Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

26 September 2006 | 9,371 views

Nerdcore Hits the Streets – Geek Music for the Masses

Cyber Raptors Hunting Your Data?

Something a little off-topic for once, nerdcore is getting big!

Geek music is hitting the streets.

Gangsta is dead. Grime is a bore. There’s a new beat on the street and it’s called Nerdcore. This geeky hip hop subgenre, also dubbed CS rap (that’s computer science, yo!), is finally booting up with the release of Rhyme Torrents, a compilation featuring the work of more than 50 men and even a few ladies who bust rhymes (and C++ code). The collection is free online, so none of the artists make bank.

Check it out yo!

Like all true playa MCs, they did it for the street cred. Of course, in the CS rap arena that means a Wikipedia entry, and you can’t get one of those without an official album release. Here are a few of the overclocked hustlas you can find at nerdcorehiphop.org.

What are you waiting for, head to http://www.bedoper.com/nerdcore/ and grab some geeksta rap tunes now!

Source: Wired


25 September 2006 | 17,335 views

FIS [File Inclusion Scanner] v0.1 – PHP Vulnerability

A useful tool for anyone working with PHP applications.

FIS (File Inclusion Scanner) is a vulnerability scanner for PHP applications. Is scans PHP files mapping PHP/HTTP variables and then performs a security audit,in order to find out which of them are exploitable.

php fis.php [local file] [remote file] [remote FIS ID file]

[local file]
The local copy of the PHP source file used by FIS to map the variables for the audit.

[remote file]
The remote copy of the source executed by a remote webserver, the file we will audit.

[remote FIS ID file]
The FIS ID file is used to check whether a variable is exploitable or not. It contains PHP code that simply echoes a unique MD5 hash used for identification.

FIS is intended to be used by penetration testers, not script kidies nor malicious users. It creates a lot of noise on the remote host and can be easily discovered with a simple glance at
the webserver logs, which makes it useless as a cracking tool.

FIS, currently, supports audits using only GET requests. COOKIE & POST support is not yet implemented.

FIS automatically logs extra audit information in “fis.log” in the working directory.

FIS Website

You can download FIS directly here.

24 September 2006 | 6,601 views

Most Damaging Computer Attacks Rely on Stolen Logins

A sterling case for two factor authentication if I ever saw one.

The rule is use two of the 3 methods of authentication, if possible use all 3.

  1. What you have (A USB key or Token)
  2. What you are (Biometrics – Fingerprint or Iris scan)
  3. What you know (A password or passphrase)

More than 8 out of every 10 computer attacks against businesses could be stopped if enterprises checked the identity of not only the user, but also the machine logging onto its network, a report released Monday claimed.

The study, conducted by a California research firm and paid for by BIOS maker Phoenix Technologies, used data from cases prosecuted by federal authorities between 1999 and 2006 to reach its conclusions.

“We wanted to get an honest viewpoint that wasn’t opinion- or survey-based,” said Dirck Schou, the senior director of security solutions at Phoenix. The problem with acquiring data on computer attacks, including the amount of damage done, is that companies are often hesitant to admit to a breach. “That’s the beauty of this [data],” said Schou. “It’s only looking at those who have actually suffered an attack.”

Their point of view is implementing checking of the physical machine, or perhaps logically checking that it should be part of the network? Some unique ID for each machine generated from hashes of the parts perhaps.

According to the report, attacks based on logging in with stolen or hijacked credentials cost businesses far more, on average, than the typical worm or virus assault. When a privileged account is penetrated by an unauthorized user, the average damage runs to $1.5 million, the report said. The average cost from a single virus attack was much smaller: under $2,400.

“Cyber criminals who accessed privileged accounts obtained IDs and passwords through many means,” the report said. “Network sniffing, use of password cracking programs, and collusion with insiders. It was also common for employees to share their IDs and passwords with coworkers who later left the organization and used that knowledge to gain access.”

All common and fairly easy methods, perhaps it’s time people really took some effort to understand information security and the issues at hand.

Source: Information Week

22 September 2006 | 5,291 views

SIFT Web Method Search Tool

SIFT has just published a world-first tool for identifying rogue web methods. The Web Method Search tool is a Windows based application that uses a hybrid dictionary attack in an attempt to find unpublished administrative and other web services functions.

As web services are becoming more prevalent, poor security practices from previous generations of application architectures are being transferred to the web service space. One of these practices is the use of ‘security through obscurity’ to hide certain web methods from users – that is, web methods exist that can be called, but that are not published in the WSDL or otherwise disclosed.

The SIFT Web Method Search tool is a dictionary attack tool that can be used to brute force the web method names for a given web service under certain circumstances. That is, SOAP requests can be submitted to a web service using probable combinations of words to allow the identification of hidden web methods not published in the corresponding WSDL document. This is possible because responses to requests for non-existent web methods and web methods that exist differ markedly under most platforms.

