May 2020 | arin.

22 May 2020

BurpSuite Introduction & Installation

What is BurpSuite?
Burp Suite is a Java based Web Penetration Testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting web applications. Because of its popularity and breadth as well as depth of features, we have created this useful page as a collection of Burp Suite knowledge and information.

In its simplest form, Burp Suite can be classified as an Interception Proxy. While browsing their target application, a penetration tester can configure their internet browser to route traffic through the Burp Suite proxy server. Burp Suite then acts as a (sort of) Man In The Middle by capturing and analyzing each request to and from the target web application so that they can be analyzed.

Everyone has their favorite security tools, but when it comes to mobile and web applications I've always found myself looking BurpSuite . It always seems to have everything I need and for folks just getting started with web application testing it can be a challenge putting all of the pieces together. I'm just going to go through the installation to paint a good picture of how to get it up quickly.

BurpSuite is freely available with everything you need to get started and when you're ready to cut the leash, the professional version has some handy tools that can make the whole process a little bit easier. I'll also go through how to install FoxyProxy which makes it much easier to change your proxy setup, but we'll get into that a little later.

Requirements and assumptions:

Mozilla Firefox 3.1 or Later Knowledge of Firefox Add-ons and installation The Java Runtime Environment installed

Download BurpSuite from http://portswigger.net/burp/download.htmland make a note of where you save it.

on for Firefox from https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/

If this is your first time running the JAR file, it may take a minute or two to load, so be patient and wait.

Video for setup and installation.

You need to install compatible version of java , So that you can run BurpSuite.

More info

How To Start | How To Become An Ethical Hacker

Are you tired of reading endless news stories about ethical hacking and not really knowing what that means? Let's change that!

This Post is for the people that:

Have No Experience With Cybersecurity (Ethical Hacking)
Have Limited Experience.
Those That Just Can't Get A Break

OK, let's dive into the post and suggest some ways that you can get ahead in Cybersecurity.

I receive many messages on how to become a hacker. "I'm a beginner in hacking, how should I start?" or "I want to be able to hack my friend's Facebook account" are some of the more frequent queries. Hacking is a skill. And you must remember that if you want to learn hacking solely for the fun of hacking into your friend's Facebook account or email, things will not work out for you. You should decide to learn hacking because of your fascination for technology and your desire to be an expert in computer systems. Its time to change the color of your hat 😀

I've had my good share of Hats. Black, white or sometimes a blackish shade of grey. The darker it gets, the more fun you have.

If you have no experience don't worry. We ALL had to start somewhere, and we ALL needed help to get where we are today. No one is an island and no one is born with all the necessary skills. Period.OK, so you have zero experience and limited skills…my advice in this instance is that you teach yourself some absolute fundamentals.

Let's get this party started.

What is hacking?

Hacking is identifying weakness and vulnerabilities of some system and gaining access with it.

Hacker gets unauthorized access by targeting system while ethical hacker have an official permission in a lawful and legitimate manner to assess the security posture of a target system(s)

There's some types of hackers, a bit of "terminology".
White hat — ethical hacker.
Black hat — classical hacker, get unauthorized access.
Grey hat — person who gets unauthorized access but reveals the weaknesses to the company.
Script kiddie — person with no technical skills just used pre-made tools.
Hacktivist — person who hacks for some idea and leaves some messages. For example strike against copyright.

Skills required to become ethical hacker.

Curosity anf exploration
Operating System
Fundamentals of Networking

*Note this sites

Continue reading

21 May 2020

WHO IS ETHICAL HACKER

Who is hacker?
A hacker is a Creative person and a creative Programmer,who have knowledge about Networking,Operating system,hacking & a best creative social engineer who control anyone's mind he is also a knowledgeable person.

Hacker are the problem solver and tool builder.

A hacker is an individual who uses computer, networking and other skills to overcome a technical problem but it often refers to a person who uses his or her abilities to gain unauthorized access to system or networks in order to commit crimes.

