Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

04 July 2015 | 598 views

AddressSanitizer – A Fast Memory Error Detector

Cyber Raptors Hunting Your Data?

AddressSanitizer (aka ASan) is a very fast memory error detector for C/C++, Tthe average slowdown of the instrumented program is ~2x. The tool works on x86 Linux and Mac, and ARM Android. AddressSanitizer is based on compiler instrumentation and directly-mapped shadow memory.

AddressSanitizer - A Fast Memory Error Detector

The tool consists of a compiler instrumentation module (currently, an LLVM pass) and a run-time library which replaces the malloc function.

Features

It finds:

  • Use after free (dangling pointer dereference)
  • Heap buffer overflow
  • Stack buffer overflow
  • Global buffer overflow
  • Use after return
  • Initialization order bugs

Using AddressSanitize

In order to use AddressSanitizer you will need to compile and link your program using clang with the -fsanitize=address switch. To get a reasonable performance add -O1 or higher, and to get nicer stack traces in error messages add -fno-omit-frame-pointer.

Limitations

AddressSanitizer does not prevent any uninitialized memory reads, and only prevents some use-after-return bugs. It is also not capable of preventing all arbitrary memory corruption bugs. Arbitrary write bugs due to integer underflow/overflows (when the integer with undefined behaviour is used to calculate memory address offsets). Adjacent buffers in structs and classes are not protected from overflow, in part to prevent breaking backwards compatibility

You can get AddressSanitizer as a part of LLVM starting with version 3.1 and a part of GCC starting with version 4.8.

Or read more here.

Advertisements



02 July 2015 | 561 views

Acunetix WVS 10 Released – Keeping Your Website Secure just got Easier

Acunetix WVS 10 Released

Acunetix, the pioneer in automated web application security software, has announced the release of version 10 of its Vulnerability Scanner. New features are designed to prevent the risk of hacking for all customers; from small businesses up to large enterprises, including WordPress users, web application developers and pen testers.

Acunetix WVS 10 Released - Keeping Your Website Secure just got Easier

With the number of cyber-attacks drastically up in the last year and the cost of breaches doubling, never has limiting this risk been such a high priority and a cost-effective investment. The 2015 Information Security Breaches Survey from PWC found 90% of large organisations had suffered a breach and average costs have escalated to over £3m per breach, at the higher end.

“It’s a sad fact that today the odds are that your business has already been breached, perhaps multiple times. Don’t let cyber-criminals drive your web app security strategy. Proactively identify security exploits before criminals do and take back control,” said Nick Galea, CEO, Acunetix.

The areas of a website which are most likely to be attacked and are prone to vulnerabilities are those areas that require a user to login. Therefore the latest version of Acunetix vastly improves on its ‘Login Sequence Recorder’ which can now navigate multi-step authenticated areas automatically and with ease. It crawls at lightning speed with its ‘DeepScan’ crawling engine now analyzing web applications developed using both Java Frameworks and Ruby on Rails. Version 10 also improves the automated scanning of RESTful and SOAP-based web services and can now detect over 1200 vulnerabilities in WordPress core and plugins.

“Acunetix maintains its lead in cutting-edge web application technologies. By re-engineering the ‘Login Sequence Recorder’ from the ground up and baking-in support for external tools, we have extended the scanner’s reach into web applications, further bridging the gap between manual and automated security testing,” added Nick Galea.

New in WVS 10

  • ‘Login Sequence Recorder’ has been re-engineered from the ground-up to allow restricted areas to be scanned entirely automatically.
  • Now tests for over 1200 WordPress-specific vulnerabilities in the WordPress core and plugins.
  • Acunetix WVS Crawl data can be augmented using the output of: Fiddler .saz files, Burp Suite saved items, Burp Suite state files, HTTP Archive (.har) files, Acunetix HTTP Sniffer logs, Selenium IDE Scripts.
  • Improved support for Java Frameworks (Java Server Faces [JSF], Spring and Struts) and Ruby on Rails.
  • Increased web services support for web applications which make use of WSDL based web-services, Microsoft WCF-based web services and RESTful web services.
  • Ships with a malware URL detection service, which is used to analyse all the external links found during a scan against a constantly updated database of Malware and Phishing URLs.

