Friday, 23 May 2014

Think before you include external scripts from other domain

Hello,
While penetration testing I found out one interesting thing.

If you include external scripts from another domain, you should be careful and cautious about HTTP cookie access. Sometimes you genuinely need to include scripts from another domain, but if you do not take enough care with security practices, other users' accounts can be compromised by session hijacking and session fixation even if your own website is not vulnerable.

Confused? Okay, I will make it easy. What happens if the web server from which you include the external JS script is compromised? You may think that's not a big deal, because that is not the server where the developer hosts the website. But what if I modify that external JS script on the compromised server?
Anyway, I won't say much more and will give you a small demo instead.

Here is the source code of the external JS file located at 192.168.42.145. This code returns a random quote from an array. The server at this location has been hacked, and this code will be modified by the attacker later.



This is roughly what the source code looks like at 192.168.56.102:



And here is how the application looks. The function message() returns a random quote from an array, and once someone logs in a message is displayed on the index page, somewhat like this:


So once the attacker found that an external JS script from the compromised host 192.168.42.145 is used by a secured web site, he decided to inject some malicious code into it. The code steals cookies and sends them back to the attacker at 192.168.247.159. Here is the exploited code:


Back on the attacker's machine at 192.168.247.159, the attacker keeps a listener running. I am running a simple HTTP server that logs all requests made to it.


And this is how the login screen looks:

Now the actual fun begins. The victim logs into the system with her own username and password. Once she logs in, the JS code executes, the cookies are stolen and sent to the attacker. Look at the logs:

Now the attacker injects the hijacked cookies into his own browser's cookies:



Boom :) :) ... Now the attacker is the admin :) ... Hope you enjoyed reading it.
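The defence against exactly this scenario, as an added example that is not from the original post: Subresource Integrity lets the including site pin the exact bytes of the third-party script, so a file that has been modified on the compromised host is refused by the browser. The quote script below is a constructed stand-in for the author's file, and the check mirrors what a browser does with the integrity attribute.

```python
import base64
import hashlib

# Constructed stand-in for the external quote script in the post (not the real file).
ORIGINAL_SCRIPT = (b"function message(){var q=['Stay curious','Patch early'];"
                   b"return q[Math.floor(Math.random()*q.length)];}")

def sri_hash(content, algo="sha384"):
    """Return an SRI integrity token ('sha384-<base64 digest>') for the script bytes."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def script_tag(src, content):
    """The <script> tag a site owner publishes for a pinned third-party file.
    crossorigin is required so the browser may read the cross-origin response."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')

def browser_would_execute(fetched, integrity):
    """Mimic the browser's SRI check: execute only if one of the listed
    tokens (space separated, sha256/384/512) matches the fetched bytes."""
    for token in integrity.split():
        algo = token.partition("-")[0]
        if algo in ("sha256", "sha384", "sha512") and sri_hash(fetched, algo) == token:
            return True
    return False

# Anything injected into the hosted file changes the digest, so the tag's pinned
# hash no longer matches and the browser refuses to run the tampered script.
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"/* modified on the compromised host */"
```

Marking the session cookie HttpOnly is the complementary control: a script that does run cannot read it through document.cookie, so it has nothing to send.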

Tuesday, 6 May 2014

DNS Part 2 - Linux and Windows Command Line Utilities to perform DNS Lookups


Now we are going to deal with some command line utilities.


1. host

  • Purpose: DNS lookup utility
  • Platform: Linux
  • Usage:


$ host google.com

2. nslookup

  • Purpose: query Internet name servers interactively
  • Platform: Windows, Linux (the Linux version does not support some features such as ls)
  • Usage:


$ nslookup
> set type=A
> google.com

Similarly, you can query other record types by replacing set type=A with, for example, set type=NS:

$ nslookup
> set type=NS
> google.com



3. dig

  • Purpose: advanced DNS lookup utility
  • Platform: Linux
  • Usage:


Please note that by default dig queries A records:

$ dig google.com

If you want to query all record types at once, use this command:

$ dig ANY google.com


Hope you enjoyed this tutorial. In the next part, DNS Part 3, we will learn about some hacking techniques against DNS servers, such as zone transfers and DNS brute forcing.



DNS Part 1 - Basics of DNS



Hello friends,
I am back again with some more tutorials. The whole tutorial is divided into 4 parts.

Part 1 - Basics of DNS
Part 2 - Linux and Windows Command Line Utilities to query DNS
Part 3 - Advanced Tools - dnsdict6, Fierce, theHarvester
Part 4 - Bash Scripting to Automate DNS Queries and Security Issues in DNS 

Well, what is DNS?
DNS stands for Domain Name System. It is used to resolve a hostname to an IP address and vice versa.

A simple overview of how it works

It is not possible to remember the IP addresses of all systems. DNS lets us give a host a meaningful name, since a name is easier to remember than a series of numbers. So when I want to browse a site, say google.com, I type that address in the address bar. The system then sends a DNS query to the DNS server to resolve the IP address of google.com. Say it responds with the answer 74.125.236.41. The browser then initiates a TCP connection to 74.125.236.41 on port 80.

It provides the following services:

1. Host aliasing - For example, a complicated hostname like training.subgroup.site.com can have an alias like www.site.com. Here training.subgroup.site.com is the canonical hostname.

2. Mail server aliasing - For example, mail.school.hackerrank.com can have an alias like hackerrank.com. The MX records can be used to find the various mail servers. We will see this in detail when we study nslookup.



Port used by DNS to query and resolve hostnames to IPs: port 53

Type of connection used: mostly UDP, but TCP is used if the payload is larger than 512 bytes, for example in a zone transfer.

Types of DNS Server


  • Root DNS Server
  • Top Level Domain (TLD) DNS Server
  • Authoritative DNS Server
  • Local DNS Server

Types of queries DNS makes to resolve an IP address

  • Iterative
  • Recursive


Types of records

1. Type=A - hostname to IPv4 address
2. Type=AAAA - hostname to IPv6 address
3. Type=NS - name server record that maps a domain name to the list of DNS servers authoritative for that domain
4. Type=MX - mail exchange record that maps a domain name to the list of mail servers for that domain


There are even more record types. Please do some more research and find out about other interesting records.
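To see what host, nslookup and dig (Part 2) actually put on the wire, here is an added example, not from the original post, that builds the UDP query sent to port 53 for the record types listed above and parses the answer section of a reply, including the name compression pointers real servers use. The reply bytes are constructed here, not captured from a live server.

```python
import socket
import struct
QTYPE = {"A": 1, "NS": 2, "MX": 15, "AAAA": 28}  # wire values of the record types above

def encode_name(name):
    """'google.com' -> b'\\x06google\\x03com\\x00' (length-prefixed labels, zero terminator)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
def build_query(name, rtype="A", txid=0x1234):
    """UDP payload sent to port 53: 12-byte header with RD (recursion desired) set + one IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[rtype], 1)

def read_name(msg, off):
    """Decode a name at `off`, following 0xC0xx compression pointers; returns (name, next_offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer: jump back, but resume after it
            end = end or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end or off)

def parse_response(msg):
    """Return [(name, type, ttl, value)] for each record in the answer section."""
    _, _, qd, an = struct.unpack("!HHHH", msg[:8])
    off = 12
    for _ in range(qd):                           # skip the echoed question(s)
        off = read_name(msg, off)[1] + 4          # name + qtype + qclass
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1:
            value = socket.inet_ntoa(msg[off:off + 4])
        else:                                     # NS rdata is a name; MX has a 2-byte preference first
            value = read_name(msg, off + 2 * (rtype == 15))[0]
        answers.append((name, rtype, ttl, value))
        off += rdlen
    return answers

# Constructed reply (not captured from a real server): google.com -> 74.125.236.41, with the
# answer's name compressed back to the question at offset 12 (the 0xc00c pointer).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + encode_name("google.com")
                   + struct.pack("!HH", 1, 1) + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("74.125.236.41"))
```

Sending build_query() over a UDP socket to a resolver and passing the reply to parse_response() reproduces what `dig google.com` shows in its ANSWER SECTION.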


Okay, so now you know how DNS works! It's time to have fun with DNS and for some real-life demos. Check out Part 2. And thanks for reading :)