- Improper Input Validation
Ensure that your input is valid. If you're expecting a number, it shouldn't contain letters. Nor should the price of a new car be allowed to be a dollar. Incorrect input validation can lead to vulnerabilities when attackers can modify their inputs in unexpected ways. Many of today's most common vulnerabilities can be eliminated, or at least reduced, with strict input validation.
- Improper Encoding or Escaping of Output
Insufficient output encoding is at the root of most injection-based attacks. An attacker can modify the commands that you intend to send to other components, possibly leading to a complete compromise of your application - not to mention exposing the other components to exploits that the attacker would not be able to launch directly. When your program generates outputs to other components in the form of structured messages such as queries or requests, be sure to separate control information and metadata from the actual data.
- Failure to Preserve SQL Query Structure (aka 'SQL Injection')
If attackers can influence the SQL that you send to your database, they can modify the queries to steal, corrupt, or otherwise change your underlying data. If you use SQL queries in security controls such as authentication, attackers could alter the logic of those queries to bypass security.
- Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
Cross-site scripting (XSS) is a result of combining the stateless nature of HTTP, the mixture of data and script in HTML, lots of data passing between web sites, diverse encoding schemes, and feature-rich web browsers. If you're not careful, attackers can inject Javascript or other browser-executable content into a web page that your application generates. Your web page is then accessed by other users, whose browsers execute that malicious script as if it came from you -- because, after all, it did come from you! Suddenly, your web site is serving code that you didn't write. The attacker can use a variety of techniques to get the input directly into your server, or use an unwitting victim as the middle man.
- Failure to Preserve OS Command Structure (aka 'OS Command Injection')
Your software acts as a bridge between an outsider on the network and the internals of your operating system. When you invoke another program on the operating system, and you allow untrusted inputs to be fed into the command string, you are inviting attackers into your operating system.
- Cleartext Transmission of Sensitive Information
Information sent across a network crosses many different nodes in transit to its final destination. If your software sends sensitive, private data or authentication credentials, beware: attackers could sniff them right off the wire. All they need to do is control one node along the path to the final destination, any node within the same networks of those transit nodes, or plug into an available interface. Obfuscating traffic using schemes like Base64 and URL encoding offers no protection.
- Cross-Site Request Forgery (CSRF)
Cross-site request forgery is like accepting a package from a stranger -- except the attacker tricks a user into activating a HTTP request "package" that goes to your site. The user might not even be aware that the request is being sent, but once the request gets to your server, it looks as if it came from the user -- not the attacker. The attacker has masqueraded as a legitimate user and gained all the potential access that the user has. This is especially handy when the user has administrator privileges, resulting in a complete compromise of your application's functionality.
- Race Condition
A race condition involves multiple processes in which the attacker has full control over one process; the attacker exploits the process to create chaos, collisions, or errors. Data corruption and denial of service are the norm. The impact can be local or global, depending on what the race condition affects - such as state variables or security logic - and whether it occurs within multiple threads, processes, or systems.
- Error Message Information Leak
Chatty error messages can disclose secrets to any attacker who misuses your software. The secrets could cover a wide range of valuable data, including personally identifiable information (PII), authentication credentials, and server configuration. They might seem like harmless secrets useful to your users and admins, such as the full installation path of your software -- but even these little secrets can greatly simplify a more concerted attack.
- Failure to Constrain Operations within the Bounds of a Memory Buffer
The scourge of C applications for decades, buffer overflows have been remarkably resistant to elimination. Attack and detection techniques continue to improve, and today's buffer overflow variants aren't always obvious at first or even second glance. You may think that you're completely immune to buffer overflows because you write your code in higher-level languages instead of C. But what is your favorite "safe" language's interpreter written in? What about the native code you call? What languages are the operating system API's written in? How about the software that runs Internet infrastructure?
- External Control of Critical State Data
If you store user state data in a place where an attacker can modify it, this reduces the overhead for a successful compromise. Data could be stored in configuration files, profiles, cookies, hidden form fields, environment variables, registry keys, or other locations, all of which can be modified by an attacker. In stateless protocols such as HTTP, some form of user state information must be captured in each request, so it is exposed to an attacker out of necessity. If you perform any security-critical operations based on this data (such as stating that the user is an administrator), then you can bet that somebody will modify the data in order to trick your application.
