Wednesday, 7 May 2014

April Fool You Hackers !!!

Portspoof is meant to be a lightweight, fast, portable and secure addition to any firewall system or security system. The general goal of the program is to make the information gathering phase as slow and bothersome for your attackers as possible. This is quite a change from the standard 5s Nmap scan, which gives a full view of your system's running services.

So let's start directly with the common structure of Portspoof. First I will show the normal network structure without Portspoof, and then the structure with Portspoof. The figure below shows the normal structure of my network.

Friday, 2 May 2014

Metasploit Part 3/3 - Exploitation

Exploitation is the main part of penetration testing in many security professionals' careers. The ability to gain full control over a targeted machine is a great feeling. Various system and network protections have made it increasingly difficult to succeed with basic exploits, so we need to know advanced exploitation.

In this article, we move into more difficult attack methods, beginning with command-line interfaces to the Metasploit Framework. Most of the attacks and customizations discussed in this article will occur in msfconsole, msfencode, and msfpayload.

Before you begin to exploit systems, you need to understand a few things about penetration testing and exploitation.

Metasploit Part 2/3 - Vulnerability Scanning

Vulnerability scanning is part of penetration testing. A vulnerability scanner is an automated program designed to look for weaknesses in computer systems, networks, and applications. There are many vulnerability scanners available for penetration testing, but here we use the Metasploit Framework for vulnerability scanning.
Various operating systems respond differently because of the different networking implementations in use. A vulnerability scanner uses these unique responses to determine the operating system version and even its patch level. A vulnerability scanner can also use a given set of user credentials to log into the remote system and enumerate the software and services to determine whether they are patched.

Metasploit Part 1/3 - Information Gathering


Your goals during information gathering should be to gain accurate information about your targets without revealing your presence or your intentions, to learn how the organization operates, and to determine the best route. Metasploit is one of the best consoles for information gathering; it is a very comprehensive penetration testing tool. In this article, I am going to cover the whole information gathering process for a network using Metasploit.

Information gathering requires careful planning, research, and, most importantly, the ability to think like an attacker. At this step, you will attempt to collect as much information about the target environment as possible.

There are two types of information gathering: passive and active.

April Fool You Hacker :P

Portspoof is meant to be a lightweight, fast, portable and secure addition to any firewall system or security system. The general goal of the program is to make the information gathering phase as slow and bothersome for your attackers as possible. This is quite a change from the standard 5s Nmap scan, which gives a full view of your system's running services.

So let's start directly with the common structure of Portspoof. First I will show the normal network structure without Portspoof, and then the structure with Portspoof. The figure below shows the normal structure of my network.

Saturday, 12 April 2014

Web App Pentest - Part 5 XSS

Introduction

In my previous article we saw the different ways of fuzzing, including suffixes and prefixes. We used those fuzzing techniques to find error messages in a web application. Now that we know how to fuzz, we will use that skill to find XSS, generally known as cross-site scripting.

Friday, 11 April 2014

Web App Pentest - Part 4 Suffix & Prefix in Fuzzing

Introduction
Last time in this series of articles, we talked about fuzzing and the various SQL statement special characters that can be used to fuzz a web application. In this article I am going to focus on the various prefixes and suffixes used to fuzz the target web application.

Web App Pentest - Part 3 Fuzzing



Introduction
When we test a web application, we do not test a single page; we test many pages of a single web application. Each page may have more than one variable, so technically you will be dealing with a ton of variables within your web application test. When you inject anything into an input, it is good to know what kind of effect your injection has on the server. In this part of the article series we will look at the importance of simple alphabetic injection, along with web page encoding, and how it affects our testing and results.

Web App Pentest - Part 2 Identifying Injection Points

Identifying Injection Points
If your web page is static, you cannot test it much as far as security is concerned. You can test it to some extent, but you can't play with it as much as with a dynamic page. Nikto scanner is a good utility which works best in testing static sites. There has to be some interaction between client and server via a login panel, comment section, register page, contact us form and so on.

Sunday, 9 March 2014

Vigilance complaints pile up as Delhi Police doesn’t know password | The Indian Express

Over 600 complaints regarding the Delhi Police forwarded by the Central Vigilance Commission to an online portal have been pending for the past eight years. The reason: the Delhi Police didn’t know the password to access the portal or how to operate it, a lapse that went undetected since 2006.

In January finally, two Delhi Police officers, one of the level of deputy commissioner of police and another an inspector, were imparted “training” by the CVC on the same.

Sources in the CVC said 667 complaints had piled up, with no action taken by the police.

Each Delhi government department under the CVC, including the MCD, DDA and several investigating agencies, have a chief vigilance officer to look into complaints. If a complaint reaches the CVC, either it tackles it independently or it sends it to the concerned department

Sunday, 23 February 2014

Web App Pentest - Part 1 Introduction

In this series of articles, I am going to demonstrate how you can manually exploit the vulnerabilities of a web application, rather than using an automation tool, in order to find vulnerabilities in the application. Almost all companies worldwide focus on manual testing of web applications rather than running web application scanners, which limit your knowledge and skills and the scope of finding a vulnerability with your testing.
For the whole series I am going to use these programs:

Various Types of Wireless Attacks

As we all know, wireless networks have spread to every part of the world, from personal homes to corporate businesses, schools/universities, cafes etc. The major merit of a wireless network is that it eliminates the big, untidy cables that take up space and spoil the look of your working area. But as we all know, every coin has two sides. Wireless networks have demerits as well: they come with a high possibility of attacks. In this article I am going to describe different wireless attack techniques and what we should do to prevent those attacks on wireless networks.