Wednesday, 1 May 2013

PASSWORDS AND SECURITY - 1 (INTRO)

Hello guys, sorry for being away for a year or so. Instead of getting all nostalgic, let's skip the cribbing part and start with the work.

This post and the ones following it will be on this topic only.

Let's start with just passwords. This is an extremely common term in our daily digital life: be it a system, a website, a phone or any application, even minor applications contain security features. So how does this whole mechanism work? A password is a basic string that a user thinks up to keep himself/herself secure. But a computer or an application cannot act like a person and just "think" of a password as correct or wrong; even a person who wants to keep a password needs to store it somewhere. THIS whole mechanism gives us a hell of a lead in the scenario: we know the password is there, somewhere, stored, and how secure it is depends on the ones who designed the storage.

To explain what I just burped out above in a more technical and practical manner, let's take the example of our beloved innocent victim as always, the Windows OS. Whatever we enter as our password is stored in C:\Windows\System32\config\SAM. In this:

  • C:\ may vary according to the drive you installed your OS on, but don't worry, on Windows 7 this is not an issue: it forcibly changes the drive letter of whichever drive it was installed to into C:\, and
  • the last part, the file name itself, varies between service packs of the XP editions; it goes from small letters to all caps in some.
And you being a curious reader, I'm pretty sure you are checking out that folder right now if you didn't know about it. Well, the people at that place are not so stupid: that file contains the passwords as hashes, not as plain strings. This is a really interesting part of the whole password security business and we will get to it in a while.

So keeping this whole Windows scene aside, let's focus on the basic working of passwords.

To understand the working of this mechanism, let's make one of our own.
What we have here is a simple C program which functions as a login panel.


What it does is give a basic success or fail response: if the credentials are correct it prints "login successful !", otherwise "failed !", on the basis of a basic length and value check.

Drawback ::
If you analyzed it correctly then you must have noticed the first drawback immediately: the password is hardcoded inside the app itself, which kills the user's freedom.

NOTE
To some people this may be their requirement, but in fact that is insecure and a rare scenario too.
The hardcoded password here, "secret", can easily be extracted with the basic disassembling procedures experts follow. A password stored in plain text is always insecure. And even wrapping this whole procedure in home-brew encryption never works out well, unless you are some extremely talented mathematician and have ended up designing something of your own.

So, to give the user that freedom back, people have to design applications that scale to the number of users and also to the types of passwords. This leaves us with only one straightforward option: outsource the passwords to another location. That gives us a good lead. What hits us back again is how we are going to store those passwords: plain text is a blow in the face, so encrypting the string (or, as the SAM does, hashing it) is the option.
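As an added example (not the C program from the post), here the hardcoded "secret" check sits beside a version that outsources the credentials to a separate store holding only a per-user salt and a slow hash, then does the look-up in constant time; the store layout, user names, iteration count and the PBKDF2 choice are my assumptions, not something the post specifies.

```python
import hashlib
import hmac
import os

# The login panel from the post: "secret" lives inside the program itself, so
# anyone who can read the binary (strings, a disassembler) can pull it out.
HARDCODED_PASSWORD = "secret"

def login_hardcoded(password):
    return password == HARDCODED_PASSWORD

# Hardened variant: credentials are "outsourced" to a separate store (a dict here,
# standing in for a file such as the SAM) that holds only a per-user random salt
# and a slow salted hash (PBKDF2-HMAC-SHA256). The plaintext is never stored.
ITERATIONS = 100_000  # constructed tuning value for this demo; raise it in practice

def make_record(password, salt=None):
    """Create the stored record for a user; the password itself is discarded."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}

# Record used when the username is unknown, so the look-up still costs the same.
DUMMY_RECORD = make_record("", b"\x00" * 16)

def verify(store, username, password):
    """The look-up step: re-derive the hash for the typed password and compare
    it with the stored one in constant time, so a mismatch leaks nothing."""
    record = store.get(username, DUMMY_RECORD)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    matches = hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))
    return matches and username in store

def demo():
    store = {"alice": make_record("secret"), "bob": make_record("secret")}
    # Same password, different salts -> different hashes; "secret" is nowhere in the store.
    return {
        "hardcoded_ok": login_hardcoded("secret"),
        "alice_ok": verify(store, "alice", "secret"),
        "alice_wrong": verify(store, "alice", "Secret"),
        "unknown_user": verify(store, "mallory", ""),
        "salts_differ": store["alice"]["hash"] != store["bob"]["hash"],
        "plaintext_absent": "secret" not in repr(store),
    }

if __name__ == "__main__":
    print(demo())
```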

Encryption in itself is an extensive field of research and requires patience to understand.
Whatever I just explained above will make more sense if I make you relate it to a daily life instance, so let's take our Windows OS again.

To keep it extremely simple, I will give you a basic layout.

                         WINDOWS LOGIN
                              | |
                      YOU ENTER CREDENTIALS
                              | |
    ----------------------------------------------------------
      HERE ALL INTERNAL FUNCTIONING TAKES PLACE: THEY CHECK
      YOUR ENTERED PASSWORD AND USERNAME COMBO AFTER HASHING
      THEM WITH THE PREFERRED TECHNIQUE, AGAINST AN OUTSOURCED
      FILE WHICH I TOLD YOU ABOUT EARLIER >> "SAM".
    ----------------------------------------------------------
                              | |
                  ACCESS GIVEN IF CORRECT, ELSE DENIED !


Basically what we need to worry about is the box in the dotted line, what happens behind the scenes.
This is just like being a doctor: if you know the thing inside out, you can treat it, or you can kill it as well.

So, with all that text I gave you above, it basically comes down to one simple thing: passwords, whatever their form, platform or anything else, follow a look-up technique. They compare, and then show whether your input is authentic or not.

Now, for the people on the opposite side who have no clue about the password but know the procedure involved, what can they do??
This is an extremely simple question, just like asking what you will do if you don't know something: you will simply guess it.
But guessing all the time never fits well; it is time consuming if you have no constraints on your approach.
This gives us two techniques which can be used:
  • Bruteforce - simply try to guess the correct value by trying every possible combination known to a living soul; this can be really time consuming and is not always a feasible option.
  • Dictionary based - guess the correct value from a limited set of possibilities that we have at hand at that instant.

I will discuss both of them in detail in the next posts, one for each.

Hope you like it.
For any suggestions or queries please comment below.
Thanks for reading.
Yinsain

Monday, 16 July 2012

MAC ADDRESS SPOOFING :: WINDOWS && LINUX


In the afternoon I was chatting with one of my friends while he was at an airport in Paris; during the chat he mentioned that he paid some bucks to access wifi for half an hour.
Well, that led to a spark in my brain. Some basic quick thinking reminded me of the same situation I faced while travelling too,
but in my scenario I only came across two types of policies used by admins at airports to restrict wifi access.

1-- MAC ADDRESS CROSS CHECK.
2-- SUPPLYING THE USER WITH A TEMP KEY THAT EXPIRES AFTER A PRE-DEFINED TIME PERIOD.

On collecting info from him it was clear that they are surely using the first case.
That reminded me of something similar I went through while helping a friend in China:
basically their university was using a client software that assigns IP addresses by checking the MAC address.



So access from any system other than the university-registered laptop/PC was restricted, so we used the same trick of spoofing the MAC address and voila, it worked.
So just to explain that part, I created two videos of the tools and their how-tos for spoofing it on both a Windows and a Linux system.

Tools used are :: Windows : macshift : link
Linux : macchanger :: link

## on any Debian based distro like Ubuntu just
## apt-get install macchanger
## if you guys are using BackTrack or any other security distro it should probably already be there.


So here are the videos to get you started fast and easy.





mac address spoofing Linux






mac address spoofing Windows




Thanks for reading.
For any queries or suggestions plz comment below.
Yinsain.


Sunday, 8 July 2012

EFFECTS OF MONDAY MALWARE EXPLAINED.

Hey guys, this is Yash aka Yinsain here. If you are reading this then you are surely not infected with it. I was getting a bit curious about all this news I was getting from my friend about a new malware hitting the web; well, as I looked into it, it looks like nothing new, just the old skool technique of redirecting victims to a malicious server for the attackers' own benefit.

The methods are still the same, but the techniques to achieve them have really evolved over the years. As the name is a bit eye catching you might be interested, but do you really know what it is and what it will do?

Let's start with the name. It was called Monday malware because it will knock you off the internet on Monday, that is today, 9/7/2012, as most of the agencies are saying.

Well, its actual name is still not settled, but people have given it many names, some of them from government agencies to classify it.

Another name is 'Alureon/DNS Changer bot'.

So let's dig into its working. As I don't hold a working executable or its source code, I will be demonstrating the effect of this malware in a controlled environment via some network tools.

To understand the basic working of this malware you should be aware of some of the working principles of the internet. The one we are focusing on in this blog post is DNS. For a basic explanation, this is the service which manages the mapping between IP addresses and host names; wrong IP address info will lead you to a wrong page, and that is what the malware does, but in a stealthy manner, most probably redirecting the victim to their own server for malicious purposes. For further details you can read this.


Here I am using a virtual machine to depict a victim, and a Linux (Ubuntu) host machine to create the infected scenario.
Tools :: dsniff-suite, VirtualBox.


Setup ::

Getting the software,
------------------------------------------------------------------------------------------------------------------------------------

apt-get install dsniff

for virtualbox

either download an installer file for your OS or follow the Linux way.

-------------------------------------------------------------------------------------------------------------------------------------



This suite consists of many great tools; the ones we will be using are

>> arpspoof
>> dnsspoof

NOTE :: arpspoof requires packet forwarding on the host system.


So first we need to enable packet forwarding on the Linux host.



-------------------------------------------------------------------------------------------------------------------------------------

# echo 1 > /proc/sys/net/ipv4/ip_forward

Please note you will require root privileges to do this.
-------------------------------------------------------------------------------------------------------------------------------------

And now for dnsspoof: this tool reads the domains from a file which we provide.


Edit it the way you feel, just maintain the structure it recognizes.


Here is mine.




So we are ready..

I have just added three entries for the common sites that people open:
>> paypal
>> facebook
>> google

So the setup for the tool is ready.

Now you need a victim; here in our example we are using a virtual victim,
so you can google for detailed instructions on getting a virtual machine set up with the OS of your choice for this.

Our victim here is a Windows XP user.

NOTE :: THIS DEMO WORKS ON ALL OSes INCLUDING WINDOWS, MAC OS AND LINUX, BUT THE REAL MALWARE WAS REPORTED TO WORK ONLY ON WINDOWS AND MAC OS TILL NOW. LINUX STILL SURVIVES, HUH.


So let's fire up our virtual machine.

Let's open up our websites....

As you can see, all three seem to be opening fine..

and even the DNS cache is fine.



So let's start the attack to create an infected scenario....


I will try to keep it least complicated, so open up three different terminal instances

and issue these commands.

-------------------------------------------------------------------------------------------------------------------------------------

I terminal

# arpspoof -i eth0 -t 192.168.1.16 192.168.1.14
                      ^ victim     ^ gateway

II terminal

# arpspoof -i eth0 -t 192.168.1.14 192.168.1.16
                      ^ gateway    ^ victim

-i [ interface name ]
-t specify targets

and start them


III terminal

# dnsspoof -i eth0 -f int.txt host 192.168.1.16 and udp port 53
                      ^ file with host names we created earlier

-------------------------------------------------------------------------------------------------------------------------------------

So this is how it may look.





So let's open up a browser on the victim machine.

Here I am opening facebook..




As you can see the URL was valid, but due to the infected victim machine,
the request got redirected to the host mentioned in the spoof file for dnsspoof.

Be careful while logging in to any of your accounts or buying any stuff online; if you are infected you may end up in a bad situation.

This is how DNS spoofing can occur. It is extremely dangerous for day-to-day users, as they may get redirected to fake pages and innocently give up their login credentials without any suspicion.

PREVENTIVE MEASURES::

>> do get your system cleaned with a valid tool like the Avira DNSChanger bot remover if your Windows or Mac is infected.

>> contact your ISP to get a valid list of the DNS servers' IP addresses which are owned by the ISP.
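As an added defender-side check (not part of the original post or of the dsniff tools), the two symptoms this demo leaves in the victim's ARP cache can be spotted from a plain `ip neigh` snapshot, and the second preventive measure can be automated by comparing the configured resolvers with the ISP's list; the `ip neigh` output, the MACs and the resolver addresses below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed `ip neigh show` snapshots from a victim like the one in the demo
# (gateway 192.168.1.14, victim 192.168.1.16); the MACs are made up.
CLEAN_NEIGH = """\
192.168.1.14 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
"""
# While arpspoof runs, the gateway entry carries the attacking host's MAC, which
# is also the MAC the attacker's own IP (192.168.1.20 here) already has.
POISONED_NEIGH = """\
192.168.1.14 dev eth0 lladdr 00:11:22:33:44:20 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.99 dev eth0  FAILED
"""

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})", re.I)

def parse_neigh(text):
    """Return {ip: mac} from `ip neigh` output; entries without lladdr are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table

def arp_alerts(table, gateway_ip, baseline_gateway_mac):
    """Flag the two tell-tale signs of ARP cache poisoning: the gateway's MAC
    differing from a known-good baseline, and one MAC answering for several IPs."""
    alerts = []
    gw_mac = table.get(gateway_ip)
    if gw_mac and gw_mac != baseline_gateway_mac.lower():
        alerts.append(f"gateway {gateway_ip} MAC changed {baseline_gateway_mac} -> {gw_mac}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claimed by several IPs: {', '.join(sorted(ips))}")
    return alerts

def rogue_resolvers(resolv_conf, isp_allowlist):
    """Return nameservers in a resolv.conf-style text that are not on the ISP's list."""
    servers = re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)
    return [s for s in servers if s not in isp_allowlist]
```

The baseline gateway MAC is taken from a snapshot made on a known-clean network; a change from it, or several IPs sharing one MAC, is what the `arpspoof` step above produces on the victim.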

Again, thanks for reading.
Please leave comments or message me for any query.