Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

05 July 2006 | 3,434 views

Veterans Administration Chief Says Laptop Recovered

Check For Vulnerabilities with Acunetix

Ah, so finally they got it back, from a street corner of all places.

Let’s hope they shall be a little more careful in the future yah?

The missing laptop and hard drive that contained veterans’ personal information has been found, Veterans Administration Chief Jim Nicholson announced Thursday.

The announcement came at the beginning of a hearing before the House Veterans’ Affairs Committee hearing.

“It was confirmed to me by the deputy attorney general that law enforcement has in their possession the … laptop and hard drive,” Nicholson said in a statement at the hearing. “The serial numbers match.”

Of course the FBI will roll out it’s forensics experts to testify the data has not been accessed, but let’s face it, how hard is it to mount the drive read only and clone it?

Not very right..

Experts were conducting forensic tests on the laptop and hard drive, Nicholson said. It was not immediately clear if the data on the equipment had been copied or compromised, but Nicholson said “there is reason to be optimistic.”

He did not say how the equipment was recovered, on where it’s been during the past two months. The equipment was found Wednesday; Nicholson said he wasn’t aware of any arrests made in connection with the incident.

An FBI spokesman said the laptop computer was recovered “in the area,” but could not provide more specific information. Forensics tests showed “the sensitive files were not accessed,” according to special agent in charge Bill Chase.

We’ll look at the forensics techniques in more depth later.

Source: MSNBC

Advertisements



04 July 2006 | 8,094 views

Month of Browser Bugs (MoBB)

Get ready for a complete month of fun with H D Moore’s Month of Browser Bugs.

Quoting from Browser Fun blog:

This blog will serve as a dumping ground for browser-based security research and vulnerability disclosure. To kick off this blog, we are announcing the Month of Browser Bugs (MoBB), where we will publish a new browser hack, every day, for the entire month of July. The hacks we publish are carefully chosen to demonstrate a concept without disclosing a direct path to remote code execution. Enjoy!

He say’s he has plenty of vulnerabilities to go around.

You can also read his post at Metasploit’s blog.


04 July 2006 | 39,133 views

Absinthe Blind SQL Injection Tool/Software

Absinthe is a gui-based tool that automates the process of downloading the schema & contents of a database that is vulnerable to Blind SQL Injection.

Absinthe does not aid in the discovery of SQL Injection holes. This tool will only speed up the process of data recovery.

Features:

  • Automated SQL Injection
  • Supports MS SQL Server, MSDE, Oracle, Postgres
  • Cookies / Additional HTTP Headers
  • Query Termination
  • Additional text appended to queries
  • Supports Use of Proxies / Proxy Rotation
  • Multiple filters for page profiling
  • Custom Delimiters

More Information here:

Absinthe (Documentation)


04 July 2006 | 29,476 views

Data Mining MySpace Bulletins

An interesting find made by John Hackenger surfaced today. For those of you familiar with MySpace, you’ll know that it uses ‘Bulletins’ to send a single message to multiple friends in your list.

Because the message is sent only to the people you have authorized to be on your list, sometimes you get a feel of safety that will make you post information that otherwise you would not want available on the Internet.

What if this information wasn’t private and could be available to everyone?

Because the messages are numeric and sequential at the URL, you can easily get information out of those bulletins.

John Hackenger explains his finding with a complete post of the information.

As you can see, he coded a little application in C to make the whole process simpler – needs some work with the syntax errors.


03 July 2006 | 11,065 views

Universal Hooker – An Ollydbg Plugin

The Universal Hooker is a tool to intercept execution of programs. It enables the
user to intercept calls to API calls inside DLLs, and also arbitrary addresses within the executable file in memory.

Why is it ‘Universal’? There are different ways of hooking functions in a program, for example, it can be done by setting software breakpoints (int 3h), hardware breakpoints (cpu regs), or overwriting the prologue of a function to jump to a ‘stub’, etc. All the methods mentioned above, specially the latter, usually require the programmer of the code creating the hook to have certain knowledge of the function it is intercepting. If the code is written in a programming language like C/C++, the code will normally need to be recompiled for every function one wants to intercept, etc.

