aLt's Security Blog

There are three different types of Cisco IOS passwords. 1) Cisco IOS type 0 passwords There is a command in Cisco IOS that can be issued to encrypt all passwords in the configuration file. If this command is not entered into the configuration file then all passwords (except for the enable secret password) will appear as plaintext as shown below: username admin privilege 15 password 0 cisco From the above lines in the Cisco IOS configuration file we can see that in this example the user admin has a password of cisco. The above passwords are noted as type 0 (zero) as shown by the zero that precedes the actual password. Type 0 passwords use no encryption. 2) Cisco IOS type 7 passwords  The command that is issued to encrypt user passwords is "service password-encryption" and this command should be entered from the Cisco router configuration mode prompt. If the "service password-encryption" command is issued then all type 0 (zero) passwords are become encrypted  use...

1)  Command to Find Available users on a window box:     net user 2)  Command to add a new user account with a password:     net user /add  Lenny{username} mango{pass} 3)  Command to add an user account to administrator group:     net localgroup administrator Lenny /add 4)  To give the full administrator right to the user,use following command:     net share concfg*C:\/grant:useraccountname,full 5)  The following example adds a user account for a user whose full name is Jay Jamison and whose user  account name is jayj, with logon rights from 8 A.M. to 5 P.M., Monday through Friday (no spaces in time designations), a mandatory password (Cyk4^g3B), and the user's full name:  net user jayj Cyk4^g3B /add /passwordreq:yes /times:monday-friday,8am-5pm /fullname:"Jay  Jamison" 6)  The following example sets the logon time (8 A.M. to 5 P.M.) for Lenny by using 24-hour notation: ...

With GS, DEP, ASLR, and protected mode IE7, it's possible to go ahead and write a functional proof of concept that will work on Vista and Xp also. When triggering the vulnerability on Vista with a complete overwrite of the return address, the register state looks something like this: eax=5f36476f ebx=0329f278 ecx=00000000 edx=00000000 esi=0329f1f0 edi=0329f1bc eip=41414141 esp=0329f1bc ebp=66ae6c41 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 41414141 ?? ??? One important point to note is that our malicious ani file contain two ani header one is good i.e of 36 byte and other is the bad boy that cause buffer overflow in LoadAniIcon function.The first is of 36 byte to make sure it passes the loadCursorIconfromFilemap function which checks the header of ani,but the problem is that it is called only once for a single file,if another ani header is encountered then instead of calling loadCursorIconfromFilemap loadAniIcon function  will be...

Harvesting Step 1:  Download the default page of a website wget icq.com Step2: Find All FQDN and PQDN in index.html cat index.html | grep "href=" |cut -d'/' -f3|grep icq.com|sort-u|cut -d'"' -f1 >domain.txt Step 3: Find Ip address of all domain names which we got from the last step.To do so we will make a bash script. //findip.sh #!/bin/bash for hostname in $(cat domain.txt); do host $hostname |cut -d' ' -f4|tr -d 'a-z' & done Step 4: Now find whether these Ip address are alive or not.So again we will make a script that will do ping sweep. ./findip.sh >Ipaddress.txt //FindAlive.sh #!/bin/bash for ipaddress in $(cat Ipaddress.txt);do echo $ipaddress   $(ping $ipaddress -c 1|grep "received"|cut -d',' -f2) & done Now lets have look to the results:->

Wireless CTS/RTS Flooder This module sends 802.11 CTS/RTS requests to a specific wireless peer, using the specified source address. Module Options ADDR_DST TARGET MAC (e.g 00:DE:AD:BE:EF:00) ADDR_SRC Source MAC (not needed for CTS) CHANNEL The initial channel (default: 11) DRIVER The name of the wireless driver for lorcon (default: autodetect) INTERFACE The name of the wireless interface (default: wlan0) NUM Number of frames to send (default: 100) TYPE Type of Frame (RTS, CTS) (default: RTS) VERBOSE Enable detailed status messages WORKSPACE Specify the workspace for this module Theory RTS/CTS (Request to Send / Clear to Send) is the optional mechanism used by the 802.11 wireless networking protocol to reduce frame collisions introduced by the hidden node problem. Originally the protocol fixed ...

Arp Poisoning also known as ARP Poison Routing, is a network attack that exploits the transition from Layer 3 to Layer 2 addresses. ARP (address resolution protocol) operates by broadcasting a message across a network, to determine the Layer 2 address (MAC address) of a host with a predefined Layer 3 address (IP address). The host at the destination IP address sends a reply packet containing its MAC address. Once the initial ARP transaction is complete, the originating device then caches the ARP response, which is used within the Layer 2 header of packets that are sent to a specified IP address.  An ARP Spoofing attack is the egression of unsolicited ARP messages. These ARP messages contain the IP address of a network resource, such as the default gateway, or a DNS server, and replaces the MAC address for the corresponding network resource with its own MAC address. Network devices, by design, overwrite any existing ARP information in conjunction with the IP address, ...

