Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

23 November 2006 | 6,434 views

Vulnerability Assessment and Operational Security Testing Methodology (VAOST) – version 0.2 released

Check Your Web Security with Acunetix

Here is a newly released VA methodology, the author believes it to be more focused, and thus cost effective VA process. It may map to internal work, but it is probably more suited to external sites.

It’s gone through a couple of revisions so it’s a bit more polished now.

You can find the notes on the first version here.

Version 0.2 has been released after some community endorsement, there is still some work to do though, they hope to add the following shortly:

  • Pre stages to get management buy in
  • A complete worked example that shows the kind of results that can be produced
  • A more complete list of or supporting implementing software
  • A more complete list of attack tools for the authorisation checklist.
  • Better graphics
  • A standalone collection of the checklists

You can download VAOST version 0.2 here:

VAOST 0.2 (doc version)

The author welcomes your feedback and comments. The VAOST forum area where you can get the files will accept guest (ie un-registered) posts so you can add your comments there if you desire (note we will delete defamatory and rude posts to prevent our being sued!).

It is work in progress and we still have a long way to go, but hopefully, we can get there with your help.

The general VAOST forum can be found here.


22 November 2006 | 14,935 views

Web 2.0 Hacking with Firefox and it’s plugins

A dream come true, would I say… recently found this article on securityfocus, it’s awesome… all that you need (beside Firefox) is pointed out in the article, so go on, what are you waiting for…


21 November 2006 | 7,850 views

AttackAPI 0.8 JavaScript Hacking Suite Available

AttackAPI provides simple and intuitive web programmable interface for composing attack vectors with JavaScript and other client (and server) related technologies. The current release supports several browser based attacking techniques, simple but powerful JavaScript console and powerful attack channel and associated API for controlling zombies.

The standalone components of the library can be found at the following locations:

One infrastructure tool is available here:

I would recommend AttackAPI 0.8 to everyone who is interested in high-end hacking not because I wrote it but because it provides a good demonstration of what is possible today. That, I hope will take our awareness even further.

AttackAPI slowly moves to its 1.0 release where I am planning to standardize its core, fix discovered bugs and make it even more cross-platformed. Still, there is a long way to go but I am willing to take my chances. There are plans for 0.9 but I will keep them undisclosed for now.

So what 0.8 has to offer? There are a couple of things that worth attention. I will start in chronological order.

The Client interface can be used to enumerate the current client. It has functionalities to fingerprint the current operating system, installed plugins, the browser in use and the local NATed IP address and hostname. This tool is brilliant for doing the first steps of any targeted attack.

The Server, on the other hand, can be used to fingerprint the current server. It provides information about its domain, IP address, platform, server software and the application architecture. Its purpose is to identify what is currently available. That is important because the Web is very distributed and agile network and controlling dozens of infected clients is a mission on its own.

Full information on AttackAPI is available here:

AttackAPI 0.8

19 November 2006 | 7,245 views

Hackers’ Project – Browser Exploit Code Hiding

Hackers are developing new software that will help hide browser attack code from some types of security software.

The software, called VoMM (eVade o’ Matic Module), uses a variety of techniques to mix up known exploit code so as to make it unrecognizable to some types of antivirus software.

Using these techniques, VoMM “can create an endless number of variants of an exploit,” said Aviv Raff, one of the developers behind the project.

“It aims to provide several techniques out of the box to make browser exploits (mostly) undetectable,” according to a blog posting by one of the project’s founders, a hacker going by the name of “LMH.” That posting can be found here.

The software users server-side scripting technology to create new versions of the exploit code, which then get delivered to browser users when they visit the attacker’s Web site. By making a number of cosmetic changes to the code that do not affect its functionality, VoMM creates a new version of the malicious software that cannot be detected by “signature-based” techniques.

Signature-based antivirus products analyze known malware and then create a digital fingerprint that allows the antivirus software to identify malicious code. By adding extra components — tabs and spaces, and random comments and variable names — that are not included in known signatures, VOMM creates software that can evade detection.

The VoMM code is expected to be included in a new module for the upcoming 3.0 version of the widely used Metasploit hacking toolkit, Raff said. Metasploit developer HD Moore is also developing the VoMM software. Raff’s blog posting on the project can be found here.

