Exploits Database by Offensive Security


Thursday, November 18, 2010

Isolate IP With Ettercap

Ettercap has a plug in to isolate network IP address. In a sense it causes a DOS attack. This can be useful for network administrators. For example unlike cisco where you can shutdown an interface on a switch, sonicwall wont let you do such a thing; which can make administering a good amount harder. Especially when you have end users running itunes and torrents etc. 
To start this attack you will need the IP of the host you are isolating. In this case it will be How this attack works every packet the computer sends out will resolver its own mac address. Here is the network setup of a windows box using ipconifg /all.

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-11-D8-70-48-4F
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . :
DNS Servers . . . . . . . . . . . :
Primary WINS Server . . . . . . . :
Lease Obtained. . . . . . . . . . : Thursday, July 24, 2008 11:42:50 AM
Lease Expires . . . . . . . . . . : Thursday, July 24, 2008 11:52:50 AM

Here is the arp -a out put
Interface: 0x2
Internet Address Physical Address Type 00-06-b1-36-1f-24 dynamic

To start the attack we are going to be using the isolate plugin. And specify the IP that we are attacking. Here is what the command looks like.

#ettercap -i sk0 -P isolate / //

The command will take about 5 min to go into effect since that is how long it takes the arp cache to refresh, once it does this is what the ap should look like.

Interface: 0x2
Internet Address Physical Address Type 00-11-D8-70-48-4F dynamic

As you notice that is'nt the same mac address that had when we first ran the arp -a, it is now resolving the mac address of itself. If you try to resolve a web site the ettercap will output something along the lines of this.

TCP --> | AP

Saturday, October 2, 2010

CodeMeter not cracked at international Hacker’s Contest

March 21, 2007

Hanover (CeBIT) – Today, the fourth Hacker’s hosted by Wibu-Systems closed. The task was to by-pass of the software protection solution CodeMeter that was developed by Wibu-Systems. The competition started on February 1, 0:00 CET and ended on March 14, 23:59 CET. All in all, 1,092 contestants from 27 countries participated. Most of the participants were located in Germany, followed by China, the United States, the Netherlands, Poland, Hungary, France, Great Britain and the Ukraine.

No protection solution can offer 100% protection. This time the competition was extremely exciting because each contestant had received the protected software together with the suitable license stored in a CmStick, the dongle. Both are necessary for executing the competition software on their PC. For a second function in the competition software the license bit in the CmStick wasn’t set. Here the encryption would be cracked – which is nearly impossible – or the license bit in the dongle or software would be manipulated.

But today, after exactly six weeks, it is certain: no contestant was able to crack the protection. Oliver Winzenried, C.E.O. of Wibu-Systems AG, said: “We hoped that our solution CodeMeter held out against attacks and now we are especially pleased about the fantastic result. There are plenty of protection solutions available on the market with their advantages and disadvantages. One of the most important features is the protection level in addition to flexibility and license management. Here we have given proof of the security of our solutions in public as a worldwide first manufacturer of software protection solutions.”

Next to the usage of approved secure encryption algorithms and the secure storage of keys in a Smart Card Chip in the CmStick, it is characterized by the identification of hacking attacks so that the license in the hardware will be disabled through a policy registered for a patent by Wibu-Systems. Many of the contestants have addressed exactly this problem and some of them asked for a second activation. If the license in the CmStick is disabled, the competition program can’t be executed. This is comparable to what would happen if a CmStick was not connected.

Only some contestants in Germany, China and one of Poland have sent partial solutions that will be rewarded each time with 1,000 Euro by Wibu-Systems. They provided suggestions for the company for improving the protection mechanisms further. Oliver Winzenried says: “Of course it was the ambition of this contest to show that our solutions provide a high level of security. Additionally it was an important purpose to find unknown weak points for improving the security level.” Christoph Fischer, an accepted IT security specialist, says: “The contest shows clearly that even if there is no 100% protection possible in all areas, top-quality solutions can provide a sufficient high barrier against cracking even through specialists.”

