Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

28 March 2015 | 590 views

Onapsis Bizploit v1.50 – SAP Penetration Testing Framework

Check Your Web Security with Acunetix

Onapsis Bizploit is an SAP penetration testing framework to assist security professionals in the discovery, exploration, vulnerability assessment and exploitation phases of specialized SAP security assessment. The framework currently ships with many plugins to assess the security of SAP Business Platforms. Additional plugins are available for broader platform support including Oracle.

Onapsis Bizploit v1.50 - SAP Penetration Testing Framework

Nowadays, most organizations which use SAP are going beyond the simple definition of SAP roles and profiles. They have incorporated the technical layer of their SAP platform into their regular risk assessment processes, in order to address the increased threat of cyber-attacks to their business-critical systems.

With Bizploit, you can perform basic analysis of some of the existing technical vulnerabilities affecting your SAP systems, which often pose critical risks to the integrity of the entire platform.

New in v1.50

  • New exploits for Management Console.
  • New modules for SAProuter.
  • New modules for remote execution of RFC Functions.
  • Module to detect the CTC Verb Tampering vulnerability.
  • Several bug fixes.

You can download Bizploit here (requires registration):

Windows
Linux

Or read more here.

Advertisements



24 March 2015 | 863 views

Yasca – Multi-Language Static Analysis Toolset

Yasca is an open source program which looks for security vulnerabilities, code-quality, performance, and conformance to best practices in program source code. It’s basically a tool-kit for multi-language static analysis.

Yasca can scan source code written in Java, C/C++, HTML, JavaScript, ASP, ColdFusion, PHP, COBOL, .NET, and other languages

Yasca - Multi-Language Static Analysis Toolset

It leverages on external open source programs, such as:

Yasca can be used to scan specific file types, and also contains many custom scanners developed just for it. It is a command-line tool that generates reports in HTML, CSV, XML, SQLite, and other formats. Yasca is easily extensible via a plugin-based architecture, so scanning any particular file is as simple as coming up with the rules or integrating external tools. Yasca also features a simple regular-expression plugin that allows new rules to be written in less than a minute.

Yasca is written in command-line PHP and released under the BSD license.

Usage

You can download Yasca here:

yasca-2.1.zip

Or read more here.


21 March 2015 | 1,090 views

XSSYA v2.0 Released – XSS Vulnerability Confirmation Tool

We first published about XSSYA back in 2014, and it seemed to be pretty popular, there’s not a whole lot of tools in the XSS (Cross Site Scripting) space.

For those who are unfamiliar, XSSYA used to be Cross Site Scripting aka XSS Vulnerability Scanner & Confirmation tool – the scanning portion has been removed to reduce false positives and it now focuses on XSS Vulnerability Confirmation.

It uses two main methods:

  • Method number 1 for Confirmation Request and Response
  • Method number 2 for Confirmation Execute encoded payload and search for the same payload in web HTML code but decoded

XSSYA v2.0 Released - XSS Vulnerability Confirmation Tool

We have written about a couple of XSS related tools before:

XSS-Proxy – Cross Site Scripting Attack Tool
XSS Shell v0.3.9 – Cross Site Scripting Backdoor Tool

Features

  • Supports HTTPS
  • After Confirmation (execute payload to get cookies)
  • Identify 3 Types of WAF (Mod_Security – WebKnight – F5 BIG IP)
  • Can be run in Windows & Linux
  • XSSYA has a library of encoded payloads To bypass WAF (Web Application Firewall)
  • Supports saving the HTML before executing the payload

What’s new in v2.0?

  • More payloads; library contains 41 payloads to enhance detection level
  • XSS scanner is now removed from XSSYA to reduce false positive
  • URLs to be tested used to not allow any character at the end of the URL except (/ – = -?) but now this limitation has been removed
  • HTML5 Payloads
  • IP Address Conversion (Hex, DWORD, Octal etc)
  • XST (Cross Site Tracing) Detection

You can download XSSYA here:

master.zip

Or read more here.


