Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

28 October 2006 | 17,544 views

BobCat SQL Injection Tool based on Data Thief

Cyber Raptors Hunting Your Data?

BobCat is a tool to aid a security consultant in taking full advantage of SQL injection vulnerabilities. It is based on a tool named “Data Thief” that was published as PoC by appsecinc. BobCat can list the linked severs, database schema, and allow the retrieval of data from any table that the current application user has access to.

The methods that BobCat incorprates are based on those discussed in the following papers:

advanced sql injection
more advanced sql injection
advanced sql injection
manipulating sql server usig sql injection

I suggest if you are interested in SQL injection at all, you read all of the above papers.

BobCat Requirements

  1. Windows OS (Tested on XP SP2)
  2. Access to MS SQL server/MSDE2000 (Tested on MSDE2000)
  3. .Net Framework 2.0

Read more about BobCat here:

Northern Monkee – BobCat

Download BobCat here:

BobCat Alpha 0.3

Some tools to use with BobCat can be found here:

BobCat Tools

Advertisements



27 October 2006 | 5,176 views

Security Companies Fight Against Microsoft Security Center

No surprise really? Microsoft and they monopoly strategies, anti-competitive behaviour, nothing new really is it?

Microsoft and its security rivals are feuding over a key piece of Windows Vista real estate.

The fight is over the display of technology that helps Vista owners manage the security tools on their PC. Symantec, McAfee, Check Point Software Technologies and other companies want Microsoft to change Vista so their products can easily replace the operating system’s built-in Windows Security Center on the desktop. But Microsoft is resisting the call.

Microsoft was locking down the kernel too, how are other security companies supposed to survive?!

“By imposing the Windows Security Center on all Windows users, Microsoft is defining a template through which everybody looks at security,” Bruce McCorkendale, a chief engineer at Symantec, said in an interview. “How do we trust that Microsoft knows what all the important things about security are to warn users about?”

Windows Security Center, introduced with Windows XP Service Pack 2, pops up on desktops to alert PC owners if their firewall, virus protection and other security tools need attention. The version in the Vista update, set for broad release in January, will add new categories and management tools.

Microsoft better be careful unless they want another antitrust case to brew…I’ve heard they will open up the Vista Kernel to certain companies though, will report more on that later.

Source: News.com


26 October 2006 | 18,303 views

ARPWatch-NG ARP Flooding/Spoofing Protection/Detection

If you are paranoid about people ARP spoofing or flooding on your network you can use ARPWatch-NG, ARPWatch-NG is a continue of the popular original ARPWatch from ftp://ftp.ee.lbl.gov/.

ARPWatch monitors MAC adresses on your network and writes them into a file, last know timestamp and change notification is included.

It can be used it to monitor for unknown (and as such, likely to be intruder’s) mac adresses or somebody messing around with your ARP/DNS tables.

There have been quite a few fixes lately, so it’s recommended of course to get the latest version!

arpwatch NG 1.5:

try to report error on startup better _ arp.dat _ ethercodes.dat [FIXED]

arpwatch NG 1.4:

try to report _all anomalities via the report function _not syslog [FIXED]

mode 2 _ make action list parseable [FIXED]

further static’fy local functions in arpwatch.c [FIXED]

ethercodes updated from nmap-4.11 and removed old ones [UPDATED]

arpwatch NG 1.2:

on make install also install man-pages [FIXED]

ethercodes updated from nmap-4.00 [UPDATED]

You can download the latest version of ARPWatch here.


25 October 2006 | 12,863 views

Tracking Users Via the Browser Cache

An interesting new twist on things, rather than using cookies to store information you can use perpetually cached files.

So clearing your cache and cookies isn’t enough, could be a privacy issue you say, indeed it could..

Clearing cookies may not be enough as you may think. Your browser’s cache is a valuable store of information. A JavaScript .js file resource which is generated dynamically when requested can have embedded a unique tracking ID and can live permanently in your browser’s cache when sent with the right HTTP cache-control headers. This JavaScript file can then be called by pages. The script is never re-requested, and hence keeps the unique ID, and it can call resources on the server-side to track you. They just need to associate this unique ID once with your account (when you login first time after the ID was created), and they can set cookies back again later and track you anyway. The result is that you can be tracked uniquely even past the point where you clear your cookies (i.e., as if you never cleared your cookies to generate fresh ones).

You can view a live demo here.

This is a demonstration of how a person’s web-browser can be tagged and tracked using a unique identifier which lives in the web browser’s cache for a very long time (using HTTP cache control headers and browsers’ use of conditional GET requests). This serves the same purpose as using a cookie to track people. However popular web browsers lack finer cache disposal controls (compared to cookie disposal), and this is something which needs to be looked into. No private information is collected in this example. It has been tested on Firefox, IE6, Konqueror and Epiphany. I don’t know about the IE7 versions or Safari.

