hakin9 is a bimonthly magazine about hacking and IT security, covering techniques of breaking into computer systems, defense and protection methods. Our magazine is useful for all those interested in hacking - both professionals (system administrators, security specialists) and hobbyists. The magazine is of Polish origin; it is also translated and published in other countries and language versions:
in English (DIGITAL EDITION only)
in German (in Germany, Austria, Switzerland, Luxembourg and Belgium)
in French (in France, Canada, Luxembourg, Belgium, Morocco)
in Spanish (in Spain, Argentina, Portugal, Mexico)
in Italian (in Italy)
in Czech (in Czech Republic and Slovakia)
in Polish (in Poland)
hakin9 offers an in-depth look at both attack and defense techniques and concentrates on difficult technical issues.
hakin9's target readers are those responsible for IT system security, programmers, security specialists, professional administrators, as well as people taking up security issues in their free time.
hakin9 Starter Kit is a step-by-step guide to hacker techniques. It covers basic techniques of breaking into computer systems. This magazine starts with entry level examples of the most popular security topics.
hakin9 is published by Software-Wydawnictwo Sp. z o. o.
Editors: hakin9 team
Cooperation: Piotr Sobolewski, Stefan Lochbihler
Covers: Agnieszka Marchocka
DTP: Anna Osiecka
Translators: Zbigniew Banach, Marek Szuba
Proofreaders: Nicholas Potter, Dustin F. Leer, Martin Placek
Top Beta Testers: Steven Roddis, Steve Lape, Sieng Chye Oh, Satish Chandra, Roderick Lucas, Richard Chamberlain, Rene Heinzl, Renato Borseti, Petko Petkov, Peter Howe, Paul Bakker, Pastor Adrian, Pablo Fernandez, Juan Bidini, Stavros Lekkas, Jan Feyereisl, Johan Ericsson, J.Ignacio Toledo, Felipe Lora, Wendel Guglielmetti Henrique, David Stow, Alicia Asín Pérez, Andrej Bielko, Antonio Merola, Carl Sampson, Clancey McNeal, Damian Szewczyk
Note: Hakin9's issue numbering system is a complete mess. They also have a bunch of special issues sprinkled in between, so these will be in a somewhat random order, or will most likely be mislabeled with the wrong volume/issue number and published date.
Hakin9 - Volume 0, Number 1
Hakin9 - Volume 0, Number 2 Issue 02/2005 (2) - March/April 2005
Hakin9 - Volume 0, Number 3 Issue 03/2005 (3) - May/June 2005
- TEMPEST - Compromising Emanations - by Robin Lobel
Hakin9 - Volume 0, Number 4 Issue 04/2005 (4) - July/August 2005
- Dangerous Google - Searching for Secrets - Information which should be protected is very often publicly available, revealed by careless or ignorant users. The result is that lots of confidential data is freely available on the Internet - just Google for it, by Michal Piotrowski
Hakin9 - Volume 0, Number 5 Issue 05/2005 (5) - September/October 2005
- Anatomy of Pharming: How Your Money is Stolen
- Pharming - DNS Cache Poisoning Attacks
- Robot Wars - How Botnets Work
- Voice over IP Security
- Exploiting Java VM Security Vulnerabilities
- Advanced SQL Injection Techniques
- Bad Tools Make
Hakin9 - Volume 0, Number 6
- Detection of Sniffing in Switched Networks - Sniffing in switched networks is typically conducted using one of two methods: MAC flooding or ARP spoofing. However, unlike sniffing in traditional, hub-based networks, both these methods are active and so can be detected – though sometimes this is not easy, by Daniel Kaczorowski and Maciej Szmit
- IPSec VPN discovery and Fingerprinting - Many people believe that IPSec VPN systems are invisible and inherently secure. However, in reality most implementations can be easily detected and fingerprinted. Once this step is achieved, a successful attack is only a matter of time, by Roy Hills
- Port Knocking from the Inside Out - Leaving a port open to the public is like an invitation for an intruder. Unfortunately, most services such as HTTP or SMTP need to be open for everyone to see. However, some of the more critical services may be accessible only when required. Here's where port knocking comes in, by Martin Krzywinski
- Total Control - Low-Level Network Access - Developing applications that directly access layers of the ISO/OSI model can be a difficult task, frequently requiring non-standard packet formatting. Help is at hand, however, in the form of the WinPcap and libnet libraries, which put the programmer in total control of the content being sent out into the network, by Konrad Malewski
- Attacks on Layer-Two of the OSI Model - Layer-two of OSI model is one of the weakest links when trying to assure network security in an organization. It is also one of the most commonly ignored, because there aren't many public implementations of layer-two attacks. However, a successful attack on layer-two can be just as dangerous as any other, by Alfredo Andros and David Barroso
- ARPAlert 0.4.10 - ARPAlert is intended for controlling access to LANs. The utility listens for ARP requests and compares them against a list of authorized MAC addresses. ARPAlert is used in corporate security solutions, by Thierry Fournier
- How to Create Polymorphic Shellcode - In the last issue of hakin9 magazine, we learned how to create and modify shellcode. We have also studied the common problems related to shellcode and the techniques of working around them. In this article, we will learn about polymorphism and how to create shellcode that does not get detected by intrusion detection systems, by Michal Piotrowski
- Hold on to Thine Cash - Is it most logical for all of us to take all the money out of the bank and hide it under the pillow?, by Tomasz Nidecki
- Exploiting Format String Vulnerabilities - In the second half of 2000, a whole new class of exploits was discovered, shocking the IT security community. It turned out that a vast array of programs, including well-known applications such as wu-ftpd, Apache with PHP3 or screen, have serious vulnerabilities - and all because of format strings, by Piotr Sobolewski and Tomasz Nidecki
Hakin9 - Volume 1, Number 1 Issue 01/2006 (6)
- Wi-Fi security - WEP, WPA and WPA2 - Wi-Fi (Wireless Fidelity) is one of today's leading wireless technologies. However, one configuration aspect all too often goes unnoticed: security. Let's have a closer look at the level of security of encryption methods used in modern Wi-Fi implementations, by Guillaume Lehembre
