Archive | July, 2010

iKAT – Interactive Kiosk Attack Tool v3

Cybertroopers storming your ship?


iKAT was designed to aid security consultants with the task of auditing the security of a Windows based internet Kiosk terminal. iKAT is designed to provide access to the underlying operating system of a Kiosk terminal by invoking native OS functionality. This tool should be (and is) used by Kiosk vendors/developers/suppliers to test the security of their own Kiosk products.

Designed as a SaaS, iKAT features many methods of escaping out of a browser jailed environment and gaining command execution. iKAT is a website you visit from a Kiosk, its quick, free, and aims to please. iKAT is solely developed by myself (Paul Craig) a Kiosk hacking enthusiast from New Zealand.

Whats New in iKAT v3

Signed Code
All iKAT tools, VBScripts, ActiveXs, ClickOnce, SilverLight apps are now signed by a trusted CA! Four months ago i placed a “Donate Now” button on the front page of iKAT, hoping to raise money for a code signing certificate Sadly only two people donated cash (Enrique Exposito Martinez and Gerald Fehringer, you guys rock) Luckily a Kiosk vendor was willing to come to the party and donate the remaining cash. Big thanks to Kioware Kiosks, who kindly donated the remaining money. All iKAT tools are now signed by a trusted CA.

More Tools
iKAT now contains more tools packaged in different containers, file formats, PDFs, and even silent installers. More Java Applets, More VBScript, More WMI!


iKAT ActiveX
A newly developed ActiveX which focuses on Windows Shell hacking and process spawning. The ActiveX is signed and provides a mad amount of functionality.

iKAT OfficeKAT
Thanks to Didier Stevens who donated his “Excel Spawn CMD in Memory” trick to the iKAT project OfficeKAT allows you to pop shell in environments where you can run Excel, what’s more you don’t need to write to the file system.

iKAT SilverLight
SilverLight (and mono) are now supported by iKAT, and provide yet another attack vector for your pleasure

Improved URI + File Handler Enumeration
Vastly improved enumeration code, more URI’s, more instant “One click magic”. I also added support some of the more interesting Microsoft based URI handler vulnerabilities released this year.

Emo Kiosking – Crashing the Kiosk
The fastest way to get out of a browser jail environment is to simply CRASH IT. Oddly enough this is also the easiest thing to do to a browser, and Emo-Kiosking has become a personal favourite trick of mine. iKAT now supports over 60 different methods of crashing a browser, or a browser add-on This allows you to quickly drop back to the desktop, often with only one click required.

To use iKat just visit the following URL in a kiosk system browser:

http://ikat.ha.cked.net


Posted in: Hacking Tools, Hardware Hacking

Tags: , , , , , , , , , , ,

Posted in: Hacking Tools, Hardware Hacking | Add a Comment
Recent in Hacking Tools:
- Recon-ng – Web Reconnaissance Framework
- INURLBR – Advanced Search Engine Tool
- DNSRecon – DNS Enumeration Script

Related Posts:

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 1,968,879 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,385,556 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 673,895 views

Get 50% off your second year with our 2-year deal!


UK ISP TalkTalk Monitoring Users Without Consent (Deep Packet Inspection)

Cybertroopers storming your ship?


Well this can be looked at in a number of ways, many would say “If you’ve nothing to hide, why worry?” – but then we know people in the UK can be fairly fanatical when it comes to issues regarding privacy. Also TalkTalk are claiming it’s an anonymous system, so actual user details aren’t stored.

Either way it’s a bit shady doing this kind of monitoring without even notifying your users and not offering any way of opting out from the exercise.

Plus the fact is, most of the major browsers already have this kind of technology built in and so does Google if people rely on it as their main search engine. It reminds me a little of the recent article Australians Propose ‘No Anti-virus – No Internet Connection’ Policy.

Broadband ISP TalkTalk UK could be about to incur the wrath of privacy campaigners after some of its customers spotted that their online website browsing activity was being monitored and recorded without consent. The situation has caused a significant amount of concern with many end-users worried about the impact upon their personal privacy.

