Wednesday, December 29, 2010

Create Virus/malware to infect and disinfect with Visual Basic

I was quite surprised when I realized that I have not posted a single code on my blog. Unfortunately I am not the programmer one expects to design complex algorithms or solve logical problems in a jiffy. Every semester break, I plan to code small application which involve new languages or something which has not been taught before. The first such attempt involved learning Visual Basic. Visual Basic 6 is very easy to learn and Windows GUI programs are very easy to build. It offers simple functions to manipulate and control external devices like CD-ROM drives and complex structures such as Regsitry Hives. I decided to write an application which is able to hide itself and write registries, basically imitating a malware. It is also able to make copies of it and store them in different locations and run these whenever the computer boots up. It is a very simple program and once you know how to write registries and run some system commands using VB,you are done!


Why Visual Basic:


I chose Visual Basic since it the easiest language to write in when doing Windows Programming.Also it was one of the first languages in which simple malware, worms like I love you worm  were written in VBSscript(closely related to VB).
 
I have used VB6 because of its smaller size but found out that it easier to use when writing these sorts of codes compared to VB.NET. This software writes and modifies registry entries a lot of times and is simpler unlike C which requires knowledge of complicated functions and Windows API( although it provides complete control over Windows Registry).


Some features:


    * Disables Task Manager
    * Disables Regedit
    * Disables UAC in Vista
    * Enables Remote Desktop
    * Disables command prompt
    * Disable access to USB drives
    * Enable/Disable Automatic Updates
    * Disables Windows Installer
    * Disable Control Panel
    * Remove shutdown icon
    * Remove logoff button
    * Disable applications such as: firefox, notepad, wordpad, Avira antivirus etc
    * Change file associations, eg. html pages will be opened in wordpad only
    * Disable changing of file associations
    * Disable folder options

After understanding how primitive malware works you can write applications which can reverse these effects. Many such malware do the above mentioned, like disable the Task Manager. After reading through the very simple source code you will be able to repair your system.
Also this application can be modified and deployed by computer admins who want to control the amount of access to provide to users.For example an admin might employ such methods to disable control panel and other features to prevent abuse. I have provided links to "regdigest.exe" which will infect your system. "regundigest.exe" on the other hand will disinfect/repair your system. I have also put up links to their source codes. I am not responsible for any damages caused nor do I encourage the use of this code for illegal purposes.

Basic flow of the program:


    * CreateObject("WScript.Shell) returns an object which allows for registry key editing.
    * [object].regwrite is used to write regsitry key
    * [object].regdelete used to delete a registry key
    * Copy file to different locations in hard drive
    * add entries to "run" to ensure all the programs are run at startup

Food for thought:


Here are a few things you may want to add:
 
    *  Restrict running of major antivirus software.
    * copy the application to network drives
    * modify autorun.inf to execute it whenever the corresponding drive is opened.
    * Disable firewall, ports.

NOTE: Some of the antiviruses might flag the exe as a trojan or virus. Disable it before downloading.


A few issues to consider:


Changing Icons

You will notice that the exe has a typical Visual Basic styled icon. Malware and viruses generally carry icons which do not give away their identity. They usually have popular software icons like new firefox version etc. A great tool called ResourceTuner can be used to edit your application's icons.

Vista and UAC compatibility:

Vista users will be familiar with UAC and small shield which appers on executables requiring admin privileges. These are UAC compatible applications and make use of 'Application Manifest' which "inform the OS what resources an application needs". An Application Manifest basically carries information of privileges and resources required by the application. You can manually create an Appilcation Manifest file or Resource Tuner do the work.

Avoiding Antivirus:

There are tools known as crypter which can help in avoiding antivirus detection. Right now I do not have much clue about how they work but I do know that there are many posts available on the Internet which teach how to build your own crypters.

 Important Links:

  1. Download regdigest.exe and undigest.exe
  2. More about Application Manifest(UAC)

Tuesday, December 14, 2010

CCNA tutorial: VLAN and trunk ports

To understand what is a Vlan and the rich features that it provides follow the link (also provided at the end). This article discusses how to setup and configure VLAN on Cisco devices. Suppose we have the following scenario and network topology.







We will assign the switch's physical port a special VLAN id. A switch will forward requests only if the destination belongs to the physical port having the same VLAN id. Consequently, devices connected to the same VLAN will be able to communicate.This fragments a single broadcast domain as discussed in VLAN Part 1. But there are a few points to ponder:

  • How do 2 switches communicate with each other?
  • How to make physically distant devices belong to the same VLAN?
  • Is there any way at all to make inter-VLAN communication possible?

VLAN in Detail and intro to Trunk lines:


Cisco switches implement VLAN by attaching a small header to the Ethernet frame which contains VLAN id and other additional info.  If the destination host resides locally it the outgoing interface will remove this tag and the host will receive the packet, unaware of the tagging and untagging done in the background. Even during broadcasts only those ports will receive the packet which belong to the same Vlan set.

 Two switches communicate their respective VLAN information over 'trunk' lines. A trunk line is a special link designated to carry traffic belonging to all the VLANs. Trunk lines do not belong to any Vlan which is quite obvious since they will be carrying traffic of all the Vlans.

The protocols used to configure and manage VLANs are collectively known as IEEE 802.1q.

This explains the first two questions. By implementing trunk lines and Vlan tagging we can achieve our objective of designing a secure and efficient network. But the flexibility is lost since two host in different VLan groups cannot communicate with each other at all.

Inter-VLAN connectivity with the help of a router


Since switches cannot solve the problem we move onto the the next device we can work with-a Router!

But there is yet another problem. Routers are essentially layer -3 devices and tagging is being done at layer-2. When a packet meant for a different VLAN reaches the switch it will eventually get discarded ( due to lack of ARP responses). For packets to reach a router either there must be some redirection mechanism or the host should directly send its request to the router. Redirection is out of question since switches cannot operate at layer-3 or above.

We are left with only one option- whenever a host needs to communicate with a host on another VLAN it should send its request to a designated router. Again hosts have no knowledge of VLANs but it can be overcome if each VLAN is given a separate address space, basically assigned a unique subnetwork. In such a scenario the router will act as a default gateway and whenever there is a need for inter-VLAN communication the packet will be sent to this designated router.

