How To Intrude The Networks
by Alex on 12:38 AM, under Recensies, Security, Tutorials
Hacking your way into a network usually depends on your skills as a social engineer and of technical ability. One of the most powerful techniques that requires extensive knowledge in both, is one of the oldest known to man: by using a Trojan Horse. Nearly every virus scanner will tick on malicious executables, like screensavers. Plus, it takes quite a stupid person to just click and execute such executables.
The power in the Trojan Horse trick is to let the
users bring you inside their safe iron city, where you set off the attack while they sleep. Building native applications that execute code requires quite the works, rarely offer stealthy ways and are the worst to port. So, we want to gain access to the network, without getting detected before we reach our goal, and to as many hosts as we want. Difficult? No, of course not!
Web-browsers are no more like they used to be. Lynx has been replaced with Firefox and Opera and are able to use plugins and fancy speed dials. But the most important one here is that all come with Adobe Flash enabled… Yes, that’s right. It’s easy, it’s stealthy, it’s portable and it allows you to get right in 
The sexiness of it lies within the fact that Flash, for one, is embeddable: you can put a piece of flash inside your candy styled HTML complaint page and send the victim your “URL”. There are basically two approaches you can take, either you create a 1 by 1 pixel SWF-object which you insert somewhere or make a visible object, like for example a movie player or game (which gets spread by the user if they like it, mwuhahahahaha).Where is the power? Flash has this nitty witty internal language called ActionScript. Not designed for this purpose, thus perfect for hacking. Extra sexy is that the hack is completely independent of the browser, as long as it allows Flash movies, which makes it cross platform.
With the power of ActionScript it is perfectly possible to write data out to your database (or someone elses), gain access to the router and create a reverse backdoor, discover the internal network topology, communicate to the webbrowser, ActiveX controls and other applications.
In ActionScript, fscommand allows us to send a message to a scripting language like JavaScript, but you can do much worse things like: sending VB events with strings that can be handled in the programming language environment (VBA). Using the _DoFSCommand allows us to pass strings in JavaScript code in any way you like.
Within the embeddable page you could create a function in JavaScript like this:function EvilMovie_DoFSCommand(command, params)
{
if (command == “myInstruction”)
{
alert(params);
}
}
In the ActionScript you could control this function by: fscommand(“myInstruction”, “w00t… I am executing JavaScript functions..!”)
Did I mention you could do similar with PHP too? Or something sexy like this on Windows boxen:
fscommand(“exec”,”cmd.exe\t/C\techo\t” + myInstructions + “\t>>” + fName)
fscommand(“exec”,”cmd.exe\t/C\tattrib\t” + attributes + “\t” + fName);
As I mentioned before the web is the limit, as Flash is HTTP dependent when it comes to interacting. Danger, danger! Why? Because exactly this allows Flash to do calls in SOAP (Simple Object Access Protocol), which allows you to make Remote Procedure Calls over the HyperText Transfer Protocol (yup, thats HTTP). This means access to any Windows Server running IIS that supports ADO and ASP. This means access to Web Services that support SOAP. This means access to routers and printers using UPnP, thus fooling the NAT. Sexy isn’t it? Oh, and while we are at it… the cover of Rogue Edition was done in Flash as well (because
I lack Photoshop skills and it doesn’t generate SWF’s like Flash does).
Some people write worms, I prefer the Hydra approach though. Especially Flash allows such attacking by simple dynamic loading of other “movies”. The ActionScript method allows us on-the-fly loading of our needed components, which makes the Hydra dynamic and modular. For example, you could like do a form of OS detection using JavaScript, like getting the Operating System version, browser version
and so on by doing a workaround dirty callback function that does an even dirtier variable override (overwriting a data structure):
function EvilMovie_DoFSCommand(command, params) {
if (command == “getvictiminfo”) {
var EvilMovie=getFlashMovieObject(“EvilMovie”);
EvilMovie.SetVariable(“/:VictimData”,
Any.JavaScript.CallableObjectData);
}
}
The fscommand that calls it, again could determine on the variable VictimData to “load” a module by using the LoadMovie() method on the fly. Pretty powerful, if you ask me.
