The main design objectives that CAINE aims to guarantee are the following:

• an interoperable environment that supports the digital investigator during the four phases of the digital investigation
• a user friendly graphical interface
• a semi-automated compilation of the final report

New Features/Tools

• New NAUTILUS SCripts
• ataraw
• bloom
• fiwalk
• xnview
• NOMODESET in starting menu
• xmount
• sshfs
• Reporting by Caine Interface fixed
• xmount-gui
• nbtempo
• fileinfo
• TSK_Gui
• Raid utils e bridge utils
• SMBFS
• BBT.py
• Widows Side:
• Wintaylor updated & upgraded

“rbfstab” is a utility that is activated during boot or when a device is plugged. It writes read-only entries to /etc/fstab so devices are safely mounted for forensic imaging/examination. It is self installing with ‘rbfstab -i’ and can be disabled with ‘rbfstab -r’. It contains many improvements over past rebuildfstab incarnations. Rebuildfstab is a traditional means for read-only mounting in forensics-orient distributions.

“mounter” is a GUI mounting tool that sits in the system tray. Left clicking the system tray drive icon activates a window where the user can select devices to mount or un-mount. With rbfstab activated, all devices, except those with volume label “RBFSTAB”, are mounted read-only. Mounting of block devices in Nautilus (file browser) is not possible for a normal user with rbfstab activated making mounter a consistent interface for users.

You can download CAINE 2.5/Supernova here:

caine2.5.iso

Or read more here.

Vulnerability Exploited

NFS before version 4 is reliant upon host trust relationships for authentication. The NFS server trusts any client machines to authenticate users and assign the same user IDs (UIDS) that the shared filesystem uses. This works in NIS, NIS+, and LDAP domains, for instance, but only if you know the client machine is not compromised, or faking its identity. This is because the only authentication in the NFS protocol is the passing of the UID and GID (group ID). There are a few things that can be done to enhance the security of NFS, but many of them are incomplete solutions, and even with them implemented, it could still be possible to circumvent the security measures.

Features

• Use filehandles from packet captures instead of asking mountd.
• Hide from sysadmins by immediately “unmounting” while retaining access
• Specify port/protocol for NFS or Mountd if you don’t have access to the portmapper

You can download NfSpy here:

NfSpy.zip

Or read more here.

The last major release was BackTrack Final 4 Released – Linux Security Distribution – back in January 2010.

The BackTrack Dev team has worked furiously in the past months on BackTrack 5, code name “revolution” – they released it on May 10th. This new revision has been built from scratch, and boasts several major improvements over all our previous releases. It’s based on Ubuntu Lucid LTS – Kernel 2.6.38, patched with all relevant wireless injection patches. Fully open source and GPL compliant.

BackTrack 5 – Penetration Testing Distribution from Offensive Security on Vimeo.

The interesting part for me is that the new .ISO downloads offer multiple versions, including a choice between GNOME and KDE desktops and the images include ARM, 32-Bit and 64-Bit versions.

New in Version 5

• Based on Ubuntu 10.04 LTS;
• Linux kernel 2.6.38 (with wireless injection patches);
• KDE 4.6;
• GNOME 2.6;
• 32-bit and 64-bit support;
• Metasploit 3.7.0;
• Forensics mode (a forensically sound instance);
• Stealth mode (without generating network traffic);
• Initial ARM image of BackTrack (for Android-powered devices);
• All support for Backtrack 4 will end on May 10th, 2011 and BackTrack 4 will not be available for download from our official mirrors from that date onwards.

As for the ARM image, they have had some joy getting BackTrack running on a Motorola Xoom tablet – check it out here.

You can download BackTrack version 5 here:

http://www.backtrack-linux.org/downloads/

It seems like the time for Android is now, the news lately has been buzzing about the DroidDream malware that has been flooding the Android Market. Google pulled a number of malicious apps (rumoured to be more than 50) on March the 1st but kept hush – they later blogged about it on March 5th outlining some details about the malware and the vulnerability involved.

An Update on Android Market Security

Google has acknowledged that it removed “a number” of malicious malware applications from the Android Market on March 1, and it has now reached out over the airwaves to remove the apps from end users devices as well.

Last week, reports indicated that more than 50 Android apps had been loaded with info-pilfering software known as DroidDream. Google immediately responded by pulling the apps from the Market, but the company remained silent on the matter until tossing up a blog post on Saturday evening.

