The document discusses various methods of cracking salted password hashes, including determining the hashing algorithm used based on hash length, brute forcing hashes when the salt is known, and exploiting situations where the salt is constant rather than random to facilitate cracking multiple hashes. It provides examples of insecure password hashing implementations and advises using unique random salts with each hashed password for proper security.
This document discusses various methods of encrypting and cracking passwords, including hashing functions, salted hashes, and multiple encryption algorithms. It provides examples of how to crack passwords hashed with PHP crypt() using known salts, and how adding random salts per password improves security but requires storing the salt. It also describes a distributed password cracking tool and an algorithm bruter tool to identify unknown multiple encryption algorithms.
Hashing Considerations In Web ApplicationsIslam Heggo
Practical best practices for securing and hashing user's passwords. Protecting authentication through avoiding most common mistakes. Given examples in PHP through illustrating password_hash(), openssl_random_pseudo_bytes(), crypt(), mcrypt_create_iv(), md5(), sha1()
In 2016, the presenters co-founded the ‘nomoreransom’ platform to provide an answer to victims of ransomware. Supported by Amazon’s AWS and Barracuda technology, they never estimated that they had created the largest honeypot ever. In this presentation they will share in short what nomoreransom is, how victims can use it, but moreover insights in the daily attacks we are facing.
The document discusses how to enable JavaScript in different web browsers. It provides steps to enable JavaScript in Internet Explorer 6/7 by changing the security settings to allow scripting. It also provides steps to enable JavaScript in Firefox 2 by changing the content settings and selecting the option to enable JavaScript. Enabling JavaScript is required for JavaScript code to execute properly in web browsers.
This PHP script is a web shell that allows remote command execution on the server. It sets various PHP configuration options to disable security restrictions. It also checks for an authentication password and sets a cookie upon valid login. The main body defines functions for outputting headers, menus and executing commands via the shell.
The document describes a study on detecting Representational State Transfer (REST) patterns and antipatterns in web services. The study uses heuristics to analyze HTTP requests and responses between a client and server. Examples are provided of requests from a Dropbox client to the Dropbox server and from an Alchemy API client to the Alchemy server. The responses include JSON and XML payloads with metadata about files and entities extracted from URLs. The examples illustrate issues like missing hyperlinks that can indicate antipatterns.
This document discusses various methods of encrypting and cracking passwords, including hashing functions, salted hashes, and multiple encryption algorithms. It provides examples of how to crack passwords hashed with PHP crypt() using known salts, and how adding random salts per password improves security but requires storing the salt. It also describes a distributed password cracking tool and an algorithm bruter tool to identify unknown multiple encryption algorithms.
Hashing Considerations In Web ApplicationsIslam Heggo
Practical best practices for securing and hashing user's passwords. Protecting authentication through avoiding most common mistakes. Given examples in PHP through illustrating password_hash(), openssl_random_pseudo_bytes(), crypt(), mcrypt_create_iv(), md5(), sha1()
In 2016, the presenters co-founded the ‘nomoreransom’ platform to provide an answer to victims of ransomware. Supported by Amazon’s AWS and Barracuda technology, they never estimated that they had created the largest honeypot ever. In this presentation they will share in short what nomoreransom is, how victims can use it, but moreover insights in the daily attacks we are facing.
The document discusses how to enable JavaScript in different web browsers. It provides steps to enable JavaScript in Internet Explorer 6/7 by changing the security settings to allow scripting. It also provides steps to enable JavaScript in Firefox 2 by changing the content settings and selecting the option to enable JavaScript. Enabling JavaScript is required for JavaScript code to execute properly in web browsers.
This PHP script is a web shell that allows remote command execution on the server. It sets various PHP configuration options to disable security restrictions. It also checks for an authentication password and sets a cookie upon valid login. The main body defines functions for outputting headers, menus and executing commands via the shell.
The document describes a study on detecting Representational State Transfer (REST) patterns and antipatterns in web services. The study uses heuristics to analyze HTTP requests and responses between a client and server. Examples are provided of requests from a Dropbox client to the Dropbox server and from an Alchemy API client to the Alchemy server. The responses include JSON and XML payloads with metadata about files and entities extracted from URLs. The examples illustrate issues like missing hyperlinks that can indicate antipatterns.
festival ICT 2013: Solid as diamond: use ruby in an web application penetrati...festival ICT 2016
The document discusses using Ruby for web application penetration testing. It begins by introducing the speaker and their background. It then outlines the OWASP Top 10 vulnerabilities it will focus on exploring with Ruby code, including injection, authentication issues, cross-site scripting, and more. The document demonstrates various Ruby gems and techniques for fingerprinting targets, discovering URLs, checking transport security, and searching for vulnerabilities like reflected cross-site scripting. Code examples are provided throughout to demonstrate how Ruby can be leveraged for penetration testing activities.
Logstash for SEO: come monitorare i Log del Web Server in realtimeAndrea Cardinale
This document discusses using Logstash to collect, parse, and analyze log files. It begins with an introduction to logs and Logstash. It then covers installing and configuring Logstash - including using inputs to collect logs, filters to parse and transform data, and outputs to send parsed logs to a storage system. The document demonstrates a Logstash configuration to collect Apache access logs, parse fields using Grok, and output to Elasticsearch for analysis with Kibana. It concludes with tips on using Logstash for SEO-related tasks like analyzing crawler behavior and page load speeds.
This document discusses tools and techniques for diagnosing and debugging MongoDB deployments, drawing parallels to Sherlock Holmes' methods of investigation. It provides an overview of OS-level and MongoDB-specific tools for gathering data from logs and systems, including mtools for analyzing MongoDB logs. Examples demonstrate using mloginfo to extract query statistics and mplotqueries to visualize query patterns and collections scanned over time. The document advocates applying Holmes' principles of eliminating factors, balancing probabilities, and using imagination to scientifically analyze data and reveal the truth.
This document discusses codifying PostgreSQL database schemas using Terraform. It begins by explaining how to bootstrap a database by hand and then introduces Terraform as a way to automate and version the database schema. Key concepts covered include using Terraform providers and resources to define database schemas, importing existing databases into Terraform, and iterating on schema designs in a declarative way. The document aims to help users avoid issues with Terraform by following best practices.
This document summarizes Asya Kamsky's presentation on diagnostics and debugging tools for MongoDB. It discusses tools like mongostat, mongotop, db.currentOp(), and MongoDB Management Service for monitoring databases. It also describes the mtools library for analyzing MongoDB logs, including mloginfo to get log metadata, mlogfilter to filter logs, and mplotqueries to visualize query data from logs in different plot types. The presentation uses quotes from Sherlock Holmes stories as an analogy to discuss gathering and analyzing data from MongoDB logs.
