Saturday 25 October 2014

Skipfish [kali linux]

welcome!

Today we are going to see about a tool in skipfish.
skipfish is a tool in kali linux to gather information.


Skipfish is a web application security Reconnaissance tool. Skipfish prepares an  interactive sitemap for the target using recursive crawl and dictionary-based probes. 
The resulting map provides output after being scanned by security checks


Skipfish can be found under Web Applications | Web Vulnerability Scanners as 
skipfish



When you first open Skipfish, a Terminal window will pop up showcasing the Skipfish commands. Skipfish can use built-in or customizable dictionaries for vulnerability assessment.


There are various command options available in Skipfish. To run Skipfish against a target website using a custom wordlist, enter skipfish, select your wordlist using the -W option followed by the location of the wordlist, select your output directory using -o followed by the location, and finally the target website.

==============================================================
Skipfish –o (output location) –W (location of wordlist) (target website)
==============================================================

I run a  sample over www.google.com


==============================================================
Skipfish –o /root/desktop/skipfishoutput http://www.google.com
==============================================================

If there are no compiling errors, you will be presented with a launch screen that states the will start in 60 seconds or on pressing any key.



You can press the Spacebar to see the details on the scan or watch the default numbers 
run. Scanning a target can take anywhere from 30 seconds to a few hours to complete the process. You can end a scan early by typing Ctrl + C.




Once the scan is complete or if you end it early, Skipfish will generate a ton of output files in the location specified when using the –o option to designate an output folder. To see the results, click on the index.html file, which will bring up an Internet browser. You can click through the drop-down boxes to see your results. See the example reports section for more information

Thursday 16 October 2014

Heartbleed Vulnerability exploitation

Hi HACKERS,
In recent weeks, the Heartbleed vulnerability of OpenSSL has been dominating the information security headlines. This vulnerability enables an attacker to extract data from the server's memory that may contain authentication credentials, cookies, the servers private key, and personally identifiable info (PII) that could be used for identity theft. As a result, websites around the world have been scrambling to close this hole. Fortunately for us, many still have not, and many may never be closed.
Basically, OpenSSL is an encryption library used in HTTPS (secure HTTP). The idea is that any data traveling over this secured version of HTTP should be secure and encrypted. During communication, OpenSSL uses a "heartbeat" that echoes back data to verify that the data was received correctly. It's kind of like one machine telling the other, "Yes, I got that data and you can send more now."
The Heartbleed vulnerability enables a hacker to trick OpenSSL by sending asingle byte of data while telling the server it sent 64K bytes of data. The server will then send back 64K bytes of data to be checked and echoed back. The server will then respond with 64K of random data from its memory.
In this tutorial, I'll show you a simple exploit for getting that OpenSSL to spill the contents of its memory and possibly give us the user's credentials and other information.

Step 1: Update Metasploit

The first step is to update Metasploit to get the new auxiliary module for Heartbleed. Type:
  • kali > msfupdate
Metasploit will then go through the long and slow process of updating its modules and framework. Be patient here, it takes awhile.
When you are finally returned to the Kali prompt, the update has completed.

Step 2: Start Metasploit

Now, we need to start the Metasploit console. At any terminal prompt, type:
  • kali > msfconsole
You should be greeted with a screen like that below.

Step 3: Find Heartbleed

Now, we need to find the new Heartbleed module. We can use the built-in search feature in Metasploit. Type:
  • search heartbleed
This should bring up two auxiliary modules for Heartbleed. Select the first one as I've highlighted below.

Step 4: Use Auxiliary Module

Next, we need to load this payload. Simply type:
  • use auxiliary/scanner/ssl/openssl_heartbleed
This will load the heartbleed module.
Whenever I am using a new module, I like to look at the info page. Once we have loaded the module, type:
  • msf > info
As we can see in the screenshot below, this reveals the options that need to set in order to use this module and a description of the module.

Step 5: Set Options

Although this module has numerous options, the critical one is RHOSTS (notice the plural here). Let's set it to a target website I set up on my network that is still vulnerable to Heartbleed.
  • msf > set RHOSTS 192.168.1.169

Step 6: Run the Module

Finally, set the option 'verbose" to "true". This will provide us with verbose output.
  • msf > set verbose true
And now let's run it:
  • msf > run
As you can see in the screenshot below, the server leaked about 64K bytes of what was in its memory.

