Thursday, July 22, 2010

False Positive Generator - inundator

Inundator is a multi-threaded, queue-driven, anonymous intrusion detection false positive generator with support for multiple targets.

It can be used:

  • before, during and after a real attack to bury any IDS by flooding with false positives attack.
  • mess with an IDS analyst and keep the CIRT busy for investigation.
  • test the effectiveness of an IDS/IPS. (Less alerts mean a better product; more alerts mean a horrible product)
Inundator is part of the BackTrack. However, if you prefer to add it to your manually:
  • Add repository to /etc/apt/source.list:
deb all/

  • Then, download and install GPG key:
apt-key add inundator.asc

  • Then you can automatically pull in Inundator and all its dependencies:

aptitude update
aptitude install inundator

Change Your MAC Address (Quick)

Sometime, I need to change my MAC address quickly in order to get a new IP address from DHCP. Here's how I do it:
ifconfig eth0 down 
ifconfig eth0 hw ether 001122AABBCC
dhcpcd eth0
Enjoy the fun!

IDS Evasion on Linux Off-by-one TCP Timestamps

A very good article explaining potential IDS/IPS evasion with Linux 2.4/2.6 Kernel using off-by-one TCP timestamps.
In a nutshell, TCP timestamps can be included as a TCP option to specify the sending host's timestamp and echo the most recently received timestamp from the other side of the connection. The notion of time or timestamp is not the typical one since it denotes, for most operating systems except OpenBSD, a representation of the uptime of the host since the last reboot.

Wednesday, July 21, 2010

Terminal in BackTrack

What's the terminal you use in BackTrack normally? Konsole? Terminator?

Today, I found a cool one for me, Yakuake. Having a cool terminal to type command is very important, especially for pentesters!

To use it, press a shortcut key, such as F12, it pops up the terminal; press again it goes hiding.

Monday, July 19, 2010


According to Mike Sego, a former Gmail engineer, "shva" is an acronym for "should have valid authentication". Apparently, the parameter is only included after a successful authentication.

Sunday, July 18, 2010

Build initrd Manually

The initial RAM disk (initrd) is an initial root file system that is mounted prior to when the real root file system is available. The initrd is bound to the kernel and loaded as part of the kernel boot procedure. The kernel then mounts this initrd as part of the two-stage boot process to load the modules to make the real file systems available and get at the real root file system.

The initrd image contains the necessary executables and system files to support the second-stage boot of a Linux system. It contains a minimal set of directories and executables to achieve this, such as the insmod tool to install kernel modules into the kernel.

The initrd image can be created during the Linux build process. Normally, the initrd is a transient file system. Its lifetime is short, only serving as a bridge to the real root file system. In embedded systems with no mutable storage, the initrd is the permanent root file system.

To build your initrd manually, do this:
mkinitramfs -o initrd.img-2.6.34 2.6.34
Linux Kernel Support initrd
For the Linux kernel to support the initial RAM disk, the kernel must be compiled with the CONFIG_BLK_DEV_RAM and CONFIG_BLK_DEV_INITRD options.

File System Used By initrd Image
While ext2 is a common Linux file system format, there are alternatives that can reduce the size of the initrd image and the resulting mounted file systems. Examples include romfs (ROM file system), cramfs (compressed ROM file system), and squashfs (highly compressed read-only file system).

Linux Distribution by initrd
Minimax is an interesting open source project that was designed to be a Linux distribution that fits within an initrd. It's 32MB in size and uses BusyBox and uClibc for its ultra small size. Despite its small size, it's a 2.6 Linux kernel with a large array of useful tools.To build your initrd manually, do this:

Friday, July 16, 2010

BackTrack Console Font

I use a lot of command lines. Thus I need a cool font for my console.

Check you current console font setting: showconsolefont -i
By default, you should get 8x16x256

To change your console font, edit two lines (CODESET and FONTSIZE) in the file below:




Once it is done, reboot and you can type the command command again to check the console font settings. And you should get 8x14x512 now.

You may use others. Check out at /usr/share/consolefonts folder.

