Latest News

Manual Web Application Penetration Testing – Finding XSS by Playing With Parameters

Introduction
In my previous article we saw the different ways of fuzzing, including suffix and prefix. We used those fuzzing techniques in order to find error messages in web applications. Now that we know how to fuzz, we will use that skill to find XSS, generally known as cross site scripting.

Testing For XSS
Without wasting any time, let’s go to the Document Viewer page under the A3 cross site scripting (XSS) module. Various methods of exploiting XSS are in there, but first we will choose a simple method which is HTTP attribute.

A Beginners Guide To Using IPTables

ABSTRACT

Readers, there are numerous reasons ... It is well known that the Internet is an unmanaged an decentralized network, running under a set of protocols, which are not designed to ensure the integrity and confidentiality of information and access controls.
There are several ways to breach a network, but these ways do nothing more than take advantage of flaws within network protocols and services.


CONCEPTS

IPTABLES is an editing tool for packet filtering, with it you can analyze the header and make decisions about the destinations of these packets, it is not the only existing solution to control this filtering. We still have the old ipfwadm and ipchains, etc.
It is important to note that in Gnu / Linux, packet filtering is built into the kernel. Why not configure your installation in accordance with this article, since most distributions come with it enabled as a module or compiled directly into the kernel.

STEP BY STEP


case "$1" in
start)

Clearing Rules
iptables -t filter -F
iptables -t filter -X

Tips [ICMP ECHO-REQUEST] messages sent to broadcast or multicast
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Protection against ICMP redirect request
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

Do not send messages, ICMP redirected.
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

(Ping) ICMP 
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

Packages logs with nonexistent addresses (due to wrong routes) on your network
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

Enabling forwarding packets (required for NAT)
echo "1" >/proc/sys/net/ipv4/ip_forward

SSH accepted
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT

Do not break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Block all connections by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

IP spoofing protection
echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
echo - Subindo proteção contra ip spoofing : [OK]

Disable sending the IPV4
echo 0 > /proc/sys/net/ipv4/ip_forward

SYN-Flood Protection
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
iptables -A syn-flood -j DROP

# Loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

Tips connections scans
iptables -A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j DROP
iptables -A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j LOG --log-level info --log-prefix "Scan recent"

Tips SYN packets invalid
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "Packages SYN Detected"
# Tips SYN packets invalid
iptables -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "Packages SYN Detected"

Certifies that new packets are SYN, otherwise they Tips
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Discard packets with fragments of entry. Attack that can cause data loss
iptables -A INPUT -f -j DROP
iptables -A INPUT -f -j LOG --log-level info --log-prefix "Packages fragmented entries"

Tips malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-level info --log-prefix "malformed XMAS packets"

DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

WHOIS Out
iptables -t filter -A OUTPUT -p tcp --dport 43 -j ACCEPT

FTP Out
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT

FTP In
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

# Reverse
iptables -t filter -A INPUT -p tcp --dport 77 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 77 -j ACCEPT

MSF
iptables -t filter -A INPUT -p tcp --dport 7337 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 7337 -j ACCEPT

#######################################
WEB Management Firewall
touch /var/log/firewall
chmod +x /var/log/firewall
/var/log/firewall -A INPUT -p icmp -m limit --limit 1/s -j LOG --log-level info --log-prefix "ICMP Dropped "
/var/log/firewall -A INPUT -p tcp -m limit --limit 1/s -j LOG --log-level info --log-prefix "TCP Dropped "
/var/log/firewall -A INPUT -p udp -m limit --limit 1/s -j LOG --log-level info --log-prefix "UDP Dropped "
/var/log/firewall -A INPUT -f -m limit --limit 1/s -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
/var/log/firewall -A INPUT -m limit --limit 1/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
/var/log/firewall -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
exit 0
;;

stop)
echo "turning off the firewall "
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t filter -F
exit 0
;;

restart)
/etc/init.d/firewall stop
/etc/init.d/firewall start
;;

echo "Use: /etc/init.d/firewall {start|stop|restart}"
exit 1
;;
esac

Logs available: /var/log/firewall
COMMANDS TO MONITOR LOGS: tail -f /var/log/messages
Save: /etc/init.d/firewall

CONCLUSION

Gentlemen, I hope to help you in configuring your network security and remind you to choose only the best options available.
Allow me to add a few Advantages of using your firewall. Be sure to Block unknown and unauthorized connections. You can specify what types of network protocols and services to be provided and you may control the packets from any untrusted services. Your firewall also allows blocking websites with URL filters, access control, access logs for reports by user, protecting the corporate network through proxies, and Automatic Address Conversion (NAT). Control services that can either be executed or not, on the network allowing for high performance in their duties with easy administration and reliability.