WSO2Con USA 2015: Securing your APIs: Patterns and MoreWSO2
Businesses today are rapidly moving from being service enabled to being API enabled. Moving into the world of APIs brings with it its own set of complexities and challenges that are tough to tackle. API security, performance, scalability, monitoring and notifications are key areas to be focusing your engineering efforts on. The WSO2 Carbon platform is a complete open source enterprise middleware platform which includes products catering to your various different enterprise needs.
This talk will focus on leveraging the extensive feature set and extensible nature of the WSO2 platform to secure, monitor and monetize your APIs. It will also touch upon some of WSO2’s experiences with customers in building API ecosystems that suit modern day enterprises.
Faceted Search – the 120 Million Documents StorySourcesense
Upayavira's presentation at Online Information 2010 in London: the case study of an Enterprise-critical migration from custom Lucene indexes to Apache Solr, with a significant focus on scalability.
The solution needed to providing search against rapidly changing data-sets and multi-million document indexes, enabling complex queries with sub second responses and maintaining high availability.
This file contains encrypted PHP code. Reverse engineering or decoding the file is strictly prohibited according to a comment at the top. The bulk of the file consists of a long encrypted string that likely contains the PHP source code when decrypted.
AJAX and future JavaScript
- AJAX allows for asynchronous data exchange between a client and server using XMLHttpRequest objects and JavaScript. This allows for updating parts of a web page without reloading the entire page.
- Future versions of JavaScript may include features like classes, interfaces, and modules to improve organization and reuse. JSON and E4X also provide ways to work with data beyond traditional JavaScript objects.
The document discusses JSON Web Tokens (JWTs), which can be used for authentication and authorization in applications. JWTs consist of JSON objects that are used to share security information between parties as a JSON Web Token. They can contain claims about an entity (e.g. user) and are signed to protect the claims from being altered. The document provides examples of using JWTs to authorize API requests by encoding, transmitting, and verifying JWTs on the client and server side.
One of the most time consuming tasks as a red teamer is diving into filesystems and shares, attempting to identify any potentially sensitive information. Genneraly users store credentials and other sensitive information in local filesystems and this talk has the purpose of explaining how to use the carnivorall as a means to speed up the task of searching important files using several vectors. I will present some proof of concepts, comparisons between tools and my recent success cases in red teaming engagements."
DEFCON 23 - Jason Haddix - how do i shot webFelipe Prado
1. The document discusses hacking techniques for web applications, including methodology, discovery techniques, mapping, and tactical fuzzing approaches for XSS, SQLi, file inclusion, and uploads.
2. It provides tips on finding less tested application scopes, port scanning, directory bruteforcing, crawling, and using tools like SQLmap and intrigue for reconnaissance.
3. The document outlines tactics for auth bypass, session hijacking, parameter tampering, and common vulnerabilities like XSS, SQLi, file inclusion, and CSRF with examples of payloads and techniques.
The document discusses three different buffer overflow exploits against three users (superuser, hyperuser, and masteruser) on a Linux machine. The superuser's program can be exploited through a simple buffer overflow. The hyperuser's program uses a canary but can still be exploited by overwriting a vulnerable function pointer. The masteruser's program must be exploited by overwriting the virtual pointer table. Code examples and steps are provided for each exploit.
This document contains JavaScript code for tracking and reporting user behavior to Right Media for advertising purposes. It sets various variables used for tracking, detects if Flash is installed, checks for cookies, and writes tracking tags and cookies. If conditions are met based on tracking variables and frequencies, it will write tracking scripts to the page.
This document provides an overview of Python cryptography and security topics including cryptography concepts like hashing, symmetric and asymmetric encryption, digital signatures, and Python libraries for working with cryptography like PyCrypto and Cryptography. It also discusses Django security best practices like using HTTPS, securing cookies and passwords, and access control.
How DNS wildcards really work & how to prevent that DNS wildcard bite!
Tailored for DNS administrators on Unix and Windows operating authoritative DNS Servers with one or more zone-files, as well as all those interested in the topic.
The document contains PHP code that uses base64 encoding and string manipulation to obfuscate code. When executed, it defines a function that decodes and executes another base64 encoded string, potentially running malicious code on the system.
MongoDB Europe 2016 - Enabling the Internet of Things at Proximus - Belgium's...MongoDB
Proximus is one of the biggest Telecom companies in the Belgian market. This year the company began developing a new IoT network using LoRaWan technology. The talk will detail our development team’s search for a database suited to meet the needs of our IoT project, the selection and implementation of MongoDB as a database, as well as well as how we built a system for storing a variety of sensor data with high throughput by leveraging sleepy.mongoose. The talk will also discuss how different decisions around data storage impact applications in regards to both performance and total cost.
sf bay area dfir meetup (2016-04-30) - OsxCollector Rishi Bhargava
OSXCollector is an open source forensic evidence collection and analysis toolkit for Mac OS X. It collects a wide range of system and application data from an OS X system, including files, browser history, startup items, quarantines, and more. The output is formatted as JSON, which contains metadata like hashes, timestamps, and signature chains for collected artifacts. This standardized format makes the data easy to analyze programmatically through output filters to detect anomalies, malware artifacts, and other interesting findings.
Code Obfuscation, PHP shells & more
What hackers do once they get passed your code - and how you can detect & fix it.
Content:
- What happens when I get hacked?
- What's code obfuscation?
- What are PHP shells?
- Show me some clever hacks!
- Prevention
- Post-hack cleanup
What is this not about:
- How can I hack a website?
- How can I DoS a website?
- How can I find my insecure code?
The document discusses reversing Microsoft patches to reveal vulnerable code. It describes taking a binary difference of files before and after a patch is applied to identify code changes and potential vulnerabilities. This process can be used to create better vulnerability signatures compared to exploit signatures. However, there are challenges to the process like obtaining the correct file versions to compare and dealing with compiler optimizations. Dynamic analysis by setting breakpoints in changed code is also described to help locate where user input is handled to potentially exploit vulnerabilities. The goal is to reveal vulnerable code details to help create vulnerability signatures and verify patches.
This document discusses security issues that can arise in custom Android ROMs. It identifies several practices that could compromise device security, such as having USB debugging or ADB shell enabled with root access, insecure permissions on the system partition, or installing apps from unknown sources. The document provides examples of how these issues could be exploited. It also discusses how ROM developers and users can help protect devices by disabling unnecessary settings and being cautious of untrusted connections or apps.
festival ICT 2013: Solid as diamond: use ruby in an web application penetrati...festival ICT 2016
The document discusses using Ruby for web application penetration testing. It begins by introducing the speaker and their background. It then outlines the OWASP Top 10 vulnerabilities it will focus on exploring with Ruby code, including injection, authentication issues, cross-site scripting, and more. The document demonstrates various Ruby gems and techniques for fingerprinting targets, discovering URLs, checking transport security, and searching for vulnerabilities like reflected cross-site scripting. Code examples are provided throughout to demonstrate how Ruby can be leveraged for penetration testing activities.
