Skip to main content

Posts

Showing posts from March, 2013

Ethical HaCking 0x04

Security is the separation of an asset from a threat. Security as practiced by the military generally means destroying the threat. A non functioning threat is no longer a threat. So to separate the threat from the asset, you have three options: • Physically remove or separate the asset from the threat. • Destroy the threat. • Move or destroy the asset As you know destroying assets is undesirable and destroying threats is not feasible.so most of the time we separate the two from each other. Elements of Security Separation can be done by using following elements: 1:Visibility 2:Access 3:Trust Visibility can be an opportunity for an attacker.What an attacker see,learn or glean into help him in his attack.But think if attacker cant see, then he wont even think of attacking on that thing.Linux provide better ways to go invisible.In linux you can easily DROP ALL such request which can make you visible,like ping replies etc.Unfortunately, visibility is a necessary part of m...

Blind Sql Injection

I will be using a very simple example right now.Soon i ll be posting screenshots of sql injection done on my localhost http://www.site.com/news.php?id=5 when we execute this, we see some page and articles on that page, pictures etc... then when we want to test it for blind sql injection attack http://www.site.com/news.php?id=5 and 1=1 <--- this is always true  and the page loads normally, that's ok. now the real test http://www.site.com/news.php?id=5 and 1=2 <--- this is false so if some text, picture or some content is missing on returned page then that site is vulrnable to blind sql injection. 1) Get the MySQL version to get the version in blind attack we use sub-string  i.e http://www.site.com/news.php? id=5 and substring(@@version,1,1)=4 this should return TRUE if the version of MySQL is 4. replace 4 with 5, and if query return TRUE then the version is 5 http://www.site.com/news.php?id=5 and substring(@@version,1,1)=5 2) Test if subselect works...

Pentest LAb 0x02

module ms08_067_netapi This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. Use google to find more public information or metasploit focused papers. Reading exploit module On backtrack5, the metasploit is deployed into /opt/framework3/msf3. You can read exploit module on dev.metasploit.com or localy in /opt/framework3/msf3/modules/exploits/windows/smb/ms08_067_netapi.rb. Main class I don’t know right Ruby terms, but what is important, try to get experience by reading eventhough you don’t know exact language syntax. When you are familiar with python or PHP it will be easy then you think. Exploit integration starts with “Ruby class – “Metasploit3″ which is it derived from parrent class Msf::Exploit::Remote and includes some code from module Msf::Exploit::Remote, Msf::Exploit::Remote::SMB. class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::S...

Intel Ping Of Death!!

Do you remember the old Ping Of Death attack?? How cool was it ?! At that time breaking the stack was as simple as breaking the modelling assumptions, for example breaking the stack in 1997 was as simple as sending to the target stack a unexpected length in the ICMP packet ! The time being where a malformed source and destination address caused the smurf attack. After those implementation mistakes, developers, engineers and the developing frameworks became more and more sophisticated, became more and more complete in term of security checking. It is a long time since I saw another mistake like this ! ... Until today ! Today I've read a post talking about another implementation bug in the TCP/IP stack made by Intel engineers. The writer shows how the Intel card ( 82574L ) shouts down if a specific value (0x32) is placed into a specific address ( 0x47F). Which basically means if the ASCII "2" is into a specific address in the sent stream. Let's take a closer look to t...

Procedure Linkage Table And Global Offset Table

 It's a way to get code fixups without having to maintain a separate copy of the code for each process. The PLT is the procedure linkage table, one of the structures which makes dynamic loading easier to use. printf@plt is actually a small stub which calls the real printf function. This real function may be mapped into any location in a given virtual address space so, in order to allow proper code sharing of your own code (left side below), you don't want to apply the fixups to it directly since it too can be mapped anywhere in the virtual address space. The plt variant is a smaller process-specific area which isn't shared so a given process can change that however it wants to. In other words: Mapped to: 0x12345678 0x90000000 0x88888888 +-------------------------+ +----------+ +---------------------+ | | | Private | | | ProcA | | | PLT/GOT | | ...