Related word

20 May 2020

WHY WE DO HACKING?

Purpose of Hacking?
. Just for fun
.Show-off
.Steal important information
.Damaging the system
.Hampering Privacy
.Money Extortion
.System Security Testing
.To break policy compliance etc

More information

Open Sesame (Dlink - CVE-2012-4046)

A couple weeks ago a vulnerability was posted for the dlink DCS-9xx series of cameras. The author of the disclosure found that the setup application that comes with the camera is able to send a specifically crafted request to a camera on the same network and receive its password in plaintext. I figured this was a good chance to do some analysis and figure out exactly how the application carried out this functionality and possibly create a script to pull the password out of a camera.

The basic functionality of the application is as follows:

Application sends out a UDP broadcast on port 5978
Camera sees the broadcast on port 5978 and inspects the payload – if it sees that the initial part of the payload contains "FF FF FF FF FF FF" it responds (UDP broadcast port 5978) with an encoded payload with its own MAC address
Application retrieves the camera's response and creates another UDP broadcast but this time it sets the payload to contain the target camera's MAC address, this encoded value contains the command to send over the password
Camera sees the broadcast on port 5978 and checks that it is meant for it by inspecting the MAC address that has been specified in the payload, it responds with an encoded payload that contains its password (base64 encoded)

After spending some time with the application in a debugger I found what looked like it was responsible for the decoding of the encoded values that are passed:

super exciting screen shot.

After spending some time documenting the functionality I came up with the following notes (messy wall of text):


	Command	Comments
	.JGE SHORT 0A729D36	; stage1
	./MOV EDX,DWORD PTR SS:[LOCAL.2]	; set EDX to our 1st stage half decoded buffer
	.\|MOV ECX,DWORD PTR SS:[LOCAL.4]	; set ECX to our current count/offset
	.\|MOV EAX,DWORD PTR SS:[LOCAL.3]	; set EAX to our base64 encoded payload
	.\|MOVSX EAX,BYTE PTR DS:[EAX]	; set EAX to the current value in our base64 payload
	.\|MOV AL,BYTE PTR DS:[EAX+0A841934]	; set EAX/AL to a hardcoded offset of its value table is at 0a841934
	.\|MOV BYTE PTR DS:[ECX+EDX],AL	; ECX = Offset, EDX = start of our half-decoded buffer, write our current byte there
	.\|INC DWORD PTR SS:[LOCAL.4]	; increment our offset/count
	.\|INC DWORD PTR SS:[LOCAL.3]	; increment our base64 buffer to next value
	.\|MOV EDX,DWORD PTR SS:[LOCAL.4]	; set EDX to our counter
	.\|CMP EDX,DWORD PTR SS:[ARG.2]	; compare EDX (counter) to our total size
	.\JL SHORT 0A729D13	; jump back if we have not finished half decoding our input value
	.MOV ECX,DWORD PTR SS:[ARG.3]	; Looks like this will point at our decoded buffer
	.MOV DWORD PTR SS:[LOCAL.5],ECX	; set Arg5 to our decoded destination
	.MOV EAX,DWORD PTR SS:[LOCAL.2]	; set EAX to our half-decoded buffer
	.MOV DWORD PTR SS:[LOCAL.3],EAX	; set arg3 to point at our half-decoded buffer
	.MOV EDX,DWORD PTR SS:[ARG.4]	; ???? 1500 decimal
	.XOR ECX,ECX	; clear ECX
	.MOV DWORD PTR DS:[EDX],ECX	; clear out arg4 value
	.XOR EAX,EAX	; clear out EAX
	.MOV DWORD PTR SS:[LOCAL.6],EAX	; clear out local.6
	.JMP SHORT 0A729DAE	; JUMP

