Archive | February, 2009

Webtunnel 0.0.2 – HTTP Encapsulation and Tunnel Tool

Find your website's Achilles' Heel


Webtunnel is a network utility that encapsulates arbitrary data in HTTP and transmits it through a web server. In that regard, it is similar to httptunnel, however, it has several key important differences: its server component runs in the context of a web server as a CGI application (with optional FastCGI support) so it does not need its own port, and supports most things that the web server supports, such as authentication, HTTP 1.1, HTTPS, and client certificates; it uses simple requests and responses so it works seamlessly through forward and reverse proxies; it is multi-threaded (actually multi-process using sockets for inter-process communication) to allow multiple parallel connections to multiple destinations simultaneously.

It’s written in Perl and currently supports the tunneling of TCP connections. Future plans include implementations in different languages, mixed tunneling of UDP and pipes (so you can tunnel directly to a shell etc.), configuration features such as access control lists, and transmission options like compression and encryption.

You can download Webtunnel 0.0.2 here:

webtunnel-0.0.2.tgz

Or read more here.


Posted in: Hacking Tools, Network Hacking, Web Hacking

Posted in: Hacking Tools, Network Hacking, Web Hacking | Add a Comment
Recent in Hacking Tools:
- PowerOPS – PowerShell Runspace Portable Post Exploitation Tool
- Shadow Brokers NSA Hack Leaks 0-day Vulnerabilities
- UFONet – Open Redirect DDoS Tool

Related Posts:

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 1,986,642 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,454,754 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 683,849 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Kaspersky Lab Alleged Customer Database Hack From SQL Injection Flaw

Your website & network are Hackable


The latest big news is that on February 6th the Kaspersky Customer Records database was hacked through a simple SQL injection flaw on the website. The hacker claimed it was possible to expose all customer data including users, activation codes, lists of bugs, admins, shot and so on. The anonymous hacker hasn’t actually posted any of the data, but has listed the database tables exposed here.

Later Kaspersky has stated that no data was actually exposed, apparently there was a flaw to do with data validation and perhaps only the database table names were exposed – not the data within.

So far though it’s all speculation unless the hacker releases the actual data and Kaspersky comfirms it there’s no way we can know what has actually transpired.

Anti-virus vendor Kaspersky Lab denies any data was stolen during a SQL injection attack launched Feb. 6. Well-known database security expert David Litchfield of NGSSoftware is doing a third-party review for Kaspersky.

Officials at anti-virus vendor Kaspersky Lab are adamant that no data was stolen during a hack of its U.S. support site over the weekend.

According to Kaspersky Lab, on Feb. 6, a hacker exploited a flaw on the Web site to launch a SQL injection attack. After Kaspersky officials received word of the breach Feb. 7, they took down the vulnerable site and replaced it.

The security company maintained in a press conference Feb. 9 that no data had been leaked. However, the anonymous hacker behind the attack publicized table names purportedly taken from a Kaspersky database the hacker accessed.

Kaspersky has already commissioned a 3rd party audit from well-known specialist in Database Security, David Litchfield the principal consultant with NGS Software.

I wonder if Mr. Litchfield will publish his findings publicly or they will be vetted through Kaspersky first, I’d imagine the latter – which again means we might never know the true extent of the vulnerability.

According to the company, the problem was due to the site not properly validating user input. Roel Schouwenberg, senior anti-virus researcher at Kaspersky, confirmed that the names of the tables are accurate. However, having the names of the tables does not mean the hacker actually accessed them, he noted.

Schouwenberg added that no credit card data was stored on the server targeted by the hacker, though there were product activation codes and 2,500 e-mail addresses for people who signed up for a product trial.

“This shouldn’t have happened,” Schouwenberg said, adding he was worried about the impact the hack would have on Kaspersky’s reputation.

The vulnerable code the hacker took advantage of to launch the attack was developed externally and did not go through Kaspersky’s normal code review process, Schouwenberg said.

It shouldn’t have happened? What insight these people have!

They are blaming the vulnerability on code developed externally, and it seems that from the story it’s limited data to do with some kind of software trial. It’s not the full customer records database.

Still I think we need to wait a little longer to get a clearer picture of what is going on, either way it looks like this might be an interesting story for us to follow.

