Archive | December, 2007

wsScanner – Web Services Footprinting, Discovery, Enumeration, Scanning and Fuzzing tool

Cybertroopers storming your ship?


wsScanner is a toolkit for Web Services scanning and vulnerability detection.

This tool has the following functions:

Discovery tool

By leveraging search engine this tool helps in discovering Web Services running on any particular domain or with certain name pattern.

Vulnerability detection

It is possible to enumerate and profile Web Services using this tool and one can follow it up by auto auditing (.NET only). .NET proxy gets dynamically created for audit module. One can do vulnerability scan for data type, SQL injections, LDAP/Command injections, Buffer checks, Bruteforing SOAP etc. It is also possible to leverage regex patterns for SOAP analysis.

Fuzzing

This tool helps in fuzzing different Web 2.0 streams like SOAP, XML-RPC, REST, JSON etc. This module helps in assessing various different Web Services.

UDDI scan

It is possible to scan UDDI servers using this tool for footprinting and discovery of Web Services.

This tool is still in beta and they are planning to add some more features and support. Stay tuned for future releases as well.

You can download wsScanner here:

wsScanner.zip

Or read more here.


Posted in: Exploits/Vulnerabilities, Hacking Tools, Web Hacking

Tags: , , , , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Hacking Tools, Web Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- BeautifulPeople.com Leak Exposes 1.1M Extremely Private Records
- Apple Will Not Patch Windows QuickTime Vulnerabilities
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 234,368 views
- AJAX: Is your application secure enough? - 120,031 views
- eEye Launches 0-Day Exploit Tracker - 85,486 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Storm Worm Spreading Some Holiday Cheer

Cybertroopers storming your ship?


Storm is back in the festive season spreading some xmas and new year love. They even have a new year greeting site ready for spreading New Year related Storm Worm variants.

Social Engineering again, people are always more susceptible during holidays, I guess they are happy and less paranoid.

The Storm Worm gang are spreading seasonal ill-will. Security watchers have spotted New Year greeting spam runs that attempt to direct recipients to a malicious web site called uhavepostcard.com.

Anti-virus firm F-Secure warns that although the site remains free of exploits (for now) the spam run is likely to be a prelude for a New Year’s Eve-themed Storm Worm attack.

Things are getting tricky again, these Storm guys are really pushing the envelope for global domination with their nasty botnet, I guess there really is a lot of money in the business.

Malware miscreants are making early preparations for the New Year after they left it too late for Christmas, only striking on Christmas Eve. A widely-circulated email first distributed on December 24 pointed to a website containing a malicious Santa Claus-themed striptease.

The emails, which have varied subject lines including “Your Secret Santa”, “Santa Said, HO HO HO”, “Warm Up this Christmas” and “Mrs. Clause Is Out Tonight!” attempt to entice prospective marks into visiting a website containing images of scantily clad young women in a Santa suits. The images and “Download for free now!” button both linked to a variant of the Storm Worm, anti-virus firm Sophos reports.

So make sure you tell people, be careful about greeting cards from unknown addresses. And well let’s face it, be careful about anything from any address, don’t simply run executables you didn’t request and don’t go to dodgy sites – stick to Yahoo! Hallmark and other well known e-card providers.

You can read more on SANS ISC about Storm here.

Source: The Register


Posted in: General News, Malware

Tags: , , , , , , , , , , ,

Posted in: General News, Malware | Add a Comment
Recent in General News:
- Teen Accused Of Hacking School To Change Grades
- Google’s Chrome Apps – Are They Worth The Risk?
- Twitter Breach Leaks 250,000 User E-mails & Passwords

Related Posts:

Most Read in General News:
- Hacking Still Can’t Outdo Stupidity for Data Leaks - 125,378 views
- eEye Launches 0-Day Exploit Tracker - 85,486 views
- Seattle Computer Security Expert Turns Tables On The Police - 43,720 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Whitetrash – Dynamic Web White-listing for Squid

Cybertroopers storming your ship?