TalkTalk has since confirmed that the monitoring, which was first discovered on the ISPs discussion forum during the middle of July (here), is part of a future Malware/Security/Parental Guidance tool to be provided by Chinese vendor Huawei. This is due to launch before the end of 2010.

The system, which is not yet fully in place, aims to help block dangerous websites (e.g. those designed to spread malware) by comparing the URL that a person visits against a list of good and bad/dangerous sites. Bad sites will then be restricted.

Apparently the system itself will be opt-in, but from what is happening now it’s likely the data collection will still be carried out across the whole customer-base.

Also under the Data Protection act they are operating in a legal grey area and the new Digital Economy Act 2010. I honestly don’t think such a service is required and already duplicates the functionality that people already have.

At present the affected customers cannot opt-out of TalkTalk’s data collection exercise, while the actual malware/block tool itself has yet to be enabled and will also be subjected to optional customer testing before it is. The resulting system will apparently only be available if you opt-in to use it.

As a result the systems first stage is currently just monitoring and recording URLs, which TalkTalk says is an anonymous process; no end-user IP address or personal details are revealed. However some customer posts have suggested that the TalkTalk system also reads the code for sites, at least the ones it cannot identify, which could in theory pose a security risk if the URL you visited was for a private admin page. Some of these would be pages that even Google cannot find.

It’s worth pointing out that ISPs are already required to record website and email accesses (but not content), including dates and times, as part of the previous governments Data Retention Directive. However this is a closed process for use by specific public/security services and should not be confused with what TalkTalk is doing.

Gotta give TalkTalk kudos for owning up to it though, explaining their actions and not trying to sweep it under the carpet. I wonder how they will address it going forwards though and if any legal cases will arise from this.

The conspiracy theorists will also say that the technology vendor is linked to the Chinese PLA and this data could be used for espionage purposes!

Source: ISP Review


Posted in: Legal Issues, Network Hacking, Privacy

Tags: , , , , , , , , , , ,

Posted in: Legal Issues, Network Hacking, Privacy | Add a Comment
Recent in Legal Issues:
- FBI Backed Off Apple In iPhone Cracking Case
- TalkTalk Hack – Breach WAS Serious & Disclosed Bank Details
- More Drama About Hillary Clinton’s E-mail Leak – VNC & RDP Open

Related Posts:

Most Read in Legal Issues:
- Class President Hacks School Grades - 80,681 views
- Hospital Hacker GhostExodus Owns Himself – Arrested - 47,583 views
- One Of The World’s Most Prolific Music Piracy Groups Busted - 43,592 views

Get 50% off your second year with our 2-year deal!


FuzzDiff – Tool For Fuzzing and Crash Analysis

Don't let your data go over to the Dark Side!


FuzzDiff is a simple tool to help make crash analysis during file format fuzzing a bit easier. I’m sure many people have written similar tools for their own purposes, but I haven’t seen any that are publicly available. Hopefully at least one person finds it useful.

When provided with a fuzzed file, a corresponding original un-fuzzed file, and the path to the targeted program, FuzzDiff will selectively “un-fuzz” portions of the fuzzed file while re-launching the application to monitor for crashes. This will yield a file that still crashes the target application, but contains a minimum set of changes from the original, un-fuzzed file. This can be useful in pinning down the exact cause of a crash.

The tool is written in Python and currently only works on Unix-based systems, since it monitors for crashes by checking for SIGSEGV. It also assumes that the target program adheres to the syntax “[program] [args] [input file]”. Both of these limitations can be easily worked around. The code is hardly what I’d call production-ready, but it gets the job done.

You can download FuzzDiff here:

fuzzdiff.py

Or read more here.