Source: eWeek


Posted in: Database Hacking, Exploits/Vulnerabilities, General Hacking, Legal Issues, Web Hacking

Tags: , , , , , ,

Posted in: Database Hacking, Exploits/Vulnerabilities, General Hacking, Legal Issues, Web Hacking | Add a Comment
Recent in Database Hacking:
- Onapsis Bizploit v1.50 – SAP Penetration Testing Framework
- OAT – Oracle Auditing Tools For Database Security
- ODAT (Oracle Database Attacking Tool) – Test Oracle Database Security

Related Posts:

Most Read in Database Hacking:
- Pangolin – Automatic SQL Injection Tool - 76,884 views
- bsqlbf 1.1 – Blind SQL Injection Tool - 54,480 views
- SQLBrute – SQL Injection Brute Force Tool - 41,257 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Cisco Enterprise Wireless (Wi-Fi) Equipment DoS Vulnerability Discovered

Your website & network are Hackable


If your organisation is using any kind of Cisco Wi-Fi kit it may be time to get the latest patches for your kit. Although they state there is no proof that hackers have used this attack in the wild – in my experience if Cisco have discovered this now, someone else probably knew about it earlier.

There are multiple vulnerabilities mostly concerning malformed packets sent to the web authentication interface which can cause a reload or hanging of the hardware device.

Cisco is urging admins to update their wireless LAN hardware following the discovery of multiple vulnerabilities in its enterprise Wi-Fi kit.

Security flaws in Cisco Wireless LAN Controllers, Cisco Catalyst 6500 Wireless Services Modules (WiSMs), and Cisco Catalyst 3750 Integrated Wireless LAN Controllers create a mechanism for hackers to knock over vulnerable hardware.

All Cisco Wireless LAN Controllers running version 4.2 of the network giant’s software are affected by a pair of denial of service flaws. A third DoS flaw affects software versions 4.1 and later.

The denial of service bugs include a flaw in the handling of Web authentication, which can cause an affected device to reload, and a separate flaw (that also affects version 4.1 of the software) that means vulnerable kit can freeze up on receipt of malformed data packets.

Even if you have recent software (version 4.1) it’s also vulnerable to a separate flaw, which also needs to be patched. I’d imagine now the news is out, even if no one had discovered this previously a little bit of reverse engineering with yield some proof or concept or even a working exploit for these flaws.

You need to check your model numbers though as not all wireless devices are affected.

The same set of potential problems affects Cisco Catalyst 6500 Series/7600 Series Wireless Services Module and Cisco Catalyst 3750 Series Integrated Wireless LAN Controllers but not the equivalent wireless modules on Cisco 2800 and 3800 series Integrated Services Routers. Cisco 2000 and 2100 Series Wireless LAN Controllers are also unaffected by the vulnerability.

The denial of service problem is not the only issue to consider. Version 4.2.173.0 of Cisco’s Wireless LAN controller software is affected by a privilege escalation vulnerability. The security bug creates a means for an ordinary user to gain full administrative rights.

“Successful exploitation of the denial of service vulnerabilities may cause the affected device to hang or reload,” a security advisory from Cisco explains. “Repeated exploitation could result in a sustained DoS condition. The privilege escalation vulnerability may allow an authenticated user to obtain full administrative rights on the affected system.”

One of the flaws is a little more serious resulting in privilege escalation, the end result being administrative access. It does say though you need to be an authenticated user to achieve this – but as they say the majority of attacks come from within an organisation anyway.

As always be wary, and keep your patches up to date. A lot of organisations I’ve audited are very good on patching software, their antivirus is updated daily, Windows updates are applied regularly but often I’ve found hardware and especially Cisco devices woefully out of date.

The problem was discussed here a while ago with the Cisco Vulnerability Given ‘Write Once, Run Anywhere’ Treatement. Cisco needs to make it easier and more efficient for people to update their devices.

