Thursday 4 October 2012

SEH : BigAnt Server Vulnerability Exploitation

Okay, after learning about non-SEH application exploitation, we will now try to exploit an application that uses SEH, or Structured Exception Handling. A little about SEH: SEH is a mechanism provided by software and hardware to handle exceptions. An exception occurs when an application tries to execute code outside its normal flow, for example in the case of a buffer overflow.
 
Let's begin..

In this practice I use the BigAnt Server application. BigAnt Server is a messaging server. This software is built with SEH and linked with SEH support, which means it is not as easy to exploit with a direct RETN-to-EIP overwrite as in the WarFTP case.



Tuesday 2 October 2012

Easy RM-MP3 Converter Buffer Overflow

Okay guys, in this post I will try to exploit Easy RM-MP3 Converter using a buffer overflow. Do you know what the purpose of this is? To control the operating system on which Easy RM-MP3 Converter runs.

In this post I will try to find the vulnerability in Easy RM-MP3 Converter. To find the software vulnerability we can use a buffer overflow. In this practice I use Windows XP SP3 with Easy RM-MP3 Converter installed. The Backtrack version is Backtrack 5 R2.

Let's begin..

- After Easy RM-MP3 Converter is installed, run the application.


Mini-stream RM-MP3 Converter Buffer Overflow

Wednesday 19 September 2012

Exploit WarFTP 1.65 using Buffer Overflow

Okay, now we will learn about attacking a vulnerable application using a buffer overflow. Before that, it would be better if we first understand what a buffer overflow is.

What is buffer overflow? Buffer overflow is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety. Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security.

Now, we will try to attack the vulnerability in WarFTP 1.65 using a buffer overflow. Is anyone asking why we use WarFTP? Because WarFTP doesn't have any protection against buffer overflow attacks.

The tools we need for vulnerability testing with a buffer overflow are:

1. OllyDbg, as a debugger.
2. A fuzzer, for the fuzzing process.
3. Python, for writing the fuzzer and the exploit.
4. Windows XP
5. Backtrack OS

Okay, run WarFTP on Windows XP. If you don't have WarFTP installed on your Windows XP, you can download the WarFTP file at the end of this article.


Monday 17 September 2012

How to enlarge the root partition on Backtrack

Do any of you want to enlarge the Backtrack partition but don't know how? Yeah, at first I did not know how either. I had installed gparted in Backtrack, but the root partition still could not be enlarged.


After some searching, I finally found how to enlarge the Backtrack root partition: using a gparted live USB.

All you have to prepare is the gparted live USB image, which you can download from the official website, and unetbootin.

Download gparted live usb

Download unetbootin




Once everything is ready, make a bootable gparted live USB using unetbootin. Once done, boot your computer from the USB drive and follow the instructions there, and you are ready to enlarge the root partition.

Sunday 16 September 2012

How to install Tor on Backtrack 5 R2

Hi, long time no see...
Now, I want to share how to install Tor on Backtrack 5 R2. For your information, Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.

Tor is an open source anonymity tool for the Internet. It protects your identity from tracking systems by changing the source IP address frequently. The application creates many virtual tunnels through the Tor network.

Okay, now I will show you a video that explains how to install Tor on Backtrack 5 R2 step by step. I've tried it myself and succeeded.




Ok, good luck with your practice..

Saturday 15 September 2012

Advanced Information Gathering using Maltego

After learning about Information Gathering, now we will learn about Advanced Information Gathering. So, what is Advanced Information Gathering? Advanced Information Gathering is more than just Information Gathering.

Advanced Information Gathering is more complex than Information Gathering: we search for more information about the target. According to the given task, we do advanced information gathering on one website. We can use Maltego to gather more information about a website.

First, open the Maltego application...



Thursday 13 September 2012

Privilege Escalation Mutillidae in Backtrack using Brute Force and LFI

Okay, now we learn about privilege escalation. What is privilege escalation?
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

There are two kinds of privilege escalation: Vertical and Horizontal.
  • Vertical privilege escalation requires the attacker to grant himself higher privileges. This is typically achieved by performing kernel-level operations that allow the attacker to run unauthorized code.
  • Horizontal privilege escalation requires the attacker to use the same level of privileges he already has been granted, but assume the identity of another user with similar privileges. For example, someone gaining access to another person's online banking account would constitute horizontal privilege escalation. 
One example of privilege escalation is brute force. Brute force (also known as brute force cracking) is a trial-and-error method used by application programs to decode encrypted data such as passwords or Data Encryption Standard (DES) keys through exhaustive effort (using brute force) rather than by employing intellectual strategies.

What is LFI? Local file inclusion (usually called “LFI”) is a web hacking technique that simply allows files to be included from a local location. That means we can include a file that is outside the web directory (if we have the rights) and execute PHP code.
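The defect described above, an include parameter that can reach files outside the web directory, next to the containment check that closes it, as an added example (not code from the post or from Mutillidae). The web root, the pages/ directory and the allowlisted page names are constructed in a temporary directory for the demo.

```python
"""Containment check for a user-controlled include path (added example)."""
import os
import tempfile

# Constructed stand-in for a /var/www style web root with an includable pages/ dir.
WEB_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="webroot-"))
PAGES_DIR = os.path.join(WEB_ROOT, "pages")
ALLOWED_PAGES = {"home.php", "login.php"}     # allowlist of includable files
os.makedirs(PAGES_DIR, exist_ok=True)
for _name in ALLOWED_PAGES:
    with open(os.path.join(PAGES_DIR, _name), "w") as _fh:
        _fh.write("<?php /* " + _name + " */ ?>\n")


def vulnerable_include_path(page):
    """Mirrors include($_GET['page']) with no check: '../' walks out of the root."""
    return os.path.normpath(os.path.join(PAGES_DIR, page))


def safe_include_path(page):
    """Resolve the requested page and return its path only if it stays directly
    inside PAGES_DIR and names an allowlisted file; return None otherwise."""
    target = os.path.realpath(os.path.join(PAGES_DIR, page))
    if os.path.dirname(target) != PAGES_DIR:      # traversal or a subdirectory
        return None
    if os.path.basename(target) not in ALLOWED_PAGES:
        return None
    return target


def escapes_web_root(path):
    """True when the resolved path lies outside WEB_ROOT."""
    return os.path.commonpath([WEB_ROOT, os.path.realpath(path)]) != WEB_ROOT
```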

Now I will show you privilege escalation in Mutillidae on Backtrack using brute force and LFI, so you can try it yourself.

Installing Mutillidae on Backtrack

Okay, now we will try to install Mutillidae. What is Mutillidae? Mutillidae is a free and open source web application for website penetration testing and hacking, developed by Adrian “Irongeek” Crenshaw and Jeremy “webpwnized” Druin. It is designed to be exploitable and vulnerable, and is ideal for practicing your Web Fu skills such as SQL injection, cross-site scripting, HTML injection, JavaScript injection, clickjacking, local file inclusion, authentication bypass methods, remote code execution and many more, based on the OWASP (Open Web Application Security Project) Top 10 web vulnerabilities.

1. The first step is to make sure you have Apache and MySQL installed. On Backtrack they are usually installed from the start; you just run them from the application menu.

2. Then go to the /var/www folder and download the Mutillidae files with the commands below.

cd /var/www
wget http://sourceforge.net/projects/mutillidae/files/mutillidae-project/LATEST-mutillidae-2.3.5.zip/download

Tuesday 11 September 2012

Exploit Windows XP with Metasploit Framework msfconsole

Okay, this time we will learn about exploitation. Previously, we learned how to use exploits from exploit-db. Now our task is to exploit Windows XP using Metasploit.

Let's start..


Remember, before we do the exploitation, we must go through the Information Gathering, Service Enumeration, and Vulnerability Assessment steps; they have to be done!
From those three steps, we will be able to find a hole that we can exploit.

By using Nessus, we will be able to find some high-severity holes that we can exploit. As an example I will exploit the SMB vulnerability on port 445.

1. Open Metasploit's msfconsole from the Backtrack menu under Exploitation Tools, or just open a terminal and type msfconsole.


Saturday 8 September 2012

How to install nessus on Backtrack 5

After Website Information Gathering, the second task is to explain how to install Nessus on Backtrack.
Okay, for your information, Nessus is a proprietary comprehensive vulnerability scanning program. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems.

Okay, let's try to install Nessus..

1. Download the installation package from the official page at www.nessus.org. Alternatively, if you are already connected to the Internet, you can just type the command below in your terminal.

root@bt:~# apt-get install nessus

Website Information Gathering

After learning about Information Gathering, we are given the task of gathering information on two websites:
is2c-dojo.com and spentera.com


Let's try..

First, I tried to gather information about is2c-dojo.com:
root@bt:~# nslookup is2c-dojo.com
Server:        8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
Name:    is2c-dojo.com
Address: 108.162.199.180
Name:    is2c-dojo.com
Address: 108.162.199.80
Then I tried the whois command:
root@bt:~# whois is2c-dojo.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

   Domain Name: IS2C-DOJO.COM
   Registrar: CV. JOGJACAMP
   Whois Server: whois.resellercamp.com
   Referral URL: http://www.resellercamp.com
   Name Server: IVAN.NS.CLOUDFLARE.COM
   Name Server: RITA.NS.CLOUDFLARE.COM
   Status: clientTransferProhibited
   Updated Date: 01-jun-2012
   Creation Date: 14-jan-2012
   Expiration Date: 14-jan-2013

>>> Last update of whois database: Fri, 07 Sep 2012 20:06:34 UTC <<<

NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar.  Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.

TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability.  VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.

The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: IS2C-DOJO.COM    
                                 
 Registrant:                     
     PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676   
                                 
 Creation Date: 14-Jan-2012
 Expiration Date: 14-Jan-2013
                                 
 Domain servers in listed order: 
     ivan.ns.cloudflare.com
    rita.ns.cloudflare.com
                 
                                 
 Administrative Contact:         
     PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676
                                 
 Technical Contact:              
     PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676    
                                 
 Billing Contact:                
     PrivacyProtect.org
    Domain Admin        (contact@privacyprotect.org)
    ID#10760, PO Box 16
    Note - All Postal Mails Rejected, visit Privacyprotect.org
    Nobby Beach
    null,QLD 4218
    AU
    Tel. +45.36946676      
                                 
 Status:LOCKED
    Note: This Domain Name is currently Locked. In this status the domain
    name cannot be transferred, hijacked, or modified. The Owner of this
    domain name can easily change this status from their control panel.
    This feature is provided as a security measure against fraudulent domain name hijacking.
                  
 PRIVACYPROTECT.ORG is providing privacy protection services to this domain name to
protect the owner from spam and phishing attacks. PrivacyProtect.org is not
responsible for any of the activities associated with this domain name. If you wish
to report any abuse concerning the usage of this domain name, you may do so at
http://privacyprotect.org/contact. We have a stringent abuse policy and any
complaint will be actioned within a short period of time.

The data in this whois database is provided to you for information purposes only,
that is, to assist you in obtaining information about or related
to a domain name registration record. We make this information available "as is",
and do not guarantee its accuracy. By submitting a whois query, you agree that you will
use this data only for lawful purposes and that, under no circumstances will you use this data to:
(1) enable high volume, automated, electronic processes that stress
or load this whois database system providing you this information; or
(2) allow, enable, or otherwise support the transmission of mass unsolicited,
commercial advertising or solicitations via direct mail, electronic mail, or by telephone.
The compilation, repackaging, dissemination or other use of this data is expressly prohibited without
prior written consent from us. The Registrar of record is CV. Jogjacamp.
We reserve the right to modify these terms at any time.
By submitting this query, you agree to abide by these terms.
From the result we know that the registrar of is2c-dojo.com is CV. JOGJACAMP. Then I searched Google for CV.JOGJACAMP, and from Google I learned that is2c-dojo.com uses the services of idwebhost.com. And is2c-dojo.com has the name servers IVAN.NS.CLOUDFLARE.COM and RITA.NS.CLOUDFLARE.COM.
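Reading the registrar and name servers off a whois record by hand is fine for two domains; for a list of your own domains the same facts, plus expiry and transfer-lock status, are worth pulling out programmatically. Added example, not from the post: WHOIS_SAMPLE is an abridged copy of the registry (VeriSign) section of the post's own whois output for is2c-dojo.com, and the field names and date formats are the ones that record uses.

```python
"""Parse the registry-level whois record shown above into structured fields.
Added example, not part of the original post. WHOIS_SAMPLE is an abridged copy of
the post's own whois output for is2c-dojo.com (the VeriSign registry section);
field names and date formats are the ones that record uses."""
import re
from datetime import datetime

WHOIS_SAMPLE = """\
   Domain Name: IS2C-DOJO.COM
   Registrar: CV. JOGJACAMP
   Whois Server: whois.resellercamp.com
   Name Server: IVAN.NS.CLOUDFLARE.COM
   Name Server: RITA.NS.CLOUDFLARE.COM
   Status: clientTransferProhibited
   Creation Date: 14-jan-2012
   Expiration Date: 14-jan-2013

>>> Last update of whois database: Fri, 07 Sep 2012 20:06:34 UTC <<<
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.+?)\s*$")
REPEATABLE = {"Name Server", "Status"}   # fields that may appear more than once

def parse_whois(text):
    """Return {field: value}; repeatable fields become lowercase lists."""
    record = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                      # blank lines and the '>>>' footer
        key, value = m.groups()
        if key in REPEATABLE:
            record.setdefault(key, []).append(value.lower())
        else:
            record.setdefault(key, value) # keep the first occurrence
    return record

def snapshot_time(text):
    """When the registry says this copy of the record was current."""
    m = re.search(r"Last update of whois database:\s*(.+?)\s*<<<", text)
    return datetime.strptime(m.group(1), "%a, %d %b %Y %H:%M:%S UTC")

def summarize(text, warn_days=180):
    """The facts the post reads off the record, plus two things a domain
    owner should watch: days to expiry and whether transfers are locked."""
    rec = parse_whois(text)
    expires = datetime.strptime(rec["Expiration Date"], "%d-%b-%Y")
    days_left = (expires.date() - snapshot_time(text).date()).days
    zones = {".".join(ns.split(".")[-2:]) for ns in rec["Name Server"]}
    return {
        "domain": rec["Domain Name"].lower(),
        "registrar": rec["Registrar"],
        "name_servers": rec["Name Server"],
        "dns_zones": sorted(zones),
        "transfer_locked": any("transferprohibited" in s for s in rec["Status"]),
        "days_to_expiry": days_left,
        "expiry_warning": days_left < warn_days,
    }
```

The days-to-expiry figure is computed against the record's own "Last update" timestamp, so the same snapshot always yields the same answer.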
 

Information Gathering

The first thing we should do when starting penetration testing or hacking is to gather information. In information security this is usually called the Information Gathering step. Information Gathering is the basic thing in hacking: it is the process of gathering as much information as possible about the target we will test. Information Gathering is divided into two kinds, Technical and Non-Technical.
  • Technical Information Gathering is the process of gathering information that is technical, such as through the use of tools.
  • Non-Technical Information Gathering is the process of gathering information that is non-technical, for example a personal approach to the target.
Technical Information Gathering is divided into two techniques, Active and Passive:
  • Active Information Gathering is a collection of information directed towards a target, such as scanning the target directly.
  • Passive Information Gathering is a collection of information that does not go directly to the target, such as using other media, e.g. googling.

Next, I will try to practice Information Gathering on my network.

Friday 7 September 2012

Installing & Connecting Ubuntu in VirtualBox ~ Part 2

After we successfully installed Ubuntu in VirtualBox, we will try to connect the Ubuntu VM in VirtualBox with Backtrack.

1. First step, open the VirtualBox Manager and choose the Ubuntu virtual machine.



Thursday 6 September 2012

Installing & Connecting Ubuntu in VirtualBox ~ Part 1

Okay, after installing Windows in VirtualBox, we will now try to install Ubuntu in VirtualBox for use in the Penetration Test Laboratory. We need VirtualBox 4.2, Ubuntu 10.10, and Backtrack to do that.

These are the steps to install and connect Ubuntu in VirtualBox:


1. First step, open the VirtualBox Manager. Then click Start to create a new installation.


Installing & Connecting Windows in VirtualBox ~ Part 2

Okay, now that Windows XP is installed in VirtualBox, we will try to connect the Backtrack OS with the Windows XP VM in VirtualBox.

1. First, open the VirtualBox Manager.




Installing & Connecting Windows in VirtualBox ~ Part 1

Okay, after we finished installing VirtualBox on Backtrack, next we will create the Penetration Test Laboratory using the VirtualBox we installed earlier.

The things we need to create the Penetration Test Laboratory are VirtualBox 4.2, Windows XP SP3, and Backtrack 5 R2.

Steps to install and connect Windows in VirtualBox

1.  Open VirtualBox Manager



How to Install VirtualBox on Backtrack 5 R2

The first task given is installing and connecting Windows in VirtualBox for use as a Penetration Test Laboratory. To do that we first have to install VirtualBox on the Backtrack that we use.

The way is as below...

1. Open a terminal on your Backtrack.

Backtrack 5 doesn't come with the kernel headers installed, so you will need to download them and then proceed with installing VirtualBox. The commands are listed below.


root@bt:~# prepare-kernel-sources
root@bt:~# cd /usr/src/linux
root@bt:~# cp -rf include/generated/* include/linux/