Category Archives: Information Security

quasiBot ( complex webshell manager )

QuasiBot is a complex webshell manager written in PHP, which operates on web-based backdoors implemented by the user. Using prepared PHP backdoors, quasiBot works as a C&C, trying to communicate with each backdoor. The tool goes beyond average web-shell managers, since it delivers useful functions for scanning, exploiting and so on. It is a quasi-HTTP botnet, hence the name. quasiBot also allows you to perform various bruteforce attacks on services such as FTP, SSH or databases.

All data about bots is stored in an SQL database; at the moment only MySQL is supported. A TOR proxy is also supported; the goal was to create a secure connection between the C&C and the backdoors: using SOCKS5, it is able to torify all connections between you and the web server. All configuration is stored in the config file. QuasiBot is still under construction, so I am aware of potential bugs.

You will need any web server software; tested on Linux, Apache 2.2 and PHP 5.4.4. Fully written in PHP.

Download QuasiBot

# How it works?

  • quasiBot operates on web-shells delivered by the user; each backdoor is verified by an md5 hash which changes every hour
quasiBot (C&C) -[request/verification]-> Bots (Webshells) -[response/verification]-> quasiBot (C&C) -[request/command]-> Bots (Webshells) -[response/execution]-> quasiBot (C&C)

  • Backdoors come in two types, with and without the DDoS module; the source code is included and displayed on the home page;
  • The connection between the C&C and the server is handled by curl; a TOR proxy is supported, and the User Agent is randomized from an array
quasiBot (C&C) -[PROXY/TOR]-> Bots (Webshells) <-[PROXY/TOR]- quasiBot (C&C)
  • Webshells can be removed and added in the ‘Settings’ tab; they are stored in the database
  • The ‘RSS’ tab contains the latest exploit and vulnerability feeds
  • The ‘RCE’ tab allows you to perform Remote Code Execution on a specific server using the selected PHP function
  • The ‘Scan’ tab allows you to resolve an IP or URL and perform a basic scan using nmap, dig and whois – useful in the information-gathering phase
  • The ‘Pwn’ tab stands for a few functions which generally help collect information about the server and try to find exploits for the currently used OS version using the Exploit Suggestor module
  • ‘MySQL Manager’, as the name says, can be used to perform basic operations on a specific database – it can be helpful while looking for config files that include MySQL connections on the remote server; it also displays some information about its environment
  • The ‘Run’ tab allows you to run a specific command on every bot at once
  • The ‘DDoS’ tab allows you to perform UDP DoS attacks using all bots or a single one; the expanded backdoor is required
  • The ‘Shell’ tab allows you to spawn a reverse or bind shell; you may pick between a few languages that will be used for creating the reverse shell
  • You may enable the authorisation module; the user is validated by session, and auth credentials are stored in the config file, not in the DB; using Cookie Auth, the user won’t be able to use quasiBot until a specific cookie is used
  • The ‘Bruteforce’ category consists of a few modules, which allow you to perform single or massive attacks on FTP, SSH, MySQL, PgSQL, MSSQL and WordPress
  • Cracked credentials are stored in the database; bruteforce on websites can be done via TOR
  • The whole front-end is maintained by a pleasant, functional interface

# Screens

Home

Hack

Bruteforce

Tools

Bots

# Running quasi for the first time

  • Move all files to the prepared directory and change the default settings in the config file (config.php)
  • Visiting quasiBot for the first time will create the needed database and its structure
  • In the ‘Settings’ tab you are able to add and delete shells; you’re ready to go
  • Using authorisation? To log out, simply add the logout GET parameter to the current URL, like quasi/index.php?logout

# Misc

Todo:

  • Windows support in ‘PWN’ module
  • Bruteforce WWW: Joomla
  • Optimization
  • ???

Changelog:

  • 0.3
    – Bruteforce: SSH, FTP, WWW, DBs
    – Details
  • 0.2
    – Added authorization (Sessions / Cookie Auth)
    – Added Shell Module (Reverse / Bind shell)
    – Added Linux Exploit Suggestor module

Reference : https://github.com/Smaash/quasibot

RIPS – PHP Security Analysis

RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.

Download packet RIPS –> https://sourceforge.net/projects/rips-scanner/

Unzip packet to /var/www/html/rips

Access url via localhost web –> http://localhost/rips/index.php

To analyse a PHP script, enter the file or path and click scan

Cheers – Andito Yugo Wicaksono

Source Code Analysis Tools

Open Source or Free Tools Of This Type

Bandit – Bandit is a comprehensive source vulnerability scanner for Python

Brakeman – Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications

Codesake Dawn – Codesake Dawn is an open source security source code analyzer designed for Sinatra, Padrino for Ruby on Rails applications. It also works on non-web applications written in Ruby

FindBugs – Find Bugs (including a few security flaws) in Java programs

FindSecBugs – A security-specific plugin for FindBugs that significantly improves FindBugs’ ability to find security vulnerabilities in Java programs

Flawfinder – Scans C and C++

Google CodeSearchDiggity – Uses Google Code Search to identify vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, GitHub, and more. The tool comes with over 130 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more. Essentially, Google CodeSearchDiggity provides a source code security analysis of nearly every single open source code project in existence – simultaneously.

PMD – PMD scans Java source code and looks for potential code problems (this is a code quality tool that does not focus on security issues)

PreFast (Microsoft) – PREfast is a static analysis tool that identifies defects in C/C++ programs. Last update 2006.

Puma Scan – Puma Scan is a .NET C# open source static source code analyzer that runs as an IDE plugin for Visual Studio and via MSBuild in CI pipelines.

RIPS – RIPS is a static source code analyzer for vulnerabilities in PHP web applications. Please see notes on the sourceforge.net site.

SonarQube – Scans source code for more than 20 languages for Bugs, Vulnerabilities, and Code Smells. SonarQube IDE plugins for Eclipse, Visual Studio, and IntelliJ provided by SonarLint.

VisualCodeGrepper (VCG) – Scans C/C++, C#, VB, PHP, Java, and PL/SQL for security issues and for comments which may indicate defective code. The config files can be used to carry out additional checks for banned functions or functions which commonly cause security issues.

Xanitizer – Scans Java for security vulnerabilities, mainly via taint analysis. The tool comes with a number of predefined vulnerability detectors which can additionally be extended by the user.

Source : https://www.owasp.org/index.php/Source_Code_Analysis_Tools

FoxyProxy

What is FoxyProxy ?

FoxyProxy sells reliable, fast, secure VPN and proxy servers in 68+ different countries with 5 ways to connect. Our free proxy and VPN management tools set industry standards as far back as 2006, with our award-winning Firefox addons used by millions.

[1] To install it, add the add-on directly through the Mozilla Firefox web browser

[2] Once it is installed, open FoxyProxy and create a new proxy; as an example we will use localhost

– Select a mode to enable the proxy

Cheers – Andito Yugo Wicaksono

Install Burp Suite on Ubuntu 16.04

[1] Download https://portswigger.net/burp/freedownload/

[2] Change into the directory containing the downloaded Burp Suite file and run the installer

sh burpsuite_free_linux_v1_7_26.sh
Unpacking JRE ...
Starting Installer ...

OK, Burp Suite has been installed successfully

How to use??

[1] Open Burp Suite; the proxy setting in the browser is handled with FoxyProxy.

[2] Go to the target’s login page and enter the username and password on the login page.

[3] Configure the proxy in Burp Suite

[4] View the intercepted packet; run FoxyProxy in the browser before intercepting packets. Click Forward to perform the intercept.

Bingo, the username, password and PHP session have been obtained.

Reference Web Application Attack

Hacking Web Authentication – Part 1

Hacking Web Authentication – Part 2

W3af walkthrough and tutorial

Discovery and Audit plugins

Remaining plugins

w3af walkthrough and tutorial part 4 – w3af tools, profiles and scripting

Cheers – Andito Yugo Wicaksono

dsniff

Dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for private data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

[1] Here is how to install dsniff on Ubuntu 16.04

sudo apt-get install dsniff

Or download the package directly from the link related to dsniff

[2] Usage can be seen with the command below

dsniff --help
dsniff: invalid option -- '-'
Version: 2.4
Usage: dsniff [-cdmn] [-i interface | -p pcapfile] [-s snaplen]
[-f services] [-t trigger[,...]] [-r|-w savefile]
[expression]

[3] As an example, to sniff on an interface:

sudo dsniff -i eth0

Cheers – Andito Yugo Wicaksono

mod_security

Using the mod_security module to configure a Web Application Firewall (WAF).

[1] Install mod_security

yum -y install mod_security

[2] After installation, configure the mod_security file in its directory and set it to enabled. Once configured, add rules.

# cat /etc/httpd/conf.d/mod_security.conf 
<IfModule mod_security2.c>
 # ModSecurity Core Rules Set configuration
 IncludeOptional modsecurity.d/*.conf
 IncludeOptional modsecurity.d/activated_rules/*.conf
 
 # Default recommended configuration
 SecRuleEngine On
 SecRequestBodyAccess On
 SecRule REQUEST_HEADERS:Content-Type "text/xml" \
......................................................
.....................................................

[3] Below is an example of simple rules

# default action when matching rules
SecDefaultAction "phase:2,deny,log,status:406"

# "etc/passwd" is included in request URI
SecRule REQUEST_URI "etc/passwd" "id:'500001'"
SecRule REQUEST_URI "home" "id:'500005'"

# "../" is included in request URI
SecRule REQUEST_URI "\.\./" "id:'500002'"

# "<SCRIPT" is included in arguments
SecRule ARGS "<[Ss][Cc][Rr][Ii][Pp][Tt]" "id:'500003'"

# "SELECT FROM" is included in arguments
SecRule ARGS "[Ss][Ee][Ll][Ee][Cc][Tt][[:space:]]+[Ff][Rr][Oo][Mm]" "id:'500004'"

--------------------------------------------------------------------
# Restart httpd
systemctl restart httpd

[4] Access a web page that is blocked by the rule

[5] General rules are provided from the official repository and are easy to apply. But you may need to tune them for your own website so that they do not block required requests.

yum -y install mod_security_crs
cd /usr/lib/modsecurity.d/base_rules
ll
modsecurity_35_bad_robots.data
modsecurity_35_scanners.data
modsecurity_40_generic_attacks.data
modsecurity_41_sql_injection_attacks.data
modsecurity_50_outbound.data
modsecurity_50_outbound_malware.data
modsecurity_crs_20_protocol_violations.conf
modsecurity_crs_21_protocol_anomalies.conf
modsecurity_crs_23_request_limits.conf
modsecurity_crs_30_http_policy.conf
modsecurity_crs_35_bad_robots.conf
modsecurity_crs_40_generic_attacks.conf
modsecurity_crs_41_sql_injection_attacks.conf
modsecurity_crs_41_xss_attacks.conf
modsecurity_crs_42_tight_security.conf
modsecurity_crs_45_trojans.conf
modsecurity_crs_47_common_exceptions.conf
modsecurity_crs_48_local_exceptions.conf.example
modsecurity_crs_49_inbound_blocking.conf
modsecurity_crs_50_outbound.conf
modsecurity_crs_59_outbound_blocking.conf
modsecurity_crs_60_correlation.conf
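To see what the simple rules from [3] actually match, and to illustrate the tuning point from [5], here is an added Python emulation (not part of the original post and not ModSecurity code) that applies the five SecRule patterns above to a few constructed request URIs. It assumes ModSecurity semantics only as stated in the comments: REQUEST_URI is matched after URL decoding (as the t:urlDecode transformation would do) and ARGS covers query-string names and values.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# The five SecRule patterns from the config above, in file order, keyed by rule id.
# ModSecurity uses PCRE, so the POSIX class [[:space:]] is written as \s for Python's re.
RULES = [
    ("500001", "REQUEST_URI", r"etc/passwd"),
    ("500005", "REQUEST_URI", r"home"),
    ("500002", "REQUEST_URI", r"\.\./"),
    ("500003", "ARGS", r"<[Ss][Cc][Rr][Ii][Pp][Tt]"),
    # matches only when whitespace alone separates SELECT and FROM, as the pattern is written
    ("500004", "ARGS", r"[Ss][Ee][Ll][Ee][Cc][Tt]\s+[Ff][Rr][Oo][Mm]"),
]
DENY_STATUS = 406  # from SecDefaultAction "phase:2,deny,log,status:406"


def fired_rules(request_uri):
    """Return the ids of the rules that match one request URI (path plus query string).
    REQUEST_URI is URL-decoded first (assumed: what t:urlDecode does in ModSecurity);
    ARGS is every query-string name and value."""
    decoded_uri = unquote(request_uri)
    pairs = parse_qsl(urlsplit(request_uri).query, keep_blank_values=True)
    args = [name for name, _ in pairs] + [value for _, value in pairs]
    fired = []
    for rule_id, variable, pattern in RULES:
        targets = [decoded_uri] if variable == "REQUEST_URI" else args
        if any(re.search(pattern, target) for target in targets):
            fired.append(rule_id)
    return fired


def decide(request_uri):
    """Apply the default action: 406 when any rule fires, otherwise let the request through (200)."""
    return DENY_STATUS if fired_rules(request_uri) else 200


if __name__ == "__main__":
    # Constructed sample requests (not from the post): three that the rules are written for,
    # one benign page that the bare "home" pattern also blocks, and one that passes.
    samples = [
        "/index.php?page=../../etc/passwd",
        "/search?q=%3Cscript%3Ex",
        "/search?q=select+from+t",
        "/homepage.html",   # false positive: "home" matches inside "homepage"
        "/about",
    ]
    for uri in samples:
        print(f"{decide(uri)}  {fired_rules(uri)!s:24} {uri}")
```

The /homepage.html line is the kind of request that [5] warns about: a pattern as broad as "home" needs to be narrowed (or scoped to a path) before it is deployed on a real site.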

Cheers.
Andito Yugo Wicaksono