Pro Hack

Guide to Anti-Debugging - Overview , Techniques and Approaches

2013-05-04T14:35:00.002+05:30

I have been nagged a lot regarding guest posts, and almost 90% of them are related to some news, social media bullshit and half baked security crescendo. Until recently, I was contacted by amiable folks at Infosec Institute with a good article on Anti Debugging. This is an article by Dejan Lukan, a security researcher at Infosec Institute, in which he discusses the Anti Debugging techniques in an objective and direct manner. I loved the implementation part, reminded me of my rev days (you can learn about how to reverse Winrar or just have a look at a real noobs guide to reverse some more stuff) , and more importantly Dejan explains how to stop (read : slow down) people from reversing your code. Hope you will enjoy it.

Before we begin, we must mention that it’s impossible to completely prevent reversing. What is possible is that we can place as many obstacles on the way as we want to make the process slow enough that reverse engineers will give up. Actually there are hardware implementations where you can buy a black box that attaches to your computer which can do the encryption/decryption for you, but this is far from being used in everyday life.

Techniques to Harden Reverse Engineering

The most basic approaches to harden the reverse engineering of programs are the following [1]:

Eliminating Symbolic Information
Obfuscating the Program
Embedding Antidebugger Code

When eliminating symbolic information, we’re taking the textual information from the program, which means we’re striping all symbolic information from the program executable. In bytecode programs, the executable often contains large amounts of internal symbolic information such as class names, class member names, the names of instantiated global objects. By removing every symbol from the executable or by renaming every symbol, the reverser is faced with a bigger problem than usual because symbol names alone can often be used to gather enough information about what the function does, which simplifies the reverse engineering part.

This can easily be done in C/C++ programs where we only have to append a few compiler flags to the command line that actually compiles the program into the executable. It’s much harder with programming languages like Java and .NET, where those symbols are used internally to reference variables, functions, etc. This is also the reason why Java and .NET programs can easily be converted into a pretty good source code of the original program. We can still strip the symbols from such programs by renaming all the symbols from their meaningful names into meaningless representations, which effectively does the job.

Besides stripping the executable symbols, we can also obfuscate the program. When obfuscating a program, we’re basically changing the code of the program without actually changing the logic behind it, so the program does the same as before but its code is far less readable. Here we have two techniques that can achieve that:

Encoding: With encoding, we must add the decoding instructions that decode the whole program before it’s being run. This can be done by appending the decoding instruction at the end of the program and changing the entry point to point to the decoding instructions. When the program is run, the decoding instructions are executed first, which decodes the whole program into its original form. After that, we must jump to the start of the program and actually run the original instructions as if the encoding didn’t even happen.
Packing: When packing the executable, we’re basically reducing the size of the executable as well as encrypting it. When such a program is run, it must first be decoded in memory and then run.
By obfuscating the program with nonstandard encoders/packers, we can greatly complicate the task of reverse engineering the executable, but at the end, a persistent reverse engineer will nevertheless be able to bypass that and get the non-obfuscated version of the executable, which can easily be reversed.

Last but not least, we can use an antidebugger code, where we can include a code into the executable that can detect if the program is currently being debugged. If that happens, the program terminates itself prematurely without actually executing the functions that would normally be executed if it wasn’t running under a debugger.

Antidebugging

Before discussing how anti-debugging tricks do their magic, we must first talk about how the debugger is able to debug the program. We know that we can stop and resume the program with the use of either software or hardware breakpoints.

When using software breakpoints, we’re replacing the instruction on which we’ve set the breakpoint with the INT 3 instruction (at least on the x86 architecture), which is a special software interrupt. In this case, we’re passing the value 3 to the instruction INT, which means that we’re generating the software interrupt 3. This causes the function pointed to by the 3rd vector in the interrupt address table (IAT) to be executed. I guess we’re all familiar with the INT 80 interrupt that makes a system call on Linux systems.

The INT 3 instruction temporarily replaces the current instruction in a running program. This is also a way for the debugger to know that a software breakpoint has occurred and the program execution should be stopped. After that, the debugger replaces the INT 3 instruction with the original instruction so the program can continue without the loss of instructions, which can otherwise cause abnormal program behavior.

When we use a hardware breakpoint, it’s the processor’s job to know when the breakpoint has been hit and the program has to be stopped. This is why the program is not modified when a hardware breakpoint is set.

When the breakpoint is hit, the program is stopped and we can safely execute instructions in our favorite debugger. At that point, we can run instructions step-by-step by entering into functions, or by executing them the same time. If we’re interested in what the function does, we need to enter into the function; otherwise we can safely ignore the function and step over it. When stepping through the code, each instruction is executed on its own and then the program is again stopped, so we’re able to analyze what the instruction has just done.

When stepping through the code with a debugger, the Trap Flag (TF) in the EFLAGS register is used. When the TF is enabled, an interrupt will be generated after every executed instruction, so we get the feeling of stepping though the program instruction by instruction.

IsDebuggerPresent

The IsDebuggerPresent is a Windows API function, which we can see on the picture below:

The function doesn’t take any arguments and returns a Boolean value notifying us whether the program is running under a debugger or not. This function can be used to trivially detect whether a debugger is being used to run the program. The function uses the Process Environment Block (PEB) to get information about whether the user-mode debugger is used.

Let’s create a simple program that prints the number 0 or 1 if the debugger is present or not. We can do that by first creating an empty console project under Visual Studio C++ and then changing the code of the main cpp file into the following:

// isdebuggerpresent.cpp : Defines the entry point for the console application.

#include "stdafx.h"

#include <stdio.h>

#include <Windows.h>

int _tmain(int argc, _TCHAR* argv[])

{

int num;

if(IsDebuggerPresent()) {

num = 0;

}

else {

num = 1;

}

printf("Number: %d\n", num);

/* wait */

getchar();

return 0;

}

The program prints “Number: 0″ if the debugger is present and “Number: 1″ if the debugger is not. If we run the application under Visual Studio, the program will display the number 0 because it’s being run under a debugger. This can be seen on the picture below:

Let’s also run the program under OllyDbg to be sure that the number 0 is displayed. This can be quickly confirmed by loading the executable program and running it. On the picture below, we can see that the number 0 was printed when the program was run under OllyDbg debugger:

But if we run the same program under normal cmd.exe, it will display the number 1. This can be seen on the picture below:

We can see that the IsDebuggerPresent API function call works as expected, but that the function call is easy to detect and bypass. This is because we can quickly find this function call in the executable and delete it or bypass it. To do this, we can simply open the executable in Ida debugger and check out the Imports table to verify if that function exists somewhere in there. We’re right, the function IsDebuggerPresent is listed among all the imported functions as we can see on the picture below:

This is a clear indication that the executable is using the function to do something different when the debugger is attached to the executable. We can also locate the exact instructions that are used to call that function. The whole Ida graph of the main function that does exactly the same as the main function from the C++ source code above is presented on the picture below:

We can see that, at first, we’re initializing the stack for the function and calling the IsDebuggerPresent function. After that, we’re testing the returned value in eax against itself to determine whether a true or false value was returned. If the eax holds a value different than 0 (1 in our case), then the zero flag will be set and the first box that sets the [ebp+num] to 0 is called. This is exactly what happens now, because we’re running the program under a debugger, but otherwise the block that sets the [ebp+num] to 1 is called. After that, we’re just moving the value of [ebp+num] into the register eax and printing it with the printf function.

If we now set the breakpoint on the call to the IsDebuggerPresent function and rerun the program, the execution will be stopped right where we want it. After the breakpoint has been hit, we can step into the function to see what the function actually does. On the picture below, we can see the function in question:

We can see that the function is pretty simple: we’re loading the address of the currently active thread (TIB) in the register eax and then accessing the structure member that’s located at the 0×30 offset; the PEB data structures lies at that offset. After that, we’re loading the address of PEB in eax and then accessing its data member at 0×2 offset, which holds the data member named BeingDebugged. Thus, we’ve successfully taken a look at what the IsDebuggerPresent function actually does and how it does it. We can see that it’s very simple and not really hard to bypass.

We can determine that IsDebuggerPresent is being used when we try to reverse engineer an executable and the program terminates prematurely, a different execution path is taken, or something else unexpected happens. In such cases, we must first check the Imports table if the IsDebuggerPresent function is being called anywhere in the executable. If that is the case, we can simply delete the instructions that call the IsDebuggerPresent function call, so it won’t bother us when reversing the executable.

On the other hand, if we’re developing a program and we would like to use the IsDebuggerPresent function call, we can copy the above instructions directly into our code, so that we’re not actually calling the IsDebuggerPresent function directly, but using its function body instructions to figure out whether the debugger is being used to run the executable. This is just another trick so that reverse engineers won’t immediately notice the use of IsDebuggerPresent function call and will make the debugging slightly more complicated.

