Website Defacement Explained
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+= =+
+= Website Defacement =+
+= By: Th3 R@v3n =+
+= =+
+= Copyright Th3 R@v3n 2003 =+
+= =+
+= =+
+= This Is A TGS Presentation =+
+= www.TGS-Security.com =+
+= =+
+= =+
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-=Table Of Contents=-
Part One: Introduction
1. Introduction
1.A. Introduction
1.B. Shout Outs
1.C. Who Am I?
1.D. What Is TGS?
1.E. How Can I Join TGS?
1.F. Copyright Information
1.G. Disclaimer
2. Before We Start
2.A. What Is This?
2.B. What Will This Teach Me?
2.C. Is This Considered Hacking?
2.D. Is This Illegal?
2.E. Common Used Terms
Part Two: Reconnaissance
1. Getting The Server Type And Version
2. Versions Found, What Now?
2.A. New Vulnerabilities
2.B. Old Vulnerabilities
3. Vulnerability Scanning
3.A. What Is Vulnerability Scanning?
3.B. What Tools Can I Use?
3.B.1. Retina Tutorial
3.B.2. X-Scan Tutorial
3.B.3. WebChk
3.C. What Will These Tools Do?
3.D. Is Scanning Illegal?
4. Found Vulnerabilities: Researching
5. Brute Forcing
5.A. What Is Brute Forcing?
5.B. How Fast Will Brute Forcing Work?
5.C. How Effective Is It?
5.D. How Easy Is It To Catch A Brute Forcer?
5.E. What Tools Can I Use?
5.E.1. Brutus Tutorial
5.E.2. Homemade Brute Forcing Programs
5.F. Would You Suggest This?
6. Open Source Hacking
6.A. Finding Target Usernames On Their Website
6.B. Manual Searching
6.C. What Tools Can Be Used To Do This?
6.C.1. Sam Spade Tutorial
7. Indexed Out Files Catching
7.A. What Is This?
7.B. How Much Of A Payload Will This Give Us?
7.C. What Programs Can I Use To Do This?
7.C.1. IntelliTamper Tutorial
7.D. What Should I Look For While Doing This?
8. Getting Lucky
8.A. Example: FTP
Part Three: Making The Hack
1. Getting In
3. What To Do Once You’re In
4. Getting The Fuck Out
Part Four: Wrapping It Up
1. Contact Information
2. Joining TGS
3. Shout Outs
-=Part One: Introduction=-
-=Introduction=-
Welcome. First I’d like to say, thanks for reading this tutorial...
Though this is generally directed at the Newbies, I’m assuming that all of you “313375" out there will learn something as well. Please read this with an open mind, and remember that you aren’t going to learn anything unless you actually read it, rather than just look at the pictures.
-=Shout Outs=-
Yes, that’s right, what would a R@v3n tutorial be without the ever popular Shout Out section?
Alright, I’d like to give shout out to all my TGS brothers and friends, including: -=Vanguard=-, ICU*M8, The_IRS, Fanatical_Red, The_Messiah, Phlame, Fazza, Computer Geek, Kodaxx, Mr.Mind, TGIF15, NoUse, PuRe, Buali, Jenkins, SiLeNt, DeStRuCtIoN, GluTuk, WebMonster, Anubi, Mr.Crowley, and Slardy.
Right... I think that’s everyone... If I forgot someone, you’ll have to forgive me.
-=Who Am I?=-
I am Th3 R@v3n, founder of TGS (The Goon Squad), owner of TGS-Security.com, admin of the library.2ya.com forums, admin of the Elite Shadows forums, and a large contributor to PuRe’s Escape.
-=What Is TGS?=-
TGS is a group of people (with a “brother” relationship) who explore the field of computer security. In basic terms (for all you stupid people out there), we’re a hacking group.
TGS was originally founded by myself, with the co-ownership of -=Vanguard=- (who is either hiding, or getting ass raped in prison). “Vanny” was arrested last year around February and (somehow) he disappeared from my grasp.
Since Vanguard’s departure, he left it with me to ensure that his “pet”, ICU, found a place in TGS. I’m fulfilling that promise by taking this time to declare ICU*M8 the “vice pres” of The Goon Squad... Congrats mate.
-=How Can I Join TGS?=-
There’s a few ways you can join TGS, but as Messiah can tell you, it’s not an easy task getting accepted.
To join, you have to prove to us that you know what the hell you’re talking about. Whether you give me a few tutorials written by yourself, complete a number of various tasks, or hack me (with my permission) while I drop my security to quite low, it’s your choice... But it’s not going to be possible for anything but an Intermediate - Veteran to complete... So Newbs are shit out of luck.
-=Copyright Information=-
This tutorial was written by Th3 R@v3n of TGS. I ask that you don’t take credit for what you didn’t do.
You may host this on your web server (as well as any of my other tutorials), as long as it stays completely intact (no editing) and I am given FULL CREDIT for the work.
If you’re planning on hosting it, I’d like to be told about it if it’s in any way possible. You can get a hold of me by e-mailing me at [email protected].
So Flowby, this means you can’t touch it, and if I see you did, death to you.
-=Disclaimer=-
This tutorial is strictly “Need To Know” to better improve the standards of security for today's world. I take absolutely NO RESPONSIBILITY for what you do with the information I provide.
Reading this doesn’t break any U.S. laws, but using the info does. If you get caught, you will go to jail, you will get butt raped, and it will not be fun.
Just learn from Master -=Vanguard=- and stay away... No need losing any more security experts to the cops.
-=Before We Start=-
This is the section that explains a few various questions that might be running through your head right now... If you already know what this is about (I’d hope so), then go ahead and skip through it.
-=What Is This?=-
I’m not sure... It looks like a computer to me...
This is a “security” tutorial that will take you through the basic steps of defacing a website (And if you have any sort of a brain, you can use the information in this to hack into a home box) and gaining control over a web server. I’ve provided a large amount of screen shots along the way, so you can get a good feel as to what it’s (relatively) supposed to look like.
This tutorial takes it from an aspect of a Windows XP computer, for the most part. I did try to provide pictures and examples for the good ole’ Linux users out there, but they might be a little less prevalent as opposed to the XP pics (NOTE: The Linux pics will be taken from a Redhat 8.0 box).
-=What Will This Teach Me?=-
This tutorial will explain the basics of the HTTP Protocol, the basics of the FTP protocol, how to scan for vulnerabilities using a few various tools, how to identify false positives, how to detect which OS a victim is using (using your brain), how to get a server’s software and version numbers, where to look for the newest exploits, how to run an exploit, how to do the defacing, where to place the backups (so you don’t hurt anything), how to scour a web page for passwords and possible usernames, how to destroy any logs that exist, how to Brute Force using Brutus, various ways to keep yourself anonymous, and a large number of other things.
I think this will be a good resource for the newbies of today to get an idea of some of the techniques that hackers use to gain access.
-=Is This Considered Hacking?=-
Well there’s two sides to that question really... It depends on who you ask and what they do for a living.
All news reporters, security techys (that don’t hack), principals, government officials, newbies, script kiddies, idiots and clowns will most likely tell you that website defacement is hacking only done by the “313375" (newbie language for “elite”).
All actual hackers, security people (who are involved in the hacking community), security programmers, and anyone with any sort of a clue will most definitely tell you that website defacement takes no sort of brains, no thinking process, no intelligence whatsoever.
Though the term “hacker” is fought about all the time, it’s accepted by most as someone who uses their brain to find new exploits and security vulnerabilities, someone who explores the security field, or someone who does an extreme amount of programming and has become very, very good at it (had to include the last part for “2th3f1ng3r”).
This is why defacing a website will get you nowhere in the hacking community if you’re looking for respect.
However, (many) hacker’s do give support to the people who deface a website for a particular reason that affects many people... For instance, take John William Racine II. Ole’ Johnny defaced the Al Jazzerra Website (among other things) and redirected the homepage to a page that played the Star Spangled Banner and had a flag waving with the words “Let Freedom Ring” under it... He was considered a great man by the hackers of America (which makes me curious as to why the fucking Government is making him face charges...?).
-=Is This Illegal?=-
Though not considered actual hacking and actually considered an ankle bite, it is extremely illegal. You get caught, you’re getting pie holed, simple as that. I suggest not doing it.
-=Common Used Terms=-
I figured that since some of you might not know a lot of the terms used here, I would put a quick dictionary to flip back to in case you get stuck.
1. Port - A number used in TCP/IP to identify which service on a host the data is being sent to.
2. HTTP Protocol - Usually port 80. It’s used by web servers to let browsers connect and download web pages from the server.
3. FTP Protocol - Used for file transfers, usually on port 21.
4. IP - The address computers use to communicate over the internet. Each computer has a specific one, and only one computer can use each IP.
5. Pie Holed - The act of getting ass raped in prison
There’s not a lot, since this tutorial is directed for the newbies out there, so that should take care of most of it.
-=Part Two: Reconnaissance=-
-=Getting The Server Type And Version=-
Alright, so the first thing you need to do is to find the server type and version so you can find new vulnerabilities that just came out, in an attempt to get it before the sysop updates.
To do this, you first need to open up Command Prompt (Ms-DOS).
There are many versions of Command Prompt, but it should look something like the picture in Figure 1.
Figure 1
Alright, now as something that you have a screen something like the one above, let’s move on.
First you need to ping your victim to see whether or not it’s alive (for web servers you really don’t need to worry about this, but I’m including it anyway).
In Command Prompt, type Ping www.yourhost.com (substituting yourhost.com for the domain name of the web server you plan on attacking) You should get something like the picture in Figure 2.
The picture in Figure 2 shows us that the victim responded to all four ICMP requests, and had an average round trip of 292 milliseconds (NOTE: I edited the picture so I wouldn’t have to deal with lawsuits... For the stupid people, the white patches shouldn’t be there).
Figure 2
So now that we know the host is alive, it’s time to run a quick port scan (ports 1-10001) using my favourite port scanner: Blues Port Scanner (you can get it at tgs-security.com, download.com, or library.2ya.com). Figure 3 shows a pic of Blues Port Scanner.
Figure 3
Once you’ve successfully downloaded and started Blues up, type www.yourvictim.com in both of the boxes (of course, substituting the URL for your real victim). Make sure that you’ve got ping check off (in case it’s been told not to accept ICMP messages) and antiflood on. Start Blues up.
Now it’s time to sit and wait while Blues does its magic. Depending on your internet speed, it will take from 15 seconds - 2 minutes. When it’s done, it will look like Figure 4.
Figure 4
You will notice in Figure 4 that port 80 is open. This is what you are looking for. If you find other ones, such as port 21 (ftp) or port 135 (NetBIOS), it’s all the better. We’ll cover port 21 later in the tutorial, and 135 you can learn about in my mate The_IRS’s NetBIOS tutorial.
Ok, so this is what we know now:
1. The computer/server is alive [ping].
2. The computer/server has port 80 open, among other ones [port scanning].
Alright, so now what you want to do is to figure out exactly what type of server they’re running. To do this, we’re going to use the popular program “Telnet” to connect to port 80 on the server. Now, I’m not going to teach the extensive bits of Telnet right now, so if you want to know more about what you can do with Telnet, get a copy of my “Telnet For Dummies” tutorial.
Open up your copy of Command Prompt again. Assuming you’re connected to the internet, type “telnet www.yourvictim.com 80", press enter, and wait. Figure 5 shows what it should look like before you press enter... Your Command Prompt screen should go blank (Figure 6); this indicates that it is connected. The screen goes blank because web servers were made to wait for their counterpart (the web browser) to ask them for what they want; this way you can go to different pages on the same web site!
Figure 5
The HTTP Protocol waits until the browser says “Get some file” and then two enters. After the two enters, it assumes the request is over, so it goes looking for the file. If It can’t find the file on the server space, then it feeds back the 404 error page.
However, when it gives the error page, it leaves you with a few things that you don’t actually see unless you’re the web browser (or us in this case). When it gives you a 404 error page, it also encloses the server information, current time and date, and, depending on the server type, a few other things.
So, we want to direct it to find a file that is not there so we can get its little secret. Wait until the blank screen (Figure 6) pops up, then type “Get adsfj” and press enter twice. You should get something like Figure 7.
Figure 6
If you got something like this, great!
Now we know:
1. The target is alive [ping]
2. The target has port 80 open, as well as others [port scan]
3. The target is running Apache 1.3.26 on port 80
4. The target charset is iso-8859-1
If you’ve completed this much, congrats! You’ve made your first step to defacing a website.
Figure 7
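The Server header that the telnet session above pulls out of the 404 page is sent on every response, not only error pages, and the server-side fix is to stop advertising versions (on Apache, ServerTokens Prod and ServerSignature Off reduce the header to “Server: Apache”). The following is an added example, not part of the original tutorial: a small Python parser for a raw HTTP response that reports which fingerprinting headers still carry a version number, so an administrator can check their own server’s replies. The first sample response is the Apache banner recorded in the X-Scan report later on this page, reassembled with CRLF line endings; the hardened response is constructed for this example.

```python
import re

# Constructed sample: the raw banner from the X-Scan report on this page,
# reassembled with CRLF line endings as a server actually sends it.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 20 Jun 2003 02:16:58 GMT\r\n"
    "Server: Apache/1.3.26 (Unix) mod_perl/1.27\r\n"
    "Last-Modified: Thu, 19 Jun 2003 13:53:40 GMT\r\n"
    "Accept-Ranges: bytes\r\n"
    "Content-Length: 16700\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# Constructed: what the same server answers after ServerTokens Prod and
# ServerSignature Off (only the product name survives in the header).
HARDENED_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Fri, 20 Jun 2003 02:16:58 GMT\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)

# Headers that commonly carry product names and version numbers (assumed list).
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "via")
VERSION_RE = re.compile(r"\d+\.\d+")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).
    Header names are lower-cased; the first blank line ends the header block."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP/1.x status line: %r" % lines[0])
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def version_disclosures(headers):
    """Return {header: value} for fingerprint headers that include a version number."""
    found = {}
    for name in FINGERPRINT_HEADERS:
        value = headers.get(name)
        if value and VERSION_RE.search(value):
            found[name] = value
    return found


def audit(raw):
    """Convenience wrapper: (status_code, disclosures) for one raw response."""
    status, headers, _ = parse_response(raw)
    return status, version_disclosures(headers)


if __name__ == "__main__":
    for label, raw in (("as shipped", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        status, leaks = audit(raw)
        print("%s: status %d, version disclosures: %s" % (label, status, leaks or "none"))
```

Hiding the version only raises the cost of the first step; the vulnerability scanners described below fingerprint by behaviour as well as by banner, so the header change is a complement to patching, not a substitute for it.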
-=OK, Versions Found, Now What?=-
-=New Vulnerabilities=-
Great! Now we need to take the next step to defacing the website.
To manually find vulnerabilities, you will want to catch the exploit before the sysop updates the server... The key is to run the exploit the first second you find it, which will mean you’re going to spend a lot of time watching security web sites. You can find exploit info at www.securityfocus.com, www.bugtraqer.com, and www.TGS-Security.com.
-=Old Vulnerabilities=-
Think you’ve got a lazy sysop on your hands? You might find happiness in trying out some old-but-recent vulnerabilities on the server you’re trying to hack.
There’s no telling how many times we’ve looked for hours at security, just to find out that the server has a 3 year old vulnerability that can be run in seconds! Don’t forget to run a few simple ones!
-=Vulnerability Scanning=-
-=What Is Vulnerability Scanning?=-
Vulnerability Scanning is using a tool (almost 100% of the time) to run through a list of preset possible exploits to try to find a problem in the victim server.
Vulnerability scanning is essential for those who are trying to break into a web server (or any other type of box for that matter).
-=What Tools Can I Use To Do This?=-
There is a vast number of tools that you can use to run your scans, but I’m only going to go through the ones that I like (duh! I mean, come on, why the fuck would I do a tutorial on a tool that I hate?). The tutorials will consist of a *quick* overview of the program’s usage and key functions, so I’m not going to go over every single detail.
-=Retina Tutorial=-
Alright, let’s start out with one of my favourites, called Retina.
Retina is a twenty five hundred dollar, corporate strength, 16 meg program. Fortunately for us (and everyone else who lacks the money to buy this program), there is a 15 day trial of this program that you can download from the website. I’m sure that there is also a vast majority of cracks for the program as well, but I don’t recommend fucking with eEye. You can download the trial at www.eEye.com and wait for the 16 meg download. 56k users, I know it’s going to take 2 ½ hours to download this, but I promise it’s worth it.
Once it’s downloaded, go through the painless installation, and start this baby up.
From the starting screen, it might be a bit confusing, so I took the time to put a simple map to the program with this tutorial (don’t you just love me?!?). You’ll see the map in Figure 8.
The program is actually pretty simple once you get the hang of it. It consists of four different tools to help you do this:
1. Browser
2. Miner
3. Scanner
4. Tracer
The Browser tool acts like a normal web browser, except it’s within the program.
The Miner runs through a list of about 25 thousand different file vulnerabilities (IE: The etc/pass vulnerability that was “1337" a few years ago). Your chances of finding something with this option depends on the security of the file, but with such a wide variety of vulnerabilities, your chances of finding one are pretty good.
Figure 8.
The Scanner is mainly what we will be focusing on. The list of vulnerabilities is quite up to date, and very in depth.
The Tracer basically runs a trace route to the victim, and then scans all of the hops along the way for slip ups in routers and DNS’s.
Now, let’s get moving. Type the victim name in the text bar along the top (TIP: Make sure that you are in “scanner” mode). You can find the bar on the map if you’re having trouble finding it. Before pressing “OK”, the screen should look like Figure 9.
Figure 9
After you get the victim name in the box, press Ok.
The scan should take anywhere from 1-10 minutes and will run a “stealth” (doesn’t connect) port scan, a ping scan, a trace route, OS detection, and a vulnerability scan.
After you get done scanning, it should look like something like Figure 10.
Figure 10
As you can see from Figure 10, Retina picked up a huge amount of vulnerabilities in the web-server! The audits marked with a red arrow indicate that the vulnerability has a “High” risk level, the ones with an orange box indicate a “Medium” risk level, the ones with a yellow arrow indicate a “Low” risk level, and the ones with a green “I” indicate an “Information” risk level.
By selecting a specific audit that Retina lists it will give you a summary of what this vulnerability risks, links to the website of the makers, and links to other various ways to help you learn more about this vulnerability.
By scrolling down the list, it will show you the open ports and the version numbers etc. that it gives. You can read more in depth about what port is doing what.
-=X-Scan Tutorial=-
X-Scan is a nice *free* tool that can be found in many places throughout the internet, but you can specifically find it at www.TGS-Security.com in the “programs” section.
X-Scan has a GUI and a Command Prompt version. Now, since I’m too afraid of the thousands of questions I’m going to get about the Command Prompt version, I’m going to show the GUI version.
Once you open the X-Scan GUI (Figure 11), you will be greeted with a nice explanation as to what you need to have to use the program, what it will do, how to use it, etc. You will notice a green arrow at the top, it is the “go” button. You use this button to proceed to the next screen, and to start your scanning from there. You can see the map in Figure 11.
Figure 11
Hit the “Scan Parameter” button so that a box like Figure 12 pops up. Enter your victim and mess around with the controls a little, then close it and press the green arrow; this will start the scanning.
Figure 12
The scanner will go through a number of different types of scans, and then stop. Once stopped, press the “report” button. This will bring up a box like Figure 13.
Figure 13
Now, press the “Detail” button to learn more about its findings. Since the results are so long, I just pasted the text instead of taking a Screen Shot to save time, energy, and size, among other things.
X-Scan v2.3 report
[Index]: "www.columbia.edu"
Port-Status
SNMP-Info
SSL-Vuln
RPC-Vuln
SQL-Server-Password
FTP-Password
NT-Server-Password
SMTP-Vuln
POP3-Password
HTTP-Vuln
IIS-Vuln
[NetBIOS-Info]
RemoteRegistryInfo NetServerGetInfo NetGetDCName NetServerTransportEnum NetSessionEnum
NetServerEnum NetServerDiskEnum NetShareEnum NetUserEnum NetLocalGroupEnum
NetGroupEnum NetFileEnum NetScheduleJobEnum NetUseEnum
--------------------------------------------------------------------------------
Detail
[Port-Status]
Port 22 is opened: SSH, Remote Login Protocol
[Banner]
SSH-1.99-OpenSSH_3.4p1
[End of banner]
Port 21 is opened: FTP (Control)
[Banner]
220 osiyou FTP server (Version 5.60) ready.
[End of banner]
Port 80 is opened: HTTP, World Wide Web
[Banner]
HTTP/1.1 200 OK Date: Fri, 20 Jun 2003 02:16:58 GMT Server: Apache/1.3.26 (Unix) mod_perl/1.27 Last-Modified: Thu, 19 Jun 2003 13:53:40 GMT ETag: "2797a-413c-3ef1c064" Accept-Ranges: bytes Content-Length: 16700 Connection: close Content-Type: text/html
[End of banner]
Port 13 is opened: Daytime
[Banner]
Thu Jun 19 22:16:59 2003
[End of banner]
Port 23 is opened: Telnet
[Banner]
ÿý%
[End of banner]
Port 37 is opened: Time
[Banner]
Âœí
[End of banner]
Port 79 is opened: Finger server
[Banner]
Login Name TTY Idle When Where culpub C U Libraries Public pts/0 12d Sat 09:58
[End of banner]
Port 443 is opened: HttpS, Secure HTTP
[Banner]
[None]
[End of banner]
Plugin category: PORT
Plugin name: Port-Status
Plugin author: glacier
Plugin version: 1.7
Risk rank: lower
Description: "xfocus" vulnerability search engine "xfocus" exploit search engine
--------------------------------------------------------------------------------
[SNMP-Info]
--------------------------------------------------------------------------------
[SSL-Vuln]
--------------------------------------------------------------------------------
[RPC-Vuln]
--------------------------------------------------------------------------------
[SQL-Server-Password]
--------------------------------------------------------------------------------
[FTP-Password]
ftp/[Blank password]
Plugin category: FTP
Plugin name: FTP-Password
Plugin author: glacier
Plugin version: 1.1
Risk rank: high
Description: "xfocus" vulnerability search engine "xfocus" exploit search engine
--------------------------------------------------------------------------------
[NT-Server-Password]
--------------------------------------------------------------------------------
[NetBIOS-Info]
--------------------------------------------------------------------------------
[SMTP-Vuln]
--------------------------------------------------------------------------------
[POP3-Password]
--------------------------------------------------------------------------------
[HTTP-Vuln]
/search [Search description]
/robots.txt [Search description]
/library/ [Search description]
/cgi-bin/aglimpse [Search description]
/cgi-bin/finger [Search description]
/cgi-bin/nph-test-cgi [Search description]
/cgi-bin/test-cgi [Search description]
Plugin category: HTTP
Plugin name: HTTP-Vuln
Plugin author: glacier
Plugin version: 1.4
Risk rank: high
Description: "xfocus" vulnerability search engine "xfocus" exploit search engine
--------------------------------------------------------------------------------
[IIS-Vuln]
--------------------------------------------------------------------------------
Complete
Now, this gives us some great information to go off of in the future.
-=WebChk Tutorial=-
Now on to WebChk.
WebChk is good for scanning the basics. The main feature that people like WebChk for is its ability to let you try out your own exploits to see if they work.
You can get a copy of WebChk at www.TGS-Security.com.
Once you get it and start it up, you should see something like Figure 13, and you can see the map of WebChk in Figure 14.
Figure 13
Figure 14
The usage of this program is pretty simple. You enter the name of the victim in the box labeled “Host”, and change your exploits accordingly.
When you run a test, the result will appear in the bottom right next to the word “Result”.
Figure 15, Figure 16, and Figure 17 show positive vulnerabilities, while Figure 18 shows one that the server is not vulnerable to.
Figure 15
Figure 16
Figure 17
Figure 18
-=What Will These Tools Do?=-
As mentioned before, these tools will scan the given domain/IP for a known vulnerability that you can exploit.
They will not exploit it for you, so to actually make use of the information it provides you, you will need to do a little research.
-=Is Scanning Illegal?=-
I guess it depends on where you live and what your intention of scanning is.
If you’re a network administrator, scanning your network for vulnerabilities, then of course it’s not...
If you’re in the U.K. and you’re scanning for vulnerabilities to hack, then (to the best of my knowledge), you’re breaking some laws.
Although in the U.S. scanning isn’t illegal, it does well at freaking out network administrators looking for possible attackers... This is why you should always watch what ISP and IP you’re running from.
-=Found Vulnerabilities: Researching=-
-=What Web Sites Will Explain Vulnerabilities?=-
There are a number of Web Sites that have vulnerability databases, so I’m not going to be telling all of them. However, here are a few that I’ve found to be the most helpful: www.icat.nist.gov, www.rootshell.com, www.securityfocus.com, www.iss.net, and www.osvdb.org. My experience with these is that they have always proven to be quite good at providing me the information that I need.
The Web Pages should give you everything that you need; however, if you’re having trouble, send me a message at: [email protected]
-=Brute Forcing=-
-=What Is Brute Forcing?=-
Brute forcing is basically using a combination of user names and passwords repeatedly in an attempt to find a match. You can Brute Force anything from passwords, to credit card numbers, to social security numbers... The only limit is your creativity!
-=How Fast Will Brute Forcing Work?=-
The time you spend Brute Forcing ultimately depends on the strength of the passwords that you are trying to get. If the person’s password is “password”, then you’re going to guess it within the first 10 minutes. However, if the person’s password is “135b1@n5_ru13_113nig5", then you’re going to spend days, years trying to guess it, unless it is in the password list. To guess something that difficult, you’re going to try to guess every combination of letters and numbers imaginable... Which will take a very long time.
-=How Effective Is It?=-
Theoretically, Brute Forcing is probably the most effective way to steal a password... Though it is very easy to catch the person if they have shitty security, and if the password is very complicated, you’re fucked.
The thing that makes it so effective is the fact that it has the option to try every single possible password, even though it takes a great amount of time to do this.
-=How Easy Is It To Catch A Brute Forcer?=-
If the person/organization you’re trying to crack has any idea about security, chances are they check logs. By opening the logs of the server they’re running (IE: Telnet, FTP, etc.) they can see all of the attempted passwords and user names, making it quite obvious that you’re trying to break in.
The person would then have to find your IP from the logs, extract it, trace you, then call your ISP. Though this might seem like a lot of work, it isn’t.
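What the log check described above looks like when it is automated, as an added example that is not from the tutorial: a Python detector that parses sshd-style syslog lines and flags any source address with five or more failed passwords inside a five-minute sliding window, together with the list of usernames it cycled through (the username churn is what separates a brute forcer from one person mistyping). The log lines are constructed for this example (the host name is borrowed from the FTP banner quoted on this page; the addresses come from the documentation ranges); the threshold, the window and the 2003 year are assumptions to tune for the site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (syslog format, sshd "Failed/Accepted password" lines).
# "osiyou" is the host name from the FTP banner quoted on this page;
# 198.51.100.7 and 203.0.113.9 are documentation addresses, not real hosts.
SAMPLE_LOG = """\
Jun 19 22:10:01 osiyou sshd[1201]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jun 19 22:10:03 osiyou sshd[1203]: Failed password for root from 198.51.100.7 port 40212 ssh2
Jun 19 22:10:04 osiyou sshd[1205]: Failed password for admin from 198.51.100.7 port 40213 ssh2
Jun 19 22:10:06 osiyou sshd[1207]: Failed password for invalid user test from 198.51.100.7 port 40214 ssh2
Jun 19 22:10:09 osiyou sshd[1209]: Failed password for webmaster from 198.51.100.7 port 40215 ssh2
Jun 19 22:10:11 osiyou sshd[1211]: Failed password for root from 198.51.100.7 port 40216 ssh2
Jun 19 22:14:30 osiyou sshd[1240]: Failed password for culpub from 203.0.113.9 port 51002 ssh2
Jun 19 22:14:52 osiyou sshd[1241]: Accepted password for culpub from 203.0.113.9 port 51003 ssh2
Jun 19 23:30:00 osiyou sshd[1300]: Failed password for root from 198.51.100.7 port 40300 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3})"
)


def parse_line(line, year=2003):
    """Return (timestamp, result, user, ip), or None for lines that are not auth events.
    Syslog omits the year, so the caller supplies it (assumed 2003 here)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    return ts, m.group("result"), m.group("user"), m.group("ip")


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag every source IP that produces `threshold` or more failed logins
    inside any `window`-long sliding interval.
    Returns {ip: (failures in the window when first flagged, sorted usernames tried)}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    tried = defaultdict(set)      # ip -> every username that address has failed on
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        tried[ip].add(user)
        while ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = (len(q), sorted(tried[ip]))
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_LOG).items():
        print("%s: %d failures in window; users tried: %s" % (ip, count, ", ".join(users)))
```

The tutorial lists destroying logs as part of the attacker’s routine, so a detector like this is only as good as the copy of the log it reads: forward authentication logs to a separate host as they are written, so the record survives a compromise of the server itself.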
-=What Tools Can I Use?=-
Although there are a large number of Brute Forcing tools that you can use, I’m going to discuss my favourite: Brutus.
You can download Brutus at www.hoobie.net in the downloads section. When you get it, unpack it and start it up.
Also, you’re going to need a good password list if you plan to do anything with Brutus. The one that comes with it is OK, but you might need a more complicated one... You can download a password list with over 15 million passwords, compliments of The_IRS and Computer Geek, at: ftp://passwordfile:[email protected]/
-=Brutus Tutorial=-
Assuming you’ve downloaded Brutus, and you’ve got the password file, let’s get started.
When you open Brutus, you should get a screen that looks something like Figure 19.
Figure 19
The interface is quite easy to get used to. Put the domain or the IP address in the top bar labeled target. Select the type of service you wish to crack, the port (usually automatically selected by the type of service), user name file, and password file.
For this example, we’re going to set it up to crack some passwords of www.yourvictim.com, we’re going to make it try to stay connected as long as it can, the user name file will be users.txt, and the password file will be words.txt. If you set it up right, you should get something like Figure 20.
You’ll notice I spray painted (Hey! Back to my old habits!) the major changes in Figure 20.
Figure 20
Another feature that you might want to know about, is the option to use a proxy to improve your anonymity. To use this feature, press the “Proxy” button. You should get a box that pops up like Figure 21.
Figure 21
Enter the proxy type by pressing the drop down box, then enter the proxy address, and the proxy port. If the proxy requires authentication, you can put the username and password in the specific box. Now press OK and run Brutus.
When Brutus finds a match, there will be a box with the matches in it. Not very hard to run.
-=Homemade Brute Forcing Programs=-
If you’re good with programming in C++, Java, Delphi, or VB, I’d suggest thinking about making some Brute Forcing programs yourself. Doing this, you can speed up the Brute Forcing process by customizing different things in your program.
-=Would You Suggest This?=-
If you have read many various tutorials and have tried many different ports and have gotten nowhere, go ahead. The reason I wouldn’t do this first, is because it’s so simple and obvious to network administrators that someone is trying to break in. Sending up red flags in a sysop’s mind is not a good idea because it could convince them to beef up on security, making it harder for you!
-=Open Source Hacking=-
-=Finding Target Usernames On Their Website=-
Believe it or not, a web site is a wonderful place to find usernames, e-mail addresses, and sometimes even passwords for a target organization. Passwords and other hidden information might be found in the source code, as I’m sure they aren’t going to put it on the web page itself.
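The same search run from the publisher’s side, as an added example that is not the author’s code: a Python pre-publish check that scans a page’s source for e-mail addresses, credentials embedded in URLs, HTML comments that mention passwords or open TODOs, and JavaScript that compares user input against a string literal, which is exactly the pattern in the hacking-game source quoted further down. The sample HTML is constructed for this example and uses the reserved .invalid domain; the patterns are assumptions that cover the common cases, not an exhaustive list.

```python
import re

# Constructed sample page for this example, modelled on the hacking-game source
# quoted further down this page; all addresses use the reserved .invalid TLD.
SAMPLE_HTML = """\
<html><head><title>Members</title></head>
<body>
<!-- TODO: ask webmaster@example.invalid to move the password check server-side -->
<script language="JavaScript">
function password() {
  Ret = prompt('Please enter your password:', "");
  if (Ret == "123456") {
    location = 'hack12.html';
  } else {
    alert("Incorrect Password... That's a Sad Attempt.");
  }
}
</script>
<a href="mailto:admin@example.invalid">Contact</a>
<a href="ftp://upload:letmein@files.example.invalid/">Uploads</a>
</body></html>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# user:password@ embedded in an ftp/http URL
URL_CRED_RE = re.compile(r"\b(?:ftp|https?)://([^\s/:@]+):([^\s/@]+)@", re.I)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# identifier == "literal" or identifier === 'literal' inside a script block
LITERAL_CMP_RE = re.compile(r"""\b(\w+)\s*===?\s*(['"])([^'"]*)\2""")
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
COMMENT_FLAG_RE = re.compile(r"\b(?:todo|fixme|password|passwd|pwd)\b", re.I)


def audit_source(html):
    """Return a list of (kind, evidence) findings for things a public page should not carry."""
    findings = []
    for m in URL_CRED_RE.finditer(html):
        findings.append(("url-credential", "%s:%s" % (m.group(1), m.group(2))))
    # Strip URL credentials first so "user:pass@host" is not re-reported as an e-mail.
    stripped = URL_CRED_RE.sub("", html)
    for m in EMAIL_RE.finditer(stripped):
        findings.append(("email", m.group(0)))
    for script in SCRIPT_RE.findall(html):
        for name, quote, literal in LITERAL_CMP_RE.findall(script):
            findings.append(("literal-compare", "%s == %s%s%s" % (name, quote, literal, quote)))
    for comment in COMMENT_RE.findall(html):
        text = " ".join(comment.split())
        if COMMENT_FLAG_RE.search(text):
            findings.append(("comment", text))
    return findings


if __name__ == "__main__":
    for kind, evidence in audit_source(SAMPLE_HTML):
        print("%-16s %s" % (kind, evidence))
```

A literal-compare hit is the important one: any check that runs in the visitor’s browser ships its secret with the page, so the only fix is to move the comparison to the server and keep nothing in the HTML but the form that submits to it.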
-=Manual Searching=-
For this example, we’re going to use a “hacking game” web page. You can open up the test at: www.homepage.eircom.net/~level12/11.html
As soon as the page loads you’ll see something like Figure 22.
Figure 22
Press the “Password Hack” link and you’ll notice a box like Figure 23 pop up asking you for a password.
Figure 23
Now, we of course don’t know the password (what would be the fun of that?), so we decide to figure it out. By typing in the incorrect password, you’ll see a box like Figure 24 pop up telling you that you suck (and you do).
OK, so you think to yourself: “I know how to do this! It’s just JavaScript! The pass is in the source code!”... Hey! You’re right! So you right click on the web page to access the source code, and you’re greeted with a box like Figure 25.
Damn... He thought of that... So you have to find some way of getting to the source code... Ah! Hit view/source (Figure 26), and get a text file like Figure 27.
Figure 26
Figure 27
You’ll notice that hitting that doesn’t give us the source for what we wanted, it gives us the source for the top Frame!
After getting over the fit of anger, you read through the script and notice a link pointing to a file called “hack1.html”.
Put hack1.html in replace of the ending of the other link at the top of your browser, and get taken to what seems to be the exact same page. However, go to view/source again and get the script of the bottom Frame!
This is the script, I will bold and underline the important part:
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<meta name="Author" content="GUESS WHO">
<meta name="GENERATOR" content="Microsoft FrontPage Express 2.0">
<title>Hack2</title>
<bgsound src="gaa.mid" loop="infinite">
</head>
<body bgcolor="#000000" text="#FF7E0B" link="#CD853F"
vlink="#AA5200" alink="#CD853F">
<script LANGUAGE="JavaScript">
<!--
function click() {
if (event.button==2) {
alert('This is easy you said to yourself! I will just check the source (lol) I will keep an eye on you!');
}
}
document.onmousedown=click
// -->
</script>
<center>
<applet code="PopMenu" width=400 height=29>
<param name="labelpos" value="right">
<param name="target" value="_self">
<param name="src0" value="ball1.gif">
<param name="text0" value="Home">
<param name="href0" value="main.html">
<param name="src1" value="ball1.gif">
<param name="text1" value="Introduction..">
<param name="href1" value="index22.html">
<param name="src2" value="ball1.gif">
<param name="text2" value="Forum">
<param name="href2" value="http://pub50.ezboard.com/bharryshacktest">
<param name="src3" value="ball1.gif">
<param name="text3" value="Test">
<param name="href3" value="11.html">
<param name="src4" value="ball1.gif">
<param name="text4" value="Tools">
<param name="href4" value="http://homepage.eircom.net/~headhunterkill/side.htm">
<param name="src5" value="ball1.gif">
<param name="text5" value="Members">
<param name="href5" value="login.html">
</applet></center>
<p align="center"><br>
<HR WIDTH="100%"></p>
<script language="JavaScript">
<!-- Beginning of JavaScript -
function password() {
Ret=prompt('Please enter your password:',"");
if(Ret=="123456") {
location='hack12.html';
} else {
alert("Incorrect Password... That's a Sad Attempt.")
}
}
// - End of JavaScript - -->
</script>
<dl>
<div align="center"><center>
<dt><font color="#FF8000" size="7"
face="Comic Sans MS,Verdana,Arial,Helvetica"><b>Welcome!
Test Your Skill</b></font></dt>
</center></div>
<dd><br>
<br>
</dd>
<div align="center"><center>
<dt><font face="Comic Sans MS,Verdana,Arial,Helvetica">Level
One Attempt!!</font></dt>
</center></div><div align="center"><center>
<dt><font face="Comic Sans MS,Verdana,Arial,Helvetica">Well
time for you to start to learn...</font></dt>
</center></div>
<dt><a href="javascript:password()"><font
face="Comic Sans MS,Verdana,Arial,Helvetica">Password
Hack</font></a></dt>
<dt><font face="Comic Sans MS,Verdana,Arial,Helvetica">This
is a beginner, or level one or whatever you want to call
it. Break in, and it will give you instructions on how to
take the next step... no, unfourtunatley, there is no
prize for hacking here! Just your pride! </font></dt>
<dd><br>
<br>
<br>
<br>
<br>
<br>
<p><font size="1" face="Arial">Copyright © 2001 - Harry
Murphy<br>
All Rights Reserved<br>
Webmaster: Harry Murphy - </font><a
href="mailto:[email protected]"><font size="1"
face="Arial">[email protected]</font></a></p>
</dd>
</dl>
</body>
</html>
So, now we know that the password is 123456.
Congratulations! You’ve just made a hack... Kinda
-=What Tools Can I Use To Do This?=-
Like everything else, there are a lot of different programs that you can use to do this... Though I’m only going to show you my favourite: Sam Spade
-=Sam Spade Tutorial=-
Among the hundreds of possible uses for Sam Spade is its ability to crawl a web page looking for hidden values, e-mail addresses, usernames, links, and all sorts of fun stuff. It can also mirror the web page into a directory.
Start up SS. You will see something like Figure 28.
Figure 28
Press the “Tools” button and then hit the “Crawl Website” button. You should see a box like Figure 29.
Enter the URL of the website you wish to crawl in the box at the top. Then check “Include Headers” and “Include Inline Images”... Next, check “Search Website For”, and then “Email Addresses” and “Hidden Form Values”.
Figure 29
Figure 30
Hit OK, and Sam Spade will start scouring the website for the information you told it to look for. Figure 30 shows Sam Spade in action.
Save the list you get and use it as a username list for your brute forcing.
-=Indexed Out File Catching=-
-=What Is This?=-
Indexed Out File Catching is when you pick through a web server’s directory listings and find the indexed files that the owners don’t want you to see.
-=How Much Of A Payload Will This Give Us?=-
This can provide us with many, many things, as you will see in our examples. This method can be one of the deadliest next to exploits.
-=What Programs Can I Use To Do This?=-
-=IntelliTamper Tutorial=-
The best program that I’ve ever run across for this method is called IntelliTamper. You can download a copy at www.intellitamper.com.
After you download it, start it up. If you’re anything like me, you should see something like Figure 31.
Figure 31
One of the best things about IntelliTamper is the fact that it works pretty well right out of the box. Unless you want to specialize it to be absolutely perfect, just enter the URL into the address bar and hit the go button.
Depending on how insecure the web server is, it should take 3-20 minutes to run the scans. It grabs all the files and puts them in a directory listing on the left side of the program. You can browse around like you’re browsing through Explorer.
Figure 32 shows what IntelliTamper will look like after it gets done indexing the web server. You can see the many files it grabbed onto.
Figure 32
Alright, so we’ve explored all of the server that we possibly can... Time to see what we can do with it.
Running through the files that IntelliTamper indexed, you run across a .mdb (database file). Always try and get a copy of this file.
The file in question is StJohns.mdb. Basically, it is the database for the web site you’re hacking. All the data that someone wants is stuck into this database...
Think back to the past 10 web sites that you’ve visited. Now think how many of these web pages have databases that are commonly in use. 8 out of the last 10 web pages that I’ve been to, have had databases, and what’s worse, I’ve used them!
The impact that this attack has on web pages/servers is quite significant!
Figure 33
Alright, now go ahead and download the file by right-clicking it and pressing download, or double-clicking the file. Depending on the size of the file, the speed of the server, the speed of your internet connection, and the speed of its internet connection, the download might take a while. Since I’m on a 56k dial-up and the file is 1245 KB, this will take me about 10 minutes.
Now is the time that you might have to use your brain. Since some of the files you download (.pl, .db, .mdb) are specific to a web server, your computer might not be able to associate this file type with a program. Fortunately, during my researching of the web page (another reason why the more information you have on the target, the better), I know that the server uses Access databases.
Open the file with either Microshit Access or Excel (some program, just more money for Bill Gates, in my mind) and browse through the file.
Now, since I’ve got a deep-seated hate for the Microsoft products (yes, even Windows... I sound like a hypocrite, don’t I?), I’d like to thank my buddy John for allowing (kind of) me to use his computer (*cough*stoleit*cough*) for a few days.
This .mdb holds multiple databases (tables) in one file. Accordingly, you have to decide which section you want to go to. This database has 6 sections (Figure 34). I’ll take you through each one to tell you what they include and what you can get from them.
Figure 34
The first part that we are going to go through is the first one on the list: Cadet Details. Now, if you haven’t picked up on it yet, the example that I’m giving you is the web server for a military school... Why this target? Because I hate schools, and I hate the military, so it’s a double pun.
Double-clicking on Cadet Details, the database will appear. Scroll through the database and look at the information that it provides you (NOTE: I split the pictures up since it couldn’t all fit on one screen. The pics for Cadet Details are Figures 35-36).
Figure 35
Figure 36
I can hear all the crackers and script kiddies of the world drooling from here. This database alone provided us with multiple names, social security numbers, places of birth, birth dates, fax numbers, phone numbers, cell phone numbers, websites, zip codes, addresses, and many other bits of information that someone could use to steal another person’s life and possessions. Don’t get too excited yet, this is just the beginning.
If you go back to the beginning screen, you’ll see the next item on the list is “Cadet History”.
Once open, you’ll see the answers to multiple yes-no questions about the kid, as well as a few comments by the parents (I especially like the entry: “he’s a crack head”). Figure 37 shows the database.
Figure 37
The next item on the list is “Email Merge”... I opened the database and didn’t find it of any importance... At all... So I thought I’d save time, space, and energy by not including it in the tutorial.
Checking the DB list, we find that “Inquiry” is the next database that we need to open. Inquiry is bigger than most of the other ones, so it spans Figures 38-41.
Figure 38
Figure 39
Figure 40
What’s this? Even more personal info about someone we don’t even know, who doesn’t know us, that some evil person could use to commit felonies? Damn, some people put a little bit too much trust into companies! Though this is very, very nice, this isn’t even the worst of it! Read on!
The next database on the list is “Parent Agreement”. This database spans Figures 41-42.
Figure 41
Figure 42
Wow... Now this is even more than any Script Kiddie could imagine! Not only do they disclose enormous amounts of personal details, but it also gives us credit card numbers, created dates, and expiration dates!
That’s not all though. We still have one more database to scour, Parent Details... Parent Details spans Figures 43-46.
Figure 43
Figure 44
Figure 45
Figure 46
This database gives us even more juicy information to keep in mind. As you can tell, I blocked out a great deal of the pics... Legal issues...
Now, in the wrong hands, this information could be most deadly... Fortunately, I’m a respectable person, so I’m going to take the right actions after checking the security even more...
I put in a phone call to the security administrators, the military school head honchos, as well as the people in the database, to tell them that lots of information that should be hidden, isn’t.
I recommend that you do this every time you make a hack. After all, the point of security is improving it.
-=What Should I Look For While Doing This?=-
Always keep an eye open for any files that are out of the ordinary, including .pl, .bat, .db, .mdb, .exe, and any unlocked CGI folders or something of the kind. If you aren’t familiar with the file, download and view it (after running it with a virus scanner).
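What the IntelliTamper walk above looks like from the server side, as an added example that is not part of the original tutorial: a Node.js review of web server access logs (Apache/nginx combined format) that reports successful downloads of the file types listed above and clients whose distinct-path count looks like a site walk rather than a visit. The log lines, client addresses, user agent string and threshold are constructed for the example.

```javascript
// Added example, not from the original tutorial. Node.js, no dependencies.

// File types the tutorial tells the reader to look for, plus .bak and .log,
// which it mentions later. A 2xx response for any of these deserves a look.
const SENSITIVE_EXT = new Set(['mdb', 'db', 'pl', 'bat', 'exe', 'bak', 'log', 'sql']);

// Constructed sample lines (not real traffic): one client walks the site and
// then pulls the Access database that a directory listing exposed.
const SAMPLE_LOG = `
203.0.113.5 - - [12/Feb/2003:02:11:03 +0000] "GET / HTTP/1.0" 200 4120 "-" "IntelliTamper"
203.0.113.5 - - [12/Feb/2003:02:11:04 +0000] "GET /data/ HTTP/1.0" 200 861 "-" "IntelliTamper"
203.0.113.5 - - [12/Feb/2003:02:11:05 +0000] "GET /data/StJohns.mdb HTTP/1.0" 200 1274880 "-" "IntelliTamper"
203.0.113.5 - - [12/Feb/2003:02:11:06 +0000] "GET /cgi-bin/form.pl HTTP/1.0" 200 2210 "-" "IntelliTamper"
203.0.113.5 - - [12/Feb/2003:02:11:07 +0000] "GET /index.html.BAK HTTP/1.0" 404 512 "-" "IntelliTamper"
198.51.100.7 - - [12/Feb/2003:02:15:40 +0000] "GET /index.html HTTP/1.0" 200 4120 "-" "Mozilla/4.0"
198.51.100.7 - - [12/Feb/2003:02:15:41 +0000] "GET /ball1.gif HTTP/1.0" 200 1310 "-" "Mozilla/4.0"
`;

// client, ident, user, [time], "method path protocol", status, bytes, ...
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Extension of the request path, ignoring any query string, lower-cased.
function extensionOf(requestPath) {
  const clean = requestPath.split('?')[0];
  const dot = clean.lastIndexOf('.');
  return dot === -1 ? '' : clean.slice(dot + 1).toLowerCase();
}

// Returns sensitive files that were actually delivered (2xx) and clients that
// requested at least crawlThreshold distinct paths (a site walk, not a visit).
function reviewAccessLog(text, crawlThreshold = 4) {
  const exposures = [];
  const pathsByClient = new Map();
  for (const raw of text.split('\n')) {
    const rec = parseLine(raw.trim());
    if (!rec) continue;
    if (!pathsByClient.has(rec.client)) pathsByClient.set(rec.client, new Set());
    pathsByClient.get(rec.client).add(rec.path);
    if (rec.status >= 200 && rec.status < 300 && SENSITIVE_EXT.has(extensionOf(rec.path))) {
      exposures.push({ client: rec.client, path: rec.path, time: rec.time });
    }
  }
  const crawlers = [...pathsByClient]
    .filter(([, paths]) => paths.size >= crawlThreshold)
    .map(([client, paths]) => ({ client, distinctPaths: paths.size }));
  return { exposures, crawlers };
}
```

A 404 for a sensitive name (the .BAK line above) is not counted as an exposure, but it still contributes to that client's path count.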
-=Getting Lucky=-
Sometimes, a network administrator will leave a port or service open that will give you great results. I’m assuming that you’ve read my “Telnet For Dummies” tutorial, so you should have a good knowledge of how to telnet. I recommend telnetting into every open port and service to see if someone left something open accidentally.
Also, try mapping the open ports to the general services that run with it. Try to grab the banners (what appears after connecting to the port) and see if you can’t map some services... There are also some tools out there that provide help for doing this. For instance: NMAP does a general check, as well as Retina.
-=Example One: FTP=-
I’m going to connect to the FTP port of the given target. The target is running an FTP service that allows anonymous connections.
After connecting to the host, I log in as anonymous, and check to see if there is anything I can do. To save space and time, I’ve just made the conversations text, rather than pictures.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\David>ftp www.sjms.org
Connected to www.you’revictim.org.
220 sjms.worldkom.biz FTP server ready
User (www.you’revictim.org:(none)): anonymous
331 Anonymous login ok, send your complete email address as your password.
Password:
230-Welcome to the Anonymous FTP Archive!
230 Anonymous access granted, restrictions apply.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw------- 1 user group 43 Feb 6 23:33 .welcome
drwxr-xr-x 2 user group 512 Feb 6 23:33 pub
-rw------- 1 user group 30720 Feb 12 02:11 user and password list
226-Transfer complete.
226 Quotas off
ftp: 209 bytes received in 0.05Seconds 4.18Kbytes/sec.
ftp> get .welcome
200 PORT command successful
150 Opening ASCII mode data connection for .welcome (43 bytes)
226 Transfer complete.
ftp: 44 bytes received in 0.14Seconds 0.31Kbytes/sec.
ftp> get user and password list
200 PORT command successful
150 Opening ASCII mode data connection for user and password list (30720 bytes)
226 Transfer complete.
ftp> cd pub
250 CWD command successful.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
226-Transfer complete.
226 Quotas off
ftp> cd ..
250 CWD command successful.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rw------- 1 user group 43 Feb 6 23:33 .welcome
drwxr-xr-x 2 user group 512 Feb 6 23:33 pub
-rw------- 1 user group 30720 Feb 12 02:11 user and password list
226-Transfer complete.
226 Quotas off
ftp: 209 bytes received in 0.03Seconds 6.97Kbytes/sec.
ftp> goodbye
Invalid command.
ftp> quit
221 Goodbye.
C:\Documents and Settings\David>
So basically, in the few seconds that I was connected, I got on and stole all the usernames and passwords for that web server... Quite a profit for a few seconds’ work, eh?
-=Getting In=-
Chances are, the exploit you have (assuming you’re using one) has a readme file. If not, search the internet for an explanation of what it is and how to use it. I’m not going to go over all of them, because there are hundreds of thousands, and I’m simply too damned lazy to do so.
Set your security up, take down your firewalls, and run the exploit. Simple as pie (no, not 3.14....). If the detection wasn’t a false positive, then it should work and will in turn give you access. You’re in!
-=What To Do Once You’re In=-
Depending on what kind of access you have, what your user attributes are, and what the exploit (assuming you used an exploit) gave you when you ran it, there are multiple things you can do.
If you just want to be an idiot and deface the webpage, use my "HTML For Newbies" tutorial on how to create simple webpages using HTML. If you already know how to code, then write a page saying what you want it to say (IE: I used *this* vulnerability, shout outs, etc.) and save it in the same format as the web server’s home page. Chances are that it is saved as "index.html" or "index.htm"... There are multiple other ways it could be, but for simplicity’s sake, I’ll just tell you to do that.
Once you’ve made your version of what the homepage should look like, RENAME THE ORIGINAL COPY OF THE HOME PAGE AS "name.BAK". This will ensure that you didn’t damage the webpage, and might save you some jail time down the road if you get caught. Remember to include it in your copy of the webpage for the stupid administrators, so they know that you didn’t hurt anything and you saved a backup of their file.
-=Getting The Fuck Out=-
Should be simple enough... If you’re in FTP, type bye. If you’re in Telnet, type quit. Most other applications will take quit as a command and disconnect you. DON'T FORGET TO CLEAN YOUR LOGS BEFORE YOU DISCONNECT FROM THE SERVER. Most are saved as .log files or log.txt files.
If you’re on dialup, remember to close your connection and reconnect so you can grab another IP.
For the broadband internet users, follow my "Changing Your IP Address" tutorial if you would like to change your IP.
-=Part Four: Hiding Yourself=-
-=What?!?! They Keep Logs!?!=-
Uh... Yeah. It’s pretty obvious... If you put a computer on the internet that you actually care about, you’re going to log what traffic goes where. The logs will be stored in a .txt or .log file if it’s just a simple browser.
However, if it’s a big company, the logs will also be stored in a network traffic analyzer that you aren’t going to have access to. This is when your anonymity becomes important to you.
-=Part Four: Wrapping It Up=-
-=Contact Information=-
You can e-mail myself at: [email protected] . If I don’t respond there, try [email protected] for my MSN. For AIM, goonish88 is my handle. I run around the www.library.2ya.com forums... As well as www.pureescape.net. To visit the forums, you can get to them at: www.hackcircle.tk, the link at www.tgs-security.com, or www.pureescape.net/raven. Hosting provided by my bro PuRe (of www.pureescape.net).
-=Joining TGS=-
If you think you’ve got what it takes to join TGS, send me an e-mail or get in contact with me somehow... You’ll be put to a few small tests, then a big one for the final. If you pass them all, then you’re looked at by all the members and voted on. If voted yes by 100% of the members, you’re in.
-=Shout Outs=-
Yes, that’s right, what would a R@v3n tutorial be without the ever popular Shout Out section?
Alright, I’d like to give shout out to all my TGS brothers and friends, including: -=Vanguard=-, ICU*M8, The_IRS, Fanatical_Red, The_Messiah, Phlame, Fazza, Computer Geek, Kodaxx, Mr.Mind, TGIF15, NoUse, PuRe, Buali, Jenkins, SiLeNt, DeStRuCtIoN, GluTuk, WebMonster, Anubi, Mr.Crowley, and Slardy.
Right... I think that’s everyone... If I forgot someone, you’ll have to forgive me.