WHO IS ETHICAL HACKER

Who is hacker?
A hacker is a Creative person and a creative Programmer,who have knowledge about Networking,Operating system,hacking & a best creative social engineer who control anyone's mind he is also a knowledgeable person.
Hacker are the problem solver and tool builder.

                                OR

A hacker is an individual who uses computer, networking and other skills to overcome a technical problem but it often refers to a person who uses his or her abilities to gain unauthorized access to system or networks in  order to commit crimes. 


Related articles

Postado por

Change Passwords Regularly - A Myth And A Lie, Don'T Be Fooled, Part 2

In the previous blog post, I have covered the different passwords you have to protect, the attackers and attack methods. Now let's look at how we want to solve the issue.

Password requirements

So far we have learned we have to use long, complex, true random passwords. In theory, this is easy.
Now, this is my password advice for 2014:

Password character classes
Use upper-lower-digit-special characters in general cases.
If you don't understand what I just write, choose from this:
qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM0123456789-=[];'\,./<>?:"|{}_+!@#$%^&* ()`~
If you are a CISO, and say: use 3 out of 4 character class, everyone will use Password12 or Welcome12 as their password (after the 12th enforced password change).

Password length
This is basically the only thing which changes whether the password is in the very high/high/medium/low level. Check the previous blog post for the details about very high/high/medium/low level.

Password length: Very high level class (including work-related/enterprise passwords)
15 character (or 20 if you are really paranoid). Making true random passwords longer than 20 characters usually does not make any sense, even in high security scenarios (e.g. military, spy agencies, etc.). 15 character in Windows environment is a right choice, as LM hash is incompatible with 15 character passwords, thus one (effective) attack won't work. Beware, there might be bugs with using 15 character passwords, with a low probability.

Password length: High-level class
12 character, upper-lower-special characters

Password length: Medium class
10 character, upper-lower-special characters, still TRUE random

Password length: Low-level class
9 character. Why less?

Pin codes
Always choose the longest provided, but a maximum of 8. Usually, more is pretty impractical.

Password randomness
True random, generated by a (local) computer. Avoid Debian. Avoid random generated by your brain. Do not use l33tsp33k. Do not append or prepend the current month, season or year to a word. Do not use Star Wars/Star Trek/(your favorite movie/series here) characters or terminology. In general, avoid any pattern like the above ones. The chances that a true random password generator generates SkyWalker12 is very-very low. And believe me, it is not that hard to crack those. Every algorithm that you would come up with; the bad guys have already thought of it. Use true random. Let the computer do it for you. See details later in this post.

Password history
Never-ever reuse passwords. NEVER!

Password change period
If it is not enforced otherwise, don't bother to change it twice in a year. But! Check if the password cracking speed made your current ones obsolete. If yes, change the obsolete passwords. Immediately change the password if you have been notified that the service you use has been compromised. Immediately change all of your recently used passwords if you suspect malware was running on your computer (do this on a known clean computer). Immediately change your password if you have used it on a computer you don't own, or there is a small chance malware is running on it. Change it if you really had to give your password to someone. Otherwise, goodbye regular password change. We will miss you...

If you are a CISO, and writing security policies, you should have to enforce the password change period based on: do you allow LM hashes? What is the password length requirement for users and administrators? What is the current hash cracking speed, and the forecast for the next 2 years? I think people would be happy to increase their passwords with 1-2 characters, if they are not forced to change it frequently (e.g. every month).
Now after I was sooo smart giving advises people still hate to implement, let's see the practical implementations. At least some people might like me, because I told them not to change the passwords regularly. Next time someone tells you to change all your important passwords regularly, put a lie detector on him, and check if he changes all of his passwords regularly. If he lies, feel free to use the wrench algorithm to crack his passwords. If he was not lying, call 911, to put a straitjacket on him. Only insane paranoid people do that in reality. Others are just too scared to say "what everyone recommended so far is bullshit". Comments are welcome ;) Other people might hate me for telling them using true random passwords. Don't panic, keep reading.
And don't forget to use 2 factor authentication. It might seem a bit of an overkill at the beginning, but after months, you won't notice using it.

(Bad and good) solutions

I will use the same password everywhere

This is a pretty bad idea. If one of the passwords are compromised, either the attackers can access your other sites, or you have to change all of your passwords. There are better ways to spend your life on earth than changing all of your passwords.

I will remember it

Good luck remembering 250 different, complex passwords. Don't forget to change them regularly! ;)

I will use the password recovery all the time

Not a very user-friendly solution. And because the security answer has to be as complicated as the password itself, the problem has not been solved.

