Friday, June 26, 2009

Gmail Account Hacking Tool

A tool that automatically steals IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers’ conference in Las Vegas.

Last week Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action involving Gmail, and not only, authentication. Users who did not turn it on now have a serious reason to do so as Mike Perry, the reverse engineer from San Francisco who developed the tool is planning to release it in two weeks.

When you log in to Gmail the website sends a cookie (a text file) containing your session ID to the browser. This file makes it possible for the website to know that you are authenticated and keep you logged in for two weeks, unless you manually hit the sign out button. When you hit sign out this cookie is cleared.

Even though when you log in, Gmail forces the authentication over SSL (Secure Socket Layer), you are not secure because it reverts back to a regular unencrypted connection after the authentication is done. According to Google this behavior was chosen because of low-bandwidth users, as SLL connections are slower.

The problem lies with the fact that every time you access anything on Gmail, even an image, your browser also sends your cookie to the website. This makes it possible for an attacker sniffing traffic on the network to insert an image served from http://mail.google.com and force your browser to send the cookie file, thus getting your session ID. Once this happens the attacker can log in to the account without the need of a password. People checking their e-mail from public wireless hotspots are obviously more likely to get attacked than the ones using secure wired networks. Todd Mumford, from the SEO company called SEO Visions Inc, states “This can be a serious problem for Internet Marketers who travel often and use their wireless laptops and Gmal services often and do not always have access to a secure connection”

Perry mentioned that he notified Google about this situation over a year ago and even though eventually it made this option available, he is not happy with the lack of information. “Google did not explain why using this new feature was so important” he said. He continued and explained the implications of not informing the users, “This gives people who routinely log in to Gmail beginning with an https:// session a false sense of security, because they think they’re secure but they’re really not.”

If you are logging in to your Gmail account from different locations and you would like to benefit from this option only when you are using unsecured networks, you can force it by manually typing https://mail.google.com before you log in. This will access the SSL version of Gmail and it will be persistent over your entire session and not only during authentication.

Download Free Softwares, Games, Movies and lot of Hacking Stuff from 50+ FTP Sites

Internet definitely has several unheard places also known as underground websites, few of these website offer users 100s and 1000s of softwares, games, movies and lot of Hacking Stuff for downloads. Though these sites are pretty tough to find, I was able to unearth more than 50+ FTP sites that allow users to download softwares, games, movies and lot of Hacking tools for free.

Here is a list of 50+ FTP sites that will allow you download content for free. Don’t forget to share and bookmark this page so that everyone can take advantage of it.

1. ftp://ftp.freenet.de/pub/filepilot/
2. ftp://193.43.36.131/Radio/MP3/
3. ftp://195.216.160.175/
4. ftp://207.71.8.54:21/games/
5. ftp://194.44.214.3/pub/music/
6. ftp://202.118.66.15/pub/books
7. ftp://129.241.210.42/pub/games/
8. ftp://clubmusic:clubmusic@217.172.16.3:8778/
9. ftp://212.174.160.21/games
10. ftp://ftp.uar.net/pub/e-books/
11. ftp://129.241.210.42/pub/games/
12. ftp://193.231.238.4/pub/
13. ftp://207.71.8.54/games/
14. ftp://194.187.207.98/video/
15. ftp://194.187.207.98/music/
16. ftp://194.187.207.98/soft/
17. ftp://194.187.207.98/games/
18. ftp://ftp.uglan.ck.ua/
19. ftp://159.153.197.74/pub
20. ftp://leech:l33ch@61.145.123.141:5632/
21. ftp://psy:psy@ftp.cybersky.ru
22. ftp://130.89.175.1/pub/games/
23. ftp://194.44.214.3/pub/
24. ftp://195.116.114.144:21/
25. ftp://64.17.191.56:21/
26. ftp://80.255.128.148:21/pub/
27. ftp://83.149.236.35:21/packages/
28. ftp://129.241.56.118/
29. ftp://81.198.60.10:21/
30. ftp://128.10.252.10/pub/
31. ftp://129.241.210.42/pub/
32. ftp://137.189.4.14/pub
33. ftp://139.174.2.36/pub/
34. ftp://147.178.1.101/
35. ftp://156.17.62.99/
36. ftp://159.153.197.74/pub/
37. ftp://193.140.54.18/pub/
38. ftp://192.67.63.35/
39. ftp://166.70.161.34/
40. ftp://195.161.112.15/musik/
41. ftp://195.161.112.15/
42. ftp://195.131.10.164/software
43. ftp://195.146.65.20/pub/win/
44. ftp://199.166.210.164/
45. ftp://195.46.96.194/pub/
46. ftp://61.136.76.236/
47. ftp://61.154.14.248/
48. ftp://62.210.158.81/
49. ftp://62.232.57.61/
50. ftp://212.122.1.85/pub/software/
51. ftp://193.125.152.110/pub/.1/misc/sounds/mp3/murray/

DDoS Attacks and DDoS Defense Mechanisms

Introduction

Distributed denial-of-service attacks (DDoS) pose an immense threat to the Internet, and consequently many defense mechanisms have been proposed to combat them. Attackers constantly modify their tools to bypass these security systems, and researchers in turn modify their approaches to handle new attacks.The DDoS field is evolving quickly, and it is becoming increasingly hard to grasp a global view of the problem.

DDoS Attack Overview

A denial-of-service attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. A distributed denial-of-service attack deploys multiple machines to attain this goal. The service is denied by sending a stream of packets to a victim that either consumes some key resource, thus rendering it unavailable to legitimate clients, or provides the attacker with unlimited access to the victim machine so he can inflict arbitrary damage. This section will answer the following questions:

1. What makes DDoS attacks possible?
2. How do these attacks occur?
3. Why do they occur?

Internet Architecture

The Internet is managed in a distributed manner; therefore no common policy can be enforced among its participants.Such design opens several security issues that provide opportunities for distributed denial-of-service attacks:

1. Internet security is highly interdependent. DDoS attacks are commonly launched from systems that are subverted through security related compromises. Regardless of how well secured the victim system may be, its susceptibility to DDoS attacks depends on the state of security in the rest of the global Internet.

2. Internet resource is limited. Each Internet host has limited resources that can be consumed by a sufficient number of users.

3. Power of many is greater than power of few. Coordinated and simultaneous malicious actions by some participants can always be detrimental to others, if the resources of the attackers are greater than the resources of the victims.

