Archive | January, 2007

WordPress 2.0.5 Trackback Vulnerability with Exploit

WordPress was “born out of a desire for an elegant, well-architectured personal publishing system built on PHP and MySQL and licensed under the GPL. It is the official successor of b2/cafelog. WordPress is fresh software, but its roots and development go back to 2001. It is a mature and stable product. We hope by focusing on user experience and web standards we can create a tool different from anything else out there.”

While testing WordPress it was discovered that WordPress supports trackbacks in different charsets when PHP’s mbstring extension is installed. This feature can be abused to bypass WordPress’s SQL parameter escaping which leads to an SQL injection vulnerability that can result in a compromise of the admin account and end in a server compromise.

Full details of the vulnerability here.

An exploit is available here.

A work-around is available if something is stopping you from upgrading. WordPress 2.0.6 has fixed this problem.

Open wp-trackback.php and comment out the following lines; this prevents anyone from changing the default charset from one of the ‘safe’ ones to an ‘unsafe’ one (UTF-7, to name one):

It is recommended to upgrade to WordPress 2.0.6 ASAP though.
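The defect class behind this advisory is an ordering problem: the SQL escaping runs on the raw request bytes and the charset conversion runs afterwards, so an encoding such as UTF-7 can carry a quote character that only appears once the escaping step is already over. The following Python is an added illustration written for this page, not WordPress code or the published exploit; the `SAFE_CHARSETS` allow-list, the function names and the sample inputs are assumptions, and `escape_sql_string` is a minimal stand-in for addslashes()-style escaping.

```python
# Added example (not WordPress code): escaping before charset conversion versus after.
# UTF-7 is pure ASCII on the wire, so "+ACc-" carries no quote character until it is
# decoded; escaping that runs before decoding has nothing to act on.

# Assumed allow-list of charsets the handler was written for (a hypothetical policy,
# not WordPress's own list).
SAFE_CHARSETS = {"utf-8", "us-ascii", "iso-8859-1"}


def escape_sql_string(s: str) -> str:
    """Minimal addslashes()-style escaping, enough to show the ordering problem."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def escape_then_convert(raw: bytes, charset: str) -> str:
    """Broken order: escape the raw bytes as single-byte text, then convert charset.

    Decoding the raw bytes as Latin-1 models escaping code that never looks at the
    declared charset; Latin-1 maps every byte to exactly one character and back.
    """
    escaped = escape_sql_string(raw.decode("latin-1"))
    return escaped.encode("latin-1").decode(charset)


def convert_then_escape(raw: bytes, charset: str, enforce_allowlist: bool = True) -> str:
    """Correct order: decode in the declared charset first, then escape the result.

    With enforce_allowlist the handler also refuses charsets it was not written for,
    which is the effect the wp-trackback.php work-around described above aims at.
    """
    if enforce_allowlist and charset.lower() not in SAFE_CHARSETS:
        raise ValueError(f"charset not accepted: {charset}")
    return escape_sql_string(raw.decode(charset))


# Constructed sample inputs: a benign title and a UTF-7 encoded single quote.
BENIGN = b"Hello from O'Brien's blog"
UTF7_QUOTE = b"+ACc-"  # decodes to a lone ' in UTF-7

if __name__ == "__main__":
    # Benign input looks fine in either order, which is why the bug is easy to miss.
    print(repr(escape_then_convert(BENIGN, "utf-8")))
    print(repr(convert_then_escape(BENIGN, "utf-8")))
    # The UTF-7 quote survives the broken order unescaped and is escaped by the fixed one.
    print(repr(escape_then_convert(UTF7_QUOTE, "utf-7")))
    print(repr(convert_then_escape(UTF7_QUOTE, "utf-7", enforce_allowlist=False)))
```

The allow-list and the ordering fix are independent controls: converting first makes the escaping correct for any charset the decoder accepts, while the allow-list keeps the handler from ever touching encodings it was not tested with. Upgrading to 2.0.6 remains the real fix; this only shows what the work-around is protecting.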


Posted in: Exploits/Vulnerabilities, Web Hacking

MTR – Traceroute on Steroids

MTR was written by Matt Kimball, with contributions by many people. Take a look at the “AUTHORS” file in the distribution. Roger Wolff took over maintenance of MTR in October 1998.

MTR combines the functionality of the ‘traceroute’ and ‘ping’ programs in a single network diagnostic tool.


As MTR starts, it investigates the network connection between the host MTR runs on and a user-specified destination host. After it determines the address of each network hop between the machines, it sends a sequence of ICMP ECHO requests to each one to determine the quality of the link to each machine. As it does this, it prints running statistics about each machine.

You can get MTR from the BitWizard FTP site at ftp://ftp.bitwizard.nl/mtr/.

You can find more info and binary packages at the MTR Site.


Posted in: General Hacking, Network Hacking

Organised Cyber Criminals Recruiting Fresh Grads

Criminals are not stupid; cyber criminals are the same breed, perhaps even smarter than the traditionalists, as they are utilising new ways of doing the same old tricks online.

Now the online criminals are recruiting fresh grads to help them push the boundaries further.

Organised crime is “grooming” a new generation of would-be cybercriminals using tactics which echo those used by the KGB to recruit operatives at the height of the cold war, according to a new blockbuster study by net security firm McAfee.

McAfee’s second annual Virtual Criminology report sensationally claims that crime gangs are targeting academic high-fliers in much the way Soviet intelligence agencies recruited spies such as notorious traitor Kim Philby in the 1940s. The study, which we reckon might prove a plausible basis for the next Tom Clancy blockbuster, suggests that net savvy teens as young as 14 are being “attracted into cybercrime by the celebrity status of hi-tech criminals and the promise of making money without the risks associated with traditional crime”.

Quite a scary thought, eh? If you have a young kid you had better check whether he’s plotting a career in online extortion and custom malware solutions..

A process by which organised crime is now “employing KGB-style tactics to ensnare the next generation of hackers and malware authors. Cybercriminals are actively approaching students and graduates of IT technology courses to recruit a fresh wealth of cyber skill to their ranks,” McAfee breathlessly suggests.

Recruiting from Eastern Europe, India, China and Russia seems like the best bet; we had better watch out for this next generation of vxers and organised cyber criminals.

Source: The Register


Posted in: General News, Malware, Phishing

LMCrack – Windows LanMan Hash Cracker Tool with Download

As a security consultant, job functions include Penetration Testing and Vulnerability Assessments. The aim of these types of engagements is to demonstrate risk to the customer. One of the steps involved in demonstrating risk is password auditing (“cracking”) in order to assess the strength and quality of passwords in use in the environment.

On a Windows network this invariably means dumping and cracking the Windows SAM file. The SAM file holds username, user ID (SID) and hashed passwords for all users. There are already many tools in existence to crack the SAM file such as L0phtCrack and Cain & Abel amongst others.

These tools, as brilliant as they are, require a set amount of time to effectively audit a SAM file, often 8 hours or more for programs such as L0pht. While this is extremely fast given the amount of processing involved, for someone in my position limited by the commerciality of time constraints, this can often be too slow. It is for this reason that I decided to write LMCrack.

The design goal of LMCrack was to walk a large key space based on a dictionary style attack rather than on a comprehensive brute force attack and to complete the task in under 5 minutes. The result is a program that utilises a database of pre-computed hashes, which can search an effective key space of 3 trillion passwords in less than 60 seconds with an average success rate of 50+%.

As stated previously the design goal of LMCrack was to identify weak passwords in the shortest time possible. Where weak passwords are defined as any dictionary word or lame permutation of a dictionary word (e.g. password5).

LMCrack works by searching for a password hash against a database of pre-computed hashes. The pre-computed hashes are derived from multiple dictionaries of real words rather than random character sequences. The pre-computed hashes are indexed to speed up the hash searching against the database.

The current version of LMCrack parses a SAM file extracted using PWDump (although future versions may crack LanMan hashes sniffed off the wire). Each 32-byte hash is split into two 16-byte halves and each half is searched for in the database of pre-computed hashes independently of the other half. As the hash is composed of two halves, cracking the password will often result in a partial password being found where one 16-byte hash exists in the database and the other 16-byte hash does not.

LMCrack is not intended to replace any existing password cracking tools and the output files are compatible as input for other cracking tools. LMCrack outputs 5 files at the completion of a cracking run:

  • cracked.txt – a file containing the successfully cracked usernames and passwords delimited by a colon,
  • cracked.dic – a file containing all of the dictionary words found,
  • partial.dic – a file containing the partial password fragments,
  • newpwdump.txt – a rewritten PWDump file with the successfully cracked accounts removed,
  • stats.txt – the cumulative statistics for all cracking runs.
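The split-half lookup described above is what makes LanMan hashes so quick to audit, and it is also why a half that is not in the database still leaks part of the password. The following Python is an added example written for this page, not LMCrack's own code: it parses constructed pwdump lines, looks each 16-hex-character half up independently, and sorts accounts into the cracked, partial and remaining sets that LMCrack writes to cracked.txt, partial.dic and newpwdump.txt. `HALF_TABLE`, `SAMPLE_PWDUMP` and the helper names are assumptions; the three table entries are the widely published LM half values for the blocks “PASSWOR”, “D” and an empty (all-padding) block, so verify them against your own tooling before relying on them.

```python
# Added example (not LMCrack's code): independent lookup of the two LM hash halves.
from typing import Dict, List, Optional, Tuple

# Assumed pre-computed table: LM half (16 hex chars) -> the 7-character block that
# produced it. LMCrack uses an indexed database of millions of these; the entries
# here are the widely published halves for "PASSWOR", "D" and the empty block.
HALF_TABLE: Dict[str, str] = {
    "E52CAC67419A9A22": "PASSWOR",
    "4A3B108F3FA6CB6D": "D",
    "AAD3B435B51404EE": "",  # empty half: the password was 7 characters or shorter
}

UNKNOWN = "???????"  # placeholder for a half that is not in the table


def parse_pwdump_line(line: str) -> Tuple[str, str, str, str]:
    """Split a pwdump line (user:rid:lmhash:nthash:::) into its four leading fields."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError(f"not a pwdump line: {line!r}")
    return parts[0], parts[1], parts[2].upper(), parts[3]


def lookup_halves(lmhash: str) -> Tuple[Optional[str], Optional[str]]:
    """Look up each 16-hex-character half of the LM hash independently of the other."""
    if len(lmhash) != 32:
        raise ValueError("LM hash must be 32 hex characters")
    return HALF_TABLE.get(lmhash[:16]), HALF_TABLE.get(lmhash[16:])


def crack(lines: List[str]) -> Dict[str, List[str]]:
    """Produce the cracked / partial / remaining sets LMCrack writes to its output files."""
    cracked: List[str] = []
    partial: List[str] = []
    remaining: List[str] = []
    for line in lines:
        user, _rid, lmhash, _nthash = parse_pwdump_line(line)
        first, second = lookup_halves(lmhash)
        if first is not None and second is not None:
            cracked.append(f"{user}:{first}{second}")
        else:
            remaining.append(line)  # stays in the rewritten pwdump file
            if first is not None or second is not None:
                # One half known: record the fragment, the other half is still open.
                partial.append(
                    f"{user}:{first if first is not None else UNKNOWN}"
                    f"{second if second is not None else UNKNOWN}"
                )
    return {"cracked": cracked, "partial": partial, "newpwdump": remaining}


# Constructed sample dump. The NT hash fields are all-zero placeholders because only
# the LM field matters here; bob's and dave's unknown halves are made-up values.
SAMPLE_PWDUMP = [
    "alice:1001:E52CAC67419A9A224A3B108F3FA6CB6D:00000000000000000000000000000000:::",
    "bob:1002:E52CAC67419A9A220123456789ABCDEF:00000000000000000000000000000000:::",
    "carol:1003:AAD3B435B51404EEAAD3B435B51404EE:00000000000000000000000000000000:::",
    "dave:1004:0123456789ABCDEF0123456789ABCDEF:00000000000000000000000000000000:::",
]

if __name__ == "__main__":
    for name, rows in crack(SAMPLE_PWDUMP).items():
        print(name, rows)
```

Two things a defender should read off the output: carol's hash is the empty-password value in both halves, which is a finding on its own, and bob's first half resolves to “PASSWOR” even though the second does not, so the partial file already narrows what remains to guess. Disabling LM hash storage removes both problems at the source.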

You can download LMCrack here:

LMCrack v0.2.1 (35MB)

More info about LMCrack here.


Posted in: Hacking Tools, Password Cracking, Windows Hacking

Serious Exploit in Windows Media Player (WMP)

Oh look! Another 0-day in Windows…this time in Media Player. There were a few in Word lately, and the latest thing that just hit is an XSS flaw in PDF files online.

I’ll report more on those later.

The Windows Media Player library WMVCORE.DLL contains a potentially exploitable heap buffer overflow in its handling of “REF HREF” URLs within ASX files. If the URL contains an unrecognized protocol (only “file”, “ftp”, “http”, “https”, “mms”, “mmst”, “mmsu”, “rtsp”, “rtspt”, and “rtspu” appear to be recognized), the function at 7D7A8F27 in WMVCORE.DLL version 9.0.0.3250, and at 086E586E in WMVCORE.DLL version 10.0.0.3802, will create a copy of the string in which the protocol is replaced with “mms”. A heap buffer is allocated, the string “mms” is copied into it, and then everything after and including “://” in the “REF HREF” URL is concatenated using wcsncat.

So watch out what you are streaming... please! Or alternatively use something decent like Winamp.

Unfortunately, the heap buffer for the new “mms” URL is allocated to the size of the “REF HREF” URL, and even more unfortunately, the length of the input string being passed to wcsncat is supplied as the character count, effectively causing wcsncat to behave identically to wcscat. As a result, a two- or four-byte heap overflow is possible if the “REF HREF” URL features a protocol shorter than three characters (the length of “mms”).

Single-letter protocols (such as “a://”) are rejected, but this restriction can be circumvented by encoding the protocol (“%61://”), thereby making a four-byte overflow possible.

Exploitability due to the corruption of the adjacent heap block’s header is assumed likely but research is ongoing.

As far as I know there’s no current exploit for this, but it is a possibility.

Source: eEye


Posted in: Exploits/Vulnerabilities, Windows Hacking

SIFT Web Services Security Testing Framework

SIFT has released a new Intelligence Report titled ‘A Web Services Security Testing Framework’. The framework covers the entire web services security testing process, incorporating detailed threat modelling, scoping and planning methodologies tailored specifically for web services applications.

Web services are a widely touted technology that aim to provide tangible benefits to both business and IT. The increasing use of this technology in the enterprise sector for the integration of distributed systems and business critical functions dictates the need for security assurance yet there is currently no security testing methodology specifically adapted to applications that implement the technology.

Although many application security testing principles can be generically applied to web services, particular aspects of the technology such as its reliance upon XML and web services specific standards require closer attention that is not provided by other testing methodologies. Thus, a comprehensive framework for evaluating the security of web service implementations during all phases of the development cycle is required.

This paper presents a framework that covers the entire web services security testing process incorporating detailed threat modelling, scoping and planning methodologies tailored specifically for web services applications. The framework provides a structured approach to assessing the security of a web service through an application-level penetration test and aims to deliver a repeatable means for security assurance.

The paper is available for download from the SIFT site [PDF].


Posted in: Web Hacking

Malware Outbreak During New Year – Dref-V and Trojan downloader Tibs-jy

Social engineering again: someone preying on the xmas spirit and goodwill to spread their filthy malware.

It quite often happens during festive times, someone hatches a new worm and sends it out packaged as a jolly xmas card or game.

A significant worm outbreak over the new year festivities has put paid to the notion we’ve seen the end of mass mailing worms just yet.

The Luder email worm (AKA Dref-V and Trojan downloader Tibs-jy), first seen on 30 December, poses as an electronic postcard and clogged up email in-boxes over the last two days after successfully duping the gullible into opening executable email attachments with names such as postcard and Greeting Card.exe. Subject lines such as “Happy New Year!”, “Fun Filled New Year!” and “Happy 2007!” have been enough to convince the unwary that the messages were electronic greetings celebrating the new year rather than malware.

This time it’s about new year, but same old story packaged as a greeting card with rotated subject lines and various executable names.

Same concept as usual.

It’s far from the first instance of malware authors attempting to exploit seasonally dulled senses in a bid to spread malware. Two years ago a worm called Wumark-D spread across the net, net security firm Sophos notes. The attachment of infected emails launched a graphic image of nude men and women contorting to form the words “HAPPY NEW YEAR” whilst silently downloading malicious code onto compromised machines, which became agents in spreading the infection.

Once again, a message for people to be vigilant, especially when receiving executables from anyone (even someone you know) unless you are expecting them.

Just drop a note back and ask whether they meant to send it to you.

Source: The Register


Posted in: Malware

Cain & Abel – Download the Super Fast and Flexible Password Cracker with Network Sniffing

Cain & Abel is easily one of our favourite password crackers here at Darknet, especially because it’s oldskool but still under development, unlike most other projects which have been abandoned as time passed.

Cain & Abel has some awesome stuff built in like native network sniffing and network password grabbing.

Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weaknesses present in protocol standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some “non standard” utilities for Microsoft Windows users.

Cain & Abel has been developed in the hope that it will be useful for network administrators, teachers, security consultants/professionals, forensic staff, security software vendors, professional penetration testers and everyone else that plans to use it for ethical reasons. The author will not help or support any illegal activity done with this program. Be warned that there is the possibility that you will cause damage and/or loss of data using this software and that in no event shall the author be liable for such damage or loss of data. Please carefully read the License Agreement included in the program before using it.

The latest version is faster and contains a lot of new features like APR (Arp Poison Routing) which enables sniffing on switched LANs and Man-in-the-Middle attacks. The sniffer in this version can also analyze encrypted protocols such as SSH-1 and HTTPS, and contains filters to capture credentials from a wide range of authentication mechanisms. The new version also ships routing protocols authentication monitors and routes extractors, dictionary and brute-force crackers for all common hashing algorithms and for several specific authentications, password/hash calculators, cryptanalysis attacks, password decoders and some not so common utilities related to network and system security.

You can download Cain & Abel v4.9.4 for Windows NT/2000/XP here:

Cain & Abel 4.9.4 or Cain & Abel 4.9.4 (mirror 1)

You can find the online user manual here:

Cain & Abel online user manual.


Posted in: Hacking Tools, Network Hacking, Password Cracking, Windows Hacking

eEye Launches 0-Day Exploit Tracker

Ah, finally a decent 0-day exploit tracker, one that isn’t underground and could be fairly useful to everyone.

A 0-day, as basically stated in the article, is an exploit that is not known or available publicly, found well before any patches are available. Some private groups have exploits for a year or more before someone else discovers them, makes them public and they inevitably get fixed.

Like the famous remote exploit in Windows RPC: private groups had that for almost 2 years before it became public.

Scary eh?

Security firm eEye has created what’s described as the industry’s first site designed solely to track zero-day vulnerabilities, flaws where exploits are available prior to the release of security patches.

eEye’s zero-day tracking site provides detailed information on flaws and remediation strategies to users. The site will be maintained by security researchers at eEye Research, who have a track record of unearthing new security bugs, and is essentially an eEye gig rather than a cross-industry effort.

It’s a good idea even if it’s not an industry effort but solely an eEye effort. I’m glad someone has done it, and eEye has a strong, capable team, so it should be fairly relevant if it’s kept up to date.

However, eEye invites other interested parties to contribute suggestions on flaws that merit inclusion on its list. eEye said it created the site, which includes information on how long flaws have remained unfixed, in response to the growing number of zero-day exploits.

In other security tracking news, security notification firm Secunia has released a tool designed to detect insecure versions of popular software packages (such as browsers, IM clients, and media players) on consumers’ PCs.

Secunia’s Software Inspector provides users with advice on what to do if they are running insecure software packages.

Both eEye’s zero-day tracking site and Secunia’s Software Inspector are available free of charge.

You can find the site here:

eEye Zero Day Tracker

Source: The Register


Posted in: Exploits/Vulnerabilities, General News
