Posts

ZigBee test cases

Zigbee is an IEEE 802.15.4-based specification for a suite of high-level communication protocols used to create personal area networks with small, low-power digital radios, for uses such as home automation, medical device data collection, and other low-power, low-bandwidth needs on small-scale projects.

Here are some generic test cases (please enlarge for a clearer view):




Nice article on the recent Equifax hack

Americans who either applied for new jobs, loans, or just wanted to check their credit score via Equifax are having a difficult time getting answers as to whether they are part of the breach of 143 million records that occurred Thursday. The company disclosed yesterday it was the victim of a massive cyberattack. From mid-May to the end of July this year, Equifax said criminals accessed files including names, Social Security numbers, birth dates, addresses and even driver’s license numbers. Since the revelation, the company’s site has been overwhelmed with worried website visitors that have brought the site to a crawl and at times rendered it unreachable. https://threatpost.com/many-questions-few-answers-for-equifax-breach-victims/127886/

LFI to DB and backdoor

I am describing a high-level, theoretical way of converting LFI to DB compromise and creating a backdoor. A long time ago, I came across an application which was vulnerable to LFI (Local File Inclusion).
The LFI found was different from the traditional one, since the filenames were not being passed in any parameter, so it was hard to detect too. A file called default.cgi contained code which looks for a file in the directory and includes it for some sort of processing (that was a business requirement); if the file is not found, it displayed a 'File not found' error. So in order to exploit it, one needed to append a file name just after default.cgi?. This way, one could view any file from the app server down to OS level. Many sensitive files were easily accessible, even from other folders. /etc/passwd was accessible but /etc/shadow was not present, unfortunately.
After browsing through almost all the files present on the server, I came across a few interesting files (conn.cgi) which contained the logic of connect…
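To make the include behaviour concrete, here is an added example (my own code, not the application or the post's own default.cgi) that models the flaw and its fix against a constructed in-memory "filesystem". The paths, file contents and the allow-listed suffix are assumptions made for the demo; the resolver functions are what matters: the vulnerable one lets the OS resolve whatever follows the "?", the hardened one refuses absolute paths, traversal out of the application directory, and file types the feature was never meant to include.

```python
import posixpath

# Constructed sample filesystem standing in for the server (not from the original post).
SAMPLE_FS = {
    "/var/www/app/report.txt": "quarterly figures",
    "/var/www/app/conn.cgi": "# constructed sample: $dsn='dbi:mysql:appdb'; $user='appuser'; $pass='s3cret';",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
}
APP_DIR = "/var/www/app"               # assumed location of default.cgi
ALLOWED_SUFFIXES = (".txt",)           # assumption: only data files were meant to be included


def vulnerable_include_path(base_dir, requested):
    """What the described default.cgi effectively did: take the query string as a
    file name and let the OS resolve it. posixpath.join drops base_dir entirely when
    'requested' is absolute, and normpath collapses '..' so traversal escapes too."""
    return posixpath.normpath(posixpath.join(base_dir, requested))


def safe_include_path(base_dir, requested):
    """Return an absolute path inside base_dir, or None when the request must be refused."""
    if not requested or "\x00" in requested or posixpath.isabs(requested):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    # Component-wise containment: '/var/www/app2/x' is NOT inside '/var/www/app',
    # which a plain startswith() check would get wrong.
    if posixpath.commonpath([base, candidate]) != base:
        return None
    name = posixpath.basename(candidate)
    if name.startswith(".") or not name.endswith(ALLOWED_SUFFIXES):
        return None
    return candidate


def serve(query_string, resolver, fs=SAMPLE_FS):
    """Minimal stand-in for the CGI handler: default.cgi?conn.cgi arrives as
    query_string 'conn.cgi'. Returns the file body or the original error text."""
    path = resolver(APP_DIR, query_string)
    if path is None or path not in fs:
        return "File not found"
    return fs[path]


if __name__ == "__main__":
    for q in ("report.txt", "conn.cgi", "/etc/passwd", "../../../etc/passwd"):
        print(f"{q!r:28} vulnerable -> {serve(q, vulnerable_include_path)[:30]!r}"
              f"  hardened -> {serve(q, safe_include_path)[:30]!r}")
```

On a real filesystem, run `os.path.realpath` on the candidate after the containment check as well, so a symlink inside the application directory cannot point back out; the string-level check above is what stops the `/etc/passwd` and `..` requests, the realpath step is what stops the symlink variant.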

Solving SSL error in Python: certificate verify failed

To do away with the SSL handshake error below, where urllib is very strict in verifying SSL certificates, we can ask it to relax:


Add the below lines:


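The lines the post refers to are not reproduced on this page. As an added example (my own code, not the post's snippet), the block below shows the "relax" option done explicitly on an SSLContext, next to the option that keeps verification and just points urllib at the right CA bundle, which is the fix you actually want when the error comes from a corporate interception proxy or a self-signed lab server. The URL and bundle path are placeholders.

```python
import ssl
import urllib.error
import urllib.request
from typing import Optional


def make_unverified_context() -> ssl.SSLContext:
    """The 'relax' option: skip both the hostname check and the chain check.
    Anyone on the network path can now impersonate the server, so keep this to
    throwaway lab work and never let it near anything that sends credentials.
    The commonly pasted one-liner
        ssl._create_default_https_context = ssl._create_unverified_context
    does the same thing process-wide through a private stdlib hook."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode is changed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_verified_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Keep verification on: trust the OS store, or a specific PEM bundle
    (e.g. the exported root of a TLS-intercepting proxy, or the lab CA)."""
    return ssl.create_default_context(cafile=cafile)


def verification_enabled(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch(url: str, ctx: ssl.SSLContext, timeout: float = 10.0) -> bytes:
    """GET a URL with the given context, surfacing the underlying TLS reason so the
    caller can tell a chain problem (wrong CA) from a hostname mismatch."""
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return resp.read()
    except urllib.error.URLError as exc:
        raise RuntimeError(f"TLS/HTTP failure for {url}: {exc.reason}") from exc


if __name__ == "__main__":
    # Placeholder endpoint and bundle path; adjust for your environment.
    url = "https://example.test/"
    try:
        print(fetch(url, make_verified_context(cafile="/path/to/corp-or-lab-ca.pem"))[:80])
    except (RuntimeError, FileNotFoundError) as err:
        print("verified fetch failed:", err)
```

If you must disable verification, do it on one explicitly constructed context passed to the one call that needs it, as above, rather than patching the module-level default; that keeps every other HTTPS connection in the process verified.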
When you face "Binary translation is incompatible" in a VM

While moving my Kali Linux VM from my old Win7 machine to my new Win10 machine, I faced this strange issue while starting the VM:

After banging my head for a long time, I figured out that by default on new laptops virtualization is disabled for Intel processors, and to enable it we need to enter the BIOS setup. We need to turn it on by:


Entering the BIOS is a bit different on Win 10 machines:
https://www.laptopmag.com/articles/access-bios-windows-10

Once that's enabled the VM bootup will be smooth!

When the locked account got bypassed

Generally, accounts are locked when the number of unsuccessful login attempts exceeds a certain threshold. The user IDs are locked by the application to thwart any further attempt to brute force. Generally the threshold is 3 unsuccessful attempts.
But I recently came across an application which had a flaw that leads to a bypass of the account lockout.
Suppose an account is already locked and we try to provide the correct user ID and password, as we now remember the correct combination.

It acts like the below:
1. In one tab we access the login page and enter the user ID/password correctly. But the app will not let us in because the user ID is locked, and it displays an "account locked" message.

2. Now try accessing an internal URL of the application in a second tab of the same browser, since two tabs share the session ID in most browsers.

3. The application lets you in the second tab!

This behavior of the application puzzled us until we inspected it closely and came to know about…
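The post's explanation of the root cause is cut off above, so the following is an added example (my own code, not the application's) built on one assumed implementation that produces exactly the three-step behaviour described: the handler verifies the password and issues the session first, and only consults the lockout flag when deciding which page to render. The fixed handler beside it evaluates the lockout before the password and creates no session on any failure path. User names, passwords and the store are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

MAX_FAILED_ATTEMPTS = 3          # the usual threshold mentioned in the post


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_store(users):
    """Constructed in-memory user store: {name: password} -> records plus a session table."""
    store = {"users": {}, "sessions": {}}
    for name, pw in users.items():
        salt = os.urandom(16)
        store["users"][name] = {"salt": salt, "pw_hash": _hash_password(pw, salt),
                                "failed": 0, "locked": False}
    return store


def _check_password(rec, password):
    return hmac.compare_digest(rec["pw_hash"], _hash_password(password, rec["salt"]))


def _record_failure(rec):
    rec["failed"] += 1
    if rec["failed"] >= MAX_FAILED_ATTEMPTS:
        rec["locked"] = True


def login_vulnerable(store, username, password):
    """Assumed flawed flow: authenticate, create the session, THEN look at the lock.
    Returns (session_id, message)."""
    rec = store["users"].get(username)
    if rec is None or not _check_password(rec, password):
        if rec is not None:
            _record_failure(rec)
        return None, "Invalid credentials"
    sid = secrets.token_hex(16)
    store["sessions"][sid] = username            # the session exists from here on
    if rec["locked"]:
        return sid, "Account locked"             # page says locked, cookie already set
    return sid, "Welcome"


def login_fixed(store, username, password):
    """Lockout decided before the password is even checked; no session on failure."""
    rec = store["users"].get(username)
    if rec is None:
        return None, "Invalid credentials"
    if rec["locked"]:
        return None, "Account locked"
    if not _check_password(rec, password):
        _record_failure(rec)
        return None, "Invalid credentials"
    rec["failed"] = 0
    sid = secrets.token_hex(16)
    store["sessions"][sid] = username
    return sid, "Welcome"


def internal_page(store, sid):
    """The 'second tab': any request carrying a session id the app knows about gets through."""
    return sid in store["sessions"]


def reproduce(login):
    """Lock the account with bad passwords, log in with the right one, then hit the
    internal URL with whatever session came back. Returns (message, reached_internal)."""
    store = new_store({"alice": "correct horse battery staple"})
    for _ in range(MAX_FAILED_ATTEMPTS):
        login(store, "alice", "wrong")
    sid, msg = login(store, "alice", "correct horse battery staple")
    return msg, internal_page(store, sid)


if __name__ == "__main__":
    print("vulnerable:", reproduce(login_vulnerable))   # ('Account locked', True)
    print("fixed:     ", reproduce(login_fixed))        # ('Account locked', False)
```

When testing for this class of bug, do not stop at the error page: check the Set-Cookie headers on the "account locked" response and replay the cookie against an authenticated endpoint. Note also that a distinct "Account locked" message confirms that the user name exists, so a production fix would usually return one generic failure message for both cases.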

3 key 3DES, 2 key 3DES and effective security

There was a recent discussion around the effective security and effective key length of the 3DES algorithm. Basically, 3DES is DES applied three times, so three keys (K1, K2, K3) are involved in the operation. A DES key is 64 bits long, but 8 of those bits are parity bits, so only 56 bits are actually used for encryption. So in 3DES the total key size would be 168 bits (3 × 56).
Now there are 3 keying options in 3DES:
Option 1 (3-key 3DES), where K1, K2 and K3 are independent: the key length is 168 bits.
Option 2 (2-key 3DES), where two of the keys are equal, e.g. K1 = K3: the key material is still 168 bits, but the 'effective' key length is 112 bits.
Option 3, the least secure, where all three keys are the same, i.e. K1 = K2 = K3: the key material is still 168 bits, but the 'effective' key length is 56 bits, because the inner decryption undoes the first encryption and E-D-E collapses to a single DES.

Now, due to a known attack on 3DES, Meet-in-the-Middle (MITM), the 'effective' security of the above options is reduced as follows:

Option 1: 112 bits
Option 2: 80 bits
Opti…
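The reason the 168-bit option only buys 112 bits is the meet-in-the-middle attack, and it is easiest to see on a cipher small enough to enumerate. The block below is an added example (my own code, not from the post): a constructed 16-bit toy block cipher with an 8-bit key, which is not DES and has no security value, is used to show that double encryption with two independent k-bit keys falls to about 2^(k+1) cipher operations plus a 2^k-entry table instead of the 2^(2k) a brute force would need. The same structure caps 3-key 3DES: tabulate D_K2(E_K1(P)) over 2^112 (K1, K2) pairs and match against D_K3(C) over 2^56 K3 values, for roughly 2^112 work. The block also shows the option-3 collapse of E-D-E under one key.

```python
# Constructed toy cipher: 16-bit block, 8-bit key, 4 rounds of XOR / rotate / S-box.
SBOX = [0xE, 0x4, 0xD, 0x1, 0x2, 0xF, 0xB, 0x8, 0x3, 0xA, 0x6, 0xC, 0x5, 0x9, 0x0, 0x7]
INV_SBOX = [SBOX.index(v) for v in range(16)]
ROUNDS = 4
KEY_BITS = 8
MASK16 = 0xFFFF


def _round_key(key, r):
    rk = (key ^ (0x5B * r)) & 0xFF
    return (rk << 8) | (rk ^ 0xA7)


def _sub(x, box):
    return ((box[x >> 12] << 12) | (box[(x >> 8) & 0xF] << 8)
            | (box[(x >> 4) & 0xF] << 4) | box[x & 0xF])


def toy_encrypt(key, block):
    x = block & MASK16
    for r in range(ROUNDS):
        x ^= _round_key(key, r)
        x = ((x << 5) | (x >> 11)) & MASK16
        x = _sub(x, SBOX)
    return x


def toy_decrypt(key, block):
    x = block & MASK16
    for r in reversed(range(ROUNDS)):
        x = _sub(x, INV_SBOX)
        x = ((x >> 5) | (x << 11)) & MASK16
        x ^= _round_key(key, r)
    return x


def double_encrypt(k1, k2, p):
    return toy_encrypt(k2, toy_encrypt(k1, p))


def triple_ede(k1, k2, k3, p):
    """E-D-E as used by 3DES; with k1 == k2 == k3 the inner D undoes the first E."""
    return toy_encrypt(k3, toy_decrypt(k2, toy_encrypt(k1, p)))


def meet_in_the_middle(pairs):
    """Recover (k1, k2) of double encryption from known (plaintext, ciphertext) pairs.
    Returns (candidates, cipher_calls): key pairs consistent with every pair, and the
    number of cipher operations the search phase cost (table build + scan)."""
    p0, c0 = pairs[0]
    forward = {}                                   # E_k1(p0) -> [k1, ...]
    for k1 in range(1 << KEY_BITS):
        forward.setdefault(toy_encrypt(k1, p0), []).append(k1)
    cipher_calls = 1 << KEY_BITS
    candidates = []
    for k2 in range(1 << KEY_BITS):
        mid = toy_decrypt(k2, c0)                  # meet the table from the ciphertext side
        cipher_calls += 1
        for k1 in forward.get(mid, []):
            # One pair leaves false positives (2^16 key pairs into a 2^16 block space);
            # the remaining pairs weed them out.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates, cipher_calls


def brute_force_cost():
    return 1 << (2 * KEY_BITS)


def demo(k1=0x3A, k2=0xC7, plaintexts=(0x1234, 0xBEEF, 0x0001)):
    """Constructed known-plaintext set for the attack; returns what was recovered and the cost."""
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    candidates, calls = meet_in_the_middle(pairs)
    return {"recovered": (k1, k2) in candidates, "mitm_calls": calls,
            "brute_force_calls": brute_force_cost()}


if __name__ == "__main__":
    print(demo())   # {'recovered': True, 'mitm_calls': 512, 'brute_force_calls': 65536}
    k = 0x11
    print(triple_ede(k, k, k, 0x4242) == toy_encrypt(k, 0x4242))   # True: option 3 is single DES
```

Scaling the numbers up: with 56-bit DES keys the table has 2^56 entries and the attack costs about 2^57 operations against double DES, which is why double DES was never adopted and why 3-key 3DES is rated at 112 rather than 168 bits.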