Wednesday 18 January 2012


What is a buffer overflow? How can it be used to bypass firewall restrictions?

Description

In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety.

Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. They are thus the basis of many software vulnerabilities and can be maliciously exploited.

Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array.
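The adjacent-memory overwrite described above, as an added example that is not part of the original post. It uses Python's ctypes to lay out a real C struct and compares an unchecked copy with a length-checked one; the Record struct, its is_admin flag and the input bytes are hypothetical and constructed for the illustration.

```python
import ctypes
import sys

class Record(ctypes.Structure):
    # C layout: an 8-byte buffer with an int flag placed directly after it
    _fields_ = [("name", ctypes.c_char * 8), ("is_admin", ctypes.c_int)]

def unchecked_copy(rec, data):
    """Copy into rec.name the way an unbounded C copy would: no check against 8."""
    # Safety rail for the demo only: never write past the end of the struct itself.
    n = min(len(data), ctypes.sizeof(rec))
    ctypes.memmove(ctypes.addressof(rec), data, n)

def checked_copy(rec, data):
    """Same copy, but refuse input that does not fit the destination field."""
    if len(data) > Record.name.size:
        raise ValueError(f"{len(data)} bytes do not fit in {Record.name.size}-byte buffer")
    ctypes.memmove(ctypes.addressof(rec), data, len(data))

# Constructed input: 8 filler bytes for `name`, then the bytes of the integer 1,
# which land on the adjacent `is_admin` field.
OVERLONG = b"A" * Record.name.size + (1).to_bytes(ctypes.sizeof(ctypes.c_int), sys.byteorder)

def demo():
    """Return is_admin after the unchecked copy and after the rejected checked copy."""
    victim, guarded = Record(), Record()
    unchecked_copy(victim, OVERLONG)      # overruns `name`, flips the flag
    try:
        checked_copy(guarded, OVERLONG)   # rejected before any byte is written
    except ValueError:
        pass
    return victim.is_admin, guarded.is_admin

if __name__ == "__main__":
    print(demo())
```

The only difference between the two functions is the length comparison against the size of the destination field, which is the check C and C++ do not perform on their own.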

Firewalls and anti-virus software are meant to protect your computer from attacks and from viruses, but an attacker can sometimes bypass them and get root access to your computer; many techniques and tools are available to bypass or evade anti-virus and firewalls. Buffer overflow is the most common type of computer security attack that allows a hacker to get administrator access to a computer or a network. We have covered many tutorials that use Backtrack 5 against the Windows operating system; however, many exploits are also available for the Linux operating system.

I really don't know who the author of this video is, but the video contains a good example of a buffer overflow attack using an exploit.

Requirements

•    Backtrack 5 or Backtrack 5 R1 (Attacker)
•    Windows (Victim)
•    Metasploit
•    Apache
•    Brain

Video: http://player.vimeo.com/video/32105952

Sunday 15 January 2012

Basic techniques to hack website accounts

OK, now that I have your attention, please read this guide that will burst your bubble, beginner hackers. I am sorry for that. You CANNOT hack emails or websites with just one or two clicks with some email hacking apps. You need to have proper information about the person that you are hacking. If you see sites that claim that they can hack email accounts within minutes and charge hundreds of dollars for it, just laugh at them and move on. Do not waste money on them as they will just be scamming you.

There are two ways to hack Accounts of a Website.

Server Side Hacking: we’ll discuss that later on. If you want more about it, then comment.

Client Side Hacking

This method can be done depending on what you choose. Client side hacking is basically hacking the person's PC and extracting information. Antiviruses will detect the APIs, assemblies, etc. and prevent you from infecting them. In this case you need

1) Keylogging : This basically taps all the keystrokes that users type. When the user types a password, you get it. The victim needs to execute the keylogger "server" file in order to be infected.

2) Password Stealing : Here you steal passwords saved on the user's PC. Browsers often save passwords to provide quick login to the user, but this can be harmful sometimes. Here, same as with keyloggers, you need to execute a file on the client PC. You can use a combination of keylogger and password stealers, such as my Emissary Keylogger/Stealer.

3) Cookie Stealing : Here you are stealing cookies of the user. Cookies can be used to auto login as they hold information about the account.

4) Remote Administration Tools : These tools are very dangerous and give you full control of a computer. You can view webcams, desktops live, transfer and download files.

5) Social Engineering : Social Engineering is nothing but fooling someone to download your malware or extracting sensitive information from them.
One of the methods is this : Hacking Accounts through SE.


6) Phishing Attacks : Phishing is creating fake login pages similar to that of a website's login page and then fooling the person to enter their username and password into the login box. The triggered php scripts shall send the entered passwords to your log file.

7) Zombies/Bots : This is like keylogging and password stealing: if the victim executes your malware, he or she can be infected with a bot. A bot will connect them to your IRC channel or host server and make them your "Zombie". You can do whatever you want with them.

That covers the client part.


 

 

Saturday 14 January 2012

Pieces of advice for anonymous port scanning

Some pieces of advice:

1.  Nmap scan types that generate packets through the raw packet interface send those packets directly to the target, not through Tor. For example:
A connect() scan (TCP) will work with Tor, but using something like -sS connects directly to the target, revealing your true address.
2.  Nmap and Nessus will often ping a target to see if it is up before doing a port scan. This is usually done with raw ICMP packets; ICMP won't traverse the Tor network (since it's not TCP) and will reveal your true address.
When using socat, SOCKS4 does client-side DNS, so a target host name is resolved by DNS from your machine, not through the Tor network proxies.
Hence it is impossible to leak your source IP, because you tell your scanner to use 127.0.0.1 as the target IP. Therefore, nmap / Nessus has no host name to resolve, and in case you forget to tell your scanner not to bother with ICMP pings, you will end up pinging yourself – not the target directly.

Staying anonymous

Tor cannot solve all anonymity issues. It focuses only on protecting the transport of information. You need to use protocol-specific support software if you don't want the sites you visit to see your identifying information. For example, you can use web proxies such as Privoxy and open relays while web browsing to block cookies and withhold information about your browser type.
Be clever. Don't provide your name or other revealing information in web forms. Be aware that, like all anonymizing networks that are fast enough for web browsing, Tor does not provide protection against end-to-end timing attacks: if your attacker can watch the traffic coming out of your computer, and also the traffic arriving at your chosen destination, they can use statistical analysis to discover that they are part of the same circuit.
The Electronic Privacy Information Center (EPIC) maintains a comprehensive list that serves as a sampling of the best available privacy-enhancing tools.

Friday 13 January 2012

How To Perform Anonymous Port scanning using Nmap and Tor (Part-3)


Here are some of the entries in my Apache log that were a result of the scan:

212.9.32.5 - - [10/Jul/2005:17:29:56 -0700] "GET /Agents/ HTTP/1.1" 404 205 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:56 -0700] "GET /cgi-bin/viewpic.php?id=7&conversation_id=&btopage=0 HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:57 -0700] "GET /index.php?err=3&email= HTTP/1.1" 404 207 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:57 -0700] "GET /scripts/fom/fom.cgi?cmd=&file=1&keywords=nessus HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:58 -0700] "GET /scripts/viewpic.php?id=7&conversation_id=&btopage=0 HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:58 -0700] "GET /Album/ HTTP/1.1" 404 204 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:59 -0700] "GET /fom/fom.cgi?cmd=&file=1&keywords=nessus HTTP/1.1" 404 209 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:59 -0700] "GET /cgi-bin/wiki.pl? HTTP/1.1" 404 213 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"

The 212.9.32.5 IP address represents the host that is the last onion router in the random circuit that was set up by the Tor program.
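From the defender's side, the log entries above are easy to recognise. The following added example (not part of the original post) parses Apache combined-format lines and flags a client by scanner User-Agent and by a burst of 404 responses; the thresholds, function names and the final benign log line are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"')
SCANNER_AGENTS = ("nessus",)  # marker visible in the post's log; extend for other tools

def parse(line):
    m = LINE_RE.match(line)
    if m is None:
        return None                      # skip lines that are not in combined format
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect(lines, window=timedelta(seconds=10), threshold=5):
    """Return {client_ip: set_of_reasons} for clients that behave like a scanner."""
    findings = defaultdict(set)
    recent_404 = defaultdict(list)       # ip -> timestamps of 404s inside the window
    for rec in filter(None, map(parse, lines)):
        ip = rec["ip"]
        if any(tag in rec["agent"].lower() for tag in SCANNER_AGENTS):
            findings[ip].add("scanner-user-agent")
        if rec["status"] == 404:
            hits = recent_404[ip]
            hits.append(rec["ts"])
            while rec["ts"] - hits[0] > window:   # drop 404s older than the window
                hits.pop(0)
            if len(hits) >= threshold:
                findings[ip].add("404-burst")
    return dict(findings)

UA = '"-" "Mozilla/4.75 [en] (X11, U; Nessus)"'
SAMPLE = [  # the first five entries are taken from the log above; the last is constructed
    '212.9.32.5 - - [10/Jul/2005:17:29:56 -0700] "GET /Agents/ HTTP/1.1" 404 205 ' + UA,
    '212.9.32.5 - - [10/Jul/2005:17:29:57 -0700] "GET /index.php?err=3&email= HTTP/1.1" 404 207 ' + UA,
    '212.9.32.5 - - [10/Jul/2005:17:29:58 -0700] "GET /Album/ HTTP/1.1" 404 204 ' + UA,
    '212.9.32.5 - - [10/Jul/2005:17:29:59 -0700] "GET /fom/fom.cgi?cmd=&file=1&keywords=nessus HTTP/1.1" 404 209 ' + UA,
    '212.9.32.5 - - [10/Jul/2005:17:29:59 -0700] "GET /cgi-bin/wiki.pl? HTTP/1.1" 404 213 ' + UA,
    '198.51.100.7 - - [10/Jul/2005:17:30:05 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Because the source address is only a Tor exit relay, the 404-burst rule is the more durable of the two: it still fires when the User-Agent is changed, and blocking the single IP affects only that one circuit.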

Similarly, once you discover a vuln in a remote system, set up another instance of socat. Say, for simplicity, you are exploiting a web server (port 80).

[talha@localhost#] ./socat TCP4-LISTEN:1234,fork SOCKS4:127.0.0.1:202.163.97.20:80,socksport=9050

In Metasploit, when launching the exploit, set the target IP to 127.0.0.1 and the remote port to 1234. It's that simple, eh.

The above instructions may even be used to exploit program flaws in order to anonymously execute arbitrary commands on vulnerable hosts.

In the next post I'll give some advice related to this topic.







Thursday 12 January 2012

How To Perform Anonymous Port scanning using Nmap and Tor (Part-2)

The Solution:
A distributed, anonymous, secure network

Tor helps reduce the risks of both simple and sophisticated traffic analysis by distributing your web traffic over several places / servers, so that no single point can link you to your destination, which helps defend your privacy. It's like taking a random, zig-zag, hard-to-follow path to deceive somebody who is tracing you (what the heroes usually do against the villain in action films : ) ), then periodically erasing your footprints. Instead of taking a direct route from source to destination, data packets on TOR take a random pathway through several servers that cover your tracks, so no observer at any single point can tell where the data came from or where it is going.

TOR incrementally builds a circuit of encrypted connections through servers on the network. The circuit is extended one hop at a time, and each server along the way knows only which server gave it data and which server it is giving data to. No individual server ever knows the whole path that a data packet has taken. The client negotiates a separate set of encryption keys for each hop along the circuit to make sure that each hop cannot trace these connections as they pass through.

Once a circuit has been established, any information can be exchanged, and because each server sees no more than one hop in the circuit, neither an eavesdropper nor a compromised server can use traffic analysis to link the connection's source and destination.
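The per-hop keys and "each server knows only its neighbours" property described above can be shown with a small model. This is an added example, not code from the original post or from the Tor project. Assumptions: a toy SHA-256 stream cipher stands in for Tor's real cryptography, the next hop is carried inside each layer (Tor instead records it when the circuit is extended), and the relay names, keys and destination are made up.

```python
import hashlib
import json

def xor_stream(key, data):
    """Toy stream cipher (SHA-256 in counter mode); stands in for Tor's real crypto."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap(path, dest, payload, keys):
    """Client: add one layer per hop, innermost (last relay) first."""
    next_hops = path[1:] + [dest]
    cell = payload
    for relay, nxt in reversed(list(zip(path, next_hops))):
        layer = json.dumps({"next": nxt, "data": cell.hex()}).encode()
        cell = xor_stream(keys[relay], layer)
    return cell

def peel(relay, cell, keys):
    """Relay: remove exactly one layer with its own key."""
    layer = json.loads(xor_stream(keys[relay], cell))
    return layer["next"], bytes.fromhex(layer["data"])

def route(path, dest, payload, keys):
    """Send payload through the circuit; return what each relay learned and what arrives."""
    cell, prev, learned = wrap(path, dest, payload, keys), "client", []
    for relay in path:
        nxt, cell = peel(relay, cell, keys)
        learned.append((relay, prev, nxt))   # (who I am, who handed it to me, who gets it next)
        prev = relay
    return learned, cell

# Constructed circuit: relay names, keys and destination are made up for the example.
PATH = ["guard", "middle", "exit"]
KEYS = {name: hashlib.sha256(name.encode()).digest() for name in PATH}
DEST = "203.0.113.80:80"

if __name__ == "__main__":
    for entry in route(PATH, DEST, b"GET / HTTP/1.0", KEYS)[0]:
        print(entry)
```

Only the first relay sees the client and only the last relay sees the destination, which is also why the destination's logs show the last relay's address rather than the client's.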

Tor only works for TCP streams and can be used by any application with SOCKS support.
To experiment and write this small how-to, I set up a server on the Web that I wanted to scan from my home network using Nmap, Nessus, and Metasploit from my Backtrack suite installed in a VM. Here are the steps I followed to launch the scan / exploitation through Tor:

A. Install TOR: detailed instructions can be found on the website.
B. Download socat. This tool is an excellent multipurpose relay and will let me set up a local TCP listener that tunnels my connections through the Tor SOCKS server (listening on 9050).

Unfortunately socat is available only on BSD and *nix systems. To use TOR on Windows I would recommend using Privoxy or, better, installing the whole TorCP bundle.


Let us assume that the IP address of the host I wanted to scan was 202.163.97.20.
I invoked socat:
[talha@localhost#] ./socat TCP4-LISTEN:8080,fork SOCKS4:127.0.0.1:202.163.97.20:80,socksport=9050

The above command causes socat to listen on port 8080 and tunnel all incoming connections to 202.163.97.20 (port 80) through the Tor SOCKS server.

To use this on Windows you will need to:

1. Install Privoxy
2. Permit HTTP CONNECT requests on port 80 through your firewall
3. Browse to http://config.privoxy.org/show-status

C. I assume Nmap, Nessus and Metasploit are already installed and running. If not, you can find detailed instructions on their respective websites.
D. Launch an nmap connect or Nessus scan against 127.0.0.1 port 8080. Configure Nessus to limit the scan to port 8080 in the “Scan Options” tab.


In the next part you'll see the Apache log with some more details.








Wednesday 11 January 2012

How To Perform Anonymous Port scanning using Nmap and Tor (Part-1)

I have divided this tutorial into 3 parts, with some explanation of the theory first and the practical part later on. This post is for educational purposes only.

Description

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Web. It also permits developers / researchers to create new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that permit organizations and individuals to share information over public networks without compromising their privacy.
The Onion Router [TOR] is an excellent work towards defending online privacy. As with every debate about exploitation frameworks, security tools and vulnerability disclosures, such projects have also been the victim of criticism and of debates about the potential abuse they may cause, the dangers of teaching individuals a dangerous and potentially illegal craft, and giving them a ‘secure’ channel to hide their online presence. But let's face it, the bad guys already know about it (that is the reason they’re bad, eh). Although these channels of misuse and abuse do exist and cannot be ignored, the merits will always outweigh the harm the black-hat community may cause.

 

Regrettably, in the country I live in, even most of the senior know-how people I meet / see / have a chance to work with don’t have a clue about online privacy or the security of their information. Privacy is every individual's right, and is as important as any other basic human need. You will seldom require somebody tracking your IP, spyware tracing your network activity, and, the next time you try to experiment with something, a disagreeable small e-mail from an ISP admin saying that you were doing so-and-so. I am in no way TEMPTING you to do something wrong. It's all about your morale and motivation : ). The small how-to below is a kick-starter for getting started with TOR and experimenting with some stuff securely. Interested? Move on, but don’t go about emailing me that stuff like this is illegal to post and ought to be removed.

The problem

A basic issue for the privacy-minded is that the recipient of your communication / conversation, or even others, can see that you sent it by taking a look at the IP headers, or worse, trace the whole path. So can authorized intermediaries like ISPs, govt. organizations etc., and sometimes unauthorized intermediaries as well. A very simple type of network traffic analysis might involve sitting somewhere between sender and recipient on the network (man-in-the-middle) and looking at headers. But there are also more powerful kinds of packet analysis. Some attackers spy on multiple parts of the Web and use sophisticated statistical techniques to track the communication patterns of many different organizations and individuals. Encryption does not help against these attackers, since it only hides the content of Web traffic, not the headers (VPN? duh!!).


Tuesday 10 January 2012


Android security experts reply to Google's accusations: not charlatans, the malware threat is real

Last week, Google’s open-source software captain Chris DiBona radically wrote off the malware threat for Android. The engineer explained that the sandboxing models and underlying kernel simply don’t allow the traditional virus issue in the way that it has affected desktop computers. Moreover, he called anti-virus software makers for Android, RIM and iOS "scammers and charlatans." Ouch.

"Virus companies are playing on your fears to try to sell you BS protection software for Android, RIM, and, iOS. They are charlatans and scammers. If you work for a company selling virus protection for Android, RIM or iOS, you should be ashamed of yourself," DiBona posted on Google+.
That couldn’t have gone unnoticed and it hasn’t - Denis Maslennikov, malware analyst at Kaspersky Labs, one of the anti-virus software makers begged to differ: “Today malware for Android devices is one of the biggest issues in [the] mobile malware area. The growth of numbers of malware for Android is significant in [the] last 5 months. In June we've discovered 112 modifications of Android malware, in July - 212; August - 161; 559 in September; 808 in October."

Now, the catch here seems to be in the definition of malware. DiBona stressed that it’s viruses in the traditional sense that are not an issue for Android and revolted against the practice of selling a product by marketing it as “anti-virus.” Security companies however point out that their apps tackle the growing number of Trojans, but also other cross-platform threats like phishing or premium fee scams. 
Interestingly, F-Secure chief researcher Mikko Hypponen admitted that virus protection is merely a bonus feature of their mobile software: "What he [DiBona] is missing is that mobile security tools (like ours) do much more than just antivirus. Antitheft, remote lock, backup, parental control, Web filter -- these features are the main reason why people buy mobile security products. They get antivirus as a bonus," he said.

AVAST Software expert Ondrej Vlcek also agrees that users following the best practices should feel safe, but pointed out that most users don’t, and that’s where the problem stems from.

How do you personally look at the mobile security apps for Android - do you perceive them as revolving mainly around virus-protection or is anti-virus only a bonus for you when you download them?
Source:  PC World, Google
Author:  Victor H.
Time: 23 Nov 2011, 03:04