Unicorn – PowerShell Downgrade Attack

Unicorn – PowerShell Downgrade Attack
Magic Unicorn is a simple tool for using a PowerShell downgrade attack to inject shellcode straight into memory. Based on Matthew Graeber’s PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18. Usage is simple, just run Magic Unicorn (ensure Metasploit is installed and in the…

Read the full post at darknet.org.uk

New feed

Web Application Log Forensics After a Hack

Web Application Log Forensics After a Hack
Sites get hacked, it’s not pleasant but it happens. A critical part of it, especially in my experience, has been the web application log forensics applied directly after an attack. You can usually piece together what happened, especially if the attacker doesn’t rotate IP addresses during the attack. With a little poking around and after…

Read the full post at darknet.org.uk

New feed

movfuscator – Compile Into ONLY mov Instructions

movfuscator – Compile Into ONLY mov Instructions
The M/o/Vfuscator (short ‘o’, sounds like “mobfuscator”) helps programs compile into only mov instructions, and nothing else – no cheating. Arithmetic, comparisons, jumps, function calls, and everything else a program needs are all performed through mov operations; there is no self-modifying code, no transport-triggered calculation, and no other…

Read the full post at darknet.org.uk

New feed

What is a Server Side Include Injection Attack or SSI Injection Attack ?

Many a times attackers exploit security vulnerabilities in web applications and inject their malicious codes into the server to steal sensitive data, spread malware or do other malicious activities. Server Side Includes Injection Attack or SSI Injection Attack is one such attack.
In SSI Injection Attack, the attacker takes advantage of security vulnerabilities of web applications to inject their malicious code using Server Side Includes directives and perpetrate the attacks.
What is Server Side Includes or SSI ?
Nowadays, most of the web servers handle dynamic pages. It takes input from the user in the form of text box, radio buttons, pictures etc and the information is passed to a program in the web server, which then processes the information and generates output. The output is sent back to our browser and our browser finally displays the HTML page.
But, at times dynamically generating the whole page becomes inefficient and it is not needed too. Instead, a part of the page content can be dynamically generated and it can be added to an existing HTML page. Server Side Includes are directives that are used for that purpose. Using these directives, dynamic contents can be embedded to an existing HTML page and then displayed.
For example, a webpage may display local date and time to a visitor. Dynamically generating the page every time using some program or dynamic technology may prove to be inefficient. Instead, one can put the following SSI directive to an existing HTML page :
<!–#echo var=”DATE_LOCAL” –>
As a result, whenever the page will be served to the client, this particular fragment will be evaluated and replaced with the current local date and time :
Sunday, 25-Jan-2016 12:00:00 EST
The decision of whether to use SSI directives to dynamically generate a particular fragment of the page or to dynamically generate the whole page using some dynamic technology, often depends on how much of the page is to be dynamically generated. If a major part of the page content is to be dynamically generated, then SSI may not be a good solution.
Server Side Includes Injection Attack or SSI Injection Attack
In SSI Injection Attack, the attacker first finds out whether a web application is vulnerable to Server Side Includes Injection or SSI Injection. Normally, a web application is vulnerable to SSI Injection through manipulation of existing SSI directives in use or through lacking in proper validation of user inputs.
If a web application has pages with extension .stm, .shtm, .shtml, then that would indicate to the attackers that the web application is using SSI directives to dynamically generate page contents. At this point, if the web server permits SSI execution without proper validation, then the attacker can trick the webserver to execute SSI directives to manipulate filesystem of the web server and thus, to add, modify and delete files or to display content of sensitive files like /etc/passwd.
On the other hand, the attacker can type the following characters in the user input field to find out whether the web application properly validates the user inputs :
< ! # = / . " - > and [a-zA-Z0-9]
As these are the characters often used by SSI directives, the web application will become vulnerable to SSI Injection if it cannot properly validate the user inputs and allow these characters to be present in the input when they are not expected. The attacker can take advantage of that and access sensitive information or execute shell commands for nefarious purposes.
As the SSI directives are executed before supplying the page content to the client, the data intended for the attack will be displayed the next time the webpage is loaded.
Suppose, a web application is vulnerable to SSI Injection. At this point, the attacker can trick the web server to execute the following SSI directive and display current document filename :
<!–#echo var=”DOCUMENT_NAME” –>
The attacker can create a file attack.shtml with the following content :

