Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

03 July 2006 | 11,006 views

Universal Hooker – An Ollydbg Plugin

Prevent Network Security Leaks with Acunetix

The Universal Hooker is a tool to intercept execution of programs. It enables the
user to intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory.

Why is it ‘Universal’? There are different ways of hooking functions in a program, for example, it can be done by setting software breakpoints (int 3h), hardware breakpoints (cpu regs), or overwriting the prologue of a function to jump to a ‘stub’, etc. All the methods mentioned above, specially the latter, usually require the programmer of the code creating the hook to have certain knowledge of the function it is intercepting. If the code is written in a programming language like C/C++, the code will normally need to be recompiled for every function one wants to intercept, etc.

The Universal Hooker tries to create very simple abstractions that allow a user of the tool to write hooks for different API and non-API functions using an interpreted language (python), without the need to compile anything, and with the possibility of changing the code that gets executed when the hooked function is called in run-time.

The Universal Hooker builds on the idea that the function handling the hook is the one with the knowledge about the parameters type of the function it is handling. The Universal Hooker only knows the number of parameters of the function, and obtains them from the stack (all DWORDS). The hook handler is the one that will interpret those DWORDS as the types received by the function.

The hook handlers are written in python, what eliminates the need for recompiling the handlers when a modification is required. And also, the hook handlers (executed by the server) are reloaded from disk every time a hook handler is called, this means that one can change the behavior of the hook handler without the need to recompile the code, or having to restart the application being analyzed.

What can you do with it?

  • Fuzz in runtime without implementing protocol, just modify the packets
  • Interactive fuzzing using an hex editor
  • Poor’s man http/https proxy
  • Many things, check out the documentation

You can download it here:

Universal Hooker (Documentation)



02 July 2006 | 98,186 views

Downgrade PSP v2.6 to v1.5 to play homebrew & ISO games

Dark_AleX has now shared Downgrader Test v0.5 For PSP 2.50/2.60 Firmware which, according to MANY users (including TGMG, LalaMan, Firey, and LAXitives), works 100% with PSP consoles that were upgraded to v2.50 or v2.60 Firmware. However, it will NOT work with TA-082 versions and it’s NOT recommended for users whose FACTORY/STOCK Firmware was 2.50 or 2.60.

Check out the video in action here. Unfortunately the video quality is crap but its proof that it works. This hack was just released yesterday. So to those who have upgaded their PSP to v2.6, you still can downgrade to v1.5 to be able to play homebrew games and also ISO games.

Use this to check if you have TA-082 before you continue.

Tags: ,

30 June 2006 | 10,304 views

ARP Scanning and Fingerprinting Tool – arp-scan

NTA-Monitor has released the arp-scan detection and fingerprinting tool under the open source (LGPL license) concept.

It has been tested under various Linux based operating systems and seems to work fine.

This will only compile on Linux systems. You will need a C compiler, the “make” utility and the appropriate system header files to compile arp-scan. It uses autoconf and automake, so compilation and installation is the normal ./configure; make; make install process.

You can download arp-scan here:

http://www.nta-monitor.com/tools/arp-scan/download/arp-scan-1.4.tar.gz

Please read the man pages arp-scan(1), arp-fingerprint(1) and get-oui(1) before using this tool.


29 June 2006 | 7,682 views

Shadowserver Battles the Botnets

Botnets are indeed a growing problem, we’ve seen serious cases of DDoS extortion, the most recent example would be the attacks against the ‘million dollar homepage’ and the problems it caused the owner.

Botnets have been used for quite some time as spam networks and mostly for script kiddies to have DoS wars on IRC networks, but now they have released they can go back to the old mafia tactics of protection money and make a few bucks from it.

Botnets are the workhorses of most online criminal enterprises today, allowing hackers to ply their trade anonymously — sending spam, sowing infected PCs with adware from companies that pay for each installation, or hosting fraudulent e-commerce and banking Web sites.

As the profit motive for creating botnets has grown, so has the number of bot-infected PCs. David Dagon, a Ph.D. student at Georgia Tech who has spent several years charting the global spread of botnets, estimates that in the 13-month period ending in January, more than 13 million PCs around the world were infected with malicious code that turned them into bots.

Shadowserver is an effort to take out these botnets, they are made up of volunteers with some experience in computer security and have the thankless job of informing ISPs of infected machines and getting them to deny access.

Even after the Shadowserver crew has convinced an ISP to shut down a botmaster’s command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker’s control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.

That’s the problem, even after they have shut them down, they can spring up again in a few days. There are so many unprotected Windows machines, it’s an uphill battle..

Shadowserver is using some kind of custom Honeynet to collect samples of the Bot seeding malware and examine it using reverse engineering techniques.

I predict it will get worse and as more machines from developing nations come online (using outdated and pirated copies of Windows) more more and vulnerable machines will be available to these ‘bot herders’…

Recent media attention to the Shadowserver project has generated interest among a new crop of volunteers eager to deploy honeynet sensors and contribute to the effort. Albright says he’ll take all the help he can get, but he worries that the next few years will bring even more numerous and stealthy botnets.