Posted in: Exploits/Vulnerabilities, Hacking Tools, Programming

Tags: , , , , , , ,

Posted in: Exploits/Vulnerabilities, Hacking Tools, Programming | Add a Comment
Recent in Exploits/Vulnerabilities:
- Apple Will Not Patch Windows QuickTime Vulnerabilities
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?
- DROWN Attack on TLS – Everything You Need To Know

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 234,059 views
- AJAX: Is your application secure enough? - 119,981 views
- eEye Launches 0-Day Exploit Tracker - 85,452 views

Get 50% off your second year with our 2-year deal!


WPA2 Vulnerability Discovered – “Hole 196” – A Flaw In GTK (Group Temporal Key)

Don't let your data go over to the Dark Side!


Well as it tends to be, when something is scrutinized for long enough and with enough depth flaws will be uncovered. This time the victim is WPA2 – the strongest protection for your Wi-fi network which is standardized.

WEP fell long ago and there’s a myriad of WEP Cracking tools available. In 2008 it was reported flaws had been found in WPA and it was partially cracked.

These factors of course shifted a lot of people to WPA2, which has now been found to have certain flaws.

Perhaps it was only a matter of time. But wireless security researchers say they have uncovered a vulnerability in the WPA2 security protocol, which is the strongest form of Wi-Fi encryption and authentication currently standardized and available.

Malicious insiders can exploit the vulnerability, named “Hole 196” by the researcher who discovered it at wireless security company AirTight Networks. The moniker refers to the page of the IEEE 802.11 Standard (Revision, 2007) on which the vulnerability is buried. Hole 196 lends itself to man-in-the-middle-style exploits, whereby an internal, authorized Wi-Fi user can decrypt, over the air, the private data of others, inject malicious traffic into the network and compromise other authorized devices using open source software, according to AirTight.

The researcher who discovered Hole 196, Md Sohail Ahmad, AirTight technology manager, intends to demonstrate it at two conferences taking place in Las Vegas next week: Black Hat Arsenal and DEF CON 18.

It’s a pretty interesting attack and leverages a man-in-the-middle style exploit to decrypt data from the wire and inject malicious packets onto the network.

The researched Md Sohail Ahmad is going to demo the exploit at 2 upcoming conferences (Black Hat and DEF CON 18) so I’ll be looking out for the slides and videos on that. We’ll have to wait and see if this is another ‘mostly theoretical‘ attack – or something that can actually be implemented in the wild.


The Advanced Encryption Standard (AES) derivative on which WPA2 is based has not been cracked and no brute force is required to exploit the vulnerability, Ahmad says. Rather, a stipulation in the standard that allows all clients to receive broadcast traffic from an access point (AP) using a common shared key creates the vulnerability when an authorized user uses the common key in reverse and sends spoofed packets encrypted using the shared group key.

Ahmad explains it this way:

WPA2 uses two types of keys: 1) Pairwise Transient Key (PTK), which is unique to each client, for protecting unicast traffic; and 2) Group Temporal Key (GTK) to protect broadcast data sent to multiple clients in a network. PTKs can detect address spoofing and data forgery. “GTKs do not have this property,” according to page 196 of the IEEE 802.11 standard.

These six words comprise the loophole, Ahmad says.

The upside is that the attack is limited to people who can genuinely authenticate to the network first, the downside that means large organizations using WPA2 in trouble – as generally most damage comes from the inside.

It’s also something to think about when connecting to ISP/public Wi-fi hotspots using WPA2 encryption.

I’m sure there will be more news about this soon.

Source: Network World (Thanks Austin)


Posted in: Cryptography, Exploits/Vulnerabilities, Wireless Hacking

Tags: , , , , , , , , , , , , , , , , , , ,

Posted in: Cryptography, Exploits/Vulnerabilities, Wireless Hacking | Add a Comment
Recent in Cryptography:
- DROWN Attack on TLS – Everything You Need To Know
- Dell Backdoor Root Cert – What You Need To Know
- ISIS Running 24-Hour Terrorist Crypto Help-desk

Related Posts:

Most Read in Cryptography:
- The World’s Fastest MD5 Cracker – BarsWF - 47,613 views
- Hackers Crack London Tube Oyster Card - 44,571 views
- WPA2 Vulnerability Discovered – “Hole 196” – A Flaw In GTK (Group Temporal Key) - 32,838 views

Get 50% off your second year with our 2-year deal!


