Local Attacks: Difference between revisions

From ICO wiki
Jump to navigationJump to search
mNo edit summary
 
(247 intermediate revisions by 2 users not shown)
Line 1: Line 1:
int power(long base, long exponent) {
= Abstract =
    int counter;
    int result = 1;
This article will be concerned about one of the common hacking methods in recent decades or even nowadays it is still being used by attackers. Its named Local Attack, this name is not the international official name for it. It was called by many Vietnamese Hackers, by somehow I realized it's quite good to describe partly of this attack method, so I'd like to take this name to be " our speaking" at least in this article. "This name is not available in google if you type by English "      
    for (counter = 0; counter < exponent; counter++)
        result *= base;
     return result;
}




I will illustrate the definition of Local Attack as well as the difficulties we will be suffered when we apply it beside its powerful. I will be talking detail step by step belongs with the certain knowledge what we need to know basically to do much straightforwardly and more understand its purpose. The knowledge requirement will be not hard to stop you getting the most powerful of hacking such as Web App, Linux command lines, Networking, etc.


/* When processor enters the function body the arguments are already placed in registers r0=5 (base), r1=3 (exponent) */
Because of the security of our website and server, I will not show the php shell link in this article. I apologize for this inconvenient. 


cmp r1, #0                        /* Compare exponent to 0 */
mov r2, #1                        /* Place constant 1 in register r2,
                                    this corresponds to result = 1 in C code */
ble .L2                          /* Exponent was not less than 0, so no jump to L2
mov r3, #0                        /* Place constant 0 in register r3,
                                    this corresponds to variable counter */


add r3, r3, #1                    /* Perform r3 = 0 + 1 which results in 1 being stored to r3
Keywords : ''Hacking, Local attack ,Linux , Web App.''
                                    this corresponds to first invocation of counter++ in C code */
cmp r3, r1                        /* Compare counter (1 in this case) to exponent (3), this will be used by bne instruction below */
mul r2, r0, r2                    /* Perform r2 = r0 * r2 which results in 1 * 5 = 5 being placed in r2
                                    this corresponds to first invocation of result *= base in C code */
bne .L3                          /* The comparison resulted in counter being not equal to exponent, so we jump back to L3
                                    this corresponds to first invocation of counter < exponent in C code */


add r3, r3, #1                    /* Perform r3 = 1 + 1 which results in 2 being stored to r3
[['''''!!! This article is served for education purpose only, I will not responsibility for any harm made by other ones !!!''''']]
                                    this corresponds to second invocation of counter++ in C code */
cmp r3, r1                        /* Compare counter (2 in this case) to exponent (3), this will be used by bne instruction below */
mul r2, r0, r2                    /* Perform r2 = r0 * r2 which results 5 * 5 = 25 being placed in r2
                                    this corresponds to second invocation of result *= base in C code */
bne .L3                          /* The comparison resulted in counter being not equal to exponent, so we jump back to L3
                                    this corresponds to second invocation of counter < exponent in C code */


add r3, r3, #1                    /* Perform r3 = 2 + 1 which results in 3 being stored to r3
= Local Attack Introduction=
                                    this corresponds to third invocation of counter++ in C code */
cmp r3, r1                        /* Compare counter (3 in this case) to exponent (3), this will be used by bne instruction below */
mul r2, r0, r2                    /* Perform r2 = r0 * r2 which results 25 * 5 = 125 being placed in r2
                                    this corresponds to third invocation of result *= base in C code */
bne .L3                          /* The comparison resulted in counter being equal to exponent, so we DO NOT jump back to L3 */


mov r0, r2                    /* Copy register r2 contents (125) to register r0 */
==What is Local Attack?==
bx lr                        /* Jump back to caller */
/* Function returns with 125 placed in r0 this is where caller function should expect the return value */
/* The other registers will still hold whatever values were left there: r1 = 3, r2 = 125, r3 = 3 */


== Storage abstractions ==
In generally, once we host the website to server, after that the user will be provided an " user account" and the directory/folder to mange their website. For instance, the first user has a website "A" and one directory/folder : /home/user1 to manage first user Similarly, the second user has a website "B" and one directory/folder /home/user2 to manage.


Local attack is the method which is applied to hack a website in the same server. For example, I want to attack website "A" from user 1, but unfortunately I could not find out the vulnerabilities to exploit and get an lien from it that means I have no way to attack based on this site "A". So, I will look for the websites which are being on the same server  with "A", could be website "B" or "C".


 What is a block device?
Based on site "B" or "C" both of them are getting some vulnerabilities or another words is " hackable ". After getting the authorities on these site "B" or "C", I will upload the php file named " Shell " to the server of "B" or "C" it's also the server of website "A". The hacking process is starting from now.....


 In computing (specifically data transmission and data storage), a block, sometimes called a physical record, is a sequence of bytes or bits, usually containing some whole number of records, having a maximum length, a block size.[1] Data thus structured are said to be blocked. The process of putting data into blocks is called blocking, while deblocking is the process of extracting data from blocks. Blocked data is normally stored in a data buffer and read or written a whole block at a time.  
                                          [[File:Local1.png]]
                                                                    ''Firgure 1: Php shell was uploaded to host of the website.''