Setting Up WPA2 Connection in BackTrack

The next thing is to setup my Internet connection. Since I'm using WPA2 at home, and here is the content of my /etc/network/interfaces

auto lo
iface lo inet loopback

auto wlan0
iface wlan0 inet dhcp
wpa-driver wext
wpa-ssid < ssid >
wpa-ap-scan 1
wpa-proto RSN
wpa-pairwise CCMP
wpa-group CCMP
wpa-key-mgmt WPA-PSK WPA-EAP
wpa-psk < hex key generated by wpa_passphase ssid passphase >

Thursday, July 15, 2010

My BackTrack's GRUB Menu

The first thing I start customizing my BackTrack is the GRUB Menu. Here's the final copy:

# Grub Menu
default         0
timeout         5

vga=0x317                    # 64k/16b,1024x768
foreground e3e3e3
background 303030
share 1

title           BackTrack 4 Final, kernel 2.6.34
uuid            206c1cc6-a916-4de2-b061-b993e710e73c
kernel          /boot/vmlinuz-2.6.34 root=UUID=206c1cc6-a916-4de2-b061-b993e710e73c ro splash vga=0x317
initrd          /boot/initrd.img-2.6.34

title           Ubuntu 8.10, memtest86+
uuid            206c1cc6-a916-4de2-b061-b993e710e73c
kernel          /boot/memtest86+.bin

Updating My BT4 to 2.6.34

Start by updating and upgrading BackTrack as usual.
apt-get update
apt-get dist-upgrade
 When comes to kernel updates, typing "n". Next, install drivers as needed and kernel sources:
apt-get install madwifi-drivers broadcom-sta r8187-drivers linux-source-2.6.34
apt-get clean
depmod -a
Last, prepare to update kernel sources:
cd /usr/src/
rm -rf linux linux-source-*
rm -rf /lib/modules/
tar jxpf linux-source-2.6.34.tar.bz2
ln -s linux-source-2.6.34 linux
cd linux
cp /boot/config-2.6.34 .config
ln -s /usr/src/linux /lib/modules/2.6.34/build
make scripts && make prepare
apt-get clean && updatedb 
reboot # dont forget to reboot!

Wednesday, July 14, 2010

OWASP 2010

Since 2003, OWASP (Open Web Application Security Project) has been making an effort to inform web decision makers of the 10 most critical web application security flaws are through their Top 10 Project (link to: 2010 marks the third update to this list after a final draft to the original released in 2004 and an update to the list in 2007.

OWASP is “an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.” Their work is derived from a collaboration of security professionals who serve as volunteers to bring information to the community in an open and unbiased manner. While the organization is not affiliated with any technology or security companies, they do support the use of commercial security products.

The Top 10
The Top 10 project is described by OWASP as:
The OWASP Top 10 provides a powerful awareness document for web application security. The OWASP Top 10 represents a broad consensus about what the most critical web application security flaws are.
One of the most noticeable changes to the Top 10 list is the focus being shifted from a list of the top 10 vulnerabilities to the top 10 risks. The reason for the shift is quite practical, “Actually, it moved from prevalence (which is one factor of likelihood) to risk, which takes into likelihood and prevalence to estimate risk. Organizations care about risk, not just likelihood, and the Top 10 was always about risk (really), but we weren’t as clear as we should be, so this update works to make that much more clear.” Dave Wichers, Project Leader for the Top 10 List.

Additionally, two risks were dropped from this update: Malicious File Execution due to tighter PHP security lowering the prevalence of this problem, and Information Leakage and Improper Error Handling because of a minimal zed impact of disclosing stack trace and error message information.