<!–#include file=”AAAA….AAAA” –>

with number of A’s more than 2049.
At this point, suppose the web application loads a legitimate URL like :
Now, the attacker can include his own file attack.shtml in the web application like :

If the web server returns a blank page, that would indicate an overflow has occurred. So, the attacker can now get enough information to trick the web application to execute malicious code.

How To Stay Safe
- User inputs should be properly validated so that it does not contain characters like <, !, #, =, /, ., ", -, > and [a-zA-Z0-9] if they are not needed.
- Make sure the web server only executes SSI directives needed for a particular web page.
- HTML entity encode user inputs before passing it to a page that executes SSI directives.
- Make sure a page is executed with the permission of the file owner, instead of that of the web server user.

Being informed about various web application security vulnerabilities is the very first step towards safeguarding a web application. Hope this article served its purpose.

XPath Injection Attack

What is XPath
Many web applications use XML or EXtensible Markup Language to store and transport data in both human readable and machine readable format. It is often used to separate data from presentation.
To give an example, a web server may store data in separate XML files and write a small JavaScript code to read the XML files and update the contents of HTML pages.
XSLT or EXtensible Stylesheet Language Transformations is a recommended stylesheet language for XML, which is used to transform an XML document into HTML.
XPath is a major element in XSLT. It is used in XSLT to navigate through an XML document to find out required information.
To give an example, let’s consider this XML document :
<?xml version=”1.0″ encoding=”UTF-8″?>


<book category=”HACKING”>
<title lang=”en”>Learn Hacking</title>
<author>Tony Stark</author>

In a modern browser, you can load the XML document using :
var xmlhttprequest=new XMLHttpRequest()
And, the following XPath query will select the title of the book from the XML document :
xmlDoc.evaluate(xpath, xmlDoc, null, XPathResult.ANY_TYPE, null);
What is XPath Injection Attack
Let’s understand this with an example.

Suppose, we have an authentication system on a webpage which takes inputs of username and password from the user and uses XPath to look up the following XML document to find out the proper user.
<?xml version=”1.0″ encoding=”utf-8″?>
<User ID=”1”>
<User ID=”2”>
Let’s consider it uses the following XPath to look for the user :
FindUserXPath = “//User[UserName/text()='” & Request(“Username”) & “‘ and Password/text()='” & Request(“Password”) & “‘]”
So, an attacker can send a malicious username and password in the web application to select XML nodes without knowing any actual username and password.
Username: blah’ or 1=1 or ‘a’=’a
Password: blah
So, logically FindUserXPath becomes equivalent to :
//User[(UserName/text()=’blah’ or 1=1) or
(‘a’=’a’ and Password/text()=’blah’)]
As the first part of the XPath is always true, the password part becomes irrelevant and the UserName part matches the admin. And thus, it can now reveal sensitive information from the server to the attacker, which the attacker can exploit for malicious purposes. And, the web application becomes vulnerable to XPath Injection Attack.
  • Use a parameterized XPath interface whenever possible.
  • Construct the XPath query dynamically and escape the user inputs properly.
  • In a dynamically constructed XPath query, if you are using quotes to terminate untrusted input, then make sure to escape that quote in the untrusted input, so that the untrusted input cannot try to break out of the quoted part. For example, if single quote (‘) is used to terminate the input username, then replace any single quote (‘) character in the XPath query with XML encoded version of that character, for example “&apos;”
  • Using precompiled XPath query is always good. With this, the user inputs get escaped properly without missing any character that should have been escaped.

