Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

25 July 2014 | 174 views

Gauntlt – Security Testing Framework For Developers & Ops

Prevent Network Security Leaks with Acunetix

Gauntlt provides hooks to a variety of security tools and puts them within reach of security, dev and ops teams to collaborate to build rugged software. It is built to facilitate testing and communication between groups and create actionable tests that can be hooked into your deploy and testing processes.

Gauntlt - Security Testing Framework For Developers & Ops

To use gauntlt, you will need one or more attack files. An attack file is a plain text file written with Gherkin syntax and named with the .attack extension. For more info on the Gherkin syntax, have a look at Cucumber. A gauntlt attack file is almost the same as a cucumber feature file. The main difference is that gauntlt aims to provide the user with predefined steps geared towards security and durability testing so that you do not have to write your own step definitions, whereas cucumber is aimed at developers and stakeholders building features from end to end. Gauntlt and cucumber can and do work together harmoniously.

Example attack file:

Features

  • Gauntlt attacks are written in a easy-to-read language
  • Easily hooks into your org’s testing tools and processes
  • Security tool adapters come with gauntlt
  • Uses unix standard error and standard out to pass status

Tools Supported

You will need to install each tool yourself before you can use it with gauntlt. However, if you try to use a tool that is not installed or that gauntlt cannot find, you will get a helpful error message from gauntlt with information on how to install and/or configure the tool for use with gauntlt.

The authors also include a generic attack adapter that allows you to run anything on the command line, parse its output and check its exit status.

You can download Gauntlt here (using the starter kit):

Pre-requisites

  • Virtual Box
  • Vagrant

Or read more here.



23 July 2014 | 1,110 views

Clear Your Cookies? You Can’t Escape Canvas Fingerprinting

So tracking is getting even trickier, it seems canvas fingerprinting would work in any browser that supports HTML5 and is pretty hard to stop as a user, as it’s a basic feature (a website instructing your browser to draw an image using canvas).

And it turns out, every single browser will draw the image slightly differently, so they can track you regardless of your cookie/privacy settings by asking your browser to redraw the image then I assume quickly scanning a database of image checksums for a match.

Canvas Fingerprinting

It wouldn’t exactly tie to your identity (unless you did it on a site that requires/supports login) but it would tie your usage together across sites, especially any sites using AddThis (which I could never stand).

A new, extremely persistent type of online tracking is shadowing visitors to thousands of top websites, from WhiteHouse.gov to YouPorn.com.

The type of tracking, called canvas fingerprinting, works by instructing the visitor’s web browser to draw a hidden image, and was first documented in a upcoming paper by researchers at Princeton University and KU Leuven University in Belgium. Because each computer draws the image slightly differently, the images can be used to assign each user’s device a number that uniquely identifies it.

Like other tracking tools, canvas fingerprints are used to build profiles of users based on the websites they visit — profiles that shape which ads, news articles or other types of content are displayed to them.

But fingerprints are unusually hard to block: They can’t be prevented by using standard web browser privacy settings or using anti-tracking tools

The researchers found canvas fingerprinting computer code, primarily written by a company called AddThis, on 5% of the top 100,000 websites. Most of the code was on websites that use AddThis’ social media sharing tools. Other fingerprinters include the German digital marketer Ligatus and the Canadian dating site Plentyoffish. (A list of all the websites on which researchers found the code is here).

A lot of sites use AddThis, so a lot of users are being tracked, the article/research states 5% of the top 100,000 websites. So at least 5000 high traffic sites are capturing user data in this rather underhanded way.

I can foresee a lot of people removing AddThis from their sites if this news gets any kind of traction.

You can find a list of the sites with the fingerprinting code here – Sites with canvas fingerprinting scripts

Rich Harris, chief executive of AddThis, said that the company began testing canvas fingerprinting earlier this year as a possible way to replace “cookies,” the traditional way that users are tracked, via text files installed on their computers.

“We’re looking for a cookie alternative,” Harris said in an interview.

Harris said the company considered the privacy implications of canvas fingerprinting before launching the test, but decided “this is well within the rules and regulations and laws and policies that we have.”

He added that the company has only used the data collected from canvas fingerprints for internal research and development. The company won’t use the data for ad targeting or personalization if users install the AddThis opt-out cookie on their computers, he said.

Arvind Narayanan, the computer science professor who led the Princeton research team, countered that forcing users to take AddThis at its word about how their data will be used, is “not the best privacy assurance.”

It’s all pretty shady, but honestly we have to assume people are doing this type of stuff because one of those most valuable things you can create from the Internet is user data. Especially usage/consumption patterns, even if it doesn’t tie to specific humans – the data itself is very valuable to people making marketing decisions based on it.

