Wednesday, October 31, 2007

Hacked into a Wireless Router.

These days I am just mad crazy. Hacking, hacking and still hacking. Basically I am dead bored and decided to see how far I can go with my hacking skills. Today, after finishing auditing a customer, I wanted to check my email as I needed to send out an urgent email. I saw an internet cafe with a Wi-Fi connection; however, encryption was on. Within a few minutes, I managed to crack their password and hacked straight into their router. With that, I managed to set up port forwarding for BitTorrent and download my favourite TV show. Well, it wasn't as thrilling as the first time I hacked into a wireless router, but still, it was a hack. How did I do it? Just by observation and some trial and error, and there you go.



The Hacka Man

Web Application Security with Joe Walker

This is a great SlideShare from Joe Walker covering all the new hacking techniques that involve Ajax and Web 2.0. Its content is simple yet very entertaining and easily understandable. Check it out, guys:



http://getahead.org/blog/joe/

The Hacka Man

Free Audit, Is it Real??

OK, I am providing free audits for those who need my help in securing their applications or networks, and read properly: I am NOT charging a single cent for my effort in helping you. The reason for doing so is that I am giving back to the community that once helped me get to where I am today. I remember I was hacking like nobody's business back in the day with trojans, port scanning, exploits, etc. I was very young then and indeed very enthusiastic about all sorts of hacking. Today, because of my busy work schedule and commitments, I tend to have less time for reading or research. However, I am still pretty much involved in the security community when it comes to networking and web applications. There are actually quite a number of people who have approached me for free audits of their public-facing web applications, and I actually managed to test their sites and show them what I had found. Of course, I cannot reveal any of those clients, but trust me, some of them are huge organizations and of course some are my friends.

To get a free audit, I need the following details:

1. Proof that you are the owner of the site or network.

2. Your personal details.

3. If you are from a company, use your company's email to send me an email and follow up with a call to my mobile.

4. If you are an individual, I would require you to give me a call on my mobile or Skype. Send me an email first at hackathology@gmail.com.

5. If there should be any meetup, prepare a Non-Disclosure Agreement for signing if required and come ready to discuss the Scope of Work.

I cannot guarantee I will have the time to test and deliver on time for each and every customer if the request traffic is high; however, I will do my best to deliver what I promised. Also, if the scope gets larger, then the delay will be longer; it all depends. Don't forget I have a day job and am doing you a favour. Lastly, should there be any changes to the audit details, I will update them here on my blog.

The Hacka Man

Tuesday, October 30, 2007

Detecting BroadVision Applications. Are they secure?

Are proprietary applications secure? Well, I guess yes and no. Security researchers are constantly searching for flaws in those applications, and only once a bug is reported will the company take action to close its loopholes. I am currently auditing a BroadVision application, and what a surprise I got from my results. I am not supposed to reveal anything, but let me tell you, for a critical application like this, I am not sure if the customer is using an old version of BroadVision or whether input simply was not checked and sanitized. I could basically do pretty much anything I wanted with that application and create havoc. Too bad I can't show anything here, but trust me, if you guys get a chance to audit a BroadVision application, you will be surprised at the kind of flaws you find. It's basically like opening a can of worms, waiting for someone to feed on it.

Well, at first I wasn't sure it was a BroadVision application; however, after some research and observation of the HTTP headers, this is what I got:

POST http://example.com/bvsn/bvcom/en/server/whereto.jsp?BV_SessionID=NNNN1809204881.10923774158NNNN&BV_EngineID=nnndaoplghjkiihcfklcfkmdgohdgih.0&BV_UseBVCookie=yes HTTP/1.0

The killer signature here is the parameter names BV_SessionID and BV_EngineID. If you see these anywhere in a URL or in an HTTP header, you have more or less nailed down a BroadVision application. Of course there are some other indicators, like checking for the .do extension; however, that wasn't seen during the audit. Google for those two parameter names and you will see what I mean. I am now signing off here and going back for another round of the audit. I am going to pretty much cripple the whole application this time round.
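Below is an added example (not from the original post) that turns the signature above into a small fingerprint check. It parses the quoted request line for BV_SessionID, BV_EngineID and BV_UseBVCookie, and also scans Set-Cookie and Location headers on the assumption that the same names may show up in cookies or redirect URLs. The response headers in the block are constructed test data, not captured from the audited site.

```python
# Added example, not from the original post: fingerprint BroadVision from the
# BV_* parameter names. REQUEST_LINE is the one quoted above; the response
# headers are constructed test data.
from urllib.parse import urlsplit, parse_qs

# Parameter names the post identifies as the BroadVision signature.
BV_SIGNATURE_PARAMS = {"BV_SessionID", "BV_EngineID", "BV_UseBVCookie"}
# Both of these must be present for a confident match.
BV_REQUIRED = {"BV_SessionID", "BV_EngineID"}


def bv_params_in_url(url):
    """Return the BV_* signature names present in a URL's query string."""
    query = urlsplit(url).query
    return BV_SIGNATURE_PARAMS & set(parse_qs(query, keep_blank_values=True))


def bv_params_in_request_line(request_line):
    """Pull the URL out of 'METHOD URL HTTP/x.y' and check its query string."""
    parts = request_line.split()
    if len(parts) < 2:
        return set()
    return bv_params_in_url(parts[1])


def bv_params_in_headers(headers):
    """Scan headers that carry URLs or cookie names: Location, Set-Cookie, Cookie."""
    found = set()
    for name, value in headers:
        lname = name.lower()
        if lname == "location":
            found |= bv_params_in_url(value)
        elif lname in ("set-cookie", "cookie"):
            # "BV_SessionID=...; Path=/" -> cookie name "BV_SessionID"
            for part in value.split(";"):
                cookie_name = part.strip().split("=", 1)[0]
                if cookie_name in BV_SIGNATURE_PARAMS:
                    found.add(cookie_name)
    return found


def looks_like_broadvision(request_line, headers=()):
    """Return (confident_match, names_seen)."""
    hits = bv_params_in_request_line(request_line) | bv_params_in_headers(headers)
    return BV_REQUIRED <= hits, hits


# The request line quoted in the post.
REQUEST_LINE = ("POST http://example.com/bvsn/bvcom/en/server/whereto.jsp"
                "?BV_SessionID=NNNN1809204881.10923774158NNNN"
                "&BV_EngineID=nnndaoplghjkiihcfklcfkmdgohdgih.0"
                "&BV_UseBVCookie=yes HTTP/1.0")

# Constructed response headers (assumption: the same names may also appear in
# cookies and redirect URLs; not captured from the audited site).
RESPONSE_HEADERS = [
    ("Set-Cookie", "BV_SessionID=NNNN1809204881.10923774158NNNN; Path=/"),
    ("Location", "/bvsn/bvcom/en/home.jsp?BV_EngineID=nnndaoplghjkiihcfklcfkmdgohdgih.0"),
    ("Content-Type", "text/html"),
]

if __name__ == "__main__":
    match, seen = looks_like_broadvision(REQUEST_LINE, RESPONSE_HEADERS)
    print("BroadVision:", match, sorted(seen))
```

Requiring both BV_SessionID and BV_EngineID keeps a lone BV_SessionID cookie (which some reverse proxy could have copied) from being called a confident match on its own.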

The Hacka Man

Monday, October 29, 2007

Injection Vectors, Are you up for it?

Recently, I have been doing a lot of web penetration tests, and I realised that most of the targets suffer from injection flaws. Well, some can be deadly and some were just pretty minor. Well, it doesn't matter how severe the injection point is; if your site can be injected, it means that there is still some sanitizing and input validation work that needs to be followed up. Whenever I perform a penetration test on a huge organization, scanners are always deemed useless and I have to do it manually with a list of checks I keep. Well, I managed to download a list of injection vectors from my friend Andres, and that certainly helped me save time googling for attack vectors. For those who do web penetration tests, this will be very useful and will save you hours and hours of looking, reading or searching around for information.

****************Start of the injection list*********************************

*****************************END*****************************************************
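The list itself did not survive in this copy of the post. As an added example, not from the post or from Andres's list, here is a small harness that runs a few classic SQL injection vectors against a login query built by string concatenation and against the same query parameterized, using an in-memory SQLite database with constructed data:

```python
# Added example, not from the post or from the injection list it refers to:
# run a few classic SQL injection vectors against a login query built by string
# concatenation and against the same query parameterized. In-memory SQLite
# with constructed data.
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates user input into the SQL text, so quotes and comments in
    the input become part of the query grammar."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Bound parameters: the driver hands the values to SQLite separately,
    so the same input is only ever compared, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Constructed vectors, supplied in the password field with an unknown username.
INJECTION_VECTORS = [
    "' OR '1'='1",
    "' OR 1=1 --",
    "x' OR 'a'='a",
]


def run_vectors(login):
    """Return {vector: username returned} for a login function, using an
    unknown username so only the injection can produce a match."""
    conn = setup_db()
    results = {}
    for vec in INJECTION_VECTORS:
        try:
            results[vec] = login(conn, "nobody", vec)
        except sqlite3.Error as e:
            results[vec] = "error: %s" % e
    return results


if __name__ == "__main__":
    print("vulnerable:   ", run_vectors(login_vulnerable))
    print("parameterized:", run_vectors(login_parameterized))
```

With the concatenated query every vector logs in as alice without knowing her username or password; with bound parameters every vector is just a wrong password and returns nothing.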

The Hacka Man

Sunday, October 28, 2007

An Important Lesson, Passive Enumeration with Paterva

I am about to be assigned to a very exciting project, and one of the most important elements of hacking is passive enumeration. I mean, to bring down an organization or their networks, passive enumeration is definitely a must! This weekend I was scouring around for effective tools that would allow me to perform my searches much faster and in a more logical and graphical manner, and I happened to stumble on a site called Paterva. This is a wonderful toy for passive enumeration. You can basically search for a person, DNS name, website, email, etc., and it will return results of what a person has visited, the sites he visited, the words he used, etc. Of course, instead of searching for a person, you can also perform searches for an organization. I know people are going to say that this can also be done with Google dorking. Well, that's absolutely true; Google dorking is so much more powerful, with more explosive results. However, not everyone is an expert in that area, and I mean this is only the surface of passive enumeration. To dig deeper, you would of course require certain skills like Google dorking. I am pretty happy with Paterva because of its simplicity and its ability to produce results in a more systematic manner. Try it for yourself.

http://maltego1.paterva.com/maltego-classic.html

http://www.paterva.com/web/Maltego



The Hacka Man

Friday, October 26, 2007

Citrix Hacking

A few weeks ago, pdp released an article about Citrix hacking and it actually caught my attention. I read through a total of four of pdp's posts and also wirepair's whitepaper on hacking Citrix. Overall it was a basic yet interesting read and actually gave me an idea of how to start enumerating and hacking Citrix. Well, for my next trick, when I am about to audit Citrix soon, I will start employing the techniques that were discussed in the article and also include one of my favourite tricks of all time, which would actually find flaws in the Citrix application. This would actually test how robust the Citrix application is and how it handles certain payloads. Since Citrix is not taking security seriously, according to wirepair's article, I would not hesitate to publish any flaws I find. With that being said, of course I would give them a chance to see what their response is.

The Hacka Man

Thursday, October 25, 2007

Checkpwd 2.00 A12 released

Alexander Kornbrust of Red-Database-Security has just released the much anticipated checkpwd Oracle password cracking tool. This release has many improvements over the previous releases. Some of those include:

* support for Oracle 11g passwords
* support for APEX passwords (1.4-3.0.1)
* collect passwords from the database
* collect password candidates from the database
* option not to display the oracle password in command line
* crack passwords from the password history
* crack role passwords
* save checkpwd default configuration in a configuration file
* read username and password hashes from a file

Well, personally I had tried version 1.21 months ago and it wasn't bad after all. And now comes version 2? You bet it will be so much more interesting to test out the new features and see how the tool produces its results. Weeks ago, THC, a German underground hacking community, released an Oracle 11g password cracker, and I must admit that I haven't tried it yet, but now Alex has incorporated Oracle Database 11g password cracking abilities into checkpwd 2.00.

For those who don't know, Alex is a world-renowned Oracle security expert. He is constantly reporting Oracle bugs to Oracle and has published a lot of whitepapers and given talks at conferences regarding Oracle security. I met him once in Dubai and I must say he is a humble and patient person with amazing Oracle security knowledge. To find out more, check him out at the following links:

http://www.red-database-security.com

http://blog.red-database-security.com

The Hacka Man

Sunday, October 21, 2007

Results from Hacking a huge organization

The other night I was auditing one of the customers here in Singapore. It was a huge organization with a massive workforce. Normally, huge organizations tend to give people the impression that they must be secure, because either they have enough internal people to do the patching or they must be doing some kind of upgrading work every now and then to keep their servers or networks compliant with the government authority.

The results from my audit showed that life isn't a bed of roses. Multiple servers suffered from DoS and buffer overflow vulnerabilities, and one of them even allowed me to escalate to admin privileges. Well, the results were really astonishing for such a reputable organization, and everything was under my control. Of course, I managed to capture screenshots of everything I did and wrote a report to the management. I am wondering what they will do about it. They could either pray hard that no one attacks them and start patching, or expect the worst, where they could be brought down any time, any day.

One of the coolest things I did during the audit was the defacement of their website. Personally, I had never defaced a website before that day. It was great seeing a big organization's website carrying your own selected message or picture, definitely tarnishing their reputation, and the feeling was just too ecstatic. Of course, I had to wrap it up fast by taking a screenshot and restoring their site back to normal, or I would be screwed. The last thing I observed and found out was that they were using a very old operating system where most of their crucial data was residing. It was exhilarating as I was poking my way through to grab all their private data. All in all, it was just bad, really bad. I am about to finish the report and send it to the customer. I just want to see what the response is going to be.

The Hacka Man

Saturday, October 20, 2007

Short update on audit

For those of you who are waiting for the results of the audit: because of the things I found and the sheer volume of report writing I am doing, I will only update the findings next week when I finish the report. Sorry for the wait, and thanks for your understanding.

The Hacka Man

Thursday, October 18, 2007

e... singapore, re-evaluate your website!

Well, I have roughly 10 minutes before I start an audit, but anyway, I would love to talk about e... Singapore. I have heard quite a few bad things about e... Singapore, and I remember that while I was in Dubai, I asked them for a job, but in the end they voided my application. Back in Singapore, my colleagues were just talking about security companies in Singapore and they mentioned e.... I have no grudges against e..., but frankly speaking, as an MSS now trying to expand their business into the IS field, I am issuing a challenge to them. Just by browsing their website, I am pretty sure that they can be Own3d! My guess is that they could easily be using IIS 5 or 6, and of this I can be sure just by testing one of their functions, without scanning their website. As for owning them, I am pretty sure they have tightened up most of the holes, EXCEPT for one. All in all, if they want to step into the IS field, the first step would be to tighten their own holes first, or else how could they convince people that they are doing IS when their own site is at risk????? e..., get your internal auditors to re-evaluate the e... website, or get me at NO cost to help you do the job.

The Hacka Man

ScanAlert, Hacker Safe?


Yesterday, I heard from my colleagues that we would be joining forces with ScanAlert, and I was really puzzled by the move. I was asking myself whether ScanAlert is really Hacker Safe. Are they really that good with their scanners? Did they take open source scanners and customize them as their own? Are their clients really safe from hackers? Can I say that if I use ScanAlert's service to scan my website or network, I will be safe from hackers? There are a lot of questions in my head, and I think ScanAlert has a good way of doing marketing. They make every customer insert their logo onto their own site, which provides more visibility for ScanAlert's service. Well, it is good from a company point of view because they are recognized and make money out of it; however, that doesn't mean that by using their service I will be free from attackers. Not long ago, I remember members of sla.ckers.org posted XSS vulnerabilities on their site. So can I say that if I can find XSS on their site, their scanners are shitty and they are still hacker safe? I don't know, just my 2 cents' worth. Anyway, I managed to dig out the XSS vectors that were injected into their site some time ago; however, they have already patched them.

https://www.scanalert.com/SignUp.sa?act=step1&oc=%27%29return+0%3B%7Dalert%280%29%3Bfunction+blah%28%29%7Bif+%280%29%7B%2F%2F

https://www.scanalert.com/SignUp.sa?adds106=2&act=step3&company.name=touchme%22%20onmouseover=%22alert('Hacker%20Safe?');%22

The Hacka Man

Friday, October 12, 2007

XSS-Proxy PoC

The other day, I was thinking about how I can actually get more sales during meeting sessions with customers, and with the current boom in website hacking, I thought it was time to actually show customers what I can do and the impact of an XSS vulnerability. I referred to the book "XSS Exploit and Defence" by Jeremiah and RSnake and decided to go with a tool called XSS-Proxy. All I can say is that this tool is really light and easy to use. All you need is Perl and a web server running on your machine, and from there you just launch the listener with the command "perl XSS-Proxy-shmoo_0_0_11" at the command prompt. Anton Rager actually spent some time with me explaining how this tool works and the impact of an XSS. I would like to thank him here for his time and effort. For those of you who would love to try this tool, download it at http://xss-proxy.sourceforge.net. There is also "Advanced XSS Attacks" and a mini whitepaper for further reading.

First, start up XSS-Proxy:


Then inject a script tag into the victim page, be it persistent or reflected; try it and you will see.


The admin page contains the links that the victim has visited, and by clicking those links you can choose to redirect and hijack the victim's browser within the same document domain.


A sample of the redirect attack. Observe the grey bar below with "Opening page..".
This is achieved by clicking on one of the links the victim has visited on the admin page: I wanted the victim to visit another page, so I chose the link I wanted the victim to visit and clicked on it. On the victim's side, he is automatically redirected to the page I chose.


And finally, I can even proxy JavaScript injection into the victim's browser. A simple one would be alert('XSS');


The Hacka Man

Wednesday, October 10, 2007

AppCodeScan beta Released

A few minutes ago, Shreeraj updated me on the release of a new tool from Blueinfy. This tool basically checks your source code for potential entry points for XSS, SQL injection, poor validation, etc. Well, personally I have not tested the tool due to time constraints and my busy schedule. I would strongly recommend that anyone who has the time actually download the tool and give it a try; it's free anyway. The tool is called AppCodeScan, and for those who have already tried the tool, feel free to let me know, as trust me, I am really eager to try this. Also, check out Fortify's source code scanning tool, which has similar functions and usage. The only difference is maybe the support and that it's an enterprise tool. At the same time, do check out their cost and you will know why Shreeraj is so generous to make it free. Of course, you can customize the ruleset to suit your application if you know how to. Thank you, Shreeraj.

http://blueinfy.com/tools.html

The Hacka Man

Monday, October 8, 2007

Try this at your own risk, COKE Machine hacked!!

I was checking pdp's hack on Citrix and I stumbled across a Coke machine hack. Well, I am not sure if this is an old exploit, or if it is still working as of today, or if it has been patched. However, I could not replicate this hack on a vending machine here. Maybe it is a different model or different system or different chipset. Whatever it is, this is a cool one. Simple yet effective.



The Hacka Man

Sunday, October 7, 2007

Just another XSS

Well, I am getting tired of your site, "big organization". PoC shown with screenshots of your site being XSSed numerous times. Just patch up quick and you will be all right. Hire me or get someone to do the job. Whatever you decide, I wish you good luck and all the best.



The Hacka Man

Saturday, October 6, 2007

Prevention is better than Cure

With over 6 years of experience in penetration tests of all sorts of systems, from networks to web applications to databases and many more, I can say that I have successfully achieved my goals as a "hacker" or white hat. As usual, I am constantly keeping myself abreast of the latest exploits and hacking methodology. I am not really a true researcher, but rather a guy who loves to read all sorts of hacking books and articles.

Well, with the recent work I am doing on web applications, I can say that most web applications are truly not secure and are hackable, except for a few out there. It all boils down to the developers and the customers. Those customers have no idea how important secure programming is. Once they are hacked, their reputation is gone and data is lost. From what I see, customers are always eager to launch their application online, maybe because of a certain time frame they have to meet, or maybe because they are eager to let consumers know more about their services and products, but they did not think about security in their applications as a whole. Well, I would advise them to think twice and think about the possibility of being hacked hard. Below are a few guidelines that I got from Jeremiah's whitepaper; after reading it, I feel that it is important to embrace them rather than treating it just like another whitepaper.

Secure Code: Application developers must consider security
from the beginning. Involve the security staff early in the
process.

QA Development: Experienced staff must perform periodic
security as well as usability reviews.

Stay up-to-date on patches and keep systems securely configured.

Continuous assessments: Covering both technical and logical
issues on the production web site as its being changed.

Also, for those who are paranoid about your web applications and have no budget to spend, you guys should install a Web Application Firewall like ModSecurity to shield off most of the attacks; moreover, it is customizable, so you can add your own ruleset. There are also a few other open source WAFs like PHP-IDS for XSS, URLScan for IIS and some others. Commercial ones are available too. It all depends on how much you can spend and what you really need.

The Hacka Man

Friday, October 5, 2007

Another hole????

Hey "big organization", this needs no explanation. You have been owned again. Well, I am smart enough not to let you see the actual URL string, or else you will secure yourself? Still call me a script kiddie?? Think harder. Challenge me?? Why not do something about your site rather than challenging people here and there? Need to know the actual payload and URL string? Call me. You are lucky I didn't use XSS to port scan your internal network or cause a defacement and make you look like a fool. Respect others and respect yourself.



The Hacka Man

Thursday, October 4, 2007

You are OwNED!!!

Hey "big organization", I don't think I need to prove too much. Check out your logs or something. Check out whatever you have. I just spent roughly 5 minutes on your site and I got what I wanted. Well, I don't think you are worth my precious time doing good for your site. This is just a simple test. I can do more damaging stuff, but I don't see the point of doing more damage. I don't have to prove anything more. Take this shit from me and do your part. Peace.



The Hacka Man

Wednesday, October 3, 2007

Challenge me on Web Application Security???

One day after the application penetration test, I was contacted by a huge organization who apparently views/reads my blog. Basically they issued a challenge to test my knowledge and skills in web application security assessment. Well, I don't really care or bother how huge your organization is; I accept your challenge and I will show you that your public-facing website will be used as a zombie for unidentified attacks. Don't blame me for that. You issued a challenge and I responded. I don't have anything to prove, except that I would love to see how good your web security is.

The Hacka Man

Tuesday, October 2, 2007

Session ID Manipulation?????

So today is the last day of Phase 1 of my application pentest. Well, it's always funny, because it's always on the last day that I find something. In my previous posts, I was saying that the application is very secure. However, I found some session ID manipulation that allows an attacker to impersonate someone. Well, although it's not high risk, think of this situation. Let's say you and your friend are on a school compound or somewhere with network access, and suddenly your friend is checking his account. With the mindset of a hacker, you know that manipulating the session ID will allow you to gain access to his account, so while he says he wants to go to the toilet and forgets to log out, you quickly grab his session ID and then change his password. From there on, you can monitor his account's transactions and status, and moreover you can transfer money to your own account. I mean, there are too many possibilities. This is just one of the scenarios. You can let your imagination run wild and come up with more evil stuff. However, I just want to point out that since that application is already so secure, why not take another step to tighten this hole? Agree?????
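As an added example (not from the post), here is the kind of quick check a tester can run over a handful of session IDs captured in order, to see whether they are guessable before trying to impersonate anyone: it looks for duplicates, counter-style sequences and low character entropy. Both sample sets are constructed; nothing here comes from the audited application.

```python
# Added example, not from the post: a quick predictability check over a
# handful of captured session IDs. Both sample sets below are constructed.
import math
from collections import Counter


def entropy_bits_per_char(ids):
    """Shannon entropy of the character distribution across all samples."""
    counts = Counter("".join(ids))
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def estimated_entropy_bits(ids):
    """Rough upper bound: per-character entropy times the shortest ID length.
    Real unpredictability can only be lower than this figure."""
    return entropy_bits_per_char(ids) * min(len(i) for i in ids)


def numeric_deltas(ids):
    """Differences between consecutive IDs read as integers (decimal, then
    hex); None if they are not all numeric in either base."""
    for base in (10, 16):
        try:
            vals = [int(i, base) for i in ids]
        except ValueError:
            continue
        return [b - a for a, b in zip(vals, vals[1:])]
    return None


def assess_session_ids(ids, min_bits=64, max_step=10_000):
    """Return a dict of findings for a list of session IDs captured in order."""
    findings = []
    if len(set(ids)) != len(ids):
        findings.append("duplicate IDs issued")
    deltas = numeric_deltas(ids)
    if deltas and all(0 < d <= max_step for d in deltas):
        findings.append("sequential or small-step counter")
    bits = estimated_entropy_bits(ids)
    if bits < min_bits:
        findings.append("low entropy (~%d bits)" % bits)
    return {"entropy_bits": round(bits, 1), "predictable": bool(findings),
            "findings": findings}


# Constructed: a counter-style ID set and a random-looking 128-bit hex set.
SEQUENTIAL_IDS = ["10923774158", "10923774159", "10923774160",
                  "10923774161", "10923774162"]
RANDOM_IDS = [
    "3f9a1c77b02e4d5a8c6f1e9b0d2a7c41",
    "a81e5d03c7f24b96e0d1a3f85c7b2e60",
    "5c2b9e71d4a06f38b1e7c9d02a4f6e83",
    "e07d3a9c15b84f62c9a0d7e1b3f5c824",
]

if __name__ == "__main__":
    for name, ids in (("sequential", SEQUENTIAL_IDS), ("random", RANDOM_IDS)):
        print(name, assess_session_ids(ids))
```

A counter-style ID fails on both the sequence and entropy tests; a 128-bit random hex token passes both. A passing result only rules out the cheap attacks: a token can look random and still be leaked, fixed or never rotated after login.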

The Hacka Man

Monday, October 1, 2007

Owning Axis IP Cameras

Over the weekend, I had the time to review a whitepaper written by Adrian Pastor and Amir Azam. In that article, they demonstrated certain XSS techniques that allow an attacker to own the IP cameras and monitor them. Well, I would say that this is not too bad an article, as the PoC is included. It is still the same old XSS that is doing the trick, and CSRF that allows the creation of admin accounts. The firmware for Axis is just crap. They should brush up on their security to avoid more security issues. For those who are interested, do check it out at

http://www.gnucitizen.org/blog/owning-big-brother-hollywood-style-exploits-included


The Hacka Man

2 Factor Authentication Last Update

I think I am more or less done with my scope of work. There is simply no chance in hell that I can break that application. It's like no matter what I enter, I always get a "service not available" or "please try again later". I verified all the injection points and the stuff that I can inject. Still, nothing can be done. The application is so sensitive and secure that it validates all input characters and escapes all output characters. Lastly, every error message that is output is a generic error message with no other information. The one last thing I am trying now is XSS on a 404 error page, to see how it reacts. Still, this is what I got:



And the generated source I got after the XSS:

[404 Not Found
Not Found
The requested URL /x/--><script>alert("XSS")</script><!--&node=465600 was not found on this server.]
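The three payloads quoted on this page (the two ScanAlert signup vectors above and this 404 reflection) each break a different output context: a JavaScript string literal, an HTML attribute value and HTML body text. As an added example, not taken from any of those sites, the following renders each payload into a constructed template for its context, first unencoded and then with the encoding appropriate to that context, and checks whether the result carries injected script, an event handler or a terminated string literal. The templates are assumed stand-ins for the shape of the vulnerable markup, not the real pages' source.

```python
# Added example, not code from any of the sites discussed: render each quoted
# payload into a constructed template for its output context, unencoded and
# then encoded for that context, and check whether the injection took effect.
import html
import json
from html.parser import HTMLParser

# The three payloads quoted on this page, URL-decoded.
PAYLOAD_JS_STRING = "')return 0;}alert(0);function blah(){if (0){//"
PAYLOAD_ATTRIBUTE = 'touchme" onmouseover="alert(\'Hacker Safe?\');"'
PAYLOAD_HTML_BODY = '--><script>alert("XSS")</script><!--'

# Assumed stand-ins for the vulnerable markup; the real pages' source is not on
# this page. {} marks where the user-controlled value is reflected.
TPL_JS = "<script>track('{}');</script>"
TPL_ATTR = '<input name="company.name" value="{}">'
TPL_BODY = "<p>The requested URL {} was not found on this server.</p>"


def encode_for_html(value):
    """For body text and quoted attribute values: & < > \" ' become entities."""
    return html.escape(value, quote=True)


def encode_for_js_string(value):
    """For the inside of a JS string literal: backslash-escape via JSON, then
    also neutralise quotes and angle brackets so neither the literal nor the
    enclosing <script> element can be closed from inside the string."""
    body = json.dumps(value)[1:-1]  # drop JSON's surrounding double quotes
    return (body.replace("'", "\\u0027")
                .replace("<", "\\u003c")
                .replace(">", "\\u003e"))


def render(template, value, encoder=None):
    # str.replace, not str.format: the payloads contain braces
    return template.replace("{}", encoder(value) if encoder else value)


class ActiveContent(HTMLParser):
    """Counts <script> start tags and on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += [n for n, _ in attrs if n.startswith("on")]


def injected_markup(rendered, expected_script_tags=0):
    """True if the page gained a <script> or an event handler it should not have."""
    p = ActiveContent()
    p.feed(rendered)
    p.close()
    return p.script_tags > expected_script_tags or bool(p.event_handlers)


def js_string_broken(rendered):
    """TPL_JS has exactly two unescaped single quotes; any other count means the
    literal was terminated early (or never closed)."""
    unescaped = sum(1 for i, ch in enumerate(rendered)
                    if ch == "'" and (i == 0 or rendered[i - 1] != "\\"))
    return unescaped != 2


def evaluate_all():
    """Return {case: injection_succeeded} for all three contexts, raw and encoded."""
    return {
        "js_raw": js_string_broken(render(TPL_JS, PAYLOAD_JS_STRING)),
        "js_encoded": js_string_broken(render(TPL_JS, PAYLOAD_JS_STRING, encode_for_js_string)),
        "attr_raw": injected_markup(render(TPL_ATTR, PAYLOAD_ATTRIBUTE)),
        "attr_encoded": injected_markup(render(TPL_ATTR, PAYLOAD_ATTRIBUTE, encode_for_html)),
        "body_raw": injected_markup(render(TPL_BODY, PAYLOAD_HTML_BODY)),
        "body_encoded": injected_markup(render(TPL_BODY, PAYLOAD_HTML_BODY, encode_for_html)),
    }


if __name__ == "__main__":
    for case, hit in evaluate_all().items():
        print("%-13s %s" % (case, "INJECTED" if hit else "neutralised"))
```

The point of keeping two encoders is that they are not interchangeable: HTML entity encoding does nothing useful inside a script block, and JS string escaping does nothing for an attribute value, so the encoder has to be chosen per output context, which is what the "escape all output characters" the post praises amounts to in practice.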

The Hacka Man