Category Archives: (J) Security Focus

movfuscator – Compile Into ONLY mov Instructions

movfuscator – Compile Into ONLY mov Instructions
The M/o/Vfuscator (short ‘o’, sounds like “mobfuscator”) helps programs compile into only mov instructions, and nothing else – no cheating. Arithmetic, comparisons, jumps, function calls, and everything else a program needs are all performed through mov operations; there is no self-modifying code, no transport-triggered calculation, and no other…

Read the full post at darknet.org.uk


New feed

XPath Injection Attack

What is XPath
Many web applications use XML or EXtensible Markup Language to store and transport data in both human readable and machine readable format. It is often used to separate data from presentation.
To give an example, a web server may store data in separate XML files and write a small JavaScript code to read the XML files and update the contents of HTML pages.
XSLT or EXtensible Stylesheet Language Transformations is a recommended stylesheet language for XML, which is used to transform an XML document into HTML.
XPath is a major element in XSLT. It is used in XSLT to navigate through an XML document to find out required information.
To give an example, let’s consider this XML document :
<?xml version=”1.0″ encoding=”UTF-8″?>

<bookstore>

<book category=”HACKING”>
<title lang=”en”>Learn Hacking</title>
<author>Tony Stark</author>
<year>1995</year>
<price>50.00</price>
</book>

</bookstore>
In a modern browser, you can load the XML document using :
var xmlhttprequest=new XMLHttpRequest()
And, the following XPath query will select the title of the book from the XML document :
xpath=”/bookstore/book/title”;
xmlDoc.evaluate(xpath, xmlDoc, null, XPathResult.ANY_TYPE, null);
What is XPath Injection Attack
Let’s understand this with an example.

Suppose, we have an authentication system on a webpage which takes inputs of username and password from the user and uses XPath to look up the following XML document to find out the proper user.
<?xml version=”1.0″ encoding=”utf-8″?>
<Users>
<User ID=”1”>
<FirstName>Tony</FirstName>
<LastName>Stark</LastName>
<UserName>AnthonyStark</UserName>
<Password>SecretForJarvis</Password>
<Type>Admin</Type>
</User>
<User ID=”2”>
<FirstName>Arnold</FirstName>
<LastName>Cook</LastName>
<UserName>ACook</UserName>
<Password>SecretForArnold</Password>
<Type>User</Type>
</User>
</Users>
Let’s consider it uses the following XPath to look for the user :
FindUserXPath = “//User[UserName/text()='” & Request(“Username”) & “‘ and Password/text()='” & Request(“Password”) & “‘]”
So, an attacker can send a malicious username and password in the web application to select XML nodes without knowing any actual username and password.
Username: blah’ or 1=1 or ‘a’=’a
Password: blah
So, logically FindUserXPath becomes equivalent to :
//User[(UserName/text()=’blah’ or 1=1) or
(‘a’=’a’ and Password/text()=’blah’)]
As the first part of the XPath is always true, the password part becomes irrelevant and the UserName part matches the admin. And thus, it can now reveal sensitive information from the server to the attacker, which the attacker can exploit for malicious purposes. And, the web application becomes vulnerable to XPath Injection Attack.
Usage
  • Use a parameterized XPath interface whenever possible.
  • Construct the XPath query dynamically and escape the user inputs properly.
  • In a dynamically constructed XPath query, if you are using quotes to terminate untrusted input, then make sure to escape that quote in the untrusted input, so that the untrusted input cannot try to break out of the quoted part. For example, if single quote (‘) is used to terminate the input username, then replace any single quote (‘) character in the XPath query with XML encoded version of that character, for example “&apos;”
  • Using precompiled XPath query is always good. With this, the user inputs get escaped properly without missing any character that should have been escaped.

