neraliu's blog: internet profession in between Hong Kong/China and Silicon Valley (no longer, but the world!)

30 Aug 2010

finally, somebody suggests a way to narrow down the guessing of session IDs

"There are a ton of sites these days that use load-balancers in front of them. There are a few ways they can be installed - completely transparent or acting more like a proxy. The proxy is the more common setup but it has one pretty huge negative side-effect, all the IP addresses come to the server as just one - the internal IP of the load balancer. Normally that’s not a huge deal because the load-balancer does the logging or it sets some custom HTTP header that is properly logged. But PHP doesn’t know about any of that - it’s dumb. It’ll take whatever value it sees as the IP address and apply it to the session ID algorithm. So now instead of having to guess the entire IP space of the Internet, you now have to just guess RFC1918 - and probably realistically a much smaller slice of that in most cases."......

5 Jul 2010

prototype is live

22 Jun 2010

domain scan for pentest

20 Jun 2010

somebody is scanning alibaba.com.cn



somebody is scanning alibaba.com.cn, and my account is being targeted with password resets: i received the password reset email yesterday.

14 Mar 2010

notes on doing some pentesting on my isp




it is just some sunday hacking...

  1. first, i would like to use traceroute to find the gateway of my isp; you can simply traceroute some well-known portal, like www.yahoo.com.
    #traceroute www.yahoo.com
    traceroute: Warning: www.yahoo.com has multiple addresses; using 72.30.2.43
    traceroute to any-fp.wa1.b.yahoo.com (72.30.2.43), 64 hops max, 40 byte packets
     1  192.168.8.1 (192.168.8.1)  1.602 ms  0.782 ms  0.712 ms
     2  [gateway_hostname] (XXX.XXX.XXX.254)  18.115 ms  50.441 ms  11.054 ms
  2. second, i am interested in how many hosts are available in this /24 subnet. i use nmap -sP -PN to find out, and many hosts are actually up. anyway, i go back to the gateway as my focus.
    #nmap -sP XXX.XXX.XXX.0/24
    
    Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-13 17:32 HKT
    Nmap scan report for [hostname] (XXX.XXX.XXX.3)
    Host is up.
    ...
  3. the next thing i am going to do is some heavy probing of the gateway to see what is actually live on it. i try a TCP SYN scan against the gateway and below is the result. it seems like all of the services are being protected by some kind of firewall.
    #nmap -sS [gateway_ip]
    
    Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-14 13:37 HKT
    Nmap scan report for [gateway_hostname] ([gateway_ip])
    Host is up (0.053s latency).
    Not shown: 988 closed ports
    PORT      STATE    SERVICE
    25/tcp    filtered smtp
    80/tcp    filtered http
    111/tcp   filtered rpcbind
    135/tcp   filtered msrpc
    139/tcp   filtered netbios-ssn
    445/tcp   filtered microsoft-ds
    515/tcp   filtered printer
    593/tcp   filtered http-rpc-epmap
    1068/tcp  filtered instl_bootc
    5000/tcp  filtered upnp
    6129/tcp  filtered unknown
    10001/tcp filtered unknown
  4. without giving up, i start the next round with a udp scan and, see, it seems there is something open for us: the snmp service on the host.
    #nmap -sU [gateway_ip]
    
    Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-14 14:44 HKT
    Nmap scan report for pcd-yck14-1-ex.netvigator.com (116.49.68.254)
    Host is up (0.017s latency).
    Not shown: 986 closed ports
    PORT     STATE         SERVICE
    7/udp    open|filtered echo
    67/udp   open|filtered dhcps
    68/udp   open|filtered dhcpc
    111/udp  open|filtered rpcbind
    123/udp  open|filtered ntp
    135/udp  open|filtered msrpc
    136/udp  open|filtered profile
    137/udp  open|filtered netbios-ns
    138/udp  open|filtered netbios-dgm
    161/udp  open          snmp
    162/udp  open|filtered snmptrap
    445/udp  open|filtered microsoft-ds
    520/udp  open|filtered route
    1434/udp open|filtered ms-sql-m
    
    Nmap done: 1 IP address (1 host up) scanned in 2111.55 seconds
  5. in order to get a better feel for the host, i enable OS detection in the scan, but no luck with it.
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Device type: general purpose|media device|router|switch|printer
    Running (JUST GUESSING) : Apple Mac OS X 10.5.X (91%), Apple iPhone OS 1.X (90%), OpenBSD 4.X (89%), FreeBSD 7.X (88%), Cisco IOS 12.X (88%), Novell NetWare 6.X (87%), HP embedded (86%), Microsoft Windows 2000|98 (86%)
    Aggressive OS guesses: Apple Mac OS X 10.5 (Leopard) (Darwin 9.2.2, x86) (91%), Apple Mac OS X 10.5.5 - 10.6.1 (Leopard - Snow Leopard) (Darwin 9.5.0 - 10.0.0) (91%), Apple iPod touch audio player (iPhone OS 1.1.2 - 1.1.4, Darwin 9.0.0d1) (90%), OpenBSD 4.1 (89%), OpenBSD 4.3 (89%), OpenBSD 4.5 (89%), FreeBSD 7.0-RC1 (88%), FreeBSD 7.0-STABLE (88%), FreeBSD 7.1-PRERELEASE 7.2-STABLE (88%), OpenBSD 4.1 (x86) (88%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 3 hops

i did not manage to continue on the snmp side, like looking into the community string, as i need to hang out with my wife...
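As an added example (not part of the original post), a small Python parser for the normal nmap report format shown in the steps above; it separates confirmed "open" listeners from "open|filtered" unknowns and flags management services that should not be answering on a gateway's public side. The sample report, the hostname gateway.example and the RISKY_SERVICES list are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample modelled on the nmap 5.21 UDP report above (gateway address replaced).
SAMPLE_REPORT = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-14 14:44 HKT
Nmap scan report for gateway.example ([gateway_ip])
Host is up (0.017s latency).
Not shown: 986 closed ports
PORT     STATE         SERVICE
7/udp    open|filtered echo
137/udp  open|filtered netbios-ns
161/udp  open          snmp
162/udp  open|filtered snmptrap

Nmap done: 1 IP address (1 host up) scanned in 2111.55 seconds
"""

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\w+) ports")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)")

# Services with no business answering on a gateway's public side (assumed
# policy list for this example, not anything nmap defines).
RISKY_SERVICES = {"snmp", "netbios-ns", "rpcbind", "ms-sql-m"}

def parse_report(text):
    """Pull the host, the 'Not shown' summary and the port table out of nmap's normal output."""
    info = {"host": None, "not_shown": {}, "ports": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_LINE.match(line):
            info["host"] = m.group(1)
        elif m := NOT_SHOWN.match(line):
            info["not_shown"][m.group(2)] = int(m.group(1))
        elif m := PORT_LINE.match(line):
            port, proto, state, service = m.groups()
            info["ports"].append((int(port), proto, state, service))
    return info

def state_counts(info):
    return dict(Counter(state for _, _, state, _ in info["ports"]))

def findings(info):
    """Only 'open' is a confirmed listener; 'open|filtered' on UDP means nothing answered."""
    confirmed = [(p, s) for p, _, st, s in info["ports"] if st == "open"]
    return {"confirmed_open": confirmed,
            "needs_followup": [(p, s) for p, s in confirmed if s in RISKY_SERVICES]}
```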

disclaimer: this article does not encourage people to do anything illegal; those who read this article take on their own responsibilities and risks.

7 Mar 2010

testing the udp awareness of nmap 5.21



for a typical network scanner, when it scans the udp services available on a host, it simply sends udp packets without knowing the exact content the specific services expect. when the host receives the packet, a few things can happen. if the host does not listen on that port, it replies with ICMP port unreachable (type 3, code 3). if the host listens on the port, it may drop the packet or not reply because it does not understand the packet contents. the same behavior happens for a firewall-protected port.

the new version, nmap 5.21, provides udp awareness during udp scanning. put simply, nmap actually speaks some specific protocols, like dns, ntp etc., during the scan, rather than scanning with a meaningless payload. below is the comparison of nmap 5.0 and 5.21

# nmap -sU -p53 208.67.222.222
Starting Nmap 5.00 ( http://nmap.org ) at 2010-03-07 15:39 HKT
Interesting ports on resolver1.opendns.com (208.67.222.222):
PORT   STATE         SERVICE
53/udp open|filtered domain
Nmap done: 1 IP address (1 host up) scanned in 2.33 seconds

# nmap -sU -p53 208.67.222.222
Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-07 15:54 HKT
Nmap scan report for resolver1.opendns.com (208.67.222.222)
Host is up (0.18s latency).
PORT   STATE         SERVICE
53/udp open  domain
Nmap done: 1 IP address (1 host up) scanned in 0.64 seconds

from the returned results, you can notice that nmap 5.0 reports port 53 in the state "open|filtered" while nmap 5.21 reports the state "open". since the new version actually speaks the dns protocol rather than sending a meaningless payload, it gets a real answer back; the old version gets no reply at all, so it cannot tell whether the port is open or firewall-protected.
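To make the difference concrete, here is an added Python simulation (not nmap's code): a stand-in UDP listener that only answers a well-formed DNS query is probed once with an empty datagram and once with a real DNS query, and each outcome is mapped to nmap's port states. The names fake_resolver, build_dns_query, scan_udp and compare_probes are assumed for this example.

```python
import struct

def build_dns_query(name, txid):
    """Minimal DNS A/IN query: 12-byte header (RD set), QNAME labels, QTYPE, QCLASS.
    This is the kind of protocol-specific payload nmap 5.21 sends to 53/udp."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def is_dns_reply(query, datagram):
    """A genuine reply echoes our transaction id and has the QR (response) bit set."""
    if datagram is None or len(datagram) < 12:
        return False
    txid, flags = struct.unpack("!HH", datagram[:4])
    return txid == struct.unpack("!H", query[:2])[0] and bool(flags & 0x8000)

def fake_resolver(datagram):
    """Constructed stand-in for a DNS server: it answers well-formed queries and silently
    drops anything it does not understand, which is why an empty probe tells a scanner
    nothing. Returns reply bytes, or None when no datagram is sent back."""
    if len(datagram) < 12:
        return None
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", datagram[:12])
    if flags & 0x8000 or qdcount != 1:
        return None
    # Echo the question section back with QR=1, RD/RA set, RCODE 0 and no answers.
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + datagram[12:]

def scan_udp(listener, payload):
    """Map one UDP probe to nmap's state vocabulary. listener is None when nothing is
    bound to the port (the kernel answers ICMP type 3 code 3 -> 'closed'); otherwise it
    is a function returning reply bytes ('open') or None, which looks the same as a
    firewall dropping the probe ('open|filtered')."""
    if listener is None:
        return "closed"
    return "open" if listener(payload) is not None else "open|filtered"

def compare_probes(listener, name="example.com", txid=0x1234):
    """Run the generic (empty) probe and the DNS-aware probe against the same port."""
    return {
        "empty payload": scan_udp(listener, b""),
        "dns query": scan_udp(listener, build_dns_query(name, txid)),
    }

if __name__ == "__main__":
    print(compare_probes(fake_resolver))
```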

22 Feb 2010

a recent phishing email i got – hey dudes, this is maggie tam!

recently, i got a phishing email which made me stop and think about who this person is. below is the content i got

hey guys, I haven't seen or talked to some of you for ages, but how are all of you doing??? hope you guys are having fun at casterton (for those still there) and have joy at whatever you do,

well I've changed my email:
old: abc@hotmail.com
NEW email: xyz@hotmail.com

well, I will try and add all of you again!!
if you want to send me emails feel free!

Love you all,
Magz!

a while after getting this email, i found this person trying to add me on msn. hm..., it seems the phishers are now going one step further by combining email and msn to approach the victim. if you have a certain level of curiosity and no doubt, you may add her and finally get phished. good luck

5 Feb 2010

old news, just a screenshot of how twitter has been phished recently

3 Feb 2010

battlenet warning on account theft

hm... when you read the new security portal provided by blizzard, to an internet security professional the things it covers are very basic for defending your online assets from being phished or hacked.

1 Feb 2010

understanding the aurora attack in ie



as the source code of the exploit is out, i can reproduce the ie aurora exploit using metasploit, dumping my peer's screen out; it is really terrible. (note: my testing platform is ie6 running on xp)

Archived in: Computer Security. No responses.