Burp Suite : Configuring the browser and redirecting traffic

1.   Vide my last post about installing Burp Suite here ,now I move ahead to configure your browser in order to redirect all HTTP/S requests through Burp Proxy, instead of the actual target website. In my case here I am configuring a Mozilla Browser with proxy host address to 127.0.0.1 and the proxy port to 8080 , for both HTTP and HTTPS.The typical configuring of browsers is more or less common with major browsers with minor differences in interfaces.Here next I place you screen shots as I surfed a redirected traffic both for http and https via Burp Suite.First steps to configure Mozilla followed by screen shots :

Configuring Mozilla Firefox

- Click Firefox menu and then Preferences.
- In the Advanced options, under the Network tab, click on connection Settings.
- Select Manual proxy configuration.
- Enter the proxy host address as 127.0.0.1 and the proxy port as 8080.
- Select Use this proxy server for all protocols.
- Make sure to remove all exceptions from the No Proxy for field.
- Click OK and close.

2.   So now you have a working installation of Burp Suite and your browser is properly configured to intercept all requests.Now to test go to the browser, enter any http://www.****** site in the address bar and press Enter . If all is well, Burp Proxy should intercept this request. In Burp Suite,go to the Proxy and Intercept tab and verify that the web request is waiting for your approval.Ensure tha the Intercept on button is enabled; click on it and allow the request to transit through Burp by pressing Forward in Burp Suite Interface. Now in the browser, you should see the http page you entered in address bar.

Now try a https site and you are bound to see this warning as seen below in the screenshot.You will be presented with a This Connection is Untrusted page.In such a case, you are required to manually approve the connection by clicking on I Understand The Risks, then Add Exceptions... and Confirm Security Exception. To make sure that Burp Proxy is actually causing the warning, you click on the certificate status View... and see that the certificate belongs to PortSwigger CA as seen below in one screenshot.

 PortSwigger CA certificate

This setup means that Burp Suite is now ready for use as the traffic is being redirected as desired as per configuration....

Volatility Framework Command : Using pslist - pstree - psscan to identify process details from mem dump

This post will share an example to run the three volatility terminal commands including pslist, pstree and psscan

Before I proceed ahead,I would assume that you have installed volatility in your Linux system(in my case I am using UBUNTU,Installation explained at my earlier post at http://anupriti.blogspot.in/2015/09/volatility-advanced-memory-forensics.html) and you have a RAM dump of the OS u desire to analyse.In my case here I have taken the RAM dump of a Windows 7 OS as explained here at http://anupriti.blogspot.in/2015/09/volatility-command-using-imageinfo-to.html

Usage as follows :

pslist

The command pslist will be useful for any forensic prelim inquiry to find out the processes being run on the pc at the likely time of incident.The pslist command is used to list the processes of a system and it does not detect hidden or unlinked processes."pslist" module utilizes the same algorithm as the tasklist command that would be executed on the live computer. And also, Windows Task Manager uses the same approach as well.The command "pslist" traverses the list of active process structures that the Windows kernel maintains.The screen shot below shows a task manager activity of a windows PC i am using for test.Subsequently I have taken a fresh dump at this time and then analysed this dump with volatility on UBUNTU to find the process details which actually come out as the same as seen in the screenshots below :

Windows TASK MANAGER as seen in Windows OS
(CLICK TO ENLARGE)

The command usage at terminal syntax goes like this :

vol.py --profile=Win7SP0x86 -f windows_memory.raw pslist

Click on image to ENLARGE

Click on image to ENLARGE

 [TRIM]

Click on image to ENLARGE

 [TRIM]

The columns display the offset, process name, process ID, the parent process ID, number of threads, number of handles, and date/time when the process started. The offset is a virtual address by default, but the physical offset can be obtained with the -P switch as seen in the command below with screenshot.

vol.py --profile=Win7SP0x86 -f windows_memory.raw pslist -P

(Output with -P Switch)
Click on image to ENLARGE

pstree

pstree command is used to view the process listing in tree form and enumerates processes using the same technique as pslist, so it will also not show hidden or unlinked processes. Child process are indicated using indention and periods.SCreen shot of output and syntax as below :

vol.py --profile=Win7SP0x86 -f windows_memory.raw pstree

Click on image to ENLARGE

 psscan

psscan is used to enumerate processes by pool tag scanning and can find processes that previously terminated (inactive) and processes that have been hidden or unlinked by a rootkit. Syntax and screenshot of output as follows:

vol.py --profile=Win7SP0x86 -f win7.dmp psscan

Click on image to ENLARGE

Android Factory Reset : How trustworthy from a PRIVACY view?