Intro to Evil Twin in Wireless Networks

What is Evil Twin
Evil Twin is basically a rogue Wi-Fi access point. It may look very similar to a legitimate one. But, it actually is a Wi-Fi access point controlled by attackers. Most of the time, it contains an SSID or Service Set Identifier of the access point very much similar to the legitimate one. Sometimes, it even provides signal stronger than the legitimate ones so that it can attract attention easily. But, it is actually controlled by the attackers. So, any data traveled through that Evil Twin Wi-Fi access point can be intercepted by attackers.
Purpose of Evil Twin
Attackers make Evil Twin mainly for stealing sensitive data or for other Phishing attacks. If a victim connects to an Evil Twin, any non-HTTPS data can be easily intercepted, as it travels through the attackers’ equipment. So, if the user logs in to unprotected bank or email account, the attacker will have access to the entire transaction.
The victim may even be tricked with a login prompt of attacker’s server, tempting him to provide sensitive information like usernames and password and resulting in a Phishing attack.
 
How is Evil Twin created
An Evil Twin can easily be created by an attacker with a smartphone or computer and with some easily available software. The attacker first places himself near a legitimate Wi-Fi hotspot and finds out the SSID or Service Set Identifier and signal strength of the access point. Now, he sends his radio signal using the same or very similar SSID. The attacker may even position himself near the potential victims so that his signal can lure the victims. Some attackers even use some software to deauthenticate the victims from legitimate Wi-Fi access point, so that when they connect back they would connect to the Evil Twin, as it provides stronger signal.
Mitigation
  • It is always a good idea to use VPN. It creates an encrypted tunnel before transmitting data. As a result, it is hard for the attacker to intercept that data.
  • Some software like EvilAP_Defender can be used by network administrator to detect Evil Twin. They try to find out :
          • Wi-Fi access points with similar SSID, but different BSSID or MAC address of wireless access point.
          • same BSSID as the legitimate one, but with different attributes like channel, cipher, privacy protocol, authentication etc.
          • Even with same BSSID and attributes as the legitimate access point, but with different tagged parameter like OUI or Organizationally Unique Identifier which is assigned by the IEEE registration authority.
  • Before connecting to a Wi-Fi do not just rely on the name of the wireless access point, instead verify whether it is a legitimate one.
  • It is always better to restrict browsing only to websites that do not require any sensitive data like login credentials while using a public Wi-Fi.
  • Avoid providing any sensitive information even any website or login screen asks for that while using public Wi-Fi.
So, beware of all the security vulnerabilities and recent threats and stay safe, stay secured.

CapTipper – Explore Malicious HTTP Traffic

CapTipper – Explore Malicious HTTP Traffic
CapTipper is a Python tool to explore malicious HTTP traffic, it can also help analyse and revive captured sessions from PCAP files. It sets up a web server that acts exactly as the server in the PCAP file and contains internal tools with a powerful interactive console for analysis and inspection of the hosts, objects […]

The post CapTipper…

Read the full post at darknet.org.uk


New feed

Computer Worms Vs Computer Viruses Vs Trojans

Computer Worms, Computer Viruses and Trojans have one similarity. They all are malware.
What is a malware ?
Malware is an abbreviated form of Malicious Software. It indicates any software which is used for malicious purposes like stealing private data, corrupting files, crashing hard disks, extorting money etc. They infect a computer stealthily, without the user’s knowledge. And then spread themselves.
But, there are subtle differences among all these terms, though their intention is similar. So, what all are the differences among them ?

Let’s start by Computer Worms.