Intro to Evil Twin in Wireless Networks

What is Evil Twin
Evil Twin is basically a rogue Wi-Fi access point. It may look very similar to a legitimate one. But, it actually is a Wi-Fi access point controlled by attackers. Most of the time, it contains an SSID or Service Set Identifier of the access point very much similar to the legitimate one. Sometimes, it even provides signal stronger than the legitimate ones so that it can attract attention easily. But, it is actually controlled by the attackers. So, any data traveled through that Evil Twin Wi-Fi access point can be intercepted by attackers.
Purpose of Evil Twin
Attackers make Evil Twin mainly for stealing sensitive data or for other Phishing attacks. If a victim connects to an Evil Twin, any non-HTTPS data can be easily intercepted, as it travels through the attackers’ equipment. So, if the user logs in to unprotected bank or email account, the attacker will have access to the entire transaction.
The victim may even be tricked with a login prompt of attacker’s server, tempting him to provide sensitive information like usernames and password and resulting in a Phishing attack.
How is Evil Twin created
An Evil Twin can easily be created by an attacker with a smartphone or computer and with some easily available software. The attacker first places himself near a legitimate Wi-Fi hotspot and finds out the SSID or Service Set Identifier and signal strength of the access point. Now, he sends his radio signal using the same or very similar SSID. The attacker may even position himself near the potential victims so that his signal can lure the victims. Some attackers even use some software to deauthenticate the victims from legitimate Wi-Fi access point, so that when they connect back they would connect to the Evil Twin, as it provides stronger signal.
  • It is always a good idea to use VPN. It creates an encrypted tunnel before transmitting data. As a result, it is hard for the attacker to intercept that data.
  • Some software like EvilAP_Defender can be used by network administrator to detect Evil Twin. They try to find out :
          • Wi-Fi access points with similar SSID, but different BSSID or MAC address of wireless access point.
          • same BSSID as the legitimate one, but with different attributes like channel, cipher, privacy protocol, authentication etc.
          • Even with same BSSID and attributes as the legitimate access point, but with different tagged parameter like OUI or Organizationally Unique Identifier which is assigned by the IEEE registration authority.
  • Before connecting to a Wi-Fi do not just rely on the name of the wireless access point, instead verify whether it is a legitimate one.
  • It is always better to restrict browsing only to websites that do not require any sensitive data like login credentials while using a public Wi-Fi.
  • Avoid providing any sensitive information even any website or login screen asks for that while using public Wi-Fi.
So, beware of all the security vulnerabilities and recent threats and stay safe, stay secured.

CapTipper – Explore Malicious HTTP Traffic

CapTipper – Explore Malicious HTTP Traffic
CapTipper is a Python tool to explore malicious HTTP traffic, it can also help analyse and revive captured sessions from PCAP files. It sets up a web server that acts exactly as the server in the PCAP file and contains internal tools with a powerful interactive console for analysis and inspection of the hosts, objects […]

The post CapTipper…

Read the full post at darknet.org.uk

New feed

Computer Worms Vs Computer Viruses Vs Trojans

Computer Worms, Computer Viruses and Trojans have one similarity. They all are malware.
What is a malware ?
Malware is an abbreviated form of Malicious Software. It indicates any software which is used for malicious purposes like stealing private data, corrupting files, crashing hard disks, extorting money etc. They infect a computer stealthily, without the user’s knowledge. And then spread themselves.
But, there are subtle differences among all these terms, though their intention is similar. So, what all are the differences among them ?

Let’s start by Computer Worms.

