Posts

Showing posts from May, 2012

Log central with Snort, Syslog-ng and Splunk (SSS)

In a previous post, I installed Snort with Barnyard to send logs to Snort Report. Today I additionally installed BASE for Snort log analysis:
Download the files:
#wget http://sourceforge.net/projects/adodb/files/latest/download?source=files
#wget http://sourceforge.net/projects/secureideas/files/latest/download?source=files
#yum --enablerepo=epel -y install php-adodb php-pear-Image-Graph

#unzip adodb517.zip
#tar xvzf base-1.4.5.tar.gz
#cp -R base-1.4.5 /var/www/html/
#mv  /var/www/html/base-1.4.5  /var/www/html/base
#cp -R adodb5 /var/www/html/base
#chmod 777 -R /var/www/html/base

Go to http:///base and run the setup; the adodb path is /var/www/html/base/adodb5

After completing this tutorial, I started configuring Snort to send its logs to the central log server. I am using Splunk as the central log manager, and syslog-ng to forward the Snort logs to Splunk.
First, on the Snort machine, I edited the config to force Snort to write alerts to a plain text file:
#vim /etc/sysconfig/snortd (I don't remember the exact path)
Find ALERT, uncomment it, and set ALERT=full
Restart snort…

My first Python Program

Today I started learning Python and wrote my first program. After finishing it, I had learned:
printing numbers, strings, formatting, etc.
functions
local and global variables
reading a file
string find, index and substring

And now, this is my first program:
#Author:     Namhb
#Email:     namhb@gmail.com
#Program:    Demo1
#Version:    0.1

#############################################
##### Start program

##### Lib
import getpass
##### Global Variable
userfile = "user.txt"
userc = ""
rolec = ""
logined = False
failcount = 0
maxfail = 3
##### Function
def menu():
    print "+---------------------------------------------+"
    print "+                                             +"
    print "+     Demo Python Program                     +"
    print "+   namhb@gmail.com                           +"
    print "+                                             +"
    print "+---------------------------------------------+"

def checklogin(u…

Install Snort with snort report in CentOS

Step 1: Preparing

#yum install pcre pcre-devel php php-common php-gd php-cli php-mysql flex bison mysql mysql-devel mysql-bench mysql-server php-pear.noarch php-pear-DB.noarch php-pear-File.noarch kernel-devel libxml2-devel vim-enhanced.i386
#yum install gcc-c++

Download the source code:
#cd /usr/local
#wget http://ips-builder.googlecode.com/files/libnet-1.0.2a.tar.gz
#wget http://libdnet.googlecode.com/files/libdnet-1.12.tgz
#wget http://www.tcpdump.org/release/libpcap-1.1.1.tar.gz
#wget http://www.snort.org/downloads/1623 -O daq-0.6.2.tar.gz
#wget http://www.snort.org/downloads/1631 -O snort-2.9.2.3.tar.gz
#download https://www.snort.org/snort-rules/
#wget http://www.unixwiz.net/tools/nbtscan-source-1.0.35.tgz
#wget http://jpgraph.net/download/download.php?p=1.27.1 -O jpgraph-1.27.1.tar.gz

Step 2: Install libraries
#cd /usr/local
#tar zxvf /root/libnet-1.0.2a.tar.gz
#cd Libnet-1.0.2a
#./configure && make && make install
#cd /usr/local
#tar zxvf /root/libdnet-1.12.tgz
#cd libdnet-1.12
#./configure &…

Linux Buffer Overflow Exploit

Demo of a Linux buffer overflow exploit:


------------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
Security Research
All my Lab:
Linux Lab -- window and Cisco Lab
to be continued - I will update more.

Local File Include with Access Log

My demo for Local File Inclusion. If you cannot find any file on the server that contains malicious code, you can use the access log to inject malicious code. Note: if you send the URL through a web browser, the URL will be encoded. So you must send the URL directly to the server to write the code into the access log.




SQL Injection with XSS

My report for tomorrow. If you find a SQL injection with a UNION statement, you can force the web application to print the result. Ex: union 1,2,3,4,5 -> you can see the numbers 2 3 4 5. Replace 2 with 'namhb' and you can see namhb. So you can exploit XSS through SQL injection.
Now you can insert JavaScript instead: alert(/namhb/) (in a script tag). Buzz, a new dialog.
Finally, once you have many scripts, you can use sqli,js.
See the demo:



Exploit writing tutorial part 3: SEH Based Exploits

In the two previous parts, we talked about stack overflows. In this part, we will talk about another exploitation method, one that uses exceptions to perform a jump to the code we want. First, we need to talk about exceptions, i.e. exception handlers. Exception handling is placed in an application in order to catch the exceptions the application may run into (for example, a file that does not exist, or division by zero...):
try
{
//run stuff.  If an exception occurs, go to code
}
catch
{
// run stuff when exception occurs
}
In a normal program that does not use exceptions, the arguments are pushed first, then EIP and EBP, and then space is allocated for the local variables. If the program uses exception handling, an additional area is allocated to hold the exception handler.
"Address of exception handler" is part of the SEH record. Windows has a default SEH (Structured Exception Handler) to catch exceptions. When this handler catches an exception, you will see a popup "xxx has encountered a problem and needs to close". For the application to …

Demo buffer overflow

First is the demo of smashing the stack:

Next is the demo of the SEH exploit:


Uploading Exploit with Metasploit

With msfpayload, you can create a web shell as a backdoor (like Meterpreter). This is my demo with Metasploit.