Logstash for SEO: come monitorare i Log del Web Server in realtimeAndrea Cardinale
This document discusses using Logstash to collect, parse, and analyze log files. It begins with an introduction to logs and Logstash. It then covers installing and configuring Logstash - including using inputs to collect logs, filters to parse and transform data, and outputs to send parsed logs to a storage system. The document demonstrates a Logstash configuration to collect Apache access logs, parse fields using Grok, and output to Elasticsearch for analysis with Kibana. It concludes with tips on using Logstash for SEO-related tasks like analyzing crawler behavior and page load speeds.
This document discusses tools and techniques for diagnosing and debugging MongoDB deployments, drawing parallels to Sherlock Holmes' methods of investigation. It provides an overview of OS-level and MongoDB-specific tools for gathering data from logs and systems, including mtools for analyzing MongoDB logs. Examples demonstrate using mloginfo to extract query statistics and mplotqueries to visualize query patterns and collections scanned over time. The document advocates applying Holmes' principles of eliminating factors, balancing probabilities, and using imagination to scientifically analyze data and reveal the truth.
This document discusses codifying PostgreSQL database schemas using Terraform. It begins by explaining how to bootstrap a database by hand and then introduces Terraform as a way to automate and version the database schema. Key concepts covered include using Terraform providers and resources to define database schemas, importing existing databases into Terraform, and iterating on schema designs in a declarative way. The document aims to help users avoid issues with Terraform by following best practices.
This document summarizes Asya Kamsky's presentation on diagnostics and debugging tools for MongoDB. It discusses tools like mongostat, mongotop, db.currentOp(), and MongoDB Management Service for monitoring databases. It also describes the mtools library for analyzing MongoDB logs, including mloginfo to get log metadata, mlogfilter to filter logs, and mplotqueries to visualize query data from logs in different plot types. The presentation uses quotes from Sherlock Holmes stories as an analogy to discuss gathering and analyzing data from MongoDB logs.
WSO2Con USA 2015: Securing your APIs: Patterns and MoreWSO2
Businesses today are rapidly moving from being service enabled to being API enabled. Moving into the world of APIs brings with it its own set of complexities and challenges that are tough to tackle. API security, performance, scalability, monitoring and notifications are key areas to be focusing your engineering efforts on. The WSO2 Carbon platform is a complete open source enterprise middleware platform which includes products catering to your various different enterprise needs.
This talk will focus on leveraging the extensive feature set and extensible nature of the WSO2 platform to secure, monitor and monetize your APIs. It will also touch upon some of WSO2’s experiences with customers in building API ecosystems that suit modern day enterprises.
Faceted Search – the 120 Million Documents StorySourcesense
Upayavira's presentation at Online Information 2010 in London: the case study of an Enterprise-critical migration from custom Lucene indexes to Apache Solr, with a significant focus on scalability.
The solution needed to providing search against rapidly changing data-sets and multi-million document indexes, enabling complex queries with sub second responses and maintaining high availability.
This file contains encrypted PHP code. Reverse engineering or decoding the file is strictly prohibited according to a comment at the top. The bulk of the file consists of a long encrypted string that likely contains the PHP source code when decrypted.
AJAX and future JavaScript
- AJAX allows for asynchronous data exchange between a client and server using XMLHttpRequest objects and JavaScript. This allows for updating parts of a web page without reloading the entire page.
- Future versions of JavaScript may include features like classes, interfaces, and modules to improve organization and reuse. JSON and E4X also provide ways to work with data beyond traditional JavaScript objects.
The document discusses JSON Web Tokens (JWTs), which can be used for authentication and authorization in applications. JWTs consist of JSON objects that are used to share security information between parties as a JSON Web Token. They can contain claims about an entity (e.g. user) and are signed to protect the claims from being altered. The document provides examples of using JWTs to authorize API requests by encoding, transmitting, and verifying JWTs on the client and server side.
One of the most time consuming tasks as a red teamer is diving into filesystems and shares, attempting to identify any potentially sensitive information. Genneraly users store credentials and other sensitive information in local filesystems and this talk has the purpose of explaining how to use the carnivorall as a means to speed up the task of searching important files using several vectors. I will present some proof of concepts, comparisons between tools and my recent success cases in red teaming engagements."
DEFCON 23 - Jason Haddix - how do i shot webFelipe Prado
1. The document discusses hacking techniques for web applications, including methodology, discovery techniques, mapping, and tactical fuzzing approaches for XSS, SQLi, file inclusion, and uploads.
2. It provides tips on finding less tested application scopes, port scanning, directory bruteforcing, crawling, and using tools like SQLmap and intrigue for reconnaissance.
3. The document outlines tactics for auth bypass, session hijacking, parameter tampering, and common vulnerabilities like XSS, SQLi, file inclusion, and CSRF with examples of payloads and techniques.
The document discusses three different buffer overflow exploits against three users (superuser, hyperuser, and masteruser) on a Linux machine. The superuser's program can be exploited through a simple buffer overflow. The hyperuser's program uses a canary but can still be exploited by overwriting a vulnerable function pointer. The masteruser's program must be exploited by overwriting the virtual pointer table. Code examples and steps are provided for each exploit.
This document contains JavaScript code for tracking and reporting user behavior to Right Media for advertising purposes. It sets various variables used for tracking, detects if Flash is installed, checks for cookies, and writes tracking tags and cookies. If conditions are met based on tracking variables and frequencies, it will write tracking scripts to the page.
This document provides an overview of Python cryptography and security topics including cryptography concepts like hashing, symmetric and asymmetric encryption, digital signatures, and Python libraries for working with cryptography like PyCrypto and Cryptography. It also discusses Django security best practices like using HTTPS, securing cookies and passwords, and access control.
How DNS wildcards really work & how to prevent that DNS wildcard bite!
Tailored for DNS administrators on Unix and Windows operating authoritative DNS Servers with one or more zone-files, as well as all those interested in the topic.
The document contains PHP code that uses base64 encoding and string manipulation to obfuscate code. When executed, it defines a function that decodes and executes another base64 encoded string, potentially running malicious code on the system.
MongoDB Europe 2016 - Enabling the Internet of Things at Proximus - Belgium's...MongoDB
Proximus is one of the biggest Telecom companies in the Belgian market. This year the company began developing a new IoT network using LoRaWan technology. The talk will detail our development team’s search for a database suited to meet the needs of our IoT project, the selection and implementation of MongoDB as a database, as well as well as how we built a system for storing a variety of sensor data with high throughput by leveraging sleepy.mongoose. The talk will also discuss how different decisions around data storage impact applications in regards to both performance and total cost.
sf bay area dfir meetup (2016-04-30) - OsxCollector Rishi Bhargava
OSXCollector is an open source forensic evidence collection and analysis toolkit for Mac OS X. It collects a wide range of system and application data from an OS X system, including files, browser history, startup items, quarantines, and more. The output is formatted as JSON, which contains metadata like hashes, timestamps, and signature chains for collected artifacts. This standardized format makes the data easy to analyze programmatically through output filters to detect anomalies, malware artifacts, and other interesting findings.
