Archive | December, 2010

IOCTL Fuzzer v1.2 – Fuzzing Tool For Windows Kernel Drivers

Cybertroopers storming your ship?


IOCTL Fuzzer is a tool designed to automate the task of searching vulnerabilities in Windows kernel drivers by performing fuzz tests on them.

The fuzzer’s own driver hooks NtDeviceIoControlFile in order to take control of all IOCTL requests throughout the system.

While processing IOCTLs, the fuzzer will spoof those IOCTLs conforming to conditions specified in the configuration file. A spoofed IOCTL is identical to the original in all respects except the input data, which is changed to randomly generated fuzz.

IOCTL Fuzzer works on Windows XP, 2003 Server, Vista, Windows 7 and 2008 Server.


New in 1.2 version

  • Windows 7 support
  • Full support of 64-bit versions of Windows
  • Exceptions monitoring
  • “Fair Fuzzing” feature
  • Different data generation modes
  • Boot fuzzing (during OS initialization)

You can download IOCTL Fuzzer v1.2 here:

ioctl_fuzzer-1.2.zip

Or read more here.


Posted in: Exploits/Vulnerabilities, Programming, Windows Hacking

Tags: , , , , , , , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Programming, Windows Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- BeautifulPeople.com Leak Exposes 1.1M Extremely Private Records
- Apple Will Not Patch Windows QuickTime Vulnerabilities
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 234,372 views
- AJAX: Is your application secure enough? - 120,032 views
- eEye Launches 0-Day Exploit Tracker - 85,488 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Recent in Site News:
- A Look Back At 2015 – Tools & News Highlights
- A Look Back At 2014 – Tools & News Highlights
- Yes – We Now Have A Facebook Page – So Please Like It!

Related Posts:

Most Read in Site News:
- Welcome to Darknet – The REBIRTH - 36,571 views
- Get the ball rollin’ - 18,992 views
- Slashdot Effect vs Digg Effect Traffic Report - 12,251 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Car Immobilisers Using Weak Encryption Schemes

Don't let your data go over to the Dark Side!


Another case of a certain industry lagging behind, I mean come-on – who seriously still using proprietary cryptography algorithms in 2010? Especially only 40 or 48-bit protocols, with the processing power available on hand now and new techniques like GPU based cracking – that just doesn’t cut it.

The latest discovery of such implementations was in the immobiliser technology used by car companies to secure their expensive vehicles. A researcher Karsten Nohl has exposed these weaknesses at the recent Embedded Security in Cars conference in Germany.

Weak cryptography means that car engine immobiliser technology has become easy for crooks to circumvent.

Nothing weaker than 128-bit AES is considered sufficient protection for e-commerce transactions, but car manufacturers are still using proprietary 40-bit and 48-bit encryptions protocols that are vulnerable to brute force attacks. Worse still, one unnamed manufacturer used the Vehicle Identification Number (VIN) as the “secret” key for the immobiliser.

The weakness of the technology was exposed in security research by ethical hacker Karsten Nohl of Security Research Labs, who links the weakness of the technology with a growth in car thefts in Germany last year, following years in decline.

Nohl outlined preliminary findings from his research at the recent Embedded Security in Cars conference, in Bremen, Germany. His research covers the communications between card immobilisers and engine electronic systems in dozens of cars. For example, Nohl was able to crack the Hitag 2 car immobiliser algorithm used by Dutch firm NXP Semiconductors in around six hours.

And using the VIN number as the secret key? Well, that’s not very secret is it? It’s akin to using the MAC address of a computer as the SSH secret key, no one in their right mind would do that. I guess that’s what happens when you leave the engineers to implement cryptography schemes without having anyone around handy with the cluestick.

I’d imagine some of these systems are protecting extremely expensive cars, so some basic equipment, some strong crypto knowledge and 6 hours and you can land yourself a $100,000 car. Not bad for a days work.


The research builds on work by other computer scientists and encryption experts dating back at least five years. In 2005 Ari Juels of RSA Labs and researchers at Johns Hopkins University in Baltimore, Maryland, circumvented the encryption system used by Texas Instruments.

Manufacturers of car immobiliser technology have defended the robustness of their technologies.

“To our knowledge the direct causal link between the failure to adopt AES systems and the rise in car theft cannot be drawn,” Thomas Rudolph of NXP told New Scientist.

Texas Instruments claimed its proprietary cryptographic systems might be stronger than AES. Nonetheless both firms are in the process of phasing out their home-cooked crypto tech in favour of industry standard encryption systems based on 128-bit AES.

