Archive | April, 2007

BackTrack v2.0 – Hackers LiveCD Finally Released

Find your website's Achilles' Heel


BackTrack is the result of the merging of the two innovative penetration testing live linux distributions Auditor security collection and Whax. By combining the best features from both distributions and putting continous development energy, the most complete and finest security testing live distro was born: BackTrack

BackTrack

BackTrack v.2.0 is finally released, it’s been a long wait that’s for sure, it does look good though so perhaps it was worth waiting.

You can find some screenshots here.

BackTrack ranked number one in Darknet’s well regarded list 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery).

It’s taken BackTrack almost 5 months to pull themselves out of the beta stage. Many features have been added and many of the persistent bugs have been fixed.

New exciting features in BackTrack 2, to mention a few:

  • Updated Kernel-Running 2.6.20, with several patches.
  • Broadcom based wireless card support
  • Most wireless drivers are built to support raw packet injection
  • Metasploit2 and Metasploit3 framework integration
  • Alignment to open standards and frameworks like ISSAF and OSSTMM
  • Redesigned menu structure to assist the novice as well as the pro
  • Japanese input support-reading and writing in Hiragana / Katakana / Kanji.

As usual, Nessus is not included into BackTrack as Tenable forbid redistribution.

The public wiki project is available at http://backtrack.offensive-security.com. Please help us by providing entries in HCL (Hardware compatibility list).

Read more about BackTrack here.

You can download BackTrack here:

BackTrack 2 Stable release Mar 06 2007


Posted in: Hacking Tools, Linux Hacking

Tags: , , , , , , , , , , ,

Posted in: Hacking Tools, Linux Hacking | Add a Comment
Recent in Hacking Tools:
- PowerOPS – PowerShell Runspace Portable Post Exploitation Tool
- Shadow Brokers NSA Hack Leaks 0-day Vulnerabilities
- UFONet – Open Redirect DDoS Tool

Related Posts:

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 1,987,378 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,457,566 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 684,263 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Slavasoft FSUM and Hashcalc md5 & File Integrity for Windows

Your website & network are Hackable


FSUM is a fast and handy command line utility for file integrity verification. It offers a choice of 13 of the most popular hash and checksum functions for file message digest and checksum calculation.

You can easily use FSUM with a batch wrapper to do automated file integrity monitoring, and use something like blat to email you any differences.

The most common use for FSUM is checking data files for corruption. A message digest or checksum calculation might be performed on data before transferring it from one location to another. Making the same calculation after the transfer and comparing the before and after results, you can determine if the received data is corrupted or not. If the results match, then the received data is likely accurate.

You can download FSUM here:

FSUM 2.52

Or read more here.

Hashcalc is a GUI version basically, a fast and easy-to-use calculator that allows to compute message digests, checksums and HMACs for files, as well as for text and hex strings. It offers a choice of 13 of the most popular hash and checksum algorithms for calculations such as:

MD2, MD4, MD5, SHA-1, SHA-2( 256, 384, 512), RIPEMD-160, PANAMA, TIGER, ADLER32 and CRC32.

You can download it here:

HashCalc 2.02

And read more here.

Darknet was informed about these tools via e-mail by Bogwitch!


Posted in: Countermeasures, Forensics, Security Software

Tags: , , , , , , ,

Posted in: Countermeasures, Forensics, Security Software | Add a Comment
Recent in Countermeasures:
- An Introduction To Web Application Security Systems
- OpenIOC – Sharing Threat Intelligence
- Cuckoo Sandbox – Automated Malware Analysis System

Related Posts:

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 120,206 views
- Password Hasher Firefox Extension - 117,857 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,743 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Legal to Unlock Cell Phones Since November 2006

Find your website's Achilles' Heel


As with the UK, many phones in the US are sold under contract and are given at very discounted rates or even free in some cases if you sign a contract for year withe service provider.

Before that it was illegal to unlock your phone but finally in November 2006 it came out in court that it’s ok now.

Most cell phones in the United States are purchased as part of a service plan. The phone itself is cheap or free, but it must be bought as part of a one-year or two-year service contract. Phones can also be purchased separately, but are often hundreds of dollars more expensive then the phones that come with service plans. This is because phone companies take a loss on the phone up front and hope to make up that loss over the life of the contract in monthy fees.