Automated scanning of restricted areas

Latest automation functionality makes Acunetix not only even easier to use, but gives better peace of mind through ensuring the entire website is scanned. Restricted areas, especially user login pages, make it more difficult for a scanner to access and often required manual intervention. The Acunetix “Login Sequence Recorder” overcomes this, having been significantly improved to allow restricted areas to be scanned completely automatically. This includes the ability to scan web applications that use Single Sign-On (SSO) and OAuth-based authentication. With the recorder following user actions rather than HTTP requests, it drastically improves support for anti-CSRF tokens, nonces or other one-time tokens, which are often used in restricted areas.

Top dog in WordPress vulnerability detection

With WordPress sites having exceeded 74 million in number, a single vulnerability found in the WordPress core, or even in a plugin, can be used to attack millions of individual sites. The flexibility of being able to use externally developed plugins leads to the development of even more vulnerabilities. Acunetix v10 now tests for over 1200 WordPress-specific vulnerabilities, based on the most frequently downloaded plugins, while still retaining the ability to detect vulnerabilities in custom built plugins. No other scanner on the market can detect as many WordPress vulnerabilities.

Support for various development architectures and web services

Many enterprise-grade, mission critical applications are built using Java Frameworks and Ruby on Rails. Version 10 has been engineered to accurately crawl and scan web applications built using these technologies. With the increase in HTML5 Single Page Applications and mobile applications, web services have become a significant attack vector. The new version improves support  for SOAP-based web services with WSDL and WCF descriptions as well as automated scanning of RESTful web services using WADL definitions. Furthermore, version 10, introduces dynamic crawl pre-seeding by integrating with external, third-party tools including Fiddler, Burp Suite and the Selenium IDE to enhance Business Logic Testing and the workflow between Manual Testing and Automation.

Detection of Malware and Phishing URLs

Acunetix WVS 10 will ship with a malware URL detection service, which is used to analyse all the external links found during a scan against a constantly updated database of Malware and Phishing URLs. The Malware Detection Service makes use of the Google and Yandex Safe Browsing Database.

A trial version can be downloaded from:

http://www.acunetix.com/vulnerability-scanner/download/


30 June 2015 | 1,439 views

WATOBO – The Web Application Security Auditing Toolbox

WATOBO – The Web Application Security Auditing Toolbox – is intended to enable security professionals to perform highly efficient (semi-automated ) web application security audits.

It is capable of passive as well as active scanning and this latest is its real value added. It enables to automatize the discovery of common vulnerabilities (XSS, LFI, SQL injections etc) in web applications.

WATOBO - The Web Application Security Auditing Toolbox

WATOBO works like a local proxy, similar to ZAP, Paros or Burp Suite but in Ruby, when the rest are pretty much in JAVA.

Features

  • WATOBO has Session Management capabilities! You can define login scripts as well as logout signatures. So you don’t have to login manually each time you get logged out.
  • WATOB can act as an transparent proxy
  • WATOBO has anti-CSRF features
  • WATOBO can perform vulnerability checks out of the box.
  • WATOBO supports Inline De-/Encoding, so you don’t have to copy strings to a transcoder and back again. Just do it inside the request/response window with a simple mouse click.
  • WATOBO has smart filter functions, so you can find and navigate to the most interesting parts of the application easily.
  • WATOBO is written in (FX)Ruby and enables you to easiely define your own checks
  • WATOBO is free software ( licensed under the GNU General Public License Version 2)

Scanning/Active Checks

During a scan all selected active modules will be used to test the one or more chats (chat = request/response pair). The total amount of resulting requests is hard to predict because in most cases it depends on the number of parameters and the module itself. Here’s the list of the currently available active checks:

  • Server-Status page
  • Directory Walker
  • FileExtensions
  • HTTP Methods
  • Lotus Domino DB Enumeration
  • .NET Custom Error
  • .NET Files
  • Local File Inclusion
  • Crossdomain Policy
  • Basic JBoss enumeration
  • SAP ITS: Default Commands
  • SAP ITS: Default Services
  • SAP ITS: Service Parameters
  • SAP ITS: XSS
  • Siebel Applications
  • Error-based SQL-Injection
  • Time-based SQL Injection
  • Boolean SQL-Injection
  • Numerical SQL-Injection
  • XML-XXE
  • NextGeneration Cross Site Scripting Checks
  • Simple Cross Site Scripting Checks

You can download WATOBO 0.9.20 gem here:

watobo-0.9.20.gem

Or read more here.


28 June 2015 | 949 views

BTCrawler – Bluetooth Diagnostic & Discovery Tool

BTCrawler is an application used to to discover Bluetooth devices and the services they provide, it is useful if you wish to know which Bluetooth enabled devices are in your proximity for debugging, spying, curiosity or any other purpose.

BTCrawler - Bluetooth Diagnostic & Discovery Tool

With this program you’ll be even able to find every service provided by those devices and to list all its Bluetooth attributes.

When the application is started, it firstly enables the Bluetooth service on the device if it was not already on and then it searches for information about all pre-known devices. During those operations a wait screen is shown. Please be patient, because the initial loading can take a little long.

Features

  • List pre-known devices and devices cached by the local Bluetooth implementation;
  • New device discovery;
  • Per device service discovery;
  • Customizable list of discovered services;
  • Complete attribute list for each device or service.

All known properties of any discovered device will be shown. Such properties include:

  • The device name;
  • The device Bluetooth address;
  • The major class of the device;
  • The minor class of the device;
  • The list of classes of service provided by the device.

It will then iterate through the services available on the device, and of those services it will attempt to discover the service attributes of each available service.

You can download BTCrawler here:

BTCrawler.jar

Or read more here.


23 June 2015 | 1,721 views

unix-privesc-check – Unix/Linux User Privilege Escalation Scanner

Unix-privesc-checker is a Unix/Linux User privilege escalation scanner that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).

It’s similar in some ways to – LinEnum – Linux Enumeration & Privilege Escalation Tool.

unix-privesc-check - Unix/Linux User Privilege Escalation Scanner

It is written as a single shell script so it can be easily uploaded and run (as opposed to un-tarred, compiled and installed). It can run either as a normal user or as root (obviously it does a better job when running as root because it can read more files).

unix-privesc-check is intended to be run by security auditors and penetration testers against systems they have been engaged to assess, and also by system administrators who want to check for “obvious” misconfiguration. It can even be run as a cron job so you can check regularly for misconfiguration that might be introduced.

The author wanted to write something that was at least partially useful to penetration testers when they gained access to a low-privilege account and wanted to escalate privileges. There are lots of things that pen-testers will check in this situation and one of the most tedious to check is weak file permissions – this of often one of the most fruitful, though, so there’s no avoiding it.

Checks Performed

  • Writable Home Directories
  • Readable /etc/shadow
  • Weak Permissions On Cron Jobs
  • Writable Configuration Files
  • Writable Device Files
  • Readable Files In Home Directories
  • Running Processes Correspond To Writable Programs
  • sudo Configuration
  • Accounts with no Password

You can download v2.1 here:

master.zip

Or read more here.


20 June 2015 | 3,863 views

Parrot Security OS – Debian Based Security Oriented Operating System

Parrot Security OS is a security oriented operating system designed for Penetration Testing, Computer Forensic, Reverse engineering, Hacking, Privacy/Anonymity and Cryptography.

Instead of installing the OS then painstakingly assembling your collection of security tools (and package dependencies), using something like Parrot Security OS takes care of all that for you.

Parrot Security OS - Debian Based Security Oriented Operating System

It is based on Debian and developed by Frozenbox network. Parrot is designed for everyone, from the Pro pen-tester to the newbie, because it provides the most professional tools combined in a easy to use, fast and lightweight pen-testing environment, and it can be used also for an everyday use.

