Posts
Tuesday, September 20, 2011
Thursday, September 1, 2011
Beginners Guide To Hacking Wireless Networks
Beginners Guide To Hacking Wireless Networks
This Tutorial explains EVERYTHING in detail So, it is quite long. Enjoy.
1. Getting the right tools
This Tutorial is in Bt3 But Download The Latest Release Bt4.
Download Backtrack 4. It can be found here:
http://www.backtrack-linux.org/downloads/
I downloaded the Dvd iso and burned it to a Dvd. Insert your BT4 Dvd/usb drive and reboot your computer into BT4. I always load into the 3rd boot option from the boot menu. (VESA/KDE) You only have a few seconds before it auto-boots into the 1st option so be ready. The 1st option boots too slowly or not at all so always boot from the 2nd or 3rd. Experiment to see what works best for you.
2. Preparing the slave network for attack
Once in BT4, click the tiny black box in the lower left corner to load up a "Konsole" window. Now we must prep your wireless card.
Type:
airmon-ng
You will see the name of your wireless card. (mine is named "ath0") From here on out, replace "ath0" with the name of your card.
Now type:
airmon-ng stop ath0
then type:
ifconfig wifi0 down
then:
macchanger --mac 00:11:22:33:44:55 wifi0
then:
airmon-ng start wifi0
What these steps did was to spoof (fake) your mac address so that JUST IN CASE your computeris discovered by someone as you are breaking in, they will not see your REAL mac address. Moving on...
Now it's time to discover some networks to break into.
Type:
airodump-ng ath0
Now you will see a list of wireless networks start to populate. Some will have a better signal than others and it is a good idea to pick one that has a decent signal otherwise it will take forever to crack or you may not be able to crack it at all.
Once you see the network that you want to crack, do this:
hold down ctrl and type c
This will stop airodump from populating networks and will freeze the screen so that you can see the info that you need.
**Now from here on out, when I tell you to type a command, you need to replace whatever is in parenthesis with what I tell you to from your screen. For example: if i say to type:
-c (channel)
then dont actually type in
-c (channel)
Instead, replace that with whatever the channel number is...so, for example you would type:
-c 6
Can't be much clearer than that...lets continue...
Now find the network that you want to crack and MAKE SURE that it says the encryption for that network is WEP. If it says WPA or any variation of WPA then move on...you can still crack WPA with backtrack and some other tools but it is a whole other ball game and you need to master WEP first.
Once you've decided on a network, take note of its channel number and bssid. The bssid will look something like this --> 05:gk:30:fo:s9:2n
The Channel number will be under a heading that says "CH".
Now, in the same Konsole window, type:
airodump-ng -c (channel) -w (file name) --bssid (bssid) ath0
the FILE NAME can be whatever you want. This is simply the place that airodump is going to store the packets of info that you receive to later crack. You don't even put in an extension...just pick a random word that you will remember. I usually make mine "wepkey" because I can always remember it.
**Side Note: if you crack more than one network in the same session, you must have different file names for each one or it won't work. I usually just name them wepkey1, wepkey2, etc.
Once you typed in that last command, the screen of airodump will change and start to show your computer gathering packets. You will also see a heading marked "IV" with a number underneath it. This stands for "Initialization Vector" but in noob terms all this means is "packets of info that contain clues to the password." Once you gain a minimum of 5,000 of these IV's, you can try to crack the password. I've cracked some right at 5,000 and others have taken over 60,000. It just depends on how long and difficult they made the password.
Now you are thinking, "I'm screwed because my IV's are going up really slowly." Well, don't worry, now we are going to trick the router into giving us HUNDREDS of IV's per second.
3. Actually cracking the WEP password
Now leave this Konsole window up and running and open up a 2nd Konsole window. In this one type:
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 ath0
This will send some commands to the router that basically cause it to associate with your computer even though you are not officially connected with the password. If this command is successful, you should see about 4 lines of text print out with the last one saying something similar to "Association Successful :-)" If this happens, then good! You are almost there. Now type:
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 ath0
This will generate a bunch of text and then you will see a line where your computer is gathering a bunch of packets and waiting on ARP and ACK. Don't worry about what these mean...just know that these are your meal tickets. Now you just sit and wait. Once your computer finally gathers an ARP request, it will send it back to the router and begin to generate hundreds of ARP and ACK per second. Sometimes this starts to happen within seconds...sometimes you have to wait up to a few minutes. Just be patient. When it finally does happen, switch back to your first Konsole window and you should see the number underneath the IV starting to rise rapidly. This is great! It means you are almost finished! When this number reaches AT LEAST 5,000 then you can start your password crack. It will probably take more than this but I always start my password cracking at 5,000 just in case they have a really weak password.
