For those who are unaware: We have moved!
Come find us at Insecurety Research!
No, really. We did move :)
~infodox
A simple Infosec/Security/Computing blog with a smattering of electronics, chemistry, and total randomness
Saturday, 29 December 2012
Thursday, 15 March 2012
Updates to Insecurety Research - PHP Command Injection!
So, we have written an article about PHP Command Injection (Applies to other platforms too, we just covered PHP).
Read it here! PHP Command Injection - Insecurety Research
More to come...
~Insecurety Research Team.
Wednesday, 14 March 2012
[802.11] Wireless Jamming
Ok. Infodox BRIEFLY touched upon 802.11 jamming in his talk at CampusCon (their site seems to be down at the moment).
For those interested, the talk can be downloaded here: Insecurety Research
Anyways, onward to "The Good Stuff". I (x41) am simply posting the parts he wrote so far, and when he comes back he says he will finish the job.
Wireless Jamming. Sometimes one wants to disable all 802.11 stuff within range (i.e. WiFi) for some reason (perhaps deauth everyone so a KARMA style attack will work better?) and often this can be a bit of a challenge.
Challenge accepted.
First off, let's get to grips with some software called "mdk3".
MDK3 is an 802.11 flooding tool, and comes preinstalled on BackTrack and several other pentest distros.
However, let's assume you are running a standard Ubuntu box and have not got it installed... So start by installing aircrack.
apt-get install aircrack-ng (ubuntu)
yum install aircrack-ng (fedora)
...Or, compile from sauce...
http://www.aircrack-ng.org/
Now. MDK3.
http://homepages.tu-darmstadt.de/~p_larbig/wlan/
Grab the source from here, untar, ./configure, make && make install (as root).
Then to run (as root):
PUT CARD INTO MONITOR MODE BEFORE CONTINUING!
sudo airmon-ng start wlan0 (where wlan0 is your wifi card)
mdk3 (arguments)
Some samples... (assumes mon0 is your monitor mode interface)
1. mdk3 mon0 x 1 -c (target client MAC) -t (target AP MAC)
This one kicks the victim client off its AP. Note it is mdk3's 802.1X test 1, which sends EAPOL-Logoff frames in the client's name rather than 802.11 deauth frames. Good for targeted jamming of a single station.
2. mdk3 mon0 d -b /root/blacklist
Assuming you have a list of MAC addresses you DON'T wish to have online, you put 'em in a file and blacklist 'em. Mode d is the deauthentication/disassociation "amok" mode, and with -b it only jams the listed devices.
3. mdk3 mon0 d -w (and the path to your whitelist file)
This kills everyone's WiFi EXCEPT the devices in the whitelist.
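As an added example (not from the original post, and not code from mdk3 or AP Fucker), here is what mode d's traffic looks like on the wire and how a monitoring sensor would spot it: a deauthentication frame built field by field (24-byte management header plus a 2-byte reason code; no radiotap header, no FCS), and a sliding-window counter that flags any BSSID sending a burst of them. The MAC addresses, timestamps and the ten-frames-per-second threshold are constructed for the demo.

```python
import struct
from collections import defaultdict

# 802.11 frame control for a deauthentication frame: type 0 (management),
# subtype 12. Packed little-endian it is the byte sequence c0 00.
FC_DEAUTH = (12 << 4) | (0 << 2)
REASON_CLASS3 = 7   # "class 3 frame received from nonassociated station"


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def build_mgmt(subtype, dst, src, bssid, seq=0, body=b""):
    """Generic 24-byte management header (no radiotap, no FCS) plus body."""
    fc = (subtype << 4) | (0 << 2)
    return struct.pack("<HH6s6s6sH", fc, 0, mac_bytes(dst), mac_bytes(src),
                       mac_bytes(bssid), (seq & 0xFFF) << 4) + body


def build_deauth(dst, src, bssid, seq=0, reason=REASON_CLASS3):
    """Spoofed deauth: addr2 (transmitter) is the AP, addr1 the victim, or
    ff:ff:ff:ff:ff:ff to hit every associated client at once."""
    return build_mgmt(12, dst, src, bssid, seq, struct.pack("<H", reason))


def parse_mgmt(frame):
    fc, _dur, a1, a2, a3, seqctl = struct.unpack("<HH6s6s6sH", frame[:24])
    return {"type": (fc >> 2) & 0x3, "subtype": (fc >> 4) & 0xF,
            "dst": mac_str(a1), "src": mac_str(a2), "bssid": mac_str(a3),
            "seq": seqctl >> 4, "body": frame[24:]}


def detect_deauth_flood(captures, window=1.0, threshold=10):
    """captures: iterable of (timestamp, raw_frame). Returns the BSSIDs that
    sent at least `threshold` deauth frames within any `window` seconds,
    which is what mdk3 mode d looks like from a monitoring sensor."""
    recent = defaultdict(list)
    flagged = set()
    for ts, frame in captures:
        p = parse_mgmt(frame)
        if p["type"] != 0 or p["subtype"] != 12:
            continue
        times = recent[p["bssid"]]
        times.append(ts)
        while times and ts - times[0] > window:   # slide the window forward
            times.pop(0)
        if len(times) >= threshold:
            flagged.add(p["bssid"])
    return flagged


# Constructed capture (not real traffic): a deauth flood from one AP's BSSID,
# one ordinary deauth from a different AP, and one unrelated auth frame.
AP, CLIENT, BCAST = "00:11:22:33:44:55", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff"
OTHER_AP = "de:ad:be:ef:00:01"
SAMPLE_CAPTURE = [(i * 0.01, build_deauth(BCAST, AP, AP, seq=i)) for i in range(30)]
SAMPLE_CAPTURE.append((5.0, build_deauth(CLIENT, OTHER_AP, OTHER_AP, seq=7)))
SAMPLE_CAPTURE.append((5.1, build_mgmt(11, OTHER_AP, CLIENT, OTHER_AP, seq=8,
                                       body=b"\x00\x00\x01\x00\x00\x00")))

if __name__ == "__main__":
    print(build_deauth(BCAST, AP, AP).hex())
    print("flooding BSSIDs:", detect_deauth_flood(SAMPLE_CAPTURE))
```

The spoofed addr2 works because deauthentication frames are unauthenticated on networks without 802.11w (Management Frame Protection); where 802.11w is on, the client simply discards them, and the counter above is essentially what a wireless IDS runs.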
Now. On to more fun things... Killing AP's.
Introducing "ap fucker".
AP Fucker is a python script that automates these DoS attacks. My preferred mode is "Destruction Mode". For obvious reasons.
Grab AP fucker here.. ApFucker - Pastebin
Running this is very simple. Just sudo bash (must be root), start the interface in monitor mode, and run it.
More to come - this was just an introduction!
Monday, 12 March 2012
Infodox is AFK (x41)
x41 here, minding Infodox's accounts for him.
He is AFK. Indefinitely. He will eventually come back. We hope...
The loss of such an enthusiastic researcher would be a blow to us at Insecurety Research, as he was the guy who got it going and came up with all kinds of crazy ideas - from mixing SQLi/LFI to the possibility of distributed vuln scanning via XSS.
If he goes, those ideas may well vanish with him as they are located in his "internal hard drive".
Anyways, seeing as I have his blog and admin on the site and we have such a lovely audience, I may as well start posting things for him, etc.
Wednesday, 7 March 2012
[Article] Reverse shells...
Ok. So I wrote a short article yesterday showing off a few reverse shell tricks and demoing them on a vulnerable web app using a Command Injection vulnerability.
Some people were asking "why it so basic?" and here is why: The idea of the article is not to provide script kids/blackhats with new info - it is well known - but to demonstrate how one can go from a small PHP bug to a full blown reverse shell.
I will be working up SNORT IDS Signatures for them all based on how they throw a shell back, just have to get some nice .pcaps of it first. I plan to also find a way to "signature" the IDS evading shellcode I wrote - and so kind of have an "arms race" with myself...
Article on Insecurety.net
Monday, 5 March 2012
For Fuck Sake
So. Due to our bitcoin app it seems we have been blacklisted, our .co.cc domain has been nullrouted.
I have lodged a complaint about this, and suspect someone has been spamming their abuse dept in order to get my attention. I have a suspect, however I will do NOTHING about it until I get some proof.
For now we will be using THIS domain: theinfodox.blogspot.com
Until the situation resolves we will be working to let people know...
Friday, 2 March 2012
OWASP Galway Begins!
Ok, this is a very short post as I am a tad busy, but, as of today (Friday, March Second, 2012), Galway (Ireland) has its own OWASP chapter setup by infodox!
Meetings are being prepared, as are workshops, talks and such, so watch this space for updates!
I will post links to its wiki/blog/etc later on today :)
check out OWASP stuff at OWASP.ORG
Quick note regarding my last demo
Ok, my last demo the reason the LFI-RCE failed was very simple: I messed up the Apache/PHP config in LAMPP while fuzzing earlier and forgot to reset it :/
Don't worry, my next demo will be on leveraging SQLi vulns in order to gain RCE, and I have to setup a better testbox anyway.
I will be showing the manual method + SQLMap methods of doing it all, and might even get a chance to video it!
WebApp Haxploitation with Weevely, Introducing InterSect.
Ok. This is a fairly pointless demo I made to demonstrate how a web-application bug (in this case LFI + Command Injection) can be leveraged to gain complete root access over a server. I simply took a bunch of screencaps during the demo I made to show a friend "Why web app bugs are dangerous".
So. Here goes!
The web app we used here was THIS: Mutillidae - IronGeek
Part One: The Buggy Page.
This shows the vulnerable page of the buggy application. It is a simple "Do a DNS lookup" page; just from looking at it we can tell it certainly has a Local File Inclusion vulnerability, and more than likely a Command Injection vulnerability too, since whatever you type is handed to a system command.
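The "DNS lookup" page is the textbook shape of this bug: the hostname goes straight into a shell command line. As an added example that is not Mutillidae's code, here is the same mistake in Python beside two fixes, with `echo` standing in for the real lookup binary so it runs anywhere. The injected payload is the harmless `; echo INJECTED` rather than the `; wget ...` used in the demo below; the hostname allowlist regex is an assumption.

```python
import re
import subprocess

# RFC 1123 hostname shape: labels of letters/digits/hyphens, dot separated.
# (An assumed allowlist; adjust if you need to accept bracketed IPv6 etc.)
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def lookup_vulnerable(host):
    """The bug: user input concatenated into a command line that a shell parses.
    `echo lookup` stands in for nslookup/dig so the demo runs offline.
    Anything after ';', '|', '&&', '`' or '$(' becomes a second command;
    in the Mutillidae demo that second command was a wget of a web shell."""
    cmd = "echo lookup " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv_only(host):
    """Fix 1: pass an argv list and no shell. Metacharacters reach the program
    as literal bytes, so there is no second command to run."""
    return subprocess.run(["echo", "lookup", host],
                          capture_output=True, text=True).stdout


def lookup_hardened(host):
    """Fix 2 (defence in depth): allowlist the input as well. This also stops
    argument injection, e.g. a host of '-x' being read as an option."""
    if not HOSTNAME_RE.match(host):
        raise ValueError("invalid hostname")
    return lookup_argv_only(host)


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"    # constructed attacker input
    print(lookup_vulnerable(payload))
    print(lookup_argv_only(payload))
    try:
        lookup_hardened(payload)
    except ValueError as e:
        print("rejected:", e)
```

`lookup_vulnerable` prints a second line, `INJECTED`, because `/bin/sh` split the string at the semicolon; `lookup_argv_only` prints the whole payload as one literal argument; `lookup_hardened` never runs anything for that input.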
Part Two: Lets Look for LFI
So. I knew there was LFI, and decided I would let fimap check for me, to see could I pull off any LFI-RCE stuff.
So. Now we know Fimap no canhaz RCE on the site, however there IS LFI. I want RCE, so I move swiftly along to the second vulnerability - Command injection.
Part Three: Command Injection
I decided to inject a Weevely Webshell into the app, so I put it up on my webserver and used wget to "inject" it.
Here is a screencap...
Ok. Shell seems injected, so we move on and try connect to it using the Weevely Client.
Part Four: There are Weevils In Your WWWROOT
Connecting to Weevely's PHP backdoor with the client. This is too easy...
So, lets see what it looks like in there...
SO! Got remote code execution and a "shell" like session. Let's see does Weevely's reverse shell work for us and try become uid=0 :D
Part Five: Netcat Says Meow
First off, we start Weevely's reverse shell plugin and tell it to phone home to us... We will be listening for it...
Ok. Now for the listener end of things...
w00t! We haz a shell :D
... Moving Swiftly along...
We decide to check kernel version and randomly see what commands work. I decided to lsusb for some arbitrary reason. Don't ask.
Ok. So we move on to escalating/exploring!
Part Six: Enter InterSect.
So I decide to test out InterSect, a wonderful post-exploitation tool developed by ohdae of BindShell Labs.
Here is a screencap of wgetting Intersect to the target box...
Aaaaand now to RUN Intersect ......
Ok. Intersect does not want to run as NON root, so it tells me how to get root on the box... Seeing as I like root... lets go get some!
Part Seven: We Are uid=0, + Harvest Some Infodox
So. I simply run a hypothetical root-exploit I had left in /tmp and get r00t! (It was actually a SUID shell I dropped earlier, as my kernel doesn't like localroots and panics!)
So. Got root. What next? Lets try see does InterSect want to run this time...
It Works! Sadly my battery promptly /quit a moment later but I think you get the idea of what you can do!
LINKS:
BindShell Labs
Intersect 2 - GitHub
Weevely - GoogleCode
Fimap - GoogleCode
And Finally
Insecurety Research
Labels:
attack tools,
Backdoor,
exploit,
Fimap,
Hackers,
Hacking,
insecurety,
Intersect,
linux,
local root,
OWASP,
Owned,
PHP,
PHP Backdoors,
Reverse Shell,
root,
suid,
Web App,
website,
Weevely
Thursday, 1 March 2012
Installing Nemesis on Ubuntu/BackTrack
Ok. Simple Post to explain how to go about installing Nemesis on Ubuntu/BackTrack.
What is nemesis?
Nemesis is a packet crafting/sending utility. It, much like hping3, allows you to craft and send packets of a few different protocols. I mainly use it for crafting/sending ARP packets for ARP poisoning, and my tool "arptoxin" uses it.
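As an added example (not part of the original post, and not code from nemesis or arptoxin), here is what an ARP reply used for poisoning looks like byte by byte, next to the check a defender runs over the same frames: any IP whose claimed MAC changes is reported. The addresses are constructed for the demo; the layout is plain Ethernet II + ARP, the same thing a packet crafter puts on the wire, but nothing here calls nemesis.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II + ARP reply, 42 bytes. For poisoning, sender_ip is the
    gateway's address and sender_mac the attacker's own card."""
    eth = struct.pack("!6s6sH", mac_bytes(target_mac), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, ARP_REPLY,    # Ethernet, IPv4, hlen, plen, opcode
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def detect_arp_spoof(frames, known=None):
    """Return (ip, old_mac, new_mac) whenever an IP's claimed MAC changes.
    `known` seeds the table with static entries (e.g. the gateway), so the
    first spoofed frame is caught even if it arrives before a legitimate one."""
    table = dict(known or {})
    alerts = []
    for frame in frames:
        p = parse_arp(frame)
        if p is None:
            continue
        seen = table.get(p["spa"])
        if seen is None:
            table[p["spa"]] = p["sha"]
        elif seen != p["sha"]:
            alerts.append((p["spa"], seen, p["sha"]))
    return alerts


# Constructed frames (not a real capture).
GW_MAC, GW_IP = "00:00:5e:00:53:01", "192.168.1.1"
VICTIM_MAC, VICTIM_IP = "00:00:5e:00:53:22", "192.168.1.22"
ATTACKER_MAC = "00:00:5e:00:53:66"
LEGIT = build_arp_reply(GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP)
SPOOF = build_arp_reply(ATTACKER_MAC, GW_IP, VICTIM_MAC, VICTIM_IP)  # "gateway is at attacker"
NOT_ARP = (struct.pack("!6s6sH", mac_bytes(VICTIM_MAC), mac_bytes(GW_MAC), 0x0800)
           + b"\x45" + b"\x00" * 27)                                  # IPv4 stub, ignored
SAMPLE_FRAMES = [LEGIT, build_arp_reply(VICTIM_MAC, VICTIM_IP, GW_MAC, GW_IP), NOT_ARP, SPOOF]
SPOOF_FIRST = [SPOOF, LEGIT]

if __name__ == "__main__":
    print(SPOOF.hex())
    print(detect_arp_spoof(SAMPLE_FRAMES))
    print(detect_arp_spoof(SPOOF_FIRST, known={GW_IP: GW_MAC}))
```

The `SPOOF_FIRST` case shows why the gateway belongs in a static table: without it the detector learns the attacker's MAC as the truth and reports the real gateway as the impostor.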
This post is also available HERE
Step One: Sudo Bash
i.e. you must be root.
Step Two: Install Dependencies
apt-get install libdnet-dev
apt-get install libpcap-dev
Step Three: Install libnet
cd /usr
mkdir nembuild
cd nembuild
wget http://ips-builder.googlecode.com/files/libnet-1.0.2a.tar.gz
tar -xf libnet-1.0.2a.tar.gz
cd Libnet-1.0.2a
./configure
make && make install
Step Four: Install Nemesis
cd /usr/nembuild (if not still there!)
wget http://heanet.dl.sourceforge.net/project/nemesis/nemesis/1.4/nemesis-1.4.tar.gz
tar -xf nemesis-1.4.tar.gz
cd nemesis-1.4
./configure --with-libnet-includes=/usr/nembuild/Libnet-1.0.2a/include --with-libnet-libraries=/usr/nembuild/Libnet-1.0.2a/lib
make && make install
Done! Nemesis SHOULD look like this...
Wednesday, 22 February 2012
New Project - ShellCode Collection/Repository
So. After getting sick of having to search all the time for shellcode, I decided it would be a nice idea to just create a nice repo of shellcode so people can just svn up and have a searchable repo of organized shellcode.
Hence I started this project.
It is a slow thing to start, and I seriously need people to help me. I can add people as committers if they want to help out, and the idea is to collect a wide variety of shellcode for various OS/Architectures/systems and have it searchable.
I eventually hope to clean up existing shellcode and add a python script for searching the repo, compiling, objdumping and encoding the shellcode.
Anyways, without further ado..
Project Homepage: Insecurety Research - Shellcode Repository
GoogleCode Page: Shellcode Repository at Google Code
Tuesday, 21 February 2012
Web Malware Collection - more Updates!
So, I have been grepping and searching through logs and google searches, hunting for malware to add. And oh lord, I am finding a LOT!
Lately I started hunting through pastebin for "more malware" and such, and am slowly amassing a fairly epic amount to sort. Also have to handle submissions, Honeypot logs, etc.
So, check out the project page! Web Malware Collection
Labels:
ASP,
ASP Shell,
Backdoor,
Hacking,
JSP,
JSP Shell,
Perl,
PHP,
PHP Backdoors,
Reverse Shell
Thursday, 16 February 2012
Web Malware Collection Updated
Ok, quick post. The Web Malware Collection has had some updates done, and I am *Still* busy sorting samples to commit.
Currently it has 443 samples (according to this "find . -type f | wc -l" command).
Project Page: http://insecurety.net/projects/web-malware/
GoogleCode: http://code.google.com/p/web-malware-collection/
SVN repo is on googlecode so SVN up :D
Labels:
ASP,
ASP Shell,
attack tools,
Backdoor,
insecurety,
JSP,
JSP Shell,
malware,
Nastyware,
Perl,
PHP,
Reverse Shell,
Security,
Web App
Tuesday, 14 February 2012
POST-it DoS
So. Got bored waiting for a lecturer who showed up late, and decided to add some shit to POST-it DoS while working on code for RailGun.
I added a massive list of Useragents (like 70k of em or something, its big...), randomize-useragent-from-list function, and a rather epic random junk generator for the POST data instead of using just a big load of X's.
So now it hits a bit harder (actual random junk) and may even defeat some failures of IDS/IPS... until the target box dies, that is.
It KIND OF implements a SlowLoris attack of kinds too, just to make it even more awesome.
Check it out here --> POST-it DoS and as always, use SVN to get it :)
Monday, 13 February 2012
Insecurety Site Launched!
Good news! Our hosting came through so we migrated one of our sites to the new domain (and server) at insecurety.net - we own it for the next year, so I finally have a stable place to host downloads, projects, etc!
All projects will still be backed up to GoogleCode, but milestone releases will be available from insecurety.net as soon as we hit milestones :D
Tuesday, 7 February 2012
HideMAC moved to GoogleCode!
HideMAC has been moved to GoogleCode!
Get it HERE... http://code.google.com/p/hidemac/
BTW, the bugs are being worked on...
Monday, 6 February 2012
Denial of Service Attacks, Layer 7
This is a brief reposted post (one I wrote ages back) on how Layer 7, or "Application Layer" Denial of Service Attacks work.
Application Layer DoS attacks are a newer form of DoS attack. They work by not simply flooding/saturating the servers bandwidth, but by attacking a specific service, or application, running on the server. They often require far less bandwidth to accomplish, and are far more "efficient" an attack method. No massive botnets are required for an attacker to be able to effectively take out the target service.
I first got interested in Layer 7 DoS after realizing that LOIC and such "packet flooders" were essentially next to useless. TCP flooding was bandwidth intensive and required either a horde of fools, a large botnet, or a fucking huge datapipe to accomplish (a few cheap VPS's, however, made the job easier...). Sure, you could use spoofing and such attacks to enhance your "firepower", but when up against *big* targets with fairly impressive filtering, you were essentially wasting resources.
For those of you unfamiliar with Layer 7 DoS attacks, have a read of this paper from OWASP - it was what gave me my head start in understanding it all.
Layer 7 DoS - OWASP
Now. Onward to the "attack techniques". The series I wrote on DoS attacks was all about explaining what attack methods are used where, and seeing as the only edits done in this repost were a quick spellcheck and this comment, I do not plan on editing very much else. Yes, I am lazy.
HTTP GET DoS / SlowLoris Attack.
Wikipedia on Slowloris
Original page explaining it
Now, first off, list of affected target webservers:
- Apache 2.x
- Apache 1.x
- dhttpd
- GoAhead WebServer
- WebSense "block pages" (unconfirmed)
- Trapeze Wireless Web Portal (unconfirmed)
- Verizon's MI424-WR FIOS Cable modem (unconfirmed)
- Verizon's Motorola Set-Top Box (port 8082 and requires auth - unconfirmed)
- BeeWare WAF (unconfirmed)
- Deny All WAF (unconfirmed)
How it works is simple, it asks the server to wait. The server, being nice, waits. It does this simulating over9000 clients. The server keeps on waiting, being nice. Server dies, pretty much.
Now, to the interesting part. Attack Tools.
Original Slow Loris
TOR Loris - SlowLoris w/ Multiple TOR Proxies
PyLoris - Python SlowLoris
In Development: FluxLoris (Rapid SOCKS switching SlowLoris implementation)
HTTP POST DoS Attack (SlowPost)
This one was inspired by the OWASP paper I referred to above, and we released a PoC tool to exploit the bug around Christmas 2010. I worked on developing the tool and learned a LOT. Basically you are uploading (POST-ing) data to the server and saying "Hey, you! I am on a laggy connect! Please wait!". The server waits... And waits... You keep the connection open.
You do this with a literal shitload of threads.
It requires bugger all bandwidth and has a very destructive effect, leaving most webservers unresponsive within a few minutes.
So, here was our initial PoC tool:
POST-it v1
We had a more "lethal" variant but it is lost long ago, maybe some day I will dig it up and re-implement it, but given current climate, no point.
Now, onward, there are far better attack tools!
SlowPost by NEC - This one is VERY nice. Uses proxy lists to anonymize the attack. Was written by the current maintainer of the "LOIC" package I believe.
OWASP HTTP POST DoS - This one is from OWASP, and seems to be moreso for testing.
R U Dead Yet - This one is considered the "industry standard" for HTTP POST DoS attacks. It works. Most of the time. I know of some unusual errors it has thrown in the past, but it has TOR support.
And finally, the well known and loved TORSHAMMER . This one is incredibly effective, known to drop servers within minutes. Anecdotal evidence has it one guy on a DSL line took out a bunch of Iranian government websites for a half hour a year or so ago, and then ate the Libyan .gov servers for second helpings! It works fairly reliably, and uses TOR.
There are a great deal of other attack tools out there exploiting these weaknesses, but the best bet (for now) to avoid the embarrassment of someone taking you down a peg with some of these is to put NGINX in front of (or in place of) your webserver. Its event-driven model does not tie up a worker per idle connection, so it shrugs these attacks off far better than stock Apache, but it is not immune: keep its client_header_timeout and client_body_timeout tight. If you must stay on Apache, mod_reqtimeout (RequestReadTimeout) enforces the same kind of per-phase read deadline and minimum data rate.
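Slowloris and slow POST both work by sending just enough bytes to keep a per-connection worker alive past the server's timeout. As an added example (not part of the original post, and not code from any of the tools listed), here is the defence in miniature: a read-deadline policy modelled on Apache's mod_reqtimeout (a base timeout per phase, extended by one second for every 500 bytes actually received), run over a constructed table of connections that holds a normal GET, a legitimate slow upload, one slow POST and 25 Slowloris sockets from a single address. The timeouts, the minimum rate and the per-IP limit are assumed values.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Conn:
    cid: str
    ip: str
    opened: float
    chunks: List[Tuple[float, int]]          # (timestamp, bytes) per socket read
    header_done_at: Optional[float] = None   # when the blank line ending the headers arrived
    finished: bool = False                   # whole request read; handler is responding


def check_conn(c, now, header_timeout=20.0, body_timeout=20.0, min_rate=500.0):
    """Return the phase ("header" or "body") in which the connection blew its
    read deadline, or None. Mirrors mod_reqtimeout's
    RequestReadTimeout header=20,MinRate=500 body=20,MinRate=500 (assumed
    values): each phase starts with a fixed allowance that is extended by one
    second for every `min_rate` bytes received. Only reads up to `now` count."""
    phase, deadline = "header", c.opened + header_timeout
    for ts, n in c.chunks:
        if ts > now:
            break
        if phase == "header" and c.header_done_at is not None and ts > c.header_done_at:
            phase, deadline = "body", c.header_done_at + body_timeout
        if ts > deadline:
            return phase          # this read arrived after the socket should have been closed
        deadline += n / min_rate  # data earns the client more time, slowly
    if not c.finished and now > deadline:
        return phase              # silent socket that has run out of allowance
    return None


def triage(conns, now, per_ip_limit=20, **policy):
    """Apply the policy to every connection and additionally flag source IPs
    holding more than `per_ip_limit` stalled sockets (a Slowloris signature)."""
    stalled = {}
    for c in conns:
        phase = check_conn(c, now, **policy)
        if phase:
            stalled[c.cid] = phase
    per_ip = Counter(c.ip for c in conns if c.cid in stalled)
    flagged_ips = {ip for ip, n in per_ip.items() if n > per_ip_limit}
    return stalled, flagged_ips


def slowloris_conn(cid, ip):
    """Partial request line plus headers, then one bogus header every 10 s,
    never sending the blank line that would complete the request."""
    return Conn(cid, ip, 0.0, [(0.0, 100)] + [(10.0 * i, 8) for i in range(1, 6)])


def slow_post_conn(cid, ip):
    """Complete headers announcing a large Content-Length, then the body
    dribbles in one byte at a time."""
    return Conn(cid, ip, 0.0, [(0.05, 400), (5.0, 1), (15.0, 1), (30.0, 1)],
                header_done_at=0.05)


# Constructed connection table (not real server data).
SAMPLE_CONNS = [
    Conn("get-1", "192.0.2.10", 0.0, [(0.01, 300)], header_done_at=0.01, finished=True),
    Conn("upload-1", "192.0.2.11", 0.0,
         [(0.1, 400)] + [(float(s), 1000) for s in range(1, 61)],
         header_done_at=0.1, finished=True),
    slow_post_conn("post-1", "203.0.113.9"),
] + [slowloris_conn(f"loris-{i}", "198.51.100.7") for i in range(25)]

if __name__ == "__main__":
    stalled, ips = triage(SAMPLE_CONNS, now=60.0)
    print(Counter(stalled.values()), ips)
```

The legitimate 1 kB/s upload survives because every second of data buys it two more seconds of deadline, whereas the one-byte-every-ten-seconds POST and the header dribble both fall behind within half a minute; the per-IP count is what turns 25 individually plausible sockets into one obvious offender.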
Further Reading...
Testing Webservers for Slow HTTP Attacks
http://en.wikipedia.org/wiki/Denial-of-service_attack
http://www.acunetix.com/blog/web-security-zone/articles/http-post-denial-service/
http://www.us-cert.gov/cas/tips/ST04-015.html
http://isc.sans.edu/diary.html?storyid=6601
http://www.funtoo.org/wiki/Slowloris_DOS_Mitigation_Guide
http://www.checkpoint.com/defense/advisories/public/announcement/071409-slowloris-dos-attack.html
http://www.bullten.com/what-is-slowiris-ddos-attack-and-how-to-mitigate-its-effect/
Wiley Less: It Is Back!!
Just a quick post. The WileyLess Project has returned... And has a blog/twitter of its own. Facebook app delayed.
I am working on the hosting/mirrors side of things, the .js and html is the other developers problem!
Link: Wiley Less Blog
Coming Soon from the Wiley Less team: Interactive Periodic Table, and some kind of chemdraw app, or so I am told...
Friday, 3 February 2012
HTTP Session Hijacking
So. We all know about the infamous FireSheep, which caused an EPIC shitstorm when it came out - and was subsequently abused by many a bored student to "Frape" people in lecture halls.
For those of you who have slept through the last year, here is a link to it...
Get FireSheep
Wikipedia: Firesheep
Firesheep on Linux
Now, onward! Firesheep only "Kind of" works on Linux, so we had to find other tools to do the same thing (session sidejacking without any ARP fuckery).
Also, installing FireSheep on Linux was such a total pain in the arse, even WITH instructions, that I soon got annoyed. I may write a .sh script to automate it all later, if I could be arsed.
However, fear not! Someone wrote something awesome! Hamster and Ferret!
Hamster and Ferret
It sets up a web proxy type thing and sniffs wireless. It works, most of the time.
It is also totally awesome!
Here is someone else's video on using it...
Now that is all pretty damn cool. But I found an even better tool yet on my travels...
SurfJack
Why is it better? 'cos it is written in python. That is why. And it is using SCAPY. I love SCAPY.
Check out their site here... Enable Security
There are, of course, a lot of nasty things one can do with session hijacking, and I planned a longer post on the topic but my fingers are tired.
Thursday, 2 February 2012
New OS... BackBox
OK. Seeing as the installer of Xubuntu 10.04 crashed every time it got to "partition shit plz" I ended up with BackBox.
BackBox 2 is damn nice, XFCE interface... Lightweight... And does the job.
I will be later covering slight modifications I make to it.
Also, my keyboard is a bit fucked as I used it as an ashtray. Derp.
Wednesday, 1 February 2012
Bricked!
Ok, so I did SOMETHING wrong with SVN and broke 2 of my SVN repos. I also seem to have broken several other things on my computer, so it's time for the infamous rm -rf and restart.
I will be documenting everything I change, I am starting with XUbuntu 10.04 and will be turning it into a bit of a pentesting distro. Compiling lots of shit from source, apt-getting lots of other shit, and generally fucking about until it works.
If you are looking for nice information on making your own PT distro, watch this space. I will be logging every last thing I do, from the MetaSploit Install to compiling nmap, and it may be interesting to some of you :)
Seeing as I focus a lot on Wireless and Web App testing you will see a lot of focus on those applications, and on making MSF work from source.
Hope you find it useful and interesting - I will be doing it all over the next few hours :D
Monday, 30 January 2012
Web Application Backdoors Collection: v2.0
This is the SVN for web app backdoors. As I find em, I add em. I also try to purge dupes from time to time, but have not yet got a good method of doing so just yet.
I also plan to eventually analyse them for backdoors, so if you find a backdoor in one please mail me so I can mark it as backdoored.
Finally, I take NO RESPONSIBILITY WHATSOEVER for ANY use of this collection, it is designed for educational purposes and so you AV people can write signatures for this shit.
So SVN UP!!
Web Shell Collection
Sunday, 29 January 2012
New Linux Local Root Exploit in the wild
Just a quick post, plan to test this in a VM later and make a video for all to see... (if I remember!)
http://git.zx2c4.com/CVE-2012-0056/plain/mempodipper.c
Very interesting technique!
Play safe...
Friday, 27 January 2012
Web Backdoors: Video
This is a video I made to quickly demonstrate some Web App Backdoors.
I demonstrate Weevely; FireInTheHole.py; PHPSploit; and two standard "web shells", the WSO2.php shell and the ITSecTeam shell.
I occasionally comment on each one's shortfalls, but here is the simple TL;DR one.
Weevely is amazing to use, has LOADS of features, the netcat bind and backconnect shells work perfectly, but it is slightly confusing for the first time user. It also remembers your current working dir and has a very intuitive shell (just like BASH) and fairly good error handling.
You can get it HERE: Weevely
FireInTheHole.py is fast, simple to use, uses both POST and/or GET and gives a terminal like session. It has no advanced features but has a couple of bugs, namely its non-interactive state. It *does* remember your current working dir however, which is very advantageous.
You can download it HERE: Fireinthehole.py
PHPSploit is a VERY nice "framework" which is currently in beta and has great potential. It looks a LOT like Metasploit, and I envision it becoming popular sometime in the future. It works fine, allows you to pull a lot of info, however it has some issues. It does not remember current working dir at all, so it can be rather annoying to "stack" commands for different dirs.
You can download it HERE: PHPSploit
I then demo the WSO2 PHP backdoor, which was failing pretty hard (some functions missing) and the ITSecTeam PHP backdoor, which seems designed to be "skid friendly" and has loads of features. I suspect both may be backdoored but have not investigated... YET. Neither had a functional backconnect or bindshell, and had a load of errors/bugs. I recommend *not* using these. You may find examples on google, and I plan to upload them myself later.
Now it's video time!
Quick note...
So as I slowly realize that some parts of my mind are eroding due to excessive stress, I decided "why not fucking blog about it like all those other people with inflated self-opinion?"
So, for the hell of it, my rantings and general idiocy will be posted to my other blog that I just set up. Expect lots of emotional/drunken/pseudo-philosophical rantings.
Some of you may even get a good laugh as my mind melts down into jelly! As if it ever was *not* a quivering blob of jelly...
Link to blog! ---> My Own Idiotic Ranting
Oh, some other people may occasionally use it to "vent" also. So spread it around, and if you want to anonymously vent and want to publish it there, just message me @info_dox on twatter or email at: the.infodox [at] gmail.com :)
~infodox
Sunday, 22 January 2012
802.11 Race Condition Exploitation
This post is about the Race Condition Exploitation method for "hijacking" WiFi clients.
Basically how it works is, the client sends a GET request for whatever. You respond with a 301 redirect to your content.
How you do this is by sniffing the traffic, and when you see a GET you inject a 301 to the client and a FIN or RST to the AP. You essentially pretend to be the access point for a second.
So far there are several variants out there, including a Metasploit module. It can be found in auxiliary/spoof/wifi/airpwn
The technique was originally demoed by "toast" at DEFCON 12, and used to replace images with shock porn like Goatse or Tubgirl.
Some links of interest...
http://evilscheme.org/defcon/
http://airpwn.sourceforge.net/Airpwn.html
http://sourceforge.net/projects/airpwn/
http://securitysumo.wordpress.com/2008/04/22/running-airpwn/
Aaaaand some video...
So naturally, I wondered. I can inject images and javascript... So what about executables? (you see where I am going...)
Then I found someone else was doing this exact thing with updates. Hijacking them a la airpwn. Their tool is named "IPPON", and is very interesting, albeit buggy as fuck. If you can make it work, please god message me!
Here be their presentation from DEFCON 17, and their code!
http://www.slideshare.net/itzikk/ippondefcon17
http://code.google.com/p/ippon-mitm/
Now on to the best of the bunch (IMO). RCX. Developed by Melchi Salins, it allows you to do *anything*, is written in Python using SCAPY, and generally is fucking BADASS! With it, you can redirect ANYTHING to ANYTHING.
http://rcx.sourceforge.net/rcx.html
Coming Soon... The RCX config file for mass update hijacking!
##
Ok. Comments were asking for how to install AirPwn in Ubuntu 10.04/Back Track 5.
Here is how it is SUGGESTED to do it...
http://www.timashley.me/node/718
Now I found the second part of that (install lorcon + airpwn) did not work for me. So... I did things a bit differently.
Check out this LaunchPad: https://launchpad.net/~nagos/+archive/ppa?field.series_filter=
Now, I simply grabbed the .deb files for Airpwn and Liblorcon from there.
Install Liblorcon FIRST. Then Airpwn.
However, this PPA should work fine also: ppa:nagos/ppa
It just didn't work for me :P
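For the defender's side of the race described above, here is an added example (my own, not code from the original post, airpwn, IPPON or RCX) that scans a stream of TCP segments for the fingerprint an injected response leaves behind: two different payloads at the same sequence number on the same flow, something a genuine retransmission never produces. Hosts, ports and packets are constructed for the example.

```python
"""Added example: spot airpwn/RCX-style response injection on the wire.

The race leaves a tell-tale: the injected 301 and the access point's genuine
reply occupy the same TCP sequence number on the same flow but carry different
bytes. A true retransmission repeats identical bytes, so it is not flagged.
All segments below are constructed for this example (not a real capture)."""
from collections import namedtuple

Segment = namedtuple("Segment", "src sport dst dport seq ttl payload")


def status_line(payload):
    """First line of an HTTP message, for readable reports."""
    return payload.split(b"\r\n", 1)[0].decode("ascii", errors="replace")


def find_injected_responses(segments):
    """Return one finding per (flow, seq) that carried two different payloads."""
    variants = {}   # (src, sport, dst, dport, seq) -> distinct segments seen
    findings = []
    for seg in segments:
        if not seg.payload:
            continue  # SYN/ACK/FIN with no data: nothing to compare
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        seen = variants.setdefault(key, [])
        if any(v.payload == seg.payload for v in seen):
            continue  # benign retransmission: identical bytes
        if seen:
            findings.append({
                "flow": f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}",
                "seq": seg.seq,
                "first": status_line(seen[0].payload),
                "second": status_line(seg.payload),
                # an injected packet is forged one hop away, so TTL usually differs
                "ttl_delta": abs(seen[0].ttl - seg.ttl),
            })
        seen.append(seg)
    return findings


# Constructed sample flow (documentation address ranges, hypothetical hosts).
CLIENT, SERVER = "192.0.2.25", "203.0.113.10"
SAMPLE_SEGMENTS = [
    Segment(CLIENT, 51000, SERVER, 80, 1, 64,
            b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # injected reply wins the race: fresh TTL, redirect to a hypothetical host
    Segment(SERVER, 80, CLIENT, 51000, 1001, 64,
            b"HTTP/1.1 301 Moved Permanently\r\n"
            b"Location: http://injected.example/\r\nContent-Length: 0\r\n\r\n"),
    # the genuine reply via the access point arrives later: same seq, new bytes
    Segment(SERVER, 80, CLIENT, 51000, 1001, 52,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
    # ordinary retransmission of that genuine reply: identical, not flagged
    Segment(SERVER, 80, CLIENT, 51000, 1001, 52,
            b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"),
]

if __name__ == "__main__":
    for f in find_injected_responses(SAMPLE_SEGMENTS):
        print(f"{f['flow']} seq={f['seq']}: {f['first']!r} then "
              f"{f['second']!r} (TTL delta {f['ttl_delta']})")
```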
Saturday, 21 January 2012
Friday, 13 January 2012
MITM w/ ARP Toxin and Driftnet - Video + Tool
Quick intro video about using ARP Toxin to perform MITM attacks, with extra fun involvin' using Driftnet to sniff images sent across the network.
Code is here -- Sauce Code
Bug reports and suggestions welcome!
Video made for CampusCon :D
Tuesday, 10 January 2012
Downtime part 2
So I think the shell I hosted the main site on is dead.
Once I retrieve backups of my homedir there I will have it back online.
All files are slowly being mirrored and I am working to rectify the issue...
Thursday, 5 January 2012
Interesting Stats... Browser and OS choice of my readers
So, I noticed blogger.com autodetects OS and Browser of viewers to the blog. I then thought... "Wow, this is interesting..." and decided to publish. I wonder how they run the detection? User Agent? Fascinating stuff, especially the variety xD
[Stats chart: Pageviews by Browsers]
[Stats chart: Pageviews by Operating Systems]
Collection of web app backdoors (v1)
This is a collection of the common PHP (and ASP if I find them) backdoors used by malicious hackers to take over servers.
I am NOT responsible for your use of this!
Warning: There is every possibility these backdoors may be backdoored. I am going to eventually sort them into two folders - backdoored backdoors and clean backdoors. Then I can sit back and watch y'all go apeshit at some skiddies who backdoor their backdoors :D
Download the list here...Web Backdoors
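Since the stated purpose of these backdoor collections (this one and the v2.0 SVN above) is letting AV people write signatures, here is an added example, not part of the post or the collection, of a small rule-based scanner that scores PHP sources for the execution and obfuscation patterns such shells rely on. Rule names, weights and the two sample files are constructed for this example.

```python
"""Added example: a signature scanner for PHP web shells, in the spirit of the
AV-signature use the collection posts describe. Rules and sample files are
constructed for this example and are not taken from the collection itself."""
import re

# (rule name, pattern, weight). Case-insensitive because PHP function names are.
RULES = [(name, re.compile(pat, re.I), w) for name, pat, w in [
    # execution primitive fed straight from a request superglobal
    ("request-to-exec",
     r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*[^)]*"
     r"\$_(GET|POST|REQUEST|COOKIE)", 5),
    # eval/assert wrapped around a decoder: classic obfuscated stager
    ("eval-of-decoded",
     r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|"
     r"str_rot13|urldecode)\s*\(", 5),
    # eval/assert directly on request input
    ("eval-of-request", r"\b(eval|assert)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", 5),
    # preg_replace with the /e modifier (code execution in old PHP)
    ("preg-replace-e", r"preg_replace\s*\(\s*(['\"])/.*?/[a-z]*e[a-z]*\1", 4),
    # nested decoders: gzinflate(base64_decode(...)) and friends
    ("decoder-chain",
     r"\b(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(\s*"
     r"(gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", 3),
    # a very long base64 run is a weak signal on its own, hence low weight
    ("long-base64", r"[A-Za-z0-9+/]{200,}={0,2}", 2),
]]


def scan_source(src):
    """Return [(rule, hit_count, weighted_score)] for every rule that fires."""
    findings = []
    for name, rx, weight in RULES:
        hits = sum(1 for _ in rx.finditer(src))
        if hits:
            findings.append((name, hits, hits * weight))
    return findings


def risk_score(src):
    """Total weighted score; anything at or above 5 deserves a human look."""
    return sum(score for _, _, score in scan_source(src))


# Constructed samples: a harmless page and a shell-like file (placeholder blob).
BENIGN_PHP = """<?php
$name = htmlspecialchars($_GET['name'] ?? 'world');
echo "<p>Hello, $name</p>";
$logo = base64_decode($config['logo']);   // decoding alone is not damning
?>"""

SHELL_LIKE_PHP = """<?php
if (isset($_GET['c'])) { system($_GET['c']); }
eval(gzinflate(base64_decode('PLACEHOLDER_NOT_A_REAL_PAYLOAD')));
?>"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_PHP), ("shell-like", SHELL_LIKE_PHP)):
        print(label, risk_score(src), scan_source(src))
```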
Tuesday, 3 January 2012
Quick Post - package of Perl shells
Ok, very short post. 4 Perl shells/backdoors, 3 are reverse shells and one is a Bind shell. Seems to me everyone uses the same trick to get reverse shell :/
Anyways, more to come later! Download link below!
Perl Shells Tarball
Sunday, 1 January 2012
CVE-2011-4885 PHP HashTables Exploit
Hey guys, time for some exploit code!
Here is the exploit for CVE-2011-4885
Info on vuln:
http://secunia.com/advisories/47404
http://www.ocert.org/advisories/ocert-2011-003.html
http://www.nruns.com/_downloads/advisory28122011.pdf
Exploit Code:
PHP Exploit Code
Pastebin Mirror