Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

11 February 2016 | 544 views

Darknet Moving Servers & Upgrades Etc

Don't let your data go over to the Dark Side!

So way back, this was the site 10 years ago when it launched in 2006 – not ALL that much different from today to be honest.

Darknet Site - 2006

The current theme you see here has been in use since April 2010, so almost 6 years as of February 2016 – and it’s come time to change. Which is apt, as the one before that was used since the beginning of the site in 2006.

Darknet Site - 2010

The current theme is pretty cool but it’s not mobile friendly at all, it’s kinda old, it’s no longer supported and probably not utterly efficient. So over the coming few days I’ll be upgrading everthing:

– Fresh install Server OS (to Ubuntu 14.04 LTS)
– Fresh install and configure all server software (nginx, PHP, MySQL etc)
– Theme
– Plugins

And hopefully end up with a faster, more efficient, more stable and importantly mobile responsive site.

I’ll be sticking with Linode, because well it’s been really good (despite the pesky DDoS attacks).

Anyway, the point of this post is to let you know – you may well see some weirdness over the next few days as the DNS flip-flops, there may be some periods of downtime and things might look odd or keep shifting as I make changes to the new theme and functions of the site.

I hope to be all finished by Monday 15th Feb, so if it goes to plan – it should be business as usual then. Wish me luck.

And drop a comment below or on Facebook or contact me direct if you have any feature requests (within reason, like Facebook comments etc).


09 February 2016 | 1,213 views

YARA – Pattern Matching Tool For Malware Analysis

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic.

YARA - Pattern Matching Tool For Malware

YARA is multi-platform, running on Windows, Linux and Mac OS X, and can be used through its command-line interface or from your own Python scripts with the yara-python extension.

Quite a few tools related to intrusion detection, malware analysis and compromise detection tools utilise YARA rules during the scanning phase. LOKI and FastIR being two recent examples.

Sample Rule

Let’s see an example:

The above rule is telling YARA that any file containing one of the three strings must be reported as silent_banker. This is just a simple example, more complex and powerful rules can be created by using wild-cards, case-insensitive strings, regular expressions, special operators and many other features that you’ll find explained in YARA’s documentation.

You can also find some cool YARA rules at this project: https://github.com/Yara-Rules/rules/

You can download YARA here:


Or read more here.

06 February 2016 | 2,029 views

Gophish – Open-Source Phishing Framework

Gophish is a phishing framework that makes the simulation of real-world phishing attacks very straight forwards. The idea behind gophish is simple – make industry-grade phishing training available to everyone.

Gophish - Open-Source Phishing Framework

There are various other similar tools available such as Simple Phishing Toolkit and sptoolkit Rebirth.

I wonder if this is the beginning of an emergence of portable, compiled Golang based security tools.


  • One-click Installation
  • Standalone, portable binary with static assets
  • Point-and-click Phishing
  • Beautiful Web UI
  • Automated Phishing campaigns
  • RESTful API (JSON)
  • Automated Training
  • Open-Source

What’s New

Gopshish is pretty new and just hit the milestone of it’s first public beta release, so there are the main recent features:

  • Added the timeline feature for campaign results
  • Added default tracking to email templates
  • Added additional events (such as when errors occur)
  • Added the ability to access admin server/ phishing server over TLS
  • Multiple UI fixes/tweaks (datatables, etc.)
  • Added the ability to export results as CSV

You can download the User Guide here: Gopshish User Guide [PDF]

And you can download Gophish here:

Windows 64-Bit – gophish_windows_64bit.zip
Linux 64-Bit – gophish_linux_64bit.tar.gz
OSX 64-Bit – gophish_osx_64bit.zip

(If you’re still on a 32-Bit OS, you can go to the releases page to find a suitable download)

Or read more here.

04 February 2016 | 631 views

Malwarebytes Bug Bounty Program Goes Live

So Malwarebytes bug bounty program is live, the official name is actually Malwarebytes Coordinated Vulnerability Disclosure Program – what a mouthful (guidelines here).

Malwarebytes Bug Bounty Program Goes Live

It’s good to see, bug bounty programs typically tend to have a nett positive effect and end in win-win situations for researchers and software vendors alike.

In an effort to encourage researchers to responsibly disclose security flaws found in its products, anti-malware company Malwarebytes announced on Monday the launch of a bug bounty program.

