
@xatier
Last active February 27, 2023 22:04

1. Select a web site.

Use wget to mirror www.mit.edu.

[screenshot on Imgur]

The directory hierarchy of the mirrored site:

$ tree
.
├── favicon.ico
├── img
│   ├── BackImage.jpg
│   ├── MIT_logo.gif
│   ├── bckground.png
│   ├── transperantPNG.png
│   └── transperantSpotlightPNG.png
├── index.html
├── js
│   └── date.js
├── robots.txt
└── styles
    ├── iepngfix.htc
    └── style3973.css

3 directories, 11 files

The site's robots.txt stops wget (which honours robots.txt by default) from downloading the other directories:

User-agent: *
Disallow: /afs/
Disallow: /cgi-bin/
Disallow: /user/
Disallow: /org/
Disallow: /activity/
Disallow: /contrib/
Disallow: /dept/
Disallow: /software/
Disallow: /bin/
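As an added example (not part of the original gist), the following Python script parses the robots.txt shown above with the standard-library `urllib.robotparser` and reports which paths a robots.txt-honouring crawler such as wget may fetch. The site URL, the user-agent string and the sample paths (taken from the tree listing plus a few paths under the disallowed directories) are constructed for the example.

```python
# Added example: decide which paths of the mirrored site robots.txt allows.
# Uses urllib.robotparser from the standard library; nothing is fetched from
# the network, the robots.txt text is embedded below.
from urllib.robotparser import RobotFileParser

# robots.txt as served by www.mit.edu at the time of the mirror (copied from above)
ROBOTS_TXT = """\
User-agent: *
Disallow: /afs/
Disallow: /cgi-bin/
Disallow: /user/
Disallow: /org/
Disallow: /activity/
Disallow: /contrib/
Disallow: /dept/
Disallow: /software/
Disallow: /bin/
"""

SITE = "http://www.mit.edu"  # assumption: scheme/host used to build full URLs


def load_rules(text: str) -> RobotFileParser:
    """Parse robots.txt text offline (parse() marks the rules as loaded)."""
    rp = RobotFileParser()
    rp.parse(text.splitlines())
    return rp


def fetchable(rp: RobotFileParser, paths, agent: str = "Wget") -> list:
    """Subset of paths a robots.txt-honouring crawler may fetch.

    wget identifies itself as "Wget/<version>"; the rules above only have a
    wildcard group ("User-agent: *"), so they apply to every client.
    Disallow rules are prefix matches on the URL path.
    """
    return [p for p in paths if rp.can_fetch(agent, SITE + p)]


def blocked(rp: RobotFileParser, paths, agent: str = "Wget") -> list:
    """Complement of fetchable(): paths the crawler must skip."""
    return [p for p in paths if not rp.can_fetch(agent, SITE + p)]


if __name__ == "__main__":
    rules = load_rules(ROBOTS_TXT)
    # constructed sample: files from the tree listing plus paths that fall
    # under directories the robots.txt disallows
    sample = ["/index.html", "/img/MIT_logo.gif", "/js/date.js",
              "/afs/athena/", "/cgi-bin/search", "/software/index.html"]
    print("fetched:", fetchable(rules, sample))
    print("skipped:", blocked(rules, sample))
```

The skipped list explains why the mirror contains only the top-level files, `img`, `js` and `styles`: everything under `/afs/`, `/cgi-bin/`, `/software/` and the other listed prefixes is never requested. Note that robots.txt is advisory only; it limits well-behaved crawlers, not an attacker, so it is not an access control.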

2. Look up “How I met your girlfriend” in the BlackHat 2010 demo to explain, in 0.5 page, how this was done.

Web developers use the PHP session mechanism a lot for data transfer and authentication. But how does PHP generate the session ids? The author discussed the PRNG (pseudo-random number generator) in PHP. He found some weak links in the source code and tried to reduce the number of attempts needed to enumerate a specific PHP session. A good PRNG should be unpredictable. The talk showed that these functions are not necessarily suited for unpredictable, pseudo-random data, and that if the environment allows, session values can even be predicted (and the attack taken further).

A session is an identifier for PHP applications. Session support in PHP is a way to preserve certain data across subsequent accesses, which lets you build more customized applications and increase the appeal of your web site. A visitor accessing your web site is assigned a unique id, the so-called session id, which is either stored in a cookie on the user side or propagated in the URL. This session identifier becomes a critical personal identifier in many applications, from social networking to online banking. If a pre-existing, or even future, session identifier can be predicted, an attacker may be able to access a site as that user without authenticating. The randomness within this session identifier is critical in protecting the user and preventing session hijacking.

When a user logs into many social networking sites (Facebook in this case), other users (read: attackers) can see that the user has logged in at that moment. Additionally, an attacker could contact the user on the site via chat, message, comment, etc. and direct them to a link. The link itself would only provide the attacker with that user’s IP address. At this point, the attacker knows the time (according to the attacker’s computer) the user logged in (epoch, 4 bytes) and the IP address of the user (4 bytes).

Hence, we've reduced the 148 bits (pre-hashed) to 84 bits.

The php_combined_lcg() function, which produces 64 bits of pseudo-random data, uses an LCG (linear congruential generator). The LCG's seed is derived from the user's epoch time, so the LCG output corresponding to the timestamp above can be reproduced. To sum up, we’ve reduced our 148-bit session data down to, typically, less than 30 bits and many times very close to 20 bits.
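To make the entropy argument concrete, here is an added Python example (written for this summary, not code from the talk or from PHP). It builds session ids from a toy LCG seeded with the login timestamp and contrasts them with ids from the OS CSPRNG. The LCG constants are glibc-style values chosen for illustration and are an assumption; PHP's real php_combined_lcg() combines two different LCGs and is not reproduced here.

```python
# Added example: why a time-seeded LCG collapses session-id entropy, and what
# a CSPRNG-based generator looks like instead. Toy constants, not PHP's.
import math
import secrets

# Toy LCG parameters (assumption: glibc-style constants for illustration only)
A, C, M = 1103515245, 12345, 2 ** 31


def lcg_stream(seed: int, n: int) -> list:
    """First n outputs of the LCG x_{k+1} = (A * x_k + C) mod M."""
    x = seed % M
    out = []
    for _ in range(n):
        x = (A * x + C) % M
        out.append(x)
    return out


def weak_session_id(epoch_seconds: int) -> str:
    """A 32-hex-char id whose only secret input is the login time.

    Anyone who knows (or can bound) the timestamp can recompute it; the
    128-bit look of the string says nothing about its real entropy.
    """
    return "".join(f"{w:08x}" for w in lcg_stream(epoch_seconds, 4))


def strong_session_id() -> str:
    """128 bits from the OS CSPRNG; independent of time and client address."""
    return secrets.token_hex(16)


def distinct_weak_ids(start_epoch: int, window_seconds: int) -> int:
    """Number of different ids the weak generator can emit in a time window."""
    return len({weak_session_id(t)
                for t in range(start_epoch, start_epoch + window_seconds)})


def effective_bits(window_seconds: int) -> float:
    """Entropy of a seed known to lie somewhere in a window of this length."""
    return math.log2(window_seconds)


if __name__ == "__main__":
    t0 = 1_300_000_000  # constructed login timestamp
    print("same time, same id:", weak_session_id(t0) == weak_session_id(t0))
    print("ids possible in one hour:", distinct_weak_ids(t0, 3600))
    print("effective seed bits for a 1-hour window: %.1f" % effective_bits(3600))
    print("CSPRNG id (fresh each call):", strong_session_id())
```

With the login time known to within an hour, the weak generator has only 3600 possible outputs, i.e. under 12 bits of secret material, regardless of how long the id string is; the remaining bits of the "148-bit" session data are likewise shrunk by each component an observer can learn. Seeding from the system CSPRNG, as `strong_session_id()` does, removes the dependence on time and address entirely, which is the fix the talk's findings point to.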

3. Select a person. Use on-line sites for phone book, social network, information, job, photo management, business directory, jigsaw.com, etc. to summarize, with screen dumps and explanations, what information you can get. If your target is not in the US or is not a native English speaker, you might need to use on-line sites different from the textbook.

  • Barack Obama
  • 44th President of the United States
  • Tel: 202-456-1111
  • twitter
  • photo

[screenshot on Imgur]

4. Google “XYZ resume firewall” and “XYZ resume intrusion detection” where “XYZ” is the name of your target company. Screen dump “useful” results and explain what you got.

I don't think the result is useful @@/

[3 screenshots on Imgur]

5. Look up Archive.org and Google cached results, and select a target web site. Compare the differences between an archived and cached copy with its current on-line web site. Give screen dump and explain the differences.

The content from Google's cache is a screenshot-like copy of the original page. The content from Archive.org is organized more like a library catalogue of the site's past versions.

[2 screenshots on Imgur]

6. Find the Google Hacking Database at hackersforcharity.org/ghdb/. Summarize what it has and select 3 strings to search. Screen dump and explain what you got.

Some entries search for a particular pattern in the URL (the inurl keyword), and others for specific vulnerable versions of frameworks or packages.

  • gotoURL.asp
  • Gallery v1.4.4
  • DCP Portal v5.5

The GHDB site: [4 screenshots on Imgur]

7. Select a web site. Start from whois.iana.org to find its registry, registrar, and registrant. Also select an IP address. Start from arin.net to find who owns the IP address. Show your screen dump and explain.

The information from iana.org is not complete, so I used domaintools instead.

  • Registrar: New Dream Network, LLC dba DreamHost Web Hosting (R173-LROR)
  • Registry: Public Interest Registry (PIR)
  • Registrant Name: Private Registrant

[4 screenshots on Imgur]

8. Select a domain name. Use nslookup to dump its DNS records. Show your screen dump and explain.

The site's record is in my local cache.

[screenshot on Imgur]

9. Select a domain name. Use traceroute or similar tools to find the access path to that domain. Show your screen dump and explain.

The following is the route from my laptop to dmhy.

[screenshot on Imgur]

10. Follow the case study right before chapter 1. Select one target and run through all tools (Tor, Vidalia, Privoxy, tor-resolve, proxychains, Nmap, socat, nc). Screen dump the process and explain what you got in your screen.
