Archive | November, 2007

fwtest – Firewall Testing Toolkit

The firewall test suite fwtest is a security auditing tool made up of two parts: the test control application fwtest and, optionally, one or two helper processes named fwagent. fwtest starts the Python interpreter with the given test script, and that script controls the flow of packet data between two virtual interfaces, A and B.

For this purpose the Python interpreter is extended with commands that support constructing and transferring arbitrary IP packets. In this way a firewall (or any other relaying network node) connected between interfaces A and B can be stimulated with exactly the traffic the script specifies.

According to the interface specification, the virtual interfaces A and B are mapped onto physical interfaces on the host fwtest is running on, or onto an interface of a remote host running the fwagent application. For remote access, fwtest establishes a TLS-protected control connection to the fwagent on the specified host; the peer can be authenticated either through a CA structure or through a fingerprint file. The shell script keymager.sh distributed with the software helps you generate the keys needed for both variants (CA structure and fingerprint).

In both variants (one or two fwagents) the interfaces need to be controlled by fwtest and fwagent at the link level. This is done with the Berkeley packet filter library pcap for reading packets and the Network Library libnet for writing them.

You can download fwtest source code here:

fwtest-0.5.2.tgz

Or read more here.


Posted in: Network Hacking, Security Software

Security Software Moves to Consoles – Web Filtering for PS3

Ah it seems some companies are having the same idea as me, consoles might well be the next infection vector for zombie style botnets, they have good processing power, the current generation has ample hard-drive space and they are network connected.

The difference with consoles is they tend to be turned off when not in use unlike PCs which are quite often left on.

Still infecting a few million PS3s could be a great attack mechanism – so the latest update for the PS3 is web filtering, the first step towards security software for consoles.

Sony has integrated a website filter into its latest PlayStation 3 firmware. But while use of the utility is optional and, for now, free, neither the console giant nor its security partner, Trend Micro, are saying how much they’ll demand from users when the free-use period ends next April.

Trend claimed the site blocker, which is part of PS3 firmware version 2.0, posted last week, is the world’s first global internet security service for a games console.

It’ll be interesting to see how much it costs when it stops being free, and what the uptake is like percentage wise. I have a feeling it’ll be very low.

If users choose to activate the filtering service, which is accessed through the PS3’s internet browser, they must select a password. If a blocked website is then accessed, users can enter their password to view the site.

Trend’s service is free to use until April 2008, it said. Bizarrely, however, it was unable to say how much it will demand PS3 owners cough up after that date if they want to carry on using the service, perhaps to keep inappropriate content away from their kids.

Apparently the pricing structure hasn’t even been worked out yet, but then I guess they just want to get it out there as the ‘first’ security software for a console and increase the branding strength.

Source: The Register


Posted in: Hardware Hacking, Malware

Chaosreader – Trace TCP/UDP Sessions from tcpdump

A freeware tool to trace TCP/UDP sessions and fetch application data from snoop or tcpdump logs. This is a type of “any-snarf” program, as it will fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG), SMTP emails and so on from the captured data inside network traffic logs.

Similar to tcpflow which we mentioned recently.

An HTML index file is created that links to all the session details, including real-time replay programs for telnet, rlogin, IRC, X11 and VNC sessions, and reports such as image reports and HTTP GET/POST content reports. Chaosreader can also run in standalone mode, where it invokes tcpdump or snoop (if they are available) to create the log files and then processes them.

The cool thing about Chaosreader is that it outputs a nicely formatted HTML file to enable you to look at the extracted sessions a lot easier.

In this example, a snoop file was created while a website was loaded, telnet was used to log in and FTP to transfer files. Chaosreader has managed to extract the HTTP sections, follow the telnet session, grab the FTP files, and create an Image Report from the snoop log. It has also created a replay program to play back the telnet session. You can see the example here.

You can find some more screenshots here.

You can download Chaosreader here:

Chaosreader 0.94

You can read more here.


Posted in: Forensics, Hacking Tools, Network Hacking

tcpflow – TCP Flow Recorder for Protocol Analysis and Debugging

tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like ‘tcpdump’ shows a summary of packets seen on the wire, but usually doesn’t store the data that’s actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.

tcpflow understands sequence numbers and will correctly reconstruct data streams regardless of retransmissions or out-of-order delivery. However, it currently does not understand IP fragments; flows containing IP fragments will not be recorded properly.

tcpflow is based on the LBL Packet Capture Library (available from LBL) and therefore supports the same rich filtering expressions that programs like ‘tcpdump’ support. It should compile under most popular versions of UNIX; see the INSTALL file for details.


tcpflow stores all captured data in files that have names of the form

Where the contents of the above file would be data transmitted from host 128.129.131.131 port 2345, to host 10.11.12.13 port 45103.

The only downside to this tool is that it’s not being actively maintained, the last version was released in 2003.

The upside is that the TCP protocol hasn’t changed, so the tool still works just fine.

Definitely extremely useful for network forensics, it’s one of the tools I use to demo network dissection in classes.
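As an added example (it is not code from tcpflow, Chaosreader, or this post), the Python sketch below shows what "understands sequence numbers" means for both tools described above: segments are grouped by the (source, source port, destination, destination port) tuple that tcpflow uses to separate flows, a SYN opens the stream, and one direction of the stream is rebuilt from segments that arrive out of order, duplicated, or partially retransmitted. The Segment and Stream types, the sample HTTP request, the addresses and the delivery order are all constructed here for illustration; the modular sequence-number arithmetic is plain TCP. The caveat from the post applies to this sketch too: it does nothing about IP fragments.

```python
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # TCP sequence numbers wrap modulo 2^32


@dataclass(frozen=True)
class Segment:
    """The parts of a TCP segment the reassembler needs (constructed type)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int              # sequence number of the first payload byte
    payload: bytes = b""
    syn: bool = False


class Stream:
    """One direction of a TCP connection, rebuilt in sequence-number order."""

    def __init__(self, isn):
        self.isn = isn             # sequence number of stream byte 0
        self.data = bytearray()    # contiguous bytes recovered so far
        self.pending = {}          # relative offset -> payload waiting for a gap to close
        self.retransmissions = 0
        self.out_of_order = 0

    def add(self, seq, payload):
        off = (seq - self.isn) % SEQ_MOD    # modular arithmetic survives a seq wrap
        have = len(self.data)
        if off + len(payload) <= have:
            self.retransmissions += 1       # every byte already present: pure retransmission
            return
        if off < have:
            payload = payload[have - off:]  # partial overlap: keep only the new tail
            off = have
        if off > have:
            self.out_of_order += 1          # gap before it: hold until earlier bytes arrive
            self.pending[off] = payload
            return
        self.data += payload
        self._drain()

    def _drain(self):
        """Append buffered segments whose start is now covered by received data."""
        while True:
            ready = [o for o in self.pending if o <= len(self.data)]
            if not ready:
                return
            o = min(ready)
            self.data += self.pending.pop(o)[len(self.data) - o:]


def reassemble(segments):
    """Group segments by (src, sport, dst, dport), the key tcpflow uses to separate
    flows, and return a dict of that key -> Stream. A SYN opens the stream (it
    consumes one sequence number, so data starts at seq + 1); data for a flow whose
    SYN was not captured is ignored in this toy version (a simplifying assumption)."""
    streams = {}
    for s in segments:
        key = (s.src, s.sport, s.dst, s.dport)
        if s.syn:
            streams[key] = Stream((s.seq + 1) % SEQ_MOD)
        elif key in streams and s.payload:
            streams[key].add(s.seq, s.payload)
    return streams


# Constructed sample: one HTTP request split into three segments, delivered out of
# order, with a duplicate and an overlapping retransmission. The ISN sits near the
# top of the 32-bit space so the stream crosses the sequence-number wrap.
ISN = 0xFFFFFFF0
REQUEST = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"
CLIENT = ("10.0.0.5", 40000, "192.0.2.10", 80)   # made-up addresses
FIRST = (ISN + 1) % SEQ_MOD                       # sequence number of stream byte 0


def seg(seq, payload=b"", syn=False):
    return Segment(*CLIENT, seq=seq, payload=payload, syn=syn)


SAMPLE_SEGMENTS = [
    seg(ISN, syn=True),
    seg((FIRST + 25) % SEQ_MOD, REQUEST[25:]),     # last part arrives first (seq has wrapped)
    seg(FIRST, REQUEST[:10]),                       # first 10 bytes
    seg(FIRST, REQUEST[:10]),                       # exact duplicate
    seg((FIRST + 5) % SEQ_MOD, REQUEST[5:25]),      # overlaps bytes 5..10, adds 10..25
    seg((FIRST + 10) % SEQ_MOD, REQUEST[10:25]),    # by now a pure retransmission
]

if __name__ == "__main__":
    for key, st in reassemble(SAMPLE_SEGMENTS).items():
        print("%s:%d -> %s:%d (%d retransmitted, %d out of order)"
              % (key + (st.retransmissions, st.out_of_order)))
        print(bytes(st.data).decode())
```

Running it prints the complete request once, with two segments counted as retransmissions and one as out of order. In a real capture the same loop would be fed from pcap, and the reverse direction of each connection would be a second Stream keyed on the swapped tuple.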

You can download it here:

Version 0.21 source tarball
Version 0.21 Source RPM

Or read more here.


Posted in: Forensics, Network Hacking

Wi-Fi Jacking Extremely Common (45% of People Do!)

It seems Wi-Fi jacking is actually extremely common; in fact, in a recent poll up to 45% admit to doing it. I guess most people here have; I admit I do too, even with my phone: when I’m out and about I’ll use any WiFi point that works.

We can blame it on the manufacturers for having lax default security settings, but they have to do it, because if they enforced WEP by default, for example, most people wouldn’t be able to connect and would most likely return the device to the shop claiming that it’s ‘broken’.

Sophos has revealed new research into the use of other people’s Wi-Fi networks to piggyback onto the internet without payment. The research shows that 54 percent of computer users have admitted breaking the law, by using someone else’s wireless internet access without permission.

According to Sophos, many internet-enabled homes fail to properly secure their wireless connection with passwords and encryption, allowing freeloading passers-by and neighbours to steal internet access rather than paying an internet service provider (ISP) for their own.

As for the legal and ethical side, it’s hard to say. In most countries it’s still a fairly grey area – if you don’t do anything illegal with the connection (sniffing, cracking, hacking, DoS etc.) and you don’t use enough bandwidth to cause a problem it’s hard to say it’s illegal.

Stealing Wi-Fi internet access may feel like a victimless crime, but it deprives ISPs of revenue. Furthermore, if you’ve hopped onto your next door neighbours’ wireless broadband connection to illegally download movies and music from the net, chances are that you are also slowing down their internet access and impacting on their download limit. For this reason, most ISPs put a clause in their contracts ordering users not to share access with neighbours – but it’s very hard for them to enforce this.

The contract clause is interesting but, as mentioned, extremely hard to enforce.

I guess Wifi jacking will continue and as more mobile devices support Wifi (n95, E61i, PSP, iPhone etc) it will get even more common.

Source: Net Security


Posted in: Legal Issues, Privacy, Wireless Hacking

Apple Fixes ‘Misleading’ Leopard Firewall Settings

Apple has admitted that it has at LEAST three serious design weaknesses in its new application-based firewall being rolled out with Mac OS X ‘Leopard’.

It comes (somewhat oddly) only 24 hours after a Mac OS X security update that fixed 41 OS X and Safari security vulnerabilities.

Previously independent researchers proved that Apple’s claim that the Leopard firewall could block all incoming connections was false.

In an advisory accompanying the Mac OS X v10.5.1 update, Apple admitted that the “Block all incoming connections” setting for the firewall is misleading.

“The ‘Block all incoming connections’ setting for the Application Firewall allows any process running as user “root” (UID 0) to receive incoming connections, and also allows mDNSResponder to receive connections. This could result in the unexpected exposure of network services,” Apple said.

With the fix, Apple said, the firewall describes the option more accurately as “Allow only essential services”, and limits the processes permitted to receive incoming connections under this setting to a small fixed set of system services.

Sounds like they are back-pedaling rather fast. They also addressed two other issues with the application based firewall.

CVE-2007-4703: The “Set access for specific services and applications” setting for the Application Firewall allows any process running as user “root” (UID 0) to receive incoming connections, even if its executable is specifically added to the list of programs and its entry in the list is marked as “Block incoming connections”. This could result in the unexpected exposure of network services.

CVE-2007-4704: When the Application Firewall settings are changed, a running process started by launchd will not be affected until it is restarted. A user might expect changes to take effect immediately and so leave their system exposed to network access.

So watch out, Apple is not the panacea of security as some people claim it to be.

Source: ZDNet


Posted in: Apple, General Hacking

sqlninja 0.2.1-r1 – SQL Injection Tool for MS-SQL Released for Download

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

It is written in perl and so far has been successfully tested on:

  • Linux
  • FreeBSD
  • Mac OS X

Features

  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
  • Bruteforce of ‘sa’ password (in 2 flavors: dictionary-based and incremental)
  • Privilege escalation to sysadmin group if ‘sa’ password has been found
  • Creation of a custom xp_cmdshell if the original one has been removed
  • Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames (check the documentation for details about how this works)

What’s New

  • A new flavor of bruteforce attack, performed remotely on the target DB Server by using its own CPU resources (use it with caution !)
  • Detection of the authentication mode (mixed or Windows-only), which is useful to understand whether the bruteforce attack to the ‘sa’ account can succeed or not
  • Documentation is now in HTML format, which should make things much easier for new users
  • Several bugfixes and minor improvements

You can download sqlninja 0.2.1-r1 here:

sqlninja 0.2.1-r1

Or read more here.


Posted in: Database Hacking, Hacking Tools

The World’s Biggest Botnets – Peer to Peer

So what’s coming next, after Storm you might ask. You might remember Storm Worm Descending on Blogspot recently and other news about Botnets spiraling out of control accounting for almost 25% of online computers.

Well apparently next will be p2p or peer to peer Botnets which could literally blow Storm away.

You know about the Storm Trojan, which is spread by the world’s largest botnet. But what you may not know is there’s now a new peer-to-peer based botnet emerging that could blow Storm away.

“We’re investigating a new peer-to-peer botnet that may wind up rivaling Storm in size and sophistication,” says Tripp Cox, vice president of engineering for startup Damballa, which tracks botnet command and control infrastructures. “We can’t say much more about it, but we can tell it’s distinct from Storm.”

It’s hard to imagine anything bigger and more complex than Storm, which despite its nefarious intent as a DDOS and spam tool has awed security researchers with its slick design and its ability to reinvent itself when it’s at risk of detection or getting busted. Storm changed the botnet game, security experts say, and its successors may be even more powerful and wily.

Interesting developments, I’ll certainly be watching out for this and see what happens. This next generation could open up DDoS attacks of never-before-seen proportions (I’m talking the ability to take whole countries offline).

Information warfare? Cyber Terrorism? Yes it’s getting very real.

Botnets are no longer just annoying, spam-pumping factories — they’re big business for criminals. This shift has even awakened enterprises, which historically have either looked the other way or been in denial about bots infiltrating their organizations.

“A year ago, the traditional method for bot infections was through malware. But now you’re getting compromised servers, with drive-by downloads so prevalent that people are getting infected without realizing it,” says Paul Ferguson, network architect for Trend Micro. “No one is immune.”

So watch out, and do educate people wherever you can about the dangers of Malware and safe surfing. A little Firefox here, a little NoScript there, a copy of Avast and a few instructions solve most problems.

Source: Dark Reading


Posted in: Malware

Medusa 1.4 – Parallel Password Cracker Released for Download

It’s been a long time coming but here it is, after almost a year (Remember Medusa 1.3?) finally version 1.4 is here!

Version 1.4 of Medusa is now available for public download!

What is Medusa? Medusa is a speedy, massively parallel, modular, login brute-forcer for network services created by the geeks at Foofus.net.

The Key Features are as follows:

  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

It currently has modules for the following services:

  • CVS
  • FTP
  • HTTP
  • IMAP
  • MS-SQL
  • MySQL
  • NCP (NetWare)
  • NNTP
  • PcAnywhere
  • POP3
  • PostgreSQL
  • rexec
  • rlogin
  • rsh
  • SMB
  • SMTP (AUTH/VRFY)
  • SNMP
  • SSHv2
  • SVN
  • Telnet
  • VmAuthd
  • VNC

It also includes a basic web form module and a generic wrapper module for external scripts.

While Medusa was designed to serve the same purpose as THC-Hydra, there are several significant differences. For a brief comparison, see here.

It’s been over a year since version 1.3 was released and there have been a bunch of changes. This release includes multiple bug fixes, several new modules and additional module functionality. A somewhat detailed report is available here.
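From the defender’s side, the features listed above (parallel attempts against several hosts and users from one source) leave a recognisable footprint in authentication logs. The following Python script is an added example, not part of Medusa or of this post: it parses constructed OpenSSH-style "Failed/Accepted password" lines and flags a source address that produces a burst of failures, tries many distinct usernames, or succeeds shortly after such a burst. The thresholds, log lines, hostnames, addresses and the year supplied to the syslog timestamps are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog style; hosts, users and addresses are made up.
SAMPLE_LOG = """\
Nov 14 10:00:01 web1 sshd[2001]: Failed password for alice from 203.0.113.7 port 51001 ssh2
Nov 14 10:00:02 web1 sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Nov 14 10:00:02 db1 sshd[3001]: Failed password for root from 203.0.113.7 port 51003 ssh2
Nov 14 10:00:03 web1 sshd[2003]: Failed password for bob from 203.0.113.7 port 51004 ssh2
Nov 14 10:00:04 db1 sshd[3002]: Failed password for alice from 203.0.113.7 port 51005 ssh2
Nov 14 10:00:05 web1 sshd[2004]: Failed password for carol from 203.0.113.7 port 51006 ssh2
Nov 14 10:00:09 db1 sshd[3003]: Accepted password for alice from 203.0.113.7 port 51007 ssh2
Nov 14 10:05:00 web1 sshd[2010]: Failed password for dave from 198.51.100.20 port 40001 ssh2
Nov 14 10:05:30 web1 sshd[2011]: Accepted password for dave from 198.51.100.20 port 40002 ssh2
Nov 14 10:20:00 web1 sshd[2012]: Failed password for erin from 192.0.2.44 port 40003 ssh2
Nov 14 10:45:00 web1 sshd[2013]: Failed password for erin from 192.0.2.44 port 40004 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_sshd_log(text, year=2007):
    """Return (timestamp, host, outcome, user, source) tuples. Syslog lines carry
    no year, so one is supplied (assumed here to be the post's year)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4), m.group(5)))
    return events


def detect(events, window=timedelta(seconds=60), max_failures=5, max_users=3):
    """Per source address, find the densest window of failed logins and report it
    when it reaches max_failures ("burst"), spans max_users distinct accounts
    ("spray"), or an accepted login follows within the window of at least
    max_failures failures ("success_after_burst"). Thresholds are illustrative."""
    by_src = defaultdict(list)
    for ev in sorted(events):                  # tuples sort on the timestamp first
        by_src[ev[4]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e[2] == "Failed"]
        peak, start, peak_slice = 0, 0, []
        for end in range(len(failures)):       # two-pointer sliding window
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 > peak:
                peak = end - start + 1
                peak_slice = failures[start:end + 1]
        users = sorted({e[3] for e in peak_slice})
        hosts = sorted({e[1] for e in peak_slice})
        reasons = []
        if peak >= max_failures:
            reasons.append("burst")
        if len(users) >= max_users:
            reasons.append("spray")
        for ok in (e for e in evs if e[2] == "Accepted"):
            recent = sum(1 for f in failures if ok[0] - window <= f[0] <= ok[0])
            if recent >= max_failures:
                reasons.append("success_after_burst")
                break
        if reasons:
            alerts[src] = {"failures": peak, "users": users, "hosts": hosts, "reasons": reasons}
    return alerts


if __name__ == "__main__":
    for src, info in detect(parse_sshd_log(SAMPLE_LOG)).items():
        print(src, info)
```

On the sample only 203.0.113.7 is reported: six failures across two hosts and five accounts in four seconds, followed by a successful login, which is the combination that deserves an immediate look. The single failure from 198.51.100.20 before a successful login, and the two failures from 192.0.2.44 twenty-five minutes apart, stay below every threshold.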

You can download Medusa 1.4 here:

medusa-1.4.tar.gz

Or read more here.


Posted in: Hacking Tools, Password Cracking