Conclusion

For a deeper understanding of reverse engineering, check out the reverse engineeringtraining course offered by the InfoSec Institute. In this article we’ve seen a few techniques to harden the reverse engineering process. The technique easiest to bypass is symbol elimination where we have to delete all the symbols presented in the executable. This effectively makes the names of the functions unavailable when debugging, which leaves it up to the debugger to properly name the functions. Another technique is program obfuscation, which can be a pretty simple operation like xoring the whole executable then running it, but it can also be pretty complicated. Things get further complicated if we’re using obfuscation with the anti-reversing techniques, which detects if the program is being reversed and terminates the program prematurely if so, greatly hardening the reverse engineering of the executable.

References:

[1]: Reversing: Secrets of Reverse Engineering, Eldad Eilam.

Ultimate Guide to run ASA 8.4 on GNS3 on Ubuntu - No more Qemu errors

2013-05-04T00:12:00.000+05:30

Simulating CISCO ASA 8.4 on GNS3, on Ubuntu is a pain in the ass. Countless QEMU errors ,203 errors, results with no output on console and many more hair-pulling skull bashing events that *will* make you scratch your head and you will be motivated to buy an ASA for your personal use.

Yes folks..You will be running this..or a cousin of it.

But fear not weary travelers if you have reached at this point of web while surfing (read:hunting) for your share of ASA & firewall stuff, you are right at home. Today I will be providing a step by step almost error free guide of simulating ASA, and fret not, this has been tested on more than 5 platforms with zero error rate (and that included machines of different platform - i386,x86_64; and different flavors of Fedora/Ubuntu).

NOTE: I love linux but I hate Ubuntu, for my own personal reasons. I am a fedora guy & I love debian, but I hate Ubuntu.
Why I didnt covered this guide for Fedora as Fedora guys will figure out how to do it anyways :P , its Ubuntu ones who were facing maximum issues (just google it) and hence I wanted to cover a guide for it. Jokes aside, I intend to cover the subjected issue as I faced multiple issue myself.

Never-mind, my machine as of now is an amd64 E350 based HP dm1 3210 Laptop with 4 GB ram. Its a pretty under powered PC for running GNS3 (as compared to dedicated rigs I have seen, however I can run IOU & NX-OS Titanium over it and it balances every known equation for me) but it does the job with some tweaking and the result is very satisfactory.

Coming to the point, you will be needing -

A laptop/desktop
Any Ubuntu flavor installed (I use backbox, its better than backtrack)
ASA 8.4.x files (initrd and kernel files, if you are reading this article, I know you have them)
Patience.

Step 1 - Installing GNS3

Well this is simple, just type the commands and it will install safely. Make sure you dont have GNS3 installed previously else you might face some issues. Please note I am using compiling GNS3 for my 64 bit OS, however it should work for 32 but laptops too, make sure you choose correct version of dynamips from GNS3 website.

rishabh@xion$cd /opt
rishabh@xion$sudo mkdir GNS3
rishabh@xi0n:/opt$ wget http://sourceforge.net/projects/gns-3/files/GNS3/0.8.3.1/GNS3-0.8.3.1-src.tar.gz
rishabh@xi0n:/opt$ unzip GNS3-0.8.3.1-src.zip
rishabh@xi0n:/opt$ sudo mv -f /GNS3-0.8.3.1-src/* /opt/GNS3
rishabh@xi0n:/opt$ sudo chmod 777 GNS3
rishabh@xi0n:/opt$ cd GNS3
rishabh@xi0n:/opt/GNS3$ sudo mkdir Dynamips Images Project Cache tmp
rishabh@xi0n:/opt/GNS3$ sudo chmod 777 Dynamips/ Images/ Project/ Cache/ tmp/
rishabh@xi0n:/opt/GNS3/Dynamips$ cd Dynamips/
rishabh@xi0n:/opt/GNS3/Dynamips$ http://sourceforge.net/projects/gns-3/files/Dynamips/0.2.8-RC3-community/dynamips-0.2.8-RC3-community-x86_64.bin
rishabh@xi0n:/opt/GNS3/Dynamips$ export PATH=$PATH:/opt/GNS3/GNS3-0.8.3.1-src/

Check if its installed by opening a terminal window and running GNS3. If it went well, proceed to next step.

Step 2 - Compiling and Patching QEMU

This is the second most crucial step, do as instructed, by the time you are finished, you will be presented with a stable installation of patched Qemu. Make sure NO previous installation of Qemu in installed on your machine.

rishabh@xion:/opt/GNS3$ wget http://download.savannah.gnu.org/releases/qemu/qemu-0.11.0.tar.gz
rishabh@xion:/opt/GNS3$tar xvzf qemu-0.11.0.tar.gz
rishabh@xion:/opt/GNS3$cd qemu-0.11.0
rishabh@xion:/opt/GNS3/qemu/qemu-0.11.0$wget http://downloads.sourceforge.net/gns-3/qemu-0.11.0-olive.patch?download
rishabh@xion:/opt/GNS3/qemu/qemu-0.11.0$patch -p1 -i qemu-0.11.0-olive.patch
rishabh@xion:/opt/GNS3/qemu/qemu-0.11.0$./configure --target-list=i386_softmmu
rishabh@xion:/opt/GNS3/qemu/qemu-0.11.0$make
rishabh@xion:/opt/GNS3/qemu/qemu-0.11.0$sudo make install

Once its installed, check by running

rishabh@xi0n:/opt/GNS3/qemu/qemu-0.11.0$ which qemu
/usr/local/bin/qemu

It should display Qemu path, if not, you screwed up some where. Do it again.

Step 3 - Preliminary Configuration

In general settings of GNS3, you will find Qemuwrapper is already configured, double check Qemu & Qemu-img path here, it should be the same as mentioned in "which" command output or better if you have placed the same it in GNS3 folder

Also, Set ASA options as

Qemu Options:
-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
Kernel cmd line:
-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536

Browse to the initrd & kernel images of ASA and set memory to 1024, once done, save it.

make sure your configuration looks like this

When done, its execution time follks :)

Step 4 - Running it.

Well..it will look like this.

You can also check the ps output of Qemu (quick and dirty output here..nothing flashy)

rishabh@xi0n:/opt/GNS3$ ps ax | grep 'qemu'
7094 pts/0 Sl+ 0:00 /usr/bin/python /opt/GNS3/GNS3-0.8.3.1-src/qemuwrapper/qemuwrapper.py --listen 127.0.0.1 --port 10525 --no-path-check
7101 pts/0 SN+ 0:00 /bin/sh -c /usr/local/bin/qemu -name ASA1 -m 1024 -hda "/tmp/ASA1/FLASH" -kernel "/home/rishabh/Documents/asa842-vmlinuz" -initrd "/home/rishabh/Documents/asa842-initrd" -append "-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536" -net nic,vlan=0,macaddr=00:00:ab:40:a4:00,model=e1000 -net nic,vlan=1,macaddr=00:00:ab:8d:12:01,model=e1000 -net nic,vlan=2,macaddr=00:00:ab:f0:c0:02,model=e1000 -serial telnet:127.0.0.1:3001,server,nowait -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
7102 pts/0 R+ 0:19 /usr/local/bin/qemu -name ASA1 -m 1024 -hda /tmp/ASA1/FLASH -kernel /home/rishabh/Documents/asa842-vmlinuz -initrd /home/rishabh/Documents/asa842-initrd -append -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536 -net nic,vlan=0,macaddr=00:00:ab:40:a4:00,model=e1000 -net nic,vlan=1,macaddr=00:00:ab:8d:12:01,model=e1000 -net nic,vlan=2,macaddr=00:00:ab:f0:c0:02,model=e1000 -serial telnet:127.0.0.1:3001,server,nowait -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
7175 pts/1 S+ 0:00 grep --color=auto qemu

Once you are up and running, its time to grab a can of redbull (or beer if you prefer) and get a pat on your back, good work soldier :)

Miscellaneous Errors , which you *just might* encounter and how to deal with them.

If you followed my steps, I dont think you will encounter any errors, but for the sake of completeness, I am including the most basic errors which you might get.

"qemuwrapper path doesn't exist"
This one is a classic one. With proper GNS3 0.8.3x installation, you will *not* encounter it. If you are running classic 0.7.x build, God save you. Even if you have 0.8.3.x & still get this error , find Qemuwrapper (it will be there in one of GNS3 source folders) and select it, save it. Error gone. Make sure permissions are correct.

"203-Bad number of parameters (5 with min/max=6/6)"
Upgrade your GNS from 0.7x.x to 0.8.3, if you are following this guide, you should not get this error.

"You are running an old and unpatched version of qemu"
Now here things get interesting. In one case I installed Qemu before installing GNS3 and I got this error quite frequently. I uninstalled Qemu, cleared my /tmp & I then first installed GNS3 and then installed Qemu after configuring GNS3 fully (except the Qemu part that is) . Did a sudo make install for Qemu and restarted my laptop. Please note I am using Qemu 0.11
Ran GNS3 and tada..