Features

  • Updated pen-testing tools
  • Great for forensic analysis
  • Custom hardened 3.16 kernel
  • MATE interface with custom themes, wallpapers and icons
  • Fast lightweight system designed also for old computers
  • PenMode + AirMode
  • AnonSurf functionality (tor & i2p)
  • Pandora’s box ram cleaner at shutdown
  • Encrypted installation
  • Cryptocurrency friendly
  • All the necessary for programming out of the box
  • Cloud compatible

Rather than downloading the whole ISO, there’s also a BASH script version which turns a regular Debian Stable install into Parrot Security OS, you can find the script here:

parrot-install.sh

You can download Parrot Security OS here:

amd64 Parrot Full – Parrot-full-1.9_amd64.iso
i386 Parrot Full – Parrot-1.9_i386.iso

Or read more here.


18 June 2015 | 2,615 views

Apple’s Password Storing Keychain Cracked on iOS & OS X

And another password shocker, a few days after ‘cloud’ password service LastPass was pretty seriously hacked (yah if you’re using it, change your master password) critical 0-day flaws in Apple’s password storing keychain have been exposed.

Apple's Password Storing Keychain Cracked on iOS & OS X

Which is kinda funny, as after the LastPass hack I saw some people espousing the usage of Apple’s keychain as much more secure. And now, Apple’s keychain cracked – and in a really serious way.

Six university researchers have revealed deadly zero-day flaws in Apple’s iOS and OS X, claiming it is possible to crack Apple’s password-storing keychain, break app sandboxes, and bypass its App Store security checks.

Attackers can steal passwords from installed apps, including the native email client, without being detected, by exploiting these bugs.

The team was able to upload malware to the Apple app store, passing the vetting process without triggering alerts. That malware, when installed on a victim’s device, raided the keychain to steal passwords for services including iCloud and the Mail app, and all those stored within Google Chrome.

Lead researcher Luyi Xing told El Reg he and his team complied with Apple’s request to withhold publication of the research for six months, but had not heard back as of the time of writing.

They say the holes are still present in Apple’s software, meaning their work will likely be consumed by attackers looking to weaponize the work.

Apple was not available for immediate comment.

It’s pretty serious as they managed to bypass the app store vetting and can grab access tokens and data from other apps on the device including high profile apps like Facebook, Evernote and iCloud itself even while sandboxed.

The sad part is, Apple was notified about this 6 months ago and still haven’t fixed it – the only fast moving response came from Google’s Chromium security team who removed keychain integration for Chrome, noting that it could likely not be solved at the application level.

“Recently we discovered a set of surprising security vulnerabilities in Apple’s Mac OS and iOS that allows a malicious app to gain unauthorised access to other apps’ sensitive data such as passwords and tokens for iCloud, Mail app and all web passwords stored by Google Chrome,” Xing told The Register’s security desk.

“Our malicious apps successfully went through Apple’s vetting process and was published on Apple’s Mac app store and iOS app store.

“We completely cracked the keychain service – used to store passwords and other credentials for different Apple apps – and sandbox containers on OS X, and also identified new weaknesses within the inter-app communication mechanisms on OS X and iOS which can be used to steal confidential data from Evernote, Facebook and other high-profile apps.”

The team was able to raid banking credentials from Google Chrome on the latest OS X 10.10.3, using a sandboxed app to steal the system’s keychain data and secret iCloud tokens, and passwords from password vaults.

If any malicious teams are out there using this, it could be really bad – and well if they aren’t already using it my bet is they will be by tomorrow.

I guess it’ll probably be blocked from the app store by then though, now it’s getting widespread media coverage.

You can read the full report, including in-depth technical details here – Unauthorized Cross-App Resource Access on MAC OS X and iOS

Source: The Register


14 June 2015 | 2,206 views

Just-Metadata – Gathers & Analyse IP Address Metadata

Just-Metadata is a tool that can be used to gather IP address metadata passively about a large number of IP addresses, and attempt to extrapolate relationships that might not otherwise be seen. Just-Metadata has “gather” modules which are used to gather metadata about IPs loaded into the framework across multiple resources on the internet. Just-Metadata also has “analysis” modules. These are used to analyze the data loaded Just-Metadata and perform various operations that can identify potential relationships between the loaded systems.

