Darknet - The Darkside

Don`t Learn to HACK - Hack to LEARN. That`s our motto and we stick to it, we are all about Ethical Hacking, Penetration Testing & Computer Security. We share and comment on interesting infosec related news, tools and more. Follow us on Twitter, Facebook or RSS for the latest updates.

28 April 2006 | 20,728 views

Paros Proxy 3.2.11 Released – MITM HTTP and HTTPS Proxy

Check For Vulnerabilities with Acunetix

Paros 3.2.11 has been released. This version is a maintenance release with a useful feature requested by various users. All users are recommended to upgrade to this version.

One of my favourite proxy options, along side the Burp Proxy (evolved into Burp Suite).

Paros labels itself as MITM Proxy + Spider + Scanner plus anything else you want it to be, it is a pretty neat piece of software.

It’s particularly useful for testing web applications and things such as insecure sessions.

Paros is free of charge and completely written in Java. Through Paros’s proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified.

A Java based HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly. Other featuers include spiders, client certificate, proxy-chaining, intelligent scanning for XSS and SQL injections etc.

These proxies have a different purpose than those personal type proxies like Proxomitron which are intended to protect you, clean adverts, block spyware and so on. Proxies like Paros and Burp are meant for examining the security of applications and web application auditing.

You do need Java Run Time Enviroment (JRE) 1.4 (or above) to install Paros.

You can download the latest version of Paros Here.

3.2.11 Release Notes



27 April 2006 | 12,669 views

Oracle Releases a Default Password Scanner

Oracle is getting serious with security? Again..?

Oracle Corp. has published a collection of software patches that address security vulnerabilities in a range of the company’s products, including its database and application server software. As part of this update, it also released a tool designed to ferret out commonly used default passwords that theoretically could be misused by hackers.

Earlier versions of Oracle’s database software included well-known default passwords and user names, for example “scott / tiger”. These accounts are also known to have been created by other software, such as application servers, that interact with the database, said Oracle Security Alerts Manager Darius Wiles

The ‘scanner’ is actually an SQL script.

The password scanner is a SQL (Structured Query Language) script that scans the database and then prints out the names of these well-known accounts if they are unlocked, Wiles said. “This tool is designed to catch those instances and then explain to customers the right thing to do to secure their systems.”

Source: Computerworld

Oracle default passwords have been quite a problem in the past, there is a whole page dedicated to them here.

This page is the home for the Oracle default password list that we have collated. The list can also be thought of as a list of Oracle default password hashes.

The full details of the release can be found from Oracle Here (Oracle Critical Patch Update – April 2006).

Subscribers to MetaLink can find more information on the Default Password Scanner in MetaLink Note 361482.1.

You can also check out Cain & Abel which has Oracle hash specific functions.

Digg This Article


26 April 2006 | 12,242 views

MS and the new IE vulnerability – Object Tag

Can you see the irony?
Just after 2 weeks that M$ released the Internet Explorer security makeover, Michal Zalewski came up with a highly critical exploit, as called by Secunia… based on a mishandling of the OBJECT tag….

Security alerts aggregator Secunia flagged the issue as “highly critical” and stressed that it can be exploited to corrupt memory by tricking a user into visiting a malicious Web site. “Successful exploitation allows execution of arbitrary code,” Secunia warned.

Of course M$ didn’t just sit around… they blamed Michal Zalewski for publishing the vulnerability prior of noticing M$ so they could launch a patch [again?] for it…

Microsoft chided Zalewski for jumping the gun and posting his findings before a comprehensive patch could be created, but the researcher is unapologetic.

And how expected Zalewski striked back:

[They] often attempt to downplay threats; they don’t participate in the vulnerability research community in a meaningful way; and they routinely use false pretenses when communicating their expectations to the media (for example, expressing concern for the customer and blaming the researcher where the chief risk for the customer arises from the fact that an extremely wealthy and profitable software giant severely underfunds the task of fixing critical defects in their software)

Researchers at Websense Security Labs said there are no published proof-of-concepts demonstrating a remote code execution attack vector but made it clear that browser crash vulnerabilities often lead to remote code execution exploits.
But a quick search on SecurityFocus proved something else:
http://www.securityfocus.com/archive/1/431796/30/30/threaded

Source: Microsoft Rocked by New IE Zero-Day Flaw Warning


26 April 2006 | 35,029 views

Alternatives to FrSIRT – Where to Download Exploits?

