Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

10 August 2006 | 4,556 views

OWASP – Fortify Bug Taxonomy

Don't let a Dragon into your website!

Ah at last a good solid collaborative effort to identify and categorise software vulnerabilities with a solid taxonomy and good organisation!

It seems very well written too in terms that anyone familiar with software development or programming can understand.

Fortify Software, which identifies and remediates software vulnerabilities, has contributed its collection of 115 types of software security errors to the Open Web Application Security Project (OWASP), a six-year old non-profit with almost 5,000 members whose “mission is to find and fight the causes of insecure software.”

The work will become part of OWASP’s Honeycomb Project.

This is a very good thing.

The OWASP Honeycomb project.

In the Honeycomb project, OWASP is assembling the most comprehensive and integrated guide ever attempted to the fundamental building blocks of application security (principles, threats, attacks, vulnerabilities, and countermeasures) through collaborative community efforts.

You can find the taxonomy itself here:

The Fortify Taxonomy of Software Security Errors

This site presents a taxonomy of software security errors developed by the Fortify Software Security Research Group together with Dr. Gary McGraw. Each vulnerability category is accompanied by a detailed description of the issue with references to original sources, and code excerpts, where applicable, to better illustrate the problem.

Source: Zdnet Blog

Advertisements



08 August 2006 | 5,076 views

Cyberwar Efforts Step-Up – NASA Sites Hacked

Ah cyberwar, cyber terrorism, efforts are ramping up, more sites are going down.

The war in Lebanon is now showing its consequences in the digital world and a huge number of websites has been attacked and defaced as a protest against the invasion of Lebanon by Israel.

Today two NASA websites were attacked as well. The intrusion was carried out by the Chilean group of crackers known as Byond Hackers Crew through a leak in the SQL Injection they entered the system and subtracted user names, passwords and e-mails from the NASA web server.

Seems like a pretty straight forward attack..but a high profile government site being prone to SQL injection that allow admin escalation?

That’s pretty bad..

After that these information had been stolen, they managed in entering the administrative area by using an administrator user ID and password , and finally they made the defacement replacing the homepage with their message.

This group goes with the others that in last days carried out attacks against governmental and commercial websites both from America and Israel, whereas other blackhat groups attacked Israeli websites provoking a denial of service (DDoS) of that particular webpage.

Let’s hope things don’t boil over to attacking powerstations or anything that will cause collateral damage.

Source: Zone-H


07 August 2006 | 11,725 views

Wapiti – Web Application Scanner / Black-box testing

Wapiti allows you to audit the security of your web applications.

It performs “black-box” scans, i.e. it does not study the source code of the application but will scans the webpages of the deployed webapp, looking for scripts and forms where it can inject data.

Once it gets this list, Wapiti acts like a fuzzer, injecting payloads to see if a script is vulnerable.

Wapiti can detect the following vulnerabilities :

  • File Handling Errors (Local and remote include/require, fopen, readfile…)
  • Database Injection (PHP/JSP/ASP SQL Injections and XPath Injections)
  • XSS (Cross Site Scripting) Injection
  • LDAP Injection
  • Command Execution detection (eval(), system(), passtru()…)
  • CRLF Injection (HTTP Response Splitting, session fixation…)

Wapiti is able to differentiate ponctual and permanent XSS vulnerabilities. Wapiti prints a warning everytime it founds a script allowing HTTP uploads. A warning is also issued when a HTTP 500 code is returned (useful for ASP/IIS). Wapiti does not rely on a vulnerability database like Nikto do. Wapiti aims to discover unknown vulnerabilities in web applications. It does not provide a GUI for the moment and you must use it from a terminal.

Efficiency

Wapiti is developed in Python and use a Python library I made called lswww. This web spider library does the most of the work.
Unfortunately, the html parsers module within Python only works with well formated html pages so lswww fails to extract informations from bad-coded webpages.

You can read more here:

Wapiti


04 August 2006 | 4,798 views

419 Scammers Duplicate Interpol Site

Scammers are getting more inventive and so it seems more technically advanced. They have actually duplicated the Interpol site to dupe people.

419 advanced fee scammers have created an exact copy of the Interpol website, which is expected to be used to dupe victims into believing they are dealing with the real International Criminal Police Organisation.

A spokesman for Ultrascan Advanced Global Investigations, a Netherlands-based firm which has been studying 419 matters since the mid 90s, says Interpolglobal is “the best scam site we’ve seen so far. They’ve totally looted the original Interpol site, by taking 200 megabytes or so of content and copied it to a remote server”.

They have totally ripped it.

The fake site is http://www.interpolglobal.com/

The website – registered last December by “Interpol” based in “London, Beijing, GB” – went up last week, but removing it won’t be easy as it is running from a server in China.

“419 scammers now include people with PhDs, well capable of creating good looking websites and running them from bullet proof servers,” says Frank Engelsman of Ultrascan.

The real Interpol has already responded to the new site.

“Interpol would like to draw your attention to a series of recent email scams sent to members of the public using the Interpol name,” the organisation warns.

Interesting stuff.

Source: The Register


03 August 2006 | 4,472 views

eEye Duster – Dead/Uninitialized Stack Eraser

Duster is the Dead/Uninitialized Stack Eraser, an injectable DLL that causes uninitialized stack and heap memory in its host process to be wiped over with a specific value. It is intended as a crude tool to assist in the run-time discovery of uninitialized memory usage problems by increasing the chances that the host process will raise an exception when a value in uninitialized memory is used. To use Duster, just inject it into the target process (using the DLLInject utility), or add it to AppInit_DLLs (possible but not recommended).