4. Intelligence and resources are not collocated an end-to-end communication paradigm led to locating most of the intelligence needed for service guarantees with end hosts. At the same time, a desire for large throughput led to the design of high bandwidth pathways in the intermediate network. Thus, malicious clients can misuse the abundant resources of unwitting network for delivery of numerous messages to a victim.

DDoS Attack Strategy

In order to perform a distributed denial-of-service attack, the attacker needs to recruit the multiple agent (slave) machines. This process is usually performed automatically through scanning of remote machines, looking for security holes that would enable subversion. Vulnerable machines are then exploited by using the discovered vulnerability to gain access to the machine, and they are infected with the attack code. The exploit/infection phase is also automated, and the infected machines can be used for further recruitment of new agents .Agent machines perform the attack against the victim. Attackers usually hide the identity of the agent machines during the attack through spoofing of the source address field in packets. The agent machines can thus be reused for future attacks.

DDoS Goals

The goal of a DDoS attack is to inflict damage on the victim, either for personal reasons (a significant number of DDoS attacks are against home computers, presumably for purposes of revenge), for material gain (damaging competitor’s resources) or for popularity (successful attacks on popular Web servers gain the respect of the hacker community).

Taxonomy of DDoS Attacks

In order to devise a taxonomy of distributed denialof- service attacks we observe the means used to prepare and perform the attack, the characteristics of the attack itself and the effect it has on the victim. Various classification criteria are indicated in bold type. Figure 1 summarizes the taxonomy.

Classification by Degree of Automation

During the attack preparation, the attacker needs to locate prospective agent machines and infect them with the attack code. Based on the degree of automation of the attack, we differentiate between manual, semi-automatic and automatic DDoS attacks.

Manual Attacks
Only the early DDoS attacks belonged to the manual category. The attacker scanned remote machines for vulnerabilities, broke into them and installed the attack code, and then commanded the onset of the attack. All of these actions were soon automated, leading to development of semiautomatic DDoS attacks, the category where most contemporary attacks belong.

Semi-Automatic Attacks

In semi-automatic attacks, the DDoS network consists of handler (master) and agent (slave, daemon) machines. The attacker deploys automated scripts for scanning and compromise of those machines and installation of the attack code. He then uses handler machines to specify the attack type and the victim’s address and to command the onset of the attack to agents, who send packets to the victim. Based on the communication mechanism deployed between agent and handler machines we divide semi-automatic attacks into attacks with direct communication and attacks with indirect communication.

Attacks with direct communication

During attacks with direct communication, the agent and handler machines need to know each other’s identity in order to communicate. This is achieved by hard-coding the IP address of the handler machines in the attack code that is later installed on the agent. Each agent then reports its readiness to the handlers, who store its IP address in a file for later communication. The obvious drawback of this approach is that discovery of one compromised machine can expose the whole DDoS network. Also, since agents and handlers listen to network connections, they are identifiable by network scanners.

Attacks with indirect communication

Attacks with indirect communication deploy a level of indirection to increase the survivability of a DDoS network.Recent attacks provide the example of using IRC channels for agent/handler communication. The use of IRC services replaces the function of a handler, since the IRC channel offers sufficient anonymity to the attacker. Since DDoS agents establish outbound connections to a standard service port used by a legitimate network service, agent communications to the control point may not be easily differentiated from legitimate network traffic. The agents do not incorporate a listening port that is easily detectable with network scanners. An attacker controls the agents using IRC communications channels. Thus, discovery of a single agent may lead no further than the identification of one or more IRC servers and channel names used by the DDoS network. From there, identification of the DDoS network depends on the ability to track agents currently connected to the IRC server. Although the IRC service is the only current example of indirect communication, there is nothing to prevent attackers from subverting other legitimate services for similar purposes.

Automatic Attacks

Automatic DDoS attacks additionally automate the attack phase, thus avoiding the need for communication between attacker and agent machines. The time of the onset of the attack,
attack type, duration and victim’s address is preprogrammed in the attack code. It is obvious that such deployment mechanisms offer minimal exposure to the attacker, since he is only involved in issuing a single command – the start of the attack script. The hard coded attack specification suggests a single-purpose use of the DDoS network. However, the propagation mechanisms usually leave the backdoor to the compromised DDoS machine open, enabling easy future access and modification of the attack code. Both semi-automatic and automatic attacks recruit the agent machines by deploying automatic scanning and propagation techniques. Based on the scanning strategy, we differentiate between attacks that deploy random scanning, hit list scanning, topological scanning, permutation scanning and local subnet scanning. Attackers usually combine the scanning and exploitation phases, thus gaining a larger agent population, and my description of scanning techniques relates to this model.

Attacks with Random Scanning

During random scanning each compromised host probes random addresses in the IP address space, using a different seed. This potentially creates a high traffic volume since many machines probe the same addresses. Code Red (CRv2) performed random scanning .

Attacks with Hitlist Scanning

A machine performing hitlist scanning probes all addresses from an externally supplied list. When it detects the vulnerable machine, it sends one half of the initial hitlist to the recipient and keeps the other half. This technique allows for great propagation speed (due to exponential spread) and no collisions during the scanning phase. An attack deploying hitlist scanning could obtain the list from netscan.org of domains that still support directed IP broadcast and can thus be used for a Smurf attack.

Attacks with Topological Scanning

Topological scanning uses the information on the compromised host to select new targets. All mail worms use topological scanning, exploiting the information from address books for their spread.

Attacks with Permutation Scanning

During permutation scanning, all compromised machines share a common pseudo-random permutation of the IP address space; each IP address is mapped to an index in this permutation. A machine begins scanning by using the index computed from its IP address as a starting point. Whenever it sees an already infected machine, it chooses a new random start point. This has the effect of providing a semi coordinated, comprehensive scan while maintaining the benefits of random probing. This technique is described in as not yet deployed.

Attacks with Local Subnet Scanning

Local subnet scanning can be added to any of the previously described techniques to preferentially scan for targets that reside on the same subnet as the compromised host. Using this technique, a single copy of the scanning program can compromise many vulnerable machines behind a firewall. Code Red II and Nimda Worm used local subnet scanning. Based on the attack code propagation mechanism, we differentiate between attacks that deploy central source propagation, back-chaining propagation and autonomous propagation .

Attacks with Central Source Propagation

During central source propagation, the attack code resides on a central server or set of servers.
After compromise of the agent machine, the code is downloaded from the central source through a file transfer mechanism. The 1i0n worm operated in this manner.