Source: Infoworld

17 November 2006 | 5,763 views

w3bfukk0r 0.2 Forced Browsing Tool Released

w3bfukk0r is a forced browsing tool, it basically scans webservers (HTTP/HTTPS) for a directory by using HTTP HEAD command and brute force mechanism based on a word list. Features:

  • HTTP/HTTPS(SSL) support
  • Banner grabbing
  • User-Agent faking
  • Proxy support (HTTP/S)
  • Reports found and non-existend directories

Example output:

Note: Not all webservers are handling HTTP status codes correctly, so if the webserver doesn’t care about RFCs the report generated by w3bfukk0r may include false positives. Maybe we’ll find a good method to detect those false positives.

You can download w3bfukk0r 0.2 here:


15 November 2006 | 4,080 views

McAfee buying Tel Aviv startup Onigma for $15-25 million cash

Data security giant McAfee has bought a young Tel Aviv startup, Onigma, for somewhere between $15 million to $25 million cash, surmise hi-tech circles.

McAfee will be integrating the Onigma technology in its enterprise security solution, and will be recruiting dozens more Israeli developers for the startup, which will become a local R&D center.

Onigma was founded in December 2004 by Amir Sadeh, Ishay Green and Liad Agmon, three “graduates” of the technology division of the Israeli army intelligence forces. The company is run by Jim Penosky, who hailed from the OnDemand Partners consultancy.

The startup was devoted to a new area in data security: DLP, or Data Leakage Prevention from an enterprise servers.

Within days, the Onigma technology will be available via all McAfee outlets worldwide.

The technology enables the company to monitor all its workers and ensure they do not send confidential information beyond the enterprise boundaries, whether via Internet or external memory storage devices.

Among the company’s investors are the founders of Excellence-Nessuah, Gil Deutsch and Roni Biran.

Via e-mail from Raphael Fogel

15 November 2006 | 18,650 views

Windows XP ToolBox

This a very old article based on my tiny document “WinDOS tools” which was for a short while on Blackcode, before it was shutdown… It was an article to impres my friends, but found some usefull stuff two when writing it… so let’s take a look at some “hidden” Windows XP programs…

MAC Address (getmac)
It seems that Windows has a miny tool usefull in finding out our mac address… So type getmac and your MAC(‘s) address(es) will appear in the console.

Net BIOS Status (Nbtstat)
Another information tool, probably you have heard about it when reading some old documentation about Windows hacking… For it to work there should be installed the NetBeUI protocol, type nbtstat to get the full cmd line parameters.

CAB Packer (makecab, extrac32)
Theres a small packing tool available under Windows, by the help of which you can compress any files, giving more often a better compresion… here is an example how to use this functionality:

makecab file.exe
extrac32 file.ex_

Not much to say about this program, because many of you have heard about it, just type it in the console and get all available options.

Windows has a simple file transfer protocol client, for those of you who don’t have installed Windows Commander, or work remotely on a computer and can not use your browser to download the file on the specific host.

Message (msg)
It does what is supposed to do, it sends messages to the specific host on your network, but there could be some configurations on your network which wouldn’t allow you to do it… anyway here is an example of use:

msg username-of-targeted-host /SERVER:hostname and here your message

If you are in a local network on which you often copy files from other shared folders on your network, than this will prove for you to be a big relief, because this way you could shortcut all the shares for faster access…

C:\>net view \\hostname

Shared resources at \\hostname

Share name Type Used as Comment

C:\>net use Z: \\hostname\DOWNLOAD

--if no error then from this point you can access the share the following way:


Network status (netstat)
If you don’t have a firewall, or you just want to see all your network connections currently in use of listening, then you the command netstat (-a) and will print you all the info mentioned above.

Path Ping (pathping)
This little program is a hybrid between traceroute and ping, so as you might have guessed it not only pings the specific host, but also shows the route the data packet uses to reach it’s destination.

Remote TaskKill (tskill)
Yes you can kill processes on your network, only if the network is not well configured (seen it a couple of times). By this you could shutdown an antivirus program, a firewall, the explorer process (this sometimes may crash Windows), or any other program run by the specific hostname. The command is tskill, for example you could do something like this (which would close Internet Explorer):

tskill iexplore /server:target-hostname /a /v

I mention this one because you do not have always to download PuTTY, just for a telnet/irc/smtp/etc. connection, you could use the Windows incorpored telnet program; of course is not as good as PuTTY, but it will do…

There is no conclusion, this was a time passing article (I was bored at my Informatix class, so I wrote this one)… maybe some of you will apreciate it, while other will not…

14 November 2006 | 22,764 views

Installing Nessus on Debian-based OSs like Ubuntu

With this simple tutorial I will explain how to install Nessus client (nessus) and Nessus Daemon (nessusd) and properly register it, so you don’t end up with the limitations of a non-registered version of the vulnerability scanner.