At the end the competition was worth it for all involved: Wibu-Systems didn’t need to pay off the complete prize and received invaluable ideas for a continuous improvement of the software protection on the interest of all vendors of software and digital content. The contestants have received a CmStick for an attractive price and they can use its personal “security suite” further on. And the senders of a partial solution have received an attractive consolation prize.

How this thing works ? http://www.wibu.com/software_protection_01.php?lang=en

Friday, October 1, 2010

How To Downgrade Fast-Track On Backtrack 4 R 1

If you are already upgraded your Fast-Track to version 4.0-r344-bt0, you will notice that this version will not have the menu for updating metasploit, aircrack-ng, etc like the older version. To downgrade Fast-Track, just follow these steps.

root@bt:/pentest/exploits/fasttrack# apt-get install fasttrack=4.0-r249-bt2
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages will be DOWNGRADED:
0 upgraded, 0 newly installed, 1 downgraded, 0 to remove and 30 not upgraded.
Need to get 409kB of archives.
After this operation, 0B of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://archive.offensive-security.com pwnsauce/microverse fasttrack 4.0-r249-bt2 [409kB]
Fetched 409kB in 21s (19.4kB/s)
dpkg - warning: downgrading fasttrack from 4.0-r344-bt0 to 4.0-r249-bt2.
(Reading database ... 248128 files and directories currently installed.)
Preparing to replace fasttrack 4.0-r344-bt0 (using .../fasttrack_4.0-r249-bt2_all.deb) ...
Unpacking replacement fasttrack ...
Setting up fasttrack (4.0-r249-bt2) ...

Fast-Track Updates

Enter a number to update

1. Update Fast-Track
2. Metasploit 3 Update
3. Aircrack-NG Update
4. Nikto Plugin Update
5. W3AF Update
6. SQLMap Update
7. Installation Menu
8. Update Exploit-DB Exploits
9. Update Kismet-Newcore
10. Update Gerix Wifi Cracker NG
11. Update Social-Engineer Toolkt
12. Update Everything
13. Return to Main Menu

Now you can have the update everything menu again.

Thursday, September 30, 2010

FakeAP_PWN.sh v0.2.5

 [Script][Video] fakeAP_pwn.sh (v0.2.5)

    Watch video on-line: http://g0tmi1k.blip.tv/file/3622180
    Download video: http://www.mediafire.com/?xj1myzznlyo

        ~ V0.3 FINAL IS OUT ~
        [Script] [Video] fakeAP_pwn (v0.3)

    What is this?
    An update to the script, fakeAP_pwn. This is a bash script to automate creating a 'Fake Access Point' and 'pwn' whoever connects to it! The FakeAP is transparent (allowing the target to afterwards surf the inter-webs once they have been exploited!), and the payload is either SBD (Secure BackDoor - similar to netcat!) or VNC (remote desktop).

    How does this work?
    > Creates a fake AP and DHCP server.
    > Runs a web server & creates an exploit with metasploit.
    > Waits for the target to connect, download and run the exploit.
    > Once successfully exploited it grants access to allow the target to surf the inter-webs.
    > Uploads a backdoor; SBD or VNC, via the exploit
    > The attacker has the option to run a few 'sniffing' programs (from the dnsiff suite) to watch what the target does on the FakeAP!