 What is logical block addressing and what are the benefits compared to older cylinder-head-sector addressing method in terms of harddisks?
==Pros and Cons of Local Attack==


Logical block addressing (LBA) is a common scheme used for specifying the location of blocks of data stored on computer storage devices, generally secondary storage systems such as hard disk drives. LBA is a particularly simple linear addressing scheme; blocks are located by an integer index, with the first block being LBA 0, the second LBA 1, and so on.
'''Pros:'''
Cylinder-head-sector, also known as CHS, is an early method for giving addresses to each physical block of data on a hard disk drive. In the case of floppy drives, for which the same exact diskette medium can be truly low-level formatted to different capacities, this is still true.
      *Does not take a lot of time.
      *Easy to interact with the server via shell and exploit it.


 What is a disk partition?
'''Cons:'''
Disk partitioning is the creation of one or more regions on a hard disk or other secondary storage, so that an operating system can manage information in each region separately.[1] Partitioning is typically the first step of preparing a newly manufactured disk, before any files or directories have been created
      *Leave the " mark ", The administrator would be able to find where the shell comes from.
      *If the websites are using separate server, Local Attack will be gotten some certain difficult.


What is a file system?
=What we need to know?=
==Host and Shared-Host==
Normally for web site, its data must be stored on one server (server) is always active and connected to the internet. Storage space on the server used to store the data of the website is called the host. For a number of agencies and organizations, the hired one server for data storage is not practical website. Due to their needs is simply stored, further 1 server rental price is not cheap. Therefore, shared hosting is a reasonable choice. With shared hosting, server memory space is divided into many small hosts, and are separate from each rental. So on one server will contain data for multiple websites, and there is also a source of security for developing local attack.
==Operating System and Decentralized system==


In computing, a file system (or filesystem) is used to control how data is stored and retrieved. Without a file system, information placed in a storage area would be one large body of data with no way to tell where one piece of information stops and the next begins. By separating the data into individual pieces, and giving each piece a name, the information is easily separated and identified. Taking its name from the way paper-based information systems are named, each group of data is called a "file". The structure and logic rules used to manage the groups of information and their names is called a "file system".
The Operating system of the server must be Linux


 What is journaling in terms of filesystems and what are the benefits? Name some journaled filesystems in use nowadays.
'''Unlike Windows, Linux operating system has a decentralized system is complicated and strict. Linux supports three permissions to do with files :'''


A journaling file system is a file system that keeps track of changes not yet committed to the file system's main part by recording the intentions of such changes in a data structure known as a "journal", which is usually a circular log. In the event of a system crash or power failure, such file systems can be brought back online quicker with lower likelihood of becoming corrupted


In the Linux operating system, JFS is supported with the kernel module (since the kernel version 2.4.18pre9-ac4) and the complementary userspace utilities packaged under the name JFSutils. Most Linux distributions support JFS, unless it is specifically removed due to space restrictions or other concerns.
r: read access (read)


== Hardware ==
w: right to record (write)


Computer hardware Jargon: CPU, RAM, ROM, HDD, SSD, PCI, PCI Express, USB 2.0, USB 3.0, VGA, HDMI, DVI, LCD, TFT, LED, OLED, AMOLED, CRT, PWM Lecture recording #1 Lecture recording #2 starting 12:30 Lecture slides Random access memory, permanent storage, buses, input devices, display technologies, networking Potential exam questions:  Different buses and their uses Bus is a system which help to transact the date between each component in computer or between computers. It has 2 types of buses in side computer (Asus socket 7) and outside of computers (Pc card or IEEE-448)
x: right to execute (execute)


 What are the differences between hard disk drive (HDD) and solid state drive (SSD)? [1]
-: not allowed


 What is the purpose of Flash Translation Layer in terms of solid state drives?


A flash translation layer is used to adapt a fully functional file system to the constraints and restrictions imposed by flash memory devices
'''These rights are assigned to three subjects:'''


 What are difference between volatile/non-volatile, RAM, ROM, EEPROM and where are they used?


RAM is Random Access Memory. ROM is Read Only Memory. RAM is the memory available for the operating system, programs and processes to use when the computer is running. ROM is the memory that comes with your computer that is pre-written to hold the instructions for booting-up the computer. RAM requires a flow of electricity to retain data (e.g. the computer powered on). ROM will retain data without the flow of electricity (e.g. when computer is powered off). RAM is a type of volatile memory. Data in RAM is not permanently written. When you power off your computer the data stored in RAM is deleted. ROM is a type of non- volatile memory. Data in ROM is permanently written and is not erased when you power off your computer. There are different types of RAM, including DRAM (Dynamic Random Access Memory) andSRAM (Static Random Access Memory). There are different types of ROM, including PROM (programmable read-only memory) that is manufactured as blank memory (e.g. a CD-ROM) and EPROM (erasable programmable read-only memory). There are many differences between RAM and ROM memory but there are also a couple similarities (and these are very easy to remember). Both types of memory used by a computer, and they are both required for your computer to operate properly and efficiently.
u: owner (owner)  
EEPROM EEPROM , or electrically erasable programmable read only memory, is another step up from EPROM because EEPROM chips do away with some of the drawbacks. For example, EEPROM chips do not need to be removed to be rewritten. Additionally, a portion of the chip can be changed without erasing the entire chip. Furthermore, it does not require special equipment to rewrite the chip.


