Category Archives: security

Sweet DEFCON19 stuff and pwnage.

Posted on by
Reply

Got some cool shit at DEFCON, here are some pics of the stuff i got. Here is the DEFCON19 cd iso, and here is your mom ๐Ÿ˜›

While at DEFCON we ran a little hack contest, back at the riv amongst our selves “me, ngharo, black rat, and alex”, to see who could bypass the hotels internet billing system ๐Ÿ™‚ I would like to say that i came out on top as leet hacker supreme by getting online first. Yeah im the best hacker ever ๐Ÿ˜› dont freak out, we are good people and didn’t actually use the hotels internet in this manner, i personally opted for a slightly more secure method and tethered my phone. ok thats it peace.

June 2011 meeting recap

Posted on by
Reply

I know this post is a little late but we have been busy with other stuff, and my mom always said better late then never. Valdimir started us off with a fun demo of his magnetic card reader “vid below”, which could also write to a card but he didnt have the right software, he said he will be getting the right stuff soon. Then he came out with the big guns, a 3G/cell phone jammer!! This thing was all kinds of fun, and i uploaded a little vid of one of the demos we did with it “bellow”. The awesomeness didn’t end there, dw5304 gave us a nice demo of ZFS and showed off some of its more robust features. One of my personal favorite features was being able to pipe snap shots to anything!! Congrats to Darkwind for beeing last meetings winner of free junk from dc414!! Here are some pics taken at dc414.

Darkwind and his winnings!

Vlad reading cards:

Vlad be jammin:

Cisco Small Business RV042 XSS

Posted on by
3

The RV042 is a Dual WAN, 4 port switch, VPN Router. Work just got it in to do a little load balancing and for fail over protection. One of my favorite things to do with new toys like this guy is give them a nice once over. Which of course is how i found a XSS in the login logging functions of this device. I was originally looking for weaknesses in the login scheme and notice that my attempts are being logged, notably the user name i was trying to login as was being logged, along with a brief description of the failure. I then put non-standard characters in there which broke the UI, after some more playing around i found i was able to get html to render, from there i just started messing with XSS payloads till i found one that worked.

Here is my working XSS at the login screen:
The string i used is < iframe src="https://new.dc414.org" >
For password i just put in some junk

Here is what it looks like after i submit:

Here is the XSS in action ๐Ÿ™‚

K thats it, enjoy, peace.

May 2011 meeting

Posted on by
Reply

Another awesome meeting with dc414 this month. dw5304 pwned us all with his GPS jammer, and a ardunio RFID reader. The laser mic from last months meeting was busted out for a while and ngharo brought his oscilloscope which we used to mess with the RFID reader. Vladimir had some killer lasers, one of which we used to light a cig ๐Ÿ˜€ Check out the vids below to see some of the fun ๐Ÿ™‚

The laser lighter – https://www.youtube.com/watch?v=FRFPO2X-Mao

Ardunio RFID reader demo – https://www.youtube.com/watch?v=PfCxP5Huoxw

oscilloscope + RFID play time – https://www.youtube.com/watch?v=4c5NK9idhtA

Fun with CVE-2011-0997

Posted on by
9

Saw a killer dhcp client bug come across the wire the other day and thought it would be fun to play around with. Heres some info on it:
dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message.
source: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0997

This is super easy to exploit, all you need to do is set up a DHCP server and edit the clients hostname to include our payload! Once you get dhcp up and running edit your /etc/dchp3/dhcpd.conf and locate the line that loks something like this:
subnet 10.10.5.0 netmask 255.255.255.0 {
Then right under it add something like this:
option host-name "test;nc -l -p 1337 -e /bin/bash";
Now using the above payload when someone requests an IP from you and its accepted a shell will open on port 1337 on their machine ๐Ÿ˜€

What happens is the victims computer gets the hostname value from DHCP, then just runs it against the shell. Now because we added a shell metacharacter “;” we are telling the shell that it has multipliable commands to execute which in the above case its the commands to change the hostname to test and “nc -l -p 1337 -e /bin/bash”. Fun right? Ok thats it, peace.