The company is prepared to offer between $100 and $1,000 for eligible vulnerabilities, depending on how severe and exploitable they are. Bounty hunters are also offered an entry in the Malwarebytes Hall of Fame and “cool Malwarebytes swag.”

Malwarebytes’ Coordinated Vulnerability Disclosure program covers vulnerabilities found in the company’s products and web services, particularly weaknesses that can lead to remote code execution or sensitive information disclosure. Experts are also encouraged to report crashes and stability issues, but these are generally considered not eligible for a bounty.

In the case of vulnerabilities discovered by Malwarebytes in third-party products, the company’s standard public disclosure deadline is 150 days.

No surprise here, Tavis Ormandy is up to his tricks again and quite possible is the driving force behind the release of this bounty program. As he recently found several pretty serious buggs in Malwarebytes software.

The disclosure period is nice and long too, they give themselves 5 months to fix any bugs found – that seems more than ample.

The launch of Malwarebytes’ bug bounty program comes after Google researcher Tavis Ormandy reported finding several vulnerabilities in the consumer version of Malwarebytes Anti-Malware in early November.

Marcin Kleczynski, the CEO of Malwarebytes, said his company patched several of the vulnerabilities server-side within days and is currently working on releasing a new version that will patch the client-side issues.

“The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. Based on the findings, we believe that this could only be done by targeting one machine at a time,” Kleczynski said. “However, this is of sufficient enough a concern that we are seeking to implement a fix.”

Malwarebytes Anti-Malware Premium users can protect themselves against possible attacks leveraging the flaws reported by Ormandy by enabling the product’s self-protection feature.

It’s pretty good software, I’ve used it quite a few times to disinfect people’s machines. So if you do use it regularly, have a poke around and see if you can find any flaws – might be worthwhile now.

Good old Tavis Ormandy – he’s been poking holes in people’s software for years.

Source: Security Week

02 February 2016 | 1,093 views

WAF-FLE – Graphical ModSecurity Console Dashboard

WAF-FLE (Web Application Firewall: Fast Log and Event Console) is a OpenSource ModSecurity Console – which allows the modsecurity admin to store, view and search events sent by sensors.

WAF-FLE - Graphical ModSecurity Console Dashboard

It uses a graphical dashboard to drill-down and find quickly the most relevant events. It is designed to be fast and flexible, while keeping a powerful and easy to use filter, with almost all fields clickable to use on filter.


  • Central event console
  • Support Modsecurity in “traditional” and “Anomaly Scoring”
  • Brings mlog2waffle as a replacement to mlogc
  • Receive events using mlog2waffle or mlogc
    • mlog2waffle: in real-time, following log tail, or batch scheduled in crontab
    • mlogc: in real-time, piped with ModSecurity log, in batch scheduled in crontab
  • No sensor limit
  • Drill down of events with filter
  • Dashboard with recent events information
  • Almost every event data and charts are “clickable” deepening the drill down filter
  • Inverted filter (to filter for “all but this item”)
  • Filter for network (in CIDR format, x.x.x.x/22)
  • Original format (Raw) to event download
  • Use Mysql as database
  • Wizard to help configure log feed between ModSecurity sensors and WAF-FLE
  • Open Source released under GPL v2


  • Apache 2.x server with modrewrite
  • PHP 5.3 or higher
  • PHP PDO Mysql extension
  • PHP GeoIP extension
  • MySQL 5.1 or later


Consider installing APC or APCu (php cache) to improve WAF-FLE performance.

You can download WAF-FLE here:


Or read more here.

30 January 2016 | 1,982 views

hping3 – TCP/IP Packet Assembler & Analyser

hping is a command-line oriented TCP/IP packet assembler/analyser. The interface is inspired to the ping unix command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.

hping3 - TCP/IP Packet Assembler & Analyser

While hping was mainly used as a security tool in the past, it can be used in many ways by people that don’t care about security to test networks and hosts. It is a network tool able to send custom TCP/IP packets and to display target replies like ping do with ICMP replies. hping3 can handle fragmentation, and almost arbitrary packet size and content, using the command line interface.

What’s New

Since version 3, hping implements scripting capabilities, read the API.txt file under the /docs directory to learn more about it.

Basically hping uses the Tcl language as scripting language to write networking and security related applications, test suites, and software prototypes. To run hping in scripting mode just run it without arguments.


