Archive | July, 2007

Intel Core 2 Duo Vulnerabilities Serious say Theo de Raadt

Find your website's Achilles' Heel


The scariest type of all, hardware vulnerabilities. Security guru and creator of OpenBSD Theo de Raadt recently announced he had found some fairly serious bugs in the hardware architecture of Intel Core 2 Duo processors.

He goes as far as saying avoid buying a C2D processor until these problems are fixed.

A prominent software developer with a reputation for making waves in coding circles is doing it again – this time warning that Intel’s celebrated Core 2 Duo is vulnerable to security attacks that target known bugs in the processor.

Discussion forums on Slashdot and elsewhere were ablaze with comments responding to the claims made by Theo de Raadt, who is the founder of OpenBSD. Intel strongly discounted the report, saying engineers have thoroughly scanned the processor for vulnerabilities.

In it he warns that errata contained in the Intel processor is susceptible to security exploits that put users and enterprises at serious risk of being compromised. The exposure can exist even in cases where Intel has issued a fix, de Raadt said, because patches in the microcode frequently don’t get installed on systems purchased from smaller vendors or that run less popular operating systems.

“At this time, I cannot recommend purchase of any machines based on the Intel Core 2 until these issues are dealt with (which I suspect will take more than a year),” de Raadt concluded in his post to an OpenBSD discussion group.

The main problem being, these kind of issues cannot be fixed on a software level they need some re-engineering of the actual chips themselves and due to the nature of hardware vulnerabilities it means they can be exploited on any OS.

Many of the bugs lead to potentially dangerous buffer overflow in which write-protected or non-execute bits for a page table entry are ignored. Others involve floating point instruction non-coherencies or memory corruptions. Intel is aware of the security implications, but has yet to disclose them, he said in an interview.

Intel engineers and some outside security researchers disagree with de Raadt’s conclusion, but the implications of them being correct are serious. Thanks to its high performance and plentiful supply, the Core 2 Duo is seemingly everywhere – in Macs, phone switches and PCs running a wide variety of operating systems.

What’s more, a vulnerability in the processor could be exploited regardless of the OS it runs, and if the flaw resides in the silicon itself, the traditional remedy of pushing out a software patch could be rendered ineffective.

You can find 105 Core 2 errata here as published by Intel:

Core 2 Duo errata [PDF]

And the original e-mail from Theo here:

Intel Core 2

Source: The Register


Posted in: Exploits/Vulnerabilities, Hardware Hacking, UNIX Hacking

Tags: , , , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Hardware Hacking, UNIX Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- PunkSPIDER – A Web Vulnerability Search Engine
- Dropbox Hacked – 68 Million User Accounts Compromised
- PowerOPS – PowerShell Runspace Portable Post Exploitation Tool

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 235,807 views
- AJAX: Is your application secure enough? - 120,262 views
- eEye Launches 0-Day Exploit Tracker - 85,735 views

Get protected with Sucuri


Sandcat by Syhunt – Web Server & Application Vulnerability Scanner

Find your website's Achilles' Heel


Sandcat allows web administrators to perform aggressive and comprehensive scans of an organization’s web server to isolate vulnerabilities and identify security holes.

The Sandcat scanner requires basic inputs such as host names, start URLs and port numbers to scan a complete web site and test all the web applications for security vulnerabilities.

This is a pretty nifty and complete tool, there is a ‘pro’ version available too.

Sandcat

Key Features

  • Provides over 260 web application security checks, covering over 38 types of web security attacks — a target server can be local or remote
  • Crawls web sites and detects cross-site scripting, directory transversal problems, attempts to execute commands and multiple other attacks
  • Scans web servers for the SANS Top Twenty (C1), the OWASP Top 10 and the OWASP PHP Top 5 vulnerabilities
  • Allows to scan for specific vulnerabilities, such as Fault Injection, SQL Injection and XSS (Cross-Site Scripting) vulnerabilities
  • Allows to define a range or list of IP addresses to be scanned
  • Allows to define multiple start URLs
  • Allows to perform destructive and non-destructive scans
  • Allows to edit the crawling depth: maximum number of links per server, maximum links per page, maximum URL length and maximum response size and more
  • Allows to create user signatures for detecting application vulnerabilities
  • Prevents logout
  • Tests intrusion detection systems
  • Exploits AJAX-based web applications
  • Supports host authentication (basic and web form authentication)
  • Supports OSVDB, NVD, CVE and CWE
  • Stores and allows you to view the HTTP request and response for each successful test
  • Automatically discovers and analyzes the server’s configuration to determine which tests are needed
  • Analyzes robots.txt file and javascript
  • Includes a Baseline Security Scanner — ensures security against outdated server software

Download Sandcat Standard Edition v3.08 here:

Download (EXE-Installer)
Download PDF Manual

Downloads Page.