And what it is with TI claiming their system MIGHT be stronger than AES? When did ‘might‘ ever give anyone confidence? In all honesty, there is no reason at all for using proprietary algorithms or implementations. Those out in public like AES have been tried, tested and approved by the greatest crypto minds in the World, I don’t care how smart you think your employees are – but trust me they aren’t as smart as the people scrutinising AES.

I hope to see all companies using weak proprietary protocols in any industry phase them out and switch to tried and tested industry algorithms.

Source: The Register


Posted in: Cryptography, Exploits/Vulnerabilities, Hardware Hacking

Tags: , , , , , , , , , , ,

Posted in: Cryptography, Exploits/Vulnerabilities, Hardware Hacking | Add a Comment
Recent in Cryptography:
- DROWN Attack on TLS – Everything You Need To Know
- Dell Backdoor Root Cert – What You Need To Know
- ISIS Running 24-Hour Terrorist Crypto Help-desk

Related Posts:

Most Read in Cryptography:
- The World’s Fastest MD5 Cracker – BarsWF - 47,656 views
- Hackers Crack London Tube Oyster Card - 44,702 views
- WPA2 Vulnerability Discovered – “Hole 196” – A Flaw In GTK (Group Temporal Key) - 32,924 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


WackoPicko – Vulnerable Website For Learning & Security Tool Evaluation

Cybertroopers storming your ship?


There are various vulnerable web applications out there to hone your skills or test the latest web vulnerability scanner you downloaded, one such package would be Damn Vulnerable Web App – Learn & Practise Web Hacking.

There are others such as:

Another I learned of recently is WackoPicko, it’s basically a website that contains known vulnerabilities and was first used for the paper Why Johnny Can’t Pentest: An Analysis of Black-box Web Vulnerability Scanners [PDF].

To Install From Source

Download the source package as below, then import the WackoPicko database into MySQL using a command like the following:

This will create the MySQL user WackoPicko with the password webvuln!@# as well as create the WackoPicko table. The final step is to enable read/write access to the upload directory of WackoPicko for the webserver user. An easy way to do this is:


Known Issues

  • The search bar doesn’t appear in Internet Explorer.
  • There are some onions hanging around (particularly in the upload folder) but I kept them there to preserve parity with the version used during the tests.
  • WackoPicko was developed with the assumption that is was running as the root application as the URL and won’t work running as a directory.

You can download WackoPicko here:

Source: WackoPicko.zip
Pre-Built Image: WackoPicko.iso

Or read more here.


Posted in: Exploits/Vulnerabilities, Programming, Web Hacking

Tags: , , , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Programming, Web Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- BeautifulPeople.com Leak Exposes 1.1M Extremely Private Records
- Apple Will Not Patch Windows QuickTime Vulnerabilities
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 234,372 views
- AJAX: Is your application secure enough? - 120,032 views
- eEye Launches 0-Day Exploit Tracker - 85,488 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Gawker CTO Outlines Security Improvements Post Breach

Don't let your data go over to the Dark Side!


An e-mail from the Gawker CTO (Tom Plunkett) has been posted online and it outlines the security improvements that Gawker are planning to implement after the recent massive breach of user passwords from their database.

As we mentioned recently, the U.S. Federal Bureau of Investigation is looking into the Gawker breach, which just goes to show how serious this case is.

The improvements are pretty standard security practice, but it just shows in these days of rapid development and the focus being on features rather than security – bad things can happen.

Gawker Media’s CTO has outlined a series of security changes designed to shore up the company’s IT operations following an attack last week that compromised up to 1.4 million accounts.

The company was unprepared to respond to an attack in which user data and passwords were posted to peer-to-peer file-sharing networks, wrote Tom Plunkett in an e-mail memo to Gawker staff on Friday. The e-mail was reposted on Jim Romenesko’s blog on the Poynter journalism site. A group called Gnosis claimed responsibility for the hack, which exploited a flaw in the source code of Gawker’s Web servers.

“Our development efforts have been focused on new product while committing relatively little time to reviewing past work,” Plunkett wrote. “This is often a fatal mistake in software development and was central to this vulnerability.”

As a result, Gawker has done a security audit of the sites affected, which include Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin and Fleshbot.

Gawker is now mandating the use of SSL (Secure Sockets Layer) encryption for employees with company accounts using Google Apps. Also, if those employees have access to sensitive legal, financial or account data, two-factor authentication must be used, Plunkett wrote.

Most of the things would have been picked up if they had ever done any kind of internal ISMS audit (based perhaps on something like ISO27001) – which bans all chat applications except for Skype as that encrypts the chats.

Using things like SSL are pretty obvious and should be forced on all login pages on all web applications – with FireSheep bring that issues to the forefront recently.