The tool is available for download from http://www.sift.com.au/73/171/sift-web-method-search-tool.htm

Should anyone have any questions, bug reports or other suggestions please feel free to contact us via research@sift.com.au

21 September 2006 | 6,823 views

DOE Hit By Hackers and Covered Up

Ahah! More government cover-ups? This one was a while back too.

Digging on those archives right now yah.

A hacker stole a file containing the names and Social Security numbers of 1,500 people working for the Energy Department’s nuclear weapons agency, scary eh?

The US government security really does scare me sometimes, their internal departments have some of the lowest IT security scores…there are SO many data leaks and successful hacks, I mean I appreciate they have a sprawling infrastructure which makes it hard to maintain, but please, at least try?

For example Homeland Security scored an F again for Internal Security.

And this time it was covered up..

But the incident, somewhat similar to recent problems at the Veterans Affairs Department, was last September yet senior officials were informed only two days ago, officials told a congressional hearing Friday. None of the victims was notified, they said.

The data theft occurred in a computer system at a service center belonging to the National Nuclear Security Administration in Albuquerque, New Mexico. The file contained information about contract workers throughout the agency’s nuclear weapons complex, a department spokesman said.

NNSA Administrator Linton Brooks told a House hearing that he learned of the security breach late last September, but did not inform Energy Secretary Samuel Bodman about it. It had occurred earlier that month.

It was as always blamed on ‘miscommunication’ but it’s bullshit as the people involved meet every day..

The oversight and investigations subcommittee learnt of this and launched their panel into action.

The Energy Department spends $140 million a year on cyber security, Gregory Friedman, the DOE’s inspector general, told the committee. But he said that while improvements have been made, “significant weaknesses continue to exist,” making the unclassified computer system vulnerable to hackers.

Last fall, a so-called “Red Team” of DOE computer specialists — seeking to test the security safeguards — succeeded in hacking into and gaining control of a DOE facility’s computer system, the panel was told.

“We had access to sensitive data including financial and personal data…. We basically had domain control,” said Glenn Podonsky, director of DOE’s Security and Safety Performance Assessment. “We were able to get passwords, go from one account to another.”

Perhaps they really do need some lessons?

Source: Wired

20 September 2006 | 42,663 views

Domain Stealing or How to Hijack a Domain

Please note this is an old technique again, just for learning purposes, learn how the old techniques worked and why they worked, then try and discover new ways to do things.


The sole purpose of the information contained in this advisory is to point out the flaws in InterNIC’s domain name handling system and is intended for educational use only. Since this is public knowledge, it should be also in everyone’s reach.

The technique described below involves an easy to follow procedure of stealing .com/.net/.org/.gov/.mil domain names.

This vulnerability has been publicly known for quite a while, and there are ways to prevent it. The procedure below enables an attacker to take over a domain name, enabling him or her to make the arbitrary web address (www.example.com) point to any desired web page on the Internet. This method of domain hijacking is constantly being used to hijack domain names, and to deface web sites.



Required ingredients:

  • Anonymous remailer or mail bomber that can spoof email addresses.
  • Social Engineering skills for timing the emails.
  • A fake email address at hotmail.com or any other free service.

As an example for this advisory, we will take the domain name example.org. Go to http://www.networksolutions.com and click on the link that says ‘Who Is.’ Now enter the domain name (example.org in this case) in the search field and click on the ‘Search’ button. This would show you the WhoIs information, which will be similar to the one shown below:

Now you have two choices:

1) Either you could take full control of the domain by changing the Administrator’s handle information.


2) You could simply point the domain to another host and let it recover in time by itself.


20 September 2006 | 5,137 views

China Outlaws Private E-mail Servers

Ah China, always been famous for repressing their population, now there repression is moving onto the Internet and using digital means..

Just like the so called ‘Great Firewall of China’, I’ve been meaning to do an article about that for quite some time, I have something drafted.

Anyway the latest thing China has done has made it illegal to own a private e-mail server without a ‘licence’. I guess it could be said that it’s an effort to curb spam…but..

China has introduced regulations that make it illegal to run an email server without a licence. The new rules, which came into force two weeks ago, mean that most companies running their own email servers in China are now breaking the law.

More than 600,000 servers were sold in China last year, according to market researchers. It’s unclear how many of these are running mail server software, which includes programs like Microsoft Exchange Server, Sendmail, Qmail or Lotus Notes.

They are calling it part of the anti-spam effort..

The new email licensing clause is just a small part of a new anti-spam law formulated by China’s Ministry of Information Industry (MII). The chilling effect on corporate email servers, which are commonly used by companies with more than a handful of employees, appears to have gone unnoticed until now.

However, Singapore-based technology consultant, James Seng, who first drew attention to the new email licence requirement, believes the inclusion of the prohibition on mail servers is no accident.

“Looking at the Chinese text, it is clear they have worded it carefully”, he told vnnet,”They know exactly what they are doing and what they want. So this isn’t a case of clueless civil servants screwing up or just bad translation.”

To be fair though spam originating from China has become a massive problem in the last 6-12 months, I’ve even noticed the amount of Chinese language spam increasing exponentially.