The final step is to make the designated router aware of VLAN. An interesting topology known as "Router on a stick" ( illustration below) appears when a router routes traffic for many (sub)networks over a single link. (More on how to configure such topologies in some later post). I have also put up the basic commands required to set up vlan with useful comments. I have also provided a link to download this file

Router on a stick



en 
configure terminal
vlan 2 //create vlan with id 2
name account //give it an identifier 
exit
vlan 3 //create vlan with id 3
name admin
exit
interface range fa0/1,fa0/2... //select all the physical ports that 
// you need to assign to some vlan
switchport access vlan 2 //assign all these ports to vlan 2
//here access tells it to make it an access port 
// (ports which can belong to a single vlan

exit

interface range fa0/3,fa0/4 ... //select all ports to assign to 
//vlan 3
switchport access vlan 3
exit

interface fa0/5 //select the port that acts as the trunk port
//a trunk port is a port which carries all the vlan information from one
// switch to another. 

switchport mode trunk //make the port a trunking port
exit 


Useful Links :

CCNA tutorial: Introduction to Vlans PART 1
Wiki on Vlan
Sample Vlan configuration file

Wednesday, December 8, 2010

CCNA tutorial: Introduction to Vlans, its benefits PART 1

One of the most interesting topics in CCNA curriculum deals with VLans known as Virtual LAN. It is layer-2 technology and can be implemented on switches to allow devices connected to remote switches to behave as if they are connected to a single common switch. Additionally it can be used isolate certain ports of a switch by logically removing them from the broadcast domain of the switch.

Broadcast Domain


A broadcast domain is basically a group of computers effected when one of the PC in the group broadcasts. For example in a typical LAN setting, where all the computers are connected with a hub or a switch, all the computers form a single broadcast domain.

To make it more clearer suppose I have the following scenario where PCs -A,B and D belong to the accounts section and  C and E belong to the admin section. Also pc G in building 2 belongs to the admin section as well. PCs from different section must not be able to communicate with each other and should not be present in the same LAN segment.



Ordinarily they all form a single LAN and any broadcasts will be seen by all the PCs. We need to implement a solution where A,B and D form a LAN and C,E,G form another LAN. PC F should be isolated from all of them. With VLAN we have the flexibility to segment our physical LAN to logical subnetworks and merge PCs from different physical networks together.

Given below is a network topology resembling the given scenario. I have also provided a link to a text file containing all the necessary commands to configure the switches. The next part will be about these commands and how to configure switches as well as routers to make them aware of VLANS. To make PCS residing in different VLANs communicate with each other we need a router.




If we want to partition our network why not use a router?


First of all routers are very expensive. Secondly they have a limited number of physical interfaces. For example if I want to create 20 subnetworks then I will need 20 physical interface,(such routers are very costly) one for each subnetwork, while in the case of switches I need to create 20 VLANS , no additional hardware is required.


To summarize Vlans provide the following benefits:


  • Security
  • Flexibilty
  • Reduced traffic hence better network efficiency

Important links:


Wiki on VLAN
VLAN Part 2
VLAN configuration file

Wednesday, December 1, 2010

Playing Around with HXDEF Rootkit

Hacker Defender aka HXDEF is a very famous rootkit which works as a traditional rootkit as well as a trojan in some sense.

What is a Rootkit: an extremely brief introduction:


A rootkit is a piece of software which after executing is able to "hook" up - modify and take control of- Windows API calls making it undetectable. A typical rootkit is able to hide itself from the processes and services list. Modern rootkits have the ability to hide other processes as well and stealthily communicate over the network without being caught by firewalls.

These are some of the reasons Rootkits are considered much more dangerous than virus, worms, and trojans.

Introduction to Hacker Defender , HXDEF:


Hacker defender is a hybrid of a typical rootkit and trojan. It can make all its activities undetectable resembling a rootkit while it can also open many ports and create backdoors through which a remote user can connect just like a trojan.

Hacker defender was created in 2003 and was considered one of the most lethal rootkits in those times. Most of the antivirus software incorporate rootkit detection and hacker defender can be easily detected by all the major antiviruses. There are tools known as crypter which can make rootkits such as hacker defender avoid antivirus detection. Hacker defender enjoyed so much of popularity that when it was deemed obsolete, its makers came out with a premium version(search for hacker defender gold/platinum) which is still pretty popular since it claims to fully avoid antiviruses.

Still it is fun to run it on a virtual machine and mess around with the system. In this post the basic features and commands of Hacker defender will be discussed.

Installation of Hacker Defender (HXDEF):


I have uploaded the server and client .Link is provided at the bottom. Run the server on the victim PC. It will automatically hide all files with the name starting with hxdef and hacker defender. Before we continue further here is a list of the most common commands:

  • >hxdef100.exe [inifile] if you dont specify inifile then 'example.ini' will be executed where example.exe is the application. Eg in this case hxdef100.ini is the default file.
  • >hxdfe100.exe -:uninstall unistall the file you will have to go the folder where this application is stored
  •  >hxdef100.exe :-noservice doesn't install the service but simply runs them

This rootkit will hook up all the system's open ports which means any port can be used as a backdoor.Note that system ports are not hooked and therefore cannot be used as a backdoor.

Using rootkit as a trojan:


You can connect to your victim and get back a shell if there is any open port with input buffer larger than 256 bits. That means connecting to any open port listening for more than 256 bits will eventually lead to a shell being returned to the attacker.

To connect execute: bdcli100.exe [host] [port] [password]


Configuring various options:

Many options and parameters can be configured by editing the hxdef.ini file. Password used for connecting can be changed under the settings field. Other important settings:

Directories,files and processes beginning will values under [hidden table] will  hidden.
[Startup run] commands under this list will be executed as soon as a connection is established.
[Hidden ports] - all ports will be hidden from other applications.

For other options read the readme.txt file.

Detection and Disinfection:


Rootkit revealer is the most effective tool to remove rootkits.Moreover it is a freeware.

