How to Hack Web Apps, Part 1 (Getting Started)

Welcome, budding hackers!

Before attacking any website, it’s critical to do good reconnaissance. A few minutes of recon can save you hours on a hack. Simply trying various attacks without first finding which attacks the site is vulnerable is pure foolishness.

There are a number of tools and applications to find vulnerabilities in websites, but one of the phishing website simplest (and one of my favorites) is nikto.This small and simple tool examines a website and reports back to you the potential vulnerabilities that it found that you could use to exploit or hack the site. In addition, it’s one of the most widely used website vulnerabilities tools in the industry and in many circles considered the industry standard.

Although this tool is extremely useful and effective, it is NOT stealthy. Any website with an IDS or other security measures in place will detect that you are scanning it. Originally designed for security testing, it was never meant to be stealthy.

Step 1 Fire Up Kali & Open Nikto

Let’s fire up Kali and get started with nikto. Once we have Kali up and running, go to Kali Linux -> Vulnerability Analysis -> Misc Scanners -> nikto, like in the screenshot below.

Image via wonderhowto.com

Although there are many options in using nikto, we will limit ourselves here to the basic syntax, such as this:

  • nikto -h <IP or hostname>

Step 2 Scan the Web Server

Let’s start with a safe web server on our own network. In this case, I have started the http service on another machine on my network. There is not a website hosted by this machine, just the web server. Let’s scan it for vulnerabilities by typing:

  • nikto -h 192.168.1.104

Nikto responds with a lot of information, as you can see below.

First, it tells us the server is Apache 2.2.14, probably on Ubuntu. It nailed this info and gives up more information on other potential vulnerabilities on this web server.

Note near the bottom that it identifies some vulnerabilities with the OSVDB prefix. This is the Open Source Vulnerability Database. This is a database maintained of known vulnerabilities at www.osvdb.org, in addition to other databases I covered, such as SecurityFocus and Microsoft’s Technet.

Step 3 Scan the Site

Let’s try another site. In an earlier tutorial, we had hacked a web server named webscantest.com. Let’s see what nikto can tell us about this site.

  • nikto -h webscantest.com

Once again, it identifies the server (Apache) and then proceeds to identify numerous potential vulnerabilities pre-fixed with OSVDB. We can take a look at that website at www.osvdb.org to learn more about these vulnerabilities.

Advertisements

Software Cracking Basics

Before you can begin cracking a trial, you must have some basic knowledge of assembly. If you are already familiar with it, you can skip this section. Well, you’re still here, so I guess I should start explaining. Unlike high-level programming languages (such as C++, Pascal, and Java) assembly does not rely on variables. Instead, it allows you to interact directly with the processor, and retrieve it in the same way. The places on the processor where the data is stored are called “registers”. The four most common registers are named AX, BX, CX, and DX (easy, eh?). These four registers are for general storage. The don’t have any special functions, they just store data (like variables).

In assembly, all commands look like this: COMMAND PARAMETER,PARAMETER (unless the command only uses one parameter). There are a few basic commands that you should know:

The MOV command is pretty much like using the assignment operator (“=”). It places the value of the second parameter in the first parameter. For example, MOV AX,DX moves the contents of the DX register into the AX register. You can also move numbers directly, as in MOV AX,15.

The basic math commands are ADD (addition), SUB (subtraction), MUL (multiply), and DIV (divide). Each of these commands require two parameters and store the result in the first parameter. You can also increase or decrease the value of a single register by 1, using the INC and DEC commands.

To compare values, most programs use the CMP command, which subtracts the value of the second parameter from the first. There is also a TEST command that does a bit-wise comparison. The result for each command is stored in a special area that can be accessed by functions called “conditional jumps”.

To move to another part of the code, a program will use the JMP command. The syntax is JMP (ADDRESS). If you want the program to jump only if a certain condition has been met (like the “If” statements in high-level languages), you can use these conditional jumps:

JE: Is executed if the parameters of the CMP command were equal.
JZ: Jump if zero (similar to JE).
JNE: Is executed if the parameters of the CMP command were NOT equal.
JNZ: Jump if not zero (similar to JNE).
JG: Is executed if the first parameter was greater than the second.
JL: Is executed if the first parameter was less than the second.
JGE: Is executed if the first parameter was greater than or equal to the second.
JLE: Is executed if the first parameter was less than or equal to the second.

