Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

15 May 2006 | 7,646 views

OSSEC HIDS – Open Source Host-based Intrusion System

Prevent Network Security Leaks with Acunetix

OSSEC HIDS is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, rootkit detection, time-based alerting and active response.

It runs on most operating systems, including Linux, OpenBSD, FreeBSD, Solaris and Windows.

This is the first version offering native support for Windows (XP/2000/2003). It includes as well a new set of log analysis rules for sendmail, web logs (Apache and IIS), IDSs and Windows authentication events.

The correlation rules for squid, mail logs, firewall events and authentication systems have been improved, now detecting scans, worms and internal attacks.

The active-responses were also refined, with support to IPFW (FreeBSD) added.

The installation process was re-organized, now including simpler configuration options and
translation on 6 different languages (English, Portuguese, German, Turkish, Polish and Italian).

You can download the Unix and Windows versions here.

Read more Here.

The full changelog is here.



14 May 2006 | 5,129 views

Open Source Blamed for Rootkits?

This is the biggest load of shite I’ve read this year I think.

Rootkits are becoming more prevalent and difficult to detect, and security vendor McAfee says the blame falls squarely on the open source community.

In its “Rootkits” report being published today, McAfee says the number of rootkits it has collected as malware samples has jumped ninefold this quarter compared with the same quarter a year ago. Almost all the rootkits McAfee has identified are intended to hide other code (such as spyware or bots) or conceal processes running in Windows systems.

“The predominant reason for the growth in use of stealthy code is because of sites like Rootkit.com,” says Stuart McClure, senior vice president of global threats at McAfee

Excuse me?!

Rootkit.com’s 41,533 members do post rootkit source code anonymously, then discuss and share the open source code. But it’s naive to say the Web site exists for malicious purposes, contends Greg Hoglund, CEO of security firm HBGary and operator of Rootkit.

“It’s there to educate people,” says Hoglund, who’s also the co-author with James Butler of the book Rootkits: Subverting the Windows Kernel. “The site is devoted to the discussion of rootkits. It’s a great resource for anti-virus companies and others. Without it, they’d be far behind in their understanding of rootkits.”

It’s definitely there for education purposes, the Rootkits book is very informative. Sadly this is the same old discussion again and again, non-disclosure vs full-disclosure. Those who really understand the process want to share the information as soon as possible to aid prevention techniques and to promote understanding, not hiding behind ignorance and implementing security through obscurity.

Those pimping anti-virus software, anti-exploit and whatever obviously want to fuel the FUD that opensource software and sharing of knowledge actually exacerbate the problem.

It seems Trend actually understands the issue, unlike McAfee the corporate bitch.

Anti-virus vendor Trend Micro says the Rootkit Web site cuts both ways.

“We need those open source people,” says David Perry, global director of education at Trend Micro. “They uncover things. It’s a laboratory of computer science. They demand the intellectual right to discuss this.”

What more can we say..

Source: Network World


13 May 2006 | 4,407 views

I’m gonna h4x0r j00r Ferrari

Hacking cars, what next? I have fears for the IPv6 generation (if it every happens), when every toaster and light bulb has an IP address, yeah…I’m gonna hack your house then and make your lights blink.

High-tech thieves are becoming increasingly savvy when it comes to stealing automobiles equipped with keyless entry and ignition systems. While many computer-based security systems on automobiles require some type of key ‘mechanical or otherwise’ to start the engine, so-called ‘keyless’ setups require only the presence of a key fob to start the engine.

The expert gang suspected of stealing two of David Beckham’s BMW X5 SUVs in the last six months did so by using software programs on a laptop to wirelessly break into the car’s computer, open the doors, and start the engine.

Poor Beckham, he got had twice.

I wonder how simplistic the system they are using is? 20 minutes to break the encryption? A simple XOR or something, it must be.

“It’s difficult to steal cars with complex security, but not impossible. There are weaknesses in any system” Tim Hart of the Auto Locksmith Association told the U.K’s Auto Express magazine. “At key steps the car’s software can halt progress for up to 20 minutes as part of its in-built protection” said Hart.

Because the decryption process can take a while ‘up to 20 minutes, according to Hart’ the thieves usually wait to find the car in a secluded area where it will be left for a long period. That is believed to be what happened to Mr. Beckham & the crooks followed him to the mall where he was to have lunch, and went to work on his X5 after it was parked.

I’ve heard an experiment was done by some students at John Hopkins, they connected 16 FPGAs together at a total cost of under $3,500. Texas Instruments provided them with 5 DST tags whose keys they did not know. The 16-way parallel cracker was able to recover all 5 keys in well under 2 hours.