Warning ! Your account a Aol was limited

Posted on by
2

but… I don’t even have a Aol account, however thats of no concern to the fools that sent me this nice little phishing email:

Delivered-To: XXX@gmail.com
Received: by 10.42.218.8 with SMTP id ho8cs188088icb;
Sat, 2 Apr 2011 20:49:38 -0700 (PDT)
Received: by 10.43.56.140 with SMTP id wc12mr7828120icb.237.1301802578076;
Sat, 02 Apr 2011 20:49:38 -0700 (PDT)
Return-Path:
Received: from cl-t009-331cl.privatedns.com (cp1.likuid.com [64.15.156.140])
by mx.google.com with ESMTPS id xe4si10607558icb.57.2011.04.02.20.49.37
(version=TLSv1/SSLv3 cipher=OTHER);
Sat, 02 Apr 2011 20:49:38 -0700 (PDT)
Received-SPF: neutral (google.com: 64.15.156.140 is neither permitted nor denied by best guess record for domain of nobody@cl-t009-331cl.privatedns.com) client-ip=64.15.156.140;
Authentication-Results: mx.google.com; spf=neutral (google.com: 64.15.156.140 is neither permitted nor denied by best guess record for domain of nobody@cl-t009-331cl.privatedns.com) smtp.mail=nobody@cl-t009-331cl.privatedns.com
Received: from nobody by cl-t009-331cl.privatedns.com with local (Exim 4.69)
(envelope-from )
id 1Q6EJl-0006w2-N4
for XXX@gmail.com; Sat, 02 Apr 2011 23:49:37 -0400
To: XXX@gmail.com
Subject: Warning ! Your account a Aol was limited
X-PHP-Script: compagnelic.com/Skpy2.php for 81.192.139.76
From: Service Aol
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: 8bit
Message-Id:
Date: Sat, 02 Apr 2011 23:49:37 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - cl-t009-331cl.privatedns.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [99 99] / [47 12]
X-AntiAbuse: Sender Address Domain - cl-t009-331cl.privatedns.com



AOL April 2011


Dear AOL Customer,

As part of our security measures,We regularly check the work of the AOL screen. We demand information to you for the following reason :

Our system detected unusual charges to a credit card linked to your AOL account.

This is the final reminder to log in to AOL as soon as possible. Once you are connected. AOL will provide you with steps to restore access to your account .

Secure Server


Click here to confirm

Once connected, follow the steps to activate your account. Thank you for your understanding as we work to ensure account security .
We appreciate your attention to this
question. Please understand that this is a security measure aimed at protecting you and your account. We apologize for any inconvenience ..

Thank you for using AOL!

This notification was sent to you by AOL. To change your notification preferences, log into your AOL account, click the Profile sub-tab, then click the Notifications link under Account Information. Changes take up to 10 days to be reflected in our mailings. AOL will not sell or rent your personally identifiable information to tiers.Pour more information about the security of your information, read our privacy policy at https://www.aol.com/privacy .

Copyright ยฉ 2011 AOL Inc. All rights reserved. Designated trademarks and brands are the property of their respective owners. AOL is located at 2211 First St. N., San Jose, CA 95131.


Well since I dont have a Aol account the first thing I did was take a close look at the headers where I found this little bit of info:

X-PHP-Script: compagnelic.com/Skpy2.php for 81.192.139.76

So I stopped by compagnelic.com/Skpy2.php which happen to be a php script for mass emails from some MยฃNaBiLo$ss guy. I also followed the link given in the email which takes me to some fake Aol connection page that forwards to a phishing site geared to get all your personal information! The form submits to a “HiTman.php” that when I tried to visit, it just sent me along to aol.com. All in all not a very good attempt “less spelling and loading errors would help”, I have seen better but thanx for the lulz and the online anonymous email app ๐Ÿ˜€

Aprils meeting run down.

Posted on by
Reply

Last nights meeting was not a let down, dw5403 and Matt wowed us with killer demonstrations of a laser mic setup “pics below” and Van eck phreaking!! (Video). dw also brought his DIY 3 port powerless hub and gave us a little demo of ssl strip. Matt busted out all massive lock collection and we all got to play around a little bit. We also saw the release of ODiG! Bellow is a pic of this months winner of junk from dc414 “dstarar”. (more pics HERE, i took more but they got all fucked up some how)

Hacking with ODiG

Posted on by
2

Some of you maybe have seen this before, I had this post/tool on one of my old sites a long time ago. I am going to show you how to do a zone transfer using my online tool ODiG. Ok so its not really hacking but it can help you get a foot in the door. Wikipedia says a zone transfer also sometimes known by its (most common) opcode mnemonic AXFR, is a type of DNS transaction. It is one of the many mechanisms available for administrators to employ for replicating the databases containing the DNS data across a set of DNS servers. Zone transfer comes in two flavors, full (opcode AXFR) and incremental (IXFR). Nearly universal at one time, it is now becoming less popular in favor of the use of other database replication mechanisms that modern DNS server packages provide.

