Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

16 June 2006 | 4,484 views

CLR and SQL Server 2005

Check Your Web Security with Acunetix

Microsoft has taken a bit of a leap with the integration of .net into SQL Server, and a lot of developers(Myself included) are worrying about what security implications this could have. DevX.com have taken an in-depth look into the guts of it, and spilled them onto a page for us all to look at.

CAS provides a code-based rather than user-based authorization scheme to prevent various kinds of luring and other code attacks. But how does that security scheme coexist with SQL Server 2005′s own, newly enhanced security features? By default your .NET code is reasonably secure, but it’s all too easy for the two security schemes to butt heads and cause you grief. In this article I’ll look briefly at the concept behind CAS and a few new security features in SQL Server 2005, then explore how to make the two systems work for you instead of against you as you take advantage of these advanced programming features in SQL Server.

They seem suitably impressed, but sensibly wary at the same time.

The good news is that Microsoft did a great job bringing together the security systems of SQL Server and the Common Language Runtime, with tools to control code. But there are some interesting features’ both to watch for and to take advantage of!



15 June 2006 | 20,467 views

SQL Power Injector v1.1 Released

SQL Power Injector is a graphical application created in .Net 1.1 that helps the penetrating tester to inject SQL commands on a web page.

For now it is SQL Server, Oracle and MySQL compliant, but it is possible to use it with any existing DBMS when using the inline injection (Normal Mode).

Moreover this application will get all the parameters you need to test the SQL injection, either by GET or POST method, avoiding thus the need to use several applications or a proxy to intercept the data.

Features

  • Supported on Windows, Unix and Linux operating systems
  • SQL Server, Oracle, MySQL and Sybase/Adaptive Server compliant
  • SSL support
  • Load automatically the parameters from a form or a IFrame on a web
    page (GET or POST)
  • Detect and browse the framesets
  • Option that auto detects the language of the web site
  • Find automatically the submit page(s) with its method (GET or POST)
    displayed in a different color
  • Single SQL injection
  • Blind SQL injection
  • Comparison of true and false response of the page or results in
    the cookie
  • Time delay
  • Response of the SQL injection in a customized browser
  • Fine tuning parameters injection
  • Can parameterize the size of the length and count of the expected
    result to optimize the time taken by the application to execute the SQL
    injection
  • Multithreading
  • Option to replace space by empty comments /**/ against IDS or filter
    detection
  • Automatically encode special characters before sending them
  • Automatically detect predefined SQL errors in the response page
  • Automatically detect a predefined word or sentence in the response page
  • Real time result
  • Possibility to inject an authentication cookie
  • Can view the HTML code source of the returned page
  • Save and load sessions in a XML file

You can find out more here:

SQL Power Injector

Download the latest version now.


14 June 2006 | 3,735 views

Security Events Around the World

Following Darknet post regarding SyScan’06, I decided to make a little resume of the most important security events all around the world.

Unfortunately we won’t be able to go, so all the pictures are welcome. (-:

If there’s any missing do let us know.

Recon 2006WWW16 June to 18 June 2006 – Plaza Hotel Centre-Ville, Montreal, Canada

InfoSecurity Canada 2006WWW20 June to 21 June 2006 – Metro Toronto Convention Center, Toronto, Canada

HOPE Number SixWWW21 July to 23 July 2006 – Hotel Pennsylvania, New York, USA

Secure Malaysia 2006WWW24 July to 26 July 2006 – Putra World Trade Centre, Kuala Lumpur, Malaysia

The Third Conference on e-Mail and Anti-SpamWWW27 July to 28 July 2006 – Mountain View, California, USA

Defcon 14WWW4 August to 6 August 2006 – Riviera Hotel & Casino, Las Vegas, USA

RuxCon 2006WWW30 September to 1 October 2006 – University of Technology, Sydney, Australia

Mobile SecurityWWW3 October to 5 October 2006 – Crowne Plaza, St James, London, UK

Infosecurity New York 2006WWW23 October to 25 October 2006 – Jacob K. Javits Convention Center, New York, USA

You can also visit SecurityPark for a complete list of Information Security events.