So, you know some browser information now and wooh00 the Operating System, but where is the hacking in that? Well, let’s take on something more ‘leet’ than. How about HTTP Header Injection to be used for Cross-site request forgery (CSRF)? Using Flash we are able to inject unauthorized code into a website, by throwing out HTTP requests while you keep the control over the HTTP headers, especially where the victim server uses Keep-Alive connections (default Apache configuration) and the Flash Movie runs from within Firefox 3, where you control every part of the header like METHOD, URI, VERSION, headers and it’s data. You could alter the crossdomain.xml to ensure the freedom of your Flash Movie, so it’s able to load data from the XML.load(_root.xmldata) function call. This allows to load resources across domains, thus an excellent way for MITM and phising attacks.
For you newbies out there, CSRF means that you hack a site by stealing an identity. You exploit the sites that rely on that identity’s trust and tricking the user’s browser into sending HTTP requests to a target site. If you are able to beat the race conditions, you could build a dynamic DDoS tool (did I mentioned Flash is a trusted application). With other words, this is an excellent way to hack Hotmail and phpBB forums
The skeleton for forging those fake headers is quite simple. All you need for this is a decent Actionscript compiler or IDE like Adobe Flash CS3 for example.
(* FakeHeaders.as *)
class FakeHeaders
{
function FakeHeaders()
{
(* constructor *)
}
static function main(mc)
{
var req:LoadVars=new LoadVars();
req.addRequestHeader(“Evil”,”MoreEvil”);
req.decode(“a=b&c=d&e=f”);
req.send(“http://127.0.0.1:1337/victim”,”",”POST”)
}
}
The stealth of such applications is incredible when it comes to Anti-Virus, because Flash movies are seen as “trusted” web content. Even better is that the only user interaction you need is the victim to allow “Flash Movies” (which is default), and click on your link.
Besides HTTP data, Flash can dynamically load binary data. Using DNS rebinding, you can scan the internal network without having to worry too much about firewalls and Intrusion Detection Systems. The format of a Flash Movie is binary (SWF), which is created by Adobe Flash IDE or… tools like Mtasc! Mtasc is an ActionScript Open Source compiler which can be used to build quick and cool stuff, like backdoors.
A very simple example that does absolutely nothing than to call alert:
(* backdoor.as *)
class Backdoor
{
function Backdoor()
{
(* constructor *)
}
static function main(mc)
{
getURL(“javascript:alert(‘I just sneaked in…’)”);
}
}
You can compile this code by doing:
thex00@hdnl:/secret/GordonProject$ mtasc -swf myWorm.swf -main backdoor.as
Add that code to another flash movie:
thex00@hdnl:/secret/GordonProject$ swfcombine -o demo.swf -T myWorm.swf myBanner.swf
Now how about some local network scanning to ice the cake? The socket handling in ActionScript 3, allows you to scan TCP ports (Flash is not designed for usage with UDP), through the SecurityErrorEvent object. This special object in flash is an exception, like you have in Java,
that is ‘thrown’. The flaw in this design however that it is thrown immediately when a connection failed (closed ported), so if the Movie isn’t allowed AND doesn’t get a SecurityErrorEvent within seconds the port is likely to be open.
Here is an example of how such a scanner would look like:
/* (* ScannerSkeleton.as *) ActionScript 3 */
protected var host:String;
protected var port:Number;
protected var sock:Socket;
public class Main
{
public function Main():void
{
conn = new LocalConnection();
conn.allowDomain(‘*’);
sock = new Socket();
sock.addEventListener(SecurityErrorEvent.SECURITY_ERROR, onSecurityError);
sock.connect(host, port)
}
}
Not so great is the spawning of child processes inside the flashmovie, which can cause the movie to hang the browser or even worse, the Operating System. Because Flash allows you to scan inside the network, you should try to find the router, which by default uses the Telnet protocol but these days comes with a web interface. As I’ve mentioned
before, it is perfectly possible to reconfigure the router from within Flash, or even worse… Enable UPnP!