Avoiding detection:


This is also possible by processing the file through a crypter. If the file is still being detected you need to either find a unique/premium version of a crypter since free copies are not sometimes not able to change the characteristics of a file well enough. Avoiding antivirus detection is a very hot topic nowadays and will be discussed in some future article.

Obfuscation techniques:


I have already talked about crypters but if someone runs an exe and finds that nothing happens, he is obviously going to feel suspicious. This is where binders come into picture. Binders allow you to "bind" or attach an executable with another one. So you can attach the rootkit with some game and when the victim will run it, hacker defender will run in the background as well. And did you know that Windows comes with a binder of its own? The answer will be put in some future post.

Download Hacker Defender,HXDEF
Download Rootkit Revealer

Wednesday, November 10, 2010

SSH forward and dynamic tunneling

SSH stands for Secure Shell and was designed to replace telnet since it provides remote control of a machine but with robust security. Linux users would have heard about this but if do not know how to run and use its features to the fullest then hop on.

SSH has evolved to incorporate features such as forward port tunneling, reverse port tunneling and dynamic port tunneling. This article will cover the basic setup and installation of SSH servers on Windows and Linux based Ubuntu. Steps will almost be the same on other distros.

Please note that port forwarding was originally introduced to allow incoming packets in a NAT environment but similar features were implemented in SSH and therefore the name SSH port forwarding.

SSH Forward Port forwarding


It can be visualized as an outbound tunnel where data is forwarded from the client 'towards' the server.

There are a few things to note:
1. First an SSH connection is set up therefore you need an SSH client and server running properly.
2. Once the forward tunnel has been set up , the data will pass through the tunnel and the receiving end will direct all the data to the mentioned port number.

Setting up port forwarding (WIndows)

Download FreeSSHD from the link posted below. This is a free software which runs SSH and telnet server. After installation you will be asked to generate a set of keys. Create them as they will be used to ensure integrity of the remote user.Now add a user account and assign a password. This account name will be used to login remotely.



If the SSH server is behind a NAT connection , eg home ADSL connection then you will need to allow incoming connections to port 22. Refer to this link if you want to have a brief idea on how to implement the aforementioned scheme (confusingly know as NAT port forwarding).

Try to establish a normal connection using putty, available in Windows and Linux.



Such a tunneling can be very useful if you want to access a remote service securely. Eg consider a scenario in which you need to access a remote web server securely. Then all you need to do is set up a forward ssh tunnel with the remote machine and entering the following configuration:


So when any data is sent to port number  it will be redirected through the ssh tunnel where the remote end will redirect the traffic to the destination address.
The above configuration will cause it to redirect all the traffic from local pc's port number 8080 to the remote machine through the ssh tunnel where the remote end will redirect the traffic to localhost , which means itself,  port 80. Clearly if the remote machine is running a web server all its content will pass through the ssh tunnel in encrypted, thus secure way.





Thus Forward tunnels have a very special use and can be used to bypass any firewalls or content filtering services and access remote machines with ease. The above schematic shows data transferred from local host to the remote server. Note how the data is internally directed from port 8181 to port 80.

More on Reverse Port tunneling and dynamic port tunneling in some later post.

Ubuntu users can install openssh server using the following command:
sudo apt-get install openssh-server(config files are stored in  /etc/ssh/sshd_config)
also a linux version of putty is available and can be obtained using synaptic package manager.

Some important commands:

Start OpenSSH Server:
sudo /etc/init.d/ssh start

Stop openssh server:
sudo /etc/init.d/ssh stop

Restart the server:
sudo /etc/init.d/ssh restart

Other Useful Links:


1. FreeSSHD homepage
2. Learn NAT Port Forwarding 
3.Wiki on SSH
4.More info

Monday, November 8, 2010

Cisco Packet Tracer

Cisco has developed a superb tool known as Cisco Packet tracer and is essential for anyone preparing for CCNA or higher exams. Since it is very difficult to realize complex network topologies with different devices and interconnections with actual hardware, Cisco developed this product to simulate such topologies and added features which makes debugging easier to understand and implement in real world situations. Therefore one can simulate real life network topologies on their PCs without needing to physically set up devices.

Modes in Cisco Packet tracer


Packet tracer has 2 modes - realtime and simulation.

In realtime mode devices run as they are expected to in normal operation. Simulation mode allows user to filter certain packet, change packet transfer speed to isolate certain packets for better analysis and understanding of the network topology and the path taken by a particular packet.

On the bottom left hand pane there is a list of devices such as routers,switches and WAN cloud which on clicking will display a list of models Cisco has manufactured. The most common router model used in CCNA is 2811 and for switches 2960 is used.

Dragging and dropping a device in the main window will boot it up and make it ready for configuration. Double clicking it will open a new window which will list the hardware specifications which can be modified according to your needs (like adding new modules such as ethernet ports) . There is a config mode and a CLI mode.



Config mode is useful for quick configuration of the device whereas CLI mode simulates a console session. Cisco devices can be configured using a console cable and such a session is called a console session. Obviously CLI mode allows user to fully explore a device's features, unlike the config mode.



The simulation mode is a wonderful feature and behaves like wireshark in some ways, for example it allows you to watch the details of a particular packet. Additionally, you can adjust the speed of the packet transfer for debugging and better understanding.

For example, in the above topology suppose I want to know what type of messages and path is taken when HostA pings router1. All I need to do is start the simulation mode and ping the destination. Clicking on the autocapture button will show a graphical "journey" of the packet. You can also click on a packet any time to view the headers and other details.




Tuesday, August 17, 2010

Using Disposable mail boxes like Guerrilamail

I am a big fan of Avira Security Suite and the only flaw that you might find is not in their wide range of products but how they distribute its licences. Many companies such as PC World offer one to two months free, promotional license which can be acquired by giving your email address and some personal detail. These offers cannot be availed more than once from an email account. Obviously the first question that pops straight in our mind is what if we are somehow able to get unique email addresses once a month or so, then offers such as these can be used repeatedly.

All the email sites like gmail  require a lot of time for registration and remembering usernames and passwords is a very tedious job. What if there was a service which provided 'disposable mail boxes'? You must have realised where this post is heading towards.