Nearly all of the phones purchased as part of a service plan (and even some that are purchased separately) are SIM locked to only work with that phone companies network. The phone’s software will reject SIM cards from competing phone networks. Phones bought from T-Mobile only work with T-Mobile, phones bought from Cingular only work with Cingular, etc. This way the phone company can be certain that a customer is stuck and they will make back their investment.

The fact is the protection was frequently broken and many people were unlocking their owns anyway. The US made a smart decision this time to legitimize the dodgy unlocking market and make it straight forward. It also gives the consumers back the rights they should have anyway.

Yesterday, the Library of Congress announced six new exceptions to DMCA rules. Among those was the declaration that breaking SIM locks will not be considered a DMCA violation starting on Monday:

5. Computer programs in the form of firmware that enable wireless telephone handsets to connect to a wireless telephone communication network, when circumvention is accomplished for the sole purpose of lawfully connecting to a wireless telephone communication network.

Library of Congress Rulemaking Statement

This has the potential to legitimize the shady market of cell phone unlockers. It also has the potential to change how cell phone companies do business. If awareness of these rules spreads and legitimate cell phone unlocker services appear, the current cell phone business model might not make as much sense. It is also likely to further frustrate “pay as you go” cell phone providers who have been trying to stop resellers who purchase their phones and then sell them overseas for a profit.

So please, feel free to and unlock your phone, it’s no longer a DMCA violation!

Source: Uninnovate


Posted in: Hardware Hacking, Legal Issues, Telecomms Hacking

Tags: , , , , , ,

Posted in: Hardware Hacking, Legal Issues, Telecomms Hacking | Add a Comment
Recent in Hardware Hacking:
- Intel Hidden Management Engine – x86 Security Risk?
- Fitbit Vulnerability Means Your Tracker Could Spread Malware
- Kid Gets Arrested For Building A Clock – World Goes NUTS

Related Posts:

Most Read in Hardware Hacking:
- Elevator/Lift Hacking !!!!! - 79,349 views
- Military Communications Hacking – Script Kiddy Style - 49,823 views
- Hackers Crack London Tube Oyster Card - 45,100 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


DNS Brute Force eXtract – WS-DNS-BFX

Find your website's Achilles' Heel


There is another option for DNS Brute Forcing which uses threads, so may be faster than TXDNS 2.0 which we posted about recently.

What does it do?

This program was written to extract valid hosts of a domain that deny zone transfers.

The program supports:

  • IPv4 => IP Address of 32 bits.
  • IPv6 => IP Address of 128 bits.
  • Multi Thread => Make several resolutions at “the same time”.
  • EMA => Extract more than 1 IP in servers with HA, Network Load Balance, etc, (like: www.yahoo.com, www.microsoft.com).

Where do I use it?

This program must be used against DNS Servers that deny zone transfers.

Example of DNS Servers that deny transfer zones:

How do I compile it?

To compile it, do:

To best performance do:

If u don’t have a compiler (gcc), libs, etc, i added at the .tgz file this program compiled static, called “WS-DNS-BFX-Static”.

How do I use it?

Is easy use this program. Supose that you want extract valid hosts from “yahoo.com”, using dict-file.txt (Brute Force File) and open 4 threads, to do it the command is:

When it finish, will be generated a file called “hosts-yahoo.com.txt” with the extracted hosts.

You can download it here:

DNS Brute Force eXtract


Posted in: Hacking Tools, Network Hacking

Tags: , , , , , , , ,

Posted in: Hacking Tools, Network Hacking | Add a Comment
Recent in Hacking Tools:
- PowerOPS – PowerShell Runspace Portable Post Exploitation Tool
- Shadow Brokers NSA Hack Leaks 0-day Vulnerabilities
- UFONet – Open Redirect DDoS Tool

Related Posts:

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 1,987,378 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,457,566 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 684,263 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Chaos Communication Camp (CCC) 2007 – Germany

Your website & network are Hackable


The Chaos Communication Camp is an international, five-day open-air event for hackers and associated life-forms. The Camp features three conference tracks with interesting lectures, workshops and other stuff.

Chaos Communication Camp 2007 will take place at a brand new location at the Airport Museum Finowfurt, directly at Finow airport. So if you like, you can directly fly to the Camp. You can get to the location easily with a car in the less than 30 minutes starting in Berlin and we will make sure there is a shuttle connection to the next train station.

“In Fairy Dust We Trust!”

CCC 2007 will be held between August 8th and August 12th, 2007.