- Oracle Rootkits - It is not common knowledge that rootkits can also be implemented, and are being implemented by intruders in databases, often containing critical company data. Alexander describes rootkits in Oracle databases and presents how we can avoid them, by Alexander Kornbrust
- Windows Server 2003 Security - We present Windows Server 2003 and its security. We explain what security enhancements it offers, what is still exploitable, what new exploitation techniques have been devised lately and what we can do to protect it as much as possible against possible break-in, by Rudra Kamal Sinha Roy
- Detouring Network Firewalls - Firewalls also have their weaknesses and detouring them, both due to misconfiguration and due to product weaknesses, is possible. Oliver describes how an intruder can gain access to a system by detouring a firewall, by Oliver Karow
- Spyware Infection Methods - Programs such as spyware are usually bundled as a hidden component or downloaded from the Internet unwillingly. They install and run without user knowledge. Christiaan presents what methods such programs use to infect Windows systems and how one can protect oneself against them, by Christiaan Beek
- Column - Dumb Ideas in Computer Security - There's lots of innovation going on in security. Stephano introduces you to the dumbest ideas in computer security, by Stephano Zanero
- Writing Advanced Linux Backdoors - Packet Sniffing - People create new defenses for backdoors and intruders are forced to innovate new techniques to keep pace with the rapidly progressing security industry, e.g. packet sniffing backdoors. Brandon describes how they work by writing our own proof-of-concept tool, by Brandon Edwards
- Security Tools - Delete Secure - Secure Delete is a suite of tools for securely erasing files, directories, free disk space, swap space and RAM, by Michal Szymanski
- Security Tools - SendIP - SendIP makes it possible to prepare and send network packets using the NTP, BGP, RIP, RIPng, TCP, UDP and ICMP protocols, as well as raw IPv4 and IPv6 packets with user-supplied parameters and arbitrary data, by Piotr Sobolewski
- Cryptography for Mail and Data - Would you put confidential information on a postcard and send it to your friends, colleagues, or business partners? Well, no. But why would you put confidential information in an e-mail and send it around the world?, by Lars Packschies
- Simple Event Correlator for Real-Time Security Log Monitoring - Over the past decade, event correlation has become a prominent event processing technique in many domains (network and security management, intrusion detection, etc.). However, existing open-source log monitoring tools don't support it well. In this paper, we will discuss how to employ SEC for monitoring and correlating events from security logs, by Risto Vaarandi
Hakin9 - Volume 1, Number 2 Issue 02/2006 (7)
- Hacking an IBM iSeries Server - iSeries, a.k.a. AS/400 servers, are used by manufacturers, banks, insurance companies, casinos and governments. Odds are that wherever there is an iSeries based application, the money is as well. With over 300,000 customers worldwide and millions of users, some people are bound to be rogue hackers looking for a way to exploit it for their own means. We present what should be done to avoid such practice, by Shalom Carmel
- Secure Linux - Security Kit Review - Linux systems are fairly resistant to intrusion attempts. However, for certain applications requiring very high security levels, the features found in standard distributions may prove insufficient. This article examines several of the most popular ways to increase Linux system security at kernel level, by Michal Piotrowski
- Security Tool - GFI Network Server Monitor 7 - We show you how to monitor servers in your network using GFI Network Server Monitor, by Stefan Lochbihler
- Security tool - SwitchSniffer - We present how simple SwitchSniffer is for monitoring local area networks, and describe more of its features, like basic administration and abuse detection, by Paweł Charnas
- ICMP Use and Abuse - We describe how to use the ICMP protocol and how it can be used by intruders for evil purposes. We present all ICMP protocols, their meaning and the ways in which they can be used. We explain how to configure a firewall to protect our system against attacks, by Antonio Merola
- Automating the Exploitation Process on Linux x86 - We describe some methods for automating the identification of buffer overflow bugs and compare some techniques. We present a tool which could identify them and produce exploit code, which would definitely ease the burden, by Stavros Lekkas (vuln.c)
- Sony, Rootkit and the Fifth Power - We present the history of the rootkits and spyware put on audio CDs by the Sony company. We describe the scandal, by Michal Piotrowski
- Sender Authentication - Protection or Threat - We criticize the sender authentication mechanism and show why SPF is insecure. However, solutions being implemented as a quick and dirty patch to the notoriously insecure and broken SMTP protocol are introducing more threats, instead of fixing the problem at hand, by Tomasz Nidecki
- Building an IPS using Snort - Computer systems are usually protected by firewalls, with any attacks that do get through being monitored by intrusion detection systems. However, nowadays it is not enough to detect an intruder - what use is detection if we cannot prevent the attack? Intrusion prevention systems provide the answer, and in this article we will go through building an IPS and maintaining it, by Michal Piotrowski
- Snort_inline as a Solution - Using Snort_inline in many different environments and scenarios has proved to be a winning strategy to secure internal networks, DMZ networks or home networks. In order to work properly in the drop mode, it should adapt to the features of the environment it is protecting. Therefore, we will not only present its configuration techniques but also the ways to add a dedicated device which is best suited for the environment we want to protect, by Pierpaolo Palazzoli and Matteo Valenza
- We're Up Against - Interview with Dr. Gary McGraw - Gary McGraw, Cigital, Inc.'s CTO, is a world authority on software security. Dr. McGraw is co-author of five best selling books. We asked him about the IT security situation, careless private users, vulnerabilities in the system and many more...?