- External Control of File Name or Path
When you use an outsider's input while constructing a filename, the resulting path could point outside of the intended directory. An attacker could combine multiple ".." or similar sequences to cause the operating system to navigate out of the restricted directory. Other file-related attacks are simplified by external control of a filename, such as symbolic link following, which causes your application to read or modify files that the attacker can't access directly. The same applies if your program is running with raised privileges and it accepts filenames as input. Similar rules apply to URLs and allowing an outsider to specify arbitrary URLs.
- Untrusted Search Path
Your software depends on you, or its environment, to provide a search path (or working path) to find critical resources like code libraries or configuration files. If the search path is under attacker control, then the attacker can modify it to point to resources of the attacker's choosing.
- Failure to Control Generation of Code (aka 'Code Injection')
While it's tough to deny the sexiness of dynamically-generated code, attackers find it equally appealing. It becomes a serious vulnerability when your code is directly callable by unauthorized parties, if external inputs can affect which code gets executed, or if those inputs are fed directly into the code itself.
- Download of Code Without Integrity Check
If you download code and execute it, you're trusting that the source of that code isn't malicious. But attackers can modify that code before it reaches you. They can hack the download site, impersonate it with DNS spoofing or cache poisoning, convince the system to redirect to a different site, or even modify the code in transit as it crosses the network. This scenario even applies to cases in which your own product downloads and installs updates.
- Improper Resource Shutdown or Release
When your system resources have reached their end-of-life, you dispose of them: memory, files, cookies, data structures, sessions, communication pipes, and so on. Attackers can exploit improper shutdown to maintain control over those resources well after you thought you got rid of them. Attackers may sift through the disposted items, looking for sensitive data. They could also potentially reuse those resources.
- Improper Initialization
If you don't properly initialize your data and variables, an attacker might be able to do the initialization for you, or extract sensitive information that remains from previous sessions. If those variables are used in security-critical operations, such as making an authentication decision, they could be modified to bypass your security. This is most prevalent in obscure errors or conditions that cause your code to inadvertently skip initialization.
- Incorrect Calculation
When attackers have control over inputs to numeric calculations, math errors can have security consequences. It might cause you to allocate far more resources than you intended - or far fewer. It could violate business logic (a calculation that produces a negative price), or cause denial of service (a divide-by-zero that triggers a program crash).
- Improper Access Control (Authorization)
If you don't ensure that your software's users are only doing what they're allowed to, then attackers will try to exploit your improper authorization and exercise that unauthorized functionality.
- Use of a Broken or Risky Cryptographic Algorithm
Grow-your-own cryptography is a welcome sight to attackers. Cryptography is hard. If brilliant mathematicians and computer scientists worldwide can't get it right -- and they're regularly obsoleting their own techniques -- then neither can you.
- Hard-Coded Password
Hard-coding a secret account and password into your software is extremely convenient -- for skilled reverse engineers. If the password is the same across all your software, then every customer becomes vulnerable when that password inevitably becomes known. And because it's hard-coded, it's a huge pain to fix.
- Insecure Permission Assignment for Critical Resource
Beware critical programs, data stores, or configuration files with default world-readable permissions. While this issue might not be considered during implementation or design, it should be. Don't require your customers to secure your software for you! Try to be secure by default, out of the box.
- Use of Insufficiently Random Values
You may depend on randomness without even knowing it, such as when generating session IDs or temporary filenames. Pseudo-Random Number Generators (PRNG) are commonly used, but a variety of things can go wrong. Once an attacker can determine which algorithm is being used, he can guess the next random number often enough to launch a successful attack after a relatively small number of tries.
- Execution with Unnecessary Privileges
Your software may need special privileges to perform certain operations; wielding those privileges longer than necessary is risky. When running with extra privileges, your application has access to resources that the application's user can't directly reach. Whenever you launch a separate program with elevated privileges, attackers can potentially exploit those privileges.
- Client-Side Enforcement of Server-Side Security
Don't trust the client to perform security checks on behalf of your server. Attackers can reverse engineer your client and write their own custom clients. The consequences will vary depending on what your security checks are protecting, but some of the more common targets are authentication, authorization, and input validation.
My LogiX is Undeniable.