Now you need to open up a 3rd and final Konsole window. This will be where we actually crack the password. Type:
aircrack-ng -b (bssid) (filename)-01.cap
Remember the filename you made up earlier? Mine was "wepkey". Don't put a space in between it and -01.cap here. Type it as you see it. So for me, I would type wepkey-01.cap
Once you have done this you will see aircrack fire up and begin to crack the password. typically you have to wait for more like 10,000 to 20,000 IV's before it will crack. If this is the case, aircrack will test what you've got so far and then it will say something like "not enough IV's. Retry at 10,000." DON'T DO ANYTHING! It will stay running...it is just letting you know that it is on pause until more IV's are gathered. Once you pass the 10,000 mark it will automatically fire up again and try to crack it. If this fails it will say "not enough IV's. Retry at 15,000." and so on until it finally gets it.
If you do everything correctly up to this point, before too long you will have the password! now if the password looks goofy, dont worry, it will still work. some passwords are saved in ASCII format, in which case, aircrack will show you exactly what characters they typed in for their password. Sometimes, though, the password is saved in HEX format in which case the computer will show you the HEX encryption of the password. It doesn't matter either way, because you can type in either one and it will connect you to the network.
Take note, though, that the password will always be displayed in aircrack with a colon after every 2 characters. So for instance if the password was "secret", it would be displayed as:
se:cr:et
This would obviously be the ASCII format. If it was a HEX encrypted password that was something like "0FKW9427VF" then it would still display as:
0F:KW:94:27:VF
Just omit the colons from the password, boot back into whatever operating system you use, try to connect to the network and type in the password without the colons and presto! You are in!
It may seem like a lot to deal with if you have never done it, but after a few successful attempts, you will get very quick with it. If I am near a WEP encrypted router with a good signal, I can often crack the password in just a couple of minutes.
I am not responsible for what you do with this information. Any malicious/illegal activity that you do, falls completely on you because...technically...this is just for you to test the security of your own network. :-)
I will gladly answer any legitimate questions anyone has to the best of my ability.
HOWEVER, I WILL NOT ANSWER ANYONE THAT IS TOO LAZY TO READ THE WHOLE TUT AND JUST ASKS ME SOME QUESTION THAT I CLEARLY ANSWERED. No one wants to hold your hand through this...read the tut and go experiment until you get it right.
There are rare occasions where someone will use WEP encryption with SKA as well. (Shared Key Authentication) If this is the case, additional steps are needed to associate with the router and therefore, the steps I lined out here will not work. I've only seen this once or twice, though, so you probably won't run into it. If I get motivated, I may throw up a tut on how to crack this in the future.
Hacking WEP wifi passwords
By kumalynx
..........................................................................................................................................................................................
............
Monday, August 22, 2011
NET Framework Rootkits
he whitepaper .NET Framework rootkits - backdoors inside your framework.pdf covers various ways to develop rootkits for the .NET framework, so that every EXE/DLL that runs on a modified Framework will behave differently than what it's supposed to do. Code reviews will not detect backdoors installed inside the Framework since the payload is not in the code itself, but rather it is inside the Framework implementation. Writing Framework rootkits will enable the attacker to install a reverse shell inside the framework, to steal valuable information, to fixate encryption keys, disable security checks and to perform other nasty things as described in this paper.
This paper also introduces .NET-Sploit 1.0 - a new tool for building MSIL rootkits that will enable the user to inject preloaded/custom payload to the Framework core DLL.
Download and more info
Vbootkit 2.0
Vbootkit 2.0 is now open-source
Two security researchers open-source code that can be used to take control of versions of the Microsoft Windows 7 x64 operating system. The team decided to release the code despite initial reservations over security.
Vbootkit 2.0 Attacking Windows 7 (x64) via Boot Sectors presentation
Download Vbootkit 2.0 source code
Swimming into Trojan and Rootkit GameThief.Win32.Magania Hostile Code
rojan-GameThief.Win32.Magania, according to Kaspersky naming convention, monitors the user activities trying to obtain valuable information from the affected user, especially about gaming login accounts. This long tutorial analyze this malware but is also a general document which explains how to analyze a modern nested-dolls malware.
