IntroIf you've been following security news, you'd know that Mac OS High Sierra has a security bug. Most of the articles have done a fine job explaining all the fluff, so I'll get straight to the point.
If you have no password for the root account (as is the case for most users, since they haven't explicitly set up a root account and password on their system), then Mac will accept a blank password for logging into root.
A demo is better than a 1000 words, and I'll show you one real quick-
DemoStep 1 : Go to a place requiring admin privilege authentication. For example, Users and Groups in System Preferences.
Step 2 : Click on the lock, and you'd be prompted to login.
Step 3 : Change username to root, leave the password field blank (After changing username to root, press tab to move to the password field, then tab again to go back to username field, and then click unlock, otherwise this won't work).
MacOS High Sierra blank password bug - YouTube
That's it. You can get creative regarding what all you can accomplish with this. I haven't tried it, but I've heard that this attack (bug :p) works remotely!
Seeing as how this bug puts your system at risk, I'm sure you are curious as to how to fix it. One way is to give your root account a password.
However, on 29th Nov apple released a security update for this bug. We'll simply use that. Here's the update - https://support.apple.com/en-us/HT208315 (the section below uses info from the linked page)
Let's first check if the update is installed.
For that, type this on your terminal and hit enter-
If your output is something like this, then you have an old version of the update installed-
If it's one of these two, or a more recent version (higher numbers), then you're good
opendirectoryd-483.1.5 on macOS High Sierra 10.13 opendirectoryd-483.20.7 on macOS High Sierra 10.13.1
So, if you have and old version like me, let's head to the app store and install the update.
Sure enough, here's the update we need. It'll take a bit to get installed.
Once that's done, let's just run the same command again and verify that the version number increased to our liking. Now we're all good.
MacOS High Sierra Bug Gone After security update - YouTube
Over the past week, around 200,000 systems are believed to have been hacked by wannacry ransomware. Let's start with some background first, and then move into the details-
Before you know what Ransomeware is, it's important to know what trojans are. We can broadly classify malicious computer programs into 2 categories-
Spread wildly and attack destructively
Spread surgically and attack covertly
The first category comprises the typical viruses that infect your computers, get inside your USB, copy themselves to every avenue they can. They slow down your computer, limit it's functionality, and in general, make a lot of changes that make them easy to detect. These, in general, serve no particular useful purpose for the writer of the malicious code, other than perhaps giving them the lulz or maybe some sense of accomplishment. Also, once spread, there is very limited amount (or none at all) amount of control that the writer of the malicious code has on it's actions.
The second ones are the precisely crafted viruses called trojans. These hide behind legitimate files, spread only through very few avenues as seen fit by their programmer. Let me make this point a bit clearer-
Most viruses would copy themselves to all devices attached to the infected system, try to spread via the network, internet etc. from the infected system.
Trojans will not automatically copy themselves. They will stay hidden and inactive.
As with everything else, the means of spread of trojan is also precise. The malicious code writer will hide them behind a legitimate file, and then spread this file using social networks, spam mails, etc. This way, only those computers will get infected that the attacker wants to infect.
What are some examples of trojans-
Remote Administration Tools (RATs) - These are trojans which, when installed on the system, silently position themselves in such a way that they allow the attacker to control the system remotely. This means that the attacker can browser all your files, read all your data, see what you're typing (hence get all your accounts and passwords), get a live feed of your screen, and access your webcam. As you can clearly see, as opposed to other viruses, trojans have specific use for the malicious author. He now controls the infected computer.
Botnet - This is a special use of a freely spreading trojan whose purpose is to infect as many computers as possible with a RAT like functionality but less control on who gets infected. This reduced control and increase rate of spreading is important because of the purpose of a botnet. Botnet is basically a large network of infected computers which the attacker uses to do his bidding. They are often used to carry out DDOS attacks. Suppose the trojan spread to 1000 computers (a very small number, there are HUGE botnets out there). The attacker can then use these 1000 computers to simultaneously attack websites and take them down. Another use for botnets is bitcoin mining.
Recently, a new use for trojans has been seen-
If you have been paying attention so far, you'll notice that once infected by a trojan, a computer's files are under control of the attacker. That means he can easily say- "Give me money or I'll delete all your files". Unfortunately for the attacker, once the victim sees this message, the trojan is no longer covert. The victim may install an antivirus, backup his important data to the cloud/ external storage media/ USB, etc.