  • Examples of injection flaws are SQL, LDAP, HTTP header injection (cookies, requests), and OS command injections
  • Attacks occur when untrusted data, such as a query, command or argument, is sent to an interpreter
  • Vulnerable applications can be tricked into executing unintended commands or allowing the attacker to access, and modify, data

Cross Site Scripting

  • There are three types of XSS attacks: stored, reflected, and Dom based
  • XSS attacks occur when an application allows data that is not validated or escaped properly to be sent to a web browser
  • Malicious scripts are executed in the victim’s browser allowing the attacker to hijack the user’s session, steal cookies, deface web sites, redirect users to malicious web sites, and remote browser control

Broken Authentication and Session Management

  • Users are impersonated due to leaks or flaws in the authentication process
  • Attacks occur when a session ID is visible to others, timeouts are not properly set, SSL/TLS is not used, or any other flaw in the authentication scheme is detected
  • Flaws used against one account may be replicated against an account with higher privileges

Insecure Direct Object References

  • Attack occurs when an authorized user can change a parameter value that refers to a system object that they are not authorized for
  • Almost any reference that can be reached by URL to include: references to files, paths, database keys, reflection by class name (e.g. JDBC connector class)
  • Remote referencing includes: Web Services, CORBA, RMI, RPC

Cross Site Request Forgery (CSRF)

  • Attacker creates malicious code to generate a forged request that the attacker tricks the victim into submitting
  • Forged requests can be hidden in image tags, XSS attacks and a number of other techniques
  • CSRF attacks can complete any transactions that the victim is permitted to perform such as access data, transfer funds or make purchases

Security Misconfiguration

  • New to the 2010 update
  • Attacker exploits unsecured pages, default accounts, unpatched flaws or any other vulnerability that could have be addressed by proper configuration
  • These attacks can result in a complete system compromise

Failure to Restrict URL Access

  • This attack takes place when an authorized user can simply change a URL to access a privileged page
  • Attackers generally look for administrative functions to employ this attack on
  • Links can be obtained from: hidden fields, client-side code, robots.txt, configuration files, static XML files, directory access

Unvalidated Redirects and Forwards

  • New to the 2010 update
  • Unvalidated parameter allows an attacker to choose a destination page where they wish to send a victim to trick them into disclosing private information
  • Victims trust these links because the link is to a valid site

Insecure Cryptographic Storage

  • The most common reason for this attack is that data that should be encrypted is stored in cleartext
  • Can result from the poor use of encryption algorithms such as using home grown algorithms, insecure use of strong algorithms or the continued use of proven weak algorithms
  • The use of weak or unsalted hashes to protect passwords is another common flaw that leads to this risk

Insufficient Transport Layer Protection

  • Most commonly, this attack occurs when a site does not use SSL/TLS for pages that require authentication where an attacker can monitor network traffic to steal an authenticated user’s session cookie
  • Poorly configured SSL certificates can lull a user into accepting warnings for legitimate sites only to be tricked into accepting a phishing site’s certificate
  • Attacks can lead to account theft, phishing attacks and admin accounts being compromised

Tuesday, July 13, 2010


ostinato - a new packet/traffic generator and analyzer.

You need admin privilege to run it. It has a client-server architecture. Download it today and give it a try. There is a portable Win32 edition. :-)

Thursday, July 01, 2010

IDS Evasion with Syncookies

Is it possible that after a destination host (server) sends you a RST packet, you still can continue to send the server some data and continue the connections?

Yes, it is possible, on a Linux server with SynCookies enabled.

sysctl -a | grep net.ipv4.tcp_syncookies
net.ipv4.tcp_syncookies = 1

Steps (howto):

  • During the 3-way handshake, the client sends a ACK packet (3rd packet) to the server with a value one more than the expected value.
  • The Linux server will response with a RST at the 4th packet. - > fool the IDS that the TCP connection is terminated.
  • Then, the client can continue to send EVIL stuff to the server.
  • TCP SynCookies is used to combat Syn flood (DoS) attack.
  • By right, should see a re-transmit of SYN+ACK instead of RST, by the server.
  • The faked ACK packet (4th) is just a stray packet (in SynCookies).
  • The subsequent GET /EVIL packet (5th), is considered as valid final ACK of three-way handshake since the syn-cookie will match.
  • With Snort IDS, the default stream5 policy of "windows" will not be fooled by this because of what it considers an invalid reset sequence number.

Source articles:

Source codes: