Close Panel

Can you imagine our indonesian internet core routing to be shutted down? None can browse their email, open facebook, or just search through google. Can you imagine indonesian internet banking stopped working for a while? Automatic Teller Machine (ATM) won’t work to response your request? That’s all just the lowest risk when core routing to be compromised.

Can you imagine when your confidential data to be sniffed without none notice it? Can you imagine when your username and password to be stealed? Oh that’s not big deal huh? But try to imagine your banking transaction to be intercepted and modified, yeah that’s the real fear on digital world. Hell yeah, this paper explains you how that problems are possible. This paper try to tell you how weak our indonesian core routing infrastructure, check it out!

 

3

Dec

2009

Another FreeBSD Root Exploit Leaked!

By IPSECS Admin. Posted in Exploitation | No Comments »

The latest version of freebsd is found to be vulnerable. This vulnerability is found in run time link editor (rtld) which can be tricked to accept LD variables even on setugid binaries. You might see this flaw by analyzing this exploit.

With this leaked exploit, it’s more than 10 exploitable vulnerability leaked to public this year (2009)! So it’s that true if freebsd as secure as what people said?!

 

24

Nov

2009

Web Backdooring & Keylogging

By IPSECS Admin. Posted in Exploitation, Presentation | 1 Comment »

Thinking how to backdoor & keylog website in unusual way is something that fun to be implemented. Kiddies usually use public backdoor to come back to compromised server or website, dumping the database, and cracking hash of confidential information likes password and CC number. Public backdoor is somewhat easy to be detected by administrator while hash cracking sometimes gives no result.

Modifying source code of website to be a backdoor and keylogger is not kind of new technique, but just few kiddies know about this. By modifying the source code, we can make more invisible backdoor than using public ones. We also can record confidential information likes password and CC number in plaintext, so we don’t have to crack it. I have implemented this technique in phpbb3, modifying its source code become backdoor & keylogger. This concept can be used to modify ecommerce application so just try to imagine when your CC number being stolen.

Download my paper, presentation, and phpbb3 patch which has been presented in STIMIK Palcomtech Palembang.

 

An independent security consultant publicized this week the details to a critical flaw in the server message block version 2 (SMB2) component of Microsoft’s Windows Vista, Windows Server 2008, and the release candidate for Windows 7.

The researcher, Laurent Gaffié, claimed in his advisory that the vulnerability causes a Blue Screen of Death, a pernicious crash on Windows system, but other researchers have subsequently concluded that the flaw is actually remotely exploitable, a more serious issue.

Microsoft acknowledged the flaw on Tuesday in an advisory. The flaw does not affect the latest version of Windows 7, Windows Server 2008 R2, nor Windows XP, the company stated. Microsoft took the researcher to task for disclosing the information before it fixed the security issue.

Yet, Gaffié argued that the disclosure was fair. The software company should have done more software quality assurance (SQA) on the networking components, he said in an e-mail interview with SecurityFocus. If they did, they would have easily found the issue — it took his fuzzer only 15 packets to crash the component, he said.

“So I personally think the one who has been irresponsible is Microsoft for shipping this driver on any Server 2008, Vista, and Windows 7 (system) without doing any SQA and security review,” he responded.

Gaffié said he notified the company, but had a typo in the e-mail address.

The flaw was disclosed on Monday, the day before Microsoft’s regularly scheduled patch day. The software giant issued five patches for eight vulnerabilities, including three flaws in the company’s TCP/IP networking stack. Other flaws affected Windows’ Javascript engine and its Windows Media components.

While Microsoft has not released a fix for the issue, the software giant recommended that administrators disable SMB version 2 or block the specific TCP ports (139 and 445) used by the file-sharing feature.

Source : http://www.securityfocus.com/brief/1009

 

2

Sep

2009

All Linux Kernel Are Targeted

By IPSECS Admin. Posted in Exploitation | No Comments »

Yupe, that’s true when sock_sendpage() is discovered to be vulnerable by Tavis Ormandy and Julien Tinnes. The function is vulnerable to NULL pointer dereference that can be exploited to escalate priviledge to be root. Most of linux kernel are reported to be vulnerable. Exploit to take advantage of this flaw has been developed and spreaded freely on internet. The exploit can be used to bypass security restriction like SElinux.

http://milw0rm.com/exploits/9435 – the first written exploit by spender of gresecurity
http://milw0rm.com/exploits/9436 – another exploit taken from www.frasunek.com
http://milw0rm.com/exploits/9479 – another exploit from p0c73n1
http://milw0rm.com/exploits/9545 – another exploit written by Ramon de Carvalho Valle of risesecurity

Download the exploit, compile and execute! BOOMMM It’s root! Finally, this post is a little bit late :D .

