Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

14 November 2006 | 22,736 views

Installing Nessus on Debian-based OSs like Ubuntu

Check For Vulnerabilities with Acunetix

With this simple tutorial I will explain how to install Nessus client (nessus) and Nessus Daemon (nessusd) and properly register it, so you don’t end up with the limitations of a non-registered version of the vulnerability scanner.

Installing:

I personally use apt-, however, you may choose any other package manager.

apt-get install nessus nessusd -y

This will install the nessus client and server, and the -y is used to answer YES to the confirmation of apt-get.

We have now installed both the client and the server. Let’s proceed to the addition of a user:

nessus-adduser

Display:

gouki@8104:~$ sudo nessus-adduser
Using /var/tmp as a temporary file holder

Add a new nessusd user
----------------------

Login : darknet
Authentication (pass/cert) [pass] :
Login password :
Login password (again) :

User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that darknet has the right to test. For instance, you may want
him to be able to scan his own host only.

Please see the nessus-adduser(8) man page for the rules syntax

Enter the rules for this user, and hit ctrl-D once you are done :
(the user can have an empty rules set)

Login : darknet
Password : ***********
DN :
Rules :

Is that ok ? (y/n) [y] y
user added.

About this display:

When asked about Authentication (pass/cert) [pass] : just press enter, as we will not use any.
When asked about rules for the specific user, press CTRL+D, as we will not enter any rules for the user.

Starting the Daemon:

By default, nessusd has not started. To manully force him to, you will need to do the following:

sudo /etc/init.d/nessusd start

Registering Nessus:

Nessus will work without being registered, however, it will have limitations. Unnecessary limitations, since it is easily registered.

Nessus Registration page - Go here and start the proccess.

After you have entered your e-mail address, the instructions on how to register will not work on Debian-based OSs.

On the eMail from the Nessus team, you will be instructed to this path: /opt/nessus/bin/nessus-fetch, however, the path should be replaced by /usr/bin, making the complete registration command: sudo /usr/bin/nessus-fetch --register XXXX-XXXX-XXXX-XXXX-XXXX

You should now have a complete and working installation of Nessus. Enjoy and remember, automatic scanners are not 1337! =)

TIP: Before starting to use Nessus, update the plugins by doing the following:

sudo nessus-update-plugins

Advertisements



13 November 2006 | 8,449 views

MySpace Paedo Caught by PERL Script

Now for once, this is a really neat use of technology, someone using their brains and a suitable tech to solve a problem that is very apparent.

PERL may be frowned upon by some as being old or outdated, but seriously for parsing data, pattern matching and trawling, it’s still excellent and you can get a program up and running very fast, especially with the CPAN module system.

he computer crimes unit of New York’s Suffolk County Police Department sits in a gloomy government office canopied by water-stained ceiling tiles and stuffed with battered Dell desktops. A mix of file folders, notes, mug shots and printouts form a loose topsoil on the desks, which jostle shoulder-to-shoulder for space on the scuffed and dented floor.

I’ve been invited here to witness the endgame of a police investigation that grew from 1,000 lines of computer code I wrote and executed some five months earlier. The automated script searched MySpace’s 100 million-plus profiles for registered sex offenders — and soon found one that was back on the prowl for seriously underage boys.

Of course some manual monkey work still needed to be done to verify any profiles, but still from 100 million down to a handful, pretty neat eh?

The code swept in a vast number of false or unverifiable matches. Working part time for several months, I sifted the data and manually compared photographs, ages and other data, until enhanced privacy features MySpace launched in June began frustrating the analysis.

Excluding a handful of obvious fakes, I confirmed 744 sex offenders with MySpace profiles, after an examination of about a third of the data. Of those, 497 are registered for sex crimes against children. In this group, six of them are listed as repeat offenders, though Lubrano’s previous convictions were not in the registry, so this number may be low. At least 243 of the 497 have convictions in 2000 or later.

I for one am impressed.

Source: Wired


11 November 2006 | 31,985 views

Medusa Fast Parallel Password Cracker 1.3 Released

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application:

  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

Version 1.3 of Medusa is now available for public download.

Medusa currently has modules supporting: CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare), PcAnywhere, POP3, PostgreSQL, rexec, rlogin, rsh, SMB, SMTP (VRFY), SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC, and a generic wrapper module.

While Medusa was designed to serve the same purpose as THC-Hydra, there are several significant differences. For a brief comparison you can see here.

This release fixes several autoconf issues and a number of minor bugs.