Guerrilamail is a site which offers email address for an hour. After this time the account is deleted.It provides a couple of additional features like 'Forget Me' which instantly deletes the account or "give me another 1 hour' to extend the expiration time.

To create an account all you need to do is to enter the desired username and some space will be allocated for your emails. The process is quick,simple and there is no need to remember any password.

Services such as these were originally designed to prevent spam but have found newer, more innovative uses. You can give out this email address if you feel it will receive spam or the recipient is not trustworthy. There are other services which provide more features or more expiration time, for example mailinator or mailexpire. Links are provided at the bottom.

Personally, I have used guerrillamail's email service to get 3 months Avira promotional licence twice now, using different email ids. :D

Wiki on disposable mail box
Link to guerrilamail
Mailinator's home page
List of disposable mail sites

Tuesday, August 10, 2010

VPN introduced

Our institute recently banned facebook and other such sites in an effort to preserve bandwidth and although this was a very bad move we cannot do anything but find different ways to access the internet. There are web based proxy websites which fetch the page for you and then deliver them to your browser. They also allow the option of encoding the url so that administrators cannot monitor which site is being accessed. But these sites are really slow and unable to handle dynamic content effectively. So cgi proxies sites allow you to access facebook but it will not be able to load javascript or ajax content. Another solution is to use software such as PingFu, as explained before, which have developed their own set of proprietary protocols which encrypt data so that no one is able to 'read' it. 

The title is a bit misleading since this article is more about using third party software instead of complete understanding of VPN. VPN stands for Virtual Private Network and was initially designed to allow remote users to become a part the office LAN keeping a few things in mind

1.Data confidentiality
2.Authentication support
3.Compatibility with huge range of devices


Data confidentiality is provided by using high grade encryption. VPN services are quite robust and can be employed on NAT devices as well. VPN servers can be installed on backbone routers as well to interconnect two different LAN's over the Internet.

Nowadays VPN connections also allow you to access high speed Internet through their fast connection to it. One such service is provided by SecurityKiss Tunnel software. It is a software which like PingFu bypasses firewalls by routing traffic to its servers, the difference being this software uses certain standards defined by VPN. To be able to run it you will also have to install OpenVpn as well. It is a foundation on which different companies build customised VPN products.

Simply install and run SecurityKiss with administrator privileges.Click on connect and you're done.Till now I have received seamless connectivity to various social networking sites like facebook.  Moreover torrent files were being downloaded at around 10kbps which is very impressive considering I did not have a premium account. They probably achieve this by using an efficient traffic compression scheme.


At present SecurityKiss provides 50mb per day limit to free users but there must be other similar services which provide better speed and download limit.Please leave a comment if you find/know any such vpn service.

NOTE: Remember to install openvpn and securitykiss with admin privileges.If there is a problem in connectivity try to run the software with admin privileges as well.

Few important links:

1. Wiki on VPN
2. OpenVpn
3. SecurityKiss Homepage
4. Learn more about PingFu

Friday, July 9, 2010

Cracking Windows Passwords withJohn The Ripper(JTR) & prevention

We always hear that small passwords are vulnerable and long passwords possibly containing numbers should be used.What can be the reason? If you are sniffing it does not really make a difference even if a password of 100 characters is used, if the channel is not secure it is going to be visible. What about 'login' passwords we use to login to our favourite OS (of course I am talking about Windows). Let us make a few things clear.
First of all , the password has to stored in hard drive so that when Windows boots and a user enters a password it can be matched to authorize.

Secondly the password has to be placed in a directory inaccessible to a user.  Lastly, in an extreme situation where someone is able to access that 'password' file should be unreadable. Microsoft addresses the issues by storing passwords in a  "SAM" file in C:\Windows\System32\config\ folder. Also the files cannot be viewed by a user even if it has admin privileges. The contents of the files are stored in a hashed form. Hashing loosely means that the contents are passed through a function which changes the contents  to an unreadable form, many online sites provide hashing of a string to based on different functions, one such hash-generator site's link is provided at the bottom. The main difference which concerns us is that while encryption is a reversible process , hashing is irreversible and hashed data cannot be retrieved back.
When an user creates an account the password is hashed and stored by the OS. Subsequently whenever the user will enter a password it will be hashed and compared with the correct password which has been saved by the OS.

Microsoft before launching NT used to store passwords using LM (Lan Manager) hashing algorithm. Later it introduced NTLM (NT Lan Manager) which was a stronger hashing algorithm. To ensure backward compatibility an LM hash was also computed and stored. This was the default behaviour before Vista was launched. Therefore XP ,even though uses NTLM , keeps the passwords in LM hash as well.

The LM hashing is so weak that certain researchers and enthusiasts developed tools such as Ophcrack and John The Ripper( famously known as JTR) which can crack alphanumeric passwords within a few hours. John The Ripper uses two methods -dictionary attack and bruteforce attack, both have their advantages and disadvantages. Dictionary attack uses a user defined file which contains all the words in a dictionary while bruteforce uses all the permutation and combination of the defined keyspace (user can define whether only alphabets should be considered or numbers etc). A dictionary attack is obviously faster since there are less words but you have to be sure that the user has used a dictionary word as his/her password. Bruteforce attack on the other hand is slower but gives more assurance of the password being cracked!

John The Ripper -Introduction ,Installation and Usage


You can download John the ripper (free version) ,link is at the bottom. JTR is available for both Windows and Linux. Here both will be used. First let us explore the Windows version. Here are the basic commands to use JTR

--single :use predefined parameters such as login names,user's home directory as username and password to compare with the hash
--incremental:basically bruteforce mode modes include 'All', 'Alpha' ,'Alnum','Digits' and 'LanMan'
--wordlist : use this keyword to use the dictionary method, words in a defined file be used only. A sorted wordlist can make JTR faster.
--show passwd :show the cracked password
--restore :Press control C once to save the session, use this command to restore the saved session. Remember pressing control C twice immediately aborts the session

Usage :
jtr-386.exe [OPTIONS] password file

password file contains the password hashes.

Retrieve Password Hashes.