 

22

Jul

2009

PulseAudio Owns My Ubuntu Intrepid

By IPSECS Admin. Posted in Exploitation | No Comments »

It just fun to try exploiting pulseaudio to gain root priviledge, well my Ubuntu Intrepid is indeed exploitable.

Searching more about linux, i find an exploit to attack RHEL family with SELinux enabled here. So, is that true linux more secure than windows?? The fact which makes linux more secure is the people behind the machine. So many linux administrators is much more skilled than windows ones.

 

13

Jul

2009

Anti-Computer Forensics

By IPSECS Admin. Posted in Exploitation, Forensics | No Comments »

DEFINITION
Anti-forensics has only recently been recognized as a legitimate field of study. Within this field of study, numerous definitions of anti-forensics abound. One of the more widely known and accepted definitions comes from Dr. Marc Rogers of Purdue University. Dr. Rogers uses a more traditional “crime scene” approach when defining anti-forensics. “Attempts to negatively affect the existence, amount and/or quality of evidence from a crime scene, or make the analysis and examination of evidence difficult or impossible to conduct”.

A more abbreviated definition is given by Scott Berinato in his article entitled, The Rise of Anti-Forensics. “Anti-forensics is more than technology. It is an approach to criminal hacking that can be summed up like this: Make it hard for them to find you and impossible for them to prove they found you.” Interestingly, neither author takes into account using anti-forensics methods to ensure the privacy of one’s personal data.

Sub-Categories
Anti-forensics methods are often broken down into several sub-categories to make classification of the various tools and techniques simpler. One of the more widely accepted subcategory breakdowns was developed by Dr. Marcus Rogers. He has proposed the following sub-categories, data hiding, artifact wiping, trail obfuscation and attacks against the CF (computer forensics) process/tools.

Read more »

 

12

Jun

2009

Web & Wireless Hacking

By IPSECS Admin. Posted in Exploitation, Presentation | No Comments »

This is my presentation in STIMIK Dipanegara Makasar. I try to describe Web and Wireless exploitation conceptually & technically. This presentation consist of:

  • Web Hacking; I try to describe top 3 web exploitation, SQL Injection, File Inclussion, and Cross Site Scripting (XSS). My explanation are including SQL injection in login form, SQL injection in URI parameter, Local File Inclussion, Remote File Inclussion, DOM based XSS, Non-persistent XSS, and persistent XSS.
  • Wireless hacking; I try to describe how to do war driving and how to exploit wireless network. Exploiting wireless network includes how to spoof MAC address, creating Rogue AP, Cracking WEP, Cracking WPA-PSK, and Denial of Service (DoS).

This presentation is not including how to defend that kind of attacking, but i’m sure this presentation is cool enough to start learning Web & Wireless Hacking. Download my presentation here.

 

9

Jun

2009

Distributed Password Cracking

By IPSECS Admin. Posted in Exploitation, Presentation | No Comments »

Password cracking which uses some computers to accelerate password cracking process. It usually uses computer clusters and some software to support parallel computing. Some known software to do parallel computing in cluster computers are:

  • John The Ripper and Condor, John works as password cracker while Condor works as scheduler which parallelizes cracking proccess and distributes it to clusters.
  • John The Ripper and Djohn, John works as password cracker while Djohn works as client-servers application which parallelizes cracking proccess and distributes it to clusters.
  • Medussa, password cracker which’s originally designed to do parallel password cracking. It contains client servers application to parallelize cracking proccess and distribute it to clusters.
  • John The Ripper with MPI patch, john which’s developed using MPI programming. MPI is standard de facto for parallel programming which’s implemented on some softwares i.e : OpenMPI, MPICH, and LAM/MPI.

Our presentation describes how to do parallel cracking using John The Ripper with MPI patch. We use 15 dual core computers and LAM/MPI in distributing cracking proccess. Download our presentation here.

 

3

Jun

2009

Global Trend Attack

By IPSECS Admin. Posted in Exploitation, Presentation | No Comments »

The complete title is “global trend attack in local network“, this is my presentation in Telkom RDC Bandung at last 2007. It’s old but still nice enough to know what threats may disturb your network. Download my presentation here.

This presentation explains top 6 flaws which’s commonly exploited in Local Network. They are:

  • Spoofing; ARP Spoofing, IP Spoofing, DHCP Spoofing, DNS Spoofing are commonly exploited.
  • Man In The Middle; Using some spoofing techniques to do Man In The Middle attack.
  • Sniffing; Combining Man in The Middle with some tricks to passively intercept communication in Local Network.
  • TCP/IP Hijacking; Doing active sniffing and modificating data traffic to take over active TCP/IP connection.
  • Remote Code Execution; Using some software application flaws to exploit local network infrastructure. Buffer Overflow and Format String are the most common flaws to be exploited in Local Network.
  • Denial of Service; Most powerful denial of service (DoS) comes from Local Network.

This presentation is completed with ways to defend this attacks and minimize security risks.