A hug to all who follow RHA and my sweet brother Rafay Baloch.

ABOUT THE AUTHOR:

This is a guest post written by , RAFAEL FONTES SOUZA. He is the maintainer of the “Project Backtrack Team Brazilian”, He works at RHAinfosec as a senior penetration tester. He is also the Founder of the "Wikileaks and Intelligence, Cypherpunks". Good communication in groups and the general public, attended college projects with a focus on business organization, he currently seeks work experience outside of brazil”. He frequently contributes at RHA and talks about various topics related to internet security. 

bb in Kali Linux


Bb is a high quality audio-visual demonstration for your text terminal.

1. How to Install bb – Open terminal, type apt-get install bb and Press Enter.
(Click image for large view)

2. Open bb with Help Commands

Syntax - /usr/games/bb -h

3. This command is used to start bb. After running the command choose ‘y’ if you want music. Turn ON your Speakers.
Syntax - /usr/games/bb

 

3A. If you logged in as an user (not root) then command syntax will be change.

Syntax : hell@MrQuiety:/root$ bb

4. If you want to change anything then just Press the given number according to their description. After that Press 8 for continue.

5. Watch and Enjoy….
(Click image for large view)

Like it ? Share it.

Certified Penetration Testing Consultant - C)PTC Review

Although most of the attacks have moved towards Web Application, but the most critical information resides upon the network and is not being exposed to the Web application, therefore a lot of the organizations are allocating a certain amount of budget to obtain a better security model. However, now a days network penetration testing is becoming a tedious job due to the fact that organizations are now implementing multiple layers of defenses. In such cases a better strategy and advanced attack strategies are required for conducting a better security assessment.

Recently, I got a chance to take the C | PTC course which was focused primarily on testing huge network infrastructures. So, therefore I thought to write an unbiased review about the course contents and the examination.
CPTC (Certified Penetration Testing Consultant) comes into two flavors, the practical and the theoretical exam. The theoretical exam costs about 300$ and comes in the form of multiple choice questions, whereas the CPTC practical exam costs 600$. The exam would consists of two IP addresses to pentest and 6 hours to exploit them and report the results to pass the examination. At the end of the engagement, you would need to submit full penetration testing report with all your technical findings under 90 days, the report would be evaluated by experts and based upon their decision, you'll be marked with a pass or fail.

The overall course is based upon Network infrastructure based attacks i.e. mostly related to layer 2, layer 3, Layer 4 attacks. The course included in depth coverage of much less discussed topics such as Vlan hopping at layer 2, routing protocols attacks (OSPF, EIGRP), HSRP, VPN, IPV6 based attacks etc. The course kit ships up with a workbook, a Lab guide and lab access to follow practice the attacks you have learnt through out the course. The course is strongly recommended to any one who is interested in taking their skills to the next level.

Course Content

The course is divided into 8 different modules and each module comes up with a lab of it's own. So that after each module you would be able to practice the attacks you learned.








According to mile2, the attendees of the course would be able to do the following things:

  • Perform a penetration test and submit a deliverable report
  • Capture and replay VoIP traffic
  • Learning Network Infrastructure advanced Attacks.
  • Find and exploit databases with SQL Injection vulnerabilities
  • Manipulate prices on e-commerce websites
  • Obtain and transfer information via Bluetooth enabled telephones
  • Tools and resources for picking simple and complex locks
  • Techniques for Wireless Site Surveying and Cracking WEP/WPA key
  • Each day ends with a Capture the Flag Competition to ensure that participants retain the daily objectives.
  • Additionally, attendees will be qualified to confidently undertake the CPT Consultant practical examination.

Pros

  • The course offers wide varieties of topics for advanced penetration testing
  • The examination is based upon real world practical challenge.
  • Along with pentesting, they also teach you how to write reports, which is something that is often not taught in most of the penetration testing courses.
  • The course talks about complex network Infrastructure attacks specifically focused on cisco.
  • The cost for the exam and material is pretty reasonable when compared with other certifications such as eccouncil's CEH.