I will write it down into my super-secret notebook and put it in my drawer

Although it might work in some cases, it won't work in others. I don't recommend it.





I will use an algorithm, like a base password, and add the websites first letters to the end of the password

Still better than using the same password everywhere, but believe me, if this is a targeted attack, it is not that hard to guess your password generation algorithm.

I will use the advice from XKCD, and use the password correcthorsebatterystaple

Still a lot better than simple passwords, but unfortunately, people are still bad at choosing random words with random order, so it is not the best solution. And again, you can't memorize 250 different passwords ... Even 10 is impossible. Only use this method in special corner cases (see details later), and use a passphrase generator!

I will use a password manager

This is the very first good idea. It solves the problem of remembering 250 different complex and random passwords. Some people might complain about using a password manager, here are those complaints. And my answers:

If someone gets access to this one password store, all is lost.
Answer: If someone accessed your password store, and the master password, you can be pretty damn sure that most of your passwords are already stolen. For extra paranoids, you can use multiple password stores, one for daily use, one for rare cases. Beware not to forget the password for the second one ;)

What if I don't have access to the password store when I need it?
Answer: In the age of cheap notebooks, tablets, and smartphones, in 99% of the cases you should not use that important password on any other device than yours. In the rare cases when you must, you can use either your smartphone to get the password, or use a browser extension like Password hasher to generate different passwords to different websites, with one password. For extra paranoids, you can have different master passwords for the different security levels. And don't forget to change the password after you are back at your own computer.

What if I forgot the one password to the password store?
Answer: If you use your password manager daily, it has the same odds to forget that one password as it is to forget every one of your passwords.

Password managers make phishing attacks easier.
Answer: Who started this nonsense? Good password managers decrease the risk of phishing.

Password managers have the same vulnerabilities as other websites or software.
Answer: Well, this is partially true. There are at least 3 types of password managers, from most secure to least: offline, browser built-in, online. Online password managers give better user experience, with a sacrifice in security. But if you choose one of the leading password managers, and you are a simple home user, the risks are negligible. If you try to store your work password in an online password store, you might violate your internal security policy. For paranoids, use offline password managers, and back them up regularly. If you choose an online password manager, at least use 2-factor authentication. And don't forget, your Chrome password can be easily synchronized to the cloud, shifting it to the online category.

In some cases, like Full Disc Encryption, OS login, smartphone login, or password manager login, the auto-type of password from the password manager is not available, thus choosing a true random password is a pain in the a$$.
Answer: True. Generate pronounceable passwords or passphrases in these corner cases, e.g. with the Linux tool apg you can generate pronounceable passwords. For easy and fast type, don't use capital letters (only lower-alpha - digit - special) in the original password, but increase the length of the password. Add 1 extra character because you don't use upper case letters, add 3 other because it is a pronounceable password, and you are good to go. For extra paranoids change one or two of the letters to uppercase where it is convenient. 
apg -M SNL -m 15 is your friend.
If you want to check what I write here (always a good idea), test the entropy of a true random 10 character password with all character classes, and check it with 14 characters, without uppercase. I recommend KeePass for that. If you comment on this that "Keepass can not measure that it is a pronounceable password, thus the entropy is lower in reality", my answer is: "Check out the current passwords used by users, and current password advises, and tell me if this password is a lot better or not ..." . You have been warned.
 

For the high-level password class, I don't recommend anything your brain generated. There are also suitable offline passphrase generators. Use at least 5-6 words for passphrases.

Password managers are not user-friendly, it takes more time to log in.
Answer: If you set auto-type/auto-fill, and the password manager is opened once a day (and you lock your computer when you leave it), in this case, logging in takes less time than typing it! It is more convenient to use it, rather than typing the passwords every time.

I like to create new unique passwords every time I create a new account, and password managers take the fun away from it.
Answer: Said no one, ever! "38 percent of people think it sounds more appealing to tackle household chores – from folding the laundry to scrubbing toilets – than to try and come up with another new user name or password."

To summarize things. Use a password manager.

General advise

Never use your essential passwords on other computers. They might be infected with a password stealer. If you really have to use it, change the password as soon as possible on a trusted (your) computer.

Don't fool yourself by phishing sites. If you go to the local flea market, and there is a strange looking guy with "Superbank deposit here" logo above his head, will you put your money?

Protect yourself against malware. Use a recent operating system, and even if you use OSX or Linux, it is not a bad thing to have an AV as a "last line of defense". Or to check your pendrive for Windows USB worms.