 

17

May

2009

Grid Computing Hacking

By IPSECS Admin. Posted in Exploitation, News | No Comments »

Introduction

Grid computing is kind of new technology which has been known since 1990s. It idea was brought together by Ian Foster, Carl Kesselman, and Steve Tuecke, widely regardes as “Father of Grid”. Grid computing is defined as group of node computation which works together in distributed computing. You can find some grid project in wikipedia article here.

Each node in grid has computer cluster to perform high performance computing through parallel computation. A computer cluster consists of a headnode (master) and some computational nodes (slaves). Headnode is responsible in communicating with the other headnode in grid, managing computation resource, and scheduling computation jobs to slave. We don’t want to explain detail how computer cluster works. In this article, our interest is in grid computing and why it’s vulnerable to some hacking exploitation.

How Grid Works

Grid computing is really complex inside its technology, so the chance of being exploited is really big. Grid computing needs a good network connectivity, many TCP/IP services, encryption, parallel programming, and web service. A headnode of cluster trusts the other because valid Certificate Authority (CA) is installed on both of headnode. CA which installed on headnode is called as Host CA. TCP/IP services is needed in headnode to send or receive data or execute jobs between two or more headnodes. There is two services in headnode which need to communicate a headnode to other, 1st is GridFTP service which is responsible in data transfer between two or more headnodes and 2nd is Web Service Container which is responsible in receiving jobs from user. Both services can be activated by installing Globus Toolkit which is de facto standard open source software for grid.

Read more »

 

Introduction

802.1x is an IEEE standard for port-based (well, we would rather say interface-based) enduser authentication on LANs. While it supports (and was initially designed for) Ethernet, the main current use of 802.1x is wireless users’ authentication as a part of the wireless security scheme provided by the 802.11i security standard. The 802.1x authentication chain consists of three elements:

  • Supplicant An end-user station, often a laptop, that runs 802.1x client software.
  • Authenticator A switch, a wireless gateway, or an access point to which the authenticating users connect. It must be configured to support 802.1x on the involved interfaces with commands like aaa authentication dot1x default group radius (global configuration) and dot1x port control auto (switch interface).
  • Authentication server A RADIUS server to which authenticators forward end users’ authentication requests for verification and authentication decision.

Cisco Switch

EAP-LEAP Basics

The Extensible Authentication Protocol (EAP) is used by all three 802.1x component devices to communicate with each other. It is extensible since many different EAP types exist for all kinds of authentication plans—for example, employing SIM cards, tokens, certificates, and more traditional passwords. Here we are interested only in Cisco-related protocols and products, thus the security weaknesses of EAP-LEAP are the target of the discussion.

Read more »

 

5

May

2009

VLAN Hoping Attack

By IPSECS Admin. Posted in Exploitation | Comments Off

Description

VLAN Hopping is an exploitation method used to attack a network with multiple VLANs. It is an attack that involves an attacking system to deploy packets. These packets have a destination of a system on a separate VLAN which would, in normal circumstances, not be accessible by the attacker. VLAN Hopping attacks are primarily conducted within the Dynamic Trunking Protocol (DTP). Often, VLAN Hopping attacks are directed at the trunking encapsulation protocol (802.1q or ISL).

Malicious traffic used for VLAN Hopping is tagged with a VLAN ID destined outside the VLAN on which the system conducting the attacks belongs to. An attacker can also attempt to behave and look like a switch, which will negotiate trunking, allowing the attacker to not only send, but receive traffic across more than one VLAN.

There are two common methods of VLAN Hopping; Switch Spoofing and Double Tagging.

Read more »

 

1

May

2009

Linux Kernel 2.6.x SCTP FWD Memory Corruption

By IPSECS Admin. Posted in Exploitation | Comments Off

Common Vulnerabilities and Exposures

http://cve.mitre.org/cgi-bi/cvename.cgi?name=CVE-2009-0065

“Buffer overflow in net/sctp/sm_statefuns.c in the Stream Control Transmission Protocol (sctp) implementation in the Linux kernel before 2.6.28-git8 allows remote attackers to have an unknown impact via an FWD-TSN (aka FORWARD-TSN) chunk with a large stream ID. “

Ubuntu Security Notice USN-751-1

http://www.ubuntu.com/usn/usn-751-1

“The SCTP stack did not correctly validate FORWARD-TSN packets. A remote attacker could send specially crafted SCTP traffic causing a system crash, leading to a denial of service. (CVE-2009-0065)”

RedHat Security Advisory

http://rhn.redhat.com/errata/RHSA-2009-0331.html

“a buffer overflow was found in the Linux kernel Partial Reliable Stream Control Transmission Protocol (PR-SCTP) implementation. This could, potentially, lead to a denial of service if a Forward-TSN chunk is received with a large stream ID. (CVE-2009-0065, Important) ”

Read more »