Cons

  • Since the CPTE course covers much about webapplication penetration testing, the course being an advanced versions should also had contained a module on "WebApplication" security/pentesting. However, mile2 has specifically designed a course for webapplications known as CSWAE course, which we would review very soon here at RHA.
  • The workbook/labguide should be downloadable as the PDF, so that people can study offline.

Conclusion

Overall, I found the course pretty fascinating and it's definitely recommended for individuals that want to dive inside the world of network infrastructure attacks and hack on lower layers.

Questions and Comments

If you have any questions feel free to contact: BillNelson@Mile2.com. Mile2 has been kind enough to offer a special discount rate of 14% specifically for RHA readers.

Discount Code: BNSpcl14

Web Application Exploits


Web Evolution
  • Static content:-  Server serves web pages created by people.
  • Dynamic content via server-side code:- Server generates web pages based on input from user and a database using code executed on server.
    Ex - CGI scripts (Perl, Python, PHP, Ruby, Java, ASP, etc.)
  • Dynamic content via client-side code:- Code embedded in web page is executed in browser and can manipulate web page as a data structure (Domain Object Model = DOM)
    Ex. - JavaScript, VBScript, Active X controls, Java applets
  • AJAX (Asynchronous JavaScript and XML):- Framework for updating page by communicating between browser and remote servers.
Attack Surface

Web applications have a large attack surface  places that might contain vulnerabilities that can be exploited. A vault with a single guarded door is easier to secure than a building with many doors and windows.
  • Client side surface:- form inputs (including hiddenfields), cookies, headers, query parameters, uploaded files, mobile code
  • Server attack surface: web service methods, databases
  • AJAX attack surface: union of the above

These were divided into six categories:
Broken Authentication (62%) - This vulnerability relates to the application’s login mechanism, which may enable the attacker to guess username and passwords and thus launch a brute-force attack.

Broken Access Controls (71%) - The application fails to properly protect access to sensitive information. An attacker can be able to view other user’s personal information.

SQL Injection (32%) - This allows the attacker to submit arbitrary input to the application and interfere with the application’s back-end database. An attacker may be able to modify or retrieve data from the application or execute commands on the database.

Cross-site Scripting (94%) - This vulnerability enables the attacker to input malicious javascript to the application and potentially gain access to their data, or carrying other attacks against them.

Information Leakage (78%) - In this case the application exposes sensitive data or information that might be useful for the attacker when targeting the application.

Cross-site Request Forgery (92%) - This allows the attacker to create malicious and unintended actions in the application with other user’s behalf.

The OWASP Top 10 - 2013 Release Candidate includes the following changes as compared to the 2010 edition:
  • A1 Injection
  • A2 Broken Authentication and Session Management (was formerly A3)
  • A3 Cross-Site Scripting (XSS) (was formerly A2)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration (was formerly A6)
  • A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
  • A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
  • A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
  • A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration)
  • A10 Unvalidated Redirects and Forwards

Like it ? Share it.

oneko in Kali Linux


Oneko changes your mouse cursor into mouse and creates a little cute cat and the cat start chasing around your mouse cursor. If the cat catchup the “mouse”, start sleeping.


1. How to install – Open Terminal, type apt-get install oneko and Press Enter
(Click on image for large view)

2. Open oneko with help commands
Syntax - /usr/games/oneko -help


3. Neko – neko use neko bitmaps.
Syntax - /usr/games/oneko
          or /usr/games/oneko -neko

4. Dog use dog bitmaps
Syntax - /usr/games/oneko –dog

5. Sakura use sakura bitmaps.
Syntax - /usr/games/oneko -sakura

6. Tomoyo use tomoyo bitmaps.
Syntax - /usr/games/oneko -tomoyo
(Click on image for large view)


Like it ? Share it.

How to Delete Gmail Account

Sometime we need to delete Gmail account and every person has their own reason behind this decision. We want to also tell your think once again about deleting your gmail. After deleting gmail account you will lose your all access, data and email etc. So, This is really a big decision. Now come to the point “How to Delete Gmail Account”

1. Write you Gmail ID which you want to delete as well write your Gmail ID's Password and Click on Sign In.
(Click Image for large view)

2. If you have slow Internet connection and you want to access your gmail account faster then Click on Basic HTML. Sure It will not give you new look of gmail but its very handy for slow net connection users.

