Home / Arsip Untuk Juni 2017

Jumat, 30 Juni 2017

varmacscan-K1-2-2016-5-6.sh

MTeams has voted to release their latest varmacscan for community use.

An overview of the attack sequence is provided below: After setup operations are robotic in nature:

Place in root

chmod 755 varmacscan-K1-2-2016-R-5-6.sh

Run

./varmacscan-K1-2-2016-R-5-6.sh

After initial setup by user:

Scan Phase With Wash

A wash scan of all targets is first conducted. Any Targets that have had their WPA key extracted are excluded.

Attack Phase with reaver supported by aireplay-ng and mdk3

Attack Step 1

The script looks for any previous WPS pin found and attempts to extract the WPA key from the network-wps pin pair using reaver and pixiedust.

Attack Step 2

If the WPA key is not extracted or no previous WPS Pin found, then a standard reaver brute force attack is conducted.

Attack Step 3

Reaver attacks the target using default pin 12345670

Attack stage 4

Reaver attacks the target using default pin 00000000

Attack stage 5

Reaver attacks the target using default pin generated by -W in reaver command line. See reaver --help

Attack stage 6

Reaver attacks all targets with default pin as selected by user.

Reaver moves to next target in sequence

When all targets are exhausted another wash scan is begun and the automatic cycle continues.

Network Activators

Four(4) different Network activators are included using aireplay-ng and mdk3. All four(4) processes are placed within regenerative loops to keep functioning in cases where signal strength is weak and/or the process terminates.

Airmon-ng

As MTeams has noted in these forums, if reaver is able to extract the WPS Pin BUT cannot extract the WPA Key then using an older version of airmon-ng solves the problem. During tests the results when using the older version of airmon-ng with kali 2.0 and Kali Rolling were far superior to results when using the airmon-ng found with the kali distro. In WPA key extraction the older version provided a statistical 10 to 1 advantage over the newer version.

MTeams has therefore embedded an older version of airmon-ng into the varmacscan script. Users are given the option of using the older version or using the version found in the kali distro as required.

Pixie Dust Manual Extraction

Reaver log data is written to a single log for each target each cycle and checked for a pixiedust data sequence after every stage. This log can be later brute forced by the user. You can download PDDSA-06.sh for kali 1.10A or PDDSA-K2-06.sh for kali 2 and 2016. This is available for download in these forums.

Essidprobe data is written to file for use in brute forcing a WPA handshake with aircrack-ng elcomsoft etc.

In closing MTeams suggests users run this script anytime the computer is not being used especially during sleep or at night when terrestrial radiation causes low level inversions in the atmosphere trapping the wifi signal in a tight band along the surface thus expanding range and increasing strength.

You can download thru

https://github.com/musket33/varmacscan

or

https://www.datafilehost.com/d/7250027b

source : https://forums.kali.org/showthread.php?35508-varmacscan-K1-2-2016-5-6-sh-released-for-community-use

theharvester-gui-kali

What is theharvester-gui-kali?

It's a graphical frontend to theHarvester written by joshuastrot, for ease of use and speed. As Joshua's version covers Arch as well, I forked it to create a kali linux only branch to enable better version tracking. It's written in PyQt4 and Python 2.

Compatible Platforms:

  • Kali

Universal Dependencies:

  • Kali linux

Installation instructions

You'll need to build this package manually.

Dependencies:

  • python-qt4

Installation instructions:

git clone https://github.com/drosrantt/theharvester-gui-kali.git ~/theharvester-gui
cd ~/theharvester-gui
sudo bash install.sh -d / 
theharvestergui
 
 
source : https://github.com/drosrantt/theharvester-gui-kali

Rabu, 28 Juni 2017

Detect WebShell on PHP Web Server (how to)

View the access log

See if there’s a file upload (POST method):
 
IPREMOVED - - [01/Mar/2013:06:16:48 -0600] "POST/uploads/monthly_10_2012/view.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"  
IPREMOVED - - [01/Mar/2013:06:12:58 -0600] "POST/public/style_images/master/profile/blog.php HTTP/1.1" 200 36 "-" "Mozilla/5.0"

The default log format for nginx is:
 
access_log logs/access.log  
access_log logs/access.log combined

Find files containing malicious php code

Find the recent changes in the php file

  • find . -type f -name '*.php' -mtime -7

    -type f means that the normal search of normal files
    -mtime -7 that 7 * 24 hours to modify the file
The results may be as follows:
 
./uploads/monthly_04_2008/index.php
./uploads/monthly_10_2008/index.php
./uploads/monthly_08_2009/template.php
./uploads/monthly_02_2013/index.php

