Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

15 November 2006 | 4,080 views

McAfee buying Tel Aviv startup Onigma for $15-25 million cash

Don't let your data go over to the Dark Side!

Data security giant McAfee has bought a young Tel Aviv startup, Onigma, for somewhere between $15 million to $25 million cash, surmise hi-tech circles.

McAfee will be integrating the Onigma technology in its enterprise security solution, and will be recruiting dozens more Israeli developers for the startup, which will become a local R&D center.

Onigma was founded in December 2004 by Amir Sadeh, Ishay Green and Liad Agmon, three “graduates” of the technology division of the Israeli army intelligence forces. The company is run by Jim Penosky, who hailed from the OnDemand Partners consultancy.

The startup was devoted to a new area in data security: DLP, or Data Leakage Prevention from an enterprise servers.

Within days, the Onigma technology will be available via all McAfee outlets worldwide.

The technology enables the company to monitor all its workers and ensure they do not send confidential information beyond the enterprise boundaries, whether via Internet or external memory storage devices.

Among the company’s investors are the founders of Excellence-Nessuah, Gil Deutsch and Roni Biran.

Via e-mail from Raphael Fogel


15 November 2006 | 18,651 views

Windows XP ToolBox

This a very old article based on my tiny document “WinDOS tools” which was for a short while on Blackcode, before it was shutdown… It was an article to impres my friends, but found some usefull stuff two when writing it… so let’s take a look at some “hidden” Windows XP programs…

MAC Address (getmac)
It seems that Windows has a miny tool usefull in finding out our mac address… So type getmac and your MAC(‘s) address(es) will appear in the console.

Net BIOS Status (Nbtstat)
Another information tool, probably you have heard about it when reading some old documentation about Windows hacking… For it to work there should be installed the NetBeUI protocol, type nbtstat to get the full cmd line parameters.

CAB Packer (makecab, extrac32)
Theres a small packing tool available under Windows, by the help of which you can compress any files, giving more often a better compresion… here is an example how to use this functionality:

makecab file.exe
extrac32 file.ex_

Not much to say about this program, because many of you have heard about it, just type it in the console and get all available options.

Windows has a simple file transfer protocol client, for those of you who don’t have installed Windows Commander, or work remotely on a computer and can not use your browser to download the file on the specific host.

Message (msg)
It does what is supposed to do, it sends messages to the specific host on your network, but there could be some configurations on your network which wouldn’t allow you to do it… anyway here is an example of use:

msg username-of-targeted-host /SERVER:hostname and here your message

If you are in a local network on which you often copy files from other shared folders on your network, than this will prove for you to be a big relief, because this way you could shortcut all the shares for faster access…

C:\>net view \\hostname

Shared resources at \\hostname

Share name Type Used as Comment

C:\>net use Z: \\hostname\DOWNLOAD

--if no error then from this point you can access the share the following way:


Network status (netstat)
If you don’t have a firewall, or you just want to see all your network connections currently in use of listening, then you the command netstat (-a) and will print you all the info mentioned above.

Path Ping (pathping)
This little program is a hybrid between traceroute and ping, so as you might have guessed it not only pings the specific host, but also shows the route the data packet uses to reach it’s destination.

Remote TaskKill (tskill)
Yes you can kill processes on your network, only if the network is not well configured (seen it a couple of times). By this you could shutdown an antivirus program, a firewall, the explorer process (this sometimes may crash Windows), or any other program run by the specific hostname. The command is tskill, for example you could do something like this (which would close Internet Explorer):

tskill iexplore /server:target-hostname /a /v

I mention this one because you do not have always to download PuTTY, just for a telnet/irc/smtp/etc. connection, you could use the Windows incorpored telnet program; of course is not as good as PuTTY, but it will do…

There is no conclusion, this was a time passing article (I was bored at my Informatix class, so I wrote this one)… maybe some of you will apreciate it, while other will not…

14 November 2006 | 22,775 views

Installing Nessus on Debian-based OSs like Ubuntu

With this simple tutorial I will explain how to install Nessus client (nessus) and Nessus Daemon (nessusd) and properly register it, so you don’t end up with the limitations of a non-registered version of the vulnerability scanner.