This is a pretty neat tool for those using Squid Cache and looking for a pro-active tool for securing web acccess in their company (or house if you have a devious sibling).

The goal of Whitetrash is to provide a user-friendly and sysadmin-friendly proxy that makes it significantly harder for malware to use HTTP and SSL for:

  • initial compromise;
  • data exfiltration; and
  • command and control.

Whitetrash features:

  • Provides whitelisting for HTTP and SSL that is good for both users and sysadmins, but defends against malware and browser exploits.
  • A HTML rendered whitelist report that can be viewed by all users. Can also be used to generate static whitelists for popular domains.
  • Fast: no noticeable impact on users browsing urls already in the whitelist, and adding a new URL is very quick.
  • Secure: As this is a security product, great care has been taken to sanitise input, flow control etc. so that the whitelist cannot be easily circumvented or exploited.
  • Users can delete their own whitelist entries (optional). Admins can delete any whitelist entry. A HTML report that lists all domains requested but not whitelisted – good for tracking down malware/adware and generating static blacklists.
  • Configurable authentication: any sort of authentication can be used. Squid provides plugins for NTLM, basic, and digest but has an extensible interface for other authentication schemes.
  • NEW: A CAPTCHA system has been implemented to prevent malware adding itself to the whitelist. CAPTCHA can be enabled for HTTP, SSL, or both. This is available in the source tree and will be included in the next release.

Whitetrash whitelists web traffic at the domain level, and is a powerful technique to eliminate (or at least make difficult) communications for a lot of malware.

You can download Whitetrash here:

whitetrash 0.2RC1

Or read more here.


Posted in: Countermeasures, Security Software

Tags: , , , , , ,

Posted in: Countermeasures, Security Software | Add a Comment
Recent in Countermeasures:
- Google Rapid Response (GRR ) – Remote Live Forensics For Incident Response
- PEiD – Detect PE Packers, Cryptors & Compilers
- NAXSI – Open-Source WAF For Nginx

Related Posts:

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 120,031 views
- Password Hasher Firefox Extension - 117,720 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,707 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Trojan Targets Google Text Based Adverts

Don't let your data go over to the Dark Side!


It looks like the malware guys are indeed getting more tricky, and this time it has an effect on multiple parties. It deprives Google of the impressions from the adverts and potentially can infect surfers with some nasty malware.

Again it’s using the hosts file, redirecting Google’s own ads to those from a nefarious source.

A security company has identified a Trojan horse program that replaces Google text advertisements on Web pages with ads from another source, depriving Google of revenue and potentially causing problems for end users.

Google may be powerless to stop the trick since it involves the modification of an internal PC file, called the hosts file, that is used to match domain names of Web sites with IP addresses, said Romanian security company BitDefender.

It’s a pretty interesting vector and I guess in the coming year we are going to see a lot more tricks like this as the bad guys get more tricky and start thinking of new ways to get to people.

BitDefender said in an advisory this particular malware directs a browser to download advertisements from a different server than Google’s ad server.

BitDefender named the malware Trojan.Qhost.WU and said it is not spreading fast and poses a “medium” risk of damage. It did not say how the Trojan is being circulated, and company representatives did not return a call for comment.

Besides costing Google ad revenue, there is a danger that those replacement advertisements could contain links to sites with malicious software, BitDefender said. Web site owners who buy ads through Google, as well as Google itself, can lose out on both Web traffic and revenue if people are diverted from its ads.

As stated in the article there’s not much anyone can do, apart from the end-user making sure they don’t browse any malicious sites or run any software from unknown sources that might change their hosts file.

Source: Network World


Posted in: Malware, Web Hacking

Tags: , , , , , , , ,

Posted in: Malware, Web Hacking | Add a Comment
Recent in Malware:
- PEiD – Detect PE Packers, Cryptors & Compilers
- Mac OS X Ransomware KeRanger Is Linux Encoder Trojan
- Veil Framework – Antivirus Evasion Framework

Related Posts:

Most Read in Malware:
- Nasty Trojan Zeus Evades Antivirus Software - 77,475 views
- Hospital Hacker GhostExodus Owns Himself – Arrested - 47,594 views
- US considers banning DRM rootkits – Sony BMG - 44,979 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Merry Xmas From Darknet

Cybertroopers storming your ship?