“Even with all the sensors we have in place now, we’re still catching around 20 new unknown [bot programs] per week,” he said. “Once we get more sensors that number will probably double.”

It’s only going to get worse.

Source: Washington Post


28 June 2006 | 5,174 views

Web Services Attack Frequency Increasing

As we’ve reported a few times recently, more and more attacks being aimed at Web Services such as Orkut, MySpace, Ebay and others.

As more people turn to web applications for everyday tasks like e-mail, friendship and payments, cyber criminals are following them in search of bank account details and other valuable data, security researchers said.

Users of Yahoo’s e-mail service, Google’s Orkut social networking site and eBay’s PayPal online payment service were among the targets of attacks in recent weeks. All three companies have acknowledged and plugged the security holes.

Money is to be made with users data, usually credit card details. It’s also a numbers game, 90% of users are using MS operating systems and most people are still using Internet Exploder. So its pretty easy to target them with the right combination of scripting and browser exploits.

The attacks come as Microsoft, whose Windows operating system runs about 90 percent of the world’s computers, has plugged many of the most easily exploited holes in its e-mail program, browser and other products following dozens of embarrassing breaches over the past several years.

They also come amid the growing popularity of online communities such as MySpace.com and of web-based calendar, messaging and other services offered by Google, Yahoo and others.

The only difference that has shown up is the speed in which web services providers patch the holes in constrast to the time it takes Microsoft or other traditional software vendors to respond (If they respond at all..).

The ability of Yahoo, Google and PayPal to quickly plug this month’s holes highlights one of the differences between combating worms that target websites and those that go after flaws running on an individual’s PC.

PayPal was able to roll out a fix almost immediately by altering several lines of code on its server, company spokeswoman Amanda Pires said. That blocked the ability to exploit a flaw that let cyber criminals intercept users who typed in a genuine PayPal web address, security researchers say.

Wired


27 June 2006 | 16,211 views

sqlninja 0.1.0alpha – MS-SQL Injection Tool

sqlninja is a little toy that has been coded during a couple of pen-tests done lately and it is aimed to exploit SQL Injection vulnerabilities on web applications that use Microsoft SQL Server as their back-end.

It borrows some ideas from similar tools like bobcat, but it is more targeted in providing a remote shell even with paranoid firewall settings.

It is written in perl and runs on UNIX-like boxes.

Here’s a list of what it does so far:

  • Upload of nc.exe (or any other executable) using the good ol’ debug script trick
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • DNS-tunneled pseudoshell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames

Being an alpha version and since it was originally supposed to be just a quick&dirty toy for a pentest, there are lots of bugs waiting to be found and fixed so go ahead and download it ! :)

More tunneling options (e.g.: HTTP, SMTP, …) will be added in the future together.

You can read more and download sqlninja here:

http://sqlninja.sourceforge.net/


27 June 2006 | 4,007 views

SANS Gateway Asia 2006

Forgot to post this earlier. I received this email from SANS Institute sometime in April. They seem to be having two of their training sessions in singapore in August. Those who live in Asia or anywhere near the region and are interested can look it up. SANS Institute has one of the best trainers and also very good training materials.

Dear [Insert name here],

Please join us as we present SANS Gateway Asia 2006 in Singapore on August 14th-19th! We are partnering with Fusion Frontier Pte Ltd to present two of SANS most popular courses:

* Security 401: SANS Security Essentials Bootcamp Style
* Security 504: Hacker Techniques, Exploits & Incident Handling

With attackers leveraging huge numbers of hosts to overwhelm common defense mechanisms it is vital that we defend our organization’s resources and networks. This means being educated about current threats and vulnerabilities and how to combat them. Let SANS help you get up
to speed fast!

In Security 401, Bob Hillery will cover the survival skills an information security team member needs. This program prepares you for GSEC certification and helps accelerate your career in security. Security 401 is also a requirement for the MSISE advanced degree from the SANS Technology Institute.

In Security 504, George Bakos will teach you to detect malicious code and respond on the fly. You’ll learn how your networks appear to hackers, how they gain access with special emphasis on the newer attack vectors, and what they do when they get in – especially in manipulating the system to hide their work. You’ll master the proven six-step process of incident handling so you are prepared to be the technical leader of the incident handling team. This course prepares you for GCIH certification and is a requirement for both the MSISE and MSISM advanced degrees from the SANS Technology Institute

Classes will be held at the Swissotel Merchant Court Hotel Singapore where special hotel rates have been arranged for SANS attendees. Convenient to the airport and transit, close to Singapore’s best attractions, and located along the banks of the Singapore River – you’re sure to enjoy your stay here and get the most out of your training!

So join us in the battle for a secure global Internet community by registering today for SANS Gateway Asia 2006! We guarantee that you will return to work with practical, relevant knowledge and skills you can use immediately to secure your organization’s critical resources.