1.  It is an accepted fact that one can remove all data from Android devices by resetting it to factory settings, or doing a "force reset." One can do so by either using the Settings menu to erase all your data or by using the Recovery menu.It is also understood that by performing a factory data reset, all data — like apps data, photos, and music etc will be wiped from the device.This reset in most of the cases will be required as a maintenance issue or when the user decides to sell his mobile to some other third guy.Now when he does a factory reset for ensuring himself that all his/her data is removed from the mobile,there is a sad angle recently revealed in a paper named "Security Analysis of Android Factory Resets" by Laurent Simon and Ross Anderson@University of Cambridge available at http://www.cl.cam.ac.uk/~rja14/Papers/fr_most15.pdf  that proves with technical demonstrations to negate the fact that the data and all privacy of accounts goes with the reset.Read on further for brief details...

2.  Even with full-disk encryption in play, researchers found that performing a factory reset on Android smart-phones isn’t always what it’s assumed safe up to be.Researchers found the file storing decryption keys on devices was not erased during the factory reset and they were successfully able to access data “wiped” Android devices from a wide variety of sources, including text messages, images, video, and even third-party applications. What’s more, researchers were able to “recover Google authentication tokens”, thereby enabling them to sync up any data a user had tied to Google’s services, including private emails.The study unveils five critical failures:

- the lack of Android support for proper deletion of the data partition in v2.3.x devices;

- the incompleteness of upgrades pushed to flawed devices by vendors;

- the lack of driver support for proper deletion shipped  by  vendors  in  newer  devices  (e.g.  on  v4.[1,2,3]);

- the  lack  of  Android  support  for  proper  deletion  of  the internal  and  external  SD  card  in  all  OS  versions; 

- the fragility  of  full-disk  encryption  to  mitigate  those  problems up to Android v4.4 (KitKat)

RECOVERY DETAILS OF DATA BY RESEARCHERS

ATTRIBUTED REASON

3.   Smartphones  use  flash  for  their  non  volatile  memory storage  because  it  is  fast,  cheap  and  small.  Flash  memory is  usually  arranged  in  pages  and  blocks.  The  CPU  can read  or  write  a  page  (of  typically  512+16  to  4096+128 data+metadata  bytes),  but  can  only  erase  a  block  of  from 32   to   128   pages.   Each   block   contains   both   data,   and “out-of-band”  (OOB)  data.When  removing  a  file,  an  OS  typically  only  deletes  its name  from  a  table,  rather  than  deleting  its  content.  The situation is aggravated on flash memory because data update does not occur in place, i.e. data are copied to a new block to  preserve  performance,  reduce  the  erasure  block  count and  slow  down  the  wear.  This makes a vulnerable issue as realised here by both these researchers.

Cracking linux password with John the ripper – Screenshots

1.   John the Ripper is a fast password cracker for UNIX/Linux and Mac OS X.. Its primary purpose is to detect weak Unix passwords, though it supports hashes for many other platforms as well. There is an official free version, a community-enhanced version (with many contributed patches but not as much quality assurance), and an inexpensive pro version.John is different from tools like hydra. Hydra does blind bruteforcing by trying username/password combinations on a service daemon like ftp server or telnet server. John however needs the hash first. So the greater challenge for a hacker is to first get the hash that is to be cracked. Now a days hashes are more easily crackable using free rainbow tables available online. Just go to one of the sites, submit the hash and if the hash is made of a common word, then the site would show the word almost instantly. Rainbow tables basically store common words and their hashes in a large database. Larger the database, more the words covered.This post brings out screen shots showing usage of the tools with screenshots step wise....in Kali Linux

2.   In this post I am going to show you, how to use the unshadow command along with john to crack the password of users on a linux system. On linux the username/password details are stored in the following 2 files

/etc/passwd
/etc/shadow

In the screenshot below I create a user by the name of lima and create a short password for testing the tool

The unshadow command will basically combine the data of /etc/passwd and /etc/shadow to create 1 file with username and password details. Usage is quite simple as seen below :

 

Now this new file shall be cracked by john. For the wordlist we shall be using the password list that comes with john on kali linux. It is located at the following path

/usr/share/john/password.lst

 

So the password cracked is "test"

A veri simple yet powerful tool as we see from the screenshots above...