Computer Worms

Computer Worms are malware which infect a computer without the user’s knowledge, like other malware do. And then it spreads through self-replication.
But unlike Computer Virus, they do not need to attach themselves to an existing program. It often uses computer networks and spread itself taking the advantage of security vulnerability of an existing software.
They almost always cause some harm to the network, by taking lots of bandwidth if not anything else. And after infecting a computer, they can delete files, use the computer as a botnet and use its computer resources for illegal activities, send spams or even blackmail companies by threatening about DoS or Denial of Service Attacks.
Computer Virus
Computer Viruses also infect a computer and then spread themselves to infect more computers. They normally attach themselves with other computer programs, so that, when a user executes the program in his computer, they infect the computer. Just to give a common example, Microsoft Word Document support macro so that it can execute while opening the document. A virus can attach itself to a Word Document as a macro, so that, whenever a user will open the document, the code of the virus will be executed and the computer will be infected.
Computer Viruses can attach themselves to data files also. For example, a virus can attach its code to a jpg file and change the name of the file to jpg.exe, so that, whenever a user will open the file, unknowingly his computer will get infected.
A virus can affect the Master Boot Record or MBR of a computer also. And when that happens, it can survive through reinstallation of Operating Systems.
Computer Viruses can perform many harmful activities like corrupting hard disks, deleting files, degrading performance of computer, display unrelated messages on computer screen, stealing private data by logging keystrokes, spamming contacts etc.
The word Trojan is derived from the ancient Greek wooden horse that the Greeks used to invade Troy stealthily. Trojan programs generally tricks a user by some form of social engineering and get loaded and executed into the system. They often misrepresent themselves to appear useful, routine or interesting to the user and persuades the user to install it.
Trojans can infect a computer by clicking on a suspicious link, opening email attachment or even by installing software from untrusted sources. Sometimes, they even misrepresent themselves in unsafe websites as Anti-Virus software and when a user installs them, they infect the computer.
But unlike, Computer Worms and Computer Viruses, they do not self-replicate themselves.
Spyware and Ransomware are types of Trojans. Spyware infect a computer to steal sensitive private data or spy on the activities of the user. And Ransomware also do the same, but for blackmailing the user to extort money.
Trojans, when they infect a computer with elevated privileges, can do much harm. They too can corrupt hard disks, corrupt data, crash a computer, format disks, infect MBR or Master Boot Record of a computer and they can even steal sensitive private data or encrypt user files to extort money.

Prevention Techniques

Computer Worms, Computer Viruses and Trojans have similar prevention techniques.
  • Do not click on suspicious links.
  • Do not open suspicious email attachments.
  • Install software from trusted sources only.
  • Update recent patches of software immediately.
  • Keep your computer updated with a trusted security program.
  • Do nor pay money if someone is trying to extort money by infecting your computer.

What is a Replay Attack?

A Replay Attack is an attack in which the attacker repeats or delays a valid transmission and fraudulently re-transmits it. Using this approach, an attacker can fraudulently authenticate himself to a system though he is not authorized to do so.

How is Replay Attack perpetrated

Let’s suppose, Alice and Bob are communicating with each other over the network. Bob wants to authenticate himself to Alice. So, Bob will provide his password which will then be transmitted over the network in encrypted fashion, may be as a password hash.
Suppose Charles is an attacker. He listens to the conversation between Alice and Bob and reads Bob’s password while it was transmitted to Alice. So, after the session is over between Alice and Bob, Charles opens a connection to Alice. When the system asks for authentication, Charles provides Bob’s password which he had read and fraudulently copied.
So, Alice’s system will not understand the deception and authenticate Charles. Charles at this point will gain access to Alice’s system and use that connection for malicious purposes like stealing sensitive data or performing even more attacks.
We can take a couple of steps to prevent this type of attacks :
  • At the time of authentication, Alice can first send a session token like a random number to Bob. Bob can now append the hashed token value with his password and send the resultant encrypted hash to Alice. Alice will now decrypt the token and if there is a match, she will authenticate Bob. If we take this approach, then even if Charles later repeats the encrypted hash to Alice, the token value will not match and authentication will not be possible. This session token value should be a random number rather than a some other calculated number. Because that will reduce the possibility of guessing the session token by Charles.
  • One Time Password is also another approach to prevent this attack. This One Time Passwords expire after a short period of time. So, if Charles repeats the communication after that interval, he cannot authenticate himself.
  • Sending Time Stamp is another way to prevent this attack. Alice can periodically transmit her time. And when Bob will want to communicate with Alice, he needs to append the time in his clock at the time of authentication. In this approach, Alice does not need to generate random numbers.