PlainSight – Open Source Computer Forensics LiveCD

Cybertroopers storming your ship?


PlainSight is a versatile computer forensics environment that allows inexperienced forensic practitioners perform common tasks using powerful open source tools such as RegRipper, Pasco, Mork, Foremost and many more.

We have taken the best open source forensic/security tools, customised them, and combined them with an intuitive user interface to create an incredibly powerful forensic environment.

With PlainSight you can perform operations such as:

  • Get hard disk and partition information
  • Extract user and group information
  • View Internet histories
  • Examine Windows firewall configuration
  • Discover recent documents
  • Recover/Carve over 15 different file types
  • Discover USB storage information
  • Examine physical memory dumps
  • Examine UserAssist information
  • Extract LanMan password hashes
  • Preview a system before acquiring it

You can view a more complete features list here:

PlainSight | Features

You can download PlainSight v0.1 ISO here:

UK Mirror – PlainSight-0.1.iso
Belgium Mirror – PlainSight-0.1.iso

Or read more here.


Posted in: Forensics

Tags: , , , , , , , , , , , , , , , , ,

Posted in: Forensics | Add a Comment
Recent in Forensics:
- FastIR Collector – Windows Incident Response Tool
- Rekall – Memory Forensic Framework
- DAMM – Differential Analysis of Malware in Memory

Related Posts:

Most Read in Forensics:
- NetworkMiner – Passive Sniffer & Packet Analysis Tool for Windows - 66,327 views
- raw2vmdk – Mount Raw Hard Disk (dd) Images As VMDK Virtual Disks - 33,903 views
- OpenDLP – Free & Open-Source Data Loss Prevention (DLP) Tool - 27,792 views

Get 50% off your second year with our 2-year deal!


Microsoft Confirms Windows Zero Day Bug In Shortcut Files

Cybertroopers storming your ship?


This is a pretty nasty attack and for once Microsoft have actually acknowledged and confirmed this is a critical unpatched vulnerability. Incidentally Microsoft also recently retired Windows XP SP2 from the support cycle, and this vulnerability effects that system and they have stated they will not be patching it.

It’s a pretty serious bug and it seems hackers have been maliciously exploiting it in the wild for over a month. The Stuxnet malware has been using this vulnerability to gain access to machines then download further attack files including a root kit.

Microsoft on Friday warned that attackers are exploiting a critical unpatched Windows vulnerability using infected USB flash drives.

The bug admission is the first that affects Windows XP Service Pack 2 (SP2) since Microsoft retired the edition from support , researchers said. When Microsoft does fix the flaw, it will not be providing a patch for machines still running XP SP2. In a security advisory , Microsoft confirmed what other researchers had been saying for almost a month: Hackers have been exploiting a bug in Windows “shortcut” files, the placeholders typically dropped on the desktop or into the Start menu to represent links to actual files or programs.

“In the wild, this vulnerability has been found operating in conjunction with the Stuxnet malware,” Dave Forstrom, a director in Microsoft’s Trustworthy Computing group, said in a post Friday to a company blog . Stuxnet is a clan of malware that includes a Trojan horse that downloads further attack code, including a rootkit that hides evidence of the attack.

Forstrom characterized the threat as “limited, targeted attacks,” but the Microsoft group responsible for crafting antivirus signatures said it had tracked 6,000 attempts to infect Windows PCs as of July 15.

Limited but targeted attacks are the worst kind as they can really burrow through corporate defenses. A lot of companies are taking this seriously, including all the main players in the anti-virus arena.

You have to wonder if Microsoft will break their patch tuesday policy and issue an emergency out-of-band patch for this.

Especially since more virus writers are picking up on this flaw meaning it’s becoming more widespread.