Since FrSIRT closed it’s public archives and starting charging for access (blaming it on French laws…), people have been wondering where they can their dose of Exploits..For legitimate purposes obviously.

Security Forest

The most comprehensive collection in my opinion comes from SecurityForest. They also have a BETA exploitation framework in development, something like a Metasploit, but with a much larger range of exploits.

The part of SecurityForest you need to look at is the Exploit Tree.

I love the way it works, as it’s based on CVS, so you just download whatever you don’t have everytime you update.

The ExploitTree is a categorized collection of ALL available exploit code. ExploitTree’s ambition is to become the most organized, rich and up-to-date exploit repository on the internet. The ExploitTree is based on CVS (Concurrent Versioning System) and therefore allows the user to keep an up-to-date offline mirror of the repository on their hard drive. When an ExploitTree Administrator updates their local copy with a new/updated exploit, it updates the repository and keeps everyone else up-to-date. Furthermore, a web interface for web browsing is available.

It is a really impressive collection and very well categorised. It works fine on both Windows and *nix based systems. You can also browse online here.

milw0rm

milw0rm is less mainstream and started out as a personal site, but has grown into a comprehensive and well organised archive of exploits.

It can be organised various ways, by platform, by port, for PHP, for ASP etc.

Securiteam

Securiteam is quite commercial, but has an archive of verified exploits – going back to 1998, verified by their own team of ‘experts’. Note however Securiteam isn’t greatly liked on lists such as Full Disclosure (mostly for spamming their blog).

Securiteam Exploits Archive.

SecuriTeam™ is a group within Beyond Security® dedicated to bringing you the latest news and utilities in computer security.

Having experience as Security Specialists, Programmers and System Administrators we appreciate your need for a “Security Portal” – A central Security web site containing all the newest security information from various mailing lists, hacker channels and our own tools and knowledge.

Packetstorm

Packetstorm is one of the oldest sites, and has a reasonbly good archive of exploits.

Packetstorm Exploits

It goes back to about 1998 too.

Packet Storm offers an abundant resource of up-to-date and historical security tools, exploits, and advisories. We are a non-profit organization comprised of security professionals that are dedicated to providing the information necessary to secure networks on a global scale. We accomplish this goal by publishing new security information on a global network of websites.

Others

You can also check out:

Government Security Archive
Secwatch
Hackers Playground

Various

You can find the odd private archives online too, but they tend to go up and down, and sometimes when you have something specific in mind, it’s just best to hit Google and Google Groups to mine it out.

Don’t forget the good stuff like Google Hacking too.

Plus the Security and Hacking LiveCD’s have quite a lot of compiled & working exploits inside too.

Digg This Article


25 April 2006 | 38,985 views

Penetration Testing vs Vulnerability Assessment

There seems to be a certain amount of confusion within the security industry about the difference between Penetration Testing and Vulnerability Assessment, they are often classified as the same thing when in fact they are not.

I know Penetration Testing sounds a lot more exciting, but most people actually want a VA not a pentest, many projects are labelled as pen tests when in fact they are 100% VA.

A Penetration Test mainly consists of a VA, but it goes one step further..

A penetration test is a method of evaluating the security of a computer system or network by simulating an attack by a malicious hacker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

A vulnerability assesment is what most companies generally do, as the systems they are testing are live production systems and can’t afford to be disrupted by active exploits which might crash the system.

Vulnerability assessment is the process of identifying and quantifying vulnerabilities in a system. The system being studied could be a physical facility like a nuclear power plant, a computer system, or a larger system (for example the communications infrastructure or water infrastructure of a region).