3. As you will see you have successfully logged In. Now Click on Account.

4. If required it may ask you to write our password again for security reason. If it ask then write your password and click on Sign In. In my case it didn't ask and it simply switch to my personal info Tab. In this Tab Click on Data Tools.

5. Click on Delete account and data 

6. Read the paragraph carefully and check the boxes which things you want to delete again check box for confirmation and finally click on DELETE GOOGLE ACCOUNT

7. Soon you will get a successful message in your screen.
(Click Image for large view)
Like it ? Share it.

Buffer overflows


In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This is a special case of violation of memory safety.
Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited.
Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built-in buffer type) is within the boundaries of that array. Bounds checking can prevent buffer overflows.

A buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts data values in memory addresses adjacent to the allocated buffer. Most commonly this occurs when copying strings of characters from one buffer to another.

Exploitation

The techniques to exploit a buffer overflow vulnerability vary per architecture, operating system and memory region. For example, exploitation on the heap (used for dynamically allocated memory), is very different from exploitation on the call stack.

Stack-based Exploitation
A technically inclined user may exploit stack-based buffer overflows to manipulate the program to their advantage in one of several ways:
  • By overwriting a local variable that is near the buffer in memory on the stack to change the behavior of the program which may benefit the attacker.
  • By overwriting the return address in a stack frame. Once the function returns, execution will resume at the return address as specified by the attacker, usually a user input filled buffer.
  • By overwriting a function pointer,[ or exception handler, which is subsequently executed.
With a method called "trampolining", if the address of the user-supplied data is unknown, but the location is stored in a register, then the return address can be overwritten with the address of an opcode which will cause execution to jump to the user supplied data. If the location is stored in a register R, then a jump to the location containing the opcode for a jump R, call R or similar instruction, will cause execution of user supplied data.
The locations of suitable opcodes, or bytes in memory, can be found in DLLs or the executable itself. However the address of the opcode typically cannot contain any null characters and the locations of these opcodes can vary between applications and versions of the operating system. The Metasploit Project is one such database of suitable opcodes, though only those found in the Windows operating system are listed.
Stack-based buffer overflows are not to be confused with stack overflows. Also note that these vulnerabilities are usually discovered through the use of a fuzzer.

Heap-based Exploitation
A buffer overflow occurring in the heap data area is referred to as a heap overflow and is exploitable in a different manner to that of stack-based overflows. Memory on the heap is dynamically allocated by the application at run-time and typically contains program data.
Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers. The canonical heap overflow technique overwrites dynamic memory allocation linkage (such as malloc meta data) and uses the resulting pointer exchange to overwrite a program function pointer.
Microsoft's GDI+ vulnerability in handling JPEGs is an example of the danger a heap overflow can present.

Barriers to Exploitation
Manipulation of the buffer, which occurs before it is read or executed, may lead to the failure of an exploitation attempt. These manipulations can mitigate the threat of exploitation, but may not make it impossible.
Manipulations could include conversion to upper or lower case, removal of metacharacters and filtering out of non-alphanumeric strings. However, techniques exist to bypass these filters and manipulations; alphanumeric code, polymorphic code, self-modifying code and return-to-libc attacks. The same methods can be used to avoid detection by intrusion detection systems. In some cases, including where code is converted into unicode, the threat of the vulnerability have been misrepresented by the disclosers as only Denial of Service when in fact the remote execution of arbitrary code is possible.

Practicalities of Exploitation
In real-world exploits there are a variety of challenges which need to be overcome for exploits to operate reliably. These factors include null bytes in addresses, variability in the location of shellcode, differences between environments and various counter-measures in operation.

NOP Sled Technique
A NOP-sled is the oldest and most widely known technique for successfully exploiting a stack buffer overflow. It solves the problem of finding the exact address of the buffer by effectively increasing the size of the target area.
To do this much larger sections of the stack are corrupted with the no-op machine instruction. At the end of the attacker-supplied data, after the no-op instructions, an instruction to perform a relative jump to the top of the buffer where the shellcode is located. This collection of no-ops is referred to as the "NOP-sled" because if the return address is overwritten with any address within the no-op region of the buffer it will "slide" down the no-ops until it is redirected to the actual malicious code by the jump at the end.
This technique requires the attacker to guess where on the stack the NOP-sled is instead of the comparatively small shellcode.
Because of the popularity of this technique, many vendors of intrusion prevention systems will search for this pattern of no-op machine instructions in an attempt to detect shellcode in use. It is important to note that a NOP-sled does not necessarily contain only traditional no-op machine instructions; any instruction that does not corrupt the machine state to a point where the shellcode will not run can be used in place of the hardware assisted no-op.
As a result it has become common practice for exploit writers to compose the no-op sled with randomly chosen instructions which will have no real effect on the shellcode execution.

