The other night I was chatting with Christ1an about web security and I just happened to realise that he was actually the one who killed YouTube. Some of you might already know that he was the one who discovered around 40+ vulnerabilities in YouTube and became famous overnight. Anyway, Christ1an is based in Germany and he is only a student, but heck, he is a guru in web security. He was interviewed by The Register and Google actually thanked him for his work.
Recently Christ1an launched http://planet-websecurity.org/ with the intention of bringing together similarly themed news and rants related to web security and displaying them in one place. Visit his blog on the right side of my feed or check it out here.
The Hacka Man
Friday, June 29, 2007
Thursday, June 28, 2007
SAP
I always wanted to work for SAP because they pay huge money. I remember I was interviewed by SAP back in Singapore. During the first interview, it took at least 1-2 hours of conversation and I passed the interview. HR invited me for a second interview, however this time the interviewer was crap. He asked all sorts of questions and I succinctly answered them without beating around the bush. Either he didn't get what I was trying to say or he is just plain talkative. I stand strong by my roots for what I said and he did not believe me, yet said that I am a perfect candidate for the position and look like what they are searching for. ALL BLOODY CRAP!!!! A bunch of liars. They truly antagonize me and I loathe them for that. I am a straight person; if you don't wish to hire me, that's fine, just tell me straight and I will understand. You don't have to set up a bunch of stories and be a coward.
Well, good luck to you SAP. If i have a chance to audit your system, i promise i will bring down all your SAP/R3 servers and other external servers you have. Better protect your RFC or you will be OWNED!
The Hacka Man
Wednesday, June 27, 2007
Cisco show mem vs show processes memory sorted
For me to check the router or firewall CPU usage and memory usage, I always issue show mem or show processes cpu to see what is causing the router to have high CPU or memory utilization. However, I realised that the show mem command output is not as nice as it seemed to be. I was looking at the ioshints blog and found the same command with a little tweak here and there. This command provides a better output than show mem, which is very important for troubleshooting purposes. See below:
show processes memory sorted
show processes cpu sorted 1min
show processes cpu sorted 7min
From cisco:
http://www.cisco.com/warp/public/63/showproc_cpu.html
http://www.cisco.com/warp/public/63/highcpu.html
For Cisco and Juniper command:
http://networking.ringofsaturn.com/Cisco/ciscojuniper.php
Tuesday, June 26, 2007
Designing and Implementing Linux Firewalls with QoS using netfilter, iproute2, NAT and l7-filter
I was invited by Lucian to review this book. Lucian actually sent me a copy of this book to read and I was happy upon receiving it. Well, I am someone who loves firewall and security stuff, especially Linux and Cisco. This book is absolutely amazing. For beginners, there is a lot of technical configuration you can read and learn from, and for experts, this book will guide you to some topics that might interest you. I would really want to put this book into practice, but based on my current situation I will only have the time to read and understand the concepts. I would highly rate this book 4.5/5 and recommend it to anyone who wants to learn firewalls at a low level.
VoIPong installation error
For those of you who try to install VoIPong and get installation errors like the ones below, the problem and the solution are as follows:
Murat Balaban writes:
>
> Hi Henrique,
>
> Which UNIX user is trying to run voipong? It seems a non-root
> user is running it, but does not have the sufficient privileges
> to open the ethernet device in promisc mode.
>
> Plus, you seem to have problems with the permissions of
> your modules directory. That directory should be owned by
> the same user running voipong.
>
> Thursday, May 31, 2007, 8:41:56 PM, you wrote:
>
> > Release 2.0, running on DINP70759 [Linux 2.4.25-klg #1
> > SMP Ter Abr 6 09:28:24 BRT 2004 i686]
>
> > (c) Murat Balaban http://www.enderunix.org/
> > 31/05/07 14:34:14: EnderUNIX VOIPONG Voice Over IP
> > Sniffer starting...
> > 31/05/07 14:34:14: Release 2.0 running on DINP70759
> > [Linux 2.4.25-klg #1 SMP Ter Abr 6 09:28:24 BRT 2004
> > i686]. (c) Murat Balaban http://www.enderunix.org/
> > [pid: 669]
> > 31/05/07 14:34:14: Default matching algorithm: lfp
> > 31/05/07 14:34:14: error:
> > securemod(/usr/local/etc/voipong/modules/modvocoder_pcma.so):
> > gid: got 50, expected 0
> > 31/05/07 14:34:14: error:
> > securemod(/usr/local/etc/voipong/modules/modvocoder_pcmu.so):
> > gid: got 50, expected 0
> > 31/05/07 14:34:14: loaded 0 module(s)
> > 31/05/07 14:34:14: libpcap start failure:
> > pcap_open_live: SIOCGIFHWADDR: No such device
>
> > 31/05/07 14:34:14: PID 669 [parent: 653]: exited with
> > code: 1. uptime: .
>
I had the same problems and solved them using this command:
sudo chown -R root:root /usr/local/etc/voipong/modules/modvocoder_pcm*
Also, for voipongnets, I created the file with:
touch /usr/local/etc/voipong/voipongnets
This will solve the errors shown above.
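A pre-flight check for the two failures in the log above (module ownership rejected by securemod, and a missing voipongnets file), added here as an example and not VoIPong's own code. It assumes securemod compares each module's owning uid/gid with the ones it expects, which is what "gid: got 50, expected 0" indicates; the group/other-writable check is extra hardening of my own.

```python
"""Pre-flight check for the VoIPong 'securemod' and missing-config errors above.

Assumption (not VoIPong's own code): securemod rejects a module whose owning
uid/gid differ from the expected ones, so the check below reproduces that
comparison and reports findings in the same "got X, expected Y" form.
"""
import os
import stat
import tempfile
from pathlib import Path


def check_modules(moddir, expected_uid=0, expected_gid=0, pattern="modvocoder_*.so"):
    """Return one error string per finding; an empty list means securemod should be satisfied."""
    errors = []
    for path in sorted(Path(moddir).glob(pattern)):
        st = path.stat()
        if st.st_uid != expected_uid:
            errors.append(f"securemod({path}): uid: got {st.st_uid}, expected {expected_uid}")
        if st.st_gid != expected_gid:
            errors.append(f"securemod({path}): gid: got {st.st_gid}, expected {expected_gid}")
        # Extra hardening (assumed, not in the log): a loadable module must not be
        # writable by group or others, or anyone in that group can replace the code.
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            errors.append(f"securemod({path}): mode: group/other writable, got {oct(st.st_mode & 0o777)}")
    return errors


def check_config(confdir, required=("voipongnets",)):
    """Return the names of required config files that are missing (the post creates voipongnets with touch)."""
    return [name for name in required if not (Path(confdir) / name).is_file()]


def demo():
    """Build a throwaway install tree and run both checks.

    Returns (clean_errors, bad_gid_errors, missing_config): the same file passes
    when the expected gid matches and fails when voipong would run as another group.
    """
    with tempfile.TemporaryDirectory() as root:
        moddir = Path(root) / "modules"
        moddir.mkdir()
        mod = moddir / "modvocoder_pcma.so"  # constructed placeholder, not a real module
        mod.write_bytes(b"")
        mod.chmod(0o644)
        me_uid, me_gid = os.getuid(), os.getgid()
        clean = check_modules(moddir, expected_uid=me_uid, expected_gid=me_gid)
        bad_gid = check_modules(moddir, expected_uid=me_uid, expected_gid=me_gid + 1)
        missing = check_config(root)  # no voipongnets was created in this tree
        return clean, bad_gid, missing


if __name__ == "__main__":
    clean, bad_gid, missing = demo()
    print("clean:", clean)
    print("wrong gid:", bad_gid)
    print("missing config:", missing)
```

Run it against the real tree with check_modules("/usr/local/etc/voipong/modules") after the chown to confirm the expected root:root ownership before starting voipong.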
Monday, June 25, 2007
Snom phones web interface exposed to public.
I was just researching hard and soft phones and came across Snom VoIP phones. I don't know much about the phones, but a simple Google dork gave me a bad result: default installations of the phone are not password protected. Check it out:
"(e.g. 0114930398330)" snom
Sunday, June 24, 2007
Hakin9 X Hackathology
This past week, I was invited by hakin9 magazine to write an article about the latest hacking skills. I am still thinking about a topic to write on. There are different types of hacks and I am in a dilemma choosing one. After pondering for some time, I think I would love to write about VoIP hacks. Personally, because VoIP is a subset of network security, I think it's best to write about something that I am good at. I have already set up a PBX server and now it's up to the guys at hakin9. The hakin9 team is a bunch of really cool and nice guys. They gave me a free copy of their magazine and once my article is published, they will also send me a copy of the published issue. I will keep you guys updated on this. Let me know what you guys think.
Friday, June 22, 2007
David Litchfield new Oracle book
I had been wanting to learn more about Oracle hacking, and I would not say I am really good at Oracle security. I managed to set up an Oracle database server and do some simple exploitation and auditing; however, I know that for me to be good in that aspect, it would require focusing most of my time on trying to exploit and learn the techniques for hacking the database. This past week, it came to my attention that David Litchfield (Oracle security guru, Google him to find out more) had published a book called Oracle Hacker's Handbook. I highly recommend anyone who loves Oracle security to purchase this book. Although I have not yet laid my hands on this book, it will soon be on my bookshelves.
Monday, June 18, 2007
Using ftp with CUTCP telnet
Check out CUTCP
"Telnet is a program used to interactively log in to a remote computer. CUTCP telnet is a program that runs on a PC and is used in CIRCA labs and elsewhere on campus to log in to remote computers. This program can also function as an ftp server when you are logged in to a remote host. This means that you can use the host's ftp client to connect back to yourself. Here's how you do it:
1) First use telnet to log in to the remote host.
2) Press Alt/T. This will generate an ftp command with the proper network address and start the ftp client program on the interactive host.
3) When it asks for a name, enter anything.
4) When it asks for a password, press Alt/W. This will provide a hidden password to authenticate the connection.
Remember that when you have completed this connection, your PC is an ftp server, and the interactive host is running an ftp client. To transfer a file from the interactive host to your PC, use the put command. To transfer a file from the PC to the interactive host, use the get command."
Sunday, June 17, 2007
Regular Expressions with Cisco IOS
I was reading some Cisco stuff today, and I knew long ago that Cisco IOS allows regular expressions to simplify search tasks and for other uses. Well, back then I did not research much on it, but I just came across 2 sites which provide more explanation with regards to Cisco IOS regex.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ftersv_c/ftsappx/tcfaapre.htm
http://www.nil.com/ipcorner/EnhanceIOSUI/
Saturday, June 16, 2007
Cisco Router's DNS server to kill browser advertisement
I just happened to stumble across the ioshints blog. He mentioned something about the Cisco router's DNS server having a way to prevent unwanted website advertisements. You guys can read more at: http://www.nil.com/ipcorner/RouterDNS/
Hacking Old Skoolz Windows
Port 135 (client-server communications)
Port 139, 445 (authentication and file sharing)
Port 137,138 (NetBIOS browser, name and lookup functions)
Look for port 135 endpoint mapping, which includes Microsoft Outlook, Exchange and the Messenger Service.
Nmap the server to look for port 135.
Run rpcscan or epdump on the server over TCP or UDP port 135.
If UDP ports 1028, 1029 or TCP port 1025 are open, run rpcscan over those ports.
Look for IFID 12345778-1234-abcd-ef00-0123456789ab and 12345778-1234-abcd-ef00-0123456789ac for the LSA and SAMR interfaces respectively. They can be found on all Windows NT OS using named pipes accessible through an SMB session over TCP port 139 or 445.
Run a walksam query if the SAMR interface is present to glean user information.
Run rpcclient from BackTrack if a valid username and password are given. The LSARPC interface must be present.
Compromise the admin password using the brute force tool WMICracker.
Use Remoxec to execute arbitrary commands.
Verify if the server is vulnerable to RPC DCOM exploits. If patches MS03-026 and MS03-039 are applied, nothing can be done. Else download exploits from
http://packetstormsecurity.org/0307-exploits/dcom.c
http://packetstormsecurity.org/0307-exploits/DComExpl_UnixWin32.zip
http://packetstormsecurity.org/0307-exploits/rpcdcom.101.zip
http://packetstormsecurity.org/0307-exploits/oc192-dcom.c
http://examples.oreilly.com/networksa/tools/dcom-exploits.zip
http://www.securityfocus.com/bid/8205/exploit/
DCOM interface can be exploited through:
TCP and UDP port 135 (through RPC server service)
TCP ports 139 and 445 (through SMB and named pipes)
TCP port 593 (through COM Internet Services, if installed)
Use kaHt2 to exploit a remote shell
Use SPKIE msrpcfuzz fuzzer to do stress test.
-----------------------------------------------------------------------------------------
NetBIOS Name Service UDP port 137
Dumping NetBIOS table: nbtstat -A 192.168.1.152
Local Area Connection:
Node IpAddress: [192.168.1.20] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
CARAA <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
CARAA <20> UNIQUE Registered
WORKGROUP <1E> GROUP Registered
MAC Address = 00-0D-88-CB-30-0B
------------------------------------------------
<00> unique hostname
<00> group domain name
<03> unique Messenger service running for that computer
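A parser for nbtstat -A output like the dump above, added here as an example and not part of the original post. It turns the name table into the facts a defender wants from an inventory scan (hostname, workgroup, MAC, whether file sharing or the Messenger service is advertised). The <00>/<03> meanings are the legend above; <20> (file server service) and <1E> (browser service elections) are assumed from the standard NetBIOS suffix list.

```python
"""Parse 'nbtstat -A <ip>' output into hostname, workgroup and advertised services."""
import re

# Constructed sample: a copy of the nbtstat dump shown above.
NBTSTAT_SAMPLE = """\
Local Area Connection:
Node IpAddress: [192.168.1.20] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
CARAA <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
CARAA <20> UNIQUE Registered
WORKGROUP <1E> GROUP Registered
MAC Address = 00-0D-88-CB-30-0B
"""

# (suffix, type) -> meaning. <00>/<03> from the legend above; <20>/<1E> assumed.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "hostname",
    ("00", "GROUP"): "domain/workgroup name",
    ("03", "UNIQUE"): "Messenger service",
    ("20", "UNIQUE"): "file server (SMB) service",
    ("1E", "GROUP"): "browser service elections",
}

NAME_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_nbtstat(text):
    """Return {'names': [(name, suffix, type, status, meaning), ...], 'mac': str or None}."""
    names, mac = [], None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            name, suffix, ntype, status = m.groups()
            suffix = suffix.upper()
            names.append((name, suffix, ntype, status, SUFFIX_MEANING.get((suffix, ntype), "unknown suffix")))
            continue
        mm = MAC_RE.search(line)
        if mm:
            mac = mm.group(1).upper()
    return {"names": names, "mac": mac}


def summarize(parsed):
    """Reduce the table to what an exposure review needs: identity plus advertised services."""
    hostname = workgroup = None
    services = []
    for name, suffix, ntype, _status, meaning in parsed["names"]:
        if (suffix, ntype) == ("00", "UNIQUE"):
            hostname = name
        elif (suffix, ntype) == ("00", "GROUP"):
            workgroup = name
        elif ntype == "UNIQUE":  # every other unique name is a service registration
            services.append((suffix, meaning))
    return {
        "hostname": hostname,
        "workgroup": workgroup,
        "mac": parsed["mac"],
        "file_sharing": any(s == "20" for s, _ in services),
        "messenger": any(s == "03" for s, _ in services),
        "services": services,
    }


if __name__ == "__main__":
    print(summarize(parse_nbtstat(NBTSTAT_SAMPLE)))
```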
Wednesday, June 13, 2007
Cisco's PIX/ASA TCP flags syntax
Have you guys ever wondered how the PIX or ASA firewall's TCP 3-way handshake works? Well, it's absolutely similar to how the normal TCP/IP handshake works, just a little different in terms of the syntax. For instance, the SYN flag in PIX is known as saA. For troubleshooting purposes, you would however need to know these flags in PIX/ASA. I have summarised a table of the flags and how they work.
Tuesday, June 12, 2007
PIX firewall troubleshooting commands
I am adding some commonly used PIX firewall troubleshooting commands. For those of you who do troubleshooting of the firewall, you should familiarise yourself with these commands. Handy yet powerful.
1. show xlate, show xlate detail - display NAT translations and its details
2. show connection, show connection detail - display connection details built in the firewall
3. show service-policy - display inspection policies
4. show local-host 192.168.1.1 - display translation, AAA, connection information
5. show asp drop - show number of packets dropped while processing the packets
6. show mem - display memory usage in the PIX
7. show cpu usage - display cpu usage over a time period
8. show traffic - display total traffic transmitted and received on each individual interfaces on the PIX
9. show block and show cpu usage can determine if the firewall is overloaded.
Of course there are many other things you would need to know like the debug commands, capture commands, show logging, show running logging, show logging setting commands. If you guys need to know more, just email me and i will guide you