Never-ever use online web sites to "generate your password", "measure the complexity of your password" or "check if it has been breached". Never! (Except if it is your password manager :) ... )

Update: Sign up on the https://haveibeenpwned.com/ for notification if your e-mail is found in a leak.

Changing passwords frequently is bad advice. It is not effective. Put more energy in other right password advise. 

Related articles


Postado por

HACKING PASSWORDS USING CREDENTIAL HARVESTER ATTACK

Everything over the internet is secured by the passwords. You need a login to do any stuff on any social or banking website. Passwords are the first security measure for these type of websites. So, I brought a tutorial on how to hack such sort of login passwords. This tutorial is based on credential harvester attack method. In which you will know about hacking passwords using credential harvester attack method.

HACKING PASSWORDS USING CREDENTIAL HARVESTER ATTACK

REQUIREMENTS

It's very simple and easy to follow. Before you start, you need the following things to work with.
  1. Kali Linux OS
  2. Target Website

STEPS TO FOLLOW

  • Run the Kali Linux machine. If you have not Kali Linux installed, you can grab a free copy and install it as a virtual machine. You can learn more about Kali Linux VirtualBox installation.
  • Sign in to Kali Linux by entering username root and password toor.
  • As you'll sign in, navigate to the Applications > Social Engineering Tools > Social Engineering as shown in the following screenshot.
  • Now you will see the different options. You have to choose Social Engineering Attacks by simply entering its number in the terminal. Once you do it, it will show a few options further. Simply choose Website Vector Attack by putting its number.
  • Website vector attack will show up it's a different type of attacks. We are going to use Credential Harvester Attack.
  • Choose the Site Clone option. As you do it, it will ask for your public IP address. Just open up a new terminal and type ifconfig. It'll show the public IP. Just copy it and paste in the previous terminal as shown in the following screenshots.
  • After we do it. Enter the target website of which passwords you want to hack. Make sure to use a website that has username and password on the same page.
  • All done now. As someone opens up the browser on the public IP we specified, it'll show up the website that we entered in the previous step. Now as someone enters their username or password, it will be captured in the terminal.

That's all. If you're not clear yet. You can watch the following complete video tutorial on how to do it.
More articles

Postado por

How To Start | How To Become An Ethical Hacker

Are you tired of reading endless news stories about ethical hacking and not really knowing what that means? Let's change that!
This Post is for the people that:

  • Have No Experience With Cybersecurity (Ethical Hacking)
  • Have Limited Experience.
  • Those That Just Can't Get A Break


OK, let's dive into the post and suggest some ways that you can get ahead in Cybersecurity.
I receive many messages on how to become a hacker. "I'm a beginner in hacking, how should I start?" or "I want to be able to hack my friend's Facebook account" are some of the more frequent queries. Hacking is a skill. And you must remember that if you want to learn hacking solely for the fun of hacking into your friend's Facebook account or email, things will not work out for you. You should decide to learn hacking because of your fascination for technology and your desire to be an expert in computer systems. Its time to change the color of your hat 😀

 I've had my good share of Hats. Black, white or sometimes a blackish shade of grey. The darker it gets, the more fun you have.

If you have no experience don't worry. We ALL had to start somewhere, and we ALL needed help to get where we are today. No one is an island and no one is born with all the necessary skills. Period.OK, so you have zero experience and limited skills…my advice in this instance is that you teach yourself some absolute fundamentals.
Let's get this party started.
  •  What is hacking?
Hacking is identifying weakness and vulnerabilities of some system and gaining access with it.
Hacker gets unauthorized access by targeting system while ethical hacker have an official permission in a lawful and legitimate manner to assess the security posture of a target system(s)

 There's some types of hackers, a bit of "terminology".
White hat — ethical hacker.
Black hat — classical hacker, get unauthorized access.
Grey hat — person who gets unauthorized access but reveals the weaknesses to the company.
Script kiddie — person with no technical skills just used pre-made tools.
Hacktivist — person who hacks for some idea and leaves some messages. For example strike against copyright.
  •  Skills required to become ethical hacker.
  1. Curosity anf exploration
  2. Operating System
  3. Fundamentals of Networking
*Note this sites





Related posts


Postado por

Nipe - A Script To Make TOR Network Your Default Gateway



Tor enables users to surf the Internet, chat and send instant messages anonymously, and is used by a wide variety of people for both Licit and Illicit purposes. Tor has, for example, been used by criminals enterprises, Hacktivism groups, and law enforcement agencies at cross purposes, sometimes simultaneously.

Nipe is a Script to make Tor Network your Default Gateway.

This Perl Script enables you to directly route all your traffic from your computer to the Tor Network through which you can surf the Internet Anonymously without having to worry about being tracked or traced back.