- Column - The Future's So Bright I Gotta Wear Shades - We present a different view on rootkits, by Konstantin Klyagin
- Column - Microsoft Does It Again - We consider the fact that Microsoft has made using digital signatures next to impossible for common users, by Tomasz Nidecki
Hakin9 - Volume 1, Number 5
- Shatter Attack - Vulnerable Windows
- Tools - LANsurveyor 9.5 Explains why LANsurveyor is easy to use, proven network and desktop management software, by Stefan Lochbihler
- Tools - Acunetix Web Vulnerability Scanner Shows you how to scan directory structure and automatically perform an entire set of typical attacks that take advantage of configuration or programming errors using the Acunetix scanner, by Carlos Garcia Prado
- Code Injection Using Windows GUI Messages Few could suspect that an innocuous GUI feature such as Windows messages could pose a danger to system security. We show why this seemingly innocent mechanism can be used to inject malicious code into another application and escalate an intruder's privileges, by Krzysztof Wilkos
- Advanced L2.6KM Rootkit Development Focus on the development of a rootkit for the 2.6 series of the Linux kernel. Techniques and methods of hiding the attacker actions within the system will be the primary target, along with discussing how to detect rootkits in the owned box: know your enemy, know thyself, by Pablo Fernandez
- Introduction to Passive Information Gathering In this article, we will learn how to locate valuable information that can help compromise a company's IT infrastructure, by Blazej Kantak
- How IPSec Works You will learn all about the IPSec protocol which is used to secure IP data transmissions and is one of the most complicated network protocols, by Benoni Martin
- Custom IPTables Extensions We will show you how to implement the required functionality yourself by writing an extension module when the firewall is based on IPTables. What's more, you'll be surprised just how easy it is, by Jarosław Sajko
- Hacking Beyond the Net Many in the IT community have never forgiven the media for twisting the original meaning of hacker. Despair not, though - the constructivist spirit advocated by the likes of Eric S. Raymond and Richard Stallman is not dead, by Michal Piotrowski
- Column - The Future's So Bright I Gotta Wear Shades Freedom of piracy is one of the greatest freedoms the humanity gained in the most important virtual battle of all. Read more in Konst's column, by Konstantin Klyagin
- Column - My Car has a Firewall Who says technology just brings well-being? Want to know more?, by Regis Gabineski
- Interview - Situation on IT Security Scene hakin9 talks to Neon Software's President, Craig Isaacs, as the company puts first things first in managing an unmanaged network.
- How to Cook a Covert Channel Before starting to cook your covert channel, you first have to think about the recipe (recette): decide what your covert channel will look like, what it will be used for (antipasti or dessert?) and finally when you'll have your dinner. Today's menu focuses on HTTP cookies so let's review the recipe and start to cook, by Simon Castro and Gray World Team
Hakin9 - Volume 1, Number 6
- HTTP Authentication Vulnerability
- Problems with HTTP Authentication Authentication is a technique of identification based on knowledge. HTTP provides natural functionality of HTTP authentication. In this article, Emilio will concentrate on basic authentication, which is more widespread among clients and Web servers but also less secure, by Emilio Casbas
- Analysis of Network Traffic If you administer a network of any kind you can be certain that sooner or later it will become a target of an attack. However, you are capable of eliminating, or at least significantly reducing any chances of its success. Bartosz will show you how to analyze the network traffic, by Bartosz Przybylski (aut.sh)
- Weaknesses of Anti-Virus Programs The moment the First Programmer created the First Program, the probability of attempts being made to attack it increased by one. Robert will describe how anti-virus programs detect the presence of a virus in the system and how to perform an attack against a system using an anti-virus program, by Robert Majdanski?