Top 25 Most Dangerous Programming Mistakes
Most Popular Programming Language
Debate over the most popular programming language can become an emotional, almost religious battle. And sometimes there's no debate at all, such as when a developer is assigned to repair legacy software. "It was written in COBOL?" is a popular refrain.
A programming language is just one tool in a developer's expansive collection of specialty software and hardware. So does it really matter which programming language a developer uses, as long as he or she is meeting customer requirements on time and within budget?
Yes, yes it does. Ford or Chevy. Stihl or Husky. Coke or Pepsi. Let's face it, we all get passionate about our tools.
Most Popular?
There are a number of ways to measure the popularity of a programming language, for example, based on the number of:
- New applications written in the language
- Existing applications written in the language
- Developers that use the language primarily
- Developers that use the language ever
- Web searches
- Available jobs that require skills in the language
- Developers' favorites
The following surveys attempt to rank which programming languages are most popular, each using a different measure:
Tiobe.com
Tiobe is a popular site for ranking programming languages. Tiobe bases its rankings on world-wide availability of skilled engineers, courses and third party vendors. Rankings are not about the best programming language or the language in which most lines of code have been written. Tiobe uses Google, MSN and Yahoo! search engines to measure the Web "chatter" and hence the popularity of each programming language. The Tiobe top 11 for May 2007 are:
1. Java – 19.1%
2. C – 15.2%
3. C++ – 10.1%
4. PHP – 8.7%
5. Visual Basic – 8.4%
6. Perl – 6.2%
7. Python – 3.8%
8. C# – 3.7%
9. JavaScript – 3.1%
10. Ruby – 2.6%
11. Delphi – 2.1%
Dice.com
A September 2006 eWeek article ranks programming languages based on nationwide queries on Dice.com, a job site for technology professionals. Following are percentage of jobs listed on Dice.com that require skills in each programming language:
1. Java – 35.7%
2. C, C++ – 15.3%
3. C# – 12.7%
4. Perl – 11.9%
5. JavaScript – 10.9%
6. Visual Basic .NET – 5.2%
7. PHP – 2.9%
8. Ajax – 2.7%
9. Python – 2.0%
10. Ruby – 0.7%
Evans Data
Evans Data Corporation conducted a Winter 2006 developer survey that ranks programming languages based on how many developers use that language at least some of the time:
1. Java – 45%
2. C, C++ – 40%
3. C# – 32%
4. Ajax – 28%
5. Visual Basic & VB.NET – 21%
Computerworld
In early 2005, Computerworld conducted a developer survey that measured which programming languages are in use by the developer's company:
1. C# – 72%
2. Java – 66%
3. Visual Basic – 62%
4. C++ – 54%
5. JavaScript – 50%
6. Unix Shell Scripts – 42%
7. Perl – 34%
8. C – 32%
a
Host a Website on Your Home Computer for Free
This tip will show you how to host a website on your home computer for free using IIS in six easy steps. Performing these six steps will greatly help you understand ASP.NET programming in general.
Even if you do not have a practical need to host your own website, learning how everything works is of fundamental importance, and it is a great exercise for everyone. You can view the complete post that describes the details for each step by clicking on this link: Host a Website on Your Home Computer for Free.
Step 1: Make sure you have IIS installed.
Step 2: Add a website to IIS
Step 3: Open Port 80 to Make a website Accessible from the Internet
Step 4: Determine if your home computer uses a Static or Dynamic IP Address
Step 5: Handle a Dynamic IP Internet connection (if not using Static IP)
Step 6: Register Domain Name (if you do not want to just use IP Address)
Point-To-Point Tunneling Protocol (PPTP)
Point-To-Point Tunneling Protocol (PPTP) is a protocol that allows the secure exchange of data from a client to a server by forming a Virtual Private Network (VPN) via a TCP/IP based network. The strong point of PPTP is its ability to provide on demand, multi-protocol support over existing network infrastructure, such as the Internet. This ability would allow a company to use the Internet to establish a virtual private network without the expense of a leased line.
The technology that makes PPTP possible is an extension of the remote access Point-To-Point Protocol (PPP- which is defined and documented by the Internet Engineering Task Force in RFC 1171). PPTP technology encapsulates PPP packets into IP datagrams for transmission over TCP/IP based networks. PPTP is currently a protocol draft awaiting standardization. The companies involved in the PPTP forum are Microsoft, Ascend Communications, 3Com/Primary Access, ECI Telematics, and US Robotics.