Download and install:
    git clone https://github.com/GouveaHeitor/nipe
    cd nipe
    cpan install Switch JSON LWP::UserAgent

Commands:
    COMMAND          FUNCTION
    install          Install dependencies
    start            Start routing
    stop             Stop routing
    restart          Restart the Nipe process
    status           See status

    Examples:

    perl nipe.pl install
    perl nipe.pl start
    perl nipe.pl stop
    perl nipe.pl restart
    perl nipe.pl status

Bugs

Continue reading


  1. Raspberry Pi Hacking
  2. Nfc Hacking
  3. Hacker Definicion Informatica
  4. Master Growth Hacking
  5. Hacking Wireless 101 Pdf
  6. Hacking Articles
  7. Definicion De Cracker
  8. Hacking Hardware Tools
  9. Libros Para Aprender A Hackear
  10. Master Hacking Etico
  11. Hacking Etico 101 Pdf
  12. Hacking Ethical
  13. Como Convertirse En Hacker
  14. Curso Growth Hacking
Postado por

Ettercap: Man In The Middle (MITM)


"Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis." read more...


Website: http://ettercap.sourceforge.net

Related posts

Postado por

Social Engineering Pentest Professional(SEPP) Training Review

Intro:
I recently returned from the new Social Engineering training provided by Social-Engineer.org in the beautiful city of Seattle,WA, a state known for sparkly vampires, music and coffee shop culture.  As many of you reading this article, i also read the authors definitive book Social Engineering- The art of human hacking and routinely perform SE engagements for my clients. When i heard that the author of the aforementioned book was providing training i immediately signed up to get an in person glance at the content provided in the book. However, i was pleasantly surprised to find the course covered so much more then what was presented in the book.

Instructors:



I wasn't aware that there would be more then one instructor and was extremely happy with the content provided by both instructors. Chris and Robin both have a vast amount of knowledge and experience in the realm of social engineering.  Each instructor brought a different angle and use case scenario to the course content. Robin is an FBI agent in charge of behavioral analysis and uses social engineering in his daily life and work to get the results needed to keep our country safe. Chris uses social engineering in his daily work to help keep his clients secure and provides all sorts of free learning material to the information security community through podcasts and online frameworks.



Course Material and Expectation: 
I originally thought that the material covered in class would be a live reiteration of the material covered in Chris's book. However, I couldn't have been more wrong !!  The whole first day was about reading yourself and other people, much of the material was what Robin uses to train FBI agents in eliciting information from possible terrorist threats. Each learning module was based on live demo's, nightly labs, and constant classroom interaction. Each module was in depth and the level of interaction between students was extremely useful and friendly. I would say the instructors had as much fun as the students learning and sharing social techniques and war stories.
The class was heavily made up of ways to elicit personal and confidential information in a way that left the individuatial "Happier for having met you".  Using language, body posture and social truisms as your weapon to gather information, not intended for your ears, but happily leaving the tongue of your target.
Other class activities and materials included an in depth look at micro expressions with labs and free extended learning material going beyond the allotted classroom days.  Also break out sessions which focused on creating Phone and Phishing scripts to effectively raise your rate of success. These sessions were invaluable at learning to use proper language techniques on the phone and in email to obtain your objectives.

Nightly Missions/Labs: 
If you think that you are going to relax at night with a beer. Think again!! You must ensure that your nights are free, as you will be going on missions to gain information from live targets at venues of your choice.  Each night you will have a partner and a mission to gain certain information while making that persons day better then it started.  The information  you are requested to obtain will change each night and if done properly you will notice all of the material in class starting to unfold.. When you get to body language training you will notice which targets are open and when its best to go in for the kill. You will see interactions change based on a persons change in posture and facial expressions. Each day you will take the new techniques you have learned and put them into practice. Each morning you have to report your findings to the class..
During my nightly labs i obtained information such as door codes to secured research facilities, information regarding secret yet to be released projects.  On the lighter side of things i obtained much personal information from my targets along with phone numbers and invitations for further hangouts and events. I made many new friends inside and outside of class.
There were also labs within the confines of the classroom such as games used to solidify your knowledge and tests to figure out what kind of learner you are. Technical labs on the use of information gathering tools and ways to use phone and phishing techniques to your advantage via linguistically and technologically. Essentially the class was about 60% interaction and labs.


Proof it works:
After class i immediately had a phishing and phone based contract at my current employment. I used the email and phone scripts that we created in class with 100% click rate and 100% success in phone elicitation techniques. Gaining full unfettered access to networks through phone and email elicitation and interaction. Although I do generally have a decent SE success rate, my rates on return are now much higher and an understanding of what works and what doesn't, and why are much more refined.