Source: Mukund


24 October 2006 | 8,934 views

LAPSE Sourcecode Analysis for JAVA J2EE Web Applications

LAPSE stands for a Lightweight Analysis for Program Security in Eclipse. LAPSE is designed to help with the task of auditing Java J2EE applications for common types of security vulnerabilities found in Web applications. LAPSE was developed by Benjamin Livshits as part of the Griffin Software Security Project.

LAPSE targets the following Web application vulnerabilities:

  • Parameter manipulation
  • SQL injections
  • Header manipulation
  • Cross-site scripting
  • Cookie poisoning
  • HTTP splitting
  • Command-line parameters
  • Path traversal

What should you do to avoid these vulnerabilities in your code? How do we protect Web applications from exploits? The proper way to deal with these types of attacks is by sanitizing the tainted input. Please refer to the OWASP guide to find out more about Web application security.

If you are interested in auditing a Java Web application, LAPSE helps you in the following ways:

  • Identify taint sources
  • Identify taint sinks
  • Find paths between sources and sinks

LAPSE is inspired by existing lightweight security auditing tools such as RATS, pscan, and FlawFinder. Unlike those tools, however, LAPSE addresses vulnerabilities in Web applications. LAPSE is not intended as a comprehensive solution for Web application security, but rather as an aid in the code review process. Those looking for more comprehensive tools are encouraged to look at some of the tools produced by Fortify or Secure Software.

Read more about LAPSE HERE.

You can download LAPSE here:

LAPSE: Web Application Security Scanner for Java


23 October 2006 | 10,685 views

The Top 5 Causes of Data Loss

An interesting enough article, but if you work in infosec you could probably guess the topics anyway.

In a key step to help businesses better understand and protect themselves against the risks of fraud, Visa USA and the U.S. Chamber of Commerce announced the five leading causes of data breaches and offered immediate, specific prevention strategies for each.

“The single, most effective weapon in the battle against today’s data theft is education,” said Sean Heather, executive director, U.S. Chamber of Commerce.

  1. Storage of Magnetic Stripe Data – The most common cause of data breaches occurs when a merchant or service provider stores sensitive information encoded on the card’s magnetic stripe in violation of the PCI Data Security Standard. This can occur because a number of point-of-sale systems improperly store this data, and the merchant may not be aware of it.
  2. Missing or Outdated Security Patches – In this scenario, hackers are able penetrate a merchant or service provider’s systems because they have not installed up-to-date security patches, leaving their systems vulnerable to intrusion.
  3. Use of Vendor Supplied Default Settings and Passwords – In many cases, merchants receive POS hardware or software from outside vendors who install them using default settings and passwords that are often widely known to hackers and easy to guess.
  4. SQL Injection – Criminals use this technique to exploit Web-based applications for coding vulnerabilities and to attack a merchant’s Internet applications (e.g. shopping carts).
  5. Unnecessary and Vulnerable Services on Servers – Servers are often shipped by vendors with unnecessary services and applications that are enabled, although the user may not be aware of it. Because the services may not be required, security patches and upgrades may be ignored and the merchant system exposed to attack.

Did you get them right?

Source: Aviransplace


22 October 2006 | 22,846 views

Odysseus Proxy for MITM Attacks Testing Security of Web Applications.

Odysseus is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. Odysseus will intercept an HTTP session’s data in either direction and give the user the ability to alter the data before transmission.

Odysseus Proxy

For example, during a normal HTTP SSL connection a typical proxy will relay the session between the server and the client and allow the two end nodes to negotiate SSL. In contrast, when in intercept mode, Odysseus will pretend to be the server and negotiate two SSL sessions, one with the client browser and another with the web server.

As data is transmitted between the two nodes, Odysseus decrypts the data and gives the user the ability to alter and/or log the data in clear text before transmission.

Features

  • Multi-threaded native Win32 executable – The use of native Window code, combined with extensive multi-threading, means that Odysseus is fast. Speed was a primary development objective.
  • No external dependencies – Everything needed to intercept web requests (apart from a browser configured to use Odysseus as a proxy :) is included in the distribution archive. No additional downloads or installations are required.
  • Flexible & configurable – A wealth of configuration options means Odysseus should be flexible enough to meet the needs of nearly any web based application assessment.
  • Low desktop profile – Odysseus doesn’t clutter your desktop with redundant windows. A simple System Tray icon is all that is needed to access it’s many features. The various components of Odysseus appear and disappear as configured, or instructed, by the user.

Odysseus Proxy

You can download Odysseus here.

Change log is here and FAQ here.


20 October 2006 | 6,549 views

A Politically Tight Situation? Blame a HACKER!

It has happened quite a few times lately, politically tight situations, mistakes, data or information leaks and whoops damn…er…let’s blame it on hackers!

Case 1:

California Highway Patrol officials have opened a criminal investigation into “multiple” breaches and illegal downloads by outside hackers into the computers of Gov. Arnold Schwarzenegger’s office, after an embarrassing private taped conversation was leaked last week to the Los Angeles Times, administration officials told The Chronicle.

“There is an investigation conducted by the California Highway Patrol on how the tape obtained by the L.A. Times was acquired,” said a senior official who spoke on condition of anonymity. “This is a criminal matter that has been turned over to the CHP.”