	./MOV EDX,DWORD PTR SS:[LOCAL.3]	; move our current half-decoded dword position into EDX
	.\|MOV CL,BYTE PTR DS:[EDX]	; move our current byte into ECX (CL) (dword[0])
	.\|SHL ECX,2	; shift left 2 dword[0]
	.\|MOV EAX,DWORD PTR SS:[LOCAL.3]	; move our current dword position into EAX
	.\|MOVSX EDX,BYTE PTR DS:[EAX+1]	; move our current dword position + 1 (dword[1]) into EDX
	.\|SAR EDX,4	; shift right 4 dword[1]
	.\|ADD CL,DL	; add (shift left 2 dword[0]) + (shift right 4 dword[1])
	.\|MOV EAX,DWORD PTR SS:[LOCAL.5]	; set EAX to our current decoded buffer position
	.\|MOV BYTE PTR DS:[EAX],CL	; write our decoded (dword[0]) value to or decoded buffer
	.\|INC DWORD PTR SS:[LOCAL.5]	; increment our position in the decoded buffer
	.\|MOV EDX,DWORD PTR SS:[LOCAL.3]	; set EDX to our current dword position
	.\|MOV CL,BYTE PTR DS:[EDX+1]	; set ECX to dword[1]
	.\|SHL ECX,4	; left shift 4 dword[1]
	.\|MOV EAX,DWORD PTR SS:[LOCAL.3]	; set EAX to our current dword position
	.\|MOVSX EDX,BYTE PTR DS:[EAX+2]	; set EDX to dword[2]
	.\|SAR EDX,2	; shift right 2 dword[2]
	.\|ADD CL,DL	; add (left shift 4 dword[1]) + (right shift 2 dword[2])
	.\|MOV EAX,DWORD PTR SS:[LOCAL.5]	; set EAX to our next spot in the decoded buffer
	.\|MOV BYTE PTR DS:[EAX],CL	; write our decoded value into our decoded buffer
	.\|INC DWORD PTR SS:[LOCAL.5]	; move to the next spot in our decoded buffer
	.\|MOV EDX,DWORD PTR SS:[LOCAL.3]	; set EDX to our current half-decoded dword
	.\|MOV CL,BYTE PTR DS:[EDX+2]	; set ECX dword[2]
	.\|SHL ECX,6	; shift left 6 dword[2]
	.\|MOV EAX,DWORD PTR SS:[LOCAL.3]	; set EAX to our current half-decoded dword
	.\|ADD CL,BYTE PTR DS:[EAX+3]	; add dword[2] + dword[3]
	.\|MOV EDX,DWORD PTR SS:[LOCAL.5]	; set EDX to point at our next spot in our decoded buffer
	.\|MOV BYTE PTR DS:[EDX],CL	; write our decoded byte to our decoded buffer
	.\|INC DWORD PTR SS:[LOCAL.5]	; move to the next spot in our decoded buffer
	.\|ADD DWORD PTR SS:[LOCAL.3],4	; increment our encoded buffer to point at our next dword
	.\|MOV ECX,DWORD PTR SS:[ARG.4]	; set ECX to our current offset?
	.\|ADD DWORD PTR DS:[ECX],3	; add 3 to our current offset?
	.\|ADD DWORD PTR SS:[LOCAL.6],4	; add 4 to our byte counter??
	.\|MOV EAX,DWORD PTR SS:[ARG.2]	; move total size into EAX
	.\|ADD EAX,-4	; subtract 4 from total size
	.\|CMP EAX,DWORD PTR SS:[LOCAL.6]	; compare our total bytes to read bytes
	.\JG SHORT 0A729D50	; jump back if we are not done