- Penetration Testing in Practice Penetration testing often takes place in situations where the management doesn't fully trust the IT department. It is sometimes ordered by the IT department itself to show its excellent work. However, this is not the case covered by this case study. Learn more about penetration testing from Miroslav's article, by Miroslav Ludvik
- Social Engineering Attacks Somebody has once accurately called social engineering 'hacking the mind.' It is an arithmetic average of social engineering proper (exerting pressure and manipulating people) with cracking (breaking into IT systems). The combination of these two mechanisms results in a powerful tool, of whose destructive power many still remain unaware, by Tomasz Trejderowski
- XSS in Practice Internet has become more and more important. Millions of dollars are invested in websites. Big businesses don't work with simple HTML sites anymore; everything has to be dynamic these days. But by giving people the opportunity to insert data on a website, the chance of getting vulnerable gets bigger. Roderick will present XSS attacks in practice, by Roderick W. Lucas
- Port Scanning a Violation of Property Rights It is a common misconception that a lack of new statutes makes all actions over the Internet legal unless expressly prohibited. This is a misconception as old laws do apply to new technology as well. The response to a property right is a general duty on other people not to interfere with the res (thing), by Craig S. Wright
- Why Is There No Anti-Virus? Konst will present his ideas, by Konstantin Klyagin
- Tool - TDFS's TCP/IP Packets Unlimited TTpU is a tool written to be able to generate any kind of TCP/IP packet with the possibility to specify a lot of IP and TCP options, by Alberto Maria Scattolo
- Tool - LogHound Employs a frequent itemset mining algorithm for discovering frequent patterns from event logs, by Stefan Lochbihler
Volume 2, Number 1
- Security Scanners Chart Dear Readers - we present a new section in hakin9, consumer's test. In this edition we asked users about their opinion on advantages and disadvantages of security scanners. You can find out if the prices are adequate to the quality, what the main problems are that the users experienced, and finally you will see the rating.
- Introduction to XPath Injection Techniques - This article describes an XPath injection attack, one of the latest techniques, which manipulates XPath queries in order to extract information from an XML database. The author will show you how to employ the XPath injection method to bypass safeguards in certain applications, by Jaime Blasco
Volume 2, Number 2 Issue 02/2007 (9)
- Firewall Leak Testing David Matousek of Matousec Transparent Security and Paul Whitehead of Comodo prepared, especially for hakin9 readers, personal firewall leak tests. Here are the results.
Volume 2, Number 3 Issue 03/2007 (10)
- Designing a Crypto Attack on the CCRP (bit shuffling) Cipher You will get to know some of the most important things connected with crypto attacks. Dale Thorn writes about the conventional attacks, about how to host and prepare the crypto attack.
- Analysing and Mapping Wireless Network Andrej Komarov provides you with some precious information on Wi-Fi positioning, creating a wardriver's map and running attacks in the wireless infrastructure.
Volume 2, Number 5 Issue 05/2007 (12)
- Choosing Data Recovery Software Especially for our readers, hakin9 team prepared the consumers tests on Data Recovery Tools. We hope it will help you to choose the best DRT.
- VoIP Security Testing and Solutions Four members of Snort Attack Project explain basics of VoIP vulnerability and using the tools for auditing on SIP and IAX. They also discuss a notion of risk analysis.
Volume 2, Number 6 Issue 06/2007 (13)
- Analyzing Malicious Code The article presents the various techniques and tools used for analyzing malicious code. Includes a tutorial on how to examine the NetSky-P worm.
- Consumers Tests on Virtual Machines Consumers tests on Virtual Machines. Our goal is to help the readers make a right decision when choosing a VM.