Windows only I’m afraid.

Or you can read more here.


Posted in: Hacking Tools, Web Hacking

Tags: , , , , , , , ,

Posted in: Hacking Tools, Web Hacking | Add a Comment
Recent in Hacking Tools:
- MANA Toolkit – Rogue Access Point (evilAP) And MiTM Attack Tool
- BBQSQL – Blind SQL Injection Framework
- DET – Data Exfiltration Toolkit

Related Posts:

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 1,991,589 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,475,159 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 686,782 views

Get protected with Sucuri


The Soft Underbelly? – Database Security

Your website & network are Hackable


It not surprising SQL Injection and database hacking are getting more frequent as people ramp up perimeter security more often than not they forget about interior security, software application security and most of all database security.

Of the 2007 total corporate IT budget, respondents said they have allocated 34 percent for database infrastructure and 20.6 percent for IT security overall. More than 53 percent believe their databases are critical to their businesses.

But only 15 percent said that extending security best practices to the database is a “critical priority” for 2007. Higher priorities included upgrading applications (25 percent), improving the efficiency of IT (20 percent), and consolidating IT infrastructure (19 percent). Upgrading security overall (13 percent) finished slightly lower, as did supporting Sarbanes-Oxley (10 percent) and upgrading disaster recovery capabilities (9 percent).

The irony is, generally THE most important information is stored in corporate databases. Including credit card details, social security information, corporate figures and all the guts that power the white-collar machine.

What’s in corporate databases? Lots of valuable data. Some 55 percent of respondents said their databases contain customer data, 54 percent said databases contain employee data, and 50 percent contain confidential business data. Intellectual property — the most highly-guarded data in our survey — resides in 38 percent of respondents’ databases.

Respondents’ database environments are of substantial scale and complexity — a majority of respondents manage more than 500 databases. Twenty-nine percent have many different database types and technologies.

The moral is, when pen-testing go after the database and applications and if you are into securing your network..Please don’t just concentrate on the firewall and IDS also look at overall architecture, security stance, information management, database and application security.

Source: Dark Reading


Posted in: Database Hacking, General News

Tags: , , , , ,

Posted in: Database Hacking, General News | Add a Comment
Recent in Database Hacking:
- DBPwAudit – Database Password Auditing Tool
- VTech Hack – Over 7 Million Records Leaked (Children & Parents)
- Onapsis Bizploit v1.50 – SAP Penetration Testing Framework

Related Posts:

Most Read in Database Hacking:
- Pangolin – Automatic SQL Injection Tool - 77,209 views
- bsqlbf 1.1 – Blind SQL Injection Tool - 54,520 views
- SQLBrute – SQL Injection Brute Force Tool - 41,440 views

Get protected with Sucuri


FG-Injector – SQL Injection & Proxy Tool

Your website & network are Hackable


FG-Injector Framework is a set of tools designed to help find SQL injection vulnerabilities in web applications, and help the analyst assess their severity. It includes a powerful proxy feature for intercepting and modifying HTTP requests, and an inference engine for automating SQL injection exploitation.

Often web developers think that by disabling error messages in their code, SQL injection vulnerabilities stop being dangerous. When a SQL injection vulnerability doesn’t return errors messages it is known as a Blind Injection. The truth is that Blind Injections are just as dangerous as regular SQL Injections. By carefully selecting SQL sentences to inject, an attacker can retrieve information from the database of the vulnerable web application, one bit at a time. The end result is that the attacker can obtain the same data through the Blind SQL Injection that he/she would obtain from a regular -non-blind- SQL Injection.


The Inference Engine Module of the FG-Injector Framework automates the generation and injection of SQL statements needed for exploitation of a Blind SQL Injection. This module will work also for regular injections using the same method. It can produce blind injections on web/app servers using MS SQL Server, MySQL, and PostgresSql DBMSs.