According to Google, the malware exploited known vulnerabilities that had been patched in Android versions 2.2.2 and higher. Google “believes” the attacker or attackers was only able to gather device-specific information, including unique used to identify mobile devices and the version of Android running on the device. But the company added that attackers could have accessed other data.

In addition to removing the apps from the Android Market, Google suspended the accounts of the developers involved and contacted law enforcement about the attack, and as it did on one previous occasion, the company used the “kill switch” that lets it remotely remove mobile apps that have already been installed by end users.

So Google does have a kill switch for software already installed on end user devices, some may complain – but honestly it’s only responsible to have such a thing (Apple has one for iOS of course).

And it’s all well and good saying it only effects phones with Android versions lower than 2.2.2…but sadly that is still the majority of phones. Only the phones directly pushed out by Google get the most recent version of Android, all the other (HTC, Samsung, Motorola etc.) models out there still have older (vulnerable) versions.

Google maintains a persistent connection to Android phones that let the company not only remotely remove applications from devices but remotely install them as well. The remote install tool is used when Android owners purchase apps via the new web incarnation of the Android Market. The Android Market Web Store lets you browse and purchase applications via a browser, as opposed to Android client loaded on handsets.

Apple maintains its own “kill switch” for the iPhone. In 2008, an iPhone hacker told the world that Apple had added an app kill switch to the iPhone, and Steve Jobs later confirmed its existence. “Hopefully, we never have to pull that lever,” Jobs said, “but we would be irresponsible not to have a lever like that to pull.”

On Saturday, Google also said that it is pushing a security update to all Android devices affected by the malware in question. If your device was affected, the company said, you will receive an email from android-market-support@google.com, and you’ll get a notification on your phone that a package called “Android Market Security Tool March 2011” has been installed. You may also receive a notification that the offending apps have been removed.

The company is taking additional measures to stop such attacks in the future, but it did not provide specifics. “We are adding a number of measures to help prevent additional malicious applications using similar exploits from being distributed through Android Market and are working with our partners to provide the fix for the underlying security issues,” the blog post read.

Google will also be pushing out a security update to all Andoird hansets that were affected, if you’re an Android user you’ll see package called “Android Market Security Tool March 2011″ installed which combats the malware.

Apparently it was quite easy to foil the malware if you were handy on the command line, all you needed to do was a create a file at /system/bin/profile/ using the terminal and the touch command then chmod 644 and you’re done.

Source: The Register

A neat piece of coding indeed, it targets vulnerabilities in all 3 operating systems – the sad thing? The malware itself is vulnerable to a basic directory traversal exploit, which means rival gangs can actually commandeer the infected targets.

They went to lengths to keep it secure and unseen (encrypted communications etc) – but didn’t program the malware itself securely…

From the department of cosmic justice comes this gem, spotted by researchers from Symantec: a trojan that targets Windows, Mac, and Linux computers contains gaping security vulnerabilities that allow rival criminal gangs to commandeer the infected machines.

Known as Trojan.Jnanabot, or alternately as OSX/Koobface.A or trojan.osx.boonana.a, the bot made waves in October when researchers discovered its Java-based makeup allowed it to attack Mac and Linux machines, not just Windows PCs as is the case with most malware. Once installed, the trojan components are stored in an invisible folder and use strong encryption to keep communications private.

The bot can force its host to take instructions through internet relay chat, perform DDoS attacks, and post fraudulent messages to the victim’s Facebook account, among other things.

Now, Symantec researchers have uncovered weaknesses in the bot’s peer-to-peer functionality that allow rival criminals to remotely steal or plant files on the victim’s hard drive. That means the unknown gang that took the trouble to spread the infection in the first place risks having their botnet stolen from under their noses.

“Even though it’s encrypted and even though it was written in Java to make it cross-platform, it was still vulnerable to basically a directory transversal exploit,” Dean Turner, director of Symantec’s Global Intelligence Network, told The Reg. “From a technical perspective, it goes to show that even if you have all those things where you’re building in a secure platform, if you’re not building application security into your malware, other bad guys will probably take advantage of it.”

It’s somewhat of an odd decision though, in terms of numbers obviously Windows machines far outnumber Linux and OSX desktop installations. On the web-server front perhaps Linux is a valuable target – but on consumer desktops? Is it really worth the effort for malware creators to make cross-platform trojans? Personally I don’t think it is, maybe it was just an experiment.