Attacks with Back-chaining Propagation

During back-chaining propagation, the attack code is downloaded from the machine that was used to exploit the system.The infected machine then becomes the source for the next propagation step. Back-chaining propagation is more survivable than central-source propagation since it avoids a single point of failure. The Ramen worm and Morris Worm used backchaining propagation.

Attacks with Autonomous Propagation

Autonomous propagation avoids the file retrieval step by injecting attack instructions directly into the target host during the exploitation phase. Code Red, Warhol Worm and numerous E-mail worms use autonomous propagation.

Classification by Exploited Vulnerability

Distributed denial-of-service attacks exploit different strategies to deny the service of the victim to its clients. Based on the vulnerability that is targeted during an attack, we differentiate between protocol attacks and brute-force attacks.

Protocol Attacks

Protocol attacks exploit a specific feature or implementation bug of some protocol installed at the victim in order to consume excess amounts of its resources. Examples include the TCP SYN attack, the CGI request attack and the authentication server attack. In the TCP SYN attack, the exploited feature is the allocation of substantial space in a connection queue immediately upon receipt of a TCP SYN request. The attacker initiates multiple connections
that are never completed, thus filling up the connection queue indefinitely. In the CGI request attack, the attacker consumes the CPU time of the victim by issuing multiple CGI requests. In the authentication server attack, the attacker exploits the fact that the signature verification process consumes significantly more resources than bogus signature generation. He sends numerous bogus authentication requests to the server, tying up its resources.

Brute-force Attacks

Brute-force attacks are performed by initiating a vast amount of seemingly legitimate transactions. Since an upstream network can usually deliver higher traffic volume than the victim network can handle, this exhausts the victim’s resources. We further divide brute-force attacks based on the relation of packet contents with victim services into filterable and non-filterable attacks.

Filterable Attacks

Filterable attacks use bogus packets or packets for non-critical services of the victim’s operation, and thus can be filtered by a firewall. Examples of such attacks are a UDP flood attack or an
ICMP request flood attack on a Web server.

Non-filterable Attacks

Non-filterable attacks use packets that request legitimate services from the victim. Thus, filtering all packets that match the attack signature would lead to an immediate denial of the specified service to both attackers and the legitimate clients. Examples are a HTTP request flood targeting a Web server or a DNS request flood targeting a name server. The line between protocol and brute force attacks is thin. Protocol attacks also overwhelm a victim’s resources with excess traffic, and badly designed protocol features at remote hosts are frequently used to perform “reflector” brute-force attacks, such as the DNS request attack or the Smurf attack. The difference is that a victim can mitigate the effect of protocol attacks by modifying the deployed protocols at its site, while it is helpless against brute-force attacks due to their misuse of legitimate services (non-filterable attacks) or due to its own limited resources (a victim can do nothing about an attack that swamps its network bandwidth). Countering protocol attacks by modifying the deployed protocol pushes the corresponding attack mechanism into the brute-force category. For example, if the victim deploys TCP SYN cookies to combat TCP SYN attacks, it will still be vulnerable to TCP SYN attacks that generate more requests than its network can accommodate. However, the brute-force attacks need to generate a much higher volume of attack packets than protocol attacks, to inflict damage at the victim. So by modifying the deployed protocols the victim pushes the vulnerability limit higher. Evidently, classification of the specific attack needs to take into account both the attack mechanisms used and the victim’s configuration. It is interesting to note that the variability of attack packet contents is determined by the exploited vulnerability. Packets comprising protocol and non-filterable brute force attacks must specify some valid header fields and possibly some valid contents. For example TCP SYN attack packets cannot vary the protocol or flag field, and HTTP flood packets must belong to an established TCP connection and therefore cannot spoof source addresses, unless they hijack connections from legitimate clients.

Classification by Attack Rate Dynamics

Depending on the attack rate dynamics we differentiate between continuous rate and variable rate attacks.

Continuous Rate Attacks

The majority of known attacks deploy a continuous rate mechanism. After the onset is commanded, agent machines generate the attack packets with full force. This sudden packet flood disrupts the victim’s services quickly, and thus leads to attack detection.

Variable Rate Attacks

Variable rate attacks are more cautious in their engagement, and they vary the attack rate to avoid detection and response. Based on the rate change mechanism we differentiate between attacks with increasing rate and fluctuating rate
.
Increasing Rate Attacks

Attacks that have a gradually increasing rate lead to a slow exhaustion of victim’s resources. A state change of the victim could be so gradual that its services degrade slowly over a long time period, thus delaying detection of the attack.

Fluctuating Rate Attacks

Attacks that have a fluctuating rate adjust the attack rate based on the victim’s behavior, occasionally relieving the effect to avoid detection. At the extreme end, there is the example of pulsing attacks. During pulsing attacks, agent hosts periodically abort the attack and resume it at a later time. If this behavior is simultaneous for all agents, the victim experiences periodic service disruptions. If, however, agents are divided into groups who coordinate so that one group is always active, then the victim experiences continuous denial of service.

Classification by Impact

Depending on the impact of a DDoS attack on the victim we differentiate between disruptive and degrading attacks.

Disruptive Attacks

The goal of disruptive attacks is to completely deny the victim’s service to its clients. All currently known attacks belong to this category.

Degrading Attacks

The goal of degrading attacks would be to consume some (presumably constant) portion of a victim’s resources. Since these attacks do not lead to total service disruption, they could remain undetected for a significant time period. On the other hand, damage inflicted on the victim could be immense. For example, an attack that effectively ties up 30% of the victim’s resources would lead to denial of service to some percentage of customers during high load periods, and possibly slower average service. Some customers, dissatisfied with the quality, would consequently change their service provider and victim would thus lose income. Alternately, the false load could result in a victim spending money to upgrade its servers and networks.

Taxonomy of DDoS Defense Mechanisms

The seriousness of the DDoS problem and the increased frequency of DDoS attacks have led to the advent of numerous DDoS defense mechanisms. Some of these mechanisms address a specific kind of DDoS attack such as attacks on Web servers or authentication servers. Other approaches attempt to solve the entire generic DDoS problem. Most of the proposed approaches require certain features to achieve their peak performance, and will perform quite differently if deployed in an environment where these requirements are not met.
As is frequently pointed out, there is no “ram ban (means the weapon which never misses the target in hindi)” against DDoS attacks. Therefore we need to understand not only each existing DDoS defense approach, but also how those approaches might be combined together to effectively and completely solve the problem.