Volatile memory Non-volatile memory Requires a power source to retain information. Does not require a power source to retain information. When power source is disconnected, information is lost or deleted. When power source is disconnected, information is not deleted. Often used for temporary retention of data, such as with RAM, or for retention of sensitive data. Often used for long-term retention of data, such as files and folders.
g: group ownership (group)


 What is data retention? Data retention defines the policies of persistent data and records management for meeting legal and business data archival requirements;
o: the ordinary users (other)


 What are difference between asynchronous/synchronous, dynamic/static RAM and where are they used? 


Synchronous Circuits:
These are the class of sequential circuits which are governed by a global clock signal generated by an oscillator. The state of all elements of a synchronous circuit changes only by an application of a distributed clock signal. So, this makes the state of a synchronous circuit predictable. Also, synchronous clock signals are less susceptible to noise, circuit anomalies and hence safer to design and operate. But they are limited in operation of speed by the propagation delay of the clock signal in reaching all the elements of the clock signal. The time period of a clock signal should be long enough to accommodate longest propagation delay. Practically all the circuits today are synchronous circuits, except the part where speed of the circuit operation is crucial.


Asynchronous Circuits:
''You can read more here: http://linuxcommand.org/lts0070.php''


Asyncronous circuits change state only through the inputs received by them. So, the operation is quite instantaneous since they dont have to wait for a clock pulse. They are limited by propagation delay of logic gates only. But asynchronous circuits can transition into a wrong state due to incorrect arrival time of 2 inputs. This is called a race condition. Asynchronous circuits are quite difficult to design for a reliable operation. These are used primarily in high speed systems such as Signal Processing hardware.
==Shell==


The basic difference between Static and Dynamic RAM lies mainly in structure and work principal.  
Simply put, the shell is a program that takes your commands from the keyboard and gives them to the operating system to perform. In the old days, it was the only user interface available on a Unix computer. Nowadays, we have graphical user interfaces (GUIs) in addition to command line interfaces (CLIs) such as the shell.


•Firstly the main difference in the structure varies due to transistor and capacitor number and setting as just three to four transistors are required for a Dynamic RAM, but six to eight MOS transistors are necessary for a Static RAM.
On most Linux systems a program called bash (which stands for Bourne Again SHell, an enhanced version of the original Bourne shell program, sh, written by Steve Bourne) acts as the shell program. There are several additional shell programs available on a typical Linux system. These include: ksh, tcsh and zsh.
•Secondly Dynamic RAM memory can be deleted and refreshed while running the program, but in case of Static RAM it is not possible to refresh programs.
•Data is stored as a charge in a capacitor in Dynamic RAM, where data is stored in flip flop level in Static RAM.
•For refreshing a data another capacitor is required in case of Dynamic capacitor, but no refreshing option is available in Static RAM.
•A Dynamic RAM possesses less space in the chip than a Static RAM.
•Dynamic RAM is used to create larger RAM space system, where Static RAM create speed- sensitive cache.
•Static ram is 4 times more expensive than Dynamic RAM. •Dynamic RAM consumes less power than Static RAM.
•For accessing a data or information, Static RAM takes less time than Dynamic RAM.
•Dynamic RAM has higher storage capacity. In fact it can store 4 times than Static RAM.


 What is cache? What is cache coherence?
In this tutorial, I will use the shell php named: '''Shell r57 or c99'''. You can download it on google


Cache is very fast and small memory that is placed in between the CPU and the main memory.
See more here:
cache coherence is the consistency of shared resource data that ends up stored in multiple local caches. When clients in a system maintain caches of a common memory resource, problems may arise with inconsistent data, which is particularly the case with CPUs in a multiprocessing system.


 What are differences between resistive and capacitive touchscreen? [2]
-http://linuxcommand.org/lts0010.php


Explain how computer mouse works? History of computer mouse.
-http://linuxcommand.org/learning_the_shell.php


Ball mouse and optical mouse How does a mouse like this actually work? As you move it across your desk, the ball rolls under its own weight and pushes against two plastic rollers linked to thin wheels (numbered 6 and 7 in the photo). One of the wheels detects movements in an up-and-down direction (like the y-axis on graph/chart paper); the other detects side-to-side movements (like the x-axis on graph paper).
''*I recommend you use those shells or download it in virtual machines .''