Testing UBUNTU for SHELLSHOCK vulnerability

Shellshock,the now famous vulnerability in GNU's bash shell that gives attackers access to run remote commands on a vulnerable system. If your system has not updated bash in since Tue Sep 30 2014: 1:32PM EST , you're most definitely vulnerable and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) to the most recent version 4.3.Its always good to at least close known bugs and holes since zero vulnerabilities always exist....here i bring out few ready made cut/paste terminal commands to test your UBUNTU...This simply involves running of a script shellshock_test.sh.Source code at https://github.com/wreiske/shellshocker/blob/master/shellshock_test.sh

Screen shot shown below as run from my system :  

Terminal cmd : curl https://shellshocker.net/shellshock_test.sh | bash

(Click to ENLARGE)

New Laptops without Windows 8 @ Rare

1.   Strange it may seem but the current availability of Laptops for sale in the market show a peculiar sad state of specs...ie they are available only with Windows 8.There are rare options on few sites that offer New laptops for sale without Windows OS.I have been planning to buy a laptop with i3/i5 processor and in my search over various sites I came across this sad but surprising stat.

2.  Infact leading online shopping retails in Dubai have got NIL option to buy a laptop without Windows 8.I checked up at the following sites :

- www.sharafdg.com/‎

- http://www.carrefouruae.com/

- http://www.ic4uae.com/

3.   Even the options without Windows 8 on leading retails in India have much lesser options then with Windows 8. Checked up at Flipkart, snapdeal,timesofindia shopping to mention a few.

 

 4.   Given these facts...it looks like Microsoft has put in rigorous and vigorous marketing efforts to increase there sales graph for Windows 8.For those guys who wish to buy Windows 8 laptop and then attempt removing the windows and install some Linux flavour...it is equally surprising that unlike till Windows 7 wherein it was relatively a matter of deleting Windows and installing Linux...it is complex removing Windows 8 so the user has to be content with a dual boot option wherein he has to compromise with wastage of space dedicated to Windows....

5.  Thus there is a kind of binding that comes along with these laptops with Windows 8 that you cannot mov to another OS.....:-(

Reduce Tracking/Increase Privacy : Start Mozilla in PRIVATE MODE by default

1.   Earlier in one of my posts I had shown on how to start chrome in "INCOGNITO" mode to avoid any cache storing and also at the same time remove cookies at the end of the session....the following steps make way to start the mozilla browser by default in a private mode.

2.   As shown in the screen shot below...go to the Edit drop down menu and select preferences and then go to the privacy tab and select NEVER REMEMBER HISTORY

(Click on the image to enlarge)

(Click on the image to enlarge)

(Click on the image to enlarge)

 3.     The video cast below :

ARACHNI Web Scanner

1.    When we start finding vulnerabilities in a web application,either we have a option to do it manually by putting in hours of patience and grilling or we generally hear the commonly used tools like Acunetix and few other online scanners...or for may be afford a luxury like IBM - Proventia Network Enterprise Scanner ..but there is an open source tool option to Acunetix. Takes lil bit of time but the amount of options that it offers are huge...and gives a great report that is exhaustive.

2. Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications. It is smart, it trains itself by learning from the HTTP responses it receives during the audit process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify false-positives. It is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform.

3.   Arachni is a fully automated system which tries to enforce the fire and forget principle. As soon as a scan is started it will not bother you for anything nor require further user interaction.Upon completion, you will be able to export the scan results to several different formats (HTML, Plain Text, XML, etc.).Few useful pointers about details of this good scanner : 

Download from         -  http://www.arachni-scanner.com/download/

Homepage                 - http://arachni-scanner.com

Blog                          - http://arachni-scanner.com/blog

Documentation          - https://github.com/Arachni/arachni/wiki

Support                     - http://support.arachni-scanner.com

GitHub page              - http://github.com/Arachni/arachni

Code Documentation - http://rubydoc.info/github/Arachni/arachni

Author                     - Tasos "Zapotek" Laskos (http://twitter.com/Zap0tek)

Twitter                    - http://twitter.com/ArachniScanner

4.    To use Arachni run the executables under "bin/".

To launch the Web interface:

   cd bin

   ./arachni_web in a separate terminal

and ./arachni_rpcd in a separate terminal

Default account details:

    Administrator:

        E-mail address: admin@admin.admin

        Password:       administrator

    User:

        E-mail address: user@user.user

        Password:       regular_user

5.    For a quick scan: via the command-line interface:

    bin/arachni http://test.com

6.     For detailed documentation see:        http://arachni-scanner.com/wiki/User-guide

MATRIUX KRYPTON :INSTALLATION STEP by STEP

This screen cord gives a step by step installation in virtual box starting right from choosing the .ISO and configuring the machine.The default password for root is "toor" without quotes.