Conclusion and Certification:
I paid for this class out of pocket, including all expenses, hotels, rentals cars and planes etc etc. I would say that the class was worth every penny in which i paid for it. Many extras were given including black hat passes, extended training from notable sources and continued interaction from instructors after class ended. I would highly recommend this class to anyone looking for a solid foundation in social engineering or a non technical alternative to training.  You will learn a lot, push yourself in new ways and have a blast doing it. However I did not see any sparkly vampires while in seattle.... Twilight lied to me LOL
The certification is a 48 hour test in which you will utilize your knowledge gained technologically and socially to breach a company.I am not going to give away to much information about the certification as i haven't taken it yet and I do not want to misspeak on the subject. However I will say that social-engineer.org has done an excellent job at figuring out a way to include Real World Social Engineering into a test with verifiable proof of results. I am going to take my test in a couple weeks and it should be a blast!!!

Thanks and I hope this review is helpful to all those looking for SE training.  I had a blast :) :)

Related links


Postado por

LEGALITY OF ETHICAL HACKING

Why ethical hacking?
Legality of Ehical Hacking
 
Ethical hacking is legal if the hacker abides by the rules stipulated in above section on the definition of ethical hacking.

Ethical hacking is not legal for black hat hackers.They gain unauthorized access over a computer system or networks for money extortion.

Read more


  1. Hacking News
  2. Growth Hacking Examples
  3. Mundo Hacker
  4. El Libro Del Hacker
  5. Tipos De Hacker
  6. Hacking Python
  7. Curso De Hacking Etico
  8. Hacking Wifi
  9. Hacking Linux Distro
  10. Wargames Hacking
  11. Drupal Hacking
  12. Etica Definicion
  13. Herramientas Hacking Etico
  14. Fake Hacking
  15. Hacking Aves
Postado por

How Do I Get Started With Bug Bounty ?

How do I get started with bug bounty hunting? How do I improve my skills?



These are some simple steps that every bug bounty hunter can use to get started and improve their skills:

Learn to make it; then break it!
A major chunk of the hacker's mindset consists of wanting to learn more. In order to really exploit issues and discover further potential vulnerabilities, hackers are encouraged to learn to build what they are targeting. By doing this, there is a greater likelihood that hacker will understand the component being targeted and where most issues appear. For example, when people ask me how to take over a sub-domain, I make sure they understand the Domain Name System (DNS) first and let them set up their own website to play around attempting to "claim" that domain.

Read books. Lots of books.
One way to get better is by reading fellow hunters' and hackers' write-ups. Follow /r/netsec and Twitter for fantastic write-ups ranging from a variety of security-related topics that will not only motivate you but help you improve. For a list of good books to read, please refer to "What books should I read?".

Join discussions and ask questions.
As you may be aware, the information security community is full of interesting discussions ranging from breaches to surveillance, and further. The bug bounty community consists of hunters, security analysts, and platform staff helping one and another get better at what they do. There are two very popular bug bounty forums: Bug Bounty Forum and Bug Bounty World.

Participate in open source projects; learn to code.
Go to https://github.com/explore or https://gitlab.com/explore/projects and pick a project to contribute to. By doing so you will improve your general coding and communication skills. On top of that, read https://learnpythonthehardway.org/ and https://linuxjourney.com/.

Help others. If you can teach it, you have mastered it.
Once you discover something new and believe others would benefit from learning about your discovery, publish a write-up about it. Not only will you help others, you will learn to really master the topic because you can actually explain it properly.

Smile when you get feedback and use it to your advantage.
The bug bounty community is full of people wanting to help others so do not be surprised if someone gives you some constructive feedback about your work. Learn from your mistakes and in doing so use it to your advantage. I have a little physical notebook where I keep track of the little things that I learnt during the day and the feedback that people gave me.


Learn to approach a target.
The first step when approaching a target is always going to be reconnaissance — preliminary gathering of information about the target. If the target is a web application, start by browsing around like a normal user and get to know the website's purpose. Then you can start enumerating endpoints such as sub-domains, ports and web paths.

A woodsman was once asked, "What would you do if you had just five minutes to chop down a tree?" He answered, "I would spend the first two and a half minutes sharpening my axe."
As you progress, you will start to notice patterns and find yourself refining your hunting methodology. You will probably also start automating a lot of the repetitive tasks.