  • Firewall testing
  • Advanced port scanning
  • Network testing, using different protocols, TOS, fragmentation
  • Manual path MTU discovery
  • Advanced traceroute, under all the supported protocols
  • Remote OS fingerprinting
  • Remote uptime guessing
  • TCP/IP stacks auditing
  • hping can also be useful to students that are learning TCP/IP.

hping works on the following unix-like systems: Linux, FreeBSD, NetBSD, OpenBSD, Solaris, MacOs X, Windows.

There is a great tutorial to get started here: Getting started with hping3

You can download hping3 here:


Or read more here.

28 January 2016 | 1,415 views

PayPal Remote Code Execution Vulnerability Patched

So this is a big one, and thankfully this PayPal Remote Code Execution Vulnerability was discovered by security researchers and not the bad guys. Although there’s no way for us to know if someone has been using this to siphon data out of PayPal for some time before the whitehats found it.

PayPal Remote Code Execution Vulnerability Patched

It’s a roundabout bug that turns out serious, and why I tell developers don’t mess with serialised data – it’s ugly. In this case object deserialisation in Java basically allowed for remote command execution on PayPal servers.

Independent security researcher Michael Stepankin has reported a since-patched remote code execution hole in Paypal that could have allowed attackers to hijack production systems.

The critical vulnerability affecting manager.paypal.com revealed overnight was reported 13 December and patched soon after disclosure.

It allowed Stepankin to execute arbitrary shell commands on PayPal web servers through Java object deserialisation opening access to production databases.

“I immediately reported this bug to PayPal security team and it was quickly fixed after that,” Stepankin says

“While security testing of manager.paypal.com, my attention was attracted by unusual post form parameter “oldFormData” that looks like a complex object after base64 decoding.

It was reported responsibly and fixed fairly quickly, PayPal does have quite a good record of reacting in a timely fashion.

You can read the original blog post here: PayPal Remote Code Execution Vulnerability

“After some research I realised that it’s a Java serialised object without any signature handled by the application [which] means that you can send serialised object of any existing class to a server and ‘readObject’ or ‘readResolve’ method of that class will be called.”

Attackers would need to follow the technique disclosed by FoxGlove Security to gain remote code execution.

Stepankin says he used their ‘ysoserial’ payload generation tool in his attack.

PayPal handed out US$5000 for the bug even though it was a duplicate of a report sent in two days prior by researcher Mark Litchfield. Most bug bounty operators do not pay for duplicates making the payment unusual.

Strangely enough it seems to like two researchers found the same bug within days of each other independently. So PayPal paid them both a bounty, which is very rare – and pretty cool IMHO.

You can read about what Mark Litchfield got upto in December here – My $50k Personal Challenge – Results

Pretty good earnings for a months work, although I might imagine he’s had a fair number of those bugs in pocket for a while.

Source: The Register

26 January 2016 | 4,111 views

RWMC – Retrieve Windows Credentials With PowerShell

RWMC is a Windows PowerShell script written as a proof of concept to Retrieve Windows Credentials using only PowerShell and CDB command-line options (Windows Debuggers).

RWMC - Retrieve Windows Credentials With PowerShell

It allows to retrieve credentials from Windows 2003 to 2012 and Windows 10 (It was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 – 32 and 64 bits, Windows 8 and Windows 10 Home edition).

The script is different from Mimikatz or WCE because it doesn’t work with system .dlls to decrypt data. All the decryptions are made in the script.


The main features of RWMC:

  • Fully PowerShell
  • Works locally, remotely or from a dump file collected on a machine
  • Doesn’t use .dll files to locate credentials address in memory but a simple Microsoft debugger
  • Doesn’t use OS .dll files to decipher passwords collected (AES, TripleDES, DES-X)
  • Breaks undocumented Microsoft DES-X
  • Works even if you are on a different architecture than the target
  • Leaves no trace in memory


To run this script effectively you need:

  • PowerShell 3
  • Allow PowerShell script on you machine, example : Set-ExecutionPolicy Unrestricted -force
  • An Internet Connection

You can download RWMC here:


Or read more here.

21 January 2016 | 1,089 views

123456 Still The Most Common Password For 2015

So sadly, but also unsurprisingly ‘123456’ is still the most common password for 2015 (based on leaked password lists) the same as it was in years before, e.g. The 25 Worst Passwords Of 2013 – “password” Is Not #1.