Random Volume 2 Articles
Choosing a Router for Home Broadband Connection Consumers tests on routers. Our goal is to help the readers to make a right choice when buying, choosing a router. 04-2007
Defending the Oracle Database with Advanced Security Features Mikolas Pansky provides general information on Oracle, and teaches basic Oracle hacking methods and basic Oracle defense techniques. 04-2007
Hakin9 - Volume 3, Number 1 Issue 01/2008 (14)
Hakin9 - Volume 3, Number 2 Issue 02/2008 (15)
Hakin9 - Volume 3, Number 3 Issue 03/2008 (16)
- Pentest Labs Using Live CDs - After reading this article, you will come to know how to use and design live CDs for use in a penetration test lab, by Thomas Wilhelm
- Best Practices for Secure Shell - The article presents the usage of an application called Secure Shell. It explains why SSH is the best secure tool for remote access. The paper also shows the best practices in using SSH and tips on how to avoid common mistakes, by Ryan W. Maple
- Cracking LDAP Salted SHA Hashes - The article will teach you how LDAP salted SHA hashes are structured, how to employ modern day tools to crack LDAP SSHA hashes. The author shows why LDAP SSHA hashes should be treated like clear-text data, by Andres Andreu
- Javascript Obfuscation Techniques - A very useful paper on how to conceal JavaScript code and how to detect and deobfuscate code hidden by these techniques, by David Sancho, Trend Micro
- Breaking in Add-on Malwares - This article covers the working functionality of malware add-ons. It presents the practical techniques that will help to understand malwares effectively, by Aditya K. Sood, a.k.a. 0KN0CK
- Vulnerabilities Due to Type Conversion of Integers - In this article the author presents the nature of type conversion. He explains how C's type conversions work, how vulnerabilities can be caused by unsafe type conversions and how to review C code for such vulnerabilities. Last but not least, you will get to know how to prevent them, by Davide Pozza
- Authentication and Encryption Techniques - Part II of a three-part series on Postgres. This article is to present ideas that can be used to mitigate threats presented in first part, using various authentication and encryption technologies that are available on Linux and other UNIX-like operating systems, by Robert Bernier
Hakin9 - Volume 3, Number 4 Issue 04/2008 (17)
Hakin9 - Volume 3, Number 5 Issue 05/2008 (18)
Hakin9 - Volume 3, Number 6 Issue 06/2008 (19)
- Client-Side Exploits Client-side exploits are some of the most commonly seen exploits and this is mainly due to the fact that traditional perimeter security (firewalls, router access lists) offers little or no protection against these kinds of exploits. This is due to the fact that client-side exploits target vulnerabilities on the client applications, by Anushree Reddy
Hakin9 - Volume 4, Number 1 Issue 01/2009 (20)
Hakin9 - Volume 4, Number 2 Issue 02/2009 (21)
Hakin9 - Volume 4, Number 3 Issue 03/2009 (22)
Hakin9 - Volume 4, Number 4 Issue 04/2009 (23)
Hakin9 - Volume 4, Number 5 Issue 05/2009 (24)
Hakin9 - Volume 4, Number 6 Issue 06/2009 (25)
Hakin9 - Volume 5, Number 1 Issue 01/2010 (26)
Hakin9 - Volume 5, Number 2 Issue 02/2010 (27)
Hakin9 - Volume 5, Number 3 Issue 03/2010 (28)
Hakin9 - Volume 5, Number 4 Issue 04/2010 (29)
Hakin9 - Volume 5, Number 5 Issue 05/2010 (30)
Hakin9 - Volume 5, Number 6 Issue 06/2010 (31)
Hakin9 - Volume 5, Number 7 Issue 07/2010 (32)
Hakin9 - Volume 5, Number 8 Issue 08/2010 (33)
Hakin9 - Volume 5, Number 9 Issue 09/2010 (34)
Hakin9 - Volume 5, Number 10 Issue 10/2010 (35)
Hakin9 - Volume 5, Number 11 Issue 11/2010 (36)
Hakin9 - Volume 6, Number 1 Issue 01/2011 (37)
Hakin9 - Volume 6, Number 2 Issue 02/2011 (38)
Hakin9 - Volume 6, Number 3 Issue 03/2011 (39)
Hakin9 - Volume 6, Number 4 Issue 04/2011 (40)
Hakin9 - Volume 6, Number 5 Issue 05/2011 (41)
Hakin9 - Volume 6, Number 6 Issue 06/2011 (42)
Hakin9 - Volume 6, Number 8 Issue 08/2011 (44)
Hakin9 - Volume 6, Number 9 Issue 09/2011 (45)
- Brief - eLearnSecurity and ID Theft Protect, by Armando Romeo
- The Bug Story - Despite the fact that our network gardens are full of beautiful/gorgeous things, at the same time they're full of bugs. The problem is that the Internet serves as a connection between these gardens, which makes it easy for bugs to travel from one garden to another. A bug may be found in my neighbors' garden across the street, but in a matter of time, I will be seeing it creeping in my garden too... This time Ali tells us a quick history of the most vicious bugs in software till today. From his amusing article we will find out why software bugs exist today and how to avoid them. He will also present an analysis of one of the most popular bugs in IT security history and use this example to teach us a quick analysis of a bug. Read the column, which is as much for entertainment as for gathering some basic knowledge, by Ali Hadi
- Secure Coding: Hits and Misses - This article exposes the basics of most of the common software vulnerabilities, and explores the best programming practices to avoid their occurrence. The analysis will be made from a general perspective, but providing concrete examples and walk-throughs to clarify the concepts discussed. The examples included in each point will range from academic to real vulnerabilities found while performing different source code audits. From this article you will learn best practices that architects and developers should be aware of in order to develop applications with a proper sense of security. After the reading you will also start to think of the security analysis in terms of the actors involved, to enhance and better adapt different attack vectors the common roots of many security issues, by Jorge Luis Alvares Medina
- For My Eyes Only - Data is a marvelous thing; so easy to create but so difficult to keep track of and maintain. This marvelous thing is the very thing that can take companies down to their knees. All without anyone knowing until it is too late... A silent killer... Data at rest and company drive shares spell disaster. Learn how to protect yourself against your data be it your programs, scripts and allow automation to occur non-interactively without you having to type your password in because you don't want to save them within the execution file. This demonstration focuses on the Apple Mac platform but can be easily geared otherwise, by Israel Torres
