Thursday, July 2, 2009

Prevent Web Application Vulnerability Scanner

Hi guys,
at last I decided to take this blog out of the magazine-release news fashion, pull one of the ideas out of my head, implement it, and write a little about it here.

Anyway, let's get on the subject.
Certainly you have experience working with web application vulnerability scanners. They are all being improved, and this is a big threat to all web applications, both commercial and non-commercial.
Although there are many false positives in their results, most of them make the way of attacking clear to us. It's great that you can find most of the hidden directories in a web site and check for SQL injection, Cross Site Scripting, Cross Site Request Forgery and so on.
This is great for a pen-tester and a threat for security managers!
Umm, the question I asked myself many times was: how to escape from these web app scanners?
I scanned a content management system (CMS) with a few web application vulnerability scanners many, many times, then sniffed the requests and the responses. After all that I found that there is a unique USER-AGENT for each of these web app vuln scanners. In some of them you can change the USER-AGENT value, but in some this option is not implemented, and of course many users of the ones that do allow it never change the default USER-AGENT value. So this is a good way to identify web app vuln scanner software; however, it cannot fool elite users of these tools.
It was still a possibility, not a fact, so I decided to examine it.
I fired up IBM Rational AppScan, then checked the request that AppScan sent to the remote HTTP server. Its USER-AGENT was "Mozilla/4.0 (compatible; MSIE 6.0; Win32)".
You can also grab this USER-AGENT value with a short PHP snippet such as:







It writes the USER-AGENT value of anything (browser, web app scanner and so on) that requests this page into data.txt, next to the script itself.
Well, this gives a good way to fool these scanners: we serve them a fake 404 error page, eh?!
OK, let's write the code.





Then I scanned this page with AppScan automatically, and it detected only the 404 error. Next I found the Manual test in the Scan menu, sent a query, and again got a 404!
Finally I tried the AppScan Browser. I opened the page with it, and yes, there was the welcome message :-(

I checked it and found out that it uses a different USER-AGENT, so I grabbed that one and added it to the IF condition after an OR logical operator. Then I refreshed the page and finally got the 404 error :-)

Finally the code goes something like this:









Be careful about which USER-AGENT you are filtering in your code. If you filter a common USER-AGENT, many of the blameless visitors of your web site will see the 404 error page!!
Well, maybe it's not the best way, and writing a secure program is better, but there is always something you forget, and someone else who will [ab]use it to smash your web app! So this can be a guard between you and the artificial intelligence of these web app vuln scanners, though you cannot fool an elite user with these kinds of tricks. ;)
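The same trick as the PHP snippets above, written here as an added Python/WSGI example (not the post's own code): every visitor's USER-AGENT is appended to data.txt, and a request whose USER-AGENT exactly matches a listed scanner string gets the fake 404 instead of the welcome page. The AppScan Browser USER-AGENT is not printed in the post, so it is a labelled placeholder; exact matching is used so that ordinary IE6 visitors, whose strings only resemble the AppScan one, are not blocked.

```python
from typing import Optional, Tuple

# User-Agent strings of scanners to hide the site from. The first value is the
# one the post captured from IBM Rational AppScan; the second is a constructed
# placeholder for the AppScan Browser string, which the post does not quote.
SCANNER_USER_AGENTS = {
    "Mozilla/4.0 (compatible; MSIE 6.0; Win32)",   # IBM Rational AppScan
    "PLACEHOLDER-AppScan-Browser-User-Agent",      # assumption: fill in from your own capture
}

WELCOME = b"<h1>Welcome</h1>"
NOT_FOUND = b"<h1>404 Not Found</h1>"


def is_scanner(user_agent: str) -> bool:
    """Exact, case-sensitive match against the scanner list.

    A substring rule such as 'MSIE 6.0' would also match real IE6 visitors
    and show them the fake 404, which is the caveat the post warns about.
    """
    return user_agent.strip() in SCANNER_USER_AGENTS


def handle_request(environ: dict, log_path: Optional[str] = None) -> Tuple[str, bytes]:
    """Return (HTTP status line, body) for one request; optionally log the UA."""
    ua = environ.get("HTTP_USER_AGENT", "")
    if log_path:  # same idea as the post's data.txt logger
        with open(log_path, "a", encoding="utf-8") as fh:
            fh.write(ua + "\n")
    if is_scanner(ua):
        return "404 Not Found", NOT_FOUND
    return "200 OK", WELCOME


def app(environ, start_response):
    """Minimal WSGI wrapper so the handler can be served with wsgiref."""
    status, body = handle_request(environ, log_path="data.txt")
    start_response(status, [("Content-Type", "text/html"),
                            ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```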

That was all.

P.S.: this post is old, from more or less 7 months ago. I kept it in draft for some skit reasons but now decided to publish it.

Comments are welcome ;-)

Friday, May 15, 2009

Snoop Magazine news Releases

Another hi after a long time of silence on my blog. Anyway, it's good news, at least: I'm still alive!

In this period of time we were working on Snoop Digital Security Magazine!

Well, we have released 2 issues of the magazine!
One of them was No. 2 of Snoop Magazine and contains the topics below:

- Deep Look at SEH Overwrite Exploitation Techniques
- One Attack, One Solution.. (GreenSQL DB Firewall)
- Deep into Metasploit - Part 2
- Surf Jacking
- Analysis of CVE-2009-0658
- Introduction to Honeypots
- Using Dynamic IP Restrictions in IIS7
- Introduction to Cisco Security Solutions and CS-MARS
- Top 100 Network Security Tools
- Downadup/Conficker Detection
- .Net/Java Code Obfuscation


The next release was a special edition (No. 2.5) for the sake of the new Ubuntu release (9.04) and contains a couple of articles on the (in)security aspects of this distro. The topics are:


- Your Distro is Insecure: Ubuntu
- GnuPrivacyGuard HowTo
- Securing Ubuntu Linux
- Configure SSL in Ubuntu
- Getting Start with Firewall Builder
- OSX Tiger vs. Vista vs. Ubuntu

You can download all of these releases from the Snoop Magazine web site:
http://snoopmag.net/archive.html

After all, I want to thank all of my friends and colleagues at Snoop-Security, such as Adel Karimi, Shahriyar Jalayeri, Alireza Mohammadzade, Mohammad Sadegh Babaei, Vahid Amirian and the other fellas.

I hope you find it useful.
/aMIr

Sunday, March 22, 2009

Happy Norooz and MS !exploitable extension review

Hi guys,
yep, after all of this insomnia I'm still alive.
Microsoft today released a WinDbg extension named "!exploitable", and after some tests I reviewed it on the "Snoop Security Researching Community" blog; you can read that post here:

http://www.snoop-security.com/blog/?p=6

Other good news is that the new issue of Snoop Security Magazine is coming soon (cheers to Adel).
Oh, I forgot! Happy Norooz everyone. I wish you and your family a good year in peace and luck.

That was all.
/aMIr

Monday, March 2, 2009

I need INT3 on my life process

I know it has been a long time since I updated this blog; yep, that's my bad.
These days I'm really confused and mixed up. I'm in the process of reading, researching, writing and blah blah blah.
Before the next season of the year we'll release the next issue of the Snoop-Security Digital Magazine. If you haven't downloaded the first release you can grab it at www.snoopmag.net, and feel free to contact us about the articles' contents, sections, and everything else you think can help grow the value of this release. And if you want to write an article, contact me; however, we have a sufficient number of articles for this release, so we'll save your article for the next season's (spring) release.
IMHO this coming release has more useful stuff. You can wait and see these changes in the next release.
As I said in the beginning, I'm really confused, and it's been so long since I've slept!
God, please send an INT3 to my life's running process...

Wednesday, November 5, 2008

Snoop Digital Security Magazine No. #1 Released

Hi Everyone;

A while after starting this project, our magazine has finally been released, just right now.

Indisputably it's in our native language (Persian) and includes many good things, such as:


An Introduction To DNS And Kaminsky DNS Vulnerability
Wireless Packet Injection With Airpwn
Exploiting Office:MS08-011 Attacking using Malformed .WPS
Security Tools Review: Nipper
A Simple Reverse Engineering
Hacking JSON
Intrusion Prevention Systems
Security Books Review: Security Power Tools
Basic IPTables
Deep Into Metasploit - Part 1


http://mag.snoop-security.com

I hope you read it and find it useful.

I want to thank Netw0rm, Snake, L0pht, Black Scorpion, amytis and…

Snoop Security Researching Committee

sCORPINo

[UPDATE]: Because of the low bandwidth of our site, you can also download this issue of the magazine from the address below:
http://scorpino.parsaspace.com/magazine/SnoopDigitalMagNo1.pdf

Monday, October 20, 2008

don't check my Y! ID nosy

A simple trick, or just a light bulb in my curious mind.

Maybe you have seen web sites that check a Y! ID for invisibility and avatar photo. I won't link to them; you can find them on the WWW.
I was just thinking about how they work and what is behind the screen.
At the beginning I was thinking that your online/invisible/offline status is reported to Y! servers, and these web sites' robots check the invisibility and avatar photo from the Y! servers. That would be a fully passive way to gather information about you, and you could not do anything about it!
I was in curious mode and thinking about that when a light bulb suddenly came on in my head. I quickly fired up my favourite sniffer, Wireshark, and started it capturing traffic on the listening port of my Y! ID client (Pidgin), and I saw what I wanted. You can see it in the picture below; blah blah, everything is clear.

P.S.: Today I accidentally came across Metallica's new album, named "Death Magnetic". It was much better than the previous album of this group. On the previous album I just loved Frantic, but there are more lovely songs on this new one.

Wednesday, October 15, 2008

Obfuscating Your OS TCP Stack or The Way To OSfuscate

Just another TCP post!
There are many tools for TCP/IP stack fingerprinting to figure out the target operating system, and they all use fixed methods. Normally these tools send a SYN and wait for the SYN/ACK; when they receive that packet (or any response to their request) they analyze the packet's flag values and guess the OS.
Fyodor listed the TCP/IP stack fingerprinting methods in his article (nmap fingerprinting), and that list contains the methods below:
The FIN probe, the BOGUS flag probe, TCP ISN sampling, Don't Fragment bit, TCP initial window, ACK value, ICMP error message quenching, ICMP message quoting, ICMP error message echoing integrity, Type of Service, fragmentation handling, TCP options, SYN flood resistance

These methods are supported by nmap.
Here is a picture from the NetworkMiner tool that shows some active and passive fingerprinting results for a single IP address.


It's a Vista box with its default configuration.
After some changes you can see that p0f and Ettercap cannot detect the OS, although satori can still detect it by analyzing DHCP packets. It seems that Windows does not let you modify its DHCP packet configuration the way it lets you modify TCP.
This tool changes some values in your Windows registry, including these keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Tcp1323Opts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpUseRFC1122UrgentPointer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpWindowSize
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SackOpts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*\MTU


Here you can see the result of an nmap OS fingerprinting scan before and after using this tool:

before:
nmap -T Aggressive -O 192.168.1.123
PORT STATE SERVICE
3389/tcp open ms-term-serv
5357/tcp open unknown
MAC Address: 00:1A:70:3C:A6:3D (Cisco-Linksys)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING) : FreeBSD 6.X (92%), OpenBSD 4.X (92%), Microsoft Windows Vista (86%)
Aggressive OS guesses: FreeBSD 6.2-RELEASE (92%), OpenBSD 4.3 (92%), Microsoft Windows Vista (86%), Microsoft Windows Vista Home Basic (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop


and after:
nmap -T Aggressive -O 192.168.1.123
PORT STATE SERVICE
3389/tcp open ms-term-serv
5357/tcp open unknown
MAC Address: 00:1A:70:3C:A6:3D (Cisco-Linksys)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING) : FreeBSD 6.X (96%), OpenBSD 4.X (96%)
Aggressive OS guesses: FreeBSD 6.2-RELEASE (96%), OpenBSD 4.3 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
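To show why the registry changes above confuse passive tools such as p0f, here is an added Python example (not OSfuscate's or p0f's own code) of a tiny p0f-style matcher: it keys a SYN's initial TTL, DF bit, initial window, option layout, window scale and SACK flag against a signature table. The two signatures and the "default Vista" and "after OSfuscate" SYN values are constructed for illustration, not measured from the box in the post.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class SynFeatures:
    """Fields a passive fingerprinter reads from a single SYN packet."""
    ttl: int                   # TTL as seen on the wire (decremented per hop)
    df: bool                   # Don't Fragment bit (EnablePMTUDiscovery sets it)
    window: int                # TCP initial window (TcpWindowSize)
    options: Tuple[str, ...]   # option layout in order (Tcp1323Opts, SackOpts)
    wscale: Optional[int]      # window scale value, None if absent
    sack_ok: bool              # SACK-permitted option present


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value (DefaultTTL)."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return 255


# Constructed signature table: (name, initial TTL, DF, window, options, wscale, SACK).
# Values are assumptions for the example; a real p0f database is much larger.
SIGNATURES = (
    ("Windows Vista (assumed)", 128, True, 8192,
     ("mss", "nop", "ws", "nop", "nop", "sack"), 8, True),
    ("Linux 2.6 (assumed)", 64, True, 5840,
     ("mss", "sack", "ts", "nop", "ws"), 7, True),
)


def fingerprint(f: SynFeatures) -> str:
    """Return the signature name matching every field, or 'unknown'."""
    key = (initial_ttl(f.ttl), f.df, f.window, f.options, f.wscale, f.sack_ok)
    for name, *sig in SIGNATURES:
        if tuple(sig) == key:
            return name
    return "unknown"


def vista_default() -> SynFeatures:
    # one hop away, so TTL 128 is seen as 127
    return SynFeatures(127, True, 8192, ("mss", "nop", "ws", "nop", "nop", "sack"), 8, True)


def vista_osfuscated() -> SynFeatures:
    # assumed post-change values: DefaultTTL=64, PMTU discovery off, window 65535,
    # Tcp1323Opts and SackOpts disabled so only the MSS option remains
    return SynFeatures(63, False, 65535, ("mss",), None, False)
```

The constructed "after" values no longer match any signature, which is the same effect as the "Running (JUST GUESSING)" output above where the Vista guess disappears.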


It's not a stable or complete tool, and by the way, using this tool is at your own risk!!! It's recommended to try it out on a virtual machine OS if you want to.

This was just an introduction to the tool; the real post is at irongeek, so check it out, and there you can download OSfuscate 0.3 (the current version).

[update]: Although all of this confuses some tools, if your network uses DHCP addressing it is still easy to figure out your OS by using satori. Thanks to Eric for reminding me of my mistake; I appreciate Eric and his good work ;)
I'll try to work on it more in my future free time.
By the way, anyone can get satori from here.