Archive | May, 2010

WhatWeb – Next Gen Web Scanner – Identify CMS (Content Management System)


Identify content management systems (CMS), blogging platforms, stats/analytics packages, JavaScript libraries, servers and more. When you visit a website in your browser, the transaction includes many unseen hints about how the web server is set up and what software is delivering the page. Some of these hints are obvious, e.g. “Powered by XYZ”, and others are more subtle. WhatWeb recognises these hints and reports what it finds.

WhatWeb has over 80 plugins and needs community support to develop more. Plugins can identify systems with obvious signs removed by looking for subtle clues. For example, a WordPress site might remove the tag but the WordPress plugin also looks for “wp-content”, which is less easy to disguise. Plugins are flexible and can return any datatype: for example, plugins can return version numbers, email addresses, account IDs and more.

There are both passive and aggressive plugins. Passive plugins use information on the page, in cookies and in the URL to identify the system. A passive request is as lightweight as a simple GET / HTTP/1.1 request. Aggressive plugins guess URLs and request more files. Plugins are easy to write; you don’t need to know Ruby to make them.


Aggressive plugins can identify versions of Joomla, phpBB, etc by making extra requests to the webserver.

Log Output

There are currently 3 types of log output. They are:

  • Brief logging
  • Full logging
  • XML logging

Plugins

There are over 90 plugins as of version 0.4.3. Plugins are easy to make. Matches are made with regular expressions, Google Hack Database queries, and custom Ruby code. For now, the probability of a match is reported as maybe (25%), probably (75%) or certain (100%).
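The passive matching and certainty levels described above, as an added example that is not WhatWeb's own code or plugin format: regex rules run over an already-fetched response and the highest certainty per technology is kept, which also shows what a site still discloses after its obvious banners are removed. The rules, the two sample responses and the names `RULES`, `fingerprint`, `HARDENED` and `DEFAULT` are constructed for illustration.

```ruby
# Added example, not WhatWeb's plugin format: passive fingerprinting of one
# HTTP response that has already been fetched (no extra requests are made).

# Certainty levels named in the text above.
MAYBE    = 25
PROBABLY = 75
CERTAIN  = 100

# Illustrative rules (assumptions for this example).
# :where is :body or the name of a response header.
RULES = [
  { name: "WordPress", where: :body, certainty: CERTAIN,
    regex: /<meta[^>]+name=["']generator["'][^>]+content=["']WordPress\s*([\d.]+)?/i },
  { name: "WordPress", where: :body, certainty: PROBABLY, regex: %r{/wp-content/}i },
  { name: "WordPress", where: :body, certainty: MAYBE, regex: /\bwordpress\b/i },
  { name: "PHP", where: "X-Powered-By", certainty: CERTAIN, regex: %r{PHP/([\d.]+)}i },
  { name: "PHP", where: "Set-Cookie", certainty: PROBABLY, regex: /PHPSESSID=/ },
  { name: "Apache", where: "Server", certainty: CERTAIN, regex: %r{Apache(?:/([\d.]+))?}i },
  { name: "jQuery", where: :body, certainty: PROBABLY,
    regex: /jquery[-.]([\d.]+)(?:\.min)?\.js/i }
].freeze

# Constructed sample: generator tag and version banners removed, but the
# asset paths and session cookie name are still there.
HARDENED = {
  headers: { "Server" => "Apache", "Set-Cookie" => "PHPSESSID=0f3a; path=/" },
  body: <<~HTML
    <html><head><title>Example blog</title>
    <link rel="stylesheet" href="/wp-content/themes/plain/style.css">
    <script src="/js/jquery-1.4.2.min.js"></script>
    </head><body>Hello</body></html>
  HTML
}.freeze

# Constructed sample: default install that announces everything.
DEFAULT = {
  headers: { "server" => "Apache/2.2.14 (Ubuntu)", "X-Powered-By" => "PHP/5.3.2" },
  body: <<~HTML
    <html><head><meta name="generator" content="WordPress 2.9.2">
    <link rel="stylesheet" href="/wp-content/themes/default/style.css">
    </head><body>Hello</body></html>
  HTML
}.freeze

# Header names are case-insensitive, so look them up that way.
def header_value(headers, wanted)
  pair = headers.find { |key, _| key.casecmp?(wanted) }
  pair && pair[1]
end

# Returns { "Name" => { certainty:, version:, evidence: [...] } }.
# Several rules may hit the same technology; the strongest certainty wins
# and the first captured version string is kept.
def fingerprint(response)
  findings = {}
  RULES.each do |rule|
    haystack = if rule[:where] == :body
                 response[:body]
               else
                 header_value(response[:headers], rule[:where])
               end
    next if haystack.nil?

    match = rule[:regex].match(haystack)
    next unless match

    entry = (findings[rule[:name]] ||= { certainty: 0, version: nil, evidence: [] })
    entry[:certainty] = [entry[:certainty], rule[:certainty]].max
    entry[:version] ||= match[1] # nil when the rule captures no version
    entry[:evidence] << "#{rule[:where]}: #{match[0]}"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  { "hardened" => HARDENED, "default" => DEFAULT }.each do |label, response|
    puts "#{label}:"
    fingerprint(response).each do |name, f|
      puts "  #{name} #{f[:version] || '(version hidden)'} certainty=#{f[:certainty]}%"
    end
  end
end
```

On the hardened sample the versions disappear but WordPress and PHP are still reported at 75%, because the asset path and the session cookie name were left in place.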

You can download WhatWeb 0.4.3 here:

whatweb-0.4.3.tar.gz

Or read more here.


Posted in: Hacking Tools, Web Hacking



eLearnSecurity – Online Penetration Testing Training


Introduction

If you are in the information security industry, or plan to be you’ve probably been looking at the various infosec certifications available. Back when I started there really wasn’t anything available, there were no infosec degrees and no professional certs. Only later some high level ones came from SANS, then more jumped on the bandwagon with stuff like Security+ and CEH.

The ones I found respected in the industry were certs such as SANS GIAC and Cisco CCIE just for the pure level of network understanding it took to pass. Some others came along mostly aimed at those interested in management like CISSP and CISA.

In more recent years some more technical and more accessible courses and certs have been appearing such as OPST (which I hold) and OSCP. The oldest being CEH has always been thought of as a script kiddy cert, and well it still remains as such – although it has improved vastly over the years it’s still not what it should be (I’ve taught CEH before).

Anyway the point is, there’s a new kid on the block – recently launched from eLearnSecurity called Penetration Testing – Pro (PTP) with the tagline “What CEH Should Have Been”.

eLearnSecurity

The course itself contains 3 knowledge-domains spread over 1600 interactive elearning slides with 4 hours of video and labs. It’s authored by a guy I’ve known a long time, Armando Romeo from Hackers Center, along with Brett D. Arion and the famous pair Nitin & Vipin Kumar. If you’ve been reading Darknet for a long time, most likely you’d have read about Nitin and Vipin here when we wrote about VBootkit bypassing Vista’s digital signing.

The course also has an optional certification called Certified Professional Penetration Tester (eCPPT) which should be relevant to most as the course is targeted at those with between 0-3 years of experience. It covers all the way from the basics up to advanced techniques, especially in the System Security section written by Nitin and Vipin.

The Course

The course itself is basically a Penetration Testing Course and covers 3 main areas; System Security, Network Security & Web Application Security. This pretty much covers what you need to know to conduct a penetration test as each of the 3 topics are quite broad. The course-ware itself is well presented and it doesn’t limit the order in which you can learn the topics, there’s no linear progressions so you can pick and choose depending on your mood.

Let’s take a look at the sub-sections.

System Security

The topics covered in System Security are as follows:

  • Module 1 : Introduction
  • Module 2 : Cryptography and Password cracking
  • Module 3 : Buffer overflow
  • Module 4 : Shellcoding
  • Module 5 : Malware
  • Module 6 : Rootkit coding

You’ll fare a lot better in this topic if you have some coding experience as it heads in quite deep starting out with Dev-C++ and Assembly language using NASM. This is probably the most intensive section of the course, especially for the uninitiated. This course once again reinforces what I wrote 2 years back, that yes – you still need to learn Assembly (ASM).

That’s why I say programming will help, they don’t spoon feed you on ASM and C++ so you’ll need to do some work on your own. However if you already have some knowledge of these two languages you’ll have a definite advantage. They also cover the basics of Windows Driver Development.

After that it’s onto the harder stuff, each topic is covered fairly broadly but with enough pointers so you can continue to do more research on your own. When it comes to subjects like Cryptography, you can spend 4 years doing a degree on that alone – so don’t expect to become an overnight master. Remember the focus of the course is to become a professional penetration tester, so you need to understand enough to do your job. Even though saying that pretty much all bases are covered here, for example the Cryptography module alone has around 150 slides (some of those contain sub-slides) so expect to spend quite some time on this.

The shortest section is the Rootkit module, but then how much can you write about rootkits? As long as you understand the concept and how they generally work you’re good to go.

Network Security

  • Module 1 : Information Gathering
  • Module 2 : Scanning and target detection
  • Module 3 : Enumeration and Footprinting
  • Module 4 : Sniffing and MITM Attacks
  • Module 5 : VA & Exploitation
  • Module 6 : Anonymity

Network Security would probably be my favourite topic, as you get deeper into infosec you’ll tend to find you have a certain affinity for some things, maybe natural talent in those areas or just more interest. Either way, for me it’s always been Network Security.

It follows a fairly logical structure as you would with a pen-test (info gathering, scanning, enumeration/fingerprinting then on to attacks). They explore plenty of tools but do note there are many more out there, it’s not possible to cover them all – plus they only really briefly introduce the tools. Getting familiar/skilled with the tools is on you, finding them however is easy – just look on Google and of course we have a good stock of tools for Network Hacking here at Darknet.

Tools such as Nmap and Maltego are very well covered.

The Vulnerability Assessment and Exploitation section (the fun part!) covers both Nessus and Metasploit fairly well. There are also quite a few videos in this section, which makes the whole thing a lot more interactive. The videos tend to take the form of a screen-cam with a voice over.

Web Application Security

  • Module 1 : Introduction
  • Module 2 : Information gathering
  • Module 3 : Vulnerability assessment
  • Module 4 : XSS
  • Module 5 : SQL Injection attacks
  • Module 6 : Advanced Web Attacks

Web Application Security is of course the newest and hottest security topic right now and has been for the past few years, with more and more sites moving important data online, ecommerce and online payment solutions it’s a critical area.

The two main things you need to know in Web Application Security are XSS (Cross Site Scripting) and SQL Injection.

The code examples are mostly based around PHP which makes sense, the content is well structured and starts from the very beginning (database structure) all the way to advanced SQL Injection attacks. I personally feel this is one of the strongest and most useful sections in the courseware, props to Armando for authoring these modules.

He also gives a good low-down on most of the popular tools for SQL Injection and even includes a taxonomy of what features are supported by each. Where possible the tools are linked directly and in some cases are attached to the slides for immediate download.

Appendixes

  • Methodology : Handling information
  • Methodology : Forms
  • Reporting : Guide

One of the main differences with this course is that, rather than just teaching you how to ‘hack’ and leaving it there, it also includes a section on how to professionally handle information and how to create reports.

As a professional penetration tester (and as with most) I personally hate the reporting part…but if you want to get paid it’s a necessary evil. You should know to report your findings in a clear, concise and methodological order. This is a very important part as in reality reporting on a VA/PT project can actually account for 30-50% of the total project time, it’s a safe bet in most cases that if the job will take 2 weeks the reporting will take another 1-2 weeks on top of that.

Labs

The labs consist of a customized version of Backtrack 4 with a vulnerable web application built in, there is a comprehensive PDF for download on how to setup the lab to attain the eCPPT certification.

If you really put the effort in, completing the practical assessment shouldn’t be a big problem. The certification exam is a practical pentest over a virtual lab and the production of a full report that will be carefully evaluated by one of our instructors – there’s no multiple choice or automated marking here. You really have to prove you know what you’ve learned – including the reporting section.

Conclusion

All in all I think if you are looking for Penetration Testing Training this is a great choice, even if you have no desire to take the certification you can learn a lot just by studying the modules and applying yourself. Perhaps if you are new to infosec (1-2 years) and you feel you have some weak areas or blind-spots you could fill those in with this course.

If you are just starting out (still studying or a fresh grad) I think the course and the certification will definitely have a positive effect on your career. Currently at only $599USD it’s one of the cheaper offerings on the market and certainly makes economic sense when comparing to attending real life 5-day courses. Also of course it gives you the advantage of taking your time and making sure you really understand each module – more differentiators here [PDF].

It goes into a lot more depth than courses like CEH and can really benefit your skills. I wish there was something like this in 1999 when I was starting out. The way in which the material is presented is a lot more interactive and interesting than many other courses out there with a good mix of words, images and videos plus a good theory/practical mix too. This makes it a lot easier as many of the topics within infosec can get very dry very fast.

You can view the full syllabus here: syllabus.pdf

If you have any more questions you can check the PTP FAQ here.


Posted in: Advertorial, General Hacking



IBM Distributes Malware Laden USB Drives at AusCERT Security Conference


Another case of ‘accidental’ malware distribution, remember a while back when Vodafone Spain was Distributing Mariposa Malware, the latest is that IBM handed out malware laden USB drives at a security conference of all places.

Well on the up-side at least everyone there would be security savvy so damage should be minimal. If it was a normal consumer conference we may not even know about it.

I wonder where the core of this problem is coming from? Manufacturers? Is it part of the whole China cyber-terrorism plot?

IBM has apologised after supplying a malware-infected USB stick to delegates of this week’s IBM AusCERT security conference.

The unlovely gift was supplied to an unknown number of delegates to the Gold Coast, Queensland conference who visited IBM’s booth. Big Blue does not identify the strain of malware involved in the attack beyond saying it’s a type of virus widely detected for at least two years which takes advantage of Windows autorun to spread, as a copy of IBM’s email apology published by the Beast Or Buddha blog explains.

As usual the big corporations tend to give as little information as possible, the same goes for IBM who kept pretty hush-hush about the whole thing and how it happened. They didn’t even release the name of the malware infector.

At least they did acknowledge it however and warned the attendees providing an address to return the USB key to. From their statement I’d say it’s probably not a targeted attack as it’s a rather old malware variant.

More likely it can be attributed to sloppy handling of the USB drives at some point, perhaps during testing procedure the host computer was already infected and spread when the drives were plugged in.

At the AusCERT conference this week, you may have collected a complimentary USB key from the IBM booth. Unfortunately we have discovered that some of these USB keys contained malware and we suspect that all USB keys may be affected.

The malware is detected by the majority of current Anti Virus products [as at 20/05/2010] and has been known since 2008.

The malware is known by a number of names and is contained in the setup.exe and autorun.ini files. It is spread when the infected USB device is inserted into a Microsoft Windows workstation or server whereby the setup.exe and autorun.ini files run automatically.

Please do not use the USB key, and we ask that you return it to IBM at Reply Paid 120, PO Box 400, West Pennant Hills 2120.

Hopefully we won’t start to see hordes of phones and USB pen-drives getting handed out carrying nasty malware variants. We could write these incidents off as freak convergences of circumstance... but then honestly I think it will happen again.

And this isn’t the first time it’s happened at AusCERT either, Australian telco Telstra distributed malware-infected USB drives at AusCERT 2008 as reported by Secure Computing.

You’d have thought some people might have learned some lessons by now?

Source: The Register


Posted in: Hardware Hacking, Malware



FOCA – Network Infrastructure Mapping Tool


FOCA 2 has a new algorithm which tries to discover as much info related to network infrastructure as possible. In this alpha version FOCA will add to the discovered network map all servers that can be found using a recursive algorithm searching in Google, Bing, reverse IP in Bing, well-known servers and DNS records, internal PTR scanning, etc.

To configure this algorithm you can use the new DNS Search panel; the extracted info is shown in three panels:

  • Domains
  • IP addresses
  • PC/Servers

ChangeLog 2.0.1:

  • Fix error searching EXIF information
  • Fix error in DNS Transfer Zone requests

ChangeLog 2.0:

  • DNS enumeration added using subdomains Web Search, zone transfer, dictionary and bing IP search.
  • Added panels Domains & IP
  • Documents grouped by document type
  • Used ListView groups
  • Better Network Map representation
  • Bing only search supported filetype documents
  • Fix error analysing metadata

You can read more and download FOCA here.


Posted in: Hacking Tools, Network Hacking, Web Hacking



76% Of Users Exposing Their Browsing Histories


This is actually a very old flaw as it’s part of the core HTTP standards, it’s exploiting the very way in which the Internet works. Basically most browsers expose browsing history if probed in the right way, the fact was that it was just too resource intensive to get any useful data.

Someone has refined the attack using the top 5000 most popular sites, then pulling specific URL data when it gets positive responses on those. With this technique giving them the ability to scan up to 30,000 URLs a second…as soon as you land on the site they can pull the data. I wonder if anyone will start exploiting this to serve more relevant content/ads to users.

It’s pretty neat actually, check it out here:

http://whattheinternetknowsaboutyou.com/

The vast majority of people browsing the web are vulnerable to attacks that expose detailed information about their viewing habits, including news articles they’ve read and the Zip Codes they’ve entered into online forms.

According to results collected from more than 271,000 visits to a site called What the internet knows about you, 76 percent of users exposed their browser histories, with the proportion of those using Apple’s Safari and Google Chrome browsers even higher. Surprisingly, the percentage was also higher among browsers that turned off JavaScript.

While the underlying browser history disclosure vulnerability was disclosed a decade ago, researchers on Thursday disclosed a variety of techniques that make attacks much more efficient. Among other things, the researchers described an algorithm that can scan as many as 30,000 links per second. That makes it possible for webmasters to stealthily gobble up huge amounts of information within seconds of someone visiting their site.

It correctly identified 11 major sites which I have visited recently and actually displayed the exact Wikipedia pages I’ve visited in the past. They’ve also extended the attack even further to get people’s ZIP codes from sites which utilize it (Weather & Movie sites for example).

Plus some other sites I’ve visited (Twitter, Google sites, Archive.org, Speedtest.net etc).

It’s still limited in scope as stated by the researchers, but once again it’s a nice extension of an old attack which yields a lot more accurate data.

What’s more, the researchers showed how webmasters can launch attacks that detect Zip Codes entered into weather or movie listings sites, find search terms entered into Google and Bing, and discover specific articles viewed on Wikileaks and dozens of popular news sites.

“While limited in scope due to resource limitations, our results indicate that history detection can be practically used to uncover private, user-supplied information from certain web forms for a considerable number of internet users and can lead to targeted attacks against the users of particular websites,” the researchers, Artur Janc and Lukasz Olejnik, wrote.

The results, presented at the Web 2.0 Security and Privacy conference in Oakland, California, are the latest convincing evidence that anonymity on the net is largely a myth. Separate research released earlier this week showed that 84 percent of browser users leave digital fingerprints that can uniquely identify them. It stands to reason that attacks that combine both methods could unearth even more information most presume is private.

Last month, Mozilla said it would add protections to its upcoming Firefox 4 that would plug the gaping information disclosure vulnerability, which is known to plague every major browser. Most browser publishers, Microsoft included, have offered a variety of workarounds, but have said fixing the weakness will be extremely difficult because it’s at the core of the HTTP standard.

It can also parse out from RSS feeds on news sites to probe for articles you might have recently read if it has already discovered that you have visited the main URL.

We’ll have to see how Mozilla attempts to address this in Firefox 4 and if it really works.

Many more details are available in a PDF of their report, which you can grab here: p26.pdf

Source: The Register


Posted in: Exploits/Vulnerabilities, Privacy, Web Hacking



Metasploit 3.4.0 Hacking Framework Released – Over 100 New Exploits Added


Metasploit provides useful information and tools for penetration testers, security researchers, and IDS signature developers. This project was created to provide information on exploit techniques and to create a functional knowledgebase for exploit developers and security professionals. The tools and information on this site are provided for legal security research and testing purposes only.

Update Summary

  • Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
  • Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (400K lines of Ruby)
  • Over 100 tickets were closed since the last point release and over 200 since v3.3

After five months of development, version 3.4.0 of the Metasploit Framework has been released. Since the last major release (Metasploit 3.3) over 100 new exploits have been added and over 200 bugs have been fixed.

This release includes massive improvements to the Meterpreter payload; both in terms of stability and features, thanks in large part to Stephen Fewer of Harmony Security. The Meterpreter payload can now capture screenshots without migrating, including the ability to bypass Session 0 Isolation on newer Windows operating systems. This release now supports the ability to migrate back and forth between 32-bit and 64-bit processes on a compromised Windows 64-bit operating system. The Meterpreter protocol now supports inline compression using zlib, resulting in faster transfers of large data blocks. A new command, “getsystem”, uses several techniques to gain system access from a low-privileged or administrator-level session, including the exploitation of Tavis Ormandy’s KiTrap0D vulnerability. Brett Blackham contributed a patch to compress screenshots on the server side in JPG format, reducing the overhead of the screen capture command. The pivoting backend of Meterpreter now supports bi-directional UDP and TCP relays, a big upgrade from the outgoing-only TCP pivoting capabilities of version 3.3.3.

This is the first version of Metasploit to have strong support for bruteforcing network protocols and gaining access with cracked credentials. A new mixin has been created that standardizes the options available to each of the brute force modules. This release includes support for brute forcing accounts over SSH, Telnet, MySQL, Postgres, SMB, DB2, and more, thanks to Tod Beardsley and contributions from Thomas Ring.

Metasploit now has support for generating malicious JSP and WAR files along with exploits for Tomcat and JBoss that use these to gain remote access to misconfigured installations. A new mixin was created for compiling and signing Java applets on the fly, courtesy of Nathan Keltner. Thanks to some excellent work by bannedit and Joshua Drake, command injection of a cmd.exe shell on Windows can be staged into a full Meterpreter shell using the new “sessions -u” syntax.

Full Metasploit 3.4.0 Release Notes

You can download Metasploit 3.4.0 here:

Windows – framework-3.4.0.exe
Linux – framework-3.4.0-linux-i686.run

Or read more here.


Posted in: Exploits/Vulnerabilities, Hacking Tools, Linux Hacking, Windows Hacking



Cloud Security – The Next Big Thing? Fortify Readiness Scorecard


With the paradigm shifting, especially for high traffic or high availability web applications, towards cloud computing – will Cloud Security become the next big thing?

We’ve already seen how you can use a cloud platform like Amazon EC2 for password cracking. So with a lot of companies moving to 3rd party cloud platforms, I’m sure security and data privacy is a concern.

Fortify are addressing this with a free add-on for their existing Fortify 360 product.

Fortify Software has come up with a way for companies interested in moving their applications to a cloud provider to analyse them line by line for security-worthiness in the new environment.

The Readiness Scorecard is effectively a free add-on for the company’s software assurance products, Fortify 360, and the online Fortify on Demand assurance service, able to give companies a vulnerability rating for software as if it was running in a cloud environment. Aren’t code vulnerabilities the same whether they are in the cloud or inside a corporate network?

According to Fortify chief scientist and founder, Brian Chess, the cloud questions coding assumptions that would have been reasonable when an application was originally written. Applications can communicate with one another using insecure protocols, while assumed infrastructure such as DNS servers will in the cloud model be shared and beyond the oversight of the IT department.

I would expect the same, if an application is inherently secure and well programmed with sanitized inputs etc, it should be secure on a regular host and on a cloud computing platform. But then there are inherent risks with a cloud platform such as the way in which the nodes communicate with each other and as mentioned – how DNS is handled.

It’s good practice though to make sure an application assumes less trust when on a cloud platform, make sure all communications are encrypted securely (for example between the front-end and the database) and any data written to the file system is also done securely with correct permissions.

In short, software has to assume less trust and the vulnerability of data must be pinpointed precisely. “When you move to the cloud, your risk profile changes,” said Chess.

The point of the Readiness Scorecard is to give in-house teams a list of both minor and major fixes needed before a given application can be run in the cloud in a way that minimises such risk, he said.

“Like immunising themselves against infection, cloud providers can use Fortify 360 or Fortify on Demand to ensure that bad code introduced by one or more customers doesn’t contaminate their cloud offering,” said Chess.

Current Fortify customers would get access to the Scorecard free of cost from later this quarter while new users would have the feature bundled with subscriptions.

Anyway, if you’re considering moving something to a cloud platform – you could use this tool from Fortify... or not. Just be aware that the risk profile for your application is changing and that you should take precautions to ensure you remain secure.

It’s also important for cloud providers themselves to make sure their platform is configured securely to increase customer security and integrity. As it’s a fairly new model I’d say we still have some way to go with this, it’s definitely the way forward for hosting sites prone to large spikes though.

Source: Network World


Posted in: Network Hacking, Web Hacking



sqlninja v0.2.5 Released – Microsoft SQL Server (MS-SQL) SQL Injection Vulnerability Tool


It’s been 2 years, but a new version of sqlninja is out at SourceForge. We wrote about the previous release back in 2008 and we’ve actually been following this tool since 2006!

Sqlninja is a tool to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide interactive access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

Features

  • Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode)
  • Bruteforce of ‘sa’ password (in 2 flavors: dictionary-based and incremental)
  • Privilege escalation to sysadmin group if ‘sa’ password has been found
  • Creation of a custom xp_cmdshell if the original one has been removed
  • Upload of netcat (or any other executable) using only normal HTTP requests (no FTP/TFTP needed)
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames
  • Evasion techniques to confuse a few IDS/IPS/WAF
  • Integration with Metasploit3, to obtain graphical access to the remote DB server through a VNC server injection

What’s New?

  • Proxy support (it was about time!)
  • No more 64k bytes limit in upload mode
  • Upload mode is also massively faster
  • Privilege escalation through token kidnapping (kudos to Cesar Cerrudo)
  • Other minor improvements

Compatibility

It is written in Perl, is released under the GPLv2 and so far has been successfully tested on:

  • Linux
  • FreeBSD
  • Mac OS X

You can download sqlninja v0.2.5 here:

sqlninja-0.2.5.tgz

Or read more here.


Posted in: Database Hacking, Hacking Tools, Web Hacking


Two Thirds Of All Phishing Attacks Carried Out By Single Group


Now this is a pretty surprising figure. We all know phishing has become a big issue in recent years, especially for financial institutions, but it still amazes me that two-thirds of all attacks can come from a single group! It’s been a major issue for computer security in general and for consumer privacy, and companies like PayPal have had a lot of problems with phishing attacks.

Apparently Avalanche arose from members of Rock Phish, which we wrote about back in 2007 as accounting for 50% of all phishing attacks.

It seems that phishing is growing into a fairly huge business for some people.

A single criminal operation was responsible for two-thirds of all phishing attacks in the second half of 2009 and is responsible for a two-fold increase in the crime, a report published this week said.

The Avalanche gang is believed to have risen out of the ashes of the Rock Phish outfit, which by some estimates was responsible for half the world’s phishing attacks before fizzling out in late 2008. Driving the success of both groups is their use of state-of-the-art technology for mass-producing imposter websites and distributing huge amounts of crimeware for automating identity theft.

“Avalanche uses the Rock’s techniques but improved upon them, introducing greater volume and sophistication,” the report, released by the Anti-Phishing Working Group, stated.

They are definitely getting more sophisticated. I remember phishing attacks when they first originated: they were really very basic, generally riddled with typos and spelling mistakes, and weren’t particularly convincing to anyone.

Now, especially with CSRF/XSS/iframe injection attacks on major websites, phishing gangs have a lot more ways to spoof legitimate-looking URLs.

Central to Avalanche’s success is its use of fast-flux botnets to host phishing sites. The use of peer-to-peer communications makes it impossible for a single ISP or hosting provider to pull the plug on the infrastructure. The gang also excels at launching attacks from a relatively small number of domain names that often appear confusingly identical to each other, such as 11f1iili.com and 11t1jtiil.com. Those abilities also fuel the success.

There were 126,697 phishing attacks during the second half of 2009, more than double the number in the first half of the year or from July through December of 2008, the APWG report said. Avalanche, which was first identified in December of 2008, was responsible for 24 percent of phishing attacks in the first half of 2009 and for 66 percent in the second half. From July through the end of the year, Avalanche targeted more than 40 major financial institutions, online services, and job search providers.

Curiously, Avalanche may turn out to be a victim of its own success.

The average uptime for each Avalanche phishing attack is much shorter than for attacks from other people, due to awareness of the gang and its tactics; obviously being infamous doesn’t work to their advantage. Perhaps it’s time for them to rethink their strategies.
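The look-alike registrations mentioned above (11f1iili.com and 11t1jtiil.com) can be grouped automatically on the defender's side. The following is an added example, not part of the original post or the APWG report: it maps thin, easily confused glyphs to one symbol and clusters domains whose mapped labels are nearly identical. The glyph set, the distance threshold and every sample domain other than the two quoted above are assumptions.

```python
from itertools import combinations

# Assumption: glyphs that are hard to tell apart in an address bar.
THIN_GLYPHS = set("1lijtf")

# Constructed sample; only the first two names appear in the post.
SAMPLE = ["11f1iili.com", "11t1jtiil.com", "example.com",
          "examp1e.com", "weather.com", "feather.com"]

def skeleton(label):
    """Map every thin glyph to 'l' so visually similar labels converge."""
    return "".join("l" if c in THIN_GLYPHS else c for c in label.lower())

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(a, b, max_dist=1):
    """True when the skeletons nearly match and the glyph mapping explains
    part of the raw difference (so weather/feather is not flagged)."""
    la, _, suffix_a = a.partition(".")
    lb, _, suffix_b = b.partition(".")
    if suffix_a != suffix_b:
        return False
    skel = edit_distance(skeleton(la), skeleton(lb))
    return skel <= max_dist and skel < edit_distance(la, lb)

def lookalike_clusters(domains, max_dist=1):
    """Single-linkage clusters (size > 1) of look-alike domains."""
    names = sorted({d.lower().rstrip(".") for d in domains})
    parent = {d: d for d in names}

    def find(d):
        while parent[d] != d:
            d = parent[d]
        return d
    for a, b in combinations(names, 2):
        if is_lookalike(a, b, max_dist):
            parent[find(a)] = find(b)
    groups = {}
    for d in names:
        groups.setdefault(find(d), []).append(d)
    return sorted(g for g in groups.values() if len(g) > 1)
```

Calling `lookalike_clusters(SAMPLE)` groups the two domains from the report together and pairs `examp1e.com` with `example.com`, while leaving `weather.com` and `feather.com` unclustered because their difference is not explained by confusable glyphs.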

Remember, anti-virus software, firewalls and even the anti-phishing features built into Internet Explorer and Firefox can’t really help with phishing; it’s more a social problem. So if you get the chance, do try and educate the less tech-savvy around you about the risks.

You can find the full report here:

APWG_GlobalPhishingSurvey_2H2009.pdf

Source: The Register


Posted in: Phishing, Spammers & Scammers