Under the new regulations, Email Service Providers must register their mail servers’ internet protocol (IP) addresses with authorities 20 days before they start operating the server. The must also keep a record of all emails sent and received for 60 days. The rules even prohibit open relays: mail servers which accept and relay email from any source without verification

The regulations also ban many of the techniques commonly used by spammers, such as hijacking servers to use as ‘zombie’ spam relays. In addition, advertisers sending unsolicited commercial mail also need to prefix the subject line with ‘Advertisement’ or ‘AD’, and comply with recipients’ requests to cease sending them unwanted email.

Perhaps in a way it might be a good thing?

Source: VNUnet

18 September 2006 | 3,858 views

Former Hacker Irks Microsoft in EU Dispute

Ah the anti-trust battle continues, good to see someone with technical skills involved, I wonder how the case is coming along, I haven’t heard about it for a while.

Again this is quite an old story.

As an expert witness on digital crime, British computer consultant Neil Barrett has helped prosecutors in the United Kingdom convict murderers and pedophiles.

Now Mr. Barrett is finding out what it’s like to be on trial, as the independent trustee and chief technical expert in the European Union’s mammoth antitrust battle with Microsoft Corp.

European Commission regulators in Brussels chose Mr. Barrett from among Microsoft’s own nominees for the job of judging whether the company is complying with a 2004 EU ruling that it help its competitors design software to mesh with its nearly ubiquitous Windows operating system. Following Mr. Barrett’s scathing assessments of Microsoft’s efforts, the European Commission threatened the company with fines that could exceed €100 million, or $120 million — prompting Microsoft to attack Mr. Barrett’s competence and to accuse him of colluding with its rivals. Regulators last week rose to Mr. Barrett’s defense.

Microsoft accusing someone else of dirty tactics and colluding with competitors? That’s a new one..

In February, Microsoft responded that Mr. Barrett was operating with a “set of basic misunderstandings” about Microsoft programming terms. In another filing to the EU this month, Microsoft accused Mr. Barrett and the regulators of “actively and secretly working with Microsoft’s adversaries.”

Emails the commission gave Microsoft show Mr. Barrett in frequent contact with regulators and Microsoft competitors, which led the company to call Mr. Barrett the “commission’s co-prosecutor.” The growing brouhaha led the normally secretive commission to release the terms of Mr. Barrett’s mandate, which says he should “play a proactive role” in monitoring Microsoft — a clause the commission says gives him freedom to confer with Microsoft rivals. Even Sun Microsystems, which usually declines to comment on the case, made an exception, calling Microsoft’s criticism of him “misplaced.”

I’ll have a Google and see what’s happening nowadays with Mr Barrett.

Source: WSJ

14 September 2006 | 16,601 views

Impressive Open Source Intrusion Prevention – HLBR

It’s good to see work on open source tools in the countermeasure department aswell as the attack and penetration arena.

It’s a shame since Snort and Nessus have gone semi-commercial.

I hope more people invest their time in good IDS, Firewall and IPS systems, I love things like IPCop and hope to see more products like HLBR.

HLBR is a brazilian project, started in november 2005, as a fork of the Hogwash project (started by Jason Larsen in 1996)

HLBR is an IPS (Intrusion Prevention System) that can filter packets directly in the layer 2 of the OSI model (so the machine doesn’t need even an IP address). Detection of malicious/anomalous traffic is done by rules based in signatures, and the user can add more rules. It is an efficient and versatile IPS, and it can even be used as bridge to honeypots and honeynets. Since it doesn’t make use of the operating system’s TCP/IP stack, it can be “invisible” to network access and attackers.

Since version 1.0, released in march 5th 2006, HLBR can use regular expressions to detect intrusion attempts, virus, worms, and phishing.

You can view the entire HLBR README file here.

Go to the HLBR Homepage for more information and downloads.

13 September 2006 | 19,579 views

Using the capture command in a Cisco Systems PIX firewall.

This is an excellent article you might find useful covering the use of the capture command in Cisco PIX firewalls.

A vital tool to use when troubleshooting computer networking problems and monitoring computer networks is a packet sniffer. That being said, one of the best methods to use when troubleshooting connection problems or monitoring suspicious network activity in a Cisco Systems PIX firewall is by using the capture command. Many times Cisco TAC will request captures from a PIX in PCAP format for open problem tickets associated with unusual problems or activity associated with the PIX and the network.

Cisco kit can be a bit daunting for a newcomer, but very well featured, it’s important to learn what your PIX can do!

The capture command was first introduced to the PIX OS in version 6.2 and has the ability to capture all data that passes through the PIX device. You can use access-lists to specify the type of traffic that you wish to capture, along with the source and destination addresses and ports. Multiple capture statements can be used to attach the capture command to multiple interfaces. You can even copy the raw header and hexadecimal data in PCAP format to a tftp server and open it with TCPDUMP or Ethereal.

NOTE: You must be in privileged mode to invoke the capture command.

Full article here.