This site is a kind of personal database gathering notes about my day-to-day discoveries in the IT world, mostly about security.
While some are howtos and tips (we learn a new thing every day, eh), hopefully you'll find some of them informative!

August 1, 2008

Hacking InvisionFree forums

Ever wanted to hack that InvisionFree forum that you despise? Or maybe you're the ethical hacker that simply wants to show InvisionFree owners how to stay secure (through demonstration, no less). Either way, you might find this guide useful.

Requirements:
- Basic HTML knowledge
- Advanced-ish PHP knowledge
- Advanced-ish Javascript knowledge
- An inconspicuous image
- A PHP host
- An (active) InvisionFree forum to hack
- Proxy/proxies (optional, but recommended)
- Possibly social engineering skills

That's a long list of requirements, but I'm sure most of you have these things.

STEP ONE: THE COOKIE STEALER
You need to write a cookie stealer. Preferably, the cookie stealer should show itself as an image so you don't have to redirect your victims to it (which would quickly blow your cover). I'm not going to tell you how to write one, mainly because you have an unlimited amount of information at your fingertips, hiding under the name "Google". Just have a GET variable containing the cookie and then store it in a text file or a MySQL database. If you choose the latter, remember to include a file that gets the cookies from the database and also guard against SQL injections.

STEP TWO: IMPLEMENTATION
It's time to implement your cookie stealer. You will need the forum to have HTML in signatures. If you already have HTML in the signatures, skip to the next paragraph. If you're unlucky enough not to, you're going to have to convince the admin of the forum to enable HTML in signatures. For instance, say you have a killer Flash signature that you just HAVE to include.

Include the cookie stealer's image in an img tag. Give it a unique id like "snarfblat" or "cacklemuffs" so you can edit the image source with Javascript.

InvisionFree doesn't filter out "onFocus", which is great for us. Add a body tag with the onFocus attribute that changes snarfblat/cacklemuffs' src. It would appear something like:



Submit and try it out. If it works, congratulations! Move to step three. If it doesn't, you might have done something wrong.

STEP THREE: GETTING THE COOKIES
Post. If you feel like you're not getting good enough cookies fast enough (you want access to the ACP), PM the admins.

STEP FOUR: WHAT NOW?
Crack the admin passwords. They're unsalted. If you somehow don't know how to distinguish between admin and member, find the member IDs of the admins. Then find those IDs in your cookies (e.g. [forumname]member_id=1), locate the pass_hash of the cookies, and start cracking the MD5s.

Once you have the admin passwords, log in as the admins and do whatever you want.

PREVENTION
To prevent this from happening, filter out the "onFocus" attribute loosely (not just as an exact, case-sensitive match). If you're extremely paranoid, disable HTML in signatures altogether.
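As an added illustration of what "loosely" means in practice (this is example code written for these notes, not InvisionFree's own filter), the following compares an exact-match strip of "onFocus" with a case-insensitive filter that drops every on* handler attribute and any <body> tag from signature HTML. The sample signatures are constructed; the image URL and the handler body x() are placeholders.

```python
import re

# Naive filter of the kind the article warns against: an exact-match strip of
# "onFocus" that lets "onfocus", "ONFOCUS" and other on* handlers straight through.
def naive_filter(html: str) -> str:
    return html.replace("onFocus", "")

# Loose filter: any attribute whose name starts with "on" (onfocus, onload, onerror,
# ...), matched case-insensitively, tolerating spaces around "=" and quoted or bare values.
EVENT_ATTR = re.compile(
    r"""\s+on[a-z]+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""", re.IGNORECASE)
# A signature has no business opening its own <body>; drop such tags outright.
BODY_TAG = re.compile(r"</?body\b[^>]*>", re.IGNORECASE)

def loose_filter(html: str) -> str:
    """Strip every on* handler attribute and any <body> tag from signature HTML."""
    return EVENT_ATTR.sub("", BODY_TAG.sub("", html))

def has_event_handler(html: str) -> bool:
    """Check an admin can run over stored signatures: does any on* handler survive?"""
    return re.search(r"\son[a-z]+\s*=", html, re.IGNORECASE) is not None

# Constructed signature snippets (not real forum content): a harmless image, then
# variants of the article's <body onFocus=...> trick that an exact match misses.
SAMPLES = [
    '<img id="sig" src="http://example.invalid/pic.png">',
    '<body onFocus="x()">',
    '<body onfocus="x()">',
    "<body ONFOCUS = 'x()'>",
    '<img src="http://example.invalid/pic.png" onerror=x()>',
]

def compare_filters(samples=SAMPLES):
    """For each sample: (sample, handler survives naive filter, handler survives loose filter)."""
    return [(s, has_event_handler(naive_filter(s)), has_event_handler(loose_filter(s)))
            for s in samples]

if __name__ == "__main__":
    for sample, naive_leaks, loose_leaks in compare_filters():
        print(f"naive leaks={naive_leaks!s:5} loose leaks={loose_leaks!s:5}  {sample}")
```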

DISCLAIMER
You are responsible for your own actions.

ref: hellboundhackers.org

ARP Poisoning

Introduction
This article is meant to teach how ARP works and how one can go about poisoning the ARP cache and enable them to completely sniff traffic over a switched network. This article assumes that you already have access to a switched network. ARP Poisoning is a way of tricking computers over a switched network to send traffic through you before going to other computers or out to the internet.

ARP
Address Resolution Protocol (ARP) is a dynamic protocol that maps a 32-bit IP address to a 48-bit physical hardware address (MAC address). If one system on a network wants to communicate with another, it first checks whether it already knows that system's MAC address; if not, it sends out an ARP broadcast asking for the hardware address of the destination system. There are four types of ARP messages, but the main two are ARP Request and ARP Reply. When a system starts broadcasting an ARP message it sends out an ARP Request: a message sent to the broadcast address that contains the sender's IP address and MAC address, requests the MAC address of the given IP, and then waits for an ARP Reply. An ARP Reply answers the ARP Request and tells the computer that sent it what the MAC address is.
The ARP cache is a temporary store holding a table of MAC addresses and IP addresses. If a computer wants to talk to another computer and does not already have its MAC address stored, it sends an ARP Request. If the computer sending the ARP Reply does not have the requesting computer's MAC address, it too saves it to its cache, so now both computers have each other's MAC address. A system cannot communicate with another until it has its MAC address.
ARP is a stateless protocol with no authentication built in, so any ARP Reply, whether or not there was a request, will update the ARP cache on a computer. All systems accept an ARP Reply regardless of whether an ARP Request was sent.

The Switch
Media Access Control (MAC) is a standard addressing system for all Ethernet devices. Most networks use switching devices, and in a switched network packets are only sent to the port they are destined for according to their destination MAC address. Switches maintain a table that associates MAC addresses with particular ports. A switch builds this table by extracting the source MAC address from the Ethernet frame of each packet it processes. If no entry exists in the table for a destination, the switch forwards the packet out all of its ports.

Within a switched network, packets are only sent to the destination device, so other devices cannot see the traffic.

Poisoning
There are a few tricks for manipulating a network into sending traffic through you before it reaches the destination device. One of these methods is referred to as ARP Poisoning: you send a customized ARP Reply to different computers across the network, tricking them into updating their ARP cache with a new MAC address (your MAC address). Normally, each time computer1 wants to send a message to computer2 it looks up the MAC address for computer2's IP and sends the message to that MAC address. But if that MAC address has been changed to your MAC address by poisoning the ARP cache, the message is sent to you instead. After packets are sent to you, you must forward them to the computer they were meant for in the first place, or a DoS results and the hosts can no longer communicate. Another factor you must weigh is timeouts: if there is no traffic over the network, after a timeout period the ARP caches of the computers across the network are flushed, and you need to send another constructed ARP Reply to the hosts so that traffic is once again forwarded to you. One way to handle this is to automatically send ARP Replies every 10 seconds or so to the hosts that you want to poison.
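The ARP behaviour described above (request/reply pairs, replies accepted without a request, a poisoner re-sending replies every 10 seconds) is exactly what a monitor on the segment can alert on. The following is an added detection example written for these notes, not code from the article: it runs over a constructed list of ARP records (the IPs, MACs and timestamps are made up) and flags unsolicited replies, an IP whose MAC changes, and one MAC claiming several IPs.

```python
from dataclasses import dataclass

@dataclass
class ArpEvent:
    t: float          # seconds since start of capture
    op: str           # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str

def detect_poisoning(events):
    """Return alert strings for ARP traffic that matches the poisoning pattern above."""
    ip_to_mac = {}   # the MAC each IP most recently claimed (what victim caches hold)
    pending = set()  # (asking_ip, asked_for_ip) requests still awaiting a reply
    alerts = []
    for e in events:
        if e.op == "reply":
            # A reply is legitimate only if the target recently asked for the sender's IP.
            if (e.target_ip, e.sender_ip) in pending:
                pending.discard((e.target_ip, e.sender_ip))
            else:
                alerts.append(f"t={e.t:.0f}s unsolicited reply: {e.sender_ip} is-at "
                              f"{e.sender_mac} -> {e.target_ip}")
        else:
            pending.add((e.sender_ip, e.target_ip))
        # Requests and replies both carry the sender's IP/MAC pair and both get cached.
        old = ip_to_mac.get(e.sender_ip)
        if old is not None and old != e.sender_mac:
            alerts.append(f"t={e.t:.0f}s MAC change for {e.sender_ip}: {old} -> {e.sender_mac}")
        ip_to_mac[e.sender_ip] = e.sender_mac
    # One MAC now answering for several IPs is the fingerprint of a host in the middle.
    by_mac = {}
    for ip, mac in ip_to_mac.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts

# Constructed capture (not real traffic): a normal request/reply between two hosts,
# then a third MAC sending unsolicited replies to both of them every 10 seconds.
SAMPLE_EVENTS = [
    ArpEvent(0, "request", "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.2"),
    ArpEvent(0, "reply", "10.0.0.2", "aa:aa:aa:aa:aa:02", "10.0.0.1"),
    ArpEvent(20, "reply", "10.0.0.2", "cc:cc:cc:cc:cc:99", "10.0.0.1"),
    ArpEvent(20, "reply", "10.0.0.1", "cc:cc:cc:cc:cc:99", "10.0.0.2"),
    ArpEvent(30, "reply", "10.0.0.2", "cc:cc:cc:cc:cc:99", "10.0.0.1"),
    ArpEvent(30, "reply", "10.0.0.1", "cc:cc:cc:cc:cc:99", "10.0.0.2"),
]
```

Running detect_poisoning(SAMPLE_EVENTS) yields seven alerts: four unsolicited replies, two MAC changes at t=20s, and the third MAC claiming both IPs; the legitimate first exchange alone yields none.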

Sniffing
Sniffing is the act of capturing packets that aren't necessarily meant for public viewing. When you sniff packets across a network you can come across many interesting things such as emails, instant messages, and even passwords to email accounts and FTP accounts, and many other types of passwords which, in my experience, are more often than not left unencrypted. There are many tools out there that will automatically scan packets for username and password info. You can also see what websites the person is going to.

Wireless
If an access point is connected directly to a hub or a switch, then it leaves the entire wireless network open to ARP Poisoning. Wireless internet is becoming more and more used, and it is hard to be anywhere that does not have a wireless access point, especially in well populated areas. This presents a huge security risk to most networks because in theory someone with a laptop could go into the lobby of a business and get on their network by cracking their WEP key, or by simply connecting if they don't even have WEP. The attacker would then just need to poison the ARP cache of the different computers across the network and forward all traffic through their own machine. They would get passwords and usernames, the websites people go to, and anything else they feel would be fun to look at.

ref: hellboundhackers.org