19 March 2015 | 355 views

Pinterest Bug Bounty Program Starts Paying

There’s been a fair bit of news about bug bounty programs in the past year or so, with Twitter officially starting to pay bug bounties at the end of 2014 and Google recently removing the caps from their program and making Pwnium all year round.

Pinterest Bug Bounty Program Starts Paying

The latest news is Pinterest bug bounty program has started paying (finally), before this they just offered t-shirts and were sceptical about opening up paid bounties as they were exposed to multiple flaws because they hadn’t fully adopted HTTPS.

Pinterest’s journey toward becoming a fully HTTPS website opened a lot of doors, including a potentially profitable one for hackers.

The social networking site this week announced that it would begin paying cash rewards through its bug bounty program, upping the stakes from the T-shirt it originally offered last May when it kicked off the Bugcrowd-hosted initiative.

The news complements Pinterest’s full adoption of encrypted communication and traffic from its website.

“I feel HTTPS will soon be seen as a requirement for anyone doing business online,” said Paul Moreno, security engineering lead on Pinterest’s cloud team.

Pinterest spells out the scope of its bounty program on its Bugcrowd page. The company said it will start paying between $25 and $200 for vulnerabilities found on a number of Pinterest properties, including its developer site, iOS and Android mobile applications, API, and ads pages among others.

“We have a strong experimentation culture and we feel that HTTPS foundation provides the minimal baseline for us to get higher value bugs,” Moreno told Threatpost. “We are experimenting with the paid approach for these community sourced higher value bugs and will evaluate the program periodically.”

The bug bounty payout was discussed during the announcement of their full move to HTTPS and discusses some of the issues they faced and of course the good parts of moving to a full HTTPS site.

You can read the original full blog post here: Making Pinterest HTTPS

Many high-value Internet properties have moved to HTTPS in the wake of the Snowden revelations. The continuous flow of leaked documents demonstrating the breadth of government surveillance and collection of personal data has accelerated a number of tech companies’ migrations to HTTPS.

Moreno said that Pinterest’s move to HTTPS, however, was not without its challenges. Standing out among them was the site’s working relationships with content delivery networks (CDNs) that support HTTPS and Pinterest’s digital certificates. Other expected challenges, Moreno said, were some marginal performance issues, older browser support, mixed content warnings, and referral header removal from HTTPS to HTTP sites.

Once a test was rolled out to its large Pinner community in the U.K., Moreno said some unexpected issues cropped up including CDN content that broke the site’s Pin It functionality and some sitemap files that were not updated to point to HTTPS domains. Those were addressed respectively by orchestrating a DNS change to a new CDN provider, and the implementation of a meta referrer header to support HTTPS tracking to HTTP sites.

“In addition, having multiple CDN providers that supported HTTPS gave us options for performance as well as commercial leverage,” Moreno said in a blogpost announcing the move.

“In the end, we enhanced the privacy of Pinners by enabling encryption while also hindering exploitation by way of man-in-the-middle attacks, session hijacking, content injection, etc. This also paved the way for future products that may require HTTPS to launch,” Moreno said.

The bug bounty program with more details can be found here: Pinterest @ Bugcrowd with outlines for minimum rewards.

It basically covers all Pinterest domains, mobile apps and subdomains, and there’s been a 10x increase of bugs submitted – which is not surprising really. Money is WAY better than a t-shirt.

Source: ThreatPost


14 March 2015 | 1,184 views

wig – CMS Identification & Information Gathering Tool

wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications. It’s strength is CMS identification, it can also attempt to do OS fingerprinting.

wig - CMS Identification & Information Gathering Tool

The application fingerprinting is based on checksums and string matching of known files for different versions of CMSes. This results in a score being calculated for each detected CMS and its versions. Each detected CMS is displayed along with the most probable version(s) of it. The score calculation is based on weights and the amount of “hits” for a given checksum.

wig also tries to guess the operating system on the server based on the ‘server’ and ‘x-powered-by’ headers. A database containing known header values for different operating systems is included in wig, which allows wig to guess Microsoft Windows versions and Linux distribution and version.

