Monday 19 November 2012

PHP 5.5 To Include Simple And Secure Password Hashing API

Few days ago, we saw the release of PHP 5.5.0 Alpha 1 to the public. The PHP development team is serious about addressing all the criticism it gets time and again. With the recent leaks of several high profile sites, a simple to use yet secure password hashing API has been introduced now.

Here's the RFC for simple password hashing API proposed by ircmaxell and now it has been implemented as a PHP core in 5.5.0 Alpha 1 release and will continue to be part of the PHP core in future releases.

In case you would like to use the API functions in older releases, there's a compatible PHP library for PHP >= 5.3.7. The reason for this is that PHP prior to 5.3.7 contains a security issue with its BCRYPT implementation.

Basically the idea behind simple password hashing API is that most of the PHP developers either don't understand or don't think worth the effort the whole concept of strong password hashing. By providing a simple API that can be called, which takes care of all of those issues for you, hopefully more projects and developers will be able to use secure password hashing.

Using the API is quite simple. All you have to do to get the hash is:

$hash = password_hash($password, PASSWORD_BCRYPT);

Verifying the password is also quite simple.

if (password_verify($password, $hash)) {
    // pass is correct :)
} else {
    // pass is correct :/

The simple password hashing API provides sets of password_* functions for the developers to make use of strong password hashing.

Reading materials

RFC for simple password hashing API

Designing an API

PHP 5.5.0 Alpha 1 released


How To View Someone's IP and Speed - Epic

Well wanna laugh the whole day? Then, check out the video I found today on google. Don't even try to hold your laugh while watching this video because that's gonna cause a serious mental disorder :P. Before starting, I would suggest you to read Wikipedia entry about traceroute if you don't know about traceroute(Believe me if you understand english, you'll get what it is).

Myself, been laughing the whole day. :P


Tuesday 13 November 2012

Linux Mint 14 "Nadia" RC Released

After 6 months of incremental development on top of stable and reliable technologies such as MATE, Cinnamon and MDM, Linux Mint 14 codenamed "Nadia" RC is available for download.

For the first time since Linux Mint 11, the development team was able to capitalize on upstream technology which works and fits its goals. After 6 months of incremental development, Linux Mint 14 features an impressive list of improvements, increased stability and a refined desktop experience. This new release comes with updated software and brings refinements and new features to make your desktop even more comfortable to use. Linux Mint 14 "Nadia" is based upon the Ubuntu 12.10 "Quantal Quetzal".

The download links (torrents and direct both) are available at this blog post.

Useful Links

Download Nadia
Nadia release notes
Whats New in Nadia


Sunday 11 November 2012

Wappalyzer - Browser Extension To Identify Web Servers

Wappalyzer is a very useful browser extension that reveals the web technologies and server softwares used behind to empower any webpage. This extension identifies different CMS, e-commerce portals, blogging platforms, web servers, frameworks, analytic tools, etc.

This very useful browser extension is available for Mozilla Firefox and Google Chrome. It is quite useful in server fingerprinting and identification steps. Wappalyzer tracks and detects several hundred applications under several categories.

Wappalyzer for Mozilla Firefox

Wappalyzer for Google Chrome

Wappalyzer @ GitHub

Once you install the addon and reload the browser, you will see the icons for identified applications on the right side of address bar (near to the bookmark & reload icon) in Mozilla Firefox. You can click in that area for more details.

One particular setting you would like to disable is the tracking and gathering of anonymous data which is *said* to be used for research purposes. You can turn off the tracking by going to the addon's preference page. Screenshot below shows the preference page in Mozilla Firefox.


Wednesday 7 November 2012

Steam Beta For Linux Released, Use Steam Beta Right Now

Finally the steam beta was released today and is ready for beta testing by the selected 1000 beta testers who were chosen through the Steam For Linux Beta Survey. This post also provides the steps for using steam beta for other users who were not selected.

Don't worry if you were not lucky enough to get a Beta account in Steam for linux survey. Some of the Reddit users have found a way around this and non-beta account holder can use steam for linux beta.

The post from Valve Software writes:

The Valve Linux team is proud to announce the launch of a limited access beta for its new Steam for Linux client.

The Steam for Linux Beta client supports the free-to-play game Team Fortress 2. Approximately two dozen additional Steam titles are now also available for play on Ubuntu. Additionally, the Steam for Linux Beta client includes Big Picture, the mode of Steam designed for use with a TV and controller, also currently in beta.

Below are the steps you should follow in order to use steam beta in your linux. First, type the following commands in the terminal:

samar@samar-Techgaun:~$ sudo apt-get install libopenal1
samar@samar-Techgaun:~$ wget && sudo dpkg -i steam.deb

The steam installer will then download and update the data for steam client. Once the update is finished, launch the steam from Unity dash and then login to your steam account (or create one). Close your steam client and then type the followin in terminal or just update your shortcut with following shortcut:

steam steam://open/games

Enjoy steam in your linux :)


Monday 5 November 2012

ImageShack and Symantec Hacked And Dumped

2012 has been a year of leaks and hacks and continues to be so. Hackers hacked into ImageShack and Symantec servers and have leaked several critical information regarding the servers and employees.