Preventing Overflows Vulnerabilities

Various techniques have been used to detect or prevent buffer overflows, with various tradeoffs. The most reliable way to avoid or prevent buffer overflows is to use automatic protection at the language level. This sort of protection, however, cannot be applied to legacy code, and often technical, business, or cultural constraints call for a vulnerable language. The following sections describe the choices and implementations available.

Choice of programming language
The choice of programming language can have a profound effect on the occurrence of buffer overflows. As of 2008, among the most popular languages are C and its derivative, C++, with a vast body of software having been written in these languages. C and C++ provide no built-in protection against accessing or overwriting data in any part of memory; more specifically, they do not check that data written to a buffer is within the boundaries of that buffer. However, the standard C++ libraries provide many ways of safely buffering data, and techniques to avoid buffer overflows also exist for C.
Many other programming languages provide runtime checking and in some cases even compile-time checking which might send a warning or raise an exception when C or C++ would overwrite data and continue to execute further instructions until erroneous results are obtained which might or might not cause the program to crash. Examples of such languages include Ada, Eiffel, Lisp, Modula-2, Smalltalk, OCaml and such C-derivatives as Cyclone and D. The Java and .NET Framework bytecode environments also require bounds checking on all arrays. Nearly every interpreted language will protect against buffer overflows, signalling a well-defined error condition.
Often where a language provides enough type information to do bounds checking an option is provided to enable or disable it. Static code analysis can remove many dynamic bound and type checks, but poor implementations and awkward cases can significantly decrease performance. Software engineers must carefully consider the tradeoffs of safety versus performance costs when deciding which language and compiler setting to use.

Use of safe libraries
The problem of buffer overflows is common in the C and C++ languages because they expose low level representational details of buffers as containers for data types. Buffer overflows must thus be avoided by maintaining a high degree of correctness in code which performs buffer management. It has also long been recommended to avoid standard library functions which are not bounds checked, such as gets, scanf and strcpy.
The Morris worm exploited a gets call in fingerd. Well-written and tested abstract data type libraries which centralize and automatically perform buffer management, including bounds checking, can reduce the occurrence and impact of buffer overflows.
The two main building-block data types in these languages in which buffer overflows commonly occur are strings and arrays; thus, libraries preventing buffer overflows in these data types can provide the vast majority of the necessary coverage. Still, failure to use these safe libraries correctly can result in buffer overflows and other vulnerabilities; and naturally, any bug in the library itself is a potential vulnerability. "Safe" library implementations include "The Better String Library", Vstr  and Erwin. The OpenBSD operating system's C library provides the strlcpy and strlcat functions, but these are more limited than full safe library implementations.

Buffer overflow protection
Buffer overflow protection is used to detect the most common buffer overflows by checking that the stack has not been altered when a function returns. If it has been altered, the program exits with a segmentation fault. Three such systems are Libsafe,  and the StackGuard and ProPolice gcc patches.
Microsoft's Data Execution Prevention mode explicitly protects the pointer to the SEH Exception Handler from being overwritten.
Stronger stack protection is possible by splitting the stack in two: one for data and one for function returns. This split is present in the Forth language, though it was not a security-based design decision. Regardless, this is not a complete solution to buffer overflows, as sensitive data other than the return address may still be overwritten.

Pointer protection
Buffer overflows work by manipulating pointers (including stored addresses). PointGuard was proposed as a compiler-extension to prevent attackers from being able to reliably manipulate pointers and addresses.
The approach works by having the compiler add code to automatically XOR-encode pointers before and after they are used. Because the attacker (theoretically) does not know what value will be used to encode/decode the pointer, he cannot predict what it will point to if he overwrites it with a new value. PointGuard was never released, but Microsoft implemented a similar approach beginning in Windows XP SP2 and Windows Server 2003 SP1.
Rather than implement pointer protection as an automatic feature, Microsoft added an API routine that can be called at the discretion of the programmer. This allows for better performance (because it is not used all of the time), but places the burden on the programmer to know when it is necessary.
Because XOR is linear, an attacker may be able to manipulate an encoded pointer by overwriting only the lower bytes of an address. This can allow an attack to succeed if the attacker is able to attempt the exploit multiple times and/or is able to complete an attack by causing a pointer to point to one of several locations (such as any location within a NOP sled). Microsoft added a random rotation to their encoding scheme to address this weakness to partial overwrites.