Plus whatever AddThis is doing isn’t regulated in any way, so they can say they are gonna stop/change but just continue on anyway. If you wear a Tinfoil hat, you are probably already using Tor Browser anyway – so good for you.

The full paper is also available here – The Web Never Forgets [PDF]

Source: Mashable


21 July 2014 | 680 views

clipcaptcha – CAPTCHA Service Impersonation Tool

clipcaptcha is an extensible and signature based CAPTCHA Provider impersonation tool based off Moxie Marlinspike’s sslstrip codebase, which we mentioned back in 2009 – SSLstrip – HTTPS Stripping Attack Tool.

Depending on its mode of operation it may approve, reject or forward the CAPTCHA verification requests. It maintains an easy to edit XML configuration file that it queries to identify CAPTCHA provider request formats and render corresponding responses.

clipcaptcha - CAPTCHA Service Impersonation Tool

Signature based CAPTCHA provider detection

All CAPTCHA providers are basically HTTP based custom web services. These services accept CAPTCHA validation requests in a particular format and respond with finite set of responses that allow the clients to make Boolean choices to allow or disallow the request. clipcaptcha takes advantage of this finite and predictable request and response data set to implement signature based request detection and response system.

Running clipcaptcha

The four steps to getting this working on Linux are:

1. Enable forwarding mode on your machine

2. Setup iptables to redirect HTTP traffic to clipcaptcha.

3. Run arpspoof to redirect the traffic to your machine.

4. Run clipcaptcha in one of its mode of operation.

Requirements

It requires Python 2.5 or newer, along with the ‘twisted’ python module.

You can download clipcaptcha here:

clipcaptcha-v0.1.zip

Or read more here.


18 July 2014 | 1,768 views

Microsoft Says You SHOULD Re-use Passwords Across Sites

Ok so we constantly tell people not to reuse passwords across sites, because if they are stored in plain text (and leaked) those naughty hackers now have your e-mail address AND your password and can wreak havoc on your life.

Which is pretty much true, but Microsoft disagrees and there is some validity to what they say, if you MUST re-use passwords (which you shouldn’t) – do so only on low risk sites (anything without payment details really).

Re-use Passwords - what madness!

Keep the good passwords for the important sites (like online banking).

As for me, I say use a bloody password manager, generate different passwords for every site and make them all strong! A good online password manager is free, and even though some of them appear to not be totally secure (as we wrote a few days ago) – they are certainly better than not using one.

Microsoft has rammed a research rod into the security spokes of the internet by advocating for password reuse in a paper that thoroughly derails the credentials best practise wagon.

Password reuse has become a pariah in internet security circles in recent years following a barrage of breaches that prompted pleas from hacked businesses and media outlets to stop repeating access codes across web sites.

The recommendations appeared logical; hackers with email addresses and passwords in hand could test those credentials against other websites to gain easy illegal access.

Now Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada, have shot holes through the security dogma in a paper Password portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts (PDF).

The trio argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites.

I’m not sure why we are arguing about this though, I honestly don’t even know any of my passwords any more (or try to remember then) as for one, I have over 100 and I don’t have to. I use a password manager (PassPack in my case).

I only need to remember 1 login/password combo and 1 really strong keyphrase (which even the experts agree, is way better than a contiguous password).

Users should therefore slap the same simple passwords across free websites that don’t hold important information and save the tough and unique ones for banking websites and other repositories of high-value information.

“The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio,” the trio wrote.

“Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum.”

Password sets should be reused across groups of websites. Those sites holding little personal information could be placed in the users’ ‘go-ahead-and-hack-me’ bucket protected by codes like P@ssword1, while sites where pwnage would trigger fire and brimstone should be protected by complex and unique login credentials.

Hackable groups “should be very exposed” and “should have weak passwords”, the researchers said, because pushing users to light up even a small amount of grey matter “would be wasteful”.

The Redmond research realises the realities of userland security; People are bad at remembering passwords and seemingly worse at caring about the issue of security.

Research published in 2012 found the average Brit glued the same five passwords to their 26 online accounts while one in 25 used the same code for everything.

You can read the full paper here – Password portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts [PDF]

The whole issue is kind of sad if you ask me.

It’ll be interesting to see if any kind of counter-studies are done on this, or anyone comes out with a rebuttal of any sort. It’s a little odd to release a research paper on something that’s basically an opinion though.