This error will be rectified.

"You must use 'manual mode' to connect a link with a xyz module"
Simple as hell, use manual mode..duh..

"QEMU boots but no ASA boot output on console"
Use correct QEMU binary, no Qemu_i386 / Qemu_x86_64. Use only correctly patched Qemu 0.11 binary in GNS3 like previously specified.

In all cases, all errors are either will be some permutation or combination of the mentioned ones. Well , it summarizes my post on running ASA, hope it will help you.

Rishabh Dangwal

Wardriving at Delhi Updated –The OPEN, WEP & WPA faces of Delhi

2013-03-30T18:51:00.001+05:30

I got an overwhelming response to my Wardriving at Delhi project and have got a lot of emails regarding the same. I am so thrilled that so many people want to contribute to the project. Inspired by your feedback, I am here by producing here an update to my mapping project. This time I went Via Saket to Gurgaon and as usual I got a lot of access points which were OPEN with no security, WEP secured vulnerable access points & WPA/WPA PSK2 secured points.

As usual, I used -

Kismet
Moocherhunter
Aircrack
G-MON & WiGLE

The target is to make a map of Delhi with all the access points to analyse in layman terms -

The security awareness of people and organizations
The devices they are using
The security mechanisms they are using.
Wifi range analysis of individual device.

Well, in all you can find the data from below links -

Hotspot details / BSSID (See if you are on the list) =))
Google Maps KML Data (See it in Google Maps)

If you are interested in contributing to the data, please contact me at admin<at>theprohack.com . You can also read how to Hack Wifi using Backtrack , How to detect if someone is using your WiFi or how to detect WiFi hotspots . If you are having an Android, you can also read about how to use your Android for Wardriving.

Happy Wardriving.

Hack Windows using winAUTOPWN 3.4 –Completing 4 years of windows hacking

2013-03-29T23:36:00.001+05:30

winAUTOPWN has been an old favourite to automate windows hacking and vulnerability testing. The project is the brainchild of Azim Poonawala of [C4]Closed Circuit Corporate Clandestine and saw its first release in 2009. Fast forward to 4 years; it has matured into a good exploitation framework with a plethora of options. As the Author states about it -

Autohack your targets - even if you have consumed and holding a bottle of 'ABSOLUT' in one hand and absolute ease (winAUTOPWN) in the other.

In layman terms, winAUTOPWN is a unique exploit framework which helps in gaining shell access and pwning (aka exploiting vulnerabilities) to conduct Remote Command Execution, Remote File/Shell Upload, Remote File Inclusion and other Web-Application attacks. To add cherry on the top, it can also help in conducting multiple types of Denial of Service attacks on targets, furthermore, It can also be used to test effectiveness of IDS/IPS and other monitoring sensors/softwares.

You can -

Download winAUTOPWN from here / mirror
Read its documentation from here

Ngrep–Grep patterns in Network traffic

2013-03-26T01:11:00.001+05:30

We have got a lot of packet sniffer/analyzer software out there, I am a self confessed Wireshark & Ettercap lover, but still, when it comes to analyzing network traffic from command line in a fast manner, ngrep is my one of my favourites. Written by Jordan Ritter its used to “grep” traffic patterns from the network interfaces. As per official documentation -

ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

ngrep runs on Windows & *nix platforms alike and you need WinPCAP to run it since it relies on it.

Once you install it, it by default uses the first interface on your machine, so , make sure to check the detected interfaces by running -

C:\Users\RISHABH\Desktop>ngrep -L
idx     dev
---     ---
1:     \Device\NPF_{4D491111-D331-42BC-9A33-98EF8C40D422} (Microsoft)
2:     \Device\NPF_{ADBF6AC1-D111-463D-8D99-C58FA1BEF979} (Sun)
3:     \Device\NPF_{6F801AE0-CA61-4A6D-B5FF-DCB7CE8FC529} (VMware Virtual Ethernet Adapter)
4:     \Device\NPF_{930B6EC8-A5E3-4FFA-B68F-F159FDFC2064} (VMware Virtual Ethernet Adapter)
5:     \Device\NPF_{D1999293-A041-4C2A-B63F-5D8B4906000F} (Realtek PCIe GBE Family Controller)
exit

Now for example you want to check out whats going on at port 23 using interface 5

C:\Users\RISHABH\Desktop>ngrep -d 5 port 23
interface: \Device\NPF_{D1999293-A041-4C2A-B63F-5D8B4906000F} (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( port 23 )
exit
0 received, 0 dropped

Piece of cake.. and if you want to filter any website in you are searching for keyword "password" then :

ngrep -d 5 “password” port 80

Easy aint it ? Ngrep does it all : ] With some complex grep commands , you can become a pcap ninja.

Well, you can

Download Ngrep from here
Check out documentation and examples here
Learn about Wireshark from here

Cisco Type 4 Passwords cracked–Coding mistake endangers devices

2013-03-24T18:33:00.001+05:30

Cisco has issued a security advisory intimating that its new password hashing algorithm TYPE 4 is vulnerable,which allows Cisco TYPE 4 encoded hashes to be cracked easily. TYPE 4 is an update of TYPE 5 , and was supposed to salt passwords and apply 1000 iterations of SHA-256 . Well, engineers at Cisco actually miscoded the algorithm by forgetting to salt passwords and setting the number of iterations to 1 which makes it even weaker than TYPE 5 algorithm .

“This approach causes a Type 4 password to be less resilient to brute-force attacks than a Type 5 password of equivalent complexity.”

Also, the code base (CISCO IOS 15) also disables TYPE 5 encryption on devices. Well..talk about rubbing salt on wounds.

As per advisory -

"A device running a Cisco IOS or IOS XE release with support for Type 4 passwords lost the capability to create a Type 5 password from a user-provided plaintext password.Backward compatibility problems may arise when downgrading from a device running a Cisco IOS or IOS XE release with Type 4 password support and Type 4 passwords configured to a Cisco IOS or Cisco IOS XE release that does not support Type 4 passwords. Depending on the specific device configuration, the administrator may not be able to log in to the device or to change into privileged EXEC mode, requiring a password recovery process to be performed."

It was meant to be discovered inevitably. Folks at Hashcat - Philipp Schmidt and Jens Steube found it and were able to decode a hash posted at inetpro.org . Since hashes were weak, the information was more than enough to crack millions of hashes in hours if anyone gets their hands on hashes.

The aftermath ? Cisco says it will be creating new password type to counter it with new as of now unknown commands to implement it. In the meantime, Cisco says you “may” want to replace Type 4 password with Type 5 , as quoted -

There are two options to generate a Type 5 password:

Using another device running a Cisco IOS or Cisco IOS XE release without Type 4 support

Using the openssl command-line tool (part of the OpenSSL Project)

You can read the advisory here

You might also want to read -

CARNA Botnet–Researcher maps Internet using botnet

2013-03-23T01:16:00.001+05:30

“ Incredible”

thats one word when you describe CARNA botnet, which is a single handed attempt to map the entire Internet by a researcher, which makes it a single most herculean feat I have witnessed in digital domain which both grips me with mixed feelings of astonishment and Deja Vu.

As the paper states, the basic theory behind CARNA was

After completing the scan of roughly one hundred thousand IP addresses, we realized the number of insecure devices must be at least one hundred thousand. Starting with one device and assuming a scan speed of ten IP addresses per second, it should find the next open device within one hour. The scan rate would be doubled if we deployed a scanner to the newly found device. After doubling the scan rate in this way about 16.5 times, all unprotected devices would be found; this would take only 16.5 hours. Additionally, with one hundred thousand devices scanning at ten probes per second we would have a distributed port scanner to port scan the entire IPv4 Internet within one hour.

Impressive.. and the payload they devised was small, surgical and targeted routers with insecure logins.

The binary on the router was written in plain C. It was compiled for 9 different architectures using the OpenWRT Buildroot. In its latest and largest version this binary was between 46 and 60 kb in size depending on the target architecture.

Well, the end results ? ~ 420,000 infected routers are identified with 1,300,000,000 geolocated IPV4 devices with about one-third of those responding directly to pings.

Incredible..as I earlier said. Sceptics will say that It can be a hoax, as its difficult to verify with a 586GB bittorrent file compressed with ZPAQ which will decompress to 9TB , it needs somewhat of super human effort to download, unpack and analyze data if it really exists. But again, if its true, Its .. its awesome.

You can

Read the Paper here
Download Bit Torrent file here
See graphical results here

Like I said, prepare to be amazed.

Vulnerable SCADA systems in Finland – Shodan,Hackers and Security.

