Layer 2 Security Issues and Their Mitigation

So, I have left Accenture and joined the red team of a Big 4; below is my first presentation, which I gave there (completely redacted, obviously).

Comments are very much welcome.

by Rishabh Dangwal · 0

My time with Cisco EX90

Got my hands on a Cisco EX90 (that was malfunctioning) and here is my impression of it: sucks balls.

The box has poor support for RS-232 and needs a special cable (USB to serial) provided separately, without which it won't come up on the console at all. Yes, I tried everything, and the damn thing needs a specific FT232R driver to make it work. Speed settings are 38400 with no flow control or parity, after which the sucker boots up in admin mode with xConfig disabled. Vendors nowadays have a very pragmatic approach to making the CLI as difficult as possible for the very folks they intended it for. They tackle this by creating pseudo-shells (with limited capabilities, generally little to no debug facility; sometimes you really feel lucky if you are able to read proper logs) which miserably fail to provide a full view of what the heck is wrong with the device/service. The result? After pulling your hair out and cursing the box, you eventually dial 1-800-100-1364 to share your plight, resulting in more revenue for Cisco, and you end up drinking more beer than you usually do, in a bad way. After all, a frustrated tinkerer is a good customer.

Coming to the point, Cisco has xConfig running over standard bash, which is more or less a limited configuration mode so that you can recover the device. But heck, since it was booting without it, I configured "rootsettings on Cisc0", logged out, logged in as root with Cisc0 as the password and jumped into a bash shell over Linux 3.4. Some more exploring and I found the environment was pretty loaded on factory defaults (as compared to the trimmed, hardened network devices I have seen); heck, it's got Python 2.6 :)

Not wasting any time, I configured the box with a static IP and tried upgrading it with 7.x code, which as expected failed. The upgrade gave "unable to create squashfs" in dmesg; at that moment I pretty much sighed and handed things over to the Cisco Collab guy. I was already unimpressed with its poor recovery capabilities and time would not permit any more R&D on a production device.

Note to self: need to get my hands dirty once it's dismounted.

by Rishabh Dangwal · 0

An open letter to Pramit Jhaveri - Citibank India - No Resolution, Customer care sucks & they lie, a lot.

Dear Mr Pramit Jhaveri,

Last October an incident happened with me. On a fuzzy evening I went to the nearest ATM near my home, a Deutsche Bank ATM, where I gave my card to my cousin, who went inside the ATM to take out money while I was on a concall with my office guiding some poor chap who required my help. Since you can't enter an ATM while talking on the phone, I remained outside.

Turns out that there was no guard / money at the ATM; the machine gave an error after the PIN was entered and never dispensed the money. Also, there was one more guy who had the same experience.

Well, I finished the call, put my phone in my pocket and strolled to the nearby Axis Bank ATM where we withdrew 1000/- INR and went home. Turns out some nasty surprises were waiting for me. I got a message from Citibank that 10K had been withdrawn from my account; flabbergasted, I reported the incident to Citi on 7th October.

What happened next? Ah, to cut a long story short -

  1. Citi reversed my money in 2 days (that was fast) and said they were investigating the issue.
  2. Then they said the transaction was valid and reversed it again.
  3. I disputed it and said show me the CCTV footage -> no response.
  4. Called their Citiphone officers (sic) multiple times and they said to check with Deutsche Bank. I asked why they were not taking end-to-end responsibility; they said it's out of their scope.
  5. Then I checked with Deutsche Bank and they said they would not entertain my request for CCTV footage.
  6. Citiphone officer advises me to lodge an FIR and I duly oblige.
  7. Dec 2013 - Citi reverses the money again and, as per Simmy Sebastian (Citi escalation executive) on email, money is debited to my account and the investigation continues.
  8. 5 months later (28 March 2014) Citi reverses the money again :D with NO CONCLUSIVE INVESTIGATION and charged an overdraft of 3899/-.

Well Done Citi..

Now this pissed me off. I had just survived humiliation while paying a bill because I thought there was money in my account when there was not. After fighting for 38 minutes (at dead of night) with the Citi IVR and their agent Chirag, I finally wrote an email to you, the acting Citibank CEO/hotshots, describing the whole affair.

Here is the full email (which I expect you should have gone through by now; if not, then my faith is dwindling) -

(I have redacted my email address from all of the following email communication)
---------- Forwarded message ----------
From: Rishabh Dangwal <>
Date: Sat, Mar 29, 2014 at 2:06 AM
Subject: Attention !! // 020-486-450 // New Ref# SDN14026864 // Citi Transaction & Customer Service Failure at Grassroot level // WORST SERVICE & FEEDBACK.
To: "" <>,,,, Executive Response <>, "" <>, vikram.saras@citi.com
Cc: "" <>, "" <>,,,, Rishabh Dangwal <>

Mr Pramit / Mr Ashish / Mr Anand / Mr Vikram,
Let me bring incident 020-486-450 (New ref# SDN14026864) to your attention, where Citibank has shamelessly ripped up all the rules of customer service. We all hate typing emails at 2 AM at night, ain't it?
Short Summary:
  1. On 7th October 2013, a mis-transaction of 10000/- was done on my Debit Card at a Deutsche Bank ATM, for which Citi was *UNABLE* to provide any conclusive feedback for 5 straight months.
  2. I was provided an immediate credit and it was agreed on email with Simmy Sebastian (email attached) that Citi would provide me the CCTV footage of the ATM as evidence before reversing any credit.
  3. As discussed with *countless* Citiphone Officers (sic), they recommended getting in touch with Deutsche Bank (which I did) and raising an FIR with the police (which I did, again), but everything went futile and today (28 March 2014) Citi has reversed the transaction *WITHOUT INFORMING ME IN ANY FORMAL MANNER* and *WITHOUT PROVIDING ME CCTV FOOTAGE OF THE TIME OF INCIDENT*, and even penalized me with an overdraft of 3899/-.

Now the points of concern are -
  • Citi *NEVER* informed me that they were closing the investigation at their end and reversing the credit. I barely survived humiliation when I thought I had money in my bank account when there was none, thanks to Citi as the transaction was reversed.
  • An FIR has been raised with the police, and the CCTV footage acts as evidence in this regard. Citi didn't provide it and concluded the matter; then shall I sue Citi for causing hindrance in the investigation?
  • Citi failed to provide me the CCTV footage, failed to meet its commitments and left me in a dire financial situation without explanation or information.
  • One-sided followups were being done with NO PROACTIVE UPDATES on this matter.

I will be escalating the matter to the RBI Ombudsman for the failure of Citi to provide conclusive feedback and for failing at all echelons of customer service; it's a huge disappointment on all grounds. I should in fact also inform my colleagues at Orange Business Services (France Telecom) to migrate their accounts; it's bad PR and it's well justified if you ask me.
Right now, I had a word with Chirag Jain (Citiphone officer) at dead of night, and in a 38 minute call I was unable to get to a senior person who could take responsibility and be accounted for some justified action.
In fact I am so frustrated with the one-sided followups that once it's solved, I would close my account with Citi and encourage my finance head at Orange Business Services to do the same; somehow I realise from this incident how broken the customer service is at a world renowned bank like Citi.
PS: I know you all might be busy, so I have finally decided to blog about it at Prohack ( where I can make note of the progress which Citi makes once an issue is reported to the head honchos of a company. If this doesn't work out right now, I would then know if I can trust Citi again or not.
I am attaching all the relevant documents of
  1. Followups done with Citi
  2. Agreement done with Citi wrt CCTV footage
  3. FIR
  4. Followup with Deutsche Bank
as proof and testament of my words; let's see if Citi can finally provide me a resolution.
I still want to believe and hope Citi stands for its customer values; requesting your urgent attention and complete cooperation in sorting this matter out.
Best Regards,

Rishabh Dangwal
Network Security Specialist
Orange Business Services (France Telecom)
RHCE | CCNA | ITIL | CEH
Website: , "Quis Custodiet Ipsos Custodes ?"

Trust me, if this isn't sorted out now, then I would recommend NEVER opening an account with Citi, since if a CEO can't sort a mess out, then of course the customer service is no good.
Moreover, it's a huge fail in customer service that a guy is forced to address his concerns to the CEO of Citi because the lower rungs of service and escalation fail to provide *any viable resolution*.

The best part, Mr Pramit?
Well..that ATM closed down, and I pointed out to Simmy and lots of other Citiphone folks that at most 2 months of video is stored on the ATM CCTV hard drive, and if you don't act fast, *YOU WILL NEVER BE ABLE TO GET THE CCTV FOOTAGE*. Turns out they don't have any and are now bullying me by keeping me in the dark.

Well Mr Pramit, if Citi can charge me to withdraw money from any other ATM, then I expect some services from Citi that safeguard my interests. It makes me shudder how one-sided this whole affair has been; if only you had an idea, a complete fail of all the echelons. If Citi can provide me the CCTV footage since it's a criminal case, and stop taking independent conclusive actions without informing the customer. It's a breach of customer trust and an epic fail in code of conduct.

I still believe you guys have sensible online services, but customer service is one area in which Citibank India fails spectacularly.

I hope something could be done on it? Ain't it? No one wants to type an email at 2 AM at night and blog at 2:40 AM about his horrible experience. If Citi wants that, then no thanks, I will close my account as soon as it's sorted and will encourage my colleagues to do the same.
What a waste..

Rant aside..

I do hope something can be done in this regard. Wave your magic wand, sire; I will be waiting for some concrete action..

Best Regards

Rishabh Dangwal

Update 29 March 2014 12:07 PM IST:
One long time blog reader and friend suggested getting it reported to RBI. Duly acknowledged; a complaint has been raised with RBI.

Update 29 March 2014 04:05 PM IST:
Had a word with Citi CCE Navneet / S Mahesh, who confirmed that they will have some response by Friday 4 April 7 PM IST. Also asked whether the overdraft will be reversed and the money credited back to my account; he was affirmative. Mahesh confirmed that he will have some update on the CCTV and promised a call back by 31 March NBH. Provided this blogpost URL as a timeline of the incident.

Update 29 March 2014 04:50 PM IST:
Consumer complaint 82619.1.2014 lodged against Citi Bank.

Update 30 March 2014 08:25 PM IST:
A 47 minute call with the Citi Helpdesk was finished, with approximately 20 minutes of being on hold, excluding 2 minutes of fighting with the IVR.
After 5 tries by Merin (Citi service desk), her manager Manisha Sitaram (on duty floor manager) came on the call.

  • Asked her about the status of the investigation -> she was clueless.
  • Asked her why a callback was not arranged -> she was clueless.
  • Asked her what the heck Chirag Jain (on duty floor manager) and S Mahesh (on duty floor manager) were doing -> they were on leave / not available.

Asked her to make note of 5 questions -

  1. Why Citibank did not provide me the CCTV footage and why the transaction was reversed.
  2. Why Citibank reversed the transaction and did not intimate me, although it was agreed with Simmy Sebastian (Citi Executive Response desk, Mumbai) that he would check and update regarding the CCTV footage.
  3. Why this incident is being dragged on for 5 months.
  4. What the status is of the followups being done for the CCTV footage with Deutsche Bank.
  5. Whether Citibank will credit the money back (along with the overdraft), since they have not provided any CCTV footage and have no right to do it.

Provided her the URL of this blogpost, the details of Simmy Sebastian and the current executive incident owner Laxmiprabha Kotian at Citi's end, and asked her to arrange a call back by 31st March 5 PM IST during NBH.

Let's see how Citi takes this incident up.

Update 30 March 2014 08:50 PM IST:
Shot an email to Citi again since they failed to acknowledge anything.

---------- Forwarded message ----------
From: Rishabh Dangwal <>
Date: Sun, Mar 30, 2014 at 8:53 PM
Subject: Re: Attention !! // 020-486-450 // New Ref# SDN14026864 // Citi Transaction & Customer Service Failure at Grassroot level // WORST SERVICE & FEEDBACK.
To: "" <>,,,, Executive Response <>, "" <>,, arghya.dasgupta@citi.com
Cc: "" <>, "" <>,,,, Rishabh Dangwal <>

Good Evening Gentlemen,
Seems like 40+ minute calls, 5 month old pending incidents (and still counting), no call backs, one-sided followups from the customer's end and unexpected/surprise charge-backs are becoming the new hallmarks of 201 years of Citi in India.
Is there anyone even working on the matter? I am still waiting for an acknowledgement from your end.
Meanwhile the incident history is now live at  (just in case your executives/underlings are not providing you proactive updates) and you can have a look at the glorious way the incident is being handled by Citi.
Awaiting some action on the matter since it's now long overdue.
Best Regards,

Rishabh Dangwal
Network Security Specialist
Orange Business Services (France Telecom)
RHCE | CCNA | ITIL | CEH
Website: , "Quis Custodiet Ipsos Custodes ?"

Update 30 March 2014 09:13 - 09:30 PM IST:
Finally got a revert from Citibank Vice President Jinit Thakkar, although it was on a separate email chain.

On Sun, Mar 30, 2014 at 9:13 PM, Thakkar, Jinit <> wrote:
Dear Mr. Dangwal,
This refers to your email of March 30th 2014.
We acknowledge receipt of your email.
Due to an extended holiday, on occasion of Gudi Padwa, we will respond to you by Tuesday, April 1st 2014.
Would appreciate your understanding till then.
Jinit Thakkar
Head- Executive Response Unit
Pat went the response.

---------- Forwarded message ----------
From: Rishabh Dangwal <>
Date: Sun, Mar 30, 2014 at 9:30 PM
Subject: Re: your email dated March 30' 2014 / SDN14026864 / old ref#020-486-450
To: "Thakkar, Jinit" <>
Cc: Executive Response <>, "" <>, "" <>,,,, "" <>,, "" <>,,

Hello Jinit,
Let's not start one more email chain on this issue since there are already plenty; I will be looping you into the main email chain and I expect a revert on the same one.

Please let me know if Citi will provide me some conclusive feedback by 1 April, or will it be the same 5 month old weasel words/updates of "under investigation" / "being looked at by internal team" / "awaiting confirmation from internal team", since Simmy / folks left the investigation in the lurch and have wasted a lot of my research time in followups with Citi, mental harassment aside.

Awaiting a LEAN and concrete feedback from Citi.
Best Regards

Rishabh Dangwal
Network Security Specialist
Orange Business Services (France Telecom)
RHCE | CCNA | ITIL | CEH
Website: , "Quis Custodiet Ipsos Custodes ?"

Update 30 March 2014 09:43 PM IST:
Looks like even the Citi India Vice President Jinit Thakkar has got a taste of bad customer service, from the folks at Samsung; had a #facepalm moment.

An amusing read at -

Somehow, it feels like a guilty pleasure. FYI details are - Jinit Thakkar Asst Vice President , Citibank India, mob : 9820401881 

Update 31 March 2014 12:43 PM IST:
Had a word with Manisha Shriram / Jinit Thakkar from Chennai; they required 1 more day to investigate the issue since it's a holiday in Mumbai. Also internally escalated the matter to the Orange / France Telecom Finance department.

Update 31 March 2014 06:00 PM IST:
Finally got the call from Simmy Sebastian (executive response unit); to cut a long story short -
  1. As per him, he has retrieved the clippings.
  2. He has seen that cash is being dispensed.
  3. He asked if I was informed about the cash reversal -> negative.
  4. He asked if I had communication from Keerti -> positive.
  5. Asked him to drop an email about it; he asked for 1 more day to have conclusive feedback.
  6. Asked him if anything is required from my end; he said nothing else is required.
  7. He said he will provide a final stand in this regard by tomorrow.
Final Update:

I am updating this in Feb 2016, as I think it was long overdue. Simmy called me and sent across the footage of the ATM in a PKZIP encrypted file. Checked the footage and found out the ATM was misbehaving and another guy took out the money.

Bottom Line:
No refund from the bank (Thank you Citibank :X ). No action from Delhi Police. The ATM was torn down to make place for a new clinic.

Welcome to India. 

by Rishabh Dangwal · 0

Oops..NSA did it again - How NSA hacked & (may have) got into *every* communicating device ever

Happy new year folks, I am late & I know it, but there is something that I just came across & thought to share it with you. Its

Read at Leakedpress / Spiegel, posting from Leakedpress. If this is true (which it probably is; otherwise Snowden would not be hiding), then it's something to either fear or marvel at. In both cases, I would love to see these devices in action, as it's something which catches my expertise and eye.

Read on..

After years of speculation that electronics can be accessed by intelligence agencies through a back door, an internal NSA catalog reveals that such methods already exist for numerous end-user devices.
When it comes to modern firewalls for corporate computer networks, the world’s second largest network equipment manufacturer doesn’t skimp on praising its own work. According to Juniper Networks’ online PR copy, the company’s products are “ideal” for protecting large companies and computing centers from unwanted access from outside. They claim the performance of the company’s special computers is “unmatched” and their firewalls are the “best-in-class.” Despite these assurances, though, there is one attacker none of these products can fend off — the United States’ National Security Agency.
Specialists at the intelligence organization succeeded years ago in penetrating the company’s digital firewalls. A document viewed by SPIEGEL resembling a product catalog reveals that an NSA division called ANT has burrowed its way into nearly all the security architecture made by the major players in the industry — including American global market leader Cisco and its Chinese competitor Huawei, but also producers of mass-market goods, such as US computer-maker Dell and Apple’s iPhone.

These NSA agents, who specialize in secret back doors, are able to keep an eye on all levels of our digital lives — from computing centers to individual computers, from laptops to mobile phones. For nearly every lock, ANT seems to have a key in its toolbox. And no matter what walls companies erect, the NSA’s specialists seem already to have gotten past them.
This, at least, is the impression gained from flipping through the 50-page document. The list reads like a mail-order catalog, one from which other NSA employees can order technologies from the ANT division for tapping their targets’ data. The catalog even lists the prices for these electronic break-in tools, with costs ranging from free to $250,000.
In the case of Juniper, the name of this particular digital lock pick is “FEEDTROUGH.” This malware burrows into Juniper firewalls and makes it possible to smuggle other NSA programs into mainframe computers. Thanks to FEEDTROUGH, these implants can, by design, even survive “across reboots and software upgrades.” In this way, US government spies can secure themselves a permanent presence in computer networks. The catalog states that FEEDTROUGH “has been deployed on many target platforms.”
The specialists at ANT, which presumably stands for Advanced or Access Network Technology, could be described as master carpenters for the NSA’s department for Tailored Access Operations (TAO). In cases where TAO’s usual hacking and data-skimming methods don’t suffice, ANT workers step in with their special tools, penetrating networking equipment, monitoring mobile phones and computers and diverting or even modifying data. Such “implants,” as they are referred to in NSA parlance, have played a considerable role in the intelligence agency’s ability to establish a global covert network that operates alongside the Internet.
Some of the equipment available is quite inexpensive. A rigged monitor cable that allows “TAO personnel to see what is displayed on the targeted monitor,” for example, is available for just $30. But an “active GSM base station” — a tool that makes it possible to mimic a mobile phone tower and thus monitor cell phones — costs a full $40,000. Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million.
The ANT division doesn’t just manufacture surveillance hardware. It also develops software for special tasks. The ANT developers have a clear preference for planting their malicious code in so-called BIOS, software located on a computer’s motherboard that is the first thing to load when a computer is turned on.
This has a number of valuable advantages: an infected PC or server appears to be functioning normally, so the infection remains invisible to virus protection and other security programs. And even if the hard drive of an infected computer has been completely erased and a new operating system is installed, the ANT malware can continue to function and ensures that new spyware can once again be loaded onto what is presumed to be a clean computer. The ANT developers call this “Persistence” and believe this approach has provided them with the possibility of permanent access.
Another program attacks the firmware in hard drives manufactured by Western Digital, Seagate, Maxtor and Samsung, all of which, with the exception of the latter, are American companies. Here, too, it appears the US intelligence agency is compromising the technology and products of American companies.
Other ANT programs target Internet routers meant for professional use or hardware firewalls intended to protect company networks from online attacks. Many digital attack weapons are “remotely installable” — in other words, over the Internet. Others require a direct attack on an end-user device — an “interdiction,” as it is known in NSA jargon — in order to install malware or bugging equipment.
There is no information in the documents seen by SPIEGEL to suggest that the companies whose products are mentioned in the catalog provided any support to the NSA or even had any knowledge of the intelligence solutions. “Cisco does not work with any government to modify our equipment, nor to implement any so-called security ‘back doors’ in our products,” the company said in a statement. Contacted by SPIEGEL reporters, officials at Western Digital, Juniper Networks and Huawei also said they had no knowledge of any such modifications. Meanwhile, Dell officials said the company “respects and complies with the laws of all countries in which it operates.”
Many of the items in the software solutions catalog date from 2008, and some of the target server systems that are listed are no longer on the market today. At the same time, it’s not as if the hackers within the ANT division have been sleeping on the job. They have continued to develop their arsenal. Some pages in the 2008 catalog, for example, list new systems for which no tools yet exist. However, the authors promise they are already hard at work developing new tools and that they will be “pursued for a future release”.

You can read the full post here - 

by Rishabh Dangwal · 0

Subnormality - The Webcomic that demands your reading.

It feels like aeons since I have written anything at Prohack. Actually, I got busy with my side projects, job and some pretty shitty sticky situations (I am looking at you, CitiBank).

Life was crawling ahead and for the first time in my life I truly felt helpless against the greater powers acting, but that's another story for some other time. Life at Orange has been good; it has technology, scenarios and responsibilities that actually empower you. So far so good, let's see how it goes ahead.

Nevertheless, it's not my life I have come to discuss here today; it's something about a webcomic I read too much. I have always been a fan of webcomics, be it the all time classic "User Friendly" or the new ones (well, they are fairly old by internet standards but still..): xkcd, The Oatmeal, Saturday Morning Breakfast Cereal, Penny Arcade, Cyanide & Happiness, Awkward Zombie, Brawl in the Family, Hijinks Ensue, Dualing Analogs, Dinosaur Comics, JL8 and some pretty cool others (read: too tired to type); they have been part and parcel of my life since the time I became a netizen.

Be it sublime humour, philosophy, video games or just anything, I believe web comics as a medium ace anything contemporary. Then in and around ~2008 I came across Subnormality, a comic under the umbrella of Viruscomix, described as "Comix with too many words since 2007" by author Winston Rowntree, and I was blown away by its content. I was instantly hooked and 5 years later, I am a fan.

It has been satirical, practical, intricately detailed, heart-warming, absurd, carefully drawn, full of easter eggs and pop culture references, and caters to a very specific audience who have the patience to handle ~1500 - 2000 word texts inside speech bubbles just for the sake of reading a webcomic. But once you see through the veil, trust me, it's one hell of a gem that demands a reading.

Just in case it's not your cup of tea, you can go through Abnormality, which I believe is a fork of Subnormality created to cater & is equally good.

Also, Winston's other comix at Viruscomix are "Sector 41" (a nod to Akademgorodok/Zheleznogorsk) and "Things they Dont tell you (but should)", which are a must read.

Just in case you want to test the waters before getting addicted to awesome webcomics by Winston Rowntree, you can read

  1. Monstrous Discrepancies
  2. Understanding Nuclear Weapons
  3. Seven Reasons
  4. The Closer you get
  5. Video Game Design
  6. Logo Design primer
  7. The Stupid Planet

for a start. Meanwhile, I am reading Zanadu again.. :)

by Rishabh Dangwal · 0

Best Hackers of India–Revealed

I have had enough..I am very very pissed off, as India has become the land of the skids, and the greatest contribution to the same has been provided by imitators of the Fadia business model..And for the time being they are having good business by making fools of naive minds. Nowadays everyone I see (and meet) is a freelance security consultant, without even knowing the basics and intricacies of Security as process, acumen, method and lastly knowledge.

When I ask them, "Oh great, nice to meet you, so what you have been working on lately?"

The answer is cryptic bullshit about using Trojans, hacking Facebook profiles (using *means*..duh), pentesting websites (using Havij/Acunetix or automated tools without doing any static code analysis, or XSS'ing the website without even a hint of persistent ones), servers and even SEO (!).

A more advanced skid will babble about using Backtrack/KALI and impress by using Metasploit to show how exploits are run to compromise systems (insecure ones; also, in place of writing their own they just update it), a bit of showing connections to the underground scene (wait, what?!) and having everyone by a cryptic handle in their Facebook profiles.

"Nice..So..what is *new* that you are working on lately?" I exclaim.

The media? It goes apeshit whenever it hears about hacking prodigies. Well, to uneducated media journalists, let it be known to you: RESEARCH BEFORE YOU VOMIT ANYTHING. Why don't you go through Charles Assisi's article on Ankit Fadia and LEARN SOMETHING?!!

Worst part - These guys are even authoring books on hacking. Go figure :/

Every time some hacking prodigy or best hacker releases a book on "guide to hacking" with age old obsolete (& mostly stolen) content, a cute bunny performs harakiri with his copy of Sn0wcrash somewhere .

Point in question is that NONE OF THE GUYS WHO PROCLAIM to be the BEST HACKERS IN INDIA have ever appeared in reputable security conferences to show their mettle. Instead, they have created their own versions of DEFCON and HACKING CONFERENCES so that they can sing songs about their privates in full glory.

    PS: Every time I read Norman Shark's report on an Indian APT, I have a facepalm, just saying. How on earth it was classified as an APT is beyond me.But again, not diverting too far from my point, back to Hackers.

I owe a lot to a lot of people; yes, every pro was a skid, I admit it, however what separates a skid or a charlatan from a true 1337/seasoned security researcher is their attitude towards learning, reproducing, validating and then putting their own blood, sweat and tears into research to advance it.

I have met quite a lot of talented folks in the corporate world and have had the privilege to work with some extremely talented people in network security (I am looking at you fambon/jach/m0d412 =] ). Having watched the scene carefully, I wanted to make note of some of the most talented folks in the Indian security scene today, people who are Hackers (whether they acknowledge it or not) and are not *self proclaimed Hackers/best Hackers/leets* (guys you will find a dime a dozen). Seriously guys..where is the Halvar Flake of India?

I wanted to do it as they have made significant contributions to the Indian hacking scene, be it awareness, exploits, pwnage or anything; they have been doing what is needed today, rather than creating an army of skids that gave everyone a bad name.

Of course you will argue that the real guys are always hiding in the shadows (read: null) and there are a lot who are working behind the scenes, but still these are the ones you would like to know about (in no particular order).

1.  Sanjay Rawat

Veteran security researcher specializing in code optimization, machine learning, VA, fuzzing and network security. One of my heroes whom I look up to and greatly idolize.

2.  Rahul "fb1h2s" Sasi

I have known Sasi for quite some time, and he is the current torch bearer of the face of Indian hackers; his research into HID devices, biometrics, datacards and IVR has received widespread attention and has given the Indian security scene a good name.

  PS: Rahul, if you are reading this, I chose this pic as it makes you resemble a cross between Alan Cox and Cory Doctorow, some offbeat folks I greatly admire, no kidding :P

3.  Vinay "Vinnu" Katoch
Long time L0Xian with impeccable skills in exploit development, reverse engineering, malware analysis and development. Known for his exploits in the JVM, ASLR/DEP bypass and his quiet nature.


4.  Vivek Ramachandran

Well, how can he even be missing from this list. His famed Caffe Latte Attack and his latest primer on making security accessible to everyone via SecurityTube have helped millions to learn security the right way, at least the nascent steps. Kudos to him.

5.  Rajshekhar Murthy / Atul Alex Cherian
The Malc0n duo is quite infamous for bringing raw, uncensored malware research and development into the spotlight. Malc0n exclusively focuses on proactive malware research and analysis, and the folks responsible have been instrumental in making it an international platform.

Honourable mention : Folks at n|u,g4h,SX, I always take you for granted since you have always been 1337s, you don't need a lesser mortal to define your contribution to the scene.

I hope my rant was quite clear (!) , concise and to the point, I hope the next time you will hear about some Indian hacking prodigy in your local newspaper, Facebook page or on a poster at your college campus, you will QUESTION YOURSELF TWICE & ask the goodol' folks at n|u/SX/g4h for a piece of their mind.

If you want to go through the last time I ranted about the BEST HACKERS IN INDIA, click here.   You can also read more about Charlatans at, my favourite place to kill off time.

Just in case you might question my authority to rant about the topic, then well, I hope you will get it someday.

by Rishabh Dangwal · 0

Snapdeal Sucks - My experience - It's pathetic, slow and unresponsive

It all started with me hunting for a point-and-shoot camera for my mother. To be frank, any camera with no hassles & fair performance would have qualified, and I was personally looking for the Nikon L26; but since it was deemed outdated by Nikon itself, I hopped in for the Nikon L27 violet colour camera. Now, to be frank, I never wanted to go outside Flipkart/Infibeam since they have stood the test of time with me, but somehow I ordered it from another popular online portal & there the things start to get interesting.
For starters, I never received any email of purchase confirmation. I thought it might have landed in the junk/spam folder but hell no. I double checked my email filters, searched every label but nopes..zilch..nada..I simply didn't get any email receipt of purchase from Snapdeal. It was the first omen of a Bad Deal (aka Snapdeal). Thankfully I didn't close my browser windows; I was lucky to take a snapshot of the transaction, noted down the transaction id from my bank statement, drank a glass of water & wiped away the sweat that the scorching Delhi summer delightfully gave me.
5 minutes later I received an SMS from Snapdeal regarding my order number. I matched it with my snapshot, went online again and found, after providing my details, that the estimated shipping date was 20th May 2013.
I tried to log in to Snapdeal and found that since I had created an account a long time ago (when Snapdeal was not in the store business and was in the deals business), I didn't actually remember its password. I tried to reset it, but received *NO EMAIL* from Snapdeal. Now that was alarming: I was not able to reset my password, not able to get an email receipt and I was not very sure about the delivery capability of Snapdeal (a quick search on was quite revealing).
Immediately I called customer care (+91-92126-92126); after listening to whistles and the caller tune for 5 minutes (yes, *5 minutes*), my call was picked up. I explained to the CCE -
  1. I am not getting emails from Snapdeal.
  2. I did not receive a receipt.
  3. I am unable to reset my password.
  4. What is the status of my order as of now, and by what time will it get delivered?
The CCE responded -
  1. He cannot reset the password nor help me in any regard with account or email issues.
  2. My order was under processing and he cannot provide an estimated delivery date.
I thanked him and hoped for the best.
Also, I logged into Snapdeal via FB authentication and was still not able to reset the password.
That was on 15th May 2013.
Now, to be frank, I have never ordered anything from Snapdeal before; one of my friends (Gurpreet Singh) had once ordered some stuff from it, but he warned me about Snapdeal's performance issues after I placed the order.
While I was gleefully cursing him "Saaley pehle kyu nahi bataya!!" (why didn't you tell me earlier, you rascal!!), he reassured me that they are slow but at least they deliver the goods.
"Also, the shipping date is the 20th; you might be getting the goods in your hands before that", he finished, gulping his last glass of lassi.
Nervously I reassured myself and crossed my fingers. Who knows; it wasn't for me, it was for my Mom, and I wanted it delivered in a timely manner.
17th May came and the status was still "processing" on the website. Furthermore, I tried calling customer care thrice with no one responding on the number. They also hung up on me on one occasion without any CCE interaction.
Now I was getting a bit angry. 18th May, it was Saturday noon and the order was still under processing. I tweeted to Snapdeal
Tweet to Snapdeal
No response from Snapdeal as of now. Also, I sent the email to the Snapdeal helpdesk (
I bought a Nikon Coolpix L27 16MP Point & Shoot Digital Camera (Purple), Order Number 994202497, Item code 1333471211; it's been 3 days but I have NOT received the email receipt of the order. Furthermore, I am not able to verify my Snapdeal account as I am not getting any emails from Snapdeal regarding verification and the order.
I have looked into the SPAM/JUNK folder to no avail. I mentioned the same to customer care on 9212692126 but they were helpless.
Furthermore, why is there so much delay in processing the order? 3 days and it's still processing. What's the bottleneck in it? I have never had such a slow response from any of the online retailers I have used.
Please get back to me on the double.
You guessed it right, no response from Snapdeal.
On 20th May I shot another one.
Dear Team,
Still awaiting your response. It's quite incredulous that I am following up for an email response which should have been your duty. It's 20th May and the product page still shows a shipping date of 20th May with no update. I had a word with CCE Maninder Sandhu (yeah, I got lucky, finally your customer care picked up the call) for an update on the order but he himself was helpless regarding the same.
It's pathetic how you are keeping the money interest free without giving any proactive updates on the status of the order and keeping the customer completely blind on it.
Nevertheless, I will be waiting till 21 May for an update, for a fair chance. After that, I will be cancelling the order and filing for a refund.

Seriously, I could have posted call records but I think that would have been a bit overkill. But then, if they can record our calls for "quality & training purposes", why can't we use them for some real "quality" purposes?
I had no idea what was going on; at least an email response would have sufficed. We live in a country where the consumer is hailed as king. I have no complaints with late deliveries; I am actually angry with the no/diminutive response from the Snapdeal team. I have paid for an item first rate, online, in a single transaction with no dues pending, no instalments, and they are keeping my money interest free, processing it according to their whims and providing no reasons for the delay. Furthermore, the response time is pathetic: I got the reply from Snapdeal on their Facebook page / Twitter 2 days later, & that too only that they are looking into it and the order will be shipped today.
Snapdeal Order will ship today
Snapdeal facebook response
Snapdeal - I am not the only one frustrated

Later, I got an SMS from Snapdeal that the order had been delayed.
Snapdeal SMS
But the online portal is still showing that the order is under processing and I really don't know what information to trust.
Snap 4 Censored
I was also not able to cancel my order as I CAN'T REACH CUSTOMER CARE AND I AM NOT SURE IF MY EMAILS ARE EVEN READ. As per Snapdeal's guidelines, they can choose to accept or deny my request to cancel the order based on their convenience and understanding of the situation.
Snapdeal  Terms of Sale - Cancellation
If you can't read it, to quote Snapdeal (trust me, it's an amusing read):
10.2 Cancellation by the User: In case of requests for order cancellations, Snapdeal reserves the right to accept or reject requests for order cancellations for any reason whatsoever. As part of usual business practice, if Snapdeal receives a cancellation notice and the order has not been processed/ approved by Snapdeal, Snapdeal shall cancel the order and refund the entire amount to You within a reasonable period of time. Snapdeal will not be able to cancel orders that have already been processed. Snapdeal has the full right to decide whether an order has been processed or not. You agree not to dispute the decision made by Snapdeal and accept Snapdeal's decision regarding the cancellation.
Very cute .
Bet I would have called Snapdeal for cancellation and they would have cancelled my request because they "had processed my order" .. and because it's written in clause 10.2.
As of now, summing up, my entire experience with Snapdeal echoes the following problems again and again -
  1. Lack of proper communication to the customer.
  2. Unresponsive support &
  3. Broken implementation of information systems.
I want to reiterate again that I don't have any problems with delays provided proper, proactive and responsive communication is done with the customer and issues regarding information are handled adeptly. I once had an order from Flipkart halted for around 14 days, but never once did I have to be bothered about it because the responsive CCEs provided me concrete updates; on the 7th day they offered a refund which I gladly accepted.
As of now, I haven't got any response to my tweet to Snapdeal
Tweet to Snapdeal 2
Another call to CCE Maninder Sandhu (I just got lucky) was fruitless, although he was a nice chap and was trying to help.
Lessons learnt:
  1. I won't be shopping from Snapdeal again, that's for sure, unless they make some really radical changes in their system.
  2. Won't be spending my hard-earned money on portals that are pathetic.
I do hope Snapdeal takes my rant as constructive criticism and infuses something into its DNA for the greater good.

Meanwhile, I am still waiting for my camera to be delivered .. :(
(6 days at the time of writing) and counting..

Update 21 May 2013 6.04 PM IST:

To top it off, as of now -

  1. The estimated shipping time on the webpage is still showing 20th May, but it has been updated that the tracking number will be available in 12 hours, so I actually don't know what the correct update is.
  2. Snapdeal_help on Twitter promised shipping by today but to no avail. They actually updated my Mother and not me regarding that, but alas, it's still showing pending.
  3. According to CCE Akash, the package is ready for courier and will be shipped by tomorrow first half. One more date.. Let's see how it goes.
  4. The Snapdeal FB page removed the negative comments; however you can see them in the picture given above.
Update 21 May 2013 7.00 PM IST:

Got a call from the Snapdeal Okhla office from Monika, who provided a courier tracking number and apologized for the delay; I thanked her. Also, as per her, the tracking number will be active within 12 - 48 hours. I promptly checked the 11-digit tracking number, which was not active on the courier service (Bluedart) page. She might be right. Will check it tomorrow morning.

Update 22 May 2013 6 PM IST:

As of now, Snapdeal has *FINALLY* shipped my order (YAY!!). But again, it has been delayed by the courier service. As of now, I was in talks with an Assistant Manager at the courier service who was quite helpful and said the product will be delivered by tomorrow. All I hope is that it is a functional one, as this long delay has shaken my already non-existent faith in Snapdeal.

Update 23 May 2013 6 PM IST:

Finally, after numerous delays, the order was delivered. The bottom line? Well, the issue was already escalated at Snapdeal's end; the pity was that when I checked at , my ticket was not updated in 3-4 days, and one was closed with the remark that the customer (that's me) was not reachable. Excellent; it was only when I started escalating the matter on online and social platforms that they came into action and hastened the matter. Still, it's 8 days, which is well beyond the norms of a normal e-comm site.
I am glad it all ended well. Mom got the camera and I got to see the inner workings of an e-comm site.

by Rishabh Dangwal · 0

Guide to Anti-Debugging - Overview , Techniques and Approaches

I have been nagged a lot regarding guest posts, and almost 90% of them are related to some news, social media bullshit and half-baked security crescendo. Until recently, when I was contacted by the amiable folks at Infosec Institute with a good article on anti-debugging. This is an article by Dejan Lukan, a security researcher at Infosec Institute, in which he discusses anti-debugging techniques in an objective and direct manner. I loved the implementation part; it reminded me of my rev days (you can learn how to reverse Winrar or just have a look at a real noob's guide to reverse some more stuff), and more importantly Dejan explains how to stop (read: slow down) people from reversing your code. Hope you will enjoy it.

Before we begin, we must mention that it's impossible to completely prevent reversing. What we can do is put enough obstacles in the way that the process becomes slow and expensive enough for the reverse engineer to give up. There are also hardware solutions, a black box attached to the computer that does the encryption/decryption of the protected code for you so that the plaintext never sits in readable memory, but these are far from everyday use.
Techniques to Harden Reverse Engineering

The most basic approaches to harden the reverse engineering of programs are the following [1]:
  1. Eliminating Symbolic Information
  2. Obfuscating the Program
  3. Embedding Antidebugger Code
When eliminating symbolic information, we're stripping the textual information from the program executable. Bytecode programs in particular carry large amounts of internal symbolic information such as class names, class member names and the names of instantiated global objects. By removing every symbol from the executable, or by renaming every symbol, the reverser faces a harder problem than usual, because symbol names alone can often reveal what a function does and so simplify the reverse engineering considerably.
This is easily done in C/C++ programs, where we only have to add a build flag (for example -s with gcc, or running strip on the finished binary) when building the executable. It's much harder with languages like Java and .NET, where those symbols are used internally to reference variables, functions, etc. and cannot simply be dropped. This is also why Java and .NET programs can be decompiled into a pretty good reconstruction of the original source. We can still hide the symbols in such programs by renaming them from meaningful names into meaningless ones, which effectively does the job.
Besides stripping the executable's symbols, we can also obfuscate the program. When obfuscating a program, we're changing the code of the program without changing the logic behind it, so the program does the same as before but its code is far less readable. Two techniques achieve that:
  • Encoding: With encoding, the program's code is stored in encoded form and a small decoder routine is added that restores it before it runs. This is done by appending the decoding instructions to the program and changing the entry point to point at them. When the program is run, the decoder executes first and restores the whole program to its original form; it then jumps to the original entry point and the original instructions run as if the encoding had never happened.
  • Packing: When packing the executable, we're reducing the size of the executable (compressing it) as well as encrypting it. When such a program is run, it must first be decoded in memory and then run.
By obfuscating the program with nonstandard encoders/packers, we can greatly complicate the task of reverse engineering the executable, but in the end a persistent reverse engineer will still be able to bypass that, typically by letting the program decode itself and dumping the restored image from memory, and will get the non-obfuscated version of the executable, which can then be reversed as usual.
Last but not least, we can embed antidebugger code: instructions in the executable that detect whether the program is currently being debugged. If it is, the program terminates prematurely (or takes a different path) without executing the functions that would normally run when it isn't under a debugger.

Before discussing how anti-debugging tricks do their magic, we must first talk about how the debugger is able to debug the program. We know that we can stop and resume the program with the use of either software or hardware breakpoints.
When using a software breakpoint, the debugger replaces the first byte of the instruction on which we've set the breakpoint with the one-byte INT 3 instruction (opcode 0xCC, at least on the x86 architecture), which is a special software interrupt. In this case, we're passing the value 3 to the instruction INT, which means we're generating software interrupt 3. This causes the handler referenced by the 3rd vector of the Interrupt Descriptor Table (IDT) to be executed; the kernel then reports the event to the attached debugger (as EXCEPTION_BREAKPOINT on Windows, or SIGTRAP on Linux). I guess we're all familiar with INT 0x80, which makes a system call on 32-bit Linux systems.
The INT 3 instruction temporarily replaces the current instruction in a running program. This is how the debugger knows that a software breakpoint has occurred and the program's execution should be stopped. After that, the debugger restores the original byte and moves the instruction pointer back so the program can continue without losing an instruction, which would otherwise cause abnormal program behavior.
When we use a hardware breakpoint, it's the processor's job to know when the breakpoint has been hit and the program has to be stopped: the address is held in the debug registers DR0 to DR3 and enabled through DR7. This is why the program's code is not modified when a hardware breakpoint is set.
When the breakpoint is hit, the program is stopped and we can safely examine it in our favorite debugger. At that point we can run instructions step by step, either stepping into functions or stepping over them, which executes the whole call in one go. If we're interested in what a function does, we step into it; otherwise we can safely step over it. When stepping through the code, each instruction is executed on its own and then the program is stopped again, so we're able to analyze what the instruction has just done.

Stepping through the code in a debugger relies on the Trap Flag (TF) in the EFLAGS register. When TF is set, the processor raises a single-step debug exception (vector 1) after every executed instruction, which the debugger catches, so we get the feeling of stepping through the program instruction by instruction.
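As an added example (not from the article or its author), here is the checking side of what the preceding paragraphs describe: because a software breakpoint leaves a 0xCC byte in the code, a program can scan or checksum its own instruction bytes to notice one. The byte arrays and the FNV-1a checksum are my constructions for illustration; hardware breakpoints change nothing in memory and are not caught by this.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not part of the article.
 * A debugger sets a software breakpoint by overwriting the first byte of the
 * target instruction with 0xCC (INT 3). A program that knows what its own code
 * should look like can notice the patch in two ways:
 *   1. scan the protected region for 0xCC bytes;
 *   2. checksum the region and compare with a value recorded at build time.
 */

/* Count 0xCC bytes in [code, code + len). */
size_t count_int3(const uint8_t *code, size_t len)
{
    size_t hits = 0;
    for (size_t i = 0; i < len; i++) {
        if (code[i] == 0xCC)
            hits++;
    }
    return hits;
}

/* 32-bit FNV-1a over the region; any single-byte patch changes the result. */
uint32_t fnv1a32(const uint8_t *code, size_t len)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < len; i++) {
        h ^= code[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Returns 1 if the region no longer matches the checksum recorded for it. */
int code_is_patched(const uint8_t *code, size_t len, uint32_t expected)
{
    return fnv1a32(code, len) != expected;
}

/* Constructed sample: x86 bytes for
 *   push ebp; mov ebp, esp; xor eax, eax; pop ebp; ret
 * as the compiler emitted them, and the same bytes after a debugger placed a
 * breakpoint on the first instruction (0x55 became 0xCC). */
static const uint8_t k_clean[]   = { 0x55, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3 };
static const uint8_t k_patched[] = { 0xCC, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3 };

int main(void)
{
    /* In a real build this value is computed once and baked into the binary. */
    uint32_t expected = fnv1a32(k_clean, sizeof k_clean);

    printf("clean:   int3=%zu patched=%d\n",
           count_int3(k_clean, sizeof k_clean),
           code_is_patched(k_clean, sizeof k_clean, expected));
    printf("patched: int3=%zu patched=%d\n",
           count_int3(k_patched, sizeof k_patched),
           code_is_patched(k_patched, sizeof k_patched, expected));
    return 0;
}
```

Two caveats for real use: 0xCC can legitimately occur as an immediate operand or as alignment padding, so a raw scan of compiler output needs to be restricted to known instruction boundaries, which is why the checksum form is the usual choice; and a breakpoint placed on the checking routine itself is caught only if that routine is inside the checksummed region.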


IsDebuggerPresent is a Windows API function, shown on the picture below:

The function doesn't take any arguments and returns a Boolean value telling us whether the program is running under a debugger or not. It can be used to trivially detect whether a debugger is being used to run the program. The function reads the Process Environment Block (PEB) to find out whether a user-mode debugger is attached; it says nothing about kernel debuggers.
Let's create a simple program that prints the number 0 if a debugger is present and 1 if it is not. We can do that by first creating an empty console project under Visual Studio C++ and then changing the code of the main cpp file to the following:
// isdebuggerpresent.cpp : Defines the entry point for the console application.

#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>

int _tmain(int argc, _TCHAR* argv[])
{
    int num;

    /* IsDebuggerPresent() returns nonzero when a user-mode debugger is attached */
    if (IsDebuggerPresent()) {
        num = 0;
    }
    else {
        num = 1;
    }

    printf("Number: %d\n", num);

    /* wait for a key so the console window stays open */
    getchar();

    return 0;
}
The program prints "Number: 0" if a debugger is present and "Number: 1" if it is not. If we run the application under Visual Studio, the program displays 0 because it's being run under a debugger. This can be seen on the picture below:

Let's also run the program under OllyDbg to be sure that 0 is displayed. This can be quickly confirmed by loading the executable and running it. On the picture below, we can see that 0 was printed when the program was run under the OllyDbg debugger:

But if we run the same program from a normal cmd.exe, it displays 1. This can be seen on the picture below:

We can see that the IsDebuggerPresent API call works as expected, but also that it is easy to spot and bypass: we can quickly find the call in the executable and delete or patch it. To do this, we simply open the executable in IDA and look at the Imports table to verify whether the function is imported at all. We're right: IsDebuggerPresent is listed among the imported functions, as we can see on the picture below:

This is a clear indication that the executable behaves differently when a debugger is attached. We can also locate the exact instructions that call the function. The IDA graph of the main function, which does exactly the same as the main function from the C++ source code above, is presented on the picture below:

We can see that, at first, we set up the stack frame for the function and call IsDebuggerPresent. After that, the returned value in eax is tested against itself (test eax, eax) to determine whether a true or false value came back. The test instruction sets the zero flag only when eax is 0. If eax is nonzero (1 in our case, because we're running under a debugger) the zero flag stays clear, the conditional jump (jz) to the else block is not taken, and the first block, which sets [ebp+num] to 0, executes; otherwise the jump is taken and the block that sets [ebp+num] to 1 runs. After that, the value of [ebp+num] is moved into eax and printed with printf.
If we now set a breakpoint on the call to IsDebuggerPresent and rerun the program, execution stops right where we want it. After the breakpoint has been hit, we can step into the function to see what it actually does. On the picture below, we can see the function in question:

The function is pretty simple: it loads the address of the current thread's Thread Environment Block (the TEB, also called the TIB) into eax from fs:[0x18], the TEB's self pointer, then reads the member at offset 0x30 of the TEB, which is the pointer to the Process Environment Block (PEB). With the PEB address in eax it reads the byte at offset 0x2, the field named BeingDebugged, which the kernel sets when a user-mode debugger attaches to the process. (On 64-bit Windows the PEB pointer sits at gs:[0x60] instead, and BeingDebugged is still at offset 2.) Thus we've successfully taken a look at what IsDebuggerPresent actually does and how it does it. It's very simple and not really hard to bypass.

We can suspect that IsDebuggerPresent is being used when, while reverse engineering an executable, the program terminates prematurely, takes a different execution path, or does something else unexpected. In such cases we first check the Imports table to see if IsDebuggerPresent is referenced anywhere in the executable. If it is, we can simply NOP out the call (or flip the conditional jump that follows it) so it won't bother us when reversing the executable. Alternatively, since the API does nothing but read one byte, we can set PEB.BeingDebugged to 0 from within the debugger and every check of that field is defeated at once.
On the other hand, if we're developing a program and want the effect of IsDebuggerPresent, we can copy the instructions above directly into our code, so that we never call IsDebuggerPresent itself but use its body to find out whether a debugger is running the executable. This is just another trick so that reverse engineers won't immediately notice the check in the Imports table, which makes debugging slightly more complicated; it is still defeated by clearing the PEB byte, by hand or with a debugger plugin that does so automatically.
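As an added example (not from the article), this is the inlined check just described, written in C rather than assembly, together with the nearest Linux equivalent so it can be run on either platform. On Windows it walks TEB -> PEB -> BeingDebugged through the structures declared in winternl.h instead of calling IsDebuggerPresent, so nothing appears in the Imports table; on Linux it reads the TracerPid field of /proc/self/status, which is nonzero while a ptrace()-based debugger is attached. The function names debugger_present and parse_tracer_pid, and the sample status text with its pids, are my own constructions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <winternl.h>
#endif

/* Added example, not part of the article.
 * debugger_present() performs the same walk as IsDebuggerPresent,
 * TEB -> PEB -> BeingDebugged, without importing IsDebuggerPresent.
 * On Linux there is no PEB; the nearest equivalent is the TracerPid line in
 * /proc/self/status, which holds the pid of the tracer (gdb, strace) or 0. */

/* Parse the TracerPid line out of /proc/self/status text.
 * Returns the tracer's pid, or 0 if there is no tracer (or no such line). */
long parse_tracer_pid(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL)
        return 0;
    p += strlen("TracerPid:");
    while (*p == ' ' || *p == '\t')
        p++;
    return strtol(p, NULL, 10);
}

/* 1 if a user-mode debugger/tracer is attached to this process, else 0. */
int debugger_present(void)
{
#ifdef _WIN32
    /* winternl.h's TEB/PEB layouts expose the fields the API reads through
     * fs:[0x30] (x86) / gs:[0x60] (x64) and then PEB+0x2, so no segment
     * register access has to be hand-written here. */
    PPEB peb = NtCurrentTeb()->ProcessEnvironmentBlock;
    return peb->BeingDebugged != 0;
#else
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0;                      /* no procfs: cannot tell, assume not */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_tracer_pid(buf) != 0;
#endif
}

/* Constructed excerpt of /proc/self/status as it looks under gdb
 * (pids are made up for the example). */
static const char k_status_traced[] =
    "Name:\tisdebugger\nState:\tt (tracing stop)\nPid:\t4242\n"
    "TracerPid:\t4101\nUid:\t1000\t1000\t1000\t1000\n";

int main(void)
{
    /* Same output convention as the article's program: 0 if debugged, else 1. */
    printf("Number: %d\n", debugger_present() ? 0 : 1);
    printf("sample TracerPid: %ld\n", parse_tracer_pid(k_status_traced));
    return 0;
}
```

The limitation noted above still applies: on Windows the inlined check reads the same PEB byte as the API, so writing 0 to BeingDebugged from the debugger defeats both; on Linux a tracer can hide by detaching just before the check, and a hooked libc can return a doctored /proc/self/status.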

For a deeper understanding of reverse engineering, check out the reverse engineering training course offered by the InfoSec Institute. In this article we've seen a few techniques to harden the reverse engineering process. The easiest to bypass is symbol elimination, where all the symbols in the executable are deleted; this makes function names unavailable when debugging and leaves the reverser to name the functions themselves. Another technique is program obfuscation, which can be as simple as XORing the whole executable and decoding it at run time, but can also get pretty complicated. Things get harder still when obfuscation is combined with anti-reversing techniques that detect the program being debugged and terminate it prematurely, greatly hardening the reverse engineering of the executable.
[1]: Eldad Eilam, Reversing: Secrets of Reverse Engineering.

by Rishabh Dangwal · 0

All Rights Reserved by Pro Hack. Copyright 2008 - 2011. Template by Bloggermint.