Vulnerability assessment has many things in common with risk assessment. Assessments are
typically performed according to the following steps:

1. Cataloging assets and capabilities (resources) in a system
2. Assigning quantifiable value and importance to the resources
3. Identifying the vulnerabilities or potential threats to each resource
4. Mitigating or eliminating the most serious vulnerabilities for the most valuable resources

This is generally what a security company is contracted to do, from a technical perspective, not to actually penetrate the systems, but to assess and document the possible vulnerabilities and recommend mitigation measures and improvements.

Sources: Wikipedia

Digg This Article


24 April 2006 | 6,528 views

DIY Spyware – Get Into it for just $15

I remember some time ago there was a VB virus creation kit, there’s actually quite a few. Yah I know, it’s extremely lame.

But what to do, it seems less and less people can actually think nowdays, let along think of something original, or wow…even DO SOMETHING ORIGINAL? So what’s the big money maker now? Spyware…

So what is the natural progressions, yeah a Spyware creation kit which costs about $15.

A Russian website is selling a DIY spyware kit, called WebAttacker, for around $15 a throw. The site, which proudly boasts of its creator’s credentials in the scumware industry, also offer technical supporter to potential buyers.

The kits come in a script kiddie friendly form with code designed to make the task of infecting computers a breeze. All the buyers need do is send spam messages inviting potential marks to visit a compromised website.

Worrying eh?

A new generation of spamming Spyware bosses, all running Spyware creation kits they bought off some website with a stolen credit card number.

“This type of behaviour is inviting the return of script-kiddies,” said Carole Theriault, senior security consultant at Sophos. “By simplifying the task of the potential hacker for a mere tenner, sites like this one will attract opportunists who aren’t necessarily very skilled and turn them into cyber-criminals.”

Source: The Reg


21 April 2006 | 5,474 views

Kids Learn About Cyber Security – About Time Too!

I have always said no matter what it be, you need to start ‘em young!

Same for open source, don’t lock kid into Microsoft operating systems in the schools, give dual boot machines, let them use Ubuntu or Debian or something else. Let them explore free software, let the smart ones see the source, fix the bugs and get involved in development.

The same goes for security, educate them young, make them aware of the concerns young, then as they grow up, they will grow up understand the issues involved.

New York — A group of students at Rome Catholic School are learning how to become the future defenders of cyberspace through a pilot program that officials say is the first of its kind in the country.

The program teaches students about data protection, computer network protocols and vulnerabilities, security, firewalls and forensics, data hiding, and infrastructure and wireless security.

Most importantly, officials said, teachers discuss ethical and legal considerations in cyber security.

Perhaps it might also cut down on the amount of script kiddies in the world if they understand the ethics involved a little better.

Cybersecurity is massively important now, even that donkey George Bush appreciates it, especially with the war against terror and cyber terrorism becoming popular around the globe.

President Bush made cyber security a focal point in February 2003 in his National Strategy to Secure Cyberspace, citing the importance of safeguarding America from crippling internet-based attacks by terrorists against U.S. power grids, airports and other targets.

I think it’s a good effort, more countries should take up compulsory cyber security education.

Wired.com


20 April 2006 | 22,590 views

Symantec Dumps L0phtcrack Password Cracker

Man this blows.

It seems it happened quite a while ago, I only just found out about it recently though when I was checking to see if L0phtcrack had been updated past version 5.

Symantec has quietly pulled the plug on sales of L0phtCrack, the venerable password auditing and recovery application.

The decision to discontinue support for L0phtCrack, also known as LC5, comes just months after Symantec stopped selling the application to customers outside the United States and Canada out of concerns that it violated cryptography export controls.

It is a shame as this was without doubt the best password cracker around, fastest for LM hashes by quite a long way.

Luckily there are some good alternatives, even a free alternative for L0phtcrack itself called LCP which we mentioned in our Rainbow Crack and Rainbow Tables article.

There are other good alternative too, my favourite being Cain and Abel then probably John the Ripper. I’ll do an article about Password Crackers soon, a run down of the options.

“There was always going to be a double-edged sword for Symantec. L0phtCraft is valuable as a good password-strength auditing tool but it’s also popular with [malicious] hackers who used it to break passwords and attack networks,” Fleming said in an interview with eWEEK.