Source: The Register


Posted in: Exploits/Vulnerabilities, Hardware Hacking, Network Hacking

Tags: , , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Hardware Hacking, Network Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- Shadow Brokers NSA Hack Leaks 0-day Vulnerabilities
- Pompem – Exploit & Vulnerability Finder
- Bug Bounties Reaching $500,000 For iOS Exploits

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 235,386 views
- AJAX: Is your application secure enough? - 120,194 views
- eEye Launches 0-Day Exploit Tracker - 85,635 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


FlowMatrix – Free Network Behavior Analysis System

Find your website's Achilles' Heel


FlowMatrix is Network Anomaly Detection and Network Behavioral Analysis (NBA) System, which in fully automatic mode constantly monitors your network using NetFlow records from your routers and other network devices in order to identify relevant anomalous security and network events.

In addition, the new release of FlowMatrix, (ver.0.9.62 and later) supports Network Applications Behavior Analysis. This means you can define 3 groups of applications to monitor and FlowMatrix will automatically create a baseline for each of them, just like it does for network. When the baseline is crossed a security event is triggered. This allows you to catch many attacks, exploits and other security violations on more granular level giving you even better visibility to your network and network applications environment.

After initial learning period of (7-14 days) FlowMatrix builds multidimensional behavioral models of your network and network applications and later uses them to detect relevant anomalous security and network events. FlowMatrix provides short response time of 1 minute so you will know about anomaly right when it begins to happen.

How it works

The FlowMatrix receives NetFlow records from routers or other network devices you configure to send NetFlow to FlowMatrix. It processes NetFlow records and after learning period of 7-14 days builds detailed multidimensional behavioral models of your network. Later it compares measured parameters from incoming NetFlow records to built models and identifies relevant anomalous events which significantly deviate from what is expected by the models and logs an event.

To help you identify what each logged event means FlowMatrix performs (when possible) classification of each event to corresponding class of attack or network events.

In order to provide relevant possible information about each logged event FlowMatrix logs relevant filtered detailed information which can be used for more detailed investigation of the event.

Features

  • Performs continuous 27×7 fully automatic behavioral analysis of your network traffic to identify relevant anomaly security and network events.
  • Performs continuous 27×7 fully automatic behavioral analysis of your 3 groups of network applications traffic to identify relevant anomaly security and network events.
  • Classifies each reported anomaly event (when possible) as belonging to proper class of security or network events (DDoS, Scans, Alpha flows, network outages etc.).
  • Collects and presents relevant detailed information for each anomalous event so you can drill down to investigate each reported event to decide on proper set of actions.
  • Utilizes NetFlow records collected by network devices such as routers and switches. This eliminates need for additional expensive network probes and as result substantially lowers price for building network security monitoring solution. Currently only NetFlow versions 1, 5, 7 are supported, more being added;
  • Provides short response time — 1 minute, so you will know about events as they begin to happen.
  • Builds multidimensional behavioral models of your network and network applications in order to lower false positive rate.
  • Provides rule system for more interactive event identification so you can create rules to monitor for conditions you would like to know about (for example show host contacted by more then 100 unique hosts, show host that contacted more then 60 unique hosts etc.).

You can download FlowMatrix here:

FlowMatrix v0.9.75 (I’d grab it now if you can, I have a feeling it won’t be free forever)

Or read more here.


Posted in: Countermeasures, Network Hacking, Security Software

Tags: , , , , , , , ,

Posted in: Countermeasures, Network Hacking, Security Software | Add a Comment
Recent in Countermeasures:
- OpenIOC – Sharing Threat Intelligence
- Cuckoo Sandbox – Automated Malware Analysis System
- Fully Integrated Defense Operation (FIDO) – Automated Incident Response

Related Posts:

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 120,194 views
- Password Hasher Firefox Extension - 117,847 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,740 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Windows 7 UAC Vulnerable – User Mode Program Can Disable User Access Control

Your website & network are Hackable


It seems like Windows 7 is already creating some controversy even though it’s still in BETA. Just like Vista it also has UAC (User Access Control) which a lot of people disable completely because they find it irritating (myself included).

When that happens, the boundary between security and usability has crossed too far and the control becomes useless because people just remove it.

Thankfully in Windows 7 they have made it more configurable with 4 levels to choose from which offer various levels of protection vs usability (level 4 is the same as Vista and it comes default at level 3).

The controversy is with a VBScript run in user-mode the UAC can be disabled (set to level 1) without any kind of prompt happening.