PPTP and Virtual Private Networking
A major feature in the use of PPTP is its support for virtual private networking. The best part of this feature is that it supports VPN's over public-switched telephone networks (PSTNs). By using PPTP a company can greatly reduce the cost of deploying a wide area, remote access solution for mobile users because it provides secure and encrypted communications over existing network structures like PSTNs or the Internet.
Standard PPTP Deployment
* a PPTP client
* a Network Access Server
* a PPTP Server
note: the network access server is optional, and if NOT needed for PPTP deployment. In normal deployment however, they are present.
In a typical deployment of PPTP, it begins with a remote or mobile PC that will be the PPTP client. This PPTP client needs access to a private network by using a local Internet Service Provider (ISP). Clients who are running the WindowsNT Server or Workstation operating systems will use Dial-up networking and the Point-To-Point protocol to connect to their ISP. The client will then connect to a network access server which will be located at the ISP (Network Access Servers are also known as Front-End Processors (FEPs) or Point-Of-Presence servers (POPs)). Once connected, the client has the ability to exchange data over the Internet. The Network Access Server uses the TCP/IP protocol for the handling of all traffic.
After the client has made the initial PPP connection to the ISP, a second Dial-Up networking call is made over the existing PPP connection. Data sent using the second connection is in the form of IP datagrams that contain PPP packets, referred to as encapsulated PPP. It is this second call that creates the virtual private network connection to a PPTP server on the private company network. This is called a tunnel.
Tunneling is the process of exchanging data to a computer on a private network by routing them over some other network. The other network routers cannot access the computer that is on the private network. However, tunneling enables the routing network to transmit the packet to an intermediary computer, such as a PPTP server. This PPTP server is connected to both the company private network and the routing network, which is in this case, the Internet. Both the PPTP client and the PPTP server use tunneling to securely transmit packets to a computer on the private network.
When the PPTP server receives a packet from the routing network (Internet), it sends it across the private network to the destination computer. The PPTP server does this by processing the PPTP packet to obtain the private network computer name or address information which is encapsulated in the PPP packet.
quick note: The encapsulated PPP packet can contain multi-protocol data such as TCP/IP, IPX/SPX, or NetBEUI. Because the PPTP server is configured to communicate across the private network by using private network protocols, it is able to understand Multi-Protocols.
PPTP encapsulates the encrypted and compressed PPP packets into IP datagrams for transmission over the Internet. These IP datagrams are routed over the Internet where they reach the PPTP server. The PPTP server disassembles the IP datagram into a PPP packet and then decrypts the packet using the network protocol of the private network. As mentioned earlier, the network protocols that are supported by PPTP are TCP/IP, IPX/SPX and NetBEUI.
PPTP Clients
* By using an ISP's network access server that supports inbound PPP connections.
* By using a physical TCP/IP-enabled LAN connection to connect to a PPTP server.
PPTP clients attempting to use an ISP's network access server must be properly configured with a modem and a VPN device to make the seperate connections to the ISP and the PPTP server. The first connection is dial-up connection utilizing the PPP protocol over the modem to an Internet Service Provider. The second connection is a VPN connection using PPTP, over the modem and through the ISP. The second connection requires the first connection because the tunnel between the VPN devices is established by using the modem and PPP connections to the internet.
The exception to this two connection process is using PPTP to create a virtual private network between computers physically connected to a LAN. In this scenario the client is already connected to a network and only uses Dial-Up networking with a VPN device to create the connection to a PPTP server on the LAN.
PPTP packets from a remote PPTP client and a local LAN PPTP client are processed differently. A PPTP packet from a remote client is placed on the telecommunication device physical media, while the PPTP packet from a LAN PPTP client is placed on the network adapter physical media.
PPTP Architecture
* PPP Protocol
* PPTP Control Connection
* PPTP Data Tunneling
Architecture Overview:
The secure communication that is established using PPTP typically involves three processes, each of which requires successful completion of the previous process. This will now explain these processes and how they work:
PPP Connection and Communication: A PPTP client utilizes PPP to connect to an ISP by using a standard telephone line or ISDN line. This connection uses the PPP protocol to establish the connection and encrypt data packets.
