The magazine covers breaking industry news, new hacker threats and attacks, different techniques of defense and protection methods, security tips and tools and latest trends in IT Security. Their monthly issue is available for download in pdf from their corporate website. Hakin9's latest e-book edition is out now. It features more useful information on malware.
First, we copy a file from one location to another; an ordinary copy changes the file's timestamps.
When a file is copied for forensic purposes, its timestamps must remain unchanged. To achieve this we use the Forensicopy tool. In Forensicopy, browse to the file to be copied in the source directory. It will show a message on copy completion and ask whether a log file should be exported. Now we look at the properties of the copied file: its timestamps are unchanged. After the log file has been created, we open it; it shows the start and finish time of the copy and the source and destination of all the files in that folder.
The timestamps remain the same. A New Case window opens. It then asks for the file name under which to save the case in the location you specify. Click Save. Now select both options and click OK to proceed to the next step. It will now allow you to analyze the message headers, bodies and attachments. It will show the Creating Physical Drive Image window.
Click Next. Now browse to the location and name of the physical image file to create. Select the option to save in raw format. Now enter details such as the case no. Click Finish. It will now ask for a file name. Click Save. It will now create the raw image and display the image file. Click Next. Click OK. It will now show the location and search type. Select the items to be investigated.
Click Browse to select the destination folder. Assign the case name and case no. Click Find Evidence. It will now show the processing status. After the process completes, the IEF report is displayed. Click Google Search; it shows the URLs together with the original search query. Selecting Skype Chat Message shows the message and identifier. Now select the Facebook Chat option.
It shows the Facebook chat messages. Selecting Facebook Status Update shows the updated status. It shows Opera history. It shows IE history. It can be used both by professionals and non-experts to quickly and easily collect, preserve and reveal digital evidence without compromising systems and data. Install Python. Install PyQt4. Both are prerequisites for DFF. Now click I Agree. Click I Agree to proceed further. Click Finish to complete the installation.
A new window opens. In Step 1 it asks you to add a data source. In Step 2 it processes the data source and adds it to the local database. After processing completes, it shows the forensic investigation report. Click Devices Attached to list the devices attached to the system. It shows the image files. Click Installed Programs to see all programs installed on the system. Click Operating System Information. The PHP code would be executed and its output displayed.
Using the script in Listing 8, we can send PHP code in place of the referrer. If the PHP configuration page is displayed, the attack was successful. Now we will see how to protect against these attacks. Disable the eval function in PHP, since eval can execute PHP code contained in any string. Use absolute paths and sanitize the string before you include it. Don't let raw or encoded versions of characters like. If using PHP 5. Displaying errors in PHP is not recommended, because it reveals a lot of information about the system and website.
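The advice above (absolute paths, sanitizing the string before it reaches include, refusing remote sources) can be checked in code before any file is included. The following is an added example, written in Python rather than the article's PHP, and not code from the article: it resolves a requested page name against an assumed base directory, rejects remote URLs and NUL bytes, optionally enforces an allowlist of page names, and confirms the normalized path still lies inside the base directory. The directory, the page names and the inputs are all constructed for the example.

```python
import posixpath


class UnsafeInclude(ValueError):
    """Raised when a requested include would leave the template root or load remote code."""


# Assumed base directory and allowlist; both are constructed for this example.
TEMPLATE_ROOT = "/var/www/app/pages"
ALLOWED_PAGES = frozenset({"home", "about", "contact"})


def resolve_include(page: str, root: str = TEMPLATE_ROOT, allowed=ALLOWED_PAGES) -> str:
    """Return the absolute path of the page to include, or raise UnsafeInclude.

    The input is expected to be already URL-decoded (decode before calling, so
    that encoded forms such as %2e%2e are caught by the same checks).
    """
    # Remote file inclusion: any scheme separator means the string is a URL, not a page name.
    if "://" in page:
        raise UnsafeInclude("remote includes are not allowed")
    # NUL bytes can truncate the path in C-based runtimes (e.g. 'about\x00.jpg').
    if "\x00" in page:
        raise UnsafeInclude("NUL byte in page name")
    # Strongest check: only names we explicitly know about.
    if allowed is not None and page not in allowed:
        raise UnsafeInclude(f"page {page!r} is not in the allowlist")
    # Defense in depth: build an absolute path and verify it stays under root.
    candidate = posixpath.normpath(posixpath.join(root, page + ".php"))
    if posixpath.commonpath([root, candidate]) != root or candidate == root:
        raise UnsafeInclude("path escapes the template root")
    return candidate


def classify(page: str, allowed=ALLOWED_PAGES) -> str:
    """Return 'ok:<path>' or 'rejected:<reason>' for a requested page (for reporting)."""
    try:
        return "ok:" + resolve_include(page, allowed=allowed)
    except UnsafeInclude as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    # Constructed inputs: a legitimate page, a traversal attempt, a remote URL and a NUL trick.
    for requested in ("about", "../../etc/passwd", "http://evil.invalid/shell.txt", "about\x00"):
        print(repr(requested), "->", classify(requested, allowed=None))
```

With the allowlist enabled, only the three known page names ever reach the file system; with allowed=None the path-containment check alone still stops traversal, which is the fallback when page names are generated dynamically.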
The golden rule is always: safe coding! His areas of expertise are developing and upgrading CMSs as well as web server administration. He is currently working freelance on the development of the product-search engine Shophexe. You can contact him at the following e-mail address: erhan yekta. He has been working with computers for ten years, five of them in computer and web application security.
He is a system administrator of a web server and performs penetration tests. He is studying computer science in Germany. This serves as an interdependent working platform. As a result, web application robustness is affected. This layout is versatile from a security point of view as well as from the working structure of applications. This paper discusses the infection vectors that arise from insecure coding by developers and covers other related security issues.
It will provide a detailed analysis of the errors and efficient measures to correct those errors, while keeping in mind the original security concerns. The major point of discussion is Site Scraping. It is a process of scraping the contents of another website into a different format. The US laws have rightly stated that linking to another website is not a breach of the Copyright Act.
It becomes an issue whenever the site owner wants you to stop scraping and it is still continued in an illegal way. The best approach to follow is Licensed Feeds. Peripheral knowledge of working of RSS feeds will be useful. It is considered to be the root of feed transference and the operations required in managing data flow between various websites. The generation and transference of feeds is based on the application coding used for web services.
PHP is extensively used for creating the feeds structure. The model shows the inclusion of feeds from different websites and their processing by the service programs. The user is one of the components of this management system because the major interaction is undertaken with the user. The language used is XML which is based on a standard specification. More precisely XSLT is used for transformation of content into feeds. The feeds can be directly converted into HTML pages based on the designed application. As a result of this operation, a direct interface is provided to a user. The advent of Web 2.
The inclusion of content has become the sole basis for the interworking of websites. There are a number of RSS variants present with different specifications. The base structure works on the specification used as a benchmark for designing elemental objects. The prime mechanism is the same for any kind of RSS implementation. To understand security implications it is crucial to comprehend the parsing of RSS feeds. The feeds are parsed through three basic techniques which are enumerated below. XML Parsing This is a process of parsing the raw feeds into well structured RSS feeds to be used directly in website content and blog feeds.
It is implemented through the XML::Simple parsing library. See Listing 1. Doing so requires no module installation and can be applied directly throughout the program. Implementing regular expressions is, admittedly, a somewhat complex procedure.
An unstructured regular expression can affect the stability of an application. These components are well placed in the above presented hierarchical model of RSS generation. Listing 1. This structure is converted into a well defined object component that can then be easily placed into HTML pages or other web services for reproduction of data in an efficient manner.
This discussion provides a brief overview of RSS functioning. As our discussion is geared more towards application flaws, we will now look into the various insecure practices one by one. The function creates a new empty XML document and returns an instance of it. The XML version number of the document is passed as an argument. The calling mechanism is illustrated in Figure 2. The DLL provides dynamic loading of a number of functions defined in it. It is configured by specifying it as an entry in the php. The function prototype should be defined as in Listing 4. The code is symmetrical and is used as a definitive code structure.
The developers should focus on the calling method and the migration of content between different web pages. Of course secure coding is very important.
It affects the security of an application too. Many developers or system controllers enable DTD which is considered to be a security risk. Another point that comes into play is whether to accept DTD from other resources or not. For security, the sources have to be trusted. Any DTD from an untrusted source generates vulnerable behavior.
XPath problems can be encountered if the code is designed to call remote objects from an untrusted source. Developers should pay attention to this factor because, again, it can result in denial of service when a malicious user supplies complex queries. Listing 3. These specific security issues can be the result of an error-prone XML base.
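The point made above is that a DTD arriving with an untrusted feed should simply not be accepted. The following is an added example, not code from the article, showing one way to enforce that while still extracting the item titles from an RSS feed: the expat parser's DOCTYPE and entity-declaration callbacks are used to abort parsing the moment a DTD appears, so no entity from the feed is ever expanded. Both feed documents are constructed for the example.

```python
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when a feed carries a DOCTYPE or an entity declaration."""


def parse_feed_titles(xml_text: str) -> list:
    """Return the <title> text of each <item> in an RSS feed, refusing any DTD."""
    parser = xml.parsers.expat.ParserCreate()
    titles, stack, buf = [], [], []

    def reject_doctype(*_args):
        # Fires before any internal subset is processed, so entities are never defined.
        raise DtdNotAllowed("DOCTYPE refused: feeds are parsed without DTD support")

    def reject_entity(*_args):
        raise DtdNotAllowed("entity declaration refused")

    def start(name, _attrs):
        stack.append(name)
        buf.clear()

    def chars(data):
        buf.append(data)

    def end(name):
        # Only titles whose parent element is <item> are collected.
        if name == "title" and len(stack) >= 2 and stack[-2] == "item":
            titles.append("".join(buf).strip())
        stack.pop()
        buf.clear()

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(xml_text, True)
    return titles


def feed_is_accepted(xml_text: str) -> bool:
    """True if the feed parses without a DTD; False if it was refused for carrying one."""
    try:
        parse_feed_titles(xml_text)
        return True
    except DtdNotAllowed:
        return False


# Constructed sample feeds: one plain, one carrying an (internal) DTD.
SAFE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example blog</title>
<item><title>First post</title><link>http://example.invalid/1</link></item>
<item><title>Second post</title></item>
</channel></rss>"""

DTD_FEED = """<?xml version="1.0"?>
<!DOCTYPE rss [ <!ENTITY greeting "hello"> ]>
<rss version="2.0"><channel><item><title>&greeting;</title></item></channel></rss>"""

if __name__ == "__main__":
    print(parse_feed_titles(SAFE_FEED))          # ['First post', 'Second post']
    print(feed_is_accepted(DTD_FEED))            # False
```

A feed that references an entity without declaring one also fails, since expat reports an undefined entity as a parse error; either way nothing from the feed's DTD is ever resolved.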
Header Modification Checks The rss. The web page is divided into two parts, the header and the body. It depends a lot on the type of content to be transferred and taken in response. Since the process is part of the header specification, it is crucial to modify headers based on the application requirements. The XML based document structure is used for data transference. The developers design robust and dynamic RSS based web applications. Code writers design the code with certain standards.
For example, the headers have to be specified on the basis of the output to be produced. The problem occurs when some of the body has already been sent to the user and a request to change the header is then made. Since the error is a result of the header statement, the developer should look at the code adjacent to the header function. The basic flaw is in the use of the header function. The second cause can result from redirection of pages. The underlined code redirects the user to the destination i. As RSS based applications require continuous functionality to update the site summary database remotely, the two problems defined above should be checked in rss.
This is considered one of the major potential risks in web application security. An attacker can easily exploit an insecure web application by passing a simple PHP script in which headers are modified directly. For example, a vulnerable application can trigger a script as provided in Listing 5. It changes the execution flow of the web application. In these types of attacks, the user is redirected towards the destination object which is passed as an argument to the header function. This attack basically occurs at the backend. It further acts as a base for third party redirection attacks, phishing and cross site request forgery attacks.
An attacker can specify the destination URL with arguments and pass it to the web application by a simple inclusion mechanism. Therefore, it should be taken into account that security should be implemented through secure code designing. Invalid Argument Checks in Control Structures The errors based on calling control structures are quite common.
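The redirection problem described above has a small, testable defence: validate the destination before it is placed in the Location header, refusing anything that contains header-breaking control characters or points off-site. The following is an added example in Python, not code from the article, of such a check; the redirect targets are constructed inputs.

```python
from urllib.parse import urlsplit


class UnsafeRedirect(ValueError):
    """Raised when a user-supplied redirect target must not be placed in a header."""


def safe_redirect_target(value: str) -> str:
    """Return value unchanged if it is a site-local path safe to use in Location:, else raise."""
    # CR/LF (and other control characters) would let the value terminate the header
    # and inject further headers or a body.  Check this before urlsplit, which strips
    # some whitespace characters and would hide them.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise UnsafeRedirect("control character in redirect target")
    # Browsers treat backslashes as slashes in some positions; refuse them outright.
    if "\\" in value:
        raise UnsafeRedirect("backslash in redirect target")
    parts = urlsplit(value)
    # Any scheme (http:, javascript:, ...) or authority part points away from this site.
    if parts.scheme or parts.netloc:
        raise UnsafeRedirect("absolute or protocol-relative URL not allowed")
    # Must be an absolute path on this site; '//host' is protocol-relative and refused above,
    # but the explicit check documents the intent.
    if not value.startswith("/") or value.startswith("//"):
        raise UnsafeRedirect("only site-local paths are allowed")
    return value


def build_location_header(value: str) -> str:
    """Build the Location header line for a validated target."""
    return "Location: " + safe_redirect_target(value)


def check_targets(values):
    """Map each candidate target to 'ok' or the reason it was rejected (for reporting)."""
    report = {}
    for v in values:
        try:
            safe_redirect_target(v)
            report[v] = "ok"
        except UnsafeRedirect as exc:
            report[v] = str(exc)
    return report


if __name__ == "__main__":
    # Constructed candidates: one legitimate path, then header injection, off-site and scheme tricks.
    for target, verdict in check_targets([
        "/rss.php?id=3",
        "/x\r\nSet-Cookie: session=attacker",
        "http://evil.invalid/login",
        "//evil.invalid/login",
        "javascript:alert(1)",
    ]).items():
        print(repr(target), "->", verdict)
```

The check deliberately allows only paths rooted on the current site; if the application genuinely needs to redirect to other hosts, compare parts.netloc against a fixed allowlist instead of refusing every netloc.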
RSS based web applications are prone to these types of errors. Usually the base is PHP code. Calling structures in the wrong manner generates an error. The main problem is the passing of arguments. The error presented below is the consequence of invalid arguments in the foreach control structure. Developers most often write error-prone code when using this control structure. It basically works on arrays. When this (Listing 7: Error Code Encountered in rss.) The foreach structure is called in this manner. Developers generally prefer to use the reset function.
Even if this function is not used, the reset is performed by the foreach structure itself. One problem arises when coders do not use the unset function to flush the array object at the end. The main cause of error generation is the arguments passed to the structure. To avoid these errors, developers should define the variables carefully. Arrays should be used according to the application requirements. For example: see Listing 7.
If the keys are not declared with a null character appended at the end, the result is a bug. It affects the generation of the XML format, so these types of development errors should be avoided. The security impact is high, as the error reveals the working flow of the various structures used in the web application. It also reveals the vulnerable function and the type of arguments passed.
The attacker can use a trial and error mechanism to check the robustness of the function. The vulnerable function can be checked against buffer overflows. It depends on the type of arguments and initialized variables. Due to this factor, the security of web applications is impeded. An attacker can simultaneously design a function on the same pattern as the vulnerable function to test the insecure vectors. A simple vulnerable function not only lowers the effectiveness of an application but also the security parameters.
Furthermore, the function can be used to leverage information extensively. Usually XML based documents work on the root element specification. The working of elements and the benchmarks are provided by the W3C. Validation and specification are checked against the standards directly from the W3C website. It defines the usage of elements hierarchically from the root downward. (Figure 3: XML Marker listing, useful for debugging.)
This type of error is basically a starting tag problem. The developers sometimes use special characters in the tags that cause parsing problems. The basic issue is that feeds are generated in a specific pattern already designed. If a certain code is prone to an error in the beginning, the feeds are not generated in the right manner thereby affecting the functionality of the RSS application extensively.
See Listing 8. Another reason for errors can be mismatched versions of the tags. Sometimes a developer forgets the end tags, which are imperative for the completion of an element. So XML marking should be done correctly to avoid errors. The depth of the XML hierarchy can be extracted from the resulting information. This not only shows the type of objects used but also the interdependencies and the usage of each object. It has been noticed in many web application configurations that the limit value for the XML hierarchy is low.
In order to avoid this, the limit should not be defined. The document has to be made dynamic for any number of object allocations. See Figure 3. The database application has structured queries that are called by the user through the interface provided. The web three-tier architecture works on this platform. A user simply provides input if required; otherwise the backend operations are executed automatically to get the work done.
The selection of variables and setting of parameters play a crucial role in the robust functionality of RSS based web applications. See Listing 9. (Listing: Error Due to a Path Problem in rss.) Please contact with us at: support extralabs. The error is not the result of the functions or arguments passed. The query that is structured to configure the database is not initialized generically. The declaration is not done effectively. The trace of the generated error is presented as such. The parameter is defined as iUserID. So it becomes a coding problem again.
These types of errors make the database unrecoverable if a proper backup is not made. Cross references defined for database optimization are the major cause of this happening. A single unstructured error can dismantle the proper functioning of the database. The problem can be reduced by setting debug code or exception handlers for tracing errors in RSS based web applications. Another point which should be taken into account while tracing errors is that the error information should not be displayed to the end user. There should be an error logging mechanism.
Web administrators and developers should emphasize the importance of this factor. See Listing. This type of practice can avert the coding problems in web based database applications to some extent. It affects the security element a lot. The leaking of database information acts as a basis for severe SQL injections. The attacker can easily extract the pattern of queries that are executed in the database. It provides not only the query information but also the objects and arguments to be supplied.
The attacker can easily build new queries on the same pattern with different arguments to test the robustness of the application. The database can be updated very easily from a security point of view. The content manipulation inference attack can be performed very easily by rendering the response code of the web server to a constant value. One can test the application by the process of parameter splitting and balancing. Once the internal interface of the database with a running application is breached, it becomes easy to perform data mining for extracting more information.
It acts as an evolving chain reaction. This in turn supports the theme of vulnerability finding. A simple error in the RSS database results in a full compromise. After looking at a number of error prone rss. The applications explicitly written for RSS checks require a number of extra files that support the run time execution.
So those files have to be included in the code with definitive parameters. The PHP compiler requires proper paths where the libraries are located. This problem occurs mainly during installation when developers change the base directory and do not alter the core configuration files with respect to it. The problem is an intrinsic one but the errors are generated at the application level thereby preventing the interface from working.
The cause of this type of problem is a mismatch in the usage of extensions. The developers use certain extra functions which are not present in the normal extensions by default. It means the extensions have to be included externally and the path has to be specified in the configuration file. Another error-prone output: see Listing. The errors presented above clearly demonstrate the point discussed.
The error pages consist of path errors that originate from the misconfiguration of parameters. Configuration is an important part of development and should be done properly. These types of errors reveal information which can be used to launch directory traversal attacks and show web server objects in light of their security relevance. Generically, the directory structure on the web server can be understood. The path environment object shows internal information about the web directory and the way objects are organized. It is inevitable that error generation leads to information leakage.
The information can be exploited by a malicious user to dig deeper into a web application and to learn the type of system objects participating in that interaction. The path disclosure is one of the main problems because it shows the hierarchy of the directory in which files reside.
It is further used for directory traversal attacks if any misconfiguration is present in the application software. Conclusion. This paper elucidates a number of developmental problems that affect the robustness of Really Simple Syndication, i. The major point discussed is insecure vectors of coding and the problematic concerns they create. The code has to be verified both offline and online to prevent lapses. Continuous, persistent errors will result in vulnerabilities. Secure coding is the key solution to these problems. The emphasis is to implement security in hard core applications. Note: The underlined code gives you an idea of the conversion mechanism used to transport and export RSS feeds.
It is very crucial from the security point of view to actualize the source code for better understanding and testing of applications. Aditya K. Sood is an independent security researcher and founder of SecNiche Security. His online handle is 0kn0ck. His research interests include penetration testing, reverse engineering and web application security. The penetration testing issues are structured under the TrioSec project. As in the previous article, the code was written in VB script language for easy understanding.
This code will try to execute a Denial of service attack. According to Microsoft, a Denial of service attack prevents normal use of a computer or network by valid users; in this case, it will fill the disk space with random data. In essence, this virus will hide itself in a stream attached to a folder where it is located and then fill the disk with random data hidden in other ADS created locations attached also to this folder. Furthermore, to avoid damaging your computer, this script as it is will create just a few streams and will not block your machine.
Quit. This is the call for the main function of the script, called MoveScript in this example. The first time this script is launched it will attach itself to the folder where it is located as an ADS, then it will re-launch the script and set the script to be launched with Windows. Any time the script is launched it will write to 10 ADS, also attached to the folder where the script was launched for the first time.
It is recommended that only advanced users try this example and modify the code in Listing 1. If the answer is yes, the script will run; or else, the script will quit. The code for this function is presented in Listing 2. If the script is located on an NTFS drive, we will verify if the script has been already attached to a folder or file. If it is not attached, we will try to attach it to the folder where the script is located. We use function IsADS to verify if the full path of the script contains two colons; if it does, it returns True, else it returns False.
This is definitely not elegant code, but it is very clear. The code for this function can be found in Listing 3. If the script is not attached to another file or folder we will attach it to the folder where the script is located using the File System Object and the copyfile command. For this purpose, we will create a batch script that will run with the OS; this script will launch our script. In the following examples, we will show a full program script that acts like a virus and exploits ADS in order to make itself invisible and damage a system. This function will receive the address of our script as a parameter and will create the files (see Listing 4).
This will create batch scripts that will launch our script. Now, we need to add a registry entry. We could use a shell object to modify the registry as shown in Listing 5. Another function used in this code is StartShell. This function creates a shell object used to run an executable or a batch script. The code below will do this job. In our case, we will not fill the disk with random data for security reasons.
We will create just ten streams and we will write only a few random bytes into each of them. The i loop builds the string of random characters, but you could easily create a larger one. Then in the j loop, we create 10 ADS and write the random bytes into the streams. The code could very easily be modified to create a large number of ADS. In this code we put a fixed amount of random data, but with a little change we could generate a large number of alternate data streams attached to our folder, and the quantity of random data could also be increased very easily.
If we do so in a short period, the disk will be full. Try it yourself to see how fast you could create 1 gigabyte of hidden data and you will be surprised. But remember that every time you restart the Windows OS, the script will run. This attack is very efficient and it is very hard for a system administrator to detect the file or directory (Listing 1). Also, this virus-like code does not keep multiplying itself; it copies itself only once, when it is launched for the first time.
But with another few lines of code we could multiply the script and attach it to many other files or folders. In this case, the system could also crash because of insufficient memory. Since we only want to see how dangerous ADS could be and not create a virus, we eliminate some lines of code and modify others, keeping the example fully functional.
Also, in order to be more explicit, the code is not too elegant in some sections. Start Notepad and then type the code from Listing 7. Save the file as MyVirus. Then run the script (double-click it or open it from the command prompt). ADS and Microsoft Office Suite. From simple programs that track user activity to advanced programs for steganography, there are many possible ways to use ADS to our benefit.
The next example will show you how to use ADS in order to save a history of any Word documents. Every time we open or close a Word document, the operation will be logged into an ADS attached to that Word document. Also a backup copy of the document will be created when the document is opened. Start Microsoft Word by opening a previously created Word document or open a new one.
Type the code from Listing 8 into the Code window. Close the Visual Basic Editor window, save the document and close it. Now every time you open a Word document, this code will create a backup copy of the document in the document's folder and will write the name EditLog into an ADS. When we close a Word document, a short summary will be written to the ADS, including a count of paragraphs and characters, with a timestamp and the full path of the document. This example keeps a very simple history but could very easily be improved to store more information about the document.
To view the history of a document you could use the MyADS program that accompanies this article, or you could use other utilities like Notepad or the command prompt. For example: Click Start, and then click Run. Presuming you have a document C: (Listing 5). This article is mostly focused on a full application named MyADS. This is a quick application with many features, implemented only for demonstration purposes. If you want to hide important documents using ADS you need to use an encryption program first in order to encrypt the content; it is not enough just to hide the document!
MyADS allows a user to hide files directly as streams attached to other files, with a visual interface, unlike DOS programs which need special knowledge and are hard to use. Select where and what to hide and with a simple click the job is done. (Figure 3: MyADS.)
(Figures 1 and 2: MyADS application.) MyADS implements this feature; it comes with a built-in keylogger that captures keyboard, clipboard and screenshots from the computer in invisible mode. The keylogger is installed as an ADS and both reports and screenshots are saved as ADS in the file where the keylogger is installed. After you install the keylogger, you are able to see capture reports and screenshots from the computer where the keylogger was installed. But the main feature of this program is the possibility to work with streams.
It can scan for streams in a folder or on an entire hard disk, or list the streams attached to a file; it can extract and run streams, delete streams, and open streams with a text editor. It works only with streams attached to files, but unlike other programs it offers a visual interface for these operations.
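The article notes how hard it is for an administrator to spot streams attached to files and folders, and that the command prompt is one way to view them. As an added example, not part of the article or of MyADS, the following Python script parses the output of the built-in dir /R listing (which appends one line per alternate stream in the form name:stream:$DATA) and reports every named stream except the ones on an ignore list; Zone.Identifier is ignored by default because browsers write it to downloaded files. The listing text is constructed for the example, not captured from a real system.

```python
import re
import subprocess

# Constructed dir /R output: two files and one folder carry alternate data streams.
SAMPLE_DIR_R = """\
 Directory of C:\\Users\\analyst\\Documents

03/01/2024  10:15 AM    <DIR>          .
03/01/2024  10:15 AM    <DIR>          ..
03/01/2024  10:15 AM            24,576 report.docx
                                   512 report.docx:EditLog:$DATA
03/01/2024  09:02 AM                 0 notes.txt
                                 4,096 notes.txt:Zone.Identifier:$DATA
03/01/2024  08:40 AM    <DIR>          tools
                               131,072 tools:hidden.vbs:$DATA
               3 File(s)         24,576 bytes
"""

# A stream line is indented, starts with a size, and ends in owner:stream:$DATA.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")

# Streams commonly written by legitimate software; extend as needed for your environment.
BENIGN_STREAMS = frozenset({"Zone.Identifier"})


def find_alternate_streams(listing: str, ignore=BENIGN_STREAMS):
    """Return (owner, stream_name, size_bytes) for every non-ignored stream in a dir /R listing."""
    found = []
    for line in listing.splitlines():
        m = STREAM_LINE.match(line)
        if not m:
            continue
        size, owner, stream = m.groups()
        if stream in ignore:
            continue
        found.append((owner, stream, int(size.replace(",", ""))))
    return found


def scan_directory(path: str):
    """Run dir /R on a Windows host and parse it (hypothetical live use; not run by the test)."""
    out = subprocess.run(["cmd", "/c", "dir", "/R", path], capture_output=True, text=True, check=True)
    return find_alternate_streams(out.stdout)


if __name__ == "__main__":
    for owner, stream, size in find_alternate_streams(SAMPLE_DIR_R):
        print(f"{owner}:{stream}  ({size} bytes)")
```

Streams attached to folders (the tools:hidden.vbs line) are reported just like streams on files, which is the case the article's script relies on; a scheduled run of scan_directory over user-writable folders, with its output diffed against the previous run, turns this into a simple detective control.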
I developed this program especially for Hakin9 magazine to accompany this article, and because there are very few programs that deal with ADS. I hope all the information about ADS, with its good parts and bad parts, was useful. (Figure 5.) The tools presented here work on the Linux operating system, but the same techniques are applicable on other operating systems.
A Need for Discretion Usually, an attacker, especially a beginner, will not take care of all the side effects produced by the tools he is using. Besides, in order to run, the executable file has to be launched directly from a shell or from inside another program by calling a function like exec. This is not really discreet particularly if an IDS probe is running. This will leave manifest traces even if the file is deleted from the hard drive and covered up by another one.
A fine analysis of the disk in a cleanroom can show the original file. In fact, in order to definitively eliminate any traces of our compromising data, it is advised to overwrite it at least seven times. Obviously, an experienced administrator will have no difficulty finding out that his server is being or has been compromised. In this article, we will show how to bypass the above issues by executing our tools within the memory space of a legitimate process or service like Apache or Postfix.
The scope is therefore limited to a subpart of an attack: just after the exploitation of a vulnerability, in other words where the execution flow is at the beginning of the payload. We will also learn that the other main interest of the Syscall Proxy and Remote Userland Execve techniques is their robustness against forensic analysis. Indeed, the fact that all the exploitation is done in memory will not leave any evidence of our presence. This is especially true after the classical operation done by forensics people when they arrive on the crime scene: halting the system.
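The article's point is that code living only in the memory of a legitimate process leaves nothing on disk and is lost once the machine is halted, so the defender's opportunity is on the live system. As an added example, not from the article, the following Python code reads the /proc/PID/maps format and flags executable mappings that are not backed by a file (anonymous regions, or regions whose backing file was deleted) while skipping the kernel-provided [vdso]/[vsyscall] regions. The maps text below is constructed for the example; scan_process reads the real file for a given PID.

```python
import re

# /proc/PID/maps fields: address range, permissions, offset, device, inode, pathname (optional).
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxsp-]{4})\s+[0-9a-f]+\s+\S+\s+(\d+)\s*(.*)$"
)

# Constructed maps content for a hypothetical web server process: one anonymous rwx region.
SAMPLE_MAPS = """\
00400000-004f0000 r-xp 00000000 08:01 131 /usr/sbin/apache2
006ef000-006f0000 rw-p 000ef000 08:01 131 /usr/sbin/apache2
01a2b000-01a4c000 rw-p 00000000 00:00 0 [heap]
7f3c2a000000-7f3c2a021000 rwxp 00000000 00:00 0 
7f3c2c000000-7f3c2c1c0000 r-xp 00000000 08:01 4321 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3c2c5f0000-7f3c2c5f2000 r-xp 00000000 00:00 0 [vdso]
7ffd1c0e0000-7ffd1c101000 rw-p 00000000 00:00 0 [stack]
"""


def suspicious_exec_mappings(maps_text: str):
    """Return executable mappings with no file behind them (anonymous or deleted backing file)."""
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, end, perms, inode, path = m.groups()
        if "x" not in perms:
            continue
        # [vdso], [vsyscall] and [vvar] are mapped by the kernel for every process.
        if path.startswith("[v"):
            continue
        if inode == "0" or path == "" or "(deleted)" in path:
            hits.append({
                "range": f"{start}-{end}",
                "perms": perms,
                "path": path or "<anonymous>",
                "size": int(end, 16) - int(start, 16),
            })
    return hits


def scan_process(pid: int):
    """Scan a live process on Linux (hypothetical use on a real host; not run by the test)."""
    with open(f"/proc/{pid}/maps", encoding="utf-8") as fh:
        return suspicious_exec_mappings(fh.read())


if __name__ == "__main__":
    for hit in suspicious_exec_mappings(SAMPLE_MAPS):
        print(hit)
```

Anonymous executable memory is not proof of compromise (JIT runtimes create it routinely), so the check is best applied to processes that should never need it, such as a plain Apache or Postfix worker, and its findings treated as a lead for memory acquisition before anyone powers the machine off.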
Existing Techniques and Tools. This section presents the current techniques that allow an intruder to take advantage of. All in Memory Execution under Linux. During a computer intrusion, a good attacker has to pay close attention to the traces he could leave on the remote target.
The following article will describe different techniques that provide enough discretion in order to bypass the usual countermeasures. Some tools were made before randomization protection was added in Linux 2. The tool impacted is Self. Syscall Proxy The first technique, that allows us to never write to the hard drive, is called Syscall Proxy. It consists of executing a program entirely on the network by sending most of the instructions to the exploited server. With Syscall Proxy, all the system calls are sent by the attacker, treated by the kernel of the server, and their results are returned.
Most of the execution is therefore offloaded to the targeted computer. However, even though this method appears original, it uses network resources extensively. Its performance is directly affected because a huge number of messages transit the network (two per system call). But above all, detection by administrators becomes pretty easy. The first implementation of a Syscall Proxy was developed by Maximiliano Caceres from the Core Security Technologies company and was released in one of their best products, Core Impact.
This is a commercial tool specialized in penetration testing. Unfortunately, its price might keep many people away. He has also further developed the proxy server and client that are based on this library. This would be useful to build a proxy server on the target. A potential implementation of this method could be released in the tool UWskyzoexec.
Despite the fact that no public tool that implements a Syscall Proxy is available, we wanted to mention this technique of memory exploitation in order to be as exhaustive as possible, and also because the idea behind it appears pretty nice. Userland Execve The second approach is called Userland Execve. This solution provides different advantages.