I’d just like to take this opportunity to wish you all a jolly and safe Christmas, enjoy some time with your families and friends.

Relax, have some food, some drinks and some fun.

I’d like to thank you all for your continued support, reading, rss subscriptions and especially to those who actively comment.

I really enjoy each and every one of your comments and appreciate the time you’ve taken to make this a more interesting and positive community.

I hope I can keep bringing you the news and tools that interests you and Santa brings you some radical 0-days and a copy of Core Impact :)

Merry Xmas!


Posted in: Site News

Tags: , , , , , , , ,

Posted in: Site News | Add a Comment
Recent in Site News:
- A Look Back At 2015 – Tools & News Highlights
- A Look Back At 2014 – Tools & News Highlights
- Yes – We Now Have A Facebook Page – So Please Like It!

Related Posts:

Most Read in Site News:
- Welcome to Darknet – The REBIRTH - 36,571 views
- Get the ball rollin’ - 18,992 views
- Slashdot Effect vs Digg Effect Traffic Report - 12,251 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Nikto 2 Released – Web Server Scanning Tool

Cybertroopers storming your ship?


Another one that has been a long time coming, but finally here it is! Nikto 2.

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it’s fairly obvious in log files. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are “info only” type checks that look for items that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.

Version 2 adds a ton of enhancements, including:

  • Fingerprinting web servers via favicon.ico files
  • 404 error checking for each file type
  • Enhanced false positive reduction via multiple methods: headers, page content, and content hashing
  • Scan tuning to include or exclude entire classes of vulnerability checks
  • Uses LibWhisker 2, which has its own long list of enhancements
  • A “single” scan mode that allows you to craft an HTTP request manually
  • Basic template engine so that HTML reports can be easily customized
  • An experimental knowledge base for scans, which will allow regenerated reports and retests (future)
  • Optimizations, bug fixes and more…

You can download Nikto 2 here:

nikto-current.tar.gz

Or read more here.


Posted in: Exploits/Vulnerabilities, Hacking Tools, Windows Hacking

Tags: , , , , , , ,

Posted in: Exploits/Vulnerabilities, Hacking Tools, Windows Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- BeautifulPeople.com Leak Exposes 1.1M Extremely Private Records
- Apple Will Not Patch Windows QuickTime Vulnerabilities
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 234,368 views
- AJAX: Is your application secure enough? - 120,031 views
- eEye Launches 0-Day Exploit Tracker - 85,486 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Worm Spreading Fast on Google’s Orkut Social Network

Cybertroopers storming your ship?


A new worm has hit Google’s Orkut and it seems to be hitting it pretty hard, it’s infected via the scrapbook feature and is adding hundreds of thousands of users, similar to the Myspace worm (Samy) that hit in October 2005.

It seems to be fairly unmalicious, more of a ‘look at me – see what I can do’ kind of thing. It’s certainly interested to see that social networking sites are beginning to be the focus of hackers, even if it’s not for money or stealing info..But more of a playground to test their skills.

A fast moving worm is squirming though Google’s Orkut social network, adding hundreds of thousands of users to an Orkut community created by a Brazilian hacker.

The worm, which first appeared on Dec. 19, has been spreading through Orkut’s Scrapbook system at a rapid pace, infecting more than 650,000 users in the space of a few hours.

According to an alert from anti-virus specialist Trend Micro, infection starts when an Orkut user is sent an e-mail telling them that they have a new Scrapbook entry.

I guess you can avoid it by not reading any scraps, or using something like NoScript – which would remove the danger of the JavaScript. But again it comes back to the same old thing, how many average users would even know what NoScript is?