Version 0.5 has just been tagged/released on Github and there are a bunch of changes since our previous posting in 2014 – wig – WebApp Information Gatherer – Identify CMS

There are various other tools which perform similar functions such as CMS identification and issue detection:

CMSmap – Content Management System Security Scanner
Droopescan – Plugin Based CMS Security Scanner
WhatWeb – Identify CMS, Blogging Platform, Stats Packages & More
BlindElephant – Web Application Fingerprinter
Web-Sorrow v1.48 – Version Detection, CMS Identification & Enumeration
Wappalyzer – Web Technology Identifier (Identify CMS, JavaScript etc.)
WPScan – WordPress Security/Vulnerability Scanner

Features

  • CMS version detection by: check sums, string matching and extraction
  • Lists detected package and platform versions such as asp.net, php, openssl, apache
  • Detects JavaScript libraries
  • Operation system fingerprinting by matching php, apache and other packages against a values in wig’s database
  • Checks for files of interest such as administrative login pages, readmes, etc
  • Currently the wig’s databases include 28,000 fingerprints
  • Reuse information from previous runs (save the cache)
  • Implement a verbose option
  • Remove dependency on ‘requests’
  • Support for proxy
  • Proper threading support
  • Included check for known vulnerabilities

Changes Since wig v.01

  • Added fingerprints for more CMS, OS, platforms
  • Improved and updated old fingerprints
  • Proxy support
  • List vulnerabilies associated with detected software version
  • Added detection of JavaScript libs
  • General site information (currently title, cookie, ip)
  • Removed requirement for 3rd party python libs (requests). Now only requires Python3
  • Improved verbose output
  • Added a cache
  • Improved structure of the output
  • Detection of generally interesting files (readme, backups, etc)
  • Implemented proper threading via thread pool

Requirements

wig is built with Python 3, and is therefore not compatible with Python 2.

Usage

You can download wig v0.5 here:

0.5.1.zip

Or read more here.


12 March 2015 | 1,983 views

Rowhammer – DDR3 Exploit – What You Need To Know

So the big news this week was the release of details of a very clever hardware attack posted by Google’s Project Zero security initiative called Rowhammer. The impressive part is this is a hardware/manufacturing bug that has elevated to a software based attack.

Rowhammer - DDR3 Exploit - What You Need To Know

In simple terms Rowhammer is an attack that exploits physical weaknesses in certain types of DDR memory chips (DDR3) to elevate the system rights of untrusted users of Intel-compatible PCs running Linux. It writes and rewrites memory to force capacitor errors in DRAM, which can be exploited to gain control of the system.

This corruption can lead to the wrong instructions being executed, or control structures that govern how memory is assigned to programs being altered – the latter case can be used by a normal program to gain kernel-level privileges (privilege escalation).

You can read the Google post here: Exploiting the DRAM rowhammer bug to gain kernel privileges

“Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.

Definitely one of the more interesting attacks vectors that have popped up in recent history, the last one as interesting/impressive as this was probably the researchers cracking 4096-bit RSA Encryption with a microphone.

The attack is based on work by scientists from 2014 that proved “bit flipping” could take place, you can find the related academic paper here: Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors [PDF]

Memory isolation is a key property of a reliable and secure computing system — an access to one memory address should not have unintended side effects on data stored in other addresses. However, as DRAM process technology scales down to smaller dimensions, it becomes more difficult to prevent DRAM cells from electrically interacting with each other. In this paper, we expose the vulnerability of commodity DRAM chips to disturbance errors. By reading from the same address in DRAM, we show that it is possible to corrupt data in nearby addresses. More specifically, activating the same row in DRAM corrupts data in nearby rows. We demonstrate this phenomenon on Intel and AMD systems using a malicious program that generates many DRAM accesses.

The research unveiled this week shows how the technique can be turned into an actual attack.