Code Obfuscation, PHP shells & more
What hackers do once they get passed your code - and how you can detect & fix it.
Content:
- What happens when I get hacked?
- What's code obfuscation?
- What are PHP shells?
- Show me some clever hacks!
- Prevention
- Post-hack cleanup
What is this not about:
- How can I hack a website?
- How can I DoS a website?
- How can I find my insecure code?
The document discusses reversing Microsoft patches to reveal vulnerable code. It describes taking a binary difference of files before and after a patch is applied to identify code changes and potential vulnerabilities. This process can be used to create better vulnerability signatures compared to exploit signatures. However, there are challenges to the process like obtaining the correct file versions to compare and dealing with compiler optimizations. Dynamic analysis by setting breakpoints in changed code is also described to help locate where user input is handled to potentially exploit vulnerabilities. The goal is to reveal vulnerable code details to help create vulnerability signatures and verify patches.
This document discusses security issues that can arise in custom Android ROMs. It identifies several practices that could compromise device security, such as having USB debugging or ADB shell enabled with root access, insecure permissions on the system partition, or installing apps from unknown sources. The document provides examples of how these issues could be exploited. It also discusses how ROM developers and users can help protect devices by disabling unnecessary settings and being cautious of untrusted connections or apps.
The document provides guidance on penetration testing biometric fingerprint authentication systems. It outlines various potential attack vectors, including local attacks on the fingerprint sensor and USB data manager, as well as remote attacks on the remote IP management, backend database, and fingerprint manager admin interface. The document then details methods for conducting local attacks, such as using a fingerprint logger to steal a print and reproducing fake fingerprints to trick the sensor. It also discusses vulnerabilities in biometric device network protocols and remote administration capabilities. The goal is to evaluate security and identify ways to bypass authentication or steal sensitive user data from biometric systems.
This document analyzes a Facebook spam campaign that exploited users through malicious browser extensions. The spam spread by tricking users into installing a fake "YouTube Premium" extension that stole users' cookies and used them to post spam messages on friends' walls. The document traces how the extension redirected users to a page containing a distracting video while running a script in the background to spread the spam. It concludes with tips on how to avoid similar scams by being wary of suspicious browser extensions and unsolicited promises of gifts or money online.
The document discusses Jugaad, a proof-of-concept toolkit that demonstrates code injection on Linux systems similar to CreateRemoteThread on Windows. It does this using the ptrace system call to attach to a process, read/write its memory, and inject shellcode that allocates memory and creates a thread to execute arbitrary code within the target process context. First, it explains how ptrace can be used to manipulate another process. Then it describes how Jugaad uses these ptrace capabilities to meet the requirements of allocating memory, creating a thread, and executing payload code inside the target process.
This document provides an overview of shellcode mastering techniques. It discusses the basics of shellcode including features, types, and development tasks. It covers basic shellcode techniques like call/ret algorithms and delta offset approaches. Optimization techniques are analyzed like instruction format optimizations, register value reusing, and avoiding the stack. An example analysis is given of the evolution of smaller shellcodes over time in a shellcode size competition. Hands-on labs are described to practice skills like addressing variables, using strings, and finding Windows API entry points. Required tools are listed for the labs including debuggers and assemblers.
The document discusses proper password hashing methods for securely storing passwords. It begins by stating that most websites currently do not properly store passwords, either in plaintext or with a single hash without salt. This is irresponsible. The document then discusses proper hashing methods that should be used, including adding salt, using key derivation functions like PBKDF2, ARC4PBKDF2, and bcrypt. PBKDF2 works by repeatedly hashing the password with a salt, while ARC4PBKDF2 additionally encrypts the password and hashes with an evolving ARC4 stream for added complexity. Bcrypt is also an adaptive function that works similarly to PBKDF2 but in a more complicated way. The document
Password Storage And Attacking In PHP - PHP ArgentinaAnthony Ferrara
Password storage is a common problem that every developer needs to solve at some point in their career. Often, we rely upon frameworks and libraries to do it for us. But do they get it right?
How should passwords be stored? How are they going to be attacked? All these questions (and more) will be answered. This session will dive head first into password storage and all aspects surrounding it. We’ll cover some common misconceptions and dangerous mistakes. We’ll also explore some of the best available tools to solve the problem, and go into why they are the best. Finally, we’ll look at some of the tools that attackers will use to attempt to extract plain text passwords.
We’ll explore each point from both angles: the pragmatic developer and the attacker. For the safety and security of your users, make sure that you know how to securely store their passwords. It’s not just the right thing to do, but it is negligent not to!
These slides are from a talk that I did at PHP Benelux 2013 ( http://conference.phpbenelux.eu/2013/ ).
In this talk, I go over the progression of password storage techniques, and weaknesses of each method. Eventually, we build up to the final secure implementations, and the current methods used to attack them.
Would you voluntarily share how your web app stores passwords? Some companies indeed do share, for example Facebook and LastPass to name just a few. Some share involuntarily. Some don't share at all because they feel that it will make them more vulnerable. Here's why you should do that and how.
Techniques for password hashing and crackingNipun Joshi
This document discusses techniques for securely storing passwords using hashing and preventing cracking. It recommends using algorithms like bcrypt and PBKDF2 that include salts and key stretching to make passwords very difficult to brute force or dictionary attack by requiring extensive time and computing resources. The document provides examples of hashing best practices and measures organizations and users can take to better protect against leaks and unauthorized access.
How to Use Cryptography Properly: Common Mistakes People Make When Using Cry...All Things Open
Andy Watson gave a presentation on properly using cryptography in applications. He discussed random number generation, hashing, salting passwords, key derivation functions, symmetric encryption, and common mistakes made with cryptography. The presentation covered topics like cryptographically secure random number generation, choosing secure hash functions, adding salts to hashes, using functions like PBKDF2 for key derivation, different encryption modes like ECB and GCM, and real examples of cryptography mistakes from companies like LinkedIn.
Kieon secure passwords theory and practice 2011Kieon
The document discusses password security and different methods for storing passwords. It analyzes passwords from a data breach of 32 million passwords and finds that most passwords were very weak. It then discusses various methods for storing passwords like clear text, hashed passwords without salts, hashed passwords with static salts, and hashed passwords with dynamic salts. Hashing passwords with dynamic salts provides the strongest security since each hash is unique and cannot be cracked using rainbow tables. The document concludes that while no database is completely secure, dynamic hashing with salts makes the passwords much harder to steal through automated attacks or by experienced hackers.
