Crack zip's password


Maybe it is an old trick in the security world, but I'm sharing it because this morning someone gave me a zip file whose password he had forgotten and asked me to crack it. How do you crack a zip's password?
Hmm, I had never done it before, but I'll try.
My first step was to search for tools already on my PC, and I found "fcrackzip".
Can it work? I'll know once I've tried it.

Now look at its usage, printed with the command:
root@victim:~# fcrackzip -h
fcrackzip version 1.0, a fast/free zip password cracker
written by Marc Lehmann <pcg@goof.com> You can find more info on
http://www.goof.com/pcg/marc/
USAGE: fcrackzip
          [-b|--brute-force]            use brute force algorithm
          [-D|--dictionary]             use a dictionary
          [-B|--benchmark]              execute a small benchmark
          [-c|--charset characterset]   use characters from charset
          [-h|--help]                   show this message
          [--version]                   show the version of this program
          [-V|--validate]               sanity-check the algortihm
          [-v|--verbose]                be more verbose
          [-p|--init-password string]   use string as initial password/file
          [-l|--length min-max]         check password with length min to max
          [-u|--use-unzip]              use unzip to weed out wrong passwords
          [-m|--method num]             use method number "num" (see below)
          [-2|--modulo r/m]             only calculcate 1/m of the password
          file...                    the zipfiles to crack
methods compiled in (* = default):
 0: cpmask
 1: zip1, TARGET_CPU=0
 2: zip2, TARGET_CPU=0, USE_MULT_TAB
 3: zip3, TARGET_CPU=5
 4: zip4, TARGET_CPU=5, USE_MULT_TAB
 5: zip5, TARGET_CPU=6
*6: zip6, TARGET_CPU=6, USE_MULT_TAB
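The methods listed above all work against the traditional PKWARE "ZipCrypto" scheme; fcrackzip does not handle WinZip AES entries. So the first thing worth knowing about an archive, whether you are recovering a forgotten password or auditing what your own backups rely on, is which scheme each entry actually uses. The following script is an added example (not part of the original post and not fcrackzip's code): it walks the local file headers of a zip file, reads the encryption flag and compression method, and classifies each entry as unprotected, ZipCrypto, or AES with its key size. The three-entry archive it inspects is constructed in the script itself.

```python
import struct

LOCAL_HEADER_SIG = 0x04034B50
FLAG_ENCRYPTED = 0x0001
FLAG_DATA_DESCRIPTOR = 0x0008
METHOD_AES = 99          # WinZip AES marker in the compression-method field
AES_EXTRA_ID = 0x9901    # "AE-x" extra field that carries the AES strength byte
AES_STRENGTH = {1: "aes-128", 2: "aes-192", 3: "aes-256"}


def aes_strength(extra):
    """Walk the extra-field list and return the AES key size, if declared."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        # AE-x body layout: version(2) vendor "AE"(2) strength(1) real method(2)
        if field_id == AES_EXTRA_ID and len(body) >= 5:
            return AES_STRENGTH.get(body[4], "aes-unknown")
        pos += 4 + size
    return "aes-unknown"


def classify(flags, method, extra):
    if not flags & FLAG_ENCRYPTED:
        return "none"
    if method == METHOD_AES:
        return aes_strength(extra)
    return "zipcrypto"   # legacy PKWARE scheme, the one fcrackzip targets


def audit_zip(data):
    """Map each entry name to its protection scheme by walking local file headers."""
    result = {}
    pos = 0
    while pos + 30 <= len(data):
        fields = struct.unpack_from("<IHHHHHIIIHH", data, pos)
        sig, _ver, flags, method, _t, _d, _crc, csize, _usize, nlen, elen = fields
        if sig != LOCAL_HEADER_SIG:
            break                      # reached the central directory
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        extra = data[pos + 30 + nlen:pos + 30 + nlen + elen]
        result[name] = classify(flags, method, extra)
        if flags & FLAG_DATA_DESCRIPTOR:
            break   # sizes follow the data; a full reader would use the central directory
        pos += 30 + nlen + elen + csize
    return result


def make_entry(name, flags, method, payload, extra=b""):
    """Build one local file header plus payload (constructed test data only)."""
    header = struct.pack("<IHHHHHIIIHH", LOCAL_HEADER_SIG, 20, flags, method, 0, 0,
                         0, len(payload), len(payload), len(name), len(extra))
    return header + name.encode() + extra + payload


# Constructed archive: one plain entry, one ZipCrypto entry, one AES-256 entry.
AES_EXTRA = (struct.pack("<HHH", AES_EXTRA_ID, 7, 2) + b"AE" + bytes([3])
             + struct.pack("<H", 8))
SAMPLE_ZIP = (make_entry("notes.txt", 0, 0, b"hello")
              + make_entry("secret.txt", FLAG_ENCRYPTED, 8, b"\x00" * 20)
              + make_entry("vault.txt", FLAG_ENCRYPTED, METHOD_AES, b"\x00" * 30, AES_EXTRA))

if __name__ == "__main__":
    for entry, scheme in audit_zip(SAMPLE_ZIP).items():
        print(f"{entry}: {scheme}")
```

Run it against a real file with `audit_zip(open(path, "rb").read())`. An entry reported as "zipcrypto" is the case the fcrackzip methods above apply to; "aes-256" entries are out of their reach, which is also the setting you want for anything you actually need to keep confidential.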

RIPS

Yesterday, when my team (9tails) and I became finalists in the DAGELAN NETWORK SECURITY COMPETITION (GEMASTIK 2011), the committee gave us a vulnerable web application and expected us to fix it.
We could have fixed it by analysing its scripts one by one, but we knew that would take more time, and we were short of time to test how secure it was. So our instructor (Anbu) gave us a solution: he suggested we use RIPS.

RIPS? What is it?
RIPS is an OWASP project that lets us check the security of PHP scripts and suggests fixes for the vulnerabilities it finds. RIPS can search for vulnerabilities in several categories such as SQL Injection, XSS, CSRF, etc.
Here is a screenshot of RIPS; try it yourself if you are a web developer.
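To show what a scanner like RIPS is doing when it reports an SQL injection or XSS finding, here is a deliberately small taint tracker as an added example (my own illustration, not RIPS's code or algorithm). It marks variables assigned from request sources (`$_GET`, `$_POST`, ...) as tainted, follows them through simple assignments, and reports any line where tainted data reaches a sink such as `mysql_query` or `echo` without passing through one of a few sanitising functions. The PHP it analyses is a constructed sample embedded in the script; the rule tables are assumptions chosen for the demonstration, and the sanitiser check is deliberately coarse (a real analyser pairs each sanitiser with the sink types it actually covers).

```python
import re

# Constructed rule tables: where untrusted data enters, which calls are
# dangerous when they receive it, and what counts as neutralising it.
SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")
SINKS = {
    "mysql_query": "SQL Injection",
    "mysqli_query": "SQL Injection",
    "eval": "Code Injection",
    "include": "File Inclusion",
    "echo": "Cross-Site Scripting",
}
SANITIZERS = ("intval(", "mysql_real_escape_string(", "htmlspecialchars(")

ASSIGN_RE = re.compile(r"^(\$\w+)\s*=\s*(.+);$")
VAR_RE = re.compile(r"\$\w+")


def is_tainted(expr, tainted):
    """True if expr reads a request source or a variable already marked tainted."""
    if any(src in expr for src in SOURCES):
        return True
    return any(v in tainted for v in VAR_RE.findall(expr))


def is_sanitized(expr):
    return any(s in expr for s in SANITIZERS)


def analyse_php(source):
    """Return (line_no, sink, category) for every sink fed unsanitised input."""
    tainted = set()
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        code = line.strip()
        # 1. does this line feed tainted data into a dangerous call?
        for sink, category in SINKS.items():
            m = re.search(rf"\b{sink}\b(.*)", code)
            if m and is_tainted(m.group(1), tainted) and not is_sanitized(m.group(1)):
                findings.append((line_no, sink, category))
        # 2. propagate taint through simple assignments
        m = ASSIGN_RE.match(code)
        if m:
            var, expr = m.groups()
            if is_tainted(expr, tainted) and not is_sanitized(expr):
                tainted.add(var)
            else:
                tainted.discard(var)  # overwritten with clean data
    return findings


# Constructed sample PHP: two real flaws (lines 5 and 7) and two fixed ones.
SAMPLE_PHP = """<?php
$id   = $_GET['id'];
$name = htmlspecialchars($_GET['name']);
$sql  = "SELECT * FROM news WHERE id=" . $id;
$rows = mysql_query($sql);
echo "Hello " . $name;
echo "Raw: " . $_GET['name'];
$page = intval($_GET['page']);
mysql_query("SELECT * FROM news LIMIT " . $page);
?>"""

if __name__ == "__main__":
    for line_no, sink, category in analyse_php(SAMPLE_PHP):
        print(f"line {line_no}: {category} via {sink}()")
```

The point of the exercise is the shape of the analysis, source to sink with sanitisers in between, which is why a tool can point at the exact line to fix instead of you reading every script by hand.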





The risk of a simple answer to a security question



When we create a new account on some network application, we usually find a field for a security question.
The security question is used to reset the password if we have forgotten it, but with a simple answer to the security question anyone can use it as a way to take over our account.

For example:
Vince has a falling-out with Andre, and Andre dislikes Vince because she has not apologised for it. So Andre makes a plan to take over all of Vince's accounts.
Andre knows that Vince has an account on a social network, so he makes a fake account on that network under the name Anton and tries to get close to Vince without Vince knowing that Anton is Andre (a social engineering technique).
Eventually Vince believes that Anton is real.
Then Andre tries to take over Vince's mail account, since he expects to find more private information and private mail in Vince's inbox. The simplest way Andre knows is to reset the password using the security question on Vince's account.

Now Andre goes to the mail provider where Vince has an account, opens the site's forgot-password feature, chooses the security-question mode and tries to answer the question.
An example question is: Where was your father born?
If Andre does not know the answer, he can ask Vince directly through Anton's account. In other words:
Anton : Where are you from, Vince?
Vince : Tokyo
Anton : Is your father from there too?
Vince : No, my father was born in Yokohama.

Create a backdoor using SQL injection

The first step is to search for an SQL injection vulnerability on the site, and I found one on that site at the URL: http://192.168.56.103/joomla/index.php?option=com_aardvertiser&cat_name=user&task=view

Now try to inject it with sqlmap using the syntax:
root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.56.103/joomla/index.php?" --data "option=com_aardvertiser&cat_name=user&task=view" -p cat_name --dbs

Then the result is:
[03:18:19] [WARNING] POST parameter 'cat_name' is not injectable
[03:18:19] [CRITICAL] all parameters appear to be not injectable. Try to increase --level/--risk values to perform more tests. Rerun by providing either a valid --string or a valid --regexp, refer to the user's manual for details
[*] shutting down at: 03:18:19

What is socks?

SOCKS is a generic proxy protocol for TCP/IP-based networking applications; the SOCKS protocol provides a flexible framework for developing secure communications by easily integrating other security technologies. When an application client needs to connect to an application server, the client machine connects to a SOCKS proxy server. The proxy server connects to the application server on behalf of the client and relays data between the client and the application server. To the application server, the proxy server is the client.
Compare this with how HTTP works: a web browser initiates a request to a server, typically by opening a TCP/IP connection. The request itself comprises a request line, a set of request headers, and an entity. The server then sends a response that comprises a status line, a set of response headers, and an entity. The entity in the request or response can be thought of simply as the payload, which may be binary data; the other items are readable ASCII characters. When the response has been completed, either the browser or the server may terminate the TCP/IP connection, or the browser can send another request.
References:
http://www.infosecwriters.com/text_resources/pdf/what_is_socks.pdf
http://www.silicon-press.com/briefs/brief.http/brief.pdf
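The "client asks the proxy, proxy connects on its behalf" description above is concrete once you see the bytes. As an added example (mine, not from the post or the references), the script below implements the SOCKS version 5 handshake from RFC 1928 on both sides: the client's method greeting and CONNECT request, and the proxy's method choice and reply. The proxy half applies a destination allow-list, an assumption standing in for a real proxy's access policy, and returns the "not allowed by ruleset" code for anything else; `handshake()` runs both halves in-process so the whole exchange can be traced without a network.

```python
import socket
import struct

SOCKS_VERSION = 5
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_NOT_ALLOWED, REP_CMD_NOT_SUPPORTED = 0x00, 0x02, 0x07


# ---- client side: the two messages a client sends ----
def build_greeting(methods=(NO_AUTH,)):
    """VER, NMETHODS, METHODS: the client offers the auth methods it supports."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def build_connect(host, port):
    """CONNECT request; host may be dotted IPv4 (ATYP 1) or a hostname (ATYP 3)."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:                      # not an IPv4 literal: send the name
        raw = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack(">H", port)


# ---- proxy side: parsing those messages and answering ----
def answer_greeting(msg, supported=(NO_AUTH,)):
    """Pick the first offered method the proxy supports, or 0xFF (client must close)."""
    if len(msg) < 2 or msg[0] != SOCKS_VERSION or len(msg) != 2 + msg[1]:
        raise ValueError("malformed greeting")
    for method in msg[2:]:
        if method in supported:
            return bytes([SOCKS_VERSION, method])
    return bytes([SOCKS_VERSION, NO_ACCEPTABLE])


def parse_connect(msg):
    """Return (cmd, host, port) from a request, or raise on malformed input."""
    if len(msg) < 7 or msg[0] != SOCKS_VERSION or msg[2] != 0x00:
        raise ValueError("malformed request")
    cmd, atyp = msg[1], msg[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(msg[4:8]), msg[8:]
    elif atyp == ATYP_DOMAIN:
        n = msg[4]
        host, rest = msg[5:5 + n].decode("idna"), msg[5 + n:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, msg[4:20]), msg[20:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("bad port field")
    return cmd, host, struct.unpack(">H", rest)[0]


def build_reply(rep, bound_ip="0.0.0.0", bound_port=0):
    """VER, REP, RSV, ATYP, BND.ADDR, BND.PORT: what the proxy sends back."""
    return (bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4]) + socket.inet_aton(bound_ip)
            + struct.pack(">H", bound_port))


def parse_reply(msg):
    if len(msg) < 10 or msg[0] != SOCKS_VERSION:
        raise ValueError("malformed reply")
    return msg[1]   # REP code; 0 means the proxy opened the outbound connection


def handshake(host, port, allowed=("intranet.example",)):
    """Run client and proxy in-process and return the REP code the client sees.
    The allow-list is a constructed stand-in for the proxy's access policy."""
    choice = answer_greeting(build_greeting())
    if choice[1] == NO_ACCEPTABLE:
        return NO_ACCEPTABLE
    cmd, dst_host, dst_port = parse_connect(build_connect(host, port))
    if cmd != CMD_CONNECT:
        return parse_reply(build_reply(REP_CMD_NOT_SUPPORTED))
    if dst_host not in allowed:
        return parse_reply(build_reply(REP_NOT_ALLOWED))
    return parse_reply(build_reply(REP_SUCCEEDED, "10.0.0.1", 40000))
```

Two things this makes visible: the proxy, not the client, decides whether the outbound connection happens at all (that is where an access policy lives), and a client that sends a hostname (ATYP 3) lets the proxy do the DNS lookup, which is what keeps the client's resolver from leaking the destination.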

Test a system

Information Gathering
Find the target's IP address.

Service Enumeration
Scan with nmap; the result is:
Starting Nmap 5.51 ( http://nmap.org ) at 2011-07-14 10:25 WIT
Nmap scan report for 192.168.56.101
Host is up (0.0011s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
443/tcp   open  https
3306/tcp  open  mysql
MAC Address: 08:00:27:A5:0B:F5 (Cadmus Computer Systems)
Port 80 is open, so try opening that system's web page: the main page is a Joomla template. Then scan for folder names that are probably on that system with DirBuster; I found a folder called XAMPP.
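The same nmap report is just as useful from the owner's side, where the question is "which of these open ports did we actually intend?" As an added example (not part of the original post), the script below parses nmap's normal output into host, MAC and a port list, then diffs the open ports against a baseline of sanctioned services. The report text is a constructed copy of the scan above; the baseline is an assumed value.

```python
import re

# Constructed copy of an nmap normal-output report, in the layout shown above.
SAMPLE_REPORT = """\
Starting Nmap 5.51 ( http://nmap.org ) at 2011-07-14 10:25 WIT
Nmap scan report for 192.168.56.101
Host is up (0.0011s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
80/tcp    open  http
443/tcp   open  https
3306/tcp  open  mysql
MAC Address: 08:00:27:A5:0B:F5 (Cadmus Computer Systems)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17})(?: \((.*)\))?")


def parse_nmap(text):
    """Return {"host", "mac", "vendor", "ports": [(port, proto, state, service)]}."""
    result = {"host": None, "mac": None, "vendor": None, "ports": []}
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            result["host"] = m.group(1)
        elif m := PORT_RE.match(line):
            port, proto, state, service = m.groups()
            result["ports"].append((int(port), proto, state, service))
        elif m := MAC_RE.match(line):
            result["mac"], result["vendor"] = m.group(1), m.group(2)
    return result


def unexpected_open_ports(report, baseline):
    """Open ports absent from the baseline: exposure nobody signed off on."""
    return sorted((port, service) for port, proto, state, service in report["ports"]
                  if state == "open" and (port, proto) not in baseline)


if __name__ == "__main__":
    report = parse_nmap(SAMPLE_REPORT)
    # Assumed baseline: this host is supposed to serve only HTTP and HTTPS.
    for port, service in unexpected_open_ports(report, {(80, "tcp"), (443, "tcp")}):
        print(f"{report['host']}: unexpected {service} on {port}")
```

Against the scan above that flags FTP and MySQL, which is exactly the pair an attacker would go for next; a MySQL port reachable from the network is rarely intended on a web host.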

What is .htaccess?


.htaccess
(hypertext access) is the default name of a directory-level configuration file that allows for decentralized management of web server configuration; with .htaccess we are able to override a subset of the server's global configuration. The original purpose of .htaccess was to allow per-directory access control (e.g. requiring a password to access the content), hence the name.

How to configure .htaccess?
If you want to call your .htaccess file something else, you can change the name of the file using the AccessFileName directive. For example, if you would rather call the file .config then you can put the following in your server configuration file:
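As an added example (not from the original post), here is the rename together with the two things that go with it in practice: the renamed file must be blocked from being served, because Apache's stock configuration only denies files matching `.ht*`, and per-directory overrides only take effect where `AllowOverride` permits them. The second part shows the original use of the file, password-protecting one directory. Directive syntax is Apache 2.4; the paths are assumed for the example.

```apache
# httpd.conf (server configuration): rename the per-directory file to .config
AccessFileName .config

# The renamed file must not be downloadable; the stock config only protects .ht*
<Files ".config">
    Require all denied
</Files>

# Overrides are only honoured where AllowOverride permits them (assumed path).
# AllowOverride None anywhere above this directory makes the file inert.
<Directory "/var/www/example/private">
    AllowOverride AuthConfig
</Directory>

# /var/www/example/private/.config : the per-directory file itself.
# Requires a password for everything in this directory; the user file is
# created with the htpasswd utility (assumed path).
AuthType Basic
AuthName "Private area"
AuthUserFile "/etc/apache2/htpasswd.private"
Require valid-user
```

Keep `AllowOverride` as narrow as the directory needs; a file the web server reads on every request, and that anyone who can write to the directory can edit, should not be able to change more of the server's behaviour than it has to.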

PHP Suhosin


Suhosin is an advanced protection system for PHP installations. It was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core. Suhosin comes in two independent parts, which can be used separately or in combination. The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows or format string vulnerabilities, and the second part is a powerful PHP extension that implements all the other protections.

Subnetting


Subnetting is a technique to break up a large network into smaller networks by sacrificing host-ID bits of the subnet mask to be used as new network-ID bits.
Example: the IP address 192.168.10.0 with the default subnet mask 255.255.255.0 is defined as class C, which means that without subnetting this address gives only one network, with 254 IP addresses that can be assigned (192.168.10.1 to 192.168.10.254).
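To make the "borrow host bits for the network ID" step concrete, here is an added example (mine, not from the original post) that carries the 192.168.10.0/24 case through. It builds the new mask with integer arithmetic, so the borrowed bits are visible, lists each resulting subnet with its usable host range and broadcast address, and cross-checks the result against Python's `ipaddress` module. It generalises the example above to any number of borrowed bits.

```python
import ipaddress


def subnet(network, borrow):
    """Split `network` (e.g. "192.168.10.0/24") by borrowing `borrow` host bits
    for the network ID. Returns one dict per resulting subnet."""
    net = ipaddress.ip_network(network, strict=True)
    new_prefix = net.prefixlen + borrow
    host_bits = 32 - new_prefix
    if borrow < 0 or host_bits < 2:
        raise ValueError("must leave at least 2 host bits (network + broadcast)")

    # New mask: the top `new_prefix` bits set. Borrowing 2 bits from /24 gives
    # 0xFFFFFFC0 == 255.255.255.192.
    new_mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    block = 1 << host_bits                 # addresses per subnet
    base = int(net.network_address)

    subnets = []
    for i in range(1 << borrow):           # 2**borrow subnets
        start = base + i * block
        assert (start & new_mask) == start  # each start is on a subnet boundary
        subnets.append({
            "network": str(ipaddress.ip_address(start)),
            "first_host": str(ipaddress.ip_address(start + 1)),
            "last_host": str(ipaddress.ip_address(start + block - 2)),
            "broadcast": str(ipaddress.ip_address(start + block - 1)),
            "usable": block - 2,
            "mask": str(ipaddress.ip_address(new_mask)),
        })

    # Cross-check the hand arithmetic against the standard library.
    expected = [str(s.network_address) for s in net.subnets(prefixlen_diff=borrow)]
    assert [s["network"] for s in subnets] == expected
    return subnets


if __name__ == "__main__":
    for s in subnet("192.168.10.0/24", 2):
        print(f"{s['network']}/{26}  hosts {s['first_host']}-{s['last_host']}  "
              f"broadcast {s['broadcast']}  mask {s['mask']}")
```

With `borrow=0` the function reproduces the sentence above (one network, 254 usable hosts); with `borrow=2` the /24 becomes four /26 networks of 62 hosts each, and the two addresses lost per subnet to network and broadcast are the price of the split.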

What is tor?

Tor is an application that lets you anonymise your IP address, i.e. you can visit www.google.com on 26 June 2011 and Google will not record your actual IP address but the one presented by Tor; this means that a review of the logs stored by Google will not, in theory, show a record of you visiting the site on that date.
What is Privoxy?
Privoxy is a non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk. Privoxy has a flexible configuration and can be customized to suit individual needs and tastes. It is useful for both stand-alone systems and multi-user networks.
How to use the internet anonymously with Tor on Linux BackTrack 5?
The first step is to add the repository to /etc/apt/sources.list:
deb http://deb.torproject.org/torproject.org lucid main

Blind SQL Injection


This is a hacking method that allows an unauthorized attacker to access a database server. It is facilitated by a common coding blunder: the program accepts data from a client and executes SQL queries without first validating the client’s input. The attacker is then free to extract, modify, add, or delete content from the database. In some circumstances, he may even penetrate past the database server and into the underlying operating system.
Hackers typically test for SQL injection vulnerabilities by sending the application input that would cause the server to generate an invalid SQL query. If the server then returns an error message to the client, the attacker will attempt to reverse-engineer portions of the original SQL query using information gained from these error messages. The typical administrative safeguard is simply to prohibit the display of database server error messages. Regrettably, that’s not sufficient.
I will be using this example:
http://www.site.com/news.php?id=5
When we open this, we see a page with articles, pictures, etc.
Then, when we want to test it for a blind SQL injection attack:
http://www.site.com/news.php?id=5 and 1=1
==> this is always true, so the page loads normally; that's ok.
Now the real test:
http://www.site.com/news.php?id=5 and 1=2
==> this is false, so if some text, picture or other content is missing from the returned page then the site is vulnerable to blind SQL injection.

SQL Injection



SQL injection is a hacking technique performed from the client application by modifying an existing command that the application sends to its MySQL database; it is also a technique for exploiting web applications that use a database for data storage.
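Both the blind test above and this definition come down to one coding mistake: the request parameter is pasted into the SQL text. The script below is an added example (not from the original post) serving both sections: a constructed in-memory stand-in for `news.php`'s table, the vulnerable lookup beside the fixed one, and the author's `and 1=1` / `and 1=2` comparison written as a check you can run against your own handler in a test. The table, its rows and the function names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the table behind news.php?id=..."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(5, "Fifth post"), (6, "Sixth post")])
    return conn


def news_vulnerable(conn, id_param):
    """What news.php does wrong: the raw query-string value becomes SQL text,
    so 'id=5 and 1=2' is a different query rather than a different value."""
    sql = "SELECT title FROM news WHERE id=" + id_param
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def news_safe(conn, id_param):
    """Fix: validate the type, then bind it as a parameter. The value is data
    to the database driver and can never change the shape of the query."""
    try:
        news_id = int(id_param)
    except ValueError:
        raise ValueError("id must be an integer") from None
    row = conn.execute("SELECT title FROM news WHERE id=?", (news_id,)).fetchone()
    return row[0] if row else None


def boolean_probe(fetch, conn, base):
    """The 'and 1=1' vs 'and 1=2' comparison as a regression test: True when the
    two responses differ, i.e. the parameter is reaching the SQL unfiltered."""
    try:
        true_page = fetch(conn, base + " and 1=1")
        false_page = fetch(conn, base + " and 1=2")
    except ValueError:
        return False            # input rejected outright: it never reached the SQL
    return true_page != false_page


if __name__ == "__main__":
    conn = make_db()
    for name, fetch in (("vulnerable", news_vulnerable), ("safe", news_safe)):
        print(f"{name}: injectable = {boolean_probe(fetch, conn, '5')}")
```

Note that the safe version does not try to "filter" the input; it refuses anything that is not an integer and lets the driver bind the rest. Hiding error messages, as the text above says, changes nothing here: the page content itself is the signal the blind test reads.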

What is a cookie and what is a session?

A cookie is a method of storing data on the user's computer, such as user names, passwords or other data, while a session is a method used to maintain data between pages.
For example:
We access a page on site1.com, then access site2.com. The site2.com pages will not know that we are the same person who previously accessed the site1.com page. The session's task is to know that we are the same person.
For that task, the session usually uses a cookie (so theft of the cookie is the same as theft of the session). However, the session does not have to use cookies, because cookies are sometimes blocked by the user.
In addition, cookies save data on the user's computer, while a session saves only the current session code on the user's computer and keeps the data on the server. Both a cookie value and a session value are dangerous if they are easily guessed or stolen by hackers.
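The last sentence is the one that matters for design: the cookie carries only a session identifier, so that identifier must be unguessable and unforgeable. As an added example (not from the original post), the script below contrasts a guessable identifier built from the clock and a counter with one drawn from the OS random generator, signs the cookie with an HMAC so a tampered value is rejected, and keeps the session data itself on the server side. The key and store are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side key; in a real deployment it comes from a key store.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def weak_session_id(counter, now=None):
    """The pattern that makes a session cookie guessable: clock plus counter.
    Anyone who knows roughly when you logged in can enumerate it."""
    now = int(time.time()) if now is None else now
    return f"{now}-{counter}"


def strong_session_id():
    """128 bits from the OS CSPRNG: cannot be guessed, only stolen."""
    return secrets.token_urlsafe(16)


def sign_cookie(session_id, key=SERVER_KEY):
    """Append an HMAC tag so a client cannot alter or forge the value."""
    tag = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify_cookie(cookie, key=SERVER_KEY):
    """Return the session id if the tag is genuine, else None.
    compare_digest keeps the check constant-time."""
    session_id, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return session_id if hmac.compare_digest(expected, tag) else None


# Server-side store: the browser only ever holds the identifier, never the data.
SESSIONS = {}


def login(username):
    sid = strong_session_id()
    SESSIONS[sid] = {"user": username, "created": time.time()}
    return sign_cookie(sid)


def current_user(cookie):
    sid = verify_cookie(cookie)
    return SESSIONS.get(sid, {}).get("user") if sid else None


if __name__ == "__main__":
    cookie = login("vince")
    print("valid cookie ->", current_user(cookie))
    print("tampered cookie ->", current_user(cookie[:-1] + "x"))
```

Signing does nothing against theft of the whole cookie, which is why the text equates cookie theft with session theft; that part is handled by transport (HTTPS, the Secure and HttpOnly flags) and by expiring sessions on the server, not by anything in the cookie's value.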

Pretty Good Privacy



Pretty Good Privacy (PGP)?

What is it?
It is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting and decrypting texts, e-mails, files, directories and whole disk partitions to increase the security of e-mail communications. It was created by Phil Zimmermann in 1991.
GNU makes a product that serves the same purpose as PGP; its name is GPG (GNU Privacy Guard).

Introduce Attack Vector (Test2)

In my second test I learned how to use the appropriate tools that exist on BackTrack 5 to solve the problem given to my team.
That problem was again to try to break into a site, but this time we had trouble that was very difficult for us; we could not resolve it. We tried analysing the site's script and in that script we found an encoded script, which was the problem that gave us trouble.

In order to resolve it, we can use some tools that exist on BackTrack 5, opened from the Application launcher menu.
To decode the script we need the Burp tool, which exists at menu backtrack --> Vulnerability Assessment --> Web Assessment --> Vulnerability Scanners --> burpsuite
Open it and start it, then choose the Decoder tab, paste the encoded script there, click "smart decode" and wait; then we see the real script. Among other things in the encoded script we found
<input type="hidden" name="teamstatus" value="false">

If we want to change value="false" to value="true" on that site, we need the Mantra web browser, which exists on BackTrack 5 as a portable web browser. It's located in the directory /pentest/web/mantra and its file name is firefox-portable.

Start Mantra with the command
./pentest/web/mantra/firefox-portable

In the Mantra web browser, we open Tools --> Tamper Data (choose Tamper Data) to open Tamper Data. After it has opened, we click "Start Tamper" and it will start. Then we immediately click login on that site and a message dialog opens; we click "Tamper" and a new window opens; change the value false to true in that window, and refresh the site. We will find a user name and password on that site.
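What made this work is that the site let a hidden form field decide the user's status, and anything the browser sends can be rewritten before it leaves. The fix is on the server: the status must come from the server's own record, and the posted field must be ignored. As an added example (not from the original post), here is a minimal login handler in both forms; the user table, passwords and field names are constructed for the demonstration.

```python
import hmac

# Constructed user table. Real systems store password hashes, not passwords;
# plaintext is used here only to keep the example short.
USERS = {
    "vince": {"password": "s3cret", "team_member": True},
    "guest": {"password": "guest", "team_member": False},
}


def _authenticate(form):
    """Return the user record if username/password match, else None."""
    user = USERS.get(form.get("username"))
    if not user or not hmac.compare_digest(user["password"], form.get("password", "")):
        return None
    return user


def login_trusting_form(form):
    """Before: <input type="hidden" name="teamstatus"> decides the user's status,
    so a client that edits the request to teamstatus=true is believed."""
    user = _authenticate(form)
    if user is None:
        return None
    return {"user": form["username"], "team": form.get("teamstatus") == "true"}


def login_server_decides(form):
    """After: the same field is ignored; the status is read from the server's
    record of the authenticated account, which the client cannot edit."""
    user = _authenticate(form)
    if user is None:
        return None
    return {"user": form["username"], "team": user["team_member"]}


if __name__ == "__main__":
    # The tampered request from the walkthrough above: a non-team account
    # posting teamstatus=true.
    tampered = {"username": "guest", "password": "guest", "teamstatus": "true"}
    print("trusting form  ->", login_trusting_form(tampered))
    print("server decides ->", login_server_decides(tampered))
```

The general rule the example illustrates: hidden fields, cookies and headers are all client input, and any authorisation decision built on them is the client's decision, not the server's.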

Analysis (Test1)

In my first test I learned many things.
Some of those things are:

  • Attitude and behaviour are more important than knowledge.
  • The quieter you are, the more you are able to hear.
  • Every problem must be analysed before we decide how to solve it, because with an analysis we can determine the most appropriate way to solve the problem without causing other problems.
    If we want to try to break into a site, the first thing we must do is find out how the site works by reading the scripts on it (for example the HTML, PHP or JavaScript on the site), then try every possibility that exists on the site, and do it carefully, because otherwise we will get locked out and won't be able to do anything on that site again.