- Secure Coding PHP - It can be said that software is only as good as its code or as good as the developer who wrote that code. Yet if we used this adage to compare current web based software, we are in need of some major retrofits to the software we entrust our personal data to. The recent cyber attacks on BART - the San Francisco Bay Area's rapid transit system - only demonstrate the need for better and more secure software especially when personal and private information is at stake. As cyber attacks only seem to be growing in number, we have to start to focus more on secure coding as we try to walk the thinning line that is security and usability. With this in mind, we will discuss some of the techniques one can use to write more secure PHP code including user input verification and data encryption... In this article the author shows how to write secure code in PHP and validate user input. You will also learn some encryption techniques and other countermeasures, by Rich Hoggan
- Secure Coding in Database - Information systems are not islands. Either data is manually entered, or, as is more commonly the case, interchanged with other systems. Some systems are very tightly integrated: a database transaction committed in one system becomes available in another almost immediately. Other systems are more loosely coupled and synchronize data on a scheduled basis. Some partners in the interchange do an outstanding job of vetting their data and making sure that the data feeds are clean. But what do you do when a data supplier comes under attack, the data becomes vandalized, or it is rendered unavailable? This text will give you the knowledge about creating automatic audit trails for critical database tables and also about creating processes to guard against and recover from bad data. You will learn building a lightweight process for rapid data recovery that avoids using complex, time-consuming database backup tools, by Steve Hodge
- Mobile and Tablet Application Coding Security - There are practical techniques for securing app code - the first involves limiting privileges to a set of operations - this is known as sandboxing. The second technique involves identifying executables as they enter the trusted domain, a.k.a. firewall approach, do you want the app to run and how will it run are important queries. The third technique involves code trust - is the executable trustworthy? In this article the author will attempt to discuss briefly some of the main mobile app security issues of today and consider what developers have to do to maintain and improve their coding security practices. Read and find out why code signing and sandboxing are two app security principles that should be pro-actively incorporated into the mobile coding development cycle, by Julian Evans
- Virustotal - Hispasec Sistemas has managed the service, VirusTotal, since June 2004. The VirusTotal website offers the public access to multiple Anti-Virus (AV) engines hosted by them to provision online scanning of individual files to uncover malware by harnessing a combination of signature-based and heuristic detection. This is the short column where you will find description of this very popular tool. If you haven't come across the VirusTotal yet this text should encourage you to pay more interest in it, by Mervyn Heng
- What's Wrong With the Bible? - Corporate IT security policies are often described by security professionals as "the Bible." This comparison always makes my skin crawl, since it suggests a certain lack of imagination. But in reality, the comparison makes sense. Both interpretations were probably written a long time ago by people who hadn’t met you, or by employees that faced precisely the same issues, technologies, and situations you face in your job today. More than that, both were probably written by different groups of people over time... Read the essay column in which the author deals with different legal curiosities and IT security cliches, by Drake
- Review of Passware Kit 11.0 - Passware Password Recovery Kit Forensic 11.0 is a handy all-in-one package for recovering different types of passwords quickly and with ease. Be it from a Windows laptop, Mac VM, or USB stick this software raises the bar for password cracking. Read the program review and check whether it is worth its price and buying, by Israel Torres
Hakin9 - Volume 6, Number 10 Issue 10/2011 (46)
Hakin9 - Volume 6, Number 11 Issue 11/2011 (47)
Hakin9 - Volume 6, Number 12 Issue 12/2011 (48)
Hakin9 - Volume 7, Number 1 Issue 01/2012 (49)
Hakin9 - Volume 7, Number 2 Issue 02/2012 (50)
Hakin9 - Volume 7, Number 3 Issue 03/2012 (51)
Hakin9 - Volume 7, Number 4 Issue 04/2012 (52)
Hakin9 - Volume 7, Number 5 Issue 05/2012 (53)
Hakin9 - Volume 7, Number 6 Issue 06/2012 (54)
Hakin9 - Volume 7, Number 7 Issue 07/2012 (55)
Hakin9 - Volume 7, Number 8 Issue 08/2012 (56)
Hakin9 - Volume 7, Number 9 Issue 09/2012 (57)
Hakin9 - Volume 7, Number 10 Issue 10/2012 (58)
Hakin9 - Volume 7, Number 11 Issue 11/2012 (59)
Hakin9 - Volume 8, Number 1 Issue 01/2013 (61)
Hakin9 - Volume 8, Number 2 Issue 02/2013 (62)
Hakin9 - Volume 8, Number 3 Issue 03/2013 (63)
Hakin9 - Volume 8, Number 5 Issue 05/2013 (65)
Hakin9 - Volume 8, Number 6 Issue 06/2013 (66)
Hakin9 - Volume 8, Number 7 Issue 07/2013 (67)
Hakin9 - Volume 8, Number 8 Issue 08/2013 (68)
Hakin9 - Volume 8, Number 9 Issue 09/2013 (69)
Hakin9 - Volume 9, Number 3 Issue 03/2014 (72)
Hakin9 - Volume 11, Number 2
- Analysis of Linux Malware Tsunami Using Limon - A number of devices are running Linux due to its flexibility and open-source nature. This has made the Linux platform a target for malware attacks, so it becomes important to analyze Linux malware. Today, there is a need to analyze Linux malware in an automated way to understand its capabilities, by Monnappa K. A.