I’d say the most sensible move would be considering moving away from the local database model and using something like OAuth – that would make sense.


Gawker also will not allow employees to discuss sensitive information on chat applications, including AOL’s Instant Messenger and Campfire.

For users of its websites, Plunkett wrote that Gawker wants to move away from storing information such as e-mail and passwords and use systems such as OAuth.

OAuth is an authentication protocol that allows people to use the same login information for multiple services and share data through an API (application programming interfaces). OAuth provides a token that grants access to different applications, which do not see users’ original login credentials. It is being used now by Google, Twitter and Facebook, among other services.

Gawker will also allow people to create a “disposable” account with its sites in order to leave comments. Gawker will not store e-mail addresses or passwords for those accounts. The accounts can be used as long as the person remembers a key code, Plunkett wrote.

Since the breach, Gawker has been in the process of notifying those who are affected and reminding them to change their passwords, especially if they used the same password for other Web services. Twitter saw a raft of spam soon after the Gawker breach, which illustrated that some people used the same password on both services.

It’s good to see Gawker taking some pro-active measures rather than the normal arrogance we are used to. I think the disposable token based account is a good idea too as often I want to leave a comment on some site or another but the sign-up process, e-mail validation and so on puts me off.

I hope Gawker has gotten around to notifying everyone who had an account that was compromised as sadly many people use the same password and username/e-mail combo for all their online site accounts.

Source: Network World


Posted in: Countermeasures, General News

Tags: , , , , , , , , , ,

Posted in: Countermeasures, General News | Add a Comment
Recent in Countermeasures:
- Google Rapid Response (GRR ) – Remote Live Forensics For Incident Response
- PEiD – Detect PE Packers, Cryptors & Compilers
- NAXSI – Open-Source WAF For Nginx

Related Posts:

Most Read in Countermeasures:
- AJAX: Is your application secure enough? - 120,032 views
- Password Hasher Firefox Extension - 117,720 views
- NDR or Backscatter Spam – How Non Delivery Reports Become a Nuisance - 57,707 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Honggfuzz – Simple Command Line Software Fuzzing Tool

Don't let your data go over to the Dark Side!


Honggfuzz is a general-purpose fuzzing tool. Given a starting corpus of test files, Hongfuzz supplies and modifies input to a test program and utilize the ptrace() API/POSIX signal interface to detect and log crashes.

Basically it’s a simple, easy to use via command-line interface, providing nice analysis of software crashes in a simple form of file names.

It has been used to find a few (possibly exploitable) bugs in some major software packages including freetype2, librsvg and libtiff.

Features

  • Easy setup: No complicated configuration files or setup necessary — Hongfuzz can be run directly from the command line.
  • Fast: Multiple Hongfuzz instances can be run simultaneously for more efficient fuzzing.
  • Powerful analysis capabilities: Hongfuzz will use the most powerful process state analysis (e.g. ptrace) interface under a given OS.

You can download Honggfuzz here:

honggfuzz-0.1.tgz

Or read more here.


Posted in: Exploits/Vulnerabilities, Programming

Tags: , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Programming | Add a Comment
Recent in Exploits/Vulnerabilities:
- BeautifulPeople.com Leak Exposes 1.1M Extremely Private Records
- Apple Will Not Patch Windows QuickTime Vulnerabilities
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 234,372 views
- AJAX: Is your application secure enough? - 120,032 views
- eEye Launches 0-Day Exploit Tracker - 85,488 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


FBI Investigating Gawker Media User Database Password Ownage

Don't let your data go over to the Dark Side!


After the non-stop action with WikiLeaks last week, the big news this week is the hack carried out on Gawker Media which exposed their users e-mail addresses and passwords. More than 200,000 password hashes (very lightly encrypted with DES) and e-mail combos can be downloaded on-line as a torrent file.

Now this has had some epic fall-out as we all know many people use the same passwords for all their online services, so a whole bunch of Twitter accounts were owned and used for spamming Acai berries – causing Twitter to block/delete these accounts and reset a whole lot of passwords.

Now if you search through the files, there are a whole lot of major corporate domains inside – including some government organizations. This is the fact that is obviously worrying to the FBI and is leading them to carry out an investigation.

The FBI confirmed to PC World that it is investigating the recent intrusion by a group of hackers into Gawker Media’s servers last weekend. The hack exposed more than 200,000 reader e-mail addresses and passwords, and the data is now circulating online as a peer-to-peer torrent file. An FBI representative declined to comment further about the ongoing investigation; however, Gawker Media founder and CEO Nick Denton was scheduled to meet with federal authorities on Monday, according to The New York Post .