Classification by Activity Level

Based on the activity level of DDoS defense mechanisms, we differentiate between preventive and reactive mechanisms.

Preventive Mechanisms

The goal of preventive mechanisms is either to eliminate the possibility of DDoS attacks altogether or to enable potential victims to endure the attack without denying services to legitimate clients. According to these goals we further divide preventive mechanisms into attack prevention and denial-of-service prevention mechanisms.

Attack Prevention Mechanisms
Attack prevention mechanisms modify the system configuration to eliminate the possibility of a DDoS attack. Based on the target they secure, we further divide them into system security and protocol security mechanisms.

System Security Mechanisms

System security mechanisms increase the overall security of the system, guarding against illegitimate accesses to the machine, removing application bugs and updating protocol installations to prevent intrusions and misuse of the system. DDoS attacks owe their power to large numbers of subverted machines that cooperatively generate the attack streams. If these machines were secured, the attackers would lose their army and the DDoS threat would then disappear. On the other hand, systems vulnerable to intrusions can themselves become victims of DDoS attacks in which the attacker, having gained unlimited access to the machine, deletes or alters its contents. Potential victims of DDoS attacks can be easily overwhelmed if they deploy vulnerable protocols. Examples of system security mechanisms include monitored access to the machine, applications that download and install security patches, firewall systems, virus scanners, intrusion detection systems, access lists for critical resources, capability-based systems and client-legitimacy-based systems. The history of computer security suggests that this approach can never be 100% effective, but doing a good job here will certainly decrease the frequency and strength of DDoS attacks.

Protocol Security Mechanisms

Protocol security mechanisms address the problem of bad protocol design. Many protocols contain operations that are cheap for the client but expensive for the server. Such protocols can be misused to exhaust the resources of a server by initiating large numbers of simultaneous transactions. Classic misuse examples are the TCP SYN attack, the authentication server attack, and the fragmented packet attack, in which the attacker bombards the victim with malformed packet fragments forcing it to waste its resources on reassembling attempts. Examples of protocol security mechanisms include guidelines for a safe protocol design in which resources are committed to the client only after sufficient authentication is done , or the client has paid a sufficient price , deployment of powerful proxy server that completes TCP connections , etc. Deploying comprehensive protocol and system security mechanisms can make the victim completely resilient to protocol attacks. Also, these approaches are inherently compatible with and complementary to all other approaches.
Denial-of-service prevention mechanisms enable the victim to endure attack attempts without denying service to legitimate clients. This is done either by enforcing policies for resource consumption or by ensuring that abundant resources exist so that legitimate clients will not be affected by the attack. Consequently, based on the prevention method, we differentiate between resource accounting and resource multiplication mechanisms.

Resource Accounting Mechanisms

Resource accounting mechanisms police the access of each user to resources based on the privileges of the user and his behavior. Such mechanisms guarantee fair service to legitimate well-behaving users. In order to avoid user identity theft, they are usually coupled with legitimacy-based access mechanisms that verify the user’s identity. Approaches proposed in illustrate resource accounting mechanisms.

Resource Multiplication Mechanisms

Resource multiplication mechanisms provide an abundance of resources to counter DDoS threats. The straightforward example is a system that deploys a pool of servers with a load balancer and installs high bandwidth links between itself and upstream routers. This approach essentially raises the bar on how many machines must participate in an attack to be effective. While not providing perfect protection, for those who can afford the costs, this approach has often proven sufficient. For example, Microsoft has used it to weather large DDoS attacks.

Reactive Mechanisms

Reactive mechanisms strive to alleviate the impact of an attack on the victim. In order to attain this goal they need to detect the attack and respond to it. The goal of attack detection is to detect every attempted DDoS attack as early as possible and to have a low degree of false positives. Upon attack detection, steps can be taken to characterize the packets belonging to the attack stream and provide this characterization to the response mechanism. We classify reactive mechanisms based on the attack detection strategy into mechanisms that deploy pattern detection, anomaly detection, hybrid detection, and third-party detection.

Mechanisms with Pattern Attack Detection

Mechanisms that deploy pattern detection store the signatures of known attacks in a database. Each communication is monitored and compared with database entries to discover occurrences of DDoS attacks. Occasionally, the database is updated with new attack signatures. The obvious drawback of this detection mechanism is that it can only detect known attacks, and it is usually helpless against new attacks or even slight variations of old attacks that cannot be matched to the stored signature. On the other hand, known attacks are easily and reliably detected, and no false positives are encountered

Mechanisms with Anomaly Attack Detection

Mechanisms that deploy anomaly detection have a model of normal system behavior, such as a model of normal traffic dynamics or expected system performance. The current state of the system is periodically compared with the models to detect anomalies. Approaches presented in provide examples of mechanisms that use anomaly detection. The advantage of anomaly detection over pattern detection is that unknown attacks can be discovered. However, anomaly-based detection has to address two issues:

1. Threshold setting. Anomalies are detected when the current system state differs from the model by a certain threshold. The setting of a low threshold leads to many false positives, while a high threshold reduces the sensitivity of the detection mechanism.

2. Model update. Systems and communication patterns evolve with time, and models need to be updated to reflect this change. Anomaly based systems usually perform automatic model update using statistics gathered at a time when no attack was detected. This approach makes the detection mechanism vulnerable to increasing rate attacks that can mistrial models and delay or even avoid attack detection.

Mechanisms with Hybrid Attack Detection

Mechanisms that deploy hybrid detection combine the pattern-based and anomaly-based detection, using data about attacks discovered through an anomaly detection mechanism to devise new attack signatures and update the database. Many intrusion detection systems use hybrid detection. If these systems are fully automated, properly extracting a signature from a detected attack can be challenging. The system must be careful not to permit attackers to fool it into detecting normal behavior as an attack signature, or the system itself becomes a denial-of-service tool.

Mechanisms with Third-Party Attack Detection

Mechanisms that deploy third-party detection do not handle the detection process themselves, but rely on an external message that signals the occurrence of the attack and provides attack characterization. Examples of mechanisms that use third-party detection are easily found among trace back mechanisms The goal of the attack response is to relieve the impact of the attack on the victim, while imposing minimal collateral damage to legitimate clients of the victim. I classify reactive mechanisms based on the response strategy into mechanisms that deploy agent identification, rate-limiting, filtering and reconfiguration approaches.