Executable space protection
Executable space protection is an approach to buffer overflow protection which prevents execution of code on the stack or the heap. An attacker may use buffer overflows to insert arbitrary code into the memory of a program, but with executable space protection, any attempt to execute that code will cause an exception.
Some CPUs support a feature called NX ("No eXecute") or XD ("eXecute Disabled") bit, which in conjunction with software, can be used to mark pages of data (such as those containing the stack and the heap) as readable and writeable but not executable. Some Unix operating systems (e.g. OpenBSD, Mac OS X) ship with executable space protection (e.g. W^X). Some optional packages include:
  • PaX
  • Exec Shield
  • Openwall
Newer variants of Microsoft Windows also support executable space protection, called Data Execution Prevention.  Proprietary add-ons include:
  • BufferShield
  • StackDefender
Executable space protection does not generally protect against return-to-libc attacks, or any other attack which does not rely on the execution of the attackers code. However, on 64-bit systems using ASLR, as described below, executable space protection makes it far more difficult to execute such attacks.
Address space layout randomization
Address space layout randomization (ASLR) is a computer security feature which involves arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, randomly in a process' address space.
Randomization of the virtual memory addresses at which functions and variables can be found can make exploitation of a buffer overflow more difficult, but not impossible. It also forces the attacker to tailor the exploitation attempt to the individual system, which foils the attempts of internet worms. A similar but less effective method is to rebase processes and libraries in the virtual address space.

Deep packet inspection
The use of deep packet inspection (DPI) can detect, at the network perimeter, very basic remote attempts to exploit buffer overflows by use of attack signatures and heuristics. These are able to block packets which have the signature of a known attack, or if a long series of No-Operation instructions (known as a nop-sled) is detected, these were once used when the location of the exploit's payload is slightly variable.
Packet scanning is not an effective method since it can only prevent known attacks and there are many ways that a 'nop-sled' can be encoded. Shellcode used by attackers can be made alphanumeric, metamorphic, or self-modifying to evade detection by heuristic packet scanners and intrusion detection systems.

Like it ? Share it.

Manual Web Application Penetration Testing – Suffix & Prefix in Fuzzing

Introduction
In this series of articles, last time we talked about fuzzing and various SQL statement special characters which can be used in fuzzing a web application. In this article, I am going to focus on various prefixes and suffixes of fuzzing in order to fuzz the target web application.

CLICK HERE TO READ FULL ARTICLE

CISCO Systems Security Certification


The industry leader in networking, unified communications & collaboration - and an innovator in data center technology, network infrastructure, and other key emerging technologies.
Cisco launches its first global re-branding campaign for the first time in six years with its "TOMORROW starts here" and "Internet of Everything" advertising campaigns. These efforts were designed to position Cisco for the next ten years into a global leader in connecting the previously unconnected and facilitate the IP address connectivity of people, data, processes and things through cloud computing applications and services.

In March 2013, Cisco announced its interest in Myanmar by investing in two Cisco Networking Academies in Yangon and Mandalay and a channel partner network in the country.

A Cisco base in Chennai, India.India is one of the company's largest overseas markets and production centers.

Cisco's current portfolio of products and services is focused upon three market segments – Enterprise and Service Provider, Small Business and the Home. The solutions for each market are segmented into Architectures, which form the basis for how Cisco approaches each market.

Cisco Security Certifications
Cisco Systems also sponsors a line of IT Professional certifications for Cisco products. There are five levels of certification: Entry (CCENT), Associate (CCNA / CCDA), Professional (CCNP / CCDP), Expert (CCIE / CCDE), and recently Architect, as well as eight different paths, Routing & Switching, Design, Network Security, Service Provider, Service Provider Operations, Storage Networking, Voice, and Wireless.
A number of specialist technician, sales and datacenter certifications are also available. Cisco also provides training for these certifications via a portal called the Cisco Networking Academy. Qualifying schools can become members of the Cisco Networking Academy and then provide CCNA level or other level courses. Cisco Academy Instructors must be CCNA certified to be a CCAI certified instructor.