    What do I need?
    > Two interfaces, one for Internet (wired/wireless) and the other for becoming an access point (wireless only - must support monitor mode)
    > A Internet connection (though you could modify it so its non transparent)
    > Airmon-ng, dhcpd3, apache, metasploit, dnsiff suite --- All on BackTrack!
    > The script! fakeAP_pwn-v0.2.5.tar.gz (490.3 KB, SHA1:541d91c19ff32777317385218820233a62f1dc76)

    Whats in the tar.gz?
    > fakeAP_pwn.sh --- Bash script
    > www/index.php --- The page the target is forced to see before they have access to the Internet.
    > www/Linux.jpg, OSX.jpg, Windows.jpg --- OS pictures
    > www/sbd.exe --- SBD Backdoor> www/vnc-g0tmi1k.exe --- VNC Backdoor

    How to use it?1.) Extract the tar.gz file (via tar zxf fakeAP_pwn-v0.2.5.tar.gz).
    2.) Copy the "www" folder to /var/www (cp www/* /var/www/)
    3.) Make sure to "Start Network" and to have an IP address. (via start-network and dhclient [Internet Interface])
    4.) Edit fakeAP_pwn.sh with your "internet" and "wireless" interface. (You can view your interfaces via ifconfig and use kate to edit the file.)
    5.) bash fakeAP_pwn.sh (don't forget to be in the correct folder!)
    6.) Wait for a connection...
    7.) ...Game Over.


    tar zxf fakeAP_pwn-v0.2.5.tar.gz
    cd fakeAP_pwn-v0.2.5
    cd fakeAP_pwn
    cp www/* /var/www
    kate fakeAP_pwn.sh
    bash fakeAP_pwn.sh


        * This time it should work for everyone, just not me =P
        * The video uses fakeAP_pwn.sh v0.2.1
        * It's worth doing this "manually" (without the script) before using the script, so you have an idea of what's happening, and why. The script is only meant to save time.
        * I'm running BackTrack 4 Final in VM, The target is running Windows 7 Ultimate (fully up-to-date 2010-05-13), with no firewall, no AV and no UAC. Tested with windows XP SP3 Professional as well.
        * The connection is reversed - so the connection comes from the target to the attacker, therefore, as the attacker is the server, it could help out with firewalls...
        * As you can see in the code, one day I plan for this to also "affect" Linux and/or OSX...but its taken me this long to update it - so don't hold your breath!

    Song: Medicin - Summer Drummer
    Video length: 3:20
    Capture length: 8:12

    Blog Post: http://g0tmi1k.blogspot.com/2010/05/...ppwn-v021.html
    Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/28363-%5Bscript%5D-%5Bvideo%5D-fakeap_pwn-v0-2-1-a.html

    > Removed silly typos

    + Added arguments
    + Checks for superuser
    + Checks interfaces/paths/files exists
    + Improved transparent mode (Thanks joker5bb)
    > General code improvements
    > Updated the help message

    + Fakes the MAC address (Thanks joker5bb)
    + Fix “wicd” bug (Thanks joker5bb)
    + Randomizes ports each time
    + Reversed VNC - No need to type in password now
    + Stops and removes existent backdoors
    + Stops services and programs (Thanks joker5bb)
    + Uses “msfencode” - to prevent detection
    + Webpage now has a "favicon"
    > Fix a few minor features - Couple of silly typos (Thanks joker5bb)
    > General code improvements
    > Improved "clean up" code
    > Improved the WiFi interface (Thanks joker5bb)
    > Renamed the backdoor files
    > Renamed the output windows

    + Fix gateway bug
    + Fix DHCP PID Bug
    + Checks for other index files. And acts on it.
    + Checks to make sure user copied www/. Else acts on it.
    + Added more tools to "extra".
    + Added extra settings (Response to all requests & WiFiName)
    > Improved debug info
    > Aligned the output windows
    > General code improvements
    > Improved chances of DHCP working (Might need more work)
    > "Started" work on transparent (Needs more work)
    > "Started" work on allow a custom backdoor (Needs more work)
    - Removed Linux/OSX - was confusing people

    + Remade first release
    > Created Video

    + First public release

Hacking With FastTrack On Backtrack

Hacking Bluetooth Backtrack4 with Blue_ron v.01

Hacking A Website: SQL Injection Attack

Hacking with the SET toolkit explained