Darknet - The Darkside

Don't Learn to HACK - Hack to LEARN. That's our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

25 April 2015 | 320 views

OAT – Microsoft OCS Assessment Tool (Office Communication Server)

OAT is an Open Source Microsoft OCS Assessment Tool designed to check the password strength of Lync and Microsoft Office Communication Server users. After a password is compromised, OAT demonstrates potential UC attacks that can be performed by legitimate users if proper security controls are not in place.

We first wrote about OAT when it was v1.0 and just came out in 2009.

OAT has a user friendly tabbed interface that begins with a password strength test feature. Once the OAT user has successfully elicited the password, attack modules from subsequent tabs can be used for launching UC attacks against valid, registered Lync and OCS users.

New in OAT v3.0

  • Lync Support
  • Improved speed of the online dictionary attack
  • Fixed issues with play spam audio for call walking
  • Minor graphical enhancements
  • New Active Directory Options

Features

  • Online Dictionary Attack
  • Presence Stealing
  • Contact List Stealing
  • Targeted IM Flood
  • Targeted Call Walk
  • Communicator DoS
  • Audio Call Spam
  • Report Generation
  • OCS 2007 & OCS 2007 R2

You can download OAT v3.0 here:

OAT-inst-3.05.zip

Or read more here.


21 April 2015 | 1,282 views

sptoolkit Rebirth – Simple Phishing Toolkit

The sptoolkit (rebirth) or Simple Phishing Toolkit project is an open source phishing education toolkit that aims to help in securing the mind as opposed to securing computers. Organizations spend billions of dollars annually in an effort to safeguard information systems, but spend little to nothing on the undertrained and susceptible minds that operate these systems, thus rendering most technical protections instantly ineffective. A simple, targeted link is all it takes to bypass the most advanced security protections. The link is clicked, the deed is done.

spt was developed from the ground up to provide a simple and easy to use framework to identify your weakest links so that you can patch the human vulnerability.

sptoolkit hasn’t been actively developed for two years. As it stands, it’s a brilliant piece of software, and the original developers are pretty damn awesome for creating it. But a new team would like to go further and bring sptoolkit up to date – they’ve started active development again on Github just last month.

Requirements

  • Apache
  • PHP
  • MySQL

Features

  • Templates & Visual editor
  • Education completion tracking
  • Support for URL shorteners
  • Support for sending SMTP via SSL
  • Forms display inline errors for correction
  • Accurate e-mail tracking times
  • Browser Detection

You can download the new sptoolkit 0.80.1 here:

v0.80.1.zip

Or read more here.


18 April 2015 | 1,207 views

EvilAP Defender – Detect Evil Twin Attacks

EvilAP_Defender is an application that helps wireless network administrators to discover and prevent Evil Access Points (AP) from attacking wireless users. The application can be run in regular intervals to protect your wireless network and detect Evil Twin attacks.

By configuring the tool you can get notifications sent to your email whenever an evil access point is discovered. Additionally you can configure the tool to perform DoS on a discovered evil AP in order to give the administrator more time to react. However, notice that the DoS will only be performed for evil APs which have the same SSID but a different BSSID (the AP’s MAC address) or are running on a different channel. This is to avoid DoSing your own legitimate network.

The tool is able to discover evil APs using one of the following characteristics:

  • Evil AP with a different BSSID address
  • Evil AP with the same BSSID as the legitimate AP but a different attribute (including: channel, cipher, privacy protocol, and authentication)
  • Evil AP with the same BSSID and attributes as the legitimate AP but a different tagged parameter, mainly a different OUI (tagged parameters are additional values sent along with the beacon frame; currently no software based AP gives the ability to change these values, as software based APs are generally so poor in this area)

Whenever an Evil AP is discovered the tool will alert the admin through email (SMS will be supported soon). Additionally the tool will enter into preventive mode in which the tool will DoS the discovered Evil AP. The tool can be configured easily by starting in what we call “Learning Mode”. In this mode you can whitelist your legitimate network. This can be done by following the wizards during the Learning Mode. You can also configure the preventive mode and admin notification from there as well.

Finally, you need to change into Normal Mode or re-run the tool in this mode in order to start discovering Evil APs.
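The three detection rules above, together with the learning-mode whitelist, as an added Python illustration (this is not EvilAP_Defender’s own code; the Beacon fields, the rule names, the preventable flag and the sample beacons are all constructed for the example). A beacon for a whitelisted SSID is flagged when its BSSID was never learned, when a learned BSSID shows up with a different channel, cipher, privacy protocol or authentication, or when everything matches except the OUI carried in the tagged parameters. The preventable flag only records the rule stated above (preventive mode applies to different-BSSID or different-channel twins); nothing here sends any frames.

```python
"""Evil-twin beacon classification modelled on EvilAP_Defender's three detection
rules. Added illustration, not the project's code; the field names, rule names
and sample beacons are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Attributes compared when the BSSID matches a whitelisted AP (rule 2).
COMPARED_ATTRS = ("channel", "cipher", "privacy", "auth")


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    channel: int
    cipher: str
    privacy: str
    auth: str
    oui: str  # vendor OUI taken from the beacon's tagged parameters


@dataclass
class Finding:
    beacon: Beacon
    rule: str          # which of the three characteristics fired
    detail: str
    preventable: bool  # page's rule: only different-BSSID or different-channel twins


def learn_whitelist(beacons: List[Beacon], ssids: Set[str]) -> Dict[str, Beacon]:
    """Learning mode: remember every AP broadcasting one of our SSIDs, keyed by BSSID."""
    return {b.bssid: b for b in beacons if b.ssid in ssids}


def classify(beacon: Beacon, whitelist: Dict[str, Beacon]) -> Optional[Finding]:
    """Normal mode: compare one observed beacon against the learned whitelist."""
    protected_ssids = {b.ssid for b in whitelist.values()}
    if beacon.ssid not in protected_ssids:
        return None  # someone else's network; nothing to compare against
    legit = whitelist.get(beacon.bssid)
    if legit is None:
        # Rule 1: our SSID from a BSSID that was never learned.
        return Finding(beacon, "different_bssid", f"unknown BSSID {beacon.bssid}", True)
    diffs = [a for a in COMPARED_ATTRS if getattr(beacon, a) != getattr(legit, a)]
    if diffs:
        # Rule 2: same BSSID, but channel/cipher/privacy/auth differ.
        detail = ", ".join(f"{a}: {getattr(legit, a)} -> {getattr(beacon, a)}" for a in diffs)
        return Finding(beacon, "attribute_mismatch", detail, "channel" in diffs)
    if beacon.oui != legit.oui:
        # Rule 3: everything matches except the tagged-parameter OUI.
        return Finding(beacon, "oui_mismatch", f"OUI {legit.oui} -> {beacon.oui}", False)
    return None


def scan(beacons: List[Beacon], whitelist: Dict[str, Beacon]) -> List[Finding]:
    """Run classify() over a whole scan result and keep only the hits."""
    return [f for f in (classify(b, whitelist) for b in beacons) if f]


# Constructed sample data: one learned AP, then a later scan.
LEARNED = [Beacon("CorpWiFi", "00:11:22:33:44:55", 6, "CCMP", "WPA2", "PSK", "00:11:22")]
OBSERVED = [
    LEARNED[0],                                                                      # legit
    Beacon("CorpWiFi", "66:77:88:99:AA:BB", 6, "CCMP", "WPA2", "PSK", "66:77:88"),   # rule 1
    Beacon("CorpWiFi", "00:11:22:33:44:55", 11, "CCMP", "WPA2", "PSK", "00:11:22"),  # rule 2
    Beacon("CorpWiFi", "00:11:22:33:44:55", 6, "CCMP", "WPA2", "PSK", "DE:AD:BE"),   # rule 3
    Beacon("GuestNet", "CA:FE:00:00:00:01", 1, "TKIP", "WPA", "PSK", "CA:FE:00"),    # ignored
]

if __name__ == "__main__":
    wl = learn_whitelist(LEARNED, {"CorpWiFi"})
    for f in scan(OBSERVED, wl):
        print(f"[{f.rule}] {f.beacon.bssid} ch{f.beacon.channel}: {f.detail} "
              f"(preventable={f.preventable})")
```

The whitelist is keyed by BSSID rather than SSID on purpose: a twin that clones the BSSID too can only be caught by the attribute and OUI comparisons, which is exactly why the tool records those during Learning Mode.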

Requirements

Learning Mode:

This mode can be invoked with the “-L” switch. When running the tool in this mode, it will start by scanning for the available wireless networks. Then it lists all the found wireless networks, with whitelisted APs colored green. It also lists the whitelisted APs and OUIs (tagged parameters).

The tool also provides several options which allow you to add/remove SSIDs to/from the whitelist. You need to whitelist your SSID first before running the tool in Normal Mode. Moreover, you can configure Preventive Mode from “Update options -> Configure Preventive Mode”. First you need to set the Deauthentication time (in seconds) to a number bigger than 0 (setting the value to 0 will disable this mode). Then you need to set the number of times to repeat the attack. This is important when attacking more than one Evil AP, because the tool cannot attack all of them at the same time (how can you attack several APs on different channels? Later on we will improve the tool and allow it to attack several APs on the same channel at the same time).

The tool will attack the first Evil AP for the specified deauthentication time, then it will stop and attack the second one, and so on. Be careful about increasing the Deauth time too much, because the tool may then attack only one AP and leave the others running. My recommendation is to set the Deauth time to something suitable such as 10 seconds and increase the repeat count. Finally, you can configure admin notification by setting the admin email, SMTP server address, SMTP username (complete email address) for authentication purposes, and SMTP password. You can use any account on Gmail or your internal SMTP server account.

Normal Mode:

This is the mode in which the tool starts to discover Evil APs and notifies the administrator whenever one is discovered. This mode can be invoked with the “-N” switch.

You can download EvilAP Defender here:

master.zip

Or read more here.


16 April 2015 | 993 views

Google Chrome 42 Stomps A LOT Of Bugs & Disables Java By Default

Ah finally, the end of NPAPI is coming. A relic from the Netscape era, the Netscape Plugin API causes a lot of instability and security issues in Chrome. It means Java is now disabled by default, along with other NPAPI based plugins, in Google Chrome 42.

Chrome will be removing support for NPAPI totally in Chrome 45.

Other than that, they have also squashed 45 security issues and vulnerabilities, including some quite serious ones, many of them a product of their Bug Bounty program.

Google announced on Tuesday the availability of Chrome 42 for Windows, Mac and Linux. The latest release addresses a total of 45 security issues and removes NPAPI support.

Judging by the bug bounties paid out by Google, the most serious vulnerability fixed in Chrome 42 is a cross-origin bypass flaw in the HTML parser (CVE-2015-1235). The discovery of this high severity bug earned an anonymous researcher $7,500.

The list of high severity vulnerabilities also includes a type confusion in V8 (CVE-2015-1242) reported by Cole Forrester of Onshape, a use-after-free in IPC (CVE-2015-1237) reported by Khalil Zhani, and an out-of-bounds write bug in the Skia graphics engine (CVE-2015-1238) identified by cloudfuzzer.

The medium severity security issues reported by external researchers are a cross-origin-bypass in the Blink web browser engine, an out-of-bounds read in WebGL, a use-after-free in PDFium, a tap-jacking flaw, an HSTS bypass in WebSockets, an out-of-bounds read in Blink, scheme issues in OpenSearch, and a SafeBrowsing bypass.

The researchers who contributed to making Chrome more secure have been awarded a total of $21,500, according to a blog post published by Google. However, the total amount could be higher since there are some vulnerability reports that haven’t gone through the search giant’s reward panel.

The actual details of the bugs are not public right now, as Google’s policy is to keep access to the details restricted until the majority of users are patched. Access is further restricted if the bug is in a third party library that other projects depend on and haven’t yet fixed.

Feature wise, they’ve also launched their implementation of the Push API for notifications.

“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” wrote Alex Mineer of the Google Chrome team.

In September 2013, Google announced plans to phase out support for the Netscape Plugin API (NPAPI). The company noted at the time that the API’s 90s-era architecture was causing crashes, security issues and other problems.

In January 2014, Google blocked web page-instantiated NPAPI plugins by default, but whitelisted some of the most popular applications, such as Silverlight, Unity, Google Earth, Google Talk, and Facebook Video. Java was also on the list of most popular plugins using NPAPI, but it had been disabled earlier for security reasons.

Now, NPAPI support has been disabled by default in Chrome and extensions requiring NPAPI plugins will be removed from the Chrome Web Store. Advanced users and enterprises can temporarily re-enable NPAPI until the plugins they use transition to alternative technologies.

There’s more details from Google here: Stable Channel Update

I wish Firefox would keep up...

Source: Security Week


14 April 2015 | 994 views

SamuraiWTF 3.x And Onwards – Web Testing Framework Linux LiveCD

The Samurai Web Testing Framework (AKA SamuraiWTF) is a live Linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, the authors have based the tool selection on the tools they use in their own security practice.

SamuraiWTF includes the tools to carry out all four steps of a web pen-test.

Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such as WebScarab and ratproxy. We then chose tools for discovery. These include w3af and Burp Suite. For exploitation, the final stage, we included BeEF, AJAXShell and much more.

This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.

We’ve reported on Samurai Web Testing Framework since way back in 2006 when it first hit the scene with 0.3.

There’s been a lot of changes with the recent 3.x public release, a lot of clean-up work has been done and the underlying OS has finally been updated to Ubuntu 14.04 LTS (yay).

The major version number will be tied to the Ubuntu LTS release cycle (every 2 years with support for 5 years), so SamuraiWTF 4.0 will be on Ubuntu 16.04 LTS. Then there will be quarterly dot releases, so we should be hitting 3.2 soon (end of this month according to the schedule) but here’s 3.1 for now.

You can download SamuraiWTF 3.1 here:

SamuraiWTF3.1.vmwarevm.zip

Or read more here.


09 April 2015 | 831 views

Security Vendor Trustwave Bought By Singtel For $810M

The big news today is an acquisition, “Trustwave bought by Singtel” is rocking all the headlines. The fairly well known security vendor Trustwave has been bought for a rather large amount (almost $1 Billion – but not quite).

We have mentioned Trustwave before, and not in a good light – they were sued as the security vendor for the Target hacks.

It seems not to have hurt them as the case was dropped a few days after being filed, and they weren’t listed so their value isn’t public knowledge (until now at least) – they are valued at $850 million.

Singapore Telecommunications Ltd. (Singtel) is acquiring privately held security vendor Trustwave in a deal valued at $810 million.

Under the agreement, Singtel will acquire a 98 percent share of Trustwave, which has an enterprise value of $850 million. Trustwave Chairman, President and CEO Robert J. McCullen will retain the remaining 2 percent share.

Singtel expects the transaction to close in the next three to six months pending regulatory approvals. After the deal closes, Trustwave will operate as a stand-alone business unit of Singtel. The current Trustwave management team is expected to stay in place, and Trustwave’s headquarters will remain in Chicago.

Singtel is a leading communications group that provides multiple services, including both fixed and wireless voice and data. The group extends into 25 countries across Asia, Australia, Africa, Europe and the United States. According to Singtel, it has more than 500 million mobile customers globally today.

“Singtel is the perfect partner for us as we continue to help businesses fight cyber-crime, protect data and reduce security risk, and the Trustwave team is thrilled to become a part of such a prestigious and innovative organization,” McCullen said in a statement.

Trustwave is a large company in the security space with more than 2.7 million business customers globally across 96 countries. Definitely one of the leaders in the managed security services market.

This will take Singtel (who already has a strong hold on the services market) to a whole new level in the infosec space.

The deal will help Singtel establish itself as a global security player.

“Our extensive customer reach and strong suite of ICT [information and communication technology] services, together with Trustwave’s deep cyber-security capabilities, will create a powerful combination and allow Singtel to capture global opportunities in the cyber-security space,” Chua Sock Koong, Singtel Group CEO, said in a statement.

Trustwave is active in multiple areas of cyber-security and has more than 1,200 employees based in 26 countries and currently operates global security operations centers (SOCs) in Chicago, Denver, Minneapolis, Manila and Warsaw.

Trustwave has managed security offerings as well as stand-alone products. In 2010, Trustwave acquired Breach Security, the primary commercial sponsor behind the widely deployed mod_security Web application firewall (WAF).

Also part of Trustwave is the SpiderLabs ethical hacking and threat research team, which has helped discover a number of important security threats in recent years. In August 2014, the U.S. Secret Service credited Trustwave with helping discover the backoff point-of-sale (POS) malware. Initially, the U.S Secret Service warned that 600 U.S. retailers had been impacted by backoff and later upped that number to more than 1,000 retailers.

Trustwave has also acquired a whole slew of smaller companies, which took them to the size they are now and contributed greatly to their software and service offerings, such as Finjan and MailMarshal, which came with the acquisition of M86.

It’s good to see the little rock down South of Malaysia making such a bold move.

Source: eWeek


07 April 2015 | 2,819 views

Watcher – Passive Web Application Vulnerability Scanner

Ever find yourself looking for that show-stopper exploit in a Web-app, and forgetting to check out all the low-hanging fruit? That’s initially why the authors created Watcher – a passive web application vulnerability scanner.

For one thing, you don’t want to manually inspect a Web-app for many of these issues (cookie settings, SSL configuration, information leaks, etc), but you still want to find and fix them. Watcher provides this level of security analysis, plus provides hot-spot detection to help pen-testers focus in on the spots that will lead to that show-stopper exploit.

Watcher is a Fiddler add-on which aims to assist penetration testers in passively finding Web-application vulnerabilities. The security field today has several good choices for HTTP proxies which assist auditors and pen-testers. The tool was implemented as a plugin for Fiddler which already provides the proxy framework for HTTP debugging.

Some reasons to use Watcher include:

  • Safe for the Cloud and hosting environments. Being passive gives Watcher several advantages – when applications live in the Cloud there’s often a risk that running security testing could damage the shared infrastructure. However, using a passive tool like Watcher ensures that there’s no chance of damaging Cloud-like infrastructure.
  • Safe for production environments. Watcher does not attack web-applications with loads of intrusive requests, it doesn’t modify inputs to your application. Unlike crawlers and web-application scanners, Watcher does not generate dangerous traffic. It quietly analyses normal user-interaction and makes educated reports on the security of an application.
  • Low overhead, no training. If you’re building web-applications you already have a development and test staff. Fiddler has been valuable to dev and test for years as a general-purpose HTTP debugging proxy. Watcher fits seamlessly into the picture, providing valuable security insight with no special training requirements, dedicated machines, or other resources.

Checks make up the most useful part of Watcher – they provide analysis of the HTTP traffic and reporting of security findings. As someone running the tool you can enable, disable, and configure checks independently. As a developer you can create custom and new checks for private use or to contribute to the public project.

Watcher currently ships with 38 standard checks. A check is defined as one set of logic usually stored in a single source code file. Checks can look for multiple issues, so a single check can end up reporting several separate findings.
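To make the “check” idea concrete, here is an added Python sketch of three passive checks of the kind listed above (cookie settings, SSL-related headers, information leaks) run over captured responses. It is not Watcher’s code, which is a .NET Fiddler add-on; the check names, the Response/Finding shapes, the HSTS max-age threshold and the sample traffic are all constructed for this example. Note that nothing is sent: the checks only read responses that already passed through, which is the property the bullets above are about, and one check (cookie-flags) can report several findings from a single response.

```python
"""Passive HTTP response checks in the spirit of Watcher: inspect captured
responses, never send requests. Added example; the check names, finding format,
HSTS threshold and sample responses are constructed, not Watcher's own."""
import re
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple


class Response(NamedTuple):
    url: str
    status: int
    headers: List[Tuple[str, str]]  # list, so repeated Set-Cookie headers survive


class Finding(NamedTuple):
    check: str
    url: str
    message: str


def _hdrs(resp: Response, name: str) -> List[str]:
    """All values of a header, matched case-insensitively."""
    return [v for k, v in resp.headers if k.lower() == name.lower()]


def check_cookie_flags(resp: Response) -> List[Finding]:
    """One check, possibly several findings: one per weak Set-Cookie header."""
    out = []
    for cookie in _hdrs(resp, "Set-Cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if resp.url.startswith("https://") and "secure" not in attrs:
            out.append(Finding("cookie-flags", resp.url, f"cookie {name!r} lacks Secure"))
        if "httponly" not in attrs:
            out.append(Finding("cookie-flags", resp.url, f"cookie {name!r} lacks HttpOnly"))
    return out


HSTS_MIN_AGE = 15552000  # ~180 days; an assumed threshold for this example


def check_hsts(resp: Response) -> List[Finding]:
    """HTTPS responses should carry Strict-Transport-Security with a sane max-age."""
    if not resp.url.startswith("https://"):
        return []
    values = _hdrs(resp, "Strict-Transport-Security")
    if not values:
        return [Finding("hsts", resp.url, "no Strict-Transport-Security header")]
    m = re.search(r"max-age=(\d+)", values[0], re.I)
    if not m or int(m.group(1)) < HSTS_MIN_AGE:
        return [Finding("hsts", resp.url, f"weak HSTS policy: {values[0]!r}")]
    return []


VERSION_RE = re.compile(r"\d+\.\d+")


def check_version_leak(resp: Response) -> List[Finding]:
    """Information leak: Server / X-Powered-By headers that disclose a version."""
    out = []
    for h in ("Server", "X-Powered-By"):
        for v in _hdrs(resp, h):
            if VERSION_RE.search(v):
                out.append(Finding("info-leak", resp.url, f"{h} discloses version: {v!r}"))
    return out


# Check registry: the operator enables or disables checks independently by name.
CHECKS: Dict[str, Callable[[Response], List[Finding]]] = {
    "cookie-flags": check_cookie_flags,
    "hsts": check_hsts,
    "info-leak": check_version_leak,
}


def run_checks(responses: List[Response], enabled: Optional[List[str]] = None) -> List[Finding]:
    """Apply the enabled checks (default: all) to every captured response."""
    active = [CHECKS[n] for n in (enabled or CHECKS)]
    return [f for r in responses for chk in active for f in chk(r)]


# Constructed sample traffic, as a proxy would have recorded it.
SAMPLE = [
    Response("https://app.example/login", 200, [
        ("Server", "Apache/2.2.22 (Ubuntu)"),
        ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
        ("Set-Cookie", "prefs=dark; Path=/"),
    ]),
    Response("https://app.example/", 200, [
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Set-Cookie", "csrf=xyz; Secure; HttpOnly; SameSite=Strict"),
    ]),
]

if __name__ == "__main__":
    for f in run_checks(SAMPLE):
        print(f"[{f.check}] {f.url}: {f.message}")
```

Adding a new check is just another function in the registry that takes a Response and returns findings, which mirrors the one-check-per-source-file model described above.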

The contents below are divided by the categories in which different checks operate. Within each category individual checks have been documented separately.

You can download Watcher here:

WatcherSetup.exe

Or read more here.


04 April 2015 | 1,566 views

Commix – Command Injection Attack Tool

Commix (short for [comm]and [i]njection e[x]ploiter) has a simple environment and can be used by web developers, penetration testers or even security researchers to test web applications with a view to finding bugs, errors or vulnerabilities related to command injection attacks.

By using this command injection attack tool, it is very easy to find and exploit a command injection vulnerability in a certain vulnerable parameter or string.

Commix is written in Python programming language.
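What a tool like Commix is probing for, seen from the developer’s side, as an added Python example (this is not Commix code; the ping wrapper, the hostname allow-list, the helper names and the sample inputs are constructed). The vulnerable pattern builds a shell command string from a request parameter, so a separator in the value becomes a second command. The hardened version validates the value against an allow-list and passes it as a single argv element with no shell involved, and a small heuristic shows what a WAF or log review can key on.

```python
"""Command injection: the vulnerable pattern beside its hardened form.
Added example, not Commix code; the ping wrapper, allow-list regex and
sample inputs are constructed for illustration."""
import re
import shlex
from typing import List

# Allow-list for a hostname parameter; the leading-dash check also stops
# argument injection (a value like "-c" being read as an option by ping).
HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")
SHELL_META = set(";|&`$(){}<>\n")
SEPARATORS = {";", "&&", "||", "|", "&"}


def vulnerable_command(host: str) -> str:
    """The bug: untrusted input interpolated into a string meant for shell=True."""
    return f"ping -c 1 {host}"


def hardened_command(host: str) -> List[str]:
    """The fix: validate, then hand the value over as one argv element (no shell)."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def rejected(host: str) -> bool:
    """True when the hardened path refuses the value."""
    try:
        hardened_command(host)
    except ValueError:
        return True
    return False


def shell_tokens(cmd: str) -> List[str]:
    """Tokenise cmd the way a POSIX shell would, keeping ; | & as tokens."""
    return list(shlex.shlex(cmd, posix=True, punctuation_chars=True))


def command_count(cmd: str) -> int:
    """How many separate commands the shell would run for cmd."""
    return 1 + sum(1 for t in shell_tokens(cmd) if t in SEPARATORS)


def looks_injected(value: str) -> bool:
    """Detection-side heuristic: shell metacharacters inside a parameter value."""
    return any(ch in SHELL_META for ch in value)


if __name__ == "__main__":
    # Constructed inputs: a normal value and one carrying a command separator.
    for value in ("example.com", "example.com; id"):
        cmd = vulnerable_command(value)
        print(f"vulnerable: {cmd!r} -> {command_count(cmd)} command(s), "
              f"suspicious={looks_injected(value)}")
        print(f"hardened:   rejected={rejected(value)}")
```

Even without the regex, the argv form never reaches a shell, so the separator would simply be part of a (bad) hostname; the allow-list is there because ping would still parse leading dashes as options.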

Usage

You can download commix here by cloning the Github repo:

Or read more here.


02 April 2015 | 674 views

Google Revoking Trust In CNNIC Issued Certificates

So another digital certificate fiasco, once again involving China via CNNIC (no surprise there), this time by way of Egypt. Google is going to remove the CNNIC Root and EV CAs from their products, probably with the next version of Chrome that gets pushed out.

As of yet, no action has been taken by Firefox – or at least no release has been published.

Following the incident in which an Egypt-based company issued unauthorized digital certificates for several Google domains using an intermediate certificate from the China Internet Network Information Center (CNNIC), the search giant has decided to revoke trust in CNNIC certificates.

The change will take effect in a future Chrome release, Google noted on Wednesday in an update made to its initial blog post on the matter.

“As a result of a joint investigation of the events surrounding this incident by Google and CNNIC, we have decided that the CNNIC Root and EV CAs will no longer be recognized in Google products,” said Google security engineer Adam Langley. “To assist customers affected by this decision, for a limited time we will allow CNNIC’s existing certificates to continue to be marked as trusted in Chrome, through the use of a publicly disclosed whitelist.”

The incident came to light last week, when Google revealed that several unauthorized certificates had been issued by Egypt-based MCS Holdings and installed on an internal firewall device that acted as a man-in-the-middle (MitM) proxy.

CNNIC revoked the intermediate certificate used by MCS Holdings and pointed out that the Egyptian firm should have used it to issue only certificates for domains it had registered.

Proper certs being used for MITM attacks, pretty dodgy indeed. Especially as CNNIC is included in all major root stores, this does constitute a fairly serious breach of the Certificate Authority system.

I’m pretty sure CNNIC will be ‘let back in’ at some point, meaning their certs will be reissued and reinstated, but for now – they are OUT!

CNNIC’s certificates are included in all major root stores and Google believes this was a “serious breach of the CA system.” After being alerted by Google, both Mozilla and Microsoft took steps to protect Firefox and Internet Explorer users.

Langley said that while there is no evidence to suggest that other fake certificates have been issued or that the ones from MCS Holdings were used outside of the company’s own network, CNNIC will have to take measures before it can earn Google’s trust again.

“CNNIC will implement Certificate Transparency for all of their certificates prior to any request for reinclusion. We applaud CNNIC on their proactive steps, and welcome them to reapply once suitable technical and procedural controls are in place,” Langley said.

In a brief statement issued on Thursday, CNNIC urged Google to reconsider its decision.

“The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urge that Google would take users’ rights and interests into full consideration,” CNNIC stated. “For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.”

Mozilla could also take action against CNNIC, but the company is still discussing options with members of its community.

You can read the full post from Google here: Maintaining digital certificate security

And the statement from CNNIC here: Declaration

Source: Security Week


31 March 2015 | 1,815 views

Pentoo – Gentoo Based Penetration Testing Linux LiveCD

Pentoo is a Gentoo based penetration testing Linux LiveCD. It’s basically a Gentoo install with lots of customized tools, a customized kernel, and much more. Here is a non-exhaustive list of the features currently included:

  • Hardened Kernel with aufs patches
  • Backported Wifi stack from latest stable kernel release
  • Module loading support ala slax
  • Changes saving on usb stick
  • XFCE4 wm
  • Cuda/OPENCL cracking support with development tools
  • System updates if you got it finally installed

Put simply, Pentoo is Gentoo with the Pentoo overlay. This overlay is available in layman so all you have to do is layman -L and layman -a pentoo. We have a pentoo/pentoo meta ebuild and multiple pentoo profiles, which will install all the pentoo tools based on USE flags.

Pentoo has been around for a LONG time, it even got a brief mention in our epic 2006 article 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) with over a million views. But it was pretty new back then, 9 years later it’s still around (unlike most of the other LiveCD distros which have disappeared).

It’s also still active and has a 2015 release just out! It’s great to see such a dedicated team working on something for so many years.

Tool Categories

  • Analyzer
  • Bluetooth
  • Cracker
  • Database
  • Development
  • Exploit
  • Footprint
  • Forensics
  • Forging
  • Fuzzers
  • Misc
  • MitM
  • Pentoo
  • Proxy
  • RCE
  • Scanner
  • SIP-VOIP
  • Wireless

Notable Changes in 2015.0 RC3.7

  • Changes saving (including unetbooting support)
  • CUDA/OpenCL Enhanced cracking software
  • Kernel 3.15.5 and all needed patches for injection
  • XFCE 4.10

The full tool list is available here (it’s HUGE):

tools_list_x86_64_2014_0_RC3_5

You can download Pentoo 2015.0 RC3.7 here:

Direct – pentoo-amd64-hardened-2015.0_RC3.7.iso
Torrent – Pentoo_Linux_amd64_hardened_2015.0_RC3.7.torrent

Or read more here.