Danny Tech Security

As you seen all of my tutorial I uses Virtualization Technology as seen in the screen-shot below and I use rdesktop in order to connect to the Windows machine from a Linux box. The Windows machine has the following software installed anti-virus and vmware. As you see in the screen-shot below it looks like if I installed a dedicated Linux server onto the machine.

[ Preventing XSS attacks ]  In the video it illustrates three version of an XSS attack: high level, detailed with the script tag, and detailed with no script tag, and then recommends resources for further learning.  Cross-site scripting holes are web-application vulnerabilities which allow attackers to bypass client-side security mechanisms normally imposed on web content by modern browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access privileges to sensitive page-content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-Site Scripting (XSS) attacks occur when: Data enters a Web application through an untrusted source, most frequently a web request. The data is included in dynamic content that is sent to a web user without being validated for malicious code. The malicious content sent to the web browser often takes the form of a segment of JavaScrip

[ Hack This Site]  Is a free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker wargames site, it's a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. Tune in to the hacker underground and get involved with the project. This site has the following missions Basic missions Realistic missions Application missions Programming missions Extbasic missions Javascript missions Stego missions IRC missions http://www.hackthissite.org/ Pros a safe way to practice your knowledge Cons Must be online in order to use this Must create an user account.  -------------------------------------------------------------------------------------- [  OWASP ] The Open Web Application Security Project (OWASP) is a not-for-profit worldwide charitable organizati

Ever wanted to gather the user accounts in Linux well it's no problem if you know bash scripting. In the terminal or konsole type " awk 'BEGIN { FS=":" } { print "User Account: " $1 "\n" "Home Directory: "  $6 "\n" }' /etc/passwd " as seen below. Like what you see you can vist http://tldp.org/LDP/Bash-Beginners-Guide/html/Bash-Beginners-Guide.html . This site is great for user that want to learning about bash scripting.

Episode 11 - Stealing cookies with cross site scripting This video will show you how to steal users cookies by using a cookie stealer to exploit a XSS Cross site Scripting vulnerability. If you want to see more video visit http://www.iexploit.org/ and click on videos and yes there is still an IRC channel for people who want to chat old fashion. there no need to download any IRC software because the web site has one built-in IRC client.

Google search engine can be more than searching for information it has some built-in webmaster tools and I will using dannytechsecurity.blogspot.com & dtsenterprise.tech.officelive.com. On the search engine type " site:.dannytechsecurity.blogspot.com "like seen in the picture below. What this does it brings up pages of this site a.k.a the site domain. Now let's add some information the query, but instead we will switch to another site which I operate. Type " site:.dtsenterprise.tech.officelive.com filetype:pdf ". What this does it not just searches the site, but now I looking for something in particular like my PDF's. /** BONUS **/ From TechTV's " The Screen Savers " Woody Hughes, editor of the Maximum Linux magazine, drops by to show some really useful Linux commands every Linux newbie should know. <br>a If you want to see more of there vide

SANS: Information Security Policies: If your new in creating any kind of policies for your workplace then this site will help you. There is no cost for using these resources. They were compiled to help the people attending SANS training programs, but security of the Internet depends on vigilance by all participants, so we are making this resource available. Remember these are examples for you to compile. Audit Security Policy Computer Security Policy Desktop Security Policy Email Security Policy HIPAA Security Policy Internet Security Policy Mobile Security Policy Network Security Policy Physical Security Policy Security Policy Whitepapers Server Security Policy Wireless Security Policy What is Policy, a Standard or a Guideline? We frequently hear people use the names "policy", "standard", and "guideline" to refer to documents that fall within the policy infrastructure. So that those who participate in th

Last week I showed how to installed Nagios Server and now I will show you to install the client. Nagios may be only installed be on a Linux platform, but it does not mean that the admin cannot monitor windows machines. Nagios can monitor Windows, MAC OS X, Linux, Routers, Switches, and etc. In this tutorial I will show how to install the Nagios Client on a Windows machine. To read more about this download the PDF. Title: Nagios Client File Name: Nagios Client.pdf File Type: PDF File Size: 1.34 MB Download Now

What is Nagios? Imagine you have a company with 20+ workstations or servers and you need to monitor them. Nagios is a popular open source computer system and network monitoring software application. It watches hosts and services, alerting users when things go wrong and again when they get better. Overview Nagios is Open Source Software licensed under the GNU GPL V2. Monitoring of network services (SMTP, POP3, HTTP, NNTP, ICMP, SNMP, FTP, SSH) Monitoring of host resources (processor load, disk usage, system logs) on a majority of network operating systems, including Microsoft Windows with the NSClient++ plugin or Check_MK. Monitoring of anything else like probes (temperature, alarms...) which have the ability to send collected data via a network to specifically written plugins Monitoring via remotely-run scripts via Nagios Remote Plugin Executor Remote monitoring supported through SSH or SSL encrypted tunnels. Simple plugin design that allows users to easily develo