Agent Identification Mechanisms

Agent identification mechanisms provide the victim with information about the identity of the machines that are performing the attack. This information can then be combined with other response approaches to alleviate the impact of the attack. Agent identification examples include numerous trace back techniques and approaches that eliminate spoofing thus enabling use of the source address field for agent identification.

Rate-Limiting Mechanisms

Rate-limiting mechanisms impose a rate limit on a stream that has been characterized as malicious by the detection mechanism. Examples of rate limiting mechanisms are found in Rate limiting is a lenient response technique that is usually deployed when the detection mechanism has a high level of false positives or cannot precisely characterize the attack stream. The disadvantage is that they allow some attack traffic through, so extremely high scale attacks might still be effective even if all traffic streams are rate-limited.

Filtering Mechanisms

Filtering mechanisms use the characterization provided by a detection mechanism to filter out the attack stream completely. Examples include dynamically deployed firewalls , and also a commercial system Traffic Master . Unless detection strategy is very reliable, filtering mechanisms run the risk of accidentally denying service to legitimate traffic. Worse, clever attackers might leverage them as denial-of service tools.

Reconfiguration Mechanisms

Reconfiguration mechanisms change the topology of the victim or the intermediate network to either add more resources to the victim or to isolate the attack machines. Examples include reconfigurable overlay networks, resource replication services, attack isolation strategies etc. Reactive DDoS defense mechanisms can perform detection and response either alone or in cooperation with other entities in the Internet. Based on the cooperation degree we differentiate between autonomous, cooperative and interdependent mechanisms.

Autonomous Mechanisms

Autonomous mechanisms perform independent attack detection and response. They are usually deployed at a single point in the Internet and act locally. Firewalls and intrusion detection systems provide an easy example of autonomous mechanisms.

Cooperative Mechanisms

Cooperative mechanisms are capable of autonomous detection and response, but can achieve significantly better performance through cooperation with other entities. Mechanisms deploying pushback provide examples of cooperative mechanisms. They detect the occurrence of a DDoS attack by observing congestion in a router’s buffer, characterize the traffic that creates the congestion, and act locally to impose a rate limit on that traffic. However, they achieve significantly better performance if the rate limit requests can be propagated to upstream routers who otherwise may be unaware of the attack.

Interdependent Mechanisms

Interdependent mechanisms cannot operate autonomously; they rely on other entities either for attack detection or for efficient response. Traceback mechanisms provide examples of interdependent mechanisms. A traceback mechanism deployed on a single router would provide almost no benefit.

Classification by Deployment Location

With regard to a deployment location, we differentiate between DDoS mechanisms deployed at the victim, intermediate, or source network.

Victim-Network Mechanisms

DDoS defense mechanisms deployed at the victim network protect this network from DDoS attacks and respond to detected attacks by alleviating the impact on the victim. Historically, most defense systems were located at the victim since it suffered the greatest impact of the attack and was therefore the most motivated to sacrifice some resources for increased security. Resource accounting and protocol security mechanisms provide examples of these systems.

Intermediate-Network Mechanisms

DDoS defense mechanisms deployed at the intermediate network provide infrastructural service to a large number of Internet hosts. Victims of DDoS attacks can contact the infrastructure and request the service, possibly providing adequate compensation. Pushback and traceback techniques are examples of intermediate-network mechanisms.

Source-Network Mechanisms

The goal of DDoS defense mechanisms deployed at the source network is to prevent customers using this network from generating DDoS attacks. Such mechanisms are necessary and desirable, but motivation for their deployment is low since it is unclear who would pay the expenses associated with this service. Mechanisms proposed in provide examples of source-network mechanisms.

REFRENCE

http://www.cert.org/tech_tips/denial_of_service.html
http://www.cert.org/archive/pdf/DoS_trends.pdf
http://www.cert.org/incident_notes/IN-2001-08.html
http://www.cert.org/incident_notes/IN-2001-03.html
http://www.cert.org/incident_notes/IN-2001-01.html
http://www.cs.berkeley.edu/~nweaver/warhol.html
http://www.cert.org/incident_notes/IN-2001-09.html
http://www.cert.org/advisories/CA-2001-26.html
http://www.cert.org/incident_notes/IN-2000-04.html
http://www.cert.org/advisories/CA-1998-01.html
http://www.cisco.com/warp/public/707/newsflash.html
J. D. Howard, “An analysis of security incidents on the Internet,”
F. Kargl, J. Maier and M. Weber, “Protecting web servers from distributed denial of service attacks,”
J. D. Howard and T. A. Longstaff, “A common language for computer security incidents”
http://www.cert.org/research/taxonomy_988667.pdf
S. Axelsson, “Intrusion detection systems: A survey and taxonomy, “
K. Hafner and J. Markoff, Cyberpunk: Outlaws and hackers on the computer frontier
http://www.tripwire.com/products/servers/
http://www.usenix.org/publications/login/2000-7/apropos.html.
M. Franklin and A. Stubblefield, “An algebraic approach to IP Traceback”,
http://search.ietf.org/internet-drafts/draft-ietf-itrace-01.txt, Oct.
RFC 2267,
J. Leiwo, P. Nikander, and T. Aura, “Towards network denial of service resistant protocols
Wikipedia and
Also Credits-some articles by my hackers friends for writing different parts (WAR10RD, DIGITAL, ICEBEAR 64 ETC) ,Jelena , Martin and Peter

Sunday, June 21, 2009

Firefox 3.5 - faster than 3.0

Mozilla released Firefox 3.5 Release Candidate 2, which you can download from Mozilla’s Web site. Release Candidate 2 is the first version of Firefox 3.5 that average users might want to run, since it’s faster and more stable than the beta versions were.

Firefox 3.5 boasts a number of significant changes - ranging from new ways to work with the browser features to under-the-hood improvements that Mozilla developers say will make the browser more than twice as fast as Firefox 3 and ten times faster than 2.0 (based on the results of a SunSpider test of JavaScript performance on a Windows XP machine).

Here are some of the new features you’ll find in Firefox 3.5.

What’s new in Firefox 3.5 (Release Candidate 2)

Firefox 3.5 (Release Candidate) is based on the Gecko 1.9.1 rendering platform, which has been under development for the past year. Firefox 3.5 offers many changes over the previous version, supporting new web technologies

, improving performance and ease of use, and adding new features for users:

  • This release candidate is now available in more than 70 languages.
  • Improved tools for controlling your private data, including a Private Browsing Mode.
  • Better performance and stability with the new TraceMonkey JavaScript engine.
  • The ability to provide Location Aware Browsing using web standards for geolocation.
  • Support for native JSON, and web worker threads.
  • Improvements to the Gecko layout engine, including speculative parsing for faster content rendering.
  • Support for new web technologies such as: HTML5

Mozilla provides Firefox 3.5 (Release Candidate) for Windows, Linux, and Mac OS X in a variety of languages. You can get the latest version of Firefox 3.5 (Release Candidate) here.

