my obfuscated mind close-up

Prevent Web Application Vulnerability Scanner

2009-07-02T16:36:00.001+04:30

hi guys,
at least i decided to take this blog out of magazine releases news fashion, and pulled one of ideas out of my head, implement it, and write a little about it here.

anyway,let's get on the subject.
Certainly you have experience in working by WEB Application Vulnerability Scanners.They are all going to be improved and this is a big threat to all of web applications.both commercial and non-commercial web apps.
although there is many false positive in their results but most of them make the way of attacking luminous to us.It's great that you can find most of hidden directory in the web sites, check for SQL injection, Cross Site Scripting, Cross Site Request Forgery and so on.
This is great for pen-tester and a threat for security managers !
umm, the question that i asked myself many times was: how to scape from these web app scanners?
I scanned a Content management system(CMS) a few web application vulnerability scanners many many times.then sniffed the requests and the responses.after all i've founded that there is an unique USER-AGENT for each of these web app vuln scanners.in some of them you can change the USER-AGENT value,but in some this options is not implemented.and of course many users of these softwares that allow you to change, do not change the default value of USER-AGENT. So this is a good way to identify the web app vuln scanner softwares. however this can not fool elite users of these softwares.
It was still a possibility, not a fact. So i decided to examine this.
I fired up IBM Rational AppScan. Then check the request that AppScan Sent to remote http server. It was "Mozilla/4.0 (compatible; MSIE 6.0; Win32)" .
Also you can grab this USER-AGENT value by a short PHP code such as:

It will write down the USER-AGENT value of anything(browser, web app scanner and so on...) that request this page in data.txt besid itself.
Well,this is a good idea to foolish these scanners. So we fake a 404 error page for them.ha?!
ok let's write the code..

then i've scanned this page by AppScan automatically and it just detected the 404 error. then found out Manual test in Scan menu.I send a query and again 404 !
after all i saw AppScan Browser.I opend the page with it,and yes welcome message :-(

I checked it and found out that it use a different USER-AGENT, So i grab it and added in IF condition after an OR Logical Operator.then refreshed the page and finally 404 error :-)

finaly the code goes something like this:

be careful about what USER-AGENT you are fil*ter*ing in your code.if you fil*ter a usual USER-AGENT , so many of blameless visitors of your web site see 404 error page!!
well,may be it's not the best way and writing a secure program is better, but always there is something that you forget,and there is someone else that [ab]use it to smash your web app ! so this can be a guard between you and the Artificial Intelligence of these Web App vuln scanners.though you can not foolish an elite user with these kind of tricks.;)

that was all..

P.s. : this post is old! more or less for 7 months ago, I took this in draft for some skit reasons but now decided to publish it.

comments are welcomed ;-)

Snoop Magazine news Releases

2009-05-15T18:21:00.003+04:30

Another Hi after a long time of silence on my blog. btw it's good, at least that's I'm still alive!

In this period of time we were working on Snoop Digital Security Magazine!

Well we have released 2 version of magazine!
one of them was No#2 of Snoop Magazine and contains below topics:

- Deep Look at SEH Overwrite Exploitation Techniques
- One Attack, One Solution.. (GreenSQL DB Firewall)
- Deep into Metasploit - Part 2
- Surf Jacking
- Analysis of CVE-2009-0658
- Introduction to Honeypots
- Using Dynamic IP Restrictions in IIS7
- Introduction to Cisco Security Solutions and CS-MARS
- Top 100 Network Security Tools
- Downadup/Conficker Detection
- .Net/Java Code Obfuscation

Next release was a special edition (No#2.5) for sake of releasing new ubuntu(9.04) and contains a couple of articles on (in)security aspects of this distro. topics are:

- Your Distro is Insecure: Ubuntu
- GnuPrivacyGuard HowTo
- Securing Ubuntu Linux
- Configure SSL in Ubuntu
- Getting Start with Firewall Builder
- OSX Tiger vs. Vista vs. Ubuntu

you can download all of these releases from Snoop Magazine web-site:
http://snoopmag.net/archive.html

after all i want to thanks all of my friends and colleague at Snoop-Security such as : Adel Karimi, Shahriyar Jalayeri, Alireza Mohammadzade, Mohammad Sadegh Babaei, Vahid Amirian and other fellas..

hope you find it useful.
/aMIr

Happy Norooz and MS !exploitable extension review

2009-03-22T03:07:00.002+04:30

hi guys,
yep after all of these insomnia i'm still alive.
Microsoft today release a WinDbg Extension in the name of "!exploitable" and after some tests i review this on "Snoop Security Researching Community" blog and you can read this post here:

http://www.snoop-security.com/blog/?p=6

another good news is that new issue of Snoop Security Magazine coming soon(cheers to Adel).
oh i forgot it! happy norooz everyone. i wish a good year for you and your family in peace and luck.

that was all
/aMIr

I need INT3 on my life process

2009-03-02T20:32:00.002+03:30

I know it's long time that i'm not updating this blog, yep that's my bad.
These days i'm really confused and mixed up. I'm in process of reading , researching, writing and blah blah blah..
before the next season of year we'll release next number of Snoop-Secrity Digital Magazine. If you haven't downloaded the first release you can grab it at www.snoopmag.net and feel free to contact us about the articles contents, sections, and everything you think can help growing the value of this release.And if you wanna write article contact me, however we have sufficient number of articles for this release and we save your article for the next season(spring) release.
IMHO this coming release has more usefull stuffs. You can wait and see these changes in next release.
As i said in the beginnig i'am really confused and it's so much time that i'm awake!
God, please send INT3 on my life running process...

Snoop Digital Security Magazine No. #1 Released

2008-11-05T01:03:00.005+03:30

Hi Everyone;

After a while from starting of this project finally our magazine released just right now.

Indisputably it's in our native language( persian ) and included many good stuffs such as:

An Inroduction To DNS And Kaminsky DNS Vulnerability
Wireless Packet Injection With Airpwn
Exploiting Office:MS08-011 Attacking using Malformed .WPS
Security Tools Review: Nipper
A Simple Reverse Engineering
Hacking JSON
Intrusion Prevention Systems
Security Books Review: Security Power Tools
Basic IPTables
Deep Into Metasploit - Part 1

http://mag.snoop-security.com

I hope you read it and find it useful.

I wanna thank from Netw0rm, Snake, L0pht, Black Scorpion, amytis and…

Snoop Security Researching Committee

sCORPINo

[UPDATE]:Because of low bandwidth of our site you can also download this number of magazine from below address:
http://scorpino.parsaspace.com/magazine/SnoopDigitalMagNo1.pdf

don't check my Y! ID nosy

2008-10-20T19:41:00.009+03:30

A simple trick or just a light bulb on my curious mind.

May be you have seen web sites that check a Y! ID for invisibility and avatar photo.I don't link to them,you can find them in WWW.
I'm just thinking about how they work and what is behind the screen.
At beginning i was thinking that your online/invisible/offline status reported to Y! servers and these web sites robots check the invisibility and avatar photo from Y! servers and this is a full passive way to catch information about you and you can not do anything!
I had been in curious mode and thinking about that, immediately a light bulb came out of my head.I quickly fired up my fave sniffer wireshark and started it to capture traffic on my Y! ID client(pidgin) listening port and i saw what i wanted.You can look it in the below picture and blah blah..everything is clear..

P.S:Today I accidentally see metallica new album which named "Death Magnetic".It was much better than previous album of this group.In the previous album i just loved Frantic but there is more lovely songs in this new album..