Andy Watson, an employee of Ionic Security, gave a presentation on properly using cryptography in applications. The presentation covered topics such as random number generation, hashing, salting passwords, key derivation functions, symmetric encryption algorithms and common mistakes made with cryptography. The goal was to help people avoid vulnerabilities like unsalted hashes, hardcoded keys, weak random number generation and improper encryption modes.
The document provides guidance on properly storing passwords in a database. It recommends using cryptographically secure hash functions with salts to hash passwords before storage. It discusses approaches like PBKDF2, BCrypt, and SCRYPT that can be used to hash passwords and make brute force attacks more difficult. The document stresses that security should be a higher priority for developers than new frameworks, and provides other recommendations like using standard authentication when possible and limiting database access.
The document discusses various security issues and best practices for writing secure PHP applications, including:
1. Validating all user inputs, using prepared statements to prevent SQL injection, and disabling register_globals and magic quotes.
2. Properly configuring PHP error messages, file permissions, and directory listings to prevent information disclosure.
3. Using strong hashing with salts to securely store passwords, disabling dangerous PHP functions, preventing XSS and CSRF attacks, and being generally paranoid about security.
Safely Protect PostgreSQL Passwords - Tell Others to SCRAMJonathan Katz
Jonathan S. Katz gave a talk on safely protecting passwords in PostgreSQL. He discussed:
- The evolution of password management in PostgreSQL, from storing passwords in plain text to using md5 hashes to modern SCRAM authentication.
- How plain text and md5 password storage are insecure as passwords can be intercepted or cracked.
- The SCRAM authentication standard which allows two parties to verify they know a secret without exchanging the secret directly.
- How PostgreSQL implements SCRAM-SHA-256 to generate a secure verifier from the password and authenticate users with random salts and iterations to secure against brute force attacks.
Is your crypto secure? Let's take a look at what main issues there are in modern cryptography that software developers and architects have to be aware of.
This document provides basic instructions for cracking Android PINs/passwords with the tool Hashcat. It outlines the tools and files needed from the Android device, including the device_policies.xml, locksettings.db, and password.key files. It then walks through the steps to extract the necessary information like the salt and hash, convert it to the proper format for Hashcat, and run the cracking process to reveal passwords of varying lengths.
Get Your Insecure PostgreSQL Passwords to SCRAMJonathan Katz
Passwords: they just seem to work. You connect to your PostgreSQL database and you are prompted for your password. You type in the correct character combination, and presto! you're in, safe and sound.
But what if I told you that all was not as it seemed. What if I told you there was a better, safer way to use passwords with PostgreSQL? What if I told you it was imperative that you upgraded, too?
PostgreSQL 10 introduced SCRAM (Salted Challenge Response Authentication Mechanism), introduced in RFC 5802, as a way to securely authenticate passwords. The SCRAM algorithm lets a client and server validate a password without ever sending the password, whether plaintext or a hashed form of it, to each other, using a series of cryptographic methods.
In this talk, we will look at:
* A history of the evolution of password storage and authentication in PostgreSQL
* How SCRAM works with a step-by-step deep dive into the algorithm (and convince you why you need to upgrade!)
* SCRAM channel binding, which helps prevent MITM attacks during authentication
* How to safely set and modify your passwords, as well as how to upgrade to SCRAM-SHA-256 (which we will do live!)
all of which will be explained by some adorable elephants and hippos!
At the end of this talk, you will understand how SCRAM works, how to ensure your PostgreSQL drivers supports it, how to upgrade your passwords to using SCRAM-SHA-256, and why you want to tell other PostgreSQL password mechanisms to SCRAM!
Crypto failures every developer should avoidOwaspCzech
This document discusses common cryptography failures that developers should avoid. It begins by outlining what conventional wisdom says about cryptography implementation challenges. It then examines specific failures like improper password storage, misuse of hash functions, lack of authentication with encryption, reuse of nonces/IVs, poor randomness, and TLS certificate issues. For each failure, it provides examples of real world incidents and outlines the proper approaches to implementation. The goal is to help developers learn from these mistakes and understand cryptography at a level needed to use it securely.
Crypto failures every developer should avoidFilip Šebesta
This document discusses common cryptography failures that developers should avoid. It begins by outlining what conventional wisdom says about cryptography implementation challenges. It then examines specific failures like improper password storage, misuse of hash functions, lack of authentication with encryption, reuse of nonces/IVs, poor randomness, and TLS certificate issues. For each failure, it provides examples of real world incidents and outlines the proper approaches to implementation. The goal is to help developers learn from these mistakes and understand cryptography at a level needed to use it securely.
The 7th June 2012 Linkedin was hacked. More than 6 million LinkedIn passwords was compromised. The real shocking news was not the theft but the fact that the attackers were able to decrypt many of these passwords. Why it happened? The answer is simple: a bad design of the password security. In this talk I presented how to choose "secure" user's passwords and how to safely store it from a programmer's perspective.
This talk has been presented during the MOCA 2012, http://moca.olografix.org/moca2012
This document discusses password security and best practices. It notes that 66% of corporate network breaches are due to weak passwords. Passwords should not be stored in plaintext or with reversible encryption, but rather hashed with salts. Hashing strengthens security but using salts is important to avoid rainbow table attacks. The document recommends choosing long, unique passphrases rather than short, dictionary words for passwords. It also advocates the use of password managers and two-factor authentication for strongest security.
Arun Mane is the founder and director of AmynaSec Labs. He is a security speaker and trainer who has presented at many conferences including Defcon, Blackhat, Nullcon, and HITB. His areas of expertise include security testing of IoT devices, connected vehicles, medical devices, and industrial control systems. Some common issues he finds include devices being publicly accessible, having backdoors, hardcoded credentials, and crypto or web application management problems. His testing methodology involves assessing web and mobile applications, embedded device communications, hardware testing through reverse engineering, and analyzing communication protocols and stored data.
This document outlines an agenda for a presentation on open-source intelligence (OSINT) gathering techniques. The agenda includes an introduction to OSINT, different types of intelligence gathering, a scenario example, OSINT gathering tactics and tools like Shodan, TheHarvester and Google dorks, applications of OSINT, a demonstration, references for OSINT, and a conclusion. Key OSINT tools that will be demonstrated include Twitter, Shodan, TheHarvester and Google dorks for gathering information from public online sources.
This document provides an overview of server-side request forgery (SSRF) vulnerabilities, including what SSRF is, its impact, common attacks, bypassing filters, and mitigations. SSRF allows an attacker to induce the application to make requests to internal or external servers from the server side, bypassing access controls. This can enable attacks on the server itself or other backend systems and escalate privileges. The document discusses techniques for exploiting trust relationships and bypassing blacklists/whitelists to perform SSRF attacks. It also covers blind SSRF and ways to detect them using out-of-band techniques. Mitigations include avoiding user input that can trigger server requests, sanitizing input, whitelist
Nmap is a network scanning tool that can perform port scanning, operating system detection, and version detection among other features. It works by sending TCP and UDP packets to a target machine and examining the response, comparing it to its database to determine open ports and operating system. There are different scanning techniques that can be used like TCP SYN scanning, UDP scanning, and OS detection. Nmap also includes a scripting engine that allows users to write scripts to automate networking tasks. The presentation concludes with demonstrating Nmap's features through some examples.