Source: The Register


16 July 2014 | 2,355 views

FakeNet – Windows Network Simulation Tool For Malware Analysis

FakeNet is a Windows Network Simulation Tool that aids in the dynamic analysis of malicious software. The tool simulates a network so that malware interacting with a remote host continues to run allowing the analyst to observe the malware’s network activity from within a safe environment.

Windows Network Simulation Tool

The goal of the project is to:

  1. Be easy to install and use; the tool runs on Windows and requires no 3rd party libraries
  2. Support the most common protocols used by malware
  3. Perform all activity on the local machine to avoid the need for a second virtual machine
  4. Provide python extensions for adding new or custom protocols
  5. Keep the malware running so that you can observe as much of its functionality as possible
  6. Have a flexible configuration, but no required configuration

The tool is in its infancy of development. The team started working on the tool in January 2012 and intend to maintain the tool and add new and useful features. If you find a bug or have a cool feature you think would improve the tool please do contact them.

Features

  • Supports DNS, HTTP, and SSL
  • HTTP server always serves a file and tries to serve a meaningful file; if the malware request a .jpg then a properly formatted .jpg is served, etc. The files being served are user configurable.
  • Ability to redirect all traffic to the localhost, including traffic destined for a hard-coded IP address.
  • Python extensions, including a sample extension that implements SMTP and SMTP over SSL.
  • Built in ability to create a capture file (.pcap) for packets on localhost.
  • Dummy listener that will listen for traffic on any port, auto-detect and decrypt SSL traffic and display the content to the console.

Right now the tool only supports WinXP Service Pack 3. The tool runs fine on Windows Vista/7 although certain features will be automatically disabled.

You can download FakeNet here:

Fakenet1.0c.zip

Or read more here.


14 July 2014 | 2,734 views

Password Manager Security – LastPass, RoboForm Etc Are Not That Safe

We’ve talked a lot about using a password manager to secure, generate and manage your passwords – way back since 2008 when we introduced you to the Password Hasher Firefox Extension.

Since then we’ve also mentioned it multiple times in articles where plain text passwords were leaked during hacks, such as the Cupid Media hack which exposed 42 Million plain text passwords.

Password Manager Security

Now some researchers have ganged up and are taking a really close look at some of the popular password management solutions and password manager security. Honestly I haven’t heard of My1Login, PasswordBox or NeedMyPassword and wonder why they are included over more popular choices like PassPack and 1Password.

Researchers have detailed a series of quickly patched vulnerabilities in five popular password managers that could allow attackers to steal user credentials.

“Critical” vulnerabilities were discovered and reported in LastPass, RoboForm, My1Login, PasswordBox and NeedMyPassword in work described by the University of California Berkeley researchers as a “wake-up call” for developers of web password vaults.

“Our attacks are severe: in four out of the five password managers we studied, an attacker can learn a user’s credentials for arbitrary websites,” Researchers Zhiwei Li, Warren He, Devdatta Akhawe, and Dawn Song wrote in the paper The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers (PDF).

“We find vulnerabilities in diverse features like one-time passwords, bookmarklets, and shared passwords.

“The root-causes of the vulnerabilities are also diverse: ranging from logic and authorisation mistakes to misunderstandings about the web security model, in addition to the typical vulnerabilities like CSRF (cross site request forgery) and XSS (cross site scripting).”

The LastPass bookmarklet option which permitted ad-hoc integration with Safari on iOS was found vulnerable if users were tricked into running the Java code on an attackers’ site.

I just hope this means that PassPack is so secure they left it out (because that’s the one I use). I also chose PassPack because the choice was really between that or LastPass and LastPass has faced some security issues and does some things in rather pointless ways.

PassPack address the LastPass masked password features for example here: Why Masked Passwords Are a Serious Security Hole

I’m fairly certain though, all current password management solutions have security flaws – I just hope the companies developing them take them seriously (however much of an edge case they are) and address them.

A carder, for example, could set up a fake banking site in an attempt to con the less than one percent of LastPass users running bookmarklets to log in. Doing so could allow attackers to extract passwords from the victim’s LastPass vault.

A second CSRF bug affected LastPass one time passwords. It could allow attackers to see which apps and devices were running LastPass, to steal the entire master password-encrypted vault for later brute-forcing, and to erase any stored website password.

The disclosure prompted LastPass to issue a statement playing down vulnerabilities affecting its Java bookmarklets and one time passwords which if run on a malicious website could compromise user accounts prior to a fix pushed out in September.

“If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords, though we don’t think it is necessary,” chief information officer Joe Siegrist said.

“The OTP attack is a ‘targeted attack’ requiring an attacker to know the user’s username to potentially exploit it, and serve that custom attack [for each] user [which is] activity which we have not seen.

