Sunday, January 28, 2024

Change Passwords Regularly - A Myth And A Lie, Don't Be Fooled, Part 1


TL;DR: different passwords have different protection requirements, and different attackers using various attacks can only be prevented through different prevention methods. Password security is not simple. For real advice, check the second post (in progress).

Are you sick of password advice like "change your password regularly" or "if your password is password, change it to pa$$w0rd"? This post is for you!

The news sites are full of password advice nowadays due to recent breaches. When I read/watch this advice (especially on CNN), I am usually pissed off for a lot of reasons. Some advice is terrible (a good collection is here), some is good but without solutions, and other advice is better, but it doesn't explain the reasons. Following is my analysis of the problem. It works for me. It might not work for you. Comments are welcome!

Password history

Passwords have been used since ancient times.


Because it is simple. When I started using the Internet, I believe I had three passwords: Windows login, webmail, and IRC. Now I have ~250 accounts/passwords for different things: my smartphone, my cable company (this password can be used to change the channels on the TV), my online secure cloud storage, the full disk encryption that starts my computer, my nude pictures, my WiFi router, my cloud server hosting provider, etc. etc. etc. My money is protected with passwords, my communication is protected with passwords/encryption, my work is protected with passwords. It is pretty damn important. And yet people tend to choose lame passwords. Pretty lame ones. Because they don't think it can be significant. But what is not essential today will be relevant tomorrow. The service you used to download music (iTunes) with the lame password will one day protect all your Apple devices, where attackers can download your backup files, erase all your devices, etc. The seven-characters-and-one-capital rule is not enough anymore. This advice is like "PDF is safe to open" or "Java is secure". Old, outdated, untrue.

Now, after this lengthy prologue, we will deep dive into the analysis of the problem, by checking what we want to protect, against whom (who is the attacker), and only after that, we can analyze the solutions. Travel with me, I promise it will be fun! ;)

What to protect?

There are different services online, and different services need different kinds of protection. You don't use the same lock on your Trabant as you do on your BMW.

Internet banking, online money

For me, this is the most vital service to protect. Luckily, most internet banking services use two-factor authentication (2FA), but unfortunately not all of them offer transaction authorization/verification covering the complete transaction. 2FA is not effective against malware, it just complicates the attack. Transaction authorization/verification is better, but not perfect (see Zitmo). If the access is not protected with 2FA, better choose the best password you have (long, truly random, sophisticated, but we will get to this later). If it is protected with 2FA, that is still no reason not to use the best password ;) This is what I call the "very high level password" class.


Credit card data

This system is pretty badly fucked up. Something has to be secret (your credit card number), but at the same time that is the only thing that identifies your credit card. It is like your username being your password. Pretty bad idea, huh? The problem is even worse with a lot of different transaction types, especially when the hotel asks you to fax both sides of your CC to them. Unfortunately, you can't change the password on your credit card, as there is no such thing, but Verified by VISA or 3-D Secure with 2FA might increase the chances that your credit card won't get hacked. And on a side note, I have removed the CVV numbers from my credit/debit cards. I only read it once from the card when I received it; I don't need it printed there anymore.
And sometimes, you are your own worst enemy. Don't do stupid things like this:


Work related passwords (e.g. Windows domain)

This is very important, but because the attack methods are a bit different, I created this as a different category. Details later.

Email, social sites (Gmail/Facebook/Twitter), cloud storage, online shopping

This is what I call the "high level password" class.
Still, pretty important passwords. Some people don't understand "why would attackers put any energy into getting my Facebook account?" It is simple. For money. They can use your account to spread spam all over your Facebook wall. They can write messages to all of your connections, tell them you are in trouble and ask them to send money via Western Union or Bitcoin.


They can use your account in Facebook votes. Your e-mail and cloud storage are again very important. Twenty years ago you had letters you would never have printed and put in front of the nearest store; you don't want that with your private photo album either. On a side note, it is best to use a cloud storage where even the cloud provider's admin can't access your data. But in this case, with no password recovery option, better think about "alternative" password recovery mechanisms.

Other important stuff with personal data (e.g. your name, home address)

The "medium level password" class. Whether to have this class or not is a personal preference, but in the long run I believe it is not a waste of energy to protect these accounts. These sites include your favorite pizza delivery service, your local PC store, etc.

Not important stuff

This is the category "other". I usually use a one-time disposable e-mail for these services: register, get what I want, drop the e-mail account. Because I don't want my e-mail address spread all over the internet whenever one of these sites gets hacked. But I still prefer to use different, random passwords on these sites, although this is the "low level password" class.

Attackers and attack methods

After categorizing the different passwords to be protected, let's look at the different attackers and attack methods. Here is what they can do, will do, or are actively doing right now:

Attacking the clear text password

This is the most effective way of getting the password. The bad news is that if there is no other factor of protection, the victim is definitely not on the winning side. The different attack methods are:

  • phishing sites/applications,
  • social engineering,
  • malware running on the computer (or in the browser),
  • shoulder surfing (watch out for smartphones, hidden cameras),
  • sniffing clear-text passwords when the website is not protected with SSL,
  • SSL MiTM,
  • rogue website administrator/hacker logging clear-text passwords,
  • password reuse: if the attacker can get your password in any way and you reuse it somewhere else, that is a problem,
  • you told your password to someone and he/she will misuse it later,
  • hardware keyloggers,
  • etc.

The key thing here is that no matter how long your password is, no matter how complex it is, no matter how often you change it (unless you change it every minute ...), if it is stolen, you are screwed. 2FA might save you, or it might not.

Attacking the encrypted password

This is the usual "hack the webserver (via SQL injection), dump the passwords (with SQLMap), post the hashes on pastebin, everybody starts the GPU farm to crack the hashes" scenario. This is basically the only scenario where password policies make sense. In this case the different levels of passwords need different protection levels. In some cases this attack turns out to be the same as the previous one, when the passwords are not hashed, or are just encoded.

Current hash cracking speeds for hashes without any iterations (which is unfortunately very common) render passwords like Q@tCB3nx (8 characters, upper- and lowercase, digit, special characters) useless, as those can be cracked in hours. Don't believe me? Let's do the math.

Let's say your password is truly random, chosen uniformly from the 26 uppercase, 26 lowercase, 10 digit and 33 special characters. (Once I tried special passwords with high-ANSI characters inside. It is a terrible idea. Believe me.) There are 6 634 204 312 890 620 different 8-character passwords from these characters. Assuming a two-year-old password cracking rig and MD5 hash cracking at 180 G/s, it takes 10 hours in the worst case (5 on average) to crack the password, including upgrading your bash to the latest, but still vulnerable, bash version. Had the password been 10 characters long, it would take 10 years to crack with today's hardware. But if the password is not truly random, it can be cracked a lot sooner.

A lot of common hashing algorithms have no protection against offline brute-force attacks. This includes LM (old Windows hashes), NTLM (modern Windows hashes), MD5, SHA-1 and the SHA-2 family (SHA-256, SHA-512). These hashing algorithms were not developed for password hashing. They don't have salting, iterations, etc. out of the box. In the case of LM, the problem is even worse, as it converts lowercase characters to uppercase ones, radically decreasing the key space. Out of the box, these hashes are made for fast calculation, and thus support fast brute-force.
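The arithmetic above, carried through in code as an added example (mine, not the post's): the 95-symbol keyspace, the 180 G/s MD5 rate from the post, the case-folding loss of LM, and what an iterated hash does to the same numbers. The 10000-iteration figure is an assumed illustrative cost, and the exact 95^8 count ends in 625 (the post's value is rounded).

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>

// Character classes from the post: 26 upper, 26 lower, 10 digits, 33 specials.
constexpr int kUpper = 26, kLower = 26, kDigits = 10, kSpecial = 33;
constexpr int kFullAlphabet = kUpper + kLower + kDigits + kSpecial;  // 95
// LM folds lowercase to uppercase before hashing (the post's point), so the
// effective alphabet loses the 26 lowercase letters.
constexpr int kLmAlphabet = kFullAlphabet - kLower;                  // 69

// The post's cracking rate: MD5 at 180 G hashes/s on a two-year-old rig.
constexpr long double kMd5Rate = 180e9L;
constexpr long double kHour = 3600.0L;
constexpr long double kYear = 365.0L * 24.0L * kHour;

// Exact number of `length`-character passwords over `alphabet` symbols.
// Returns 0 when the product no longer fits in 64 bits (95^10 does not).
uint64_t keyspace_exact(int alphabet, int length) {
    uint64_t n = 1;
    for (int i = 0; i < length; ++i) {
        if (n > UINT64_MAX / static_cast<uint64_t>(alphabet)) return 0;
        n *= static_cast<uint64_t>(alphabet);
    }
    return n;
}

// Same quantity in floating point, sufficient for time estimates.
long double keyspace_approx(int alphabet, int length) {
    return std::pow(static_cast<long double>(alphabet), length);
}

// Worst-case time to exhaust the keyspace at `hashes_per_second`.
// `iterations` models an iterated password hash (PBKDF2, bcrypt, scrypt):
// every guess costs that many underlying hash computations, so the effective
// guess rate drops by that factor. Raw MD5/NTLM/SHA-x have iterations == 1.
long double worst_case_seconds(int alphabet, int length,
                               long double hashes_per_second,
                               long double iterations = 1.0L) {
    return keyspace_approx(alphabet, length) * iterations / hashes_per_second;
}

// On average the right guess is found halfway through the keyspace.
long double average_case_seconds(int alphabet, int length,
                                 long double hashes_per_second,
                                 long double iterations = 1.0L) {
    return worst_case_seconds(alphabet, length, hashes_per_second, iterations) / 2;
}

int main() {
    std::printf("95^8 = %llu passwords\n",
                static_cast<unsigned long long>(keyspace_exact(kFullAlphabet, 8)));
    std::printf("8 chars, raw MD5:           worst %.1Lf h, average %.1Lf h\n",
                worst_case_seconds(kFullAlphabet, 8, kMd5Rate) / kHour,
                average_case_seconds(kFullAlphabet, 8, kMd5Rate) / kHour);
    std::printf("10 chars, raw MD5:          worst %.1Lf years\n",
                worst_case_seconds(kFullAlphabet, 10, kMd5Rate) / kYear);
    // LM uses the same rate here only as a rough stand-in for comparison.
    std::printf("7 chars, case-folded (LM):  worst %.0Lf s\n",
                worst_case_seconds(kLmAlphabet, 7, kMd5Rate));
    std::printf("8 chars, 10000 iterations:  worst %.1Lf years\n",
                worst_case_seconds(kFullAlphabet, 8, kMd5Rate, 10000) / kYear);
    return 0;
}
```

The last two rows show why the post's 8-character example is hopeless under raw MD5 but outlasts the 10-character raw-MD5 case once a modest iteration count is applied.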


Another attack is when the protected thing is not an online service, but rather an encrypted file or crypto-currency wallet.

Attacking the authentication system online

This is what happened in the recent iCloud hack (besides phishing). Attackers were attacking the authentication system, either by brute-forcing the password or by bypassing the password security by answering the security question. Good passwords cannot be brute-forced, as it takes ages. Good security answers have nothing to do with the question in the first place. A good security answer is as hard to guess as the password itself. If password recovery requires manual phone calls, I know, it is a bit awkward to say that your first dog's name was Xjg.2m`4cJw:V2= , but on the other hand, no one will guess that!


Attacking single sign on

This type of attack is a bit different, as I was not able to fit the "pass the hash" attacks anywhere else. The pass-the-hash attack is usually found in Windows domain environments, but others might be affected as well. The key thing is single sign-on. If you can log in to one system (e.g. your workstation) and access many different network resources (file share, printer, web proxy, e-mail, etc.) without providing any password, then something (a secret) has to be in memory which can be used to authenticate to the services. If an attacker can access this secret, he will be able to access all these services. The key thing is (again) that it does not matter how complex your passwords are, how long they are, or how often you change them, as someone can easily misuse that secret.

 

Attacking 2FA

As already stated, two-factor authentication raises the effort from an attacker's point of view, but does not provide 100% protection.
  • one-time tokens (SecurID, Yubikey) can be relayed in a man-in-the-middle attack,
  • smartcard authentication can be relayed to the attacker's machine with the help of malware, or simply circumvented by browser malware,
  • text (SMS) messages can be stolen by malware on the smartphone or rerouted via SS7,
  • biometric protection is constantly bypassed,
  • SSH keys are constantly stolen,
  • but U2F keys are pretty good actually, even though a BGP/DNS hijack or similar MiTM can still circumvent that protection,
  • etc.


Others

Beware that there are tons of other attack methods to access your online account (like XSS/CSRF), but all of these have to be handled on the webserver side. The best you can do is to choose a website where a bug bounty program is running 24/7. Otherwise, the website may be full of low-hanging, easy-to-hack bugs.

Now that we have covered what we want to protect against what, in the next blog post, you will see how to do that. Stay tuned. I will also explain the title of this blog post.

Saturday, January 27, 2024

CEH: Identifying Services & Scanning Ports | Gathering Network And Host Information | NMAP


Scanning for open ports over a network is an important step of the CEH scanning methodology. Port scanning is the technique used to discover which ports on the targeted machine are open and which are closed. Port scanning gathers more valuable information about the host and the weaknesses of the system than a ping sweep does.

Network Mapping (NMAP)

Basically, NMAP stands for Network Mapping. It is a free, open-source tool used for port scanning, service detection, operating system detection and IP address detection of the targeted machine. Moreover, it can scan a large number of machines quickly and efficiently in a single session to gather information about the ports and systems connected to the network. It can be used on UNIX, Linux and Windows.

There is some terminology we should understand whenever we hear the terms open ports, filtered ports and unfiltered ports.

Open ports: the target machine accepts incoming requests on that port, because the port is configured to accept TCP or UDP packets.

Filtered ports: the port is usually open, but because of a firewall or network filtering nmap cannot detect that it is open.

Unfiltered ports: the port is accessible, but nmap is unable to determine whether it is open or filtered.

Types Of NMAP Scan

Scan type: description

Null scan: performed by both ethical hackers and black hat hackers to identify whether a TCP port is open or closed. Moreover, it only works against UNIX-based systems.
TCP connect: the attacker makes a full TCP connection to the target system, to whichever specific port they want to connect to. SYN/ACK is observed for open ports, while RST/ACK is observed for closed ports.
ACK scan: discovers the state of the firewall, whether it is stateful or stateless. This scan is typically used to detect filtered ports. Moreover, it only works against UNIX-based systems.
Window scan: similar to the ACK scan, but it can also distinguish open ports from filtered ports.
SYN stealth scan: mostly performed by attackers to detect listening ports without making a full connection to the target. This is also known as half-open scanning.

 

All NMAP Commands

Command        Scan performed
-sT            TCP connect scan
-sS            SYN scan
-sF            FIN scan
-sX            XMAS tree scan
-sN            Null scan
-sP            Ping scan
-sU            UDP scan
-sO            Protocol scan
-sA            ACK scan
-sW            Window scan
-sR            RPC scan
-sL            List/DNS scan
-sI            Idle scan
-P0            Don't ping
-PT            TCP ping
-PS            SYN ping
-PI            ICMP ping
-PB            ICMP and TCP ping
-PP            ICMP timestamp
-PM            ICMP netmask
-oN            Normal output
-oX            XML output
-oG            Greppable output
-oA            All output
-T Paranoid    Serial scan; 300 sec between scans
-T Sneaky      Serial scan; 15 sec between scans
-T Polite      Serial scan; .4 sec between scans
-T Normal      Parallel scan
-T Aggressive  Parallel scan, 300 sec timeout, and 1.25 sec/probe
-T Insane      Parallel scan, 75 sec timeout, and .3 sec/probe

 

How to Scan

You can run nmap from the Windows command prompt (or any shell) using the syntax below. For example, to scan the host with the IP address 192.168.2.1 using a TCP connect scan, enter either of these equivalent commands:

nmap 192.168.2.1 -sT

nmap -sT 192.168.2.1



Files Download Information




After 7 years of Contagio existence, Google Safe Browsing services notified Mediafire (hoster of Contagio and Contagiominidump files) that "harmful" content is hosted on my Mediafire account.

It is harmful only if you harm your own PC, and it is not suitable for distribution or for infecting unsuspecting users, but I have not been able to resolve this with Google and Mediafire.

Mediafire suspended public access to Contagio account.

The file hosting will be moved.

If you need any files now, email me the posted Mediafire links (address in profile) and I will pull out the files and share via other methods.

P.S. I have not been able to resolve "yet" because it just happened today, not because they refuse to help.  I don't want to affect Mediafire safety reputation and most likely will have to move out this time.

The main challenge is not to find hosting, that is not difficult and I can pay for it, but the effort to move all files and fix the existing links on the blog posts, and there are many. I planned to move out a long time ago but did not have time for it. If anyone can suggest how to change all Blogspot links in bulk, I will be happy.


P.P.S. Feb. 24 - The files will be moved to a Dropbox Business account and shared from there (the Dropbox team confirmed they can host it).


The transition will take some time, so email me links to what you need. 

Thank you all
M

C++ std::condition_variable Null Pointer Dereference


This story is about a bug generated by the g++ and clang compilers (at least).
condition_variable is a feature of the C++ standard library (libstdc++); when it is compiled statically, weird asm code is generated.


Any example from the link below will crash if it is compiled statically:
 https://en.cppreference.com/w/cpp/thread/condition_variable



In this case condition_variable.wait() crashed, but this happens with other methods too. A simple way to trigger it:




If this program is compiled dynamically, the crash doesn't occur:

Looking at the disassembly, there is a surprise created by the compiler:


Compilers:
    g++  9.2.1+20200130-2
    clang++ v9

Both compilers generate the "call 0x00".

If we check this call in a dynamically compiled binary:




The implementation of condition_variable on GitHub:
https://github.com/gcc-mirror/gcc/blob/b7c9bd36eaacac42631b882dc67a6f0db94de21c/libstdc%2B%2B-v3/include/std/condition_variable


The compilers can't compile this code correctly in static mode, and the same happens with other condition_variable methods.
I would say the _lock is being assembled improperly in static builds. It is not exactly a null pointer dereference, but the effects are the same: executing code at address 0x00, which on Linux is a crash in most cases.
