Archive for the ‘Hacking’ Category

Zero for owned.. Do they have a point?

Thursday, July 30th, 2009

Two days ago the hackers who release the Zero for owned (maga)’zine’ released the fifth version, ZFO5.
For those who do not know what I am talking about, check this link to read it.

Basically they hack some “wannabe” hackers and whitehat hackers who, according to them, are commercial fuckers who do not really help their customers in the long term. I am not going to comment on this statement, but these guys had another statement that got me thinking:

The very concept of “penetration testing” is fundamentally flawed.  The problem
with it is that the penetration tester has a limited set of targets they’re
allowed to attack, while a real attacker can attack anything in order to gain
access to the site/box.  So if a site on a shared host is being tested, just
because site1.com is “secure” that does NOT in anyway mean that the server is
secure, because site2.com could easily be vulnerable to all sorts of simple
attacks.  The time constraint is another problem. A professional pentester with
a week or two to spend on a client’s network may or may not get into
everything.  A real dedicated hacker making the slog who spends a month of
eight hour days WILL get into anything they target. You’re lucky if it even
takes him that long, really.

They have a point here. In most pentest contracts (at least the ones I know of) companies will only pay for their most vulnerable or important systems to be pentested. But a blackhat could (easily) hack one of the others that have not been pentested, and then he has a totally different attack vector, one the whitehat has not been able to test because of the lack of time and/or money. Besides that, in the end everything can be hacked. The only things that prevent many systems from being hacked are time and the fact that most systems are not worth hacking.

Kylin SecureOS website down

Monday, May 18th, 2009

As described in an earlier post I had found a possible SQL injection vulnerability in the website of the Chinese Kylin OS.
Now it turns out the website is unreachable:
The kylin.org.cn website resolves to 220.169.30.241

Non-authoritative answer:
Name:    kylin.org.cn
Address: 220.169.30.241

A traceroute brings me as far as 222.247.29.74

traceroute to kylin.org.cn (220.169.30.241), 30 hops max, 40 byte packets

13  61.137.0.134 (61.137.0.134)  282.076 ms  282.077 ms *
14  61.187.255.222 (61.187.255.222)  291.674 ms  291.695 ms  291.988 ms
15  222.247.29.74 (222.247.29.74)  288.679 ms  289.049 ms 222.247.29.70 (222.247.29.70)  287.816 ms
16  * * *
which essentially tells me not very much, because it could be that the next hop(s) to the actual server are discarding ICMP requests.
By doing a complete nmap ping scan on the whole subnet I noticed there are multiple hosts online surrounding the IP address, so I now know there is a route to the server; it is just not active:

nmap 220.169.30.0/24 -sP

Starting Nmap 4.62 ( http://nmap.org ) at 2009-05-18 11:36 CEST

Host 220.169.30.239 appears to be up.
Host 220.169.30.242 appears to be up.
Host 220.169.30.243 appears to be up.
Host 220.169.30.244 appears to be up.
Host 220.169.30.245 appears to be up.
Host 220.169.30.246 appears to be up.
Host 220.169.30.247 appears to be up.
Host 220.169.30.249 appears to be up.
Host 220.169.30.250 appears to be up.
Host 220.169.30.251 appears to be up.
Host 220.169.30.252 appears to be up.
Host 220.169.30.253 appears to be up.
Host 220.169.30.255 appears to be up.

So I think we can assume there are a few possible reasons why the site is down, and I have ordered them starting with the one I think is most likely:

  • The website has been taken down because of all the attention drawn to the project
  • The website has been taken down by a hacker, or has been taken down to fix the leak I found
  • The website is overloaded by traffic due to all the attention drawn to it, although I think this is highly unlikely (it probably would still respond to ICMP requests).

Talking about ironic…

Tuesday, May 12th, 2009

Today I noticed a tweet about the Chinese building a secure OS, supposedly targeted at an upcoming cyberwar.
I thought it was interesting, so I googled the name Kylin (which is the name of the project) and found kylin.org.cn, which was in Chinese.


Getting data through SQL injections… can get nasty!

Monday, April 20th, 2009

When I first learned about SQL injections it all sounded pretty easy: just put in some SQL code and you will get the output of your query (and possibly the data that was intended to be shown too).
But as I found out today, sometimes it isn’t that easy, especially when using a blind SQL injection exploit.

Ten minutes after I first tried to hack the site I had already found the way in, but it took me more than a day to get data out of it. It turned out the ASP page expected a numeric result set from the query and, based on that, queried some more (non-numeric) data. So when I did get an integer out of the database, the ASP page looked it up in the database and I ended up with legitimate data.
But then, after I had fooled around a bit, I got an error message which returned a value from the table I had intended to query! What I had accidentally done was convert an integer to a varchar and vice versa, so the SQL statement would generate an error and return the value of the field in the error message.

Knowing this, I just wrote a small python script that filtered all field data out of the error messages.

<edit> This method is great as proof for your customer, but not for really dumping the DB with it… It ran all night and in the morning I had 1 MB of data pulled out of the database. </edit>
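Raw database errors reaching the browser, as in the post above, also leave a clear trail in the application’s error log. As an added example (not the author’s script; the log line format, client addresses and sample entries are constructed for this illustration), here is a small Python detector for the two SQL Server type-conversion messages this error-based extraction relies on: one such error is usually a bug, a stream of them from one client is someone reading a table row by row.

```python
import re
from collections import Counter

# SQL Server's two wordings of conversion error 245. Error-based extraction
# works precisely because the offending value is echoed back in this text.
CONVERSION_ERRORS = [
    re.compile(r"Conversion failed when converting the (?P<src>\w+) value "
               r"'(?P<val>[^']*)' to data type (?P<dst>\w+)"),
    re.compile(r"Syntax error converting the (?P<src>\w+) value "
               r"'(?P<val>[^']*)' to a column of data type (?P<dst>\w+)"),
]

# Constructed log format for this example: "<timestamp> <client ip> <path> <status> <error text>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
                      r"(?P<path>\S+) (?P<status>\d{3}) ?(?P<msg>.*)$")

def parse_conversion_errors(lines):
    """One record per log line carrying a SQL Server conversion error, with the leaked value."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for pattern in CONVERSION_ERRORS:
            err = pattern.search(m.group("msg"))
            if err:
                hits.append({"ip": m.group("ip"), "path": m.group("path"),
                             "leaked": err.group("val"),
                             "cast": f"{err.group('src')}->{err.group('dst')}"})
                break
    return hits

def flag_extraction(hits, threshold=3):
    """Clients that triggered at least `threshold` conversion errors: the extraction signature."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample: three leaking errors from one client, one from another, one normal request.
ASP_ERR = "Microsoft OLE DB Provider for SQL Server error '80040e07'"
SAMPLE_LOG = [
    f"2009-04-20T01:12:03 203.0.113.7 /product.asp?id=1 500 {ASP_ERR} Conversion failed when converting the varchar value 'alice' to data type int.",
    f"2009-04-20T01:12:04 203.0.113.7 /product.asp?id=2 500 {ASP_ERR} Conversion failed when converting the varchar value 'bob' to data type int.",
    f"2009-04-20T01:12:05 203.0.113.7 /product.asp?id=3 500 {ASP_ERR} Syntax error converting the varchar value 'carol' to a column of data type int.",
    "2009-04-20T01:12:06 198.51.100.5 /product.asp?id=4 200",
    f"2009-04-20T01:12:07 198.51.100.5 /product.asp?id=5 500 {ASP_ERR} Conversion failed when converting the varchar value 'N/A' to data type int.",
]
```

On the application side the fix is to bind the numeric parameter instead of concatenating it and to return a generic error page rather than the provider message; the detector then only ever sees the occasional genuine bug.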

Fun with www.hackthissite.org

Wednesday, April 15th, 2009

Because penetration testing and hacking are best learned by just doing it, I decided to find a way of practicing various techniques.
Of course, I could just hack some random website, but this has some disadvantages. (You could call being arrested and put in jail a disadvantage ;-) )

So I decided to google for someone who had created a website with the intention of it being hacked. That is how I found www.hackthissite.org.
After registration, several mission categories are presented in the left menu, of which I have mastered the “basics” and am currently busy with the “Realistic” ones. Especially the “realistic” missions give you a real rush when you have completed the mission. My current favourite mission was breaking into the website of a bank and transferring money to a different account. Although the missions are quite realistic, the one with the bank is in a way unrealistic and realistic at the same time. It is realistic because of the mission (transfer money to another account), but banks nowadays have much better protection than this one. For example, SSL is not used, there is no token based authentication, and even clear text cookies and md5 password hashes are shown in the HTML… But hey, if they had used all of these techniques it probably would not have been hackable :-)

I can really recommend this site if you want to learn more about hacking websites.