Brainfoldb4u's Blog

Just another WordPress.com weblog

Where do popular browsers and Chat applications store their passwords

Posted by brainfoldb4u on March 16, 2010

I got this question raised in an interview with Google: “Where do browsers and popular messengers store their password?” I kind of wondered about an answer to this question. After some searching I found answers, which I thought of sharing with you all.

The fact is that major browsers and applications tend to store passwords in a way that hides them from you and prevents you from altering them. Even if you know the location, it is hard to move them from one machine to another.

Google Chrome:

On a Windows machine, the Google Chrome browser stores passwords at [Windows Profile]\Local Settings\Application Data\Google\Chrome\User Data\Default\Web Data.

Google Chrome uses SQLite as the storage for passwords and other critical web-page related data. Google did an appreciable job of separating the Windows-specific code from the cross-platform code. The only Windows-specific code here is the encryption function, which can easily be ported by creating a different Encryptor object for each OS. The important piece here is CryptProtectData, a Windows API function for encrypting data. Data encrypted with this function is pretty solid: it can only be decrypted on the same machine and by the same user that encrypted it in the first place.

For a more technical explanation click here: how Google Chrome stores passwords

Mozilla Firefox

The passwords are stored in one of the following files: signons.txt, signons2.txt or signons3.txt (depending on the Firefox version). These password files are located inside the Firefox profile folder, at [Windows Profile]\Application Data\Mozilla\Firefox\Profiles\[Profile Name]. Also, key3.db, located in the same folder, is used for encryption/decryption of the passwords.

Firefox is much better than Internet Explorer in terms of managing “remembered” logins. In Internet Explorer, there is no built-in feature where you can manage or view your saved login information. That’s why you need third party tools to reveal the passwords hidden under asterisks. As for Firefox, you can access remembered passwords with a few clicks.

To view your remembered passwords in Firefox browser, go to Tools, and click on Options. Go to Security tab and click on the Show Passwords button. A remember password dialog box will appear. Click on the Show Passwords button again and a new column with password will appear.

Once you open the saved password location (Tools > Options > Security > Saved Passwords), you won’t need any tools to reveal the passwords hidden under asterisks. It’s a feature included in the Firefox browser. So anyone who has access to your workstation can typically spy on your passwords by going to the Security tab in the Options dialog.

One useful tool worth sharing for Firefox password management is FirePassword. FirePassword is a console tool designed to decrypt the username and password list from the Firefox sign-on database. Firefox records the login details, such as username and password, for every website authorized by the user and stores them in the sign-on database file in encrypted format. It works along similar lines to Firefox’s built-in password manager, but it can be used as an offline tool to get the username/password information without running Firefox. It is DOS based, and the manual says that FirePassword requires only 3 files: key3.db, cert8.db and signons.txt. These 3 files can be found in the Firefox profile directory.

All you need to do is place the 3 files together with FirePassword and run FirePassword.exe. Weirdly, I was able to decrypt all my usernames and passwords by copying ONLY the signons.txt file. It looks like it’s not necessary to include the other 2 files.

For a detailed technical explanation click here

Internet Explorer > 7.0 (hope you all have updated from version 6.0):

  • Auto-complete passwords are stored in the Registry under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2.
  • Documents and Settings\Application Data\Microsoft\Credentials is the credential file location used to save HTTP authentication passwords.

IE PassView is an automated tool that can be used to recover these passwords.

Opera: The passwords are stored in a file named wand.dat, located under [Windows Profile]\Application Data\Opera\Opera\profile

Safari: Safari stores password data via Keychain (/Applications/Utilities/Keychain Access on Mac).

On a PC, all that data is stored in plist files at: C:\Documents and Settings\(UserName)\Application Data\Apple Computer\Safari

I believe it is FormValues.plist

Thunderbird: The password file is located under [Windows Profile]\Application Data\Thunderbird\Profiles\[Profile Name]. You should look for a filename with the .s extension.

Google Talk: All account settings, including the encrypted passwords, are stored in the Registry under HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts\[Account Name]

MSN Messenger version 7.x: The passwords are stored under HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Creds\[Account Name]

Windows Live Messenger version 8.x/9.x: The passwords are stored in the Credentials file, with an entry name beginning with “WindowsLive:name=”. These passwords can be recovered by both the Network Password Recovery and MessenPass utilities.

Yahoo Messenger 7.5 or later: The password is stored in the Registry, under HKEY_CURRENT_USER\Software\Yahoo\Pager, in the “ETS” value. The value stored in “ETS” cannot be recovered back to the original password.


Posted in Auditing, Browser Security, Google, Security tools, vulnerability assessment | Tagged: | 1 Comment »

sqlmap: Open source pentest tool

Posted by brainfoldb4u on March 15, 2010

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over back-end database servers. It comes with a broad range of features, from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

sqlmap features

Features implemented in sqlmap include:

Generic features

  • Full support for MySQL, Oracle, PostgreSQL and Microsoft SQL Server back-end database management systems. Besides these four database management systems software, sqlmap can also identify Microsoft Access, DB2, Informix, Sybase and Interbase.
  • Full support for three SQL injection techniques: inferential blind SQL injection, UNION query (inband) SQL injection and batched queries support. sqlmap can also test for time based blind SQL injection.
  • It is possible to provide a single target URL, get the list of targets from Burp proxy requests log file or WebScarab proxy conversations/ folder, get the whole HTTP request from a text file or get the list of targets by providing sqlmap with a Google dork which queries Google search engine and parses its results page. You can also define a regular-expression based scope that is used to identify which of the parsed addresses to test.
  • Automatically tests all provided GET parameters, POST parameters, HTTP Cookie header values and the HTTP User-Agent header value to find the dynamic ones, meaning those that vary the HTTP response page content. On the dynamic ones sqlmap automatically tests for and detects the ones affected by SQL injection. Each dynamic parameter is tested as numeric, single quoted string, double quoted string, and all three of these data types with zero to two parentheses, to correctly detect which SELECT statement syntax to use for further injections. It is also possible to specify only the parameter(s) that you want to test and use for injection.
  • Option to specify the maximum number of concurrent HTTP requests to speed up the inferential blind SQL injection algorithms (multi-threading). It is also possible to specify the number of seconds to wait between each HTTP request.
  • HTTP Cookie header string support, useful when the web application requires authentication based upon cookies and you have such data or in case you just want to test for and exploit SQL injection on such header. You can also specify to always URL-encode the Cookie header.
  • Automatically handle HTTP Set-Cookie header from the application, re-establishing of the session if it expires. Test and exploit on these values is supported too. You can also force to ignore any Set-Cookie header.
  • HTTP Basic, Digest, NTLM and Certificate authentications support.
  • Anonymous HTTP proxy support to pass the requests to the target application through a proxy; this also works with HTTPS requests.
  • Options to fake the HTTP Referer header value and the HTTP User-Agent header value specified by user or randomly selected from a text file.
  • Support to increase the verbosity level of output messages: there exist six levels. The default level is 1 in which information, warnings, errors and tracebacks (if any occur) will be shown.
  • Granularity in the user’s options.
  • Estimated time of arrival support for each query, updated in real time while fetching the information to give to the user an overview on how long it will take to retrieve the output.
  • Automatic support to save the session (queries and their output, even if only partially retrieved) in real time to a text file while fetching the data, and to resume the injection from this file at a later time.
  • Support to read options from a configuration INI file rather than specify each time all of the options on the command line. Support also to save command line options on a configuration INI file.
  • Option to update sqlmap as a whole to the latest development version from the Subversion repository.
  • Integration with other IT security open source projects, Metasploit and w3af.

Fingerprint and enumeration features

  • Extensive back-end database software version and underlying operating system fingerprint based upon inband error messages, banner parsing, functions output comparison and specific features such as MySQL comment injection. It is also possible to force the back-end database management system name if you already know it.
  • Basic web server software and web application technology fingerprint.
  • Support to retrieve the DBMS banner, session user and current database information. The tool can also check if the session user is a database administrator (DBA).
  • Support to enumerate database users, users’ password hashes, users’ privileges, databases, tables and columns.
  • Support to dump database tables as a whole or a range of entries as per user’s choice. The user can also choose to dump only specific column(s).
  • Support to automatically dump all databases’ schemas and entries. It is possible to exclude the system databases from the dump.
  • Support to enumerate and dump all databases’ tables containing user provided column(s). Useful to identify for instance tables containing custom application credentials.
  • Support to run custom SQL statement(s) as in an interactive SQL client connecting to the back-end database. sqlmap automatically dissects the provided statement, determines which technique to use to inject it and how to pack the SQL payload accordingly.

Download:

Click here to download

Posted in Auditing, Open Source, Penetration testing, Security tools | Tagged: | Leave a Comment »

Network Stuff – Handy network utility

Posted by brainfoldb4u on March 15, 2010

Network Stuff is a handy network utility that comes with a whole set of very useful network tools, like Whois, TCP/UDP telnet and a raw packet forger, that give more information about a host on a network and perform simple tasks.

The open source tool includes:

  • tcp/udp telnet
  • ping/traceroute
  • DNS resolver
  • Whois
  • Arp
  • Stats and TCP/UDP/IP tables (iphelper functions)
  • TCP/UDP/ICMP/CGI multithreaded scan (TCP and CGI scans can be done through an HTTP or SOCKS proxy)
  • Raw packet capture (multiple options including application name)
  • Raw packet forging
  • Wake on LAN and Remote Shutdown
  • Interactive TCP/UDP Transparent Proxy

Its key features allow the user to easily find information on a network reached through different interfaces, which are accessible through different tabs. The information includes the hardware address in use, the IP address assigned, the link speed, link status and vendor information for the network adapter. It also provides traffic information, including incoming and outgoing packets. While it doesn’t have advanced troubleshooting features, it does show errors in both incoming and outgoing packets and provides a collision count. The information is separated into TCP info, including detailed packet stats, and UDP info with datagram information, plus ICMP and IGMP. Network Stuff can also display a routing table with comprehensive information. It can also show multicast data and the current state of all sockets the computer has open, closed or waiting.

Network Stuff offers a number of diagnostics, including statistics and error counts, and all zones on a network. Its ping utility is similar to other ping services, allowing input of a destination address and a set number of pings to be sent. For each ping of a 64 byte packet, a transit time is given, helping troubleshoot network connections. The traceroute, Whois and finger options are all analogous to those found in other operating systems. Traceroute displays the full route from the host computer to the destination, with hop times listed. Whois queries a whois service to return information on a domain name registrant. The finger utility allows a user to look at a specific user profile on a specific server.

Download:

Click here to download the latest version 3.0.6.0 of Network stuff tool

It comes with a handy manual with how-tos for 26 network functions, like:

  • How to create TCP or UDP clients or server
  • How to make a telnet
  • How to make a ping
  • How to make traceroute
  • How to get host address (DNS resolve)
  • How to get host information (Whois)
  • How to retrieve a MAC address on a remote host
  • How to view or close active tcp connections (or end process of tcp connection owner)
  • How to view active udp servers
  • How to view tcp stats
  • How to view udp stats
  • How to view icmp stats
  • How to view or modify ip table
  • How to view IP stats
  • How to make cgi scan
  • How to make tcp scan
  • How to make udp scan
  • How to make icmp scan
  • How to make a tcp or cgi scan through a proxy
  • How to make a wake on LAN
  • How to Shutdown a windows remote host
  • How to view your computer’s IP
  • How to get your computer’s outside IP (for people in LAN)
  • How to capture packet
  • How to forge packet
  • What is Interactive TCP/UDP

To capture packets

Go to the Capture window (Tab “Raw Packet” then “Capture”).

To capture packets, you have to check the protocol(s) you want to capture.

Here we are capturing tcp and icmp packets

Next, for each protocol you can specify special filters. Another filter is available for tcp/udp connections: the “Application filter”.

The “Packet’s details” option shows the generally useless header fields. By checking it, all header fields are shown.

You can start/stop the capture using the corresponding buttons.
The “Clear” button clears the list of captured packets.
The “Load” button lets you load a previously saved capture in txt or xml format.

Tcp filters :
– Source Ip
– Destination Ip
– Source Port
– Destination Port
– Sequence Number
– Acknowledgment Number
– Data Offset
– Window Size
– Control (URG,ACK,PSH,RST,SYN,FIN)

In this sample we are capturing only packets sent to and received from ip 10.0.0.138 port 80

How to forge packets

Go to the Forge window (Tab “Raw Packet” then “Forge”). Three different easy forging interfaces are available for tcp, udp and icmp, and another generic interface is available for other protocols.

For all protocols, you can configure all the IP header fields, that is:

  • Version
  • IHL
  • Precedence
  • Delay
  • Throughput
  • Reliability
  • Total Length
  • Identification
  • Fragment type/position/offset
  • TTL
  • Protocol number
  • Checksum
  • IP source
  • IP dest
  • Options

Some fields have the “Random” option which allows you to test your firewall/IDS reactions.

Note: random fields are computed separately for each packet sent.

What is the “Auto” option for length and checksum?

If you don’t want to forge bad packets, just check these options, so the fields are computed for you and you don’t need to compute them manually.

Protocol data can be ASCII or hex, depending on the “Hexa values” option.

At this point you just need to specify the number of packets you want to send.

If you select the “Looping” option, packets are sent until you push the “Stop” button.

Just click “Send” to begin sending packets.
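As an added example (not part of the original post and not code from the Network Stuff tool), the Python below decodes the IPv4 and TCP header fields listed in the capture filters and the forge dialog above, computes the IPv4 checksum that the “Auto” option fills in and verifies it the way a sniffer would, and applies the sample capture filter for ip 10.0.0.138 port 80 to two constructed packets. The other addresses and ports (10.0.0.5, 10.0.0.1, 40000, 40001, 443) are made up for the sample.

```python
import socket
import struct

# Header layouts in network byte order. Field order follows the IP and TCP
# field lists in the capture-filter and forge dialogs described above.
IPV4_HDR = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags+frag, ttl, proto, csum, src, dst
TCP_HDR = "!HHIIBBHHH"      # sport, dport, seq, ack, data offset, control, window, csum, urgent
TCP_FLAGS = (("URG", 0x20), ("ACK", 0x10), ("PSH", 0x08),
             ("RST", 0x04), ("SYN", 0x02), ("FIN", 0x01))


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum: the value an 'Auto' checksum option fills in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, payload_len, ident=1, ttl=64, proto=6, tos=0, flags=0, frag_off=0):
    """Assemble a 20-byte IPv4 header. Total Length and Checksum are computed ('Auto'), not supplied."""
    version_ihl = (4 << 4) | 5                 # IPv4, IHL = 5 words (no options)
    flags_frag = (flags << 13) | (frag_off & 0x1FFF)
    hdr = struct.pack(IPV4_HDR, version_ihl, tos, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_tcp_header(sport, dport, seq, ack, control, window=8192):
    """Assemble a 20-byte TCP header; `control` is a set of flag names such as {"SYN", "ACK"}."""
    flags = sum(bit for name, bit in TCP_FLAGS if name in control)
    # Data offset 5 words, reserved bits zero. The TCP checksum needs a pseudo-header
    # over the IP addresses, so it is left at 0 here; the IP checksum is the one shown.
    return struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 fields named in the forge dialog (TOS split into its RFC 791 sub-fields)."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = struct.unpack(IPV4_HDR, pkt[:20])
    return {
        "version": ver_ihl >> 4, "ihl": ver_ihl & 0x0F, "header_len": (ver_ihl & 0x0F) * 4,
        "precedence": tos >> 5, "delay": (tos >> 4) & 1,
        "throughput": (tos >> 3) & 1, "reliability": (tos >> 2) & 1,
        "total_length": total_len, "identification": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": proto, "checksum": csum,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
    }


def parse_tcp(seg: bytes) -> dict:
    """Decode the TCP fields offered as capture filters, with control bits as names."""
    sport, dport, seq, ack, off, flags, win, csum, urg = struct.unpack(TCP_HDR, seg[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off >> 4, "window": win, "checksum": csum, "urgent": urg,
            "control": [name for name, bit in TCP_FLAGS if flags & bit]}


def ipv4_checksum_ok(pkt: bytes) -> bool:
    """A header summed together with its own checksum folds to zero; anything else is a bad packet."""
    return inet_checksum(pkt[:(pkt[0] & 0x0F) * 4]) == 0


def matches_filter(pkt: bytes, host: str, port: int) -> bool:
    """The sample capture filter: TCP packets sent to or received from `host` on `port`."""
    ip = parse_ipv4(pkt)
    if ip["protocol"] != 6:                    # not TCP
        return False
    tcp = parse_tcp(pkt[ip["header_len"]:])
    return host in (ip["src"], ip["dst"]) and port in (tcp["sport"], tcp["dport"])


def sample_packets():
    """Two constructed packets, not a real capture: a SYN to 10.0.0.138:80 and an unrelated SYN."""
    syn = build_tcp_header(40000, 80, seq=1000, ack=0, control={"SYN"})
    other = build_tcp_header(40001, 443, seq=2000, ack=0, control={"SYN"})
    return [build_ipv4_header("10.0.0.5", "10.0.0.138", len(syn)) + syn,
            build_ipv4_header("10.0.0.5", "10.0.0.1", len(other)) + other]


if __name__ == "__main__":
    for pkt in sample_packets():
        ip = parse_ipv4(pkt)
        tcp = parse_tcp(pkt[ip["header_len"]:])
        print("%s:%d -> %s:%d %s checksum_ok=%s matches=%s" % (
            ip["src"], tcp["sport"], ip["dst"], tcp["dport"], tcp["control"],
            ipv4_checksum_ok(pkt), matches_filter(pkt, "10.0.0.138", 80)))
```

Flipping any header byte (for instance the TTL) makes ipv4_checksum_ok return False, which is exactly the “bad packet” that leaving the Auto option unchecked would let you send.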

unknown protocol forge

Posted in Free but useful tools, Open Source, Security tools | Tagged: | Leave a Comment »

Router audit check list-ISO 27001

Posted by brainfoldb4u on March 15, 2010

Routers are increasingly an enterprise’s first and continuing line of defense. As routers become more complex, streamlining the audit process and ensuring that risks and clutter are not injected into the rule base becomes a significant task. Below is the audit checklist from ISO 27001 for auditing routers. The ISO 27001 audit program covers the following areas.

Router Policy

Disable Unneeded Services

Password Encryption

Authentication Settings

Administrator Authentication

Management Access

Route Protocol Security

Configuration Maintenance

Router Change Management

Router Redundancy

Log monitoring and Incident Handling

Security Updates

Download

ISO27k_router_security_audit_checklist (1)

Posted in Auditing, vulnerability assessment | Tagged: | Leave a Comment »

Netwox graphical front end Network tool

Posted by brainfoldb4u on March 15, 2010

Netwox

Netwox is a useful tool for those whose profession is securing networks. It’s not exactly an exploit engine but a massive suite of 223 tools that gives you the ability to carry out a number of services, including enumeration, spoofing and brute forcing, and it also comes with a number of pre-built UDP/TCP clients and servers.

The netwox toolbox helps to find and solve network problems:
– sniff, spoof
– clients, servers
– DNS, FTP, HTTP, IRC, NNTP, SMTP, SNMP, SYSLOG, TELNET, TFTP
– scan, ping, traceroute
– etc.

Tools in version 5.38.0:

1 : Display network configuration

2 : Display debugging information

3 : Display information about an IP address or a hostname

4 : Display information about an Ethernet address

5 : Obtain Ethernet addresses of computers in an IP list

6 : Display how to reach an IP address

7 : Sniff

8 : Sniff and display open ports

9 : Sniff and display Ethernet addresses

10 : Sniff and display network statistics

11 : Sniff and verify checksums

12 : Display which values to use for netwox parameters

13 : Obtain DLT type for sniff and spoof for each device

14 : Spoof a record

15 : Display content of a record

16 : Convert a record

17 : Recompute checksums of packets in a record

18 : Reassemble IP packets of a record, and reorder TCP flow

19 : Extract a range of packets from a record

20 : Search for strings in packets from a record

21 : Convert a number

22 : Convert a string

23 : Display ASCII table

24 : Convert IP addresses ranges

25 : Test if a directory is secure

26 : Dump a file

27 : Compute MD5 of a file

28 : Convert a binary file to readable and editable file

29 : Convert a readable and editable file to a binary file

30 : Convert a file from unix to dos

31 : Convert a file from dos to unix

32 : Spoof Ethernet packet

33 : Spoof EthernetArp packet

34 : Spoof EthernetIp4 packet

35 : Spoof EthernetIp4Udp packet

36 : Spoof EthernetIp4Tcp packet

37 : Spoof EthernetIp4Icmp4 packet

38 : Spoof Ip4 packet

39 : Spoof Ip4Udp packet

40 : Spoof Ip4Tcp packet

41 : Spoof Ip4Icmp4 packet

42 : Spoof of packet samples : fragment

43 : Spoof of packet samples : fragment, ip4opt:noop

44 : Spoof of packet samples : fragment, ip4opt:rr

45 : Spoof of packet samples : fragment, ip4opt:lsrr

46 : Spoof of packet samples : fragment, ip4opt:ts

47 : Spoof of packet samples : fragment, ip4opt:ipts

48 : Spoof of packet samples : fragment, ip4opt:ippts

49 : Ping ICMP

50 : Ping ICMP (EthIP spoof)

51 : Ping TCP

52 : Ping TCP (EthIp spoof)

53 : Ping UDP

54 : Ping UDP (EthIp spoof)

55 : Ping ARP

56 : Ping ARP (EthIp spoof)

57 : Traceroute ICMP

58 : Traceroute ICMP (EthIP spoof)

59 : Traceroute TCP

60 : Traceroute TCP (EthIp spoof)

61 : Traceroute UDP

62 : Traceroute UDP (EthIp spoof)

63 : Traceroute on a specified IP protocol

64 : Traceroute on a specified IP protocol (EthIp spoof)

65 : Scan ICMP

66 : Scan ICMP (EthIP spoof)

67 : Scan TCP

68 : Scan TCP (EthIp spoof)

69 : Scan UDP

70 : Scan UDP (EthIp spoof)

71 : Scan ARP

72 : Scan ARP (EthIp spoof)

73 : Simulate presence of a/several computer/s (arp and ping)

74 : Flood a host with random fragments

75 : Fill table of a switch using a flood of Ethernet packets

76 : Synflood

77 : Check if seqnum are predictable

78 : Reset every TCP packet

79 : Acknowledge every TCP SYN

80 : Periodically send ARP replies

81 : Send an ICMP4 timestamp

82 : Sniff and send ICMP4/ICMP6 destination unreachable

83 : Sniff and send ICMP4/ICMP6 time exceeded

84 : Sniff and send ICMP4/ICMP6 parameter problem

85 : Sniff and send ICMP4 source quench

86 : Sniff and send ICMP4/ICMP6 redirect

87 : TCP client

88 : UDP client

89 : TCP server

90 : UDP server

91 : TCP server multiclients

92 : UDP server multiclients

93 : TCP remote administration server

94 : TCP remote administration client (exec)

95 : TCP remote administration client (get file)

96 : TCP remote administration client (put file)

97 : SYSLOG client

98 : Flood a host with syslog messages

99 : TELNET client

100 : TELNET client executing one or several commands

101 : Brute force telnet client

102 : Query a DNS server

103 : Obtain version of a Bind DNS server

104 : DNS server always answering same values

105 : Sniff and send DNS answers

106 : Send an email

107 : Post a newsgroup message

108 : List newsgroups available on a server

109 : Download one, or more, newsgroup messages

110 : Ethernet bridge limiting flow

111 : FTP listing a directory

112 : FTP client : get a file

113 : FTP client : put a file

114 : FTP client : del a file

115 : FTP client : get a directory recursively

116 : FTP client : put a directory recursively

117 : FTP client : del a directory recursively

118 : HTTP GET

119 : HTTP HEAD

120 : HTTP POST

121 : HTTP PUT

122 : HTTP DELETE

123 : HTTP TRACE

124 : HTTP OPTIONS

125 : HTTP server

126 : HTTP remote administration server

127 : Cypher/decypher a file using a xor

128 : Split a file in smaller chunks

129 : Reassemble chunks of a file

130 : Brute force ftp client

131 : Brute force http client (site password)

132 : Brute force http client (proxy password)

133 : Convert an url/uri

134 : Obtain urls/uris in a HTML file

135 : Convert urls/uris in a HTML file to absolute urls

136 : Web download (http://… or ftp://…)

137 : Create a sample configuration file for tool 138

138 : Web spider (use configuration file created by tool 137)

139 : Web spider on command line (fully recursive)

140 : Spoof EthernetIp6 packet

141 : Spoof EthernetIp6Udp packet

142 : Spoof EthernetIp6Tcp packet

143 : Spoof EthernetIp6Icmp6 packet

144 : Spoof Ip6 packet

145 : Spoof Ip6Udp packet

146 : Spoof Ip6Tcp packet

147 : Spoof Ip6Icmp6 packet

148 : Ping ICMP6 Neighbor Discovery

149 : Ping ICMP6 Neighbor Discovery (EthIp spoof)

150 : Scan ICMP6 Neighbor Discovery

151 : Scan ICMP6 Neighbor Discovery (EthIp spoof)

152 : Interactive IRC client

153 : IRC client listing channels

154 : IRC client listening on a channel

155 : Network performance measurement : TCP server

156 : Network performance measurement : TCP client

157 : Network performance measurement : UDP server

158 : Network performance measurement : UDP client

159 : SNMP Get

160 : SNMP Walk

161 : SNMP Trap

162 : SNMP Trap2

163 : SNMP Inform

164 : SNMP Set

165 : TFTP client : get a file

166 : TFTP client : put a file

167 : TFTP server

168 : FTP server

169 : Display simple network configuration easy to parse

170 : TELNET server

171 : DHCP client

172 : List articles range of a newsgroup

173 : Download overview of one, or more, newsgroup messages

174 : FTP client : get a file and check its MD5

175 : Web download (http://… or ftp://…) and check its MD5

176 : TFTP client : get a file and check its MD5

177 : Check if a SMTP server is up

178 : Check if an IRC server is up

179 : DHCP client requesting an INFORM

180 : SNTP client obtaining time

181 : SNTP server

182 : Obtain size of a web file (http://… or ftp://…)

183 : TCP relay

184 : UDP relay

185 : TCP multiclient relay

186 : Millisecond sleep

187 : Display date and time

188 : SYSLOG server

189 : SMTP server

190 : Make coffee

191 : Generate a password (English, French, Spanish)

192 : Spoof of packet samples : fragment, ip4opt:ssrr

193 : IDENT client requesting info about an open session

194 : IDENT client creating a session and requesting its info

195 : IDENT server

196 : WHOIS client

197 : WHOIS client guessing server

198 : SMB/CIFS client: list shares

199 : SMB/CIFS client: create a directory

200 : SMB/CIFS client: delete a directory

201 : SMB/CIFS client: rename a directory

202 : SMB/CIFS client: list contents of a directory

203 : SMB/CIFS client: delete a file

204 : SMB/CIFS client: rename a file

205 : SMB/CIFS client: get a file

206 : SMB/CIFS client: put a file

207 : SMB/CIFS client: recursively get a directory

208 : SMB/CIFS client: recursively put a directory

209 : SMB/CIFS client: recursively delete a directory

210 : Web spider on command line (stay in same directory)

211 : Web spider : converts a local downloaded filename to its original url

212 : Web spider : converts an url to its local downloaded filename

213 : Display a list of IP addresses

214 : Traceroute discovery: graph of network topology

215 : Traceroute discovery (EthIp spoof)

216 : Beep

217 : SMB/CIFS server

218 : Netwox internal validation suite

219 : Compute cryptographic hash of a file (md5, sha, etc.)

220 : Convert a binary file to a base64 encoded file

221 : Convert a base64 encoded file to a binary file

222 : In a HTML file, suppress links pointing to local urls

223 : Forward an email

Obviously from this list, just about everything is covered and netwox is extremely useful. It can be used either in command line mode or through the GUI, using netwag.

Netwag is a graphical front end for netwox. It makes it easy to:

– search tools proposed in netwox

– construct command line

– run tools

– keep an history of commands

Installation:

To utilise both command-line and gui versions the following needs to be installed:

  • WinPcap
  • Activestate tcl
  • netwox
  • netwag

Netwag requires that the netwag535.tcl script be amended and the line:

set netwag_glo_bin_netwox "netwox535"

be altered to the location of the netwox535 executable.

Note: It may be easier to unzip netwox directly into the netwag directory to save any alteration.

Click here to download Netwox

Click here to download Netwag

Execution:

Command-line:

D:\Documents and Settings\hacker\Desktop\netwox-5.35.0-bin_windows>netwox535.exe
Netwox toolbox version 5.35.0. Netwib library version 5.35.0.
######################## MAIN MENU #########################
0 - leave netwox
3 - search tools
4 - display help of one tool
5 - run a tool selecting parameters on command line
6 - run a tool selecting parameters from keyboard
a + information
b + network protocol
c + application protocol
d + sniff (capture network packets)
e + spoof (create and send packets)
f + record (file containing captured packets)
g + client
h + server
i + ping (check if a computer if reachable)
j + traceroute (obtain list of gateways)
k + scan (computer and port discovery)
l + network audit
m + brute force (check if passwords are weak)
n + remote administration
o + tools not related to network
Select a node (key in 03456abcdefghijklmno): 5
Select tool number (between 1 and 222): 1
################## running tool number 1 ###################
Title: Display network configuration
+------------------------------------------------------------------------+
| This tool displays network configuration: |
| - the list of devices/interfaces: |
| + nu: device number |
| + dev: easy device name |
| + eth_hw: Ethernet address or hardware type (if not Ethernet) |
| + mtu: MTU (maximum size of packets) |
| + real_dev: real device name |
| - the list of IP addresses: |
| + nu: device number of device associated to this address |
| + ip: IP address |
| + netmask: network mask |
| + ppp: if true(1), this address is a Point To Point |
| + ppp_with: if ppp, this is the address of remote endpoint |
| - the IP4 ARP cache or IP6 neighbor (this contains Ethernet |
| addresses for other computers) |
| + nu: device number of device associated to this entry |
| + eth: Ethernet address of computer |
| + ip: IP address of computer |
| - the routes |
| + nu: device number of device associated to this entry |
| + destination/netmask: destination addresses |
| + source: source IP address, or local for a local route |
| + gateway: gateway (first router) to use |
| + metric: metric of route |
| |
| Parameter --device ask to display devices list. |
| Parameter --ip ask to display ip list. |
| Parameter --arpcache ask to display ARP cache and neighbors. |
| Parameter --routes ask to display routes list. |
| If no Parameter is set, they are all displayed. |
| |
| This tool may need to be run with admin privilege in order to obtain |
| full network configuration. |
+------------------------------------------------------------------------+
Synonyms: address, arp, device, gateway, ifconfig, interface, ipconfig, mac, neighbor, netmask, route, show
Usage: netwox 1 [-d|+d] [-i|+i] [-a|+a] [-r|+r]
Parameters:
-d|--devices|+d|--no-devices display devices
-i|--ip|+i|--no-ip display ip addresses
-a|--arpcache|+a|--no-arpcache display arp cache and neighbors
-r|--routes|+r|--no-routes display routes
Example: netwox 1
Enter optional tool parameters and press Return key.
netwox 1 -d -i -a -r
nu dev ethernet_hwtype mtu real_device_name
1 Lo0 loopback 1520 Loopback
2 Unk0 unknown 0 \Device\NPF_GenericDialupAdapter
3 Eth0 00:15:C5:CJ:C3:BJ 1500 \Device\NPF_{720B03E4-B057-444E-8D93-B321DE296D15}
nu ip /netmask ppp point_to_point_with
1 127.0.0.1 /255.0.0.0 0
3 169.254.182.93 /255.255.0.0 0
nu ethernet ip
3 00:15:C5:CF:C3:BC 169.254.182.93
nu destination /netmask source gateway metric
1 127.0.0.1 /255.255.255.255 local 0
3 169.254.182.93 /255.255.255.255 local 0
3 169.254.0.0 /255.255.0.0 169.254.182.93 0
1 127.0.0.0 /255.0.0.0 127.0.0.1 0
Command returned 0 (OK)
Press 'r' or 'k' to run again this tool, or any other key to continue

I don’t know about you but that seems a little like hard work just to get a small bit of host information returned and that’s from a simple tool that is available in the suite. I would recommend using Netwag to aid the use of this suite.

Posted in Auditing, Security tools, vulnerability assessment | Tagged: | Leave a Comment »

Browsing safely with WOT

Posted by brainfoldb4u on March 12, 2010

Web attacks are getting more frequent nowadays and it is very hard for an average user to identify which site is good and which site will harm their computer. Our browser of choice comes to play a big role in protecting our computers. Although browsers like Firefox, Google Chrome, IE, Opera and Safari give a level of protection, it is still worthwhile to have assurance from an independent body regarding the trustworthiness of a website from an unknown source.

I came across this add-on from a company called Web of Trust that provides a significant level of assurance about the website you are visiting. If your website sells something or has a “sign up here” button, people face a real dilemma about whether to trust it. Instead of having visitors click without being sure, a website can now show, with Web of Trust, that your online business is trusted by millions of WOT members. The WOT community has rated 26 million websites for trustworthiness, vendor reliability, privacy and child safety. Use it to your advantage!

WOT is available as an add-on for the major browsers (Firefox, Google Chrome, IE); download it here.

Installation on Google Chrome:

Installing WOT on Google Chrome is as easy as adding any other add-on.

WOT as an add-on for Google Chrome

Once you have accepted the license agreement and Chrome has restarted, the WOT button is located at the right side of the address bar (the default location). As with other parts of the Google Chrome interface, you can easily move the WOT button to a location that suits you. Click the “O” symbol to change its settings.

WOT screenshot with the settings option

The settings page gives more options: a guide explaining how websites are rated, an option to customise your level of protection, the WOT search page and pop-up options.

WOT Searching page sample

WOT protecting level settings page

It is pretty much the same procedure to install in Firefox; there is an end-user license and a username registration step. After installing, you will find the WOT symbol on the left-hand side of the URL box.

Checking the rating of a website

After installing the add-on, go to a website whose reputation scorecard you want to check and click the “O” symbol on the left-hand side of Firefox.

WOT Icon

WOT Scorecard

The scorecard for a chosen website looks like the screenshot above. Users have the option to give their own opinion about the particular website, but a user's opinion does not affect the website's rating.

Posted in Browser Security, Free but useful tools

Process Explorer: Windows Task manager alternative

Posted by brainfoldb4u on March 12, 2010

Process Explorer v11.33 is a free tool from Microsoft (Sysinternals) that shows which handles and DLLs each process has opened or loaded. Most of us hit Ctrl+Alt+Delete when the PC hangs, to bring up Task Manager and kill the offending process. Some power users click the CPU column twice to see which processes are eating the most CPU time, or scan the process list for suspicious items. Process Explorer goes further: it gives more granular detail about a process, including its icon, command line, full image path, memory statistics, user account, security attributes and more.

Process Explorer

Process explorer showing system information details in graphical representation

Process explorer with system information

The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded. Process Explorer also has a powerful search capability that will quickly show you which processes have particular handles opened or DLLs loaded.

The unique capabilities of Process Explorer make it useful for tracking down DLL-version problems or handle leaks, and provide insight into the way Windows and applications work. You can right-click and kill a process as in Task Manager, with the obligatory warning that killing a process can destabilize the system. Process Explorer's added ability to kill a process and all of its descendant processes may forestall stability problems. Process Explorer can also suspend a process's execution and resume it later. Say you've got a number-crunching utility that's tying up the CPU and you want to stop for a minute while you check your e-mail. With Process Explorer, you can suspend the app briefly without going through the hassle of shutting it down and starting all over again after checking your mail.

Task Manager helps you figure out what program a given process represents by displaying its internal description, if available. Process Explorer goes a step farther by adding the company name. Still puzzled? Double-click the process and click the “Strings” tab in the resulting properties dialog—it lists all text strings found embedded in the process’s executable file. The properties dialog also reveals the full pathname and command-line for the process, lists and graphs performance statistics, and even displays TCP/IP activity.

Selecting the process corresponding to an on-screen window is a snap: just drag the utility's icon onto the window. You can also enable a lower pane that lists all DLLs used by the selected process or all handles opened by that process. And a search option makes it easy to get a list of all programs currently using a specific DLL or identify which program is holding a certain file open.
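The Strings tab mentioned above is doing something simple underneath: scanning the image (or the process's memory) for runs of printable characters, in both 8-bit and UTF-16 form, which is how a Windows program's paths, URLs and imported DLL names become visible even when the vendor name and description are missing or forged. As an added example, my own code and not Sysinternals', the Python below performs that scan over a constructed byte buffer that imitates the start of an executable, then sorts the hits into the categories a responder checks first. The sample bytes, the category list and the `min_len` default are my constructions.

```python
import re
import sys

# Constructed sample: bytes that imitate the start of a Windows executable, with 8-bit
# strings, a UTF-16LE path and binary noise between them (not a real program).
SAMPLE_IMAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
    + b"\x00" * 16
    + b"KERNEL32.dll\x00WS2_32.dll\x00"
    + b"ab\x01\x02"                                   # too short to be reported
    + b"https://updates.example.invalid/check\x00"
    + b"\x00" * 8
    + "C:\\Program Files\\Example\\app.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x00\x00\x13\x37"
)

# Constructed triage categories: what a responder usually scans the strings list for.
INDICATORS = {
    "url": re.compile(r"^(?:https?|ftp)://", re.IGNORECASE),
    "path": re.compile(r"^[A-Za-z]:\\"),
    "dll": re.compile(r"\.dll$", re.IGNORECASE),
}


def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) for every printable run of at least min_len chars.

    Two scans, like the Strings tab: plain 8-bit printable ASCII, and UTF-16LE, where
    each printable byte is followed by a NUL. Results are sorted by file offset.
    """
    found = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # Note: a UTF-16 run that directly follows an 8-bit string can swallow that string's
    # final character ("kC:\..."); the NUL padding in the sample keeps the two apart.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()
    return found


def classify(strings):
    """Bucket extracted strings by INDICATORS; a string may land in several buckets."""
    hits = {kind: [] for kind in INDICATORS}
    for _offset, _encoding, text in strings:
        for kind, pattern in INDICATORS.items():
            if pattern.search(text):
                hits[kind].append(text)
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = SAMPLE_IMAGE
    strings = extract_strings(image)
    for offset, encoding, text in strings:
        print(f"{offset:#010x} {encoding:8} {text}")
    for kind, items in classify(strings).items():
        print(f"{kind}: {items}")
```

Pass a file path to scan a real image, or run it bare to scan the embedded sample. Reading the strings of a live process rather than its file (which is what Process Explorer's "Memory" radio button does) needs process-memory access that the standard library does not provide, so the script stops at files.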

Process explorer showing information about skype process running

Process explorer showing a process string

Posted in Cool Techniques, Free but useful tools, Windows

Iphone Hack ban

Posted by brainfoldb4u on February 17, 2010

I guess Apple has found its iPhone OS is now being hacked frequently. Much like Windows, Apple has had trouble with sophisticated hacks, and weekly patches are not enough to protect the OS. So Apple seems to have come up with the defensive idea of locking hackers' accounts. Just days after a scrappy young iPhone hacker discovered an unlock exploit for OS 3.1.3 baseband 05.12.01, Sherif Hashim received an ominous message on his iPhone after attempting to log in to iTunes: “This Apple ID has been disabled for security reasons.” Proving that this is not an isolated incident, fellow hacker iH8sn0w responded to Hashim to say the very same thing had happened to him after he released an exploit known as XEMN. Perhaps most puzzling is the fact that Hashim's exploit was never publicly released, having only been given to the iPhone Dev-Team, who plan to incorporate it into their next release. Obviously Apple could claim that its actions were a response to the violation of its intellectual property and a breach of the iPhone's end-user license agreement, but one has to wonder just how far a notoriously heavy-handed company like Apple might go in future if it is unable to gain the upper hand over hackers like Hashim.

iPhone developer and hacker Sherif Hashim claims to have received a warning showing he had been denied access to the App Store for “security reasons” (see image above).
The move sparked concerns that Apple might ban all jailbroken iPhones from accessing the App Store. However, such a move would prevent Apple's application developers from selling to the millions of users of jailbroken devices, and would be especially bad politics following the launch of the Wholesale Applications Community at the Mobile World Congress conference earlier this week.

This seems to be a strong message that known iPhone hackers may get into trouble. At the same time, there is no indication that Apple is refusing App Store access to anyone who merely uses available software to jailbreak or unlock their iPhone or iPod Touch. The message is clear: publicly release an exploit for the iPhone OS and expect to lose your App Store privileges.

Posted in Hacking, Information Security, Iphone

Checking brand name availability

Posted by brainfoldb4u on February 4, 2010

It is common for most of us to have a virtual name on the internet, and we tend to use that name everywhere, so it becomes our identity. There is a good chance that your username, virtual name or identity is already being used by someone somewhere on the internet. Having the same username across every website makes it easy to remember and helps you be recognisable across multiple networks without needing to link your accounts. I started looking for a way to pick a brand name and check how unique it is, and thankfully I found some great free services for verifying the availability of a username across multiple social media websites.

KnowEm

This free site lets you check instantly whether your brand, product, personal name or username is in use on over 350 popular and emerging social media websites, so you can secure your brand before someone else does.

With the click of a button it searches for the availability of a username across more than 350 popular social networking websites. All you need to do is enter your desired brand or username in the search box and click “Check it”. KnowEm then returns a list of all the social media networks along with the availability of your username on each. If you wish to sign up, simply click “Available” to jump to the sign-up page of that website and register.

KnowEm also constantly updates and adds new sites to its vast database of social sites. The next Facebook, Twitter or MySpace is already out there or could be coming soon; do you know which one it will be? KnowEm offers a subscription service (the Brand Protection Program) so that you and your brand do not have to worry about it: as new sites emerge, they make sure your flag is already planted, so you do not have to deal with a squatter or someone misrepresenting your social media identity.

Is Your Name Available?

The basic free version of KnowEm makes it easy to find out if your favourite username is still available on the 350 social media services: just type it in and KnowEm checks each site. Given how closely our online identities are often tied to one single username, it makes sense to claim the same username on every site and to ensure that nobody else is impersonating you. Other services that offer similar free features include Namechk (148 sites) and Usernamecheck.com (68 sites).

Premium Services

The new premium services extend KnowEm's portfolio with additional services for businesses to claim and monitor their brands. For users of the Corporate Edition ($349), KnowEm will create profiles on 150 social media sites and populate them with photos, bios and descriptions. A cheaper version of this service ($99) only includes the sign-up process, and users have to populate their profiles by hand. For an additional $49 per month, KnowEm will also register your name or brand on new social media services as they launch.

Namechk

Namechk is a worthy alternative to KnowEm with very similar features. It checks whether a desired username or vanity URL is still available at dozens of popular social networking and social bookmarking websites, which helps you promote your brand name consistently by registering a username that is still free on the majority of popular websites.

NameChk is completely free to use; it seems to be supported by Google AdSense adverts, but these are small and do not get in the way. It is a very useful website and a real joy to use. NameChk is perfect for anyone who struggles to find good usernames on the social networking sites, which is getting harder, so it is a great idea. It is also good for companies building their brand image: they can use it to find a name that is available on most platforms and then register it to promote their products.

Namechk Features

  • Check usernames on 106 different social networking sites
  • Register by clicking on the buttons
  • Find usernames which are available on all platforms
  • Build your brand image

Username check

A simple service that might nonetheless come in handy, the suitably named UsernameCheck lets you find out where your username is registered more or less instantly. Ask yourself: “Do I have my username registered across every site that I should?” That is a valid question, because how would you feel if the next internet humiliation to come along happened to share the username you have been using since the dawn of the web?

The site lets you check where your username is registered just by supplying it and hitting the “check” button. A service-by-service rundown is then carried out, and you find out whether your back is covered or not.

Posted in Cool Techniques, Free but useful tools, Open Source

Voice Encryption

Posted by brainfoldb4u on January 28, 2010

Voice encryption: more than 65% of the world's population uses a mobile phone, and the mobile phone business is worth many millions of dollars. We even use mobile phones to book tickets online with a credit card number and personal details, and on many occasions we use one or more of these details as a password just to keep things simple. As ordinary users we assume our telephone conversations are secure and that nobody other than the person we are speaking to is listening. Law enforcement agencies can tap your calls, but they will not do so unless it is really necessary.

But the reality is that it can be anyone with basic technical skills and a financial motive.

Statistics show that government agencies on average conduct 50,000 legal wiretaps per year (legal meaning those where a court order is required; let's not forget Echelon, http://tinyurl.com/yetrajm). Another 150,000 phones are illegally tapped by private detectives, spouses, boyfriends and girlfriends trying to catch a potential cheater. Another estimate puts the number of phones wiretapped by companies and private industry, in some form of industrial espionage, at up to 100,000. It is happening and it is big business.

It has become essential for us to know how to secure our calls, or at least to understand the risk of a potential exploit. I saw an article on infosecurityguard.com with a technical explanation of how secure the voice encryption products really are. According to infosecurityguard.com:

I knew that if I was able to compromise the security, I just had to decide whether it was as effective, less effective or more effective than breaking the encryption, and which method was the most efficient. Unfortunately, almost all of the solutions failed and I was able to simply compromise their security, intercepting a phone call in real time and bypassing the entire encryption. The really surprising element was how extremely simple it is.

All of the products have basic system requirements (i.e. OS, data connection etc.). Well, they also all depend on the spoken voice being fed into the microphone. This is the basic concept of some of the commercial wiretapping tools available on the market, so I thought I would take the same approach.
At what point does the software begin to encrypt the voice input and audio output? So let's capture it before that happens. This way I do not have to bother or worry about what encryption algorithms or key exchanges are being used; it really becomes a non-issue.

To read more about the technical details of voice encryption, click here

A lack of voice encryption opens up a world of attack opportunities. Yet with a readily available wiretapping utility costing as little as $100, as well as his own ‘homemade’ Trojan, Notrax was able to bypass the encryption and eavesdrop by capturing conversations from the microphone and speaker in real time. By suppressing any rings, notifications or call logs, these attacks go completely undetected. And while Trojans can be installed manually by someone with access to the phone, they could equally be delivered via email, SMS or a mobile application.

List of software solutions with their tested status

The list of tested solutions includes:

  • Caspertec (Software) – Intercepted / insecure
  • CellCrypt (Software) – Intercepted / insecure
  • Cryptophone (Hardware) – Intercepted / insecure
  • Gold-Lock (Software) – Intercepted / insecure
  • Illix (Software) – Intercepted / insecure
  • No1.BC (Hardware SD-Card) – Intercepted / insecure
  • PhoneCrypt (Software) – Secure
  • Rohde & Schwarz (Hardware Bluetooth) – Secure
  • Secure-Voice (Software) – Intercepted / insecure
  • SecuSmart (Hardware SD-Card) – Intercepted / insecure
  • SecVoice (Software) – Intercepted / insecure
  • SecureGSM (Software) – Intercepted / insecure
  • SnapCell (Hardware) – Secure
  • Tripleton (Hardware) – Still Under Review
  • Zfone (Software) – Intercepted / insecure
  • ZRTP (Software) – Intercepted / insecure

PhoneCrypt and Rohde & Schwarz are two of the products considered secure, and I could find product reviews on

PhoneCrypt

PhoneCrypt is an innovative solution based on military-grade encryption (RSA 4096 bits and AES 256 bits), the same technology used by the FBI and CIA, which effectively protects your landline, mobile and PBX phones from access by intruders. It also protects against Trojan horses.

PhoneCrypt Features

• RSA 4096-bit and AES 256-bit encryption;
• Diffie-Hellman (DH) key exchange;
• MD5 and SHA-512 hashes for voice integrity;
• Protection Agents detect, alert and defend against attacks;
• Excellent voice quality;
• Easy to use, intuitive interface: the user needs no knowledge of security or technology;
• Immediate and automatic voice encryption, without any need for user interaction;
• The software uses internet connectivity through 3G, UMTS, HSPA, W-CDMA, EDGE, GPRS and WiFi for data transmission;
• Completely safe: no sensitive data is saved on the device at any time;
• No user intervention is required in security procedures;
• Low processor requirement (less than 150 MHz);
• Works on Windows Mobile devices without modifying or inhibiting any other function;
• Encrypts communication on landline and mobile phones;
• Advanced phone call detector;
• Superior voice quality (QoS).
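The feature list names the ingredients of a secure voice channel: a Diffie-Hellman exchange to agree a key, a symmetric cipher for the audio, and a hash-based check so that a modified or replayed frame is thrown away. As an added example, my own toy code and not PhoneCrypt's design or implementation, the Python below builds that pipeline from the standard library: DH over a deliberately small group, an HMAC-SHA512 keystream standing in for AES-256 (the standard library has no AES), and a truncated HMAC-SHA512 tag plus sequence number on every frame. The group parameters, the key-derivation label, the direction byte and the 160-byte sample frames are my constructions. It also makes the article's finding concrete: every check in `run_call()` passes, and none of it matters to a Trojan that reads the microphone before `protect()` ever sees the audio.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Toy Diffie-Hellman group: the Mersenne prime 2^127 - 1 with generator 3 (constructed).
# Real products use 2048-bit or larger MODP groups; this one is small only for readability.
P = 2**127 - 1
G = 3
HDR_LEN = 9    # 1 direction byte + 8-byte sequence number
TAG_LEN = 16   # truncated HMAC-SHA512 tag carried with each frame


class Endpoint:
    """One side of a call: DH key agreement, then encrypt-then-MAC on every audio frame."""

    def __init__(self, role: int):
        self.role = role                       # 0 = caller, 1 = callee; keeps directions apart
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)        # sent to the peer in the clear
        self.enc_key: Optional[bytes] = None
        self.mac_key: Optional[bytes] = None
        self.send_seq = 0
        self.last_recv_seq = -1

    def agree(self, peer_pub: int) -> None:
        """Derive separate encryption and MAC keys from the DH shared secret."""
        if not 1 < peer_pub < P - 1:
            raise ValueError("peer public value outside the group")
        shared = pow(peer_pub, self.priv, P).to_bytes(16, "big")
        km = hashlib.sha512(b"voice-demo-v1" + shared).digest()   # constructed KDF label
        self.enc_key, self.mac_key = km[:32], km[32:]

    def _keystream(self, hdr: bytes, n: int) -> bytes:
        # PRF stream: HMAC-SHA512(enc_key, direction || seq || block counter). The header is
        # unique per frame and direction, so no keystream byte is ever reused.
        out = bytearray()
        block = 0
        while len(out) < n:
            out += hmac.new(self.enc_key, hdr + block.to_bytes(4, "big"), hashlib.sha512).digest()
            block += 1
        return bytes(out[:n])

    def protect(self, pcm: bytes) -> bytes:
        """Encrypt one audio frame and append an integrity tag over header and ciphertext."""
        hdr = bytes([self.role]) + self.send_seq.to_bytes(8, "big")
        self.send_seq += 1
        ct = bytes(a ^ b for a, b in zip(pcm, self._keystream(hdr, len(pcm))))
        tag = hmac.new(self.mac_key, hdr + ct, hashlib.sha512).digest()[:TAG_LEN]
        return hdr + ct + tag

    def unprotect(self, frame: bytes) -> Optional[bytes]:
        """Return the audio if the frame is authentic, fresh and from the peer; else None."""
        if len(frame) < HDR_LEN + TAG_LEN:
            return None
        hdr, ct, tag = frame[:HDR_LEN], frame[HDR_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.mac_key, hdr + ct, hashlib.sha512).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                        # modified in transit
        if hdr[0] == self.role:
            return None                        # our own frame reflected back at us
        seq = int.from_bytes(hdr[1:], "big")
        if seq <= self.last_recv_seq:
            return None                        # replayed or reordered
        self.last_recv_seq = seq
        return bytes(a ^ b for a, b in zip(ct, self._keystream(hdr, len(ct))))


def run_call() -> dict:
    """Walk through a short call and report which protections held (all should be True)."""
    caller, callee = Endpoint(0), Endpoint(1)
    caller.agree(callee.pub)
    callee.agree(caller.pub)
    frame_a = b"\x00\x10" * 80      # constructed 160-byte PCM frames
    frame_b = b"\x7f\x80" * 80
    sent_a = caller.protect(frame_a)
    sent_b = caller.protect(frame_b)
    tampered = bytearray(sent_b)
    tampered[HDR_LEN + 3] ^= 0x01   # flip one ciphertext bit
    return {
        "keys_match": caller.enc_key == callee.enc_key and caller.mac_key == callee.mac_key,
        "frame_a_decrypts": callee.unprotect(sent_a) == frame_a,
        "replay_rejected": callee.unprotect(sent_a) is None,
        "frame_b_decrypts": callee.unprotect(sent_b) == frame_b,
        "tamper_rejected": callee.unprotect(bytes(tampered)) is None,
        "reflection_rejected": caller.unprotect(sent_a) is None,
    }


if __name__ == "__main__":
    for check, ok in run_call().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The tag is computed over the ciphertext, not the plaintext, and is checked before anything is decrypted, so a forged frame never reaches the audio path; the sequence number and direction byte are what stop a replayed or reflected frame. What the construction cannot do is protect audio that is captured on the device before `protect()` runs, which is exactly the path the article's tests took.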

For a detailed technical insight into PhoneCrypt, click here

I urge you to read the interesting article and demo on infosecurityguard.com to gain a better understanding of voice encryption products.

Some recent news developments about cell phone security:

Posted in Information Security