InfoSecGyan

You are at the right place.


Friday, 2 October 2015

How to build your career as an Ethical Hacker?


Greetings from InfoSecGyan!

Though you're quite new, there is nothing to worry about. It's really great to know that you've decided you'd like to be an Ethical Hacker!

Here are our top 10 tips to get you started!


First of all, here is a quick, layman's definition of a HACKER, since there is a lot of confusion about what the word means.
In simple terms, a hacker is someone who helps people or organizations secure themselves and their environment, which includes people, servers, networks, applications and other information assets, against attackers.

1. Clear all your fundamentals:


A professional hacker is one who learns as much as she/he can about a particular information asset and then tries to break into it. Your understanding of basic networking (TCP/IP and other protocols), operating systems (Windows, Linux, UNIX, Android, iOS etc.) and databases (MySQL, MS SQL, Oracle etc.) should be crystal clear.


2. Read all Security Stuff:


There is a lot of information available on the Internet about Information Security, including web application security, network security, mobile security, Information Security audits, the latest hacks/vulnerabilities etc. Pick the subject you are most interested in.


3. Practice, Practice, and Practice:


Most of you have a desktop or laptop at home. Download the freely available latest version of Kali Linux (which is specially designed for pentesters) and get started! You can build a small lab at home by creating virtual machines (VirtualBox or VMware) and practice your tools and techniques against your own setup. You should be very familiar with standard tools such as Nmap, Nessus, Hping3, Netcat, Traceroute, Burp Suite etc.


4. Make some money, just by testing your skills:


Nowadays a large number of sites run bug bounty programs, such as Microsoft, Facebook, PayPal, Yahoo, eBay, Google, etc. You can test these sites as much as you wish without fear of it being illegal, as long as you follow their bug bounty rules and disclose responsibly to them.

Remember, do not test any system or network that does not belong to you or that you are not authorized to test.


5. Follow Communities/Forums:


There are lots of communities and forums that are active on the Internet and also in your area. Attend their meetups and conferences, present your ideas and research, and subscribe to their mailing lists. There is a lot you can learn from experts. I encourage you to go for Nullcon and Garage4Hackers; they have some really awesome brains.


6. Do research and self-Study:


Choose your interest, say mobile application security, and go deeper into it. Get an Android or iOS phone, download some malicious mobile apps, and reverse engineer them. You'll gain a lot of confidence here.


7. Learn Programming Languages:


It's really not necessary to be an expert in programming languages, but you should have a basic understanding of a program and its flow. When you actually go into the field, you need a basic understanding of programming languages, without which your assessment may fail. Before you start a web application assessment you should have basic knowledge of at least HTML, JavaScript, PHP and ASP. For penetration testing and exploit development you should know Python and Ruby.

8. Always be Ethical:


The knowledge and skills you gain as you go along are always a double-edged sword, and you need to make sure you do not cross the line of ethics and legality. Do not test sites that don't have an explicit bug bounty program, as I said in point number 4. Do not call up a company and ask them to pay you because you have found some bug on their website. This is all illegal, and doing such stupid things could put you behind bars.


9. Never stop Learning:


The cyber security field is so vast and so exciting that you should never stop learning. If you feel that you have become an expert on one topic, say mobile application security, then go for another topic: network security, web services, cryptography, secure coding, cloud security, exploit development etc. But never ever stop learning.


10. Attend Good Trainings Programs:


Consider signing up for the good courses mentioned below. Apart from these, learn basic Linux and its commands.
Also, I would recommend Vivek Ramachandran's (SecurityTube.net) courses to advance your skills. I really love all of his video series; they are damn awesome.


Training programs to get you started:


1. Basic Networking:

Cisco Certified Network Associate (CCNA):

This course is optional, but I would like to recommend it because here you will gain basic networking skills which will really help you build up attack scenarios and perform attacks accordingly. Before you start penetration testing, you should understand how different network components work and communicate with each other. And it's very cheap. Certification is not necessary; just the course/training is sufficient.


2. Very Basic Course To Start with:

Certified Ethical Hacker (CEH)

This course will significantly benefit all those who are interested in knowing more about how hackers break into networks, in building the capability to test their own infrastructure, and in enhancing their vulnerability assessment and penetration testing capabilities. Here, you will get an understanding of the different types of attacks and how they work. You will also be able to perform many attacks at a certain level. However, there is no hands-on component; it is just theoretical.

This is recommended for people who are new to the InfoSec/hacking world and for IT auditors who want to learn basic attacks. Along with the training, you might also need the certificate when you apply for a job at certain Indian companies.


3. Advanced Course:

Offensive Security Certified Professional (OSCP)

It goes far beyond the usual courses that talk about the same old port scanning and vulnerability assessments. It is a completely hands-on, challenging, real-world oriented offensive security certification. It goes deep into penetration testing and exploitation. It's a bit of a difficult exam and needs much more practice and patience.


Make sure you get all your training from recognized institutes where you will really learn something fruitful, and don't just believe fake institutes that only do marketing on the Internet and in your local area. Once you get into this network, you will see lots of people and institutes offering training on hacking and other things. Don't believe them blindly. Always check reviews before you choose an institute.


And there are many more courses available out there, but they all depend on your further interests.

Soooooooooooooo :)


Please comment down below if you have any queries; I would definitely love to help you out.

Happy Hacking…



Saturday, 19 September 2015

SSL / TLS: Best Practices




Hi All,

So finally, I got time to write something. Today, I'm gonna write about SSL and TLS. They are pretty common terms in Information Security. However, only a few people know their actual use, the difference between them, the vulnerabilities present in ciphers, best practices etc.

Let's understand it from a security best-practices perspective and not get into core technical details like the message authentication process, key material generation, design and implementation, the RFCs etc. I will write about such core parts in another post.

Let’s start...

Nowadays, people and corporates are mainly concerned about data that is sent between applications and across the so-called "untrusted Internet". Corporates are using cryptographic protocols to authenticate their application servers and clients, and also to encrypt messages between authenticated parties (server to server, server to client etc.).

As of now, there are two cryptographic protocols designed to make web communications secure over an untrusted network (e.g. the Internet): SSL (Secure Sockets Layer) and TLS (Transport Layer Security).

TLS and SSL are most widely recognized as the protocols that provide secure HTTP (HTTPS) for Internet transactions between Web browsers and Web servers. TLS/SSL can also be used for other application level protocols, such as File Transfer Protocol (FTP), Lightweight Directory Access Protocol (LDAP), and Simple Mail Transfer Protocol (SMTP). TLS/SSL enables server authentication, client authentication, data encryption, and data integrity over networks such as the World Wide Web.

Both SSL and TLS use asymmetric cryptography, and both use X.509 certificates to authenticate two or more parties. Both work on the three features of security (Confidentiality, Integrity and Availability).

How the SSL/TLS handshake works:
In SSL/TLS, the client submits a list of cipher suites that it supports and the server picks one suite from that list to negotiate a secure communication channel. Secure communication then starts. However, some servers simply select the first suite from the client's list that they support, which is not a best practice: the server should enforce its own preference order.

Vulnerabilities and Best Practices:


Many vulnerabilities have been discovered in the last few years, like BEAST, the renegotiation attack, version rollback attacks, CRIME, BREACH, POODLE, FREAK, Logjam, Heartbleed etc.
Hence, below are our recommendations which you need to follow while implementing SSL/TLS to avoid these attacks:
  1. SSL v2 is insecure and must not be used.
  2. SSL v3 is insecure when used with HTTP and weak when used with other protocols. It's also obsolete, which is why it shouldn't be used.
  3. Disable support for TLS v1.0 (see note below).
  4. Disable insecure client-initiated renegotiation.
  5. NULL cipher suites provide no encryption.
  6. Export key exchange suites use authentication that can easily be broken. Do not use export ciphers (FREAK attack).
  7. Anonymous Diffie-Hellman (ADH) suites do not provide authentication.
  8. Suites with weak ciphers (typically 40 and 56 bits) use encryption that can easily be broken. Make sure all your supported ciphers use keys of at least 128 bits.
  9. RC4 and MD5 are weak.
  10. 3DES provides about 112 bits of security. This is below the recommended minimum of 128 bits, but it's still strong enough. A bigger practical problem is that 3DES is much slower than the alternatives.
  11. Enable HSTS on the web server.
  12. Implement Forward Secrecy.
  13. Use certificate pinning, if required.
  14. Set ciphers in order (first priority is the strength and key size of the cipher).
Currently, TLS v1.1 and TLS v1.2 are considered more secure than any other protocol version when they are correctly implemented (with the above recommendations).

In order to support older clients, you may need to continue supporting TLS v1.0 for the time being. With some workarounds, this protocol can still be considered secure enough for most web sites.

One point in the above recommendations that I would like to cover in more detail:

Support Forward Secrecy:
Forward Secrecy is a protocol feature that makes the security of past conversations independent of the server's private key. It means that if your server administrator goes on holiday and the server's private key gets compromised, the administrator can still continue to enjoy his holiday. ;)

With cipher suites that do not support Forward Secrecy, someone holding the server's private key can decrypt all earlier recorded conversations.

You need to support and prefer ECDHE suites in order to enable Forward Secrecy. Most modern web browsers support ECDHE. However, to cover almost all clients, you should use DHE suites as a fallback after ECDHE.


Server supporting ECDHE & DHE in the recommended order
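To make the handshake behaviour and the recommendations above concrete, here is an added example in Python (not code from the original post): it audits a list of OpenSSL-style cipher-suite names against items 5 to 10 and 12 to 14, and simulates the server's choice both with server-side preference and with the "first supported suite from the client's list" behaviour the post warns against. The suite lists are constructed samples, and the substring matching in `WEAK_MARKERS` is a simplification, not a full cipher-suite parser.

```python
import re

# OpenSSL-style name fragments marking suites the post says to avoid (items 5 to 10).
WEAK_MARKERS = {
    "NULL": "NULL suite, no encryption",
    "EXP": "export suite, breakable (FREAK)",
    "ADH": "anonymous DH, no authentication",
    "AECDH": "anonymous ECDH, no authentication",
    "RC4": "RC4 is weak",
    "MD5": "MD5 is weak",
    "DES-CBC3": "3DES, about 112-bit security and slow",
    "DES-CBC-": "single DES, 56-bit key",
}

def key_bits(suite):
    """Symmetric key length implied by the suite name, 0 if unrecognised."""
    m = re.search(r"AES(\d+)|CAMELLIA(\d+)|CHACHA20", suite)
    if not m:
        return 0
    return 256 if m.group(0) == "CHACHA20" else int(m.group(1) or m.group(2))

def audit(suites):
    """Return (suite, reason) for every configured suite that breaks a rule."""
    findings = []
    for s in suites:
        reason = next((r for mk, r in WEAK_MARKERS.items() if mk in s), None)
        if reason is None and key_bits(s) < 128:
            reason = "key shorter than 128 bits (item 8)"
        if reason:
            findings.append((s, reason))
    return findings

def fs_order_ok(suites):
    """Items 12 and 14: ECDHE suites first, DHE next, non-FS RSA key exchange last."""
    rank = lambda s: 0 if s.startswith("ECDHE") else 1 if s.startswith("DHE") else 2
    ranks = [rank(s) for s in suites]
    return bool(ranks) and ranks[0] == 0 and ranks == sorted(ranks)

def negotiate(client_offer, server_config, server_prefers=True):
    """Handshake choice: with server preference, the first *server* suite the client
    also offers wins; otherwise the first *client* suite the server supports wins
    (the behaviour the post calls out as bad practice)."""
    first, second = (server_config, client_offer) if server_prefers else (client_offer, server_config)
    return next((s for s in first if s in second), None)

# Constructed sample data: server list in recommended order, legacy client with a non-FS suite first.
SERVER = ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
          "DHE-RSA-AES256-GCM-SHA384", "AES256-GCM-SHA384"]
CLIENT = ["AES256-GCM-SHA384", "RC4-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]
```

Running `audit(SERVER + ["RC4-SHA", "EXP-DES-CBC-SHA"])` flags only the two appended suites, and `negotiate(CLIENT, SERVER)` versus `negotiate(CLIENT, SERVER, False)` shows the same client ending up on a forward-secret suite only when the server enforces its own order.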

There are lots of tools available with which you can test your server's SSL/TLS strength and vulnerabilities. Below are some which I prefer and consider the best:

Online Tools:

Offline Tools:
> SSLscan (the version in Kali 2.0 onward is good)
> TLSenum (especially for checking the order of ciphers)

Thanks for your time. :)

Got queries? Leave a comment down below; I would love to reply.

Ref: ssllabs, owasp, qualys