	.MOV EDX,DWORD PTR SS:[LOCAL.3]	; set EDX to our last DWORD of encoded buffer
	.MOVSX ECX,BYTE PTR DS:[EDX+3]	; set ECX to dword[3] last byte of our half-decoded dword (dword + 3)
	.INC ECX	; increment the value of dword[3]
	.JE SHORT 0A729E1E
	.MOV EAX,DWORD PTR SS:[LOCAL.3]	; set EAX to our current half-decoded dword
	.MOV DL,BYTE PTR DS:[EAX]	; set EDX (DL) to dword[0]
	.SHL EDX,2	; shift left 2 dword[0]
	.MOV ECX,DWORD PTR SS:[LOCAL.3]	; set ECX to our current encoded dword position
	.MOVSX EAX,BYTE PTR DS:[ECX+1]	; set EAX to dword[1]
	.SAR EAX,4	; shift right 4 dword[1]
	.ADD DL,AL	; add (shifted left 2 dword[0]) + (shifted right 4 dword[1])
	.MOV ECX,DWORD PTR SS:[LOCAL.5]	; set ECX to point at our next spot in our decoded buffer
	.MOV BYTE PTR DS:[ECX],DL	; write our decoded value (EDX/DL) to our decoded buffer
	.INC DWORD PTR SS:[LOCAL.5]	; move to the next spot in our decoded buffer
	.MOV EDX,DWORD PTR SS:[LOCAL.3]	; set EDX to point at our dword
	.MOV AL,BYTE PTR DS:[EDX+1]	; set EAX/AL to dword[1]
	.SHL EAX,4	; shift left 4 dword[1]
	.MOV EDX,DWORD PTR SS:[LOCAL.3]	; set EDX to our current dword
	.MOVSX ECX,BYTE PTR DS:[EDX+2]	; set ECX to dword[2]
	.SAR ECX,2	; shift right 2 dword[2]
	.ADD AL,CL	; add (shifted left 4 dword[1]) + (shifted right 2 dword[2])
	.MOV EDX,DWORD PTR SS:[LOCAL.5]	; set EDX to point at our current spot in our decoded buffer
	.MOV BYTE PTR DS:[EDX],AL	; write our decoded value to the decoded buffer
	.INC DWORD PTR SS:[LOCAL.5]	; move to the next spot in our decoded buffer
	.MOV EAX,DWORD PTR SS:[LOCAL.3]	; set EAX to point at our current dword
	.MOV CL,BYTE PTR DS:[EAX+2]	; set ECX/CL to dword[2]
	.SHL ECX,6	; shift left 6 dword[2]
	.MOV EAX,DWORD PTR SS:[LOCAL.3]	; point EAX at our current dword
	.ADD CL,BYTE PTR DS:[EAX+3]	; add dword[3] + (shifted left 6 dword[2])
	.MOV EDX,DWORD PTR SS:[LOCAL.5]	; point EDX at our current decoded buffer
	.MOV BYTE PTR DS:[EDX],CL	; write our decoded value to the decoded buffer
	.INC DWORD PTR SS:[LOCAL.5]	; increment our deocded buffer
	.MOV ECX,DWORD PTR SS:[ARG.4]	; set ECX to our current offset?
	.ADD DWORD PTR DS:[ECX],3	; add 4 for our current byte counter?
	.JMP 0A729EA6	; jump

Translated into english: the application first uses a lookup table to translate every byte in the input string, to do this it uses the value of the current byte as an offset into the table. After it is done with "stage1" it traverses the translated input buffer a dword at a time and does some bit shifting and addition to fully decode the value. The following roughly shows the "stage2" routine:

(Dword[0] << 2) + (Dword[1] >> 4) = unencoded byte 1

(Dword[1] << 4) + (Dword[2] >> 2) = unencoded byte 2

(Dword[2] << 6) + Dword[3] = unencoded byte 3

I then confirmed that this routine worked on an "encoded" value that went over the wire from the application to the camera. After confirming the encoding scheme worked, I recreated the network transaction the application does with the camera to create a stand alone script that will retrieve the password from a camera that is on the same lan as the "attacker". The script can be found here, thanks to Jason Doyle for the original finding (@jasond0yle ).

Read more

arin.