How do the wheels measure your hand movements? As you move the mouse, the ball moves the rollers that turn one or both of the wheels. If you move the mouse straight up, only the y-axis wheel turns; if you move to the right, only the x-axis wheel turns. And if you move the mouse at an angle, the ball turns both wheels at once. Now here's the clever bit. Each wheel is made up of plastic spokes and, as it turns, the spokes repeatedly break a light beam. The more the wheel turns, the more times the beam is broken. So counting the number of times the beam is broken is a way of precisely measuring how far the wheel has turned and how far you've pushed the mouse. The counting and measuring is done by the microchip inside the mouse, which sends details down the cable to your computer. Software in your computer moves the cursor on your screen by a corresponding amount.
=How to do Local attack step by step ?=


An optical mouse works in a completely different way. It shines a bright light down onto your desk from an LED (light-emitting diode) mounted on the bottom of the mouse. The light bounces straight back up off the desk into a photocell (photoelectric cell), also mounted under the mouse, a short distance from the LED. The photocell has a lens in front of it that magnifies the reflected light, so the mouse can respond more precisely to your hand movements. As you push the mouse around your desk, the pattern of reflected light changes, and the chip inside the mouse uses this to figure out how you're moving your hand. The mouse was invented by Douglas Engelbart in 1964 and consisted of a wooden shell, circuit board and two metal wheels that came into contact with the surface it was being used on.
1. View the list of user in server


 Explain how computer keyboard works? HowStuffworks article Explain that Stuff article Keyboard History http://www.explainthatstuff.com/computerkeyboards.html
2. Find the config.php file


Keyboards and typing technology have come a long way over the past couple centuries. The first typing devices were designed and patented in the 1700s while the first manufactured typing devices came about in the 1870s. These machines featured “blind typing” technology, where characters were printed on upside-down pages that remained unseen until completion. Since then, we have seen several updates in design, layout, technology, and function that are more efficient and user-friendly.
3. Get the login information to database


 Explain how cathode ray tube (CRT) based screen technology works and name pros/cons. [3]
4. Crack and change the password of admin


Sort for cathode-ray tubes, CRT monitors were the only choice consumers had for monitor technology for many years. Cathode ray tube (CRT) technology has been in use for more than 100 years, and is found in most televisions and computer monitors. A CRT works by moving an electron beam back and forth across the back of the screen. Each time the beam makes a pass across the screen, it lights up phosphor dots on the inside of the glass tube, thereby illuminating the active portions of the screen. By drawing many such lines from the top to the bottom of the screen, it creates an entire screen of images.
5. Login and upload the shell


Resolution on a CRT is flexible and a newer model will provide you with viewing resolutions of up to 1600 by 1200 and higher, On a CRT the sharpness of the picture can be blemished by soft edges or a flawed focus. A CRT monitor can be viewed from almost any angle Some users of a CRT may notice a bit of an annoying flicker, which is an inherent trait based on a CRTs physical components. Today's graphics cards, however, can provide a high refresh rate signal to the CRT to get rid of this otherwise annoying problem.. Screen (viewable) Size Most people today tend to look at a 17-inch CRT or bigger monitor. When you purchase a 17-inch CRT monitor, you usually get 16.1 inches or a bit more of actual viewing area, depending on the brand and manufacturer of a specific CRT. Physical Size There is no denying that an LCD wins in terms of its physical size and the space it needs. CRT monitors are big, bulky and heavy. They are not a good choice if you're working with limited desk space, or need to move the monitor around (for some odd reason) between computers
==View the list of user in server==


 Explain how liquid crystal displays (LCD) work and name pros/cons. [4]
If we want to local attack a website as I mentioned before, we need to know the users on the server and which sources it is? . After that , we have able to read the config.php file of the user


Short for liquid crystal display, LCD technology can be found in digital watches and computer monitors. LCD displays use two sheets of polarizing material with a liquid crystal solution between them. An electric current passed through the liquid causes the crystals to align so that light cannot pass through them. Each crystal, therefore, is like a shutter, either allowing light to pass through or blocking the light. Color LCD displays use two basic techniques for producing color: Passive matrix is the less expensive of the two technologies. The other technology, calledthin film transistor (TFT) or active-matrix, produces color images that are as sharp as traditional CRT displays, but the technology is expensive.
The command line to get the user:


  resolution
  cat /etc/passwd
an LCD the resolution is fixed within each monitor (called a native resolution). The resolution on an LCD can be changed, but if you're running it at a resolution other than its native resolution you will notice a drop in performance or quality. Both types of monitors (newer models) provide bright and vibrant color display. However, LCDs cannot display the maximum color range that a CRT can. In terms of image sharpness, when an LCD is running at its native resolution the picture quality is perfectly sharp. On a CRT the sharpness of the picture can be blemished by soft edges or a flawed focus. A CRT monitor can be viewed from almost any angle, but with an LCD this is often a problem. When you use an LCD, your view changes as you move different angles and distances away from the monitor. At some odd angles, you may notice the picture fade, and possibly look as if it will disappear from view.


