Everything posted by Nytro
-
[h=1]Devices freeze and astronauts have strange sensations: what is the "space Bermuda Triangle" that produces these odd phenomena?[/h] Some spacecraft, such as the Hubble Space Telescope, were designed so that the delicate instruments on board shut down while passing through the zone, to avoid damaging them. Some failures of the satellites in the Globalstar network are also attributed to the satellites passing through this region. The strong radiation in this region is also believed to be the cause of the phosphenes (a kind of sparks or "shooting stars" that appear in the field of vision) reported by astronauts. Link: Aparatele se blochează, iar astronauții au senzații stranii: ce este „Triunghiul Bermudelor spațial”, care produce aceste fenomene ciudate?
-
Yes, there's not much you can do about it. The Desktop version is "safe" too. Here are a few details: https://rstforums.com/forum/85016-windows-7-security-features.rst
A few ideas:
- on the Desktop there are hardly any limits on what a program can do (though it wouldn't be a bad idea to implement something like that)
- on the Desktop you have much more flexibility in developing applications, from exe to bat files and X programming languages
- if we consider the "Desktop" version not "safe", then Linux isn't "safe" either, because just like on Windows a malicious application is very easy to make, from executables to "rm -rf"s
Windows Phone came later, but it had time to learn and not make the same mistakes as Android and iOS.
-
how to hack a windows phone

In today's how-to we will be discussing how to hack a Windows Phone 8. Every hacker should know about the internals of a device and operating system before he attempts to compromise it. So let's try to understand the underlying hardware and OS security before we try to break it. To begin, we will try to compromise the hardware so that we can gain access to it, then exploit the OS and ultimately take control of it, or at least steal data from it.

Windows Phone employs UEFI firmware at the very lowest level. In addition to that, every piece of hardware which runs the Windows Phone 8 OS has to be certified by Microsoft. Now when we say certified, it also means that all the hardware has to be signed and the chips will be burned with keys from Microsoft. The "Trusted Boot Chain" component will make sure that all the signatures are in place and valid before and during the boot process. Every program written into the silicon has to be signed, including the BIOS, drivers etc. On top of this, a Windows Phone 8 device will also come with a TPM chip, which means your encrypted data is as safe as on your Windows 7 & 8 PC.

Let's see what options we have to break the security of the device.

Hardware
Now that we know all the components / programs are verified for their signature by the "Trusted Boot Chain", why don't we try to spoof the boot chain program itself with our own? If we are able to do that, then we could easily make the device load our own components instead of the Windows Phone OS, exploiting it completely naked. Though at first look it appears to be a very good idea, unfortunately all the hardware chips, whether they can be overwritten or not, come with something called an efuse. The moment you try to write something into these chips without a valid signature, which only Microsoft and the device manufacturer have, the efuse will trip. Once the efuse trips, the boot loader will not be able to boot up your device. Congratulations! Now you have a phone which is officially no better than a brick. For a moment, even if we assume that you somehow fooled the efuse, the device still won't boot up, just because you don't have a valid key.

Operating System
Windows NT kernel it is. The Redmond guys have made sure that it's sturdy enough. The Windows NT kernel along with "Code Signing" makes a killer shield that you will not be able to penetrate. If you think you can get control of the kernel using some code, wait till you read the "Malicious Code" section. For now let's think about Windows Phone updates. Windows Phone does regular updates just like your PC, so what if we can trick the Windows Phone into installing my program? Unfortunately the Windows Phone is programmed to get updates only from the Microsoft update servers and from no other place. Still, it's no big deal because I can always trick my network into believing some malicious hardware / software is the update server. Sadly, the update will again need to pass the code signing process. You can never break through it unless you are hacking into the Microsoft update server; definitely not a great plan.

Storage
How about the internal storage itself? Why don't we break the phone, take out the internal storage and maybe at least try to steal the data? But wait, the storage again uses 128-bit BitLocker for encryption. The drive remains encrypted until the boot loader performs its job completely. The TPM chip which comes with the hardware is the one which manages the key for the encryption, which means that once the disk is outside the hardware, you will need the 128-bit recovery key to break into the data. The storage behaves the same way as your BitLocker-protected hard drive. Brute-forcing an encryption key is a very well known procedure to break encryption, however it's impossible when it comes to 128-bit encryption. So to understand the scale of the complexity, let's assume that you have 10 million computers where every computer can process 100 billion keys per second (higher than 100 GHz), and if you put them all together to crack the key, it will take 10^13 years to find the key, which is longer than the age of the universe itself. If you are thinking of trying the PIN instead, you can always configure your phone to automatically wipe after a number of incorrect tries. Some people try to snoop the data from the disk after it is wiped because it is easier that way, since it won't have any encryption constraints. Luckily for the user, Windows Phone never decrypts the data but wipes the encrypted data along with the key. You can be pretty sure that not even the NSA can retrieve them.

Malicious Code
We have now almost come to the last and most favorite resort of a hacker. Most hackers disassemble the system instructions and try to inject or alter the commands in a memory location. However, the app model under which Windows Phone functions is always a sandbox, which means the app will have its own area where it can execute, store data and perform actions. Windows Phone, with the advantage of Code Signing, will sign the apps based on the feature set they are allowed to access. E.g. if a program does not have a valid signature to access the Camera, it won't be able to. This is true for any feature or hardware access in the device. So even if for a moment we assume that you are able to write something into a system memory location of the phone, the "Code Signing" will invalidate the program and unload it immediately. Starting from the phone to your protected mail message, everything is safe in Windows Phone 8.

More information on the security of Windows Phone can be found at http://www.windowsphone.com/en-US/business/security-us This how-to is written based on Windows Phone 8. Actual functionality might differ from device to device. Some features may not be available with pre-Windows Phone 8.
Source: how to hack a windows phone | how to windows phone
-
MorXAntiRE Anti reverse code engineering and dynamic analysis tool
It's just a collection of anti-debug methods. If it's used in a project, the person doing the reverse engineering has to get around all the methods in order to reverse engineer in peace. -
Thursday, May 22, 2014
Exploring limits of covert data collection on Android: apps can take photos with your phone without you knowing.

SHORT VERSION: Android apps can take photos with your phone in the background without displaying any notification, and you won't see the app on the list of installed applications. The app can send the photos over the internet to their private server. You can also find a video with a demo in this post.

Introduction
I discovered this almost by accident while doing a team project for a Computer and Network Security course at my university. The project, suggested by a colleague of mine (Predrag Gruevski), was mostly about using cameras on PCs without turning on the indicator light. There were already promising findings in this field (the iSeeYou paper discussed doing so on old Mac models). Since the project was relatively general, each member of our team took a different approach. I initially started with low-level USB hacking, but despite genuine efforts I found nothing really interesting. Further experiments seemed really boring to me, because they in general involved trying various different cameras and hours of staring at the LED light hoping the camera light won't blink. I switched my focus to Android. Initial research was promising. There are many apps on the Play Store (if you are an iPhone user, think App Store) that aim at taking pictures without any visual indication (ACLU-NJ Police Tape, Mobile Hidden Camera and more) but from what I found all of them require the app activity to be visible and the phone screen to be on. Some of them manage to record video without a visible preview.

Technical Details
What I wanted is to take pictures without the user knowing, but at any time, not only when the app is on. I started googling and the first thing that I found is that using the Camera technically requires a preview to be displayed on screen in order to take video, but background services do not have an associated visible activity. But let's not get discouraged and keep trying. I wrote a small camera app for my Nexus 5. My first approach was to create a View object that is not attached to any activity and feed the preview to that object. That fails (I literally get a "take picture failed" exception). Then I remembered something that later turned out to be very relevant: Facebook Messenger draws to the UI even when the app is not technically running. This turned out to be indeed the right track. I attached the preview to the screen from the background service and indeed I was able to take a photo! This is not yet ideal: the preview is visible on the screen, and the user can clearly see that something is going on. But then I tried to remove it. Here's a list of approaches:
- Make preview invisible - failed: Android just ignores this setting for the preview
- Make preview transparent - failed: Android just ignores this setting for the preview
- Cover preview by another view - partially failed: the view on top is still obstructing the screen
- Make preview 1x1 pixel - successful
The result was amazing and scary at the same time: the pixel is virtually impossible to spot on the Nexus 5 screen (even when you know where to look)! Also it turned out that even if you turn the screen completely off, you can still take photos, as long as the pixel is still there.

Demo
If you cannot see this video, here's a direct link:

How can you protect yourself from malicious apps?
If you are as disturbed by this find as I am, you will start asking what we can do to avoid such situations. The bad news is that it's kind of a cat and mouse game: no matter how hard you try, attackers can find more ways to obfuscate malicious activity. The good news is there are some ways that seem (at least given my current knowledge) hard to circumvent:
- Pay attention to permissions (for example, does Simple Notepad* really need access to your camera?)
- Keep your Google Account secure: if somebody can access your Google account they can install apps on your phone remotely without you approving it! Set up two-step verification. Change your password from time to time. Set up a secure password.
- Uninstall unused apps. High battery consumption (settings -> battery) and high bandwidth (settings -> data usage) are potential culprits.
- Look at the background services that are running (settings -> apps -> running): does Simple Notepad* really require a background service?
- Swiping an app out of the application list does not switch off background services (if you want to completely switch it off, go to App Info (long press the app icon inside the menu and drag it to the App Info section) and click Force stop; this ensures no background services are running).
*Simple Notepad is a made up example; I am not referring to any app in particular.

(hopefully constructive) criticism of Android design decisions
Let me start with the fact that I really like the Android SDK (maybe except the fact that it's Java, but I understand the logic behind that decision). It's nice because it gives a developer a lot of power. There are just some things that are possible on Android that simply would not be possible on other platforms. However, given the fact that privacy is recently more and more of a growing concern, it would be nice to adjust accordingly. In my opinion privacy can be achieved by transparency without sacrificing comfort. I could imagine use cases where I want an app to take photos from a background service. But I think it's inexcusable that the user is not notified about this fact. Android has a very nice notification bar. Users are very used to it. Why not make use of it here? The same goes for sound recording, location recording etc. Another thing I think the Android team should look into is modern security research. There are lots of ways of using data without direct access. A very simple example would be that you can send emails to users without learning their email address, with Google acting as an intermediary. All of those suggestions can be summarized in one sentence: please put more effort into ensuring users' privacy.
Szymon Sidor at 1:48 AM
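As an added example that is not part of the post above: a small audit in the spirit of the "pay attention to permissions" advice. It reads the text of `adb shell dumpsys package` and flags every package that requests both CAMERA and INTERNET, the two permissions the background-photo-plus-upload scenario needs. The dumpsys sample embedded in the script is constructed for this example; the package names are made up and only the lines the parser reads are included.

```python
"""Flag installed Android packages whose requested permissions allow the
covert-photo scenario: camera access plus a network path to send the pictures.

Input is the text of `adb shell dumpsys package` (one block per package).
The sample below is constructed; only the lines the parser needs are present.
"""
import re
from typing import Dict, List, Set

# Constructed sample of dumpsys output (field names as printed by Android's
# PackageManagerService; packages and values are made up).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.simplenotepad] (a1b2c3):
    userId=10087
    versionName=1.3
    requested permissions:
      android.permission.CAMERA
      android.permission.INTERNET
      android.permission.WAKE_LOCK
    install permissions:
      android.permission.CAMERA: granted=true
      android.permission.INTERNET: granted=true
  Package [com.example.flashlight] (d4e5f6):
    userId=10088
    requested permissions:
      android.permission.FLASHLIGHT
  Package [com.example.cloudcam] (0a0b0c):
    userId=10089
    requested permissions:
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.INTERNET
"""

PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s+(android\.permission\.[A-Z_]+)\s*$")


def parse_requested_permissions(dump: str) -> Dict[str, Set[str]]:
    """Map package name -> permissions listed under 'requested permissions:'."""
    result: Dict[str, Set[str]] = {}
    current = None
    in_requested = False
    for line in dump.splitlines():
        m = PACKAGE_RE.match(line)
        if m:                                   # new package block starts
            current = m.group(1)
            result[current] = set()
            in_requested = False
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_requested = True
            continue
        if stripped.endswith(":"):              # any other section header ends the list
            in_requested = False
            continue
        if in_requested:
            pm = PERM_RE.match(line)
            if pm:
                result[current].add(pm.group(1))
    return result


def flag_covert_camera_candidates(dump: str,
                                  required=("android.permission.CAMERA",
                                            "android.permission.INTERNET")) -> List[str]:
    """Packages that request every permission in `required`, sorted by name."""
    needed = set(required)
    perms = parse_requested_permissions(dump)
    return sorted(pkg for pkg, ps in perms.items() if needed <= ps)


if __name__ == "__main__":
    import subprocess
    import sys
    # With a device attached, run with --adb to audit the live package list.
    if len(sys.argv) > 1 and sys.argv[1] == "--adb":
        dump = subprocess.run(["adb", "shell", "dumpsys", "package"],
                              capture_output=True, text=True, check=True).stdout
    else:
        dump = SAMPLE_DUMPSYS
    for pkg in flag_covert_camera_candidates(dump):
        print("review:", pkg)
```

Requesting a permission is not the same as abusing it, so the output is a review list, not a verdict; the next step on a flagged package is the "running services" check from the list above.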
-
Bypassing SSL Pinning on Android via Reverse Engineering
Denis Andzakovic – Security-Assessment.com
15 May 2014
Table of Contents
- Introduction
- Tools Used
- The Victim
- The Approach
- Reversing
  - Retrieving and Disassembling the APK
  - Patching
    - Patch at class instantiation
    - Patch the Class
    - Hijacking the Keystore
  - Repacking and Running
- Tricks
  - Information in Stack Traces
  - Decompiling into Java Code
- References
Download: http://www.exploit-db.com/wp-content/themes/exploit/docs/33430.pdf
-
Linux x86 Reverse Engineering: Shellcode Disassembling and XOR decryption
Harsh N. Daftary, Sr. Security Researcher at CSPF, Security Consultant at Trunkoz Technologies, info@securityLabs.in
Abstract: Most Windows as well as Linux based programs contain bugs or security holes and/or errors. These bugs or errors in a program can be exploited in order to crash the program or make the system do unwanted stuff. A code which crashes the given program is called an exploit. Exploits usually attack a program through Memory Corruption, Segmentation Dump, format string, Buffer overflow or something else. Now the exploit's work is just to attack the bug, but there is another piece of code attached to the exploit, called shellcode, whose debugging and analysis we will understand in this paper.
Download: http://www.exploit-db.com/wp-content/themes/exploit/docs/33429.pdf
-
SpiderFoot 2.1.4 released
From: Steve Micallef <steve () binarypool com>
Date: Mon, 28 Apr 2014 10:34:40 +0200

Hi all,

SpiderFoot 2.1.4 is now available, and will be the last enhancement release on the 2.1 branch as I focus on 2.2. SpiderFoot is an open source footprinting and intelligence gathering tool, written in Python, and runs on Linux, *BSD and Windows. Since 2.1.0 was announced here in January, the following enhancements have been implemented:
- Integration with: SHODAN, VirusTotal, AlienVault IP Reputation DB, projecthoneypot.org, nothink.org, autoshun.org, isc.sans.edu, openbl.org, SORBS and a bunch more...
- PasteBin searching
- Zone-H.org defacement look-up
- TOR exit node check
- Whole bunch of DNS-based functionality
- Extracts meta data from PDF, DOCX, PPTX and XLSX files
- Identifies human names in content
- Finds associated Facebook, Google+ and LinkedIn profiles
- SOCKS proxy support
- Real-time scan status UI
- Bug fixes and smaller miscellaneous enhancements

Website: SpiderFoot - The Open Source Footprinting tool
GitHub: https://github.com/smicallef/spiderfoot
Twitter: https://twitter.com/binarypool

Feel free to mail me any questions, enhancement requests or general feedback.

Thanks,
Steve
Source: Penetration Testing: SpiderFoot 2.1.4 released
-
From: rage <ragesploit () 0xrage com>
Date: Wed, 21 May 2014 23:13:20 -0400

I've written and released a packer/crypter called rcrypt that might be fun for some of you to play around with. The latest public version is 1.4, although there is a functional 1.5 non-public version currently in progress. The general summary is as follows: rcrypt is a Windows PE binary crypter (a type of packer) that makes use of timelock techniques to cause a delay in execution. This delay can cause analysis to fail on time-constrained systems such as on-disk scanners. rcrypt can pack exes and dll files. It bypasses KAV and many others. I'm always interested in feedback and suggestions/criticisms. There are many other features and functions as well!
Released on my site: rcrypt v1.4 released | 0xrage
Writeup also available: rcrypt packer writeup | 0xrage
enjoy!
- rage
Source: Full Disclosure: rcrypt packer/crypter writeup and POC tool
-
From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Wed, 21 May 2014 11:57:31 -0700

Apparently I'm being lured into pointless discussions today, so here's another.

As I'm sure everyone is aware, Microsoft introduced basic NULL page mitigations for Windows 8 (both x86 and x64), and even backported the mitigation to Vista+ (on x64 only). There are some weaknesses, but this is a topic for another time.

Interestingly, on Windows 8 x86, there is an intentional exception: if an Administrator has installed the 16bit subsystem, the mitigation is worthless because you can run your exploit in the context of NTVDM (simply use the technique I documented in CVE-2010-0232 Windows NT - User Mode to Ring 0 Escalation Vulnerability). An Administrator can do this either on-demand by running a 16bit program, e.g.

C:\> debug

Or using fondue to install it manually:

C:\> fondue /enable-feature:ntvdm /hide-ux:all

Let's look at an example of a NULL dereference. It's obvious from the code that win32k!GreSetPaletteEntries doesn't validate that the MDCOBJA call succeeds in the HDC list traversal, resulting in a very clean NULL dereference.

.text:001EAF49 lea esi, [ebp+var_2C] ; out pointer
.text:001EAF4C call ??0MDCOBJA@@QAE@PAUHDC__@@@Z ; MDCOBJA::MDCOBJA(HDC__ *)
.text:001EAF51 push 1
.text:001EAF53 mov edx, edi
.text:001EAF55 call _GreGetObjectOwner@8 ; GreGetObjectOwner(x,x)
.text:001EAF5A mov esi, eax
.text:001EAF5C call ds:__imp__PsGetCurrentProcessId@0 ; PsGetCurrentProcessId()
.text:001EAF62 and eax, 0FFFFFFFCh
.text:001EAF65 cmp esi, eax
.text:001EAF67 jnz short loc_1EAFBA
.text:001EAF69 and [ebp+ms_exc.registration.TryLevel], 0
.text:001EAF6D mov eax, [ebp+var_2C] ; load pointer
.text:001EAF70 mov ecx, [eax+38h] ; NULL dereference
.text:001EAF73 mov eax, [ecx+4]

Callers like GreIsRendering, GreSetDCOrg, GreGetBounds, etc, etc check correctly for comparison. This better code is from win32k!GreSetDCOrg:

.text:00213DA2 lea esi, [ebp+var_C] ; out pointer
.text:00213DA5 xor ebx, ebx
.text:00213DA7 call ??0MDCOBJA@@QAE@PAUHDC__@@@Z ; MDCOBJA::MDCOBJA(HDC__ *)
.text:00213DAC mov edi, [ebp+var_C] ; load result
.text:00213DAF test edi, edi ; check for NULL
.text:00213DB1 jz short loc_213E15 ; error

This bug can be triggered with typical resource exhaustion patterns (see my exploit for CVE-2013-3660 for reference: Windows NT - Windows 8 EPATHOBJ Local Ring 0 Exploit). However, I have also stumbled onto a Windows 8 specific technique that does not require resource exhaustion, using the (undocumented) Xferable object flag. See the attached code (the testcase is Windows 8+ on x86 specific, although the bug affects other versions and platforms).

This seems exploitable on 32bit systems prior to Windows 8, but on Windows 8 it's only exploitable (ignoring mitigation failures) with NTVDM configured. It's my understanding that Microsoft no longer consider this a supported configuration, and are only interested in fixing NULL page mitigation bypasses. I'm not convinced this is a reasonable stance, what do other people think?

Tavis.

P.S. I think linux introduced its mmap_min_addr mitigation to stable around 2007? Seven years lag, I guess that's the power of the SDL ;-)

--
taviso () cmpxchg8b com | pgp encrypted mail preferred

Attachment: SetPalette.c
Source: Full Disclosure: NULL page mitigations on Windows 8 x86
-
Manual Unpacking of UPX using OllyDbg

Introduction
In this tutorial, you will learn how to unpack any UPX packed executable file using OllyDbg. UPX is a free, portable executable packer for several different executable formats. It achieves an excellent compression ratio and offers very fast decompression. Here we will do live debugging using OllyDbg to fully unpack and produce the original executable file from the packed file.

Packing EXE using UPX
To start with, we need to pack a sample EXE file with UPX. First you need to download the latest UPX packer from the UPX website and then use the following command to pack your sample EXE file.

upx -9 c:\sample.exe

If you already have a UPX packed binary file then proceed further. In such a case, make sure to use PEiD or 'RDG Packer Detector' to confirm that it is packed with UPX, as shown in the screenshot below.

UPX Unpacking Process
Before we begin with the unpacking exercise, let's try to understand the working of UPX. When you pack any executable with UPX, all existing sections (text, data, rsrc etc.) are compressed. Each of these sections is named UPX0, UPX1 etc. Then it adds a new code section at the end of the file which will actually decompress all the packed sections at execution time. Here is what happens during the execution of a UPX packed EXE file:
1. Execution starts from the new OEP (from the newly added code section at the end of the file)
2. First it saves the current register state using the PUSHAD instruction
3. All the packed sections are unpacked in memory
4. The import table of the original executable file is resolved
5. The original register state is restored using the POPAD instruction
6. Finally it jumps to the original entry point to begin the actual execution

Manual Unpacking of UPX
Here are the standard steps involved in any unpacking operation:
1. Debug the EXE to find the real OEP (Original Entry Point)
2. At the OEP, dump the fully unpacked program to disk
3. Fix the import table
Based on the type and complexity of the packer, the unpacking operation may vary in terms of time and difficulty. UPX is the basic packer and serves as a great example for anyone who wants to learn unpacking. Here we will use OllyDbg to debug & unpack the UPX packed EXE file. Although you can use any debugger, OllyDbg is one of the best ring 3 debuggers for reverse engineering with its useful plugins. Here is a screenshot of OllyDbg in action.

Let's start the unpacking operation:
1. Load the UPX packed EXE file into OllyDbg.
2. Start tracing the EXE until you encounter a PUSHAD instruction. Usually this is the first instruction, or it will be present after the first few instructions, depending on the UPX version.
3. When you reach the PUSHAD instruction, put a hardware breakpoint (type 'hr esp-4' at the command bar) so as to stop at the POPAD instruction. This will help us to stop the execution when the POPAD instruction is executed later on. The other way is to manually search for the POPAD (opcode 61) instruction and then set a breakpoint on it.
4. Once you set up the breakpoint, continue the execution (press F9). Shortly, it will break on the instruction immediately after POPAD, or on the POPAD instruction itself, depending on the method you have chosen.
5. Now start step-by-step tracing with F7 and soon you will encounter a JMP instruction which will take us to the actual OEP in the original program.
6. When you reach the OEP, dump the whole program using the OllyDump plugin (use default settings). It will automatically fix the import table as well.
That is it, you have just unpacked UPX!

Fixing Import Table
In the current example, the OllyDump plugin will take care of fixing the import table. However, for most packers we need to use an advanced tool called ImpREC (Import Reconstructor). ImpREC is a highly advanced tool used for fixing the import table. It provides multiple methods to trace the API functions as well as allowing custom plugins to be written.
For interested users, here are simple instructions on how to fix the import table using ImpREC:
1. When you are at the OEP of the program, just dump the memory image of the binary file using OllyDump WITHOUT asking it to fix the import table.
2. Now launch the ImpREC tool and select the process that you are currently debugging.
3. Then in ImpREC, enter the actual OEP (enter only the RVA, not a complete address).
4. Next click on the 'IAT Autosearch' button to automatically search for the import table.
5. Now click on 'Get Imports' to retrieve all the imported functions. You will see all the import functions listed under their respective DLL names.
6. If you find any import function which is invalid (marked as VALID: NO) then remove it by right clicking on it and then, from the popup menu, clicking on 'Delete Thunks'.
7. Once all the import functions are identified, click on the "Fix Dump" button in ImpREC and then select the previously dumped file from OllyDbg.
8. Now run the final fixed executable to see if everything is alright.
For advanced packers, you may have to use different methods in ImpREC and sometimes need to write your own custom plugin to resolve the import table functions. For more interesting details refer to our PESpin ImpREC plugin.

Video Demonstration
This video demonstration uses a slightly different way to put a hardware breakpoint than described in the article. Also it uses ImpREC to fix the import table, which is useful while unpacking advanced packers. Here are the steps shown in the video:
1. Load your EXE in OllyDbg
2. Step over (shortcut F8) the PUSHAD instruction
3. Next go to ESP (right click and Follow in Dump window)
4. Put a hardware read breakpoint (access) on the first dword at ESP. (This is similar to 'hr esp-4' at the PUSHAD instruction as described earlier)
5. Now run the EXE until we hit the breakpoint (shortcut F9). It will break right after the POPAD instruction.
6. You will see a JMP instruction a few lines below the current instruction. Put a breakpoint on the JMP
7. Run the EXE again until it stops at the JMP instruction (shortcut F9)
8. Step over the JMP (shortcut F8)
9. Now we are at the OEP. Here just dump the process using OllyDump without fixing the import table.
10. Here we will use ImpREC to fix the import table as mentioned in the 'Fixing Import Table' section.
11. Finally, after fixing the import table, run the new unpacked EXE to make sure it is perfect!

References
UPX: Ultimate Packer for Executables.
OllyDbg: Popular Ring 3 Debugger.
ImpREC: Import Table Reconstruction Tool
PESpin Plugin for ImpREC
RDG Packer Detector
PEiD Packer Detector
Source: Manual Unpacking of UPX Packed Binary File - www.SecurityXploded.com
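Added example, not part of the tutorial above: the check that PEiD or RDG Packer Detector perform before you start the manual unpacking, done by hand on the PE section table. Two traits of a UPX'd file are used: sections named UPX0/UPX1, and, in case the sections were renamed, a first section that occupies virtual space but has SizeOfRawData == 0 (UPX0 is the empty area the original image is decompressed into) with the entry point pointing outside it (into the stub in UPX1). Both samples are constructed in memory for the example; they are header-only images, not runnable executables, and the RVAs and sizes are made up.

```python
"""Spot a UPX-packed PE from its headers: DOS header -> PE signature ->
COFF header -> optional header -> section table. Samples are constructed."""
import struct
from typing import Dict, List, Optional, Tuple

SECTION_HEADER_SIZE = 40
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000

Section = Tuple[str, int, int, int]   # (name, VirtualAddress, VirtualSize, SizeOfRawData)


def build_sample_pe(sections: List[Tuple[str, int, int, int, int]], entry_rva: int) -> bytes:
    """Minimal PE32 image: DOS header, 'PE\\0\\0', COFF header, optional
    header and section headers. No section data, so not executable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE header at offset 64
    opt_size = 224                                      # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # Magic = PE32
    struct.pack_into("<I", opt, 16, entry_rva)          # AddressOfEntryPoint
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, vaddr, rawsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, rawsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_sections(pe: bytes) -> Tuple[int, List[Section]]:
    """Return (AddressOfEntryPoint, section list) read from the PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    entry = struct.unpack_from("<I", pe, opt + 16)[0]       # AddressOfEntryPoint
    sections: List[Section] = []
    off = opt + opt_size
    for _ in range(nsec):
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", pe, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, rawsize))
        off += SECTION_HEADER_SIZE
    return entry, sections


def section_containing(sections: List[Section], rva: int) -> Optional[str]:
    for name, vaddr, vsize, rawsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            return name
    return None


def upx_verdict(pe: bytes) -> Dict[str, object]:
    entry, sections = parse_sections(pe)
    entry_section = section_containing(sections, entry)
    upx_named = [s[0] for s in sections if s[0].upper().startswith("UPX")]
    first = sections[0] if sections else None
    # UPX0 pattern: virtual size > 0, nothing on disk, entry point elsewhere (the stub).
    hollow_first = bool(first) and first[3] == 0 and first[2] > 0 and entry_section != first[0]
    return {
        "packed": bool(upx_named) or hollow_first,
        "upx_sections": upx_named,
        "entry_section": entry_section,
        "entry_rva": entry,
    }


# Constructed samples: a UPX-style layout and a plain compiler layout.
PACKED_SAMPLE = build_sample_pe([
    ("UPX0", 0x1000, 0x10000, 0, IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE),
    ("UPX1", 0x11000, 0x6000, 0x5800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
    (".rsrc", 0x17000, 0x1000, 0x800, 0),
], entry_rva=0x16950)

CLEAN_SAMPLE = build_sample_pe([
    (".text", 0x1000, 0x4000, 0x4000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE),
    (".data", 0x5000, 0x1000, 0x400, 0),
    (".rsrc", 0x6000, 0x1000, 0x800, 0),
], entry_rva=0x1200)

if __name__ == "__main__":
    import sys
    targets = {"packed sample": PACKED_SAMPLE, "clean sample": CLEAN_SAMPLE}
    for path in sys.argv[1:]:                           # optional: real files from disk
        with open(path, "rb") as f:
            targets[path] = f.read()
    for label, data in targets.items():
        print(label, upx_verdict(data))
```

The entry section reported for the packed sample is the one the stub lives in, which is where the PUSHAD you trace to in step 2 sits; the OEP you are hunting for lies back in the hollow first section once the stub has filled it.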
-
Discovering Oracle Accounts With Nmap
If we are conducting an infrastructure penetration test and we have discovered an Oracle database during the information gathering stage, then we can use Nmap to perform some checks that will help us to potentially obtain the accounts that exist on the database. These checks can be executed with two scripts that Nmap contains in its scripting engine. Specifically, the scripts that we will need to use are the following:
- oracle-sid-brute
- oracle-brute
Oracle databases run on port 1521, so in most cases we can identify them just by checking if this port is open on our target host. The next step is to use the script oracle-sid-brute, which will try to brute force common Oracle SIDs. The next image shows the use of this script, which has successfully identified that the SID is XE.
Brute Forcing Oracle SIDs – Nmap
Now that we know the SID of the Oracle database, we can use the oracle-brute script to discover the valid accounts by specifying the SID name.
Discovering Oracle Accounts
Conclusion
With these two scripts we can perform security audits against an Oracle database with Nmap. However, the drawback, as the above image indicates, is that we can lock the accounts, as the script doesn't have a check on the number of tries it will execute in order to prevent account lockout. On the other hand, it is a very fast approach for detecting Oracle accounts through Nmap during information gathering.
Source: Discovering Oracle Accounts With Nmap | Penetration Testing Lab
-
SQL Injection Authentication Bypass With Burp

Burp is a tool that can be used in every web application penetration test to perform a variety of activities and to automate tasks. As a penetration tester you might want to test some things automatically and effectively, because this will reduce the amount of time that you will spend on specific checks and it will give you more time to focus on the tricky parts of your assessment. One of the checks that you must do in a web application that contains a login form is to examine whether or not this form is vulnerable to SQL injection and, if it is, to try to bypass it and to login as administrator.

In order to bypass authentication in a form that is vulnerable to SQL injection we will need to understand how the query has been constructed and to append to this query the appropriate parameters. If we want to do a fast test before starting to exploit this manually, we can use Burp Intruder and a cheat sheet that has been created for this purpose. Burp Intruder will send HTTP requests, passing each parameter from this list to a specific position in the request. This method is going to be examined in this article, and for the demonstration we will use Mutillidae as the target application, which contains this vulnerability.

The first thing that we have to do in this situation is of course to discover if the login form is vulnerable. We can simply insert a single ' in the username field and then we must watch the response. If the application returns an error like the one in the image below, then it is likely to be vulnerable.

Image: SQL Injection Error

Then we must capture the HTTP request with Burp Proxy and send it to Intruder. In Intruder there are two things that we need to check. The first is the attack type and the second is the payload position. For the attack type the choice must be Sniper, because in this mode Burp Intruder will take a single input from a list that we will provide later and it will send this input to the position that we specify in the HTTP request (one input at a time). For the position we choose the field that is vulnerable (in this case the username).

Image: Burp Intruder – Attack Type and Position

The next thing to do is to set the payloads. As the payload type for this attack a simple list will be used. So in the payload options we have to load our .txt list.

Image: Burp Intruder – Setting up the payloads

Now the attack is ready to be launched. Burp Intruder will start passing these parameters from the list to the payload position, and from the payload position to the web application as an HTTP request. When this process finishes, the successful payloads will have a different status code, as can be seen in the next image.

Image: SQL Injection Bypass Authentication – Burp payloads

Now we can go back to the application and use one of the successful payloads in order to bypass the authentication and to login with admin privileges to the application.

Image: Bypass Authentication by passing the correct payload

Conclusion

This was a simple tutorial that showed the major capabilities of Burp against web applications, as we managed to log into the application as admin. The cheat sheet about SQL injection authentication bypass that we used in this article has been developed by Dr. Emin İslam Tatlı and all the credits go to him. If you want to use the list or to expand it you can find it here.

Source: SQL Injection Authentication Bypass With Burp | Penetration Testing Lab
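As an added example (not part of the post above), the login pattern behind the probe the article describes, modelled in Python against an in-memory SQLite table: the string-built query turns a lone ' into a database error and lets the textbook tautology payload log in without the password, while the parameterized version treats the same input as plain data. The accounts table and its credentials are constructed sample data, not Mutillidae's.

```python
"""Vulnerable vs. parameterized login check.

An in-memory SQLite table stands in for the application's user store
(constructed sample data). Both functions return 'ok', 'denied' or 'error'
so the behaviour on each input can be compared directly.
"""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample user table with a single admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, password TEXT)")
    # Unsalted SHA-256 keeps the demo short; real systems need a slow, salted KDF.
    conn.execute("INSERT INTO accounts VALUES ('admin', ?)",
                 (hashlib.sha256(b"correct horse").hexdigest(),))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Query built by string formatting: user input is parsed as SQL.

    A single quote unbalances the statement (the error the article looks for);
    a quote followed by a tautology extends the WHERE clause so the first row
    matches regardless of the password.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT username FROM accounts WHERE username = '%s' "
           "AND password = '%s'" % (username, pw_hash))
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "error"
    return "ok" if row else "denied"


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> str:
    """Parameterized query: the driver binds the values, so quotes and
    keywords in the input are compared as text and never change the query."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, pw_hash),
    ).fetchone()
    return "ok" if row else "denied"


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("admin", "correct horse"), ("'", "x"), ("admin' OR '1'='1", "wrong")]:
        print(repr(user), "vulnerable:", login_vulnerable(db, user, pw),
              "fixed:", login_fixed(db, user, pw))
```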
-
Defeating Driver Signing Enforcement, Not That Much Hard!

November 4, 2012

These days everybody talks about Driver Signing Enforcement and the ways we can bypass it. J00ru talked about the hard way, and I tell you about the easy and very long known way. What we need is just a signed vulnerable x64 driver. As we know, loading drivers requires administrator privilege, but these days a normal user with the default UAC setting can silently achieve admin privilege without popping up a UAC dialog. The driver I was talking about is DCR from DriveCrypt. The x64 version is signed and is vulnerable to a write4 bug. The latest version is not vulnerable anymore, but this version still has a valid signature and that's enough. I think it's obvious that you can make the whole process of escalating privilege from normal user to admin for loading the vulnerable driver (silently with one of the UAC bypass methods) and exploitation programmatically automatic. You can find the vulnerable version of the driver along with the exploit at "DriveCrypt\x64\Release".

Source: Defeating Driver Singing Enforcement, Not That Much Hard! | REP RET
-
Troopers 14 - Easy Ways To Bypass Anti-Virus Systems - Attila Marosi

Description: All IT security professionals know that antivirus systems can be avoided. But few of them know that it is very easy to do. (If it is easy to do, its impact is huge!) In this presentation I will, on the spot, fully bypass several antivirus systems using basic techniques! I will bypass: signature detection, emulation/virtualization, sandboxing, firewalls. How much time (development) is needed for this result? Not more than 15 hours without a cent of investment! If I could do this, anyone can do this... so I think we have to focus on this problem.

Using these easy techniques I can create a 'dropper' that can deliver any kind of Metasploit (or anything else) shellcode, bypass several well-known antivirus products in real life and fully bypass the VirusTotal.com detection with a detection rate of 0. In my presentation I use 6 virtual machines and 9 real-time demos. As a result the audience always has a lot of fun and surprise when they see the most well-known systems fail - and the challenges that the AVs cannot solve are ridiculously simple and old. So the IT professionals might think more about the systems which they rely on and which cost so much.

Bypassed AntiVirus Systems: F-Secure, AVG, NOD32 6 and 7, avast!, Kaspersky, Trend Micro, McAfee...

Educational value of the topic:

- We look at how the virus writers develop their code.
- We will develop a puzzle which may distract the AV virtualization engine to avoid detection.
- We will develop code to encrypt/decrypt our malicious shellcode.
- We will look at which built-in Windows functions help the attacker to inject malicious code into a victim process, and we try it. (We will use iexplorer.exe to bypass the firewall.)
- We will look at what solutions are often used to avoid the sandbox.
- Learn the difference between metamorphic and polymorphic code.
- I wrote a Python script which can create a metamorphic version from a byte code. We will test it in real time and it will be seen that it is a real challenge for the AVs.

BIO: Attila Marosi has been working in the information security field since he started working. As a lieutenant on active duty he worked for years on special information security tasks occurring within the SSNS. Recently he was transferred to the just established GovCERT-Hungary, which is an additional national level in the internationally known system of CERT offices. He has several international certificates such as CEH, ECSA, OSCP, OSCE. During his free time he also gives lectures and does some teaching on different levels; on top of them for white hat hackers. He has presented at many security conferences including Hacker Halted, DeepSEC and Ethical Hacking.

For more information please visit: https://www.troopers.de

Source: Troopers 14 - Easy Ways To Bypass Anti-Virus Systems - Attila Marosi
-
- 1
-
-
How To Crack A WPA/WPA2 Wireless Network

Description: In this video I will show you how to crack a WPA/WPA2 wireless network. We will need Kali Linux and a compatible wireless card that supports injection and promiscuous mode. For more information on promiscuous mode check out: Promiscuous mode - Wikipedia, the free encyclopedia. The recommended wireless card is an Alfa Network AWUS036H.

Getting started, we need to put our wireless card into monitor mode. To do that, let's open a Terminal and type in:

airmon-ng start wlan0

Next we need to find the network we want the password for. First we need to capture the 4-way handshake! Let's open a new Terminal and this time let's type in:

airodump-ng mon0

Hopefully we should start to see networks showing up. Find the network you want to crack, then hold CTRL+C to stop airodump-ng.

Alright, so assuming you found the network you're going to want to crack, we need to get the 4-way handshake now! In the Terminal we need to type in:

airodump-ng -c 1 --bssid 88:F7:C7:3A:D9:72 -w test mon0

Change 88:F7:C7:3A:D9:72 to the target network you're trying to crack. Press enter and we should now be watching just that network!

To get the handshake we must deauthenticate a device or client that is already connected! If nothing shows up under STATION, then we must wait until a wireless device shows up there; otherwise we can't get the handshake. Basically a waiting game until a wireless device is connected! Assuming you see a device listed under STATION, we can then send a deauthentication using aireplay-ng. Let's open a new Terminal and type in:

aireplay-ng -0 1 -a 88:F7:C7:3A:D9:72 -c D8:50:E6:84:6C:74 mon0

Change 88:F7:C7:3A:D9:72 to the BSSID of the target network and change D8:50:E6:84:6C:74 to the victim's MAC address under STATION.

Once we get the handshake it's time to give cracking it a try! First you're going to need a wordlist, so happy hunting! There are tons of them out there; some might work, some might not! In this video I have added my own password to a wordlist to make this an ethical video.

Got your wordlist? Let's move on to the next step: CRACKING! Open a Terminal and type in:

aircrack-ng -w /path/to/wordlist/list.txt test-01.cap

Assuming you didn't use the same name (ex: test) more than once, you should see a bunch of things in /root/ called test-01.cap, test-02.cap etc. Press enter and happy cracking. Good luck; you likely have a better chance of getting hit by lightning on a nice day than getting the password. I recommend you try some online WPA cracking services for a better outcome. Some sites like https://www.cloudcracker.com/ charge $17 USD to try and crack it for you!

Be sure to check out Matthew H Knight – Internet Security Professional

Source: How To Crack A Wpa/Wpa2 Wireless Network
-
Windows 7 Security Features

Windows 7 is an operating system developed and released by Microsoft in 2009. It was designed to be a successor to the Windows Vista range of operating systems. Windows 7 builds upon the features and design philosophies of Windows Vista and adds several enhancements along the way. Windows 7 primarily targets home/office users. It was the first Windows operating system to support the 64 bit Intel architecture. Design wise, Windows 7 is very similar to its predecessor Windows Vista; however, it does have several enhancements such as Libraries, Jump Lists, etc.

Security in Windows

Windows-based operating systems have always been plagued with a host of security flaws and vulnerabilities; this is mainly because the systems were not designed with secure computing in mind. They are also a popular target for hackers due to these flaws. In today's increasingly connected world we cannot allow our systems to be compromised without dire consequences. Windows 7 has tried to address these issues by following a Secure Development Life Cycle (SDLC), i.e. developers enforced a strict code review of all new code and they performed refactoring and code review of older OS code. Several of the major security improvements are given below in greater detail.

1. Data Execution Prevention (DEP)

During the execution of a process, it will contain several memory locations that do not contain executable code. Attackers use these sections to initiate code injection attacks. After arbitrary code has been inserted, they can carry out attacks such as buffer overflows. Data Execution Prevention is a security technique that is used to prevent the execution of code from such data pages. This is done by marking data pages as non-executable. This makes it harder for code to be run in those memory locations. DEP is intended to be used with other mechanisms such as ASLR and SEHOP. When used together, it makes it very difficult for attackers to exploit the application using memory attacks. DEP support, though present in Windows 7, is opt-in, i.e. it is not enabled by default, but users are encouraged to enable DEP support. DEP can be enabled system wide or on a per application basis. This is configured by the system administrator.

DEP types

There are two DEP implementations:

- Hardware enforced DEP
- Software enforced DEP

Hardware enforced DEP marks all memory locations as non-executable by default unless the location explicitly contains executable code. This helps prevent attacks that try to insert code from non-executable memory locations. Hardware DEP makes use of processor hardware to mark memory as non-executable; this is done by setting an attribute at the specified memory location. Hardware enforced DEP requires the system to be using a DEP compatible processor. Both AMD and Intel have released processors with DEP support. AMD based processors make use of the NX bit to signify non-executable sections of memory. Intel based processors make use of the XD (Execute Disable) bit to signify the same.

Software enforced DEP

Software based DEP is less complex than its hardware dependent variant; it also has limited functionality. Software based DEP will run on any type of processor that can run Windows 7. It can protect only a limited number of system binaries. Software based DEP can help defend against attacks that make use of the exception handling mechanism in Windows 7.

DEP in other Operating Systems

DEP is found in other operating systems as well; however, they mostly make use of hardware enforced DEP technologies. This varies according to the processor used.

- RedHat/CentOS Linux supports DEP through the ExecShield tool. It is enabled by default.
- Sun Solaris supports hardware enforced DEP on NX/XD enabled x86 systems. This setting must be enabled.
- Apple Mac OS X supports DEP on Intel processors using the XD bit; it is enabled by default.
- Android 2.3 and above support DEP.
- FreeBSD has supported DEP from version 5.3 onwards.
- OpenBSD supports DEP through a custom implementation called W^X, which can be used to mark pages as non-executable by default. W^X makes use of the NX bit for its implementation; support for the XD bit is still forthcoming. W^X has been available from OpenBSD version 3.3 onwards.

2. Address Space Layout Randomization (ASLR)

Address space layout randomization is a technique to increase security against common memory based attacks such as buffer overflows and stack smashing. In older versions of Windows, essential system processes often used predictable memory locations for their execution. This made it much easier for attackers to find critical components of the process, including the program stack and heap. These addresses can then be used to launch buffer overflow attacks. To overcome this problem, ASLR was devised. ASLR randomizes several sections of the program, such as the stack, heap, libraries, etc. This makes memory addresses much harder to predict. Coupling ASLR with DEP makes it extremely difficult to carry out memory based attacks. In order to use ASLR, programs must be compiled using the ASLR flag; only then will randomization occur during program runtime. Windows 7 completely supports ASLR based applications and libraries. This support will be included in all Windows systems from Windows Vista onwards.

ASLR in other Operating Systems

ASLR is not restricted to Windows alone; it is found in other operating systems as well.

- Linux supports a weaker form of ASLR, but it is present by default.
- OpenBSD has supported ASLR by default since its inception.
- Mac OS X supports memory randomization by default for system libraries and applications that have been compiled with ASLR support.
- FreeBSD does not support ASLR fully as of yet; however, they are in the process of developing it.
- DragonFly BSD supports ASLR; it is based on the OpenBSD implementation.
- Android 4.0 (Ice Cream Sandwich) supports ASLR to protect system memory and third party applications from memory exploits.

3. Structured Exception Handler Overwrite Protection (SEHOP)

Structured Exception Handler Overwrite Protection (SEHOP) is a technique used to prevent malicious users from exploiting Structured Exception Handler (SEH) overwrites. The SEH overwrite exploit was first demonstrated in Windows XP; since then it has become one of the most popular exploits in the hacker arsenal. Several exploit frameworks including Metasploit make use of SEH overwrite techniques to execute code remotely. SEH exploits work by subverting the 32 bit exception mechanism provided by the Microsoft operating system. SEH exploits are generally carried out by using stack-based buffer overflow attacks to overwrite an exception registration record that has been stored in the thread's stack. The exception registration record consists of two records, the next pointer and the exception handler, also called the exception dispatcher. The attacker will try to overwrite the exception dispatcher and force an exception.

There are two methods to stop SEH exploits. The first technique requires the application to be compiled using the /SAFESEH flag during the linking phase. This may not be feasible, because it requires the recompilation of the entire application. The second method is used by SEHOP. Here dynamic checks are carried out to ensure that a thread's exception handler list is not corrupt before actually calling the exception handler. SEHOP is enabled by default on Windows 7 and Windows 8 operating systems. It can be disabled if required through the modification of registry keys.

4. User Account Control (UAC)

User Account Control is a security feature first introduced in Windows Vista to limit administrative privileges only to authorized users. If an application tries to perform an administrative action, the user must authenticate before the action is carried out. This is useful, as it prevents malicious files from executing actions with administrative privileges. UAC works by allowing temporary administrative access to the concerned user if he/she is able to authenticate during the UAC prompt. There are several actions that can trigger a UAC alert. Some of them are listed below:

- Running an application as an Administrator
- Changes to system-wide settings or to files in %SystemRoot% or %ProgramFiles%
- Installing and uninstalling applications
- Installing device drivers
- Installing ActiveX controls
- Changing settings for Windows Firewall
- Changing UAC settings
- Configuring Windows Update
- Adding or removing user accounts
- Changing a user's account type
- Configuring Parental Controls
- Running Task Scheduler
- Restoring backed-up system files
- Viewing or changing another user's folders and files

UAC also introduces the concept of Secure Desktop, wherein the entire desktop is dimmed during a UAC prompt, forcing the user to only interact with the elevation window. Normal applications cannot interact with the secure desktop. This prevents spoofing attacks. UAC is enabled by default but can be disabled from the Control Panel; it is not advisable to do so. UAC is similar in functionality to the sudo command found in UNIX based systems.

5. DNS System Security Enhancements (DNSSEC)

The DNS System Security Enhancements are a set of specifications used to secure information provided by the DNS system. The specification was devised by the IETF (Internet Engineering Task Force). DNSSEC support was first introduced in Windows 7 and Windows Server 2008 R2. DNSSEC works through the use of extensions to improve upon the shortcomings of the DNS system, to provide DNS clients with certain features such as:

- Origin authentication of data
- Authentication
- Data integrity

The original DNS system was not designed with security in mind; this has led to heavy exploitation of DNS systems. DNSSEC tries to add security without sacrificing backward compatibility. DNSSEC makes use of public key cryptography to digitally sign records for DNS lookup. The correct DNS record is authenticated using a chain of trust, which works with a set of verified keys from the DNS root zone, which is the trusted third party.

DNSSEC in other Operating Systems

DNSSEC is supported in many other operating systems.

- BIND, the most popular DNS name server, supports the latest version of the DNSSEC protocol.
- The Google public DNS server fully supports the DNSSEC protocol.

6. BitLocker

BitLocker is a Windows security feature that was first introduced for Windows Vista and then further enhanced for Windows 7. It provides full disk encryption capabilities for Windows 7; it is included as part of the operating system itself and does not require any third party plugins to function. It is only available for the Enterprise and Ultimate editions of Windows 7. BitLocker provides logical volume encryption, i.e. the drive to be encrypted must be partitioned into logical volumes for BitLocker to work. BitLocker requires at least two NTFS volumes, one for the OS itself (typically called the C drive) and another boot partition with a minimum size of 100MB. The boot partition is not encrypted by BitLocker, as it is required for the system bootstrap process. BitLocker may be used in conjunction with the Encrypting File System to provide increased security.

The Encrypting File System, or EFS, is another security feature for Microsoft Windows that was introduced for NTFS version 3.0 and above. It is supported on all Windows systems from Windows 2000 onwards. EFS provides filesystem level encryption for the user while the operating system is running. This provides an additional layer of protection. Both BitLocker and EFS make use of 256 bit AES in CBC mode for their encryption needs. EFS also has several other algorithms to choose from.

Full disk encryption in other Operating Systems

Full disk encryption is not a new concept and there are many alternatives for it. Full disk encryption is supported by different operating systems in varying degrees.

- Linux supports two alternatives for full disk encryption, eCryptfs and dm-crypt. eCryptfs provides stacked file system level encryption. This is similar to EFS on Windows.
- FreeBSD provides full disk encryption through the GBDE (GEOM Based Disk Encryption) framework. GBDE only supports 128 bit AES, however. FreeBSD also has another full disk encryption framework called GELI. GELI has support for many cryptographic algorithms such as AES, Blowfish, Triple DES, etc.

7. Improved Cryptography

Windows 7 features several enhancements in its cryptographic subsystem. There are several new cryptographic algorithms to choose from, including Blowfish, AES, Triple DES, etc. Windows 7 also includes support for elliptic curve cryptography. The Kerberos protocol in Windows 7 has been updated to use AES encryption over DES. The Windows LAN Manager has been updated to use NTLM2 hashes by default instead of the SHA1 or MD5 hashing algorithms.

8. Windows Firewall/Defender

Windows 7 includes a new and improved Windows Defender. Windows Defender is anti-spyware and anti-adware software that is included as part of the operating system itself. Windows Defender can be updated like an anti-virus solution. Windows Firewall is a host based firewall that is included with each copy of Windows. It has been extensively overhauled in Windows 7. It now provides full support for IPsec. Windows Firewall also makes use of a new framework called the Windows Filtering Platform (WFP). WFP provides improved packet filtering capabilities that are integrated into the TCP/IP stack.

9. Improved Authentication Mechanisms

Better authentication support was introduced in Windows 7. This includes support for biometric access and smart cards. User accounts can be authenticated using two-factor authentication, i.e. a combination of password and smart card. The single sign-on feature has also been introduced. This can be used with smart cards, which can also be integrated with several other security services such as EFS. Winlogon has been upgraded from GINA (Graphical Identification and Authentication) to the Credential Provider library. It also supports NTLM2 by default for generating password hashes. This is a significant improvement over the deprecated NTLM hashing algorithm. Winlogon is the interactive login manager for Windows based systems.

References

- Address space layout randomization - Wikipedia, the free encyclopedia
- Security and safety features new to Windows Vista - Wikipedia, the free encyclopedia
- Data Execution Prevention - Wikipedia, the free encyclopedia
- Windows 7 - Wikipedia, the free encyclopedia
- Encrypting File System - Wikipedia, the free encyclopedia
- Domain Name System Security Extensions - Wikipedia, the free encyclopedia
- Managing Risk
- Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP - Security Research & Defense, TechNet Blogs
- How Mac OS X Implements Password Authentication, Part 2 - Dave Dribin's Blog
- https://support.microsoft.com/kb/875352
- http://support.microsoft.com/kb/956607
- Advanced Windows Security: Activating SEHOP | gHacks Technology News

By Albert Fruz | May 23rd, 2014

Source: Windows 7 Security Features - InfoSec Institute
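As an added example (not part of either reposted article), a pure-Python PE header inspector that serves both the UPX unpacking walkthrough earlier on this page and the DEP/ASLR section above: it reads the optional header's DllCharacteristics to report whether an image opts in to DEP (NX_COMPAT) and ASLR (DYNAMIC_BASE), lists the section names, flags the UPX0/UPX1 layout, and names the section holding the entry point, which in a UPX-packed file is the UPX1 stub rather than the original code. The sample PE blobs are constructed in-code (headers only, not runnable images) and the flag values are the ones from the PE/COFF specification.

```python
"""Read-only inspection of a PE image's mitigation opt-ins and section layout.

Standard library only. Offsets follow the PE/COFF specification: the
DllCharacteristics field sits at offset 70 of the optional header for both
PE32 (magic 0x10B) and PE32+ (magic 0x20B).
"""
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits
DYNAMIC_BASE = 0x0040   # image may be relocated at load time -> ASLR eligible
NX_COMPAT = 0x0100      # image declares itself DEP compatible
NO_SEH = 0x0400         # image contains no structured exception handlers


def analyze_pe(data: bytes) -> dict:
    """Parse DOS header, PE signature, COFF header, optional header and
    section table; return the mitigation flags and a packer heuristic."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")

    coff = e_lfanew + 4
    (_machine, num_sections, _stamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]

    # Section table: 40-byte entries directly after the optional header
    sections = []
    table = opt + opt_size
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * (i + 1)]
        name = raw[:8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", raw, 8)
        sections.append((name, vaddr, vsize))

    entry_section = next(
        (n for n, va, vs in sections if va <= entry_rva < va + vs), None)
    names = [n for n, _, _ in sections]
    return {
        "pe32plus": magic == 0x20B,
        "dep_optin": bool(dll_chars & NX_COMPAT),
        "aslr_optin": bool(dll_chars & DYNAMIC_BASE),
        "no_seh": bool(dll_chars & NO_SEH),
        "sections": names,
        "entry_section": entry_section,
        "looks_upx_packed": any(n.startswith("UPX") for n in names),
    }


def build_sample_pe(dll_chars: int, section_names, entry_rva: int) -> bytes:
    """Constructed test data: a minimal PE32 header blob with the given
    DllCharacteristics, section names (each 0x1000 bytes of virtual size,
    laid out from RVA 0x1000) and entry point RVA. No code or data follows."""
    opt_size = 224                                   # PE32 optional header
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: NT headers follow
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0,
                       opt_size, 0x0102)             # i386, EXECUTABLE|32BIT
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)       # AddressOfEntryPoint
    struct.pack_into("<H", opt, 70, dll_chars)       # DllCharacteristics
    table = b""
    va = 0x1000
    for name in section_names:
        hdr = bytearray(40)
        hdr[:8] = name.encode("ascii").ljust(8, b"\0")
        struct.pack_into("<II", hdr, 8, 0x1000, va)  # VirtualSize, VirtualAddress
        table += bytes(hdr)
        va += 0x1000
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    # UPX-style layout: empty UPX0, stub and compressed data in UPX1, entry in UPX1
    packed = build_sample_pe(0, ["UPX0", "UPX1", ".rsrc"], entry_rva=0x2010)
    print("packed  :", analyze_pe(packed))
    # Hardened build: /NXCOMPAT and /DYNAMICBASE set, entry point in .text
    hardened = build_sample_pe(NX_COMPAT | DYNAMIC_BASE, [".text", ".data"], 0x1000)
    print("hardened:", analyze_pe(hardened))
```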
-
Penetration Testing Apps for Android Devices

Introduction

According to recent research, the number of mobile phone users is larger than the number of PC users. At the same time, the number of people who own Android phones is increasing rapidly. Android phones bring people a lot of convenience, in that they help people do as much work as they can do on a computer, with no limitation by location. Android has become a need rather than a luxury these days, and its popularity has increased rapidly among available smart phones. There are lots of OSes available these days, but among all of them Android is the best one, as it can be handled easily and is also very easy to implement because of its open source nature. Android app development has become an important tool for developing mobile applications. The Software Development Kit provided by Android assists developers to start developing and working on applications instantaneously, so the app can be implemented faster.

Now that penetration testing is possible using the Android platform, there will be no need to carry your system to various locations to carry out your pen test. As we all know, penetration testing involves much involvement of the person with their system, but by using your Android phone you can perform it at any location in the best way you can. The following are the Android applications that you can use for penetration testing.

1. Networking Tools

- Port Scanner: this tool lets you scan ports on a remote host via its IP or domain name so you can know which ports are open on the host. It supports 3G, protocol recognition, and many other features.
- Fing: Fing is a professional app for network analysis. A simple and intuitive interface helps you evaluate security levels, detect intruders and resolve network issues. It helps you to find out which devices are connected to your Wi-Fi network in just a few seconds.
- Network Discovery: Network Discovery is similar to Fing. It is used for device discovery and works as a port scanner for a local area network.
- tPacketCapture: tPacketCapture does packet capturing without using any root permissions. tPacketCapture uses the VpnService provided by the Android OS. Captured data are saved in the PCAP file format in the external storage.
- Droidsheep: Droidsheep is written by Andrew Koch. It works as a session hijacker for non-encrypted sites and allows you to save cookie files/sessions for later analysis. It is no longer available from the developer's site, i.e. droidsheep.de.
- FaceNiff: FaceNiff is an app that allows you to sniff and intercept web session profiles over the WiFi that your mobile is connected to. It is possible to hijack sessions only when WiFi is not using EAP, but it should work over any private network.

2. DOS

- LOIC: LOIC is a tool for network stress testing and a denial-of-service attack application. LOIC performs a denial-of-service (DoS) attack (or, when used by multiple individuals, a DDoS attack) on a target site by flooding the server with TCP or UDP packets with the intention of disrupting the service of a particular host.
- AnDOSid: AnDOSid allows security professionals to simulate a DOS attack. The AnDOSid app launches an HTTP POST flood attack, where the number of HTTP requests becomes so huge that a victim's server has trouble responding to them all. When the server begins to rely too heavily on its system resources, it crashes.

3. Packet sniffer

- Intercepter-NG: Intercepter-NG is a multifunctional network toolkit. It has the functionality of several famous separate tools and moreover offers a good and unique alternative to Wireshark for Android. The main features are: network discovery with OS detection, network traffic analysis, password recovery, file recovery.
- Shark for Root: Traffic sniffer, works on 3G and WiFi (works in FroYo tethered mode too). To open a dump, use Wireshark or similar software; to preview a dump on the phone, use Shark Reader.
- PacketShark: This is a packet sniffer application. Features include a friendly capture options interface, filter support, live capture view, and Dropbox upload of captured files. It allows viewing of the captured packets — no need to install another application as a viewer.

4. Scanners

- WPScan: WPScan is a black box WordPress security scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. This app was developed by Alessio Dalla Piazza. Its intended use is for security professionals or WordPress administrators to assess the security posture of their WordPress installations. WPScan includes user enumeration and will detect the timthumb file, theme and WordPress version.
- Nessus: Nessus is a popular penetration testing tool that is used to perform vulnerability scans with its client/server architecture. The Nessus Android app can perform the following tasks: connect to a Nessus server (4.2 or greater); launch existing scans on the server; start, stop or pause running scans; create and execute new scans and scan templates; view and filter reports.
- Network Mapper: A very fast net scanner for network admins that can scan your network in the office and export as CSV via Gmail to give you a map of what devices are on your LAN. Includes a port scanner for security audit scans and a MAC vendor database to identify NIC manufacturers. Can detect firewalled and stealthed computers, quite useful if you are looking for a Windows/firewall box that you can't see on your network. Useful if you want to find FTP servers, SSH servers, SMB servers, etc. on your network, and would help you to diagnose faults. You can save the scan results as a CSV file, which can be imported into Excel/Google Spreadsheet/LibreOffice.

5. Webattack

- DroidSQLi: DroidSQLi is the first automated MySQL injection tool for Android. It allows you to test your MySQL-based web application against SQL injection attacks. DroidSQLi supports the following injection techniques: time based injection, blind injection, error based injection, normal injection. It automatically selects the best technique to use and employs some simple filter evasion methods.
- Sqlmapchik: sqlmapchik is a cross-platform GUI for the popular sqlmap tool. It is primarily aimed to be used on mobile devices. The easiest way to install sqlmapchik on an Android device is to download it from Google Play.

6. Pentesting Suites

- dSploit: dSploit is an Android network analysis and penetration suite which aims to offer IT security experts/geeks the most complete and advanced professional toolkit to perform network security assessments on a mobile device. Once dSploit is started, you will be able to easily map your network, fingerprint alive hosts' operating systems and running services, search for known vulnerabilities, crack logon procedures of many TCP protocols, perform man in the middle attacks such as password sniffing, real time traffic manipulation, etc. These are the available modules in the app: RouterPWN, Trace, Port Scanner, Inspector, Vulnerability Finder, Login Cracker, Packet Forger, MITM.
- Revenssis Penetration Suite: Revenssis Penetration Suite is a set of all the useful types of tools used in computer and web application security. Web vulnerability scanners including: SQL injection scanner, XSS scanner, DDOS scanner, CSRF scanner, SSL misconfiguration scanner, Remote and Local File Inclusion (RFI/LFI) scanners. Useful utilities such as: WHOIS lookup, IP finder, Shell, SSH, blacklist lookup tool, ping tool. Forensic tools (in implementation) such as malware analyzers, hash crackers, network sniffer, ZIP/RAR password finder, social engineering toolset, reverse engineering tool. Vulnerability research lab (sources include: Shodan vulnerability search engine, ExploitSearch, Exploit DB, OSVDB and NVD NIST). Self scan and defense tools for your Android phone against vulnerabilities. Connectivity security tools for Bluetooth, Wifi and Internet (NFC, Wifi Direct and USB in implementation).
- zANTI: zANTI is a comprehensive network diagnostics toolkit that enables complex audits and penetration tests at the push of a button. It provides cloud-based reporting that walks you through simple guidelines to ensure network safety. zANTI offers a comprehensive range of fully customizable scans to reveal everything from authentication, backdoor and brute-force attempts to database, DNS and protocol-specific attacks – including rogue access points.

7. Anonymity

- Orbot: Orbot is a free proxy app that empowers other apps to use the Internet more securely. Orbot uses Tor to encrypt your Internet traffic and then hides it by bouncing through a series of computers around the world. Tor is an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security, known as traffic analysis. Orbot is the safest way to use the Internet on Android. Period. Orbot bounces your encrypted traffic several times through computers around the world, instead of connecting you directly like VPNs and proxies. This process takes a little longer, but the strongest privacy and identity protection available is worth the wait. Use with Orweb, the most anonymous way to access any website, even if it's normally blocked, monitored, or on the hidden web. Use Gibberbot with Orbot to chat confidentially with anyone, anywhere for free. Any installed app can use Tor if it has a proxy feature, using the settings. You can use private web searching with DuckDuckGo. Orbot can be configured to transparently proxy all of your Internet traffic through Tor. You can also choose which specific apps you want to use through Tor. Orbot is free software.
- OpenVPN: OpenVPN Connect is the official full-featured Android VPN client for the OpenVPN Access Server, Private Tunnel VPN and OpenVPN Community, developed by OpenVPN Technologies, Inc. It does not require a rooted device. Easily import .ovpn profiles from SD card, OpenVPN Access Server, Private Tunnel or via a browser link. Improved power management – a preferences setting allows the VPN to pause in a low-power state whenever the screen is blanked or the network is unavailable. Android Keychain integration – OpenVPN profiles may reference a cert/key pair in the Android keychain. Supports hardware-backed keystores. Support for multi-factor authentication using OpenVPN static and dynamic challenge/response protocols. Full IPv6 support (at both the tunnel and transport layer).
- Orweb: Orweb is the most privacy-enhancing web browser on Android for visiting any website, even if it's normally censored, monitored, or on the hidden web. Orweb is the safest browser on Android. Orweb evades tracking and censorship by bouncing your encrypted traffic several times through computers around the world, instead of connecting you directly like VPNs and proxies. This process takes a little longer, but the strongest privacy and identity protection available is worth the wait. Orweb bypasses almost every kind of network restriction. Orweb does not store any information about the websites you visit. You can prevent sites you visit from installing any cookies (which could track your web activities), allow them selectively, or allow any site to create cookies. JavaScript, a common attack method for malicious software, is disabled by default. Orweb is open source. Orweb attempts to prevent Flash from loading on sites you visit, blocking many common security threats.
Orweb is available in: Arabic, Chinese, Dutch, English, Esperanto, Farsi, French, German, Hungarian, Italian, Norwegian, Russian, Spanish, Swedish and Tibetan. Conclusion Android Operating System has been progressing quite rapidly. An innovative and open platform, Android is most popular mobile OS. It is well positioned to address the growing needs of the mobile marketplace. Due to rapid growth of Android, developers are now focusing on developing their tools in the Android environment. The above mentioned Android applications are the proof of that. The Software Development Kit facilitated by Android helps developers to achieve the same. The above applications discussed are ways to perform penetration testing from your Android mobile. We can achieve anonymity and can perform web attacks by using an Android phone. It also provides us with penetration suites and other networking tools. References Nindroid: Pentesting Apps for your Android device - Michael Palumbo Notacon 11 (Hacking Illustrated Series InfoSec Tutorial Videos) By Mohit Rawat|May 20th, 2014 Sursa: Penetration Testing Apps for Android Devices - InfoSec Institute
-
SQL Truncation Attack

The SQL truncation vulnerability is a very interesting flaw in the database. Successful exploitation of this issue leads to user account compromise, as it means an attacker can access any user’s account with his own password. Sounds interesting! First we will see why this issue occurs in the database.

If the user input value is not validated for its length, then a truncation vulnerability can arise. Suppose MySQL is running in its default (non-strict) mode, the administrator account is named admin, and the username column is limited to 20 characters. Now what happens in the backend database? By default, MySQL will truncate strings longer than the defined maximum column width and only emit a warning. But those warnings are usually seen only in the backend database, not by the web application, and are therefore not handled at all.

MySQL does not compare strings in binary mode. By default, more relaxed comparison rules are used. One of these relaxations is that trailing space characters are ignored during the comparison. This means the string ‘admin ‘ is still equal to the string ‘admin’ in the database, and therefore the application will refuse to accept a new user named ‘admin ‘. If instead the attacker provides ‘admin ninja’ (‘admin’, padded with spaces, then ‘ninja’, 21 characters in total) and the application searches the database for this user, it can’t find it, because the username column is limited to 20 characters and the attacker supplied 21, so the application accepts the new username and inserts it into the database. Due to the 20 character column length, the database truncates the username and stores it as ‘admin ‘. Now the table contains two admin users, ‘admin’ and ‘admin ‘.

Now we are going to see a practical scenario of this attack. Recently a CTF challenge took place at Capture the Flag and the first issue was SQL truncation for capturing the first flag. We opened the URL and found a login page. Our first attempt was to check for default credentials. We tried username admin and password admin and we successfully logged in. What the heck happened? That was our reaction, but this is an online hosted challenge, so somebody had already created this admin password. But our motive is there: to gain access to admin with our own credentials, which means we first have to create a user by registering into this application. We logged out from the application and found the register link on that page. So we registered a user from this form and then logged into the application. Now it shows a message that “You are not Admin”. We need to compromise that admin account. The first thing we know is that the default admin account exists; now we check whether there is any limit on the username length. We verify that a username with 20 characters can be registered. The application is accepting up to 20 characters, and the rest of the characters are not accepted. So here we can perform the truncation attack. So again we try to register a user with username ‘admin ninjasecurity’ (‘admin’, padded with spaces, then ‘ninjasecurity’), which is 33 characters, and the password pass@123. Here the application will accept up to 20 characters, and the rest of the characters, which are ‘ninjasecurity’, will be ignored. It will be inserted in the database as ‘admin ‘. Our user is successfully registered. Now we try to log in as admin with password pass@123 and Boom! We are logged in.

References:
NotSoSecure Labs | Feeling NotSoSecure? We are here to help!
http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/

By Rohit Shaw|May 13th, 2014
Sursa: SQL Truncation Attack - InfoSec Institute
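To make the two MySQL behaviours the article relies on concrete without a database server, here is a small C model of them (an added illustration written for this digest, not code from the article or from MySQL): non-strict mode silently cutting an over-wide value to the column width, and the default PAD SPACE comparison that treats ‘admin ‘ as equal to ‘admin’. The registration flow, the 20-character column, the 33-character ‘admin’-plus-spaces-plus-‘ninjasecurity’ value and the user table are all constructed from the article’s description; the hardened variant shows the fix a defender applies (length validation before the INSERT, equivalent to running MySQL with STRICT_TRANS_TABLES so the INSERT errors out instead of truncating).

```c
/* Added illustration (editor-written, not from the article): a C model of the two
 * MySQL behaviours the truncation attack depends on, so the attack and the fix can
 * be traced without a database server.  All data here is constructed. */
#include <stdio.h>
#include <string.h>

#define COL_WIDTH 20      /* VARCHAR(20) username column, as in the article */
#define MAX_USERS 8

static char users[MAX_USERS][COL_WIDTH + 1];
static int user_count = 0;

void reset_users(void) { user_count = 0; }

/* Length of s once trailing spaces are dropped: MySQL's default PAD SPACE
 * collations ignore trailing spaces in '=' comparisons, so 'admin ' = 'admin'. */
static size_t padspace_len(const char *s)
{
    size_t n = strlen(s);
    while (n > 0 && s[n - 1] == ' ')
        n--;
    return n;
}

/* Emulates  SELECT COUNT(*) FROM users WHERE username = ?  under PAD SPACE rules. */
int count_matching(const char *name)
{
    size_t n = padspace_len(name);
    int matches = 0;
    for (int i = 0; i < user_count; i++)
        if (padspace_len(users[i]) == n && memcmp(users[i], name, n) == 0)
            matches++;
    return matches;
}

/* Emulates INSERT in MySQL's non-strict sql_mode: a value wider than the column is
 * cut to COL_WIDTH characters and only a warning is raised, which the web
 * application never sees. */
static void insert_truncating(const char *name)
{
    size_t n = strlen(name);
    if (n > COL_WIDTH)
        n = COL_WIDTH;
    memcpy(users[user_count], name, n);
    users[user_count][n] = '\0';
    user_count++;
}

/* Registration as the vulnerable application does it: "does this name exist?" then
 * INSERT.  Returns 1 if a row was inserted, 0 if refused as a duplicate (or full). */
int register_vulnerable(const char *name)
{
    if (user_count >= MAX_USERS || count_matching(name) > 0)
        return 0;
    insert_truncating(name);
    return 1;
}

/* Hardened registration: reject any value wider than the column before it reaches
 * the database (the same effect as STRICT_TRANS_TABLES, where the INSERT fails
 * instead of truncating).  The duplicate check is unchanged. */
int register_hardened(const char *name)
{
    if (strlen(name) > COL_WIDTH)
        return 0;
    return register_vulnerable(name);
}

/* The CTF scenario: 'admin' exists; the attacker registers 'admin' padded with 15
 * spaces followed by 'ninjasecurity' (5 + 15 + 13 = 33 characters, as in the
 * article).  Returns how many rows now match a login as 'admin'. */
int scenario(int hardened)
{
    const char *attacker = "admin" "               " "ninjasecurity";
    reset_users();
    register_vulnerable("admin");                 /* legitimate admin row */
    if (hardened)
        register_hardened(attacker);
    else
        register_vulnerable(attacker);
    return count_matching("admin");               /* 2 when truncated, 1 when rejected */
}

int main(void)
{
    printf("non-strict, unvalidated: %d rows match 'admin'\n", scenario(0));
    printf("length-validated/strict: %d rows match 'admin'\n", scenario(1));
    return 0;
}
```

In the unvalidated run the truncated row is stored as ‘admin’ followed by 15 spaces, so a later `WHERE username = 'admin'` (or a login form that selects by username) matches two rows, which is exactly the state the article exploits; with the length check in front of the INSERT (or strict mode behind it) the attacker’s row never exists.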
-
Public Key Cryptography and PuTTYgen – Program for Generating Private and Public Keys

In today’s electronic world where everything is done online, “trust” is hard to come by. Conversations can be snooped on, credit card numbers can be stolen, identities can be exchanged and unseen eyes are everywhere. Imagine business emails being maliciously read by competitors, company proposals being leaked and even crucial corporate information being tampered with… This is where cryptography plays a crucial role, and important transactions have to be encrypted with strong algorithms to prevent leakage of information. We will discuss the basics of cryptography, public key cryptography, the RSA algorithm and the ‘PuTTYgen’ program (which is used to create public and private keys) in this paper.

It is a commonly known fact that the field of cryptography involves two major models: the symmetric cipher model and the asymmetric cipher or public key cipher model. The major difference between the two models is that the symmetric cipher model uses the same key to encrypt and decrypt messages, and the asymmetric cipher model uses different keys for encryption and decryption. Some popular symmetric algorithms are DES (Data Encryption Standard), AES (Advanced Encryption Standard) and Blowfish. Similarly, popular asymmetric cipher algorithms are RSA (which stands for Ron Rivest, Adi Shamir, and Leonard Adleman, who designed the algorithm), ElGamal and DSS (Digital Signature Standard).

Public Key Cryptography

The key concepts in public key cryptography are plain text, encryption algorithm, cipher text, decryption algorithm and the recovered text. In addition, we make use of the most important component of public key cryptography to encrypt and decrypt the text: the public and private keys. If one key is used to encrypt the text, the other key is used to decrypt the text. The public and private keys are mathematically connected. The public keys are normally managed by a trustworthy third party. Some of the required features of public key cryptography are listed below:
The private key should be infeasible to generate from the public key.
Both the private and public keys should be easy to generate.
Person ‘X’ (also popularly known as ‘Bob’) should easily be able to encrypt a message and send it to person ‘Y’ (also popularly known as ‘Alice’) using person ‘Y’s public key. Similarly, person ‘Y’ should easily be able to decrypt the message using their private key.
A hacker should find it impossible to recover the original text in spite of knowing the ciphertext and the public key.

Public key cryptography solves two of the symmetric cipher model’s drawbacks:
The key distribution problem, which in the symmetric model is to find a way to distribute the keys when a lot of people are involved. This is solved in the asymmetric model by having a “key-value” pair.
The authentication problem (verifying that the message indeed came from where it should have come from), which is solved in the asymmetric key model by making use of “digital signatures”.

We will next see the RSA algorithm, which uses public key cryptography and is the basis of the PuTTYgen program.

RSA Algorithm

As already stated, ‘RSA’ stands for Ron Rivest, Adi Shamir and Leonard Adleman, who designed the algorithm. Most cryptographic algorithms involve a tremendous amount of mathematics and the RSA algorithm is no exception. The mathematics behind the RSA algorithm is explained below in a lucid and easy to understand form. The basic idea behind the RSA algorithm is that it: “is a block cipher; it uses very large prime numbers for key generation; and the generated keys are mathematically linked.” (Walsh College, 2010) There are three steps in the RSA algorithm:
generating the public and private keys
encrypting the message
decrypting the message.
We will see a brief gist of generating the public and private keys in this paper.

Generating the public and private keys:
(a) For the RSA algorithm to be highly successful, two large prime numbers are chosen (‘u’ and ‘v’).
(b) The product of the two numbers is calculated: n = u * v
(c) The totient of the product is calculated as: φ(n) = (u-1) (v-1), where ‘φ’ is the Greek symbol ‘phi’.
(d) Next, we need to find values for ‘P’ and ‘Q’, after which the two large prime numbers can be abandoned: P * Q = 1 (mod φ(n))
The only condition here is that both ‘P’ and ‘Q’ must be relatively prime to φ(n). Two numbers are relatively prime if they have no common factors apart from 1. For example,
GCD (15, 10) = 5
GCD (18, 10) = 2
GCD (21, 10) = 1
Now, 21 and 10 are relatively prime to each other, or co-prime to each other. Step (d) seems to be a bit more complicated than it actually is. This can be simplified and re-written, assuming ‘P’ to be 7:
7 * Q = K * φ(n) + 1, where ‘K’ can be any number.
Now ‘P’ and ‘R’ (the modulus n) are the public key and ‘Q’ and ‘R’ become the private key. (Prime Number Hide-and-Seek: How the RSA Cipher Works)

Explaining the RSA algorithm with an example:
We take two small prime numbers, 5 and 11, for this example.
n = (5 * 11) = 55
“φ(55) = (5 – 1) * (11 – 1) = 4 * 10 = 40. Now, we need to find numbers (‘P’ and ‘Q’) to fit the equation: P * Q = 1 (mod 40). Now, ‘P’ and ‘Q’ must be relatively prime to 40.” (Prime Number Hide-and-Seek: How the RSA Cipher Works)
If ‘P’ is considered to be 7, and the unfamiliar modular mathematics is removed and replaced with a more understandable equation,
7 * Q = K * 40 + 1,
we next consider ‘Q’ to be 23, which is the next prime number close to 40. ‘P’ and ‘Q’ should also not be congruent mod 40. The equation now becomes
7 * 23 = 161
and ‘K’ now becomes 4 (since 161 = 4 * 40 + 1). So, the public key is 7 and 55 and the private key is 23 and 55. The RSA algorithm is tough to crack if the keys are long. RSA keys are typically between 1024 and 2048 bits long, and a key length of 1024 bits is sufficient for most calculations.

Attacks against RSA:
There are four different types of attacks that are possible against the RSA algorithm.
Brute force: This is trying different combinations to crack the keys. It is very difficult to crack the algorithm when the keys are large.
Mathematical attacks: This is equivalent to factoring n into the two large primes, which again has not been successful.
Timing attacks: The timing attack depends on the running time of the decryption algorithm.
Chosen ciphertext attacks: This type of attack is aimed at the properties of the algorithm. (Stallings)

We will next move on to PuTTYgen, a program for generating public and private keys.

PuTTY

“PuTTY is an SSH and telnet client, developed originally by Simon Tatham for the Windows platform. PuTTY is open source software that is available with source code and is developed and supported by a group of volunteers.” (Download PuTTY) It is used to generate public and private keys. The PuTTY program can be downloaded from this link: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. The following screenshot shows the opening screen of the PuTTY program. Before we move on to the other aspects of the ‘PuTTYgen’ program, we will briefly divert to the topic of SSH. We can see from the above screenshot that there are SSH-1 RSA, SSH-2 RSA and SSH-2 DSA keys to generate. We will see a brief explanation of SSH next.

SSH

SSH (Secure Shell) is a network protocol that is basically used to connect two networked computers securely. By means of SSH, the two computers can be used to perform remote and secure command login, secure data communication and other secure network services. SSH “connects, via a secure channel over an insecure network, a server and a client running SSH server and SSH client programs, respectively. The protocol specification distinguishes between two major versions that are referred to as SSH-1 and SSH-2.” (Secure Shell)

Returning to the PuTTYgen program, we can generate public and private keys by moving the mouse cursor constantly over the blank area. The following screenshot shows the result of generating the public and private key pair: As we can see, we have generated SSH-2 RSA keys of length 1024 bits. The public and private keys can be saved as .txt files for later use. If the keys are generated using a length of 2048 bits, security will be enhanced, but at the cost of decreased performance. The ‘passphrase’ field is optional, but it is better used. It is used to encrypt the private key in case it falls into the wrong hands. The use of a passphrase is explained on the University of Waterloo website, which states that the private key is like a debit card and the passphrase is the PIN that is used to guard it. “With SSH private keys, if somebody manages to acquire it, they will not be able to use it until they’ve figured out your passphrase. A private key without a passphrase is like a credit card, once they acquire it they can immediately use it.” (SSH Public Key authentication)

Application of the keys generated:
The keys that are generated can be used for SSH authentication with OpenSSH. The public key is the one that will be stored on the server. The private key will be stored on one’s own computer. Instead of using the traditional username and password to log in, the SSH client will authenticate with your private key against the public key which was stored on the server.

Conclusion

This paper discussed the basics of cryptography and the necessity of cryptography, followed by public key cryptography. We next moved on to the mathematics behind the RSA algorithm and concluded with the PuTTY program, which is used to generate public and private keys. Using public and private keys for authentication may be the future for online login into various websites.

Bibliography
Download PuTTY. (n.d.). Retrieved April 28, 2014, from putty.org: Download PuTTY - a free SSH and telnet client for Windows
Prime Number Hide-and-Seek: How the RSA Cipher Works. (n.d.). Retrieved April 28, 2014, from muppetlabs.com: Prime Number Hide-and-Seek: How the RSA Cipher Works
Secure Shell. (n.d.). Retrieved April 29, 2014, from en.wikipedia.org: Secure Shell - Wikipedia, the free encyclopedia
SSH Public Key authentication. (n.d.). Retrieved from Waterloo Cheriton School of Computer Science: https://cs.uwaterloo.ca/cscf/howto/ssh/public_key/
Stallings, W. Cryptography and Network Security.
Walsh College. (2010). Retrieved from Walsh College.

By Jayanthi|May 2nd, 2014
Sursa: Public Key Cryptography and PuTTYgen – Program for Generating Private and Public Keys - InfoSec Institute
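The key generation steps above, carried out in code with the article’s own numbers (u = 5, v = 11, P = 7), as an added worked example written for this digest rather than code from the article or from PuTTYgen. It finds Q by the extended Euclidean algorithm instead of guessing, recovers K from 7 * Q = K * φ(n) + 1, and adds the encrypt/decrypt round trip the article leaves out; the function names and the struct are this example’s own. Toy sizes only: the arithmetic is done in 64-bit integers, which is fine for a 55-bit-free demonstration like this one but nothing like the 1024-bit keys PuTTYgen produces.

```c
/* Added worked example (editor-written, not from the article): RSA key generation
 * with the article's numbers u = 5, v = 11, P = 7, plus an encrypt/decrypt round
 * trip.  Toy sizes only; real RSA moduli are 1024 bits and up. */
#include <stdio.h>

typedef unsigned long long u64;

/* Euclid's algorithm; two numbers are relatively prime when this returns 1. */
u64 gcd(u64 a, u64 b)
{
    while (b != 0) {
        u64 t = a % b;
        a = b;
        b = t;
    }
    return a;
}

/* Step (d): find Q with P * Q = 1 (mod phi) by the extended Euclidean algorithm.
 * Returns 0 when P is not relatively prime to phi, because then no Q exists. */
u64 mod_inverse(u64 P, u64 phi)
{
    long long old_r = (long long)P, r = (long long)phi;
    long long old_s = 1, s = 0;
    while (r != 0) {
        long long q = old_r / r, t;
        t = old_r - q * r; old_r = r; r = t;
        t = old_s - q * s; old_s = s; s = t;
    }
    if (old_r != 1)                      /* gcd(P, phi) != 1 */
        return 0;
    if (old_s < 0)
        old_s += (long long)phi;
    return (u64)old_s;
}

/* Square-and-multiply: base^exp mod m, keeping every intermediate below m^2. */
u64 mod_pow(u64 base, u64 exp, u64 m)
{
    u64 result = 1;
    base %= m;
    while (exp > 0) {
        if (exp & 1)
            result = (result * base) % m;
        base = (base * base) % m;
        exp >>= 1;
    }
    return result;
}

struct rsa_key { u64 n, phi, P, Q, K; };

/* Steps (a) to (d): n = u*v, phi = (u-1)(v-1), Q from P, and the K in
 * P * Q = K * phi + 1.  Returns 0 when P cannot be used with this phi. */
int rsa_keygen(u64 u, u64 v, u64 P, struct rsa_key *k)
{
    k->n = u * v;
    k->phi = (u - 1) * (v - 1);
    k->P = P;
    k->Q = mod_inverse(P, k->phi);
    if (k->Q == 0)
        return 0;
    k->K = (P * k->Q - 1) / k->phi;
    return 1;
}

/* Encrypt with the public key (P, n); decrypt with the private key (Q, n). */
u64 rsa_encrypt(const struct rsa_key *k, u64 m) { return mod_pow(m, k->P, k->n); }
u64 rsa_decrypt(const struct rsa_key *k, u64 c) { return mod_pow(c, k->Q, k->n); }

/* Full round trip for a message m < n.  Returns the recovered message, or
 * (u64)-1 if the key could not be generated from (u, v, P). */
u64 rsa_roundtrip(u64 u, u64 v, u64 P, u64 m)
{
    struct rsa_key k;
    if (!rsa_keygen(u, v, P, &k))
        return (u64)-1;
    return rsa_decrypt(&k, rsa_encrypt(&k, m));
}

int main(void)
{
    struct rsa_key k;
    rsa_keygen(5, 11, 7, &k);
    printf("n=%llu phi=%llu P=%llu Q=%llu K=%llu\n", k.n, k.phi, k.P, k.Q, k.K);
    printf("m=2 -> c=%llu -> m=%llu\n", rsa_encrypt(&k, 2),
           rsa_decrypt(&k, rsa_encrypt(&k, 2)));
    return 0;
}
```

With the article’s values the code reproduces Q = 23 and K = 4, and shows why the coprimality condition matters: asking for P = 8 (which shares a factor with 40) makes `mod_inverse` return 0 and key generation fail, rather than producing a key that silently cannot decrypt.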
-
Abstract This paper attempts to explain one of the critical buffer over?ow vulnerabilities and its detection approaches that check the referenced buffers at run time, moreover suggesting other protection mechanics applied during software deployment configuration. Programs typically written in C or C++ language are inherently susceptible to buffer overflow attacks, in which methods are often passed pointers or arrays as parameters without any indication of their size, and such malpractices are exploited later. Buffer overflows remain one of the most critical threats to systems security, especially for deployed software. Successful mistreatment of a buffer overflow attack often leads to arbitrary code execution in the form of so-called shell code, and thorough control of the vulnerable application in a vicious manner. Essentials We shall showcase buffer overflow vulnerability in a Windows environment via C++ or VC++ code which is typically written via VS 2o1o or Turbo C++. Moreover, it is expected that researchers have a comprehensive understanding about C++ syntax and concepts, especially pointers and arrays by creating a Win32 console application. Turbo C++ compiler VC++.NET GCC Compiler (optional) Buffer Overflow Bug Demo An overflow typically happens when something is filled beyond its capacity. So, buffer overrun attacks obviously occur in any program execution that allows input to be written beyond the end of an assigned buffer (memory block). Thus, it leads the data to overwrite into adjacent memory locations which are already occupied to some existing code instruction. In buffer overflow attacks, the hacker encroaches the preoccupied memory segments for other operation instruction sets to inject malicious arbitrary code, and the pre-determined program behavior is changed eventually. These buffer overflows are the implication of poor programming practices by not putting any boundaries on the size of input the program can handle. 
C and C++ programmed code are a great source to produce buffer overflow attacks, because these languages allow direct access to application memory. Sometimes hackers find other ways to exploit the overflow besides getting their code to run. Certain overflows do not actually allow hackers to take control, but might instead allow them to manipulate extra data. Let’s examine the following bofVul.exe login console based program which accepts user name and password at the command line to validate users. If they enter the correct username and password, it allows access; otherwise, access is denied as follows: This program was running perfectly up till now, but now imagine if a person with a vicious intention enters the parameters in the following form. He is trying to overflow the buffer by entering some garbage values and finally notices that we successfully penetrate the program even without having the correct user name and password. Bingo!!!!!!!!! It is even revealing the welcome message which is flashed when the user enters the correct credentials. So, this is a bit strange, how can this be possible? We have just entered a sequence of raw data in spite of the password and successfully obtained access. Using a different password with the same user id still worked! So it is a clear case of a buffer overflow bug because the strange behavior of program allows you to log in if you specify a long password, regardless of whether the password is correct. Buffer Overrun Internal A buffer overflow is one of the costliest security vulnerabilities known to affect computer software. It is basically defined as when input is larger than the space allocated for it, but it is written there anyhow and memory is overwritten outside the allocated location. In some cases, overflows result from incorrect handling of mathematical operation or attempts to use memory after the memory has already been allocated. 
Although many overflows occur when the program receives more data than it expects, in fact there are many different kinds of overflows. It is important to distinguish between various classes of overflows to be able to develop good test cases to identify specific types of overflows. Integer overflow: When a specific data type of CPU register meant to hold values within a certain range is assigned a value outside that range. An integer overflow often leads to a buffer overflow in cases in which integer overflow occurs when computing the size of the memory to allocate. Stack Overflows: Such overflows occur when data is written past the end of buffers allocated on the stack. Heap Overflow: It occurs when data is written outside the space that was allocated for it on the heap. Format String Attacks: Format string attacks occur when the %n parameter of the format string is used to write data outside the target buffer. It is important to delve deep into the CPU internal infrastructure by examining various registers which play a significant role in memory allocation. EIP [Extended Instructor Pointer]: It is only administrated by the CPU and determines next-to-execute opcode in the memory. It contains the offsets of data and instructions. ESP [Extended Stack Pointer]: It points to the zenith of the stack to assist the CPU to perform a push and pop operation. EBP [Extended Base Pointer]: It is used as a reference point for indirect addressing. EAX/EBX/ECX/EDX: They are used for arithmetic and data movement. Segments[CS/DS/SS/FS/ES/GS]: They are used as a base location for program data, instruction and stack. If a method is called by assembler 'call' commands, a new stackframe is created, with boundaries defined by the EBP and ESP. First, the call command pushes the EIP into the stack to start execution. The previous ESP becomes the new EBP and then space for variables is allocated by subtracting its size from the earlier ESP. 
Finally, at the end of the function call, the ESP becomes the new EBP. Now, let's consider one more buffer overflow samples which are developed under VC++ Studio. Here the user name and password are supplied as a command line argument which is copied into a corresponding fixed length array of character variables by using the strcpy method. Later, the supplied credentials are validated against a predefined password via the strcmp method as follows: #define BUFF_SIZE 10 void creed(char *usr,char *password) { char uN[10]; char pass[10]; strcpy(uN, usr); strcpy(pass, password); if(strcmp(pass,"ajay")) { printf ("n Access Denied n"); } else { printf ("n Welcome:"); .. } } int main(int argc, char* argv[]) { .. creed(argv[1],argv[2]); return 0; } The moment a user enters tom as a user name and ajay as a password via the command line argument, this program successfully validates those credentials and allows access as follows: Now try to enter some bogus data as credentials. As assumed, the program won't allow us to get access as follows. At this moment, everything is running fine and under control. The character variable uN and pass can hold only up to 10 characters and if we input data beyond this fixed length, since we are not performing any bound checking, we are just directly copying the entered data into the buffer directly via the strcpy method. The program would be confused and can't handle such abundant data, which later leads to buffer overflow as follows: Since we are testing this program under the Windows environment, the OS throws the aforesaid exception, which eventually causes the application to crash, because the program accepted too much data beyond the limit of 10. In the case of compiling this program via Turbo compiler, it notifies the buffer overflow exception in a different manner as follows: When executing the aforesaid code, it first pushes the two arguments (user name and password) to creed() method backwards onto the stack. 
It then calls the creed() function. The instruction CALL then pushes the instruction pointer (EIP) onto the stack. The creed () function now pushes the stack frame pointer onto the stack. The current stack pointer (ESP) is then copied into the EBP, making it the new frame pointer (SFP) as follows: Now, the creed() function instruction next instruction address 0x00412206 is saved to the stack, and execution jumps to ebp in the creed() instruction code where user name and password values are copied into eax, which are pushed into stack. Finally, on behalf of both strcpy offsets, the strcmp instruction is executed. Thereafter, the ret opcode is executed, which points out the end of program instructions. If a parameter is entered in the correct form or lesser than the fixed length, the program doesn't show any abnormal behavior. But as we are passing the argument beyond the limit, here we examine the register EBP value as 79797979 which becomes the ESP now as follows: As we move ahead, the execution should jump to 00412209 instead of 0079797979. Hence, Visual Studio throws a run time exception at 79797979 offset where the program denies reading the address space at 79797979 locations. So, the program crashes because execution is halted due to access violation, and buffer overflow attacks occur as follows: Protection Mechanisms The buffer overrun attacks can be thwarted in the Windows environment by making critical configuration changes. Visual Studio C++ compiler offers several options to enable certain checks at runtime such as /GS, RTC, Runtime library check and DEP. These options can be enabled using a specific compiler flag. The /GS option shield against vulnerable parameters passes into a function in the form of a pointer, string buffer, or C++ reference. Normally, the incoming methods parameters are assigned on the stack and are susceptible to being overwritten, just like the return address. 
To avoid this situation, the compiler makes a replica of the vulnerable incoming parameters after storage for local buffers, where they are not in threat of being overwritten. On the other side, the RTC compiler option control run-time checks such as underflow and overflow checking, stack verification and detection of variable use without initialization. However, these run-time checks introduce a performance overhead that is not acceptable for release builds. We must to enable these compiler checks at least: Buffer Security check (/GS) Runtime Library check (Both /RTC1…) Basic Runtime checks (Enable VC++ Run time Library) DEP Visual Studio also provides a Data Execution Prevention (DEP) option during compilation in case of not disabling it at the operating system level. Data Execution Prevention (DEP) is an important feature to protect from buffer overflow attacks. This feature has been available on Windows and assumes that no code is intended to be executed that is not part of the program itself. It uses NX technology to prevent the execution of instructions stored in data segments. This feature requires administrative right to change its settings. We can alter this configuration from the command prompt as follows: For Disable Data Execution Protection Setting bcdedit.exe /set {current} nx AlwaysOff For Enabling Data Execution Protection Setting bcdedit.exe /set {current} nx AlwaysOn We can enable this setting from My Computer advanced setting under Performance options. These options are disabled by default. In order to enable them, log in via Administrative account as follows: After finishing with all the necessary configuration or BOF attack thwarting option enabling, run the program and supply some bogus argument beyond the buffer limit. The operating system will issue a run time buffer overflow exception as follows: Even though /GS aborted the program, these overruns should be fixed. 
Buffer overflow attacks can be avoided at the time of coding by ensuring that input data does not exceed the size of the fixed length buffer in which it is stored. Here, the fixed length buffer size is 10, so calculate the entered data length and make sure it is less than 10 as follows: #define BUFF_SIZE 10 void creed(char *usr, char *password) { .. if (strlen(password)<BUFF_SIZE) { strcpy(uN, usr); strcpy(pass, password); } else { printf ("n Program doesn't support this password n"); exit(1); } ... } int main(int argc, char* argv[]) { .. creed(argv[1],argv[2]); return 0; } Now a buffer overflow attack can be thwarted even if other protections such GS and DEP are not applied at solution configuration. Here, the program alters and exits if data is entered beyond the buffer limit as follows: As we have stated earlier, C and C++ sources are most vulnerable to buffer overrun attack. I am going to pinpoint some C library methods which make you vulnerable. Hence, it is recommended to avoid using these methods into your source code. [TABLE] [TR] [TD]Functions[/TD] [TD]Potential Problem[/TD] [/TR] [TR] [TD]Strcpy(char *str, const char * str2)[/TD] [TD]Str buffer could overflow[/TD] [/TR] [TR] [TD]Gets(char *arr)[/TD] [TD]arr buffer could overflow[/TD] [/TR] [TR] [TD]Getwd(char *arr)[/TD] [TD]arr buffer could overflow[/TD] [/TR] [TR] [TD]Scanf()[/TD] [TD]Arguments can overflow[/TD] [/TR] [TR] [TD]Fscanf()[/TD] [TD]Arguments can overflow[/TD] [/TR] [TR] [TD]Sprint(char * str,const char *str2)[/TD] [TD]Str buffer could overflow[/TD] [/TR] [TR] [TD]Strcat(char * str, const char * str2)[/TD] [TD]Str buffer could overflow[/TD] [/TR] [/TABLE] Final Note In this article, we discussed how buffer overflows are encountered, the varieties of overflows that can materialize, and ways to control the flow of execution to our arbitrary code. We have also covered various forms of prevention mechanisms that can be taken to thwart buffer overrun attacks. 
Memory management and CPU registers have also been covered, giving us the elementary knowledge indispensable to detect and exploit buffer overflow vulnerabilities. We looked into actual exploits, how they were written and where the control of the flow of execution had taken place. Understanding all these sections will aid us in the future when it comes to analysis, debugging, and exploiting buffer overflow vulnerabilities.

By Ajay Yadav|April 23rd, 2014 Sursa: Buffer Overflow Attack & Defense - InfoSec Institute
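Added example (my own code, not from the InfoSec Institute article): bounds-checked replacements for three of the routines in the table above (strcpy, strcat, sprintf) together with the creed() helper from the article rewritten so that both arguments are length-checked before anything is copied. The names bounded_copy(), bounded_cat() and bounded_format() are my own. The point it adds to the article: the check happens in code before the copy, so over-long input is rejected as an ordinary error instead of being caught (or missed) by /GS after the stack has already been corrupted, and the snprintf() replacement treats a return value that does not fit as an error rather than quietly using a truncated string.

```c
/* Bounds-checked replacements for unsafe C string routines, plus creed()
   from the article with both inputs checked. Added example, not the article's code. */
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 10

/* strcpy() replacement: copies only if src plus its NUL fits in dst_size.
   Returns 1 on success, 0 when the input is rejected; dst is untouched on 0. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (n >= dst_size) return 0;          /* no room for the terminating NUL */
    memcpy(dst, src, n + 1);
    return 1;
}

/* strcat() replacement with the same contract. */
int bounded_cat(char *dst, size_t dst_size, const char *src) {
    size_t used = strlen(dst), n = strlen(src);
    if (used + n >= dst_size) return 0;
    memcpy(dst + used, src, n + 1);
    return 1;
}

/* sprintf() replacement: snprintf() never overruns, but it silently truncates,
   so a return value >= dst_size is treated as an error, not as success. */
int bounded_format(char *dst, size_t dst_size, const char *user, const char *host) {
    int n = snprintf(dst, dst_size, "%s@%s", user, host);
    return n >= 0 && (size_t)n < dst_size;
}

/* creed() from the article: 0 = ok, -1 = user too long, -2 = password too long. */
int creed(const char *usr, const char *password) {
    char uN[BUFF_SIZE];
    char pass[BUFF_SIZE];
    if (!bounded_copy(uN, sizeof uN, usr)) return -1;
    if (!bounded_copy(pass, sizeof pass, password)) return -2;
    return 0;
}

/* Exercise bounded_cat() on an 8-byte buffer: 1 if it accepted "abc"+"defg"
   (7 chars + NUL) and then refused one more character. */
int cat_demo(void) {
    char buf[8] = "abc";
    return bounded_cat(buf, sizeof buf, "defg") == 1
        && strcmp(buf, "abcdefg") == 0
        && bounded_cat(buf, sizeof buf, "h") == 0;
}

/* Exercise bounded_format() on a 16-byte buffer: 11 chars fit, 18 do not. */
int format_demo(void) {
    char buf[16];
    return bounded_format(buf, sizeof buf, "alice", "host1") == 1
        && bounded_format(buf, sizeof buf, "alice", "longhostname") == 0;
}

int main(int argc, char *argv[]) {
    if (argc != 3) {
        fprintf(stderr, "usage: %s <user> <password>\n", argv[0]);
        return 2;
    }
    int rc = creed(argv[1], argv[2]);
    if (rc != 0) {
        printf("\n Program doesn't support this %s \n", rc == -1 ? "user" : "password");
        return 1;
    }
    printf("credentials accepted\n");
    return 0;
}
```

Build with /GS on MSVC (or gcc/clang with -fstack-protector) and run it with a 30-character second argument: the program now exits with its own message instead of the /GS "stack buffer overrun" abort, because the over-long input never reaches strcpy().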
-
Subterfuge: The Automated Man-in-the-Middle Attack Framework

Introduction

Surfing the internet through untrustworthy public networks, whether wired or wireless, has been known to be risky for a long time now. We all think twice before logging into our bank account or accessing any kind of sensitive information, but what about simply browsing our favourite site?

A Man in the Middle Attack (MITM) is a type of attack in which an attacker assumes the role of the default gateway and captures all the traffic going to and fro. A MITM attack allows the attacker to eavesdrop on the conversation between the parties, or to actively intervene in the conversation to achieve some illegitimate end. This is a very serious attack and also very easy to perform.

In the image above you will notice that the attacker inserted him/herself in between the flow of traffic between the client and server. Now that the attacker has intruded into the communication between the two endpoints, he/she can inject false information and intercept the data transferred between them.

Subterfuge

Subterfuge is a simple but devastatingly effective credential-harvesting program, which exploits vulnerabilities in the inherently trusting Address Resolution Protocol. Subterfuge provides the framework by which users can then leverage a MITM attack to do anything from browser/service exploitation to credential harvesting, thus equipping information and network security professionals and enthusiasts alike with a sleek “push-button” security validation tool.

Subterfuge is developed in the Python programming language and uses a SQLite database. ARPSpoof from the Dsniff suite is used to poison the target network. Subterfuge also uses SSLStrip to collect user credentials that were sent over a Secure Sockets Layer (SSL) web connection.

Why Subterfuge?

Subterfuge has a sleek web-based interface to allow a user to deploy the software quickly and easily without editing sophisticated text-based configuration files.
Subterfuge automates the configuration process, or, alternatively, streamlines it with a Graphical User Interface (GUI). It also allows the user to view a report of all the different credentials that were harvested.

Subterfuge uses software like SSLStrip, Evilgrade and ARPSpoof. These will be given a brief introduction below.

SSLStrip is a tool written by Moxie Marlinspike. It basically reroutes encrypted HTTPS requests from network users to plaintext HTTP requests, effectively sniffing all credentials passed along the network via SSL. The way it does this is that it lets users connect via HTTP, logs their information, and then redirects their connection to the originally-intended HTTPS server on the internet.

Evilgrade is a modular framework that allows us to take advantage of poor update implementations by injecting fake updates. It works with modules; each module implements the structure needed to emulate a false update of a specific application.

ARPSpoof is a simple tool that allows a user to masquerade as the network gateway by spamming ARP packets. This causes their MAC address to be associated with the IP address of the default gateway, thereby initiating a MITM connection.

Subterfuge Advantages over other MITM Tools

- Intuitive Interface
- Easy to Use
- Silent and Stealthy
- Open Source

Modules in Subterfuge

Subterfuge contains several modules. These help you to customise your attack vectors. Multiple modules can be run simultaneously. The modules in Subterfuge are as follows:

Network View
The Network View allows you to see everything happening on the network. It allows you to quickly and easily launch advanced attack vectors.

Credential Harvester
The User Credential Harvester is the default module for Subterfuge. It allows the user to transparently downgrade an HTTPS session and steal user login credentials. This runs automatically when you hit “Start”.

Module Builder
Module Builder allows you to create your own modules.
You can integrate your own attack code into the framework.

Tunnel Block
This module will block all attempts to avoid MITM exploitation through encrypted tunnelling protocols like VPNs, SSH, and other encrypted protocols. SSLStrip is not included in this module, because SSLStrip automatically runs with Subterfuge. Tunnel Block will prevent the following protocols: PPTP, Cisco IPSec, L2TP, OpenVPN, SSH.

Denial of Service
This module disconnects a client from the network.

HTTP Code Injection
Subterfuge’s HTTP Code Injection module allows a user to inject custom payloads directly into a target’s browsing session. Payloads can be anything from simple JavaScript/HTML injections to browser exploits.

Session Hijacking
The session hijacking plug-in will allow a user to masquerade as a victim within the session that was hijacked. This attack occurs by stealing the cookie used to authenticate to a web service.

Evilgrade Update Exploitation
Evilgrade is a tool that allows a user to spoof an update server on the network. When a victim starts up a program it automatically looks to see if updates exist. Evilgrade steps into this process and sends the victim a malicious payload.

Settings Menu
Subterfuge will attempt to auto-configure for your network. If it fails to configure the network automatically, you can go to the settings menu and manually configure it. The settings menu allows you to control and fine-tune different aspects of your attack, so whether you’re a new user or a seasoned vet you have control over Subterfuge.

Conclusion

Subterfuge is an automated Man-in-the-Middle attack framework. The Subterfuge Framework allows a user to circumvent many security protocols and policies on a computer network with ease and with devastating results to the victims. Subterfuge largely removes the complexity of performing Man in the Middle attacks with the other existing tools and makes it far easier to launch various forms of MITM.
Subterfuge collects user information and credentials on the network to which they are connected. A Subterfuge user ought to be able to steal user credentials, without the victim’s knowledge, even when using a secure protocol such as HTTPS.

References

subterfuge - Automated Man-in-the-Middle Attack Framework - Google Project Hosting

By Mohit Rawat|April 22nd, 2014 Sursa: Subterfuge: The Automated Man-in-the-Middle Attack Framework - InfoSec Institute
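Added example, not part of Subterfuge or the article: a small detector for the ARP poisoning that ARPSpoof performs on the target network. It records the MAC each IP was seen with in ARP replies and flags any later reply that binds the same IP (here the gateway's) to a different MAC, which is exactly the "attacker's MAC becomes associated with the gateway's IP" effect described above. The capture is constructed inline; in a real deployment the records would come from a sniffer, and the gateway binding is pinned from a known-good value first so that a spoofed reply which happens to arrive before the legitimate one cannot become the baseline. The IP/MAC values are made up for the example.

```c
/* ARP poisoning detector: flags a second MAC claiming an already-known IP.
   Added example with a constructed capture; not Subterfuge's code. */
#include <stdio.h>
#include <string.h>

struct arp_reply { const char *sender_ip; const char *sender_mac; };

/* Constructed capture of ARP replies (sender IP -> sender MAC).
   192.168.1.1 is the gateway; ..:0c is the attacker's NIC, which starts
   announcing the gateway's IP from reply 4 onward, as ARPSpoof does. */
static const struct arp_reply CAPTURE[] = {
    { "192.168.1.1",  "aa:bb:cc:00:00:01" },
    { "192.168.1.20", "aa:bb:cc:00:00:14" },
    { "192.168.1.1",  "aa:bb:cc:00:00:01" },
    { "192.168.1.1",  "aa:bb:cc:00:00:0c" },   /* spoofed */
    { "192.168.1.1",  "aa:bb:cc:00:00:0c" },   /* spoofed */
    { "192.168.1.30", "aa:bb:cc:00:00:1e" },
};

#define MAX_HOSTS 64

struct binding { char ip[16]; char mac[18]; };

struct arp_table {
    struct binding hosts[MAX_HOSTS];
    int count;
    char last_suspect[18];   /* MAC of the most recent conflicting reply */
};

void arp_table_init(struct arp_table *t) { memset(t, 0, sizeof *t); }

/* Record a binding. Used both for learning and for pinning a trusted
   gateway MAC before any traffic is processed. */
void arp_pin(struct arp_table *t, const char *ip, const char *mac) {
    if (t->count >= MAX_HOSTS) return;
    snprintf(t->hosts[t->count].ip,  sizeof t->hosts[t->count].ip,  "%s", ip);
    snprintf(t->hosts[t->count].mac, sizeof t->hosts[t->count].mac, "%s", mac);
    t->count++;
}

/* Feed one reply. Returns 1 if it contradicts the recorded binding for
   that IP (a second MAC claiming the same address), 0 otherwise. */
int arp_observe(struct arp_table *t, const char *ip, const char *mac) {
    for (int i = 0; i < t->count; i++) {
        if (strcmp(t->hosts[i].ip, ip) != 0) continue;
        if (strcmp(t->hosts[i].mac, mac) == 0) return 0;   /* consistent */
        snprintf(t->last_suspect, sizeof t->last_suspect, "%s", mac);
        return 1;
    }
    arp_pin(t, ip, mac);   /* first sighting of this IP: learn the binding */
    return 0;
}

/* Run the detector over CAPTURE; returns the number of conflicting replies
   and leaves the offending MAC in *suspect (may be NULL). */
int scan_capture(const char **suspect) {
    static struct arp_table t;
    arp_table_init(&t);
    arp_pin(&t, "192.168.1.1", "aa:bb:cc:00:00:01");   /* trusted gateway MAC */
    int alerts = 0;
    for (size_t i = 0; i < sizeof CAPTURE / sizeof CAPTURE[0]; i++)
        alerts += arp_observe(&t, CAPTURE[i].sender_ip, CAPTURE[i].sender_mac);
    if (suspect) *suspect = t.last_suspect;
    return alerts;
}

/* 1 if `mac` is the address the scan flagged as claiming someone else's IP. */
int suspect_is(const char *mac) {
    const char *s;
    return scan_capture(&s) > 0 && strcmp(s, mac) == 0;
}

int main(void) {
    const char *mac;
    int alerts = scan_capture(&mac);
    printf("%d conflicting ARP replies; last offender: %s\n", alerts, alerts ? mac : "-");
    return alerts ? 1 : 0;
}
```

The detector is deliberately simple: it does not try to tell a legitimate gateway NIC replacement from an attack, so in practice the alert is a trigger to check the gateway's MAC out of band. It also says nothing about SSLStrip itself; that stage is only possible once the ARP step above has succeeded, which is why catching the ARP conflict is the earliest point to detect a Subterfuge-style attack.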
-
Load Library Safely

SRD Blog Author 13 May 2014 11:26 AM

Dynamically loading libraries in an application can lead to vulnerabilities if not secured properly. In this blog post we talk about loading a library using the LoadLibraryEx() API and making use of its options to make it safe.

Know the defaults:

- The library file name passed to a LoadLibrary() / LoadLibraryEx() call need not contain an extension. If one is not specified, then the default library file extension, .DLL, is used. As a result of this feature, if a null is passed as the library name it tries to load ".DLL", which could be exploited by placing a ".DLL" in the path searched.
- The library file name passed to a LoadLibrary() / LoadLibraryEx() call need not specify a directory path. If one is specified, the library is loaded only from the specified path. Otherwise, the following default DLL search order is used:
  1. The current process image file directory (application directory).
  2. The system directory.
  3. The 16-bit system directory.
  4. The Windows directory.
  5. The current working directory.
  6. The directories listed in the PATH environment variable.
- Windows maintains a list of known DLLs, which are basically a set of system DLLs that are always guaranteed to load from the system directory when an absolute name is specified.
- The DllMain() function within the loaded library is called after loading the library into memory.

Control the DLL search order:

There are various options to modify the order in which the library being loaded is searched for, other than the default search order, when an absolute name is provided.
Some of the APIs that can influence the DLL search order/path used by LoadLibraryEx() are as below:

- SetDllDirectory(): Adds a directory to the search path used to locate DLLs for the application
- SetDefaultDllDirectories(): Adds a directory to the process DLL search path
- AddDllDirectory(): Adds a directory to the process DLL search path
- RemoveDllDirectory(): Removes a directory that was added to the process DLL search path by using AddDllDirectory()
- SearchPath(): Searches for a specified file in a specified path
- SetSearchPathMode(): Sets the per-process mode that the SearchPath() function uses when locating files
- SetCurrentDirectory(): Changes the current directory for the current process
- DefaultDllImportSearchPathsAttribute: For managed applications, use this attribute to specify the paths used to search for DLLs during platform invokes

LoadLibraryEx() provides many flags that can be used to alter the default search order. The table below lists most of the flags and also depicts the DLL search order that is followed for each of them. Some of the options even consider the paths set with the above mentioned APIs.

Table 1: Depicting different options to LoadLibraryEx() and how they affect the DLL search order.

Loading library as non-executable:

It is not always required to load a library as an executable image. LoadLibraryEx() makes it possible to load a library as a data file, or an image resource, for example. For this purpose, it supports the following options:

- LOAD_LIBRARY_AS_DATAFILE
- LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE
- LOAD_LIBRARY_AS_IMAGE_RESOURCE
- DONT_RESOLVE_DLL_REFERENCES

These options help in treating a file as a normal data file rather than as an executable module. Loading with these options doesn't call DllMain() and none of the memory space of the loaded DLL data is marked as executable.

Blocking the library from loading:

Sometimes it might be required to block a library, or block an illegitimate library, from loading into an application.
Check out the following facilities to aid that:

AppLocker: AppLocker is a policy based mechanism to block DLLs from loading into applications. These policies can be pushed via group policy. AppLocker can control executables, scripts and installers. When a new DLL loads, a notification is sent to AppLocker to verify that the DLL is allowed to load. AppLocker calls the Application Identity component to calculate the file attributes. It duplicates the existing process token and replaces those Application Identity attributes in the duplicated token with the attributes of the loaded DLL. AppLocker then evaluates the policy for this DLL, and the duplicated token is discarded. Depending on the result of this check, the system either continues to load the DLL or stops the process. AppLocker can block the DLL based on path, publisher or file hash.

Code Signing: Microsoft Authenticode technology can be used to sign the DLL, which is to attach digital signatures to the DLL to guarantee its authenticity and integrity.

To summarize our discussion, to ensure secure loading of libraries:

- Use the proper DLL search order.
- Always specify the fully qualified path when the library location is constant.
- Load as a data file when required.
- Make use of the code signing infrastructure or AppLocker.

Some common attack vectors we see:

- Application directory attacks, especially from the temporary internet or download folder perspective. Particularly when the application is an installer, it is a common thing for people to download the installer into the default directory and execute it from there. Considering that an attacker can drop a malicious file in the default directory, they can make use of the application directory to load the DLLs. Manifest and .local redirection can also be used in this scenario.
- Loading a DLL from memory and also PowerShell DLL injection, which can be used by malware to keep the loading of a malicious DLL from getting detected.
- TOCTOU attacks when loading a library from a remote location.
- Swamy Shivaganga Nagaraju, MSRC engineering team Sursa: Load Library Safely - Security Research & Defense - Site Home - TechNet Blogs
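Added example, not from the MSRC post: a portable model (plain C, no Win32 calls, so it also builds on Linux) of the DLL search behaviour the post describes. It reproduces the default search order, the fully-qualified-path case, the ".dll" appended to a name without extension (so a NULL/empty name turns into ".dll"), and the restricted LOAD_LIBRARY_SEARCH_* flags, over a constructed disk layout in which an attacker has dropped a version.dll (and a bare ".dll") into the Downloads folder an installer was run from, which is the application directory attack from the list above. The flag values are the ones from winbase.h; the directory names, file layout and function names are assumptions for the example, user directories added with AddDllDirectory() and the KnownDLLs list are not modelled, and the real call for the safe case would be LoadLibraryExW(L"version.dll", NULL, LOAD_LIBRARY_SEARCH_SYSTEM32) or a fully qualified path.

```c
/* Model of the LoadLibraryEx() DLL search order over a constructed disk.
   Added example; it does not call the Windows loader. */
#include <stdio.h>
#include <string.h>

/* Flag values as defined in winbase.h (only the ones modelled here). */
#define LOAD_LIBRARY_AS_DATAFILE             0x00000002
#define LOAD_LIBRARY_SEARCH_APPLICATION_DIR  0x00000200
#define LOAD_LIBRARY_SEARCH_SYSTEM32         0x00000800
#define LOAD_LIBRARY_SEARCH_DEFAULT_DIRS     0x00001000

#define MAX_DIRS 8
#define MAX_PATH_LEN 260

/* Assumed process environment: the installer was run from Downloads. */
static const char *APP_DIR     = "C:\\Users\\bob\\Downloads";
static const char *SYSTEM_DIR  = "C:\\Windows\\System32";
static const char *SYSTEM16    = "C:\\Windows\\System";
static const char *WINDOWS_DIR = "C:\\Windows";
static const char *CWD         = "C:\\Users\\bob";
static const char *PATH_DIRS[] = { "C:\\Tools" };

/* Constructed disk: the legitimate DLL plus two attacker-dropped files. */
static const char *DISK[] = {
    "C:\\Windows\\System32\\version.dll",
    "C:\\Users\\bob\\Downloads\\version.dll",  /* planted next to the installer */
    "C:\\Users\\bob\\Downloads\\.dll",         /* planted for the NULL-name case */
};

static int on_disk(const char *path) {
    for (size_t i = 0; i < sizeof DISK / sizeof DISK[0]; i++)
        if (strcmp(DISK[i], path) == 0) return 1;
    return 0;
}

/* Ordered directories LoadLibraryEx() walks for a name without a path. */
static int search_dirs(unsigned flags, const char *dirs[]) {
    int n = 0;
    unsigned restricted = LOAD_LIBRARY_SEARCH_APPLICATION_DIR |
                          LOAD_LIBRARY_SEARCH_SYSTEM32 |
                          LOAD_LIBRARY_SEARCH_DEFAULT_DIRS;
    if (flags & restricted) {
        /* LOAD_LIBRARY_SEARCH_* flags replace the default list entirely. */
        if (flags & (LOAD_LIBRARY_SEARCH_APPLICATION_DIR | LOAD_LIBRARY_SEARCH_DEFAULT_DIRS))
            dirs[n++] = APP_DIR;
        if (flags & (LOAD_LIBRARY_SEARCH_SYSTEM32 | LOAD_LIBRARY_SEARCH_DEFAULT_DIRS))
            dirs[n++] = SYSTEM_DIR;
        return n;
    }
    /* Default order from the post (SafeDllSearchMode enabled). */
    dirs[n++] = APP_DIR;
    dirs[n++] = SYSTEM_DIR;
    dirs[n++] = SYSTEM16;
    dirs[n++] = WINDOWS_DIR;
    dirs[n++] = CWD;
    for (size_t i = 0; i < sizeof PATH_DIRS / sizeof PATH_DIRS[0]; i++)
        dirs[n++] = PATH_DIRS[i];
    return n;
}

/* Resolve `name` as the loader would; writes the chosen path to `out`
   (MAX_PATH_LEN bytes). Returns 1 if a file was found, 0 otherwise. */
int resolve_library(const char *name, unsigned flags, char *out) {
    char file[MAX_PATH_LEN];
    const char *dirs[MAX_DIRS];
    if (name == NULL) name = "";               /* pitfall: NULL becomes ".dll" */
    if (strchr(name, '\\') != NULL) {          /* fully qualified: only that path */
        snprintf(out, MAX_PATH_LEN, "%s", name);
        return on_disk(out);
    }
    if (strchr(name, '.') == NULL)             /* no extension: ".dll" appended */
        snprintf(file, sizeof file, "%s.dll", name);
    else
        snprintf(file, sizeof file, "%s", name);
    int n = search_dirs(flags, dirs);
    for (int i = 0; i < n; i++) {
        snprintf(out, MAX_PATH_LEN, "%s\\%s", dirs[i], file);
        if (on_disk(out)) return 1;
    }
    out[0] = '\0';
    return 0;
}

/* Data-file / image-resource loads never run DllMain(). */
int dllmain_would_run(unsigned flags) {
    return (flags & LOAD_LIBRARY_AS_DATAFILE) == 0;
}

/* 1 if the loader would pick the attacker's copy in the application directory. */
int hijacked(const char *name, unsigned flags) {
    char path[MAX_PATH_LEN];
    return resolve_library(name, flags, path) &&
           strncmp(path, APP_DIR, strlen(APP_DIR)) == 0;
}

int main(void) {
    char path[MAX_PATH_LEN];
    resolve_library("version", 0, path);
    printf("default order    -> %s\n", path);
    resolve_library("version", LOAD_LIBRARY_SEARCH_SYSTEM32, path);
    printf("SEARCH_SYSTEM32  -> %s\n", path);
    resolve_library(NULL, 0, path);
    printf("NULL name        -> %s\n", path);
    return 0;
}
```

Two things the model makes visible that the prose only states: with the default order the planted copy in the application directory wins over the real one in System32, and LOAD_LIBRARY_SEARCH_DEFAULT_DIRS still includes the application directory, so for a system DLL the safe choices are LOAD_LIBRARY_SEARCH_SYSTEM32 alone or a fully qualified path, as the summary above recommends.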