On Sunday, an online hacker collective calling itself Gnosis broke into the servers of Gawker Media, which owns a variety of popular online blogs including Deadspin, Fleshbot, Gawker, Gizmodo, Jezebel, io9, Jalopnik, Kotaku and Lifehacker. The hackers obtained the e-mail addresses and passwords for the company’s employees, and the source code for Gawker Media’s content management system. Gnosis hackers also obtained the login credentials for readers who were registered to leave comments on Gawker Media websites.

Gawker Media said most user login information was encrypted, but Gnosis managed to crack the credentials for more than 200,000 accounts. The exposed login information is now part of a data dump contained in a torrent file available on peer-to-peer file sharing networks.

It’s a pretty serious breach as Gawker is one of the major on-line media owners and their network reach is wide. 200,000 accounts with exposed passwords is not a small number and do remember just because people aren’t tech savvy (use weak passwords) it doesn’t mean they don’t hold some high position in some huge MNC.

There’s a big debate going on at Hacker News too about the ethics of e-mailing all the users in the file to notify them their passwords may have been breached. Apparently some people are already doing it, and other are writing scripts to extract the e-mail addresses and notify everyone to ensure no-one gets left behind.


It’s not entirely clear what inspired the attack against Gawker, but a person claiming to represent Gnosis recently told the blog Mediaite that the hacker group broke into the company’s servers because of Gawker’s “outright arrogance.” Previously, it was suggested the Gawker hack was related to the company’s ongoing feud with members of 4chan, an online message board. The Gnosis representative said there was no connection between the hacker group and 4chan.

Despite the potentially criminal acts perpetrated by Gnosis hackers, more high-minded hackers (among software engineers the term hacker refers to someone who is a programming expert) were coming to the defense of Gawker Media users. Readers of Y Combinator’s Hacker News — a news aggregator and discussion thread for technology start-up entrepreneurs and software engineers — banded together to create an automated e-mail program to alert the 200,000 people whose e-mails and passwords were exposed by Gnosis.

You can find a CSV of the file online here where you can check if your details are inside – gawker.csv

There is also another service which will help you hash your username/email and search through the hashes – http://gawkercheck.com/

Source: Network World


Posted in: Exploits/Vulnerabilities, Legal Issues, Privacy, Web Hacking

Tags: , , , , , , , , , , ,

Posted in: Exploits/Vulnerabilities, Legal Issues, Privacy, Web Hacking | Add a Comment
Recent in Exploits/Vulnerabilities:
- BeautifulPeople.com Leak Exposes 1.1M Extremely Private Records
- Apple Will Not Patch Windows QuickTime Vulnerabilities
- BADLOCK – Are ‘Branded’ Exploits Going Too Far?

Related Posts:

Most Read in Exploits/Vulnerabilities:
- Learn to use Metasploit – Tutorials, Docs & Videos - 234,372 views
- AJAX: Is your application secure enough? - 120,032 views
- eEye Launches 0-Day Exploit Tracker - 85,488 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


SQLInject-Finder – Intelligent SQL Injection Detection Script

Cybertroopers storming your ship?


SQLInject-Finder is a simple python script that parses through a pcap and looks at the GET and POST request data for suspicious and possible SQL injects. Rules to check for SQL injection can be easily added. Output can be printed neatly on the command line or in tab delimited format.

The output includes:

  • The suspicious IP address
  • The attacked webpage
  • The parameter and value used
  • The frame number of the packet within the pcap (can be used to find exactly where the packet is in Wireshark)
  • The reason why the request was flagged

Requirements

This script was tested using Python 2.6.5. Other versions are not guaranteed to work.

This script depends on the dpkt libraries.

You can download SQLInject-Finder here:

sqlinject-finder.py

Or read more here.


Posted in: Database Hacking, Hacking Tools, Web Hacking

Tags: , , , , , , , , , ,

Posted in: Database Hacking, Hacking Tools, Web Hacking | Add a Comment
Recent in Database Hacking:
- Onapsis Bizploit v1.50 – SAP Penetration Testing Framework
- OAT – Oracle Auditing Tools For Database Security
- ODAT (Oracle Database Attacking Tool) – Test Oracle Database Security

Related Posts:

Most Read in Database Hacking:
- Pangolin – Automatic SQL Injection Tool - 76,185 views
- bsqlbf 1.1 – Blind SQL Injection Tool - 54,344 views
- SQLBrute – SQL Injection Brute Force Tool - 40,741 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


WikiLeaks Attacks Cause Rival DDoS Retaliation

Don't let your data go over to the Dark Side!