More info here:

http://events.ccc.de/camp/2007/


Posted in: Events/Cons

Tags: , , , , , ,

Posted in: Events/Cons | Add a Comment
Recent in Events/Cons:
- Mac owned on 2nd day of Pwn2Own hack contest
- 2007 Hacker Reverse Engineering Challenge
- Chaos Communication Camp (CCC) 2007 – Germany

Related Posts:

Most Read in Events/Cons:
- 2007 Hacker Reverse Engineering Challenge - 13,474 views
- Mac owned on 2nd day of Pwn2Own hack contest - 12,904 views
- The Black & White Ball UK – Whitehat vs Blackhat - 6,439 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


PHProxy 0.5 Beta Released – Web HTTP Proxy to Bypass Firewalls

Find your website's Achilles' Heel


What is PHProxy?

PHProxy is a Web HTTP proxy programmed in PHP to bypass firewalls and other proxy restrictions through a Web interface very similar to the popular CGIProxy. School/country/company blocked your favorite Website? Look no further!

The server that this script runs on simply acts as a medium that retrives resources for you. The only IP address shown will be the server’s IP address. So basically, it is indirect browsing. The only catch being that the server has to have access to those otherwise inaccessible resources.

Usage

You simply supply a URL to the form and click Browse. The script then accesses that URL, and if it has any HTML contents, it modifies any tags that might contain URIs so that they point back to the script. You also have options of disabling JavaScript, accepting cookies, showing images, etc. that are available through the web interface.

You can download PHProxy here.

You can find more information at the homepage here:

PHProxy and a PHProxy Demo here.


Posted in: Security Software, Web Hacking

Tags: , , , , , , , ,

Posted in: Security Software, Web Hacking | Add a Comment
Recent in Security Software:
- An Introduction To Web Application Security Systems
- OpenIOC – Sharing Threat Intelligence
- Cuckoo Sandbox – Automated Malware Analysis System

Related Posts:

Most Read in Security Software:
- Top 15 Security/Hacking Tools & Utilities - 1,987,378 views
- 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) - 1,170,912 views
- Password Hasher Firefox Extension - 117,857 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Smart Trojan Targets eBay Users

Your website & network are Hackable


It seems like people that make malware are getting more specific nowadays, the are no longer writing random self-propagating worms or trojans just for the sake of knowledge or notoriety.

Far more common nowadays is malware for specific purposes to capture login or banking details for certain sites or organisations.

This time it’s a custom trojan targetting eBay users.

eBay users are being targeted by an advanced Trojan that attempts to redirect traffic so it can silently bid on a car from the auction site’s car section, Symantec is warning. It is the latest security headache for eBay, which has faced an onslaught of complaints from some users who say fraud on the site has increased to unacceptable levels over the past few months.

eBay officials are aware of the Trojan and are working with Symantec to prevent it from affecting buyers and sellers, a spokeswoman said.

It seems to be a combination of phishing and malware rolled into one to grab details from eBay users.

Trojan.Bayrob implements a proxy server so that traffic intended for eBay is instead sent to one of several sites controlled by the attacker. Traffic is redirected by changing settings corresponding to at least six eBay URLs in the victim’s hosts file. Once connected to rogue servers, Bayrob is programmed to download configuration data, including a variety of php scripts.

At least one of the scripts, Var.php, downloads variables such as tokenized versions of eBay pages designed to dupe a victim into thinking they are legitimate. One such page spoofs eBay’s “Ask a question” section, which allows prospective buyers to – wait for it – ask sellers questions.

As always do be on guard.

Source: The Register


Posted in: Malware, Web Hacking, Windows Hacking

Tags: , , , , , , , ,

Posted in: Malware, Web Hacking, Windows Hacking | Add a Comment
Recent in Malware:
- Android Malware Giving Phones a Hummer
- Cuckoo Sandbox – Automated Malware Analysis System
- movfuscator – Compile Into ONLY mov Instructions

Related Posts:

Most Read in Malware:
- Nasty Trojan Zeus Evades Antivirus Software - 77,530 views
- Hospital Hacker GhostExodus Owns Himself – Arrested - 47,651 views
- US considers banning DRM rootkits – Sony BMG - 44,996 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


SSA 1.5.1 – Security System Analyzer an OVAL Based Scanner

Find your website's Achilles' Heel


Open Vulnerability and Assessment Language (OVAL) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community.

The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment.