14 June 2006 | 7,911 views

Spam – A Simple Guide To Keeping Your Inbox Clean

In my opinion, the best way to keep clean of spam is simple:

The first rule is NEVER reply to spam, NEVER click the unsubscribe link and NEVER e-mail to the unsubscribe address.

These are simply underhand tactics to get ‘active’ e-mail addresses.

Some other tips to avoid getting spammed in the first place:

1) Never use your real e-mail address in newsgroups, this is the best place to get picked up by a spam bot. Use something like l33t-no-spam-at-i.hate.spam-darknet.org.uk

Then in your signature put remove -no-spam and i.hate.spam- to reply.

2) Never put your e-mail address on a publically viewable web page as it will be spidered by Google and grabbed by spammers.

If you do need to put an e-mail address use the simple JavaScript below to protect it:

<!-- Begin Darknet E-mail Saver
<SCRIPT language="JavaScript">
randomword = "l33t";
randomword2 = "darknet.org.uk";
append = "?Subject=Enquiry&Body=Please%20Insert%20Your%20Message%20Here.";
document.write('<a href=\"mailto:' + randomword + '@' + randomword2 + append + '\">');
document.write(randomword + '@' + randomword2 + '</a>');
// End -->
</SCRIPT>

3) If you do put your e-mail address anywhere try and obscure it in some way.

4) Create a disposable e-mail address (hotmail or yahoo) that you rarely check for signing up to Web-sites. Most commercial sites will bombard you with spam after you’ve signed up for whatever services they are offering. Some also sell your address to list makers or other spammer so never give your *real* e-mail address to anyone except people you want to e-mail you.

5) Don’t share your e-Mail address & Skip Compulsive Registration* This goes along with number 4, if possible don’t register, and if you do make sure you untick the ‘spam me with a newsletter’ box.

Well 5) maybe a problem. Most of the times, a search on Google shows us a site with the answer to our problem, still, a big part of them requires registration (like Expertexchange)

That’s where BugMeNot comes into play.

BugMeNot is database of login information (usernames and passwords) that you can use to access a site that requires registration. The site has a voting mechanism that enables you to vote for the Username/Password that worked for you, making the login combination with most votes, the first on the list for a specific site.

You can also add new login information to the database for the sites you can’t find a login.

There is also a BugMeNot plugin for Firefox, that enables you to automatically enter the login information for a site, with a single click of the mouse.
The plugin was made for older versions of Firefox, and it has been reported not to work with most recent versions.

BugMeNot is not the solution for everything, and sometimes you need to ‘share’ your e-Mail with others.

DEA – Disposable e-Mail Address – Allows you to share an e-Mail address on doubtful sites without the concern of that information being used to spam.

There are various sites providing DEA’s. Top 10 sites.

In my personal, and humble opinion, I suggest Mailinator and Wuzup Mail. Both of them supporting RSS.

Mailinator will create a random e-Mail address every time you refresh the site, which you can then use to register on the more doubtful sites.

WuzupMail let’s you choose your username and will save the e-Mail’s you receive for 7 day’s.

Using both BugMeNot for compulsive registration and DEA to prevent your personal information from being used to spam, you will reduce the amount of spam you get on your Inbox everyday (if you get any).

Also remember Thunderbird has some pretty good bayesian spam filtering built in, once it’s learn your e-mail pattern it’s very effective, if you are still getting spam you can try that.

* If you need to share your personal e-Mail address, do it in a creative way. Most web spiders – crawlers – are able to spot e-Mail’s like jon at doe dot com.

Be creative, jon at |NO_SPAM_PLEASE| dot com, etc, etc.

