Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

03 May 2006 | 5,014 views

Who is Gouki?

Check For Vulnerabilities with Acunetix

Well the original Gouki (also known as Akuma) is a character from the Street Fighter game series. I started using this handle approximately 10 years ago, when I was a big fan of the game.

My name is Tiago, and I’m a 20-something geek living in Portugal (all over the place).

I am interested in Information Security and everything related to GNU/Linux. I consider myself a free culture activist and free software supporter. I’m involved in the FSF, the GNU project, I do a lot of tracing and editing on the Open Street Map project and I do all sorts of contributions to the Ubuntu GNU/Linux distribution.

I also use a fair part of my free time working on the Tor Project, where I’m the core translator off all projects under Tor to Portuguese, run several relay nodes and one bridge node. I also keep a server with hidden services up and running for people on the .onion land.

During the day, I maintain my own small business dealing mostly with disaster recovery, teach LPI (I’m LPIC-3 and UCP-1 certified) and CompTia (A+, Network+, Security+ and Linux+ certified) courses and maintain a few Drupal/Wordpress websites for clients. Basically doing what I can to pay the bills.

My posts on Darknet will, obviously, be related to Information Security with special interest on Wireless, Linux kernel and general news.

My homepage is available at http://xroot.org/. Feel free to contact me if I can help you in any way.

Tiago



02 May 2006 | 4,414 views

Microsoft Shelves Support for RSA SecurID in Vista

Switchback? For the worst? Aww Microsoft would never compromise our security for the sake of convenience or their profit line right?

Microsoft has shelved plans to include native support for RSA’s SecurID tokens in Windows Vista, even though the company has been trialling the technology for almost two years.

In February 2004, Microsoft chairman Bill Gates announced that Windows would be able to support easy integration with RSA Security’s ubiquitous SecurID tokens, which meant that enterprises would find it far easier to deploy a two-factor authentication system for logging on to networks and applications.

However, almost two years after the SecurID beta programme kicked off, the chief executive of RSA Security Art Coviello has revealed that Windows Vista will not natively support the technology.

Yeah, you read it right, Vista will not support SecurID. Shame really it opened up a whole load of new capabilities.

Microsoft had said they would include the ability to support all kinds of One Time Password (OTP) and challenge response type authentication in Vista but they were unable to get it in with all the other issues they have had — so it is going to take longer

Seems like they may retrofit it some time in the future.

Source: Zdnet


02 May 2006 | 6,709 views

Proof of Concept for Internet Explorer Modal Dialog Exploit

Pretty interesting and imaginative way to exploit the flaw in IE…yeah I know linked to ActiveX again, all the more reason to use Firefox right?

It just shows that the browser really is a point of entry, this could be useful for a penetration test, another way to show how easy it is to get in via internet explorer, the frequency with which IE exploits have been coming out recently is scarier than normal.

A particular scenario was identified that involved the exploitation of the modal ActiveX prompt delivered by some systems. The user is asked to type a certain string of characters (ala captcha). A prompt will be displayed (hopefully during the time the user is typing the string) to install the Microsoft Surround Video Control.

If you’re still typing the “captcha” when the prompt appears, you’ll install the control. This works as advertised against all systems EXCEPT Windows XP SP2 and Windows Server 2003 SP1. If the software you install hoses your box, just remember that it’s signed by Microsoft. In
other words… don’t look at me.

You can check the PoC here:

Proof of Concept for IE Modal Dialog Issue

It just crashes IE for me, I’m not sure if it’s a null pointer or what, but I’m sure there’s some way to exploit it to take over the machine, it’s a another vulnerability, which usually can be mashed together with a couple of others to get complete control.

By Matthew Murphy spotted on Vulnwatch


30 April 2006 | 8,772 views

Gary McKinnon Busted Because he Forgot the Time Difference

It turns out Gary McKinnon got sloppy, that’s why he got busted. He forgot the computers he was comprimising were in a completely different time zone, and as he was using remote control software, the person in the office saw their mouse moving around. We have reported about this guy before, when he was fearing being exported and chucked in Guantanamo.

A British computer hacker facing extradition for breaking into United States military computers said today that computer administrators fail to take easy steps that deter unwanted intrusions.

Gary McKinnon, who spoke on a panel at Infosec Europe 2006 here, made a critical miscalculation when poking around one of his targets that started an international investigation.

“I got caught because I was using a graphical remote control tool, and I forgot what time zone I was in,” McKinnon said. “Somebody was in the office when I was moving the mouse around.”

McKinnon’s probes occurred when computers were left on but employees were gone. Simply shutting down computers at night reduces the risk, he said.

Sloppy mistake though.

He makes some good points in the interview too, weak passwords generally are the weakest link, it’s quite common to find blank admin passwords and the C$ still enabled giving you full access to a Windows machine. Users really are the weakest link.