To get cracking password hashes are required, and this is where ophcrack comes into play. It is a free ware and allows you to extract the hashes and export it to a file. You can find the appropriate links at the end.
Or you can use a linux distro ,boot it live and copy the SAM file . Running it in ophcrack will reveal the username and their corresponding hashes. Delete the entries that you do not want to crack (eg helpandsupport etc) and let JTR do the rest.



I ran JTR on a SAM file containing "yellowz" as the password  with the command
john-386.exe --incremental:Alpha [filename]

It took 28 minutes to crack the password. All the passwords are saved in john.pot file by default.


Linux users


Linux users need to download the tar-ball and run the following commands:
Go to the src folder 
 make
 make clean generic
cd ../run
./john password file

Please read the INSTALL file for complete instructions

You can also crack the Linux hashes by running the UNSHADOW utility in run folder

Usage:

./unshadow /etc/passwd  /etc/shadow > dest password file
This will store the password hashes in the specified destination file.Root privileges are required to run this command.This file can now be used as a password file for JTR.

Ophcrack is available in Linux as well. Ubuntu users need to simply go to
Applications->Add/Remove -> search for ophcrack and install it.Once installed, it can be found in Applications->System Tools.


Shortcomings


Bruteforce is very effective with today's modern CPU but if the password is longer than 7 then it takes a very long time to crack the password even if it comprises alphabets only. But hold on folks! If you thought that this is where it ends then you are completely wrong as I found out a few weeks ago. Yes you can crack passwords a hell lot faster with the use of tables also known as rainbow tables.

Rainbow tables

As earlier mentioned, software such as JTR take a string, convert it to the hash and compare it with the hash in the supplied password file. Why not compute all these hashes and store it in a table? This is a rough definition of a rainbow table. More about it in a future article.

Conclusion


Since XP is still the most widely used OS , it is very vulnerable to this attack. Anyone with physical access to the machine can find login passwords within minutes. You can disable LM authentication by following these steps:
Start -> Settings -> Control Panel -> Administrative Tools -> Local Security Policy
Expand the “Local Policies” folder and select “Security Options” beneath it.
Double click “Network security: LAN Manager authentication level”.
Change the setting to “Send NTLMv2 response only\refuse LM & NTLM”.

To disable storage of LM hashes in future:
Still in the “Security Options” folder, double click “Network security: Do not store LAN Manager
hash value on next password change”, and choose ‘Enabled”.
Restart your computer and change the password for all accounts on the computer.

Windows Server 2003 users and NT users,if any, can check out google on how to disable LM authentication.

Important links:

Online hash generator
Ophcrack homepage
John The Ripper
Disable LM authentication
Secure Practices

Wednesday, June 30, 2010

Wireshark as a network Sniffer or network analyzer

The last two posts(links at the end) on wireshark were about installation and using it for basic analysis and troubleshooting network traffic. This article explains why this software is so famous among hacker circles. Wireshark supports promiscuous mode which basically allows the host to view other hosts' traffic!

Detailed working of Wireshark


Nowadays Ethernet has emerged as the most widely used LAN data link and physical layer standard. To support hardware communication between many machines at the same time the concept of MAC addressing was introduced. When data is put on the cable for transmission all the other hosts receive that data and pass it to its NIC also known as the Ethernet card or LAN card. This data is then passed to its upper layer , the data link layer which checks whether the destination MAC /hardware address matches with its own (remember, MAC address of a machine is unique throughout the globe). If a match is found the packet is passed to the upper layer else the packet is discarded. Wireshark with the help of WinPcap library captures the frames from the interface (Ethernet, token ring networks are supported) regardless of the destintion MAC address therefore displaying packets meant for other hosts as well.

The only problem is that you might not capture any one's traffic if switched topology is being used instead of hubs. The reason lies in the way how switches and hubs propagate packets to end systems.

When a hub receives a packet on its physical interface is pushes out that packet through all of its other port. Consider this scenario


When the gateway sends a packet to the hub it forwards it to all its connected interfaces , as shown above.

Now consider a scenario in which a switch is being used instead of a hub


A switch silently learns the mac address of the end system and maps it to the physical port to which it is connected to. Therefore when a switch receives a packet it checks the destination MAC address and searches its table. If there is match, it forwards that packet through that particular port else floods it through all of the connected ports. It is clear that after a switch has built its table the packets are forwarded to the correct destination and the other connected hosts do not receive that packet. Therefore if Wireshark is run in a switched environment you will rarely be able to capture other's data. You might receive other hosts' data but that happens only when the switch has not completely built its table.

Here is an example of a switch's table where fa represents fastEthernet ports.


Finally, I tried to access my router's webpage through VMware XP running in bridged connection mode ( in bridging mode all the virtual pc's data is forwarded to the real machine which starts acting as a bridge) and ran Wireshark on my PC. Upon filtering data here is some juicy info


The authorization process has been captured by Wireshark; 'basic' implies that a very weak Base64 encoding has been applied. Decoding the string is very easy and can be done online , one such is link is provided at the bottom. The example above decodes to nando:nando which means a username and password of nando was entered.


Detection


Detecting this activity in a hub environment is nearly impossible and although a few tests can be done they are meant for older Windows versions ( 98,NT) and Linux kernels, therefore it is recommended that network administrators should implement switches as they not only provide security but also better network performance. Users should use encryption during important data communication.

NOTE
If you are not able to see others traffic make sure the promiscuous mode is set. Go to Capture->options , set the correct interface and tick the "capture in promiscuous mode field".


Also Windows users should ensure that npf be up and running, Linux users need to run wireshark with root privileges. If the problem persists then chances are that a switched network is being used.

To sniff a switched network a few more software and a deeper understanding of certain mechanisms is needed, which will be covered in some future article.

Wireshark has established itself as the leading packet sniffer software and a network analyzer. You can even use it to troubleshoot any DdoS attacks or malicious packets in your LAN. More on it in a future article.