You can find the Medusa homepage here and download Medusa here:

Medusa 1.3

Medusa was developed on Gentoo Linux and FreeBSD. Some limited testing has been done on other platforms/distributions (OpenBSD, Debian, Ubuntu, Darwin, Solaris).


08 November 2006 | 8,722 views

the Art of Virology 00h

This is the first part (of many others to come) consisting of basic a introduction to different viruses, some terminology and other aspects required before starting to understand or write viruses.

Definition

A virus is (taken from Windows XP’s Help And Support Center):

A program that attempts to spread from computer to computer and either cause damage (by erasing or corrupting data) or annoy users (by printing messages or altering what is displayed on the screen).

But wait a second… to this definition is not correct from some points of view; for example we could place in this category also programs that only reproduce, parasite different files, and do not do damage to users data, or annoy them, except maybe for the disk usage…
But you should not confuse viruses with John von Neumann’s self-reproducing mathematical automata. Google for more information about it because it’s not part of our subject, or maybe I don’t want to get scientific and speak about it

What programs are connected to virology?

The abstract definition of viruses has become more abstract with the help of know-it-all antivirus programmers, which for some money integrated in there software Trojan / hoaxes / malware / backdoor removers, so anytime a antivirus product pops up with a notification of such a program being found on a computer, a normal user doesn’t get interested in this aspect and it’s concerned of being infected with a virus (disinterest, what else)!
But what is the difference between these programs? I’ll make for you a little list with some personal definitions ok so let’s start:

adware – belong to the malware category, besides spyware; it’s not a virus, it’s and application normally shifted alongside with other programs, it’s main role being to pop up, while your connected to the web, some ads. most of the time they get installed because you do not read the files accompanying different software which are free or get free doing some ads for big/medium/small companies.

spyware – these are the fierce animals of malware, they spy on you, but not the subtle way James Bond does, they get installed through different exploits and surveillance the websites you visit, personal information, etc. and send them to different firms (or government, NSA, FBI, CIA ?)

Trojan – Trojans are programs written for specific tasks, in this list we could include flooders (DoS), hidden proxy server, virus droppers, also for different purposes that antivirus vendors think that could do harm to other people’s data.

backdoor – a backdoor is a program which if it’s not released by an underground website could be called “ËśRemote Administration Tool’, so it’s a tool that let’s you control, or do specific tasks on other computers; famous backdoor/Trojan backdoor clients (and server) are: BO2K, SubSeven, R3C, Insane Network.

virus – this one belongs to our subject, of course could it is well divided in more types of viruses, classified by language used to create them, how they infect, and what they infect.

worm – these programs/scripts also belong to virology (think so?!) because they also have the basic concept of viruses (parasites, worms. ring a bell?) to spread, beautifully, widely, and all other fancy adjectives you can find.

Viral History

The “first” virus
Sometime in the early 1970s, the Creeper virus was detected on ARPANET a US military computer network which was the forerunner of the modern Internet. Written for the then-popular Tenex operating system, this program was able to gain access independently through a modem and copy itself to the remote system. Infected systems displayed the message, ‘I’M THE CREEPER : CATCH ME IF YOU CAN.’
Shortly thereafter, the Reaper program was anonymously created to delete Creeper. Reaper was a virus: it spread to networked machines and if it located a Creeper virus, Reaper would delete it. Even the participants are unable to say whether Reaper was a response to Creeper, or if it was created by the same person or persons who created Creeper in order to correct their mistake.
And now a list of the first viruses “to be the first”:
1981 :: Elk Cloner – Boot sector virus

1986 :: Brain – Stealth file virus
1986 :: Virdem – DOS COM file infector

1987 :: Suriv-1 – DOS COM real time file infector
1987 :: Suriv-2 – DOS EXE file infector
1987 :: Suriv-3 – DOS COM & EXE file infector
1987 :: Cascade – Encrypted Virus
1987 :: Christmas Tree Worm – Worm (Internet Virus)

1988 :: Morris Worm – Worm which used exploits against Unix system to spread

1990 :: the Chameleon family – A polymorphic virus family

1991 :: Tequila – A polymorphic boot virus
1991 :: Dir II – The one and only virus to use link-technology

1992 :: Win.Vir_1_4 -Windows virus

1994 :: Shifter -OBJ file infector
1994 :: ScrVir-a – C and Pascal source code files infector

1995 :: Winstart -BAT file virus

1996 :: Boza – Windows 95 virus
1996 :: OS2.AEP – OS/2 EXE file infector
1996 :: Laroux – Excel virus

1997 :: Linux Bliss – Linux virus
1997 :: ShareFun – Macro virus spreading through mail, with MS Mail
1997 :: Homer – Worm that used FTP to propagate
1997 :: Win95.Mad – Self-encrypting Windows 95 virus