In this paper we will analyse more deeply the structure of this malware, especially the polymorphic part that represents a typical sample of hostile code. Starting from the first load into IDA we can see that Megania's PE structure and Import Table destroyed, this is how looks from WinGraph:
Download PDF
2009 Protecting OSs from RootKits
Countering Kernel Rootkits with Lightweight Hook Protection
Kernel rootkits have posed serious security threats due to their stealthy manner. To hide their presence and activities, many rootkits hijack control flows by modifying control data or hooks in the kernel space. A critical step towards eliminating rootkits is to protect such hooks from being hijacked. However, it remains a challenge because there exist a large number of widely-scattered kernel hooks and many of them could be dynamically allocated from kernel heap and co-located together with other kernel data. In addition, there is a lack of flexible commodity hardware support, leading to the socalled protection granularity gap kernel hook protection requires byte-level granularity but commodity hardware only provides pagelevel protection.
Source: Schneier on Security
Download PDF
Kernel rootkits have posed serious security threats due to their stealthy manner. To hide their presence and activities, many rootkits hijack control flows by modifying control data or hooks in the kernel space. A critical step towards eliminating rootkits is to protect such hooks from being hijacked. However, it remains a challenge because there exist a large number of widely-scattered kernel hooks and many of them could be dynamically allocated from kernel heap and co-located together with other kernel data. In addition, there is a lack of flexible commodity hardware support, leading to the socalled protection granularity gap kernel hook protection requires byte-level granularity but commodity hardware only provides pagelevel protection.
Source: Schneier on Security
Download PDF
Stoned Bootkit
The Stoned Bootkit is a rootkit that is booted before the main operating system has, and is able to stay and hide itself in memory during execution of the guest operating system. The payload is executed beside the running operating system and comes with the bootkit. Stoned is designed to be operating system independent, it is multiplatform. It currently supports all 32-bit and 64-bit Windows systems and Linux.
It allows a very wide abstraction of the program and the running base, this means it is a new deployment platform of software. The current proof of concept payloads are a local privilege escalation and a remote surveillance tool. The platform, however is open for third-party future development.
The bootkit itself has an integrated module and plugin structure which allows extending its core features without touching the core code. New in this version is that it is totally independent from media, it can be started from hard disk (master boot record), but also CD/DVD/BD or even over the network.
Download PDF
It allows a very wide abstraction of the program and the running base, this means it is a new deployment platform of software. The current proof of concept payloads are a local privilege escalation and a remote surveillance tool. The platform, however is open for third-party future development.
The bootkit itself has an integrated module and plugin structure which allows extending its core features without touching the core code. New in this version is that it is totally independent from media, it can be started from hard disk (master boot record), but also CD/DVD/BD or even over the network.
Download PDF
Tuluka kernel inspector v1.0.394.77
Tuluka is a new powerful AntiRootkit, which has the following features:
Detects hidden processes, drivers and devices
Detects IRP hooks
Identifies the substitution of certain fields in DRIVER_OBJECT structure
Checks driver signatures
Detects and restores SSDT hooks
Detects suspicious descriptors in GDT
IDT hook detection
SYSENTER hook detection
Displays list of system threads and allows you to suspend them
IAT and Inline hook detection
and much more ...
Download: http://www.tuluka.org
More Info: http://www.rootkit.commuch more...
Detects hidden processes, drivers and devices
Detects IRP hooks
Identifies the substitution of certain fields in DRIVER_OBJECT structure
Checks driver signatures
Detects and restores SSDT hooks
Detects suspicious descriptors in GDT
IDT hook detection
SYSENTER hook detection
Displays list of system threads and allows you to suspend them
IAT and Inline hook detection
and much more ...
Download: http://www.tuluka.org
More Info: http://www.rootkit.commuch more...