I personally use apt-, however, you may choose any other package manager.

apt-get install nessus nessusd -y

This will install the nessus client and server, and the -y is used to answer YES to the confirmation of apt-get.

We have now installed both the client and the server. Let’s proceed to the addition of a user:



gouki@8104:~$ sudo nessus-adduser
Using /var/tmp as a temporary file holder

Add a new nessusd user

Login : darknet
Authentication (pass/cert) [pass] :
Login password :
Login password (again) :

User rules
nessusd has a rules system which allows you to restrict the hosts
that darknet has the right to test. For instance, you may want
him to be able to scan his own host only.

Please see the nessus-adduser(8) man page for the rules syntax

Enter the rules for this user, and hit ctrl-D once you are done :
(the user can have an empty rules set)

Login : darknet
Password : ***********
DN :
Rules :

Is that ok ? (y/n) [y] y
user added.

About this display:

When asked about Authentication (pass/cert) [pass] : just press enter, as we will not use any.
When asked about rules for the specific user, press CTRL+D, as we will not enter any rules for the user.

Starting the Daemon:

By default, nessusd has not started. To manully force him to, you will need to do the following:

sudo /etc/init.d/nessusd start

Registering Nessus:

Nessus will work without being registered, however, it will have limitations. Unnecessary limitations, since it is easily registered.

Nessus Registration page - Go here and start the proccess.

After you have entered your e-mail address, the instructions on how to register will not work on Debian-based OSs.

On the eMail from the Nessus team, you will be instructed to this path: /opt/nessus/bin/nessus-fetch, however, the path should be replaced by /usr/bin, making the complete registration command: sudo /usr/bin/nessus-fetch --register XXXX-XXXX-XXXX-XXXX-XXXX

You should now have a complete and working installation of Nessus. Enjoy and remember, automatic scanners are not 1337! =)

TIP: Before starting to use Nessus, update the plugins by doing the following:

sudo nessus-update-plugins

13 November 2006 | 8,449 views

MySpace Paedo Caught by PERL Script

Now for once, this is a really neat use of technology, someone using their brains and a suitable tech to solve a problem that is very apparent.

PERL may be frowned upon by some as being old or outdated, but seriously for parsing data, pattern matching and trawling, it’s still excellent and you can get a program up and running very fast, especially with the CPAN module system.

he computer crimes unit of New York’s Suffolk County Police Department sits in a gloomy government office canopied by water-stained ceiling tiles and stuffed with battered Dell desktops. A mix of file folders, notes, mug shots and printouts form a loose topsoil on the desks, which jostle shoulder-to-shoulder for space on the scuffed and dented floor.

I’ve been invited here to witness the endgame of a police investigation that grew from 1,000 lines of computer code I wrote and executed some five months earlier. The automated script searched MySpace’s 100 million-plus profiles for registered sex offenders — and soon found one that was back on the prowl for seriously underage boys.

Of course some manual monkey work still needed to be done to verify any profiles, but still from 100 million down to a handful, pretty neat eh?

The code swept in a vast number of false or unverifiable matches. Working part time for several months, I sifted the data and manually compared photographs, ages and other data, until enhanced privacy features MySpace launched in June began frustrating the analysis.

Excluding a handful of obvious fakes, I confirmed 744 sex offenders with MySpace profiles, after an examination of about a third of the data. Of those, 497 are registered for sex crimes against children. In this group, six of them are listed as repeat offenders, though Lubrano’s previous convictions were not in the registry, so this number may be low. At least 243 of the 497 have convictions in 2000 or later.

I for one am impressed.

Source: Wired

11 November 2006 | 32,156 views

Medusa Fast Parallel Password Cracker 1.3 Released

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible. The author considers following items as some of the key features of this application:

  • Thread-based parallel testing. Brute-force testing can be performed against multiple hosts, users or passwords concurrently.
  • Flexible user input. Target information (host/user/password) can be specified in a variety of ways. For example, each item can be either a single entry or a file containing multiple entries. Additionally, a combination file format allows the user to refine their target listing.
  • Modular design. Each service module exists as an independent .mod file. This means that no modifications are necessary to the core application in order to extend the supported list of services for brute-forcing.

