Oct 22, 2011

Howto: Deobfuscating malicious code.

This post is the summary from Pandalabs's blog. If you want to see full detail, please go to the source.

1. Install Malzilla
2. Copy the obfuscate code into Malzilla
3. Hit the "Format Code" button.
4. Copy the code into text editor
5. Get the Javascript part into the new page for easy analyses.
6. Find the first function that was run when script start.
7. Create the code that will receive what is the buffer of return value of first function.

Example decode the buffer from the source.

function decode
   var string01 = document.getElementId('variable').innerHTML;
   var var_array = new Array(2,3,2,3);
   var index = 0;
   var index2 = 0;
   var buffer = "";
   while( index < string01.length)
        index += var_array[index2];
        buffer += string01.charAt(index);
        if ( index2 == var_array.length)
   return buffer;

8. Run the code in the browser.
9. You will know what the purpose of that function. So do it in every function that you want to know what it will do.

Source: http://pandalabs.pandasecurity.com/deobfuscating-malicious-code-layer-by-layer/

If you like my blog, Please Donate Me

OSSAMS Alpha – Security Testing Automation and Reporting

As information security professionals, we conduct security assessments for companies.  One of the biggest problems we have is after all the data is collected, how can we correlate the data accurately.
Cody Dumont, Adrien de Beaupre, and Darryl Williams decided to start a project to solve this problem, and we are calling it Open Source Security Assessment Management System (OSSAMS).  OSSAMS is a framework for putting configuration files, security scan data files (like Nessus), and other data collected, during a security assessment or penetration test, into a RDBMS.
The framework is going to be designed in a fashion similar to Metasploit, SNORT, or other systems that allow the security community to create plugins for new tasks as needed.  The primary goal of OSSAMS is to normalize the data, there by allowing the security professional to better assess the current state of security for an organization.

Download :: http://www.ossams.com/?page_id=46   

Source: http://www.vulnerabilitydatabase.com/2011/10/ossams-alpha-security-testing-automation-and-reporting/

If you like my blog, Please Donate Me

iPad 2 iOS 5 Lock Screen Bypass Vulnerability

1) Lock a password protected iPad 2
2) Hold down power button until iPad 2 reaches turn off slider
3) Close Smart Cover
4) Open Smart Cover
5) Click cancel on the bottom of the screen

This isn’t the first security issue Apple has experienced since rolling out iOS 5. On the brand new iPhone 4S it has been discovered you can use Siri when a device is locked. Even if a passcode is required, Siri doesn’t care and allows you to carry out functions such as sending email and text messages.

Protection Against the iPad 2 Lock Screen Bypass:

For the time being, iPad 2 users are encouraged to disable the “
Smart Cover unlocking” feature found in Settings > General.

Source: http://thehackernews.com/2011/10/ipad-2-ios-5-lock-screen-bypass.html

If you like my blog, Please Donate Me

Oct 21, 2011

Howto: Create And Control ZEUS Bot.

So today we are going to learn another botnet, THE ZEUS BOT, yes you read it correct.
I don't think that you may not have heard about Zeus, it's one of the most dangerous bot in the world.
But why I'm showing it??

Because I want you to learn the most hazardous attacks of the world, not just hacking with some tools like
skr!p7 k!dd!3s....I want you to be a proffessional, not a hacker.

You can get the Bot from here.

Ok my lecture is over, here's the practical.

Note:- For educational and learning purposes, I will not be responsible for your shity work.

Step 1: First things first, open an account on a free hosting (or paid) with MySQL support.

Step 2: Now create a MySQL database and copy the details, you'll need them.

Step 3: Extract the files of zeus.rar and open "install" folder and open index.php

Step 4: Now some editing, go to line number 154 and edit the details which are asked. see above.

Step 5: Now goto /cpanel/system and open global.php and set the same values there which you can find at line number 408.

Step 6: We are done with setup, now goto /zeus and open config.txt and set the details as in picture:

Step 7: Open the builder.exe and click on "Build config" you'll get a file named "cfg.bin" and click on "Build Loader" you'll get bt.exe (infected file).

Step 8: Now upload the files in the same sequence as they appear in your PC:

Step 9: After uploading, Open http://yourhost.com/install/index.php, you should get a screen like this.

Step 10: Fill the details and click on install. Now open a new tab and type: "yourhost.com/cp.php" and finally you are ready to go.

Do not use it on any server or system which you don't own. It is an illegal action.

Source: http://www.kislaybhardwaj.com/2011/10/tutorial-of-zeus-bot.html

If you like my blog, Please Donate Me

Preventing CSRF With Ajax

You can try to apply the ValidateAntiForgeryTokenAttribute attribute to an action method, but it will fail every time if you try to post JSON encoded data to the action method. On one hand, the most secure action possible is one that rejects every request. On the other hand, that’s a lousy user experience.
The problem lies in the fact that the under the hood, deep within the call stack, the attribute peeks into the Request.Form collection to grab the anti-forgery token. But when you post JSON encoded data, there is no form collection to speak of. We hope to fix this at some point and with a more flexible set of anti-forgery helpers. But for the moment, we’re stuck with this.
This problem became evident to me after I wrote a proof-of-concept library to  ASP.NET MVC action methods from JavaScript in an easy manner. The JavaScript helpers I wrote post JSON to action methods in order to call the actions. So I set out to fix this in my CodeHaacks project.
There are two parts we need to tackle this problem. The first part is on the client-side where we need to generate and send the token to the server. To generate the token, I just use the existing @Html.AntiForgeryToken helper in the view. A little bit of jQuery code grabs the value of that token.