Sunday, August 21, 2011
XSS Street-Fight: The Only Rule Is There Are No Rules
XSS Introduction
Attack: XSS
Attacker can send data through web applications that will execute code within the victim’s web browser
It is an interpreter attack against the web browser
Application Defects: Improper Output Handling
Application does not properly apply contextual output encoding/escaping of user supplied data
Types:
Reflected,Stored and DOM
Consequences:
Session Hijacking,Malware Installation,Fraud (CSRF)
Remediation: Contextual Output Encoding
Must escape differently depending where data is displayed on the page
− HTML,HTML Attribute,URL,JavaScript,CSS
Reference: OWASP XSS Cheatsheet
http://www.owasp.org
Download: PDF
Attack: XSS
Attacker can send data through web applications that will execute code within the victim’s web browser
It is an interpreter attack against the web browser
Application Defects: Improper Output Handling
Application does not properly apply contextual output encoding/escaping of user supplied data
Types:
Reflected,Stored and DOM
Consequences:
Session Hijacking,Malware Installation,Fraud (CSRF)
Remediation: Contextual Output Encoding
Must escape differently depending where data is displayed on the page
− HTML,HTML Attribute,URL,JavaScript,CSS
Reference: OWASP XSS Cheatsheet
http://www.owasp.org
Download: PDF
XSS Rays - Google Chrome Browser Extensions
Complete XSS reversing/scanner tool. Find how a site is filtering code, check for injections and inspect objects.
XSS is a security tool to help pen test large web sites. It's core features include a XSS scanner, XSS Reverser and object inspection. Need to know how a certain page filters output? Don't have the source? No problem. XSS Rays will blackbox reverse a XSS filter without needing the source code.
You can also extract/view and edit forms non-destructively that normally can't be edited. For example if you want to modify the value of a checkbox without changing it's type XSS Rays can link to the object and allow you to change the value without altering the original object.
Using the object inspector you can browse through the window object and edit the contents of the functions in real time allowing you to dissect a web page and understand more how it works. This also works with globally defined functions, you can see which functions the developer has decided to place within the window object.
Download: https://chrome.google.com
More info: http://www.thespanner.co.uk
XSS is a security tool to help pen test large web sites. It's core features include a XSS scanner, XSS Reverser and object inspection. Need to know how a certain page filters output? Don't have the source? No problem. XSS Rays will blackbox reverse a XSS filter without needing the source code.
You can also extract/view and edit forms non-destructively that normally can't be edited. For example if you want to modify the value of a checkbox without changing it's type XSS Rays can link to the object and allow you to change the value without altering the original object.
Using the object inspector you can browse through the window object and edit the contents of the functions in real time allowing you to dissect a web page and understand more how it works. This also works with globally defined functions, you can see which functions the developer has decided to place within the window object.
Download: https://chrome.google.com
More info: http://www.thespanner.co.uk
DOMXSS Scanner
What is DOMXSS Scanner?
DOMXSS Scanner is an online tool that helps you find potential DOM based XSS security vulnerabilities. Enter a URL to scan the document and the included scripts for DOMXSS sources and sinks in the source code of Web pages and JavaScript files. More about DOMXSS Scanner.
What is DOM Based XSS?
DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
http://www.domxssscanner.com
DOMXSS Scanner is an online tool that helps you find potential DOM based XSS security vulnerabilities. Enter a URL to scan the document and the included scripts for DOMXSS sources and sinks in the source code of Web pages and JavaScript files. More about DOMXSS Scanner.
What is DOM Based XSS?
DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
http://www.domxssscanner.com
OWASP AntiSamy v.1.4.4 Released
The OWASP AntiSamy project is an API for safely allowing users to supply their own HTML and CSS without exposure to XSS vulnerabilities.
The biggest move of this release is to officially change the default parser/serializer from the DOM engine to the SAX engine. We’ve had two engines for the past few versions, but maintaining two engines concurrently is kinda crazy. The SAX version is twice as fast and much better on memory. Even though all of our test cases pass for both engines, I still anticipate some growing pains in the SAX version, which is why I think most critical applications should stick to 1.4.3 for now.
Changelist:
-fixed error message not sanitizing CDATA payloads when encountered (should only concern you if you use error messages + exactly version 1.4.3)
-tags that are allowed to be empty are no longer hardcoded and can be set in the policy file (), with a safe default list if none are provided
-continued to try to make SAX and DOM version semantically if not literally identical output
-added test cases to regression
-fixed Julian Cohen’s privately reported stack exhaustion bug by applying a tree depth check (the max depth of a DOM tree is now 250)
-no longer Java 1.4 compatible
Download: http://code.google.com
The biggest move of this release is to officially change the default parser/serializer from the DOM engine to the SAX engine. We’ve had two engines for the past few versions, but maintaining two engines concurrently is kinda crazy. The SAX version is twice as fast and much better on memory. Even though all of our test cases pass for both engines, I still anticipate some growing pains in the SAX version, which is why I think most critical applications should stick to 1.4.3 for now.