More info
Postado por

Probing For XML Encryption Weaknesses In SAML With EsPReSSO

Security Assertion Markup Language (SAML) is an XML-based standard commonly used in Web Single Sign-On (SSO) [1]. In SAML, the confidentiality of transferred authentication statements against intermediaries can be provided using XML Encryption [2]. However, implementing XML Encryption in a secure way can be tricky and several attacks on XML Encryption have been identified in the past [3] [4]. Therefore, when auditing a SAML endpoint, one should always consider testing for vulnerabilities in the XML Encryption implementation.

This blog post introduces our latest addition to the SAML Attacker of our BurpSuite extension EsPReSSO: the Encryption Attack tab. The new tab allows for easy manipulation of the encrypted parts within intercepted SAML responses and can, therefore, be used to quickly assess whether the SAML endpoint is vulnerable against certain XML Encryption attacks.


Weaknesses of XML Encryption

Implementations of XML Encryption can be vulnerable to adaptive chosen ciphertext attacks. This is a class of attacks in which the attacker sends a sequence of manipulated ciphertexts to a decryption oracle as a way to gain information about the plaintext content.
Falsely implemented XML Encryption can be broken using:
  • an attack against the CBC-mode decryption (quite similar to a padding oracle attack) [3] or
  • a Bleichenbacher attack against the RSA-PKCS#1 encryption of the session key  [4].
SAML makes use of XML Encryption and its implementations could, therefore, also be vulnerable to these attacks.

XML Encryption in SAML

To support confidential transmission of sensitive data within the SAML Assertion, assertions can be encrypted using XML Encryption. An EncryptedAssertion is shown in the abridged example below.

<EncryptedAssertion>
  <EncryptedData>
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
    <KeyInfo>
      <EncryptedKey>
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <CipherData>
          <CipherValue>
            [...]
          </CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
        <CipherValue>
          [...]
        </CipherValue>
    </CipherData>
  </EncryptedData>
</EncryptedAssertion>

The EncryptedAssertion contains an EncryptedData element, which in turn is the parent of the EncryptionMethod, KeyInfo, and CipherData elements.  SAML makes use of what is referred to as a hybrid encryption scheme. This is done using a session key which symmetrically encrypts the payload data (the example uses AES-128 in CBC mode), resulting in the ciphertext contained in the EncryptedAssertion/EncryptedData/CipherData/CipherValue child element. The session key itself is encrypted using an asymmetric encryption scheme. In our example, RSA-PKCS#1.5 encryption is used with the public key of the recipient, allowing the contents of the the EncryptedKey child element to be derived from the KeyInfo element. 

Encryption Attacker

Our BurpSuite extension EsPReSSO can help detect vulnerable implementations with the newly integrated Encryption Attacker within EsPReSSO's SAML module.

Once a SAML response which contains an EncryptedAssertion has been intercepted, open the SAML tab, select the Attacks pane, and choose Encryption from the dropdown menu. This works in Burp's Proxy, as well as in the Repeater tool, and is depicted below.
As sketched out above, the symmetric session key is encrypted using the recipient's public key. Since the key is public, anybody can use it to encrypt a selected symmetric key and submit a valid encryption of arbitrary messages to the recipient. This is incredibly helpful because it allows us to produce ciphertexts that decrypt the chosen plaintexts. To accomplish this, one can purposefully send invalidly padded messages, or messages containing invalid XML, as a method to trigger and analyze the different reactions of the decryption endpoint (i.e, turning the endpoint into a decryption oracle). To facilitate these investigations, the new Encryption Attacker makes this process dead simple.
The screenshot above shows the essential interface of the new encryption tab:
At the top, the certificate used to encrypt the symmetric session key can be pasted into the text field. This field will be pre-filled automatically if the intercepted SAML message includes a certificate in the KeyInfo child element of the EncryptedData element. The Update Certificate checkboxes above the text area can be used to include the certificate in the manipulated SAML message.
In the Symmetric Key text field, the hexadecimal value of the symmetric session key can be set. Choose the asymmetric algorithm from the dropdown menu and click Encrypt key -- this will update the corresponding KeyInfo elements of the intercepted SAML message. 

The payload in the text area labeled XML data can now be entered. Any update in the XML data field will also be reflected in the hexadecimal representation of the payload (found on right of the XML data field). Note that this is automatically padded to the blocklength required by the symmetric algorithm selected below. However, the payload and the padding can be manually adjusted in the hex editor field.

Eventually, click the Encrypt content button to generate the encrypted payload. This will apply the changes to the intercepted SAML message, and the manipulated message using Burp's Forward or Go button can now be forwarded, as usual.