CCNA Security

CCNA Security validates knowledge of security infrastructure, threats, and vulnerabilities to networks and threat mitigation. Required skills include installation, troubleshooting and monitoring of network devices to maintain the integrity, confidentiality, and availability of data and devices. This certification is earned by passing the IINS 640-553 (Implementing Cisco IOS Network Security, or IINS) exam. The last day to enroll in the IINS 640-553 exam was September 30th, 2012, and has since been replaced by the IINS 640-554 exam (IINS v2.0), which is now the required exam to earn the certification and for continuing the security certification path to the CCNP.

CCNP Security

The CCNP Security certification program is aligned to the job role of the Cisco Network Security Engineer, responsible for security in routers, switches, networking devices, and appliances, as well as choosing, deploying, supporting, and troubleshooting firewalls, VPNS, and IDS/IPS solutions for their networking environments. The CCNP Security certification requires CCNA Security or any CCIE Certification.

CCNP Security exams and recommended training
642-637 SECURE v1.0 Secure v1.0 Securing Networks with Cisco Routers and Switches (SECURE v1.0)
642-618 FIREWALL v2.0 Deploying Cisco ASA Firewall Solutions (FIREWALL v2.0)
642-648 VPN v2.0 Deploying Cisco ASA VPN Solutions (VPN v2.0)
642-627 IPS v7.0 Implementing Cisco Intrusion Prevention System v7.0 - (IPS v7.0)

CCIE Security

The Security track covers advanced topics in subjects such as ASA, IDS, IOS security, and many others.

Official Website : Click Here

Like it ? Share it.

Matrix in Kali Linux


Show a scrolling ‘Matrix’ like screen in Kali Linux

1. How to install – Open Terminal, type apt-get install cmatrix and Press Enter
(Click on image for large view)

2. Open cmatrix with help commands.
Syntax – cmatrix –h

3. This is a simple example of cmatrix. Open Terminal, type cmatrix and Press Enter

As Result we will see letter scrolling matrix.

4. This command will display The Matrix with bold font.
Syntax – cmatrix –B

As Result you will see this.
(Click on image for large view)


Like it ? Share it.

Interview of Kali Linux


What is Kali Linux - Kali Linux is the new generation of the industry-leading BackTrack Linux penetration testing and security auditing Linux distribution. Kali Linux is a complete re-build of BackTrack from the ground up, adhering completely to Debian development standards. It is maintained and funded by Offensive Security Ltd. It was developed by Mati Aharoni and Devon Kearns of Offensive Security through the rewriting BackTrack, their previous forensics Linux distribution. Users may run Kali Linux from a hard disk, live CD, or live USB. Kali Linux is distributed in 32- and 64-bit images for use on hosts based on the x86 instruction set, as well as an image for the ARM architecture for use on the Raspberry Pi computer and on Samsung's ARM Chromebook. Kali Linux is also known as Backtrack 6.

How to Download Kali Linux ISO
1. Open This link Download Kali Linux
2. After Opening the Official Download Website of Kali Linux you will find out download links. I advice you If you are feeling confuse which one should you choose for downloading, choose Kali Linux 32 Bit ISO. It supports mostly all System. So for starting download click on Kali Linux 1.0.6 32 Bit ISO (Version may update in the future just focus on 32 Bit ISO)

3. So, If you have Internet Download Manager in your system. You will see a pop up like this. If not then as per your browser it will start to download.

4. After finishing your download check your download save path. You will find your Kali Linux 32 Bit ISO there.

How to Make Kali Linux Bootable Pendrive - Visit Our this post Make Kali Linux Bootable Pendrive

What is VMware Workstation ? - VMware Workstation is a hypervisor that runs on x64 computers; it enables users to set up multiple virtual machines (VMs) and use them simultaneously along with the actual machine. Each virtual machine can execute its own operating system, such as Microsoft Windows, Linux or BSD variants. As such, VMware Workstation allows one physical machine to run multiple operating systems simultaneously. Workstation is developed and sold by VMware, Inc., a division of EMC Corporation.
VMware Workstation supports bridging existing host network adapters and share physical disk drives and USB devices with a virtual machine. In addition, it can simulate disk drives. It can mount an existing ISO image file into a virtual optical disc drive so that the virtual machine sees it as a real one. Likewise, virtual hard disk drives are made via .vmdk files.
VMware Workstation can save the state of a virtual machine in one point of time. These saved states, known as a "snapshots", can later be restored, effectively returning the virtual machine to the saved state.
VMware Workstation includes the ability to designate multiple virtual machines as a team which can then be powered on, powered off, suspended or resume as a single object, making it particularly useful for testing client-server environments.