Duster is a quick and dirty implementation of its concept, and as such, it has a number of limitations:

Stack wiping is accomplished by overwriting all memory between the stack commit “ceiling” and ESP, whenever RtlAllocateHeap, RtlReAllocateHeap, or RtlFreeHeap is called, an exception occurs, or a system call is dispatched, which seriously limits the execution flow “granularity” with which stack wiping occurs. Additionally, system call dispatch hooking is accomplished by replacing specific “INT 2Eh” or “MOV EDX, 7FFE0300h” instructions, the first of which currently relies upon a two-byte privileged instruction which is handled specially by the exception handler hook, resulting in some overhead but mostly making it difficult to use a debugger in conjunction with Duster on Windows 2000.

Heap wiping, in addition to a limited amount of heap and argument validation, is performed whenever a heap block is allocated or freed. This is roughly a subset of the functionality provided by the Windows heap manager in debug mode, with the most significant deficiency on Duster’s part being that it does not wipe memory following a call to RtlReAllocateHeap.

You can download here:

Duster


02 August 2006 | 7,095 views

eEye Binary Diffing Suite (EBDS)

The eEye Binary Diffing Suite (EBDS) is a free and open source set of utilities for performing automated binary differential analysis. This becomes very useful for reverse engineering patches as well as program updates.

The first tool is BDS, the Binary Diffing Starter from Andre Derek Protas. This tool helps reverse engineers with batch-analysis of patches by dispatching IDA with its many powerful plugins against groups of binaries. This especially comes in useful for Update Rollups or Service Packs, where automation is necessary to be able to reverse engineer the updates in a reasonable amount of time.

The second tool is DarunGrim, a code-analysis tool to actually find the distinct code-changes between two binaries. In Korean, DarunGrim translates to “difference in picture”. DarunGrim performs multiple matching techniques against functions in order to find function pairs and analyze the differences/similarities between the functions.

This allows reverse engineers to pinpoint code changes between two binaries with a graphical interface, much more rapid than “side-by-side” disassembly instances. Much like most powerful disassembly tools, DarunGrim is also using the power of IDA Pro for analysis.

You can download it here:

EBDS v1.0.1

More info here, IDA.


02 August 2006 | 14,341 views

Firefox Extension Spyware – FormSpy

The antivirus specialists at McAfee have warned of a Trojan that disguises itself as a Firefox extension. The trojan installs itself as a Firefox extension, presenting itself as a legitimate existing extension called numberedlinks.

It then begins intercepting passwords and credit card numbers entered into the browser, which it then sends to an external server. The most dangerous part of the issue is that it records itself directly into the Firefox configuration data, avoiding the regular installation and confirmation process.

The file attached to the email consists of an executable Windows program, the AXM downloader. Once launched, it fetches the extension from the Internet and records itself directly into the Firefox configuration data, avoiding the regular installation process. Firefox extensions are normally distributed as XPI files, which ask the user for confirmation after forcing a pause of several seconds.

You should be extremely careful when installing unsigned Firefox extensions from unknown sources.

Websites were found to be linking to the FormSpy website hosted at IP address 81.95.xx.xx and installing FormSpy using an old VBS/Psyme exploit targeting Internet Explorer. These websites are believed to have been penetrated and modified by hackers

You can read the McAfee info on Formspy here.

Source: Heise Security


01 August 2006 | 12,010 views

Israeli Hackers Join the War Against Palestinian Sites

Israeli hackers have decided to ‘help’ and join the war against Palestine.

The hackers group that calls itself “IDF” (which also means Israeli Defence Force) has hacked dozens of sites, erased the site content and replaced it the index with a picture of the Lebanon destruction that is made by Israeli Defence Force as an answer for the Palestinian terror in the past few days.

Above the picture they left a text saying “You touch Israel, We touch you”

Israel Hack

All Your Middle East Are Belong To US?

Source: http://livewavecam.com/hackedsited.htm


01 August 2006 | 14,020 views

SpikeSource Spike PHP Security Audit Tool

Spike is an Open Source tool based on the popular RATS C based auditing tool implemented for PHP.

The tool Spike basically does static analysis of php code for security exploits, PHP5 and call-time pass-by-reference are currently required, but a PHP4 version is coming out this week.

This tool is especially welcomed by Darknet as there aren’t many static analysis tools out there that are free, and there are very few tools for auditing PHP code..which as we all known tends to be coded quite insecurely at times (just look at phpBB and PhpNUKE).

You can find the latest version here:

Spike PHP Audit Tool


31 July 2006 | 6,409 views

WordPress 2.0.4 Released – Fixes Security Issues

Just to let you all know, if you are using WordPress you can upgrade today.

The latest stable release of WordPress (Version 2.0.4) is available.

his release contains several important security fixes, so it’s highly recommended for all users. We’ve also rolled in a number of bug fixes (over 50!), so it’s a pretty solid release across the board.

Also fixes for the serious SQL vulnerabilities that led to several WordPress sites being hacked.

Upgrading is fairly simple, just overwrite your old files with the latest from the download. If you’d like more thorough instructions, the Codex is always the best spot.

Since this is a security release, if you have any friends with blogs make sure to remind them to upgrade and lend a hand if they’re not too savvy. We’re all in this together.

As we reported here at Darknet, there was some serious security issues in 2.0.3 and below so it’s recommended you upgrade immediately.