The Universal Hooker tries to create very simple abstractions that allow a user of the tool to write hooks for different API and non-API functions using an interpreted language (python), without the need to compile anything, and with the possibility of changing the code that gets executed when the hooked function is called in run-time.

The Universal Hooker builds on the idea that the function handling the hook is the one with the knowledge about the parameters type of the function it is handling. The Universal Hooker only knows the number of parameters of the function, and obtains them from the stack (all DWORDS). The hook handler is the one that will interpret those DWORDS as the types received by the function.

The hook handlers are written in python, what eliminates the need for recompiling the handlers when a modification is required. And also, the hook handlers (executed by the server) are reloaded from disk every time a hook handler is called, this means that one can change the behavior of the hook handler without the need to recompile the code, or having to restart the application being analyzed.

What can you do with it?

  • Fuzz in runtime without implementing protocol, just modify the packets
  • Interactive fuzzing using an hex editor
  • Poor’s man http/https proxy
  • Many things, check out the documentation

You can download it here:

Universal Hooker (Documentation)


02 July 2006 | 98,222 views

Downgrade PSP v2.6 to v1.5 to play homebrew & ISO games

Dark_AleX has now shared Downgrader Test v0.5 For PSP 2.50/2.60 Firmware which, according to MANY users (including TGMG, LalaMan, Firey, and LAXitives), works 100% with PSP consoles that were upgraded to v2.50 or v2.60 Firmware. However, it will NOT work with TA-082 versions and it’s NOT recommended for users whose FACTORY/STOCK Firmware was 2.50 or 2.60.

Check out the video in action here. Unfortunately the video quality is crap but its proof that it works. This hack was just released yesterday. So to those who have upgaded their PSP to v2.6, you still can downgrade to v1.5 to be able to play homebrew games and also ISO games.

Use this to check if you have TA-082 before you continue.

Tags: ,

30 June 2006 | 10,354 views

ARP Scanning and Fingerprinting Tool – arp-scan

NTA-Monitor has released the arp-scan detection and fingerprinting tool under the open source (LGPL license) concept.

It has been tested under various Linux based operating systems and seems to work fine.

This will only compile on Linux systems. You will need a C compiler, the “make” utility and the appropriate system header files to compile arp-scan. It uses autoconf and automake, so compilation and installation is the normal ./configure; make; make install process.

You can download arp-scan here:

http://www.nta-monitor.com/tools/arp-scan/download/arp-scan-1.4.tar.gz

Please read the man pages arp-scan(1), arp-fingerprint(1) and get-oui(1) before using this tool.


29 June 2006 | 7,734 views

Shadowserver Battles the Botnets

Botnets are indeed a growing problem, we’ve seen serious cases of DDoS extortion, the most recent example would be the attacks against the ‘million dollar homepage’ and the problems it caused the owner.

Botnets have been used for quite some time as spam networks and mostly for script kiddies to have DoS wars on IRC networks, but now they have released they can go back to the old mafia tactics of protection money and make a few bucks from it.

Botnets are the workhorses of most online criminal enterprises today, allowing hackers to ply their trade anonymously — sending spam, sowing infected PCs with adware from companies that pay for each installation, or hosting fraudulent e-commerce and banking Web sites.

As the profit motive for creating botnets has grown, so has the number of bot-infected PCs. David Dagon, a Ph.D. student at Georgia Tech who has spent several years charting the global spread of botnets, estimates that in the 13-month period ending in January, more than 13 million PCs around the world were infected with malicious code that turned them into bots.

Shadowserver is an effort to take out these botnets, they are made up of volunteers with some experience in computer security and have the thankless job of informing ISPs of infected machines and getting them to deny access.