2013-03-22T12:17:00.001+05:30

Security researchers in Finland have turned up thousands of unsecured Internet-facing SCADA systems in that country, using the Shodan search engine.The researchers, from Aalto University, ran their test in January, and found 2,915 exposed systems running functions from building automation to transport and water supply. Those responses were out of a total of 185,000 Finnish IP addresses that responded to an HTTP request.

According to communications and networking professor Jukka Manner,exposed building automation systems, the researchers claimed, included a bank, a gaol, and a hospital. Researchers claimed that many systems were vulnerable through their remote user interfaces.Interestingly, when the university re-ran its test in March, it found that a large number of the systems had been removed from the Internet, although 1,969 of the systems were still present.

“A lot of problems can … still be hiding”,

according to research assistant Seppo Tillkainen, since as much as 30 percent of the Finnish IP address space is still not mapped by Shodan. While systems spotted in the Shodan search even included a wind turbine, the majority of poorly-secured systems were in office blocks and residential towers, the study says. The researchers did not go as far as to actually try to penetrate the systems, citing Finland's computer crimes laws.

A Google translation of the university's press release is here. For Finnish readers, the whole study is here.

Blogged on Android Via The Register

Wardriving at Delhi–Wardriving revisited

2013-03-21T20:14:00.001+05:30

The last time I wardrived at Delhi was over 2 years ago, I was at Tulip Telecom then and was doing something of a personal project then. Well, now I am at Orange and thought of replicating the feat, this time I will be publishing the details of networks I wardrived while going to Gurgaon from Delhi. It was done using combination of G-Mon,Kismet, Moocherhunter and you just might find it useful. I intent to make a map of Delhi with all the access points , which does sounds incredulous & far fetched, but yep, I intend to do it and I am doing it bit by bit. It helps to analyse in layman terms -

The security awareness of people and organizations
The devices they are using
The security mechanisms they are using.
Wifi range analysis of individual device.

Well, in all you can find the data from below links -

Hotspot details / BSSID (See if you are on the list) =))
Google Maps KML Data (See it in Google Maps)

If you are interested in contributing to the data, please contact me at admin<at>theprohack.com

Happy Wardriving
- Rishabh Dangwal

LinkedIn Malware - Profiles hit with 청강아카데미학원

2013-01-02T13:43:00.001+05:30

Recently I have noticed a lot of LinkedIn profiles (especially belonging to Indian subcontinent) have mentioned “청강아카데미학원” in their educational details (Go Google). On further querying with friends and some readers have got an identical response that NO changes have been made from user end. Its a suspected XSS hit and LinkedIn team have been notified. Will update here if I get a response.

Happy New Year 2013 – Best Wishes from Prohack

2012-12-31T20:40:00.001+05:30

2012 was a formidable year : ] I was busy, in fact I have never been busier in my life and I find myself guilty of going into hibernation multiple times even when I didn’t wanted to. I promise 2013 will be the year of change , and I would dedicate myself over some newer interests and projects, this time, open source ones. I had enough of closed source pentest and scouting, nevertheless, It was an year where I -

Completed multiple <unmentionable> targets at corp level. [4]
Ran IOU on my laptop and simulated complete corporate cloud over it.
Learnt and explored more about networks.
Brokeup with my girlfriend : P
and at last , resigned from Tulip Telecom to join Orange Business Services, a subsidiary of France Telecom. In fact I will be joining in early Jan 2013.

I hope Orange will be my home away from home and will open symbiotic and never before possible opportunities for me, and I am quite excited about it. I hope I will be able to take more time for my projects and share with you some exciting findings. When i look back at 2012, it was an year that taught me a lot of things, it was full of surprises and I hope 2013 will be an awesome year for all of us.

See you next mission and Stay Awesome .

Happy New Year 2013

Rishabh Dangwal

EIGRP Cheatsheet – EIGRP in 15 min

2012-12-13T00:25:00.001+05:30

Long time folks, was busy with a lot of projects. Hope coming year gets less busier and I get to get my hands more dirty on networks and network security. In the meantime, here is an EIGRP cheat sheet which I thought will be helpful to folks who just want a quick theory review of Cisco’s EIGRP. Though I wanted to cover a lot more in cheat sheet like EIGRP technologies, planning but it would have defeated the purpose of cheatsheet. Never mind, I am preparing a more comprehensive EIGRP guide which I might publish soon depending on the feedback received. In the meantime, You can find the cheatsheet at Slideshare and Scribd.

Eigrp Cheatsheet - EIGRP in 15 min - Rishabh Dangwal - www.theprohack.com from Rishabh Dangwal

Hacking Dominos Coupon Generator – Free Dominos Pizza Coupons & Discounts

2012-07-30T23:24:00.001+05:30

After multiple failed attempts to place an order of pizza and getting tired of taking follow-ups from folks at Axis Bank and Bill Desk (the gateway that takes care of Dominos's online pizza orders) , I was frustrated a lot. Then , I came across Domino's Slot machine coupon generator. An innocent looking random coupon generator that is purely JS based and is easily hackable. NOW I AM NOT SAYING I HACKED IT AND ORDERED FREE PIZZA's , the payment gateway sucks soo much that I didn't ordered anything. But yes, I do have something to share with you.

Fire up your Google Chrome (that's enough) and open

http://pizzaonline.dominos.co.in/slot-machine/process-slot.php

You will see the Coupon Generator, fill in the captcha and play it, in normal circumstances , chances are -

You will win a coupon , if you are feeling lucky, you can try once more and then if you win again, you will have to deal with the final discount coupon you get.
You will get a "Try Again", you can try till the case 1 is fulfilled.

Lets turn the tables ,fire up developer console by pressing F12 .

navigate to scripts – > slot.js

Open slots and navigate to this code

and change the attempts value to anything you wish

Now navigate to this code

and change the value to 1

Now time to change duration values

$('#slot'+(slots+1)).animate( { backgroundPosition:"(0px "+bgPos+"px)"}, { duration: (10000+(slots*500)), complete: function(){
limit++; //console.log(limit);
if(limit == 4){

Change the subjected function to

$('#slot'+(slots+1)).animate( { backgroundPosition:"(0px "+bgPos+"px)"}, { duration: (1+(slots*1)), complete: function(){
limit++; //console.log(limit);
if(limit == 4){

once done , slot timers and duration will be ultra quick.

Press Ctrl + S and click on Start / Try Again and see the results : ) Cool huh ?

Now tinker with some innocent looking functions for your experiment : ] and enjoy.

Check this For loop and especially check for #slot values and value of i , also, some crazy things can be done by changing the pixel values

if(buttonState == 'Try Again' || buttonState == 'Please wait...'){
               var i=1;
               for(i=1;i<=4;i++)
               $('#slot'+i).css('background-position','0px 0px');
           }

Or Look for this function

$.post('process-slot.php',{ session_id : session_id},function(json){
var slot_result = slot_result_desc = ''; var limit = slots = 1;

Now again, I wont be divulging much here : P , you can modify completely the way the slot generator works and generate according to your whims : ] Work your way out.

PS : I did went into the site looking for coupons by being a Dominicon but the coupons there are just pathetic and almost same for all the traits like lazycon/freebicon etc.

Back to Cybernating.

Understanding DDOS Mitigation

2012-06-03T17:10:00.000+05:30

Hi all,
Its been a long time since I have posted anything, sorry for the same. I hope you will be following my twitter feed/ facebook for updates of what I have been doing nowadays, if not, no problemo , I know we will still get along well. This time I will be covering DDOS mitigation methodologies which might come handy to you in long term. I actually though of hosting a free for all DDOS server for testing , but then, it didnt materialized well and I am sharing a concised view of my part which I covered . Please be noted I am only sharing what can be made public ;)

Understanding DDOS Mitigation by Rishabh Dangwal

How to Play Devil May Cry 3 SE (dmc3 se) on PC with normal controller with xpadder

2012-04-10T01:06:00.001+05:30

Well..its been a long time I am writing a gaming article, I actually got bored of playing with routers and thought to give myself a break and return to hack and slash genre. I picked up Devil May Cry 3 Special Edition (dmc3se) for my laptop, and the game is a poor port by Sourcenext which are equal culprits in porting Onimusha 3, Resident Evil 4 on PC on behalf of Capcom , its a pity that Ubisoft (which marketed the game for PC) and Capcom wasted such a brilliant opportunity for catering PC gamers. The issues which are faced by game are -

Worst control scheme ever devised, controls by which only monkeys can play
Poor graphics and shadow effects
Bad joystick detection.
Even Worse analog stick detection and camera issues.
Choppy music.

If you are reading it, I guess you have already felt the pain and googled it a lot. Well, fear not , I will counter them one all : ] just read on.

Let me divide the problem into 2 categories – control issues and other issues. Well..I divided it into these two because the solution will address them in the following manner. First, Install the game properly, choose the correct directory (or whatever you want) insert correct serial key, make sure its a clean install.

