Thursday, September 25, 2014

Bash-Bug Penetration Testing - Anatomy of Shellshock

A new security vulnerability known as the Bash or Shellshock bug could spell disaster for major digital companies, small-scale Web hosts and even Internet-connected devices.

The quarter-century-old security flaw allows malicious code execution within the bash shell (commonly accessed through Command Prompt on PC or Mac's Terminal application) to take over an operating system and access confidential information.

A post from open-source software company Red Hat warned that "it is common for a lot of programs to run Bash shell in the background," and the bug is "triggered" when extra code is added within the lines of Bash code.


Security expert Robert Graham has warned that the Bash bug is bigger than Heartbleed because "the bug interacts with other software in unexpected ways" and because an "enormous percentage" of software interacts with the shell.

"We'll never be able to catalogue all the software out there that is vulnerable to the Bash bug," Graham said. "While the known systems (like your Web server) are patched, unknown systems remain unpatched. We see that with the Heartbleed bug: six months later, hundreds of thousands of systems remain vulnerable."
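As an added example (not part of the original post, and not Red Hat's or Robert Graham's code), the following Python script shows the defender's side of the bug described above: it runs the widely published local self-test for the original Shellshock flaw by passing a bash function definition with a trailing command through the environment, and it provides a small pattern check that can be run over request header values (the route by which CGI scripts hand attacker-controlled text to bash) to spot that trigger shape in logs. The `PROBE` string, the regular expression, the function names and the sample headers are all constructed for this example.

```python
import re
import shutil
import subprocess

# Constructed probe: a bash function definition followed by a trailing
# command. A patched bash only imports (or refuses) the function; an
# unpatched bash also runs the trailing "echo VULNERABLE".
PROBE = "() { :;}; echo VULNERABLE"

# Constructed detection pattern: a value that begins like an exported bash
# function ("() {"), which is the shape that has to travel through an
# environment variable such as HTTP_USER_AGENT to reach a CGI-spawned bash.
PROBE_RE = re.compile(r"^\s*\(\s*\)\s*\{")


def check_bash_shellshock(bash_path=None, timeout=10):
    """Return 'vulnerable', 'patched' or 'no-bash' for the local bash.

    The child's environment is reduced to PATH plus one variable carrying
    the probe; the command bash is asked to run is a harmless echo.
    """
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return "no-bash"
    env = {"PATH": "/usr/bin:/bin", "probe": PROBE}
    proc = subprocess.run([bash, "-c", "echo test"], env=env,
                          capture_output=True, text=True, timeout=timeout)
    return "vulnerable" if "VULNERABLE" in proc.stdout else "patched"


def looks_like_shellshock_probe(value):
    """True if a header or environment value begins like a bash function export."""
    return bool(PROBE_RE.search(value))


def flag_suspicious_headers(headers):
    """Return the names of request headers whose value looks like a probe.

    `headers` is a dict of header name -> value, as a CGI wrapper or a
    reverse proxy would see it before the values become environment variables.
    """
    return [name for name, value in headers.items()
            if looks_like_shellshock_probe(value)]


if __name__ == "__main__":
    print("local bash:", check_bash_shellshock())
    # Constructed sample request headers, one of them carrying the probe shape
    sample = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
              "Referer": PROBE,
              "Cookie": "session=abc123"}
    print("suspicious headers:", flag_suspicious_headers(sample))
```

Running the script on a host reports whether its bash still imports trailing commands from environment variables; the header check is deliberately narrow (it matches the function-export prefix only), so it is a triage aid for log review rather than a substitute for updating bash.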

FOR PRACTICAL DEMONSTRATION - VISIT THIS TUTORIAL
 

Sunday, September 14, 2014

Call For Papers for nullcon Goa 2015

Dear Security Gurus,

We are excited to announce Call For Papers for nullcon Goa 2015. Time to tickle your gray cells and submit your research.


6th year | CFP opened on 6th Aug 2014 | conference on 6th Feb 2015.


CFP Details:- http://nullcon.net/website/goa-15/cfp.php 


Training: 4th-5th Feb 2015

Conference: 6th-7th Feb 2015

Our motto - "The neXt security thing" drives the objective of the conference i.e. to discuss and showcase the future of information security, next-generation of offensive and defensive security technology, zero day vulnerabilities and unknown threats. 


Get ready to Goa!

Monday, September 1, 2014

Forceful Sale of Stove by HP (Hindustan Petroleum) Bhogpur Gas Service in Dalli, Bhogpur, Jalandhar, Punjab


This is regarding the forceful sale of stove by HP (Hindustan Petroleum) Bhogpur Gas Service in Bhogpur, Jalandhar, Punjab

The above news has been published in No. 1 Punjabi Newspaper AJIT on 1st September 2014 on page number 8.

Complaint against Distributor : BHOGPUR GAS SERVICE (13896100) 
From HP side communication done by Mr.ASHISH SINGH (192249) 

I had booked a new HP gas connection and was called on Saturday (02/08/2014) as the connection was available. When I visited the company, I was told to buy a stove along with other accessories. I humbly mentioned that I already have a stove manufactured as per industry standards and that I would need only the gas connection.

The manager there informed me that I would get the connection only if I bought the stove. When I asked about the formal route of getting a connection without a stove, they said that without verification they would not provide the connection. Here I’ve seen a strange practice of forcing customers to buy the stove and then making them sign a document stating that they were not forced to buy it.

If we refuse to buy the stove, they will not give us the gas connection and return all the documents, saying that without verification they cannot provide the gas connection.

IF WE BUY THE STOVE, NO VERIFICATION IS REQUIRED. BUT THE SAME WILL BE APPLICABLE IF WE REFUSE TO BUY THE STOVE. This is totally unethical and criminal.

I also noticed the rude behaviour of the owner/manager of the agency.

Through the MRTPC notification, HP has clearly stated that it is not obligatory to purchase the stove from dealers/distributors. But this is not being followed by Bhogpur Gas Service in Bhogpur, Jalandhar. Such activities are spoiling the name and fame of Hindustan Petroleum Corporation Limited.

For all others facing a similar problem, please visit the website below to log your complaint against any HP distributor across India. Once the complaint has been logged, a response from an HP representative is mandatory.


#HPCL #HindustanPetroleum #Bhogpur #AjitNewspaper #PunjabiNews #Dalli #Complaint #ForcefulSaleofStove #ForcefulSale

Wednesday, April 30, 2014

Fool the Network Hunters (Hackers)

Portspoof is meant to be a lightweight, fast, portable, and secure addition to any firewall system or security system. The general goal of the program is to make the information-gathering phase slow and bothersome for your attackers as much as possible. This is quite a change to the standard 5s nmap scan that will give a full view of your system’s running services.

Friday, April 25, 2014

Friday, March 14, 2014

Theoretical Methodology for Detecting ICMP Reflected Attacks: SMURF Attacks - InfoSec Institute

There are plenty of different ways to track the original source of a DoS attack, but those techniques are not efficient enough to track a reflected ICMP attack. When I say “reflected ICMP attack,” I mean a SMURF attack. Here I am going to show you a new model to trace back a reflective DoS attack caused by ICMP packets. This is a very efficient method, because you can do it with the help of very few attack packets. We have seen that, to detect ICMP attacks in a direct attack, a large number of packets need to be reviewed, which is not true in this case.






Read Full Story : Theoretical Methodology for Detecting ICMP Reflected Attacks: SMURF Attacks - InfoSec Institute:

Notes On Biometric Template Security - InfoSec Institute


Sunday, March 9, 2014

Vigilance complaints pile up as Delhi Police doesn’t know password | The Indian Express

Over 600 complaints regarding the Delhi Police forwarded by the Central Vigilance Commission to an online portal have been pending for the past eight years. The reason: the Delhi Police didn’t know the password to access the portal or how to operate it, a lapse that went undetected since 2006.

In January finally, two Delhi Police officers, one of the level of deputy commissioner of police and another an inspector, were imparted “training” by the CVC on the same.

Sources in the CVC said 667 complaints had piled up, with no action taken by the police.

Each Delhi government department under the CVC, including the MCD, DDA and several investigating agencies, has a chief vigilance officer to look into complaints. If a complaint reaches the CVC, either it tackles it independently or it sends it to the concerned department




Read Full Story :Vigilance complaints pile up as Delhi Police doesn’t know password | The Indian Express

Friday, March 7, 2014

Computer Forensics Investigation – A Case Study - InfoSec Institute

Computer technology is a major integral part of everyday human life, and it is growing rapidly, as are computer crimes such as financial fraud, unauthorized intrusion, identity theft and intellectual theft. To counteract those computer-related crimes, Computer Forensics plays a very important role. “Computer Forensics involves obtaining and analysing digital information for use as evidence in civil, criminal or administrative cases (Nelson, B., et al., 2008)”.

A Computer Forensic Investigation generally investigates the data which could be taken from computer hard disks or any other storage devices, with adherence to standard policies and procedures, to determine whether those devices have been compromised by unauthorised access or not. Computer Forensics Investigators work as a team to investigate the incident and conduct the forensic analysis by using various methodologies (e.g. Static and Dynamic) and tools (e.g. ProDiscover or EnCase) to ensure the computer network system is secure in an organization. A successful Computer Forensic Investigator must be familiar with various laws and regulations related to computer crimes in their country (e.g. Computer Misuse Act 1990, the UK) and various computer operating systems (e.g. Windows, Linux) and network operating systems (e.g. Win NT). According to Nelson, B., et al., (2008), Public Investigations and Private or Corporate Investigations are the two distinctive categories that fall under Computer Forensics Investigations. Public investigations are conducted by government agencies, and private investigations are conducted by a private computer forensic team. This report will be focused on private investigations, since an incident occurred at a new start-up SME based in Luton.

This report also includes a computer investigation model, data collection and its types, evidence acquisition, forensics tools, malicious investigation, legal aspects of computer forensics, and finally this report also provides necessary recommendations, countermeasures and policies to ensure this SME will be placed in a secure network environment.









Read Full Article at Here : Computer Forensics Investigation – A Case Study - InfoSec Institute

Thursday, March 6, 2014

Congress vs BJP vs AAP : How Media is Biased ?

Today the three major political parties, Congress, BJP and AAP, had rallies of Rahul Gandhi, Narendra Modi and Arvind Kejriwal respectively.

While ABP News and NDTV were live telecasting all three rallies alternately, Times Now and CNN-IBN were only showing Rahul Gandhi’s and Narendra Modi’s rallies.

Even the “Tickr” (scrolling news at the bottom of the channel) on both channels talks only about Modi and Rahul… Headlines on the Tickr show only statements of Rahul and Modi.

Also, I checked the timeline of Times Now’s Twitter handle @timesnow for the last 5 hours. Not a single tweet on Kejriwal’s speech, while they have live-tweeted both Narendra Modi and Rahul Gandhi. I have taken screenshots of the TL.

I checked the timeline of CNN-IBN’s Twitter handle @ibnlive for the last 5 hours. They have live-tweeted both Narendra Modi and Rahul Gandhi. There was only one tweet on Arvind Kejriwal’s rally (and that too an anti-Congress statement that AK made).

(Screenshots of Twitter TL are at the end of this blog)

I called the Times Now office at 02224999944 and spoke to a news desk member. Someone by the name of Preeti answered my call and she was able to hear me until I asked the question. Then she started saying “hello.. hello” as if she couldn’t hear me and then hung up. I called back again and got connected to some other lady. She refused to reveal her name. When I asked her why they were not showing Kejriwal’s rally, she asked me to send a mail to their mail id “nowdesk@gmail.com” as she was not authorized to answer me.

Then I called CNN-IBN at 01204341818 and was connected to a newsroom guy, Saharsh. He says they have covered Kejriwal’s rally as well and says maybe I missed the broadcast. I asked him for a mail ID where I can send a mail about this. He gave “Assignment@network18online.com”.
I guess we should start questioning these guys on such things to tame them. It’s a known fact that these news channels are controlled by corporates that are closely connected to politicians. And as long as we don’t question them, they will continue to show biased news.

I will be sending a mail to the given mail IDs and will also send a mail to the News Broadcasting Association of India.

Until I get a satisfactory answer from them, the channels will be boycotted by me.
Note- I have recorded these calls : https://drive.google.com/folderview?id=0B7DWrSEAJy5_RVp1YzA0OW1PSFU#

I have uploaded the audio files again into a new folder. Please check this – Call Recordings New – https://docs.google.com/folder/d/0B7DWrSEAJy5_OHBTZER1ZWNfeVE/edit

Here is an alternate link to access the audio files: https://drive.google.com/?authuser=0#folders/0B7DWrSEAJy5_MG5PQmx2QmQ5UUU



Read more @ http://syedshahalihussaini.wordpress.com/2014/02/23/biased-media/

Thursday, February 20, 2014

Manual Web Application Penetration Testing – Finding XSS by Playing With Parameters

Introduction
In my previous article we saw the different ways of fuzzing, including suffix and prefix. We used those fuzzing techniques in order to find error messages in web applications. Now that we know how to fuzz, we will use that skill to find XSS, generally known as cross site scripting.

Testing For XSS
Without wasting any time, let’s go to the Document Viewer page under the A3 cross site scripting (XSS) module. Various methods of exploiting XSS are in there, but first we will choose a simple method which is HTTP attribute.

Monday, February 10, 2014

Manual Web Application Penetration Testing – Suffix & Prefix in Fuzzing

Introduction
In this series of articles, last time we talked about fuzzing and various SQL statement special characters which can be used in fuzzing a web application. In this article, I am going to focus on various prefixes and suffixes of fuzzing in order to fuzz the target web application.

CLICK HERE TO READ FULL ARTICLE

Saturday, February 8, 2014

How to install and use Veil-Catapult in backtrack?

Today we are going to talk about Veil-Catapult. Veil-Catapult is a payload delivery tool for when Metasploit’s psexec gets caught by AV. It utilizes Veil-Evasion to generate AV-evading binaries, Impacket to upload/host the binaries, and the passing-the-hash toolkit to trigger execution. It is officially supported on Kali Linux only. I’m going to show you how to install Veil-Catapult on BackTrack.

First, if you have not already installed the Veil-Evasion framework, install it as mentioned here. After installing Veil-Evasion, follow these steps.

root@bt:~# wget https://github.com/Veil-Framework/Veil-Catapult/archive/master.zip

root@bt:~# unzip master.zip

root@bt:~# cd Veil-Catapult-master/

root@bt:~/Veil-Catapult-master# sh setup.sh

Now Veil-Catapult requires the Impacket library and the passing-the-hash toolkit. The setup script tries to install the PTH suite, but we got an error, so we have to do it manually.

Install passing-the-hash:


root@bt:~# wget https://passing-the-hash.googlecode.com/files/wmiPTH-1.0-1.deb

root@bt:~# wget https://passing-the-hash.googlecode.com/files/winexePTH1.1.0-1.deb

root@bt:~# dpkg -i winexePTH1.1.0-1.deb

root@bt:~# dpkg -i wmiPTH-1.0-1.deb

If you are using another OS, you have to build it manually as mentioned here.

It is installed into the /opt/pth/bin folder, so we make the binaries available in /usr/bin by symlinking them:

root@bt:~# ln -s /opt/pth/bin/wmis /usr/bin/pth-wmis

root@bt:~# ln -s /opt/pth/bin/winexe /usr/bin/pth-winexe

root@bt:~# ln -s /opt/pth/bin/wmic /usr/bin/pth-wmic

Installing impacket library


root@bt:~# wget http://corelabs.coresecurity.com/index.php?module=Wiki&action=attachment&type=tool&page=Impacket&file=impacket-0.9.11.tar.gz

root@bt:~# tar -xvzf impacket-0.9.11.tar.gz 

root@bt:~# cd impacket

root@bt:~# python setup.py build 

You may ask why we don’t simply install it. When we tried, it installed successfully, but some of the modules were missing. So we first build it and then copy it. Now copy the impacket folder from build/lib.linux-i686-2.6/ and paste it into /usr/lib/pymodules/python2.6

Now everything is ready and we can run it. Before that, open /etc/veil/settings.py and check all the paths.

root@bt:~/Veil-Catapult-master# python Veil-Catapult.py 

Now select a number according to your choice and fill out the necessary options.

Powershell injector

(screenshot: powershell-injector)

Barebones python injector

(screenshot: Barebones-Python-Injection)

Sethc backdoor

Reboot, hit the Shift key 5 times, and a SYSTEM shell will pop up. There is also a script for it in Metasploit. Check out this awesome blog for more details.

EXE delivery upload

(screenshots: exe-deliver, veil-catapult-exe-upload)

A cleanup resource script is generated; you can use it after your work is completed to kill the process and remove the exe.

(screenshot: Veil-Catapult-cleanup-script)

You can also host the exe using a temporary SMB server. This loads the payload executable into memory without touching disk, allowing an otherwise disk-detectable executable to bypass detection.

Alternatives to Veil-Catapult are smbexec and keimpx.

Thursday, January 30, 2014

Manually Web Application Penetration Testing: Fuzzing - Part 4

Introduction
When we test a web application, we do not test a single page, but a lot of pages of a single web application. Each page may have more than one variable, so technically you will be engaging with a ton of variables during your web application test. So when you inject anything into the input, it is good to know what kind of effect your injection has on the server. In this part of this series of articles, we will look at the importance of simple alphabetic injection along with the web page encoding technology and how it affects our testing and result.

Simple Alphabetic Injection
When you engage with many web pages and a ton of variables, it is good to be able to find your input after you inject it. When you give something to the web page as an input, your input will not be used in only one place; it will be used for many variables and in many places. One of the common ways to check which areas use a given input is a simple alphabetic injection. This simple alphabetic injection can be anything. As I said in an earlier article, I personally use Jonnybravo as a username and momma as a password. If I use any special characters within my input, they might get encoded or eliminated to prevent injection attacks on that page. What encoding is and how it takes place I will cover later on. The reason for using a simple alphabetic injection is that it will never be encoded or eliminated by the server, so you can easily find your input within the response as well as the request.
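The technique just described, finding where an alphabetic marker comes back in the response, is what the following Python example automates. It is an added example, not code from the original article or from Mutillidae; the response body, the context classifier and the `ENCODING_NEEDED` mapping are constructed for this example. It goes a little beyond the text by also reporting the HTML context of each reflection (text, attribute, script or comment), because that context is what decides which output encoding the developer has to apply to close the reflection off.

```python
import re

# The page's own alphabetic marker; any unique alphabetic token works.
MARKER = "Jonnybravo"

# Constructed sample response body in which the marker is reflected in
# several different contexts (not output from a real application).
SAMPLE_RESPONSE = """<html><body>
<h1>Welcome, Jonnybravo</h1>
<input type="text" name="user" value="Jonnybravo">
<a href="/profile?u=Jonnybravo">profile</a>
<script>var user = "Jonnybravo";</script>
<!-- debug: last user Jonnybravo -->
</body></html>"""

# Assumed educator's mapping from reflection context to the output
# encoding a developer needs there; not an exhaustive rule set.
ENCODING_NEEDED = {
    "text": "HTML entity encoding (&lt; &gt; &amp;)",
    "attribute": "attribute encoding plus quoting of the value",
    "script": "JavaScript string escaping (or move the data out of script)",
    "comment": "strip or encode; comments still ship to the client",
}


def classify_context(body, pos):
    """Return the HTML context ('text', 'attribute', 'script' or 'comment')
    of the character at offset pos, judged only from the markup before it.
    str.rfind returns -1 when a token is absent, so 'opened more recently
    than closed' is a single comparison per context."""
    before = body[:pos]
    if before.rfind("<script") > before.rfind("</script"):
        return "script"
    if before.rfind("<!--") > before.rfind("-->"):
        return "comment"
    if before.rfind("<") > before.rfind(">"):
        return "attribute"
    return "text"


def find_reflections(body, marker):
    """Locate every reflection of marker in body.

    Returns a list of (offset, context) tuples in document order; an empty
    list means the input was not reflected (or was transformed).
    """
    pattern = re.compile(re.escape(marker))
    return [(m.start(), classify_context(body, m.start()))
            for m in pattern.finditer(body)]


def reflection_report(body, marker):
    """Map each context in which marker is reflected to the encoding the
    developer needs there; an empty dict means no reflection was found."""
    contexts = {ctx for _, ctx in find_reflections(body, marker)}
    return {ctx: ENCODING_NEEDED[ctx] for ctx in sorted(contexts)}


if __name__ == "__main__":
    for offset, ctx in find_reflections(SAMPLE_RESPONSE, MARKER):
        print(f"offset {offset:4d}: {ctx}")
    print(reflection_report(SAMPLE_RESPONSE, MARKER))
```

In practice you would feed `find_reflections` the raw response body captured in Burp for the request that carried the marker; the classifier is a deliberately small approximation (it does not parse the DOM, so nested or malformed markup can mislead it), which is enough to tell text, attribute, script and comment reflections apart on ordinary pages.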


Monday, January 20, 2014

Manual Web Application Penetration Testing: Identifying Application Entry Points

Introduction
In this article, I will show you how to find injection points for your target host and how the webpage is encoded when it comes to the client side from the server.

Identifying Injection Points
If your web page is static, you cannot test it for security concerns. You can test it in some limited way, but you can’t play with it much compared to a dynamic page. The Nikto scanner is a good utility that works best for testing static sites. There has to be some interaction between client and server via a login panel, comment section, register page, contact form, and so on.

Friday, January 17, 2014

Manual Web Application Penetration Testing: Introduction

In this series of articles, I am going to demonstrate how you can manually exploit the vulnerabilities of a web application, rather than using an automation tool, in order to find vulnerabilities in the application. Almost all companies worldwide focus on manual testing of web applications rather than running web application scanners, which limit your knowledge and skills and the scope of finding a vulnerability with your testing.
For the whole series I am going to use these programs:
  1. NOWASP Mutillidae
  2. BURP Proxy

Monday, January 6, 2014

Deliver a PowerShell payload using a macro.

In the past we saw the method of direct shellcode execution in MS Word or Excel using a macro, but if the document is closed we lose our shell, so we have to migrate to another process, and sometimes the migration is picked up by AV. So in this tutorial we are going to use a PowerShell payload.

Advantages of this method:-


(1)Persistence
(2)Migration is not needed
(3)AV bypass

(1) First we will generate the PowerShell payload; for this purpose I used SET. You can also use Veil or PowerSploit. Open SET in a terminal and select Social-Engineering Attacks and then Powershell Attack Vectors. Generate the Powershell Alphanumeric Shellcode Injector and fill in the LHOST and LPORT values.

(screenshot: SET-powershell-payload)

Our generated PowerShell payload is located in /root/.set/reports/powershell/. Rename x86_powershell_injection.txt to x32.ps1.

(2) Now clone the git repository of the code:

root@bt:~# git clone https://github.com/enigma0x3/Old-Powershell-payload-Excel-Delivery
root@bt:~# cd Powershell-payload-Excel-Delivery/

(3) In the Powershell-payload-Excel-Delivery folder, rename RemovePayload.bat to remove.bat. Now you have to host remove.bat and x32.ps1 on a web server. Then open the persist.vbs file and change the URL of x32.ps1 in lines 13 and 33 to your hosted x32.ps1’s URL. Now also host persist.vbs on the web server. I used localhost.

(screenshot: hosted-payload)

(4) Open the Macrocode file from the cloned folder and change the URLs in lines 27, 82 and 118 respectively to your hosted x32.ps1, persist.vbs and remove.bat URLs. Now add this macro code into the Excel document as mentioned in the previous tutorial.

(5) The last step is to set up the listener.

(screenshot: metasploit-listener)

Now send this document to the victim; as soon as he opens the document and runs the macro, we get a shell. Once the payload has run, it runs in the powershell process, so if the user closes Excel, you keep your shell. You also remain in a stable process until reboot, so migration is not needed.

(screenshot: powershell-process)

It then pulls down a persistence script, drops it, and creates a registry key to autorun the persistence script. Once done, it also drops a self-deleting bat file that removes the initial payload from the system.

(screenshot: persist using registry)

Thanks to enigma0x3 for this awesome method.

Update :- New-Powershell-Payload-Excel-Delivery

This is a VBA macro that uses Matt Graeber's Invoke-Shellcode to execute a PowerShell payload in memory as well as schedule a task for persistence (after 20 minutes idle you get a shell).
root@bt:~# git clone https://github.com/enigma0x3/Powershell-Payload-Excel-Delivery.git
root@bt:~# cd Powershell-Payload-Excel-Delivery/

Open the MacroCode file, change the download URL for the Invoke-Shellcode file, and change the LHOST and LPORT options. Now add the macro code to the Excel file and start up the listener.