PPTP Control Connection: Using the connection to the Internet established by the PPP protocol, the PPTP protocol creates a control connection from the PPTP client to a PPTP server on the Internet. This connection uses TCP to establish communication and is called a PPTP Tunnel.
PPTP Data Tunneling: The PPTP protocol creates IP datagrams containing encrypted PPP packets which are then sent through the PPTP tunnel to the PPTP server. The PPTP server disassembles the IP datagrams and decrypts the PPP packets, and the routes the decrypted packet to the private network.
PPP Protocol:
Most PPTP sessions are started by a client dialing up an ISP network access server. The PPP protocol is used to create the dial-up connection between the client and network access server and performs the folloing functions:
* Establishes and ends the physical connection. The PPP protocol uses a sequence defined in RFC 1661 to establish and maintain connections between remote computers.
* Authenticates Users. PPTP clients are authenticated by using PPP. Clear text, encrypted or MS CHAP can be used by the PPP protocol.
* Creates PPP datagrams that contain encrypted IPX, NetBEUI, or TCP/IP packets.
PPTP Control Connection:
The PPTP protocol specifies a series of messages that are used for session control. These messages are sent between a PPTP client and a PPTP server. The control messages establish, maintain and end the PPTP tunnel. The following list present the primary control messages used to establish and maintain the PPTP session.
| Message Type | Purpose |
| | |
| PPTP_START_SESSION_REQUEST | Starts Session |
| PPTP_START_SESSION_REPLY | Replies to Start Session Request |
| PPTP_ECHO_REQUEST | Maintains Session |
| PPTP_ECHO_REPLY | Replies to Maintain Session Request |
| PPTP_WAN_ERROR_NOTIFY | Reports an error in the PPP connection |
| PPTP_SET_LINK_INFO | Configures PPTP Client/Server Connection |
| PPTP_STOP_SESSION_REQUEST | Ends Session |
| PPTP_STOP_SESSION_REPLY | Replies to End Session Request |
The control messages are sent inside of control packets in a TCP datagram. One TCP connection is enabled between the PPTP client and Server. This path is used to send and receive control messages. The datagram contains a PPP header, a TCP Header, a PPTP Control message and appropriate trailers. The construction is as follows
| PPP Delivery Header |
| IP Header |
| PPTP Control Message |
| Trailers |
PPTP Data Transmission
After the PPTP Tunnel has been created, user data is transmitted between the client and PPTP server. Data is sent in IP Datagrams containing PPP packets. The IP datagram is created using a modified version of the Generic Routing Encapsulation (GRE) protocol (GRE is defined in RFC 1701 and 1702). The structure of the IP Datagram is as follows:
| PPP Delivery Header |
| IP Header |
| GRE Header |
| PPP Header |
| IP Header |
| TCP Header |
| Data |
By paying attention to the construction of the packet, you can see how it would be able to be transmitted over the Internet as headers are stripped off. The PPP Delivery header provides information necessary for the datagram to traverse the Internet. The GRE header is used to encapsulate the PPP packet within the IP Datagram. The PPP packet is created by RAS. The PPP Packet is encrypted and if intercepted, would be unintelligible.
Understanding PPTP Security
PPTP uses the strict authentication and encryption security available to computers running RAS under WindowsNT Server version 4.0. PPTP can also protect the PPTP server and private network by ignoring all but PPTP traffic. Despite this security, it is easy to configure a firewall to allow PPTP to access the network.
Authentication: Initial dial-in authentication may be required by an ISP network access server. If this Authentication is required, it is strictly to log on to the ISP, it is not related to Windows NT based Authentication. A PPTP server is a gateway to your network, and as such it requires standard WindowsNT based logon. All PPTP clients must provide a user name and password. Therefore, remote access logon using a PC running under NT server or Workstation is as secure as logging on from a PC connected to a LAN (theoretically). Authentication of remote PPTP clients is done by using the same PPP authentication methods used for any RAS client dialing directly into an NT Server. Because of this, it fully supports MS-CHAP (Microsoft Challenge Handshake Authentication Protocol which uses the MD4 hash as well as earlier LAN Manager methods.)
Access Control: After Authentication, all access to the private LAN continues to use existing NT based security structures. Access to resources on NTFS drives or to other network resources require the proper permissions, just as if you were connected directly to the LAN.