“Even if this was exploited, the attacker would still not have the key to decrypt user data.”

The research did not signal curtains for web password managers, but rather served as a warning to developers and users of inherent security risks.

You can check out the original paper here – The Emperor’s New Password Manager: Security Analysis of Web-based Password Managers [PDF].

My sceptical side however does see this a little like a pre-marketing stunt, where these guys prove everyone else is insecure (or at least find some guys are partially insecure), publish the details then come out with a new super secure alternative..which you have to pay for obviously.

We shall of course have to wait and see if that happens.

Source: The Register


09 July 2014 | 1,647 views

dirs3arch – HTTP File & Directory Brute Forcing Tool

dirs3arch is a simple command line tool designed to brute force directories and files in websites. It’s a HTTP File & Directory Brute Forcing Tool similar to DirBuster.

dirs3arch - HTTP File & Directory Brute Forcing Tool

Features

  • Keep alive connections
  • Multithreaded
  • Detect not found web pages when 404 not found errors are masked (.htaccess, web.config, etc).
  • Recursive brute forcing

Getting Started

You can download dirs3arch here:

v0.2.3.zip

Or read more here.


07 July 2014 | 1,741 views

Hacking Your Fridge – Internet of Things Security

So one of the latest fads is IoT or the Internet of things phenomena which has been talked about for a while (especially since the discussion of IPv6 started), IoT is connecting physical items to the Internet and giving them some kind of IP (be in NAT or a proper IPv6 address).

This enabled you to control your lights (on/off & dimming) via your phone, or anything else that can be connected (turn on your kettle, check your fridge temperature, warm up your oven etc).

The possibilities are basically endless.

Internet of Things Security

The issues IoT brings is of course a whole new set of security concerns, if everything is Internet connected, it’s also prone to get hacked, spammed, DDoSed and generally fscked up.

Imagine if your house alarm is Internet savvy and someone DDoSed the control box, so you can’t get into your own house, unless you pay some kind of ransom. These things are going to happen.

Those convinced that the emerging Internet of Things (IoT) will become a hackers’ playground were given more grist for their mill with news on Friday that security researchers have discovered a weakness in Wi-Fi/mesh networked lightbulbs.

Researchers at Context Information Security discovered that LED light bulbs from manufacturer LIFX – which are designed to be controlled from a smartphone – have security weaknesses. By gaining access to the master bulb, Context was able to control all connected lightbulbs and expose user network configurations.

Context worked with LIFX to develop a patch for the security bug before releasing a fix in the form of a firmware update. Simon Walker from LIFX stated: “Prior to the patch, no one other than Context had exposed this vulnerability, most likely due to the complexity of the equipment and reverse engineering required.”

Thankfully IoT is a fairly new thing so not many malicious hackers are looking into it, plus for now – there’s no real monetary value when it comes to hacking into a lightbulb. Rather annoying yes? Business critical? No.

That is of course, until the point where your Lightbulb is part of your corporate LAN and hacking the lightbulb gives you access to the internal network..then it becomes a whole different story.

Context’s find is part of its ongoing research into the security of the Internet of Things (IoT) – which includes parking meters, internet-enabled fridges and much more besides. Many of these components are being put together with little thought for basic security precautions, according to Context.

“It is clear that in the dash to get onto the IoT bandwagon, security is not being prioritised as highly as it should be in many connected devices,” said Michael Jordon, research director at Context. “We have also found vulnerabilities in other internet connected devices from home storage systems and printers to baby monitors and children’s toys.”

So yah, as IoT becomes more of a ‘thing’ and adoption goes up, Internet of Things Security is going to become a major issue and it could well become the next hackers playground.

Fortunately this case is more of a research/knowledge share than actually something exposing risk or a published zero-day exploit against an IoT device. I would imagine in the coming year or so we’ll see a lot more similar incidents.

Source: The Register


04 July 2014 | 2,730 views

ODAT (Oracle Database Attacking Tool) – Test Oracle Database Security

ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that test Oracle database security remotely.

