Monday, March 11, 2013

Back track 5R3

Hello Guys

From last couple of days I was using BT5R3 Linux as my host machine. And I found that its very fantastic OS for Pen test.

I m sharing some of latest tool which is used for pen test.
This has been a great experience for me.

BT5r3 was released on August 2012.
Some tools added into this OS is mobile penetration testing, GUI based wifi-tools, and some physical exploitation.

List of new tools introduced in BT5r3 :-

jigsaw, etc....

Lots of tools has been added into this new version.

I used many of this tools and discuss some out of them.

Fem-Wifi-cracker :- 

This tool is written in python which provides GUI interface for cracking wireless network. Generally, you need to run some command to do this like airplay-ng, airodump-ng, aircrack-ng for cracking wireless network. but this tool provide you GUI base environment to crack the wireless network.

Sunday, March 10, 2013

My Favorites

My Favorites 

Favorites Hero and Heroine :- 
My Parents. Love u mummy and Papa.

My favorite Songs :-

Favorites Serial :- 
-- Bade Acche Lagte hai....
-- Kya hua tera vada...
-- Devon k dev mahadev

Favourite Quate :-

-- "When you wait for someone for a few minutes, its you "NEED". for a few hours, its your "TRUST". For few weeks, its your "FRIENDSHIP" But when you wait ever though you know they won't come its "TRUE LOVE"

-- "Love has nothing to do with what you are expecting to get - only with what you are expecting to give - which is everything."

-- Jab sapne tut te hai tab Jindgi ki shuruaat hoti hai....
Strange but true....

-- "Every Problem in life has a gift inside...So don't get upset when you face problem.. It may have more beautiful ending than your expectation..." 

-- "Everyone says you only fall in love once, but that's not true because ever time i see you I fall in LOVE all over again.."

Script for Mid sem Review

Good morning sir and all

My self Bhadreshsinh Gohil Enrollment number is 111060751030.
I m going to present my thesis on Federated Network Security Administration Framework.
My guide is Dr. Sandeep K. Joshi, Rishi K. Pathak, Swarup sir from C-DAC, Pune.

I m stating my speech with Introduction of Web application.
Now a days Web applications are the heart of all business. We can see that most of the business in the world are depend on web. All the field in the world connected with some web application like hospital, government web site, all businesses, banks, education, Multi national corporation, ISP, Defenses.
So we can says that web application is the heart of all the field.

But due to increase of internet into this world. Now a days security is the major concerns for this all web sites which is public ally hosted.
Now I m going to show you last year web attack on web site.
Attacks in 2012.
I m going fast in this attacks because of time limit.
The first news is FB helps FBI shut down Butter fly botnet.

Next one is Yahoo mail haijacking explits. Next one......

So this all are the latest attack which was occurred in 2012.

For this reason hosting a web application into public zone it is very risky. To resolve this risk, It is good to develop one framework to remove all this vulnerability and than hosting this web application into public zone[DMZ zone].The proposed system is designed for finding vulnerability into web application using OWASP (Open Web Application Security Project).

This is my objective of thesis.

Now I m going to show you Literature survey of this thesis.

This all are my references.
And This is my acknowledgment to my guide for help me during this semester.

Thank you.
Any question ???

Thursday, March 7, 2013

report for DP 2


This section contain my report skelton and presentation for my Dissertation.

Exam related :-

Students should present :
 Concise Literature Review
 Justification for their topic
 Objective and Scope
 Previous Review comments
 Work Done; Results; conclusions if any
 PhD students: Work Plan; ME Students: Submission plan
 Presentation time per student : 15 min. & Question Answer time : 10 min

Title page :- 
Federated Network Security Administration Framework

Certificate :-

Industry Certificate :-

Declaration :-

Dedicated to :- My parents

Acknowledgments :-

Table of content :- 

Abstract :-

In today’s world, Internet is now ubiquitous. Internet-based services touch all aspects of our daily life in modern society. Since the Internet and World Wide Web enabled an information explosion, security issues of websites that publish the online information become more and more crucial.  So As per above motivation of hosting a website in Public IPs resulted in implementation of security devices and controls like firewalls, routers etc. 

To resolve this security issue, it is proposed to build a framework which contain vulnerability assessment of web application and after fixing all this vulnerability, this web service ready to host into public environment. This thesis presents the process of how to put web application into secure zone means put website into DMZ after fixing all vulnerability.The proposed system is designed for finding vulnerability into web application using OWASP (Open Web Application Security Project).

Introduction :-
-- Chapter overview
-- Defination and abbreviations
-- Research motivation
-- Overview of research model
-- Overview of research approach
-- Outline of thesis chapters

Chapter            Chapters                         Chapter Outline


Litrature survey :-

Analysis :-
-- OWASP Top 10 vulnerability for 2013

Project Planning :-
-- Project scheduling
Table :-
ID              Task                                                     Duration          Start                 End
1                 Preparing Problem statement                                       17 Sep 2012 |  22 Sep 2012
2                 Understanding general requirement                             24 Sep 2012 |  6 Oct 2012                                      
3                 Meeting with guide                                                      8 Oct 2012   |  13 Oct 2012                            
4                 Literature Review                                                        15 Oct 2012 |  1 Nov 2012                          
5                 Implementation                                                             5 Nov 2012 |  5 Feb 2013                              
6                 Testing                                                                          6 Feb  2013 |  30 March 2013                                
7                 Writing project report                                                    1 April 2013 | 25 April 2013                                          
8                 Preparing Presentation                                                   26 April 2013 | 10 May 2013                                        

-- Project Plan
-- Refining the Project
-- Controlling the project
-- Project Diary

Project management :-

Implementation strategy :-
-- Implemantation tools and Environement
-- Customization
-- Work flow
-- Testing

Methodology and Proposed system :-
-- Overview
-- Project Scheduling - Gantt chart [ First Draft]
-- Project Scheduling - Gantt chart [ Revised]
-- Project Scheduling - Gantt chart [ Showing task's progress]
-- Project Scheduling - Gantt chart [ with milestone]
-- Use Case Sample [ Diagram ]
-- Use Case Model [ Sample 1]
-- Testing process Activity diagram

-- Project Prioritization Template
-- Project Prioritization Sample
-- Project Scheduling - Bottom up - First attempt
-- Project scheduling - bottom up - continued
-- Chosing a method
-- Choosing a implementation tool
-- Test case sample

Exploit diagram :-

Conclusions :-

References :- 

Appendix A :- 

Appendix B :- :- Published paper in jounals.

