Thursday, October 20, 2011

Clean r57 PHP Shell

The r57 shell (and others) at has a backdoor.

Clean copy can be found here:


See original source for base 64 encoded variables, containing javascript back doors. These have been cleaned up in the pastebin above..

Computer Biology

Saturday, September 17, 2011

Tor Proxy and Proxychains = Anonymous Internet Operations

The Tor network is an onion routing project that allows users to send traffic through the network, thus making your Internet traffic appear to come from the Tor exit node, not your real IP.

This article will show you how to use torproxy to tunnel to a Tor exit node, bypassing the rest of the s-l-o-w Tor network, and then use proxychains so that your applications can use this tunnel, and your public IP will appear to be that of the Tor exit node. 

First we need to get the required applications installed.


I will be using Ubuntu 11.04. You will also need to install:
tortunnel (contains torproxy, requires boost libraries)
Boost C++ Libraries

From terminal:
sudo apt-get install proxychains privoxy libboost-all-dev

See notes below if you cant get Boost libraries installed.

Next, download and save tortunnel:
Back to terminal, then extract and install...

tar -xf tortunnel-0.2.tar.gz
 cd tortunnel-0.2

./configure; make;

Watch the install screen and make sure it all goes well. To confirm torproxy is working type: 


You should get a response:

Usage: ./torproxy <ExitNodeIP>


Now that everything is installed, we need to configure privoxy and proxychains so that they work with torproxy.

Configure proxychains.

sudo gedit /etc/proxychains.conf 

Comment out the last line with a # and add the line below:

# defaults set to "tor"
#socks4 9050
socks5 5060

Configure privoxy

sudo gedit /etc/privoxy/config

Find the line that says "forward-socks5" and change it to look like this (including the period):

#      To chain Privoxy and Tor, both running on the same system,
#      you would use something like:
        forward-socks5   /      .

Configure torproxy

To connect to an exit node we first need to find exit node IP.
From the tortunnel website they provide a directory of Tor routers. Look in the directory for a router that has the properties:  "Fast" "Exit" and "Valid"

A directory of Tor routers is located here:

Once you find an exit node IP, run torproxy using that IP, and put an & at the end of the command to start it as a backround job.
./torproxy <ExitNodeIP> &

You should see a result like this: 
torproxy 0.2 by Moxie Marlinspike.
Retrieving directory listing...
Connecting to exit node:
SSL Connection to node complete.  Setting up circuit.
Connected to Exit Node.  SOCKS proxy ready on 5060.

Use tunnel

Once  you see the line "Connected to Exit Node. SOCKS proxy ready on 5060" we can start pushing traffic through that socket.

We configured proxychains to forward traffic to port 5060. To use command line tools use the following syntax:

proxychains telnet 80

proxychains ssh

proxychains nmap

Or you can configure Firefox to run through the Tor exit proxy. Click
Edit > Preferences > Network > Settings

Set proxy to "Manual proxy configuration" and specify 5060 as Firefox's SOCKS proxy - this will push all firefox traffic trough the Tor exit node. Confirm this by checking - it should be the same IP as the exit node you chose.

You may need to download the Boost C++ libraries directly from their website or SourceForge and install it manually. The release package will have detailed install instructions.

Computer Biology

Tuesday, July 5, 2011

Word Frequency Analysis

Simple Bash script used to determine the frequency of words in a text file called "mydatafile".

cat mydatafile \
        | tr '[:punct:]'  ' ' \
        | tr '[:digit:]'  ' ' \
        | tr ' ' '\012' \
        | sort \
        | uniq -c \
        | sort -n \
        | tail -700

Line by line walk through of the above script:

First, cat the text file to the standard output and pipe into a few tr commands.
The first tr removes any punctuation and output piped into a second tr which removes the numbers and the output is piped into a third tr command that places every word (group of letters separated by a ' ' ) on a new line.

The output is run through a sort command, arranging the words in a sorted list and the output is piped into a uniq -c command that counts the unique words outputting two columns; the count and the word, which is piped into a sort -n to sort the list ascending order of words.

The last line cuts the list to only display the top 700 most frequent words.