A controversy erupted last week with the revelation by a researcher that it is possible for a user-mode program in Windows 7 to disable User Access Control in the default configuration. My first reaction to this was that it was bad, but it’s a beta and it will be fixed. Now I’m getting the vibe from Microsoft that it won’t be fixed and I can see their argument. It still leaves me uncomfortable though.

For those of you unfamiliar with the specific problem, in Windows 7 the default behavior of UAC was changed so that the user is not prompted for access to Windows programs, such as control panel applets, as they are in Vista. UAC also no longer uses the “secure desktop” mode for confirmation by default.

And a new control panel is provided to let the user choose the behavior of UAC in Windows 7. There is a slider control with 4 levels: level 4 is the same as Vista, with all the same prompting for system-level changes and secure desktop; level 3, the default, is the same as level 4, but doesn’t prompt for changes in Windows settings, like the control panel; level 2 is the same as level 3, but does not use the secure desktop; and level 1 shuts off UAC; no prompting at all. The secure desktop is a special mode in which you can only interact with the UAC prompt, and no other software.

It’s not really a vulnerability in the traditional sense of the word as it’s a design choice by Microsoft and only occurs under a certain set of circumstances. For example the user must be running as Administrator for a program to be able to disable UAC without prompting.

So if the machine is set up properly and day to day usage is logged in under a non-privileged account this won’t be an issue anyhow. The problem I see is, how often does that really happen?

Everyone just uses the Administrator account, so this could be a real problem.

The proof of concept showed a user-mode program which spoofed keystrokes and mouse movements to change the setting from the default down to level 1.

What bothered me was that this was user-mode code. It seemed to me that it sort-of violated at least the spirit of UAC by indirectly elevating privilege through an external program, which level 3 is supposed to prompt. The author of the attack proposed what seemed a sensible solution: force a prompt, one that requires secure desktop, for that one case. The heart of the argument for making this a special case is that users would expect from level 3 that it would protect them from elevation changes from external programs.

There was a lot of hyperbole about this issue. There are many legitimate arguments that this isn’t so bad a problem, and in fact not surprising at all. Some of them are made in Roger’s Security Blog, who closes with the point that a lot of the criticism is hypocritical, amounting to calls for more rigid prompting from people who complained about it in Vista..

The more I’ve thought about it, the more I think Microsoft is right not to make a change here. Here are the major arguments for this position.

The fact still remains, for this to be an issue – the user has to run a piece of untrusted code (even if it’s ‘just’ a VBScript) and once that has happened you can assume the machine is compromised anyway.

I’d imagine the script to carry out the actions will soon enough be flagged by Anti-virus software rendering it a little less of a threat.

Either way I’ll be paying close attention to the insecurity security of Windows 7 – I hope you will too.

Source: eWeek


Posted in: Exploits/Vulnerabilities, Windows Hacking

Tags: , , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Windows Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- Shadow Brokers NSA Hack Leaks 0-day Vulnerabilities
- Pompem – Exploit & Vulnerability Finder
- Bug Bounties Reaching $500,000 For iOS Exploits

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 235,386 views
- AJAX: Is your application secure enough? - 120,194 views
- eEye Launches 0-Day Exploit Tracker - 85,635 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


dradis v2.0 Released – Open Source Security Reporting Tool

Find your website's Achilles' Heel


This is more of a tool for the information security professional amongst us, those working in a team carrying out web application audits, penetration tests and vulnerability assessments.

It’s useful for a team to use a tool like dradis so everyone is on the same page and the progress and segregation of responsibility can easily be seen.

Basically speaking dradis is an open source tool for sharing information during security assessments. It provides a centralized repository of information to keep track of
what has been done so far, and what is still ahead.

It’s a web application using a client/server architecture with an easy to use web interface. If you still aren’t sure what that means you can view a flash demo of the application in action here.

dradis v2.0

This application is suited to people in lengthy engagements, it’s very useful to have all the information in one place. It’s also good to have if your team changes (i.e. someone joins half the way through), it will be useful to bring them up to speed.

The app is flexible, you don’t need to adapt your methodology to use it. It provides a web service interface so you can connect it with your existing vulnerability database or reporting tool.