Snort is a lightweight intrusion detection system that can log packets coming across your network. This program can be used on smaller networks but on larger ones, with Gigabit Ethernet, snort can become unreliable. Snort doesn't require that you recompile your kernel or add any software or hardware to your existing distribution but it does require that you have root privileges. Now we'll take a look at some basic rules to see how they work. The basic format of a rule is as follows: function protocol source_ip/mask source_port -> destination_ip/mask destination_port options A rules file will contain many lines of rules and it can look a little complicated at first. Here’s an example. # look for stealth port scans/sweeps alert tcp any any -> $HOME_NET any (msg:"SYN FIN Scan"; flags: SF;) alert tcp any any -> $HOME_NET any (msg:"FIN Scan"; flags: F;) alert tcp any any -> $HOME_NET any (msg:"NULL Scan"; flags: 0;) alert tc...

TCP Hijacking The goal of the TCP session hijacker is to create a state where the client and server are unable to exchange data, so that he can forge acceptable packets for both ends, which mimic the real packets. Thus, he is able to gain control of the session. At this point, the reason why the client and server will drop packets sent between them is because the serv er’s sequence number no longer matches the client’s ACK number and likewise, the client’s sequence number no longer matches the server’s ACK number. In “Simple Active Attack Against TCP,” Laurent Joncheray refers to this state as the “desynchronized state” whereas the state where the TCP session is open and data is being exchanged is referred to as the “established state.” To achieve the creation of the desynchronized state, the hijacker can employ different techniques: IP Spoofing: Source Routed PacketsIP spoofing is “a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a...

It runs the same DOS attacks as Targa plus an additional five exploits. In addition, it is a DDOS tool, which means it can run in a distributed mode where several machines all across the Internet attack a single machine or network. Because TFN2K is a DDOS application and runs in a distributed mode, there are two main pieces to the program: a client module and a server module. The client module is the piece that controls the servers; it tells the servers when to attack and with what exploit. The server runs on a machine in listening mode and waits to get commands from the client. It is important to note that to start and stop a TFN2K attack, the user of the program must supply a password. The password is supplied when the program is installed. An additional important fact to point out is that TFN2K is very stealthy. It does several things that make it harder to detect on a network. For example, all communication between the client and the server are sent using ICMP_EC...

The Smurf attack is a category of network-level attacks against hosts with the goal of denying service to the hosts. A perpetrator sends ICMP echo requests (ping) traffic to an IP broadcast address using a spoofed source address of a victim. On a multi-access broadcast network, there could potentially be thousands of machines to reply to each packet. The Smurf attack’s cousin is called “fraggle”, which uses UDP echo packets in the same fashion as the ICMP echo packets. Currently, the machines most commonly hit are IRC servers and their providers. Because Smurf is a Denial of Service attack, it impacts most devices that process packets. The two main components of the Smurf attack are the use of forged packets and the use of a broadcast address. In the Smurf attack, attackers are forging or spoofing the source address on ICMP echo requests and sending them to an IP broadcast address. This causes every machine on the broadcast network to receive the reply and respond back to the sourc...

JOLT The attacker sends the same IP packets (illegally fragmented ICMP ECHOs or illegally fragmented UDP packets) to the attacked machine.  "the affected systems contain a flaw in the code that performs IP fragment re-assembly. If a continuous stream of fragmented IP datagrams with a particular malformation were sent to an affected machine, it could be made to devote most or all of its CPU ability to processing them. The data rate needed to completely deny service varies depending on the machine and network conditions, but in most cases even relatively moderate rate would suffice." To show fragmentation in practice I choose traces underneath. The first example indicates not fragmented ICMP packet and the second example Indicates fragmented ICMP packets. Examples one and two are not showing the hole packets, but just part of them. Example 1: IP: ----- IP Header -----… IP: Total length = 60 bytes IP: Identification = 46881 IP: Flags = 0X IP: .0.. .... = may fragmen...

Step1: create two file on attacker side 1) default index.html and 2) cursor file to load Now save the proof of concept in a txt file(cursor.txt). use above command to cut down the hex part from proof of concept and paste it in buffer.ani Step2 :upload the above two files in your apache webserver.  Step3: Try to open index.html from window-xp and analyse the behavior of IE using ollydgb in order to find the offset address where EIP will get over written. Attach IE in ollydgb and put malicious url in it. As we can see now that EIP is overwritten with 42424242 that means this place is our offset. Now we will put the address of jump instruction in place of 42424242 which we will get from user32.dll by searching for command JUMP DWORD [EBX],now we jumped at ebx because it contain the malicious .ani file address. Just go into view=>executable=>user32.dll , press enter. Now try to find a jump [ebx] instruction in user32.dll by pressing ...