1998 :: Win95.HPS and Win95.Marburg – Windows polymorphic viruses
1998 :: Cross – Multi-platform virus, infected MS Access and Word files
1998 :: Triplicate (Tristate) – MS Word, Excel and PowerPoint file infector
1998 :: Red Team – EXE infector virus, spreading through Eudora
1998 :: Java.StrangeBrew – Java web application virus

1999 :: Happy99 (Ska) – Modern-Day Worm
1999 :: SK; – HLP file infector virus
1999 :: Melissa – Word Macro virus incorporating Internet Worm functionality
1999 :: Gala – Corel Draw, Photo-Paint, Ventura file infector
1999 :: Bubbleboy and KakWorm – Worms spreading through IE vulnerabilities
1999 :: Babylonia – Worm with remote self-rejuvenation (don’t get scared by the term, it means that it automatically downloaded new versions of it)

2000 :: Inta – Windows 2000 file infector
2000 :: LoveLetter – Script Virus to break Guiness Book record
2000 :: Star – AutoCAD package virus
2000 :: Jer – Internet Worm using social engineering and mass marketing to get user to let them be infected
2000 :: Liberty – PalmOS virus
2000 :: Stream – ADS and NTFS filesystem viruses
2000 :: Fable – PIF file infector
2000 :: Pirus – PHP Script virus
2000 :: Hybris – Worm with self-rejuvenating based on a 128-bit RSA key

2001 :: Mandragore – Gnutella file-sharing Internet Worm

2002 :: LFM and Donut – .NET Framework viruses
2002 :: Spida – SQL Server worm
2002 :: Benjamin – Kazza file-sharing network worm

2003 :: Slammer – Fileless Worm with flash-worm capabilities

Wow. that’s quite a long list, don’t you think? And it isn’t all; if you want to see it all, then go to viruslist and read all the history of malware, and then surely you can say that this list is even to small = )

Classification

I think that we should classify viruses so we will now better about which kind of viruses we speak. you’d probably seen in the list different classifications, but it’s time we clearly point them out (of course this is my personal classification, agree with it or not, it’s your choice):

By what they infect

  • Binary File Infector
    In this category we will include the classic ones: exe, com, obj file infectors; plus the CAD, Corel and any other weird (?_?) extension virus we can find.
  • SourceCode File Infectors
    As you would imagine, in this category will be included viruses that infect source code files Pascal, C, etc. Think that I know a couple or two of this type.(?)
  • BOOT Sector Infectors
    Simple, complex, tiny and all other boot sector viruses will be part of this category. P.S. I hate doggie-B
  • MS Office Infectors
    We all have heard of them, laught about them, though they were dead, but we all know that they are extremely dangerous viruses. yes I’m talking about macro viruses, that populate Word, Excel, PowerPoint, Access.
  • Script Infectors
    And finally our last category dedicated for the viruses which infect script files like js, vbs, mrc and inject themselves into html files including a <script> area.
  • None infectors
    This will be, and is, a special category for our fellow friends of virology: worms. They often do not infect anything, they just multiply via different methods.

By their abilities

  • Stealth
    A common, or maybe told “would have to be common”, ability of viruses is that they can work in a stealth mode; things that help in this are timestamp maintenance, encoding different strings in the code so they won’t “scream” to users that simply view the source of the file, etc,
  • Encryption
    Since it’s appearance has passed long time, and we have even surpassed this ability, but it’s worth mentioning for the classification.
  • Polymorphism
    This category threads viruses which have more than one method of dencryption, thus making them harder to detect; the dencryption algorithm changes at every infection..
  • Metamorphism
    In this category are the most modern viruses, I mean viruses which have passed from polymorphism to a new generation, the generation of code variability.
  • Anti-Bait
    In this category do not go the worms (you know. fishing), just viruses which do not fall for it and don’t infect bait files created by AV.
  • Anti-Heuristic
    If a virus can survive in this heuristically environment, created by AV programs, than his place is in this category.
  • Anti-Debug
    Which viruses would fall in this category except the ones that can stop users, AV developers, or anything to debug there code?

Language used for writing viruses

On this one I have to think for a while. Yes I know, you can use php, pascal, c (and any other variation), javascript, visualbasic (script), python, perl, etc. and assembly, that’s it assembly is the one you will learn.