You now know the very basics of x86 assembly. It’s time to get cracking!
(NOTE: If you want to continue learning assembly, visit http://www.emu8086.com)

Cracking the Program
_____________________

Tools needed: any good debugger (I’ll be using OllyDbg, which can be found at http://home.t-online.de/home/ollydbg)

The first step is to launch Olly (the debugger). Open the program you want to crack (cracking will be easier if the program is already expired). Olly will do some processing and analyzing, then display the code. Now, it’s time to get started. The very first thing you want to do is right-click the code and select “Search for” -> “All intermodular calls”. A window should pop up and show a big list of functions. These are all of the APIs that Olly found in the code. Towards the top of the window, there is a row of that says:

Address | Disassembly      | Destination

Click destination, so we can sort the APIs by name. Scroll down until you find a function called ollydbg”GetSystemTime“. (If there are several, you will have to follow the next steps for each one.) Click it and press F2. This will set a breakpoint so the program will automatically be pause when GetSystemTime is called. Press F9 to run the program. The program should pause before it can show you a dialog box notifying you that the trial is expired. If that happens, then go back to Olly, and press CTRL+F2 to restart the program. Find GetSystemTime again, click it, and press F2 to disable the breakpoint. Now double-click it. You should now be looking at the actual code of the program near the call to GetSystemTime. What we want to do now is look for a CMP or TEST statement, followed by a CONDITIONAL jump, such as JE or JG. The jump is there to either display a dialog and exit (if it expired), or give you access (if it hasn’t expired yet). Not all trial programs are the same, so I can’t tell you exactly what it will be like. Set a breakpoint on the jump (F2) and run the program again. If it still pauses before displaying a message or exiting, we’re almost done! (If not, you’ll need to look for another conditional jump.) The program should now be paused, and the conditional jump should be highlighted. Double-click it so you can modify it. Make it the opposite of whatever it is (change JE to JNEJG to JLet cetera…), then click the “Assemble” button. Press F9 to run the program again. Tada! Your program should work now. Right-click the code again and select “Copy to executable” -> “All modifications”, then choose “Copy all”. A new window should appear. Right-click it and choose “Save file” to save the program. Congratulations! You’re a real app cracker now!

Software Cracking Tutorial

If you’ve ever wondered how software pirates can take software and crack it time and time again, even with security in place, this small series is for you. Even with today’s most advanced methods of defeating piracy in place, it is still relatively easy to crack almost any program in the world. This is mainly due to computer processes’ ability to be completely manipulated by an assembly debugger. Using this, you can completely bypass the registration process by making it skip the application’s key code verification process without using a valid key. This works because assembly allows you to speak directly to the processor and force a skip over the registration process.In this Null Byte, let’s go over how cracking could work in practice by looking at an example program (a program that serves no purpose other than for me to hack). I will not be walking you through how to actually crack a legitimate program, because I can’t just crack a program for demonstration, but the techniques applied to my examples should give you the foundation needed to create your own. At that point, it’s a test of your morals if you want to use your knowledge for good or bad.

Requirements

  • Windows (for examples only, debuggers exist across platforms)
  • A debugger installed: IDAollydbg, etc. (ollydbg will be used in examples)

Step 1 Test the Program

First, run the program that you are attempting to reverse engineer and try to activate it with a random key to verify that you need a valid software key to proceed. This is to verify that we can come up with the keys.

Step 2 Run the Program in a Debugger

  1. Run ollydbg.
  2. Open up the program you wish to bypass with ollydbg.
  3. Click the play button to run the program with the debugger attached.
  4. Right click the CPU window, and click Search For > All intermodular calls.
  5. Search for high interest DLLs. GETDLGITEMTEXT, will be for dialog boxes, which get called when you try to enter a software key. By stepping into the function with the debugger, we can examine the registration specifically. SENDDLGITEM could be used as well.
  6. Test to see which one works to break out of the activation loop by right clicking the DLL call and setting a breakpoint for all instances of that call.
  7. hacks-behind-cracking-part-1-bypass-software-registration.w654
  8. Resume the program and enter any software key you feel like. If the debugger breaks (pauses the program’s execution) after entering your key, then you know you found DLL in step 5.
  9. Press F8 back in the CPU window to force the next step until you get to the TEST EAX. EAX is the return of a value, which means that a check is being performed here. Upon examination, we can see that the EAX is checking for a number that is not equal to a null value. This means that if it is replaced with anything other than null, it will run.hacks-behind-cracking-part-1-bypass-software-registration.w654(1)
  10. Right-click the EAX and change it in hex value to 1, instead of 0.
  11. Resume the program again, and you will have successfully activated the program.hacks-behind-cracking-part-1-bypass-software-registration.w654(2)
  12. And for proof it was registered to me:
  13. hacks-behind-cracking-part-1-bypass-software-registration.w654(3)

This works because you are making the process jump from one register and skip the one that verifies the key entered. To exploit the key registration algorithm, keep an eye out for part two of this tutorial on making the key generator. Hooray for assembly!