Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

13 September 2006 | 19,578 views

Using the capture command in a Cisco Systems PIX firewall.

Check Your Web Security with Acunetix

This is an excellent article you might find useful covering the use of the capture command in Cisco PIX firewalls.

A vital tool to use when troubleshooting computer networking problems and monitoring computer networks is a packet sniffer. That being said, one of the best methods to use when troubleshooting connection problems or monitoring suspicious network activity in a Cisco Systems PIX firewall is by using the capture command. Many times Cisco TAC will request captures from a PIX in PCAP format for open problem tickets associated with unusual problems or activity associated with the PIX and the network.

Cisco kit can be a bit daunting for a newcomer, but very well featured, it’s important to learn what your PIX can do!

The capture command was first introduced to the PIX OS in version 6.2 and has the ability to capture all data that passes through the PIX device. You can use access-lists to specify the type of traffic that you wish to capture, along with the source and destination addresses and ports. Multiple capture statements can be used to attach the capture command to multiple interfaces. You can even copy the raw header and hexadecimal data in PCAP format to a tftp server and open it with TCPDUMP or Ethereal.

NOTE: You must be in privileged mode to invoke the capture command.

Full article here.

Advertisements



12 September 2006 | 13,399 views

Moving Ahead in the War Against Botnets

This effort started quite a long time ago, I was just checking up to see how they were getting on, but there’s not much news of their progress.

perating under the theory that if you kill the head, the body will follow, a group of high-profile security researchers is ramping up efforts to find and disable the command-and-control infrastructure that powers millions of zombie drone machines, or bots, hijacked by malicious hackers.

The idea is to open up a new reporting mechanism for ISPs and IT administrators to report botnet activity, especially the C&C (command-and-control) system that remotely sends instructions to botnets.

A botnet, which is short for “robot network,” is a collection of broadband-enabled computers that have been commandeered by hackers for use in spam runs, distributed denial-of-service attacks or malware installation.

Botnets are often used in script kiddy DDoS wars or more commonly nowadays for Eastern block extortion scandals. “Pay us $xxxx or we will take down your site” this of course is especially effective against sites such as online Casinos which do their business solely through their websites.

Evron, who serves as the Israeli CERT manager and is a leader in many global Internet security efforts, said the group includes representatives from anti-virus vendors, ISPs, law enforcement, educational institutions and dynamic DNS providers internationally.

Over the last year, the group has done its work quietly on closed, invite-only mailing lists. Now, Evron has launched a public, open mailing list to enlist the general public to help report botnet C&C servers.

The new mailing list will serve as a place to discuss detection techniques, report botnets, pass information to the relevant private groups and automatically notify the relevant ISPs of command-and-control sightings.

It is true hackers code for cash nowdays, not for anarchy or chaos, money can be made being an online hitman and extortion has moved from physical beatings to online terrorism.

Websense’s Hubbard agrees there’s no silver bullet to solve the problem. “We’re seeing a major crossover,” he said. “Bots are now coming with keyloggers. We’re seeing botnets being used in conjunction with phishing attacks. The effort has to get buy-in from everyone, including law enforcement authorities, ISPs, dynamic DNS providers and the general public.

“I don’t think we’ll ever shut down botnets. The problem is just going to change with time,” Hubbard added. “The techniques are becoming better and more sophisticated as we come out with new defense techniques. We’re just trying to slow them down, really.”

I do agree, but it’s good to see efforts being made, the main counter of course is always education, remove the ignorance of PC owners and OS developers and there will be no botnets any more..but well that would be an ideal world wouldn’t it?

Botnets mailing list

Darknet also reported on Shadowserver Battling the Botnets.

Source: Eweek


11 September 2006 | 70,305 views

LCP – A Good FREE Alternative to L0phtcrack (LC5)

Since Symantec stopped development of L0phtcrack many people have been looking for alternatives.

So don’t forget..

Jack the Ripper is still king
Medusa is good
Ophcrack for Rainbow Tables

And now one more, introducting LCP, which we have talked about before in the article Password Cracking with Rainbowcrack and Rainbow Tables.

LCP is freeware!

The main purpose of LCP program is user account passwords auditing and recovery in Windows NT/2000/XP/2003. General features of this product:

Accounts information import:

  • import from local computer;
  • import from remote computer;
  • import from SAM file;
  • import from .LC file;
  • import from .LCS file;
  • import from PwDump file;
  • import from Sniff file;

Passwords recovery:

  • dictionary attack;
  • hybrid of dictionary and brute force attacks;
  • brute force attack;

Brute force session distribution:

  • sessions distribution;
  • sessions combining;

Hashes computing:

  • LM and NT hashes computing by password;
  • LM and NT response computing by password and server challenge.