He said Digital Defense used L0phtCraft in its penetrating testing products to identify and remediate security vulnerabilities that result from the use of weak or easily guessed passwords.

L0phtCraft can also be used to recover Windows and Unix account passwords to access user and administrator accounts whose passwords are lost or to streamline migration of users to newer authentication systems.

It is a tough call for a ‘security company’ especially such a large one that has to take a lot of care about reputation and corporate image.

I’m sad to see it go however.

Source: Eweek


19 April 2006 | 38,984 views

Good Password Guidelines – How to Make a Strong/Secure Password

It’s common sense for most people on the hacking side of computer security as we know how easy it is to break a password when it’s only a few characters long or it uses a dictionary word (even if it is postfixed with a couple of digits, a hybrid dictionary attack breaks it pretty fast).

Even more so if you are utilising some decent Rainbow Tables and the RainbowCrack method (time/memory trade-off).

The basics of creating a secure password:

  • Include punctuation marks (,.;), special characters (!#$%^) and numbers.
  • Mix capital (uppercase), lowercase and space characters.
  • Create a unique acronym.
  • Short passwords should be 8 chars at least.

Some potential weaknesses to avoid:

  • Don’t use a password that is listed as an example or public.
  • Don’t use the same password you have been using for years.
  • Don’t use a password someone else has seen you type.
  • Don’t use a password that contains personal information (names, birthdays or dates that are easily related to you)
  • Don’t use words or acronyms that can be found in a dictionary.
  • Don’t use keyboard patterns (qwerty) or sequential numbers (12345).

Once you have a good password it’s equally important to keep your password secure:

  • Never tell anyone your password or use it where someone can observe it.
  • Never send your password by email or say it where others may hear.
  • Occasionally verify your current password and change it to a new one.
  • Avoid writing your password down. (Keep it with you in a purse or wallet if you have to write down the password until you remember it.)

And never label that scrap of paper in any way, write it down on an the back of an old businesscard or something that doesn’t indicate it’s a password.

Don’t give anyone who finds (or gains access to) your purse/wallet any clue of what the password means or what it is related to.

128 bit entropy in a password requires a long randomized passphrase, which wouldn’t be very usable, there has to be a trade somewhere between security and usability.

You can also use online password generators such as http://makemeapassword.com/, the problem with these however, is that they do create strong passwords but they aren’t easy to remember, which kind of defeats the purpose.

Another thing you can do is use something like a password safe to keep all the hard to remember passwords in one place, the one I would recommend is from Bruce Schneier and is actually called “Password Safe”.

Password Safe is an Open Source (free) tool that allows you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords. Password Safe runs on PCs under Windows (95/98/NT/2000/XP).

You can find it here:

http://passwordsafe.sourceforge.net/

Any other inputs?

Digg This Article


18 April 2006 | 235,349 views

Photos as Visual Passwords Could Foil Hackers?

I’ve tried out a few of these visual recognition password technique things, and to tell you the truth they didn’t work for me, not at all.

I clicked the requisite 3-4 spots on the image, and remembered them, but when I tried to login it wouldn’t accept it.

A password that uses images instead of numbers could give some people access to secure information on personal electronic devices or at ATMs within the next year.

The image authentication system uses a pair of digital images instead of a string of numbers to make logging in simple for the legitimate user, but difficult for impersonators.

“It is expected that many of the conventional user authentication systems would be able to be replaced with our scheme, since recognition of images is significantly easier for human beings than precise recall of passwords,” said team leader Masakatsu Nishigaki, a professor of informatics at Shizuoka University in Japan, where the system is being developed.

Source: Discovery Channel

There is a simple implementation of it I saw called Passclicks over at mininova

http://labs.mininova.org/passclicks/

Passclicks is a new way to login to websites without users having to remember thir old style textual password. Studies have revealed that humans are way better in remembering visual things than textual things. With passclicks your normal textual passwords are replaced with a sequence of clicks on an image.

It is true most people remember things a lot better visually.

I think the Japanese 4 ‘digit’ icon type password might be pretty good though, as a different form of pin number.