Step 7: Success

If credentials, personally identifiable information (PII), or the server's private key had been in memory, they would have leaked out as well. Of course, we could set up this Heartbleed scanner to run repeatedly to gather the info in memory at a continual basis, eventually gaining access to all the info that traversed RAM.

Monday 6 October 2014

8 Must-Have Tools For Coders



1.Debug

Debug is a small library for logging debug messages. Since it is just a wrapper around console.log, it works in both Node and the Browser. It allows you to filter logging output without changing your source and it also outputs time differences which lets you easily tell how much time has elapsed between log messages.

2.The Prettifier

The Prettifier provides code formatting and syntax highlighting for common programming languages and file formats including JSON, CSS, HTML, XML, SQL, PHP, Perl, Apache Config, and JavaScript, where editing often takes place outside of an IDE.

3.Quill

Quill is a free, open source WYSIWYG editor built for the modern web. With its extensible architecture and a expressive API you can completely customise it to fulfill your needs.

4.Hoa

Hoa is a modular, extensible and structured set of PHP libraries. Moreover, Hoa aims at being a bridge between industrial and research worlds.

5.HTML Inspector

HTML Inspector is a code quality tool to help you and your team write better markup. It's written in JavaScript and runs in the browser, so testing your HTML has never been easier.

6.Socket.IO

Socket.IO enables real-time bidirectional event-based communication. It works on every platform, browser or device, focusing equally on reliability and speed.

7.Handy.js

Handy is a web application template for nodejs. Handy provides all the basic functionality of a web app freeing you to focus on the features that make your app truly unique.

8.Twproject Gantt

Twproject Gantt is a JavaScript component built on jQuery for creating Gantts, task trees, dependencies which exports the resulting data in JSON format

7 Tips To Follow To Increase Battery Life Of Smart Devices





1. Know the basics:

Know the basic facts about the longevity of batteries. Smartphones, tablets and laptops have lithium-ion batteries usually which start losing their capacity after long-time and daily use. Batteries are designed to retain around 80 per cent of their capacity till a certain limit in charge cycles. You must be wondering what is a charge cycle. Well, a battery completes one charge cycle when it completes 100 per cent and then gets drained to 0.

2. Maintain Screen Brightness:

You must know that if your smartphone screen has maximum brightness then the battery reserve is reduced slowly. The display levels should be reduced manually to a lower level or enable automatic brightness adjustment to save energy. If you are having animated screen-savers it can become a great reason for draining out battery life. You should also keep your device cool all the time to prolong battery life.

3. Keep Temperature In Mind:

Temperature factor plays a crucial role in device's battery life . If you stay in extreme weather conditions, battery capacity will drain out faster. Direct sunlight and freezing temperatures should be avoided on smart devices, as much as possible. Remember extreme heat is more harmful than extreme cold.

4. Signals and Connections:

When you are travelling somewhere, your smartphone's network seeks manual intervention. When this search for network goes on, battery life gets reduced. Bluetooth also drains out battery fast. To ensure better battery life for your smart devices, you need to stay in a zone where network signal is quite healthy. Airplane mode is a quick way to stop battery drain.

5. Don't Keep Devices Plugged-In Most Of The Time:

Once the battery is fully charged at 100 per cent, make sure that the device is not plugged in anymore. Hence, overcharging is not at all a healthy practice. But this practice cannot be implemented in case you are using your laptop. Make sure you discharge laptop battery to at least 40 per cent and then recharge it.

6. Partial discharge vs. Full discharge:

Partial discharge cycles are better than full discharge cycles, keeping the charge in 40-80 per cent range. It means you should discharge your device till 40 per cent and charge it till 80 per cent to get the best. But be practical while following these rules and don't be blind.

7. Battery Replacement:

Even if you follow all the rules, there is a certain limit your battery life can last. So look out for the indicators to make it out that your device battery needs a replacement. The symptoms are: you need to charge your device more than before, it's getting warm during charging or it's getting discharged very shortly.