The World of Ambient, The World of Mine

Privilege Escalation

pornsookk — Tue, 22 Nov 2011 06:22:52 +0000

robertray and schuydorsey introduced these articles in elearnsecurity, and I think those are very interesting.

Basic Linux Privilege Escalation
A quick guide to Linux privilege escalation
Windows Privilege Escalation Part 1

Finally, Shell is only the beginning.

Word Lists

pornsookk — Thu, 17 Nov 2011 15:57:51 +0000

Password cracking is safer than password guessing. However, we need a good dictionary ,too. Below, there is a great collection of word lists from cyberwarzone.

Enjoy!

Brute force MS Remote Terminal Service

pornsookk — Wed, 07 Sep 2011 10:35:33 +0000

When we see TCP/3389, normally, it is Microsoft Remote Terminal Service. If it is not, make sure you are not lured to HoneyPot. OK, let’s make it more certain!

D:\>nmap -n -PN -sS -sV 192.168.58.140 -p 3389 Interesting ports on 192.168.58.140: PORT STATE SERVICE VERSION 3389/tcp open ms-term-serv? MAC Address: 00:0C:29:61:DD:93 (VMware)

So what!

Basically, vulnerability assessment might evaluate it as a low, or sometimes, medium risk. However, you should bare in mind that the server you turned this service on could be compromised by brute force attack.

Lockout mechanism could help, but local Administrator is not normally kept locked after many failed logon attempts. Thus, we have got the way to get an unauthorised access to the server with
remote desktop service.

How to

1. You need to have rdesktop and its patch. After trying, I think that rdesktop-1.4.1.tar.gz and rdp-brute-force-r422.diff were my answers because there was no patch for newer version and some of which were not stable.

2. Unpack rdesktop(don’t install at this time) and move its patch into the same directory. Then run this command to update rdesktop.
patch -p1 -i rdp-brute-force-r422.diff
3. Install rdesktop.
./configure make make install
4. It is about time!
./rdesktop -u Administrator -p dict.txt 192.168.58.140

The successful rate depends on the strength of your password list file. I recommend you to read a brief and practical shot for John the ripper from carnal0wnage.

Security Testing Methodology

pornsookk — Sat, 20 Aug 2011 18:24:29 +0000

Today, we have 4 well-known methodologies.
1. OSSTMM – Open Source Security Testing Methodology; currently it is version 3.
2. ISSAF – Information Systems Security Assessment Framework; for penetration testing framework, it is interesting methodology. Visit here.
3. OWASP – Open Web Application Security Project; It is for web application security assessment. The projects focus on top 10 webapp vulnerabilities.
4. WASC-TC – Web Application Security Consortium Threat Classification; another methodology for web application security assessment. Now it is version 2.

Choose your suitable weapons!!

pcaprub problem on backtrack 5

pornsookk — Tue, 26 Jul 2011 08:49:26 +0000

When I use auxiliary/scanner/ip/ipidseq module on BT5, I got the problem of pcaprub. It said “The Pcaprub Module is not available: no such file to load — pcaprub”. pcaprub is the libpcap-like library implemented with ruby. If we specify where it is, it could work all right.

1. Compile pcaprub. Notice that pcaprub.so is the output.
ruby extconf.rb make make install

2. Browse to /opt/framework3/msf3/external/pcaprub.
pcaprub.so is located here as well. This path will be added to RUBYLIB for msf later.

3. We need to edit /opt/framework3/scripts/setenv.sh by inserting our pcaprub.so’s path into RUBYLIB variable.

4. Concat our target path.

5. Verify our modification.

6. Well, I tested with metasploit v4, it’s a well-known title, isn’t it?

7. Let’s play our module, auxiliary/scanner/ip/ipidseq. It should work well.

Thank you for thed0ct0r from backtrack-linux.org forum

System Hardening

pornsookk — Tue, 19 Jul 2011 04:40:52 +0000

As Counter Hack Reloaded by Ed Skoudis and Tom Liston says: “System hardening is a difficult task, and if anyone tell you differently, they’re trying to sell something”.

I could not agree with them more that system hardening is tough, time consuming and quite difficult. Sometimes you made it too loose, but some other time it was too tight. We need the security baseline to be referred to. Those links below are good enough resource. You need to strike a balance between what you need and how security should be.

CIS Security Configuration Benchmarks
Security Configuration Guides

Stay safe!!

CSRF Redirector

pornsookk — Fri, 08 Jul 2011 10:40:53 +0000

Yes, this is Cross-Site Request Forgery Redirector. If you are a fan of PHP, I am quite certain that you have heard of Chris Shiflett. He presented a CSRF Redirector. The idea is to re-route the GET request from one place to the POST request of another place which is the target site. As Chris has turned off this service, I think I had to rebuild it myself,for educational purpose, I insisted.

To recap, Alice had logged in to http://example.com, she had an active session. Eve sent a short but malicious link to Alice. That link rendered a HTML page containing a wicked iframe:
iframe src="http://[target_site]/csrf_redirect.php?csrf=http://example.com/buy_process.php?pid=7|product=iPad2|price=899" style="display:none"

The purpose of the malicious short link was to make a purchase silently. You can read more details about CSRF by Chris Shiflett from CSRF attack.

I could not show the sourcecode here because wordpress trimmed all of my html tags, but you could get it from:

Download PHP-CSRF Redirector

I hope this might help you realise how dangerous CSRF is. Enjoy!!

Denial of Service Attacks

pornsookk — Thu, 07 Jul 2011 15:53:50 +0000

A wicked attack which is difficult to protect and really hard to find the attack is DOS. We read it as (Dee-O-S). There are tons of things to
be told. If I have some free time, I will be back.

Reference:

1. Unix TCP/IP Stack Tuning
2. Hardening TCP/IP Stack
3. List of DOS tools
4. Smurf Amplifier
5. Smurf Hunting

WebSphere Hardening

pornsookk — Mon, 13 Jun 2011 07:50:22 +0000

Good tutorials by IBM developerWorks
Part 1: Overview and approach to security hardening
Part 2: Advanced security considerations

Site Advisor

pornsookk — Tue, 31 May 2011 02:42:13 +0000

For any suspicious URL, we can verify whether it is safe and secure with some help from these services.

If you got a shortlink, I suggest you should take a look at
LongURL in order to expand any short link

After you feel like the link you are going to visit is not certainly secure, try consulting
1. Trend Micro Site Safety Center
2. McAfee SiteAdvisor

Stay safe!!