Tuesday, March 8, 2011

Low Orbit Ion Cannon (LOIC) Analysis

The Primordial Weapon of Cyberwar

The LOIC is a readily available, open-source application used in DDoS attacks; most notably used in the 'Anonymous' attacks against Visa, MasterCard and WordPress. Read more about LOIC attacks here.
"It's true that most of the operations performed under the Anonymous branding have been relatively unsophisticated, albeit effective: the attacks made on MasterCard and others were distributed denial-of-service attacks using a modified version of the Low Orbit Ion Cannon (LOIC) load-testing tool. The modified LOIC enables the creation of large botnets that each user opts into: the software can be configured to take its instructions from connections to Internet relay chat (IRC) chat servers, allowing attack organizers to remotely control hundreds of slave machines and hence control large-scale attacks that can readily knock websites offline."

Once a willing participant hands control over to the IRC channel, LOIC blasts away at a web server, using a loop of HTTP GET requests, TCP connections, and or UDP connections. One person using this application is not enough to bring down a web server, as the server should handle these requests; its when thousands of people use the tool to overwhelm the server that the DoS actually occurs. 

See the links section at the end of this post if you want to read more about the attacks and the 'group' labeled Anonymous.

A screen shot of the original LOIC v. written by Praetox - Note, this early version does not have the remote IRC control feature.

v. - The remote control over IRC feature allows individuals to participate and use their home bandwidth in an attack with no prior 'hacking' knowledge.

The Source

There are two different LOIC's that are popularly downloaded. There are many variants in the wild but all are based on the original code in C#. LOIC has been ported to other languages including Java and JavaScript.

LOIC v.1.0.4
Developed by abatishchev -

LOIC v.1.1.3
Developed by NewEraCracker -

Each version has two main modules that do most of the 'work' in the aplication.


As the names imply, these are the two different methods LOIC uses to flood the web server with traffic.

Looking at the source, we can actually see what is happening and the difference between the two popular versions.  

LOIC v.1.0.4 (

byte[] buf = System.Text.Encoding.ASCII.GetBytes(String.Format("GET {0} HTTP/1.0{1}{1}{1}", Subsite, Environment.NewLine));
socket.Send(buf, SocketFlags.None);
These lines, neatly wrapped in a While loop, create a variable called buf and send that variable through a socket.

The buf variable is simply the text sent to a web server to make a legitimate request for a document on that server. When placed in the loop this seemingly innocent request starts to get not-so-innocent. One person using this is a load-testing tool but a few hundred people can cause some damage if they all point at one server.

byte[] buf = System.Text.Encoding.ASCII.GetBytes(Data);

socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp); 
while (IsFlooding)


socket = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);

while (IsFlooding)

socket.SendTo(buf, SocketFlags.None, RHost);

The first flooding method besides HTTP requests, is the TCP connection, sending random message/data through a TCP connection, again not-so-innocently placed inside a while loop. The other flooding option is creating a UDP connection. The screen shots show a text input field where a user can specify the text they wish to send through the socket. 

LOIC v.1.1.3 (

byte[] buf = System.Text.Encoding.ASCII.GetBytes(String.Format("GET {0}{1} HTTP/1.1{4}Accept: */*{4}User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0){4}{3}Host: {2}{4}{4}{4}", Subsite, ( AllowRandom ? new Functions().RandomString() : null ), Host, (AllowGzip ? "Accept-Encoding: gzip, deflate"+Environment.NewLine : null), Environment.NewLine));

IPEndPoint RHost = new IPEndPoint(System.Net.IPAddress.Parse(IP), Port);

The updated version performs the same HTTP GET request but this time is spoofs browser headers (Mozilla/4.0(Compatible; MSIE 7.0 Windows NT 6.0), sends a random string as part of the request, allows GZip compression, and as usual you need to end the request with a few Enter keystrokes (Environment.NewLine) just like when you telnet into a web server to make the request manually.

socket = new Socket(AddressFamily.InterNetwork, SocketType.Stream,ProtocolType.Tcp);


socket = new Socket(AddressFamily.InterNetwork, SocketType.Dgram, ProtocolType.Udp);


while (IsFlooding)

buf = System.Text.Encoding.ASCII.GetBytes(String.Concat(Data, (AllowRandom ? new Functions().RandomString() : null) ));

socket.SendTo(buf, SocketFlags.None, RHost);
The XXPFlooder is practically the same, except this version concatenates the user input text message with a random string and sends that through either a TCP or UDP connection.