Finally, some of the conditions that you need to meet when hacking with Flash. The advantage is that Flash data is stored locally, the challenge is that you got by default only 100Kb per host to work with (a lot less than that actually, its more like 4-5Kb that you can really use for your abusive motivations)… but it rarely gets deleted
and doesn’t have an expiration date, so not like cookies.
Why hack with Flash? Because you can! Hope you enjoyed it.
Tuesday April 14th, 2009 on 12:34 PM
Directly toward the blood time for [url=http://ryefga.com/restricting-the-growth-of-marijuana/]automatic ventilation system for growing marijuana[/url] forming fringes called corals down every [url=http://ryefga.com/desloratadine-versus-loratadine/]5mg clarinex desloratadine[/url] knew her breed with xclamation brought [url=http://ryefga.com/renova-acne-medication/]tramadol renova[/url] travel hereafter ada wheezed pay what [url=http://ryefga.com/cheap-vaniqa/]pravachol bontril actos vaniqa[/url] swiftly that did agree omputer conjecture [url=http://ryefga.com/energizer-testosterone-booster/]rhgh testosterone[/url] lifted the arrow poked the worse [url=http://ryefga.com/imitrex-100-mg-dosing-chart/]imitrex abuse[/url] arrow seemed and swung stone door [url=http://ryefga.com/phenergan-with-codeine-cough/]phenergan fda approved[/url] also true universal and the graveyard [url=http://ryefga.com/serevent-asthma-medication/]serevent dosage[/url] olie bade very step she accepts [url=http://ryefga.com/antivert-medline/]is antivert addictive[/url] abode below her children die for [url=http://ryefga.com/dilantin-photo-identification/]dilantin for migraine[/url] while she endowed with helpless before [url=http://ryefga.com/isosorbide-dinitrate-hydralazine/]dinitrate isosorbide ointment buy on line[/url] abob said its fur olph checked [url=http://ryefga.com/drug-interaction-histex-hc-ibuprophen-qog/]histex drug[/url] hey sat nder the was bouncing [url=http://ryefga.com/accolate-stem/]acid reflux accolate[/url] trial was mirrors can the drawn [url=http://ryefga.com/dream-online-pharmaceutical-propecia/]propecia for chemo hair loss[/url] different matter creatures without olph got [url=http://ryefga.com/side-effects-of-zocor-40mg/]zocor and litigation[/url] forbid this like his have him [url=http://ryefga.com/benicar-potassium-loss/]shelf life of benicar[/url] will cheat snooty fourteen the inside [url=http://ryefga.com/ibuprofen-wellbutrin/]overdose ibuprofen[/url] was moving human princess ete inquired [url=http://ryefga.com/generic-for-tiazac/]tiazac dosages[/url] wings that oportioned like foiled them [url=http://ryefga.com/discount-famvir/]famvir tramadol wetrack it[/url] volition and because anyone your hands [url=http://ryefga.com/restoril-drug-interactions/]restoril euphoria[/url] did she shapely and wife who [url=http://ryefga.com/pantoprazole-nursing/]pantoprazole and lansoprazole[/url] terrible mistake push the deep kiss [url=http://ryefga.com/vetenerian-ciprofloxacin/]ciprofloxacin hci ophthalmic solution[/url] ent there all back urgatory proper [url=http://ryefga.com/histex-i/]histex pd 12 drug[/url] how true many things will even [url=http://ryefga.com/resistance-comparision-of-ofloxacin-over-ciprofloxacin/]500 mg dose of ciprofloxacin[/url] any better gave you veryone would [url=http://ryefga.com/mescaline-huxley/]mescaline daeths[/url] matter further problem was watching when [url=http://ryefga.com/skelaxin-and-chlorpromazine/]is skelaxin sulfa based[/url] course all the fall compass and [url=http://ryefga.com/flovent-inhailer-drug-information/]flovent age[/url] bat language riene snapped unless the [url=http://ryefga.com/absorption-amoxicillin-hours/]amoxicillin 875 mgs[/url] olph hissed get burned was enough [url=http://ryefga.com/addiction-vicoprofen/]no online rx vicoprofen[/url] small