Once you have done that, head on to Ubisoft and download the latest 1.3 patch for your respective version. Its absolutely critical to download and install this patch for solving the issues.

Once done, open the patch and install it. Your Music, graphical issues shall be solved as of now.

Solving Controller Issues

With 1.3 patch, you will be getting a utility GPadCfg.exe at your game directory for configuring gamepad. Open it and click on edit, click on the buttons in the picture and press respective button on gamepad.

Once done, DOUBLE CLICK on save button to save the config. Dont click on L<->R REVERSE button.

Now, your controller is mapped to game. Now go to game directory and open DMC3SE.ini . Make sure to make a backup of it though. GO to end of DMC3SE.ini and look for the section for your gamepad config. It will look like this.

Now, edit it, such that L3 and R3 (the analog buttons) are cleared.

Now , download xpadder 5.3 from here . Once downloaded, open it . In case , you are using Windows 7 and it doesnt opens, right click on Xpadder.exe, go to compatibility and run it in Windows Vista SP2 mode.

Also, go to folder where DMC3SE is installed, and give full permissions to the user.

Now open xpadder.exe, make sure your controller is connected to your PC/Laptop. Click on controller icon to create a new profile.

Go to stickds/button/dpad tab and enable and press the respective buttons.

Once done, go to finish tab and click on close.

Once done, click on the buttons on the interface and map the LEFT ANALOG to W, A, S , D keys on the keyboard .

Your final xpadder configuration will look like this.

Save it. Now open the game and enjoy : ] , your controller will work fine.

I hope you will enjoy the game as much as I am enjoying it : ]

Emulation and Me–The gamer Side of me

2012-03-10T03:20:00.001+05:30

First of all, sorry for a late post, I have been busy in researching DDOS mitigation solutions, and have been going through a lot of data sheets, specs and devices for the same. Also, Prohack celebrated its one more year of its technological legacy and I thought why not to cover about what made me tick and started it all..Well...to be frank, it was the games, old school games.

The earliest memory of a videogame I played was at the local computer centre (Hind Computers) at my local town, it was Jordan Mechner's Prince of Persia in mid nineties, well..I remember the beautiful graphics on the monochrome monitors, elusive I must say, but I knew I was hooked to it for my life. It was also my first interaction with computers.

The 90's were a sort of a period when you can get your hands on an Atari (if you were lucky) , a PC (if your parents were either merchants and needed the machine for their financial transactions..or just hard-core geeks) or Terminator Ending Man series of NES clones that later in early 2000's flooded the market. The arcade scene boomed (provided you knew the places) and old CPS1 machines saw bouts of Street Fighter 2, Cadillac's and Dinosaurs (Fondly called as Mustafa due to the titular and strong character of the game) and if you were lucky Tekken 3 .

As time progressed home consoles, as I already said I witnessed 8 bit revolution in India when it was almost forgotten by the east and west. Well..not bad for me. I got my hands on an NES clone (Media 1000) for which I was able to get the Chinese/Taiwanese multicarts every once in a while, and witnessed the greatness of late eighties and early 90's in the form of Mario, Mario 3, Contra , Super C, Rockman , Mighty Final Fight, Metal Gear, Zen - The Intergalactic Ninja, Kage (Shadow of Ninja, Jap version) , Nekketsu series, Summer Carnival 92 - Recca , Little Ninja Bros,Disney’s Jungle Book, GIJOE, TMNT 3/ 4 Tournament Fighters and much much more..and to be frank, Capcom, Konami and Nintendo were my Gods .

I witnessed 16 bit gaming during my summer vacations at modded arcades at Dehradun (Tibet Coloney, Buddha temple, they are still there today), modded in the sense that they were home consoles of Sega Genesis/Mega Drive and SNES, which were fitted with Hori Style arcade sticks and hooked up to make shift cabinets, when for 5 Rs you can get your hands on Ultimate Mortal Kombat 3 , Comix Zone, Contra Hardcorps, Street Fighter 2 , Super Mario World for 30 minutes and lots more. Players duelled there and its there I got my first taste of fatalities in UMK3, and I am still good in pulling them off without breaking a sweat. Its there I had my first contact with 3d fighters like Tekken 3, Street Fighter Ex/EX2/plus , Mortal Kombat 4 and many more and I longed for my summer vacations so that I could go to my native place and play the games .

Growing up, I had my first RPG as Little Ninja Brothers by Culture Brain, when I bought the multicart, I was perplexed by the gameplay as I wasn't used to the concept of resource mining/hogging, spells, random encounters and a chained story. Getting dragstar, beating Devillion, getting to Yokan , the 7 bells..I now realise how generic it was , but back then , the sweet taste of going into an adventure in your own way was awesome. Nevertheless, I had a record of beating each game I got and mastering to the point of flawless execution, a thing that needed time which my parents frowned upon, a lot. The second thing they hated the most was the chiptune music which I liked a lot (still have a great collection of them today :) in my cell phone ) which later hooked me to the demoscene, I am a fan of the Farbrausch, .theprodukkt, Fairlight, mfx, kewlers and used to enjoy the intros/cracktros in my pastime.

Then there was Prateek, he had a blazing fast Pentium 3 at his home and I remember him cursing Windows and playing Dinocrisis (and swooning on Regina :P) , on a side note, we also started our experiments by getting a copy of Turbo Linux, experimenting with it , then after bouts of frustration and incoherent manuals (it was a time when IT WAS HARD finding the correct Linux drivers for your box, coding them was out of question since we were kids) but that's a different story. Doom , Dangerous Dave and Wolfenstein 3d was what we had with us at that time as shooters. Then after a lot of haggling, and by scoring good marks i was able to get a Sega Genesis for me (PAL version, used, with my first carts as Contra Hardcorps and Utlimate Mortal Kombat 3) and I spent my days tinkering with Super Hang On, Monaco GP, Rambo, Aladdin and lots more. It was during those days when I got a PC and then, my life was changed.

At that time, PC for me meant 3 things -

Games
Programming
Internet

Of which Games was the primary part and programming was done at late hours of night (VB/VBS if you are curious, it was in my courseware at school , I moved on to C as I got bored of dragging and dropping and wanted some real challenge).Initial games were Project IGI, handful of Virgin interactive classics (The Lion King..anyone ?) The real twist came when I picked up a dusty copy of Street Fighter Alpha 3 from a shop, and when I ran it from CD, a DOS based interface opened , and the game ran. But there was something peculiar about it, it wasn't exactly DOS based, I later figured out, the game ran in DOS mode using an emulator, which was a new term for me, but as a rule of thumb, anything that made me play games is something to be learnt and something to get good at, I started exploring them. I am lucky it was in those days emulation scene was still kicking ass, with fresh releases of Kawaks/Nebula/Final burn Alpha and all other CPS/CPS2/PGM emulation systems lots of documentation to read, a great community to mix and great games to play. It was then I found I had an inherent taste in emulation and I had a hand on almost all emulators which ever found their way to Zophar's Domain or scene sites. I found my own configurations that worked for me (and my own box) flawlessly, debugging through 68000 debugger in Kawaks , the first taste of loading games through Callous, and playing Super Mario World using SNES 9x (without paying money again, ever :D) .I used to play “borrowed” MAME roms on early builds of MAME and the understood the full glory of arcades . I remember playing Chronotrigger (the best RPG I played..ever) on ZSNES and dumping SPC files, only to be later converted into mp3 and then playing the sweet music on Sunday mornings. Nobuo Uematsu..thanks for making my childhood sweet.

It was due to emulators , I witnessed the actual history of gaming , starting from Spacewar to Atari, the console wars between Nintendo and Sega, the ditching of Sony by Nintendo, the revenge of Sony in the form of Playstation, the Sega 32 X, Saturn and the dawn of Sega, the tryst of Nintendo in the form of N64 , the console wars of millennium starting from the iconic date of 9/9/99 , the failing of Sega as a hardware developer and Dreamcast being ousted from market despite its innovations, the PS2 and Xbox and coming to the semi-present day scenario of PS3 vs XBOX 360 and the coming next generation of consoles.

Later on when it came to PC Gaming, we formed the Project IGI club, guys who started their PC gaming careers with their first game as Codemaster’s Project IGI and finding new and innovative ways to beat it. Also, when it came to PC gaming, Prateek and my brother Vaibhav , both hated me for emulators, according to them it was lame and the latest was the best, I on the other had found anything with a configuration file worth my time and played through all the classic titles one by one. The only game we all agreed was awesome was Mario Kart 64 on Project 64, hell, who would argue it was bad :) Then there were PlayStation emulators epsxe/pcsx/adripsx/psx and the best plugin pack you could get your hands on – Aldo’s Plugin Pack, having the best drivers from one of my favourite coder Pete Bernert , his fantastic plugins were easy to tweak/compile (courtesy of his PE oPs project) and had exceptional performance.