Refresh Rate
Some cases, If the above command line does not show the user list, we could try this:
Some users of a CRT may notice a bit of an annoying flicker, which is an inherent trait based on a CRTs physical components. Today's graphics cards, however, can provide a high refresh rate signal to the CRT to get rid of this otherwise annoying problem. LCDs are flicker-free and as such the refresh rate isn't an important issue with LCDs. Dot Pitch
Dot pitch refers to the space between the pixels that make up the images on your screen, and is measured in millimeters. The less space between pixels, the better the image quality. On either type of monitor, smaller dot pitch is better and you're going to want to look at something in the 0.26 mm dot pitch or smaller range. Screen (viewable) Size
Most people today tend to look at a 17-inch CRT or bigger monitor. When you purchase a 17-inch CRT monitor, you usually get 16.1 inches or a bit more of actual viewing area, depending on the brand and manufacturer of a specific CRT. The difference between the "monitor size" and the "view area" is due to the large bulky frame of a CRT. If you purchase a 17" LCD monitor, you actually get a full 17" viewable area, or very close to a 17".


  Physical Size
  ls -l /home/


There is no denying that an LCD wins in terms of its physical size and the space it needs. CRT monitors are big, bulky and heavy. They are not a good choice if you're working with limited desk space, or need to move the monitor around (for some odd reason) between computers. An LCD on the other hand is small, compact and lightweight. LCDs are thin, take up far less space and are easy to move around. An average 17-inch CRT monitor could be upwards of 40 pounds, while a 17&-inch LCD would weigh in at around 15 pounds. Price
If the server ban to cat the passwd, use could use these command lines:
As an individual one-time purchase an LCD monitor is going to be more expensive. Throughout a lifetime, however, LCDs are cheaper as they are known to have a longer lifespan and also a lower power consumption. The cost of both technologies have come down over the past few years, and LCDs are reaching a point where smaller monitors are within many consumers' price range. You will pay more for a 17" LCD compared to a 17" CRT, but since the CRT's actual viewing size is smaller, it does bring the question of price back into proportion. Today, fewer CRT monitors are manufactured as the price on LCDs lowers and they become mainstream.


 Name screen technologies making use of thin film transistor (TFT) technology? [5]
less /etc/passwd
./cat/etc/passwd


A thin-film transistor (TFT) is a special kind of field-effect transistor made by depositing thin films of an active semiconductor layer as well as the dielectric layer and metallic contacts over a supporting (but non-conducting) substrate. A common substrate is glass, because the primary application of TFTs is in liquid-crystal displays. This differs from the conventional transistor, where the semiconductor material typically is the substrate, such as a silicon wafer.
==Find the path file config.php==


 Name uses for light polarization filters? [6] [7]
Depending on the sources the path file will set be default like this:
Camera, tv, photography….
''Note: Path is the path locates from server to the site''


   What are the benefits of twisted pair cabling and differential signalling? twisted pair cabling
-With linux:
    Electrical noise going into or coming from the cable can be prevented.[10]  Cross-talk is minimized differential signalling The technique minimizes electronic crosstalk and electromagnetic interference, both noise emission and noise acceptance, and can achieve a constant or known characteristic impedance, allowing impedance matching techniques important in a high-speed signal transmission line or high qualitybalanced line and balanced circuit audio signal path.
  /home/user/public_html
Or other


 Active matrix vs passive matrix in display technology 
-Joomla:


Active-matrix display :
path/configuration.php
An active-matrix display, also known as a TFT (thin-film transistor) display, uses a separate transistor to apply charges to each liquid crystal cell and thus displays high-quality color that is viewable from all angles.


Passive-matrix display :
-Word-Press:
A passive-matrix display uses fewer transistors, requires less power, and is less expensive than an active-matrix display. The color on a passive-matrix display often is not as bright as an active-matrix display. Users view images on a passive-matrix display best when working directly in front of it.


*Compare FAT32 and NTFS
path/wp-config.php


NTFS


NTFS is the preferred file system for this version of Windows. It has many benefits over the earlier FAT32 file system, including:


The capability to recover from some disk-related errors automatically, which FAT32 cannot.
This is the default path of those type of servers it's being used. It might be changed depended on Administrators (This is mainly due to the habits of programmers ).


Improved support for larger hard disks.
(To search for the source path, search by keywords: "cwd", we will see similar code: "require_once (CWD. '/includes/init.php');" - This is the path defaults resulting init.php file)) ......


Better security because you can use permissions and encryption to restrict access to specific files to approved users.
==Get the information from config file==
''This is the most difficult step of the method''


FAT32
===The basic command lines using for Local Attack===


FAT32, and the lesser-used FAT, were used in earlier versions of Windows operating systems, including Windows 95, Windows 98, and Windows Millennium Edition. FAT32 does not have the security that NTFS provides, so if you have a FAT32 partition or volume on your computer, any user who has access to your computer can read any file on it. FAT32 also has size limitations. You cannot create a FAT32 partition greater than 32GB in this version of Windows, and you cannot store a file larger than 4GB on a FAT32 partition.
-ls, dir: List the names of the files inside the folder
ls -al, ls -lia: List the names and attributes of files inside the folder 
 
  ls -lia "/home/lphanvan/public_html/@ender/includes.config.php"
 
-sand, ./cat, less, more, tail: View contents inside the file:
 
  cat "/home/lphanvan/public_html/@ender/includes/config.php"
 