The changelog for the latest feature can be found here.

You can download dradis v2.0 here:

One click installer for Windows – dradis-v2.0-setup.exe
Platform independant source – dradis-v2.0.0.tar.gz

Or read more here.


Posted in: General Hacking, Security Software

Tags: , , , , ,

Posted in: General Hacking, Security Software | Add a Comment
Recent in General Hacking:
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?
- Dradis – Reporting Platform For IT Security Professionals
- Kid Gets Arrested For Building A Clock – World Goes NUTS

Related Posts:

Most Read in General Hacking:
- 10 Best Security Live CD Distros (Pen-Test, Forensics & Recovery) - 1,170,777 views
- Hack Tools/Exploits - 628,506 views
- Password Cracking with Rainbowcrack and Rainbow Tables - 435,360 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Chrome and Firefox Face Clickjacking Exploit

Find your website's Achilles' Heel


Just remember that even though Firefox tends to be more secure than Internet Exploder – it’s not immune from vulnerabilities (although they do tend to get fixed much much faster).

The latest one that’s cropped up in both Firefox and Chrome is a clickjacking vulnerability. This is basically where a link is replaced by an attacker to lead to a site (which would usually be setup to deliver malware).

You can find the Proof of Concept (PoC) here.

Security researchers have discovered a flaw affecting Google’s Chrome browser that exposes it to “clickjacking”–in which an attacker hijacks a browser’s functions by substituting a legitimate link with one of the attacker’s choice.

Google has acknowledged the flaw and is working toward a patch for Chrome versions 1.0.154.43 and earlier when running within Windows XP SP2 systems, according to SecNiche security researcher Aditya Sood.

Sood disclosed the flaw on Tuesday and has since posted a proof of concept on the Bugtraq vulnerability disclosure forum.

“Attackers can trick users into performing actions which the users never intended to do and there is no way of tracing such actions later, as the user was genuinely authenticated on the other page,” Sood said within the disclosure.

While Google is working on a fix, a representative for the Australian arm of the company pointed out that clickjacking can affect all browsers, not just Chrome.

I’m pretty sure there has been an Internet Explorer Clickjacking bug going around recently too. There was something with IE8 and apparently the ‘fix’ didn’t even help much.

So as always be cautious with what you’re clicking, and if you are super Paranoid just turn off all Javascript.

If you are even more paranoid…just go back to using Lynx on the command line :)

Either way it’s a fairly new brand of vulnerability so I’m sure it will be developed into a more complex and perhaps damaging variation.

However, Nishad Herath, an independent security researcher and CEO of Australian security consultancy Novologica, told ZDNet.com.au that after running Sood’s proof of concept he found that Internet Explorer 8 (release candidate 1 and beta 2 versions) and Opera 9.63 (the latest version) were not exposed to the flaw. But, like Chrome, Firefox 3.0.5 was exposed.

Google’s security researchers had not found any attacks in the wild that exploited the specific vulnerability, said Google’s representative.

Clickjacking is a relatively new browser attack that security researchers Robert Hansen and Jeremiah Grossman gave a talk on it late last year at the Open Web Application Security Project security conference in New York. Such an attack broadly fits within the category of cross-site scripting forgery, where an attacker uses maliciously crafted HTML or JavaScript code to force a victim’s browser to send an HTTP request to a Web site of their choosing.

“Clickjacking means that any interaction you have with a Web site you’re on, for example like clicking on a link, may not do what you expect it to do,” explained Herath.

I’d except Firefox to come out with an updated version pretty soon patched against this vulnerability, I’m not so sure about the release cycle of Chrome but I’d be surprised if Google let this slide.

It’ll be interesting to watch how far this goes.

Source: Cnet (Thanks Navin)


Posted in: Exploits/Vulnerabilities, Web Hacking

Tags: , , , , , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Web Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- Shadow Brokers NSA Hack Leaks 0-day Vulnerabilities
- Pompem – Exploit & Vulnerability Finder
- Bug Bounties Reaching $500,000 For iOS Exploits

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 235,386 views
- AJAX: Is your application secure enough? - 120,194 views
- eEye Launches 0-Day Exploit Tracker - 85,635 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95