THE FUTURE OF OSs : MICROSOFT VERSION

1. Microsoft's involvement in playing a key role in the field of future operating systems can be gauged from the fact deciphered below in successive paragraphs.

2. So when Microsoft tries working on the futuristic versions of operating systems...the surprise is that windows does not come in the discussion....windows is out...yessss!!!it is terms like MIDORI,SINGULARITY,BARRELFISH,HELEOS.....the names must be sounding french to people like me....just read ahead!!!

MIDORI

3. Midori based on their Singularity operating system research project is an experimental operating system, in which all code, even device drivers, and the kernel itself are written in managed code, making the operating system much safer. The operating system also has a large focus on concurrency.Midori is in incubation, which means it is a little closer to market than most Microsoft Research projects, but not yet close enough to be available in any kind of early preview form to users.

BARRELFISH

4. Barrelfish, an OS written specifically for multicore environments. It hopes to improve the performance of boxes with such chips by creating a network bus and calls itself a multi-kernel operating system. Its focus is on leveraging the increasing number of cores in desktop processors. The mainstream operating systems today, Windows, and Linux, have both been designed for single-core computers, with multi-processing support added on later. 

5. The Barrelfish project instead tries to redefine the entire operating system keeping in mind that multi-core is here is stay. Today we have dual-core, quad-core, and even hexa-core, but given a decade, we may be looking at hecto-, kilo-, or even mega-core computers! These will require a rethinking of the very organization of the operating system.

6. Barrlefish does just that. It treats the multi-core processor environment as a collection of networked processor cores, and applies the concepts used with distributed computing to manage the execution of the computer's processes. This has the effect of making the system much more scalable. An interesting part of this approach is also 

that the processor cores need not be homogeneous! The multiple kernels could all be running on processors of different architectures, one kernel might be executing on an ARM, while another on a x86, and a third on a GPU!

HELEOS

7. Heleos, another research OS in MS labs and their latest revelation, takes the concept of heterogeneous multiprocessing further, and introduces "satellite kernels".It explains that current operating systems are designed with a homogeneous running environments in mind. For this reason, an operating system is written for either an IA64, or an x86, or a PPC, or an ARM platform, however it cannot leverage all of them. Our computers however are no longer homogeneous. We have CPUs and GPUs of different architectures, each with multiple cores. The GPU is highly optimized for a vector processing, and has an architecture which vastly differs from that of the CPU, with a completely different instruction set and performance characteristics. 

8. The Helios project introduces satellite kernels, which essentially presents the developers with a "single,uniform set of OS abstractions across CPUs of disparate architectures and performance characteristics." This satellite kernel is a micro-kernel, and runs all other services and drivers in individual processes.

9. With Singularity and Barrelfish both available as open source releases, it seems Microsoft might just be headed for a more open future. 

10. Thanks DIGIT and Microsoft for the updates.

THE LINK : BJP & OPEN SOURCE!!

1. Rajnitee and IT ?Do they share a relation in our country? Do they meet anywhere in Indian scenario?Have you ever heard a technical IT buzz word shooting from any of the mantri’s mouth.I am sure in most cases the answer would be NO. 

2. Recently I read this article at the http://infotech.indiatimes.com/articleshow/4272163.cms wherein it adverted that Mr L.K.Advani has said that if his party comes to power, it will actively promote opensource software and internet telephony. Now irrespective of  whether Mr Advani knows what open source software is or not,or whether he just recited what he was told to by IT savvy speech writer,the good good news is that IT is buzzing now in politics.

 3. The power of open source software is still lying completely unexploited in our country for most of us don’t know what opensource has in store for us.All paid softwares ex any Software developer viz Microsoft,Corel etc to name a few has an equivalent in opensource costing free which unfortunately now one is aware.Did you still not understand ? Read on for what is open source? 

4. Open source software (OSS) is defined as computer software for which the source code and certain other rights normally reserved for copyright holders are provided under a software license that meets the Open Source Definition or that is in the public domain. This permits users to use, change, and improve the software, and to redistribute it in modified or unmodified forms. It is very often developed in a public, collaborative manner. The term open source software originated as part of a marketing campaign for free software. A report  states that adoption of open source software models has resulted in savings of about $60 billion per year to consumers.(…thanks wiki) 

5. So Mr L K Advani’s party seems to be the first to realize the power hidden in this.Good!Isn’t it…….Now why open source doesn’t seem to be a success in India?One line answer….may I attempt?........”because Microsoft’s Cracked Windows Xp and Vista are available for free in any gali,mohalla of the Hindustan.So the next motto for a political party would be to crack those crackers!!!!!!!!!!For now its INDIA SHINING!