Changelist:
-fixed error message not sanitizing CDATA payloads when encountered (should only concern you if you use error messages + exactly version 1.4.3)
-tags that are allowed to be empty are no longer hardcoded and can be set in the policy file (
-continued to try to make SAX and DOM version semantically if not literally identical output
-added test cases to regression
-fixed Julian Cohen’s privately reported stack exhaustion bug by applying a tree depth check (the max depth of a DOM tree is now 250)
-no longer Java 1.4 compatible
Download: http://code.google.com
Web application vulnerabilities in context of browser extensions
2: Opera
Intro
Lets continue to research possible security problems in case of using popular web technologies in browser extensions. Opera is one of the most powerful web browsers today.It has fast rendering and JavaScript engines and a lot of other useful features. For a long time Opera was all-in-one thing in opposition to Mozilla Firefox with its addons. But now when one more strong player called Google Chrome comes into the game in browser's market, Opera decided to support extensions too (yes-yes, I remember about Opera widgets).
Download: PDF
Intro
Lets continue to research possible security problems in case of using popular web technologies in browser extensions. Opera is one of the most powerful web browsers today.It has fast rendering and JavaScript engines and a lot of other useful features. For a long time Opera was all-in-one thing in opposition to Mozilla Firefox with its addons. But now when one more strong player called Google Chrome comes into the game in browser's market, Opera decided to support extensions too (yes-yes, I remember about Opera widgets).
Download: PDF
AntiXSS v.4.0 Released
Microsoft Anti-Cross Site Scripting Library V4.0
The Microsoft Anti-Cross Site Scripting Library V4.0 (AntiXSS V4.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique -- sometimes referred to as the principle of inclusions -- to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. New features in this version of the Microsoft Anti-Cross Site Scripting Library include:- A customizable safe list for HTML and XML encoding- Performance improvements- Support for Medium Trust ASP.NET applications- HTML Named Entity Support- Invalid Unicode detection- Improved Surrogate Character Support for HTML and XML encoding- LDAP Encoding Improvements- application/x-www-form-urlencoded encoding support
Download: http://www.microsoft.com
The Microsoft Anti-Cross Site Scripting Library V4.0 (AntiXSS V4.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique -- sometimes referred to as the principle of inclusions -- to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. New features in this version of the Microsoft Anti-Cross Site Scripting Library include:- A customizable safe list for HTML and XML encoding- Performance improvements- Support for Medium Trust ASP.NET applications- HTML Named Entity Support- Invalid Unicode detection- Improved Surrogate Character Support for HTML and XML encoding- LDAP Encoding Improvements- application/x-www-form-urlencoded encoding support
Download: http://www.microsoft.com
DOMinator - The DOM XSS Analyzer Tool
What is DOMinator?
DOMinator is a Firefox based software for analysis and identification of DOM Based Cross Site Scripting issues (DOMXss)It is the first runtime tool which can help security testers to identify DOMXss.
How it works?
It uses dynamic runtime tainting model on strings and can trace back taint propagation operations in order to understand if a DOMXss vulnerability is actually exploitable.You can have an introduction about the implementation flow and some interface description here
What are the possibilities?
In the topics of DOMXss possibilities are quite infinite.At the moment DOMinator can help in identifying reflected DOM Based Xss, but there is potential to extend it to stored DOMXss analysis.
Download: http://code.google.com
DOMinator is a Firefox based software for analysis and identification of DOM Based Cross Site Scripting issues (DOMXss)It is the first runtime tool which can help security testers to identify DOMXss.
How it works?
It uses dynamic runtime tainting model on strings and can trace back taint propagation operations in order to understand if a DOMXss vulnerability is actually exploitable.You can have an introduction about the implementation flow and some interface description here
What are the possibilities?
In the topics of DOMXss possibilities are quite infinite.At the moment DOMinator can help in identifying reflected DOM Based Xss, but there is potential to extend it to stored DOMXss analysis.
Download: http://code.google.com
Socially-Engineered XSS Attacks
When the IE team talks about Cross-Site-Scripting (XSS) attacks, we’ve usually grouped them into three categories
Type 0: DOM-based XSS
Type 1: “Reflected” XSS
Type 2: Persistent/Stored XSS
DOM-APIs like toStaticHTML enable pages to protect themselves against Type 0 attacks. The Internet Explorer XSS Filter can block Type 1 attacks by detecting reflected script and neutering it. Servers can protect themselves against Type 2 attacks using the Anti-XSS library to sanitize stored data.