Data Encryption: For data encryption, PPTP uses the RAS "shared-secret" encryption process. It is referred to as a shared-secret because both ends of the connection share the encryption key. Under Microsoft's implementation of RAS, the shared secret is the user password (Other methods include public key encryption). PPTP uses the PPP encryption and PPP compression schemes. The CCP (Compression Control Protocol) is used to negotiate the encryption used. The username and password is available to the server and supplied by the client. An encryption key is generated using a hash of the password stored on both the client and server. The RSA RC4 standard is used to create this 40-bit (128-bit inside the US and Canada
PPTP Packet Filtering: Network security from intruders can be enhanced by enabling PPTP filtering on the PPTP server. When PPTP filtering is enabled, the PPTP server on the private network accepts and routes only PPTP packets. This prevents ALL other packet types from entering the network. PPTP traffic uses port 1723.
PPTP and the Registry
This following is a list of Windows NT Registry Keys where user defined PPTP information can be found:
KEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASPPTPE\
Parameters\Configuration
Values: AuthenticateIncomingCalls
DataType = REG_WORD
Range = 0 - 1
Default = 0
Set this value to 1 to force PPTP to accept calls only from IP addresses listed in the PeerClientIPAddresses registry value. If AuthenticateIncomingCalls is set to 1 and there are no addresses in PeerClientIPAddresses, the no clients will be able to connect.
PeerClientIPAddresses
DataType = REG_MULTI_SZ
Range = The format is a valid IP address
This parameter is a list of IP addresses the server will accept connections from.
KEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<adapter name>\
Parameters\Tcpip
Values: DontAddDefaultGateway
DataType = REG_WORD
Range = 0 - 1
Default = 1
When PPTP is installed, a default route is made for each LAN adapter. This parameter will disable the default route on the corporate LAN adapter.
PPTPFiltering
Key: <adaptername.\Paramters\tcpip
ValueType: REG_WORD
Valid Range: 0 - 1
Default = 0
This parameter controls whether PPTP filtering is enabled or not.
PPTPTcpMaxDataRetransmissions
Key: Tcpip\Parameters
ValueType: REG_WORD - Number of times to retransmit a PPTP packet.
Valid Range: 0 - 0xFFFFFFFF
Default: 9
This setting control how many times PPTP will retransmit a packet.
Special Security Update
SPECIAL REVISION: As a last minute revision to the lecture. A flaw has been discovered in the PPTP architecture. It turns out that if you send a that if you send a pptp start session request with an invalid packet length in the pptp packet header that it will crash an NT box and cause the NT server to do a CoreDump. Fragments of code for a DoS attack package are flying, and the rhino9 team should have a completed DoS Attack program released soon. This program is released, of course, for network administrators wanting to know how the bug works.
Google Your PC
dir/b/s %1|find "%2"
save with a file name google.bat.
open the cmd.exe and type
google c: .bat
to search all files in c:\ with *.bat extension.
save with a file name google.bat.
open the cmd.exe and type
google c: .bat
to search all files in c:\ with *.bat extension.
The Telnet Command
Technically, telnet is a protocol. This means it is a language that computer use to communicate with one another in a particular way. From your point of view, Telnet is a program that lets you login to a site on the Internet through your connection to Teleport. It is a terminal emulation program, meaning that when you connect to the remote site, your computer functions as a terminal for that computer.
Once the connection is made, you can use your computer to access information, run programs, edit files, and otherwise use whatever resources are available on the other computer. What is available depends on the computer you connect to. Most of the times, if you type '?' or 'help', you would normally receive some type of information, menu options, etc.
Note: telnet connections give you command-line access only. In other
words, instead of being able to use buttons and menus as you do with a
graphical interface, you have to type commands. However, telnet allows
you to use certain utilities and resources you cannot access with your
other Internet applications.
Usage: telnet hostname or IP address port(optional)
The Netstat Command
This command is used to query the network subsystem regarding certain types of information. Different types of information will be received depending on the switches used in conjunction with this command.
The IpConfig Command
The ipconfig command will give you information about your current TCP/IP configuration. Information such as IP address, default gateway, subnet mask, etc can all be retrieved using this command.
The Finger Command
By default, finger will list the login name, full name, terminal name, and write status (shown as a "*" before the terminal name if write permission is denied), idle time, login time, office location, and phone number (if known) for each current user connected to the network.