Wireshark Installation
Configuring and using various options
Download Wireshark
Wireshark manual
Online Base64 encoder/decoder

Friday, June 25, 2010

What is Wireshark? A network or packet sniffer, Part 2

In this previous post basic download and installation of wireshark was discussed in Windows and Linux based Ubuntu.Today's article will cover the basic uses of wireshark, how one can use it to its maximum potential using various filters and other options. 
When you have configured wireshark to capture packets from the correct interface it will aptly show the frames being received and sent on that particular interface. You might get an output such as this ->





You can view the packet details by clicking on a packet. The details are displayed just like it is seen ie in the logically encapsulated form. So the ethernet frame would appear first then the ip header and so on.


Please note that Wireshark cannot capture wireless data and a special hardware (like a wireless usb adapter) is required to capture the wireless data.Cace Technologies have developed such a product called airPcap, links are at the bottom.
 

WIRESHARK FILTERS:


If you wish to see packets of a particular protocol , ip address or a port number and/or a variety of other parameters you can prepare a 'filter' ie a set of commands which would filter and display only the requested traffic.


Programmers especially C/C++ users will find it pretty easy to create filters because of the similarity in the syntax.
For example, if only TCP traffic is to be displayed simply enter tcp in the filter field and click on apply. If TCP is not required while all other protocols are append a ! before TCP. Almost all the major protocols are supported, atleast the upper layer protocols.


What if traffic from a particular ip address is required? Simply use the command ip.src or ip.dst command
Eg if traffic coming from 192.168.32.1 is to be filtered and displayed, then enter
ip.src==192.168.32.1 ; Note the use of two = signs



Suppose we want to view only tcp traffic coming from 192.168.32.1 ? Here we want two conditions to be satisfied simultaneously, therefore the && operator. The input to the filter field becomes


ip.src==192.168.32.1 && tcp


Furthermore, if we want to view tcp or udp traffic coming from 192.168.32.1 then we have a slight complex situation in which either the packet should be tcp and the source ip be 192.168.32.1 OR the protocol be udp and  source ip be 192.168.32.1, here the use of OR operatot ie || will also come to play. The filter will become:

ip.src==192.168.32.1 && (tcp || udp)

basically wireshark will check if ip.src is equal to 192.168.32.1 if true then it will further check if the protocol is tcp or udp if either comes out to be true the boolean output will be true and that particular packet will be displayed.


As a final example if we want tcp traffic with source port as 100 or 200 and destination port as 121 or 221 be displayed the filter will become:
ip.src==192.168.32.1 && tcp && ( tcp.srcport == 100 || tcp.port==200) && (tcp.dstport== 121 || tcp.dstport == 221 ) 



Follow a stream



One of the best features of Wireshark is the ability to "follow" a stream. When a TCP connection is established a two way virtual channel is created and the two end points then communicate. This feature displays the ongoing application layer data being exchanged in a strict chronological order. This can be very useful to analyze what kind of data is being exchanged at the application layer. 



Searching data


With the find packet option one can search for a particular string in the captured packets. The option is neatly tucked up in Find packet and string radio button.





Promiscuous mode


Another superb feature which made this software one of the most popular network analyzing tool and sniffer (earlier it was known as Ethereal). These two exciting topics deserve a proper explanation and a fresh page!


Download Wireshark
WinPcap Homepage
Airpcap Homepage

Monday, June 7, 2010

An SQL injection how to and preventing it

SQL injection attack is probably one of the most widely used attacks to hack or take control over a site. In the earlier days hacking/cracking was mainly done by exploiting the vulnerabilities in the Operating System. For example Ping Of Death was possible due to the fact that Windows kernel was not able to handle big sized ping packets and therefore the attacked computer would freeze or shutdown! Windows and Linux based OS have "patched" up most of the vulnerabilities that have been found, nowadays the focus has shifted to finding flaws in application and loosely written codes.Another reason for the gaining popularity is the fact that it is relatively easier than other techniques such as buffer overflow or heap overflow exploits. One such type of application layer exploit is the SQL injection attack which exploits which user input is not properly "sanitised" and is interpreted incorrectly by the database language, in this case SQL. For example suppose the SQL statement is

SELECT name FROM USERS where user= '[user input]' AND password='[user input]'

If the programmer has not taken proper measures it can create a big security hole,continuing with our example if the user gives "matrix" as the username and 1' OR '1=1 as the password the server will read it as

SELECT user FROM USERS where user= 'matrix' AND password=' 1' OR '1=1 '

Now it will search for the user matrix in the table and then check out if the password '1' OR '1=1' is true. Obviously the latter part of the statement is true and therefore authorization will be validated!
Note: In this case I somehow managed to know the username , there are techniques in which specially crafted SQL statements are input which can reveal all the usernames in the database tables.
This video illustrates how easy this technique is-


A very basic SQL injection attack, used to gain account access within minutes! from Nando Nachi on Vimeo.

This is probably the shortest article on SQL injection ever written. The aim is to create awareness on how lethal this flaw is and can be exploited by even an average computer user. Of course this is only one command and it is said that most of the SQL based servers are vulnerable and can be exploited with some form of complex command. That is why nowadays they have divided the SQL injection techniques to two groups- Basic and Advanced. Basic techniques deal with access to account using simple 'Queries' ie the user types in a command which will ask the database server to fetch details. Advanced techniques use complex and long SQl commands which can not only grant access but can be used to modify the database itself (eg deleting an account)! This was a very 'jugadoo' way of doing things and in no way is complete( I did not even mention the effects of using '--' which is used for commenting in SQL)

Preventing SQL injection
It's quite clear that if the user input is filtered of any harmful statements the vulnerability can be fixed.  Moreover the SQL software should be constantly updated.

I hope this post gave you a brief sql injection how to and described the fundamentals behind it.

These links are immensely helpful
SQL injection on Wikipedia
Preventing SQL on Microsoft SQL serverShare

Thursday, May 20, 2010

Exclusive PingFu exploit/crack to run it for virtually forever!

The last post was about PingFu and the great speed and flexibility it provides. In fact you can run any sort of software from the humble firefox browser to utorrent with utmost ease. The only problem is that it is not a freeware and provides a trial version for only 3 days. This quick hack will tell you how you can hack PingFu and make it run virtually forever.

