Security at Stake

Stuff At Packetstorm Security Portal

A bit of my previous stuff at Packetstorm Security:

http://packetstormsecurity.org/0610-advisories/msn-redirects.txt
http://packetstormsecurity.org/0604-advisories/HijackArt.txt
http://packetstormsecurity.org/UNIX/scanners/WebPcon_pl.txt


[Zknk]

Posted on 11/29/2006 10:24:00 AM by 0kn0ck | 0 Comments

Redirection And Phishing Vulnerability In AOL my.screenname.com

You can find the advisory at:

http://lists.grok.org.uk/pipermail/full-disclosure/2006-November/050979.html


[Zknk]

Posted on 11/29/2006 06:31:00 AM by 0kn0ck | 0 Comments

BruteForcing Network Ports : Is it Crucial


Bruteforcing the network ports of the local machine is a good
security practice, because it lets you know how the ports are
working and how they are configured for network operations.

How ?
The bruteforcing of network ports is based on the concept of
exchanging data with each port. It tells you exactly which ports
are currently engaged in servicing or bound, because if the
exchange of data fails, that clearly shows the port is bound.

It also provides information about which ports have SO_REUSEADDR
set. This is important to prevent multiple bindings that provide
services through a single port.

It also gives information about false positives on the various
ports of a system.

I think it is crucial to know the state of your system.

[Zknk]

Posted on 11/27/2006 05:36:00 AM by 0kn0ck | 0 Comments

Blacklists : Spamming Solution or Not

The spamming problem is growing more crafty day by day, and the
pace is very high. The spammers are really frustrating internet
users by swamping internet resources for this illegal activity.

Our Main Point : Are Blacklists a solution ?

Blacklists are considered one of the solutions to email spamming,
but this technique is not reliable beyond a certain extent. The
theory behind it is that blacklisting is defined on a static layout,
i.e. you have an archive of addresses that you configure in a
blacklist file and set to active mode. But this solution does not
seem very effective nowadays.

Why ?

This is because the whole trend of spamming has shifted to random
email address builders, i.e. spammers are now able to design
programs that build random email addresses but use hacked domains
to deliver the mails.

Only the recipient field matters, not the sender's.

Example: Delivering mail through PHP

<?php
$To = 'xxxxxx@yyyyyy.com';          // recipient: the only field that must be real
$Email_Subject = 'Your Help Required!';
$Email_Message = 'Account Balance...';
// the From header is free text chosen by whoever sends the mail
$Email_Headers = 'From: aaa.@bbb.com' . "\r\n" .
'X-Mailer: PHP/' . phpversion();

mail($To, $Email_Subject, $Email_Message, $Email_Headers);
?>


This is the typical way of sending mail. The email headers can be
manipulated to whatever the spammer wants. Moreover, with random
generation of email addresses the flooding can be done.

Blacklists are basically defined for specific domains; nowadays
better solutions are needed.

[Zknk]


Posted on 11/24/2006 10:08:00 PM by 0kn0ck | 0 Comments

Spamdexing Search Engine Anomalies

This started way back. Search engines are getting prone to a very
strange anomaly called the spamdexing bug.

Based on my penetration sessions, I previously gave a full
description of the Google metacharacter spamdexing bug, which
proliferates in the Google search engine and in itself shows a
coding or filter problem in Google's search engine.

You can check at :
http://www.metaeye.org/?p=23#more-23
http://zeroknock.metaeye.org/articles/GoogleSD.pdf

It was reported to Google and the bug was almost fixed.

This bug is proliferating in most other search engines, like eBay,
Orkut etc. The very definitive information you can find at:

http://zeroknock.metaeye.org/articles/EbaySearchEng.pdf
http://zeroknock.metaeye.org/articles/OrkutSearchBug.pdf

So the point of discussion is why these types of bugs or anomalies
persist. Are they telling us to get more specific about the context
in which search engines are used?

Of course development goes on. I think anomalies play a crucial
role in making significant development.

[Zknk]

Posted on 11/24/2006 09:41:00 AM by 0kn0ck | 0 Comments

Bug Tracking : Pseudo Registers Panorama

Pseudo, as the name suggests, means something that is not exactly
what it seems. A pseudoregister is not taken to be a hardware
register, but it works like one, i.e. it holds the functionality of
a hardware register. This register helps you traverse the debugger
for specific values.

To Play ?
A] First fire up your debugger with any application you want.
B] Set a breakpoint in the code snippet.
C] Then play with the watch window and put in the pseudoregister
entry.
D] Analyse the application.

Example:
@Err is a defined pseudoregister. It is placed in the watch window.
Its very first value is 0, which is actually the code returned by the
GetLastError() function. So when you traverse your code and any
fault occurs, the value changes accordingly.

The very definitive pseudoregisters are:
@ERR = Last error value

@TIB = Thread information block for the current thread; necessary
because the debugger doesn't handle the "FS:0" format

@CLK = Undocumented clock register; usable only in the Watch window

@EAX, @EBX, @ECX, @EDX, @ESI, @EDI, @EIP, @ESP, @EBP, @EFL
Intel CPU registers

@CS, @DS, @ES, @SS, @FS, @GS
Intel CPU segment registers

@ST0, @ST1, @ST2, @ST3, @ST4, @ST5, @ST6, @ST7
Intel CPU floating-point registers

So all these registers play a crucial role.


[Zknk]

Posted on 11/24/2006 02:33:00 AM by 0kn0ck | 0 Comments

PnP -Admdog : Streaming Source Of Virus Activation

Plug and Play devices are becoming the streaming sources of virus
activation in the network. I noticed this during my reactive traffic
analysis sessions. Networks having a specific IP that runs the PnP
services are the major source of infection.

The question arises: why is this so?

The answer lies in the fact that, as we know, PnP runs mainly on
port 5000 but also triggers the ports in that range. Nowadays the
viruses are very intelligent. The cause occurs whenever a user
downloads something from the internet and tries to copy it by
placing it on a USB device; if any file is infected it triggers a
kind of fusion between the two services.

Let's see how:

We know the Yahoo service admdog runs on port 5101 and is used for
buddy chatting. Virus writers are very crafty: they try to start
this service on a Windows machine if infection occurs, as a result
of which the machine gets into a listening state. This actually
opens a door to the internet world for further exploitation of the
network etc.

The process starts from the virus that gets onto the USB drive and
then hits the admdog service of Yahoo. This actually enhances the
virus mode in various ways. Afterwards all of the trojan ports seem
activated, which starts interrupting the network. This problem is
arising very fast because the fusion of services for virus
activation is getting activated.

You never know when and how it hits you.

[Zknk]

Posted on 11/23/2006 10:26:00 PM by 0kn0ck | 0 Comments

URL Stripping

This is a specific technique used to extract information from web
servers. It is based on my web penetration sessions, as most web
servers do not restrict directory access and thereby throw out
ample amounts of information. This technique is also useful in web
penetration.

Lets track with Google:
inurl: index of /etc/passwd site:com
intitle:index of /etc/shadow site:org

This will try to extract the index if directory traversal is possible
on the web server. This search is very crucial in its context because
it unveils a lot of information. When you encounter a specific URL,
try hit and trial in stripping the parameters of the URL to generate
rogue input, or go directly for traversing the web server. This
results in:

A] The permission check on the directories.
B] Helpful in banner grabbing of servers.
C] Information about the internal working of servers.

Example:
http://gray-world.net/etc/passwd/

Try to strip to look in the directory:

http://gray-world.net/etc/

Example:
http://rpmfind.net/linux/RPM/sourceforge/m/mo/mod-auth-shadow/ByName.html

Backward Stripping:
http://rpmfind.net/linux/RPM/sourceforge/m/mo/mod-auth-shadow/
http://rpmfind.net/linux/RPM/sourceforge/m/mo/
http://rpmfind.net/linux/RPM/sourceforge/m

Forward Stripping:
http://rpmfind.net/linux/RPM/sourceforge/m/mo/mod-auth-shadow/../../../

This will let you jump three directories back.

So the stripping of URLs is one of the reactive web penetration
techniques with minimum intervention.
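Added example, not code from the original post: a check a web server operator can run over access-log lines to spot the forward stripping ("../" segments, also when encoded as %2e%2e) and backward stripping (a directory path answered with a 200 listing) described above. The log lines and the 203.0.113.7 address are constructed; the request paths are taken from the post's rpmfind example.

```python
import re
from urllib.parse import unquote, urlsplit

# Request line and status of an Apache/nginx combined access log entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')


def resolve(path: str) -> tuple:
    """Apply '.' and '..' segments the way a server does; returns (resolved
    path, number of '..' applied, whether one tried to climb above the root)."""
    stack, climbed, escaped = [], 0, False
    for seg in unquote(path).split("/"):   # decode %2e%2e style encodings too
        if seg == "..":
            climbed += 1
            escaped = escaped or not stack
            if stack:
                stack.pop()
        elif seg not in ("", "."):
            stack.append(seg)
    return "/" + "/".join(stack), climbed, escaped


def classify(line: str):
    """Parse one log line and flag traversal, climbing above the document
    root, and a directory path served with 200 (a listing); None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw, status = urlsplit(m.group("target")).path, int(m.group("status"))
    path, climbed, escaped = resolve(raw)
    flags = []
    if climbed:
        flags.append("traversal")
    if escaped:
        flags.append("escapes_root")
    if raw.endswith("/") and status == 200 and path != "/":
        flags.append("directory_index_served")
    return {"ip": m.group("ip"), "path": path, "status": status, "flags": flags}


# Constructed sample lines (documentation IP, paths from the post's rpmfind example).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Nov/2006:04:59:01 +0000] "GET /linux/RPM/sourceforge/m/mo/mod-auth-shadow/ByName.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [23/Nov/2006:04:59:05 +0000] "GET /linux/RPM/sourceforge/m/mo/ HTTP/1.1" 200 8817',
    '203.0.113.7 - - [23/Nov/2006:04:59:09 +0000] "GET /linux/RPM/sourceforge/m/mo/mod-auth-shadow/../../../ HTTP/1.1" 200 3009',
    '203.0.113.7 - - [23/Nov/2006:04:59:12 +0000] "GET /images/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 214',
]


def scan(lines) -> list:
    """Return only the parsed entries that carry at least one flag."""
    hits = [classify(l) for l in lines]
    return [h for h in hits if h and h["flags"]]
```

A directory_index_served hit on a production server is the cue to turn off directory listings (for Apache, Options -Indexes) rather than just to block the client.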


[Zknk]

Posted on 11/23/2006 04:59:00 AM by 0kn0ck | 0 Comments