Probing for Bleichenbacher Oracles

Bleichenbacher's attack against RSA-PKCS1 v1.5 encryption abuses the malleability of RSA to draw conclusions about the plaintext by multiplying the ciphertext with adaptively chosen values, and observing differences in the received responses. If the (error-) responses differ for valid and invalid PKCS1 v1.5 ciphertexts, Bleichenbachers' algorithm can be used to decrypt the ciphertext without knowing the private key [6].

To determine whether or not a SAML endpoint is vulnerable to Bleichenbacher's Attack, we simply need to check if we can distinguish those responses received when submitting ciphertexts that are decrypted into invalidly formatted PKCS1 v1.5 plaintexts, from the responses we receive when sending ciphertexts that are decrypted into validly formatted plaintexts. 

Recall that PKCS1 v1.5 mandates a certain format of the encrypted plaintext, namely a concatenation of a BlockType 00 02, a randomized PaddingString (PS) that includes no 00 bytes, a 00 (NULL-byte) as delimiter, and the actual plaintext message. The whole sequence should be equal in size to the modulus of the RSA key used. That is, given the byte length k of the RSA modulus and the message length |m|, PS has the length |PS| = k - 3 - |m|. Furthermore, PKCS1 v1.5 demands that |PS| to be at least eight bytes long [5]. 

In SAML, the recipient's public key is usually known because it is published in the metadata, or even included in the EncryptedAssertion. For this reason, we do not need to fiddle around with manipulated ciphertexts. Instead, we simply submit a validly formatted RSA-PKCS1 v1.5 encrypted message and an encrypted message which deciphers into an invalidly formatted plaintext. As an example, assume an RSA public key of 2048 bits which we want to use to encrypt a 16 byte session key `01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10` (hexadecimal representation). |PS|$ is $2048/8 - 3 - 16 = 237, so a valid PKCS1 v1.5 plaintext, ready to be encrypted using `AA` for all 237 padding bytes, could look like the listing shown below.

00 02 AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA 00
01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10
In the Encryption attack pane of EsPReSSO, ensure that the correct public key certificate has been added to the Certificate field. Insert a valid plaintext, such as the one above, into the Symmetric Key field and select Plain RSA encryption from the Algorithm drop down menu. Click the Encrypt button to compute the RSA transformation and apply the new EncryptedKey element to the intercepted SAML message. Now, submit the message by clicking Burp's Go or Forward button and carefully inspect the response.

Next, repeat the steps outlined above, but this time submit an invalid PKCS1 v1.5 message. For example, consider using an invalid BlockType of `12 34` instead of `00 02`, or replace the `00` delimiter so that the decryptor is unable to determine the actual message after decrypting the ciphertext. If you are able to determine from the recieved responses whether or not the submitted ciphertext decrypted into a valid PKCS1 v1.5 formatted plaintext, chances are high that the decryptor can be used as a Bleichenbacher oracle. Don't forget to take into account the actual XML data, i.e., the assertion encrypted with the new session key; by submitting valid or invalid XML, or by removing signatures from the SAML message or the assertion you may increase your chances of detecting differences in the returned responses.

Probing for Oracles in CBC-Mode Decryption

Another known attack on XML Encryption is aimed at the Cipher Block Chaining (CBC) mode, which can be used with the block ciphers AES or 3DES [2]. The attack is described in detail in this referenced paper [3] and is quite similar to Padding-Oracle attacks on CBC mode; the malleability of CBC mode encryption enables the attacker to perform a bytewise, adaptive manipulation of the ciphertext blocks which are subsequently sent to the decryptor. In most cases, the manipulated ciphertext will not decrypt to valid XML and an error will be returned. Sometimes, however, the plaintext will be parsed as valid XML, in which cases an error is thrown later on at the application layer. The attacker observes the differences in the responses in order to turn the decryptor into a ciphertext validity oracle which can be used to break the encryption.  Due to some particularities of the XML format, this attack can be very efficient, enabling decryption with about 14 requests per byte, and it is even possible to fully automate the process [7].

In order to determine if a particular SAML service provider is vulnerable to this attack, we can avoid the cumbersome ciphertext manipulation, if we are in possession of the decryptor's public key:
In the Encryption Attacker tab of EsPReSSO, add the public key certificate to the Certificate field (if necessary) and insert a symmetric key of your own devising into the  Symmetric Key text field. Select an appropriate RSA encryption method and click the Encrypt button to apply the new EncryptedKey element to the original SAML message. 

