IP Addressing

An IP address is the means by which a system is identified on a network. A system here may be a desktop, laptop or mobile phone, or even a household item such as a refrigerator or a car, as long as it connects to a network. The network can be a local LAN, a WAN, or a public network such as the internet.

Most of the IP addresses assigned today are version 4, or IPv4. However, there is a move towards version 6, or IPv6. The main cause of this is the depletion of IPv4 addresses and the need for a larger set of addresses to accommodate the growing size of the internet. Here I’ll discuss IPv4 addresses in detail and how they are used today.

What is an IP address?

An IP address is a 32-bit string which uniquely identifies a device on a network. Represented in binary it looks something like this:

11000000101010000000000100000001

Since there are 32 binary bits, the total number of address combinations possible is 2^32 (with a few exceptions), which is indeed a very large number.

From the binary representation it can be seen that this format is not very human friendly, though machines find the binary format the most efficient to use. Hence the representation above is modified a little by grouping together 8 bits (1 byte) at a time. A group of 8 bits is commonly referred to as an octet. The decimal value of each octet is then calculated to produce a human-readable form:
11000000 = 192
10101000 = 168
00000001 = 1
00000001 = 1

Thus the above address becomes

19216811

Well, that’s easier to read. However, we need a way of distinguishing one octet from the next while reading it. Hence a dot (.) is placed between octets, giving the address shown below:

192.168.1.1

This representation is called the dotted decimal format, since it represents the address as decimal numbers with a dot between each octet. It is the most popular way of representing IPv4 addresses.
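The conversion just described, carried out in code. This is an added example and not part of the original post; the function names are my own, and the sample 32-bit string is the one used above. The reverse direction also validates each octet, since an address string that arrives from outside (a form field, a log line, a config file) should be rejected if it has the wrong number of octets or a value above 255, rather than silently accepted.

```python
"""Convert between the 32-bit binary form of an IPv4 address and its
dotted decimal form. Added example; not code from the original post."""

# Constructed sample: the 32-bit string shown in the post (192.168.1.1).
SAMPLE_BITS = "11000000101010000000000100000001"


def binary_to_dotted(bits: str) -> str:
    """Group 32 bits into four octets and render each as a decimal number."""
    if len(bits) != 32 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 32 binary digits")
    octets = [bits[i:i + 8] for i in range(0, 32, 8)]
    return ".".join(str(int(octet, 2)) for octet in octets)


def dotted_to_binary(address: str) -> str:
    """Parse a dotted decimal address back into its 32-bit binary string.

    Each octet must be a plain ASCII decimal in 0..255. Too few or too many
    octets, empty fields, signs, or values above 255 are rejected, which is
    the check a parser needs before trusting an address string from outside.
    """
    parts = address.split(".")
    if len(parts) != 4:
        raise ValueError("expected four octets")
    bits = []
    for part in parts:
        if not (part.isascii() and part.isdigit()) or len(part) > 3:
            raise ValueError(f"invalid octet {part!r}")
        value = int(part)
        if value > 255:
            raise ValueError(f"octet {value} exceeds 255")
        bits.append(format(value, "08b"))
    return "".join(bits)


def to_int(address: str) -> int:
    """The same address as a single 32-bit integer, the form machines use."""
    return int(dotted_to_binary(address), 2)


if __name__ == "__main__":
    print(binary_to_dotted(SAMPLE_BITS))   # 192.168.1.1
    print(dotted_to_binary("192.168.1.1"))  # the 32-bit string above
    print(to_int("192.168.1.1"))            # 3232235777
```

`to_int` is the value a router or a kernel actually compares against a netmask; the dotted form exists only for people.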





Multiple instances of gtalk

Have you ever tried logging into yahoo messenger from two clients on the same machine? Forget different ids... It does not even let you have two login instances with the same id.

Have you ever tried logging into gtalk from two clients on the same machine? Have you been able to at least start two instances of gtalk on your PC?

Look no further: gtalk can be tweaked not only to run more than one instance, but to let you log into each instance with a different gmail id.

Now why on earth would someone want to do that? Well, perhaps you maintain different ids for different purposes, like one for work and another for your family or girlfriend.

The tweak is simple. The first step is to create a shortcut to gtalk on your desktop. If you already have this, forget this step.

Next, right click on this shortcut, select Properties, and choose the tab called Shortcut. You can see a field called ‘Target’, which is where our tweak goes. At the end of this field, after the existing text, add the text shown below.

/nomutex

Make sure that it is added right after the

……\googletalk.exe"

If any other text is present there, delete it. The final text in the target field will then read

…………………… Google Talk\googletalk.exe" /nomutex

Click OK to save the properties.

Done!!!!!!!!!!

Now every time you click this icon on your desktop, a new instance of gtalk will pop up. You can sign in with your different ids into each instance.

Enjoy!!!!!!!!!!!!!



Passive footprinting

Passive footprinting is a method by which an attacker tries to gather information about a target, such as IP addresses, security weaknesses and defensive capabilities. In most cases an attacker launches an attack only after gathering such information and deciding whether a breach is feasible. The following methods aid in this process.


traceroute

This is a tool used to trace the route from the source to the destination. Each intermediate system, such as a router, returns an ICMP packet to the source which reveals information about that system to the sender. It also helps in identifying the last-but-one hop, which often happens to be a firewall or router. The attacker can thus learn the type of routers and firewalls used by the company.

whois

This too is a passive reconnaissance method, by which the ownership of a particular domain can be found by querying the public databases maintained by domain registrars. The query returns information such as the owner’s name, email address and phone number, which can be used for email attacks and social engineering. The query also returns the IP address and domain expiration dates, which can be used for domain hijacking. Moreover, the physical address obtained can help the attacker in launching attacks such as dumpster diving.

nslookup

Name server lookup is a tool used to query the DNS for the IP address of a particular domain. This is a passive reconnaissance method whereby a third party is used to gather information about the targeted domain. After obtaining a valid IP address of a company website, the attacker may guess other IP addresses in the same subnet and attack whichever of these is weaker. Nslookup can also be used to gather information about mail servers, after which attacks such as spamming and denial of service can be launched.

ARIN

The American Registry for Internet Numbers is the body that manages internet number resources, including IP addresses, Autonomous System numbers, etc. ARIN can be used in address reconnaissance, which helps in identifying the address space used by a particular organization. Once the IP address of a company is identified by a method like nslookup, the ARIN website can be used to obtain the entire IP address range of that company. This can be used for a brute-force sweep in which one address after another is tried to find an unsecured one.


SQL Injection

SQL injection is a type of attack which takes advantage of holes in the database layer of a website. It happens when a user passes arguments to the SQL engine of the application through the regular user input fields. A major cause of the success of this attack is that most website parsers do not validate user input before passing it on to SQL for processing. An attacker can make use of this vulnerability and, with a little time and patience, gain access to the entire database.


Description of the attack

SQL injection attacks can be of many types. The major ones are listed below.

• Incorrectly parsed inputs
This happens when user input is not checked to see if it is a valid input allowed by the application. Statements like 1=1 or ‘x’=’x’ will always be true in an SQL query and thus can be injected into form fields to bypass the authentication process.

• Type invalidation
In other cases the parser does not check the type of data input by the user. An example of this is text being provided in a date box, and SQL trying to process it as a number field. If proper error handling and type checking is not done, the database can crash, providing the user with additional details about the database.

• Blind attacks
These are attacks in which the user does not directly see any output on the screen but can infer a large amount of information from the behavior of the database. For example, by providing special inputs and measuring the time needed for execution, an attacker can determine whether the attack was successful.


How it is used by hackers

The first step is to determine if the database is vulnerable. This can be done by providing a character such as a single quote (‘) or a double quote (“) in the user name field. Other similar characters may also be employed for this purpose. If there is a vulnerability, the database provides a crash report instead of the usual output of “invalid user name” etc.; this would look something like the figure above.

Now that the vulnerability has been discovered, an attacker can input other combinations which provide unauthenticated access. Most databases have “admin” or a variation of it as a user name. This can be used along with password strings which are always true, like
anything' OR 'x'='x
' OR 1=1 --
There are many other combinations which can be used for this purpose. For example, the following can be used as credentials: Username: ' or 1=1 -- Password: ' or 1=1 --
Yet another example that might work is: Username: me Password: anything' OR 'x'='x

Many other such combinations are available for this purpose. The important part of this method is that, once the database crash report is obtained (as shown in the figure), it hints to the attacker what type of strings the database accepts. The attacker can then modify the credentials with these database-specific details.

In the case of some JavaScript-enabled pages with improper handling of login details, the page source can be saved onto the attacker’s system. It can then be modified so that the login validation function calls are removed from the code.

Access provided by a successful attack

An attacker who succeeds in logging into the system will have access to the information of that specific user. If he succeeds in logging in as “admin”, he will have unlimited privileges, from viewing the database files to modifying or deleting them. For a random login, the attacker normally gets logged into the first account matched by the SQL search string, and so has access to that user’s personal information. In both cases the attacker can get complete information about the user, sometimes including addresses, phone numbers or even social security numbers.

Defending against SQL attacks

The best method of defending against such attacks is to have the parser validate each and every string input by the user. Characters such as quotes or the equals sign (=) should be properly handled. In addition, it is a good idea to keep a check on the length of the user data.

In the case of a JavaScript-enabled page it would be good to employ a good encryption technique on the website. Moreover, the functions for credential verification should be placed in a separate secure location rather than embedded in the source code of the login page.
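To make the mechanism concrete, here is the login check written two ways: the string-built query that the “always true” password strings above defeat, and the same query with the user’s values passed as bound parameters, which is the standard way of making quotes and equals signs harmless, alongside the length check recommended above. This is an added example and not code from the original post; the table, the two accounts and the function names are constructed for illustration, and the database is an in-memory SQLite one.

```python
"""Vulnerable versus parameterized login query.
Added example; not code from the original post. Table, accounts and
function names are constructed for illustration."""
import sqlite3

MAX_FIELD_LEN = 64  # the length check on user data recommended in the post


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret-admin"), ("alice", "wonderland")])
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the SQL by string concatenation, so a quote in the input ends
    the string literal and the rest of the input becomes SQL syntax.
    Returns the username of the first matching row, or None."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Same query, but the values travel as bound parameters: a quote in the
    input stays a character inside the value and never becomes syntax."""
    if len(username) > MAX_FIELD_LEN or len(password) > MAX_FIELD_LEN:
        return None
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def error_leak(conn, username: str, password: str):
    """The database error text a malformed input produces on the vulnerable
    path, i.e. the 'crash report' the post describes. A site that shows this
    text to the user is handing out details about its database engine."""
    try:
        login_vulnerable(conn, username, password)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "me", "anything' OR 'x'='x"))  # admin
    print(login_safe(db, "me", "anything' OR 'x'='x"))        # None
    print(error_leak(db, "'", "x"))                           # syntax error text
```

With the vulnerable query, `anything' OR 'x'='x` turns the WHERE clause into `(username = 'me' AND password = 'anything') OR 'x'='x'`, which matches every row, so the first account in the table (here `admin`) is returned, exactly the “first account found” behaviour described above. The parameterized version compares the literal string and finds no such password.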

Examples of successful attacks

A recent incident of SQL injection occurred on August 12, 2007, when the United Nations website was defaced by hackers. They posted their own message on the UN home page asking the US and Israel to stop the war. An interesting point about the posted message is that it hardly contains any quotes, not even in the word “don’t”. This points to an SQL injection attack, since quotes would interfere with the commands provided by the attacker.

Another example is the Microsoft UK website, which was attacked on 29 June 2007; SQL injection is suspected to be the method of attack. The hacker replaced several sections of the website with graphics related to Saudi Arabia. The method is said to have involved HTML code injected into the SQL engine, which then used the new code whenever a new page was generated. The attack is said to have taken advantage of a vulnerability associated with Microsoft SQL Server.

Conclusion

SQL injection is one of the most popular and easiest types of attack, and can be performed even by a novice with some patience and time. Website developers and database admins should take proper care to make sure that their systems are free from these kinds of attacks, using some of the methods outlined above. Moreover, a company interested in preventing these attacks must be ready to provide proper security training to its web and database teams.



PhoneSweep – The war dialer

PhoneSweep is a commercial war dialer from Sandstorm Enterprises. Since the term war dialer has been associated with amateur tools created by hackers for malicious purposes, the company prefers to classify PhoneSweep as a “telephone line scanner”.

Description

Almost all the computers deployed today come with an inbuilt modem. Though seldom used, these devices can pose serious vulnerabilities in a network, especially in a corporate environment employing thousands of them. Corporations normally spend huge amounts of money on securing their networks with firewalls and other security devices. However, what is mostly ignored are the lowly modems attached to almost every computer in the network.

Hackers can take advantage of these devices by methods like war dialing. Here a hacker uses war dialing tools to dial all possible combinations of telephone numbers in the organization. These tools can then identify the type of device attached to the modem, such as a server or fax machine. Special mechanisms are embedded in them to identify the different ways in which a call is terminated: for example, calls answered by automated systems are normally answered on the first ring, while a human user takes more rings. Such devices, when compromised, can serve as backdoors to the entire corporate network. War dialing can be directed at a single organization or at a particular geographical location.

Unlike the hacker tools available for war dialing, PhoneSweep is a commercial, ethical tool which helps organizations track down the vulnerabilities in their systems. Prior to the release of PhoneSweep, the only tools available to security personnel were freeware like ToneLoc and THC-Scan, which could not be relied upon as they were designed mostly by hackers and could introduce vulnerabilities into the system.

Features

The following features of PhoneSweep have made it an ideal phone line analysis tool for corporations.

i. Trusted source
Since the software comes from a trusted source, corporations can be sure that it does not introduce any kind of vulnerability into the system. This is unlike the freeware previously available, which used to have undocumented bugs and could infect the systems on which it was installed.

ii. Friendly interface
The application comes with an inbuilt GUI which makes it easy to configure and use, even for a novice. It is currently available for all versions of Windows. For more advanced users it also offers a CLI configuration method.

iii. Hardware licensing
Another feature which has made the software popular is hardware licensing. This means that in order to use the software there needs to be a dongle, available for the USB or the parallel port. Without this hardware license the program is useless. Hence it can be assured that the software will never be shared with unauthorized users who could misuse it for malicious ends.

iv. Updated
The large support base for this software has the advantage that the program is updated all the time. At this time PhoneSweep can detect around 460 systems and keeps adding support for new devices.

Usage options

Two popular usage options available with this tool are described below.

i. Penetration testing
PhoneSweep has a feature called penetration testing which, along with identifying vulnerabilities, also tries to break into the systems. This is done by identifying the type of system and checking whether these devices can be easily penetrated using default passwords or a brute-force attack.

ii. Differential scanning
Any war dialing tool takes a huge amount of time to scan an entire corporate environment. However, PhoneSweep comes with a feature called differential scanning, which tries to discover only the changes made in the network since the last scan. This considerably reduces the time taken by future scans.

Output

The output of this scanning tool is available as a well-formatted RTF file. This makes it easier for a user to sort the results by various fields. The results can be viewed by the number dialed, the type of device on the other end and many other options. It also has the additional feature of importing the results into an Excel graph, which gives a pictorial representation of the vulnerabilities and the percentage of threats for each type of discovered device.

Uses of war dialer tools to the hacker

As already mentioned, this tool is not available to the ordinary hacker due to licensing restrictions. Moreover, the tool is sold at a high cost ($1000 - $10000), which makes it impossible for a novice to get his hands on this corporate tool.

However, freely available war dialing tools can provide a wealth of information to hackers. Though much less efficient than PhoneSweep, these tools can be used successfully with a little patience and time. They can be used to discover the holes in devices attached to unprotected modems. Through these reconnaissance attacks, the type of system at the other end can be easily discovered. Later, an attacker can launch system-specific attacks on these vulnerable devices and create backdoors into the entire network.

Conclusion

It has been a blessing to corporate security offices that a tool like PhoneSweep is at their disposal. Previously they had to rely on other freeware which had a greater chance of introducing viruses or threats into the system; some of these even reported back to their designers about the holes in a corporate network. Sandstorm, however, has made it impossible for hackers to get their hands on this ethical software. Though it comes at a huge cost, any corporation wishing to keep its systems free from undiscovered threats associated with phone lines should have PhoneSweep as part of its security mechanism.