You can find the downloads here including 0.9 version Windows binary and 0.9a source code:


FG-Injector Framework Downloads

You can find full documentation here or just read more here.


Posted in: Database Hacking, Hacking Tools, Web Hacking

Tags: , , , , , , , , , ,

Posted in: Database Hacking, Hacking Tools, Web Hacking | Add a Comment
Recent in Database Hacking:
- DBPwAudit – Database Password Auditing Tool
- VTech Hack – Over 7 Million Records Leaked (Children & Parents)
- Onapsis Bizploit v1.50 – SAP Penetration Testing Framework

Related Posts:

Most Read in Database Hacking:
- Pangolin – Automatic SQL Injection Tool - 77,209 views
- bsqlbf 1.1 – Blind SQL Injection Tool - 54,520 views
- SQLBrute – SQL Injection Brute Force Tool - 41,440 views

Get protected with Sucuri


Recent in General Hacking:
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?
- Dradis – Reporting Platform For IT Security Professionals
- Kid Gets Arrested For Building A Clock – World Goes NUTS

Related Posts:

Most Read in General Hacking:
- 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) - 1,171,806 views
- Hack Tools/Exploits - 630,859 views
- Password Cracking with Rainbowcrack and Rainbow Tables - 436,440 views

Get protected with Sucuri


PowerShell – More than the command prompt

Find your website's Achilles' Heel


For this article you should thank Patrick Ogenstad and his comment on my post , because I did not know about PowerShell until he mentioned about it… so a white point for him =)
The parts that will follow are snippets from the Getting Started document that comes with it…

Abstract

Windows PowerShell™ is a new Windows command-line shell designed especially for system administrators. The shell includes an interactive prompt and a scripting environment that can be used independently or in combination.

Introducing Windows PowerShell

Most shells, including Cmd.exe and the SH, KSH, CSH, and BASH Unix shells, operate by executing a command or utility in a new process, and presenting the results to the user as text. Over the years, many text processing utilities, such as sed, AWK, and PERL, have evolved to support this interaction.
These shells also have commands that are built into the shell and run in the shell process, such as the typeset command in KSH and the dir command in Cmd.exe. In most shells, because there are few built-in commands.many utilities have been created.
Windows PowerShell is very different.

  • Windows PowerShell does not process text. Instead, it processes objects based on the .NET platform.
  • Windows PowerShell comes with a large set of built-in commands with a consistent interface.
  • All shell commands use the same command parser, instead of different parsers for each tool. This makes it much easier to learn how to use each command.

Best of all, you don’t have to give up the tools that you have become accustomed to using. You can still use the traditional Windows tools, such as Net, SC, and Reg.exe in Windows PowerShell.

Windows PowerShell Cmdlets

A cmdlet (pronounced “command-let”) is a single-feature command that manipulates objects in Windows PowerShell. You can recognize cmdlets by their name format — a verb and noun separated by a dash (-), such as Get-Help, Get-Process, and Start-Service.

In traditional shells, the commands are executable programs that range from the very simple (such as attrib.exe) to the very complex (such as netsh.exe).

In Windows PowerShell, most cmdlets are very simple, and they are designed to be used in combination with other cmdlets. For example, the “get” cmdlets only retrieve data, the “set” cmdlets only establish or change data, the “format” cmdlets only format data, and the “out” cmdlets only direct the output to a specified destination.
Each cmdlet has a help file that you can access by typing:

get-help -detailed

The detailed view of the cmdlet help file includes a description of the cmdlet, the command syntax, descriptions of the parameters, and example that demonstrate use of the cmdlet.

…and more

Besides the above mentioned things, powerShell also includes: a new scripting language (not the lame-ass batch), processes objects, object pipelines, interaction, etc. If you are interested take a look at microsoft.com/powershell

Once again thanks to Patrick….


Posted in: Programming, Windows Hacking

Tags: , , , , , , , , , ,

Posted in: Programming, Windows Hacking | Add a Comment
Recent in Programming:
- shadow – Firefox Heap Exploitation Tool (jemalloc)
- movfuscator – Compile Into ONLY mov Instructions
- The Backdoor Factory (BDF) – Patch Binaries With Shellcode

Related Posts:

Most Read in Programming:
- FLARE – Flash Decompiler to Extract ActionScript - 67,243 views
- Modern Exploits – Do You Still Need To Learn Assembly Language (ASM) - 28,123 views
- 4f: The File Format Fuzzing Framework - 23,878 views

Get protected with Sucuri


Pentagon E-mail System HACKED

Your website & network are Hackable


The Pentagon got owned pretty hard with 1,500 accounts being taken offline due to a hack attack. For once however they did admit the incident and didn’t try to cover it over or brush it off.

