Need Something To Hack?

Finally, after 2 months of a wild life (preparing my team {the 9 tails team} for the Gemastik 2011 Hacking Contest, with 24h of the craziest training I’ve ever done!), it’s time for me to take a little break here. Today’s post is about hacking lab stuff. In case you are searching for a hacking lab for your training, you might give this list a try. Happy hacking!
UltimateLAMP
UltimateLAMP is an Ubuntu VM running vulnerable services and containing weak accounts. The UltimateLAMP VM runs the following services: Postfix, Apache, MySQL, WordPress, TextPattern, Serendipity, MediaWiki, TikiWiki, PHP, Gallery, Moodle, PHPWebSite, Joomla, eGroupWare, Drupal, Php Bulletin Board, Sugar CRM, Owl, WebCalendar, Dot project, PhpAdsNew, Bugzilla, OsCommerce, ZenCart, PhpMyAdmin, Webmin, Mutillidae 1.5 (OWASP Top 10 Vulns)
Webgoat
WebGoat is a deliberately insecure J2EE web application maintained by
OWASP designed to teach web application security lessons. In each
lesson, users must demonstrate their understanding of a security issue
by exploiting a real vulnerability in the WebGoat application. For
example, in one of the lessons the user must use SQL injection to steal
fake credit card numbers. The application is a realistic teaching
environment, providing users with hints and code to further explain the
lesson.
Holynix
Similar to the De-ICE CDs and pWnOS, Holynix is an Ubuntu Server VMware image that was deliberately built to have security holes for the purposes of penetration testing. It is more of an obstacle course than a real-world example.
http://pynstrom.net/index.php?page=holynix.php
WackoPicko
WackoPicko is a website that contains known vulnerabilities. It was first used for the paper “Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners”, found at: http://cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf
De-ICE PenTest LiveCDs
The PenTest LiveCDs are the creation of Thomas Wilhelm, who was
transferred to a penetration test team at the company he worked for.
Needing to learn as much about penetration testing as quickly as
possible, Thomas began looking for both tools and targets. He found a
number of tools, but no usable targets to practice against. Eventually,
in an attempt to narrow the learning gap, Thomas created PenTest
scenarios using LiveCDs.
http://de-ice.net/hackerpedia/index.php/De-ICE.net_PenTest_Disks
Metasploitable
Metasploitable is an Ubuntu 8.04 server
install on a VMWare 6.5 image. A number of vulnerable packages are
included, including an install of tomcat 5.5 (with weak credentials),
distcc, tikiwiki, twiki, and an older mysql.
http://blog.metasploit.com/2010/05/introducing-metasploitable.html
Owaspbwa
Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications.
http://code.google.com/p/owaspbwa/
Web Security Dojo
A free open-source self-contained training environment for Web Application Security penetration testing. Tools + Targets = Dojo
http://www.mavensecurity.com/web_security_dojo/
Lampsecurity
LAMPSecurity training is designed to be a series of vulnerable virtual machine images along with complementary documentation designed to teach Linux, Apache, PHP and MySQL security.
http://sourceforge.net/projects/lampsecurity/files/
Damn Vulnerable Web App (DVWA)
Damn Vulnerable Web App is a PHP/MySQL web application that is damn
vulnerable. Its main goals are to be an aid for security professionals
to test their skills and tools in a legal environment, help web
developers better understand the processes of securing web applications
and aid teachers/students to teach/learn web application security in a
class room environment.
www.dvwa.co.uk/
Hacking-Lab
This is the Hacking-Lab LiveCD project. It is currently in beta stage. The live CD is a standardized client environment for solving our Hacking-Lab wargame challenges remotely.
http://www.hacking-lab.com/hl_livecd/
Moth
Moth is a VMware image with a set of vulnerable Web Applications and scripts, that you may use for:
http://www.bonsai-sec.com/en/research/moth.php
Exploit kb vulnerable web app
The exploit.co.il Vulnerable Web App is designed as a learning platform to test various SQL injection techniques. This is a fully functional web site with a content management system based on FCKeditor. You can download it as source code or pre-configured.
http://sourceforge.net/projects/exploitcoilvuln/
Gruyere
This codelab shows how web application vulnerabilities can be
exploited and how to defend against these attacks. The best way to learn
things is by doing, so you’ll get a chance to do some real penetration
testing, actually exploiting a real application. Specifically, you’ll
learn the following:
  • How an application can be attacked using common web security
    vulnerabilities, like cross-site scripting vulnerabilities (XSS) and
    cross-site request forgery (XSRF).
  • How to find, fix, and avoid these common vulnerabilities and other bugs
    that have a security impact, such as denial-of-service, information
    disclosure, or remote code execution.

To get the most out of this lab, you should have some familiarity with
how a web application works (e.g., general knowledge of HTML, templates,
cookies, AJAX, etc.).

Damn Vulnerable Linux (DVL)
Damn Vulnerable Linux  is everything a good Linux distribution isn’t.
Its developers have spent hours stuffing it with broken, ill-configured,
outdated, and exploitable software that makes it vulnerable to attacks.
DVL isn’t built to run on your desktop – it’s a learning tool for
security students.
http://www.damnvulnerablelinux.org
pWnOS
pWnOS is a “VM image” that creates a target on which to practice penetration testing, with the “end goal” of getting root. It was designed for practising the use of exploits, with multiple entry points.
http://www.backtrack-linux.org/forums/backtrack-videos/2748-%5Bvideo%5D-attacking-pwnos.html
Virtual Hacking Lab
A mirror of deliberately insecure applications and old software with known vulnerabilities. Used for proof-of-concept, security training and learning purposes. Available as virtual images, live ISOs or standalone formats.
http://sourceforge.net/projects/virtualhacking/files/
Badstore
Badstore.net is dedicated to helping you understand how hackers prey on
Web application vulnerabilities, and to showing you how to reduce your
exposure.
http://www.badstore.net/
BodgeIt Store
The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing.
Hackademic Challenges
The OWASP Hackademic Challenges is an open source project that can be used to test and improve one’s knowledge of information system and web application security. The OWASP Hackademic Challenges implement realistic scenarios with known vulnerabilities in a safe, controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through the attacker’s perspective.

Imam Syafi’i’s Advice … Go Abroad (Merantau)!

A learned and cultured person will not stay still in his hometown. Leave your land and wander to other people’s lands. Go, and you will find replacements for relatives and friends. Toil and tire yourself; the sweetness of life is felt after the weariness of struggle.

I have seen still water spoil because it stands held back. If it flows it becomes clear; if not, it turns murky and stagnant. The lion would never catch prey if it did not leave its den. The arrow, if it did not leave the bow, would never hit its target. If the sun in its orbit did not move and stayed still, surely people would tire of it and be reluctant to look at it. If the moon were forever full throughout the ages, people would not await the moment of its rising. A nugget of gold is like ordinary earth before it is dug from the mine; once mined and refined, people crowd to compete for it.

Agarwood is no different from ordinary wood in the forest; brought to the city, it becomes precious, sought after by the wealthy.

(Al-imam asy-Syafi’i)
https://dodoy2.wordpress.com/2011/01/14/merantaulah-nasihat-imam-syafii/

Seminar, Demo, and Book Review: Harmless Hacking: Malware Analysis and Vulnerability Development

A few years before the Internet became widely available to the public, perhaps 95% of the computers in the world at that time were still stand-alone, meaning not connected to a computer network. One of the means used to share information and data then was via disk. The computer viruses (virii) that existed at that time did not yet cause much computer damage, and their spread was limited. The arrival of the Internet changed all of this.

Today, millions of computers around the world can be hit by a virus within hours. Types of malware spread very quickly and the damage they cause keeps increasing. If a computer is connected to the Internet and poorly protected, it can likely be infected in under 4 minutes, and if the damage is severe enough, the computer becomes completely unusable. There are at least two of several main indications of how a computer becomes infected with malware: Running malicious files – A computer can be infected when a malicious file is run or viewed. These files can be received via removable media such as floppy disks, CDs, DVDs or flash drives. These dangerous files can also arrive via Instant Messenger file transfers or as files attached to email. You might tell yourself “I only need to worry about executable programs – EXE files.” Perhaps that was once true. But now that is no longer the case. There are many file types that people need to be wary of, and the list of such files grows every day.
Malicious Websites – this is the newest and most common method of spreading malware. A website with a security hole can have a script inserted – a small program designed to force the user’s computer to download and run malware. Often the user is unaware that this kind of malware attack is taking place until the computer has been infected and is spreading malware, quickly crippling the user’s computer.
So, what exactly is malware? Why can computers be attacked by malware? What impact does malware cause? How do you deal with these kinds of attacks? What tools are used to analyze it? What precautions need to be taken? What kinds of vulnerabilities need to be anticipated? Want to know the answers? Join the seminar, demo, and book review on “Harmless Hacking: Malware Analysis and Vulnerability Development,” by Mada R Perdana, author of the book and a digital forensics and computer security practitioner, at Kampus A – STIKOM Balikpapan, Jl. KP Tendean 2A, Balikpapan, Kalimantan Timur, on Saturday, 15 January 2011 at 9.00 WITA until finished, free of charge! To register, click HERE. Capacity is limited to only 100 people, hurry!

http://stmikbpn.ac.id/web/2011/01/10/seminar-demo-dan-bedah-buku-harmless-hacking-malware-analisys-and-vulnerabilty-development/

Malware… oh malware

This afternoon, when I was working at my college, I found an annoying nag screen from one of the antivirus applications which told me that the computer had been infected by a trojan. Since I had a curiosity about this kind of “software”, I decided to play around with the malware a little.
I decided to download some standard applications to help me analyze the malware. Here are some of the applications:
  • CaptureBAT
  • TCPView
  • Ollydbg
  • Process Monitor
  • Telnet
  • Mandiant Red Curtain
Ok, the antivirus said that the application which was suspected as a trojan was located at C:\Windows\ and named gwdrive32.exe. First I ran Process Monitor and tried to end all the processes. Next I ran CaptureBAT to watch the system with the -n prefix, so CaptureBAT would also capture some network activity. Next I ran TCPView to watch the network processes. From TCPView and Process Monitor, it was clear that besides the trojan itself there were also a lot of malware applications running as background processes.
From Mandiant Red Curtain and OllyDbg, I could tell that the application was built with Microsoft Visual Basic. Shortly after analyzing for some hours, I came to some conclusions.

File Info
Size:   143430
MD5:    a3f85d336559620eefc5681a3a2e6d13
SHA1:   37791dac9bf0b14354ec954e68de3b6adaab91fd
SHA256: 38c99bb7db6637cd5416f203dcf50c8487ccef75bab2a035491e82a40bf44061
Process Exited
• Keys Created
Name Last Write Time
LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer 2009.01.12 14:48:02.203
LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run 2009.01.12 14:48:02.234

• Values Created
Name Type Size Value
LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Microsoft Driver Setup REG_SZ 50 “C:\WINDOWS\gwdrive32.exe”
LM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup REG_SZ 50 “C:\WINDOWS\gwdrive32.exe”
LM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\TEST\sample.exe REG_SZ 92 “C:\TEST\sample.exe:*:C:\WINDOWS\gwdrive32.exe”
• Values Changed
Name Type Size Value
LM\System\CurrentControlSet\Services\SharedAccess\Epoch\Epoch REG_DWORD/REG_DWORD 4/4 0x57/0x58

• Files Created

Name Size Last Write Time Creation Time Last Access Time Attr
C:\WINDOWS\gwdrive32.exe 143430 2009.01.12 14:47:54.609 2009.01.12 14:48:02.187 2009.01.12 14:48:02.187 0x7
• Processes Created
PId Process Name Image Name
0x7cc sample.exe C:\TEST\sample.exe
• Processes Terminated
• Threads Created
PId Process Name TId Start Start Mem Win32 Start Win32 Start Mem
0x344 svchost.exe 0x170 0x7c810856 MEM_IMAGE 0x7c910760 MEM_IMAGE
0x7cc sample.exe 0x7d0 0x7c810867 MEM_FREE 0x0 MEM_FREE
• Modules Loaded
• Windows Api Calls
PId Image Name Address Function ( Parameters ) | Return Value
0x7cc C:\TEST\sample.exe 0x405f36 CopyFileA(lpExistingFileName: “C:\TEST\sample.exe”, lpNewFileName: “C:\WINDOWS\gwdrive32.exe”, bFailIfExists: 0x0)|0x1
• DNS Queries
DNS Query Text
aaaaaaaa.schooluni.us IN A +
• Description
Suspicious Actions Detected
Copies self to other locations
Creates autorun records
Creates files in windows system directory
Disables windows firewall
• Mutexes Created or Opened
PId Image Name Address Mutex Name
0x360 C:\WINDOWS\gwdrive32.exe 0x403d8a jng28gdcrg2fcs
0x360 C:\WINDOWS\gwdrive32.exe 0x403daf jng28gdcrg2fcs
0x360 C:\WINDOWS\gwdrive32.exe 0x771ba3ae _!MSFTHISTORY!_
0x360 C:\WINDOWS\gwdrive32.exe 0x771bc21c WininetConnectionMutex
0x360 C:\WINDOWS\gwdrive32.exe 0x771bc23d WininetProxyRegistryMutex
0x360 C:\WINDOWS\gwdrive32.exe 0x771bc2dd WininetStartupMutex
0x360 C:\WINDOWS\gwdrive32.exe 0x771d9710 c:!documents and settings!user!cookies!
0x360 C:\WINDOWS\gwdrive32.exe 0x771d9710 c:!documents and settings!user!local settings!history!history.ie5!
0x360 C:\WINDOWS\gwdrive32.exe 0x771d9710 c:!documents and settings!user!local settings!temporary internet files!content.ie5!
0x7cc C:\TEST\sample.exe 0x771ba3ae _!MSFTHISTORY!_
0x7cc C:\TEST\sample.exe 0x771bc21c WininetConnectionMutex
0x7cc C:\TEST\sample.exe 0x771bc23d WininetProxyRegistryMutex
0x7cc C:\TEST\sample.exe 0x771bc2dd WininetStartupMutex
0x7cc C:\TEST\sample.exe 0x771d9710 c:!documents and settings!user!cookies!
0x7cc C:\TEST\sample.exe 0x771d9710 c:!documents and settings!user!local settings!history!history.ie5!
0x7cc C:\TEST\sample.exe 0x771d9710 c:!documents and settings!user!local settings!temporary internet files!content.ie5!
• Events Created or Opened
PId Image Name Address Event Name
0x360 C:\WINDOWS\gwdrive32.exe 0x77a89422 Global\crypt32LogoffEvent
0x7cc C:\TEST\sample.exe 0x77a89422 Global\crypt32LogoffEvent
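As an added example (not part of the original post and not CaptureBAT's code), the script below turns report records like the ones above into the kind of "Suspicious Actions Detected" summary the report ends with, and collects the file path and domain a defender would block or hunt for. The one-record-per-line layout and the rules are constructed for this example; the registry paths, the CopyFileA call and the DNS name are the ones in the report.

```python
import re

# Constructed sample in a simplified one-record-per-line layout (assumed, not
# CaptureBAT's real output); the values are the ones in the report above.
SAMPLE_REPORT = r"""
VALUE LM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\Microsoft Driver Setup = "C:\WINDOWS\gwdrive32.exe"
VALUE LM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup = "C:\WINDOWS\gwdrive32.exe"
VALUE LM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\TEST\sample.exe = "C:\TEST\sample.exe:*:C:\WINDOWS\gwdrive32.exe"
API CopyFileA(lpExistingFileName: "C:\TEST\sample.exe", lpNewFileName: "C:\WINDOWS\gwdrive32.exe", bFailIfExists: 0x0)
DNS aaaaaaaa.schooluni.us IN A
"""

# Registry locations that give a binary persistence or a firewall exception.
AUTORUN_KEYS = ("\\currentversion\\run\\", "\\policies\\explorer\\run\\")
FIREWALL_POLICY = "\\firewallpolicy\\"
FIREWALL_APPS = "\\authorizedapplications\\list\\"
SYSTEM_DIRS = ("c:\\windows\\",)


def analyze(report: str, sample_path: str) -> dict:
    """Map report records to suspicious actions and collect indicators to block."""
    actions = set()
    indicators = {"files": set(), "domains": set()}
    for line in report.splitlines():
        kind, _, rest = line.strip().partition(" ")
        if kind == "VALUE":
            path, _, value = rest.partition(" = ")
            lpath = path.lower()
            if any(key in lpath for key in AUTORUN_KEYS):
                actions.add("Creates autorun records")
                indicators["files"].add(value.strip('"'))
            if FIREWALL_POLICY in lpath and FIREWALL_APPS in lpath:
                actions.add("Adds a Windows Firewall exception for itself")
        elif kind == "API" and rest.startswith("CopyFileA("):
            # Pull the quoted string arguments out of the logged call.
            args = dict(re.findall(r'(\w+): "([^"]*)"', rest))
            src = args.get("lpExistingFileName", "")
            dst = args.get("lpNewFileName", "")
            if src.lower() == sample_path.lower():
                actions.add("Copies self to other locations")
            if dst.lower().startswith(SYSTEM_DIRS):
                actions.add("Creates files in windows system directory")
            indicators["files"].add(dst)
        elif kind == "DNS":
            indicators["domains"].add(rest.split()[0])
    return {"actions": sorted(actions), "indicators": indicators}


if __name__ == "__main__":
    result = analyze(SAMPLE_REPORT, "C:\\TEST\\sample.exe")
    print("\n".join(result["actions"]))
    print(sorted(result["indicators"]["files"]), sorted(result["indicators"]["domains"]))
```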