SSA is a scanner based on OVAL, the command line tool provided by MITRE is not very easy to use so the guys at Security Database decided to write a GUI to make it simple to use and understand and then free the security testers community to take advantage of it.

The latest final release 1.5.1 of SSA is available. You can download it either in “exe” or “zip” format. SSA comes with a PDF documentation.

You can read more here and download both SSA and the PDF documentation.

SSA 1.5.1


Posted in: Hacking Tools, Security Software, Windows Hacking

Tags: , , , , , , , , ,

Posted in: Hacking Tools, Security Software, Windows Hacking | Add a Comment
Recent in Hacking Tools:
- PowerOPS – PowerShell Runspace Portable Post Exploitation Tool
- Shadow Brokers NSA Hack Leaks 0-day Vulnerabilities
- UFONet – Open Redirect DDoS Tool

Related Posts:

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 1,987,378 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,457,566 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 684,263 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


The Black & White Ball UK – Whitehat vs Blackhat

Find your website's Achilles' Heel


Black hat hackers vs White hat professionals – This is the Black & White Ball

The Black & White Ball will be held at the stylish Ministry of Sound venue in London, the date is to be confirmed (but it will be in September).

In security parlance, the terms Black Hat and White Hat refer to hackers on opposite sides of the fence. Black Hat hackers break the law when they hack into computers, they do it for their own personal gain. White Hat hackers are professional hackers who do it for a living, who hack with the knowledge and consent of the computer owners. We named the event the Black & White Ball to describe the unique 2-track conference style of presenting first 2 days of the latest Black Hat techniques and trends, followed by 2 days of the latest White Hat defensive methodologies and policies.

In September 2007, Whitedust will be running the first annual Black & White Ball in London. Presented in a unique two track format, The Ball will run for 4 days – the first two bringing the latest in hacker techniques and attacks, the last two presenting the cutting-edge of security defence mechanisms and strategies.

The Ball will present the latest research in information security, network penetration, malware generation, hacker methodologies, 0-day attacks, forensic and anti-forensic methods. Bringing together the leading minds from both the White Hat sphere (CSO’s, Programmers, Security Architects) and the Black Hat sphere (hackers, crackers, virus writers, digital miscreants), the Ball will provide a unique venue to pit the best of the best against the rest.

You can find a list of speakers here and submit your papers here.

The main site is here:

http://www.theblackandwhiteball.co.uk/


Posted in: Events/Cons

Tags: , , , , , , , ,

Posted in: Events/Cons | Add a Comment
Recent in Events/Cons:
- Mac owned on 2nd day of Pwn2Own hack contest
- 2007 Hacker Reverse Engineering Challenge
- Chaos Communication Camp (CCC) 2007 – Germany

Related Posts:

Most Read in Events/Cons:
- 2007 Hacker Reverse Engineering Challenge - 13,474 views
- Mac owned on 2nd day of Pwn2Own hack contest - 12,904 views
- The Black & White Ball UK – Whitehat vs Blackhat - 6,439 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


(in)Secure 1.10 Magazine – Infosec E-zine Released

Your website & network are Hackable


(IN)SECURE Magazine is a freely available digital security magazine discussing some of the hottest information security topics. It can be distributed only in the form of the original non-modified PDF document.

ISSUE 1.10 (February 2007) – DOWNLOAD

  • Microsoft Windows Vista: significant security improvement?
  • Review: GFI Endpoint Security 3
  • Interview with Edward Gibson, Chief Security Advisor at Microsoft UK
  • Top 10 spyware of 2006
  • The spam problem and open source filtering solutions
  • Office 2007: new format and new protection/security policy
  • Wardriving in Paris
  • Interview with Joanna Rutkowska, security researcher
  • Climbing the security career mountain: how to get more than just a job
  • RSA Conference 2007 report
  • ROT13 is used in Windows? You’re joking!
  • Data security beyond PCI compliance – protecting sensitive data in a distributed environment

Grab it now!


Posted in: General Hacking

Tags: , , , , ,

Posted in: General Hacking | Add a Comment
Recent in General Hacking:
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?
- Dradis – Reporting Platform For IT Security Professionals
- Kid Gets Arrested For Building A Clock – World Goes NUTS

Related Posts:

Most Read in General Hacking:
- 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) - 1,170,912 views
- Hack Tools/Exploits - 628,937 views
- Password Cracking with Rainbowcrack and Rainbow Tables - 435,520 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95