Obfuscating Your OS TCP Stack or The Way To OSfuscate

2008-10-15T23:04:00.012+03:30

Just another TCP post!
There is many tools for TCP/IP Stack Fingerprinting to figure out the target Operation System.all these tools use fixed methods.Normally these software send an SYN and wait for SYN/ACK , when they receive that packet(or any response to their request) they analyze the packet for Flag's value and guess the OS.
Fyodor listed TCP/IP stack Fingerprinting methods in his article(nmap fingerprinting) and that list contains below methods:
The FIN probe, The BOGUS flag probe, TCP ISN Sampling, Don't Fragment bit, TCP Initial Window, ACK Value, ICMP Error Message Quenching, ICMP Message Quoting, ICMP Error message echoing integrity, Type of Service, Fragmentation Handling, TCP Options, SYN Flood Resistance

these method supported by nmap.
there is a picture from Network Miner tool that show some active and passive fingerprinting result for a single IP address.

It's currently a Vista BoX that is with it's default configuration.
after some changes you can see that p0f and Ettercap can not detect the OS.although satori can detect by analyzing DHCP packets.It seems that windows does not allow you to modify it's DHCP packet configuration as well as TCP.
this tool change some value in your windows registry that include these keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Tcp1323Opts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpUseRFC1122UrgentPointer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpWindowSize
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SackOpts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*\MTU

here you can see result of nmap OS fingerprinting scan before and after using this tool:

before:
nmap -T Aggressive -O 192.168.1.123
PORT STATE SERVICE
3389/tcp open ms-term-serv
5357/tcp open unknown
MAC Address: 00:1A:70:3C:A6:3D (Cisco-Linksys)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING) : FreeBSD 6.X (92%), OpenBSD 4.X (92%), Microsoft Windows Vista (86%)
Aggressive OS guesses: FreeBSD 6.2-RELEASE (92%), OpenBSD 4.3 (92%), Microsoft Windows Vista (86%), Microsoft Windows Vista Home Basic (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

and after:
nmap -T Aggressive -O 192.168.1.123
PORT STATE SERVICE
3389/tcp open ms-term-serv
5357/tcp open unknown
MAC Address: 00:1A:70:3C:A6:3D (Cisco-Linksys)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING) : FreeBSD 6.X (96%), OpenBSD 4.X (96%)
Aggressive OS guesses: FreeBSD 6.2-RELEASE (96%), OpenBSD 4.3 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

it's not a stable and complete tool, and by the way using this tool is at your own risk!!! it's recommended to use it on a virtual machine OS if you wanna try it out.

it was just an introduce to this tool and real post is at irongeek, check out and there you can download OSfuscate 0.3(current version).

[update] : although all these works dizzy some tools,but still if your network use DHCP IP addressing,it's easy to figure out your OS by using satori.thanks Eric for the sake of reminding my mistake.I appreciate Eric and his good work;)
I'll try to works on it more in my future free times.
By the way anyone can access satoori from here.

TCP SYN Cookie Juji-gatame

2008-10-10T16:44:00.006+03:30

once upon a time,when the TCP/IP invented in 1979,no one thought that it's goping to knocked out late in 2008.
If you are interested in computer security so you should heard about this big threat.
though complete technical information does not disclosured but this can not be a hoax.because the men whom discovered this issue are not stupid ones.probably you have an experience with Unicornscan that is one of this netherlandish company which it's name is Outpost24.It seems that they have found this vulnerability in their deep digging in TCP/IP to accomplish developing the unicornscan. They dig the TCP protocol stacks and found out that something is wrong with SYN Cookies.
well now if your system is available,you are on risk,so you should cut off an angle of security triangle(availability). This mean that your system security is absurd.
each system have a limited connection slot,when all of them are in use the system goes out of service.the goal of DoS(Denial of Service) is to reach this.they wanna keep you busy in order to no one can get service from you.
Outpost24 guys discovered this issue in 2005 and now they have written a TCP socket stress testing framework that named Sockstress.
They just noticed that there is such kind of vulnerability in TCP and the is such a tools to defeat all kind of devices that use TCP,and there is no technical disclosure about this issue.they haven't speak straightforward about this problem yet,and they said we are cooperating with vendors to solve this issue.
On the other side Fyodor, nmap programmer has disavow this and answered that this is not a new kind of vulnerability.He believes that they have rediscovered what he found in past years and performed in his private tools(Ndos).
I have no idea about it's a kind of dislike that Fyodor feels about Outpost24 and their Unicornscan or not,but as i said these guys news can't be a hoax.
they have offered some ways to defeat SYN Cookies and i mention them here as they told:

- To defeat Server side SYN Cookies...
- Employ Client side SYN Cookies
- Start with a random 32-bit number
- XOR this number against Client side of a
connection attempt (192.168.1.3:51242)
- Use output as ISN for SYN packets
- When Client receives SYN/ACK’s
- (Sequence Number - 1) XOR’d with 32-bit number reveals the client sending IP and port
- Client can now complete a full 3 way handshake without ever tracking anything in a table.
- Client can also transmit data on this connection
- No need on Client side to even keep a hash table. XOR is reversible.

that was all.

Netcat Power Tools Book Review

2008-10-05T18:47:00.010+03:30

I have seen this book approximately 2 weeks ago.I got it,but indeed i was not in mood to read it.so i leave it alone in a folder and continue reading my other incomplete books.2 days ago i have seen a post , and it abet me(why? i don't know!)to read this thin book.
Yes,it just finished and i am dangling with something in this book!
At first look it may give you an adventure feel for discovering netcat power tools! umm,I'm not going to stop you from this feel,but i think this book could be better with a fair name and may be something more..
In the beginning of book,i bet you get crazy with repeating of two words: "Server" and "Client" . He has repeated these words over and over.It can repulse a new one who is going to read about a simple security tool such Netcat.
Next thing that must be mentioned is a huge headline in the first chapter.He almost said all of his book briefly in first chapter.
He named netcat as an powerful Banner Grabbing tools! I think always there is more than a simple banner that you get by connecting to a port from netcat.It's cool but not always.Sometimes banners are hidden and also sometimes spoofed,so you need more thing than netcat.Well in this situation netcat can be handy when you have a pattern from many known software that usually listen on a specific port(such as webservers on port 80).
Author mentioned all about windows and Unix/linux version of netcat but it didn't see anything that he notify about absence of -q switch in windows version(you see?!).
Repeating of fixed headline make me bored from this book.For example he has repeated port scanning in chapter 1, 2, 3 and 7.They are almost all alike!
Author has filled many pages with base of some simple protocol and this is not good.He could reference them.
I think this book could name "Computer forensics tools tips and tricks".It could be a graceful name for this book.
Huge list of tips and tricks are great but not plenty.for example it could include the trick of using netcat as an simple web server.it comes very handy.this can be implemented by using bash same this(i can't put code in blog post!why?!):

Simple and useful;)
There is some strange headline in this book such as using nmap and etc.
But a good inform about cryptcat is so good.
anyway i appreciate the author because of writing books for starter, however there are many blame on him.

Computer comes with exception

2008-10-04T15:31:00.003+03:30

Computers are sometimes exceptional.their act make us wonderful.
for example doing some work with computer is your daily job and always you do a routine task.It always seems normal and after many many times it sounds a good way to do this task.but very chancy one time that you are doing this routine job,something go wrong!
yes you try to fire up your intelligence mind and solve this problem.may be it get a long time to solve this problem to you,and may be it will be solved with a lil trick.absolutely it depends on your experience and may be your fortune.

But there is many many occasion that not computer logic exceptional.because many events are based on concepts.concepts always forced by us to computers.some concepts are documented and some not.some are intentional and some not.
I believe the exceptional that i said at beginning of this post is a kind of inadvertent undocumented concepts.They forced to the computer by writing the codes from programmer.The computer never disobeys from programmer in normal mode,because it's logic is based on the obey.
So we must try to be careful about any concept that we are learning to computer!
yes,this is very important.If we want,we can teach computer to disobey us.we can force computers to disobey us,and this may be the last obey of computer from us.They can learn from us to be our malicious foe.
So,be careful about what concept you are learning to your computer...