Archive | October, 2009

Deep Packet Inspection Engine Goes Open Source



This is great news, especially for open source tool developers. Deep packet inspection is an extremely niche area and requires great expertise (and a lot of R&D of course).

I hope a new project can spawn from this; it has many interesting applications. I think it’d be a good addition to Wireshark and IDS projects like Snort.

http://opendpi.org/

Deep packet inspection (DPI) hardware can identify an astonishing array of protocols passing across the Internet—up to and including protocols that are rare even to us in the Orbiting HQ (Gadu-Gadu? Manolito? Feidian?). But if you’ve ever wondered just how this can be done, and done at wire speed, wonder no more: Europe’s leading DPI vendor has open-sourced a version of its traffic detection engine.

OpenDPI.org is the new home for ipoque’s open source project; anyone interested can take a look at the code or contribute patches. The goal in this case, though, isn’t so much about crowdsourcing product development but about easing consumer fears about DPI technology.

Klaus Mochalski, CEO of ipoque, explains that “transparency was important for us from the beginning. The lack of transparency from the vendors’ side is widespread in the DPI business. Our thoughts are a bit different and that is why we decided to push this project.”

It can identify a whole range of weird and wonderful protocols including those you’ve never heard of.

The free version is basically a watered-down version of the commercial product: it’s slow, doesn’t come bundled with some fancy supercomputer-grade hardware and can’t handle encrypted transmissions.

I think it will be useful too for people building open source router systems to manage traffic, do traffic shaping and general QoS with much more accuracy (rather than relying on port classification).

The OpenDPI engine, released under the LGPL license, differs from ipoque’s commercial scanning engine in its high-priced DPI hardware. The open-source version is much slower and (more importantly) doesn’t reveal ipoque’s methods for identifying encrypted transmissions. DPI vendors all claim high levels of success at identifying such traffic based on the flow patterns and handshake signatures common to protocols like BitTorrent and Skype, even if they cannot crack the encryption and examine the content of those transmissions.

ipoque apparently wants to convince people that its detection code doesn’t store or examine the actual content being transmitted. The company made the same point in a white paper released last week. “DPI as such has no negative impact on online privacy,” it says. “It is, again, only the applications that may have this impact. Prohibiting DPI as a technology would be just as naive as prohibiting automatic speech recognition because it can be used to eavesdrop on conversations based on content.

Although DPI can be used as a base technology to look at and evaluate the actual content of a network communication, this goes beyond what we understand as DPI as it is used by Internet bandwidth management—the classification of network protocols and applications.”

I hope they keep developing the project, or some other folks in the Open Source community step up and turn it into a full blown development fork.

That would be great: harness the existing technology and improve on it.

Because let’s face it, any commercial company releasing an Open Source branch of their software has no incentive to make it that great lest it get better than the stuff they are selling.
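The article’s point is that a DPI engine classifies a flow from its payload and handshake shape rather than from the port. The following is an added illustration, not OpenDPI’s or ipoque’s code: a few simplified first-message signatures (HTTP, TLS ClientHello, the BitTorrent peer-wire handshake, SSH, SIP) run over constructed sample flows, including p2p traffic on port 80 and SSH on port 443, which a port-based classifier would get wrong.

```python
# Added example (not from OpenDPI): classify a flow by its first payload bytes,
# then compare with the naive port-based guess. Signatures are simplified.
import re

_HTTP_RE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
_SIP_RE = re.compile(rb"^(INVITE|REGISTER|OPTIONS|BYE|ACK) sip:\S+ SIP/2\.0\r\n")

def _is_tls_client_hello(p: bytes) -> bool:
    # TLS record: type 0x16 (handshake), version 0x03 0x0X, 2-byte length,
    # then handshake type 0x01 (ClientHello).
    return len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[2] <= 0x04 and p[5] == 0x01

def _is_bittorrent_handshake(p: bytes) -> bool:
    # Peer-wire handshake: <19>"BitTorrent protocol"<8 reserved><20 infohash><20 peer id>
    return len(p) >= 20 and p[0] == 19 and p[1:20] == b"BitTorrent protocol"

def _is_ssh(p: bytes) -> bool:
    return p.startswith(b"SSH-2.0-") or p.startswith(b"SSH-1.99-")

# A real engine keeps per-flow state and matches both directions; this version
# only inspects the first client message to show the idea.
SIGNATURES = [
    ("http", lambda p: _HTTP_RE.match(p) is not None),
    ("tls", _is_tls_client_hello),
    ("bittorrent", _is_bittorrent_handshake),
    ("ssh", _is_ssh),
    ("sip", lambda p: _SIP_RE.match(p) is not None),
]

PORT_TABLE = {80: "http", 443: "tls", 22: "ssh", 5060: "sip", 6881: "bittorrent"}

def classify_payload(payload: bytes) -> str:
    for label, matcher in SIGNATURES:
        if matcher(payload):
            return label
    return "unknown"

def classify_flow(dst_port: int, payload: bytes) -> dict:
    """Return both the naive port guess and the payload-based verdict."""
    return {"port_guess": PORT_TABLE.get(dst_port, "unknown"), "dpi": classify_payload(payload)}

# Constructed sample flows: the third is BitTorrent on port 80, the fourth SSH on 443.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (443, bytes([0x16, 0x03, 0x01, 0x00, 0xF1, 0x01, 0x00, 0x00, 0xED, 0x03, 0x03]) + b"\x00" * 32),
    (80, b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20 + b"-AB1234-" + b"\x11" * 12),
    (443, b"SSH-2.0-OpenSSH_8.9\r\n"),
]

def port_vs_dpi_mismatches(flows=SAMPLE_FLOWS) -> list:
    """Flows where the payload verdict disagrees with the port, e.g. p2p hiding on 80."""
    out = []
    for port, payload in flows:
        v = classify_flow(port, payload)
        if v["dpi"] != "unknown" and v["dpi"] != v["port_guess"]:
            out.append((port, v["dpi"]))
    return out

if __name__ == "__main__":
    for port, payload in SAMPLE_FLOWS:
        print(port, classify_flow(port, payload))
```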

Source: Ars Technica


Posted in: Countermeasures, Forensics, Hacking Tools, Network Hacking, Security Software



VIPER Lab’s VAST Live Distro – VoIP Security Testing LiveCD



VAST is a VIPER Lab live distribution that contains VIPER-developed tools such as UCsniff, VoipHopper, Videojak, videosnarf, ACE, Warvox, and more. Along with VIPER tools and other essential VoIP security tools, it also contains tools penetration testers utilize such as Metasploit, Nmap, Netcat, Hydra, Hping2 etc.

This distribution is a work in progress. If you would like to see a tool or package included please feel free to suggest them to the author.

VAST also has a third-party repository for the VIPER tools built into the Synaptic package manager, so updating a tool is as easy as “apt-get”.

Specs

  • Size 900MB
  • Built on Ubuntu 9.04
  • Full language pack
  • git, apt-get, svn
  • Includes custom repository for VIPER tools

Tool List

  • UCsniff
  • VideoSnarf
  • Videojak
  • Metasploit
  • SecureLogix Tools
  • Hydra
  • Nmap
  • tshark
  • Sipvicious
  • SIPp
  • Netcat
  • Warvox
  • Hping2

You can download VAST here:

VIPER_VASTbetav2.71.iso

Or read more here.


Posted in: Hacking Tools, Network Hacking



UK Government To Launch ‘Hack Idol’



Now this should be interesting, perhaps they should turn it into a hacking based reality TV show? From the description though it looks more centered around defense than offense and perhaps should be called ‘System Administrator Idol’.

Not quite so catchy though is it.

Well, at least they’re doing something to try and nurture talent in the security arena, even if it is a little misguided.

The UK government has launched plans to find the best young hackers through a talent competition.

Would-be cyberdefenders will be rated on their abilities to thwart attacks and hack into websites. Winners will be offered courses by the respected SANS Institute and assigned mentors.

University course and work placements also form part of the putative programme, due to take its first intake late next year, The Times reports.

Hack Idol may be a catchy concept, and it’s easy to see how eccentric security minister Lord West – who famously reckons reformed naughty-boy hackers might play an important role in Britain’s cyber-defence – might get sold on the idea.

The prizes are pretty good for anyone into infosec: courses from SANS, uni courses and possible work placements.

It would be a great start to a security career for the average hacker nerd currently doing his A-Levels at college.

I guess as well as building the security industry, they are also trying to entice the more blackhat students to defect to the white side – or at least be a little more grey than black.

In addition, there’s a precedent from across the Atlantic. The UK scheme resembles the much larger US Cyber Challenge programme which is “looking for 10,000 young Americans with the skills to fill the ranks of cyber security practitioners, researchers, and warriors”.

The winner of the first US Cyber Challenge was Michael Coppola, 17, of Connecticut, who gained plaudits for breaking into the scoring system and awarding himself extra points – a move straight out of cult haxploitation flick WarGames.

Sounds like good fun, but the idea of taking the now-ubiquitous TV talent show/glorified karaoke concept and applying it to computer security to find the next Neo sounds more than a little wrong-headed.

It definitely does have some similarities to the US program, which, as new as it is, hasn’t really proved anything yet either.

It’s something to watch out for; we’ll have to see where it goes.

Source: The Register


Posted in: General Hacking



Nat Probe – NAT Detection Tool



This little but very useful program tries to send ICMP packets out of the LAN and detects all the hosts that allow it. With this you can find bugs in your (company?) network (or others), for example hosts that allow p2p connections.

Explanation

When we use a gateway, we send the packets with the IP destination of the target, but the destination MAC on the Ethernet frame is the MAC of the gateway. If we send a packet to each of the different MACs in the LAN, we can tell which one is the gateway when we receive a response from that MAC.

Sometimes we can discover more than one box configured to be a gateway; generally this is a wrong configuration, and the box will respond with an ICMP Redirect. This makes no difference, because the script only verifies whether the MAC responds.

NatProbe is developed in Python with the Scapy library.
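The explanation above, as an added example that is not NatProbe’s own code (NatProbe uses Scapy; this uses only the standard library): it builds the probe frame described, an ICMP echo whose IP destination is outside the LAN but whose Ethernet destination is the candidate MAC, and then sorts the replies by source MAC, treating an echo reply and an ICMP Redirect alike as “this box forwards”, so that more than one such MAC flags the misconfiguration the text mentions. The MACs and addresses are constructed, and the replies are built in place of a raw socket so the logic runs offline.

```python
# Added example (not NatProbe's code): craft the probe frame and classify replies.
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))

def build_icmp_frame(src_mac, dst_mac, src_ip, dst_ip, icmp_type=8, ident=0x4E50, seq=1) -> bytes:
    """Ethernet/IPv4/ICMP frame. For the probe (type 8) dst_ip lies outside the LAN and
    dst_mac is the host being asked to forward it; the same builder makes the test replies."""
    payload = b"natprobe"
    body = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + ip_hdr + icmp

def classify_reply(frame: bytes) -> tuple:
    """(source MAC, verdict) for a frame that came back to the probing host."""
    src_mac = ":".join("%02x" % b for b in frame[6:12])
    if frame[12:14] != b"\x08\x00" or frame[23] != 1:   # EtherType IPv4, IP proto ICMP
        return src_mac, "not-icmp"
    ihl = (frame[14] & 0x0F) * 4
    icmp_type = frame[14 + ihl]
    if icmp_type == 0:
        return src_mac, "forwards"   # echo reply: this MAC passed our packet off the LAN
    if icmp_type == 5:
        return src_mac, "redirect"   # box routes but points us elsewhere: usually misconfigured
    return src_mac, "icmp-type-%d" % icmp_type

def forwarding_hosts(replies) -> list:
    """MACs that route traffic off the LAN; more than one normally means a misconfiguration."""
    return sorted({mac for mac, v in map(classify_reply, replies) if v in ("forwards", "redirect")})

# Constructed replies standing in for the wire (sending the probe needs a raw socket and root).
US_MAC, US_IP = "02:00:00:00:00:01", "192.0.2.10"
SAMPLE_REPLIES = [
    build_icmp_frame("02:00:00:00:00:fe", US_MAC, "198.51.100.1", US_IP, icmp_type=0),  # real gateway
    build_icmp_frame("02:00:00:00:00:42", US_MAC, "192.0.2.42", US_IP, icmp_type=5),    # rogue router
    build_icmp_frame("02:00:00:00:00:07", US_MAC, "192.0.2.7", US_IP, icmp_type=3),     # unreachable
]
```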

You can download Nat Probe here:

natprobe.1.0.tar.gz

Or read more here.


Posted in: Hacking Tools, Network Hacking



AVG Stepping Up Consumer Anti-Virus Offerings



AVG used to be THE anti-virus software a few years ago, especially with it being the first major vendor offering a free solution for home users.

If you asked any techie back in 2002 which AV should you use, the answer would invariably be AVG free (or perhaps Panda).

After that AVG just got bloated and slow, and their signature files became very weak, missing a lot of nasty infections; I had to fix so many PCs running AVG that were infected up the ass with all kinds of malware.

People started recommending others like Avast!, Avira and BitDefender, which also offer free versions for home use.

AVG is putting an emphasis on increased speed with a revamp of its free and paid for security suites.

The latest revamp – AVG 9.0 – boasts 50 per cent faster speed and increased ease of use. Improvements in speed have been achieved by skipping the scan of files already marked as safe in future scans unless the file structure changes. The approach also offers claimed improvements of ten to 15 per cent for boot times and memory usage, respectively.

The firewall module in AVG 9.0 has also been redesigned to be less intrusive (ie fewer ‘Do you want to allow this application online’ questions) alongside tighter integration with the anti-malware scanner that forms the core of the product. This anti-malware scanner makes greater use of behaviour-based, cloud-based and white-listing technologies.

I haven’t tested AVG 9.0 yet as the free version isn’t being released until later this month, but if it stands up to their claims it could be a good product.

Speed and bloat are definitely something they need to work on, along with a more accurate scanning engine and complete signature files.

Let’s hope it’s not all just hype.

AVG Free 9.0 will be available mid-October. Details of the features are being held back until then, but expect to see a cut-down product based on the same engine but without a firewall and other bells and whistles. Based on past form, AVG free will offer an anti-malware scanner alongside LinkScanner safe search technology.

AVG’s business model relies on selling into small business and getting a percentage of consumer users of its free product (perhaps around two per cent) to upgrade. The consumer end of this equation is severely threatened by Microsoft Security Essentials launch.

Recommendations from tech savvy friends were one of the main reasons consumers latched onto AVG in the first place. AVG lost a lot of goodwill in this area with the traffic-spewing fiasco that attached to version 8.0 of its security scanner.

Secondly, irrespective of the technical merits of its product, AVG is facing off against Redmond’s marketing muscle while at the same time hunting for a new chief executive.

Microsoft Security Essentials is definitely a huge entry barrier for them and they will need to push hard to gain back a decent market share. There are some extremely good AV products out there now and a lot more choice for consumers.

Plus of course the big fat behemoths are still out there bundling their software with OEMs (Symantec, McAfee etc).

We shall see if it stands up to the tests of real world use.

Source: The Register


Posted in: Countermeasures, Malware, Security Software



Samhain v.2.5.9c – Open Source Host-Based Intrusion Detection System (HIDS)



We’ve only mentioned one HIDS before, that was OSSEC HIDS, so I thought I’d do some updates on the others.

Samhain has always been one of my favourites, before that of course I was using Tripwire like everyone else.

The Samhain open source host-based intrusion detection system (HIDS) provides file integrity checking and logfile monitoring/analysis, as well as rootkit detection, port monitoring, detection of rogue SUID executables, and hidden processes.

It has been designed to monitor multiple hosts with potentially different operating systems, providing centralized logging and maintenance, although it can also be used as a standalone application on a single host.

Samhain is a multiplatform application for POSIX systems (Unix, Linux, Cygwin/Windows).

Features

  • PCI DSS Compliance
  • File integrity checks
  • Host integrity monitoring
  • Logfile monitoring/analysis
  • Log facilities
  • Integration with other systems / Active response

You can download Samhain here:

samhain-current.tar.gz

Or read more here.


Posted in: Countermeasures, Security Software



No Emergency Patch For Latest Windows Exploit



Another reason for Windows users to hate the Microsoft Patch Tuesday policy.

The exploit isn’t 100% reliable but it’s still fairly significant in my eyes as it is a critical vulnerability and can be used for code execution.

Vista still isn’t the most popular OS, so perhaps Microsoft don’t see the threat as being that wide, as the protocol this exploit focuses on (SMB 2) was only introduced in Vista.

A security researcher has downplayed the significance of publicly released attack code exploiting a critical vulnerability in newer versions of Windows, saying it isn’t reliable enough to force Microsoft to issue an emergency patch.

The exploit, which on Monday was folded into the open-source Metasploit penetration testing kit, is at best successful only 50 percent of the time, said Dave Aitel, CTO of security firm Immunity. Given the burden of releasing out-of-schedule patches, Microsoft is unlikely to do so in this case.

“To move something like Microsoft you’ve got to have something major and this isn’t quite it,” said Aitel, whose company released its own attack code two weeks ago. “It’s going to be a lot of work to take the exploit where it is to something that works enough that they will do that.”

It seems like the exploit is more reliable with Windows on VMware, but honestly how commonly do you see that? With a real native Windows installation they are only seeing a 10% success rate.

Which really isn’t that serious is it?

Apparently Immunity have made it much more reliable, but they have poured a ton of resources into it.

The vulnerability, which surfaced three weeks ago, resides in file-sharing technology called SMB2, short for server message block version 2, which was first added to Windows Vista and later made its way into newer versions of the operating system. While the Metasploit exploit is sophisticated, it is frequently thwarted by a security measure known as ASLR. Short for address space layout randomization, it picks a different memory location to load system components each time the OS is started.

Without being able to predict where required code will be located, the Metasploit attack isn’t reliable enough to prompt Microsoft to take the drastic step of releasing a patch outside of the regularly scheduled update cycle. The software giant adopted the patch routine to make life easier on system administrators by allowing them to plan and test updates before installing them on huge numbers of business critical machines.

The Metasploit exploit in many cases is able to get around ASLR by targeting memory locations that are predictable when Windows is running on VMware. But when the exploit targets the OS running directly on a computer, the success rate can be as low as 10 percent.

Microsoft will patch this eventually, but I doubt it’ll be soon and they definitely won’t be rushing an out-of-schedule patch out just for this vulnerability.

The question is can the bad guys fashion this into a reliable exploit and get some major ownage going on?

Source: The Register


Posted in: Exploits/Vulnerabilities, Windows Hacking