Hackers have disclosed in an e-zine that the security practices of these major companies have been a joke: In case of ImageShack, all MySQL instances as root, really old (2008) kernels, hardcode database passwords, enable register_globals, etc.

The e-zine says:

ImageShack has been completely owned, from the ground up. We have had root and physical control of every server and router they own.

Likewise, they have dumped the database of Symantec, one of the leading AV companies which includes the critical information of the researchers at Symantec.





Saturday 3 November 2012

Bypass Slot Reservation In Counter Strike 1.6

So you are crazy about CS but your local servers are always packed and can not enter the servers due to slot reservations for admins? Don't worry, this guide will provide an insight and step by step details on how to bypass slot reservation in Amx Mod X powered servers. I checked the source code of slot reservation plugin (adminslots.sma) from AMXMODX source and found out that the admin slot plugin was executing a brute-force vulnerable randomized command at the client end. See the line of code below:

format(g_cmdLoopback, 15, "amxres%c%c%c%c", random_num('A', 'Z'), random_num('A', 'Z'), random_num('A', 'Z'), random_num('A', 'Z'))

The bruteforce space is quite small, 4 uppercase characters from A-Z i.e. 26 * 26 * 26 * 26 combination is the maximum amount of search required to find the random part of the command. Hence, the command executed at client end is amxresXXXX where {X: X belongs to [A-Z]}. If there are still slots available for normal players or if the connecting user has slot reservation privilege, he will be able to connect to the server otherwise the server will kick the user. We are not going to bruteforce but we are going to use a memory viewer and editor software that is capable of reading the contents in the memory (RAM).

Basically, we hook into the Counter Strike client process from one of the freely available memory editors. We then connect to the server and get dropped due to the slot reservation message. In the meantime, the server sends the partial-random command.. FYI, these memory viewers make use of kernel APIs such as ReadProcessMemory() to read the memory layout of any process. We search for the initial part of the string which is amxres.

Once we find the unique string sent by server to our client, we use the alias command with amxresXXXX as our alias. For your info, alias provides a mechanism to group different commands to achieve something more useful.

The syntax of alias is: alias "alias_name" "cmd1; cmd2; ...; cmdn" And here we've just created an alias "amxresXXXX" which does nothing since the commands list is missing there.

The tool I've used here is ArtMoney available for download at In case, the site goes down, you can get it from here:

Several similar tools exist & are available for free. Some of them are CheatEngine ( and Poke (

Check the video below for more information:


Make Your Linux Read Papers For You

Fed up of reading text files and PDF papers? Is you eye power degrading day by day and can't hold even few minutes on screen? Don't worry, you can easily make your linux system speak and read all those papers for you.

There are several text to speech tools available for linux but in this post, I will be using festival, a Text-to-speech (TTS) tool written in C++. Also, Ubuntu and its derivation are most likely to include by default espeak, a multi-lingual software speech synthesizer.

For ubuntu and debian based system, type the following to install festival:
samar@samar-Techgaun:~$ sudo apt-get install festival

Moreover, you can also install a pidgin plugin that uses festival:

samar@samar-Techgaun:~$ sudo apt-get install pidgin-festival

For now, you just need to install festival. Once you have installed festival, you can make it read text files for you. If you go through the online manual of festival, it says:
"Festival works in two fundamental modes, command mode and text-to-speech mode (tts-mode). In command mode, information (in files or through standard input) is treated as commands and is interpreted by a Scheme interpreter. In tts-mode, information (in files or through standard input) is treated as text to be rendered as speech. The default mode is command mode, though this may change in later versions."

To read a text file, you can use the command below:

samar@samar-Techgaun:~$ festival --tts mypaper.txt

The festival will start in text-to-speech (tts) mode and will read your text files for you. But now, we want to read PDF files and if you try to read PDF files directly (festival --tts paper.pdf), festival is most likely to speak the cryptic terms since it actually reads the content of PDF including its header (You know PDF is different than simple text file). So we will use a pdftotext command to convert our pdf file and then pipe the output to the festival so that festival reads the PDF files for us. You can use the syntax as below to read PDF files.

samar@samar-Techgaun:~$ pdftotext paper.pdf - | festival --tts

If you want to skip all those table of contents and prefaces or if you are in the middle of PDF, you can use the switches of pdftotext to change the starting and ending pages. For example, if I wish to read page 10 - 14 of a PDF, I would do:

samar@samar-Techgaun:~$ pdftotext -f 10 -l 14 paper.pdf - | festival --tts

Enjoy learning. I hope this post helps you ;)