The document provides an introduction and overview of the Metasploit Framework. It defines key terms like vulnerability, exploit, and payload. It outlines the scenario of testing a subnet to find vulnerabilities. It describes the main features of msfconsole like searching for modules, using specific modules, and configuring options. It promotes understanding and proper use, emphasizing that Metasploit alone does not make someone a hacker.
1) The document provides guidance on testing APIs for security weaknesses, including enumerating the attack surface, common tools to use, what to test for (e.g. authentication, authorization, injections), and demo apps to practice on.
2) It recommends testing authentication and authorization mechanisms like tokens, injections attacks on state-changing requests, and how data is consumed client-side.
3) The document also discusses testing for denial of service conditions, data smuggling through middleware, API rate limiting, and cross-origin requests.
TLS 1.3 is an update to the Transport Layer Security protocol that improves security and privacy. It removes vulnerable optional parts of TLS 1.2 and only supports strong ciphers to implement perfect forward secrecy. The handshake process is also significantly shortened. TLS 1.3 provides security benefits by removing outdated ciphers and privacy benefits by enabling perfect forward secrecy by default, ensuring only endpoints can decrypt traffic even if server keys are compromised in the future.
This document provides an introduction to hacking mainframes in 2020. It begins with an overview of mainframe systems and terminology. It then discusses reconnaissance methods like port scanning and credential theft to gain initial access. Next, it covers conducting internal reconnaissance to escalate privileges by exploiting surrogate users, APF authorized libraries, and UNIX privilege escalation techniques. The document aims to provide enough context for curiosity about hacking mainframe systems.
The document discusses CRLF injection and SSRF vulnerabilities. CRLF injection occurs when user input is directly parsed into response headers without sanitization, allowing special characters to be injected. SSRF is when a server is induced to make HTTP requests to domains of an attacker's choosing, potentially escalating access. Mitigations include sanitizing user input, implementing whitelists for allowed domains/protocols, and input validation.
The document provides an overview of Active Directory, including its components and how it is used to centrally manage users, computers, and other objects within a network. It discusses key Active Directory concepts such as forests, domains, organizational units, users, computers, and domain trusts. It also provides step-by-step instructions for setting up an Active Directory lab environment for red teaming purposes and integrating a client machine into the domain.
A security engineer discusses how logs and passive reconnaissance can reveal sensitive information like AWS credentials. The engineer searched for open Jenkins and SonarQube instances which led to discovering Slack channels containing AWS access keys. Key lessons are to know your boundaries, automate mundane tasks, don't presume systems mask secrets, and persistence is important in security work.
Shodan is a search engine that indexes internet-connected devices and provides information about devices, banners, and metadata. It works by generating random IP addresses and port scans to retrieve banner information from devices. This information is then stored in a searchable database. Users can search Shodan's database using filters like country, city, IP address, operating system, and ports. Shodan can be accessed through its website or command line interface. While useful for security research, Shodan also raises privacy and security concerns by revealing information about unprotected devices.
This document outlines an agenda for discussing cloud security. It begins with an introduction to cloud computing and deployment models. It then discusses challenges of cloud computing and why cloud security is important. Specific threats like data breaches and account hijacking are listed. The document reviews the shared responsibility model and scope of security in public clouds. It describes cloud security penetration testing methods like static and dynamic application testing. Finally, it provides prerequisites and methods for conducting cloud penetration testing, including reconnaissance, threat modeling, and following standard testing methodologies.
This document discusses several techniques for maintaining persistence on Windows systems, including modifying accessibility features, injecting into image file execution options, using AppInit DLLs, application shimming, BITS jobs, registry run keys, and Windows Management Instrumentation event subscriptions. It provides details on how each technique works, common implementations, required privileges, relevant data sources, and example event log entries.
Frida is a dynamic instrumentation toolkit that allows injecting JavaScript into applications. Objection is a runtime mobile exploration toolkit powered by Frida that helps assess the security of mobile apps. It supports iOS and Android. Objection allows exploring apps by listing classes, methods, and injecting scripts to enable dynamic analysis like dumping keychain entries.
Osquery is an open source tool that allows users to perform SQL queries on their system to retrieve information. It supports various platforms and makes it easy to get details about the system. Osquery consists of Osqueryi, Osqueryd, and Osqueryctl components. Basic queries can be run in user context mode to view system information, configuration, and tables. Osqueryd runs in daemon mode and can be configured using packs and decorators to monitor specific events and files. Osqueryctl is used to control the Osquery daemon process.
This document discusses DevSecOps, beginning with an introduction from Tibin Lukose. It then covers some challenges in DevSecOps such as developers lacking security skills, cultural challenges, and difficulties balancing speed, coverage and accuracy in testing. The document proposes a model DevSecOps company, Infosys, and provides a demo and contact information for any further questions.
This document provides an introduction to XML and related technologies like libxml2, XSLT, XPath, and XML attacks. It discusses the basics of XML including elements, tags, attributes, and validation. It also describes common XML libraries and tools like libxml2, xmllint, and xsltproc. Finally, it provides an overview of different types of XML attacks like XML injection, XPath injection, XXE, and XSLT injection.
This document contains the agenda for a presentation on Linux for hackers. The agenda includes discussing the Linux file system, managing virtual machines smartly, command line tools like alias, tee, pipe, grep, cut, uniq, and xargs, Bash scripting, logging, and proxy chaining. It also mentions demonstrating several commands and tools. The presentation aims to be an interactive session where the presenter will answer any questions from attendees.
This document provides an overview of Android penetration testing. It discusses requirements and tools for static and dynamic analysis, including Apptitude, Genymotion, and ADB. It covers analyzing the Android manifest and classes.dex files. It also describes vulnerabilities in WebViews, such as loading cleartext content and improper SSL handling. Best practices for coding securely on Android are also presented.
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Driving Business Innovation: Latest Generative AI Advancements & Success StorySafe Software
Are you ready to revolutionize how you handle data? Join us for a webinar where we’ll bring you up to speed with the latest advancements in Generative AI technology and discover how leveraging FME with tools from giants like Google Gemini, Amazon, and Microsoft OpenAI can supercharge your workflow efficiency.
During the hour, we’ll take you through:
Guest Speaker Segment with Hannah Barrington: Dive into the world of dynamic real estate marketing with Hannah, the Marketing Manager at Workspace Group. Hear firsthand how their team generates engaging descriptions for thousands of office units by integrating diverse data sources—from PDF floorplans to web pages—using FME transformers, like OpenAIVisionConnector and AnthropicVisionConnector. This use case will show you how GenAI can streamline content creation for marketing across the board.
