Man In The Middle Tools

This weekend, as I have nothing better to do, let me talk about my experiences with proxy tools:

  1. Proxy Tool: Parameter manipulation is a very important stage of web app testing, and without it the test is incomplete. I was using tools like Paros and Achilles to achieve this, but the problem with both of them was that they were highly unstable and would crash every now and then. So if the customer has asked you to provide all the logs of the testing, it is difficult to provide them when the tool keeps crashing. I currently use Burp Suite. I find it highly stable, and it lets you view a request/response as text, as parameters, and as hex. Viewing the request and response as 'params' helps me particularly when dealing with ASP.NET applications, because of the long ViewState value and the other .NET hidden fields. Another interesting feature of Burp is the repeater module, which can be used to send modified requests to the server multiple times. I use this feature mostly to figure out the 'non-essential' parameters of the unmodified request and then to focus on the essential parameters. The best way to learn the capabilities of this tool is to download it and play with it. :)
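The two things the paragraph describes, a proxy's parameter view and the repeater-driven search for the non-essential parameters, as an added Python example (not code from the post or from Burp Suite). The raw request, the hidden-field values and the `fake_app` server stand-in are all constructed so the block runs offline; against a real application `send` would resend the request and return the status plus a normalized response body.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample capture (not from the original post): an ASP.NET-style
# form post with the bulky hidden fields the text mentions.
RAW_REQUEST = (
    "POST /Account/Update.aspx?tab=profile HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Cookie: ASP.NET_SessionId=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "__VIEWSTATE=dDwtMTI3NjkxMjQ4NDtsb2NhbGVz&__EVENTVALIDATION=AAEAw3pCYw"
    "&uid=42&email=a%40example.test"
)


def parse_request(raw):
    """Split a raw HTTP request into (location, name, value) triples, the way a
    proxy's parameter view does: URL query, cookies, then form body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = []
    for k, v in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        params.append(("url", k, v))
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            params.append(("cookie", k, v))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for k, v in parse_qsl(body, keep_blank_values=True):
            params.append(("body", k, v))
    return {"method": method, "path": urlsplit(target).path, "params": params}


def minimize_params(params, send):
    """Greedy elimination: resend the request without each parameter in turn and
    keep the removal when the response is unchanged. `send` takes a parameter
    list and returns something comparable (e.g. status plus normalized body)."""
    baseline = send(params)
    kept = list(params)
    for candidate in list(kept):
        trial = [p for p in kept if p != candidate]
        if send(trial) == baseline:
            kept = trial
    return kept


def fake_app(params):
    """Constructed stand-in for the server so the block runs offline: it needs the
    session cookie and uid, and ignores the hidden ASP.NET fields and the rest."""
    present = {(loc, k): v for loc, k, v in params}
    if present.get(("cookie", "ASP.NET_SessionId")) != "abc123":
        return (302, "login required")
    if ("body", "uid") not in present:
        return (500, "missing uid")
    return (200, "profile updated for uid " + present[("body", "uid")])


def essential_params(raw=RAW_REQUEST, send=fake_app):
    """Parameters that still change the response when removed."""
    return minimize_params(parse_request(raw)["params"], send)


if __name__ == "__main__":
    req = parse_request(RAW_REQUEST)
    for loc, k, v in req["params"]:
        print(f"{loc:6} {k:20} {v[:24]}")
    print("essential:", essential_params())
```

One caveat the greedy loop does not handle on its own: real responses carry timestamps, anti-CSRF tokens and similar per-request noise, so `send` must strip those before the comparison, or every removal looks like a change and nothing gets eliminated.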

SQL Injection Cheat Sheet

cheat sheet. Although there are so many articles on the internet that talk about SQL injection, this is the only document I know of which is 'complete'.

WordPress: MD5 hash in cookie

I realised WordPress uses a static cookie, even when you have not enabled the remember-me option. This static value holds the MD5 of your password (md5(md5 of password)), which remains the same across logins. Thus an XSS exploit in WordPress could be really handy, as the cookie remains the same unless the password for the user is changed.
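To make the risk concrete, an added Python example (not WordPress code and not from the post) puts the pattern the post describes, a cookie that is md5(md5(password)), next to the usual mitigation: a random server-side session identifier with an expiry and a revocation path, sent with the HttpOnly attribute so injected script cannot read it. Whether the inner digest is hex-encoded before the second hash is an assumption; the post only says md5(md5 of password), and the point holds either way.

```python
import hashlib
import secrets
import time


def static_password_cookie(password: str) -> str:
    """The pattern the post describes: the cookie value is md5(md5(password)).
    Assumption (not stated in the post): the inner digest is hex-encoded before
    being hashed again. Whatever the exact encoding, the value is a pure function
    of the password, so it is identical across logins, browsers and machines."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5(inner.encode("ascii")).hexdigest()


class SessionStore:
    """Mitigation: a random, server-side session identifier that expires and can
    be revoked, so a copied cookie has a bounded lifetime and can be invalidated
    without a password change. `clock` is injectable so expiry can be tested."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._sessions = {}

    def create(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = (user, self.clock() + self.ttl)
        return token

    def lookup(self, token):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires = entry
        if self.clock() >= expires:
            del self._sessions[token]
            return None
        return user

    def revoke_user(self, user):
        """Drop every session of a user (logout everywhere); returns the count."""
        stale = [t for t, (u, _) in self._sessions.items() if u == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)


def set_cookie_header(name, value, secure=True):
    """HttpOnly keeps the value out of document.cookie, so script injected via
    XSS cannot read it; Secure keeps it off plaintext HTTP."""
    attrs = ["Path=/", "HttpOnly"]
    if secure:
        attrs.append("Secure")
    return "Set-Cookie: %s=%s; %s" % (name, value, "; ".join(attrs))


if __name__ == "__main__":
    # Two logins with the same password yield the same static value.
    print(static_password_cookie("correct horse"), static_password_cookie("correct horse"))
    store = SessionStore(ttl_seconds=1800)
    # Two logins yield two unrelated tokens, each with its own expiry.
    print(set_cookie_header("sid", store.create("alice")))
    print(set_cookie_header("sid", store.create("alice")))
```

The static scheme also means that the stored value can be compared offline against password guesses, while a random token carries no information about the password at all.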

Abusing TCP/IP name resolution in Windows to carry out phishing attacks.

I was playing with name resolution in Windows and found that it sends broadcast requests over the network for hostnames not resolved by the DNS or WINS services. This is characteristic behaviour of Windows; *nix boxes do not send any such broadcast requests. As these are broadcast requests, they can easily be abused to carry out phishing attacks. I wrote a small paper on this. You can access it here.

UPDATES: Here is a good article from Microsoft which discusses this process in detail. Here are a few drawbacks of this attack:

1. This attack will only work for domain names that are less than 16 characters.

2. Routers typically do not forward broadcasts, so only NetBIOS names on the local network can be resolved, and the attacker thus has to be on the same local network.

3. The victim has to have NetBIOS over TCP/IP enabled to send out the broadcast request.
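The three drawbacks are all visible in the packet itself, so here is an added Python example (not from the post, the linked paper or the Microsoft article) that encodes and decodes NetBIOS names per RFC 1001/1002, builds and parses the broadcast name query a Windows host sends on UDP port 137 when DNS and WINS have failed, and sketches the monitoring check a defender would run over such traffic: broadcast lookups for names that are not in the local host inventory are the ones a rogue responder on the segment could answer. The sample packets, names and host inventory are constructed; nothing is captured from a real network.

```python
import struct

NB_SUFFIX_WORKSTATION = 0x00   # 16th byte: workstation service
NB_SUFFIX_SERVER = 0x20        # 16th byte: file server service


def encode_netbios_name(name, suffix=NB_SUFFIX_WORKSTATION):
    """RFC 1001/1002 first-level encoding: the name is upper-cased, space-padded
    to 15 bytes and followed by a one-byte service suffix; each byte is split into
    two nibbles and each nibble written as 'A' + nibble, giving 32 ASCII bytes.
    Names longer than 15 characters do not fit, which is the post's first drawback
    (names under 16 characters)."""
    if len(name) > 15:
        raise ValueError("NetBIOS names are at most 15 characters: %r" % name)
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_netbios_name(encoded):
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


NBNS_FLAGS_BROADCAST_QUERY = 0x0110   # QR=0, opcode=0, RD=1, B (broadcast)=1
NBNS_QTYPE_NB = 0x0020
NBNS_QCLASS_IN = 0x0001


def build_nbns_query(txid, name, suffix=NB_SUFFIX_WORKSTATION):
    """Assemble the UDP/137 name query payload a Windows host broadcasts when DNS
    and WINS have not resolved a name (constructed for the demo, not captured).
    The B flag is why drawback 2 holds: routers do not forward it off the segment,
    and drawback 3 is simply that a host with NetBIOS over TCP/IP disabled never
    sends it."""
    header = struct.pack("!HHHHHH", txid, NBNS_FLAGS_BROADCAST_QUERY, 1, 0, 0, 0)
    question = (bytes([32]) + encode_netbios_name(name, suffix) + b"\x00"
                + struct.pack("!HH", NBNS_QTYPE_NB, NBNS_QCLASS_IN))
    return header + question


def parse_nbns_query(packet):
    """Parse a single-question NBNS query payload (the bytes after the UDP header)."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question NBNS query")
    if packet[12] != 32:
        raise ValueError("unexpected label length %d" % packet[12])
    name, suffix = decode_netbios_name(packet[13:45])
    qtype, = struct.unpack("!H", packet[46:48])
    return {"txid": txid, "name": name, "suffix": suffix,
            "broadcast": bool(flags & 0x0010), "qtype": qtype}


def unexpected_broadcast_lookups(packets, known_hosts):
    """Detection sketch: report broadcast queries for names outside the local
    inventory; these are the lookups a rogue responder could answer, and they
    show which senders still have NetBIOS over TCP/IP enabled."""
    known = {h.upper() for h in known_hosts}
    flagged = []
    for pkt in packets:
        q = parse_nbns_query(pkt)
        if q["broadcast"] and q["name"] not in known:
            flagged.append(q["name"])
    return flagged


# Constructed sample traffic: two lookups for inventoried hosts and one typo'd name.
SAMPLE_PACKETS = [
    build_nbns_query(0x0001, "FILESRV", NB_SUFFIX_SERVER),
    build_nbns_query(0x0002, "PRINTER1"),
    build_nbns_query(0x0003, "FILESVR", NB_SUFFIX_SERVER),
]
KNOWN_HOSTS = ["filesrv", "printer1"]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(parse_nbns_query(pkt))
    print("unexpected:", unexpected_broadcast_lookups(SAMPLE_PACKETS, KNOWN_HOSTS))
```

On a real segment the packets would come from a capture filtered to UDP port 137; the inventory is whatever asset list the network already maintains, and a steady stream of flagged names usually points at either a misconfigured DNS suffix search list or hosts where NetBIOS over TCP/IP was never switched off.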