7 New Amazing Features on Google Books

Google Books being the leading, all in one stop for your all bookish needs, is now totally revamped with new features. These features range from sharing your book with embed option to flipping the contents instantly with drop down easily accessible Table of Contents menu.

All of these seven features are listed as:

  1. Embeds and links - This feature comes after a long wait yet quite handy to go with. This will let you share your favorite books and excerpts of the book with a simple HTML snippet. or share the books with direct links to the book pages available on the Google books.
  2. Better search within each book now not only specific but more detailed and exact. As now the searched text is presented as cutlets images to navigate through them as per the need of the search, as Previous and Next buttons are there to serve you shuffling from your searched queries.
  3. Thumbnail view - as the name suggests it will present thumbnail view of the whole book pages as thumbnails which can be clicked to get into the reading mode of that specific page at once.This feature is available with full-view books only.
  4. Contents drop-down menu - When you are done with the thumbnail view of every page let’s check out this feature which let you navigate through all the contents of the book with a simple drop down menu with no hassle. Now look for what you are searching in more speedy way with this new yet cool feature.
  5. Plain Text Mode will help you get the only text of the all book to appear which can easily be used for searching through the text and it also goes handy for visually impaired people who can benefit from this as to listen the text via their special software.
  6. Page Turn Button and Animation is for reading in more less distracting and continuous way. When you are done with a portion of the page simply hit the next button to let the follow up page come in advance to let you read the page in more continuous way.
  7. Improved Book Overview Page about each and every book let you get the more insight about the book. It present you a complete review in the form of reviews, ratings, summaries, related books, key words and phrases, references from the web, places mentioned in the book, publisher information, etc.

The introduction of such awesome features will not only revamp the whole look of the Google Books but will also attract more users to get benefit from this useful resource of information at its best.

Don’t forget to share your favorite feature you liked among this update of features on Google Books.

(Source: Official Google Book Search Blog)

Friday, June 5, 2009

Brutus Password Cracker - Download brutus-aet2.zip

A lot of people come to Darknet looking for Brutus AET2 (brutus-aet2.zip) to download, but unfortunately due to some stupid Homeland security bullshit I actually had to remove the file or risk having no hosting left..

If you don’t know, Brutus is one of the fastest, most flexible remote password crackers you can get your hands on - it’s also free. It is available for Windows 9x, NT and 2000, there is no UN*X version available although it is a possibility at some point in the future. Brutus was first made publicly available in October 1998 and since that time there have been at least 70,000 downloads and over 175,000 visitors to this page. Development continues so new releases will be available in the near future.

Brutus was written originally to help me check routers etc. for default and common passwords.

Features

Brutus version AET2 is the current release and includes the following authentication types :

  • HTTP (Basic Authentication)
  • HTTP (HTML Form/CGI)
  • POP3
  • FTP
  • SMB
  • Telnet

Other types such as IMAP, NNTP, NetBus etc are freely downloadable from this site and simply imported into your copy of Brutus. You can create your own types or use other peoples.

The current release includes the following functionality :

  • Multi-stage authentication engine
  • 60 simultaneous target connections
  • No username, single username and multiple username modes
  • Password list, combo (user/password) list and configurable brute force modes
  • Highly customisable authentication sequences
  • Load and resume position
  • Import and Export custom authentication types as BAD files seamlessly
  • SOCKS proxy support for all authentication types
  • User and password list generation and manipulation functionality
  • HTML Form interpretation for HTML Form/CGI authentication types
  • Error handling and recovery capability inc. resume after crash/failure.

You can download it here:

Brutus AET2


FBController - The Ultimate Utility to Control Facebook Accounts

Just to put a downer on all the script kiddies, this utility WILL NOT hack/crack Facebook passwords or accounts.

You need to feed it biscuits (cookies) before you can do anything.

You can get the target’s cookie by sniffing, XSS, social engineering, ARP Poison-Sniffing, Scroogle search or however you like.

Once you have the cookies you can use FBController to have Full control over the target’s Facebook account.

Login to your Facebook account and sniff your own cookie OR collect a few live Facebook Biscuit/s of your Target/s.

Till now FBController version 1.0 uses your Target’s provided cookie and only :

A > Downloads the HomePage.
B > Allows you to Update the Target’s Wall and
C > Retrieve your Target’s Friend’s List


There are many APIs available to write apps and 3rd party Tools for FB in Java, Perl, .NET, etc.

FBConTroller was entirely written without knowing any of Facebook’s Dev API’s. Considering the above along with Facebook’s complexity, the next version might take some time to get released

You can download FBController here:

FBConTroller.RAR

Fiddler - Web Debugging Proxy For HTTP(S)Fiddler - Web Debugging Proxy For HTTP(S)

Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and “fiddle” with incoming or outgoing data. Fiddler includes a powerful event-based scripting subsystem, and can be extended using any .NET language.


Fiddler is freeware and can debug traffic from virtually any application, including Internet Explorer, Mozilla Firefox, Opera, and thousands more.

If you want some info on how to use Fiddler for debugging you can check here: Fiddler Can Make Debugging Easy

You can download Fiddler here:

Download Fiddler from server



Pangolin - Automatic SQL Injection Tool

Pangolin is an automatic SQL injection penetration testing tool developed by NOSEC. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL statement, read specific files on the file system and more.


Database Support
•Access: Informations (Database Path; Root Path; Drivers); Data
•MSSql: Informations; Data; FileReader; RegReader; FileWriter; Cmd; DirTree
•MySql: Informations; Data; FileReader; FileWriter;
•Oracle: Inforatmions (Version; IP; Database; Accounts ……); Data; and any others;
•Informix: Informatons; Data
•DB2: Informatons; Data; and more;
•Sybase: Informatons; Data; and more;
•PostgreSQL: Informatons; Data; FileReader;
•Sqlite: Informatons; Data

At present, most of the functions are directed at MSSQL and MySql coupled with Oracle and Access. Other small and medium-sized companies are using DB2, Informix, Sybase, PostgreSQL, as well as Sqlite which isn’t so common.