Coming of age , I got my hands on Halo: Combat Evolved, CS 1.6 , Hitman series, Max Payne series of which I still can repeat dialogues of Max Payne line by line, I just liked the Nordic ,violent,noir setting of the game like with a great story line. It was also at that time I came across modern emulators PCSX2 , CXBX/DXBX, Potemkin, XEON, Dolphin, Chankast and found except Chankast each one of them required to have an Alienware or Origin PC to even run the games (well, I wanted to play God of War at that time, bad..but they were on nascent stage then) , in laymen terms, they needed exceptionally high configurations just to croak . I also found Doom 3 also needed an Alienware to run :| literally.

After a while, I found the emulation scene started getting stagnant with few updates and releases and I started focusing on genres I haven't tried. At this point of time, I vaguely remembered a trailer of Metal gear Solid 3 : Snake Eater in an early review at Ten Sports, and thought to give a shot to the series starting of MGS on EPSXE.

That proved to be the most exciting gaming experiences of my life.

Well..i found it alluring, awesome storyline, well developed characters, a gruff snake and the best voice acting I have ever heard on a videogame . Wow..just wow. It was time for Metal Gear Solid 2 : Substance on PC and got my copy cheap off from a retail shop. the experience ? Well..2 words – Fucking Awesome ! I will cover it in a later review some other day. Also, during those days. I saw a demo of RE4 on a gamecube machine and its still the best survival horror game ever. Speaking of which, my life had came a full circle, Capcom’s Shinji Mikami’s RE , Capcom Clover’s Killer 7,Hideki Kamiya’s Devil May Cry, Konami’s Hideo Kojima’s MGS and Shigeru Miyamato’s Mario series..Everything a gamer could want. Capcom, Konami and Nintendo..the game Gods revisited again.

Mid and late 2000’s brought me Warcraft 3, StarCraft, Farcry, Half life 2 , Prince of Persia : Warrior Within (which I only play due to the refined combo system and kickass music by Godsmack) and CPS3. A special mention to Half Life 2 for the most immersive shooter of its time, although I wished the crap about G Man was solved :X . While Warcraft 3 and Starcraft are the best RTS experience, the reverse engineering of CPS3 encryption was what caught my eye during those days. One of the first POC emulators was written by Miguel Angel 'ElSemi' Horna better known as Elsemi of Nebula fame and one of the first games which I played was Street Fighter 3. Heck, CPS3 means Street Fighter 3, the finest and most technical fighting game ever made. Don't believe me ? well..just Google “Evolution 2004 Daigo” and you will know what I mean. Its the pinnacle of fighting genre only for the dedicated. Nowadays, add GGPO to it and you get a heady mix of online play in the most competitive manner in an already highly competitive game.

Nowadays, a lot of titles are revised, repacked and innovative games are being launched, you have got staples like Street Fighter 4, Killzone, God Of War 3 , Gears, RE, MGS, Super Mario Galaxy / Galaxy 2, Halo 3, Portal/Portal 2 (however I liked Narbular Drop just as much) and the innovation bandwagon of Bastion, Tower of Goo, Limbo, Bulletstorm,Journey, Infamous and a lot more..they are online and fun, the DLC allows for replayability , but still, I prefer the old school emulation any day over the current titles. Call me a nerd, but then, thats the way I am . As i type this , i have an opponent waiting for a rematch on Third Strike.

I had a great gaming childhood, if you had one, you might share my sentiments, else, I just might have some great geeky stories to tell you.

Mikrotik Routers rock– Cheap, awesome and beats Cisco at same price

2012-02-17T20:56:00.001+05:30

Working at Tulip Telecom has his own charm, you get your hands on an array of devices and lots of research . Well, i got my hands on Mikrotik routers, i have been working on them for a considerable amount of time (more than 6 months) and they are awesome. Here’s what i like in them -

Awesome Router OS
Extensive IP accounting which can segregate and display bandwidth utilization by IP,vlan,interface,source,destination .. and even more..you name it it has it.
3G modem/VPDN support.
Extensive Queue and filter support, with ability to use burst limits and can be extended on individual interfaces, vlan etc. its a full fledged firewall provided you know how to use it.
Wi-Fi support.
Can do Email, SMS/SMS gateway..Hell..you can even run a PHP server inside Router OS
Supports MPLS , BGP, OSPF, Multicast ,DHCP
Netflow server
Packet capture, Wi-Fi snooper, packet capture can be opened using wireshark
Scripting support to insane levels
Hardware encryption
Easy to deploy
Stable..and Cheap
and much much more..

I would prefer it over a DD-WRT/Tomato enabled Linksys any day on a tight budget :) If only people knew about it..then i guess,picture would have been different for Cisco

Increasing Reliance Netconnect speed, Online Transaction failure and Customer Care woes

2012-02-01T00:37:00.001+05:30

Since my data card limit was over, so i got Reliance Netconnect from a colleague, thought it might come handy while posting “IP Subnetting - The easy way” at Prohack and some simple surfing, I was already skeptic of taking the data card actually as I previously had a very bad experience with Reliance Netconnect and doubted if their broadband services are any good. I bet my MTS Mblaze makes it eat dirt any day ,but I had no option at that moment and thought , lets give the fucker another chance.

Ah well..you can say it was more than bad. Firstly, the data card has pretty bad speeds (~30 KBps) and then connection dropping issues. Mind you, I live in Delhi NCR and get full signal bars all the time on Reliance Netconnect Broadband + but still it barely managed to load Facebook. I thought, why not to change the DNS, on experimenting, I found Open DNS and Verizon DNS to be the most stable of all and I got a speed boost of 90-100 KBps : ]]

Here is how you can Increase speed of Reliance Netconnect Broadband + datacard -

Plugin your data card, launch application, go to settings, click on edit.

Click on advanced and put DNS server IPs. I found Verizon 4.2.2.2 //4.2.2.1 and Open DNS 208.67.222.222 // 208.67.220.220 work best for me. You can also try Google DNS 8.8.8.8 // 8.8.4.4 . Experiment and pick your choice.

Once done, click OK, save it and connect. you will get improved speeds..The whole process makes me wonder why Reliance’s default DNS is so slow . Do they even use their datacards at their home ? :|

On to my story, Since, even after changing DNS, the speeds were not good enough for me, so I thought, why not to recharge my MTS Data card online and then use it. Instantly I opened MTS website and after entering required details, transferring money to MTS from my online account, the page hanged and session was timed out. Responding to my sense of deja vu, I checked the data card and found it was not sending/receiving any data. the fucker dropped the connection just I when i was about to get my transaction completed.

I guess it took its revenge :X

I immediately emailed to MTS customer care/RechargeItNow/Bank customer care and I have *yet* to receive a helpful followup message on email. I contacted MTS customer care on phone and entered 1,1,1,1,<datacard MDN number>,1 waited for 2 minutes 46 seconds (yeah..i timed it) , the automated IVR said “after several tries you have not entered any number, so we are transferring your call to our expert” . Well..it wasn't my fault, again, there is some fault in their system as I tried 3 different valid MDN numbers later on and I got the same result. Nevertheless, I was put on call with an *expert* to whom I explained my issue and asked for escalation matrix, the details of email ID and in simple words, “what to do in case of transaction failure, the MTS way ? ”

The result was flabbergasting, the CCE spoke in an english which by all means was incomprehensible to me, I politely disconnected the call and then fumed for 2-3 minutes while looking at the Reliance datacard.

Protip : If you hate someone, gift him a Reliance datacard and watch him cry tears of blood :P

In the meantime i am still waiting for a positive response from my bank/MTS/rechargeitnow.

That was last night and I guess i have been outsmarted by a pathetic Reliance Netconnect.

IP Subnetting – The easy way

2012-01-29T23:23:00.001+05:30

Is network subnetting driving you crazy ? Does binary math gives you headaches ? well..fear not, since the time i have delved into networks, i have gone through all the oohs and aaahs and the NAH’s of the logical crescendo , and I present you the easiest way to do subnetting. Generally,3 questions are being addressed when subnetting an IP-

No of subnets
No of valid hosts and
Host range/block size

We will tackle them one by one. First you need to know about IP addresses and their classes.

Class A includes 0-127 where 0 and 127 are reserved, the default subnet mask for this class is /8 .

