Ethical Hacker Community Forums
December 02, 2008, 08:47:27 PM
  Show Posts
Pages: [1] 2 3 ... 5
1  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: cookie problem on: November 12, 2008, 07:28:12 PM
I understand what you're saying, but I'm afraid your logic is flawed; you want to be able to send some unencrypted token (i.e., the cookie) across an unsecured network, and have that token tied to only your IP address, even though the Web server has no way of knowing for sure what your IP address is. I think the better solution is to simply encrypt the traffic to prevent cookie theft in the first place. However, if you really want to tie it to some dynamic IP address, you could set up a dynamic DNS solution where your computer, no matter where it is or what IP address it has, updates a specific DNS entry whenever its IP address changes. When your web application sees a request come in, it can look up the DNS entry and see if the IP that the entry resolves to is the same IP that made the request. Of course, you have to ensure that whatever dynamic DNS solution you choose is secure, because otherwise someone could sniff your credentials for that and update your DNS host name with their own IP address (starting to get into the chicken-and-egg problem here). Remember also that this will not protect you against XSS and CSRF attacks.

I think that the best solution to your problem is to follow the guidelines that apollo and I have already laid out: protect your application against XSS and CSRF, prevent JavaScript from accessing your cookies, and encrypt your traffic. This will help keep third parties from getting your cookie in the first place. Of course, you could also set up an SSH tunnel to your Web server that then connects back to itself on port 80 of the loopback interface - it would probably be slow, but really secure!
2  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Project about ethical hacking? on: November 08, 2008, 08:04:53 PM
Quote
What would be the working condition gonna be like?  probably better than a tent in the desert

Ha! I'll second that...
3  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: cookie problem on: November 08, 2008, 12:02:57 PM
From your post I am assuming that you are creating a Web application. I will also assume that when you talk about "RAM cookies" you are referring to session cookies. While session cookies will be destroyed when the browser closes, they are sent to a Web server in the exact same manner that any other cookie is sent, so there is no way for you to determine if a cookie has been saved to disk or not.

If you are concerned about the security of your session cookies, keep these points in mind:

  • Session cookies are usually captured by an attacker via packet sniffing or XSS attacks. Using SSL and sanitizing user input to prevent XSS will go a long way in ensuring the security of your cookies.
  • Cookies can also be marked as HttpOnly, which prevents JavaScript code from accessing them.
  • I don't know what language you are writing your application in, but most languages have built-in support for session cookies, and will automatically time out the session cookies after a predefined period. This way, even if a session cookie is compromised, it will only be useful for a finite period of time.
  • If you are concerned about preventing client impersonation, also ensure that you protect your application against CSRF attacks.

Hope this helps.
4  Resources / Tools / Python UPNP tool on: November 07, 2008, 06:44:27 PM
Full disclosure: I wrote this tool, so I might be a bit biased.

If you've been following along with GNUCitizen over the past year, you've no doubt heard about their foray into UPNP attacks. I wanted to test some of my own devices against UPNP, but was discouraged by the lack of good UPNP utilities, especially for Linux.

Miranda is a Python-based Universal Plug-N-Play client application designed to discover, query and interact with UPNP devices, particularly Internet Gateway Devices (aka, routers). It can be used to audit UPNP-enabled devices on a network for possible vulnerabilities. Some of its features include:

    * Interactive shell with tab completion and command history
    * Passive and active discovery of UPNP devices
    * Customizable MSEARCH queries (query for specific devices/services)
    * Full control over application settings such as IP addresses, ports and headers
    * Simple enumeration of UPNP devices, services, actions and variables
    * Correlation of input/output state variables with service actions
    * Ability to send actions to UPNP services/devices
    * Ability to save data to file for later analysis and collaboration
    * Command logging

So far I've tested it in Linux (though, being Python, most functionality should be available on other platforms as well) against Linksys, D-Link, Belkin and ActionTec routers with some very interesting results.

More on UPNP hacking can be found at http://www.gnucitizen.org/blog/hacking-with-upnp-universal-plug-and-play and http://www.upnp-hacks.org

You can check out Miranda here: http://www.sourcesec.com/2008/11/07/miranda-upnp-administration-tool/
5  Ethical Hacking Discussions and Related Certifications / Programming / Re: Issues injecting shellcode on: October 31, 2008, 03:50:06 PM
I can't tell you for sure what is happening, but I would suspect that since your tab character is being corrupted before the strcpy() then it is probably an issue with how the command line argument is being processed. I would try reading the shellcode out of a file or through a socket and see if that fixes the issue. If you can narrow the issue down to a problem with passing the shellcode via the command line, then that at least will help narrow down your Google search...
6  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Using Cain to sniff windows passwords… on: July 09, 2008, 08:44:36 PM
What application/service were the hashes related to? Are these Windows logons, or something else? Some services will use a nonce value combined with the password to produce a unique hash value each time. Or, it could be something completely different; you really need to take a look at how the service in question works, what kind of hashing it uses, and how that hashing is implemented.
7  Ethical Hacking Discussions and Related Certifications / Other / Re: Case Sensitive Search ? on: June 26, 2008, 03:57:07 PM
http://www.binrev.com/forums/index.php?showtopic=38128
http://www.rohitab.com/discuss/index.php?s=6663bc8bee6ee3e5202f4ed081e74a52&showtopic=31086&pid=10044820&st=0&#entry10044820
http://antionline.com/showthread.php?t=277201

Not much more to add other than what those guys said. Although AltaVista used to have a case-sensitive search, I think they're partnered with Yahoo now and no longer support that feature.

Is there something specific that you are trying to find? Perhaps there is another way of narrowing down your search.
8  Resources / Tutorials / Re: MD5 with salt encryption on: October 13, 2007, 07:17:51 PM
Yahoo mail used to use the exact same method to hash their passwords. Google for a program called Ycrack (dictionary attack tool), it should work for your situation - just substitute your $user_salt string for the challenge string that Yahoo used.

P.S. - If you want to speed up Ycrack, delete the line
Code:
printf("Trying:%s\n",string);
before compiling it.
9  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: C&A for Debian? on: October 08, 2007, 09:29:13 PM
The bottom line is, Linux != Windows. Wine does a good job of getting a lot of Windows programs working in Linux, but if you're banging your head against the wall trying to get C&A working in Linux, it would probably be easier to use programs written for Linux. If you list what features of C&A you need, maybe we can suggest some alternatives.
10  Columns / Heffner / Re: [Article]-Intro to C on: September 03, 2007, 08:02:02 AM
@jnf:

Thank you for your corrections; you are correct, void main() is a no-no, and I should have used single quotes for the "char a" declaration. However, I have to disagree with you on your last two corrections:

Quote
why the hell are you copying 200 bytes? "some long string" is nowhere close to 200 bytes regardless of character set. You actually read outside the bounds of buff1, which can have any number of potential implications, most likely that you potentially leak data you didn't mean to (i.e. stack cookie), or potentially crash due to this bad read.

The strncpy man pages indicate (http://www.opengroup.org/onlinepubs/007908799/xsh/strncpy.html) that strncpy will copy a maximum of 200 bytes from buff1 to buff2. It will stop copying data from buff1 once a null character is encountered (i.e., the end of the source string); if the data copied is less than 200 bytes (which it is here), then strncpy will pad the remaining data with null bytes, so no data beyond the buff1 data will be stored in buff2. Your alternate example is correct as well, but not necessary.

Quote
This actually reads 5 bytes.

Not according to the fgets man page: "fgets() reads in at most one less than size characters from stream and stores them into the buffer pointed to by s...a '\0' is stored after the last character in the buffer." So by telling fgets to read 5 bytes, it will actually read in 4 bytes and set the fifth byte to 0x00. The article actually points this out when describing the fgets() function:

Quote
fgets(buffer_pointer,256, fp); - This reads 255 bytes from the file pointed to by the fp file pointer into the buffer_pointer variable.

The use of EXIT_SUCCESS and EXIT_FAILURE is also a good suggestion, particularly if you need to write code for multiple platforms.
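The two library behaviours argued over above can be checked directly. The following is an added C example, not code from the article or from either post in this thread: it pre-fills each destination buffer with a marker byte so that anything strncpy() or fgets() leaves untouched is visible, confirms that strncpy() stops reading at the source's NUL and pads the rest of the destination with NUL bytes, and confirms that fgets(buf, n, fp) stores at most n-1 characters plus a terminator. It also goes one step beyond the thread and shows the case where the source is as long as the destination, in which strncpy() writes no terminator at all. The buffer size of 200, the 'A' and 'B' marker bytes and the sample strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 200   /* same destination size as the disputed strncpy() call */

/* Copy src into a BUF_SIZE destination pre-filled with 'A' and count how many
 * bytes after the copied string strncpy() set to NUL. If any byte after the
 * string still holds the 'A' marker, it is not counted, so a full pad of
 * BUF_SIZE - strlen(src) proves nothing beyond the source was copied. */
size_t strncpy_padding(const char *src)
{
    char dst[BUF_SIZE];
    size_t len = strlen(src);
    size_t pad = 0;

    if (len >= sizeof dst)
        return 0;                      /* source does not fit; no padding occurs */

    memset(dst, 'A', sizeof dst);
    strncpy(dst, src, sizeof dst);

    for (size_t i = len; i < sizeof dst; i++)
        if (dst[i] == '\0')
            pad++;
    return pad;
}

/* Build a source of srclen 'B' characters, strncpy() it into a BUF_SIZE
 * destination and report whether any NUL terminator ended up in dst.
 * Returns 1 if terminated, 0 if not, -1 if srclen is too large to build. */
int strncpy_terminated_for_length(size_t srclen)
{
    char src[512];
    char dst[BUF_SIZE];

    if (srclen >= sizeof src)
        return -1;

    memset(src, 'B', srclen);
    src[srclen] = '\0';
    memset(dst, 'A', sizeof dst);
    strncpy(dst, src, sizeof dst);

    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* Write data to a temporary file, read it back with fgets(buf, size, fp) into
 * a buffer pre-filled with 'A', and return how many characters fgets() stored
 * (strlen of the result, newline included if one was read). Returns -1 on
 * error or if size does not fit the local buffer. */
int fgets_chars_stored(const char *data, int size)
{
    char buf[64];
    FILE *fp;
    int n;

    if (size < 1 || size > (int)sizeof buf)
        return -1;

    fp = tmpfile();                    /* standard C; avoids platform-specific fmemopen() */
    if (fp == NULL)
        return -1;
    fputs(data, fp);
    rewind(fp);

    memset(buf, 'A', sizeof buf);
    if (fgets(buf, size, fp) == NULL) {
        fclose(fp);
        return -1;
    }
    fclose(fp);

    n = (int)strlen(buf);              /* fgets() always stores a NUL after the last char */
    return n;
}

int main(void)
{
    printf("NUL padding after \"some long string\": %zu bytes\n",
           strncpy_padding("some long string"));
    printf("199-char source terminated: %d\n", strncpy_terminated_for_length(199));
    printf("200-char source terminated: %d\n", strncpy_terminated_for_length(200));
    printf("fgets(buf, 5) on \"abcdefgh\" stored %d chars\n",
           fgets_chars_stored("abcdefgh", 5));
    printf("fgets(buf, 5) on \"ab\\n\" stored %d chars\n",
           fgets_chars_stored("ab\n", 5));
    return 0;
}
```

For a 16-character source the padding count comes out as 184 NUL bytes, so none of the 'A' marker survives and nothing past the source's terminator was ever read; with a 200-character source the terminator check returns 0, which is the one strncpy() case to guard against in real code. fgets() with size 5 stores four characters and a terminator, and keeps a newline when the line is shorter than that.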

11  Ethical Hacking Discussions and Related Certifications / Other / Re: XSS on: August 02, 2007, 08:02:56 PM
ilovewadhwa,

I have no idea what encoding this is using (don't know much about the different character encodings), but each hex value is 128 bytes above the normal ASCII values. This is interesting because ASCII values range from values 0-127. Subtracting 128 from each encoded value and converting it to ASCII gives you:

'"><script>alert('XSS Test Successful')</script>

Which is a pretty standard XSS test string. Whatever encoding it is using, it's probably not supported by most Web applications, so unless you are using some special encoding it probably isn't working (it depends though).

Like jimbob said, it's not ASCII-7 or regular ASCII. Also doesn't appear to be UTF-8 or unicode. If you could tell us if this string actually produces a pop-up box, and if so, what type of Web application/database you are using, it would help.
12  Ethical Hacking Discussions and Related Certifications / Malware / Re: How to remove qwerty12.exe? on: July 28, 2007, 06:57:17 AM
real.whitehat:

Prevx has some more information on qwerty12.exe (http://www.prevx.com/filenames/X1385008863339364323-635683128/QWERTY12.EXE.html) that might be helpful to you, as well as a download that supposedly removes it as well as other malware (I've never heard of Prevx before, but they seem legit).

If you Google for 'qwerty12' you'll also find a bunch of forums containing steps to remove it, most of which seem to use a combination of Hijack This and ComboFix.
13  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Track someone using the MAC/Physical Address? on: July 18, 2007, 07:12:34 PM
If you're trying to track a particular machine over the Internet, BiotiC is right, the best way would be to have some call-home program installed on it. Although you can theoretically trace a computer based on time skews measured from the time stamp option in TCP packets, it requires gathering several thousand packets, and I'm not aware of it being performed in a real-world situation (paper on it here: http://www.caida.org/publications/papers/2005/fingerprinting/). 

Of course this could be mitigated by turning off the time stamp option too.
14  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Track someone using the MAC/Physical Address? on: July 18, 2007, 05:11:14 PM
You will only be able to see their MAC address if you are on the same subnet they are. Any machines separated by a router will not see each other's MACs.
15  Ethical Hacking Discussions and Related Certifications / Malware / Re: Looking for an old exploit - xscan.c on: June 27, 2007, 12:50:20 PM
This looks like what you're talking about:

http://packetstorm.foofus.com/Exploit_Code_Archive/xscan.tar.gz
© 2008 The Ethical Hacker Network