Passwords are a consistent weak point. McKinnon was able to hack a few unguarded passwords that gave him access; stronger passwords are recommended, he said. Misconfiguration by administrators made it easier, as some password protection was simply not enabled, he said.

Source: Yahoo News


28 April 2006 | 7,892 views

Trojan Writers Coding for Money – Freezes PC for Ransom

A new term has been coined, yes indeed..

Ransomeware

That’s what they are calling this new threat, infects your PC then freezes it until you send some people some money.

A new kind of malware circulating on the Internet freezes a computer and then asks for a ransom paid through the Western Union Holdings money transfer service.

A sample of the Trojan horse virus was sent to Sophos, a security vendor, said Graham Cluley, senior technology consultant. The malware, which Sophos named Troj/Ransom-A, is one of only a few viruses so far that have asked for a ransom in exchange for releasing control of a computer, Cluley said.

Pretty dodgy really, what with being able to buy a Spyware creation kit for $15, now people are coding trojans to make money..

Once run, the Trojan freezes the computer, displaying a message saying files are being deleted every 30 minutes. It then gives instructions on how to send $10.99 via Western Union to free the computer.

Hitting the control, alt, and delete keys will not affect the bug, the virus writer warns. Sophos provides further details at its Web site.

Pretty tight rein, it just shows how sloppy Windows is…and how powerful the API’s are…and how dumb it is to let non-computer literate people using Internet Exploder to run as Administrator..

There was a case similar to this recently.

Last month, a Trojan emerged that encrypts a user’s documents and then leaves a file demanding $300 in exchange for the password to access the information. Victims were instructed to send money to one of 99 accounts run by e-gold, a company that runs a money transfer site.

The password, however, was contained on the infected computer. Sophos cracked it and publicly released it.

I guess they will get more advanced (sadly) as time goes on.


28 April 2006 | 20,701 views

Paros Proxy 3.2.11 Released – MITM HTTP and HTTPS Proxy

Paros 3.2.11 has been released. This version is a maintenance release with a useful feature requested by various users. All users are recommended to upgrade to this version.

One of my favourite proxy options, along side the Burp Proxy (evolved into Burp Suite).

Paros labels itself as MITM Proxy + Spider + Scanner plus anything else you want it to be, it is a pretty neat piece of software.

It’s particularly useful for testing web applications and things such as insecure sessions.

Paros is free of charge and completely written in Java. Through Paros’s proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

A Java based HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly. Other featuers include spiders, client certificate, proxy-chaining, intelligent scanning for XSS and SQL injections etc.

These proxies have a different purpose than those personal type proxies like Proxomitron which are intended to protect you, clean adverts, block spyware and so on. Proxies like Paros and Burp are meant for examining the security of applications and web application auditing.

You do need Java Run Time Enviroment (JRE) 1.4 (or above) to install Paros.

You can download the latest version of Paros Here.

3.2.11 Release Notes


27 April 2006 | 12,655 views

Oracle Releases a Default Password Scanner

Oracle is getting serious with security? Again..?

Oracle Corp. has published a collection of software patches that address security vulnerabilities in a range of the company’s products, including its database and application server software. As part of this update, it also released a tool designed to ferret out commonly used default passwords that theoretically could be misused by hackers.

Earlier versions of Oracle’s database software included well-known default passwords and user names, for example “scott / tiger”. These accounts are also known to have been created by other software, such as application servers, that interact with the database, said Oracle Security Alerts Manager Darius Wiles

The ‘scanner’ is actually an SQL script.

The password scanner is a SQL (Structured Query Language) script that scans the database and then prints out the names of these well-known accounts if they are unlocked, Wiles said. “This tool is designed to catch those instances and then explain to customers the right thing to do to secure their systems.”

Source: Computerworld

Oracle default passwords have been quite a problem in the past, there is a whole page dedicated to them here.

This page is the home for the Oracle default password list that we have collated. The list can also be thought of as a list of Oracle default password hashes.

The full details of the release can be found from Oracle Here (Oracle Critical Patch Update – April 2006).

Subscribers to MetaLink can find more information on the Default Password Scanner in MetaLink Note 361482.1.

You can also check out Cain & Abel which has Oracle hash specific functions.

Digg This Article


26 April 2006 | 12,241 views

MS and the new IE vulnerability – Object Tag

Can you see the irony?
Just after 2 weeks that M$ released the Internet Explorer security makeover, Michal Zalewski came up with a highly critical exploit, as called by Secunia… based on a mishandling of the OBJECT tag….

Security alerts aggregator Secunia flagged the issue as “highly critical” and stressed that it can be exploited to corrupt memory by tricking a user into visiting a malicious Web site. “Successful exploitation allows execution of arbitrary code,” Secunia warned.

Of course M$ didn’t just sit around… they blamed Michal Zalewski for publishing the vulnerability prior of noticing M$ so they could launch a patch [again?] for it…

Microsoft chided Zalewski for jumping the gun and posting his findings before a comprehensive patch could be created, but the researcher is unapologetic.