Usage examples of ODAT:

  • You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database
  • You have a valid Oracle account on a database and want to escalate your privileges (ex: SYSDBA)
  • You have a valid Oracle account and want to execute commands on the operating system hosting this DB (ex: reverse shell)

ODAT (Oracle Database Attacking Tool)

Features

  • search valid SID on a remote Oracle Database listener via: a dictionary attack/a brute force attack/ALIAS of the listener
  • search Oracle accounts using: a dictionary attack/each Oracle user like the password
  • execute system commands on the database server using: DBMS_SCHEDULER/JAVA/external tables/oradbg
  • download files stored on the database server using: UTL_FILE/external tables/CTXSYS
  • upload files on the database server using: UTL_FILE/DBMS_XSLPROCESSOR/DBMS_ADVISOR
  • delete files using: UTL_FILE
  • send/reveive HTTP requests from the database server using: UTL_HTTP/HttpUriType
  • scan ports of the local server or a remote server using: UTL_HTTP/HttpUriType/UTL_TCP
  • exploit the CVE-2012-313 (http://cvedetails.com/cve/2012-3137)

Install/Dependencies

ODAT is compatible with Linux only. A standalone version exists in order to don’t have need to install dependencies and slqplus (see the build folder of the git). The ODAT standalone has been generated thanks to pyinstaller.

If you want to have the development version installed on your computer, these following tool and dependencies are needed:

  • Langage: Python 2.7
  • Oracle dependancies: Instant Oracle basic & Instant Oracle sdk
  • Python libraries: cx_Oracle with the following recommended – colorlog/termcolor/argcomplete/pyinstaller

You can download ODAT standalone here:

32-Bit – odat-linux-libc2.19-i686.tar.gz
64-Bit – odat-linux-libc2.19-x86_64.tar.gz

Or read more here.


02 July 2014 | 1,365 views

Microsoft’s Anti-Malware Action Cripples Dynamic DNS Service No-IP

So it looks like Microsoft has been a little heavy handed in this case, the case of dynamic DNS provider No-IP serving up malware. I would imagine most of us have utilised a dynamic DNS service at some point to map a dynamic IP address to a memorable domain.

It seems that malware folks have been using dynamic DNS services to mask their activities, it has been reported before by Cisco and No-IP appears to be one of the worst perpetrators (even though it’s through no real fault of their own).

Dynamic DNS Malware

This time though, Microsoft went straight into the legal system and took control of 23 domains owned by No-IP (Vitalwerks) – this has disrupted the services of approximately 4 million No-IP clients (according to them).

Microsoft has won a court order to gain control of 23 No-IP domains owned by dynamic DNS (DDNS) provider Vitalwerks Internet Solutions. The US software giant claimed the domains were being used by malware developed in the Middle East and Africa.

Vitalwerks operates its No-IP DDNS service from Nevada, and there is no suggestion it is in league with malware operators.

The service works by mapping users’ IP addresses, such as a home router’s public address, to a customized No-IP domain-name like myhouse.ddns.net. This allows you to connect to a system using a memorable sub-domain if you forget your IP address or your ISP changes it.

Microsoft’s security research team claimed it had identified two pieces of Windows malware, Bladabindi and Jenxcus, using No-IP sub-domains to communicate with their creators in 93 per cent of detected infections, and that 245 other pieces of malware also use No-IP.

“Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity,” claimed Richard Boscovich, assistant general counsel of Microsoft Digital Crimes Unit.

The unfortunate part, is that the domains seized are pretty much all of the services popular domains, which I imagine renders the majority of their service down.

There’s an update from their CEO here – A Message From Our CEO – Dan Durrer

And an overwhelming support on Twitter – #FreeNoIP

Court papers filed in Nevada alleged that Bladabindi was written by Naser Al Mutairi, a Kuwaiti national, while Jenxcus is allegedly run by an Algerian man named as Mohamed Benabdellah. Microsoft claimed the two have sold over 500 copies of the malware to crooks, and actively advertise it while using No-IP to help cover their tracks. The software giant said it has detected over seven million infections by the two packages.

The court has now granted a temporary restraining order against No-IP – as Microsoft accused the DNS biz of acting negligently, and claimed some of the sub-domains contained “Microsoft’s protected marks.”

Redmond further alleged that the defendants in its lawsuit – Al Mutairi, Benabdellah, Vitalwerks and 500 John Does – “violated federal and state law by distributing malicious software through more than 18,000 sub-domains belonging to No-IP, causing the unlawful intrusion into, infection of, and further illegal conduct involving, the personal computers of innocent persons, thereby causing harm to those persons, Microsoft, and the public at large.”

It’s not exactly certain what is going to happen in this case, but I’m pretty sure everyone involved is working towards a less harsh solution. The official statement from No-IP can be found here: No-IP’s Formal Statement on Microsoft Takedown

It’s going to seriously disrupt their service though, I can’t imagine how many gaming servers are down right now! They have updated with a list of currently working domains though if you are using the service you can switch your host to:

  • ddns.net
  • webhop.me
  • serveminecraft.net
  • ddnsking.com
  • onthewifi.com

Source: The Register