On Friday, Siemens alerted customers of its Simatic WinCC management software that attacks using the Windows vulnerability were targeting computers used to manage large-scale industrial control systems used by major manufacturing and utility companies. The vulnerability was first mentioned on June 17 in an alert issued by VirusBlokAda , a little-known security firm based in Belarus. Other security organizations, including U.K.-based Sophos and SANS Institute’s Internet Storm Center , picked up on the threat Friday. Security blogger Brian Krebs , formerly with the Washington Post, reported on it Thursday.

According to Microsoft, Windows fails to correctly parse shortcut files, identified by the “.lnk” extension. The flaw has been exploited most frequently using USB flash drives. By crafting a malicious .lnk file, hackers can hijack a Windows PC with little user interaction: All that’s necessary is that the user views the contents of the USB drive with a file manager like Windows Explorer.

Chester Wisniewski, a senior security advisory with Sophos, called the threat “nasty,” and said his tests showed that the exploit works even when AutoRun and AutoPlay — two functions that have previously been used by attackers to commandeer PCs using infected flash drives — are disabled. The rootkit also bypasses all security mechanisms in Windows, including the User Account Control (UAC) prompts in Vista and Windows 7 , said Wisniewski in a blog entry Friday.

I’m sure they’ll come up with some reason for not patching this sooner rather than later. The scary part is the attack can still be carried out even if AutoRun and AutoPlay are disabled.

The rootkit also bypasses the security mechanisms in Windows 7 and Vista making this a very dangerous attack.

You can find a temporary workaround in the Microsoft Security Advisory here:

Microsoft Security Advisory: Vulnerability in Windows Shell could allow remote code execution

And Microsoft has stated they are working on a patch.

Source: Network World


Posted in: Exploits/Vulnerabilities, Windows Hacking

Tags: , , , , , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Windows Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- Apple Will Not Patch Windows QuickTime Vulnerabilities
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?
- DROWN Attack on TLS – Everything You Need To Know

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 234,059 views
- AJAX: Is your application secure enough? - 119,981 views
- eEye Launches 0-Day Exploit Tracker - 85,452 views

Get 50% off your second year with our 2-year deal!


Sagan – Real-time System & Event Log (syslog) Monitoring System

Don't let your data go over to the Dark Side!


Softwink announces the release of Sagan, the ultimate in Syslog monitoring. Sagan can alert you when events are occurring in your syslogs that need your attention right away, in real time!

Sagan is a multi-threaded, real time system- and event-log monitoring system, but with a twist. Sagan uses a “Snort” like rule set for detecting “bad things” happening on your network and/or computer systems. If Sagan detects a “bad thing” happening, that event can be stored to a Snort database (MySQL/PostgreSQL) and Sagan will correlate the event with your Snort Intrusion Detection/Intrusion Prevention (IDS/IPS) system. Sagan is meant to be used in a ‘centralized’ logging environment, but will work fine as part of a standalone Host IDS system for workstations.

Sagan is fast: Sagan is written in C and is a multi-threaded application. Sagan is threaded to prevent blocking Input/Output (I/O). For example, data processing doesn’t stop when an SQL query is needed. It is also meant to be as efficient as possible in terms of memory and CPU usage.

Sagan uses a “Snort” like rule set: If you’re a user of “Snort” and understand Snort rule sets, then you already understand Sagan rule sets. Essentially, Sagan is compatible with Snort rule management utilities, like “oinkmaster” for example.

Sagan can log to Snort databases: Sagan will operate as a separate “sensor” ID to a Snort database. This means that your IDS/IPS events from Snort will remain separate from your Sagan (syslog/event log) events. Since Sagan can utilize Snort databases, using Snort front-ends like BASE and Snorby will not only work with your IDS/IPS event, but also with your syslog events as well!

Sagan output formats: You don’t have to be a Snort user to use Sagan. Sagan supports multiple output formats, such as a standard output file log format (similar to Snort), e-mailing of alerts (via libesmtp), Logzilla support and externally based programs that you can develop using the language you prefer (Perl/Python/C/etc).