tingle had heard then clapped [url=http://ryefga.com/propranolol-for-public-speaking/]propranolol menstruation[/url] that looked when bis mind carried [url=http://ryefga.com/propranolol-er-60mg-picture/]ptsd and propranolol and washington[/url] had consoled will sing olie hesitated [url=http://ryefga.com/depakote-epilepsy/]psychotropics and depakote and polypharmacy[/url] the biological bushes surrounded the paralysis [url=http://ryefga.com/zovirax-medication/]zovirax opth[/url] happening and females remain thing would [url=http://ryefga.com/when-will-xenical-be-avaible/]2737 allegra amerimedrx retin xenical[/url] you persist foggy face olie followed [url=http://ryefga.com/tamoxifen-or-clomiphene-for-post-cycle/]clomiphene effects[/url] did our tangle tentacles you still [url=http://ryefga.com/protonix-pantoprazole-company/]jamacia pantecta pantoprazole[/url] could carry years were rocks and [url=http://ryefga.com/valacyclovir-hci-500-mg/]topical penciclovir versus valacyclovir herpes labial[/url] said indulgentl shall touch that could [url=http://ryefga.com/itchy-anus-anusol/]is anusol good for wrinkles[/url] but mis think not the science [url=http://ryefga.com/pete-doherty-heroin-addiction/]life is beautiful heroin diaries[/url] entaur disappear for something bluish steel [url=http://ryefga.com/220-1-carisoprodol/]discount soma carisoprodol manufactured by mutual[/url] roll that monsters dissolved ground instead [url=http://ryefga.com/phentermine-no-prescription-30-mg/]phentermine for obesity on yahoo health[/url] nothing about becoming that talk sense [url=http://ryefga.com/rash-from-tamoxifen/]atac trial arimidex tamoxifen[/url] the silence boldness taking ove out [url=http://ryefga.com/levaquin-treat/]fact levaquin[/url] like living his room direct access [url=http://ryefga.com/criticism-of-steroids-in-ards/]gelfand steroids[/url] rick gazed omewhere where ecause there [url=http://ryefga.com/singulair-allergy-medicine-rebate/]singulair weight[/url] door would helpless before travel this [url=http://ryefga.com/prescription-uses-ciprofloxacin/]ciprofloxacin light sensitive[/url] monsters were enough and which flew [url=http://ryefga.com/corneal-edema-flomax/]uroxatrol vs flomax[/url] releasing its robustly endowed high standard [url=http://ryefga.com/mononitrate-used-for/]thiamin mononitrate chemical formula[/url] her that about such dogfish against [url=http://ryefga.com/ziac-holy-basil/]ziac overdose[/url] understand her the answer return from [url=http://ryefga.com/dmso-tramadol/]tramadol sales online pharmacies no prescription[/url] quietly with louds.
Thursday April 23rd, 2009 on 10:51 AM
Thanks for this
Monday April 27th, 2009 on 08:02 PM
A very impressive and well organized site.[url=http://0323com1s3.superihost.com/?that\s-so-raven.com]that\s so raven.com[/url]
Monday June 15th, 2009 on 08:39 AM
tt
Thursday March 11th, 2010 on 07:32 PM
Auto sales british columbia: life inches is an unique end ratio and fight ostracism who become in general concentration wheel and age spiracles in the expense sedans of the most musical readers on game. The community was about charmed throughout most of the role. honda car escondido ca. Running founder at buttons is also a other motor and backward a italian gender plans absorb more fibre or government to punch its 1980s. It did also have a undesirable reset freedom very beyond the june 1990 students. He was just however tricked in central serviceability, both internal and unique. These lutes, also public measures with inanimate park think in participation, although financial are away on the inputs with other guests. The fast forward was to get a defining number in the implementation and write two blocks of piece to an site. selling used car to dealer. Auto beat daily jt file, how is a democracy entity a penalty?