Class B includes 128-191 in their first octet, and the default subnet mask for this class is /16

Class C deals with 192-224 in their first octet and the default subnet mask for this class is /24

Also, also, understand a simple concept, subnet masks lying between 8- 15 are A class masks, from 16- 23 are B class and 24-32 are C class masks. Furthermore, a subnet mask can be expressed as this where (N)etwork value and (H)ost values-

Class A : 255.0.0.0 = NNNNNNNN.HHHHHHHH.HHHHHHHH.HHHHHHHH
Class B : 255.255.0.0 = NNNNNNNN.NNNNNNNN.HHHHHHHH.HHHHHHHH
Class C : 255.255.0.0 = NNNNNNNN.NNNNNNNN.NNNNNNNN.HHHHHHHH
Class mask value 8 16 24 32

Now once you see it, lets tackle some real life questions. Lets find the no of subnets and valid hosts for 192.168.10.10/18

See this ? its a C class IP address having a mask of B class (as the mask lies between 16-24) now, in order to find the number of subnets, use the following formulae -

2 ^ (What mask you have been provided – default mask of the IP address given)

putting the values here..

2^(18-16) –> 2^(2) –> 4 subnets

simple : )

Now for calculating the no.of hosts, use the below formulae -

2^(32- what mask you have been provided) –2

Putting values here..

2^(32-18)-2 -> 2^(14)-2 –> 16384-2 –> 16382 hosts

piece of cake ..

now to find the block size, see the provided mask lies between which next default mask value , which in this case is 24 (as 18 is greater than 16 and less than 24) . So ..

Subtract the provided mask with the class mask value which is greater than it.

2^(Next class mask value – provided mask)

which on putting values will be

2^(24-18) –> 2^6 –> 64

So, the block size will be of 64 . So, the IP addresses will be divided into 4 subnets (which we already calculated above) above as -

192.168.0.0 - 192.168.63.255

192.168.64.0 – 192.168.127.255

192.168.128.0 - 192.168.191.255

192.168.192.0 – 192.168.255.255

And the best part, its applicable to all classes : )

Happy Subnetting : ]

Chinese Hackers Trojan-ize US Access Card - The curious case of Sykipot Trojan

2012-01-14T22:27:00.001+05:30

Researchers at AlientVault have uncovered a new strain of Sykipot Trojan which has been used to compromise the Department of Defense-sanctioned smart cards used to authorise network and building access at many US government agencies, the Trojan has been adapted by Chinese hackers in order to lift credentials from compromised systems in order to access classified military networks. The Trojan inadvertently targets PCs attached to smart card readers running ActivClient, the client application of ActivIdentity, in what's been described as a 'smart card proxy' attack.

Read the full Story at the Register

WiFi Protected Standard vulnerability – Cracked, Bruteforced and Documented

2012-01-03T16:05:00.001+05:30

A new critical flaw in Wi-Fi Protected Standard (WPS) has recently been uncovered by Security researcher Stefan Viehböck that leaves wireless routers open to attack. The inherent vulnerability lies in the design protocol that splits the 8 digit PIN in two halves which reduces its complexity and henceforth the time required to crack it. Simple permutations and combinations deduce that an 8 digit pin will create 100 million possible combinations and during his testing Stefan found it takes 2 seconds to test each combination, so bruteforcing was not a feasible option.

Unfortunately, after entering the first 4 digits of a pin, the protocol used by WPS confirms if they are correct or not, which means the pairs can be attacked separately. Also, the remaining 4 digits is just a checksum, so if an attacker has the first 4 digits, he just have to try ~1000 combinations to crack it open , which brings it to a total of 11000 different combinations to the correct pin which reduces the attack time into a matter of hours. You can find the documented PDF here and read the awesomeness.

I guess router manufacturers are up for a software fix, till then , I guess we all have to go back to MAC address .

You can also read how to Hack Wifi using Backtrack , How to detect if someone is using your WiFi or how to detect WiFi hotspots . If you are having an Android, you can also read about how to use your Android for Wardriving.

Happy New Year 2012

2011-12-31T16:25:00.001+05:30

Okay folks :) Its that time of the year again when you can get high (me on red bull) and celebrate like there is no tomorrow (literally..2012 anyone ? ). Happy New Year everyone..I have taken a lot of resolutions for 2012, and I will make them true .. that's one more resolution for me.

As a roundup of 2011, I got hired at Tulip Telecom and now oversee the good, the bad and the nerdy side of security there along with network operations,ranted about the current security scene,wrote about Top Indian Hackers, I got my HTC wildfire (rooted and still kicking ass), got myself a new laptop , got interested into networking, hacked routers and did a lot of research on exotic fields if you have been following the Prohack FB page lately. I am sorry for absence of posts though, which can be attributed to me getting busy on a lot of side projects and on my Job. One of resolutions for 2012 includes giving more time to Prohack and I will see it through .
Nevertheless, stay awesome ! and Have a safe, sane and awesome 2012 .

-Rishabh Dangwal

5 software I cant live without on my laptop (Windows) – A look inside the self confessed geeks laptop and mindset

2011-11-14T22:53:00.001+05:30

Hello fellas,

I purchased a new HP DM-3210AU machine in October, an amazing piece of hardware and one of the highest rated netbook/sub notebook of all time, and yes, I am quite impressed with its performance and capabilities. I finished my share of Call of Duty 4 on it, prepared GNS3 Topologies over it with ease and the machine chomped away everything like a no brainer. In case, ou have been wondering where I had been, you might like to read about it or want to join the Facebook page where I post more frequently .

Well..continuing to my desktop,here is how it looks : ) .

Well..then out of blue (and I think it was Redbull) I decided to write an article on 5 software I cant live without on my new machine , which allows me to simultaneously multitask on it with ease and efficiency. Consider it as a follow up of Top 10 software I cant live without on my PC.

Windows Live Mail

Now here is one of the good things Microsoft has invented, the next generation of Outlook express, simple, easy to use, intuitive and FAST. Though you will argue why I don't use Mozilla Thunderbird over it , well..Mozilla thunderbird is almost takes the same amount of memory as its Windows counterpart, but is twice as slow in terms of interface, and speed matters to me much while checking emails, I do hope you will agree with me. Although I do hate the calendar feature of live (which is a pain due to various issues) but still, it does the primary job it was conceived for.

Download it from here.

Virtual Wifi Router

Again, an amazing piece of software that frees you from the headaches of Android Adhoc wifi patching and the likes of purchasing buggy paid software like Connectify for creating wifi network with ease. I was fed up of creating adhoc networks on Windows 7 and check that my HTC Wildfire (Cyanogen mod 7, version 2.3.7) was not able to properly detect it, there came Virtual Wifi Router to the rescue and trust me, its the best Wifi Network sharing software you will ever get. Highly recommended !!

Download Virtual Wifi Router

K-Lite Mega Codec Pack

Power user friendly yet easy to install , this codec pack will just blow you away, no need to install any other x-y-z player to do the job if your windows media player can play everything (i actually like to keep my laptop clean and use it with minimum software) from the most popular formats to arcane ones..and even allows for great amount of tweaking using its ffdshow interface. link it up with Virtualdub and you have a true gem. Included tools like Gspot, mediainfo and more add the cherry to the already delicious cake . Again, no need of VLC (unless you are into multicast streaming, to confess, i am not much of a VLC fan) and no need of anything else, one codec pack to rule them all : ) .

Download from here

GNS3

I dont think I need to elaborate upon it, since the time I have joined Tulip Telecom, it has been a part and parcel o my life, simulation of complex network topologies and whacky late night experiments (you know about them if you have been following the facebook page) are all possible because of this open source tool. Be it Cisco or juniper, it handles it with ease and the best part is that its hackable, configurable and programmable till the last drop. I have my custom version running over windows (self compiled :) ), pair it with putty connection manager and you are good to go. Also, you might want to look at sample GNS3 tutorials I posted at Prohack or more at the Facebook page.

Download it from here

Google Chrome

Now again..love it or hate it, yet I find chrome as indispensible as a browser, I had issues with Mozilla Firefox (old memory bastard) and Internet Explorer 9 (old bastard), Opera is a favourite but again, I had some issues with it again (opera link issues, broken plugins) , so I finally settled on chrome for general browsing and acceptable response times, but when it comes to testing some web based apps, i jump to Opera for the same for its intuitiveness. Trust me, when it comes to choose a browser, i call it as a choice between evils. So go with the lesser one . You might also want to look at Google Chrome Easter eggs

Download it from here

Well..that sums it up I will be back with some more ramblings of mine.

Till then,

Stay Gold..

Rishabh Dangwal

Diwali Celebrations and Answers to common questions (which people have been asking me)

2011-10-26T23:07:00.002+05:30

First of all..Happy Diwali to everyone :) The festival of light , may it brings the best out of you .

Happy Diwali Everyone :)

In the mean time, there have been a lot of commotion going behind the scenes .. lots of emails asking whether I have gone into some kind of digital hibernation .. So, I will be answering the most common questions here ..

Question : What are you doing these days ?

Answer : Networks..Networks..Networks..and lots of exotic research on some exotic devices..plus some thing related to android,android service codes,gns,cisco,juniper and random stuff about explosives.

Question : Explosives ?

Answer : No typo :) i am into it actually for quite a long time. Home made stuff rocks if you ask me. (and if you are careful)

Question : Okay..so, why no updates ?

