While moving my Kali Linux VM from my old Win7 machine to my new Win10 machine, I faced this strange issue while starting the VM:
After banging my head for a long time, I figured out that by default on new laptops virtualization is disabled on Intel processors, and to enable it we need to enter the BIOS setup. We need to turn it on by:
Entering the BIOS is a bit different on Win 10 machines:
Generally, accounts are locked when the number of unsuccessful login attempts exceeds a certain threshold. The application locks the userid to thwart any further brute-force attempts. Generally the threshold is 3 unsuccessful attempts.
But I recently came across an application with a flaw that allows the account lockout to be bypassed.
Suppose an account is already locked and we now supply the correct userid and password, having remembered the correct combination.
It acts like the below:
1. In one tab we'll access the login page and enter the userid/password correctly. But the app will not let you in, because the userid is locked, and it displays an account-locked message.
2. Now try accessing an internal URL of the application in a second tab of the same browser, since two tabs share the session ID in most browsers.
3. The application lets you in the second tab!
This behavior of the application puzzled us until we inspected it closely and came to know about…
There was a recent discussion around the effective security and effective key length of the 3DES algorithm. Basically, 3DES is DES applied three times, with three keys (K1, K2, K3) involved in the operation. The size of a key in DES is 64 bits, but due to padding the actual key used for encryption is 56 bits long. So in 3DES the total key size would be 168 bits.
Now there are 3 options in 3DES:
Option 1, where K1, K2 and K3 are independent: the length is 168 bits.
Option 2, where two of the keys are the same, e.g. K1=K3: the actual length is still 168 bits, but the 'effective' length is 112 bits (also called 2-key 3DES).
Option 3, the least secure, where all three keys are the same, i.e. K1=K2=K3: the actual length is still 168 bits, but the 'effective' key length is 56 bits.
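To see why option 3 is worth no more than single DES, here is an added example (not from the post) using Go's standard crypto/des package: it checks, for each keying option, whether 3DES under (K1, K2, K3) produces the same ciphertext as single DES under one key. The keys, the plaintext block and the function names are constructed assumptions.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// Constructed sample keys and block (not from the post). DES takes 8 key bytes,
// but the low bit of each byte is parity, so only 56 bits per key are key material.
var (
	K1    = []byte("KeyOne!!")
	K2    = []byte("KeyTwo!!")
	K3    = []byte("KeyThree")
	Block = []byte("8byteblk")
)

// encryptBlock encrypts one 8-byte block: single DES for an 8-byte key, 3DES in
// EDE order (E_k3(D_k2(E_k1(x)))) for a 24-byte k1||k2||k3 key. Panics on a bad
// key length, which cannot happen with the fixed-size keys used here.
func encryptBlock(key, block []byte) []byte {
	var c cipher.Block
	var err error
	if len(key) == des.BlockSize {
		c, err = des.NewCipher(key)
	} else {
		c, err = des.NewTripleDESCipher(key)
	}
	if err != nil {
		panic(err)
	}
	out := make([]byte, des.BlockSize)
	c.Encrypt(out, block)
	return out
}

// ReducesToDES reports whether 3DES under (k1, k2, k3) gives the same ciphertext
// as single DES under k. With K1=K2=K3 the D_k2 step undoes E_k1 and only E_k3
// remains, which is why option 3 has an effective length of 56 bits.
func ReducesToDES(k1, k2, k3, k, block []byte) bool {
	tdes := append(append(append([]byte{}, k1...), k2...), k3...)
	return bytes.Equal(encryptBlock(tdes, block), encryptBlock(k, block))
}

func main() {
	opt1 := ReducesToDES(K1, K2, K3, K3, Block) // option 1: independent keys
	opt2 := ReducesToDES(K1, K2, K1, K1, Block) // option 2: K1=K3 (2-key 3DES)
	opt3 := ReducesToDES(K3, K3, K3, K3, Block) // option 3: K1=K2=K3
	fmt.Println("reduces to single DES? opt1:", opt1, "opt2:", opt2, "opt3:", opt3)
}
```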
Now, due to a known attack on 3DES, Meet-in-the-Middle (MeetITM), the 'effective' security of the above options is reduced as follows:
As the brush with 2-tier apps continues, the usual recommendation for protecting memory from leakage is to overwrite sensitive data as soon as its use is over. Although this does not prevent leakage completely, it reduces the attack surface considerably. Fortunately, for .Net applications there's a class called SecureString, which lets you keep string data encrypted in memory. But there are a few things to keep in mind. I liked the points below from a stackoverflow post:
Do you know how many times I've seen such scenarios(answer is: many!):
1. A password appears in a log file accidentally.
2. A password is being shown somewhere - once a GUI did show the command line of an application that was being run, and the command line contained the password.
3. Using a memory profiler to profile software with your colleague. Colleague sees your password in memory. Sounds unreal? Not at all.
4. Some tools such as RedGate software that could capture the "value" of lo…
2-tier applications use the front-end to communicate directly with the DB. There's no separate business-logic tier; all the business logic sits on the client side. Thick-client applications are (mostly) classic examples of this. Applications developed in .Net and Java can be found in large numbers inside any organization. Sometimes it's difficult to move straight to a 3-tier architecture, and businesses are reluctant to accept this approach because:
- Moving to 3-tier involves a great amount of coding effort and money.
- Sometimes the applications are almost at end of life and are not being retired simply because there's no good reason to do so.
- Most of the above applications are intranet applications. The business claims that, being internal, they are less susceptible to attack.
But under these claims they overlook one very big risk: sensitive information in memory dumps.
Being 2-tier, the application connects to the DB by constructing a connection string using DB credentials…
Just after writing the previous post, we came across a scenario where the application was expecting a PDF and the back-end was PHP. But the application was not accepting the null-byte-injected files described in the last post.
We found that it was validating the PDF magic number and the content type in the headers.
So we repeated the exact steps of the last post, and additionally changed the signature and content type, and the application uploaded it successfully.
So we renamed our file shell.php as shell.phpA.pdf and replaced the A with a null byte, so the string became shell.php[NULL].pdf, which the interpreter read and created a file shell.php on the server. The only issue is that there's no code to execute, since all the contents were PDF contents. But our aim was to bypass the check, and it was successful. This post concludes.
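As an added, defender-side example that is not from the post, the following Go function shows the server-side checks that stop the bypass just described: it rejects a NUL byte anywhere in the client filename, takes the extension from the whole name, requires the declared content type and the PDF magic number to match, and stores the file under a server-chosen name so the client name never reaches the filesystem. The function and parameter names and the sample values are assumptions.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"path"
	"strings"
)

// pdfMagic is the signature every PDF body starts with.
var pdfMagic = []byte("%PDF-")

// CheckPDFUpload runs the checks an upload endpoint that accepts only PDFs
// should perform before anything is written to disk. serverID is the caller's
// own identifier for the upload; the returned name is built from it, not from
// the client-supplied name.
func CheckPDFUpload(clientName, contentType string, body []byte, serverID string) (string, error) {
	// A NUL byte in the name is never legitimate; rejecting it here means no
	// downstream C-style string handling can truncate "x.php\x00.pdf" to "x.php".
	if strings.ContainsRune(clientName, 0) {
		return "", errors.New("filename contains a NUL byte")
	}
	// Strip any directory part the client may have sent.
	base := path.Base(strings.ReplaceAll(clientName, "\\", "/"))
	if !strings.EqualFold(path.Ext(base), ".pdf") {
		return "", fmt.Errorf("unexpected extension %q", path.Ext(base))
	}
	// Conservative policy: exactly one extension, so "a.php.pdf" is refused too.
	if strings.Count(base, ".") != 1 || strings.HasPrefix(base, ".") {
		return "", errors.New("filename must be of the form name.pdf")
	}
	if !strings.EqualFold(contentType, "application/pdf") {
		return "", fmt.Errorf("unexpected content type %q", contentType)
	}
	// The magic number check guards against a renamed script with a PDF name.
	if !bytes.HasPrefix(body, pdfMagic) {
		return "", errors.New("body does not start with the PDF signature")
	}
	return serverID + ".pdf", nil
}

func main() {
	body := []byte("%PDF-1.4\n% constructed sample body\n")
	for _, name := range []string{"report.pdf", "shell.php\x00.pdf", "shell.php.pdf"} {
		stored, err := CheckPDFUpload(name, "application/pdf", body, "upload-0001")
		fmt.Printf("%q -> stored=%q err=%v\n", name, stored, err)
	}
}
```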