Sunday, December 19, 2010
20 Linux server hardening tips
Here we go:
#1: Encrypt Data Communication
#2: Minimize Software to Minimize Vulnerability
#3: One Network Service Per System or VM Instance
#4: Keep Linux Kernel and Software Up to Date
#5: Use Linux Security Extensions
#6: User Accounts and Strong Password Policy
#7: Disable root Login
#8: Physical Server Security
#9: Disable Unwanted Services
#10: Delete X Windows
#11: Configure Iptables and TCPWrappers
#12: Linux Kernel /etc/sysctl.conf Hardening
#13: Separate Disk Partitions
#14: Turn Off IPv6
#15: Disable Unwanted SUID and SGID Binaries
#16: Use A Centralized Authentication Service
#17: Logging and Auditing
#18: Secure OpenSSH Server
#19: Install And Use Intrusion Detection System
#20: Protecting Files, Directories and Email
READ MORE : http://www.cyberciti.biz/tips/linux-security.html
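Tips #7, #12 and #18 come down to a handful of settings in sshd_config and /etc/sysctl.conf. The script below is an added example (not from the original post or from cyberciti.biz) that parses both file formats and reports every expected key that is missing or set to a non-hardened value. The expected values are the commonly recommended ones; the two sample configs are constructed for the demonstration.

```python
"""Audit sshd_config and /etc/sysctl.conf text against tips #7, #12 and #18
(disable root login, kernel sysctl hardening, secure OpenSSH).
Added example, not from the original post. Expected values are the commonly
recommended hardened settings; the sample configs below are constructed."""

# Real sshd_config keywords and the hardened value expected for each.
SSHD_EXPECTED = {
    "PermitRootLogin": "no",          # tip #7
    "PasswordAuthentication": "no",   # key-based logins only (tip #18)
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
}

# Real sysctl keys and the hardened value expected for each (tip #12).
SYSCTL_EXPECTED = {
    "net.ipv4.ip_forward": "0",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.tcp_syncookies": "1",
}


def parse_config(text, separator=None, lower_keys=False):
    """Parse 'key value' lines (sshd_config, separator=None) or
    'key = value' lines (sysctl.conf, separator='=').
    Comments and blank lines are skipped. For sshd_config the first
    occurrence of a keyword wins, which is how sshd itself resolves
    duplicates; for sysctl.conf the last occurrence wins."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if separator is not None:
            if separator not in line:
                continue
            key, value = (part.strip() for part in line.split(separator, 1))
        else:
            parts = line.split(None, 1)
            if len(parts) != 2:
                continue
            key, value = parts
        if lower_keys:
            key = key.lower()  # sshd keywords are case-insensitive
        if separator is None and key in result:
            continue
        result[key] = value
    return result


def audit(actual, expected, key_transform=lambda k: k):
    """Return a list of (key, actual_value, expected_value) for every expected
    key that is absent ('MISSING') or carries a non-hardened value."""
    findings = []
    for key, want in expected.items():
        have = actual.get(key_transform(key), "MISSING")
        if have.lower() != want.lower():
            findings.append((key, have, want))
    return findings


def audit_sshd(text):
    return audit(parse_config(text, lower_keys=True), SSHD_EXPECTED, str.lower)


def audit_sysctl(text):
    return audit(parse_config(text, separator="="), SYSCTL_EXPECTED)


# Constructed sample files: a freshly installed, not yet hardened server.
SAMPLE_SSHD = """
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
"""

SAMPLE_SYSCTL = """
# constructed sample /etc/sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
"""

if __name__ == "__main__":
    for name, findings in (("sshd_config", audit_sshd(SAMPLE_SSHD)),
                           ("sysctl.conf", audit_sysctl(SAMPLE_SYSCTL))):
        for key, have, want in findings:
            print(f"{name}: {key} is {have}, expected {want}")
```

The script audits file contents, not live state: sshd `Match` blocks and /etc/sysctl.d drop-ins are not handled, so compare against `sshd -T` and `sysctl -a` for the effective values before trusting a clean result.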
ATM Skimming and Fraud : Something to be aware of...
Saturday, December 11, 2010
"The new site, which will be found at openleaks.org, has "been underway for some time" and was founded by "several key figures" who once worked at WikiLeaks but have resigned in protest of its controversial founder, Julian Assange, according to the Swedish news website DN.se."
Sunday, November 14, 2010
Perl Script to Fetch PNR Status reservation on train from Indian Railway
Tuesday, October 12, 2010
PCI DSS for Database Professionals
- Place the database in an internal network zone, segregated from the DMZ. PCI requires that you place your database server on your internal network and that you deny attempts to directly access the database from untrusted networks. Additionally, you must use private IP addresses for the database server.
- Change vendor-supplied default passwords. You must ensure that your database uses strong passwords for all user accounts and that you change the passwords for any default accounts supplied by your database vendor.
- Encrypt all non-console administrative access. You’re required to use encryption technology (e.g. VPN, SSL, ssh) to encrypt any administrative connections to the database. This reduces the risk of an eavesdropper obtaining administrative credentials to the database.
- Keep cardholder data storage to a minimum. You should never store cardholder data that you no longer need. If you don’t need to store it, don’t. If you’re finished with it, purge it from your database. In all cases, you may never store data from the card’s magnetic stripe or the three digit security code on the back of the card.
- Encrypt card numbers that you do store. If your business requirements dictate that you store card numbers, you must encrypt them using a strong encryption algorithm. Furthermore, you must use sound key management practices to limit access to the encryption keys.
- Ensure that you patch your database regularly. A recent study revealed that many DBAs seldom, if ever, apply security patches. PCI requires that you apply security updates within one month of their release.
- Develop web applications securely. Granted, DBAs seldom have control over the code written by developers, but it's important that we act as security evangelists, educating developers about the risk posed by database attacks such as SQL injection.
- Practice secure user management. In addition to the controls you'd expect, such as requiring individual user accounts with strong passwords, you also need to manage database roles and rights in a fashion that limits access to those with a need to know.
- Log everything. PCI requires that you record the name of the user, type of event, timestamp, and other technical information about any individual user access to cardholder data, administrator actions and failed authentication attempts.
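The "keep storage to a minimum" and "never store stripe or security-code data" points above are easiest to enforce in the code path that writes transaction records. The following is an added example (not from the original article) that reduces a record to what may be stored: it validates the PAN with the Luhn check, truncates it to the first six and last four digits, derives a keyed HMAC token for lookups, and refuses to persist CVV or track-data fields outright. The field names, the demo key and the sample record (the widely published 4111 1111 1111 1111 test number) are constructed; in production the HMAC key would live in a key manager, and any full PAN you are required to keep would be encrypted under managed keys as the article says.

```python
"""Cardholder-data minimisation helpers. Added example, not from the original
article; field names, demo key and sample record are constructed."""
import hashlib
import hmac
import re

# Fields that must never reach persistent storage (PCI DSS sensitive
# authentication data). Assumed field names for this example.
FORBIDDEN_FIELDS = {"cvv", "cvv2", "cvc", "track1", "track2", "pin_block"}


def luhn_valid(pan):
    """Luhn (mod 10) check on a digit-only PAN of plausible length."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan):
    """Keep the first six and last four digits, the most PCI DSS permits to be
    displayed; the middle digits are replaced with asterisks."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def pan_token(pan, key):
    """Keyed HMAC-SHA256 of the PAN, usable for lookups (repeat-customer or
    velocity checks) without storing the PAN. The key must be kept in a key
    manager, not beside the data: an unkeyed hash would be brute-forceable
    because the PAN space is small."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def prepare_for_storage(record, key):
    """Return a copy of the transaction record that is safe to persist.
    Raises ValueError, rather than silently dropping fields, when forbidden
    data is present so that the upstream code path gets fixed."""
    present = FORBIDDEN_FIELDS & {name.lower() for name in record}
    if present:
        raise ValueError(f"refusing to store forbidden fields: {sorted(present)}")
    pan = re.sub(r"[\s-]", "", record["pan"])
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    stored = {name: value for name, value in record.items() if name != "pan"}
    stored["pan_truncated"] = truncate_pan(pan)
    stored["pan_token"] = pan_token(pan, key)
    return stored


# Constructed demo inputs. The PAN is the well-known Visa test number.
SAMPLE_KEY = b"constructed-demo-key-use-a-key-manager-in-production"
SAMPLE_RECORD = {"pan": "4111 1111 1111 1111", "amount": "19.99", "currency": "USD"}

if __name__ == "__main__":
    print(prepare_for_storage(SAMPLE_RECORD, SAMPLE_KEY))
    try:
        prepare_for_storage({"pan": "4111111111111111", "cvv": "123"}, SAMPLE_KEY)
    except ValueError as err:
        print("rejected:", err)
```

The token is a lookup aid, not a substitute for encryption: it lets you recognise a card again without holding the number, and if a full PAN genuinely has to be kept, that copy still needs strong encryption with keys that are managed separately from the database.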
Saturday, September 25, 2010
"Bom Sabado!" A new worm hits Google's Orkut
This weird worm appears to be similar to one that appeared in December 2007, and the people behind it are suspected to be the same: a Portuguese greeter worm.
Communities like "Somente você me COMPLETA!, O virus Que Contagia, ADA - Adoro Dormir Abraçado, Eu tenho um grande AMOR" and a few more random communities appear to be involved.
It greets you in the scrapbook with "Bom Sabado!", which translates to "Good Saturday", in contrast to the earlier one with “2008 vem ai… que ele comece mto bem para vc.”, which translates to “2008 is coming… I wish that it begins quite well for you”.
No external links are involved; just viewing the scrap spreads the worm. No cases of account compromise have been noticed yet; the worm looks to have only the intention of spamming with greetings.
Once the user views the scrap, the account gets infected and runs JavaScript that posts the scrap to everyone in the victim's contacts.
The JavaScript appears to come from TPTOOLS (http://tptools.org/).
Meanwhile the browser appears to freeze while the code executes in the background.
No official reports are out yet on the statistics and impact.
The best countermeasure is to avoid viewing the scrap, or to use the NoScript add-on or otherwise block scripts in the browser.
Sunday, September 19, 2010
Special investigation: It took just one hour for internet experts to find out almost every private detail of this woman's life
Steve Boggan challenged web experts to see how much they could discover about his partner. The results were chilling...
As I sit writing this, I am feeling vaguely grubby — guilty even — in the way a neurotic husband might after hiring a gumshoe to go trawling through his wife’s secrets.
There is a 15-page report in front of me chronicling virtually every aspect of my girlfriend’s life: past and present.
That includes her friends, education, embarrassing pictures, former boyfriends and long-forgotten relatives.
Much of the information is new to me. And the uses to which it could be put — uses I hadn’t dreamt of until this week — are chilling.
Armed with this information, criminals could use her identity to commit fraud or resurrect minute details of her past, her movements and friendships to lure her into scams or even dangerous liaisons.
It could be used to con her into revealing her bank details and credit card numbers.
Read more: http://www.mailonsunday.co.uk/news/article-1310965/Special-Investigation-It-took-just-hour-internet-experts-private-womans-life.html
Sunday, July 4, 2010
Setting up a Network Pentest and Web Pentest Lab by Security Aegis
Network Pentest Lab
Remember those good ole days in the sandbox? Where you threw stuff around learned where the sand goes and… doesn’t go? Well we’ve graduated from the sandbox, but our hearts and minds are still wired to play there. Maybe that’s why we love offsec, let’s get to the point though… We made a lab.
We wanted to address pentest labs. In this post in particular, Network pentest labs (webapp will be a separate post, challenge sites will be as well)
We used an existing set of hack challenge ISO’s, sandbox VM’s, vulnerable software, and vulnerable OS’s to create a 6 target lab that can be expanded upon.
Props to @_laz3r_ for the video and research he did for the project. No longer an intern, that didn’t last long did it? ;P
Pentest Labs: Web Application Edition
Over the last week, we busted out our red plastic shovel and our bucket shaped like a castle to dig a little bit deeper into our sandbox. Recently, we addressed the flexibility and overall necessity of a virtual lab for network pentesting, practice, and testing.
Today, we plan to expand upon that to encompass Web App. Our setup includes 7 target sites hosted on 4 VM’s. It’s important to note, that we only showcase the tip of the iceberg. The possibility of expansion is limited only by your imagination.
This lab takes substantially more prep and organization than our network lab did, as each target site has different requirements. We hosted most of our targets on XP Pro SP3 boxes, though many should work on Vista or maybe even Win7 RC.
Thursday, July 1, 2010
10 Everyday Items Hackers Are Targeting Right Now
And in the not-too-distant future, as the medical field makes advances with machine-to-human interfaces, even your own body and brain could be at risk.
Here are 10 everyday items that are open to fresh attacks from criminals.
10,000 XP machines attacked through 0-day flaw
Attacks on the Windows Help and Support Center Vulnerability (CVE-2010-1885)
We've been monitoring for active attacks on the Windows Help and Support Center vulnerability (CVE-2010-1885) since the advisory was released on June 10th. At first, we only saw legitimate researchers testing innocuous proof-of-concepts. Then, early on June 15th, the first real public exploits emerged. Those initial exploits were targeted and fairly limited. In the past week, however, attacks have picked up and are no longer limited to specific geographies or targets, and we would like to ensure that customers are aware of this broader distribution. If you have not yet considered the countermeasures listed in the Microsoft Security Advisory (2219475), you should consider them.
As of today, over 10,000 distinct computers have reported seeing this attack at least one time. Here are some details on the attacks we're seeing.
Geolocation
- The largest targets in terms of attack volume have been the United States, Russia, Portugal, Germany, and Brazil.
- A regional saturation rate, the number of attacked computers per a population of monitored systems (counted using a unique identifier), shows a slightly different picture. In this aspect, Portugal has seen a much higher concentration of attacks - more than ten times the world-wide average per computer. Russia is second at eight times the world-wide rate.
Tuesday, June 15, 2010
Turning XSS into Clickjacking
"That’s when I got to thinking… how can you use any old generic reflected XSS attack to mount a clickjacking attack? A few hours later I had a prototype that worked. Here’s how the attack would work. Let’s say a parameter like “search” was vulnerable to reflected XSS."
Fun with printers
"I don’t see a whole lot on the forums about owning printers during a pen test, so I figured I’d post some stuff here.
First, printers are often overlooked when it comes to securing a network. Why? Because all they’re supposed to do is print. You plug them in, install a driver, and so long as the end user can print, all is well in the world.
Thanks to this misconception, we can use network printers to gather boat loads of information, as well as bounce through them when port scanning, cause disruption, and, well, screw with people.
First, printers are PERFECT boxes to use when doing a bounce (aka, IPID, zombie, idle, etc.) scan. Example:
nmap -sS -p9100 10.0.0.* --open
..snip..
Nmap scan report for 10.0.0.23
Host is up (0.00055s latency).
PORT STATE SERVICE
9100/tcp open jetdirect
..snip..
Ok, so we know that .23 is a printer. Yay... let's see how much activity this thing is seeing at the moment..
hping3 10.0.0.23 -r -p 31337
HPING 10.0.0.23 (eth0 10.0.0.23): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=10.0.0.23 ttl=64 id=54757 sport=31337 flags=RA seq=0 win=0 rtt=0.6 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=1 win=0 rtt=0.9 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=2 win=0 rtt=0.7 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=3 win=0 rtt=0.7 ms
len=46 ip=10.0.0.23 ttl=64 id=+1 sport=31337 flags=RA seq=4 win=0 rtt=0.8 ms
Sweet... each IP ID is incremented by 1; this indicates that there’s no other traffic on this printer at the moment. We can use this to bounce through when doing a scan against the PDC...."
PART - II
"Ok, I’ll admit, the last post didn’t have a whole lot to do with printers, but it probably got you interested enough to read part 2.
First, let's find our network printers..
./jetpwn.pl eth0
Using range 10.0.0.1-255
Password for JetDirect running on 10.0.0.22
Hex password: 49 4e 54 45 52 57 45 42 5a
ASCII password: INTERWEBZ
Password for JetDirect running on 10.0.0.23
Hex password: 50 57 4e 5a
ASCII password: PWNZ
Not only did that find the network printers, it also grabbed and converted the password for us. "
Wednesday, June 9, 2010
Researchers use new exploit to bypass 100 percent of tested AV software
"matousec.com said the exploit is usable even if the account does not possess administrative privileges. Among the big names vulnerable according to the report are Symantec (Norton), McAfee, Kaspersky, NOD32, and ZoneAlarm.
All that's required, the researchers said, is for the security software to use System Service Descriptor Table (SSDT) hooks to modify parts of the OS kernel. The researchers have named the exploit KHOBE."
Man infects himself with computer virus
"The virus, infecting a chip implanted in Gasson's hand, passed into a laboratory computer. From there, the infection could have spread into other computer chips found in building access cards.
All this was intentional, in an experiment to see how simple radio-frequency identification (RFID) chips like those used for tracking animals can host and spread technological diseases.
The research from the British university shows that as implantable bionic devices such as pacemakers get more sophisticated in the years ahead, their security and the safety of the patients whose lives depend on them will become increasingly important, said Gasson."
Friday, March 5, 2010
Robbed in London : New email scam
Sent: Wednesday, March 03, 2010 11:15 PM
Subject: Sad News!!!
I'm writing this with tears in my eyes,my fam and I came down here to London,England for a short vacation unfortunately we were mugged at the park of the hotel where we stayed,all cash,credit card and cell were stolen off
us but luckily for us we still have our passports with us.
We've been to the embassy and the Police here but they're not helping issues at all and our flight leaves in less than 3hrs from now but we're having problems settling the hotel bills and the hotel manager won't let us leave until we settle the bills.
Monday, March 1, 2010
Nmap using TOR
Send gmail from command prompt
(Enter)
GET /index.php HTTP/1.1
host: www.your_website.com
(Enter)
(Enter)
Sunday, February 14, 2010
Nullcon Capture The Flag 2010 hacking competition : How did I crack it
Recently I had been to Nullcon, Goa, 2010 - International Hacking and Security Conference. Well, a lot to say. It was a great experience. My first hacking experience, unforgettable. Here are the details:
Goal : There was a server, we had to shut it down.
Hint: "Its there in the air"
Step 1: I found the wireless network they had configured for the challenge. The server was definitely inside that network. It was a WEP-encrypted network. I used aircrack-ng in BackTrack 4. The steps are explained here; a better explanation could be helpful. Still confused? Then watch this:
Step 2: Once I got the key and connected to the network, I started looking for the server. Here they had configured two networks: one with 192-series IPs, which I was connected to, and another with 172-series IPs, where the server was. They had also configured the firewall in the router so that no packets could reach the 172 network. So first the firewall had to be disabled, but root privilege was required to do so. So the task was to gain root access to the router, 192.68.1.1.
Fingerprinting with nmap (nmap -O ip) gave the firmware details of the router: it was DD-WRT firmware. I searched for existing vulnerabilities or exploits for that and found a cgi-bin vulnerability. It could be exploited from the command line or using Metasploit; I found Metasploit easier and faster. Once that succeeded, I had a root shell on the router.
Step 3: Now disable the firewall.
They had set up iptables rules to drop the packets. So here are the commands:
iptables -L -nv
It showed the configured rule to drop all the packets mentioned earlier.
Now,
iptables -P FORWARD ACCEPT
iptables -F FORWARD
It allowed the connections through. If you want to allow only traffic from your machine then,
iptables -I FORWARD -p all -d
Once this was done, I was able to reach the server, which was 172.16.1.2 (I guess).
Step 4: Now I could ping the server, and I had to get into it. So I did a port scan on that machine:
nmap -sS -PT 172.16.1.2 (requires root privilege)
Port 445 was open: SMB over TCP. An exploit was already available in Metasploit, so I just ran that and BINGO... I got a command prompt on the server.
Step 5: Shut down the server. Since I was already inside the server, the only thing required was to run the following:
SHUTDOWN -s -t 01
And I was done...
Monday, January 25, 2010
Spoof Mac in Mac
A MAC address is a unique identifier assigned to your network card, and some networks implement MAC address filtering as a method of security. Spoofing a MAC address can be desired for multiple reasons, and it is very easy to spoof your MAC address in both Mac OS X 10.4 and 10.5. For the purpose of this article, we are going to assume you want to spoof your Mac’s wireless MAC address. So without further ado, here’s a 3 step process on how to do it:
Retrieving your current MAC address
First, you’re going to want your current wireless MAC address so you can set it back without rebooting. Launch the Terminal and type the following command:
ifconfig en1 | grep ether
You’ll now see something like:
ether 00:12:cb:c6:24:e2
And the values after ‘ether’ makeup your current MAC address. Write this down somewhere so you don’t forget it. If you do, it’s not the end of the world, you’ll just have to reboot to reset it from a change.
Spoofing a MAC address
To spoof your MAC address, you simply set that value returned from ifconfig to another hex value in the format of aa:bb:cc:dd:ee:ff
For this example, we will set our wireless MAC address to 00:e2:e3:e4:e5:e6 by issuing the following command:
sudo ifconfig en1 ether 00:e2:e3:e4:e5:e6
The sudo command will require that you enter your root password to make the change.
Verifying the Spoofed MAC address worked
If you want to check that the spoof worked, type the same command as earlier:
ifconfig en1 | grep ether
Now you will see:
ether 00:e2:e3:e4:e5:e6
Meaning your MAC address is now the value you set it to. If you want to further verify the spoof, simply login to your wireless router and look at the ‘available devices’ (or attached devices) list, and your spoofed MAC address will be part of that list.
If you want to set your MAC address back to its real value, simply issue the above ifconfig commands with the MAC address that you retrieved in step 1. You can also reboot your Mac.
Enjoy!
Note: Reader Dee Brown points out the following, which may help some users having difficulties: “running 10.5.6 you need to do the trick to disassociate from the network. ****DO NOT TURN AIRPORT OFF****. What you will have to do is click your airport and click join network and enter some bogus name as the network ssid. Then while it’s trying to connect click cancel. At this point you may spoof using the sudo ifconfig en1 ether command”
Other readers point out that Dee Brown’s trick works in 10.5.7 and above too. Thanks Dee!
Update: If you’re still having problems with MAC address spoofing in Leopard or Snow Leopard, the above method still works but try disassociating with any wireless network BUT keep your wireless Airport on (as mentioned above) – an easy way to do this is to type the following in the command line:
airport -z
Note that you have to have the ‘airport’ command setup to work for users, you can do that by copy and pasting this command into the Mac Terminal:
sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport
Once disassociated from the network you should be able to spoof your MAC address as usual
[Copied from http://osxdaily.com/2008/01/17/how-to-spoof-your-mac-address-in-mac-os-x/]
Wednesday, January 13, 2010
Invisible Nmap
sudo nmap -n -sS -f -A -T1 -S fake_ip -e interface_to_use -D fake_ip1,fake_ip2,fake_ip3,ME -vvv ip_to_scan -P0
sudo: you have to have root permission to run it (raw-socket scans need it).
-n: do not resolve hostnames; show the IPs only.
-sS: stealth (half-open) SYN scan. Supposed to be less noisy.
-f: fragment the packets before sending them to ip_to_scan. Reduces the chance of getting detected, though newer IDS/IPS can still catch it (as per the information I got).
-A: do OS and version detection, script scanning, and traceroute.
-T1: timing template; the range is T0 (slowest) to T5 (fastest), the speed of execution. Slower packet sending increases your anonymity.
-S fake_ip: use fake_ip as the source address of the packets.
-e interface_to_use: since the source address is spoofed by the previous option, you have to name the network interface to send/receive packets on.
-D fake_ip1,...,ME: decoy option. Use all the listed fake IPs and ME, i.e. my IP, as sources of the packets sent (the list is comma-separated with no spaces). More invisibility.
-vvv: very very verbose mode. Explains the output more elaborately.
ip_to_scan: IP/network to scan.
-P0: do not ping, do only the scan. Saves time and finds more machines.
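Seen from the other side, the options above leave distinct traces: a SYN scan is a burst of bare SYNs to many ports from one source, and the -D decoys show up as several sources probing exactly the same port list at the same time. The script below is an added example (not from the original post) that runs that detection over iptables LOG output; the log lines are constructed in the RFC 5737 documentation address ranges, the field layout follows the kernel's LOG target, and the thresholds are assumptions to tune per network.

```python
"""Detect SYN scans, including decoy (nmap -D) scans, in iptables LOG lines.
Added example, not from the original post. Sample log lines are constructed;
min_ports and window_seconds are assumed thresholds."""
import re
from collections import defaultdict
from datetime import datetime

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TIME_RE = re.compile(r"^(\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return (timestamp, fields, flags) for a TCP LOG line, else None.
    Flags are the bare tokens the LOG target prints after PROTO=TCP."""
    match = TIME_RE.match(line)
    if not match or "PROTO=TCP" not in line:
        return None
    ts = datetime.strptime(match.group(1), "%b %d %H:%M:%S")
    fields = dict(FIELD_RE.findall(line))
    tail = line.split("PROTO=TCP", 1)[1]
    flags = {tok for tok in tail.split() if tok in TCP_FLAGS}
    return ts, fields, flags


def detect_syn_scans(lines, min_ports=5, window_seconds=60):
    """Sources that send bare SYNs to at least min_ports distinct destination
    ports within window_seconds. Returns {src: sorted list of ports probed}."""
    events = defaultdict(list)  # src -> [(timestamp, dst port)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, fields, flags = parsed
        if flags == {"SYN"} and "DPT" in fields:
            events[fields["SRC"]].append((ts, int(fields["DPT"])))
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            in_window = {p for t, p in evs[i:] if (t - start).total_seconds() <= window_seconds}
            if len(in_window) >= min_ports:
                scanners[src] = sorted({p for _, p in evs})
                break
    return scanners


def group_decoys(scanners):
    """Group scanning sources that probed exactly the same port set. A decoy
    scan produces several such sources, only one of which is real, so the
    whole group is blocked or investigated rather than any single address."""
    by_ports = defaultdict(list)
    for src, ports in scanners.items():
        by_ports[tuple(ports)].append(src)
    return [sorted(srcs) for srcs in by_ports.values() if len(srcs) > 1]


def _log(ts, src, dst, dpt, flags="SYN", spt=40000):
    """Build one constructed line in the kernel LOG target's layout."""
    return (f"Jan 13 {ts} gw kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=44 "
            f"TOS=0x00 PREC=0x00 TTL=49 ID=1 PROTO=TCP SPT={spt} DPT={dpt} "
            f"WINDOW=1024 RES=0x00 {flags} URGP=0")


SCAN_PORTS = [21, 22, 23, 25, 80, 110, 443, 445]
DECOY_SOURCES = ["203.0.113.5", "203.0.113.9", "203.0.113.17"]


def build_sample_log():
    """Constructed sample: three decoy sources sweep eight ports within seven
    seconds, then one benign client opens a few HTTPS connections."""
    lines = []
    for i, port in enumerate(SCAN_PORTS):
        for src in DECOY_SOURCES:
            lines.append(_log(f"10:00:{i:02d}", src, "198.51.100.10", port))
    for i in range(3):
        lines.append(_log(f"10:01:{i:02d}", "192.0.2.7", "198.51.100.10", 443, spt=50000 + i))
    lines.append(_log("10:01:05", "192.0.2.7", "198.51.100.10", 443, flags="ACK", spt=50000))
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    found = detect_syn_scans(SAMPLE_LOG)
    for src, ports in found.items():
        print(f"SYN scan from {src}: ports {ports}")
    for group in group_decoys(found):
        print("identical port set, likely decoy group:", group)
```

Two caveats follow directly from the options explained above: -T1 spreads the probes out, so a 60-second window will miss a slow scan and the window has to grow with the scan's timing, and -S spoofs the source, so the address you log is not necessarily the scanner's. Fragmentation (-f) only defeats inspection that does not reassemble; Netfilter with connection tracking reassembles fragments before the rules see the packet.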