var token = $('input[name=""__RequestVerificationToken""]').val();

That’s easy. Now that I have the value, I just need a way to post it to the server. I choose to add it to the request headers. In vanilla jQuery (mmmm, vanilla), that looks similar to:

var headers = {};
// other headers omitted
headers['__RequestVerificationToken'] = token;
  cache: false,
  dataType: 'json',
  type: 'POST',
  headers: headers,
  data: window.JSON.stringify(obj),
  contentType: 'application/json; charset=utf-8',
  url: '/some-url'

Ok, so far so good. This will generate the token in the browser and send it to the server, but we have a problem here. As I mentioned earlier, the existing attribute which validates the token on the server won’t look in the header. It only looks in the form collection. Uh oh! It’s Hacking time! I’ll write a custom attribute called ValidateJsonAntiForgeryTokenAttribute.
This attribute will call into the underlying anti-forgery code, but we need to get around that form collection issue I mentioned earlier.
Peeking into Reflector, I looked at the implementation of the regular attribute and followed its call stack. It took me deep into the bowels of the System.Web.WebPages.dll assembly, which contains a method with the following signature that does the actual work to validate the token:

public void Validate(HttpContextBase context, string salt);

Score! The method takes in an instance of type HttpContextBase, which is an abstract base class. That means we can intercept that call and provide our own instance of HttpContextBase to validate the anti-forgery token. Yes, I provide a forgery of the request to enable the anti-forgery helper to work. Ironic, eh?
Here’s the custom implementation of the HttpContextBase class. I wrote it as a private inner class to the attribute.

private class JsonAntiForgeryHttpContextWrapper : HttpContextWrapper {
  readonly HttpRequestBase _request;
  public JsonAntiForgeryHttpContextWrapper(HttpContext httpContext)
    : base(httpContext) {
    _request = new JsonAntiForgeryHttpRequestWrapper(httpContext.Request);
  public override HttpRequestBase Request {
    get {
      return _request;
private class JsonAntiForgeryHttpRequestWrapper : HttpRequestWrapper {
  readonly NameValueCollection _form;
  public JsonAntiForgeryHttpRequestWrapper(HttpRequest request)
    : base(request) {
    _form = new NameValueCollection(request.Form);
    if (request.Headers["__RequestVerificationToken"] != null) {
        = request.Headers["__RequestVerificationToken"];
  public override NameValueCollection Form {
    get {
      return _form;

In general, you can get into all sorts of trouble when you hack around with the http context. But in this case, I’ve implemented a wrapper for a tightly constrained scenario that defers to default implementation for most things. The only thing I override is the request form. As you can see, I copy the form into a new NameValueCollection instance and if there is a request verification token in the header, I copy that value in the form too. I then use this modified collection as the Form collection.
Simple, but effective.
The custom attribute follows the basic implementation pattern of the regular attribute, but uses these new wrappers.

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, 
    AllowMultiple = false, Inherited = true)]
public class ValidateJsonAntiForgeryTokenAttribute : 
    FilterAttribute, IAuthorizationFilter {
  public void OnAuthorization(AuthorizationContext filterContext) {
    if (filterContext == null) {
      throw new ArgumentNullException("filterContext");
    var httpContext = new JsonAntiForgeryHttpContextWrapper(HttpContext.Current);
    AntiForgery.Validate(httpContext, Salt ?? string.Empty);
  public string Salt {
  // The private context classes go here

With that in place, I can now decorate action methods with this new attribute and it will work in both scenarios, whether I post a form or post JSON data. I updated the client script library for calling action methods to accept a second parameter, includeAntiForgeryToken, which causes it to add the anti-forgery token to the headers.

As always, the source code is up on Github with a sample application that demonstrates usage of this technique and the assembly is in NuGet with the package id “MvcHaack.Ajax”.

If you like my blog, Please Donate Me

Oct 20, 2011

Kippo The SSH Honeypot

Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.

How to run it?

Edit kippo.cfg to your liking and start the honeypot by running:
start.sh is a simple shell script that runs Kippo in the background using twistd. Detailed startup options can be given by running twistd manually. For example, to run Kippo in foreground:
twistd -y kippo.tac -n
By default Kippo listens for ssh connections on port 2222. You can change this, but do not change it to 22 as it requires root privileges. Use port forwarding instead. (More info: MakingKippoReachable).
Files of interest:
  • dl/ - files downloaded with wget are stored here
  • log/kippo.log - log/debug output
  • log/tty/ - session logs
  • utils/playlog.py - utility to replay session logs
  • utils/createfs.py - used to create fs.pickle
  • fs.pickle - fake filesystem
  • honeyfs/ - file contents for the fake filesystem - feel free to copy a real system here

Source:  https://code.google.com/p/kippo/

If you like my blog, Please Donate Me

Oct 16, 2011

SPAM: Google History?

 Please don't spam it to me again.

If you like my blog, Please Donate Me