Articles | Electric Impulse

Category Archives: Articles

Lists articles about Computer Security and other computer related articles.

Gaining Access To A Website Running Psychostats

Posted by acid_rain on March 9, 2011 – 10:20 pm

This article is also available in the Computer Security page.

            /$$$$$$  /$$$$$$       /$$                   /$$$$$$  /$$$$$$
           /$$__  $$|_  $$_/      | $$                  /$$__  $$|_  $$_/
  /$$$$$$ | $$  \__/  | $$    /$$$$$$$         /$$$$$$ | $$  \ $$  | $$   /$$$$$$$
 |____  $$| $$        | $$   /$$__  $$        /$$__  $$| $$$$$$$$  | $$  | $$__  $$
  /$$$$$$$| $$        | $$  | $$  | $$       | $$  \__/| $$__  $$  | $$  | $$  \ $$
 /$$__  $$| $$    $$  | $$  | $$  | $$       | $$      | $$  | $$  | $$  | $$  | $$
|  $$$$$$$|  $$$$$$/ /$$$$$$|  $$$$$$$       | $$      | $$  | $$ /$$$$$$| $$  | $$
 \_______/ \______/ |______/ \_______//$$$$$$|__/      |__/  |__/|______/|__/  |__/
                                     |______/

I’m BACK!

-=1=–=0=–=1=–=0=–=1=–=0=–=1=–=0=–=1=–=0=–=1=–=0=–=1=–=0=–=1=–=0=–=1=–=0=–=1=-

-=1=–=0=–=1=–=0=–=1=–=0=–=1=–=0=–=1=–=0=–=1=–=0=–=1=–

Table of Contents 1. What is Psychostats?
2. Vulnerability.
3. The fix.
3. Reconnaissance.
4. Exploit.
5. Credits.
-=1=–=0=–=1=–=0=–=1=–=0=–=1=–=0=–=1=–=0=–=1=–=0=–=1=–

Section 1. What is Psychostats?
——————————-

Straight from the site:
“PsychoStats is open source software that creates comprehensive gaming statistics for players and clans for Half-Life and Half-Life 2 based games. This includes games like Counter-Strike, Team Fortress 2, Day of Defeat and GunGame. Support for other games such as Call of Duty 4 and Soldat are also supported.” Examples of websites running Psychostats can be found by searching google or going to the Psychostats website at: http://www.psychostats.com/

Section 2. Vulnerability.
————————-

The vulnerability of psychostats is simple. WEBMASTER ERROR. SOME (Definitely not all) websites can be found with the vulnerability working like a charm. The problem is that finding a site running psychostats as a standalone, instead of a community or organization using some sort of automated website that gives psychostats is hard to find. Although I was successful in finding website that were readily exploitable, the success rate was quite low. The vulnerability comes with the stats.cfg file sitting in the top directory of a new (or even old) installation of Psychostats.

Section 3. The fix.
——————-
The fix is easy. DONT MAKE YOUR PSYCHOSTATS SQL-DB PASSWORD THE SAME AS YOUR WEBSITE PASSWORD. Change your permissions as well through CHMOD to keep random people out of your SQL-DB’s.

Section 3. Reconnaissance
————————-
We gather information about the target we are going to use. For this I am just going to use a fake website for an example. Most shared-hosting websites are the most vulnerable. Shared-hosting websites are normally used by beginning webmasters or smaller companies who cannot invest in high web-security. This isn’t always the case, though.

One of the best ways to understand an application– whether it be web, or an application for the OS is to install it and run it on a web server, or use it on your own system/test system. Learn how the application functions, and how the directory structure works. Once you’ve figured out the directory tree and the operation of that program, you’ll have a basic understanding of how to manipulate its structure or even code. Psychostats’ default install for most webmasters is either:

www.domainnamehere.com/stats

www.domainnamehere.com/psychostats

It appeared that some webmasters were smart enough to rename the Psychostats to whatever they wanted. It’s not necessary to do so, but it is highly recommended.

Now, how do we search for people on the web that are running Psychostats?
Google is our best friend:

http://www.google.com/search?q=powered+by+psychostats&btnG=Search&hl=en&sa=2

The term “Powered by Psychostats” is a “branding” that just gives us a hand finding nothing but websites running Psychostats. It’s those three words that give us our targets.

Now we have done our recon, and have a website that we want to exploit.

Section 4. Exploit. (not really, more like a URL search…)
——————-
Now that we’ve found our website at www.domainnamehere.com and we see it’s running Psychostats… we need to make sure we aren’t looking at a certain player’s stats, or a weapon’s stats. We need to make sure we’re in the ROOT DIRECTORY that the Psychostats install is in. We can check this by simply using our browser.