It turns out, however, that there’s a fourth type of XSS attack: Socially-engineered XSS. In a socially-engineered XSS attack, the user is tricked into running an attacker’s JavaScript code in the context of the victim site. Even if a site follows best-practices to block XSS Types 0, 1 and 2, they may still be vulnerable to Socially Engineered XSS attacks.
Such attacks work in the same way as most socially-engineered attacks, by attacking the weakest link in browser security—the user’s trust. The attacks request that the user perform a series of operations (often using keyboard key combinations) that result in a JavaScript URL being entered in the address bar and invoked. JavaScript URIs entered in this way execute in the context of the currently loaded page. Users are tricked into following these instructions with the promise of some reward (e.g. free “points” for games, “secret” information about other users, etc).
More: http://blogs.msdn.com
Type 0: DOM-based XSS
Type 1: “Reflected” XSS
Type 2: Persistent/Stored XSS
DOM-APIs like toStaticHTML enable pages to protect themselves against Type 0 attacks. The Internet Explorer XSS Filter can block Type 1 attacks by detecting reflected script and neutering it. Servers can protect themselves against Type 2 attacks using the Anti-XSS library to sanitize stored data.
It turns out, however, that there’s a fourth type of XSS attack: Socially-engineered XSS. In a socially-engineered XSS attack, the user is tricked into running an attacker’s JavaScript code in the context of the victim site. Even if a site follows best-practices to block XSS Types 0, 1 and 2, they may still be vulnerable to Socially Engineered XSS attacks.
Such attacks work in the same way as most socially-engineered attacks, by attacking the weakest link in browser security—the user’s trust. The attacks request that the user perform a series of operations (often using keyboard key combinations) that result in a JavaScript URL being entered in the address bar and invoked. JavaScript URIs entered in this way execute in the context of the currently loaded page. Users are tricked into following these instructions with the promise of some reward (e.g. free “points” for games, “secret” information about other users, etc).
More: http://blogs.msdn.com
Cookiejacking Attack Technique
Cookiejacking is a UI redressing attack that allows an attacker to hijack his victim's cookies without any XSS.
Clickjacking attacks have been widely adopted by attackers worldwide on popular websites (eg Facebook) in order to perform some drive to download attacks,click forging, message sending and so on.
In previous works on the same matter, new approaches on UI redressing attacks emerged, showing the possibility to steal victims webpage contents. In this presentation I will demonstrate a new kind of attack that can be used to exploit a 0-day vulnerability affecting all Internet Explorer versions over every Windows OS installation. The attack leverages on a UI redressing approach and allows an attacker to steal session cookies of from whatever site a victim is visiting. This new approach really moves UI redressing attacks a step further.
More info and demo: https://sites.google.com/site/tentacoloviola/cookiejacking
Clickjacking attacks have been widely adopted by attackers worldwide on popular websites (eg Facebook) in order to perform some drive to download attacks,click forging, message sending and so on.
In previous works on the same matter, new approaches on UI redressing attacks emerged, showing the possibility to steal victims webpage contents. In this presentation I will demonstrate a new kind of attack that can be used to exploit a 0-day vulnerability affecting all Internet Explorer versions over every Windows OS installation. The attack leverages on a UI redressing approach and allows an attacker to steal session cookies of from whatever site a victim is visiting. This new approach really moves UI redressing attacks a step further.
More info and demo: https://sites.google.com/site/tentacoloviola/cookiejacking
Friday, August 19, 2011
XSSF - Cross-Site Scripting Framework v.2.0 Released
The Cross-Site Scripting Framework (XSSF) is a security tool designed to turn the XSS vulnerability exploitation task into a much easier work. The XSSF project aims to demonstrate the real dangers of XSS vulnerabilities, vulgarizing their exploitation. This project is created solely for education, penetration testing and lawful research purposes.
XSSF allows creating a communication channel with the targeted browser (from a XSS vulnerability) in order to perform further attacks. Users are free to select existing modules (a module = an attack) in order to target specific browsers.
XSSF provides a powerfull documented API, which facilitates development of modules and attacks. In addition, its integration into the Metasploit Framework allows users to launch MSF browser based exploit easilly from an XSS vulnerability.