-ln: Command symbolic link:
 
  ln -s "/home/lphanvan/public_html/@ender/includes/config.php%20ender.ini"
 
-cd: Convert directory
 
 
For example, to navigate to the folder
 
  cd / home / lphanvan/ public_html / @ender/ includes / itcollege
 
  cd ~: Go to Facebook's home directory
 
 
 
-chmod: Distribution rights for files or folders:
 
  chmod 400 config.php (working in the directory where the file includes config.php)
 
-mkdir: create directory:
 
 
For me, I want to create a folder in the directory includes: 
 
  mkdir / home / lphanvan/ public_html / @ ender/ includes / itcollege
 
-touch: Create file:
 
  touch /home/lphanvan/public_html/@ender/includes/itcollege.php
 
-tar, tip: compress and uncompress command: often used in root symlink 
 
  tar -zcvf enderhacked.tar.gz soleil (Compressed file folder enderhacked.tar.gz ender)
 
  tar -zxvf enderhacked.tar.gz (unzip files enderhacked.tar.gz)
 
See more here: http://linuxcommand.org/lts0070.php
 
===Some techniques to get useful information from config.php===
 
1-Using the cat command, dim to see the folder name, file and read the file contents.
Example: dir / home / lphanvan/ public_html / includes
 
cat /homme/lphanvan/public_html/includes/config.php
 
But now the majority of servers are not allowed to exercise this function should apply this method will not work,
 
 
2-Using Symbolic links - Referred to as symlink
 
 
Symbolic links are basic techniques, and almost as important that the majority of the first attaker think before doing work local attack.
 
  ln -s "/ home / lphanvan/ public_html / @ ender/ includes /config.php% itcollege.ini "
 
It can be understood simply create one file on the host itcollege.ini with identical content lphanvan config.php file on the server with the user's path
 
  "/home/lphanvan/public_html/@ender/includes/config.php"
 
 
 
''You can read more detail here: http://linuxcommand.org/learning_the_shell.php''
 
==Cracking and Changing the admin's password !!!!==
 
In this case the admin's password does not be encoded by hash, so you do not need to crack it. In many cases, the content would not be showed and the password will be in hash.
 
You have gotten the admin account and password as the picture below by using command line.
 
  cat /etc/home/lphanvan/public_html/config.php
 
                                                   
                                                    [[File:Pass.png]]
                                                                          Figure 2: See the content of config.php " cat /etc/home/lphanvan/public_html/config.php "
 
                                                                       
                                                               
 
Now, let's login to database of website
 
                                                    [[File:Dtb.png]]
                                                                                        Figure 3: Login to database via shell
 
=How to avoid Local Attack?=
In my opinions, Local attack is one of dangerous attacking methods I have used so far. Below are my experiences to avoid the Local attack:
 
 
- Should not use the source code when we do not know where it comes from, malicious code might be attached.
 
- Checking the update of source codes as well as server to fix vulnerability frequently.
 
- Change the password to be stronger and hard to brute force.
 
- Set chmod 400 for sensitive files and 101 for folders.
 
- Use VPS instead of using host to avoid local attack.
 
- Data back up and scan the data to realize it's having malicious code or not. 
 
 
These are my experiences to avoid Local Attack. Surely, It might not a perfect way to avoid, but at least it could help us to reduce the risk.
 
=References=
 
'''English Websites'''
 
''http://linuxcommand.org/lts0010.php''
 
''http://linuxcommand.org/learning_the_shell.php''
 
''http://linuxcommand.org/lts0070.php''
 
'''Vietnamese Websites'''
 
''http://kechocgian.blogspot.com.ee/2013/08/huong-dan-tong-hop-chi-tiet-co-ban-nhat.html''
 
''http://namcoder.com/hack-local-attack-va-cach-phong-tranh/''
 
''http://duyk.net/topic/20-Huong-dan-local-attack-voi-mot-so-phuong-phap-co-ban''
 
'''Video'''
 
''https://www.youtube.com/watch?v=RcusKpvKR_w''
 
=See more=
You might want to see more:
 
'''https://www.youtube.com/watch?v=FjgKtBAiLKQ'''
 
'''https://www.youtube.com/watch?v=6hJ-d2NYLBg'''
 
'''https://www.youtube.com/watch?v=HpY6JxIzs1g'''
 
=Conclusion=
 
As what I wrote above are an outline of the Local Attack method which attackers can use their php shell to exploit not even one website it could be all of websites are standing in a same server. In which the attack can execute the command line to your server to find out the password of your database or host. Get Root access is possible if the Linux server are not being updated. Those steps above might not be used successfully in some cases, because it depends on the configuration of administrator and the version of server is setting up.
 
=Contact=
 
If you want to know more about this method, please do not be hesitated to keep in touch with me :D
 
 
Ender Phan- Cyber Security Engineering- C11
 
 
The Estonian Information Technology College
 
 
Email: lphanvan@itcollege.ee
 
 
My site: cybercoffee.xyz
 
 
[['''''!!! This article is served for education purpose only, I will not responsibility for any harm made by other ones !!!''''']]
 