We are currently looking at something like this:

www.domainnamehere.com/psychostats/cs/87932845687=oihjhu=player=poop?

We need to get rid of all the extra trailing information and end up with a result like this:

www.domainnamehere.com/psychostats

THIS IS THE ROOT DIRECTORY OF PSYCHOSTATS.
(Remember, as said before, the root directory name isn’t always going to be “Psychostats”. It could be “stats”, or “statistics”, or even the name of the game or mod the webmaster chooses. Keep in mind, for some Apache servers, the trailing directory may be case sensitive.

Now that we’re in the root directory of Psychostats, we exploit by simply adding “stats.cfg” to the end of the URL. Here’s an example:

www.domainnamehere.com/psychostats/stats.cfg

Press enter to confirm the directory change.

If the host is vulnerable, your browser will attempt to download stats.cfg. Download the stats.cfg file, and open it. If the system is not vulnerable and you get a redirect, or a “File not Found”, there are two options you have.

1. Try changing “stats.cfg” to a different name, like “server.cfg” or using the clan’s name, game name, mod name etc. It will always have .cfg at the end no matter what’s before the extension separator.

2. Move on, Jack… the webmaster appears to be smart enough to know how to safeguard SQL.

If it just so happens that the system is vulnerable, and you are able to download the stats.cfg file from the web server, once you open the file you should see something like this:

# stats.cfg should ONLY contain basic database settings.
# any other configuration settings will be ignored.

dbtype = mysql
dbhost = mysql302.domainhere.com
dbport = 3306
dbname = dragon_ps3
dbuser = dragon_ps3
dbpass = PSadmin1
dbtblprefix = ps_

Congratulations! You’ve just gained access to an SQL database! If you can access the dbhost via url, can login to the admin section using the dbuser, and dbpass fields. We aren’t done yet.

Most webmasters, including some of the best, use global passwords to help keep memory of logins. SQL database something different than the password to their actual website! 7/10 times the password to the SQL DB is the same as the password to the entire website. Let’s login to the CPANEL! Note that all websites don’t always use CPANEL, but you can use whatever website login feature is available. Sometimes the login panel is on the website of the actual company hosting the website. However, most times if you simply go to the website root… “www.thewebsitenamehere.com/CPANEL” you will get a login request for the Control Panel to the website.

So now we know that www.domainnamehere.com was vulnerable.
We’ve downloaded the “stats.cfg” file from the Psychostats root directory.

We want to go further by getting complete access to the website.
No problem.

www.domainnamehere.com/cpanel

Enter the dbuser data you got from the “stats.cfg” file into the username field. Be sure to refrain from typing anything after the actual username, which includes _ps3. Anything starting with an underscore that have characters following is not part of the username, but part of the SQL Database. This is how the tables for the database are made. For instance, in this tutorial, our dbname was dragon_ps3. our login for any type of admin, including Psychostats web admin panel would only be “dragon” not “dragon_ps3″.

Now we enter our password we got from the dbpass section in our “stats.cfg” file into our control panel password field.

Press enter.
Wait.
One of two things will happen:

1. User or Password invalid. If this happens, the site isn’t accessible via the information we’ve used. This means the SQL DB user/password is actually different than the user/pass the website is using. Move on, Jack.

2. You get access to the Control Panel and are able to do anything you choose with the website. This is assuming that the privileges are set as root or a superuser.

Now what are the chances you will be able to succeed at one of these exploits.
There’s a 1/40 chance you’ll find someone stupid enough to have done this. However, there are roughly 6,706,993,152 people in the world. That leaves you with about… 167,674,828 chances for success. You had better get started.

Section 5. Credits
———————————————————————————

Email : acid_rain([at])electricimpulse([dot])net
Website: http://www.electricimpulse.net
Twitter: @acid_rain

aCId_rAIn (2009)

Using NetBIOS To Your Advantage

Posted by acid_rain on March 9, 2011 – 10:06 pm

Filed under Articles, Computer Security

This article is also available in the Computer Security page.

This exploit only works with Windows machines lesser than Windows 2000. Firewalls and routers have become more popular making this exploit almost useless. However, NetBios is still used widely today, and is much safer than it used to be.