The number of Apple machines is certainly growing, the next big market we are going to see is tablets and smartphones I believe. I’d be on the lookout for more iOS and Android worms/trojans in coming months.

A self-replicating stealthy Android trojan with a previously unpatched zero-day remote root exploit could be devastating.

Jnanabot’s P2P feature is designed to make botnets harder to take down by providing multiple channels of communication. After sending an infected machine a single GET request, a website can discover all the information needed to upload any file to any location on the host’s file system. Attackers can then install a simple backdoor on a user’s machine by, for instance, writing a malicious program to a computer’s startup directory.

Attackers can use the same vulnerability to steal files on infected machines.

Turner said the number of Jnanabot infections so far is “measured in the thousands,” rather than the hundreds of thousands for some of the better-known trojans. Still, infection statistics gathered by Symantec in December are surprising. They show that about 16 per cent of infections hit Macs. They didn’t show any infections on Linux machines. Turner said that Jnanabot attacks on the open source platform weren’t able to survive a reboot.

The bot was discovered spreading over Facebook posts that planted the following message on infected users’ Facebook pages: “As you are on my friends list I thought I would let you know I have decided to end my life.” An included link leads recipients to a cross-platform JAR, or Java Archive file that can run on Windows, Mac, or Linux. Once the recipient is infected, his Facebook page carries the same dire warning.

It seems like the trojan theoretically can attack Linux, but so far hasn’t been seen in the wild and it can’t survive a reboot. Not that it really matters as from my experience most Linux users never reboot anyway except for kernel upgrades (which isn’t that often).

Perhaps it just doesn’t work that well on Linux, or Linux users don’t believe in installing JVM – it doesn’t usually come standard with OS installs as it’s considered non-free software.

The chosen vector for replication seems to be Facebook and a rather dramatic faux-suicide note – which sadly I think will be very effective.

Source: The Register

New in V2

This version has a bunch of new stuff all around. One major addition to the project is Forge. This tool facilitates a simple point-and-click installation for adding even more distributions to Katana Bootable. This new version also adds the Computer Aided Investigative Environment (CAINE) for a live forensics environment and Kon-Boot for bypassing password. Much effort was placed on the installation of additional applications to the Katana Tool Kit. These new applications include Metasploit, NMAP, Cain & Able, John the Ripper, Cygwin, and more.

Bootable

• BackTrack
• the Ultimate Boot CD
• CAINE
• Ultimate Boot CD for Windows
• Ophcrack Live
• Puppy Linux
• Trinity Rescue Kit
• Clonezilla
• Darik’s Boot and Nuke (DBAN)
• Kon-Boot

A full list of the tools available is here.

You can download Katana v2 here:

Torrent – katana-v2.0.torrent
Direct – katana-v2.0.rar

Or read more here.

WeakNet Linux is designed primarily for penetration testing, forensic analysis and other security tasks. WeakNet Linux IV was built from Ubuntu 9.10 which is a Debian based distro. All references to Ubuntu have been removed as the author completely re-compiled the kernel, removed all Ubuntu specific software which would cause the ISO to bloat, and used a non-Ubuntu-traditional Window Manager, with no DM. To start X11 (Fluxbox) simply type “startx” at the command line as root.

The tools selected are those that the developer feels are used most often in pen-tests. A sample of those included are:

• BRuWRT-FORSSE v2.0
• Easy-SSHd
• Web-Hacking-Portal v2.0
• Perlwd
• Netgh0st v3.0
• YouTube-Thief!
• Netgh0st v2.2
• DomainScan
• ADtrace
• Admin-Tool
• Tartarus v0.1

A full list of applications is here:

WeakNet Linux Applications List

You can also get the guide here:

Official WeakNet Linux WEAKERTHAN System Administration Guide [PDF]

Hardware Requirements

This distro boots to a command line by default, so they are quite minimal. For Fluxbox, the recommended specs are:

• 256 MiB of system memory (RAM)
• 2 GB of disk space
• Graphics card and monitor capable of 800×600 resolution

You can download Weaknet Linux here:

WEAKERTHAN4.1k.ISO

Or read more here.

Rest assured that more is in store for Meterpreter on other platforms. A new extension called Railgun is now integrated into Meterpreter courtesy of Patrick HVE, giving you scriptable access to Windows APIs and an unprecedented amount of control over post-exploitation.