An XML message can now be inserted into the XML data text field. Select a CBC mode encryption algorithm and click Encrypt to apply the changes. As in the example above, press Burp's Go or Forward button to send the message and carefully inspect the response. Try sending invalid XML, e.g., by not closing a tag or using the `&` character without a valid entity and keep an eye open for differences in the returned responses. To manipulate the padding, the text field on the right side shows the hexadecimal representation of the plaintext, including the CBC padding. If you send a single block and set the last byte, which indicates the padding length to the blocksize, i.e. 16 or 0x10 for AES, the ciphertext should decrypt into an empty string and is generally considered "valid" XML.

Please refer to the original paper for more details, tips, and tricks for performing the actual attack [3]. 

Summary

The new XML Encryption attacker included in EsPReSSO can help security auditors to quickly assess if a SAML endpoint is vulnerable to known attacks against XML Encryption. To this end, the decryptor's public key is used in order to send suitable test vectors that can be provided in plaintext. Ciphertext manipulation is, therefore, not required. The actual process of decrypting an intercepted SAML message is, however, considered out of scope and not implemented in EsPReSSO.

In case you wonder how XML Encryption can be used in a secure fashion, here are some considerations [6]:
  • Always use an authenticated encryption mode such as AES-GCM instead of the CBC-mode encryption.
  • Using RSA-PKCS1 v1.5 within XML Encryption is particularly difficult to do in a secure manner, and it is recommended to use RSA with Optimal Asymmetric Encryption Padding (OAEP) instead [2].
  • Apply a digital signature over the whole SAML response, and ensure it is properly validated before attempting to decrypt the assertion. This should thwart the attack as a manipulated response can be recognized as such and should be rejected.
----------

More articles


  1. Master Growth Hacking
  2. Hacking Linkedin
  3. Hacking To The Gate Lyrics
  4. Cosas De Hackers
  5. Elladodelmal
Postado por

ADVANTAGE OF ETHICAL HACKING

Advantage of Ethical Hacking

Hacking is quite useful in the following purpose-

1-To recover lost information, especially in case you lost your password.

2-To perform penetration testing to strengthen computer and network security.

3-To put adequate preventative measure in place to prevent security breaches.

4-To have a computer system that prevents malicious hackers from gaining access.

5-Fighting against terrorism and national security breaches.


Continue reading
  1. Password Hacking
  2. Tutoriales Hacking
  3. Hacking Health
  4. Ethical Hacking Course
  5. Hacking To The Gate
  6. Curso De Hacking Etico Gratis
  7. Growth Hacking Definicion
Postado por

Linux Stack Protection By Default

Modern gcc compiler (v9.2.0) protects the stack by default and you will notice it because instead of SIGSEGV on stack overflow you will get a SIGABRT, but it also generates coredumps.




In this case the compiler adds the variable local_10. This variable helds a canary value that is checked at the end of the function.
The memset overflows the four bytes stack variable and modifies the canary value.



The 64bits canary 0x5429851ebaf95800 can't be predicted, but in specific situations is not re-generated and can be bruteforced or in other situations can be leaked from memory for example using a format string vulnerability or an arbitrary read wihout overflowing the stack.

If the canary doesn't match, the libc function __stack_chck_fail is called and terminates the prorgam with a SIGABORT which generates a coredump, in the case of archlinux managed by systemd and are stored on "/var/lib/systemd/coredump/"


❯❯❯ ./test 
*** stack smashing detected ***: terminated
fish: './test' terminated by signal SIGABRT (Abort)

❯❯❯ sudo lz4 -d core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000.lz4
[sudo] password for xxxx: 
Decoding file core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000 
core.test.1000.c611b : decoded 249856 bytes 

 ❯❯❯ sudo gdb /home/xxxx/test core.test.1000.c611b7caa58a4fa3bcf403e6eac95bb0.1121.1574354610000000 -q 


We specify the binary and the core file as a gdb parameters. We can see only one LWP (light weight process) or linux thread, so in this case is quicker to check. First of all lets see the back trace, because in this case the execution don't terminate in the segfaulted return.




We can see on frame 5 the address were it would had returned to main if it wouldn't aborted.



Happy Idea: we can use this stack canary aborts to detect stack overflows. In Debian with prevous versions it will be exploitable depending on the compilation flags used.
And note that the canary is located as the last variable in the stack so the previous variables can be overwritten without problems.




Related articles


  1. Que Es Hacking Etico
  2. Quiero Ser Hacker
  3. Hacker Pelicula
  4. Hacking Wifi Windows
  5. Que Hay Que Estudiar Para Ser Hacker
  6. Programas De Hacker
  7. Servicio Hacker
  8. Aprender Hacking Etico
Postado por
Assinar: Postagens (Atom)