You can download LCP here.


10 September 2006 | 4,825 views

What Responsibility do Anti-Spyware Researchers Have?

Ethical debates are always interesting, and people have gotten in trouble lately for reverse engineering and various other branches of research.

This is a fairly old topic, but as I’m clearing out some old drafts, I still find it an interesting one.

There’s been an ongoing debate in security circles concerning how security researchers should disclose vulnerabilities for a long time, Darknet is of course in the Full Disclosure school of thinking. The common viewpoint is that the researchers should disclose the vulnerabilities to the company, giving them some time to fix the problem.

Typically, however, if nothing is done to fix the vulnerability, then researchers eventually will disclose it publicly. That’s where a lot of the conflict occurs, and there are even some questionable laws that might get you in trouble for publicly discussing a vulnerability. However, does this apply to spyware research as well?

The main question is, should the vulnerabilities ever be posted publically? I of course say yes, as if I’m using that software, I have the right to know there’s something wrong with it and take remedial measures, even if there’s no patch (that’s the beauty of open source, you can patch it yourself!).

There was a lot of conversation during the 180solution period about responsible disclosure and disclosing the affiliates used to install spyware, someone 180 always manage to spin it into a self-serving press release about how they triumphed over evil.

Ah ethics, always an interesting topic.

The whole thing became a virtual war between a high profile security researcher and the spammy 180solution folks.

The sniping between a controversial adware company and a prominent anti-spyware researcher continued Thursday as 180solutions defended its practices and called critic Ben Edelman “irresponsible.”

Earlier this week, Bellevue, Wash.-based 180 solutions, which distributes software that delivers ads to users’ computers, blasted Edelman, a Harvard researcher, for improperly disclosing a hack into the company’s installation software. Last week, Edelman had posted an analysis of an illegal download of 180’s Zango software by an affiliate Web site of 180’s advertising network.

You can read more here.


07 September 2006 | 125,224 views

Hacking Still Can’t Outdo Stupidity for Data Leaks

Can you believe this the provincial government in British Columbia has managed to auction off a set of data tapes containing people’s social insurance numbers, dates of birth and medical records among other information.

The provincial government has auctioned off computer tapes containing thousands of highly sensitive records, including information about people’s medical conditions, their social insurance numbers and their dates of birth.

Sold for $300 along with various other pieces of equipment, the 41 high-capacity data tapes were auctioned in mid-2005 at a site in Surrey that routinely sells government surplus items to the public.

Included among the files were records showing certain people’s medical status — including whether they have a mental illness, HIV or a substance-abuse problem — details of applications for social assistance, and whether or not people are fit to work.

Stupidity knows no bounds really. Do people not understand SENSITIVE, or CONFIDENTIAL or PRIVATE?

In an interview Friday afternoon, Labour Minister Mike de Jong, whose ministry oversees the auction process, said he has ordered an immediate investigation to determine how the breach took place.

“It is completely unacceptable for information like this to be unsecured in the way this clearly is,” he said.

“People deserve to know [this] type of information . . . is secure and kept private,” he added, offering an apology. “I can think of no excuse for information of this sort finding its way into the public domain.”

Well yes I totally agree. And well..this is not the first time is it? And I’m damn sure it wont be the last.

Source: Canada.com

*Clearing out some old articles*


06 September 2006 | 1,188,511 views

Brutus Password Cracker – Download brutus-aet2.zip AET2

If you don’t know, Brutus is one of the fastest, most flexible remote password crackers you can get your hands on – it’s also free. It is available for Windows 9x, NT and 2000, there is no UN*X version available although it is a possibility at some point in the future. Brutus was first made publicly available in October 1998 and since that time there have been at least 70,000 downloads and over 175,000 visitors to this page. Development continues so new releases will be available in the near future.

Download brutus-aet2.zip

Brutus was written originally to help me check routers etc. for default and common passwords.

Features

Brutus version AET2 is the current release and includes the following authentication types :

  • HTTP (Basic Authentication)
  • HTTP (HTML Form/CGI)
  • POP3
  • FTP
  • SMB
  • Telnet

Other types such as IMAP, NNTP, NetBus etc are freely downloadable from this site and simply imported into your copy of Brutus. You can create your own types or use other peoples.

