<h1>InfoNation</h1>
<p>Blog by Anand Namana. Feed last updated 2024-02-06.</p>
<h2>My New Article on Time Release Secrets - Just a thought</h2>
<p>Posted 2019-11-11</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
<a href="https://medium.com/@anand.namana/time-release-secrets-2cf159aca840">https://medium.com/@anand.namana/time-release-secrets-2cf159aca840</a></div>
<h2>Bypassing Integrity Check of Pre-boot Authentication Software</h2>
<p>Posted 2018-03-10</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
<h3 class="graf graf--h3" name="7fa6">
Bypassing Integrity Check of Pre-boot Authentication Software</h3>
<div class="graf graf--p" name="84ee">
I am intentionally masking all the file names in below description.</div>
<div class="graf graf--p" name="ccc7">
This is something i identified 1 and half year ago and sharing now. I was assessing a Pre-boot authentication software, which encrypts the Bitlocker authentication key and protects it and also offers different ways to login into OS. Below was my approach of doing its assessment.</div>
<div class="graf graf--p" name="4a7b">
<strong class="markup--strong markup--p-strong"><br /></strong></div>
<div class="graf graf--p" name="4a7b">
<strong class="markup--strong markup--p-strong">Phase 1</strong>: Lucky that laptop was not protected with BIOS password and i could boot using USB stick. After booting with USB stick i extracted the pre-boot authentication software/firmware image partition. After extracting i started exploring its contents. It was a stripped down Linux OS image along with custom binaries which protects confidentiality and integrity.</div>
<div class="graf graf--p" name="636b">
<strong class="markup--strong markup--p-strong"><br /></strong></div>
<div class="graf graf--p" name="636b">
<strong class="markup--strong markup--p-strong">Phase 2:</strong> After some exploration i identified the custom binaries which protects the integrity of entire firmware and performs encryption and decryption. So, the first step was to break the integrity. After thorough analysis i found out that a file named “x” is being invoked first which checks integrity of another file “y.sh”, once integrity check of “y.sh” is satisfied, “y.sh” kicks in and it checks integrity of entire firmware, if it finds any anomalies system does not boot and results in error. </div>
<div class="graf graf--p" name="be14">
<strong class="markup--strong markup--p-strong"><br /></strong></div>
<div class="graf graf--p" name="be14">
<strong class="markup--strong markup--p-strong">Phase 3: </strong>Now the idea is to analyze more and break integrity check. Upon further analysis i identified that “y.sh” uses some of Linux inbuilt utilities such as wc (word count) along with others to check entire file system integrity. if wc is returning value more than 0 it means some file has been modified and error is returned. If wc is 0 no error is returned and integrity check is good. So, if i modify the wc utility to return always 0 then i can break its integrity check. </div>
<div class="graf graf--p" name="3653">
<strong class="markup--strong markup--p-strong"><br /></strong></div>
<div class="graf graf--p" name="3653">
<strong class="markup--strong markup--p-strong">Phase 4: </strong>Further analysis helped me to understand that wc and other linux utilities were extracted at runtime from “x” file and were placed in /tmp directory. So, it is difficult to modify the wc file directly. After some thought i created fake wc utility which always returns 0 upon execution. Later i created a startup script which repeatedly copies our fake wc into /tmp directory and placed it in Linux startup script directory along with fake wc. Write back the modified image and boot up the laptop. Pooff!! Integrity check was broken and the filesystem can be modified now further.</div>
<div class="graf graf--p" name="6db5">
I thoroughly enjoyed performing assessment of such software.</div>
<div class="graf graf--p" name="2863">
<br /></div>
<div class="graf graf--p" name="2863">
Thanks</div>
</div>
<h2>Blockchain Application Security Assessment / Vulnerability Assessment</h2>
<p>Posted 2017-11-04</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
After a long gap. <div>
<br /></div>
<div>
Blockchain: more and more people are hearing about this disruptive underlying technology. The reason? Bitcoin.</div>
<div>
<br /></div>
<div>
Out of the research and learning I have done on blockchain, I decided to put together some things that are helpful for performing security assessments of blockchain applications.</div>
<div>
<br /></div>
<div>
Bitcoin, Ethereum and all other cryptocurrencies or platforms are based on blockchain technology. Platforms like Ethereum allow code, i.e. smart contracts, to run on the blockchain. Does this mean these platforms are more secure and do not require any security assessment? No. Let's start with the basic security aspects of this technology.</div>
<div>
<br /></div>
<div>
The ABCD of security is CIA: Confidentiality, Integrity and Availability. Let's start addressing the security of a blockchain application from these core principles. I am considering the Ethereum (public) blockchain as the example. </div>
<div>
<br /></div>
<div>
<b>Availability</b> - Yes, apps or smart contracts are always available and cannot be taken down by DoS or DDoS attacks or by any system crash, as the code is replicated across multiple nodes. </div>
<div>
<br /></div>
<div>
<b>Integrity</b> - OK, I would say this is 50-50. The blockchain platform does preserve the integrity of the code by replicating it across different nodes, and a change on one node cannot be accepted/approved by the other network members (many other conditions apply here). But the code that a developer deploys on the blockchain could itself be vulnerable and may not do what it is intended to do until it is assessed thoroughly. An example is the DAO hack, where a vulnerable function let an attacker drain funds. Here security professionals have a huge role to play in assessing the design of smart contracts and the code quality. </div>
<div>
<br /></div>
<div>
<b>Confidentiality</b> - Again, developers need to be cautious when any confidential information is kept on the blockchain. On a public blockchain contracts can be viewed by anyone, so one has to be careful about deploying sensitive information on the blockchain. </div>
<div>
<br /></div>
<div>
<br /></div>
<div>
I could be missing many things, but below is the brief methodology I came up with while assessing blockchain applications.</div>
<div>
<br /></div>
<div>
1. <b>Platform Capability Assessment</b> (understanding the underlying platform) - public/private, and the wallet API capabilities used by the blockchain application.</div>
<div>
<br /></div>
<div>
2. <b>Perform Design Analysis</b> - specific to blockchain apps:</div>
<div>
<ul style="text-align: left;">
<li>Review the design and control flow of the smart contract</li>
<li>Test the smart contract against all the applicable business logic test cases - <a href="https://www.owasp.org/index.php/Testing_for_business_logic">https://www.owasp.org/index.php/Testing_for_business_logic</a> </li>
<li>Restrict state changes on the blockchain in code, according to the requirements</li>
<li>Review the strength of the cryptographic material used by the smart contract</li>
<li>A very <b>good resource</b> - <a href="https://courses.csail.mit.edu/6.857/2017/project/23.pdf">https://courses.csail.mit.edu/6.857/2017/project/23.pdf</a></li>
</ul>
<div>
3. <b>Traditional Security Assessment - </b></div>
</div>
<div>
<ul style="text-align: left;">
<li>This section covers traditional security aspects and security guidelines. Follow OWASP.</li>
</ul>
<div>
4. <b>Reporting - </b>Put things together</div>
</div>
<div>
<br /></div>
<div>
Also, below are some tools I came across that I think could be very useful for assessing blockchain applications.</div>
<div>
<br /></div>
<div>
Solgraph (visual representation of a smart contract) - <a href="https://github.com/raineorshine/solgraph">https://github.com/raineorshine/solgraph</a> </div>
<div>
Zeppelin (write secure smart contracts) - <a href="https://github.com/OpenZeppelin/zeppelin-solidity">https://github.com/OpenZeppelin/zeppelin-solidity</a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
All of the above I have put together from my understanding of the technology and my experience in cyber security. Feel free to comment.</div>
<div>
<br /></div>
<div>
See yaa!!</div>
<div>
<br /></div>
<div>
<br /></div>
</div>
<h2>Make VPN accessible to Mobile devices from a VPN connected host</h2>
<p>Posted 2015-02-07</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
Hey All,<br />
<br />
Ever run into a problem like this before?<br />
<br />
The host machine, i.e. the intercepting device, is on the VPN.<br />
A device like an iPad or Android phone whose traffic has to be intercepted and sent out only through the host machine's VPN connection.<br />
<br />
Well, I have found a solution (well, I know people generally don't care about this crap).<br />
<br />
Before this, one should be familiar with USB tunneling, proxies on devices and SSH tunneling concepts.<br />
<br />
What do we need for this?<br />
<br />
1) USB tunnel (iFunbox or any tunneling software for iOS, ADB for Android)<br />
2) SSH installed on the iPad or Android device<br />
3) Burp Suite, PuTTY<br />
<br />
Steps:<br />
<br />
1) Put the host machine on the VPN.<br />
2) Connect the device (iOS or Android) using the USB cable.<br />
3) After connecting, establish tunnels through the USB cable.<br />
<br />
For iOS, using the iFunbox tunnel: Quick Toolbox -> USB Tunnel (make sure you see port 22).<br />
For an Android device follow<br />
<a href="http://techie-anand.blogspot.in/2013/12/android-usb-ssh-connection-equivalent.html">http://techie-anand.blogspot.in/2013/12/android-usb-ssh-connection-equivalent.html</a><br />
<br />
4) Now it's time to establish the SSH connection with a reverse tunnel (the -R option).<br />
5) Use PuTTY to establish the SSH connection from the host to the device.<br />
6) Enter the SSH connection details as "127.0.0.1" with port "22" (this works because of the USB tunnel).<br />
7) Now go to SSH -> Tunnels and enter the source port as "3232" (or any port you like) and the destination address as<br />
x.x.x.x:8080 (here x.x.x.x is the IP address of the host machine &lt;not the VPN address&gt; and 8080 is the port on which Burp Suite is listening on the host machine, which is on the VPN).<br />
8) Select the Remote option in PuTTY and click Add.<br />
9) Now establish the SSH connection by entering valid credentials.<br />
10) Now set the proxy option on the device to "localhost:3232", where 3232 is the -R remote port opened on the server (device) side and localhost is the interface.<br />
11) Now open any browser or application; all traffic should go out through the VPN connection, with interception through Burp.<br />
<br />
<br />
--HapKing--<br />
<br />
<br />
<br /></div>
<h2>Reflected File Download (RFD)</h2>
<p>Posted 2014-11-12</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
RFD is a new vulnerability that can be checked for while doing vulnerability assessment of web services.<br />
<br />
Let's walk through this vulnerability and its requirements.<br />
<br />
<br />
RFD occurs when the server delivers its response as a file download. For example, click on the link below:<br />
<br />
<a href="https://www.google.com/s?gs_ri=psy-ab&q=123">https://www.google.com/s?gs_ri=psy-ab&q=123</a><br />
<br />
<br />
When we click the link above, the server delivers the JSON response as a text file. The response header responsible for serving it as a file is<br />
<br />
<b>Content-Disposition: attachment; filename="f.txt" </b><br />
<br />
If the header in the server's response does not have the "filename" parameter, then we can force the browser to use a filename of our choice, say "setup.bat", by supplying the filename as a path parameter (using a semicolon ; for path parameters).<br />
<br />
So if the Content-Disposition header does not have a filename, it can be reported as a vulnerability (or as not a best practice). Up to here is the vulnerability discovery. Let's go through the exploitation procedure.<br />
<br />
Say we have a Content-Disposition header without a filename in the response; then we have to check the response and its type. If the response is JSON, we have to see whether it is escaping double quotes.<br />
<br />
For example:<br />
<br />
<br />
Giving a double quote to the q parameter in the URL below (if <b>escaped</b>, not encoded)<br />
<br />
https://www.google.com/s?gs_ri=psy-ab&q=<b>123"</b><br />
<b><br /></b>
will produce the JSON response {val:"123<b>\"</b>"}. So in order to exploit this escaping behaviour we use pipe symbols to concatenate our shell commands.<br />
<br />
<br />
Let us see how injected commands in the JSON work.<br />
<br />
Inject "||calc|| to above url then we will have a response as<br />
<br />
{val:"123<b>\""||calc||"</b>} (Try giving this raw input in command prompt <b>dadf2342fatrash\""||calc</b>|<b>|</b>)<br />
<br />
Backslash "\" in response is acting like path separator (windows format c:\sample\) but not like escape character (point to note) <br />
<br />
If the above JSON response is saved with a .bat extension, we have a batch file as output, and on click the <b>calc</b> command will run in the command prompt.<br />
<br />
The main challenge is to get the output saved with a .bat file extension. For this, path parameters are used to force the browser to use our own file name and extension. Here an attacker would run malicious commands instead of calc.<br />
<br />
<br />
The RFD vulnerability is applicable under the following conditions:<br />
<br />
1) A service or response is applicable to RFD only if the response has a "Content-Disposition" header without a filename.<br />
<br />
2) The response should contain some JSON-type content or strings (I'm being generic).<br />
<br />
3) Characters like the double quote " have to be escaped but not encoded.<br />
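<br />
The three conditions above can be turned into a check. Below is an added example in Python (not this post's code and not from the Black Hat paper linked below) that tests one HTTP response against them, and beside it the response shape that defeats all three: a fixed filename in Content-Disposition so a path parameter cannot choose the name, X-Content-Type-Options: nosniff, and the reflected value reduced to an allowlist before it is embedded in the JSON. The headers and bodies are constructed in the script; the probe value 123" is the one used in the post.<br />
<br />
```python
"""Check one HTTP response against the three RFD preconditions, and show a
response shape that does not satisfy them (added example, not the post's code)."""
import json
import re

COND_NO_FILENAME = "content-disposition without filename"
COND_REFLECTED = "input reflected in body"
COND_ESCAPED_QUOTE = "double quote escaped with backslash, not encoded"


def header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def rfd_findings(headers, body, probe):
    """Return which of the three preconditions hold for a response to a request
    that carried `probe` (a string containing a double quote) in a parameter."""
    findings = []
    cd = header(headers, "Content-Disposition")
    # 1. Content-Disposition present but no filename (filename or filename*).
    if cd and not re.search(r"filename\*?\s*=", cd, re.IGNORECASE):
        findings.append(COND_NO_FILENAME)
    # 2. The request parameter is reflected into the body.
    marker = probe.replace('"', "")
    if marker and marker in body:
        findings.append(COND_REFLECTED)
    # 3. The quote came back as \" (escaped) rather than \u0022 or &quot; (encoded).
    if '"' in probe and '\\"' in body:
        findings.append(COND_ESCAPED_QUOTE)
    return findings


def is_exposed(findings):
    """All three preconditions must hold at once for the response to be usable for RFD."""
    return {COND_NO_FILENAME, COND_REFLECTED, COND_ESCAPED_QUOTE} <= set(findings)


def weak_response(probe):
    """Constructed response of the kind described in the post: an attachment with
    no filename, the parameter reflected into JSON with the quote backslash-escaped."""
    headers = {"Content-Type": "application/json",
               "Content-Disposition": "attachment"}
    return headers, json.dumps({"val": probe})


def hardened_response(probe):
    """Same endpoint with the mitigations applied: a fixed filename, nosniff, and
    the reflected value reduced to an allowlist before it is embedded."""
    safe = re.sub(r"[^A-Za-z0-9 _-]", "", probe)
    headers = {"Content-Type": "application/json; charset=utf-8",
               "Content-Disposition": 'attachment; filename="f.json"',
               "X-Content-Type-Options": "nosniff"}
    return headers, json.dumps({"val": safe})


if __name__ == "__main__":
    probe = '123"'
    for label, build in (("weak", weak_response), ("hardened", hardened_response)):
        h, b = build(probe)
        f = rfd_findings(h, b, probe)
        print(f"{label}: {b} -> {f} exposed={is_exposed(f)}")
```
<br />
The checker only reports a response as exposed when all three conditions hold together; reflection on its own, which the hardened response still does, is not a finding by itself.<br />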
<br />
<br />
<br />
For complete information on this vulnerability follow the link below:<br />
<br />
<a href="https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector-wp.pdf">https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector-wp.pdf</a><br />
<br />
HapKing</div>
<h2>$800 Bug Bounty Reward by Asana</h2>
<p>Posted 2014-09-18</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
Hey All,<br />
<br />
Found a critical vulnerability in Asana.com. Asana is intended for team work without emails. So let's get to the vulnerability.<br />
<br />
I uncovered this vulnerability by using both the web and iOS versions of Asana.<br />
<br />
So what is the vulnerability?<br />
<br />
The registration token is visible to the invited person and to the inviter. Shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6nE9b1UpV8tDciu7HzmC03YnlDJWWyDjDcDn2twzegaQ-RfYHEbXAuhh3odTPa__Nvt8mWylRtMJOTrC-m0EdwwpnPJi4-BjLnMlwWTq70ZdtpGbO1kMNVycTaX39YqAVF5bOVmudCIV0/s1600/email.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6nE9b1UpV8tDciu7HzmC03YnlDJWWyDjDcDn2twzegaQ-RfYHEbXAuhh3odTPa__Nvt8mWylRtMJOTrC-m0EdwwpnPJi4-BjLnMlwWTq70ZdtpGbO1kMNVycTaX39YqAVF5bOVmudCIV0/s1600/email.jpg" height="155" width="320" /></a></div>
<br />
<br />
The link above is sent to the invited user, and the token can be extracted from the iOS device logs, as shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4otnRHq5OIHAnIRZ9ZuR3LCSAUtiTxPbUUOMd8aFdHKv1vKMCinS9rZ411ZS2xZXmrHy8nBMTpOWhJ6DGopfK4c5aPFwD6RPo8DXcmeMK3O69G2znlUXj9nhnNNSJMzI78bAbGS_MdDsX/s1600/iOS+logs.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4otnRHq5OIHAnIRZ9ZuR3LCSAUtiTxPbUUOMd8aFdHKv1vKMCinS9rZ411ZS2xZXmrHy8nBMTpOWhJ6DGopfK4c5aPFwD6RPo8DXcmeMK3O69G2znlUXj9nhnNNSJMzI78bAbGS_MdDsX/s1600/iOS+logs.jpg" height="58" width="320" /></a></div>
<br />
<br />
An attacker can create an account with any person's email id without their knowledge.<br />
<br />
Team Asana responded very quickly. A reward of $800 USD was awarded to me.<br />
<br />
Thanks a lot Asana.<br />
<br />
HapKing<br />
<br /></div>
<h2>Passing Parameter to Shortened URL</h2>
<p>Posted 2014-06-25</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
Hi,<br />
<br />
Vulnerability assessment of an application forced me to look for a URL service that would shorten the URL and pass parameters on to the long URL after redirection.<br />
<br />
E.g.<br />
<br />
In the goo.gl URL shortening service we can have a short URL like<br />
<br />
<b>http://goo.gl/xyz../ </b> to<b> </b><b>http://www.google.com</b><br />
<b><br /></b>
What if you want to pass an argument from the short URL to the long one? (think)<br />
<br />
E.g<br />
<br />
<b>http://goo.gl/xyz../?q=123</b> to <b>http://www.google.com/?q=123</b><br />
<br />
<br />
Well, the above is not possible with the Google URL shortener service.<br />
<br />
<br />
However, you can pass arguments using the <a href="http://snurl.com/">http://snurl.com/</a> URL shortener service.<br />
<br />
<br />
E.g. <b>http://snurl.com/xyz123../?q=123</b> to<b> http://www.google.com/?q=123</b><br />
<b><br /></b>
In the above case the argument <b>q=123</b> will be appended to the original URL as shown.<br />
<br />
HapKing...<br />
<br />
<br /></div>
<h2>Xposed framework in Security testing of Android applications</h2>
<p>Posted 2014-06-22</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
Hey all,<br />
<br />
It is quite difficult to perform runtime analysis and manipulation of Android applications. Since every app runs in its own Dalvik VM instance, it is difficult to hook into an Android application and its methods.<br />
<br />
Don't worry, we have a solution for it. The Xposed framework can do the trick for us. How the Xposed framework works can be found <a href="https://github.com/rovo89/XposedBridge/wiki/Development-tutorial">here</a>. Using the Xposed framework we can create specific modules that hook into an Android app's methods and change them.<br />
<br />
Refer to this link: <a href="https://github.com/rovo89/XposedBridge/wiki/Development-tutorial">https://github.com/rovo89/XposedBridge/wiki/Development-tutorial</a><br />
<br />
HapKing</div>
<h2>ANDROID USB SSH CONNECTION EQUIVALENT TO iOS USBMUX TUNNEL</h2>
<p>Posted 2013-12-08</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
Here is a trick you can use when making an SSH connection to an Android device via USB (if the Android device and PC are on different networks, i.e. subnets).<br />
<br />
<b>Prerequisites</b><br />
<br />
Rooted device<br />
<br />
<b>Steps</b><br />
<br />
1) Install SSHDroid from the Play Store and turn on SSH<br />
<br />
2) Connect the device to the PC using a data cable<br />
<br />
3) Now type the following command:<br />
<br />
<blockquote class="tr_bq">
<span style="background-color: #999999;">adb forward tcp:22 tcp:22</span></blockquote>
<br />
4) Now open PuTTY, enter the host as <span style="background-color: #999999;">127.0.0.1</span> and the port as <span style="background-color: #999999;">22</span>, and connect to the device over USB.. :)<br />
<br />
...HAPKING...</div>
<h2>Intercepting Android HTTPS connection</h2>
<p>Posted 2012-12-12</p>
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="MsoNoSpacing">
<br /></div>
<div class="MsoNormal">
Setting up proxy and getting it work is very difficult task in android. Now here is the tutorial to set up proxy for android application.</div>
<div class="MsoNormal">
Basically certificates can be kept in android trusted store or may be placed within the application to establish HTTPS connection</div>
<div class="MsoNormal">
<b><span style="font-size: 14pt; line-height: 21px;">Prerequisites<o:p></o:p></span></b></div>
<div class="MsoNormal">
Good idea on SSL ( create ssl certificate using openssl to understand)</div>
<div class="MsoNormal">
Hands on Android emulator</div>
<div class="MsoNormal">
<b><span style="font-size: 14pt; line-height: 21px;">Android trusted store for android versions<o:p></o:p></span></b></div>
<div class="MsoNormal">
Android trusted certificate store is kept in BKS (bouncycastle) format for android version < 4. So it we have to prepare BKS format certificate. Google it for creating BKS format for android version < 4 After creating BKS format certificate we need to push that into the emulator or device and override the present <b>cacert.bks<o:p></o:p></b></div>
<div class="MsoNormal">
Android version > 4 have option to install certificate. Go to settings-> security and select Install from sdcard option. You need to push certificate using</div>
<div class="MsoNormal">
adb push “cert path.cer” /mnt/sdcard < create sdcard space using AVD> </div>
<div class="MsoNormal">
We can install our trusted certificate using that option (very easy in android version > 4)</div>
<div class="MsoNormal">
<b><span style="font-size: 14pt; line-height: 21px;">Trusted certificate<o:p></o:p></span></b></div>
<div class="MsoNormal">
Every https android application will have either CA signed certificate or self signed certificate. If the application is CA signed certificate then we have to compromise Android Trusted store for intercepting SSL request. If the application is self signed certificate then it may use android trusted store or may use its own local keystore for establishing https connection.</div>
<div class="MsoNormal">
<b><span style="font-size: 14pt; line-height: 21px;">Tools<o:p></o:p></span></b></div>
<div class="MsoListParagraphCxSpFirst" style="text-indent: -18pt;">
1)<span style="font-size: 7pt;"> </span><a href="http://code.google.com/p/dex2jar/">Dex2jar </a><b> <o:p></o:p></b></div>
<div class="MsoListParagraphCxSpMiddle" style="text-indent: -18pt;">
2)<span style="font-size: 7pt;"> </span><a href="http://code.google.com/p/android-apktool/">Apktool</a><b><o:p></o:p></b></div>
<div class="MsoListParagraphCxSpMiddle" style="text-indent: -18pt;">
3)<span style="font-size: 7pt;"> </span><a href="http://www.bouncycastle.org/latest_releases.html">Bouncy castle</a> for (BKS) format cert creation<b><o:p></o:p></b></div>
<div class="MsoListParagraphCxSpMiddle" style="text-indent: -18pt;">
4)<span style="font-size: 7pt;"> </span><a href="http://java.decompiler.free.fr/?q=jdgui">JD-Gui</a><b><o:p></o:p></b></div>
<div class="MsoListParagraphCxSpLast" style="text-indent: -18pt;">
5)<span style="font-size: 7pt;"> </span>Burp suite<b><o:p></o:p></b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-size: 14pt; line-height: 21px;">Steps<o:p></o:p></span></b></div>
<div class="MsoListParagraphCxSpFirst" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>This was done in emulator</div>
<div class="MsoListParagraphCxSpMiddle" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>Install the android sdk and related tools, may take some time</div>
<div class="MsoListParagraphCxSpMiddle" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>After installing everything launch AVD (android virtual device). Also use following command “<b>android avd”</b> to launch</div>
<div class="MsoListParagraphCxSpMiddle" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>Create a virtual device and allocate some space in “sdcard” in given options</div>
<div class="MsoListParagraphCxSpMiddle" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>Emulator will be launched. You can check device connected by using “adb devices” command</div>
<div class="MsoListParagraphCxSpMiddle" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>After successfully connecting we need to install apk file that was given to us. Use following command “adb install <filename .apk=".apk">”</filename></div>
<div class="MsoListParagraphCxSpMiddle" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>Application will install. If any dependencies are missing then app will not install. Fix them</div>
<div class="MsoListParagraphCxSpLast" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>“Logcat” is the command used to check the logs the application is logging. In order to monitor the application and see its behaviour use following</div>
<div class="MsoNormal" style="margin-left: 36pt;">
Adb logcat | findstr <app keyword="keyword" specific="specific"> in windows</app></div>
<div class="MsoNormal" style="margin-left: 36pt;">
Adb logcat | grep < app specific keyword> in linux</div>
<div class="MsoNormal" style="margin-left: 36pt;">
App specific keyword can be its name or uniquely identified in logs</div>
<div class="MsoListParagraphCxSpFirst" style="margin-left: 37.6pt; text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>Run the application and verify the logs and its behaviour</div>
<div class="MsoListParagraphCxSpLast" style="margin-left: 37.6pt; text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>Now we have to set the proxy for the emulator use following command</div>
<div class="MsoNormal" style="margin-left: 36pt;">
<b>Emulator –avd “name of virtual device” –http-proxy </b><a href="http://127.0.0.1:8080/">http://127.0.0.1:8080</a><b><o:p></o:p></b></div>
<div class="MsoNormal">
Run burpsuite on port 8080.</div>
<div class="MsoListParagraphCxSpFirst" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>Check the proxy by launching the android browser. It should be intercepted.</div>
<div class="MsoListParagraphCxSpLast" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>Again run logcat to view the behaviour of the application when it is proxied. If you encounter https connection then the application may not send request to server and it will throw error in the logs that can be verified</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-size: 14pt; line-height: 21px;">Certificate signing<o:p></o:p></span></b></div>
<div class="MsoNormal">
If the connection is intercepted then it is fine. If the https connection is not intercepted then the real challenge comes.</div>
<div class="MsoNormal">
Let’s say we are making use of android version 4. Now we have to find out whether the application uses android trusted store to establish https connection or its local keystore.</div>
<div class="MsoNormal">
Verify the URL it is that it is making use of to connect to server and access that URL using browser. By doing so we can know whether the certificate is self signed or CA signed, usually test sites are self signed.</div>
<div class="MsoListParagraphCxSpFirst" style="text-indent: -18pt;">
1)<span style="font-size: 7pt;"> </span>If CA signed</div>
<div class="MsoListParagraphCxSpLast" style="text-indent: -18pt;">
2)<span style="font-size: 7pt;"> </span>If self signed</div>
<div class="MsoNormal">
1)</div>
<div class="MsoNormal">
If CA signed then it is quite easy to compromise the android certificate trusted store. Just follow this guide. Look upto installing certificate on emulator.<a href="http://blog.opensecurityresearch.com/2012/07/proxying-android-40-ics-and-fs-cert.html">http://blog.opensecurityresearch.com/2012/07/proxying-android-40-ics-and-fs-cert.html</a> . Install certificate. <<b>Note: </b>you will not see your installed certificate on trusted credentials -> user certificate></div>
<div class="MsoNormal">
2)</div>
<div class="MsoNormal">
If self signed then again we have to follow some other things.</div>
<div class="MsoListParagraphCxSpFirst" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>Find out the URL that uses to connect to server.</div>
<div class="MsoListParagraphCxSpMiddle" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>Set proxy to browser and use burp suite as proxy server (port as your wish usually 8080). Access the URL (<a href="https://name.com/"><b>https</b>://name.com/</a>) in pc browser and intercept the connection using burp suite.</div>
<div class="MsoListParagraphCxSpMiddle" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span> Browser will display error. Add the certificate to exception list. Then go to tools->options->Advanced->encryption and view certificates button. Check for the portswigger certificate for that particular domain name (E.g . portswigger cert if google is intercepted, the portwigger google certificate).</div>
<div class="MsoListParagraphCxSpLast" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>Select the certificate and click on export. Appen (<b>.cer</b>) to the name of the file and save it. A certificate will be created on your desktop</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-size: 14pt; line-height: 21px;">Find local keystore<o:p></o:p></span></b></div>
<div class="MsoNormal">
If we are lucky then we can find in logs the process that is making request to server and accepting response. Use (adb logcat | grep <app keyword="keyword" specific="specific">)</app></div>
<div class="MsoNormal">
Follow steps to find local keystore</div>
<div class="MsoListParagraphCxSpFirst" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>Use dex2jar application to decompile the application to jar file <b>“d2j-dex2jar< filename.apk>”. </b>locate the code which makes HTTPS connection and fine lines like these</div>
<div class="MsoListParagraphCxSpMiddle">
<br /></div>
<div class="MsoListParagraphCxSpMiddle">
<b>KeyStore localKeyStore = KeyStore.getInstance("BKS");</b></div>
<div class="MsoListParagraphCxSpMiddle">
<b>InputStream localInputStream = this.context.getResources().openRawResource(R.raw.name_of_file); // the .bks file shipped under res/raw</b></div>
<div class="MsoListParagraphCxSpMiddle">
<b>try</b></div>
<div class="MsoListParagraphCxSpMiddle">
<b>{</b></div>
<div class="MsoListParagraphCxSpLast">
<b>    localKeyStore.load(localInputStream, "pass".toCharArray()); // hard-coded keystore password</b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoListParagraphCxSpFirst" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>if you find lines then application uses local keystore to create https connection.<b><o:p></o:p></b></div>
<div class="MsoListParagraphCxSpMiddle" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>Now we need to again decompile the application to smali files.<b><o:p></o:p></b></div>
<div class="MsoListParagraphCxSpLast" style="text-indent: -18pt;">
<span style="font-family: Symbol;">·<span style="font-family: 'Times New Roman'; font-size: 7pt;"> </span></span>Use APKTOOL to decompile it. Use the following command “<b>apktool d <filename .apk=".apk"></filename></b>”. output will be generated. Search for BKS format certificate. If you find it the its bingo. Now we have to replace the certificate with our burp suite public certificate<b><o:p></o:p></b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-size: 14pt; line-height: 21px;">BKS format certificate creation<o:p></o:p></span></b></div>
<div class="MsoNormal">
Google it for BKS format certificate creation. We have bunch of tutorials. While creating BKS format certificate the “store pass” should be given as<b> </b>the keyword specified in the following line<b> </b>(here as pass)<b> <</b>localKeyStore.load(localInputStream<b>,"pass".</b>toCharArray());><b> <o:p></o:p></b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span style="font-size: 14pt; line-height: 21px;">Final steps<o:p></o:p></span></b></div>
<div class="MsoNormal">
The created BKS format certificate has to be replaced with our own created BKS certificate.</div>
<div class="MsoNormal">
We have to build the application using apktool. Use following command</div>
<div class="MsoNormal">
<b>Apktool b “application directory”<o:p></o:p></b></div>
<div class="MsoNormal">
Install the application on emulator using following command</div>
<div class="MsoNormal">
“<b>Adb install <filename .apk=".apk"></filename></b>”</div>
<div class="MsoNormal">
Again restart the emulator by setting the proxy ( <b>emulator –avd “virtual device name” –http-proxy <a href="http://127.0.0.1:8080/">http://127.0.0.1:8080</a></b> )<b><o:p></o:p></b></div>
<div class="MsoNormal">
Now start the application. BURP suite will definitely intercept the connection ....... <span style="font-family: Wingdings;">J</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
...HAPKING...</div>
</div>
Anand Namanahttp://www.blogger.com/profile/18231660585428540339noreply@blogger.com0tag:blogger.com,1999:blog-2518488935287176056.post-10479993650193246342012-12-06T02:05:00.000-08:002012-12-06T02:05:30.286-08:00How ssl or https connection works<div dir="ltr" style="text-align: left;" trbidi="on">
Let's see how HTTPS connections work and how they behave when a proxy is placed on an HTTPS connection. The best way to understand an SSL connection is to create our own SSL certificate.<br />
<div>
<br /></div>
<div>
Basically there are two concepts involved in SSL certificates:</div>
<div>
1) Public key and private key for encryption and decryption</div>
<div>
2) Certificate signing, where CAs come into play</div>
<div>
<br /></div>
<div>
1) </div>
<div>
<br /></div>
<div>
We can find a lot of tutorials on how public and private keys, i.e. asymmetric encryption, work.</div>
<div>
Let's have a brief look at it.</div>
<div>
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivafWijH_0JZcM6k_IyYfF3arbIAUECyC0Ykz1cy0r0kj-zRn-gl1PWfyd1G3fj6N935GvoE11l22gMvKAld-FFnT8TDBQXF0lHuLegRjVdIUoGHT7-emtz2LK7WwBI_m8SPmND_9BlB1m/s1600/ssl.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivafWijH_0JZcM6k_IyYfF3arbIAUECyC0Ykz1cy0r0kj-zRn-gl1PWfyd1G3fj6N935GvoE11l22gMvKAld-FFnT8TDBQXF0lHuLegRjVdIUoGHT7-emtz2LK7WwBI_m8SPmND_9BlB1m/s400/ssl.png" width="400" /></a></div>
The browser requests the https:// URL. The server sends its public key certificate. The browser verifies the certificate and checks which authority signed it. If the authority that signed the certificate is not among the ones the browser knows, an error is raised.<br />
<br />
2)<br />
<br />
Now the concept of CAs comes into play. A browser trusts only a particular set of CAs (certificate authorities). So every certificate has to be signed by a third-party CA that the browser trusts.<br />
<br />
Let's see how SSL behaves when a proxy is set up.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8voDErdGobP1e9xKhzvxLP7aM5rl93f4b-B_SjD5SO-iD-WepK59uS1bUAqWm894u-WHxxtnSqBP32SasuXrCBss0umudT3rXxXBLa-Si1QydCjm3YJkJq0r4lffOwvpQ8yA9VWAL1_LM/s1600/ssl.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8voDErdGobP1e9xKhzvxLP7aM5rl93f4b-B_SjD5SO-iD-WepK59uS1bUAqWm894u-WHxxtnSqBP32SasuXrCBss0umudT3rXxXBLa-Si1QydCjm3YJkJq0r4lffOwvpQ8yA9VWAL1_LM/s400/ssl.png" width="400" /></a></div>
<br />
The browser sends the HTTPS request to the proxy server, e.g. Burp proxy on our PC. Burp internally carries its own certificate and CA, named PortSwigger.<br />
Step 1: The browser does not trust that certificate and issues a warning.<br />
Step 2: We are asked to add an exception for the certificate.<br />
Step 3: A second session is then established between the proxy server and the actual server, which sends and receives information using the real server's public key.<br />
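The post suggests creating our own certificate to understand this, so here is that exercise as an added example (not part of the original post): a tiny private CA built with openssl, a server certificate signed by it, and the verification step the browser performs above. The CA names, the server name and the WORK directory are constructed for the demo; it goes one step beyond the text by verifying the same certificate against two different trust stores.

```shell
#!/bin/sh
# Added example, not code from the original post: a private CA built with openssl
# to show why a certificate is accepted only when its signing CA is in the trust
# store. CA/server names and the WORK directory are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: create a self-signed root CA. A public CA, or Burp's built-in
# PortSwigger CA, is fundamentally this: a self-signed cert used to sign others.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$1" >/dev/null 2>&1
}

# make_server_cert CA_NAME: generate the server's key pair, build a certificate
# signing request for name.com, and have the named CA sign it.
make_server_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=name.com" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -days 365 -out "$WORK/server.crt" >/dev/null 2>&1
}

# verify_against CA_NAME: the browser's "check the authority that signed it" step,
# with the named CA as the entire trust store. Prints ok/fail, returns 0/1.
verify_against() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/server.crt" >/dev/null 2>&1; then
    echo "ok"
    return 0
  fi
  echo "fail"
  return 1
}

# demo: the server cert signed by DemoRootCA verifies against DemoRootCA, but is
# rejected when the trust store holds only an unrelated CA. That rejection is the
# warning the browser shows for Burp's certificate until Burp's CA is trusted.
demo() {
  make_ca DemoRootCA
  make_ca OtherCA
  make_server_cert DemoRootCA
  echo "trust store = DemoRootCA: $(verify_against DemoRootCA || true)"
  echo "trust store = OtherCA:    $(verify_against OtherCA || true)"
}

demo
```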
<br />
....hapking....<br />
<br />
<br />
<br /></div>
</div>
Anand Namanahttp://www.blogger.com/profile/18231660585428540339noreply@blogger.com0tag:blogger.com,1999:blog-2518488935287176056.post-19081935557184160862012-10-05T02:46:00.002-07:002012-10-05T02:58:52.699-07:00Wireless Security Tools<div dir="ltr" style="text-align: left;" trbidi="on">
Hii<br />
Check out this site. It has a bunch of wireless security applications:<br />
<a href="http://www.corecom.com/html/wlan_tools.html">http://www.corecom.com/html/wlan_tools.html</a><br />
<br />
.....HAPKING........ </div>
Anand Namanahttp://www.blogger.com/profile/18231660585428540339noreply@blogger.com0tag:blogger.com,1999:blog-2518488935287176056.post-55405467027507322622012-09-05T23:34:00.003-07:002012-09-05T23:34:38.125-07:00Encoding<div dir="ltr" style="text-align: left;" trbidi="on">
Every pentester should have good knowledge of encoding. Encoding is one of the most effective techniques for bypassing filters. Here is very good info on encoding:<br />
<br />
<a href="http://htmlpurifier.org/docs/enduser-utf8.html">http://htmlpurifier.org/docs/enduser-utf8.html</a> </div>
Anand Namanahttp://www.blogger.com/profile/18231660585428540339noreply@blogger.com0tag:blogger.com,1999:blog-2518488935287176056.post-15741882934443670012012-08-29T22:18:00.000-07:002012-08-29T22:37:44.772-07:00SiliconIndia.com CSRF vulnerability<div dir="ltr" style="text-align: left;" trbidi="on">
Found a CSRF vulnerability in the Siliconindia.com website. The unique id that is generated is not validated while changing a user's email address.<br />
<br />
Proof of concept<br />
<br />
The Update Email field is vulnerable to a CSRF attack.<br />
<br />
&lt;form method="post" name="form2" action="http://www.siliconindia.com/home/confirm_email.php?UW4CZH85LfJ2p7Q8dkZAiu3aYX4zw761" id="frm"&gt;<br />
<br />
The unique id is not validated when updating the email address.<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
...HapKing</div>
Anand Namanahttp://www.blogger.com/profile/18231660585428540339noreply@blogger.com0tag:blogger.com,1999:blog-2518488935287176056.post-91455714648137981912012-08-28T02:55:00.002-07:002012-08-28T02:55:52.764-07:00IronWASP<div dir="ltr" style="text-align: left;" trbidi="on">
Wow... an excellent tool written by <a href="https://twitter.com/lavakumark">lavakumar</a>. This tool is very precise when it comes to pentesting. We can use it via the GUI and can also interact with it using a scripting language like Python or Ruby. To help understand the tool, videos are linked on the IronWASP website. <br />
<br />
Here is the link <a href="http://ironwasp.org/">http://ironwasp.org/ </a><br />
<br />
Good documentation would be very helpful for digging deeper into the tool.<br />
<br /></div>
Anand Namanahttp://www.blogger.com/profile/18231660585428540339noreply@blogger.com0tag:blogger.com,1999:blog-2518488935287176056.post-90158205495285139862012-08-27T06:00:00.001-07:002012-08-27T06:01:50.892-07:00Way2Sms.com XSS vulnerability<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="text-align: left;">I found XSS vulnerability in way2sms.com. The below image shows the session id.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG_qargSHDdn6tk36_3yR9c3ihOod20pntTx4riAu5ppuwmx-H-Cltg0BAD0vh38IOTLTfYmho_Cozz1nMo5H4kQmer5Q-XgqQgqx6xvwgv4I2jbCpak0kpfile6_uBTM_j3aKV3mD7eyH/s1600/way2smsxss.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="211" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjG_qargSHDdn6tk36_3yR9c3ihOod20pntTx4riAu5ppuwmx-H-Cltg0BAD0vh38IOTLTfYmho_Cozz1nMo5H4kQmer5Q-XgqQgqx6xvwgv4I2jbCpak0kpfile6_uBTM_j3aKV3mD7eyH/s400/way2smsxss.jpg" width="400" /></a></div>
<br />
Reported to way2sms.com and it is fixed. It's really sad to know that they don't even know to acknowledge a person who found a security hole in their website.<br />
<br />
Hapking....</div>
Anand Namanahttp://www.blogger.com/profile/18231660585428540339noreply@blogger.com1tag:blogger.com,1999:blog-2518488935287176056.post-37758126759568897772012-07-11T07:03:00.000-07:002012-07-11T07:03:30.622-07:00SQLMAP Tutorial<div dir="ltr" style="text-align: left;" trbidi="on">
I suggest using tools only after understanding SQL injection and how it is performed manually.<br />
<br />
SQLMAP is a very good tool for performing SQL injection against applications.<br />
<br />
To see its features type ./sqlmap.py -h<br />
<br />
--> To perform SQL injection on GET method parameters of a website<br />
<br />
./sqlmap.py -u "<cite>
<span style="font-style: normal;">www.example.com/index.php?</span><b>id</b>=<b>1</b></cite>" //automatically SQL injections will be performed<br />
<br />
--> To perform SQL injection on a website using the POST method<br />
<br />
./sqlmap.py -u "<span style="background-color: white;">www.example.com/login.php" --data="id=1" //POST method usage</span><br />
<span style="background-color: white;"><br /></span><br />
<span style="background-color: white;">--> To perform SQL injection on a request with multiple parameters</span><br />
<span style="background-color: white;"><br /></span><br />
<span style="background-color: white;">./sqlmap.py -u "</span><span style="background-color: white;">www.example.com/login.php" --data="id=1&val=2" --param-del="&" </span><br />
<span style="background-color: white;"><br /></span><br />
<span style="background-color: white;"> //here we pass the character that separates the parameters</span><br />
<span style="background-color: white;"><br /></span><br />
<span style="background-color: white;">-->To perform SQL injection with cookies and specify the test level and risk level</span><br />
<span style="background-color: white;"><br /></span><br />
<span style="background-color: white;">./sqlmap.py -u "</span><span style="background-color: white;">www.example.com/login.php" --data="id=1&val=2" --param-del="&" --cookie="JSESSIONID .................." --level=2 --risk=2</span><br />
<span style="background-color: white;"><br /></span><br />
<span style="background-color: white;">--> To perform SQL injection on applications through a proxy</span><br />
<span style="background-color: white;"><br /></span><br />
<span style="background-color: white;">./sqlmap.py -u "</span><span style="background-color: white;">www.example.com/login.php" --data="id=1&val=2" --param-del="&" --cookie=" ....." --level=2 --risk=2 --proxy="http://127.0.0.1:8080"</span><br />
<br />
See ./sqlmap.py -h for more features and options<br />
<br />
..............HapKing..........</div>Anand Namanahttp://www.blogger.com/profile/18231660585428540339noreply@blogger.com0tag:blogger.com,1999:blog-2518488935287176056.post-7014753929103146852012-07-01T21:12:00.000-07:002012-07-01T21:12:00.171-07:00Online encoder<div dir="ltr" style="text-align: left;" trbidi="on">
Every pentester or hacker needs to encode data into various encoding schemes. Have a look at a very good site that provides various encoding schemes.<br />
<a href="http://kanjidict.stc.cx/recode.php">http://kanjidict.stc.cx/recode.php</a> <br />
<br />
...............HapKing........</div>Anand Namanahttp://www.blogger.com/profile/18231660585428540339noreply@blogger.com0tag:blogger.com,1999:blog-2518488935287176056.post-10503902602363959402012-06-28T23:57:00.001-07:002012-07-01T21:12:20.592-07:00Ziddu.com Login Vulnerability<div dir="ltr" style="text-align: left;" trbidi="on">
Hii<br />
Bypassing the login of http://www.ziddu.com/. I really don't understand what's wrong with the site, but when I disable JavaScript and press the login button... boooo... you are in someone's account. You can do anything in that account.<br />
<br />
With JavaScript enabled, the page throws an error.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-mWMLR27wzlvIcKWQO1guzXI1G-i1YicRf-9j4s9ux6hKKEPt-Ytw4FBwJ2pBlgsy7m_CxPwbOlKwYKfUdEq6iXRHiE3DnR5nvUjNaJYN8RXDjQz3S2d-sY_rQokt2CrW5KCgCNRFSMm0/s1600/enable.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-mWMLR27wzlvIcKWQO1guzXI1G-i1YicRf-9j4s9ux6hKKEPt-Ytw4FBwJ2pBlgsy7m_CxPwbOlKwYKfUdEq6iXRHiE3DnR5nvUjNaJYN8RXDjQz3S2d-sY_rQokt2CrW5KCgCNRFSMm0/s320/enable.jpg" width="320" /></a></div>
<br />
<br />
With JavaScript disabled, the page logs in without any error.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDGbLaTth_M6PUplHOKgBxfH-34gpa2MK0Hnkr0nHr8QaNvTNQvmgknGNEfhWCPw6NhtaefpDhDCLW-BRAiPAIQBjyAzXuLLqleHed_cRUqyLOuUCOG8E603BxqMcumN51K7zs_lAUL_VK/s1600/disable.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="178" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDGbLaTth_M6PUplHOKgBxfH-34gpa2MK0Hnkr0nHr8QaNvTNQvmgknGNEfhWCPw6NhtaefpDhDCLW-BRAiPAIQBjyAzXuLLqleHed_cRUqyLOuUCOG8E603BxqMcumN51K7zs_lAUL_VK/s320/disable.jpg" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
....................................HapKing............</div>
<br /></div>Anand Namanahttp://www.blogger.com/profile/18231660585428540339noreply@blogger.com0tag:blogger.com,1999:blog-2518488935287176056.post-69552421603287700432012-06-18T05:54:00.001-07:002012-07-01T21:12:44.869-07:00Pentesting Ipad/iphone applications<div dir="ltr" style="text-align: left;" trbidi="on">
This post deals with pentesting iPad/iPhone applications. A very good explanation of how to pentest iPad/iPhone applications is provided by the Foundstone professionals.<br />
<div>
<a href="http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pen-testing-iphone-ipad-apps.pdf">http://www.mcafee.com/us/resources/white-papers/foundstone/wp-pen-testing-iphone-ipad-apps.pdf</a>
</div>
<div>
<br /></div>
<div>
There is also another approach to testing iPad/iPhone applications. A pentester is not always given the application's binaries; sometimes only IPA files are given to test the application. In that case the pentester can follow these steps:</div>
<div>
<br /></div>
<div>
1) Go to the iPad Wi-Fi settings</div>
<div>
2) Tap the arrow </div>
<div>
3) Tap the proxy settings </div>
<div>
4) Enter the IP address of the laptop or desktop that is on the same Wi-Fi network</div>
<div>
5) Use Burp Suite proxy or Charles proxy as the interceptor. I prefer Burp proxy for intercepting</div>
<div>
<span style="background-color: white;">6) Set the listening port.</span></div>
<div>
<span style="background-color: white;">7) Done!!! All requests will go through Burp Suite proxy. (note: SSL connections may not work)</span></div>
<div>
<span style="background-color: white;"><br /></span></div>
<div>
<span style="background-color: white;">It is very good to debug the HTTP traffic </span></div>
</div>Anand Namanahttp://www.blogger.com/profile/18231660585428540339noreply@blogger.com1tag:blogger.com,1999:blog-2518488935287176056.post-83937744888675231762012-05-13T22:48:00.001-07:002012-07-01T21:13:06.764-07:00Searching for Internal mail servers<div dir="ltr" style="text-align: left;" trbidi="on">
hii...<br />
We are aware of the nslookup command, which queries the default DNS server. We can search for the mail servers of a domain by setting the value<br />
set type=MX<br />
and entering the domain name that you want to search for. This is quite common.<br />
<br />
You may not always get the MX records when you search for them, because the DNS server may be different for different networks. In order to find those internal records, search for the ISP (internet service provider) of the domain. After that, try to find out its DNS server details. Connect to it and search for MX records. Then you will get the internal mail server names. Find out their IP addresses and check whether they relay emails or not. Sometimes we can also query Google's DNS server for them.<br />
<br />
This is how we find internal details of a network.<br />
<br />
Regards,<br />
An&<br />
<br />
<br /></div>Anand Namanahttp://www.blogger.com/profile/18231660585428540339noreply@blogger.com0tag:blogger.com,1999:blog-2518488935287176056.post-36273195712257810802012-03-01T04:21:00.004-08:002012-07-01T21:12:55.578-07:00Burp suite<div dir="ltr" style="text-align: left;" trbidi="on">
<span class="Apple-tab-span" style="white-space: pre;"> </span>I tried burp suite in LAN. I created phishing site of gmail and hosted it on web server(wamp server). configure apache tomcat in wamp server. <span style="font-size: 100%;">httpd.conf file. set the field</span><br />
<div>
(control who can get stuff from server) keep it as Allow from all instead of 127.0.0.1 space.</div>
<div>
<span style="color: red; font-size: 100%;"><br /></span></div>
<div>
<ul>
<li><span style="font-size: 100%;">Now every one in LAN can access your web page. Now use Burp suite as proxy server.</span></li>
<li><span style="font-size: 100%;">Configure in browser for proxy server setting and keep ip address of system itself as proxy server address . just change the port number to 8080.</span><span style="color: red; font-size: 100%;"> </span></li>
<li>your webserver ip address will also be similar to ip address of system instead port number will be 80.</li>
<li>Now keep 8080 as the port listener in the burp suite and host to redirect as address of webserver and port number as port number of webserver i.e, 80</li>
<li>From other system in LAN send request to proxy server as (ipaddressof system:port number of proxy)</li>
<li>If you press forward in burp suite proxy then page will be loaded to requested person.</li>
<li>When the persons enters username and password then burp suite proxy will gather those (only able to understand if u have already gone through burp suite and webserver) Happy hacking..<span style="font-size: 100%;"> </span></li>
</ul>
</div>
<div>
<div>
<div>
<br /></div>
</div>
</div>
</div>Anand Namanahttp://www.blogger.com/profile/18231660585428540339noreply@blogger.com0tag:blogger.com,1999:blog-2518488935287176056.post-79521597283995333952011-11-02T09:01:00.000-07:002011-11-02T09:13:34.628-07:00Ruby on Rails notes2<span style="font-size:180%;">Variable Declaration</span><br /><br />
1) Global - starts with $ e.g. $globalvar<br /><br />
2) Local - any name e.g. name<br /><br />
3) Instance - starts with @ e.g. @objectname<br /><br />
4) Class variable - starts with @@ e.g. @@classvar<br /><br />
5) Constants - all should be in capital letters e.g. CONSTANT<br /><br />
To access the constant outside of the class we write<br /><br /> classname::CONSTANT<br /><br /><br /><br /><br />
<span style="font-size:180%;">Commenting</span><br /><br />
1) We use # to comment a single line in Ruby. e.g. # puts "hello world"<br /><br />
2) We use =begin at the start and =end at the end to comment multiple lines.<br /><br /> e.g. =begin<br /> puts "hello"<br /> puts "world"<br /> =end<br /><br /><br />
<span style="font-size:180%;">Interpolation</span><br /><br />
e.g. x=10<br /> <br /> str= "hello"<br /> <br /> str1="hello #{x}"<br /><br />
o/p hello 10<br /><br /><br />
Note: Interpolation is not possible in single quotes, as shown below<br /><br /> e.g. x=10<br /><br /> str="hello"<br /><br /> str1='hello #{x}'<br /><br /><br />o/p "hello #{x}"Anand Namanahttp://www.blogger.com/profile/18231660585428540339noreply@blogger.com0tag:blogger.com,1999:blog-2518488935287176056.post-86356238824664326442011-11-02T08:44:00.000-07:002011-11-02T09:01:42.187-07:00Ruby on Rails notes1<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh38jsAf6WsAHRq33u9mTpqWBwruQ52U5-WSd7g9ViGkns3qBJtsVLTuZ6rV1ShHoy93IyrsWYX-fTUsKMs83eWeQ-XREWwQgC_tP4ddXruKF8SqL0nwZgkvjG7DxXzqWMIwlqbhlebYW3S/s1600/ror.JPG"><img style="float: left; margin: 0pt 10px 10px 0pt; cursor: pointer; width: 1px; height: 1px;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh38jsAf6WsAHRq33u9mTpqWBwruQ52U5-WSd7g9ViGkns3qBJtsVLTuZ6rV1ShHoy93IyrsWYX-fTUsKMs83eWeQ-XREWwQgC_tP4ddXruKF8SqL0nwZgkvjG7DxXzqWMIwlqbhlebYW3S/s320/ror.JPG" alt="" id="BLOGGER_PHOTO_ID_5670428098324491346" border="0" /></a><br />
1) Ruby is a very high-level language.<br /><br />
2) Ruby is dynamic.<br /><br />
3) Everything in Ruby is an object and belongs to a class<br /><br /> e.g. Go to IRB (interactive ruby)<br /> <br /> type the following<br /> <br /> a=10<br /> a.class<br /><br /> O/P is Fixnum<br /><br /> This means that all integer values are handled by the class Fixnum. Similarly we have classes for float and string types. That is why we don't have to specify a datatype name while declaring a variable.Anand Namanahttp://www.blogger.com/profile/18231660585428540339noreply@blogger.com0tag:blogger.com,1999:blog-2518488935287176056.post-41208044601121010502011-11-02T00:16:00.000-07:002011-11-02T00:24:09.457-07:00Ruby on Rails Download linkhii,<br /> <br /> To download Ruby on Rails for Windows <a style="color: rgb(51, 102, 255);" href="http://railsinstaller.org/"><span style="font-size:130%;">click here</span></a><br /><br /> Installation is simple.<br /><br /> After installing it, just set the environment path as you do for Java.<br /><br /> Select the IRB (interactive ruby) console mode.<br /><br /> <br /> Thank you....Anand Namanahttp://www.blogger.com/profile/18231660585428540339noreply@blogger.com0