Version 1.3 of Medusa is now available for public download.

Medusa currently has modules supporting: CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NCP (NetWare), PcAnywhere, POP3, PostgreSQL, rexec, rlogin, rsh, SMB, SMTP (VRFY), SNMP, SSHv2, SVN, Telnet, VmAuthd, VNC, and a generic wrapper module.

While Medusa was designed to serve the same purpose as THC-Hydra, there are several significant differences. For a brief comparison you can see here.

This release fixes several autoconf issues and a number of minor bugs.

You can find the Medusa homepage here and download Medusa here:

Medusa 1.3

Medusa was developed on Gentoo Linux and FreeBSD. Some limited testing has been done on other platforms/distributions (OpenBSD, Debian, Ubuntu, Darwin, Solaris).

08 November 2006 | 8,765 views

the Art of Virology 00h

This is the first part (of many others to come) consisting of basic a introduction to different viruses, some terminology and other aspects required before starting to understand or write viruses.


A virus is (taken from Windows XP’s Help And Support Center):

A program that attempts to spread from computer to computer and either cause damage (by erasing or corrupting data) or annoy users (by printing messages or altering what is displayed on the screen).

But wait a second… to this definition is not correct from some points of view; for example we could place in this category also programs that only reproduce, parasite different files, and do not do damage to users data, or annoy them, except maybe for the disk usage…
But you should not confuse viruses with John von Neumann’s self-reproducing mathematical automata. Google for more information about it because it’s not part of our subject, or maybe I don’t want to get scientific and speak about it

What programs are connected to virology?

The abstract definition of viruses has become more abstract with the help of know-it-all antivirus programmers, which for some money integrated in there software Trojan / hoaxes / malware / backdoor removers, so anytime a antivirus product pops up with a notification of such a program being found on a computer, a normal user doesn’t get interested in this aspect and it’s concerned of being infected with a virus (disinterest, what else)!
But what is the difference between these programs? I’ll make for you a little list with some personal definitions ok so let’s start:

adware – belong to the malware category, besides spyware; it’s not a virus, it’s and application normally shifted alongside with other programs, it’s main role being to pop up, while your connected to the web, some ads. most of the time they get installed because you do not read the files accompanying different software which are free or get free doing some ads for big/medium/small companies.

spyware – these are the fierce animals of malware, they spy on you, but not the subtle way James Bond does, they get installed through different exploits and surveillance the websites you visit, personal information, etc. and send them to different firms (or government, NSA, FBI, CIA ?)

Trojan – Trojans are programs written for specific tasks, in this list we could include flooders (DoS), hidden proxy server, virus droppers, also for different purposes that antivirus vendors think that could do harm to other people’s data.

backdoor – a backdoor is a program which if it’s not released by an underground website could be called “ËśRemote Administration Tool’, so it’s a tool that let’s you control, or do specific tasks on other computers; famous backdoor/Trojan backdoor clients (and server) are: BO2K, SubSeven, R3C, Insane Network.

virus – this one belongs to our subject, of course could it is well divided in more types of viruses, classified by language used to create them, how they infect, and what they infect.

worm – these programs/scripts also belong to virology (think so?!) because they also have the basic concept of viruses (parasites, worms. ring a bell?) to spread, beautifully, widely, and all other fancy adjectives you can find.

Viral History

The “first” virus
Sometime in the early 1970s, the Creeper virus was detected on ARPANET a US military computer network which was the forerunner of the modern Internet. Written for the then-popular Tenex operating system, this program was able to gain access independently through a modem and copy itself to the remote system. Infected systems displayed the message, ‘I’M THE CREEPER : CATCH ME IF YOU CAN.’
Shortly thereafter, the Reaper program was anonymously created to delete Creeper. Reaper was a virus: it spread to networked machines and if it located a Creeper virus, Reaper would delete it. Even the participants are unable to say whether Reaper was a response to Creeper, or if it was created by the same person or persons who created Creeper in order to correct their mistake.
And now a list of the first viruses “to be the first”:
1981 :: Elk Cloner – Boot sector virus