If you’re using ECC memory it will protect you to a certain degree (as you should be if you’re running servers), but won’t make you immune as it won’t protect you against multiple bit flips at once, given enough tries a malicious attacker could pull this off.

If you’re using DDR4 however, you should be immune to this.

The problem with this flaw from a security perspective, is we can’t patch it..it’s a hardware issue. And well, as anyone who has worked in datacenters or server grade computing knows – those DIMMs are not going to get replaced any time soon.

You can find the Rowhammer test on Github here: https://github.com/google/rowhammer-test

“Rowhammer” is a problem with recent DRAM modules in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. This repo contains a program for testing for the rowhammer problem which runs as a normal userland process.

Does this affect the average man on the street? No. Do we as security professionally and people who write code have to consider this, yes we do.

It’s quite an academic/theoretical attack – but also yields quite consistent results.

The team tested the exploit on 29 x86 laptops built between 2010 and 2014 and using DDR3 DRAM. In 15 cases the team could successfully subvert the systems in minutes, and found DRAM made by a variety of memory manufacturers is susceptible to the attack.

While this was a high cracking rate, the team reported almost no success on desktop machines. This is possibly because those computers use newer RAM with error-correcting memory (ECC), which makes rowhammer attacks on the kernel much harder to accomplish, or that laptops have denser and lower-power RAM that’s easier to corrupt.

From: Ouch! Google crocks capacitors and deviates DRAM to root Linux


09 March 2015 | 896 views

MessenPass – Recover MSN, Yahoo Messenger, ICQ, Trillian Passwords

MessenPass is a password recovery tool that reveals the passwords of the many popular Instant Messaging applications.

MessenPass - Recover MSN, Yahoo Messenger, ICQ, Trillian Passwords

MessenPass can only be used to recover the passwords for the current logged-on user on your local computer, and it only works if you chose the remember your password in one of the above programs. You cannot use this utility for grabbing the passwords of other users.

MessenPass supports password recovery for the following IM apps:

  • MSN Messenger
  • Windows Messenger (In Windows XP)
  • Windows Live Messenger (In Windows XP/Vista/7)
  • Yahoo Messenger (Versions 5.x and 6.x)
  • Google Talk
  • ICQ Lite 4.x/5.x/2003
  • AOL Instant Messenger v4.6 or below, AIM 6.x, and AIM Pro.
  • Trillian
  • Trillian Astra
  • Miranda
  • GAIM/Pidgin
  • MySpace IM
  • PaltalkScene
  • Digsby

Installing MessenPass

MessenPass can be used without any installation process, simply by running the executable file (mspass.exe) from the zip file.
If you want to install MessenPass with automatic creation of program group icons and uninstall support, download and run the self-install executable file.

Using MessenPass

When you run MessenPass, it automatically detects the Instant Messenger applications installed on your computer, decrypts the passwords they store, and displays all user name/password pairs that it found in the main window of MessenPass. If from some reason, MessenPass fails to locate the installed Instant Messenger application, you can try to manually select the right folder of your IM application by using ‘Select Folders’ option (from the File menu).

On the main window of MessenPass, you can select one or more password items, and then copy them to the clipboard in tab-delimited format (you can paste this format into Excel or Open-Office Spreadsheet), or save them into text/html files.

You can download MessenPass here:

mspass.zip

Or read more here.


07 March 2015 | 3,451 views

Santoku Linux – Mobile Forensics, Malware Analysis, and App Security Testing LiveCD

The word santoku loosely translates as ‘three virtues’ or ‘three uses’. Santoku Linux has been crafted with a plethora of open source tools to support you in three endeavours, mobile forensics, malware analysis and security testing. Boot into Santoku and get to work, with the latest security tools and utilities focused on mobile platforms such as Android and iOS.

Santoku - Mobile Forensics, Malware Analysis, and App Security Testing LiveCD

Pre-installed platform SDKs, drivers, and utilities, plus helpful tools for easy deployment and control of mobile apps. Auto Detection and setup of new connected mobile devices. To make future updating of Santoku WAY easier for users, we’re hosting a repository. Set it up just once and get updates with package management instead of downloading a whole new iso.

