Tuesday, April 17, 2012

Enable SSH Version 1 on linux


Most Linux distributions ship with SSH protocol version 1 disabled because of its security issues.
If you need to enable it for some reason, the steps are below.
Snip from sshd_config -->
Protocol 2,1
# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key

Generate hostkey -->
sudo ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""

Restart sshd

agnel@ubuntu:/var/log$ ssh -1 localhost
agnel@localhost's password:
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-16-generic i686)

* Documentation:  https://help.ubuntu.com/

Last login: Mon Apr 16 05:27:26 2012 from localhost
agnel@ubuntu:~$
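A quick audit for the setting changed above, added here as an example (not part of the original post): it reads an sshd_config, takes the effective Protocol directive (OpenSSH uses the first uncommented one; the default with no directive is 2) and reports whether version 1 is enabled. The sample config files are constructed inline.

```shell
# sshv1_enabled CONFIG_FILE
#   Prints the effective "Protocol" value and returns 0 when protocol
#   version 1 is among the enabled versions, 1 otherwise.
sshv1_enabled() {
    # First uncommented Protocol directive wins; "#Protocol 2,1" is ignored.
    proto=$(grep -iE '^[[:space:]]*Protocol[[:space:]]' "$1" \
            | head -n 1 | awk '{print $2}')
    [ -z "$proto" ] && proto=2          # OpenSSH default when unset
    echo "Protocol ${proto}"
    case ",${proto}," in
        *,1,*) return 0 ;;              # "1", "2,1" or "1,2"
        *)     return 1 ;;
    esac
}

# Constructed sample configs so the check runs stand-alone.
tmpdir=$(mktemp -d)
printf '# HostKey for protocol version 1\nProtocol 2,1\nHostKey /etc/ssh/ssh_host_key\n' \
    > "$tmpdir/weak.conf"
printf '#Protocol 2,1\nProtocol 2\nHostKey /etc/ssh/ssh_host_rsa_key\n' \
    > "$tmpdir/ok.conf"

for f in "$tmpdir/weak.conf" "$tmpdir/ok.conf"; do
    if sshv1_enabled "$f" >/dev/null; then
        echo "$f: SSH protocol 1 is enabled"
    else
        echo "$f: SSH protocol 2 only"
    fi
done
```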

Saturday, April 14, 2012

Cloud Services Terms Explained

IaaS (Infrastructure as a Service) is when the consumer does not deal with the infrastructure; instead the responsibility for the equipment is outsourced to the Service Provider. The Service Provider not only owns the equipment but is also responsible for running and maintaining it, while the consumer is charged on a ‘pay as you use’ basis. IaaS is often offered as a horizontally integrated service that includes not only the server and storage but also the connectivity domains. For example, while the consumer may deploy and run their own applications and operating systems, the IaaS provider would typically provide the replication, backup and archiving (Storage), the powerful computing requirements (Server) or the network load balancing and firewalls (Connectivity domains).


Platform as a service (PaaS) is a category of cloud computing services that provide a computing platform and a solution stack as a service. In the classic layered model of cloud computing,[1] the PaaS layer lies between the SaaS and the IaaS layers.

Software as a service (SaaS) is the ability for a consumer to use on demand software that is provided by the service provider via a thin client device e.g. a web browser over the Internet. With SaaS the consumer has not only no management or control of the infrastructure such as the storage, servers, network, or operating systems, but also no control over the application’s capabilities. Culled from what were originally referred to as (ASPs) Application Service Providers, SaaS is a quick and efficient delivery model for key business applications such as customer relationship management (CRM), enterprise resource planning (ERP), HR and payroll.

Monitoring as a Service (MaaS) is at present still an emerging piece of the Cloud jigsaw but an integral one for the future. In the same way that businesses realised that their infrastructure and key applications required monitoring tools to proactively eliminate downtime risks, Monitoring as a Service provides the option to offload a large majority of those costs by having it run as a service rather than as a fully invested in-house tool. So, for example, by logging onto a thin client or central web-based dashboard hosted by the service provider, the consumer can monitor the status of their key applications regardless of location. Add the advantages of an easy set-up and purchasing process, and MaaS could be a key pay-as-you-use model for de-risking applications that are initially being migrated to the Cloud.

Communication as a Service (CaaS) enables the consumer to use enterprise-level VoIP, VPNs, PBX and Unified Communications without the costly investment of purchasing, hosting and managing the infrastructure. With the service provider also responsible for managing and running these services, the other advantage for the consumer is that they need not employ their own trained personnel, bringing significant OPEX as well as CAPEX savings.

XaaS or ‘anything as a service’ is the delivery of IT as a Service through hybrid Cloud computing and refers to one or a combination of Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Communication as a Service (CaaS) or Monitoring as a Service (MaaS).

Tcpdump

tcpdump - dump traffic on a network
1)To capture ipv6 traffic
tcpdump ip6 -i eth0
2)tcpdump host hope
In the above example tcpdump would print all packets arriving at or departing from hope.
3)tcpdump -i eth0
Capture data on eth0 interface.
4)tcpdump host helios and \( hot or ace \)
Print traffic between helios and either hot or ace.
5)tcpdump 'gateway snup and (port ftp or ftp-data)'
Print all ftp traffic through Internet gateway snup (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses).
6)To print all IP packets between ace and any host except helios
tcpdump ip host ace and not helios
7)To print all ICMP packets that are not echo requests/replies (i.e., not ping packets)
tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'
8)tcpdump -w ./log
Write the raw packets to file rather than parsing and printing them out.
9)tcpdump -s1514
The -s1514 option causes tcpdump NOT to truncate any packets.
10)Useful options:
-vv : More verbose output
-x : When parsing and printing, in addition to printing the headers of each packet, print the data of each packet.
-X : When parsing and printing, in addition to printing the headers of each packet, print the data of each packet (minus its link level header) in hex and ASCII. This is very handy for analysing new protocols.
-s 1500 : Snarf snaplen bytes of data from each packet rather than the default of 68. This is useful to see lots of information.
-i eth1 : Monitor eth1 interface
11)tcpdump udp and src port 53
12)It's also important to note that tcpdump only takes the first 96 bytes of data from a packet by default. If you would like to look at more, add the -s number option to the mix, where number is the number of bytes you want to capture. I usually give it 1514 (to get everything) if I use this option.
13)TCPDump on RTP
tcpdump -T rtp -vvv src 192.168.0.2 and dst port 1234
tcpdump -i eth1 -T rtp -vvv src 8.8.8.53 and dst port 20000

Spamming

Spamming is populating the user’s inbox with unsolicited or junk emails
Spam email contains malicious computer programs such as viruses and Trojans which change the computer settings or track the system
Spamming is also used for product advertisements

Techniques Used by Spammers :
Spoofing the domain:  Message appears to be from user’s own domain
Poisoning or spoofing filters: Addition of invisible text or numbering in message
Social Engineering: Used to manipulate people to perform actions or divulge confidential information
Directory harvesting: Sending messages to possible addresses and then building a list of valid email addresses from the non-delivery reports
Phishing attacks: Convince the user that the mail was sent by a trusted source
Sending virus-attached files: The attachment installs Trojan horses and viruses that make the host computer malfunction
Database Poisoning: Using innocuous words (ham words) in a SPAM, thereby effectively poisoning the filter database in the long run
Junk Tags: Hiding spam words by inserting invalid HTML tags between letters
Invalid Words: Spam words such as "mortgage" are masked by inserting special characters or junk characters between letters

How Spamming is Performed :
Getting the email IDs: Spammers get access to email IDs when the user registers with any email service, forum, or blog, either by hacking the information or by registering as genuine users. Spiders are used that search the code of web pages for anything that looks like an email ID and copy it to the database. E-mail extraction tools with built-in search engines find the email IDs of companies based on the keywords entered. On-line ad tracking tools help the spammers analyze how many users opened the spam mails, the responses to them, and which ad brought the best results.

How Spam is Relayed: Rogue ISPs obtain their own network numbering and multiple domain names from the InterNIC, which spammers use to get across spam blocks. On-the-fly spammers register as genuine users for trial accounts with ISPs and use forged identities to start spam hits. Blind relayers: some servers relay a message without authentication, so it is sent on as genuine mail.

Getting past the anti-spam software: The subject line of the email is given as ‘Re:’ or ‘Fw:’, which assures the anti-spam software that it is a genuine reply to a user's message. The spam message is enclosed as an image in the mail to make the anti-spam software trust the source.

Ways of Spamming :
Usenet spam - A single message sent to 20 or more Usenet newsgroups. It robs users of the newsgroups by overwhelming them with a barrage of advertising or other irrelevant posts. Usenet (USEr NETwork) is a public access network on the Internet that provides group discussions and group e-mail. It is a giant, dispersed bulletin board that is maintained by volunteers who provide news and mail feeds to other nodes. All the content that travels over the Internet is called "NetNews," and a running collection of messages about a particular subject is called a "newsgroup." Usenet began in 1979 as a bulletin board between two universities in North Carolina. Today, there are more than 50,000 newsgroups, and news can be read with a news-enabled Web browser, popular newsreader applications such as News Rover (www.newsrover.com) or via venerable Unix-based utilities such as pine, tin and nn. Some newsgroups are "moderated"; in these newsgroups, the articles are first sent to a moderator for approval before appearing in the newsgroup.
Email Spam : Email spam targets individual users with direct mail messages. Email spam lists are often created by scanning Usenet postings, stealing Internet mailing lists, or searching the Web for addresses.

Types of Spam Attacks : 
Hidden text & links : Making the text the same colour as the background

Double tags : Giving duplicate title tags and Meta tags

Cloaking :  This is done by showing different pages to search engines and users. Also known as stealth, it is a technique used by some Web sites to deliver one page to a search engine for indexing while serving an entirely different page to everyone else. The search engine thinks it is selecting a prime match to its request based on the meta tags that the site administrator has input. However, the search result is misleading because the meta tags do not correspond to what actually exists on the page.

Blog & Wiki spamming :  Wikis allow anyone to add or update the content of any page on the website. This spamming allows the spammers to automatically run crawlers which hunt out blogs and then post keyword text links. Adding links that point to the spammer's web site artificially increases the site's search engine ranking. An increased ranking often results in the spammer's commercial site being listed ahead of other sites for certain searches, increasing the number of potential visitors and paying customers. A method to block automated spam comments is requiring a validation prior to publishing the contents of the reply form. The goal is to verify that the form is being submitted by a real human being and not by a spam tool. Many forms on websites take advantage of the CAPTCHA technique, displaying a combination of numbers and letters embedded in an image which must be entered literally into the reply form to pass the test. In order to keep out spam tools with built-in text recognition, the characters in the images are customarily misaligned, distorted, and noisy. A simple alternative to CAPTCHAs is validation in the form of a password question, providing a hint to human visitors that the password is the answer to a simple question like "The Earth revolves around the... [Sun]".

Image Spam : In this type of spamming, emails containing only images without any text are sent by spammers to evade security systems/controls.

Hijacking/pagejacking : Redirecting a page, which improves the page rank of the page redirected to
For pagejacking, first a copy of your page is taken. A page is then created on the pagejacker's site that is basically a carbon copy of your content, including meta-tags. The pagejacker then adds extra scripting so that only search engine robots are able to read the content of the page. A 302 .htaccess redirect or meta-refresh is then used to automatically redirect human viewers to a totally different page; they never see your content.

Bulk Emailing Tools
FairlogicWorldcast bulk emailing tool : a customized mailer and also an address validator. It detects many common bad addresses existing on the mailing lists. It provides detailed logs of the entire delivery process and reports if there is any kind of error

123 Hidden Sender : sends absolutely anonymous bulk emails. The IP address is not shown in the email headers.

YL Mail Man : a flexible email addresses management and email delivering software

Sendblaster : Bulk email software for email marketing

Direct Sender : quickly and easily send unlimited numbers of personalized email messages using any kind of database.

Hotmailer is a bulk email sender, email address finder, and verifier.

PackPal Bulk Email Server : safe and fast bulk email sender. It can run as a background service

IEmailer : safe to use since it does not use or go through the local ISPs email server.

Anti-Spam Techniques
Heuristic/Signature-based Content Filtering : Received messages are checked against certain patterns. Scores are assigned based on the patterns matched, and if the total score is above a threshold the email is treated as undesired.

Bayesian Content Filtering :  It filters and sorts the emails into different folders based on the good and undesired mail fed to it.
Bayesian spam filters calculate the probability of a message being spam based on its contents. Bayesian spam filtering learns from spam and from good mail, resulting in a very robust, adapting and efficient anti-spam approach that, best of all, returns hardly any false positives. Ideally, you start with a (big) bunch of emails that you have classified as spam, and another bunch of good mail. The filter looks at both, analyzing the legitimate mail as well as the spam, to calculate the probability of various characteristics appearing in spam and in good mail.
The characteristics a Bayesian spam filter can look at include the words in the body of the message, of course, and its headers (senders and message paths, for example!), but also other aspects such as HTML code (like colors), or even word pairs, phrases and meta information (where a particular phrase appears, for example).
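A minimal filter of the kind described above, added here as an example (not from the original post): per-token spam probabilities are learned from a small constructed corpus and combined naively in log space. The class and function names are hypothetical, and the corpus is made up for the demonstration.

```python
"""Toy Bayesian spam filter (added example; names are hypothetical)."""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$!]+")


def tokenize(text):
    """Lowercase word tokens, one occurrence per message. A real filter
    would add header fields, HTML features and word pairs as tokens too."""
    return set(TOKEN_RE.findall(text.lower()))


class BayesFilter:
    def __init__(self):
        self.spam_counts = Counter()   # token -> number of spam messages containing it
        self.ham_counts = Counter()    # token -> number of good messages containing it
        self.n_spam = 0
        self.n_ham = 0

    def train(self, text, is_spam):
        """Feed one classified message (spam or good mail) to the filter."""
        (self.spam_counts if is_spam else self.ham_counts).update(tokenize(text))
        if is_spam:
            self.n_spam += 1
        else:
            self.n_ham += 1

    def token_spam_prob(self, token):
        """P(spam | token), Laplace-smoothed so never-seen tokens stay near 0.5."""
        p_spam = (self.spam_counts[token] + 1) / (self.n_spam + 2)
        p_ham = (self.ham_counts[token] + 1) / (self.n_ham + 2)
        return p_spam / (p_spam + p_ham)

    def spam_probability(self, text):
        """Combine token probabilities under the naive independence
        assumption with equal priors; done in log space to avoid underflow."""
        log_spam = 0.0
        log_ham = 0.0
        for token in tokenize(text):
            p = self.token_spam_prob(token)
            log_spam += math.log(p)
            log_ham += math.log(1.0 - p)
        # e^ls / (e^ls + e^lh) == 1 / (1 + e^(lh - ls))
        return 1.0 / (1.0 + math.exp(log_ham - log_spam))

    def classify(self, text, threshold=0.9):
        """High threshold: the filter prefers missing spam to a false positive."""
        return "spam" if self.spam_probability(text) >= threshold else "ham"


# Constructed training corpus (not real mail).
SPAM = [
    "cheap mortgage refinance now lowest rates click here",
    "buy viagra online cheap pills discount offer",
    "you won a lottery prize claim your money now",
    "cheap rolex replica watches discount offer click",
]
HAM = [
    "meeting moved to tuesday please bring the quarterly report",
    "can you review the patch for the login bug before the release",
    "lunch tomorrow at noon the usual place",
    "attached are the minutes from the security review meeting",
]


def build_filter():
    f = BayesFilter()
    for msg in SPAM:
        f.train(msg, True)
    for msg in HAM:
        f.train(msg, False)
    return f


if __name__ == "__main__":
    f = build_filter()
    for msg in ("cheap mortgage offer click now",
                "please review the report before the meeting"):
        print(f"{f.spam_probability(msg):.3f} {f.classify(msg):5s} {msg}")
```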

Collaborative Content Filtering :  Many users share their judgment about what is desired mail and what is undesired mail. Every time the user receives a mail, a special application suggests whether it is SPAM or not

Black Listing (RBL) :  It uses various spam detection tools to report badly behaving IP addresses as a list. The information is collected and stored in a database, and spam email is filtered based on this information

White Listing :  It accepts all the emails from certain IP addresses. No other filters can stop an email once it is accepted. 

Greylisting : It temporarily rejects messages from IP addresses that have not previously connected successfully to the mail server; legitimate servers retry, most spam tools do not

Sender Policy Framework :  To prevent sender address forgery, SPF proposes that valid email senders register the IPs of the machines they send email from, using extended DNS records.
The Sender Policy Framework (SPF) is an open standard specifying a technical method to prevent sender address forgery. More precisely, it protects the envelope sender address, which is used for the delivery of messages.
Sender Addresses in E-Mails
Like paper mail letters, e-mail messages have at least two kinds of sender addresses: one on the envelope and one in the letterhead.
The envelope sender address (sometimes also called the return-path) is used during the transport of the message from mail server to mail server, e.g. to return the message to the sender in the case of a delivery failure. It is usually not displayed to the user by mail programs.
The header sender address of an e-mail message is contained in the "From" or "Sender" header and is what is displayed to the user by mail programs. Generally, mail servers do not care about the header sender address when delivering a message.
SPF allows the owner of an Internet domain to use a special format of DNS records ("SPF", type 99) to specify which machines are authorized to transmit e-mail for that domain. For example, the owner of the example.com domain can designate which machines are authorized to send e-mail whose sender e-mail address ends with "@example.com". Receivers checking SPF can reject messages from unauthorized machines before receiving the body of the message.
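How a receiving server evaluates such a record, added here as an example (not from the original post): the connecting IP is checked against the mechanisms of the domain's `v=spf1` record. DNS lookups are replaced by a constructed in-memory table so it runs offline; only the common mechanisms ip4, a, mx, include and all are handled (ptr, exists and macros are left out), and the names DNS and check_spf are hypothetical.

```python
"""Minimal SPF evaluator over constructed DNS data (added example)."""
import ipaddress

# Constructed stand-in for DNS: domain -> TXT (SPF), A and MX data.
DNS = {
    "example.com": {
        "txt": "v=spf1 ip4:192.0.2.0/24 mx include:mail.example.net -all",
        "a": ["192.0.2.10"],
        "mx": ["mx1.example.com"],
    },
    "mx1.example.com": {"a": ["198.51.100.5"]},
    "mail.example.net": {"txt": "v=spf1 ip4:203.0.113.0/24 -all", "a": []},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _lookup(domain, rtype):
    """TXT returns None when absent; A/MX return an empty list."""
    return DNS.get(domain, {}).get(rtype, None if rtype == "txt" else [])


def _ip_in_hosts(ip, hosts):
    return any(ip == ipaddress.ip_address(h) for h in hosts)


def check_spf(domain, client_ip, depth=0):
    """Result for client_ip delivering mail with an envelope sender @domain:
    pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                     # guard against include: loops
        return "permerror"
    record = _lookup(domain, "txt")
    if record is None or not record.startswith("v=spf1"):
        return "none"                  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:    # mechanisms are evaluated left to right
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = _ip_in_hosts(ip, _lookup(arg or domain, "a"))
        elif name == "mx":
            matched = any(_ip_in_hosts(ip, _lookup(mx, "a"))
                          for mx in _lookup(arg or domain, "mx"))
        elif name == "include":
            # include: matches only if the referenced domain's policy passes
            matched = check_spf(arg, client_ip, depth + 1) == "pass"
        else:
            return "permerror"         # mechanism not supported in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                   # nothing matched and no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.77", "198.51.100.5", "203.0.113.9", "10.0.0.1"):
        print(ip, "->", check_spf("example.com", ip))
```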

DNS-based Block Lists :  It is used to add the spam IP addresses to a local block list

MX Callbacks :  It supports callbacks which verifies the sender of a message with their MX server

Teergrubing :  It responds slowly to connected mail servers by using multi-line SMTP responses, applying a delay to all servers before accepting the mail (e.g. a 60 second delay is unlikely to impact a legitimate server, but would cost a spammer several tens of message deliveries).

Reputation Control :  It analyzes the email sent by the sender and assigns a score. If the email is found to be legitimate - score improves, if not - the score reduces

Transparent SMTP Proxy : This software blocks SMTP sessions used by e-mail worms and viruses on the NA(P)T router. It acts like a proxy, intercepting outgoing SMTP connections and scanning session data on-the-fly. Anti-Spam-SMTP-Proxy (ASSP) : http://assp.sourceforge.net/

Anti-Spamming Tools
AEVITA Stop SPAM Email : hides email addresses from spambots. It replaces all the email addresses on the page with specially encoded email addresses

SpamExperts Desktop :

SpamEater Pro : 

SpamWeasel :

Spytech SpamAgent : It filters based on the sender, recipient, subject, body, as well as attachment type, forwards, and more

AntispamSniper : integrates with Outlook Express to filter incoming mails

Spam Reader : anti-spam add-on for Microsoft Outlook, uses a Bayesian engine

Spam Assassin Proxy (SA Proxy) : Spam Assassin Proxy is based on open source software. It runs as a local proxy server situated between the email program and the POP3 mail account. Spam Assassin Proxy uses Bayesian filtering, which is accurate and detects new spam. It does not delete spam but marks it

MailWasher Free : 

Spam Bully : anti-spam tool for MS Outlook

Mount iso in linux

Once you've downloaded an ISO image you can mount it as a loopback device. This gives you access to the files in the ISO without having to burn it to a CDROM first. In order to do this you must have loopback support compiled into your Linux kernel (most newer distributions have this enabled by default). For example, if you wanted to mount filename.iso on /mnt/iso you would run the following command:

mount -o loop -t iso9660 filename.iso /mnt/iso

RainbowCrack


Introduction

RainbowCrack is a general purpose implementation of Philippe Oechslin's faster time-memory trade-off technique. The function of this software is to crack hashes.

The straightforward way to crack a hash is brute force. In the brute force approach, all candidate plaintexts and their corresponding hashes are computed one by one, and each computed hash is compared with the target hash. If one of them matches, the plaintext is found; otherwise the process continues until all candidate plaintexts have been searched.

In the time-memory tradeoff approach, the hash computation is done in advance and the results are stored in files called "rainbow tables". After that, hashes can be looked up in the rainbow tables whenever needed. The pre-computation needs several times the effort of a full key space brute force, but once this one-time pre-computation is complete, table lookup can be hundreds or thousands of times faster than brute force.

This document explains the steps to get the RainbowCrack software working for a first-time user. Most of the contents are implementation specific, while the rest is generic to the time-memory tradeoff algorithm.

The RainbowCrack software includes three tools that must be used in sequence:
Step 1: Use the rtgen program to generate rainbow tables.
Step 2: Use the rtsort program to sort the rainbow tables generated by rtgen.
Step 3: Use the rcrack program to look up the rainbow tables sorted by rtsort.

The table lookup in the final step is the hash cracking process itself.

How to use these programs is explained in this document. All of them are command line programs.

Step 1: Use rtgen program to generate rainbow tables

The rtgen program needs several parameters to generate a rainbow table. The syntax of the command line is:

    rtgen hash_algorithm charset plaintext_len_min plaintext_len_max table_index chain_len chain_num part_index

Explanation of these parameters:

hash_algorithm
    The hash algorithm (lm, ntlm, md5 and so on) used in the rainbow table.
charset
    The charset of all plaintexts in the rainbow table. All possible charsets are defined in the charset.txt file.
plaintext_len_min, plaintext_len_max
    These two parameters define the possible lengths of all plaintexts in the rainbow table. If the charset is numeric, plaintext_len_min is 1 and plaintext_len_max is 5, then the plaintext "12345" is likely included in the table, but "123456" will not be included.
table_index, chain_len, chain_num, part_index
    These four parameters are difficult to explain in simple words; reading Philippe Oechslin's original paper helps to understand their exact meaning.
    The table_index is related to the "reduce function" used in the rainbow table.
    The chain_len is the length of each "rainbow chain" in the rainbow table. A "rainbow chain", 16 bytes in size, is the smallest unit in a rainbow table. A rainbow table contains lots of rainbow chains.
    The chain_num is the number of rainbow chains in the rainbow table.
    The part_index parameter determines how the "start point" of each rainbow chain is generated. It must be a number (or begin with a number) in RainbowCrack 1.3 & 1.4. In RainbowCrack 1.2 this parameter can be any string because random "start points" are used, while 1.3 & 1.4 use sequential "start points".

The right values of all the parameters depend on what you need; selecting good parameters requires some understanding of the time-memory tradeoff algorithm.

One ready-to-work configuration is given below as an example:

hash_algorithm       lm, ntlm or md5
charset              alpha-numeric = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
                     or loweralpha-numeric = [abcdefghijklmnopqrstuvwxyz0123456789]
plaintext_len_min    1
plaintext_len_max    7
chain_len            3800
chain_num            33554432
key space            36^1 + 36^2 + 36^3 + 36^4 + 36^5 + 36^6 + 36^7 = 80603140212
                     (the number of possible plaintexts for the charset, plaintext_len_min and plaintext_len_max selected)
table size           3 GB
success rate         0.999

The time-memory tradeoff algorithm is a probabilistic algorithm. Whatever parameters are selected, there is always a probability that a plaintext within the selected charset and plaintext length range is not covered. The success rate is 99.9% with the parameters used in this example.

The actual rtgen commands used to generate the rainbow tables are:
rtgen md5 loweralpha-numeric 1 7 0 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 1 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 2 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 3 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 4 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 5 3800 33554432 0

If an ntlm or lm table is desired, replace "md5" in the commands above with "ntlm" or "lm".
If the alpha-numeric charset is desired, replace "loweralpha-numeric" in the commands above with "alpha-numeric".

If an lm table is to be generated, please CONFIRM the charset is alpha-numeric instead of loweralpha-numeric. The lm algorithm NEVER uses lowercase letters as plaintext.

Now it is time to generate a rainbow table.
Change the current directory of your command prompt to RainbowCrack's directory, and execute the following command:

rtgen md5 loweralpha-numeric 1 7 0 3800 33554432 0

This command takes about 4 hours to complete on a Core2 Duo E7300 processor. It is safe to stop the computation at any time by pressing Ctrl+C. The next time the rtgen program is executed with exactly the same command line parameters, it resumes from where the computation was stopped and continues the table generation.

When the command finishes, a file named "md5_loweralpha-numeric#1-7_0_3800x33554432_0.rt" of 512 MB will be in place. The file name is simply all the command line parameters joined together, with the "rt" extension. The rcrack program, explained later, needs this information to know the parameters of the rainbow table, so don't rename the file.

The remaining tables can be generated in the same way with these commands:

rtgen md5 loweralpha-numeric 1 7 1 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 2 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 3 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 4 3800 33554432 0
rtgen md5 loweralpha-numeric 1 7 5 3800 33554432 0

Finally, these files are generated:
md5_loweralpha-numeric#1-7_0_3800x33554432_0.rt     512MB
md5_loweralpha-numeric#1-7_1_3800x33554432_0.rt     512MB
md5_loweralpha-numeric#1-7_2_3800x33554432_0.rt     512MB
md5_loweralpha-numeric#1-7_3_3800x33554432_0.rt     512MB
md5_loweralpha-numeric#1-7_4_3800x33554432_0.rt     512MB
md5_loweralpha-numeric#1-7_5_3800x33554432_0.rt     512MB

Now the rainbow table generation process is complete.

Step 2: Use rtsort program to sort rainbow tables

The rainbow tables generated by the rtgen program need some post-processing to make table lookup easier. The rtsort program sorts all the rainbow chains in a rainbow table by their "end point".

Use following commands:

rtsort md5_loweralpha-numeric#1-7_0_3800x33554432_0.rt
rtsort md5_loweralpha-numeric#1-7_1_3800x33554432_0.rt
rtsort md5_loweralpha-numeric#1-7_2_3800x33554432_0.rt
rtsort md5_loweralpha-numeric#1-7_3_3800x33554432_0.rt
rtsort md5_loweralpha-numeric#1-7_4_3800x33554432_0.rt
rtsort md5_loweralpha-numeric#1-7_5_3800x33554432_0.rt

Each command above takes about 1 to 2 minutes to complete. The rtsort program writes the sorted rainbow table back to the original file.
Don't interrupt the rtsort program; otherwise the rainbow table being sorted will be damaged.
If the free memory of your system is smaller than the size of the rainbow table being sorted, temporary hard disk space as large as the rainbow table will be needed to store intermediate data.

Now the rainbow table sorting process is complete.

Step 3: Use rcrack program to lookup rainbow tables

The rcrack program is used to lookup the rainbow tables. It only accepts sorted rainbow tables.

Assume the sorted rainbow tables are placed in the c:\rt directory. To crack a single hash the command line is:

rcrack c:\rt\*.rt -h your_hash_comes_here

The first parameter specifies the path to the rainbow tables to look up. The "*" and "?" characters can be used to specify multiple files.

Normally it takes seconds or tens of seconds to finish if the plaintext is within the selected charset and plaintext length range. Otherwise, it takes much longer to search all the tables only to find nothing.

To crack multiple hashes, place all the hashes in a text file with one hash per line, and then specify the file name on the rcrack command line:

rcrack c:\rt\*.rt -l hash_list_file

If the rainbow tables you generated use the lm algorithm, the rcrack program has special support for it with the "-f" command switch. A hash dump file in pwdump format is required as input to the rcrack program. The file looks like this:

    Administrator:500:1c3a2b6d939a1021aad3b435b51404ee:e24106942bf38bcf57a6a4b29016eff6:::
    Guest:501:a296c9e4267e9ba9aad3b435b51404ee:9d978dda95e5185bbeda9b3ae00f84b4:::

The pwdump file is the output of pwdump2, pwdump3 or other utilities. It contains both the lm hash and the ntlm hash.

To crack the lm hashes in a pwdump file, use the following command:

rcrack c:\rt\*.rt -f pwdump_file

The lm hash algorithm converts all lowercase letters in the plaintext to uppercase; as a result the plaintexts cracked via the lm hash never contain lowercase letters, while the actual plaintext may. The rcrack program tries to correct the case using the ntlm hashes stored in the same file and outputs the original plaintext.

Defense against rainbow tables

A rainbow table is ineffective against one-way hashes that include salts. For example, consider a password hash that is generated using the following function (where "." is the concatenation operator):
hash = MD5 (password . salt)
Or
hash = MD5 (MD5 (password) . salt)
The salt value is not secret and may be generated at random and stored with the password hash. A large salt value prevents precomputation attacks, including rainbow tables, by ensuring that each user's password is hashed uniquely. This means that two users with the same password will have different password hashes (assuming different salts are used). In order to succeed, an attacker needs to precompute tables for each possible salt value. Even for older Unix passwords, which used a 12-bit salt, this would be improbable. The MD5-crypt and bcrypt methods—used in Linux, BSD Unixes, and Solaris—have salts of 48 and 128 bits, respectively.[3] These larger salt values make precomputation attacks for almost any length of password infeasible against these systems for the foreseeable future.
Another technique that helps prevent precomputation attacks is key strengthening (also called key stretching). When stretching is used, the salt, password, and a number of intermediate hash values are run through the underlying hash function multiple times to increase the computation time required to hash each password[4]. For instance, MD5-Crypt uses a 1000 iteration loop that repeatedly feeds the salt, password, and current intermediate hash value back into the underlying MD5 hash function.[3] The user's password hash is the concatenation of the salt value (which is not secret) and the final hash. The extra time is not noticeable to a user because he only has to wait a fraction of a second each time he logs in. On the other hand, stretching greatly reduces the effectiveness of a brute-force or precomputation attacks because it reduces the number of computations an attacker can perform in a given time frame. This principle is applied in MD5-Crypt and in bcrypt.[5]
Also, rainbow tables and other precomputation attacks do not work against passwords that contain symbols outside the range presupposed, or that are longer than those precomputed by the attacker. Because of the sizable investment in computing processing, rainbow tables beyond fourteen places in length are not yet common. So, choosing a password that is longer than fourteen characters or that contains non-alphanumeric symbols may force an attacker to resort to brute-force methods.

Nearly all distributions and variations of Unix, Linux, and BSD use hashes with salts, though many applications use just a hash (typically MD5) with no salt. The Windows NT/2000 family uses the LAN Manager and NT LAN Manager hashing method and is also unsalted, which makes it one of the more popularly generated tables.
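The three-step procedure above (rtgen, rtsort, rcrack) and the salt defence, shown together in one toy implementation added here as an example; this is not RainbowCrack's code, the function names and constants are hypothetical, and the key space is shrunk to loweralpha-numeric plaintexts of length 1 to 3 so that it runs in a second or two. It shows what chain_len, chain_num and table_index mean, why end points are sorted, how a lookup walks a chain, and why a salted hash is simply not in the table.

```python
"""Toy rainbow table: rtgen / rtsort / rcrack in miniature, plus the salt
defence. Not RainbowCrack's code; names and constants are hypothetical."""
import bisect
import hashlib
import random

CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"
LEN_MIN, LEN_MAX = 1, 3
# key space = 36^1 + 36^2 + 36^3, the same sum the text computes for 1..7
KEYSPACE = sum(len(CHARSET) ** n for n in range(LEN_MIN, LEN_MAX + 1))


def md5(text):
    return hashlib.md5(text.encode()).digest()


def index_to_plaintext(idx):
    """Map 0 <= idx < KEYSPACE to one plaintext (shorter lengths first)."""
    for n in range(LEN_MIN, LEN_MAX + 1):
        count = len(CHARSET) ** n
        if idx < count:
            chars = []
            for _ in range(n):
                chars.append(CHARSET[idx % len(CHARSET)])
                idx //= len(CHARSET)
            return "".join(chars)
        idx -= count
    raise ValueError("index outside key space")


def reduce_fn(digest, position, table_index):
    """Reduce a hash to a key-space index. Mixing in the chain position is
    what makes the chain a *rainbow* chain; mixing in table_index gives
    every table a different reduce function (why rtgen takes table_index)."""
    value = int.from_bytes(digest[:8], "little")
    return (value + position + table_index * 0x10000) % KEYSPACE


def generate_table(table_index, chain_len, chain_num, seed=1):
    """rtgen + rtsort: build chain_num chains of chain_len steps, keep only
    (end point, start point) pairs, sorted by end point for binary search.
    Start points come from a seeded PRNG (RainbowCrack 1.2 style)."""
    rng = random.Random(seed)
    table = []
    for _ in range(chain_num):
        start = rng.randrange(KEYSPACE)
        idx = start
        for pos in range(chain_len):
            idx = reduce_fn(md5(index_to_plaintext(idx)), pos, table_index)
        table.append((idx, start))
    table.sort()
    return table


def lookup(table, table_index, chain_len, target):
    """rcrack: assume the target hash sits at position pos of some chain,
    finish that chain, binary-search the end point, then regenerate the
    chain from its start point to recover the plaintext (or reject a
    false alarm caused by merged chains)."""
    ends = [end for end, _ in table]
    for pos in range(chain_len - 1, -1, -1):
        idx = reduce_fn(target, pos, table_index)
        for p in range(pos + 1, chain_len):
            idx = reduce_fn(md5(index_to_plaintext(idx)), p, table_index)
        i = bisect.bisect_left(ends, idx)
        while i < len(table) and table[i][0] == idx:
            cur = table[i][1]
            for p in range(chain_len):
                pt = index_to_plaintext(cur)
                if md5(pt) == target:
                    return pt
                cur = reduce_fn(md5(pt), p, table_index)
            i += 1
    return None


def chain_plaintext(table, table_index, chain_len, row, position):
    """Plaintext at `position` of chain `row`: guaranteed to be covered."""
    cur = table[row][1]
    for p in range(position):
        cur = reduce_fn(md5(index_to_plaintext(cur)), p, table_index)
    return index_to_plaintext(cur)


def salted_md5(password, salt):
    """hash = MD5(password . salt): the table was built without the salt,
    so this digest matches no chain unless MD5 itself collides."""
    return md5(password + salt)


if __name__ == "__main__":
    T_INDEX, CHAIN_LEN, CHAIN_NUM = 0, 50, 3000
    table = generate_table(T_INDEX, CHAIN_LEN, CHAIN_NUM)
    pw = chain_plaintext(table, T_INDEX, CHAIN_LEN, 7, 20)
    print("unsalted md5 of", pw, "->", lookup(table, T_INDEX, CHAIN_LEN, md5(pw)))
    print("salted md5 of", pw, "->", lookup(table, T_INDEX, CHAIN_LEN, salted_md5(pw, "k3")))
```

Coverage of this toy table is well below 100% of the key space (chains merge), which is the probabilistic gap the success rate of 0.999 quantifies for the real tables.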



Virus Worms Trojans

What is a Virus ?


A computer virus is a small program written to alter the way a computer operates, without the permission or knowledge of the user. A virus must meet two criteria:

  • It must execute itself. It often places its own code in the path of execution of another program.
  • It must replicate itself. For example, it may replace other executable files with a copy of the virus infected file. Viruses can infect desktop computers and network servers alike.
Some viruses are programmed to damage the computer by damaging programs, deleting files, or reformatting the hard disk. Others are not designed to do any damage, but simply to replicate themselves and make their presence known by presenting text, video, and audio messages. Even these benign viruses can create problems for the computer user. They typically take up computer memory used by legitimate programs. As a result, they often cause erratic behavior and can result in system crashes. In addition, many viruses are bug-ridden, and these bugs may lead to system crashes and data loss.

Recognized types of viruses

  • Boot Sector
  • Polymorphic (changes form each time it is executed)
  • Stealth (uses techniques to avoid detection)
  • Macro (infects MS Office documents)
  • Program (infects executable files)
  • Multipartite (hybrid of boot sector and program virus)


File infector viruses
File infector viruses infect program files. These viruses normally infect executable code, such as .com and .exe files. They can infect other files when an infected program is run from a floppy, hard drive, or from the network. Many of these viruses are memory resident. After memory becomes infected, any noninfected executable that runs becomes infected. Examples of known file infector viruses include Jerusalem and Cascade.

Boot sector viruses
Boot sector viruses infect the system area of a disk; that is, the boot record on floppy disks and hard disks. All floppy disks and hard disks (including disks containing only data) contain a small program in the boot record that is run when the computer starts up. Boot sector viruses attach themselves to this part of the disk and activate when the user attempts to start up from the infected disk. These viruses are always memory resident in nature. Most were written for DOS, but all PCs, regardless of the operating system, are potential targets of this type of virus. All that is required to become infected is to attempt to start up your computer with an infected floppy disk. Thereafter, while the virus remains in memory, all floppy disks that are not write protected will become infected when the floppy disk is accessed. Examples of boot sector viruses are Form, Disk Killer, Michelangelo, and Stoned.

Master boot record viruses
Master boot record viruses are memory-resident viruses that infect disks in the same manner as boot sector viruses. The difference between these two virus types is where the viral code is located. Master boot record infectors normally save a legitimate copy of the master boot record in a different location. Windows NT computers that become infected by either boot sector viruses or master boot record viruses will not boot. This is due to the difference in how the operating system accesses its boot information, as compared to Windows 98/Me. If your Windows NT system is formatted with FAT partitions, you can usually remove the virus by booting to DOS and using antivirus software. If the boot partition is NTFS, the system must be recovered by using the three Windows NT Setup disks. Examples of master boot record infectors are NYB, AntiExe, and Unashamed.

Multipartite viruses
Multipartite (also known as polypartite) viruses infect both boot records and program files. These are particularly difficult to repair. If the boot area is cleaned but the files are not, the boot area will be reinfected. The same holds true for cleaning infected files: if the virus is not removed from the boot area, any files that you have cleaned will be reinfected. Examples of multipartite viruses include One_Half, Emperor, Anthrax and Tequilla.

Macro viruses
These types of viruses infect data files. They are the most common and have cost corporations the most money and time trying to repair. With the advent of Visual Basic in Microsoft's Office 97, a macro virus can be written that not only infects data files, but can also infect other files as well. Macro viruses infect Microsoft Office Word, Excel, PowerPoint and Access files. Newer strains are now turning up in other programs as well. All of these viruses use another program's internal programming language, which was created to allow users to automate certain tasks within that program. Because of the ease with which these viruses can be created, there are now thousands of them in circulation. Examples of macro viruses include W97M.Melissa, WM.NiceDay and W97M.Groov.

What is a Trojan horse?


Trojan horses are impostors—files that claim to be something desirable but, in fact, are malicious. A very important distinction between Trojan horse programs and true viruses is that they do not replicate themselves. Trojan horses contain malicious code that, when triggered, causes loss, or even theft, of data. For a Trojan horse to spread, you must invite these programs onto your computers; for example, by opening an email attachment or downloading and running a file from the Internet. Trojan.Vundo is a Trojan horse.
Its ability to spread depends on the popularity of the software and the willingness of users to download and install it from the Internet.

What is a worm? --> Same as a virus, except that it replicates by itself without user interaction.


Worms are programs that replicate themselves from system to system without the use of a host file. This is in contrast to viruses, which require the spreading of an infected host file. Although worms generally exist inside of other files, often Word or Excel documents, there is a difference between how worms and viruses use the host file. Usually the worm will release a document that already has the "worm" macro inside the document. The entire document will travel from computer to computer, so the entire document should be considered the worm. W32.Mydoom.AX@mm is an example of a worm.
A worm takes advantage of a security hole in applications or the OS and then finds other systems running similar applications or OS in order to replicate. It spreads by using email, file sharing (P2P), IM (Instant Messaging), and IRC channels.
What is a virus hoax?


Virus hoaxes are messages, almost always sent by email, that amount to little more than chain letters. Following are some of the common phrases that are used in these hoaxes:
  • If you receive an email titled [email virus hoax name here], do not open it!
  • Delete it immediately!
  • It contains the [hoax name] virus.
  • It will delete everything on your hard drive and [extreme and improbable danger specified here].
  • This virus was announced today by [reputable organization name here].
  • Forward this warning to everyone you know!





Spyware
=======
Undesirable code that comes with commercial software distributions.

Denial of Service

DoS (Denial of Service):
An attack through which a person can render a system unusable, or significantly slow it down for legitimate users, by overloading its resources. It may be:
  • an attempt to flood a network, thereby preventing legitimate network traffic;
  • an attempt to disrupt connections between two machines, thereby preventing access to a service;
  • an attempt to prevent a particular individual or system from accessing a service.

Distributed Denial of Service (DDoS):
An attack in which a multitude of compromised systems attack a single target.

The Impact: disabled network, disabled organization, financial loss, loss of goodwill.
The Modes:
  • consumption of scarce, limited, or non-renewable resources such as network bandwidth, memory, disk space, CPU time, data structures, and certain environmental resources such as power, cool air, or even water;
  • destruction or alteration of configuration information;
  • physical destruction or alteration of network components.

Smurf Attack: The attacker generates a large amount of ICMP echo (ping) traffic to a network broadcast address with a spoofed source IP set to a victim host. The result is lots of ping replies (ICMP Echo Reply), one from every host on that network, flooding the victim whose address was spoofed.

Buffer Overflow Attack: A buffer overflow occurs any time a program writes more information into a buffer than the space allocated for it in memory. The attacker can overwrite the data that controls the program's execution path and hijack control of the program to execute the attacker's code instead of the process code. Sending email messages that have attachments with 256-character file names can cause a buffer overflow.
There are two main types of buffer overflow attacks: stack based and heap based. Heap-based attacks flood the memory space reserved for a program, but the difficulty involved with performing such an attack makes them rare. Stack-based buffer overflows are by far the most common.
In a stack-based buffer overrun, the program being exploited uses a memory object known as a stack to store user input. Normally, the stack is empty until the program requires user input. At that point, the program writes a return memory address to the stack and then the user's input is placed on top of it. When the stack is processed, the user's input gets sent to the return address specified by the program.
However, a stack does not have an infinite potential size. The programmer who develops the code must reserve a specific amount of space for the stack. If the user's input is longer than the amount of space reserved for it within the stack, then the stack will overflow. This in itself isn't a huge problem, but it becomes a huge security hole when combined with malicious input.
For example, suppose a program is waiting for a user to enter his or her name. Rather than enter the name, the hacker would enter an executable command that exceeds the stack size. The command is usually something short. In a Linux environment, for instance, the command is typically EXEC("sh"), which tells the system to open a command prompt, known as a root shell in Linux circles.
Yet overflowing the buffer with an executable command doesn't mean that the command will be executed. The attacker must also specify a return address that points to the malicious command. The program partially crashes because the stack overflowed. It then tries to recover by going to the return address, but the return address has been changed to point to the command specified by the hacker. Of course this means that the hacker must know the address where the malicious command will reside. To get around needing the exact address, the malicious command is often padded on both sides by NOP (no-operation) instructions. Padding on both sides is a technique used when the exact memory range is unknown. Therefore, if the address the hacker specifies falls anywhere within the padding, execution slides through the padding and the malicious command is executed.
The last part of the equation is the executable program's permissions. Most modern operating systems have some sort of mechanism to control the access level of the user who is currently logged on, and executable programs typically require a higher level of permissions. These programs therefore run either in kernel mode or with permissions inherited from a service account. When a stack-overflow attack runs the command found at the new return address, the program thinks it is still running normally. This means that the command prompt that has been opened is running with the same set of permissions as the application that was compromised. Generally speaking, this often means that the attacker will gain full control of the operating system.

Ping of Death Attack: Fragmentation allows a single IP packet to be broken down into smaller segments. The fragments can add up to more than the allowed 65,536 bytes. The operating system, unable to handle oversized packets, freezes, reboots, or simply crashes.

Teardrop Attack: IP requires that a packet that is too large for the next router to handle be divided into fragments. The attacker's packets carry a confusing offset value in the second or later fragment. If the receiving operating system is not able to reassemble the fragments accordingly, it can crash the system. It is a UDP attack which uses overlapping offset fields to bring down hosts.
The Unnamed Attack: A variation of the Teardrop attack. The fragments do not overlap, but gaps are incorporated between them.

SYN Attack: The attacker sends bogus TCP SYN requests to a victim server. The host allocates resources (memory, sockets) to each connection, which prevents the server from responding to legitimate requests. This attack exploits the three-way handshake. Malicious flooding by large volumes of TCP SYN packets to the victim's system with spoofed source IP addresses can cause DoS.
Initially, after receiving a connection request (a packet with the SYN flag set), a victim host puts this half-open connection into the backlog queue and sends out the first response (a packet with the SYN and ACK flags set). When the victim does not receive a response from the remote host, it tries to retransmit this SYN+ACK packet until it times out, and then finally removes the half-open connection from the backlog queue. In some operating systems this process for a single SYN request can take about 3 minutes. The other important thing to know is that the operating system can handle only a defined number of half-open connections in the backlog queue. This number is controlled by the size of the backlog queue. For instance, the default backlog size is 256 for RedHat 7.3 and 100 for Windows 2000 Professional. When this size is reached, the system will no longer accept incoming connection requests.

SYN Flooding: A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN+ACK.
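An added example, not part of the original notes, that models the backlog-queue reasoning above in Python: spoofed SYNs occupy half-open slots until the SYN+ACK retransmissions time out, so an attacker only needs a sending rate of roughly backlog size divided by timeout to keep the queue full, and shortening the timeout raises that bar. The figures used (256 and 100 entries, a 180-second timeout) are the ones quoted above; the one-second tick model is a simplification I chose for the example.

```python
from collections import deque


class Backlog:
    """Model of a listening socket's half-open (SYN_RECV) queue.

    Each accepted SYN occupies a slot until the SYN+ACK retransmissions time
    out; spoofed sources never send the final ACK, so slots are only freed
    by that timeout.  A legitimate handshake would free its slot on ACK."""

    def __init__(self, capacity: int, timeout: int):
        self.capacity = capacity
        self.timeout = timeout
        self.expiries = deque()   # expiry times, in arrival order
        self.dropped = 0          # SYNs refused because the queue was full

    def expire(self, now: int) -> None:
        """Drop half-open entries whose SYN+ACK retransmissions have timed out."""
        while self.expiries and self.expiries[0] <= now:
            self.expiries.popleft()

    def offer_syn(self, now: int) -> bool:
        """Return True if the SYN got a slot, False if the queue is full."""
        self.expire(now)
        if len(self.expiries) >= self.capacity:
            self.dropped += 1
            return False
        self.expiries.append(now + self.timeout)
        return True

    def __len__(self) -> int:
        return len(self.expiries)


def time_to_exhaust(syn_rate: int, timeout: int, capacity: int,
                    horizon: int = 3600):
    """Seconds until a steady stream of `syn_rate` spoofed SYNs per second
    first gets a SYN refused, or None if the backlog never fills within
    `horizon` seconds (entries expire faster than they arrive)."""
    backlog = Backlog(capacity, timeout)
    for now in range(horizon):
        for _ in range(syn_rate):
            if not backlog.offer_syn(now):
                return now
    return None


def min_rate_to_exhaust(timeout: int, capacity: int) -> float:
    """Closed form of the same thing: in steady state the queue holds
    rate * timeout entries, so it stays full once rate >= capacity / timeout.
    Shortening the timeout (or enlarging the backlog) raises this bar."""
    return capacity / timeout


if __name__ == "__main__":
    for capacity in (256, 100):              # RedHat 7.3 / Windows 2000 defaults
        for timeout in (180, 10):            # ~3 min default vs. a short timeout
            print(f"backlog {capacity:3d}, timeout {timeout:3d}s: needs",
                  f"{min_rate_to_exhaust(timeout, capacity):.2f} SYN/s;",
                  "at 2 SYN/s full after", time_to_exhaust(2, timeout, capacity), "s")
```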

DoS Attack Tools:
Jolt2: a denial of service attack against Windows-based machines that consumes 100% of the CPU time processing the illegal packets. Cisco routers and other gateways may be vulnerable.
Bubonic.c: against Windows 2000. It works by randomly sending TCP packets with random settings with the goal of increasing the load of the machine, so that it eventually crashes.
Land and LaTierra: IP spoofing in combination with the opening of a TCP connection. Both IP addresses, source and destination, are modified to be the same—the address of the destination host. This results in the packet being sent back to itself, because the addresses are the same.
Targa: eight different DoS attacks. It integrates bonk, jolt, land, nestea, netear, syndrop, teardrop, and winnuke into one multi-platform DoS attack.
Blast: a small, quick TCP service stress test tool that does a large amount of work quickly and can spot potential weaknesses in your network servers.
Nemesy: generates random packets (protocol, port, etc.).
Panther2: a UDP-based attack designed for 28.8-56k connections. It comes under the flooder category (overloads a connection by any mechanism, such as fast pinging, causing a DoS attack).
Crazy Pinger: sends large ICMP packets to a remote target network.
SomeTrouble: a remote flooder with 3 remote functions: Mail Bomb (self-resolve for SMTP), ICQ Bomb, Net Send Flood.
ICQ (homophone for the phrase "I seek you") is a popular instant messaging computer program, which was first developed by the Israeli company Mirabilis, now owned by AOL.
Net send: a command in Windows that sends messages to other users, computers, or messaging names on the network.
UDP Flood: sends out UDP packets to the specified IP and port at a controllable rate. Packets can be made from a typed text string, a given number of random bytes, or data from a file.
FSMax: a scriptable server stress testing tool. It takes a text file as input and runs a server through a series of tests based on the input. The purpose of this tool is to find buffer overflows or DoS points in a server.

Proxy servers

Proxy servers: a server which acts as an intermediary between internal users and external hosts.

The proxy server takes requests from a user and then performs those requests on behalf of the user. To the external system, the request looks as if it originated from the proxy server, not from the user on the internal network.

To perform NAT functions: A proxy server can process and execute commands on behalf of clients that have private IP addresses. This enables an organization with only one registered IP address to provide Internet access to a large number of computers. This process is known as IP proxy.

To allow Internet access to be controlled: Having a centralized point of access allows for a great deal of control over the use of the Internet. By using the functionality of a proxy server application or by using an add-on feature, proxy servers can filter requests made by clients and either allow or disallow them. You can, for example, implement uniform resource locator (URL) filtering, which allows or denies users access to certain sites. More sophisticated products can also perform tests on retrieved material to see if it fits acceptable criteria. Such measures are intended to prevent users from accessing inappropriate Internet web pages. As an "after the event" feature, proxy server applications also normally provide logging capabilities so that Internet usage can be monitored.

Caching Proxy Server: Caching enables the proxy server to store pages that it retrieves as files on disk. Consequently, if the same pages are requested again, they can be provided more quickly from the cache than if the proxy server had to go back to the Web server each time.
This increases performance where there is a great likelihood that more than one user will retrieve the same page.
To avoid serving a stale copy when the page has changed: aging of cached information is implemented so that it is removed from the cache after a certain amount of time. Some proxy applications can also check that the page stored in the cache is the same as the page currently available on the Internet. If the page in the cache is the same as the one on the Internet, it is served to the client from the cache. If it is not the same, the newer page is retrieved, cached, and supplied to the client.
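As an added example (not the page's own code), a minimal caching proxy in Python that implements both behaviours described above: cached pages age out after max_age seconds, an aged entry is checked against the origin before being reused, and every request is logged for usage monitoring. The origin server is a constructed in-memory stand-in, and its tag-based "not modified" answer models the comparison the text describes.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for the external web servers: url -> current page body.
ORIGIN_PAGES = {"http://example.test/index.html": "<html>version 1</html>"}


def publish(url: str, body: str) -> None:
    """Change what the (pretend) origin serves for a URL."""
    ORIGIN_PAGES[url] = body


def origin_fetch(url: str, known_tag=None):
    """Pretend HTTP origin.  Returns (status, body, tag).  If the caller already
    holds the tag of the current page, answer 304 with no body, the way a
    real server answers a conditional GET whose validator still matches."""
    body = ORIGIN_PAGES[url]
    tag = hashlib.sha256(body.encode()).hexdigest()[:16]
    if known_tag == tag:
        return 304, None, tag
    return 200, body, tag


@dataclass
class CacheEntry:
    body: str
    tag: str
    fetched_at: float


class CachingProxy:
    def __init__(self, max_age: float):
        self.max_age = max_age   # seconds before a cached page counts as aged
        self.cache = {}          # url -> CacheEntry (stands in for files on disk)
        self.log = []            # one line per request, for usage monitoring

    def get(self, url: str, user: str, now: float) -> str:
        entry = self.cache.get(url)
        if entry is not None and now - entry.fetched_at < self.max_age:
            outcome, body = "HIT", entry.body        # still fresh: serve from cache
        else:
            status, body, tag = origin_fetch(url, entry.tag if entry else None)
            if status == 304:                        # unchanged: reuse cached copy
                outcome, body = "REVALIDATED", entry.body
                entry.fetched_at = now
            else:                                    # new or changed: replace it
                outcome = "MISS" if entry is None else "REFRESHED"
                self.cache[url] = CacheEntry(body, tag, now)
        self.log.append(f"{now:.0f} {user} {url} {outcome}")
        return body

    def last_outcome(self) -> str:
        """Outcome recorded for the most recent request (HIT, MISS, ...)."""
        return self.log[-1].split()[-1]


if __name__ == "__main__":
    url = "http://example.test/index.html"
    proxy = CachingProxy(max_age=60)
    proxy.get(url, "alice", 0)        # MISS: first fetch from the origin
    proxy.get(url, "bob", 10)         # HIT: served from cache
    proxy.get(url, "bob", 100)        # REVALIDATED: aged, origin says unchanged
    publish(url, "<html>version 2</html>")
    proxy.get(url, "alice", 200)      # REFRESHED: aged and changed at the origin
    print("\n".join(proxy.log))
```

Note the window between a change at the origin and the next aging check: a HIT inside max_age still serves the old copy, which is the trade-off the aging interval sets.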

Anonymizing Proxy Server: generally attempts to anonymize web surfing.

SOCKS: an IETF (Internet Engineering Task Force) standard. It is a proxy system that supports proxy-aware applications.

Internet Content Filtering Techniques

An Internet filter is software that blocks unwanted content such as pornography and group sites.
Filters use a list of keywords and well-known URLs to restrict access. More advanced filters can also block or filter chat rooms, instant messages, file downloads, and forums.
Key Features of Internet Filters:
User profiles: allow you to create a profile for each member of your family.
Reporting: provides detailed information on what your children have been doing and saying online, including sites visited.
Time Limits: you can set limits on when and how long a user may be online.
Regular updates: download regular updates to keyword and URL lists.
Compatibility: with your browser as well as the operating system used.
Pros and Cons of Internet Filters:
Pros: prevents children from deliberately or inadvertently accessing pornography. Prevents predators from talking to your children online. Allows kids to surf online without constant parental presence.
Cons: can sometimes filter out "safe" sites, words, and people. May create a false sense of security for parents. Tech-savvy kids may find a way around filters, or may access inappropriate content elsewhere.
Internet Content Filtering Tools
iProtectYou: blocks e-mails, chat sessions, instant messages, and P2P connections if they contain inappropriate words. Prevents your private information (credit card number, for example) from being sent to the Internet. Sets a schedule to specify days and times when on-line activity is allowed. Limits Internet traffic to a specified amount of data that can be sent or received per user per day. Controls the list of programs that can have access to the Internet. Sends notification e-mails with a full description of blocked operations and an attached screenshot of your kids' computer so you can monitor them remotely.

Block Porn: Internet filtering software that can block access to pornographic material and adult web sites as well as any other web site as needed. The program offers two modes: one that allows access to all web sites except pornography, and a restricted mode that blocks all web browsing except for the sites that you specifically allow. It includes options such as blocking access to selected folders, restricting program access, locking the IE home page, custom warning messages, network sync, and more.

FilterGate: offers four main Internet filters: PopupFilter, AdFilter, PrivacyFilter, AdultFilter.

Adblock: a content filtering plug-in for the Mozilla and Firebird browsers. It allows the user to specify filters which remove unwanted content based on the source address. Adblock supports two types of filters: Simple Filter and Regular Expression. Adblock has no built-in concept of what an ad is. It doesn't look for blinky gifs or anything like that. Rather, it has a big list of known bad servers. For example, if you're on the website www.whatever.com and there is an image that comes from "http://www.doubleclick.com/advertisementImages/blinkyAd.gif", Adblock will decide that this is an advertisement and not render that image. It works equally well on images you can't see, since it makes its decision of whether to show the graphic before Firefox even downloads it. This is why keeping Adblock's list of known advertising URLs up-to-date is important to its usefulness. If there's a particular website you visit very often or a particular ad that drives you crazy, it can definitely be worth your while to play with Adblock's list of blocked URLs and filter rules.
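An added example (not Adblock's own code) of how such a blocklist decides before a request is sent: rules are compiled into regular expressions, plain rules being treated as substring matches with `*` as a wildcard and `/.../` rules as raw regular expressions. That rule syntax is my reading of the two filter types named above, and the rule list and URLs are constructed, apart from the doubleclick example quoted in the text.

```python
import re


class AdFilter:
    """One blocklist rule compiled to a regex.

    A rule written between slashes is used as a regular expression as-is.
    Anything else is a 'simple' filter: it matches anywhere in the URL and
    '*' stands for any run of characters (assumed syntax, see lead-in)."""

    def __init__(self, rule: str):
        self.rule = rule
        if len(rule) > 2 and rule.startswith("/") and rule.endswith("/"):
            self.regex = re.compile(rule[1:-1])
        else:
            self.regex = re.compile(".*".join(re.escape(p) for p in rule.split("*")))

    def matches(self, url: str) -> bool:
        return self.regex.search(url) is not None


class BlockList:
    def __init__(self, rules):
        self.filters = [AdFilter(r) for r in rules]

    def blocking_rule(self, url: str):
        """Rule that blocks this URL, or None if it may be downloaded."""
        for f in self.filters:
            if f.matches(url):
                return f.rule
        return None

    def filter_requests(self, urls):
        """Split a page's sub-resource URLs into (allowed, blocked) before any
        of them is fetched; each blocked entry pairs the URL with its rule."""
        allowed, blocked = [], []
        for url in urls:
            rule = self.blocking_rule(url)
            if rule is None:
                allowed.append(url)
            else:
                blocked.append((url, rule))
        return allowed, blocked


# Constructed rule list: two simple filters and one regular-expression filter.
RULES = [
    "http://*.doubleclick.com/*",
    "*/advertisementImages/*",
    "/[/.]ads?[/.]/",
]

# Sub-resources a page might reference; only the first is from the text above.
PAGE_RESOURCES = [
    "http://www.doubleclick.com/advertisementImages/blinkyAd.gif",
    "http://www.whatever.com/images/logo.png",
    "http://cdn.example.test/ads/banner.js",
    "http://www.whatever.com/loads/app.js",
]

if __name__ == "__main__":
    allowed, blocked = BlockList(RULES).filter_requests(PAGE_RESOURCES)
    print("allowed:", allowed)
    print("blocked:", blocked)
```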

AdSubtract: a program that blocks every conceivable type of web advertisement. Pop-ups and pop-unders are blocked. A pop-up window is a new browser window created (launched or opened) either by the user clicking a button/link, or automatically when a webpage is first viewed (loaded) or is linked away from (unloaded). As pop-up ads became widespread, many users learned to immediately close the pop-up ads that appeared over a site without looking at them. Pop-under ads do not immediately impede a user's ability to view the site content, and thus usually remain unnoticed until the main browser window is closed, leaving the user's attention free for the advertisement. A pop-under is first opened, then moved behind the content window. The new window is then only visible if the user systematically closes content windows before quitting/closing their browser, or if the content windows do not fill the screen.
It stops multimedia ads and stops Windows Messenger pop-up spam [the Windows Messenger service listens for connections on port 1026 as well as the more widely-known port 135. Windows Messenger has been a target for spammers because it allows anonymous pop-up messages to be displayed on any Windows system running the Messenger service]. Distracting animations can be frozen; web sounds can be silenced.

GalaxySpy: a program that lets you retake control of your Internet experience. It allows you to selectively block ads, adult-content sites, market research, profiling, and tracking. It detects and blocks adware, cookies, hackers, scripts, spyware, viruses, and worms. This program features an optional password for parental control. The Professional Edition lets you log web sites visited, cookie contents and requested URLs.

AdsGone: blocks unwanted popup ads. Prevents Messenger service and web page dialog ads. Blocks banner ads. Kills spyware and adware programs. Blocks ads and pop-ups when using Kazaa, Morpheus, Gator, or chat programs like ICQ, MSN, AIM or Trillian. Blocks Macromedia "Flash" ads.

Anti-PopUp for IE: a small program that automatically stops a sponsor's pop-ups. It also has Internet Eraser capabilities.

Pop Up Police: a popup blocker that will keep your Internet surfing experience entertaining.

Super Ad Blocker: blocks all forms of advertising including Flash, Rich Media, fly-in, slide-in, pop-ups, pop-unders, spyware ads, and messenger ads.

Anti-AD Guard: a program that filters and blocks commercial banners from being loaded by browsers.

Net Nanny: controls access to websites and other online content such as Internet-based games, blocks file sharing of music, images and videos, and monitors a user's Internet activity.

CyberSieve: an Internet filtering and parental control software program.

BSafe Internet Filter: allows you to monitor your child's use of the Internet.

Stop-the-Pop-Up Lite: kills all pop-ups from file sharing programs and the spyware/adware that are bundled with these peer-to-peer programs. It supports Kazaa, Kazaa Lite, Morpheus, Grokster, iMesh, Xolox, and Direct Connect. It kills the new breed of pop-ups called 'Messenger Service spam'.

WebCleaner: a program that prevents annoying sponsor pop-ups when you visit some web sites.

AdCleaner: a program that blocks floating ads and new-form popups.

Adult Photo Blanker: blanks objectionable adult images and movies. It intercepts attempts to open files and checks them for objectionable content.

LiveMark Family: enables you to block access to web sites that are inappropriate for children. You can choose from two filtering levels (under 12 or over 12 years old) and also select the topics that should be filtered (pornography, violence, etc.). It also includes an option to limit Internet access to certain times of the day.

KDT Site Blocker: an easy-to-use tool to block access to certain websites. It automatically displays a generic 'blocked' page whenever a blocked site is accessed.