I personally use apt-, however, you may choose any other package manager.

apt-get install nessus nessusd -y

This will install the nessus client and server, and the -y is used to answer YES to the confirmation of apt-get.

We have now installed both the client and the server. Let’s proceed to the addition of a user:



gouki@8104:~$ sudo nessus-adduser
Using /var/tmp as a temporary file holder

Add a new nessusd user

Login : darknet
Authentication (pass/cert) [pass] :
Login password :
Login password (again) :

User rules
nessusd has a rules system which allows you to restrict the hosts
that darknet has the right to test. For instance, you may want
him to be able to scan his own host only.

Please see the nessus-adduser(8) man page for the rules syntax

Enter the rules for this user, and hit ctrl-D once you are done :
(the user can have an empty rules set)

Login : darknet
Password : ***********
DN :
Rules :

Is that ok ? (y/n) [y] y
user added.

About this display:

When asked about Authentication (pass/cert) [pass] : just press enter, as we will not use any.
When asked about rules for the specific user, press CTRL+D, as we will not enter any rules for the user.

Starting the Daemon:

By default, nessusd has not started. To manully force him to, you will need to do the following:

sudo /etc/init.d/nessusd start

Registering Nessus:

Nessus will work without being registered, however, it will have limitations. Unnecessary limitations, since it is easily registered.

Nessus Registration page - Go here and start the proccess.

After you have entered your e-mail address, the instructions on how to register will not work on Debian-based OSs.

On the eMail from the Nessus team, you will be instructed to this path: /opt/nessus/bin/nessus-fetch, however, the path should be replaced by /usr/bin, making the complete registration command: sudo /usr/bin/nessus-fetch --register XXXX-XXXX-XXXX-XXXX-XXXX

You should now have a complete and working installation of Nessus. Enjoy and remember, automatic scanners are not 1337! =)

TIP: Before starting to use Nessus, update the plugins by doing the following:

sudo nessus-update-plugins

13 November 2006 | 8,449 views

MySpace Paedo Caught by PERL Script

Now for once, this is a really neat use of technology, someone using their brains and a suitable tech to solve a problem that is very apparent.

PERL may be frowned upon by some as being old or outdated, but seriously for parsing data, pattern matching and trawling, it’s still excellent and you can get a program up and running very fast, especially with the CPAN module system.

he computer crimes unit of New York’s Suffolk County Police Department sits in a gloomy government office canopied by water-stained ceiling tiles and stuffed with battered Dell desktops. A mix of file folders, notes, mug shots and printouts form a loose topsoil on the desks, which jostle shoulder-to-shoulder for space on the scuffed and dented floor.

I’ve been invited here to witness the endgame of a police investigation that grew from 1,000 lines of computer code I wrote and executed some five months earlier. The automated script searched MySpace’s 100 million-plus profiles for registered sex offenders — and soon found one that was back on the prowl for seriously underage boys.

Of course some manual monkey work still needed to be done to verify any profiles, but still from 100 million down to a handful, pretty neat eh?

The code swept in a vast number of false or unverifiable matches. Working part time for several months, I sifted the data and manually compared photographs, ages and other data, until enhanced privacy features MySpace launched in June began frustrating the analysis.

Excluding a handful of obvious fakes, I confirmed 744 sex offenders with MySpace profiles, after an examination of about a third of the data. Of those, 497 are registered for sex crimes against children. In this group, six of them are listed as repeat offenders, though Lubrano’s previous convictions were not in the registry, so this number may be low. At least 243 of the 497 have convictions in 2000 or later.

I for one am impressed.

Source: Wired

11 November 2006 | 32,098 views

Medusa Fast Parallel Password Cracker 1.3 Released

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application:

  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

Version 1.3 of Medusa is now available for public download.

Medusa currently has modules supporting: CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare), PcAnywhere, POP3, PostgreSQL, rexec, rlogin, rsh, SMB, SMTP (VRFY), SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC, and a generic wrapper module.

While Medusa was designed to serve the same purpose as THC-Hydra, there are several significant differences. For a brief comparison you can see here.

This release fixes several autoconf issues and a number of minor bugs.

You can find the Medusa homepage here and download Medusa here:

Medusa 1.3

Medusa was developed on Gentoo Linux and FreeBSD. Some limited testing has been done on other platforms/distributions (OpenBSD, Debian, Ubuntu, Darwin, Solaris).