Hi Everyone;
After a while from starting of this project finally our magazine released just right now.
Indisputably it's in our native language( persian ) and included many good stuffs such as:
An Inroduction To DNS And Kaminsky DNS Vulnerability
Wireless Packet Injection With Airpwn
Exploiting Office:MS08-011 Attacking using Malformed .WPS
Security Tools Review: Nipper
A Simple Reverse Engineering
Hacking JSON
Intrusion Prevention Systems
Security Books Review: Security Power Tools
Basic IPTables
Deep Into Metasploit - Part 1
http://mag.snoop-security.com
I hope you read it and find it useful.
I wanna thank from Netw0rm, Snake, L0pht, Black Scorpion, amytis and…
Snoop Security Researching Committee
sCORPINo
[UPDATE]:Because of low bandwidth of our site you can also download this number of magazine from below address:
http://scorpino.parsaspace.com/magazine/SnoopDigitalMagNo1.pdf
Wednesday, November 5, 2008
Monday, October 20, 2008
don't check my Y! ID nosy
A simple trick or just a light bulb on my curious mind.
May be you have seen web sites that check a Y! ID for invisibility and avatar photo.I don't link to them,you can find them in WWW.
I'm just thinking about how they work and what is behind the screen.
At beginning i was thinking that your online/invisible/offline status reported to Y! servers and these web sites robots check the invisibility and avatar photo from Y! servers and this is a full passive way to catch information about you and you can not do anything!
I had been in curious mode and thinking about that, immediately a light bulb came out of my head.I quickly fired up my fave sniffer wireshark and started it to capture traffic on my Y! ID client(pidgin) listening port and i saw what i wanted.You can look it in the below picture and blah blah..everything is clear..
P.S:Today I accidentally see metallica new album which named "Death Magnetic".It was much better than previous album of this group.In the previous album i just loved Frantic but there is more lovely songs in this new album..
May be you have seen web sites that check a Y! ID for invisibility and avatar photo.I don't link to them,you can find them in WWW.
I'm just thinking about how they work and what is behind the screen.
At beginning i was thinking that your online/invisible/offline status reported to Y! servers and these web sites robots check the invisibility and avatar photo from Y! servers and this is a full passive way to catch information about you and you can not do anything!
I had been in curious mode and thinking about that, immediately a light bulb came out of my head.I quickly fired up my fave sniffer wireshark and started it to capture traffic on my Y! ID client(pidgin) listening port and i saw what i wanted.You can look it in the below picture and blah blah..everything is clear..
P.S:Today I accidentally see metallica new album which named "Death Magnetic".It was much better than previous album of this group.In the previous album i just loved Frantic but there is more lovely songs in this new album..
Wednesday, October 15, 2008
Obfuscating Your OS TCP Stack or The Way To OSfuscate
Just another TCP post!
There is many tools for TCP/IP Stack Fingerprinting to figure out the target Operation System.all these tools use fixed methods.Normally these software send an SYN and wait for SYN/ACK , when they receive that packet(or any response to their request) they analyze the packet for Flag's value and guess the OS.
Fyodor listed TCP/IP stack Fingerprinting methods in his article(nmap fingerprinting) and that list contains below methods:
The FIN probe, The BOGUS flag probe, TCP ISN Sampling, Don't Fragment bit, TCP Initial Window, ACK Value, ICMP Error Message Quenching, ICMP Message Quoting, ICMP Error message echoing integrity, Type of Service, Fragmentation Handling, TCP Options, SYN Flood Resistance
these method supported by nmap.
there is a picture from Network Miner tool that show some active and passive fingerprinting result for a single IP address.
It's currently a Vista BoX that is with it's default configuration.
after some changes you can see that p0f and Ettercap can not detect the OS.although satori can detect by analyzing DHCP packets.It seems that windows does not allow you to modify it's DHCP packet configuration as well as TCP.
this tool change some value in your windows registry that include these keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Tcp1323Opts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpUseRFC1122UrgentPointer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpWindowSize
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SackOpts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*\MTU
here you can see result of nmap OS fingerprinting scan before and after using this tool:
before:
nmap -T Aggressive -O 192.168.1.123
PORT STATE SERVICE
3389/tcp open ms-term-serv
5357/tcp open unknown
MAC Address: 00:1A:70:3C:A6:3D (Cisco-Linksys)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING) : FreeBSD 6.X (92%), OpenBSD 4.X (92%), Microsoft Windows Vista (86%)
Aggressive OS guesses: FreeBSD 6.2-RELEASE (92%), OpenBSD 4.3 (92%), Microsoft Windows Vista (86%), Microsoft Windows Vista Home Basic (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
and after:
nmap -T Aggressive -O 192.168.1.123
PORT STATE SERVICE
3389/tcp open ms-term-serv
5357/tcp open unknown
MAC Address: 00:1A:70:3C:A6:3D (Cisco-Linksys)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING) : FreeBSD 6.X (96%), OpenBSD 4.X (96%)
Aggressive OS guesses: FreeBSD 6.2-RELEASE (96%), OpenBSD 4.3 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
it's not a stable and complete tool, and by the way using this tool is at your own risk!!! it's recommended to use it on a virtual machine OS if you wanna try it out.
