Saturday, 22 November 2014

Packet Analysis 4 : Basic HTTP Authentication

Standard
 "This tutorial should be used for educational purposes only. I won't be responsible if you misuse these techniques and get yourself in trouble. The pcap file used in this example is from a CTF challenge."


Protocol - Hypertext Transfer Protocol - Used for transferring hypertext
Connection Type - TCP



So the challenge scenario is something like this.

Find the username and password for the Basic HTTP authentication.

So to solve this challenge I will use Wireshark. First I load the pcap file in Wireshark.


In the filter bar I will write "http" so that it displays the packets matching the HTTP protocol only.



Now we will analyze the first capture: right click on it and select "Follow TCP Stream". After looking at the stream we will find that the page is protected by Basic HTTP Authentication.



GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.1
Connection: Keep-Alive
Authorization: Basic YWRtaW5pc3RyYXRvcjpwQHNzdzByZA==


So if we look carefully at the HTTP packets we have two response codes:
401 Access Denied
200 OK

200 OK means the page loaded successfully. So let's use "Follow TCP Stream" on that packet.



GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.1
Connection: Keep-Alive
Authorization: Basic YWRtaW5pc3RyYXRvcjpwQHNzdzByZA==


HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 08 Apr 2010 19:43:33 GMT
Content-Length: 1270
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGGQGGGYU=MNHDPIBDBHJEPFGBCFGKPKIJ; path=/
Cache-control: private

So we need to decode the value of the Authorization header. Basic authentication only base64-encodes the credentials, it does not encrypt them, so we just need to decode this string:
YWRtaW5pc3RyYXRvcjpwQHNzdzByZA==

For Basic HTTP authentication the username and password are joined with a ":" and the result is base64-encoded. On decoding we get


Username = administrator
Password  = p@ssw0rd
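The decoding step above, as an added example (not code from the original post): it scans raw HTTP request text such as a followed TCP stream, picks out every Authorization: Basic header and decodes it. The sample request is copied from the stream shown above; the split is on the first colon only, because RFC 7617 forbids a colon in the user-id but allows one in the password. On the defensive side the same scan tells you which logins crossed the wire in the clear.

```python
import base64
import binascii

# Sample input: the request lines from the followed TCP stream in this post.
SAMPLE_REQUEST = """GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
Host: 192.168.0.1
Connection: Keep-Alive
Authorization: Basic YWRtaW5pc3RyYXRvcjpwQHNzdzByZA==
"""


def decode_basic_credential(value):
    """Decode the value part of "Authorization: Basic <value>".

    Returns (username, password). The decoded text is user-id ":" password;
    the user-id cannot contain ':' but the password can, so split on the
    FIRST colon only. Raises ValueError for anything that is not Basic.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("not valid base64: %r" % value) from exc
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:          # older clients send Latin-1
        text = raw.decode("latin-1")
    if ":" not in text:
        raise ValueError("decoded credential has no ':' separator")
    user, _, password = text.partition(":")
    return user, password


def find_basic_credentials(http_text):
    """Return every (username, password) sent in an Authorization: Basic
    header within raw HTTP request text (one or more requests)."""
    found = []
    for line in http_text.splitlines():
        name, sep, rest = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, value = rest.strip().partition(" ")
        if scheme.lower() != "basic":
            continue                    # Digest, Bearer, NTLM: not decodable this way
        found.append(decode_basic_credential(value.strip()))
    return found


if __name__ == "__main__":
    for user, pw in find_basic_credentials(SAMPLE_REQUEST):
        print("cleartext Basic login: user=%r password=%r" % (user, pw))
```

Run it on the text of a followed stream and every Basic login in it is listed; a Digest or NTLM header is skipped rather than mis-decoded.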


Friday, 21 November 2014

Packet Analysis 3 : SMTP Authentication

 "This tutorial should be used for educational purposes only. I won't be responsible if you misuse these techniques and get yourself in trouble. The pcap file used in this example is from a CTF challenge."


Protocol - Simple Mail Transfer Protocol - Used for sending emails
Connection Type - TCP
Commonly Used Commands : HELO, MAIL, RCPT

So the challenge scenario is something like this.

Find the username and password of the SMTP authentication.

So to solve this challenge I will use Wireshark. First I load the pcap file in Wireshark.




In the filter bar I will write "smtp" so that it displays the packets matching the SMTP protocol only.

In SMTP we need to authenticate before we can send any mail. After applying the filter we can see the details of the SMTP session. We can find the info by looking at the packet list, or we can get the details by following the TCP stream of the packet marked "Authentication Successful". So I will right click on that and select "Follow TCP Stream".



We find this result:

AUTH LOGIN
334 VXNlcm5hbWU6
QXVkaQ==
334 UGFzc3dvcmQ6
MTIzNGFk

The authentication is base64-encoded, so we will decode the two client lines, QXVkaQ== and MTIzNGFk:

QXVkaQ== base64 decoded is Audi
MTIzNGFk base64 decoded is 1234ad
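The AUTH LOGIN exchange above, parsed by an added example (not code from the original post). The server's 334 challenges are base64 too (VXNlcm5hbWU6 is "Username:", UGFzc3dvcmQ6 is "Password:"), so the parser reads each prompt to decide which client reply is the username and which the password instead of assuming a fixed order. The sample stream is the one shown above plus a constructed final 235 line standing in for the "Authentication successful" reply.

```python
import base64

# Sample input: the AUTH LOGIN lines from the followed stream above; the final
# 235 reply is constructed to represent the server's "authentication successful".
SAMPLE_STREAM = """AUTH LOGIN
334 VXNlcm5hbWU6
QXVkaQ==
334 UGFzc3dvcmQ6
MTIzNGFk
235 2.7.0 Authentication successful
"""


def b64_text(value):
    """Decode a base64 token to text (invalid UTF-8 bytes are replaced)."""
    return base64.b64decode(value).decode("utf-8", errors="replace")


def parse_auth_login(stream_text):
    """Walk an SMTP AUTH LOGIN dialogue and return the decoded 'username'
    and 'password' plus 'result', the server's final reply code
    (235 = accepted, 535 = rejected)."""
    creds = {"username": None, "password": None, "result": None}
    expecting = None            # which credential the next client line carries
    in_auth = False
    for line in stream_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.upper().startswith("AUTH LOGIN"):
            in_auth = True
            parts = line.split(None, 2)
            if len(parts) == 3:                 # "AUTH LOGIN <b64 username>" shortcut
                creds["username"] = b64_text(parts[2])
            continue
        if not in_auth:
            continue                            # EHLO, banner, etc.
        if line[:3].isdigit():                  # server reply
            code = line[:3]
            if code == "334":
                prompt = b64_text(line[4:]).strip().rstrip(":").lower()
                if prompt.startswith("user"):
                    expecting = "username"
                elif prompt.startswith("pass"):
                    expecting = "password"
                else:                           # empty/unknown prompt: standard order
                    expecting = "username" if creds["username"] is None else "password"
            else:
                creds["result"] = code
                if code in ("235", "535"):
                    break
        elif expecting:                         # client reply to the challenge
            creds[expecting] = b64_text(line)
            expecting = None
    return creds


if __name__ == "__main__":
    print(parse_auth_login(SAMPLE_STREAM))
```

Because AUTH LOGIN is only base64, anyone who captures the session without TLS (no STARTTLS) gets the credentials; the parser is the same check a defender runs to find such cleartext logins in a capture.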

Wednesday, 24 September 2014

Packet Analysis 2 : SMTP Details

CAUTION

    "This tutorial should be used for educational purposes only. I won't be responsible if you misuse these techniques and get yourself in trouble. The pcap file used in this example is from a CTF challenge."


Protocol - Simple Mail Transfer Protocol - Used for sending emails
Connection Type - TCP
Commonly Used Commands : HELO, MAIL, RCPT

So the challenge scenario is something like this.

Find the sender's and the recipient's email addresses of the SMTP transfer in the pcap file.

So to solve this challenge I will use Wireshark. First I load the pcap file in Wireshark.



Now my objective is to find the sender's and receiver's email addresses. So in the filter bar I will write "smtp" so that it displays the packets matching the SMTP protocol only.





In SMTP we need to authenticate before we can send any mail. After applying the filter we can see the details of the SMTP session. We can find the info by looking at the packet list, or we can get the details by following the TCP stream of the packet marked "Authentication Successful". So I will right click on that and select "Follow TCP Stream".





By analyzing the stream we can find the sender's and receiver's email addresses in the MAIL FROM and RCPT TO commands.
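The extraction described above, as an added example (not code from the original post). The challenge's addresses are not shown here, so the session below is constructed; it has the shape of a followed TCP stream. The parser reads the envelope (MAIL FROM / RCPT TO) and pairs each RCPT with the server's reply, so it reports which recipients the server actually accepted. The From:/To: headers inside DATA are deliberately ignored: they are free text chosen by the sender and can disagree with the envelope, which is exactly what a forged mail does.

```python
import re

# Constructed sample SMTP session (not the challenge capture).
SAMPLE_SESSION = """220 mail.example.test ESMTP
EHLO client.example.test
250-mail.example.test
250 AUTH LOGIN PLAIN
MAIL FROM:<alice@example.test> SIZE=1024
250 2.1.0 Ok
RCPT TO:<bob@example.test>
250 2.1.5 Ok
RCPT TO:<nobody@example.test>
550 5.1.1 User unknown
RCPT TO:<carol@example.test>
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: "Someone Else" <ceo@example.test>
To: bob@example.test
Subject: hello
.
250 2.0.0 Ok: queued
QUIT
"""

_ADDR = re.compile(r"<([^>]*)>")


def _address(line):
    """Pull the address out of 'MAIL FROM:<a@b>' or 'RCPT TO:a@b'."""
    m = _ADDR.search(line)
    if m:
        return m.group(1)
    return line.split(":", 1)[1].split()[0]


def extract_envelope(session_text):
    """Return the envelope sender plus the recipients the server accepted
    (2xx reply) and rejected (anything else) from an SMTP dialogue."""
    sender = None
    accepted, rejected = [], []
    pending = None              # RCPT address waiting for the server's verdict
    in_data = False
    for line in session_text.splitlines():
        if in_data:             # skip the message body up to the lone "."
            if line == ".":
                in_data = False
            continue
        upper = line.upper()
        if upper.startswith("MAIL FROM:"):
            sender = _address(line)
        elif upper.startswith("RCPT TO:"):
            pending = _address(line)
        elif upper.startswith("DATA"):
            in_data = True
        elif line[:3].isdigit() and pending is not None:
            (accepted if line.startswith("2") else rejected).append(pending)
            pending = None
    return {"sender": sender, "accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    print(extract_envelope(SAMPLE_SESSION))
```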

Monday, 18 August 2014

Packet Analysis 1 : FTP Authentication

CAUTION
"This tutorial should be used for educational purposes only. I won't be responsible if you misuse these techniques and get yourself in trouble. The pcap file used in this example is from a CTF challenge."

Protocol - File Transfer Protocol - Used for transferring files from one host to another.
Connection Type - TCP
Commonly Used Commands : USER, PASS, RETR

So the challenge scenario is something like this.

Extract the credentials required for the FTP authentication from the pcap file.

So to solve this challenge I will use Wireshark. First I load the pcap file in Wireshark.




Now my objective is to find the credentials required for the FTP authentication. So in the filter bar I will write "ftp" so that it displays the packets matching the FTP protocol only. If we look closely at the results we will see a lot of response codes. The response "230 User Sandy logged in" is the interesting one, because 230 means the login succeeded.



So I will right click on that and select "Follow TCP Stream".




So now I am able to read the username and password from the USER and PASS commands in the stream.
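The same extraction as an added example (not code from the original post). FTP sends USER and PASS in cleartext, so the script pairs each attempt with the server's verdict and reports which logins succeeded (230) and which failed (530). The dialogue is constructed: "Sandy" is the user from the 230 reply above, the password is a placeholder and not the challenge's.

```python
# Constructed FTP control-channel dialogue in the shape of a followed stream.
# "Sandy" is the user named in the post's 230 reply; the passwords are placeholders.
SAMPLE_FTP = """220 (vsFTPd 2.3.4)
USER Sandy
331 Please specify the password.
PASS wrong-guess
530 Login incorrect.
USER Sandy
331 Please specify the password.
PASS placeholder-password
230 User Sandy logged in
SYST
215 UNIX Type: L8
QUIT
221 Goodbye.
"""


def extract_ftp_logins(stream_text):
    """Pair each USER/PASS attempt on an FTP control channel with the server's
    reply. Returns a list of dicts: user, password, code, success (code 230).

    Because the credentials are cleartext, this is also the check a defender
    runs over a capture to see which accounts were exposed and which logins
    actually succeeded.
    """
    logins = []
    user = None
    password = None
    for line in stream_text.splitlines():
        line = line.rstrip("\r")
        upper = line.upper()
        if upper.startswith("USER "):
            user = line[5:].strip()
            password = None                 # new attempt starts
        elif upper.startswith("PASS "):
            password = line[5:].strip()
        elif line[:3].isdigit() and password is not None:
            # first reply after PASS is the verdict: 230 ok, 530 refused
            code = line[:3]
            logins.append({"user": user, "password": password,
                           "code": code, "success": code == "230"})
            password = None
    return logins


if __name__ == "__main__":
    for attempt in extract_ftp_logins(SAMPLE_FTP):
        print(attempt)
```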



Friday, 23 May 2014

Think before you include external scripts from other domain

Hello,
While penetration testing I found out one interesting thing.

If you use external scripts from another domain then you should be careful about HTTP cookie access. Sometimes you need to include scripts from another domain. But if you are not taking enough care of security practices, then other users' accounts can be compromised by session hijacking and session fixation even if your own website is not vulnerable.

 Confused? Okay, I will make it easy. What will happen if the web server from which you are including the external JS script is compromised? Well, you may think that's not a big deal because that's not the server where the developer is hosting the website. But what if I modify that external JS script on the compromised server?
 Anyway, I won't speak much and will give you a small demo instead.



Here is the source code of the external JS file located at 192.168.42.145. This code returns a random quote from an array. The server at this location is hacked and this code will be modified by the attacker later.



This is roughly what the source code looks like at 192.168.56.102.



And here is how the application looks. The function message() returns a random quote from an array, and once someone logs in a message is displayed on the index page, somewhat like this:


So once the attacker found that an external JS script from the compromised location 192.168.42.145 is used by a secured web site, he decided to inject some malicious code into it. The code will steal cookies and send them back to the attacker at 192.168.247.159. So here is the exploited code.
  


And now back at the attacker machine at 192.168.247.159 the attacker keeps a listener. I am running a simple HTTP server and it will log all the requests made to it.


And this is how the login screen looks.

Now the actual fun begins. The victim logs into the system with her own username and password. And once she logs in, the JS code executes, the cookies are stolen and sent to the attacker. Look at the logs:

Now the attacker injects the hijacked cookies into his own browser's cookies.



Boom :) :) ... Now the attacker is the admin :) ... Hope you enjoyed reading it.
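A defender's check for the weakness this demo relies on, as an added example (not code from the original post). The injected script can only read the session cookie because the cookie is exposed to JavaScript; a cookie set with HttpOnly is not readable through document.cookie, Secure keeps it off plain HTTP, and SameSite limits cross-site sending. The audit below parses Set-Cookie headers and reports what is missing. The first sample is the ASP session cookie from the IIS response captured in the Basic HTTP Authentication post on this page (which sets neither flag); the hardened variant is constructed for comparison.

```python
# Session cookie as set by the server in the HTTP capture earlier on this page.
CAPTURED_RESPONSE = """HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGGQGGGYU=MNHDPIBDBHJEPFGBCFGKPKIJ; path=/
Cache-control: private
"""
# Constructed hardened version of the same cookie for comparison.
HARDENED_SET_COOKIE = ("ASPSESSIONIDGGQGGGYU=MNHDPIBDBHJEPFGBCFGKPKIJ; path=/; "
                       "HttpOnly; Secure; SameSite=Lax")


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute_lower: value}).
    Flag attributes such as HttpOnly map to an empty string."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_session_cookie(header_value):
    """Return the list of weaknesses that let a script from another domain
    (or any injected script) read or replay this cookie."""
    _name, _value, attrs = parse_set_cookie(header_value)
    problems = []
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: readable via document.cookie by any script on the page")
    if "secure" not in attrs:
        problems.append("missing Secure: also sent over plain HTTP, visible to a sniffer")
    if "samesite" not in attrs:
        problems.append("missing SameSite: attached to cross-site requests")
    return problems


def audit_response(http_response_text):
    """Audit every Set-Cookie header in raw HTTP response text.
    Returns {cookie_name: [problems]}."""
    report = {}
    for line in http_response_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            name = parse_set_cookie(value.strip())[0]
            report[name] = audit_session_cookie(value.strip())
    return report


if __name__ == "__main__":
    for cookie, problems in audit_response(CAPTURED_RESPONSE).items():
        print(cookie, "->", problems or "ok")
```

HttpOnly does not stop a compromised script from making requests with the victim's session while the page is open, but it does stop the cookie value from leaving the browser, which is the step the demo above depends on.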

Tuesday, 6 May 2014

DNS Part 2 - Linux and Windows Command Line Utilities to perform DNS Lookups

DNS Part 2 - Linux and Windows Command Line Utilities to query DNS Server

Now we are going to deal with some command line utilities.


1. Host 


  • Purpose - DNS lookup utility
  • Platform : Linux
  • Usage :


$ host google.com







2. Nslookup 


  • Purpose - Query Internet name servers interactively
  • Platform : Windows, Linux (the Linux version does not support some features like ls)
  • Usage :


$ nslookup
>set type=A 
>google.com







Similarly you can query other record types by replacing set type=A with, for example, set type=NS:

$ nslookup
>set type=NS
>google.com



3. Dig 


  • Purpose - Advanced DNS lookup utility
  • Platform : Linux
  • Usage :


Please note that by default dig queries for A records.

$ dig google.com





If you want to ask for all record types at once, use this command:

$ dig ANY google.com


Hope you enjoyed this tutorial. In the next part, DNS Part 3, we will learn about some hacking techniques against DNS servers like zone transfers, DNS brute forcing, etc.



DNS Part 1 - Basics of DNS



Hello friends,
I am back again with some more tutorials. The whole tutorial is going to be divided into 4 parts.

Part 1 - Basics of DNS
Part 2 - Linux and Windows Command Line Utilities to query DNS
Part 3 - Advanced Tools - Dnsdict6, Fierce, theHarvester
Part 4 - Bash Scripting to Automate DNS Queries and Security Issues in DNS

Well, what is DNS?
DNS stands for Domain Name System. It is used to resolve host names to IP addresses and vice versa.

A simple overview of its working

It is not possible to remember the IP addresses of all systems. DNS lets us give a hostname, i.e. a meaningful name, to an IP address, since it is easier to remember a name than a series of numbers. So when I want to browse a site, say google.com, I put that address in the address bar. The system then sends a DNS query to the DNS server to resolve the IP address of google.com. Say it responds with the answer 74.125.236.41. Now the browser will initiate a TCP connection to 74.125.236.41 on port 80.

It provides the following services

1. Host Aliasing - For example a complicated hostname like training.subgroup.site.com can have an alias like www.site.com. Here training.subgroup.site.com is the canonical hostname.

2. Mail Server Aliasing - For example mail.school.hackerrank.com can have an alias like hackerrank.com. The MX records can be used to find the domain's mail servers. We will look at this in detail when we study nslookup.



Port used by DNS to query and resolve hostnames to IPs : Port 53

Type of connection used : Mostly UDP, but TCP is used if the payload is larger than 512 bytes, for example for a zone transfer.

Types of DNS Server


  • Root DNS Server 
  • Top Level Domain
  • Authoritative DNS Server
  • Local DNS Server







Types of queries DNS makes to resolve an IP address

  • Iterative
  • Recursive









Types of records 

1. Type=A - Hostname to IPv4 address
2. Type=AAAA - Hostname to IPv6 address
3. Type=NS - Name server record that maps a domain name to a list of DNS servers authoritative for that domain
4. Type=MX - Mail exchange record that maps a domain name to a list of mail servers for that domain


There are even more record types. Please do some more research and find out about some more interesting records.


Okay, so now you know how DNS works! It's time to have fun with DNS, with some real life demos. Check out part II. And thanks for reading :)
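What the tools in Part 2 (host, nslookup with set type=NS, dig) put on the wire and what comes back, shown at the wire level as an added example (not code from the original posts). It builds the UDP payload for a query of a chosen record type using the type codes from the list above (A=1, NS=2, MX=15, AAAA=28, ANY=255), parses a response including compressed names, and exposes the TC (truncated) bit that tells a resolver to retry over TCP when an answer does not fit in 512 bytes of UDP. Nothing is sent to port 53: the response is constructed to match the google.com example in Part 1, with the address the post quotes, so it runs offline.

```python
import struct

QTYPES = {"A": 1, "NS": 2, "MX": 15, "AAAA": 28, "ANY": 255}
DNS_PORT = 53
UDP_LIMIT = 512     # classic UDP payload limit; larger answers set TC, retry over TCP


def encode_name(name):
    """'google.com' -> b'\\x06google\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234):
    """The datagram host/dig/nslookup send: header (id, flags RD=1, 1 question)
    followed by the question (name, type, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def read_name(msg, offset):
    """Read a possibly compressed name; returns (name, offset just after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # 2-byte compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(msg):
    """Parse header, question and answer sections of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions = []
    for _ in range(qd):
        qname, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype))
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1 and rdlen == 4:                 # A: dotted quad
            data = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5):                         # NS / CNAME: a name
            data, _ = read_name(msg, off)
        else:
            data = rdata.hex()
        off += rdlen
        answers.append((name, rtype, ttl, data))
    return {"id": txid, "truncated": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def sample_response():
    """Constructed reply to build_query('google.com', 'A'): flags QR/RD/RA set,
    one A record carrying the address the post uses (74.125.236.41)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name("google.com") + struct.pack("!HH", 1, 1)
    answer = (b"\xC0\x0C"                              # pointer to the name at offset 12
              + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([74, 125, 236, 41]))
    return header + question + answer


if __name__ == "__main__":
    print(build_query("google.com", "NS").hex())
    print(parse_response(sample_response()))
```

To use it against a real server you would send build_query() over UDP to port 53 and, if parse_response() reports truncated=True, repeat the query over TCP with the 2-byte length prefix that DNS-over-TCP requires.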