Ollama Use Case: Learn how Scenario Specialist Dmitri Bagh has utilized Ollama within FME to input data, create custom models, and enhance security protocols. This segment will include demos to illustrate the full capabilities of FME in AI-driven processes.
Custom AI Models: Discover how to leverage FME to build personalized AI models using your data. Whether it’s populating a model with local data for added security or integrating public AI tools, find out how FME facilitates a versatile and secure approach to AI.
We’ll wrap up with a live Q&A session where you can engage with our experts on your specific use cases, and learn more about optimizing your data workflows with AI.
This webinar is ideal for professionals seeking to harness the power of AI within their data management systems while ensuring high levels of customization and security. Whether you're a novice or an expert, gain actionable insights and strategies to elevate your data processes. Join us to see how FME and AI can revolutionize how you work with data!
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications.He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Pushing the limits of ePRTC: 100ns holdover for 100 days
Cracking Salted Hashes
1. Garage 4 Hackers http://www.garage4hackers.com
Cracking Salted Hashes
Web Application Security: - The Do’s and Don’ts of “Salt Cryptography”
Overview:
Data Base security has become more critical as Databases have become more open. And Encryption
which is one among the five basic factors of data base security.
It’s an insecure practice to keep your sensitive data like Password, Credit Card no etc unencrypted in
you database. And this paper will cover the various Cryptography options available and do and don’ts of
them.
Even if you have encrypted your data that doesn’t mean that your data’s are fully secured, and this
paper will be covered in an Attacker perspective.
Slat Cryptography.
http://en.wikipedia.org/wiki/Salt_(cryptography)
Assume a user’s hashed password is stolen and he is known to use one of 200,000 English words as his
password. The system uses a 32-bit salt. The salted key is now the original password appended to this
random 32-bit salt. Because of this salt, the attacker’s pre-calculated hashes are of no value (Rainbow
table fails). He must calculate the hash of each word with each of 232 (4,294,967,296) possible salts
appended until a match is found. The total number of possible inputs can be obtained by multiplying the
number of words in the dictionary with the number of possible salts:
2^{32} times 200 000 = 8.58993459 times 10^{14}
To complete a brute-force attack, the attacker must now compute almost 900 trillion hashes, instead of
only 200,000. Even though the password itself is known to be simple, the secret salt makes breaking
the password increasingly difficult.
Well and salt is supposed to be secret, to be simple if the attacker knows what salt is used then we
would be back again to step one. So below listed are few possible ways you could use to crack salted
hashes.
FB1H2S http://www.fb1h2s.com Page 1
2. Garage 4 Hackers http://www.garage4hackers.com
Application that doesn’t use cryptography hashes:
While auditing a web application I came across this piece of program. It used
java script to encrypt the user password before sending. And a salt too was
used, and the salt used was the current Session ID.
onclick="javascript:document.frm.id.value='user';
document.frm.passwd.value='value';
this.form.passwd.value=(hex_md5('CC6AB28BA9FAD121184B09E00F1DD6E7'+this.form.passwd.value));
this.form.submit();
Where “CC6AB28BA9FAD121184B09E00F1DD6E7”.
So In the Back End program:
There would be no way for the back end program to verify the password value, as the salt is used and is the
random session id. And as MD5 function are non reversible hash function, the password cannot be verified
unless and until the passwords are saved as clear text in the Data Base.
The salt used to encrypt the password before sending were the random generated session ids. That
means that the back end databases are no way encrypted.
Some time these kinds of coding gives away a lot of information.
Point NO 1: Always encrypt and save your passwords database.
Slated Hashes.
I recently came across a huge Data Base of a well known !@#$$il[Encrypted] ☺, the Database contained
Email-Ids and there alternate passwords, but unfortunately the passwords were encrypted and was in
hashed format, “Good Practice”. So the following paper would be in respect to how I cracked those
hashes.
Cracking The Hashes:
The few possible way to crack hashed passwords are:
1) The algorithm used for hashing should have some flaws and hashes should be
reversible
2) Or that you will have to Brute force the hashes with a wordlist of Dictionary or
Rainbow tables.
3) Or simply if you have UPDATE Privileges on that Data Base Update it with a
know password’s hash value.
For all of these attacks to work you need to know what algorithm the hashes are computed on.
FB1H2S http://www.fb1h2s.com Page 2
3. Garage 4 Hackers http://www.garage4hackers.com
So what is that you could do to figure out the Hashing Algorithm used??
Answer: All algorithms generate a fixed length hash value, so based on the Output you could estimate
what algorithm was used☺. “Well all these things are pretty know facts “, but Still am putting it here.
For this am putting here a small Cheat sheet for figuring out the Hash functions based on the output.
Language: PHP ASP JAVA
Algorithm:
Function: md5(“input”); Function: Function:java.secur
Hash(“input”); System.Security.Cryptogr ity.MessageDigest
aphy
MD5 Output: 32 Char Output: 32 Char
Output: 32 Char
Ex: Ex:
“5f4dcc3b5aa765d61d8327d “5f4dcc3b5aa765d61d8327d Ex:
eb882cf99” eb882cf99” “5f4dcc3b5aa765d61d
8327deb882cf99”
Function: Crypt() ““ ““
Salt+Crypto By default its DES
Output: 13 Char
Ex: “sih2hDu1acVcA”
And lot others:
Original Source: http://www.insidepro.com/eng/passwordspro.shtml
FB1H2S http://www.fb1h2s.com Page 3
6. Garage 4 Hackers http://www.garage4hackers.com
Well hope this reference table might be of help for you some time.
And out these the hashes I had to crack where “13 Chars” hashes. So it was obvious form my table that
It was based on Php Crypt function.
A simple walk through of of the Php crypt function:
1) It’s is a hash algorithm which takes in a “String” and a “salt” and encrypts the hashes.
2) And by default it uses “DES” to encrypt hashes.
FB1H2S http://www.fb1h2s.com Page 6
7. Garage 4 Hackers http://www.garage4hackers.com
Consider the Ex:
<?php
$password = crypt('password');
?>
Hashes: laAsfestWEiq1
Here password hashes generated would be on basis of a random 2 digit salt.
Or we could provide our on salt.
<?php
$password = crypt('password',’salt’);
?>
Hashes: sih2hDu1acVcA
And the comparison password verification code would be as follows:
if (crypt($user_password, $password) == $password) {
echo "Correct Password";
}
?>
In either of the cases the salt is appended with the Hashes, property of DES. Well as I mentioned above
the security of salt cryptography is on the fact that the salt is unknown to the cracker. But here it’s not.
Well with this basic piece of Information, it was easy to crack hashes that I had in my hands☺.
And all the hashes were cracked easily, all I have to do was load a common passwords dictionary and
add it with the constant salt, and get my work done.
