
Archive for the ‘Hacking’ Category

What is DVWA?

DVWA is a web application that is designed to be hacked. It is written in PHP and uses MySQL as its database. It offers a few difficulty levels so you can test your hacking skills in a legal environment. It is useful for web developers, teachers, students or anyone interested in learning web application security. In Indonesia the penalty for hacking is 8 years in jail, so DVWA is a good option.

Before we start, I assume that you already have Docker containers and the XAMPP server set up and are familiar with them. If not, you can read my article about how to install XAMPP in Docker.

Let's start. First, you have to download the DVWA application and XAMPP from their sources:
http://www.dvwa.co.uk/

In this tutorial, I use Xubuntu 18.04 64-bit as the host, Docker 18.09.9, i386/ubuntu:bionic as the Docker image and XAMPP for Linux 7.1.32 as the PHP/MySQL server.

Step 1. Copy the DVWA files to the /opt/lampp/htdocs directory in the Docker container

First, extract the file DVWA-master.zip:
darklinux@darklinuxpc:~$ ls -l DVWA-master.zip
-rw-rw-r-- 1 darklinux darklinux 1350473 Mei 11 15:20 DVWA-master.zip
darklinux@darklinuxpc:~$ unzip DVWA-master.zip


(more…)


What is shellcode?
Shellcode is a set of instructions written in machine code, generally used as the payload in the exploitation of a software vulnerability. It is called shellcode because it typically starts a command shell.

Here is a sample of shellcode:
"\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21\x0a"

These are the bytes of 'Hello World!' followed by a newline (\x0a), written as escaped bytes.

To write shellcode, you must be familiar with assembly language programming and the target hardware architecture. You can't write shellcode for a 32-bit architecture and run it on a 64-bit architecture, because the instruction codes loaded into the memory layout are also different.
If you write a program in C and run it on a 32-bit architecture, the instruction codes are loaded above the stack, but on 64-bit they are loaded above the heap.
It also depends on the operating system used. That's why shellcode is designed for a specific target system, taking advantage of its vulnerability.

Efficiency matters when you write shellcode, because its size is limited by the size of the buffer it has to fit in.

In this tutorial, I run the shellcode under Ubuntu 18.04.4 LTS 32-bit in a Docker container. My hardware is a 64-bit AMD Ryzen. For programming I use gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0 to compile C code, NASM version 2.13.02 to assemble the assembly code and GNU objdump (GNU Binutils for Ubuntu) 2.30 to display the machine code.

Writing shellcode is also a bit tricky.

I will give you an example.
Below is the assembly code to display "Hello World!".
Assembly code 1 (hello1)

section .text
global _start

_start:

    ; Display message
    mov eax, 4          ; sys_write = 4
    mov ebx, 1          ; stdout = 1
    mov ecx, msg        ; pointer to the message
    mov edx, lenmsg     ; length of the message
    int 0x80            ; system call

    ; Exit
    mov eax, 1          ; sys_exit = 1
    mov ebx, 0          ; exit status 0
    int 0x80

section .data
msg db 'Hello World!', 0xa
lenmsg equ $ - msg
I compile and run this code.
root@fc9fca692021:/home/darklinux# nasm -f elf32 hello1.asm -o hello1.o
root@fc9fca692021:/home/darklinux# ld hello1.o -o hello1
root@fc9fca692021:/home/darklinux# ./hello1
Hello World!
root@fc9fca692021:/home/darklinux#

It runs perfectly.
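
The post's "\xHH" notation, as a decoder plus the two checks worth running on any such byte string before it goes near a buffer: its length (the efficiency point above) and its NUL bytes, since a payload copied as a C string stops at the first NUL. This is an added example, not code from the post; the only byte values it assumes are the post's own sample and the encoding of hello1's first instruction, mov eax,4, which NASM emits as b8 04 00 00 00.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
static int hexval(int c)              /* value of one hex digit, or -1 */
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode a "\xHH"-escaped string into raw bytes (plain characters are
 * copied through). Returns the byte count, or 0 when an escape is
 * truncated or not hex, or the result does not fit in `out`. */
size_t unescape_hex(const char *s, unsigned char *out, size_t cap)
{
    size_t n = 0;
    while (*s) {
        if (n == cap) return 0;
        if (s[0] == '\\' && s[1] == 'x') {
            int hi = hexval((unsigned char)s[2]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)s[3]);
            if (lo < 0) return 0;
            out[n++] = (unsigned char)(hi * 16 + lo);
            s += 4;
        } else {
            out[n++] = (unsigned char)*s++;
        }
    }
    return n;
}

/* A payload copied as a C string ends at the first NUL, so count them. */
size_t count_nulls(const unsigned char *b, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) k += (b[i] == 0);
    return k;
}

int main(void)
{
    unsigned char buf[64];
    /* the post's sample decodes to the text "Hello World!\n", no NULs */
    size_t n = unescape_hex("\\x48\\x65\\x6c\\x6c\\x6f\\x20\\x57\\x6f\\x72\\x6c\\x64\\x21\\x0a", buf, sizeof buf);
    printf("%zu bytes, %zu NUL: %.*s", n, count_nulls(buf, n), (int)n, (const char *)buf);
    /* hello1's first instruction, mov eax,4, assembles to b8 04 00 00 00 */
    n = unescape_hex("\\xb8\\x04\\x00\\x00\\x00", buf, sizeof buf);
    printf("%zu bytes, %zu NUL bytes: cut short by any C string copy\n", n, count_nulls(buf, n));
    return 0;
}
```

The second case is why hello1 as written cannot simply be copied into a string buffer: each 32-bit immediate in its mov instructions carries NUL bytes.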

(more…)


It's for training purposes only, so you can understand what can be done by exploiting a buffer overflow.

In this part 2, I will show you how to execute hidden code in a program by manipulating the return address stored on the stack next to a buffer.

It's a simple C program, compiled with gcc 4.6.1, debugged with the GNU debugger 7.3 on Xubuntu 11.10, with the help of Python 2.7.1 to create the exploit.

Type the code below and save it as "buffer-hidden.c".

#include <stdio.h>

void hiddencode(void)
{
    printf("The hidden codes is running........ \n");
    // put your codes here and
    // do what you want
}

void getinput(void)
{
    char buffer[20];
    /* gets() has no length limit: this is the intended overflow.
     * Newer glibc no longer declares gets() in C11 mode, so add
     * -std=gnu99 to the gcc command if it complains. */
    gets(buffer);
    puts(buffer);
}

int main(void)
{
    getinput();
    return 0;
}

Compile it.

$ gcc -g -fno-stack-protector -mpreferred-stack-boundary=2 buffer-hidden.c -o buffer-hidden
$
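
A bounded replacement for getinput() that keeps the post's 20-byte stack buffer but fills it with fgets(), so no input length can reach the saved return address, and that reports and drains a line longer than the buffer so the excess is not consumed as the next input. This is an added example, not code from the post; get_line_from_string() and fmemopen() are only a harness for trying it on constructed input instead of the keyboard.

```c
#define _POSIX_C_SOURCE 200809L   /* declares fmemopen() */
#include <stdio.h>
#include <string.h>

/* Read one line into buf without ever writing past cap bytes.
 * Returns 0 if the line fit (newline stripped), 1 if it was longer than
 * cap-1 bytes and the excess was discarded, -1 on EOF with nothing read. */
int get_line_bounded(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';        /* complete line */
        return 0;
    }
    if (feof(in))
        return 0;                   /* last line had no newline */
    int c = fgetc(in);              /* buffer filled: was anything cut? */
    if (c == '\n' || c == EOF)
        return 0;                   /* exactly cap-1 chars, nothing lost */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                           /* drain the rest of the long line */
    return 1;
}

/* Same shape as the post's getinput(), 20-byte buffer included, but the
 * read is bounded, so a long line cannot reach the saved return address. */
int getinput_safe(FILE *in)
{
    char buffer[20];
    int rc = get_line_bounded(in, buffer, sizeof buffer);
    if (rc == 1)
        fprintf(stderr, "input truncated to %zu bytes\n", sizeof buffer - 1);
    if (rc >= 0)
        puts(buffer);
    return rc;
}

/* Harness: feed a constructed string instead of stdin (fmemopen is POSIX). */
int get_line_from_string(const char *text, char *buf, size_t cap)
{
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    if (!in) return -1;
    int rc = get_line_bounded(in, buf, cap);
    fclose(in);
    return rc;
}
```

Call getinput_safe(stdin) where the original program called getinput().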


(more…)


I will try to explain in a simple way what a buffer overflow is.
A buffer is a fixed-length memory block where you put your data. If you put more data in the buffer than its capacity, it flows over. Think of an empty 100 ml glass: if you pour 120 ml of water into it, 20 ml of water flows over the glass.
Of course, a buffer overflow is much more complex than that.

Based on NVD (the National Vulnerability Database, the US government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol, SCAP), buffer overflow is still the most frequently occurring vulnerability of the last quarter century (1988 – 2012). It makes up 35% of the top vulnerability types with critical severity, and it is still being reported in 2019, although the percentage is not that high.

The history of buffer overflows started in 1988, when Robert Morris, a student at Cornell University, created the Morris Worm. It was the first computer worm, launched in November 1988. The Morris Worm took advantage of the gets() function in the Unix fingerd daemon. The worm spread very fast among the Unix machines of that time.

Worms and viruses are 'malicious software', also called 'malware' or 'malcode'. They are designed to damage, steal or do other 'bad' things to data, hosts or networks. The only difference is that a virus needs a host program to spread, whereas a worm is stand-alone. A worm spreads by exploiting vulnerabilities of the target system.
(more…)


In this tutorial, I will show you how to send email via the Gmail server using OpenSSL. Previously you could use telnet to do it, but since Google implemented TLS-encrypted connections you can't do that anymore, unless you upgrade your telnet with SSL capability.

The OpenSSL version that I use is OpenSSL 1.0.1f 6 Jan 2014. You can check your version using the command openssl version -a.
darklinux@darklinux:~$ openssl version -a
OpenSSL 1.0.1f 6 Jan 2014
built on: Thu Jun 11 15:26:18 UTC 2015
platform: debian-i386
options: bn(64,32) rc4(8x,mmx) des(ptr,risc1,16,long) blowfish(idx)
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2 -Wl,-Bsymbolic-functions -Wl,-z,relro -Wa,--noexecstack -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/lib/ssl"
darklinux@darklinux:~$

Before we start, I will give you proof that we can't use telnet to connect to the Gmail server.
darklinux@darklinux:~$ telnet smtp.gmail.com 587
Trying 74.125.200.108...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
220 smtp.gmail.com ESMTP p8sm40810771pfi.34 - gsmtp
helo
250 smtp.gmail.com at your service
mail from: <taufanlinux@gmail.com>
530 5.7.0 Must issue a STARTTLS command first. p8sm40810771pfi.34 - gsmtp

darklinux@darklinux:~$ telnet smtp.gmail.com 465
Trying 74.125.68.108...
Connected to gmail-smtp-msa.l.google.com.
Escape character is '^]'.
helo
#####FConnection closed by foreign host.
darklinux@darklinux:~$
(more…)


Disclaimer:
In this tutorial, I will show you how to hack MS Windows XP. It's for training purposes only. I'm not responsible for any misuse. You will learn how to grab a screenshot of the target's interactive desktop, list running processes, capture keystrokes and get the contents of the SAM database.

There are two Metasploit modules that I will use: ms08_067_netapi and reverse_tcp.

The ms08_067_netapi module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. It is capable of bypassing NX on some operating systems and service packs.

This exploit can also be used against MS Windows 2000 Universal and MS Windows 2003 Universal, SP1 and SP2.

The reverse_tcp payload injects the Meterpreter server DLL via the Reflective DLL Injection payload (staged) and connects back to the attacker.

--------------------------------------------------------------------------------
Name: MS08-067 Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great
Disclosed: 2008-10-28
--------------------------------------------------------------------------------
Name: Windows Meterpreter (Reflective Injection), Reverse TCP Stager
Module: payload/windows/meterpreter/reverse_tcp
Platform: Windows
Arch: x86
Needs Admin: No
Total size: 281
Rank: Normal
--------------------------------------------------------------------------------
(more…)


The purpose of this tutorial is education only.
Before I start, I will explain what a fake access point is.

An Access Point (AP) is a networking device that allows wireless devices to connect to a wired network using WiFi.
A fake access point is a virtual access point created with an application, but it behaves like a real access point. It is created by turning our own wireless device into an access point. You can set a password, ESSID and channel on it.

What tools do I need?
The tool is airbase-ng. It's part of the aircrack-ng package, so you need to install aircrack-ng first. Make sure you are connected to the Internet. Open your Linux terminal and type:
$ sudo apt-get install aircrack-ng
(more…)


Metasploit Framework (MSF) is a free, open-source penetration testing solution developed by the open-source community and Rapid7. You can download Metasploit from http://www.metasploit.com. You can use Metasploit to collect information and scan the system for vulnerabilities.

Metasploit offers a GUI version and command line version.

After you download the Metasploit installer, you can register your name. Make sure you get the Metasploit license key first to activate Metasploit, otherwise you can't run the application.

Once everything is complete, we can start the installation.
Copy the Metasploit installer to the /opt directory.
Make the file executable using chmod:
$ sudo chmod +x metasploit-latest-linux-installer.run <enter>
Then type $ sudo ./metasploit-latest-linux-installer.run <enter> to run the installer.
(more…)