123456 Still The Most Common Password For 2015

Way back in 2006, it clocked in at number 5 in a rather UK centric look at passwords. Interestingly, back in 2006 a weaker version of the same password was number 1, I think 6 digit password requirements hadn’t become commonplace yet.

SplashData has announced the 2015 edition of its annual “Worst Passwords List” highlighting the insecure password habits of Internet users. “123456” and “password” once again reign supreme as the most commonly used passwords, as they have since SplashData’s first list in 2011, demonstrating how people’s choices for passwords remain consistently risky.

In SplashData’s fifth annual report, compiled from more than 2 million leaked passwords during the year, some new and longer passwords made their debut – perhaps showing an effort by both websites and web users to be more secure. However, the longer passwords are so simple as to make their extra length virtually worthless as a security measure.

The top 10 most commonly used passwords for 2015:

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. football
8. 1234
9. 1234567
10. baseball

And as you can see this year, 8 characters minimums must have become a thing with 12345678 clocking in at 6th place.

You’d think with all the massive, extremely messy, public hacks that have taken place – people would have wised up a little. But then I always forgot the number of stupid people is a constant, so the more people come on-line or use computers, the greater the absolute number of idiots there are.

The only thing I’m glad about is that football is more popular than baseball.

As for preventing this, use a password generator (preferably the one inside your password manager, because you are using a password manager right?), use separate passwords per site (easier with a password manager), don’t use predictable passwords (yourname, yourname1 etc for each different site).

Source: SplashData

19 January 2016 | 2,998 views

MITMf – Man-In-The-Middle Attack Framework

MITMf is a Man-In-The-Middle Attack Framework which aims to to provide a one-stop-shop for Man-In-The-Middle and network attacks while updating and improving existing attacks and techniques.

MITMf - Man-In-The-Middle Attack Framework

Originally built to address the significant shortcomings of other tools (e.g Ettercap, Mallory), it’s been almost completely re-written from scratch to provide a modular and easily extendible framework that anyone can use to implement their own MITM attack.


  • The framework contains a built-in SMB, HTTP and DNS server that can be controlled and used by the various plugins, it also contains a modified version of the SSLStrip proxy that allows for HTTP modification and a partial HSTS bypass.
  • As of version 0.9.8, MITMf supports active packet filtering and manipulation (basically what etterfilters did, only better), allowing users to modify any type of traffic or protocol.
  • The configuration file can be edited on-the-fly while MITMf is running, the changes will be passed down through the framework: this allows you to tweak settings of plugins and servers while performing an attack.
  • MITMf will capture FTP, IRC, POP, IMAP, Telnet, SMTP, SNMP (community strings), NTLMv1/v2 (all supported protocols like HTTP, SMB, LDAP etc.) and Kerberos credentials by using Net-Creds, which is run on startup.
  • Responder integration allows for LLMNR, NBT-NS and MDNS poisoning and WPAD rogue server support.

Available Plugins

  • HTA Drive-By : Injects a fake update notification and prompts clients to download an HTA application
  • SMBTrap : Exploits the ‘SMB Trap’ vulnerability on connected clients
  • ScreenShotter : Uses HTML5 Canvas to render an accurate screenshot of a clients browser
  • Responder : LLMNR, NBT-NS, WPAD and MDNS poisoner
  • SSLstrip+ : Partially bypass HSTS
  • Spoof : Redirect traffic using ARP, ICMP, DHCP or DNS spoofing
  • BeEFAutorun : Autoruns BeEF modules based on a client’s OS or browser type
  • AppCachePoison : Performs HTML5 App-Cache poisoning attacks
  • Ferret-NG : Transperently hijacks client sessions
  • BrowserProfiler : Attempts to enumerate all browser plugins of connected clients
  • FilePwn : Backdoor executables sent over HTTP using the Backdoor Factory and BDFProxy
  • Inject : Inject arbitrary content into HTML content
  • BrowserSniper : Performs drive-by attacks on clients with out-of-date browser plugins
  • JSkeylogger : Injects a Javascript keylogger into a client’s webpages
  • Replace : Replace arbitrary content in HTML content
  • SMBAuth : Evoke SMB challenge-response authentication attempts
  • Upsidedownternet : Flips images 180 degrees

You can download MITMf here:


Or read more here.