Hacking Wifi - Security, Backtrack, Ubuntu, Wifi hacking, Exploit, Pentesting OS, Tips and Tricks, Security News, Password Cracking, Windows XP, Windows Vista, Linux. By Varun D Kapoor (<a href="http://www.blogger.com/profile/17529348705205647251">profile</a>).<br /><br /><span style="font-weight:bold;">Backtrack 5 - Available for download</span> (2012-02-20)<br /><div dir="ltr" style="text-align: left;" trbidi="on">
Backtrack 5 is finally available for download. It comes in two versions, Backtrack 5 and Backtrack 5 R1.
It now supports three architectures: ARM, 32-bit and 64-bit. To download, <a href="http://www.backtrack-linux.org/downloads/">click here</a>.
</div><br /><br /><span style="font-weight:bold;">WarVOX - Wardialing Tool Suite (Explore, Classify &amp; Audit Telephone Systems)</span> (2009-03-14)<br /><a href="http://www.warvox.org/logo4.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 600px; height: 197px;" src="http://www.warvox.org/logo4.png" border="0" alt="WarVOX logo" /></a><br /><br />WarVOX is a suite of tools for exploring, classifying, and auditing telephone systems. Unlike normal wardialing tools, WarVOX works with the actual audio from each call and does not use a modem directly. This model allows WarVOX to find and classify a wide range of interesting lines, including modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders.<br /><br />WarVOX provides the unique ability to classify all telephone lines in a given range, not just those connected to modems, allowing for a comprehensive audit of a telephone system.<br /><span id="fullpost"><br />WarVOX requires no telephony hardware and is massively scalable by leveraging Internet-based VoIP providers. A single instance of WarVOX on a residential broadband connection, with a typical VoIP account, can scan over 1,000 numbers per hour. The speed of WarVOX is limited only by downstream bandwidth and the limitations of the VoIP service. Using two providers with over 40 concurrent lines we have been able to scan entire 10,000-number prefixes within 3 hours.<br /><br />The resulting call audio can be used to extract a list of modems that can be fed into a standard modem-based wardialing application for fingerprinting and banner collection.
One of the great things about the WarVOX model is that once the data has been gathered, it is archived and available for re-analysis as new signatures, plugins, and tools are developed.<br /><br /><a href="http://warvox.org/releases/warvox-1.0.0.tar.gz">Download here</a><br /><br />The latest development version of WarVOX can be accessed from Subversion with the following command:<br /><br />$ svn co http://metasploit.com/svn/warvox/trunk/<br /><br /><a href="http://warvox.org/index.html">For more info</a><br /></span><br /><br /><span style="font-weight:bold;">VideoJak - IP Video Security Assessment Tool</span> (2009-03-14)<br />VideoJak is an IP video security assessment tool that can simulate a proof-of-concept DoS against a targeted, user-selected video session and IP video phone. VideoJak is the first security tool of its kind that analyzes video codec standards such as H.264.<br /><br />VideoJak works by first capturing the RTP port used in a video conversation and analyzing the RTP packets, collecting the RTP sequence numbers and timestamp values used between the phones. It then creates a custom video payload by changing the sequence numbers and timestamp values used in the original RTP packets between the two phones. After the user selects a targeted phone to attack in an ongoing video session, VideoJak delivers the payload over the learned RTP port against the target.
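Injected packets of this kind are visible on the receiving side as discontinuities in exactly the two fields VideoJak rewrites. The following is an added example, not VideoJak's code: a parser for the RTP fixed header (RFC 3550) plus a per-SSRC check that flags sequence-number and timestamp jumps or reversals, run over a sample stream constructed here with assumed values (SSRC 0x1234ABCD, payload type 96, 90 kHz clock).

```python
"""Flag RTP sequence-number / timestamp tampering of the kind described above.

Added example, not part of VideoJak. Sample traffic is constructed with assumed
values: SSRC 0x1234ABCD, payload type 96 (H.264), 90 kHz clock, 30 fps.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

RTP_HEADER_FMT = "!BBHII"  # V/P/X/CC byte, M/PT byte, sequence, timestamp, SSRC
RTP_HEADER_LEN = struct.calcsize(RTP_HEADER_FMT)  # 12 bytes


@dataclass
class RtpHeader:
    version: int
    marker: bool
    payload_type: int
    seq: int
    timestamp: int
    ssrc: int


def parse_rtp(packet: bytes) -> RtpHeader:
    """Parse the 12-byte fixed RTP header (RFC 3550); rejects non-RTP data."""
    if len(packet) < RTP_HEADER_LEN:
        raise ValueError("packet shorter than RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack(RTP_HEADER_FMT, packet[:RTP_HEADER_LEN])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"unexpected RTP version {version}")
    return RtpHeader(version, bool(b1 & 0x80), b1 & 0x7F, seq, ts, ssrc)


def build_rtp(seq: int, ts: int, ssrc: int, pt: int = 96,
              marker: bool = False, payload: bytes = b"\x00" * 8) -> bytes:
    """Build a minimal RTP packet; used here only to construct sample traffic."""
    b0 = 0x80  # version 2, no padding, no extension, CSRC count 0
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack(RTP_HEADER_FMT, b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def audit_stream(packets: List[bytes], max_seq_jump: int = 50,
                 max_ts_jump: int = 90_000) -> List[Tuple[int, str]]:
    """Track each SSRC and report packets whose seq/timestamp break continuity.

    Deltas are taken modulo 2^16 / 2^32, so a legitimate wrap (65535 -> 0) is
    not an alert. State advances only on clean packets, so a burst of forged
    packets is judged against the last trusted one. Returns (index, reason).
    """
    last: Dict[int, Tuple[int, int]] = {}  # ssrc -> (seq, timestamp) of last clean packet
    findings: List[Tuple[int, str]] = []
    for i, raw in enumerate(packets):
        hdr = parse_rtp(raw)
        if hdr.ssrc not in last:
            last[hdr.ssrc] = (hdr.seq, hdr.timestamp)
            continue
        prev_seq, prev_ts = last[hdr.ssrc]
        seq_delta = (hdr.seq - prev_seq) & 0xFFFF
        ts_delta = (hdr.timestamp - prev_ts) & 0xFFFFFFFF
        reasons = []
        if seq_delta == 0:
            reasons.append("duplicate sequence number")
        elif seq_delta > 0x8000:
            reasons.append("sequence number went backwards")
        elif seq_delta > max_seq_jump:
            reasons.append(f"sequence jumped by {seq_delta}")
        if ts_delta > 0x80000000:
            reasons.append("timestamp went backwards")
        elif ts_delta > max_ts_jump:
            reasons.append(f"timestamp jumped by {ts_delta}")
        if reasons:
            findings.extend((i, r) for r in reasons)
        else:
            last[hdr.ssrc] = (hdr.seq, hdr.timestamp)
    return findings


SSRC = 0x1234ABCD  # assumed value for the constructed sample stream
SAMPLE_PACKETS = [
    build_rtp(100, 90_000, SSRC),
    build_rtp(101, 93_000, SSRC),
    build_rtp(102, 96_000, SSRC),
    build_rtp(103, 99_000, SSRC),
    build_rtp(6000, 0, SSRC),       # forged: rewritten seq and timestamp
    build_rtp(102, 96_000, SSRC),   # forged: replay of an earlier packet
    build_rtp(104, 102_000, SSRC),  # legitimate stream continues
]


def audit_sample() -> List[Tuple[int, str]]:
    """Run the check over the constructed stream; packets 4 and 5 get flagged."""
    return audit_stream(SAMPLE_PACKETS)
```

The thresholds are per-stream tuning knobs: a 90 kHz video clock advancing 3000 ticks per frame tolerates a second of loss before a timestamp jump is reported, while any reversal is always reported.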
This attack results in severely degraded video and audio quality.<br /><span id="fullpost"><br /><span style="font-weight:bold;">Features</span><br /><br /> * VLAN Discovery (CDP) and VLAN Hop<br /> * Call pattern tracking for SIP and SCCP signaling protocols<br /> * Audio codec (G.711u, G.722) and Video codec (H.263, H.264) support<br /> * Creates custom payload from H.263/H.264 packet capture<br /> * MitM functions and host management<br /> * Allows user to select ongoing video call from a menu<br /> * Allows user to select a targeted IP Phone for DoS within the video session<br /> * Enables the user to send the attack during an active, ongoing video call<br /><br /><a href="http://downloads.sourceforge.net/videojak/videojak-1.00.tar.gz?use_mirror=transact">Download here</a><br /><br /><a href="http://videojak.sourceforge.net/">For more info</a><br /></span><br /><br /><span style="font-weight:bold;">Backtrack 4 Beta Released</span> (2009-02-15)<br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhahxUqM5x8A5XEaajdRT2mzZ37tiTu3MOUKzpHKQWerXRupjN5yhANW-yGI1SBasBhzN87tiswkfbguCa1eeS20UhjIIwpRx0PZBrPPgJVfQ7kgymbxeS4rG69RDqGqy76E2bEyPYQmJaN/s1600-h/bt.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 161px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhahxUqM5x8A5XEaajdRT2mzZ37tiTu3MOUKzpHKQWerXRupjN5yhANW-yGI1SBasBhzN87tiswkfbguCa1eeS20UhjIIwpRx0PZBrPPgJVfQ7kgymbxeS4rG69RDqGqy76E2bEyPYQmJaN/s400/bt.JPG" border="0" alt="BackTrack 4 beta" id="BLOGGER_PHOTO_ID_5303007658564836562" /></a><br /><br />The long awaited next beta release of BackTrack is out. Initially it was only released at the Shmoo Convention and got a great response.
The ISO and VMware images are available for download.<br /><br />* <a href="http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-iso">ISO image</a> with <a href="http://www.offensive-security.com/woot/bt4-beta.txt">md5 and sha512sum</a><br />* <a href="http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-vm">VMware image</a> with <a href="http://www.offensive-security.com/woot/bt4-beta-vm-6.5.1.txt">md5 and sha512sum</a><br /><br /><span style="font-weight:bold;">New Features</span><br /><br /> * Kernel 2.6.28.1 with better hardware support.<br /> * Native support for Pico e12 and e16 cards is now fully functional, making BackTrack the first pentesting distro to fully utilize these awesome tiny machines.<br /> * Support for PXE Boot - Boot BackTrack over the network with PXE supported cards!<br /> * SAINT EXPLOIT - kindly provided by SAINT corporation for our users with a limited number of free IPs.<br /> * MALTEGO - The guys over at Paterva did outstanding work with Maltego 2.0.2 - which is featured in BackTrack as a community edition.<br /> * The latest mac80211 wireless injection patches are applied, with several custom patches for rtl8187 injection speed enhancements.
Wireless injection support has never been so broad and functional.<br /> * Unicornscan - Fully functional with PostgreSQL logging support and a web front end.<br /> * RFID support<br /> * Pyrit CUDA support…<br /> * New and updated tools - the list is endless!<br /><br /><br />For more info check out its official blog <a href="http://backtrack4.blogspot.com">http://backtrack4.blogspot.com</a><br /><br /><span style="font-weight:bold;">MultiInjector v0.3 released</span> (2008-12-24)<br />MultiInjector claims to be the first configurable automatic website defacement tool.<br /><span style="font-weight:bold;">Features</span><br /><br /> * Receives a list of URLs as input<br /> * Recognizes the parameterized URLs from the list<br /> * Fuzzes all URL parameters to concatenate the desired payload once an injection is successful<br /> * Automatic defacement - you decide on the defacement content, be it a hidden script, or just pure old “cyber graffiti” fun<br /> * OS command execution - remote enabling of XP_CMDSHELL on SQL server, subsequently running any arbitrary operating system command lines entered by the user<br /> * Configurable parallel connections exponentially speed up the attack process - one payload, multiple targets, simultaneous attacks<br /> * Optional use of an HTTP proxy to mask the origin of the attacks<br /><span id="fullpost"><br /><span style="font-weight:bold;">CHANGELOG</span><br /><br />- Added 4 more menu options.
Now supports the following list of actions:<br /><br />1) Automatic defacement:<br />Try to concatenate a string to all user-defined text fields in the DB<br /><br />2) Run OS shell command on DB server:<br />Run any OS command as if you're running a command console on the DB machine<br /><br />3) Run SQL query on DB server:<br />Execute SQL commands of your choice<br /><br />4) Enable OS shell procedure on DB:<br />Revive the good old XP_CMDSHELL where it was turned off<br />(default mode in MSSQL-2005)<br /><br />5) Add administrative user to DB server with password: T0pSeKret<br />Automagically join the Administrators family on the DB machine<br /><br />6) Enable remote desktop on DB server:<br />Turn remote terminal services back on...<br /><br />- Fixed nvarchar cast to varchar. Verified against MS-SQL 2000<br />- Added numeric / string parameter type detection<br />- Improved defacement content handling by escaping quotation marks<br />- Improved support for Linux systems<br />- Fixed the "invalid number of concurrent connections" failure due to non-parameterized URLs<br /><br /><span style="font-weight:bold;">README</span><br /><br /><span style="font-weight:bold;">Requirements:<br />--------------</span><br /><br />* Python >= 2.4<br />* Pycurl (compatible with the above version of Python)<br />* Psyco (compatible with the above version of Python)<br /><br /><span style="font-weight:bold;">Windows Support<br />-----------------</span><br /><br />The binary has been compiled using the wonderful Pyinstaller.<br />You may compile it yourself by downloading Pyinstaller and following the<br />straightforward instructions attached, which describe how to compile on Windows.<br /><br /><span style="font-weight:bold;">Linux Support<br />---------------</span><br /><br />Simply remove or comment out the "import psyco" line.<br />You may also use Pyinstaller as described in the Windows section above to compile native<br />UNIX binaries.<br /><a href="http://www.sn3akers.com/downloads/MultiInjectorV0.3.tar.gz">To download click here</a><br />A demonstration of attacks using MultiInjector will be presented at the<br />12th Annual Security Users' Festival in Korea.<br /><a href="http://translate.google.com/translate?u=http%3A%2F%2Fconcert.or.kr%2Fsuf2008%2Fprogram%2Fprogram.htm&hl=en&ie=UTF-8&sl=ko&tl=en">Presentation</a><br /></span><br /><br /><span style="font-weight:bold;">Data Recovery software - TestDisk</span> (2008-12-20)<br /><a href="http://www.cgsecurity.org/testdisk_files/testdisklogo-clear-100.gif"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 100px; height: 100px;" src="http://www.cgsecurity.org/testdisk_files/testdisklogo-clear-100.gif" border="0" alt="TestDisk logo" /></a><br /><br />TestDisk is open source software and is licensed under the terms of the GNU General Public
License (GPL).<br /><br />TestDisk is powerful free data recovery software. It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software, certain types of viruses or human error (such as accidentally deleting a partition table).<br /><br />TestDisk can:<br /><br /> * Fix the partition table, recover a deleted partition<br /> * Recover the FAT32 boot sector from its backup<br /> * Rebuild the FAT12/FAT16/FAT32 boot sector<br /> * Fix FAT tables<br /> * Rebuild the NTFS boot sector<br /> * Recover the NTFS boot sector from its backup<br /> * Fix the MFT using the MFT mirror<br /> * Locate the ext2/ext3 backup superblock<br /> * Undelete files from FAT, NTFS and ext2 filesystems<br /> * Copy files from deleted FAT, NTFS and ext2/ext3 partitions.<br /><br />TestDisk has features for both novices and experts. For those who know little or nothing about data recovery techniques, TestDisk can be used to collect detailed information about a non-booting drive which can then be sent to a tech for further analysis.
Those more familiar with such procedures should find TestDisk a handy tool in performing onsite recovery.<br /><br /><span style="font-weight:bold;">Operating systems supported</span><br /><br /> * DOS (either real or in a Windows 9x DOS-box),<br /> * Windows (NT4, 2000, XP, 2003, Vista),<br /> * Linux,<br /> * FreeBSD, NetBSD, OpenBSD,<br /> * SunOS and<br /> * MacOS<br /><span id="fullpost"><br /><span style="font-weight:bold;">Filesystems<br /></span><br />TestDisk can find lost partitions for all of these file systems:<br /><br /> * BeFS ( BeOS )<br /> * BSD disklabel ( FreeBSD/OpenBSD/NetBSD )<br /> * CramFS, Compressed File System<br /> * DOS/Windows FAT12, FAT16 and FAT32<br /> * HFS, HFS+ and HFSX, Hierarchical File System<br /> * JFS, IBM's Journaled File System<br /> * Linux ext2 and ext3<br /> * Linux LUKS encrypted partition<br /> * Linux RAID md 0.9/1.0/1.1/1.2<br /> o RAID 1: mirroring<br /> o RAID 4: striped array with parity device<br /> o RAID 5: striped array with distributed parity information<br /> o RAID 6: striped array with distributed dual redundancy information<br /> * Linux Swap (versions 1 and 2)<br /> * LVM and LVM2, Linux Logical Volume Manager<br /> * Mac partition map<br /> * Novell Storage Services NSS<br /> * NTFS ( Windows NT/2000/XP/2003/Vista/2008 )<br /> * ReiserFS 3.5, 3.6 and 4<br /> * Sun Solaris i386 disklabel<br /> * Unix File System UFS and UFS2 (Sun/BSD/...)<br /> * XFS, SGI's Journaled File System<br /><br /><a href="http://www.cgsecurity.org/wiki/TestDisk_Download">To download click here</a><br /></span><br /><br /><span style="font-weight:bold;">Advanced application-level OS fingerprinting</span> (2008-12-18)<br />Today I want to share an article which I stumbled upon online.
The following is entirely by Dan Crowley.<br /><blockquote><br /><span style="font-weight:bold;">Advanced application-level OS fingerprinting: Practical approaches and examples<br />Dan Crowley<br /></span><br /> The current state of OS fingerprinting involves, for the most part, layer 3 & 4 requests and responses. This includes tools like nmap, nessus, p0f, and sinFP. These tools make specific queries and examine the response for things like TCP/IP stack settings, TCP option support, the number of syn+ack packets sent before a timeout, the time interval between syn+ack packets, and the presence of a rst packet sent at timeout. Many of these things are manipulated or deformed by intermediary devices, and much of it can be fairly easily spoofed using freely available tools like IP Personality and Security Cloak.<br /><br /> Application-level OS fingerprinting, on the other hand, relies on data gleaned from an application running on the target host. The current methods include the identification of OS-specific applications, such as Remote Desktop, and "banner grabbing", which involves connecting to a cross-platform application and recording what operating system it claims to be running, usually in the welcome banner (thus the name). Banner grabbing is trivial to fool, usually requiring nothing more complicated than a change in a configuration file. It's not unheard of, for instance, for Apache servers to report that they are running on a Commodore 64.<br /><br /> Considering this, I present an alternate approach to application-level OS fingerprinting. The general idea is that there are certain requests that can be made to cross-platform applications which result in OS-dependent responses. This can be in the form of the data returned by the application, the lack of response, or timing differences in the response, although this is almost certainly not a comprehensive list. One example of existing usage of this technique is in [5].
Based on known differences in responses and known OSes associated with specific responses, one can determine the OS of a host running a service for which such signatures exist.<br /><br /><span id="fullpost"><br /> There are, of course, many differences in operating systems, but only some of them are actually feasible to measure remotely (in general scenarios). Here's a non-comprehensive list:<br /><br /><span style="font-weight:bold;">Newline characters<br />==================<br /></span>0x0d -> Classic Mac OS<br />0x0d0a -> win32, DOS, OS/2, SymbianOS<br />0x0a -> *nix<br />0x15 -> EBCDIC-based<br /><br /><span style="font-weight:bold;">Bit bucket<br />==========<br /></span>/dev/null -> *nix<br />NUL -> Win32, DOS, OS/2<br />NIL -> Amiga<br />SYS$NULL: -> OpenVMS<br />*DUMMY -> Univac<br /><span style="font-weight:bold;"><br />Directory separator [1]<br />===================</span><br />backslash -> win32, OS/2, symbianOS<br />slash -> *nix, amiga, domain, menuet<br />dot -> openVMS, riscOS<br />colon -> Classic Mac OS<br /><span style="font-weight:bold;"><br />Root directory [1]<br />==============</span><br />/ -> *nix, menuetOS<br />\ -> SymbianOS<br />// -> Domain/OS<br />[drive letter]:\ -> win32, OS/2, DOS<br />[drive letter]:/ -> win32<br />[device name]: or [NODE"accountname password"]::[device name]: -> OpenVMS<br />[drive name]: -> Classic Mac OS, AmigaOS<br />[volume or assign name]: -> AmigaOS<br />[fs type]::[drive number or disc name].$ -> RiscOS<br /><span style="font-weight:bold;"><br />EOF marker<br />==========</span><br />0x1a -> Windows;<br />(int) -1 -> Pretty much everything else<br /><span style="font-weight:bold;"><br />Filesystem differences<br />======================</span><br />Maximum path length<br />Maximum filename length<br />Illegal characters<br />Case sensitivity<br />Reserved filenames, special files<br /><br />***ILLEGAL NTFS CHARS***<br />" / \ * ? < > | :<br /><br />***ILLEGAL FAT CHARS***<br />" + , . 
/ : ; < = > [ \ ] | .<br /><br />***ILLEGAL HPFS CHARS***<br />" / : < > \ |<br />any char below 0x20<br /><br /> Data alignment, word size, the existence of OS-specific binaries, and processor feature support are more criteria that can be used, but are less commonly determinable remotely.<br /><br /> Additionally, there are differences that are specific to an application that can be used. This varies widely from application to application, but often, these differences take one of a couple of forms. They can be vulnerabilities, or code written to patch those vulnerabilities that exist only on certain platforms (Fyodor has already discussed exploit chronology in [2] but does not discuss testing the existence of mitigation code). Certain features of programs will not be supported on some OSes, and will on others. The presence of these features eliminates unsupported OSes as a possibility. Finally, certain applications will have features which give out system details very freely. As a part of a default Apache installation, a test perl cgi script, printenv.pl, is placed in the cgi-bin directory. This script, when run, prints all environment variables. This is more or less advanced banner grabbing, but it makes a nice example of leaky features that can be found in certain applications.<br /><br /> But enough talk. Let's get to some real examples!<br /><span style="font-weight:bold;"><br />Example 1 - Apache 2.2.9<br />========================</span><br /><br />http://unix.example.com/\\\.<br />-URL must not be URL-encoded: PuTTY or an intercepting http-proxy can be used to ensure this<br />-Will return a 404 Not Found error<br />-Unix platform<br /><br />http://win32.example.com/\\\.<br />-Again, no URL-encoding<br />-Will return 200 OK and load front page<br />-Win32 platform<br /><br />(This is an example of mitigation code that exists only on Win32 installations of Apache. Apache, when compiled for Windows, will convert backslashes to slashes. On *nix, it will not.
This would work even if there wasn't specific mitigation code for Win32, but the fact that Apache on *nix doesn't change the backslashes to slashes means that backslashes will be interpreted as a part of a filename, and will just be extraneous slashes to Win32, resulting in \\\. being interpreted as a filename on *nix, and as a reference to the root dir of the website on a win32 machine.)<br /><span style="font-weight:bold;"><br />Example 2 - Apache 2.2.9<br />========================</span><br /><br />http://unix.example.com/nul<br />-Returns 404 Not Found<br />-Not a Windows-based system<br /><br />http://win32.example.com/nul<br />-Returns 403 Forbidden<br />-Win32<br /><br />(This works because Apache won’t have read access to the bit bucket… nothing should!<br />On DOS-style systems, special files like nul and con “exist” and can be accessed from all directories. This should also work on other cross-platform web servers, ftp daemons, etc. but I haven’t tested it)<br /><span style="font-weight:bold;"><br />Example 3 - Apache 2.2.9<br />========================</span><br /><br />http://unix.example.com/%1a<br />-404 Not Found<br /><br /><br />http://win32.example.com/%1a<br />-403 Forbidden<br /><br />(Apache on Win32 doesn’t appreciate EOF markers being stuck into URIs.<br />Funny enough, it doesn’t like anything but GL codes (0x20-0x7f). I don’t know where in the code this happens. I think it’s likely a limitation of the system-level functions failing with characters outside a given range.
Other operating systems aren’t as picky.)<br /><span style="font-weight:bold;"><br />Example 4<br />=========</span><br /><br />http://winme.example.com/images/thumbs.db<br />-Has drive and pathnames in file<br /><br />http://winxp.example.com/images/thumbs.db<br />-No drive or pathnames in file<br /><br />http://xpmedia.example.com/images/ehthumbs.db<br />-Unique to XP Media Center<br /><br />Thumbs.db<br />-Auto-generated image thumbnail database<br />-Exists in every dir with images (or certain other files) viewed in Windows Explorer with thumbnails on (even if images are later deleted)<br />-Generated on 98, ME, 2K, XP, 2003 (Maybe more, documentation is very sparse)<br />-Differs in contents between 98/ME/2K and XP/2003<br />-Win2k will use alternate data streams for thumbnail storage on NTFS volumes and thumbs.db on FAT partitions<br />-Windows XP Media Center Edition will also create ehthumbs.db for videos<br /><br />(table expanded from [3])<br />System | Win98 | WinME | Win2k | WinXP | Win2k3<br />--------+---------------+---------------+---------------+---------------+---------------<br />Drive | Yes | Yes | Yes | No | No<br />Filename| Yes | Yes | Yes | Yes | Yes<br />Path | Yes | Yes | Yes | No | No<br />Last Mod| Yes | Yes | Yes | Yes | Yes<br /><br />(One note about this: I was confronted with a problem with this method by Mike Eddington of Leviathan Security, who pointed out the possibility that a thumbs.db file could be uploaded to a webserver along with the corresponding images. After some thought, I realized that you could check the last modified date of the thumbs.db file as sent by the web server and the last modified date as recorded in the file. If they match, it was updated by the server itself!)<br /><span style="font-weight:bold;"><br />Example 5 - IIS [4]<br />===============</span><br />This one's pretty simple. IIS versions correspond to specific versions of Windows. 
Enumerate the IIS version, and you get the OS version.<br /><br />IIS version | OS version<br />----------------+------------------<br />1.0 | NT 3.51 SP3<br />2.0 | NT 4.0<br />3.0 | NT 4.0 SP3<br />4.0 | NT 4.0 SP3<br />5.0 | Win2k<br />5.1 | XP Pro<br />6.0 | Server 2003<br />7.0 | Vista, Server 2008<br /><br />(I haven't figured out ways to determine between IIS versions, although exploit chronology and feature support would likely be good candidates, and the version of IIS being reported should give a good indication. I suspect, however, that it should be easy for an admin to spoof.)<br /><span style="font-weight:bold;"><br />Example 6 - default FTP daemons<br />===============================</span><br />Run the raw ftp commands “rnfr .” and then “rnto .” against a default FTP daemon on a writable directory. It will generally spit back "350 File exists, ready for destination name" followed by a message about what happened with the operation…<br /><br />OpenBSD 4.0<br />550 rename: Is a directory.<br /><br />FreeBSD 7.0<br />250 RNTO command successful<br /><br />OpenSolaris 2008.05<br />550 rename: Invalid argument.<br /><br />Ubuntu 8.04 server<br />550 rename: Device or resource busy.<br /><span style="font-weight:bold;"><br />More quick examples<br />===================</span><br />Win32 Apache doesn’t like colons in URLs, other OSes don't care so much<br />Win32 Apache will accept, for example, /BLAHBL~1.HTM as a valid replacement for blahblahblah.html where it will not on other OSes<br />(This one kinda sounds like security hell)<br /><span style="font-weight:bold;"><br />Other (less useful) signatures<br />==============================</span><br />The presence of $MFT in the root of a volume suggests an NTFS volume<br />Accessing a directory as a file will work on BSD systems<br />-FreeBSD and NetBSD will spit back binary data<br />-OpenBSD will return nothing but won’t complain<br />Windows can only use one audio input source at a time<br /><br />(I
came up with these too and wanted to include them for completeness, but they're so case-specific that I didn't want to give them too much time.)<br /><br /> If you'd like to find some signatures yourself, try grepping for #ifdef and #ifndef in the sources of any given application (if you have sources and they're C). "Linux", "BSD", "MacOS", etc. are also nice candidates. Additionally, the basis for many of the examples I've given here should apply to many different applications which do similar operations or make similar system calls. Requesting nul from any application that serves or queries for files should quickly identify a Windows system.<br /><br /> In conclusion, application-level OS fingerprinting using multi-platform applications is possible and plausible without using banner-grabbing. OS identity info leakage in applications is not well considered (I based this on the fact that I was able to find 3 leaks with the latest version of Apache in 1 hour of searching). This method is useful, and can be combined with other fingerprinting methods, which is where I feel it would be most effective, though with enough signatures, this method could stand entirely on its own.<br /><br /> As for further work that can be done in this field, there are definitely timing differences in application responses that could be used for OS fingerprinting. It should also be possible to find OS-version-specific responses in platform-specific applications, much like the IIS version-to-OS version example. Also, these techniques could be coded into a tool, but I'm not a great coder by any means. I hope to release some python scripts for a few of these examples shortly after the paper is released.
And finally, there are more applications out there to use for fingerprinting!<br /><br /> Thank you for reading!<br /><span style="font-weight:bold;"><br />References</span><br /> <br />[1] <a href="http://en.wikipedia.org/wiki/Path_(computing)">http://en.wikipedia.org/wiki/Path_(computing)</a><br />[2] <a href="http://nmap.org/nmap-fingerprinting-article.txt">http://nmap.org/nmap-fingerprinting-article.txt</a><br />[3] <a href="http://www.acquisitiondata.com/white_papers/thumbsdbfiles.pdf">http://www.acquisitiondata.com/white_papers/thumbsdbfiles.pdf</a><br />[4] <a href="http://support.microsoft.com/kb/224609">http://support.microsoft.com/kb/224609</a><br />[5] <a href="http://lwn.net/2001/0222/a/sec-lpddetect.php3">http://lwn.net/2001/0222/a/sec-lpddetect.php3</a><br />To download the original paper click <a href="http://www.x10security.org/appOSfingerprint.txt">here</a>.</blockquote><br /><br />Hope you all like it.<br /></span><br /><br /><span style="font-weight:bold;">Metasploit on Ubuntu</span> (2008-12-12)<br />The Metasploit Project is an open source computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development. Its most well-known sub-project is the Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive, and security research.
(Wikipedia).<br /><br /><span style="font-weight:bold;">Installing Metasploit</span><br /><span id="fullpost"><br /><br />Before installing Metasploit we need to install the following packages:<br /><br />$ sudo apt-get install ruby libruby rdoc<br /><br />$ sudo apt-get install libyaml-ruby<br /><br />$ sudo apt-get install libzlib-ruby<br /><br />$ sudo apt-get install libopenssl-ruby<br /><br />$ sudo apt-get install libdl-ruby<br /><br />$ sudo apt-get install libreadline-ruby<br /><br />$ sudo apt-get install libiconv-ruby<br /><br />$ sudo apt-get install rubygems<br /><br />Once the dependencies have been installed, we are ready to install Metasploit.<br /><br />We now need to <a href="http://www.metasploit.com/framework/download/">download the latest version of Metasploit</a>.<br /><br />Accept the license.<br /><br />The download location is not important. After the download is complete we need to untar it:<br /><br />$ tar -xvzf framework-x.x.tar.gz<br /><br /><span style="font-weight:bold;">Updating Metasploit</span><br /><br />Before we run Metasploit, it's a good idea to update it. Change to the Metasploit folder:<br /><br />$ cd metasploit-x.x<br /><br /><span style="font-weight:bold;">Update:</span><br /><br />$ svn update<br /><br />Note: in case you don't have Subversion installed, use the following command:<br /><br />$ sudo apt-get install subversion<br /><br /><span style="font-weight:bold;">Running Metasploit</span><br />To run Metasploit use the following command:<br /><br />$ ./msfconsole<br /><br /></span><br /><br /><span style="font-weight:bold;">Mdk3 on Ubuntu</span> (2008-12-08)<br />I know you have all tried to compile mdk3 on Ubuntu and have failed miserably. Whenever you try to run the make command, it shows all sorts of errors.
<br /><br />First, make sure gcc-4.2 is installed.<br />To do that, type sudo apt-get install gcc-4.2 in a terminal window.<br /><br />Now extract the archive into a folder named mdk3, open a terminal and follow these steps:<br />* cd mdk3/osdep <br />* nano common.mak<br />* find the line<br /> CC = $(TOOL_PREFIX)gcc<br />and change it to <br />CC = $(TOOL_PREFIX)gcc-4.2<br />* press ctrl+x, then y, then enter<br />* cd ..<br />* make <br />* sudo make install<br />Alternatively, leave common.mak untouched and run make CC=gcc-4.2 instead of make: a variable set on the make command line overrides the makefile's own assignment and is passed down to sub-makes, so the osdep build picks it up as well.<br />To download the latest version of mdk3 <a href="http://homepages.tu-darmstadt.de/~p_larbig/wlan/">click here.</a><br />And enjoy...<br /><span id="fullpost"><br /></span>Varun D Kapoorhttp://www.blogger.com/profile/17529348705205647251noreply@blogger.com19tag:blogger.com,1999:blog-4306907273163705118.post-45305992506082465352008-12-05T23:48:00.002+05:302008-12-05T23:53:15.279+05:30The World’s Fastest MD5 Cracker - BarsWFBarsWF is an MD5 brute-force cracker which, at the time of writing, claims to be the fastest available. 
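To put the throughput figures this post quotes (350 M keys/sec for the CUDA build) into perspective, here is an added Python example; it is not BarsWF code and not part of the original post. It shows what a cracker actually does, an exhaustive search over a character set comparing MD5 digests, and the keyspace arithmetic that turns a keys-per-second rate into a worst-case time to exhaust all passwords of a given length. The only figure taken from the post is the rate constant; the search itself is a plain reference implementation, many orders of magnitude slower than a GPU cracker.

```python
import hashlib
import itertools
import string

# Rate quoted in the post for the CUDA build on a 9600GT (keys per second).
BARSWF_CUDA_RATE = 350_000_000


def brute_force_md5(target_hex, charset, max_len):
    """Exhaustively try every string over `charset` of length 1..max_len.

    Returns (password_bytes, candidates_tried); password is None when nothing
    up to max_len hashes to target_hex. Shorter lengths are tried first.
    """
    target_hex = target_hex.lower()
    tried = 0
    for length in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=length):
            tried += 1
            candidate = bytes(tup)
            if hashlib.md5(candidate).hexdigest() == target_hex:
                return candidate, tried
    return None, tried


def keyspace(charset_size, max_len):
    """Number of candidates of length 1..max_len over a charset of the given size."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def worst_case_seconds(charset_size, max_len, keys_per_second):
    """Time to exhaust the whole keyspace at a given rate (an upper bound per hash)."""
    return keyspace(charset_size, max_len) / keys_per_second


if __name__ == "__main__":
    # Constructed demo target: md5("abc"); the search recovers it in a fraction of a second.
    found, tried = brute_force_md5(
        hashlib.md5(b"abc").hexdigest(), string.ascii_lowercase.encode(), 3
    )
    print(f"recovered {found!r} after {tried} candidates")
    for name, size in (("lowercase", 26), ("mixed-case alphanumeric", 62)):
        secs = worst_case_seconds(size, 8, BARSWF_CUDA_RATE)
        print(f"8-char {name}: {keyspace(size, 8):,} keys, "
              f"{secs / 3600:.1f} h at {BARSWF_CUDA_RATE:,} keys/s")
```

At the quoted rate every 8-character lowercase password falls in about ten minutes, and the 62-character alphabet takes roughly a week. That arithmetic, not the tool, is the security lesson: a raw MD5 of a password is only as strong as the keyspace, a salt only defeats precomputed tables and does nothing against brute force of a single hash, and a deliberately slow password hash (bcrypt, PBKDF2) is what shrinks the keys-per-second number.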
On an nVidia 9600GT with a Core 2 Duo at 3 GHz, the CUDA version does 350 M keys/sec and the SSE2 version 108 M keys/sec.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://chart.apis.google.com/chart?cht=bhs&chd=t:350,320,140,158,108,220,181&chs=500x232&chds=0,375&chco=fd3999|4d89f9|4d89f9|4d89f9|4d89f9|4d89f9|4d89f9&chf=c,ls,0,FFFFFF,0.13333,EEEEFF,0.13333&chxt=x,y,x&chxr=0,0,375&chxl=1:|InsidePro%20EGB%201.2|nVCuda_md5%202.04|cuMD5@2008.06.29|Elcomsoft%20md5crack%200.4|Vernoux%20MD5%20crack%20GPU*%200.2|BarsWF%20CUDA%20MD5%20x32+0.6|BarsWF%20CUDA%20MD5%20x64+0.6|2:|nVidia%209600GT%20C2D@3Ghz|&chxp=2,50"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 500px; height: 232px;" src="http://chart.apis.google.com/chart?cht=bhs&chd=t:350,320,140,158,108,220,181&chs=500x232&chds=0,375&chco=fd3999|4d89f9|4d89f9|4d89f9|4d89f9|4d89f9|4d89f9&chf=c,ls,0,FFFFFF,0.13333,EEEEFF,0.13333&chxt=x,y,x&chxr=0,0,375&chxl=1:|InsidePro%20EGB%201.2|nVCuda_md5%202.04|cuMD5@2008.06.29|Elcomsoft%20md5crack%200.4|Vernoux%20MD5%20crack%20GPU*%200.2|BarsWF%20CUDA%20MD5%20x32+0.6|BarsWF%20CUDA%20MD5%20x64+0.6|2:|nVidia%209600GT%20C2D@3Ghz|&chxp=2,50" border="0" alt="" /></a><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://chart.apis.google.com/chart?cht=bhs&chd=t:109.0,98.5,4.77,29,7.3,8.17,13.5&chs=500x233&chds=0,120&chco=fd3999|4d89f9|4d89f9|4d89f9|4d89f9|4d89f9|4d89f9&chf=c,ls,0,FFFFFF,0.16666,EEEEFF,0.16666&chxt=x,y,x&chxr=0,0,120&chxl=1:|Elcomsoft%20EDPR%202.60|Cain%20%26%20Abel%204.9.19|LastBit%20MD5%20Password|MDCrack%201.83%20SSE|InsidePro%20PasswordsPro%202.4.3.0|BarsWF%20MD5%20crack%20x32%200.6|BarsWF%20MD5%20crack%20x64%200.6|2:|Core2Duo%20E2140@3Ghz|&chxp=2,50"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 500px; height: 233px;" src="http://chart.apis.google.com/chart?cht=bhs&chd=t:109.0,98.5,4.77,29,7.3,8.17,13.5&chs=500x233&chds=0,120&chco=fd3999|4d89f9|4d89f9|4d89f9|4d89f9|4d89f9|4d89f9&chf=c,ls,0,FFFFFF,0.16666,EEEEFF,0.16666&chxt=x,y,x&chxr=0,0,120&chxl=1:|Elcomsoft%20EDPR%202.60|Cain%20%26%20Abel%204.9.19|LastBit%20MD5%20Password|MDCrack%201.83%20SSE|InsidePro%20PasswordsPro%202.4.3.0|BarsWF%20MD5%20crack%20x32%200.6|BarsWF%20MD5%20crack%20x64%200.6|2:|Core2Duo%20E2140@3Ghz|&chxp=2,50" border="0" alt="" /></a><br /><br /><span id="fullpost"><br />System Requirements<br /><br /> * CUDA version only: nVidia GeForce 8xxx and up, at least 256 MB of video memory.<br /> * Latest nVidia driver with CUDA support. Standard drivers might be a bit older (as CUDA 2.0 is still beta).<br /> * CPU with SSE2 support (P4, Core2Duo, Athlon64, Sempron64, Phenom).<br /> * Recommended 64-bit OS (WinXP 64 or Vista64). A 32-bit version is also available.<br /><br /><a href="http://3.14.by/en/md5">Download BarsWF 0.8 here</a><br /></span>Varun D Kapoorhttp://www.blogger.com/profile/17529348705205647251noreply@blogger.com2tag:blogger.com,1999:blog-4306907273163705118.post-37757010844439652942008-11-29T01:37:00.007+05:302008-12-18T19:40:03.813+05:30Compiz Modules for SlaxHere are all the compiz-fusion 0.7.4 modules for SLAX 6 and above. 
While running the SLAX live USB installation, just unzip the downloaded file and double-click the individual modules to activate them, then restart for the change to take effect.<br />For more info on <a href="http://www.compiz-fusion.org/">compiz-fusion.</a><span style="font-weight:bold;"><br /><br /><a href="http://www.adrive.com/public/09880881e77c14370fc62a934cb7e4061315cd55177972b87f71149a7a733d80.html">Download compiz-fusion 0.7.4.rar</a> <br />Files enclosed</span><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi343pyr9TQEWOTYKALx2DBSLojTNsu2nTPbLFv1Q9cC705OEs5hKVfstfIupc0OvmaMINXcgtm284UhG7FbwJLsplLtoeRTqVR2ihlFgYhMnZwRlku3tgL39gi5J65BkMR49-f9xkM2PPf/s1600-h/1.JPG"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 152px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi343pyr9TQEWOTYKALx2DBSLojTNsu2nTPbLFv1Q9cC705OEs5hKVfstfIupc0OvmaMINXcgtm284UhG7FbwJLsplLtoeRTqVR2ihlFgYhMnZwRlku3tgL39gi5J65BkMR49-f9xkM2PPf/s400/1.JPG" border="0" alt="" id="BLOGGER_PHOTO_ID_5273817094333454258" /></a>Varun D Kapoorhttp://www.blogger.com/profile/17529348705205647251noreply@blogger.com4tag:blogger.com,1999:blog-4306907273163705118.post-65855263588096287442008-11-26T23:45:00.001+05:302008-11-26T23:48:45.554+05:30WPA broken PACSEC 2008 + Aircrack-PTWThe security conference <a href="http://pacsec.jp/">PACSEC 2008</a>, held in Tokyo, Japan on 12th and 13th November 2008, had a major attraction: Erik Tews presented a new, practical (not brute-force) attack on WPA-TKIP. WPA-TKIP, with its dynamic per-packet key generation, was considered unbreakable by laymen and professionals alike, and far safer than the weak WEP encryption. 
<br /><br />According to the references, Erik Tews and Martin Beck presented a way to get past TKIP (Temporal Key Integrity Protocol), which is known for generating a fresh key for each data packet. The attack takes 12 to 15 minutes and needs a WPA-TKIP network with 802.11e (QoS) enabled. Note what it does and does not achieve: it does not recover the WPA passphrase or the pairwise key; it recovers the MIC (Michael) key and the keystream of one short packet, which lets the attacker decrypt small packets sent from the access point to a client (such as ARP replies) and inject a handful of forged frames. So don't forget to check the fresh materials from the PACSEC 2008 conference. The details will also be published at Remote Security.<br /><span id="fullpost"><br /><span style="font-weight:bold;">Topics presented at the PacSec conference</span><br /><br />Putting an SSH server in your NIC - Arrigo Trulzi<br />Gone in 900 Seconds, Some Crypto Issues with WPA - Erik Tews<br />Browser Memory Protection Bypasses: Virtual Machines - Mark Dowd, IBM<br />Cross domain leakiness: Divulging sensitive information and attacking SSL sessions - Chris Evans & Billy Rios, Google, Microsoft<br />Flash XSS - Rich Cannings, Google<br />Malicious origami in PDF - Fredric Raynal, Guillaume Delugre<br />Security for Virtual and Physical Server Environment - Akiko Takahashi<br />Living in the RIA World (Flash/Air, Silverlight, Gears, Prism, BrowserNow, HTML5) - David Thiel, iSec<br />Understanding Cross-Domain Models and Threats - Peleus Uhley, Adobe<br />Gaining access through Kerberos - Emmanuel Bouillon<br />A new web attack vector: Script Fragmentation - Stephan Chenette, WebSense<br />Countermeasure to SSH Brute Force Attack according to behaviour - Tetsuo Handa<br />Advances in Automated Attack Planning - Carlos Sarraute & Alejandro David Weil, Core<br />Inside “Winnyp”, Winnyp Internals and Concepts of Network Crawling - Toshiaki Ishiyama, Fourteenforty<br /><span style="font-weight:bold;">Aircrack-PTW</span><br /><br />A better and faster implementation for breaking WEP security, known as Aircrack-PTW, has been released. The new minimum number of IVs needed for a successful 128-bit key recovery is 19,000. Source code is available in SVN. All tools are at your disposal at rootu. 
The implementation is, of course, included in the latest SVN version of Aircrack-ng.<br /><br /></span>Varun D Kapoorhttp://www.blogger.com/profile/17529348705205647251noreply@blogger.com5tag:blogger.com,1999:blog-4306907273163705118.post-5070195748576944272008-11-26T23:30:00.003+05:302008-11-26T23:37:10.476+05:30Wired keyboard eavesdropping videoEvery key press produces a small pulse of electromagnetic radiation. This radiation can be captured and quickly decoded. Even though the described attack may affect only some keyboard models, it is worth mentioning. Eleven different keyboards were tested before the demonstration, and every one was susceptible to at least one of the four attack methods. The results are shown in the videos below.<br /><br />The tests demonstrated that eavesdropping on keyboards is possible at up to 20 metres (60 feet). Even a wall can't stop the data sniffing; see the second video after the code breaking.<br /><span id="fullpost"><br /><object width="400" height="225"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=2007855&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=ffffff&fullscreen=1" /><embed src="http://vimeo.com/moogaloop.swf?clip_id=2007855&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=ffffff&fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="225"></embed></object><br /><a href="http://vimeo.com/2007855">Compromising Electromagnetic Emanations of Keyboards Experiment 1/2</a> from <a href="http://vimeo.com/user836876">Martin Vuagnoux</a> on <a href="http://vimeo.com">Vimeo</a>.<br /><br />The exact list of affected keyboards is not known yet and is to be published later.<br /><br /><object width="400" height="225"><param name="allowfullscreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=2008343&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=ffffff&fullscreen=1" /><embed src="http://vimeo.com/moogaloop.swf?clip_id=2008343&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=ffffff&fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="225"></embed></object><br /><a href="http://vimeo.com/2008343">Compromising Electromagnetic Emanations of Keyboards Experiment 2/2</a> from <a href="http://vimeo.com/user836876">Martin Vuagnoux</a> on <a href="http://vimeo.com">Vimeo</a>.<br /><br />A related demonstration of compromising emanations is the application <a href="http://www.erikyyy.de/tempest/">tempest</a>. Video author: Martin Vuagnoux; source: Vimeo. Thanks for letting us know about this interesting material. <a href="http://lasecwww.epfl.ch/keyboard/">Lasecwww project homepage</a>.<br /></span>Varun D Kapoorhttp://www.blogger.com/profile/17529348705205647251noreply@blogger.com2tag:blogger.com,1999:blog-4306907273163705118.post-5767250188948486842008-11-26T23:15:00.003+05:302008-11-26T23:21:14.782+05:30Data doubts - people are the weakest linkHow secure is your memory stick? <br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://cordis.europa.eu/ictresults/image-gallery/200709/89216_001.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 220px; height: 146px;" src="http://cordis.europa.eu/ictresults/image-gallery/200709/89216_001.jpg" border="0" alt="" /></a><br />USB “key drives”, contrary to what their name suggests, can be a security nightmare. 
A new, patented European design of key drive improves security by keeping fallible humans out of the loop, using hardware techniques to lock up sensitive data.<br /><br />To organisations concerned with computer security, the ubiquitous USB “key drive” or “memory stick” is a problem. Such drives are quick to use, easy to conceal, and are available in huge capacities. A USB drive containing private information can easily be stolen from a pocket or briefcase, or used to smuggle confidential files out of an office.<br /><br />Some USB drives encrypt data so that it can only be written or copied by someone who knows the password or has the correct fingerprint. This is useful if the device itself is stolen, but cannot stop the theft of data by someone who is authorised to access it.<br /><br /><br /><span id="fullpost"><br />What is needed in such cases is a technology that eliminates human fallibility. Ensuring that a certain USB drive could only be read by a particular PC would remove the need for passwords or fingerprints, while a PC that rejects unauthorised USB drives would go a long way to preventing data theft within organisations.<br /><span style="font-weight:bold;">Reliable hardware fingerprints</span><br /><br />French company MobileGov has developed and patented just such a technology as a spin-off from an EU-supported project to transform Europe’s legal systems through technology. MobileGov’s Device Linker is a secure USB drive that can only be used on PCs for which it has been authorised. Another product, called Device Authenticator, performs a complementary function: it allows a PC to reject unauthorised USB keys or other hardware devices.<br /><br />The ability to authorise any kind of computer hardware has all kinds of applications, points out Michel Frenkiel, president of MobileGov. 
For instance, he says, security based on biometric indicators such as fingerprints is becoming common — but what if someone unplugs a fingerprint reader and replaces it with a similar one that has been programmed to accept a data thief’s fingerprints? The MobileGov technology could prevent this by refusing to accept the unauthorised device.<br /><br />Key to MobileGov’s patent is the use of a “hardware fingerprint” — a unique number calculated from the hardware and software components of a PC, PDA, mobile phone, USB drive or other device. Limited forms of hardware coding are sometimes used to prevent software theft, Frenkiel notes, but the MobileGov system is more powerful and flexible. Manufacturers could even use it to detect tampering in equipment that is under warranty, for instance.<br /><br />MobileGov launched Device Authenticator in 2006 and Device Linker in 2007, to strong interest from the French media. The company is currently working with both the French defence ministry and Microsoft, whose future Vista Professional operating system will offer such features, Frenkiel says.<br /><span style="font-weight:bold;">A wider view of legal processes</span><br /><br />MobileGov’s technology is only the most visible of several useful results to emerge from a much broader R&D initiative. The two-year eJustice project, which finished in February 2006, aimed to make legal procedures more efficient by using information and communications technology to replace cumbersome paper-based workflows. The main focus was on biometric authentication via smart ID cards. The researchers developed ways of combining face recognition and fingerprinting that reduce the error rate by a factor of 30, to an average of 1 in 10,000, compared to using either technology on its own.<br /><br />eJustice created a card-based combined biometric security solution that works with most of the systems currently used for electronic signatures and is technically ready for use. 
The result, say the project partners, will be legal systems that are highly secure, yet easy to use and which protect personal data strongly. With current biometric passports, for instance, a computer extracts personal data from the passport and compares it with information from a face or fingerprint scanner. The eJustice ID card is more secure because it stores personal data in a form that cannot be extracted; it is the card itself that compares the stored and scanned profiles.<br /><br />Another part of eJustice concerned the translation of traditional legal workflows into processes that computers can understand. An example of the work done during the project is Lexecute, a software package produced by eJustice partners led by the Max Planck Institut für Informatik in Germany.<br /><br />Lexecute shows the stages of a legal case from the viewpoint of both legal professionals and their clients. It has applications across e-government as a tool for case study management, documentation and education, and is already being used in Germany to train clerks. By improving people’s understanding of how legal processes are supposed to work, tools like Lexecute can increase transparency and highlight opportunities for improvement, Frenkiel says.<br /><br />The work of eJustice was taken up in another project, R4eGov, also coordinated by Michel Frenkiel. R4eGov, which started in 2006 and runs until 2009, is helping to create the security and interoperability needed for the EU’s i2010 initiative, which aims to deliver a single European Information Area, improve public services and quality of life, and promote innovation.<br /><br />Ten years from now, the eJustice partners believe, legal procedures will be based on integrated technologies that will make them simpler, quicker and more secure. Relieved of the need to handle so much paper, legal professionals will have more time to think and learn, so their performance will improve and trust in the law will increase. 
Cross-border legal processes of all kinds, including those that deal with crime, will become more effective.<br /><br /></span>Varun D Kapoorhttp://www.blogger.com/profile/17529348705205647251noreply@blogger.com1tag:blogger.com,1999:blog-4306907273163705118.post-665841709375236972008-11-25T21:18:00.004+05:302008-11-25T21:32:52.847+05:30Antivirus just for gamers<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://media.arstechnica.com/journals/microsoft.media/symantec_logo.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 300px; height: 77px;" src="http://media.arstechnica.com/journals/microsoft.media/symantec_logo.jpg" border="0" alt="" /></a><br /><br />Symantec today released Norton AntiVirus 2009 Gaming Edition, an antivirus utility designed specifically not to bother gamers while they, err, game. The "Gamer Mode" suspends updates, alerts, and other background activities when you’re in the middle of a game. It is automatically enabled when the system is in full screen mode (and can also be manually enabled). Resource-intensive actions such as a system scan only occur when the computer is idle. Furthermore, Symantec claims that the software is a performance-driven release, but then again, the normal NAV2009 is as well (as we've seen in a recent performance test). Rowan Trollope, senior vice president of consumer products at Symantec gave the following explanation for the product release:<br /><span id="fullpost"><br /> Gamers are an extremely demanding audience that simply won’t tolerate anything on their system that detracts from gameplay. Norton AntiVirus Gaming Edition keeps gamers protected online and runs perfectly undetected in the background, meaning no interruptions, no pop-ups, and with the same award winning zero-impact performance of our 2009 products. 
<br /><br /><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/_xwXreYp0To&hl=en&fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/_xwXreYp0To&hl=en&fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object><br /><br />Great, now can we get a Non-Gaming Edition please? Better yet, why can't NAV2009 simply include a "Gamer Mode"? When anyone is in full-screen mode (gaming, watching a video, or intensive graphic design), they don't want an antivirus bothering them; this isn't a feature that only hard-core gamers desire. Obviously Symantec is trying to make the choice for gamers easy by being the first major security company to offer a gaming antivirus. However, the security giant would do much better to forget the Gaming Edition and focus on giving everyone these extra options right out of the box. 
<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://media.arstechnica.com/journals/microsoft.media/500/norton_antivirus_gaming.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 500px; height: 319px;" src="http://media.arstechnica.com/journals/microsoft.media/500/norton_antivirus_gaming.jpg" border="0" alt="" /></a><br /><br />NAV2009 Gaming Edition is now available in the US exclusively on the <a href="http://www.symantecstore.com/">Symantec online store</a> for $39.99USD, the same price as the original NAV2009.<br /></span>Varun D Kapoorhttp://www.blogger.com/profile/17529348705205647251noreply@blogger.com0tag:blogger.com,1999:blog-4306907273163705118.post-80516924892194268962008-11-20T23:25:00.002+05:302008-11-20T23:28:17.080+05:301st Wardrive in IndiaOn 10th November 2008, ClubHack, with the support of the Cyber Crime Cell of Pune Police, conducted a wardrive in Pune, Maharashtra.<br />The wardrive aimed at analysing wireless network security in Pune city at common places like IT parks, residential areas, market areas, hotels, the airport etc. The report was made public in a press conference today at the commissioner's office and has been uploaded to a <a href="http://wardrive.in/">new dedicated website.</a>Varun D Kapoorhttp://www.blogger.com/profile/17529348705205647251noreply@blogger.com1tag:blogger.com,1999:blog-4306907273163705118.post-31865047839687436232008-11-20T23:11:00.003+05:302008-11-20T23:21:35.401+05:30Documentaries<span style="font-weight:bold;">Unauthorized Access (101mb)</span> <br />An insider's view of the computer cracker underground. The filming took place all across the United States, Holland and Germany. "Unauthorized Access" looks at the personalities behind the computer screens and aims to separate the media hype of the 'outlaw hacker' from the reality. 
<br /><br /><a href="http://www.adrive.com/home/downloadfile/346b73e6ac03c671d053bf81a0fbbb04f69c7137c5c15bff531b769bb1328929/d/1">To download click here</a><a href="http://www.bianca.com/bump/ua/"><br />For more info</a><br /><span id="fullpost"><br /><span style="font-weight:bold;">Hackers 95 (43.6mb)</span><br />Video documentary from Defcon.<br /><br /><a href="http://www.adrive.com/home/downloadfile/b1e3d3a7bda428364bbd1c324e7cf5e6e4f5c94809df3aed1918d136b16fc933/d/1">To download click here</a><br /><span style="font-weight:bold;"><br />What was once possible with the telephone system (34mb)</span><br />A history of phone phreak culture previous to the statute of limitations. <br /><br /><a href="http://www.adrive.com/home/downloadfile/11a4b59f43b18e34aab98f143ae94dfcd798fc487a2af4bad2be646dcf1afc09/d/1">To download click here</a><br /><a href="http://www.tomanddarryl.org/">For more info</a><br /></span>Varun D Kapoorhttp://www.blogger.com/profile/17529348705205647251noreply@blogger.com0tag:blogger.com,1999:blog-4306907273163705118.post-15634936771353082802008-11-13T21:32:00.003+05:302008-11-13T21:41:55.068+05:30RFDump v1.4 : - An RFID toolRFDump is a backend GPL tool to directly interoperate with any RFID ISO-Reader to make the contents stored on RFID tags accessible. This makes the following types of audits possible:<br /><br /> * Test robustness of data-structures on the reader and the backend-application<br /> * Proof-of-concept manipulations of RFID tag contents<br /> * Clone / copy & paste User-Data stored on RFID tags<br /> * Audit tag-security features <br /><span id="fullpost"><br />RFDump is a tool to detect RFID-Tags and show their meta information: Tag ID, Tag Type, manufacturer etc. The User-Data of a tag can be displayed and modified using either a Hex or an ASCII editor. In addition, the integrated cookie feature demonstrates how easy it is for a company to abuse RFID technology to spy on their customers. 
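RFDump's feature list below includes an audit of cards for "default" shipping keys and saving Mifare cards together with their sector keys. The following Python example is added here and is not RFDump code or part of the original post: it performs that kind of audit offline on a saved dump. It walks the 16 sector trailers of a Mifare Classic 1K image (block 3 of each sector: key A, four access-condition bytes, key B), flags keys that match the well-known factory, MAD and NFC Forum keys, and checks that the access-condition nibbles are internally consistent, because restoring a malformed trailer onto a card locks that sector for good. The 1 KB image and its site keys are constructed in the code; on a raw read-back the key fields show as zeros (the card never returns key A), so real key material is only present in a dump saved by a tool that recorded the keys it used.

```python
# Well-known Mifare Classic sector keys that a deployed card should not still be using.
DEFAULT_KEYS = {
    bytes.fromhex("FFFFFFFFFFFF"): "factory transport key",
    bytes.fromhex("A0A1A2A3A4A5"): "MAD (application directory) key A",
    bytes.fromhex("B0B1B2B3B4B5"): "commonly used MAD key B",
    bytes.fromhex("D3F7D3F7D3F7"): "NFC Forum public key",
}
BLOCK = 16               # bytes per block
BLOCKS_PER_SECTOR = 4    # Mifare Classic 1K: 16 sectors of 4 blocks
SECTORS = 16
NO_KEY = bytes(6)        # a raw read-back shows unreadable keys as all zeros


def sector_trailers(dump):
    """Yield (sector, key_a, access_bytes, key_b) from a raw 1K image."""
    if len(dump) != SECTORS * BLOCKS_PER_SECTOR * BLOCK:
        raise ValueError("expected a 1024-byte Mifare Classic 1K dump")
    for s in range(SECTORS):
        off = (s * BLOCKS_PER_SECTOR + 3) * BLOCK   # block 3 of each sector is the trailer
        t = dump[off:off + BLOCK]
        yield s, t[0:6], t[6:10], t[10:16]


def access_bits_consistent(acc):
    """Check the inverted/plain nibble pairs of the access condition bytes.

    Byte 6 = ~C2 | ~C1, byte 7 = C1 | ~C3, byte 8 = C3 | C2 (high | low nibble);
    byte 9 is free user data. Writing a trailer whose pairs disagree makes the
    sector permanently inaccessible, so a restore tool must refuse it.
    """
    b6, b7, b8 = acc[0], acc[1], acc[2]
    c1, c2, c3 = b7 >> 4, b8 & 0xF, b8 >> 4
    return (((b6 >> 4) ^ 0xF) == c2 and ((b6 & 0xF) ^ 0xF) == c1
            and ((b7 & 0xF) ^ 0xF) == c3)


def audit_dump(dump):
    """Return (sector, item, finding) tuples for a dump saved together with its keys."""
    findings = []
    for s, key_a, acc, key_b in sector_trailers(dump):
        for name, key in (("key A", key_a), ("key B", key_b)):
            if key == NO_KEY:
                findings.append((s, name, "not present in dump (reads as zeros)"))
            elif key in DEFAULT_KEYS:
                findings.append((s, name, DEFAULT_KEYS[key]))
        if key_a == key_b and key_a != NO_KEY and key_a not in DEFAULT_KEYS:
            findings.append((s, "keys", "key A equals key B"))
        if not access_bits_consistent(acc):
            findings.append((s, "access bits", "malformed (writing this back locks the sector)"))
    return findings


def build_sample_dump():
    """Constructed 1K image: sector 0 on MAD keys, 1-14 on a site key, 15 left on factory keys."""
    transport_acc = bytes.fromhex("FF078069")    # standard transport access conditions
    site_a, site_b = bytes.fromhex("112233445566"), bytes.fromhex("AABBCCDDEEFF")
    uid = bytes.fromhex("DEADBEEF")
    bcc = bytes([uid[0] ^ uid[1] ^ uid[2] ^ uid[3]])
    dump = bytearray(SECTORS * BLOCKS_PER_SECTOR * BLOCK)
    dump[0:BLOCK] = uid + bcc + bytes.fromhex("0804006263646566676869")   # manufacturer block
    for s in range(SECTORS):
        if s == 0:
            key_a, key_b = bytes.fromhex("A0A1A2A3A4A5"), bytes.fromhex("FFFFFFFFFFFF")
        elif s == SECTORS - 1:
            key_a = key_b = bytes.fromhex("FFFFFFFFFFFF")
        else:
            key_a, key_b = site_a, site_b
        off = (s * BLOCKS_PER_SECTOR + 3) * BLOCK
        dump[off:off + BLOCK] = key_a + transport_acc + key_b
    return bytes(dump)


if __name__ == "__main__":
    for sector, item, finding in audit_dump(build_sample_dump()):
        print(f"sector {sector:2d} {item:11s} {finding}")
```

On the constructed image the audit reports sector 0 (public MAD key A, fact
ory key B) and sector 15 (never re-keyed), which is exactly the pattern seen on cards where only the application sectors were personalised. The same checks apply before any "restore" to a card: a trailer that fails access_bits_consistent must not be written back.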
RFDump works with the ACG Multi-Tag Reader or similar card reader hardware. <br />RFDump is available in different versions:<br /><br /> * As a Gtk application for Linux/Unix with a GUI<br /> * As a rudimentary Perl script for Linux (PC or PDA) with a console-based interface <br /><br />RFDump features (Gtk Application):<br /><br /> * Runs on Linux, Windows<br /> * Supports ACG's PCMCIA/CF Multi-Tag Readers<br /> * Decodes the tag type, tag ID and manufacturer<br /> * Displays tag memory in Hex and ASCII encoding<br /> * Allows writing memory using a Hex or ASCII editor<br /> * NEW: Full 14443 a/b Support<br /> * NEW: Support for Mifare sector keys<br /> * NEW: Cookie feature using arbitrary cookie ID and automatically incrementing counter<br /> * NEW: Brute-force cracking of access control cards (sector keys)<br /> * NEW: Audit of encrypted RFID tags: check for "default" shipping keys<br /> * NEW: Save and restore of Mifare cards incl. sector keys<br /> * NEW: Multi baud rate reader support, RFDump can set the baud rate<br /> * NEW: Scan option<br /> * NEW: Config menus <br /><br />Supported Tag Types:<br /><br /> * ISO 15693: Tag-it ISO, My-d, I-Code SLI, LRI512, TempSense<br /> * ISO 14443 A: Mifare Standard(1,2), Mifare UltraLight(1,2)<br /> * ISO 14443 B: SR176(1,2)<br /> * Tag-it®<br /> * I-Code®<br /> * EM4002<br /> * EM4005<br /> * EM4050<br /> * HITAG1<br /> * HITAG2<br /> * Q5<br /> * TIRIS <br /><br />Recommended Hardware:<br /><br /> * Linux/Windows PC or HP iPAQ PDA with Linux<br /> * ACG Multi-Tag Reader, in a CF-Flash Socket or PCMCIA Adapter<br /> * 13.56 MHz Tags for testing <br /><br />To download <a href="http://www.rf-dump.org/downloads.shtml">click here</a><br /></span><br /><br />It is also available as a <a href="http://ftp.arcane-networks.com/pub/rfdump/rfdump-1.4-vmware.zip">Live Image</a> that runs in VMware.Varun D 
Kapoorhttp://www.blogger.com/profile/17529348705205647251noreply@blogger.com7tag:blogger.com,1999:blog-4306907273163705118.post-29297345203801285582008-11-07T22:05:00.002+05:302008-12-18T20:48:27.833+05:30SARA (tool from SATAN)From SATAN and its development came SARA, which is now in its 3rd generation.<br /><br />Advanced Research’s philosophy relies heavily on software re-use. Rather than inventing a new module, SARA is adapted to interface to other community products. For instance, SARA interfaces with the popular Nmap package for superior “Operating System fingerprinting”. Also, SARA provides a transparent interface to SAMBA for SMB security analysis.<br /><br />A recent addition to SARA is the ability to operate on Windows 200* and Windows XP platforms. SARA relies on Cooperative Linux to provide the proper operating environment to run as a Windows process. This product is called coSARA.<br /><br />The Security Auditor’s Research Assistant (SARA) is a third generation network security analysis tool that:<br /><span id="fullpost"><br /><br /><br /> 1. Operates under Unix, Linux, MAC OS/X or Windows (through coLinux) OS’.<br /> 2. Integrates the National Vulnerability Database (NVD).<br /> 3. Performs SQL injection tests.<br /> 4. Performs exhaustive XSS tests<br /> 5. Can adapt to many firewalled environments.<br /> 6. Supports remote self scan and API facilities.<br /> 7. Used for CIS benchmark initiatives<br /> 8. Plug-in facility for third party apps<br /> 9. CVE standards support<br /> 10. Enterprise search module<br /> 11. Standalone or daemon mode<br /> 12. Free-use open SATAN oriented license<br /> 13. Updated twice a month (we try)<br /> 14. User extension support<br /> 15. Based on the SATAN model<br /><br />The first generation assistant, the Security Administrator’s Tool for Analyzing Networks (SATAN), was developed in early 1995. It became the benchmark for network security analysis for several years. 
However, few updates were provided and the tool slowly became obsolete in the growing threat environment. <br /><br />For Linux download <a href="http://www-arc.com/sara/downloads/sara-7.8.4.tgz">sara-7.8.4.tgz</a><br />For Windows download <a href="http://www-arc.com/sara/downloads/cosara/cosara-7.4.1.exe">cosara-7.4.1.exe<br /></a><br /> <br />And for more info </span>Varun D Kapoorhttp://www.blogger.com/profile/17529348705205647251noreply@blogger.com4tag:blogger.com,1999:blog-4306907273163705118.post-14272907969813369132008-11-02T23:12:00.002+05:302008-11-02T23:22:36.369+05:30Free zip password cracker v1FCrackZip is a completely free zip password cracker, though a command-line one.<br />It is free software and the source code is available.<br />Now, what are the features of fcrackzip?<br /><br /> * FREE<br /><br /> It doesn't cost anything, it will run on many architectures, and the source is freely available, so you can customise it to your needs. If you make improvements, don't hesitate to mail them to me, and I will include them in fcrackzip!<br /><br /> One goal of fcrackzip was to provide a free but still fast zipcracker, so that other people can improve and contribute to it further, in an open development style.<br /><br /> Other programs, like fzc, come not only without source, but the executable is even encrypted, so improving it or customizing it is difficult at best. (Maybe the programmers of other crackers don't want people to see how crappy their code actually is? Nobody knows for sure, but I see no other reason for this strange, but common, behaviour)<br /><span id="fullpost"><br /><br /> * FAST<br /><br /> On my old machine (a pentium-90), the portable C version is 12% slower than fzc, the fastest cracker I could find. Small parts of fcrackzip have been converted to x86 assembly, so it performs a bit faster (around 4%) than fzc now, on the same hardware (note: this is highly os/compiler dependent). 
Since the author of fzc claims that it is written fully in assembler, further improvements might well be possible. Incidentally, on my new P-II machine, fcrackzip is almost twice as fast as fzc ;)<br /><br /> * PORTABLE<br /><br /> fcrackzip was written in ISO-C, and should run on most platforms, even 64 bit ones (maybe after some tweaking). I'll be glad to hear about portability problems so I can fix them.<br /><br /> * FEATUREFUL<br /><br /> fcrackzip will, at some later stage at least, support many more useful operation modes than other crackers. It already supports multiple zip files with multiple files. Remember that the code is only a few hours old!<br /><br /> However, since version 0.2.0 fcrackzip also includes a mode to brute force cpmask'ed images, something no other program (that I know of) can do, so at least there is one feature other crackers don't have.<br />To download for <br /><a href="http://www.goof.com/pcg/marc/data/fcrackzip-bin-win32-0.3.zip">Windows</a><br /><a href="http://www.goof.com/pcg/marc/data/fcrackzip-1.0.tar.gz">Linux</a> <br /></span>Varun D Kapoorhttp://www.blogger.com/profile/17529348705205647251noreply@blogger.com3tag:blogger.com,1999:blog-4306907273163705118.post-80026796927180747262008-11-02T03:25:00.006+05:302008-11-02T05:20:36.007+05:30Hack a Mobile Phone with Linux and PythonA mobile phone is a cool gadget to play with, especially when I can run my favourite programming language (no prize for guessing what it is!) on it! That was the logic which made me purchase a Nokia Series 60 smartphone, the N-Gage QD. This article describes a few experiments I did with the mobile - like setting up Bluetooth communication links, writing Python/C code and emulating serial ports.<br />Bluetooth on Linux<br /><br />Bluetooth is a short distance wireless communication standard. It is commonly used to facilitate data transfer between PCs and cell phones/PDAs without the hassle of `wired' connections. 
The hardware which provides Bluetooth connectivity on the PC is a small device called a `USB-Bluetooth dongle' which you can plug into a spare USB port of your machine. I approached the local electronics dealer asking him for such a device and got one which didn't even have the manufacturer's name printed on it. The driver CD which came with it of course contained only Windows software. Deciding to try my luck, I plugged the device in and booted my system running Fedora Core 3 - the bluetooth service was started manually by executing:<br /><span id="fullpost"><br />sh /etc/init.d/bluetooth start<br /><br /><br />Here is the output I obtained when the command `hciconfig' (which is similar to the `ifconfig' command used to configure TCP/IP network interfaces) was executed:<br /><br />hci0: Type: USB<br /> BD Address: 00:11:B1:07:A2:B5 ACL MTU: 192:8 SCO MTU: 64:8<br /> UP RUNNING PSCAN ISCAN <br /> RX bytes:378 acl:0 sco:0 events:16 errors:0<br /> TX bytes:309 acl:0 sco:0 commands:16 errors:0<br /><br /><br />My no-name USB-Bluetooth dongle has been detected and configured properly! The number 00:11:B1:07:A2:B5 is the Bluetooth address of the device.<br />Detecting the mobile<br /><br />The next step is to check whether Linux is able to sense the proximity of the mobile. If your phone has bluetooth disabled, enable it and run the following command (on the Linux machine):<br /><br />hcitool scan<br /><br /><br />Here is the output obtained on my machine:<br /><br />Scanning ...<br /> 00:0E:6D:9A:57:48 Dijkstra<br /><br /><br />The `BlueZ' protocol stack running on my GNU/Linux box has `discovered' the Nokia N-Gage sitting nearby and printed its Bluetooth address as well as the name which was assigned to it, `Dijkstra'.<br />Pairing the mobile<br /><br />For security reasons, some interactions with the mobile require that the device is `paired' with the one it is interacting with. First, store a number (4 or more digits) in the file /etc/bluetooth/pin (say 12345). 
Stop and restart the bluetooth service by doing:<br /><br />sh /etc/init.d/bluetooth stop<br />sh /etc/init.d/bluetooth start<br /><br /><br />Now initiate a `pairing' action on the mobile (the phone manual will tell you how this is done). The software on the phone will detect the presence of the Bluetooth-enabled Linux machine and ask for a code - you should enter the very same number which you have stored in /etc/bluetooth/pin on the PC - the pairing process will then succeed.<br />Transferring files<br /><br />Files can be transferred to/from the Linux machine using a high-level protocol called OBEX (OBject EXchange, originally designed for infrared links). First, you have to find out whether the mobile supports OBEX-based message transfer. Try running the following command on the Linux machine (the number is the bluetooth address of the phone):<br /><br />sdptool browse 00:0E:6D:9A:57:48<br /><br /><br />You might get voluminous output - here is part of what I got:<br /><br />Service Description: OBEX Object Push<br />Service RecHandle: 0x10005<br />Service Class ID List:<br /> "OBEX Object Push" (0x1105)<br />Protocol Descriptor List:<br /> "L2CAP" (0x0100)<br /> "RFCOMM" (0x0003)<br /> Channel: 9<br /> "OBEX" (0x0008)<br /><br /><br />OBEX is built on top of a lower-level protocol called RFCOMM. The `Object Push' service uses RFCOMM `channel' 9. Let's try to upload a file to the phone; run the following command on the Linux machine:<br /><br />obex_push 9 00:0e:6d:9a:57:48 a.txt<br /><br /><br />The phone will respond by asking you whether to accept the message coming over the bluetooth link. The same command, invoked without any option, can be used to receive files sent from the mobile over the bluetooth link (read the corresponding `man' page for more details).<br />Installing Python<br /><br />Nokia has recently done a port of Python to the `Series 60' smartphones running the Symbian operating system. 
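The `hcitool scan' and `sdptool browse' steps above are done by eye in the article; the socket listings (Listings 1 to 3) are not reproduced on this page. The following is an added example, not the article author's code: it parses the two command outputs quoted above (embedded here as constructed samples) to pick out the phone's address and the RFCOMM channel behind the OBEX Object Push service class (0x1105), builds the matching obex_push command line, and provides an RFCOMM server on channel 4 written against Python's standard socket module (AF_BLUETOOTH, Linux/BlueZ only) in place of the C/PyBlueZ servers the article describes. The helper names and the assumption that sdptool separates records with blank lines are mine.

```python
"""Helpers for the BlueZ command output shown in the article, plus a minimal
RFCOMM server.  Added example; not the article's own listings."""
import re
import socket

# Constructed sample: `hcitool scan` output as quoted in the article.
HCITOOL_SCAN_OUTPUT = """Scanning ...
\t00:0E:6D:9A:57:48\tDijkstra
"""

# Constructed sample: the `sdptool browse` record quoted in the article.
# Real sdptool output holds many such records separated by blank lines
# (assumption used by rfcomm_channel_for_service below).
SDPTOOL_BROWSE_OUTPUT = """Service Description: OBEX Object Push
Service RecHandle: 0x10005
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
"""

BDADDR_RE = re.compile(r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s*(.*)$")
CHANNEL_RE = re.compile(r"Channel:\s*(\d+)")


def parse_hcitool_scan(text):
    """Return {bdaddr: name} for every device line of `hcitool scan` output."""
    devices = {}
    for line in text.splitlines():
        m = BDADDR_RE.match(line.strip())
        if m:
            devices[m.group(1).upper()] = m.group(2).strip()
    return devices


def rfcomm_channel_for_service(text, class_uuid=0x1105):
    """Return the RFCOMM channel of the first record whose Service Class ID
    List contains `class_uuid` (default 0x1105, OBEX Object Push), else None.
    The channel is read from the line that follows the "RFCOMM" protocol entry."""
    wanted = "(0x%04x)" % class_uuid
    for record in text.strip().split("\n\n"):
        in_class_list = class_matches = after_rfcomm = False
        for raw in record.splitlines():
            line = raw.strip()
            if line.startswith("Service Class ID List"):
                in_class_list = True
                continue
            if line.startswith("Protocol Descriptor List"):
                in_class_list = False
                continue
            if in_class_list and wanted in line.lower():
                class_matches = True
            if line.startswith('"RFCOMM"'):
                after_rfcomm = True
                continue
            if after_rfcomm:
                m = CHANNEL_RE.match(line)
                if m and class_matches:
                    return int(m.group(1))
                after_rfcomm = False
    return None


def obex_push_command(sdp_text, bdaddr, filename):
    """Build the argv for the obex_push invocation shown in the article."""
    channel = rfcomm_channel_for_service(sdp_text)
    if channel is None:
        raise LookupError("phone does not advertise OBEX Object Push")
    return ["obex_push", str(channel), bdaddr.lower(), filename]


def rfcomm_server(channel=4, max_bytes=1024):
    """Stand-in for the article's server: accept one RFCOMM connection on
    `channel` and return (peer_address, data).  Needs Linux, BlueZ and a
    dongle; the caller should compare peer_address with the paired phone
    before trusting the payload, since any device may connect."""
    srv = socket.socket(socket.AF_BLUETOOTH, socket.SOCK_STREAM,
                        socket.BTPROTO_RFCOMM)
    srv.bind((socket.BDADDR_ANY, channel))
    srv.listen(1)
    conn, peer = srv.accept()
    try:
        data = conn.recv(max_bytes)
    finally:
        conn.close()
        srv.close()
    return peer, data


if __name__ == "__main__":
    phones = parse_hcitool_scan(HCITOOL_SCAN_OUTPUT)
    for addr, name in phones.items():
        print(" ".join(obex_push_command(SDPTOOL_BROWSE_OUTPUT, addr, "a.txt")), "#", name)
```

Running the module prints the obex_push line for each discovered phone; rfcomm_server is only useful on a BlueZ host and is left for the reader to call after pairing.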
The Python interpreter as well as a few important modules are packaged into a single .sis file (somewhat like the Linux RPM file) which can be obtained from http://www.forum.nokia.com/main/0,,034-821,00.html. The file to be installed is named PythonForSeries60_pre_SDK20.SIS. The first step is to transfer this file to the mobile via obex_push. Trying to open the file on the mobile will result in the Nokia installer program running - it will ask you whether to install Python on the limited amount of memory which the phone has or to an additional MMC card (if one is present). Once the installation is over, you will see a not-so-cute Python logo on the main menu of the phone - Figure 1 is a screenshot I took of the main menu. <br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://pramode.net/articles/lfy/mobile/figure1.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 176px; height: 208px;" src="http://pramode.net/articles/lfy/mobile/figure1.jpg" border="0" alt="" /></a><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://pramode.net/articles/lfy/mobile/figure2.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 176px; height: 208px;" src="http://pramode.net/articles/lfy/mobile/figure2.jpg" border="0" alt="" /></a><br /><br />Running the Python `Hello, World'<br /><br />You can write Python scripts on the Linux machine and upload them to the mobile with `obex_push'. If you try to open these scripts (on the mobile), the `applications manager' will ask you whether to install the files as Python scripts or not. 
Once installed as scripts, you can execute them by following the instructions displayed on the screen when you open the `Python' application from the main menu.<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://pramode.net/articles/lfy/mobile/figure3.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 176px; height: 208px;" src="http://pramode.net/articles/lfy/mobile/figure3.jpg" border="0" alt="" /></a><br /><br />The output obtained by installing and running the following script on the mobile:<br /><br />import appuifw # The application UI framework<br />appuifw.app.title = u'Cool Python'<br />appuifw.note(u'OK', 'info')<br /><br /><br />Socket programming<br /><br />Application programs running on both the phone and the Linux machine interface with the Bluetooth protocol stack via the socket API. Listing 1 shows a simple client program running on the mobile which connects with a server running on the Linux machine and sends it a message; the server code is shown in Listing 2.<br /><br />The Python client program running on the mobile opens a Bluetooth socket and connects to the PC whose device address is specified in the variable `ATHLON'. Once the connection is established, it simply sends the string `Hello, world'.<br /><br />The server program running on the PC opens a Bluetooth stream socket, binds it to RFCOMM channel 4 and calls `accept' - the server is now blocked waiting for a connection request to arrive from the client. Once the request arrives, the server comes out of `accept' with a `connected' socket; calling `recv' on that socket gives the server the string which the client transmitted.<br /><br />The `bacpy' function in the server program is defined as an inline function in one of the header files being included - so you need not link in any extra library to get the executable. 
But if you are using any of the other Bluetooth utility functions like `ba2str', you have to link /usr/lib/libbluetooth.so to your code.<br />Using PyBlueZ<br /><br />There is an interesting Python interface to the Bluetooth library in Linux called `PyBlueZ' available for download from http://org.csail.mit.edu/pybluez. It simplifies the process of writing bluetooth socket programs on the Linux machine. Listing 3 shows the Python implementation of the server program described in the previous section.<br />Emulating serial links<br /><br />Programs like `minicom' are used to talk to devices connected over a serial link (say a modem). There is a neat software trick to present a `serial-port-like' view of a bluetooth link so that programs like `minicom' can manipulate the connection effortlessly. Let's try it out.<br /><br />First, edit /etc/bluetooth/rfcomm.conf so that it looks like the following:<br /><br />rfcomm0 {<br /> bind no;<br /> device 00:0e:6d:9a:57:48;<br /> channel 1;<br /> comment "Example Bluetooth device";<br />}<br /><br /><br />After stopping and restarting the bluetooth service, run the following command:<br /><br />rfcomm bind /dev/rfcomm0<br /><br /><br />You should see a file called `rfcomm0' under /dev after executing the above command. Now, you can set up `minicom' by running:<br /><br />minicom -m -s<br /><br /><br />The only thing to do is to set the name of the device to connect to as /dev/rfcomm0. Save the new configuration as the default configuration and invoke:<br /><br />minicom -m<br /><br /><br />Minicom is now ready to talk to your phone! Type in `AT' and the program will respond with an `OK'. Say you wish to make your phone dial a number. 
Just type:<br /><br />atdt 1234567;<br /><br /><br />There are many other AT commands you can experiment with; try googling for say `mobile phone AT commands' or something of that sort!<br /><br />After you have finished with your virtual serial port manipulations, you should run:<br /><br />rfcomm release /dev/rfcomm0<br /><br /><br />to `release' the serial-bluetooth link.<br />Python over a Bluetooth console<br /><br />Once you get the serial port emulation working, there is another interesting hack to explore. The Nokia Python distribution comes with a program called `btconsole.py'. On one console of your Linux machine, run the command:<br /><br />rfcomm listen /dev/rfcomm0<br /><br /><br />Now run `btconsole.py' on the phone. You will see that after a few seconds, `rfcomm' will respond with a `connected' message. Once you get this message, take another console and run:<br /><br />minicom -m <br /><br /><br />What do you see on the screen? A Python interactive interpreter prompt! You can now type in Python code snippets and execute them on the phone on-the-fly! Isn't that cool?<br />Parting Thought<br /><br />I was curious to know how Microsoft's Windows XP operating system, famous for its `ease of use', would compare with Linux when it comes to interacting with my NGage QD. I installed the Windows driver for my no-name usb-bluetooth dongle and tried to get the Nokia PC suite up and running on an XP machine - maybe it's because I am far more experienced in GNU/Linux than on MS operating systems, but I found the XP experience far less `friendly' than MS would care to admit. I believe that most of the `user friendliness' of the Microsoft operating system comes from hardware vendors and application developers tightly integrating their products with the platform rather than any inherent quality of the OS as such.<br />References<br /><br />For a general introduction to Bluetooth technology, see http://www.dell.com/downloads/global/vectors/2003_bluetooth.pdf. 
An interesting paper on Bluetooth security is available at http://www.niksula.cs.hut.fi/~jiitv/bluesec.html.<br /><br />http://www.holtmann.org/ has plenty of information regarding Bluetooth and Linux; I found the document `Bluetooth Programming for Linux' (http://www.holtmann.org/papers/bluetooth/wtc2003_slides.pdf) very informative.<br /><br />Lots of information about Python on series 60 mobiles is available at http://www.postneo.com/postwiki/moin.cgi/PythonForSeries60/. ObexFTP seems to be an interesting tool - you can get it from http://triq.net/obex/. There are some documents floating on the net which describe how you can do an NFS mount of your phone's file system - try a google.<br /></span>Varun D Kapoorhttp://www.blogger.com/profile/17529348705205647251noreply@blogger.com31tag:blogger.com,1999:blog-4306907273163705118.post-51670453811962955322008-11-02T03:12:00.006+05:302008-11-03T01:29:26.990+05:30NeoPwn Mobile PentestingThe first ever mobile pentesting platform is here. Running on a well balanced mix of open source hardware and network security testing software, NeoPwn has been a long awaited pocket penetration testing platform. This is the first ever network auditing distribution for a mobile phone.<br />
<br />
The NeoPwn uses the base platform of the Openmoko Neo Freerunner, which offers USB WLAN support, a GPS modem, a GPRS modem for cellular connectivity, and a CSR-based Bluetooth module. The USB host mode will also allow for a range of other devices and peripherals.<br />
<span id="fullpost"><br />
NeoPwn runs on an optimized, fully custom Debian operating system that boots off a microSD card with a custom Linux kernel with broad module driver support, giving the network security tester the ability to perform various network penetration auditing tasks that are normally carried out on a notebook or desktop workstation.<br />
<br />
<br />
There have been other commercial-grade pocket penetration testing platforms in the past, however they lacked the ability of wireless packet injection and open source programming. These devices also carry a hefty price tag for their limited abilities in comparison. The NeoPwn's penetration software collection is based on very popular open source pentesting applications and is proven to be a powerful, discreet network auditing tool for the penetration tester.<br />
<br />
You will have the ability to discreetly arm yourself with a device that will fit in a pocket to test various aspects of your client's network - going places where being promiscuous and undetected is essential.<br />
<br />
<span style="font-weight:bold;">Click images to display larger</span><br />
<br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.linuxdevices.com/files/misc/neopwn_screen3-sm.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 220px; height: 294px;" src="http://www.linuxdevices.com/files/misc/neopwn_screen3-sm.jpg" border="0" alt="" /></a><br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.linuxdevices.com/files/misc/neopwn_screen2-sm.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 220px; height: 289px;" src="http://www.linuxdevices.com/files/misc/neopwn_screen2-sm.jpg" border="0" alt="" /></a><br />
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.linuxdevices.com/files/misc/neopwn_screen1-sm.jpg"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 220px; height: 295px;" src="http://www.linuxdevices.com/files/misc/neopwn_screen1-sm.jpg" border="0" alt="" /></a><br />
<br />
<a href="http://www.neopwn.com/index.php">For more information click here</a><br />
</span>Varun D Kapoorhttp://www.blogger.com/profile/17529348705205647251noreply@blogger.com0tag:blogger.com,1999:blog-4306907273163705118.post-1696476516822899482008-11-02T03:03:00.002+05:302008-11-02T05:21:58.405+05:30Mdk3 v4....(new)The new MDK3 uses the osdep injection library from the www.aircrack-ng.org project. The Linux-dependent includes have been removed; mdk3 compiles and runs on FreeBSD and even Windows (Cygwin). For Windows you need special drivers, a possibly illegal DLL file and the cygwin environment. Please see the aircrack-ng website for details.<br /><br />MDK3 has successfully been tested on the new mac80211 stack in kernel version 2.6.23 with the rt2x00 driver and a rt73usb card.<br /><br />If you are a Linux user, just make, make install and have fun.<br />If you are a FreeBSD user, do the same, and report back to me if it works correctly there.<br />And very important, don't forget to type mdk3 instead of mdk2 now ;)<br /><span id="fullpost"><br />MDK3 is licensed under GPLv2.<br />Features:<br />- Bruteforce MAC Filters<br />- Bruteforce hidden SSIDs (some small SSID wordlists included)<br />- Probe networks for checking if they can hear you<br />- intelligent Authentication-DoS to freeze APs (with checking for success)<br />- Beacon Flooding with channel hopping (can crash NetStumbler and some buggy drivers)<br />- Disconnects everything found (aka AMOK-MODE) with DeAuth and DisAssoc packets (Don't try this where they can kick your ass! 
;D)<br />- WPA TKIP Denial-of-Service<br /><br /><br />MDK3 version 4<br />* Added high-speed MAC-Filter Bruteforce Mode (experimental)<br />-> Please test this on your APs and report back for optimizing and bugfixing, thanks!<br /><br /><br />MDK3 version 3<br />* Added a channel hopper for Amok Mode<br />* Added WIDS confusion mode<br />* fresh & bugfixed osdep included<br />* Fixed White- and Blacklisting again...<br /><br /><br />MDK3 version 2<br />* More Documentation<br />* Added -Wall to Makefile to always keep the code clean<br />* Fixed the Warnings produced by -Wall ;)<br />* Updated osdep<br />* Merged some patches from Andy Green to clean up the code<br />* Poured some holy water all over the code, because mdk3 is used by professionals<br />* Added intelligent Authentication DoS mode<br />* Fixed White- and Blacklist function in Amok mode (again!!!)<br /><br /><br />MDK3 version 1<br />* NOW USING OSDEP INJECTION from aircrack-ng project<br />-> mdk2 should now run on LINUX and FREEBSD (and soon more)<br />* Started writing some docs (now that mdk3 may soon run on Windows, the kids may need it, hehehe)<br />* Better Madwifi-ng handling<br />* Blacklist mode fixed<br /><br />Download <a href="http://homepages.tu-darmstadt.de/~p_larbig/wlan/mdk3-v4.tar.bz2">Click Here</a><br /></span>Varun D Kapoorhttp://www.blogger.com/profile/17529348705205647251noreply@blogger.com2tag:blogger.com,1999:blog-4306907273163705118.post-52524117605772123472008-11-02T02:30:00.006+05:302008-11-02T05:23:20.376+05:30Wifizoo 1.3 - Eee PC Edition Release.WifiZoo is a tool to gather wifi information passively. 
<br />WifiZoo does the following:<br /><span id="fullpost"><br />-gathers bssid->ssid information from beacons and probe responses *(now the graph contains the ssid of the bssid :), new in v1.1)*<br />-gathers list of unique SSIDS found on probe requests (you can keep track of all SSIDS machines around you are probing for, and use this information on further attacks) *new in v1.1*<br />-gathers the list and graphs which SSIDS are being probed from what sources *new in v1.1*<br />-gathers bssid->clients information and outputs it in a file that you can later use with graphviz and get a graph with "802.11 bssids->clients". It gathers both src and dst addresses of packets to make the list of clients so sometimes you get weird graphs that are fun to analyze :) (basically, because I still need to omit multicast dst addresses and things like that). Using the dst address means that sometimes you get mac addresses of wifi devices that are not near you, but I think it gives you information about the wifi 'infrastructure', again, I think :).<br />-gathers 'useful' information from unencrypted wifi traffic (a la Ferret, dsniff, etc.); like pop3 credentials, smtp traffic, http cookies/authinfo, msn messages, ftp credentials, telnet network traffic, nbt, etc.<br /><br /><br />and remember.. WifiZoo is work in progress... <br />The author has added a new version of my WifiZoo web interface customisation to his website at http://www.wifizoo.info/. The new version has been shrunk down, hopefully to fit smaller screens such as the Eee PC.<br /><br />This version is miniaturised for the Eee PC. The buttons are made smaller amongst a few other things. 
<br /><br />Download it from <a href="http://www.wifizoo.info">here.</a><br /><span style="font-weight:bold;">Screenshot</span><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://wifizoo.info/screen.png"><img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 858px; height: 469px;" src="http://wifizoo.info/screen.png" border="0" alt="" /></a><br /></span>Varun D Kapoorhttp://www.blogger.com/profile/17529348705205647251noreply@blogger.com6tag:blogger.com,1999:blog-4306907273163705118.post-24787335771739154172008-11-02T02:11:00.005+05:302008-11-02T02:53:23.465+05:30Ubuntu 8.10 supports injection for all broadcom mini-pci wireless cards<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://wubi-installer.org/images/wubi_logo.gif"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 256px; height: 80px;" src="http://wubi-installer.org/images/wubi_logo.gif" border="0" alt="" /></a><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.ubuntu.com/themes/ubuntu07/images/ubuntulogo.png"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 202px; height: 55px;" src="http://www.ubuntu.com/themes/ubuntu07/images/ubuntulogo.png" border="0" alt="" /></a><br /><br /><br />The new version of Ubuntu Linux, Ubuntu 8.10, is available for download. This is the most exciting release because it is the only available flavor which supports injection for any Broadcom mini-PCI wireless card. I have tested it against a Broadcom 4311 rev 02 mini-PCI card and the injection is working 100%. 
It also has the latest available Linux kernel, so it supports almost all the available hardware.<br />For more info <a href="http://www.ubuntu.com/getubuntu/releasenotes">Click Here</a><br />And to download <a href="http://www.ubuntu.com/getubuntu/download">Click Here</a><br />For those who want to download the ISO image directly and install it from within Windows, one can use the latest version of <a href="http://wubi-installer.org/">Wubi.</a>Varun D Kapoorhttp://www.blogger.com/profile/17529348705205647251noreply@blogger.com0