Sagan is actively developed: Softwink, Inc. actively develops and maintains the Sagan source code and rule sets. Softwink, Inc. uses Sagan to monitor security related log events on a 24/7 basis.

Other Features:

  • Sagan is meant to be easy to install. The traditional, “./configure && make && make install” works for many installations depending on the functionality needed and configuration.
  • Thresholding of alerts. Uses the same format as Snort in the Sagan rule set.
  • Attempts to pull TCP/IP addresses, port information, and protocol of rule set that was triggered. This leads to better correlation.
  • Can be used to monitor just about any type of device or system (Routers, firewalls, managed switches, IDS/IPS systems, Unix/Linux systems, Windows event logs, wireless access points & much more).
  • Works ‘out of the box’ with Snort front ends like BASE, Snorby, proprietary consoles, various Snort based reporting systems.
  • Sagan is ‘open source’ and released under the GNU/GPL version 2 license.

You can download Sagan here:

sagan-current.tar.gz

Or read more here.


Posted in: Countermeasures, Forensics, Network Hacking, Security Software

Tags: , , , , , , , , , ,

Posted in: Countermeasures, Forensics, Network Hacking, Security Software | Add a Comment
Recent in Countermeasures:
- PEiD – Detect PE Packers, Cryptors & Compilers
- NAXSI – Open-Source WAF For Nginx
- Defence In Depth For Web Applications

Related Posts:

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 119,981 views
- Password Hasher Firefox Extension - 117,688 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,695 views

Get 50% off your second year with our 2-year deal!


Clever Attack Allows Theft Of Names & Addresses From IE & Safari

Cybertroopers storming your ship?


There has been some very clever attacks lately, especially involving browsers and the kind of data they can leak when probed the right way. The biggest press recently was generated by the history leak that occurs in most browsers.

Another clever attack that got some coverage lately was tabnapping and the latest is another fascinating way to lift information from browsers using the auto-complete feature.

It’s good to see these kind of attacks, when you think about technically how they operate – they are fairly simple. But in saying that it takes a leap in logic to even get to the point where you can start coding for something like this.

The Internet Explorer, Firefox, Chrome, and Safari browsers are susceptible to attacks that allow webmasters to glean highly sensitive information about the people visiting their sites, including their full names, email addresses, location, and even stored passwords, a security researcher says.

In a talk scheduled for next week’s Black Hat security conference in Las Vegas, Jeremiah Grossman, CTO of White Hat Security, plans to detail critical weaknesses that are enabled by default in the browsers, which are the four biggest by market share. The vulnerabilities have yet to be purged by the respective browser makers despite months, and in some cases, years of notice.

Among the most serious is a vulnerability in Apple’s Safari and earlier versions of Microsoft’s IE that exposes names, email addresses, and other sensitive information when a user visits a booby-trapped website. The attack exploits the browsers’ autocomplete feature used to automatically enter commonly typed text into websites. It works by creating a webpage with fields carrying titles such as “First Name,” “Last Name,” “Email Address,” and “Credit Card Number” and then adding javascript that simulates the user entering various letters, numbers or keystrokes into each one.

It seems all 4 of the main browsers are susceptible to this, although the implementation varies slightly for each browser. Hacking wise that’s not a big problem as you can just do a user agent string identification when the user lands on the malicious page and serve them up with the relevant info grabbing script for their browser type.

The worst case scenario is if this flaw allows malicious pages to gather user passwords that are stored in the browser, combined with the ability to probe the browser to see which sites they have visited..it could multiply into a quite accurate and potentially dangerous attack.

The worst effected is the Safari and older versions of Internet Explorer.


Users who in the past have used the autocomplete features to store that information in versions 6 and 7 of IE or versions 4 and 5 of Safari will find that the information will be automatically zapped to the rogue website. No interaction is necessary other than to visit the page. Webmasters can set the input fields to be invisible to better conceal the attack.

In the case of Safari, Grossman’s proof-of-concept attack simulates a user entering various letters or numbers into the fields. In a demonstration, when the script entered the letter J under a field titled “Name,” the browser automatically exposed “Jeremiah Grossman” to the web server. Grossman said he alerted Apple to the vulnerability on June 17, but received no reply other than an automatic response saying his message had been received.