I guess the amount of attacks they get is exponentially more than other networks…but still, I would have thought they should be super secure.

About 1,500 unclassified e-mail users at the Pentagon had their service disrupted yesterday when a hacker infiltrated the e-mail system, forcing the accounts to be taken offline.

In a briefing today with reporters in Washington at the Pentagon, Secretary of Defense Robert M. Gates confirmed the incident and said that the users were disconnected from the system after the intrusion was discovered.

“The reality is that the Defense Department is constantly under attack,” Gates said during the briefing. “Elements of the [Office of the Secretary of Defense] unclassified e-mail system were taken offline yesterday afternoon, due to a detected penetration. A variety of precautionary measures are being taken. We expect the system to be online again very soon.”

The funny thing is the Secretary of Defense himself doesn’t even use e-mail…so I doubt he even noticed what had happened.

Hopefully the government will sharpen up it’s ideas.

Gates said that he was not sure why the 1,500 users were removed temporarily from the system. “Well, I don’t know the answer to that, and they’re still investigating it.”

Gates said he doesn’t use e-mail, so he didn’t know if his account was affected.

“I don’t do e-mail,” he said. “I’m a very low-tech person.”

A spokesman at the Department of Defense late this afternoon said he had no additional information about the incident.

This comes shortly after the GAO (Government Accountability Office) report slamming FBI Internal Security.

Source: Computer World


Posted in: General Hacking

Tags: , , , , , , ,

Posted in: General Hacking | Add a Comment
Recent in General Hacking:
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?
- Dradis – Reporting Platform For IT Security Professionals
- Kid Gets Arrested For Building A Clock – World Goes NUTS

Related Posts:

Most Read in General Hacking:
- 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) - 1,171,806 views
- Hack Tools/Exploits - 630,859 views
- Password Cracking with Rainbowcrack and Rainbow Tables - 436,440 views

Get protected with Sucuri


sqlget v1.0.0 – Blind SQL Injection Tool in PERL

Find your website's Achilles' Heel


sqlget is a blind SQL injection tool developed in Perl, it lets you get databases schemas and tables rows. Using a single GET/POST you can access quietly the database structure and using a single GET/POST you can dump every table row to a csv-like file.

Databases supported:

  • IBM DB2
  • Microsoft SQL Server
  • Oracle
  • Postgres
  • Mysql
  • IBM Informix
  • Sybase
  • Hsqldb
  • Mime
  • Pervasive
  • Virtuoso
  • SQLite
  • Interbase/Yaffil/Firebird (Borland)
  • H2
  • Mckoi
  • Ingres
  • MonetDB
  • MaxDB
  • ThinkSQL
  • SQLBase

Evasion features:

  • Full-width/Half-width Unicode encoding
  • Apache non standard CR bypass
  • mod_security bypass
  • Random uppercase request transform
  • PHP Magicquotes: encode every string using db CHR function or similar.
  • Convert requests to hexadecimal values
  • Avoid non-space replacing for /**/ or (\t) tab
  • Avoid non || or + concatenation using db concat function or similar.
  • Random user-agent
  • Random proxy-server
  • Random delay request

Common features:

  • Database schemate download blacklist
  • Cookie array support
  • SSL support
  • Proxy server support
  • Database information dumped in csv format

You can find a demo here bypassing IBM ISS Proventia IPS:


ISR sqlget ISS Proventia Bypass

And you can download sqlget here:

ISR-sqlget v.1.0.0

Or read more here.