Source: Left Lane News


11 May 2006 | 3,291 views

The Next 50 Years of Computer Security

There’s an interesting audio file about the next 50 years of computer security, it’s from a talk Alan Coxa a fellow at Red Hat Linux gave recently at the European OSCON.

It talks about the implementations of modularity, trusted computing hardware (we are already seing this in part, hardware anti-virus implementations and DRM to be built into CPUs), ‘separation of secrets,’ and overcoming the challenge of users not reading dialog boxes, will be crucial milestones as we head on to the future. He states: “As security improves, we need to keep building things which are usable, which are turned on by default, which means understanding users is the target for the next 50 years. You don’t buy a car with optional bumpers. You can have a steering wheel fitted if you like, but it comes with a spike by default.” All of this has to be shipped in a way that doesn’t stop the user from doing things.

Security and validation are critical issues in computing, and the next fifty years will be harder than the last. There are a number of proven programming techniques and design approaches which are already helping to harden our modern systems, but each of these must be carefully balanced with usability in order to be effective. In this talk, Alan Cox, fellow at Red Hat Linux, explores the future of what may be the biggest threat facing software engineers, the unverified user.

Of course security is always a balance between usability and actual security, the more secure something is, generally the less usable it becomes and vice versa, imminently usable…totally unsecure.

What else do you think is going to happen? For better or worse..

Source: IT Conversations


10 May 2006 | 6,287 views

MORE Sendmail Problems – Signal Handling Vulnerability

OH MY GOD, NOT ANOTHER SENDMAIL FLAW?

What’s that? Yah number 1001010102121.

Recently, Mark Dowd of ISS discovered a signal handling vulnerability in Sendmail. We don’t see major bugs in software that’s as popular as Sendmail very often (at least, in the Unix world anyways), and that’s probably a good thing. According to sendmail.com, Sendmail still handles about 70 per cent of all email on the internet.

As far as software goes, Sendmail is ancient, dating all the way back to 1981. Sendmail 8 itself is well over 10 years-old. To put it nicely, its security track record is less than stellar. However, the last big show stoppers in Sendmail were found about three years ago & Zalewski’s prescan() bugs reported in September and March of 2003, and crackaddr(), also in March of 2003. The crackaddr() bug was also discovered by Mark Dowd.

So it’s been about 3 years since the last big sendmail bug, but well how many underground exploits are there for sendmail, it seems to have been one of the most insecure peices of software to ever grace the Internet.

The article also addresses some interesting issues, like can software have a finite amount of bugs? I don’t believe so, unless it’s very simple and is never updated, there’s no way it can have a finite amount of errors.

More code or more changes = more bugs.

Source: The Register


10 May 2006 | 25,053 views

SecureDVD – Multiboot Live Security Distro’s

SecureDVD is a DVD with the 10 Best Security related Live CD’s.

Yes that’s right, they authored this DVD based on the recommendations made by Darknet!

Now you can have all your favorite CDs ‘compiled’ into a single DVD. I love this idea.

SecureDVD is available to download, but due to it’s size, only in BitTorrent. You can also have it shipped to your address if you buy it.

You can take a look at the boot loader screenshot here

Enjoy, and remember to seed after you’re done downloading.

P.S: I suggest everyone to wait a couple of hours until starting to download. SecureDVD is currently fixing some problems they had with the .Torrent.

Update: Download is going smooth now ;) ~100KBs


09 May 2006 | 10,208 views

UK hackers condemn McKinnon trial

It is a little over the top, this guy used over the counter kiddy tool and ‘hacked’ into systems because of blank passwords.

Not rocket science, and apparently the machines he had access to were air-gapped, or segregated from the networks containing sensitive information, so the charges are greatly trumped up and are NOT relative to his offence.

The UK’s hacking community has strongly criticised how fellow hacker Gary McKinnon has been treated.

Accused of hacking into US military computer networks, Mr McKinnon this week is expected to find out if he is to be extradited for trial in the US.

British hackers say he is being made an example of to serve political ends rather than improve computer security.

The punishment he faces, up to 70 years in jail, was also too harsh a sentence for the crimes he has confessed to.

70 years? For hacking into some minor grade web servers and finding some mostly declassified information.

Mark, and another attendee Rat, suggested that Mr McKinnon was being treated harshly to send a message to the rest of the hacking community to clean up its act.

“But,” they said, “the idea of clamping down on some unlucky guy and threatening him with 70 years in jail will not make the blindest bit of difference.”

“All [hackers] think they will not get caught,” said Mark.

Rat said that almost every message received by the blogs set up to document Mr McKinnon’s treatment and the progress of the court case had been supportive.