Generally commercial softwares keep a tab on the number of days you can use their trial version by putting an entry in the Window's registry which keeps track of installation time etc. But when you uninstall, it does not delete that specific registry entry and during reinstallation it checks and using that registry decides whether the software has been installed in the past or not. Exploiting applications which use this method is pretty easy since that particular registry entry needs to be tracked and then manually modified or deleted.

Unfortunately PingFu uses an advanced mechanism in which it sends the Hard Disk Serial number to its server. This technique is also used by online game servers such as Halo and Counter Strike to ban players.

Actually hard disk serial number is a serial number assigned to the drive whenever a fresh copy of Windows OS is installed. So if PingFu has expired and you want to use it again just format your drive. Obviously formatting is tedious and time consuming, you will also have to backup all your data each time Pingfu expires which is currently 3 days! Therefore I recommend running PingFu on a virtual Windows OS (virtualbox or VMWare are good options) and installing a nifty tool called "Hard Disk Number Changer" (download link is at bottom).

Run it with admin privileges, change the number of the drive in which PingFu is installed , reboot and enter the new (bogus) registration details. Basically PingFu will think that it has been installed on a fresh copy and will allow you to use it for another trial period. It's that simple!


Download Hard Disk Number Changer
Know more about PingFu

Share

Monday, May 17, 2010

Bypass firewalls,proxy servers and unblock sites using PingFu

The earlier article about visiting blocked websites or viewing them anonymously had a few key disadvantages. First of all they can be used to websites only! So applications requiring other protocols such as torrent cannot be run using them. Secondly, dynamic webpages and elements such scripts eg javascripts are stripped off while displaying the webpages. This renders site such as rapidshare useless.php/cgi based proxy servers are helpful but most of them are blocked and the ones which are not are usually extremely slow.

Much more robust methods include use of software which completely encrypt connections of all type of protocols increasing flexibility as now even torrent based software can work. An example of such software is PingFu UDP , links are at the bottom. It is a commercial software and comes with a 3 day trial. After that you will either need to format your computer or use the hack described in the next article. Therefore I would seriously recommend using PingFu only on a virtual OS (use virtual box or VMware). Just install it and register yourself.
On the app screen you should see green light and "connected" as "client status".

To run an application simply click on Application Launcher on the sidebar and click on "Add an Application". It should now appear in "Installed Applications" column. Double clicking on the icon will  launch the application.

Upon running Opera with PingFu here is what whatismyipaddtess had to say :)



The reason for choosing PingFu is that the speed is pretty good and the software is really easy to use and very flexible. The next article will examine how PingFu manages its users and how we can play around with the software and fool it to provide us virtually unlimited number of trial days.

Note that this establishes a vpn to their server allowing you to unblock sites and letting you bypass any school or corporate firewall.

HOMEPAGE PINGFU
DOWNLOAD PINGFU
ALTERNATE DOWNLOAD LINK

Friday, May 14, 2010

Unblock banned or blocked sites using proxy servers

Our institute has installed a hardware and software based packet analyzer provided by Cyberoam which ruthlessly blocks p2p based sites, or sites containing games, spyware, hacking or adult content. There are also times when it blocks harmless,normal sites which is very frustrating.Also it has blocked the famous and even lesser known cgi proxy servers. Usually all institutes and offices install some sort of network analyzer and or blocker to disallow certain websites to prevent misuse. Here I present two ways to view blocked websites or if you want anonymity while browsing.

(Please remember that both allow only basic text and image; scripts are filtered off)

Webinmail is a service by Rediff in which it sends you requested webpages via email! On testing I found it very efficient and fast. Here is what you need to do.

Compose a mail to browse@webinmail.com with the subject as the webpage you need to view. Leave the body of the message empty and send the mail.


Within a few minutes you will receive a stripped down version of the requested page





Go to Rediff Webinmail

Aptivate an NGO working towards international IT development is working on a project called Loband which aims to reduce bandwidth consumption by displaying a "text and image only" version of the site. But it also serves our purpose of surfing web without any restriction.

Free web proxy servers are usually extremely slow and take a lot of time to load the requested webpages but here are two alternatives which almost replicate the functioning of a proxy server but are much faster. The only disadvantage is that dynamic webpages cannot be accessed.

Go to Aptivate's Homepage
Visit Project Loband
Share

Wednesday, May 12, 2010

Analyze network packets using monitoring tool ie Wireshark

Anyone fascinated with computer network and how it has enabled connectivity between remote places throughout the globe must have wondered how it has been made possible. Small bytes of data continually flow through small wires, perhaps even without any wires and soon you have, Wikipedia displaying all the information known to mankind.








When you type www.google.com in your favourite browser, I assume it is Firefox :) , what sort of data is sent? How is it sent? If you want to watch the "data packets" in action what you need is a network analyzer or a network monitor aka sniffer. Network sniffing or packet sniffing is the same so don't be confused if there are other tools to do packet sniffing, because Wireshark does it all.

For a developer this software is pretty handy since it captures live data and shows what kind of data is being sent.

Although sniffers have more useful/evil purposes,(some future article) this article will cover how we can use a software called "Wireshark" to analyze the network data being sent.

The software is available for both windows and unix. The great thing is that it is an open source software, yet is updated regularly. The download links are at the bottom.

If you will be using Windows simply download the setup and install it. Wireshark comes bundled with WinPcap a set of libraries which allows Wireshark to capture packet in real time. During installation their will a prompt suggesting you

"Start WinPcap service "NPF" at startup -"

Allowing npf at startup would enable users without admin privileges to run it.If this bugs you then simply 'untick' the option and install it. The latter option however requires the user to start the NPF service manually by typing the following command in command prompt having admin priviliges each time before running Wireshark

net start npf

The following command stops the service

net stop npf



Ubuntu users need to type in wireshark in the synaptic software manager and let it do the rest. Other linux/unix users need to refer to the official documentation provided on their website. Linux users need to run wireshark as root privileges.


To capture live packets either click on the network interface that you want Wireshark to hook on to or if you're unsure which interface is being used go to options and click on interface. It will open a small windows displaying the number of packets received on each interface. The one having highest number of packets is most probably going to be connected to your local Lan or directly to the internet.