Thursday, June 4, 2009

Hack Tools, Utilities and Exploits

Astalavista Tools and Utilities

Packetstorm Last 10 Files

  1. joomla1510-xss.txt - Joomla! version 1.5.10 suffers from multiple persistent cross site scripting vulnerabilities in the JA_Purity template.
  2. kjtechforce-blindsql.txt - Kjtechforce Mailman Beta-1 suffers from a remote blind SQL injection vulnerability.
  3. kjtechforce-sqldelete.txt - Kjtechforce Mailman Beta-1 suffers from a remote SQL injection delete row vulnerability.
  4. pixelactivo-sqlbypass.txt - Pixelactivo version 3.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
  5. pixelactivo-sql.txt - Pixelactivo version 3.0 suffers from a remote SQL injection vulnerability.
  6. peazip-inject.txt - PeaZIP versions 2.6.1 and below compressed filename command injection proof of concept exploit.
  7. MDVSA-2009-129.txt - Mandriva Linux Security Advisory 2009-129 - Heap-based buffer overflow in the cdf_read_sat function in src/cdf.c in Christos Zoulas file 5.00 allows user-assisted remote attackers to execute arbitrary code via a crafted compound document file, as demonstrated by a.msi,.doc, or.mpp file. NOTE: some of these details are obtained from third party information. This update provides file-5.03, which is not vulnerable to this, and other unspecified issues.
  8. dsa-1812-1.txt - Debian Security Advisory 1812-1 - Apr-util, the Apache Portable Runtime Utility library, is used by Apache 2.x, Subversion, and other applications. Two denial of service vulnerabilities have been found in apr-util.
  9. astalavista-pwned.txt - The Astalavista.com web site has been completely compromised and all user details have been exposed.
  10. MDVSA-2009-128.txt - Mandriva Linux Security Advisory 2009-128 - Multiple security vulnerabilities have been identified and fixed in libmodplug. These range from integer to buffer overflows. The updated packages have been patched to prevent this.

Packetstorm Tools

  1. iodine-0.5.2.tar.gz - iodine is a piece of software that lets you tunnel IPv4 data through a DNS server. This can be useful in situations where Internet access is firewalled, but DNS queries are allowed. It needs a TUN/TAP device to operate. The bandwidth is asymmetrical with limited upstream and up to 1 Mbit/s downstream.
  2. wpadcheck_en.zip - Simple Freeware Network Checker to detect potentially dangerous entries in Microsoft DNS and WINS name servers (MS09-008).
  3. kismet-2009-05-RC2.tar.gz - Kismet is an 802.11 layer 2 wireless network sniffer. It can sniff 802.11b, 802.11a, and 802.11g traffic. It is capable of sniffing using almost any wireless card supported in Linux, which currently divide into cards handled by libpcap and the Linux-Wireless extensions (such as Cisco Aironet), and cards supported by the Wlan-NG project which use the Prism/2 chipset (such as Linksys, Dlink, and Zoom). Besides Linux, Kismet also supports FreeBSD, OpenBSD and Mac OS X systems. Features Multiple packet capture sources, Runtime network sorting by AP MAC address (bssid), IP block detection via ARP and DHCP packet dissection, Cisco product detection via CDP, Ethereal and tcpdump compatible file logging, Airsnort-compatible interesting (cryptographically weak) logging, Secure SUID behavior, GPS devices and wireless devices fingerprinting. Kismet also includes a tool called gpsmap that can be used to create maps from logged GPS data.
  4. advchk-3.00.tar.bz2 - Advchk (Advisory Check) reads security advisories so you do not have to. Advchk gathers security advisories using RSS feeds, compares them to a list of known services, and alerts you if you are vulnerable. Since adding hosts and services by hand would be quite a boring task, advchk leverages nmap for automatic service and version discovery.
  5. pkd-1.4.tgz - ipt_pkd is an iptables extension implementing port knock detection. This project provides 3 parts: the kernel module ipt_pkd, the iptables user space module libipt_pkd.so, and a user space client knock program. For the knock packet, it uses a UDP packet sent to a random port that contains a SHA-256 of a timestamp, small header, random bytes, and a shared key. ipt_pkd checks the time window of the packet and does the SHA-256 to verify the packet. The shared key is never sent. This version adds support for libxtables, iptables 1.4.3.2, and Linux kernel 2.6.29. A port config option was added on the Python knock, so you don't have to have a bunch of UDP ports open on a firewall to pass a knock through to an internal client.
  6. pdfresurrect-v0_6.tar.gz - PDFResurrect is a tool aimed at analyzing PDF documents. The PDF format allows for previous document changes to be retained in a more recent version of the document, thereby creating a running history of changes for the document. This tool attempts to extract all previous versions while also producing a summary of changes between versions. It can also scrub or write data over the original instances of PDF objects that have been modified or deleted, in an effort to disguise information from previous versions that might not be intended for anyone else to read.
  7. ProxyHarvest.txt - Proxy Harvesting tool that uses google and evaluates the sites.
  8. mandos_1.0.10.orig.tar.gz - The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.
  9. darkTouch.txt - darkTouch is a fuzzer that attempts to fingerprint the structure of a website.Written in Python.
  10. rsbac-common-2.6-1.4.2.tar.bz2 - Rule Set Based Access Control (RSBAC) is an open source security extension for current Linux kernels. It is based on the Generalized Framework for Access Control (GFAC) and provides a flexible system of access control implemented with the help of a kernel patch. All security relevant system calls are extended by security enforcement code. This code calls the central decision component, which in turn calls all active decision modules and generates a combined decision. This decision is then enforced by the system call extensions. This version is for the 2.6 kernel. This release is for Linux kernel 2.6.29.2. A significant speedup and even better SMP scalability are expected from the new RCU based list locking. The most important changes since 1.3.5 are the addition of VUM (Virtual User Management) support, OTP support for UM, support of ANY for NETLINK control, checking of CLOSE requests in RC, the addition of SCD target videomem and kernel attribute pagenr, ext4 secure delete support, and many small bugfixes too. Generic lists were changed to use RCU instead of rw spinlocks.

