Today I hacked a site where people upload pictures and other people rate them. The site has 100 000 users, and for a Swedish site it’s big. The problem is it had stored the passwords in the database in plain text. Obviously this is good news for me, but for the users it’s really bad. Sites that big should take better care of their users. The point here is that webmasters should really think more about encryption and use the right one. Do not use MD5, SHA-1 or MYSQL(4); they are way too easy to crack with today’s GPU cards. If I were to encrypt I would use phpass or whirlpool; they are hard nuts to crack. But I’m happy there are ignorant webmasters out there to make my life easy. How would I otherwise get my kickass wordlists?
Index for November, 2009
Encrypt or die!
Monday, November 30th, 2009
Warning, too little sleep may cause stupidity!
Monday, November 30th, 2009
Last night I was sitting at my computer preparing to go to sleep when “skalman” came into the IRC channel and told me he had a mission for me. A friend of his had some trouble with a former partner of his and now he wanted to get some evidence that he thought was on the server of another company the partner ran. I was really tired at that point, but I’ll have a go, I thought, because my girl is coming tomorrow and that means no time for the fun stuff. I started looking around and it didn’t take that long before I had everything I needed: htpasswd-files, MYSQL tables and root login for MYSQL. But they had blocked access from remote locations in the MYSQL configuration file. Turns out they made the epic mistake almost everyone does: they had a phpmyadmin. And sure enough I logged in, did my “into outfile” trick and puff, I had a shell. Everything went as planned when a thought entered my mind, “Didn’t I turn off the proxy before… did I turn it back on?” I felt the panic spreading through my body and the error was obvious. I turned on the proxy as fast as I could. I don’t think this would have happened if I wasn’t so tired. Although I don’t think anything will happen, I really hope not. Just in case I’m going to try and root the box to clean out every clue I left behind. I didn’t find the evidence this individual was looking for but it was fun to take a look around. Well, I need to take a shower, my girl is en route to my secret hacker lair =)
h4x
Monday, November 30th, 2009
I often get requests to hack that user or that site. Often those people are inexperienced and don’t understand the time and will that goes into some projects. To spend hours and hours mapping and getting an overview of the server you need will and motivation. And then you get a request and you often don’t feel that motivated to attack the target in question. But there are different kinds of motivation. The biggest and the one I use is my own curiosity or urge to have a site. Second best is to gain a favor from a friend or colleague. Third is money, everyone needs that. So next time you ask a random hacker to do something, think about those three reasons and ask yourself if your request meets any of the criteria. I don’t get angry if my friends send me a request, but people I hardly know shouldn’t even bother.
Even worse than that are people that think everything is easy to hack or that I have some kind of “super one click program” that I can use to get access to everything. They don’t understand that not everyone can do anything. You need a set of skills and knowledge, and it takes time and effort to acquire them. From now on when people ask me to teach them to hack I’ll answer: “If you know how to Google and some PHP/*SQL/Perl(CGI)/ASP etc., and Unix, know some things about Apache/IIS and basic TCP, then I’ll show you the way of the force”.
Locating the httpd.conf file.
Monday, November 30th, 2009
I rarely deal with local file inclusion, but when I do I always run into the same problem of finding the httpd.conf file. I need to read this file for several reasons. One is to know where I am (www-root). The second one is to find the path to the log files. Third is to find out if there are any other virtual hosts on the server I don’t know about. So the httpd.conf file is the first thing I look for, but it can be a pain in the ass to find. Although I have a lot of default paths written down I still have problems finding it sometimes. Even if you find it/them there can still be obstacles in the way. One of them is the damn asterisk (*) sign, Ex: /etc/apache/conf.v/*conf
This tells apache to include every file in /conf.v/ that ends with a “.conf”. The files can be named anything, so it’s just the long and almost impossible task of guessing what the webmaster named them. Anyway, what I’m getting at is that reading the httpd.conf files is a big step in achieving your goal. I’ll post my list of default paths I have found over the years. Hopefully someone will post a comment with paths I don’t have. Hope this can be of help to someone.
Enjoy!
/www/apache/conf/httpd.conf
/etc/httpd/conf/httpd.conf
/usr/local/apache/conf/httpd.conf
/etc/apache/conf/httpd.conf
/www/httpd/conf/httpd.conf
/etc/www/conf/httpd.conf
/home/www/conf/httpd.conf
/home/apache/conf/httpd.conf
/etc/apache2/httpd.conf
/etc/apache2/vhosts.d/vhost.conf
/home/www/httpd/conf/httpd.conf
/usr/local/etc/apache/httpd.conf
/var/www/conf/httpd.com
/var/apache2/conf/httpd.conf
/usr/local/etc/apache22/httpd.conf
/usr/local/etc/apache2/httpd.conf
/etc/apache22/conf/httpd.conf
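From the defending side, requests that try to read these files through an include parameter stand out in the web server's own access log. The following is an added example (not code from this blog): a Python scan of Apache access-log lines for query strings that name an Apache config file or climb directories. The log lines, addresses and the `page` parameter are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Access-log line: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
# A .conf file under an apache*/httpd directory, or any httpd.conf, as in the list above.
CONF_RE = re.compile(r'/(?:apache\d*|httpd)/\S*\.conf\b|httpd\.conf', re.I)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

# Constructed sample lines (documentation-range addresses, made-up parameter name).
SAMPLE = [
    '192.0.2.10 - - [30/Nov/2009:10:00:01 +0100] "GET /index.php?page=news HTTP/1.1" 200 5120',
    '198.51.100.7 - - [30/Nov/2009:10:00:05 +0100] "GET /index.php?page=../../../../etc/httpd/conf/httpd.conf HTTP/1.1" 200 18432',
    '198.51.100.7 - - [30/Nov/2009:10:00:06 +0100] "GET /index.php?page=..%2F..%2F..%2Fusr%2Flocal%2Fapache%2Fconf%2Fhttpd.conf HTTP/1.1" 404 312',
    '198.51.100.7 - - [30/Nov/2009:10:00:07 +0100] "GET /index.php?page=/etc/apache2/vhosts.d/vhost.conf HTTP/1.1" 200 2048',
]


def normalize(target, rounds=3):
    """URL-decode a bounded number of times so encoded slashes and dots are visible."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan(lines):
    """Return one finding per request whose query string matches a pattern."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        host, _method, target, status = m.groups()
        query = normalize(target).partition("?")[2]  # GET parameters only
        reasons = [name for name, rx in (("apache-config-path", CONF_RE),
                                         ("traversal", TRAVERSAL_RE)) if rx.search(query)]
        if reasons:
            # A 200 answer means the file may have been served: treat the
            # paths, log locations and virtual hosts in it as disclosed.
            findings.append({"host": host, "query": query, "reasons": reasons,
                             "served": status == "200"})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Parameters sent in a POST body do not appear in the access log, so this only covers GET requests.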
The SQL-injection hype, over?
Monday, November 30th, 2009
About two years ago I understood that most sites that use a database are vulnerable to an SQL-injection. This was when not that many people knew about the risks in my country and I took full advantage of that. But one year ago something changed, SQL-injection got to the script kiddies and BOOM! Everyone was now a hacker. The media called it “The return of the hobby hacker”, and they are right. You don’t need a lot of skills to do a simple SQL-injection, although there are more advanced types of injections like a “true or false”-injection. This trend we see in Sweden is not the general one, said a security expert at Symantec. The problem I see is that when knowledge like SQL-injection comes into the mainstream it by default comes to people that are stupid and ignorant. It comes to people that want a pat on the back and that is the problem. The number of hobby hackers is increasing and because the cyberspace is a land of anarchy they feel safe doing what they are doing. But I feel this hype has reached its climax and is now on the way down. Just because the programmers are getting aware that this is a big problem. I’m sad to see that my job is getting harder every day but I’ll rather work my ass off and be one in a hundred than being one in a million. Hopefully the era of SQL-injections is on its way to a sudden end. Although I shouldn’t underestimate the power of stupidity in the programmers either.
In other news I had my first “hacker” or bot crawl my site testing for vulnerabilities today. A R57 anyone? http://kkobold.extra.hu/export.txt just viewed it for five seconds and saw the username/password, other than that I can’t say if it’s secure.
74.53.77.50 is the IP number the attack came from and it seems to be an exploited web server. I think the hacker came in through http://www.media-courses.com and it seems to have a big SQL-injection flaw. May hack it and download the exploit code for fun. But, right now I need to talk to a guy about a header image for a blog.
Hacking the hackers
Monday, November 30th, 2009
You would think people like me know you should have good security and strong passwords, but you would be wrong. Seems like now and again I stumble upon some kind of hacker-community, and high members and admins sometimes have the same password on other sites. You should never use the same password twice for important stuff like an admin account. On some sites you will even find really bad holes like a simple sql-injection. I remember a year or so back when Sweden was a target for Turkish hackers because of some drawings of Muhammad. Anyway, one of these groups got some attention in the Swedish media. And I thought to myself “hum, might take a look”. Didn’t take me that long to find an injection, on the only page they had coded by themselves (That said a lot about the group). As stupid as I was back then I wrote a script in perl and started to loop down the users. I started focusing on cracking the admin hashes, and sure enough I got a few hits. Logged in and posted a Muhammad picture on the front page and then posted the database on a forum from a fake account.
This would be the end of the story I thought and went to sleep feeling good about my retaliation. When I woke up the next day all hell had broken loose. People were hijacking Turkish accounts and the Turkish hacker forum was overflowing with spammers. As revenge the Turkish group made a ddos-attack on the forum I posted the database on. On top of this the Swedish media was talking about a cyber war between Sweden and Turkey. Radio and newspapers were all over this. Well, shit does happen. Not every day you get accused of starting a war. =(
Here are some articles for the Swedish readers:
http://www.idg.se/2.1085/1.125941
http://www.idg.se/2.1085/1.125361
http://www.svd.se/nyheter/inrikes/artikel_497671.svd
http://www.sr.se/ekot/artikel.asp?artikel=1658549
http://www.sr.se/webbradio/webbradio.asp?type=db&id=819400
http://www.bestsecuritytips.com/news+article.storyid+367.htm
First and last time I take responsibility for this attack. It would have been so much better living off them for a while. Taking everything from the inner circle, living off them like a parasite. I would have had my own script kiddy army and they would have been none the wiser.
The torrent hack.
Monday, November 30th, 2009
A week ago I helped a friend hack a torrent tracker. He came to me with a sysop password. It turned out to work and I started to go to work. Took me about 1 min before I found my way in, to place a shell via an old IPB-forum. I upped a shell via the admin panel and it all was over in a few minutes. Why I’m writing about this is that yesterday the tracker went down. Apparently some evil monkeys were on the server too. I don’t really know what happened but there aren’t many scenarios.
1. They saw my attack and put the server down for a look over.
2. My friend gave the shell to someone stupid.
3. It was a coincidence and bad luck.
The rumor says it was a bunch of former staff that were angry. So who knows, might as well be option number three. It wasn’t a big hack but I always get jumpy when they find my shells. Although I hadn’t put much effort in hiding it. Promised my friend I’d have another go at it. This time I’ll not underestimate them. =)