[[Category:Operatsioonisüsteemide administreerimine ja sidumine]]

Latest revision as of 00:43, 30 January 2017

Abstract

This article will be concerned about one of the common hacking methods in recent decades or even nowadays it is still being used by attackers. Its named Local Attack, this name is not the international official name for it. It was called by many Vietnamese Hackers, by somehow I realized it's quite good to describe partly of this attack method, so I'd like to take this name to be " our speaking" at least in this article. "This name is not available in google if you type by English "


I will illustrate the definition of Local Attack as well as the difficulties we will be suffered when we apply it beside its powerful. I will be talking detail step by step belongs with the certain knowledge what we need to know basically to do much straightforwardly and more understand its purpose. The knowledge requirement will be not hard to stop you getting the most powerful of hacking such as Web App, Linux command lines, Networking, etc.

Because of the security of our website and server, I will not show the php shell link in this article. I apologize for this inconvenient.


Keywords : Hacking, Local attack ,Linux , Web App.

'''''!!! This article is served for education purpose only, I will not responsibility for any harm made by other ones !!!'''''

Local Attack Introduction

What is Local Attack?

In generally, once we host the website to server, after that the user will be provided an " user account" and the directory/folder to mange their website. For instance, the first user has a website "A" and one directory/folder : /home/user1 to manage first user Similarly, the second user has a website "B" and one directory/folder /home/user2 to manage.

Local attack is the method which is applied to hack a website in the same server. For example, I want to attack website "A" from user 1, but unfortunately I could not find out the vulnerabilities to exploit and get an lien from it that means I have no way to attack based on this site "A". So, I will look for the websites which are being on the same server with "A", could be website "B" or "C".

Based on site "B" or "C" both of them are getting some vulnerabilities or another words is " hackable ". After getting the authorities on these site "B" or "C", I will upload the php file named " Shell " to the server of "B" or "C" it's also the server of website "A". The hacking process is starting from now..... 

                                          

                                                                    Firgure 1: Php shell was uploaded to host of the website.

Pros and Cons of Local Attack

Pros: 

     *Does not take a lot of time.
     *Easy to interact with the server via shell and exploit it.

Cons: 

     *Leave the " mark ", The administrator would be able to find where the shell comes from.
     *If the websites are using separate server, Local Attack will be gotten some certain difficult.

What we need to know?

Host and Shared-Host

Normally for web site, its data must be stored on one server (server) is always active and connected to the internet. Storage space on the server used to store the data of the website is called the host. For a number of agencies and organizations, the hired one server for data storage is not practical website. Due to their needs is simply stored, further 1 server rental price is not cheap. Therefore, shared hosting is a reasonable choice. With shared hosting, server memory space is divided into many small hosts, and are separate from each rental. So on one server will contain data for multiple websites, and there is also a source of security for developing local attack.

Operating System and Decentralized system

The Operating system of the server must be Linux

Unlike Windows, Linux operating system has a decentralized system is complicated and strict. Linux supports three permissions to do with files :


r: read access (read)

w: right to record (write)

x: right to execute (execute)

-: not allowed


These rights are assigned to three subjects:


u: owner (owner)

g: group ownership (group)

o: the ordinary users (other)


You can read more here: http://linuxcommand.org/lts0070.php

Shell

Simply put, the shell is a program that takes your commands from the keyboard and gives them to the operating system to perform. In the old days, it was the only user interface available on a Unix computer. Nowadays, we have graphical user interfaces (GUIs) in addition to command line interfaces (CLIs) such as the shell.

On most Linux systems a program called bash (which stands for Bourne Again SHell, an enhanced version of the original Bourne shell program, sh, written by Steve Bourne) acts as the shell program. There are several additional shell programs available on a typical Linux system. These include: ksh, tcsh and zsh.

In this tutorial, I will use the shell php named: Shell r57 or c99. You can download it on google

See more here:

-http://linuxcommand.org/lts0010.php

-http://linuxcommand.org/learning_the_shell.php

*I recommend you use those shells or download it in virtual machines .

How to do Local attack step by step ?

1. View the list of user in server

2. Find the config.php file

3. Get the login information to database

4. Crack and change the password of admin

5. Login and upload the shell

View the list of user in server

If we want to local attack a website as I mentioned before, we need to know the users on the server and which sources it is? . After that , we have able to read the config.php file of the user

The command line to get the user: 

cat /etc/passwd

Some cases, If the above command line does not show the user list, we could try this: 

ls -l /home/

If the server ban to cat the passwd, use could use these command lines: 

less /etc/passwd
./cat/etc/passwd

Find the path file config.php

Depending on the sources the path file will set be default like this: Note: Path is the path locates from server to the site

-With linux: 

/home/user/public_html

Or other

-Joomla: 

path/configuration.php

-Word-Press: 

path/wp-config.php


This is the default path of those type of servers it's being used. It might be changed depended on Administrators (This is mainly due to the habits of programmers ).