To register, please go to:
http://www.sans.org/gateway_asia2006/

Discounts are available for early registration, so don’t delay


26 June 2006 | 5,072 views

US Veterans Information Leaked on The Web

Another HUGE information leak from the US government, seems they can’t help themselves.

Or perhaps people are just ramping up the efforts against them..

The Navy has begun a criminal investigation after Social Security numbers and other personal data for 28,000 sailors and family members were found on a civilian website.

The Navy said Friday the information was in five documents and included people’s names, birth dates and Social Security numbers. Navy spokesman Lt. Justin Cole would not identify the website or its owner, but said the information had been removed. He would not provide any details about how the information ended up on the site.

They really need to step up their standards and training, and of course use some kind of file based or filesystem encryption, a stolen laptop shouldn’t yeild so much information.

The breach regarding the Navy comes amid a rash of government computer data thefts, including one at the Agriculture Department earlier this week in which a hacker may have obtained names, Social Security numbers and photos of 26,000 Washington-area employees and contractors.

As many as 26.5 million veterans and current military troops may have been affected by the theft of a laptop computer containing their Social Security numbers and birth dates. The computer was taken from the home of a Veterans Affairs Department employee in early May, and officials waited nearly three weeks before notifying veterans on May 22 of the theft.

That’s a hell of a lot of people to be effected..

Source: Wired


25 June 2006 | 17,368 views

UFO ‘Hacker’ Gary McKinnon Reveals What He Found

An interesting interview had been posted on Wired with Gary McKinnon about what he actually found whilst penetrating the US government networks.

After allegedly hacking into NASA websites — where he says he found images of what looked like extraterrestrial spaceships — the 40-year-old Briton faces extradition to the United States from his North London home. If convicted, McKinnon could receive a 70-year prison term and up to $2 million in fines.

Final paperwork in the case is due this week, after which the British home secretary will rule on the extradition request.

McKinnon, whose extensive search through U.S. computer networks was allegedly conducted between February 2001 and March 2002, picked a particularly poor time to expose U.S. national security failings in light of the terror attacks of Sept. 11, 2001.

You can also search the Darknet archives for more news on Gary.

There are a couple of interesting parts, but it all sounds rather X-Files..

WN: Did you find anything in your search for evidence of UFOs?

McKinnon: Certainly did. There is The Disclosure Project. This is a book with 400 testimonials from everyone from air traffic controllers to those responsible for launching nuclear missiles. Very credible witnesses. They talk about reverse-(engineered) technology taken from captured or destroyed alien craft.

Shame he was on 56k aswell, or we might have gotten some good stuff!

WN: What sort of evidence?

McKinnon: A NASA photographic expert said that there was a Building 8 at Johnson Space Center where they regularly airbrushed out images of UFOs from the high-resolution satellite imaging. I logged on to NASA and was able to access this department. They had huge, high-resolution images stored in their picture files. They had filtered and unfiltered, or processed and unprocessed, files.

My dialup 56K connection was very slow trying to download one of these picture files. As this was happening, I had remote control of their desktop, and by adjusting it to 4-bit color and low screen resolution, I was able to briefly see one of these pictures. It was a silvery, cigar-shaped object with geodesic spheres on either side. There were no visible seams or riveting. There was no reference to the size of the object and the picture was taken presumably by a satellite looking down on it. The object didn’t look manmade or anything like what we have created. Because I was using a Java application, I could only get a screenshot of the picture — it did not go into my temporary internet files. At my crowning moment, someone at NASA discovered what I was doing and I was disconnected.

I also got access to Excel spreadsheets. One was titled “Non-Terrestrial Officers.” It contained names and ranks of U.S. Air Force personnel who are not registered anywhere else. It also contained information about ship-to-ship transfers, but I’ve never seen the names of these ships noted anywhere else.

Interesting eh?

Source: Wired


24 June 2006 | 5,788 views

LiveJournal Advert Installs Malware

Seems like someone sneaked past the LiverJournal advertisers policy by only trying to infect Australian and European users.

A certain advertiser (kpremium.com) – being sneaky and underhanded. It’s not LJ’s fault, LJ already disabled the advert from rotation.

The ad itself is for a program that lets you download stuff – you know the sort of thing. The ad is a Flash ad, and masquerades as a banner ad.

Thing is, the Flash ad contains code to open a popup that leads to a very different destination – it’s what I assume is an affiliate link that attempts to download and install ErrorSafe on your computer.

Source: no_lj_ads

LJ have said they are looking into it.

It looks like one of our advertisers possibly managed to sneak past our ad guidelines. The kpremium ad is designed and targeted for people in Western Europe and Australia, and we’ve received reports from people in those regions, indicating that it’s doing obnoxious things with the browsers — shrinking the window and generating popups. (Many people mentioned “ErrorSafe” in

Source: lj_ads

Sneaky eh, all the more reason to use Firefox, Adblock Plus and NoScript!

Also keep your anti-virus software up to date just in case.