Packetstorm Exploits

  1. joomla1510-xss.txt - Joomla! version 1.5.10 suffers from multiple persistent cross site scripting vulnerabilities in the JA_Purity template.
  2. kjtechforce-blindsql.txt - Kjtechforce Mailman Beta-1 suffers from a remote blind SQL injection vulnerability.
  3. kjtechforce-sqldelete.txt - Kjtechforce Mailman Beta-1 suffers from a remote SQL injection delete row vulnerability.
  4. pixelactivo-sqlbypass.txt - Pixelactivo version 3.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.
  5. pixelactivo-sql.txt - Pixelactivo version 3.0 suffers from a remote SQL injection vulnerability.
  6. peazip-inject.txt - PeaZIP versions 2.6.1 and below compressed filename command injection proof of concept exploit.
  7. hostdirpro-passwd.txt - Host Directory PRO version 2.1.0 remote administrative password changing exploit.
  8. webdirpro-backup.txt - Web Directory PRO suffers from a remote database backup vulnerability.
  9. hostdirpro-backup.txt - Host Directory PRO version 2.1.0 suffers from a remote database backup vulnerability.
  10. webdirpro-passwd.txt - Web Directory PRO remote administrative password changing exploit.

Securiteam Exploits

  1. Nortel Contact Center Manager Server Password Disclosure Vulnerability - The Nortel Contact Center Manager Server web application provides a SOAP interface. This interface does not need authorisation and responds to certain requests with sensitive information.
  2. ATEN IP KVM Switch Multiple Vulnerabilities - ATEN produces several IP KVM Switches. These devices can be used like normal kvm switches with an attached keyboard, mouse and monitor. However, it is also possible to access the hosts connected to them via a network using an ordinary PC as a client. As this function can be used via an insecure network, it is very important that this connection is cryptographically protected against sniffing of confidential data (e.g. keystrokes, monitor signals) and man in the middle attacks. The affected products provide an SSL encrypted web interface. After authenticating to the web interface the user can download a client program (java or windows). The ATEN client program contains temporary authentication data so that it can connect to the kvm switch without asking the user for username/password again.
  3. HP Printers and HP Digital Senders Unauthorized Access to Files - A potential security vulnerability has been identified with certain HP LaserJet printers, HP Color LaserJet printers and HP Digital Senders. The vulnerability could be exploited remotely to gain unauthorized access to files.
  4. Android Improper Package Verification - Android, an open source mobile phone platform, improperly checks developer certificates when installing packages that request the shared user identifier (uid) permission.
  5. Sun Communications Express Multiple XSS - Several cross-site scripting vulnerabilities were found in two files/urls of the Sun Java System Communications Express.

Web Based E-mail (Hotmail Yahoo Gmail) Hack/Hacking with JavaScript

pleez, pleez, PLEEZ teach me how to hack a Hotmail Account!!!”
-unidentified IRC user

From here on in you walk alone. Neither little_v OR Black Sun Research Facility AND its members will be responsible for what you do with the information presented here. Do not use this information to impress your “l33t0_b0rit0″ friends. Do not operate in shower. Objects in article may be closer than they appear.

Note: If you see (x), where x is a number, it means that this term is defined at (x) at the bottom of this article.

Intro

The purpose of this article is NOT, I repeat, NOT to teach someone how to “hack an email account”. It’s true purpose is actually MUCH more devious. The purpose of this and all other articles in the “An Exploit Explained: ” series is to teach readers about various web technologies, and the basics of security and exploiting. I will try to give you a hands-on, learn as you go type of education in computer security. Sound good??? Then let’s get in to it!!

Preface

On Wednesday, Sept. 22 1999, yet another bleary day in the life of little v, the following message was sent to my inbox:

To: BugTraq
Subject: Yet another major Hotmail security hole -
injecting JavaScript using "javasCript:"
Date: Wed Sep 22 1999 10:48:04
Author: Georgi Guninski
Message-ID: <37e8d004.ef848f34@nat.bg>

Yet another major Hotmail security hole - injecting
JavaScript using "javasCript:"

There is a major security flaw in Hotmail which allows
injecting and executing JavaScript code in an email
message using the javascript protocol. This exploit
works both on Internet Explorer 5.0 (guess IE 4.x)
and Netscape Communicator 4.x. Hotmail filters the
"javascript:" protocol for security reasons. But it
does not filter properly the following case:
"javasCript:" where "C" is the ASCII code of "C".

So the following HTML is executed
if the user has enabled automatically loading of
images (most users have).

Probably this may be used in other HTML tags.

Executing JavaScript when the user opens Hotmail
email message allows for example displaying a fake
login screen where the user enters his password
which is then stolen. I don't want to make a scary
demonstration, but I am sure it is also possible to
read user's messages, to send messages from user's
name and doing other mischief. Hotmail deliberately
escapes all JavaScript (it can escape) to prevent such
attacks, but obviously there are holes. It is much
easier to exploit this vulnerability if the user uses
Internet Explorer 5.0. AFAIK this is not a browser
problem, it is Hotmail's problem.

Workaround: Disable JavaScript

The code is:


....

....
Regards,
Georgi Guninski
http://www.securityfocus.com/external/http://www.nat.bg/~joro

Ok, don’t puke, I’m going to explain what just happened in a fashion that even your dog can understand.

What is this all about?

This important part of this posting to the Bugtraq(1) (http://www.securityfocus.com) mailing list is the actual exploit(2).
The exploit would be:

What does it do?

As this exploit, when put into an email message sent to a hotmail user, opens a little box using the “alert()”(3) function in javascript(4), and is also supposed to read who the first message in your inbox is from. However, this code does not work on its own. You see, the email also says that you need to use the ASCII(5) code for “C” in the message. If I get out my handy HTML reference book, I can see that the ASCII code is C. If we substitute this into our little exploit, minus the “read who the first message in your inbox” part, we get this:


How does it work?

Finding out how an exploit works is always the part that makes people a bit spindizzy. If we look at that gibberish we call code one more time we can see that it uses an tag, which all you who took my HTML tutorial would know is to display an image onto the page. Because hotmail tries to be the “top dog” webmail provider, they allow you to set autoloading of images, so the image just shows up on the same page as the mail. When you open a new hotmail account, this option is already set (hurray!). The conflict happens because your normal browser allows you to put javascript tags into your IMG tags. Because JavaScript is a strong little language, and allows just about full control over someone’s browser, if the conditions are right. Naturally, people like you and me started exploiting hotmail’s allowing of javascript. Soon, the

Call phones from Gmail- Calls from PC to Phone with Google Talk ~~~~ Now in India ~~~~

Free International Calls from PC to Phone with Google Talk and Talkster (GTalk-to-VoIP) Google has officially unveiled its new Google Mai...