Even after the Shadowserver crew has convinced an ISP to shut down a botmaster’s command-and-control channel, most of the bots will remain infected. Like lost sheep without a shepherd, the drones will continually try to reconnect to the hacker’s control server, unaware that it no longer exists. In some cases, Albright said, a botmaster who has been cut off from his command-and-control center will simply wait a few days or weeks, then re-register the domain and reclaim stranded bots.

That’s the problem, even after they have shut them down, they can spring up again in a few days. There are so many unprotected Windows machines, it’s an uphill battle..

Shadowserver is using some kind of custom Honeynet to collect samples of the Bot seeding malware and examine it using reverse engineering techniques.

I predict it will get worse and as more machines from developing nations come online (using outdated and pirated copies of Windows) more more and vulnerable machines will be available to these ‘bot herders’…

Recent media attention to the Shadowserver project has generated interest among a new crop of volunteers eager to deploy honeynet sensors and contribute to the effort. Albright says he’ll take all the help he can get, but he worries that the next few years will bring even more numerous and stealthy botnets.

“Even with all the sensors we have in place now, we’re still catching around 20 new unknown [bot programs] per week,” he said. “Once we get more sensors that number will probably double.”

It’s only going to get worse.

Source: Washington Post


28 June 2006 | 5,177 views

Web Services Attack Frequency Increasing

As we’ve reported a few times recently, more and more attacks being aimed at Web Services such as Orkut, MySpace, Ebay and others.

As more people turn to web applications for everyday tasks like e-mail, friendship and payments, cyber criminals are following them in search of bank account details and other valuable data, security researchers said.

Users of Yahoo’s e-mail service, Google’s Orkut social networking site and eBay’s PayPal online payment service were among the targets of attacks in recent weeks. All three companies have acknowledged and plugged the security holes.

Money is to be made with users data, usually credit card details. It’s also a numbers game, 90% of users are using MS operating systems and most people are still using Internet Exploder. So its pretty easy to target them with the right combination of scripting and browser exploits.

The attacks come as Microsoft, whose Windows operating system runs about 90 percent of the world’s computers, has plugged many of the most easily exploited holes in its e-mail program, browser and other products following dozens of embarrassing breaches over the past several years.

They also come amid the growing popularity of online communities such as MySpace.com and of web-based calendar, messaging and other services offered by Google, Yahoo and others.

The only difference that has shown up is the speed in which web services providers patch the holes in constrast to the time it takes Microsoft or other traditional software vendors to respond (If they respond at all..).

The ability of Yahoo, Google and PayPal to quickly plug this month’s holes highlights one of the differences between combating worms that target websites and those that go after flaws running on an individual’s PC.

PayPal was able to roll out a fix almost immediately by altering several lines of code on its server, company spokeswoman Amanda Pires said. That blocked the ability to exploit a flaw that let cyber criminals intercept users who typed in a genuine PayPal web address, security researchers say.

Wired


27 June 2006 | 16,237 views

sqlninja 0.1.0alpha – MS-SQL Injection Tool

sqlninja is a little toy that has been coded during a couple of pen-tests done lately and it is aimed to exploit SQL Injection vulnerabilities on web applications that use Microsoft SQL Server as their back-end.

It borrows some ideas from similar tools like bobcat, but it is more targeted in providing a remote shell even with paranoid firewall settings.

It is written in perl and runs on UNIX-like boxes.

Here’s a list of what it does so far:

  • Upload of nc.exe (or any other executable) using the good ol’ debug script trick
  • TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell
  • Direct and reverse bindshell, both TCP and UDP
  • DNS-tunneled pseudoshell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames

Being an alpha version and since it was originally supposed to be just a quick&dirty toy for a pentest, there are lots of bugs waiting to be found and fixed so go ahead and download it ! :)

More tunneling options (e.g.: HTTP, SMTP, …) will be added in the future together.

You can read more and download sqlninja here:

http://sqlninja.sourceforge.net/