GooDork

Jan 31, 2012 | comments

GooDork is a simple python script designed to allow you to leverage the power of Google Dorking straight from the comfort of your command line. There was a GUI tool we discussed a while back similar to this – Goolag – GUI Tool for Google Hacking.

GooDork makes Google's search directives more useful by filtering the results of a search with regular expressions that you supply. In short, its purpose is to combine dorking with regular expressions.

GooDork allows you to apply regular expressions to any and all of the following attributes of web applications:

  • URL
  • Displayable Text
  • Anchors
  • Many more options will shortly be made available
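The filtering described above, as an added example written for this page rather than taken from the GooDork source: each attribute (URL, displayable text, anchors) gets its own regular expression, and a page is kept only if every supplied expression matches. The sample pages are constructed and stand in for fetched dork results; GooDork's real CLI flags and internals are not reproduced.

```python
"""Added example, not GooDork's own code: apply user-supplied regular
expressions to the URL, displayable text and anchors of fetched pages,
which is the filtering GooDork layers on top of a Google dork.

Assumptions: the pages have already been fetched (here a constructed
sample stands in for Google results); GooDork's real CLI flags and
internals are not reproduced.
"""
import re
from html.parser import HTMLParser
from typing import Dict, Iterable, List, Tuple


class PageExtractor(HTMLParser):
    """Collect displayable text and anchor hrefs from an HTML document."""

    SKIP = {"script", "style", "noscript"}

    def __init__(self) -> None:
        super().__init__()
        self._skip_depth = 0
        self.text: List[str] = []
        self.anchors: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.anchors.append(href)

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        # Script and style bodies are not displayable; leave them out.
        if not self._skip_depth and data.strip():
            self.text.append(data.strip())


def extract(url: str, page_html: str) -> Dict[str, str]:
    """Return the three attributes GooDork filters on, as plain strings."""
    parser = PageExtractor()
    parser.feed(page_html)
    return {"url": url, "text": " ".join(parser.text),
            "anchors": "\n".join(parser.anchors)}


def matches(page: Dict[str, str], filters: Dict[str, str]) -> Dict[str, List[str]]:
    """Per attribute, the substrings its regex matched; empty dict if any
    supplied filter fails, so filters combine with AND semantics."""
    hits: Dict[str, List[str]] = {}
    for attr, pattern in filters.items():
        found = re.findall(pattern, page[attr], flags=re.IGNORECASE | re.MULTILINE)
        if not found:
            return {}
        hits[attr] = found
    return hits


def filter_results(results: Iterable[Tuple[str, str]],
                   filters: Dict[str, str]) -> List[Tuple[str, Dict[str, List[str]]]]:
    """Keep only the (url, html) pairs whose attributes satisfy every filter."""
    kept = []
    for url, page_html in results:
        hits = matches(extract(url, page_html), filters)
        if hits:
            kept.append((url, hits))
    return kept


# Constructed sample pages standing in for fetched dork results.
SAMPLE_RESULTS = [
    ("http://example.test/admin/login.php",
     "<html><body><h1>Admin Login</h1><script>var app='phpMyAdmin';</script>"
     "<a href='/admin/backup.sql'>backup</a></body></html>"),
    ("http://example.test/about.html",
     "<html><body><p>About us</p><a href='/contact'>contact</a></body></html>"),
]

if __name__ == "__main__":
    for url, hits in filter_results(
            SAMPLE_RESULTS, {"url": r"/admin/", "text": r"login", "anchors": r"\.sql$"}):
        print(url, hits)
```

Anchors are joined with newlines and matched with re.MULTILINE, so an expression such as `\.sql$` tests each href on its own; text inside script and style elements is excluded because it is not what the user sees.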

Dependencies

GooDork uses the following Python packages; please make sure all of them are available.

If you are using Python 2.6 you’ll most likely have all of these (except BeautifulSoup).

Installing:

The only installation you need do is to download the entire script package, and make sure the dependencies — listed above — are installed on your machine.

You can download GooDork here (using git):

git clone https://github.com/k3170makan/GooDork

Browser Event Hijacking

Jan 27, 2012 | comments

You can easily hijack events that should get passed through to the browser. The example that I will be discussing here is the ctrl+f or ⌘+f combination. This ubiquitous key combination results in a search box of some type being displayed to the user. With browser and OS key bindings, there is a user expectation of continuity. We are conditioned as users to expect that pressing these key combinations will have a certain effect. The interruption of this continuity can have security implications.

[Figure: a fake browser search bar rendered by the page, shown alongside the real browser search bar]

JavaScript on the page hijacks the ctrl+f and ⌘+f combinations, presenting a search box that is nearly identical to the browser search box users would see running Google Chrome on OSX. While normally JavaScript wouldn't have access to the contents of the search box, the fake search box is obviously accessible to the malicious site.

The ability of a malicious site to interrupt the expected continuity of user interaction with a web browser constitutes a breach of user trust on the part of the web browser. Because the user trusts that this key combination will trigger a browser event, they will trust the search bar presented by the site and interact with it as they would with the browser. Other key combinations could be similarly attacked. For example, ctrl+s/⌘+s or ctrl+o/⌘+o could be hijacked and could display a fake dialog claiming that the user’s password is required for file-system access. Specific attack scenarios aside, it is problematic to have ambiguity about the boundaries between browser and web app. More generally, a lower trust component should not have the ability to affect the behavior of a higher trust component.

SOLUTION:

1. Place the browser search box in a part of the browser chrome that cannot be confused with website content.
2. Warn the user when a site calls preventDefault on a keydown event whose key combination is registered as a browser key binding.

 

Quotation Mark Parsing Flaw Exposes Users to XSS Attacks

Jan 17, 2012 | comments

A bug in Microsoft's Internet Explorer has left users of the popular browser vulnerable to cross-site scripting attacks, according to researchers at the security firm Imperva.
The flaw gets a little technical, but it is essentially this: IE does not percent-encode double quotes in the query part of a URL. This oversight has a significant downstream effect for websites supporting IE (and there are a lot of them). Since website developers assume requests from IE are properly encoded, attackers can sneak XSS payloads into websites.

IETF RFC 3986 spells out proper URI syntax. According to that document, the double quote character (") is not permitted in a URI and must be rendered as %22 wherever it appears. IE does this for some parts of a URI, but double quotes in the query component are passed through untouched, a lapse that lets an attacker splice a malicious string into a URI which IE then sends verbatim.

The syntax of the query part of the URI is as follows:

pchar = unreserved / pct-encoded / sub-delims / ":" / "@"

query = *( pchar / "/" / "?" )

pct-encoded = "%" HEXDIG HEXDIG

unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~"

reserved = gen-delims / sub-delims

gen-delims = ":" / "/" / "?" / "#" / "[" / "]" / "@"

sub-delims = "!" / "$" / "&" / "'" / "(" / ")" / "*" / "+" / "," / ";" / "="

Since the double quote appears in none of these productions, it can only be carried as pct-encoded, i.e. as %22.
Firefox and Google Chrome encode it that way, so the problem is not present in those browsers. Imperva listed sites that were currently experiencing XSS attacks stemming from this encoding error, affecting only IE users.

Website developers operate under the assumption that requests coming from IE are properly encoded by the browser.
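An added example, not from the original article or Imperva's advisory, that checks and normalises a query string against the grammar quoted above and shows why a site that reflects the raw request URI is exposed when one browser leaves a double quote unencoded. The request URIs below are constructed; the "IE-style" one simply carries a raw double quote in the query, as the article describes.

```python
"""Added example, not from the original article or Imperva's advisory:
validate and normalise the query component against the RFC 3986 grammar,
and contrast a page that trusts the browser's encoding with one that
encodes for the output context itself.

Assumptions: the request URIs are constructed; the IE-style request just
carries a raw double quote in the query component.
"""
import html
import re
from urllib.parse import quote

# pchar / "/" / "?" from the grammar: unreserved, sub-delims, ":" "@" "/" "?"
# or a well-formed pct-encoded triplet.
QUERY_CHAR = re.compile(r"[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2}")
QUERY_RE = re.compile(rf"(?:{QUERY_CHAR.pattern})*")


def is_valid_query(query: str) -> bool:
    """True if every character is allowed by the query production."""
    return QUERY_RE.fullmatch(query) is not None


def normalize_query(query: str) -> str:
    """Percent-encode anything the grammar rejects (so `"` becomes %22),
    leaving valid %XX escapes untouched rather than double-encoding them."""
    out, i = [], 0
    while i < len(query):
        m = QUERY_CHAR.match(query, i)
        if m:
            out.append(m.group(0))
            i = m.end()
        else:
            out.append(quote(query[i], safe=""))
            i += 1
    return "".join(out)


def normalize_request_uri(uri: str) -> str:
    path, sep, query = uri.partition("?")
    return path + sep + normalize_query(query)


def render_self_link_vulnerable(raw_request_uri: str) -> str:
    """Reflects the URI as received, trusting the browser to have encoded it."""
    return f'<link rel="canonical" href="{raw_request_uri}">'


def render_self_link_hardened(raw_request_uri: str) -> str:
    """Normalises the URI itself, then encodes for the attribute context;
    correct regardless of which browser sent the request."""
    safe_uri = html.escape(normalize_request_uri(raw_request_uri), quote=True)
    return f'<link rel="canonical" href="{safe_uri}">'


# Constructed requests: the same link as sent by an RFC-conformant browser
# and as IE sends it (double quote left raw in the query component).
RFC_REQUEST = "/search?q=%22onload=%22alert(1)"
IE_REQUEST = '/search?q="onload="alert(1)'

if __name__ == "__main__":
    print(render_self_link_vulnerable(IE_REQUEST))   # attribute closed early
    print(render_self_link_hardened(IE_REQUEST))     # same output as for RFC_REQUEST
```

The vulnerable renderer produces identical, harmless markup for the RFC-conformant request and broken markup for the IE-style one; the hardened renderer produces the same safe markup for both, which is the property to aim for: never depend on the client having encoded anything.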

Imperva reached out to Microsoft about the bug. In their response, Microsoft downplayed the vulnerability, saying “[this flaw is] not something that we consider to be a security vulnerability that will be addressed in a security update.”

Oracle Plans To Fix 78 Critical Security Updates

Jan 15, 2012 | comments


Oracle has fixes for 78 security vulnerabilities slated for next week as part of its first Critical Patch Update of the year.

The patches are expected to touch the Oracle Database Server, Fusion Middleware, E-Business suite, Supply Chain, PeopleSoft, JD Edwards, Virtualization, Sun and MySQL products. The most serious of the vulnerabilities is a security issue affecting the company’s Sun product suite, and has a CVSS (Common Vulnerability Scoring System) 2.0 rating of 7.8.

As usual, details of the actual vulnerabilities were scarce in Oracle's pre-release announcement. However, the company noted that the Sun suite components addressed by the update are GlassFish Enterprise Server, Oracle Communications Unified, Oracle OpenSSO and Solaris. In total, the suite is home to 17 of the vulnerabilities set to be fixed in the update. Six of these can be exploited remotely without authentication.


The product with the largest number of vulnerabilities expected to be addressed by the update is MySQL. According to Oracle, 27 of the vulnerabilities reside in MySQL Server, including one that can be exploited over a network without the need of a username or password. The Oracle Database Server contains just two vulnerabilities being addressed by the update. Also included in the update are fixes for 11 vulnerabilities in Oracle Fusion Middleware, three in the Oracle E-Business Suite, eight for JD Edwards products, six in PeopleSoft products, three in Oracle Virtualization software and one in the Oracle Supply Chain products suite.

The update is scheduled to be available Tuesday, January 17.

“Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products,” Oracle noted in its pre-update advisory. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.”

How To Write Penetration Test Reports

Jan 14, 2012 | comments


There are thousands of books written about information security and pen testing. There are hundreds of hours of training courses that cover the penetration testing process. However, I would happily wager that less than ten percent of all the material out there is dedicated to reporting. This, when you consider that you probably spend 40-50% of the total duration of a pen test engagement actually writing the report, is quite alarming.

It’s not surprising though, teaching someone how to write a report just isn’t as sexy as describing how to craft the perfect buffer overflow, or pivot round a network using Metasploit. I totally get that, even learning how the TCP packet structure works for the nineteenth time sounds like a more interesting topic.

Why is a penetration test report so important?

Never forget, penetration testing is a scientific process, and like all scientific processes it should be repeatable by an independent party. If a client disagrees with the findings of a test, they have every right to ask for a second opinion from another tester. If your report doesn’t detail how you arrived at a conclusion, the second tester will have no idea how to repeat the steps you took to get there. This could lead to them offering a different conclusion, making you look a bit silly and worse still, leaving a potential vulnerability exposed to the world.

Bad: “Using a port scanner I detected an open TCP port”.

Better: "Using Nmap 5.50, a port scanner, I detected an open TCP port using the SYN scanning technique on a selected range of ports. The command line was: nmap -sS -p 7000-8000."

The report is the tangible output of the testing process, and the only real evidence that a test actually took place. Chances are, senior management (who likely approved funding for the test) weren’t around when the testers came into the office, and even if they were, they probably didn’t pay a great deal of attention. So to them, the report is the only thing they have to go on when justifying the expense of the test. Having a penetration test performed isn’t like any other type of contract work. Once the contract is done there is no new system implemented, or no new pieces of code added to an application. Without the report, it’s very hard to explain to someone what exactly they’ve just paid for.

Who is the report for?

While the exact audience of the report will vary depending on the organization, it’s safe to assume that it will be viewed by at least three types of people.

Senior management, IT management and IT technical staff will all likely see the report, or at least part of it. All of these groups will want to get different snippets of information. Senior management simply doesn’t care, or doesn’t understand what it means if a payment server encrypts connections using SSL version two. All they want to know is the answer to one simple question “are we secure – yay or nay?”

IT management will be interested in the overall security of the organization, but will also want to make sure that their particular departments are not the cause of any major issues discovered during testing. I recall giving one particularly damning report to three IT managers. Upon reading it two of them turned very pale, while the third smiled and said "great, no database security issues then".

What should the report contain?

Sometimes you’ll get lucky and the client will spell out exactly what they want to see in the report during the initial planning phase. This includes both content and layout. I’ve seen this happen to extreme levels of detail, such as what font size and line spacing settings should be used. However, more often than not, the client won’t know what they want and it’ll be your job to tell them.

  • A Cover Sheet. This may seem obvious, but the details that should be included on the cover sheet can be less obvious. The name and logo of the testing company, as well as the name of the client, should feature prominently. Any title given to the test, such as "internal network scan" or "DMZ test", should also be up there, to avoid confusion when performing several tests for the same client. The date the test was performed should appear. If you perform the same tests on a quarterly basis this is very important, so that the client or the client's auditor can tell whether their security posture is improving or getting worse over time. The cover sheet should also contain the document's classification. Agree this with the client prior to testing; ask them how they want the document protectively marked. A penetration test report is a commercially sensitive document and both you and the client will want to handle it as such.

  • The Executive Summary. I've seen some that have gone on for three or four pages and read more like a Jane Austen novel than an abbreviated version of the report's juicy bits. This needs to be less than a page. Don't mention any specific tools, technologies or techniques used; they simply don't care. All they need to know is what you did, "we performed a penetration test of servers belonging to X application", and what happened, "we found some security problems in one of the payment servers". Then what needs to happen next and why: "you should tell someone to fix these problems and get us in to re-test the payment server; if you don't you won't be PCI compliant and you may get a fine". The last line of the executive summary should always be a conclusion that explicitly spells out whether or not the systems tested are secure or insecure, "overall we have found this system to be insecure". It could even be just a single word.

    A bad way to end an executive summary:

    “In conclusion, we have found some areas where security policy is working well, but other areas where it isn’t being followed at all. This leads to some risk, but not a critical amount of risk.”


    A better way: “In conclusion, we have identified areas where security policy is not being adhered to, this introduces a risk to the organization and therefore we must declare the system as insecure.”

  • Summary of Vulnerabilities. Group the vulnerabilities on a single page so that at a glance an IT manager can tell how much work needs to be done. You could use fancy graphics like tables or charts to make it clearer – but don’t overdo it. Vulnerabilities can be grouped by category (e.g. software issue, network device configuration, password policy), severity or CVSS score –the possibilities are endless. Just find something that works well and is easy to understand.
  • Test Team Details. It is important to record the name of every tester involved in the testing process. This is not just so you and your colleagues can be hunted down should you break something. It’s a common courtesy to let a client know who has been on their network and provide a point of contact to discuss the report with. Some clients and testing companies also like to rotate the testers assigned to a particular set of tests. It’s always nice to cast a different set of eyes over a system. If you are performing a test for a UK government department under the CHECK scheme, including the name of the team leader and any team members is a mandatory requirement.


  • List of the Tools Used. Include versions and a brief description of each tool's function. This goes back to repeatability. If anyone is going to accurately reproduce your test, they will need to know exactly which tools you used.

  • A copy of the original scope of work. This will have been agreed in advance, but reprinting here for reference purposes is useful.


  • The main body of the report. This is what it's all about. The main body of the report should include details of all detected vulnerabilities, how you detected each vulnerability, clear technical explanations of how the vulnerability could be exploited, and the likelihood of exploitation. Whatever you do, make sure you write your own explanations; I've lost count of the number of reports I've seen that are simply copy-and-paste jobs from vulnerability scanner output. It makes my skin crawl; it's unprofessional, often unclear and irrelevant. Detailed remediation advice should also be included. Nothing is more annoying to the person charged with fixing a problem than receiving flaky remediation advice. For example, "Disable SSL version 2 support" does not constitute remediation advice. Explain the exact steps required to disable SSL version 2 support on the platform in question. As interesting as reading how to disable SSL version 2 on Apache is, it's not very useful if all your servers are running Microsoft IIS. Back up findings with links to references such as vendor security bulletins and CVEs.
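An added example, not from the original article, that turns the article's repeatability and summary advice into something checkable: a findings ledger whose entries must carry the tool version, the exact command line, actionable remediation and references before they pass, plus the counts behind a one-page summary grouped by severity band and category. The severity bands follow the NVD convention for CVSS v2 base scores; the Finding fields, the minimum-detail rules and the sample findings are constructed for this example.

```python
"""Added example, not from the original article: a small findings ledger
that enforces the repeatability the article asks for and produces the
counts behind a one-page "summary of vulnerabilities".

Assumptions: severity bands follow the NVD convention for CVSS v2 base
scores (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0); the Finding fields,
the minimum-detail rules and the sample findings are constructed for this
example, not a standard.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Finding:
    title: str
    category: str        # e.g. "software issue", "network device configuration"
    cvss: float          # CVSS 2.0 base score
    tool: str
    tool_version: str    # exact version, so the test can be repeated
    command: str         # exact command line, not "using a port scanner"
    remediation: str     # platform-specific steps, not "disable SSLv2"
    references: List[str] = field(default_factory=list)


def severity(cvss: float) -> str:
    """Map a CVSS 2.0 base score to the NVD severity band."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


def repeatability_problems(f: Finding) -> List[str]:
    """Reasons an independent tester could not reproduce this finding."""
    problems = []
    if not f.tool_version.strip():
        problems.append("tool version missing")
    if not f.command.strip():
        problems.append("command line missing")
    if len(f.remediation.split()) < 8:
        problems.append("remediation advice too thin to act on")
    if not f.references:
        problems.append("no vendor bulletin or CVE reference")
    return problems


def summary(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Counts by severity band and by category for the summary page."""
    return {
        "by_severity": dict(Counter(severity(f.cvss) for f in findings)),
        "by_category": dict(Counter(f.category for f in findings)),
    }


# Constructed sample findings: one written the way the article recommends,
# one written the way it warns against, one in between.
SAMPLE = [
    Finding("SSL 2.0 enabled on payment server", "software issue", 5.0,
            "Nmap", "5.50", "nmap -sS -p 443 10.0.0.5",
            "On IIS, set the SSL 2.0 Server subkey under SCHANNEL\\Protocols "
            "to disabled and reboot; re-test with the same nmap command.",
            ["vendor knowledge base article (placeholder reference)"]),
    Finding("Open TCP port", "network device configuration", 2.1,
            "port scanner", "", "", "Close it.", []),
    Finding("Default credentials on core switch", "password policy", 9.0,
            "Hydra", "7.1", "hydra -l admin -P wordlist.txt ssh://10.0.0.1",
            "Change the default password, enforce the corporate password "
            "policy on the device and restrict SSH to the management VLAN.",
            ["vendor hardening guide (placeholder reference)"]),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f.title, severity(f.cvss), repeatability_problems(f) or "ok")
    print(summary(SAMPLE))
```

Run the checks before the report leaves the team: a finding that fails repeatability_problems is the "Bad" example from the article in structured form, and the summary counts are what the single-page overview for IT management is built from.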

Final delivery: Just because it's finished doesn't mean you can switch off entirely. You still have to get the report out to the client, and you have to do so securely. Electronic distribution using public key cryptography is probably the best option, but not always possible. If symmetric encryption is to be used, a strong key should be used and must be transmitted out of band. Under no circumstances should a report be transmitted unencrypted. It all sounds like common sense, but all too often people fall down at the final hurdle.

New Facebook Security Phishing Attack


There is a new Facebook phishing attack going on. It will not just try to steal your Facebook credentials; it will also try to steal credit card information and other important information such as security questions.

HOW IT WORKS :
This Facebook phishing attack is interesting because it does not just trick the victim into visiting a phishing website. It reuses the stolen credentials to log in to the compromised account and change both the profile picture and the name. The profile picture is changed to the Facebook logo and the name is changed to "Facebook Security", with look-alike characters substituted for letters such as "a", "k", "S" and "t".
Once an account is compromised it will also send out a message to all contacts of the compromised account. The message looks like this:
Message Contains :
"Last Warning: Your Facebook account will be turned off Because someone has reported you. Please do re-confirm your account security by: => http://apps-xxxx-xxxxx-user.de.vu Thank you. The Facebook Team"

When you click on the link you will be redirected to a website which looks very similar to Facebook, and asks you for personal information such as: Name, Email, Password, Webmail system, Password to email etc. When submitting this form the details will be sent to the attacker, and they can automatically login to your Facebook account and compromise it.



CONCLUSION :

These scams are only getting more popular, and we strongly recommend not giving out personal information, especially email addresses, passwords and credit card details, over social media. It is also recommended that you report such sites to your security vendor and to the social media vendor if you encounter them.

Way to Sniff Corporate Email Via BlackBerry PlayBook

Jan 13, 2012 | comments


Security researchers' attention has followed the explosion of iOS and Android phones and tablets in the consumer and enterprise markets. Now, the spotlight is slowly beginning to turn in the direction of RIM, and specifically its BlackBerry PlayBook tablet.

The first dings in the PlayBook's armor came last month when a group of researchers published a tool that could jailbreak PlayBook tablets through the exploitation of a bug they'd discovered in the operating system. RIM later issued a fix for the jailbreak, but that was just the start of what may end up being a long road for the company's security efforts.

The latest indication is work done by a pair of researchers who found a series of problems and weaknesses in PlayBook, including one that enables an attacker to listen in on the connection between the tablet and a BlackBerry handset. That connection, which is done via Bluetooth in the company's Bridge application, is designed to allow users to access their corporate email, calendar and other data on the tablet.

How the attack works:

In order for their attack to work, certain conditions must be present. For example, an app that can access the token must be installed on the PlayBook. A malicious mobile app would satisfy that requirement. Or, if an attacker was able to exploit another flaw on the tablet, he would be able to access that token as well.
RIM is touting the PlayBook as the enterprise-ready tablet, and marketing it aggressively to its large installed BlackBerry customer base. The tablet doesn't currently have a native email client, so users who want to read their corporate email on the PlayBook either need to use a webmail client or connect to their BlackBerry handsets using Bridge.


In addition to the Bridge vulnerability, there are some interesting issues with the BlackBerry App World store. For one, file names in the store are sequential and therefore predictable, so a user could simply increment the file name to a desired number and download whatever app he chose.

Turn Facebook Pink, Red or Black : Facebook Makeover Scam



Have your Facebook friends invited you to switch your boring blue Facebook profile to an attractive shade of red, black or shocking pink? The latest survey scam doing the rounds on Facebook works by falsely offering to change the profile of prospective marks from blue to red, black or shocking pink.

Many users must have seen similar messages to the following:

Switch to Pink Facebook (Limited Time!)

[LINK]

Say goodbye to the boring blue profile and say hello to the pink profile!!


OR

Switch to Red Facebook (Limited Time!)

[LINK]

Say goodbye to the boring blue profile and say hello to the red profile!!

What happens if you click on one of these links:

Firstly, you are told to share the link with your online friends. This should be the first indication that something is amiss - after all, what legitimate feature or organisation would require you to share news of it *before* you have actually experienced what - if anything - it can do for you?

Secondly, you are asked to leave a comment - extolling the wonderfulness of your new pink or red Facebook. Remember - at this point your Facebook is still decidedly blue. Any comment you leave will, of course, act as an endorsement and could be seen by your online friends and encourage them to also participate.

Predictably, the point of all of this sharing is to drive more traffic to the scammers' link where an online survey will pop-up. The more people who take the survey, the more commission that the scammers will earn.

That's not to say, of course, that it's impossible to turn your Facebook pink, red or black if you really want to; see our earlier post on changing your Facebook theme.

Clearly there's a demand for such customisation - even if it serves no practical purpose. But just make sure that your hunger for a pink-themed Facebook doesn't lead you into a scheme designed purely to earn money for scammers.

Facebook is rolling out Timeline as a "new" feature to replace traditional user profile pages. True to form, this feature has also become the target of survey scams over recent days .


WHAT TO DO : If you're one of the many people who fell for this or similar scams, please check your Facebook page to ensure that you are not spreading any messages to your online friends and ensure that you have revoked any Facebook applications, events and "like"d pages that you are uncomfortable with. If you use Facebook and want to get an early warning about the latest attacks, you should join the INDIATRIKS Facebook page .




Facebook Timeline Scam

Jan 10, 2012 | comments

BEWARE OF SCAMS RELATED TO FACEBOOK TIMELINE :

First it was the Cheesecake Factory; now, it’s Timeline. Facebook, like many other social networking companies, is experiencing some user dissatisfaction, and scammers are taking advantage of anti-Timeline sentiment. According to Insidefacebook, scammers are creating pages that assure the public that by “liking” the page, watching the linked video, downloading a certain browser application, or inviting their friends to the page, they will be allowed to opt out of Timeline.

These pages all ask readers to "Like" the account, and some even ask them to subscribe. Some pages ask readers to install a browser application; Google Chrome and Firefox are common targets of such scams. Though some Facebook pages may look harmless, remember that being cautious is the best way to prevent potential data loss.
Timeline was introduced by Mark Zuckerberg during the F8 developer conference. There, he announced that the beta version of the interface would be available to Facebook users on September 22nd.
So, what is Timeline? Facebook engineers implemented an algorithm that gathers all of your Facebook activity and organizes it based on what it deems important: your birth, high school graduation, first job, wedding, special events, and so on. The Timeline profile page is divided into two columns that contain recent photos, games, posts, and other activity. Since the algorithm decides what is relevant and what is not, there is a chance an event or a post you think is relevant might not show up in Timeline. But fear not, the new page layout will allow editing so that users can manually change what information is shared or deemed important.

Facebook employee Paul McDonald explains that Timeline allows users to add details of their lives before Facebook was created, providing an easy way to rediscover things once shared in real life. You have seven days to review and modify the timeline before it goes live and anyone else can see it.

As long as Facebook remains the top social networking site, scammers will use new and innovative methods to try to steal and exploit user information, but rest assured that ACE (Advanced Classification Engine) protects our customers from such scams.

Exploit Code For ASP.NET Flaw


A few days after Microsoft released a patch to fix a vulnerability in ASP.NET that could enable a denial-of-service attack, someone has released exploit code for the vulnerability.

The proof-of-concept exploit code was posted to the Full Disclosure mailing list and is available for download from GitHub. Posted by a user named HybrisDisaster, the code is designed to exploit a recently discovered vulnerability in ASP.NET that's related to the way the software handles certain HTTP POST requests. The vulnerability was first disclosed in late December at the Chaos Communication Congress in Germany.

The problem isn't actually specific to ASP.NET, but affects a variety of languages and applications. Microsoft shipped an emergency patch for the flaw on Dec. 29, recommending that users install it as quickly as possible.


"This vulnerability could allow an anonymous attacker to efficiently consume all CPU resources on a web server, or even on a cluster of web servers. For ASP.NET in particular, a single specially crafted ~100kb HTTP request can consume 100% of one CPU core for between 90 – 110 seconds. An attacker could potentially repeatedly issue such requests, causing performance to degrade significantly enough to cause a denial of service condition for even multi-core servers or clusters of servers."
The root cause of the problem is that when ASP.NET encounters a form submission whose field names are chosen to collide in the hash table used to store them, inserting each field requires a walk over every field already stored, so a single request forces a huge number of string comparisons that can consume all of the server's resources.
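The mechanism in miniature, as an added example that is neither the published exploit nor ASP.NET's implementation: a chained hash table keyed by a predictable hash, a set of form-field names that all land in one bucket, and the two mitigations that were actually deployed for this class of bug (a keyed hash the attacker cannot predict, and a cap on the number of form keys per request; Microsoft's MS11-100 patch set that cap to 1000 by default). weak_hash is a deliberately trivial stand-in, the table counts comparisons instead of measuring time so the effect is deterministic, and the field names are constructed.

```python
"""Added example, not the published exploit code and not ASP.NET's own
implementation: why a form-field dictionary keyed by a predictable string
hash lets one request burn a CPU core, and the two standard mitigations.

Assumptions: weak_hash is a deliberately trivial stand-in for a
predictable hash (the real ASP.NET hash is not reproduced); the chained
table counts key comparisons instead of measuring time so the effect is
deterministic; MAX_FORM_KEYS is a parameter here, set to the 1000-key
default Microsoft's patch introduced.
"""
import random
from itertools import permutations
from typing import Callable, Dict, List

BUCKETS = 1024
MAX_FORM_KEYS = 1000


def weak_hash(key: str) -> int:
    """Predictable hash: sum of code points, so any two anagrams collide."""
    return sum(ord(c) for c in key) % BUCKETS


def seeded_hash(key: str, seed: int) -> int:
    """Keyed, position-dependent hash: the bucket depends on a per-process
    secret, so an attacker cannot precompute colliding field names."""
    h = seed & 0xFFFFFFFFFFFFFFFF
    for c in key:
        h = (h * 1099511628211 + ord(c) + seed) & 0xFFFFFFFFFFFFFFFF
    return (h ^ (h >> 29)) % BUCKETS


class ChainedTable:
    """Separate-chaining hash table that counts key comparisons."""

    def __init__(self, hash_fn: Callable[[str], int]):
        self.hash_fn = hash_fn
        self.buckets: List[List[str]] = [[] for _ in range(BUCKETS)]
        self.comparisons = 0

    def insert(self, key: str) -> None:
        chain = self.buckets[self.hash_fn(key)]
        for existing in chain:          # the duplicate check walks the whole chain
            self.comparisons += 1
            if existing == key:
                return
        chain.append(key)


def colliding_keys(n: int) -> List[str]:
    """n distinct field names with identical weak_hash: permutations of
    one string all have the same code-point sum."""
    keys = []
    for perm in permutations("abcdefgh"):
        keys.append("".join(perm))
        if len(keys) == n:
            break
    return keys


def fill(table: ChainedTable, keys: List[str]) -> int:
    for k in keys:
        table.insert(k)
    return table.comparisons


def attack_cost(n: int) -> int:
    """Comparisons for n colliding names under the predictable hash: n(n-1)/2."""
    return fill(ChainedTable(weak_hash), colliding_keys(n))


def benign_cost(n: int, rng_seed: int = 1) -> int:
    """Comparisons for n random names under the same predictable hash."""
    rng = random.Random(rng_seed)
    keys = ["".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(8))
            for _ in range(n)]
    return fill(ChainedTable(weak_hash), keys)


def mitigated_cost(n: int, secret: int = 0x9E3779B97F4A7C15) -> int:
    """Mitigation 1: the attacker's colliding names under a keyed hash."""
    return fill(ChainedTable(lambda k: seeded_hash(k, secret)), colliding_keys(n))


def parse_form(body: str, max_keys: int = MAX_FORM_KEYS) -> Dict[str, str]:
    """Mitigation 2: refuse oversized forms before any key is hashed."""
    pairs = body.split("&") if body else []
    if len(pairs) > max_keys:
        raise ValueError(f"too many form fields: {len(pairs)} > {max_keys}")
    return dict(p.split("=", 1) if "=" in p else (p, "") for p in pairs)


if __name__ == "__main__":
    n = 1000
    print("colliding, predictable hash:", attack_cost(n))
    print("random, predictable hash:   ", benign_cost(n))
    print("colliding, keyed hash:      ", mitigated_cost(n))
```

The quadratic term is what a ~100 KB request buys the attacker: the comparison count for colliding names grows as n²/2, while random names or a keyed hash keep it near linear. The key cap is the cheaper defence and is why the patch also limits the request size rather than only changing the hash.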

Arachni v0.4

Jan 9, 2012 | comments

Arachni is a high-performance, open-source web application security scanner framework written in Ruby. Arachni uses various techniques to compensate for the widely heterogeneous environment of web applications.

This includes a combination of widely deployed techniques (taint-analysis, fuzzing, differential analysis, timing/delay attacks) along with novel technologies (rDiff analysis, modular meta-analysis) developed specifically for the framework.
This allows the system to make highly informed decisions using a variety of different inputs; a process which diminishes false positives and even uses them to provide human-like insights into the inner workings of web applications.

This version includes lots of goodies, including:

  • A new light-weight RPC implementation (No more XMLRPC)
  • High Performance Grid (HPG) — Combines the resources of multiple nodes for lightning-fast scans
  • Updated WebUI to provide access to HPG features and context-sensitive help
  • Accuracy improvements and bugfixes for the XSS, SQL Injection and Path Traversal modules
  • New report formats (JSON, Marshal, YAML)
  • Cygwin package for Windows
New plugins

  • ReScan — It uses the AFR report of a previous scan to extract the sitemap in order to avoid a redundant crawl.
  • BeepNotify — Beeps when the scan finishes.
  • LibNotify — Uses the libnotify library to send notifications for each discovered issue and a summary at the end of the scan.
  • EmailNotify — Sends a notification (and optionally a report) over SMTP at the end of the scan.
  • Manual verification — Flags issues that require manual verification as untrusted, in order to improve the signal-to-noise ratio.
  • Resolver — Resolves vulnerable hostnames to IP addresses.

If you want a slightly more detailed description of what's changed you can check here, or view the ChangeLog.

INSTALLATION


CDE Package For LINUX
Arachni is released as a CDE package for your convenience.
CDE packages are self contained and thus alleviate the need for Ruby and other dependencies to be installed.
You can download the latest CDE package from the download page and escape the dependency hell.
Cygwin Package For WINDOWS

Arachni does not yet run natively on Windows systems, however until that day comes you can download a pre-configured Cygwin environment containing Arachni and its dependencies. All you need to do is download the self-extracting archive, select a directory for it, open it up and then execute the Cygwin batch file.
You will then be presented with a Bash shell, after that you'll be able to use Arachni as if you were on a Linux system.

You can download Arachni v0.4 here :

How To Set Up Pen Testing/Hacking Lab Network Using a Single System


INTRODUCTION

There are lots of tutorials available on the internet related to hacking, but the big problem lies in testing your theoretical skills. Unless you have practical exposure to hacking, you cannot really understand the strength of it. The technique I will discuss here will be advantageous for those who have only a single system and want to set up a testing network using it. In case you have multiple systems, you can easily test your skills by making one system the target and the other the attacker.
But what to do when we have only a single system at our disposal? No need to worry: a virtual machine is the solution. You can set up your own hacking network and apply your skills to gain practical exposure to hacking.


INSTALLATION & CONFIGURATION

The only thing to check is your system's hardware configuration. You should have a minimum of 2 GB RAM, but 3 GB is highly recommended for a 32-bit operating system.
We will be using Oracle VirtualBox in this tutorial. You can download VirtualBox from this link [Reference 1]. Once you have installed VirtualBox, the next step is to download the Extension Pack. You can get it from this link [Reference 2].

Once you have followed these initial steps, you are half done. The next step is to set up a target operating system. Suppose you want Windows XP SP2 as the target operating system. You will need a bootable Windows XP SP2 ISO for that; use installation media you are licensed for.


INSTALLING APPLICATIONS ON VIRTUAL MACHINE


So now you have a virtual machine where you can test all your applications and hacks. Let us install a WAMP server and run DVWA on it.
Now, how do you install applications on a virtual machine? The process is simple. With your Windows XP virtual machine running, click on the Devices menu, go to USB and select your pendrive from the list.
Now you can install anything from a USB drive inside your virtual machine. There is also a facility to create a shared folder with your host operating system, but I would prefer that you use USB; shared folders have some issues when your host operating system is Windows 7. You can install different servers, applications, RAT clients etc. and play with them.


ADVANTAGES OF VIRTUAL MACHINE


Here are some of the major advantages of using a virtual machine:

1. You can test all the viruses and RATs without any fear, as your base operating system will not be affected.

2. You can test different servers and applications easily without affecting your base operating system.

3. In case the virtual machine gets corrupted, you can simply re-install it.

TAKE BACKUP & SAVE TROUBLE IN FUTURE

There are also some key factors that you should remember which will help you during your pen testing:

1. Create a clone of the virtual machine.

2. This step is very helpful in case your VM gets corrupted. Creating a clone of it will save you from re-installing it again and again.

3. You can create a clone by right-clicking on the virtual machine instance in VirtualBox and clicking on "Clone...".

4. You will notice that a cloned virtual WinXP will be created for you.

DISABLE THE WINDOWS FIREWALL

The next important thing you can do is disable the Windows firewall and then perform your pentesting, as the firewall may block some of the suspicious activities. Using the default Windows firewall of the XP virtual machine you can also test whether your activity is traceable or not. This will give you a clear understanding of why RATs are not considered a suitable hack these days: they are easily detectable. You can disable the firewall by going to Control Panel, clicking on Windows Firewall and then disabling it.


TESTING YOUR PEN-TESTING/HACK NETWORK


Well, this is a good question to ask if you have understood the above concepts. So far we discussed how to test different tools and techniques on a virtual operating system. The next step is how to hack one virtual machine using the other. The scenario will be similar to hacking any system on the internet, so this technique will give you real-world exposure.
Interesting... Let's proceed then. This time we will set up another virtual machine using the BackTrack [Reference 3] operating system, which is one of the most widely used penetration testing operating systems among security professionals.

The reasons that make BackTrack so popular are:

1. It has all the relevant tools pre-installed.

2. It is Linux based.


You can download the BackTrack 5 ISO from its official website. It's a must-have operating system for everyone.
Once you are done with the installation part, the next step is to make the two virtual machines (BT and WinXP) connect with each other. There is a simple setting that you will have to make in both virtual machines. Let's check it out.


Select the BackTrack virtual machine, click on the Settings tab, then move to "Network". You will find that Adapter 1 is set to NAT. Switch to the Adapter 2 tab.
In the Adapter 2 tab, set the adapter type to Host-Only Adapter and set the adapter name to "VirtualBox Host-Only Ethernet Adapter".


Make similar setting changes in your Windows XP virtual machine as well. Now your two virtual machines are ready to connect with each other. You can check the IP address of the Windows machine by using the ipconfig command in the command prompt, and similarly you can check the IP address of the BT machine using the ifconfig command. You can also ping the two machines to check if both are detecting each other (don't forget to disable the Windows firewall, else it will filter the ping packets).
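The clone-and-snapshot step from the backup section and the host-only adapter setting just described can also be driven from the VirtualBox command line, which makes the lab reproducible. The script below is an added example, not code from the original post or from VirtualBox; it assumes VirtualBox is installed, that the two guests already exist under the assumed names WinXP-SP2 and BT5, and that the host-only interface is vboxnet0 (the Linux-host name; Windows hosts use the "VirtualBox Host-Only Ethernet Adapter" name given in the post). Adapter 1 stays on NAT and adapter 2 becomes host-only, so the two guests can reach each other while traffic on the host-only network never leaves the host; drop adapter 1 if you want a lab with no internet path at all.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of the original post or VirtualBox).
# Drives the clone / snapshot / host-only steps from the post with VBoxManage.
# Set VBOX=echo to print the commands instead of running them.
VBOX="${VBOX:-VBoxManage}"
LAB_TARGET="${LAB_TARGET:-WinXP-SP2}"        # assumed VM name of the target guest
LAB_ATTACKER="${LAB_ATTACKER:-BT5}"          # assumed VM name of the BackTrack guest
# "vboxnet0" on Linux hosts; "VirtualBox Host-Only Ethernet Adapter" on Windows hosts
HOSTONLY_IF="${HOSTONLY_IF:-vboxnet0}"

# Adapter 1 stays NAT (internet via the host); adapter 2 becomes host-only so the
# guests share a private network that is unreachable from outside the host.
attach_hostonly() {                          # $1 = VM name
    "$VBOX" modifyvm "$1" --nic1 nat --nic2 hostonly --hostonlyadapter2 "$HOSTONLY_IF"
}

# Snapshot of the clean guest: restore it after a test instead of re-installing.
snapshot_clean() {                           # $1 = VM name, $2 = snapshot name
    "$VBOX" snapshot "$1" take "$2" --description "clean baseline before testing"
}

# Full clone, equivalent to right-click -> "Clone..." in the GUI.
clone_vm() {                                 # $1 = source VM, $2 = clone name
    "$VBOX" clonevm "$1" --name "$2" --register
}

# Host-only IPv4 address reported by the guest (needs Guest Additions in the guest;
# adapter 2 is usually guest interface index 1). Saves running ipconfig/ifconfig by hand.
guest_ip() {                                 # $1 = VM name
    "$VBOX" guestproperty get "$1" "/VirtualBox/GuestInfo/Net/1/V4/IP"
}

setup_lab() {
    stamp="$(date +%Y%m%d)"
    for vm in "$LAB_TARGET" "$LAB_ATTACKER"; do
        attach_hostonly "$vm"
        snapshot_clean "$vm" "clean-$stamp"
    done
    clone_vm "$LAB_TARGET" "$LAB_TARGET-backup"
}

# Usage: sh lab.sh setup        (or: VBOX=echo sh lab.sh setup  to preview the commands)
if [ "${1:-}" = "setup" ]; then
    setup_lab
fi
```

Run it once with VBOX=echo to see exactly which VBoxManage calls it will make, then for real; after that, `VBoxManage snapshot WinXP-SP2 restore clean-<date>` puts the target back to its clean state after each test instead of re-installing it.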


Now there are two virtual machines, one WinXP and the other BT5, each with its corresponding IP address. Both are running over my host operating system, Windows 7. So in all there are three operating systems running simultaneously.


Now you can use the various options available in the BackTrack OS to perform tests on the WinXP box. Quickly perform an nmap scan to check the open ports on the WinXP machine.
The scan shows whether the target is up and which ports are open. Similarly, you can perform several attacks and use the tools available in BackTrack to penetrate the target Windows XP machine without harming your own operating system.
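It is worth keeping that first scan as a written baseline of the target, so that later you can tell which ports a firewall or IDS you add has actually closed. The function below is an added example (not from the original post or from nmap): it reads nmap's grepable output (`nmap -oG -`) on stdin and lists the open ports per host, skipping filtered and closed ones. The sample scan is constructed to look like an XP SP2 guest with the firewall disabled; against the real guest you would run `nmap -oG - 192.168.56.101 | open_ports` (the address is an assumption; use the one ipconfig reported).

```shell
#!/bin/sh
# Added example: parse nmap grepable output (-oG) and list open ports per host.
# Not part of the original post; the sample scan below is constructed.

# Reads -oG lines on stdin, prints "host port/proto service" for each open port.
# Grepable fields are tab-separated; each port entry is port/state/proto/owner/service/...
open_ports() {
    awk -F '\t' '
        /Ports:/ {
            split($1, h, " ")                    # "Host: 192.168.56.101 ()" -> h[2] is the IP
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entries, ", ")
                    for (j = 1; j <= n; j++) {
                        split(entries[j], f, "/")
                        if (f[2] == "open") printf "%s %s/%s %s\n", h[2], f[1], f[3], f[5]
                    }
                }
            }
        }'
}

# Number of open ports in a scan given on stdin (handy for a one-line baseline check).
count_open() {
    open_ports | wc -l | tr -d ' '
}

# Constructed sample of what "nmap -oG - 192.168.56.101" prints for an XP SP2 guest
# with the firewall disabled (one filtered port included to show it is skipped).
SAMPLE_SCAN="$(printf 'Host: 192.168.56.101 ()\tStatus: Up\nHost: 192.168.56.101 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 80/filtered/tcp//http///\tIgnored State: closed (996)\n')"

printf '%s\n' "$SAMPLE_SCAN" | open_ports
```

Re-run the same pipeline after enabling the XP firewall or adding an IDS/IPS in front of the guest; the difference between the two listings is the effect of the control you added, which is the measurement this lab is for.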

You can use this technique to perform several tests:

1. You can try to hack different operating systems by installing them as virtual machines.

2. This gives a realistic simulation of the original scenario.

3. You can increase the level of difficulty of your hacks by installing firewalls, IDS/IPS etc.

4. This is a fully customizable scenario where you can do whatever you want.

*****HOPE YOU LIKE THIS *****

Dammit Ramnit

Jan 8, 2012 | comments


A well-known worm called Ramnit has been found actively spreading in the Facebook environment. Symantec reports that this worm is responsible for the theft of more than 45k Facebook passwords.
"We suspect that they use the Facebook logins to post on a victim's friends' wall links to malicious websites which download Ramnit," he added. Ramnit started as a file-infector worm which steals FTP credentials and browser cookies, then added some financial-stealing capabilities, and now recently added Facebook worm capabilities. According to cyberthreat management site Seculert, most of the stolen credentials were from the US, UK and France. Furthermore, they added that a portion of these stolen logins were invalid and that many users have reacted correctly by changing their usernames and passwords.

Ramnit first appeared in April 2010. By last July variants of the malware accounted for 17.3 per cent of all new malicious software infections, according to Symantec. A month later Trusteer reported that flavours of Ramnit were packing sophisticated banking login credential snaffling capabilities - technologies culled from the leak of the source code of the notorious ZeuS cybercrime toolkit at around the same time.

The new Ramnit configuration was able to bypass two-factor authentication and transaction-signing systems used by financial institutions to protect online banking sessions. The same technology might also be used to bypass two-factor authentication mechanisms in order to gain remote access to corporate networks, Seculert warns. "We suspect that the attackers behind Ramnit are using the stolen credentials to expand the malware's reach," Seculert concludes, adding that capturing the login credentials of Facebook accounts creates a means to attack more sensitive accounts that happen to use the same email address and password combination. "The cyber-criminals are also taking advantage of the fact that people usually use the same passwords for different web-based services (Facebook, Gmail, Corporate SSL VPN, Outlook Web Access, etc.) to gain remote access to corporate networks."


HOW TO PROTECT

1. Never click on strange links and report any suspicious activity you encounter on Facebook.

2. Update your antivirus.