- Never Assume Secure - It's been a wild ride in the world of cyber security the past few years. Large corporations and small businesses alike have not been immune to the wrath of nation states, hacktivists, and professional hackers for hire. And don't think it's only crafty pros who are bent on mayhem. In the past two weeks alone, three teenagers and a 20-year-old have been arrested in the British telecom hack of Talk Talk, which potentially affected well over 1 million customers. This was Talk Talk's third known breach since December 2014, by Paul Janes
- Modern Age: WordPress Security Threats - The Internet has become a medium to connect billions of people online. Until a few years ago, people used to hire programmers to code their site. To overcome that, Web Content Management Systems were created which allow nontechnical users to build a website with little or no programming knowledge. Now, anyone can start their own blogs, business, forums and organizations. It helps us to bring our ideas and projects to life in an "online" environment. Some of the Web CMS are WordPress, Joomla and Drupal. The most popular content management system is WordPress, by Aaditya Purani
- The Life Of A Vulnerability - Battles are always about attack and defense. In military wars, armies combat on the battlefields and the one that wins is the one that had successful attacks on the other, which failed to strongly defend. In politics, the people overthrow their government by attacking its failed policies; while the latter is also not able to defend back by satisfying their needs either by convincing them with those rejected policies or issue new acceptable ones. In sports, the player or the team wins the match by attacking the opponent persistently and also defending against receiving goals or losing points, by Louay Saleh
- Deanonymization - The Tor network is a group of volunteer-operated servers that allows people to improve their privacy and security on the Internet. Tor's users employ this network by connecting through a series of virtual tunnels rather than making a direct connection, thus allowing both organizations and individuals to share information over public networks without compromising their privacy, by Alexander Antukh
- Agents of Shield: Diagnosis and Prevention of Dos/DDos Attacks - Given the relentless growth of online activities worldwide, the threat landscape utilized by hackers has become vast and complex. Reports indicated that individuals and organizations alike will continue to succumb to online threats and attacks. In a 2014 survey conducted by the Cyberedge group, the report stated that 71% of those surveyed were affected by a successful attack (Cyberedge, 2015). While a security mindset has led to some progressive security improvements in the dominant platforms for business and personal use, such as Microsoft Windows, leading to a decline in the number of vulnerabilities discovered, there are other problems emerging, by Anthony Caldwell & Ronan Dunne
- Formula Injection - To start with, Web Application Penetration Testing is the name given to software testing that focuses on web applications. Most websites out there are vulnerable to wild attacks due to a lack of security tests. Over 70 attacks exist which can result in a fatal impact on websites. Web Application Penetration Tests are legitimate hacking attacks carried out to discover all such vulnerabilities and inculcate proper remediation before launching the application to users. The OWASP Testing Guide is a popular testing list which is preferred by pentesters to audit applications, by Samrat Das
- Web Applications Pentesting Tools: Burp Suite Playbook - Web Application pen testing can be done through various tools available. This article will mainly focus on 'Burp Suite' tool and its various interesting features. After reading this article, the reader will be able to configure Burp Suite with the browser, exploit XSS using Burp plugins and will know how to use different tabs of Burp Suite, by Pranav Jagtap
- How to Develop Secure Software - Action Plan to Make Secure Software - The purpose of this article is to provide a guideline for secure software development. Easily avoided software defects are a primary cause of commonly exploited software vulnerabilities. By identifying insecure coding practices and developing secure alternatives, software developers can take practical steps to reduce or eliminate vulnerabilities while developing software product, by Jeevan Dahake
- Interview with Yevgeniy (Jim) Brikman, founder of Atomic Squirrel "Startup is a company that spends most of its time searching," by Marta Sienicka and Marta Strzelec
Hakin9: Exploiting Software - Volume 2, Number 1 Issue 01/2012 (5)
Hakin9: Exploiting Software - Volume 2, Number 3 Issue 03/2012 (7)
Hakin9: Exploiting Software - Volume 2, Number 4 Issue 04/2012 (8)
Hakin9: Exploiting Software - Volume 2, Number 8 Issue 08/2012 (12)
