I am Prateek Gianchandani. I have interests in Reverse Engineering, Mobile and Browser Security, and I am the founder of 8ksec. I hope you enjoy the content in this blog.
Recent articles
Backtrack 5 R3 Walkthrough part 1
Jun 15, 2013
Backtrack is one of the most popular Linux distributions used for penetration testing and security auditing. The Backtrack development team is sponsored by Offensive Security. On 13th August 2012, Backtrack 5 R3 was released. This included the addition of about 60 new tools, most of which were released during the Defcon and Black Hat conferences held in Las Vegas in July 2012. In this series of articles, we will look at most of the new tools that were introduced with Backtrack 5 R3 and look at their usage. Some of the notable changes included tools...
Defcon 20 Day 3 Review
Jun 15, 2013
Defcon day 3 started with one of the most awaited talks of Defcon 20. It was the talk “Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2” by Moxie Marlinspike, David Hulton and Marsh Ray. Moxie Marlinspike has been one of the most popular speakers at Defcon for the past few years and, as expected, the hall was full of people. Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2: This talk was mainly about pointing out the vulnerabilities in the MS-CHAP v2 protocol. The speaker talks about how previous research has shown that the...
Defcon 20 Day 2 Review
Jun 15, 2013
The talks on Defcon day 2 were scheduled to begin from 10 am. I reached the venue at 8:30 am and decided to use the time to buy some Defcon merchandise. The lines for the merchandise are usually very long, but they weren’t at that time of the day. After buying a Defcon T-shirt, I decided to go to the room where the CTF contest was being held. The room was already filled with participants who were just setting up their systems for the contest. Here are some pics of the contest hall where...
Defcon 20 Day 1 Review
Jun 15, 2013
This article will discuss the talks and events that happened on Defcon day 1. Venue: Rio Hotel and Casino. We reached Rio Hotel at around 8 am. We thought we did well on time until a nice gentleman came to us and said “It’s a 3 hour long line, guys!”. We however got through the line in about 90 minutes, thanks to the nice staff at Defcon. Once you get through the registration process, you are offered a Defcon badge, which is your entry pass to Defcon, and a booklet that informs...
A New DNS Exploitation technique - Ghost domain names
Jun 15, 2013
DNS is a naming system which converts human readable domain names into computer readable IP addresses. Whenever there is a query for a domain which is not in the resolver’s cache, the process happens by traversing the entire DNS hierarchy from the root servers to the top level domain (e.g. .com). The top level domain then gives us the information about the nameserver that has been delegated the responsibility for the domain whose IP address we are looking for. We then get the information about that domain from its nameserver. The results...
Abusing Social Networking Sites to Perform Content Forgery
Jun 13, 2013
Web application vulnerabilities in social networking sites are very common these days. In this article we will be discussing a vulnerability found in social networking sites because of which it is possible to spoof the content shown to the user. Basically, whenever someone wants to share, post or send a link on Facebook or some other social networking site, a request goes out from their servers to the link which the user wants to share. This happens because Facebook (or that particular social networking site) wants to display a quick snapshot of what appears...
Circumventing NAT using UDP hole punching
Jun 13, 2013
A lot of networks use NAT (Network Address Translation) these days. This allows the systems on the same network to share a single global IP address. This also provides some added security but at the same time adds complications, especially while connecting to P2P (Peer to Peer) networks. This is because at the time of initiating a connection in a Peer to Peer network, it is not possible to determine which packet coming from the peer is intended for which host on the network, simply because they have one global IP address. Also, most...
Scanning the web with Ammonite
Jun 13, 2013
Ammonite is a Fiddler extension used to scan web applications for common vulnerabilities like verbose and blind SQL injection, OS commanding, local file inclusion, buffer overflows, format string vulnerabilities etc. Ammonite can also scan responses for important information like credit card numbers. One of the unique features of Ammonite is its ability to test all sections of an HTTP request, including headers (ever heard of SQL injection through HTTP headers?), cookies etc. One of the other features which is particularly interesting about Ammonite is the ability to pause, cancel and...
Inserting Vulnerabilities in Web Applications
Jun 13, 2013
In this article we will look at how we can insert vulnerabilities in web applications. Why? There are basically two reasons. Firstly, because it allows us to see the application from the eyes of a web developer and not a hacker. Secondly, because it allows us to create a platform where we can create a set of vulnerable web applications, and fuse them all together in a Virtual machine. So now, several people can test their web application security skills on the VM and learn from it. Some of the other reasons might be...
w3af walkthrough and tutorial part 4 - w3af tools
Jun 13, 2013
In the previous articles in this series, we looked at all the plugins available in w3af and looked at their applications in different scenarios. In this article, we will look at some of the other tools present in w3af which allow us to send Manual Requests, perform Fuzzing, Encode and Decode requests and responses, use a Proxy to intercept and modify requests and responses, and allow us to perform a comparison between different HTTP requests and responses. We will also look at how we can write our own w3af scripts to automate the task...