Why, you ask?
Because most of the virus source code I will print you out will be in assembly language, and this is the basic language of classic viruses. But don’t complain, you will be happy after having learned assembly and able to create viruses this way, trust me ;)

Books I recommend?
I have found recently some very fine books regarding this language (they are free and LEGAL two), and one of them threats assembly language as an art, so I recommend the Art of Assembly, but it’s ok for you to check out others two, can find them on computer-books. You’ll see there the Assembly category. One little note, the assembly language you will learn must be compatible with TASM (Turbo Assembler) or MASM (Microsoft Assembler).

Toolbox

I don’t think there is any need for plenty “useless” tools at this point of virology, I will point you just the basic ones you need at this stage, and later on we will add other ones, but just step-by-step, so here’s the “mega-sized” list:

  • Tasm & Tlink : the turbo assembler and turbo linker
  • Masm & Ml : Micro$oft’s assembler and linker
  • Windows Debug is an alternative two

Both tools can be found on the net, I didn’t have more patience with the article so I advice you to Google/Yahoo/Altavist for them = ). The last one can be found by running debug.exe from any Windows console.

Some Extra!
If you have a small HDD (2-4GB) drive I advice you to format it and install a fresh copy of Windows, which you will use if want to play with viruses or if you want to try them out. Of course you will disconnect your primary HDD so it won’t infect you clean one. But of course this step is not necessary if you trust the specification (concerning the payload) of different viruses that I will present, and don’t want to see them with your eyes (like Judas), to believe in what you hear.

End of 00h

By this I make it official, the first part of the Art of Virology has definitely ended. See you next time when I will present the general framework of a virus, so stick your eyes on Darknet, because the 01h article will be posted as soon as possible. If you think this article isn’t complete, then I ask you politely to post some comments and add “that” extra to it. ; )

P.S. I recommend you get some beers, cigarettes, and some hardcore music because the Art of Assembly is a damn long book, and you could make an indigestion.


08 November 2006 | 5,266 views

Taof 0.1 Network Protocol Fuzzer Released

Taof is a GUI cross-platform Python generic network protocol fuzzer. It has been designed for minimizing set-up time during fuzzing sessions and it is especially useful for fast testing of proprietary or undocumented protocols.

Taof aids the researcher during the data retrieval process by providing a transparent proxy functionality that forwards and logs requests from a client to a server. After the data retrieval phase, Taof presents the logged requests and allows the user to specify the fuzzing points within the requests.

This is the first public release, and as it is in beta state, every comment/suggestion/request is more than welcome. Contact regarding the project can be made by posting to the web forums or directly mailing the project’s administrator.

Source code, windows binaries and guide are now available for download. Screenshots are also provided.

http://sourceforge.net/projects/taof

Happy vulnerability hunting! Taof 0.1 fuzzer released.


07 November 2006 | 3,089 views

Spamhaus & e360 Battle is Heating Up

The battle is heating up between the spammers e360 and the anti-spam warlords Spamhaus, some say the Internet may meltdown if Spamhaus stops its service..

Some estimates say 80% of spam is stopped by Spamhaus and e-mail could suddenly shoot to a server melting rate if their service is pulled.

The legal battle between antispam organisation Spamhaus and David Linhard, of e360 Insight, is heating up, with a court order that could cause a temporary ten-fold surge in spam.

Spamhaus has a user base of around 650 million, and its lists block some fifty billion spams per day, according to the project’s chief executive, Steve Linford.

Linhardt sued the UK-based anti-spammers in an Illinois district court after being listed in Spamhaus Register of Known Spam Operations (ROKSO).

Although Spamhaus maintains the Illinois court has no jurisdiction over an organisation based in the UK, district court judge Charles Kocoras awarded a total of US$11.71 million (NZ$17.7 million) in damages to Linhardt.

I hope they can escape from this whole mess as although Spamhaus are known for being harsh, they do a good job.

It seems unlikely that ICANN or Spamhaus will accept an order to suspend spamhaus.org without a fight, Cox says. Linhardt may try to have the proposed order changed before issuance, Cox says, to include in it other parties. Should Linhardt be successful, Cox says it means a US District Court will have dictated to a non-US organisation what domain name it can use. This, he adds, is likely to cause great concern to internet users worldwide who resent the imposition of US-based ICANN as the sole governing body in these matters. ICANN is therefore likely to want to stay out of the dispute as much as possible.

I don’t think ICANN should or will intervene, let’s just wait and see as this battle reaches critical mass.

Source: Computerworld


04 November 2006 | 13,852 views

McDonalds Japan Spreads Malware on MP3 Player

This is pretty funny, but frankly typical of McDonalds..act before they think, it’s cheap, it’ll get more customers, whack it out!

