Saturday 21 December 2013

Zee Cinema is Vulnerable to LFI (Local File Inclusion) + iframe Injection.

Local File Inclusion (LFI) is a type of vulnerability which is mostly found in websites. It allows an attacker to make the application include a local file, usually through a script on the web server. The vulnerability occurs when user-supplied input is used in a file path without proper validation. An LFI vulnerability lets an attacker include any local file on the web server through the script. LFI is a very dangerous vulnerability which can lead to website defacement, command execution and much more.

Here are some of the common parameters which are vulnerable to local file inclusion or remote file inclusion attacks:

read.html?link=
index.php?homepage=
index.php?page=
index.php?index2=
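The parameters above are dangerous for one reason: the raw value ends up in a file path. As an added example that is not part of the original post, the following Python script shows that mistake beside the hardened version (an allowlist lookup plus a canonicalised path-containment check). The web root, the `pages` directory, the page keys and the config file it creates are all constructed for the demonstration.

```python
import os
import tempfile

# Allowlist of page keys -> filenames. Constructed for this example.
ALLOWED_PAGES = {"home": "home.html", "about": "about.html"}


def include_page_vulnerable(webroot: str, page: str) -> str:
    """Mirrors ?page=<file>: the raw parameter becomes part of the path.
    Any ../ sequence escapes the intended directory, which is the LFI."""
    path = os.path.join(webroot, "pages", page)
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def path_stays_inside(base_dir: str, untrusted_relative: str) -> bool:
    """Canonicalise both paths and confirm the candidate stays under base_dir."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, untrusted_relative))
    return os.path.commonpath([base, candidate]) == base


def include_page_hardened(webroot: str, page: str) -> str:
    """Allowlist lookup first; path containment check as defence in depth."""
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        raise ValueError(f"unknown page key: {page!r}")
    pages_dir = os.path.join(webroot, "pages")
    if not path_stays_inside(pages_dir, filename):
        raise ValueError("resolved path escapes the pages directory")
    with open(os.path.join(pages_dir, filename), encoding="utf-8") as fh:
        return fh.read()


def build_demo_webroot() -> str:
    """Constructed web root: two legitimate pages and a config file outside them."""
    root = tempfile.mkdtemp(prefix="lfi_demo_")
    os.makedirs(os.path.join(root, "pages"))
    os.makedirs(os.path.join(root, "config"))
    with open(os.path.join(root, "pages", "home.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>Home</h1>")
    with open(os.path.join(root, "pages", "about.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>About</h1>")
    with open(os.path.join(root, "config", "db.ini"), "w", encoding="utf-8") as fh:
        fh.write("password=example-not-real\n")  # constructed, stands in for a secret
    return root


def run_demo() -> dict:
    """Exercise both handlers with a normal value and a traversal value."""
    root = build_demo_webroot()
    results = {
        "vuln_normal": include_page_vulnerable(root, "home.html"),
        # the vulnerable handler follows ../ straight out of the pages directory
        "vuln_traversal": include_page_vulnerable(root, "../config/db.ini"),
        "hard_normal": include_page_hardened(root, "home"),
    }
    try:
        include_page_hardened(root, "../config/db.ini")
        results["hard_traversal"] = "LEAKED"
    except ValueError:
        results["hard_traversal"] = "blocked"
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:15s} {value!r}")
```

The allowlist is the real fix: the parameter never names a file, it names a key. The `path_stays_inside` check is kept as a second layer so that a later change to the allowlist (say, someone adds a value containing `..`) still cannot reach outside the intended directory.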

Recently I was testing Zee Cinema for vulnerabilities and I found that it is vulnerable to local file inclusion.

Enjoy!!!!!!!!!!!!!

Wednesday 2 October 2013

Wireshark (what's on your network) and how to analyse packets in it

Wireshark is the world's foremost network protocol analyzer. It lets you see what's happening on your network at a microscopic level. It is used across many industries and educational institutions. It is a network packet analyzer: a network packet analyzer tries to capture network packets and display the packet data in as much detail as possible. You could think of a network packet analyzer as a measuring device used to examine what's going on inside a network cable, just like a voltmeter is used by an electrician to examine what's going on inside an electric cable.
However, with the advent of Wireshark, all that has changed. Wireshark is perhaps one of the best open source packet analyzers available today.

 

 Features of Wireshark:

  • Available for UNIX and Windows.
  • Capture live packet data from a network interface.
  • Open files containing packet data captured with tcpdump/WinDump, Wireshark, and a number of other packet capture programs.
  • Import packets from text files containing hex dumps of packet data.
  • Display packets with very detailed protocol information.
  • Save packet data captured.
  • Export some or all packets in a number of capture file formats.
  • Filter packets on many criteria.
  • Search for packets on many criteria.
  • Colorize packet display based on filters.
  • ... and a lot more!

    For more information visit http://www.wireshark.org/

    How to Analyse a Packet in Wireshark:

    First of all, download the .pcap file here; it has to be opened in Wireshark.

    Now open the downloaded file analyst.pcap in Wireshark as shown in the image below:

    So let's analyse the diagram above:
    Line 1 - the internal host at 192.168.1.100 has successfully connected to an outside server at 5.4.3.2 on the microsoft-ds port (file sharing).
    Analysis - this looks suspicious, as internal hosts should not be sharing files outside the network.

    Line 2 - the internal host at 192.168.1.100 has successfully connected to an outside server at 5.192.78.3 on TCP port 31337.
    Analysis - this looks suspicious, as this port is known to be used by multiple Trojans, namely Back Orifice.

    Line 3 - the internal host at 192.168.2.142 has sent an ICMP echo (ping) request to an outside address, 5.255.255.255 (broadcast).
    Analysis - this looks suspicious because malware performs certain basic functions after infecting a system: it needs to phone home and let its owner know that he/she has another satisfied customer.

    Line 4 - the internal host at 192.168.2.142 has connected to an outside server at 64.157.165.182 and appears to be infected with spyware.
    Analysis - "Gator.exe" belongs to the Claria advertising program; the process running on your system may be detected as "Adware.W32.Claria". This process monitors your browsing habits and sends the data back to the author's servers for analysis. It also triggers advertising pop-ups. This process is a security risk and should be removed from your system.

    Line 5 - the internal host at 192.168.2.142 has connected to an outside server at 5.192.33.34 on the "sunrpc" port.
    Analysis - Sun's Remote Procedure Call forms the basis of many UNIX services, especially NFS (Network File System). However, RPC is extremely dangerous when left exposed to the Internet, which leads to frequent compromise of servers based on Sun Solaris and Linux. RPC should never be exposed to the Internet.

    Line 6 - the internal host at 192.168.1.100 has attempted to connect to an outside server at 66.75.160.13 using SMTP.
    Analysis - this looks suspicious, as the host appears to be infected, though secureinfo.com is a company that performs vulnerability assessments, penetration testing and security auditing services. If I had not been informed of this in advance, I would still treat it as suspicious until confirmed otherwise. It could also represent an infected host sending an email worm.
    The next step is to remove this host from the network, review any compliance regulations that apply (e.g. PCI, SOX, HIPAA, GLBA), perform a complete virus scan to remove all malware, and update and apply all patches. Next, I would recommend reviewing all log files to determine the origin of the infection and prevent further problems.

    Line 7 - the internal host at 192.168.2.142 has connected to an outside server at 66.136.57.21 with a request containing "winnt/system32/cmd.exe".
    Analysis - this tells me that the internal host may be infected with the Nimda worm, which, unlike the Code Red worm, also spreads as an email attachment and can infect everyone in your email client's contact list by sending a malicious attachment, sometimes named "readme.exe".

    Line 8 - the internal host at 192.168.0.68 has sent a SYN packet to an internal host with the same IP address, 192.168.0.68, on the microsoft-ds port (file sharing).
    Analysis - this is suspicious, as it could represent an IP spoofing attempt to gain access to internal file shares.

    Line 9 - the internal host at 192.168.0.68 has sent a request to an outside server at 5.222.3.1 using the IRC protocol.
    Analysis - this is suspicious, as it may be an infected internal host phoning home to tell its master that it is infected.

    Line 10 - the internal host at 192.168.0.68 has requested a file (test.exe) transfer from an outside server at 5.234.7.2 using the TFTP protocol.
    Analysis - this is suspicious. TFTP uses UDP port 69, rather than TCP port 21 like FTP, and can cause DoS. It uses no authentication or encryption mechanisms, and is used to read files from, or write files to, a remote server. "Due to the lack of security, it is dangerous over the open Internet. Thus, TFTP is generally only used on private, local networks."
    Also, based on the previous events involving this internal host, it appears to be malicious activity.

    Overall analysis: perform complete antivirus scans of hosts 192.168.1.100, 192.168.2.142 and 192.168.0.68, and carefully check the running processes and services for anything not listed as a Microsoft service or authorized application (located in the c:/Windows or c:/Windows/System32 folders). Also check for unauthorized services and startup programs.
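The ten observations above are really a small rule set, and a rule set can be run automatically over the flows of a capture. The following Python script is an added example and not part of the original post. The flow records are constructed to mirror lines 1 to 10 of the capture (plus one benign HTTPS flow for contrast); the port numbers used by the rules are the standard assignments (445 microsoft-ds, 111 sunrpc, 25 SMTP, 6667 IRC, 69 TFTP); the internal range, the authorised mail relay address and the URI indicator list are assumptions made for the demonstration.

```python
import ipaddress
from typing import Dict, List

# Assumptions for this example: the internal range and an authorised mail relay.
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")
MAIL_RELAYS = {"192.168.1.25"}  # hypothetical authorised outbound SMTP host

# Standard port assignments used by the rules below.
MICROSOFT_DS, SUNRPC, SMTP, IRC, TFTP = 445, 111, 25, 6667, 69
TROJAN_PORTS = {31337: "Back Orifice"}
# Substrings in a requested URI that match the indicators discussed above.
KNOWN_BAD_URIS = {"gator.exe": "Claria/Gator adware download",
                  "cmd.exe": "Nimda-style cmd.exe request"}

# Constructed flow records mirroring lines 1-10 of the capture, plus one benign flow.
FLOWS = [
    {"line": 1, "proto": "TCP", "src": "192.168.1.100", "dst": "5.4.3.2", "dport": 445},
    {"line": 2, "proto": "TCP", "src": "192.168.1.100", "dst": "5.192.78.3", "dport": 31337},
    {"line": 3, "proto": "ICMP", "src": "192.168.2.142", "dst": "5.255.255.255"},
    {"line": 4, "proto": "TCP", "src": "192.168.2.142", "dst": "64.157.165.182", "dport": 80, "uri": "/gator.exe"},
    {"line": 5, "proto": "TCP", "src": "192.168.2.142", "dst": "5.192.33.34", "dport": 111},
    {"line": 6, "proto": "TCP", "src": "192.168.1.100", "dst": "66.75.160.13", "dport": 25},
    {"line": 7, "proto": "TCP", "src": "192.168.2.142", "dst": "66.136.57.21", "dport": 80, "uri": "/winnt/system32/cmd.exe"},
    {"line": 8, "proto": "TCP", "src": "192.168.0.68", "dst": "192.168.0.68", "dport": 445, "flags": "SYN"},
    {"line": 9, "proto": "TCP", "src": "192.168.0.68", "dst": "5.222.3.1", "dport": 6667},
    {"line": 10, "proto": "UDP", "src": "192.168.0.68", "dst": "5.234.7.2", "dport": 69, "filename": "test.exe"},
    {"line": 11, "proto": "TCP", "src": "192.168.1.5", "dst": "198.51.100.7", "dport": 443},  # benign HTTPS
]


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL_NET


def looks_like_broadcast(ip: str) -> bool:
    # Crude heuristic: last octet 255 (assumes /24 subnets, as in the capture).
    return ip.endswith(".255")


def triage_flow(flow: Dict) -> List[str]:
    """Return the reasons a single flow is suspicious (empty list = nothing noted)."""
    reasons = []
    src, dst, proto = flow["src"], flow["dst"], flow["proto"]
    dport = flow.get("dport")
    if src == dst:
        reasons.append("source equals destination: possible IP spoofing against internal shares")
    if is_internal(src) and not is_internal(dst):
        if dport == MICROSOFT_DS:
            reasons.append("microsoft-ds (SMB) to an outside host: file sharing leaving the network")
        if dport in TROJAN_PORTS:
            reasons.append(f"port {dport} is associated with {TROJAN_PORTS[dport]}")
        if dport == SUNRPC:
            reasons.append("sunrpc to an outside host: RPC should never cross the Internet boundary")
        if dport == SMTP and src not in MAIL_RELAYS:
            reasons.append("direct SMTP from a non-relay host: possible email worm")
        if dport == IRC:
            reasons.append("IRC to an outside host: possible bot phoning home")
        if proto == "UDP" and dport == TFTP:
            reasons.append(f"TFTP transfer of {flow.get('filename', 'unknown file')}: unauthenticated, cleartext")
        if proto == "ICMP" and looks_like_broadcast(dst):
            reasons.append("ICMP echo to a broadcast address outside the network")
    uri = flow.get("uri", "").lower()
    for needle, label in KNOWN_BAD_URIS.items():
        if needle in uri:
            reasons.append(f"requested URI contains {needle}: {label}")
    return reasons


def triage(flows: List[Dict]) -> Dict[int, List[str]]:
    """Map capture line number -> reasons, for flows that raised at least one."""
    findings = {}
    for flow in flows:
        reasons = triage_flow(flow)
        if reasons:
            findings[flow["line"]] = reasons
    return findings


def hosts_to_scan(flows: List[Dict]) -> List[str]:
    """Internal sources that appear in any flagged flow: the hosts to pull and scan."""
    return sorted({f["src"] for f in flows if is_internal(f["src"]) and triage_flow(f)})


if __name__ == "__main__":
    for line, reasons in triage(FLOWS).items():
        print(f"line {line}:")
        for r in reasons:
            print(f"  - {r}")
    print("hosts to scan:", ", ".join(hosts_to_scan(FLOWS)))
```

Run on the constructed records it flags exactly the ten lines discussed and leaves the HTTPS flow alone, and `hosts_to_scan` returns the same three addresses named in the overall analysis. In practice the records would come from a flow export or from tshark fields rather than a hand-written list, and the allowlists (internal range, mail relays) are what keep the rules from paging you about legitimate traffic.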

    Enjoy!!!!!!!!!!!!!!!!!!!

Saturday 10 August 2013

Best Internet Security Free Tools

1. HTTPS Everywhere

To secure your data and online communication, use the HTTPS Everywhere browser extension with either Chrome or Firefox; it protects against eavesdropping attacks during downloads and account creation.

2. LASTPASS

The LastPass team believes your online experience can be easier, faster and safer. Collectively we lose more than 10,300 hours per year retrieving lost passwords, making new ones or talking to call center representatives about them. And it gets much worse if a password is stolen and misused. We go online to connect with people, explore, shop and learn. We certainly don't go online to fuss with passwords or risk our privacy, personal or financial information. Designed by web enthusiasts and skilled application developers, LastPass was created to make the online experience easier and safer for everyone.

See this url https://lastpass.com/

3. LongUrl

Short links are useful for clearing web clutter, but they also come with the possibility of leading you to a risky, dangerous site. Use the web tool "LongURL" to revert your shortened links back to their original forms. On Twitter, for instance, you have probably seen short links that can be dangerous.

See this url http://longurl.org/

4. NoScript

NoScript also provides the most powerful anti-XSS and anti-clickjacking protection available in a browser.
NoScript's unique whitelist-based, pre-emptive script blocking approach prevents exploitation of security vulnerabilities (known and even not yet known!) with no loss of functionality.

See this url http://noscript.net/

5. Trusteer Rapport

It is an award-winning anti-malware and encryption tool that blocks third parties from stealing your information and also keeps you from entering your data into fraudulent sites posing as your bank.

6. Hotspot Shield 

It is a tool which protects your IP address from hackers by securing your browsing in public access spots like coffee shops, airports, hotels, etc.

Enjoy!!!!

Friday 9 August 2013

All About Tabnabbing and How it is Done


Tabnabbing is a computer exploit and phishing attack which persuades users to submit their login details and passwords to popular websites by impersonating those sites and convincing the user that the site is genuine. The attack's name was coined in early 2010 by Aza Raskin, a security researcher and design expert. The attack takes advantage of user trust and inattention to detail in regard to tabs, and the ability of modern web pages to rewrite tabs and their contents a long time after the page is loaded. Tabnabbing operates in reverse of most phishing attacks in that it doesn't ask users to click on an obfuscated link but instead loads a fake page in one of the open tabs in your browser. Source: Wikipedia.

The tabnabbing attack method is used when a victim has multiple tabs open; when the user clicks the link, the victim is presented with a "Please wait while the page loads" message.

In this attack, the attacker's main aim is to redirect the browser to a fake login page where the victim enters his/her credentials.

How it is done:

Step 1: Boot your BackTrack machine, open the terminal and
type: cd /pentest/exploits/set/ and hit Enter.

Step 2: type: ./set and hit Enter.

This will open the Social-Engineer Toolkit. The Social-Engineer Toolkit (SET) was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around social engineering. SET has been presented at large-scale conferences including Black Hat, DerbyCon, DEF CON, and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and is supported heavily within the security community.
The Social-Engineer Toolkit has over 2 million downloads and is aimed at leveraging advanced technological attacks in a social-engineering type environment. TrustedSec believes that social engineering is one of the hardest attacks to protect against and now one of the most prevalent. The toolkit has been featured in a number of books, including the number one best seller in security books for 9 months since its release, "Metasploit: The Penetration Tester's Guide", written by TrustedSec's founder as well as Devon Kearns, Jim O'Gorman, and Mati Aharoni.

You can also download the Social-Engineer Toolkit for Windows.

Step 3: Now type: 1 and hit Enter, which selects Social-Engineering Attacks.


Step 4: Now type: 2 and hit Enter, which selects Website Attack Vectors.


Step 5: type 4 and hit Enter, which selects the Tabnabbing Attack Method.

Step 6: type: 2 and hit Enter, which selects Site Cloner.
Enter your IP and hit Enter, then type the URL you want to clone. In this example I am cloning gmail.com; hit Enter, and hit Enter again.

You can see that the tabnabbing attack is now enabled.

So the last step is to open your browser, type the IP address you set into the URL bar and hit Enter.

This redirects to the fake page which has been cloned. Whenever the victim types a username and password into it, the page automatically redirects and the credentials are sent back to us.

Enjoy!!!!

Wednesday 7 August 2013

All About Email Harvesting and How we can Harvest Emails

Email harvesting is the process of obtaining a list of email addresses. Usually it is used for sending bulk email and for spamming. It is also an information-gathering technique for collecting details associated with an email ID, such as phone numbers, addresses, etc. It is an automated process in which a bot is used to search web pages for email addresses. The addresses are collected into a database that can be used by spammers to send unsolicited email.

Usually the attacker then tries to send fake emails with the help of the harvested addresses.

For example: the attacker harvests a corporate website for emails and gets a list like jon@gmail.com, ram@gmail.com, jenifer@gmail.com of people working in ABC company. Now the attacker can send fake emails using these addresses to people in ABC company to gather information for further purposes.

Note: This post is only for educational purposes; the author of this website will not be responsible for any misuse.

How can we harvest emails? So let's begin.

In this post I am using the email harvesting technique on IIT Bombay, http://www.iitb.ac.in/

Step 1> Boot your BackTrack machine, open a terminal, type msfconsole and hit Enter.

Step 2> Type: search collector and hit Enter.


Step 3> Now we select the email collector module. Type:

use auxiliary/gather/search_email_collector

Step 4> Now type: show options and hit Enter.
This shows your current settings.

Step 5> Now type: set domain iitb.ac.in

If you want the output in a text file,

type: set outfile ABC.txt. This stores all the email addresses in the file ABC.txt.

Step 6> The last step is to run the module.
Type: exploit and hit Enter.

So we get the emails; an attacker can now use these addresses for spamming and for further information gathering.