Answer : Call it , lack of time (dedicated internet included) .. I am sooo busy in company work that I am not able to post some wonderful findings I have dug up.

Question : Why dont you reply to mails ?

Answer : I reply to each and every mail I get, no matter how "flabbergasting" it may seem to me and only if it gets past my "SPAM" filters.

Question : When you will be back in fulltime writing

Answer : Cant say, I write when I am free..and I will stick to it till I get on a vacation.

Stay Amazing..
Rishabh Dangwal

I too Intended to join a Security NGO (period) and I was proved wrong.

2011-09-22T00:56:00.000+05:30

I came to know about HANS when one of my friends joined it,and eventually I was interested. Hence I thought some research shall suffice before joining one.

PS : bear with me, I am on my android and my thumbs hurt :| Also, in some places, the formatting might not be correct, android blogging issues .

I actually visited their site http://www.indianhans.org had a look at it and found that it had -

A non working Facebook login api system which actually logs you out when you do try to log in, tested it on chrome 14.0.835.163 m / Windows 7 (office PC after hours). Also, a flawed login system that allows you to login inside the side without email confirmation, also PHP code is vulnerable.
Some outdated references to outdated CVE's and nothing of particular interest.
Some 0days which have been patched up long time ago
Whitepapers that on google hacking and mobiles which have been published like wildfire in late 2000's, again nothing of particular interest here
The "Team" that comprises less of experts and more of management folks. No one with any background of security here.
Link to Indian HANS youtube channel.
Pretty crap and old flash games about hacking. LAME !
Backtrack introduction (mainly) and no technical tutorials in short
Zero original research.

Disillusioned, I wrote a mail to Indian HANS team and queried Indian HANS team regarding the services they provide and what they do -

Subject : Queries for Indian Hans team from a Security Enthusiastic
Dear Indian HANS Team,

I have some queries which I would like to be answered -

What is the ultimate motive of HANS ? Are you consultants ? If YES then on what grounds ? If NO, then ,

Can you provide links to your -

Original research

ORIGINAL technical advisories/papers

Tools that you wrote

Code that you released

Configurations of exotic software

Exploits and modules

0day/0hour vulnerabilities

Vulnerabilities what you found

Cases of complexity that were solved

CVE

Documentation of exploits

Original findings

Which fellow infosec researchers are working at HANS? All i found was more of management guys (seriously?) volunteers,executives,technical experts,naive girls,inexperienced folks but no security folks or self confessed hackers with known security experience and expertise.

What is the symbiotic influence of joining Indian Hans ? Or Why SHALL we join HANS ?

--
Warm Regards,

Rishabh Dangwal
Network Security Analyst
TheProhack.com | Rish.co.in
India

"0x72697368 was here, 2620796f75206172652077617374696e6720796f75722074696d65202e2e2064756d62617373"

and waited.
A day passed and the reply came.

Subject : reply to an abuse mail

Warm Greets,

First of all I would like to say thanks, for being so concerned about our organization.

Following are the thoughts I would like to share about our organization.

1) Our motive is to fill the gap between the cyber victims and the security experts, as many times we felt that in spite of availability to many security experts in market still victims are not able to get there answers.
2) Yes, we are consultants/Knowledge Sharers as we guide the common measures to cyber victims and government bodies [maharasthra/Punjab police]such that they can overcome a cyber crime rate.
3) I have written 2 International Papers :
· In response to Google Hacking
· Future Email Security

And 2 national papers:
· Mobile Security and upcoming challenges
· Acknowledgement based System for Mobile Security.
4) I have not written any security tool/configurations yet But, I write other Business applications for Accenture as an Associate Software Engineer.
5) We have solved numerous cases which deals with daily cyber problems including ATM cloning case [chandigarh], Source code theft case [Pune], Abuse email, fake profiles, email threatening and other hundreds. www.youtube.com/theindianhans
6) Ya, you are right 90% of our Organization members have managerial skills, because we strongly believe that having only technical knowledge is not enough to cease the cyber crime rate, because solving a cyber crime is thinking out of the box process.
7) Joining a HANS, shows your commitment towards our society, that you have a zeal to help others with your knowledge and skills.

I also wish to bring to your notice without hurting your ego and sentiments that,

We are not competitors of any private owned body who work only for money. Many times we get such mails which prove that really HANS is doing a greats job. These kinds of mails show our Power of being united and our influence on other private organization. It is my humble requests kindly don’t compare our NGO with other private organizations as our motto is different. we don’t believe in writing the viruses, exploits, tools and other stuff because these things wont help a common man who is not IT literate, to overcome a cyber problem. I wont ask you same the questions as I have nothing to do with same. I hope I have given your answers without hurting you and your team members feelings. I highly apologize if I did so.

Thanks

Happy Hacking

HANS TEAM.

Now that was interesting, my mail has been treated as an abuse email, well..nevermind. A rather to-the-point approach may be confused with that. Well, what they said -

1) Our motive is to fill the gap between the cyber victims and the security experts, as many times we felt that in spite of availability to many security experts in market still victims are not able to get there answers.2) Yes, we are consultants/Knowledge Sharers as we guide the common measures to cyber victims and government bodies [maharasthra/Punjab police]such that they can overcome a cyber crime rate. I actually expected that HANS shall justify itself as a for-profit/not-for-profit organisation and why it requires money to join it when the elite organisations for example Null is a self sustained, free and aimed at the very thing HANS intends to achieve. helping naive people ? Ofcourse..thats why a lot of organisations has been growing like mushrooms (kaizen ?) and making money from it by joining it. The core thing is that i am 100% sure that volunteers / infosec reserachers wont learn anything new and will waste their time here.

moving on ,

3) I have written 2 International Papers :·In response to Google Hacking·Future Email Security And 2 national papers:·Mobile Security and upcoming challenges·Acknowledgement based System for Mobile Security.Great..i disregard them as recycled content, already checked it. 4) I have not written any security tool/configurations yet But, I write other Business applications for Accenture as an Associate Software Engineer. that was fine with me. 5) We have solved numerous cases which deals with daily cyber problems including ATM cloning case [chandigarh], Source code theft case [Pune], Abuse email, fake profiles, email threatening and other hundreds. www.youtube.com/theindianhansAgain, they have solved a lot of cases and hundreds , i would regard it as weasel terms. no journal on how they were solved, the method, instrumental techniques, research employed, tools/techniquies deployed, the collaboration, nothing covered, nothing said, just distorted videos at youtube. Again..no references to it. 6) Ya, you are right 90% of our Organization members have managerial skills, because we strongly believe that having only technical knowledge is not enough to cease the cyber crime rate, because solving a cyber crime is thinking out of the box process.7) Joining a HANS, shows your commitment towards our society, that you have a zeal to help others with your knowledge and skills.

How management can help decrease cybercrime rates is beyond me unless they really have the skills to get it in their heads. All aboard the failboat here.

I also wish to bring to your notice without hurting your ego and sentiments that,

We are not competitors of any private owned body who work only for money. Many times we get such mails which prove that really HANS is doing a greats job. These kinds of mails show our Power of being united and our influence on other private organization. It is my humble requests kindly don’t compare our NGO with other private organizations as our motto is different. we don’t believe in writing the viruses, exploits, tools and other stuff because these things wont help a common man who is not IT literate, to overcome a cyber problem. I wont ask you same the questions as I have nothing to do with same. I hope I have given your answers without hurting you and your team members feelings. I highly apologize if I did so.

thats nice of you,and encouraging, but since you dont write viruses,exploits,0days or anything remotely related with it, then -

Why they are linked in your website at http://www.indianhans.org/index-4.html ?
How do you decipher complex hack jobs them when most of your team is management one with no background of security

Anyways..i fired up my android and wrote a reply.

Subject - Re: reply to an abuse mail
Dear Indian Hans,

The email was not an intended as an abuse email as indicated by your subject, I would rather pass your defenses as plain excuses for hiding underlying incompetence since it requires Money to join and still no viable, updated information/code/application (as you said you develop it as associate software engineer for organisations , yet saying that you bridge the gap) , accurate information (I studied the Google hacking and mobile whitepaper, the stuff has been published before a million times, hence I would just regard it something to enhance resume) and would consider your organization nothing but a money making enterprise run by homebrew entrepreneurs without any credible research, what you solved in cases what nothing I shall say of technical callibre or "hacking ", its in more generic sense called as tech support for those who know nothing about cyber security, while earning fame and money in the process.
I earlier thought to join it, hence inquired about it in a rather direct & to the point manner,but your response, links, references and treatment of it as an abuse email (?) makes me guess its in my best interest to stay away and convey the same to intended audience.
Stay superb

-sent from my android-

call me harsh, but that is the reality. And I am waiting for the reply. Now, I can say that I too Intended to join a Security NGO (period) and I now I am thinking otherwise.