So, the attacker needs to do something which is equivalent to deleting, but reversible. Also, the reverse procedure should require the consent of the attacker. There is one solution - Encryption. If you know what encryption is, then you should see by now what's up. Otherwise, here's a simpler explanation (though not entirely accurate)-
What the attacker can do is similar to what happens when you find a compressed archive with a password. If you know the password, you can uncompress the archive, otherwise not. So, the attacker will take all files except the System files (without which your computer won't work), put them into a compressed archive with a secure password, and then delete the uncompressed files.
Once he's done with compressing (encrypting really) everything, he'll inform you about what just happened, and tell you to pay him a certain amount in bitcoins in exchange for the password of the compressed archive (i.e. the decryption key). If you don't pay up, he will delete the compressed archive and your data will be lost forever. Even if you manage to remove the ransomware after it announces it's presence, it's a bit too late. You avert the possibility of data deletion but that doesn't mean that you can now get your data back. You still don't know the decryption key, and unless there's a cryptographic flaw/weakness in the encryption scheme used by the attacker (basically weak password is used), it's almost impossible to find the key and decrypt the data.
What's special about WannaCry?
So while there have been ransomware around for quite some time, this one has spread to epic proportions. Why?
NSA, Shadow Brokers and EternalBlue
The credit for this goes to NSA for discovering the EternalBlue exploit and Shadow Brokers for releasing it to the public. I won't delve into further details of this, but EternalBlue exploit can hack any Windows machine which didn't have the patch for it. What does that mean?
The standard Windows security update on 14 March 2017 resolved the issue via security update MS17-010, for all currently supported Windows versions.
"The issue" referring to the vulnerability. However, many systems have automatic updates disabled and didn't have the patch. All these machines were vulnerable to this attack. Considering how often people end up disabling automatic updates (because they're annoying), you can imagine the scale of the EternalBlue exploit. This is the reason why this particular ransomware was able to spread so quickly.
WannaCryAt this point, you already have enough background necessary to understand what WannaCry is, on your own. You know it's a ransomware, and you know it uses EternalBlue to infect computers. The details can be seen n the pic below-
Files have been encrypted
You need to pay $300 via bitcoin
If you don't pay within 3 days, you need to pay $600
If you don't pay in a week, all files will be deleted permanently.
In the previous tutorial, we set up our web application pentesting lab. However, it's far from ready, and we need to make some changes to get it working as per our needs. Here's the link to the previous post if you didn't follow that- Set up your web app pentesting lab
Fixing the problems
Adding recaptcha key
Enabling disabled stuff
Installing missing stuff
Giving write privileges
If you remember from previous post, we reached this point-
There's some stuff in red color
All the stuff in red needs fixing. If you are lucky, we have the same set of issues which need fixing. Otherwise, you'll have to do some googling to find out how to fix problems which you are facing and I am not.
Changing mysql username and password
The default credentials are 'root' and 'p@ssw0rd' in the config.php.ini file. We change it to the correct mysql login credentials, 'root' and '', in my case. You can change depending on your mysql credentials. This gets rid of our biggest worry - Unable to connect to database!
This is the biggest problem. Solving this means we can create our database, some modules may not work perfectly, but DVWA will run. Without fixing this, we won't even be able to start.
This password isn't the password of our mysql database. In my case, password is nothing (i.e. ''). Update the value here. In case your mysql password is something else, use that. Change the username too is need be.
This is the corrected password value in my case. After this, refresh the page and click "Create/Reset database"
Now everything works fine after you click Create/Reset database.
Now we'll fix the other remaining issues.
Fixing missing recaptcha key Firstly, we need to solve the recaptcha key missing problem. Go to this URL-
Go to the URL, you'll see a form like this
Fill form, values don't matter much
You obtain site key and secret key. Site key = Private key, secret key = private key
Open the config.ini.php file in your favourite text editor
Edit the recaptcha public key and private key fields. Here is what I did.
Now we have a a recaptcha key. One red down, 3 to go.
Fixing disabled allow_url_include
We simply have to locate the configuration file and edit the value of the parameter from Off to On.
The php configuration file is located at /opt/lampp/etc/php.ini Edit it with your favourite text editor, you'll need root privileges (sudo)
Locate the allow_url_include line by using search feature of your text editor
Change Off to On
Restart the lampp service
Reload page, you'll see that the issue is fixed
Note: Any other function which is disabled can be enabled in a similar manner. All settings are in the php.ini file. You just need to search for the corresponding line and edit it.
Fixing missing modules
If a module is shown as missing , then we need to install it. In my case, everything is installed. Most likely, since you are also using XAMPP, everything would be installed. However, if that is not the case, then you have to figure out how to install the modules. If you aren't using XAMPP and did everything manually, then apt-get would be the way to go. Otherwise look at XAMPP's (or whichever bundle you are using) documentation.