Digg This Article


13 June 2006 | 16,175 views

Windows Vista Preview Release Download & Torrent

You can get your hands on the windows vista preview release beta2. This is for those of you who are wondering how the interface of the new windows vista will look like and the new feel of the new operating system. You can find the minimum system requirements here.

You can download vista here. It’s free so try it out and see if you can find any security flaws on the new operating system before it hits final version. It’s 3GB in size so i suggest using your favorite download manager to download the .iso file.

Better still just download it using the torrent.

You can find the latest visa torrent information here:

http://www.vistatorrent.com/


13 June 2006 | 12,378 views

Oedipus – Open Source Web Application Security Analysis

Oedipus is an open source web application security analysis and testing suite written in Ruby by Penetration Testers for Penetration Testers. It is capable of parsing different types of log files off-line and identifying security vulnerabilities. Using the analyzed information, Oedipus can dynamically test web sites for application and web server vulnerabilities.

Oedipus can be broken down into 4 main components:

1. Analyzer

Capable of parsing several different types of log files, such as Burp, Paros, etc, identifying potential security vulnerabilities using pattern matching – An Oedipus input file is also produced.

2. Scanner

Parsers the Oedipus or IEnterceptor file, feeding each request to a dynamically loaded predefined security plug-in on the fly.

3. Reporter

Using the results from the Analyzer and the Scanner, Oedipus produces several well formatted reports designed for the Penetration Tester. The Scanner report can be interactively used to verify the results of the potential vulnerabilities discovered.

4. Tools

Using the above identified security vulnerabilities, a number of tools are provided to analyze and potentially exploit the vulnerability.

You can read more at:

Oedipus or Download Oedipus Now

Digg This Article


13 June 2006 | 3,678 views

Taiwan Kings of Spam from CipherTrust

Hmm Taiwan are really way ahead of everyone when it comes to being a spam hub, sadly that’s nothing to be proud of and generally it’s due to a large amount of poorly configured/unsecured servers.

Taiwan needs to start doing some vulnerability assessment! Taiwan and Korea have always had loads of open proxies/exploitable machines in my experience and when reporting such problems language is always an issue.

Almost two thirds (64 per cent) of servers controlling spam traffic are located in Taiwan, according to a survey by email security firm CipherTrust.

Such servers, used by internet low lives to relay spam and phishing emails through zombie, compromised PCs, are also commonly located in the US. The US accounts for 23 per cent of the machines identified on CipherTrust’s spam server blacklist with China in a fairly distant third place (three per cent).

Sounds like a pretty neat method they employed to get the figures.

CipherTrust obtained its figures after deploying a network of zombie-like machines across the world to gather intelligence on spamming operations. While machines in this “zombie honey pot” avoid relaying spam or phishing attacks to end-users, they collect messages from spammers trying to control them. By capturing these messages, CipherTrust is able to determine the location of the spam servers. Spammers themselves, of course, may be located somewhere completely different, such as Boca Raton, USA (for example).

Source: The Register


12 June 2006 | 5,432 views

Academic Papers on Web Application Security

I found a useful resource containing a whole list of academic papers on web-application security.

This list represents an attempt to collect academic papers on the subject of Web application security sorted by the year of publication.

Hacking web applications has become a big thing in the last 5 years, just look at the number of holes found in common PHP applications.

It has papers from 2004-2006.

Subjects cover a good range including:

  • SQLrand: Preventing SQL Injection Attacks
  • Bypass Testing of Web Applications
  • Defining a Set of Common Benchmarks for Web Application Security
  • The Essence of Command Injection Attacks in Web Applications
  • A Practical Approach for Defeating a Wide Range of Attacks

You can find the resource here:

Academic Papers in Web Application Security

Vulnerabilities in custom web applications are the most common flaws I find during penetration testing nowadays. It is a very important area and these papers should help your knowledge on both sides of the fence.


11 June 2006 | 3,352 views

Custom Trojans – Isn’t it Old News?

Well it is for me, and I guess anyone who consider themselves a career hacker, or at least has a serious interest..