“I would never have talked about this publicly if Apple had taken this seriously,” he told The Register. “I figured somebody else must have found this before because it’s so brain-dead simple.” When he sent a follow up query “I never heard anything back, human or robotic.”

Tricking IE 6 and 7 into coughing up the autocomplete details works in a similar fashion, but instead of simulating the entering of numbers or letters into a field, Grossman enters a user’s down arrow twice and then the enter key to extract the stored information. If more than one record is stored in that field, the script will repeat the process so they can be lifted as well.

Apart from the above flaws he seems to have uncovered a whole lot of bugs in all the major browsers including ways to steal passwords from Firefox and Chrome by using bugs + XSS attacks.

Another neat trick is the ability to erase all cookies on a users computer, not really dangerous but certainly annoying. The trick is to spawn more cookies than the browser can handle (about 3000 for Firefox) so the browser will delete all older cookies. The PoC for this takes about 2.5 seconds!

It’ll be interesting to see the whole talk at BlackHat.

Source: The Register


Posted in: Exploits/Vulnerabilities, Privacy, Web Hacking

Tags: , , , , , , , , , , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Privacy, Web Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- Apple Will Not Patch Windows QuickTime Vulnerabilities
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?
- DROWN Attack on TLS – Everything You Need To Know

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 234,059 views
- AJAX: Is your application secure enough? - 119,981 views
- eEye Launches 0-Day Exploit Tracker - 85,452 views

Get 50% off your second year with our 2-year deal!


thc-ipv6 Toolkit – Attacking the IPV6 Protocol

Don't let your data go over to the Dark Side!


A complete tool set to attack the inherent protocol weaknesses of IPV6 and ICMP6, and includes an easy to use packet factory library. Please note to get full access to all the available tools you need to develop IPV6 tools yourself or submit patches, tools and feedback to the thc-ipv6 project.

The Tools

  • parasite6: icmp neighbor solitication/advertisement spoofer, puts you as man-in-the-middle, same as ARP mitm (and parasite)
  • alive6: an effective alive scanng, which will detect all systems listening to this address
  • dnsdict6: parallized dns ipv6 dictionary bruteforcer
  • fake_router6: announce yourself as a router on the network, with the highest priority
  • redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever icmp6 redirect spoofer
  • toobig6: mtu decreaser with the same intelligence as redir6
  • detect-new-ip6: detect new ip6 devices which join the network, you can run a script to automatically scan these systems etc.
  • dos-new-ip6: detect new ip6 devices and tell them that their chosen IP collides on the network (DOS).
  • trace6: very fast traceroute6 with supports ICMP6 echo request and TCP-SYN
  • flood_router6: flood a target with random router advertisements
  • flood_advertise6: flood a target with random neighbor advertisements
  • fuzz_ip6: fuzzer for ipv6
  • implementation6: performs various implementation checks on ipv6
  • implementation6d: listen daemon for implementation6 to check behind a FW
  • fake_mld6: announce yourself in a multicast group of your choice on the net
  • fake_mipv6: steal a mobile IP to yours if IPSEC is not needed for authentication
  • fake_advertiser6: announce yourself on the network
  • smurf6: local smurfer
  • rsmurf6: remote smurfer, known to work only against linux at the moment
  • sendpees6: a tool by willdamn@gmail.com, which generates a neighbor solicitation requests with a lot of CGAs (crypto stuff ;-) to keep the CPU busy. nice.

Limitations

This code currently only runs on:

  • Linux 2.6.x (because of /proc usage)
  • 32 Bit
  • Ethernet and Raw are supported (is there anything else necessary?)

You can download thc-ipv6 here:

thc-ipv6-1.2.tar.gz

Or read more here.