Fixing File OwnershipWe need to give www-data user write access to two directories. We'll can use chgrp and chmod commands in unison to give only the privileges that are needed, or we could go the lazy way and use chmod 777 (full read, write and execute privileges to everyone). I'm feeling lazy and I'm just gonna go the chmod way. Run the command below-
chmod 777 <directory>
Replace directory with the correct directory.
This is the last thing that needs to be done
Everything is green finally! Also, notice the credentials, we'll need it later. "admin // password"
Database created. Populated with tables.
Finally the damn vulnerable application is running.
The username = "admin" and password is "password" ("admin // password" that we saw three pics ago).
Everything is running perfectly. This is the page you should see after successful login.
I'll leave you at the welcome page of DVWA. In the next tutorial, we'll begin proper exploitation of the intentional vulnerabilities, moving from trivial stuff to the really hard stuff. The first two tutorials complete the installation and configuration parts.
Without any preface, let me get straight to the point. In this tutorial, we will be installing Damn Vulnerable Web Application (DVWA) on a Ubuntu virtual machine. Our attacker machine would be Kali Linux, which is also installed as a virtual machine (or virtual box). The host can be any OS, and doesn't matter since we won't be using it at all. An alternate configuration is when your host is either Kali or Ubuntu, in which case you need only one VM, to install their the other OS. Alternatively, you could just use a single Kali machine both as attacker as well as victim (running the vulnerable application). However, that makes things less realistic.
Disclaimer : No cool stuff in this tutorial, just straightforward installation. Pre-requisites
You need to have Kali Linux (rolling release) and Ubuntu (I'm using 16.04) up and running. If you aren't familiar with virtual machines and stuff, then take a break of a few days, get familiar with them, install and run a few Linux (any flavour) VMs, drink some coffee, etc. Once you're comfortable with virtual machines (and have Kali & Ubuntu up nd running), proceed onward.
You also need some minimal knowledge of linux, networking, and web applications. As an exercise, you could try getting some free web host (a pathetic one will suffice, since you are only doing this for learning and won't need anyone to use your website), and deploy a wordpress site. Tinker around the website, install themes and stuff to get a feel for it. Then, go one step further and deploy a wordpress instance on your linux virtual machine. This time, don't use the wordpress UI to do things, but instead try and figure out stuff manually. Install themes, modules, etc. on your own by placing them in the correct directory. Just tinker away, in short, till you have some level of familiarity with web applications.
Now, you are familiar with web apps, virtual machines, and linux (not networking though). The task above were pretty simple but for now you can move ahead with the tutorial with the given amount of expertise. Also, the pre-reqs listed above are for the entire web pentesting series, and most probably you'll be able to follow this tutorial without completing some of them, since this is the first and very basic installation tutorial.
This is a fairly simple procedure. Below are screenshots with explanation.
First we will download DVWA.
Then we read it's doc and find out what to do.
After reading doc, we realize we need to install XAMPP, we do that.
After installing XAMPP, we test if it works by starting it and opening localhost on our machine.
Once we're sure that XAMPP works, we will proceed and copy DVWA files to htdocs folder of XAMPP.
Now we check if localhost/DVWA-master leads us to the vulnerable app. If it does, then we did everything right.
Navigate to the extracted archive. Get a lay of the land. You'll find that there is documentation available in docs folder.
Here is the relevant section of the documentation. We need to install XAMPP. You can get it to work with any other equivalent software bundle, but for ease, let's stick to the recommended way.
Proceed to download the XAMPP bundle. I went with the latest version (going with latest version poses a slight problem for us, while DVWA is flawed, our PHP version is perfectly patched. For now, let's ignore this. If this cause hinderance at a later stage, then we'll deal with it)
Navigate to downloads directory and run the installer for XAMPP
Realise that you forgot to run the installer as root! (kudos if you ran as root and didn't make the same mistake as me)
Run installer as root
It's a simple installer. You'd know what to do.
Wait for it to finish.
Start the XAMPP server (note that the directory is lampp in linux systems)
Check if your server is running by typing 127.0.0.1 or localhost on your browser. XAMPP is now up and running properly. Let's run our vulnerable app on XAMPP now.
As suggested by the documentation, we simply move our folder into the htdocs directory.
Open the localhost/DVWA-master URL and you'll see that everything works as expected. Our initial setup is successfully done.
There is still further configuration to be done, but I don't want to extend the tutorial any further.
Read about localhost (what does this URL signify - 127.0.0.1)
Commands used - ls, cd, mv, sudo. Use man pages to find out what these mean (eg. type man mv into the terminal)
Read Full Article
Scroll to Top
Separate tags by commas
To access this feature, please upgrade your account.