- Windows 8 Security in Action - Is Windows 8 the next operating system for your enterprise? In this article, we will take a quick look at Microsoft's new OS - Windows 8. We will see some of the new security features that make it more secure than its predecessor Windows 7. We will also run the security through the paces and see some of the possible issues that are new to the OS and some that have carried over from previous versions of Windows. From the BackTrack 5 R3 security testing platform, the author uses the Metasploit Framework and Social Engineering Toolkit to see how Windows 8 stands up to the most common Internet based threats, by Daniel Dieterle
- Raspberry Pi Hacking - The Raspberry Pi is a credit-card sized computer that plugs into your TV and a keyboard. It's a capable little PC which can be used for many of the things that your desktop PC does, like spreadsheets, word-processing and games. It also plays high-definition video. We want to see it being used by kids all over the world to learn programming. If you love your Pi you'll definitely love to hack it, by Jeremiah Brot
- Malware, Botnet and cyber threats, what is happening to the cyberspace? - The article proposes an analysis of the main cyber threats that worry security experts and that are profoundly changing the cyber space. The exponential growth of the number of cyber threats and attacks is rebutted by a wide range of statistics provided by reports published by the major security firms. The scenario is really scary due to the concomitant action of cybercriminals, hacktivists and state sponsored hackers that are producing malware and botnets of increasing complexity, by Pierluigi Paganini
- Live Capture Procedures - Live data capture is an essential skill required for both Incident Handlers as well as forensic practitioners and it is one that is becoming more, not less, important over time as we move towards networked and cloud-based systems. This article has introduced a few tools that, although free, can be used together to create a powerful network forensics and incident response toolkit. Like all of these tools, the secret comes down to practice, by Craig Wright
- SQL Injection - by Wong Chon Kit
- Network Pen Testing Breaking the Corporate Network through Hackers Perspective - by Amar Wakharkar
- Intel SMEP overview and bypass on Windows 8 - by Artem Shikhin
- Android Application Assessment - by Nilesh Kumar
Hakin9: Exploiting Software - Volume 2, Number 9 Issue 09/2012 (13)
Hakin9: Exploiting Software - Volume 2, Number 10 Issue 10/2012 (14)
Hakin9: Starter Kit - Volume 1, Number 1 Issue 01/2007 (1)
Hakin9: Starter Kit - Volume 1, Number 2 Issue 02/2007 (2)
Hakin9: Starter Kit - Volume 1, Number 3 Issue 03/2007 (3)
Hakin9: Starter Kit - Volume 2, Number 1 Issue 01/2010 (4)
Hakin9: Starter Kit - Volume ?, Number ? Issue 01/2011 (4?)
Hakin9: Starter Kit - Volume 3, Number 10 Issue 04/2013 (10)
Hakin9: On Demand - Volume 1, Number 1 Issue 01/2012 (1)
Hakin9: On Demand - Volume 1, Number 2 Issue 02/2012 (2)
Hakin9: On Demand - Volume 1, Number 7 Issue 07/2012 (7)
Hakin9: On Demand - Volume 1, Number 8 Issue 08/2012 (8)
Hakin9: On Demand - Volume 2, Number 1 Issue 01/2013 (10)
Hakin9: On Demand - Volume 2, Number 3 Issue 03/2013 (12)
Hakin9: Mobile Security - Volume 2, Number 1 Issue 01/2012 (2)
Hakin9: Mobile Security - Volume 2, Number 2 Issue 02/2013 (3)
Hakin9: Workshops - Backend Database Hacking
Hakin9 - Volume 1, Number 1 Issue 01/2013 (1)
Hakin9 - Volume 1, Number 4 Issue 04/2013 (4)
Hakin9 - Volume 2, Number 6 Issue 01/2014 (6)
- PortWitness - Developing an automated tool using Bash Scripting for OSINT, by Sahil Tikoo
- mitm6 - Compromising IPv4 networks via IPv6, by Fox-IT
- CoffeeMiner - Hacking Wi-Fi to inject cryptocurrency miner to HTML requests, by Arnau Code
- Galileo - Web application audit framework, by Momo Outaadi (m4ll0k)
- Interview with Felipe Daragon, Creator of Syhunt and Huntpad - "Writing is the art of cutting words." I believe this applies well to programming as well. If you write code, remember to cut lines, keep it as simple as possible and avoid redundancy - this should be a continuous goal.
- PeNCrawLer - An advanced web-crawler and "dirbuster," by Mahdi Makhdumi
- OWASP Mth3l3m3nt Framework - by Munir Njiru
- Sn1per - Automated pentest recon scanner, by 1N3
- Lama - The application that does not mince words, by Tatam
- AirpyDump - Analyze wireless packets on the fly, by Shameer Kashif
- Interview with Mohammed, creator of wpCrack - "I didn't find the tool I wanted on the internet, so I decided to make my own."
- ESP8266 Deauther 2.0 - Scan for Wi-Fi devices, block selected connections, create dozens of networks and confuse WiFi scanners!, by Stefan Kremser
- Interview with Olie Brown, creator of RFCrack - "RF was something I didn’t see sufficient penetration testing information on but essential for me to know while testing devices, so I created my own tool and learning material."
- mimic - Covert execution in Linux, by @emptymonkey and @stygianblu
- ProbeQuest - by Paul-Emmanuel Raoul
- Defense Matrix - by Ivens Portugal, K4YT3X
Hakin9: Extra Issue 07/2011 (7)
Hakin9: Extra Issue 04/2012 (11)
Hakin9: Extra Issue 06/2012 (13)
Hakin9: Extra Issue 02/2013 (20)
Hakin9 - Volume 1, Number 1 Issue 01/2009 (1)
Hakin9 - Volume 1, Number 2 Issue 01/2010 (2)
Hakin9: Python Compendium for Hackers and Programmers
Hakin9: Reverse Engineering Compendium
Knowledge is Power