            /$$$$$$  /$$$$$$       /$$                   /$$$$$$  /$$$$$$
           /$$__  $$|_  $$_/      | $$                  /$$__  $$|_  $$_/
  /$$$$$$ | $$  \__/  | $$    /$$$$$$$         /$$$$$$ | $$  \ $$  | $$   /$$$$$$$
 |____  $$| $$        | $$   /$$__  $$        /$$__  $$| $$$$$$$$  | $$  | $$__  $$
  /$$$$$$$| $$        | $$  | $$  | $$       | $$  \__/| $$__  $$  | $$  | $$  \ $$
 /$$__  $$| $$    $$  | $$  | $$  | $$       | $$      | $$  | $$  | $$  | $$  | $$
|  $$$$$$$|  $$$$$$/ /$$$$$$|  $$$$$$$       | $$      | $$  | $$ /$$$$$$| $$  | $$
 \_______/ \______/ |______/ \_______//$$$$$$|__/      |__/  |__/|______/|__/  |__/
                                     |______/

Introduction
————-
1. Welcome to the basic NETBIOS document created by aCId_rAIn. This document will teach you some simple things about NETBIOS– including… what it does, how to use it, how to exploit with it, and some other simple DOS commands that will be useful to you in the future. This document is intended to expand your knowledge of how the Network Basic Input Output System works. This method is very old, and hardly works anymore unless the target machine is not firewalled or is using an older Windows OS, but I have decided to keep it around for references.

2. NETBIOS, Network Basic Input output System, also known as “NBTSTAT” is a program run on the Windows operating system and is used for identifying a remote network or computer for communications, such as file sharing. We can exploit systems using this older method of communication.

How to use NBTSTAT to exploit a machine
—————————————-
There are two ways to access NBTSTAT. This tutorial is based off a home user’s PC running Windows 98x or lesser.

1:Start>Programs>MSDOS PROMPT>Type NBTSTAT
2:Start>Run>Type Command>Type NBTSTAT

It shouldn’t be that difficult to get to this command, either way.

Since you may be new to DOS, you may be a little confused at first at the results. These are the parameters (also called switches) to the command NBTSTAT. The results should look something like the following:

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval] ]
-a (adapter status) Lists the remote machine’s name table given its name
-A (Adapter status) Lists the remote machine’s name table given its IP address.
-c (cache) Lists NBT’s cache of remote [machine] names and their IP addresses
-n (names) Lists local NetBIOS names.
-r (resolved) Lists names resolved by broadcast and via WINS
-R (Reload) Purges and reloads the remote cache name table
-S (Sessions) Lists sessions table with the destination IP addresses
-s (sessions) Lists sessions table converting destination IP addresses to computer NETBIOS names.
-RR (ReleaseRefresh) Sends Name Release packets to WINS and then, starts Refresh
RemoteName Remote host machine name.
IP address Dotted decimal representation of the IP address.
interval Redisplays selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying
statistics.
C:\WINDOWS\DESKTOP>

The only two commands that are going to be used for NBTSTAT in this tutorial are:

-a (adapter status) Lists the remote machine’s name table given its name
-A (Adapter status) Lists the remote machine’s name table given its IP address.

Host Names
———-

3. The “-a” switch means that you will need to type in the HOST NAME of the target that you are trying to access. Just in case you haven’t any idea what a host name looks like, here’s an example:

123-fgh-ppp.internet.com

There are many variations of these adresses. For each different address you see there is a new ISP or server assigned to that computer to give it connectivity to the internet. Look at the difference between these two:

abc-123.internet.com
ghj-789.newnet.com

These are differnet host names, evidently. By dissecting the host-name into sections, and learning about the current ISP’s around the world, and how their host-name makeup is, you will be able to tell that these are two computers on two different ISPs by naure. Now, here are two host names on the same ISP but a different backbone server.

123-fgh-ppp.internet.com
567-cde-ppp.internet.com

IP Addresses
————-
The “-A” switch is used for inserting IP addresses into NBTSTAT.

4. You can resolve these host names, if you want, to the IP address. IP stands for Internet Protocol.

IP addresses range in different numbers. An IP looks like this:

201.123.101.123

Most times you can tell if a target is running on a cable/dsl/high-speed connection because of the IP address’s numbers. On faster connections, usually the first two numbers are very low/very high. here’s a cable connection IP.

24.18.18.10

on dialup connections IP’s are higher, like this:

208.148.255.255

notice the 208 is higher than the 24 which is the cable connection.

Of course, depending on the ISP, IP addresses can be very similar to high speed. Normally, it’s a good idea to ping the destination target. Doing this will definitely make the target more aware of your presence, but it can yield some really good information, such as TTL (Time To Live) which is normally used to determine the target OS. If a pong reply comes back from a ping request and has a high latency, it may be a connection lesser than broadband.