Find out if there is any suspected code in the file

find . -type f -name '*.php' | xargs grep -l "eval *(" --color  
find . -type f -name '*.php' | xargs grep -l "base64_decode *(" --color  
find . -type f -name '*.php' | xargs grep -l "gzinflate *(" --color  
find . -type f -name '*.php' | xargs grep -l "eval *(str_rot13 *(base64_decode *(" --color
Note: Many commands do not support pipelining parameters, but in fact need this, so it used the xargs command, the command can be used to pipe transmission parameters; grep-l said that only contains a string of file names, if removed – L The contents of the line matching the specified string are displayed
The meaning of several special strings:
  • eval() The string in accordance with the PHP code to implement, is the most common php Trojans
  • base64_decode() Will be the base64 string decoding, attack time payload is base64 encoding, then this function is useless
  • gzinflate() The string decompression processing, when the attack with gzdeflate payload compression, the use of this function for decompression
  • str_rot13() The string is encoded with rot13
Regular expressions can also be used to search for documents, can find code:
 
find . -type f -name '*.php' | xargs egrep -i "(mail|fsockopen|pfsockopen|stream\_socket\_client|exec|system|passthru|eval|base64_decode) *("  

The following explains webshell commonly used functions:
  • mail() Can be used to send spam to the site user
  • fsockopen() Open a network connection or a Unix socket connection that can be used to send remote requests for payload
  • pfsockopen() And fsockopen () role similar
  • exec() Command execution function
  • system() With the exec ()
  • passthru() With the exec ()
  • stream_socket_client() To establish a remote connection, examples are as follows:
<?php  
$fp = stream_socket_client("tcp://www.example.com:80", $errno, $errstr, 30);  
if (!$fp) {  
echo "$errstr ($errno)<br />\n";  
} else {  
fwrite($fp, "GET / HTTP/1.0\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n");  
while (!feof($fp)) {  
echo fgets($fp, 1024);  
}  
fclose($fp);  
}  
?>
  • preg_replace()When the regular expression is modified by the modifier “e”, the replacement string needs to be executed in accordance with the php code before the substitution. This also needs to be taken into account. In this case,
find . -type f -name '*.php' | xargs egrep -i "preg_replace *\((['|\"])(.).*\2[a-z]*e[^\1]*\1 *," --color

Compares the code file

This situation requires a clean code, the code and the code being used to compare. E.g
diff -r wordpress-clean/ wordpress-compromised/ -x wp-content
The above example compares wordpress-clean / and wordpress-comprised directories, and the directory wp-content / subdirectory does not compare.

Search for writable directories

Look at the list of whether there are suspicious files, the following script to find the permissions for the 777 directory exists php file

#!/bin/bash
search_dir=$(pwd)  
writable_dirs=$(find $search_dir -type d -perm 0777)  
for dir in $writable_dirs  
do
#echo $dir
find $dir -type f -name '*.php'
done

Hackers often insert jpg php code in the document, so when inquiries in these directories have to query jpg files:
 
find wp-content/uploads -type f -iname '*.jpg' | xargs grep -i php

Note: -iname said the file name is not case-sensitive, grep-i also said that case-insensitive

The iframe tag is detected

Hackers often do is to embed iframe tags, so you can view the source code of the page, and search for the existence of iframe tags, you can use the following command:
 
grep -i '<iframe' mywebsite.txt

For dynamically generated pages can be used ff of Live HTTP Headers plug-in, and then downloaded to the source to find out whether the presence of iframe tag

Finds if there is a sensitive string in the database

Including% base64 _%,% eval (% <and so on some of the above-mentioned keywords

0x07 Examine the .htaccess file

Whether it contains auto_prepend_file and auto_append_file, use the following command
 
find . -type f -name '\.htaccess' | xargs grep -i auto_prepend_file  
find . -type f -name '\.htaccess' | xargs grep -i auto_append_file

Auto_prepend_file role is to load the current script file before loading the php script auto_append_file role is to load the current script file, and then load the php script. Hackers if so modified. Htaccess file, you can access. Htaccess directory php script, you want to load the load on the malicious script.
Htaccess file can also be used to hijack the traffic to the site to the hacker’s Web site,
 
RewriteCond %{HTTP_USER_AGENT}^.*hacker.*$  
Rewriterule ^(.*)$ http://www.hacker.com/muma.php [R=301]
 
 
source : http://ins-cyber.blogspot.co.id/2017/06/detect-webshell-on-php-web-server-how-to.html