The biggest news by far for the past week or so has been the attacks on WikiLeaks infrastructure after posting tens of thousands of classified cables online in a categorized form.

Just a few days ago their DNS provider (EveryDNS) pulled the plug – apparently due to pressure from the US government, and also because of the ongoing DDoS attacks against WikiLeaks which also effected them.

The latest development is that ‘Anonymous’ has joined the WikiLeaks side of the argument and start attacking those it sees as detrimental to WikiLeaks.

An anonymous, loosely affiliated group that has been responsible for a series of recent Distributed Denial of Service (DDOS) attacks against entertainment industry Web sites over copyright issues, has started attacking organizations viewed as being hostile to WikiLeaks, says a PandaLabs researcher.

The group, dubbed Anonymous, launched a DDOS attack on Monday that knocked Swiss payment transaction firm PostFinance’s Web site offline. The attack was in apparent retaliation for the firm’s freezing of an account set up by WikiLeaks founder Julian Assanage, PandaLabs threat researcher Sean-Paul Correll said.

The bank’s main Web site was unavailable for several hours but appeared to have been restored by late Monday afternoon. The attack on PostFinance was preceded by one against PayPal’s blog site over the weekend, Correll said. That attack was apparently prompted by PayPal’s decision to cut off money services to WikiLeaks last week.

The PayPal attack began at 4.00 a.m PST on Saturday and resulted in the blog being unavailable for a total of more than 8 hours, Correll said. Meanwhile, anonops.net, a site used by Anonymous to announce their attack plans, came under a massive DDOS attack earlier on Monday, apparently by those opposed to WikiLeaks. In an ironic twist, users attempting to reach the site were being redirected to PostFinance’s Website late Monday evening.

The first target I became aware of was PayPal, due to the fact they froze the WikiLeaks account and ceased processing donations for them. More info on that here:

PayPal Announces It Will No Longer Handle Wikileaks Donations

It seems there are other targets on the list such as the payment processor PostFinance who froze an account set up for Julian Assange the WikiLeaks founder.


A lengthy statement posted on the anonymous group’s Web site listed several organizations that the group claimed had stifled WikiLeaks’ effort to release the documents. “We will find and will attack those who stand against Wikileaks and we will support WikiLeaks in everything they need,” the statement said.

The group said it will offer WikiLeaks an additional site for mirroring the leaked documents. It will also create ‘counter-propaganda’ and organize DDoS attacks on “various targets related to censorship” the group claimed.

Anonymous’ campaign over copyright enforcement issues, Operation:Payback, has resulted in several DDOS attacks being launched against and knocking off sites belonging to the Recording Industry Association of America, the Motion Picture Association of America and others.

In the statement announcing support for Assange, the organizers of Anonymous declared that “Operation:Payback has come out in support of WikiLeaks and has declared war on the entities involved in censoring there information.”

The online tussle between those opposed to WikiLeaks’ campaign and those supporting it highlights how the Internet is increasingly becoming the battleground for all sorts of causes, Correll said.

“People are starting to figure out they can use technology to fight back,” he said. “They have realized they don’t have to just stand in a picket line. This has been going on for a few years, but its getting more organized.”

WikiLeaks has been having a bad time recently, as just before they lost their DNS service – they got kicked off from the Amazon platform.

All in all it seems freedom of speech really isn’t free. If you want to read more about this, there are a LOT of articles – so knock yourselves out.

Source: Network World


Posted in: General News

Tags: , , , , , , , , , , , , , , ,

Posted in: General News | Add a Comment
Recent in General News:
- Teen Accused Of Hacking School To Change Grades
- Google’s Chrome Apps – Are They Worth The Risk?
- Twitter Breach Leaks 250,000 User E-mails & Passwords

Related Posts:

Most Read in General News:
- Hacking Still Can’t Outdo Stupidity for Data Leaks - 125,378 views
- eEye Launches 0-Day Exploit Tracker - 85,488 views
- Seattle Computer Security Expert Turns Tables On The Police - 43,726 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95


Recent in Hacking Tools:
- SubBrute – Subdomain Brute-forcing Tool
- The Backdoor Factory (BDF) – Patch Binaries With Shellcode
- Gdog – Python Windows Backdoor With Gmail Command & Control

Related Posts:

Most Read in Hacking Tools:
- Top 15 Security/Hacking Tools & Utilities - 1,973,719 views
- Brutus Password Cracker – Download brutus-aet2.zip AET2 - 1,402,512 views
- wwwhack 1.9 – Download wwwhack19.zip Web Hacking Tool - 676,208 views

Malwarebytes Anti-Exploit Premium | 1 Year 1 PC for $24.95