DNS Zone Transfer – Network Enumeration

Hi Testers,

Adding some information about DNS zone transfer.
We are all working on gathering DNS information; it may hand us confidential information, isn't it?

Here is one small command (tool) that everyone has some idea about, named dig (source link: http://en.wikipedia.org/wiki/Dig_%28command%29).

With a proper understanding of any tool and the proper timing of its use, you can save a lot of time and accomplish many things in VAPT.
(The dig command may be well known to experts, but this information is for beginners only.)

Command 1: dig www.target.com (hopefully shows you the target's real IP address, i.e. its A record; dig takes a host name, not a URL, so leave out the http:// scheme)

Command 2: dig target.com MX
(MX records are published at the zone apex, so query the domain rather than the www host. Can you find the real IP range of your target network? Can you even conclude something about the web server's own mail functionality?)

Command 3: dig target.com MX +noall +answer
Command 4: dig target.com MX +short

Through dig you can get mail exchange records (MX), name servers (NS), address records (A), PTR records, the SOA serial number used for an incremental (IXFR) zone transfer, etc.

I hope you will try various dig commands and understand the initial step of testing.

(Maybe you are thinking: there are various automated tools that produce automatic DNS reports, so why use the dig command or manual testing?)

That may be the right question in your mind, but have you worked on manual testing before, and how accurate was the information you got? We can use automated tools to perform the respective action, but remember that tools work on a defined task/procedure; you have to configure them manually according to your requirement.

AXFR and IXFR:

A zone transfer is requested from one of the zone's authoritative name servers (list them with dig target.com NS), so the server is named with @; ns1.target.com below is a placeholder for that name.

Command x: dig @ns1.target.com target.com AXFR
Command y: dig @ns1.target.com target.com IXFR=<serial> (IXFR is an incremental zone transfer; it returns only the changes made since the SOA serial number you supply)
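The defender's side of the same topic: a zone transfer your name server serves to a stranger is logged, and that log is where a misconfigured allow-transfer shows up first. The following is an added example, not part of the original post; the log lines are constructed in the shape of BIND 9 xfer-out/security messages (an assumed format, so compare with your own named logs) and the secondary range 198.51.100.0/24 is an assumed example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines, in the shape of BIND 9 "xfer-out" / "security"
# messages (assumed format; compare with your own named logs before relying on it).
SAMPLE_LOG = """\
12-Mar-2014 10:01:02.123 xfer-out: info: client 198.51.100.7#34567 (target.com): transfer of 'target.com/IN': AXFR started
12-Mar-2014 10:01:02.456 xfer-out: info: client 198.51.100.7#34567 (target.com): transfer of 'target.com/IN': AXFR ended
12-Mar-2014 10:05:44.001 security: error: client 203.0.113.9#51234 (target.com): zone transfer 'target.com/IN' denied
12-Mar-2014 10:07:10.900 xfer-out: info: client @0x7f3c1c0a2b10 203.0.113.9#51235 (target.com): transfer of 'target.com/IN': IXFR started
"""

# Hosts that are supposed to pull the zone: the secondary name servers (assumed example range).
ALLOWED_SECONDARIES = [ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<cat>[\w-]+): (?P<sev>\w+): client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#\d+(?: \([^)]*\))?: "
    r"(?:transfer of '(?P<zone>[^']+)': (?P<kind>AXFR|IXFR) (?P<state>started|ended)"
    r"|zone transfer '(?P<dzone>[^']+)' denied)$"
)


def parse_line(line):
    """Return a dict describing one zone-transfer event, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": m["ts"],
        "ip": m["ip"],
        "zone": m["zone"] or m["dzone"],
        "kind": m["kind"] or "AXFR/IXFR",   # the denied message does not say which
        "state": m["state"] or "denied",
    }


def audit_transfers(log_text, allowed):
    """Flag transfers served to, or requested by, hosts outside the allowed secondaries."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["state"] == "ended":   # "ended" duplicates "started"
            continue
        if any(ip_address(ev["ip"]) in net for net in allowed):
            continue   # expected replication traffic between your own servers
        if ev["state"] == "denied":
            ev["severity"] = "medium"   # probe blocked by allow-transfer; worth watching
        else:
            ev["severity"] = "high"     # zone handed to a stranger: allow-transfer is too open
        findings.append(ev)
    return findings
```

A "high" finding means the whole zone left your server; fix allow-transfer (or TSIG-key it) before chasing the client.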

DNS Brute Force:
Here is a Perl script that helps with DNS brute-forcing:

Source Link: http://packetstormsecurity.com/files/24865/blindcrawl.pl.html

Command z: perl blindcrawl.pl -d target.com

gxfr.py, which works from Google search results, also helps a lot in learning information about a DNS domain.

Fierce is a tool that helps you do DNS zone transfers; follow the links:

http://securitytube-tools.net/index.php?title=Fierce
http://ha.ckers.org/fierce/
http://vimeo.com/6807644

Feel free to reply back.

 

NETZOB: A Protocol Reverse Engineering Tool

Netzob is an open source tool which supports the expert in their operations of reverse engineering, evaluation and simulation of communication protocols. Its main goals are to help security evaluators to:

  • Assess the robustness of proprietary or unknown protocol implementations.
  • Simulate realistic communications to test third-party products (IDS, firewalls, etc.).
  • Create an open source implementation of a proprietary or unknown protocol.

Netzob supports the expert in a semi-automatic inference process for any communication protocol. Hence, it includes what is necessary to passively learn the vocabulary of a protocol and to actively infer its grammar. The learnt protocol can afterwards be simulated.

Netzob handles different types of protocols: text protocols (like HTTP and IRC), fixed-field protocols (like IP and TCP) and variable-field protocols (like ASN.1 based formats).

Netzob provides modules dedicated to capturing data in multiple contexts: network, structured file, process and kernel data acquisition.

In addition, it integrates a stochastic and stateful model to represent any stateful communication protocol. The definition of the model can be shared and loaded into a dedicated component of Netzob, its simulator. Therefore, it becomes easy to simulate multiple actors (servers and clients) which communicate according to the inferred protocol, for advanced fuzzing or for an active inference process.

 

How to find potential security flaws in source code?

GRAUDIT
Graudit is a simple script and set of signatures that allows you to find potential security flaws in source code using the GNU utility grep. It is comparable to other static analysis applications like RATS, SWAAT and flawfinder while keeping the technical requirements to a minimum and being very flexible.

Graudit supports scanning code written in several languages: asp, jsp, perl, php and python.

USAGE
Graudit supports several options and tries to follow good shell practices. For a list of the options you can run graudit -h or see below. The simplest way to use graudit is:
graudit /path/to/scan
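To make the "signature set plus grep" idea concrete, here is an added example (not graudit's own code or database): a miniature signature set for PHP applied line by line to a constructed snippet, with a small refinement over plain grep output, namely rating a line that combines attacker-controlled input with a dangerous call higher than either alone. The patterns and the sample PHP are assumptions for illustration.

```python
import re

# Constructed PHP snippet to scan (not real project code).
SAMPLE_PHP = """\
<?php
$id = $_GET['id'];
$out = shell_exec("ping -c1 " . $_GET['host']);
echo htmlspecialchars($id);
include($_REQUEST['page']);
eval($code);
mysql_query("SELECT * FROM users WHERE id=" . $id);
"""

# A miniature signature set in the spirit of graudit's php database (assumed patterns,
# not graudit's own): "source" = attacker-controlled input, "sink" = dangerous call.
SIGNATURES = [
    ("user input", "source", r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b"),
    ("code/command execution", "sink",
     r"\b(eval|system|exec|passthru|shell_exec|popen|proc_open)\s*\("),
    ("dynamic include", "sink", r"\b(include|require)(_once)?\s*\(\s*\$"),
    ("raw SQL query", "sink", r"\bmysqli?_query\s*\("),
]
COMPILED = [(name, kind, re.compile(rx)) for name, kind, rx in SIGNATURES]


def scan_source(text, filename="sample.php"):
    """Return findings as dicts. A line that joins a source and a sink is rated high,
    a sink alone medium, a source alone low (it still needs manual follow-up)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [(name, kind) for name, kind, rx in COMPILED if rx.search(line)]
        if not hits:
            continue
        kinds = {kind for _, kind in hits}
        severity = ("high" if kinds == {"source", "sink"}
                    else "medium" if "sink" in kinds else "low")
        findings.append({"file": filename, "line": lineno, "severity": severity,
                         "signatures": [name for name, _ in hits], "code": line.strip()})
    return findings
```

Like graudit, this is a triage aid: every hit is a place to read, not a confirmed bug, and taint that crosses lines (line 2 feeding line 7) still has to be followed by hand.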

DEPENDENCIES
Required: bash, grep, sed

DOCUMENTATION
See the readme file and frequently asked questions.

DOWNLOAD
You can download the latest version from the graudit download page.

SOURCE
http://www.justanotherhacker.com/projects/graudit.html

How to fit tools into a Vulnerability Assessment & Penetration Testing?

When we attend conferences on IT security, we usually ask and learn many things.
Here is one of my questions regarding VA/PT, put to an expert in IT security. I hope you like it and learn from it too, because sharing is caring (it's time to share now).

Student:

How to fit tools in a VA/PT?

On behalf of learners, I would like to ask one question, so that beginners can also understand the first basics of penetration testing.
In most cases students attending hacking workshops or classes have a basic understanding of a few security tools. Typically students have used a port scanner, Wireshark, Metasploit, etc. Unfortunately most beginners do not understand how these tools fit into the PT, or it may be due to the beginners' incomplete knowledge or lack of knowledge.

So according to an expert in penetration testing, what is the best way to fit such tools in a manner that defines a kind of official framework of penetration testing???
(Just like I read one cycle of PT: (A) Recon -> Scanning -> Exploitation -> Maintaining Access -> (A))
IT Security Expert:
Not an expert, but from my viewpoint, VA/PT is not just about tools. A training should include the following:

  • Why we do VA/PT?
  • VA/PT Process and Framework (Which is not just about tools)

The main problem is that generally these are the theoretical part of the trainings and most of the students are not interested in the theory. Most of the beginners are interested in the "exploit" or "shell" part of it.

As part of the trainings, the tools should be covered in such a way that the students should know:

  • Why do we need to use a tool?
  • Which tool to use?
  • When to use a particular tool?
  • What information should be gathered or collected?
  • How to use the tool? (Various options and parameters)
  • Advantages and Disadvantages of using tools
  • How to create your own custom tools, etc.

To summarize, a good VA/PT training should balance both the theory and practical hands-on equally and at the same time give importance to the technical and management sides of VA/PT.

(Thanks Manu Zacharia for such beautiful guidance on IT Security )

Banking Trojan – Trojans with specific intention on Banking

Hi, we read documents about trojans many times, study malware, create worms, run keyloggers and analyze their packets.
Here are the names of trojans that are intentionally used for BANKING:

# Tinba
# Zeus
# Carberp
# Ramnit
# many more (keep adding)..
Google helps a lot for analyzing such things; let's do something on analyzing our new topic, known as banking trojans.

Share your sample files for analysis purposes! Add your banking trojan list in this topic.

(This knowledge is only for learning purposes; we do not encourage you to do illegal harm to anything. It is your responsibility.)

International IT Security and Hacking Conference c0c0n 2014 – CFP

c0c0n Call For Papers and Call For Workshops

August 22-23, 2014 – Cochin, India

Buenos Dias from the God’s Own Country!

We are extremely delighted to announce the Call for Papers and Call for Workshops for c0c0n 2014, a 3-day Security and Hacking Conference (1 day pre-conference workshop and 2 day conference), full of interesting presentations, talks and of course filled with fun!

The conference topics are divided into four domains as follows:

  • Info Sec – Technical
  • Info Sec – Management
  • Digital Forensics and Investigations
  • Cyber Laws and Governance

We are expecting conference and workshop submissions on the following topics, but not limited to:

  • Cloud Security
  • Browser Security
  • Honeypots/Honeynets
  • Offensive forensics
  • Software Testing/Fuzzing
  • Network and Router Hacking
  • WLAN and Bluetooth Security
  • Hacking virtualized environment
  • Lockpicking & physical security
  • National Security & Cyber Warfare
  • Open Source Security & Hacking Tools
  • Web Application Security & Hacking
  • Exploiting Layer 8/Social Engineering
  • Malware analysis & Reverse Engineering
  • New Vulnerabilities and Exploits/0-days
  • Advanced Penetration testing techniques
  • Antivirus/Firewall/UTM Evasion Techniques
  • IT Auditing/Risk management and IS Management
  • Cyber Forensics, Cyber Crime & Law Enforcement
  • Mobile Application Security-Threats and Exploits
  • Critical Infrastructure & SCADA networks Security

Presentations/topics that haven’t been presented before will be preferred. We are looking for the hottest presentation topics based on the research and *HOTNESS* of the topic. To follow a fair process of speaker selection, the selection committee is only given the abstract without revealing the identities, ensuring a transparent and fair policy for all submissions.

Source URL:

http://www.is-ra.org/c0c0n/cfp


Load Balance Detector – Halberd

Simply another way to express LBD: it's "Headache Detection".

“What is headache & Who is Headache ?”

Let's find out the actual meaning of load balancing in
1. Telephone Switching & Signaling
2. LBD in Computer Networking

Telephone Switching & Signaling:
Recently we have also been working on mobile networking and becoming masters in it. Here are some points that I would like to introduce, a bit from the field of load sharing in a telephone exchange environment. Is this information connected with our IT security platform? Yes, definitely. Just find out how our telephone exchange works on wired or wireless communication.

(Short cycle of points to learn:) Telephone Switching & Signaling => Stored Program Control => Exchange Environment => Load Sharing Mode

The above cycle has a particular meaning in the field of telephone switching and signaling. Studying mobile networking is a very huge subject; I am sharing these points for the sake of understanding load balancing in technology. Let's compare it between telephone/mobile communication and computer networking, right?

LBD in Computer Networking:
Load Balancing is a computer networking method for distributing workloads across multiple computing resources, such as computers, a computer cluster, network links, central processing units or disk drives.

Load balancing can be useful in applications with redundant communications links. For example, a company may have multiple Internet connections ensuring network access if one of the connections fails.

Wikipedia source: http://en.wikipedia.org/wiki/Load_balancing_(computing)

[Figure: Load Balancing with ISA Server]
The above figure gives you a short picture of load balancing: Load Balancing with ISA Server.
Check out the link to configure load balancing in ISA Server here.

Now time to move our focus on Detection – Headache Detection =>

[Figure: position of the load balancer in the infrastructure]
The above figure clarifies the load balancer's position in the infrastructure. If our target is behind a load balancer, it will not respond the way we expect from a one-to-one connection. We have to observe a lot in web auditing or vulnerability assessment and penetration testing projects, like target name, server name, session ID during packet sending, date, timestamp, etc.

Here we go with another tool to detect load balancers: Halberd.

Halberd discovers HTTP load balancers. It is useful for web application security auditing and for load balancer configuration testing.

To cope with heavy traffic loads, web site administrators often install load balancer devices. These machines hide (possibly) many real web servers behind a virtual IP. They receive HTTP requests and redirect them to the real web servers in order to share the traffic between them. There are a few ways to map the servers behind the VIP and to reach them individually. Identifying and being able to reach all real servers individually (effectively bypassing the load balancer) is very important for an attacker trying to break into a site. It is often the case that there are configuration differences ranging from the slight:

  • server software versions,
  • server modules

to the extreme:

  • different platforms
  • server software.

For an attacker, this information is crucial because he might find vulnerable configurations that otherwise (without mapping the real servers) could have gone unnoticed. But someone trying to break into a web site doesn't have server software as its only target. He will try to subvert dynamic server pages in several ways. By identifying all the real servers and scanning them individually for vulnerabilities, he might find bugs affecting only one or a few of the web servers. Even if all machines are running the same server software, halberd can enumerate them allowing more thorough vulnerability scans on the application level.
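The observation the tool relies on, restated from the operator's side: if the servers behind your VIP differ in banner or in clock, repeated replies to the same request betray how many there are and which one is out of line. The following is an added example and not Halberd's code; the six replies are constructed (the Server banners, the F5-style BIGipServer cookie values and the clock offsets are all made up for the illustration), recorded as (time received, response headers) pairs.

```python
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Reference moment for the constructed samples: all requests go out within a few seconds.
BASE = datetime(2014, 3, 12, 10, 0, 0, tzinfo=timezone.utc).timestamp()


def _reply(recv_offset, server, clock_skew, cookie=None):
    """Build one constructed (received_at, headers) pair as a client would record it."""
    received_at = BASE + recv_offset
    date = datetime.fromtimestamp(received_at + clock_skew, tz=timezone.utc)
    headers = {"Server": server, "Date": format_datetime(date, usegmt=True)}
    if cookie:
        headers["Set-Cookie"] = cookie
    return received_at, headers


# Six replies from one virtual IP: two backends share a Server banner but have
# different clock skew, the third runs an older build (constructed data).
SAMPLES = [
    _reply(0, "Apache/2.2.22 (Ubuntu)", 0, "BIGipServerpool_web=1677787402.20480.0000; path=/"),
    _reply(1, "Apache/2.2.15 (CentOS)", 121),
    _reply(2, "Apache/2.2.22 (Ubuntu)", -299, "BIGipServerpool_web=1694564618.20480.0000; path=/"),
    _reply(3, "Apache/2.2.22 (Ubuntu)", 1),
    _reply(4, "Apache/2.2.15 (CentOS)", 119),
    _reply(5, "Apache/2.2.22 (Ubuntu)", -301),
]


def backend_key(received_at, headers, bucket=30):
    """Fingerprint one reply: banner headers plus the server clock offset, rounded
    to `bucket` seconds so network jitter does not split one backend in two."""
    server_clock = parsedate_to_datetime(headers["Date"]).timestamp()
    skew = round((server_clock - received_at) / bucket) * bucket
    return (headers.get("Server", "?"), headers.get("X-Powered-By", ""), skew)


def enumerate_backends(samples):
    """Group replies by fingerprint; each group is one probable real server."""
    clusters = {}
    for received_at, headers in samples:
        key = backend_key(received_at, headers)
        clusters[key] = clusters.get(key, 0) + 1
    return clusters


def balancer_hints(samples):
    """Headers that betray a balancer in front of the servers (F5 persistence cookie, proxies)."""
    hints = set()
    for _, h in samples:
        if h.get("Set-Cookie", "").startswith("BIGipServer"):
            hints.add("F5 BIG-IP persistence cookie")
        for name in ("Via", "X-Cache", "X-Forwarded-Server"):
            if name in h:
                hints.add(name + " header present")
    return hints
```

Three clusters from one VIP is the finding: the fix on the defending side is to normalise banners, keep the pool on NTP and make sure every member gets the same patch level.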

Tool Link:
https://github.com/jmbr/halberd
http://users.ices.utexas.edu/~jmb/

Halberd's manual PDF: halberd manual
Video URL: http://www.securitytube.net/video/699

OWASP Mantra – Fully Loaded Browser with Pentest Bookmarks !!

Hi Leaders,

Before going further, read my previous topic, "Is your browser teaching Ethical Hacking?". Absolutely!

I would like to introduce another best part of the OWASP Mantra browser: Pentest Bookmarks!
Another great reference material / food / b33r for learners / beginners / professionals in the IT security field.

With lots of general categories, such as:

HACKERY – Open Penetration Testing Bookmarks Collection


GALLEY – Online Penetration Testing Tools Index


Let us know one thing: "Is your browser teaching Ethical Hacking?" Then make it like OWASP Mantra!!
Download the fully loaded browser with a bunch of arsenal from here.
4 Tutorials: click here.

What is in your mind now? Go and check those collections and learn as much as you can.
"Hack The Gibson": make your arsenal ready with OWASP Mantra for your next assignments!

You too can think about IT Security Policy Development!!

I found many organizations without any IT security policy, or with a policy that is of no use or that no one is following. According to some industry surveys, employees do not even read the policy book, maybe due to lack of time or the huge bunch of IT security policy papers. Sometimes the IT security manager is not able to sort out the right IT security policy papers for the right employee, or even to get them signed properly. Of course it depends on the company/organization's industry level/band, country and trust. So, here is the question for you: is your IT security policy guiding your employees to avoid confidential data leakage?

Recently I heard one scenario from the IT industry. One company's IT administrator performed a task which was beyond his ability and got appreciation from the IT manager personally (the administrator saved tons of company money with the help of his contacts, knowledge and experience in IT). As a result, within a few weeks the administrator got an appreciation letter from the IT manager. The appreciation letter was nothing but a resignation letter... huh... Why??
The administrator did the best task for the company; even the company CEO appreciates his IT manager every time for the wonderful job. But the administrator got a resignation letter from his IT manager... Bullshit, right!! Where is your company policy? Where are your task credit points? Is your company IT policy just for employees, or managers, or the CEO, or each person of the company?

Sometimes questions are useful to contemplate on an important topic, as I am discussing with the topic "even you can also develop company policy". Learn from company activity, develop new policies for the company and train others to learn the new policies.

Developing any kind of document/policy is sometimes so hectic due to environment, time and task schedule. People even forget many things while developing a policy.

Here are the questions to ask yourself at the time of developing it:

IT Policy Prominent ?
IT Policy Treatment ?
IT Policy Custodial Practices ? etc.
IT Policy Benefits ?
IT Policy Compliance ?
IT Policy Respect, Confidentiality, Trust ?

Some more questions to create a document about policy:
IT Policy introduction with company environment ?
IT Policy Authorities and Compliance ?
IT Policy Applicability ?
IT Policies ? Procedure and Tasks ? Guideline ? Document Control ?

Here are some policy points to share with you from the Information Systems Security Policy Handbook
==============================================================================
POL01 Responsibility of the office of information Security
POL02 Responsibility of the information Technology Security Board
POL03 Responsibility of system owner
POL04 Responsibility of information Technology Managers
POL05 Responsibility of System Administrators
POL06 Responsibility of Data Custodians
POL07 Responsibility of Users
POL08 Monitoring of User Accounts, Files, and Access
POL09 Administrative Access to City Information Systems
POL10 Electronics Data and Records Management
POL11 Electronics Data Breach Disclosure
POL12 Access Controls
POL13 Systems and Network Security
POL14 Physical Security
POL15 Personnel Security Measures
POL16 Policy Enforcement
POL17 Acceptable Use of City Digital Equipment, Internet Access, Electronics Communications and Other Applications
POL18 Rules Specific to Electronics Communication Usage
POL19 Patch Management
POL20 Virus Malware Protection
POL21 Remote and Ad-Hoc Connectivity
POL22 Wireless Access
POL23 Web Application Deployment
POL24 Policy Exceptions
(…Continue in ISSP Handbook)
==============================================================================

Appendix A:
http://en.wikipedia.org/wiki/Security_policy
http://en.wikipedia.org/wiki/Information_security_policy
http://en.wikipedia.org/wiki/Information_Protection_Policy
SANS – Web Application Security Assessment Policy
Appendix B:
Business Justification for Application Security Assessment
Disgruntled Employee – The initial physical state of data leakage