Category Archives: Information Security

Nikto

Nikto is an assessment tool for web servers. It is designed to find default files, default configurations, and known programs on all kinds of web servers.

[1] Download Nikto here

[2] Once the download is complete, unzip it

$ unzip nikto-master.zip

[3] Example command to run Nikto

$ ./nikto.pl -h 10.10.10.99
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.99
+ Target Hostname: 10.10.10.99
+ Target Port: 80
+ Start Time: 2017-11-21 16:42:21 (GMT7)
---------------------------------------------------------------------------
+ Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips

[4] Basic Nikto testing commands

# Basic test using port 80
perl nikto.pl -h 192.168.0.1
# Test using a specific port, 443 TCP
perl nikto.pl -h 192.168.0.1 -p 443
# Host, protocol and port given in URL syntax
perl nikto.pl -h https://192.168.0.1:443/

[5] Multiple port testing

perl nikto.pl -h 192.168.0.1 -p 80,88,443


Cheers – AnditoYugoWicaksono


Kadimus (LFI Scan & Exploit Tool)

Kadimus is a tool for checking a website for vulnerabilities.

Features:

Check all url parameters
/var/log/auth.log RCE
/proc/self/environ RCE
php://input RCE
data://text RCE
Source code disclosure
Multi thread scanner
Command shell interface through HTTP Request
Proxy support (socks4://, socks4a://, socks5:// ,socks5h:// and http://)
Proxy socks5 support for bind connections

[1] Install Kadimus on Ubuntu 16.04

$ git clone https://github.com/P0cL4bs/Kadimus.git
Cloning into 'Kadimus'...
remote: Counting objects: 202, done.
remote: Total 202 (delta 0), reused 0 (delta 0), pack-reused 202
Receiving objects: 100% (202/202), 53.34 KiB | 0 bytes/s, done.
Resolving deltas: 100% (113/113), done.
Checking connectivity... done.

Run configure

/Kadimus$ ./configure 
Checking libraries...
libcurl Ok
libssl Ok
libpcre Ok
libssh Ok

[2] Install the required packages

sudo apt-get install libcurl4-openssl-dev libpcre3-dev libssh-dev
# Once everything is installed, run make
make
gcc -Wall -Wextra -O3 -c -o bin/kadimus_common.o src/kadimus_common.c
gcc -Wall -Wextra -O3 -c -o bin/kadimus_mem.o src/kadimus_mem.c
gcc -Wall -Wextra -O3 -c -o bin/kadimus_request.o src/kadimus_request.c
gcc -Wall -Wextra -O3 -c -o bin/kadimus_str.o src/kadimus_str.c
gcc -Wall -Wextra -O3 -c -o bin/kadimus_xpl.o src/kadimus_xpl.c
gcc -Wall -Wextra -O3 -c -o bin/kadimus_regex.o src/kadimus_regex.c
gcc -Wall -Wextra -O3 -c -o bin/kadimus_socket.o src/kadimus_socket.c

[3] Run Kadimus

$ ./kadimus -h
 _ __ _ _ 
| |/ /__ _ __| (_)_ __ ___ _ _ ___ 
| ' // _` |/ _` | | '_ ` _ \| | | / __|
| . \ (_| | (_| | | | | | | | |_| \__ \
|_|\_\__,_|\__,_|_|_| |_| |_|\__,_|___/

v1.1 - LFI Scan & Exploit Tool (@hc0d3r - P0cL4bs Team)

Options:
 -h, --help Display this help menu

Request:
 -B, --cookie STRING Set custom HTTP Cookie header
 -A, --user-agent STRING User-Agent to send to server
 --connect-timeout SECONDS Maximum time allowed for connection
 --retry-times NUMBER number of times to retry if connection fails
 --proxy STRING Proxy to connect, syntax: protocol://hostname:port

Scanner:
 -u, --url STRING Single URI to scan
 -U, --url-list FILE File contains URIs to scan
 -o, --output FILE File to save output results
 --threads NUMBER Number of threads (2..1000)

Explotation:
 -t, --target STRING Vulnerable Target to exploit
 --injec-at STRING Parameter name to inject exploit
 (only need with RCE data and source disclosure)

RCE:
 -X, --rce-technique=TECH LFI to RCE technique to use
 -C, --code STRING Custom PHP code to execute, with php brackets
 -c, --cmd STRING Execute system command on vulnerable target system
 -s, --shell Simple command shell interface through HTTP Request

-r, --reverse-shell Try spawn a reverse shell connection.
 -l, --listen NUMBER Port to listen

-b, --bind-shell Try connect to a bind-shell
 -i, --connect-to STRING Ip/Hostname to connect
 -p, --port NUMBER Port number to connect
 --b-proxy STRING IP/Hostname of socks5 proxy
 --b-port NUMBER Port number of socks5 proxy

--ssh-port NUMBER Set the SSH Port to try inject command (Default: 22)
 --ssh-target STRING Set the SSH Host

RCE Available techniques

environ Try run PHP Code using /proc/self/environ
 input Try run PHP Code using php://input
 auth Try run PHP Code using /var/log/auth.log
 data Try run PHP Code using data://text

Source Disclosure:
 -G, --get-source Try get the source files using filter://
 -f, --filename STRING Set filename to grab source [REQUIRED]
 -O FILE Set output file (Default: stdout)
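As an added defender-side example (not Kadimus's own code), the following Python scans web server access log lines for the wrappers and paths the RCE techniques above rely on (/proc/self/environ, php://input, /var/log/auth.log, data://text) and for the php://filter wrapper used for source disclosure. The log lines are constructed, and the parser assumes the Apache/nginx combined log format.

```python
import re
from urllib.parse import unquote

# Indicators taken from the LFI-to-RCE techniques Kadimus lists (environ,
# input, auth, data) plus the php://filter wrapper it uses for source
# disclosure. Patterns are matched against the percent-decoded request path.
INDICATORS = {
    "environ":   re.compile(r"/proc/self/environ", re.I),
    "input":     re.compile(r"php://input", re.I),
    "auth":      re.compile(r"/var/log/auth\.log", re.I),
    "data":      re.compile(r"data:(?://)?text/", re.I),
    "filter":    re.compile(r"php://filter/", re.I),
    "traversal": re.compile(r"(?:\.\./){2,}"),
}

# Apache/nginx combined log format (assumed); only needed fields are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_path(path):
    """Percent-decode twice so double-encoded payloads (%252e%252e) unwrap."""
    for _ in range(2):
        path = unquote(path)
    return path

def scan_log(lines):
    """Return one (ip, technique, status, path) tuple per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = decode_path(m["path"])
        for name, pattern in INDICATORS.items():
            if pattern.search(path):
                findings.append((m["ip"], name, int(m["status"]), path))
                break  # report the first matching technique per request
    return findings

# Constructed sample log lines (not from the original page).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Nov/2017:16:42:21 +0700] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/Nov/2017:16:42:22 +0700] "GET /index.php?page=../../../../proc/self/environ HTTP/1.1" 200 2048',
    '203.0.113.7 - - [21/Nov/2017:16:42:23 +0700] "POST /index.php?page=php%3A%2F%2Finput HTTP/1.1" 200 77',
    '198.51.100.9 - - [21/Nov/2017:16:42:24 +0700] "GET /index.php?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 3000',
    '198.51.100.9 - - [21/Nov/2017:16:42:25 +0700] "GET /static/logo.png HTTP/1.1" 200 9000',
]
```

A 200 status on such a request is the signal worth alerting on, since the include succeeded rather than being rejected.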

Cheers – AnditoYugoWicaksono


DirBuster – Find Directories in Websites

DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. What often happens today is that a web server is left in its default configuration and has application pages hidden inside it.

Download
DirBuster-0.12.tar.bz2

How to install
Unzip or untar the downloaded DirBuster package, then cd into the unpacked directory.

# To run the DirBuster program
java -jar DirBuster-0.12.jar -h : Help information
java -jar DirBuster-0.12.jar -H -u https://127.0.0.1/ : Run DirBuster in headless mode
java -jar DirBuster-0.12.jar -u https://127.0.0.1/ : Start GUI with target prepopulated
(Screenshot: DirBuster GUI)

Cheers – AnditoYugoWicaksono


Spaghetti – Web Application Security Scanner

Spaghetti is an open-source web application scanner designed to find default files and configurations, insecure files, and misconfigurations. Spaghetti is written in Python 2.7 and runs on any platform with a Python environment.

Install Spaghetti
$ git clone https://github.com/m4ll0k/Spaghetti.git
$ cd Spaghetti
$ pip install -r requirements.txt
If using a proxy: $ sudo pip --proxy http://IP_ProxyServer:Port install -r requirements.txt
$ python spaghetti.py
Features
  • Fingerprints
    • Server
    • Web Frameworks (CakePHP,CherryPy,…)
    • Web Application Firewall (Waf)
    • Content Management System (CMS)
    • Operating System (Linux,Unix,..)
    • Language (PHP,Ruby,…)
    • Cookie Security
  • Discovery:
    • Bruteforce
      • Admin Interface
      • Common Backdoors
      • Common Backup Directory
      • Common Backup File
      • Common Directory
      • Common File
      • Log File
    • Disclosure
      • Emails
      • Private IP
      • Credit Cards
    • Attacks
      • HTML Injection
      • SQL Injection
      • LDAP Injection
      • XPath Injection
      • Cross Site Scripting (XSS)
      • Remote File Inclusion (RFI)
      • PHP Code Injection
    • Other
      • HTTP Allow Methods
      • HTML Object
      • Multiple Index
      • Robots Paths
      • Web Dav
      • Cross Site Tracing (XST)
      • PHPINFO
      • .Listing
    • Vulns
      • ShellShock
      • Anonymous Cipher (CVE-2007-1858)
      • Crime (SPDY) (CVE-2012-4929)
      • Struts-Shock


How To
$ python spaghetti.py 
 _____ _ _ _ _ 
 | __|___ ___ ___| |_ ___| |_| |_|_|
 |__ | . | .'| . | | -_| _| _| |
 |_____| _|__,|_ |_|_|___|_| |_| |_|
 |_| |___| v0.1.3

~/# Spaghetti - Web Application Security Scanner
~/# Codename - MR.R0B0T
~/# Momo Outaadi (@M4ll0k)
~/# https://github.com/m4ll0k/Spaghetti

Usage:

-u --url Target URL (eg: http://example.com)
 -s --scan Scan Options (default=0):

0: Full Scan
 1: Bruteforce (dirs,files,..)
 2: Disclosure (ip,emails,..)
 3: Attacks (sql,lfi,..)
 4: Others (webdav,..)
 5: Vulns (shellshock,..)
 6: Fingerprint only

--crawler Deep crawling (slow)
 --agent Use the specified user-agent
 --random-agent Use a random user-agent
 --redirect Redirect target URL, default=True
 --timeout Set timeout, default=None
 --cookie Set cookie, default=None
 --proxy Set proxy, (host:port)
 --verbose Verbose output
 --version Show version
 --help Show this help and exit

Examples:

spaghetti.py --url http://example.com
 spaghetti.py --url http://example.com --scan [0-6]
 spaghetti.py --url http://example.com --scan 1 --crawler


Cheers – AnditoYugoWicaksono


Foremost

Foremost is a forensic data recovery program for Linux that recovers files based on their headers, footers, and internal data structures, a process known as file carving.

[1] Install Foremost

yum install foremost -y

Or download the foremost source package from http://foremost.sourceforge.net/pkg/foremost-1.5.7.tar.gz and unpack it:

tar -xvzf foremost-1.5.7.tar.gz
cd foremost-1.5.7

[2] Foremost command reference

man foremost

[3] Foremost's configuration is in the file /etc/foremost.conf: # vi /etc/foremost.conf

[4] Example command to run foremost

First, find out where the data to be recovered is located

# df -h

Filesystem Size Used Avail Use% Mounted on
/dev/mapper/centos00-root 50G 4,4G 46G 9% /
devtmpfs 905M 0 905M 0% /dev
tmpfs 915M 0 915M 0% /dev/shm
tmpfs 915M 8,5M 907M 1% /run
tmpfs 915M 0 915M 0% /sys/fs/cgroup
/dev/mapper/centos00-home 469G 241G 229G 52% /home
/dev/sda1 497M 171M 327M 35% /boot
tmpfs 183M 0 183M 0% /run/user/0

The data I want to recover is on home: /dev/mapper/centos00-root

foremost -t pdf,jpg -T -v -Q -o /home/output /dev/mapper/centos00-root
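To illustrate the header/footer carving that foremost performs, here is an added Python example (not foremost's own code) that carves JPEG and PDF files out of a raw image. The signature table, the backwards footer search for PDFs (modelled on foremost.conf's REVERSE keyword, since a PDF updated in place carries several %%EOF markers), the output naming scheme and the sample image are all constructed for this example.

```python
import os

# Header/footer table in the spirit of foremost.conf (constructed for this
# example, not foremost's own): header, footer, maximum file size, and whether
# the footer is searched backwards from the end of the window, as foremost's
# REVERSE keyword does for PDFs that carry several %%EOF markers.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9",
            "max_size": 2 * 1024 * 1024, "reverse": False},
    "pdf": {"header": b"%PDF", "footer": b"%%EOF",
            "max_size": 5 * 1024 * 1024, "reverse": True},
}

def carve(image):
    """Return (kind, offset, data) for every header/footer pair in a raw image."""
    found = []
    for kind, sig in SIGNATURES.items():
        pos = 0
        while (start := image.find(sig["header"], pos)) != -1:
            limit = min(len(image), start + sig["max_size"])
            finder = image.rfind if sig["reverse"] else image.find
            end = finder(sig["footer"], start, limit)
            if end == -1:            # header with no footer in range: skip it
                pos = start + 1
                continue
            end += len(sig["footer"])
            found.append((kind, start, image[start:end]))
            pos = end                # resume after the carved file
    return sorted(found, key=lambda f: f[1])

def write_carved(found, outdir):
    """Write each carved file, named by index and byte offset (naming is ours)."""
    os.makedirs(outdir, exist_ok=True)
    for i, (kind, offset, data) in enumerate(found):
        with open(os.path.join(outdir, f"{i:08d}_{offset:#x}.{kind}"), "wb") as fh:
            fh.write(data)

# Constructed sample image: filler, a JPEG, filler, a PDF with two %%EOF
# markers (incremental update), filler, and a truncated JPEG header.
SAMPLE_JPG = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
SAMPLE_PDF = b"%PDF-1.4\n" + b"P" * 60 + b"%%EOF\n" + b"Q" * 10 + b"%%EOF"
FILLER = b"\x00" * 32
SAMPLE_IMAGE = FILLER + SAMPLE_JPG + FILLER + SAMPLE_PDF + FILLER + b"\xff\xd8\xff" + b"T" * 8
```

Running carve() on a real block device means reading it in chunks and carrying the last max_size bytes across chunk boundaries; the in-memory version above keeps the carving logic itself visible.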


dumpzilla

Dumpzilla is a browser forensics tool.

[1] Download dumpzilla from its official website at http://www.dumpzilla.org/

[2] Once the dumpzilla source has been downloaded, run the Python script

python dumpzilla.py

Version: 15/03/2013

Usage: python dumpzilla.py browser_profile_directory [Options]

Options:

--All (Shows everything but the DOM data. Doesn't extract thumbnails or HTML 5 offline)
 --Cookies [-showdom -domain <string> -name <string> -hostcookie <string> -access <date> -create <date> -secure <0/1> -httponly <0/1> -range_last -range_create <start> <end>]
 --Permissions [-host <string>]
 --Downloads [-range <start> <end>]
 --Forms [-value <string> -range_forms <start> <end>]
 --History [-url <string> -title <string> -date <date> -range_history <start> <end> -frequency]
 --Bookmarks [-range_bookmarks <start> <end>]
 --Cacheoffline [-range_cacheoff <start> <end> -extract <directory>]
 --Thumbnails [-extract_thumb <directory>]
 --Range <start date> <end date>
 --Addons
 --Passwords (Decode only in Unix)
 --Certoverride
 --Session
 --Watch [-text <string>] (Shows in daemon mode the URLs and text form in real time. -text' Option allow filter, support all grep Wildcards. Exit: Ctrl + C. only Unix).

Wildcards: '%' Any string of any length (Including zero length)
 '_' Single character
 '\' Escape character

Date syntax: YYYY-MM-DD HH:MM:SS

Win profile: 'C:\Documents and Settings\xx\Application Data\Mozilla\Firefox\Profiles\xxxx.default'
Unix profile: '/home/xx/.mozilla/seamonkey/xxxx.default/'

[3] Example: viewing the history

$ python dumpzilla.py /home/space/.mozilla/firefox/g8gha5kg.default/ --History

Last visit: 2017-08-25 16:32:51
Title: Add New Post ‹ — WordPress
URL: https://anditoyugowicaksono.wordpress.com/wp-admin/post-new.php
Frequency: 10

================================================================================================================
Total information
================================================================================================================

Total urls in History: 1861
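To show what dumpzilla's --History option reads from a profile, here is an added Python example (not dumpzilla's code) that queries a Firefox places.sqlite and applies filters in the style of -url and -range_history. The in-memory database and its rows are constructed with only the moz_places columns the query uses; it assumes Firefox stores timestamps as PRTime (microseconds since the Unix epoch, UTC).

```python
import sqlite3
from datetime import datetime, timezone

DATE_FMT = "%Y-%m-%d %H:%M:%S"   # the date syntax dumpzilla documents

def to_prtime(dt):
    """Firefox stores times as PRTime: microseconds since the Unix epoch (UTC)."""
    return int(dt.timestamp() * 1_000_000)

def from_prtime(us):
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc).strftime(DATE_FMT)

def parse_date(text):
    return datetime.strptime(text, DATE_FMT).replace(tzinfo=timezone.utc)

def build_sample_profile_db():
    """In-memory stand-in for places.sqlite (constructed; only the columns used below)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT,
                  title TEXT, visit_count INTEGER, last_visit_date INTEGER)""")
    rows = [
        (1, "https://example.com/wp-admin/post-new.php", "Add New Post", 10,
         to_prtime(datetime(2017, 8, 25, 16, 32, 51, tzinfo=timezone.utc))),
        (2, "https://example.org/", "Example Domain", 3,
         to_prtime(datetime(2017, 8, 20, 9, 0, 0, tzinfo=timezone.utc))),
        (3, "https://example.net/login", "Login", 1,
         to_prtime(datetime(2016, 1, 2, 3, 4, 5, tzinfo=timezone.utc))),
        (4, "https://example.net/never-visited", None, 0, None),  # bookmark, no visit
    ]
    db.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?, ?)", rows)
    return db

def history(db, url_pattern=None, start=None, end=None):
    """Equivalent of --History [-url <pattern> -range_history <start> <end>].
    url_pattern uses SQL LIKE wildcards (% and _), as dumpzilla documents."""
    sql = ("SELECT url, title, visit_count, last_visit_date FROM moz_places "
           "WHERE last_visit_date IS NOT NULL")
    params = []
    if url_pattern:
        sql += " AND url LIKE ?"
        params.append(url_pattern)
    if start:
        sql += " AND last_visit_date >= ?"
        params.append(to_prtime(parse_date(start)))
    if end:
        sql += " AND last_visit_date <= ?"
        params.append(to_prtime(parse_date(end)))
    sql += " ORDER BY last_visit_date DESC"
    return [{"last_visit": from_prtime(d), "title": t, "url": u, "frequency": c}
            for u, t, c, d in db.execute(sql, params)]
```

Against a real profile, copy places.sqlite (and its -wal file) out of the profile directory before opening it, so the evidence file is never written to.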

Cheers – Andito Yugo Wicaksono


Operative Framework

Operative Framework is a powerful open-source, Python-based framework that can be used to find domains registered with the same email address, along with many other investigation functions. This reconnaissance tool provides information about a target by examining the relationships between the domains it owns.

[1] Installing the Operative Framework

git clone https://github.com/graniet/operative-framework.git
cd operative-framework
pip install -r requirements.txt
python operative.py

If pip is not installed yet, install python-pip:

# sudo apt install python-pip
or via git clone:
git clone https://github.com/pypa/pip.git

[2] Run operative.py

$ python operative.py
__ _ 
 ____ ____ ___ _________ _/ /_(_) _____ 
 / __ \/ __ \/ _ \/ ___/ __ `/ __/ / | / / _ \
/ /_/ / /_/ / __/ / / /_/ / /_/ /| |/ / __/
\____/ .___/\___/_/ \__,_/\__/_/ |___/\___/ 
 /_/ Version: 2.0 BETA | Twitter: @graniet75
 If you don't know how run it use :help

$ operative > modules 
 * viadeo_search Viadeo employee search module
 * email_to_domain Get domain with email
 * reverse_ipdomain Reverse ip domain check (Yougetsignal)
 * vhost_IPchecker Reverse IP domain check (BING)
 * https_gathering SSL/TLS information gathering (sslyze)
 * subdomain_search Search subdomain with google dork
 * getform_data Get all form parameters (BETA)
 * defaultPassword Search default password from manufactor
 * domain_search Search enterprise domain name
 * header_retrieval No module description found
 * file_common Read/Search common file
 * waf_gathering WAF information gathering : need wafw00f
 * cms_gathering Check if CMS is used (wordpress,joomla,magento)
 * get_websiteurl Extract url on website domain
 * metatag_look get meta name,content
 * search_db Forensics module for SQL database
 * website_archive Search archive of website domain (archive.org)
 * linkedin_search Linkedin employee search module
 * sample_module Module sample
 * whois_domain Whois information for domain
 * tools_suggester Check website & show possible tools for CMS exploitation
 * generate_email Generate email with employee list
$ operative >

Example: how to use

$ operative > use whois_domain
Loading : core/modules/whois_domain.py
$ operative (core/modules/whois_domain) > show options
- website(is_required):No value
$ operative (core/modules/whois_domain) > set website=zotma.com 
$ operative (core/modules/whois_domain) > run