Showing posts with label Cybercrime. Show all posts

Friday, September 9, 2011

tutorial on Session hijacking attack




When a user logs in to an account, a session starts and lasts until the user logs out. For the duration of that session the user holds a session ID: a unique identifier that stands in for the user's credentials on every request and is valid only for that session. Session hijacking is an attack in which the attacker obtains or predicts a valid session ID and uses it to gain unauthorized access to the victim's information or services.


Session hijacking can be done at two levels:
- Network level (TCP and UDP session hijacking)
- Application level (HTTP session hijacking)


Network level (TCP and UDP session hijacking)


TCP session hijacking
TCP session hijacking is the takeover of an established TCP connection between two machines. Because most protocols authenticate only when the connection is set up, an attacker who can inject packets into the connection afterwards inherits the authenticated state and gains access to the machine. It can be done in the following ways:
- IP spoofing: assuming the identity of one endpoint by sending packets with its source address
- Man-in-the-middle attack: sitting on the path (for example after ARP spoofing) and using a packet sniffer to read the sequence numbers needed to inject valid segments
- Blind attacks: injecting without seeing the traffic, which means guessing the TCP sequence numbers; this is only practical when the initial sequence numbers are predictable


UDP session hijacking
It is similar to TCP session hijacking but easier, because UDP has no sequence numbers and no connection state to synchronize: the attacker only has to get a spoofed reply to the client before the real server does.


Application level (HTTP session hijacking)
HTTP is stateless, so the application identifies the user on every request by a session ID, normally carried in a cookie. Whoever holds the session ID is the user as far as the application is concerned, so in HTTP session hijacking the attacker tries to obtain it by one of these routes:
- Cross-site scripting (XSS): injected script reads the cookie and sends it to the attacker
- Man-in-the-middle attack: sniffing the cookie from unencrypted HTTP traffic
- Brute-forcing or predicting the session ID, which only works when IDs are short or generated predictably
- Man-in-the-browser attack: malware inside the browser uses the session from within
Session hijacking is widely used for breaking into website accounts. In websites the session ID is stored as a cookie in the client browser, so to hijack someone's session you have to steal that user's session information, which is usually far easier than stealing the password.
Session hijacking has been an ongoing problem for web browser developers and security experts for at least five years.


Prevention:
- Use ArpON or similar tooling to detect or block ARP spoofing, the usual way to obtain a man-in-the-middle position on a LAN.
- Use HTTPS for the whole session, not only for the login page, and mark the session cookie Secure so the browser never sends it over plain HTTP; otherwise a single unencrypted request leaks it.
- Mark the cookie HttpOnly so script injected through XSS cannot read it.
- Generate session IDs from a cryptographic random source, issue a fresh ID after login, and set the cookie expiry as short as usability allows.
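The measures above, as an added example that is not part of the original post: an unguessable session ID, a Set-Cookie header with the protective flags, an audit function that reports which protections a given header lacks, and session rotation at login. The cookie name "sid", the 900-second lifetime and the in-memory store are assumptions for the illustration.

```ruby
# Added example (not from the original post): session cookie hygiene in Ruby.
require 'securerandom'

# Weak: an ID derived from a counter (or the clock) can be predicted by anyone
# who has seen one or two of them; this is the "brute-forcing the session ID" path.
def weak_session_id(counter)
  format('%08d', counter)
end

# Strong: 128 bits from the OS CSPRNG; guessing is infeasible.
def strong_session_id
  SecureRandom.hex(16) # 32 hex characters
end

# Max-Age keeps the lifetime short; Secure stops the cookie leaving the browser
# over plain HTTP (a sniffer never sees it); HttpOnly keeps it away from injected
# JavaScript; SameSite=Strict stops it riding along on cross-site requests.
def session_set_cookie(id, max_age: 900)
  "sid=#{id}; Path=/; Max-Age=#{max_age}; Secure; HttpOnly; SameSite=Strict"
end

# Audit a Set-Cookie header for the protections a session cookie needs.
# Returns the list of problems; empty means the cookie is acceptable.
def audit_session_cookie(header, max_lifetime: 3600)
  parts = header.split(';').map(&:strip)
  attrs = parts[1..].map { |a| k, v = a.split('=', 2); [k.downcase, v] }.to_h
  problems = []
  problems << 'missing Secure' unless attrs.key?('secure')
  problems << 'missing HttpOnly' unless attrs.key?('httponly')
  problems << 'missing SameSite' unless attrs.key?('samesite')
  if attrs.key?('max-age')
    problems << 'Max-Age too long' if attrs['max-age'].to_i > max_lifetime
  elsif !attrs.key?('expires')
    problems << 'no Max-Age/Expires (cookie lives until the browser exits)'
  end
  value = parts[0].split('=', 2)[1].to_s
  problems << 'session ID too short (< 64 bits)' if value.length < 16
  problems
end

# At login, never keep the pre-authentication ID (that enables session fixation):
# move the session data to a freshly generated ID. `store` is an assumed Hash.
def rotate_session(store, old_id)
  data = store.delete(old_id) || {}
  new_id = strong_session_id
  store[new_id] = data
  new_id
end
```

Run the audit against the Set-Cookie headers your own application emits; a header that comes back with an empty list covers the sniffing, XSS and guessing routes listed above, and rotating the ID at login closes fixation.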

XPath injection tutorial




XPath injection is a type of web attack that targets a website which builds XPath queries from user-supplied data. Querying XML is done with XPath, a short path expression that locates a piece of information in the document. By sending deliberately malformed input to the website, an attacker can find out how the XML data is structured, or read data he should not normally have access to.


XPath injection can be even more dangerous than SQL injection: XPath has no access control and a single query can reach the complete database (the XML document), whereas SQL databases have permission systems and system tables that ordinary queries cannot read.


Here is a demonstration. The attack works much like SQL injection.


Consider this users.xml file:

<users>
  <user>
    <firstname>Ben</firstname>
    <lastname>Elmore</lastname>
    <loginID>abc</loginID>
    <password>test123</password>
  </user>
  <user>
    <firstname>Shlomy</firstname>
    <lastname>Gantz</lastname>
    <loginID>xyz</loginID>
    <password>123test</password>
  </user>
  <user>
    <firstname>Jeghis</firstname>
    <lastname>Katz</lastname>
    <loginID>mrj</loginID>
    <password>jk2468</password>
  </user>
  <user>
    <firstname>Darien</firstname>
    <lastname>Heap</lastname>
    <loginID>drano</loginID>
    <password>2mne8s</password>
  </user>
</users>




XPath query built by the login form (the loginID and password values come straight from the form fields):
//users/user[loginID/text()='abc' and password/text()='test123']

Now bypassing authentication. If the attacker enters ' or 1=1 or ''=' as the login ID and anything at all as the password, the query becomes:
//users/user[loginID/text()='' or 1=1 or ''='' and password/text()='anything']
In XPath, and binds more tightly than or, so the predicate is true for every user node: the query returns the whole user list, starting with the first entry, and the attacker is logged in as Ben Elmore without knowing any credentials.




See the link for a detailed demonstration.
link


Prevention


XPath injection can be prevented in the same way as SQL injection. Some of the measures:
- Input validation: accept only the characters a login ID can legitimately contain, and reject quotes and XPath operators.
- Parameterized queries: bind user input as XPath variables ($name) instead of concatenating it into the expression, so the input is never parsed as part of the query.
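The query, the bypass and both prevention measures, as an added example that is not part of the original post. It uses REXML from Ruby's standard library; the users.xml above is embedded so it runs offline, and the login/password element names follow the file as reconstructed above.

```ruby
# Added example (not from the original post): XPath injection and its fix with REXML.
require 'rexml/document'

# The users.xml from the post, embedded so the example runs offline.
USERS_XML = <<~XML
  <users>
    <user><firstname>Ben</firstname><lastname>Elmore</lastname><loginID>abc</loginID><password>test123</password></user>
    <user><firstname>Shlomy</firstname><lastname>Gantz</lastname><loginID>xyz</loginID><password>123test</password></user>
    <user><firstname>Jeghis</firstname><lastname>Katz</lastname><loginID>mrj</loginID><password>jk2468</password></user>
    <user><firstname>Darien</firstname><lastname>Heap</lastname><loginID>drano</loginID><password>2mne8s</password></user>
  </users>
XML
DOC = REXML::Document.new(USERS_XML)

# VULNERABLE: the form values are spliced straight into the XPath expression,
# exactly as in the query shown above. Returns the loginIDs of matching users.
def login_vulnerable(login, password)
  query = "//users/user[loginID/text()='#{login}' and password/text()='#{password}']"
  REXML::XPath.match(DOC, query).map { |u| u.elements['loginID'].text }
end

# SAFE: the values are bound as XPath variables ($login, $password), so the
# engine compares them as strings and never parses them as XPath.
def login_safe(login, password)
  query = '//users/user[loginID/text()=$login and password/text()=$password]'
  REXML::XPath.match(DOC, query, {}, 'login' => login, 'password' => password)
             .map { |u| u.elements['loginID'].text }
end

# Defence in depth: a login ID is a short alphanumeric token, so reject anything
# else before it gets anywhere near the query.
def valid_login_id?(login)
  !!(login =~ /\A[A-Za-z0-9_]{1,32}\z/)
end
```

With the injected login ID the vulnerable function returns all four users, the first of which is the one the application would log in; the parameterized version returns nothing for the same input, and the validator rejects it outright.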

Packet Sniffer for Android phones



This is a useful app for capturing and displaying WiFi and Bluetooth traffic on Android phones. To use it you need a rooted phone with the "su" binary installed.



The app is a front end for tcpdump, so the tcpdump binary has to be installed manually:
1. Download and install the PacketSniffer app from the market or from the following link.
http://dl.dropbox.com/u/3775726/PacketSniffer/PacketSniffer.apk
2. Copy the precompiled tcpdump binary to the "/data" directory on your phone:
             If you have ADB, use: "adb push c:\locationOfTheTcpdumpFile /data"
             If you don't have ADB, copy the tcpdump file to the SD card and run: "cat /sdcard/tcpdump > /data/tcpdump"
             The original instructions suggest "chmod 777 data" if /data is not writable. Avoid that: /data holds every app's private storage, and making it world-writable lets any app tamper with any other app's data. Do the copy as root instead.
3. Make the binary executable: "chmod 755 /data/tcpdump". (The original "chmod 777 /data/tcpdump" also works, but there is no reason to leave the binary world-writable.)


Before you start capturing you can choose whether to save the captured data to a local SQL database on the device or to a file on the SD card.


Read More on
https://sites.google.com/site/androidarts/packet-sniffer

Tutorial on Arbitrary File uploading Vulnerability



An arbitrary file upload vulnerability occurs in a web application that has a file upload form but does not check or filter the file type during upload.
Why is that a problem? Suppose the website has an upload form that does not check the file type, and you have a malicious PHP or ASP script. You upload the script through the form and then request it from the web server, which executes it as a page. From that script you can run any command on the server, which leads to a full compromise.
If you do not know how to write such a script, ready-made ones (web shells) can be downloaded from the internet and used against any server with this vulnerability.


Some PHP Shells :-


Ani-Shell
R57 Shell
C99 Shell


Note: This tutorial and the scripts are for educational purposes only. Using these scripts on web servers you do not own or have permission to test is illegal.
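The checks an upload handler needs in order not to have this vulnerability, as an added example that is not part of the original post. The allowed types, the size limit, the upload directory and the in-memory inputs are assumptions; no web framework is involved.

```ruby
# Added example (not from the original post): validating an upload before storing it.
require 'securerandom'
require 'pathname'

# Allowed extensions and the leading bytes ("magic") a real file of that type has.
ALLOWED = {
  'jpg' => "\xFF\xD8\xFF".b,        # JPEG
  'png' => "\x89PNG\r\n\x1A\n".b,   # PNG
  'gif' => 'GIF8'.b                 # GIF87a / GIF89a
}.freeze
MAX_BYTES = 2 * 1024 * 1024        # assumed limit

UploadError = Class.new(StandardError)

# Returns the extension the file will be stored with, or raises UploadError.
# Only the *last* extension counts, so "shell.php.jpg" is accepted only if its
# bytes really are a JPEG, and even then it is stored under a random name.
def validate_upload(filename, bytes)
  raise UploadError, 'empty file' if bytes.empty?
  raise UploadError, 'file too large' if bytes.bytesize > MAX_BYTES
  base = File.basename(filename)   # discards any ../ path components
  ext = File.extname(base).delete_prefix('.').downcase
  raise UploadError, "extension not allowed: #{ext.inspect}" unless ALLOWED.key?(ext)
  raise UploadError, 'content does not match extension' unless bytes.b.start_with?(ALLOWED[ext])
  raise UploadError, 'embedded script marker' if bytes.b.include?('<?php'.b)
  ext
end

# Store under a server-chosen random name in a directory outside the document
# root (assumed), so nothing the client supplied becomes a path or executes.
def store_upload(filename, bytes, upload_dir)
  ext = validate_upload(filename, bytes)
  Pathname.new(upload_dir).join("#{SecureRandom.hex(16)}.#{ext}").to_s
end

# The rejection reason for logging, or nil when the file is accepted.
def rejection_reason(filename, bytes)
  validate_upload(filename, bytes)
  nil
rescue UploadError => e
  e.message
end
```

The extension check alone would still let a web shell through under a name like shell.php.jpg on a server that maps multiple extensions; the magic-byte check and the random server-side name are what close that route.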

Brute Force Attack

A brute force attack is a password cracking technique in which the attacker uses an automated program to try every possible combination for a password. The attack does not decrypt anything; it keeps trying different passwords until one is accepted. The time it takes depends on the length of the password and the size of the character set. Traditional brute force attacks attempt to guess username and password combinations for services like FTP, SSH, or other authenticated

Example
Let us assume the password length is 3 and the character set is a-z, A-Z and 0-9.
Number of choices for each character position:
Lowercase letters (26) + uppercase letters (26) + 10 digits = 62
Total number of candidate passwords:
62*62*62 = 238328
So the automated brute force program has to try at most 238328 passwords. You can also calculate the time taken to complete a brute force attack from "Last Bit".

Tools for Brute Force Attack
Here I suggest some of the tools that crack passwords with the brute force technique:
Cain and Abel
Aircrack
L0phtcrack
Brutus

Advantages
- Given enough time it always succeeds, because the correct password is somewhere in the key space.
- It is a simple attack that takes little work to set up or initiate.
Disadvantages
- It is noisy and slow.
- It is processing-power and hardware intensive.
- Systems nowadays commonly lock an account after a few (for example 3) failed attempts, which stretches the time needed to crack enormously and can make an online attack impractical altogether.
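The key space arithmetic above carried into working code, as an added example that is not part of the original post: the count of candidates, the time to exhaust them at a given guess rate, an actual exhaustive search against a constructed SHA-256 hash, and the effect of a lockout policy. The rates, the 3-attempts-per-15-minutes lockout and the target password are assumptions.

```ruby
# Added example (not from the original post): brute force mechanics in Ruby.
require 'digest'

LOWER  = ('a'..'z').to_a
UPPER  = ('A'..'Z').to_a
DIGITS = ('0'..'9').to_a

# Candidates of exactly `length` characters, and of every length up to `max_length`
# (an attacker does not know the length, so the shorter ones are tried too).
def keyspace(charset_size, length)
  charset_size**length
end

def keyspace_up_to(charset_size, max_length)
  (1..max_length).sum { |n| keyspace(charset_size, n) }
end

# Seconds to exhaust the space at `rate` guesses per second (offline attack).
def seconds_to_exhaust(charset_size, max_length, rate)
  keyspace_up_to(charset_size, max_length).fdiv(rate)
end

# Try every combination, shortest first, against a stored hash. The target is a
# plain SHA-256 here for illustration; real systems use salted, slow password
# hashes, which cuts the achievable rate by orders of magnitude.
# Returns [password, attempts], or nil when the space is exhausted.
def brute_force(target_hex, charset, max_length)
  attempts = 0
  (1..max_length).each do |len|
    charset.repeated_permutation(len) do |combo|
      attempts += 1
      candidate = combo.join
      return [candidate, attempts] if Digest::SHA256.hexdigest(candidate) == target_hex
    end
  end
  nil
end

# Online attack against a lockout of `allowed` attempts per `window` seconds:
# the rate is capped by policy, not by hardware.
def seconds_with_lockout(charset_size, max_length, allowed, window)
  keyspace_up_to(charset_size, max_length).fdiv(allowed) * window
end
```

At a million guesses per second the whole 3-character, 62-symbol space falls in well under a second offline; behind a 3-attempts-per-15-minutes lockout the same space takes over two years, which is the disadvantage the last bullet above describes.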

Friday, January 14, 2011

Exploit packs


Exploit packs are very commonly used in today’s drive-by attacks. An exploit pack is a set of programs that exploit vulnerabilities in legitimate software programs running on the victim machine. In other words, the exploits open a sort of back door via which malicious programs can infect the computer. Since attacks on the web take place through the browser, cybercriminals need to exploit vulnerabilities in the browser, in browser add-ons, or in third-party software which is used by the browser to process content. The main purpose of exploit packs is to download and launch executable malicious files without the user noticing.
The screenshot below shows a typical set of add-ons for Firefox. The versions with vulnerabilities that have been exploited in previous attacks against users are highlighted. Furthermore, other vulnerabilities have been identified (and exploited) in Firefox itself.

Today, exploit packs represent the evolutionary peak of drive-by download attacks, and are regularly modified and updated. This is to ensure that they both include exploits for new vulnerabilities and are able to effectively counteract security measures.
Exploit packs have consolidated their niche on the cybercrime services market. At present, there are a great many exploit packs for sale on the black market; they differ in terms of price, the number of exploits included, the usability of the admin interface, and the level of customer service offered. In addition to the “off-the-shelf” exploit packs offered for sale, exploit packs can also be made to order, a service that is used by some cybercrime gangs.

As an example, let's take a look at one of the most common exploit packs currently on open sale: Crimepack Exploit System.
Crimepack features its own control panel with a high-quality user interface.


Crimepack admin panel: the authentication screen
The admin panel web interface can be used to modify the configuration of the exploit pack. It also provides statistics on the number of downloads, successful exploits, and the operating systems and browsers running on victim computers.
Crimepack's statistics page in the admin panel
The exploit pack itself is an encrypted and obfuscated HTML page that includes JavaScript.


Crimepack exploits: source code
Analysis of the decrypted page makes it possible to trace Crimepack's main functionality. The script within the page attempts, at set intervals, to exploit vulnerabilities in Internet Explorer, DirectX, Java, and Adobe Reader. During exploit attempts, a range of components are used, including malicious PDF and JAR files, which are loaded as the original script runs.

Crimepack exploits: main functionality
By early July 2010, Crimepack Exploit System had reached its third version, which contains 14 exploits targeting Microsoft, Adobe, Mozilla, and Opera products.

Black hat SEO

SEO (Search Engine Optimization) refers to methods used to improve a website’s position in search results returned by search engines in response to specific search terms. Today, search engines are a key resource when looking for information; the easier it is to find a website, the more demand there will be for services offered by the site.
There are numerous SEO methods, both legitimate ones and ones prohibited by search engines. The prohibited techniques are commonly used by cybercriminals to promote malicious resources.
Here is a general overview of how users come into contact with “optimized” resources, and how cybercriminals make their resources more visible.
By using keywords, which can be chosen either manually or automatically (for example, using Google Trends), cybercriminals create websites containing relevant content. Usually this is done automatically: bots issue search engine queries and steal content (fragments of text, for example) from the pages that come top of the search results.
In order to ensure that a new website falls among the top search results, first and foremost, the creators have to force web crawlers, or spiders, to index it. The simplest way to initiate the indexing process is manually, by using, for example, the pages on Add your URL to Google, where users can enter their website into the search engine’s index. In order to push the site up toward the top of the results more quickly, a link to the site may be posted on resources that are already known to search engines, such as forums, blogs, or social networks. The link to the target page on these websites will make it appear more prominent during the indexing process. Furthermore, a site can be “optimized” with the help of botnets: infected computers conduct a search using specific keywords, and then select the cybercriminal website from the results.
A script is then put on the newly-created web page that identifies visitors from the HTTP request headers (the User-Agent and Referer in particular). If the visitor is a web crawler, it is "shown" a page with content associated with the chosen keywords, so the page is pushed up the list of search results. If a user arrives at the site from a search engine, he or she is instead redirected to a malicious site.



Black hat SEO: creating and presenting data
Websites that are promoted using illegal or dubious methods are promptly removed by search engines from search results. This is why cybercriminals, as a rule, use automated processes to create and optimize such sites; this speeds up the process and multiplies the number of new malicious web resources.
Automatically created web pages can be placed anywhere: on cybercriminal resources, on legitimate resources that have been infected, or on free hosting services or blog platforms.
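The visitor-identification step described above, as an added example that is not part of the original post: the cloaking decision a black hat SEO page makes from the request headers, and the check a defender or search engine runs to detect it by fetching the same URL as a crawler and as a browser arriving from a search. The crawler and referer patterns, the hostnames and the canned responses are assumptions; fetching is injected as a callable so the example runs offline.

```ruby
# Added example (not from the original post): cloaking and a cloaking detector.

CRAWLER_UA     = /googlebot|bingbot|yandexbot|slurp|duckduckbot/i
SEARCH_REFERER = %r{\Ahttps?://(www\.)?(google|bing|yandex|yahoo)\.[a-z.]+/}i

# What the cloaking script does with one request (headers: a Hash of name => value).
# Crawler: keyword-stuffed doorway content so the page ranks.
# Human arriving from a search: redirect to the payload site (assumed hostname).
# Anyone else (investigators, direct visits): a harmless page.
def cloak(headers)
  ua  = headers['User-Agent'].to_s
  ref = headers['Referer'].to_s
  if ua.match?(CRAWLER_UA)
    { status: 200, body: 'keyword-stuffed doorway page' }
  elsif ref.match?(SEARCH_REFERER)
    { status: 302, location: 'http://malicious.example/' }
  else
    { status: 200, body: 'harmless page' }
  end
end

# Detector: request the same URL twice, once with a crawler User-Agent and once
# as a browser coming from a search result, and compare what comes back.
# `fetch` is a callable (url, headers) -> { status:, body:, location: }.
def cloaked?(url, fetch)
  as_crawler = fetch.call(url, 'User-Agent' => 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)')
  as_user    = fetch.call(url, 'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; rv:120.0) Gecko/20100101 Firefox/120.0',
                               'Referer'    => 'https://www.google.com/search?q=example')
  differs = as_crawler[:status] != as_user[:status] || as_crawler[:body] != as_user[:body]
  differs || !as_user[:location].nil?
end
```

A site that personalizes content can also differ between two fetches, so in practice the comparison is run more than once and a redirect to an unrelated host on the search-referred request is the strongest signal.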