Tuesday, July 28, 2009

Top 10 Password Cracking Tools

1. Cain and Abel

Cain & Abel is a password recovery tool for Microsoft operating systems. It recovers various kinds of passwords by sniffing the network, cracking hashed passwords with dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort; it relies on weaknesses in protocol standards, authentication methods and caching mechanisms, which is why it keeps working on fully patched hosts.


2. John the Ripper

John the Ripper is a fast password cracker available for many flavors of Unix, Windows, DOS, BeOS and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, it supports out of the box Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches. Unlike the online tools in this list it works offline on hashes you already hold, so the only limits are your hardware and your wordlists and rules.

3. THC Hydra

When you need to brute-force a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 30 protocols, including telnet, ftp, http, https, smb, several databases and more. Like THC Amap, it comes from the folks at THC. Because it guesses against the live service rather than against captured hashes, it is bounded by network latency and by whatever lockout policy and logging the target has, so expect it to be slow and noisy compared with an offline cracker.

The project supports a wide range of services and protocols: TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MySQL, REXEC, RSH, RLOGIN, CVS, SNMP, SMTP-AUTH, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, ICQ, SAP/R3, LDAP, PostgreSQL, TeamSpeak, Cisco auth, Cisco enable and Cisco AAA. It is licensed under version 2.0 of the GNU General Public License, with the additional terms that the software may not be used for illegal purposes and that any commercial service or program that uses Hydra must give credit to THC.



4. Aircrack-ng

Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs. It works with any wireless card whose driver supports raw monitor mode (the project website keeps a list) and can sniff 802.11a, 802.11b and 802.11g traffic. The suite includes airodump-ng (an 802.11 packet capture program), aireplay-ng (an 802.11 packet injection program), aircrack-ng (static WEP and WPA-PSK cracking) and airdecap-ng (decrypts WEP/WPA capture files). The WEP attack is statistical and recovers the key once enough IVs have been captured; the WPA/WPA2-PSK attack is an offline dictionary attack against a captured four-way handshake, so it only succeeds when the passphrase is in the wordlist.


5. L0phtcrack

L0phtCrack attempts to crack Windows passwords from hashes which it can obtain (given proper access) from stand-alone Windows workstations, networked servers, primary domain controllers, or Active Directory. In some cases it can sniff the hashes off the wire. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, hybrid attacks, and rainbow tables.


6. AirSnort

AirSnort is a wireless LAN (WLAN) tool that recovers WEP encryption keys. It operates by passively monitoring transmissions, so it never transmits and cannot be spotted by the access point. It uses a ciphertext-only attack on weak RC4 key schedules (the FMS attack) and needs roughly 5 to 10 million captured packets before it can recover a WEP key; on a quiet network that can take hours or days, which is the gap the active injection in Aircrack-ng closes.

7. SolarWinds

The SolarWinds toolset includes various security-related tools such as several network discovery scanners, an SNMP brute-force cracker, router password decryption (for the reversible "type 7" style passwords found in device configs), a TCP connection reset program, one of the fastest and easiest router config download/upload applications available, and more. It is a commercial Windows product rather than free software.

8. Pwdump

Pwdump is able to extract NTLM and LanMan hashes from a Windows target, regardless of whether Syskey is enabled. It is also capable of displaying password histories if they are available. In order to work, it must be run under an Administrator account, or be able to access an Administrator account on the computer where the hashes are to be dumped.

9. RainbowCrack

The RainbowCrack tool is a hash cracker that makes use of a large-scale time-memory trade-off. A traditional brute-force cracker tries all possible plaintexts one by one, which can be time consuming for complex passwords. RainbowCrack differs from "conventional" brute-force crackers in that it uses large pre-computed tables, called rainbow tables, to reduce drastically the time needed to crack a password: chains of hash-then-reduce steps are computed once, only each chain's start and end points are stored, and a later lookup only has to walk a chain instead of the whole keyspace. The trade-off applies only to unsalted hashes (LM, NTLM, plain MD5 and the like); a per-password salt would require a separate table for every salt value.
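The following Python block is an added example, not part of the original list and not RainbowCrack's own code. It builds a miniature rainbow table for 3-letter lowercase MD5 "passwords" and then uses it to invert a hash, so you can see the two phases (precompute, then look up) and what is actually stored. The alphabet, chain length, number of chains (400) and the reduction function are toy choices made here; RainbowCrack's real table formats and reduction functions differ.

```python
import hashlib
import itertools
import string

# Constructed toy parameters: passwords are 3 lowercase letters hashed with
# plain MD5, chains are 50 steps long. Real tables cover much larger
# keyspaces with much longer chains; the mechanics are the same.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
CHAIN_LEN = 50
SPACE = len(ALPHABET) ** PW_LEN  # 17576 possible plaintexts


def h(pw: str) -> str:
    """The hash being attacked (unsalted MD5 here)."""
    return hashlib.md5(pw.encode()).hexdigest()


def reduce_fn(digest: str, column: int) -> str:
    """Map a digest back into the plaintext space.

    The column index is mixed in so that every column of the table uses a
    different reduction function. That is what makes these 'rainbow' chains:
    two chains only merge if they collide in the same column, which keeps
    the table's coverage high compared with classic Hellman tables.
    """
    n = (int(digest[:16], 16) + column) % SPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def chain_plaintexts(start: str) -> list:
    """The CHAIN_LEN plaintexts p0..p(n-1) whose hashes one chain covers."""
    pts = [start]
    for column in range(CHAIN_LEN - 1):
        pts.append(reduce_fn(h(pts[-1]), column))
    return pts


def chain_end(start: str) -> str:
    """Walk a full chain and return only its endpoint."""
    pw = start
    for column in range(CHAIN_LEN):
        pw = reduce_fn(h(pw), column)
    return pw


def build_table(starts) -> dict:
    """Precomputation phase: store only endpoint -> [start points].

    Everything in between is thrown away; that is the memory side of the
    time-memory trade-off. A list per endpoint handles chains that happen
    to merge into the same endpoint.
    """
    table = {}
    for start in starts:
        table.setdefault(chain_end(start), []).append(start)
    return table


def lookup(table: dict, target: str):
    """Online phase: find a preimage of `target` using the table.

    For each column i (last to first) assume the target hash sits at
    column i, finish the chain from there, and if that endpoint is known
    regenerate the chain from its start to locate the actual plaintext.
    """
    for column in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_fn(target, column)
        for c in range(column + 1, CHAIN_LEN):
            pw = reduce_fn(h(pw), c)
        for start in table.get(pw, ()):
            for cand in chain_plaintexts(start):
                if h(cand) == target:
                    return cand
    return None


# 400 chains, started from the first 400 plaintexts in dictionary order.
STARTS = ["".join(t) for t in itertools.islice(
    itertools.product(ALPHABET, repeat=PW_LEN), 400)]
TABLE = build_table(STARTS)


if __name__ == "__main__":
    secret = chain_plaintexts("abc")[7]  # a plaintext we know is covered
    print("stored endpoints:", len(TABLE), "for", 400 * CHAIN_LEN, "chain points")
    print("cracked", h(secret), "->", lookup(TABLE, h(secret)))
```

Only one endpoint per chain is kept, and a lookup costs on the order of CHAIN_LEN squared hash operations instead of the whole keyspace. A salt defeats this outright, because the table would have to be rebuilt for every salt value, which is why salted crypt(3) hashes are a job for John the Ripper rather than for rainbow tables.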

10. Brutus

Brutus is one of the fastest, most flexible remote password crackers you can get your hands on - it's also free. It is available for Windows 9x, NT and 2000, there is no UN*X version available although it is a possibility at some point in the future. It supports HTTP, POP3, FTP, SMB, TELNET, IMAP, NTP, and more.

External Links

http://www.hoobie.net/brutus/


How To Avoid SQL Injection

SQL injection is among the most widespread and dangerous flaws in PHP applications.
This tutorial explains the concept of SQL injection and how to avoid it once and for all.

SQL injection is a code injection technique that exploits a security vulnerability in the database layer of an application. The vulnerability is present when user input is incorrectly filtered for string-literal escape characters embedded in SQL statements, or when user input is not strongly typed and is therefore unexpectedly executed as part of the query. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks.

There are two types of SQL injection in this context:

* Injection into variables that contain strings;
* Injection into numeric variables.

These two types are quite different, and each has to be handled differently.

I) Injection into string variables

Imagine a PHP script that fetches a member's age from their nickname. The nickname is passed from one page to another via the URL (in $_GET['pseudo']). The script would look like this:

$pseudo = $_GET['pseudo'];
$requete = mysql_query("SELECT age FROM membres WHERE pseudo='$pseudo'");

Make no mistake, this script is a big SQL injection hole. An attacker only has to put something like this in the URL in place of the nickname:

' UNION SELECT password FROM membres WHERE id=1

The single quote closes the string literal around $pseudo, and the UNION appends a second SELECT whose result comes back in the same column as age. (For the whole statement to parse, the attacker also has to neutralise the quote that follows $pseudo in the original query, typically by ending the payload with a comment marker such as "-- " so MySQL ignores the rest of the line.) The effect is that the page displays the password of the member with id 1. I will not go into the exploitation in any more detail. Let's move on to the defence.

II) Security

Securing against this type of injection is simple: use the function mysql_real_escape_string().

This function prepends a backslash to each of the following characters:

NUL (\x00), \n, \r, \, ', " and \x1a

As you saw in the injection above, the attacker relies on the quote to close the literal around $pseudo. If the quote is neutralised, the attacker has to look elsewhere. So if we apply mysql_real_escape_string() to the variable like this...

$pseudo = mysql_real_escape_string($_GET['pseudo']);
$requete = mysql_query("SELECT age FROM membres WHERE pseudo='$pseudo'");

... the string injection is closed.

Explanation

' UNION SELECT password FROM membres WHERE id=1

If we apply mysql_real_escape_string() to the variable $pseudo used in the query, the injection becomes:

\' UNION SELECT password FROM membres WHERE id=1

The escaped quote is now just a character inside the string, so the attacker never breaks out of the quotes around $pseudo. Note that this only works because $pseudo sits between single quotes in the query; escaping does nothing for the numeric case below. Two further caveats: mysql_real_escape_string() needs an open connection and escapes according to that connection's character set, and the whole mysql_* extension is deprecated since PHP 5.5 and gone in PHP 7, so in current code the equivalent is a prepared statement with bound parameters (mysqli or PDO), which keeps the data separate from the SQL text instead of escaping one into the other.

There is another function somewhat similar to mysql_real_escape_string(): addslashes(). Why not use it? Because addslashes() knows nothing about the connection's character set, and a security hole was found when it is used on a PHP 4.3.9 installation with magic_quotes_gpc enabled, so mysql_real_escape_string() is the safer of the two.

Numeric variables

This type of injection is less well known than the previous one, which makes it more common. Again, let's start with an example. This time the script displays a member's age from their id, passed by a form ($_POST) for a change:

$id = $_POST['id'];
$requete = mysql_query("SELECT age FROM membres WHERE id=$id");

mysql_real_escape_string() would do nothing here: an attacker who wants to inject SQL does not need any quotes, because $id is not surrounded by quotes in the query. A simple example of exploitation, sent as the id field:

1 UNION SELECT password FROM membres WHERE id=1

(The leading value is needed so that "id=" has an operand; the resulting query is SELECT age FROM membres WHERE id=1 UNION SELECT password FROM membres WHERE id=1.) This injection does exactly what the previous one did. To prevent it there are two approaches:

* Convert the variable so that it contains only a number;
* Check that the variable really is a number before using it in a query.

Method 1:

We use the function intval(), which returns the integer value of whatever a variable contains. For example:

$variable = '1e10'; // $variable is the string '1e10'
$valeur_numerique = intval($variable); // $valeur_numerique is 1

(That result is what PHP 4 and 5 give; since PHP 7.1, intval() understands scientific notation and returns 10000000000 here. Either way the result is an integer, which is what matters for the query.)

Back to our example:

$id = intval($_POST['id']);
$requete = mysql_query("SELECT age FROM membres WHERE id=$id");

You can stop there; it is more than enough. But I recommend reading the other method too, so you don't look foolish when you find it in code that is not yours and don't understand it.


Method 2:

Here we use a function that returns TRUE when a variable holds a numeric value and FALSE otherwise: is_numeric(). We use it in a condition that checks that is_numeric() really returns TRUE:

$id = $_POST['id'];
if (is_numeric($id))
{
    $requete = mysql_query("SELECT age FROM membres WHERE id=$id");
}
else
{
    echo "Trying to hack me?";
}

Which is better, intval() or is_numeric()?

Both close this hole, so on that point they are equal. I prefer intval() because is_numeric() means writing more code, and when the variable is not numeric the query is simply cancelled (in principle; of course you can still run the query with a default value instead). Be aware that is_numeric() also accepts signs, decimals and exponents ('1.5', '-3', '1e3'), so when the column is an integer, casting with intval() or (int) is the stricter check. That's it! Apply these methods wherever user data meets a query and the two injection types shown here are closed; the robust approach in any current PHP code is a prepared statement with bound parameters for every query, which covers both cases at once.
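The block below is an added example, not code from the tutorial: the two vulnerable scripts and the two payloads above are transcribed to Python and run against an in-memory SQLite database, so the attacks and the fixes can be executed end to end without a MySQL server. The table contents are constructed, the engine is SQLite rather than MySQL, and the hardened versions use parameter binding (the mysqli/PDO prepared-statement approach) plus an integer cast for the numeric case, since SQLite has no mysql_real_escape_string().

```python
import sqlite3


# Constructed stand-in for the tutorial's `membres` table. SQLite is used
# only as a convenient engine; the injection mechanics are identical in MySQL.
def fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE membres ("
               "id INTEGER PRIMARY KEY, pseudo TEXT, age INTEGER, password TEXT)")
    db.executemany("INSERT INTO membres VALUES (?, ?, ?, ?)",
                   [(1, "admin", 42, "s3cret-admin-pw"),
                    (2, "bob", 25, "hunter2")])
    return db


# --- The two vulnerable scripts from the tutorial, transcribed ---

def age_by_pseudo_vulnerable(db, pseudo: str) -> list:
    # String context: the value is pasted inside the quotes of the literal.
    sql = "SELECT age FROM membres WHERE pseudo='%s'" % pseudo
    return [row[0] for row in db.execute(sql)]


def age_by_id_vulnerable(db, id_: str) -> list:
    # Numeric context: no quotes at all, so no quote is needed to break out.
    sql = "SELECT age FROM membres WHERE id=%s" % id_
    return [row[0] for row in db.execute(sql)]


# --- Hardened versions ---

def age_by_pseudo_safe(db, pseudo: str) -> list:
    # Parameter binding: the value travels separately from the SQL text, so a
    # quote inside it can never terminate the literal. This is the general
    # replacement for escaping functions such as mysql_real_escape_string().
    return [row[0] for row in
            db.execute("SELECT age FROM membres WHERE pseudo=?", (pseudo,))]


def age_by_id_safe(db, id_: str) -> list:
    # Numeric context: enforce the type (the tutorial's intval()/is_numeric()
    # step) and then bind anyway. int() rejects '1 UNION ...' and '1e10'
    # outright instead of silently truncating them.
    try:
        n = int(id_)
    except (TypeError, ValueError):
        return []
    return [row[0] for row in
            db.execute("SELECT age FROM membres WHERE id=?", (n,))]


# Payloads from the tutorial. The string payload ends with "-- " so that the
# quote the original query places after $pseudo is commented out; without
# that the injected statement would not parse.
STRING_PAYLOAD = "' UNION SELECT password FROM membres WHERE id=1 -- "
NUMERIC_PAYLOAD = "1 UNION SELECT password FROM membres WHERE id=1"


def demo() -> dict:
    """Run each payload through the vulnerable and the hardened function."""
    db = fresh_db()
    return {
        "string_vuln": age_by_pseudo_vulnerable(db, STRING_PAYLOAD),
        "string_safe": age_by_pseudo_safe(db, STRING_PAYLOAD),
        "numeric_vuln": age_by_id_vulnerable(db, NUMERIC_PAYLOAD),
        "numeric_safe": age_by_id_safe(db, NUMERIC_PAYLOAD),
        "numeric_safe_legit": age_by_id_safe(db, "2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print("%-20s %r" % (name, rows))
```

The vulnerable string query returns the admin password in the age column; the vulnerable numeric query returns both the age and the password. Both hardened versions return nothing for the payloads and still answer correctly for a legitimate id, which is the behaviour you want from the fix.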

How to maintain Integrity of Contents (Open Source Tripwire)

Open Source Tripwire is a free software security and data integrity tool useful for monitoring and alerting on specific file change(s) on a range of systems. The project is based on code originally contributed by Tripwire, Inc. in 2000.

Open Source Tripwire functions as a host-based intrusion detection system. Rather than attempting to detect intrusions at the network interface level (as in network intrusion detection systems), Open Source Tripwire detects changes to file system objects.

When first initialized, Open Source Tripwire scans the file system as directed by the administrator and stores information on each file scanned in a database. At a later date the same files are scanned and the results compared against the stored values in the database. Changes are reported to the user. Cryptographic hashes are employed to detect changes in a file without storing the entire contents of the file in the database.
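An added illustration, not Open Source Tripwire's own code: a minimal Python version of the init-then-check cycle just described, run over a constructed temporary directory that stands in for /etc. The function names, the sample files and the tampering scenario are made up here; the point is what gets stored (a hash and metadata per file, never the content) and how a later scan is diffed against it.

```python
import hashlib
import json
import os
import tempfile


def file_record(path: str) -> dict:
    """What we remember about one file: a SHA-256 of its content plus the
    metadata Tripwire-style tools also watch. Only the hash is kept, not the
    content, which is how the database stays small."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "size": st.st_size,
            "mode": st.st_mode, "mtime": int(st.st_mtime)}


def snapshot(root: str) -> dict:
    """Init phase: walk the tree and record every regular file."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            db[rel] = file_record(full)
    return db


def compare(baseline: dict, current: dict) -> dict:
    """Check phase: diff a fresh scan against the stored baseline."""
    report = {"added": [], "removed": [], "changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            old, new = baseline[rel], current[rel]
            # mtime alone is not trusted (an attacker can reset it with
            # touch); the hash is what catches a content change.
            if old["sha256"] != new["sha256"] or old["mode"] != new["mode"]:
                report["changed"].append(rel)
    return report


def _write(root: str, rel: str, text: str) -> None:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


def demo() -> dict:
    """Constructed scenario: baseline a small fake /etc, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/sh\n")
        _write(root, "etc/hosts", "127.0.0.1 localhost\n")
        _write(root, "etc/motd", "Welcome\n")  # left untouched below
        baseline = snapshot(root)
        # The real tool signs this database and keeps it off the monitored
        # host or on read-only media; a JSON round-trip stands in here for
        # "written to disk and read back later".
        baseline = json.loads(json.dumps(baseline))

        # Tampering: an extra uid-0 account, a deleted file, a planted file.
        _write(root, "etc/passwd",
               "root:x:0:0:root:/root:/bin/sh\ntoor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "etc/hosts"))
        _write(root, "etc/cron.d/nightly", "0 3 * * * root /tmp/run.sh\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report names the modified, removed and added files and stays silent about the untouched one. The weak point of any such tool is the baseline itself: if the database or the policy describing what to scan can be rewritten by the intruder, the check proves nothing, which is why Open Source Tripwire signs both with keys that are not kept on the monitored host.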

While useful for detecting intrusions after the event, it can also serve many other purposes, such as integrity assurance, change management, and policy compliance.

Other open source projects exist that provide similar functionality. Examples include AIDE, AFICK and Samhain.

Thursday, July 16, 2009

Who is a Hacker?

In common usage, a hacker is a person who breaks into computers, usually by gaining access to administrative controls. The subculture that has evolved around hackers is often referred to as the computer underground. Proponents claim to be motivated by artistic and political ends, and are often unconcerned about the use of criminal means to achieve them.

Other uses of the word hacker exist that are not related to computer security (computer programmer and home computer hobbyists), but these are rarely used by the mainstream media.