Logging into Orkut, the victim is greeted with Portuguese-language text that reads: “2008 vem ai… que ele comece mto bem para vc.” This translates to “2008 is coming…I wish that it begins quite well for you”.

No interaction is necessary. Simply looking at the scrap starts the infection sequence,” says Trend Micro researcher Robert McArdle.

Once the scrap is viewed, it deletes itself and the victim is automatically added to the “Infectados pelo Vírus do Orkut” community.

Once a user becomes infected, the infected account downloads and executes an embedded Javascript that sends a copy of the original Scrapbook post to all the victim’s contacts.

But yes indeed, it shows the danger of allowing rich user content sanitizing it properly. Haven’t they learned their lessons from what happened at MySpace?

Source: eWeek


Posted in: Malware, Web Hacking

Tags: , , , , , , , , , ,

Posted in: Malware, Web Hacking | Add a Comment
Recent in Malware:
- PEiD – Detect PE Packers, Cryptors & Compilers
- Mac OS X Ransomware KeRanger Is Linux Encoder Trojan
- Veil Framework – Antivirus Evasion Framework

Related Posts:

Most Read in Malware:
- Nasty Trojan Zeus Evades Antivirus Software - 77,475 views
- Hospital Hacker GhostExodus Owns Himself – Arrested - 47,594 views
- US considers banning DRM rootkits – Sony BMG - 44,979 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Inguma 0.0.6 Released for Download – Free Pen-testing Framework

Don't let your data go over to the Dark Side!


Quite a few people seem to be interested in this tool, so here is the latest revision – Inguma 0.0.6.

For those that don’t know, Inguma is a free penetration testing and vulnerability discovery toolkit entirely written in python. Framework includes modules to discover hosts, gather information about, fuzz targets, brute force usernames and passwords, exploits, and a disassembler.

Inguma Penetration Testing Toolkit

In this new version various things have been added like new modules and improvements in the existing ones. For example the Oracle modules. The Oracle payloads now uses the Cursor Injection method when possible so CREATE PROCEDURE system privilege is not needed to become DBA.

The support for InlineEgg, added in version 0.0.5.1, have been removed and a new completely free library have been added (PyShellCodeLib).

The static analysis framework OpenDis have been enhanced and now you can use the API exposed by OpenDis to write your own binary static analysis tools. As an example of the API, a tool to make binary diffs have been added. Take a look to the file $INGUMA_DIR/dis/asmdiff.py and to the README stored in the same directory.

New 5 exploits for Oracle Databases have been added and the module “sidguess” have been enhanced to retrieve the SID of the database instance from the Enterprise Manager/Database Control banner when possible.

The new modules added to the discover, gather and brute sections are the following:

  • brutehttp: A brute forcer for HTTP servers.
  • extip : A tool to known your external IP address. Very useful to check anonymous proxies.
  • nmbstat : A tool to gather NetBIOS information.
  • ipscan : A tool to make IP protocol scans. The tool check what IP protocols are enabled in the target.
  • arppoison: A tool to poison target’s ARP cache

You can download Inguma 0.0.6 here:

Inguma 0.0.6

Or read more here.


Posted in: Exploits/Vulnerabilities, Hacking Tools, Password Cracking

Tags: , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Hacking Tools, Password Cracking | Add a Comment
Recent in Exploits/Vulnerabilities:
- BeautifulPeople.com Leak Exposes 1.1M Extremely Private Records
- Apple Will Not Patch Windows QuickTime Vulnerabilities
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 234,368 views
- AJAX: Is your application secure enough? - 120,031 views
- eEye Launches 0-Day Exploit Tracker - 85,486 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Pcapy – Python Interface to LibPcap

Cybertroopers storming your ship?


Pcapy is a Python extension module that interfaces with the libpcap packet capture library. Pcapy enables python scripts to capture packets on the network. Pcapy is highly effective when used in conjunction with a packet-handling package such as Impacket, which is a collection of Python classes for constructing and dissecting network packets.