Posted in: Hacking Tools, Network Hacking

Tags: , , , , , , , , , , , , , , , ,

Posted in: Hacking Tools, Network Hacking | Add a Comment
Recent in Hacking Tools:
- Recon-ng – Web Reconnaissance Framework
- INURLBR – Advanced Search Engine Tool
- DNSRecon – DNS Enumeration Script

Related Posts:

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 1,968,879 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,385,556 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 673,895 views

Get 50% off your second year with our 2-year deal!


Mozilla Increases Security Bug Bounty To $3000

Cybertroopers storming your ship?


There’s been a number of bounty programs in the past year or so with Mozilla being one of the forerunners with their Mozilla Security Bug Bounty Program.

There are others like Google offering rewards for bugs in Chrome, and other specific high profile bounties like when Microsoft Offered $250K Bounty for Conficker Author.

Mozilla on Thursday boosted bug bounty payments six-fold by increasing the standard cash award to $3,000.

The new bounty for vulnerabilities in Firefox, Firefox Mobile and Thunderbird is also six times the normal payment by Google for flaws in its Chrome browser, and more than double the maximum $1,337 that Google pays for the most severe bugs. Mozilla and Google are the only browser makers that pay security researchers for reporting vulnerabilities in their products.

“A lot has changed in the six years since the Mozilla program was announced, and we believe that one of the best ways to keep our users safe is to make it economically sustainable for security researchers to do the right thing when disclosing information,” said Lucas Adamski, director of security engineering. Mozilla kicked off its bounty program in August 2004 .

Only bugs that Mozilla ranks “crucial” or “high” — its top two ratings — are eligible for payment. In Mozilla’s hierarchy, critical vulnerabilities are those that allow remote code execution; in other words, ones that when exploited give the attacker full control of the machine. High vulnerabilities are those that expose “high-value” personal information, such as usernames, passwords and credit card numbers. Denial-of-service flaws are not eligible for a bounty, Mozilla said.

It’s a big increase too going from $500 all the way to $3000 which is more than double what Google offers for the most critical & clever bugs ($1337). You could earn a decent living if you could find one Mozilla bug a month, especially if you already have a stable monthly salary.

I doubt anyone would be able to find so many bugs, and even if they did it’s still way below the market rate for a real, remotely exploitable 0-day exploit.

I still think it’s a good initiative though and they’ve raised the bounty to make it a more viable option for security researchers to submit vulnerabilities directly to them.


Google launched its own cash-for-flaws program in January 2010, paying $500 for most bugs. Some vulnerabilities, however, earn their discoverer $1,000, or even $1,337, the latter given only to bugs that Chrome’s team judge’s “particularly severe or particularly clever.” The last time Google paid bounties was July 2, when it handed out $2,500 to a pair of researchers for reporting four vulnerabilities.

Adamski announced several other changes to Mozilla’s bounty program on the Mozilla security blog Thursday. Bugs in the Mozilla Suite, which the Mozilla Foundation dropped in 2005 — will no longer be eligible for bounties, said Adamski. But vulnerabilities in Firefox Mobile, Mozilla’s mobile browser, as well as any Mozilla services that Firefox or Thunderbird rely on for safe operation, are eligible.

Mozilla also added new language to its reward policy that gives it some new flexibility. “Mozilla reserves the right to not give a bounty payment if we believe the actions of the reporter have endangered the security of Mozilla’s end users,” the revised guidelines now state.

They do say in the statement that if you were paid to find the flaw (e.g. by your company as a security researcher) they would prefer if you didn’t apply for the bounty so they can award the money to people working independently.

So if any of you guys find any interesting flaws in Mozilla products, $3000 might be waiting for you!

Source: Network World


Posted in: Exploits/Vulnerabilities, Programming, Web Hacking

Tags: , , , , , , , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Programming, Web Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- Apple Will Not Patch Windows QuickTime Vulnerabilities
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?
- DROWN Attack on TLS – Everything You Need To Know

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 234,059 views
- AJAX: Is your application secure enough? - 119,981 views
- eEye Launches 0-Day Exploit Tracker - 85,452 views

Get 50% off your second year with our 2-year deal!