Just-Metadata - Gathers & Analyse IP Address Metadata

Just-Metadata will allow you to quickly find the Top “X” number of states, cities, timezones, etc. that the loaded IP addresses are located in. It will allow you to search for IP addresses by country. You can search all IPs to find which ones are used in callbacks as identified by VirusTotal. Want to see if any IPs loaded have been documented as taking part of attacks via the Animus Project, Just-Metadata can do it.

Additionally, it is easy to create new analysis modules to let people find other relationships between IPs loaded based on the available data. New intel gathering modules can be easily added in just as easily.

Features

Just-Metadata gathers various publicly available IP address metadata such as:

  • Geo-location information
    • Country
    • City
    • Timezone
    • GPS Coordinates
  • ISP
  • Is it a known attacker documented by the Animus Project?
  • Do the attacking IP addresses share any common traits
    • SSH Keys
    • HTTPS Certificates
    • Certificate Chains
  • What common ports are open across the attacking IPs?
  • Are any of the IPs known by VirusTotal?
  • Shodan information (Ports, keys, certificates, etc.)

Requirements

Ideally, you should be able to run the setup script, and it will install everything you need.

For the Shodan information gathering module, YOU WILL NEED a Shodan API key. This costs like $9 bucks, come on now, it’s worth it :).

I’ll be looking forwards to future versions with cli based input and output for scripting and chaining this with other tools, with a bit of data crunching and pattern matching/machine learning it could be turned into a fairly intelligent attack pre-warning system.

You can download Just-Metadata v1.0 here:

Just-Metadata-1.0.zip

Or read more here.


11 June 2015 | 1,465 views

Agile Security – How Does It Fit Into A World Of Continuous Delivery

So, Agile Security? How does it fit into the new age of rapid iteration, continuous integration and continuous development? It’s an interesting discussion and personally very on point for me as I operate in an agile organisation and just today took (and passed yay me) my Scrum Master certification.

The traditional silo approach of security is already breaking down as in smaller organisations it was typically part of the ops team, and with the whole DevOps movement, infrastructure as code and CI/CD – that silo is already getting busted up.

Agile Security - How Does It Fit Into A World Of Continuous Delivery

And I have to agree, the next silo to combust will be security – it has to adapt, become more agile and more integrated into the development flow from the beginning.

Continuous delivery of software and applications is one of the most significant advancements that has taken place in the computing industry in the past 25 years. It is catching on so fast that you can now hear the death rattle of the 18-month software delivery cycle. The rise of cloud computing infrastructures — both in corporate data centers and infrastructure-as-as-service providers (IaaS) such as Amazon Web Services (AWS) — is powered by agile software development teams using orchestration tools like Puppet and Chef to decouple application development from the infrastructure, adding speed and agility to the enterprise.

Just as enterprise computing is having its DevOps moment, though, much of the security profession has woken up to the fact they are mired in the traditional infrastructure and silo approach. When everything in computing is dynamic, distributed, heterogeneous, and hybrid (i.e., alive), security that is bonded to static infrastructures like the network — an architecture based on hierarchies and chokepoints — appears out of sync with the new reality. If you are a security professional, continuous delivery and agile development is your future.

Consider the traditional approach to securing applications. Development creates a new app and then passes it over to the infrastructure team, which then onboards it to server, storage, and networking platforms. When that is complete, the security team comes in to protect it so employees, partners, suppliers, and customers can use it securely.

Waterfall is dying off, I mean it’s still ok for simple projects with few changes (low complexity) but for the real world, agile is SO much better at adapting to change and building relevant, high quality software which delivers maximum value to the business.

So security needs to get out of the oldskool models of being an after-thought, or an entire separate “ops” stage like architecture, infrastructure and deployment used to be.

For security to flourish in the age of continuous delivery, it must meet the following requirements:

1. Security policy must be embedded into the application development cycle at inception. This means developers must co-join with infrastructure and security teams to create and instrument policy when they are creating new apps. Just as continuous delivery dissolves the barriers between developers and infrastructure, security will be the next silo to go.