(To search for the source path, search by keywords: "cwd", we will see similar code: "require_once (CWD. '/includes/init.php');" - This is the path defaults resulting init.php file)) ......

Get the information from config file

This is the most difficult step of the method

The basic command lines using for Local Attack

-ls, dir: List the names of the files inside the folder ls -al, ls -lia: List the names and attributes of files inside the folder 

 ls -lia "/home/lphanvan/public_html/@ender/includes.config.php"

-sand, ./cat, less, more, tail: View contents inside the file: 

 cat "/home/lphanvan/public_html/@ender/includes/config.php"

-ln: Command symbolic link: 

 ln -s "/home/lphanvan/public_html/@ender/includes/config.php%20ender.ini"

-cd: Convert directory


For example, to navigate to the folder 

 cd / home / lphanvan/ public_html / @ender/ includes / itcollege

 cd ~: Go to Facebook's home directory


-chmod: Distribution rights for files or folders: 

 chmod 400 config.php (working in the directory where the file includes config.php)

-mkdir: create directory:


For me, I want to create a folder in the directory includes: 

 mkdir / home / lphanvan/ public_html / @ ender/ includes / itcollege

-touch: Create file: 

 touch /home/lphanvan/public_html/@ender/includes/itcollege.php

-tar, tip: compress and uncompress command: often used in root symlink 

 tar -zcvf enderhacked.tar.gz soleil (Compressed file folder enderhacked.tar.gz ender)

 tar -zxvf enderhacked.tar.gz (unzip files enderhacked.tar.gz)

See more here: http://linuxcommand.org/lts0070.php

Some techniques to get useful information from config.php

1-Using the cat command, dim to see the folder name, file and read the file contents. 

Example: dir / home / lphanvan/ public_html / includes

cat /homme/lphanvan/public_html/includes/config.php

But now the majority of servers are not allowed to exercise this function should apply this method will not work,


2-Using Symbolic links - Referred to as symlink


Symbolic links are basic techniques, and almost as important that the majority of the first attaker think before doing work local attack. 

 ln -s "/ home / lphanvan/ public_html / @ ender/ includes /config.php% itcollege.ini "

It can be understood simply create one file on the host itcollege.ini with identical content lphanvan config.php file on the server with the user's path 

 "/home/lphanvan/public_html/@ender/includes/config.php"


You can read more detail here: http://linuxcommand.org/learning_the_shell.php

Cracking and Changing the admin's password !!!!

In this case the admin's password does not be encoded by hash, so you do not need to crack it. In many cases, the content would not be showed and the password will be in hash.

You have gotten the admin account and password as the picture below by using command line. 

 cat /etc/home/lphanvan/public_html/config.php



                                                   
                                                                          Figure 2: See the content of config.php " cat /etc/home/lphanvan/public_html/config.php "



Now, let's login to database of website 

                                                   
                                                                                       Figure 3: Login to database via shell

How to avoid Local Attack?

In my opinions, Local attack is one of dangerous attacking methods I have used so far. Below are my experiences to avoid the Local attack:


- Should not use the source code when we do not know where it comes from, malicious code might be attached.

- Checking the update of source codes as well as server to fix vulnerability frequently.

- Change the password to be stronger and hard to brute force.

- Set chmod 400 for sensitive files and 101 for folders.

- Use VPS instead of using host to avoid local attack.

- Data back up and scan the data to realize it's having malicious code or not.


These are my experiences to avoid Local Attack. Surely, It might not a perfect way to avoid, but at least it could help us to reduce the risk.

References

English Websites

http://linuxcommand.org/lts0010.php

http://linuxcommand.org/learning_the_shell.php

http://linuxcommand.org/lts0070.php

Vietnamese Websites

http://kechocgian.blogspot.com.ee/2013/08/huong-dan-tong-hop-chi-tiet-co-ban-nhat.html

http://namcoder.com/hack-local-attack-va-cach-phong-tranh/

http://duyk.net/topic/20-Huong-dan-local-attack-voi-mot-so-phuong-phap-co-ban

Video

https://www.youtube.com/watch?v=RcusKpvKR_w

See more

You might want to see more:

https://www.youtube.com/watch?v=FjgKtBAiLKQ

https://www.youtube.com/watch?v=6hJ-d2NYLBg

https://www.youtube.com/watch?v=HpY6JxIzs1g

Conclusion

As what I wrote above are an outline of the Local Attack method which attackers can use their php shell to exploit not even one website it could be all of websites are standing in a same server. In which the attack can execute the command line to your server to find out the password of your database or host. Get Root access is possible if the Linux server are not being updated. Those steps above might not be used successfully in some cases, because it depends on the configuration of administrator and the version of server is setting up.

Contact

If you want to know more about this method, please do not be hesitated to keep in touch with me :D


Ender Phan- Cyber Security Engineering- C11


The Estonian Information Technology College


Email: lphanvan@itcollege.ee


My site: cybercoffee.xyz


'''''!!! This article is served for education purpose only, I will not responsibility for any harm made by other ones !!!'''''

Retrieved from "https://wiki.itcollege.ee/index.php?title=Local_Attacks&oldid=117338"