Metasploit 3.0 is out

Posted by ghimau under
Metasploit 3.0 is out. Need to try it out, but don't have sufficient time. They said it can evade IDS and IPS, wow!

Complete interview with H.D. Moore

Metasploit 3 supports evasion options for almost every module. The evasion options are broken down by protocol and can be seen with the "show evasions" command in the console interface. A module that uses the SMB, DCERPC, and TCP protocols can benefit from over 15 different evasion options.

These options cover settings such as the maximum DCERPC fragment size, whether to obfuscate different SMB transactions, and how many bytes to send at a time in each TCP segment. Client-side modules, such as browser exploits, support compression, chunked encoding, and unicode obfuscation, in addition to any JavaScript-based encoding implemented in the module itself. Web application exploits support all of the "standard" encoding methods (unicode, hex encoding, etc) in addition to things like header padding, junk relative directories, and pipelined requests.

One of the great things about the structure of Metasploit 3 is that adding a new evasion method rarely requires the modules themselves to be updated. It's even possible to develop a loadable plugin that implements new, unpublished evasion routines (and sell it, if you wish to do so).

Remote File Include

Posted by ghimau under
I managed to bypass one of our internal systems' login pages using simple SQL injection techniques. Hahaha..

The string I used is:
' or 1=1--

Found another vulnerable site, which returns the table information. But I'm not going to do that, I need to follow the code of ethics :)

Here is a great tutorial on Remote File Include, a must-read for newbies.

Remote file inclusion, commonly known as RFI, is a form of attack where the attacker tries to inject their own PHP code into your PHP application. If an attacker can successfully achieve this, they will be able to execute any code they wish on your web server.

Let's say we have a website that is coded in PHP; the website uses something like page=page.html to work out which page should be displayed. The code for this might look like:

$file = $_GET['page']; // The page we wish to display
include($file);        // Whatever was passed in ?page= is included here

What this means is that whatever is passed to page will get included inside this PHP page. So an attacker can simply do something like this

If we take a look at what is happening on the code side of things once this has been done, we can see that the actual code the web server is executing looks like this:

$file = "";     // $_GET['page'], which now holds the attacker's URL
include($file); // $file is the attacker's script

As you can see, the attacker has just managed to get his code executed on your web server.

Behind The Scenes
So why can an attacker do this? The simple answer is that the include() function (note: this kind of attack isn't limited to the include function; require_once() will also work) allows you to link to remote files, and an attacker can take advantage of that feature, as you have just seen. You might be wondering why the script the attacker includes is a .txt and not a .php. The answer is that if the script were a .php and the attacker's server had PHP installed, then the script would get executed on the attacker's server and not on the target. We also add the ? at the end so we can remove anything that might be inside the include() function on the target server. Take this script for example:

$file = $_GET['page'];
include($file . ".php");

What the above script does is add .php to anything that is passed into it. So if we passed our URL in, what we would actually see in the include() function is our URL with .php stuck on the end, which is bad: we won't get our script executed, as that file doesn't exist. So if we put a ? on the end of the URL, the appended .php is treated as if it were a variable being passed to our script. Now the include() function still resolves to our script, and it will still get executed.

There you have it, a basic tutorial on what remote file inclusion is and how/why an attacker can use it against your servers. This kind of attack, just like most attacks, isn't that hard to stop if you don't trust any data that is coming in to you. All you really have to remember is that if the data isn't hard coded, then you need to check it to make sure it does what it is meant to do. A lot of the attacks that are performed can be stopped by a few simple checks on the data.
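To make the "check the data" advice concrete, here is an added example (not code from the tutorial above or from the blog author) that puts the vulnerable ?page= include next to a hardened version. The hardened version treats the request value as a lookup key into a fixed allowlist and only ever includes files from one directory; the page names, the directory layout and the sample inputs are all assumptions constructed for the demonstration, and the script builds a throw-away page directory so it runs offline without a web server.

```php
<?php
// Added example, not code from the tutorial or from the blog author.
// Contrasts the vulnerable "?page=" include with a hardened version that
// only includes files from a fixed allowlist inside one directory.
// Run offline with: php rfi_example.php

// --- Vulnerable form (the tutorial's pattern, kept for contrast) -----------
// Whatever arrives in ?page= is handed straight to include(), so a URL or a
// path to an attacker-controlled file is executed on the server.
function vulnerableInclude(string $page): void
{
    include($page . ".php");
}

// --- Hardened form ----------------------------------------------------------
// The request value is a lookup key, never a path. Assumed page set:
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Map the untrusted ?page= value to a file under $pageDir, or throw.
 * Three independent checks: allowlist, fixed directory, containment after
 * realpath() (which collapses "..", "./" and symlinks).
 */
function resolvePage(?string $requested, string $pageDir): string
{
    $page = $requested ?? 'home';

    // Anything not on the allowlist is refused: URLs, "../", "?", NUL bytes.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        throw new InvalidArgumentException("page not allowed: " . var_export($page, true));
    }

    $real = realpath($pageDir . '/' . $page . '.php');
    $base = realpath($pageDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("page missing or outside page dir: $page");
    }
    return $real;
}

function safeInclude(?string $requested, string $pageDir): void
{
    include resolvePage($requested, $pageDir);
}

// --- Offline demonstration ---------------------------------------------------
// Build a throw-away page directory so the script runs without a web server.
$pageDir = sys_get_temp_dir() . '/rfi_demo_' . getmypid();
mkdir($pageDir);
foreach (['home', 'about'] as $name) {
    file_put_contents("$pageDir/$name.php", "<?php echo \"[$name page]\\n\";");
}
// 'contact' is allowlisted but deliberately not created, so the second check fires.

// Constructed inputs standing in for what might arrive in ?page= (sample values)
$samples = [
    'about',
    'contact',
    'http://example.invalid/evil.txt?',  // remote include attempt, placeholder host
    '../../etc/passwd',                  // local traversal attempt
    null,                                // no parameter at all
];
foreach ($samples as $input) {
    try {
        safeInclude($input, $pageDir);
    } catch (InvalidArgumentException | RuntimeException $e) {
        echo "DENY " . var_export($input, true) . ": " . $e->getMessage() . "\n";
    }
}

// Clean up the demo directory
array_map('unlink', glob("$pageDir/*.php"));
rmdir($pageDir);
```

The allowlist alone already defeats the URL and the "?" trick from the tutorial, because neither string is one of the three page names; the realpath() containment check is there so that a later edit which builds the name from other input still cannot escape the page directory.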

Hacked by Godzilla?

Posted by ghimau under
You come to your office, open your favourite IE, and suddenly you've been "Hacked by Godzilla"?

' Hacked by Godzilla Removal - ghimau
On Error Resume Next
MsgBox "Hacked by Godzilla Removal" & vbCrLf & ".::ghimau::."

Set wshshell = WScript.CreateObject("WScript.Shell")
Set fs = CreateObject("Scripting.FileSystemObject")

' Stop the running worm. Only wscript.exe instances whose command line names the
' payload are terminated, so this removal script (which also runs under
' wscript.exe) does not kill itself the way a blanket "TaskKill /im wscript.exe" would.
Set wmi = GetObject("winmgmts:\\.\root\cimv2")
For Each proc In wmi.ExecQuery("SELECT * FROM Win32_Process WHERE Name = 'wscript.exe'")
    If Not IsNull(proc.CommandLine) Then
        If InStr(1, LCase(proc.CommandLine), "ms32dll.dll.vbs") > 0 Then proc.Terminate
    End If
Next

' Clear the hidden/system/read-only attributes, then delete the file if it exists
Sub RemoveIfExists(path)
    If fs.FileExists(path) Then
        Set mf = fs.GetFile(path)
        mf.Attributes = 0
        fs.DeleteFile path, True
        Set mf = Nothing
    End If
End Sub

' Copy dropped in the Windows folder (GetSpecialFolder(0) is %windir%)
myWinPath = fs.GetSpecialFolder(0)
RemoveIfExists myWinPath & "\ms32dll.dll.vbs"
RemoveIfExists myWinPath & "\autorun.inf"

' Copies dropped in the root of every removable (1) or fixed (2) drive, except A:
For Each fd In fs.Drives
    If (fd.DriveType = 1 Or fd.DriveType = 2) And fd.Path <> "A:" Then
        RemoveIfExists fd.Path & "\ms32dll.dll.vbs"
        RemoveIfExists fd.Path & "\autorun.inf"
    End If
Next
Set fs = Nothing

' Remove the worm's autostart entry. Err is cleared first because
' On Error Resume Next leaves any earlier error in the Err object.
Err.Clear
oldVal = wshshell.RegRead("HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ms32dll")
If Err.Number = 0 Then
    wshshell.RegDelete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ms32dll"
End If
Err.Clear

' Restore the Internet Explorer window title the worm changed
wshshell.RegDelete "HKCU\Software\Microsoft\Internet Explorer\Main\Window Title"

'WScript.Echo "Hacked by Godzilla telah dibersihkan" & vbCrLf & ".::ghimau::."
Set wshshell = Nothing

Just copy the above code, paste it into Notepad, and save it as "something.vbs". Double-click on your new file.. and you're done!

OK, there may be other variants such as "Hacked by Pokemon" and "Hacked by HackersMalaysia". Basically they use the same payload, ms32dll.dll.vbs, changed a little to suit their purpose.

So you need to identify the payload they are using; in this case it is ms32dll.dll.vbs, but they might have changed it to something different. Then you need to alter the above script a bit: replace the payload file name (ms32dll.dll.vbs) with the new payload they are using.

Acer Laptop

Posted by ghimau under
Finally those stupid Hi Point guys repaired my laptop. Waited almost 3 months to get it fixed! Damn. I'm going to the repair centre to get my laptop back. Need to pay RM 400.

Tonight, Ustaz Zamri will be staying at Seri Malaysia Hotel. What else, testing my 'gerak' with him la. Hihihihi.

Today, I joined an IRC channel, #balihackerlink (thanks to HTTP tunnel :P). Got new friends: rocks, chorvel_enter. Tomorrow I might continue chatting with them. Hihihi.. making friends with Indonesian hackers. Who knows, they might email me a copy of Seni Teknik Hacking 1 & 2 by Sto. Hihihi

Hmm.. Ok.. need to go back.

Bypass Firewall

Posted by ghimau under
Hahaha.. I managed to bypass my organization's firewall. Now I am able to connect to the DALnet IRC server.
Simple.. just use httptunnel and configure your tunnel client to a port specifically used by your application. In my case, I configured my tunnel client to TCP port 6667, the IRC port.
Yeah.. now I can chat with real haxor.. Didn't have to go to the CC anymore... hihihi.

XP SP2 Firewall

Posted by ghimau under
Yesterday, as usual, my internet connection was down (lame). A couple of guys from Telekom Malaysia did come and did their testing. Hmm..

OK.. I wrote a simple batch file to configure the Windows XP firewall via the command line. If you are creative enough, you can alter the script and make it into a backdoor: you can add open ports, start a service.. beyond your creativity.

OK.. when you run a restricted program (one not allowed by default by your firewall), your Windows firewall may block it. Yes, you can easily click on the Unblock button, but that is not kewl. Hihihihi..

OK.. here's the command:
REM 19 March 2007
REM ghimau
REM You can modify this script to allow certain ports to open
@echo off
echo ---------------------------------
echo Add Cain To Firewall Allowed List
echo ---------------------------------
echo You can modify this file, add a
echo variable, so that you can input
echo your own program. This script only
echo demonstrates how to configure
echo your Windows XP SP2 firewall
echo via command line
netsh firewall add allowedprogram C:\Progra~1\Cain\Cain.exe My_Program ENABLE

YM Scanner

Posted by ghimau under
I wrote a small VB program to detect who is online using Yahoo Messenger. The idea is quite simple: detect open TCP port 5101 (the Yahoo port), and if it is open, return true. Might help a network administrator to detect who's chatting on the network.

for each ip from x.x.x.0 to x.x.x.255
    if tcp port 5101 on ip is open then
        msg = online
    end if
next ip

[Screenshot: Input your IP range]

[Screenshot: YM Scanner in action]

Enable Registry.vbs

Posted by ghimau under
For those whose computer got infected by viruses that disable your registry editing function, just cut & paste this code and save it as something.vbs. Double-click on the file.
'Edited by ghimau
Option Explicit

'Declare variables
Dim WSHShell, rr, rr2, MyBox, val, val2, ttl, toggle
Dim jobfunc, itemtype
On Error Resume Next

Set WSHShell = WScript.CreateObject("WScript.Shell")
val = "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
val2 = "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools"
itemtype = "REG_DWORD"
jobfunc = "Regedit anda telah : "
ttl = "Hasil .::ghimau::."

'Read the current policy values (a missing value leaves rr/rr2 Empty).
rr = WSHShell.RegRead(val)
rr2 = WSHShell.RegRead(val2)

'toggle = 1 means the tools are currently enabled, so this run disables them;
'toggle = 0 means a virus (or policy) has disabled them, so this run re-enables them.
toggle = 1
If (rr = 1 Or rr2 = 1) Then toggle = 0

If toggle = 1 Then
    WSHShell.RegWrite val, 1, itemtype
    WSHShell.RegWrite val2, 1, itemtype
    MyBox = MsgBox(jobfunc & "ditutup.", 4096, ttl)
Else
    WSHShell.RegDelete val
    WSHShell.RegDelete val2
    MyBox = MsgBox(jobfunc & "dibuka.", 4096, ttl)
End If


New born blog

Posted by ghimau under
Hi, today is the first time I have registered a blog and posted in it. Seems pretty cool...

Today's diary:

Adding new components (event calendar and guestbook) to 8 district offices.. ah.. so boring, updating the web pages makes me feel stupid...

I really want to do something more challenging, more brain stuff, not just sitting in front of my monitor typing new events and the latest news.. so boring.

Hmm.. need a break..

Got a call from Roslin UPEN, need to teach Mambo.. argh.. headache!