it was just an introduce to this tool and real post is at irongeek, check out and there you can download OSfuscate 0.3(current version).
[update] : although all these works dizzy some tools,but still if your network use DHCP IP addressing,it's easy to figure out your OS by using satori.thanks Eric for the sake of reminding my mistake.I appreciate Eric and his good work;)
I'll try to works on it more in my future free times.
By the way anyone can access satoori from here.
There is many tools for TCP/IP Stack Fingerprinting to figure out the target Operation System.all these tools use fixed methods.Normally these software send an SYN and wait for SYN/ACK , when they receive that packet(or any response to their request) they analyze the packet for Flag's value and guess the OS.
Fyodor listed TCP/IP stack Fingerprinting methods in his article(nmap fingerprinting) and that list contains below methods:
The FIN probe, The BOGUS flag probe, TCP ISN Sampling, Don't Fragment bit, TCP Initial Window, ACK Value, ICMP Error Message Quenching, ICMP Message Quoting, ICMP Error message echoing integrity, Type of Service, Fragmentation Handling, TCP Options, SYN Flood Resistance
these method supported by nmap.
there is a picture from Network Miner tool that show some active and passive fingerprinting result for a single IP address.
It's currently a Vista BoX that is with it's default configuration.
after some changes you can see that p0f and Ettercap can not detect the OS.although satori can detect by analyzing DHCP packets.It seems that windows does not allow you to modify it's DHCP packet configuration as well as TCP.
this tool change some value in your windows registry that include these keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Tcp1323Opts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpUseRFC1122UrgentPointer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpWindowSize
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SackOpts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*\MTU
here you can see result of nmap OS fingerprinting scan before and after using this tool:
before:
nmap -T Aggressive -O 192.168.1.123
PORT STATE SERVICE
3389/tcp open ms-term-serv
5357/tcp open unknown
MAC Address: 00:1A:70:3C:A6:3D (Cisco-Linksys)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING) : FreeBSD 6.X (92%), OpenBSD 4.X (92%), Microsoft Windows Vista (86%)
Aggressive OS guesses: FreeBSD 6.2-RELEASE (92%), OpenBSD 4.3 (92%), Microsoft Windows Vista (86%), Microsoft Windows Vista Home Basic (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
and after:
nmap -T Aggressive -O 192.168.1.123
PORT STATE SERVICE
3389/tcp open ms-term-serv
5357/tcp open unknown
MAC Address: 00:1A:70:3C:A6:3D (Cisco-Linksys)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING) : FreeBSD 6.X (96%), OpenBSD 4.X (96%)
Aggressive OS guesses: FreeBSD 6.2-RELEASE (96%), OpenBSD 4.3 (96%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
it's not a stable and complete tool, and by the way using this tool is at your own risk!!! it's recommended to use it on a virtual machine OS if you wanna try it out.
it was just an introduce to this tool and real post is at irongeek, check out and there you can download OSfuscate 0.3(current version).
[update] : although all these works dizzy some tools,but still if your network use DHCP IP addressing,it's easy to figure out your OS by using satori.thanks Eric for the sake of reminding my mistake.I appreciate Eric and his good work;)
I'll try to works on it more in my future free times.
By the way anyone can access satoori from here.
Labels:
fingerprinting,
obfuscate TCP stack,
osfuscate,
TCP
Friday, October 10, 2008
TCP SYN Cookie Juji-gatame
once upon a time,when the TCP/IP invented in 1979,no one thought that it's goping to knocked out late in 2008.
If you are interested in computer security so you should heard about this big threat.
though complete technical information does not disclosured but this can not be a hoax.because the men whom discovered this issue are not stupid ones.probably you have an experience with Unicornscan that is one of this netherlandish company which it's name is Outpost24.It seems that they have found this vulnerability in their deep digging in TCP/IP to accomplish developing the unicornscan. They dig the TCP protocol stacks and found out that something is wrong with SYN Cookies.
well now if your system is available,you are on risk,so you should cut off an angle of security triangle(availability). This mean that your system security is absurd.
each system have a limited connection slot,when all of them are in use the system goes out of service.the goal of DoS(Denial of Service) is to reach this.they wanna keep you busy in order to no one can get service from you.