Computer Worms

Computer Worms are malware which infect a computer without the user’s knowledge, like other malware do. And then it spreads through self-replication.
But unlike Computer Virus, they do not need to attach themselves to an existing program. It often uses computer networks and spread itself taking the advantage of security vulnerability of an existing software.
They almost always cause some harm to the network, by taking lots of bandwidth if not anything else. And after infecting a computer, they can delete files, use the computer as a botnet and use its computer resources for illegal activities, send spams or even blackmail companies by threatening about DoS or Denial of Service Attacks.
Computer Virus
Computer Viruses also infect a computer and then spread themselves to infect more computers. They normally attach themselves with other computer programs, so that, when a user executes the program in his computer, they infect the computer. Just to give a common example, Microsoft Word Document support macro so that it can execute while opening the document. A virus can attach itself to a Word Document as a macro, so that, whenever a user will open the document, the code of the virus will be executed and the computer will be infected.
Computer Viruses can attach themselves to data files also. For example, a virus can attach its code to a jpg file and change the name of the file to jpg.exe, so that, whenever a user will open the file, unknowingly his computer will get infected.
A virus can affect the Master Boot Record or MBR of a computer also. And when that happens, it can survive through reinstallation of Operating Systems.
Computer Viruses can perform many harmful activities like corrupting hard disks, deleting files, degrading performance of computer, display unrelated messages on computer screen, stealing private data by logging keystrokes, spamming contacts etc.
 
Trojan
The word Trojan is derived from the ancient Greek wooden horse that the Greeks used to invade Troy stealthily. Trojan programs generally tricks a user by some form of social engineering and get loaded and executed into the system. They often misrepresent themselves to appear useful, routine or interesting to the user and persuades the user to install it.
Trojans can infect a computer by clicking on a suspicious link, opening email attachment or even by installing software from untrusted sources. Sometimes, they even misrepresent themselves in unsafe websites as Anti-Virus software and when a user installs them, they infect the computer.
But unlike, Computer Worms and Computer Viruses, they do not self-replicate themselves.
Spyware and Ransomware are types of Trojans. Spyware infect a computer to steal sensitive private data or spy on the activities of the user. And Ransomware also do the same, but for blackmailing the user to extort money.
Trojans, when they infect a computer with elevated privileges, can do much harm. They too can corrupt hard disks, corrupt data, crash a computer, format disks, infect MBR or Master Boot Record of a computer and they can even steal sensitive private data or encrypt user files to extort money.

Prevention Techniques

Computer Worms, Computer Viruses and Trojans have similar prevention techniques.
  • Do not click on suspicious links.
  • Do not open suspicious email attachments.
  • Install software from trusted sources only.
  • Update recent patches of software immediately.
  • Keep your computer updated with a trusted security program.
  • Do nor pay money if someone is trying to extort money by infecting your computer.

What is a Replay Attack?

A Replay Attack is an attack in which the attacker repeats or delays a valid transmission and fraudulently re-transmits it. Using this approach, an attacker can fraudulently authenticate himself to a system though he is not authorized to do so.

How is Replay Attack perpetrated

Let’s suppose, Alice and Bob are communicating with each other over the network. Bob wants to authenticate himself to Alice. So, Bob will provide his password which will then be transmitted over the network in encrypted fashion, may be as a password hash.
Suppose Charles is an attacker. He listens to the conversation between Alice and Bob and reads Bob’s password while it was transmitted to Alice. So, after the session is over between Alice and Bob, Charles opens a connection to Alice. When the system asks for authentication, Charles provides Bob’s password which he had read and fraudulently copied.
So, Alice’s system will not understand the deception and authenticate Charles. Charles at this point will gain access to Alice’s system and use that connection for malicious purposes like stealing sensitive data or performing even more attacks.
Prevention 
We can take a couple of steps to prevent this type of attacks :
  • At the time of authentication, Alice can first send a session token like a random number to Bob. Bob can now append the hashed token value with his password and send the resultant encrypted hash to Alice. Alice will now decrypt the token and if there is a match, she will authenticate Bob. If we take this approach, then even if Charles later repeats the encrypted hash to Alice, the token value will not match and authentication will not be possible. This session token value should be a random number rather than a some other calculated number. Because that will reduce the possibility of guessing the session token by Charles.
  • One Time Password is also another approach to prevent this attack. This One Time Passwords expire after a short period of time. So, if Charles repeats the communication after that interval, he cannot authenticate himself.
  • Sending Time Stamp is another way to prevent this attack. Alice can periodically transmit her time. And when Bob will want to communicate with Alice, he needs to append the time in his clock at the time of authentication. In this approach, Alice does not need to generate random numbers.