Ok so what all that means is a DNS zone transfer will give us all the subdomains a DNS has on record for a given domain. Like if we did a zone transfer on a DNS server that servces google we would get mail.google.com, code.google.com, images.google.com and so on. In other words giving you more access points into the network, now instead of just the www.target.com and what ever links you can find on the site you can attack anything they may have that goes out to the net. You might get lucky and find some test servers and who knows what else.

For testing I will be using morainepark.edu a local tech college. Now goto ODiG and use morainepark.edu as the target and in the query drop down select NS (nameserver), leave the rest as is, enter in the captcha and hit submit. Now we are looking for what ever DNS server holds records for the domain morainepark.edu so we will be looking in the โ€œ;; AUTHORITY SECTION:โ€ and we see โ€œmorainepark.edu. 9863 IN NS dns.uw-mad.wiscnet.netโ€ Here we see that dns.uw-mad.wiscnet.net is the DNS server that holds the records we want so now again go back to ODiG. Again put morainepark.edu as the target only this time put dns.uw-mad.wiscnet.net in the DNS server field and change the Query drop down box to AXFR (zone fransfer) enter in the captcha hit submit and you will be given all the records that DNS server holds for the morainepark.edu domain, now you can really get some scanning done!!

If you did the same thing to wisconsin.edu you would get a transfer failed message which will be the case with any secure DNS host. Now for the sake of security I wold hope ppl are pen-testing things before they expose them to the net, but more often then not they dont and that can get really messy! Securing BIND against this kind of information leak just edit /etc/bind.conf and add this line:
allow-transfer{192.168.1.4; 172.16.1.5; };

Where 192.168.1.4 and 172.16.1.5 are the only address you will allow transfers to and from. To secure other DNS server software look here: HERE

PHP Shadow released!

Posted on by
Reply

PHP Shadow obsfiacates a php script for you making it harder to detect on a system. One possible use would be to hide a php shell from IDS/IPS and other systems as well. So how does it work? Well you start with some php code like so:


function go()
{
$txt="hello world";
echo $txt;
}
go();

Then you submit it to PHP Shadow and you should get this back:

< ? eval(str_rot13(base64_decode('c2hhcGd2YmEgazM0cTFzOTFzbzJyNTE0bzg1NzZzbm8xbjc1bjg5bjZvKCl7JGtwNzgyNHMzcTRxNXM3bzJzMjJxMDM0NzU4cDFyOTQ1ND0idXJ5eWIgamJleXEiO3JwdWIgJGtwNzgyNHMzcTRxNXM3bzJzMjJxMDM0NzU4cDFyOTQ1NDt9azM0cTFzOTFzbzJyNTE0bzg1NzZzbm8xbjc1bjg5bjZvKCk7IHJwdWIgIjxwcmFncmU+PG92dD5HdXZmIGZwZXZjZyBqbmYgcmFwYnFycSBvbCA8biB1ZXJzPVwidWdnY2Y6Ly9xcDQxNC5iZXRcIj5xcDQxNDwvbj5mIENVQyBGdW5xYmo8L292dD48L3ByYWdyZT4iOw=='))); ? >

Now paste that code into a blank php file and it will run as normal. So we can see that PHP Shadow base64 encodes and rot13s your code and adds another layer of protection that cant be seen until you decode it. So here is what our code looks like after we rot13 and base64 decode it:


function x34d1f91fb2e514b8576fab1a75a89a6b(){$xc7824f3d4d5f7b2f22d034758c1e9454="hello world";echo $xc7824f3d4d5f7b2f22d034758c1e9454;}x34d1f91fb2e514b8576fab1a75a89a6b(); echo "< center >< big >This script was encoded by < a href=\"https://new.dc414.org\" >dc414< /a >s PHP Shadow< /big >< /center >";

We see that all vars and functions are MD5 hashed to make it harder to follow and see whats going on. The code in italics is added by PHP Shadow to help spread the word ๐Ÿ™‚ Thats all i got, enjoy.