For those of you wishing to contribute to the framework, a new file called HACKING has been introduced that lays out a few guidelines to make it easier.

This release contains 16 new exploits, 22 new auxiliary modules and 11 new Meterpreter scripts for your pwning enjoyment. The major changes in terms of numbers were:

• 567 exploits and 283 auxiliary modules (up from 551 and 261 in v3.4)
• Over 40 community reported bugs were fixed and numerous interfaces were improved

For more in-depth information about this release, see the 3.4.1 release notes here:

Metasploit 3.4.1 Release Notes

You can download Metasploit 3.4.1 here:

Windows – framework-3.4.1.exe
Linux (32-Bit) – framework-3.4.1-linux-i686.run

Or read more here.

Metasploit provides useful information and tools for penetration testers, security researchers, and IDS signature developers. This project was created to provide information on exploit techniques and to create a functional knowledgebase for exploit developers and security professionals. The tools and information on this site are provided for legal security research and testing purposes only.

Update Summary

• Metasploit now has 551 exploit modules and 261 auxiliary modules (from 445 and 216 respectively in v3.3)
• Metasploit is still about twice the size of the nearest Ruby application according to Ohloh.net (400K lines of Ruby)
• Over 100 tickets were closed since the last point release and over 200 since v3.3

After five months of development, version 3.4.0 of the Metasploit Framework has been released. Since the last major release (Metasploit 3.3) over 100 new exploits have been added and over 200 bugs have been fixed.

This release includes massive improvements to the Meterpreter payload; both in terms of stability and features, thanks in large part to Stephen Fewer of Harmony Security. The Meterpreter payload can now capture screenshots without migrating, including the ability to bypass Session 0 Isolation on newer Windows operating systems. This release now supports the ability to migrate back and forth between 32-bit and 64-bit processes on a compromised Windows 64-bit operating system. The Meterpreter protocol now supports inline compression using zlib, resulting in faster transfers of large data blocks. A new command, “getsystem”, uses several techniques to gain system access from a low-privileged or administrator-level session, including the exploitation of Tavis Ormandy’s KiTrap0D vulnerability. Brett Blackham contributed a patch to compress screenshots on the server side in JPG format, reducing the overhead of the screen capture command. The pivoting backend of Meterpreter now supports bi-directional UDP and TCP relays, a big upgrade from the outgoing-only TCP pivoting capabilities of version 3.3.3.

This is the first version of Metasploit to have strong support for bruteforcing network protocols and gaining access with cracked credentials. A new mixin has been created that standardizes the options available to each of the brute force modules. This release includes support for brute forcing accounts over SSH, Telnet, MySQL, Postgres, SMB, DB2, and more, thanks to Tod Bearsdley and contributions from Thomas Ring.

Metasploit now has support for generating malicious JSP and WAR files along with exploits for Tomcat and JBoss that use these to gain remote access to misconfigured installations. A new mixin was creating compiling and signing Java applets on fly, courtesy of Nathan Keltner. Thanks to some excellent work by bannedit and Joshua Drake, command injection of a cmd.exe shell on Windows can be staged into a full Meterpreter shell using the new “sessions -u” syntax.

Full Metasploit 3.4.0 Release Notes

You can download Metasploit 3.4.0 here:

Windows – framework-3.4.0.exe
Linux – framework-3.4.0-linux-i686.run

Or read more here.

Regardless if you’re making BackTrack your primary operating system, booting from a LiveDVD, or using your favorite thumbdrive, BackTrack has been customized down to every package, kernel configuration, script and patch solely for the purpose of the penetration tester.

BackTrack is intended for all audiences from the most savvy security professionals to early newcomers to the information security field. BackTrack promotes a quick and easy way to find and update the largest database of security tool collection to-date.

I’m sure many of you have been using the BackTrack 4 Pre Release which was pushed out in June last year, finally BackTrack Final 4 is available for download!

New in BackTrack Final 4

This release includes a new kernel, a larger and expanded toolset repository, custom tools that you can only find on BackTrack, and more importantly, fixes to most major bugs that were known of.

You can download BackTrack Final 4 here:

http://www.backtrack-linux.org/downloads/

Due to massive demand and lack of capacity I would suggest download the Torrent version.

Or read more here.