1986 :: Brain – Stealth file virus
1986 :: Virdem – DOS COM file infector

1987 :: Suriv-1 – DOS COM real time file infector
1987 :: Suriv-2 – DOS EXE file infector
1987 :: Suriv-3 – DOS COM & EXE file infector
1987 :: Cascade – Encrypted Virus
1987 :: Christmas Tree Worm – Worm (Internet Virus)

1988 :: Morris Worm – Worm which used exploits against Unix system to spread

1990 :: the Chameleon family – A polymorphic virus family

1991 :: Tequila – A polymorphic boot virus
1991 :: Dir II – The one and only virus to use link-technology

1992 :: Win.Vir_1_4 -Windows virus

1994 :: Shifter -OBJ file infector
1994 :: ScrVir-a – C and Pascal source code files infector

1995 :: Winstart -BAT file virus

1996 :: Boza – Windows 95 virus
1996 :: OS2.AEP – OS/2 EXE file infector
1996 :: Laroux – Excel virus

1997 :: Linux Bliss – Linux virus
1997 :: ShareFun – Macro virus spreading through mail, with MS Mail
1997 :: Homer – Worm that used FTP to propagate
1997 :: Win95.Mad – Self-encrypting Windows 95 virus

1998 :: Win95.HPS and Win95.Marburg – Windows polymorphic viruses
1998 :: Cross – Multi-platform virus, infected MS Access and Word files
1998 :: Triplicate (Tristate) – MS Word, Excel and PowerPoint file infector
1998 :: Red Team – EXE infector virus, spreading through Eudora
1998 :: Java.StrangeBrew – Java web application virus

1999 :: Happy99 (Ska) – Modern-Day Worm
1999 :: SK; – HLP file infector virus
1999 :: Melissa – Word Macro virus incorporating Internet Worm functionality
1999 :: Gala – Corel Draw, Photo-Paint, Ventura file infector
1999 :: Bubbleboy and KakWorm – Worms spreading through IE vulnerabilities
1999 :: Babylonia – Worm with remote self-rejuvenation (don’t get scared by the term, it means that it automatically downloaded new versions of it)

2000 :: Inta – Windows 2000 file infector
2000 :: LoveLetter – Script Virus to break Guiness Book record
2000 :: Star – AutoCAD package virus
2000 :: Jer – Internet Worm using social engineering and mass marketing to get user to let them be infected
2000 :: Liberty – PalmOS virus
2000 :: Stream – ADS and NTFS filesystem viruses
2000 :: Fable – PIF file infector
2000 :: Pirus – PHP Script virus
2000 :: Hybris – Worm with self-rejuvenating based on a 128-bit RSA key

2001 :: Mandragore – Gnutella file-sharing Internet Worm

2002 :: LFM and Donut – .NET Framework viruses
2002 :: Spida – SQL Server worm
2002 :: Benjamin – Kazza file-sharing network worm

2003 :: Slammer – Fileless Worm with flash-worm capabilities

Wow. that’s quite a long list, don’t you think? And it isn’t all; if you want to see it all, then go to viruslist and read all the history of malware, and then surely you can say that this list is even to small = )


I think that we should classify viruses so we will now better about which kind of viruses we speak. you’d probably seen in the list different classifications, but it’s time we clearly point them out (of course this is my personal classification, agree with it or not, it’s your choice):

By what they infect

  • Binary File Infector
    In this category we will include the classic ones: exe, com, obj file infectors; plus the CAD, Corel and any other weird (?_?) extension virus we can find.
  • SourceCode File Infectors
    As you would imagine, in this category will be included viruses that infect source code files Pascal, C, etc. Think that I know a couple or two of this type.(?)
  • BOOT Sector Infectors
    Simple, complex, tiny and all other boot sector viruses will be part of this category. P.S. I hate doggie-B
  • MS Office Infectors
    We all have heard of them, laught about them, though they were dead, but we all know that they are extremely dangerous viruses. yes I’m talking about macro viruses, that populate Word, Excel, PowerPoint, Access.
  • Script Infectors
    And finally our last category dedicated for the viruses which infect script files like js, vbs, mrc and inject themselves into html files including a

    Subscribe via e-mail for updates!


Users Online 

Twitter Updates