Cisco IOS Rootkits and Malware: A practical guide
By Jason Nehrboss
Propagating the worm code into a new router can be easy, difficult, or impossible. There are many variations of supported IOS code and hardware platforms. The author discusses and demonstrates an IOS Embedded Event Manager rootkit and worm. Once a router is infected it can be leveraged into a powerful malware platform. Capabilities demonstrated are network packet captures, reverse shell connections, a spam module, and a mini malware httpd server leveraged with IP address hijacking. In this article you will learn how critical network devices and the network traffic traversing them can be exploited, and how such devices can act as a launch point for further attacks into a network. You will also learn about a self-replicating IOS worm with stealth features and self-defense mechanisms, all with platform-independent code.
Taking control, Functions to DLL injection
By Craig Wright
DLL injection is one of the most common methods used by malware such as rootkits to load themselves into the host’s privileged processes. Once injected, code can be inserted into the function calls passing between the compromised code and a library function. This step is frequently followed by API hooking, where the malicious code alters library function calls and returns. This article is part of a monthly series designed to take the reader from novice to being able to create and deploy their own shellcode and exploits. With this knowledge, you will learn just how easy it is for sophisticated attackers to create code that can bypass many security tools. Moreover, armed with this knowledge you will have the ability to reverse engineer attack code and even malware, allowing you to determine what the attacker intended to launch against your system.
Deceiving Networks Defenses with Nmap Camouflaged Scanning
By Roberto Saia
Nmap (a contraction of ‘Network Mapper’) is open-source software designed to rapidly scan both single hosts and large networks. To perform its functions Nmap uses specially crafted IP packets (raw packets) to probe which hosts are active on the target network; for these hosts, it is able to discover the running services (type and version) and the operating system in use (type and version), and it can also obtain more advanced information, such as the type of firewall used on the target network. You will learn how an IDS/IPS can be deceived through a particular feature offered by Nmap, a simple option able to trick the rules generally used in this kind of system to detect suspicious activity inside a medium or large network; the software used is the most famous network scanner in the world, and knowledge of its potential is a good way to improve our security policies.
By Swetha Dabbara
Security assurance for every software application built is becoming quite a challenge nowadays, given the tempo of software creation and the skill levels of attackers. Exploiting software usually requires only a single vulnerability exposed to the attacker. Therefore, the possible and potential vulnerabilities always pose a great deal of threat, giving attackers access to exploit and leverage privileges. The article describes security aspects from the developer's and the attacker's perspective, and automated tools used to exploit a software application.
Cross Site Request Forgery – Session Riding
By Miroslav Ludvik and Michal Srnec
Through a successful CSRF attack the attacker is able to initiate arbitrary HTTP requests to a vulnerable web application in the name of the victim user. This type of attack is very dangerous if we imagine that the attacker could (depending on the web application) post messages, send emails, change the user’s login name or password, or even do some nasty things on e-shop or banking pages, all in the name of the victim user. Cross Site Request Forgery (CSRF, XSRF), also known as session riding, is a relatively new security issue. The principle of this type of attack lies in the trust web applications place in their authorized users. This can be exploited by an attacker to make arbitrary HTTP requests on behalf of a victim user. In this article the authors present detailed information about a common and important class of web application vulnerabilities, so called “session riding”: they show where it comes from, what its main cause is, what the possible profits for attackers can be, and finally what you can do to protect your sites.
Data Logging with Syslog: A troubleshooting and auditing mechanism
By Abdy Martinez
The Syslog protocol, defined in RFC 3164, provides a transport to allow a device to send logs and event notification messages across IP networks to event message collectors (Syslog servers).
Syslog is an effective troubleshooting tool that permits a network administrator to analyze issues and events occurring on a network. Used for generalized analysis and security evaluation, it is an important security auditing mechanism in forensic investigations of a security incident that requires log-dependent information. You will learn how Syslog helps in monitoring and troubleshooting network devices by storing and retrieving logs, how messages are logged on a Syslog server, how to set up a Linux Syslog server on CentOS, and how to configure Cisco and Windows devices to send their logs to that server.
Social Engineering – New Era of Corporate Espionage
By Amar Suhas
Security is all about trust: trust in protection and authenticity. Human behaviour (the natural human willingness to accept someone at his or her word) leaves many of us vulnerable to attack and espionage. Social Engineering, often referred to as people hacking, is an outside hacker’s use of psychological tricks on legitimate users of a computer system to gain information (usernames, passwords, personal identification codes (PINs), credit card numbers and expiration dates) needed to gain access to their.