Getting The IP Through DC (Direct Connection) or site statistics.
5. First. You’re going to need to find the target IP or host name. Either will work. If you are on mIRC You can get it by typing /whois (nick) …where (nick) is the target nickname without parenthesis. You will either get a host name or an IP. Copy it down. If you do not get it or you are not using mIRC then you must direct connect to the target or you may use a sniffer/website stats to figure out the IP or host name. Direct connections are directly established links between two systems allowing either encrypted or unencrypted data to pass. Some programs that still use direct connect are:

AOL INSTANT MESSENGER
ICQ

Most times when you are sending a file to another machine you are directly connected. (Assuming you know the user is not using a proxy server to connect to the internet.) Since this document is old, things have changed over the past ten years, and IM applications like AIM, and Yahoo no longer directly connect anymore. Normally, a direct connection is made between you and the IM server, and the same with your destination target. The client requesting data from the file transfer is requesting the data from the IM server, while the host or “server” is sending that file directly to the IM server as well. This acts as a firewall for both users.

If you have none of these programs or choose not to use them, either I suggest you get one and try it out, get an updated sniffer, (Not sure if they even work or exist anymore…) or read this next statement.

A smart method I use to obtain an address or hostname is to send the target machine a link to a website (or my own website) that enables traffic statistics. If you use this method, you can then check the stats and get the IP/hostname/OS/Browser and more information from the latest visitors of your website. Once you have the IP address or host name of the target, you’ll need to switch into DOS.

If you are using the direct connect method instead of the traffic statistics method, use the following command to retrieve current connections to your machine out and in:

NETSTAT -n. NETSTAT is short for NET STATISTICS. It will show you all computers connected to yours. (This is also helpful if you think you have been subject to a trojan horse). Once you’ve typed NETSTAT – n your screen should look like the following example:
————————————————————————————————
C:\WINDOWS\DESKTOP>netstat -n
Active Connections
Proto Local Address       Foreign Address       State
TCP 172.255.255.82:1027 205.188.68.46:13784 ESTABLISHED
TCP 172.255.255.82:1036 205.188.44.3:5190   ESTABLISHED
TCP 172.255.255.82:1621 24.131.30.75:66     CLOSE_WAIT
TCP 172.255.255.82:1413 205.188.8.7:26778   ESTABLISHED
TCP 172.255.255.82:1483 64.4.13.209:1863    ESTABLISHED
C:\WINDOWS\DESKTOP>
————————————————————————————————
The first line indicated the Protocol (language) that is being used by the two computers.
TCP (Transfer Control Protocol) is being used in this and is most widely used.
Local address shows your IP address, or the IP address of the system you are on. If you are behind a router,
Foreign address shows the address of the computer connected to yours.
State tells you what kind of connection is being made ESTABLISHED – means it will stay connected to you as long as you are on the program or as long as the computer is allowing or is needing the other computers connection to it. CLOSE_WAIT means the connection closes at times and waits until it is needed or you resume connection to be made again. One that isn’t on the list is TIME_WAIT which means it is timed. Most Ads that run on AOL are using TIME_WAIT states.
the way you know the person is directly connected to your computer is because of this:
————————————————————————————————
C:\WINDOWS\DESKTOP>netstat -n
Active Connections
Proto Local Address Foreign Address State
TCP 172.255.255.82:1027 205.188.68.46:13784 ESTABLISHED
TCP 172.255.255.82:1036 205.188.44.3:5190 ESTABLISHED
TCP 172.255.255.82:1621 24.131.30.75:66 CLOSE_WAIT
TCP 172.255.255.82:1413 abc-123-ppp.webnet.com ESTABLISHED
TCP 172.255.255.82:1483 64.4.13.209:1863 ESTABLISHED
C:\WINDOWS\DESKTOP>
————————————————————————————————
It’s a good idea to learn what applications are using what ports or to use an administration tool to verify what process is using what port. If you can’t identify what applications are claiming specific ports, start by closing out programs that use an internet connection, or use an online validation.

In this scenario, I have identified:

abc-123-ppp.webnet.com

as one of the systems that continued to show up on my list after closing out all applications while the file transfer was in progress.

Either the IP or hostname will be listed, and either one is fine. I am using abc-123-ppp.webnet.com host name as an example.

Open up your DOS command. Invoke NBTSTAT by typing NBTSTAT. Here’s the only thing you’ll need to know.

-a (adapter status) Lists the remote machine’s name table given its name
-A (Adapter status) Lists the remote machine’s name table given its IP address.

Simplified:

-a will be the host name
-A will be the IP

If you’ve used NETSTAT -a and recovered a host-name, then use the -a switch.
If you’ve used NETSTAT -A and recovered an IP address, then use the -A switch.

Using it to your advantage
————————–
Use the correct switch in conjunction with the IP address or host-name in the command.