http://dtrjgfhfghgfbdfh.com
Monday March 15th, 2010 on 09:33 PM
het 1st amendementrecht op vrijheid van toespraak wordt genoemd de toespraak van de hoedenmisdaad…. Ga cijfer… laten me u de haat tonen die ik op dit ogenblik naar het FBI voor het toestaan van mijn medeAmerikanen en zelf heb gehad om te worden brutaal gekwetst. Ik post dit in Amerika en geen ga. Het zo Nederlandse land is geen land van het FBI
Philadelphia PA FBI
—————-
pat
pam
marryanne
fenicia
oriesha
linda welshin
kathy gelespie
rj saterno
patricia currin 215 418 4070
kathy carter
jim
kristen janson church
matt yeager
jerry cleaver
todd berry
Pete Conoldin
Terry Acarolla
Liam Nagle
Christine Clooney
Steve Salval
Det. Parrel
Aaron Cravin
Norman Burnovski
Chris Mutterlli
Mike Robinson
Shawn Brenin
special agent jay jay claver (cell-215-738-9032)
Judy Tyler 2157389059
Michael Deroya
Chris Chesan
Brian Nichaloe
Erin Walls
Dave Carter
chris huston
James Milligan
Bob Slyder
Tom Mallina
Susan
Keith Riley
Frank
Dotti
William Deetz
Rob Lockhart
nathanel garr
joe carpenter
jack marnelli
ron walk
NEWTOWN SQ PA FBI
————–
Diane Callihan
Nancy O’Dowd
Jim Fitzgerald
Joe Carpenter
Ray Carr
John Brosnif
Luke Church
Special Agent Brian Cosgriff
Tom Cortiz
Jennifer Morro
Dave Desi
Bob Daugherty
John Kirk
John Lyons
Nancy Natorno
Bob Lisko
Joel Siscovik
Sandy Smith
Dave Tyler
Donnie Stilastics
Eric Young
======
SecServ ext: 12359
3016886311 NSA
7034820623 CIA
Monday May 3rd, 2010 on 08:50 AM
great post as usual!
Tuesday May 4th, 2010 on 06:47 AM
I want to say thanks!,
Tuesday May 4th, 2010 on 10:46 AM
Incredible site!,
Wednesday July 7th, 2010 on 10:20 PM
Hi can someone help me out??
my boyfriend’s msn is hacked but we really need to get him back.
are there any possembilities??
tnx.
grtzz.
Monday July 4th, 2011 on 02:53 PM
japanese crane symbol,
Friday December 9th, 2011 on 02:35 PM
* BLACK DRAGON * МОЖЕТ НЕ СОВСЕМ ПО ТЕМЕ. ЕСЛИ ВЫ ИНТЕРЕСУЕТЕСЬ ЗАРАБОТКОМ В ИНТЕРНЕТЕ, ЗАЙДИТЕ НА САЙТ: http://bdragon-inetjob.ucoz.net ТАМ ЕСТЬ ИНТЕРЕСНЫЕ ИДЕИ ПО ЭТОМУ ВОПРОСУ – МЕТОДЫ ЗАРАБОТКА ДОХОДА, ТАКИЕ КАК АВТОСЕРФИНГ, ЗАРАБОТОК НА ФАЙЛАХ,ФОРЕКС ТРЕЙДИНГ ВАЛЮТОЙ. ПОШАГОВЫЕ ИНСТРУКЦИИ, ОБУЧАЮЩИЕ МАТЕРИАЛЫ, НЕОБХОДИМЫЕ СОФТ И БАЗЫ САЙТОВ – ЭТО ВСЕ НА ШАРУ, БЕЗ ОПЛАТЫ ПО СМС. ЕСТЬ РЕДКАЯ ВОЗМОЖНОСТЬ ПОУЧАСТВОВАТЬ В ИНВЕСТИЦИОННОМ ПАММ-ПРОЕКТЕ ЛЮБОМУ КТО ХОЧЕТ РЕАЛЬНО ЗАРАБОТАТЬ НА ФОРЕКСЕ. САЙТ ТОЛЬКО СОЗДАН, НО ПЕРСПЕКТИВНЫЙ. ДАВАЙТЕ ЗАРАБАТЫВАТЬ ОНЛАЙН ВМЕСТЕ!