Posted in: Database Hacking, Hacking Tools, Web Hacking

Tags: , , , , , , , , , ,

Posted in: Database Hacking, Hacking Tools, Web Hacking | Add a Comment
Recent in Database Hacking:
- DBPwAudit – Database Password Auditing Tool
- VTech Hack – Over 7 Million Records Leaked (Children & Parents)
- Onapsis Bizploit v1.50 – SAP Penetration Testing Framework

Related Posts:

Most Read in Database Hacking:
- Pangolin – Automatic SQL Injection Tool - 77,209 views
- bsqlbf 1.1 – Blind SQL Injection Tool - 54,520 views
- SQLBrute – SQL Injection Brute Force Tool - 41,440 views

Get protected with Sucuri


Apparently 8/10 High Traffic or ‘Big’ Websites are Vulnerable

Find your website's Achilles' Heel


It seems after a brief scan that about 80% of sites contain common flaws that allows them to be compromised in some way, most often to create phishing sites, steal data and hijack info about clients.

An amazing 30% contain a serious vulnerability.

Eight out of ten Web sites contain common flaws that can allow attackers to steal customer data, create phishing exploits, or craft a variety of other attacks, a security company reported today.

WhiteHat Security regularly scans hundreds of “very popular, very high-traffic sites” for its online business customers, says Jeremiah Grossman, the company’s founder. “More than likely, you have shopped there, or bank there,” he says. Thirty percent of scanned sites contain an urgent vulnerability, such as one that allows direct access to a company database with customer information, he says.

Two out of three scanned sites have one or more cross-site scripting (XSS) flaws, which take advantage of problems with sites’ programming and are increasingly used in phishing attacks. A recent eBay scam used a now-fixed XSS hole on the auction site to direct anyone who clicked on a phony car auction to a phishing site.

I guess this should be a stern lesson for anyone shopping online or using online facilities from any companies/banks or financial institutions.

About a third of scanned sites are at risk for some sort of information leakage, which often means the providing of programming data about the site that can facilitate an attack. And about one out of four sites allows content spoofing, another potential phishing risk, according to WhiteHat’s vulnerability report.

A type of database vulnerability that allows SQL injection attacks — “one of the nastier issues out there” — is becoming less common, Grossman says. Fewer than one out of five sites contain this type of vulnerability, but a successful incident can give a sophisticated attacker access to everything in a company’s database, he says.

The irony is those geeky sites which hold the least important information about people are usually the most secure, where as the big sites built by important companies often have the most vulnerabilities and are leaking the most important data.

Source: Computer World


Posted in: Exploits/Vulnerabilities, Web Hacking

Tags: , , , , , ,

Posted in: Exploits/Vulnerabilities, Web Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- PunkSPIDER – A Web Vulnerability Search Engine
- Dropbox Hacked – 68 Million User Accounts Compromised
- PowerOPS – PowerShell Runspace Portable Post Exploitation Tool

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 235,807 views
- AJAX: Is your application secure enough? - 120,262 views
- eEye Launches 0-Day Exploit Tracker - 85,735 views

Get protected with Sucuri


Proxmon – Proxy Log Monitoring Tool

Your website & network are Hackable


ProxMon is an extensible Python based framework that reduces testing effort, improves consistency and reduces errors. Its use requires limited additional effort as it processes the proxy logs that you’re already generating and reports discovered issues. In addition to penetration testing, ProxMon is useful in QA, developer testing and regression testing scenarios.

Formerly announced as ScarabMon as part of BlackHat EU 2007, proxmon monitors proxy logs and reports on security issues it discovers. ProxMon was also presented at CanSecWest 2007.

It’s compatible with WebScarab.

ProxMon handles routine tasks like

  • Checking server SSL configuration
  • Looking for directories that allow listing or upload

It’s real strength is that it also helps with higher level analysis such as

  • Finding values initially sent over SSL that later go cleartext
  • Finding Secure cookie values also sent in the clear
  • Finding values that are sent to 3rd party sites

It’s key features are

  • automatic value tracing of set cookies, sent cookies, query strings and post parameters across sites
  • proxy agnostic
  • included library of vulnerability checks
  • active testing mode
  • cross platform
  • open source license
  • easy to program extensible python framework

You can download ProxMon here (Prerequisites: Python):

proxmon-1.0.18.tar.gz
proxmon-1.0.18.exe


Posted in: Hacking Tools, Network Hacking

Tags: , , , , , , , , ,

Posted in: Hacking Tools, Network Hacking | Add a Comment
Recent in Hacking Tools:
- MANA Toolkit – Rogue Access Point (evilAP) And MiTM Attack Tool
- BBQSQL – Blind SQL Injection Framework
- DET – Data Exfiltration Toolkit

Related Posts:

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 1,991,589 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,475,159 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 686,782 views

Get protected with Sucuri