As a few good trojans are open source (Back Orifice?), you can just mess around with them for a while until you reach the point they are no longer detected by any of the major anti-virus suites, then bind then to a file and off you go, instant access.

I remember once, someone actually believed I’d sent them a notepad.exe upgrade version…oh well, if only everyone was that stupid it would make our jobs so much easier.

Anyone back to the point, it seems customized trojans and malware is being created for specific attacks.

Anti-virus companies employee legions of researchers, honey pots, and customers to find viruses as soon as they appear in the wild. It takes on average about six hours to find, classify, and push out a new definition to your desktop. The Achilles heel of the whole industry is that these research techniques can do nothing to protect you against a custom virus or Trojan.

Custom malware is easy to create. Take the source code of an existing Trojan or virus, and modify it so that existing anti-virus and anti-spyware programs do not recognize it. And even if you or your IT department finds the Trojan, it does no good to report it, because it is not “in the wild.” So the developer of the custom Trojan can reuse his wares against other targets.

Sadly as always the AV industry is way behind, your anti-virus software only works if it has the correct definition, heuristics in the AV field are still very weak.

Anti-virus software is still reactive, not pro-active.

The infamous Trojan developed by Michael Haephrati and used to steal competitive information from dozens of companies in Israel was a custom Trojan. Now China is engaging in industrial-scale fishing expeditions against U.K. businesses and government agencies using a two-pronged attack.

The routine goes like this: First, a custom virus is sent in to harvest email addresses. It stays only within the target domain. Then, emails are sent to those addresses containing the custom Trojan. The reply-to addresses all appear to be within the same organization, making them more likely to be opened. Would you not open an email from your boss that said “Annual Appraisal Attached, Open Immediately”?

Social engineering combined with a custom trojan and some neat code, blended threats are always the most effective.

Again things like this can be stopped with education, it’s very hard to protect against such things with currect technology.

Host based intrusion detection can go a little way to helping..

Source: Dark Reading


10 June 2006 | 3,571 views

Predicting Malware – Events Trigger Malware/Phishing Spikes

Apologies for the lack of updates for the past few days, I had to go abroad for an important assessment ;)

It’s sad how people can pray on things as terrible as disasters to make a quick buck, but well we have to face the facts that they do, and will.

And as it seems, they will use anything, we’ve already seen a trojan targetting world cup fans.

For example, consider what we witnessed last year following the Katrina and Rita hurricanes that struck the southern coast of the USA. Within 24 hours of landfall, the Internet Storm Center observed a dramatic increase in fraudulent web sites aimed at good-hearted people wanting to donate to charities or relief efforts. We can predict with fairly high certainty that the same thing is going to happen again this year. We are monitoring DNS registrations and have seen several new names appear in the last few weeks with the strings “alberto”, “beryl”, “donation”, or “hurricane” in them. (Alberto and Beryl are the first two names on the list for 2006.) Are they all legitimate? Well, let’s see what happens as soon as the first storm forms and makes landfall.

People have even gone to the length of pre-registering domains for hurricanes that haven’t even HAPPENED yet, amazing eh?

We really need to focus on the so called ‘layer 8′ protection, beef up the wetware, educate and inform! The world cup will trigger all kinds of tricks, we can pretty much guarantee that, so we have to be on our guards.

In fact, one of our observant readers (thanks, George!) wrote us to say, “I work in a government research lab with a very diverse user population, including many soccer fans. The last World Cup led to a malware spike. I expect another spike this year, but with a potential for more sophisticated attacks.” So George is keeping an eye out for a potential rise in malware attacks, basing his prediction on the fact that during the World Cup many fraudsters and pranksters will likely launch specially crafted emails and set up bogus web sites designed to lure in sports fans around the world.

At least if we are ready, we can thwart the attacks before they happen in most cases, perhaps just a mass e-mail warning people will suffice.

Source: SANS