For example:
NBTSTAT -a abc-123-ppp.webnet.com

or if an IP address:
NBTSTAT -A 127.0.0.1

Once you’ve typed in the correct information, press enter. Either one of two things came up
1. Host not found
2. Something that looks like this:
——————————————–
NetBIOS Local Name Table
Name Type Status
———————————————
GMVPS01 <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
GMVPS01 <03> UNIQUE Registered
GMVPS01 <20> UNIQUE Registered
WORKGROUP <1E> GROUP Registered
———————————————
If the computer responded “Host not found” Then one of the following could be the cause:
1. You misepelled the host name.
2. You are using the wrong switch.
3. The host is not hackable, because NETBIOS is not enabled.
4. There is a firewall blocking that port or is disallowing access to the port because the source IP is unknown or has been filtered.

If number one is the case you’re in great luck. If two, This system isn’t hackable using the NBTSTAT command. So try another system.
If you got the table as above to come up, look at it carefully as i describe to you each part and its purpose.
Name – states the share name of that certain part of the computer
<00>, <03>, <20>, <1E> – Are the Hexidecimal codes giving you the services available on that share name.
Type – Is self-explanatory. It’s either turned on, or activated by you, or always on.
Status – Simply states that the share name is working and is currently activated.

Look for the following line if a response is made back to you from the target:

<20> UNIQUE Registered

See it?
The Hexidecimanl code of <20> means that file sharing is enabled on the share name. Now you want to exploit the machine. Here’s How to do it. (This is the harder part)

LMHOST File
————
7. There is a file in all Windows systems called LMHOST.sam. Remember that we are talking about <Windows 2000. We need to simply add the IP into the LMHOST file. The LMHOST files allows redirecting to a particular address. It can be used to block addresses, or it can be used for it’s common purpose of becoming a replacement for DNS updates.
Search on your drive for LMHOST or HOST, or *.SAM if you’re having issues finding the file. When you’ve located the file, open it using a text program such as notepad++ or notepad, but make
Search through the LMHOST file until you see the part:

# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
# #PRE
# #DOM:
# #INCLUDE
# #BEGIN_ALTERNATE
# #END_ALTERNATE
# \0xnn (non-printing character support)
#
# Following any entry in the file with the characters “#PRE” will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the “#DOM:” tag will associate the
# entry with the domain specified by . This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with #DOM entry, it is necessary to also add a
# #PRE to the line. The is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying “#INCLUDE ” will force the RFC NetBIOS (NBT)
# software to seek the specified and parse it as if it were
# local. is generally a UNC-based name, allowing a

# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addtion the share “public” in the example below must be in the
# LanManServer list of “NullSessionShares” in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmans erver\parameters\nullsessionshares
# in the registry. Simply add “public” to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.
Read this over and over until you understand the way you want your connection to be set. Here’s an example of how to add an IP the way I would do it:

#PRE #DOM:255.102.255.102 #INCLUDE C:/

Pre will preload the connection as soon as you log on to the net. Once you’ve added your entry, if typing the address in does not work because the resolve has failed, #PRE will check the address and force the #DOM to be the domain or IP address of the host you have listed in the HOSTS file. #INCLUDE will set the default path once the connection has been made. In this case, as soon as I have established a connection to my target, I will get access to 255.102.255.102 on the C:/ drive. To help you out some, it would be a great idea to pick up on some programming languages to show you how the computer reads information and learn some things on TCP/IP (Transfer Control Protocol/Internet Protocol).

Gaining Access
—————
7. Once you have added this to you LMHOST file. You are basically done. All you need to do is go to:
Start
Find
Computer

Simply type the IP address or host name of the target into the search box. The result that shows up will inevitably be the target machine unless that machine is also connected using the same method of networking purposely, such as a file server. This will allow you to browse using a GUI so you don’t have to use DOS if you choose. You can use DOS to do it by invoking the “net use (IP)” command/switch as well. When you open the system you can edit, delete, rename, do anything to any file you wish as long as the permissions are there. In most cases, users do not expect to become compromised, thus having lower security precautions. It’s a great idea to also write a small script to send an email out to the attacking machine notifying of updated DNS. If a target is on a dynamic IP address, it may be much harder to retrieve the IP address unless a script is written to notify the attacker on update.

Email  :    acid_rain([at])electricimpulse([dot])net
Website:    http://www.electricimpulse.net
Twitter: @acid_rain

 aCId_rAIn (1998)

Category Archives: Articles

Gaining Access To A Website Running Psychostats

Using NetBIOS To Your Advantage

Subscribe

Who’s Online?

Twitter Feed

My Tumblr