Dr K, another UK hacker interviewed by the BBC News website, questioned why Mr McKinnon had to be extradited to be tried for the crimes for which he has already confessed.

He got sloppy and he got caught, he made a mistake. He really doesn’t deserve to get 70 years for what he did.

No one is saying he didn’t do anything wrong, but branding him a terrorist is going a bit far, I don’t think the US needs to make an example of him in this way.

Source: BBC News


09 May 2006 | 4,014 views

ASP.NET Memberships and Roles

If your familiar with asp.net, you’ll know the feeling of wasting hours searching through countless settings to get an app working, and then the many more hours it takes to tweak IIS to get your site running smoothly. But this is nothing compaired to getting authentication and domain controllers properly integrated. On Microsofts asp.net newsgroup the biggest single security issue mentioned is user error and bad setup, sometimes allowing things as stupid as anonymous users having full control of a web app.

4GuysFromRolla regular .net author Scott Mitchell has written a kick-ass guide to all things membership and role based, and if your producing an intranet or just a large webapp you will want to take a look. Allowing .net to manage your permissions and users can not only save you time, but takes out some of the many errors that can sneak in when your managing a large sites security manually.


08 May 2006 | 6,387 views

McAfee Seeds Mac Virus Threat FUD

What a surprise, McAfee spreading FUD to sell more copies of their bloated AV software?

Apart from the fact I think the whole AV model is flawed i.e. it can only protect against things the AV companies 1) know about 2) have written a definition for and 3) have delivered the definition to you – That’s a LOT of ifs.

Now McAfee is spreading some FUD about Apple viruses so they can sell their new Mac antivirus software.

Among its key findings, which McAfee clearly hopes will scare you enough to consider buying its anti-virus software for the Mac:

  • From 2003 to 2005, the annual rate of vulnerability discovery on on Apple;s Mac OS platform has increased by 228% compared to Microsoft’s products which only saw a 73% increase.
  • As demonstrated by its March 2006 patch, which corrected 20 vulnerabilities, Apple’s Mac OS platform is just as vulnerable to targeted malware attacks as other operating systems
  • Security researchers and hackers will increasingly target the Mac OS and other Apple products, such as iTunes and iPods.

The direct link to the McAfee whitepaper is here (PDF WARNING).

Here’s the part that is supposed to the Mac users worried.

Apple appears to be in the earlier stages of malware evolution where exploits are written and spreads as proof-of-concept to demonstrate technical prowess and garner notoriety. While these elements remain in the Windows malware community, they are being overshadowed today by the more professional, profit-seeking malefactors. Apples customer base does not yet provide an attractive enough target to warrant interest from this for-profit contingent. However, as Apple’s continued market success places its products in the hands of more and more consumers that status will inevitably change

Nice eh? Are you scared yet? I’m not..

I have to say from experience though, Mac users tend to be more tech savvy, they know a bit about their machines and the Operating System running on it.

Plus OSX does actually have some concepts of real priveledge seperation built in, unlike Windows. It’s basically *nix with a great Window Manager.

I mean niche doesn’t mean safe, but still, any virus that infects a properly designed operating system can’t do anything, other than delete that users files, assuming the virus can work out where they are..files which should be backed up anyway.

Proper OS security architecture renders antivirus software pointless.

Source: Business Week


08 May 2006 | 8,184 views

SinFP – Next Generation OS Detection Tool

OS Fingerprinting is an important part of any penetration test or hack as it allows you focus your efforts a lot more effeciently when point testing, rather than throwing everything at a machine like a script kiddy would. So let’s introduce a new option, other than p0f and xprobe2.

SinFP is a new approach to OS fingerprinting, which bypasses limitations that nmap has.

Nmap approaches to fingerprinting as shown to be efficient for years. Nowadays, with the omni-presence of stateful filtering devices, PAT/NAT configurations and emerging packet normalization, its approach to OS fingerprinting is becoming to be obsolete.

SinFP uses the aforementioned limitations as a basis for tests to be obsolutely avoided in used frames to identify accurately the remote operating system. That is, it only requires one open TCP port, sends only fully standard TCP packets, and limits the number of tests to 2 or 3 (with
only 1 test giving the OS reliably in most cases).

Features list:

  • full OS fingerprinting suite, built as a Perl module
  • active fingerprinting
  • passive fingerprinting (with signature matching made against active ones)
  • works the same over IPv4 and IPv6 (yes, IPv6 fingerprinting)
  • online mode
  • offline mode (especially useful when you have a pcap file)
  • heuristic matching algorithm to avoid the need to write new signature for a target stack which has some TCP option deactivated, or changed window size

To read more you can check out the SinFP Homepage.

You can download SinFP directly here.