w3af walkthrough and tutorial part 3 - Remaining plugins
Jun 13, 2013
In the previous article w3af walkthrough and tutorial part 2 - Discovery and Audit plugins we looked at the various discovery and audit plugins used by w3af to identify vulnerabilities in a web application. We also looked at how we can exploit these vulnerabilities by using the exploit plugins present in w3af. In this article, we will look at the remaining plugins present in w3af which are bruteforce, grep, mangle, output, auth and evasion plugins and look at their applications in web application penetration testing. We will still be using the same test environment...
w3af walkthrough and tutorial part 2 - Discovery and Audit plugins
Jun 13, 2013
In the previous article w3af walkthrough and tutorial Part 1 we looked at how to use the w3af console. We also learnt about the different plugins in w3af and how they interact with each other to perform various tasks. In this article we will look at how to use the discovery and audit plugins in w3af to perform a vulnerability scan of the web applications and consequently exploit the vulnerabilities present. We will also look at the various techniques used by w3af to identify these vulnerabilities. In this article we will be working with...
W3af walkthrough Part 1
Jun 13, 2013
w3af (Web Application Audit and Attack Framework) is a framework for auditing and exploitation of web applications. In this series of articles we will be looking at almost all the features that w3af has to offer and discuss how to use them for web application penetration testing. In the first part of this series we will be working with the w3af console and getting ourselves familiar with the commands. We will also be looking at the different types of plugins that w3af has to offer and discuss how to use them for optimal performance. Some...
Defending the Internet with Project Meshnet
Jun 13, 2013
Topics related to Internet censorship have been the subject of much debate in the last few years. The main purpose of such internet censorship acts is to deny access to certain information on the internet. This information can be censored throughout the world, or in some cases could be limited to certain countries. Some countries even have their own censorship policies. One of the many examples of such acts is the very famous SOPA (Stop Online Piracy Act), which had provisions to protect copyrighted intellectual property from being published on the internet. There are many ways...
Timing Analysis Attacks in Anonymous Systems
Jun 12, 2013
Anonymous systems are used to allow users to surf the web and communicate with servers anonymously. Some of the popular anonymity service providers are TOR, GTunnel etc. The basic idea is to hide the identity of the user. However, it is important to ensure that the efficiency of the anonymous system is not decreased in the process, which could depend on numerous factors like latency, degree of anonymity etc. The communication between the sender and the receiver happens through a set of routers, often referred to as a mix or node, whose job is to...
Hacking Web Authentication – Part 2
Jun 12, 2013
In the first part of this article we looked at some of the common authentication types used in web applications these days and discussed their pros and cons. In this article we take it one step further and discuss some of the advanced authentication methods used these days. We will also discuss the various techniques for bypassing web based authentication, and discuss the steps needed to avoid such kinds of vulnerabilities. Overall this article will be divided into two sections. A) Bypassing Authentication: SQL Injection, Cookie Stealing, Session Hijacking. B) Advanced Authentication Methods: Certificate...
Hacking Web Authentication – Part 1
Jun 12, 2013
Authentication is the process of validating something as authentic. When a client makes a request to a web server for accessing a resource, sometimes the web server has to verify the user’s identity. For that the user will have to supply some credentials, and the web server validates them. All subsequent decisions are then taken on the basis of the credentials supplied by the client. This process is called authentication. Once the user is authenticated, the web server sets up the appropriate permissions for the user on its resources. Whenever the user tries to...
KARMETASPLOIT
Jun 12, 2013
Wireless networks have become very common in today’s world; people are used to being connected to wireless networks in the office, at home, in coffee shops etc. In order to facilitate the process of connecting to a wireless network, most operating systems remember the networks previously connected to (often stored in a Preferred Networks List) and send continuous probes looking for these networks. Once a network is found, the system automatically connects to it. If more than one of the probed networks is found, it connects to the network with the highest signal strength...
Abusing IP Protocols to Create Covert Channels when Penetration Testing
Jun 12, 2013
This article will talk about the maintaining access step in a penetration test. After an attacker has broken into the system, gained access, escalated privileges etc., it is important for him to maintain his authority on the system so that he can access it at a later time. The exploited system could be a web server (directly accessible from the internet), or a system running inside a network with NAT, hence not directly accessible from the internet. The system could also be running in a network with a firewall that monitors incoming and...
DNS Hacking - Beginner to Advanced
Jun 9, 2013
DNS is a naming system for computers that converts human readable domain names (e.g. infosecinstitute.com) into computer readable IP addresses. However, some security vulnerabilities exist due to misconfigured DNS nameservers that can lead to information disclosure about the domain. This forms an important step of the information gathering stage during a penetration test or vulnerability assessment. In this article we will look at the following areas: DNS Basics; Resource Records and the Zone File; DNS Lookup and Reverse DNS Lookup; Understanding Wildcard Entries; DNS Zone Transfer; DNS Bruteforcing. 1) DNS Basics: DNS converts human readable domain names...