Everything posted by Nytro
-
Cyberterrorism Defined (as distinct from "Cybercrime")
Dimitar Kostadinov, December 21, 2012

Introduction

Technology has developed at a vigorous pace over the last couple of decades, and many unfamiliar terms have come along with that change. Ordinary people are often not familiar with the new words that technological progress, and its interaction with other areas of life, keeps producing. The purpose of this article is to help the reader understand the notion of cyberterrorism. It raises several contested questions: What is cyberterrorism? What is its objective? Are there any real-life cases of it? What is the difference between cyberterrorism and cybercrime? Much more could be said on this increasingly popular subject; this contribution offers some of the answers.

Cyberterrorism

The definition

So far the international community has not agreed on a definition of "terrorism" that can be applied universally. The United States Department of State, however, uses the following one: "...premeditated, politically motivated violence perpetrated against non-combatant targets by sub-national groups or clandestine agents" (Title 22 of the U.S. Code, Section 2656f(d)).

"Cyberterrorism" was coined by Barry Collin in the 1980s. The fact that terrorism carried out by kinetic force has not yet been given a unified meaning in international doctrine undoubtedly impedes a proper definition of its subcategory, cyberterrorism. In a way, defining cyberterrorism is even harder, because of the abstractness inherent in understanding how events occur in cyberspace.

According to NATO (2008), cyberterrorism is "a cyber attack using or exploiting computer or communication networks to cause sufficient destruction to generate fear or intimidate a society into an ideological goal." Another definition comes from the US National Infrastructure Protection Center, part of the Department of Homeland Security: "a criminal act perpetrated through computers resulting in violence, death and/or destruction, and creating terror for the purpose of coercing a government to change its policies" (Wilson, 2003).

Some scholars and politicians avoid the label "cyberterrorism" altogether, insisting that such acts are mere hacking or so-called hacktivism, and that cyber attacks cannot bring about the same amount of death, destruction or fear as traditional terrorism. The word "hacking" became known in the 1970s, when the Altair 8800, the first personal computer, appeared; its purchaser had to assemble the machine and install the software himself (Shinder, 2002).

"Hacktivism" combines two words, hacking and activism. In short, it stands for low-level computer network attacks or digital activity that in most cases cause only a temporary nuisance. Like cyberterrorists, hacktivists pursue political goals, but their activity does not correspond, quantitatively or qualitatively, to the possible outcome of cyberterrorist acts (Stanley, 2010).

The term "cyberterrorism" joins two other terms, cyberspace and terrorism. The prefix "cyber" designates which kind of terrorism is meant; it originates from ancient Greek and means "skilled in steering or governing." Many scholars claim the term is a poor fit, since the Internet (cyberspace) is not digitally, electronically or otherwise controlled. Nevertheless, it is considered more accurate than terms like "virtual space/world/universe/reality," which carry a different existential context and are therefore semantically inappropriate. William Gibson first used the term "cyberspace" in his novel Neuromancer (1984). Today it is widely understood as the environment the Internet creates: all the communication and interconnection of human beings through the computer devices native to this medium.

One scholar defines cyberterrorism as the "convergence of terrorism and cyberspace." The means and their application are essentially the same as in ordinary computer network attacks, with the significant difference that in cyberterrorism the leading motive is to coerce a government or its citizens into complying with political or social demands. Moreover, the act should result in violence or fear to qualify as cyberterrorism. Minor attacks that disrupt services of no great importance are not cyberterrorist acts, although they may prove a very expensive nuisance in economic terms (Stohl, 2007).

Objectives

Without doubt, the emergence of the Internet and its wide spectrum of opportunities has considerably influenced terrorists' methods and behaviour. In his speech before the RSA Cyber Security Conference, FBI Director Robert Mueller warned that although terrorism remains the number one threat, cyberterrorism may displace conventional terrorism from that position. Three main objectives of cyberterrorism can be identified:

Organizational. This objective covers functions such as recruiting, instigation, training, fundraising, communication, planning and spying. According to intelligence reports, terrorist groups now resort to the Internet on a daily basis. Their knowledge of and skill with computer technology are steadily growing, and this build-up would eventually provide the expertise needed to find and exploit vulnerabilities in the online security systems of governments or critical infrastructure institutions (Wilson, 2005). Although those researching terrorist use of the Internet often describe the actors as radical factions seeking some sort of virtual jihad, the actors committing cyberterrorism need not be religiously motivated. The organizational function also lets wrongdoers pursue their objective either through traditional warfare or through technology (Brickey, 2012).

Undermining. Here the goal is to hinder the normal functioning of computer systems, services or websites. The methods used are defacing, denying and exposing. Since Western countries are highly dependent on online structures supporting vital services, these methods are of proven merit. Disruptive activity, however, usually does not entail grave consequences, except perhaps through an unpredictable knock-on effect (Brickey, 2012).

Destructive. Because this purpose aims at the same or similar results as classical terrorism, it is labelled pure cyberterrorism. Through computer technology and the Internet, the terrorists seek to inflict destruction or damage on tangible property or assets, and even death or injury on individuals. There have been no cases of pure cyberterrorism to date, but its occurrence may be only a matter of time, given that states' critical infrastructure has significant security flaws (Brickey, 2012).

History and instances

The first cyber attack by a terrorist group was recorded in 1998, when the Black Tigers guerrillas jammed Sri Lankan embassy email inboxes for a couple of weeks with hundreds of emails generated by special software. During the Kosovo war in 1999, NATO computers were subjected to denial-of-service attacks and email bombs, and Chinese activists defaced US government websites in retaliation for NATO's accidental bombing of the Chinese embassy in Belgrade.

As a whole, cyberterrorism was not really a popular notion until the end of the millennium, when the hysteria around the Millennium bug began to kindle people's imagination. The many apocalyptic scenarios did not transpire, but the fear of what might happen, intentionally or by accident, if computers or technology were to go wrong, remained. Then the 9/11 attacks led inevitably to a new wave of anxiety about every possible terrorist threat.

In 2007 Estonia's government and economy were struck by distributed denial-of-service attacks allegedly conducted by a Russian group; neither NATO investigators nor European Commission experts could, however, link the attack to the Russian government. More recently, the Stuxnet worm, discovered in 2010, sabotaged an Iranian nuclear facility; the Iranian government blamed the joint efforts of the USA and Israel. The latest cyber attacks on Saudi Aramco, RasGas and US banks are considered an Iranian counterstrike.

Cybercrime

An increasing number of criminals are attracted to cybercrime because it is convenient, anonymous, quick, diverse and relatively low-risk. In the past cybercrimes were committed by individuals or loosely organized groups; today organized crime structures and highly trained professionals are deeply involved in this lucrative activity. According to Interpol, in 2007 and 2008 alone the worldwide damage from cybercrime was evaluated at approximately 8 billion USD, and the negative impact of corporate espionage on intellectual property worldwide was estimated at 1 trillion USD (Interpol, 2012).

Cybercrime encompasses the following range of illegal activities:
- attacks against computer data or networks
- internet theft
- internet fraud
- interference with online financial services
- distribution of sexual content involving children
- distribution of malicious software and botnets
- email scams and phishing/pharming
- copyright or intellectual property infringement

The GAO (2007) report contains a diagram contrasting traditional criminal techniques with cybercrime (not reproduced here).

Telling cyberterrorism and cybercrime apart

Depending on context, cyberterrorism may overlap considerably with cybercrime or with ordinary terrorism. One underlying issue is the correct differentiation between the two terms. They are often used interchangeably, which confuses people unfamiliar with the details, and the confusion is further exacerbated when similar terms such as cyberwarfare are applied to a particular case. Brett Pladna (2008: 5), an information security specialist, admits that it is often not easy to distinguish computer network attacks performed by terrorists from cybercrimes committed by hackers, because the attacker, whoever that is, always tries to exploit weak spots in the system regardless of the real motive. Nevertheless, certain trends help draw the line: in most cases of terrorist computer network attacks, the actions have been focused on website defacement and email bombing.

For cyberterrorism to be regarded in the same way as classical terrorism, its acts need more or less to bear the character and magnitude of the latter, meaning death or injury to human beings or physical destruction or damage to property, inflicted through the Internet. The term cyberterrorism usually comprises acts that to some extent resemble conventional terrorist attacks, whereas cybercrime generally covers illicit activity on the Internet as a whole. To overcome the ambiguity, scholars, international and domestic institutions and legislative bodies should adopt a more appropriate course in law and policy. Once the terms cybercrime and cyberterrorism are determinable, we would have a clear view of how to deal with such malignant acts; the only way to get there is to strip both terms of the vagueness surrounding them.

Conclusion

Although many observers believe that terrorist organizations like Al Qaeda do not rely on cyber attacks to achieve their ends, there is enough evidence indicating the opposite. Judging from recent cyber attacks across the globe, a cyber threat is impending. Terrorists undoubtedly want to explore every option to cause great damage to their targets, and cyberspace provides a new battleground that every self-respecting opportunist would be willing to exploit, whether for criminal activity or for cyber attacks on a small or large scale. People tend to fear what is unknown, what is veiled in obscurity; knowledge is a power that can disperse the cloud that prevents one from seeing the truth clearly. By finding a way for even ordinary people to understand clearly the essence of terms like "cyberspace," "cybercrime," and "cyberterrorism," we can ensure that there are fewer digital loopholes for terrorists to take advantage of.

Reference list
- Collin, B. (1996). The Future of CyberTerrorism. Proceedings of the 11th Annual International Symposium on Criminal Justice Issues, The University of Illinois at Chicago. Retrieved 12/12/2012.
- Brickey, J. (2012). Defining Cyberterrorism: Capturing a Broad Range of Activities in Cyberspace. Combating Terrorism Center at West Point. Retrieved 12/12/2012.
- Interpol (2012). Cybercrime. Retrieved 12/12/2012.
- NATO (2008). Cyber defence concept MC0571. Brussels, Belgium.
- Pladna, B. (2008). Cyber terrorism and information security. Retrieved 12/12/2012 from http://www.infosecwriters.com/text_resources/pdf/BPladna_Cyber_Terrorism.pdf
- Shinder, D. L. (2002). Scene of the Cybercrime: Computer Forensics Handbook. Syngress, Rockland (MA), USA.
- Stanley, N. (2010). The truth behind cybercrime, cyberwarfare, cyberterrorism and hacktivism. Bloor. Retrieved 12/12/2012.
- Stohl, M. (2007). Cyber terrorism: A clear and present danger, the sum of all fears, breaking point or patriot games? Crime, Law and Social Change, 46(4).
- U.S. Department of State, Office of the Coordinator for Counterterrorism (2007). Country Reports on Terrorism, April 30, 2007.
- United States Government Accountability Office (GAO) (2007). Cybercrime: Public and Private Entities Face Challenges in Addressing Cyber Threats. Report to Congressional Requesters. Retrieved 12/12/2012 from http://www.gao.gov/new.items/d07705.pdf
- Wikia (2012). IT Law Wiki: Cybercrime. Accessed 12/12/2012.
- Wilson, C. (2003). Computer Attack and Cyber Terrorism: Vulnerabilities and Policy Issues for Congress. CRS Web.
- Wilson, C. (2005). Computer Attack and Cyberterrorism: Vulnerabilities and Policy Issues for Congress. CRS Report for Congress. Retrieved 12/12/2012.

Source: InfoSec Institute Resources – Cyberterrorism Defined (as distinct from "Cybercrime")
-
ShowOff is one of the most important parts of RST. It's not a bad thing; on the contrary, there is no better way to learn "web security" than this. You can't say you know how to prevent/fix a web vulnerability if you don't know how it's exploited. Moreover, there are big companies that offer substantial sums of money to those who find security problems in their own sites: Google, Facebook, PayPal, and I even encourage people to look for vulnerabilities in those sites. Of course, it would be preferable to avoid government sites and especially those of financial institutions...
-
Check whether you can change your avatar/profile picture/signature picture.
-
It's my fault, I made some changes.
-
Nullcon Delhi 2012: Another Security Lab - By Joerg Simon

Description: This talk introduces and demonstrates the latest development state of the Fedora Security Lab and how it implements and aids the "Open Source Security Testing Methodology Manual" by creating the OSSTMM Lab as a tool set for teaching security. It shows how, based on real scientific work, the OSSTMM methodology helps to follow a proper security test path, and how its metric works in order to ascertain and quantify security and trust, not only for computer and network security.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Source: Nullcon Delhi 2012: Another Security Lab - By Joerg Simon
-
Yes, that's what I think too, and it's best that way.
-
Which Linux distributions do you like?
Nytro replied to a13x4nd7u's topic in Operating systems and hardware discussions
I like CentOS (server) too.
-
Brute-Force Attack On SSH, MySQL, VNC Using Metasploit-Framework

Description: In this video I show how to perform a brute-force attack on services like SSH, MySQL and VNC. Why Metasploit? It works well against a target: you can set the brute-force speed, the number of threads and many other options.

Modules used:
- SSH Login Check Scanner (auxiliary/scanner/ssh/ssh_login). This module tests SSH logins on a range of machines and reports successful logins. If you have loaded a database plugin and connected to a database, it records successful logins and hosts so you can track your access.
- MySQL Login Utility (auxiliary/scanner/mysql/mysql_login). This module simply queries the MySQL instance for a specific user/pass (the default is root with a blank password).
- VNC Authentication Scanner (auxiliary/scanner/vnc/vnc_login). This module tests a VNC server on a range of machines and reports successful logins. It currently supports RFB protocol versions 3.3, 3.7 and 3.8 using the VNC challenge-response authentication method.

Module documentation: Penetration Testing Software | Metasploit

Source: Brute-Force Attack On Ssh, Mysql, Vnc Using Metasploit-Framework
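What the same brute force looks like from the target's side, as an added example that is not part of the video or of Metasploit: the script below parses OpenSSH auth.log lines and flags a source that exceeds a failure threshold inside a sliding time window, recording which usernames were tried and whether a successful login followed the burst, which is the trace ssh_login leaves once it finds a valid pair. The log lines are constructed for the example, the threshold and window are assumptions to tune per environment, and only SSH is covered; MySQL and VNC log failed logins in their own formats.

```python
"""Spotting an SSH brute force (the ssh_login pattern) in OpenSSH auth.log lines.
Added example: not part of the video or of Metasploit.  Log lines are constructed;
the failure threshold and window are assumptions, tune them for your environment."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterator, Tuple

# Constructed sample in the format sshd writes to /var/log/auth.log (syslog omits the year).
SAMPLE_LOG = """\
Dec 21 10:00:01 host sshd[2001]: Failed password for root from 10.0.0.5 port 40001 ssh2
Dec 21 10:00:02 host sshd[2002]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2
Dec 21 10:00:02 host sshd[2003]: Failed password for root from 10.0.0.5 port 40003 ssh2
Dec 21 10:00:03 host sshd[2004]: Failed password for invalid user test from 10.0.0.5 port 40004 ssh2
Dec 21 10:00:04 host sshd[2005]: Failed password for invalid user oracle from 10.0.0.5 port 40005 ssh2
Dec 21 10:00:05 host sshd[2006]: Accepted password for msfadmin from 10.0.0.5 port 40006 ssh2
Dec 21 10:30:00 host sshd[2101]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Dec 21 10:31:00 host sshd[2102]: Accepted publickey for alice from 192.168.1.20 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(lines, year: int = 2012) -> Iterator[Tuple[datetime, str, str, str]]:
    """Yield (timestamp, result, user, ip) for every sshd auth line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]


def find_bruteforce(log_text: str, max_failures: int = 5,
                    window_seconds: int = 60) -> Dict[str, dict]:
    """Flag sources with >= max_failures failed logins inside a sliding window.

    Returns {ip: {"failures": n, "users": [...], "succeeded": bool}}.  "succeeded"
    becomes True if an Accepted login from that source follows the burst, which
    is exactly what a scanner that has just found a valid pair looks like."""
    events = sorted(parse(log_text.splitlines()))
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> usernames attempted
    flagged: Dict[str, dict] = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            users[ip].add(user)
            recent[ip] = [t for t in recent[ip]
                          if (ts - t).total_seconds() <= window_seconds]
            recent[ip].append(ts)
            if len(recent[ip]) >= max_failures:
                flagged[ip] = {"failures": len(recent[ip]),
                               "users": sorted(users[ip]),
                               "succeeded": False}
        elif ip in flagged:
            # An accepted login after a flagged burst: the attacker is in, escalate.
            flagged[ip]["succeeded"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed sample, 10.0.0.5 is flagged after its fifth failure within four seconds, with four distinct usernames tried and a successful login right after; the single failure from 192.168.1.20 stays below the threshold. On a real host, feed the function the file contents and pick the threshold from what legitimate users actually produce.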
-
Metasploit WMAP Web Vulnerability Scanner

Description: In this video I show how to use the WMAP plugin in Metasploit-Framework. WMAP automates the web-related auxiliary modules: the plugin runs the supported auxiliary modules automatically and, if a vulnerability is found on the target, stores it in our database. In this video I target one website and find some files and links; sometimes this turns up sensitive information, depending on the website.

Source: Metasploit Wmap Web Vulnerability Scanner
-
Digipass Instrumentation For Fun And Profit

Description: PDF: https://hacktivity.com/en/downloads/archives/223/

Adrian Furtuna has a PhD in Computer Science obtained at the Military Technical Academy of Bucharest, Romania. During his PhD program he extensively studied various attack techniques used in Red Teaming engagements and designed several scenarios for cyber defense exercises. He currently works as a Security Consultant at KPMG Romania, where he is involved in penetration testing projects against web applications, mobile applications and network infrastructures. Adrian is also a lecturer on several master's programs at Bucharest universities, teaching practical aspects of systems security testing, and he is the founder of pentest-tools.com, a place where penetration testers can find a collection of ethical hacking tools that can be used online in their engagements.

Source: Digipass Instrumentation For Fun And Profit
-
Android Programming for Beginners: Part 1
Thursday, 20 December 2012 11:06, Juliet Kemp

With Android phones and tablets making their way into more and more pockets and bags, dipping a toe into Android coding is becoming more popular too. It's a great platform to code for: the API is largely well documented and easy to use, and it's fun to write something you can run on your own phone. You don't even need a phone at first, because you can write and test code in an emulator on your Linux PC. In the first of this two-part intro to Android coding, we get a basic timer app up and running and start learning about the Android API. This tutorial assumes some basic familiarity with Java, XML and programming concepts, but even if you're shaky on those, feel free to follow along.

Dev environment and getting started

A note on versions: the most recent version of Android is 4.2 (Jelly Bean), but, as the version-distribution chart on Wikipedia shows, not many people are using it yet. You're better off coding for 4.0 (Ice Cream Sandwich) and/or 2.3 (Gingerbread), especially as Android is forwards-compatible (your 2.3 code will run on 4.2) but not always backwards-compatible. The code here should work on either 4.0 or 2.3.

The quickest way to set up your dev environment is to download the Android Bundle. You'll also need JDK 6 (not just the JRE); note that Android is not compatible with gcj. If you already have Eclipse, or wish to use another IDE, you can set it up for Android as described in the Android developer documentation.

Now create a project called Countdown, either in Eclipse or from the command line. I set the build SDK to 4.0.3 and the minimum SDK to 2.2, and (in Eclipse) used the BlankActivity template.

My First Android Project: Layout

For our very first program we're going to show a timer that counts down from 30 seconds when you click a button. Before writing the code, let's create the interface, what the user will see when they start the app. Open res/layout/activity_countdown.xml and, using either the Eclipse graphical editor or a text/XML editor, enter this layout:

```xml
<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
    xmlns:tools="http://schemas.android.com/tools"
    android:layout_width="match_parent"
    android:layout_height="match_parent" >

    <TextView
        android:id="@+id/time_display_box"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:layout_alignParentTop="true"
        android:layout_centerHorizontal="true"
        android:layout_marginTop="60dp"
        android:text="@string/_00_30"
        android:textAppearance="?android:attr/textAppearanceLarge" />

    <Button
        android:id="@+id/startbutton"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"
        android:layout_below="@+id/time_display_box"
        android:layout_centerHorizontal="true"
        android:layout_marginTop="41dp"
        android:text="@string/start" />

</RelativeLayout>
```

This illustrates the standard way of referring to Android resources: @string/_00_30 and @string/start point at entries in res/values/strings.xml (add "00:30" and "Start" there if the template did not), and @+id/... creates an ID you can look up from code. It's best practice to use string references rather than hard-coding strings.

My First Android Project: Code

Next, open CountdownActivity.java in your editor, ready to write some code. You should already have an onCreate() method stub generated. onCreate() is always called when the Activity is first created, so you'll often do setup and app logic startup here. (Eclipse may also have created an onCreateOptionsMenu() stub, which we'll ignore for now.) Enter this code, keeping the package declaration Eclipse generated at the top of the file; the imports are the ones the class needs:

```java
import android.app.Activity;
import android.os.Bundle;
import android.os.CountDownTimer;
import android.view.View;
import android.widget.Button;
import android.widget.TextView;

public class CountdownActivity extends Activity {

    private static final int MILLIS_PER_SECOND = 1000;
    private static final int SECONDS_TO_COUNTDOWN = 30;

    private TextView countdownDisplay;
    private CountDownTimer timer;

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Load the XML layout defined above.
        setContentView(R.layout.activity_countdown);

        countdownDisplay = (TextView) findViewById(R.id.time_display_box);
        Button startButton = (Button) findViewById(R.id.startbutton);
        startButton.setOnClickListener(new View.OnClickListener() {
            public void onClick(View view) {
                try {
                    showTimer(SECONDS_TO_COUNTDOWN * MILLIS_PER_SECOND);
                } catch (NumberFormatException e) {
                    // Ignores invalid (non-integer) input and waits for something
                    // usable; only relevant once part 2 reads the time from the user.
                }
            }
        });
    }

    // showTimer() is defined below.
}
```

You'll notice the thing that makes this a surprisingly easy first project: the Android API includes a CountDownTimer that you can use. We set it up, along with the countdown display, as private member variables. In onCreate() we use the built-in setContentView() method to load our XML layout. The R.foo.bar syntax is the standard way to refer to Android XML resources in code, so you'll see it a lot. findViewById() is another method you'll use a lot; here it grabs the display and the Start button from the XML layout.

For the Button to work when clicked, it needs an OnClickListener. This is an interface, so it must be implemented. We could create a whole new MyButton class to do this, but that is overkill for a single button. Instead we do it inline, creating an anonymous OnClickListener with its onClick() method. Ours simply calls showTimer() with the number of milliseconds we want (currently hard-coded, so the NumberFormatException catch never fires yet). So what does showTimer() do? Here is the method, which goes inside CountdownActivity after onCreate():

```java
    private void showTimer(int countdownMillis) {
        // Cancel any timer that is still running before starting a new one.
        if (timer != null) {
            timer.cancel();
        }
        timer = new CountDownTimer(countdownMillis, MILLIS_PER_SECOND) {
            @Override
            public void onTick(long millisUntilFinished) {
                countdownDisplay.setText("counting down: "
                        + millisUntilFinished / MILLIS_PER_SECOND);
            }

            @Override
            public void onFinish() {
                countdownDisplay.setText("KABOOM!");
            }
        }.start();
    }
```

The CountDownTimer class does most of the work for us, which is nice. In case there's already a running timer, we start by cancelling it if it exists. Then we create a new timer, passing the number of milliseconds to count down (the showTimer() parameter) and the milliseconds per count interval; this interval is how often the onTick() callback fires. CountDownTimer is an abstract class, and the onTick() and onFinish() methods must be implemented when it is subclassed. We override onTick() to update the countdown display every second, and onFinish() to set a display message once the countdown ends. Finally, start() sets the timer going. One caveat: a running timer keeps calling back into this Activity instance even after it has been destroyed (for example on screen rotation), so cancel it in onDestroy() as well.

If you select Run in Eclipse, you can choose to run this as an Android app, and an emulator will be generated and started for you. Check the Android docs if you need more information on setting up an emulator or on running an app from the command line. Congratulations, you've written your first Android app!

In the second part of this series we'll look more closely at the structure of an Android app and improve the timer: input a countdown time, add a Stop button and add menu options. We'll also look at running it on a physical phone rather than the software emulator. In the meantime, you can check out the Android Development Training section of The Linux Foundation's Linux training website.

Source: Android Programming for Beginners: Part 1 | Linux.com
-
Brute Force Attack With Burp

On many occasions a penetration tester will face a web application with a login form that has to be tested for weak credentials. Burp Suite is probably the best tool for assessing web applications. Its main use is as an intercepting proxy, but it provides many other functions to penetration testers, and it can also be used to attack a login form. In this article we examine how Burp can be used to perform a brute-force attack against a web application.

Let's say that we have the following login form:

Figure: Login form

We submit a username and a password and use Burp to capture the HTTP request.

Figure: Capturing the HTTP request

Then we send the request to Intruder (Action -> Send to Intruder) and clear the positions we don't want to insert payloads into, which are the security-level cookie value (low) and the session cookie. That leaves the following positions:

Figure: Remaining positions

As the attack type we choose Cluster bomb, because it runs every word of the username list against every word of the password list in order to discover the correct combination.

Now it's time to set the payloads for the three positions. We load our username and password wordlists into the payload options of Burp, and for the third position we use the single value Login. The next three images show this configuration.

Figure: Payload set 1, usernames
Figure: Payload set 2, passwords
Figure: Payload set 3, Login

Everything is now ready and we can start the attack from Intruder. Intruder will send HTTP requests to the form based on our payloads, trying all possible combinations.

Figure: Cluster bomb running in Intruder

After inspecting the responses (sorting the results by status code or response length makes the odd one out stand out) we notice that Burp has successfully logged in with the credentials smithy/password.

Figure: Discovery of valid credentials

We can now go back to the application and try to access the admin area with this username and password.

Figure: Access to the admin area

Conclusion

As we saw in this post, Burp is also capable of performing brute-force attacks against web applications. Login forms can be found in almost every web application, and Intruder helps the penetration tester automate these tests. Discovering valid administrator credentials can make the difference in a black-box penetration test. Check the application's account-lockout and rate-limiting behaviour before running a cluster bomb with large lists, though: locking out every account on the target is a quick way to end an engagement.

Source: https://pentestlab.wordpress.com/2012/12/21/brute-force-attack-with-burp/
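The Intruder attack above written out in Python, as an added example that is neither the post's code nor Burp's: cluster_bomb() generates the same username x password combinations Burp's Cluster bomb mode sends, pitchfork() shows the other common mode for contrast, and is_success() applies the check the post does by eye, comparing each response with a failed-login baseline. The wordlists, the valid credential pair and fake_login() are constructed stand-ins for the target so the script runs offline; against a real form, login() would be an HTTP POST, and a form protected by a per-request CSRF token needs the token fetched before each attempt (Burp's recursive grep payload does this), which this example does not handle.

```python
"""Cluster-bomb login brute force, the way Burp Intruder runs it, in plain Python.
Added example: not code from the pentestlab post or from Burp.  The target is a
constructed stand-in (fake_login) so the script runs offline."""
import itertools
from typing import Callable, Iterable, List, Tuple

# Constructed wordlists standing in for the files loaded into payload sets 1 and 2.
USERNAMES = ["admin", "smithy", "gordonb"]
PASSWORDS = ["123456", "letmein", "password"]

# Constructed stand-in for the target application: one valid credential pair.
_VALID = {"smithy": "password"}


def fake_login(username: str, password: str) -> Tuple[int, str]:
    """Mimics a DVWA-style login: a failure re-renders the form (HTTP 200),
    a success redirects to the admin area (HTTP 302 with a much shorter body)."""
    if _VALID.get(username) == password:
        return 302, "Location: index.php"
    return 200, "<html><body><form>Login failed</form></body></html>"


def cluster_bomb(users: Iterable[str], passwords: Iterable[str]):
    """Burp's Cluster bomb: every username against every password."""
    return itertools.product(users, passwords)


def pitchfork(users: Iterable[str], passwords: Iterable[str]):
    """Burp's Pitchfork: the lists are walked in step (user[i] with password[i])."""
    return zip(users, passwords)


def is_success(status: int, body: str, baseline_len: int) -> bool:
    """The check the post does by eye in Intruder's results table: a redirect,
    or a response length that differs from the failed-login baseline."""
    return status in (301, 302) or len(body) != baseline_len


def find_credentials(login: Callable[[str, str], Tuple[int, str]],
                     users: List[str], passwords: List[str],
                     mode=cluster_bomb) -> List[Tuple[str, str]]:
    """Try every combination the chosen mode produces; return the pairs that log in."""
    # Baseline: one deliberately wrong attempt, like the first row Burp shows.
    _, base_body = login("nosuchuser", "nosuchpass")
    hits = []
    for user, password in mode(users, passwords):
        status, body = login(user, password)
        if is_success(status, body, len(base_body)):
            hits.append((user, password))
    return hits


if __name__ == "__main__":
    print(find_credentials(fake_login, USERNAMES, PASSWORDS))
```

With three usernames and three passwords the cluster bomb sends nine requests and finds smithy/password; the pitchfork over the same lists sends three and finds nothing, which is why the mode matters when the lists are independent.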
-
I still don't understand. What connections could they make? The only connections that can be made are username - IP (probably very few anyway). The rest is PUBLIC information. If someone is scared that they did something, I actually recommend they make another account and take care that nobody figures out their old identity. What would be the point of starting over from 0? WHY? Nobody comes up with a logical explanation, it's as if you were women...
-
Study Of Malware Obfuscation Techniques

Description: PRESENTATION ABSTRACT: Malware is widely acknowledged as a growing threat, with hundreds of thousands of new samples reported each week. Analysis of these samples has to deal not only with this quantity but also with the defensive capabilities built into the malware. Malware authors use a range of evasion techniques to harden their creations against accurate analysis; these techniques aim to disrupt attempts at disassembly, debugging or analysis in a virtualized environment. This talk catalogs the common evasion techniques malware authors employ, applying over 50 different static detections, combined with a few dynamic ones for completeness. We validate our catalog by running these detections against a database of 4 million samples (the system is constantly running and the numbers will be updated for the presentation), enabling us to present an analysis of the real state of evasion techniques in use by malware today. The resulting data will help security companies and researchers around the world focus their attention on making their tools and processes more efficient, so as to rapidly overcome the malware authors' countermeasures. This first-of-its-kind, comprehensive catalog of countermeasures was compiled by the paper's authors by researching each of the known techniques employed by malware, and in the process new detections were proposed and developed. The underlying malware sample database has an open architecture that allows researchers not only to see the results of the analysis but also to develop and plug in new analysis capabilities. The system will be made available in beta at Black Hat, with the purpose of serving as a basis for innovative community research.

ABOUT RODRIGO RUBIRA BRANCO: Rodrigo Rubira Branco (BSDaemon) is the Director of Vulnerability & Malware Research at Qualys. In 2011 he was honored as one of the top contributors to Adobe vulnerabilities in the past 12 months. Previously, as Chief Security Researcher at Check Point, he founded the Vulnerability Discovery Team (VDT) and released dozens of vulnerabilities in many important software packages. Before that he worked as Senior Vulnerability Researcher at COSEINC, as Principal Security Researcher at Scanit and as Staff Software Engineer in the IBM Advanced Linux Response Team (ALRT), also working in the IBM Toolchain (Debugging) Team for the PowerPC architecture. He is a member of the RISE Security Group and the organizer of Hackers to Hackers Conference (H2HC), the oldest security research conference in Latin America.

Source: Study Of Malware Obfuscation Techniques
-
Element 1337 In The Periodic Table: Pwnium

Description: PRESENTATION ABSTRACT: Starting with the earliest Chromium Security Reward Program, we'll look at the evolution from $500 in 2010 to $60000 in 2012. Along the way, we'll look at the events and motivations that directed the growth of the program, as well as celebrate some of the more interesting and quirky bugs and individuals involved. Most excitingly, we'll end with results and updates from the previous day's exciting Pwnium 2 competition! There will be lots of time for audience questions.

ABOUT CHRIS EVANS: Chris is known for various work in the security community. Most notably, he is the author of vsftpd and a vulnerability researcher. Details of vsftpd are at http://vsftpd.beasts.org/. He releases vulnerabilities at http://scary.beasts.org/. His work includes vulnerabilities in the Firefox and Safari browsers; the Linux and OpenBSD kernels; Sun's JDK; and lots of open source packages. He blogs about some of his work at Security. At Google, Chris has led or been involved with the security of projects such as Google App Engine, Google Spreadsheets, Picasa Web and Google Finance. He now leads security for Google Chrome. He has presented at various conferences.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Element 1337 In The Periodic Table: Pwnium
-
Dnswalk Tool On Backtrack 5 R3

Description: Dnswalk is a DNS debugger. It performs zone transfers of specified domains, and checks the database in numerous ways for internal consistency, as well as accuracy. dnswalk is not for the faint of heart. It should NOT be used without a firm knowledge of the DNS RFCs. The warnings and errors must be interpreted within the context they are being used in. Something may be flagged as a warning, but in reality it is a really bad error. Conversely, dnswalk will flag things as warnings and possibly even errors, but they may actually be perfectly "legal" or normal in your specific situation. dnswalk is not an AI engine. It just provides useful information which you need to interpret. If you use this tool for cracking or otherwise evil purposes, the author hereby considers you a slime-ball.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Dnswalk Tool On Backtrack 5 R3
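To make the "checks the database in numerous ways for internal consistency" part concrete, here is an added example (not dnswalk's own code, and not from the video) that runs a few of the classic zone-consistency checks a zone administrator wants before a real audit: an in-zone NS or MX target without an address record, an NS or MX pointing at an alias, a CNAME sharing its owner name with other records, and a CNAME pointing at a name that does not exist in the zone. The zone dump format, the example.test origin and the 192.0.2.x addresses are constructed for the example; a real AXFR dump also carries TTL and class fields.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// One resource record as it appears in a zone transfer (AXFR) dump:
// owner name, record type and record data.
struct Record {
    std::string name;
    std::string type;
    std::string data;
};

// Parse a simplified zone dump: one "name TYPE rdata" per line; blank lines
// and ';' comments are skipped. Real dumps carry TTL and class too; this
// constructed format keeps the example self-contained.
static std::vector<Record> parse_zone(const std::string &dump) {
    std::vector<Record> records;
    std::istringstream in(dump);
    std::string line;
    while (std::getline(in, line)) {
        if (line.empty() || line[0] == ';') continue;
        std::istringstream fields(line);
        Record r;
        if (fields >> r.name >> r.type >> r.data) records.push_back(r);
    }
    return records;
}

// True when 'name' is the zone origin itself or lies beneath it.
static bool in_zone(const std::string &name, const std::string &origin) {
    if (name == origin) return true;
    const std::string suffix = "." + origin;
    return name.size() > suffix.size() &&
           name.compare(name.size() - suffix.size(), suffix.size(), suffix) == 0;
}

// dnswalk-style consistency checks. Each finding is a warning string; as the
// dnswalk manual insists, the operator decides whether it is really an error.
static std::vector<std::string> check_zone(const std::vector<Record> &zone,
                                           const std::string &origin) {
    std::vector<std::string> warnings;
    std::map<std::string, std::set<std::string>> types_by_name;
    std::set<std::string> cname_owners;
    for (const Record &r : zone) {
        types_by_name[r.name].insert(r.type);
        if (r.type == "CNAME") cname_owners.insert(r.name);
    }
    auto has_address = [&](const std::string &n) {
        auto it = types_by_name.find(n);
        return it != types_by_name.end() &&
               (it->second.count("A") > 0 || it->second.count("AAAA") > 0);
    };
    for (const Record &r : zone) {
        const bool ns_or_mx = (r.type == "NS" || r.type == "MX");
        // An in-zone NS or MX target needs an address record (glue / host record).
        if (ns_or_mx && in_zone(r.data, origin) && !has_address(r.data))
            warnings.push_back(r.type + " target " + r.data + " has no A/AAAA record");
        // NS and MX targets must not be aliases (RFC 2181, section 10.3).
        if (ns_or_mx && cname_owners.count(r.data) > 0)
            warnings.push_back(r.type + " target " + r.data + " is a CNAME");
        // A CNAME must be the only record at its owner name (RFC 1034, section 3.6.2).
        if (r.type == "CNAME" && types_by_name[r.name].size() > 1)
            warnings.push_back("CNAME " + r.name + " coexists with other records");
        // An in-zone CNAME target should exist in the zone.
        if (r.type == "CNAME" && in_zone(r.data, origin) && types_by_name.count(r.data) == 0)
            warnings.push_back("CNAME " + r.name + " points at missing name " + r.data);
    }
    return warnings;
}

// Constructed sample zone (documentation addresses, not real infrastructure),
// seeded with one instance of each defect above.
static const char *kSampleZone =
    "; constructed example zone for example.test\n"
    "example.test        NS    ns1.example.test\n"
    "example.test        NS    ns2.example.test\n"
    "example.test        MX    mail.example.test\n"
    "ns1.example.test    A     192.0.2.1\n"
    "mail.example.test   CNAME www.example.test\n"
    "www.example.test    A     192.0.2.10\n"
    "www.example.test    CNAME host.example.test\n"
    "old.example.test    CNAME gone.example.test\n";

static std::vector<std::string> run_zone_sample() {
    return check_zone(parse_zone(kSampleZone), "example.test");
}

int main() {
    for (const std::string &w : run_zone_sample()) std::cout << "warning: " << w << "\n";
    return 0;
}
```

Every finding is reported as a warning rather than an error on purpose: just as the description says, a missing glue record for ns2 may be a real outage or may be a host served from another zone, and only the operator who knows the deployment can tell.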
-
Man-In-The-Middle Attack Using Ipv6

Description: In this video you will learn how to perform a man-in-the-middle attack on an IPv6 system. He shows us how to set up your attack tools and how to start spoofing, etc. After all the configuration he shows us how you can hack the user, and if the user logs in somewhere you will get the plain-text password. He shows us this demo on Facebook.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Man-In-The-Middle Attack Using Ipv6
-
Self Defending Database

Description: PDF: https://hacktivity.com/en/downloads/archives/215/

His expertise covers the security of enterprise business-critical software like ERP, CRM, SRM, SCADA, PLC, banking and processing software. He is the manager of OWASP-EAS (an OWASP subproject), a well-known security expert in the enterprise applications of vendors such as SAP and Oracle, who has published a significant number of the vulnerabilities found in the applications of these vendors. He is the writer of multiple whitepapers devoted to information security research, the author of the book "Oracle Security from the Eye of the Auditor: Attack and Defense" and one of the contributors to the "Oracle with Metasploit" project. Alexander has spoken at international conferences such as BlackHat, HITB (EU/ASIA), Source, DeepSec, CONFidence and Troopers.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Self Defending Database
-
Android Security - An Introduction

Description: PDF: https://hacktivity.com/en/downloads/archives/207/

During his studies at the Swiss Federal Institute of Technology, Antonio focused on information security topics with a special interest in system, network and software security. While studying, he worked as a part-time Software Engineer for a Swiss cable TV and Internet provider. After graduation he started to work as an IT Risk Officer for a Swiss financial institute, where he performed IT risk assessments and technical security audits for business-critical applications and infrastructure components. In this function, he gained experience in technical security testing and IT risk assessment methodologies. In June 2011, Antonio joined AdNovum Informatik AG as a Software Engineer, where he works on security-related projects.

Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.

Original Source:
Source: Android Security - An Introduction
-
Post Exploitation – Discovering Network Information In Windows

In network infrastructure penetration tests, if we manage to exploit one system then it is easy to obtain information about the network that this system is part of. This information is important because in almost every network penetration test the ultimate goal is to become domain administrator, and in order to achieve that it is necessary to know the appropriate commands that will help us gather information about the network that we are already inside. In this article we will see how we can gather information about Windows networks, during the penetration test, from the system that we have already exploited.

Let's say that we have exploited a Windows system and we want to know more about the network that this system belongs to. The first and most common command is of course ipconfig /all, which will display all the information about the network adapters of the host and the Windows IP configuration, as the picture below shows:

[Image: ipconfig /all]

Another command is ipconfig /displaydns, which will display the contents of the local DNS cache.

[Image: Display Local DNS Cache]

Systems in internal networks most of the time contain shared folders, which can be listed with the command net share.

[Image: System Shares]

We might also want to discover other internal networks that exist by examining the machine's routing table with the command route print.

[Image: Routing Table]

The ARP -A command will list all the systems that are currently in the machine's ARP table, helping us to discover other valid hosts.

[Image: ARP Table]

We can also use the network diagnostic command of the system to obtain information about the operating system, network adapters, network clients and other network configuration with the command netsh diag show all.

[Image: network diagnostic]

Another piece of information that is important to learn about the host that we have exploited is which other hosts are in the same workgroup. The command that we will need to type is net view.

[Image: Discover Hosts on the same workgroup]

Last but not least, the netstat command can be used with the parameters -n -a -o to display all the active connections along with the IP addresses and process ID of each connection.

[Image: Active Connections]

Conclusion

In this article we saw some common commands and their output that can be used for post exploitation activities in Windows networks. The majority of these commands will help us to identify new hosts and network shares, which can lead us to compromise further systems on the network.

Source: Post Exploitation – Discovering Network Information In Windows
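The same command list reads, from the defender's side, as a detection signature: each of these commands is routine on its own, but a burst of several different ones from one host in a few minutes is the pattern the article describes. The example below is added here and is not from the article; it classifies constructed process-creation records (the "seconds|host|command line" format and the WS01/WS02 hosts are made up for the example) against the article's command list and flags hosts that ran at least four distinct discovery commands inside a five-minute window.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Constructed process-creation audit records (not real telemetry), one per
// line: "<seconds>|<host>|<command line>".
static const char *kSampleEvents =
    "1000|WS01|ipconfig /all\n"
    "1010|WS01|IPCONFIG /displaydns\n"
    "1015|WS01|net share\n"
    "1020|WS01|route print\n"
    "1025|WS01|arp -a\n"
    "1030|WS01|net view\n"
    "1035|WS01|netstat -n -a -o\n"
    "1040|WS01|notepad.exe report.txt\n"
    "5000|WS02|ipconfig /all\n"
    "9000|WS02|net view\n";

struct Event {
    long ts;
    std::string host;
    std::string cmd;
};

static std::string to_lower(std::string s) {
    for (char &c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Map a command line to the discovery command from the article it matches,
// or "" when it is not one of them. Matching is case-insensitive because
// cmd.exe is.
static std::string classify(const std::string &cmdline) {
    static const char *const kDiscovery[] = {
        "ipconfig /all", "ipconfig /displaydns", "net share", "route print",
        "arp -a", "netsh diag show all", "net view", "netstat"};
    const std::string lower = to_lower(cmdline);
    for (const char *pattern : kDiscovery) {
        if (lower.find(pattern) != std::string::npos) return pattern;
    }
    return "";
}

static std::vector<Event> parse_events(const std::string &text) {
    std::vector<Event> out;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        std::istringstream f(line);
        std::string ts, host, cmd;
        if (std::getline(f, ts, '|') && std::getline(f, host, '|') && std::getline(f, cmd))
            out.push_back({std::stol(ts), host, cmd});
    }
    return out;
}

// Flag every host that ran at least `threshold` distinct discovery commands
// within any `window`-second span (sliding window over that host's events).
static std::vector<std::string> detect_discovery_burst(const std::vector<Event> &events,
                                                       long window, std::size_t threshold) {
    std::map<std::string, std::vector<std::pair<long, std::string>>> by_host;
    for (const Event &e : events) {
        const std::string label = classify(e.cmd);
        if (!label.empty()) by_host[e.host].push_back({e.ts, label});
    }
    std::vector<std::string> flagged;
    for (auto &entry : by_host) {
        auto &hits = entry.second;
        std::sort(hits.begin(), hits.end());
        for (std::size_t i = 0; i < hits.size(); ++i) {
            std::set<std::string> distinct;
            for (std::size_t j = i; j < hits.size() && hits[j].first - hits[i].first <= window; ++j)
                distinct.insert(hits[j].second);
            if (distinct.size() >= threshold) {
                flagged.push_back(entry.first);
                break;
            }
        }
    }
    return flagged;
}

static std::vector<std::string> run_event_sample() {
    return detect_discovery_burst(parse_events(kSampleEvents), 300, 4);
}

int main() {
    for (const std::string &host : run_event_sample())
        std::cout << "discovery burst on host " << host << "\n";
    return 0;
}
```

The threshold counts distinct commands rather than raw events so that one script re-running ipconfig does not trip it; WS02 in the sample runs two of the commands hours apart and stays quiet, while WS01 runs seven of them in under a minute and is flagged.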
-
Reverse-Engineering Arrays
Dejan Lukan December 19, 2012

Introduction

Whenever we would like to reverse-engineer a function, we need to know exactly how the function is being called: its calling convention, number of parameters, parameter types, parameter values, etc. After Ida analyzes the program, it will create comments for known parameters being passed to known functions. The function names will also be preserved, and an automatically generated name will not be assigned to such a function. An example of such a function is GetCurrentDirectoryA, a function call we can see in the picture below:

We can see that the address of the function GetCurrentDirectoryA is being loaded into register edi. Then we're moving the hexadecimal value 0x104 into register esi. Let's ignore the jump instruction for now, since it's not important at the moment. Then we're loading some address, which is currently unknown, into the register eax and pushing that address onto the stack as the lpBuffer parameter. After that we're pushing the register esi onto the stack as the parameter nBufferLength and calling the GetCurrentDirectoryA function. If we go to the MSDN website and take a look at the GetCurrentDirectoryA function prototype, we will see the following:

We can see that Ida has correctly identified the names of the parameters that we're pushing on the stack right before calling the GetCurrentDirectory function. If we take a look at the explanation of the function, we'll figure out that the nBufferLength parameter specifies the length of the buffer for the current directory string, including the null character. The lpBuffer parameter holds a pointer to the buffer that receives the current directory string. If the function succeeds, the return value specifies the number of characters that are written to the buffer, not including the terminating null character. If the function fails, the return value is zero. To get extended error information, call GetLastError [1].
We saw that Ida automatically recognized the parameters that were passed to the GetCurrentDirectoryA function, which can be a great help when reverse-engineering a binary. But we must also mention that Ida doesn't always know how to identify the parameters being passed to known functions, so from time to time we'll have to rely on our own knowledge to identify those parameters. In the next part of the tutorial we'll present a few basic programs and their disassembled versions to show how the higher-level C++ code is compiled into lower-level assembly code. First we must present a few basic programs in C++ that we'll compile into their binary form, which we'll later analyze. We'll present C++ code that uses arrays in different situations and then reverse-engineer it in Ida.

Global Arrays

We know that arrays are contiguous blocks of memory, but we must differentiate between the locations where the arrays are stored. The arrays can be stored in the global scope of the program, on the stack, or on the heap. The first program, which stores the array in the global scope of the program, written in C++, is presented below:

    #include <iostream>

    // global array: storage is reserved in the .bss section at compile-time
    int a[10];

    int main(int argc, char **argv) {
        for(int i=0; i<10; i++) {
            a[i] = i;
        }
        return 0;
    }

We can see that the program is very simple; first we're creating an array in the global scope of the program, which we're iterating over in the main function of the program, assigning each element its corresponding index. At the end the array will look like this: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 (the index starts at 0). If we compile and run the program right now, it won't do anything, since we're not printing the array on the screen.
An example of this can be seen in the picture below, where we first compiled the program into the array1 executable and later ran it on the system: If we open the array1.exe executable in Ida now, the program will be analyzed and Ida will present the start method, which is shown below: We can see that the start method initializes the stack and then calls the sub_401000 function to do its work. In order to further determine what the executable actually does, we need to examine that function. It's good if we can first present the graph of how the functions are called in the current executable; the xrefs graph can be seen in the picture below: In the C++ code, we know that we're assigning the number 11 to the ninth element of the array, so it would be a good idea to search for the immediate value 0xB (the number 11 in hexadecimal representation) using the Search – Search immediate functionality. The following window will be presented to us: In the "Value to search" box we entered the value 0xB and checked "Find all occurrences," then pressed the OK button. Ida will look for all 0xB immediate constants throughout the program and will display a view notifying us about them. The view will look like the picture below: We can see that many of the immediate 0xB constants were found, but we're looking for such a constant in the .text section of the program, so only the first five options are really relevant. Most probably, the fifth option isn't the one we're looking for, since it's comparing the 0xB constant to the value stored in register eax, and we're looking for an assignment of the constant 0xB to some value. Thus, we need to scroll over only the four options that are left; we'll quickly find out that it's the fourth option that we're looking for, and it's located at the 0x004013C3 virtual address.
The whole code of the function that also holds the 0x004013C3 location is presented in the picture below: The function's name is sub_40138C and it is being called from the function sub_401000 (notice the cross reference). Actually, this is the function that we're looking for, because the code presented above loops through the array and assigns the appropriate values to each element of the array. The graphical representation of the code above is presented in the picture below: At loc_4013B7, we can see that we're comparing the value stored at [esp+20+var_4] to the constant 9, which is exactly the comparison of the for loop in the C++ code. If the number stored at that address doesn't equal 9, then the program execution is redirected to loc_4013A4. That subsection increments the specified value by 1 and continues the looping process. When the loop is done, we're jumping to the last block in the picture above, where we're storing the 0xB constant in the eax register and overwriting the last entry in the array. Then we're storing the offset to the cout function at [esp+20+var_20] and printing the last entry of the array. At the end we're returning 0 and quitting the program. If we right click on the dword_405020 variable and select "Jump in a new window," the disassembly of that virtual address will open in a new window, as we can see in the picture below: We can see that we're referencing the dword_405020 variable that is part of the .bss section, which holds the variables that can be allocated at compile-time rather than run-time. We know that the .bss section contains the uninitialized global variables that are declared outside any function.
After the function is done executing, the memory will look as we can see in the two pictures below; the first picture presents the hexadecimal view and the second picture presents the disassembly view of the memory in question: We can see that both pictures present an array of integers, where the numbers are being increased from 1 to 9 and saved into contiguous memory locations. But why are three out of four bytes marked as zero? It's because each integer is 4 bytes in size, but we're only using 1 byte, since the numbers are very small, so the other three bytes must be left at zero. If we take a look at the instruction that writes the number to the specified memory locations, we can see that it's using "dword_405020[eax*4]" to index the right element in the array. The usage of eax*4 indicates that each element in the array is 4 bytes long.

Local Arrays

In the previous example we saw how the array is being accessed and written to when using global arrays, where the compiler knows its address at compile-time; but if we try to use a local array, the virtual address of the start of the array is not known in advance, only at run-time. Let's present the same program we used in the previous example, but move the array inside the main function, so the whole program will look like this:

    #include <iostream>

    int main(int argc, char **argv) {
        int a[10];   // local array: lives on the stack, addressed relative to ESP
        for(int i=0; i<10; i++) {
            a[i] = i;
        }
        a[9] = 11;
        std::cout << a[9] << std::endl;
        return 0;
    }

If we compile and run the program again, it will look like the picture below: We can see that we compiled the program with the g++ compiler and when we ran it, the program output the number 11 as it should. If we now disassemble the program in Ida and find the function that initializes and declares the array, we will find something like the picture below: Notice the difference in assigning the values to the array.
In the previous example, the assignment operations were as follows:

    mov ds:dword_405020[eax*4], edx
    mov ds:dword_405044, 0Bh

The current assignment operations are the following:

    mov [esp+eax*4+40h+var_2C], edx
    mov [esp+40h+var_8], 0Bh

Before, we used the global variable for which the space had already been assigned at compile-time: the dword_405020 variable. But with the local array there is no default variable that is assigned at compile-time. Instead, the space in memory is assigned dynamically at run-time. In the latter example we can see that the index into the array is calculated with [esp+eax*4+40h+var_2C], which is a clear indication that the ESP register is also used to define the exact memory location, so the array must be local and declared on the stack. When the global array was used, the dword_405020 variable was used to define the exact virtual address of the memory location, but here it's the ESP register. The var_2C is a local variable that holds a negative number that needs to be added to the ESP virtual address to get the address of the array on the stack. When assigning the 0xB constant to the ninth element of the array, the var_8 local variable is used, which calculates the exact address of the ninth element of the local array on the stack. The var_2C local variable holds the value -0x2C, while the local variable var_8 holds the value -0x8. The [esp+eax*4+40h+var_2C] is evaluated as [esp+14h], [esp+18h], [esp+1Ch], etc., while the [esp+40h+var_8] is evaluated as [esp+38h]. This makes perfect sense and exposes the virtual addresses of all the elements of the local array. The first element a[0] is located at [esp+14h], the second element a[1] is located at [esp+18h], etc., and the last element a[9] is located at [esp+38h].
Heap Arrays

There's one more place where we can allocate arrays: on the heap. To do that, we must introduce the new keyword into the C++ program. If we rewrite the program so it will use the heap for storing the array, the actual code will look like the one below:

    #include <iostream>

    int main(int argc, char **argv) {
        // 10 elements on the heap via operator new[]; note that new int(10)
        // would instead allocate a single int initialized to 10
        int *a = new int[10];
        for(int i=0; i<10; i++) {
            a[i] = i;
        }
        a[9] = 11;
        std::cout << a[9] << std::endl;
        return 0;
    }

Notice that the use of the new operator reserves space on the heap at run-time. The picture below presents compiling and running the program the same way as we already did in the previous two examples. When we load the array3.exe executable into Ida, we can quickly locate the relevant function inside it, since the program is basically the same as before. The graphical overview of the relevant code is presented in the picture below: In the first block above, we're initializing the stack and then moving the value 0x28 onto the stack, which is the first and only parameter to the function Znaj, which is the call that implements the new keyword. 0x28 bytes is exactly 40 bytes, which is 10*4=40 bytes (10 elements of the array). After the allocation, the virtual address is stored in the eax register, which is then saved into the [esp+20h+var_8] variable on the stack. The [esp+20h+var_4] value holds the index into the array, which is first initialized at 0 and then increased to 9. The "mov [eax], edx" instruction saves the current index value at the address returned by the new operation, which is a memory region on the heap.

Conclusion

We've seen different uses of arrays in assembly language. The easiest way to figure out that we're dealing with an array is noticing the use of the eax*4 index, which increases the array index in each iteration by 4.
References:

[1]: GetCurrentDirectoryA function, accessible on http://msdn.microsoft.com/en-us/library/windows/desktop/aa364934(v=vs.85).aspx.

Source: InfoSec Institute Resources – Reverse-Engineering Arrays
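As an added example, not from the article, the program below checks from the C++ side the three facts the disassembly reveals: the element stride is 4 bytes (the eax*4 scaled index), the address of a[i] is exactly base + i*4 whether the base is a global symbol, the stack pointer plus an offset, or a heap pointer in a register, and a 10-element int array on the heap requests 10*4 = 40 (0x28) bytes. It also counts the zero bytes in an element holding a small value, which is why three of every four bytes in the article's memory dump are zero. The function names are the example's own; it assumes a platform where int is 4 bytes.

```cpp
#include <cstddef>
#include <cstring>
#include <iostream>

// Global array: its address is fixed at link time, so the disassembly names
// it directly (dword_405020 in the article's build).
int g_array[10];

// Fill the array as the article's loop does, then apply the "a[9] = 11"
// overwrite; returns the last element (the 0Bh immediate the article searches for).
static int fill_like_article(int *a, std::size_t n) {
    for (std::size_t i = 0; i < n; ++i) {
        a[i] = static_cast<int>(i);
    }
    a[n - 1] = 11;
    return a[n - 1];
}

// Bytes between consecutive elements: the "*4" in the eax*4 scaled index.
static std::ptrdiff_t element_stride(const int *a) {
    return reinterpret_cast<const char *>(&a[1]) -
           reinterpret_cast<const char *>(&a[0]);
}

// Redo the address arithmetic the disassembly performs (base + index*4) by hand
// and check that it lands on the same address the compiler uses for a[index].
static bool index_matches_scaled_addressing(const int *a, std::size_t index) {
    const char *base = reinterpret_cast<const char *>(a);
    const int *manual = reinterpret_cast<const int *>(base + index * sizeof(int));
    return manual == &a[index];
}

// Bytes an n-element int array requests from operator new[]: the 28h (40)
// pushed before the call in the article's heap example for n = 10.
static std::size_t heap_array_bytes(std::size_t n) {
    return n * sizeof(int);
}

// Zero bytes inside one 4-byte element: for values 0..9 only one byte is
// used, which is why three of every four bytes in the memory dump are zero.
static int zero_bytes_in_element(int value) {
    unsigned char raw[sizeof(int)];
    std::memcpy(raw, &value, sizeof(int));
    int zeros = 0;
    for (unsigned char b : raw) {
        if (b == 0) ++zeros;
    }
    return zeros;
}

// Exercise all three storage classes the article covers: global, stack and heap.
static bool run_all_three() {
    int local[10];                  // addressed as [esp+...] in the disassembly
    int *heap = new int[10];        // operator new[](10 * 4); base kept in a register
    const bool ok = fill_like_article(g_array, 10) == 11 &&
                    fill_like_article(local, 10) == 11 &&
                    fill_like_article(heap, 10) == 11 &&
                    index_matches_scaled_addressing(local, 7) &&
                    index_matches_scaled_addressing(heap, 9);
    delete[] heap;
    return ok;
}

int main() {
    std::cout << "all three storage classes ok: " << run_all_three() << "\n"
              << "element stride: " << element_stride(g_array) << " bytes\n"
              << "heap bytes for 10 ints: " << heap_array_bytes(10) << "\n"
              << "zero bytes in element holding 9: " << zero_bytes_in_element(9) << "\n";
    return 0;
}
```

The scaled-index check is the point to take away: whatever form the base takes in the disassembly, an operand of the shape base + reg*4 is the compiler's a[i] for a 4-byte element type, and the factor changes with the element size (8 for double, 1 for char).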
-
Reverse Engineering Structures
Dejan Lukan December 18, 2012

Introduction

In this part of the tutorial, we'll take a look at how we can figure out a structure when reverse engineering a binary. First, we must write a C++ program that declares and uses the structure, so that we'll be able to reverse engineer it. The basic difference between arrays and structures is the fact that we're using an index to address consecutive elements of the array, whereas with structures we're using named members to access specific data within the structure. When working with structures, we must keep in mind that the size of the structure is declared as the sum of all its data members aligned on a word boundary in memory. What does that mean? It means that the compiler will align each data structure on a 4-byte boundary, so it can read and write member values from memory more efficiently.

Global Structures

The program written in C++ that uses global structures can be seen below:

    #include <iostream>

    // global instance 'mys' declared together with the structure
    struct s {
        int x;
        int y;
        int z;
        double value;
    } mys;

    int main(int argc, char **argv) {
        mys.x = 1;
        mys.y = 2;
        mys.z = 3;
        mys.value = 9.9;
        std::cout << mys.value << std::endl;
        return 0;
    }

Let's compile and run the program to see what it does. We can do that by downloading the MinGW software package in Windows and issuing the two commands that can be seen in the picture below: We compiled the program with the g++ compiler and after running it, the program output the number 9.9. In the source code of the program, we're first defining a structure that has four members: variable x, an integer; variable y, an integer; variable z, an integer; and variable value, a double. The structure can represent points and their values in a three-dimensional space.
We're also defining an instance of the structure named mys when declaring the structure: note that this is just a shortcut for declaring the structure in the normal way, like "struct s mys." If we load the program in Ida, we can quickly find the following disassembly, which initializes the x, y, z members of the structure to the numbers 1, 2, 3 and sets the member 'value' to 9.9. The disassembly can be seen in the picture below: In the assembly code, we can see the direct assignment of the values 1, 2, 3 and 9.9 to certain memory locations by using the variables dword_405020, dword_405024, dword_405028 for variables x, y and z and dword_405030, dword_405034 for the variable 'value'. In the assembly code, there is no math involved at all, so we really can't be sure whether a structure is involved or not. The way we see it, the program references a few global variables rather than the members of a structure.

Local Structures

First let's present the C++ program that allocates the structure locally and assigns its members. Basically, the program is the same as with the global structures, except that the structure is declared locally; all the rest is the same. The whole C++ program is as follows:

    #include <iostream>

    struct s {
        int x;
        int y;
        int z;
        double value;
    };

    int main(int argc, char **argv) {
        struct s mys;   // local instance: lives on the stack
        mys.x = 1;
        mys.y = 2;
        mys.z = 3;
        mys.value = 9.9;
        std::cout << mys.value << std::endl;
        return 0;
    }

We can see that we're first declaring the structure with four members: variables x, y and z of type int and variable 'value' of type double. We can compile the program into a Windows executable and run it. We can see that in the picture below: Okay, so the program works as expected, because it outputs the number 9.9. But we're interested in the disassembled version of the program, which we can obtain very quickly by opening up the executable in Ida Pro and finding the appropriate section of the executable.
The disassembly listing can be seen below: In the disassembled function, we can quickly figure out that we're using 0x30 bytes for local variables, which follows from the fact that we're declaring the structure locally. In the previous example, where we declared the structure globally, we only used 0x10 bytes on the stack for local variables. We can also see that this time we're not assigning the values 1, 2, 3 and 9.9 to global variables in the assembly; instead we're using the stack pointer ESP with the right offsets to access certain members of the structure. The x variable from the C++ code lies at the address [esp+30h+var_18], which means that the local variable var_18 is used to reference the x member of the structure. The same goes for the other members, where var_14 is used for member y, var_10 is used for member z, and var_8 and var_4 are used for member 'value'. This gives the impression that the function is using different local variables to hold the values assigned to them, but in reality we're defining the members of the previously defined structure 's'. When we know how a certain function uses a structure, we can rename the local variables to define the structure more clearly. This also presents another useful feature of Ida: renaming the variables automatically generated by Ida itself. The disassembly with the renamed local variables could look like the picture below: Notice that the local variables that used the offsets into the structure are now renamed to reflect their real members x, y, z and 'value'. This can be a valuable help if we would like to share our work with others; maybe putting a few comments in there wouldn't be such a bad idea either.

Heap Structures

Heap structures are basically the same as local or global structures, except that they are allocated on the heap.
I guess we should first present the program written in C++ that does exactly that: it allocates the structure on the heap, assigns certain values to its members and prints the value stored in the member 'value'. Such C++ code can be seen below:

    #include <iostream>

    struct s {
        int x;
        int y;
        int z;
        double value;
    };

    int main(int argc, char **argv) {
        s *mys = new s;   // heap instance: operator new returns the pointer
        mys->x = 1;
        mys->y = 2;
        mys->z = 3;
        mys->value = 9.9;
        std::cout << mys->value << std::endl;
        return 0;
    }

Upon compiling and running the example code above, the program will print the value 9.9, as we can see in the picture below: When we load the program with Ida Pro, we can quickly find the relevant code the above program was compiled into. The assembly version of the above program can be seen in the picture below: Notice that we're first calling the Znwj function, which corresponds to the new operator in C++. That function creates a new struct on the heap and stores the pointer to the structure in eax, which we're writing to the address on the stack [esp+20h+var_4]. Afterwards, we're using this pointer to get access to the various structure members by using the appropriate offsets into the structure: [eax], [eax+4], [eax+8], [eax+10h] and [eax+14h]. We're also passing the 0x18 constant to the new function, which means that the struct's size is 0x18 (24 bytes).

Defining Structures Manually in Ida

In the preceding examples we saw how the structures from C++ were translated into assembly code. Let's summarize how the structure members were accessed in each of the three examples.
When we declared the structure globally, the structure was accessed as follows:

    mov ds:dword_405020, 1
    mov ds:dword_405024, 2
    mov ds:dword_405028, 3

When we declared the structure locally, the structure was accessed as follows:

    mov [esp+30h+var_18], 1
    mov [esp+30h+var_14], 2
    mov [esp+30h+var_10], 3

When we declared the structure on the heap, the structure was accessed as follows:

    mov eax, [esp+20h+var_4]
    mov dword ptr [eax], 1
    mov dword ptr [eax+4], 2
    mov dword ptr [eax+8], 3

We can see that in the second and third case, we're using offsets to access certain members of a structure. We should tell Ida that we're dealing with a structure, since Ida can only detect the use of a known structure by itself; it certainly can't detect the use of a custom structure as in the above cases. We can open the Structures window by going to View – Open Subviews – Structures to see whether Ida has detected the use of any structure in the program. Currently there are no structures in this executable, as we can see below: There are some comments presented in the structures view that inform us how we can use the structures window. To create a structure, we can press the Insert key, while the Del key deletes a structure. We want to press the Insert key to insert a new structure. Upon doing that, the following dialog box will pop up: We need to enter the name of the structure, which is only the letter 's', and press OK. A new empty structure will be added to the Structures window, as can be seen in the picture below: To add members to the data structure, we must position our cursor where we want the member to be and press the letter 'd'. We must then keep pressing the letter 'd' until the added member has the required size.
Afterwards, we can right-click the name, which is field_0 by default, and change it to something else. Using that approach, we must add all members of the structure, which in our case are the variables x, y, z and 'value'. We must also ensure the proper alignment of all the fields in the structure. At the end, we can even collapse the structure with the minus '-' key to represent it in one line; the opposite operation is to expand the structure by pressing the plus '+' key. There is an easier way to create a structure in Ida: we can import the structure written in the C/C++ programming language itself by importing a header file into Ida. We can do that by first creating the header file, which will contain only the defined structure itself and nothing else. Then we need to go to File – Load File – Parse C Header File and choose the created header file. Ida will parse and import it and then display the following notification window: The window tells us that the structure was successfully imported. After that, we should go to the Structures window and Insert a new structure with the same name as the one we imported from the header file. This will actually add the structure among all the structures in the executable. We can see the structure 's' being added to the structures window below: To use the structure in the disassembly listing, we have to double-click on the offset that is being used to reference the different members of the structure. Let's take a look at the following program disassembly: In the picture above, it's already evident that we renamed the offsets that reference the different members of the structure to x, y, z, valueH and valueL. After that, we should double-click on the variable x to be taken to the actual stack frame memory address (this can be memory allocated in any section), as follows: Then we should select the first variable of the structure, in this case variable x, and select Edit – Struct Var.
This will display a list of known structures within the executable. In our case, only the imported structure ‘s’ is known, as we can see on the picture below: The structure will be applied to the current address and will consume as many bytes as the size of the structure. This is why we must always select the first member of the structure, because the structure will be applied to that memory address and its corresponding higher memory addresses. After the structure is applied to the current memory address, the disassembly will look like the picture below: We can see that it was worth it, because now the disassembly view is much clearer and easier to read. Notice that we now have a local variable named mystruct that is used later by the function to reference different members inside it. Conclusion We’ve seen how structures are reverse engineered in Ida debugger and how to recognize them. But what is more important is the fact that we’ve looked at how to import the structures in Ida and apply them to memory locations, which automatically updates the disassembly view to make it more readable and easier to understand. We should also keep in mind that Ida applies known structures from various system libraries to the executable by default when being analyzed. Usually, different structures are used in different API functions that are part of the system. All the recognized structures will also be added to the structures window, which we can use throughout the program analysis. Sursa: InfoSec Institute Resources – Reverse Engineering Structures
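The layout work the article does by hand in Ida's Structures window (member offsets, alignment padding, and the header file that File – Load File – Parse C Header File consumes) can be reproduced offline. The following is an added example, not code from the article: it uses Python's standard-library ctypes, which applies the native C alignment rules, so the offsets it reports are the ones the compiler used and the ones the structure defined in Ida must match. The member types (x, y, z as int, value as a 64-bit integer, which Ida showed as valueL/valueH) are an assumption based on the article, and all helper names are ours.

```python
"""Added example, not code from the article: compute the layout of the
article's 'struct s' with ctypes, resolve raw displacements such as the 8 in
'dword ptr [eax+8]' to member names (what Ida does once a structure is
applied), and emit the C header one would load into Ida instead of adding
members one 'd' keypress at a time. Member types are assumed."""
import ctypes

# Assumed member list of the article's 'struct s'.
FIELDS = [
    ("x", ctypes.c_int),
    ("y", ctypes.c_int),
    ("z", ctypes.c_int),
    ("value", ctypes.c_longlong),  # 8 bytes; 32-bit code touches it as two dwords
]


class S(ctypes.Structure):
    """Natural (compiler default) alignment."""
    _fields_ = FIELDS


class SPacked(ctypes.Structure):
    """Same members under #pragma pack(1): no padding before 'value'."""
    _pack_ = 1
    _fields_ = FIELDS


def layout(struct_cls):
    """[(name, offset, size)] per member, read from the CField descriptors."""
    return [(name, getattr(struct_cls, name).offset, getattr(struct_cls, name).size)
            for name, _ in struct_cls._fields_]


def struct_size(struct_cls):
    return ctypes.sizeof(struct_cls)


def padding(struct_cls):
    """Alignment padding the compiler inserted. A structure defined in Ida
    without the same padding puts every later member at the wrong offset."""
    return struct_size(struct_cls) - sum(size for _, _, size in layout(struct_cls))


def resolve(struct_cls, disp):
    """Map a raw displacement to 'member' or 'member+delta'. None means the
    displacement lands in padding or outside the structure, which is the sign
    that the wrong structure (or the wrong base address) was applied."""
    for name, off, size in layout(struct_cls):
        if off <= disp < off + size:
            delta = disp - off
            return name if delta == 0 else f"{name}+{delta}"
    return None


def annotate(struct_cls, operands):
    """Rewrite '[reg]' / '[reg+disp]' operands as '[reg+member]', the way the
    listing reads after Edit - Struct Var has been applied."""
    out = []
    for op in operands:
        reg, _, disp = op.strip("[]").partition("+")
        member = resolve(struct_cls, int(disp) if disp else 0)
        out.append(f"[{reg}+{member}]" if member else op)
    return out


def to_c_header(struct_cls, tag="s"):
    """C text to save as a header and import via Parse C Header File."""
    names = {ctypes.c_int: "int", ctypes.c_longlong: "long long"}
    body = "".join(f"    {names[ctype]} {name};\n" for name, ctype in struct_cls._fields_)
    pack = "#pragma pack(push, 1)\n" if getattr(struct_cls, "_pack_", 0) == 1 else ""
    return f"{pack}struct {tag} {{\n{body}}};\n"


# Constructed sample: the heap-access operands from the listing above.
HEAP_ACCESSES = ["[eax]", "[eax+4]", "[eax+8]"]

if __name__ == "__main__":
    for cls in (S, SPacked):
        print(f"{cls.__name__}: size {struct_size(cls)}, padding {padding(cls)}")
        for name, off, size in layout(cls):
            print(f"  {name:6} offset {off:2} size {size}")
    print(annotate(S, HEAP_ACCESSES))
    print(to_c_header(S), end="")
```

The natural-alignment and packed variants are both shown because the article's alignment remark is exactly this point: if the binary was built with 8-byte alignment for the 64-bit member, 'value' starts at offset 16, not 12, and a structure typed into Ida without the 4 padding bytes mislabels every access to it.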
-
SELinux Raises the Bar Against Intruders: An Introduction

Adrian Stolarski, December 14, 2012

A task of any operating system is to provide software that strongly increases its security. A lot of programs of this type have been created; some are better than others. What does it look like in terms of Linux? Of course, here we have many more choices when it comes to this type of software, but some software is worth recommending. Some people already know what I mean: SELinux. Why choose this solution? Why do I think it is so different from other software of this type? And the last key question: who really should use it? This series will show what SELinux is and what it offers to each user. I hope that you will find the answer to all your questions. Despite the fact that SELinux uses the basic standards, it really is very revolutionary. This system, as the name suggests, is Security Enhanced Linux! So I invite you to read this series and learn about this tool.

What is SELinux and where did it come from?

Do you want a book definition? Okay, no problem. SELinux is a system with MAC, or Mandatory Access Control. It implements a security policy called RBAC, Role-Based Access Control. This policy is implemented by DTAC, which is Dynamically Typed Access Control, which also translates as the domain name of Access Control System. True, it sounds a bit baffling. But in practice, it is really very simple. It is only the theory that seems highly complicated.

And now it’s time for something much simpler: a little bit about the history of SELinux

All work on SELinux is sponsored by the U.S. National Security Agency. The money goes to the team that is working on SELinux, the Secure Computing Corp. It should be noted that this company also owns all of the patents for the software. The idea of SELinux, a product that we all know today, is not really new; it is 20 years old. In 1992, a new idea for security resulted in a project called Distributed Trusted Mach. The project developed some innovative solutions, which became part of an operating system called Fluke. Fluke evolved into Flux, which led to the development of the Flask architecture. The Flask architecture was then integrated with the Linux kernel, and the whole newly created project was called SELinux.

How did this happen?

SELinux was the first security project in the history of scientists from the NSA. NSA scientists were the first to have noticed that mainstream operating systems do not have the critical security required to enforce access control and separation of inside information on the requirements of consistency. The result is that most security mechanisms are vulnerable to manipulation and handling, which involves a cascade of consequences. The choice of Linux as a system for the NSA security project was not accidental. Linux was chosen because of two main features:

• growing popularity
• open development environment

NSA’s intention was to present a functionality that could succeed in mainstream operating systems and at the same time would have a chance to contribute to the improvement of the safety of commonly used operating systems. The project that has been registered as SELinux resulted from several previous NSA projects. The work of NSA scientists (meaning researchers sponsored by the NSA) was not intended to solve existing problems of security, and SELinux is in no way an attempt to improve security in Linux. Changes in Linux only covered the introduction of new mechanisms.

What is hiding in the middle of SELinux?

In fact, three elements of this system should attract our attention. The first is the kernel. At first, SELinux tried several kernels, but today the complete infrastructure of SELinux uses the Linux kernel. It is, of course, slightly modified and is called LSM, Linux Security Modules. This infrastructure provides all possible interfaces that allow you to fully control access to all system objects when they are initiated by user actions. These are, for example, opening a file, creating a new folder, or binding ports. How does it work? Well, SELinux simply connects to the interface and forces the use of the system’s own security policy. From the point of view of the administrator who installs SELinux, this system is simply a patch for the kernel.

The second element that I have to mention is that key programs are modified. How does it work in practice? In most cases, SELinux allows all programs a little bit of freedom. They do not need to understand that SELinux is not just Linux. But in any operating system there are some safety-critical software systems that must always be extended to support SELinux. These programs are primarily ssh, ls, ps, xdm, or login. And here again there is a role for Linux. During installation or download, fully modified versions of these programs are required, or security patches must be applied to the source programs to ensure the security of the system.

The third and last thing that distinguishes SELinux is its rules, or policy. What is their role? They define access rights, the right to pursue activities in the system, and the behavior of the SELinux system. Although I mention them third, they are the most important. These rules determine the effective action of the system. A large part of this article will be devoted to writing the rules and the way they are constructed in the system. The truth is that system administrators never, under any circumstances, should be required to write their own rules for the policy, unless there are custom requirements. However, every administrator should have the knowledge that will allow him to modify the rules to suit the system’s needs. In addition to knowing something and being able to use your knowledge, you need to understand all the rules that already exist in the operating system.

How to really grasp the damn thing called MAC?

As already mentioned, the system is a method of enforcing SELinux MAC. So let’s see exactly what it means to us as administrators. Well, I managed to find the main principle, applicable to all systems using MAC. In my opinion, it should be this: none of the users of the system has the right to decide in any way the security and rights of access to objects in the system. All of those rights and security should always be defined according to the security policy of the system. In the case of SELinux, they should be reflected in all policy records.

MAC policy alone is very often confused with ACL. The facts very quickly refute this myth. In fact, ACL does not carry MAC policy. These lists also have yet another disadvantage. In practice, they are very complicated in terms of configuration and maintaining correctness. You can also say that they are different in terms of action. ACL always specifies individual use cases, while MAC always sets out general principles. In fact, ACL support has been withdrawn from the Linux kernel version 2.4.x already. Why did this happen? Because Linux kernel developers decided that ACLs are not really as good a way to control the powers and actions of the user in the operating system. Despite this, those lists are sometimes used. For example, if we have a Samba server, they are often used, because they allow you to set permissions for all the files from the Microsoft Windows client.

Another heavy shortcut, or DTAC

As I mentioned earlier, DTAC is Dynamically Typed Access Control, but it is often translated as the domain name of Access Control System. But that’s not what this section is about. Let’s focus on the real features of DTAC. Shall we begin? In the case of DTAC, each of the objects in the system, whether it is a directory, port, or any device, has its own unique type. What does this mean in practice? Some top-down rules are always forced on each object type. These rules in no way depend on the decision of the user, but the system administrator creates and controls the policy. This means that in any system that uses a DTAC, you can create any number of rules, a thousand or a million, and the system is always prepared. In addition, the system has whole sets of rules on how to take action on all objects of each type. We will return to this subject later. In fact, in the case of DTAC, control and validation testing of all rules are much easier than in other cases. As a curiosity, I should mention that IBM has developed a tool whose main task is to automatically check the consistency and accuracy of a DTAC security policy.

Another heavy stand, the RBAC

As I mentioned earlier, RBAC stands for Role Based Access Control. We can recognize that this is an access control system based on user roles in the system. This term is not often used. Where can we find it? Well, any standard Unix or Linux system has built-in Role Based Access Control. And the truth is that if you look closely at the UNIX system, the roles are always split. There are always certain types of system users, each of whom is entitled to exercise a very limited range of activities. This means that each of them performs a role within the UNIX system. There is another element that qualifies a standard UNIX system to become a system with built-in RBAC. There is something in them called SUID. As you all probably know, SUID can change the user’s role and the actions that can be performed by the user. How does this all work with SELinux? Well, it really is a SELinux RBAC system with built-in rules that are implemented by DTAC. The SELinux system also extends what is called the philosophy of SUID. Thus, it can also extend the understanding of the role of users in the system. To summarize quickly: a SELinux system is designed to allow for a much more flexible way, which is also more accurate and much better suited to your needs, to identify and help implement user roles within the system.

Summary

This is really only a quick introduction to SELinux. The article describes the basics of the mechanism used on a daily basis in this system. It still does not do anything special, but the desire to write a summary of what it is captivated me. On our website, with SELinux we often capture 50 fixes critical to the security system in a very short time, less than seven days. Another decisive advantage is its ease of use. As a Linux system administrator, I have never met a tool that uses such simple rules, yet describes so much. Yet very few administrators so far know the SELinux system. My next article in this series will go a few steps further.

Sursa: InfoSec Institute Resources – SELinux Raises the Bar Against Intruders: An Introduction
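The two rule kinds the article names, type enforcement (the DTAC part) and roles (the RBAC part), and the MAC principle it states (no user can widen access beyond what the policy says) can be made concrete with a small evaluator. The following is an added example, not code from the article or from the SELinux project: it parses a constructed policy fragment written in SELinux's own `allow` and `role` statement syntax and decides requests the way the kernel orders its checks (classic permission bits first, then the LSM hook into SELinux). The type and role names, the policy text and all helper names are constructed for illustration, and only these two statement kinds are parsed.

```python
"""Added example, not the article's or SELinux's code: a tiny evaluator for
'allow source target:class { perms };' (type enforcement) and
'role name types { domains };' (roles) over a constructed policy. Shows that a
world-readable file is still refused when no allow rule exists: the owner's
permission bits cannot extend the policy."""
import re
from collections import defaultdict

# Constructed policy fragment in SELinux's statement syntax (illustrative names).
POLICY = """
allow httpd_t httpd_sys_content_t:file { read getattr open };
allow httpd_t http_port_t:tcp_socket name_bind;
allow user_t user_home_t:file { read write getattr open };
role system_r types httpd_t;
role user_r types user_t;
role sysadm_r types { sysadm_t user_t };
"""

_SET = r"(\{[^}]*\}|\w+)"  # a braced set or a single identifier
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+" + _SET + r"\s*;")
ROLE_RE = re.compile(r"role\s+(\w+)\s+types\s+" + _SET + r"\s*;")


def _members(s):
    return set(s.strip("{}").split())


def parse_policy(text):
    """Return (allow, roles): allow maps (source, target, class) to the set of
    permitted operations; roles maps a role to the domains it may run in."""
    allow, roles = defaultdict(set), defaultdict(set)
    for src, tgt, cls, perms in ALLOW_RE.findall(text):
        allow[(src, tgt, cls)] |= _members(perms)
    for role, domains in ROLE_RE.findall(text):
        roles[role] |= _members(domains)
    return dict(allow), dict(roles)


def te_allows(allow, source, target, cls, perm):
    """Type enforcement: nothing is permitted unless an allow rule says so."""
    return perm in allow.get((source, target, cls), set())


def role_allows(roles, role, domain):
    return domain in roles.get(role, set())


def decide(policy, role, domain, target, cls, perm, dac_allows=True):
    """DAC (permission bits) is checked first, then SELinux is asked through
    the LSM hook. Both must say yes, so a chmod by the owner never widens
    what the policy grants. Returns (verdict, reason)."""
    allow, roles = policy
    if not role_allows(roles, role, domain):
        return ("denied", f"role {role} is not permitted to run in {domain}")
    if not dac_allows:
        return ("denied", "refused by DAC before SELinux was consulted")
    if not te_allows(allow, domain, target, cls, perm):
        # Simplified form of the kernel's AVC denial record.
        return ("denied", f"avc: denied {{ {perm} }} scontext={domain} "
                          f"tcontext={target} tclass={cls}")
    return ("granted", "")


if __name__ == "__main__":
    policy = parse_policy(POLICY)
    cases = [
        ("system_r", "httpd_t", "httpd_sys_content_t", "file", "read", True),
        ("system_r", "httpd_t", "user_home_t", "file", "read", True),  # mode 0644: DAC yes, MAC no
        ("user_r", "sysadm_t", "user_home_t", "file", "read", True),   # role may not enter domain
        ("user_r", "user_t", "user_home_t", "file", "write", False),   # mode 0444: DAC already refuses
    ]
    for case in cases:
        verdict, why = decide(policy, *case[:5], dac_allows=case[5])
        print(f"{case[1]} -> {case[2]}:{case[3]} {case[4]}: {verdict} {why}")
```

The second case is the one that separates MAC from the ACL and permission-bit world the article contrasts it with: the web server's domain can read a home-directory file under DAC, yet the request is refused because no `allow` rule exists for that type pair, and only the policy author can add one. On a real system the contexts these rules refer to are the ones shown by the SELinux-aware `ls -Z` and `ps -Z` the article mentions.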