Mobile Forensics

Tools to acquire and analyze data

  • Firmware flashing tools for multiple manufacturers
  • Imaging tools for NAND, media cards, and RAM
  • Free versions of some commercial forensics tools
  • Useful scripts and utilities specifically designed for mobile forensics

Mobile Malware

Tools for examining mobile malware

  • Mobile device emulators
  • Utilities to simulate network services for dynamic analysis
  • Decompilation and disassembly tools
  • Access to malware databases

Mobile Security

Assessment of mobile apps

  • Decompilation and disassembly tools
  • Scripts to detect common issues in mobile applications
  • Scripts to automate decrypting binaries, deploying apps, enumerating app details, and more

You can download Santoku here:

santoku_0.5.iso (Direct ISO)
santoku_0.5.iso.torrent (Torrent)

Or read more here.


05 March 2015 | 570 views

Acunetix Clamps Down On Costly Website Security With Online Solution

As cyber security continues to hit the headlines, even smaller companies can expect to be subject to scrutiny and therefore securing their website is more important than ever. In response to this, Acunetix are offering the online edition of their vulnerability scanner at a new lower entry price. This new option allows consumers to opt for the ability to scan just one target or website and is a further step in making the top of the range scanner accessible to a wider market.

Acunetix clamps down on costly website security with online solution

A web vulnerability scanner allows the user to identify any weaknesses in their website architecture which might aid a hacker. They are then given the full details of the problem in order to fix it. While the scanner might previously have been a niche product used by penetration testers, security experts and large corporations, in our current cyber security climate, such products need to be made available to a wider market. Acunetix have recognised this which is why both the product and its pricing have become more flexible and tailored to multiple types of user, with a one scan target option now available at 295 Euros. Pricing for other options has also been reduced by around 15% to reflect the current strength of the dollar. Use of the network scanning element of the product is also currently being offered completely free.

Acunetix CEO Nicholas Galea said: “Due to recent attacks such as the Sony hack and the Anthem Inc breach, companies are under increasing pressure to ensure their websites and networks are secure. We’ve been continuously developing our vulnerability scanner for a decade now, it’s a pioneer in the field and continues to be the tool of choice for many security experts. We feel it’s a tool which can benefit a far wider market which is why we developed the more flexible and affordable online version.

About Acunetix Vulnerability Scanner (Online version)

User-friendly and competitively priced, Acunetix Vulnerability Scanner fully interprets and scans websites, including HTML5 and JavaScript and detects a large number of vulnerabilities, including SQL Injection and Cross Site Scripting, eliminating false positives. Acunetix beats competing products in many areas; including speed, the strongest support of modern technologies such as JavaScript, the lowest number of false positives and the ability to access restricted areas with ease. Acunetix also has the most advanced detection of WordPress vulnerabilities and a wide range of reports including HIPAA and PCI compliance.

Users can sign up for a trial of the online version of Acunetix which includes the option to run free network scans.

About Acunetix

Acunetix is the market leader in web application security technology, founded to combat the alarming rise in web attacks. Its products and technologies are the result of a decade of work by a team of highly experienced security developers. Acunetix’ customers include the U.S. Army, KPMG, Adidas and Fujitsu. More information can be found at www.acunetix.com.


03 March 2015 | 1,781 views

Appie – Portable Android Security Testing Suite

Appie is a collection of software packages in a portable Windows format to help with Android security testing, specifically penetration testing Android applications. Appie since its latest release can also help with security assessments, forensics and malware analysis.

It is completely portable and can be carried on USB stick or your smartphone.

Appie – Android Portable Pen-testing Suite

Appie was designed to avoid the use of heavy/large VM machines and the associated images, instead choosing to run the apps on the host machine using a portable console emulator for Windows (cmder).

Various tools are included such as:

You can download Appie here:

Appie2.zip

Or read more here.