After you have selected the correct interface Wireshark will start displaying all the packets that are being sent or received by your computer.




This was a very basic lowdown on Wireshark perhaps one of the best networking tool.The next article of this series will cover some of its features.

Access many sites without account 

Although this deserves a mere mention I thought I should dedicate a page to it since it serves a very useful purpose and has saved a lot of precious time and inbox with spam. There are two ways to enter a site either you hack through it or you have a legitimate account. Sometimes we come across a site or a newsgroup which has an interesting software or document but we cant download it unless we have an account.



Bugmenot is an initiative whose main aim is to create a dedicated database of usernames and passwords of sites which "force" you to login.

You can also go there and submit username and password of any site which you feel is having unnecessary authentication. As users of the site try out your username and password they will rank it based on whether it was a success or a failure.

the link is www.bugmenot.com

Sunday, May 9, 2010

Mirror a site

Mirroring a site is the act of taking the exact copy of a site, copying them in such a way that even the hieracrchy of the files on the remote server is maintained. Mirroring can be used if you want to have a backup of the directories on your remote server. Sites such as sourceforge.net which experience heavy traffic have "mirrored" links so that users can download from the mirrored links if they are unable to do so from the original website.

Anyone can mirror a site but it has do be done after taking permission from the owner, and is illegal if done without prior permission as it would be a violation copyright

Some servers implement a feature in which if too much of data is being downloaded very quickly, it can block those users.

Also mirroring a site sometimes causes a problem if it contains dynamic elements such as php ,javascripts and other dnamic elements.

The most famous software used is Wget, it was initially made for unix systems but was ported to windows, links are provided:-

For Windows:-

1.Wget command line

2.WinWGet gui

3.VisualWin (gui)

For Linux:-
1.GNU wget


Basic commands to use the wget command line (Windows)

wget -m [site name] Would mirror the site and save it on the local hard drive with the directory name as the site name

wget -r [site name] Would save all the pages and all the links

wget -h show all the options available


I was not able to change the default directory therefore I used the WinWGet gui version, its pretty simple.

Important links:-

1.Wiki on mirroring

ARP packets are not forwarded by Routers

While using a MAC address scanner in my campus, I realized that it was able to show the correct MAC addresses corresponding to the hosts on my local subnet ONLY. For the rest of the hosts outside my subnet, the same MAC address was shown and surprisingly it corresponded to the router connected to our subnet. Why was this happening?

Well I have found the answer to that when I read Richard Stevens' TCP/IP Illustrated Vol-1 a month back. It is an amazing book and explains the concepts very well.

The reason for the anomaly I described above was that MAC addresses are hardware addresses which work at the LINK LAYER of the OSI Model, the MAC scanner simply sends out ARP REQUEST packets for the different ip addresses. Now these ARP REQUESTS are broadcast WITHIN the subnet and the hosts respond to the requests if the destination ipaddress of the request packet matches with theirs. Then that host sends an ARP REPLY packet with the correct MAC ADDRESS. But you may still be wondering why does the local router responds to request packets having the ipaddress not meant for it?

Actually, when the router, through its ROUTING TABLE is always aware which hosts belong to its subnet and which are not(Its more complicated than that). When a host tries to send packet outside its own subnet ,the router realises this and sends its own mac address. A router works at the IP layer, which means that it needs an IP datagram, for forwarding any packet, and since ARP packets work at the link layer, do not have any IP header therefore are never forwarded to the outside networks.

This was written in an ultra-condensed form and reading a book on the TCP/IP suite is a must if you feel this article did not do justice to the topic.

I would recommend

1. TCP/IP Illustrated by Richard Stevens
2.Computer Networks by Tenebaum (I have not read it but i have heard it is very good as well)

Some important links:

1.Wiki on OSI Model

2.Wiki on LINK LAYER

3.Wiki on ARP

4.Richard Stevens' Home Page

5.Computer Network by Tanebaum book review

Saturday, May 8, 2010

Port Forwarding to allow faster torrent downloads

If you are getting absymally low sppeds while dowloading using torrent links then this article may help you out greatly.

The torrent network is based on P2P (peer to peer) technology which means that while you are happily downloading some stuf ,someone else is simultaneously downloading from your already downloaded data. This ensures that maximum speed is achieved. But nowadays users having personal broadband connection have a router which connects them to their ISP. These router come with a prebuilt firewall which filter out incoming packets and only allow packets bound to certain ports.

Usually torrent clients such as utorrent require ports in the range of 5000 and onwards to be "opened" for peers to connect to you but the router does not allow it. While downloading a file in utorrent check whether there is a tick or a cross at the bottom bar of utorrent. If there is no signal present your internet connection is probably not working . A green coloured tick means that utorrent is working perfectly fine otherwise if there is a red cross then you will have to instruct your router to forward all the packets that it is blocking to your computer.


Port forwarding allows you to forward all the packets bound to a certain port or ip address without any hindrance from the router. Obviously to do this you would need full access to your router.

Usuallly all routers have a web server and telnet server running TO access the webserver , open your web browser and enter

192.168.1.1 , (if you get an error you have either entered a worng address or the web server is not running)

Now youll probably be asked for username and password to access the webpage:
The default usernames and passwords are generally in the form of:

admin;password
administrator;password
admin;admin
Once you have access to the web page search for the links such as Port forwarding , Virtual Severs or DMZ HOST or port triggering.

I have a beetel 440bx wireless router at home and port forwarding can be done by using the virtual servers settings.

Select the protocols as TCP&UDP and enter the port that is specified in utorrent settings for both the "Internal port end" and "External port End".

In the "Server IP address " settings enter the IP of the host computer.

Save the settings and reboot the router.


Port triggering is a newer feature in which "outbound" and "inbound" ports are specified. Now as soon as a packet leaves the router from the "outbound" port, it will instantly allow all packets in through the specified "inbound" port to that host which caused the traffic. It is not a very user-friendly technique and causes problems if your application uses a different port each time.


DMZ host basically allows the router to forward all the packets from outside to the specified IP address.

Also remember to assign your computer a static IP address so that you dont have to change settings in the router.

If the settings are entered correctly you will get a nice green tick at the bottom of u torrent