Zero for 0wned zine – ZF05

I know this is ‘old’ news, but I was a bit busy so could not post it here.

ZF05 has been released to stands where the ‘hackers hack the hackers‘ …hehe

Pretty interesting stuff. Make sure to read the hackers’ comments embedded in between the text – which by the way is pretty huge !!

Check it out at
Here’s a snippet of what to expect 🙂
– Kevin Mitnick
– Dan Kaminsky
– Hacking in gitmo
– darkmindz
– Binary Revolution
– hak5
– blackhat-forums
– …and many more

Anti-sec = Anti Script-kiddie movement ??

I know this blog is turning out to be a propaganda machine for the anti-sec guys, but let me assure you there’s no such thing going on here. It’s just that their antics are generating more interest day-by-day.

They have been in the news recently for some high-profile hacks of Astalavista and Imageshack and for declaring war on the security community (refer to previous posts for more information).

Well, now they are rumored to have released (or was it leaked ??) the OpenSSH 0-day (Open0wn.c) that helped them exploit vulnerable systems on the internet.

Thierry Zoller has disassembled the shellcode and found that it is actually a hex-coded IRC bot and the Linux command “rm -rf ~ /* 2> /dev/null”.
They seem to have taken their movements to new heights. If this 0-day was really released by the Anti-sec movement, then I’m sure their targets were unsuspecting script-kiddies who simply download exploits from the internet and run them against vulnerable systems.

Thierry has done a good job too. Check out his analysis here

For details check out the following links:

Open0wn.c source –> Securiteam and Code posted by str0ke

Shellcode Disassembly + IRC code –> Thierry Zoller’s analysis

Metasploit Unleashed – Mastering the Framework – FREE


Update 1: 22-September-2009: It’s here !! They’ve released the course contents. PDFs and videos can be bought later at a price. Head over to for more info

Keep an eye out for this !! Offensive-Security is coming up with a new security training track and they’re offering the slides and labs for free. The training videos will be available for a small fee, proceeds from which will go to Hackers For Charity, to help kids in Kenya and Uganda.

The course is expected to be released in late August 2009.

For more details visit the blog at Offensive-Security

Will update here as more details come in. I’m sure to be tracking this 🙂


Astalavista 0wned !! – The Story

Update 1: 15th July, 2009 – Anti-Sec has struck again. It seems they’ve launched a campaign against Full-Disclosure ! was the latest victim. This time too they have kept the logs, which show a vulnerability in lighthttpd.

The ‘Hacking Security Community’ was recently 0wned, literally, by an underground hacker group, Anti-Sec. The interesting thing about this attack was that the hackers posted their entire ‘attack log’ online. Leaving out some crucial details (like the 0day which they used to initiate the attack), they demonstrated the inherent weakness of the human mind. Though the attack was personally motivated, it serves as a good learning ground for beginners in the security field…what and where mistakes may occur.

For reference purposes, I’ve added the entire log of the attack here.

So what are the lessons learned from this real-world example?

1) You’re never safe from 0-day exploits. Even though it seems that the guys had patched their systems, the anti-sec people were able to launch a script and exploit their ‘LightSpeed’ web server to obtain a shell.
The contents of the script have not been disclosed and it’s speculated that the issue was certainly with LightSpeed which is based on the Apache software.
Interestingly, the shell returned had the ‘apache’ user privileges which allowed the attackers to read almost any file on the system. Note that the user ‘apache’ is not given a default ‘shell’ (check /bin/false), but I believe the ‘g0tshell’ had a shell payload.

2) The owners at Astalavista ‘did’ have some sort of password complexity for many of the users. But the issue lies elsewhere. The attackers were able to obtain plain-text passwords to FTP servers and DBs via configuration files and backup scripts.

3) Encrypt your passwords before storing them in the databases. As can be seen in the logs, the users of the database did not encrypt their passwords before storing them there. This requires proper configuration at the database application end.

4) DON’T type passwords onto the command line. The attackers were able to obtain a password to a MySQL database by listing the .bash_history . This file contains all commands typed into the bash prompt after every session (the current session is stored in the RAM). So it becomes necessary to avoid typing passwords into the command prompt. Rather, the server should throw back a password request where the user should type his password. Else expect yourself to be owned by any Tom, Dick and Harry who can view the .bash_history file.

5) Following on from the previous point, it is prudent to regularly (maybe after each session) clear your .bash_history file. Check here for pointers.

6) Anything else ??….right now I’m just able to recollect these points from memory. I might update this later if anything new comes up.
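
Lesson 4 can be checked on your own servers. The following is an added example (not part of the original post or the attack log) that scans shell-history text for commands carrying a password as an argument and reports them with the secret redacted; the patterns and the sample history are constructed for illustration.

```python
import re

# Constructed patterns: ways a password ends up as a command-line argument.
PATTERNS = [
    ("mysql client -p<password>",
     re.compile(r"\b(?:mysql|mysqldump|mysqladmin)\b.*?\s-p(?P<secret>\S+)")),
    ("--password option",
     re.compile(r"--password[=\s]+(?P<secret>\S+)")),
    ("credentials embedded in URL",
     re.compile(r"\b(?:ftp|https?)://[^\s:/@]+:(?P<secret>[^\s@]+)@")),
]


def scan_history(text):
    """Return (line_number, label, redacted_line) for each command that leaks a password."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#"):  # HISTTIMEFORMAT timestamp lines and comments
            continue
        for label, pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                start, end = match.span("secret")
                # Never echo the secret back into a report.
                findings.append((number, label, line[:start] + "****" + line[end:]))
                break
    return findings


# Constructed sample of a .bash_history file (not taken from the attack log).
# "mysql -u root -p forum_db" prompts for the password and must not be flagged.
SAMPLE_HISTORY = """\
cd /var/www/html
#1247650000
mysql -u root -pS3cretPass forum_db
mysql -u root -p forum_db
mysqldump --password=S3cretPass forum_db > /backup/forum.sql
wget ftp://backup:Ftp!Pass@ftp.example.com/site.tar.gz
ls -la
"""

if __name__ == "__main__":
    for number, label, redacted in scan_history(SAMPLE_HISTORY):
        print(f"line {number}: {label}: {redacted}")
```

The same function can be run over backup scripts, which is where lesson 2 says the FTP and DB passwords were found.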

Update 2: 22nd November, 2010: Remaining section of post removed

I hope it is understood that I do not condone such hacking activities. This post was just for educational purposes. As can be seen, we did learn a lot !!

Safe browsing 😉


Microsoft falters again !

A new vulnerability has been discovered in Microsoft IIS 6.0 which allows an attacker to access password-protected content on a website. The vulnerability arises because of the way IIS handles Unicode.

Microsoft has released security advisory 971492 and its follow-up

According to the advisory, the number of vulnerable systems is reduced by multiple factors:

* An IIS server not running WebDAV is safe. The Windows Server 2003 IIS (version 6) shipped with WebDAV disabled by default.
* An IIS server not using IIS permissions to restrict content to authenticated users is safe.
* An IIS server that does not grant filesystem access to the IUSR_[MachineName] account is safe.
* An IIS server that hosts web applications using only forms-based authentication is probably safe.

If your web server meets all of the following criteria, you will want to read on:

* IF an IIS 5, 5.1, or 6.0 webserver is running with WebDAV enabled;
* AND the IIS server is using IIS permissions to restrict a subfolder of content to authenticated users;
* AND file system access is granted for the restricted content to the IUSR_[MachineName] account;
* AND a parent folder of the private subfolder allows anonymous access;
THEN an anonymous remote user may be able to leverage this vulnerability to access files that normally would only be served to authenticated webserver users.

This vulnerability is primarily an information disclosure threat.

Thierry Zoller has made an excellent post explaining the vulnerability with graphical representation. It’s a must-read.

He made a reference to the SANS article on the original Unicode vulnerability in IIS 4.0 and 5.0 which explains the Unicode issues in depth.

There are a few tools that can be used to search for WebDAV-enabled servers on the network (referenced from Zoller’s blog):
* Specifically for this vulnerability: Metasploit added a test script to the trunk (use svn update to get the latest exploits)
* Webdav network scanner here
* Nmap webdav scanner

Till Microsoft releases a patch to fix this vulnerability, it’s best to disable WebDAV on IIS servers (SharePoint users beware).