[ New DTS PDF Cover Page ] For past few weeks I been reviewing, learning coding, and trying out the new android tablet. I decided that instead of using the same logo cover page image I'm going to change it every season. Below is a cut up of the DTS cover page picture. The new PDF tutorials will begin May 3, 2011. Up coming tutorial for tomorrow .... How to install and configure Nagios.

This document is for people who want to learn to the how and why of password cracking. There is a lot of information being presented and you should READ IT ALL BEFORE you attempted doing anything documented here. I do my best to provide step by step instructions along with the reasons for doing it this way. Other times I will point to a particular website where you find the information. In those cases someone else has done what I attempting and did a good or great job and I did not want to steal their hard work. These instructions have several excerpts from a combination of posts from pureh@te, granger53, irongeek, PrairieFire, RaginRob, stasik, and Solar Designer. I would also like to thank each of them and others for the help they have provided me on the BackTrack forum. The PDF cover both getting the SAM from inside windows and from the BackTrack CD, DVD, or USB flash drive. The SAM is the Security Accounts Manager database where local usernames and passwords are stored. For legal

OWASP attempts to make videos of presentations made by there members and at there conferences concerning application security whenever possible. The slides for most of these presentations are available, linked to the conference agendas. In episode 2 it illustrates SQL Injection, discusses other injection attacks, covers basic fixes, and then recommends resources for further learning.  Here are a couple of links on how to secure your SQL server SQL Injection Prevention Cheat Sheet XSS (Cross Site Scripting) Prevention Cheat Sheet

In the Linux Distribution BackTrack 4 it has the Social Engineering Toolkit otherwise known as SET. The homepage for SET is http://www.secmaniac.com/ and there is more useful information there. I am particularly impressed by the new java applet function is SET which allow the tester to effectively test how a targeted attack may succeed. Currently SET has two main methods of attack, one is utilizing Metasploit payloads and Java-based attacks by setting up a malicious website (which you can clone whatever one you want) that ultimately delivers your payload. The second method is through file-format bugs and e-mail phishing. The second method supports your own open-mail relay, a customized sendmail open-relay, or Gmail integration to deliver your payloads through e-mail. To see this operation in action Click Here . If you want to install it on your own machine then there will be a tutorial on how to set this up on Saturday.

Let's say you have limited access at a work place and manager wants if a user has access for something that they requested and you don't have the proper access to check. Today I will show you how to check access on limited access. The way that this example is setup is by virtual environment from Windows 2003 Server to Windows XP. Tools Virtualbox (free edition) running in local environment rdesktop (free) vmware (trial) Windows Server 2003 Enterprise Edition (Student Version 180 days trial) running in a remote location The picture above is typical Windows Server login. It just shows that I am running server OS. Ok let's move on. We are going to check on a user on " DTSAdmin " At the command prompt type " net user DTSAdmin /domain " it will gather from the server a lot of good information as shown in the picture above. If you don't type the " /domain " syntax the computer is going to think that user name is at t

The Problem   As you notice when upgrading to Ubuntu 10.04, Ubuntu 10.10, or using the latest BackTrack4. There is an issue with the latest kernel build of 2.6.35-35 which does not allow setting a specific channel and also it will not allow to perform packet injection in the Aircrack-ng suite.  For a solution please read the PDF. Title: Fixed Channel -1 File Name: Fixed Channel -1.pdf File Type: PDF File Size: 1.6 MB Download Now

The new kernel 2.6.35-25 has issues when wireless cards are put into monitor mode. To check the current kernel version on your system use the " uname -r " command and that would display the current kernel. For example if you use airodump-ng it would say " fixed channel mon0: -1 " like seen in the screen-shot below.   This Saturday I will show step by step to solve the " fixed channel mon0: -1 ". Why is this a big issue, this affects other applications that require monitor mode such as Kismet which also means when a user want to do a packet injection the card can't provide that function. On the tutorial for this Friday I will show you how to patch this problem with a Atheros wireless card. The following Linux Distro's have 2.6.35-25 kernel Ubuntu 10.04 Ubuntu 10.10 Backtrack 4 R4 Any other Linux distro that is keep up to date. If your still using previous versions of Ubuntu or BackTrack then this does not affect you, but i