Rough work :-

Steps for making Gantt chart :-
- understanding the problem area
- Litrature review
- Requirements managements
- Analysis 
- Design
- Implementation
- Test
- Project report
- Presentation

Scanning tools :-

Netsparker, SQLMap, Nikto, Burp suit, NMAP, NESSUS, Metasploit, OpenVAS, OSSIM, NTO objective,W3af[web application attack and audit framework], IBM app ratinal scan, Pantera, Wikto, Retina, Microsoft base analyzer, SAINT, hack alert, 

Abstract from IEEE :- 

This paper first investigates and analyzes security holes concerning the use of server-side includes (SSI) in some of the most used Web server software packages. We show that, by exploiting features of SSI, one could seriously compromise Web server security. For example, we demonstrate how users can gain access to information they are not supposed to see, and how attackers can crash a Web server computer by having an HTML file execute a simple program. Such attacks can be made with no trace left behind. We have successfully carried out all the attacks described in this paper on dummy servers we set up for this investigation. We then suggest several practical security measures to prevent a Web server from such attacks

Today's combat zone for both ethical and unethical hackers is the web. Rapid growth of web sites and web applications gives way to deliver complex business applications through the web. As the web dependency increases, so do the web hacking activities. Web applications are normally written in scripting languages like JavaScript, PHP embedded in HTML allowing connectivity to the databases, retrieving data and putting them in the WWW site. A web application is vulnerable to many kinds of threats and attacks. In order to detect known attacks, some set of attack rules and detections are needed. In this paper, a negative security model based on misuse of web applications is used. This negative security model provides a Web Application Firewall(WAF) engine with a rule set, to ensure critical protection across every web architecture. WAFs are deployed to establish an increased external security layer to detect and/or prevent attacks before they reach web applications. This paper has been tested with apache web server's log file. We have tested successfully almost all the common attacks. This paper also allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure.

Web servers are ubiquitous, remotely accessible, and often misconfigured. In addition, custom Web-based applications may introduce vulnerabilities that are overlooked even by the most security-conscious server administrators. Consequently, Web servers are a popular target for hackers. To mitigate the security exposure associated with Web servers, intrusion detection systems are deployed to analyze and screen incoming requests. The goal is to perform early detection of malicious activity and possibly prevent more serious damage to the protected site. Even though intrusion detection is critical for the security of Web servers, the intrusion detection systems available today only perform very simple analyses and are often vulnerable to simple evasion techniques. In addition, most systems do not provide sophisticated attack languages that allow a system administrator to specify custom, complex attack scenarios to be detected. We present WebSTAT, an intrusion detection system that analyzes Web requests looking for evidence of malicious behavior. The system is novel in several ways. First of all, it provides a sophisticated language to describe multistep attacks in terms of states and transitions. In addition, the modular nature of the system supports the integrated analysis of network traffic sent to the server host, operating system-level audit data produced by the server host, and the access logs produced by the Web server. By correlating different streams of events, it is possible to achieve more effective detection of Web-based attacks. :- references for web application security.

Digital forensics is the science of identifying, extracting, analyzing and presenting the digital evidence that has been stored in the digital devices. Various digital tools and techniques are being used to achieve this. Our paper explains forensic analysis steps in the storage media, hidden data analysis in the file system, network forensic methods and cyber crime data mining. This paper proposes a new tool which is the combination of digital forensic investigation and crime data mining. The proposed system is designed for finding motive, pattern of cyber attacks and counts of attacks types happened during a period. Hence the proposed tool enables the system administrators to minimize the system vulnerability."

Important website
******************************************************* :- :- :- :- :- :- :- :- :- :- :- :-  :- :- :- :- :- :- :- :- :- :- :- :- :- for books.  :-  :- :- :- for movies. :- :- :- :- :- For paper submision. :- paper submussion :- Blog for linux kernel. :- Magazines. :- For posting blogs. :- international journal for paper. :- OWASP video for learning. :- OWASP video. :- Pen test lab. :- latest tutorial used for practical purpose. :- :- IIT student web site. :- :- :- :- :- :- :-
This website is used for :-
Prime Number Hide-and-Seek: How the RSA Cipher Works
This is used for send fake e-mail to anyone from any e-mail ID :- :- this website is used for e-book searching. :- :- used for detecting web application firewall. :- The Information Systems Security Assessment Framework (ISSAF) :- :- learning video. :- for windows security.  :- For windows networking. :- for virtualization. :- Microsoft exchange server. :- For  security trainig. :- Security research group.,pen-tester-launches-infosec-bootcamp.aspx :- online university. :- learning for all hacking stuff. :- Bright talk for web seminar. :- OSSIM doc. :- for all doc. :- mAN VS WEB. :- used for showing live tv. :- for live tv. :- Training for hackers. :- view from one hacker. :- used for uni :- searching for jobs in security filed. :- Websol Education provides professional training for ASP.NET, VB.NET, C#.NET, SQL on live projects. :- SVIT,Vasad for paper publication in Master. :- :- :- :-