Tuesday, February 22, 2011

Hack3rcon 2010 Videos

Intro with Rob Dixon and Johnny Long
Download MPEG4 (36.4 M)
Download MPEG4 (44.1 M)
Download MPEG4 (301.4 M)
Download MPEG4 (282.6 M)
Download MPEG4 (275.9 M)
Download MPEG4 (300.1 M)
Download MPEG4 (290.1 M)
Download MPEG4 (312.1 M)
Download MPEG4 (305.0 M)
Download MPEG4 (309.1 M)

DOJOCON 2010 Videos

International Cyber Jurisdiction: "Kill Switching" Cyberspace, Cyber Criminal Prosecution & Jurisdiction Hopping

When Domain Names Look Like Spaghetti (or Whatever): Internationalized Domain Names & Investigations in the Networked World



Sunday, February 20, 2011

How to Test for Brute Force Vulnerabilities

See the OWASP Testing Guide article on how to Test for Brute Force Vulnerabilities.

During this type of attack, the attacker tries to bypass security mechanisms while having minimal knowledge of them, using one or more available methods: a dictionary attack (with or without mutations) or a brute-force attack (over given classes of characters, e.g. alphanumeric, special, case-(in)sensitive). Given the chosen method, the number of tries, the efficiency of the attacking system and the estimated efficiency of the attacked system, the attacker can calculate how long the attack will have to last. Only an exhaustive brute-force search over all classes of characters is guaranteed to succeed eventually; attacks that do not cover the whole keyspace, such as dictionary attacks, give no certainty of success.


Brute-force attacks are mainly used for guessing passwords and bypassing access control. However, many tools also use this technique to enumerate a web service's directory structure and look for information that is interesting from the attacker's point of view. Very often the targets of an attack are data in forms (GET/POST parameters) and users' session IDs.

Example 1

In the first scenario, where the goal of brute-forcing is to recover the password in plaintext, John the Ripper is a very helpful tool. The top 10 tools for password cracking with different methods, including brute force, can be found at http://sectools.org/crackers.html.

For testing web services there are tools like:
- dirb (http://sourceforge.net/projects/dirb/)
- WebRoot (http://www.cirt.dk/tools/webroot/WebRoot.txt)

dirb is one of the more advanced tools. With it we are able to:
- set cookies
- add any HTTP header
- use a proxy
- mutate objects that were found
- test http(s) connections
- search for directories and/or files using defined dictionaries and templates
- and much, much more

The simplest test to perform is:
rezos@dojo ~/d/owasp_tools/dirb $ ./dirb http://testsite.test/
DIRB v1.9
By The Dark Raver
START_TIME: Mon Jul  9 23:13:16 2007
URL_BASE: http://testsite.test/
WORDLIST_FILES: wordlists/common.txt
SERVER_BANNER: lighttpd/1.4.15
(Location: '' - Size: 345)


Generating Wordlist...
Generated Words: 839

---- Scanning URL: http://testsite.test/ ----
FOUND: http://testsite.test/phpmyadmin/
       (***) DIRECTORY (*)

In the output the attacker is informed that the phpmyadmin/ directory was found, and can now attack that application. Among dirb's templates there is a dictionary of paths that indicate an invalid httpd configuration; this dictionary will detect weaknesses of that kind.

One of the main problems with tools like dirb is deciding whether a given server response is the expected one and can be relied upon. With a more advanced server configuration (e.g. with mod_rewrite), automatic tools are unable to determine whether the server response signals an error or whether the file the attacker is after was found.

The application WebRoot.pl, written by CIRT.DK, has built-in mechanisms for parsing server responses and, based on a phrase specified by the attacker, decides whether the server response is the expected one.
For example:

./WebRoot.pl -noupdate -host testsite.test -port 80 -verbose -match "test" -url "/private/<BRUTE>" -incremental lowercase -minimum 1 -maximum 1

o          Webserver Bruteforcing 1.8          o
0  ************* !!! WARNING !!! ************  0
0  ******* FOR PENETRATION USE ONLY *********  0
0  ******************************************  0
o       (c)2007 by Dennis Rand - CIRT.DK       o
[X] Checking for updates                - NO CHECK
[X] Checking for False Positive Scan    - OK
[X] Using Incremental                   - OK
[X] Starting Scan                       - OK
   GET /private/b HTTP/1.1
   GET /private/z HTTP/1.1
[X] Scan complete                       - OK
[X] Total attempts                      - 26
[X] Sucessfull attempts                 - 1

WebRoot.pl found one file, "/private/b", on testsite.test whose response contains the phrase "test".

Another example is to examine ranges of the variable's values:
./WebRoot.pl -noupdate -host testsite.test -port 80 -verbose -diff "Error" -url "/index.php?id=<BRUTE>" -incremental integer -minimum 1 -maximum 1

Defensive Tools

Php-Brute-Force-Attack Detector
Detects when your web servers are being scanned by brute-force tools such as WFuzz and OWASP DirBuster and by vulnerability scanners such as Nessus, Nikto, Acunetix, etc. This helps you quickly identify probable probing by attackers looking for security holes.
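The detection idea behind tools like the one above is simple: a wordlist scanner such as dirb produces a burst of requests from one client in which almost every path is missing (HTTP 404), and many scanners announce themselves in their User-Agent. The following is an added example, not the detector's own code, that applies both heuristics to Apache/nginx combined-format access log lines. The log lines, the scanner User-Agent tokens and the thresholds (20 requests in 60 seconds with at least 80% 404s) are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format; sample lines are constructed below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Substrings of User-Agent values that common scanners send by default (assumed list).
SCANNER_UA_TOKENS = ("dirbuster", "nikto", "wfuzz", "nessus")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_scans(lines, window_s=60, min_requests=20, min_404_ratio=0.8):
    """Return {client_ip: reason} for clients that look like directory brute-forcers.

    Heuristic 1: at least min_requests requests within window_s seconds, of which
                 min_404_ratio or more returned 404 (wordlist probing of absent paths).
    Heuristic 2: a User-Agent naming a known scanner.
    Lines must be in time order per client, as they are in a real access log.
    """
    hits = {}
    recent = defaultdict(deque)  # ip -> (timestamp, status) pairs inside the window
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if any(tok in rec["ua"].lower() for tok in SCANNER_UA_TOKENS):
            hits.setdefault(ip, f"scanner user-agent: {rec['ua']}")
        q = recent[ip]
        q.append((ts, rec["status"]))
        while q and (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= min_requests:
            ratio = sum(1 for _, s in q if s == 404) / len(q)
            if ratio >= min_404_ratio:
                hits.setdefault(ip, f"{len(q)} requests in {window_s}s, {ratio:.0%} 404")
    return hits


# Constructed sample: one client walking a 25-word list (only phpmyadmin/ exists),
# one ordinary browser, and one client with a scanner User-Agent.
WORDS = ["admin", "backup", "cgi-bin", "config", "db", "dev", "logs", "old", "phpmyadmin",
         "private", "secret", "test", "tmp", "upload", "users", "www", "xml", "zip", "api",
         "stats", "include", "lib", "bin", "data", "etc"]
SAMPLE_LOG = [
    f'203.0.113.5 - - [20/Feb/2011:10:00:{i:02d} +0000] "GET /{w}/ HTTP/1.1" '
    f'{200 if w == "phpmyadmin" else 404} 345 "-" "Mozilla/4.0"'
    for i, w in enumerate(WORDS)
] + [
    '198.51.100.7 - - [20/Feb/2011:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Feb/2011:10:00:09 +0000] "GET /style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Feb/2011:10:00:11 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [20/Feb/2011:10:00:30 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "DirBuster-1.0 (constructed)"',
]

if __name__ == "__main__":
    for ip, reason in detect_scans(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

The per-client sliding window keeps memory bounded on a busy server, and the 404 ratio rather than a raw request count keeps a legitimate page with many assets from being flagged. Tune the thresholds against your own traffic before acting on the output, and remember that a scanner behind mod_rewrite-style catch-all pages will see 200s instead of 404s, which is exactly the case the text says automatic tools struggle with.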

Thursday, February 17, 2011

How To Secure Your Wireless Home Network

Securing a wireless home network is very important because if you don't, your neighbors can not only borrow your Internet connection but also access your files. Even worse, hackers can use your Internet connection to upload illegal materials, and the FBI will ring your bell...

Step 1  

Connect to your router via your browser to perform the following steps.

Step 2  

Enable encryption on your access point. Using 128-bit encryption or higher makes your Wireless Network more secure. WEP and WPA are entirely different encryption schemes. WEP has been proven insecure and can be cracked in a few minutes using free utilities that can be downloaded from the Internet. Using at least WPA is recommended, because it is much more secure, but is sometimes a bit harder to set up correctly than WEP is, and isn't completely secure. Some older access points or wireless cards do not support WPA2. If you have one of these, it is recommended that you purchase a newer one that supports WPA2, depending on how important you consider your security.

Step 3  

Set the router access password. Anybody who gains access to the router configuration settings can disable the security you have set up. If you forget the password, most routers have a hardware reset that will restore all of the settings to factory defaults. The best option is to use a random sequence of the maximum length of characters - you only have to type that once, so it is not a big thing. When you connect to the router via LAN cable while setting it up, you can copy and paste the password onto the router and onto your local setting, so you never need to type it again.
  • Use a secure password. Don't use easily guessed passwords for your WPA2 or router access passwords, such as "ABC123", "Password", or a string of numbers in order. Use something hard to guess that contains both upper and lowercase letters as well as numbers. Special characters such as !@#$% are not supported by some routers. The longer the key, the better, although the WPA2 key has a minimum and maximum length. Try to make a little mental effort -- good passwords might be hard to remember, but they are harder to crack.
  • If you use a weak key then even WPA and WPA2 can be easily cracked within a day using a combination of special precomputed tables and dictionary attacks. The best way to generate a secure key is to use an offline random number generator or write the entire alphabet in uppercase and lowercase and numbers 0-9 on separate pieces of paper, mix the paper up and randomly pick up pieces and return them, mixing them up again each time; each character you pull out becomes a character in your key. You can also try throwing a pair of dice and using the resulting numbers as your password.
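The bullets above recommend an offline random source for the WPA2 key and note that a weak key falls to precomputed tables and dictionary attacks. This added example, which is not part of the original guide, generates a passphrase with Python's CSPRNG, checks it against the WPA2 passphrase rules (8 to 63 printable ASCII characters), and reports how much entropy a given length carries and roughly how long exhaustive search would take at an assumed guess rate. The alphabets and the default guess rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# WPA2-PSK passphrases are 8 to 63 printable ASCII characters.
WPA2_MIN_LEN, WPA2_MAX_LEN = 8, 63

# Alphabets to draw from. Some routers reject special characters (as the text notes),
# so "alnum" is the default; "full" adds common punctuation (assumed set).
ALPHABETS = {
    "alnum": string.ascii_letters + string.digits,
    "full": string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?",
}


def is_valid_wpa2_passphrase(passphrase):
    """True if the passphrase satisfies the WPA2 length and printable-ASCII rules."""
    return (WPA2_MIN_LEN <= len(passphrase) <= WPA2_MAX_LEN
            and all(32 <= ord(c) <= 126 for c in passphrase))


def generate_passphrase(length=WPA2_MAX_LEN, alphabet="alnum"):
    """Generate a WPA2 passphrase from the OS CSPRNG (secrets), never random.random()."""
    if not WPA2_MIN_LEN <= length <= WPA2_MAX_LEN:
        raise ValueError(f"WPA2 passphrase length must be {WPA2_MIN_LEN}..{WPA2_MAX_LEN}")
    chars = ALPHABETS[alphabet]
    return "".join(secrets.choice(chars) for _ in range(length))


def entropy_bits(length, alphabet="alnum"):
    """Entropy of a uniformly random passphrase of this length over this alphabet."""
    return length * math.log2(len(ALPHABETS[alphabet]))


def expected_crack_seconds(length, alphabet="alnum", guesses_per_second=100_000):
    """Expected time for exhaustive search (half the keyspace on average).

    The guess rate is an assumed illustrative figure, not a measurement of any
    real cracking setup; the point is how the time scales with length.
    """
    keyspace = len(ALPHABETS[alphabet]) ** length
    return (keyspace / 2) / guesses_per_second


if __name__ == "__main__":
    key = generate_passphrase()
    print("passphrase:", key)
    for n in (8, 12, 20, 63):
        years = expected_crack_seconds(n) / (365 * 24 * 3600)
        print(f"{n:2d} chars: {entropy_bits(n):6.1f} bits, ~{years:.3g} years at 1e5 guesses/s")
```

Paste the generated key into the router over the wired setup connection, as the text suggests, rather than retyping it. Note that the years column only reflects exhaustive search over random keys; a passphrase taken from a dictionary has far less entropy than its length suggests, which is why the guide warns against such keys.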

Step 4  

Change the Service Set Identifier (the network name or "SSID") from the default to something unique. A default SSID indicates to hackers that the network was set up by a novice and that other options (such as the password) are also left as the default. Use a name you can remember and identify, as the SSID has no influence on the security of your network (not even if you choose not to broadcast it).

Step 5  

Enable MAC Address filtering on your Access Point or router. A MAC (not to be confused with the computer model 'Mac') address is a code unique to every wireless networking card in existence. MAC Address filtering will register the hardware MAC Address of your networked devices, and only allow devices with known MAC Addresses to connect to your network. However, hackers can clone MAC addresses and still enter your network, so MAC address filtering should not be used in place of proper WPA2 encryption.

Step 6  

Do not disable the 'SSID Broadcast' feature of your Access Point or router. This seems counter-intuitive, but disabling it is actually a bad idea. Although it would make your network invisible to your neighbors, any determined hacker can still sniff out your SSID; and you are implicitly forcing your computer to shout out your SSID anywhere you are while it is trying to connect. Anyone could then impersonate your router with that SSID and get your credentials that way.

Step 7  

Disable remote login. The first router worm brute forces its way into the router in this manner. Most default usernames are set to Admin. It isn't hard for a virus/worm to crack the password if the username is known. The good thing is that routers normally have this disabled by default. Be sure to confirm that it is disabled when you first set up your router and periodically thereafter. If you need to update your router setting remotely, only set up access for the time you are going to be connected.

Step 8  

Disable wireless administrating. Finally, change the setting that allows administrating the router through a wireless connection to 'off' (meaning that you need to connect with a LAN cable for administration). This disables any wireless hacking into the router! (aside from breaking into your house)


  • You need to set the same WPA2 Settings on your computer and router.
  • Use the 'Shared Key' method of encryption, so that all data passed between clients is encrypted properly.
  • Check your Access Point or Routers' documentation on how to enable or disable security features.
  • You may need to upgrade the Firmware of your Access Point or Router if it doesn't have any of these features. In some situations, you will need to purchase a new Access Point.


  • Be sure to register all devices on your network, including computers, laptops, media players, and networked storage if you are using MAC filtering. Also, be sure to enter the MAC addresses correctly as if you enter the wrong ones, you will not be able to connect the computer to the router to change them back and you will need to reset the router. Some routers allow you to save them while they are connected.
  • Windows doesn't have individual wireless settings for different wireless domains. This means that the settings that 'share' files at home with your LAN will 'share' files with anybody else's wireless network, even a wireless network masquerading as one you trust.
  • Disable 'File and Printer Sharing' in the wireless 'Connection Properties' for your portable computer. Only use the 'Client for Microsoft Networks' half of Microsoft's file sharing. This means that your portable must connect to a machine that shares file/folders in order to access things, and that OTHER computers can't ask to connect to your portable to access files on your machine. At least not through Microsoft's 'File Sharing'. Other running services and back doors may exist.
  • A user with a 'cantenna' can access your wireless network from a very long way off. Just because your notebook doesn't get a signal on the porch doesn't mean someone else can't access or monitor your network from a mile away, meaning that even though you don't think anyone in your neighborhood would break into your network, someone far away might.

WEP Password Cracker: Wireless Network Hacking | Download Wi-fEye

Wi-fEye is designed to help with network penetration testing. It will allow you to perform a number of powerful attacks automatically: all you have to do is launch Wi-fEye, choose which attack to perform, select your target and let Wi-fEye do the rest.

Wi-fEye is divided into four main menus:

1. Cracking: this menu will allow you to:
  • Enable monitor mode
  • View available wireless networks
  • Launch Airodump-ng on a specific AP
  • WEP cracking: this will allow you to perform the following attacks automatically:
    - Interactive packet replay
    - Fake Authentication Attack
    - Korek Chopchop Attack
    - Fragmentation Attack
    - Hirte Attack (cfrag attack)
    - Wesside-ng
  • WPA cracking: this contains the following attacks:
    - Wordlist Attack
    - Rogue AP Attack

2. Mapping: this menu will allow you to do the following:
  • Scan the network and view the connected hosts
  • Use Nmap automatically

3. MITM: this menu will allow you to do the following automatically:
  • Enable IP forwarding
  • ARP Spoof
  • Launch ettercap (text mode)
  • Sniff SSL/HTTPS traffic
  • Sniff URLs and send them to a browser
  • Sniff messages from instant messengers
  • Sniff images
  • DNS Spoof
  • HTTP Session Hijacking (using Hamster)

4. Others: this menu will allow you to do the following automatically:
  • Change MAC Address
  • Hijack software updates (using Evilgrade)