They gave out a bunch of flash drive mp3 players as a promotion, it turns out every single one was loaded with a fairly nasty piece of spyware!

McDonalds Japan has launched a recall after discovering that MP3 players it offered as a prize were loaded with a particularly nasty strain of malware. Up to 10,000 people might have been exposed to the problem after claiming a Flash MP3 player pre-loaded with ten tunes and a variant of the QQpass spyware Trojan.

Not nice eh? Pretty bad too as it doesn’t just track your surfing habits, it actually sends out your passwords over the web.

Punters received the contaminated gift after purchasing a large drink form the fast-food chain in Japan and submitting a serial number contained on the beverage holder as part of a competition, sponsored by McDonalds and Coca-cola. Users who connected the McDonalds-branded MP3 player to their Windows PC were exposed to spyware code programmed to transmit their web passwords and other sensitive information to hackers. The cause of the accidental infection is unclear but past experience suggests a contaminated machine involved in loading content onto the players is the likely culprit.

They are really sorry, honestly..

McDonalds Japan has apologized for the cock-up and established a helpline designed to handle the recall of the infected MP3 players and send out uncontaminated music gizmos. A Japanese-language statement also explains how punters can cleanse potentially infected PCs

Apologised, meh! Any thoughts?

Source: The Register


02 November 2006 | 51,700 views

Wyd – Automated Password Profiling Tool

Wyd is a neat tool I found recently for Password Profiling.

In current IT security environments, files and services are often password protected. In certain situation it is required to get access to files and/or data even when they are protected and the password is unknown.

wyd.pl was born out of those two of situations:

  • A penetration test should be performed and the default wordlist does not contain a valid password
  • During a forensic crime investigation a password protected file must be opened without knowing the the password.

The general idea is to personalize or profile the available data about a “target” person or system and generate a wordlist of possible passwords/passphrases out of available informations. Instead of just using the command ‘strings’ to extract all the printable characters out of all type of files, we wanted to eliminate as much false-positives as possible. The goal was to exlude as much “unusable” data as possible to get an effective list of possible passwords/passphrases.

At the moment the following file types are supported:

  • plain
  • html
  • doc
  • ppt
  • mp3
  • pdf

There is more info here.

You can download Wyd here:

Wyd – Latest Version


01 November 2006 | 5,903 views

Hackers Target Home Users for Cash

Hackers are switching targets now, companies are getting too hard to break into due to the availability of decently configured perimeter kit like firewalls and IDS.

Plus the information they do get if they manage to break in is often worthless commercially and really not worth the effort.

So instead, they target the end user, home bankers, those who they can scam, con or phish!

Consumers are now on the main target of malicious hackers intent on enriching themselves through the misery of others. Vulnerabilities in desktop applications and the increased use of stealth techniques are on the rise among members of the digital underground, according to the latest edition of Symantec’s Internet Security Threat Report.

The report, which covers the first half of 2006, suggests that consumer security protection is weak, leaving Joe Public easy prey to identity thieves, botnet herders and other financially motivated criminals. Crackers are using a variety of techniques to escape detection and remain on infected systems for longer. Symantec reckons assaults against consumers account for 86 per cent of all targeted attacks. Banks and other financial sector organisations are the second most prevalent target for internet attacks. Phishing attacks almost doubled during the reporting period.

The information on your desktop could be valuable to someone…remember aswell spyware/adware companies are making tens of millions infecting users and just simply collecting information about Internet useage and surfing habits.

In the first half of 2006, 18 per cent of all malicious code samples detected by Symantec had not been seen before, indicating that hackers are trying harder to evade detection by signature-based anti virus and intrusion prevention systems.

Phishers are also attempting to bypass filtering technologies by creating multiple randomised messages. In H1 2006, 157,477 unique phishing messages were detected, 81 per cent more than the previous six months. The financial services sector was the most heavily phished, accounting for 84 per cent of phishing sites tracked by the Symantec.

This shows a BIG pickup in new and unique code, people are trying harder and getting smarter, phishers are starting to use the tricks spammers are already using. Loads of phishing.

Source: The Register


31 October 2006 | 5,584 views

New Firefox vulnerability – DoS and [DELETED] – UPDATED

This has just been posted to Bugtraq.

For now you can test if your version is vulnerable, here. (will cause Firefox to close)

So far Firefox 1.5.0.7 and 2.0 (Linux) have been tested, and both vulnerable. Firefox 1.0.7 (Win32), not vulnerable.

The code used on the test page and the one submitted to Bugtraq can be found here.

Severity: … not really

Update: This attack does not allow remote code execution! It has been posted on the mailing lists and several news sites.