FB1H2S http://www.fb1h2s.com Page 7
8. Garage 4 Hackers http://www.garage4hackers.com
Consider the given Hash/salt programs with the following cases.
Salt/Hash algorithm with Constant Salt:
$password = $password_input; //user input
$salt = "salted";
$password = md5($salt.$password); //saved in db md5(saltedpassword)
Hashes: 1423de37c0c1b63c3687f8f1651ce1bf
Salt: salted
In this program a constant salt is used therefore the salt is not saved in
the database. So our dumped hashes won’t be having the salt value.
For verifying such algorithms we need to try the following things.
1) Try to create a new user using the target application.
2) Dump the data again and verify what algorithm is used using the above
mentioned methods.
3) Consider the new password added was “password” md5(‘password’)==
“5f4dcc3b5aa765d61d8327deb882cf99”, instead if the updated value was
“1423de37c0c1b63c3687f8f1651ce1bf” that says a salt is used and is a constant one as it
don’t seem to be added with the final hashes.
Cracking the salt:
Now for breaking this, the only thing you could do is a bruteforce the hashes for figuring out what the
salt is, for ex:
And once we know the salt append it with every password we check and crack it.
We know :
Md5(‘password’)== “5f4dcc3b5aa765d61d8327deb882cf99”
Now question is
Md5(‘password’ + “????WHAT????”) ===
“1423de37c0c1b63c3687f8f1651ce1bf”
FB1H2S http://www.fb1h2s.com Page 8
9. Garage 4 Hackers http://www.garage4hackers.com
Note: Never use a constant salt for all hashes:
“If same constant salt is used for all hashes then it would be easy to crack
all hashes”
So Point NO 2: If your PHP application is storing Sensitive values and you want to encrypt and store its
salted hashes then Crypt() function is not the right option nor depending on any constant salt functions
is the right choice.
Salt/Hash algorithm with Random Salt:
If random salt is used for each hash, which is necessary for application
whose source is publicly available, then it would be necessary to store the
salt along with the hashes. That gives it a –ve point because it’s possible
to extract the salt for the hashes. But + point is, that cracker need to
build hash tables with each salt for cracking each hash. This makes it hard
to crack multiple hashes at a time. But still possible to crack the selected
hashes, consider the admin one.
Consider the example:
$password = $rand(5); //user input
$salt = "salted";
$password = md5($salt.$password); //saved in db md5(saltedpassword)
Hashes: 6f04f0d75f6870858bae14ac0b6d9f73:14357 (Hash:Salt)
Salt: 14357
We could extract the salt, but as different hash will be having a different
salt, it’s impossible to crack all hashes at a stretch.
But it would be back again dependent on how good the passwords are.
At similar situations a Dictionary attack on the hashes would be the only
possibility. Or else we need a better Cracking program, which provides
distributed cracking process.
Rainbow tables rocks not because it has got all possible values hashes, but
because “Searching” algorithm is faster.
FB1H2S http://www.fb1h2s.com Page 9
10. Garage 4 Hackers http://www.garage4hackers.com
Consider.
Rainbow tables check searching [Fast]
Brute Force Read a value Append salt Compute hashes Compare [slow]
This property makes the attack slow even if we know the salt.
So such situation a better and free Cracking [Distributed Cracking System would be necessary]
Idea for One such Distributed Cracking System would be as follows
Tool: One such tools documentation would be.
The whole Idea of such a system comes from the concept of torrents, where if
you want something you have to share something. Here if you want to crack
something you will have to share your processing speed.
Architecture Of the tool should be:
Note: Sorry for the poor Image
FB1H2S http://www.fb1h2s.com Page 10
11. Garage 4 Hackers http://www.garage4hackers.com
1) You download the Cracker tool Client
2) You have an admin hash to crack that of wordpress, you add the hash along with salt to cracker
Client.
3) Cracker client sends the hash to Crack server.
4) Crack server accepts you as part of the distributed cracking Network.
5) Crack server updates you with the new set of hashes, algorithm, and permutations you have to
carry out.
6) Logic is when someone is doing work for you, will have to work for them too.
7) There by your work will be carried out by many different computers.
How this speeds your cracking.
1) Your computer when in the network is assigned to generate wordlist , consider the key
space for a 9 char alphanumeric password is 101559787037052 and your computer will have
to generate 101559787037052/N , where “N” is the total no of cracker clients in the NW.
FB1H2S http://www.fb1h2s.com Page 11
12. Garage 4 Hackers http://www.garage4hackers.com
2) You computer will have to pass each word generated through multiple algorithms your
assigned with on your multithreaded Cracker Client.
3) Once a client cracks a password it updates it to the Cracker server, and cracker server passes
it to the user who requested the information.
4) So if you have 350 cracker clients working together then every body’s work will be done in a
day or two.
Finding an unknown Hash Algorithm:
Consider the case with such an algorithm
• Consider a situation where the hashes are multiple encrypted with different hash
algorithms, for example:
<?php
$password = sha1('password'); // de4he6la fe4oe6late4he6lade4he6lade4he6la
$final_password= md5($password)
Final Password Hashes: 1423de37c0c1b63c3687f8f1651ce1bf
• In such kind of situations, Hashes may looks like Md5 but it’s actually the md5 of
sh1 hashes.
• So in such kind of situation were multiple hashing algorithm is used and algorithm is
unknown, and it would be really hard to find what the hashes are.
Now you need an algorithm brute force for predicting the back end
algorithm.
FB1H2S http://www.fb1h2s.com Page 12
13. Garage 4 Hackers http://www.garage4hackers.com
Algorithm_Bruter
• So I came up with this script, which takes in a known “password” and it’s “hashes” and
then moves it through many different commonly used hash algorithms and tries to find
a match, predicting what algorithm it used in the back end.
• For script need to be provided with a Plain Text Value and its alternate Hashes and as
output you will get the algorithm used.
• You could check out the script here.
• http://www.fb1h2s.com/algorithmbruter.php
• This could be used in above mentioned situations.
Algorithm_Bruter.php
I am going through different Programming forums and taking out different, forms of
multiple hashing; programmers are using and, will update it on this script. So you
could find what algorithm was used.
FB1H2S http://www.fb1h2s.com Page 13
14. Garage 4 Hackers http://www.garage4hackers.com
Hope this paper was of some help for you in dealing with salted hashes.
And all greets to Garage Hackers Members.
http://www.garage4hackers.com
And shouts to all ICW, Andhra Hackers members
http://www.andhrahackers.com/
and my Brothers:-
B0Nd,Eberly,Wipu,beenu,w4ri0r,empty,neo,Rohith,Sids786,SmartKD,Tia,hg-
h@xor,r5scal,Yash,Secure_IT, Atul, Vinnu and all others.
This paper was written for Null meet 21/08/
By FB1H2S
www.fb1h2s.com
FB1H2S http://www.fb1h2s.com Page 14