Outpost24 guys discovered this issue in 2005 and now they have written a TCP socket stress testing framework that named Sockstress.
They just noticed that there is such kind of vulnerability in TCP and the is such a tools to defeat all kind of devices that use TCP,and there is no technical disclosure about this issue.they haven't speak straightforward about this problem yet,and they said we are cooperating with vendors to solve this issue.
On the other side Fyodor, nmap programmer has disavow this and answered that this is not a new kind of vulnerability.He believes that they have rediscovered what he found in past years and performed in his private tools(Ndos).
I have no idea about it's a kind of dislike that Fyodor feels about Outpost24 and their Unicornscan or not,but as i said these guys news can't be a hoax.
they have offered some ways to defeat SYN Cookies and i mention them here as they told:
- To defeat Server side SYN Cookies...
- Employ Client side SYN Cookies
- Start with a random 32-bit number
- XOR this number against Client side of a
connection attempt (192.168.1.3:51242)
- Use output as ISN for SYN packets
- When Client receives SYN/ACK’s
- (Sequence Number - 1) XOR’d with 32-bit number reveals the client sending IP and port
- Client can now complete a full 3 way handshake without ever tracking anything in a table.
- Client can also transmit data on this connection
- No need on Client side to even keep a hash table. XOR is reversible.
that was all.
If you are interested in computer security so you should heard about this big threat.
though complete technical information does not disclosured but this can not be a hoax.because the men whom discovered this issue are not stupid ones.probably you have an experience with Unicornscan that is one of this netherlandish company which it's name is Outpost24.It seems that they have found this vulnerability in their deep digging in TCP/IP to accomplish developing the unicornscan. They dig the TCP protocol stacks and found out that something is wrong with SYN Cookies.
well now if your system is available,you are on risk,so you should cut off an angle of security triangle(availability). This mean that your system security is absurd.
each system have a limited connection slot,when all of them are in use the system goes out of service.the goal of DoS(Denial of Service) is to reach this.they wanna keep you busy in order to no one can get service from you.
Outpost24 guys discovered this issue in 2005 and now they have written a TCP socket stress testing framework that named Sockstress.
They just noticed that there is such kind of vulnerability in TCP and the is such a tools to defeat all kind of devices that use TCP,and there is no technical disclosure about this issue.they haven't speak straightforward about this problem yet,and they said we are cooperating with vendors to solve this issue.
On the other side Fyodor, nmap programmer has disavow this and answered that this is not a new kind of vulnerability.He believes that they have rediscovered what he found in past years and performed in his private tools(Ndos).
I have no idea about it's a kind of dislike that Fyodor feels about Outpost24 and their Unicornscan or not,but as i said these guys news can't be a hoax.
they have offered some ways to defeat SYN Cookies and i mention them here as they told:
- To defeat Server side SYN Cookies...
- Employ Client side SYN Cookies
- Start with a random 32-bit number
- XOR this number against Client side of a
connection attempt (192.168.1.3:51242)
- Use output as ISN for SYN packets
- When Client receives SYN/ACK’s
- (Sequence Number - 1) XOR’d with 32-bit number reveals the client sending IP and port
- Client can now complete a full 3 way handshake without ever tracking anything in a table.
- Client can also transmit data on this connection
- No need on Client side to even keep a hash table. XOR is reversible.
that was all.
Sunday, October 5, 2008
Netcat Power Tools Book Review
I have seen this book approximately 2 weeks ago.I got it,but indeed i was not in mood to read it.so i leave it alone in a folder and continue reading my other incomplete books.2 days ago i have seen a post , and it abet me(why? i don't know!)to read this thin book.
Yes,it just finished and i am dangling with something in this book!
At first look it may give you an adventure feel for discovering netcat power tools! umm,I'm not going to stop you from this feel,but i think this book could be better with a fair name and may be something more..
In the beginning of book,i bet you get crazy with repeating of two words: "Server" and "Client" . He has repeated these words over and over.It can repulse a new one who is going to read about a simple security tool such Netcat.
Next thing that must be mentioned is a huge headline in the first chapter.He almost said all of his book briefly in first chapter.
He named netcat as an powerful Banner Grabbing tools! I think always there is more than a simple banner that you get by connecting to a port from netcat.It's cool but not always.Sometimes banners are hidden and also sometimes spoofed,so you need more thing than netcat.Well in this situation netcat can be handy when you have a pattern from many known software that usually listen on a specific port(such as webservers on port 80).