2. Enforcement of security policies must move and adapt with the continuous delivery approach. If new applications are moved between private clouds and IaaS environments, security must move with the applications.

3. Thus, security must be decoupled from infrastructure to support the distributed and fluid nature of continuous, on-demand applications and supporting infrastructures. This provides an added benefit of being able to dynamically add resources on-demand, including security

4. Finally, as Gartner notes, security must offer detective, preventive, responsive, and predictive capabilities that adapt with changes in the threat environment and provide transparency to the various IT constituencies involved.

So what do we do? What’s the way forwards? I’m personally a huge fan of tools like Code Climate which perform static analysis on every commit to your Github repo, it actually uses Brakeman for Ruby security for example and it’s all integrated so it works brilliantly in an agile development flow.

This pushes basic security responsibility to the developers and couples it with code quality, style and test coverage.

There’s much more than this we can do, but it’s a whole new movement I guess – exciting times ahead.

Source: Security Week


09 June 2015 | 2,036 views

Patator – Multi-threaded Service & URL Brute Forcing Tool

Patator is an extremely flexible, module, multi-threaded, multi-purpose service & URL brute forcing tool written in Python that can be used in many ways. Basically the author got tired of using Medusa, Hydra, ncrack, metasploit auxiliary modules, nmap NSE scripts and the like because:

  • They either do not work or are not reliable (got me false negatives several times in the past)
  • They are not flexible enough (how to iterate over all wordlists, fuzz any module parameter)
  • They lack useful features (display progress or pause during execution)

Patator - Multi-threaded Service & URL Brute Forcing Tool

Features

Basically you should give Patator a try once you get disappointed by Medusa, Hydra or other brute-force tools and are about to code your own small script because Patator does the following:

  1. No false negatives, as it is the user that decides what results to ignore based on the status code of the response, the size of the response and/or matching strings/regex
  2. Modular Design (not limited to network modules, e.g. unzip_pass)
  3. Interactive runtime (shows progress, pause/unpause)
  4. Use persistent connections
  5. Multi-threaded
  6. Flexible user input (any module parameter can be fuzzed)
  7. Save every response (along with the request) to separate log files for later review.

Modules

  • ftp_login : Brute-force FTP
  • ssh_login : Brute-force SSH
  • telnet_login : Brute-force Telnet
  • smtp_login : Brute-force SMTP
  • smtp_vrfy : Enumerate valid users using the SMTP VRFY command
  • smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
  • finger_lookup : Enumerate valid users using Finger
  • http_fuzz : Brute-force HTTP/HTTPS
  • pop_login : Brute-force POP
  • pop_passd : Brute-force poppassd (not POP3)
  • imap_login : Brute-force IMAP
  • ldap_login : Brute-force LDAP
  • smb_login : Brute-force SMB
  • smb_lookupsid : Brute-force SMB SID-lookup
  • rlogin_login : Brute-force rlogin
  • vmauthd_login : Brute-force VMware Authentication Daemon
  • mssql_login : Brute-force MSSQL
  • oracle_login : Brute-force Oracle
  • mysql_login : Brute-force MySQL
  • mysql_query : Brute-force MySQL queries
  • pgsql_login : Brute-force PostgreSQL
  • vnc_login : Brute-force VNC
  • dns_forward : Brute-force DNS
  • dns_reverse : Brute-force DNS (reverse lookup subnets)
  • ike_enum : Enumerate IKE transforms
  • snmp_login : Brute-force SNMPv1/2 and SNMPv3
  • unzip_pass : Brute-force the password of encrypted ZIP files
  • keystore_pass : Brute-force the password of Java keystore files
  • umbraco_crack : Crack Umbraco HMAC-SHA1 password hashes

Patator is NOT script-kiddie friendly, please read the README inside patator.py before reporting/complaining/asking how to use this tool..

You can download Patator v0.6 here:

patator-0.6.zip

Or read more here.