<h2>Pro Hack</h2>
<p><b>Computer security, tools, rants and misc stuff. v3.2</b> (author: rish)</p>
<h2>Ransomware cyber response - Lessons from the trenches</h2>
<p>Posted 2022-12-27</p>
<p class="reader-text-block__paragraph" style="text-align: center;">" <i>On a long enough timeline, the survival rate of an organization against a dedicated adversary drops to zero.</i> " <br /></p><p class="reader-text-block__paragraph">7 years back, around this time, on a long night in the middle of
nowhere, I encountered a curious malware sample. Something didn't feel
right about it, and thankfully my schedule was wide open.
</p>
<p class="reader-text-block__paragraph">
As I went through the <a href="https://otx.alienvault.com/indicator/file/b7d9f11c166fa1a4ceef446dd9c8561c77115cb3ce4910a056dd6a361338a2b0/">sample</a>, I was able to glean a couple of things – it encrypted files, left a backdoor (the classic “<a href="https://www.theprohack.com/2009/02/hack-administrator-from-guest-account.html" target="_blank"><i>sethc</i></a>” trick) and required manual intervention for execution. It also tried to reach out to a C2 IP (<i>184.107.251.146</i>). Ergo, with some effort, I was able to deduce its tactics and surmise its nature. </p><p class="reader-text-block__paragraph" style="text-align: center;"><img alt="On a long enough timeline, the survival rate of an organization against a dedicated adversary drops to zero." class="reader-cover-image__img lazy-image ember-view" height="349" id="ember443" src="https://media.licdn.com/dms/image/D4D12AQHfyFf2RE-7ow/article-cover_image-shrink_720_1280/0/1672147958267?e=1677715200&v=beta&t=vwkYJTM_RlCdv9MOlVVjq-PPI740vO38J7Kheh3uehs" width="640" /> <br /></p>
<p class="reader-text-block__paragraph">
It was my first brush with “<i>LeChiffre</i>”, a malware that offered “<i>Ransomware as a Service</i>”
or RaaS capabilities. I was young then, and could not have comprehended
the sheer scale of the RaaS industry that would later unfold in front of
my eyes.
</p>
<p class="reader-text-block__paragraph">
Back then, ransomware (or "<i>Scareware</i>", its forebear)
used to be opportunistic software, typically run by a
ragtag gang of cyber criminals. Organized criminal gangs were yet to
realize the immense potential of RaaS from a financial and operational
risk standpoint. Over time, RaaS would evolve into a vast
enterprise with functions akin to the heads of a hydra – ransomware
gangs, exploit brokers, forum owners, initial access brokers, chat
support operators, ransomware developers, infrastructure providers and
so on. Law enforcement may slay one head; another will take its
place and assume dominance.
</p>
<p class="reader-text-block__paragraph">
Now, as I look back, 75 plus "<i>cyber response incidents</i>"
wiser – that was the moment that actually defined my strategy towards
ransomware incidents in particular. Through this post, I would like to
share some key lessons that might help you improve your cyber security
posture and preparedness against a ransomware incident. </p><h3 class="reader-text-block__heading1" style="text-align: left;">
<span style="font-size: medium;"><b>Don’t Panic!</b></span>
</h3>
<figure class="reader-image-block__figure">
<img alt="Panic is the mother of chaos, and father of discord" class="ivm-view-attr__img--centered reader-image-block__img lazy-image ember-view" height="450" id="ember453" src="https://media.licdn.com/dms/image/D4D12AQEYBFI073mMdA/article-inline_image-shrink_1000_1488/0/1672147314152?e=1677715200&v=beta&t=4a_CU11w6CD5uWXQkS2u9yumtuwTFb4tOdoDPuzSxWQ" width="640" />
</figure>
<p class="reader-text-block__paragraph" style="text-align: center;">
“<i> Don't panic, because everything is probably all right, and if it's not, panicking will make it worse</i>. ” – <b>Emily Barr</b>
</p>
<p class="reader-text-block__paragraph">
Ransomware incidents have the power to bring an enterprise to a
grinding halt. Double and triple extortion tactics are aimed squarely
where it hurts the most – reputation and regulators.
However, know this – you are not the first it has happened to, nor
will you be the last. If you play your cards right, you will
become percipient and resilient.
</p>
<p class="reader-text-block__paragraph">
<i>Enterprise-wide panic does nothing to solve an ongoing crisis. </i></p><h3 class="reader-text-block__heading1" style="text-align: left;">
<span style="font-size: medium;"><b>A single source of truth.</b></span>
</h3>
<figure class="reader-image-block__figure">
<img alt="The path to truth is not for the faint hearted" class="ivm-view-attr__img--centered reader-image-block__img lazy-image ember-view" height="427" id="ember454" src="https://media.licdn.com/dms/image/D4D12AQGxDjivlb0ENA/article-inline_image-shrink_1000_1488/0/1672147569411?e=1677715200&v=beta&t=d9L6adt0Fnq4yrqslqyF24NROWnBX5A-HyHZGSVKlAI" width="640" />
</figure>
<p class="reader-text-block__paragraph" style="text-align: center;">
“ <i>Experiment is the sole source of truth. It alone can teach us something new; it alone can give us certainty.</i>” – <b>Henri Poincare</b>
</p>
<p class="reader-text-block__paragraph">
I cannot overstate the importance of log availability and coverage
during the course of a ransomware incident. Attackers love to wipe logs
to impede cyber response and to deter root cause analysis (RCA). A centralized log repository
acts as a single source of truth from a monitoring, detection and
response standpoint.
</p>
<p class="reader-text-block__paragraph">
Ensure your critical assets are correctly configured to send logs to
a centralized repository or a SIEM, and that they are sending the right
telemetry to provide early warning of an impending attack.
</p>
<p class="reader-text-block__paragraph">
<i>Your source of truth is the backbone of your security operations, and preparedness.</i>
</p>
<h3 class="reader-text-block__heading1" style="text-align: left;">
<span style="font-size: medium;"><b>Seat-belts first.</b></span>
</h3>
<figure class="reader-image-block__figure">
<img alt="Seat-belts, the yard stick of your risk appetite" class="ivm-view-attr__img--centered reader-image-block__img lazy-image ember-view" height="427" id="ember455" src="https://media.licdn.com/dms/image/D4D12AQELylEBGT4V8Q/article-inline_image-shrink_1000_1488/0/1672146991886?e=1677715200&v=beta&t=1Frp55rMAguCcw4o57VOI3tjz2VnPWHncoXRtfkoBbI" width="640" />
</figure>
<p class="reader-text-block__paragraph" style="text-align: center;">
“<i> Superman don't need no seat belt</i>. ” – <b>Muhammad Ali</b>
</p>
<p class="reader-text-block__paragraph">
For the lesser mortals, seat-belts first.
</p>
<p class="reader-text-block__paragraph">
Ensure your environments are configured with a “<i>seatbelts first</i>”
mindset; it hurts to get hacked later on. I have observed production
applications deployed on environments with key security settings
disabled, because those settings were observed to interfere with the application's
functionality. Instead of fixing the issues with the application
behavior via the developer or vendor route, the security defenses were
disabled in the interest of going live.
</p>
<p class="reader-text-block__paragraph">
This provides an attacker with good opportunities to target
vulnerable environments; and their owners with an opportunity to learn
costly lessons later on.
</p>
<p class="reader-text-block__paragraph">
<i>When in doubt, seat-belts first.</i>
</p>
<h3 class="reader-text-block__heading1" style="text-align: left;">
<span style="font-size: medium;"><b>You cannot protect what you cannot see.</b></span>
</h3>
<figure class="reader-image-block__figure">
<img alt="Underestimate the value of visibility at your own peril" class="ivm-view-attr__img--centered reader-image-block__img lazy-image ember-view" height="360" id="ember456" src="https://media.licdn.com/dms/image/D4D12AQFqD5juVSXj7A/article-inline_image-shrink_1000_1488/0/1672147770361?e=1677715200&v=beta&t=DWYl4_D9yUwaWTg47n2GQIULqwvquDk47S3itoDCjfQ" width="640" />
</figure>
<p class="reader-text-block__paragraph" style="text-align: center;">
“<i> The power of visibility can never be underestimated.</i> ” – <b>Margaret Cho</b>
</p>
<p class="reader-text-block__paragraph">
Countless times, I have observed an internet-exposed RDP service on a server configured for “<i>Rob</i>”. Rob was a project admin with administrator privileges, and his server had an “<i>Any-Any</i>” firewall rule. The server was not integrated with the SIEM as it was a "<i>test environment</i>", and it was not protected by anti-virus as that interfered with testing. Rob used to access the server through AnyDesk or RDP.
</p>
<p class="reader-text-block__paragraph">
Few remember when Rob left the organization; fewer still know about that exposed, poorly secured server.
</p>
<p class="reader-text-block__paragraph">
The RCA report will reveal that the attackers knew about that server and leveraged RDP to pivot inside, unobtrusively.
</p>
<p class="reader-text-block__paragraph">
You may laugh now, but I know your deepest fears. <i>Ultimately, you cannot protect what you cannot see.</i>
</p>
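The "single source of truth" and "you cannot protect what you cannot see" lessons above both reduce to one reconciliation: the asset inventory against what the firewall, the SIEM and endpoint protection actually report. The following Python is an added example (not code from the original post) that performs that reconciliation over constructed sample data and would surface a server like Rob's; the hostnames, owners, rules and the 24-hour heartbeat window are all assumptions.

```python
"""Asset visibility audit: find assets that are exposed but not observable.

Added example (not code from the original post). It reconciles a constructed
asset inventory against firewall rules, SIEM heartbeat data, endpoint
protection and owner status, and surfaces "Rob's server" style assets:
any-any rule, remote access open to the world, no SIEM telemetry, no
anti-virus, owner gone. All hosts, owners and rules are sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Asset:
    hostname: str
    owner: str
    owner_active: bool   # False once the owner has left the organization
    av_installed: bool


@dataclass
class FirewallRule:
    host: str
    src: str             # "any" or a source CIDR
    dst_port: str        # "any" or a port number
    action: str          # "allow" or "deny"


# Constructed sample inventory and control data (assumptions, not real hosts).
INVENTORY = [
    Asset("dc01", "itops", True, True),
    Asset("web01", "appteam", True, True),
    Asset("build02", "devops", True, True),
    Asset("fs01", "bob", False, True),
    Asset("rob-test01", "rob", False, False),
]
FIREWALL_RULES = [
    FirewallRule("web01", "any", "443", "allow"),
    FirewallRule("build02", "any", "22", "allow"),
    FirewallRule("dc01", "10.0.0.0/8", "3389", "allow"),
    FirewallRule("rob-test01", "any", "any", "allow"),
]
NOW = datetime(2022, 12, 27, 22, 0, 0)
# Most recent event per host in the SIEM (constructed); rob-test01 has none.
LAST_SEEN = {
    "dc01": NOW - timedelta(minutes=5),
    "web01": NOW - timedelta(hours=2),
    "build02": NOW - timedelta(days=3),
    "fs01": NOW - timedelta(minutes=1),
}
HEARTBEAT_MAX_AGE = timedelta(hours=24)       # assumption: tune per asset class
REMOTE_ACCESS_PORTS = {"3389", "22", "5900"}  # RDP, SSH, VNC


def exposure_findings(asset, rules):
    """Finding codes for inbound allow rules reachable from any source."""
    findings = []
    for r in rules:
        if r.host != asset.hostname or r.action != "allow" or r.src != "any":
            continue
        if r.dst_port == "any":
            findings.append("exposed:any-any")
        elif r.dst_port in REMOTE_ACCESS_PORTS:
            findings.append(f"exposed:port-{r.dst_port}")
    return findings


def telemetry_findings(asset, last_seen, now):
    """Flag hosts the SIEM has never heard from, or not within the window."""
    seen = last_seen.get(asset.hostname)
    if seen is None:
        return ["telemetry:none"]
    if now - seen > HEARTBEAT_MAX_AGE:
        return ["telemetry:stale"]
    return []


def audit(inventory, rules, last_seen, now):
    """Return {hostname: [finding codes]} for assets with at least one finding."""
    report = {}
    for a in inventory:
        findings = exposure_findings(a, rules) + telemetry_findings(a, last_seen, now)
        if not a.av_installed:
            findings.append("av:missing")
        if not a.owner_active:
            findings.append("owner:inactive")
        if findings:
            report[a.hostname] = findings
    return report


def prioritise(report):
    """Hosts that are both exposed and blind first, then by finding count."""
    def key(item):
        host, findings = item
        exposed = any(f.startswith("exposed:") for f in findings)
        blind = any(f.startswith("telemetry:") for f in findings)
        return (exposed and blind, len(findings), host)
    return [host for host, _ in sorted(report.items(), key=key, reverse=True)]
```

Run `prioritise(audit(INVENTORY, FIREWALL_RULES, LAST_SEEN, NOW))` to get the hosts in order of urgency; the exposed-and-blind ones are the Rob servers that need an owner, a SIEM feed and a firewall review before anything else.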
<h3 class="reader-text-block__heading1" style="text-align: left;">
<span style="font-size: medium;"><b>Shields up!</b></span>
</h3>
<figure class="reader-image-block__figure">
<img alt="Armor only protects warriors, the unprepared tend to get slaughtered" class="ivm-view-attr__img--centered reader-image-block__img lazy-image ember-view" height="427" id="ember457" src="https://media.licdn.com/dms/image/D4D12AQFDSp0NIX-ZKg/article-inline_image-shrink_1000_1488/0/1672146827481?e=1677715200&v=beta&t=25CHA5ztkscKLh1Bt7noqCvO4ij2keOvattvSBtpVig" width="640" />
</figure>
<p class="reader-text-block__paragraph" style="text-align: center;">
“<i> Shall we raise our shields, Captain?</i> ” – <b>Pavel Chekov</b>
</p>
<p class="reader-text-block__paragraph">
While C.I.A. principles are good for compliance, I would argue
environment compartmentalization is a better strategy for all practical
purposes. Containerize your applications, and test applications on containers
before they are deployed to production. Implement segmentation (<i>and micro-segmentation</i>), actually enable payload & TLS inspection on firewalls, and stop turning secure defaults off.
</p>
<p class="reader-text-block__paragraph">
Backups are a different ball game altogether; ensure they are
protected adequately and tested religiously. They are the linchpin of a
successful recovery operation against a ransomware attack.
</p>
<p class="reader-text-block__paragraph">
Your sysadmin’s machine is probably the most insecure machine in the
network; access to it exposes everything. Leverage PIM or MFA (<i>hardware tokens, authenticator apps</i>)
for authentication and escalation of privileges across the environment.
Implement the principle of least privilege and stop having exceptions for
special user groups – security is an onus for everyone.
</p>
<p class="reader-text-block__paragraph">
Funnel the aforementioned telemetry to the SIEM and tune it with at
least the MITRE ATT&CK use cases. Have trained eyes to action
anomalies and make your environment a cold and unwelcome place for
adversaries.
</p>
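As an added illustration of tuning the SIEM with MITRE ATT&CK use cases (example code, not from the original post): three detections drawn from this article's own story, log clearing, an RDP logon from outside the network, and a burst of failed logons followed by a success, run over constructed Windows-style event records. The JSON field names, event hosts and thresholds are assumptions, not any particular SIEM's schema.

```python
"""Three MITRE ATT&CK use cases over constructed Windows-style event records.

Added example, not from the original post. The records are constructed JSON
lines in the shape a SIEM collector might emit; field names are assumptions.
  T1070.001  Security log cleared (event 1102) or System log cleared (104)
  T1021.001  RDP logon (4624, LogonType 10) from a non-private address
  T1110      burst of failed logons (4625) from one source, then a success
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (203.0.113.0/24 is a documentation range).
EVENTS_JSONL = """\
{"ts": "2022-12-27T01:10:00", "host": "rob-test01", "channel": "Security", "id": 4625, "src_ip": "203.0.113.45", "user": "administrator"}
{"ts": "2022-12-27T01:11:00", "host": "rob-test01", "channel": "Security", "id": 4625, "src_ip": "203.0.113.45", "user": "administrator"}
{"ts": "2022-12-27T01:12:00", "host": "rob-test01", "channel": "Security", "id": 4625, "src_ip": "203.0.113.45", "user": "rob"}
{"ts": "2022-12-27T01:13:00", "host": "rob-test01", "channel": "Security", "id": 4625, "src_ip": "203.0.113.45", "user": "rob"}
{"ts": "2022-12-27T01:14:00", "host": "rob-test01", "channel": "Security", "id": 4625, "src_ip": "203.0.113.45", "user": "rob"}
{"ts": "2022-12-27T01:15:00", "host": "rob-test01", "channel": "Security", "id": 4625, "src_ip": "203.0.113.45", "user": "rob"}
{"ts": "2022-12-27T01:16:00", "host": "rob-test01", "channel": "Security", "id": 4624, "src_ip": "203.0.113.45", "user": "rob", "logon_type": 10}
{"ts": "2022-12-27T01:30:00", "host": "dc01", "channel": "Security", "id": 4624, "src_ip": "10.0.5.20", "user": "itops-admin", "logon_type": 10}
{"ts": "2022-12-27T01:45:00", "host": "web01", "channel": "Security", "id": 4624, "user": "svc-web", "logon_type": 5}
{"ts": "2022-12-27T02:00:00", "host": "rob-test01", "channel": "Security", "id": 1102, "user": "rob"}
{"ts": "2022-12-27T02:01:00", "host": "rob-test01", "channel": "System", "id": 104, "user": "rob"}
"""

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOG_CLEARED = {("Security", 1102), ("System", 104)}
RDP_LOGON_TYPE = 10              # RemoteInteractive
BRUTE_FORCE_THRESHOLD = 5        # assumption: tune to the environment
BRUTE_FORCE_WINDOW = timedelta(minutes=10)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def is_external(ip):
    """True for a routable address outside RFC 1918 space."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # missing or malformed source address
        return False
    return not any(addr in net for net in PRIVATE_NETS)


def detect(events):
    """Return (technique, host, description) tuples in event order."""
    alerts = []
    failures = defaultdict(list)   # (host, src_ip) -> timestamps of 4625s
    for e in events:
        host, eid, src = e["host"], e["id"], e.get("src_ip", "")
        if (e["channel"], eid) in LOG_CLEARED:
            alerts.append(("T1070.001", host,
                           f"{e['channel']} log cleared by {e.get('user')}"))
        elif eid == 4625:
            failures[(host, src)].append(e["ts"])
        elif eid == 4624:
            if e.get("logon_type") == RDP_LOGON_TYPE and is_external(src):
                alerts.append(("T1021.001", host,
                               f"RDP logon for {e['user']} from external {src}"))
            recent = [t for t in failures[(host, src)]
                      if e["ts"] - t <= BRUTE_FORCE_WINDOW]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                alerts.append(("T1110", host,
                               f"{len(recent)} failed logons from {src} "
                               f"then success for {e['user']}"))
            failures[(host, src)].clear()
    return alerts


if __name__ == "__main__":
    for technique, host, desc in detect(parse_events(EVENTS_JSONL)):
        print(f"[{technique}] {host}: {desc}")
```

On the sample data every alert lands on rob-test01, which is the point: the log-cleared events at the end are exactly the moment a centralized copy of the logs earns its keep.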
<p class="reader-text-block__paragraph">
<i>Keep your shields up.</i>
</p>
<h3 class="reader-text-block__heading1" style="text-align: left;">
<span style="font-size: medium;"><b>Practice, practice and practice!</b></span>
</h3>
<figure class="reader-image-block__figure">
<img alt="Uncharted waters demand unrelenting practice" class="ivm-view-attr__img--centered reader-image-block__img lazy-image ember-view" height="427" id="ember458" src="https://media.licdn.com/dms/image/D4D12AQFk0jK8HWlzZQ/article-inline_image-shrink_1000_1488/0/1672146550507?e=1677715200&v=beta&t=XgsK8baREhMtlzTZ3_qdpcCNL5bB6FH8NWtX9I2F48E" width="640" />
</figure>
<p class="reader-text-block__paragraph" style="text-align: center;">
“<i> Amateurs practice till they get it right, professionals practice till they can't get it wrong.</i> ” – <b>Anonymous</b>
</p>
<p class="reader-text-block__paragraph">
Offensive exercises such as red teaming may help identify attack
avenues that you might not have considered as part of your existing
threat model. Cyber drills may reveal the response paradigms and
preparedness of your organization against a cyber attack.
</p>
<p class="reader-text-block__paragraph">
Cyber drills or ransomware simulations may help uncover pain areas that
can induce panic and reduce operational effectiveness during the course of
a ransomware incident – such as miscommunication, stakeholder
accountability, regulator reporting & compliance measures,
availability of technical owners and vendors, vendor support clauses,
communication channels, PR strategy and communication, the decision-making
process, etc.
</p>
<p class="reader-text-block__paragraph">
<i>Practice till it becomes second nature.</i>
</p>
<h3 class="reader-text-block__heading1" style="text-align: left;">
<span style="font-size: medium;">Epilogue</span>
</h3>
<figure class="reader-image-block__figure">
<img alt="Never invite an enemy for a dance" class="ivm-view-attr__img--centered reader-image-block__img lazy-image ember-view" height="427" id="ember459" src="https://media.licdn.com/dms/image/D4D12AQEm9xGyQU1JVg/article-inline_image-shrink_1000_1488/0/1672149873110?e=1677715200&v=beta&t=1pZkIXw-O4HODpbZhRIxvjge67O_IGSzPmUaglEGlsc" width="640" />
</figure>
<p class="reader-text-block__paragraph" style="text-align: center;">
“ <i>The winner of the game is the player who makes the next-to-last mistake.</i> ” – <b>Tartakower</b>
</p>
<p class="reader-text-block__paragraph">
Ransomware, or any other cyber attack for that matter, is a perpetual
game of cat and mouse. The attackers will keep hunting for the right
opportunity, while the defenders face the ever-looming "<i>goalkeeper's paradox</i>".
In the grand scheme of things, reducing the opportunities available to an
invisible, impending attacker helps protect against known-unknowns, and
potentially unknown-unknowns.
</p>
<p class="reader-text-block__paragraph">
Cyber, just like any other discipline, is susceptible to the usual
debates on the technicalities of implementation, nuances of operations,
verbiage of policy, and stratagems of the future. But when the curtain falls
in the event of an incident, <i>exeunt omnes</i> – only the principles and lessons learnt remain, forged by the experience, decisiveness and preparedness of an organization.
</p>
<p class="reader-text-block__paragraph">
Happy holidays!</p>
<p class="reader-text-block__paragraph">
<i>Thanks to </i><a data-entity-hovercard-id="urn:li:fs_miniProfile:ACoAACWXKu0BZznZglicZL2nuWfSbaQ9_a06VIc" data-entity-type="MINI_PROFILE" href="https://www.linkedin.com/in/dasarath-selvakumar?miniProfileUrn=urn%3Ali%3Afs_miniProfile%3AACoAACWXKu0BZznZglicZL2nuWfSbaQ9_a06VIc">Dasarath S</a><i> and </i><a data-entity-hovercard-id="urn:li:fs_miniProfile:ACoAABL9RKkBPgd26eOmUGVirUDsi3zTwlOBZP4" data-entity-type="MINI_PROFILE" href="https://www.linkedin.com/in/vivekguptafc?miniProfileUrn=urn%3Ali%3Afs_miniProfile%3AACoAABL9RKkBPgd26eOmUGVirUDsi3zTwlOBZP4">Vivek Gupta</a><i> for proofreading. This was cross posted on my personal blog as well. </i>Added inputs from a backup standpoint as rightly pointed out by <a data-entity-hovercard-id="urn:li:fs_miniProfile:ACoAAAJxjCsBpUGUj2fkTicb_84AWup9bTqtbTQ" data-entity-type="MINI_PROFILE" href="https://www.linkedin.com/in/vikramjeetsinghk?miniProfileUrn=urn%3Ali%3Afs_miniProfile%3AACoAAAJxjCsBpUGUj2fkTicb_84AWup9bTqtbTQ">Vikram Jeet Singh</a>. </p><p class="reader-text-block__paragraph"> This was cross posted on my <a href="https://www.linkedin.com/pulse/ransomware-cyber-response-lessons-from-trenches-rishabh-dangwal/" rel="nofollow" target="_blank">linkedin blog</a> as well. <br /></p>
<div class="blogger-post-footer">Thanks for your readership.
Be a Pro,Visit Prohack.
RD</div>
<h2>Some perspectives on the rise of ransomware attacks</h2>
<p>Posted 2021-08-24</p>
<p>Crime as a Service has evolved into Ransomware as a Service (“RaaS”).
The rise of ransomware attacks on companies and the way they are
escalating both in terms of scale and tactics is something that was in
the making for quite some time. I wished to document my own thoughts on
why it has been the case. </p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmKSq9DYCE7y-GfYYHmk6wKPpdFZC-eYCr_xn_p3ISqAwGGk4Yaw5ZgOrNy9fQcuOgq3mslibhr3rNJN1zZlzHchZvfWcJhw2K_3qTmE6C-IgROJ3r7tqmog1oy2DtvmyYmmlaiQ-do7cx/s912/Screenshot+2021-08-24+at+16.37.18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="552" data-original-width="912" height="243" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmKSq9DYCE7y-GfYYHmk6wKPpdFZC-eYCr_xn_p3ISqAwGGk4Yaw5ZgOrNy9fQcuOgq3mslibhr3rNJN1zZlzHchZvfWcJhw2K_3qTmE6C-IgROJ3r7tqmog1oy2DtvmyYmmlaiQ-do7cx/w400-h243/Screenshot+2021-08-24+at+16.37.18.png" width="400" /> </a></div><div class="separator" style="clear: both; text-align: center;"><figure class="reader-cover-image--grid
relative"><figcaption class="reader-cover-image__caption t-12 t-black--light t-normal" itemprop="caption">
"Ransomware" by Stratageme.com is licensed with CC BY-NC-SA 2.0.</figcaption><br /></figure></div><p>Previously, RaaS was a one-stop shop
of techniques – the threat actors themselves had to scout, breach, infiltrate,
spread, exfiltrate and extort. The RaaS scene has since evolved
into groups that specialise in each of these skill areas.
RaaS operators focus on ensuring their ransomware is fast, has
good post-encryption support and has low detection rates, instead of doing all
of the above-mentioned steps themselves. For instance, ransomware actors
today buy initial access from “Initial Access Brokers” (“IAB”) –
pentesters who have already broken into target networks – or buy RDP
access to compromised networks for as low as USD 5. The IAB affiliates
(or in some cases RaaS groups) use native utilities or leverage Living
off the Land Binaries (LOLBins) to stay under the radar for extended
periods of time. Scouts offer their services on forums like XSS, dread,
exploit, raidforums et al. Affiliates with low activity see their
reputation go down or their access is shut off by RaaS operators.</p><p>Since
this is effectively a well-oiled industry now, it has led to the formation
of cartels. The Maze cartel consists of LockBit, Ryuk, Conti, Egregor,
Suncrypt and Ragnar Locker, to name a few. The RaaS operators also closely
coordinate to share techniques and infrastructure. BlackMatter has tried
to incorporate techniques from fellow ransomware threat actors LockBit
and DarkSide. Groups typically close shop when they attract too much
heat or their infrastructure is blown – they then wait, change names and
emerge later. Infrastructure-wise, for instance, once an IP is blacklisted it
becomes very difficult to whitelist it, hence the IP will be circulated
from one gang to another since no good enterprise is going to touch it
with a 10-foot pole. This makes threat intelligence an increasingly
important and viable solution for identifying threats pre-emptively.</p><p>This
brings us to the other side of the table. The core question – why is
this happening and what makes it a profitable business for cyber
attackers? For this shady business to sustain itself, you need pseudo-anonymity
as a key pillar. Let’s not confuse it with anonymity. Anonymity is when
you can’t tell if X or Y was the threat actor. Pseudo-anonymity is when
you know X was the threat actor but you don’t know who the people
behind X are. This helps create a certain brand, an idea, an agency.
Considering honour among thieves, it makes you a good anchor point for
like-minded associates.</p><p> “<em>And ideas, are bulletproof</em>”</p><p> We
know actors: DarkSide, REvil, multiple APTs. We know their brand. Their
affiliates and customers (ahem.. targets) know it too.</p><p>Two, the rise
of crypto and the pseudo-anonymity of crypto transactions have eased the way
these gents do business. They don’t have to leverage wire transfers to
unknown remote countries. A wallet is fine; the payment made is funnelled
through mixers to make forensic analysis harder. By the way,
crypto (here currency, not cryptography) is not anonymous. Anyone can
look up crypto addresses, wallets and their balances. That’s how these groups
are profiled. True anonymity won’t divulge information like this.</p><p>Three,
generally bad security posture of organizations. Security has
historically been seen as an expense with undetermined ROI, part of IT
operations. Whatever doesn’t make money for an organization
automatically gets low priority. Business operations enabled by IT take
precedence and security becomes an afterthought. The typical ROI
dilemma is: if what we are securing is less expensive than the measures
to secure it, then there is no point in securing it. These unsecured
assets / avenues pile up and collectively become a pile of things too
hard to secure. They might even become obvious, and things then get swept
under the rug. Then all it requires is exploiting one vulnerability,
and the threat actors are in. Historical analysis of any breach will tell you that
99 percent of the time only 1 vulnerability was exploited to gain access to
networks. </p><p>Then comes a black swan event. A sophisticated
adversary chains vulns to compromise at scale. The SolarWinds compromise is a
great example. Kaseya is also a good example of this. </p><p>Four, one
more enabler is the low complexity required to execute these attacks.
A plethora of open-source ransomware projects is present on GitHub. Plenty of
attack frameworks are available for free. Take for instance Pneuma.</p><p><a href="https://github.com/preludeorg/pneuma" rel="nofollow noopener" target="_blank">https://github.com/preludeorg/pneuma</a> </p><p>This was released months back and is already cutting edge. It is also free. </p><p>Cobalt
Strike is available for purchase at low prices, and its cracked versions
have been available for free for quite some time. 10 years back, this
would have required arcane knowledge of C2, comms, infra, automation for
scaling, evasion and what not.</p><p>Today it requires a double click (figuratively speaking).</p><p>Finally,
the dilemma of known knowns, known unknowns and unknown unknowns. I
have yet to see a firm that has a full view of its assets. If you don’t
know what to protect, then you won’t know about it when it gets hacked.
Ultimately, you can’t catch what you can’t see. </p><p>There are plenty of other minor enablers as well, but they are subsets of the above-mentioned ones.</p><p>This
can be stopped by being proactive in your defence strategy, leveraging
threat intelligence and having visibility of your assets, and
additionally by ensuring your reactive defence strategy is well
practiced till it becomes second nature. In any case, this is not the
last cyber-attack we have seen, given the risk and skill to reward ratio of
executing these. I’d expect more escalations and more sophisticated
hacks down the road – and we have just earned front-row seats.</p>
<h2>How I got myself a capable laptop</h2>
<p>Posted 2020-09-05</p>
<p>It all started with my old (and very hated) HP Pavilion notebook (i5, 12 GB RAM, 500 GB HDD) almost dying on me. I wanted to get a new laptop, the only reason I stuck with HP for so many years was that I got it as a gift and I wanted to squeeze every drop of use I could get from it. <br /><br />Well, let's get a new one then, and I wrote down what I needed -</p><p><b>Must have</b></p><ol style="text-align: left;"><li>Good, tactile, backlit keyboard</li><li>HDMI, not micro HDMI</li><li>Screen less than 13 inches</li><li>Good battery life</li></ol><p> <b>Should have</b></p><ol style="text-align: left;"><li>i5-i7 would do, AMD Ryzen as well</li><li>Should be portable</li><li>Easy to open, repair and upgrade</li><li>USB 3.0 </li><li>RAM 8 GB or more</li><li>256 GB SSD or more</li></ol><p> <b>Nice to have</b></p><ol style="text-align: left;"><li>Should support extra battery</li><li>SIM card slot</li><li>Swivel support</li><li>Graphics card</li><li>MIL-STD-810G</li><li>Fingerprint sensor for easy login</li></ol><p>My
options were quite limited considering that what I needed would be
automatically expensive - I was looking at spending at least INR
75000-100000 (USD ~1000-1300) to get a new one, and that for a base model. </p><p>I didn't mind buying a used one, if it served my purpose and was in good condition. I reached out to my contacts in the hardware segment and asked for their advice. </p><p style="margin-left: 40px; text-align: left;">A used Ferrari is always a Ferrari, a new ALTO will never match it.</p><p>Point well noted.<br /><br />They referred me to leased-laptop distributors, which typically hold inventories of laptops that are leased to corporates for 2-3 years and then brought back once the contract is over. Since they are used, people are less inclined to buy them, but their configurations are top notch compared to their retail consumer segment counterparts and they are built to be repaired. These laptops are then dismantled and their parts flood the after-sales market. The distributors are more than happy if their laptops are sold before they are dismantled.<br /><br />After friendly chitchat with a lot of distributors, I finally narrowed my options to the Lenovo X250 and an HP EliteBook. The keyboards were nice and tactile and the form factor was small. At one of the distributors, from a heap of laptops, I picked 2 and asked the person if I could open them. He said why not, and he opened them for me. Both were in good condition, sporting 256 GB SSDs, 8 GB RAM and i5 5th gen processors, and were costing INR 14000 (~USD 190), a far cry from new ones, but a workable configuration. I asked about warranty and after a bit of negotiation, he agreed to a 1-year repair warranty for INR 2500 (~USD 34). Windows 10 Pro was provided for free.<br /><br />I was about to settle for the X250 (as it had more ports, was smaller and checked almost everything I needed) when one of the associates waltzed in and said, "we just got a shipment of some new stock". 
I asked if I could take a look and they pointed me next door.<br /><br />From a heap of X260s I picked 3 - one with no battery and an i7 6th gen, one with an extra 6-cell battery and an i5 6th gen, and one with a 1 TB HDD. I asked if I could swap parts, and they said we don’t care, it’s all the same for us.<br /><br />I took the extra battery and plugged it into the i7 one. CPU-Z said it had a Skylake i7 6600U and Samsung 8 GB built in. It had a 256 GB SSD and a working WWAN module (SIM module) as well. Single memory slot (DDR4, 260 pin SODIMM), but it was easy to open and clean. After playing with it for 1 hour, testing all the ports and modules, running some stress tests, and haggling a bit, I went home with a deal at INR 17000 (~USD 230) with a 1-year warranty from the distributor, Windows 10 Pro bundled.<br /><br />Then I did some research and checked the maximum RAM it supported - 16GB, 2133MHz DDR4, non-parity. Probably enough for what I do. 2133 MHz is a bit hard to come by, so a better option was to buy a 2666 MHz one since it will automatically run at 2133 MHz. I did some research (read: going through Reddit threads, Lenovo forums) and found that one user was able to successfully upgrade it with 32 GB of RAM (M471A4G43MB1, costs around INR 27000/ ~USD 370, even more expensive than the laptop). After upgrading to the latest BIOS, I decided to take the risk and got myself a cheaper one (ADATA AD4S2666732G19, 32 GB RAM, 2666 MHz, INR 9000/ ~USD 122) from one of the distributors.<br /><br />Went back home, disabled the internal battery from the BIOS, unscrewed & pried off the back cover and disconnected the battery cable. Swapped out the 8 GB one with the 32 GB one. Connected the battery cable and power cable and was met with the POST screen. Assembled everything back again and ran memtest86 and Windows memory diagnostics. Everything was squeaky clean :). 
Hardened everything, installed virtual box, migrated my VMs, installed emulators and voila, my new system is ready.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSEnZfVUCutCl5IJJK6L4Qhk6U1Im10nvzY3e3-LnYVNqjKckEJPh9zaFXj8J6r8PWJrFCTXBT-tnNmRgTi5vWo-LSI0qjGWiMmzf8H2L6DO-kjQ5hQRjOVAz5n6_AwfzzFQ26E_mM_u6D/s1107/x260.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="895" data-original-width="1107" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSEnZfVUCutCl5IJJK6L4Qhk6U1Im10nvzY3e3-LnYVNqjKckEJPh9zaFXj8J6r8PWJrFCTXBT-tnNmRgTi5vWo-LSI0qjGWiMmzf8H2L6DO-kjQ5hQRjOVAz5n6_AwfzzFQ26E_mM_u6D/s320/x260.jpg" width="320" /></a></div><p>I have been using X260 since last 6 months as my primary laptop with the following configuration which runs multiple VMs simultaneously, is used for maintaining remote infrastructure, occasional retro gaming/ emulation and occasional writing : </p><br /><p></p><ol style="text-align: left;"><li>Tactile backlit keyboard <br /></li><li>6th Gen Intel Core i7-6600U Processor, Turbo Boost 2.0 (3.4GHz)</li><li>32 GB memory (ADATA AD4S2666732G19)</li><li>12.5" HD (1366 x 768) IPS</li><li>256 GB Samsung SSD</li><li>3 Cell internal + 6 cell external battery</li><li>SIM card slot (WWAN)</li><li>3 USB 3.0 ports (Superspeed)</li><li>1 HDMI/ 1 Mini DisplayPort</li><li>4-in-1 Card Reader (MMC, SD, SDHC, SDXC)</li><li>Intel I219 Gigabit LAN & Dual Band Wireless-AC 8260, with Bluetooth® 4.1</li><li>MIL-STD-810G compliant</li><li>Weighs around 1.5 KG</li><li>Bundled Windows 10 Pro</li></ol><p>Total Cost - INR 26000 / ~USD 352<br /><br /><b>Lessons learnt –</b><br /></p><ol style="text-align: left;"><li>Research, hunt and haggle</li><li>Be very specific about your requirements</li><li>Technology evolves every day, see what fits your needs on a long-term basis</li></ol><div 
class="blogger-post-footer"></div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0tag:blogger.com,1999:blog-473620016779402291.post-37432001894858603242020-04-12T11:33:00.000+05:302020-04-12T13:17:23.761+05:30Assessing a cyber security candidate<div dir="ltr" style="text-align: left;" trbidi="on">
I typically assess a senior cyber security candidate across 7 basic domains for a technical interview, before I actually jump into security. Sometimes, a candidate is so good in these domains that asking questions about security becomes an afterthought. A dipstick feedback of fundamentals actually helps me understand where the candidate is coming from and whether he can actually leverage his technical skills in real security engagements. Since these domains are exhaustive, the assessment of fundamentals will depend on the candidate's previous experience. For instance, I would not expect a college grad to know the complete ins and outs of Active Directory, but would expect him to know programming, scripting, Linux, VMs and algorithms. A SOC guy should know network security, pcap analysis, protocols, BPF/ filters and elementary scripting. An experienced pentester is supposed to know almost all of the mentioned domains. At the end of the day, YMMV.<br />
<br />
Tools are not going to make you a hacker, always remember what Gray Fox said -<br />
<blockquote class="tr_bq" style="text-align: center;">
"Only a fool trusts his life to a weapon"</blockquote>
These domains form the bread and butter basics of any good computer security candidate and enable him to understand the cross-functional world from the point of view of an architect, an operations analyst, an incident responder, a developer, a packer mangler or simply an adviser.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTvTgXmgSP64EJn8uL0u9hqT0V4wAqavWZfdN5SigRvPYXIL10F99jlIzcp5Ixpb9rDXBzBv0LeT6hIAF8tRK4eXFVFrVbJTyfjJi-pz9KN3rk7Silslmat3YyQdrXHxRWp8ekEgLx2wGc/s1600/interview.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="900" data-original-width="1600" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTvTgXmgSP64EJn8uL0u9hqT0V4wAqavWZfdN5SigRvPYXIL10F99jlIzcp5Ixpb9rDXBzBv0LeT6hIAF8tRK4eXFVFrVbJTyfjJi-pz9KN3rk7Silslmat3YyQdrXHxRWp8ekEgLx2wGc/s640/interview.jpg" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">kinda like this. No Wait! Robyn Beck/AFP/Getty Images</td></tr>
</tbody></table>
<br />
<br />
Depending on the feedback to this article, I may share some good-to-have domains as well.<br />
<br />
Nevertheless, here are the domains:<br />
<ol style="text-align: left;">
<li><b>OS Fundamentals / Software</b> - This is a big one; without these, your attack vectors typically fall flat. Windows and Linux are mandatory. Can you set up a working environment for your own security setup from scratch? Comfortable with VMs? Docker? Jailed environments?</li>
<li><b>Network/ Network Security </b>- Routers, switches, load balancers et al, be it software or hardware. Are the concepts clear? Considering that a lot of the hardware is now virtualized/ customized and offered as a service by big providers, and that every now and then an attack/ exploit emerges that leverages misconfigurations in these systems/ services, these things are important. Can you understand a pcap? Do you understand routing? If there is one thing that studying Phenoelit early on taught me, it was to understand networks and routing properly. </li>
<li><b>Active Directory/ LDAP </b>- I simply can't overstate the importance of AD/ LDAP when it comes to security. Considering how they function as the backbone of the enterprise, you are bound to encounter them. Having good fundamentals around these gives you a good head start when you actually pentest these environments.</li>
<li><b>Servers/ Web services/ APIs</b> - Server and web application basics: how they work, how they are deployed, and do you know how to secure them? Fundamentals are important here. You may be able to find a bug in an application, but in case you can't fix the application per se, can you secure, or advise correctly about securing, the environment itself? How are application headers used? Do you know how to interact with an API? Can you create your own? Do you operate any website/ web service? How do you scale it?</li>
<li><b>Programming/ Scripting</b> - Any one programming or scripting language you are comfortable with - python/ ruby/ bash/ powershell et al. It doesn't matter which. Can you read code? Can you comprehend patterns? Can you write pseudocode? Do you have a fundamental understanding of algorithms?</li>
<li><b>Hardware </b>- Good to have knowledge of hardware basics; you should be comfortable with at least setting up platforms like Raspberry Pi, BeagleBone et al. Can you identify pinouts on an unknown board? Can you read technical manuals? What is your portable platform of choice? Can you set up your own VPN environment on a Raspberry Pi and hook it up with your test laptop?</li>
<li><b>Architecture/ Tooling</b> - A typical question starts like this: create a full-fledged network for 100 people with everything included - LAN, WAN, web services, email et al. Now design it for 1000 people. Now for 10K people. Now let's break it systematically - how will you break it? What attack vectors? What if Burp Suite is not available? Can you leverage curl? How can we improve it?</li>
</ol>
<br />
These domains are absolute essentials; platforms and tools may make you a bug hunter, but knowledge of these will make you a better one.<br />
There you go; if you know these, you already have a healthy background in computer security basics, and I wish you the best of luck.<br />
<br />
<div style="text-align: center;">
<i>This was crossposted at <a href="https://blog.fruxlabs.com/assessing-a-cyber-security-candidate/" target="_blank">Fruxlabs Team blog.</a></i></div>
<div style="text-align: center;">
<br /></div>
</div>
<div class="blogger-post-footer"></div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0tag:blogger.com,1999:blog-473620016779402291.post-1809637990076503232020-02-18T12:00:00.002+05:302020-08-20T09:51:27.247+05:30The Rescure Cyber Threat Intelligence Project - Sensor Update<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
We have massively upgraded our sensor detection, logging and monitoring capabilities at <a href="http://rescure.me">rescure.me</a> - we detected around 350K attacks in the last 24 hours, which are then funneled and curated into feeds by our correlation system. This included removing code cruft, updating data pipelines and building a new ELK stack which can monitor multiple sensors at once. Feeds have been optimized as well, and the stack has been migrated to new high performance servers.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Countless hours and personal funds have gone into maintaining this; special thanks to <a href="http://team.fruxlabs.com/" target="_blank"><b>Fruxlabs Crack Team</b></a> for being there. w00t!</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSEJVyvbnj7McvGFvDvvU1D5vFjMqPPh6IvxXaRmQNbZ_R8Fc7TqyvB62s-78FFqZjgOJf5fdyi-eO3xijQXKaoTh9r93e9Ue4hfnbtWbjWm8QH7_WaQHWJb47K3slq5A1OWxH3SlWNYpt/s1600/honeynet.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="679" data-original-width="1533" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSEJVyvbnj7McvGFvDvvU1D5vFjMqPPh6IvxXaRmQNbZ_R8Fc7TqyvB62s-78FFqZjgOJf5fdyi-eO3xijQXKaoTh9r93e9Ue4hfnbtWbjWm8QH7_WaQHWJb47K3slq5A1OWxH3SlWNYpt/s640/honeynet.png" width="640" /></a></div>
<br />
<br />
In case you wish to collaborate in terms of sensors/ feeds/ research, please reach out to us at support@fruxlabs.com.</div>
<div class="blogger-post-footer"></div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0tag:blogger.com,1999:blog-473620016779402291.post-84017417102344419542018-10-16T17:14:00.003+05:302020-08-20T09:51:00.990+05:30The Rescure Cyber Threat Intelligence Project - Domain Blacklist Update<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
We are now publishing a consumable list of malicious domains at <a href="https://rescure.fruxlabs.com/" target="_blank">rescure.me</a> as part of our independent cyber threat intelligence project.<br />
<br />
Each node below is an event with its separate attributes (around 2 million), which are correlated in real time to ensure only offending, malicious domains are listed at the portal. The current domain list size is around 18 thousand (! and growing) and is updated every 4 hours at </div>
<blockquote class="tr_bq">
<a href="https://rescure.fruxlabs.com/rescure_domain_blacklist.txt" target="_blank">https://rescure.me/rescure_domain_blacklist.txt</a></blockquote>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIm4st1VoH0Lqhsct1LEF1A0r7YqHKD2Rx-Tg1CbSPzRF0AXyAeBGlmhLmo3Fwf30MMxjOnMf1Jp-ekMfnUfNGCINntemi8rShEIEu1npRVuAWO7qDLTsQEoLAUg_Wi-Gu4lIbj2MpW6U5/s1600/Domain_BlackList.png" style="margin-left: auto; margin-right: auto;"><img alt="Rescure Cyber Threat Intelligence Domain Blacklist" border="0" data-original-height="522" data-original-width="1039" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIm4st1VoH0Lqhsct1LEF1A0r7YqHKD2Rx-Tg1CbSPzRF0AXyAeBGlmhLmo3Fwf30MMxjOnMf1Jp-ekMfnUfNGCINntemi8rShEIEu1npRVuAWO7qDLTsQEoLAUg_Wi-Gu4lIbj2MpW6U5/s640/Domain_BlackList.png" title="Rescure Cyber Threat Intelligence Domain Blacklist" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Rescure Cyber Threat Intel Domain List Simulation</td></tr>
</tbody></table>
As always, feedback is appreciated at support@fruxlabs.com</div>
<div class="blogger-post-footer"></div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0tag:blogger.com,1999:blog-473620016779402291.post-53942925732542164132018-09-21T00:54:00.001+05:302020-08-20T09:52:11.119+05:30REScure Cyber Threat Intelligence Feed<div dir="ltr" style="text-align: left;" trbidi="on">
We are now generating a daily blacklist of malicious IPs via our own threat intel solution. The feed will be generated every 6 hours and is now available at<br />
<blockquote class="tr_bq">
<a href="https://rescure.me"><b>https://rescure.me</b></a></blockquote>
The snapshot below is the end result of the penultimate stage of correlation of millions of data points, which are finally grouped into attack groups before being published at <a href="http://rescure.fruxlabs.com/" target="_blank">rescure.me</a><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpb06rR_qaVlxH5r5qYRm-TozHRNo9eIPwiaUvKYsSImJYP4C61sMUe7P6ZkUJ5oGDxQ5Ib0YRRi915F-tAL76K0Ka7i2CW9DBuet428UaRI4qG9rmSqgNk36twW5XbtqZSCMo2xsIAcPs/s1600/rishabh.JPG" style="margin-left: auto; margin-right: auto;"><img alt="Cyber Threat Intelligence co-relation rescure.fruxlabs.com" border="0" data-original-height="586" data-original-width="1022" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpb06rR_qaVlxH5r5qYRm-TozHRNo9eIPwiaUvKYsSImJYP4C61sMUe7P6ZkUJ5oGDxQ5Ib0YRRi915F-tAL76K0Ka7i2CW9DBuet428UaRI4qG9rmSqgNk36twW5XbtqZSCMo2xsIAcPs/s640/rishabh.JPG" title="Cyber Threat Intelligence co-relation rescure.fruxlabs.com" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>Correlation snapshot at REScure Feed</i></td></tr>
</tbody></table>
You are encouraged to try it and consume it in your security solutions. Since this is in beta, we are limiting it to IPs only.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_NEl6HlAFFdI6CPtoQzdzo6tvU4KZTNKSC_L0u3e-pipggce2O2-3V2iBaS775t40_2_SA4RQz-5V8FnMXO0HZo3xYFWUABvsXr5k7LAeYly49d07qXmkidn_CCiBcuOl_6tmF2A6B2FV/s1600/REScure-Cyber-Threat-Intelligence-Feed.jpg" style="margin-left: auto; margin-right: auto;"><img alt="REScure Cyber Threat Intelligence Feed" border="0" data-original-height="300" data-original-width="400" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_NEl6HlAFFdI6CPtoQzdzo6tvU4KZTNKSC_L0u3e-pipggce2O2-3V2iBaS775t40_2_SA4RQz-5V8FnMXO0HZo3xYFWUABvsXr5k7LAeYly49d07qXmkidn_CCiBcuOl_6tmF2A6B2FV/s320/REScure-Cyber-Threat-Intelligence-Feed.jpg" title="REScure Cyber Threat Intelligence Feed" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i>Yep, REScure may look like this to your SIEM</i></td></tr>
</tbody></table>
We are alpha testing API access, detailed Indicators of Compromise access, STIX/TAXII/OpenIOC exports, real-time refresh rates and a lot more. This is an independent project we undertook to enhance our understanding of the underlying architecture of distributed systems, the nature of threat intelligence and how to efficiently collect/store/consume/distribute it.<br />
<br />
The project is being jointly developed with <a href="https://www.linkedin.com/in/sreyash-ratna-tripathi/" rel="nofollow" target="_blank">Sreyash </a>and <a href="https://www.linkedin.com/in/eshanaswar/" rel="nofollow" target="_blank">Eshan</a>.<br />
<br />
Your feedback is appreciated, please share it at support@fruxlabs.com.<br />
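To show what consuming such a list looks like on the defender's side, here is an added example (my code, not the REScure project's) that loads a domain list of the kind described in the domain blacklist post above and an IP list of the kind described here, then checks constructed DNS/proxy log lines against them. The feed layout (one indicator per line, '#' comments, optional CIDR entries), the log field names and every sample value are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample feeds. The real rescure.me lists are assumed to be plain text,
# one indicator per line with '#' comments; that layout is an assumption here.
DOMAIN_FEED = """\
# constructed sample, not the real rescure_domain_blacklist.txt
evil-example.test
Malware-CDN.example.
"""

IP_FEED = """\
# constructed sample, not the real rescure IP list
198.51.100.23
203.0.113.0/24
not-an-ip
"""

# Constructed DNS/proxy log lines (the field layout is an assumption for the example).
SAMPLE_LOG = [
    "2020-09-21T00:54:01Z src=10.0.0.5 qname=cdn.evil-example.test dst=198.51.100.23",
    "2020-09-21T00:54:02Z src=10.0.0.7 qname=www.example.org dst=192.0.2.10",
    "2020-09-21T00:54:03Z src=10.0.0.9 qname=update.vendor.example dst=203.0.113.77",
    "2020-09-21T00:54:04Z src=10.0.0.9 qname=test dst=10.0.0.1",
]

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_domain_feed(text):
    """Normalise feed entries: lowercase, no trailing dot, comments and blanks dropped."""
    domains = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if entry:
            domains.add(entry)
    return domains


def parse_ip_feed(text):
    """Return (set of host addresses, list of networks); malformed lines are skipped."""
    hosts, nets = set(), []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            if "/" in entry:
                nets.append(ipaddress.ip_network(entry, strict=False))
            else:
                hosts.add(ipaddress.ip_address(entry))
        except ValueError:
            continue  # one bad line must not abort loading the whole feed
    return hosts, nets


def domain_hit(qname, domains):
    """Matching entry for qname or any parent domain (never the bare TLD), else None."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def ip_hit(addr, hosts, nets):
    """Matching host entry or containing network for addr, else None."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip in hosts:
        return str(ip)
    for net in nets:
        if ip in net:
            return str(net)
    return None


def scan_log(lines, domains, hosts, nets):
    """Return [(line, reason), ...] for every line that touches a listed indicator."""
    hits = []
    for line in lines:
        fields = dict(FIELD.findall(line))
        reasons = []
        d = domain_hit(fields.get("qname", ""), domains)
        if d:
            reasons.append("domain:" + d)
        i = ip_hit(fields.get("dst", ""), hosts, nets)
        if i:
            reasons.append("ip:" + i)
        if reasons:
            hits.append((line, ";".join(reasons)))
    return hits


if __name__ == "__main__":
    domains = parse_domain_feed(DOMAIN_FEED)
    hosts, nets = parse_ip_feed(IP_FEED)
    for line, why in scan_log(SAMPLE_LOG, domains, hosts, nets):
        print(why, "<-", line)
```

Two details matter when wiring a list like this into a SIEM: the domain match walks up the parent labels so that a listed apex also catches its subdomains, and a malformed feed line is skipped rather than aborting the load, since a feed that refreshes every few hours will eventually contain one.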
<div>
<br /></div>
</div>
<div class="blogger-post-footer"></div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0tag:blogger.com,1999:blog-473620016779402291.post-89134258664700137412017-12-17T14:01:00.001+05:302017-12-19T01:38:56.912+05:30How I turned my phone into a hacking machine <div dir="ltr" style="text-align: left;" trbidi="on">
There are probably hundreds (if not thousands) of tutorials on this, but since I wanted a portable, non-rooted, disposable hacking device which has the ability to take calls (a.k.a. a cellphone/smartphone), I decided to mod an Android based device. I have done this earlier (probably 5 years back) by installing Arch on my Android phone on a separate partition and booting it. This can be done today as well, but since<b><u> I do not want to root my cellphone</u></b>, and do not want to use proot/LibSDL, I decided to see what can be done in a non-rooted environment.<br />
<br />
Intended audience for this piece - anyone with a bit of hands-on experience on Linux. Consider this as my personal cliffnotes in case I have to do it again. Let me even include an age-old <b>Disclaimer </b>(taken from XDA aeons ago):<br />
<blockquote class="tr_bq">
<span style="text-align: justify;">I am not responsible for bricked devices, dead SD cards, thermonuclear war, or you getting fired because the alarm app failed. Please do some research before running commands. YOU are choosing to make these modifications, and if you point your finger at me for messing up your device, I will laugh at you.</span></blockquote>
My iPhone recently went kaput during a fated trip to Jubail, KSA, and I zeroed in on an inexpensive, capable device (<i>Motorola G4 Play for around ~120 USD</i>) for which I won't feel bad in case it gets lost or breaks into a million pieces.<br />
<br />
Well, the device specs are average, the phone feels rugged and the battery can be taken out by simply removing the cover (<b><u>which is EXTREMELY important for me</u></b>). It comes with Android 6.0 and probably will never get updated to Android 7.0 (owing to Lenovo's shitty firmware update cadence), but once I disabled a lot of applications, the phone feels quick and is a joy to use.<br />
<br />
First things first -<br />
<b>Disabled </b>: Chrome, Cloud Print, Device Help, Drive, File Manager, FM Radio, Google Japanese/Korean/Pinyin/Zhuyin Input, Google Play Movies, Google Play Music, Google Hangouts, Messenger, Photos, other Motorola bloatware.<br />
<br />
Double-check device administrators. I would have removed a lot more software, but then, I will also be using this phone for making calls and for light personal use as well.<br />
<br />
<b>Installed </b>: Firefox (with Ublock), ESFile Explorer, Termux, Hacker's Keyboard, Textra (for SMS), Quickpic, OpenVPN, SMS Backup+, FastHub (or Github), Fing (quick GUI based network discovery), Flud (Torrents), Google Authenticator, AndFTP, drozer agent, Packet Capture (Application specific packet capture), TOR and Phonograph (lightweight music application).<br />
<br />
Once the device's innards were replaced with a bit more capable/lightweight software, I launched Termux, which is probably the most important terminal emulator written for Android. From its website:<br />
<blockquote class="tr_bq">
"<i>Termux is an Android terminal emulator and Linux environment app that works directly with no rooting or setup required. A minimal base system is installed automatically; Additional packages are available using the APT package manager. </i>"</blockquote>
Onwards we go.<br />
<ul>
<li>I started by updating Termux and its inherent environment - apt update && apt upgrade</li>
<li>Installed python2, python3, nmap, openssh, git, python-pip, htop through the relevant apt commands.</li>
<li>Installed metasploit through https://github.com/Auxilus/Auxilus.github.io/blob/master/metasploit.sh (t<i>urns out this script has been stolen by a lot of folks, like <a href="https://github.com/Hax4us/Metasploit_termux/blob/master/metasploit.sh" rel="nofollow" target="_blank">this guy over here</a>, and <a href="https://github.com/Techzindia/Metasploit_For_Termux/blob/master/metasploitTechzindia.sh" rel="nofollow" target="_blank">this one</a> for youtube likes</i>).</li>
<li>Installed scapy.</li>
<li>Generated OpenSSH keys and configured OpenSSH to run in server mode so that I can log into my cellphone if required. Make sure you check the username with whoami before generating keys. PuTTY aficionados may want to convert id_rsa keys using puttygen before loading them.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibCmcdU3eLH1W3Auo9hlFzAakqmCcMiNYdUXXXx7avFFFoK3YyJvr_9VK8o6xUajo0whhNpZIt9tDGSTgikpuh-smq5YWLVojwU5k_aOhwV8MFdMBM5cMv7SV_XtQlRII_SELa_KzDFpEV/s1600/Screenshot_20171217-125543.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1280" data-original-width="720" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibCmcdU3eLH1W3Auo9hlFzAakqmCcMiNYdUXXXx7avFFFoK3YyJvr_9VK8o6xUajo0whhNpZIt9tDGSTgikpuh-smq5YWLVojwU5k_aOhwV8MFdMBM5cMv7SV_XtQlRII_SELa_KzDFpEV/s400/Screenshot_20171217-125543.png" width="225" /></a></div>
<div>
<br /></div>
<ul>
<li>Configured OpenVPN application to connect to my remote server. Added TOR support.</li>
<li>Authenticated Fasthub Application with my Github account through a personal access token.</li>
<li>Tested everything.</li>
<li>Generated a list of packages for later use by running the following command: "<i>dpkg --get-selections | cut -f1 > bkup_pack.txt</i>". </li>
<li>Took a tar backup of the current Termux installation for later use. I admit it is a quick and dirty hack, but it works. Yes, I tested it.</li>
</ul>
<blockquote class="tr_bq">
cd /data/data/com.termux/files<br />
tar -cvzf /sdcard/Download/termux.tgz --owner=0 --group=0 home usr</blockquote>
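As an added example (my code, not part of the original post), the same home/usr backup done from Python with an integrity record and a restore round-trip, so that a damaged or truncated copy on /sdcard is noticed before you need it. The Termux paths are the ones from the post; the self-test builds a constructed scratch tree rather than touching a real Termux installation.

```python
import hashlib
import os
import shutil
import tarfile
import tempfile

# Termux layout from the post; the self-test below substitutes a scratch tree.
TERMUX_FILES = "/data/data/com.termux/files"
DEFAULT_ARCHIVE = "/sdcard/Download/termux.tgz"


def _root_owned(member):
    """tar filter: record every entry as uid/gid 0 (the post's --owner=0 --group=0)."""
    member.uid = member.gid = 0
    member.uname = member.gname = "root"
    return member


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_termux(files_dir=TERMUX_FILES, archive=DEFAULT_ARCHIVE, subdirs=("home", "usr")):
    """Pack <files_dir>/home and <files_dir>/usr into a gzip tarball and record its SHA-256."""
    with tarfile.open(archive, "w:gz") as tar:
        for sub in subdirs:
            tar.add(os.path.join(files_dir, sub), arcname=sub, filter=_root_owned)
    digest = sha256_file(archive)
    with open(archive + ".sha256", "w") as fh:
        fh.write(f"{digest}  {os.path.basename(archive)}\n")
    return digest


def verify_backup(archive):
    """True only if the stored checksum matches and every entry is root-owned and listable."""
    try:
        with open(archive + ".sha256") as fh:
            recorded = fh.read().split()[0]
        if recorded != sha256_file(archive):
            return False
        with tarfile.open(archive, "r:gz") as tar:
            return all(m.uid == 0 and m.gid == 0 for m in tar.getmembers())
    except (OSError, IndexError, tarfile.TarError):
        return False


def restore_termux(archive, files_dir):
    """Unpack the archive into files_dir, using the 'data' filter where Python offers it."""
    os.makedirs(files_dir, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(files_dir, filter="data")
        else:
            tar.extractall(files_dir)


def selftest():
    """Round-trip a constructed tree; returns (verified, restored_ok, verified_after_damage)."""
    work = tempfile.mkdtemp()
    try:
        src = os.path.join(work, "src")
        os.makedirs(os.path.join(src, "home"))
        os.makedirs(os.path.join(src, "usr", "bin"))
        with open(os.path.join(src, "home", ".bashrc"), "w") as fh:
            fh.write('alias ll="ls -l"\n')
        with open(os.path.join(src, "usr", "bin", "hello"), "w") as fh:
            fh.write("#!/bin/sh\necho hi\n")
        archive = os.path.join(work, "termux.tgz")
        backup_termux(src, archive)
        verified = verify_backup(archive)
        dst = os.path.join(work, "dst")
        restore_termux(archive, dst)
        with open(os.path.join(dst, "home", ".bashrc")) as fh:
            restored_ok = fh.read() == 'alias ll="ls -l"\n'
        with open(archive, "ab") as fh:  # simulate a corrupted/truncated copy
            fh.write(b"x")
        return verified, restored_ok, verify_backup(archive)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(selftest())
```

On the phone itself, `backup_termux()` with no arguments uses the two paths from the post; keep the `.sha256` file next to the archive and run `verify_backup()` on the copy you actually intend to restore from, not the original.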
<div>
For more adventurous souls, you can go ahead with a rootfs option - https://github.com/xeffyr/Termux-RootFS. A simple tutorial for this would be <a href="http://www.itdadao.com/articles/c19a1256458p0.html" rel="nofollow" target="_blank">here</a>; however, during my experiments I found it to be buggy and some applications do not work properly. Since I value stability and security over everything, I promptly reverted to my old fs.</div>
<div>
<br /></div>
<div>
Does everything work? Hell yeah.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcvt0cqkYxaMwV7JQWuCWqIkqtY6TQJ29ZpWKHBD25vOF0LH23QkS_VY56lpIKotC7FguhJW80j2AUPNavcWE858UuVpGB7fOb-ZxrWXqHHSZxnws8AGvVwoX4SdHywuQ7dvlACQ7Zm2pn/s1600/2017-12-17_132931.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Turn your phone into a hacking machine - Device statistics" border="0" data-original-height="526" data-original-width="875" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcvt0cqkYxaMwV7JQWuCWqIkqtY6TQJ29ZpWKHBD25vOF0LH23QkS_VY56lpIKotC7FguhJW80j2AUPNavcWE858UuVpGB7fOb-ZxrWXqHHSZxnws8AGvVwoX4SdHywuQ7dvlACQ7Zm2pn/s640/2017-12-17_132931.jpg" title="Current status - awesomeness" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzPoPyJmBgMOBQLniFCjmjeuCDUnoaEB78Pg6jnQ4iu1En1XNG3waV6Z842NSwfIRHEvKjkREGV684gZIaImYhX8Z3x9am_7gbD48Lh_ZhV5WMQsfb6Ul0pbYdSnPFxvskcjHLvTJH5hQJ/s1600/2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Turn your phone into a hacking machine - Metasploit and python HTTP server" border="0" data-original-height="499" data-original-width="863" height="369" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzPoPyJmBgMOBQLniFCjmjeuCDUnoaEB78Pg6jnQ4iu1En1XNG3waV6Z842NSwfIRHEvKjkREGV684gZIaImYhX8Z3x9am_7gbD48Lh_ZhV5WMQsfb6Ul0pbYdSnPFxvskcjHLvTJH5hQJ/s640/2.jpg" title="metasploit and python HTTP server running on my phone" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5hkaQPLSVr9pR_Edtcoh9kxrjnAz8YlxFYg1D69Lu-FXvYol9WzM-7JWMO6jPH61Sq00DKWlPIh0oquityIOYHMUyTGnF_PmDcVv6xBH-yCs_ddtKKmce8kQt6UVbQZodgK5RjUhagVBJ/s1600/Screenshot_20171119-020837.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Turn your phone into a hacking machine - Running scapy" border="0" data-original-height="1280" data-original-width="720" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5hkaQPLSVr9pR_Edtcoh9kxrjnAz8YlxFYg1D69Lu-FXvYol9WzM-7JWMO6jPH61Sq00DKWlPIh0oquityIOYHMUyTGnF_PmDcVv6xBH-yCs_ddtKKmce8kQt6UVbQZodgK5RjUhagVBJ/s400/Screenshot_20171119-020837.png" title="Running scapy on my phone" width="225" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4IPtg6raULmtgDpCunQRbzxujdglBBRaNpEgB0Z5JJiM5_ZhYVoZbNGTuipc8SRaUUj9TIzWn2hYJ6By6PvtMiMx38cBR-9NLuuIPYQLHnFBOJe2Rsy0n_tcmhi1rU4Mcqhhu0PSb6zjm/s1600/Screenshot_20171217-133955.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Turn your phone into a hacking machine - access github" border="0" data-original-height="1280" data-original-width="720" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4IPtg6raULmtgDpCunQRbzxujdglBBRaNpEgB0Z5JJiM5_ZhYVoZbNGTuipc8SRaUUj9TIzWn2hYJ6By6PvtMiMx38cBR-9NLuuIPYQLHnFBOJe2Rsy0n_tcmhi1rU4Mcqhhu0PSb6zjm/s400/Screenshot_20171217-133955.png" title="Accessing github through fasthub" width="225" /></a></div>
<div>
<br /></div>
<br />
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b>To do : </b></div>
<div style="text-align: left;">
</div>
<ol style="text-align: left;">
<li>Something about Postgres stability, the sucker generally has connection issues.</li>
<li>Improve documentation</li>
<li>Harden device (CIS/STIG)</li>
</ol>
</div>
<div class="blogger-post-footer"></div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0tag:blogger.com,1999:blog-473620016779402291.post-34827723400353356582016-06-24T15:36:00.000+05:302016-06-24T19:38:17.741+05:30Download Kinect Virtual Dressing Room - Weekend project<div dir="ltr" style="text-align: left;" trbidi="on">
It was getting hot at Doha, Qatar and I was thoroughly bored. And tired.<br />
<br />
Out of the blue, a creative request came from one of my seniors asking if I had ever worked on Unity 3D. Though I have some experience with game engines and modeling tools, I thought it would be worth a try. As an absolute beginner, I tried my hands on Unity 3D and was able to compile Virtual Dressing Room for Kinect (code courtesy <b>Anthony Heckmann - </b><a href="https://github.com/anthonyheckmann/KinectDressingRoom" rel="nofollow" target="_blank"><b>Github</b></a>). I updated some code and calls (for instance gettrianglestrip and settrianglestrip to gettriangles and settriangles) for compatibility with the latest release of Unity. As of now, I have not tested it with a real Kinect, although the executable works fine. Thanks to this project, I also got my hands on <a href="http://kinesis-io.github.io/" rel="nofollow" target="_blank">Kinesis.io</a>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd6W7st1NSM-l5Rww4bXMQELTcApOnUhvvH5nP8n8D6CV353l6fhcwVoBDo9nHu5Zifa6JdBiBx480_BRoKqV2kvxAzDMAVKMmOrl2JMs2MlIAT6aAq-m7YENMLcANsO9f_-z-XoQqZsgJ/s1600/Kinect+Virtual+Dressing+Room.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgd6W7st1NSM-l5Rww4bXMQELTcApOnUhvvH5nP8n8D6CV353l6fhcwVoBDo9nHu5Zifa6JdBiBx480_BRoKqV2kvxAzDMAVKMmOrl2JMs2MlIAT6aAq-m7YENMLcANsO9f_-z-XoQqZsgJ/s400/Kinect+Virtual+Dressing+Room.jpg" /></a></div>
<br />
<br />
You can download the executable from <b><a href="https://drive.google.com/file/d/0BzUDzlL81T5CUEJraklEcXFmR00/view?usp=sharing" rel="nofollow" target="_blank">here</a>. </b>As usual, expect no support if you experience bugs, as:<br />
<br />
<ol style="text-align: left;">
<li>It's my weekend project</li>
<li>I have not tested it with a real Kinect.</li>
<li>I have too much on my plate right now.</li>
</ol>
<div>
Password is <b>Prohack</b></div>
</div>
<div class="blogger-post-footer"></div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0tag:blogger.com,1999:blog-473620016779402291.post-59572777332872431162016-05-19T13:02:00.001+05:302016-05-19T13:19:43.423+05:30An Introduction to SwiftNET - An overview you always wanted<div dir="ltr" style="text-align: left;" trbidi="on">
Due to the recent onslaught of attacks on the SWIFT network, I thought, why not release a small introduction on the same. Here it is then, gentlemen - An Introduction to SwiftNET you always wanted. I have tried to keep it as simple as possible whilst ensuring the information is complete and relevant. Hope you will find it useful.<br />
<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="485" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/key/Ejzdv50zSvbFzH" style="border-width: 1px; border: 1px solid #ccc; margin-bottom: 5px; max-width: 100%;" width="595"> </iframe> <br />
<div style="margin-bottom: 5px;">
<br /></div>
As usual, comments, questions and critique are welcome.</div>
<div class="blogger-post-footer"></div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0tag:blogger.com,1999:blog-473620016779402291.post-58973115746144463102016-03-26T15:35:00.000+05:302016-03-26T15:35:31.342+05:30Fortigate SSH Backdoor Password Calculator<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn31-kb6g56WjhJyDhJ3qBYHkcEYjNVKRCqxQZG2m5v2m8lCLaNHsb9CweV70O0rMtqRq4RXxdLlgq5oxqsnBPpsTTsg3pwQdOpQ9obxRohYnvZ0JYmfFwzpIIvjwZVTZtqrBc1drPlMHx/s1600/69Fortinet_Logo.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="126" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjn31-kb6g56WjhJyDhJ3qBYHkcEYjNVKRCqxQZG2m5v2m8lCLaNHsb9CweV70O0rMtqRq4RXxdLlgq5oxqsnBPpsTTsg3pwQdOpQ9obxRohYnvZ0JYmfFwzpIIvjwZVTZtqrBc1drPlMHx/s200/69Fortinet_Logo.jpg" width="200" /></a></div>
Recently Fortinet confirmed there was a backdoor in their firewalls which impacted FortiGate OS Version 4.x - 5.0.7. An exploit was released in the wild, but it took some effort to work with (I am looking at you: paramiko/termios/msvcrt). So I ported the code to create a quick and dirty password calculator that will help in pwning Fortinet firewalls with vulnerable versions.<br />
<br />
Tested it on test firewalls and it works like a charm : )<br />
<br />
<a href="https://packetstormsecurity.com/files/136430/Fortigate-Backdoor-Password-Calculator.html">https://packetstormsecurity.com/files/136430/Fortigate-Backdoor-Password-Calculator.html</a><br />
<br />
<br /></div>
<div class="blogger-post-footer"></div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0tag:blogger.com,1999:blog-473620016779402291.post-22745552057348057252015-07-06T23:02:00.002+05:302015-07-06T23:02:17.163+05:30Layer 2 Security Issues and Their Mitigation<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
So, I have left Accenture and have joined the red team of a Big 4; & below is my first presentation, which I gave there (completely redacted, obviously).<br />
<br />
Comments are very much welcome.<br />
<br />
<br /></div>
<iframe frameborder="0" height="400" marginheight="0" marginwidth="0" scrolling="no" src="https://www.slideshare.net/slideshow/embed_code/key/n6wTvcJGh4QzSx" width="476"></iframe></div>
<div class="blogger-post-footer"></div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0tag:blogger.com,1999:blog-473620016779402291.post-72007111064711158472015-03-10T07:25:00.001+05:302015-03-10T07:25:40.157+05:30My time with Cisco EX90<div dir="ltr" style="text-align: left;" trbidi="on">
Got my hands on a Cisco EX90 (that was malfunctioning) & here is my impression of it - sucks balls.<br /><br />
The box has poor support for RS-232; it has a special cable provided separately (USB to serial) without which it won't come up on the console at all. Yes, I tried everything & the damn thing needs a specific FT232R driver to make it work. Speed settings are 38400 with no flow control & no parity, after which the sucker boots up in admin mode with xConfig disabled. Now vendors nowadays have a very pragmatic approach of making the CLI as difficult as possible for the very folks it was created for. They tackle this problem by creating pseudo-shells (with limited capabilities, generally limited to no debug facility; sometimes you really feel lucky if you are able to read proper logs) which miserably fail to provide a full view of what the heck is wrong with the device/service. The result? After pulling your hair out and cursing the box, you eventually dial 1-800-100-1364 to share your plight, resulting in more revenue for Cisco & you end up drinking more beer than you usually do, in a bad way. After all, a frustrated tinkerer is a good customer.<br />
<br />
Coming to the point, Cisco has xConfig running over standard bash, which is more or less a limited configuration mode so that you can recover the device. But heck, since it was booting without it, I configured "rootsettings on Cisc0", logged out and logged in as root with Cisc0 as the password & jumped into a bash shell over Linux 3.4. Some more exploring and I found the environment was pretty loaded on factory defaults (as compared to the trimmed, hardened network devices I have seen); heck, it has Python 2.6 :) <br />
<br />Not wasting any time, I configured the box with a static IP & tried upgrading it with 7.x code, which as expected failed. The upgrade logged "unable to create squashfs" in dmesg, at which point I pretty much sighed & handed things over to the Cisco Collab guy. I was already unimpressed with its poor recovery capabilities & time would not permit any more R&D on a production device.<br />
<br />Note to self: need to get my hands dirty once it's dismounted.<br /></div>
Wardriving at Delhi Updated – The OPEN, WEP & WPA faces of Delhi
Posted by rish (http://www.blogger.com/profile/02053531903553289391) on 2014-03-30T18:51:00+05:30; updated 2016-03-06T18:36:07+05:30
<div dir="ltr" style="text-align: left;" trbidi="on">
I got an overwhelming response to my <a href="http://www.theprohack.com/2013/03/wardriving-at-delhiwardriving-revisited.html" target="_blank" title="Read about Wardriving at Delhi Project"><strong>Wardriving at Delhi project</strong></a> and have got a lot of emails regarding it. I am thrilled that so many people want to contribute to the project. Inspired by your feedback, I am hereby producing an update to my mapping project. This time I went via Saket to Gurgaon and, as usual, I got a lot of access points which were OPEN with no security, <a href="http://www.theprohack.com/2010/01/hack-wifi-using-backtrack.html" target="_blank" title="Learn how to hack Wifi using Backtrack"><strong>WEP secured vulnerable access points</strong></a> & WPA/WPA2 PSK secured points.<br />
<img alt="Wardriving at Delhi Updated - The OPEN,WEP and WPA" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiloM6nAd3LcoXvyhZ9NXfUV9lOv4uKDmFnFtmxFfC1Dn3N7ZGnLh_bRMMjl9dD0HB8t58T0F6JwbkugjAkTUuXVBC_JCzDJBNXLeWkCtarS1YMMERzmEzwknlntOUw3-J_UoBcS9AVd0Y/?imgmax=800" height="358" style="background-image: none; border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="Wardriving at Delhi Updated - The OPEN,WEP and WPA" width="550" /><br />
As usual, I used -<br />
<ul>
<li><a href="http://www.theprohack.com/2009/10/7-must-have-tools-for-every-hacker.html" target="_blank" title="7 must have tools for every hacker"><strong>Kismet</strong></a></li>
<li><a href="http://www.theprohack.com/2009/04/wi-fi-compromised-track-wi-fi-hackers.html" target="_blank" title="Hack and track Wifi using Moocherhunter"><strong>Moocherhunter</strong></a></li>
<li>Aircrack</li>
<li>G-MON & WiGLE</li>
</ul>
The target is to make a map of Delhi with all the access points, to analyse in layman's terms -<br />
<ol>
<li>The security awareness of people and organizations</li>
<li>The devices they are using</li>
<li>The security mechanisms they are using</li>
<li>Wi-Fi range analysis of individual devices</li>
</ol>
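One way to do the "security mechanisms" part of that analysis over a survey file, as an added example (not the project's own tooling, and not derived from its data files): it assumes the survey was exported in the WiGLE WiFi CSV format and runs over constructed rows.

```python
"""Tally the security mechanisms seen in a wardriving survey.

Added example for this post, not the project's own tooling or data.
Assumption: the survey was exported in the WiGLE WiFi CSV format (a
"WigleWifi-..." pre-header line, then a header row of
MAC,SSID,AuthMode,FirstSeen,Channel,RSSI,CurrentLatitude,CurrentLongitude,
AltitudeMeters,AccuracyMeters,Type). Every AP is classified into the OPEN /
WEP / WPA / WPA2 buckets the post analyses, deduplicated by BSSID, and the
weakly protected ones are listed so their owners can be notified.
"""
import csv
from collections import Counter

# Constructed sample export: BSSIDs, SSIDs and coordinates are made up.
# "Secure5" appears twice to show that repeat sightings of one BSSID are
# counted once.
SAMPLE_CSV = """\
WigleWifi-1.4,appRelease=test,model=test,release=test,device=test,display=test,board=test,brand=test
MAC,SSID,AuthMode,FirstSeen,Channel,RSSI,CurrentLatitude,CurrentLongitude,AltitudeMeters,AccuracyMeters,Type
00:11:22:33:44:01,CafeFree,[ESS],2014-03-30 17:01:00,6,-60,28.5245,77.2066,230,10,WIFI
00:11:22:33:44:02,HomeNet,[WEP][ESS],2014-03-30 17:02:00,1,-72,28.5250,77.2070,230,10,WIFI
00:11:22:33:44:03,OfficeAP,[WPA-PSK-TKIP][WPA2-PSK-CCMP][ESS],2014-03-30 17:03:00,11,-55,28.5261,77.2081,231,8,WIFI
00:11:22:33:44:04,Secure5,[WPA2-PSK-CCMP][ESS],2014-03-30 17:04:00,36,-65,28.5270,77.2090,231,8,WIFI
00:11:22:33:44:05,OldRouter,[WPA-PSK-TKIP][ESS],2014-03-30 17:05:00,6,-80,28.5280,77.2100,232,12,WIFI
00:11:22:33:44:06,NoName,[ESS],2014-03-30 17:06:00,6,-85,28.5290,77.2110,232,12,WIFI
00:11:22:33:44:04,Secure5,[WPA2-PSK-CCMP][ESS],2014-03-30 17:09:00,36,-70,28.5271,77.2091,231,8,WIFI
"""

BUCKETS = ("OPEN", "WEP", "WPA", "WPA2")


def classify(auth_mode):
    """Map a WiGLE AuthMode string to the strongest mechanism it advertises.

    AuthMode is a run of bracketed capability flags, e.g.
    "[WPA-PSK-TKIP][WPA2-PSK-CCMP][ESS]". A mixed-mode AP counts as WPA2
    because a client can negotiate the stronger suite; "[ESS]" alone means
    no encryption at all.
    """
    mode = auth_mode.upper()
    if "WPA2" in mode or "RSN" in mode:
        return "WPA2"
    if "WPA" in mode:
        return "WPA"
    if "WEP" in mode:
        return "WEP"
    return "OPEN"


def parse_wigle(text):
    """Yield (bssid, ssid, bucket) once per BSSID from a WiGLE CSV export."""
    lines = text.splitlines()
    if lines and lines[0].startswith("WigleWifi"):
        lines = lines[1:]          # drop the app/device pre-header line
    seen = set()
    for row in csv.DictReader(lines):
        if row.get("Type", "WIFI") != "WIFI":
            continue               # skip cell tower / Bluetooth rows
        bssid = row["MAC"].lower()
        if bssid in seen:
            continue               # same AP sighted again on the drive
        seen.add(bssid)
        yield bssid, row["SSID"], classify(row["AuthMode"])


def summarise(text):
    """Return (counts, percentages, weak_aps) for one survey file.

    weak_aps lists the OPEN and WEP networks, the ones the post flags as
    needing attention.
    """
    aps = list(parse_wigle(text))
    counts = Counter(bucket for _, _, bucket in aps)
    total = sum(counts.values()) or 1
    pct = {b: round(100.0 * counts[b] / total, 1) for b in BUCKETS}
    weak = [ap for ap in aps if ap[2] in ("OPEN", "WEP")]
    return counts, pct, weak


if __name__ == "__main__":
    counts, pct, weak = summarise(SAMPLE_CSV)
    for bucket in BUCKETS:
        print(f"{bucket:5s} {counts[bucket]:3d}  {pct[bucket]:5.1f}%")
    print("needs attention:")
    for bssid, ssid, bucket in weak:
        print(f"  {bssid}  {ssid!r}  {bucket}")
```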
In all, you can find the data at the links below -<br />
<ul>
<li><a href="https://docs.google.com/file/d/0BzUDzlL81T5CNEJCczFyQUVrbzg/edit?usp=sharing" target="_blank" title="Download - Hotspot details & access point details"><strong>Hotspot details / BSSID</strong></a> (See if you are on the list) =))</li>
<li><a href="https://docs.google.com/file/d/0BzUDzlL81T5CZ2lmVHFzNE56UGc/edit?usp=sharing" target="_blank" title="See Wifi Access points in Google Maps"><strong>Google Maps KML Data</strong></a> (See it in Google Maps)</li>
</ul>
If you are interested in contributing to the data, please contact me at admin<at>theprohack.com. You can also read how to <a href="http://www.theprohack.com/2010/01/hack-wifi-using-backtrack.html" target="_blank" title="Learn how to hack Wifi using Backtrack"><strong>Hack Wifi using Backtrack</strong></a>, <a href="http://www.theprohack.com/2009/04/wi-fi-compromised-track-wi-fi-hackers.html" target="_blank" title="Learn how to detect if someone is using WiFi"><strong>How to detect if someone is using your WiFi</strong></a> or <a href="http://www.theprohack.com/2010/07/detect-wifi-hotspots-using-netstumbler.html" target="_blank" title="Learn how to detect Wifi hotspots using NetStumbler"><strong>how to detect WiFi hotspots</strong></a>. If you have an Android, you can also read about <a href="http://www.theprohack.com/2011/03/wardriving-with-android-hacking-wifi.html" target="_blank" title="Learn how to use your android for Wardriving"><strong>how to use your Android for Wardriving</strong></a>.<br />
<br />
Happy Wardriving.</div>
Oops..NSA did it again - How NSA hacked & (may have) got into *every* communicating device ever
Posted by rish (http://www.blogger.com/profile/02053531903553289391) on 2014-01-20T21:41:00+05:30; updated 2014-02-05T16:27:27+05:30
<div dir="ltr" style="text-align: left;" trbidi="on">
Happy new year folks, I am late & I know it, but there is something that I just came across & thought to share with you. It's <br />
<br />
Read at Leakedpress / Spiegel; posting from Leakedpress. If this is true (which it probably is; otherwise Snowden would not be hiding), then it's something to either fear or marvel at. In both cases, I would love to see these devices in action, as it's something that catches my expertise and eye.<br />
<br />
Read on..<br />
<blockquote class="tr_bq">
<br />
SPIEGEL:<br />
After years of speculation that electronics can be accessed by
intelligence agencies through a back door, an internal NSA catalog
reveals that such methods already exist for numerous end-user devices.<br />
When it comes to modern firewalls for corporate computer networks,
the world’s second largest network equipment manufacturer doesn’t skimp
on praising its own work. According to Juniper Networks’ online PR copy,
the company’s products are “ideal” for protecting large companies and
computing centers from unwanted access from outside. They claim the
performance of the company’s special computers is “unmatched” and their
firewalls are the “best-in-class.” Despite these assurances, though,
there is one attacker none of these products can fend off — the United
States’ National Security Agency.<br />
Specialists at the intelligence organization succeeded years ago in
penetrating the company’s digital firewalls. A document viewed by
SPIEGEL resembling a product catalog reveals that an NSA division called
ANT has burrowed its way into nearly all the security architecture made
by the major players in the industry — including American global market
leader Cisco and its Chinese competitor Huawei, but also producers of
mass-market goods, such as US computer-maker Dell and Apple’s iPhone.<br />
<br />
These NSA agents, who specialize in secret back doors, are able to
keep an eye on all levels of our digital lives — from computing centers
to individual computers, from laptops to mobile phones. For nearly every
lock, ANT seems to have a key in its toolbox. And no matter what walls
companies erect, the NSA’s specialists seem already to have gotten past
them.<br />
This, at least, is the impression gained from flipping through the
50-page document. The list reads like a mail-order catalog, one from
which other NSA employees can order technologies from the ANT division
for tapping their targets’ data. The catalog even lists the prices for
these electronic break-in tools, with costs ranging from free to
$250,000.<br />
In the case of Juniper, the name of this particular digital lock pick
is “FEEDTROUGH.” This malware burrows into Juniper firewalls and makes
it possible to smuggle other NSA programs into mainframe computers.
Thanks to FEEDTROUGH, these implants can, by design, even survive
“across reboots and software upgrades.” In this way, US government spies
can secure themselves a permanent presence in computer networks. The
catalog states that FEEDTROUGH “has been deployed on many target
platforms.”<br />
The specialists at ANT, which presumably stands for Advanced or
Access Network Technology, could be described as master carpenters for
the NSA’s department for Tailored Access Operations (TAO).
In cases where TAO’s usual hacking and data-skimming methods don’t
suffice, ANT workers step in with their special tools, penetrating
networking equipment, monitoring mobile phones and computers and
diverting or even modifying data. Such “implants,” as they are referred
to in NSA parlance, have played a considerable role in the intelligence
agency’s ability to establish a global covert network that operates
alongside the Internet.<br />
Some of the equipment available is quite inexpensive. A rigged
monitor cable that allows “TAO personnel to see what is displayed on the
targeted monitor,” for example, is available for just $30. But an
“active GSM base station” — a tool that makes it possible to mimic a
mobile phone tower and thus monitor cell phones — costs a full $40,000.
Computer bugging devices disguised as normal USB plugs, capable of
sending and receiving data via radio undetected, are available in packs
of 50 for over $1 million.<br />
The ANT division doesn’t just manufacture surveillance hardware. It
also develops software for special tasks. The ANT developers have a
clear preference for planting their malicious code in so-called BIOS,
software located on a computer’s motherboard that is the first thing to
load when a computer is turned on.<br />
This has a number of valuable advantages: an infected PC or server
appears to be functioning normally, so the infection remains invisible
to virus protection and other security programs. And even if the hard
drive of an infected computer has been completely erased and a new
operating system is installed, the ANT malware can continue to function
and ensures that new spyware can once again be loaded onto what is
presumed to be a clean computer. The ANT developers call this
“Persistence” and believe this approach has provided them with the
possibility of permanent access.<br />
Another program attacks the firmware in hard drives manufactured by
Western Digital, Seagate, Maxtor and Samsung, all of which, with the
exception of the latter, are American companies. Here, too, it appears the
US intelligence agency is compromising the technology and products of
American companies.<br />
Other ANT programs target Internet routers meant for professional use
or hardware firewalls intended to protect company networks from online
attacks. Many digital attack weapons are “remotely installable” — in
other words, over the Internet. Others require a direct attack on an
end-user device — an “interdiction,” as it is known in NSA jargon — in
order to install malware or bugging equipment.<br />
There is no information in the documents seen by SPIEGEL to suggest
that the companies whose products are mentioned in the catalog provided
any support to the NSA or even had any knowledge of the intelligence
solutions. “Cisco does not work with any government to modify our
equipment, nor to implement any so-called security ‘back doors’ in our
products,” the company said in a statement. Contacted by SPIEGEL
reporters, officials at Western Digital, Juniper Networks and Huawei
also said they had no knowledge of any such modifications. Meanwhile,
Dell officials said the company “respects and complies with the laws of
all countries in which it operates.”<br />
Many of the items in the software solutions catalog date from 2008,
and some of the target server systems that are listed are no longer on
the market today. At the same time, it’s not as if the hackers within
the ANT division have been sleeping on the job. They have continued to
develop their arsenal. Some pages in the 2008 catalog, for example, list
new systems for which no tools yet exist. However, the authors promise
they are already hard at work developing new tools and that they will be
“pursued for a future release”.</blockquote>
<br />
You can read the full post here - <span style="background-color: #edf4ff; color: #888888; font-family: Arial, Helvetica, sans-serif; font-size: 13px;">http://www.theprohack.com/2014/02/nsa-hacks-every-network-device.html</span> </div>
Subnormality – The Webcomic that demands your reading.
Posted by rish (http://www.blogger.com/profile/02053531903553289391) on 2013-11-18T16:49:00+05:30; updated 2013-11-18T16:49:45+05:30
<p>It feels like aeons since I have written anything at Prohack. Actually, I got busy with my side projects, job & some pretty shitty sticky situations (<em>I am looking at you, CitiBank</em>). </p> <p>Life was crawling ahead & for the first time in my life I truly felt helpless against the greater powers acting, but that’s another story for some other time. Life at <a title="Orange Business Services" href="http://en.wikipedia.org/wiki/Orange_Business_Services" rel="nofollow" target="_blank"><strong>Orange</strong></a> has been good; it has technology, scenarios & responsibilities that actually empower you. So far so good, let's see how it goes ahead. </p> <p>Nevertheless, it's not my life I have come to discuss here today, it's something about a webcomic I read too much. I have always been a fan of webcomics, be it the all-time classic "User Friendly" or the new ones (<em>well, they are fairly old by internet standards, but still</em>..): xkcd, The Oatmeal, Saturday Morning Breakfast Cereal, Penny Arcade, Cyanide & Happiness, Awkward Zombie, Brawl in the Family, Hijinks Ensue, Dueling Analogs, Dinosaur Comics, JL8 & some pretty cool others (read: <em>too tired to type</em>); they have been part & parcel of my life since the time I became a netizen.</p> <p>Be it sublime humour, philosophy, video games or just anything, I believe web comics as a medium ace anything contemporary. 
Then, in & around ~2008, I came across <a title="Read Subnormality" href="http://www.viruscomix.com/subnormality.html" rel="nofollow" target="_blank"><strong>Subnormality</strong></a>, a comic under the umbrella of Viruscomix, which are described as "<em>Comix with too many words since 2007</em>" by author <strong>Winston Rowntree</strong>, & I was blown away by its content. I was instantly hooked & 5 years later, I am a fan. </p> <p>It has been satirical, practical, intricately detailed, heart-warming, absurd, carefully drawn, full of easter eggs & pop culture references & caters to a very specific audience who have the patience to handle ~1500 - 2000 word texts inside speech bubbles just for the sake of reading a webcomic. But once you see through the veil, trust me, it's one hell of a gem that demands a reading. </p> <p>Just in case it's not your cup of tea, you can go through Abnormality, which I believe is a fork of Subnormality created to cater to Cracked.com & is equally good.</p> <p>Also, Winston's other comix at Viruscomix are “Sector 41” (<em>a nod to Akademgorodok/Zheleznogorsk</em>) and "Things They Don't Tell You (but should)", which are a must read. 
</p> <p>Just in case you want to test the waters before getting addicted to awesome webcomics by Winston Rowntree, you can read </p> <ol> <li><a title="Read Monstrous Discrepancies at Subnormality" href="http://www.viruscomix.com/page528.html" rel="nofollow" target="_blank">Monstrous Discrepancies</a></li> <li><a title="Read Understanding Nuclear Weapons at Subnormality" href="http://www.viruscomix.com/page510.html" rel="nofollow" target="_blank">Understanding Nuclear Weapons</a></li> <li><a title="Read Seven Reasons at Subnormality" href="http://www.viruscomix.com/page580.html" rel="nofollow" target="_blank">Seven Reasons</a></li> <li><a title="Read The Closer you get at Abnormality" href="http://www.viruscomix.com/abno22.html" rel="nofollow" target="_blank">The Closer you get</a></li> <li><a title="Read Video Game Design at Abnormality" href="http://www.viruscomix.com/abno34.html" rel="nofollow" target="_blank">Video Game Design</a></li> <li><a title="Read Logo Design primer at Abnormality" href="http://www.viruscomix.com/abno33.html" rel="nofollow" target="_blank">Logo Design primer</a></li> <li><a title="Read The Stupid Planet at Abnormality" href="http://www.viruscomix.com/abno28.html" rel="nofollow" target="_blank">The Stupid Planet</a></li> </ol> <p>for a start. Meanwhile, I am reading Zanadu again.. :) </p>
Best Hackers of India – Revealed
Posted by rish (http://www.blogger.com/profile/02053531903553289391) on 2013-08-10T01:41:00+05:30; updated 2013-08-10T01:41:21+05:30
<p>I have had enough..I am very, very pissed off, as India has become the land of the skids & the greatest contribution to the same has been provided by imitators of the <a title="Ankit Fadia Sucks" href="http://www.theprohack.com/2010/09/demolishing-analysis-of-ankit-fadia.html" rel="nofollow" target="_blank"><strong>Fadia business model</strong></a>..And for the time being they are having good business by making fools of naive minds. Nowadays everyone I see (<em>and meet</em>) is a freelance security consultant, without even knowing the basics and intricacies of Security as process, acumen, method & lastly knowledge. </p> <blockquote> <p>When I ask them, "<em>Oh great, nice to meet you, so what have you been working on lately</em>?" </p> </blockquote> <p>The answer is cryptic bullshit about using Trojans, hacking Facebook profiles (<em>using *means*..duh</em>), pentesting websites (<em>using Havij/Acunetix or automated tools without doing any static code analysis, or XSS'ing the website without even a hint of persistent ones</em>), servers and even SEO (!). </p> <p>A more advanced skid will babble about using Backtrack/KALI and impress by using Metasploit to show how exploits are run to compromise systems (<em>insecure ones; also, in place of writing their own they just update it</em>), a bit of showing connections to the underground scene (<em>wait, what</em>?!) & having everyone by a cryptic handle in their Facebook profiles. </p> <blockquote> <p>"<em>Nice..So..what is *new* that you are working on lately?"</em> I exclaim.</p> </blockquote> <p>The media? </p> <p>Well..it goes apeshit whenever they hear about hacking prodigies. Well, to uneducated media journalists, let it be known to you: RESEARCH BEFORE YOU VOMIT ANYTHING. 
Why don't you go through <a title="Ankit Fadia Revealed - The truth behind the Charlatan" href="http://forbesindia.com/article/beyond-business/ankit-fadia-revealed/34793/0" rel="nofollow" target="_blank"><strong>Charles Assisi's Article on Ankit Fadia and LEARN SOMETHING</strong></a>?!!</p> <p>Worst part - These guys are even authoring books on hacking. Go figure :/ </p> <p>Every time some hacking prodigy or <strong>best hacker</strong> releases a book on "<strong>guide to hacking</strong>" with age-old obsolete (& <em>mostly stolen</em>) content, a cute bunny performs harakiri with his copy of Sn0wcrash somewhere. </p> <p>Point in question is that NONE OF THE GUYS WHO PROCLAIM to be the <strong>BEST HACKERS IN INDIA</strong> have ever appeared in reputable security conferences to show their mettle. Instead, <strong>they have created their own versions of DEFCON & HACKING CONFERENCES</strong> so that they can sing songs about their privates in full glory.</p> <p>PS: Every time I read Norman Shark's report on an Indian APT, I have a facepalm, just saying. How on earth it was classified as an APT is beyond me. But again, not diverting too far from my point, back to Hackers.</p> <p>I owe a lot of people; yes, every pro was a skid, I admit it, however what separates a skid or a Charlatan from a true 1337/seasoned security researcher is their attitude towards learning, reproducing, validating and then putting their own blood, sweat & tears into research to advance it. </p> <p>I have met quite a lot of talented folks in the corporate world and have had the privilege to work with some extremely talented people in <strong>network security</strong> (<em>I am looking at you, fambon/jach/m0d412</em> =] ). 
Having watched the scene carefully, I wanted to make note of some of the most talented folks in the Indian security scene today, people who are Hackers (<em>whether they acknowledge it or not</em>) and are not *self-proclaimed Hackers/best Hackers/leets* (<em>guys you will find a dime a dozen</em>). Seriously guys..where is the Halvar Flake of India?</p> <p>I wanted to do it as they have made significant contributions to the Indian hacking scene, <strong>be it awareness, exploits, pwnage or anything</strong>; they have been doing what is needed today, rather than creating an army of skids that gave everyone a bad name. </p> <p>Of course you will argue that the real guys are always hiding in the shadows (read: null) & there are a lot who are working behind the scenes, but still these are the ones you would like to know about <em>(in no particular order)</em>. </p> <p><strong>1.</strong>  <a title="Read more about Sanjay Rawat" href="http://www-verimag.imag.fr/~rawat/" rel="nofollow" target="_blank"><strong>Sanjay Rawat</strong></a></p> <p><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="Sanjay Rawat" border="0" alt="Sanjay Rawat" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjXXixEI64egTL73HWtNmAyCx_17FlQGrkf-KqAWQs7TJbJ10-JdN_XQLg5W6BqeQKsZoC4xlqFrMcf-oyfVzBzYuXqywiq5vf58pv8s1dxyNoGfGLNUgwXGcxoQvzhIq8maEnhLdQL4qOC/?imgmax=800" width="324" height="217" /> <br />Veteran security researcher specializing in code optimization, machine learning, VA, fuzzing and network security. One of my heroes whom I look up to & greatly idolize. </p> <p><strong>2.  
Rahul "fb1h2s" Sasi</strong></p> <p><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="Rahul Sasi" border="0" alt="Rahul Sasi" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwTWcGAkiMWlljciDzkRVxUP9sjpVdQKhRKlNFAJE1umsDvqgLPceWDtmRutG-ApQAK_5sEOvLPsPc-EK7v0fizqx0u_zMuGt1aciJHJ76XJvSwrnKUVm4RVm5OL_PswgObBXeoAi5cNUq/?imgmax=800" width="324" height="244" /> <br />I have known Sasi for quite some time, & he is the current torch bearer of the face of Indian hackers; his research into HID devices, biometrics, datacards and IVR has received widespread attention and has given the Indian security scene a good name. </p> <p>PS: <em>Rahul, if you are reading this, I chose this pic as it makes you look like a cross between Alan Cox & Cory Doctorow, some offbeat folks I greatly admire, no kidding</em> : P</p> <p><strong>3.  Vinay "Vinnu" Katoch</strong> <br />Long-time L0Xian with impeccable skills in exploit development, reverse engineering, malware analysis and development. Known for his exploits in JVM, ASLR/DEP bypass and his quiet nature.</p> <p><strong>4.  Vivek Ramachandran</strong> <br /><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="Vivek Ramachandran" border="0" alt="Vivek Ramachandran" src="http://lh5.ggpht.com/-SdCr9Mjm9H8/UgVM523wjFI/AAAAAAAACRY/KYgSPp2K8k4/Vivek%252520Ramachandran%25255B4%25255D.jpg?imgmax=800" width="324" height="244" /></p> <p>Well, how can he even be missing from this list. 
His famed Café Latte Attack & his latest primer on making security accessible to everyone via Securitytube have helped millions to learn security the right way, at least the nascent steps. Kudos to him.</p> <p><strong>5.  Rajshekhar Murthy / Atul Alex Cherian</strong> <br />The Malc0n duo is quite infamous for bringing raw, uncensored malware research and development into the spotlight. Malc0n exclusively focuses on proactive malware research and analysis & the responsible folks have been instrumental in making it an international platform.</p> <blockquote> <p>Honourable mention: Folks at n|u, g4h, SX, I always take you for granted since you have always been 1337s; you don't need a lesser mortal to define your contribution to the scene.</p> </blockquote> <p>I hope my rant was quite clear (!), concise and to the point; I hope that the next time you hear about some <strong>Indian hacking prodigy</strong> in your local newspaper, Facebook page or on a poster at your college campus, you will QUESTION YOURSELF TWICE & ask the good ol' folks at n|u/SX/g4h for a piece of their mind. </p> <p><a title="Top Indian Hackers of India" href="http://www.theprohack.com/2011/04/top-indian-hackers-real-indian-hackers.html" target="_blank"><strong>If you want to go through the last time I ranted about the BEST HACKERS IN INDIA, click here.</strong></a> You can also read more about <a title="Attrition.org - Attrition is an eclectic collection of general Internet and computer security resources." href="http://attrition.org/errata/charlatan/" rel="nofollow" target="_blank"><strong>Charlatans at Attrition.org</strong></a>, my favourite place to kill off time. </p> <p>Just in case you might question my authority to rant about the topic, then well, I hope you will get it someday.</p>
Snapdeal Sucks - My experience with Snapdeal.com - It's Pathetic, slow and unresponsive
Posted by rish (http://www.blogger.com/profile/02053531903553289391) on 2013-05-21T02:27:00+05:30; updated 2013-05-28T16:36:24+05:30
<div dir="ltr" style="text-align: left;" trbidi="on">
<a href="http://lh6.ggpht.com/-tygBbZwbxgA/UZqNxOvnOkI/AAAAAAAACMM/QViVm_b60-A/s1600-h/Not%252520exactly%252520a%252520snap%252520deal%25255B7%25255D.jpg"><img align="left" alt="snapdeal_logo_new" border="0" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQmKgn18Ch1wONXzaAgdtR4Mekxy0kHb4BbSirn1CMVY4YX6TmQ6I4VW-sL_ncbvZHcbkqd3dRZlv16n9Gicl-AvFcVGzPWpJORoUaEBzY-AFO656v4G0bQZKaGpjRo4njPZGrno1ygd79/?imgmax=800" style="background-image: none; border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: inline; float: left; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="snapdeal_logo_new" width="244" /></a>It all started with me hunting for a point and shoot camera for my mother. To be frank, any camera with no hassles & fair performance would have qualified, and I was personally looking for the Nikon L26; but since it was deemed outdated by Nikon itself, I hopped in for the Nikon L27 violet colour camera. Now, to be frank, I never wanted to go out of Flipkart/Infibeam since they have stood the test of time with me, but somehow I ordered it from another popular online portal, <strong><a href="http://www.snapdeal.com/" rel="nofollow" target="_blank" title="Snapdeal.com - It sucks">Snapdeal.com</a></strong>, & there things start to get interesting. <br />
For starters, I never received any email of purchase confirmation. I thought it might have landed in the junk/spam folder but hell no. I double checked my email filters, searched every label but nopes..zilch..nada..I simply didn't get any email receipt of purchase from Snapdeal. It was the first omen of a Bad Deal (aka <strong>Snapdeal</strong>). Thankfully I didn't close my browser windows; I was lucky to take a snapshot of the transaction, noted down the transaction id from my bank statement, drank a glass of water & wiped away the sweat that the scorching Delhi summer delightfully gave me.<br />
5 minutes later I received an SMS from <strong>Snapdeal</strong> regarding my order number; I matched it with my snapshot, went online again and found, after providing my details, that the estimated shipping date was 20th May 2013. <br />
I tried to log in to Snapdeal and found that since I had created an account a long time ago (<em>when Snapdeal was not into the store business and was into the deals business</em>), I didn't actually remember its password. I tried to reset it, but received *NO EMAIL* from Snapdeal. Now that was alarming: I was not able to reset my password, not able to get an email receipt, and I was not very sure about the delivery capability of Snapdeal (<em><a href="http://www.mouthshut.com/product-reviews/Snapdeal-com-reviews-925602969" rel="nofollow" target="_blank" title="Snapdeal sucks on Mouthshut too"><strong>a quick search on mouthshut.com was quite revealing</strong></a></em>). <br />
Immediately I called customer care (+91-92126-92126); after listening to whistles and the caller tune for 5 minutes (<em>yes, *5 minutes*</em>), my call was picked up. I explained to the CCE -<br />
<ol>
<li>I am not getting email from Snapdeal.</li>
<li>I did not receive a receipt.</li>
<li>I am unable to reset my password.</li>
<li>What is the status of my order as of now and by what time will it get delivered?</li>
</ol>
The CCE responded -<br />
<ol>
<li>He cannot reset the password nor help me in any regard with account or email issues.</li>
<li>My order was under processing and he cannot provide an estimated delivery date.</li>
</ol>
I thanked him and hoped for the best. <br />
Also, I logged into Snapdeal via FB authentication and was still not able to reset the password.<br />
That was on 15th May 2013.<br />
Now, to be frank, I have never ordered anything from Snapdeal before; one of my friends (<em>Gurpreet Singh</em>) had once ordered some stuff from it, but he warned me about Snapdeal's performance issues after I placed the order. <br />
While I was gleefully cursing him "<em>Why the hell didn't you tell me earlier</em>!!", he reassured me that they are slow but they at least deliver the goods. <br />
"<em>Also, the shipping date is 20th; you might be getting the goods in your hands before that</em>", he finished, gulping his last glass of lassi.<br />
Nervously I reassured myself and crossed my fingers. Who knows. It wasn't for me, it was for my Mom and I wanted to get it delivered in a timely manner. <br />
17th May came and the status was still "<em>processing</em>" on the website. Furthermore, I tried calling customer care thrice with no one responding on the number. They also hung up on me on one occasion without CCE interaction.<br />
Now I was getting a bit angry. 18th May, it was Saturday noon and the order was still under processing. I tweeted to Snapdeal <br />
<a href="http://lh4.ggpht.com/-ITNHfU0GNoc/UZqNy8BOH2I/AAAAAAAACMc/w5tzvsyMv5I/s1600-h/Tweet%252520to%252520Snapdeal%25255B3%25255D.jpg"><img alt="Tweet to Snapdeal" border="0" height="858" src="http://lh3.ggpht.com/-hglHenJ8iMk/UZqNz8vJnOI/AAAAAAAACMk/beKT9SP-Sj0/Tweet%252520to%252520Snapdeal_thumb%25255B1%25255D.jpg?imgmax=800" style="background-image: none; border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="Tweet to Snapdeal" width="484" /></a> <br />
No response from Snapdeal as of now. Also, I sent the email to Snapdeal helpdesk (<em>help@snapdeal.com</em>)<br />
<blockquote>
Team,<br />
I bought Nikon Coolpix L27 16MP Point & Shoot Digital Camera (Purple), Order Number 994202497, Item code 1333471211. It's been 3 days but I have NOT received the email receipt of the order. Furthermore, I am not able to verify my Snapdeal account as I am not getting any emails from Snapdeal regarding verification and the order. <br />
I have looked into the SPAM/JUNK folder to no avail. I mentioned the same to customer care on 9212692126 but they were helpless. <br />
Furthermore, why is there so much delay in processing the order? 3 days and it's still processing. What's the bottleneck in it? I never had such a slow response from any of the online retailers I have used.<br />
Please get back to me on the double.</blockquote>
You guessed it right, no response from Snapdeal. <br />
On 20th May I shot another one.<br />
<blockquote>
Dear Team,<br />
Still awaiting your response. It's quite incredulous that I am following up for an email response which should have been your duty. It's 20th May and the product page still shows a shipping date of 20th May with no update. I had a word with CCE Maninder Sandhu (yeah, I got lucky, finally your customer care picked the call) for an update on the order but then he himself was helpless regarding the same. <br />
It's pathetic how you are keeping the money interest free without giving any proactive updates on the status of the order and keeping the customer completely blind on it.<br />
Nevertheless, I will be waiting till 21 May for an update, for a fair chance. After that, I will be cancelling the order and will be filing for a refund.<br />
Regards</blockquote>
<br />
Seriously, I could have posted call records but then I think it would have been a bit of an overkill. But then, if they can record our calls for "<em>quality & training purposes</em>" then why can't we use them for some real "<em>quality</em>" purposes?<br />
I had no idea what was going on; at least an email response would have sufficed. We live in a country where the consumer is hailed as king. I have no complaints with late deliveries, I am actually angry with the no/diminutive response from the Snapdeal team. I have paid for an item first rate, online, in a single transaction with no dues pending, no instalments, and they are keeping my money interest free, processing it according to their whims and providing no reasons for the delay. Furthermore, the response time is pathetic; I got the reply from <a href="https://www.facebook.com/Snapdeal/posts/10152873587930393" rel="nofollow" target="_blank" title="Snapdeal replied on FB"><strong>Snapdeal on Facebook page</strong></a> / Twitter 2 days later, & that too that they are looking into it and the order will be shipped today. <br />
<a href="http://lh4.ggpht.com/-hocSRc3AEaU/UZqN1TycR3I/AAAAAAAACMs/CfioKu_9tk8/s1600-h/Snapdeal%252520Order%252520will%252520ship%252520today%25255B7%25255D.png"><img alt="Snapdeal Order will ship today" border="0" height="858" src="http://lh3.ggpht.com/-L-tU0NFssbE/UZqN2XDvsJI/AAAAAAAACM0/g3pj5u39Gro/Snapdeal%252520Order%252520will%252520ship%252520today_thumb%25255B2%25255D.png?imgmax=800" style="background-image: none; border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="Snapdeal Order will ship today" width="484" /></a><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3kwIkmDQ6kQ56M1yoAZS4LSZviNJzysE7FqklYC9ND9fKYHVz3FZYHgLoUb5MFA3KIgCCot73AXtnfkJjMe1HIICvW9yA3ozVIn5aU7IAaLv3v1eC01tIfrZYbQ0HSwxuQrKzsBRbGbTZ/s1600-h/Snapdeal%252520facebook%252520response%25255B5%25255D.jpg"><img alt="Snapdeal facebook response" border="0" height="471" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdLo4ecxKZbkbb_IUOqqCJxynQZULRMO9yBR9cjgFq10fXNrFPFgRzpfqwebWn12rujPcG9_ChWwW0ISUvaJgv199nXY48T2x7EQOqz2WiSmDKFD_Nbli5bQPImgMl1zzWPe_4rq4ZLAso/?imgmax=800" style="background-image: none; border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="Snapdeal facebook response" width="504" /></a><br />
<div align="center">
<a href="https://www.facebook.com/photo.php?fbid=10152880162390393&set=a.10150210480210393.434702.471784335392&type=1" rel="nofollow" target="_blank" title="Seems like I am not the only one frustrated of Snapdeal, click here to see the same."><strong>Also, a quick look at their FB page reveals that I am not the only one frustrated with Snapdeal</strong></a>; see the image below or click the link above.</div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLjVQLxO6z6mBn3nwk7oIy1-h4QFEnRJiUUiETtEbTUDrbU6CJgJxcF46koFq6q3JKZACzpiSJwUy1fU-t707PZPiWK_QkwFisppJdRguNUOROPi64RrKjUzHz6UPtq8dFUDvZiZqMDVAT/s1600-h/Snapdeal%252520-%252520I%252520am%252520not%252520the%252520only%252520one%252520frustrated%25255B3%25255D.jpg"><img alt="Snapdeal - I am not the only one frustrated" border="0" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuWmTe3wvSE1pYa8DrqIiXWiOCwZ9JUuOehgo65hTijA56xj3Vjvs20wRiCz2b4ypQCMpgj6Be2QMLHQPtVd4sJXI9ctXXylxjuntjy9hGPYVCdoHaU733UNTqn_H14JGUHIfxSkXlDGca/?imgmax=800" style="background-image: none; border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="Snapdeal - I am not the only one frustrated" width="504" /></a><br />
<br />
Later, I got an SMS from Snapdeal that order has been delayed. <br />
<a href="http://lh5.ggpht.com/-Y0JaQTDMDhw/UZqN7LIKHqI/AAAAAAAACNc/qDPDyhBdL7Q/s1600-h/Snapdeal%252520SMS%25255B3%25255D.jpg"><img alt="Snapdeal SMS" border="0" height="460" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCkICDk5ZtN7sUbx99O22-S6tycCyDUegtI0KTHFEFUPiIE7Dk7_CoKifh9_1TTPfcm4DbNxrLeJmr7CyqPJC_IodstFsKmqBUetwUenD4t-WJrHkZv0znWUaLjKXZiC6R-RmyuKkxDok8/?imgmax=800" style="background-image: none; border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="Snapdeal SMS" width="484" /></a><br />
But the online portal is still showing that the order is under processing and I really don't know what information to trust.<br />
<a href="http://lh3.ggpht.com/-i6NszR9qn0c/UZqOOFpoE-I/AAAAAAAACNs/SqdU70fayqA/s1600-h/Snap%2525204%252520Censored%25255B3%25255D.jpg"><img alt="Snap 4 Censored" border="0" height="225" src="http://lh4.ggpht.com/-ydCuD2Q0nzo/UZqOPMG1AfI/AAAAAAAACN0/q0aItxCWVLE/Snap%2525204%252520Censored_thumb%25255B1%25255D.jpg?imgmax=800" style="background-image: none; border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="Snap 4 Censored" width="504" /></a><br />
I was also not able to cancel my order as I CAN'T REACH CUSTOMER CARE AND I AM NOT SURE IF MY EMAILS ARE EVEN READ. As per Snapdeal's guidelines, they can choose to accept or deny my request to cancel the order based on their convenience and understanding of the situation.<br />
<a href="http://lh5.ggpht.com/-RQRdqNkLR2E/UZqOQEw681I/AAAAAAAACN8/OAr-JoaQaCc/s1600-h/Snapdeal%252520%252520Terms%252520of%252520Sale%252520-%252520Cancellation%25255B8%25255D.jpg"><img alt="Snapdeal Terms of Sale - Cancellation" border="0" height="251" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhIs5_RYTLpCYjlvtn86_i7A4dgkI1uhIjVo5xeZW_544j9LEvQFazAhAC6_yFXqmL8fN62CpwgEhaq3_qAAISfxTyuWry8XO-HOb7i2XqLmqWtOZHzCTRIQK72P0m46xjDRmiC-OL8RpNi/?imgmax=800" style="background-image: none; border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="Snapdeal Terms of Sale - Cancellation" width="504" /></a><br />
If you can't read it, to quote Snapdeal (<em>trust me, it's an amusing read</em>):<br />
<blockquote>
10.2 <u>Cancellation by the User:</u> <strong>In case of requests for order cancellations, Snapdeal reserves the right to accept or reject requests for order cancellations for any reason whatsoever. As part of usual business practice, if Snapdeal receives a cancellation notice and the order has not been processed/ approved by Snapdeal, Snapdeal shall cancel the order and refund the entire amount to You within a reasonable period of time. Snapdeal will not be able to cancel orders that have already been processed. Snapdeal has the full right to decide whether an order has been processed or not. You agree not to dispute the decision made by Snapdeal and accept Snapdeal's decision regarding the cancellation.</strong></blockquote>
Very cute.<br />
Bet I would have called Snapdeal for cancellation and they would have cancelled my request because they “<em>had processed my order</em>”... and because it's written in clause 10.2.<br />
As of now, summing up my entire experience with Snapdeal echoes the following problems again and again:<br />
<ol>
<li>Lack of proper communication to customer.</li>
<li>Unresponsive support, and</li>
<li>Broken implementation of information systems.</li>
</ol>
I want to reiterate that I don't have any problems with delays provided proper, proactive and responsive communication is done with the customer and issues regarding information are handled adeptly. I once had an order from Flipkart halted for around 14 days, but never once did I have to be bothered about it because the responsive CCEs provided me concrete updates; on the 7th day they offered a refund, which I gladly accepted. <br />
As of now, I haven't got any response to my tweet to Snapdeal <br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF7Y3QuE5Wi5o-SYissEszK6qFbOKadwOmHrBSQn2XJtYx9Hjjjewx8eR-KFq4Pi39GdmJ9vGx0rN7qXs-442RpL621MPmoH3G6dbuC6MQ65k0lHiSwimWoGaSusVZt3PX6_lzocMlyR7B/s1600-h/Tweet%252520to%252520Snapdeal%2525202%25255B4%25255D.jpg"><img alt="Tweet to Snapdeal 2" border="0" height="98" src="http://lh3.ggpht.com/-6GTy9wiYt6s/UZqOSi8Gr7I/AAAAAAAACOU/4ml_QPbUI7Y/Tweet%252520to%252520Snapdeal%2525202_thumb%25255B2%25255D.jpg?imgmax=800" style="background-image: none; border-bottom: 0px; border-left: 0px; border-right: 0px; border-top: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px;" title="Tweet to Snapdeal 2" width="504" /></a><br />
Another call to CCE Maninder Sandhu (<em>I just got lucky</em>) was fruitless, although he was a nice chap and was trying to help. <br />
Lessons learnt:<br />
<ol>
<li>I won't be shopping from Snapdeal again, that's for sure, unless they make some really radical changes in their system.</li>
<li>Won't be ordering with my hard-earned money from portals that are pathetic.</li>
</ol>
I do hope Snapdeal takes my rant as constructive criticism and infuses something into its DNA for the greater good. <br />
<br />
Meanwhile, I am still waiting for my camera to be delivered .. : ( <br />
(6 Days at the time of writing ) and counting..<br />
<br />
<b>Update 21 May 2013 6.04 PM IST : </b><br />
<b><br /></b>
To top it off as of now -<br />
<br />
<ol style="text-align: left;">
<li>The estimated shipping time on the webpage is still showing 20th May, but it has been updated that the tracking number will be available in 12 hours, so I actually don't know what the correct update is.</li>
<li>Snapdeal_help on Twitter promised shipping by today but to no avail. They actually updated my Mother and not me regarding that, but alas, it's still showing pending.</li>
<li>According to CCE Akash, the package is ready for courier and will be shipped by tomorrow first half. One more date... Let's see how it goes.</li>
<li>The Snapdeal FB page removed the negative comments; however, you can see them in the picture given above.</li>
</ol>
<div>
<b>Update 21 May 2013 7.00 PM IST :</b></div>
<div>
<br /></div>
<div>
Got a call from the Snapdeal Okhla Office from Monika, who provided the courier tracking number and apologized for the delay; I thanked her. Also, as per her, the tracking number will be active within 12 - 48 hours. I promptly checked the 11 digit tracking number, which was not active on the courier service (Bluedart) page. She might be right. Will check it tomorrow morning.<br />
<br />
<b>Update 22 May 2013 6 PM IST :</b><br />
<b><br /></b>
As of now, Snapdeal has *FINALLY* shipped my order (YAY!!). But again, it has been delayed by the courier service. As of now, I was in talks with the Assistant Mgr at the courier service, who was quite helpful and said the product will be delivered by tomorrow. All I hope is that it is a functional one, as this long delay has shaken my already non-existent faith in Snapdeal.<br />
<br />
<b>Update 23 May 2013 6 PM IST :</b><br />
<b><br /></b>
Finally, after numerous delays, the order was delivered. The bottom line? Well, the issue was already escalated at Snapdeal's end; the pity was that when I checked at support.snapdeal.com, my ticket was not updated in 3-4 days, and one was closed with the remark that the customer (that's me) was not reachable. Excellent. It was only when I started escalating the matter on online and social platforms that they came into action and hastened the matter. Still, it's 8 days, which is well beyond the norms of a normal e-comm site.<br />
I am glad it all ended well. Mom got the camera and I got to see the inner workings of an e-comm site.</div>
</div>
<div class="blogger-post-footer">Thanks for your readership.
Be a Pro,Visit Prohack.
RD</div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0tag:blogger.com,1999:blog-473620016779402291.post-46550163101459177822013-05-04T14:35:00.002+05:302013-05-04T14:35:33.105+05:30Guide to Anti-Debugging - Overview , Techniques and Approaches<div dir="ltr" style="text-align: left;" trbidi="on">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLw9FVA692bR6nKI4EvdtiwHV_f8R5hK2MS158uIMGADiTgX0vwIdx3rM0D5EsLPmVUYJy5y3-ifPxOi0HGeNvgq-gNTGxdnM3Jda8P7HQVablbVKG99f5dahb1LYTCa2-aAI7wDjhBxDQ/s1600/Guide+to+Anti-Debugging+-+Overview+,+Techniques+and+Approaches.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="Guide to Anti-Debugging - Overview , Techniques and Approaches" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhLw9FVA692bR6nKI4EvdtiwHV_f8R5hK2MS158uIMGADiTgX0vwIdx3rM0D5EsLPmVUYJy5y3-ifPxOi0HGeNvgq-gNTGxdnM3Jda8P7HQVablbVKG99f5dahb1LYTCa2-aAI7wDjhBxDQ/s200/Guide+to+Anti-Debugging+-+Overview+,+Techniques+and+Approaches.jpg" title="Guide to Anti-Debugging - Overview , Techniques and Approaches" width="180" /></a>I have been nagged a lot regarding guest posts, and almost 90% of them are related to some news, social media bullshit and half-baked security crescendo. Until recently, when I was contacted by the amiable folks at <b>Infosec Institute</b> with a good article on <b>Anti Debugging</b>. This is an article by <b>Dejan Lukan</b>, a security researcher at <b><a href="http://www.infosecinstitute.com/" target="_blank">Infosec Institute</a>,</b> in which he discusses <b>Anti Debugging techniques</b> in an objective and direct manner. I loved the implementation part; it reminded me of my rev days (you can learn about <a href="http://www.theprohack.com/2010/01/learn-to-crack-any-version-of-winrar.html" target="_blank">how to reverse Winrar</a> or just have a look at <a href="http://www.theprohack.com/2010/10/reverse-engineering-for-noobs-step-by.html" target="_blank">a real noobs guide to reverse some more stuff</a>), and more importantly Dejan explains how to stop (read: slow down) people from reversing your code. Hope you will enjoy it.<br />
<div class="MsoNormalCxSpMiddle" style="background-color: white; background-position: initial initial; background-repeat: initial initial; margin-bottom: 15pt;">
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">Before we begin, we must mention that it’s impossible to
completely prevent reversing. What is possible is that we can place as many
obstacles on the way as we want to make the process slow enough that reverse
engineers will give up. Actually there are hardware implementations where you
can buy a black box that attaches to your computer which can do the </span><a href="http://resources.infosecinstitute.com/role-of-cryptography/" rel="" target="_blank"><span style="font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">encryption</span></a><span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">/decryption
for you, but this is far from being used in everyday life.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<b><span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">Techniques to Harden Reverse Engineering<o:p></o:p></span></b></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">The most basic approaches to harden the reverse engineering of
programs are the following [1]:<o:p></o:p></span></div>
<ol style="text-align: left;">
<li><span style="color: #333333; font-family: PTSansRegular, serif; font-size: 10pt;">Eliminating Symbolic Information</span></li>
<li><span style="color: #333333; font-family: PTSansRegular, serif; font-size: 10pt;">Obfuscating the Program</span></li>
<li><span style="color: #333333; font-family: PTSansRegular, serif; font-size: 10pt;">Embedding Antidebugger Code</span></li>
</ol>
<span style="background-color: white; line-height: 15pt;">When eliminating symbolic information, we’re removing the textual
information from the program, which means we’re stripping all symbolic
information from the program executable. In bytecode programs, the executable
often contains large amounts of internal symbolic information such as class names,
class member names and the names of instantiated global objects. By removing every
symbol from the executable or by renaming every symbol, the reverser is faced
with a bigger problem than usual, because symbol names alone can often be used
to gather enough information about what a function does, which simplifies the
reverse engineering considerably.</span><br />
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">This can easily be done in C/C++ programs, where we only have to
append a few compiler flags to the command line that actually compiles the
program into the executable. It’s much harder with programming languages like
Java and .NET, where those symbols are used internally to reference variables,
functions, etc. This is also the reason why Java and .NET programs can easily
be converted into pretty good source code of the original program. We can
still strip the symbols from such programs by renaming all the symbols from
their meaningful names into meaningless representations, which effectively does
the job.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">Besides stripping the executable symbols, we can also obfuscate
the program. When obfuscating a program, we’re basically changing the code of
the program without actually changing the logic behind it, so the program does
the same as before but its code is far less readable. Here we have two
techniques that can achieve that:<o:p></o:p></span></div>
<div class="MsoListParagraphCxSpFirst" style="background-color: white; background-position: initial initial; background-repeat: initial initial; margin-bottom: 7.5pt; text-indent: -0.25in;">
<ul style="text-align: left;">
<li><span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";"><b>Encoding</b>: With encoding, we must add decoding instructions
that decode the whole program before it is run. This can be done by
appending the decoding instructions at the end of the program and changing the
entry point to point to them. When the program is run, the
decoding instructions are executed first, which decodes the whole program into
its original form. After that, we must jump to the start of the program and
actually run the original instructions as if the encoding had never happened.</span></li>
<li><span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";"><b>Packing</b>: When packing the executable, we’re basically reducing
the size of the executable as well as encrypting it. When such a program is
run, it must first be decoded in memory and then run.</span></li>
</ul>
</div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">By obfuscating the program with nonstandard encoders/packers, we
can greatly complicate the task of reverse engineering the executable, but in
the end, a persistent reverse engineer will nevertheless be able to bypass that
and get the non-obfuscated version of the executable, which can easily be
reversed.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">Last but not least, we can embed antidebugger code: code included
in the executable that can detect whether the program is
currently being debugged. If that happens, the program terminates itself
prematurely without actually executing the functions that would normally be
executed if it weren’t running under a debugger.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<b><span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">Antidebugging<o:p></o:p></span></b></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">Before discussing how anti-debugging tricks do their magic, we
must first talk about how the debugger is able to debug the program. We know
that we can stop and resume the program with the use of either software or
hardware breakpoints.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">When using software breakpoints, we’re replacing the instruction
on which we’ve set the breakpoint with the INT 3 instruction (at least on the
x86 architecture), which is a special software interrupt. In this case, we’re
passing the value 3 to the instruction INT, which means that we’re generating
the software interrupt 3. This causes the function pointed to by the 3rd vector
in the interrupt address table (IAT) to be executed. I guess we’re all familiar
with the INT 80 interrupt that makes a system call on Linux systems.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">The INT 3 instruction temporarily replaces the current
instruction in a running program. This is also a way for the debugger to know
that a software breakpoint has occurred and the program execution should be
stopped. After that, the debugger replaces the INT 3 instruction with the
original instruction so the program can continue without the loss of
instructions, which can otherwise cause abnormal program behavior.<o:p></o:p></span></div>
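The save/patch/restore cycle described above, as an added example that is not part of the original article: a constructed byte buffer stands in for a code region (the bytes are a hand-assembled x86 stub, an assumption for illustration only), a debugger-style helper plants a 0xCC where the breakpoint goes and restores the saved byte afterwards, and a scan counts INT 3 opcodes in the region, which is the check antidebugger code uses to notice that a software breakpoint has been planted. No real process memory is touched.

```c
/* Added example (not from the original article): a model of how a debugger
 * plants and removes an x86 software breakpoint, run on a constructed byte
 * buffer that stands in for a code region. Everything is plain memory. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define INT3_OPCODE 0xCC  /* one-byte encoding of INT 3 on x86 */

/* A breakpoint remembers where it was set and the byte it overwrote. */
typedef struct {
    size_t offset;
    uint8_t saved;   /* original first byte of the patched instruction */
    int active;
} breakpoint_t;

/* Plant a breakpoint: save the original byte, write 0xCC in its place.
 * Returns 0 on success, -1 if the offset is outside the region. */
static int set_breakpoint(uint8_t *code, size_t len, size_t off, breakpoint_t *bp)
{
    if (off >= len) return -1;
    bp->offset = off;
    bp->saved = code[off];
    bp->active = 1;
    code[off] = INT3_OPCODE;
    return 0;
}

/* On a hit, the debugger puts the original byte back so the instruction
 * executes unchanged once the process is resumed. */
static int clear_breakpoint(uint8_t *code, size_t len, breakpoint_t *bp)
{
    if (!bp->active || bp->offset >= len) return -1;
    code[bp->offset] = bp->saved;
    bp->active = 0;
    return 0;
}

/* The classic self-check: count 0xCC bytes in a region that should contain
 * none. A nonzero count means a software breakpoint has been planted. */
static size_t count_int3(const uint8_t *code, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (code[i] == INT3_OPCODE) n++;
    return n;
}

/* Constructed sample "code": x86 bytes for a tiny function
 * (push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret). Assumed input. */
static const uint8_t SAMPLE_CODE[] = { 0x55, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3 };

/* Walk through set / detect / clear. Returns the number of INT 3 bytes seen
 * while the breakpoint was planted (1), or (size_t)-1 if the restore left
 * the region different from the original. */
size_t demo_breakpoint_cycle(void)
{
    uint8_t code[sizeof SAMPLE_CODE];
    breakpoint_t bp;
    memcpy(code, SAMPLE_CODE, sizeof code);

    set_breakpoint(code, sizeof code, 3, &bp);        /* break on xor eax,eax */
    size_t planted = count_int3(code, sizeof code);   /* 1 while planted */

    clear_breakpoint(code, sizeof code, &bp);
    if (memcmp(code, SAMPLE_CODE, sizeof code) != 0)  /* must be restored exactly */
        return (size_t)-1;
    return planted;
}

int main(void)
{
    printf("INT 3 bytes seen while the breakpoint was planted: %zu\n",
           demo_breakpoint_cycle());
    printf("INT 3 bytes in the untouched region: %zu\n",
           count_int3(SAMPLE_CODE, sizeof SAMPLE_CODE));
    return 0;
}
```

The scan is also why a checksum over a function's bytes is a common protective check: a debugger that plants a software breakpoint changes the bytes, while a hardware breakpoint, as the next paragraph notes, leaves them untouched.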
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">When we use a hardware breakpoint, it’s the processor’s job to
know when the breakpoint has been hit and the program has to be stopped. This
is why the program is not modified when a hardware breakpoint is set.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">When the breakpoint is hit, the program is stopped and we can
safely execute instructions in our favorite debugger. At that point, we can run
instructions step-by-step, either entering into functions or executing a whole
function in one go. If we’re interested in what the function does, we need to enter into
the function; otherwise we can safely ignore the function and step over it.
When stepping through the code, each instruction is executed on its own and
then the program is again stopped, so we’re able to analyze what the
instruction has just done.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";"><br />
When stepping through the code with a debugger, the Trap Flag (TF) in the
EFLAGS register is used. When the TF is enabled, an interrupt is generated
after every executed instruction, so we get the feeling of stepping through the
program instruction by instruction.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<b><span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">IsDebuggerPresent<o:p></o:p></span></b></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">IsDebuggerPresent is a Windows API function, whose prototype we can
see in the picture below:<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-02gqU1oQatdkD176PmpLFTa3_ISSSwFXXeA1LAvBjtq6xhyphenhyphenS3ylqaw641jc2TPkRQq_SkQi8MGjcE5yOAWd2QY3AieMdihjRGfUTfQnkhW9wO24KgZUP59j5-_F1UmzJ02lIxFqcBCnH/s1600/1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Guide to Anti-Debugging - Overview , Techniques and Approaches" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-02gqU1oQatdkD176PmpLFTa3_ISSSwFXXeA1LAvBjtq6xhyphenhyphenS3ylqaw641jc2TPkRQq_SkQi8MGjcE5yOAWd2QY3AieMdihjRGfUTfQnkhW9wO24KgZUP59j5-_F1UmzJ02lIxFqcBCnH/s1600/1.jpg" title="Guide to Anti-Debugging - Overview , Techniques and Approaches" /></a></div>
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">The function doesn’t take any arguments and returns a Boolean
value notifying us whether the program is running under a debugger or not. This
function can be used to trivially detect whether a debugger is being used to
run the program. The function uses the Process Environment Block (PEB) to get
information about whether the user-mode debugger is used.<o:p></o:p></span></div>
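The PEB lookup that IsDebuggerPresent performs, as an added example that is not the article's own code: on Windows the function reads the BeingDebugged byte at offset 2 of the PEB, which is what the MSVC-only branch below does by hand (other Windows compilers fall back to the API call). So that the same check can be run elsewhere, the non-Windows branch parses the TracerPid field of /proc/self/status, the Linux equivalent of that byte. The two status-file snippets are constructed sample input, and the PEB offsets and the /proc layout are assumptions about the platform rather than anything the article states.

```c
/* Added example (not from the original article): the question that
 * IsDebuggerPresent answers, asked two ways. Windows: read PEB.BeingDebugged
 * (MSVC) or call IsDebuggerPresent. Linux: parse TracerPid from
 * /proc/self/status (0 when no ptrace tracer is attached). */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>

#ifdef _WIN32
#include <windows.h>
#ifdef _MSC_VER
#include <intrin.h>
#endif
#endif

/* Parse "TracerPid:<whitespace><number>" out of a /proc/<pid>/status body.
 * Returns the tracer pid, 0 if none is attached, -1 if the field is absent. */
long tracer_pid_from_status(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL) return -1;
    p += strlen("TracerPid:");
    while (*p == ' ' || *p == '\t') p++;
    return strtol(p, NULL, 10);
}

/* 1 if a user-mode debugger/tracer is attached to this process, 0 otherwise. */
int debugger_attached(void)
{
#if defined(_WIN32)
#  if defined(_MSC_VER) && defined(_M_X64)
    /* On x64 the PEB pointer is at GS:[0x60]; BeingDebugged is PEB+2.
     * This is the byte IsDebuggerPresent() returns. */
    const unsigned char *peb = (const unsigned char *)(uintptr_t)__readgsqword(0x60);
    return peb[2] ? 1 : 0;
#  elif defined(_MSC_VER) && defined(_M_IX86)
    /* On x86 the PEB pointer is at FS:[0x30]; BeingDebugged is PEB+2. */
    const unsigned char *peb = (const unsigned char *)(uintptr_t)__readfsdword(0x30);
    return peb[2] ? 1 : 0;
#  else
    return IsDebuggerPresent() ? 1 : 0;
#  endif
#else
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return 0;                 /* no procfs: report no tracer */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) > 0 ? 1 : 0;
#endif
}

/* Constructed sample status-file bodies (assumed input, not captured). */
const char SAMPLE_STATUS_TRACED[] =
    "Name:\tdemo\nState:\tt (tracing stop)\nTracerPid:\t4242\nUid:\t1000\n";
const char SAMPLE_STATUS_FREE[] =
    "Name:\tdemo\nState:\tS (sleeping)\nTracerPid:\t0\nUid:\t1000\n";

int main(void)
{
    printf("sample traced  -> TracerPid %ld\n", tracer_pid_from_status(SAMPLE_STATUS_TRACED));
    printf("sample free    -> TracerPid %ld\n", tracer_pid_from_status(SAMPLE_STATUS_FREE));
    printf("this process   -> debugger attached: %d\n", debugger_attached());
    return 0;
}
```

Running the binary under gdb or strace on Linux, or under a Windows debugger, flips the last line to 1; unlike the API call, the parsed field also tells you which pid is attached, which is useful when investigating an unexpected tracer on a production host.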
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">Let’s create a simple program that prints the number 0 or 1 depending on
whether the debugger is present or not. We can do that by first creating an empty
console project under Visual Studio C++ and then changing the code of the main
cpp file into the following:<o:p></o:p></span></div>
<pre style="font-family: Consolas, monospace; font-size: 10.0pt; line-height: 115%;">
// isdebuggerpresent.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"        /* Visual Studio precompiled header; pulls in tchar.h for _tmain/_TCHAR */
#include &lt;stdio.h&gt;
#include &lt;Windows.h&gt;      /* IsDebuggerPresent() lives in kernel32 */

int _tmain(int argc, _TCHAR* argv[])
{
    int num;

    /* IsDebuggerPresent() reads PEB-&gt;BeingDebugged and returns non-zero
       when a user-mode debugger is attached to this process */
    if (IsDebuggerPresent()) {
        num = 0;           /* debugger attached */
    }
    else {
        num = 1;           /* no debugger */
    }

    printf("Number: %d\n", num);

    /* wait so the console window stays open */
    getchar();

    return 0;
}
</pre>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";"><br /></span>
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">The program prints "Number: 0" if a debugger is present and
"Number: 1" if it is not. Run from inside Visual Studio, it prints 0 because
the Visual Studio debugger is attached to it. This can be seen on the picture
below:<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXXfGRJh3YC3FJlPVq-TLo2Lqp8LODT2wLhI3Bfh52Umf6hzzPVhCEnP_ruPjSROBdvlm3MWGmFsxc3KqF6LqCzEQiA515DOsIGFs8tgz5dnJ9-odjnNT-WjLNGEWfXNZBSBzaNNBYth7O/s1600/2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Guide to Anti-Debugging - Overview , Techniques and Approaches" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXXfGRJh3YC3FJlPVq-TLo2Lqp8LODT2wLhI3Bfh52Umf6hzzPVhCEnP_ruPjSROBdvlm3MWGmFsxc3KqF6LqCzEQiA515DOsIGFs8tgz5dnJ9-odjnNT-WjLNGEWfXNZBSBzaNNBYth7O/s1600/2.jpg" title="Guide to Anti-Debugging - Overview , Techniques and Approaches" /></a></div>
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">Let’s also run the program under OllyDbg to confirm that 0 is
printed there too. Load the executable, run it, and the console shows the
number 0, as on the picture below:<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeTsjg5ot-e_N_V9VrzyPwX_o24eEoSZO-4Zd6ventIWkgpx4aYXNqdH1zjcUc0TuqgwKg4vrO7s53Aw14S6wV9ByN7vIN27ay_iONqeR214XieQLuWlrkUo76yyouqn90_gn85_3vXHC_/s1600/3.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjeTsjg5ot-e_N_V9VrzyPwX_o24eEoSZO-4Zd6ventIWkgpx4aYXNqdH1zjcUc0TuqgwKg4vrO7s53Aw14S6wV9ByN7vIN27ay_iONqeR214XieQLuWlrkUo76yyouqn90_gn85_3vXHC_/s1600/3.jpg" /></a></div>
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">But run the same program directly from cmd.exe and it prints 1.
This can be seen on the picture below:<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg1w1LjlB1hyphenhyphenTGUGfM-6yw8HvBThsqaOifxe5T7GlJhok5HAAfdUFoe5poZRZhYHaJsj8IuWs9hwRthLP-8hiu2BuYjSdmscGL03-L-G1N39iA1goCeCwlHYLCi81x9jni099g9bx4oPjc/s1600/4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Guide to Anti-Debugging - Overview , Techniques and Approaches" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhg1w1LjlB1hyphenhyphenTGUGfM-6yw8HvBThsqaOifxe5T7GlJhok5HAAfdUFoe5poZRZhYHaJsj8IuWs9hwRthLP-8hiu2BuYjSdmscGL03-L-G1N39iA1goCeCwlHYLCi81x9jni099g9bx4oPjc/s1600/4.jpg" title="Guide to Anti-Debugging - Overview , Techniques and Approaches" /></a></div>
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">So the IsDebuggerPresent API call works as expected, but it is
just as easy to detect and bypass, because the call is trivial to find in the
executable and delete or patch out. Open the executable in IDA and look at the
Imports window to see whether the function is imported at all. It is:
IsDebuggerPresent is listed among the imported functions, as we can see on the
picture below:<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsCSBaFPIkOyn4ZOAZzsplpktU-q5LhYRfOZ2BYpRJynvdFkmyOGrMI9ie_3VDXjXNt7hWeybhI0zRZ_jqM4-qOKHWwtgRa_0FFCvoKUlbHYJxLtsp_qISlc26Pl1GIywji9NExt6TttEV/s1600/5.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Guide to Anti-Debugging - Overview , Techniques and Approaches" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsCSBaFPIkOyn4ZOAZzsplpktU-q5LhYRfOZ2BYpRJynvdFkmyOGrMI9ie_3VDXjXNt7hWeybhI0zRZ_jqM4-qOKHWwtgRa_0FFCvoKUlbHYJxLtsp_qISlc26Pl1GIywji9NExt6TttEV/s1600/5.jpg" title="Guide to Anti-Debugging - Overview , Techniques and Approaches" /></a></div>
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">An import of IsDebuggerPresent is a clear indication that the
executable does something different when a debugger is attached. We can also
locate the exact instructions that call it. The IDA graph of the main function,
which is the compiled form of the C++ main function above, is shown on the
picture below:<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOX6o9q58UPGlyRhqVpjpl7bWSbS80Txwuf5RGUD47mDqC6Z7-LLPsyiCyptq0hQ1-yCngVNWgwbTm2U1f0QC4t18oEjLhYzjlkSaSf9Wgz3D6L1grtpTajcX_Ng6i3-8QnceA1znDS4j-/s1600/6.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Guide to Anti-Debugging - Overview , Techniques and Approaches" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOX6o9q58UPGlyRhqVpjpl7bWSbS80Txwuf5RGUD47mDqC6Z7-LLPsyiCyptq0hQ1-yCngVNWgwbTm2U1f0QC4t18oEjLhYzjlkSaSf9Wgz3D6L1grtpTajcX_Ng6i3-8QnceA1znDS4j-/s1600/6.jpg" title="Guide to Anti-Debugging - Overview , Techniques and Approaches" /></a></div>
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">First the stack frame is set up and IsDebuggerPresent is called.
The returned value in eax is then tested against itself (<i>test eax, eax</i>),
which sets the zero flag if eax is 0 and clears it otherwise. When eax is
non-zero (1 in our case) the zero flag is clear, the <i>jz</i> that follows is
not taken, and execution falls into the first block, the one that sets
[ebp+num] to 0. That is exactly what happens now, because we’re running the
program under a debugger; otherwise the jump is taken to the block that sets
[ebp+num] to 1. After that the value of [ebp+num] is moved into eax and printed
with printf.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">If we now set a breakpoint on the call to IsDebuggerPresent and
rerun the program, execution stops right where we want it. Once the breakpoint
is hit we can step into the function to see what it actually does. The picture
below shows the function in question:<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifVr9po9U8K4kq8fs7m8Mm1Fs7awsuZNM3mT_SXxp2kQbOnN3nhNpLnB1RxZqBOApq8k6tWE99fsppZFG2cHpl1n4svNr3VIlkSG3o3gQL4Jz77cyJDTBBtXCo-JrP714-C1TiALSG0QRd/s1600/7.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Guide to Anti-Debugging - Overview , Techniques and Approaches" border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifVr9po9U8K4kq8fs7m8Mm1Fs7awsuZNM3mT_SXxp2kQbOnN3nhNpLnB1RxZqBOApq8k6tWE99fsppZFG2cHpl1n4svNr3VIlkSG3o3gQL4Jz77cyJDTBBtXCo-JrP714-C1TiALSG0QRd/s1600/7.jpg" title="Guide to Anti-Debugging - Overview , Techniques and Approaches" /></a></div>
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">The function is very short: it loads the address of the current
thread’s Thread Information Block (TIB) into eax, reads the pointer stored at
offset 0x30 of the TIB, which is the address of the Process Environment Block
(PEB), and then reads the byte at offset 0x2 of the PEB, the member named
<b>BeingDebugged</b>. That single byte is the return value. We have now seen
exactly what IsDebuggerPresent does and how it does it: a three-instruction
memory read, and one that is just as simple to defeat, either by patching the
call or by clearing the PEB byte it reads.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">We can suspect IsDebuggerPresent is in use when, while reversing
an executable, the program terminates prematurely, takes a different execution
path, or does something else unexpected under the debugger. The first thing to
check is the Imports table. If IsDebuggerPresent is imported, locate the call
sites and either patch the call (for example, replace it with <i>xor eax, eax</i>
so it always reports “no debugger”) or flip the conditional jump that depends on
its result, so the check no longer bothers us while reversing. Alternatively,
set the PEB’s BeingDebugged byte to 0 from the debugger; debugger-hiding
plugins do exactly that.<o:p></o:p></span></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">On the other hand, if we’re developing a program and want the
IsDebuggerPresent check without the tell-tale import, we can copy the
instructions above directly into our code and read the PEB ourselves. The check
then never appears in the Imports table and a reverser has to find it in the
disassembly instead. This is just another trick: it makes debugging slightly
more complicated, but the byte it reads is the same one, and clearing it
defeats the inlined copy exactly as it defeats the API call.<o:p></o:p></span></div>
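<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">As an added example (not code from the original article or from
any debugger project), here is that three-instruction body written out in C so
it can be compiled into our own program, together with the matching
counter-move. The 64-bit locator (gs:[0x60]) is not in the article and comes
from the public PEB layout; the file name, the function names and the
constructed PEB byte buffers are mine:<o:p></o:p></span></div>

```c
/* inline_peb_check.c
 * Added example (not code from the original article): the body of
 * IsDebuggerPresent() re-implemented as a direct PEB read, so the check
 * works without the tell-tale kernel32 import.  The byte-level logic is
 * split out so it can be exercised on a constructed PEB image on any
 * platform; only the locator needs Windows.
 *
 * Offsets (assumed stable; they have been since Windows 2000):
 *   32-bit: fs:[0x30] -> PEB        64-bit: gs:[0x60] -> PEB
 *   PEB+0x02 -> BYTE BeingDebugged (both architectures)
 */
#include <stdint.h>
#include <stdio.h>

#define PEB_BEING_DEBUGGED 0x02   /* offset of BYTE PEB::BeingDebugged */

/* Core of the check: returns 1 if the PEB image says a user-mode debugger
 * is attached, 0 otherwise.  Works on any buffer laid out like a PEB. */
int peb_being_debugged(const uint8_t *peb)
{
    return peb[PEB_BEING_DEBUGGED] != 0;
}

#if defined(_WIN32)
#if defined(_MSC_VER)
#include <intrin.h>
#endif

/* Find the current process's PEB through the TIB, exactly as the
 * disassembly of IsDebuggerPresent above does, minus the import. */
static uint8_t *current_peb(void)
{
    uint8_t *peb;
#if defined(_M_X64) || defined(__x86_64__)
#  if defined(_MSC_VER)
    peb = (uint8_t *)__readgsqword(0x60);
#  else
    __asm__ volatile ("movq %%gs:0x60, %0" : "=r"(peb));
#  endif
#else
#  if defined(_MSC_VER)
    peb = (uint8_t *)__readfsdword(0x30);
#  else
    __asm__ volatile ("movl %%fs:0x30, %0" : "=r"(peb));
#  endif
#endif
    return peb;
}

/* Drop-in replacement for IsDebuggerPresent() with no kernel32 import. */
int inline_is_debugger_present(void)
{
    return peb_being_debugged(current_peb());
}

/* The reverser's answer: the flag is ordinary writable process memory, so
 * clearing it blinds this check and the real IsDebuggerPresent alike.
 * Debugger-hiding plugins do the same write from the outside. */
void clear_being_debugged(void)
{
    current_peb()[PEB_BEING_DEBUGGED] = 0;
}
#endif /* _WIN32 */

/* Constructed PEB images for off-line testing.  Only the first bytes
 * matter: InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged. */
const uint8_t sample_peb_clean[16]    = { 0x00, 0x00, 0x00, 0x00 };
const uint8_t sample_peb_debugged[16] = { 0x00, 0x00, 0x01, 0x00 };

int main(void)
{
    printf("constructed clean PEB    -> %d\n", peb_being_debugged(sample_peb_clean));
    printf("constructed debugged PEB -> %d\n", peb_being_debugged(sample_peb_debugged));
#if defined(_WIN32)
    printf("this process             -> %d\n", inline_is_debugger_present());
    clear_being_debugged();
    printf("after clearing the flag  -> %d\n", inline_is_debugger_present());
#endif
    return 0;
}
```

<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">Build it with cl or gcc on Windows and run it first from cmd.exe
and then under a debugger: the “this process” line flips from 0 to 1, and after
clear_being_debugged() it reads 0 again although the debugger is still
attached, which is exactly why this check, inlined or not, only delays a
reverser. On Linux the Windows-only part is compiled out and only the
constructed buffers are exercised.<o:p></o:p></span></div>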
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<b><span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">Conclusion<o:p></o:p></span></b></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="background: white; line-height: 15.0pt; margin-bottom: 15.0pt;">
<span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">For a deeper understanding of reverse engineering, check out the
</span><a href="http://www.infosecinstitute.com/courses/reverse_engineering_training.html" rel="" target="_blank"><span style="font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">reverse engineering training</span></a><span style="color: #333333; font-family: "PTSansRegular","serif"; font-size: 10.0pt; mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";"> course offered by the InfoSec Institute. In this article we’ve
seen a few techniques that make reverse engineering harder. The easiest to
bypass is symbol elimination, where we strip all the symbols from the
executable; this removes the function names the debugger would otherwise
show, leaving it to the debugger (and the reverser) to name the functions.
Another technique is program obfuscation, which can be as simple as XORing the
whole executable and decoding it at run time, or considerably more involved.
Things get harder still when obfuscation is combined with anti-debugging checks
such as IsDebuggerPresent, which detect that the program is being debugged and
terminate it or change its behaviour, greatly complicating the reverse
engineering of the executable.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
</div>
<div class="blogger-post-footer">Thanks for your readership.
Be a Pro,Visit Prohack.
RD</div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0tag:blogger.com,1999:blog-473620016779402291.post-44596974586407676952013-05-04T00:12:00.000+05:302013-05-04T00:30:13.324+05:30Ultimate Guide to run ASA 8.4 on GNS3 on Ubuntu - No more Qemu errors<div dir="ltr" style="text-align: left;" trbidi="on">
Simulating a Cisco ASA 8.4 on GNS3 on Ubuntu is a pain in the ass: countless QEMU errors, 203 errors, a console that shows no output, and many more hair-pulling, skull-bashing events that *will* make you scratch your head and motivate you to buy an ASA for your personal use.<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZdObYd9lLHMh1MJwRQneDu0ijDkGIxg6yX8zNH_OvoZpVZubMG21_d-_bAdLGhdU36Zp6Mw40Pe5J4daeCoFcCeEBkucirl2NgQCuPpsKDMgPFvvo-9XPfLCRSVRfCqyCdCPsAXiPbVXc/s1600/Cisco+ASA+5500+Series+Adaptive+Security+Appliances+-+theprohack.com+.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZdObYd9lLHMh1MJwRQneDu0ijDkGIxg6yX8zNH_OvoZpVZubMG21_d-_bAdLGhdU36Zp6Mw40Pe5J4daeCoFcCeEBkucirl2NgQCuPpsKDMgPFvvo-9XPfLCRSVRfCqyCdCPsAXiPbVXc/s400/Cisco+ASA+5500+Series+Adaptive+Security+Appliances+-+theprohack.com+.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Yes folks..You will be running this..or a cousin of it.</td></tr>
</tbody></table>
But fear not, weary travelers: if you have reached this point of the web while surfing (read: hunting) for your share of ASA and firewall stuff, you are right at home. Today I will be providing a step-by-step, almost error-free guide to simulating the ASA, and fret not, this has been tested on more than 5 platforms with a zero error rate (and that included machines of different architectures, i386 and x86_64, and different flavors of Fedora/Ubuntu).<br />
<br />
<blockquote class="tr_bq">
NOTE: I love Linux but I hate Ubuntu, for my own personal reasons. I am a Fedora guy and I love Debian, but I hate Ubuntu.<br />
Why didn't I cover this guide for Fedora? Fedora guys will figure out how to do it anyway :P; it's the Ubuntu ones who were facing the most issues (just Google it) and hence I wanted to cover a guide for it. Jokes aside, I intend to cover the subject issue as I faced multiple issues myself.</blockquote>
<br />
Never mind; my machine as of now is an AMD64 E-350 based HP dm1 3210 laptop with 4 GB of RAM. It's a pretty underpowered PC for running GNS3 (compared to the dedicated rigs I have seen; however, I can run IOU and NX-OS Titanium on it and it balances every known equation for me), but it does the job with some tweaking and the result is very satisfactory.<br />
<br />
Coming to the point, you will be needing -<br />
<ol style="text-align: left;">
<li>A laptop/desktop</li>
<li>Any Ubuntu flavor installed (I use BackBox; it's better than BackTrack)</li>
<li>ASA 8.4.x files (initrd and kernel files, if you are reading this article, I know you have them)</li>
<li>Patience.</li>
</ol>
<b>Step 1 - Installing GNS3</b><br />
<br />
This is simple: just type the commands and it will install safely. Make sure you don't have GNS3 installed previously, or you might face some issues. Please note I am setting up GNS3 for my 64-bit OS; it should work for 32-bit laptops too, just make sure you choose the correct version of dynamips from the GNS3 website.<br />
<blockquote class="tr_bq">
rishabh@xi0n:~$ cd /opt<br />
rishabh@xi0n:/opt$ sudo mkdir GNS3<br />
rishabh@xi0n:/opt$ sudo wget http://sourceforge.net/projects/gns-3/files/GNS3/0.8.3.1/GNS3-0.8.3.1-src.tar.gz<br />
rishabh@xi0n:/opt$ sudo tar xzf GNS3-0.8.3.1-src.tar.gz<br />
rishabh@xi0n:/opt$ sudo mv -f GNS3-0.8.3.1-src /opt/GNS3/<br />
rishabh@xi0n:/opt$ sudo chmod 777 GNS3<br />
rishabh@xi0n:/opt$ cd GNS3<br />
rishabh@xi0n:/opt/GNS3$ sudo mkdir Dynamips Images Project Cache tmp<br />
rishabh@xi0n:/opt/GNS3$ sudo chmod 777 Dynamips/ Images/ Project/ Cache/ tmp/<br />
rishabh@xi0n:/opt/GNS3$ cd Dynamips/<br />
rishabh@xi0n:/opt/GNS3/Dynamips$ wget http://sourceforge.net/projects/gns-3/files/Dynamips/0.2.8-RC3-community/dynamips-0.2.8-RC3-community-x86_64.bin<br />
rishabh@xi0n:/opt/GNS3/Dynamips$ chmod +x dynamips-0.2.8-RC3-community-x86_64.bin<br />
rishabh@xi0n:/opt/GNS3/Dynamips$ export PATH=$PATH:/opt/GNS3/GNS3-0.8.3.1-src/</blockquote>
Check that it is installed by opening a terminal window and running <i>gns3</i> (the PATH export above only lasts for the current shell; put it in ~/.bashrc to make it stick). A word on the chmod 777 calls: they make the whole tree world-writable, which is more than GNS3 needs; <i>sudo chown -R $USER /opt/GNS3</i> gives your user the same access without handing it to every other account on the machine. If it went well, proceed to the next step.<br />
<br />
<b>Step 2 - Compiling and Patching QEMU</b><br />
<br />
This is the second most crucial step; do as instructed and by the time you are finished you will have a stable installation of patched QEMU. Make sure NO previous installation of QEMU is installed on your machine, and that the build prerequisites are present (at least build-essential and zlib1g-dev, or configure will stop at the zlib check).<br />
<blockquote class="tr_bq">
rishabh@xi0n:/opt/GNS3$ wget http://download.savannah.gnu.org/releases/qemu/qemu-0.11.0.tar.gz<br />
rishabh@xi0n:/opt/GNS3$ tar xvzf qemu-0.11.0.tar.gz<br />
rishabh@xi0n:/opt/GNS3$ cd qemu-0.11.0<br />
rishabh@xi0n:/opt/GNS3/qemu-0.11.0$ wget -O qemu-0.11.0-olive.patch "http://downloads.sourceforge.net/gns-3/qemu-0.11.0-olive.patch?download"<br />
rishabh@xi0n:/opt/GNS3/qemu-0.11.0$ patch -p1 -i qemu-0.11.0-olive.patch<br />
rishabh@xi0n:/opt/GNS3/qemu-0.11.0$ ./configure --target-list=i386-softmmu<br />
rishabh@xi0n:/opt/GNS3/qemu-0.11.0$ make<br />
rishabh@xi0n:/opt/GNS3/qemu-0.11.0$ sudo make install</blockquote>
Once it's installed, check by running<br />
<blockquote class="tr_bq">
rishabh@xi0n:/opt/GNS3/qemu-0.11.0$ which qemu<br />
/usr/local/bin/qemu</blockquote>
It should display the QEMU path; if not, you screwed up somewhere. Do it again.<br />
<br />
<b>Step 3 - Preliminary Configuration</b><br />
<br />
In the General settings of GNS3 you will find Qemuwrapper already configured; double-check the Qemu and Qemu-img paths there. They should match the output of <i>which qemu</i> above (/usr/local/bin/qemu and /usr/local/bin/qemu-img, both installed by <i>make install</i>), or the copies you placed in the GNS3 folder, if you did that.<br />
<br />
Also, set the ASA options as follows:<br />
<blockquote class="tr_bq">
Qemu Options:<br />
-vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32<br />
Kernel cmd line:<br />
ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536</blockquote>
Note that the Kernel cmd line field takes only the kernel parameters: qemuwrapper adds the <i>-append</i> flag itself, so typing <i>-append</i> into the field produces the doubled "-append -append" visible in the ps output further down. The kernel treats the stray word as an unknown parameter and still boots, but it's cleaner to leave it out. Browse to the initrd and kernel images of the ASA, set the memory to 1024, and once done, save it.<br />
<br />
Make sure your configuration looks like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR7yrwNB5ZZ4lU5rbwRIioNPsT6iaJ80CyUAl4G1dYyQuGEHHTqSAHLP4XUhD37EDyAU_krJzoKSU0etJeSatLjizvOFLOIQ00Axq0rY5HzNsXpf1MiwUNVbJoGfm-0I4ViKfPeDUvi6-e/s1600/GNS+3+QEMU+configuration+-+ASA+on+GNS3+-+TheProhack.com+2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhR7yrwNB5ZZ4lU5rbwRIioNPsT6iaJ80CyUAl4G1dYyQuGEHHTqSAHLP4XUhD37EDyAU_krJzoKSU0etJeSatLjizvOFLOIQ00Axq0rY5HzNsXpf1MiwUNVbJoGfm-0I4ViKfPeDUvi6-e/s1600/GNS+3+QEMU+configuration+-+ASA+on+GNS3+-+TheProhack.com+2.jpg" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKEkNYmmSe6R_CVjEESr1TpPHAjonzePB4owsebprQ6AWwA8VJzGre9hF64TQsnhXXoVL0GPje_9p7TPPTDntvEUHLiE5vuBGr9ZYviqrsjV3mjinNmKvJe1tZiMG7NQYe1qAqovKm2diq/s1600/GNS+3+QEMU+configuration+-+ASA+on+GNS3+-+TheProhack.com.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKEkNYmmSe6R_CVjEESr1TpPHAjonzePB4owsebprQ6AWwA8VJzGre9hF64TQsnhXXoVL0GPje_9p7TPPTDntvEUHLiE5vuBGr9ZYviqrsjV3mjinNmKvJe1tZiMG7NQYe1qAqovKm2diq/s1600/GNS+3+QEMU+configuration+-+ASA+on+GNS3+-+TheProhack.com.jpg" /></a></div>
<br />
<br />
When done, it's execution time, folks :)<br />
<br />
<b>Step 4 - Running it.</b><br />
<br />
Well, it will look like this.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIFIERCLV4ZGEAubpEMQi1QQD6QXj4cIPGT8LS2HXBPl6faC81xreZBmMDchhSDH0BeRRQiiY1ZNj7sRxap1X2iy3YtzKh_y-4zdbAZtvg5C0CzcgdDN6qeT5SFzBNlFIF9AdCniVMqZg3/s1600/Running+ASA+on+GNS3+-+TheProhack.com+.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIFIERCLV4ZGEAubpEMQi1QQD6QXj4cIPGT8LS2HXBPl6faC81xreZBmMDchhSDH0BeRRQiiY1ZNj7sRxap1X2iy3YtzKh_y-4zdbAZtvg5C0CzcgdDN6qeT5SFzBNlFIF9AdCniVMqZg3/s1600/Running+ASA+on+GNS3+-+TheProhack.com+.jpg" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4vHL8SWCMcGj04z6DQBvjPoruTVx16ELIef2teohkTiGTlKQiRUWl0L4ppbceqCZHhg-8lMkYSHm23hIUACQ4Bqtn2Aa4BCCIzYLKwwvLs3hUwVUjEetWnTE7ZH3oeUTBO1QW8MFmKeJB/s1600/Console+output+of+ASA+running+on+GNS3+-+TheProhack.com+.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4vHL8SWCMcGj04z6DQBvjPoruTVx16ELIef2teohkTiGTlKQiRUWl0L4ppbceqCZHhg-8lMkYSHm23hIUACQ4Bqtn2Aa4BCCIzYLKwwvLs3hUwVUjEetWnTE7ZH3oeUTBO1QW8MFmKeJB/s1600/Console+output+of+ASA+running+on+GNS3+-+TheProhack.com+.jpg" /></a></div>
<br />
You can also check the ps output for Qemu (quick and dirty output here, nothing flashy)<br />
<blockquote class="tr_bq">
rishabh@xi0n:/opt/GNS3$ ps ax | grep 'qemu'<br />
7094 pts/0 Sl+ 0:00 /usr/bin/python /opt/GNS3/GNS3-0.8.3.1-src/qemuwrapper/qemuwrapper.py --listen 127.0.0.1 --port 10525 --no-path-check<br />
7101 pts/0 SN+ 0:00 /bin/sh -c /usr/local/bin/qemu -name ASA1 -m 1024 -hda "/tmp/ASA1/FLASH" -kernel "/home/rishabh/Documents/asa842-vmlinuz" -initrd "/home/rishabh/Documents/asa842-initrd" -append "-append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536" -net nic,vlan=0,macaddr=00:00:ab:40:a4:00,model=e1000 -net nic,vlan=1,macaddr=00:00:ab:8d:12:01,model=e1000 -net nic,vlan=2,macaddr=00:00:ab:f0:c0:02,model=e1000 -serial telnet:127.0.0.1:3001,server,nowait -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32<br />
7102 pts/0 R+ 0:19 /usr/local/bin/qemu -name ASA1 -m 1024 -hda /tmp/ASA1/FLASH -kernel /home/rishabh/Documents/asa842-vmlinuz -initrd /home/rishabh/Documents/asa842-initrd -append -append ide_generic.probe_mask=0x01 ide_core.chs=0.0:980,16,32 auto nousb console=ttyS0,9600 bigphysarea=65536 -net nic,vlan=0,macaddr=00:00:ab:40:a4:00,model=e1000 -net nic,vlan=1,macaddr=00:00:ab:8d:12:01,model=e1000 -net nic,vlan=2,macaddr=00:00:ab:f0:c0:02,model=e1000 -serial telnet:127.0.0.1:3001,server,nowait -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32<br />
7175 pts/1 S+ 0:00 grep --color=auto qemu</blockquote>
Once you are up and running, it's time to grab a can of Red Bull (or beer if you prefer) and get a pat on your back. Good work, soldier :)<br />
<br />
<b>Miscellaneous errors which you *just might* encounter, and how to deal with them.</b><br />
<br />
If you followed my steps, I don't think you will encounter any errors, but for the sake of completeness I am including the most basic errors you might get.<br />
<br />
<b><i>"qemuwrapper path doesn't exist"</i></b><br />
This one is a classic. With a proper GNS3 0.8.3.x installation you will *not* encounter it. If you are running a classic 0.7.x build, God save you. Even if you have 0.8.3.x &amp; still get this error, find qemuwrapper (it will be in one of the GNS3 source folders), select it and save. Error gone. Make sure the permissions are correct.<br />
<br />
<b><i>"203-Bad number of parameters (5 with min/max=6/6)"</i></b><br />
Upgrade GNS3 from 0.7.x to 0.8.3; if you are following this guide, you should not get this error.<br />
<br />
<b><i> "You are running an old and unpatched version of qemu"</i></b><br />
Now here things get interesting. In one case I installed Qemu before installing GNS3 and got this error quite frequently. I uninstalled Qemu, cleared my /tmp, and then installed GNS3 first and installed Qemu only after configuring GNS3 fully (except the Qemu part, that is). Did a sudo make install for Qemu and restarted my laptop. Please note I am using Qemu 0.11.<br />
Ran GNS3 and tada..<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXUm5rGXP3LkOx1bBxTwoNWWWDYwJk_BbLmBBTAWfVBIdcXeh9CyqFDY9JlgJAiw8CXYiLKdkj9Fq8rYOT0Rw9PDXUhJ7JSy01wp8p7uJTPOkzghQFNfXpl62ivPQOHxDslaPm5f-PL74Z/s1600/GNS+3+QEMU+configuration+-+Qemu+version+is+correct+-+theprohack.com.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXUm5rGXP3LkOx1bBxTwoNWWWDYwJk_BbLmBBTAWfVBIdcXeh9CyqFDY9JlgJAiw8CXYiLKdkj9Fq8rYOT0Rw9PDXUhJ7JSy01wp8p7uJTPOkzghQFNfXpl62ivPQOHxDslaPm5f-PL74Z/s1600/GNS+3+QEMU+configuration+-+Qemu+version+is+correct+-+theprohack.com.jpg" /></a></div>
<br />
<br />
This error will be rectified.<br />
<br />
<b><i> "You must use 'manual mode' to connect a link with a xyz module"</i></b><br />
Simple as hell: use manual mode. Duh.<br />
<br />
<b><i> "QEMU boots but no ASA boot output on console"</i></b><br />
Use the correct QEMU binary, not Qemu_i386 / Qemu_x86_64. Use only the correctly patched Qemu 0.11 binary in GNS3, as specified earlier.<br />
<br />
In all cases, the errors you hit will be some permutation or combination of the ones mentioned. Well, that summarizes my post on running ASA; I hope it helps you.<br />
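As an added example (written for this edit, not code from the post or from the GNS3 project), here is a small POSIX sh preflight script that checks the things the errors listed above come down to: the Qemu version banner, the qemuwrapper path, and whether the real qemu process for the ASA is up with the expected console port, RAM, kernel and initrd. The binary and wrapper paths, the /home/lab/ image paths and the sample <i>ps ax</i> output embedded in it are constructed assumptions modelled on the output quoted earlier, so the parsing functions run offline; <i>asa_preflight --run</i> applies them to the live system.<br />

```shell
#!/bin/sh
# Added preflight / troubleshooting helper for an ASA-on-GNS3 lab.
# Not the post's or the GNS3 project's code. Paths (/opt/GNS3, /usr/local/bin/qemu,
# /home/lab/...) and the sample ps output are assumptions modelled on the post.

# Constructed `ps ax | grep qemu` output (arguments shortened), used for offline checks.
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
 7094 pts/0    Sl+    0:00 /usr/bin/python /opt/GNS3/GNS3-0.8.3.1-src/qemuwrapper/qemuwrapper.py --listen 127.0.0.1 --port 10525 --no-path-check
 7101 pts/0    SN+    0:00 /bin/sh -c /usr/local/bin/qemu -name ASA1 -m 1024 -hda "/tmp/ASA1/FLASH" -kernel "/home/lab/asa842-vmlinuz" -initrd "/home/lab/asa842-initrd" -serial telnet:127.0.0.1:3001,server,nowait -vnc none -vga none
 7102 pts/0    R+     0:19 /usr/local/bin/qemu -name ASA1 -m 1024 -hda /tmp/ASA1/FLASH -kernel /home/lab/asa842-vmlinuz -initrd /home/lab/asa842-initrd -serial telnet:127.0.0.1:3001,server,nowait -vnc none -vga none -m 1024 -icount auto -hdachs 980,16,32
 7175 pts/1    S+     0:00 grep --color=auto qemu'

# The real qemu process is the one whose command (5th ps field) is the binary itself,
# not the "/bin/sh -c" wrapper started by qemuwrapper and not the grep. Prints the count.
asa_process_count() {
    printf '%s\n' "$1" | awk '$5 == "/usr/local/bin/qemu" { n++ } END { print n + 0 }'
}

# Prints the full command line of the first real qemu process (empty if none is running).
asa_qemu_cmdline() {
    printf '%s\n' "$1" | awk '$5 == "/usr/local/bin/qemu" { $1=$2=$3=$4=""; sub(/^ +/, ""); print; exit }'
}

# "You are running an old and unpatched version of qemu": GNS3 0.8.3 wants the patched
# 0.11 build. Returns 0 when a `qemu --version` banner names a 0.11.x release.
qemu_version_ok() {
    printf '%s\n' "$1" | grep -Eq '(^|[^0-9.])0\.11(\.[0-9]+)?([^0-9]|$)'
}

# "qemuwrapper path doesn't exist": the path GNS3 points at must be a readable file.
qemuwrapper_ok() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Telnet console port from "-serial telnet:HOST:PORT,...": where the ASA boot output appears.
asa_console_port() {
    printf '%s\n' "$1" | sed -n 's/.*-serial telnet:[^:]*:\([0-9][0-9]*\),.*/\1/p'
}

# Guest RAM in MB from the (last) "-m" flag; this guide runs the ASA with 1024 MB.
asa_memory_mb() {
    printf '%s\n' "$1" | sed -n 's/.*-m \([0-9][0-9]*\).*/\1/p'
}

# "QEMU boots but no ASA boot output on console": the kernel and initrd named on the
# command line must exist and be readable, otherwise qemu starts but nothing boots.
asa_boot_files_ok() {
    kernel=$(printf '%s\n' "$1" | sed -n 's/.*-kernel \([^ ]*\).*/\1/p')
    initrd=$(printf '%s\n' "$1" | sed -n 's/.*-initrd \([^ ]*\).*/\1/p')
    [ -n "$kernel" ] && [ -n "$initrd" ] && [ -r "$kernel" ] && [ -r "$initrd" ]
}

# Run every check against the live system. Args: qemu binary, qemuwrapper path (both assumed).
asa_preflight() {
    qemu_bin=${1:-/usr/local/bin/qemu}
    wrapper=${2:-/opt/GNS3/GNS3-0.8.3.1-src/qemuwrapper/qemuwrapper.py}
    status=0
    if qemu_version_ok "$("$qemu_bin" --version 2>/dev/null)"; then echo "ok   qemu 0.11.x at $qemu_bin"
    else echo "FAIL qemu version at $qemu_bin (expect patched 0.11)"; status=1; fi
    if qemuwrapper_ok "$wrapper"; then echo "ok   qemuwrapper at $wrapper"
    else echo "FAIL qemuwrapper path $wrapper"; status=1; fi
    ps_out=$(ps ax)
    if [ "$(asa_process_count "$ps_out")" -ge 1 ]; then
        cmd=$(asa_qemu_cmdline "$ps_out")
        echo "ok   ASA qemu running: console telnet port $(asa_console_port "$cmd"), RAM $(asa_memory_mb "$cmd") MB"
        asa_boot_files_ok "$cmd" || { echo "FAIL kernel/initrd on the qemu command line are missing"; status=1; }
    else
        echo "FAIL no qemu process found (is the device started in GNS3?)"; status=1
    fi
    return $status
}

if [ "${1:-}" = "--run" ]; then asa_preflight; fi
```

Run it as <i>sh asa_preflight.sh --run</i> on the GNS3 host; a non-zero exit means one of the checks above failed and the matching error entry is the place to look.<br />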
<br />
Rishabh Dangwal<br />
<div>
<br /></div>
</div>
<div class="blogger-post-footer">Thanks for your readership.
Be a Pro,Visit Prohack.
RD</div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0tag:blogger.com,1999:blog-473620016779402291.post-1343880305367934722013-03-29T23:36:00.001+05:302013-03-29T23:36:24.422+05:30Hack Windows using winAUTOPWN 3.4 –Completing 4 years of windows hacking<p>winAUTOPWN has been an old favourite to automate <a title="Read more windows articles at Prohack" href="http://www.theprohack.com/search/label/Windows%20tricks" target="_blank"><strong>windows</strong></a> hacking and vulnerability testing.  The project is the brainchild of Azim Poonawala of [C4]<em>Closed Circuit Corporate Clandestine</em> and saw its first release in 2009. Fast forward to 4 years; it has matured into a good exploitation framework with a plethora of options. As the Author states about it  - </p> <blockquote> <p><em>Autohack your targets - even if you have consumed and holding a bottle of 'ABSOLUT' in one hand and absolute ease (winAUTOPWN) in the other.</em></p> </blockquote> <p>In layman terms, winAUTOPWN is a unique exploit framework which helps in <a title="Shell Packs & Other Tools" href="http://www.theprohack.com/2008/12/shell-packs-other-tools.html" target="_blank"><strong>gaining shell access</strong></a> and pwning (<em>aka exploiting vulnerabilities</em>) to conduct Remote Command Execution, Remote File/Shell Upload, <a title="A simple tutorial on Remote File Inclusion (RFI)" href="http://www.theprohack.com/2010/07/simple-tutorial-on-remote-file.html" target="_blank"><strong>Remote File Inclusion</strong></a> and <a title="Learn Web hacking using DVWA" href="http://www.theprohack.com/2009/09/learn-web-hacking-using-dvwa.html" target="_blank"><strong>other Web-Application attacks</strong></a>. 
As a cherry on top, it can also run multiple types of <a title="Understanding DDOS Mitigation" href="http://www.theprohack.com/2012/06/understanding-ddos-mitigation.html" target="_blank"><strong>Denial of Service attacks on targets</strong></a>, and it can be used to test the effectiveness of IDS/IPS and other monitoring sensors/software.<img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: inline; border-top: 0px; border-right: 0px; padding-top: 0px" title="Hack Windows using winAUTOPWN 3.4 –Completing 4 years of autopwnage" border="0" alt="Hack Windows using winAUTOPWN 3.4 –Completing 4 years of autopwnage" src="http://lh5.ggpht.com/-k8tFU9xjnDA/UVXYHur1e_I/AAAAAAAACHM/5vi35ms_b1I/Image.jpg?imgmax=800" width="204" height="193" /></p> <p>You can - </p> <ul> <li>Download winAUTOPWN from <a title="Download winAUTOPWN" href="http://winautopwn.co.nr/" rel="nofollow" target="_blank"><strong>here</strong></a> / <a title="Download winAUTOPWN from here" href="http://www.c-4.in/winautopwn" target="_blank"><strong>mirror</strong></a></li> <li>Read its documentation from <a title="Read winAUTOPWN documentation" href="http://resources.infosecinstitute.com/vulnerability-testing-winautopwn/" rel="nofollow" target="_blank"><strong>here</strong></a></li> </ul> <div class="blogger-post-footer">Thanks for your readership.
Be a Pro,Visit Prohack.
RD</div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0tag:blogger.com,1999:blog-473620016779402291.post-54581727945814050442013-03-29T02:48:00.000+05:302016-03-06T18:35:08.918+05:30An open letter to Pramit Jhaveri - Citibank India - No Resolution, Customer care sucks & they lie, a lot.<div dir="ltr" style="text-align: left;" trbidi="on">
Dear Mr Pramit Jhaveri ,<br />
<br />
Last October an incident happened with me. On a fuzzy evening I went to the nearest ATM near my home, a Deutsche Bank ATM, where I handed my card to my cousin, who went inside the ATM to take out money while I was on a concall with my office, guiding some poor chap who required my help. Since you can't enter an ATM while talking on the phone, I remained outside.<br />
<br />
Turns out that there was no guard / money at the ATM; the machine gave an error after the PIN was entered and never dispensed the money. Also, there was one more guy who had the same experience.<br />
<br />
Well, I finished the call, put my phone in my pocket &amp; strolled to the nearby Axis Bank ATM, where we withdrew 1000/- INR and went home. Turns out some nasty surprises were waiting for me. I got a message from Citibank that 10K had been withdrawn from my account; flabbergasted, I reported the incident to Citi on 7th October.<br />
<br />
What happened next? Ah well, to cut a long story short -<br />
<br />
<ol style="text-align: left;">
<li>Citi reversed my money in 2 days (that was fast) &amp; said they were investigating the issue.</li>
<li>Then they said the transaction was valid &amp; reversed it again.</li>
<li>I disputed &amp; said show me the CCTV footage -&gt; no response.</li>
<li>Called their Citiphone officers (sic) multiple times &amp; they said to check with Deutsche Bank; I asked why they were not taking end-to-end responsibility, and they said it's out of their scope.</li>
<li>Then I checked with Deutsche Bank and they said they would not entertain my request for CCTV footage.</li>
<li>A Citiphone officer advised me to lodge an FIR &amp; I duly obliged.</li>
<li>Dec 2013 - Citi reverses the money again &amp; as per Simmy Sebastian (Citi escalation executive) on email, money is debited to my account &amp; the investigation continues.</li>
<li>5 months later (28 March 2014) Citi reverses the money again :D with NO CONCLUSIVE INVESTIGATION &amp; charged an overdraft of 3899/-.</li>
</ol>
<br />
<b>Well Done Citi..</b><br />
<br />
Now this pissed me off. I had just survived humiliation paying a bill because I thought there was money in my account when there was not. After fighting for 38 minutes (at dead of night) with the Citi IVR and their agent Chirag, I finally wrote an email to you, the acting Citibank CEO/hotshots, describing the whole affair.<br />
<br />
Here is the full email (which I expect you should have gone through by now; if not, then my faith is dwindling) -<br />
<br />
(I have redacted my email address from all of the following email communication)<br />
<div class="gmail_default" style="background-color: white; color: #222222; display: inline; font-family: 'trebuchet ms', sans-serif; font-size: small;">
</div>
<blockquote class="tr_bq" style="margin: 0.5pt 0in;">
<span style="background-color: white; color: #222222; font-family: "arial"; font-size: x-small;">---------- Forwarded message ----------</span><span style="background-color: white; color: #222222; font-family: "arial"; font-size: x-small;">From: </span><b class="gmail_sendername" style="background-color: white; color: #222222; font-family: arial; font-size: small;">Rishabh Dangwal</b><span style="background-color: white; color: #222222; font-family: "arial"; font-size: x-small;"> </span><span dir="ltr" style="background-color: white; color: #222222; font-family: "arial"; font-size: x-small;"><XXXXXXX@gmail.com></span><span style="background-color: white; color: #222222; font-family: "arial"; font-size: x-small;">Date: Sat, Mar 29, 2014 at 2:06 AM</span><span style="background-color: white; color: #222222; font-family: "arial"; font-size: x-small;">Subject: Attention !! // 020-486-450 // New Ref# SDN14026864 // Citi Transaction & Customer Service Failure at Grassroot level // WORST SERVICE & FEEDBACK.</span><span style="background-color: white; color: #222222; font-family: "arial"; font-size: x-small;">To: "india.branchbanking.head@citi.com" <india.branchbanking.head@citi.com>, india.consumerbanking.head@citi.com, india.ceo@citi.com, india.operations.head@citi.com, Executive Response <executiveresponsedesk@citi.com>, "head.customercare@citi.com" <head.customercare@citi.com>, vikram.saras@citi.com</span><span style="background-color: white; color: #222222; font-family: "arial"; font-size: x-small;">Cc: "retail.dox.india@citi.com" <retail.dox.india@citi.com>, "nishashriram@citi.com" <nishashriram@citi.com>, r.singh@citi.com, rakesh.singh@citi.com, collection.external.ombudsman@citi.com, Rishabh Dangwal <admin@theprohack.com></span><br />
<br style="background-color: white; color: #222222; font-family: arial; font-size: small;" />
<b><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">Mr Pramit / Mr Ashish / Mr Anand / Mr Vikram,</span></b><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"><br /></span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">Gentlemen,</span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"><br /></span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">Let me bring incident 020-486-450 (New ref# </span><span style="font-family: "lucida sans unicode" , sans-serif;"><b>SDN14026864 </b>)</span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"> to your attention where Citibank has shamelessly ripped off all the rules of customer service. </span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">We all hate typing emails at 2 AM at night, ain't it ?</span><br />
<span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"><b>Short Summary</b> : </span><br />
<ol>
<li><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">On 7th October 2013 , a mis-transaction of 10000/- was done on my Debit Card at Deutsche Bank ATM for which </span><span style="color: red; font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"><b>Citi was *UNABLE* to provide any conclusive feedback for 5 straight months</b>. </span></li>
</ol>
<ol>
<li><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">I was provided an immediate credit &</span><b style="font-family: 'Lucida Sans Unicode', sans-serif; font-size: 13px;"> <span style="color: red;">it was agreed on email with Simmy Sebastian (Email attached) that Citi will provide me CCTV footage of ATM as an evidence before reversing any credit</span></b><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">. </span></li>
</ol>
<ol>
<li><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">As discussed with *countless* Citiphone Officers (sic) they recommended to get in touch with Deutsche Bank (which I did) , </span><b style="font-family: 'Lucida Sans Unicode', sans-serif; font-size: 13px;"><u><span style="color: red;">raise FIR with police</span></u></b><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"> (which I did, again) but everything went futile & </span><b style="font-family: 'Lucida Sans Unicode', sans-serif; font-size: 13px;"><span style="color: red;">today (28 March 2014), Citi has reversed the transaction *WITHOUT INFORMING ME IN ANY FORMAL MANNER* & *WITHOUT PROVIDING ME CCTV FOOTAGE OF THE TIME OF INCIDENT*, & even penalized an overdraft of 3899/- .</span></b></li>
</ol>
<span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"><br /></span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"><b>Now points of concern are -</b></span><br />
<ul>
<li><span style="font-family: "lucida sans unicode" , sans-serif;"><b>Citi *NEVER* informed me that they are closing investigation at their end and reversing credit, I barely survived humiliation </b>when I thought I had money in my bank account when there was none, thanks to Citi as transaction was reversed.</span></li>
</ul>
<ul>
<li><span style="font-family: "lucida sans unicode" , sans-serif;">FIR has been raised with police, CCTV Footage acts as an evidence in this regard. Citi didnt provided it & concluded it, then <b>shall I sue Citi for causing hindrance</b></span><span style="font-family: "lucida sans unicode" , sans-serif;"><b> in <wbr></wbr>investigation</b></span><span style="font-family: "lucida sans unicode" , sans-serif;"> ?</span></li>
</ul>
<ul>
<li><b><span style="font-family: "lucida sans unicode" , sans-serif;">Citi failed to provide me the CCTV Footage & failed to meet the commitments & left me in a dire financial situation without explanation & <wbr></wbr>information.</span></b></li>
</ul>
<ul>
<li><span style="font-family: "lucida sans unicode" , sans-serif;"><b>One sided followups were being done with NO PROACTIVE UPDATES on this matter.</b></span></li>
</ul>
<span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"><br /></span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">I will be escalating the matter to RBI Ombudsman for failure of Citi to provide a conclusive feedback & failing at all echelons of customer service, its a huge disappointment at all grounds. <b>I should infact also inform my colleagues at Orange Business Services (France Telecom) to migrate their accounts , its bad PR & its well justified if you ask me.</b></span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"><br /></span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">Right now, I had a word with Chirag Jain (Citiphone officer) at dead of night & in a 38 minute call I was unable to get to a senior person who can take responsibility & can be accounted for some justified action . </span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"><br /></span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">Infact I am so frustrated with onesided followups that once its solved, I would close my account with Citi & encourage my finance head at Orange Business Services to do the same, somehow I believe from this incident that how broken is the customer service at a world renowned bank like Citi.</span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"><br /></span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"><b>PS : I know you all might be busy, so I have finally decided to blog about it at Prohack (<a href="http://www.theprohack.com/" style="color: #1155cc;" target="_blank">www.theprohack.com</a>) where I can make note of the progress which Citi makes once an issue is reported to head honchos of a company. If this doesn't works out right now, I would then know if I can trust Citi again or not. </b></span><br />
<span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">I am attaching all the relevant documents of </span><br />
<ol>
<li><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">Followups done with Citi</span></li>
</ol>
<ol>
<li><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">Agreement done with Citi wrt CCTV footage</span></li>
</ol>
<ol>
<li><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">FIR</span></li>
</ol>
<ol>
<li><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">Followup with Deutsche Bank </span></li>
</ol>
<span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">as a proof and testament of my words, lets see if Citi can finally provide me resolution.</span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"><br /></span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">I still want to believe & hope Citi stands for its customer values, r</span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">equesting your urgent attention & complete cooperation in sorting this matter out.</span><br />
<span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">Best Regards,</span><span style="font-family: "arial";"> ,</span><span lang="FR" style="font-family: "lucida sans unicode" , sans-serif; font-size: 10pt;"></span><br />
<hr align="center" size="2" width="100%" />
<span lang="FR" style="font-family: "lucida sans unicode" , sans-serif; font-size: 10pt;">
</span><span style="font-size: 10pt;"><br /></span><b><span style="color: #1f497d; font-family: "lucida sans unicode" , sans-serif; font-size: 10pt;">Rishabh Dangwal</span></b><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">Network Security Specialist </span><br />
<div style="display: inline; font-family: 'trebuchet ms', sans-serif;">
<span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">,</span></div>
<span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">
</span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">Orange Business Services (France Telecom)</span><b><span style="color: #ff6600; font-family: "lucida sans unicode" , sans-serif; font-size: 8pt;">RHCE | CCNA | ITIL | CEH</span></b><span style="color: navy; font-family: "lucida sans unicode" , sans-serif; font-size: 8pt;">Website: </span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 8pt;"><a href="http://www.theprohack.com/" style="color: #1155cc;" target="_blank">www.ThePROHACK.com</a> , <a href="http://www.rish.co.in/" style="color: #1155cc;" target="_blank">www.RISH.co.in</a></span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 8pt;"> </span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 8pt;">"Quis Custodiet Ipsos Custodes ?''</span></blockquote>
<div dir="ltr" style="background-color: white; color: #222222; font-family: arial; font-size: small;">
<div style="font-family: 'trebuchet ms', sans-serif;">
</div>
<div>
<div dir="ltr">
<div style="margin: 0.5pt 0in;">
<b><span style="color: #ff6600; font-family: "lucida sans unicode" , sans-serif; font-size: 8pt;"></span></b></div>
</div>
</div>
</div>
<div style="background-color: white; color: #222222; font-family: arial, sans-serif; font-size: 13px;">
<div dir="ltr">
<div style="margin: 0.5pt 0in;">
<span style="font-family: "lucida sans unicode" , sans-serif; font-size: 8pt;"><br /></span></div>
</div>
</div>
<br />
Trust me, if this isn't sorted out now, then I would recommend NEVER opening an account with Citi, since if a CEO can't sort a mess out, then of course customer service is no good.<br />
Moreover, it's a huge failure in customer service that a guy is forced to address his concerns to the CEO of Citi because the lower rungs of service and escalation fail to provide *any viable resolution*.<br />
<br />
The best part Mr Pramit ?<br />
Well, that ATM closed down, &amp; I pointed out to Simmy/lots of other Citiphone folks that at most 2 months of video is stored on the ATM CCTV hard drive, and if you don't act fast, *YOU WILL NEVER BE ABLE TO GET THE CCTV FOOTAGE*. Turns out they do not have any and are now bullying me by keeping me in the dark.<br />
<br />
Well Mr Pramit, if Citi can charge me to withdraw money from any other ATM, then I expect some service from Citi that safeguards my interests. It makes me shudder how one-sided this whole affair has been, if only you had an idea: a complete failure at all echelons. Citi should provide me the CCTV footage, since it's a criminal case, &amp; stop taking independent conclusive actions without informing the customer. It's a breach of customer trust and an epic fail in code of conduct.<br />
<br />
I still believe you guys have sensible online services, but customer service is one area in which Citibank India fails spectacularly.<br />
<br />
I hope something can be done on it? Ain't it? No one wants to type an email at 2 AM at night and blog at 2:40 AM about his horrible experience. If Citi wants that, then no thanks, I will close my account as soon as it's sorted and will encourage my colleagues to do the same.<br />
What a waste..<br />
<br />
Rant aside..<br />
<br />
I do hope something can be done in this regard. Wave your magic wand sire, I will be waiting for some concrete action..<br />
<br />
Best Regards<br />
<br />
Rishabh Dangwal<br />
<br />
<b><br /></b>
<b>Update 29 March 2014 12:07 PM IST :</b><br />
<div>
One long time blog reader &amp; friend suggested getting it reported to RBI. Duly acknowledged; a complaint has been raised with RBI.</div>
<b><br /></b>
<b>Update 29 March 2014 04:05 PM IST :</b><br />
Had a word with Citi CCE Navneet/S Mahesh, who confirmed that they will have some response by Friday 4 April 7 PM IST. Also asked whether the overdraft will be reversed and the money credited back to my account; he was affirmative. Mahesh confirmed that he will have some update on CCTV and promised a call back by 31 March NBH. Provided this blogpost URL as a timeline of the incident.<br />
<br />
<b>Update 29 March 2014 04:50 PM IST :</b><br />
Consumer complaint <span style="background-color: white; font-family: "geneva" , "arial" , "helvetica" , sans-serif; font-size: 13px;">82619.1.2014 lodged against Citi Bank .</span><br />
<span style="background-color: white; font-family: "geneva" , "arial" , "helvetica" , sans-serif; font-size: 13px;"><br /></span>
<b>Update 30 March 2014 08:25 PM IST :</b><br />
A 47 minute call was finished with the Citi helpdesk, with approximately 20 minutes on hold, excluding 2 minutes of fighting with the IVR.<br />
After 5 tries by Merin (Citi service desk), her manager Manisha Sitaram (on duty floor manager) came on the call.<br />
<br />
<ul style="text-align: left;">
<li>Asked her about the status of the investigation -&gt; she was clueless.</li>
<li>Asked her why a callback was not arranged -&gt; she was clueless.</li>
<li>Asked her what the heck Chirag Jain (on duty floor manager) &amp; S Mahesh (on duty floor manager) were doing -&gt; they were on leave / not available.</li>
</ul>
<br />
Asked her to make note of 5 questions -<br />
<br />
<ol style="text-align: left;">
<li>Why Citibank did not provide me CCTV footage &amp; why the transaction was reversed.</li>
<li>Why Citibank reversed the transaction &amp; did not intimate me, although it was agreed with Simmy Sebastian (Citi Executive response desk, Mumbai) that he would check &amp; update regarding CCTV footage.</li>
<li>Why is this incident being dragged on for 5 months.</li>
<li>What is the status of followups being done for CCTV footage with Deutsche Bank.</li>
<li>Will Citibank credit the money back (along with the overdraft), since they have not provided any CCTV footage &amp; have no right to do it.</li>
</ol>
<br />
<div>
Provided her the URL of this blogpost, details of Simmy Sebastian and the current executive incident owner Laxmiprabha Kotian at Citi's end, &amp; asked her to arrange a call back by 31st March 5 PM IST during NBH.</div>
<div>
<br /></div>
<div>
Let's see how Citi takes this incident up.<br />
<b><br /></b>
<b><br /></b>
<b>Update 30 March 2014 08:50 PM IST :</b><br />
Shot an email to Citi again since they failed to acknowledge anything.<br />
<blockquote style="margin: 0.5pt 0in;">
<br />
<span style="background-color: white; color: #222222; font-family: "arial"; font-size: x-small;">---------- Forwarded message ----------</span><span style="background-color: white; color: #222222; font-family: "arial"; font-size: x-small;">From: </span><b class="gmail_sendername" style="background-color: white; color: #222222; font-family: arial; font-size: small;">Rishabh Dangwal</b><span style="background-color: white; color: #222222; font-family: "arial"; font-size: x-small;"> </span><span dir="ltr" style="background-color: white; color: #222222; font-family: "arial"; font-size: x-small;"><XXXXXXX@gmail.com></span><span style="background-color: white; color: #222222; font-family: "arial"; font-size: x-small;">Date: Sun, Mar 30, 2014 at 8:53 PM</span><span style="background-color: white; color: #222222; font-family: "arial"; font-size: x-small;">Subject: Re: Attention !! // 020-486-450 // New Ref# SDN14026864 // Citi Transaction & Customer Service Failure at Grassroot level // WORST SERVICE & FEEDBACK.</span><span style="background-color: white; color: #222222; font-family: "arial"; font-size: x-small;">To: "india.branchbanking.head@citi.com" <india.branchbanking.head@citi.com>, india.consumerbanking.head@citi.com, india.ceo@citi.com, india.operations.head@citi.com, Executive Response <executiveresponsedesk@citi.com>, "head.customercare@citi.com" <head.customercare@citi.com>, vikram.saraf@citi.com, arghya.dasgupta@citi.com</span><span style="background-color: white; color: #222222; font-family: "arial"; font-size: x-small;">Cc: "retail.dox.india@citi.com" <retail.dox.india@citi.com>, "nishashriram@citi.com" <nishashriram@citi.com>, r.singh@citi.com, rakesh.singh@citi.com, collection.external.ombudsman@citi.com, Rishabh Dangwal <admin@theprohack.com></span><br />
<br style="background-color: white; color: #222222; font-family: arial; font-size: small;" />
<span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">Good Evening Gentlemen,</span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"><br /></span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">Seems like 40+ minutes calls , 5 months old pending incidents ( & still counting) , no call backs, one sided followups from customer end and unexpected/surprise charge-backs are becoming the new hallmarks of 201 years of Citi in India.</span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"><br /></span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">Is there anyone even working on the matter ? I am still waiting for an acknowledgement from your end.</span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"><br /></span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">Meanwhile the incident history is now live at </span><span style="font-family: "lucida sans unicode" , sans-serif;"><a href="http://goo.gl/LAcB0G" style="color: #1155cc;" target="_blank">goo.gl/LAcB0G</a> (just in case your executives/underlings are not providing your proactive updates) & you can have a look at the glorious way the incident is being handled by Citi. </span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;"><br /></span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">Awaiting some action on the matter since its now long overdue.</span><br />
<span style="font-family: "lucida sans unicode" , sans-serif; font-size: 13px;">Best Regards,</span><span style="font-family: "arial"; font-size: 13px;"> ,</span><span lang="FR" style="font-family: "lucida sans unicode" , sans-serif; font-size: 10pt;"></span><br />
<hr align="center" size="2" width="100%" />
<span lang="FR" style="font-family: "lucida sans unicode" , sans-serif; font-size: 10pt;">
</span><span style="font-size: 10pt;"><br /></span><b><span style="color: #1f497d; font-family: "lucida sans unicode" , sans-serif; font-size: 10pt;">Rishabh Dangwal</span></b><span style="font-family: "lucida sans unicode" , sans-serif;">Network Security Specialist</span><span style="font-family: "lucida sans unicode" , sans-serif;">Orange Business Services (France Telecom)</span><b><span style="color: #ff6600; font-family: "lucida sans unicode" , sans-serif; font-size: 8pt;">RHCE | CCNA | ITIL | CEH</span></b><span style="color: navy; font-family: "lucida sans unicode" , sans-serif; font-size: 8pt;">Website: </span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 8pt;"><a href="http://www.theprohack.com/" style="color: #1155cc;" target="_blank">www.ThePROHACK.com</a> , <a href="http://www.rish.co.in/" style="color: #1155cc;" target="_blank">www.RISH.co.in</a></span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 8pt;"> </span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 8pt;">"Quis Custodiet Ipsos Custodes ?''</span></blockquote>
<div dir="ltr" style="background-color: white;">
<div class="gmail_extra">
<div style="color: #222222; font-family: arial; font-size: small;">
<div dir="ltr">
</div>
</div>
<div class="h5">
<div style="color: black; font-family: 'Times New Roman'; font-size: medium;">
<b>Update 30 March 2014 09:13 - 09:30 PM IST :</b></div>
<div style="color: black; font-family: 'Times New Roman'; font-size: medium;">
Finally got a revert from Citibank Vice president Jinit Thakkar, although it was on a separate email chain.</div>
<div style="color: black; font-family: 'Times New Roman'; font-size: medium;">
<br /></div>
<blockquote class="tr_bq">
On Sun, Mar 30, 2014 at 9:13 PM, Thakkar, Jinit <jinit.thakkar@citi.com> wrote:<br />
Dear Mr. Dangwal,<br />
This refers to you email of March 30th 2014.<br />
We acknowledge receipt of your email.<br />
Due to an extended holiday, on occasion of Gudi Padwa, we will respond to you by Tuesday, April 1st 2014.<br />
Would appreciate your understanding till then.<br />
Regards,<br />
Jinit Thakkar<br />
Head- Executive Response Unit<br />
022-61755648</blockquote>
Pat went the response.<br />
<span style="color: #222222; font-family: "trebuchet ms" , sans-serif; font-size: x-small;"></span><br />
<div class="gmail_default" style="color: #222222; display: inline; font-family: 'trebuchet ms', sans-serif; font-size: small;">
<blockquote style="margin: 0.5pt 0in;">
<span style="color: #222222; font-family: "arial"; font-size: x-small;">---------- Forwarded message ----------</span><span style="color: #222222; font-family: "arial"; font-size: x-small;">From: </span><b class="gmail_sendername" style="color: #222222; font-family: arial; font-size: small;">Rishabh Dangwal</b><span style="color: #222222; font-family: "arial"; font-size: x-small;"> </span><span dir="ltr" style="color: #222222; font-family: "arial"; font-size: x-small;"><XXXXXXX@gmail.com></span><span style="color: #222222; font-family: "arial"; font-size: x-small;">Date: Sun, Mar 30, 2014 at 9:30 PM</span><span style="color: #222222; font-family: "arial"; font-size: x-small;">Subject: Re: your email dated March 30' 2014 / SDN14026864 / old ref#020-486-450</span><span style="color: #222222; font-family: "arial"; font-size: x-small;">To: "Thakkar, Jinit" <jinit.thakkar@citi.com></span><span style="color: #222222; font-family: "arial"; font-size: x-small;">Cc: Executive Response <executiveresponsedesk@citi.com>, "principal.nodal.officer@citi.com" <principal.nodal.officer@citi.com>, "india.branchbanking.head@citi.com" <india.branchbanking.head@citi.com>, india.consumerbanking.head@citi.com, india.operations.head@citi.com, india.ceo@citi.com, "head.customercare@citi.com" <head.customercare@citi.com>, rakesh.singh@citi.com, "nishashriram@citi.com" <nishashriram@citi.com>, vikram.saraf@citi.com, arghya.dasgupta@citi.com</span><br />
<br style="color: #222222; font-family: arial; font-size: small;" />
<span style="font-family: "lucida sans unicode" , sans-serif;">Hello Jinit,</span><span style="font-family: "lucida sans unicode" , sans-serif;"><br /></span><span style="font-family: "lucida sans unicode" , sans-serif;">Let's not start one more email chain on this issue since there are already plenty; </span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: x-small;">I will be looping you in the main email chain & I expect a revert on the same one. </span></blockquote>
<br />
<blockquote style="margin: 0.5pt 0in;">
<span style="font-family: "lucida sans unicode" , sans-serif; font-size: x-small;">Please let me know if Citi will provide me some conclusive feedback by 1 April, or will it be the same 5-month-old weasel words/updates of "under investigation"/"being looked at by internal team"/"awaiting confirmation from internal team", since Simmy / folks left the investigation in the lurch & have wasted a lot of my research time in follow-ups with Citi, mental harassment aside. </span><span style="font-family: "lucida sans unicode" , sans-serif;"><br /></span><span style="font-family: "lucida sans unicode" , sans-serif;"></span></blockquote>
<br />
<blockquote style="margin: 0.5pt 0in;">
<span style="font-family: "lucida sans unicode" , sans-serif;">Awaiting a LEAN & concrete feedback from Citi.</span><span style="font-family: "lucida sans unicode" , sans-serif;"><br /></span><span style="font-family: "lucida sans unicode" , sans-serif;">Best Regards</span><span lang="FR" style="font-family: "lucida sans unicode" , sans-serif; font-size: 10pt;"></span><br />
<hr align="center" size="2" width="100%" />
<span lang="FR" style="font-family: "lucida sans unicode" , sans-serif; font-size: 10pt;">
</span><span style="font-size: 10pt;"><br /></span><b><span style="color: #1f497d; font-family: "lucida sans unicode" , sans-serif; font-size: 10pt;">Rishabh Dangwal</span></b><span style="font-family: "lucida sans unicode" , sans-serif;">Network Security Specialist</span><span style="font-family: "lucida sans unicode" , sans-serif;">Orange Business Services (France Telecom)</span><b><span style="color: #ff6600; font-family: "lucida sans unicode" , sans-serif; font-size: 8pt;">RHCE | CCNA | ITIL | CEH</span></b><span style="color: navy; font-family: "lucida sans unicode" , sans-serif; font-size: 8pt;">Website: </span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 8pt;"><a href="http://www.theprohack.com/" style="color: #1155cc;" target="_blank">www.ThePROHACK.com</a> , <a href="http://www.rish.co.in/" style="color: #1155cc;" target="_blank">www.RISH.co.in</a></span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 8pt;"> </span><span style="font-family: "lucida sans unicode" , sans-serif; font-size: 8pt;">"Quis Custodiet Ipsos Custodes ?''</span></blockquote>
</div>
<div>
<br />
<div style="background-color: white; orphans: auto; text-align: left; text-indent: 0px; widows: auto;">
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<b><br /></b></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<b>Update 30 March 2014 09:43 PM IST :</b></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
Looks like even the Citi India Vice President Jinit Thakkar has got a taste of bad customer service, from folks at Samsung; had a #facepalm moment.</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
An amusing read at -</div>
<div style="margin: 0px;">
www.consumercomplaints.in/complaints/samsung-c303958.html</div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
Somehow, it feels like a guilty pleasure. FYI details are - Jinit Thakkar Asst Vice President , Citibank India, mob : 9820401881 </div>
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br />
<br />
<div style="-webkit-text-stroke-width: 0px; color: black; font-family: 'Times New Roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; orphans: auto; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;">
<div style="margin: 0px;">
<b>Update 31 March 2014 12:43 PM IST :</b></div>
<div style="margin: 0px;">
Had a word with Manisha Shriram / Jinit Thakkar from Chennai, they required 1 more day to investigate the issue since its holiday at Mumbai. Also, internally escalated the matter to Orange / France Telecom Finance department.</div>
</div>
</div>
<div style="color: black; font-family: 'times new roman'; font-size: medium; font-variant: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="font-style: normal; font-weight: normal;">
<br /></div>
<div style="font-style: normal; font-weight: normal;">
</div>
<div style="background-color: white; color: black; font-family: 'times new roman'; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
</div>
<div style="font-style: normal;">
<br /></div>
<div style="background-color: white; color: black; font-family: 'times new roman'; font-size: medium; font-variant: normal; letter-spacing: normal; line-height: normal; margin: 0px; text-align: left; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<div style="font-style: normal; font-weight: normal; margin: 0px;">
<b>Update 31 March 2014 06:00 PM IST :</b></div>
<div style="font-style: normal; margin: 0px;">
Finally got the call from Simmy Sebastian (executive response unit), to cut a long story short-</div>
<div style="font-style: normal; margin: 0px;">
</div>
<ol style="font-style: normal; text-align: left;">
<li>As per him he has retrieved the clippings.</li>
<li>He has seen that cash is being dispensed.</li>
<li>He asked if I was informed about cash reversal -> negative</li>
<li>He asked if I had communication from Keerti -> positive</li>
<li>Asked him to drop an email about it, he asked for 1 more day to have a conclusive feedback.</li>
<li>Asked him if anything is required from my end , he said nothing else is required.</li>
<li>He said he will provide a final stand on this regard by tomorrow.</li>
</ol>
<div>
<div style="font-style: normal;">
<b>Final Update : </b></div>
<div style="font-style: normal;">
<br /></div>
<div style="font-style: normal;">
I am updating this in February 2016, as I think it was long overdue. Simmy called me and sent across the footage of the ATM in a PKZIP-encrypted file. Checked the footage and found out the ATM was misbehaving and another guy took out the money. </div>
<div style="font-style: normal;">
<br /></div>
<b><i>Bottom Line : </i></b><br />
<div style="font-style: normal;">
<u>No refund from the bank (thank you Citibank :X ). No action from Delhi Police. The ATM was torn down to make room for a new clinic. </u></div>
<div style="font-style: normal;">
<u><br /></u></div>
<div style="font-style: normal;">
Welcome to India. </div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="blogger-post-footer">Thanks for your readership.
Be a Pro,Visit Prohack.
RD</div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0tag:blogger.com,1999:blog-473620016779402291.post-48501797853756684952013-03-26T01:11:00.001+05:302013-03-26T01:11:17.843+05:30Ngrep–Grep patterns in Network traffic<p>We have got a lot of packet sniffer/analyzer software out there. I am a self-confessed <a title="Wireshark - the ultimae network sniffer" href="http://www.theprohack.com/2009/03/wireshark-ultimate-network-sniffer.html" target="_blank"><strong>Wireshark</strong></a> & <a title="Guide to Ettercap - read at Prohack" href="http://www.theprohack.com/2011/01/errata-guide-to-ettercap-gui-through.html" target="_blank"><strong>Ettercap</strong> <strong>lover</strong></a>, but when it comes to analyzing network traffic quickly from the command line, ngrep is one of my favourites. Written by Jordan Ritter, it is used to “grep” traffic patterns from the network interfaces. As per the official documentation - </p> <blockquote> <p>ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.</p> </blockquote> <p>ngrep runs on <a title="Read more windows articles at Prohack" href="http://www.theprohack.com/search/label/Windows%20tricks" target="_blank"><strong>Windows</strong></a> & <a title="Read Linux articles at Prohack" href="http://www.theprohack.com/search/label/Linux" target="_blank">*<strong>nix</strong> <strong>platforms</strong></a> alike. It is built on libpcap, so on Windows you need WinPcap installed before it will run.  
</p> <p><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="Ngrep–Grep patterns in Network traffic" border="0" alt="Ngrep–Grep patterns in Network traffic - Theprohack.com" src="http://lh4.ggpht.com/-KkueWyIFYR0/UVCoXJFLeKI/AAAAAAAACG8/IpUOGNUfQiM/Image.jpg?imgmax=800" width="504" height="431" /></p> <p>Once installed, it uses the first interface on your machine by default, so make sure to check the detected interfaces first by running - </p> <blockquote> <p>C:\Users\RISHABH\Desktop>ngrep -L <br />idx     dev <br />---     --- <br /> 1:     \Device\NPF_{4D491111-D331-42BC-9A33-98EF8C40D422} (Microsoft) <br /> 2:     \Device\NPF_{ADBF6AC1-D111-463D-8D99-C58FA1BEF979} (Sun) <br /> 3:     \Device\NPF_{6F801AE0-CA61-4A6D-B5FF-DCB7CE8FC529} (VMware Virtual Ethernet Adapter) <br /> 4:     \Device\NPF_{930B6EC8-A5E3-4FFA-B68F-F159FDFC2064} (VMware Virtual Ethernet Adapter) <br /> 5:     \Device\NPF_{D1999293-A041-4C2A-B63F-5D8B4906000F} (Realtek PCIe GBE Family Controller) <br />exit</p> </blockquote> <p>Now, say you want to see what is going on at port 23 on interface 5:</p> <blockquote> <p>C:\Users\RISHABH\Desktop>ngrep -d 5  port 23 <br />interface: \Device\NPF_{D1999293-A041-4C2A-B63F-5D8B4906000F} (192.168.1.0/255.255.255.0) <br />filter: (ip or ip6) and ( port 23 ) <br />exit <br />0 received, 0 dropped</p> </blockquote> <p>Piece of cake. And if you want to search web traffic for the keyword "password", then:</p> <blockquote> <p>ngrep -d 5 "password" port 80</p> </blockquote> <p>Easy, ain't it? 
Ngrep does it all. One caveat: it only sees what travels in the clear, so the search above catches plain HTTP logins but nothing inside TLS on port 443, and an empty result there proves nothing. With a few well-chosen regexes and BPF filters (plus -q to suppress the per-packet hash marks and -W byline to keep the output readable), you can become a pcap ninja.</p> <p> Well, you can </p> <ol> <li>Download Ngrep from <a title="Download Ngrep" href="http://ngrep.sourceforge.net/download.html" rel="nofollow" target="_blank"><strong>here</strong></a></li> <li>Check out documentation and examples <a title="Ngrep examples and documentations" href="http://ngrep.sourceforge.net/usage.html" rel="nofollow" target="_blank"><strong>here</strong></a></li> <li> <div align="left">Learn about Wireshark from <a title="Wireshark - Ultimate network sniffer" href="http://www.theprohack.com/2009/03/wireshark-ultimate-network-sniffer.html" rel="nofollow" target="_blank"><strong>here</strong></a> </div> </li> </ol> <div class="blogger-post-footer">Thanks for your readership.
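<p>To make the mechanics concrete, here is an added example (not ngrep's own code) that does in pure Python what <em>ngrep "password" port 80</em> does: it walks a classic libpcap file, decodes the Ethernet/IPv4/TCP/UDP headers, and regex-matches each packet's transport payload, optionally restricted to a port. The pcap is constructed inline (documentation-range addresses, a made-up login), so it runs offline; the plain port filter and the 5-tuple output are this script's own simplifications of ngrep's BPF syntax.</p>

```python
"""Minimal ngrep-style payload grep over a pcap, in pure Python.

Added example, not ngrep's code: parses the classic libpcap file format
(Ethernet / IPv4 / TCP or UDP) and applies a regex to each packet's
transport payload, the way `ngrep <pattern> port <n>` does.
The pcap below is constructed inline so the script runs offline.
"""
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def _ipv4_packet(proto, src, dst, transport):
    total_len = 20 + len(transport)
    # IP checksum left as 0: this parser never verifies it (ngrep does not by default either)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + transport


def tcp_packet(src, dst, sport, dport, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return _ipv4_packet(6, src, dst, tcp + payload)


def udp_packet(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    return _ipv4_packet(17, src, dst, udp + payload)


def build_pcap(ip_packets):
    """Wrap raw IPv4 packets in Ethernet frames inside a little-endian classic pcap."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    for i, pkt in enumerate(ip_packets):
        frame = eth + pkt
        out += struct.pack("<IIII", 1364000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_packets(pcap_bytes):
    """Yield (src, sport, dst, dport, proto, payload) for every IPv4 TCP/UDP packet."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap_bytes[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian pcap with Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        l4 = frame[14 + ihl:]
        if proto == 6 and len(l4) >= 20:
            sport, dport = struct.unpack("!HH", l4[:4])
            yield src, sport, dst, dport, "tcp", l4[(l4[12] >> 4) * 4:]
        elif proto == 17 and len(l4) >= 8:
            sport, dport = struct.unpack("!HH", l4[:4])
            yield src, sport, dst, dport, "udp", l4[8:]


def pcap_grep(pcap_bytes, pattern, port=None):
    """Packets whose payload matches `pattern`, optionally limited to `port` on either
    side: the equivalent of `ngrep -q -i '<pattern>' port <port>` over a capture."""
    rx = re.compile(pattern.encode(), re.IGNORECASE | re.DOTALL)
    hits = []
    for src, sport, dst, dport, proto, payload in iter_packets(pcap_bytes):
        if port is not None and port not in (sport, dport):
            continue
        if rx.search(payload):
            hits.append({"proto": proto, "src": "%s:%d" % (src, sport),
                         "dst": "%s:%d" % (dst, dport), "payload": payload})
    return hits


# Constructed traffic: one plaintext HTTP login, one telnet banner, one DNS query.
SAMPLE_PCAP = build_pcap([
    tcp_packet("192.168.1.10", "203.0.113.5", 51000, 80,
               b"POST /login HTTP/1.1\r\nHost: example.com\r\n\r\nuser=rish&password=hunter2"),
    tcp_packet("192.168.1.1", "192.168.1.10", 23, 51001, b"\r\nlogin: "),
    udp_packet("192.168.1.10", "192.168.1.1", 40000, 53,
               b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
])

if __name__ == "__main__":
    for hit in pcap_grep(SAMPLE_PCAP, "password", port=80):
        print(hit["proto"].upper(), hit["src"], "->", hit["dst"], hit["payload"][-30:])
```

<p>Run it and the HTTP POST is the only hit on port 80; call <em>pcap_grep(SAMPLE_PCAP, "login")</em> with no port and both the HTTP path and the telnet banner match, which is why tightening the BPF filter matters as much as the regex. A TLS session on 443 would never match at all, since only the cleartext payload is searched.</p>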
Be a Pro,Visit Prohack.
RD</div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0tag:blogger.com,1999:blog-473620016779402291.post-47097442336080366162013-03-24T18:33:00.001+05:302013-03-25T02:13:28.699+05:30Cisco Type 4 Passwords cracked–Coding mistake endangers devices<p>Cisco has issued a security advisory warning that its new password hashing scheme, Type 4, is flawed in a way that lets Type 4 hashes be cracked easily. Type 4 was meant to succeed Type 5 (the salted, iterated MD5 of <em>md5crypt</em>) with something stronger: PBKDF2 over SHA-256 with an 80-bit salt and 1000 iterations. What Cisco's engineers actually shipped hashes the password once with SHA-256, with no salt and no iteration, which makes it weaker than Type 5 despite the newer hash function: the same password yields the same hash on every device, and a single SHA-256 is about as cheap as a guess gets on a GPU.</p> <blockquote> <p>“This approach causes a Type 4 password to be less resilient to brute-force attacks than a Type 5 password of equivalent complexity.”</p> </blockquote> <p>Worse, the same code base (Cisco IOS 15 releases with Type 4 support) can no longer generate a Type 5 hash from a plaintext password: existing Type 5 secrets keep working, but any newly configured secret gets Type 4. Well, talk about rubbing salt in the wound. 
</p> <p><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="Cisco Type 4 Passwords cracked–Coding misfire endangers hardware " border="0" alt="Cisco Type 4 Passwords cracked–Coding misfire endangers hardware - - TheProhack.com" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijpYPTBBcAB_Cu7Zw-N4naoA-ibJUQOOJu-ODrqWAHRtGG6dulIBkicnW_30nQIYoGmZRw8CMcxKBsBkGVFVkqicIZVT9M7bP8twdcBg7bF6qdTlhZ_SOcPvssls6YoiuiWGguVipFmNo/?imgmax=800" width="404" height="349" /></p> <p>As per the advisory - </p> <blockquote> <p>"A device running a Cisco IOS or IOS XE release with support for Type 4 passwords lost the capability to create a Type 5 password from a user-provided plaintext password. Backward compatibility problems may arise when downgrading from a device running a Cisco IOS or IOS XE release with Type 4 password support and Type 4 passwords configured to a Cisco IOS or Cisco IOS XE release that does not support Type 4 passwords. Depending on the specific device configuration, the administrator may not be able to log in to the device or to change into privileged EXEC mode, requiring a password recovery process to be performed."</p> </blockquote> <p>It was bound to be discovered. Folks at <a title="Hashcat" href="http://hashcat.net/oclhashcat-plus/" rel="nofollow" target="_blank">Hashcat</a>, Philipp Schmidt and Jens Steube, found it while looking at a Type 4 hash posted at inetpro.org, and cracked it. With no salt and a single round, anyone who gets hold of a configuration dump can test candidate passwords against every hash in it at raw SHA-256 speed, and a hash cracked once identifies that password on every other device that stores it.  </p> <p>The aftermath? Cisco says it will introduce a new password type to replace it, with new, as yet unannounced, commands to configure it.  
In the meantime, Cisco says you “may” want to replace Type 4 passwords with Type 5, as quoted -</p> <blockquote> <p>There are two options to generate a Type 5 password:</p> <ul> <li>Using another device running a Cisco IOS or Cisco IOS XE release without Type 4 support </li> <li>Using the <em>openssl </em>command-line tool (part of the OpenSSL Project)</li> </ul> </blockquote> <p>With OpenSSL, <em>openssl passwd -1 -salt &lt;salt&gt;</em> (omit the password argument and it prompts, rather than leaving the password in your shell history) prints the <em>$1$salt$hash</em> md5crypt string, which is exactly what <em>enable secret 5</em> and <em>username ... secret 5</em> expect; paste it in and verify the login on a second session before you save the config.</p> <p>You can read the advisory <a title="Cisco Type 4 advisory - TheProhack.com" href="http://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20130318-type4" rel="nofollow" target="_blank"><strong>here</strong></a></p> <p>You might also want to read  - </p> <ul> <li><a title="Static VRRP over Cisco and testing it - read at ProHack" href="http://www.theprohack.com/2011/08/static-vrrp-over-cisco-router-and.html" target="_blank"><strong>Static VRRP over Cisco and testing it.</strong></a></li> <li><a title="EIGRP Cheatsheet – EIGRP in 15 min - Read at ProHack" href="http://www.theprohack.com/2012/12/eigrp-cheatsheet-eigrp-in-15-min.html" target="_blank"><strong>EIGRP Cheatsheet – EIGRP in 15 min</strong></a></li> </ul> <div class="blogger-post-footer">Thanks for your readership.
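<p>To see why "no salt, one iteration" is the whole story, here is an added example in Python, not Cisco's or hashcat's code. It assumes the shipped Type 4 is a single unsalted SHA-256 encoded in Cisco's itoa64-style base64 alphabet (43 characters, no padding), and that the design was PBKDF2-HMAC-SHA-256 with an 80-bit salt and 1000 iterations, which is also the construction Cisco later shipped as Type 8. The <em>$iterations$salt$hash</em> layout of the "intended" output and the sample running-config are this script's own, and the Type 5 line in the sample is a placeholder of the right shape, not a real secret.</p>

```python
"""Cisco IOS Type 4 secrets: what shipped versus what was designed.

Added example, not Cisco's or hashcat's code. Assumptions: the shipped Type 4
is one unsalted SHA-256 of the password, encoded with the itoa64 alphabet
(./0-9A-Za-z) in ordinary base64 bit order with no padding (43 characters);
the intended scheme was PBKDF2-HMAC-SHA-256, 80-bit salt, 1000 iterations.
The '$iterations$salt$hash' layout for the intended form is this script's
own, not IOS syntax. SAMPLE_CONFIG is constructed.
"""
import base64
import hashlib
import os
import re

STD_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CISCO_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_TO_CISCO = str.maketrans(STD_B64, CISCO_B64)
_FROM_CISCO = str.maketrans(CISCO_B64, STD_B64)


def cisco_b64(raw):
    """Standard base64 packing, itoa64 alphabet, padding stripped."""
    return base64.b64encode(raw).decode().rstrip("=").translate(_TO_CISCO)


def cisco_b64_decode(text):
    std = text.translate(_FROM_CISCO)
    return base64.b64decode(std + "=" * (-len(std) % 4))


def type4_as_shipped(password):
    """What the affected IOS releases stored: SHA-256(password), no salt, one round."""
    return cisco_b64(hashlib.sha256(password.encode()).digest())


def type4_as_intended(password, salt=None, iterations=1000):
    """PBKDF2-HMAC-SHA-256, 80-bit salt, 1000 rounds, as the advisory describes the
    design. Same password with a fresh salt gives a different string every time."""
    salt = os.urandom(10) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "$%d$%s$%s" % (iterations, cisco_b64(salt), cisco_b64(dk))


def type4_matches(password, stored):
    """Verify a shipped-form Type 4 string against a candidate password."""
    return hashlib.sha256(password.encode()).digest() == cisco_b64_decode(stored)


def crack_type4(stored, wordlist):
    """The attacker's side: one SHA-256 per guess, and with no salt the same
    guess table serves every device that stores the same hash."""
    target = cisco_b64_decode(stored)
    for guess in wordlist:
        if hashlib.sha256(guess.encode()).digest() == target:
            return guess
    return None


# Lines of a `show running-config` that carry secrets, by password type.
_SECRET = r"^[ \t]*(?:enable secret|username[ \t]+\S+[ \t]+secret)[ \t]+"
TYPE4_LINE = re.compile(_SECRET + r"4[ \t]+[./0-9A-Za-z]{43}[ \t]*$", re.M)
TYPE5_LINE = re.compile(_SECRET + r"5[ \t]+\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}[ \t]*$", re.M)


def audit_config(running_config):
    """Count Type 4 (to be replaced) and Type 5 secrets in a config dump."""
    return {"type4": len(TYPE4_LINE.findall(running_config)),
            "type5": len(TYPE5_LINE.findall(running_config))}


# Constructed config; the Type 5 string is a placeholder of the right shape, not a real secret.
SAMPLE_CONFIG = """
hostname edge-rtr-1
enable secret 4 %s
username admin secret 4 %s
username backup secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
""" % (type4_as_shipped("cisco123"), type4_as_shipped("Summer2013"))

if __name__ == "__main__":
    print("shipped :", type4_as_shipped("cisco123"))
    print("intended:", type4_as_intended("cisco123"))
    print("audit   :", audit_config(SAMPLE_CONFIG))
    print("cracked :", crack_type4(type4_as_shipped("cisco123"), ["admin", "cisco", "cisco123"]))
```

<p>The audit regexes pick out <em>enable secret 4</em> and <em>username ... secret 4</em> lines from a config dump so you can list what needs replacing. Running <em>type4_as_shipped</em> twice on one password returns the identical string, while <em>type4_as_intended</em> never does; that determinism, not SHA-256 itself, is what makes a leaked Type 4 config a one-time cracking job for every device that shares a password.</p>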
Be a Pro,Visit Prohack.
RD</div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0tag:blogger.com,1999:blog-473620016779402291.post-47567511904323897442013-03-23T01:16:00.001+05:302013-03-23T01:16:45.507+05:30CARNA Botnet–Researcher maps Internet using botnet<p>“ <em>Incredible</em>”</p> <p>That is the one word for the CARNA botnet, a single-handed attempt by an anonymous researcher to map the entire Internet, and the most Herculean feat I have witnessed in the digital domain. It leaves me with mixed feelings of astonishment and déjà vu. </p> <p><img style="background-image: none; border-bottom: 0px; border-left: 0px; padding-left: 0px; padding-right: 0px; display: block; float: none; margin-left: auto; border-top: 0px; margin-right: auto; border-right: 0px; padding-top: 0px" title="So this how our Internet looks like ? " border="0" alt="CARNA Botnet–Researchers map Internet - theprohack.com" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNyotU_GDBePgYzdULwh7QZUABjgS27ZtMIP60hb5bk3PRWiGB0O_Dte5oviEMK_BjMc5n91bVAzGZlmqXFseRBaXKLleoZn1Rh9_G0klx0pE4D8hRsjiW9c-TvgtkSKIhhcNO2Xwj83s/?imgmax=800" width="596" height="337" /></p> <p>As the paper states, the basic theory behind CARNA was</p> <blockquote> <p>After completing the scan of roughly one hundred thousand IP addresses, we realized the number of insecure devices must be at least one hundred thousand. Starting with one device and assuming a scan speed of ten IP addresses per second, it should find the next open device within one hour. The scan rate would be doubled if we deployed a scanner to the newly found device. After doubling the scan rate in this way about 16.5 times, all unprotected devices would be found; this would take only 16.5 hours. Additionally, with one hundred thousand devices scanning at ten probes per second we would have a distributed port scanner to port scan the entire IPv4 Internet within one hour.</p> </blockquote> <p>Impressive, 
and the payload they devised was small and surgical: it targeted embedded devices whose telnet login accepted empty or default credentials.</p> <blockquote> <p>The binary on the router was written in plain C. It was compiled for 9 different architectures using the OpenWRT Buildroot. In its latest and largest version this binary was between 46 and 60 kb in size depending on the target architecture.</p> </blockquote> <p>The end result? About 420,000 infected devices were enlisted, and some 1.3 billion IPv4 addresses were geolocated, roughly a third of them responding directly to pings.</p> <p>Incredible, as I said. Sceptics will say it could be a hoax, and it is hard to verify: the data ships as a 586 GB torrent compressed with ZPAQ that unpacks to 9 TB, so downloading, unpacking and analysing it takes something close to a superhuman effort. But if it is true, it is awesome. Keep in mind, too, that however careful the payload, the census ran on hundreds of thousands of devices whose owners never consented, which is unauthorised access under most computer-misuse laws, whatever its research value.</p> <p>You can </p> <ol> <li>Read the Paper<strong> </strong><a title="CARNA BOTNET Research - Census 2012 of Internet - TheProhack.com" href="http://census2012.sourceforge.net/paper.html" rel="nofollow" target="_blank"><strong>here</strong></a> </li> <li>Download Bit Torrent file <a title="CARNA Botnet Bit Torrent - TheProhack.com" href="http://census2012.sourceforge.net/download.html" rel="nofollow" target="_blank">here</a></li> <li>See graphical results <a title="CARNA Botnet - Results - TheProhack.com" href="http://census2012.sourceforge.net/images.html" rel="nofollow" target="_blank"><strong>here</strong></a> </li> </ol> <p>Like I said, prepare to be amazed.</p> <div class="blogger-post-footer">Thanks for your readership.
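<p>The doubling argument above is easy to check with a small model. The following is an added example, not the Carna census code: it simulates an address space with a handful of insecure hosts, every compromised host probing ten random addresses per second and each newly found host joining the scan at the next tick. The parameters (a 2^16 address space, 200 insecure hosts, a fixed PRNG seed) are constructed so the run finishes in seconds; the paper-scale figures are computed from the formulas alone.</p>

```python
"""Why a self-propagating scanner finds every insecure host in about log2(N) doublings.

Added example, not the Carna census code. It models the paper's argument:
SPACE addresses hold VULNERABLE insecure hosts; each compromised host probes
RATE random addresses per second and every host found joins the scan.
All parameters are constructed for a quick run, not taken from the paper.
"""
import math
import random


def doublings_needed(vulnerable):
    """Scanner-count doublings from one scanner to at least `vulnerable` scanners."""
    return math.log2(vulnerable)


def seconds_per_doubling(space, vulnerable, rate):
    """With s scanners probing `rate` addresses/s each and v hosts still unfound,
    discoveries arrive at s*rate*v/space per second, so going from s to 2s scanners
    takes about space/(rate*v) seconds whatever s is: early doublings all cost the
    same wall-clock time, and only the shrinking v slows the tail."""
    return space / (rate * vulnerable)


def sweep_seconds(scanners, rate, space=2 ** 32):
    """Time for the assembled scanners to probe the whole address space once."""
    return space / (scanners * rate)


def simulate(space, vulnerable, rate, seed=1):
    """Tick-by-tick run. Returns (seconds until every insecure host was found,
    scanner count after each second)."""
    rng = random.Random(seed)
    unfound = set(rng.sample(range(space), vulnerable))   # constructed insecure hosts
    scanners = 1                                           # the attacker's own starting host
    history = [scanners]
    t = 0
    while unfound:
        t += 1
        probes = scanners * rate          # hosts found this second start probing next second
        for _ in range(probes):
            addr = rng.randrange(space)   # uniform random probing, as in the paper
            if addr in unfound:
                unfound.discard(addr)
                scanners += 1
        history.append(scanners)
    return t, history


if __name__ == "__main__":
    print("paper scale: %.1f doublings, ~%.0f s each, then a full IPv4 sweep in %.0f s"
          % (doublings_needed(100_000), seconds_per_doubling(2 ** 32, 100_000, 10),
             sweep_seconds(100_000, 10)))
    secs, hist = simulate(2 ** 16, 200, 10, seed=7)
    print("toy run: all 200 hosts found after %d s; scanners every 20 s: %s"
          % (secs, hist[::20]))
```

<p>Two things the run shows that the paper states but does not derive: the time per doubling is space/(rate × unfound hosts), independent of how many scanners are already active, so it stays roughly constant until the unfound hosts thin out; and the tail is the slow part, because the last few hosts are found at coupon-collector rates even with every scanner working. A lone scanner at the same rate would need on the order of space/rate seconds just to sweep the toy space once; the propagating version finishes in a small fraction of that.</p>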
Be a Pro,Visit Prohack.
RD</div>rishhttp://www.blogger.com/profile/02053531903553289391noreply@blogger.com0