How To Find Out Who Is Stealing Your Wi-Fi?

How To Find Out Who Is Stealing Your Wi-Fi?

Before moving ahead, make sure that you have connected with your Wi-Fi network. Now download and install the network monitoring “Fing Android App” on your Android smartphone. Now launch the app and you’ll see the name of your network on the home screen, just tap on the refresh button and you will see a list of connected devices with your Wi-Fi router.

Download Fing App From here:    FING APP

Now tap on any connected device on your network to bring up a list of options for interacting with that device. These include sending pings or wake on LAN signals, and you can even log when those devices connect or disconnect from your network. Also WiFiKILL another alternative Android  app that allows you to block any connected devices to Wi-Fi router.

 

How To Find Out Who Is Stealing Your Wi-Fi (WiFi) And Block Them 2

Image Source: AndroidPIT

How to Block Connected Devices on Your Wi-Fi?

If any device connected to your Wi-Fi network is unfamiliar or suspicious, you can banish it forever. Well, Fing show the MAC address of connected devices to your Wi-Fi network (the mAc address format: ‘xx:xx:xx:xx:xx:xx’).

Step 1: First of all, you need to connect your PC to Wi-Fi router, enter the “IP” into a browser and enter login details (enter username and password).

Step 2: Once you successfully login your Wi-Fi router, finds the security options (Its locations vary between routers and may be located under “Advanced Settings”).

Step 3: Click on MAC Filtering and then Add Device under Security option.

Step 4: Enter the MAC address of the device you want to ban in the MAC field, enter some specific name in such an option and click Apply, Save or OK option.

Step 5: While you logged into your router, you can change the Router password and remove the all connected devices to your router.

Blind Sql Injection with Regular Expressions Attack PART 1

Why blind sql injection?

Blind SQL Injection is used when a web application is vulnerable to an SQL injection, but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered.

 

 

How blind sql injection can be used?

There are several uses for the Blind Sql Injection:

• Testing the vulnerability;

• Finding the table name;

• Exporting a value;

Every techniques are based on the ‘guess attack’, because we only have two different input: TRUE or FALSE. Let me explain better…

 

Testing vulnerability (MySQL – MSSQL):

Let’s star with an easy example.

We have this type of URL: site.com/news.php?id=2

it will result in this type of query on the database:

SELECT * FROM news WHERE ID = 2

Now, we can try some sql injection techniques,

for example the blind sql injection!

site.com/news.php?id=2 and 1=0 SQL query is now:

SELECT * FROM news WHERE ID = 2 and 1=0

 

In this case the query will not return anything (FALSE) because 1 is different from 0;

Let’s do the litmus test: try to get the TRUE statement forcing the AND to be TRUE;

site.com/news.php?id=2 and 0=0 In this case 0 is equal to 0…

Got it! We should now see the original news page. We now know that is vulnerable to Blind Sql Injection.

The Backdoor Factory (BDF) – Patch Binaries With Shellcode

The Backdoor Factory (BDF) – Patch Binaries With Shellcode
The Backdoor Factory or BDF is a tool which enables you to patch binaries with shellcode and continue normal execution exactly as the executable binary would have in its’ pre-patched state. Some executables have built in protection, as such this tool will not work on all binaries. It is advisable that you test target binaries […]

The post…

Read the full post at darknet.org.uk


New feed

Gdog – Python Windows Backdoor With Gmail Command & Control

Gdog – Python Windows Backdoor With Gmail Command & Control
Gdog is a stealthy Python Windows backdoor that uses Gmail as a command and control server, it’s inspired by Gcat and pushes a little beyond a proof of concept with way more features. And don’t forget, Gcat also inspired Twittor – Backdoor Using Twitter For Command & Control. Features Encrypted transportation messages (AES) + SHA256…

Read the full post at darknet.org.uk


New feed