

Showing posts from 2011

Process listening on the ports

Sometimes it becomes necessary to confirm which executable or process is listening on which port, in order to determine why a service is running there. For example, if you find a second web service running on another port, say 8082 in addition to port 80, you may need to determine which process is behind it. To see this, type:

netstat -anb

In the output, you can see that the inetinfo.exe process is listening on two ports, 80 and 3205, which are http and sapdp05 respectively, along with its PID (process ID), which in this case is 2644. So if you stop or kill the inetinfo.exe process, these services will stop. I have seen on some PCs, especially on Win7, that the netstat -ab command does not work. In that case, to determine the ports a specific process is listening on, type:

netstat -ano | find "2644"

since we know that PID 2644 is responsible for opening port 80 (http) and 3205 (sapdp05).
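As an added example (not part of the original post), the following Python script does the same triage the post walks through by hand: it parses `netstat -ano` output, maps each listening port to its owning PID, and flags listeners that are not on an expected list. The netstat text is constructed to mirror the inetinfo.exe case (PID 2644 on ports 80 and 3205); it was not captured from a real host.

```python
import re

# Constructed sample of `netstat -ano` output (not a real capture); the PID and
# ports mirror the inetinfo.exe case from the post, plus an unexpected 8082.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       2644
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:3205           0.0.0.0:0              LISTENING       2644
  TCP    0.0.0.0:8082           0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.10:49152     192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:137            *:*                                    4
"""

# proto, local addr, local port, foreign addr, optional state (UDP has none), pid
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s+(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local_port, state, pid) tuples; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _addr, port, state, pid = m.groups()
        rows.append((proto, int(port), state or "", int(pid)))
    return rows


def listening_ports(rows):
    """Map (proto, port) -> PID for listening TCP sockets and bound UDP sockets only."""
    ports = {}
    for proto, port, state, pid in rows:
        if proto == "TCP" and state != "LISTENING":
            continue  # established/time-wait sockets are not services
        ports[(proto, port)] = pid
    return ports


def ports_for_pid(rows, pid):
    """Same question as `netstat -ano | find "2644"`: which ports does this PID own?"""
    return sorted(port for (_p, port), owner in listening_ports(rows).items() if owner == pid)


def unexpected_listeners(rows, expected_ports):
    """Flag listening ports not on the expected list, e.g. a second web service on 8082."""
    return {port: pid for (_p, port), pid in listening_ports(rows).items() if port not in expected_ports}
```

Run against real output with `netstat -ano > out.txt` and `parse_netstat(open("out.txt").read())`; the expected-port set is whatever your build standard says should be listening.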

Article in Hakin9

My article on reversing an exe has been published in the October issue of the "Exploiting Software - Hakin9" magazine. This article is a basic introduction to reverse engineering. I have chosen to show the reversing of a sample exe file and how to patch it, so the article focuses on a practical example of reversing. It can be downloaded here. The article starts on page 38.

Dealing with Non-technical users

In the security profession, you usually take your findings to people with technical capabilities, so that they understand what you want to explain to them. But what if you need to deal with ordinary, non-technical users? They don't understand your security jargon; they only care about their business. I have been dealing with this sort of people for a long time, and when they are sitting in a remote location, it's very tough! The best way is to send them mails explaining the issue, its impact and how to fix it. Sometimes they co-operate with you, sometimes you are disappointed. For example, if you need to deal with users running an insecure service (suppose FTP) on their machines, the following approach seems to work:

1. First send a communication to them about the issue, e.g. what the service is all about and how it could be exploited if not closed or secured.
2. If they respond, well, tell them to stop FTP from Services.msc.
3. Sometimes, they are not sure

Securing Connection Strings

Today I again came across the scenario my colleague Sam once asked me about: best practices for securing connection strings, that is, the file holding the database connection string. Irrespective of technology, the general approach and best practice is to move the credentials out of the source code into a configuration file, which then needs to be properly protected using strong ACLs and strong encryption with properly protected keys. I shall give an example from .NET, which I am familiar with, and you can suggest that developers use a similar approach for Oracle and JSP pages. There are different approaches for different technologies. For ASP.NET you can use Windows authentication instead of putting the username/password and database (connection string) name in the source code. If that is not possible and you have to specify the username/password and database name, put them in a separate configuration file such as app.config or web.config and encrypt them

Open Mail Relay-How to test

An open mail relay is an SMTP server configured in such a way that it allows anyone on the Internet to send e-mail through it, not just mail destined to or originating from known users. This used to be the default configuration in many mail servers; indeed, it was the way the Internet was initially set up, but open mail relays have become unpopular due to their exploitation by spammers and worms. Many relays were closed, or were placed on blacklists by other servers. [Wikipedia]

How to test your mail server for open relay (the server replies are shown under each command):

1. At the command prompt type: C:/>telnet 25
   220 ESMTP MAIL Service Version 6.0.3894 ready at Tue, 22 Aug 2011 05:22:00 -0700
2. helo
   250 Hello
3. mail from:
   250 2.1.0 OK
4. rcpt to:
   250 2.1.5
5. data
   354 Start mail input; end with .
   This is a test mail. P

Use SSH - Reject Telnet, RSH/RLogin

The main problem with Telnet/rsh/rlogin/rcp is that they send information over the wire unencrypted. So whatever you type, including your username and password, goes in clear text over the wire, and anybody can sniff it and make your life difficult. The remote shell utilities such as rsh depend on a pre-authenticated IP connection: anything coming from that IP is trusted by them, and IP spoofing is not difficult! So use SSH, the secure way to send information over a network. The Secure Shell keeps unauthorized users out of our computers, both by encrypting passwords to protect them from sniffing and by providing stronger authentication than a simple password exchange. Instead of rsh, rcp, and rlogin, simply use the commands ssh, scp, or slogin.

How to tunnel Telnet through SSH:

1. Launch PuTTY and provide the destination host IP address.
2. Go to SSH -> Tunnels. Enter the destination server name or address followed by a colon and the port PuTTY will forward to.
3. Click on the Open button. A term

Web Application:Authorization Issues

I have written an article that was published in Hakin9 Magazine's July issue. It is about the different kinds of access control mechanisms in web applications and the issues with them. Access control, as the name suggests, is the mechanism for determining the privileges of different users to access the contents of an application. It can also manage fine-grained read and write permissions on the files owned by a particular user. In other words, access control decides who has the authorization to use files, manipulate their contents, or visit a website. In the case of web applications, access control mechanisms give different users different levels of access to web pages and functions. Want to read more? It can be found here, or by clicking on the list of articles on the right side of the blog.

Lifetime of cryptographic Hash functions

Developers often ask which hash is currently the best to work with. I always suggest the SHA-2 family (SHA-224, SHA-256, SHA-384, SHA-512), as they are still not known to be broken, and I found this chart very convincing and useful for comparing them: As you can see, among the popular hashes only SHA-2 remains undefeated. Reference:

Wireless Security- Best Practices

This article is about the different best practices that should be followed when using a wireless LAN. I am a little lazy to write it again :) . The article has been published in the June 2011 issue of ClubHack Magazine (pages 20-24). It can be downloaded here.

Disable NetBIOS

NetBIOS is an acronym for Network Basic Input/Output System. It provides services related to the session layer of the OSI model, allowing applications on separate computers to communicate over a local area network. Being strictly an API, NetBIOS is not a networking protocol. [Reference:]

Risks of NetBIOS:

1) NetBIOS Null Session Enabled: A NetBIOS null session allows users to connect to a host remotely with no username and password and perform a limited set of administrative tasks. Null sessions allow the remote user to gather information such as:
   1. List of users
   2. List of groups
   3. List of shares (including hidden shares)
   4. Policies (such as minimum password length, etc.)
   While the enumerated information is not an immediate risk, much of it can be leveraged to launch an attack to gain user or administrative privileges. All steps should be taken to eliminate the vulnerability and/or reduce the information available to the attacker.

2) NBTSTAT: All Mic

Testing for SSH

This is written for a specific scenario, so it may differ from yours. There are a few ways to find out whether SSH is enabled on a remote machine:

1) Log onto the Linux machine and type the following command: netstat -a or netstat -a | grep ssh. It lists all the services running on the machine. Look for ssh or port 22; if it is enabled, you can see it listed the same way as ftp and smtp.

2) Another way is to use PuTTY to connect to the remote Linux machine. Select ssh and port 22 and try to connect. If the connection is established, then ssh is there; otherwise, probably not. It's not a foolproof method, however.

3) One more option is to run a port scanner such as nmap. It lists all the services running on the machine.

Insecure protocols

Some basic insecure protocols and the risks associated with them:

FTP/Telnet/Rlogin/rsh/Rexec: These are insecure protocols because they use plain-text authentication. This means that when you authenticate to the telnet or ftp server you send your login and password across the network unencrypted, or "in the clear". In addition to sending the login and password in the clear, telnet and ftp also send the data or payload in the clear. There are commonly available programs that constantly monitor the network for packets that contain passwords. Preferably, all telnet and rlogin servers and clients should be removed from all machines; disable them if they are not used.

SNMP: Simple Network Management Protocol (SNMP) is a protocol for network management. SNMP lacks any authentication capabilities, which results in vulnerability to a variety of security threats. These include masquerading, modification of information, m