Advantages of Pcapy

  • Works with Python threads.
  • Functions in both UNIX with libpcap and Windows with WinPcap.
  • Provides a simpler Object Oriented API.

Requirements

  • A Python interpreter. Versions 2.1.3 and higher.
  • A C++ compiler. GCC G++ 2.95, as well as Microsoft Visual Studio 6.0 or MSVC 2003 depending on the Python version.
  • A Libpcap 0.9.3 or newer. Windows users should have installed WinPcap 4.0 or newer.

Download Pcapy here:

Source code

Latest stable release (0.10.5) – gzip’d tarball or zip file

Win32 binaries – Pick the appropriate Python or WinPcap version.

Latest release (0.10.5) – Windows installer – Python 2.5 and WinPcap 4.0.
0.10.4 – Windows installer – Python 2.4 and WinPcap 3.1.

Or read more here and the documentation is here.


Posted in: Network Hacking, Programming

Tags: , , , , , , , ,

Posted in: Network Hacking, Programming | Add a Comment
Recent in Network Hacking:
- SubBrute – Subdomain Brute-forcing Tool
- WAFW00F – Fingerprint & Identify Web Application Firewall (WAF) Products
- IPGeoLocation – Retrieve IP Geolocation Information

Related Posts:

Most Read in Network Hacking:
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,401,917 views
- Wep0ff – Wireless WEP Key Cracker Tool - 514,232 views
- THC-Hydra – The Fast and Flexible Network Login Hacking Tool - 327,041 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


DNS Poisoning Getting Serious – Phishing from Open Recursive DNS Servers

Cybertroopers storming your ship?


A new generation of phishing attacks is being studied jointly by Google and Georgia Institute of Technology, it seems the bad guys are getting some smarter ideas.

They are using Open Recursive DNS servers to poison DNS queries and return false information, thus luring consumers to even more realistic phishing domains.

Researchers at Google and the Georgia Institute of Technology are studying a virtually undetectable form of attack that quietly controls where victims go on the Internet.

The study, set to be published in February, takes a close look at “open recursive” DNS servers, which are used to tell computers how to find each other on the Internet by translating domain names like google.com into numerical Internet Protocol addresses. Criminals are using these servers in combination with new attack techniques to develop a new generation of phishing attacks.

The scary thing about this is, you could end up at Paypal.com or HSBC.com and the site could look exactly the same, but you could actually be connected to some Russian phishers web site…and you wouldn’t even know.

Unless of course you check the SSL certificate whilst using the https version, but come on – how many average Joes would do that?

The Georgia Tech and Google researchers estimate that as many as 0.4 percent, or 68,000, open-recursive DNS servers are behaving maliciously, returning false answers to DNS queries. They also estimate that another two percent of them provide questionable results. Collectively, these servers are beginning to form a “second secret authority” for DNS that is undermining the trustworthiness of the Internet, the researchers warned.

“This is a crime with few witnesses,” said David Dagon, a researcher at Georgia Tech who co-authored the paper. “These hosts are like carnival barkers. No matter what you ask them, they’ll happily direct you to the red light store, or to a Web server that does nothing more than spray your eyeballs with ads.”

Oh well, another scam to look out for and another threat to monitor. Something else for us to educate the masses about, and some more ammo for us to scare people with.

It’s not all bad – is it?

Source: PC World


Posted in: Network Hacking, Phishing

Tags: , , , , , , , , ,

Posted in: Network Hacking, Phishing | Add a Comment
Recent in Network Hacking:
- SubBrute – Subdomain Brute-forcing Tool
- WAFW00F – Fingerprint & Identify Web Application Firewall (WAF) Products
- IPGeoLocation – Retrieve IP Geolocation Information

Related Posts:

Most Read in Network Hacking:
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,401,917 views
- Wep0ff – Wireless WEP Key Cracker Tool - 514,232 views
- THC-Hydra – The Fast and Flexible Network Login Hacking Tool - 327,041 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95