Usage: finger username@domain
Switches: -b Brief output format
-f Supresses the printing of the header line.
-i Provides a quick list of users with idle time.
-l Forces long output format.
-p Supresses printing of the .plan file (if present)
-q Provides a quick list of users.
-s Forces short output form.
-w Forces narrow output form.
The Arp Command
The arp command will display internet to ethernet (IP to MAC) address translations which is normally handled by the arp protocol. When the hostname is the only parameter, this command will display the currect ARP entry for that hostname.
Usage: arp hostname
Switches: -a Displays current ARP entries by interrogating the current
protocol data. If inet_addr is specified, the IP and Physical
addresses for only the specified computer are displayed. If
more than one network interface uses ARP, entries for each ARP
table are displayed.
-g Same as -a.
inet_addr Specifies an internet address.
-N if_addr Displays the ARP entries for the network interface specified
by if_addr.
-d Deletes the host specified by inet_addr.
-s Adds the host and associates the Internet address inet_addr
with the Physical address eth_addr. The Physical address is
given as 6 hexadecimal bytes separated by hyphens. The entry
is permanent.
eth_addr Specifies a physical address.
if_addr If present, this specifies the Internet address of the
interface whose address translation table should be modified.
If not present, the first applicable interface will be used.
The Nbtstat Command
Can be used to query the network concerning NetBIOS information. It can also be useful for purging the NetBIOS cache and reloading the LMHOSTS file. This one command can be extremely useful when performing security audits. When one knows how to interpret the information, it can reveal more than one might think.
The Ping Command
The ping (Packet Internet Groper) is used to send ICMP (Internet Control Message Protocol) packets from one host to another. Ping transmits packets using the ICMP ECHO_REQUEST command and expects an ICMP ECHO_REPLY.
Usage: ping IP address or Hostname
Switches: -t Ping the specifed host until interrupted.
-a Resolve addresses to hostnames.
-n count Number of echo requests to send.
-l size Send buffer size.
-f Set Don't Fragment flag in packet.
-i TTL Time To Live.
-v TOS Type Of Service.
-r count Record route for count hops.
-s count Timestamp for count hops.
-j host-list Loose source route along host-list.
-k host-list Strict source route along host-list.
-w timeout Timeout in milliseconds to wait for each reply.
Hooking ZwOpenProcess To Protect Processes
protect processes by returning a STATUS_ACCESS_DENIED.
#include "ntddk.h"
// Hooking ZwOpenProcess to protect a process by returning a STATUS_ACCESS_DENIED
// The PID of my process
int PID = 1234; // I want to get the PID from the process "SERVER.EXE"
NTSYSAPI
NTSTATUS
NTAPI ZwOpenProcess (OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL);
typedef NTSTATUS (*ZWOPENPROCESS)(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL);
// OldZwOpenProcess points to the original function
ZWOPENPROCESS OldZwOpenProcess;
// This is my hook function that will replace the kernel function ZwOpenProcess in the System Service Dispatch Table (SSDT)
NTSTATUS NewZwOpenProcess(OUT PHANDLE ProcessHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes, IN PCLIENT_ID ClientId OPTIONAL)
{
HANDLE ProcessId;
__try
{
ProcessId = ClientId->UniqueProcess;
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
return STATUS_INVALID_PARAMETER;
}
if (ProcessId == (HANDLE)PID) // Check if the PID matches my protected process
{
return STATUS_ACCESS_DENIED; // Return a Acess Denied
}
else
{
return OldZwOpenProcess(ProcessHandle, DesiredAccess,ObjectAttributes, ClientId); // Return the original ZwOpenProcess
}
}
Hooking explorer.exe (inject.cpp:)
//Filename:inject.cpp
#include "main.h"
typedef DWORD NTSTATUS;
struct NtCreateThreadExBuffer{
ULONG Size;
ULONG Unknown1;
ULONG Unknown2;
PULONG Unknown3;
ULONG Unknown4;
ULONG Unknown5;
ULONG Unknown6;
PULONG Unknown7;
ULONG Unknown8;
};
Hooking explorer.exe (main.h)
//Filename main.h #pragma once #include <windows.h> #include <iostream> #include <tlhelp32.h> #include <string> #include <stdio.h> #include <shlwapi.h> #include <fstream>
Subscribe to:
Posts (Atom)