The current release includes the following functionality :

  • Multi-stage authentication engine
  • 60 simultaneous target connections
  • No username, single username and multiple username modes
  • Password list, combo (user/password) list and configurable brute force modes
  • Highly customisable authentication sequences
  • Load and resume position
  • Import and Export custom authentication types as BAD files seamlessly
  • SOCKS proxy support for all authentication types
  • User and password list generation and manipulation functionality
  • HTML Form interpretation for HTML Form/CGI authentication types
  • Error handling and recovery capability inc. resume after crash/failure.

You can download brutus-aet2.zip here (the password is darknet123):

Brutus AET2


06 September 2006 | 5,879 views

Charity Computers May Fuel Malware Wars

Sometimes doing good can help bad things propagate, sometimes it’s good to consider the big picture and the repercussions of your charitable actions.

This is a case where such logic rings true.

Programs to send PCs to third world countries might inadvertently fuel the development of malware for hire scams, an anti-virus guru warns.

Eugene Kaspersky, head of anti-virus research at Kaspersky Labs, cautions that developing nations have become leading centres for virus development. Sending cheap PCs to countries with active virus writing cliques might therefore have unintended negative consequences, he suggests.

“A particular cause for concern is programs which advocate ‘cheap computers for poor third world countries’,” Kaspersky writes. “These further encourage criminal activity on the internet. Statistics on the number of malicious programs originating from specific countries confirm this: the world leader in virus writing is China, followed by Latin America, with Russia and Eastern European countries not far behind.”

It has to be considered I guess, but this shouldn’t be a reason to NOT give them computers, IMHO anyway.

But what about all the positive uses in education, for example, possible through the use of second-hand PCs in developing nations? We reckon these more than outweigh the possible misuse of some computers at the fringes of such programs.

We wanted to quiz Kaspersky more closely on his comments but he wasn’t available to speak to us at the time of going to press.

I say let’s do the best we can, and take the bad guys out as we go along.

Source: The Register


05 September 2006 | 32,384 views

The Top 10 PHP Security Vulnerabilities from OWASP

This is a useful article that has basically taken the OWASP Top 10 Vulnerabilities and remapped them to PHP with actual examples.

The Open Web Application Security Project released a helpful document that lists what they think are the top ten security vulnerabilities in web applications.

These vulnerabilities can, of course, exist in PHP applications. Here are some tips on how to avoid them. I’ve included related links and references where relevant.

You can download the detailed OWASP Top 10 Vulnerabilities here.

You can find PHP and the OWASP Top Ten Security Vulnerabilities here.


04 September 2006 | 309,666 views

Web Based E-mail (Hotmail Yahoo Gmail) Hack/Hacking with JavaScript

“pleez, pleez, PLEEZ teach me how to hack a Hotmail Account!!!”
-unidentified IRC user

From here on in you walk alone. Neither little_v OR Black Sun Research Facility AND its members will be responsible for what you do with the information presented here. Do not use this information to impress your “l33t0_b0rit0″ friends. Do not operate in shower. Objects in article may be closer than they appear.

Note: If you see (x), where x is a number, it means that this term is defined at (x) at the bottom of this article.

Intro

The purpose of this article is NOT, I repeat, NOT to teach someone how to “hack an email account”. It’s true purpose is actually MUCH more devious. The purpose of this and all other articles in the “An Exploit Explained: ” series is to teach readers about various web technologies, and the basics of security and exploiting. I will try to give you a hands-on, learn as you go type of education in computer security. Sound good??? Then let’s get in to it!!

Preface

On Wednesday, Sept. 22 1999, yet another bleary day in the life of little v, the following message was sent to my inbox:

Ok, don’t puke, I’m going to explain what just happened in a fashion that even your dog can understand.

What is this all about?

This important part of this posting to the Bugtraq(1) (http://www.securityfocus.com) mailing list is the actual exploit(2).
The exploit would be:

<IMG SRC=”javasCript:alert(‘JavaScript is
executed’);a=window.open(document.links[2]);setTimeout(‘alert(\’The
first message in your Inbox is from :
\’+a.document.links[26].text)’,20000)”>

What does it do?

As this exploit, when put into an email message sent to a hotmail user, opens a little box using the “alert()”(3) function in javascript(4), and is also supposed to read who the first message in your inbox is from. However, this code does not work on its own. You see, the email also says that you need to use the ASCII(5) code for “C” in the message. If I get out my handy HTML reference book, I can see that the ASCII code is C. If we substitute this into our little exploit, minus the “read who the first message in your inbox” part, we get this:

<IMG SRC=”javasCript:alert(‘JavaScript is executed’)”>

How does it work?