Defend your network from a LOIC attack

Proxies and Tor can't be used in this type of attack because the DoS traffic will overwhelm the proxy or Tor network. This attack exposes the client IP address, as if they were making thousands of legitimate requests. If you are attacked with a DDoS, log every connection attempt that you possibly can.

Defense against this type of DDoS attack include:

- Limit the number of requests per IP address per second.

- Use firewalls that support layer 7 HTTP inspection.

- Ingress Filtering


LOIC on GitHub - pageview traffic from Dec 2010 to present (Mar 2011) Yes, thats 35K page views in Dec 2010. Operation Avenge Assange was launched in Dec 2010, targeting PayPal, Visa, MasterCard and the Swedish Prosecution Authority. The traffic appears to have fallen off since then.

Have a look at download statistics for LOIC hosted on SourceForge. Top downloading country: the United States, top OS: Windows. Its staggering that this is an opt-in, point-and-click attack and the source seems to be concentrated in the United States.


- LOIC DDoS Analysis, Wireshark and Snort

- Operation Payback used LOIC

- DACS Paper on LOIC & Anonymous

- WordPress attacked by LOIC

- More about LOIC

Computer Biology

Wednesday, January 26, 2011

802.11 WEP Wireless Hacking

Introduction to WEP and the IV vulnerability

Wired Equivalent Privacy (WEP) is a wireless security protocol, providing both encryption and authentication.

The encryption method used is RSA's RC4 stream cipher. The RC4 algorithm operates on a 'seed' consisting of an initialization vector (IV) and a secret shared key to create a keystream which is XORed with plaintext to create ciphertext.

When connecting to a WEP secured network you are asked for the secret shared key which is used to authenticate clients to the network and also encrypt the traffic.

The vulnerability in the WEP protocol is the transit of the IV in plaintext. This allows an attacker to eavesdrop on wireless traffic and collect enough IVs to bruteforce the secret shared authentication key. Once the key is obtained the attacker uses it to connect to the target wireless network.
Note: A standard WEP implementation uses a 40 bit key and a 24 bit IV, resulting in a 64 bit keystream. Because of this, WEP is sometimes referred to as 40 bit WEP or 64 bit WEP.

Cracking a WEP Key

The purpose of this article is for education and security auditing only. Anyone using this for any other reason are liable for their own actions. 

To see this vulnerability work and to actually crack a WEP key in a test environment you need some tools.
  • A test network using an 802.11 wireless router with WEP enabled and a 40 bit key created. 
  • A linux machine with a wireless card. In this example Back Track 4 r2 is the operating system used. Download a live DVD if you don't have a dedicated machine.
  • macchanger, airmon-ng, airdump-ng, and aircrack-ng. These tools are all included in Back Track 4. 

    The following example is a passive WEP attack that observes traffic and collects IVs. In comparison, an active attack involves packet injection to get the access point (AP) to generate more traffic and in turn more IVs; resulting in a faster crack. The passive attack takes significantly longer depending on the traffic volume on the target network. 

    Assuming the wireless interface is wlan0, disable the interface. 
    ifconfig wlan0 down

    Use macchanger to change the MAC address of the wlan0 interface. 
    macchanger --mac 00:11:22:33:44:55 wlan0

    Bring the wlan0 interface back up.
    ifconfig wlan0 up

    Use airmon to create a monitor mode interface for wlan0. The new monitoring interface is called mon0.
    airmon-ng start wlan0

    Run airodump to observe target networks and gather MAC (BSSID), channel and ESSID.
    airodump-ng mon0

    Run airodump again this time specifying the target channel, BSSID, and file to dump the output to. This step is where the IVs are collected for analysis later. Again, since this is a passive attack it may take a while to collect enough IVs. Leave the machine on overnight collecting data if needed.

    airodump-ng --ivs -w /root/dumpfile --bssid mon0

    Keep an eye on the above command. One column is called #Data. This is the actual number of IVs collected from the network. If there is no traffic on the network this number will slowly increase. Once you have about 20,000 IVs, run the following command.
    aircrack-ng /root/dumpfile.cap

    aircrack will report back if it has successfully cracked the WEP key or if you need to continue to collect more IVs and try again. The number of IVs needed to crack a key varies, but it can be done in less than 20,000 IVs.