Author mentioned all about windows and Unix/linux version of netcat but it didn't see anything that he notify about absence of -q switch in windows version(you see?!).
Repeating of fixed headline make me bored from this book.For example he has repeated port scanning in chapter 1, 2, 3 and 7.They are almost all alike!
Author has filled many pages with base of some simple protocol and this is not good.He could reference them.
I think this book could name "Computer forensics tools tips and tricks".It could be a graceful name for this book.
Huge list of tips and tricks are great but not plenty.for example it could include the trick of using netcat as an simple web server.it comes very handy.this can be implemented by using bash same this(i can't put code in blog post!why?!):
Simple and useful;)
There is some strange headline in this book such as using nmap and etc.
But a good inform about cryptcat is so good.
anyway i appreciate the author because of writing books for starter, however there are many blame on him.
Yes,it just finished and i am dangling with something in this book!
At first look it may give you an adventure feel for discovering netcat power tools! umm,I'm not going to stop you from this feel,but i think this book could be better with a fair name and may be something more..
In the beginning of book,i bet you get crazy with repeating of two words: "Server" and "Client" . He has repeated these words over and over.It can repulse a new one who is going to read about a simple security tool such Netcat.
Next thing that must be mentioned is a huge headline in the first chapter.He almost said all of his book briefly in first chapter.
He named netcat as an powerful Banner Grabbing tools! I think always there is more than a simple banner that you get by connecting to a port from netcat.It's cool but not always.Sometimes banners are hidden and also sometimes spoofed,so you need more thing than netcat.Well in this situation netcat can be handy when you have a pattern from many known software that usually listen on a specific port(such as webservers on port 80).
Author mentioned all about windows and Unix/linux version of netcat but it didn't see anything that he notify about absence of -q switch in windows version(you see?!).
Repeating of fixed headline make me bored from this book.For example he has repeated port scanning in chapter 1, 2, 3 and 7.They are almost all alike!
Author has filled many pages with base of some simple protocol and this is not good.He could reference them.
I think this book could name "Computer forensics tools tips and tricks".It could be a graceful name for this book.
Huge list of tips and tricks are great but not plenty.for example it could include the trick of using netcat as an simple web server.it comes very handy.this can be implemented by using bash same this(i can't put code in blog post!why?!):
Simple and useful;)
There is some strange headline in this book such as using nmap and etc.
But a good inform about cryptcat is so good.
anyway i appreciate the author because of writing books for starter, however there are many blame on him.
Saturday, October 4, 2008
Computer comes with exception
Computers are sometimes exceptional.their act make us wonderful.
for example doing some work with computer is your daily job and always you do a routine task.It always seems normal and after many many times it sounds a good way to do this task.but very chancy one time that you are doing this routine job,something go wrong!
yes you try to fire up your intelligence mind and solve this problem.may be it get a long time to solve this problem to you,and may be it will be solved with a lil trick.absolutely it depends on your experience and may be your fortune.
But there is many many occasion that not computer logic exceptional.because many events are based on concepts.concepts always forced by us to computers.some concepts are documented and some not.some are intentional and some not.
I believe the exceptional that i said at beginning of this post is a kind of inadvertent undocumented concepts.They forced to the computer by writing the codes from programmer.The computer never disobeys from programmer in normal mode,because it's logic is based on the obey.
So we must try to be careful about any concept that we are learning to computer!
yes,this is very important.If we want,we can teach computer to disobey us.we can force computers to disobey us,and this may be the last obey of computer from us.They can learn from us to be our malicious foe.
So,be careful about what concept you are learning to your computer...
for example doing some work with computer is your daily job and always you do a routine task.It always seems normal and after many many times it sounds a good way to do this task.but very chancy one time that you are doing this routine job,something go wrong!
yes you try to fire up your intelligence mind and solve this problem.may be it get a long time to solve this problem to you,and may be it will be solved with a lil trick.absolutely it depends on your experience and may be your fortune.
But there is many many occasion that not computer logic exceptional.because many events are based on concepts.concepts always forced by us to computers.some concepts are documented and some not.some are intentional and some not.
I believe the exceptional that i said at beginning of this post is a kind of inadvertent undocumented concepts.They forced to the computer by writing the codes from programmer.The computer never disobeys from programmer in normal mode,because it's logic is based on the obey.
So we must try to be careful about any concept that we are learning to computer!
yes,this is very important.If we want,we can teach computer to disobey us.we can force computers to disobey us,and this may be the last obey of computer from us.They can learn from us to be our malicious foe.
So,be careful about what concept you are learning to your computer...
Subscribe to:
Posts (Atom)