Saturday 29 November 2014

Logic Behind IP SPOOFING

The Internet Protocol, or IP, is the main protocol used to route information across the Internet. The role of IP is to provide best-effort services for the delivery of information to its destination. IP depends on upper-level TCP/IP suite layers to provide accountability and reliability. The heart of IP is the IP datagram, a packet sent over the Internet in a connectionless manner. An IP datagram carries enough information about the network to get forwarded to its destination; it consists of a header followed by bytes of data. The header contains information about the type of IP datagram, how long the datagram should stay on the network (or how many hops it should be forwarded to), special flags indicating any special purpose the datagram is supposed to serve, the destination and source addresses, and several other fields, as shown in Figure 1.

Figure 1: The IP Header
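To make the fields of Figure 1 concrete, here is an added example (not code from the article): a small Python parser that decodes a constructed 20-byte IPv4 header and verifies its checksum. The build_ipv4_header helper exists only to produce the sample bytes; the point the parser makes is that the checksum protects only header integrity, and nothing in these fields ties the source address to the host that actually sent the packet.

```python
import struct
import ipaddress

# Added example: decode the IPv4 header fields of Figure 1 from raw bytes.
# The sample header below is constructed for the demonstration; nothing is sent.

def ipv4_checksum(header: bytes) -> int:
    """Internet checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, ttl=64, proto=6, ident=0x1234, payload_len=0):
    """Assemble a minimal 20-byte header (no options) as constructed sample data."""
    ver_ihl = (4 << 4) | 5                  # version 4, IHL 5 words = 20 bytes
    flags_frag = 0x4000                     # DF set, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident,
                      flags_frag, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(hdr)               # computed with the checksum field zeroed
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:]


def parse_ipv4_header(raw: bytes) -> dict:
    """Decode the header fields and report whether the checksum verifies."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_len": ihl,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,
        # The source field is copied verbatim: the header carries no proof that the
        # sending host owns this address, which is what makes spoofing possible.
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        # Summing the whole header, checksum field included, gives 0 when it is intact.
        "checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
    }


if __name__ == "__main__":
    sample = build_ipv4_header("10.0.0.5", "192.0.2.1", ttl=64, proto=6, payload_len=20)
    print(parse_ipv4_header(sample))
```

Feeding the parser a header whose TTL byte has been altered shows the checksum failing, while a header with a forged source address verifies perfectly: the checksum is an integrity check against transmission errors, not an authenticity check.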

Layers above IP use the source address in an incoming packet to identify the sender. To communicate with the sender, the receiving station sends a reply by using the source address in the datagram. Because IP makes no effort to validate whether the source address in the packet generated by a node is actually the source address of the node, you can spoof the source address and the receiver will think the packet is coming from that spoofed address. Many programs for preparing spoofed IP datagrams are available for free on the Internet; for example, hping lets you prepare spoofed IP datagrams with just a one-line command, and you can send them to almost anybody in the world. You can spoof at various network layers; for example, you can use Address Resolution Protocol (ARP) spoofing to divert the traffic intended for one station to someone else. The Simple Mail Transfer Protocol (SMTP) is also a target for spoofing; because SMTP does not verify the sender's address, you can send any e-mail to anybody pretending to be someone else. This article focuses on the various types of attacks that involve IP spoofing on networks, and the techniques and approaches that experts in the field suggest to contend with this problem.

Spoofing IP datagrams is a well-known problem that has been addressed in various research papers. Most spoofing is done for illegitimate purposes—attackers usually want to hide their own identity and somehow damage the IP packet destination. This article discusses ways of spoofing IP datagrams, various attacks that involve spoofed IP packets, and techniques to detect spoofed packets and trace them back to their original source; spoofing concerns for IPv6 are briefly addressed.

Spoofing an IP Datagram

IP packets are used in applications that use the Internet as their communications medium. Usually they are generated automatically for the user, behind the scenes; the user just sees the information exchange in the application. These IP packets have the proper source and destination addresses for reliable exchange of data between two applications. The IP stack in the operating system takes care of the header for the IP datagram. However, you can override this function by inserting a custom header and informing the operating system that the packet does not need any headers. You can use raw sockets in UNIX-like systems to send spoofed IP datagrams, and you can use packet drivers such as WinPcap on Windows. Some socket programming knowledge is enough to write a program for generating crafted IP packets. You can insert any kind of header, so, for example, you can also create Transmission Control Protocol (TCP) headers. If you do not want to program or have no knowledge of programming, you can use tools such as hping, sendip, and others that are available for free on the Internet, with very detailed documentation to craft any kind of packet. Most of the time, you can send a spoofed address IP packet with just a one-line command.

Why Spoof the IP Source Address?

What is the advantage of sending a spoofed packet? It is that the sender has some kind of malicious intention and does not want to be identified. You can use the source address in the header of an IP datagram to trace the sender's location. Most systems keep logs of Internet activity, so if attackers want to hide their identity, they need to change the source address. The host receiving the spoofed packet responds to the spoofed address, so the attacker receives no reply back from the victim host. But if the spoofed address belongs to a host on the same subnet as the attacker, then the attacker can "sniff" the reply. You can use IP spoofing for several purposes; for some scenarios an attacker might want to inspect the response from the target victim (called "nonblind spoofing"), whereas in other cases the attacker might not care (blind spoofing). Following is a discussion about reasons to spoof an IP packet.

Scanning

An attacker generally wants to connect to a host to gather information about open ports, operating systems, or applications on the host. The replies from the victim host can help the attacker in gathering information about the system.

These replies might indicate open ports, the operating system, or several applications running on open ports. For example, a response for connection at port 80 indicates the host might be running a Web server. The hacker can then try to telnet to this port to see the banner and determine the Web server version and type, and then try to exploit any vulnerability associated with that Web server. In the scanning case, attackers want to examine the replies coming back from the host, so they need to see the returned packet. If the spoofed address is actually an address of a host on the attacker's subnet, then the attacker can use a sniffer to see the packets.

Sequence-Number Prediction

If you establish the connection between two hosts by using TCP, the packets exchanged between the two parties carry sequence numbers for data and acknowledgments. The protocol uses these numbers to determine out-of-order and lost packets, thus ensuring the reliable delivery to the application layer as promised by TCP. These numbers are generated pseudo-randomly in a manner known to both the parties. An attacker might send several spoofed packets to a victim to determine the algorithm generating the sequence numbers and then use that knowledge to intercept an existing session. Again it is important for the attacker to be able to see the replies.

Hijacking an Authorized Session

An attacker who can generate correct sequence numbers can send a reset message to one party in a session informing that party that the session has ended. After taking one of the parties offline, the attacker can use the IP address of that party to connect to the party still online and perform a malicious act on it. The attacker can thus use a trusted communication link to exploit any system vulnerability. Keep in mind that the party that is still online will send the replies back to the legitimate host, which can send a reset to it indicating the invalid session, but by that time the attacker might have already performed the intended actions. Such actions can range from sniffing a packet to presenting a shell from the online host to the attacker's machine.

Determining the State of a Firewall

A firewall is used to protect a network from Internet intruders. Packets entering a firewall are checked against an Access Control List (ACL). TCP packets sent by a source are acknowledged by acknowledgment packets. If a packet seems like an acknowledgement to a request or data from the local network, then a stateful firewall also checks whether a request for which this packet is carrying the acknowledgment was sent from the network. If there is no such request, the packet is dropped, but a stateless firewall lets packets enter the network if they seem to carry an acknowledgment for a packet. Most probably the intended receiver sends some kind of response back to the spoofed address. Again, for this process to work, the attacker should be able to see the traffic returning to the host that has the spoofed address—and the attacker generally knows how to use the returned packet to advantage.

Denial of Service

The connection setup phase in a TCP system consists of a three-way handshake . This handshake is done by using special bit combinations in the "flags" fields. If host A wants to establish a TCP connection with host B, it sends a packet with a SYN flag set. Host B replies with a packet that has SYN and ACK flags set in the TCP header. Host A sends back a packet with an ACK flag set, finishing the initial handshake. Then hosts A and B can communicate with each other, as shown in Figure 2.

Figure 2: A Normal TCP Connection Request from A to B

The three-way handshake must be completed in order to establish a connection. Connections that have been initiated but not finished are called half-open connections. A finite-size data structure is used to store the state of the half-open connections. An attacking host can send an initial SYN packet with a spoofed IP address, and then the victim sends the SYN-ACK packet and waits for a final ACK to complete the handshake. If the spoofed address does not belong to a host, then this connection stays in the half-open state indefinitely, thus occupying the data structure. If there are enough half-open connections to fill the state data structure, then the host cannot accept further requests, thus denying service to the legitimate connections (Figure 3).

Figure 3: Half-Open TCP Connection

Setting a time limit for half-open connections and then erasing them after the timeout can help with this problem, but the attacker may keep continuously sending the packets. The attacked host will not have space to accept new incoming legitimate connections, but connections that were established before the attack are unaffected. In this type of attack, the attacker has no interest in examining the responses from the victim. When the spoofed address does belong to a connected host, that host sends a reset to indicate the end of the handshake.
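The exhaustion of the finite half-open table, and the partial relief a timeout gives, can be modelled in a few lines. The following Python is an added example, not code from the article: it keeps a fixed-capacity table keyed by (source address, source port), ages entries out after a timeout, drops an entry when a spoofed-but-live host answers with a reset, and then simulates a burst of SYNs from constructed source addresses followed by one legitimate client. The capacity, timeout and address values are arbitrary sample values.

```python
from collections import OrderedDict

# Added example: a model of the server-side half-open (SYN received, SYN-ACK sent,
# ACK not yet seen) state table. Not a real TCP stack; all traffic is simulated.

class HalfOpenTable:
    def __init__(self, capacity: int, timeout: float):
        self.capacity = capacity
        self.timeout = timeout                 # seconds a half-open entry may live
        self.entries = OrderedDict()           # (src_ip, src_port) -> time SYN arrived
        self.dropped = 0                       # SYNs refused because the table was full

    def expire(self, now: float) -> int:
        """Erase half-open entries older than the timeout; return how many were freed."""
        stale = [k for k, t0 in self.entries.items() if now - t0 > self.timeout]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def on_syn(self, src_ip: str, src_port: int, now: float) -> bool:
        """SYN arrives: the server would send SYN-ACK and record the half-open state."""
        self.expire(now)
        key = (src_ip, src_port)
        if key in self.entries:
            return True                        # retransmitted SYN, already tracked
        if len(self.entries) >= self.capacity:
            self.dropped += 1                  # no room: legitimate or not, it is refused
            return False
        self.entries[key] = now
        return True

    def on_ack(self, src_ip: str, src_port: int) -> bool:
        """Final ACK completes the handshake; the entry leaves the half-open table."""
        return self.entries.pop((src_ip, src_port), None) is not None

    def on_rst(self, src_ip: str, src_port: int) -> bool:
        """A live host whose address was spoofed never sent the SYN and answers the
        SYN-ACK with RST, which frees the slot. An unused address never answers."""
        return self.entries.pop((src_ip, src_port), None) is not None


def simulate(capacity=128, timeout=3.0, attack_syns=200, timeout_enabled=True):
    """Burst of SYNs from addresses that will never ACK, then one legitimate client
    during the burst and again after the timeout has passed."""
    table = HalfOpenTable(capacity, timeout if timeout_enabled else float("inf"))
    for i in range(attack_syns):
        # Constructed attacker-chosen sources in the TEST-NET-2 documentation range.
        table.on_syn("198.51.100.%d" % (i % 250), 40000 + i, now=0.0)
    legit_during = table.on_syn("203.0.113.9", 51000, now=1.0)
    legit_after = table.on_syn("203.0.113.9", 51000, now=timeout + 1.0)
    return {"dropped": table.dropped,
            "legit_during": legit_during,
            "legit_after": legit_after}


if __name__ == "__main__":
    print("with timeout:   ", simulate())
    print("without timeout:", simulate(timeout_enabled=False))
```

With the timeout in place the legitimate client is refused during the burst but admitted once the stale entries age out; without it the table stays full for as long as the spoofed entries exist, which is exactly why a sustained stream of spoofed SYNs still denies service.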

Flooding

In this type of attack an attacker sends a packet with the source address of the victim to multiple hosts. Responses from other machines flood the victim. For example, if an attacker uses the IP address of source A and sends a broadcast message to all the hosts in the network, then all of them will send a reply back to A, hence flooding it. The well-known Smurf and fraggle attacks used this technique.

Countermeasures for IP Spoofing

IP spoofing countermeasures include detecting spoofed IP packets and then tracing them back to the originating source. Detection of spoofed IP packets requires support of routers, host-based methods, and administrative controls, whereas tracing of IP packets involves special traceback equipment or traceback features in routers. The following section discusses both IP spoofing detection and IP spoofing traceback techniques.

Spoofed Packet Detection

Detection of a spoofed packet can start as early as at Layer 2. Switches with the IP Source Guard feature[8] match the MAC address of the host with a Dynamic Host Configuration Protocol (DHCP)-assigned dynamic or administratively assigned static IP address. Packets that do not have the correct IP source address for that particular MAC address are dropped, thereby limiting the ability of hosts connected to such a switch to send a packet with their neighbor's address. The IP Source Guard feature works very well for interfaces with a single IP address, but one interface can be assigned multiple IP addresses, and that may cause problems. The same problems can occur with Network Address Translation (NAT), where hosts might get different IP addresses several times. Routers work at Layer 3 in networks, and they know which interface a network is connected to and what network addresses can be expected to come from that network. If the outgoing packet from an interface does not have the network address of that interface, then the packet is spoofed and the router can stop that packet at that point; however, if the attacker is spoofing an IP address of a host on the same network (most likely in the attacks where they will be sniffing the replies), then this technique is not really helpful. The same logic can be used for an incoming packet; if a packet destined for an interface has a source address of the same network as the interface, then it is a spoofed packet. Routers can detect spoofed packets only when the packets pass through them, and if the target and attacker are both on the same subnet then this technique does not work.
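The router-side check in the paragraph above (and the idea later in the article of logging packets that do not fit an interface's address range) can be expressed as a simple ingress/egress rule. The following Python is an added example, not the article's code, with constructed interface prefixes and constructed log lines. The last sample line shows the limitation the article notes: a source address spoofed within the same subnet as the ingress interface passes this check.

```python
import ipaddress

# Added example: per-interface source-address validation on a router.
# Interface names and prefixes are constructed for the demonstration.
INTERFACES = {
    "lan0": [ipaddress.ip_network("192.0.2.0/24")],
    "lan1": [ipaddress.ip_network("198.51.100.0/25")],
    "wan0": [ipaddress.ip_network("0.0.0.0/0")],    # upstream: anything else
}


def belongs_to(addr, prefixes) -> bool:
    return any(addr in p for p in prefixes)


def internal_prefixes():
    """Every prefix that lives behind a non-upstream interface."""
    return [p for name, ps in INTERFACES.items() if name != "wan0" for p in ps]


def check_packet(ingress_if: str, src: str) -> str:
    """Classify a packet by the interface it arrived on and its claimed source.
    'ok'              source fits what that interface is expected to deliver
    'spoofed-egress'  an inside interface delivered a packet with a foreign source
    'spoofed-ingress' the upstream delivered a packet claiming one of our own addresses
    """
    addr = ipaddress.ip_address(src)
    if ingress_if == "wan0":
        return "spoofed-ingress" if belongs_to(addr, internal_prefixes()) else "ok"
    if not belongs_to(addr, INTERFACES[ingress_if]):
        return "spoofed-egress"
    return "ok"


def audit(lines):
    """Run the check over constructed log lines of the form '<iface> <src> <dst>'
    and return (iface, src, verdict) for each, so suspicious ones can be logged."""
    verdicts = []
    for line in lines:
        iface, src, _dst = line.split()
        verdicts.append((iface, src, check_packet(iface, src)))
    return verdicts


# Constructed sample traffic, one packet per line.
SAMPLE = [
    "lan0 192.0.2.10 203.0.113.5",       # inside host talking out: fine
    "lan0 10.9.8.7 203.0.113.5",         # inside host forging an outside source
    "wan0 198.51.100.20 192.0.2.10",     # outside packet claiming our lan1 range
    "wan0 203.0.113.5 192.0.2.10",       # ordinary inbound traffic
    "lan0 192.0.2.200 192.0.2.10",       # forged source on the SAME subnet: not caught
]

if __name__ == "__main__":
    for iface, src, verdict in audit(SAMPLE):
        print("%-5s %-16s %s" % (iface, src, verdict))
```

Everything that is not "ok" is a candidate for the suspicious-packet log described under tracing; the fifth line is the same-subnet case that only a Layer 2 control such as IP Source Guard can catch.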

Hosts receiving a suspicious packet can also use certain techniques to determine whether or not the IP address is spoofed. The first (and easiest) one is to send a request to the address of the packet and wait for the response; most of the time the spoofed addresses do not belong to active hosts and hence no response is sent.

Another method is to check the Time to Live (TTL) value of the packet, and then send a request to the spoofed host. If the reply comes, you can compare the TTL of both packets. Most probably the TTL values will not match. But of course it is also possible that these TTL values are the same but the packet is coming from a different source, and conversely. Packets generated by different operating systems differ slightly in values of certain fields; for example, in Internet Control Message Protocol (ICMP) ping packets, you can examine the data payload to determine the operating system. Windows fills the packet with letters of the alphabet, whereas Linux puts numbers in the data portion. If the suspicious packet does not have the same characteristics as the legitimate packet, that is evidence it was not sent from the IP address that is in its source address field. You can also use IP identification numbers to determine whether a packet is actually coming from the said source. For legitimate packets the IP ID is close in value, but this method is not reliable because the attacker can ping the said source and determine the IP ID that it is using, and then craft packets that will seem legitimate. In all these techniques we are trying to determine only whether or not a packet is spoofed, and taking all these steps for all packets would be prohibitive from an overhead standpoint. Thus you should either randomly check packets or determine some suspicious activity that would trigger further investigation for spoofed-packet detection. The next section addresses measures you can take to trace a spoofed packet back to its real source.
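The host-based hints in the paragraph above (TTL, payload style and IP identification) each give weak evidence on their own; the following Python is an added example, not code from the article, that combines them over constructed observations. Nothing here sends a probe: the "probe reply" values are assumed inputs, the initial-TTL guesses 64/128/255 are the common operating-system defaults, and the tolerances are arbitrary choices for the demonstration. The payload rule follows the article's description (letters for Windows, a numeric run for Linux).

```python
# Added example: combine TTL hop-distance, ICMP payload style and IP ID proximity
# into one verdict. All inputs are constructed observations; no packets are sent.
INITIAL_TTLS = (64, 128, 255)        # common OS defaults, assumed


def hop_count(ttl: int) -> int:
    """Estimate hops travelled as the distance below the nearest plausible initial TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError("TTL out of range")


def ttl_consistent(suspect_ttl: int, probe_reply_ttl: int, tolerance: int = 2) -> bool:
    """A packet truly from the claimed source should have travelled about as many
    hops as the reply we solicited from that source; routes can differ a little."""
    return abs(hop_count(suspect_ttl) - hop_count(probe_reply_ttl)) <= tolerance


def icmp_payload_style(payload: bytes) -> str:
    """Rule of thumb from the article: letters suggest a Windows ping, an
    incrementing numeric run suggests Linux. Anything else is 'unknown'."""
    if not payload:
        return "unknown"
    if payload.startswith(b"abcdefgh") and all(97 <= b <= 122 for b in payload):
        return "letters"
    if len(payload) > 1 and all(payload[i + 1] == (payload[i] + 1) & 0xFF
                                for i in range(len(payload) - 1)):
        return "incrementing"
    return "unknown"


def ip_id_close(a: int, b: int, window: int = 512) -> bool:
    """IP IDs from one host are usually near each other; 16-bit wraparound aware.
    Weak evidence, as the article notes, since an attacker can observe the real ID."""
    d = abs(a - b) % 65536
    return min(d, 65536 - d) <= window


def assess(suspect: dict, probe_reply: dict):
    """Return ('consistent', []) or ('suspicious', reasons) for a suspect packet
    compared with a reply solicited from the address it claims as its source."""
    reasons = []
    if not ttl_consistent(suspect["ttl"], probe_reply["ttl"]):
        reasons.append("hop distance differs")
    if icmp_payload_style(suspect["payload"]) != icmp_payload_style(probe_reply["payload"]):
        reasons.append("payload style differs")
    if not ip_id_close(suspect["ip_id"], probe_reply["ip_id"]):
        reasons.append("IP ID far apart")
    return ("suspicious", reasons) if reasons else ("consistent", [])


# Constructed observations. The suspect packet's TTL happens to fit the claimed
# source's hop distance, so the TTL check alone would pass; the other hints do not.
SUSPECT = {"ttl": 118, "payload": b"abcdefghijklmnopqrstuvwabcdefghi", "ip_id": 30001}
PROBE_REPLY = {"ttl": 53, "payload": bytes(range(0x10, 0x38)), "ip_id": 4123}

if __name__ == "__main__":
    print(assess(SUSPECT, PROBE_REPLY))
```

The sample is chosen so that the TTL test alone would accept the packet (10 hops versus 11), which is the article's point that any single field can match by coincidence; combining independent hints, and applying them only to traffic that already looks suspicious, keeps both the false-positive rate and the overhead tolerable.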

Tracing Spoofed IP Packets

IP traceback technology plays an important role in discovering the source of spoofed packets. Hop-by-hop traceback and logging of suspicious packets in routers are the two main methods for tracing the spoofed IP packets back to their source.

When a node detects that it is the victim of a flood attack, it can inform the Internet Service Provider (ISP). In flood attacks the ISP can determine the router that is sending this stream to the victim, then the router before it, and so on. It reaches either the source of the flood attack or the end of its administrative domain; in the latter case it can ask the ISP for the next domain to do the same thing. This technique is useful only while the flood is ongoing.

As mentioned earlier, a router has an idea of the IP addresses that should be arriving at its interfaces. If it sees any packet that does not seem to belong to the address range for its interface, it can log the packet as suspicious. Appropriately timed broadcasts among different domains to detect spoofed packets can help administrators of different networks trace spoofed IP packets back to their source.

IP Spoofing and IPv6

IP spoofing detection, or in other words validating the source address of an IPv6 packet, is a little more complicated than the process for IPv4. A host using IPv6 may potentially have multiple addresses. Again the problem inside the Local Area Network is to associate the IPv6 address with the Layer 2 or MAC address. Among peers on the same network, you can use Neighbor Discovery or Secure Neighbor Discovery (SEND) advertisements to verify the source address in a packet. You can verify source addresses of packets arriving from nodes outside the network by using the Authentication Header (AH) in IPv6 datagrams. You can use agreed-upon parameters between source and destination to calculate authentication information over the header fields that do not change during transit. Although this process will not prevent someone from signing a spoofed address, it does provide a means to authenticate the identity of the source.

IPv6 and IPv4 network interconnections will likely face spoofing problems. IPv6 packets are usually encapsulated in IPv4 packets to travel across networks that do not support IPv6. The IPv6 interim mechanism "6to4" [10, 11] uses automatic IPv6-to-IPv4 tunneling to interconnect networks using different IP versions. This mechanism uses 6to4 routers and 6to4 Relay Routers that accept and decapsulate IPv4 traffic from anywhere. There are no constraints on such embedded packets. Relay routers act as bridges between IPv6 and 6to4 networks and can be tricked into sending spoofed traffic anywhere. Also, anyone can send tunneled spoofed traffic to a 6to4 router, and the router will believe that it is coming from a legitimate relay. There is no simple way to prevent such attacks, and longer-term solutions are needed in both IPv6 and IPv4 networks.
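A 6to4 address embeds the site's IPv4 address (2002:WWXX:YYZZ::/48), so a decapsulating router can at least compare that embedded address with the outer IPv4 source. The following Python is an added example, not the article's code, of such a consistency check over constructed packets: an inner 6to4 source whose embedded IPv4 address differs from the outer source is dropped, and a native (non-6to4) inner source is accepted only from an assumed list of known relays. It catches the simplest forgery the article describes but, as the article says, not traffic that a legitimate relay has already forwarded with a forged native source.

```python
import ipaddress

# Added example: consistency check on an IPv6-in-IPv4 packet arriving at a 6to4
# router. Addresses below are constructed from documentation ranges.
SIXTOFOUR = ipaddress.ip_network("2002::/16")


def embedded_ipv4(v6: ipaddress.IPv6Address):
    """IPv4 address carried in bits 16..47 of a 6to4 address, or None if not 6to4."""
    if v6 not in SIXTOFOUR:
        return None
    return ipaddress.IPv4Address(v6.packed[2:6])


def check_decapsulated(outer_src_v4: str, inner_src_v6: str, trusted_relays=()) -> str:
    """Decide whether a decapsulated packet is plausible.
    outer_src_v4   source of the IPv4 packet that carried the tunnel
    inner_src_v6   source of the IPv6 packet found inside it
    trusted_relays IPv4 addresses of relay routers this site chooses to trust (assumed)
    """
    outer = ipaddress.IPv4Address(outer_src_v4)
    inner = ipaddress.IPv6Address(inner_src_v6)
    emb = embedded_ipv4(inner)
    if emb is not None:
        # Claims to come from another 6to4 site: the IPv4 packet must have been sent
        # by the very address the IPv6 source embeds.
        if emb == outer:
            return "accept"
        return "drop: embedded IPv4 %s != outer source %s" % (emb, outer)
    # Native IPv6 source: it can only have reached us through a relay router, so the
    # outer source must be a relay we know. Anything else is "anyone, from anywhere".
    if outer in {ipaddress.IPv4Address(r) for r in trusted_relays}:
        return "accept"
    return "drop: native IPv6 source via unknown relay %s" % outer


if __name__ == "__main__":
    relays = ("198.51.100.1",)
    print(check_decapsulated("192.0.2.1", "2002:c000:201::1"))                  # accept
    print(check_decapsulated("203.0.113.7", "2002:c000:201::1"))                # drop
    print(check_decapsulated("198.51.100.1", "2001:db8::1", relays))            # accept
    print(check_decapsulated("203.0.113.7", "2001:db8::1", relays))             # drop
```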

Thursday 27 November 2014

Cloud storage security solutions

Cloud storage services such as Dropbox, Google Drive, and SugarSync are convenient, efficient—and notoriously insecure. Files are rarely encrypted, data transfer is typically not protected, and companies are usually able to access your files (even if they state they won't, they may be legally compelled to do so).

Documents such as business plans or other sensitive files (say, a copy of your birth certificate) should be protected. You can utilize a special, ultra-secure provider such as Wuala or Tresorit, or you can encrypt files yourself before uploading them to larger storage services, such as Dropbox.

Wuala

Price: 5GB Free; Plans starting from 20GB for $4/month

Platforms: Windows, Linux, iOS, Android

IMAGE: SARAH JACOBSSON PUREWAL

Wuala's service encrypts your files locally before sending them to the cloud.

Wuala is a secure cloud storage service offered by storage company LaCie. This service differs from mainstream cloud storage providers in two ways:

Client-side encryption of files: All of your files are encrypted locally on your device before being sent to the cloud, which ensures that even on a non-encrypted transfer, no readable data would leak out. This process is more secure than a secure transfer, mainly because it means that nobody except you ever has access to your data.


Don't lose your Wuala password, because that's the only way to get to your files.

Zero-knowledge password policy: Only you know your password, and therefore only you can access your account. Wuala's employees cannot see your password, nor can they see your data except in raw form (how many files you have and how much storage space they take up). So even if the government came knocking on Wuala's door and asked them to turn over your files, they simply wouldn't be able to do so. Nor will you be able to get to your stuff if you forget your password, so keep it carefully.

Security aside, Wuala operates like the cloud storage services you're used to. Simply download Wuala's application and the service will install a special sync folder to your device, where you can drag and drop files to store both locally and in the cloud. Wuala also offers backup and versioning, which means you'll be able to access previous versions of files or restore files should you accidentally delete them. Like other cloud storage providers, Wuala offers 5GB of storage for free. Pricing plans start at 20GB for $4 per month.

Tresorit

Price: 5GB Free; Plans starting from 100GB for $7/month

Platforms: Windows, Mac OS X, iOS, Android

Tresorit is a cloud storage provider that claims to offer "a truly secure cloud storage service." Security features include client-side encryption, secure data transfer, and secure data centers that are equipped with physical security measures against intrusion as well as uninterruptible power and backup systems.


Tresorit lets you secure any folder on your device, not just special ones the service creates.

Like Wuala, Tresorit encrypts your data on your local machine to help ensure that your files are protected at all times. It, too, practices a zero-knowledge password policy, which means that nobody in the company can ever access your password or decryption keys. Of course, the drawback of such a policy is that if you forget your password, you're basically out of luck (you'll have to create a new account, and you'll lose all of your data in the cloud).

Tresorit's main difference from Wuala, and other mainstream cloud storage services, is the ability to turn any folder on your device into a secure "tresor." What this means is that you do not have to drag and drop files into a special sync folder. Instead, you can simply right-click on an existing folder and "tresor it." This is especially convenient if you're digitally organized and you'd prefer not to rearrange your files into one sync-able folder.

Tresorit offers 5GB of space for free. An additional 100GB will cost you 5 euros, or just under $7, per month.

McAfee Personal Locker

Price: 1GB free with a subscription to McAfee LiveSafe

Platforms: Windows 8, iOS, Android

McAfee's Personal Locker is a cloud storage vault that you manage via your smartphone or Windows 8 device. It can store up to 1GB of data, which you can access from anywhere—but only after you've jumped through a series of security hoops.


McAfee Personal Locker uses face and voice recognition along with a PIN to secure data.

The app requires voice recognition, biometric data (facial recognition), and a PIN to verify your identity before giving you access to your files. Every. Single. Time. You can choose to set certain files as low priority (you'll only have to enter a PIN to access them), but where's the fun in that?

While definitely not the sort of service you want to use for everyday cloud storage, Personal Locker would work well for sensitive documents that you may need to access from anywhere, such as legal documents, medical records, or copies of your passport or birth certificate. Personal Locker is free with a subscription to McAfee LiveSafe, which costs $80 per year.

Tuesday 25 November 2014

Unauthorised access to HTTP and HTTPS traffic

Unauthorized HTTP and HTTPS Traffic Blocked on Port

ContentProtect Security Appliance can block proxy servers from redirecting unauthorized HTTP and HTTPS traffic to non standard ports, which is generally an attempt to bypass filtering on the appliance. This is especially helpful when organizations experience users running Filter Avoidance Programs to bypass the filtering system of ContentProtect Security Appliance, just so they can access more web site locations without being detected.

Standard Ports

The following are standard ports used by ContentProtect Security Appliance when Anonymous Proxy Guard is enabled. Any HTTP and HTTPS traffic redirected to any other ports not listed below are considered non standard ports and will be blocked.

Port 80 - HTTP
Port 8080 - Proxy Servers
Port 443 - HTTPS

How Anonymous Proxy Guard Works

If ContentProtect Security Appliance recognizes HTTP traffic trying to use port 5000, it treats the traffic as unauthorized: someone has sent a web request to a non standard port, bypassing the filter. ContentProtect Security Appliance blocks the traffic and sends a Blocked Website message back to the user. The user message also includes the port that the traffic was attempting to access. By default, Anonymous Proxy Guard only uses the standard ports for HTTP and HTTPS traffic. It is possible that a user could send a valid web request over a non standard port. In this case, you must add an exception to the Traffic Flow Rule Set to send the web request through the web filter so that future web requests reach the host destination successfully.

Note: Even though the message says unauthorized HTTP traffic was blocked, HTTPS traffic could also have been blocked.
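The decision Anonymous Proxy Guard makes can be written down as a small classifier: recognise web traffic by its payload rather than its port, then allow it only on the standard ports or on ports covered by a custom signature. The following Python is an added example and not the appliance's own code; the HTTP-method and TLS-ClientHello detection, the exception set and the sample flows are all constructed for the demonstration, and the block message is modelled on the text above.

```python
from typing import Optional, Tuple

# Added example: a model of the Anonymous Proxy Guard decision. Constructed values;
# the real appliance's detection logic is not published on this page.
STANDARD_PORTS = {80: "HTTP", 8080: "Proxy Servers", 443: "HTTPS"}
# Ports covered by a custom signature: web traffic is allowed here but still
# routed through the Web Filter (assumed example value).
CUSTOM_SIGNATURE_PORTS = {8443}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def looks_like_web_traffic(payload: bytes) -> Optional[str]:
    """'HTTP' for a request line, 'HTTPS' for a TLS ClientHello record, else None.
    Detection is by content, so moving the traffic to another port does not hide it."""
    if payload.startswith(HTTP_METHODS):
        return "HTTP"
    # TLS record: type 0x16 (handshake), major version 0x03, handshake type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "HTTPS"
    return None


def proxy_guard_decision(dst_port: int, payload: bytes) -> Tuple[str, Optional[str]]:
    """('pass', None)      not web traffic, other rules decide
       ('filter', kind)    web traffic on an allowed port, sent through the Web Filter
       ('block', message)  web traffic on a non standard port, user sees the message"""
    kind = looks_like_web_traffic(payload)
    if kind is None:
        return ("pass", None)
    if dst_port in STANDARD_PORTS or dst_port in CUSTOM_SIGNATURE_PORTS:
        return ("filter", kind)
    # Modelled on the page: the message names the port, and says "HTTP" even when
    # the blocked flow was HTTPS.
    return ("block", "Blocked Website: unauthorized HTTP traffic blocked on port %d" % dst_port)


def classify_flows(flows):
    """Apply the decision to (dst_port, payload) pairs and return the actions."""
    return [(port, proxy_guard_decision(port, payload)[0]) for port, payload in flows]


# Constructed sample flows.
HTTP_REQ = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]) + b"\x00" * 47
OTHER = b"\x00\x01\x02\x03"
SAMPLE_FLOWS = [(80, HTTP_REQ), (5000, HTTP_REQ), (443, TLS_HELLO),
                (6666, TLS_HELLO), (8443, HTTP_REQ), (5000, OTHER)]

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(port, proxy_guard_decision(port, payload))
```

The port 8443 flow is the case the next sections cover: a legitimate site on a non standard port is admitted only because a custom signature sends it through the Web Filter first.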

The following graphic shows that the URL address is attempting to send HTTP information through port 6666. Some URL addresses have the port redirection embedded in the URL and may not appear in the addresses.

Filter Avoidance Programs

There are several programs available on the market that allow users to bypass the filtering rules on ContentProtect Security Appliance by sending HTTP and HTTPS traffic through a proxy server. Some programs may even send HTTP and HTTPS traffic encrypted, which makes it much more difficult to determine what type of traffic is trying to access the non standard ports. Some requests could be valid, but most are not. In any case, you want to create a signature that forces web requests to the standard ports and through the Web Filtering system on ContentProtect Security Appliance.

Example: If a student in Palo Alto, West Coast school district uses the program Ultrasurf to bypass filtering by sending web requests over non standard ports, then you can resolve the filtering avoidance issue by blocking all ports except the standard ports, 80, 8080, and 443.

Creating a Custom Signature for HTTP and HTTPS Traffic

When Anonymous Proxy Guard is enabled, a user may be blocked from accessing a valid site because the site is redirecting its traffic over a non-standard HTTP, HTTPS, or Proxy server port.

Allowing web requests over non-standard ports when Anonymous Proxy Guard is enabled requires creating a custom signature so that the HTTP and HTTPS traffic goes through the Web Filter before going to the non standard port.

To create a custom signature for HTTP and HTTPS traffic

1. From ContentProtect Security Appliance, select Manage > Policies & Rules > Policy Manager.

2. Click a Group on the Policy Manager page to find out what Internet Usage Rule has been assigned.

3. From ContentProtect Security Appliance, select Manage > Policies & Rules > Internet Usage Rules.

4. Click on the Internet Usage Rule assigned to the Group that you want to change.

5. Write down the name of the Traffic Flow Rule Set (TFRS) used for the Internet Usage Rule.

Anonymous Proxy Guard is only enabled when using a TFRS that contains the name Anonymous Proxy Guard.

6. From ContentProtect Security Appliance, select Manage > Applications > Applications.

7. Click Create.

8. Enter a Name for the new application, which also appears in the application reports.

9. Enter a Description for the new application.

10. Select HTTP as the Application Set from the drop-down list.

11. Select Source and Destination Port as the Type from the drop-down list.

12. Enter the port number for the Value.

13. Select TCP as the Protocol from the drop-down list.

14. Select Web Filter as the Target from the drop-down list.

15. Click Save.

Sunday 23 November 2014

Installing software on Linux from Windows using Cygwin

If you use an SSH client to connect to a Linux server from your Windows laptop, it is sometimes necessary to launch a UI application on the remote Linux server but display the UI on the Windows laptop. Following are two typical reasons to do this:

Install software on Linux from Windows: To launch a UI-based installer to install software on a remote Linux server from a Windows laptop. For example, a DBA might want to install Oracle on a Linux server where only an SSH connection to the remote server is available and not the console.

Launch Linux X client software on Windows: To launch X client software (for example, xclock) located on your remote Linux server and display it on the Windows laptop.

Cygwin can be used to perform the above activities. The following 15 steps explain how to install Cygwin and launch software installers on Linux from Windows. Go to the Cygwin site and download setup.exe. Launch setup.exe on Windows and follow the steps below.

1. Welcome Screen. Click next on the Cygwin installation welcome screen.

2. Choose a download source. Select the 'Install from internet' option

3. Choose Installation directory. I selected C:\cygwin as shown below. This is the location where the Cygwin software will be installed on the Windows.

4. Select Local Package Install directory. This is the directory where the installation files will be downloaded and stored.

5. Select Connection Type. If you are connected to internet via proxy, enter the information. If not, select 'Direct Connection'.

6. Choose a download site. You can either choose a download site that is closer to you or leave the default selection.

7. Download Progress. This screen will display the progress of the download.

8. Select Packages to install. I recommend that you leave the default selection here.

9. Installation Progress. This screen will display the progress of the installation.

10. Installation Completion.

11. Start the Cygwin Bash Shell on Windows. Click the Cygwin icon on the desktop, or click Start -> All Programs -> Cygwin -> Cygwin Bash Shell, which displays the Cygwin Bash Shell window.

12. Start the X Server on Windows. From the Cygwin Bash Shell, type startx to start the X Server as shown below. Once the X Server is started, leave this window open and do not close it.

13. Xterm window: startx from the above step will open a new xterm window automatically as shown below.

14. SSH to the remote Linux host from the Xterm window as shown below. Note that you should pass the -Y parameter to ssh; -Y enables trusted X11 forwarding. Trusted forwarding lets clients on the remote host use the local X display without the restrictions that plain -X (untrusted forwarding) applies, so use it only with remote hosts you trust.

jsmith@windows-laptop ~
$ ssh -Y -l jsmith remote-host          <This is from the xterm on windows laptop>
jsmith@remotehost's password:
Warning: No xauth data; using fake authentication data for X11 forwarding.
Last login: Thu Jun 12 22:36:04 2008 from 192.168.1.102
/usr/bin/xauth:  creating new authority file /home/jsmith/.Xauthority
[remote-host]$ xclock &                 <Note that you are starting xclock on remote linux server>
[1] 12593
[remote-host]$

15. xclock on windows laptop. From the Linux host, launch the xclock software as shown above, which will display the xclock on the windows laptop as shown below.

Use the same method explained above to launch any software installer on Linux (for e.g. Oracle database installer) and get it displayed on the Windows laptop.

FTP using Filezilla

Welcome to the FileZilla Client tutorial. In this tutorial, you will learn how to

Connect to an FTP server,
Download and upload files,
Use the site manager.

If you already know how to use an FTP client, you may want to read the more advanced usage instructions instead.

We assume that you already installed and started FileZilla Client (installation instructions).

Connecting to a server

The first thing to do is connecting to a server.

This is our (fictional) login data - please use your own data instead if you want to actively follow the tutorial.

Hostname: example.org Username: john Password: 7PjU#.J3

We will use the quickconnect bar for establishing the connection:

Enter the hostname into the quickconnect bar's Host: field, the username into the Username: field, and the password into the Password: field. You may leave the Port: field empty unless your login information specifies a certain port to use. Now click on Quickconnect.

Note: If your login information specifies a protocol like SFTP or FTPS, enter the hostname as follows:sftp://hostname or ftps://hostnamerespectively.

FileZilla will now try to connect to the server. If all goes well, the right "column" switches from "Not connected to any server" to a listing of files and directories.

Navigating and window layout

Legend: 1. Toolbar, 2. Quick connect bar, 3. Message log, 4. Local pane, 5. Remote pane, 6. Transfer queue

The next step is to get familiar with FileZilla's window layout.

Here is a quick introduction: Below the toolbar (1) and quick connect bar (2), the message log (3) displays transfer and connection related messages. Below, you can find the file listings. The left column (local pane, 4) displays the local files and directories, i.e. the stuff on the PC you're using FileZilla on. The right column (server pane, 5) displays the files and directories on the server you are connected to. Both columns have a directory tree at the top and a detailed listing of the currently selected directory's contents at the bottom. You can easily navigate either of the trees and lists by clicking around like in any other file manager. At the bottom of the window, the transfer queue (6) lists the to-be-transferred and already transferred files.

Transferring files

Now we will upload these files (or the ones you choose, respectively):

website/
+- index.html
+- images/
   +- image01.jpg
   +- image02.jpg

Uploading

First, in the local pane, bring the directory that contains the data to be uploaded (e.g. index.html and images/) into view. Now navigate to the desired target directory on the server using the server pane's file listings. To upload the data, select the files/directories and drag them from the local to the remote pane. You will notice that the files are added to the transfer queue at the bottom of the window and soon removed again, since they were (hopefully, if nothing went wrong) just uploaded to the server. The uploaded files and directories should now appear in the server content listing on the right side of the window.

Local and remote file listings after uploading the example files

Note: If you don't like using drag-and-drop, you can also right click on files/directories (in the lower local pane) and select Upload to upload them - or simply double-click a file entry (this does not work for directories).

Note (advanced): If you enable filtering and upload a complete directory, only the not-filtered-out files and directories inside this directory will be transferred.

Downloading

Downloading files, or complete directories, works essentially the same way as uploading - you just drag the files/directories from the remote pane to the local pane this time, instead of the other way round.

Note: In case you (accidentally) try to overwrite a file during upload or download, FileZilla will by default display a dialog asking what to do (overwrite, rename, skip...).

Using the site manager

Now that you are confident in transferring files (if not, practice a little bit), you might want to add the server information to the site manager to make it easy to reconnect to this server. To do this, select Copy current connection to Site Manager... in the File menu. The site manager will be opened and a new entry will be created with all the important information already filled in. You will notice that the entry's name is selected and highlighted - you can enter some descriptive name so you will later on find your server again (enter something like domain.com FTP server for example - you can rename it later if you wish). Now close the dialog by clicking on OK.

The next time you want to connect to this server, simply select it in the site manager and click Connect.

Thursday 20 November 2014

Getting into Windows - Tricks

The method below keeps a 32-bit Windows XP installation receiving security updates until April 2019. It marks the system as Windows Embedded POSReady 2009, which is built on the XP code base and is supported until April 2019, so Windows Update starts offering the POSReady patches. Microsoft does not support this, and the patches are tested against POSReady rather than XP, so take a backup before applying it.

STEPS TO FOLLOW:

1. Open Notepad.

2. Copy and paste the following text:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001

3. Save the file with a .reg extension (for example posready.reg).

4. Double-click the file and confirm the import.

Once the value is in place, Windows Update notifies you of new updates automatically.

Enjoy..!!

>>Open a command prompt when cmd.exe is blocked

>Open Notepad
>Type command.com
>Save the file as cmd.bat on the desktop
>Double-click it and a command prompt opens. The batch file starts command.com, the 16-bit command interpreter, which is a separate program from cmd.exe and so is not covered by a restriction that only blocks cmd.exe (32-bit XP only).
 
>>If your computer is slow, "clean up the RAM"?

>Open Notepad
>Type FREEMEM=SPACE(64000000)
>Save it as ram.vbs
>Run the script

This script is a widely circulated myth. It allocates a 64 MB string and releases it again when the script exits, which does nothing to speed up the machine; close programs you are not using or add memory instead.

>>Reset a BIOS password

>Power off and unplug the PC, then open the case
>Locate the silver coin-cell CMOS battery (3 V, usually a CR2032) on the motherboard
>Remove it, wait about two minutes, and put it back

This clears the CMOS settings, the BIOS password included, on most desktop boards (many boards also have a CLRCMOS jumper for the same purpose). Every other BIOS setting is reset as well, and it does not work on many laptops or on boards that store the password elsewhere.
>>Restoring a lost desktop

>Start
>Run
>Type a period "."
>Press Enter

This opens your user profile folder (%USERPROFILE%) in Explorer; the Desktop folder and its contents are inside it.
 
 
>>If your PC hangs

Press Ctrl+Shift+Esc (or Ctrl+Alt+Del) to open Task Manager, select the program that is not responding and click End Task. The PC should become responsive again.

>>Create a folder without a name

>Select any folder
>Rename it (F2)
>Hold Alt and type 0160 (or 255) on the numeric keypad, which inserts a non-breaking space as the name
>Press Enter

>>Windows Backup Utility

If the backup utility is installed, go to Run, type ntbackup and click OK to start it. On XP Home it is not installed by default; the installer is on the XP CD under VALUEADD\MSFT\NTBACKUP.
 
>>Share several folders quickly

Go to Run, type SHRPUBW.EXE and press Enter. The Create a Shared Folder wizard opens: select the folder you want to share, set the share permissions, and the share is ready. Do not grant Everyone full control unless you mean it; restrict each share to the users who need it.
 

>>Turning off the tooltips on the Min, Max and Close icons

When the mouse hovers over the minimize, maximize and close icons in the upper right corner of a window, Windows shows a tooltip. To disable it:
1. Start Regedit
2. Go to HKEY_CURRENT_USER\Control Panel\Desktop
3. Create a String Value called MinMaxClose
4. Give it a value of 1
5. Reboot

>>Fix corrupted system files in Windows XP

1. Put the XP CD in the CD drive
2. Go to Run
3. Type sfc /scannow and click OK
4. System File Checker compares the protected system files against the originals and copies any missing or altered ones back from the CD.
 
>>Clean out the temporary folder

The quick way is Start -> Run, type %temp% (without quotes) and press Enter: this opens your temp folder so you can delete nearly everything in it.

To have Terminal Services session temp folders cleared automatically:
First open gpedit.msc
Next go to Computer Configuration/Administrative Templates/Windows Components/Terminal Services/Temporary Folders
Then right-click "Do Not Delete Temp Folder Upon Exit"
Go to Properties and set it to Disabled. From then on, the per-session temp folder is deleted when the session ends. Note that this policy only covers Terminal Services/Remote Desktop sessions, not the ordinary %temp% folder, and gpedit.msc (Group Policy Editor) is only available in XP Pro.

>>Locking folders:

Suppose you want to lock a folder named XXXX in E:\, whose path is E:\XXXX. Open Notepad and type the following:

ren xxxx xxxx.{21EC2020-3AEA-1069-A2DD-08002B30309D}

where xxxx is your folder name. Save the text file as loc.bat in the same drive. Open a second Notepad file and type the following:

ren xxxx.{21EC2020-3AEA-1069-A2DD-08002B30309D} xxxx

Save this file as key.bat in the same drive.

Steps to lock the folder:

To lock the xxxx folder, double-click loc.bat: the folder turns into a Control Panel icon, because {21EC2020-3AEA-1069-A2DD-08002B30309D} is the CLSID of the Control Panel and Explorer opens the Control Panel instead of the folder. To unlock it, double-click key.bat and the contents are accessible again. Note that this is a display trick, not access control: the files are still readable from the command prompt (cd, dir, copy), from any other file manager, and by anyone who runs key.bat, which needs no password. Use NTFS permissions or EFS encryption if the contents actually need protecting.

>>Locking drives:

We do not usually need to lock drives, but sometimes it is necessary. Say you keep your office documents in D:\ and do not want your kids to get at them; this technique can help. Do not try it on your system drive (usually C:\), since the system and application programs need it.

Start -> Run, type regedit to open the Registry Editor and browse to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Create a new DWORD value named NoViewOnDrive and set its value to

2^(alpha number of drive letter - 1), where the alpha number is the position of the letter in the alphabet, A to Z as 1 to 26.
For example, to lock C:\ the alpha number of C is 3, so 2^(3-1) = 4 (decimal).

To lock more drives, calculate the value of each drive and set the sum as the value. To unlock a drive, delete the value from the registry. Like NoDrives below, this only stops Explorer from opening the drive: the command prompt, other file managers and any program can still read it, and the policy lives in the user's own HKEY_CURRENT_USER hive, so a user who can run regedit can remove it. Use NTFS permissions when the data really must be protected.

>>To remove the Recycle Bin from your desktop

Open Regedit by going to START - RUN, typing regedit and pressing Enter. Then navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{645FF040-5081-101B-9F08-00AA002F954E} (the Recycle Bin's CLSID) and delete that key. This removes the Recycle Bin icon from your desktop; deleted files still go to the bin, you just lose the icon. Export the key first so you can restore it later.

>>Disable the Security Center warnings

Follow these steps to edit the registry so the warning is no longer shown:
Click Start, then type regedit in the Run box.
Navigate to:
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
In the right-hand pane, double-click AntiVirusDisableNotify and set its value to 1 (the neighbouring FirewallDisableNotify and UpdatesDisableNotify values silence the firewall and update warnings in the same way).
Close the Registry Editor and restart the computer for the change to take effect. Keep in mind that this only hides the warning; the antivirus is still off. Malware sets the same values to hide that it has disabled protection, so treat a 1 here as a red flag when inspecting a machine.

>>HIDE DRIVES
How to hide drives (C:, D:, E:, A:, etc.)

To stop local or network drives from being displayed when you open My Computer:
1. Go to Start -> Run, type regedit and go to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

2. In the right pane create a new DWORD value and name it NoDrives (case sensitive).

3. Set its value to 3FFFFFF (hexadecimal). The value is a bitmask with one bit per drive letter, A: being bit 0 and Z: bit 25, so 3FFFFFF (26 bits set) hides every drive; the same 2^(alpha number - 1) arithmetic as for NoViewOnDrive gives the value for a single drive.

4. Restart the computer.

5. Now when you open My Computer, no drives are shown.

To show the drives again, delete the DWORD value you created and restart the computer. As with NoViewOnDrive, the drives are only hidden from Explorer's listing; they can still be opened by typing the path or from the command prompt.
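As an added worked example (not code from the original page), the following Python script does the bitmask arithmetic that both the NoViewOnDrive and the NoDrives tweaks above rely on: it turns a set of drive letters into the DWORD value, decodes a stored value back to the letters it covers, and renders the result as a .reg file in the same "Windows Registry Editor Version 5.00" format used for the POSReady tweak earlier on this page. The registry key path and value names are the ones given above; the function names are my own.

```python
r"""Bitmask arithmetic for the NoDrives and NoViewOnDrive Explorer policies.

Added example; not code from the original page. Both values live under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
and use the same encoding: bit 0 is drive A:, bit 1 is B:, ... bit 25 is Z:,
which is the 2^(alpha number - 1) rule given in the text.
"""
import string

EXPLORER_POLICY_KEY = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
)
ALL_DRIVES_MASK = 0x3FFFFFF  # bits 0..25 set: every letter A: to Z:
POLICY_VALUES = ("NoDrives", "NoViewOnDrive")


def drive_mask(letters):
    """DWORD value covering the given drive letters, e.g. "C" -> 4, "DE" -> 24."""
    mask = 0
    for letter in letters.upper():
        if letter not in string.ascii_uppercase:
            raise ValueError("not a drive letter: %r" % letter)
        mask |= 1 << (ord(letter) - ord("A"))  # A -> bit 0, C -> bit 2 (value 4)
    return mask


def drives_in_mask(mask):
    """Inverse of drive_mask: the drive letters a stored value hides or locks."""
    if mask < 0 or mask & ~ALL_DRIVES_MASK:
        raise ValueError("mask uses bits above 25, which Explorer ignores")
    return "".join(
        letter for i, letter in enumerate(string.ascii_uppercase) if mask & (1 << i)
    )


def reg_file_text(value_name, mask):
    """.reg file content (same format as the POSReady tweak) setting value_name."""
    if value_name not in POLICY_VALUES:
        raise ValueError("value_name must be one of %s" % (POLICY_VALUES,))
    header = "Windows Registry Editor Version 5.00\r\n\r\n"
    body = "[%s]\r\n\"%s\"=dword:%08x\r\n" % (EXPLORER_POLICY_KEY, value_name, mask)
    return header + body


def write_reg_file(path, value_name, letters):
    """Write a .reg file for the given drive letters; returns the mask it contains."""
    mask = drive_mask(letters)
    with open(path, "w", newline="") as fh:  # keep the CRLF line endings .reg expects
        fh.write(reg_file_text(value_name, mask))
    return mask


if __name__ == "__main__":
    print(hex(drive_mask("C")))              # 0x4, the value computed in the text
    print(hex(drive_mask("DE")))             # 0x18: D (8) + E (16)
    print(drives_in_mask(ALL_DRIVES_MASK))   # ABCDEFGHIJKLMNOPQRSTUVWXYZ
    print(reg_file_text("NoViewOnDrive", drive_mask("D")))
```

Running the script prints the masks and a ready-to-import .reg fragment without touching the registry; write_reg_file(path, "NoDrives", "DE") writes the file for you to double-click. Remember that both policies only affect Explorer's display, as noted above.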

>>Show your name in the taskbar

This trick shows your name in place of AM and PM next to the clock in the taskbar.

Step 1: Go to Start -> Control Panel -> Regional and Language Options -> Customize -> Time tab -> change the AM symbol and PM symbol from AM and PM to your name -> Apply -> OK.
Did it change? If not, follow step 2.

Step 2: Double-click the clock in the taskbar to open Date and Time Properties. In the digital time field (for example 02:47:52 AM), select the AM/PM part and press the up or down arrow; it changes to the name you entered. Apply -> OK.
Done.

Pentesting of Content providers in Android apps


What are content Providers?

Under Android's security model, application data is private to the application, so by default one app cannot read another's data. When an app wants to share data, a content provider is the interface for doing so. Content providers expose the standard insert(), query(), update() and delete() methods over the app's data, and each provider is identified by a URI beginning with content://. Any app that knows the URI (and holds whatever permission the provider requires) can insert, update, delete and query the provider's database.

Sometimes a provider is not meant to share data with other apps at all, or the developer wants to grant access only to apps holding a particular permission. If the proper security controls are not enforced, the provider leaks information.

The built-in SMS application is a classic example of a content provider. Any app can query the inbox through the URI content://sms/inbox, but it must declare the READ_SMS permission in its AndroidManifest.xml before the SMS provider will return the data.

Prerequisites to follow the steps:

Computer with Android SDK Installed

A non-rooted mobile device to install the app on.

Test Application's functionality:

After downloading the test application, install it on the non-rooted Android device so we can test and exploit it.

It can be installed with adb using the following command

adb install <name of the apk>.apk

It has a feature to store data inside the application. When we launch it, it appears as shown in the figure. 

The goal is to find out whether this app implements any content providers and, if so, to check whether they leak data and to exploit them.

Topics Involved:

Information gathering

Attacking Vulnerable Content Providers

Securing the applications

Information gathering

Like any other pentest, start with information gathering. Assuming we have the APK, decompile it as shown in the previous article and check AndroidManifest.xml for registered content providers; also search the smali files for every content:// URI the app uses.

Content Providers are generally registered in AndroidManifest.xml file in the following format.

So let's go ahead and examine the manifest file.

We got one content provider registered in the AndroidManifest.xml file and good news is, it is exported to be accessed by all other apps. 

Attacking Vulnerable Content Providers

This is the most interesting part. Let's now query the content provider we found: if it hands data to an app that was never granted any permission, it is vulnerable. This can be done in several ways.

1. Using adb shell

2. Using a Malicious app to query

3. Using the Mercury framework (since renamed drozer)

Using adb:

To query the content provider from adb, the app should be installed on the device. 

Get an adb shell on the device and run the content command to query the provider. In my case I am querying the URI I found in MyProvider.smali, extracted with apktool:

content query --uri content://com.isi.contentprovider.MyProvider/udetails

We should now see all the details stored in the app's database, as shown in the figure below.
Using a Malicious app to query:

We can even write a malicious app to query the data from its content provider. Following is the code snippet to query the inbox from a mobile device. 


Using Mercury Framework:

The whole process can be carried out with the Mercury framework (now drozer) in an even simpler and more efficient way, from its console rather than with hand-written commands.

Securing the Applications:

1. Set the android:exported attribute to false:

In our application's AndroidManifest.xml, add android:exported="false" to the <provider> element to be secured; in our case the provider is com.isi.contentprovider.MyProvider.

If we now try to query the provider, the call fails with a SecurityException, as shown below, because only components of the same application (or of apps sharing its user ID) may reach a non-exported provider.

Note: for content providers, android:exported defaults to true when the app's minSdkVersion or targetSdkVersion is 16 or lower; only when both are 17 or higher does it default to false. Set it explicitly rather than relying on the default.

2. Limiting access with custom permissions

We can also restrict access with permissions: declare a custom permission with a <permission> element in the manifest and require it on the provider with android:permission (or android:readPermission and android:writePermission to separate read and write access). Only apps that request and are granted that permission can then reach the provider; give the permission a protectionLevel of signature so that only apps signed with the same key as ours qualify.

Other issues with content providers:

SQL injection: if a provider builds its SQL by concatenating caller-controlled input, for example a value taken from the URI path or the selection and projection strings passed to query(), the caller can rewrite the statement, much as in a traditional SQL injection attack against a web application, and read or modify rows and tables the provider never meant to expose. Bind values with selectionArgs, use a projection map, and (API 14 and later) enable setStrict(true) on SQLiteQueryBuilder so that selection and projection are checked against the table's known columns.

Path traversal: this is another attack that works when a provider's openFile() is implemented carelessly. It is similar to path traversal against web applications: if the provider builds the file path from a URI segment without canonicalising it, a segment such as ..%2F..%2F lets the caller walk out of the provider's directory and read the app's other private files. Sensitive files can then be copied from the device to the attacker's machine through the vulnerable app.
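The two defects above, as an added example that is not the page's or the test app's own code. It is written in Python, with a sqlite3 table standing in for the provider's udetails table and a temporary directory standing in for the app's private files directory, so it runs without an Android SDK; the function names and the sample rows are constructed for the example. lookup_unsafe builds the statement by string concatenation the way a provider that does "WHERE name = '" + uri.getLastPathSegment() + "'" would, and lookup_safe binds the value as a parameter (selectionArgs on Android). open_file_unsafe joins the caller's path segment straight onto the files directory as a careless openFile() would, and open_file_safe canonicalises the target and refuses anything that leaves that directory.

```python
"""Two content-provider defects, mirrored in Python so they run without an
Android SDK. Added example; not code from the page or from the test app.
A sqlite3 table stands in for the provider's database and a temporary
directory for the app's private files directory.
"""
import os
import sqlite3
import tempfile

# --- SQL injection ----------------------------------------------------------

def make_db():
    """Constructed sample data standing in for the udetails table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE udetails (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO udetails VALUES (?, ?)",
                     [("alice", "alice-token"), ("bob", "bob-token")])
    return conn

def lookup_unsafe(conn, name):
    """Provider that builds SQL from the URI's last path segment by concatenation,
    i.e. "SELECT ... WHERE name = '" + uri.getLastPathSegment() + "'" in Java."""
    sql = "SELECT name, secret FROM udetails WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    """Same lookup with the value bound as a parameter (selectionArgs on Android)."""
    return conn.execute(
        "SELECT name, secret FROM udetails WHERE name = ?", (name,)).fetchall()

# --- Path traversal ---------------------------------------------------------

def open_file_unsafe(files_dir, segment):
    """openFile() that joins the caller's path segment straight onto the files
    directory. getLastPathSegment() returns the segment percent-decoded, so
    content://.../files/..%2F..%2Fsecret.txt arrives here as "../../secret.txt"."""
    with open(os.path.join(files_dir, segment), "rb") as fh:
        return fh.read()

def open_file_safe(files_dir, segment):
    """Canonicalise the target and refuse anything outside files_dir."""
    base = os.path.realpath(files_dir)
    target = os.path.realpath(os.path.join(base, segment))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the provider's directory: " + segment)
    with open(target, "rb") as fh:
        return fh.read()

def demo():
    """Run both attacks against the vulnerable and the hardened functions."""
    conn = make_db()
    injected = "' OR '1'='1"                      # classic tautology payload
    results = {
        "unsafe_rows": len(lookup_unsafe(conn, injected)),  # every row leaks
        "safe_rows": len(lookup_safe(conn, injected)),      # no user has that name
    }
    with tempfile.TemporaryDirectory() as root:
        files_dir = os.path.join(root, "app", "files")
        os.makedirs(files_dir)
        with open(os.path.join(files_dir, "public.txt"), "wb") as fh:
            fh.write(b"public")
        with open(os.path.join(root, "secret.txt"), "wb") as fh:   # outside files/
            fh.write(b"constructed secret outside files/")
        escape = os.path.join("..", "..", "secret.txt")
        results["unsafe_read"] = open_file_unsafe(files_dir, escape)
        try:
            open_file_safe(files_dir, escape)
            results["safe_blocked"] = False
        except PermissionError:
            results["safe_blocked"] = True
        results["safe_public"] = open_file_safe(files_dir, "public.txt")  # still works
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The realpath-then-commonpath check is the important part of open_file_safe: comparing string prefixes alone would accept a sibling directory such as files_dir + "2", and skipping canonicalisation would let symlinks or ".." segments through. The same check belongs in any openFile() that maps URI segments to files.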

Wednesday 19 November 2014

Connecting to a VPN on Windows 7

To connect to a VPN on Windows 7, press the Windows key, type VPN, and press Enter.

Enter the address of your VPN provider in the Internet Address box. You can enter an address like vpn.example.com or a numerical IP address, depending on the server information your VPN provider gave you.

You should also enter a Destination name – this can be anything you like. It's only used to help you remember which VPN connection is which.

Enter your login credentials on the next screen. Use the username and password your VPN provider gave you.

Windows will connect you to the VPN you configured. If you checked the "Don't connect now" checkbox on the first screen, Windows will save the VPN connection so you can easily connect later.

Once connected, you can click the network icon in your system tray to view your VPN connections. While connected to a VPN, all your network traffic is sent over it by default, because Windows enables "Use default gateway on remote network" for the connection.

To disconnect from a VPN, click it and click Disconnect. You can then reconnect to it later by clicking it and selecting Connect. You can have multiple VPNs configured and switch between them in this way.

To delete a saved VPN connection, press the Windows key, type network connections, and press Enter. Right-click a VPN connection and use the Delete option.

Setting up VPN server on Windows 8

Windows has the built-in ability to act as a VPN server, although the option is hidden. This works on both Windows 7 and Windows 8. The server uses the Point-to-Point Tunneling Protocol (PPTP).

This could be useful for connecting to your home network on the road, playing LAN games with someone, or securing your web browsing on a public Wi-Fi connection – a few of the many reasons you might want to use a VPN.

Limitations

While this is a pretty interesting feature, it may not be the ideal way to allow VPN connections to your local network. It has some limitations:

You need to be able to forward ports on your router.
You have to expose Windows and a port for the PPTP VPN server directly to the Internet, which is not ideal from a security standpoint. Use a strong password and consider a non-default external port.
PPTP itself is weak: its MS-CHAPv2 authentication can be broken by anyone who captures the handshake, regardless of password strength, and the MPPE session keys are derived from the same material, so the tunnel should not be relied on for confidentiality. Where you have the choice, use an L2TP/IPsec or OpenVPN server instead.
It is not as easy to set up and use as software like LogMeIn Hamachi and TeamViewer; most people will be better off with a more complete package like those two.

Creating a VPN Server

First, you'll need to open the Network Connections window. The quickest way to open it is to press the Windows key, type ncpa.cpl, and press Enter.

Press the Alt key, click the File menu that appears, and select New Incoming Connection.

You can now select the user accounts that can connect remotely. To increase security, you may want to create a new, limited user account rather than allow VPN logins from your primary user account. (Click Add someone to create a new user account.) Ensure the user you allow has a very strong password, as a weak password could be cracked by a dictionary attack.

Select the Through the Internet option to allow VPN connections over the Internet. You can also allow incoming connections over a dial-up modem, if you have the dial-up hardware.

You can then select the networking protocols that should be enabled for incoming connections. For example, if you don't want people connected to the VPN to have access to shared files and printers on your local network, you can uncheck the File and Printer Sharing option.

Click the Allow access button and Windows will set up a VPN server.

If you want to disable the VPN server in the future, you can delete the Incoming Connections item from your Network Connections window.

Router Setup

You will now need to log into your router's setup page and forward port 1723 to the IP address of the computer where you set up the VPN server. For more instructions, read How to Forward Ports on Your Router.

For a little extra hygiene, you can create a port forwarding rule that forwards a random "external port" such as 23243 to "internal port" 1723 on your computer. You then connect to the VPN server on port 23243, and automated scanners that only probe the default PPTP port will not find it. This cuts down on noise and opportunistic login attempts, but it is not a security control: a full port scan still finds the service, so the strong password and the IP restrictions below still matter.

You can also consider using a router or firewall to only allow incoming connections from specific IP addresses.

To ensure you can always connect to the VPN server, you may want to set up a dynamic DNS service like DynDNS on your router.

Connecting to Your VPN Server

To connect to the VPN server, you will need your computer's public IP address (its IP address on the Internet) or its dynamic DNS address, if you set up a dynamic DNS service above.

Use the Connect to a network option in Windows and enter your computer's public IP address. Provide the username and password you created to log in.