Download: https://code.google.com
Video demo: http://www.youtube.com
XSSF allows creating a communication channel with the targeted browser (from a XSS vulnerability) in order to perform further attacks. Users are free to select existing modules (a module = an attack) in order to target specific browsers.
XSSF provides a powerfull documented API, which facilitates development of modules and attacks. In addition, its integration into the Metasploit Framework allows users to launch MSF browser based exploit easilly from an XSS vulnerability.
Download: https://code.google.com
Video demo: http://www.youtube.com
OWASP Zed Attack Proxy v.1.3.1 Released
The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.
Download: https://www.owasp.org
Changelog: https://code.google.com
Download: https://www.owasp.org
Changelog: https://code.google.com
Harvesting Cross Site Scripting (XSS) Victims - Clicks, Keystrokes and Cookies
A couple of years ago I was inspired by @fmavituna's work on XSS Shell and decided to write a new extended version (XSS-Shell-NG) using a PHP and a MySQL backend rather than the ASP/Access combination of the original. I never released the tool publicly, as my main aim of making XSS Shell easier to use was never really accomplished; it still required a significant amount of set up to get it working. However, one thing that both tools did well once working was to demonstrate the real business impact of cross-site scripting.
To demonstrate the real business impact of cross site scripting I have developed a completely new tool from the ground up - XSS-Harvest. It is multi-threaded pre-forking web server written in Perl, and requires no dependencies other than a couple of common Perl modules; you do not need a web server or database to use this tool. Before going into the detail, I'll list the high level functionality below:
See: http://www.0x90.co.uk
Download XSS-Harvest : https://docs.google.com
To demonstrate the real business impact of cross site scripting I have developed a completely new tool from the ground up - XSS-Harvest. It is multi-threaded pre-forking web server written in Perl, and requires no dependencies other than a couple of common Perl modules; you do not need a web server or database to use this tool. Before going into the detail, I'll list the high level functionality below:
See: http://www.0x90.co.uk
Download XSS-Harvest : https://docs.google.com
5 Things Every Beginner Hacker Should Know
5 Most Common Mistakes Done by Beginners in the field of Hacking
This post is for everyone out there who actually want to become a true hacker:-
1) Never trust sites that ask you for money in return of Hacking Softwares or who claim to Hack Email Id’s in return of money. All such things are Scam . Nothing Works.
2) There is NO DIRECT SOFTWARE to Hack Facebook , Google , Yahoo or any other big website. All the softwares that claim to do so are scam. They are just meant to take your money and in worse cases, those softwares have trojans or keyloggers in them. As a result your account gets hacked trying to hack others.
2) There is NO DIRECT SOFTWARE to Hack Facebook , Google , Yahoo or any other big website. All the softwares that claim to do so are scam. They are just meant to take your money and in worse cases, those softwares have trojans or keyloggers in them. As a result your account gets hacked trying to hack others.
3) NEVER EVER use the keyloggers or trojans you find as freeware on internet. Hackers are not fools. They compile keyloggers and trojans almost with any such software and when you install them , you are already hacked before even trying to hack others.
4) You are never going to be a good hacker without the knowledge of programming and scripting languages. When you are going to use only ready made softwares and would depend on them for hacking anything then your functionality would be limited upto the functionality of the software. When you are not going to use your brain , just doing the copy paste thing, then how can you even think of being a good hacker.
5) If you are a good Hacker, you already become a good programmer , a good script writer , a good web developer and an excellent security expert. Well any good Hacker will/should have good knowledge of various aspects and programming languages. to do XSS (Cross Site Scripting ) , PHP INJECTION , SQL INJECTION , PHISHING, FOOTPRINTING etc… you will have to be good at programing and scripting. And when you know the Various loop holes , vulnerabilities and security tips, you already become a Computer Security Expert.
So Never Ever Under estimate the term Hacker. A Hacker Is Not a person who just hacks email id’s or servers but a True Hacker is a Computer Genius who the knowledge of computers more than anyone.
Next time think before asking the question – “How much Will I get in this field?” because, if you have so many skills , you really don’t have to run after money. Success comes and money follows itself.
Website Hacking
I have found good tutorial on http://www.criticalsecurity.net/index.php/topic/14035-how-to-hack-a-website/
Subscribe to:
Posts (Atom)