How to Download VMware - Visit official Website of VMware Click Here then use below serial key to make it full version. 

╚═►VMware Workstation v9.X ◄═╝
Serial Key:→
ZF3X0-4ZW0Q-0842P-E6PGC-PKRZF
VY19K-01X5L-084MY-MXMZG-MAUF2
YA5X2-FEFDK-H80VQ-4YWQC-MPARD
YU1WA-F1GD7-485UQ-ADNNT-XCAR6
GF1WR-FGZ5J-485RY-JGQQC-XZ2G8
AY3HA-F1D5N-08D7Q-Z6X5T-XK2G2
YG5EK-D1X8L-088XY-NNQEC-P3AW6
VF14H-0YFE5-48D2Z-ZDPNT-YFUZ8
ZU31H-2WY83-0853Y-Z5WQZ-ZAAC6
GC1WK-F8XEM-M812P-9WMG9-XUU9F
AY540-00W0M-088DY-GDQ7T-QL8Z8
FF34U-A5W11-H80UP-F6WNV-NL8V6
CF71K-AGD52-H894Q-Q4P7E-XL2R6
YZ5MA-6GXDP-0841Y-K4PNG-XK2ZF

╚═►VMware Workstation 10 ◄═╝
Serial Keys :-
1Z0G9-67285-FZG78-ZL3Q2-234JG
4C4EK-89KDL-5ZFP9-1LA5P-2A0J0
HY086-4T01N-CZ3U0-CV0QM-13DNU
5U4GA-DQ09H-EZK48-YTAQP-83K79
NU4FQ-DFH40-0ZA01-8A37K-32RKL
HF0DA-FF086-VZ739-AA87H-236M4
HF0A8-FMJ1P-1Z1U1-LK1N2-9AGKJ
5A477-D3284-3ZUF0-2K154-23R0P
MY47Y-2MK1M-6ZQC0-7J05M-8A60D
5V6K2-29243-HZDV0-VVA76-93A2R
NA28T-DR114-AZ9Z8-R1250-93U27
MF4JG-4H3DK-NZ3L0-KHCNM-8AMNP
NA6F3-2HKEM-6ZDF8-Q18N6-33DNN
1Y2FZ-AHJ5H-6ZU09-DKA5M-82RQ7
5U6KQ-6M240-LZMW1-U13N2-AAX7X
HA4FW-8G052-DZ8Q0-U295P-83KLV
5F4PK-42181-9ZXP9-T31Q6-1CVKM
JY468-44L9M-DZ479-3UA72-CAKHR
4F6Z5-80H42-FZ889-L007M-ACJJN

More Serial Keys : Click Here

How to install VMware - VMware installation is not a big deal. just open downloaded vmware setup file and follow the instruction.

Q. - Any Freeware Software like VMware because i am unable to download this ?
Ans - Yes, There are many software like this but VMware has more features then other but as you are unable to download so Here are your alternate option Choose one of them.
How to Install Kali Linux on VMware - Visit Our this Post Install Kali Linux on VMware

How to Install Kali Linux with Windows -  Visit Our this Post Install Kali Linux on Hard Disk 

Additional Information - 
Grub Rescue - Sometime for different reason we can face this problem so visit our How to Fix Grub Rescue error Post for solution 

Q. - I also want to download Kali Linux through Internet Download Manager (IDM). Where I can get it for Free ?
Ans - Download from Geekyshows its Free and Full version for life time. If you notice that download link has broken kindly report me Contact Us. 
Internet Download Manager - Download Link  

Like it ? Share it.

Contact Us

24x7 online , we happy to answer you
tamilcypc@gmail.com

Disclaimer

This Blog and its TUT's are intended for educational purposes only, no-one involved in the creation of this TuT may be held responsible for any illegal acts brought about by this Blog or TuT.



Featured Post

Custom Domains And HTTPS Redirection Code