And how expected Zalewski striked back:

[They] often attempt to downplay threats; they don’t participate in the vulnerability research community in a meaningful way; and they routinely use false pretenses when communicating their expectations to the media (for example, expressing concern for the customer and blaming the researcher where the chief risk for the customer arises from the fact that an extremely wealthy and profitable software giant severely underfunds the task of fixing critical defects in their software)

Researchers at Websense Security Labs said there are no published proof-of-concepts demonstrating a remote code execution attack vector but made it clear that browser crash vulnerabilities often lead to remote code execution exploits.
But a quick search on SecurityFocus proved something else:
http://www.securityfocus.com/archive/1/431796/30/30/threaded

Source: Microsoft Rocked by New IE Zero-Day Flaw Warning


26 April 2006 | 35,013 views

Alternatives to FrSIRT – Where to Download Exploits?

Since FrSIRT closed it’s public archives and starting charging for access (blaming it on French laws…), people have been wondering where they can their dose of Exploits..For legitimate purposes obviously.

Security Forest

The most comprehensive collection in my opinion comes from SecurityForest. They also have a BETA exploitation framework in development, something like a Metasploit, but with a much larger range of exploits.

The part of SecurityForest you need to look at is the Exploit Tree.

I love the way it works, as it’s based on CVS, so you just download whatever you don’t have everytime you update.

The ExploitTree is a categorized collection of ALL available exploit code. ExploitTree’s ambition is to become the most organized, rich and up-to-date exploit repository on the internet. The ExploitTree is based on CVS (Concurrent Versioning System) and therefore allows the user to keep an up-to-date offline mirror of the repository on their hard drive. When an ExploitTree Administrator updates their local copy with a new/updated exploit, it updates the repository and keeps everyone else up-to-date. Furthermore, a web interface for web browsing is available.

It is a really impressive collection and very well categorised. It works fine on both Windows and *nix based systems. You can also browse online here.

milw0rm

milw0rm is less mainstream and started out as a personal site, but has grown into a comprehensive and well organised archive of exploits.

It can be organised various ways, by platform, by port, for PHP, for ASP etc.

Securiteam

Securiteam is quite commercial, but has an archive of verified exploits – going back to 1998, verified by their own team of ‘experts’. Note however Securiteam isn’t greatly liked on lists such as Full Disclosure (mostly for spamming their blog).

Securiteam Exploits Archive.

SecuriTeam™ is a group within Beyond Security® dedicated to bringing you the latest news and utilities in computer security.

Having experience as Security Specialists, Programmers and System Administrators we appreciate your need for a “Security Portal” – A central Security web site containing all the newest security information from various mailing lists, hacker channels and our own tools and knowledge.

Packetstorm

Packetstorm is one of the oldest sites, and has a reasonbly good archive of exploits.

Packetstorm Exploits

It goes back to about 1998 too.

Packet Storm offers an abundant resource of up-to-date and historical security tools, exploits, and advisories. We are a non-profit organization comprised of security professionals that are dedicated to providing the information necessary to secure networks on a global scale. We accomplish this goal by publishing new security information on a global network of websites.

Others

You can also check out:

Government Security Archive
Secwatch
Hackers Playground

Various

You can find the odd private archives online too, but they tend to go up and down, and sometimes when you have something specific in mind, it’s just best to hit Google and Google Groups to mine it out.

Don’t forget the good stuff like Google Hacking too.

Plus the Security and Hacking LiveCD’s have quite a lot of compiled & working exploits inside too.

Digg This Article


25 April 2006 | 38,947 views

Penetration Testing vs Vulnerability Assessment

There seems to be a certain amount of confusion within the security industry about the difference between Penetration Testing and Vulnerability Assessment, they are often classified as the same thing when in fact they are not.

I know Penetration Testing sounds a lot more exciting, but most people actually want a VA not a pentest, many projects are labelled as pen tests when in fact they are 100% VA.

A Penetration Test mainly consists of a VA, but it goes one step further..

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

A vulnerability assesment is what most companies generally do, as the systems they are testing are live production systems and can’t afford to be disrupted by active exploits which might crash the system.

Vulnerability assessment is the process of identifying and quantifying vulnerabilities in a system. The system being studied could be a physical facility like a nuclear power plant, a computer system, or a larger system (for example the communications infrastructure or water infrastructure of a region).

Vulnerability assessment has many things in common with risk assessment. Assessments are
typically performed according to the following steps:

1. Cataloging assets and capabilities (resources) in a system
2. Assigning quantifiable value and importance to the resources
3. Identifying the vulnerabilities or potential threats to each resource
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources

This is generally what a security company is contracted to do, from a technical perspective, not to actually penetrate the systems, but to assess and document the possible vulnerabilities and recommend mitigation measures and improvements.

Sources: Wikipedia

Digg This Article