Finding out how an exploit works is always the part that makes people a bit spindizzy. If we look at that gibberish we call code one more time we can see that it uses an <IMG> tag, which all you who took my HTML tutorial would know is to display an image onto the page. Because hotmail tries to be the “top dog” webmail provider, they allow you to set autoloading of images, so the image just shows up on the same page as the mail. When you open a new hotmail account, this option is already set (hurray!). The conflict happens because your normal browser allows you to put javascript tags into your IMG tags. Because JavaScript is a strong little language, and allows just about full control over someone’s browser, if the conditions are right. Naturally, people like you and me started exploiting hotmail’s allowing of javascript. Soon, the <SCRIPT> tag (the normal way to add javascript to a page) was banned from use in hotmail messages by way of filtering(6) (boo! hiss!). So normal guys like you and me had to “inject”, or put into other html tags, our javascript exploits. The IMG tag is perfect for this, when combined with it’s autoloading capabilities. This discovery led to the filtering, yet again, of javascript injected into IMG tags. Of course, hackers ALWAYS find a way, and today we combine IMG-injecting with ASCII tags to give you the current exploit.

What else can I do with this hole in Hotmail’s Security?

As is the case with many exploits, the sky is the limit. If you know javascript, you can pretty much have a field day with this exploit. If you don’t, here’s a few more snippets of code to get you started:

This code opens a window with Darknet’s main page in it when the hotmail user opens your mail:

<IMG SRC=”javasCript:window.open(‘http:://www.darknet.org.uk’)”>

Note that the above code could point to any page at all (even one that simulates hotmail’s “you have been logged out” screen. *wink* *wink* HINT HINT ;-) )

This code opens 100 windows with Darknet’s main page in it (tee hee! self promotion is good!):

<IMG SRC=”javasCript:for(var i = 0; i < 100; i++) window.open(‘http:://www.darknet.org.uk’);”>

The rest is up to you, my friend. By the way, if Hotmail finds a way to make this exploit null and void, please don’t mail me, as I probably already know. Just keep looking for the next big exploit, and then when you’ve found it, you may tell me.

Terms Defined

(1) Bugtraq – A mailing list where people publicize holes and exploits in various softwares. I highly suggest that you subscribe at http://www.securityfocus.com.
(2) Exploit – Webster’s dictionary sez: ” exploit (eks’ploit’) – an act remarkable for brilliance or daring; bold deed”. Wow. Think of that the next time you steal someone’s ICQ password.
(3) alert() function – A function built into the Javascript language that brings up a rectangle box with the message passed to the alert() function in it. Note: alert(‘message goes here’)
(4) Javascript – A scripting language built into most popular browsers that gives much greater control over web page content than HTML alone (chicks dig pages with javascript 2 to 1 over standard HTML!).
(5) ASCII – A standard for characters on and beyond the normal keyboard.
(6) Filtering – A way to ‘catch and detain’ certain text or commands. Hotmail, for example, filters for the “javascript” text.

Some URLs

(1) http://www.htmlgoodies.com – they have some javascript tutorials if you wanna learn javascript.
(2) http://come.to/the-lamer – they have some fake hotmail pages that will make you think you were logged out for some reason and ask you to input your password. They also have some tutorials on how to use these pages, etc’ etc’ etc’.

From Blacksun – Updated by Darknet


04 September 2006 | 47,066 views

Teen Data Exposed on Myspace

Ah another flaw in Myspace, this time it’s quite dangerous exposing the details of teenagers.

A security hole in the popular MySpace social networking site allowed users to view entries marked “private”, a crucial protection for users aged under 16, according to weekend reports.

Though the site is said to have fixed the problem, it was said by news reports to have been active for months. Nobody at MySpace was immediately available for comment.

The explosion of social networking sites has caused significant worry for parents and politicians over how to protect children from sexual advances over websites. The amount of information that young people reveal about themselves coupled with the opportunities for deception by sexual predators has led to concerns that the sites can be dangerous.

Normal for Myspace, things don’t get fixed for a LONG time.

“In the UK, the vulnerabilities alleged could amount to a breach of the Data Protection Act,” said Struan Robertson, editor of OUT-LAW.COM and a technology lawyer with Pinsent Masons.

The Data Protection Act says “appropriate technical and organisational measures” must be taken to prevent unauthorised access to personal data held by organisations.

“For any site, the technical measures that are appropriate will vary depending on the type of data held and the harm that might result from a security breach,” Robertson said. “There is best practice guidance in the UK for sites used by children and, if the allegations are true, it may be that MySpace fell short of the standard expected.”

This basically means anyone in the UK who got ‘hacked’ in this way is legally able to sue!

Source: The Register