Source: SFGate

Case 2:

The man responsible for Joe Lieberman’s campaign Web site said Tuesday that Joe2006.com was overwhelmed by traffic generated by hackers early Tuesday morning, forcing him to take the site off-line.

Tuesday’s attack was the third in the past month, said Dan Geary, who runs Lieberman’s site. But the earlier two attacks involved defacements & the hacker altered content on Lieberman’s home page. This time, attackers toppled the Lieberman site with requests, probably by directing an army of hacked computers at the site.

Source: MSN

So who do we believe?!


18 October 2006 | 29,896 views

Mozilla Hires Ex-Microsoft Security Strategist Window Snyder

Looks like Mozilla is toughening it’s stance on security, people have been putting it down lately, especially those from the Microsoft camp as there have been a few flaws.

But well, it’s still not part of the operating system, the flaws are generally fixed within a couple of days and the patching system is simple and bandwidth friendly since version 1.5.0.1.

I generally find it more effecient, better designed, more secure and less proprietary :P than Internet Exploder.

Anyway back on topic..

Former Microsoft security strategist Window Snyder is joining Mozilla to lead the company’s effort to protect its range of desktop applications from malicious hacker attacks.

Snyder, who was responsible for security sign-off for Microsoft’s Windows XP Service Pack 2 and Windows Server 2003, will spearhead Mozilla’s security strategy, eWEEK has learned.

The hiring of Snyder is a coup for Mozilla Corp., the for-profit subsidiary of the Mozilla Foundation, based in Mountain View, Calif.

The group has seen its flagship Firefox Web browser chip away at the market dominance of Microsoft’s Internet Explorer, largely because of high-profile security flaws in and attacks on IE, and the addition of Snyder is sure to help beef up Mozilla’s security process and improve its communications with bug finders.

Sounds like a very good idea to me, with a proper security stance and process in place Firefox will become a market dominating product, it’s already fantastic, now it’s getting more money and skills injected, it’s evolving faster and smoother than ever.

Snyder most recently served as principal and founder of Matasano Security, a New York-based startup that was one of several external penetration testers hired by Microsoft to conduct simulated hacking attacks on Windows Vista.

She is also credited with seeding the idea for Microsoft’s internal “Blue Hat” security briefings, in which the crème de la crème of the hacking community is invited to the company’s Redmond, Wash., headquarters to discuss security with employees.

Snyder, a regular at security conferences, helped to soothe Microsoft’s contentious relationship with security consultants, and played a part in the improvement of the software maker’s strategy for reaching out to security vendors and researchers.

She was HITB conference this year I think if anyone was there, she’s quite cute too :P

Source: eWeek


16 October 2006 | 217,614 views

Download pwdump 1.4.2 and fgdump 1.3.4 – Windows Password Dumping

New versions of the ultracool tools pwdump (1.4.2) and fgdump (1.3.4) have been released.

Both versions provide some feature upgrades as well as bug fixes. Folks with really old versions of either program should definitely look at upgrading, since there are numerous performance improvements and full multithreading capabilities in both packages.

If you don’t know..what are pwdump6 and fgdump?

pwdump6 is a password hash dumper for Windows 2000 and later systems. It is capable of dumping LanMan and NTLM hashes as well as password hash histories. It is based on pwdump3e, and should be stable on XP SP2 and 2K3. If you have had LSASS crash on you using older tools, this should fix that.

fgdump is a more powerful version of pwdump6. pwdump tends to hang and such when antivirus is present, so fgdump takes care of that by shutting down and later restarting a number of AV programs. It also can dump cached credentials and protected storage items, and can be run in a multithreaded fashion very easily. I strongly recommend using fgdump over pwdump6, especially given that fgdump uses pwdump6 under the hood! You’ll get everything pwdump6 gives you and a lot more.

Darknet definately DOES recommend fgdump, super cool update of the old favourite pwdump.

fgdump was born out of frustration with current antivirus (AV) vendors who only partially handled execution of programs like pwdump. Certain vendors’ solutions would sometimes allow pwdump to run, sometimes not, and sometimes lock up the box. As such, we as security engineers had to remember to shut off antivirus before running pwdump and similar utilities like cachedump. Needless to say, we’re forgetful sometimes…

So fgdump started as simply a wrapper around things we had to do to make pwdump work effectively. Later, cachedump was added to the mix, as were a couple other variations of AV. Over time it has grown, and continues to grow, to support our assessments and other projects. We are beginning to use it extensively within Windows domains for broad password auditing, and in conjunction with other tools (ownr and pwdumpToMatrix.pl) for discovering implied trust relationships.

fgdump is targetted at the security auditing community, and is designed to be used for good, not evil. :) Note that, in order to effectively use fgdump, you’re going to need high-power credentials (Administrator or Domain Administrator, in most cases), thus limiting its usefulness as a hacking tool. However, hopefully some of you other security folks will find this helpful.

Get pwdump here

Get fgdump here